(Click to open topic with navigation)
These instructions are intended to help first-time LDAP administrators get up and running. The following procedures contain instructions for getting started using OpenLDAP on a CentOS 6 system. For more complete information on how to set up OpenLDAP see the OpenLDAP documentation.
In this topic:
Adaptive Computing is not responsible for creating, maintaining, or supporting customer LDAP or Active Directory configurations.
Installing and Configuring OpenLDAP on Centos 6
First, you will need to install OpenLDAP. These instructions explain how you can do this on a CentOS 6 system.
To install and configure OpenLDAP on Centos 6
[root]# yum -y install openldap openldap-clients openldap-servers
[root]# slappasswd New password : p@ssw0rd Re-enter new password : p@ssw0rd {SSHA}5lPFVw19zeh7LT53hQH69znzj8TuBrLv
[root]# cd /etc/openldap/slapd.d/cn\=config [root]# vi olcDatabase\=\{2\}bdb.ldif
olcRootPW: {SSHA}5lPFVw19zeh7LT53hQH69znzj8TuBrLv ...
For example, let's say your company is called Acme Corporation, and that your domain name is "acme.com." You might make the following changes to the olcDatabase={2}bdb.ldif file:
olcSuffix: dc=acme,dc=com ... olcRootDN: cn=Manager,dc=acme,dc=com ... olcRootPW: {SSHA}5lPFVw19zeh7LT53hQH69znzj8TuBrLv ...
Throughout the following examples in this topic, you will see dc=acme,dc=com. "acme" is only used as an example to illustrate what you would use as your own domain controller if your domain name was "acme.com." You should replace any references to "acme" with your own organization's domain name.
Do not set the cn of your root user to "root" (cn=root,dc=acme,dc=com), or OpenLDAP will have problems.
[root]# vi olcDatabase\=\{1\}monitor.ldif
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=acme,dc=com" read by * none
A full discussion on configuring access control in OpenLDAP is beyond the scope of this tutorial. For help, see the OpenLDAP Access Control documentation.
[root]# vi olcDatabase\=\{2\}bdb.ldif
olcAccess: {0}to attrs=userPassword by self write by dn.base="cn=Manager,dc=acme,dc=com" write by anonymous auth by * none
olcAccess: {1}to * by dn.base="cn=Manager,dc=acme,dc=com" write by self write by * read
These lines allow a user to read and write his or her own password. It also allows a manager to read and write anyone's password. Anyone, including anonymous users, is allowed to view non-password attributes of other users.
[root]# chkconfig slapd on [root]# service slapd start
An LDAP directory is analogous to a tree. Nodes in this tree are called LDAP "entries" and may represent users, groups, organizational units, domain controllers, or other objects. The attributes in each entry are determined by the LDAP schema. In this tutorial we will build entries based on the InetOrgPerson schema (which ships with OpenLDAP by default).
In order to build our LDAP tree we must first create the root entry. Root entries are usually a special type of entry called a domain controller (DC). Because we are assuming that the organization is called Acme Corporation, and that the domain is "acme.com," we will create a domain controller LDAP entry called dc=acme,dc=com. Again, you will need to replace "acme" with your organization's domain name. Also note that dc=acme,dc=com is what is called an LDAP distinguished name (DN). An LDAP distinguished name uniquely identifies an LDAP entry.
Do the following:
[root]# cd /tmp [root]# vi acme.ldif
dn: dc=acme,dc=com objectClass: dcObject objectClass: organization dc: acme o : acme
[root]# ldapadd -f acme.ldif -D cn=Manager,dc=acme,dc=com -w p@ssw0rd
[root]# ldapsearch -x -LLL -b dc=acme,dc=com dn: dc=acme,dc=com objectClass: dcObject objectClass: organization dc: acme o: acme
[root]# sudo iptables -L [root]# sudo service iptables save
Configuring your firewall is beyond the scope of this tutorial; however, it may be helpful to know that the default firewall on CentOS is a service called iptables. (For more information, see the documentation on iptables.) In the most basic case, you may be able to add a rule to your firewall that accepts connections to port 389 by doing the following:
[root]# vi /etc/sysconfig/iptables
# ... lines with ACCEPT should be above -A INPUT -p tcp --dport 389 -j ACCEPT # .. lines with REJECT should be below
For example, here is a sample iptables file with this line added:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 389 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
[root]# service iptables reload
Although providing instructions is beyond the scope of this tutorial, it is also highly recommended that you set up OpenLDAP to use SSL or TLS security to prevent passwords and other sensitive data from being sent in plain text. For information on how to do this, see the OpenLDAP TLS documentation.
Now that you have installed and set up Open LDAP, you are ready to add organizational units (see Adding an Organizational Unit (OU)).
Adding an Organizational Unit (OU)
These instructions will describe how to populate the LDAP tree with organizational units (OUs), groups, and users, all of which are different types of LDAP entries. The examples that follow also presume an InetOrgPerson schema, because the InetOrgPerson schema is delivered with OpenLDAP by default.
To add an organizational unit (OU) entry to the LDAP tree
In this example, we are going to add an OU called "Users."
[root]# cd /tmp [root]# vi users.ldif
dn: ou=Users,dc=acme,dc=com objectClass: organizationalUnit ou: Users
[root]# ldapadd -f users.ldif -D cn=Manager,dc=acme,dc=com -w p@ssw0rd
To add a user to LDAP
In this example, we will add a user named "Bob Jones" to LDAP inside the "Users" OU.
[root]# cd /tmp [root]# vi bob.ldif
dn: cn=Bob Jones,ou=Users,dc=acme,dc=com cn: Bob Jones sn: Jones objectClass: inetOrgPerson userPassword: p@ssw0rd uid: bjones
[root]# ldapadd -f bob.ldif -D cn=Manager,dc=acme,dc=com -w p@ssw0rd
To add a group to LDAP
In this example, we will add a group called "Engineering" to LDAP inside the "Users" OU.
[root]# cd /tmp [root]# vi engineering.ldif
dn: cn=Engineering,ou=Users,dc=acme,dc=com cn: Engineering objectClass: groupOfNames member: cn=Bob Jones,ou=Users,dc=acme,dc=com
[root]# ldapadd -f engineering.ldif -D cn=Manager,dc=acme,dc=com -w p@ssw0rd
To add a user to an LDAP group
In this example, we will add an LDAP member named "Al Smith" to the "Engineering" LDAP group. This example assumes that user, Al Smith, has already been added to LDAP.
Before you add a user to an LDAP group, the user must first be added to LDAP. For more information, see Adding a User.
[root]# cd /tmp [root]# vi addUserToGroup.ldif
dn: cn=Engineering,ou=Users,dc=acme,dc=com changetype: modify add: member member: cn=Al Smith,ou=Users,dc=acme,dc=com
[root]# ldapadd -f addUserToGroup.ldif -D cn=Manager,dc=acme,dc=com -w p@ssw0rd
Related Topics