Sunday, March 17, 2013

Step by step GUIDE to install and setup openLDAP on RedHat

The steps include creating a certificate so that clients can connect over TLS.

1. Install required packages
[root@sama openldap]# yum install openldap-servers migrationtools openldap db4

2. Run updatedb at the prompt.
[root@sama openldap]# updatedb

3. Copy the slapd.conf file
[root@sama openldap]# cp /usr/share/openldap-servers/slapd.conf.obsolete slapd.conf

4. Generate root passwd for LDAP
[root@sama openldap]# slappasswd
New password:
{SSHA}O888/ATP9sai92UIKJCS6sk2SARkJEX/


5. Copy the DB_CONFIG file
[root@sama openldap]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@sama openldap]# chown ldap.ldap -R /var/lib/ldap/DB_CONFIG
[root@sama openldap]# ls -ld /var/lib/ldap/DB_CONFIG
-rw-r--r--. 1 ldap ldap 921 Mar 16 20:01 /var/lib/ldap/DB_CONFIG


6. Edit the slapd.conf file: change dc=my-domain,dc=com to your domain in suffix, rootdn and the cn=monitor access rule, set rootpw to the slappasswd hash, and point TLSCertificateFile/TLSCertificateKeyFile at the certificate and key generated in step 8 (details below). Then clear the old slapd.d/ contents so slaptest can regenerate them.

[root@sama openldap]# vi slapd.conf
[root@sama openldap]# pwd
/etc/openldap
[root@sama openldap]# ls -ld slapd.d/
drwx------. 3 ldap ldap 4096 Mar 16 19:39 slapd.d/
[root@sama openldap]# rm -rf slapd.d/* ; ls -l slapd.d/
total 0

7. Run the slaptest command to generate the slapd.d/ (cn=config) directory from slapd.conf.

[root@sama openldap]# slaptest -f slapd.conf -F slapd.d/


8. Generate certificate

[root@sama openldap]# openssl req -new -x509 -nodes -out /etc/openldap/certs/slapdcert.pem -keyout /etc/openldap/certs/slapdkey.pem -days 365


9. Start the service
[root@sama openldap]# service slapd start


10. Edit migrate_common.ph and replace the padl.com defaults ($DEFAULT_MAIL_DOMAIN and $DEFAULT_BASE) with your mail domain and base DN.

[root@sama openldap]# vi /usr/share/migrationtools/migrate_common.ph


11. Create a test user on your system

[root@sama openldap]# useradd ldapuser1
[root@sama openldap]# passwd ldapuser1
Changing password for user ldapuser1.
New password:
BAD PASSWORD: it is based on a dictionary word
Retype new password:
passwd: all authentication tokens updated successfully.

12. Convert the user info from /etc/passwd format to an LDIF file

[root@sama openldap]# grep ldapuser /etc/passwd
ldapuser1:x:528:529::/home/ldapuser1:/bin/bash
[root@sama openldap]# grep ldapuser /etc/passwd >users.txt
[root@sama openldap]# pwd
/etc/openldap

[root@sama openldap]# /usr/share/migrationtools/migrate_passwd.pl users.txt > passwd.ldif


13. Create your domain info and load..

[root@sama openldap]# vi expanor.local.ldif
[root@sama openldap]# ldapadd -x -D "cn=Manager,dc=expanor,dc=local" -W -f expanor.local.ldif

14. Import users (root first) into the LDAP

[root@sama openldap]# ldapadd -x -D "cn=Manager,dc=expanor,dc=local" -W -f root.ldif

15. Search the entry on the LDAP. If you see your user info, it's working.

[root@sama openldap]# ldapsearch -x -b 'dc=expanor,dc=local' '(objectclass=*)' | more





----------- detail ----------------

1. Install packages

[root@sama openldap]# yum install openldap-servers migrationtools
Loaded plugins: product-id, refresh-packagekit, subscription-manager
Updating Red Hat repositories.
Setting up Install Process
Package openldap-servers-2.4.23-31.el6.i686 already installed and latest version
Resolving Dependencies
--> Running transaction check
---> Package migrationtools.noarch 0:47-7.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package                Arch           Version          Repository         Size
================================================================================
Installing:
 migrationtools         noarch         47-7.el6         MY-RHL6.4          24 k

Transaction Summary
================================================================================
Install       1 Package(s)

Total download size: 24 k
Installed size: 104 k
Is this ok [y/N]: y
Downloading Packages:
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : migrationtools-47-7.el6.noarch                               1/1
duration: 782(ms)
Installed products updated.

Installed:
  migrationtools.noarch 0:47-7.el6

Complete!
[root@sama openldap]# ls
certs  ldap.conf  schema  slapd.d

2. Run updatedb at the prompt.

[root@sama openldap]# updatedb
[root@sama openldap]# ls
certs  ldap.conf  schema  slapd.d
[root@sama openldap]# locate slapd.conf
/usr/share/man/man5/slapd.conf.5.gz
/usr/share/openldap-servers/slapd.conf.obsolete


3. Copy the slapd.conf file

======================================================================

[root@sama openldap]# vi slapd.conf

Search for rootpw and enter the hashed password from the slappasswd output, as follows:

rootpw                  {SSHA}O888/ATP9sai92UIKJCS6sk2SARkJEX/

Search for TLSCertificateFile. The stock entries refer to the NSS certificate database in /etc/openldap/certs (certificate nickname "\"OpenLDAP Server\"", key "file" /etc/openldap/certs/password); replace both with the PEM files that step 8 generates:

TLSCertificateFile  /etc/openldap/certs/slapdcert.pem
TLSCertificateKeyFile /etc/openldap/certs/slapdkey.pem

Search for my-domain and change it to your domain everywhere it appears, including the suffix line

suffix          "dc=expanor,dc=local"

and

rootdn          "cn=Manager,dc=expanor,dc=local"

and the "cn=Manager,dc=my-domain,dc=com" entry in the cn=monitor access rule.

Then edit the service defaults:

# vi /etc/sysconfig/ldap

and verify that
SLAPD_LDAP=yes
(also set SLAPD_LDAPS=yes if clients will connect over ldaps:// on port 636 rather than using StartTLS on port 389; otherwise the certificate is loaded but nothing forces clients to use it).

======================================================================

[root@sama openldap]# cp /usr/share/openldap-servers/slapd.conf.obsolete slapd.conf
[root@sama openldap]# ls
certs  ldap.conf  schema  slapd.conf  slapd.d
[root@sama openldap]# more slapd.conf
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#

include         /etc/openldap/schema/corba.schema
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/duaconf.schema
include         /etc/openldap/schema/dyngroup.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/java.schema
include         /etc/openldap/schema/misc.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/openldap.schema
include         /etc/openldap/schema/ppolicy.schema
include         /etc/openldap/schema/collective.schema

# Allow LDAPv2 client connections.  This is NOT the default.
allow bind_v2

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

# Load dynamic backend modules
# - modulepath is architecture dependent value (32/64-bit system)
# - back_sql.la overlay requires openldap-server-sql package
# - dyngroup.la and dynlist.la cannot be used at the same time

# modulepath /usr/lib/openldap
# modulepath /usr/lib64/openldap

# moduleload accesslog.la
# moduleload auditlog.la
# moduleload back_sql.la
# moduleload chain.la
# moduleload collect.la
# moduleload constraint.la
# moduleload dds.la
# moduleload deref.la
# moduleload dyngroup.la
# moduleload dynlist.la
# moduleload memberof.la
# moduleload pbind.la
# moduleload pcache.la
# moduleload ppolicy.la
# moduleload refint.la
# moduleload retcode.la
# moduleload rwm.la
# moduleload seqmod.la
# moduleload smbk5pwd.la
# moduleload sssvlv.la
# moduleload syncprov.la
# moduleload translucent.la
# moduleload unique.la
# moduleload valsort.la

# The next three lines allow use of TLS for encrypting connections using a
# dummy test certificate which you can generate by running
# /usr/libexec/openldap/generate-server-cert.sh. Your client software may balk
# at self-signed certificates, however.
TLSCACertificatePath /etc/openldap/certs
TLSCertificateFile "\"OpenLDAP Server\""
TLSCertificateKeyFile /etc/openldap/certs/password

# Sample security restrictions
#       Require integrity protection (prevent hijacking)
#       Require 112-bit (3DES or better) encryption for updates
#       Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
#       Root DSE: allow anyone to read it
#       Subschema (sub)entry DSE: allow anyone to read it
#       Other DSEs:
#               Allow self write access
#               Allow authenticated users read access
#               Allow anonymous users to authenticate
#       Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#       by self write
#       by users read
#       by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

# enable on-the-fly configuration (cn=config)
database config
access to *
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
        by * none

# enable server status monitoring (cn=monitor)
database monitor
access to *
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
        by dn.exact="cn=Manager,dc=my-domain,dc=com" read
        by * none

#######################################################################
# database definitions
#######################################################################

database        bdb
suffix          "dc=my-domain,dc=com"
checkpoint      1024 15
rootdn          "cn=Manager,dc=my-domain,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw                secret
# rootpw                {crypt}ijFYNcSNctBYg

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /var/lib/ldap

# Indices to maintain for this database
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub

# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
#     bindmethod=sasl saslmech=GSSAPI
#     authcId=host/ldap-master.example.com@EXAMPLE.COM

4. Generate root passwd for LDAP
[root@sama openldap]# slappasswd
New password:
Re-enter new password:
{SSHA}O888/ATP9sai92UIKJCS6sk2SARkJEX/

5. Copy the DB_CONFIG file
[root@sama openldap]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@sama openldap]# chown ldap.ldap -R /var/lib/ldap/DB_CONFIG
[root@sama openldap]# ls -ld /var/lib/ldap/DB_CONFIG
-rw-r--r--. 1 ldap ldap 921 Mar 16 20:01 /var/lib/ldap/DB_CONFIG

6. Edit the slapd.conf file and change dc=my-domain,dc=com to your domain (see the notes under step 3), then back up and clear the old slapd.d/ contents so slaptest can regenerate them.

[root@sama openldap]# vi slapd.conf
[root@sama openldap]# pwd
/etc/openldap
[root@sama openldap]# ls -ld slapd.d/
drwx------. 3 ldap ldap 4096 Mar 16 19:39 slapd.d/
[root@sama openldap]# cp -rp slapd.d/ slapd.d.old
[root@sama openldap]# rm -rf slapd.d/*
[root@sama openldap]# ls -l slapd.d/
total 0

7. Run the slaptest command to generate slapd.d/ from slapd.conf. Because it is run as root it leaves root-owned files behind in /var/lib/ldap and slapd.d/, which slapd (running as the ldap user) cannot read; chown both to ldap afterwards, as done below, or run slaptest with -u as the message suggests.

[root@sama openldap]# slaptest -f slapd.conf -F slapd.d/
bdb_db_open: database "dc=expanor,dc=local": db_open(/var/lib/ldap/id2entry.bdb) failed: No such file or directory (2).
backend_startup_one (type=bdb, suffix="dc=expanor,dc=local"): bi_db_open failed! (2)
slap_startup failed (test would succeed using the -u switch)
[root@sama openldap]# ls -ld /var/lib/ldap/
drwx------. 2 ldap ldap 4096 Mar 16 21:27 /var/lib/ldap/
[root@sama openldap]# chow -R ldap.ldap /var/lib/ldap/
-bash: chow: command not found
[root@sama openldap]# ls -l /var/lib/ldap/
total 9028
-rw-r--r--. 1 root root      2048 Mar 16 21:27 alock
-rw-------. 1 root root     24576 Mar 16 21:27 __db.001
-rw-------. 1 root root   7225344 Mar 16 21:27 __db.002
-rw-------. 1 root root 335552512 Mar 16 21:27 __db.003
-rw-------. 1 root root   2359296 Mar 16 21:27 __db.004
-rw-------. 1 root root    491520 Mar 16 21:27 __db.005
-rw-------. 1 root root     32768 Mar 16 21:27 __db.006
-rw-r--r--. 1 ldap ldap       921 Mar 16 20:01 DB_CONFIG
[root@sama openldap]# chown -R ldap.ldap /var/lib/ldap/
[root@sama openldap]# pwd
/etc/openldap
[root@sama openldap]# ls -ld slapd.d
drwx------. 3 ldap ldap 4096 Mar 16 21:27 slapd.d
[root@sama openldap]# ls -l slapd.d
total 8
drwxr-x---. 3 root root 4096 Mar 16 21:27 cn=config
-rw-------. 1 root root 1120 Mar 16 21:27 cn=config.ldif
[root@sama openldap]# chown -R ldap.ldap slapd.d
[root@sama openldap]# vi /etc/sysconfig/ldap

====================================================================

For migrate_common.ph (step 10): search for the string "padl.com" and change $DEFAULT_MAIL_DOMAIN to your mail domain and $DEFAULT_BASE (dc=padl,dc=com) to your base DN, here "dc=expanor,dc=local". Search for any other occurrence of padl and change it accordingly.

====================================================================

8. Generate certificate

[root@sama openldap]# openssl req -new -x509 -nodes -out /etc/openldap/certs/slapdcert.pem -keyout /etc/openldap/certs/slapdkey.pem -days 365
Generating a 2048 bit RSA private key
................................................................................          

.....................................+++
....................................................................+++
writing new private key to '/etc/openldap/certs/slapdkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:VA
Locality Name (eg, city) [Default City]:Fairfax
Organization Name (eg, company) [Default Company Ltd]:Expanor
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:sama.expanor.local
Email Address []:jay@sama.expanor.local

9. Start the service

[root@sama openldap]# service slapd status
slapd is stopped
[root@sama openldap]# service slapd start
Starting slapd:                                            [  OK  ]

10. Edit migrate_common.ph and replace the padl.com defaults ($DEFAULT_MAIL_DOMAIN and $DEFAULT_BASE) with your mail domain and base DN.

[root@sama openldap]# vi /usr/share/migrationtools/migrate_common.ph


11. Create a test user on your system

================================================================

Create a user called ldapuser1 and set its password. Then grep only the ldapuser entry out of /etc/passwd, save it to a file called users.txt and convert it to LDIF:

[root@sama openldap]# grep ldapuser /etc/passwd >users.txt
[root@sama openldap]# /usr/share/migrationtools/migrate_passwd.pl users.txt > passwd.ldif

================================================================

[root@sama openldap]# useradd ldapuser1
[root@sama openldap]# passwd ldapuser1
Changing password for user ldapuser1.
New password:
BAD PASSWORD: it is based on a dictionary word
Retype new password:
passwd: all authentication tokens updated successfully.

12. Convert the user info from /etc/passwd format to an LDIF file

[root@sama openldap]# grep ldapuser /etc/passwd
ldapuser1:x:528:529::/home/ldapuser1:/bin/bash
[root@sama openldap]# grep ldapuser /etc/passwd >users.txt
[root@sama openldap]# pwd
/etc/openldap

[root@sama openldap]# /usr/share/migrationtools/migrate_passwd.pl users.txt > passwd.ldif
[root@sama openldap]# vi /root/base.ldif
[root@sama openldap]# more /root/base.ldif
dn: dc=expanor,dc=local
dc: expanor
objectClass: domain

dn: ou=People,dc=expanor,dc=local
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=expanor,dc=local
ou: Group
objectClass: top
objectClass: organizationalUnit

[root@sama openldap]# ldapadd -x -M -D "cn=Manager,dc=expanor.dc=local" -f /root/base.ldif
ldap_bind: Server is unwilling to perform (53)
        additional info: unauthenticated bind (DN with no password) disallowed


Note: this bind failed because no password was supplied (there is no -W), and the DN is also mistyped (dc=expanor.dc=local instead of dc=expanor,dc=local). The next attempt below binds with -W but as cn=Manager,dc=example,dc=com, which is not the rootdn of this directory, so it fails with Invalid credentials (49). Adding the root user is not what fixes this; the imports succeed in step 13 once the correct DN, cn=Manager,dc=expanor,dc=local, and the rootpw are used. /root/base.ldif (with ou=Group) is never loaded; step 13 loads expanor.local.ldif instead.

[root@sama openldap]# grep root /etc/passwd
root:x:0:0:root:/root:/bin/bash
operator:x:11:0:operator:/root:/sbin/nologin

[root@sama openldap]# cat >passwd.root
root:x:0:0:root:/root:/bin/bash

[root@sama openldap]# /usr/share/migrationtools/migrate_passwd.pl passwd.root root.ldif



[root@sama openldap]# ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f /etc/openldap/root.ldif
Enter LDAP Password:
ldap_bind: Invalid credentials (49)

13. Create your domain info..

[root@sama openldap]# mv expanor.ldif expanor.local.ldif
[root@sama openldap]# more expanor.local.ldif
dn: dc=expanor,dc=local
dc: expanor
description: LDAP Admin
objectClass: dcObject
objectClass: organizationalUnit
ou: rootobject

dn: ou=People, dc=expanor,dc=local
ou: People
description: Users of expanor
objectClass: organizationalUnit

[root@sama openldap]# ldapadd -x -D "cn=Manager,dc=expanor,dc=local" -W -f expanor.local.ldif
Enter LDAP Password:
adding new entry "dc=expanor,dc=local"

adding new entry "ou=People, dc=expanor,dc=local"

14. Import users (root first) into the LDAP. Importing root is a bad idea in practice: an entry with uidNumber 0 becomes a root login on every client that uses this directory, and with the access rules used here its password hash is readable anonymously (see step 15). Keep root local and import only ordinary users.

[root@sama openldap]# ldapadd -x -D "cn=Manager,dc=expanor,dc=local" -W -f root.ldif
Enter LDAP Password:
adding new entry "uid=root,ou=People,dc=expanor,dc=local"

[root@sama openldap]# service slapd status
slapd (pid  14100) is running...
[root@sama openldap]# service slapd restart
Stopping slapd:                                            [  OK  ]
Starting slapd:                                            [  OK  ]
[root@sama openldap]# ldapsearch -x -b 'dc=expanor,dc=local' '(objectclass=*)'
# extended LDIF
#
# LDAPv3
# base <dc=expanor,dc=local> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# expanor.local
dn: dc=expanor,dc=local
dc: expanor
description: LDAP Admin
objectClass: dcObject
objectClass: organizationalUnit
ou: rootobject

# People, expanor.local
dn: ou=People,dc=expanor,dc=local
ou: People
description: Users of expanor
objectClass: organizationalUnit

# root, People, expanor.local
dn: uid=root,ou=People,dc=expanor,dc=local
uid: root
cn: root
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQ2JDlDazRJYjJDJEo2dVBiVDZtclFTUnJVVzJFNFdaZWUwN2l0Z2x
 xVGlpSFN2TXRUc05rRUVkczkwbUFvWk9FQlc0RXFLem42YjVlZTkycGhFNXRNMHlGNFNab0dvUFgv
shadowLastChange: 15767
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 0
gidNumber: 0
homeDirectory: /root
gecos: root

# search result
search: 2
result: 0 Success

# numResponses: 4
# numEntries: 3

14.a. Add test user to the LDAP.

[root@sama openldap]# ldapadd -x -D "cn=Manager,dc=expanor,dc=local" -W -f passwd.ldif
Enter LDAP Password:
adding new entry "uid=ldapuser1,ou=People,dc=expanor,dc=local"
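As an added example (not part of the original post and not the migrationtools script), here is a shell/awk version of the passwd-to-LDIF conversion done in steps 12 to 14.a that also applies the filter migrate_passwd.pl does not: it skips uid 0 and system accounts below a UID floor, and emits no userPassword for locked accounts. The base DN dc=expanor,dc=local, the UID floor of 500 and the passwd/shadow lines are constructed for the example; the hashes are placeholders, not real hashes.

```shell
#!/bin/sh
# Added example, not from the original post and not migrate_passwd.pl:
# build the posixAccount/shadowAccount LDIF that the post imports, straight
# from /etc/passwd and /etc/shadow lines, but refuse uid 0 and system
# accounts. Base DN, UID floor and sample lines are constructed.

# passwd_to_ldif PASSWD_FILE SHADOW_FILE BASE_DN MIN_UID  - LDIF on stdout
passwd_to_ldif() {
    awk -F: -v base="$3" -v minuid="$4" '
        # First input (shadow, must be non-empty): hash and ageing per login.
        NR == FNR {
            hash[$1] = $2; lastchg[$1] = $3; smin[$1] = $4
            smax[$1] = $5; swarn[$1] = $6
            next
        }
        # Second input (passwd): refuse uid 0 and anything below MIN_UID.
        # A root entry (uidNumber 0) in the directory is a root login on every
        # client that uses it, so it is filtered out, not migrated.
        $3 + 0 < minuid + 0 { next }
        {
            login = $1
            split($5, g, ",")                     # first gecos field is the cn
            printf "dn: uid=%s,ou=People,%s\n", login, base
            printf "uid: %s\n", login
            printf "cn: %s\n", (g[1] != "" ? g[1] : login)
            print "objectClass: account"
            print "objectClass: posixAccount"
            print "objectClass: top"
            print "objectClass: shadowAccount"
            # Locked or empty hashes (!, *, !!) produce no userPassword at all,
            # so the account cannot authenticate until a password is set.
            h = (login in hash) ? hash[login] : ""
            if (h != "" && h !~ /^[!*]/)
                printf "userPassword: {crypt}%s\n", h
            if (login in lastchg && lastchg[login] != "") {
                printf "shadowLastChange: %s\n", lastchg[login]
                printf "shadowMin: %s\n", smin[login]
                printf "shadowMax: %s\n", smax[login]
                printf "shadowWarning: %s\n", swarn[login]
            }
            printf "loginShell: %s\n", $7
            printf "uidNumber: %s\n", $3
            printf "gidNumber: %s\n", $4
            printf "homeDirectory: %s\n", $6
            if ($5 != "") printf "gecos: %s\n", $5
            print ""
        }' "$2" "$1"
}

# Stand-alone run on constructed sample lines (placeholder hashes).
tmp=$(mktemp -d)
cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
ldapuser1:x:528:529::/home/ldapuser1:/bin/bash
jay:x:520:520:Jay,,,:/home/jay:/bin/bash
EOF
cat > "$tmp/shadow" <<'EOF'
root:$6$rootsalt$rootHASH:15767:0:99999:7:::
ldapuser1:$6$usersalt$userHASH:15781:0:99999:7:::
jay:!!:15732:0:99999:7:::
EOF
passwd_to_ldif "$tmp/passwd" "$tmp/shadow" "dc=expanor,dc=local" 500
rm -rf "$tmp"
```

Feed the output to ldapadd exactly as the post does with passwd.ldif. The {crypt} hashes still end up in the directory, which is why the access rules discussed under step 15 matter.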

15. Search the entry on the LDAP. If you see your user info, it's working. Note that this search is an anonymous bind (-x with no -D) and it still returns every userPassword hash: the slapd.conf used here has no access directives on the bdb database, so slapd's default policy lets anyone read everything. Before exposing the server to a network, add an access rule for userPassword of the form "by self write / by anonymous auth / by * none".

[root@sama openldap]# ldapsearch -x -b 'dc=expanor,dc=local' '(objectclass=*)' | more
# extended LDIF
#
# LDAPv3
# base <dc=expanor,dc=local> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# expanor.local
dn: dc=expanor,dc=local
dc: expanor
description: LDAP Admin
objectClass: dcObject
objectClass: organizationalUnit
ou: rootobject

# People, expanor.local
dn: ou=People,dc=expanor,dc=local
ou: People
description: Users of expanor
objectClass: organizationalUnit

# root, People, expanor.local
dn: uid=root,ou=People,dc=expanor,dc=local
uid: root
cn: root
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQ2JDlDazRJYjJDJEo2dVBiVDZtclFTUnJVVzJFNFdaZWUwN2l0Z2x
 xVGlpSFN2TXRUc05rRUVkczkwbUFvWk9FQlc0RXFLem42YjVlZTkycGhFNXRNMHlGNFNab0dvUFgv
shadowLastChange: 15767
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 0
gidNumber: 0
homeDirectory: /root
gecos: root

# ldapuser1, People, expanor.local
dn: uid=ldapuser1,ou=People,dc=expanor,dc=local
uid: ldapuser1
cn: ldapuser1
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQ2JHhTdllpcHBLJGRUVEd1Ym4zeUY0UUdpNFgzT2o2c3gzUDIvVkR
 Yb0dIRk41WDloMWc3aFJHekFCczNaeWFiSS9aSmRrS0NFT1BVTElCTUdoMnd5OXAvR0xLWGxFWi4u
shadowLastChange: 15781
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 528
gidNumber: 529
homeDirectory: /home/ldapuser1

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 4
[root@sama openldap]#


[root@sama openldap]# more slapd.conf
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#

include         /etc/openldap/schema/corba.schema
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/duaconf.schema
include         /etc/openldap/schema/dyngroup.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/java.schema
include         /etc/openldap/schema/misc.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/openldap.schema
include         /etc/openldap/schema/ppolicy.schema
include         /etc/openldap/schema/collective.schema

# Allow LDAPv2 client connections.  This is NOT the default.
allow bind_v2

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args



# The next three lines allow use of TLS for encrypting connections using a
# dummy test certificate which you can generate by running
# /usr/libexec/openldap/generate-server-cert.sh. Your client software may balk
# at self-signed certificates, however.
TLSCACertificatePath /etc/openldap/certs
TLSCertificateFile  /etc/openldap/certs/slapdcert.pem
# TLSCertificateFile "\"OpenLDAP Server\""
TLSCertificateKeyFile /etc/openldap/certs/slapdkey.pem



# enable on-the-fly configuration (cn=config)
database config
access to *
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
        by * none

# enable server status monitoring (cn=monitor)
database monitor
access to *
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
        by dn.exact="cn=Manager,dc=expanor,dc=local" read
        by * none

#######################################################################
# database definitions
#######################################################################

database        bdb
suffix          "dc=expanor,dc=local"
#suffix         "dc=my-domain,dc=com"
checkpoint      1024 15
rootdn          "cn=Manager,dc=expanor,dc=local"
#rootdn         "cn=Manager,dc=my-domain,dc=com"

# rootpw                {crypt}ijFYNcSNctBYg

rootpw                  {SSHA}hZHoEV/NkQhTpGl5HDb3SYadhq1UafWh

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /var/lib/ldap

# Indices to maintain for this database
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub

# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
#     bindmethod=sasl saslmech=GSSAPI
#     authcId=host/ldap-master.example.com@EXAMPLE.COM
[root@sama openldap]#

[root@sama openldap]# chkconfig --list slapd
slapd           0:off   1:off   2:off   3:off   4:off   5:off   6:off
[root@sama openldap]# chkconfig slapd on
[root@sama openldap]# chkconfig --list slapd
slapd           0:off   1:off   2:on    3:on    4:on    5:on    6:off
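The slapd.conf above has no access directives on the bdb database, keeps allow bind_v2, and never requires TLS even though a certificate is configured, which is why the anonymous ldapsearch in step 15 returned the password hashes. The following script is an added example, not configuration from the post: it audits a classic slapd.conf for those points and carries a hardened database section (the ACL and security values are an assumption about what a site would want) beside a copy of the weak one.

```shell
#!/bin/sh
# Added example (not from the original post): audit a classic slapd.conf for
# the weaknesses visible in the post's final configuration, with a weak and a
# corrected sample config side by side. Both samples are constructed; the
# hardened ACLs and security values are an assumption, not the post's config.

# audit_slapd_conf FILE  - prints one finding per line, always returns 0
audit_slapd_conf() {
    f="$1"
    # LDAPv2 binds explicitly enabled ("allow bind_v2").
    grep -Eq '^[[:space:]]*allow[[:space:]].*bind_v2' "$f" &&
        echo "allow bind_v2: LDAPv2 clients accepted (drop it unless a legacy client needs it)"
    # rootpw without a {SCHEME} prefix, i.e. stored in cleartext.
    grep -Eq '^[[:space:]]*rootpw[[:space:]]+[^{[:space:]]' "$f" &&
        echo "rootpw: cleartext value, use the slappasswd {SSHA} hash"
    # No "security" directive: simple binds and updates may travel in
    # cleartext even though TLS is configured.
    grep -Eq '^[[:space:]]*security[[:space:]]' "$f" ||
        echo "no security directive: simple binds allowed without TLS"
    # The user database (bdb/hdb/mdb) has no ACL protecting userPassword.
    # With no access directives slapd lets anyone read every attribute, which
    # is why an anonymous ldapsearch returns the password hashes.
    awk '
        /^[ \t]*database[ \t]+/ { inuser = ($2 == "bdb" || $2 == "hdb" || $2 == "mdb") }
        inuser && /^[ \t]*access[ \t]+to[ \t]+attrs=[^ \t]*userPassword/ { found = 1 }
        END { exit (found ? 0 : 1) }' "$f" ||
        echo "user database: no 'access to attrs=userPassword' rule, hashes are world-readable"
    return 0
}

# count_findings FILE  - number of findings for FILE (0 means clean)
count_findings() { audit_slapd_conf "$1" | awk 'END { print NR }'; }

# write_samples DIR  - DIR/weak.conf mirrors the post, DIR/fixed.conf is hardened
write_samples() {
    cat > "$1/weak.conf" <<'EOF'
allow bind_v2
TLSCACertificatePath /etc/openldap/certs
TLSCertificateFile  /etc/openldap/certs/slapdcert.pem
TLSCertificateKeyFile /etc/openldap/certs/slapdkey.pem
database config
access to *
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
        by * none
database        bdb
suffix          "dc=expanor,dc=local"
rootdn          "cn=Manager,dc=expanor,dc=local"
rootpw          {SSHA}hash-from-slappasswd
directory       /var/lib/ldap
EOF
    cat > "$1/fixed.conf" <<'EOF'
# no "allow bind_v2"; TLS (SSF 128) required for simple binds and updates
TLSCACertificatePath /etc/openldap/certs
TLSCertificateFile  /etc/openldap/certs/slapdcert.pem
TLSCertificateKeyFile /etc/openldap/certs/slapdkey.pem
security simple_bind=128 update_ssf=128
database config
access to *
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
        by * none
database        bdb
suffix          "dc=expanor,dc=local"
rootdn          "cn=Manager,dc=expanor,dc=local"
rootpw          {SSHA}hash-from-slappasswd
directory       /var/lib/ldap
# password hashes: the owner may change them, anyone may bind against them,
# nobody reads them back
access to attrs=userPassword,shadowLastChange
        by self write
        by anonymous auth
        by * none
# everything else: owner writes, authenticated users read, anonymous only binds
access to *
        by self write
        by users read
        by anonymous auth
EOF
}

# Stand-alone run over both samples.
tmp=$(mktemp -d)
write_samples "$tmp"
for c in weak fixed; do
    echo "== $c.conf: $(count_findings "$tmp/$c.conf") finding(s)"
    audit_slapd_conf "$tmp/$c.conf"
done
rm -rf "$tmp"
```

Run it against /etc/openldap/slapd.conf before slaptest. The rules must also go into the cn=config tree (slaptest regenerates it from this file), and with the security directive in place clients must use StartTLS or ldaps://, so test with ldapsearch -ZZ after restarting.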


Creating a CA certificate to authenticate the LDAP client. Two things to fix before doing this for real: the ls -ltr output below shows ca.key created 0644 under /var/www/html/CA, Apache's default document root, so the CA private key is world-readable and could be served over HTTP; create it with umask 077 outside any web root, and use at least a 2048-bit key instead of 1024. Note also that this CA is never used to sign slapdcert.pem from step 8, which stays self-signed, so clients still have to trust the server certificate directly.

[root@sama CA]# openssl genrsa -out ca.key 1024
Generating RSA private key, 1024 bit long modulus
....++++++
..........++++++
e is 65537 (0x10001)
[root@sama CA]# openssl req -new -key ca.key -out ca.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:VA
Locality Name (eg, city) [Default City]:Fairfax
Organization Name (eg, company) [Default Company Ltd]:Expanor
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:sama.expanor.local
Email Address []:jay@sama.expanor.local
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:changeme
An optional company name []:
[root@sama CA]# pwd
/var/www/html/CA
[root@sama CA]# openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
Signature ok
subject=/C=US/ST=VA/L=Fairfax/O=Expanor/OU=IT/CN=sama.expanor.local/emailAddress=jay@sama.expanor.local
Getting Private key
[root@sama CA]# pwd
/var/www/html/CA
[root@sama CA]# ls -ltr
total 12
-rw-r--r--. 1 root root 887 Mar 17 09:18 ca.key
-rw-r--r--. 1 root root 741 Mar 17 09:20 ca.csr
-rw-r--r--. 1 root root 960 Mar 17 09:21 ca.crt
[root@sama CA]# pwd
/var/www/html/CA

[root@sama CA]# grep jay /etc/passwd >user.jay
[root@sama CA]# /usr/share/migrationtools/migrate_passwd.pl user.jay >user.jay.ldif
[root@sama CA]# more user.jay.ldif
dn: uid=jay,ou=People,dc=expanor,dc=local
uid: jay
cn: Jay
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$6$2zEGs6IA$XySxxA7zkB5RApv21xxNS2IMop7gCivvxhRdiapx9hTi2W2YWI5d6NtdTspOIhbjhu/oLItci5T28MXHidcIB/
shadowLastChange: 15732
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 520
gidNumber: 520
homeDirectory: /home/jay
gecos: Jay
[root@sama CA]# ldapadd -x -D "cn=Manager,dc=expanor,dc=local" -W -f user.jay.ldif
Enter LDAP Password:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
[root@sama CA]# service slapd status
slapd dead but pid file exists
[root@sama CA]# service slapd restart
Stopping slapd:                                            [FAILED]
Starting slapd:                                            [  OK  ]
[root@sama CA]# ldapadd -x -D "cn=Manager,dc=expanor,dc=local" -W -f user.jay.ldif
Enter LDAP Password:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
[root@sama CA]# service slapd restart
Stopping slapd:                                            [FAILED]
Starting slapd:                                            [  OK  ]
[root@sama CA]# ldapadd -x -D "cn=Manager,dc=expanor,dc=local" -W -f user.jay.ldif
Enter LDAP Password:
adding new entry "uid=jay,ou=People,dc=expanor,dc=local"
[root@sama CA]# service slapd status
slapd (pid  25647) is running...
[root@sama CA]# service slapd status
slapd dead but pid file exists
[root@sama CA]# service slapd restart
Stopping slapd:                                            [FAILED]
Starting slapd:                                            [  OK  ]
[root@sama CA]# service slapd status
slapd (pid  26016) is running...
[root@sama CA]# service slapd status
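The CA section above creates a 1024-bit key as a world-readable file under the web document root, self-signs it with the server's hostname as CN, and never uses it to sign slapdcert.pem. As an added example (not from the post), this script builds a CA, signs the server certificate with it, keeps both keys 0600, and checks the result the way a client would. The organisation name, the hostname sama.expanor.local and the scratch directory are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): a private CA that actually signs
# the slapd certificate, with keys created owner-only, plus the check a client
# would do. Organisation, hostname and output directory are assumptions.
set -e
umask 077   # every key written below is created 0600

# make_ldap_certs DIR HOST  - CA key/cert and a CA-signed server key/cert in DIR
make_ldap_certs() {
    dir="$1"; host="$2"
    mkdir -p "$dir"
    # 1. CA: 2048-bit key (the post used 1024) and a self-signed CA certificate
    #    whose CN names the CA, not the server.
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$dir/ca.key" -days 3650 \
        -subj "/O=Expanor/CN=Expanor LDAP CA" -out "$dir/ca.crt" 2>/dev/null
    # 2. Server key and CSR; the CN must be the name clients connect to.
    openssl genrsa -out "$dir/slapdkey.pem" 2048 2>/dev/null
    openssl req -new -key "$dir/slapdkey.pem" \
        -subj "/O=Expanor/CN=$host" -out "$dir/slapd.csr" 2>/dev/null
    # 3. Sign with the CA (the post self-signed slapdcert.pem and never used
    #    ca.key). A SAN is added because current clients ignore the CN.
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" > "$dir/slapd.ext"
    openssl x509 -req -in "$dir/slapd.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -extfile "$dir/slapd.ext" \
        -out "$dir/slapdcert.pem" 2>/dev/null
    # 4. Certificates are public; the keys keep the 0600 from umask.
    chmod 644 "$dir/ca.crt" "$dir/slapdcert.pem"
    rm -f "$dir/slapd.csr" "$dir/slapd.ext"
}

# verify_ldap_certs DIR HOST  - 0 if the server cert chains to the CA, names
# HOST, and both private keys are readable by their owner only
verify_ldap_certs() {
    dir="$1"; host="$2"
    openssl verify -CAfile "$dir/ca.crt" "$dir/slapdcert.pem" >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/slapdcert.pem" -noout -subject | grep -q "CN *= *$host" || return 1
    for k in "$dir/ca.key" "$dir/slapdkey.pem"; do
        case "$(ls -l "$k")" in -rw-------*) ;; *) return 1 ;; esac
    done
    return 0
}

# Stand-alone run in a scratch directory. The real files belong in
# /etc/openldap/certs, owned by the ldap user, never under a web document root.
out=$(mktemp -d)
make_ldap_certs "$out" sama.expanor.local
verify_ldap_certs "$out" sama.expanor.local && echo "chain OK, keys 0600: $out"
ls -l "$out"
```

Install slapdcert.pem and slapdkey.pem under /etc/openldap/certs (chown ldap, key mode 0600), point TLSCertificateFile and TLSCertificateKeyFile at them as in step 3, and distribute ca.crt to clients as their TLS_CACERT so they can verify the server instead of trusting a self-signed certificate.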

Ref: http://www.howtoforge.com/linux_openldap_setup_server_client
