First of all, let me say that things seem to have changed in a few packages since I originally wrote this guide.
After several users complained about TLS/LDAPS support not working using the original method for CentOS 6.2, I started looking into it. I found that slapd would go into an endless loop opening and closing the cert file that we generated.
With the help of serveroomhell we managed to track down a workable solution.
To be honest, I am a little ashamed of myself for not fixing this guide sooner, as the method for TLS is very similar to the 389 Directory Server guide I wrote earlier.
At any rate I will be reconstructing the guide in its fixed state here.
I have found the steps to be reduced from the original guide, but I have run through these numerous times to ensure that they do in fact work. I even went so far as to block everything but ports 22 and 636 on the firewall.
On the Server
Step 1: First, install the required packages (the server, plus the client tools used for testing below):
Code:
yum install openldap-servers openldap-clients
Step 2: Create the certs.
In this step you can just run the following script, altering the server hostname and the database password for your own domain. The cn of the server certificate must be the hostname clients will put in their ldaps:// URL, or TLS verification on the client will fail. This is the crucial step for TLS, and it has changed since the original CentOS/RHEL 6 version of this guide.
Code:
#!/bin/bash
# Change to the cert directory and clear out the old certs.
# Abort if the cd fails so the rm -rf can never run somewhere else.
cd /etc/openldap/certs || exit 1
rm -rf /etc/openldap/certs/*
# This echo statement puts the word "password" (without the quotes) in a temporary password file to help
# automate the process. This will be the password for the NSS certificate database. Change this as appropriate.
echo "password" > /etc/openldap/certs/password
export PATH=/usr/bin/:$PATH
# Seed file for key generation
echo falkdjfdajkhfaksj >> noise.txt
# Create the NSS database and associate the password with the certificates generated in the current directory
certutil -N -d . -f /etc/openldap/certs/password
certutil -G -d . -z noise.txt -f /etc/openldap/certs/password
# Generate a self-signed CA certificate, valid for 120 months
certutil -S -n "CA certificate" -s "cn=CAcert" -x -t "CT,," -m 1000 -v 120 -d . -z /etc/openldap/certs/noise.txt -f /etc/openldap/certs/password
# Answers, if prompted, are Y, <Enter accepting defaults>, Y
# This builds the server cert, signed by the CA above. The cn must be the hostname clients connect to.
certutil -S -n "OpenLDAP Server" -s "cn=ldap.stratus.local" -c "CA certificate" -t "u,u,u" -m 1001 -v 120 -d . -z /etc/openldap/certs/noise.txt -f /etc/openldap/certs/password
# This exports the CA cert together with its private key in case you need it. Keep this file private.
pk12util -d . -o cacert.p12 -n "CA certificate"
# This exports the server cert, which you will need on the Windows AD
pk12util -d . -o servercert.p12 -n "OpenLDAP Server"
# This exports the CA cert (public part only) for LDAP clients
certutil -L -d . -n "CA certificate" -a > /etc/openldap/certs/cacert.pem
# Permissions: slapd runs as the ldap user and must read the NSS database and its password file,
# but nobody else should be able to read the private keys. Only the client CA cert is world-readable.
chown root:ldap /etc/openldap/certs/*
chmod 640 /etc/openldap/certs/*
chmod 644 /etc/openldap/certs/cacert.pem
# Set the system to use LDAPS
sed -i 's/SLAPD_LDAPS=no/SLAPD_LDAPS=yes/g' /etc/sysconfig/ldap
# Add a firewall exception in case the user has not configured their firewall properly
iptables -I INPUT -m state --state NEW -p tcp --dport 636 -j ACCEPT
/etc/init.d/iptables save
# Restart slapd to make the changes take effect
/etc/init.d/slapd restart
Step 3: Now it's time for the database cache.
Here we update the locate database in case DB_CONFIG.example has moved (if the cp below fails, run locate DB_CONFIG.example to find it). If it has not moved, the cp command below gives us a base database configuration to work with. Restart slapd afterwards so it picks up the new settings.
Code:
updatedb
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
We want to make sure the database has the proper permissions:
Code:
chown -Rf ldap:ldap /var/lib/ldap/
Step 4: Test the configuration
Issue the following command:
Code:
slaptest -u
It should return the following message if there are no syntax errors:
config file testing succeeded
To verify that LDAPS works, simply try an ldapsearch over ldaps://.
NOTE: You may have to do the client-side setup in order for this to work properly. The client must trust the CA you just generated: TLS_CACERT in /etc/openldap/ldap.conf must point at the exported /etc/openldap/certs/cacert.pem, and the hostname must match the cn in the server cert, otherwise ldapsearch reports "Can't contact LDAP server" even though slapd is listening on 636.
Code:
ldapsearch -x -H "ldaps://ldap.stratus.local"
You should receive some output containing at least the following:
# search result
search: 2
Step 5: Edit the database file to reflect your domain
Stop slapd first (/etc/init.d/slapd stop) so that your hand edits are not overwritten, then open the bdb database definition:
Code:
vim /etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif
Use a vim substitution (same syntax as sed) to globally change the default suffix and root DN in the file:
Code:
:%s/dc=my-domain,dc=com/dc=stratus,dc=local/g
and add your root password. This is the password for cn=Manager, which ldapadd will prompt for in Step 6:
Code:
olcRootPW: password
Alternatively, and preferably, create a hashed password:
Code:
slappasswd
This prints a {SSHA} (salted SHA-1) value that you put in place of the plain-text password, so the config file no longer holds the password in the clear. slapd will warn about a CRC32 checksum mismatch on this file at startup because it was edited by hand; the warning is harmless. Start slapd again (/etc/init.d/slapd start) when you are done.
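To see what slappasswd actually produces, and to confirm that the olcRootPW you pasted matches the password you intend to type at the ldapadd prompt, here is a small shell implementation of the {SSHA} scheme. It is an added example, not code from the original guide or from OpenLDAP; it assumes GNU or busybox sha1sum, base64, od and head are installed, and the password "password" and the salt used in the demo are constructed test values. ssha_verify also checks a hash copied out of slapd.d or out of a userPassword attribute, since the salt travels inside the base64 blob.

```shell
#!/bin/sh
# Added example (not from the guide): build and check {SSHA} values of the
# form slappasswd produces, "{SSHA}" + base64( SHA1(password || salt) || salt )
# with a 4-byte salt, so an olcRootPW or userPassword hash can be checked
# without a running directory. Needs sha1sum, base64, od, head and awk.

# Print the raw bytes for a string of lowercase hex digits: awk turns each hex
# pair into a \ooo octal escape, which printf(1) understands on any POSIX shell.
hex_to_bin() {
    printf "$(printf '%s' "$1" | awk '{
        for (i = 1; i <= length($0); i += 2) {
            hi = index("0123456789abcdef", substr($0, i, 1)) - 1
            lo = index("0123456789abcdef", substr($0, i + 1, 1)) - 1
            printf "\\%03o", hi * 16 + lo
        }
    }')"
}

# ssha_hash PASSWORD [SALT_HEX]: random 4-byte salt unless one is supplied.
ssha_hash() {
    pw="$1"; salt_hex="$2"
    [ -n "$salt_hex" ] || salt_hex=$(head -c 4 /dev/urandom | od -An -tx1 | tr -d ' \n')
    # SHA-1 over password || salt, as raw bytes
    digest_hex=$({ printf '%s' "$pw"; hex_to_bin "$salt_hex"; } | sha1sum | cut -d' ' -f1)
    # base64 over digest || salt, prefixed with the scheme tag
    printf '{SSHA}%s\n' "$({ hex_to_bin "$digest_hex"; hex_to_bin "$salt_hex"; } | base64 | tr -d '\n')"
}

# ssha_verify PASSWORD HASH: exit 0 if HASH is {SSHA} of PASSWORD. The salt is
# whatever follows the 20-byte (40 hex digit) SHA-1 digest in the decoded blob.
ssha_verify() {
    case "$2" in "{SSHA}"*) ;; *) return 1 ;; esac
    blob_hex=$(printf '%s' "$2" | cut -c7- | base64 -d 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "${#blob_hex}" -gt 40 ] || return 1
    [ "$(ssha_hash "$1" "$(printf '%s' "$blob_hex" | cut -c41-)")" = "$2" ]
}

# Demo with a constructed password; paste the printed line into olcDatabase={2}bdb.ldif.
h=$(ssha_hash "password")
echo "olcRootPW: $h"
ssha_verify "password" "$h" && echo "password verifies"
ssha_verify "wrong" "$h" || echo "wrong password rejected"
```

Because the salt is random, two runs give different hashes for the same password; both verify. The same function checks a userPassword value from Step 6 if you store it hashed there as well.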
Step 6: Create a base.ldif
I usually put these in /etc/openldap/schema with the other LDIF files. Mine looks like this.
This is the base.ldif (note the blank line between entries):
Code:
nano /etc/openldap/schema/base.ldif
dn: dc=stratus,dc=local
dc: stratus
objectClass: top
objectClass: domain

dn: ou=People,dc=stratus,dc=local
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=stratus,dc=local
ou: Group
objectClass: top
objectClass: organizationalUnit
And then add a group:
Code:
nano /etc/openldap/schema/group.ldif
dn: cn=thiddy,ou=Group,dc=stratus,dc=local
objectClass: posixGroup
objectClass: top
cn: thiddy
userPassword: password
gidNumber: 1000
Finally, we need to create a user:
Code:
nano /etc/openldap/schema/people.ldif
dn: uid=thiddy,ou=People,dc=stratus,dc=local
uid: thiddy
cn: thiddy thiddy
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: password
shadowLastChange: 15140
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/thiddy
After the files are created, add them to the LDAP database. Use the full path to the files we saved under /etc/openldap/schema; you will be prompted for the cn=Manager password you set in Step 5:
Code:
ldapadd -x -W -D "cn=Manager,dc=stratus,dc=local" -f /etc/openldap/schema/base.ldif
ldapadd -x -W -D "cn=Manager,dc=stratus,dc=local" -f /etc/openldap/schema/group.ldif
ldapadd -x -W -D "cn=Manager,dc=stratus,dc=local" -f /etc/openldap/schema/people.ldif
Verify that the entries are now present by re-running ldapsearch, this time with the base DN:
Code:
ldapsearch -x -b "dc=stratus,dc=local"
IMPORTANT NOTE: there must be a blank line between each entry in your LDIF file! If you get errors, it is likely that something went wrong cutting and pasting directly from this guide. Try typing it in manually.
IMPORTANT NOTE 2: make sure that the double quotes around the DN arguments are correct, or you will get an Invalid DN error.
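The two notes above are the usual reasons an ldapadd of hand-typed LDIF fails. The following pre-flight check, added here and not part of the original guide, catches them before you talk to the directory: it flags an entry that does not start with dn:, a second dn: line with no blank line before it, a DN that still ends in the stock dc=my-domain,dc=com instead of your suffix, and a userPassword stored in the clear rather than as a {SSHA} value from slappasswd. The suffix dc=stratus,dc=local and the two sample files it builds are assumptions taken from this guide, not real data.

```shell
#!/bin/sh
# Pre-flight check for hand-written LDIF before ldapadd. Added example, not
# part of the original guide; the base DN and the sample entries below are
# assumptions, substitute your own suffix.
#
# ldif_check FILE SUFFIX  -> exit 0 if every entry in FILE:
#   - begins with a "dn:" line and is separated from the next entry by a
#     blank line (without it, ldapadd folds two entries into one and fails)
#   - has a dn that ends with SUFFIX (catches a leftover dc=my-domain,dc=com)
#   - stores userPassword hashed (a value not starting with "{" is cleartext;
#     generate one with slappasswd instead). Base64 "userPassword::" values
#     are not inspected.
# Each problem is printed with its entry number; exit 1 if any were found.
ldif_check() {
    awk -v suffix="$2" '
    function suffix_ok(dn) {
        return length(dn) >= length(suffix) &&
               substr(dn, length(dn) - length(suffix) + 1) == suffix
    }
    /^[ \t]*$/ { in_entry = 0; next }      # blank line ends the entry
    /^#/       { next }                    # LDIF comment
    {
        if (!in_entry) {
            in_entry = 1; entry++
            if ($0 !~ /^dn: /) {
                printf("entry %d: must start with dn:, got \"%s\"\n", entry, $0); errors++
            } else if (!suffix_ok(substr($0, 5))) {
                printf("entry %d: dn \"%s\" does not end with %s\n", entry, substr($0, 5), suffix); errors++
            }
            next
        }
        if ($0 ~ /^dn: /) {
            printf("entry %d: new dn: without a blank line before it (\"%s\")\n", entry, $0); errors++
        }
        if ($0 ~ /^userPassword: / && $0 !~ /^userPassword: [{]/) {
            printf("entry %d: cleartext userPassword, use slappasswd\n", entry); errors++
        }
    }
    END { if (errors > 0) exit 1; exit 0 }
    ' "$1"
}

# Constructed sample files (not from the guide) showing a pass and a fail.
tmp=$(mktemp -d)
cat > "$tmp/good.ldif" <<'EOF'
dn: dc=stratus,dc=local
dc: stratus
objectClass: top
objectClass: domain

dn: ou=People,dc=stratus,dc=local
ou: People
objectClass: top
objectClass: organizationalUnit
EOF

cat > "$tmp/bad.ldif" <<'EOF'
dn: dc=stratus,dc=local
dc: stratus
objectClass: domain
dn: ou=People,dc=my-domain,dc=com
ou: People
objectClass: organizationalUnit
userPassword: password
EOF

ldif_check "$tmp/good.ldif" "dc=stratus,dc=local" && echo "good.ldif: ok"
ldif_check "$tmp/bad.ldif"  "dc=stratus,dc=local" || echo "bad.ldif: rejected"
rm -rf "$tmp"
```

Run it as ldif_check /etc/openldap/schema/people.ldif "dc=stratus,dc=local" before each ldapadd; it only reads the file, so it is safe against a live directory and needs no bind.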