# certutil -S -n 'OpenLDAP Consumer' -t ",," \
  -c LDAP-CA \
  -f /etc/openldap/certs/password \
  -d /etc/openldap/certs \
  -z /tmp/noise.txt \
  -s "CN=OpenLDAP Consumer,OU=IT,O=Company,L=City,ST=State,C=NL" \
  -8 "ldap.domain.tld,ldap.mgmt.domain.tld-example!" \
  -v 36 \
  -Z SHA256 \
  -g 4096
# pk12util -d /etc/openldap/certs -o /root/consumer.p12 -n "OpenLDAP Consumer" -k /etc/openldap/certs/password
Enter password for PKCS12 file: ...
Re-enter password: ...
pk12util: PKCS12 EXPORT SUCCESSFUL
# certutil -L -d /etc/openldap/certs -n "LDAP-CA" -a > /tmp/ca.crt
# mkdir /etc/openldap/certs
# pwgen -sy 32 1 > /etc/openldap/certs/password
# certutil -d /etc/openldap/certs -N -f /etc/openldap/certs/password
# pk12util -d /etc/openldap/certs -i /tmp/consumer.p12 -k /etc/openldap/certs/password
Enter password for PKCS12 file:
pk12util: PKCS12 IMPORT SUCCESSFUL
# certutil -A -n "LDAP-CA" -t "TCu,Cu,Cu" -i /tmp/ca.crt -d /etc/openldap/certs
# chmod 440 /etc/openldap/certs/password
# chown ldap. /etc/openldap/certs/*
# certutil -L -d /etc/openldap/certs/
# certutil -K -d /etc/openldap/certs/ -f /etc/openldap/certs/password
# certutil -L -d /etc/openldap/certs/ -n "OpenLDAP Consumer"
# certutil -V -d /etc/openldap/certs -n "OpenLDAP Consumer" -u C
certutil: certificate is valid
# yum install openldap-clients openldap-servers openldap pam_ldap nss-pam-ldapd pam_krb5 sssd migrationtools openldap-devel
# vi /etc/sysconfig/slapd
SLAPD_URLS="ldapi:/// ldaps:///"
# Any custom options
SLAPD_OPTIONS="-g ldap"
# vi /etc/openldap/ldap.conf
BASE dc=<domain>,dc=<tld>
URI ldaps://<FQDN>
TLS_CACERTDIR /etc/openldap/certs
TLS_REQCERT demand
# install -m 644 -o ldap -g ldap /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
slaptest -u
systemctl start slapd
systemctl enable slapd
core.schema          OpenLDAP core (required)
cosine.schema        Cosine and Internet X.500 (useful)
inetorgperson.schema InetOrgPerson (useful)
nis.schema           Network Information Services (FYI)
# ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
# ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
# ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
# slappasswd
New password: <password>
Re-enter new password: <password>
{SSHA}<hash>
# export MYHASH="{SSHA}your-hash"
# export MYDOMAIN=your-domain
# export MYTLD=your-tld
# ldapmodify -Q -Y EXTERNAL -H ldapi:/// <<EOF
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: ${MYHASH}
-
replace: olcAccess
olcAccess: {0}to * by dn.base="cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" manage by * none
EOF
# ldapmodify -H ldapi:/// -x -D "cn=config" -W <<EOF
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" read by * none
EOF
# ldapmodify -H ldapi:/// -x -D "cn=config" -W <<EOF
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=${MYDOMAIN},dc=${MYTLD}
-
replace: olcRootDN
olcRootDN: cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}
-
add: olcRootPW
olcRootPW: ${MYHASH}
EOF
# ldapmodify -H ldapi:/// -x -D "cn=config" -W <<EOF
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcDbIndex
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
olcDbIndex: uid,memberUid,gidNumber eq
-
EOF
# ldapmodify -H ldapi:/// -x -D "cn=config" -W <<EOF
dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: "OpenLDAP Consumer"
-
replace: olcTLSCipherSuite
olcTLSCipherSuite: HIGH
-
replace: olcTLSProtocolMin
olcTLSProtocolMin: 3.1
-
replace: olcDisallows
olcDisallows: bind_anon
-
replace: olcIdleTimeout
olcIdleTimeout: 120
EOF
# ldapmodify -H ldapi:/// -x -D "cn=config" -W <<EOF
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcPasswordHash
olcPasswordHash: ${MYHASH}
-
add: olcRequires
olcRequires: LDAPv3 authc
EOF
# ldapmodify -H ldaps://<FQDN> -x -D "cn=config" -W <<EOF
dn: cn=config
changetype: modify
add: olcSecurity
olcSecurity: tls=1
EOF
# firewall-cmd --permanent --zone public --add-service=ldaps
success
# firewall-cmd --reload
success
# slaptest -u
# systemctl restart slapd
# openssl s_client -connect localhost:636 -showcerts -CAfile /etc/openldap/cacerts/ca.crt
...
Verify return code: 0 (ok)
# ldapwhoami -H ldaps://<FQDN> -x -D "cn=Manager,dc=<domain>,dc=<tld>" -W
# ldapsearch -H ldaps://<FQDN> -x -D "cn=Manager,dc=<domain>,dc=<tld>" -W
# ldapsearch -H ldap://<FQDN> -x -D "cn=Manager,dc=<domain>,dc=<tld>" -W
ldap_bind: Confidentiality required (13)
	additional info: TLS confidentiality required
or:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
# ldapadd -H ldaps://<FQDN> -x -D "cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" -W <<EOF
dn: cn=replicator,dc=${MYDOMAIN},dc=${MYTLD}
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: replicator
userPassword: <your replicator password SSHA hash>
EOF
# ldapadd -H ldaps://<FQDN> -x -D "cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" -W <<EOF
dn: olcDatabase={2}bdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn.exact="cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" write by dn.exact="cn=replicator,dc=polaire,dc=nl" read by self =xw by anonymous auth by * none
olcAccess: {1}to * by dn.exact="cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" write by dn.exact="cn=replicator,dc=polaire,dc=nl" read by self read by users read by * none
EOF
# ldapadd -H ldaps://<FQDN> -x -D "cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" -W <<EOF
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: syncprov.la
EOF
# ldapadd -H ldaps://<FQDN> -x -D "cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" -W <<EOF
dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
EOF
ldapadd -H ldaps://ldapconsumer.yourdomain.tld -x -D "cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" -W <<EOF
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcSyncrepl
olcsyncrepl: {0}rid=014 provider=ldaps://ldap.yourdomain.tld type=refreshAndPersist retry="5 5 300 +" searchbase="dc=domain,dc=tld" attrs="*,+" bindmethod=simple binddn="cn=replicator,dc=domain,dc=tld" credentials=yourpassword
EOF
# ldapsearch -H ldaps://provider -x -D "cn=Manager,dc=<basedn>" -w <passwd> -s base contextcsn | grep contextCSN
# ldapsearch -H ldaps://consumer -x -D "cn=Manager,dc=<basedn>" -w <passwd> -s base contextcsn | grep contextCSN