2014/12/30

Quick OpenLDAP Setup on CentOS 6.6

  1. Install the necessary files:
    yum install openldap openldap-clients openldap-servers
  2. Modify the following options in the /etc/openldap/slapd.d/cn\=config.ldif configuration file:
    #olcAllows: bind_v2  
    olcIdleTimeout: 60
    
    
  3. Generate the SSHA hash for the admin user:
    slappasswd -s password
    (example output: {SSHA}abunchofhash)
    
  4. Modify the following configuration options in /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}bdb.ldif. The domain will be test.com
    olcSuffix: dc=test,dc=com
    olcRootDN: cn=admin,dc=test,dc=com
    olcRootPW: {SSHA}abunchofhash
    
    
    
  5. Modify the olcAccess option in /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{1\}monitor.ldif so the dn is correct:
    olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=admin,dc=test,dc=com" read by * none
    
    
  6. Start the OpenLDAP server and configure it to start at boot time:
    chkconfig slapd on
    service slapd start
    
    
  7. Create an LDIF (LDAP Data Interchange Format) file with the configuration for our organization's LDAP tree. Here we will create two organizational units: one called Users, which every user will be a member of, and another called Groups, which will be used to create groups for our organization. At the end of the file specify who the RootDN for this LDAP tree is (cn=admin,dc=test,dc=com). I named this file ldapconfig.ldif:
    dn: dc=test,dc=com
    objectclass: dcObject
    objectclass: organization
    o: Test Org
    dc: test
    
    dn: ou=Users,dc=test,dc=com
    objectClass: organizationalUnit
    objectClass: top
    ou: Users
    
    dn: ou=Groups,dc=test,dc=com
    objectClass: organizationalUnit
    objectClass: top
    ou: Groups
    
    dn: cn=admin,dc=test,dc=com
    objectclass: organizationalRole
    cn: admin
  8. Apply our LDIF file and check whether the LDAP tree is ready with the ldapsearch command:
    ldapadd -x -D "cn=admin,dc=test,dc=com" -W -f ldapconfig.ldif
    ldapsearch -x -b 'dc=test,dc=com' '(objectclass=*)'
  9. Create an LDAP user by adding the below to an LDIF file and running ldapadd as above:
    dn: uid=user1,ou=Users,dc=test,dc=com
    objectclass: top
    objectclass: person
    objectclass: inetOrgPerson
    objectclass: organizationalPerson
    uid: user1
    cn: User 1
    sn: 1
    givenName: User 1
    
    
  10. Assign a password for the user:
    ldappasswd -S -x -D "cn=admin,dc=test,dc=com" -W uid=user1,ou=Users,dc=test,dc=com
    
    
  11. Create a group in the Groups organizational unit by adding the below to an LDIF file and running ldapadd as above (keep the entry together; a blank line in LDIF ends the entry):
    dn: cn=group1,ou=Groups,dc=test,dc=com
    objectclass: groupofnames
    cn: group1
    member: uid=user1,ou=Users,dc=test,dc=com
    
    
  12. To add a newly created user to the group after the initial creation, create another LDIF file and add the below text to it. Then modify the group with ldapmodify:
    dn: cn=group1,ou=Groups,dc=test,dc=com
    changetype: modify
    add: member
    member: uid=user2,ou=Users,dc=test,dc=com

    ldapmodify -x -D "cn=admin,dc=test,dc=com" -W -f addto_group1.ldif
    
    
  13. To remove a user from a group, create another LDIF file and add the below text. Use ldapmodify to again modify the group:
    dn: cn=group1,ou=Groups,dc=test,dc=com
    changetype: modify
    delete: member
    member: uid=user2,ou=Users,dc=test,dc=com

    ldapmodify -x -D "cn=admin,dc=test,dc=com" -W -f removefrom_group1.ldif