Tuesday 4 November 2014

Install & configure openldap 2.4.23

How to install and configure openldap 2.4.23 on OEL 6.5:

Prerequisites
- NTP server:
On each server, ntp must be configured.
Update /etc/ntp.conf with the customer's ntp server if the enterprise ntp server is reachable.
If not, the Ops Center virtual server can be used as ntp server.
After modification, restart the ntp service:
# service ntpd stop
Shutting down ntpd:                                        [  OK  ]
# service ntpd start
Starting ntpd:                                             [  OK  ]

- Name service:

To complete the configuration, it is recommended to register the ldap servers in the enterprise name service (DNS).
If that is not possible, add an entry for each ldap server node and each ldap client node to the /etc/hosts file on every ldap server node and every ldap client node.

Installation
Rpm packages:
If no yum repository is configured, install the openldap rpm packages together with their dependency rpms.
On each ldap client machine:
openldap-clients
nss-pam-ldapd
nss-util
authconfig-gtk
pam_ldap

On each ldap server:
openldap-servers
nss-ldap
libtool-ltdl
cyrus-sasl-devel

Configure
Configuration file:
/etc/openldap/slapd.d/cn=config.ldif
Make a backup of this file before any modification.

Edit the cn=config.ldif file to set the security-related options:
Refuse LDAPv2 connections and allow only LDAPv3 by deleting this line:
olcAllows: bind_v2

Add an idle connection timeout so that idle connections are not kept open; add or modify the following line (value in seconds, written in "attribute: value" LDIF syntax):
olcIdleTimeout: 60

Database files
Create a root password:
Create a hashed root password for the ldap directory with the slappasswd command:
# slappasswd
New password:
Re-enter new password:
{SSHA}F8SO2XunEKdP2qK4ZTFWicmaF/DrkW1Q

Edit the database file: olcDatabase={2}bdb.ldif
Make a backup of this file before any modification.

Edit /etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif:
Set olcSuffix to the desired ldap base:
olcSuffix: dc=el01,dc=com

Set the ldap administrator olcRootDN:
olcRootDN: cn=manager,dc=el01,dc=com

Add the root password (the hash generated by slappasswd above):
olcRootPW: {SSHA}F8SO2XunEKdP2qK4ZTFWicmaF/DrkW1Q
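The following shell script is an added example, not part of the original post: it audits a backed-up or exported cn=config LDIF and database LDIF for the three settings changed in this section (LDAPv2 binds refused, a non-zero olcIdleTimeout written with the colon LDIF requires, and an olcRootPW stored as a hash rather than cleartext). The file names and the "before"/"after" fixture contents are constructed for the demo; the "before" fixture deliberately writes olcIdleTimeout without the colon, which is not valid LDIF and therefore counts as missing. The {SSHA} hash is the one shown above.

```shell
#!/bin/sh
# Added example (not from the original post): audit slapd cn=config LDIF
# files for the settings the walkthrough changes. All paths and fixture
# contents below are constructed assumptions, not the live slapd.d files.

# 0 if the global config still allows LDAPv2 binds.
bind_v2_allowed() {
    grep -q '^olcAllows:.*bind_v2' "$1"
}

# 0 if olcIdleTimeout is present as "olcIdleTimeout: N" with N > 0.
idle_timeout_set() {
    n=$(sed -n 's/^olcIdleTimeout:[[:space:]]*//p' "$1" | head -n 1)
    case "$n" in
        ''|*[!0-9]*) return 1 ;;   # missing, no colon, or not a number
    esac
    [ "$n" -gt 0 ]
}

# 0 if olcRootPW carries a hash scheme prefix such as {SSHA} or {CRYPT}.
rootpw_hashed() {
    grep -q '^olcRootPW:[[:space:]]*{[A-Z0-9-]*}' "$1"
}

# Print one line per check; return the number of failed checks.
audit_slapd() {
    cfg=$1; db=$2; fails=0
    if bind_v2_allowed "$cfg"; then
        echo "FAIL: $cfg allows LDAPv2 binds (olcAllows: bind_v2)"; fails=$((fails + 1))
    else
        echo "ok:   LDAPv2 binds not allowed"
    fi
    if idle_timeout_set "$cfg"; then
        echo "ok:   olcIdleTimeout set"
    else
        echo "FAIL: $cfg has no usable olcIdleTimeout"; fails=$((fails + 1))
    fi
    if rootpw_hashed "$db"; then
        echo "ok:   olcRootPW is hashed"
    else
        echo "FAIL: $db stores olcRootPW in cleartext or not at all"; fails=$((fails + 1))
    fi
    return "$fails"
}

# Constructed fixtures mirroring the before/after states of this section.
make_fixtures() {
    FIX=$(mktemp -d)
    cat > "$FIX/before-config.ldif" <<'EOF'
dn: cn=config
objectClass: olcGlobal
cn: config
olcAllows: bind_v2
olcIdleTimeout 60
EOF
    cat > "$FIX/after-config.ldif" <<'EOF'
dn: cn=config
objectClass: olcGlobal
cn: config
olcIdleTimeout: 60
EOF
    cat > "$FIX/before-db.ldif" <<'EOF'
dn: olcDatabase={2}bdb
objectClass: olcBdbConfig
olcDatabase: {2}bdb
olcSuffix: dc=el01,dc=com
olcRootDN: cn=manager,dc=el01,dc=com
olcRootPW: changeme
EOF
    cat > "$FIX/after-db.ldif" <<'EOF'
dn: olcDatabase={2}bdb
objectClass: olcBdbConfig
olcDatabase: {2}bdb
olcSuffix: dc=el01,dc=com
olcRootDN: cn=manager,dc=el01,dc=com
olcRootPW: {SSHA}F8SO2XunEKdP2qK4ZTFWicmaF/DrkW1Q
EOF
}

# Demo run over both fixture sets.
make_fixtures
echo "== before =="
audit_slapd "$FIX/before-config.ldif" "$FIX/before-db.ldif" || echo "$? check(s) failed"
echo "== after =="
audit_slapd "$FIX/after-config.ldif" "$FIX/after-db.ldif" && echo "all checks pass"
```

To audit a running server instead of the files, the usual way to obtain the live configuration is `ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config` as root (this assumes the ldapi socket is enabled on your host); the output can be passed to `audit_slapd` as both arguments.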

Start ldap service
Start the ldap service to check the configuration files and to be able to populate the database online.

# chkconfig slapd on
# service slapd start
Starting slapd: [OK]

Populate database (online)
Populate the database with an ldif file that creates the users and groups branches:
Create an ldif file that builds the ldap tree (the following content is an example):
# vi /tmp/ldapentries.ldif
dn: dc=el01,dc=com
objectclass: dcObject
objectclass: organization
o: el01 com
dc: el01

dn: ou=People,dc=el01,dc=com
objectClass: organizationalUnit
objectClass: top
ou: People

dn: ou=Group,dc=el01,dc=com
objectClass: organizationalUnit
objectClass: top
ou: Group

dn: cn=admin,dc=el01,dc=com
objectclass: organizationalRole
cn: admin

# Add a user to test ldap
dn: uid=ddewailly,ou=People,dc=el01,dc=com
objectclass: top
objectclass: person
objectclass: inetOrgPerson
objectclass: organizationalPerson
uid: ddewailly
cn: David Dewailly
sn: Dewailly
givenName: David

Use clear-text mode:
If you don't want to use ldaps, edit the /etc/sysconfig/authconfig file and replace FORCELEGACY=no with FORCELEGACY=yes.

Populate with the ldapadd command:
# ldapadd -f /tmp/ldapentries.ldif -x -D cn=Manager,dc=el01,dc=com -W -c

Note: no line may end with a space. In LDIF a trailing space becomes part of the attribute value, and a line that begins with a space is read as a continuation of the previous line, so end every line with a newline character only.

Run a search to verify the entries just added:
# ldapsearch -x -D cn=Manager,dc=el01,dc=com -W -b 'dc=el01,dc=com' '(objectclass=*)'
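As an added example, not part of the original post, the script below lints an LDIF file before it is handed to ldapadd: it reports the lines that end in whitespace (the problem the note above warns about), checks that every blank-line-separated record starts with a dn: line (leading "#" comments are allowed, as in the example file), counts the entries, and writes a cleaned copy with trailing whitespace stripped. The fixture is constructed (a shortened version of the tree above with one trailing space and one record missing its dn) and the file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): lint an LDIF file before
# running ldapadd. Fixture contents and file names are constructed.

# Print the numbers of lines ending in a space or tab; return 1 if any.
ldif_trailing_ws() {
    found=$(grep -n '[[:space:]]$' "$1" | cut -d: -f1)
    [ -z "$found" ] && return 0
    echo "$found"
    return 1
}

# Return 0 when every blank-line-separated record begins with "dn: ",
# ignoring leading "#" comment lines and an optional "version:" line.
ldif_records_ok() {
    awk 'BEGIN { RS = ""; bad = 0 }
    {
        n = split($0, line, "\n"); first = ""
        for (i = 1; i <= n; i++) {
            if (line[i] ~ /^#/ || line[i] ~ /^version:/) continue
            first = line[i]; break
        }
        if (first !~ /^dn: /) bad++
    }
    END { exit (bad > 0) }' "$1"
}

# Number of entries (dn: lines) in the file.
ldif_dn_count() {
    grep -c '^dn:' "$1"
}

# Write a copy of $1 to $2 with trailing whitespace stripped from every line.
ldif_clean() {
    sed 's/[[:space:]]*$//' "$1" > "$2"
}

# Constructed fixture: line 10 ("ou: People ") carries a trailing space and
# record 3 lacks its dn: line. printf is used so the stray space is explicit.
make_ldif_fixture() {
    LDIF_BAD=$(mktemp)
    LDIF_CLEAN=$(mktemp)
    {
        printf 'dn: dc=el01,dc=com\n'
        printf 'objectclass: dcObject\n'
        printf 'objectclass: organization\n'
        printf 'o: el01 com\n'
        printf 'dc: el01\n'
        printf '\n'
        printf '# people branch\n'
        printf 'dn: ou=People,dc=el01,dc=com\n'
        printf 'objectClass: organizationalUnit\n'
        printf 'ou: People \n'
        printf '\n'
        printf 'objectClass: organizationalUnit\n'
        printf 'ou: Group\n'
    } > "$LDIF_BAD"
}

# Demo run: report, clean, re-check.
make_ldif_fixture
echo "entries: $(ldif_dn_count "$LDIF_BAD")"
ldif_trailing_ws "$LDIF_BAD" || echo "^ lines with trailing whitespace"
ldif_records_ok "$LDIF_BAD" || echo "a record does not start with dn:"
ldif_clean "$LDIF_BAD" "$LDIF_CLEAN"
ldif_trailing_ws "$LDIF_CLEAN" && echo "cleaned copy has no trailing whitespace"
```

Running the cleaned copy through `ldapadd -c` (continuous mode, as in the command above) still lets ldapadd report the record without a dn: while adding the valid ones; the lint just makes that failure visible before anything touches the directory.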
