Install OpenLDAP in CentOS

1. Prepare

First, install the packages

yum -y install openldap openldap-clients openldap-servers

Verify that LDAP ports are free

netstat -tlnp | egrep "389|636"

Set up a certificate authority as described here and obtain the CA certificate /etc/pki/ca/ca.crt.

Create an SSL certificate for the LDAP server as described here and obtain the certificate /etc/pki/ldap/server.crt and the key /etc/pki/ldap/server.key.

2. Setup LDAP server

Configure Berkeley database

cp /etc/openldap/DB_CONFIG.example /etc/openldap/DB_CONFIG
ln -s /etc/openldap/DB_CONFIG /var/lib/ldap/

Set up the slapd root password (slappasswd prompts for it and writes the {SSHA} hash into the new slapd.conf, which is completed in the next step)

mv /etc/openldap/slapd.conf /etc/openldap/slapd.conf.orig
slappasswd > /etc/openldap/slapd.conf

Edit /etc/openldap/slapd.conf

include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema

allow bind_v2

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

TLSCipherSuite        ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
TLSCACertificateFile  /etc/pki/ca/ca.crt
TLSCertificateFile    /etc/pki/ldap/server.crt
TLSCertificateKeyFile /etc/pki/ldap/server.key
#TLSVerifyClient never

# require secure connections only (LDAP+StartTLS or LDAPS)
security ssf=128
password-hash {SSHA}

access to attrs=userPassword by self write by * auth
access to * by self write by users read by anonymous none

database  bdb
suffix    "dc=ourdom.com"
rootdn    "cn=root,dc=ourdom.com"
rootpw    {SSHA}dYFhmHySSrpCR5WUF3KlpWY8N1v8ltZ/

directory       /var/lib/ldap

index objectClass             eq,pres
index ou,cn,mail              eq,pres,sub
index uidNumber,gidNumber     eq,pres
index uid,memberUid           eq,pres,sub

Since the file contains the LDAP root password (even though only as a hash), no one but the slapd daemon should be able to read it:

cd /etc/openldap
chown root:ldap slapd.conf
chmod 640 slapd.conf

Enable LDAPS in /etc/sysconfig/ldap

SLAPD_LDAPS=yes

Start the service

chkconfig ldap on
service ldap restart

Create a bundle of the CA and server certificates, and a hashed CA directory for clients

cat /etc/pki/ca/ca.crt /etc/pki/ldap/server.crt >> /etc/openldap/cacerts.pem
cd /etc/openldap/cacerts
cp /etc/pki/ca/ca.crt .
ln -s ca.crt `cat ca.crt | openssl x509 -hash -noout`.0

3. Configure LDAP client

Edit /etc/openldap/ldap.conf

URI  ldaps://server.ourdom.com
BASE  dc=ourdom.com
TLS_CACERTDIR  /etc/openldap/cacerts
TLS_CACERT  /etc/openldap/cacerts.pem
TLS_REQCERT  demand
TLS_CIPHER_SUITE  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
TIMELIMIT  15
DEREF  never

4. Initialize LDAP database

Import an initial LDAP tree from an LDIF file like the one attached to this page:

ldapadd -D cn=root,dc=ourdom.com -x -w ROOTPASS -f /path/to/dump.ldif

Remember the line "access to * ... by anonymous none". It is good practice to prevent anonymous users from outside from browsing your directory: one needs an LDAP account to browse it. Unfortunately, the standard NSS/PAM LDAP library bundled with Linux distributions such as Ubuntu or CentOS takes the credentials of such an account from the /etc/ldap.conf file, which is readable by every user logged on to the machine. So we cannot use a real login account for this, or everybody on the system would know its password.

Let's create a special LDAP entry just to password-protect LDAP reads. Run the shell script attached to this page:

sh build-ldap-pwd-entry.sh dc=ourdom.com browse secretpass > temp.ldif
ldapadd -D cn=root,dc=ourdom.com -x -w ROOTPASS -f temp.ldif

The first argument is your LDAP search base. The second argument is the CN of the created entry. The last one is the password. The new entry will be similar to this:

dn: cn=browse,dc=ourdom.com
cn: browse
sn: browse
objectClass: top
objectClass: person
userPassword:: e1NxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxKT3IK

Now verify the results:

ldapsearch -D cn=root,dc=ourdom.com -x -w ROOTPASS -LLL '(cn=ibunin)' 'cn'

Repeat the test with your browsing user "-D cn=browse,dc=ourdom.com" and check the results.

You are done.
