LDAP-Server-setup

From Immersive Visualization Lab Wiki
Revision as of 19:29, 22 August 2012 by Jschulze



Resource URLs

Installation Procedure

Install Libraries

  • yum install migrationtools
  • yum install openldap-servers
  • yum install openldap-clients
  • yum install openldap-devel
  • yum install cyrus-sasl
  • yum install cyrus-sasl-ldap

Configure LDAP Server

Backend

  • vi /etc/sysconfig/iptables
    • Add these lines to open firewall for LDAP server:
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 636 -j ACCEPT
    • service iptables restart
  • Generate root password for openldap server: /usr/sbin/slappasswd
  • cd /etc/openldap/slapd.d/cn=config
  • vi olcDatabase={2}bdb.ldif
    • change olcSuffix to: dc=ucsd,dc=edu
    • change olcRootDN to: cn=Manager,dc=ucsd,dc=edu
    • add a line for olcRootPW to end of file:
      olcRootPW: {SSHA}yourhashhere
    • add certificate lines to end of file:
olcTLSCertificateFile: /etc/pki/tls/certs/slapdcert.pem
olcTLSCertificateKeyFile: /etc/pki/tls/certs/slapdkey.pem
    • add these lines after the last olcDbIndex line:
olcAccess: to attrs=userPassword
       by self write
       by anonymous auth
       by dn.base="cn=Manager,dc=ucsd,dc=edu" write
       by * none
olcAccess: to *
       by self write
       by dn.base="cn=Manager,dc=ucsd,dc=edu" write
       by * read
  • vi olcDatabase={1}monitor.ldif
    • in line starting with olcAccess change dc=my-domain to dc=ucsd, and dc=com to dc=edu
  • cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
    • chown -Rf ldap:ldap /var/lib/ldap
  • vi /etc/sysconfig/ldap
    • set: SLAPD_LDAPS=yes
  • openssl req -new -x509 -nodes -out /etc/pki/tls/certs/slapdcert.pem -keyout /etc/pki/tls/certs/slapdkey.pem -days 365
    • Country Name (2 letter code) [XX]:US
    • State or Province Name (full name) []:California
    • Locality Name (eg, city) [Default City]:San Diego
    • Organization Name (eg, company) [Default Company Ltd]:UCSD
    • Organizational Unit Name (eg, section) []:Calit2
    • Common Name (eg, your name or your server's hostname) []:IVL
    • Email Address []: <email_address>
  • chown -Rf root:ldap /etc/pki/tls/certs/slapdcert.pem
  • chmod -Rf 750 /etc/pki/tls/certs/slapdkey.pem
  • slaptest -u
    • this should return "config file testing succeeded"
  • service slapd start
    • should return "Starting slapd: [ OK ]"
  • chkconfig slapd on
    • shouldn't return anything
  • Test server:
    • ldapsearch -x -b "dc=ucsd,dc=edu"
    • You should get a 'search: 2' somewhere in the output
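The two olcAccess values above are evaluated by slapd in order, and so are their by clauses: the first "to" clause whose attrs match the target selects the rule, and within it the first matching "by" clause fixes the access level, so the order of the userPassword rule relative to the catch-all matters. The following script is an added illustration, not part of this wiki page or of OpenLDAP itself; it models that first-match evaluation for the exact rules configured here (the DNs of the sample users and the MISORDERED variant are constructed for the demo, and the rootdn bypass that slapd applies to cn=Manager is not modelled beyond the explicit dn.base clauses).

```python
"""Model of how slapd applies the two olcAccess rules from this page.

Access levels are ordered; a request is allowed when the granted level is at
least the requested level. Both `to` and `by` clauses are first-match.
Added example, not the page's or OpenLDAP's own code.
"""

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]
MANAGER = "cn=Manager,dc=ucsd,dc=edu"

# Transcription of the two olcAccess values added to olcDatabase={2}bdb.ldif.
# attrs=None stands for "to *".
ACL = [
    {"attrs": {"userpassword"},
     "by": [("self", "write"), ("anonymous", "auth"),
            (f"dn.base={MANAGER}", "write"), ("*", "none")]},
    {"attrs": None,
     "by": [("self", "write"), (f"dn.base={MANAGER}", "write"), ("*", "read")]},
]

# Same clauses with the catch-all first: a common mistake that exposes hashes.
MISORDERED = [ACL[1], ACL[0]]


def norm(dn):
    """Case- and whitespace-insensitive DN comparison form (no escaping support)."""
    return None if dn is None else ",".join(p.strip().lower() for p in dn.split(","))


def who_matches(who, bind_dn, target_dn):
    """bind_dn is None for an anonymous connection."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "self":
        return bind_dn is not None and norm(bind_dn) == norm(target_dn)
    if who.startswith("dn.base="):
        return bind_dn is not None and norm(bind_dn) == norm(who[len("dn.base="):])
    raise ValueError(f"unsupported <who> clause: {who}")


def granted_level(bind_dn, target_dn, attr, acl=ACL):
    """Return the access level slapd would grant on attr of target_dn."""
    for rule in acl:
        if rule["attrs"] is not None and attr.lower() not in rule["attrs"]:
            continue                     # this `to` clause does not cover attr
        for who, level in rule["by"]:
            if who_matches(who, bind_dn, target_dn):
                return level             # first matching `by` wins
        return "none"                    # matching `to`, no matching `by`: deny
    # No rule matched. Unreachable with these rules (the second one matches
    # every target); a conservative deny is returned as a fallback.
    return "none"


def allowed(bind_dn, target_dn, attr, requested, acl=ACL):
    """True when the granted level is at least the requested level."""
    return LEVELS.index(granted_level(bind_dn, target_dn, attr, acl)) >= LEVELS.index(requested)


def report(acl=ACL):
    """Evaluate a few constructed scenarios; returns (description, level) pairs."""
    user = "uid=blah,ou=People,dc=ucsd,dc=edu"       # constructed, from the page's newpeople.ldif
    other = "uid=other,ou=People,dc=ucsd,dc=edu"     # constructed second user
    cases = [
        ("anonymous on userPassword of uid=blah", None, user, "userPassword"),
        ("uid=blah on own userPassword", user, user, "userPassword"),
        ("uid=other on userPassword of uid=blah", other, user, "userPassword"),
        ("uid=other on cn of uid=blah", other, user, "cn"),
        ("cn=Manager on userPassword of uid=blah", MANAGER, user, "userPassword"),
    ]
    return [(desc, granted_level(b, t, a, acl)) for desc, b, t, a in cases]


if __name__ == "__main__":
    for label, acl in (("as configured", ACL), ("catch-all first", MISORDERED)):
        print(f"--- {label}")
        for desc, level in report(acl):
            print(f"{desc}: {level}")
```

With the rules in the page's order, an anonymous client gets only "auth" on userPassword (enough to bind, not to read the hash), a user can change its own password, and nobody else can read it; with the catch-all rule first, "by * read" matches before the userPassword rule is ever consulted and every client can read the stored hashes.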

Frontend

  • create file base.ldif with this content:
dn: dc=ucsd,dc=edu
dc: ucsd
objectClass: top
objectClass: domain

dn: ou=People,dc=ucsd,dc=edu
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=ucsd,dc=edu
ou: Group
objectClass: top
objectClass: organizationalUnit
  • create file newgroup.ldif with this content:
dn: cn=blah,ou=Group,dc=ucsd,dc=edu
objectClass: posixGroup
objectClass: top
cn: blah
userPassword: {crypt}x
gidNumber: 1000
  • create file newpeople.ldif with this content:
dn: uid=blah,ou=People,dc=ucsd,dc=edu
uid: blah
cn: Blah Blah
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {CRYPT}cr5y5J6F67Ci2
shadowLastChange: 15140
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/blah
  • ldapadd -x -W -D "cn=Manager,dc=ucsd,dc=edu" -f base.ldif
  • ldapadd -x -W -D "cn=Manager,dc=ucsd,dc=edu" -f newgroup.ldif
  • ldapadd -x -W -D "cn=Manager,dc=ucsd,dc=edu" -f newpeople.ldif
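ldapadd rejects an entry whose RDN attribute is missing from the entry or carries a different value (for dn: dc=ucsd,dc=edu the entry needs dc: ucsd), and it refuses a child whose parent has not been added yet, which is why the three files above are loaded in this order. The script below is an added example, not part of this wiki page and not an OpenLDAP tool: a small LDIF parser plus the checks that catch those mistakes before the files reach the server (naming attribute, parent order, RFC 2307 MUST attributes, and a hashed rather than plaintext userPassword). The embedded sample LDIF is constructed from the three files above, with the dc value of the base entry deliberately set to "example" so the mismatch shows up; folded base64 values and escaped commas in DNs are not handled.

```python
"""Offline sanity checks for the base/group/people LDIF files before ldapadd.
Added example, not the page's or OpenLDAP's own code."""
import base64
import re

SUFFIX = "dc=ucsd,dc=edu"

# Constructed sample: the page's three files concatenated, with the base
# entry's dc value deliberately mismatched against its RDN.
SAMPLE_LDIF = """\
dn: dc=ucsd,dc=edu
dc: example
objectClass: top
objectClass: domain

dn: ou=People,dc=ucsd,dc=edu
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=ucsd,dc=edu
ou: Group
objectClass: top
objectClass: organizationalUnit

dn: cn=blah,ou=Group,dc=ucsd,dc=edu
objectClass: posixGroup
objectClass: top
cn: blah
userPassword: {crypt}x
gidNumber: 1000

dn: uid=blah,ou=People,dc=ucsd,dc=edu
uid: blah
cn: Blah Blah
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {CRYPT}cr5y5J6F67Ci2
shadowLastChange: 15140
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/blah
"""

# MUST attributes from RFC 2307 for the object classes used above (lower-cased).
MUST = {"posixaccount": {"cn", "uid", "uidnumber", "gidnumber", "homedirectory"},
        "posixgroup": {"cn", "gidnumber"}}
KNOWN_SCHEMES = {"ssha", "sha", "crypt", "md5", "smd5"}


def parse_ldif(text):
    """Return a list of entries mapping lower-cased attribute -> [values].
    Handles 'attr:: base64' values and leading-space continuation lines."""
    entries, current, last = [], {}, None
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():                       # blank line ends an entry
            if current:
                entries.append(current)
            current, last = {}, None
            continue
        if line.startswith(" ") and last is not None:
            current[last][-1] += line[1:]          # folded continuation line
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        value = base64.b64decode(value[1:].strip()).decode() if value.startswith(":") else value.strip()
        last = attr.strip().lower()
        current.setdefault(last, []).append(value)
    if current:
        entries.append(current)
    return entries


def norm_dn(dn):
    """Case- and whitespace-insensitive DN form (escaped commas not handled)."""
    return ",".join(p.strip().lower() for p in dn.split(","))


def validate(entries, suffix=SUFFIX):
    """Return a list of human-readable problems; empty means the files look loadable."""
    problems, seen = [], set()
    for e in entries:
        dn = e.get("dn", [""])[0]
        rdn, _, parent = dn.partition(",")
        attr, _, value = rdn.partition("=")
        attr, value = attr.strip().lower(), value.strip()
        # 1. The RDN's naming attribute must be present with the same value.
        if not any(v.lower() == value.lower() for v in e.get(attr, [])):
            problems.append(f"{dn}: naming attribute {attr}={value} not in entry (found {e.get(attr, [])})")
        # 2. The parent must already exist, except for the database suffix itself.
        if norm_dn(dn) != norm_dn(suffix) and norm_dn(parent) not in seen:
            problems.append(f"{dn}: parent {parent} does not exist yet")
        seen.add(norm_dn(dn))
        # 3. Schema MUST attributes for the object classes used on the page.
        for oc in e.get("objectclass", []):
            missing = MUST.get(oc.lower(), set()) - set(e)
            if missing:
                problems.append(f"{dn}: {oc} requires {sorted(missing)}")
        # 4. userPassword should carry a known hash scheme, never plaintext.
        for pw in e.get("userpassword", []):
            m = re.match(r"\{(\w+)\}", pw)
            if not m or m.group(1).lower() not in KNOWN_SCHEMES:
                problems.append(f"{dn}: userPassword is plaintext or uses an unknown scheme")
    return problems


if __name__ == "__main__":
    for p in validate(parse_ldif(SAMPLE_LDIF)) or ["no problems found"]:
        print(p)
```

Run against the sample, the only finding is the base entry's dc mismatch; once that value is corrected the checks pass, and the same routine flags a missing homeDirectory on a posixAccount, a child added before its parent, or a plaintext userPassword.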
  • vi /etc/openldap/ldap.conf
    • Add to end of file:
TLS_CACERT /etc/pki/tls/certs/slapdcert.pem