Revision as of 00:53, 29 July 2020

OpenLDAP

Overview

Installed on CentOS 7

Installation

~$ sudo yum install -y openldap-clients openldap-servers
~$ systemctl start slapd
~$ systemctl enable slapd

Configuration

LDAP User Account

Setup new user account for ldap admin

~$ sudo useradd ldapadmin -d /home/ldapadmin/ -G wheel
~$ sudo passwd ldapadmin

Setup LDAP Admin password

Create a SHA hash of the desired password for the ldap admin and add it to the ldap config. The parameter may not exist in the config file, you may need to add it.

~$ slappasswd -h {SSHA} -s ldappassword
==Configure LDAP Server==
create db.ldif and update:
*SSHA password
*olcRootDN
 <nowiki>~$ vim db.ldif
...
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=itzgeek,dc=local

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=ldapadm,dc=itzgeek,dc=local

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}d/thexcQUuSfe3rx3gRaEhHpNJ52N8D3

Send the configuration to the server.

~$ sudo ldapmodify -Y EXTERNAL  -H ldapi:/// -f db.ldif

restrict the monitor access only to ldap root. Update:

dn.base

~$ vim monitor.ldif
...
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external, cn=auth" read by dn.base="cn=ldapadm,dc=itzgeek,dc=local" read by * none

update the server.

~$ sudo ldapmodify -Y EXTERNAL  -H ldapi:/// -f monitor.ldif

Setup Database

~$ sudo cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
~$ sudo chown -R ldap:ldap /var/lib/ldap
~$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
~$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
~$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

Setup the domain information. Update:

dn (x4)

~$ vim base.ldif
...
dn: dc=itzgeek,dc=local
dc: itzgeek
objectClass: top
objectClass: domain

dn: cn=ldapadm ,dc=itzgeek,dc=local
objectClass: organizationalRole
cn: ldapadm
description: LDAP Manager

dn: ou=People,dc=itzgeek,dc=local
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=itzgeek,dc=local
objectClass: organizationalUnit
ou: Group

Build the directory structure

~$ sudo ldapadd -x -W -D "cn=ldapadm,dc=itzgeek,dc=local" -f base.ldif

@@ Line 1: / Line 1: @@
 [[Oracle_Linux/OpenLDAP|OpenLDAP]]
 =Overview=
-Installed on CentOS 6
+Installed on CentOS 7
 =Installation=
-  <nowiki>~$ sudo yum install -y openldap-clients openldap-servers</nowiki>
+  <nowiki>~$ sudo yum install -y openldap-clients openldap-servers
+~$ systemctl start slapd
+~$ systemctl enable slapd</nowiki>
 =Configuration=
@@ Line 11: / Line 13: @@
   <nowiki>~$ sudo useradd ldapadmin -d /home/ldapadmin/ -G wheel
 ~$ sudo passwd ldapadmin</nowiki>
-==Set as LDAP Admin==
-Set new admin as LDAP admin
- <nowiki>~$ sudo vim /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}bdb.ldif
-...
-olcRootDN: cn=ldapadmin,dc=my-domain,dc=com</nowiki>
 ==Setup LDAP Admin password==
 Create a SHA hash of the desired password for the ldap admin and add it to the ldap config.  The parameter may not exist in the config file, you may need to add it.
-  <nowiki>~$ slappasswd
+  <nowiki>~$ slappasswd -h {SSHA} -s ldappassword
-~$ sudo vim /etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif
+==Configure LDAP Server==
+create db.ldif and update:
+*SSHA password
+*olcRootDN
+ <nowiki>~$ vim db.ldif
 ...
-olcRootPW: {SSHA}1pgok6qWn24lpBkVreTDboTr81rg4QC6</nowiki>
+dn: olcDatabase={2}hdb,cn=config
-==Setup Domain==
+changetype: modify
-  <nowiki>~$ sudo vim /etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif
+replace: olcSuffix
+olcSuffix: dc=itzgeek,dc=local
+dn: olcDatabase={2}hdb,cn=config
+changetype: modify
+replace: olcRootDN
+olcRootDN: cn=ldapadm,dc=itzgeek,dc=local
+dn: olcDatabase={2}hdb,cn=config
+changetype: modify
+replace: olcRootPW
+olcRootPW: {SSHA}d/thexcQUuSfe3rx3gRaEhHpNJ52N8D3</nowiki>
+Send the configuration to the server.
+  <nowiki>~$ sudo ldapmodify -Y EXTERNAL  -H ldapi:/// -f db.ldif</nowiki>
+restrict the monitor access only to ldap root.  Update:
+*dn.base
+ <nowiki>~$ vim monitor.ldif
 ...
-olcSuffix: dc=localhost,dc=localdomain</nowiki>
+dn: olcDatabase={1}monitor,cn=config
-Make sure you also update the <code>olcRootDN</code> to match your new domain
+changetype: modify
-  <nowiki>~$ sudo vim /etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif
+replace: olcAccess
-...
+olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external, cn=auth" read by dn.base="cn=ldapadm,dc=itzgeek,dc=local" read by * none</nowiki>
-olcRootDN: cn=ldapadmin,dc=localhost,dc=localdomain</nowiki>
+update the server.
-Finally make sure you update the ldap admin and domain in <code>olcDatabase\=\{1\}monitor.ldif</code> as well.
+ <nowiki>~$ sudo ldapmodify -Y EXTERNAL  -H ldapi:/// -f monitor.ldif</nowiki>
-  <nowiki>~$ sudo vim /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{1\}monitor.ldif
+==Setup Database==
+  <nowiki>~$ sudo cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
+~$ sudo chown -R ldap:ldap /var/lib/ldap
+~$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
+~$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
+~$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif</nowiki>
+Setup the domain information. Update:
+*dn (x4)
+  <nowiki>~$ vim base.ldif
 ...
-olcAccess: {0}to *  by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=exter
+dn: dc=itzgeek,dc=local
- nal,cn=auth" read  by dn.base="cn=ldapadmin,dc=localhost,dc=localdomain" read  by * n
+dc: itzgeek
- one</nowiki>
+objectClass: top
+objectClass: domain
-=Startup=
+dn: cn=ldapadm ,dc=itzgeek,dc=local
- <nowiki>~$ sudo service slapd start
+objectClass: organizationalRole
-~$ sudo service slapd status</nowiki>
+cn: ldapadm
+description: LDAP Manager
-=Setup LDAP DN entry=
+dn: ou=People,dc=itzgeek,dc=local
-create a tmp file to import the needed data, then import and check.
+objectClass: organizationalUnit
- <nowiki>~$ printf "dn: dc=localhost,dc=localdomain\nobjectClass: dcObject\nobjectClass: organization\ndc: localhost\no: localhost" > /tmp/localdomain.ldif</nowiki>
+ou: People
-Import the data
- <nowiki>~$ sudo ldapadd -f /tmp/localhost.ldif -D cn=ldapadmin,dc=localhost,dc=localdomain -w p@ssw0rd</nowiki>
-verify
- <nowiki>~$ ldapsearch -x -LLL -b dc=localhost,dc=localdomain</nowiki>
-=Allow iptables=
+dn: ou=Group,dc=itzgeek,dc=local
-  <nowiki>~$ sudo iptables -A INPUT -p tcp --dport 389 -j ACCEPT -m comment --comment "allow ldap"
+objectClass: organizationalUnit
-~$ sudo iptables -A INPUT -p tcp --dport 636 -j ACCEPT -m comment --comment "allow ldaps" </nowiki>
+ou: Group</nowiki>
+Build the directory structure
+  <nowiki>~$ sudo ldapadd -x -W -D "cn=ldapadm,dc=itzgeek,dc=local" -f base.ldif</nowiki>

Oracle Linux/OpenLDAP

Revision as of 00:53, 29 July 2020

Contents

Overview

Installation

Configuration

LDAP User Account

Setup LDAP Admin password

Setup Database

Personal tools

Namespaces

Variants

Views

Actions

Search

Navigation

Mediawiki

Confluence

DevOps Tools

Ubuntu

Ubuntu 22

Mac OSX

Oracle Linux

AWS

Windows

OpenVPN

Grafana

InfluxDB2

TrueNas

OwnCloud

Pivotal

osTicket

OTRS

phpBB

WordPress

VmWare ESXI 5.1

Crypto currencies

HTML

CSS

Python

Java Script

PHP

Raspberry Pi

Canvas LMS

Kaltura Media Server

Plex Media Server

MetaSploit

Zoneminder

ShinobiCE

Photoshop CS2

Fortinet

Uploaded

Certifications

General Info

Games

Meal Plans

NC Statutes

2020 Election

Volkswagen

Covid

NCDMV

Toolbox