Server setup

yum install openldap openldap-servers openldap-clients

Run slappasswd and copy the generated password hash into the rootpw field of /etc/openldap/slapd.conf (provided below). slapd.conf must belong to group ldap and be readable by that group.
The rootpw directive should be commented out after populating the ldap directory.

Generate CA certificate

cd /usr/share/ssl/misc/
Modify the CA script to have days=3650, then:
./CA -newca
This creates cacert.pem in a subdirectory. Rename it servername.cacert.pem.

Next, create a cert request and private key for the server:
openssl req -new -nodes -keyout newreq.pem -out newreq.pem

Sign the certificate using the newly created CA to create newcert.pem:
./CA -sign

Update /etc/openldap/slapd.conf:
TLSCACertificateFile /place/cacert.pem
TLSCertificateFile /place/newcert.pem
TLSCertificateKeyFile /place/newreq.pem
The fully qualified host name must be used.

Enable logging

Add to /etc/syslog.conf:
local4.* /var/log/slapd.log
then restart the syslog daemon:
service syslog restart

Start the service

service ldap start
ldapadd -x -D "cn=root,dc=to,dc=infn,dc=it" -W -f base.ldif
ldapadd -x -D "cn=root,dc=to,dc=infn,dc=it" -W -f group.ldif
ldapadd -x -D "cn=root,dc=to,dc=infn,dc=it" -W -f user.ldif

Test:
ldapsearch -LL -H ldap://localhost -b "dc=to,dc=infn,dc=it" -x "(uid=argiro)"
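Added example, not part of the original notes: a POSIX shell function that audits a slapd.conf for the points the server setup above depends on (rootpw commented out once the LDIFs are loaded, the three TLS directives present and pointing at existing files, the private key and slapd.conf not world-readable). The directive names are the real slapd.conf ones used above; the file paths and config contents in the usage are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original notes): audit /etc/openldap/slapd.conf
# for the hardening points the server setup relies on.
#
# check_slapd_conf FILE
#   prints one line per finding and returns the number of findings (0 = clean):
#   - rootpw must be commented out once the directory has been populated
#   - TLSCACertificateFile / TLSCertificateFile / TLSCertificateKeyFile must be
#     present and point at files that exist
#   - the private key named by TLSCertificateKeyFile must not be world-readable
#   - slapd.conf itself must not be world-readable (it carries the rootpw hash);
#     group ldap needs read access, as the notes say, but "other" does not
check_slapd_conf() {
    conf=$1
    findings=0

    # An uncommented "rootpw ..." line; a leading "#" makes the line not match.
    if grep -q '^[[:space:]]*rootpw[[:space:]]' "$conf"; then
        echo "rootpw is still active in $conf: comment it out after loading the LDIFs"
        findings=$((findings + 1))
    fi

    # For each TLS directive take the first uncommented occurrence; field 2 is the path.
    for directive in TLSCACertificateFile TLSCertificateFile TLSCertificateKeyFile; do
        path=$(awk -v d="$directive" '$1 == d { print $2; exit }' "$conf")
        if [ -z "$path" ]; then
            echo "$directive is missing from $conf"
            findings=$((findings + 1))
        elif [ ! -f "$path" ]; then
            echo "$directive points at $path, which does not exist"
            findings=$((findings + 1))
        fi
    done

    # "find FILE -perm -004" prints the path only when the "other" read bit is set.
    key=$(awk '$1 == "TLSCertificateKeyFile" { print $2; exit }' "$conf")
    if [ -n "$key" ] && [ -f "$key" ] && [ -n "$(find "$key" -perm -004)" ]; then
        echo "private key $key is world-readable"
        findings=$((findings + 1))
    fi
    if [ -n "$(find "$conf" -perm -004)" ]; then
        echo "$conf is world-readable: use mode 0640, owner root, group ldap"
        findings=$((findings + 1))
    fi

    return $findings
}

# Usage: sh check_slapd.sh /etc/openldap/slapd.conf   (exit status = number of findings)
if [ "$#" -gt 0 ]; then
    check_slapd_conf "$1"
fi
```

The exit status doubles as the finding count, so the check can sit in a post-install script or a periodic cron job and fail loudly when someone re-enables rootpw or loosens the key's permissions.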
Setup client

Copy name.cacert.pem to /etc/openldap/cacerts.
Use the command authconfig to set up ldap authentication with TLS, or run:
authconfig --enableshadow --enablemd5 --enableldap --ldapserver=cmsfarm02.to.infn.it \
  --ldapbasedn="dc=to,dc=infn,dc=it" --enableldapauth --enableldaptls --enablecache --kickstart --disablenis
If necessary run
authconfig --update

On systems without authconfig, copy:
/etc/ldap.conf
/etc/pam.d/system-auth
/etc/pam.d/passwd
/etc/nsswitch.conf

Autohome

Modify /etc/pam.d/system-auth and add
session required /lib/security/$ISA/pam_mkhomedir.so skel=/etc/skel/ umask=0077

Files:
www.to.infn.it/~argiro/slapd.conf
www.to.infn.it/~argiro/ldap.conf
www.to.infn.it/~argiro/base.ldif
www.to.infn.it/~argiro/group.ldif
www.to.infn.it/~argiro/user.ldif
www.to.infn.it/~argiro/system-auth
www.to.infn.it/~argiro/passwd
www.to.infn.it/~argiro/nsswitch.conf
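Added example, not part of the original notes: two POSIX shell functions that check the client side of the setup above. The first audits /etc/ldap.conf for the TLS settings that make the copied CA certificate actually matter (ssl start_tls, tls_checkpeer yes, and a tls_cacertdir that holds a certificate); these key names are the ones used by the PADL nss_ldap/pam_ldap ldap.conf, and tls_checkpeer is checked explicitly rather than relying on the library default. The second checks that the pam_mkhomedir line in /etc/pam.d/system-auth keeps umask=0077 so new home directories are not readable by other users. File contents in the usage are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original notes): verify the client-side LDAP and
# PAM configuration produced by authconfig or by copying the files listed above.

# check_client_ldap_conf FILE
#   prints one line per finding and returns the number of findings (0 = clean).
check_client_ldap_conf() {
    conf=$1
    findings=0

    # Without start_tls the bind password crosses the network in the clear.
    if ! grep -q '^[[:space:]]*ssl[[:space:]][[:space:]]*start_tls' "$conf"; then
        echo "$conf: 'ssl start_tls' is not set"
        findings=$((findings + 1))
    fi

    # Require certificate verification explicitly instead of trusting the default.
    if ! grep -qi '^[[:space:]]*tls_checkpeer[[:space:]][[:space:]]*yes' "$conf"; then
        echo "$conf: 'tls_checkpeer yes' is not set, server certificate may go unverified"
        findings=$((findings + 1))
    fi

    # The CA directory must exist and contain the copied name.cacert.pem.
    cadir=$(awk '$1 == "tls_cacertdir" { print $2; exit }' "$conf")
    if [ -z "$cadir" ]; then
        echo "$conf: tls_cacertdir is not set"
        findings=$((findings + 1))
    elif [ -z "$(find "$cadir" -type f 2>/dev/null | head -n 1)" ]; then
        echo "$conf: $cadir is missing or empty, copy the CA certificate there"
        findings=$((findings + 1))
    fi

    return $findings
}

# check_pam_mkhomedir FILE
#   returns 0 when a pam_mkhomedir session line with umask=0077 (or 077) exists.
check_pam_mkhomedir() {
    pamfile=$1
    line=$(grep '^[[:space:]]*session.*pam_mkhomedir\.so' "$pamfile")
    if [ -z "$line" ]; then
        echo "$pamfile: pam_mkhomedir is not configured, home directories will not be created"
        return 1
    fi
    case $line in
        *umask=0077*|*umask=077*) return 0 ;;
        *)
            echo "$pamfile: pam_mkhomedir does not set umask=0077, new homes would be readable by others"
            return 1 ;;
    esac
}

# Usage: sh check_client.sh /etc/ldap.conf /etc/pam.d/system-auth
if [ "$#" -ge 2 ]; then
    check_client_ldap_conf "$1"
    check_pam_mkhomedir "$2"
fi
```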
Backup and restore

Backup:
# slapcat -f /etc/openldap/slapd.conf -b "dc=to,dc=infn,dc=it" -l ldap-backup.ldif

Restore:
# slapadd -v -c -l ldap-backup.ldif -f /etc/openldap/slapd.conf
then run
slapindex
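Added example, not part of the original notes: a small shell wrapper around the backup and restore commands above. The slapcat dump contains every userPassword hash, so the backup runs under umask 077; before a restore, the LDIF is checked for the base entry (slapadd -c would otherwise skip the children of a missing parent) and for a password-bearing file that is readable by group or others. The slapcat/slapadd invocations are the ones from the notes; the sample LDIF in the usage is constructed.

```shell
#!/bin/sh
# Added example (not from the original notes): guarded backup/restore helpers
# for the slapcat/slapadd procedure above.

# ldif_entry_count FILE -> number of entries (lines starting with "dn:") in an LDIF
ldif_entry_count() {
    grep -c '^dn:' "$1"
}

# check_backup_ldif FILE BASEDN
#   prints one line per finding and returns the number of findings (0 = restorable).
check_backup_ldif() {
    ldif=$1
    base=$2
    findings=0

    # An empty dump means slapcat ran against the wrong suffix or an empty database.
    if [ "$(ldif_entry_count "$ldif")" -eq 0 ]; then
        echo "$ldif contains no entries"
        findings=$((findings + 1))
    fi

    # slapadd -c continues past errors, so a missing base entry silently drops the tree.
    if ! grep -q "^dn: $base\$" "$ldif"; then
        echo "$ldif has no entry for the base $base"
        findings=$((findings + 1))
    fi

    # Password hashes (plain or base64 "userPassword::") must stay private to root.
    if grep -q '^userPassword:' "$ldif" \
        && [ -n "$(find "$ldif" \( -perm -040 -o -perm -004 \))" ]; then
        echo "$ldif holds userPassword hashes but is readable by group or others"
        findings=$((findings + 1))
    fi

    return $findings
}

# backup_directory OUTFILE: the slapcat from the notes, written with umask 077.
backup_directory() {
    command -v slapcat >/dev/null 2>&1 || { echo "slapcat not found" >&2; return 1; }
    (umask 077 && slapcat -f /etc/openldap/slapd.conf -b "dc=to,dc=infn,dc=it" -l "$1")
}

# restore_directory LDIF: check the dump, then slapadd and slapindex as in the notes.
restore_directory() {
    check_backup_ldif "$1" "dc=to,dc=infn,dc=it" || return 1
    command -v slapadd >/dev/null 2>&1 || { echo "slapadd not found" >&2; return 1; }
    slapadd -v -c -l "$1" -f /etc/openldap/slapd.conf && slapindex
}

# Usage: sh ldap-backup.sh backup ldap-backup.ldif | sh ldap-backup.sh restore ldap-backup.ldif
case "$1" in
    backup)  backup_directory "$2" ;;
    restore) restore_directory "$2" ;;
esac
```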
References

http://linsec.ca/Using_OpenLDAP_for_User_Authentication
http://www-unix.mcs.anl.gov/~gawor/ldap/ (ldap browser editor)