Prerequisites
- NTP server:
NTP must be configured on each server.
Update /etc/ntp.conf with the customer's NTP server if the enterprise NTP server is reachable.
If not, the Ops Center virtual server can be used as NTP server.
After the modification, restart the ntp service:
# service ntpd stop
Shutting down ntpd: [ OK ]
# service ntpd start
Starting ntpd: [ OK ]
- Name service:
To complete the configuration, it is recommended to add the ldap servers to the enterprise name service directory.
If that is not possible, add an entry for each ldap server and each ldap client to the /etc/hosts file on every ldap server node and every ldap client node.
Installation
RPM packages:
If no yum repository is configured, you can install the openldap rpm packages together with their dependency rpms.
On each ldap client machine:
openldap-clients
nss-pam-ldapd
nss-util
authconfig-gtk
pam_ldap
On each ldap server:
openldap-servers
nss-ldap
libtool-ltdl
cyrus-sasl-devel
Configure
Configuration file:
/etc/openldap/slapd.d/cn=config.ldif
Make a backup of this file before any modification.
Edit the cn=config.ldif file to set the security-related options:
Disable LDAPv2 connections and allow only LDAPv3 by deleting this line:
olcAllows: bind_v2
Add an idle connection timeout so that idle connections are not kept open; add or modify the following line (the attribute name must be followed by a colon, as for every LDIF attribute):
olcIdleTimeout: 60
Database files
Create a root password:
Create a salted-hashed (SSHA) root password for the ldap directory with the slappasswd command:
# slappasswd
New password:
Re-enter new password:
{SSHA}F8SO2XunEKdP2qK4ZTFWicmaF/DrkW1Q
Edit the database file: olcDatabase={2}bdb.ldif
Make a backup of this file before any modification.
Edit /etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif:
Modify olcSuffix to the desired ldap suffix:
olcSuffix: dc=el01,dc=com
Modify the ldap administrator olcRootDN:
olcRootDN: cn=manager,dc=el01,dc=com
Add the root password (the {SSHA} hash generated with slappasswd above, never the cleartext password):
olcRootPW: {SSHA}F8SO2XunEKdP2qK4ZTFWicmaF/DrkW1Q
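The following shell audit is an added example, not part of the original post: it checks the two cn=config.ldif edits above (olcAllows: bind_v2 removed, olcIdleTimeout set with its colon) and the olcDatabase={2}bdb.ldif edit (olcRootPW stored as an {SSHA} hash), plus the no-trailing-whitespace rule given later for ldapadd. The function name check_slapd_config and the sample files it writes are constructed for the demo; point it at the real files under /etc/openldap/slapd.d/ to audit a server.

```sh
#!/bin/sh
# Added example, not from the original post: audit cn=config.ldif and
# olcDatabase={2}bdb.ldif for the settings the procedure asks for.
# The sample files written below are constructed for the demo.

# check_slapd_config CONFIG_LDIF DB_LDIF: report each check, return 0 only if all pass
check_slapd_config() {
    cfg="$1"; db="$2"; rc=0
    # 1. The "olcAllows: bind_v2" line must be gone (LDAPv3 only)
    if grep -q '^olcAllows:.*bind_v2' "$cfg"; then
        echo "FAIL: $cfg still allows LDAPv2 binds"; rc=1
    else
        echo "ok: LDAPv2 binds not allowed"
    fi
    # 2. olcIdleTimeout must be present, written with a colon, and a positive number of seconds
    timeout=$(sed -n 's/^olcIdleTimeout: *\([0-9]*\).*/\1/p' "$cfg")
    if [ -z "$timeout" ] || [ "$timeout" -eq 0 ]; then
        echo "FAIL: olcIdleTimeout missing, malformed or 0 in $cfg"; rc=1
    else
        echo "ok: idle connections dropped after ${timeout}s"
    fi
    # 3. olcRootPW must be the {SSHA} hash from slappasswd, never a cleartext password
    if grep -q '^olcRootPW: *{SSHA}' "$db"; then
        echo "ok: olcRootPW is SSHA-hashed"
    else
        echo "FAIL: olcRootPW in $db is missing or not {SSHA}-hashed"; rc=1
    fi
    # 4. Trailing whitespace becomes part of the attribute value (see the note on ldapadd)
    if grep -q '[[:space:]]$' "$cfg" "$db"; then
        echo "FAIL: trailing whitespace found in $cfg or $db"; rc=1
    else
        echo "ok: no trailing whitespace"
    fi
    return $rc
}

# Constructed sample files (hash value copied from the procedure, paths are temporary)
SAMPLE_DIR=$(mktemp -d)
printf 'dn: cn=config\nobjectClass: olcGlobal\ncn: config\nolcIdleTimeout: 60\n' \
    > "$SAMPLE_DIR/good-config.ldif"
printf 'dn: olcDatabase={2}bdb\nolcSuffix: dc=el01,dc=com\nolcRootDN: cn=manager,dc=el01,dc=com\n%s\n' \
    'olcRootPW: {SSHA}F8SO2XunEKdP2qK4ZTFWicmaF/DrkW1Q' > "$SAMPLE_DIR/good-db.ldif"
printf 'dn: cn=config\nolcAllows: bind_v2\nolcIdleTimeout 60\n' > "$SAMPLE_DIR/bad-config.ldif"
printf 'dn: olcDatabase={2}bdb\nolcRootPW: secret \n' > "$SAMPLE_DIR/bad-db.ldif"

echo "== hardened pair"; check_slapd_config "$SAMPLE_DIR/good-config.ldif" "$SAMPLE_DIR/good-db.ldif"
echo "== unedited pair"; check_slapd_config "$SAMPLE_DIR/bad-config.ldif" "$SAMPLE_DIR/bad-db.ldif" || true
```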
Start ldap service
Start the ldap service to check the configuration files and to populate the database online.
# chkconfig slapd on
# service slapd start
Starting slapd: [OK]
Populate database (online)
Populate the database with an ldif file that creates the users and groups branches:
Create an ldif file to build the ldap tree (the following contents are an example; entries must be separated by a blank line):
# vi /tmp/ldapentries.ldif
dn: dc=el01,dc=com
objectclass: dcObject
objectclass: organization
o: el01 com
dc: el01

dn: ou=People,dc=el01,dc=com
objectClass: organizationalUnit
objectClass: top
ou: People

dn: ou=Group,dc=el01,dc=com
objectClass: organizationalUnit
objectClass: top
ou: Group

dn: cn=admin,dc=el01,dc=com
objectclass: organizationalRole
cn: admin

# Add a user to test ldap
dn: uid=ddewailly,ou=People,dc=el01,dc=com
objectclass: top
objectclass: person
objectclass: inetOrgPerson
objectclass: organizationalPerson
uid: ddewailly
cn: David Dewailly
sn: Dewailly
givenName: David
Use clear text mode:
If you don't want to use ldaps, edit the /etc/sysconfig/authconfig file and replace FORCELEGACY=no with FORCELEGACY=yes.
Populate with the ldapadd command:
# ldapadd -f /tmp/ldapentries.ldif -x -D cn=Manager,dc=el01,dc=com -W -c
Note: no space must be left at the end of any line (it would become part of the value); use only newline characters.
Run a search to check the entries previously added:
# ldapsearch -x -D cn=Manager,dc=el01,dc=com -W -b 'dc=el01,dc=com' '(objectclass=*)'