The software described in this documentation is either in Extended Support or Sustaining Support. See https://www.oracle.com/us/support/library/enterprise-linux-support-policies-069172.pdf for more information.
Oracle recommends that you upgrade the software described by this documentation as soon as possible.
OpenLDAP is an open-source implementation of LDAP that allows you to configure an LDAP directory server.
To configure a system as an LDAP server:

Install the OpenLDAP packages:

# yum install openldap openldap-servers openldap-clients nss-pam-ldapd
The OpenLDAP configuration is stored in the following files below /etc/openldap:

- ldap.conf
  The configuration file for client applications.

- slapd.d/cn=config.ldif
  The default global configuration LDIF file for OpenLDAP.

- slapd.d/cn=config/*.ldif
  Configuration LDIF files for the database and schema.

- slapd.d/cn=config/cn=schema/*.ldif
  Schema configuration LDIF files. More information about the OpenLDAP schema is available at http://www.openldap.org/doc/admin/schema.html.
Note: You should never need to edit any files under /etc/openldap/slapd.d directly, because you can reconfigure OpenLDAP over LDAP (for example with ldapadd or ldapmodify) while the slapd service is running.
If you want to configure slapd to listen on port 636 for connections over an SSL tunnel (ldaps://), edit /etc/sysconfig/ldap and change the value of SLAPD_LDAPS to yes:

SLAPD_LDAPS=yes

If required, you can prevent slapd from listening on port 389 for ldap:// connections by changing the value of SLAPD_LDAP to no:

SLAPD_LDAP=no

Plain ldap:// connections carry simple-bind passwords in clear text unless the client negotiates STARTTLS, so on any network you do not fully trust, enable ldaps:// (or require STARTTLS) and set SLAPD_LDAP=no once all clients have been switched over. Serving ldaps:// also requires a server certificate and key to be configured in cn=config (the olcTLSCertificateFile, olcTLSCertificateKeyFile and olcTLSCACertificateFile attributes), which this procedure does not cover.
Allow incoming TCP connections on port 389 from the local network:

# iptables -I INPUT -s subnet_addr/prefix_length -p tcp -m state --state NEW -m tcp --dport 389 -j ACCEPT
# service iptables save

In the example, subnet_addr/prefix_length specifies the network address, for example 192.168.2.0/24.

The primary TCP port for LDAP is 389. If you configure LDAP to use an SSL tunnel (ldaps), substitute the port number that the tunnel uses, which is usually 636, for example:

# iptables -I INPUT -s subnet_addr/prefix_length -p tcp -m state --state NEW -m tcp --dport 636 -j ACCEPT
# service iptables save

Add similar rules for other networks from which LDAP clients can connect. Open only the ports that slapd is actually configured to listen on: if you set SLAPD_LDAP=no in /etc/sysconfig/ldap, do not add the rule for port 389.
Change the user and group ownership of /var/lib/ldap and any files that it contains to ldap, and make the directory accessible only to that user:

# chown -R ldap:ldap /var/lib/ldap
# chmod 0700 /var/lib/ldap
Start the slapd service and configure it to start following system reboots:

# service slapd start
# chkconfig slapd on
Generate a hash of the LDAP password that you will use with the olcRootPW entry in the configuration file for your domain database, for example:

# slappasswd -h {SSHA}
New password: password
Re-enter new password: password
{SSHA}lkMShz73MZBic19Q4pfOaXNxpLN3wLRy

slappasswd prompts for the password, so it never appears on the command line or in the shell history; the value shown after each prompt is what you type, not what the command echoes. Use only the resulting {SSHA} hash in the LDIF file. olcRootPW also accepts a clear-text value, but storing one there places the directory administrator's password in plain text under /etc/openldap/slapd.d.
Create an LDIF file with a name such as config-mydom-com.ldif that contains configuration entries for your domain database based on the following example:

# Load the schema files required for accounts
include: file:///etc/openldap/schema/cosine.ldif
include: file:///etc/openldap/schema/nis.ldif
include: file:///etc/openldap/schema/inetorgperson.ldif

# Load the HDB (hierarchical database) backend module
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib64/openldap
olcModuleload: back_hdb

# Configure the database settings
dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcSuffix: dc=mydom,dc=com
# The database directory must already exist
# and it should be owned only by ldap:ldap.
# Setting its mode to 0700 is recommended.
olcDbDirectory: /var/lib/ldap
olcRootDN: cn=admin,dc=mydom,dc=com
olcRootPW: {SSHA}lkMShz73MZBic19Q4pfOaXNxpLN3wLRy
olcDbConfig: set_cachesize 0 10485760 0
olcDbConfig: set_lk_max_objects 2000
olcDbConfig: set_lk_max_locks 2000
olcDbConfig: set_lk_max_lockers 2000
olcDbIndex: objectClass eq
olcLastMod: TRUE
olcDbCheckpoint: 1024 10
# Set up access control
olcAccess: to attrs=userPassword by dn="cn=admin,dc=mydom,dc=com" write by anonymous auth by self write by * none
olcAccess: to attrs=shadowLastChange by self write by * read
olcAccess: to dn.base="" by * read
olcAccess: to * by dn="cn=admin,dc=mydom,dc=com" write by * read

Replace dc=mydom,dc=com with the suffix for your domain and the olcRootPW value with the hash that slappasswd produced. The schema files are in /etc/openldap/schema on Oracle Linux, and olcModulepath must name the directory that holds your slapd modules (/usr/lib64/openldap on 64-bit systems, /usr/lib/openldap on 32-bit systems); if that directory contains no back_hdb module because the backend is built into your slapd binary, omit the cn=module entry. The olcAccess rules let only the directory administrator and the user concerned write userPassword, allow anonymous clients to use it solely for authentication (auth), and hide it from everyone else; keep that rule first, because slapd applies the first olcAccess clause whose "to" part matches. Because the file contains the administrator's password hash, restrict it to root (chmod 600) and delete it after it has been loaded.

Note: This configuration file allows you to reconfigure slapd while it is running. If you use a slapd.conf configuration file, you can also update slapd dynamically, but such changes do not persist if you restart the server. For more information, see the slapd-config(5) manual page.

Use the ldapadd command to add the LDIF file:

# ldapadd -Y EXTERNAL -H ldapi:/// -f config-mydom-com.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=module,cn=config"
adding new entry "olcDatabase=hdb,cn=config"

The -Y EXTERNAL -H ldapi:/// options authenticate over the local Unix-domain socket with the credentials of the root process that runs ldapadd (the gidNumber=0+uidNumber=0,cn=peercred,... identity shown in the output), which is the identity the default cn=config access rules allow to modify the server configuration, so no directory password is needed.
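The whole procedure above as one script, added here as an example; it is not part of this documentation and not Oracle's or OpenLDAP's code. It builds the per-domain LDIF from a domain name and a slappasswd hash (refusing a clear-text or {CLEARTEXT} olcRootPW), derives the iptables rules from what /etc/sysconfig/ldap actually enables rather than opening 389 and 636 unconditionally, and performs the deployment steps only when LDAP_SETUP_RUN=1. It assumes the Oracle Linux layout with the schema in /etc/openldap/schema, the shipped /etc/sysconfig/ldap defaults (SLAPD_LDAP=yes, SLAPD_LDAPS=no when a variable is absent), and that no cn=module entry is needed for back_hdb (add the page's module entry if your slapd ships it as a loadable module); the function names are the example's own.

```shell
#!/bin/sh
# Added example, not Oracle's or OpenLDAP's code: it scripts the procedure above.
# Assumed (see lead-in): Oracle Linux layout with schema in /etc/openldap/schema,
# shipped /etc/sysconfig/ldap defaults (SLAPD_LDAP=yes, SLAPD_LDAPS=no), and no
# cn=module entry needed for back_hdb. Function names are the example's own.
set -eu
SCHEMA_DIR=${SCHEMA_DIR:-/etc/openldap/schema}

# mydom.com -> dc=mydom,dc=com
dn_from_domain() {
    printf 'dc=%s\n' "$1" | sed 's/\./,dc=/g'
}

# Value of KEY in a sysconfig FILE (last assignment wins, quotes stripped).
# Parsed with sed rather than sourced, so nothing in the file is executed.
sysconfig_value() {
    sed -n "s/^[[:space:]]*$1=//p" "$2" | tail -n 1 | tr -d "\"'"
}

# Ports slapd will listen on according to SLAPD_LDAP / SLAPD_LDAPS in FILE.
ldap_ports() {
    ldap=$(sysconfig_value SLAPD_LDAP "$1")
    ldaps=$(sysconfig_value SLAPD_LDAPS "$1")
    ports=""
    if [ "${ldap:-yes}" = yes ]; then ports="389"; fi
    if [ "${ldaps:-no}" = yes ]; then ports="${ports:+$ports }636"; fi
    printf '%s\n' "$ports"
}

# One iptables rule per listening port for SUBNET: a port slapd is not
# configured for is never opened, however trusted the client network.
firewall_rules() {
    for port in $(ldap_ports "$2"); do
        printf 'iptables -I INPUT -s %s -p tcp -m state --state NEW -m tcp --dport %s -j ACCEPT\n' "$1" "$port"
    done
}

# cn=config LDIF for DOMAIN. HASH must be slappasswd output; a clear-text or
# {CLEARTEXT} olcRootPW is refused so the admin password never lands in slapd.d.
gen_db_ldif() {
    domain=$1
    hash=$2
    case $hash in
        '{CLEARTEXT}'*) echo "refusing {CLEARTEXT} olcRootPW" >&2; return 1 ;;
        '{'*'}'*) ;;
        *) echo "olcRootPW must be a slappasswd hash such as {SSHA}..., not plain text" >&2; return 1 ;;
    esac
    base=$(dn_from_domain "$domain")
    admin="cn=admin,$base"
    cat <<EOF
include: file://$SCHEMA_DIR/cosine.ldif
include: file://$SCHEMA_DIR/nis.ldif
include: file://$SCHEMA_DIR/inetorgperson.ldif

dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcSuffix: $base
olcDbDirectory: /var/lib/ldap
olcRootDN: $admin
olcRootPW: $hash
olcDbConfig: set_cachesize 0 10485760 0
olcDbConfig: set_lk_max_objects 2000
olcDbConfig: set_lk_max_locks 2000
olcDbConfig: set_lk_max_lockers 2000
olcDbIndex: objectClass eq
olcLastMod: TRUE
olcDbCheckpoint: 1024 10
olcAccess: to attrs=userPassword by dn="$admin" write by anonymous auth by self write by * none
olcAccess: to attrs=shadowLastChange by self write by * read
olcAccess: to dn.base="" by * read
olcAccess: to * by dn="$admin" write by * read
EOF
}

# The deployment itself; runs only with LDAP_SETUP_RUN=1 so the functions can
# be sourced or tested without touching the system. Arguments: DOMAIN SUBNET.
main() {
    domain=$1
    subnet=$2
    ldif="config-$(printf '%s' "$domain" | tr . -).ldif"
    yum -y install openldap openldap-servers openldap-clients nss-pam-ldapd
    hash=$(slappasswd -h '{SSHA}')   # prompts on the terminal; never on argv
    gen_db_ldif "$domain" "$hash" > "$ldif"
    chmod 600 "$ldif"                # the file holds the root password hash
    firewall_rules "$subnet" /etc/sysconfig/ldap | sh -e
    service iptables save
    chown -R ldap:ldap /var/lib/ldap
    chmod 0700 /var/lib/ldap
    service slapd start
    chkconfig slapd on
    ldapadd -Y EXTERNAL -H ldapi:/// -f "$ldif"
}
if [ "${LDAP_SETUP_RUN:-0}" = 1 ]; then main "$@"; fi
```

Saved as, for example, ldap-server-setup.sh and run as root with LDAP_SETUP_RUN=1 sh ldap-server-setup.sh mydom.com 192.168.2.0/24, it performs every step of the procedure; sourced without the variable it only defines the functions, so gen_db_ldif can be used on its own to inspect the LDIF before anything is loaded into cn=config.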
For more information about configuring OpenLDAP, see the slapadd(8), slapd(8), slapd-config(5), and slappasswd(8) manual pages, the OpenLDAP Administrator's Guide (/usr/share/doc/openldap-servers-version/guide.html), and the latest OpenLDAP documentation at http://www.openldap.org/doc/.