MANUAL DE INSTALACIN OPENLDAP EN CENTOS

1. Instalacin SO Centos 2. Instalacin OpenLdap Server

2.1. Instalacin de OpenLDAP [root@dir ~]# yum -y install openldap-servers openldap-clients [root@dir ~]# vi /etc/sysconfig/ldap # line 16: uncomment and change SLAPD_LDAPI= yes

[root@dir ~]# vi /etc/openldap/slapd.conf # create new pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args

[root@dir ~]# rm -rf /etc/openldap/slapd.d/* [root@dir ~]# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d config file testing succeeded [root@dir ~]# vi /etc/openldap/slapd.d/cn=config/olcDatabase\={0}config.ldif # line 4: change olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break

[root@dir ~]# vi /etc/openldap/slapd.d/cn=config/olcDatabase\={1}monitor.ldif # create new dn: olcDatabase={1}monitor objectClass: olcDatabaseConfig olcDatabase: {1}monitor olcAccess: {1}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break olcAddContentAcl: FALSE olcLastMod: TRUE olcMaxDerefDepth: 15 olcReadOnly: FALSE olcMonitoring: FALSE structuralObjectClass: olcDatabaseConfig creatorsName: cn=config modifiersName: cn=config

[root@dir ~]# chown -R ldap. /etc/openldap/slapd.d [root@dir ~]# chmod -R 700 /etc/openldap/slapd.d [root@dir ~]# /etc/rc.d/init.d/slapd start Starting slapd: [ OK ] [root@dir ~]# chkconfig slapd on

2.2. Configuracin Inicial [root@dir ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/core.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 adding new entry "cn=core,cn=schema,cn=config" [root@dir ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 adding new entry "cn=cosine,cn=schema,cn=config" [root@dir ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 adding new entry "cn=nis,cn=schema,cn=config" [root@dir ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 adding new entry "cn=inetorgperson,cn=schema,cn=config" [root@dir ~]# slappasswd # generate password New password: # input any one Re-enter new password: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx [root@dir ~]# vi backend.ldif # create new # replace the section "dc=***,dc=***" to your own suffix # replace the section "olcRootPW: ***" to your own password generated by slappasswd above dn: cn=module,cn=config objectClass: olcModuleList cn: module olcModulepath: /usr/lib64/openldap olcModuleload: back_hdb

dn: olcDatabase=hdb,cn=config objectClass: olcDatabaseConfig objectClass: olcHdbConfig olcDatabase: {2}hdb olcSuffix: dc=ldap-prueba,dc=com olcDbDirectory: /var/lib/ldap olcRootDN: cn=admin,dc=ldap-prueba,dc=com olcRootPW: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx olcDbConfig: set_cachesize 0 2097152 0 olcDbConfig: set_lk_max_objects 1500 olcDbConfig: set_lk_max_locks 1500 olcDbConfig: set_lk_max_lockers 1500 olcDbIndex: objectClass eq olcLastMod: TRUE olcMonitoring: TRUE olcDbCheckpoint: 512 30 olcAccess: to attrs=userPassword by dn="cn=admin,dc= ldap-prueba,dc=com" write by anonymous auth by self write by * none olcAccess: to attrs=shadowLastChange by self write by * read olcAccess: to dn.base="" by * read olcAccess: to * by dn="cn=admin,dc=ldap-prueba,dc=com" write by * read

[root@dir ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f backend.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 adding new entry "cn=module,cn=config" adding new entry "olcDatabase=hdb,cn=config" [root@dir ~]# vi frontend.ldif # create new # replace the section "dc=***,dc=***" to your own suffix # replace the section "userPassword: ***" to your own password generated by slappasswd above dn: dc=server,dc=world objectClass: top objectClass: dcObject objectclass: organization o: Server World dc: Server dn: cn=admin,dc=ldap-prueba,dc=com objectClass: simpleSecurityObject objectClass: organizationalRole cn: admin userPassword: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx dn: ou=people,dc=ldap-prueba,dc=com objectClass: organizationalUnit ou: people dn: ou=groups,dc=ldap-prueba,dc=com objectClass: organizationalUnit ou: groups

[root@dir ~]# ldapadd -x -D cn=admin,dc=ldap-prueba,dc=com -W -f frontend.ldif Enter LDAP Password: # password you set adding new entry "dc=ldap-prueba,dc=com" adding new entry "cn=admin,dc=ldap-prueba,dc=com" adding new entry "ou=people,dc=ldap-prueba,dc=com" adding new entry "ou=groups,dc=ldap-prueba,dc= com"

2.3. Configuracin de interfaz de administracin web [root@master ~]# yum --enablerepo=epel -y install phpldapadmin # install from EPEL [root@master ~]# vi /etc/phpldapadmin/config.php # line 397: uncomment, line 398: make it comment $servers->setValue('login','attr','dn'); // $servers->setValue('login','attr','uid');

[root@master ~]# vi /etc/httpd/conf.d/phpldapadmin.conf Alias /phpldapadmin /usr/share/phpldapadmin/htdocs Alias /ldapadmin /usr/share/phpldapadmin/htdocs < Directory /usr/share/phpldapadmin/htdocs> Order Deny,Allow Deny from all Allow from 127.0.0.1 10.0.0.0/24 # IP address you allow Allow from ::1 < /Directory>

[root@master ~]# /etc/rc.d/init.d/httpd restart Stopping httpd: [ OK ] Starting httpd: [ OK ]