Monday, February 8, 2016

CentOS 6.2 Installing LDAP Directory Services using CLI

Install openldap servers and clients:
yum install openldap-servers openldap-clients
Edit your ldap.conf file and enter the IP address or domain name of your server:
vi /etc/openldap/ldap.conf
URI ldap://192.168.1.222
BASE dc=shan,dc=com
Copy the sample files from /usr/share/openldap-servers to /etc/openldap and /var/lib/ldap:
cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
Set up a new root password:
slappasswd
New password:
Re-enter new password:
{SSHA}xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Copy the password as you need to enter the password in slapd.conf:
vi /etc/openldap/slapd.conf
:%s/dc=my-domain/dc=shan/g  #This vi substitution replaces every instance of my-domain with your domain name.
rootpw {SSHA}xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Create a root.ldif file and enter the entries below:
vi /root/root.ldif
#root
dn: dc=shan,dc=com
dc: shan
objectClass: dcObject
objectClass: organizationalUnit
ou: shan.com
#staff
dn: ou=staff,dc=shan,dc=com
ou: staff
objectClass: organizationalUnit
Remove everything in the slapd.d directory, load root.ldif into the database and convert slapd.conf into the slapd.d configuration directory:
rm -rf /etc/openldap/slapd.d/*
slapadd -n 2 -l /root/root.ldif
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
Set the appropriate permissions:
chown -R ldap:ldap /var/lib/ldap
chown -R ldap:ldap /etc/openldap/slapd.d
Make sure the service is enabled on runlevel 3 (the command below turns it on for runlevels 2, 3 and 5):
chkconfig --level 235 slapd on
service slapd start
rm -rf /etc/openldap/slapd.d/*
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
chown -R ldap:ldap /etc/openldap/slapd.d
service slapd restart
Create an SSL certificate:
cd /etc/pki/tls/certs
rm slapd.pem
make slapd.pem
chmod 640 slapd.pem
chown :ldap slapd.pem
ln -s /etc/pki/tls/certs/slapd.pem /etc/openldap/cacerts/slapd.pem
vi /etc/sysconfig/ldap
SLAPD_LDAPS=yes
vi /etc/openldap/slapd.conf
TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
TLSCertificateFile /etc/pki/tls/certs/slapd.pem
TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem
vi /etc/openldap/ldap.conf
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT never
Test if everything is up and working fine:
rm -rf /etc/openldap/slapd.d/*
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
chown -R ldap:ldap /etc/openldap/slapd.d
service slapd restart
ldapsearch -x -ZZ -h localhost (TLS)
ldapsearch -x -H ldaps://localhost (SSL)
Note: Some additional steps
Open /etc/nsswitch.conf, edit the ‘hosts’ entry and put ldap first so clients can authenticate from ldap:
vi /etc/nsswitch.conf
hosts: ldap files
Add a firewall rule for port 636:
iptables -I INPUT -m state --state NEW -p tcp -s 192.168.1.222/24 --dport 636 -j ACCEPT
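As an added check that is not part of the original post, the Python script below audits the text of the client ldap.conf and the server slapd.conf written in the steps above: it flags TLS_REQCERT never (which makes the client accept any server certificate), flags a rootpw that is not a slappasswd hash, checks that both TLS certificate directives are present, and shows the client setting corrected to demand. The sample config strings are constructed from the values used in this post; the hash value is the post's placeholder.

```python
import re
# Constructed samples mirroring this post's settings (not read from disk).
SAMPLE_LDAP_CONF = """\
URI ldap://192.168.1.222
BASE dc=shan,dc=com
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT never
"""
SAMPLE_SLAPD_CONF = """\
TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
TLSCertificateFile /etc/pki/tls/certs/slapd.pem
TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem
rootpw {SSHA}xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
"""

def parse_directives(text):
    """Map lower-cased directive -> value; both files use 'KEY value' lines."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip comments and blank lines
        key, _, value = line.partition(" ")
        out[key.lower()] = value.strip()  # directive names are case-insensitive
    return out

def audit_ldap_conf(text):
    """Client side: TLS_REQCERT never disables server certificate checks."""
    d = parse_directives(text)
    findings = []
    if d.get("tls_reqcert", "demand").lower() == "never":
        findings.append("TLS_REQCERT never: server certificate is not verified")
    return findings

def audit_slapd_conf(text):
    """Server side: rootpw must be a {SCHEME} hash and TLS needs cert and key."""
    d = parse_directives(text)
    findings = []
    pw = d.get("rootpw", "")
    if pw and not re.match(r"\{[A-Z0-9]+\}", pw):
        findings.append("rootpw is stored in clear text; use slappasswd output")
    for key in ("TLSCertificateFile", "TLSCertificateKeyFile"):
        if key.lower() not in d:
            findings.append(key + " missing: LDAPS/StartTLS cannot start")
    return findings

def harden_ldap_conf(text):
    """Return the client config with TLS_REQCERT never changed to demand."""
    return re.sub(r"(?im)^(TLS_REQCERT[ \t]+)never[ \t]*$", r"\1demand", text)
```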