



What?

Deploy an LDAP server on RHEL 6, used for LDAP authentication/authorization.

Set up PKI, generate certificates

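# change 'dir = /etc/pki/CA' into 'dir = /etc/pki/tls'
# sed -i 's,^\(dir.*= /\).*,dir             = /etc/pki/tls          # Where everything is kept,' /etc/pki/tls/openssl.cnf
# Build a private CA under /etc/pki/CA (the 'dir' the stock RHEL 6 openssl.cnf points at).
cd /etc/pki/CA || exit 1
touch index.txt           # empty issued-certificate database for 'openssl ca'
mkdir -p newcerts
echo 01 >serial           # first serial number 'openssl ca' hands out
umask 077                 # everything created below is owner-only (0600/0700)
# CA key: 2048-bit RSA, passphrase-protected (-des3) so the key file alone is not enough to sign
openssl genrsa -out private/cakey.pem -des3 2048
# self-signed CA certificate, valid 10 years; -sha256 avoids a SHA-1 signature
openssl req -new -x509 -sha256 -key private/cakey.pem -days 3650 >cacert.pem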

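### create ldap-server cert on ldapserver, sign it
# sed -e "s,^\(commonName.*= \)Common.*,\1$(hostname)," </etc/pki/tls/openssl.cnf >/etc/pki/tls/openssl.cnf.host
mkdir -p /etc/openldap
cd /etc/openldap || exit 1
umask 077                 # slapd.key is created 0600; it must never be world-readable
# server key: 2048-bit RSA (1024-bit keys are below current minimums and rejected by many clients)
openssl genrsa -out slapd.key 2048
# CSR: the Common Name has to be the hostname clients put in the LDAP URI, otherwise TLS verification fails
openssl req -new -key slapd.key -out slapd.csr
# openssl req -in slapd.csr -noout -text # see contents of request
cp slapd.csr /etc/pki/CA
cd /etc/pki/CA || exit 1
# sign with the CA built above; -md sha256 so the issued certificate is not SHA-1 signed
openssl ca -md sha256 -in slapd.csr -out slapd.crt
cp slapd.crt cacert.pem /etc/openldap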

Set up OpenLDAP on RHEL 6.0

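yum -y install openldap-servers openldap-clients

cd /etc/openldap || exit 1
# the certificate files were copied here in the PKI step; only the ldap service account may read them
chown ldap cacert.pem slapd.crt slapd.key
chmod 400 cacert.pem slapd.crt slapd.key
# RHEL 6.0 still ships the classic slapd.conf; slapd.d is generated from it with slaptest later on
cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf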

vi slapd.conf
# make sure core, cosine, nis and inetorgperson schema files are included, and ensure these settings:
# TLS material created in the PKI step; the paths must match the files chown'ed/chmod'ed above
TLSCACertificateFile /etc/openldap/cacert.pem 
TLSCertificateFile /etc/openldap/slapd.crt
TLSCertificateKeyFile /etc/openldap/slapd.key

database        bdb
suffix          "dc=fluxcoil,dc=net"
checkpoint      1024 15
rootdn          "cn=Manager,dc=fluxcoil,dc=net"
# NOTE(review): rootpw is stored in the clear here; put the {SSHA} value printed by slappasswd in its place
rootpw          secret

# only the Manager DN may read anything; every other bind (including anonymous) gets no access
access to *
        by dn.exact="cn=Manager,dc=fluxcoil,dc=net" read
        by * none
---------------------------
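cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown ldap:ldap /var/lib/ldap/DB_CONFIG

# todo: figure out way to use the default config..
# regenerate slapd.d from slapd.conf; the ':?' expansion aborts the rm if the path is ever empty
slapd_d=/etc/openldap/slapd.d
rm -rf -- "${slapd_d:?}"/*
# stop here on a broken slapd.conf instead of starting slapd with an empty slapd.d
slaptest -f /etc/openldap/slapd.conf -F "$slapd_d" || exit 1
chown -R ldap:ldap "$slapd_d"
chown -R ldap:ldap /var/lib/ldap*
# owner-only access to the generated config (it contains the rootpw): clear all bits, then re-add u+rwX
chmod -R 000 "$slapd_d"
chmod -R u+rwX "$slapd_d"

chkconfig slapd on
service slapd start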

Set up OpenLDAP on RHEL 6.1 / 6.2

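yum -y install openldap-servers openldap-clients

# certificate files come from the PKI step; use the ldap account the package creates, not a hard-coded uid/gid
chown ldap:ldap /etc/openldap/cacert.pem /etc/openldap/slapd.crt /etc/openldap/slapd.key
chmod 400 /etc/openldap/cacert.pem /etc/openldap/slapd.crt /etc/openldap/slapd.key

# customize config
# 'sed -i -e', not '-ie': with GNU sed the fused form means '-i' with backup suffix 'e' and leaves stray
# backup files inside slapd.d. The dc=com match is anchored so no other 'com' substring is rewritten.
sed -i -e 's/my-domain/fluxcoil/g' -e 's/dc=com/dc=net/g' /etc/openldap/slapd.d/cn=config/olcDatabase={*}bdb.ldif
sed -i -e 's/my-domain/fluxcoil/g' /etc/openldap/slapd.d/cn=config/olcDatabase={*}monitor.ldif

# rootpw as a hash produced by slappasswd (never the cleartext password)
echo 'olcRootPW: {SSHA}eQg4MS/auraoK+gZ//tcq58E+/9guX2M' >>/etc/openldap/slapd.d/cn=config/olcDatabase={*}bdb.ldif
# the olcTLS* attributes are global (olcGlobal) and belong in cn=config.ldif; slapd rejects them
# as 'not allowed' inside a per-database entry such as the bdb ldif
echo 'olcTLSCACertificateFile: /etc/openldap/cacert.pem' >>/etc/openldap/slapd.d/cn=config.ldif
echo 'olcTLSCertificateFile: /etc/openldap/slapd.crt' >>/etc/openldap/slapd.d/cn=config.ldif
echo 'olcTLSCertificateKeyFile: /etc/openldap/slapd.key' >>/etc/openldap/slapd.d/cn=config.ldif

# enable the ldaps listener whatever the current value is (replacing only the '=no' case misses an already
# customised file)
sed -i -e 's/^SLAPD_LDAPS=.*/SLAPD_LDAPS=yes/' /etc/sysconfig/ldap

cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown -R ldap:ldap /var/lib/ldap/

# validate the hand-edited slapd.d (-u: dry run, no database is touched) before enabling the service
slaptest -u -F /etc/openldap/slapd.d || exit 1

chkconfig slapd on
service slapd start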

Populate OpenLDAP

Increase the debug level of slapd

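# add option to log to LOCAL5 (slapd's default syslog facility is LOCAL4); skip if the exact line is already there
grep -qxF 'SLAPD_OPTIONS="-l LOCAL5"' /etc/sysconfig/ldap || echo 'SLAPD_OPTIONS="-l LOCAL5"' >>/etc/sysconfig/ldap
# direct local5 to new logfile; skip if a local5 rule already exists so reruns do not duplicate it
grep -q '^local5\.\*' /etc/rsyslog.conf || echo 'local5.*                                                /var/log/slapd.log' >>/etc/rsyslog.conf
service rsyslog restart
service slapd restart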

Increase the debug level of slapd (alternative)

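# raise slapd's log level via cn=config instead of SLAPD_OPTIONS
# olcLogLevel is a global (olcGlobal) attribute: it belongs in cn=config.ldif, not in the per-database
# monitor/bdb ldifs, where slapd rejects it as not allowed. 256 = 'stats' (connections, operations, results).
cd /etc/openldap/slapd.d || exit 1
grep -q '^olcLogLevel:' cn=config.ldif || echo 'olcLogLevel: 256' >>cn=config.ldif

# direct slapd's syslog output to a new logfile; without '-l LOCAL5' in SLAPD_OPTIONS slapd logs to LOCAL4,
# so the selector has to be local4 here
grep -q '^local4\.\*' /etc/rsyslog.conf || echo 'local4.*                                                /var/log/slapd.log' >>/etc/rsyslog.conf
service rsyslog restart
service slapd restart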

Verify the configuration

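# give the LDAP client library the CA certificate so it can verify the server certificate
mkdir -p /etc/openldap/cacerts
cp /etc/openldap/cacert.pem /etc/openldap/cacerts/
# append TLS_CACERT only once (TLS_CACERTDIR lines are left alone)
grep -q '^TLS_CACERT ' /etc/openldap/ldap.conf || echo 'TLS_CACERT /etc/openldap/cacerts/cacert.pem' >>/etc/openldap/ldap.conf
# anonymous simple bind (-x) over plain LDAP; the hostname must match the certificate's Common Name for the TLS test below
ldapsearch -x -b dc=fluxcoil,dc=net -H ldap://rhel6b.site
# -ZZ makes StartTLS mandatory, so this fails (rather than falling back to cleartext) if TLS or certificate verification is broken
ldapsearch -x -b dc=fluxcoil,dc=net -H ldap://rhel6b.site -ZZ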