Difference between revisions of "LDAP-Server-setup"
From Immersive Visualization Lab Wiki
(→Installation Procedure) |
(→Web Based Admin Interface) |
||
| (41 intermediate revisions by one user not shown) | |||
| Line 1: | Line 1: | ||
| − | + | ==Resource URLs== | |
| − | * http://www.nodeofcrash.com/?p=481 | + | * Just the server setup: http://www.nodeofcrash.com/?p=481 |
| + | * http://blog.domb.net/?p=74 | ||
| + | * Server and client setup: http://huinn.wordpress.com/2012/01/01/centos-6-2-ldap-with-tls-quick-dirty/ | ||
| − | + | ==Installation Procedure== | |
| − | * yum install openldap-servers openldap-clients | + | ===Install Libraries=== |
| + | |||
| + | * yum install migrationtools | ||
| + | * yum install openldap-servers | ||
| + | * yum install openldap-clients | ||
| + | * yum install openldap-devel | ||
| + | * yum install cyrus-sasl | ||
| + | * yum install cyrus-sasl-ldap | ||
| + | |||
| + | ===Configure LDAP Server=== | ||
| + | |||
| + | ====Backend==== | ||
| + | |||
| + | * vi /etc/sysconfig/iptables | ||
| + | ** Add these lines to open firewall for LDAP server: | ||
| + | <pre> | ||
| + | -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT | ||
| + | -A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT | ||
| + | -A INPUT -m state --state NEW -m tcp -p tcp --dport 636 -j ACCEPT | ||
| + | </pre> | ||
| + | ** service iptables restart | ||
* Generate root password for openldap server: /usr/sbin/slappasswd | * Generate root password for openldap server: /usr/sbin/slappasswd | ||
| + | * cd /etc/openldap/slapd.d/cn=config | ||
* vi olcDatabase={2}bdb.ldif | * vi olcDatabase={2}bdb.ldif | ||
| − | * change olcRootDN to: cn=Manager,dc=ucsd,dc= | + | ** change oldSuffix to: dc=ucsd,dc=edu |
| − | * add a line for olcRootPW: <pre>olcRootPW: {SSHA}yourhashhere</pre> | + | ** change olcRootDN to: cn=Manager,dc=ucsd,dc=edu |
| − | * | + | ** add a line for olcRootPW to end of file: <pre>olcRootPW: {SSHA}yourhashhere</pre> |
| + | ** add certificate lines to end of file: | ||
<pre> | <pre> | ||
olcTLSCertificateFile: /etc/pki/tls/certs/slapdcert.pem | olcTLSCertificateFile: /etc/pki/tls/certs/slapdcert.pem | ||
olcTLSCertificateKeyFile: /etc/pki/tls/certs/slapdkey.pem | olcTLSCertificateKeyFile: /etc/pki/tls/certs/slapdkey.pem | ||
</pre> | </pre> | ||
| − | * | + | ** add these lines after the last olcDbIndex line: |
| − | * in line starting with olcAccess change dc=my-domain to dc=ucsd | + | <pre> |
| + | olcAccess: to attrs=userPassword | ||
| + | by self write | ||
| + | by anonymous auth | ||
| + | by dn.base="cn=Manager,dc=ucsd,dc=edu" write | ||
| + | by * none | ||
| + | olcAccess: to * | ||
| + | by self write | ||
| + | by dn.base="cn=Manager,dc=ucsd,dc=edu" write | ||
| + | by * read | ||
| + | </pre> | ||
| + | * vi olcDatabase={1}monitor.ldif | ||
| + | ** in line starting with olcAccess change dc=my-domain to dc=ucsd, and dc=com to dc=edu | ||
* cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG | * cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG | ||
| + | ** chown -Rf ldap:ldap /var/lib/ldap | ||
* vi /etc/sysconfig/ldap | * vi /etc/sysconfig/ldap | ||
| − | * set: SLAPD_LDAPS=yes | + | ** set: SLAPD_LDAPS=yes |
* openssl req -new -x509 -nodes -out /etc/pki/tls/certs/slapdcert.pem -keyout /etc/pki/tls/certs/slapdkey.pem -days 365 | * openssl req -new -x509 -nodes -out /etc/pki/tls/certs/slapdcert.pem -keyout /etc/pki/tls/certs/slapdkey.pem -days 365 | ||
** Country Name (2 letter code) [XX]:US | ** Country Name (2 letter code) [XX]:US | ||
| Line 27: | Line 64: | ||
** Organizational Unit Name (eg, section) []:Calit2 | ** Organizational Unit Name (eg, section) []:Calit2 | ||
** Common Name (eg, your name or your server's hostname) []:IVL | ** Common Name (eg, your name or your server's hostname) []:IVL | ||
| − | ** Email Address []: | + | ** Email Address []: <email_address> |
* chown -Rf root:ldap /etc/pki/tls/certs/slapdcert.pem | * chown -Rf root:ldap /etc/pki/tls/certs/slapdcert.pem | ||
* chmod -Rf 750 /etc/pki/tls/certs/slapdkey.pem | * chmod -Rf 750 /etc/pki/tls/certs/slapdkey.pem | ||
| + | * vi /etc/openldap/ldap.conf | ||
| + | ** Add to end of file: | ||
| + | <pre> | ||
| + | TLS_CACERT /etc/pki/tls/certs/slapdcert.pem | ||
| + | </pre> | ||
* slaptest -u | * slaptest -u | ||
** this should return "config file testing succeeded" | ** this should return "config file testing succeeded" | ||
| + | * service slapd start | ||
| + | ** should return "Starting slapd: [ OK ]" | ||
| + | * chkconfig slapd on | ||
| + | ** shouldn't return anything | ||
| + | * Test server: | ||
| + | ** ldapsearch -x -b "dc=ucsd,dc=edu" | ||
| + | ** You should get a ‘search: 2′ somewhere in the output | ||
| + | |||
| + | ====Frontend==== | ||
| + | |||
* create file base.ldif with this content: | * create file base.ldif with this content: | ||
<pre> | <pre> | ||
| − | dn: dc= | + | dn: dc=ucsd,dc=edu |
| − | dc: | + | dc: ucsd |
objectClass: top | objectClass: top | ||
objectClass: domain | objectClass: domain | ||
| − | dn: ou=People,dc= | + | dn: ou=People,dc=ucsd,dc=edu |
ou: People | ou: People | ||
objectClass: top | objectClass: top | ||
objectClass: organizationalUnit | objectClass: organizationalUnit | ||
| − | dn: ou=Group,dc= | + | dn: ou=Group,dc=ucsd,dc=edu |
ou: Group | ou: Group | ||
objectClass: top | objectClass: top | ||
objectClass: organizationalUnit | objectClass: organizationalUnit | ||
</pre> | </pre> | ||
| − | * create file newgroup.ldif with this content: | + | ** ldapadd -x -W -D "cn=Manager,dc=ucsd,dc=edu" -f base.ldif |
| + | * create a new user group 'calvr' by creating a file newgroup.ldif with this content: | ||
<pre> | <pre> | ||
| − | dn: cn= | + | dn: cn=calvr,ou=Group,dc=ucsd,dc=edu |
objectClass: posixGroup | objectClass: posixGroup | ||
objectClass: top | objectClass: top | ||
| − | cn: | + | cn: calvr |
userPassword: {crypt}x | userPassword: {crypt}x | ||
| − | gidNumber: | + | gidNumber: 1212 |
</pre> | </pre> | ||
| − | * create file | + | ** ldapadd -x -W -D "cn=Manager,dc=ucsd,dc=edu" -f newgroup.ldif |
| + | * create a new user 'jschulze' with file newuser.ldif and this content: | ||
<pre> | <pre> | ||
| − | dn: uid= | + | dn: uid=jschulze,ou=People,dc=ucsd,dc=edu |
| − | uid: | + | uid: jschulze |
| − | cn: | + | cn: Jurgen Schulze |
| + | objectClass: top | ||
objectClass: account | objectClass: account | ||
objectClass: posixAccount | objectClass: posixAccount | ||
| − | |||
objectClass: shadowAccount | objectClass: shadowAccount | ||
| − | userPassword: { | + | userPassword: {crypt}x |
| − | + | loginShell: /bin/tcsh | |
| − | + | uidNumber: 4009 | |
| − | + | gidNumber: 1212 | |
| − | + | gecos: Jurgen Schulze, room 2125 | |
| − | loginShell: /bin/ | + | homeDirectory: /home/jschulze |
| − | uidNumber: | + | shadowLastChange: 0 |
| − | gidNumber: | + | shadowMax: 0 |
| − | homeDirectory: /home/ | + | shadowWarning: 0 |
</pre> | </pre> | ||
| − | * ldapadd -x -W -D | + | ** ldapadd -x -W -D "cn=Manager,dc=ucsd,dc=edu" -f newuser.ldif |
| − | * | + | * set password for new user to <newpassword>. LDAP admin password is <ldapadminpassword> |
| − | * | + | ** ldappasswd -s <newpassword> -D "cn=Manager,dc=ucsd,dc=edu" -w <ldapadminpassword> -x uid=jschulze,ou=People,dc=ucsd,dc=edu |
| + | |||
| + | ===Configure CentOS Client=== | ||
| + | |||
| + | * yum install nss-pam-ldapd | ||
| + | * run authconfig-tui | ||
| + | ** Select LDAP and LDAP Authetication. | ||
| + | ** Give the LDAP server’s IP address, which is ldap://192.168.1.2 in this case. | ||
| + | ** Give the base DN as dc=localdomain,dc=com | ||
| + | ** Do not select TLS. | ||
| + | ** [*] Use LDAP | ||
| + | ** [*] Use Shadow Passwords | ||
| + | ** [*] Use LDAP Authetication | ||
| + | ** [*] Local authorization is sufficient | ||
| + | ** [ ] Use TLS | ||
| + | ** Server: ldap://192.168.1.2 | ||
| + | ** Base DN: dc=localdomain,dc=com | ||
| + | * By default home dirs are not created after login, but can be turned on like this: | ||
| + | ** authconfig --enablemkhomedir --update | ||
| + | |||
| + | ===Install Web-Based Administration Interface=== | ||
| + | |||
| + | * yum install phpldapadmin | ||
| + | * vi /etc/httpd/conf.d/phpldapadmin.conf | ||
| + | ** change 127.0.0.1 to local IP (137.110.119.xxx) | ||
| + | * vi /etc/phpldapadmin/config.php | ||
| + | ** search for line $servers->setValue('login','attr','uid'); | ||
| + | ** comment it out to: //$servers->setValue('login','attr','uid'); | ||
| + | * service httpd restart | ||
| + | * log in to web interface: | ||
| + | ** point web browser to: http://137.110.119.xxx/phpldapadmin/ | ||
| + | ** user name: cn=Manager,dc=ucsd,dc=edu | ||
| + | ** password: LDAP server password | ||
Latest revision as of 21:42, 22 August 2012
Contents |
Resource URLs
- Just the server setup: http://www.nodeofcrash.com/?p=481
- http://blog.domb.net/?p=74
- Server and client setup: http://huinn.wordpress.com/2012/01/01/centos-6-2-ldap-with-tls-quick-dirty/
Installation Procedure
Install Libraries
- yum install migrationtools
- yum install openldap-servers
- yum install openldap-clients
- yum install openldap-devel
- yum install cyrus-sasl
- yum install cyrus-sasl-ldap
Configure LDAP Server
Backend
- vi /etc/sysconfig/iptables
- Add these lines to open firewall for LDAP server:
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 636 -j ACCEPT
- service iptables restart
- Generate root password for openldap server: /usr/sbin/slappasswd
- cd /etc/openldap/slapd.d/cn=config
- vi olcDatabase={2}bdb.ldif
- change oldSuffix to: dc=ucsd,dc=edu
- change olcRootDN to: cn=Manager,dc=ucsd,dc=edu
- add a line for olcRootPW to end of file:
olcRootPW: {SSHA}yourhashhere - add certificate lines to end of file:
olcTLSCertificateFile: /etc/pki/tls/certs/slapdcert.pem olcTLSCertificateKeyFile: /etc/pki/tls/certs/slapdkey.pem
- add these lines after the last olcDbIndex line:
olcAccess: to attrs=userPassword
by self write
by anonymous auth
by dn.base="cn=Manager,dc=ucsd,dc=edu" write
by * none
olcAccess: to *
by self write
by dn.base="cn=Manager,dc=ucsd,dc=edu" write
by * read
- vi olcDatabase={1}monitor.ldif
- in line starting with olcAccess change dc=my-domain to dc=ucsd, and dc=com to dc=edu
- cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
- chown -Rf ldap:ldap /var/lib/ldap
- vi /etc/sysconfig/ldap
- set: SLAPD_LDAPS=yes
- openssl req -new -x509 -nodes -out /etc/pki/tls/certs/slapdcert.pem -keyout /etc/pki/tls/certs/slapdkey.pem -days 365
- Country Name (2 letter code) [XX]:US
- State or Province Name (full name) []:California
- Locality Name (eg, city) [Default City]:San Diego
- Organization Name (eg, company) [Default Company Ltd]:UCSD
- Organizational Unit Name (eg, section) []:Calit2
- Common Name (eg, your name or your server's hostname) []:IVL
- Email Address []: <email_address>
- chown -Rf root:ldap /etc/pki/tls/certs/slapdcert.pem
- chmod -Rf 750 /etc/pki/tls/certs/slapdkey.pem
- vi /etc/openldap/ldap.conf
- Add to end of file:
TLS_CACERT /etc/pki/tls/certs/slapdcert.pem
- slaptest -u
- this should return "config file testing succeeded"
- service slapd start
- should return "Starting slapd: [ OK ]"
- chkconfig slapd on
- shouldn't return anything
- Test server:
- ldapsearch -x -b "dc=ucsd,dc=edu"
- You should get a ‘search: 2′ somewhere in the output
Frontend
- create file base.ldif with this content:
dn: dc=ucsd,dc=edu dc: ucsd objectClass: top objectClass: domain dn: ou=People,dc=ucsd,dc=edu ou: People objectClass: top objectClass: organizationalUnit dn: ou=Group,dc=ucsd,dc=edu ou: Group objectClass: top objectClass: organizationalUnit
- ldapadd -x -W -D "cn=Manager,dc=ucsd,dc=edu" -f base.ldif
- create a new user group 'calvr' by creating a file newgroup.ldif with this content:
dn: cn=calvr,ou=Group,dc=ucsd,dc=edu
objectClass: posixGroup
objectClass: top
cn: calvr
userPassword: {crypt}x
gidNumber: 1212
- ldapadd -x -W -D "cn=Manager,dc=ucsd,dc=edu" -f newgroup.ldif
- create a new user 'jschulze' with file newuser.ldif and this content:
dn: uid=jschulze,ou=People,dc=ucsd,dc=edu
uid: jschulze
cn: Jurgen Schulze
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword: {crypt}x
loginShell: /bin/tcsh
uidNumber: 4009
gidNumber: 1212
gecos: Jurgen Schulze, room 2125
homeDirectory: /home/jschulze
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0
- ldapadd -x -W -D "cn=Manager,dc=ucsd,dc=edu" -f newuser.ldif
- set password for new user to <newpassword>. LDAP admin password is <ldapadminpassword>
- ldappasswd -s <newpassword> -D "cn=Manager,dc=ucsd,dc=edu" -w <ldapadminpassword> -x uid=jschulze,ou=People,dc=ucsd,dc=edu
Configure CentOS Client
- yum install nss-pam-ldapd
- run authconfig-tui
- Select LDAP and LDAP Authetication.
- Give the LDAP server’s IP address, which is ldap://192.168.1.2 in this case.
- Give the base DN as dc=localdomain,dc=com
- Do not select TLS.
- [*] Use LDAP
- [*] Use Shadow Passwords
- [*] Use LDAP Authetication
- [*] Local authorization is sufficient
- [ ] Use TLS
- Server: ldap://192.168.1.2
- Base DN: dc=localdomain,dc=com
- By default home dirs are not created after login, but can be turned on like this:
- authconfig --enablemkhomedir --update
Install Web-Based Administration Interface
- yum install phpldapadmin
- vi /etc/httpd/conf.d/phpldapadmin.conf
- change 127.0.0.1 to local IP (137.110.119.xxx)
- vi /etc/phpldapadmin/config.php
- search for line $servers->setValue('login','attr','uid');
- comment it out to: //$servers->setValue('login','attr','uid');
- service httpd restart
- log in to web interface:
- point web browser to: http://137.110.119.xxx/phpldapadmin/
- user name: cn=Manager,dc=ucsd,dc=edu
- password: LDAP server password
