Here’s my take on how to set up an OpenLDAP 2.4.x server on CentOS 6. I’ve got an actual system working in a test environment.
Start by installing the required packages.
yum install openldap-servers openldap-clients
Now for the backend configuration. This used to live in slapd.conf, but in OpenLDAP 2.4 it is stored in the cn=config database: a directory of LDIF files under /etc/openldap/slapd.d that slapd maintains itself (so keep a copy of the originals before editing them by hand).
Next generate the password hash for the Manager (root DN) account. slappasswd prompts for the password twice and prints a salted SHA-1 hash of the form {SSHA}...; it is that hash, never the password itself, that goes into the configuration.
slappasswd
Edit the file /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{1\}bdb.ldif. The number in braces is the database index and it differs between releases: on CentOS 6.3 the bdb database is olcDatabase\=\{2\}bdb.ldif (see the comment at the end of this page), so run ls /etc/openldap/slapd.d/cn\=config/ first and use whichever bdb file you actually have.
Make sure you substitute dc=my-domain,dc=com with your domain; for this example I’ll use dc=example,dc=com.
Here’s a nice vi regular expression: :%s/dc=my-domain,dc=com/dc=example,dc=com/g
You’ll also need to change the “olcRootPW” line to the hash you generated earlier with slappasswd (paste the whole value, including the {SSHA} prefix). Here’s an example.
olcRootPW: {SSHA}yourhashhere
Add these certificate lines as well; we will generate the files later (for TLS encryption). Note that olcTLSCertificateFile and olcTLSCertificateKeyFile are global settings that slapd-config(5) lists under the cn=config entry rather than under a database, so if slaptest objects to them in this file, move them to /etc/openldap/slapd.d/cn\=config.ldif instead.
olcTLSCertificateFile: /etc/pki/tls/certs/slapdcert.pem
olcTLSCertificateKeyFile: /etc/pki/tls/certs/slapdkey.pem
Now edit /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}monitor.ldif (again, check the index; on CentOS 6.3 the monitor database is \{1\}) and substitute the default domain name here too. This file holds the olcAccess rule that grants your root DN read access to the monitor database; the root DN itself is the olcRootDN line in the bdb file, and the two must be the same DN. I use Manager for my account name.
:%s/cn=manager,dc=my-domain,dc=com/cn=Manager,dc=example,dc=com/g
Copy in the Berkeley DB tuning file (DB_CONFIG) that the bdb backend expects in its data directory; without it slapd falls back to default settings and logs a warning at startup. The example file lives under the versioned doc directory for your package; it may also be in /usr/share/openldap-servers.
cp /usr/share/doc/openldap-servers-2.4.19/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
Change the ownership of /var/lib/ldap to ldap.ldap
chown -R ldap:ldap /var/lib/ldap/
Enable the LDAPS listener (ldaps://, port 636) in /etc/sysconfig/ldap:
#vi /etc/sysconfig/ldap
SLAPD_LDAPS=yes
Generate a self-signed certificate and key. The Common Name you enter at the prompt must be the host name clients will use to reach the server, and for anything beyond a test environment use a certificate signed by a CA your clients already trust.
openssl req -new -x509 -nodes -out /etc/pki/tls/certs/slapdcert.pem -keyout /etc/pki/tls/certs/slapdkey.pem -days 365
Set ownership and permissions so that slapd (which runs as user ldap) can read the private key and nobody else can; the certificate itself is public.
chown root:ldap /etc/pki/tls/certs/slapdcert.pem /etc/pki/tls/certs/slapdkey.pem
chmod 644 /etc/pki/tls/certs/slapdcert.pem
chmod 640 /etc/pki/tls/certs/slapdkey.pem
Lets test the configuration:
# slaptest -u
config file testing succeeded
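The whole backend step again, as an added example written for this page rather than taken from the post. Instead of editing the files under slapd.d by hand (slapd maintains those files itself and may rewrite or reject hand edits), it makes the same changes through ldapmodify over the ldapi:/// socket with SASL EXTERNAL, discovers the bdb and monitor database indexes instead of guessing them, and puts the TLS attributes on cn=config, where slapd-config(5) defines them. It assumes SLAPD_LDAPI=yes in /etc/sysconfig/ldap and the stock CentOS 6 access rule on cn=config that lets local root manage it; the script name and the host name passed to make_cert are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the original post. It applies the backend
# settings with ldapmodify over ldapi:/// instead of hand-editing slapd.d.
# Assumptions: slapd runs with SLAPD_LDAPI=yes, and the stock CentOS 6 ACL on
# cn=config lets local root (SASL EXTERNAL over ldapi) manage it. Paths and
# names are the post's; the host name given to make_cert is hypothetical.
set -eu

SUFFIX="dc=example,dc=com"
ROOTDN="cn=Manager,${SUFFIX}"
CERT=/etc/pki/tls/certs/slapdcert.pem
KEY=/etc/pki/tls/certs/slapdkey.pem

# Self-signed certificate whose CN is the name clients connect to. The key is
# readable by slapd (group ldap) and by nobody else.
make_cert() {
    openssl req -new -x509 -nodes -days 365 -subj "/CN=$1" \
        -out "$CERT" -keyout "$KEY"
    chown root:ldap "$CERT" "$KEY"
    chmod 644 "$CERT"
    chmod 640 "$KEY"
}

# Pull the DN of a database of type $2 ('[bh]db' or 'monitor') out of an
# ldapsearch result given as text, so the index is discovered, not guessed:
# the post says {1}bdb, CentOS 6.3 ships {2}bdb (see the comment below).
find_db_dn() {
    printf '%s\n' "$1" |
        sed -n "s/^dn: \(olcDatabase={[0-9]*}$2,cn=config\)\$/\1/p" | head -n 1
}

# LDIF for ldapmodify: suffix, rootdn and rootpw on the bdb entry, the rootdn's
# read access on the monitor entry, and the TLS files on cn=config, which is
# where slapd-config(5) defines them. $5 must be the {SSHA} hash printed by
# slappasswd; the function refuses anything without a {scheme} prefix.
build_config_ldif() {
    db_dn=$1; mon_dn=$2; suffix=$3; rootdn=$4; rootpw=$5; cert=$6; key=$7
    case $rootpw in
        '{'*'}'*) ;;
        *) echo "build_config_ldif: rootpw is not a slappasswd hash" >&2; return 1 ;;
    esac
    cat <<EOF
dn: ${db_dn}
changetype: modify
replace: olcSuffix
olcSuffix: ${suffix}
-
replace: olcRootDN
olcRootDN: ${rootdn}
-
replace: olcRootPW
olcRootPW: ${rootpw}

dn: ${mon_dn}
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="${rootdn}" read by * none

dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: ${cert}
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: ${key}
EOF
}

# Discover both database DNs, push the changes, then re-check the config.
apply_config() {
    dbs=$(ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config \
        '(objectClass=olcDatabaseConfig)' dn)
    db_dn=$(find_db_dn "$dbs" '[bh]db')
    mon_dn=$(find_db_dn "$dbs" monitor)
    [ -n "$db_dn" ] && [ -n "$mon_dn" ] ||
        { echo "bdb/hdb or monitor database not found under cn=config" >&2; return 1; }
    build_config_ldif "$db_dn" "$mon_dn" "$SUFFIX" "$ROOTDN" "$1" "$CERT" "$KEY" |
        ldapmodify -Q -Y EXTERNAL -H ldapi:///
    slaptest -u
}

# Usage: sh configure-slapd.sh apply ldap.example.com
if [ "${1:-}" = apply ]; then
    make_cert "${2:?host name required}"
    apply_config "$(slappasswd)"   # slappasswd prompts for the Manager password
fi
```

Because the changes go through slapd, a typo is rejected with an LDAP error instead of silently leaving slapd.d inconsistent, and the TLS files are checked when cn=config is modified, so a key with the wrong permissions shows up immediately rather than at the next restart.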
So now your backend is set up; let’s do the frontend (the user accounts, groups etc).
I’ve created some ldif files which should make creating accounts easier. Just edit the files accordingly, remembering to change your dc, cn etc.
UPDATE: I’ve recreated these files as I believe there was some crappy Windows formatting in them!
The base.ldif:
https://dl.dropbox.com/u/10655536/openldap/base.ldif
the newgroup.ldif:
https://dl.dropbox.com/u/10655536/openldap/newgroup.ldif
the newpeople.ldif:
https://dl.dropbox.com/u/10655536/openldap/newpeople.ldif
Load them as the root DN you configured above (the -D value must match olcRootDN exactly). Note that -x -W over plain ldap:// sends the Manager password across the network in clear text; once TLS works, add -ZZ to force StartTLS, or point -H at ldaps://yourserver.
ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f base.ldif
ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f newgroup.ldif
ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f newpeople.ldif
Now query your ldap and see what happens!
ldapsearch -x -b "dc=example,dc=com"
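Since the linked ldif files live off-site and the comment below reports trouble with them, here is an added example (written for this page, not the post’s own files) that builds the base, group and user entries as LDIF and loads them over StartTLS so the Manager password does not cross the wire in the clear. It assumes dc=example,dc=com, the core/cosine/nis schemas that CentOS 6 loads by default (posixAccount and posixGroup come from nis), a hypothetical host name ldap.example.com that matches the certificate CN, and that /etc/openldap/ldap.conf has TLS_CACERT pointing at the server certificate so that -ZZ can verify it.

```shell
#!/bin/sh
# Added example, not the post's ldif files. Builds the base tree, a POSIX
# group and a POSIX user as LDIF and loads them with StartTLS (-ZZ).
# Assumptions: dc=example,dc=com, the default CentOS 6 schema set, a
# hypothetical server name, and a client ldap.conf that trusts the cert.
set -eu

SUFFIX="dc=example,dc=com"
ROOTDN="cn=Manager,${SUFFIX}"
SERVER=ldap://ldap.example.com   # hypothetical; must match the certificate CN

# Top of the tree plus the two containers. The dc value must equal the first
# RDN of the suffix (dc=example -> "example") or the add is rejected.
ldif_base() {
    suffix=$1
    dc=${suffix#dc=}; dc=${dc%%,*}
    cat <<EOF
dn: ${suffix}
objectClass: top
objectClass: dcObject
objectClass: organization
dc: ${dc}
o: ${dc}

dn: ou=People,${suffix}
objectClass: top
objectClass: organizationalUnit
ou: People

dn: ou=Group,${suffix}
objectClass: top
objectClass: organizationalUnit
ou: Group
EOF
}

# A POSIX group; gidNumber must be unique across the directory.
ldif_group() {
    suffix=$1; name=$2; gid=$3
    cat <<EOF
dn: cn=${name},ou=Group,${suffix}
objectClass: top
objectClass: posixGroup
cn: ${name}
gidNumber: ${gid}
EOF
}

# A login account. $6 is the {SSHA} value printed by slappasswd; the function
# refuses a value without a {scheme} prefix so a plaintext userPassword can
# never be loaded by mistake.
ldif_user() {
    suffix=$1; uid=$2; uidnum=$3; gidnum=$4; fullname=$5; pwhash=$6
    case $pwhash in
        '{'*'}'*) ;;
        *) echo "ldif_user: refusing unhashed password for ${uid}" >&2; return 1 ;;
    esac
    cat <<EOF
dn: uid=${uid},ou=People,${suffix}
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
uid: ${uid}
cn: ${fullname}
sn: ${fullname##* }
uidNumber: ${uidnum}
gidNumber: ${gidnum}
homeDirectory: /home/${uid}
loginShell: /bin/bash
userPassword: ${pwhash}
EOF
}

# Load everything in one bind. -ZZ fails outright if StartTLS is not
# negotiated, instead of falling back to a cleartext bind.
add_entries() {
    { ldif_base "$SUFFIX"; echo; ldif_group "$SUFFIX" users 1000; echo
      ldif_user "$SUFFIX" alice 1000 1000 "Alice Example" "$1"; } |
        ldapadd -x -ZZ -H "$SERVER" -D "$ROOTDN" -W
}

# Usage: sh populate-ldap.sh load   (prompts for alice's password, then Manager's)
if [ "${1:-}" = load ]; then
    add_entries "$(slappasswd)"
    ldapsearch -x -ZZ -H "$SERVER" -b "$SUFFIX" '(uid=alice)'
fi
```

The closing ldapsearch should return the uid=alice entry without userPassword, because the default olcAccess on the bdb database only lets the user and the root DN read that attribute; if the hash comes back to an anonymous search, the access rules need fixing before anyone is pointed at the server.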

I was able to get LDAP and TLS working following this howto. However, there were some critical differences in the file names that caused considerable confusion at first. In fact, I got things half working on a first attempt and then started over. Let's begin:
First, I had to read the comments to sort out what did not work. Like Cristian Romanescu I am running CentOS 6.3 and I had /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}bdb.ldif, not /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{1\}bdb.ldif.
Second, olcRootPW goes into: /etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif
…
olcRootPW: {SSHA}+jpj64m5fTWxCQOIQct8UQ3aG2YygN1B
olcTLSCertificateFile: /etc/pki/tls/certs/slapdcert.pem
olcTLSCertificateKeyFile: /etc/pki/tls/certs/slapdkey.pem
Finally, there is still something wrong with the sample files posted here for creating the base database and groups, etc. They just would not work.