Unleash your inner root

Configuring openLDAP with Fusion-Directory

Greetings Meta-Wizards, this week we’re visiting a rough subject for me: OpenLDAP. It’s frustrating, it’s annoying, and it’s pretty much been my admin life for the last few months.
This tutorial will walk you through a basic setup of the openLDAP server on CentOS/RHEL 6.7.

For those just looking for results, I provide a script on GitHub that will run through this entire process for you.

After the initial LDAP setup, I go on to walk you through setting up Fusion Directory, which is my current LDAP web front-end of choice.
This walkthrough has been proven to be accurate in my configurations; however, if something doesn’t work on your end, please let me know, as it is possible that formatting has gone awry somewhere. If something with an LDIF doesn’t work, note that spacing is fairly important, and it is possible that somewhere my spacing got offset without me realizing it, but my last test of these settings was good.

  • Install the openLDAP server and client
  • This is fairly basic: we install the openldap packages, copy the example configuration for the database backend into the correct folder,
    and then give that config file the correct ownership.

    yum -y install openldap-servers openldap-clients
    cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
    chown ldap. /var/lib/ldap/DB_CONFIG
    
  • Start the openLDAP Service
  • Again, simple: start the service and enable it at boot. The latest versions of openLDAP use the cn=config model of settings management,
    which can only be modified while the service is running.

    service slapd start
    chkconfig slapd on
    
  • Prepare LDAP Configuration
  • I like to keep track of all my configurations in one easy to manage place.

    mkdir /root/ldap_config
    
  • Set your LDAP admin password
  • These steps walk you through setting your LDAP rootDN password with an LDIF.

    1. Issue the following command; you will be prompted for a password:

       slappasswd

       Output should look similar to:

       {SSHA}NYHJkdBGUWbeFVsVqXUcbNtUBnFTe2X/

    2. Create a new LDIF file in your ldap_config directory:

       vim /root/ldap_config/change_rootPW.ldif

    3. Edit in the following information:

       dn: olcDatabase={0}config,cn=config
       changetype: modify
       add: olcRootPW
       olcRootPW: {SSHA}NYHJkdBGUWbeFVsVqXUcbNtUBnFTe2X/

    4. Enforce the new LDIF settings:

       ldapadd -Y EXTERNAL -H ldapi:/// -f /root/ldap_config/change_rootPW.ldif
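
As an added example (mine, not from the original post), the following Python reproduces the {SSHA} scheme slappasswd uses, so you can verify that the olcRootPW value in an LDIF really holds the password you think it does before loading it. POST_HASH is the hash shown above; its password is not known, so only its structure is checked.

```python
# Added example, not from the original post: reproduce slappasswd's {SSHA}
# scheme (base64 of sha1(password + salt) followed by the salt) so an
# olcRootPW value can be checked before the LDIF is loaded.
import base64
import hashlib
import hmac
import os


def ssha_hash(password, salt=None):
    """Return a {SSHA} string; slappasswd uses a 4-byte random salt by default."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def parse_ssha(value):
    """Split a {SSHA} string into (digest, salt); raise ValueError if malformed."""
    if not value.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(value[len("{SSHA}"):], validate=True)
    if len(raw) <= 20:
        raise ValueError("decoded value is not a 20-byte SHA-1 digest plus salt")
    return raw[:20], raw[20:]


def ssha_verify(value, password):
    """Check a candidate password against a {SSHA} value (constant-time compare)."""
    digest, salt = parse_ssha(value)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, candidate)


# The hash shown in the post; its password is unknown, so only its shape is checked.
POST_HASH = "{SSHA}NYHJkdBGUWbeFVsVqXUcbNtUBnFTe2X/"

if __name__ == "__main__":
    h = ssha_hash("correct horse")
    print(h, ssha_verify(h, "correct horse"), ssha_verify(h, "wrong"))
    print("salt bytes in the post's hash:", len(parse_ssha(POST_HASH)[1]))
```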
      
  • Configure LDAP domain settings
  • These LDIFs set up the basic domain information.

    1. Issue the following command; you will be prompted for a password:

       slappasswd

       Output should look similar to:

       {SSHA}NYHJkdBGUWbeFVsVqXUcbNtUBnFTe2X/

    2. Create a new LDIF file in your ldap_config directory:

       vim /root/ldap_config/change_domainSettings.ldif

    3. Edit in the following information:

       dn: olcDatabase={1}monitor,cn=config
       changetype: modify
       replace: olcAccess
       olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
         read by dn.base="cn=Manager,dc=metashell,dc=net" read by * none

       dn: olcDatabase={2}bdb,cn=config
       changetype: modify
       replace: olcSuffix
       olcSuffix: dc=metashell,dc=net

       dn: olcDatabase={2}bdb,cn=config
       changetype: modify
       replace: olcRootDN
       olcRootDN: cn=Manager,dc=metashell,dc=net

       dn: olcDatabase={2}bdb,cn=config
       changetype: modify
       add: olcRootPW
       olcRootPW: {SSHA}NYHJkdBGUWbeFVsVqXUcbNtUBnFTe2X/

       dn: olcDatabase={2}bdb,cn=config
       changetype: modify
       add: olcAccess
       olcAccess: {0}to attrs=userPassword,shadowLastChange by
         dn="cn=Manager,dc=metashell,dc=net" write by anonymous auth by self write by * none
       olcAccess: {1}to dn.base="" by * read
       olcAccess: {2}to * by dn="cn=Manager,dc=metashell,dc=net" write by * read

    4. Enforce your new LDIF settings:

       ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/ldap_config/change_domainSettings.ldif
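
Since, as noted at the top, spacing is what usually breaks these LDIFs, here is an added Python check (mine, not from the post or from OpenLDAP) that unfolds an LDIF the way ldapmodify does and flags tabs and trailing whitespace, both of which silently become part of the attribute value. SAMPLE_LDIF is constructed from the change_domainSettings.ldif above, with a tab deliberately placed in the first olcAccess value to show what gets flagged.

```python
# Added example, not from the post: SAMPLE_LDIF is built from the post's
# change_domainSettings.ldif with a tab deliberately placed in the first value.
SAMPLE_LDIF = """dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by \tdn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
  read by dn.base="cn=Manager,dc=metashell,dc=net" read by * none

dn: olcDatabase={2}bdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by
  dn="cn=Manager,dc=metashell,dc=net" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=metashell,dc=net" write by * read
"""


def unfold(text):
    """Join continuation lines (RFC 2849): a leading space marks a continuation
    and only that one space is dropped, so a second space survives in the value."""
    out = []
    for line in text.splitlines():
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out


def parse_records(text):
    """Return [(dn, [(attr, value), ...])]; '-' only separates changes.
    Base64 ('::') values are not handled because this file has none."""
    records, current = [], None
    for line in unfold(text):
        if not line.strip() or line == "-":
            continue
        attr, _, value = line.partition(":")
        if attr == "dn":
            current = (value.lstrip(" "), [])
            records.append(current)
        elif current is not None:
            current[1].append((attr, value.lstrip(" ")))
    return records


def find_problems(text):
    """Tabs and trailing blanks both end up inside the value; report them by line."""
    lines = text.splitlines()
    tabs = [f"line {n}: tab inside value" for n, l in enumerate(lines, 1) if "\t" in l]
    trailing = [f"line {n}: trailing whitespace" for n, l in enumerate(lines, 1) if l != l.rstrip()]
    return tabs + trailing
```

Run find_problems on your own LDIF before ldapmodify; an empty list means the values the server will see are exactly the ones you typed.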
      
  • Configure TLS/SSL
    1. Make the server key:

       cd /etc/pki/tls/certs
       openssl genrsa -aes128 2048 > server01.key

    2. Remove the passphrase from the private key (you will be prompted for your original passphrase):

       openssl rsa -in server01.key -out server01.key

    3. Make server01.csr, answering the prompts as follows:

       openssl req -utf8 -new -key server01.key -out server01.csr

       (1) Country Name: US
       (2) State or Province Name: California
       (3) Locality Name: City
       (4) Organization Name: Group
       (5) Organizational Unit Name: Group
       (6) Common Name: server01
       (7) Email Address []: leave blank
       (8) A challenge password []: leave blank
       (9) An optional company name []: leave blank

    4. Create the self-signed certificate:

       openssl x509 -in server01.csr -out server01.crt -req -signkey server01.key -days 3650

    5. Copy the required files to the openldap certificate directory:

       cp /etc/pki/tls/certs/server01.key /etc/openldap/certs/
       cp /etc/pki/tls/certs/server01.crt /etc/openldap/certs/
       cp /etc/pki/tls/certs/ca-bundle.crt /etc/openldap/certs/
       chown ldap. /etc/openldap/certs/server01*
       chown ldap. /etc/openldap/certs/ca-bundle.crt

    6. Create ssl_config.ldif in the ldap_config folder:

       vim /root/ldap_config/ssl_config.ldif

    7. Edit in the following:

       dn: cn=config
       changetype: modify
       add: olcTLSCACertificateFile
       olcTLSCACertificateFile: /etc/openldap/certs/ca-bundle.crt
       -
       replace: olcTLSCertificateFile
       olcTLSCertificateFile: /etc/openldap/certs/server01.crt
       -
       replace: olcTLSCertificateKeyFile
       olcTLSCertificateKeyFile: /etc/openldap/certs/server01.key

    8. Enforce the new LDIF settings:

       ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/ldap_config/ssl_config.ldif

    9. Modify /etc/sysconfig/ldap, changing SLAPD_LDAPS=no to SLAPD_LDAPS=yes.
      
  • Install Fusion Directory
    1. Create fusion.repo:

       vim /etc/yum.repos.d/fusion.repo

    2. Add the following:

       [fusiondirectory]
       name=Fusiondirectory Packages for RHEL / CentOS 6
       baseurl=http://repos.fusiondirectory.org/rhel6/RPMS
       enabled=1
       gpgcheck=0

       [fusiondirectory-extra]
       name=Fusiondirectory Packages for RHEL / CentOS 6
       baseurl=http://repos.fusiondirectory.org/rhel6-rpm-extra/RPMS/
       enabled=1
       gpgcheck=0

    3. Begin the installation:

       yum install fusiondirectory fusiondirectory-schema
       yum install php-pear-MDB2
       fusiondirectory-insert-schema
       fusiondirectory-setup --check-directories --update-cache --update-locales
       chgrp -R apache /var/cache/fusiondirectory/*
       chmod g+rw /var/cache/fusiondirectory/class.cache

    4. Set expose_php to Off in /etc/php.ini:

       sed -i 's/^expose_php = On$/expose_php = Off/g' /etc/php.ini

    5. Create a dummy fusiondirectory.conf:

       touch /var/cache/fusiondirectory/template/fusiondirectory.conf

    6. Change its permissions:

       chgrp apache /var/cache/fusiondirectory/template/fusiondirectory.conf
       chmod g+rw /var/cache/fusiondirectory/template/fusiondirectory.conf

    7. Start the web service:

       service httpd start

    8. Begin the web configuration:

       http://server01.metashell.net/fusiondirectory

    9. Follow the setup instructions.
    10. Once setup is complete, add modules as desired or needed.
    11. Further reading:
       Fusiondirectory homepage
       Fusiondirectory main documentation page
       Fusion Directory plugin list


Brandon.Graves • December 10, 2015

