Setup OpenLDAP on CentOS 6.x
Hi All – I had to set up another LDAP server today and it was just barely painful enough to warrant a writeup. Read more for my walkthrough!
First – I started with my “typical” CentOS VM – built plain-jane vanilla (minimal), no X11, latest patches applied. I suggest you begin the same. Then follow these steps:
- Update the firewall to permit port 389 (secure LDAP over port 636 is preferable but we’ll cover that in a different post). In /etc/sysconfig/iptables add the line:
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT
- Install OpenLDAP:
    yum -y install openldap openldap-clients openldap-servers
- Generate a password and modify the specified config files as described below. The two olcAccess rules let a user change only their own password and let anonymous clients bind (authenticate) against userPassword without ever reading it; everything else is writable by Manager and the owning entry and readable by everyone:
    slappasswd
    [...enter new password and copy result...]
    cd /etc/openldap/slapd.d/cn\=config
    vi olcDatabase\=\{2\}bdb.ldif
    [...add line 'olcRootPW: (copied password)'...]
    [...change references of 'my-domain' to 'your-domain'...]
    vi olcDatabase\=\{1\}monitor.ldif
    [...modify olcAccess to change 'my-domain' to 'your-domain'...]
    vi olcDatabase\=\{2\}bdb.ldif
    [...BEGIN: add these two lines...]
    olcAccess: {0}to attrs=userPassword by self write by dn.base="cn=Manager,dc=your-domain,dc=com" write by anonymous auth by * none
    olcAccess: {1}to * by dn.base="cn=Manager,dc=your-domain,dc=com" write by self write by * read
    [...END: add these two lines...]
- OPTIONAL: Update the CRC-32 codes or you get warnings when starting the slapd service. For each modified file, copy it to a temp file excluding the first two lines. Then run the CRC-32 check program – which does not exist on CentOS but I found / built a copy (I’ll write that up later I promise :). Here’s an example of the one I built in action:
    [root@lvinfillx100 cn=config]# tail -n +3 /etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif > /tmp/foo.txt
    [root@lvinfillx100 cn=config]# check-crc32 /tmp/foo.txt
    /tmp/foo.txt CRC-32 = 5785915f, size = 619 bytes
    [root@lvinfillx100 cn=config]# vi /etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif
    [...update CRC to match above...]
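The check-crc32 program above is the author's own tool, not shipped with CentOS. The script below is an added example (not from the original post) that does the same job with only the Python standard library: it reads each slapd.d file, takes everything after the first two comment lines (what `tail -n +3` extracts), computes the CRC-32 with zlib, compares it with the value in the `# CRC32 xxxxxxxx` header line, and with `--fix` rewrites that header. It assumes the two-line header layout that OpenLDAP 2.4 writes under /etc/openldap/slapd.d; the sample file contents are constructed for the demonstration.

```python
import re
import sys
import zlib

# slapd (OpenLDAP 2.4) writes two comment lines at the top of every file under
# /etc/openldap/slapd.d; the second one records a CRC-32 of everything that
# follows, which is exactly what "tail -n +3 file" extracts in the walkthrough.
CRC_HEADER = re.compile(r"^# CRC32 ([0-9a-fA-F]{8})\s*$")


def crc32_hex(data: bytes) -> str:
    """CRC-32 (IEEE polynomial, as used by zlib and slapd) as 8 hex digits."""
    return "%08x" % (zlib.crc32(data) & 0xFFFFFFFF)


def split_slapd_file(content: bytes):
    """Split a slapd.d file into (recorded_crc, body).

    body is everything after the first two lines; recorded_crc is the value
    from the "# CRC32" header, or None when line two is not such a header."""
    parts = content.split(b"\n", 2)
    if len(parts) < 3:
        return None, b""
    match = CRC_HEADER.match(parts[1].decode("ascii", "replace"))
    recorded = match.group(1).lower() if match else None
    return recorded, parts[2]


def check_slapd_file(content: bytes):
    """Return (recorded, actual, matches) for one slapd.d file's bytes."""
    recorded, body = split_slapd_file(content)
    actual = crc32_hex(body)
    return recorded, actual, recorded == actual


def fix_crc(content: bytes) -> bytes:
    """Return the file with its CRC32 header rewritten to match the body."""
    parts = content.split(b"\n", 2)
    if len(parts) < 3:
        raise ValueError("not a slapd.d file: fewer than three lines")
    first, _old_header, body = parts
    return first + b"\n# CRC32 " + crc32_hex(body).encode("ascii") + b"\n" + body


# Constructed sample standing in for olcDatabase={1}monitor.ldif after a hand
# edit: the header CRC is stale (all zeros), so slapd would warn on start-up.
SAMPLE = (
    b"# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.\n"
    b"# CRC32 00000000\n"
    b"dn: olcDatabase={1}monitor\n"
    b"objectClass: olcDatabaseConfig\n"
    b"olcDatabase: {1}monitor\n"
    b"olcAccess: {0}to * by dn.base=\"cn=Manager,dc=your-domain,dc=com\" read by * none\n"
)


def report(path: str, content: bytes) -> str:
    """One-line summary in the spirit of the check-crc32 output above."""
    recorded, actual, ok = check_slapd_file(content)
    body_size = len(split_slapd_file(content)[1])
    return "%s: header=%s computed=%s size=%d bytes %s" % (
        path, recorded, actual, body_size, "OK" if ok else "MISMATCH")


if __name__ == "__main__":
    # Usage: python3 slapd_crc.py [--fix] /etc/openldap/slapd.d/cn=config/*.ldif
    args = sys.argv[1:]
    fix = bool(args) and args[0] == "--fix"
    paths = args[1:] if fix else args
    if not paths:
        print(report("sample", SAMPLE))
        print(report("sample (fixed)", fix_crc(SAMPLE)))
    for path in paths:
        with open(path, "rb") as fh:
            data = fh.read()
        print(report(path, data))
        if fix and not check_slapd_file(data)[2]:
            with open(path, "wb") as fh:
                fh.write(fix_crc(data))
```

Run it with no arguments to see the constructed sample reported as MISMATCH and then OK once the header is rewritten; point it at the real files (as root, with slapd stopped) to check or fix them. Note that `cksum` is not a substitute here: it computes the POSIX CRC, which gives a different value from the CRC-32 slapd records.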
- Set up auto-start:
    chkconfig slapd on
    service slapd start
- Set up the root entry:
    # /root/10-your-domain-com.ldif
    dn: dc=your-domain,dc=com
    objectClass: dcObject
    objectClass: organization
    dc: your-domain
    o: your-domain
  Then enter it into LDAP:
    ldapadd -f 10-your-domain-com.ldif -D cn=Manager,dc=your-domain,dc=com -W
  Perform a quick search if you want to verify:
    [root@lvinfillx100 ~]# ldapsearch -x -LLL -b dc=your-domain,dc=com
    dn: dc=your-domain,dc=com
    objectClass: dcObject
    objectClass: organization
    dc: your-domain
    o: your-domain
- Set up memberOf attribute support. This was a pain and took me some time to get right (would justify a blog entry just for this recipe). Note that this recipe is good for 64-bit specifically (see the olcModulePath below):
    # /root/15-memberof.ldif
    dn: cn=module,cn=config
    cn: module
    objectClass: olcModuleList
    objectclass: top
    olcModuleLoad: memberof.la
    olcModulePath: /usr/lib64/openldap

    dn: olcOverlay=memberof,olcDatabase={2}bdb,cn=config
    objectclass: olcconfig
    objectclass: olcMemberOf
    objectclass: olcoverlayconfig
    objectclass: top
    olcoverlay: memberof
  Then add the overlay support to OpenLDAP:
    ldapadd -Y EXTERNAL -H ldapi:/// -f ./15-memberof.ldif
- Create OUs for Users and Groups:
    # /root/20-your-domain-com-ous.ldif
    # OUs for users and groups
    dn: ou=Users,dc=your-domain,dc=com
    objectClass: organizationalUnit
    ou: Users

    dn: ou=Groups,dc=your-domain,dc=com
    objectClass: organizationalUnit
    ou: Groups
  Add to OpenLDAP:
    ldapadd -f 20-your-domain-com-ous.ldif -D cn=Manager,dc=your-domain,dc=com -W
That is all. Enjoy your OpenLDAP!