Difference between revisions of "LDAP-Server-setup"

Latest revision as of 20:42, 22 August 2012

Resource URLs

• Just the server setup: http://www.nodeofcrash.com/?p=481
• http://blog.domb.net/?p=74
• Server and client setup: http://huinn.wordpress.com/2012/01/01/centos-6-2-ldap-with-tls-quick-dirty/

Installation Procedure

Install Libraries

• yum install migrationtools
• yum install openldap-servers
• yum install openldap-clients
• yum install openldap-devel
• yum install cyrus-sasl
• yum install cyrus-sasl-ldap

Configure LDAP Server

Backend

• vi /etc/sysconfig/iptables
  • Add these lines to open firewall for LDAP server:

-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 636 -j ACCEPT 

• • service iptables restart
• Generate root password for openldap server: /usr/sbin/slappasswd
• cd /etc/openldap/slapd.d/cn=config
• vi olcDatabase={2}bdb.ldif
  • change oldSuffix to: dc=ucsd,dc=edu
  • change olcRootDN to: cn=Manager,dc=ucsd,dc=edu
  • add a line for olcRootPW to end of file:

    olcRootPW: {SSHA}yourhashhere

  • add certificate lines to end of file:

olcTLSCertificateFile: /etc/pki/tls/certs/slapdcert.pem
olcTLSCertificateKeyFile: /etc/pki/tls/certs/slapdkey.pem

• • add these lines after the last olcDbIndex line:

olcAccess: to attrs=userPassword
       by self write
       by anonymous auth
       by dn.base="cn=Manager,dc=ucsd,dc=edu" write
       by * none
olcAccess: to *
       by self write
       by dn.base="cn=Manager,dc=ucsd,dc=edu" write
       by * read

• vi olcDatabase={1}monitor.ldif
  • in line starting with olcAccess change dc=my-domain to dc=ucsd, and dc=com to dc=edu
• cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
  • chown -Rf ldap:ldap /var/lib/ldap
• vi /etc/sysconfig/ldap
  • set: SLAPD_LDAPS=yes
• openssl req -new -x509 -nodes -out /etc/pki/tls/certs/slapdcert.pem -keyout /etc/pki/tls/certs/slapdkey.pem -days 365
  • Country Name (2 letter code) [XX]:US
  • State or Province Name (full name) []:California
  • Locality Name (eg, city) [Default City]:San Diego
  • Organization Name (eg, company) [Default Company Ltd]:UCSD
  • Organizational Unit Name (eg, section) []:Calit2
  • Common Name (eg, your name or your server's hostname) []:IVL
  • Email Address []: <email_address>
• chown -Rf root:ldap /etc/pki/tls/certs/slapdcert.pem
• chmod -Rf 750 /etc/pki/tls/certs/slapdkey.pem
• vi /etc/openldap/ldap.conf
  • Add to end of file:

TLS_CACERT /etc/pki/tls/certs/slapdcert.pem

• slaptest -u
  • this should return "config file testing succeeded"
• service slapd start
  • should return "Starting slapd: [ OK ]"
• chkconfig slapd on
  • shouldn't return anything
• Test server:
  • ldapsearch -x -b "dc=ucsd,dc=edu"
  • You should get a ‘search: 2′ somewhere in the output

Frontend

• create file base.ldif with this content:

dn: dc=ucsd,dc=edu
dc: ucsd
objectClass: top
objectClass: domain

dn: ou=People,dc=ucsd,dc=edu
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=ucsd,dc=edu
ou: Group
objectClass: top
objectClass: organizationalUnit

• • ldapadd -x -W -D "cn=Manager,dc=ucsd,dc=edu" -f base.ldif
• create a new user group 'calvr' by creating a file newgroup.ldif with this content:

dn: cn=calvr,ou=Group,dc=ucsd,dc=edu
objectClass: posixGroup
objectClass: top
cn: calvr
userPassword: {crypt}x
gidNumber: 1212

• • ldapadd -x -W -D "cn=Manager,dc=ucsd,dc=edu" -f newgroup.ldif
• create a new user 'jschulze' with file newuser.ldif and this content:

dn: uid=jschulze,ou=People,dc=ucsd,dc=edu
uid: jschulze
cn: Jurgen Schulze
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword: {crypt}x
loginShell: /bin/tcsh
uidNumber: 4009
gidNumber: 1212
gecos: Jurgen Schulze, room 2125
homeDirectory: /home/jschulze
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0

• • ldapadd -x -W -D "cn=Manager,dc=ucsd,dc=edu" -f newuser.ldif
• set password for new user to <newpassword>. LDAP admin password is <ldapadminpassword>
  • ldappasswd -s <newpassword> -D "cn=Manager,dc=ucsd,dc=edu" -w <ldapadminpassword> -x uid=jschulze,ou=People,dc=ucsd,dc=edu

Configure CentOS Client

• yum install nss-pam-ldapd
• run authconfig-tui
  • Select LDAP and LDAP Authetication.
  • Give the LDAP server’s IP address, which is ldap://192.168.1.2 in this case.
  • Give the base DN as dc=localdomain,dc=com
  • Do not select TLS.
  • [*] Use LDAP
  • [*] Use Shadow Passwords
  • [*] Use LDAP Authetication
  • [*] Local authorization is sufficient
  • [ ] Use TLS
  • Server: ldap://192.168.1.2
  • Base DN: dc=localdomain,dc=com
• By default home dirs are not created after login, but can be turned on like this:
  • authconfig --enablemkhomedir --update

Install Web-Based Administration Interface

• yum install phpldapadmin
• vi /etc/httpd/conf.d/phpldapadmin.conf
  • change 127.0.0.1 to local IP (137.110.119.xxx)
• vi /etc/phpldapadmin/config.php
  • search for line $servers->setValue('login','attr','uid');
  • comment it out to: //$servers->setValue('login','attr','uid');
• service httpd restart
• log in to web interface:
  • point web browser to: http://137.110.119.xxx/phpldapadmin/
  • user name: cn=Manager,dc=ucsd,dc=edu
  • password: LDAP server password