RHEL6 openldap server

Please note that all double quote characters in this example are plain ASCII " characters, not typographical ones!

Step 1: first we need to install the required packages:

#yum install openldap-servers migrationtools

Step 2: Since the LDAP configuration is stored inside the LDAP server itself (the cn=config database), it is edited through the LDIF files under the /etc/openldap/slapd.d/ directory.

Now create the ldap password:

#slappasswd

You'll get something like "{SSHA}r2or9f2vYlvieCu0LP6wTnSdYfrddsuV" as a result. This hashed string is what we will add to the bdb.ldif config file as the root password.

# vim /etc/openldap/slapd.d/cn=config/olcDatabase={1}bdb.ldif

Substitute my-domain.com with yourdomain.com (in vim):

:%s/dc=my-domain,dc=com/dc=yourdomain,dc=com/g

Step 3: We now set the admin password and specify the location of our TLS certificate and key.

Add these 3 lines at the end of the bdb.ldif file:

olcRootPW: {SSHA}r2or9f2vYlvieCu0LP6wTnSdYfrddsuV
olcTLSCertificateFile: /etc/pki/tls/certs/slapdcert.pem
olcTLSCertificateKeyFile: /etc/pki/tls/certs/slapdkey.pem

Step 4: Now we have to specify the monitoring privileges

#vim /etc/openldap/slapd.d/cn=config/olcDatabase={2}monitor.ldif

Again, we have to replace the default domain name with our domain name:

:%s/cn=manager,dc=my-domain,dc=com/cn=Manager,dc=yourdomain,dc=com/g

Step 5: Now it's time for the database cache

#updatedb

#cp /usr/share/doc/openldap-servers-2.4.19/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

#chown -Rf ldap:ldap /var/lib/ldap/

Step 6: Now we will need to set up a certificate for TLS. First we need to edit /etc/sysconfig/ldap and change SLAPD_LDAPS from no to yes.

#vi /etc/sysconfig/ldap
SLAPD_LDAPS=yes

Now we can create the self-signed certificate and its private key:

#openssl req -new -x509 -nodes -out /etc/pki/tls/certs/slapdcert.pem -keyout /etc/pki/tls/certs/slapdkey.pem -days 365

This will create the certificate and the private key in the /etc/pki/tls/certs/ directory. We need to make them readable for the ldap user (via the ldap group) while keeping the key unreadable for everyone else.

# chown root:ldap /etc/pki/tls/certs/slapdcert.pem /etc/pki/tls/certs/slapdkey.pem
# chmod 640 /etc/pki/tls/certs/slapdkey.pem

Step 7: Time to test our configuration

# slaptest -u
config file testing succeeded

Step 8:  Start the ldap server

#service slapd start

Let's check if our ldap server really works:

#ldapsearch -x -b "dc=yourdomain,dc=com"

If the output ends with "# search: 2" then you're on track!

Step 9: Configure the base domain

#vi base.ldif

dn: dc=yourdomain,dc=com
dc: yourdomain
objectClass: top
objectClass: domain

dn: ou=People,dc=yourdomain,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=yourdomain,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit

Now we import our base information into the ldap directory (the base DN must match the olcSuffix of the bdb database, dc=yourdomain,dc=com):

#ldapadd -x -W -D "cn=Manager,dc=yourdomain,dc=com" -f base.ldif

Step 10: Let's migrate the users

Go to the directory /usr/share/migrationtools and edit the file migrate_common.ph:

# vim /usr/share/migrationtools/migrate_common.ph

Set:
# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "yourdomain.com";
# Default base
$DEFAULT_BASE = "dc=yourdomain,dc=com";

Export the local accounts and groups with UIDs/GIDs in the 500-599 range, convert them to LDIF and import them (the generated group entries live under ou=Group, which matches the base.ldif above):

#grep ":5[0-9][0-9]" /etc/passwd > passwd
#grep ":5[0-9][0-9]" /etc/group > group
#./migrate_passwd.pl passwd > users.ldif
#./migrate_group.pl group > group.ldif
#ldapadd -x -W -D "cn=Manager,dc=yourdomain,dc=com" -f users.ldif
#ldapadd -x -W -D "cn=Manager,dc=yourdomain,dc=com" -f group.ldif

Step 11: Testing the ldap server. We check if user mani exists:

#ldapsearch -x "(cn=mani)" -b "dc=yourdomain,dc=com"

If the test is successful, you're done 🙂
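The three mistakes that most often break this setup are a plaintext olcRootPW, a base.ldif whose top entry does not match the database's olcSuffix, and a TLS key readable by every local user. The following POSIX shell checks, added here and not part of the original post, verify those points against the files produced in Steps 3, 6 and 9; the paths are passed as arguments, and make_sample_dir builds constructed good and bad sample files so the checks can be exercised offline.

```shell
#!/bin/sh
# Added sanity checks for the slapd setup above (not from the original post).
# Each check takes file paths as arguments and returns 0 on success.

# olcRootPW must carry a hashed value such as {SSHA}..., never a plaintext password.
check_rootpw_hashed() {
    grep -q '^olcRootPW: {[A-Z0-9]*}' "$1"
}

# The olcSuffix of the bdb database must equal the dn of the first entry in
# base.ldif; otherwise ldapadd rejects the entry as outside the naming context.
check_suffix_match() {
    suffix=$(sed -n 's/^olcSuffix: //p' "$1" | head -n 1)
    base=$(sed -n 's/^dn: //p' "$2" | head -n 1)
    [ -n "$suffix" ] && [ "$suffix" = "$base" ]
}

# The TLS private key must not be world-readable (root:ldap with mode 640).
check_key_not_world_readable() {
    [ -f "$1" ] && [ -z "$(find "$1" -perm -004)" ]
}

# Run all checks against bdb.ldif, base.ldif and the key; returns the number
# of failed checks (0 means the configuration passed).
run_checks() {
    fails=0
    for c in "check_rootpw_hashed $1" "check_suffix_match $1 $2" \
             "check_key_not_world_readable $3"; do
        if $c; then echo "PASS $c"; else echo "FAIL $c"; fails=$((fails + 1)); fi
    done
    return "$fails"
}

# Constructed sample inputs (good and bad variants) for an offline run; prints
# the temporary directory that holds them.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'olcSuffix: dc=yourdomain,dc=com\nolcRootPW: {SSHA}r2or9f2vYlvieCu0LP6wTnSdYfrddsuV\n' > "$d/bdb.ldif"
    printf 'olcSuffix: dc=yourdomain,dc=com\nolcRootPW: secret\n' > "$d/bdb-plain.ldif"
    printf 'dn: dc=yourdomain,dc=com\ndc: yourdomain\n' > "$d/base.ldif"
    printf 'dn: dc=yourdomain,dc=net\ndc: yourdomain\n' > "$d/base-wrong.ldif"
    : > "$d/slapdkey.pem"; chmod 640 "$d/slapdkey.pem"
    : > "$d/world.pem";    chmod 644 "$d/world.pem"
    echo "$d"
}
```

On a real server run it as root, e.g. run_checks /etc/openldap/slapd.d/cn=config/olcDatabase={1}bdb.ldif base.ldif /etc/pki/tls/certs/slapdkey.pem, and fix every FAIL line before exposing the service.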