The installation steps below were carried out on CentOS 6.4

== Installation ==

yum install openldap-servers openldap-clients

== Configuration ==

Edit your ldap.conf file and enter the IP address or domain name of your server:

vi /etc/openldap/ldap.conf
URI ldap://88.88.88.75
BASE dc=my-domain,dc=com

Copy the sample files from /usr/share/openldap-servers to /etc/openldap and /var/lib/ldap:

cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

Set up a new LDAP admin password:

slappasswd
New password:
Re-enter new password:
{SSHA}xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Copy the hashed password (the {SSHA} string) from STDOUT, as it will need to be put into the configuration.

=== /etc/openldap/slapd.conf ===

Search for “dc=my-domain” and replace it with your own domain components, then
replace the rootpw value with the password hash generated above so that the line looks like

rootpw {SSHA}xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Here is the config file in use

#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
# NOTE(review): this file holds two rootpw hashes and the path of the TLS
# private key, so a restrictive mode and owner (readable by root and the
# ldap user only) is part of the security of the directory itself.
#

include		/etc/openldap/schema/corba.schema
include		/etc/openldap/schema/core.schema
include		/etc/openldap/schema/cosine.schema
include		/etc/openldap/schema/duaconf.schema
include		/etc/openldap/schema/dyngroup.schema
include		/etc/openldap/schema/inetorgperson.schema
include		/etc/openldap/schema/java.schema
include		/etc/openldap/schema/misc.schema
include		/etc/openldap/schema/nis.schema
include		/etc/openldap/schema/openldap.schema
include		/etc/openldap/schema/ppolicy.schema
include		/etc/openldap/schema/collective.schema

# Allow LDAPv2 client connections.  This is NOT the default.
# NOTE(review): only legacy clients need v2 (ldapsearch speaks v3 by
# default); unless such clients exist this line can be dropped.
allow bind_v2

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral	ldap://root.openldap.org

pidfile		/var/run/openldap/slapd.pid
argsfile	/var/run/openldap/slapd.args

# NOTE(review): -1 enables every log category (see "loglevel" in
# slapd.conf(5)). That is a debugging setting: it floods syslog and records
# operation details such as bind DNs and search filters. A narrower level
# (e.g. stats, 256) is the usual production choice once things work.
loglevel 	-1

# Load dynamic backend modules
# - modulepath is architecture dependent value (32/64-bit system)
# - back_sql.la overlay requires openldap-server-sql package
# - dyngroup.la and dynlist.la cannot be used at the same time

# modulepath /usr/lib/openldap
modulepath /usr/lib64/openldap

# moduleload accesslog.la
# moduleload auditlog.la
# moduleload back_sql.la
# moduleload chain.la
# moduleload collect.la
# moduleload constraint.la
# moduleload dds.la
# moduleload deref.la
# moduleload dyngroup.la
# moduleload dynlist.la
# Needed by the "overlay memberof" line in the bdb database below.
moduleload memberof.la
# moduleload pbind.la
# moduleload pcache.la
# moduleload ppolicy.la
# moduleload refint.la
# moduleload retcode.la
# moduleload rwm.la
# moduleload seqmod.la
# moduleload smbk5pwd.la
# moduleload sssvlv.la
# moduleload syncprov.la
# moduleload translucent.la
# moduleload unique.la
# moduleload valsort.la

# The next three lines allow use of TLS for encrypting connections using a
# dummy test certificate which you can generate by running
# /usr/libexec/openldap/generate-server-cert.sh. Your client software may balk
# at self-signed certificates, however.
# NOTE(review): TLSCertificateFile and TLSCertificateKeyFile point at the
# same slapd.pem, so that file contains the private key; it must stay
# unreadable to anyone but root and the ldap user (the LDAPS section of this
# page sets it to mode 640, group ldap).
TLSCACertificatePath /etc/openldap/certs
#TLSCertificateFile "\"OpenLDAP Server\""
#TLSCertificateKeyFile /etc/openldap/certs/password
TLSCertificateFile /etc/pki/tls/certs/slapd.pem
TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem

# Sample security restrictions
#	Require integrity protection (prevent hijacking)
#	Require 112-bit (3DES or better) encryption for updates
#	Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# NOTE(review): no "security" directive is active in this file, so simple
# binds (cleartext password on the wire) are accepted over plain ldap:// as
# well as over TLS; something like "security simple_bind=64" would require
# TLS for password binds.

# Sample access control policy:
#	Root DSE: allow anyone to read it
#	Subschema (sub)entry DSE: allow anyone to read it
#	Other DSEs:
#		Allow self write access
#		Allow authenticated users read access
#		Allow anonymous users to authenticate
#	Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#	by self write
#	by users read
#	by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

# enable on-the-fly configuration (cn=config)
# The peercred DN below is the local root user binding over ldapi:// with
# SASL EXTERNAL; that only works if an ldapi listener is enabled, which is
# not shown on this page. cn=admin,cn=config (with the rootpw hash) has full
# access too, since rootdn bypasses the ACL.
database config
rootdn		"cn=admin,cn=config"
rootpw          {SSHA}xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
access to *
	by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
	by * none

# enable server status monitoring (cn=monitor)
database monitor
access to *
	by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
        by dn.exact="cn=Manager,dc=my-domain,dc=com" read
        by * none

#######################################################################
# database definitions
#######################################################################
database	bdb
suffix		"dc=my-domain,dc=com"
rootdn		"cn=Manager,dc=my-domain,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# 		secret
# 		{crypt}ijFYNcSNctBYg
rootpw          {SSHA}xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

# NOTE(review): slapd uses the first "access to" clause whose <what> matches
# the entry/attribute, and within it the first matching <by> line; unless
# that line's control is "break"/"continue", evaluation stops there. This
# subtree clause comes first and covers every attribute, so "by self write"
# and the Administrators/Operators lines also decide access to userPassword:
# Operators are granted read on password hashes here, and the
# attrs=userPassword clause below is only reached through "by * break", i.e.
# for requestors matching none of the three lines above. If only the
# userPassword clause is meant to govern that attribute, it has to come
# before this clause (or this clause has to exclude the attribute).
access to dn.subtree="dc=my-domain,dc=com"
    by self write
    by set="[cn=Administrators,ou=groups,dc=my-domain,dc=com]/member* & user" write
    by set="[cn=Operators,ou=groups,dc=my-domain,dc=com]/member* & user" read
    by * break

# "=rwdx" grants self exactly read/write/disclose/auth on the attribute, i.e.
# no search or compare. Anything not matched below is denied by the implicit
# trailing "by * none".
access to attrs=userPassword
  by anonymous auth
  by self =rwdx
  by set="user & [cn=Administrators,ou=groups,dc=my-domain,dc=com]/member*" manage
  by dn.children="ou=Special Accounts,dc=my-domain,dc=com" auth

#access to attrs=uid,userPassword,mail
#    by self write
#    by set="[cn=Administrators,ou=group,dc=my-domain,dc=com]/member* & user" manage
#    by set="[cn=Operators,ou=group,dc=my-domain,dc=com]/member* & user" read
#    by * none

#access to *
#  by set="user & [cn=Administrators,ou=groups,dc=my-domain,dc=com]/member*" manage
#  by * break

#access to dn.children="ou=people,dc=my-domain,dc=com"
#  attrs=givenName,sn,displayName,cn,telephoneNumber,fax,postalAddress,homePhone,homePostalAddress,mobile,pager,postalCode,postOfficeBox,preferredLanguage,streetAddress,l,st
#  by self write
#  by * break

#access to dn.children="ou=people,dc=my-domain,dc=com"
#  attrs=uid,uidNumber,gidNumber,mail,telephoneNumber,mobile,departmentNumber,manager,title,initials,givenName,sn,displayName,cn,fax,organizationName,organizationalUnitName,pager,postalAddress,l,st,c
#  by * read

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
# (The "chown -R ldap:ldap /var/lib/ldap" step later on this page is what
# gives slapd ownership of it.)
directory	/var/lib/ldap

# Indices to maintain for this database
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub

# Maintains the memberOf attribute on entries referenced by group
# membership; requires the memberof.la module loaded above.
overlay memberof

cachesize 10000
# checkpoint <kbyte> <min>: flush the BDB transaction log every 1024 KB of
# log data or every 15 minutes, whichever comes first.
checkpoint	1024 15

# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
#     bindmethod=sasl saslmech=GSSAPI
#     authcId=host/ldap-master.example.com@EXAMPLE.COM

Create a new file, root.ldif, with the following content:

dn: dc=my-domain,dc=com
objectClass: dcObject
objectClass: organization
dc: my-domain
o: my-domain

dn: ou=groups,dc=my-domain,dc=com
ou: groups
objectClass: organizationalUnit

dn: ou=people,dc=my-domain,dc=com
ou: people
objectClass: organizationalUnit

Remove everything in the slapd.d directory, load root.ldif into the main database with slapadd, and then generate the slapd.d configuration from slapd.conf:

# Wipes any existing cn=config tree; fine on a fresh install, destructive
# on a server that already has one.
rm -rf /etc/openldap/slapd.d/*
# -n 2 selects the third database listed in slapd.conf (as I read slapadd(8),
# config is 0, monitor 1, bdb 2). slapadd(8) requires slapd to be stopped, and
# the BDB files it creates are owned by root, hence the chown that follows.
# NOTE(review): no -f/-F is given, so which configuration slapadd reads right
# after slapd.d was emptied depends on the tool's defaults; passing
# -f /etc/openldap/slapd.conf explicitly would remove the ambiguity.
slapadd -n 2 -l /root/root.ldif
# Checks slapd.conf and converts it into the slapd.d (cn=config) directory.
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d

Set the appropriate permissions:

# slapd runs as the ldap user; it needs to own both the BDB files and the
# generated cn=config tree (both were just written as root).
chown -R ldap:ldap /var/lib/ldap
chown -R ldap:ldap /etc/openldap/slapd.d

Make sure the service is enabled at boot (the command below turns it on for runlevels 2, 3 and 5):

chkconfig --level 235 slapd on
service slapd start

== LDAPS ==

cd /etc/pki/tls/certs
rm slapd.pem
# On CentOS the Makefile in this directory builds a self-signed certificate
# with its private key in the same file, so slapd.pem is key material from
# here on (slapd.conf uses it as both certificate and key file).
make slapd.pem
# Key readable only by root and the ldap group (slapd runs as ldap).
chmod 640 slapd.pem
chown :ldap slapd.pem
# Publishes the self-signed cert as a trust anchor for clients via
# TLS_CACERTDIR below.
# NOTE(review): the symlink target is mode 640 root:ldap, so a client process
# outside the ldap group cannot read the certificate through this path and
# therefore cannot validate the server -- which is presumably why
# TLS_REQCERT ends up as "never" below. Copying only the certificate part
# (no key) into cacerts as a world-readable file would let clients verify
# with the default TLS_REQCERT setting.
ln -s /etc/pki/tls/certs/slapd.pem /etc/openldap/cacerts/slapd.pem
vi /etc/sysconfig/ldap
# Enables the ldaps:// listener in addition to ldap://.
SLAPD_LDAPS=yes
vi /etc/openldap/slapd.conf
# ca-bundle.crt is the CA list used to verify client certificates; the
# server's own self-signed cert does not need to be in it.
TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
TLSCertificateFile /etc/pki/tls/certs/slapd.pem
TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem
vi /etc/openldap/ldap.conf
TLS_CACERTDIR /etc/openldap/cacerts
# NOTE(review): "never" tells every client using this ldap.conf to skip
# server-certificate verification, so TLS encrypts the session but does not
# authenticate the server (an on-path attacker can present any certificate).
# Once the certificate in cacerts is readable by clients, remove this line to
# get back the default "demand".
TLS_REQCERT never

== Test ==

Test if everything is up and working fine:

# Same rebuild cycle as during installation: on this setup slapd is fed the
# slapd.d tree generated by slaptest, so slapd.d must be regenerated after
# every slapd.conf edit.
rm -rf /etc/openldap/slapd.d/*
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
chown -R ldap:ldap /etc/openldap/slapd.d
service slapd restart

# -x is an anonymous simple bind. -ZZ fails unless StartTLS succeeds, but with
# TLS_REQCERT never in ldap.conf the handshake passes even against an
# unverified certificate, so a pass here shows encryption works, not that the
# trust setup does.
ldapsearch -x -ZZ -h localhost #(TLS)
ldapsearch -x -H ldaps://localhost #(SSL)

Authenticating a CentOS client against LDAP:

system-config-authentication