Please note that all double quote characters in this example are plain ASCII " characters, not typographical ones!
Step 1: First we need to install the required packages:
# yum install openldap-servers migrationtools
Step 2: Since the OpenLDAP configuration is stored inside the LDAP server itself (the cn=config backend), it is configured by editing the LDIF files under the /etc/openldap/slapd.d/ directory.
Now create the ldap password:
# slappasswd
You'll get something like "{SSHA}r2or9f2vYlvieCu0LP6wTnSdYfrddsuV" as a result. This is the string we will have to add to the bdb.ldif config file.
# vim /etc/openldap/slapd.d/cn=config/olcDatabase={1}bdb.ldif
Substitute my-domain.com with your own domain (yourdomain.com in this example):
:%s/dc=my-domain,dc=com/dc=yourdomain,dc=com/g
Step 3: We now set the admin password and specify the location of our encryption certificate and key.
Add these three lines at the end of bdb.ldif:
olcRootPW: {SSHA}r2or9f2vYlvieCu0LP6wTnSdYfrddsuV
olcTLSCertificateFile: /etc/pki/tls/certs/slapdcert.pem
olcTLSCertificateKeyFile: /etc/pki/tls/certs/slapdkey.pem
Step 4: Now we have to specify the monitoring privileges.
# vim /etc/openldap/slapd.d/cn=config/olcDatabase={2}monitor.ldif
Again, we have to replace the default domain name with our domain name:
:%s/cn=manager,dc=my-domain,dc=com/cn=Manager,dc=yourdomain,dc=com/g
Step 5: Now it's time for the database cache.
# updatedb
# cp /usr/share/doc/openldap-servers-2.4.19/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
# chown -Rf ldap:ldap /var/lib/ldap/
Step 6: Now we will need to set up a certificate for TLS. First we need to edit /etc/sysconfig/ldap and change SLAPD_LDAPS from no to yes.
# vi /etc/sysconfig/ldap
SLAPD_LDAPS=yes
Now we can create the certificate:
# openssl req -new -x509 -nodes -out /etc/pki/tls/certs/slapdcert.pem -keyout /etc/pki/tls/certs/slapdkey.pem -days 365
This creates the self-signed certificate and its private key in the /etc/pki/tls/certs/ directory. We need to make them readable for the ldap user (both files must belong to the ldap group, otherwise slapd cannot read the key):
# chown root:ldap /etc/pki/tls/certs/slapdcert.pem /etc/pki/tls/certs/slapdkey.pem
# chmod 750 /etc/pki/tls/certs/slapdkey.pem
Step 7: Time to test our configuration:
# slaptest -u
config file testing succeeded
Step 8: Start the LDAP server:
# service slapd start
Let's check if our LDAP server really works:
# ldapsearch -x -b "dc=yourdomain,dc=com"
If you get a "search: 2" line in the output, you're on track!
Step 9: Configure the base domain. The DNs must be under the suffix we set in bdb.ldif (dc=yourdomain,dc=com), and each entry is separated from the next by a blank line:
# vi base.ldif
dn: dc=yourdomain,dc=com
dc: yourdomain
objectClass: top
objectClass: domain

dn: ou=People,dc=yourdomain,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=yourdomain,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit
Now we import our base information into the LDAP directory:
# ldapadd -x -W -D "cn=Manager,dc=yourdomain,dc=com" -f base.ldif
Step 10: Let's migrate the users.
Go to the directory /usr/share/migrationtools and edit the file migrate_common.ph:
# vim /usr/share/migrationtools/migrate_common.ph
Set:
# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "yourdomain.com";
# Default base
$DEFAULT_BASE = "dc=yourdomain,dc=com";
Now export the local accounts and groups (here: those with IDs 500-599) and convert them to LDIF:
# grep ":5[0-9][0-9]" /etc/passwd > passwd
# grep ":5[0-9][0-9]" /etc/group > group
# ./migrate_passwd.pl passwd > users.ldif
# ./migrate_group.pl group > group.ldif
migrate_group.pl places the groups under ou=Group, which matches the ou=Group entry created in base.ldif above, so group.ldif can be imported as is. Only if your base uses ou=Groups instead do you need to rename the OU first, otherwise ldapadd fails with "No such object":
# sed -e "s/ou=Group/ou=Groups/g" group.ldif > groups.ldif
Import the users and groups:
# ldapadd -x -W -D "cn=Manager,dc=yourdomain,dc=com" -f users.ldif
# ldapadd -x -W -D "cn=Manager,dc=yourdomain,dc=com" -f group.ldif
Step 11: Testing the LDAP server. We check whether the user mani exists:
# ldapsearch -x -b "dc=yourdomain,dc=com" "(cn=mani)"
If the test is successful, you're done 🙂
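The two errors that most often make ldapadd fail with "No such object" in a setup like this are an LDIF entry whose DN is not under the database suffix (e.g. dc=net where the suffix is dc=com) and an entry whose parent was never created (e.g. cn=...,ou=Groups when only ou=Group exists). The following script is an added example, not part of this how-to or of the OpenLDAP project: it derives the suffix from the domain name, parses a simple LDIF file and reports exactly those two problems before anything is sent to the server. The sample LDIF strings are constructed here for the demonstration; the file and function names are my own.

```python
"""Sanity-check LDIF entries before feeding them to ldapadd.

Added example (not from the original how-to). Catches entries that are
not under the configured suffix and entries whose parent DN does not
exist, which are the usual causes of "ldap_add: No such object (32)".
"""
from typing import Dict, Iterable, List


def domain_to_dn(domain: str) -> str:
    """'yourdomain.com' -> 'dc=yourdomain,dc=com' (the database suffix)."""
    parts = [p for p in domain.strip().lower().split(".") if p]
    if not parts:
        raise ValueError("empty domain name")
    return ",".join(f"dc={p}" for p in parts)


def normalize_dn(dn: str) -> str:
    """Lower-case the DN and strip spaces around the RDN separators."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF parser: entries are separated by blank lines, a line
    starting with one space continues the previous value, '#' lines are
    comments. Base64 values ('attr:: ...') are not decoded here."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    last_attr = None
    for raw in text.splitlines() + [""]:      # trailing "" flushes the last entry
        if raw.startswith(" ") and last_attr and current:
            current[last_attr][-1] += raw[1:]  # folded continuation line
            continue
        line = raw.rstrip()
        if not line:
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        attr = attr.strip()
        current.setdefault(attr, []).append(value.strip())
        last_attr = attr
    return entries


def check_ldif(text: str, suffix: str, existing: Iterable[str] = ()) -> List[str]:
    """Return a list of problems; an empty list means the LDIF is consistent.

    `existing` lists DNs already present in the directory (e.g. the ones
    from base.ldif) so that users.ldif/group.ldif can be checked alone."""
    problems: List[str] = []
    suffix_n = normalize_dn(suffix)
    seen = {normalize_dn(d) for d in existing}
    for entry in parse_ldif(text):
        dns = entry.get("dn", [])
        if len(dns) != 1:
            problems.append(f"entry without exactly one dn: {entry}")
            continue
        dn = normalize_dn(dns[0])
        if dn != suffix_n and not dn.endswith("," + suffix_n):
            problems.append(f"{dns[0]}: not under suffix {suffix}")
        elif dn != suffix_n:
            parent = dn.partition(",")[2]
            if parent != suffix_n and parent not in seen:
                problems.append(f"{dns[0]}: parent {parent} does not exist")
        if "objectClass" not in entry:
            problems.append(f"{dns[0]}: no objectClass")
        seen.add(dn)
    return problems


# Constructed sample: the base entries with the wrong top-level component.
BASE_LDIF_WRONG = """\
dn: dc=yourdomain,dc=net
dc: yourdomain
objectClass: top
objectClass: domain

dn: ou=People,dc=yourdomain,dc=net
ou: People
objectClass: top
objectClass: organizationalUnit
"""

# Constructed sample: a group under ou=Groups although base.ldif created ou=Group.
GROUP_LDIF_WRONG_OU = """\
dn: cn=admins,ou=Groups,dc=yourdomain,dc=com
objectClass: posixGroup
cn: admins
gidNumber: 500
"""

if __name__ == "__main__":
    suffix = domain_to_dn("yourdomain.com")
    for problem in check_ldif(BASE_LDIF_WRONG, suffix):
        print("base.ldif:", problem)
    base_dns = [suffix, f"ou=People,{suffix}", f"ou=Group,{suffix}"]
    for problem in check_ldif(GROUP_LDIF_WRONG_OU, suffix, existing=base_dns):
        print("group.ldif:", problem)
```

Run it as `python3 ldif_check.py` (a hypothetical file name) before each ldapadd, or import `check_ldif` and pass in the real LDIF text; an empty result means the DNs line up with the suffix and with the entries already in the directory.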