SLES 12
Sponsored Link

Configure LDAP Server
2015/12/01
 
Configure LDAP Server in order to share users' accounts in your local networks.
[1] Install OpenLDAP.
dlp:~ #
zypper -n install openldap2 openldap2-client
dlp:~ #
vi /etc/sysconfig/openldap
# line 37: change

OPENLDAP_START_LDAPI="
yes
"
# line 149: change

OPENLDAP_CONFIG_BACKEND="
ldap
"
dlp:~ #
mv /etc/openldap/slapd.conf /etc/openldap/slapd.conf.org

dlp:~ #
touch /etc/openldap/slapd.conf

dlp:~ #
rm -rf /etc/openldap/slapd.d/*

dlp:~ #
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d

config file testing succeeded
dlp:~ #
vi /etc/openldap/slapd.d/cn=config/olcDatabase\={0}config.ldif
# line 2: remove the line

# CRC32 xxxxxxxx
# line 6: change

olcAccess:
{0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
dlp:~ #
chown -R ldap. /etc/openldap/slapd.d

dlp:~ #
chmod -R 700 /etc/openldap/slapd.d

dlp:~ #
systemctl start slapd

dlp:~ #
systemctl enable slapd
# generate encrypted password

dlp:~ #
slappasswd

New password:
Re-enter new password:
{SSHA}xxxxxxxxxxxxxxxxxxxxxxxx
dlp:~ #
vi chrootpw.ldif
# specify the password generated above for "olcRootPW" section

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx

dlp:~ #
ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={0}config,cn=config"
[2] Import basic Schemas.
dlp:~ #
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/core.ldif

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=core,cn=schema,cn=config"

dlp:~ #
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"

dlp:~ #
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"

dlp:~ #
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"
[3] Set your domain name on LDAP DB.
# generate directory manager's password

dlp:~ #
slappasswd

New password:
Re-enter new password:
{SSHA}xxxxxxxxxxxxxxxxxxxxxxxx
dlp:~ #
vi backend.ldif
# create new

# replace to your own domain name for "dc=***,dc=***" section

# specify the password generated above for "olcRootPW" section

dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib/openldap
olcModuleload: back_hdb

dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
olcSuffix: dc=srv,dc=world
olcRootDN: cn=Manager,dc=srv,dc=world
olcRootPW: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx
olcAccess: {0}to attrs=userPassword,shadowLastChange by 
  dn="cn=Manager,dc=srv,dc=world" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=srv,dc=world" write by * read

dlp:~ #
ldapadd -Y EXTERNAL -H ldapi:/// -f backend.ldif

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=module,cn=config"

adding new entry "olcDatabase=hdb,cn=config"

dlp:~ #
vi basedomain.ldif
# replace to your own domain name for "dc=***,dc=***" section

dn: dc=srv,dc=world
objectClass: top
objectClass: dcObject
objectclass: organization
o: Server World
dc: Server

dn: cn=Manager,dc=srv,dc=world
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=People,dc=srv,dc=world
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=srv,dc=world
objectClass: organizationalUnit
ou: Group

dlp:~ #
ldapadd -x -D cn=Manager,dc=srv,dc=world -W -f basedomain.ldif

Enter LDAP Password:    
# directory manager's password

adding new entry "dc=srv,dc=world"

adding new entry "cn=Manager,dc=srv,dc=world"

adding new entry "ou=People,dc=srv,dc=world"

adding new entry "ou=Group,dc=srv,dc=world"
[4]
SSSD which is used on SLES 12 LDAP Client needs encrypted connection, so Configure LDAP TLS. Create Certificates first, refer to here.
[5] Configure LDAP TLS.
dlp:~ #
mkdir /etc/openldap/certs

dlp:~ #
cp /etc/ssl/private/server.key \
/etc/ssl/private/server.crt \
/etc/ssl/ca-bundle.pem \
/etc/openldap/certs/

dlp:~ #
chown ldap. /etc/openldap/certs/server.key \
/etc/openldap/certs/server.crt \
/etc/openldap/certs/ca-bundle.pem
dlp:~ #
vi mod_ssl.ldif
# create new

dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/openldap/certs/ca-bundle.pem
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/server.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/server.key

dlp:~ #
ldapmodify -Y EXTERNAL -H ldapi:/// -f mod_ssl.ldif

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"

dlp:~ #
vi /etc/sysconfig/openldap
# line 27: change

OPENLDAP_START_LDAPS="
yes
"
dlp:~ #
systemctl restart slapd

 
Tweet