Configuring OpenLDAP
Posted by admin on 03 May 2009 at 05:36 pm | Tagged as: IT Stuff, Linux, authentication, ldap, openldap
This was used to configure OpenLDAP on CentOS 5.3.
Initial Configuration of slapd.conf
(1) You need the following schemas included:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
(2) Depending on what you plan to use your LDAP server for, you might also want to include the following (misc.schema defines inetLocalMailRecipient, which the migration scripts emit when $EXTENDED_SCHEMA is set):
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/RADIUS-LDAPv3.schema
(3) For these initial tests I am not going to configure TLS, but a production system should use TLS so that bind passwords and directory data do not cross the network in the clear.
(4) Enable an ACL that allows users to modify their own entry. slapd applies the first access directive whose "to" clause matches, so the two dn.base rules come before the catch-all:
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
access to *
        by self write
        by users read
        by anonymous auth
Note that with this rule every authenticated user can read every attribute of every entry, including other users' password hashes; a production configuration normally adds a separate, earlier rule for the userPassword attribute that grants self write and anonymous auth and nothing else.
(5) configure your suffix and rootdn
suffix "dc=mydomain,dc=com"
rootdn "cn=manager,dc=mydomain,dc=com"
(6) Generate your management password hash with the command
slappasswd -s secret -h {SSHA}
where -s specifies the password to hash and -h the hash scheme (omit -s to be prompted for the password instead of leaving it in your shell history). Use man slappasswd for more information. Paste the output into your slapd.conf file as:
rootpw {SSHA}D74b0UDGxQ43biWJXCNLTw1Q+MsAlvti
(7) Now save your slapd.conf file.
(8) Start ldap with
/etc/init.d/ldap start
To make ldap start automatically whenever the system boots, run:
chkconfig ldap on
Create the Directory Contents
Creating the initial user and group ldif import files
(1) download the current version of the padl migration scripts from http://www.padl.com/OSS/MigrationTools.html
(2) unpack the tools (eg. use the command ‘tar zxvf MigrationTools.tgz’ which will create a subdirectory such as MigrationTools-47 with the padl migration scripts in the current directory)
(3) cd in to the newly created scripts directory
(4) edit the migrate_common.ph script (eg. vi migrate_common.ph) and set the following variables to appropriate values:
$DEFAULT_MAIL_DOMAIN = "mydomain.com";
$DEFAULT_BASE = "dc=mydomain,dc=com";
$DEFAULT_MAIL_HOST = "mail.prod.mydomain.com";
$EXTENDED_SCHEMA = 1;
I also changed all the cn=Xxx values to lowercase, but this is just my personal preference.
(5) Unless you are using Kerberos and have the appropriate schema loaded in your slapd.conf, you should also edit the migrate_common.ph script so that the lines
# Default Kerberos realm
if ($EXTENDED_SCHEMA) {
$DEFAULT_REALM = $DEFAULT_MAIL_DOMAIN;
$DEFAULT_REALM =~ tr/a-z/A-Z/;
}
are commented out, thus:
# Default Kerberos realm
#if ($EXTENDED_SCHEMA) {
# $DEFAULT_REALM = $DEFAULT_MAIL_DOMAIN;
# $DEFAULT_REALM =~ tr/a-z/A-Z/;
#}
(6) Assuming your initial passwd, shadow and group files are located in the directory above your current working directory, you can now use the commands …
./migrate_passwd.pl ../passwd.in ../passwd_out.ldif
./migrate_group.pl ../group.in ../group_out.ldif
… to generate your ldif import files.
For sample passwd, shadow and group files that contain only one user with the following information
passwd: john:x:503:503:john doe:/home/john:/bin/bash
shadow: john:$1$EwO.4wlT$n5KoIfFE8qcDcPAC12vxn2:14360:0:99999:7:::
group: john:x:503:
users:x:100:john
you will get the following passwd_out.ldif information:
dn: uid=john,ou=users,dc=mydomain,dc=com
uid: john
cn: john
givenName: john
sn: doe
mail: john@mydomain.com
mailRoutingAddress: john@mail.prod.mydomain.com
mailHost: mail.prod.mydomain.com
objectClass: inetLocalMailRecipient
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$1$EwO.4wlT$n5KoIfFE8qcDcPAC12vxn2
shadowLastChange: 14360
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 503
gidNumber: 503
homeDirectory: /home/john
gecos: john doe
and the following group_out.ldif information (LDIF entries are separated by a blank line):
dn: cn=users,ou=groups,dc=mydomain,dc=com
objectClass: posixGroup
objectClass: top
cn: users
userPassword: {crypt}x
gidNumber: 100
memberUid: john

dn: cn=john,ou=groups,dc=mydomain,dc=com
objectClass: posixGroup
objectClass: top
cn: john
userPassword: {crypt}x
gidNumber: 503
Create Containers For Users And Groups
(1) The contents of the file mydomain.com_ldap_init.ldif. The dc value of the top entry must equal the dc in its dn or slapd rejects the entry as having its naming attribute missing, and the groups container must be ou=groups to match the dn values in the group_out.ldif generated above:
# Set up the organisation container
dn: dc=mydomain,dc=com
objectclass: dcObject
objectclass: organization
o: Neologix Pty Ltd
dc: mydomain

# set up a users container
dn: ou=users,dc=mydomain,dc=com
objectclass: organizationalUnit
ou: users

# set up a groups container
dn: ou=groups,dc=mydomain,dc=com
objectclass: organizationalUnit
ou: groups

# set up a hosts container
dn: ou=hosts,dc=mydomain,dc=com
objectclass: organizationalUnit
ou: hosts
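Two mistakes make ldapadd fail on files like these: an entry whose RDN value does not appear as a value of the naming attribute in its body, and an entry whose parent container was never created. The following pre-flight checker, an added example that is not part of the original post, catches both on constructed sample LDIF (the organisation name and the deliberately wrong dc and ou values in the samples are made up for the test); it understands only plain LDIF, not folded lines or base64 values.

```python
"""LDIF pre-flight check before ldapadd (added example, not from the post). Plain
LDIF only: blank-line separated entries, '#' comments, single-valued RDNs, no folding/base64."""

def parse_ldif(text):
    """Return [(dn, {attr_lower: [values]})] in file order."""
    entries, attrs, dn = [], {}, None
    for line in text.splitlines() + [""]:  # trailing "" flushes the last entry
        line = line.rstrip()
        if line.startswith("#"):
            continue
        if not line:
            if dn is not None:
                entries.append((dn, attrs))
            attrs, dn = {}, None
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return entries

def norm(dn):
    """Case- and whitespace-insensitive DN comparison key."""
    return ",".join(p.strip().lower() for p in dn.split(","))

def check_ldif(text, suffix, existing=()):
    """Return problem strings (empty means slapd should accept every entry); existing
    lists DNs already loaded by earlier ldapadd runs."""
    problems, known = [], {norm(d) for d in existing}
    for dn, attrs in parse_ldif(text):
        rdn, _, parent = dn.partition(",")
        attr, _, val = rdn.partition("=")
        # slapd rejects an entry whose RDN value is not a value of that attribute
        if val.strip().lower() not in [v.lower() for v in attrs.get(attr.strip().lower(), [])]:
            problems.append(f"{dn}: naming attribute '{rdn}' missing from entry")
        # every entry below the suffix needs a parent that already exists
        if norm(dn) != norm(suffix) and norm(parent) not in known:
            problems.append(f"{dn}: parent '{parent}' does not exist")
        known.add(norm(dn))
    return problems

# Constructed samples: a suffix entry whose dc does not match its dn, an ou=group
# container, and a migrated group entry that expects ou=groups to exist.
INIT_LDIF = "dn: dc=mydomain,dc=com\nobjectclass: dcObject\nobjectclass: organization\n" \
            "o: Example Pty Ltd\ndc: neologix\n\ndn: ou=group,dc=mydomain,dc=com\nobjectclass: organizationalUnit\nou: group\n"
GROUP_LDIF = "dn: cn=users,ou=groups,dc=mydomain,dc=com\nobjectClass: posixGroup\ncn: users\ngidNumber: 100\n"
```

Run check_ldif(INIT_LDIF, "dc=mydomain,dc=com") first, then check the group file with existing set to the DNs from the init file, which reports the missing ou=groups parent.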
(2) Initialize the directory
ldapadd -x -D 'cn=manager,dc=mydomain,dc=com' -W -f ./mydomain.com_ldap_init.ldif
(3) Add the users and groups to the directory using the passwd_out.ldif and group_out.ldif files you created above (here renamed ldap_passwd.ldif and ldap_group.ldif and copied into the current working directory):
ldapadd -x -D 'cn=manager,dc=mydomain,dc=com' -W -f ./ldap_passwd.ldif
ldapadd -x -D 'cn=manager,dc=mydomain,dc=com' -W -f ./ldap_group.ldif
(4) Now test your directory:
(a) search for everything
ldapsearch -x -D'cn=manager,dc=mydomain,dc=com' -b'dc=mydomain,dc=com' -W '(objectclass=*)'
(b) reset a user's password (-S prompts for the new password)
ldappasswd -D"cn=manager,dc=mydomain,dc=com" -x -W -S "uid=john,ou=users,dc=mydomain,dc=com"
You should now have a basic, working ldap directory server.