LDAP-Server-setup

From Immersive Visualization Lab Wiki
Revision as of 21:42, 22 August 2012 by Jschulze (Talk | contribs)

Resource URLs

Installation Procedure

Install Libraries

  • yum install migrationtools
  • yum install openldap-servers
  • yum install openldap-clients
  • yum install openldap-devel
  • yum install cyrus-sasl
  • yum install cyrus-sasl-ldap

Configure LDAP Server

Backend

  • vi /etc/sysconfig/iptables
    • Add these lines to open the firewall for the LDAP server (80 is for the phpldapadmin web interface installed below, 389 for plain LDAP, 636 for LDAPS):
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 636 -j ACCEPT
    • Simple binds on 389 carry passwords in clear text, and the web interface on 80 carries the Manager password, so add a -s <your subnet> match to those two rules rather than opening them to the whole network.
    • service iptables restart
  • Generate the root password hash for the LDAP server: /usr/sbin/slappasswd (it prompts for the password twice and prints a {SSHA} line; typing it at the prompt keeps it out of shell history)
  • cd /etc/openldap/slapd.d/cn=config
  • vi olcDatabase={2}bdb.ldif
    • change olcSuffix to: dc=ucsd,dc=edu
    • change olcRootDN to: cn=Manager,dc=ucsd,dc=edu
    • add a line for olcRootPW to end of file, pasting the hash slappasswd printed:
      olcRootPW: {SSHA}yourhashhere
    • add these lines after the last olcDbIndex line (keep this order: slapd uses the first "to" clause that matches, so the userPassword rule must come before "to *", otherwise "by * read" would expose every password hash):
olcAccess: to attrs=userPassword
       by self write
       by anonymous auth
       by dn.base="cn=Manager,dc=ucsd,dc=edu" write
       by * none
olcAccess: to *
       by self write
       by dn.base="cn=Manager,dc=ucsd,dc=edu" write
       by * read
  • vi /etc/openldap/slapd.d/cn=config.ldif
    • add the certificate lines to the end of this file (olcTLSCertificateFile and olcTLSCertificateKeyFile are attributes of the global cn=config entry, not of the database entry):
olcTLSCertificateFile: /etc/pki/tls/certs/slapdcert.pem
olcTLSCertificateKeyFile: /etc/pki/tls/certs/slapdkey.pem
  • vi olcDatabase={1}monitor.ldif
    • in line starting with olcAccess change dc=my-domain to dc=ucsd, and dc=com to dc=edu
  • cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
    • chown -Rf ldap:ldap /var/lib/ldap
  • vi /etc/sysconfig/ldap
    • set: SLAPD_LDAPS=yes
  • openssl req -new -x509 -nodes -out /etc/pki/tls/certs/slapdcert.pem -keyout /etc/pki/tls/certs/slapdkey.pem -days 365
    • Country Name (2 letter code) [XX]:US
    • State or Province Name (full name) []:California
    • Locality Name (eg, city) [Default City]:San Diego
    • Organization Name (eg, company) [Default Company Ltd]:UCSD
    • Organizational Unit Name (eg, section) []:Calit2
    • Common Name (eg, your name or your server's hostname) []:IVL (enter the hostname clients will use to reach the server instead; a name that does not match, such as IVL, makes any client that verifies the certificate reject it)
    • Email Address []: <email_address>
  • chown root:ldap /etc/pki/tls/certs/slapdcert.pem /etc/pki/tls/certs/slapdkey.pem
  • chmod 644 /etc/pki/tls/certs/slapdcert.pem
  • chmod 640 /etc/pki/tls/certs/slapdkey.pem
    • slapd runs as user ldap, so the private key should be owned root:ldap and readable by that group only; the certificate is public and can stay world-readable. (-R on a single file does nothing.)
  • vi /etc/openldap/ldap.conf
    • Add to end of file:
TLS_CACERT /etc/pki/tls/certs/slapdcert.pem
  • slaptest -u
    • this should return "config file testing succeeded"
  • service slapd start
    • should return "Starting slapd: [ OK ]"
  • chkconfig slapd on
    • shouldn't return anything
  • Test server:
    • ldapsearch -x -b "dc=ucsd,dc=edu"
    • You should get a 'search: 2' somewhere in the output. Until base.ldif is loaded in the next section the result line reads 'result: 32 No such object', which only means the suffix is empty; afterwards it reads 'result: 0 Success'.
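To make the ordering point in the olcAccess step concrete, here is a small model of how slapd resolves those two directives. It is an added example written for this page, not code from the wiki or from OpenLDAP, and it covers only the clause types the page's ACL uses ("to attrs=..." / "to *" and "by self | anonymous | dn.base=... | *"). The uid=alice DN is constructed test data, not an account from the page.

```python
"""Simplified model of slapd olcAccess resolution (added example, not from the page).

slapd takes the first <to> clause that matches the target attribute and, inside
it, the first <by> clause that matches the requester; that clause's level is the
answer and later clauses are never consulted. A matching directive with no
matching <by> denies (implicit "by * none"), and so does no matching directive
at all. The rootdn bypasses ACLs entirely, so the page's explicit
dn.base="cn=Manager,..." lines document intent rather than grant anything.
"""

LEVELS = ["none", "auth", "compare", "search", "read", "write"]  # ascending, cumulative
MANAGER = "cn=Manager,dc=ucsd,dc=edu"

# The page's two directives, in file order (the userPassword rule comes first).
PAGE_ACL = [
    ("attrs=userPassword", [("self", "write"), ("anonymous", "auth"),
                            ("dn.base=" + MANAGER, "write"), ("*", "none")]),
    ("*", [("self", "write"), ("dn.base=" + MANAGER, "write"), ("*", "read")]),
]


def _to_matches(selector, attr):
    """Does a <to> selector cover attribute `attr`?"""
    if selector == "*":
        return True
    if selector.startswith("attrs="):
        wanted = {a.strip().lower() for a in selector[len("attrs="):].split(",")}
        return attr.lower() in wanted
    raise ValueError("unsupported <to> selector: %s" % selector)


def _by_matches(who, requester, target_dn):
    """Does a <by> clause apply to `requester` (bind DN, or None for anonymous)?"""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "self":
        return requester is not None and requester.lower() == target_dn.lower()
    if who.startswith("dn.base="):
        return requester is not None and requester.lower() == who[len("dn.base="):].lower()
    raise ValueError("unsupported <by> clause: %s" % who)


def access_level(acl, requester, target_dn, attr):
    """Access level `requester` gets on attribute `attr` of entry `target_dn`."""
    for selector, by_clauses in acl:
        if not _to_matches(selector, attr):
            continue
        for who, level in by_clauses:
            if _by_matches(who, requester, target_dn):
                return level
        return "none"          # matching directive, no matching <by>: implicit "by * none"
    return "none"              # no directive matched: slapd denies


def allows(acl, requester, target_dn, attr, needed):
    """True when the granted level is at least `needed` (levels are cumulative)."""
    return LEVELS.index(access_level(acl, requester, target_dn, attr)) >= LEVELS.index(needed)


if __name__ == "__main__":
    me = "uid=jschulze,ou=People,dc=ucsd,dc=edu"
    alice = "uid=alice,ou=People,dc=ucsd,dc=edu"   # constructed, not on the page
    print("anonymous may bind with my password:", allows(PAGE_ACL, None, me, "userPassword", "auth"))
    print("anonymous may read my password hash:", allows(PAGE_ACL, None, me, "userPassword", "read"))
    print("alice may read my loginShell:", allows(PAGE_ACL, alice, me, "loginShell", "read"))
    print("alice may write my loginShell:", allows(PAGE_ACL, alice, me, "loginShell", "write"))
    # Swap the two directives and "to * ... by * read" shadows the password rule:
    print("hash readable after reordering:", allows(list(reversed(PAGE_ACL)), None, me, "userPassword", "read"))
```

The last line of the demo is the case to remember when editing the ldif by hand: with the directives reversed, an anonymous search returns every userPassword hash.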

Frontend

  • create file base.ldif with this content:
dn: dc=ucsd,dc=edu
dc: ucsd
objectClass: top
objectClass: domain

dn: ou=People,dc=ucsd,dc=edu
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=ucsd,dc=edu
ou: Group
objectClass: top
objectClass: organizationalUnit
    • ldapadd -x -W -D "cn=Manager,dc=ucsd,dc=edu" -f base.ldif
  • create a new user group 'calvr' by creating a file newgroup.ldif with this content:
dn: cn=calvr,ou=Group,dc=ucsd,dc=edu
objectClass: posixGroup
objectClass: top
cn: calvr
userPassword: {crypt}x
gidNumber: 1212
    • ldapadd -x -W -D "cn=Manager,dc=ucsd,dc=edu" -f newgroup.ldif
  • create a new user 'jschulze' with file newuser.ldif and this content:
dn: uid=jschulze,ou=People,dc=ucsd,dc=edu
uid: jschulze
cn: Jurgen Schulze
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword: {crypt}x
loginShell: /bin/tcsh
uidNumber: 4009
gidNumber: 1212
gecos: Jurgen Schulze, room 2125
homeDirectory: /home/jschulze
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0
    • ldapadd -x -W -D "cn=Manager,dc=ucsd,dc=edu" -f newuser.ldif
    • Note: pam_unix reads shadowLastChange: 0 as "password must be changed at next login", and shadowMax: 0 gives the password a zero-day lifetime. If that is not intended, use the migrationtools defaults instead (shadowLastChange set to today's day count since 1970 and shadowMax: 99999). The {crypt}x placeholder is replaced by a real hash in the next step.
  • set the password for the new user. The prompted form keeps both the new password and the Manager password out of shell history and out of ps output:
    • ldappasswd -x -D "cn=Manager,dc=ucsd,dc=edu" -W -S uid=jschulze,ou=People,dc=ucsd,dc=edu
    • -S prompts for the new password and -W for the LDAP admin password. The inline form from the original page, ldappasswd -s <newpassword> -D "cn=Manager,dc=ucsd,dc=edu" -w <ldapadminpassword> -x uid=jschulze,ou=People,dc=ucsd,dc=edu, works but leaves both passwords in the shell history.
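The same entry can be produced with the password already hashed, so no clear-text password ever appears on a command line. The following is an added example written for this page, not code from the wiki or from OpenLDAP. It builds the newuser.ldif entry above with userPassword set to an {SSHA} value (base64 of SHA1(password||salt) followed by the 4-byte salt, the scheme slappasswd uses by default), and verify_ssha() checks such a value the way slapd does on a simple bind. Two things deliberately differ from the page and are marked in the code: shadowLastChange/shadowMax use the migrationtools-style values instead of 0, and uid, cn, gecos and loginShell are validated so a user-supplied uid cannot add DN components or extra LDIF lines. The uid=alice value in the test data is constructed.

```python
"""Generate newuser.ldif with a pre-hashed {SSHA} password (added example, not from the page)."""
import base64
import hashlib
import hmac
import os
import time

BASE_DN = "dc=ucsd,dc=edu"
PEOPLE_OU = "ou=People," + BASE_DN
_DN_SPECIAL = set(',+"\\<>;=')          # RFC 4514 characters that would alter the DN


def ssha_hash(password, salt=None):
    """slappasswd-style {SSHA}: base64(SHA1(password||salt) || salt) with a 4-byte random salt."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(password, stored):
    """True if `password` matches an {SSHA} userPassword value (what slapd checks on bind)."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]       # SHA-1 digest is 20 bytes, the rest is the salt
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def is_plain_ldif_value(value):
    """True if `value` can be written as 'attr: value' without base64 ("::") encoding."""
    return (isinstance(value, str) and value != ""
            and value[0] not in " :<"
            and all(ord(c) >= 32 for c in value))   # no newlines, so no injected LDIF lines


def safe_uid(uid):
    """True if `uid` can be used verbatim in the RDN and as the home directory name."""
    return (is_plain_ldif_value(uid) and uid == uid.strip() and uid[0] != "#"
            and not (set(uid) & _DN_SPECIAL) and "/" not in uid
            and all(ord(c) < 127 for c in uid))


def user_ldif(uid, cn, uid_number, gid_number, password, gecos=None,
              shell="/bin/tcsh", today=None):
    """LDIF text for one user under ou=People, mirroring newuser.ldif on the page."""
    if not safe_uid(uid):
        raise ValueError("unsafe uid: %r" % (uid,))
    gecos = cn if gecos is None else gecos
    for name, value in (("cn", cn), ("gecos", gecos), ("loginShell", shell)):
        if not is_plain_ldif_value(value):
            raise ValueError("%s is not a plain LDIF value: %r" % (name, value))
    if today is None:
        today = int(time.time() // 86400)   # shadowLastChange counts days since 1970-01-01
    lines = [
        "dn: uid=%s,%s" % (uid, PEOPLE_OU),
        "uid: " + uid,
        "cn: " + cn,
        "objectClass: top",
        "objectClass: account",
        "objectClass: posixAccount",
        "objectClass: shadowAccount",
        "userPassword: " + ssha_hash(password),   # page: {crypt}x placeholder, set later
        "loginShell: " + shell,
        "uidNumber: %d" % int(uid_number),
        "gidNumber: %d" % int(gid_number),
        "gecos: " + gecos,
        "homeDirectory: /home/" + uid,
        "shadowLastChange: %d" % today,     # page: 0 (pam_unix reads 0 as "must change now")
        "shadowMax: 99999",                 # page: 0; 99999 is the migrationtools default
        "shadowWarning: 7",
    ]
    return "\n".join(lines) + "\n"


def stored_password(ldif_text):
    """Pull the userPassword value back out of LDIF text, or None if absent."""
    for line in ldif_text.splitlines():
        if line.startswith("userPassword: "):
            return line[len("userPassword: "):]
    return None


if __name__ == "__main__":
    import getpass
    text = user_ldif("jschulze", "Jurgen Schulze", 4009, 1212,
                     getpass.getpass("New password: "), gecos="Jurgen Schulze, room 2125")
    with open("newuser.ldif", "w") as fh:
        fh.write(text)
    print(text, end="")
```

Load the file it writes with the ldapadd line above; the {crypt}x placeholder and the separate ldappasswd step are then unnecessary. Because the rootdn writes userPassword verbatim, the {SSHA} value is stored as given and slapd verifies binds against it exactly as verify_ssha() does here.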

Configure CentOS Client

  • yum install nss-pam-ldapd
  • run authconfig-tui
    • Select "Use LDAP" and "Use LDAP Authentication", then enter the server URL (ldap://192.168.1.2 in this example; substitute the address of the server built above) and the base DN, which must be the suffix configured on the server, dc=ucsd,dc=edu. The screen should end up like this:
    • [*] Use LDAP
    • [*] Use Shadow Passwords
    • [*] Use LDAP Authentication
    • [*] Local authorization is sufficient
    • [ ] Use TLS
    • Server: ldap://192.168.1.2
    • Base DN: dc=ucsd,dc=edu
    • With "Use TLS" left unselected the client binds over plain port 389, so every login password crosses the network in clear text. To use the LDAPS listener set up above instead, copy slapdcert.pem to the client, select "Use TLS" and point nslcd at that file (tls_cacertfile in /etc/nslcd.conf); the certificate's Common Name must then match the hostname the client uses.
  • By default home dirs are not created after login, but this can be turned on like this:
    • authconfig --enablemkhomedir --update

Install Web-Based Administration Interface

  • yum install phpldapadmin
  • vi /etc/httpd/conf.d/phpldapadmin.conf
    • change 127.0.0.1 in the "Allow from" line to the address of the workstation you will administer from (137.110.119.xxx on the lab network). That line, together with the port 80 rule in iptables, is all that limits who can reach the interface, and it speaks plain HTTP, so the Manager password is sent unencrypted unless the site is also put behind HTTPS.
  • vi /etc/phpldapadmin/config.php
    • search for the line $servers->setValue('login','attr','uid');
    • comment it out: //$servers->setValue('login','attr','uid'); (the login form then takes a full DN such as cn=Manager,dc=ucsd,dc=edu instead of a uid)
  • service httpd restart
  • log in to web interface: