Install OpenLDAP on CentOS

1. Prepare

First, install the packages

yum -y install openldap openldap-clients openldap-servers

Verify that the LDAP ports (389 and 636) are free

netstat -tlnp | egrep "389|636"

Set up a certificate authority as described here and obtain the CA certificate /etc/pki/ca/ca.crt.

Create an SSL certificate for the LDAP server as described here and obtain the certificate /etc/pki/ldap/server.crt and the key /etc/pki/ldap/server.key.

2. Set up the LDAP server

Configure the Berkeley DB backend

cp /etc/openldap/DB_CONFIG.example /etc/openldap/DB_CONFIG
ln -s /etc/openldap/DB_CONFIG /var/lib/ldap/

Set up the slapd root password (slappasswd prints the {SSHA} hash, which the next step edits into slapd.conf as rootpw)

mv /etc/openldap/slapd.conf /etc/openldap/slapd.conf.orig
slappasswd > /etc/openldap/slapd.conf

Edit /etc/openldap/slapd.conf

include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema

allow bind_v2

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

TLSCipherSuite        ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
TLSCACertificateFile  /etc/pki/ca/ca.crt
TLSCertificateFile    /etc/pki/ldap/server.crt
TLSCertificateKeyFile /etc/pki/ldap/server.key
#TLSVerifyClient never

# require secure connections only (LDAP+StartTLS or LDAPS)
security ssf=128
password-hash {SSHA}

access to attrs=userPassword by self write by * auth
access to * by self write by users read by anonymous none

database  bdb
suffix    "dc=ourdom.com"
rootdn    "cn=root,dc=ourdom.com"
rootpw    {SSHA}dYFhmHySSrpCR5WUF3KlpWY8N1v8ltZ/

directory       /var/lib/ldap

index objectClass             eq,pres
index ou,cn,mail              eq,pres,sub
index uidNumber,gidNumber     eq,pres
index uid,memberUid           eq,pres,sub

Since the file contains the LDAP root password, even if only in hashed form, no one but the slapd daemon should be able to read it:

cd /etc/openldap
chown root:ldap slapd.conf
chmod 640 slapd.conf

Enable LDAPS in /etc/sysconfig/ldap

SLAPD_LDAPS=yes

Start the service

chkconfig ldap on
service ldap restart

Create a bundle of the server certificates, and place the CA certificate in the hashed-name certificate directory

cat /etc/pki/ca/ca.crt /etc/pki/ldap/server.crt >> /etc/openldap/cacerts.pem
cd /etc/openldap/cacerts
cp /etc/pki/ca/ca.crt .
ln -s ca.crt `cat ca.crt | openssl x509 -hash -noout`.0

3. Configure the LDAP client

Edit /etc/openldap/ldap.conf

URI  ldaps://server.ourdom.com
BASE  dc=ourdom.com
TLS_CACERTDIR  /etc/openldap/cacerts
TLS_CACERT  /etc/openldap/cacerts.pem
TLS_REQCERT  demand
TLS_CIPHER_SUITE  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
TIMELIMIT  15
DEREF  never

4. Initialize LDAP database

Import an initial LDAP tree from a file like the one attached below:

ldapadd -D cn=root,dc=ourdom.com -x -w ROOTPASS -f /path/to/dump.ldif

Remember the line "access to * ... by anonymous none". It is good practice to prevent anonymous users from outside from browsing your directory: one needs an LDAP account to browse it. Unfortunately, the standard NSS/PAM LDAP library bundled with Linux distributions such as Ubuntu or CentOS takes the credentials of such an account from /etc/ldap.conf, which is readable by every user logged on to the machine. So we cannot use a real login account for this, or everybody on the system would know its password.

Let's create a special LDAP entry whose only purpose is to password-protect LDAP reads. Run the shell script attached to this page:

sh build-ldap-pwd-entry.sh dc=ourdom.com browse secretpass > temp.ldif
ldapadd -D cn=root,dc=ourdom.com -x -w ROOTPASS -f temp.ldif

The first argument is your LDAP search base, the second is the CN of the entry to create, and the last one is the password. The new entry will look similar to this:

dn: cn=browse,dc=ourdom.com
cn: browse
sn: browse
objectClass: top
objectClass: person
userPassword:: e1NxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxKT3IK

Now verify the results:

ldapsearch -D cn=root,dc=ourdom.com -x -w ROOTPASS -LLL '(cn=ibunin)' 'cn'

Repeat the test with your browsing user (-D cn=browse,dc=ourdom.com) and check the results.

You are done.
