cAos Community Wiki
OpenLDAP

To configure a basic OpenLDAP authentication server

Start by installing the OpenLDAP server packages with:

# yum install openldap-servers

Then you must edit the default configuration file (/etc/openldap/slapd.conf):

# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.23.2.8 2003/05/24 23:19:14 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/redhat/autofs.schema
# Allow LDAPv2 client connections.  This is NOT the default.
allow bind_v2
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org
pidfile /var/run/slapd.pid
#argsfile       //var/run/slapd.args
# Load dynamic backend modules:
# modulepath    /usr/sbin/openldap
# moduleload    back_bdb.la
# moduleload    back_ldap.la
# moduleload    back_ldbm.la
# moduleload    back_passwd.la
# moduleload    back_shell.la
# The next three lines allow use of TLS for connections using a dummy test
# certificate, but you should generate a proper certificate by changing to
# /usr/share/ssl/certs, running "make slapd.pem", and fixing permissions on
# slapd.pem so that the ldap user or group can read it.
# TLSCACertificateFile /usr/share/ssl/certs/ca-bundle.crt
# TLSCertificateFile /usr/share/ssl/certs/slapd.pem
# TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem
# Sample security restrictions
#       Require integrity protection (prevent hijacking)
#       Require 112-bit (3DES or better) encryption for updates
#       Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
access to attrs=userPassword
  by self write
  by anonymous auth
  by * none
access to *
  by * read
#######################################################################
# ldbm and/or bdb database definitions
#######################################################################
database        ldbm
suffix            "dc=localhost,dc=localdomain"
rootdn          "cn=Manager,dc=localhost,dc=localdomain"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw          secret
# rootpw                {crypt}ijFYNcSNctBYg
schemacheck off
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /var/lib/ldap
# Indices to maintain for this database
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub

Make sure you notice the ‘localhost’, ‘localdomain’ and ‘rootpw’ entries: these must be changed. The ‘dc’ components make up the base DN (the ‘suffix’) that this database answers for, with one ‘dc’ component for each label of the hostname, split at the ‘.’ (dots). So localhost.localdomain becomes dc=localhost,dc=localdomain. Note also what the access rules above grant: only the owner of an entry may write its userPassword, anonymous clients may use it to authenticate (bind), and every other attribute in the directory is readable by anyone, including anonymous clients. Tighten the ‘access to *’ rule if the directory will hold data that should not be public, and keep slapd.conf unreadable to other users, since it contains the rootpw.

To generate a hashed password for the rootdn, run:

# slappasswd

It prompts for the password twice and prints a hashed value (by default an {SSHA} string, a salted SHA-1). Copy and paste that output line, including the scheme prefix, into the ‘rootpw’ entry in the config file in place of ‘secret’.
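The following is an added example, not code from the cAos wiki or from OpenLDAP. It builds a rootpw/userPassword value in the {SSHA} format that slappasswd emits by default ("{SSHA}" followed by base64 of SHA-1(password || salt) || salt, with a 4-byte salt), verifies a password against such a value, and checks a slapd.conf fragment for a cleartext rootpw. The function names, the rootpw_line helper and the constructed slapd.conf fragments are assumptions for illustration.

```python
# Added example, not code from the cAos wiki or from OpenLDAP: it produces a
# rootpw/userPassword value in the {SSHA} format slappasswd emits by default
# ("{SSHA}" + base64(SHA-1(password || salt) || salt), 4-byte salt), checks a
# password against such a value, and flags a cleartext rootpw in slapd.conf.
import base64
import hashlib
import hmac
import os
from typing import Optional


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """{SSHA} string usable as rootpw or userPassword. A fresh random salt is
    drawn unless one is given (only pass a fixed salt for tests)."""
    if salt is None:
        salt = os.urandom(4)                 # slappasswd also uses 4 salt bytes
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """True if password matches a {SSHA} value; False for any other scheme
    (slapd would hand those to that scheme's own verifier)."""
    if not stored.upper().startswith("{SSHA}"):
        return False
    try:
        raw = base64.b64decode(stored[len("{SSHA}"):], validate=True)
    except ValueError:                       # binascii.Error is a ValueError
        return False
    digest, salt = raw[:20], raw[20:]        # SHA-1 digest is 20 bytes, rest is salt
    if len(digest) != 20:
        return False
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def rootpw_scheme(conf_text: str) -> Optional[str]:
    """Scheme of the active rootpw directive in a slapd.conf ('{SSHA}',
    '{CRYPT}', ...), 'cleartext' if the value is unhashed, None if absent."""
    for line in conf_text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2 or parts[0] != "rootpw":
            continue                          # comments and other directives
        value = parts[1].strip()
        if value.startswith("{") and "}" in value:
            return value[:value.index("}") + 1].upper()
        return "cleartext"
    return None


def rootpw_line(password: str) -> str:
    """Replacement for the 'rootpw secret' line of the stock slapd.conf."""
    return "rootpw          " + ssha_hash(password)


# Constructed slapd.conf fragments (assumed, for the check below).
STOCK_CONF = ('rootdn          "cn=Manager,dc=localhost,dc=localdomain"\n'
              "rootpw          secret\n")
FIXED_CONF = STOCK_CONF.replace("rootpw          secret",
                                rootpw_line("a better passphrase"))

if __name__ == "__main__":
    print(rootpw_line("a better passphrase"))
    print("stock:", rootpw_scheme(STOCK_CONF), " fixed:", rootpw_scheme(FIXED_CONF))
```

Running the block prints a fresh {SSHA} rootpw line and reports the stock file as "cleartext" and the fixed one as "{SSHA}"; rootpw_scheme ignores the commented-out "# rootpw {crypt}..." line, so it only reports the directive slapd would actually use.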

Next you will need to start the ldap server:

# service ldap start

Migration scripts are installed in /usr/share/openldap/migration. First, edit the file ‘migrate_common.ph’ and change the following lines (replacing the values with what you put in slapd.conf):

# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "localhost.localdomain";
# Default base
$DEFAULT_BASE = "dc=localhost,dc=localdomain";

Next, generate the base entries for your directory (the suffix entry and the organizational units such as ou=People and ou=Group that the other migration scripts expect). Run this from the directory /usr/share/openldap/migration:

# ./migrate_base.pl > /tmp/base.ldif

The resulting /tmp/base.ldif can be imported directly into the directory, binding as the rootdn. -x selects a simple bind and -W prompts for the rootpw you set above:

# ldapadd -W -x -D "cn=Manager,dc=localhost,dc=localdomain" -f /tmp/base.ldif

At this point you have a working base directory. Now you need to add users and configure systems to use it for authentication. authconfig is a program that configures the key files to use LDAP for authentication:

# authconfig

Set "User Information" to "Use LDAP" and "Authentication" to "Use LDAP Authentication". The next screen prompts for the LDAP server to connect to. Configure it as:

Server: localhost.localdomain
Base DN: dc=localhost,dc=localdomain

(again changing localhost.localdomain for the real hostname.domain of your LDAP server)

Then press OK. This changes /etc/nsswitch.conf, /etc/ldap.conf, /etc/openldap/ldap.conf and some of the /etc/pam.d/ files to use LDAP. If you get a warning that the nss_ldap modules are not installed, install them with:

# yum install nss_ldap

Finally, to add users, you can either do it by hand with ‘ldapadd’, migrate your current user list with /usr/share/openldap/migration/migrate_passwd.pl (or any of the other migration scripts), or use a tool that manages user and host configuration. cAos includes one:

# directory_administrator

Note: this adds the users to your LDAP database, but it does not create home directories. To do that by hand:

# cp -ra /etc/skel /home/[USERNAME]
# chown -R [USERNAME]:[GROUP] /home/[USERNAME]
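For the migrate_base.pl step and the migrate_passwd.pl step above, this added example (not code from the cAos wiki or from the OpenLDAP migration scripts) rebuilds the LDIF those scripts produce for a domain name and for /etc/passwd plus /etc/shadow records, so you can inspect what ldapadd will load and skip locked accounts before import. The entry shape (object classes, attribute order) follows what migrate_base.pl and migrate_passwd.pl emit as far as I know it, shortened to ou=People and ou=Group and without the shadow expiry attributes; the function names and the sample passwd/shadow lines are constructed for illustration.

```python
# Added example, not code from the cAos wiki or from the OpenLDAP migration
# scripts: it rebuilds what migrate_base.pl and migrate_passwd.pl emit for a
# domain and for /etc/passwd + /etc/shadow records, so the LDIF handed to
# ldapadd can be inspected (and locked accounts filtered) before import.
# The sample passwd/shadow lines below are constructed, not real accounts.
import base64


def domain_to_base_dn(domain: str) -> str:
    """localhost.localdomain -> dc=localhost,dc=localdomain (one dc per label)."""
    labels = [p for p in domain.strip().lower().split(".") if p]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join("dc=" + p for p in labels)


def ldif_attr(attr: str, value: str) -> str:
    """One LDIF attribute line; use the '::' base64 form where RFC 2849 needs it
    (non-ASCII, leading space/colon/'<', trailing space, embedded newline)."""
    plain = (value.isascii() and value == value.strip(" ")
             and not value.startswith((":", "<")) and "\n" not in value)
    if plain:
        return f"{attr}: {value}\n"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}\n"


def base_ldif(domain: str, org_units=("People", "Group")) -> str:
    """Suffix entry plus organizational units, in the shape migrate_base.pl
    uses (assumed from its output; the ou list is shortened here)."""
    base_dn = domain_to_base_dn(domain)
    first_dc = base_dn.split(",")[0][len("dc="):]
    out = [ldif_attr("dn", base_dn) + ldif_attr("dc", first_dc)
           + "objectClass: top\nobjectClass: domain\n"]
    for ou in org_units:
        out.append(ldif_attr("dn", f"ou={ou},{base_dn}") + ldif_attr("ou", ou)
                   + "objectClass: top\nobjectClass: organizationalUnit\n")
    return "\n".join(out)


def account_locked(shadow_hash: str) -> bool:
    """'!', '!!', '*' or an empty field mean no usable password: skip these."""
    return shadow_hash in ("", "*", "!!") or shadow_hash.startswith("!")


def passwd_to_ldif(passwd_line: str, shadow_hash: str, base_dn: str,
                   people_ou: str = "People") -> str:
    """posixAccount/shadowAccount entry as migrate_passwd.pl builds it; the
    crypt(3) hash from shadow is carried over as {CRYPT}<hash>, so no
    cleartext password is ever needed."""
    name, _, uid, gid, gecos, home, shell = passwd_line.rstrip("\n").split(":")
    cn = gecos.split(",")[0] or name
    entry = ldif_attr("dn", f"uid={name},ou={people_ou},{base_dn}")
    entry += ldif_attr("uid", name) + ldif_attr("cn", cn)
    entry += ("objectClass: account\nobjectClass: posixAccount\n"
              "objectClass: top\nobjectClass: shadowAccount\n")
    entry += ldif_attr("userPassword", "{CRYPT}" + shadow_hash)
    entry += ldif_attr("loginShell", shell) + ldif_attr("uidNumber", uid)
    entry += ldif_attr("gidNumber", gid) + ldif_attr("homeDirectory", home)
    return entry


def migrate_passwd(passwd_text: str, shadow_text: str, base_dn: str) -> list:
    """LDIF entries for every passwd user that has a usable shadow hash."""
    hashes = {}
    for line in shadow_text.splitlines():
        if line and not line.startswith("#"):
            name, h = line.split(":")[:2]
            hashes[name] = h
    entries = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        name = line.split(":", 1)[0]
        h = hashes.get(name, "")
        if account_locked(h):
            continue                       # no password to migrate
        entries.append(passwd_to_ldif(line, h, base_dn))
    return entries


# Constructed sample records (not real accounts or hashes).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:501:501:Alice Example,,,:/home/alice:/bin/bash
svc:x:502:502:Service account:/var/lib/svc:/sbin/nologin
"""
SAMPLE_SHADOW = """\
root:$1$constructedsalt$constructedhashvalue:12900:0:99999:7:::
alice:$1$abcdefgh$0123456789abcdefghijkl:12900:0:99999:7:::
svc:!!:12900:0:99999:7:::
"""

if __name__ == "__main__":
    base = domain_to_base_dn("localhost.localdomain")
    print(base_ldif("localhost.localdomain"))
    for e in migrate_passwd(SAMPLE_PASSWD, SAMPLE_SHADOW, base):
        print(e)
```

The locked-account check matters because migrating a "!!" or "*" shadow field verbatim would create an entry whose userPassword can never match; skipping it keeps those accounts local-only. Pipe the output to a file and load it with the same ldapadd invocation used for base.ldif.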

Soon, there will be an update to this to have LDAP use SSL (Secure Sockets) for all communication. Until then, bear in mind that a simple bind over plain LDAP sends the user's password in cleartext on the wire; the commented-out TLS* and ‘security’ directives in slapd.conf are where transport protection and minimum encryption strength are configured.

Created by: gmkurtzer last modification: Tuesday, June 14, 2005 [20:56:27 UTC] by mej
