{{tag>[security openldap centos6.5]}}
=====CentOS 6 - OpenLDAP 2.4 server with TLS=====
This guide will install OpenLDAP with TLS. Tested on CentOS 6.5 minimal install.
**Note:** [[openldap_centos7_tls|Please see my updated CentOS7 guide]]
==== Configure iptables ====
* Edit /etc/sysconfig/iptables. The commands below insert the rules at positions 6 and 7 of the INPUT chain and then save the ruleset to /etc/sysconfig/iptables so it persists across reboots.
iptables -I INPUT 6 -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT -m comment --comment LDAP
iptables -I INPUT 7 -m state --state NEW -m tcp -p tcp --dport 636 -j ACCEPT -m comment --comment LDAPS
service iptables save
==== Install OpenLDAP 2.4 ====
=== Install packages ===
yum install openldap-clients pam_ldap nss-pam-ldapd pam_krb5 sssd migrationtools openldap-servers openldap openldap-devel
=== Configure SSL certificates ===
Place your CA root certificate, server certificate and private key at the paths below.
/etc/openldap/certs/cacert.pem #CA root certificate
/etc/openldap/certs/server.key #private key
/etc/openldap/certs/server.crt #server certificate
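Before LDAPS is switched on it is worth confirming that the three files above are in place and that the private key is not readable by every local user. The function below is an added example, not part of the original guide: the paths are the guide's, while the function name and the placeholder files it creates for the demonstration are this example's own. On CentOS 6 slapd runs as the ldap user, so the key must stay readable by that user (for example owner root, group ldap, mode 0640), which the check allows; it rejects keys readable or writable by "other" and keys writable by their group.

```shell
#!/bin/sh
# Added example, not part of the original guide: check the TLS files the
# guide places under /etc/openldap/certs before SLAPD_LDAPS is enabled.
# check_tls_files is this example's own name.

check_tls_files() {
  dir="${1:-/etc/openldap/certs}"
  rc=0

  # The CA and server certificates are public; they only need to exist and be readable.
  for f in cacert.pem server.crt; do
    if [ ! -r "$dir/$f" ]; then
      echo "missing or unreadable: $dir/$f"
      rc=1
    fi
  done

  key="$dir/server.key"
  if [ ! -f "$key" ]; then
    echo "missing: $key"
    rc=1
  else
    # ls -l mode string, e.g. "rw-r-----": owner = chars 1-3, group = 4-6, other = 7-9.
    mode=$(ls -ld "$key" | cut -c2-10)
    group=$(printf '%s' "$mode" | cut -c4-6)
    other=$(printf '%s' "$mode" | cut -c7-9)
    case "$other" in
      ---) ;;
      *) echo "private key accessible by all users ($mode): $key"; rc=1 ;;
    esac
    case "$group" in
      *w*) echo "private key writable by its group ($mode): $key"; rc=1 ;;
    esac
  fi
  return $rc
}

# Demonstration on a constructed directory with placeholder (non-PEM) files;
# on a real server call check_tls_files with no argument.
demo=$(mktemp -d)
for f in cacert.pem server.crt server.key; do
  printf 'placeholder\n' > "$demo/$f"
done
chmod 644 "$demo/cacert.pem" "$demo/server.crt"
chmod 600 "$demo/server.key"
if check_tls_files "$demo"; then
  echo "$demo: TLS files look sane"
fi
rm -rf "$demo"
```

Run it as root on the server so the readability test reflects what slapd's init script will see; a non-zero exit lists every problem found.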
=== Enable LDAPS ===
vi /etc/sysconfig/ldap
SLAPD_LDAPS=yes
=== Use DB config example ===
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
=== Set permissions ===
chown -Rf ldap:ldap /var/lib/ldap
=== Set LDAP root password ===
slappasswd
New password:
Re-enter new password:
{SSHA}
=== Change default DN ===
vi /etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif
olcSuffix:
To allow users to change their own password, append the following lines after the last olcDbIndex line in the same file. The indented lines are LDIF continuation lines; keep their leading spaces, otherwise slapd will not parse the entry.
olcAccess: to attrs=userPassword
  by self write
  by anonymous auth
  by dn.base="cn=Manager," write
  by * none
olcAccess: to *
  by self write
  by dn.base="cn=Manager," write
  by * read
Set the root password on the last line of the same file:
olcRootPW: {SSHA}
Correct the DN in olcDatabase={1}monitor.ldif
vi olcDatabase={1}monitor.ldif
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=manager," read by * none
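slapd evaluates olcAccess rules in order and uses the first `to` clause that matches the target, so the userPassword rule above only protects password hashes because it comes before the catch-all `to *` rule, whose `by * read` would otherwise hand the hashes to anyone. The script below is an added example, not part of the original guide: it folds LDIF continuation lines, extracts the olcAccess values from a cn=config database file such as olcDatabase={2}bdb.ldif, and flags a missing userPassword rule, a catch-all that grants read before it, or a userPassword rule that itself grants read. The function names and the two sample LDIF files it builds are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original guide: audit the olcAccess rules in
# a cn=config database LDIF (such as olcDatabase={2}bdb.ldif) for grants that
# would let userPassword hashes be read. Function names are this example's own.

# Fold LDIF continuation lines (lines starting with a space) into the line they
# continue, then print the olcAccess values in file order without the {n} prefix.
access_rules() {
  awk '
    /^ / { buf = buf substr($0, 2); next }
    { if (buf != "") print buf; buf = $0 }
    END { if (buf != "") print buf }
  ' "$1" | grep '^olcAccess:' | sed 's/^olcAccess: *//; s/^{[0-9]*} *//'
}

# Returns 0 when userPassword is protected, 1 otherwise. slapd uses the first
# "to" clause that matches the target, so a catch-all "to *" that grants read
# before any userPassword rule exposes the hashes even if a stricter rule follows.
audit_password_acl() {
  tmp=$(mktemp)
  access_rules "$1" > "$tmp"
  rc=0
  seen_pw=0
  if [ ! -s "$tmp" ]; then
    echo "no olcAccess rules: slapd falls back to 'to * by * read'"
    rc=1
  fi
  while IFS= read -r rule; do
    case "$rule" in
      to\ attrs=*userPassword*)
        seen_pw=1
        case "$rule" in
          *"by * read"*|*"by * write"*|*"by users read"*|*"by anonymous read"*)
            echo "userPassword rule grants read: $rule"; rc=1 ;;
        esac ;;
      to\ \**)
        if [ "$seen_pw" -eq 0 ]; then
          case "$rule" in
            *"by * read"*|*"by * write"*|*"by users read"*|*"by anonymous read"*)
              echo "catch-all grants read before any userPassword rule: $rule"; rc=1 ;;
          esac
        fi ;;
    esac
  done < "$tmp"
  rm -f "$tmp"
  return $rc
}

# Two constructed files: one with only a catch-all rule (which leaks hashes)
# and one with the guide's ordering.
weak=$(mktemp); hardened=$(mktemp)
cat > "$weak" <<'EOF'
dn: olcDatabase={2}bdb,cn=config
olcAccess: {0}to *
  by self write
  by * read
EOF
cat > "$hardened" <<'EOF'
dn: olcDatabase={2}bdb,cn=config
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
olcAccess: {1}to *
  by self write
  by * read
EOF
for f in "$weak" "$hardened"; do
  if audit_password_acl "$f"; then echo "$f: userPassword protected"; fi
done
rm -f "$weak" "$hardened"
```

On a live server run `audit_password_acl /etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif` after editing and before `slaptest -u`; it only reads the file, so it is safe to run while slapd is up.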
==== Test server config and start ====
slaptest -u
service slapd start
chkconfig slapd on
==== Configure as client ====
authconfig-tui
[*] Use LDAP
[*] Use Shadow passwords
[*] Use LDAP Authentication
[*] Local authorization is sufficient
[*] Use TLS
Server: ldaps://
Base DN:
Test:
ldapsearch -x -b "dc=localdomain,dc=com"
Output: search: 2
Test TLS:
ldapsearch -x -b "dc=localdomain,dc=com" -ZZ
Output: search: 3
==== Configure LDAP server ====
=== Configure base domain ===
# ldapadd -x -W -D "cn=Manager," -f base.ldif
dn:
dc:
objectClass: top
objectClass: domain
dn: ou=People,
ou: People
objectClass: top
objectClass: organizationalUnit
dn: ou=Group,
ou: Group
objectClass: top
objectClass: organizationalUnit
=== Create posix user ===
# ldapadd -x -W -D "cn=Manager," -f posix_user.ldif
#
# set password
# ldappasswd -s newpassword -D "cn=Manager," -W -x uid=ben,ou=People,
dn: uid=username,ou=People,
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: User Name
uid: username
uidNumber: 3000
gidNumber: 3000
homeDirectory: /home/username
loginShell: /bin/bash
gecos: User Name
userPassword: {crypt}x
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0
=== Create posix group ===
# ldapadd -x -W -D "cn=Manager," -f posix_group.ldif
dn: cn=username,ou=Group,
objectClass: top
objectClass: posixGroup
cn: username
gidNumber: 3000
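Typing the user and group entries by hand invites mismatches (an RDN that differs from the cn attribute, a uidNumber that collides with a system account, a typo in the shell). The script below is an added example, not part of the original guide: it emits the same LDIF templates as the two sections above from a few parameters and refuses obviously bad input. The suffix `dc=example,dc=com`, the sample user `alice`, the lower bound of 1000 for uidNumber/gidNumber and the list of accepted shells are this example's own assumptions; substitute your olcSuffix and site policy.

```shell
#!/bin/sh
# Added example, not part of the original guide: generate the posixAccount and
# posixGroup LDIF the guide adds by hand, with input checks. BASE is a
# constructed placeholder; set it to your olcSuffix.
BASE="${BASE:-dc=example,dc=com}"

# Unix-style account name: lowercase, no spaces or DN metacharacters, max 32 chars.
valid_name() {
  printf '%s' "$1" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'
}

# Numeric and at or above 1000 so LDAP accounts never shadow local system ids
# (the 1000 floor is this example's policy, not the guide's).
valid_id() {
  printf '%s' "$1" | grep -Eq '^[0-9]+$' && [ "$1" -ge 1000 ]
}

# posix_user_ldif NAME "Full Name" UIDNUMBER GIDNUMBER [SHELL]
# Attribute values follow the guide's template: the account starts locked
# ({crypt}x) until ldappasswd sets a real password.
posix_user_ldif() {
  name=$1; full=$2; uidnum=$3; gidnum=$4; shell=${5:-/bin/bash}
  valid_name "$name" || { echo "bad user name: $name" >&2; return 1; }
  valid_id "$uidnum" && valid_id "$gidnum" ||
    { echo "uidNumber/gidNumber must be numeric and >= 1000" >&2; return 1; }
  case "$shell" in
    /bin/bash|/bin/sh|/sbin/nologin) ;;
    *) echo "unexpected loginShell: $shell" >&2; return 1 ;;
  esac
  cat <<EOF
dn: uid=$name,ou=People,$BASE
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: $full
uid: $name
uidNumber: $uidnum
gidNumber: $gidnum
homeDirectory: /home/$name
loginShell: $shell
gecos: $full
userPassword: {crypt}x
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0
EOF
}

# posix_group_ldif NAME GIDNUMBER: the RDN and the cn attribute are always the same value.
posix_group_ldif() {
  valid_name "$1" || { echo "bad group name: $1" >&2; return 1; }
  valid_id "$2" || { echo "gidNumber must be numeric and >= 1000" >&2; return 1; }
  cat <<EOF
dn: cn=$1,ou=Group,$BASE
objectClass: top
objectClass: posixGroup
cn: $1
gidNumber: $2
EOF
}

# Demonstration with a constructed user; redirect to files and feed them to
# ldapadd -x -W -D "cn=Manager,$BASE" -f <file> as in the guide.
posix_user_ldif alice "Alice Example" 3000 3000
echo
posix_group_ldif alice 3000
```

The user and group are generated with the same number on purpose: the guide's pattern gives each user a private group whose gidNumber equals the account's gidNumber.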