Configuring OpenLDAP server on CentOS 6
LDAP (Lightweight Directory Access Protocol) is commonly used for managing users and groups for authentication purposes, or for system configuration information. It can also serve as a virtual phone directory and address book, allowing users to access information about other users in the directory.
CentOS 6.2 ships with OpenLDAP 2.4.23, which contains the cn=config Directory Information Tree (DIT) used to dynamically configure the slapd daemon. This allows modification of schema definitions, indexes, ACLs, etc. without stopping the service.
The goal in this post is to configure OpenLDAP so that it can be used for user authentication. For simplicity, the Samba file sharing configuration and user migration will be handled in separate posts.
Getting Started
I happen to be starting with a fresh install of CentOS 6.2 and have already run yum update to get all existing packages to the latest releases. From this point, we can install what we need by running:
]# yum install openldap openldap-servers openldap-clients
LDAP needs a parameter file to start a new database. This file must be copied to the LDAP database directory.
]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
Verify that the /var/lib/ldap directory is owned by the ldap user, or just run:
]# chown -R ldap:ldap /var/lib/ldap
We can pretty much assume here that the LDAP server is not running yet while we finish the configuration.
Editing the Configuration
OK, so the configuration options are in the /etc/openldap/slapd.d/ directory. The first thing we're going to do is create a rootdn password hash to use. Use slappasswd to do that:
]# slappasswd
New password:
Re-enter new password:
{SSHA}WczWsyPEnMchFf1GRTweq2q7XJcvmSxD
In PuTTY, the resulting password hash can be copied to the clipboard by highlighting it and pressing Alt-c. Then edit the file:
]# cd /etc/openldap/slapd.d/cn=config
]# vi olcDatabase={2}bdb.ldif
Edit the line: olcSuffix: dc=my-domain,dc=com
to olcSuffix: dc=example,dc=com or whatever.
Edit the line: olcRootDN: cn=Manager,dc=my-domain,dc=com
This will be the root, or admin, user for the LDAP database. I left the cn=Manager but changed the dc values to match what was used in the olcSuffix entry above.
Add a new line below olcRootDN:
olcRootPW: <the password created with slappasswd>
Save this file and edit olcDatabase={1}monitor.ldif.
]# vi olcDatabase={1}monitor.ldif
Edit the line: olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=my-domain,dc=com" read by * none
Change the common name (cn) and domain components (dc) values to match what was used earlier.
Let's test the configuration:
]# slaptest -u
config file testing succeeded
The LDAP database is now set up and can be started. You'll also want slapd to start automatically when the machine reboots.
]# service slapd start
]# chkconfig slapd on
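As an added example (not from the original post), here is a small Python script that reproduces what slappasswd does with the default {SSHA} scheme and checks an edited olcDatabase={2}bdb.ldif for the mistakes that are easy to make at this step: a suffix that does not match the domain, a rootdn outside the suffix, and an olcRootPW left in cleartext. The sample LDIF body and the password "secret" are constructed here, not taken from the post.

```python
import base64
import hashlib
import hmac
import os
import re

def ssha_hash(password, salt=None):
    """{SSHA} as slappasswd emits by default: base64(sha1(pw + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)  # slappasswd uses a 4-byte random salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(password, stored):
    """Check a password against an {SSHA} value; the salt is everything
    after the 20-byte SHA-1 digest, so it is recovered from the hash itself."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    expected = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)

def domain_to_dn(domain):
    """'example.com' -> 'dc=example,dc=com', the form olcSuffix expects."""
    return ",".join("dc=" + part for part in domain.split("."))

def check_database_ldif(text, domain):
    """List the problems in an olcDatabase={N}bdb.ldif body: wrong suffix,
    rootdn outside the suffix, or a missing or cleartext olcRootPW."""
    attrs = dict(re.findall(r"^(olc\w+):\s*(.*)$", text, re.MULTILINE))
    suffix = domain_to_dn(domain)
    problems = []
    if attrs.get("olcSuffix") != suffix:
        problems.append("olcSuffix should be %s" % suffix)
    if not attrs.get("olcRootDN", "").endswith("," + suffix):
        problems.append("olcRootDN is not under olcSuffix")
    rootpw = attrs.get("olcRootPW")
    if rootpw is None:
        problems.append("olcRootPW is missing")
    elif not re.match(r"^\{(SSHA|SHA|SMD5|MD5|CRYPT)\}", rootpw):
        problems.append("olcRootPW is cleartext; use the slappasswd output")
    return problems

# Constructed sample of the edited file, with a hypothetical password "secret".
SAMPLE_LDIF = """dn: olcDatabase={2}bdb
olcSuffix: dc=example,dc=com
olcRootDN: cn=Manager,dc=example,dc=com
olcRootPW: %s
""" % ssha_hash("secret")
```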
Creating Base Entries
To be able to use your new LDAP directory, you will need to import some base entries. To do this, create a file, call it base.ldif with the following contents:
dn: dc=example,dc=com
dc: example
objectClass: top
objectClass: domain

dn: ou=people,dc=example,dc=com
ou: people
objectClass: top
objectClass: organizationalUnit

dn: ou=groups,dc=example,dc=com
ou: groups
objectClass: top
objectClass: organizationalUnit
Remember that you'll have to edit the domain components to suit your needs, and that each entry in the file must be separated from the next by a blank line. Once saved, run this command to import the ldif file.
]# ldapadd -x -W -D cn=Manager,dc=example,dc=com -f base.ldif
It will ask for the password that was created using slappasswd above and it should list the entries as they are added. Running an LDAP search like this should list everything in the LDAP database:
]# ldapsearch -x -b dc=example,dc=com
At this point, this should be a working LDAP database. Time for a break to think about the next steps needed to make it usable.
Next Steps
Even though this LDAP server works, there are three things that still need to be done. First, the System Security Services Daemon (sssd) requires TLS; second, we need to configure the server to use it to authenticate users. The third and final item will be to create users and groups in LDAP.
Generating a Certificate for the LDAP server
The quickest and easiest way to add a certificate to use with LDAP is to use openssl. Check to see if it is installed with:
]# yum list openssl*
and if it’s not installed, just run:
]# yum install openssl
Generate a key and certificate with the following command:
]# openssl req -new -x509 -nodes -out /etc/openldap/cacerts/slapdcert.pem -keyout /etc/openldap/cacerts/slapdkey.pem -days 1825
This will generate a self-signed certificate and key pair in the /etc/openldap/cacerts directory. The hostname you use in the certificate will have to match the one used in the authconfig-tui configuration in the next step. Also note that -days is 1825, which is 5 years, but I guess a person could make this anything they wanted. Since slapd runs as the ldap user, make sure the key file is readable by that user and by nobody else (owned by ldap, mode 600).
The certificate and key also need entries in the LDAP server configuration.
]# vi /etc/openldap/slapd.d/cn=config.ldif
Add these two lines to the cn=config.ldif file.
olcTLSCertificateFile: /etc/openldap/cacerts/slapdcert.pem
olcTLSCertificateKeyFile: /etc/openldap/cacerts/slapdkey.pem
Re-start LDAP. Once it is back up, an ldapsearch run with the -ZZ option (which refuses to continue unless STARTTLS succeeds) is a quick way to confirm that the server is actually serving TLS.
]# service slapd restart
Configuring CentOS 6 to use LDAP Authentication
If nss-pam-ldapd isn’t already installed, run:
]# yum install nss-pam-ldapd
Next, run:
]# authconfig-tui
These are the settings that I chose on the two screens in this utility.
Adding Users and Groups
I have used the Webmin LDAP Users and Groups module for a pretty long time and it works pretty well. I wasn’t sure how it would do with this LDAP configuration, but all I had to do was follow the steps on this page, and it worked, first try.
If the Webmin LDAP Users and Groups module complains about perl-LDAP, install it using yum:
]# yum install perl-LDAP.noarch
An important note though: click Yes for "Show fields for given name and surname" in the Webmin LDAP Users and Groups configuration page. This will save your users with the inetOrgPerson structural object class along with person, which allows a lot more attributes. Useful if you later plan to have a company address book. Please see this page for a reference.
The inetOrgPerson objectClass cannot be added later, you’ll get a message like “structural object class modification from ‘person’ to ‘inetOrgPerson’ not allowed” and will have to delete your users and re-enter them to add this objectClass.
Once I configured the Webmin module, I was able to add a test group and user and log in using ssh.
If this information helped you (or not) please leave a comment. I’d be glad to hear your experience.