cAos Community Wiki
OpenLDAP

Start by installing the OpenLDAP server with:

  yum install openldap-servers

Then you must edit the default configuration file (/etc/openldap/slapd.conf):

# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.23.2.8 2003/05/24 23:19:14 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/redhat/autofs.schema

# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

pidfile /var/run/slapd.pid
#argsfile //var/run/slapd.args

# Load dynamic backend modules:
# modulepath /usr/sbin/openldap
# moduleload back_bdb.la
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la

# The next three lines allow use of TLS for connections using a dummy test
# certificate, but you should generate a proper certificate by changing to
# /usr/share/ssl/certs, running "make slapd.pem", and fixing permissions on
# slapd.pem so that the ldap user or group can read it.
# TLSCACertificateFile /usr/share/ssl/certs/ca-bundle.crt
# TLSCertificateFile /usr/share/ssl/certs/slapd.pem
# TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem

# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

access to *
        by * read

#######################################################################
# ldbm and/or bdb database definitions
#######################################################################

database ldbm
suffix "dc=localhost,dc=localdomain"
rootdn "cn=Manager,dc=localhost,dc=localdomain"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw secret
# rootpw {crypt}ijFYNcSNctBYg
schemacheck off

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap

# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub

Make sure you notice the ‘localhost’, ‘localdomain’ and ‘rootpw’ entries: these must be changed. The ‘dc’ entries define the realm that this database responds to, and one ‘dc’ entry is used for each section of the hostname separated by ‘.’ (dots). So, localhost.localdomain would be dc=localhost,dc=localdomain.

To generate a new password, run:

  # slappasswd

Copy and paste the output line of that into the ‘rootpw’ entry in the config file.
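As an added check that is not part of the original wiki page, the following POSIX shell script audits an slapd.conf for the items this page says to fix before starting slapd: the default dc=localhost,dc=localdomain suffix/rootdn, a cleartext rootpw, schemacheck off, TLS left commented out, and a world-readable config file. It assumes the path to the file is passed as its only argument; the script name is hypothetical.

```shell
#!/bin/sh
# Audit an slapd.conf for the settings this page tells you to change before
# starting slapd. Added example, not from the cAos wiki. Usage:
#   sh audit_slapd_conf.sh /etc/openldap/slapd.conf
# Prints one finding per line; exit status is 0 when clean, 1 otherwise.
check_slapd_conf() {
    conf="$1"
    findings=0
    # Drop comments and blank lines so commented-out samples such as
    # "# rootpw {crypt}..." or "# TLSCertificateFile ..." are ignored.
    active=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$conf")

    if printf '%s\n' "$active" | grep -qE '^[[:space:]]*(suffix|rootdn)[[:space:]].*dc=localhost,dc=localdomain'; then
        echo "suffix/rootdn still use the default dc=localhost,dc=localdomain"
        findings=$((findings + 1))
    fi

    # slappasswd output starts with a scheme tag such as {SSHA}; anything else is cleartext
    rootpw=$(printf '%s\n' "$active" | awk '$1 == "rootpw" { print $2; exit }')
    if [ -n "$rootpw" ]; then
        case "$rootpw" in
            \{*\}*) ;;
            *) echo "rootpw is cleartext; paste the slappasswd output instead"
               findings=$((findings + 1)) ;;
        esac
    fi

    if printf '%s\n' "$active" | grep -qE '^[[:space:]]*schemacheck[[:space:]]+off'; then
        echo "schemacheck off: entries are not validated against the loaded schemas"
        findings=$((findings + 1))
    fi

    if ! printf '%s\n' "$active" | grep -q '^[[:space:]]*TLSCertificateFile'; then
        echo "TLS not configured: simple binds send passwords in the clear"
        findings=$((findings + 1))
    fi

    # The file's own header says it should NOT be world readable.
    if [ -n "$(find "$conf" -perm -004 2>/dev/null)" ]; then
        echo "$conf is world-readable; chmod 600 it"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}

if [ "$#" -gt 0 ]; then
    check_slapd_conf "$1"
fi
```

Run it against the file above before starting slapd; it reports all five findings on the stock configuration and nothing once the entries the page lists have been changed.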
Next you will need to start the ldap server:

  # service ldap start

There are migration scripts in /usr/share/openldap/migration. First you will need to edit the file ‘migrate_common.ph’ and change the following lines (replacing the values with what you put in slapd.conf):

# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "localhost.localdomain";
# Default base
$DEFAULT_BASE = "dc=localhost,dc=localdomain";

Next you will need to generate the base LDAP database configuration for your server. Do this by running this command from the directory /usr/share/openldap/migration:

  # ./migrate_base.pl > /tmp/base.ldif

The file /tmp/base.ldif can be imported directly into the LDAP database. Do this with the command:

  ldapadd -W -x -D "cn=Manager,dc=localhost,dc=localdomain" -f /tmp/base.ldif

At this point, you have a basic working authentication directory server. Now you need to add users and configure systems to look at it for authentication.

Authconfig is a program that configures some of the key files to use LDAP for authentication:

  # authconfig

You will want to set "User Information" to "Use LDAP" AND "Authentication" to "Use LDAP Authentication". The next screen will prompt you for the LDAP server you wish to connect to. Configure it as:

  Server: localhost.localdomain
  Base DN: dc=localhost,dc=localdomain

(again changing localhost.localdomain to the real hostname.domain of your LDAP server). Then press OK. This will change /etc/nsswitch.conf, /etc/ldap.conf, /etc/openldap/ldap.conf and some of the /etc/pam.d/ files to use LDAP. If you get a warning about nss_ldap modules not being installed, you may need to install them with the command:

  # yum install nss_ldap

Finally, to add users, you can either do it by hand with ‘ldapadd’, migrate your current user list with /usr/share/openldap/migration/migrate_passwd.pl (or any of the other migration scripts), or use a tool to deal with user and host configuration.
cAos includes one:

  # directory_administrator

Note: this will add the users to your LDAP database, but it will not create home directories. Consider the following to do that:

  # cp -ra /etc/skel /home/[USERNAME]
  # chown -R [USERNAME]:[GROUP] /home/[USERNAME]

Soon, there will be an update to this to have LDAP use SSL (Secure Sockets) for all communication.

Created by: gmkurtzer
Last modification: Tuesday, June 14, 2005 [20:56:27 UTC] by mej