These steps include how to create a certificate for secure (TLS) connectivity.
1. Install required packages
[root@sama openldap]# yum install openldap-servers migrationtools openldap db4
2. Run updatedb at the prompt.
[root@sama openldap]# updatedb
3. Copy the slapd.conf file
[root@sama openldap]# cp /usr/share/openldap-servers/slapd.conf.obsolete slapd.conf
4. Generate the root password hash for LDAP (the hash shown below is only an example from this session; generate your own with slappasswd rather than copying it)
[root@sama openldap]# slappasswd
New password:
{SSHA}O888/ATP9sai92UIKJCS6sk2SARkJEX/
5. Copy the DB_CONFIG file
[root@sama openldap]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@sama openldap]# chown ldap.ldap -R /var/lib/ldap/DB_CONFIG
[root@sama openldap]# ls -ld /var/lib/ldap/DB_CONFIG
-rw-r--r--. 1 ldap ldap 921 Mar 16 20:01 /var/lib/ldap/DB_CONFIG
6. Edit the slapd.conf file and change the my-domain and com placeholders to your domain info.
[root@sama openldap]# vi slapd.conf
[root@sama openldap]# pwd
/etc/openldap
[root@sama openldap]# ls -ld slapd.d/
drwx------. 3 ldap ldap 4096 Mar 16 19:39 slapd.d/
[root@sama openldap]# rm -rf slapd.d/* ; ls -l slapd.d/
total 0
7. Run the slaptest command.
[root@sama openldap]# slaptest -f slapd.conf -F slapd.d/
8. Generate a self-signed certificate
[root@sama openldap]# openssl req -new -x509 -nodes -out /etc/openldap/certs/slapdcert.pem -keyout
/etc/openldap/certs/slapdkey.pem -days 365
9. Restart the service
[root@sama openldap]# service slapd start
10. Make some changes to the migrate_common.ph file based on your info.
[root@sama openldap]# vi /usr/share/migrationtools/migrate_common.ph
11. Create a test user on your system
[root@sama openldap]# useradd ldapuser1
[root@sama openldap]# passwd ldapuser1
Changing password for user ldapuser1.
New password:
BAD PASSWORD: it is based on a dictionary word
Retype new password:
passwd: all authentication tokens updated successfully.
12. Convert user info from /etc/passwd format to ldif file
[root@sama openldap]# grep ldapuser /etc/passwd
ldapuser1:x:528:529::/home/ldapuser1:/bin/bash
[root@sama openldap]# grep ldapuser /etc/passwd >users.txt
[root@sama openldap]# pwd
/etc/openldap
[root@sama openldap]# /usr/share/migrationtools/migrate_passwd.pl users.txt > passwd.ldif
13. Create your domain info LDIF and load it.
[root@sama openldap]# vi expanor.local.ldif
[root@sama openldap]# ldapadd -x -D "cn=Manager,dc=expanor,dc=local" -W -f expanor.local.ldif
14. Import users (root first) in to the LDAP
[root@sama openldap]# ldapadd -x -D "cn=Manager,dc=expanor,dc=local" -W -f root.ldif
15. Search for the entry in LDAP. If you see your user info, it's working.
[root@sama openldap]# ldapsearch -x -b 'dc=expanor,dc=local' '(objectclass=*)' | more
----------- detail ----------------
1. Install packages
[root@sama openldap]# yum install openldap-servers migrationtools
Loaded plugins: product-id, refresh-packagekit, subscription-manager
Updating Red Hat repositories.
Setting up Install Process
Package openldap-servers-2.4.23-31.el6.i686 already installed and latest version
Resolving Dependencies
--> Running transaction check
---> Package migrationtools.noarch 0:47-7.el6 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
migrationtools noarch 47-7.el6 MY-RHL6.4 24 k
Transaction Summary
================================================================================
Install 1 Package(s)
Total download size: 24 k
Installed size: 104 k
Is this ok [y/N]: y
Downloading Packages:
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : migrationtools-47-7.el6.noarch 1/1
duration: 782(ms)
Installed products updated.
Installed:
migrationtools.noarch 0:47-7.el6
Complete!
[root@sama openldap]# ls
certs ldap.conf schema slapd.d
2. Run updatedb at the prompt.
[root@sama openldap]# updatedb
[root@sama openldap]# ls
certs ldap.conf schema slapd.d
[root@sama openldap]# locate slapd.conf
/usr/share/man/man5/slapd.conf.5.gz
/usr/share/openldap-servers/slapd.conf.obsolete
3. Copy the slapd.conf file
======================================================================
[root@sama openldap]# vi slapd.conf
Search for rootpw and enter the hashed password from the slappasswd output, as follows:
rootpw {SSHA}O888/ATP9sai92UIKJCS6sk2SARkJEX/
search for TLSCertificateFile and remove the value that follows it; in this case remove "\"OpenLDAP Server\""
TLSCertificateFile "\"OpenLDAP Server\""
search for my-domain and change it to whatever your domain is;
also change the suffix line
suffix "dc=expanor,dc=local"
and
rootdn "cn=Manager,dc=expanor,dc=local"
and
# vi /etc/sysconfig/ldap
verify that
SLAPD_LDAP=yes
======================================================================
[root@sama openldap]# cp /usr/share/openldap-servers/slapd.conf.obsolete slapd.conf
[root@sama openldap]# ls
certs ldap.conf schema slapd.conf slapd.d
[root@sama openldap]# more slapd.conf
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# Load dynamic backend modules
# - modulepath is architecture dependent value (32/64-bit system)
# - back_sql.la overlay requires openldap-server-sql package
# - dyngroup.la and dynlist.la cannot be used at the same time
# modulepath /usr/lib/openldap
# modulepath /usr/lib64/openldap
# moduleload accesslog.la
# moduleload auditlog.la
# moduleload back_sql.la
# moduleload chain.la
# moduleload collect.la
# moduleload constraint.la
# moduleload dds.la
# moduleload deref.la
# moduleload dyngroup.la
# moduleload dynlist.la
# moduleload memberof.la
# moduleload pbind.la
# moduleload pcache.la
# moduleload ppolicy.la
# moduleload refint.la
# moduleload retcode.la
# moduleload rwm.la
# moduleload seqmod.la
# moduleload smbk5pwd.la
# moduleload sssvlv.la
# moduleload syncprov.la
# moduleload translucent.la
# moduleload unique.la
# moduleload valsort.la
# The next three lines allow use of TLS for encrypting connections using a
# dummy test certificate which you can generate by running
# /usr/libexec/openldap/generate-server-cert.sh. Your client software may balk
# at self-signed certificates, however.
TLSCACertificatePath /etc/openldap/certs
TLSCertificateFile "\"OpenLDAP Server\""
TLSCertificateKeyFile /etc/openldap/certs/password
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
# enable on-the-fly configuration (cn=config)
database config
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" ma
nage
by * none
# enable server status monitoring (cn=monitor)
database monitor
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" re
ad
by dn.exact="cn=Manager,dc=my-domain,dc=com" read
by * none
#######################################################################
# database definitions
#######################################################################
database bdb
suffix "dc=my-domain,dc=com"
checkpoint 1024 15
rootdn "cn=Manager,dc=my-domain,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw secret
# rootpw {crypt}ijFYNcSNctBYg
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
# bindmethod=sasl saslmech=GSSAPI
# authcId=host/ldap-master.example.com@EXAMPLE.COM
4. Generate the root password hash for LDAP (the hash shown below is only an example from this session; generate your own with slappasswd rather than copying it)
[root@sama openldap]# slappasswd
New password:
Re-enter new password:
{SSHA}O888/ATP9sai92UIKJCS6sk2SARkJEX/
5. Copy the DB_CONFIG file
[root@sama openldap]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@sama openldap]# chown ldap.ldap -R /var/lib/ldap/DB_CONFIG
[root@sama openldap]# ls -ld /var/lib/ldap/DB_CONFIG
-rw-r--r--. 1 ldap ldap 921 Mar 16 20:01 /var/lib/ldap/DB_CONFIG
6. Edit the slapd.conf file and change the my-domain and com placeholders to your domain info.
[root@sama openldap]# vi slapd.conf
[root@sama openldap]# pwd
/etc/openldap
[root@sama openldap]# ls -ld slapd.d/
drwx------. 3 ldap ldap 4096 Mar 16 19:39 slapd.d/
[root@sama openldap]# cp -rp slapd.d/ slapd.d.old
[root@sama openldap]# rm -rf slapd.d/*
[root@sama openldap]# ls -l slapd.d/
total 0
7. Run the slaptest command.
[root@sama openldap]# slaptest -f slapd.conf -F slapd.d/
bdb_db_open: database "dc=expanor,dc=local": db_open(/var/lib/ldap/id2entry.bdb) failed: No such file or
directory (2).
backend_startup_one (type=bdb, suffix="dc=expanor,dc=local"): bi_db_open failed! (2)
slap_startup failed (test would succeed using the -u switch)
[root@sama openldap]# ls -ld /var/lib/ldap/
drwx------. 2 ldap ldap 4096 Mar 16 21:27 /var/lib/ldap/
[root@sama openldap]# chow -R ldap.ldap /var/lib/ldap/
-bash: chow: command not found
[root@sama openldap]# ls -l /var/lib/ldap/
total 9028
-rw-r--r--. 1 root root 2048 Mar 16 21:27 alock
-rw-------. 1 root root 24576 Mar 16 21:27 __db.001
-rw-------. 1 root root 7225344 Mar 16 21:27 __db.002
-rw-------. 1 root root 335552512 Mar 16 21:27 __db.003
-rw-------. 1 root root 2359296 Mar 16 21:27 __db.004
-rw-------. 1 root root 491520 Mar 16 21:27 __db.005
-rw-------. 1 root root 32768 Mar 16 21:27 __db.006
-rw-r--r--. 1 ldap ldap 921 Mar 16 20:01 DB_CONFIG
[root@sama openldap]# chown -R ldap.ldap /var/lib/ldap/
[root@sama openldap]# pwd
/etc/openldap
[root@sama openldap]# ls -ld slapd.d
drwx------. 3 ldap ldap 4096 Mar 16 21:27 slapd.d
[root@sama openldap]# ls -l slapd.d
total 8
drwxr-x---. 3 root root 4096 Mar 16 21:27 cn=config
-rw-------. 1 root root 1120 Mar 16 21:27 cn=config.ldif
[root@sama openldap]# chown -R ldap.ldap slapd.d
[root@sama openldap]# vi /etc/sysconfig/ldap
====================================================================
and search for the string "padl.com" and change it to your domain; search for the other occurrences of padl as well and change them
accordingly.
====================================================================
8. Generate a self-signed certificate
[root@sama openldap]# openssl req -new -x509 -nodes -out /etc/openldap/certs/slapdcert.pem -keyout
/etc/openldap/certs/slapdkey.pem -days 365
Generating a 2048 bit RSA private key
................................................................................
.....................................+++
....................................................................+++
writing new private key to '/etc/openldap/certs/slapdkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:VA
Locality Name (eg, city) [Default City]:Fairfax
Organization Name (eg, company) [Default Company Ltd]:Expanor
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:sama.expanor.local
Email Address []:jay@sama.expanor.local
9. Restart the service
[root@sama openldap]# service slapd status
slapd is stopped
[root@sama openldap]# service slapd start
Starting slapd: [ OK ]
10. Make some changes to the migrate_common.ph file based on your info.
[root@sama openldap]# vi /usr/share/migrationtools/migrate_common.ph
11. Create a test user on your system
================================================================
create a user called ldapuser1 and set the password for the user.
grep only the ldapuser entry from /etc/passwd and save the output to a file called users.txt
[root@sama openldap]# grep ldapuser /etc/passwd >users.txt
[root@sama openldap]# /usr/share/migrationtools/migrate_passwd.pl users.txt > passwd.ldif
================================================================
[root@sama openldap]# useradd ldapuser1
[root@sama openldap]# passwd ldapuser1
Changing password for user ldapuser1.
New password:
BAD PASSWORD: it is based on a dictionary word
Retype new password:
passwd: all authentication tokens updated successfully.
12. Convert user info from /etc/passwd format to ldif file
[root@sama openldap]# grep ldapuser /etc/passwd
ldapuser1:x:528:529::/home/ldapuser1:/bin/bash
[root@sama openldap]# grep ldapuser /etc/passwd >users.txt
[root@sama openldap]# pwd
/etc/openldap
[root@sama openldap]# /usr/share/migrationtools/migrate_passwd.pl users.txt > passwd.ldif
[root@sama openldap]# vi /root/base.ldif
[root@sama openldap]# more /root/base.ldif
dn: dc=expanor,dc=local
dc: expanor
objectClass: domain
dn: ou=People,dc=expanor,dc=local
ou: People
objectClass: top
objectClass: organizationalUnit
dn: ou=Group,dc=expanor,dc=local
ou: Group
objectClass: top
objectClass: organizationalUnit
[root@sama openldap]# ldapadd -x -M -D "cn=Manager,dc=expanor.dc=local" -f /root/base.ldif
ldap_bind: Server is unwilling to perform (53)
additional info: unauthenticated bind (DN with no password) disallowed
Note: add the root user first to get rid of the error message.
[root@sama openldap]# grep root /etc/passwd
root:x:0:0:root:/root:/bin/bash
operator:x:11:0:operator:/root:/sbin/nologin
[root@sama openldap]# cat >passwd.root
root:x:0:0:root:/root:/bin/bash
[root@sama openldap]# /usr/share/migrationtools/migrate_passwd.pl passwd.root root.ldif
[root@sama openldap]# ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f /etc/openldap/root.ldif
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
13. Create your domain info.
[root@sama openldap]# mv expanor.ldif expanor.local.ldif
[root@sama openldap]# more expanor.local.ldif
dn: dc=expanor,dc=local
dc: expanor
description: LDAP Admin
objectClass: dcObject
objectClass: organizationalUnit
ou: rootobject
dn: ou=People, dc=expanor,dc=local
ou: People
description: Users of expanor
objectClass: organizationalUnit
[root@sama openldap]# ldapadd -x -D "cn=Manager,dc=expanor,dc=local" -W -f expanor.local.ldif
Enter LDAP Password:
adding new entry "dc=expanor,dc=local"
adding new entry "ou=People, dc=expanor,dc=local"
[root@sama openldap]# more expanor.local.ldif
dn: dc=expanor,dc=local
dc: expanor
description: LDAP Admin
objectClass: dcObject
objectClass: organizationalUnit
ou: rootobject
dn: ou=People, dc=expanor,dc=local
ou: People
description: Users of expanor
objectClass: organizationalUnit
14. Import users (root first) in to the LDAP
[root@sama openldap]# ldapadd -x -D "cn=Manager,dc=expanor,dc=local" -W -f root.ldif
Enter LDAP Password:
adding new entry "uid=root,ou=People,dc=expanor,dc=local"
[root@sama openldap]# service slapd status
slapd (pid 14100) is running...
[root@sama openldap]# service slapd restart
Stopping slapd: [ OK ]
Starting slapd: [ OK ]
[root@sama openldap]# ldapsearch -x -b 'dc=expanor,dc=local' '(objectclass=*)'
# extended LDIF
#
# LDAPv3
# base <dc=expanor,dc=local> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# expanor.local
dn: dc=expanor,dc=local
dc: expanor
description: LDAP Admin
objectClass: dcObject
objectClass: organizationalUnit
ou: rootobject
# People, expanor.local
dn: ou=People,dc=expanor,dc=local
ou: People
description: Users of expanor
objectClass: organizationalUnit
# root, People, expanor.local
dn: uid=root,ou=People,dc=expanor,dc=local
uid: root
cn: root
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQ2JDlDazRJYjJDJEo2dVBiVDZtclFTUnJVVzJFNFdaZWUwN2l0Z2x
xVGlpSFN2TXRUc05rRUVkczkwbUFvWk9FQlc0RXFLem42YjVlZTkycGhFNXRNMHlGNFNab0dvUFgv
shadowLastChange: 15767
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 0
gidNumber: 0
homeDirectory: /root
gecos: root
# search result
search: 2
result: 0 Success
# numResponses: 4
# numEntries: 3
14.a. Add the test user to LDAP.
[root@sama openldap]# ldapadd -x -D "cn=Manager,dc=expanor,dc=local" -W -f passwd.ldif
Enter LDAP Password:
adding new entry "uid=ldapuser1,ou=People,dc=expanor,dc=local"
15. Search for the entry in LDAP. If you see your user info, it's working.
[root@sama openldap]# ldapsearch -x -b 'dc=expanor,dc=local' '(objectclass=*)' | more
# extended LDIF
#
# LDAPv3
# base <dc=expanor,dc=local> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# expanor.local
dn: dc=expanor,dc=local
dc: expanor
description: LDAP Admin
objectClass: dcObject
objectClass: organizationalUnit
ou: rootobject
# People, expanor.local
dn: ou=People,dc=expanor,dc=local
ou: People
description: Users of expanor
objectClass: organizationalUnit
# root, People, expanor.local
dn: uid=root,ou=People,dc=expanor,dc=local
uid: root
cn: root
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQ2JDlDazRJYjJDJEo2dVBiVDZtclFTUnJVVzJFNFdaZWUwN2l0Z2x
xVGlpSFN2TXRUc05rRUVkczkwbUFvWk9FQlc0RXFLem42YjVlZTkycGhFNXRNMHlGNFNab0dvUFgv
shadowLastChange: 15767
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 0
gidNumber: 0
homeDirectory: /root
gecos: root
# ldapuser1, People, expanor.local
dn: uid=ldapuser1,ou=People,dc=expanor,dc=local
uid: ldapuser1
cn: ldapuser1
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQ2JHhTdllpcHBLJGRUVEd1Ym4zeUY0UUdpNFgzT2o2c3gzUDIvVkR
Yb0dIRk41WDloMWc3aFJHekFCczNaeWFiSS9aSmRrS0NFT1BVTElCTUdoMnd5OXAvR0xLWGxFWi4u
shadowLastChange: 15781
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 528
gidNumber: 529
homeDirectory: /home/ldapuser1
# search result
search: 2
result: 0 Success
# numResponses: 5
# numEntries: 4
[root@sama openldap]#
[root@sama openldap]# more slapd.conf
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# The next three lines allow use of TLS for encrypting connections using a
# dummy test certificate which you can generate by running
# /usr/libexec/openldap/generate-server-cert.sh. Your client software may balk
# at self-signed certificates, however.
TLSCACertificatePath /etc/openldap/certs
TLSCertificateFile /etc/openldap/certs/slapdcert.pem
# TLSCertificateFile "\"OpenLDAP Server\""
TLSCertificateKeyFile /etc/openldap/certs/slapdkey.pem
# enable on-the-fly configuration (cn=config)
database config
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
by * none
# enable server status monitoring (cn=monitor)
database monitor
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
by dn.exact="cn=Manager,dc=expanor,dc=local" read
by * none
#######################################################################
# database definitions
#######################################################################
database bdb
suffix "dc=expanor,dc=local"
#suffix "dc=my-domain,dc=com"
checkpoint 1024 15
rootdn "cn=Manager,dc=expanor,dc=local"
#rootdn "cn=Manager,dc=my-domain,dc=com"
# rootpw {crypt}ijFYNcSNctBYg
rootpw {SSHA}hZHoEV/NkQhTpGl5HDb3SYadhq1UafWh
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
# bindmethod=sasl saslmech=GSSAPI
# authcId=host/ldap-master.example.com@EXAMPLE.COM
[root@sama openldap]#
[root@sama openldap]# chkconfig --list slapd
slapd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
[root@sama openldap]# chkconfig slapd on
[root@sama openldap]# chkconfig --list slapd
slapd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
Creating a certificate to authenticate the LDAP client:
[root@sama CA]# openssl genrsa -out ca.key 1024
Generating RSA private key, 1024 bit long modulus
....++++++
..........++++++
e is 65537 (0x10001)
[root@sama CA]# openssl req -new -key ca.key -out ca.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:VA
Locality Name (eg, city) [Default City]:Fairfax
Organization Name (eg, company) [Default Company Ltd]:Expanor
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:sama.expanor.local
Email Address []:jay@sama.expanor.local
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:changeme
An optional company name []:
[root@sama CA]# pwd
/var/www/html/CA
[root@sama CA]# openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.c rt
Signature ok
subject=/C=US/ST=VA/L=Fairfax/O=Expanor/OU=IT/CN=sama.expanor.local/emailAddress =jay@sama.expanor.local
Getting Private key
[root@sama CA]# pwd
/var/www/html/CA
[root@sama CA]# ls -ltr
total 12
-rw-r--r--. 1 root root 887 Mar 17 09:18 ca.key
-rw-r--r--. 1 root root 741 Mar 17 09:20 ca.csr
-rw-r--r--. 1 root root 960 Mar 17 09:21 ca.crt
[root@sama CA]# pwd
/var/www/html/CA
[root@sama CA]# grep jay /etc/passwd >user.jay
[root@sama CA]# /usr/share/migrationtools/migrate_passwd.pl user.jay >user.jay.l dif
[root@sama CA]# more user.jay.ldif
dn: uid=jay,ou=People,dc=expanor,dc=local
uid: jay
cn: Jay
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$6$2zEGs6IA$XySxxA7zkB5RApv21xxNS2IMop7gCivvxhRdiapx9hTi2W2
YWI5d6NtdTspOIhbjhu/oLItci5T28MXHidcIB/
shadowLastChange: 15732
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 520
gidNumber: 520
homeDirectory: /home/jay
gecos: Jay
[root@sama CA]# ldapadd -x -D "cn=Manager,dc=expanor,dc=local" -W -f user.jay.ld if
Enter LDAP Password:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
[root@sama CA]# service slapd status
slapd dead but pid file exists
[root@sama CA]# service slapd restart
Stopping slapd: [FAILED]
Starting slapd: [ OK ]
[root@sama CA]# ldapadd -x -D "cn=Manager,dc=expanor,dc=local" -W -f user.jay.ld if
Enter LDAP Password:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
[root@sama CA]# service slapd restart
Stopping slapd: [FAILED]
Starting slapd: [ OK ]
[root@sama CA]# ldapadd -x -D "cn=Manager,dc=expanor,dc=local" -W -f user.jay.ld if
Enter LDAP Password:
adding new entry "uid=jay,ou=People,dc=expanor,dc=local"
[root@sama CA]# service slapd status
slapd (pid 25647) is running...
[root@sama CA]# service slapd status
slapd dead but pid file exists
[root@sama CA]# service slapd restart
Stopping slapd: [FAILED]
Starting slapd: [ OK ]
[root@sama CA]# service slapd status
slapd (pid 26016) is running...
[root@sama CA]# service slapd status
Ref: http://www.howtoforge.com/linux_openldap_setup_server_client