Installing LDAP on Centos 6.2

  1. Install Centos 6.2 Basic Server

  2. Name your server “ldap.yourdomain.com” (wherever you see “yourdomain.com”, change it to your own domain name)

  3. Install “openldap-servers” and “openldap-clients” with yum:

yum install openldap-servers openldap-clients

  4. Create the following script, changing “yourdomain.com” to your own domain (remember to make it executable: “chmod 777 scriptname.sh”)

----------start example-----------
#!/bin/bash
#Change to the certificate directory and clear out the old certs
cd /etc/openldap/certs
rm -rf *

#This echo statement puts the word “password” (without the quotes) in a temporary password file to help
#automate the process. This will be the password for your certificate database. Change this as appropriate
echo "password" > /etc/openldap/certs/password
export PATH=/usr/bin/:$PATH
#Seed file that certutil reads when generating keys
echo falkdjfdajkhfaksj >> noise.txt

#Create the NSS certificate database in the current directory, protected with the password above,
#then generate a key pair in it
certutil -N -d . -f /etc/openldap/certs/password
certutil -G -d . -z noise.txt -f /etc/openldap/certs/password

#Generate a self-signed CA certificate for the 389 server
certutil -S -n "CA certificate" -s "cn=CAcert" -x -t "CT,," -m 1000 -v 120 -d . -z /etc/openldap/certs/noise.txt -f /etc/openldap/certs/password

#answers are Y, <enter accepting defaults>, Y
#This builds the server cert, signed by the CA certificate above
certutil -S -n "OpenLDAP Server" -s "cn=ldap.yourdomain.com" -c "CA certificate" -t "u,u,u" -m 1001 -v 120 -d . -z /etc/openldap/certs/noise.txt -f /etc/openldap/certs/password

#This exports the CA cert in case you need it
pk12util -d . -o cacert.p12 -n "CA certificate"

#This exports the server cert, which you will need on the Windows AD
pk12util -d . -o servercert.p12 -n "OpenLDAP Server"

#This exports the CA cert in PEM form for LDAP clients
certutil -L -d . -n "CA certificate" -a > /etc/openldap/certs/cacert.pem

#Make the files in here readable (this includes the password file and the key database)
chmod 644 *

#Set the system to use LDAPS
sed -i 's/SLAPD_LDAPS=no/SLAPD_LDAPS=yes/g' /etc/sysconfig/ldap

#Add a firewall exception for LDAPS (tcp/636) in case the user has not configured their firewall properly
iptables -I INPUT -m state --state NEW -p tcp --dport 636 -j ACCEPT
/etc/init.d/iptables save

#Restart slapd to make the changes take effect
/etc/init.d/slapd restart
----------end example------------

  5. Run the script.

  6. Type the following commands:

updatedb
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown -Rf ldap:ldap /var/lib/ldap/

  7. Type the following command to generate a hashed password (you will be prompted for the password to hash):

slappasswd

  8. Edit the following file by typing the following at the prompt:

vim /etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif

  9. Change the “olcRootDN:” and “olcSuffix:” values to suit your domain.

  10. Add an “olcRootPW:” line containing the hash you got in the previous step, as in the following example:

olcRootPW: {SSHA}cEBU4qaLUXvUY4pCRzYMpT4yYPN34L30

  11. Create /etc/openldap/schema/base.ldif with the content below, changing “yourdomain.com”:

-----------begin example---------
dn: dc=yourdomain,dc=com
dc: yourdomain
objectClass: top
objectClass: domain

dn: ou=People,dc=yourdomain,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=yourdomain,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit
-----------End example-----------

  12. Create a group called “fred” by creating /etc/openldap/schema/group.ldif with the following content:

--------Start Example-------
dn: cn=fred,ou=People,dc=yourdomain,dc=com
objectClass: posixGroup
objectClass: top
cn: fred
userPassword: password
gidNumber: 1000
--------End example--------

  13. Create a user called “fred” by creating /etc/openldap/schema/people.ldif with the following content:

---------Start Example--------
dn: uid=fred,ou=People,dc=yourdomain,dc=com
uid: fred
cn: fred fred
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: password
shadowLastChange: 15140
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/fred
---------End Example---------

  14. Type the following commands:

cd /etc/openldap/slapd.d/cn\=config
vi olcDatabase\=\{1\}monitor.ldif

  15. Edit the file to change “yourdomain.com” as needed, as follows (the olcAccess value is one long line, folded in LDIF style with a leading space on the continuation line):

----------Start Example--------------
dn: olcDatabase={1}monitor
objectClass: olcDatabaseConfig
olcDatabase: {1}monitor
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=externa
 l,cn=auth" read by dn.base="cn=manager,dc=yourdomain,dc=com" read by * none
olcAddContentAcl: FALSE
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcSyncUseSubentry: FALSE
olcMonitoring: FALSE
structuralObjectClass: olcDatabaseConfig
entryUUID: 5ff4ae96-b538-1032-99cc-8b417a2755b7
creatorsName: cn=config
createTimestamp: 20130919053044Z
entryCSN: 20130919053044.317836Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20130919053044Z
----------End Example---------------

  16. Add the three LDIF files created above to the LDAP database by running the following commands (change yourdomain.com; “-W” prompts for the olcRootPW password):

ldapadd -x -W -D "cn=Manager,dc=yourdomain,dc=com" -f /etc/openldap/schema/base.ldif
ldapadd -x -W -D "cn=Manager,dc=yourdomain,dc=com" -f /etc/openldap/schema/people.ldif
ldapadd -x -W -D "cn=Manager,dc=yourdomain,dc=com" -f /etc/openldap/schema/group.ldif
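
A pre-flight check for these LDIF files, added here as an example and not part of the original guide: the Python script below (function names are my own) unfolds LDIF continuation lines (the wrapped olcAccess line in monitor.ldif is one), verifies that each entry's parent is either the suffix or another entry in the load, flags clear-text userPassword values (the guide's entries use a literal “password”; slappasswd output such as the {SSHA} hash above is accepted), and checks each posixAccount's gidNumber against a posixGroup. The sample LDIF is constructed from the guide's entries, trimmed.

```python
import re

# Constructed sample: the guide's base, people and group LDIF, trimmed; the group's password
# is hashed (slappasswd output) and split across a folded LDIF line to exercise unfolding.
SAMPLE_LDIF = """\
dn: dc=yourdomain,dc=com
objectClass: domain

dn: ou=People,dc=yourdomain,dc=com
objectClass: organizationalUnit

dn: uid=fred,ou=People,dc=yourdomain,dc=com
objectClass: posixAccount
userPassword: password
gidNumber: 1000

dn: cn=fred,ou=People,dc=yourdomain,dc=com
objectClass: posixGroup
userPassword: {SSHA}cEBU4qaLUXvUY4pCR
 zYMpT4yYPN34L30
gidNumber: 1000
"""

def parse_ldif(text):
    """Return {dn: {attr: [values]}} with attribute names and DNs lower-cased (LDAP compares
    them case-insensitively). A line starting with one space continues the previous line."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.replace("\n ", "").strip()):
        attrs = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        entries[attrs["dn"][0].lower()] = attrs
    return entries

def check_entries(entries, suffix):
    """Return findings that would make ldapadd fail or leave weak data in the directory."""
    findings, suffix = [], suffix.lower()
    classes = {dn: {o.lower() for o in a.get("objectclass", [])} for dn, a in entries.items()}
    gids = {g for dn, a in entries.items() if "posixgroup" in classes[dn] for g in a.get("gidnumber", [])}
    for dn, attrs in entries.items():
        parent = dn.partition(",")[2]
        if dn != suffix and parent not in entries:
            findings.append(f"{dn}: parent {parent} is not in this LDIF and must already exist")
        for pw in attrs.get("userpassword", []):
            if not re.match(r"\{[A-Za-z0-9-]+\}", pw):  # {SSHA}, {CRYPT}, ... mark a hashed value
                findings.append(f"{dn}: userPassword is clear text; hash it with slappasswd")
        if "posixaccount" in classes[dn] and not set(attrs.get("gidnumber", [])) <= gids:
            findings.append(f"{dn}: gidNumber {attrs['gidnumber']} has no matching posixGroup")
    return findings
```

Run it on the real files by concatenating base.ldif, people.ldif and group.ldif into one string and calling check_entries(parse_ldif(text), "dc=yourdomain,dc=com"); an empty list means the load should succeed with no clear-text passwords.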


  17. Check that they have been added with the following command (change the yourdomain.com):

ldapsearch -x -b "dc=yourdomain,dc=com"

  18. Reboot the server.