Configure LDAP in CentOS 6.2

On the Server

Step 1: first we need to install the required package:

Code:

yum install openldap-servers

Step2: Edit the database file to reflect your domain

Code:

vim /etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif

Use a handy sed substitution to globally change the defaults in the file

Code:

:%s/dc=my-domain,dc=com/dc=stratus,dc=local/g

Step 3: Set the admin password and specify the location of our encryption certificate and key.

add these 3 lines at the end of olcDatabase={2}bdb.ldif:

Code:

olcRootPW: password
olcTLSCertificateFile: /etc/pki/tls/certs/stratus_cert.pem
olcTLSCertificateKeyFile: /etc/pki/tls/certs/stratus_key.pem

Step 4: Now we have to specify the monitoring privileges

Code:

vim /etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif

again, we have to replace the default domain name with my domain:

Code:

:%s/cn=manager,dc=my-domain,dc=com/cn=Manager,dc=stratus,dc=local/g

Step 5: Now its time for the Database Cache

Here we are updating the locate database incase the DB_CONFIG.example has moved. If it has not, the cp command below will give us a base database to work with

Code:

updatedb

cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

We want to make sure the database has the proper permissions:

Code:

chown -Rf ldap:ldap /var/lib/ldap/

Step 6: Set up a certificate for TLS.

First we need to edit /etc/sysconfig/ldap and change the following lines:

Code:

nano /etc/sysconfig/ldap
SLAPD_LDAPS=yes

Now we can create the certificate. Feel free to extend the number of days the cert is good for

Code:

openssl req -new -x509 -nodes -out /etc/pki/tls/certs/stratus_cert.pem -keyout /etc/pki/tls/certs/stratus_key.pem -days 365

This will create the two required keys in the /etc/pki/tls/certs/ directory. Now set the proper permissions on the files required for TLS

Code:

 chown -Rf root:ldap /etc/pki/tls/certs/$cert.pem
 chmod -Rf 750 /etc/pki/tls/certs/$key.pem

Step 7: Test The configuration

Issue the following command:

Code:

slaptest -u

It should return the following message if there are no syntax errors

Quote:

config file testing succeeded

Step 8: Start the ldap server

Code:

service slapd start

To verify that this works you will need to modify /etc/openldap/ldap.conf and add the following:

Code:

TLS_CACERT /etc/pki/tls/certs/stratus_cert.pem
URI ldap://127.0.0.1
BASE dc=stratus,dc=local

You should now be able to search your database:

Code:

ldapsearch -x  -b ”dc=stratus,dc=local”

You should receive some output with at least the following:

Quote:

# search result search: 2

Step 9: Create a base.ldif

I usually put these in /etc/openldap/schema with the other ldifs. Mine looks like this

This is the base.ldif

Code:

nano /etc/openldap/schema/base.ldif

Quote:

dn: dc=stratus,dc=local dc: stratus objectClass: top objectClass: domain dn: ou=People,dc=stratus,dc=local ou: People objectClass: top objectClass: organizationalUnit dn: ou=Group,dc=stratus,dc=local ou: Group objectClass: top objectClass: organizationalUnit

And then add a group:

Code:

nano /etc/openldap/schema/group.ldif

Quote:

dn: cn=thiddy,ou=Group,dc=stratus,dc=local objectClass: posixGroup objectClass: top cn: thiddy userPassword: password gidNumber: 1000

Finally, we need to create a user:

Code:

nano /etc/openldap/schema/people.ldif

Quote:

dn: uid=thiddy,ou=People,dc=stratus,dc=local uid: thiddy cn: thiddy thiddy objectClass: account objectClass: posixAccount objectClass: top objectClass: shadowAccount userPassword: password shadowLastChange: 15140 shadowMin: 0 shadowMax: 99999 shadowWarning: 7 loginShell: /bin/bash uidNumber: 1000 gidNumber: 1000 homeDirectory: /home/thiddy

After the files are created, add them into the LDAP database

Code:

ldapadd -x -W -D ”cn=Manager,dc=stratus,dc=local” -f base.ldif
ldapadd -x -W -D ”cn=Manager,dc=stratus,dc=local” -f group.ldif
ldapadd -x -W -D ”cn=Manager,dc=stratus,dc=local” -f people.ldif

Verify that there are now users by re-running the ldapsearch command

Code:

ldapsearch -x -b "dc=stratus,dc=local"

On the client


Step 1: Install the required files

Code:

yum install openldap-clients pam_ldap

Step 2: Run the authentication GUI

(See the screen shot)

Code:

authconfig-gtk

Step 3: Edit /etc/pam_ldap.conf

For readability the comments have been removed. Note that the bindpw and rootbinddn are not strictly necessary

Quote:

host 192.168.122.33 base dc=stratus,dc=local bindpw password rootbinddn cn=Manager,dc=stratus,dc=local ssl start_tls ssl on tls_cacertfile /etc/pki/tls/certs/stratus_cert.pem

Step 4: Edit /etc/openldap/ldap.conf

Most of the file should be in place, but just in case this is what you are trying to achieve

Quote:

URI ldaps://192.168.122.33 BASE dc=stratus,dc=local TLS_CACERT /etc/pki/tls/certs/stratus_cert.pem

Step 5: Edit /etc/pam.d/system-auth file

Append this line in order to have home directories created on first login

Quote:

session required pam_mkhomedir.so skel=/etc/skel umask=0077

Step 6: Optional

This is only required if you did not setup the download ca certificate in the authconfig. (in this example it would be https://192.168.122.33:636 .

Copy the stratus_cert.pem into the /etc/pki/tls/certs/ folder on the client.

Step 7: Reboot

Most changes to pam require a reboot. You should now be able to authenticate to an ldap server that you just created!