



What?

Deploy an LDAP server on RHEL 5, used for LDAP authentication/authorization.

Set up the PKI and generate the certificates

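# Point the CA working directory at /etc/pki/tls (the stock file has 'dir = ../../CA').
cd /etc/pki/tls || exit 1
sed -i 's,^\(dir.*= \)\.\..*,dir             = /etc/pki/tls          # Where everything is kept,' openssl.cnf
# Bookkeeping files 'openssl ca' expects; 'private' holds the CA key.
mkdir -p newcerts private
touch index.txt
# Only seed the serial on a fresh CA: resetting it on a rerun would reissue serial numbers.
[ -s serial ] || echo 01 >serial
# Everything created from here on is root-only (the CA key in particular).
# NOTE: umask persists for the rest of this shell session.
umask 077
# -des3 encrypts the CA key with a passphrase; openssl prompts for it here and
# again on every 'openssl ca' signing run.
openssl genrsa -out private/cakey.pem -des3 2048 || exit 1
# Self-signed CA certificate, valid for 10 years.
openssl req -new -x509 -key private/cakey.pem -days 3650 -out cacert.pem || exit 1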

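### create ldap-server cert on ldapserver, sign it
mkdir -p /etc/openldap
cd /etc/openldap || exit 1
# Key file must not be readable by anyone but root (it is handed to 'ldap' later).
umask 077
# 2048-bit key, same size as the CA key above; 1024-bit RSA is no longer adequate.
openssl genrsa -out slapd.key 2048 || exit 1
# The CN entered at this prompt must be the hostname clients use to reach the
# server (rhel5u6b.site in the ldapsearch -ZZZ check below), or TLS verification fails.
openssl req -new -key slapd.key -out slapd.csr || exit 1
# openssl req -in slapd.csr -noout -text # see contents of request
cp -- slapd.csr /etc/pki/tls
cd /etc/pki/tls || exit 1
# Prompts for the CA key passphrase; the signed certificate lands in slapd.crt.
openssl ca -in slapd.csr -out slapd.crt || exit 1
# Server needs its own cert plus the CA cert (the latter is also handed to clients).
cp -- slapd.crt cacert.pem /etc/openldap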

Set up OpenLDAP

# Server daemon plus the ldap* client tools used for the checks at the end.
yum install -y openldap-servers openldap-clients

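cd /etc/openldap || exit 1
# slapd runs as 'ldap' and must read the key and both certs; nobody else needs to.
chown ldap -- cacert.pem slapd.crt slapd.key
chmod 400 -- cacert.pem slapd.crt slapd.key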

# Edit the server configuration interactively; the required directives are listed below.
vi -- slapd.conf
# make sure core, cosine, nis and inetorgperson schema files are included, and ensure these settings:
# TLS material produced in the PKI steps above; all three files are owned by 'ldap', mode 400.
TLSCACertificateFile /etc/openldap/cacert.pem 
TLSCertificateFile /etc/openldap/slapd.crt
TLSCertificateKeyFile /etc/openldap/slapd.key

# Backing store lives in /var/lib/ldap (DB_CONFIG is installed there below).
database        bdb
suffix          "dc=fluxcoil,dc=net"
rootdn          "cn=Manager,dc=fluxcoil,dc=net"
# NOTE(review): 'secret' is a cleartext example value; put the {SSHA} hash printed
# by slappasswd here instead of a plain password.
rootpw          secret
---------------------------
# Berkeley DB tuning file for the bdb backend, owned by the account slapd runs as.
db_config=/var/lib/ldap/DB_CONFIG
cp -- /etc/openldap/DB_CONFIG.example "$db_config"
chown ldap:ldap -- "$db_config"

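# Enable at boot, then start now; a failed start must not go unnoticed before the checks below.
chkconfig ldap on
service ldap start || exit 1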

Populate OpenLDAP

Verify the configuration

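# Trust our CA on the client side; ldap.conf is read by the ldap* client tools.
mkdir -p /etc/openldap/cacerts
cp -- /etc/openldap/cacert.pem /etc/openldap/cacerts/
# Append the TLS_CACERT line only once so a rerun does not duplicate it
# (grep errors are silenced because ldap.conf may not exist yet).
grep -q '^TLS_CACERT /etc/openldap/cacerts/cacert.pem' /etc/openldap/ldap.conf 2>/dev/null \
  || echo 'TLS_CACERT /etc/openldap/cacerts/cacert.pem' >>/etc/openldap/ldap.conf
# Anonymous simple bind, first plain and then with StartTLS made mandatory (-ZZ);
# the second fails if the chain does not verify or the CN does not match the hostname.
ldapsearch -x -b dc=fluxcoil,dc=net -H ldap://rhel5u6b.site
ldapsearch -x -b dc=fluxcoil,dc=net -H ldap://rhel5u6b.site -ZZZ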