22.4.2 Configuring an LDAP Server

OpenLDAP is an open-source implementation of LDAP that allows you to configure an LDAP directory server.

To configure a system as an LDAP server:

  1. Install the OpenLDAP packages:

    # yum install openldap openldap-servers openldap-clients nss-pam-ldapd

    The OpenLDAP configuration is stored in the following files below /etc/openldap:

    ldap.conf

    The configuration file for client applications.

    slapd.d/cn=config.ldif

    The default global configuration LDIF file for OpenLDAP.

    slapd.d/cn=config/*.ldif

    Configuration LDIF files for the database and schema.

    slapd.d/cn=config/cn=schema/*.ldif

    Schema configuration LDIF files. More information about the OpenLDAP schema is available at http://www.openldap.org/doc/admin/schema.html.

    Note

    You should never need to edit any files under /etc/openldap/slapd.d, because you can reconfigure OpenLDAP while the slapd service is running.

  2. If you want to configure slapd to listen on port 636 for connections over an SSL tunnel (ldaps://), edit /etc/sysconfig/ldap, and change the value of SLAPD_LDAPS to yes:

    SLAPD_LDAPS=yes

    If required, you can prevent slapd from listening on port 389 for ldap:// connections by changing the value of SLAPD_LDAP to no:

    SLAPD_LDAP=no

  3. Allow incoming TCP connections on port 389 from the local network:

    # iptables -I INPUT -s subnet_addr/prefix_length -p tcp \
      -m state --state NEW -m tcp --dport 389 -j ACCEPT
    # service iptables save

    where subnet_addr/prefix_length specifies the network address, for example 192.168.2.0/24.

    The primary TCP port for LDAP is 389. If you configure LDAP to use an SSL tunnel (ldaps), substitute the port number that the tunnel uses, which is usually 636, for example:

    # iptables -I INPUT -s subnet_addr/prefix_length -p tcp \
      -m state --state NEW -m tcp --dport 636 -j ACCEPT
    # service iptables save

    Add similar rules for other networks from which LDAP clients can connect.

  4. Change the user and group ownership of /var/lib/ldap and any files that it contains to ldap:

    # chown -R ldap:ldap /var/lib/ldap

  5. Start the slapd service and configure it to start following system reboots:

    # service slapd start
    # chkconfig slapd on

  6. Generate a hash of the LDAP password that you will use with the olcRootPW entry in the configuration file for your domain database, for example:

    # slappasswd -h {SSHA}
    New password: password
    Re-enter new password: password
    {SSHA}lkMShz73MZBic19Q4pfOaXNxpLN3wLRy

  7. Create an LDIF file with a name such as config-mydom-com.ldif that contains configuration entries for your domain database based on the following example:

    # Load the schema files required for accounts
    # (on this distribution the schema LDIF files are installed under /etc/openldap/schema)
    include: file:///etc/openldap/schema/cosine.ldif
    include: file:///etc/openldap/schema/nis.ldif
    include: file:///etc/openldap/schema/inetorgperson.ldif

    # Load the HDB (hierarchical database) backend modules
    dn: cn=module,cn=config
    objectClass: olcModuleList
    cn: module
    olcModulepath: /usr/lib/ldap
    olcModuleload: back_hdb

    # Configure the database settings
    dn: olcDatabase=hdb,cn=config
    objectClass: olcDatabaseConfig
    objectClass: olcHdbConfig
    olcDatabase: {1}hdb
    olcSuffix: dc=mydom,dc=com
    # The database directory must already exist, must be owned
    # by ldap:ldap, and should have its mode set to 0700.
    olcDbDirectory: /var/lib/ldap
    olcRootDN: cn=admin,dc=mydom,dc=com
    # Use the {SSHA} hash generated by slappasswd in step 6
    olcRootPW: {SSHA}lkMShz73MZBic19Q4pfOaXNxpLN3wLRy
    olcDbConfig: set_cachesize 0 10485760 0
    olcDbConfig: set_lk_max_objects 2000
    olcDbConfig: set_lk_max_locks 2000
    olcDbConfig: set_lk_max_lockers 2000
    olcDbIndex: objectClass eq
    olcLastMod: TRUE
    olcDbCheckpoint: 1024 10
    # Set up access control. Continuation lines start with a space. The first
    # matching "to" clause applies, and within it the first matching "by" clause:
    # the admin may write password hashes, anonymous clients may only bind with
    # them, users may change their own, and nobody else may read them.
    olcAccess: to attrs=userPassword
      by dn="cn=admin,dc=mydom,dc=com" write
      by anonymous auth
      by self write
      by * none
    olcAccess: to attrs=shadowLastChange
      by self write
      by * read
    olcAccess: to dn.base=""
      by * read
    olcAccess: to *
      by dn="cn=admin,dc=mydom,dc=com" write
      by * read

    Note

    Because this configuration is stored in the cn=config database, you can reconfigure slapd while it is running and the changes persist across restarts. If you use a slapd.conf configuration file instead, you can also update slapd dynamically, but such changes do not persist if you restart the server.

    For more information, see the slapd-config(5) manual page.

  8. Use the ldapadd command to add the LDIF file:

    # ldapadd -Y EXTERNAL -H ldapi:/// -f config-mydom-com.ldif
    SASL/EXTERNAL authentication started
    SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    SASL SSF: 0
    adding new entry "cn=module,cn=config"
    
    adding new entry "olcDatabase=hdb,cn=config"
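Before you load the file with ldapadd, it is worth checking the LDIF from step 7 by hand: that the folded olcAccess lines unfold to the rules you intended, that olcRootPW holds the {SSHA} hash from step 6 rather than a cleartext password, and that nothing in the userPassword rule lets anonymous or wildcard clients read password hashes. The following Python script is an added example written for this page; it is not part of the Oracle documentation or of OpenLDAP. The LDIF text, the password and the fixed salt in it are constructed, and the {SSHA} layout it implements (base64 of the 20-byte SHA-1 digest followed by the salt) is the format that slappasswd -h {SSHA} produces.

```python
"""Pre-flight checks for a cn=config LDIF such as the one in step 7.
Added example, not from the Oracle documentation or from OpenLDAP; the LDIF,
password and salt below are constructed for it."""
import base64
import hashlib
import hmac
import re

# OpenLDAP access levels, weakest to strongest
ACCESS_LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


def ssha_hash(password, salt):
    """Same layout as `slappasswd -h {SSHA}`: base64(SHA1(password + salt) + salt).
    slappasswd picks 4 random salt bytes; the caller supplies them here."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(password, stored):
    """Check a password against an {SSHA} value; the salt follows the 20-byte digest."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode("utf-8") + salt).digest(), digest)


def parse_ldif(text):
    """Split LDIF into blank-line separated records and unfold continuation lines
    (a line starting with a space continues the previous one). Returns [{attr: [values]}].
    Comment lines and include: directives are skipped; base64 (::) values are not handled."""
    records, current, logical = [], {}, []
    for raw in text.splitlines() + [""]:  # trailing "" flushes the last record
        if raw.startswith(" "):
            logical.append(raw[1:])
            continue
        line = "".join(logical)
        if line and not line.startswith("#") and not line.lower().startswith("include:"):
            attr, _, value = line.partition(":")
            current.setdefault(attr.strip(), []).append(value.strip())
        logical = [raw] if raw else []
        if not raw and current:
            records.append(current)
            current = {}
    return records


def parse_acl(acl):
    """'to <what> by <who> <access> by ...' -> (what, [(who, access), ...]);
    clauses are tried in order and the first matching <who> decides."""
    what, *clauses = re.split(r"\s+by\s+", acl.strip())
    parsed = [tuple(part.strip() for part in clause.rpartition(" ")[::2]) for clause in clauses]
    return re.sub(r"^to\s+", "", what), parsed


def password_acl_findings(record):
    """Describe how this database exposes userPassword, as a list of strings."""
    acls = [parse_acl(a) for a in record.get("olcAccess", [])]
    whats = [what for what, _ in acls]
    if "attrs=userPassword" not in whats:
        return ["no 'to attrs=userPassword' rule: the 'to *' rule governs password hashes"]
    findings = []
    # The first matching 'to' clause wins, so 'to *' must come after the password rule.
    if "*" in whats and whats.index("*") < whats.index("attrs=userPassword"):
        findings.append("'to *' precedes 'to attrs=userPassword', so the password rule is never reached")
    for who, access in acls[whats.index("attrs=userPassword")][1]:
        if who in ("anonymous", "users", "*") and access in ACCESS_LEVELS[3:]:
            findings.append("'by %s %s' on userPassword exposes hashes; use auth or none" % (who, access))
    return findings


def check_config(ldif_text, root_password):
    """Summarise the database record: suffix, whether olcRootPW is hashed and matches, ACL findings."""
    db = next(r for r in parse_ldif(ldif_text) if "olcSuffix" in r)
    rootpw = db["olcRootPW"][0]
    return {"suffix": db["olcSuffix"][0],
            "rootpw_hashed": rootpw.startswith("{"),
            "rootpw_matches": rootpw.startswith("{SSHA}") and verify_ssha(root_password, rootpw),
            "acl_findings": password_acl_findings(db)}


EXAMPLE_PASSWORD = "example-only-password"  # constructed
EXAMPLE_ROOTPW = ssha_hash(EXAMPLE_PASSWORD, b"\x01\x02\x03\x04")  # fixed salt keeps the LDIF reproducible
# Constructed LDIF in the shape of step 7 (mydom.com is the page's placeholder domain)
GOOD_LDIF = f"""\
dn: olcDatabase=hdb,cn=config
objectClass: olcHdbConfig
olcDatabase: {{1}}hdb
olcSuffix: dc=mydom,dc=com
olcRootDN: cn=admin,dc=mydom,dc=com
olcRootPW: {EXAMPLE_ROOTPW}
# Set up access control
olcAccess: to attrs=userPassword
  by dn="cn=admin,dc=mydom,dc=com" write
  by anonymous auth
  by self write
  by * none
olcAccess: to *
  by dn="cn=admin,dc=mydom,dc=com" write
  by * read
"""
# Same file with the catch-all on userPassword loosened to read
WEAK_LDIF = GOOD_LDIF.replace("  by * none", "  by * read")

if __name__ == "__main__":
    for name, text in (("good", GOOD_LDIF), ("weak", WEAK_LDIF)):
        print(name, check_config(text, EXAMPLE_PASSWORD))
```

Run as a script it summarises both the acceptable file and the loosened variant; to check your own config-mydom-com.ldif, pass its contents and the password you typed into slappasswd to check_config. The ACL parser understands only the plain access levels in ACCESS_LEVELS, not the +/= privilege syntax or stop/continue/break controls, so treat an empty findings list as a sanity check rather than a full review.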

For more information about configuring OpenLDAP, see the slapadd(8C), slapd(8C), slapd-config(5), and slappasswd(8C) manual pages, the OpenLDAP Administrator’s Guide (/usr/share/doc/openldap-servers-version/guide.html), and the latest OpenLDAP documentation at http://www.openldap.org/doc/.