Fedora 21
Sponsored Link

Configure LDAP Server
2014/12/31
 
Configure LDAP Server in order to share users' accounts in your local networks.
[1] Install OpenLDAP.
[root@dlp ~]#
yum -y install openldap-servers openldap-clients
[root@dlp ~]#
vi /etc/openldap/slapd.conf
# create new

pidfile     /run/openldap/slapd.pid
argsfile    /run/openldap/slapd.args

[root@dlp ~]#
rm -rf /etc/openldap/slapd.d/*

[root@dlp ~]#
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d

config file testing succeeded
[root@dlp ~]#
vi /etc/openldap/slapd.d/cn=config/olcDatabase\={0}config.ldif
# line 6: change

olcAccess:
{0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
[root@dlp ~]#
chown -R ldap. /etc/openldap/slapd.d

[root@dlp ~]#
chmod -R 700 /etc/openldap/slapd.d

[root@dlp ~]#
systemctl start slapd

[root@dlp ~]#
systemctl enable slapd

[2] Configure Slapd.
[root@dlp ~]#
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/core.ldif

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=core,cn=schema,cn=config"

[root@dlp ~]#
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"

[root@dlp ~]#
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"

[root@dlp ~]#
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"

[root@dlp ~]#
slappasswd
# generate encrypted password

New password:
# input any password

Re-enter new password:
{SSHA}xxxxxxxxxxxxxxxxx
# remember

[root@dlp ~]#
vi backend.ldif
# create new

# replace the section "dc=***,dc=***" to your own suffix

# replace the section "olcRootPW: ***" to your own password generated by slappasswd above

dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib64/openldap
olcModuleload: back_hdb

dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcSuffix: dc=srv,dc=world
olcDbDirectory: /var/lib/ldap
olcRootDN: cn=admin,dc=srv,dc=world
olcRootPW: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx
olcDbConfig: set_cachesize 0 2097152 0
olcDbConfig: set_lk_max_objects 1500
olcDbConfig: set_lk_max_locks 1500
olcDbConfig: set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcLastMod: TRUE
olcMonitoring: TRUE
olcDbCheckpoint: 512 30
olcAccess: to attrs=userPassword by dn="cn=admin,dc=srv,dc=world" write by anonymous auth by self write by * none
olcAccess: to attrs=shadowLastChange by self write by * read
olcAccess: to dn.base="" by * read
olcAccess: to * by dn="cn=admin,dc=srv,dc=world" write by * read

[root@dlp ~]#
ldapadd -Y EXTERNAL -H ldapi:/// -f backend.ldif

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=module,cn=config"

adding new entry "olcDatabase=hdb,cn=config"

[root@dlp ~]#
vi frontend.ldif
# create new

# replace the section "dc=***,dc=***" to your own suffix

# replace the section "userPassword: ***" to your own password generated by slappasswd above

dn: dc=srv,dc=world
objectClass: top
objectClass: dcObject
objectclass: organization
o: Server World
dc: Srv

dn: cn=admin,dc=srv,dc=world
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
userPassword: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx

dn: ou=people,dc=srv,dc=world
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=srv,dc=world
objectClass: organizationalUnit
ou: groups

[root@dlp ~]#
ldapadd -x -D cn=admin,dc=srv,dc=world -W -f frontend.ldif

Enter LDAP Password:
# admin password you set above

adding new entry "dc=srv,dc=world"

adding new entry "cn=admin,dc=srv,dc=world"

adding new entry "ou=people,dc=srv,dc=world"

adding new entry "ou=groups,dc=srv,dc=world"
[3]
Configure LDAP TLS. Create SSL Certificates first, refer to here.
[4] Configure Slapd for TLS.
[root@dlp ~]#
cp /etc/pki/tls/certs/server.key \
/etc/pki/tls/certs/server.crt \
/etc/pki/tls/certs/ca-bundle.crt \
/etc/openldap/certs/

[root@dlp ~]#
chown ldap. /etc/openldap/certs/server.key \
/etc/openldap/certs/server.crt \
/etc/openldap/certs/ca-bundle.crt
[root@dlp ~]#
vi mod_ssl.ldif
# create new

dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/openldap/certs/ca-bundle.crt
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/server.crt
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/server.key

[root@dlp ~]#
ldapmodify -Y EXTERNAL -H ldapi:/// -f mod_ssl.ldif

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"

[root@dlp ~]#
systemctl restart slapd

 
Tweet