OpenLDAP/Caos2
From Caos Linux Wiki
To configure a basic OpenLDAP authentication server
Start by installing the OpenLDAP server packages with:
yum install openldap-servers
Then you must edit the default configuration file (/etc/openldap/slapd.conf):
# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.23.2.8 2003/05/24 23:19:14 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/redhat/autofs.schema
# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/slapd.pid
#argsfile //var/run/slapd.args
# Load dynamic backend modules:
# modulepath /usr/sbin/openldap
# moduleload back_bdb.la
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la
# The next three lines allow use of TLS for connections using a dummy test
# certificate, but you should generate a proper certificate by changing to
# /usr/share/ssl/certs, running "make slapd.pem", and fixing permissions on
# slapd.pem so that the ldap user or group can read it.
# TLSCACertificateFile /usr/share/ssl/certs/ca-bundle.crt
# TLSCertificateFile /usr/share/ssl/certs/slapd.pem
# TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
access to attrs=userPassword
by self write
by anonymous auth
by * none
access to *
by * read
#######################################################################
# ldbm and/or bdb database definitions
#######################################################################
database ldbm
suffix "dc=localhost,dc=localdomain"
rootdn "cn=Manager,dc=localhost,dc=localdomain"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw secret
# rootpw {crypt}ijFYNcSNctBYg
schemacheck off
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
Make sure you notice the 'localhost', 'localdomain' and 'rootpw' entries: these must be changed. The 'dc' components define the suffix (base DN) that this database answers for. Build it from the DNS name you use as your realm, normally your domain name, with one 'dc=' component for each dot-separated label, so localhost.localdomain becomes dc=localhost,dc=localdomain and example.com would become dc=example,dc=com. The 'rootdn' must end with the same suffix.
To generate a hashed password for 'rootpw', run:
# slappasswd
Copy the line it prints (by default it starts with {SSHA}) into the 'rootpw' entry of the config file in place of 'secret'. Never leave the cleartext value in place: slapd.conf is readable by anyone who can read the file, and that password is full administrative access to the directory.
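As an added example (not from the Caos wiki or from OpenLDAP itself), the POSIX sh script below does two things a practitioner wants at this step: it turns a DNS name into the matching dc= suffix, and it audits a slapd.conf for the defaults the text says to change together with the loose settings left in the file above (cleartext rootpw, placeholder suffix, schemacheck off, allow bind_v2, no TLS certificate). The two configs it audits are constructed stand-ins written by the script, and the {SSHA} value in the fixed one is a placeholder, not a real hash.

```shell
#!/bin/sh
# Added example (not from the Caos wiki or OpenLDAP): derive the base DN from
# a DNS name and audit a slapd.conf for the settings the text says to change,
# plus the loose TLS, LDAPv2 and schemacheck defaults in the stock file.
# Needs only POSIX sh and awk; both configs below are constructed here.

# domain_to_basedn NAME: each dot-separated label becomes one dc= component,
# e.g. ldap.example.com -> dc=ldap,dc=example,dc=com
domain_to_basedn() {
    printf '%s' "$1" | awk -F. '{
        for (i = 1; i <= NF; i++) printf "%sdc=%s", (i > 1 ? "," : ""), $i
    }'
}

# audit_slapd_conf FILE: print one line per weak setting, nothing if clean.
audit_slapd_conf() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }           # skip comments and blank lines
        $1 == "rootpw" && substr($2, 1, 1) != "{" {
            print "rootpw is cleartext: paste the {SSHA} line printed by slappasswd" }
        $1 == "schemacheck" && tolower($2) == "off" {
            print "schemacheck off: entries that violate the schema are accepted" }
        $1 == "allow" && $0 ~ /bind_v2/ {
            print "allow bind_v2: obsolete LDAPv2 clients are accepted" }
        $1 == "suffix" && $0 ~ /localhost|localdomain/ {
            print "suffix still carries the placeholder dc=localhost,dc=localdomain" }
        $1 == "TLSCertificateFile" { tls = 1 }
        END { if (!tls) print "no TLSCertificateFile: simple binds send passwords unencrypted" }
    ' "$1"
}

# Constructed stand-in for the stock slapd.conf with its defaults left in.
write_weak_conf() {
    cat > "$1" <<'EOF'
include /etc/openldap/schema/core.schema
allow bind_v2
# TLSCertificateFile /usr/share/ssl/certs/slapd.pem
database ldbm
suffix "dc=localhost,dc=localdomain"
rootdn "cn=Manager,dc=localhost,dc=localdomain"
rootpw secret
schemacheck off
directory /var/lib/ldap
EOF
}

# The same file after the fixes: hashed rootpw, real suffix, TLS on, v2 off.
# The rootpw value is a constructed placeholder, not a real slappasswd hash.
write_fixed_conf() {
    cat > "$1" <<'EOF'
include /etc/openldap/schema/core.schema
TLSCertificateFile /etc/openldap/certs/slapd.pem
TLSCertificateKeyFile /etc/openldap/certs/slapd.key
security ssf=128 simple_bind=128
database ldbm
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
rootpw {SSHA}placeholderFromSlappasswd
schemacheck on
directory /var/lib/ldap
EOF
}

# Demo: audit both constructed files.
tmpd=$(mktemp -d)
write_weak_conf "$tmpd/weak.conf"
write_fixed_conf "$tmpd/fixed.conf"
for name in weak fixed; do
    printf '== %s.conf ==\n' "$name"
    audit_slapd_conf "$tmpd/$name.conf"
done
rm -rf "$tmpd"
```

Run audit_slapd_conf against the real /etc/openldap/slapd.conf before starting the service; every line it prints is a setting to fix first, and the suffix domain_to_basedn prints is the value to use for 'suffix', 'rootdn' and, later, the authconfig Base DN.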
Next, start the LDAP server:
# service ldap start
There are migration scripts in /usr/share/openldap/migration. First edit the file 'migrate_common.ph' and change the following lines, replacing the values with the ones you put in slapd.conf:
# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "localhost.localdomain";
# Default base
$DEFAULT_BASE = "dc=localhost,dc=localdomain";
Next, generate the base entries for your directory (the suffix entry and the containers the other migration scripts populate). Do this by running the following from the directory /usr/share/openldap/migration:
# ./migrate_base.pl > /tmp/base.ldif
The file /tmp/base.ldif can be loaded directly into the LDAP database. Do this with the command below; it prompts for the rootpw you set, and you should substitute your own suffix in the -D argument:
ldapadd -W -x -D "cn=Manager,dc=localhost,dc=localdomain" -f /tmp/base.ldif
At this point, you have a basic working authentication directory server. Now you need to add users and configure systems to look at it for authentication. Authconfig is a program that configures some of the key files to use LDAP for authentication.
# authconfig
You will want to configure "User Information" to "Use LDAP" AND "Authentication" to also "Use LDAP Authentication". The next screen will prompt you to configure which LDAP server you wish to connect to. You should configure as:
Server: localhost.localdomain
Base DN: dc=localhost,dc=localdomain
(again changing localhost.localdomain for the real hostname.domain of your LDAP server)
Then press OK. This will change /etc/nsswitch.conf, /etc/ldap.conf, /etc/openldap/ldap.conf and some of the /etc/pam.d/ files to use LDAP. If you get a warning about nss_ldap modules not being installed, you may need to install them with the command:
# yum install nss_ldap
Finally, to add users, you can either do it by hand with 'ldapadd', migrate your current user list with /usr/share/openldap/migration/migrate_passwd.pl (or any of the other migration scripts), or use a tool that handles user and host configuration. cAos includes one:
# directory_administrator
note: This will add the users to your LDAP database, but it will not create home directories. Consider the following to do that:
# cp -ra /etc/skel /home/[USERNAME]
# chown -R [USERNAME]:[GROUP] /home/[USERNAME]
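As an added example (not the wiki's migration scripts, not directory_administrator, and not OpenLDAP code), the POSIX sh script below covers the two steps above in one place: it emits a minimal equivalent of the base LDIF that migrate_base.pl produces (the suffix entry plus the ou=People and ou=Group containers the migration scripts populate), emits an LDIF for one posixAccount user, and creates a home directory the way the cp/chown pair above does but without clobbering one that already exists. The password hash is passed in so that it comes from slappasswd; the {SSHA} value in the demo is a constructed placeholder, and dc=example,dc=com, alice and the id numbers 1001 are assumed values.

```shell
#!/bin/sh
# Added example, not the wiki's migration scripts or directory_administrator.
# Assumed values: dc=example,dc=com, user alice, uid/gid 1001; the {SSHA}
# hash in the demo is a constructed placeholder, not slappasswd output.

# base_ldif BASE_DN DOMAIN: the suffix entry and the two OUs under it.
base_ldif() {
    base="$1"; domain="$2"
    # the value of the first RDN (dc=example,... -> example) must also be the dc attribute
    dc=$(printf '%s' "$base" | sed 's/^dc=\([^,]*\).*/\1/')
    cat <<EOF
dn: $base
objectClass: top
objectClass: dcObject
objectClass: organization
dc: $dc
o: $domain

dn: ou=People,$base
objectClass: top
objectClass: organizationalUnit
ou: People

dn: ou=Group,$base
objectClass: top
objectClass: organizationalUnit
ou: Group
EOF
}

# user_ldif BASE_DN LOGIN UIDNUMBER GIDNUMBER "Full Name" HASH: one user under
# ou=People. Refuses a cleartext password: HASH must be slappasswd output.
user_ldif() {
    base="$1"; login="$2"; uidn="$3"; gidn="$4"; cn="$5"; hash="$6"
    case "$hash" in
        "{SSHA}"*|"{SHA}"*|"{SMD5}"*|"{MD5}"*|"{CRYPT}"*) ;;
        *) echo "user_ldif: refusing cleartext userPassword for $login" >&2; return 1 ;;
    esac
    sn=${cn##* }    # surname is the last word of the full name (person requires sn)
    cat <<EOF
dn: uid=$login,ou=People,$base
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
uid: $login
cn: $cn
sn: $sn
uidNumber: $uidn
gidNumber: $gidn
homeDirectory: /home/$login
loginShell: /bin/bash
userPassword: $hash
EOF
}

# make_home USER GROUP HOME [SKEL]: copy SKEL (default /etc/skel) to HOME,
# owned by USER:GROUP and mode 0700. Refuses to touch an existing directory
# so a re-run cannot silently reset someone's files or permissions.
# Typical call as root: make_home alice users /home/alice
make_home() {
    user="$1"; group="$2"; home="$3"; skel="${4:-/etc/skel}"
    if [ -e "$home" ]; then
        echo "make_home: $home already exists, leaving it alone" >&2
        return 1
    fi
    cp -a "$skel" "$home" || return 1      # -a implies -r and keeps modes and dotfiles
    chown -R "$user:$group" "$home" || return 1
    chmod 700 "$home"
}

# Demo: print the bootstrap LDIF for dc=example,dc=com. Load it with
#   ldapadd -W -x -D "cn=Manager,dc=example,dc=com" -f bootstrap.ldif
# (it prompts for rootpw), then check with: getent passwd alice
BASE="dc=example,dc=com"
base_ldif "$BASE" example.com
echo
user_ldif "$BASE" alice 1001 1001 "Alice Example" '{SSHA}placeholderFromSlappasswd'
```

The user entry carries only a gidNumber; add a matching posixGroup under ou=Group (or migrate one with migrate_group.pl) or 'getent group' will not resolve it. Keep userPassword as a hash in every LDIF you write: the ACL in slapd.conf stops anonymous reads of the attribute, but the LDIF file itself is often left lying in /tmp.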
Soon, there will be an update to this page covering LDAP over SSL/TLS for all communication. Until then, bear in mind that a simple bind over plain LDAP sends the user's password across the network in the clear, so keep the server and its clients on a trusted network segment.
