This is a tutorial for RHEL 6.
Try to follow the instructions very precisely, because LDAP syntax is sometimes cumbersome (case sensitivity, spaces, etc.) and prone to errors (dn/dc/cn confusion).
Let’s assume that we use the example.com domain and the instructor.example.com hostname.
Install the following packages:
# yum install -y openldap openldap-servers migrationtools
Generate an LDAP password hash from a secret key (here redhat) and store it for later use:
# slappasswd -s redhat -n > /etc/openldap/passwd
Generate a X509 certificate valid for 365 days:
# openssl req -new -x509 -nodes -out /etc/openldap/certs/cert.pem -keyout /etc/openldap/certs/priv.pem -days 365
Generating a 2048 bit RSA private key
.....+++
..............+++
writing new private key to '/etc/openldap/certs/priv.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:instructor.example.com
Email Address []:
Secure the content of the /etc/openldap/certs directory:
# cd /etc/openldap/certs
# chown ldap:ldap *
# chmod 600 priv.pem
Prepare the LDAP database:
# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
Start the configuration of the LDAP server:
# cd /etc/openldap/slapd.d/cn=config
Edit the olcDatabase={2}bdb.ldif file and replace/type the following values (for olcRootPW, paste the hash previously generated in /etc/openldap/passwd in place of passwd):
olcSuffix: dc=example,dc=com
olcRootDN: cn=Manager,dc=example,dc=com
olcRootPW: passwd
olcTLSCertificateFile: /etc/openldap/certs/cert.pem
olcTLSCertificateKeyFile: /etc/openldap/certs/priv.pem
Edit the olcDatabase={1}monitor.ldif file and replace/type the following value:
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=example,dc=com" read by * none
Edit the /etc/sysconfig/ldap file and change the following option from 'no' to 'yes':
SLAPD_LDAPS=yes
Check the LDAP configuration (there should be no error message):
# slaptest -u
Generate database files (don’t worry about error messages!):
# slaptest
Change LDAP database ownership:
# chown ldap:ldap /var/lib/ldap/*
Activate the slapd service at boot:
# chkconfig slapd on
Start the slapd service:
# service slapd start
Check the LDAP activity:
# netstat -lt | grep ldap
Create the /etc/openldap/base.ldif file with the following content:
dn: dc=example,dc=com
dc: example
objectClass: top
objectClass: domain

dn: ou=People,dc=example,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=example,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit
Build the structure of the directory service (run the command from the /etc/openldap directory, where base.ldif was created):
# ldapadd -x -w redhat -D cn=Manager,dc=example,dc=com -f base.ldif
Create two users for testing:
# mkdir /home/guests
# useradd -d /home/guests/ldapuser01 ldapuser01
# passwd ldapuser01
# useradd -d /home/guests/ldapuser02 ldapuser02
# passwd ldapuser02
Go to the directory for the migration of the user accounts:
# cd /usr/share/migrationtools
Edit the migrate_common.ph file and replace the values in the following lines:
$DEFAULT_MAIL_DOMAIN = "example.com";
$DEFAULT_BASE = "dc=example,dc=com";
Create the current users in the directory service:
# grep ":5[0-9][0-9]" /etc/passwd > passwd
# ./migrate_passwd.pl passwd users.ldif
# ldapadd -x -w redhat -D cn=Manager,dc=example,dc=com -f users.ldif
# grep ":5[0-9][0-9]" /etc/group > group
# ./migrate_group.pl group groups.ldif
# ldapadd -x -w redhat -D cn=Manager,dc=example,dc=com -f groups.ldif
Test the configuration with the user called ldapuser01:
# ldapsearch -x cn=ldapuser01 -b dc=example,dc=com
Add two new rules to the firewall:
# iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT
# iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 636 -j ACCEPT
Save the firewall configuration:
# service iptables save
Edit the /etc/rsyslog.conf file and add the following line:
local4.* /var/log/ldap.log
Edit the /etc/openldap/slapd.d/cn=config.ldif file and add the following line among the existing olc attributes of the entry:
olcLogLevel: -1
Restart the rsyslog service:
# service rsyslog restart
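The steps above are easy to get subtly wrong (clear-text secret in olcRootPW, a root DN that does not sit under the suffix, a key left world-readable, a dn/dc mismatch or trailing space in base.ldif). The following script is an added example, not part of the original tutorial: it checks those points on whatever files it is given, so it can be pointed at /etc/openldap or at test copies.

```shell
#!/bin/sh
# Added example, not from the original tutorial: sanity checks for the slapd
# setup above. Each function takes a file path (real or test copy); 0 = pass.

# olcRootPW must hold the slappasswd hash, never the clear-text secret.
rootpw_is_hashed() {
    pw=$(sed -n 's/^olcRootPW: *//p' "$1" | head -n 1)
    case "$pw" in
        '{SSHA}'*|'{SHA}'*|'{CRYPT}'*|'{MD5}'*|'{SMD5}'*) return 0 ;;
        *) return 1 ;;
    esac
}

# olcRootDN must sit under olcSuffix; a typo in either breaks ldapadd -D.
suffix_matches_rootdn() {
    suffix=$(sed -n 's/^olcSuffix: *//p' "$1" | head -n 1)
    rootdn=$(sed -n 's/^olcRootDN: *//p' "$1" | head -n 1)
    [ -n "$suffix" ] && [ "${rootdn#cn=*,}" = "$suffix" ]
}

# priv.pem must be mode 600 (ls -l column 11 may be '+' or '@', so ignore it).
key_is_private() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# Lint base.ldif-style files: entries separated by blank lines, each opened
# by "dn:", attribute lines "name: value", no trailing whitespace, and the
# naming attribute present ("dn: dc=example,..." needs "dc: example").
ldif_lint() {
    awk '
    function close_entry() {
        if (in_entry && !found) { print FILENAME ":" start ": missing " want; bad = 1 }
        in_entry = 0
    }
    /[ \t]$/  { print FILENAME ":" NR ": trailing whitespace"; bad = 1 }
    /^$/      { close_entry(); next }
    /^ /      { next }    # LDIF continuation line
    !in_entry {
        in_entry = 1; start = NR; found = 1; want = ""
        if ($0 ~ /^dn: [A-Za-z]+=[^,]+/) {
            want = substr($0, 5); sub(/,.*/, "", want); sub(/=/, ": ", want); found = 0
        } else { print FILENAME ":" NR ": entry must start with dn:"; bad = 1 }
        next
    }
    $0 !~ /^[A-Za-z][A-Za-z0-9-]*::? / { print FILENAME ":" NR ": malformed line"; bad = 1 }
    $0 == want { found = 1 }
    END { close_entry(); exit bad + 0 }
    ' "$1"
}
```

Source the file and call the checks directly, for example `ldif_lint /etc/openldap/base.ldif` or `rootpw_is_hashed '/etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif'`; a non-zero exit plus the printed file:line tells you what to fix before running slaptest.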
In addition, Ramdev’s blog provides interesting information (configuration, troubleshooting, etc) on this topic.
Isn't there a mistake in the step:
Generate database files (don’t worry about error messages!):
# slaptest
Shouldn't it be like this?:
# slapadd [ switches arguments ]
No, there is no mistake. These instructions have been thoroughly tested several times.
At the point where I need to build the structure of the directory service, I get the message: base.ldif: no such file or directory. Any advice?
Did you create the base.ldif file?
Were you in the /etc/openldap directory when you typed the ldapadd command?
Getting error:
54c055c1 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif"
54c055c1 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif"
Not sure what's causing it or how to correct it.
I think you get these errors because you directly wrote into the files instead of using the OpenLDAP commands to update them.
It’s not a serious problem, it’s only annoying.
I explain how to do that in the RHEL 7 LDAP page (http://www.certdepot.net/rhel7-configure-ldap-directory-service-user-connection/).
Thanks for the guide, managed to get my ldap up, however no luck creating a new user besides the 2 originally created test users, any guide on that?
Managed to add user after trying, thanks!
Might be best to add "RHEL6" to the title of this, accidentally got mixed up >.<
Done.