Unleash your inner root

Configuring openLDAP with Fusion-Directory

Greetings Meta-Wizards, this week we’re visiting a rough subject for me. OpenLDAP. Its frustrating, Its annoying, and its pretty much been my admin life for the last few months.
This tutorial will walk you through a basic setup of openLDAP-server on CentOS/RHEL: 6.7

For those just looking for results, I provide A script on Github that will run through this entire process for you.

After the initial ldap setup, I go on to walk you through setting up fusion-directory which is my current LDAP web front-end of choice.
This walkthrough has been proven to be accurate in my configurations, however if something doesn’t work on your end, please let me know, it is possible that formatting has gone awry somewhere. If something with an LDIF doesn’t work, note that spacing is fairly important and it is possible that somewhere my spacing got offset without me realizing it, but my last test of these settings was good.

  • Install openLDAP server/Client

    • This is fairly basic, we’re installing the openldap packages, and then copying the basic configuration for the database into the correct folder.
    Once done, we provide the correct ownership for that config file.

    yum -y install openldap-servers openldap-clients
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown ldap. /var/lib/ldap/DB_CONFIG
  • Start the openLDAP Service

    • Again, simple, starting the service. The latest versions of openLDAP use the cn=config model of settings management
    and can only be modified while the services are online.

    service slapd start
chkconfig slapd on
  • Prepare LDAP Configuration

    • I like to keep track of all my configurations in one easy to manage place.

    mkdir /root/ldap_config
  • Set your LDAP Admin password

    • These will walk you through the LDIF process of setting the password for your ldap rootDN password.

    1. Issue the following command, you will be prompted for password:
      2. slappasswd

      Output should look similar to:

      {SSHA}NYHJkdBGUWbeFVsVqXUcbNtUBnFTe2X/
    2. Create a new LDIF File in your LDAP_config Directory
      3. vim /root/ldap_config/change_rootPW.ldif
    3. Edit in the following information:
      4. dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}NYHJkdBGUWbeFVsVqXUcbNtUBnFTe2X/
    4. Enforce new LDIF Settings:
      5. 
ldapadd -Y EXTERNAL -H ldapi:/// -f /root/ldap_config/change_rootPW.ldif
  • Configure LDAP Domain Settings

    • These LDIF’s will setup basic domain information.

    1. Issue the following command, you will be prompted for password:
      2. slappasswd
    2. Output should look similar to:
      3. {SSHA}NYHJkdBGUWbeFVsVqXUcbNtUBnFTe2X/
    3. Create a new LDIF File in your LDAP_config Directory
      4. vim /root/ldap_config/change_domainSettings.ldif
    4. Edit in the following information:
      5. dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by 	dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
  read by dn.base="cn=Manager,dc=metashell,dc=net" read by * none

dn: olcDatabase={2}bdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=metashell,dc=net

dn: olcDatabase={2}bdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=metashell,dc=net

dn: olcDatabase={2}bdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}NYHJkdBGUWbeFVsVqXUcbNtUBnFTe2X/

dn: olcDatabase={2}bdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by
  dn="cn=Manager,dc=metashell,dc=net" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=metashell,dc=net" write   by * read
    5. Enforce your new LDIF settings
      6. ldapmodify -Y EXTERNAL -H ldapi:/// -f change_domainSettings.ldif
  • Configure TLS/SSL
    1. Make Server key
      2. cd /etc/pki/tls/certs
openssl genrsa -aes128 2048 > server01.key
    2. Remove Passphrase from the Private Key (You will be prompted for your original passphrase)
      3. openssl rsa -in server01.key -out server01.key
    3. Make server.csr 
      4. openssl req -utf8 -new -key server01.key -out server01.csr

      (1)	US
(2)	California
(3)	City
(4)	Group
(5)	Group
(6)	server01
(7)	email [] #leave blank
(8)	password [] #leave blank
(9)	An optional company name[] #Leave blank
    4. Create Self Signed Certificate
      5. openssl x509 -in server01.csr -out server01.crt -req -signkey server01.key -days 3650
    5. Copy required files to openldap certificate directory
      6. cp /etc/pki/tls/certs/server01.key /etc/openldap/certs/
cp /etc/pki/tls/certs/server01.crt /etc/openldap/certs/
cp /etc/pki/tls/certs/ca-bundle.crt /etc/openldap/certs/
chown ldap. /etc/openldap/certs/server01*
chown ldap. /etc/openldap/certs/ca-bundle.crt
    6. Create ssl_config.ldif in ldap_config folder
      7. vim ssl_config.ldif
    7. Edit In the following:
      8. dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/openldap/certs/ca-bundle.crt
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/server01.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/server01.key
    8. Enforce new LDIF Settings
      9. ldapmodify -Y EXTERNAL -H ldapi:/// -f ssl_config.ldif
    9. Modify /etc/sysconfig/ldap
      10. change: SLAPD_LDAPS=no to SLAPD_LDAPS=yes
  • Install Fusion Directory
    1. Create fusion.repo
      2. vim /etc/yum.repos.d/fusion.repo
    2. Add the following
      3. [fusiondirectory]
name=Fusiondirectory Packages for RHEL / CentOS 6
baseurl=http://repos.fusiondirectory.org/rhel6/RPMS
enabled=1
gpgcheck=0

[fusiondirectory-extra]
name=Fusiondirectory Packages for RHEL / CentOS 6
baseurl=http://repos.fusiondirectory.org/rhel6-rpm-extra/RPMS/
enabled=1
gpgcheck=0
    3. Begin Installation
      4. yum install fusiondirectory fusiondirectory-schema
yum install php-pear-MDB2
fusiondirectory-insert-schema
fusiondirectory-setup --check-directories --update-cache --update-locales
chgrp -R apache /var/cache/fusiondirectory/*
chmod g+rw /var/cache/fusiondirectory/class.cache
    4. Set Expose_php to “off” in /etc/php.ini
      5. sed -i 's/^expose_php = On$/expose_php = Off/g' /etc/php.ini
    5. Create dummy fusiondirectory.conf
      6. touch /var/cache/fusiondirectory/template/fusiondirectory.conf
    6. change permissions
      7. chgrp apache /var/cache/fusiondirectory/template/fusiondirectory.conf 
chmod g+rw /var/cache/fusiondirectory/template/fusiondirectory.conf
    7. Start web Service
      8. service httpd start
    8. Begin Web configuration
      9. http://server01.metashell.net/fusiondirectory
    9. Follow Setup Instructions
    10. Once setup is complete, add modules as desired/Needed.

      11. Fusiondirectory Homepage
      Fusiondirectory main documentation page
      Fusion Directories Plugin List

fusiondirectorygithubopenldapopenldap ssl

Brandon.Graves • December 10, 2015

Previous Post

Next Post

Leave a Reply

Your email address will not be published / Required fields are marked *

%d bloggers like this: