Configure LDAP Server2014/12/31 |
Configure LDAP Server in order to share users' accounts in your local networks.
|
|
[1] | Install OpenLDAP. |
[root@dlp ~]#
yum -y install openldap-servers openldap-clients
[root@dlp ~]#
vi /etc/openldap/slapd.conf # create new pidfile /run/openldap/slapd.pid argsfile /run/openldap/slapd.args rm -rf /etc/openldap/slapd.d/* [root@dlp ~]# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d config file testing succeeded
[root@dlp ~]#
vi /etc/openldap/slapd.d/cn=config/olcDatabase\={0}config.ldif # line 6: change olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
chown -R ldap. /etc/openldap/slapd.d [root@dlp ~]# chmod -R 700 /etc/openldap/slapd.d [root@dlp ~]# systemctl start slapd [root@dlp ~]# systemctl enable slapd |
[2] | Configure Slapd. |
[root@dlp ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/core.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 adding new entry "cn=core,cn=schema,cn=config"[root@dlp ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 adding new entry "cn=cosine,cn=schema,cn=config"[root@dlp ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 adding new entry "cn=nis,cn=schema,cn=config"[root@dlp ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 adding new entry "cn=inetorgperson,cn=schema,cn=config"
[root@dlp ~]#
slappasswd # generate encrypted password New password: # input any password Re-enter new password: {SSHA}xxxxxxxxxxxxxxxxx # remember
[root@dlp ~]#
vi backend.ldif # create new # replace the section "dc=***,dc=***" to your own suffix # replace the section "olcRootPW: ***" to your own password generated by slappasswd above dn: cn=module,cn=config objectClass: olcModuleList cn: module olcModulepath: /usr/lib64/openldap olcModuleload: back_hdb dn: olcDatabase=hdb,cn=config objectClass: olcDatabaseConfig objectClass: olcHdbConfig olcDatabase: {1}hdb olcSuffix: dc=srv,dc=world olcDbDirectory: /var/lib/ldap olcRootDN: cn=admin,dc=srv,dc=world olcRootPW: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx olcDbConfig: set_cachesize 0 2097152 0 olcDbConfig: set_lk_max_objects 1500 olcDbConfig: set_lk_max_locks 1500 olcDbConfig: set_lk_max_lockers 1500 olcDbIndex: objectClass eq olcLastMod: TRUE olcMonitoring: TRUE olcDbCheckpoint: 512 30 olcAccess: to attrs=userPassword by dn="cn=admin,dc=srv,dc=world" write by anonymous auth by self write by * none olcAccess: to attrs=shadowLastChange by self write by * read olcAccess: to dn.base="" by * read olcAccess: to * by dn="cn=admin,dc=srv,dc=world" write by * read ldapadd -Y EXTERNAL -H ldapi:/// -f backend.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 adding new entry "cn=module,cn=config" adding new entry "olcDatabase=hdb,cn=config"
[root@dlp ~]#
vi frontend.ldif # create new # replace the section "dc=***,dc=***" to your own suffix # replace the section "userPassword: ***" to your own password generated by slappasswd above dn: dc=srv,dc=world objectClass: top objectClass: dcObject objectclass: organization o: Server World dc: Srv dn: cn=admin,dc=srv,dc=world objectClass: simpleSecurityObject objectClass: organizationalRole cn: admin userPassword: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx dn: ou=people,dc=srv,dc=world objectClass: organizationalUnit ou: people dn: ou=groups,dc=srv,dc=world objectClass: organizationalUnit ou: groups ldapadd -x -D cn=admin,dc=srv,dc=world -W -f frontend.ldif Enter LDAP Password: # admin password you set above adding new entry "dc=srv,dc=world" adding new entry "cn=admin,dc=srv,dc=world" adding new entry "ou=people,dc=srv,dc=world" adding new entry "ou=groups,dc=srv,dc=world" |
[3] |
Configure LDAP TLS. Create SSL Certificates first, refer to here.
|
[4] | Configure Slapd for TLS. |
[root@dlp ~]#
cp /etc/pki/tls/certs/server.key \ /etc/pki/tls/certs/server.crt \ /etc/pki/tls/certs/ca-bundle.crt \ /etc/openldap/certs/ [root@dlp ~]# chown ldap. /etc/openldap/certs/server.key \
/etc/openldap/certs/server.crt \ /etc/openldap/certs/ca-bundle.crt
[root@dlp ~]#
vi mod_ssl.ldif # create new dn: cn=config changetype: modify add: olcTLSCACertificateFile olcTLSCACertificateFile: /etc/openldap/certs/ca-bundle.crt - add: olcTLSCertificateFile olcTLSCertificateFile: /etc/openldap/certs/server.crt - add: olcTLSCertificateKeyFile olcTLSCertificateKeyFile: /etc/openldap/certs/server.key ldapmodify -Y EXTERNAL -H ldapi:/// -f mod_ssl.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 modifying entry "cn=config"[root@dlp ~]# systemctl restart slapd |
Sponsored Link |
|