CentOS 6 - LDAP With TLS - Quick & Dirty
Please see this post for LDAP changes to CentOS 6.4: CentOS 6.4 LDAP With TLS - Quick & Dirty
This paper is an overview of the commands needed to set up a basic working LDAP TLS server using CentOS 6.
I will also go over the process of creating a POSIX user account and a POSIX group.
Add the following to your iptables configuration to allow access through the firewall, then install the required packages for your LDAP server.

% vi /etc/sysconfig/iptables
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 636 -j ACCEPT

% service iptables restart
% yum install migrationtools openldap-servers openldap openldap-clients openldap-devel
Create the LDAP administrative password. Be sure to save the generated {SSHA} string so it can be added to the bdb.ldif config file in the next step.

% slappasswd
New password: <password>
Re-enter new password: <password>
{SSHA}2Gv8HLL8SB5pMTbMB3b5AFAE4A5sDPPE
Open the olcDatabase={1}bdb.ldif file and make the modifications shown below.

% vi /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{1\}bdb.ldif

Change all references in this file from my-domain to your domain name. For example:

olcSuffix: dc=my-domain,dc=com

would be changed to read:

olcSuffix: dc=localdomain,dc=com

Next, add the following three lines to the end of the file (replace the SSHA string with the string saved earlier):

olcRootPW: {SSHA}2Gv8HLL8SB5pMTbMB3b5AFAE4A5sDPPE
olcTLSCertificateFile: /etc/pki/tls/certs/slapdcert.pem
olcTLSCertificateKeyFile: /etc/pki/tls/certs/slapdkey.pem

Last, to allow users to modify their own passwords, etc., add the following after the last olcDbIndex line in this file, again replacing the domain name with yours. The first rule lets a user write only their own userPassword, lets anonymous binds use it for authentication only, and hides it from everyone else; the second rule makes the rest of the directory readable by anyone who can connect and writable only by the entry's owner and the Manager account.

olcAccess: to attrs=userPassword by self write by anonymous auth by dn.base="cn=Manager,dc=localdomain,dc=com" write by * none
olcAccess: to * by self write by dn.base="cn=Manager,dc=localdomain,dc=com" write by * read
Next modify the monitoring configuration file with our domain. Again, change all references to my-domain to your domain.

% vi /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}monitor.ldif
Now it's time to set up the LDAP database.

% cd /usr/share/doc/openldap-servers-2.4.19
% cp DB_CONFIG.example /var/lib/ldap/DB_CONFIG
% chown -Rf ldap:ldap /var/lib/ldap
Set up a certificate for TLS. First edit /etc/sysconfig/ldap, uncomment SLAPD_LDAPS and change it from 'no' to 'yes'.

% vi /etc/sysconfig/ldap
SLAPD_LDAPS=yes

Then generate a self-signed certificate and private key. When prompted for the Common Name, enter the host name that clients will use to reach the server, since the client-side TLS check (ldapsearch -ZZ, tested later) verifies the certificate against that name.

% openssl req -new -x509 -nodes -out /etc/pki/tls/certs/slapdcert.pem -keyout /etc/pki/tls/certs/slapdkey.pem -days 365

This creates the certificate and key in the /etc/pki/tls/certs/ directory. Now make them readable by the ldap group (slapd runs as the ldap user) but by nobody else:

% chown root:ldap /etc/pki/tls/certs/slapdcert.pem /etc/pki/tls/certs/slapdkey.pem
% chmod 750 /etc/pki/tls/certs/slapdkey.pem
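Two checks on the TLS files just created, as an added example that is not part of the original page: key_perms_ok confirms the private key is owned root:ldap, readable by the ldap group (slapd runs as ldap and must load the key) and closed to everyone else, and cert_valid_for_days flags the 365-day self-signed certificate before it runs out. It assumes GNU stat (as on CentOS) and the openssl CLI; the function names and the SLAPD_CHECK variable are my own.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes GNU stat and openssl.

# key_perms_ok KEYFILE [OWNER] [GROUP]
# Succeeds when KEYFILE is owned by OWNER:GROUP (default root:ldap), is
# readable by that group (slapd runs as the ldap user and must read its key)
# and grants no permissions at all to "other".
key_perms_ok() {
    key=$1
    want_owner=${2:-root}
    want_group=${3:-ldap}
    if [ ! -f "$key" ]; then
        echo "key_perms_ok: $key: no such file" >&2
        return 1
    fi
    # GNU stat: %U owner name, %G group name, %a permission bits in octal
    set -- $(stat -c '%U %G %a' "$key")
    owner=$1; group=$2; mode=$3
    other=$(printf '%s' "$mode" | sed 's/.*\(.\)$/\1/')    # last digit: "other" bits
    grp=$(printf '%s' "$mode" | sed 's/.*\(.\).$/\1/')     # second-to-last: group bits
    rc=0
    if [ "$owner" != "$want_owner" ] || [ "$group" != "$want_group" ]; then
        echo "key_perms_ok: $key is owned by $owner:$group, expected $want_owner:$want_group" >&2
        rc=1
    fi
    if [ "$other" != "0" ]; then
        echo "key_perms_ok: $key (mode $mode) is accessible to other users" >&2
        rc=1
    fi
    case $grp in
        4|5|6|7) ;;                                         # group has the read bit
        *) echo "key_perms_ok: $key (mode $mode) is not readable by group $group; slapd cannot load it" >&2
           rc=1 ;;
    esac
    return $rc
}

# cert_valid_for_days CERTFILE [DAYS]
# Succeeds when CERTFILE is still valid DAYS days from now (default 30), so the
# one-year certificate from the openssl command above gets renewed in time.
cert_valid_for_days() {
    days=${2:-30}
    openssl x509 -noout -in "$1" -checkend $(( days * 86400 )) >/dev/null
}

# Usage against the paths used on this page (runs only when SLAPD_CHECK is set):
if [ -n "${SLAPD_CHECK:-}" ]; then
    key_perms_ok /etc/pki/tls/certs/slapdkey.pem
    cert_valid_for_days /etc/pki/tls/certs/slapdcert.pem 30
fi
```

Run it as `SLAPD_CHECK=1 sh tlscheck.sh` after the chown/chmod step; a non-zero exit with the reason on stderr means slapd either cannot read its key or the key is exposed to other local users.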
Test the configuration, then start the LDAP server and set it to start at boot.

% slaptest -u
config file testing succeeded
% service slapd start
% chkconfig slapd on
Check that our LDAP server is working and responding to search requests. First add the following to the end of your /etc/openldap/ldap.conf:

% vi /etc/openldap/ldap.conf
TLS_CACERT /etc/pki/tls/certs/slapdcert.pem

% ldapsearch -x -b "dc=localdomain,dc=com"

You should get a 'search: 2' somewhere in the output. Then test that encrypted searches are also working; -ZZ issues StartTLS and aborts the query unless the TLS negotiation succeeds.

% ldapsearch -x -b "dc=localdomain,dc=com" -ZZ

You should get a 'search: 3' somewhere in the output.
Now we must configure the base domain and import the information into our LDAP server. Entries in an LDIF file are separated by blank lines.

% vi base.ldif
dn: dc=localdomain,dc=com
dc: localdomain
objectClass: top
objectClass: domain

dn: ou=People,dc=localdomain,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=localdomain,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit

Now import the base.ldif file into LDAP.

% ldapadd -x -W -D "cn=Manager,dc=localdomain,dc=com" -f base.ldif
Enter LDAP Password: <password>
adding new entry "dc=localdomain,dc=com"
adding new entry "ou=People,dc=localdomain,dc=com"
adding new entry "ou=Group,dc=localdomain,dc=com"
Next create a POSIX user that can use our central LDAP server. Create a temporary password for the new user and set the user's group.

% vi posix_user.ldif
dn: uid=mnichols,ou=People,dc=localdomain,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: Matt Nichols
uid: mnichols
uidNumber: 3000
gidNumber: 3000
homeDirectory: /staff/mnichols
loginShell: /bin/bash
gecos: Matt Nichols,Teacher,Room 16,626-135-0011,409-111-1372
userPassword: {crypt}x
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0

Add the user information to our LDAP server.

% ldapadd -x -W -D "cn=Manager,dc=localdomain,dc=com" -f posix_user.ldif
Enter LDAP Password: <password>
adding new entry "uid=mnichols,ou=People,dc=localdomain,dc=com"

Set the new user's temporary password. Note that both passwords are given on the command line here, so they end up in the shell history and in ps output; ldappasswd can prompt for them instead with -S (new password) and -W (bind password).

% ldappasswd -s newpassword -D "cn=Manager,dc=localdomain,dc=com" -w ldapadminpassword -x uid=mnichols,ou=People,dc=localdomain,dc=com

Next set up the user's group.

% vi posix_group.ldif
dn: cn=mnichols,ou=Group,dc=localdomain,dc=com
objectClass: top
objectClass: posixGroup
cn: mnichols
userPassword: {crypt}x
gidNumber: 3000

% ldapadd -x -W -D "cn=Manager,dc=localdomain,dc=com" -f posix_group.ldif
Enter LDAP Password: <password>
adding new entry "cn=mnichols,ou=Group,dc=localdomain,dc=com"
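Before handing posix_user.ldif and posix_group.ldif to ldapadd, the following script, added here and not part of the original page, reads them and refuses entries with a missing or non-numeric uidNumber/gidNumber, ids in the system range, a uidNumber already used by another posixAccount, or an account whose gidNumber has no matching posixGroup. It needs only POSIX sh and awk; the function name and the LDIF_MIN_ID variable (defaulting to 500, the CentOS 6 UID_MIN) are assumptions of mine.

```shell
#!/bin/sh
# Added example, not from the original page. LDIF_MIN_ID is an assumed knob;
# 500 is the CentOS 6 UID_MIN from /etc/login.defs.

# ldif_posix_check FILE...
# Reads one or more LDIF files and fails (exit 1, reasons on stderr) if:
#   - a posixAccount/posixGroup has a missing or non-numeric uidNumber/gidNumber
#   - an id is below LDIF_MIN_ID (the system range)
#   - two posixAccount entries share a uidNumber
#   - a posixAccount's gidNumber has no posixGroup in the files given
ldif_posix_check() {
    # Two newlines after each file so the last entry of one file never merges
    # with the first entry of the next (LDIF entries are blank-line separated).
    for f; do cat "$f"; printf '\n\n'; done |
    awk -v min="${LDIF_MIN_ID:-500}" '
        BEGIN { RS = ""; FS = "\n"; bad = 0 }      # paragraph mode: one entry per record
        function fail(msg) { print "ldif_posix_check: " msg > "/dev/stderr"; bad = 1 }
        {
            dn = ""; uid = ""; gid = ""; acct = 0; grp = 0
            for (i = 1; i <= NF; i++) {
                if      ($i ~ /^dn: /)                      dn   = substr($i, 5)
                else if ($i == "objectClass: posixAccount") acct = 1
                else if ($i == "objectClass: posixGroup")   grp  = 1
                else if ($i ~ /^uidNumber: /)               uid  = substr($i, 12)
                else if ($i ~ /^gidNumber: /)               gid  = substr($i, 12)
            }
            if (acct) {
                if (uid !~ /^[0-9]+$/)  fail(dn ": uidNumber missing or not numeric")
                else if (uid + 0 < min) fail(dn ": uidNumber " uid " is in the system range (< " min ")")
                else if (uid in seen)   fail(dn ": uidNumber " uid " already used by " seen[uid])
                else                    seen[uid] = dn
                if (gid !~ /^[0-9]+$/)  fail(dn ": gidNumber missing or not numeric")
                else                    need[gid] = dn
            }
            if (grp) {
                if (gid !~ /^[0-9]+$/)  fail(dn ": gidNumber missing or not numeric")
                else if (gid + 0 < min) fail(dn ": gidNumber " gid " is in the system range (< " min ")")
                else                    have[gid] = dn
            }
        }
        END {
            for (g in need)
                if (!(g in have)) fail(need[g] ": gidNumber " g " has no posixGroup entry")
            exit bad
        }'
}

# Usage with the two files created above (runs only when both exist):
if [ -f posix_user.ldif ] && [ -f posix_group.ldif ]; then
    ldif_posix_check posix_user.ldif posix_group.ldif && echo "LDIF checks passed"
fi
```

Pass every LDIF you are about to add in one invocation, since the duplicate-uid and missing-group checks only see the entries they are given; entries already in the directory are not consulted.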