On the Server
Step 1: First we need to install the required package:
Code:
yum install openldap-servers
Code:
vim /etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif
Code:
:%s/dc=my-domain,dc=com/dc=stratus,dc=local/g
Add these 3 lines at the end of olcDatabase={2}bdb.ldif:
Code:
olcRootPW: password
olcTLSCertificateFile: /etc/pki/tls/certs/stratus_cert.pem
olcTLSCertificateKeyFile: /etc/pki/tls/certs/stratus_key.pem
Code:
vim /etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif
Code:
:%s/cn=manager,dc=my-domain,dc=com/cn=Manager,dc=stratus,dc=local/g
Here we are updating the locate database in case DB_CONFIG.example has moved. If it has not, the cp command below gives us a base database configuration to work with.
Code:
updatedb
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
Code:
chown -Rf ldap:ldap /var/lib/ldap/
Next we need to edit /etc/sysconfig/ldap and change the following line:
Code:
nano /etc/sysconfig/ldap
SLAPD_LDAPS=yes
Code:
openssl req -new -x509 -nodes -out /etc/pki/tls/certs/stratus_cert.pem -keyout /etc/pki/tls/certs/stratus_key.pem -days 365
Code:
chown -Rf root:ldap /etc/pki/tls/certs/stratus_cert.pem /etc/pki/tls/certs/stratus_key.pem
chmod -Rf 750 /etc/pki/tls/certs/stratus_key.pem
Issue the following command:
Code:
slaptest -u
Quote:
config file testing succeeded
Code:
service slapd start
Code:
TLS_CACERT /etc/pki/tls/certs/stratus_cert.pem
URI ldap://127.0.0.1
BASE dc=stratus,dc=local
Code:
ldapsearch -x -b "dc=stratus,dc=local"
Quote:
# search result
search: 2
I usually put these LDIF files in /etc/openldap/schema with the other schema files. Mine look like this.
This is base.ldif:
Code:
nano /etc/openldap/schema/base.ldif
Quote:
dn: dc=stratus,dc=local
dc: stratus
objectClass: top
objectClass: domain

dn: ou=People,dc=stratus,dc=local
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=stratus,dc=local
ou: Group
objectClass: top
objectClass: organizationalUnit
Code:
nano /etc/openldap/schema/group.ldif
Quote:
dn: cn=thiddy,ou=Group,dc=stratus,dc=local
objectClass: posixGroup
objectClass: top
cn: thiddy
userPassword: password
gidNumber: 1000
Code:
nano /etc/openldap/schema/people.ldif
Quote:
dn: uid=thiddy,ou=People,dc=stratus,dc=local
uid: thiddy
cn: thiddy thiddy
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: password
shadowLastChange: 15140
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/thiddy
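ldapadd rejects an entry whose parent does not exist yet, so the three files above must be loaded in the order base, group, people, and a posixAccount whose gidNumber matches no posixGroup will look up fine but leave the user with a dangling primary group. The following checker, added here as an example and not part of the original post, parses simple LDIF and reports those two load-order problems along with any userPassword still stored in clear text. The three LDIF constants are constructed copies of the files above (people.ldif trimmed of its shadow attributes); parse_ldif and check_ldif_files are names chosen for this example.

```python
from typing import Dict, List

# Constructed copies of the three LDIF files shown above (shadow* lines omitted)
BASE_LDIF = """dn: dc=stratus,dc=local
dc: stratus
objectClass: top
objectClass: domain

dn: ou=People,dc=stratus,dc=local
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=stratus,dc=local
ou: Group
objectClass: top
objectClass: organizationalUnit
"""

GROUP_LDIF = """dn: cn=thiddy,ou=Group,dc=stratus,dc=local
objectClass: posixGroup
objectClass: top
cn: thiddy
userPassword: password
gidNumber: 1000
"""

PEOPLE_LDIF = """dn: uid=thiddy,ou=People,dc=stratus,dc=local
uid: thiddy
cn: thiddy thiddy
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: password
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/thiddy
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse simple LDIF (no line folding, no '::' base64 values) into entries.
    Each entry maps an attribute name to the list of values it appears with."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("#"):
            continue                       # comments never end an entry
        if not line:                       # a blank line separates entries
            if current:
                entries.append(current)
                current = {}
            continue
        key, sep, value = line.partition(": ")
        if not sep:
            raise ValueError(f"malformed LDIF line: {raw!r}")
        current.setdefault(key, []).append(value)
    if current:
        entries.append(current)
    return entries


def parent_dn(dn: str) -> str:
    """Parent of a DN; splits on the first comma, enough for the unescaped DNs here."""
    return dn.split(",", 1)[1] if "," in dn else ""


def check_ldif_files(files: List[str], suffix: str) -> List[str]:
    """Walk the files in the order they will be handed to ldapadd and report:
    a child added before its parent, an account whose gidNumber matches no
    group loaded so far, and passwords stored in clear text."""
    problems: List[str] = []
    known = set()        # DNs loaded so far
    group_gids = set()   # gidNumber values of posixGroup entries loaded so far
    for text in files:
        for entry in parse_ldif(text):
            dn = entry["dn"][0]
            if dn != suffix and parent_dn(dn) not in known:
                problems.append(f"{dn}: parent {parent_dn(dn)} not loaded yet (check file order)")
            known.add(dn)
            classes = entry.get("objectClass", [])
            if "posixGroup" in classes:
                group_gids.update(entry.get("gidNumber", []))
            if "posixAccount" in classes:
                for gid in entry.get("gidNumber", []):
                    if gid not in group_gids:
                        problems.append(f"{dn}: gidNumber {gid} matches no posixGroup loaded so far")
            for value in entry.get("userPassword", []):
                if not value.startswith("{"):   # hashed values start with a {SCHEME} prefix
                    problems.append(f"{dn}: userPassword stored in clear text")
    return problems


if __name__ == "__main__":
    for problem in check_ldif_files([BASE_LDIF, GROUP_LDIF, PEOPLE_LDIF], "dc=stratus,dc=local"):
        print(problem)
```

Run as-is it reports only the two clear-text passwords; swap the file order and it also reports the entries that would make ldapadd fail.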
Code:
ldapadd -x -W -D "cn=Manager,dc=stratus,dc=local" -f base.ldif
ldapadd -x -W -D "cn=Manager,dc=stratus,dc=local" -f group.ldif
ldapadd -x -W -D "cn=Manager,dc=stratus,dc=local" -f people.ldif
Code:
ldapsearch -x -b "dc=stratus,dc=local"
On the Client
Step 1: Install the required packages
Code:
yum install openldap-clients pam_ldap
(See the screenshot.)
Code:
authconfig-gtk
For readability the comments have been removed. Note that the bindpw and rootbinddn lines are not strictly necessary.
Quote:
host 192.168.122.33
base dc=stratus,dc=local
bindpw password
rootbinddn cn=Manager,dc=stratus,dc=local
ssl start_tls
ssl on
tls_cacertfile /etc/pki/tls/certs/stratus_cert.pem
Most of the file should already be in place, but just in case, this is what you are trying to achieve:
Quote:
URI ldaps://192.168.122.33
BASE dc=stratus,dc=local
TLS_CACERT /etc/pki/tls/certs/stratus_cert.pem
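The two client files above decide whether bind passwords travel encrypted and whether the client actually verifies the server's certificate: ssl must be on (LDAPS) or start_tls, tls_cacertfile / TLS_CACERT must point at the server certificate, and bindpw together with rootbinddn leaves the Manager password sitting in a file on every client. The following checker is an added example, not part of the original post; it parses the "key value" format of both files and reports the weak settings. It assumes that a repeated key (the ssl start_tls / ssl on pair above) is resolved by the later line, and that TLS_REQCERT defaults to demand when absent; the sample strings are constructed copies of the files above plus deliberately weakened variants, and parse_conf, check_pam_ldap and check_ldap_conf are names chosen for this example.

```python
from typing import Dict, List


def parse_conf(text: str) -> Dict[str, str]:
    """Parse the 'key value' format shared by pam_ldap.conf and ldap.conf.
    Keys are lower-cased; if a key is repeated the later value wins
    (this checker's assumption)."""
    conf: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf[key.lower()] = value.strip()
    return conf


def check_pam_ldap(text: str) -> List[str]:
    """Findings for a pam_ldap.conf-style file."""
    conf = parse_conf(text)
    findings: List[str] = []
    ssl = conf.get("ssl", "no")
    if ssl not in ("on", "start_tls"):
        findings.append("ssl is not enabled: bind passwords cross the network in clear text")
    elif "tls_cacertfile" not in conf:
        findings.append(f"ssl {ssl} without tls_cacertfile: the server certificate cannot be verified")
    if "bindpw" in conf or "rootbinddn" in conf:
        findings.append("bindpw/rootbinddn present: directory credentials are stored on the client")
    return findings


def check_ldap_conf(text: str) -> List[str]:
    """Findings for an ldap.conf-style file (the OpenLDAP client library config)."""
    conf = parse_conf(text)
    findings: List[str] = []
    uri = conf.get("uri", "")
    host = uri.split("//", 1)[1] if "//" in uri else ""
    if uri.startswith("ldap://") and not host.startswith(("127.0.0.1", "localhost")):
        findings.append("URI uses ldap:// to a remote host: traffic is unencrypted unless START_TLS is forced")
    if uri.startswith("ldaps://") and "tls_cacert" not in conf:
        findings.append("ldaps:// without TLS_CACERT: the server certificate cannot be verified")
    if conf.get("tls_reqcert", "demand") in ("never", "allow"):
        findings.append("TLS_REQCERT never/allow accepts any server certificate")
    return findings


# Constructed samples: the two client files shown above, plus weakened variants
PAM_LDAP_PAGE = """host 192.168.122.33
base dc=stratus,dc=local
bindpw password
rootbinddn cn=Manager,dc=stratus,dc=local
ssl start_tls
ssl on
tls_cacertfile /etc/pki/tls/certs/stratus_cert.pem
"""

PAM_LDAP_WEAK = """host 192.168.122.33
base dc=stratus,dc=local
ssl no
"""

LDAP_CONF_PAGE = """URI ldaps://192.168.122.33
BASE dc=stratus,dc=local
TLS_CACERT /etc/pki/tls/certs/stratus_cert.pem
"""

LDAP_CONF_WEAK = """URI ldap://192.168.122.33
BASE dc=stratus,dc=local
TLS_REQCERT never
"""

if __name__ == "__main__":
    for name, findings in (("pam_ldap (page)", check_pam_ldap(PAM_LDAP_PAGE)),
                           ("pam_ldap (weak)", check_pam_ldap(PAM_LDAP_WEAK)),
                           ("ldap.conf (page)", check_ldap_conf(LDAP_CONF_PAGE)),
                           ("ldap.conf (weak)", check_ldap_conf(LDAP_CONF_WEAK))):
        print(name, findings or ["ok"])
```

On the page's own files the only finding is the stored bindpw/rootbinddn pair, which matches the note above that those lines are not needed.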
Append this line in order to have home directories created on first login:
Quote:
session required pam_mkhomedir.so skel=/etc/skel umask=0077
This is only required if you did not set up the "download CA certificate" option in authconfig (in this example it would be https://192.168.122.33:636).
Copy the stratus_cert.pem into the /etc/pki/tls/certs/ folder on the client.
Step 7: Reboot
Most changes to PAM require a reboot. You should now be able to authenticate to the LDAP server that you just created!