LDAP
From Stadm
OpenLDAP
Firewall
- firewall settings
 
Install
yum install openldap-servers openldap-clients
- slapd needs a database parameter file (DB_CONFIG.example, located in /usr/share/openldap-servers/) to start a new database
 - copy the parameter file into the ldap data directory /var/lib/ldap
 
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
- change the owner of the ldap data directory (recursively) to the ldap user
 
chown -R ldap:ldap /var/lib/ldap
- create a password hash with slappasswd; it will be used as the administrator password
 
slappasswd
- after typing the password twice, save the output hash; it becomes your administrator password
 - change to the config directory of slapd
 
cd /etc/openldap/slapd.d/cn\=config
- edit the bdb.ldif
 
vim olcDatabase\=\{2\}bdb.ldif
- substitute dc=my-domain,dc=com with dc=domain,dc=name,dc=edu
 
:%s/dc=my-domain,dc=com/dc=domain,dc=name,dc=edu
- create the attribute olcRootPW if it is not in the file already and paste the password hash right after it
 
olcRootPW: {SSHA}4MOp5CcslBEaMQLVRSfloqwvF/QIV5K1
- do not use the hash above; it is the hash of "test", shown only as an example
 - save the file
 - modify olcDatabase={1}monitor.ldif so that the root user matches the changes you made to bdb.ldif
 
vim olcDatabase\=\{1\}monitor.ldif
:%s/dc=my-domain,dc=com/dc=domain,dc=name,dc=edu
- your new root user for ldap is the user you created (Manager) under your domain, and its password is set by the hash under olcRootPW
 - now edit bdb.ldif again so that password hashes are hidden from other users in the directory
 
 vim olcDatabase\=\{2\}bdb.ldif
- add these two lines at the bottom of the file
 
olcAccess: {0}to attrs=userPassword by self write by dn.base="cn=Manager,dc=domain,dc=name,dc=edu" write by anonymous auth by * none
olcAccess: {1}to * by dn.base="cn=Manager,dc=domain,dc=name,dc=edu" write by self write by * read
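As an added illustration (not from this page), a small Python model of how OpenLDAP evaluates the two olcAccess rules above: the first rule whose `to` part matches the attribute is used, then the first matching `by` clause decides the level, and the request succeeds only if that level covers what was asked. It assumes a bound DN of None means an anonymous connection, handles only the `by` forms on this page plus `users`, and uses constructed user DNs under ou=People.

```python
import re

# OpenLDAP access levels, weakest to strongest; a request is granted when the
# first matching <by> clause yields a level at least as strong as the one asked for.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# The two olcAccess values from this page (ordering prefix {n} included).
RULES = [
    '{0}to attrs=userPassword by self write by dn.base="cn=Manager,dc=domain,dc=name,dc=edu" write by anonymous auth by * none',
    '{1}to * by dn.base="cn=Manager,dc=domain,dc=name,dc=edu" write by self write by * read',
]

BY_RE = re.compile(r'by\s+(\*|self|anonymous|users|dn\.base="[^"]*")\s+(\w+)')

def parse_rule(rule):
    """Split one olcAccess value into its <what> target and ordered (who, level) pairs."""
    rule = re.sub(r"^\{\d+\}", "", rule.strip())
    m = re.match(r"to\s+(\S+)", rule)
    return m.group(1), BY_RE.findall(rule[m.end():])

def what_matches(what, attr):
    if what == "*":
        return True
    if what.startswith("attrs="):
        return attr.lower() in what[6:].lower().split(",")
    return False  # other <what> forms (dn.subtree=, filter=) are not used on this page

def who_matches(who, requester, target):
    """requester is the bound DN, or None for an anonymous connection."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if who == "self":
        return requester is not None and requester.lower() == target.lower()
    return requester is not None and requester.lower() == who[9:-1].lower()  # dn.base="..."

def granted_level(requester, target, attr, rules=RULES):
    """Level granted by the first rule whose <what> matches; OpenLDAP does not fall
    through to later rules, so an unmatched <by> list means 'none'."""
    for rule in rules:
        what, whos = parse_rule(rule)
        if what_matches(what, attr):
            return next((lvl for who, lvl in whos if who_matches(who, requester, target)), "none")
    return "none"

def allowed(requester, target, attr, wanted):
    return LEVELS.index(granted_level(requester, target, attr)) >= LEVELS.index(wanted)
```

Running it shows the intended effect: another user or an anonymous bind cannot read anyone's userPassword (anonymous gets only `auth`, enough to bind), while every other attribute stays world-readable under rule {1}.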
- now it is time to manually create the head of the ldap tree: go to /etc/openldap and create a directory called setup
 
mkdir /etc/openldap/setup
cd /etc/openldap/setup
- in the setup directory create an ldif file named base.ldif
 
vim base.ldif
- put the following entries in this file (one blank line between entries), replacing dc=domain,dc=name,dc=edu with the name of your domain
 
dn: dc=domain,dc=name,dc=edu
dc: domain
objectClass: top
objectClass: domain

dn: ou=People,dc=domain,dc=name,dc=edu
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Groups,dc=domain,dc=name,dc=edu
ou: Groups
objectClass: top
objectClass: organizationalUnit

dn: ou=Computers,dc=domain,dc=name,dc=edu
ou: Computers
objectClass: top
objectClass: organizationalUnit
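As an added check (not from this page), a small Python parser that loads a base.ldif like the one above and flags the mistakes ldapadd would reject: an RDN value the entry does not carry (the top entry's dc attribute must equal the dc in its DN), a DN outside the suffix, or a child entry listed before its parent. The LDIF text is a constructed copy of the page's base.ldif with ou=Computers omitted for brevity.

```python
# base.ldif as this page lays it out (constructed copy; ou=Computers omitted for brevity).
BASE_LDIF = """dn: dc=domain,dc=name,dc=edu
dc: domain
objectClass: top
objectClass: domain

dn: ou=People,dc=domain,dc=name,dc=edu
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Groups,dc=domain,dc=name,dc=edu
ou: Groups
objectClass: top
objectClass: organizationalUnit
"""

def parse_ldif(text):
    """Return [(dn, {attr: [values]})] in file order; joins folded lines, skips comments."""
    blocks, current = [], []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and current:
            current[-1] += raw[1:]  # folded continuation line
        elif raw.strip() == "":
            if current: blocks.append(current)
            current = []
        elif not raw.startswith("#"):
            current.append(raw)
    entries = []
    for lines in blocks:
        attrs = {}
        for line in lines:
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        entries.append((attrs.pop("dn")[0], attrs))
    return entries

def check_base_ldif(text, suffix):
    """Problems ldapadd would reject: RDN value missing from the entry, DN outside the suffix, parent missing."""
    problems, seen = [], set()
    for dn, attrs in parse_ldif(text):
        name, _, value = dn.split(",", 1)[0].partition("=")
        if value not in attrs.get(name.lower(), []):
            problems.append(f"{dn}: naming attribute {name}={value} not in entry")
        if dn != suffix and not dn.endswith("," + suffix):
            problems.append(f"{dn}: outside suffix {suffix}")
        elif dn != suffix and dn.split(",", 1)[1] not in seen:
            problems.append(f"{dn}: parent entry not defined before it")
        seen.add(dn)
    return problems
```

Calling `check_base_ldif(open("base.ldif").read(), "dc=domain,dc=name,dc=edu")` before running ldapadd returns an empty list for a good file and a list of messages otherwise.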
Server
cd /etc/openldap
- configure ldap.conf
 
URI ldap://servername.domain.name.edu/
BASE dc=domain,dc=name,dc=edu
TLS_CACERTDIR /etc/openldap/certs
TLS_REQCERT allow
- the CA certificates are generated and stored in the certs directory
 
vim slapd.conf
- make sure the samba schema is included
 
include /etc/openldap/schema/samba.schema
- set proper access settings in slapd.conf!
 - the schema must be copied over and configured properly in cn=config
 
vim /etc/openldap/slapd.d/cn=config/olcDatabase\=\{2\}bdb.ldif
- change olcSuffix, olcRootDN and olcRootPW
 - add the samba schema ldif in the appropriate location
 
cd /etc/openldap/slapd.d/cn=config/cn=schema
- the samba.schema ldif should be named cn={##}samba.ldif (## is the line number in ldap.conf)
 
Client
vim /etc/ldap.conf
TLS_REQCERT allow
TLS_CACERTDIR /etc/openldap/cacerts
URI ldap://servername.domain.name.edu
BASE dc=domain,dc=name,dc=edu
vim pam_ldap.conf
tls_checkpeer yes
tls_cacertdir /etc/openldap/cacerts
uri ldap://servername.domain.name.edu
base dc=domain,dc=name,dc=edu
host 128.***.***.***
ssl start_tls
pam_password exop
nss_base_passwd ou=People,dc=domain,dc=name,dc=edu
nss_base_shadow ou=People,dc=domain,dc=name,dc=edu
nss_base_group ou=Groups,dc=domain,dc=name,dc=edu
- vim /etc/smbldap-tools/smbldap.conf
 - vim /etc/smbldap-tools/smbldap_bind.conf
 
- yum install sssd
 
authconfig --enablesssd --enablesssdauth --enablecachecreds --enableldap --enableldaptls --enableldapauth --ldapserver=ldap://servername.domain.name.edu --ldapbasedn=dc=domain,dc=name,dc=edu --disablenis --disablekrb5 --enableshadow --enablemkhomedir --enablelocauthorize --passalgo=sha512 --updateall
- add the following to the domain section of /etc/sssd/sssd.conf
 
ldap_tls_reqcert = allow
ldap_schema = rfc2307bis
ldap_user_fullname = displayName
ldap_user_search_base = ou=People,dc=domain,dc=name,dc=edu
# ou=Groups matches the OU created in base.ldif
ldap_group_search_base = ou=Groups,dc=domain,dc=name,dc=edu
ldap_group_member = member
ldap_group_nesting_level = 4
ldap_default_bind_dn = cn=Manager,dc=domain,dc=name,dc=edu
ldap_default_authtok_type = password
ldap_default_authtok = secret
debug_level = 8
- test with the id command on an ldap user to verify that lookups work
 
Links
- http://wiki.bluelightav.org/display/BLUE/How+to+integrate+Samba+with+LDAP
 - http://wiki.openiam.com/pages/viewpage.action?pageId=7635198
 - http://www.unixmen.com/setup-directory-serverldap-in-centos-6-4-rhel-6-4/
 - http://docs.adaptivecomputing.com/viewpoint/hpc/Content/topics/1-setup/installSetup/settingUpOpenLDAPOnCentos6.htm
 - http://www.6tech.org/2013/01/ldap-server-and-centos-6-3/
 - http://www.overclockers.com/forums/showthread.php?t=726947
 
ldap commands
- useful:
 - delete by dn; enter every dn you want to delete, one per line
 
ldapdelete -v -c -D "cn=Manager,dc=domain,dc=name,dc=edu" -W
- populate ldap with Windows accounts
 
smbldap-populate