Configure LDAP Server2015/12/01 |
|
Configure LDAP Server in order to share users' accounts in your local networks.
|
|
| [1] | Install OpenLDAP. |
|
dlp:~ #
zypper -n install openldap2 openldap2-client
dlp:~ #
vi /etc/sysconfig/openldap # line 37: change OPENLDAP_START_LDAPI=" yes "
# line 149: change OPENLDAP_CONFIG_BACKEND=" ldap "
mv /etc/openldap/slapd.conf /etc/openldap/slapd.conf.org dlp:~ # touch /etc/openldap/slapd.conf dlp:~ # rm -rf /etc/openldap/slapd.d/* dlp:~ # slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d config file testing succeeded
dlp:~ #
vi /etc/openldap/slapd.d/cn=config/olcDatabase\={0}config.ldif # line 2: remove the line # CRC32 xxxxxxxx # line 6: change olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
dlp:~ #
chown -R ldap. /etc/openldap/slapd.d dlp:~ # chmod -R 700 /etc/openldap/slapd.d dlp:~ # systemctl start slapd dlp:~ # systemctl enable slapd
# generate encrypted password dlp:~ # slappasswd New password: Re-enter new password: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx
dlp:~ #
vi chrootpw.ldif # specify the password generated above for "olcRootPW" section
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx
ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 modifying entry "olcDatabase={0}config,cn=config" |
| [2] | Import basic Schemas. |
|
dlp:~ # ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/core.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 adding new entry "cn=core,cn=schema,cn=config"dlp:~ # ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 adding new entry "cn=cosine,cn=schema,cn=config"dlp:~ # ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 adding new entry "cn=nis,cn=schema,cn=config"dlp:~ # ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 adding new entry "cn=inetorgperson,cn=schema,cn=config" |
| [3] | Set your domain name on LDAP DB. |
|
# generate directory manager's password dlp:~ # slappasswd New password: Re-enter new password: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx
dlp:~ #
vi backend.ldif # create new # replace to your own domain name for "dc=***,dc=***" section # specify the password generated above for "olcRootPW" section
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib/openldap
olcModuleload: back_hdb
dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
olcSuffix: dc=srv,dc=world
olcRootDN: cn=Manager,dc=srv,dc=world
olcRootPW: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx
olcAccess: {0}to attrs=userPassword,shadowLastChange by
dn="cn=Manager,dc=srv,dc=world" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=srv,dc=world" write by * read
ldapadd -Y EXTERNAL -H ldapi:/// -f backend.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 adding new entry "cn=module,cn=config" adding new entry "olcDatabase=hdb,cn=config"
dlp:~ #
vi basedomain.ldif # replace to your own domain name for "dc=***,dc=***" section dn: dc=srv,dc=world objectClass: top objectClass: dcObject objectclass: organization o: Server World dc: Server dn: cn=Manager,dc=srv,dc=world objectClass: organizationalRole cn: Manager description: Directory Manager dn: ou=People,dc=srv,dc=world objectClass: organizationalUnit ou: People dn: ou=Group,dc=srv,dc=world objectClass: organizationalUnit ou: Group ldapadd -x -D cn=Manager,dc=srv,dc=world -W -f basedomain.ldif Enter LDAP Password: # directory manager's password adding new entry "dc=srv,dc=world" adding new entry "cn=Manager,dc=srv,dc=world" adding new entry "ou=People,dc=srv,dc=world" adding new entry "ou=Group,dc=srv,dc=world" |
| [4] |
SSSD which is used on SLES 12 LDAP Client needs encrypted connection, so Configure LDAP TLS.
Create Certificates first, refer to here.
|
| [5] | Configure LDAP TLS. |
|
dlp:~ # mkdir /etc/openldap/certs
dlp:~ #
cp /etc/ssl/private/server.key \ /etc/ssl/private/server.crt \ /etc/ssl/ca-bundle.pem \ /etc/openldap/certs/ dlp:~ # chown ldap. /etc/openldap/certs/server.key \
/etc/openldap/certs/server.crt \ /etc/openldap/certs/ca-bundle.pem
dlp:~ #
vi mod_ssl.ldif # create new dn: cn=config changetype: modify add: olcTLSCACertificateFile olcTLSCACertificateFile: /etc/openldap/certs/ca-bundle.pem - replace: olcTLSCertificateFile olcTLSCertificateFile: /etc/openldap/certs/server.crt - replace: olcTLSCertificateKeyFile olcTLSCertificateKeyFile: /etc/openldap/certs/server.key ldapmodify -Y EXTERNAL -H ldapi:/// -f mod_ssl.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 modifying entry "cn=config"
dlp:~ #
vi /etc/sysconfig/openldap # line 27: change OPENLDAP_START_LDAPS=" yes "
systemctl restart slapd |
| Sponsored Link |