Configuring openLDAP with Fusion-Directory
Greetings Meta-Wizards, this week we're visiting a rough subject for me: OpenLDAP. It's frustrating, it's annoying, and it's pretty much been my admin life for the last few months.
This tutorial walks you through a basic setup of openldap-servers on CentOS/RHEL 6.7.
For those just looking for results, I provide a script on GitHub that runs through this entire process for you.
After the initial LDAP setup, I walk you through setting up FusionDirectory, my current LDAP web front-end of choice.
This walkthrough has been tested in my own configurations; if something doesn't work on your end, please let me know, since it is possible that formatting went awry somewhere. If an LDIF fails, check the whitespace first: in LDIF a line that begins with a space is a continuation of the previous line, and each record must be followed by a blank line, so a single shifted space can silently change what slapd receives. My last test of these settings was good.
- Install openLDAP server/client
This is fairly basic: install the openldap packages, copy the example database configuration into the database directory, and give the ldap user ownership of that file.
yum -y install openldap-servers openldap-clients
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown ldap. /var/lib/ldap/DB_CONFIG
Again simple: start the service and enable it at boot. Current versions of OpenLDAP keep their settings in the cn=config database (the files under /etc/openldap/slapd.d) rather than in slapd.conf, and the supported way to change them is to send LDIF to the running server over the local ldapi:/// socket. That is why slapd has to be up before any of the ldapmodify steps below.
service slapd start
chkconfig slapd on
I like to keep track of all my configurations in one easy to manage place.
mkdir /root/ldap_config
These steps set the rootDN password for the cn=config database itself, so the configuration can be administered with a password bind as well as through the root-over-ldapi (SASL EXTERNAL) mechanism used throughout this post.
- Issue the following command; you will be prompted for a password. The output is a salted SHA-1 hash ({SSHA}) and changes on every run because the salt is random, so the value below is only an example. Paste the hash you generated, not this one:
slappasswd
Output should look similar to:
{SSHA}NYHJkdBGUWbeFVsVqXUcbNtUBnFTe2X/
- Create a new LDIF file in your ldap_config directory:
vim /root/ldap_config/change_rootPW.ldif
- Edit in the following information:
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}NYHJkdBGUWbeFVsVqXUcbNtUBnFTe2X/
- Apply the new LDIF settings as local root over the ldapi socket (no password is needed for this step):
ldapadd -Y EXTERNAL -H ldapi:/// -f /root/ldap_config/change_rootPW.ldif
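What slappasswd actually produced, and a way to confirm that the hash you pasted into the LDIF matches the password you think it does before applying it. This is an added example for this post, not part of the original article or of OpenLDAP's own tooling; it assumes a POSIX shell with openssl, mktemp, head, tail and cmp. A {SSHA} value is base64 of the 20-byte SHA-1 over password||salt followed by the salt itself (slappasswd uses 4 random bytes), which is why two runs on the same password give different strings and why a check has to recover the salt from the hash rather than recompute it.

```shell
#!/bin/sh
# Added example, not from the original post: build and verify {SSHA} hashes in the
# format slappasswd emits.  {SSHA} = base64( SHA1(password || salt) || salt ).
# Raw digest bytes are kept in files under a private mktemp dir, never in variables.

# ssha_make PASSWORD : print a {SSHA} hash with a fresh 4-byte random salt
ssha_make() {
    pw=$1
    tmp=$(mktemp -d) || return 2
    head -c 4 /dev/urandom > "$tmp/salt"
    {
        { printf '%s' "$pw"; cat "$tmp/salt"; } | openssl dgst -sha1 -binary
        cat "$tmp/salt"
    } > "$tmp/blob"
    printf '{SSHA}%s\n' "$(openssl base64 < "$tmp/blob")"
    rm -rf "$tmp"
}

# ssha_check HASH PASSWORD : 0 if PASSWORD matches HASH, 1 if not, 2 if HASH is malformed
ssha_check() {
    hash=$1 pw=$2
    case $hash in '{SSHA}'*) ;; *) return 2 ;; esac
    tmp=$(mktemp -d) || return 2
    # strip the 6-character {SSHA} tag and base64-decode the rest
    printf '%s\n' "$hash" | cut -c7- | openssl base64 -d > "$tmp/blob" 2>/dev/null
    if [ $(( $(wc -c < "$tmp/blob") )) -lt 20 ]; then rm -rf "$tmp"; return 2; fi
    head -c 20 "$tmp/blob" > "$tmp/digest"     # bytes 1-20: the SHA-1 digest
    tail -c +21 "$tmp/blob" > "$tmp/salt"      # bytes 21..: the salt (may be empty)
    { printf '%s' "$pw"; cat "$tmp/salt"; } | openssl dgst -sha1 -binary > "$tmp/calc"
    if cmp -s "$tmp/digest" "$tmp/calc"; then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return $rc
}

# Demo when run as "sh ssha.sh demo": make a hash, confirm it, show a wrong password failing.
if [ "${1:-}" = demo ]; then
    h=$(ssha_make 'secret')
    echo "$h"
    ssha_check "$h" 'secret' && echo "secret: match"
    ssha_check "$h" 'Secret' || echo "Secret: no match"
fi
```

Compare the output of `ssha_make` with `slappasswd -h '{SSHA}' -s yourpassword`: the strings differ (different salt) but `ssha_check` accepts either, which is the property you want before trusting the value in change_rootPW.ldif. A hash with an empty salt is just {SHA} in disguise, and the check handles that case too.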
These LDIFs set up the basic domain information: they restrict the monitor database to local root and the Manager DN, and give the main {2}bdb database its suffix, its rootDN, the rootDN password and its access rules. Replace dc=metashell,dc=net and cn=Manager with your own values throughout.
- Issue the following command; you will be prompted for a password. This one becomes the password of cn=Manager, the directory administrator, so generate a fresh hash rather than reusing the cn=config one:
slappasswd
- Output should look similar to:
{SSHA}NYHJkdBGUWbeFVsVqXUcbNtUBnFTe2X/
- Create a new LDIF file in your ldap_config directory:
vim /root/ldap_config/change_domainSettings.ldif
- Edit in the following information (each record is separated from the next by a blank line):
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=metashell,dc=net" read by * none

dn: olcDatabase={2}bdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=metashell,dc=net

dn: olcDatabase={2}bdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=metashell,dc=net

dn: olcDatabase={2}bdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}NYHJkdBGUWbeFVsVqXUcbNtUBnFTe2X/

dn: olcDatabase={2}bdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=Manager,dc=metashell,dc=net" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=metashell,dc=net" write by * read
- Apply your new LDIF settings:
ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/ldap_config/change_domainSettings.ldif
A note on the access rules, since this is where most of the security of the directory lives. Rule {0} lets only the Manager write userPassword and shadowLastChange, lets anonymous clients use the password for a bind ("auth") without being able to read it, lets users change their own, and the trailing "by * none" means nobody else can read password hashes at all. Rule {2} is deliberately open: everything else in the tree is readable without a bind. If your directory should not be browsable anonymously, change that rule's "by * read" to "by users read" so that only authenticated clients can search it.
- Make the server key
- Remove the passphrase from the private key (you will be prompted for your original passphrase); slapd cannot type a passphrase at startup, so the key is protected by file permissions instead
- Make server.csr
- Create a self-signed certificate
- Copy the required files to the openldap certificate directory
- Create ssl_config.ldif in the ldap_config folder
- Edit in the following
- Apply the new LDIF settings
- Modify /etc/sysconfig/ldap
cd /etc/pki/tls/certs
openssl genrsa -aes128 2048 > server01.key
openssl rsa -in server01.key -out server01.key
openssl req -utf8 -new -key server01.key -out server01.csr
You will be prompted for the certificate subject; the answers used here were:
(1) Country: US
(2) State: California
(3) Locality: City
(4) Organization: Group
(5) Organizational Unit: Group
(6) Common Name: server01
(7) Email address: leave blank
(8) A challenge password: leave blank
(9) An optional company name: leave blank
The Common Name is what clients compare against the hostname they connect to, so if they will use the fully qualified name (server01.metashell.net, as the FusionDirectory URL further down does), put that here rather than the short name.
openssl x509 -in server01.csr -out server01.crt -req -signkey server01.key -days 3650
cp /etc/pki/tls/certs/server01.key /etc/openldap/certs/
cp /etc/pki/tls/certs/server01.crt /etc/openldap/certs/
cp /etc/pki/tls/certs/ca-bundle.crt /etc/openldap/certs/
chown ldap. /etc/openldap/certs/server01*
chown ldap. /etc/openldap/certs/ca-bundle.crt
Two caveats on these copies. First, genrsa writes the key with your umask, normally 0644, and chown does not change that, so the unencrypted key ends up world-readable; tighten it to mode 0600 (owner ldap) before pointing slapd at it. Second, the certificate is self-signed, so nothing in ca-bundle.crt can validate it: slapd starts fine with this configuration, but any client that verifies the server (TLS_REQCERT demand, the OpenLDAP client default) has to be given server01.crt itself as its CA certificate.
vim /root/ldap_config/ssl_config.ldif
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/openldap/certs/ca-bundle.crt
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/server01.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/server01.key
ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/ldap_config/ssl_config.ldif
In /etc/sysconfig/ldap change SLAPD_LDAPS=no to SLAPD_LDAPS=yes so that slapd also listens on ldaps:// (port 636) in addition to STARTTLS on port 389, then restart slapd so the new certificate and the new listener are both picked up.
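A post-install check script covering the two things above that are easy to get wrong: the access rules from the domain-settings LDIF (anonymous clients must not be able to read userPassword) and the TLS setup from this section (key permissions, and whether ldaps:// and STARTTLS actually work when the client is told to trust the self-signed server01.crt). This is an added example for this post, not part of the original article or of OpenLDAP; the hostname, base DN and file paths are the ones used on this page and are plain assumptions you override through the environment variables at the top. Only the two pure helpers (the permission check and the LDIF counter) run without a server; the network checks need slapd restarted after the sysconfig change and the base entry of the suffix to exist.

```shell
#!/bin/sh
# Added example, not from the original post: checks to run after the LDIFs above are
# applied and slapd has been restarted.  Defaults below are this page's names, not
# anything the page guarantees; override them for your own server.
LDAP_HOST=${LDAP_HOST:-server01.metashell.net}
BASE_DN=${BASE_DN:-dc=metashell,dc=net}
SERVER_CERT=${SERVER_CERT:-/etc/openldap/certs/server01.crt}
SERVER_KEY=${SERVER_KEY:-/etc/openldap/certs/server01.key}

# key_is_private FILE OWNER : 0 only if FILE belongs to OWNER and has no group/other bits.
# "openssl genrsa > file" under the default umask leaves 0644, which chown does not fix.
key_is_private() {
    f=$1; want=$2
    [ -f "$f" ] || return 1
    owner=$(stat -c '%U' "$f" 2>/dev/null || stat -f '%Su' "$f")
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    [ "$owner" = "$want" ] || return 1
    case $mode in *00) return 0 ;; *) return 1 ;; esac
}

# count_userpassword : number of userPassword attribute lines in LDIF read from stdin
count_userpassword() { grep -ci '^userPassword:' || true; }

# Constructed sample of "ldapsearch -x -LLL ... userPassword" output from a server whose
# ACL lets anonymous users read passwords: alice leaks a hash (the page's own example
# value, base64-encoded the way ldapsearch prints it), bob does not.
SAMPLE_LEAKY_LDIF='dn: uid=alice,ou=People,dc=metashell,dc=net
userPassword:: e1NTSEF9TllISmtkQkdVV2JlRlZzVnFYVWNiTnRVQm5GVGUyWC8=

dn: uid=bob,ou=People,dc=metashell,dc=net
'
# Constructed sample of the same search against the ACL from this page ("by * none").
SAMPLE_CLEAN_LDIF='dn: uid=alice,ou=People,dc=metashell,dc=net

dn: uid=bob,ou=People,dc=metashell,dc=net
'

# anon_leak_count : how many userPassword values an *anonymous* bind can read.
# With rule {0} above this must print 0.  Fails (non-zero) if the search itself fails.
anon_leak_count() {
    out=$(ldapsearch -x -LLL -H "ldap://$LDAP_HOST" -b "$BASE_DN" '(objectClass=*)' userPassword 2>/dev/null) || return 1
    printf '%s\n' "$out" | count_userpassword
}

# tls_listener_ok ldaps|starttls : read the root DSE over TLS.  The cert is self-signed,
# so the client is told to trust server01.crt itself (LDAPTLS_CACERT); ca-bundle.crt
# cannot validate it.  ldaps needs SLAPD_LDAPS=yes and a restart; starttls uses port 389.
tls_listener_ok() {
    case $1 in
        ldaps)    url="ldaps://$LDAP_HOST"; extra="" ;;
        starttls) url="ldap://$LDAP_HOST";  extra="-ZZ" ;;
        *) return 2 ;;
    esac
    LDAPTLS_CACERT=$SERVER_CERT ldapsearch -x $extra -LLL -H "$url" -b '' -s base \
        '(objectClass=*)' namingContexts >/dev/null 2>&1
}

# run_checks : one line per check; exit status non-zero if anything failed
run_checks() {
    rc=0
    if key_is_private "$SERVER_KEY" ldap; then echo "ok   $SERVER_KEY is private"
    else echo "FAIL $SERVER_KEY must be owned by ldap with mode 0600 (chmod 600)"; rc=1; fi
    if n=$(anon_leak_count); then
        if [ "$n" = 0 ]; then echo "ok   anonymous cannot read userPassword"
        else echo "FAIL anonymous can read $n userPassword value(s); fix olcAccess {0}"; rc=1; fi
    else echo "FAIL anonymous search of $BASE_DN on $LDAP_HOST failed"; rc=1; fi
    for proto in ldaps starttls; do
        if tls_listener_ok "$proto"; then echo "ok   $proto works with $SERVER_CERT trusted"
        else echo "FAIL $proto (SLAPD_LDAPS=yes set, slapd restarted, CN matches $LDAP_HOST?)"; rc=1; fi
    done
    return $rc
}

# Usage: sh ldap_checks.sh run      (without "run" the script only defines the functions)
case ${1:-} in run) run_checks ;; esac
```

Run it as `sh ldap_checks.sh run` from a client that can reach the server. Against the configuration exactly as written on this page, the first check fails until you chmod the key, and the ldaps check fails until slapd is restarted; if the Common Name in the CSR was the short name "server01" while LDAP_HOST is the FQDN, both TLS checks fail on hostname mismatch, which is the point of the CN note above.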
- Create fusion.repo
- Add the following
- Begin installation
- Set expose_php to "Off" in /etc/php.ini
- Create a dummy fusiondirectory.conf
- Change permissions
- Start the web service
- Begin web configuration
- Follow the setup instructions
- Once setup is complete, add modules as desired/needed
vim /etc/yum.repos.d/fusion.repo
[fusiondirectory]
name=Fusiondirectory Packages for RHEL / CentOS 6
baseurl=http://repos.fusiondirectory.org/rhel6/RPMS
enabled=1
gpgcheck=0

[fusiondirectory-extra]
name=Fusiondirectory Packages for RHEL / CentOS 6
baseurl=http://repos.fusiondirectory.org/rhel6-rpm-extra/RPMS/
enabled=1
gpgcheck=0
As written, this repository is fetched over plain HTTP with gpgcheck=0, so yum installs whatever it receives without verifying a signature, and what it installs is the web front-end to your identity store. Import the project's package signing key and set gpgcheck=1 before using this anywhere other than a lab box.
yum install fusiondirectory fusiondirectory-schema
yum install php-pear-MDB2
fusiondirectory-insert-schema
fusiondirectory-setup --check-directories --update-cache --update-locales
chgrp -R apache /var/cache/fusiondirectory/*
chmod g+rw /var/cache/fusiondirectory/class.cache
Turning expose_php off stops PHP from advertising its version in the X-Powered-By response header:
sed -i 's/^expose_php = On$/expose_php = Off/g' /etc/php.ini
touch /var/cache/fusiondirectory/template/fusiondirectory.conf
chgrp apache /var/cache/fusiondirectory/template/fusiondirectory.conf
chmod g+rw /var/cache/fusiondirectory/template/fusiondirectory.conf
service httpd start
Then open the setup wizard in a browser and follow its instructions. The wizard asks for the cn=Manager password, so put httpd behind TLS before exposing this page beyond the lab:
http://server01.metashell.net/fusiondirectory
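A way to catch the two weak settings in the repo file above mechanically, in fusion.repo and in any other .repo file on the box. This is an added example for this post, not part of the original article or of FusionDirectory; it is plain awk and sh text processing, so it runs anywhere. The first sample is the page's repo file verbatim; the "hardened" sample only shows the shape (gpgcheck=1, an https baseurl, a gpgkey pointing at a locally stored key), and its hostname and key path are placeholders, not the project's real values, which this page does not give.

```shell
#!/bin/sh
# Added example, not from the original post: audit yum .repo files for sections that
# disable signature checking or fetch over plain http.

# repo_weaknesses : read a .repo file on stdin, print "SECTION: reason" per weak section
repo_weaknesses() {
    awk '
        function flush() {
            if (sec == "") return
            if (gpg == "0")
                print sec ": gpgcheck=0, package signatures are not verified"
            if (gpg == "1" && key == "")
                print sec ": gpgcheck=1 but no gpgkey, yum has nothing to verify with"
            if (url ~ /^http:\/\//)
                print sec ": baseurl is plain http, metadata and RPMs can be altered in transit"
        }
        { sub(/\r$/, ""); sub(/[ \t]+$/, "") }          # tolerate CRLF and trailing blanks
        /^\[/ { flush(); sec = substr($0, 2); sub(/\].*$/, "", sec)
                gpg = ""; url = ""; key = ""; next }     # new [section]
        /^[ \t]*gpgcheck[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); gpg = $0 }
        /^[ \t]*baseurl[ \t]*=/  { sub(/^[^=]*=[ \t]*/, ""); url = $0 }
        /^[ \t]*gpgkey[ \t]*=/   { sub(/^[^=]*=[ \t]*/, ""); key = $0 }
        END { flush() }
    '
}

# audit_repo_dir [DIR] : run repo_weaknesses over every .repo file (default /etc/yum.repos.d)
audit_repo_dir() {
    dir=${1:-/etc/yum.repos.d}
    for f in "$dir"/*.repo; do
        [ -f "$f" ] || continue
        repo_weaknesses < "$f" | sed "s|^|$f: |"
    done
}

# Constructed sample: the fusion.repo from this page, verbatim (both weaknesses present).
SAMPLE_FUSION_REPO='[fusiondirectory]
name=Fusiondirectory Packages for RHEL / CentOS 6
baseurl=http://repos.fusiondirectory.org/rhel6/RPMS
enabled=1
gpgcheck=0

[fusiondirectory-extra]
name=Fusiondirectory Packages for RHEL / CentOS 6
baseurl=http://repos.fusiondirectory.org/rhel6-rpm-extra/RPMS/
enabled=1
gpgcheck=0'

# Constructed sample of the hardened shape.  The host and the key path are placeholders
# (not the project's real values): use the location where you imported its signing key.
SAMPLE_FIXED_REPO='[fusiondirectory]
name=FusionDirectory (hardened example)
baseurl=https://repos.example.invalid/rhel6/RPMS
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example'

# Usage: sh repo_audit.sh demo  (show both samples)   or   sh repo_audit.sh audit [DIR]
case ${1:-} in
    demo)  echo "== page's fusion.repo =="; printf '%s\n' "$SAMPLE_FUSION_REPO" | repo_weaknesses
           echo "== hardened shape ==";     printf '%s\n' "$SAMPLE_FIXED_REPO"  | repo_weaknesses ;;
    audit) audit_repo_dir "${2:-}" ;;
esac
```

On the page's file the demo reports four findings (gpgcheck=0 and a plain-http baseurl for each of the two sections) and nothing for the hardened shape. Note the third rule: gpgcheck=1 without a gpgkey line is not a fix, because yum will simply refuse to install or prompt for a key it cannot find.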
Fusiondirectory Homepage
Fusiondirectory main documentation page
Fusion Directories Plugin List