Difference between revisions of "LDAP"
From Stadm
Jump to navigationJump to search (→TLS) |
(→TLS) |
||
Line 73: | Line 73: | ||
cd /etc/pki/tls/misc | cd /etc/pki/tls/misc | ||
./CA -newca | ./CA -newca | ||
− | openssl req -new -nodes -subj '/CN= | + | openssl req -new -nodes -subj '/CN=dapper.eri.ucsb.edu/O=Earth Research Institute/C=US/ST=California/L=Santa Barbara' -keyout slapd-key.pem -out slapd-req.pem -days 3650 |
==Server== | ==Server== |
Revision as of 13:09, 21 October 2013
OpenLDAP
Firewall
- firewall settings
Install
yum install openldap-servers openldap-clients
- ldap needs a parameter(DB_CONFIG.example) file to start new database, located /usr/share/openldap-servers/
- copy parameter file to the ldap directory /var/lib/ldap
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
- change owner of ldap directory or just ldap user
chown -R ldap:ldap /var/lib/ldap
- create password hash using slappasswd to set Administrator Password
slappasswd
- after typing in password twice save the output hash to set it as your administrator password
- change to config directory of slapd
cd /etc/openldap/slapd.d/cn\=config
- edit the bdb.ldif
vim olcDatabase\=\{2\}bdb.ldif
- substitute dc=my-domain,dc=com to dc=domain,dc=name,dc=edu
:%s/dc=my-domain,dc=com/dc=domain,dc=name,dc=edu
- create the attribute olcRootPW if not in the file already and paste the password hash rite next to it
olcRootPW; {SSHA}4MOp5CcslBEaMQLVRSfloqwvF/QIV5K1
- do not use hash above, just a hash for "text" to show example
- save the file
- modify olcDatabase={1}monitor.ldif so that the root iser matches the changes you made to bdb.ldif
vim olcDatabase\=\{1\}monitor.ldif :%s/dc=my-domain,dc=com/dc=domain,dc=name,dc=edu
- your new root user for ldap is the user you created (Manager) under your domain and the password is set with the hash under olcRootPW
- Now edit bdb.ldif again so that you can hide password hashes from users in the ldap
vim olcDatabase\=\{2\}bdb.ldif
- add these two lines at the bottom of the file
olcAccess: {0}to attrs=userPassword by self write by dn.base="cn=Manager,dc=domain,dc=name,dc=edu" write by anonymous auth by * none olcAccess: {1}to * by dn.base="cn=Manager,dc=domain,dc=name,dc=edu" write by self write by * read
- now it is time to manually create the head of the ldap tree, navigate to /etc/openldap and create a directory called setup
mkdir /etc/openldap/setup cd /etc/openldap/setup
- in this directory create an ldif file with filename base.ldif in setup directory
vim base.ldif
- in this file include the following lines, replacing dc=domain,dc=name,dc=edu with the name of your domain
dn: dc=domain,dc=name,dc=edu dc: domainname objectClass: top objectClass: domain dn: ou=People,dc=domain,dc=name,dc=edu ou: People objectClass: top objectClass: organizationalUnit dn: ou=Groups,dc=domain,dc=name,dc=edu ou: Groups objectClass: top objectClass: organizationalUnit dn: ou=Computers,dc=domain,dc=name,dc=edu ou: Computers objectClass: top objectClass: organizationalUnit
- add the base ou to the ldap using the administrator account created in the steps above
ldapadd -D "cn=Manager,dc=domain,dc=name,dc=edu" -W -f base.ldif
- if you get an error "ldapadd: command not found", you need to install openldap-clients to get the ldapadd and search commnads
- verify that the ou got added by performing an ldap search
ldapsearch -x -b dc=domain,dc=name,dc=edu
- return results should be the ou's you added with base.ldif
TLS
- the following shows how to enable start_tls with your ldap server
- important things to remember:
- LDAPS is directed at port 636
- ldap + start_tls is directed at port 389
- make sure openssl is insatlled and navigate to /etc/pki/tls/misc
cd /etc/pki/tls/misc ./CA -newca openssl req -new -nodes -subj '/CN=dapper.eri.ucsb.edu/O=Earth Research Institute/C=US/ST=California/L=Santa Barbara' -keyout slapd-key.pem -out slapd-req.pem -days 3650
Server
cd /etc/opendlap
- configuration ldap.conf
URI ldap://servername.domainl.name.edu/ BASE dc=domain,dc=name,dc=edu TLS_CACERTDIR /etc/openldap/certs TLS_REQCERT allow
- CA certs generated and stored in certs folder
vim slapd.conf
- make sure samba schema is included
include /etc/openldap/schema/samba.schema
- in slapd.conf, proper access settings!!!!!
- must copy over schema and configure properly in cn=config
vim /etc/openldap/slapd.d/cn=config/olcDatabase\=\{2\}bdb.ldif
- change olcSuffix, olcRootDN, olcRootPW
- add samba schema ldif to appropitae location
cd /etc/openldap/slapd.d/cn=config/cn=schema
- samba.schema ldif should be named cn={##}samba.ldif //## is line number in ldap.conf
Client
vim /etc/ldap.conf
TLS_REQCERT allow TLS_CACERTDIR /etc/openldap/cacerts URI ldap://servername.domain.name.edu BASE dc=domain,dc=name,dc=edu
vim pam_ldap.conf
tls_checkpeer yes tls_cacertdir /etc/openldap/cacerts uri ldap://servename.domain.name.edu base dc=domain,dc=name,dc=edu host 128.***.***.*** ssl start_tls pam_password exop nss_base_passwd ou=People,dc=domain,dc=name,dc=edu nss_base_shadow ou=People,dc=domain,dc=name,dc=edu nss_base_group ou=Groups,dc=domain,dc=name,dc=edu
- vim /etc/smbldap-tools/smbldap.conf
- vim /etc/smbldap-tools/smbldap_bind.conf
- yum install sssd
authconfig --enablesssd --enablesssdauth --enablecachecreds --enableldap --enableldaptls --enableldapauth --ldapserver=ldap://servername.domain.name.edu --ldapbasedn=dc=domain,dc=name,dc=edu --disablenis --disablekrb5 --enableshadow --enablemkhomedir --enablelocauthorize --passalgo=sha512 --updateall
- add the following to sssd.conf in /etc/sssd/
ldap_tls_reqcert = allow ldap_schema = rfc2307bis ldap_user_fullname = displayName ldap_user_search_base = ou=People,dc=domain,dc=name,dc=edu ldap_group_search_base = ou=Group,dc=domain,dc=name,dc=edu ldap_group_member = member ldap_group_nesting_level = 4 ldap_default_bind_dn = cn=Manager,dc=domain,dc=name,dc=edu ldap_default_authtok_type = password ldap_default_authtok = secret debug_level = 8
- test an ldap user using id command to verify working
Links
- http://wiki.bluelightav.org/display/BLUE/How+to+integrate+Samba+with+LDAP
- http://wiki.openiam.com/pages/viewpage.action?pageId=7635198
- http://www.unixmen.com/setup-directory-serverldap-in-centos-6-4-rhel-6-4/
- http://docs.adaptivecomputing.com/viewpoint/hpc/Content/topics/1-setup/installSetup/settingUpOpenLDAPOnCentos6.htm
- http://www.6tech.org/2013/01/ldap-server-and-centos-6-3/
- http://www.overclockers.com/forums/showthread.php?t=726947
ldap commands
- useful:
- delete by dn, enter every dn you want to delete
ldapdelete -v -c -D "cn=Manager,dc=domain,dc=name,dc=edu" -W
- populate ldap with Windows accounts
smbldap-populate