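# ===== What? =====
# Deploy an ldap server rhel5, used for ldap authentication/authorization.
#
# Runbook: run the steps below as root, in order. Several steps are
# interactive (openssl prompts for passphrase/subject, vi), so paste them
# step by step rather than executing the file unattended.

# ===== setup pki, generate cert =====
# change 'dir = ../../CA' into 'dir = /etc/pki/tls'
sed -i 's,^\(dir.*= \)\.\..*,dir = /etc/pki/tls # Where everything is kept,' /etc/pki/tls/openssl.cnf
cd /etc/pki/tls
touch index.txt
mkdir -p newcerts
echo 01 >serial
# umask 077: the CA key and everything created below must not be group/world readable
umask 077
# CA key is passphrase-protected (-des3); openssl prompts for the passphrase
openssl genrsa -out private/cakey.pem -des3 2048
openssl req -new -x509 -key private/cakey.pem -days 3650 >cacert.pem

### create ldap-server cert on ldapserver, sign it
mkdir -p /etc/openldap
cd /etc/openldap
umask 077
# 2048-bit key, same size as the CA key above (1024-bit RSA is below the current minimum)
openssl genrsa -out slapd.key 2048
openssl req -new -key slapd.key -out slapd.csr
# openssl req -in slapd.csr -noout -text   # see contents of request
cp slapd.csr /etc/pki/tls
cd /etc/pki/tls
openssl ca -in slapd.csr -out slapd.crt
cp slapd.crt cacert.pem /etc/openldap

# ===== setup openldap =====
yum -y install openldap-servers openldap-clients
cd /etc/openldap
chown ldap cacert.pem slapd.crt slapd.key
chmod 400 cacert.pem slapd.crt slapd.key
# rootpw must be stored as a hash, never cleartext: generate it with
# slappasswd and paste the {SSHA}... output into slapd.conf below
slappasswd
vi slapd.conf
# make sure core, cosine, nis and inetorgperson schema files are included, and ensure these settings:
#   TLSCACertificateFile /etc/openldap/cacert.pem
#   TLSCertificateFile /etc/openldap/slapd.crt
#   TLSCertificateKeyFile /etc/openldap/slapd.key
#   database bdb
#   suffix "dc=fluxcoil,dc=net"
#   rootdn "cn=Manager,dc=fluxcoil,dc=net"
#   rootpw {SSHA}<paste the slappasswd output here>
# slapd.conf now holds the rootpw hash: readable by root and the ldap user only
chown root:ldap slapd.conf
chmod 640 slapd.conf
cp /etc/openldap/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown ldap:ldap /var/lib/ldap/DB_CONFIG
chkconfig ldap on
service ldap start

# ===== populate openldap =====
# see the [[snippets/linux_quickshotsetups/ldap_auth_server_populate|ldap_auth_server_populate page]]

# ===== verify config =====
mkdir -p /etc/openldap/cacerts
cp /etc/openldap/cacert.pem /etc/openldap/cacerts/
# append only once, so re-running this runbook does not duplicate the line
grep -q '^TLS_CACERT ' /etc/openldap/ldap.conf || echo 'TLS_CACERT /etc/openldap/cacerts/cacert.pem' >>/etc/openldap/ldap.conf
# plain (unencrypted) query: only checks that the directory answers at all
ldapsearch -x -b dc=fluxcoil,dc=net -H ldap://rhel5u6b.site
# -ZZ: issue StartTLS and fail if it cannot be negotiated, so this also
# verifies the server cert against the CA configured in ldap.conf
ldapsearch -x -b dc=fluxcoil,dc=net -H ldap://rhel5u6b.site -ZZ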