The software described in this documentation is either in Extended Support or Sustaining Support. See https://www.oracle.com/us/support/library/enterprise-linux-support-policies-069172.pdf for more information.
Oracle recommends that you upgrade the software described by this documentation as soon as possible.

23.4.2 Configuring an LDAP Server

OpenLDAP is an open-source implementation of LDAP that allows you configure an LDAP directory server.

To configure a system as an LDAP server:

  1. Install the OpenLDAP packages: 

    # yum install openldap openldap-servers openldap-clients nss-pam-ldapd

    The OpenLDAP configuration is stored in the following files below /etc/openldap:

    ldap.conf

    The configuration file for client applications.

    slapd.d/cn=config.ldif

    The default global configuration LDIF file for OpenLDAP.

    slapd.d/cn=config/*.ldif

    Configuration LDIF files for the database and schema.

    slapd.d/cn=config/cn=schema/*.ldif

    Schema configuration LDIF files. More information about the OpenLDAP schema is available at http://www.openldap.org/doc/admin/schema.html.

    Note

    You should never need to edit any files under /etc/openldap/slapd.d as you can reconfigure OpenLDAP while the slapd service is running.

  2. If you want configure slapd to listen on port 636 for connections over an SSL tunnel (ldaps://), edit /etc/sysconfig/ldap, and change the value of SLAPD_LDAPS to yes: 

    SLAPD_LDAPS=yes

    If required, you can prevent slapd listening on port 389 for ldap:// connections, by changing the value of SLAPD_LDAP to no: 

    SLAPD_LDAP=no

  3. Allow incoming TCP connections on port 389 from the local network: 

    # iptables -I INPUT -s subnet_addr/prefix_length -p tcp \
  -m state --state NEW -m tcp -dport 389 -j ACCEPT
# service iptables save

    In the example, subnet_addr/prefix_length specifies the network address, for example 192.168.2.0/24.

    The primary TCP port for LDAP is 389. If you configure LDAP to use an SSL tunnel (ldaps), substitute the port number that the tunnel uses, which is usually 636, for example: 

    # iptables -I INPUT -s subnet_addr/prefix_length -p tcp \
  -m state --state NEW -m tcp --dport 636 -j ACCEPT
# service iptables save

    Add similar rules for other networks from which LDAP clients can connect.

  4. Change the user and group ownership of /var/lib/ldap and any files that it contains to ldap: 

    # cd /var/lib/ldap
# chown ldap:ldap ./*

  5. Start the slapd service and configure it to start following system reboots: 

    # service slapd start
# chkconfig slapd on

  6. Generate a hash of the LDAP password that you will use with the olcRootPW entry in the configuration file for your domain database, for example: 

    # slappasswd -h {SSHA}
New password: password
Re-enter new password: password
{SSHA}lkMShz73MZBic19Q4pfOaXNxpLN3wLRy

  7. Create an LDIF file with a name such as config-mydom-com.ldif that contains configuration entries for your domain database based on the following example: 

    # Load the schema files required for accounts
include file:///etc/ldap/schema/cosine.ldif

include file:///etc/ldap/schema/nis.ldif

include file:///etc/ldap/schema/inetorgperson.ldif

# Load the HDB (hierarchical database) backend modules
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib/ldap
olcModuleload: back_hdb

# Configure the database settings
dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcSuffix: dc=mydom,dc=com
# The database directory must already exist
# and it should only be owned by ldap:ldap.
# Setting its mode to 0700 is recommended
olcDbDirectory: /var/lib/ldap
olcRootDN: cn=admin,dc=mydom,dc=com
olcRootPW: {SSHA}lkMShz73MZBic19Q4pfOaXNxpLN3wLRy
olcDbConfig: set_cachesize 0 10485760 0
olcDbConfig: set_lk_max_objects 2000
olcDbConfig: set_lk_max_locks 2000
olcDbConfig: set_lk_max_lockers 2000
olcDbIndex: objectClass eq
olcLastMod: TRUE
olcDbCheckpoint: 1024 10
# Set up access control
olcAccess: to attrs=userPassword
  by dn="cn=admin,dc=mydom,dc=com"
  write by anonymous auth
  by self write
  by * none
olcAccess: to attrs=shadowLastChange
  by self write
  by * read
olcAccess: to dn.base=""
  by * read
olcAccess: to *
  by dn="cn=admin,dc=mydom,dc=com"
  write by * read
    Note

    This configuration file allows you to reconfigure slapd while it is running. If you use a slapd.conf configuration file, you can also update slapd dynamically, but such changes do not persist if you restart the server.

    For more information, see the slapd-config(5) manual page.

  8. Use the ldapadd command to add the LDIF file: 

    # ldapadd -Y EXTERNAL -H ldapi:/// -f config-mydom-com.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=module,cn=config"

adding new entry "olcDatabase=hdb,cn=config"

For more information about configuring OpenLDAP, see the slapadd(8C), slapd(8C), slapd-config(5), and slappasswd(8C) manual pages, the OpenLDAP Administrator’s Guide (/usr/share/doc/openldap-servers-version/guide.html), and the latest OpenLDAP documentation at http://www.openldap.org/doc/.

Copyright © 2013, 2021, Oracle and/or its affiliates. Legal Notices