OpenLDAP step by step how-to

I need an authentication system with broad compatibility and many extended features (such as biometric devices). The candidates are AD, IPA and OpenLDAP. AD comes from Microsoft and is too “heavy” for a system that is not very large. IPA and OpenLDAP are almost the same, but I prefer the latter, since it is compatible with oVirt (this is also why I chose CentOS rather than Debian).

The simplest OpenLDAP server

A basic LDAP server without any security or additional features.

OpenLDAP with SASL

Add SASL to our LDAP server.

OpenLDAP with SAMBA

To add Windows PCs to our domain.

OpenLDAP with Kerberos

This is what we want finally.
============================================================

1. The simplest OpenLDAP server

There are two ways to set up an OpenLDAP server: with the 389-ds setup script, or by configuring it manually.

1.1 Using 389-ds script

Here’s the original article.

Preparation

Before setup, this configuration should be modified.
Add following:

Add following:

Add following:

Add following:

Then reboot the machine for the above configuration to take effect.

Setup 389-ds

Then you’ll see some questions like this (sorry for the highlighting…):

Then enable these two services so that they start at boot.

With the 389-ds scripts you can also use 389-console; please refer to the link above.

1.2 Manually configure

Here’s the original article.

Install the packages

Change the configuration

/etc/openldap/slapd.d/cn\=config.ldif
Delete olcAllows: bind_v2 if you want to allow only LDAPv3.
Change olcIdleTimeout from 0 to 30 if you want connections that have been idle for more than 30 seconds to be closed.

Before the next step, run this command to generate a SHA-hashed password.

Then copy the output to your clipboard.

/etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}bdb.ldif
Modify olcSuffix, olcRootDN and olcRootPW to this:
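The two configuration steps above (the password hash and the cn=config changes) can also be expressed as LDIF and applied with `ldapmodify -Y EXTERNAL -H ldapi:///` instead of editing the files under /etc/openldap/slapd.d by hand. The following is an added example, not the post's own commands; the suffix `dc=example,dc=com`, the root DN `cn=Manager,dc=example,dc=com` and the sample password are assumed placeholder values. It also shows why `{SSHA}` (slappasswd's default, salted) is preferable to the unsalted `{SHA}` format.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed placeholder values; the post does not show its own suffix or root DN.
SUFFIX = "dc=example,dc=com"
ROOT_DN = "cn=Manager,dc=example,dc=com"
DB_DN = "olcDatabase={2}bdb,cn=config"   # the entry behind the file the post edits


def make_sha(password: str) -> str:
    """Unsalted {SHA} hash, the format `slappasswd -h {SHA}` prints.
    Identical passwords give identical hashes, so this is easy to precompute."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Salted {SSHA} (slappasswd's default): base64(sha1(pw + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(stored: str, password: str) -> bool:
    """Check a candidate password against a stored {SSHA} value; the salt is
    whatever follows the 20-byte SHA-1 digest."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def config_ldif(idle_timeout: int = 30, drop_bind_v2: bool = True) -> str:
    """LDIF for the cn=config changes in the post: close idle connections after
    `idle_timeout` seconds and remove the bind_v2 value from olcAllows.
    `delete:` with a value fails with noSuchAttribute if that value is absent,
    so only emit it when LDAPv2 was actually enabled."""
    lines = ["dn: cn=config", "changetype: modify",
             "replace: olcIdleTimeout", f"olcIdleTimeout: {idle_timeout}", "-"]
    if drop_bind_v2:
        lines += ["delete: olcAllows", "olcAllows: bind_v2", "-"]
    return "\n".join(lines) + "\n"


def database_ldif(root_pw_hash: str, suffix: str = SUFFIX,
                  root_dn: str = ROOT_DN, db_dn: str = DB_DN) -> str:
    """LDIF replacing olcSuffix, olcRootDN and olcRootPW on the {2}bdb database."""
    if not root_pw_hash.startswith("{"):
        raise ValueError("store a hashed value, not the clear-text password")
    lines = [f"dn: {db_dn}", "changetype: modify",
             "replace: olcSuffix", f"olcSuffix: {suffix}", "-",
             "replace: olcRootDN", f"olcRootDN: {root_dn}", "-",
             "replace: olcRootPW", f"olcRootPW: {root_pw_hash}", "-"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    pw_hash = make_ssha("change-me-example")   # constructed sample password
    with open("config.ldif", "w") as fh:
        fh.write(config_ldif() + "\n" + database_ldif(pw_hash))
    # Apply on the server as root over the local socket, provided the
    # cn=config ACL permits it (otherwise stop slapd and edit the files):
    #   ldapmodify -Y EXTERNAL -H ldapi:/// -f config.ldif
    print(pw_hash)
```

The generated `config.ldif` is what `ldapmodify` consumes; keep the clear-text password out of shell history and only store the hashed form in olcRootPW.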

Start service

Add rootdn and groups

Import the ldif:

Create a user

Add the following content to user.ldif

Provide a password:

Add or delete a member of the group (myteam)

Add:

Delete:
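As an added example (not the post's own user.ldif or group LDIF, which are not reproduced here), the following builds the user entry and the add/delete membership changes for `myteam` as LDIF text. The base DN `dc=example,dc=com`, the `ou=People`/`ou=Groups` containers, the posixAccount/inetOrgPerson and groupOfNames object classes and the numeric ids are assumptions. It goes slightly beyond the post by base64-encoding values that are not LDIF-safe (non-ASCII names, values with a leading space or colon), which is the usual cause of "invalid format" errors from ldapadd.

```python
import base64

BASE_DN = "dc=example,dc=com"   # assumed; the post does not show its suffix
UNSAFE_INIT = set(" :<")         # RFC 2849: a value may not start with these


def ldif_attr(attr: str, value: str) -> str:
    """Render one attribute line, switching to 'attr:: <base64>' whenever the
    value is not LDIF-safe: non-ASCII, embedded CR/LF/NUL, a leading space,
    colon or '<', or a trailing space."""
    unsafe = (not value.isascii()
              or any(c in value for c in "\r\n\x00")
              or (value != "" and (value[0] in UNSAFE_INIT or value[-1] == " ")))
    if unsafe:
        b64 = base64.b64encode(value.encode("utf-8")).decode("ascii")
        return f"{attr}:: {b64}"
    return f"{attr}: {value}"


def user_entry(uid: str, cn: str, sn: str, uid_number: int, gid_number: int,
               password_hash: str, base_dn: str = BASE_DN) -> str:
    """Contents of user.ldif for one account (object classes assumed)."""
    if not password_hash.startswith("{"):
        raise ValueError("userPassword must be a hashed value such as {SSHA}...")
    fields = [
        ("dn", f"uid={uid},ou=People,{base_dn}"),
        ("objectClass", "inetOrgPerson"),
        ("objectClass", "posixAccount"),
        ("objectClass", "shadowAccount"),
        ("uid", uid), ("cn", cn), ("sn", sn),
        ("uidNumber", str(uid_number)), ("gidNumber", str(gid_number)),
        ("homeDirectory", f"/home/{uid}"), ("loginShell", "/bin/bash"),
        ("userPassword", password_hash),
    ]
    return "\n".join(ldif_attr(a, v) for a, v in fields) + "\n"


def group_member_change(op: str, member_dn: str, group_cn: str = "myteam",
                        base_dn: str = BASE_DN) -> str:
    """changetype: modify LDIF adding or deleting one `member` value of a
    groupOfNames group. `delete:` must name the value; a bare `delete: member`
    would remove every member at once."""
    if op not in ("add", "delete"):
        raise ValueError("op must be 'add' or 'delete'")
    lines = [f"dn: cn={group_cn},ou=Groups,{base_dn}", "changetype: modify",
             f"{op}: member", ldif_attr("member", member_dn), "-"]
    return "\n".join(lines) + "\n"


def parse_ldif_record(text: str):
    """Minimal reader for one unfolded record: decodes '::' values so generated
    output can be checked. Returns a list of (attribute, value) pairs."""
    pairs = []
    for line in text.splitlines():
        if not line or line.startswith("#") or line == "-":
            continue
        if ":: " in line:
            attr, b64 = line.split(":: ", 1)
            pairs.append((attr, base64.b64decode(b64).decode("utf-8")))
        else:
            attr, val = line.split(": ", 1)
            pairs.append((attr, val))
    return pairs


if __name__ == "__main__":
    # Constructed sample data; the {SSHA} value would come from slappasswd.
    user = user_entry("jdoe", "Jürgen Doe", "Doe", 10001, 10001,
                      "{SSHA}placeholder-hash-from-slappasswd")
    with open("user.ldif", "w") as fh:
        fh.write(user)
    with open("add_member.ldif", "w") as fh:
        fh.write(group_member_change("add", "uid=jdoe,ou=People," + BASE_DN))
    # Then, binding as the root DN from the previous step:
    #   ldapadd    -x -D "cn=Manager,dc=example,dc=com" -W -f user.ldif
    #   ldapmodify -x -D "cn=Manager,dc=example,dc=com" -W -f add_member.ldif
    print(user)
```

If the group is a posixGroup rather than groupOfNames, replace the `member` attribute with `memberUid` and pass the plain uid instead of the full DN; the modify syntax is otherwise the same.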

Use TLS

Here’s the original article.

(NOT NECESSARY) Generate a CA

Follow this script.

Note that the private key password in that script is “mypassword”.
You will then get three files: cacert.p12, cacert.pem and servercert.p12.
And that’s all.

2. Add SASL to OpenLDAP

Okay, we’ll add SASL to our LDAP connections.

Install cyrus-sasl package.
