For those who’d like to take LDAP for a spin without wading through other tutorials and production-ready builds, here’s a rough and ready LDAP server setup on CentOS 6.8 (because CentOS 7/systemd is the worst). This guide assumes a good familiarity with Linux: installing packages, editing text files, managing services, and troubleshooting errors.

All domain names in this guide should be replaced with your desired name. The example domain name is “nixland.local”. The server’s IP address is 192.168.2.10/24 and hostname is “DS1”. Console lines preceded by a “#” symbol indicate a command entered in the shell, and should be entered as root or with the sudo command prepended.

Server Setup

1) Install Packages

The openldap, openldap-clients, and openldap-servers packages are needed.

# yum install openldap openldap-clients openldap-servers

2) Create Configuration

i) Edit the /etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif file

Change the line

olcRootDN: cn=Manager,dc=my-domain,dc=com

to

olcRootDN: cn=Manager,dc=nixland,dc=local

This is the admin LDAP account that we’ll use to administer the database.

Modify the line that begins with olcSuffix as follows:

olcSuffix: dc=nixland,dc=local

ii) Edit the /etc/openldap/slapd.d/cn\=config.ldif file

Execute the slappasswd command and specify a password; it prints a salted hash of that password:

# slappasswd

Paste the entire output text into the file as the value of a new olcRootPW line, as shown (the hash below is a placeholder for whatever slappasswd printed):

olcRootPW: {SSHA}<hash printed by slappasswd>

iii) Verify and Start Services

Run the slaptest -u command to verify the configuration files. Checksum errors can be ignored.

# slaptest -u

Start the slapd service.

# service slapd start

Verify that an LDAP search against the server works:

[screenshot: the ldapsearch command and its output]

Your results will be fewer than mine, as I had previously-created objects in the above search.

3) Create LDAP objects

To create entries, objects, or other entities in the LDAP structure, you first create a .ldif file that contains the entity’s definition and attributes. Then you import that file with ldapadd using the LDAP admin (“Manager”) credentials, which writes the file’s contents into the LDAP database. It is recommended that the .ldif files be created inside a separate directory such as /root or /home/poweruser for ease of access.

i) Create base information

Create 10-nixland-local.ldif as follows:

dn: dc=nixland,dc=local
objectClass: dcObject
objectClass: organization
dc: nixland
o: nixland

ii) Create MemberOf information

Create 15-memberof.ldif (I’m not really sure what this does – I think it has to do with allowing objects to be members of other objects or groups?)

dn: cn=module,cn=config
cn: module
objectClass: olcModuleList
objectClass: top
olcModuleLoad: memberof.la
olcModulePath: /usr/lib64/openldap

dn: olcOverlay=memberof,olcDatabase={2}bdb,cn=config
objectClass: olcConfig
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: top
olcOverlay: memberof

iii) Create Organizational Units (OUs)

Create 20-nixland-local-ous.ldif as follows, with an entry for each OU you’d like:

dn: ou=Users,dc=nixland,dc=local
objectClass: organizationalUnit
ou: Users

dn: ou=Groups,dc=nixland,dc=local
objectClass: organizationalUnit
ou: Groups

iv) Import the files into LDAP

# ldapadd -x -W -D "cn=Manager,dc=nixland,dc=local" -f 10-nixland-local.ldif

# ldapadd -x -W -D "cn=Manager,dc=nixland,dc=local" -f 15-memberof.ldif

# ldapadd -x -W -D "cn=Manager,dc=nixland,dc=local" -f 20-nixland-local-ous.ldif

v) Enable openLDAP server on startup

# chkconfig slapd on
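The base and OU files above are easy to get subtly wrong (a DN typed as `dc=nixland.local`, or spelled differently in the two files, will make every later import fail). This added example, which is not part of the original post, derives the base DN from the domain name and generates both LDIF files from it; the domain name and output directory are assumptions.

```sh
#!/bin/sh
# Added example, not from the original post: derive the base DN from the
# domain name and generate the 10-/20- LDIF files from it, so the DN is
# spelled the same way in every file. POSIX sh only; inputs are assumed.

# "nixland.local" -> "dc=nixland,dc=local"; returns 1 on an empty label
domain_to_dn() {
    rest=$1 dn=""
    while [ -n "$rest" ]; do
        label=${rest%%.*}
        [ -n "$label" ] || return 1
        case $rest in *.*) rest=${rest#*.} ;; *) rest="" ;; esac
        dn="${dn:+$dn,}dc=$label"
    done
    printf '%s' "$dn"
}

# Contents of 10-<domain>.ldif: the dcObject/organization base entry
base_ldif() {
    dn=$(domain_to_dn "$1") || return 1
    label=${1%%.*}
    printf 'dn: %s\nobjectClass: dcObject\nobjectClass: organization\ndc: %s\no: %s\n' \
        "$dn" "$label" "$label"
}

# Contents of 20-<domain>-ous.ldif: one organizationalUnit per name after the domain
ou_ldif() {
    dn=$(domain_to_dn "$1") || return 1
    shift
    n=0
    for ou in "$@"; do
        [ "$n" -eq 0 ] || printf '\n'   # LDIF separates entries with a blank line
        n=$((n + 1))
        printf 'dn: ou=%s,%s\nobjectClass: organizationalUnit\nou: %s\n' "$ou" "$dn" "$ou"
    done
}

# Write both files into a directory (e.g. /root/ldif) and print the ldapadd
# commands that would import them as cn=Manager (printed only, not executed)
write_ldif_files() {
    domain=$1 dir=$2
    dn=$(domain_to_dn "$domain") || return 1
    tag=$(printf '%s' "$domain" | tr '.' '-')
    mkdir -p "$dir" || return 1
    base_ldif "$domain" > "$dir/10-$tag.ldif"
    ou_ldif "$domain" Users Groups > "$dir/20-$tag-ous.ldif"
    for f in "$dir/10-$tag.ldif" "$dir/20-$tag-ous.ldif"; do
        printf 'ldapadd -x -W -D "cn=Manager,%s" -f %s\n' "$dn" "$f"
    done
}
```

Running `write_ldif_files nixland.local /root/ldif` produces the same two files shown above and prints the matching ldapadd commands for you to run.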

4) Install phpLDAPadmin package

phpLDAPadmin provides a graphical web interface that is much easier to administer and view than text files and command lines.

i) Install the EPEL repository and the phpLDAPadmin package.

# yum install -y epel-release

# yum install -y phpldapadmin

ii) Edit the configuration files

Comment out line 398 and un-comment line 397 of /etc/phpldapadmin/config.php

[screenshot: the edited lines of /etc/phpldapadmin/config.php]

Add your local subnet to the Allow from directive in /etc/httpd/conf.d/phpldapadmin.conf, which by default permits access only from localhost.

[screenshot: the Allow from lines of /etc/httpd/conf.d/phpldapadmin.conf]

iii) Enable Apache startup

# chkconfig httpd on

iv) Log in to phpLDAPadmin:

Browse to http://DS1.nixland.local/ldapadmin, click login, and authenticate with the Manager DN and the password you set with slappasswd:

[screenshots: the phpLDAPadmin login page and the login form]

v) Users and Groups

Add a Group. Users must belong to a group, so this is done prior to user creation.

[screenshots: creating a group in phpLDAPadmin]

Add users inside OUs, selecting a GID group when applicable.

[screenshot: creating a user in phpLDAPadmin]

Commit your user add on the next screen, and voila!

Your server is now ready to accept domain join and logon requests from client workstations and devices. Have fun with your new LDAP server!
