This guide will install OpenLDAP with TLS. Tested on CentOS 6.5 minimal install.
iptables -I INPUT 6 -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT -m comment --comment LDAP
iptables -I INPUT 7 -m state --state NEW -m tcp -p tcp --dport 636 -j ACCEPT -m comment --comment LDAPS
service iptables save
yum install openldap-clients pam_ldap nss-pam-ldapd pam_krb5 sssd migrationtools openldap-servers openldap openldap-devel
Put your CA root certificate, server certificate and private key in the directories below.
/etc/openldap/certs/cacert.pem  # CA root certificate
/etc/openldap/certs/server.key  # private key
/etc/openldap/certs/server.crt  # server certificate

vi /etc/sysconfig/ldap
SLAPD_LDAPS=yes
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown -Rf ldap:ldap /var/lib/ldap
slappasswd
New password: <password>
Re-enter new password: <password>
{SSHA}<hash>

vi /etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif
olcSuffix: <your DN>
To let users change their own passwords, append the following lines after the last olcDbIndex line in the same file.
olcAccess: to attrs=userPassword by self write by anonymous auth by dn.base="cn=Manager,<your DN>" write by * none
olcAccess: to * by self write by dn.base="cn=Manager,<your DN>" write by * read
Set the root password on the last line of the same file:
olcRootPW: {SSHA}<hash>
Correct the DN in olcDatabase={1}monitor.ldif
vi olcDatabase={1}monitor.ldif
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=manager,<your DN>" read by * none

slaptest -u
service slapd start
chkconfig slapd on

authconfig-tui
[*] Use LDAP
[*] Use Shadow passwords
[*] Use LDAP Authentication
[*] Local authorization is sufficient
[*] Use TLS
Server: ldaps://<server:636>
Base DN: <your DN>
Test:
ldapsearch -x -b "dc=localdomain,dc=com"
Output: search: 2
Test TLS:
ldapsearch -x -b "dc=localdomain,dc=com" -ZZ
Output: search: 3
# ldapadd -x -W -D "cn=Manager,<your DN>" -f base.ldif
dn: <your DN>
dc: <your org name>
objectClass: top
objectClass: domain

dn: ou=People,<your DN>
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,<your DN>
ou: Group
objectClass: top
objectClass: organizationalUnit
# ldapadd -x -W -D "cn=Manager,<your DN>" -f posix_user.ldif
#
# set password (target the same uid as the entry below)
# ldappasswd -s newpassword -D "cn=Manager,<your DN>" -W -x uid=username,ou=People,<your DN>
dn: uid=username,ou=People,<your DN>
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: User Name
uid: username
uidNumber: 3000
gidNumber: 3000
homeDirectory: /home/username
loginShell: /bin/bash
gecos: User Name
userPassword: {crypt}x
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0

# ldapadd -x -W -D "cn=Manager,<your DN>" -f posix_group.ldif
# the cn in the dn must match the cn attribute, or slapd rejects the entry
dn: cn=username,ou=Group,<your DN>
objectClass: top
objectClass: posixGroup
cn: username
gidNumber: 3000
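As an added example (not part of the original guide), the Python helper below produces and checks {SSHA} hashes in the same form slappasswd emits for olcRootPW, and generates the posixAccount/posixGroup LDIF above with the RDN value kept consistent with the uid/cn attribute; BASE_DN is an assumed value matching the guide's ldapsearch test.

```python
"""Added example (not from the guide): slappasswd-style {SSHA} hashing plus
posixAccount/posixGroup LDIF whose RDN values match the entry attributes."""
import base64
import hashlib
import hmac
import os
from typing import Optional

BASE_DN = "dc=localdomain,dc=com"  # assumption: the guide's example suffix

def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """{SSHA} as slappasswd emits it: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(password: str, stored: str) -> bool:
    """Check a password against a stored {SSHA} value (e.g. olcRootPW)."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, rest is salt
    expected = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)

def posix_ldif(username: str, full_name: str, uid_number: int,
               base_dn: str = BASE_DN) -> str:
    """User + group LDIF; the dn RDN (uid=/cn=) must also appear as an attribute,
    otherwise slapd rejects the add with a naming violation."""
    user = [
        f"dn: uid={username},ou=People,{base_dn}",
        "objectClass: top", "objectClass: account",
        "objectClass: posixAccount", "objectClass: shadowAccount",
        f"cn: {full_name}", f"uid: {username}",
        f"uidNumber: {uid_number}", f"gidNumber: {uid_number}",
        f"homeDirectory: /home/{username}", "loginShell: /bin/bash",
        f"gecos: {full_name}", "userPassword: {crypt}x",
        "shadowLastChange: 0", "shadowMax: 0", "shadowWarning: 0",
    ]
    group = [
        f"dn: cn={username},ou=Group,{base_dn}",
        "objectClass: top", "objectClass: posixGroup",
        f"cn: {username}", f"gidNumber: {uid_number}",
    ]
    return "\n".join(user) + "\n\n" + "\n".join(group) + "\n"
```

Write the output of posix_ldif() to a file and feed it to ldapadd as in the steps above; ssha_verify() lets you confirm a hash pasted into olcRootPW before restarting slapd.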