Difference between revisions of "LDAP-Server-setup"
From Immersive Visualization Lab Wiki
(→Configure LDAP Server) |
(→Resource URLs) |
||
| Line 3: | Line 3: | ||
* http://www.nodeofcrash.com/?p=481 | * http://www.nodeofcrash.com/?p=481 | ||
* http://blog.domb.net/?p=74 | * http://blog.domb.net/?p=74 | ||
| + | * http://huinn.wordpress.com/2012/01/01/centos-6-2-ldap-with-tls-quick-dirty/ | ||
==Installation Procedure== | ==Installation Procedure== | ||
Revision as of 20:14, 22 August 2012
Contents |
Resource URLs
- http://www.nodeofcrash.com/?p=481
- http://blog.domb.net/?p=74
- http://huinn.wordpress.com/2012/01/01/centos-6-2-ldap-with-tls-quick-dirty/
Installation Procedure
Install Libraries
- yum install migrationtools
- yum install openldap-servers
- yum install openldap-clients
- yum install openldap-devel
- yum install cyrus-sasl
- yum install cyrus-sasl-ldap
Configure LDAP Server
- vi /etc/sysconfig/iptables
- Add these lines to open firewall for LDAP server:
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 636 -j ACCEPT
- service iptables restart
- Generate root password for openldap server: /usr/sbin/slappasswd
- cd /etc/openldap/slapd.d/cn=config
- vi olcDatabase={2}bdb.ldif
- change oldSuffix to: dc=ucsd,dc=edu
- change olcRootDN to: cn=Manager,dc=ucsd,dc=edu
- add a line for olcRootPW to end of file:
olcRootPW: {SSHA}yourhashhere - add certificate lines to end of file:
olcTLSCertificateFile: /etc/pki/tls/certs/slapdcert.pem olcTLSCertificateKeyFile: /etc/pki/tls/certs/slapdkey.pem
- add these lines after the last olcDbIndex line:
olcAccess: to attrs=userPassword
by self write
by anonymous auth
by dn.base="cn=Manager,dc=ucsd,dc=edu" write
by * none
olcAccess: to *
by self write
by dn.base="cn=Manager,dc=ucsd,dc=edu" write
by * read
- vi olcDatabase={1}monitor.ldif
- in line starting with olcAccess change dc=my-domain to dc=ucsd, and dc=com to dc=edu
- cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
- chown -Rf ldap:ldap /var/lib/ldap
- vi /etc/sysconfig/ldap
- set: SLAPD_LDAPS=yes
- openssl req -new -x509 -nodes -out /etc/pki/tls/certs/slapdcert.pem -keyout /etc/pki/tls/certs/slapdkey.pem -days 365
- Country Name (2 letter code) [XX]:US
- State or Province Name (full name) []:California
- Locality Name (eg, city) [Default City]:San Diego
- Organization Name (eg, company) [Default Company Ltd]:UCSD
- Organizational Unit Name (eg, section) []:Calit2
- Common Name (eg, your name or your server's hostname) []:IVL
- Email Address []: <email_address>
- chown -Rf root:ldap /etc/pki/tls/certs/slapdcert.pem
- chmod -Rf 750 /etc/pki/tls/certs/slapdkey.pem
- slaptest -u
- this should return "config file testing succeeded"
- create file base.ldif with this content:
dn: dc=ucsd,dc=edu dc: example objectClass: top objectClass: domain dn: ou=People,dc=ucsd,dc=edu ou: People objectClass: top objectClass: organizationalUnit dn: ou=Group,dc=ucsd,dc=edu ou: Group objectClass: top objectClass: organizationalUnit
- create file newgroup.ldif with this content:
dn: cn=blah,ou=Group,dc=ucsd,dc=edu
objectClass: posixGroup
objectClass: top
cn: blah
userPassword: {crypt}x
gidNumber: 1000
- create file newpeople.ldif with this content:
dn: uid=blah,ou=People,dc=ucsd,dc=edu
uid: blah
cn: Blah Blah
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {CRYPT}cr5y5J6F67Ci2
shadowLastChange: 15140
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/blah
- ldapadd -x -W -D “cn=Manager,dc=ucsd,dc=edu” -f base.ldif
- ldapadd -x -W -D “cn=Manager,dc=ucsd,dc=edu” -f newgroup.ldif
- ldapadd -x -W -D “cn=Manager,dc=ucsd,dc=edu” -f newpeople.ldif
- ldapsearch -x -b “dc=ucsd,dc=edu”
- You should get a ‘search: 2′ somewhere in the output
- service slapd start
- chkconfig slapd on
- vi /etc/openldap/ldap.conf
- Add to end of file:
TLS_CACERT /etc/pki/tls/certs/slapdcert.pem
