Step-by-step OpenLDAP Installation and Configuration

Submitted by ganesh35 (Contact Author) (Forums) on Fri, 2007-02-16 16:41. :: Linux

Step-by-step OpenLDAP Installation and Configuration

This tutorial describes how to install and configure an OpenLDAP server and also an OpenLDAP client.

Step by Step Installation and Configuration OpenLDAP Server

Software:  OS-Cent OS 4.4, openldap 2.2.13-6.4E
System name:   ldap.adminmart.com
Domain name:   adminmart.com
System IP:     192.168.1.212

Note: Use your domain name and IP instead of adminmart.

Easy steps for adding users:
    1. Create unix user
    2. Create unix user's ldap passwd file
    3. Convert passwd.file to ldif file
    4. Add ldap file to LDAP Directory using ldapadd

Step #1. Requirements

    compat-openldap.i386 0:2.1.30-6.4E
    openldap-clients.i386 0:2.2.13-6.4E
    openldap-devel.i386 0:2.2.13-6.4E
    openldap-servers.i386 0:2.2.13-6.4E
    openldap-servers-sql.i386 0:2.2.13-6.4E

You can install them using the command:

yum install *openldap* -y

 

Step #2. Start the service

[root@ldap ~]# chkconfig --levels 235 ldap on
[root@ldap ~]# service ldap start 

Step #3. Create LDAP root user password

[root@ldap ~]# slappasswd
    New password:
    Re-enter new password:
    {SSHA}cWB1VzxDXZLf6F4pwvyNvApBQ8G/DltW
[root@ldap ~]#

Step #4. Update /etc/openldap/slapd.conf for the root password

[root@ldap ~]# vi /etc/openldap/slapd.conf

    #68 database        bdb
    #69 suffix          "dc=adminmart,dc=com"
    #70 rootdn          "cn=Manager,dc=adminmart,dc=com"
    #71 rootpw          {SSHA}cWB1VzxDXZLf6F4pwvyNvApBQ8G/DltW 

Step #5. Apply Changes

[root@ldap ~]# service ldap restart 

Step #6. Create test users

[root@ldap ~]# useradd test1
[root@ldap ~]# passwd test1
    Changing password for user test1.
    New UNIX password:
    Retype new UNIX password:
    passwd: all authentication tokens updated successfully.
[root@ldap ~]# useradd test2
[root@ldap ~]# passwd test2
    Changing password for user test2.
    New UNIX password:
    Retype new UNIX password:
    passwd: all authentication tokens updated successfully.
[root@ldap ~]#

Note: Repeat the same for the rest of users 

Step #7. Migrate local users to LDAP

[root@ldap ~]# grep root /etc/passwd > /etc/openldap/passwd.root
[root@ldap ~]# grep test1 /etc/passwd > /etc/openldap/passwd.test1
[root@ldap ~]# grep test2 /etc/passwd > /etc/openldap/passwd.test2

 Note: Repeat the same for the rest of users

Step #8. Update default settings on file /usr/share/openldap/migration/migrate_common.ph

    #71 $DEFAULT_MAIL_DOMAIN = "adminmart.com";
    #74 $DEFAULT_BASE = "dc=adminmart,dc=com";

Step #9. Convert passwd.file to ldif (LDAP Data Interchange Format) file 

[root@ldap ~]# /usr/share/openldap/migration/migrate_passwd.pl /etc/openldap/passwd.root /etc/openldap/root.ldif
[root@ldap ~]# /usr/share/openldap/migration/migrate_passwd.pl /etc/openldap/passwd.test1 /etc/openldap/test1.ldif
[root@ldap ~]# /usr/share/openldap/migration/migrate_passwd.pl /etc/openldap/passwd.test2 /etc/openldap/test2.ldif

Note: Repeat the same for the rest of users

Step #10. Update root.ldif file for the "Manager" of LDAP Server 

[root@ldap ~]# vi /etc/openldap/root.ldif

    #1 dn: uid=root,ou=People,dc=adminmart,dc=com
    #2 uid: root
    #3 cn: Manager
    #4 objectClass: account

Step #11. Create a domain ldif file (/etc/openldap/adminmart.com.ldif)

[root@ldap ~]# cat /etc/openldap/adminmart.com.ldif

    dn: dc=adminmart,dc=com
    dc: adminmart
    description: LDAP Admin
    objectClass: dcObject
    objectClass: organizationalUnit
    ou: rootobject 
    dn: ou=People, dc=adminmart,dc=com
    ou: People
    description: Users of adminmart
    objectClass: organizationalUnit

Step #12. Import all users in to the LDAP

Add the Domain ldif file 

[root@ldap ~]# ldapadd -x -D "cn=Manager,dc=adminmart,dc=com" -W -f  /etc/openldap/adminmart.com.ldif
    Enter LDAP Password:
    adding new entry "dc=adminmart,dc=com"
    adding new entry "ou=People, dc=adminmart,dc=com"
[root@ldap ~]#

Add the users:

[root@ldap ~]# ldapadd -x -D "cn=Manager,dc=adminmart,dc=com" -W -f  /etc/openldap/root.ldif
    Enter LDAP Password:
    adding new entry "uid=root,ou=People,dc=adminmart,dc=com"
    adding new entry "uid=operator,ou=People,dc=adminmart,dc=com"
[root@ldap ~]#

[root@ldap ~]# ldapadd -x -D "cn=Manager,dc=adminmart,dc=com" -W -f  /etc/openldap/test1.ldif
    Enter LDAP Password:
    adding new entry "uid=test1,ou=People,dc=adminmart,dc=com"
[root@ldap ~]#

[root@ldap ~]# ldapadd -x -D "cn=Manager,dc=adminmart,dc=com" -W -f  /etc/openldap/test2.ldif
    Enter LDAP Password:
    adding new entry "uid=test2,ou=People,dc=adminmart,dc=com"
 [root@ldap ~]#

 Note: Repeat the same for the rest of users

Step #13. Apply Changes 

[root@ldap ~]# service ldap restart 

Step #14. Test LDAP Server

It prints all the user information:

[root@ldap ~]# ldapsearch -x -b 'dc=adminmart,dc=com' '(objectclass=*)' 


Copyright © 2007 Ganesh Kumar
All Rights Reserved.
add comment | view as pdf view as pdf | print: this | all page(s) |
Please do not use the comment function to ask for help! If you need help, please use our forum.
Comments will be published after administrator approval.
I can't add the domain ldif
Submitted by Ken (not registered) on Fri, 2008-09-19 20:02.

I can't add the domain ldif file - I get prompted for the password, I enter the password used in the slapd.conf (tried both encrypted and plaintext) but still get the error below:

ldap_bind: Can't contact LDAP server (-1)

Thoughts?

reply | view as pdf view as pdf
Groups and shadow
Submitted by Revantine (registered user) on Mon, 2007-03-12 20:22.
I had to add a blank line to fix an error in /etc/openldap/adminmart.com.ldif, and I added for groups : 
dn: dc=adminmart,dc=com
dc: adminmart
description: LDAP Admin
objectClass: dcObject
objectClass: organizationalUnit
ou: rootobject

dn: ou=People, dc=adminmart,dc=com
ou: People
description: Users of adminmart
objectClass: organizationalUnit

dn: ou=Group, dc=adminmart,dc=com
ou: Group
description: Groups of adminmart
objectClass: organizationalUnit
I copied all of my groups that I wanted in ldap from /etc/groups to /etc/openldap/groups.txt and then ran:
/usr/share/openldap/migration/migrate_groups.pl /etc/openldap/groups.txt /etc/openldap/groups.ldif
After I imported users, and groups, I used phpldapadmin to import shadow passwords. I opened /etc/shadow and copied the password field:
username:$1$0oDpBoKc$qw6grPT4jqgfqkc5Kzd/G.:_____:_:_____:_:::
as {crypt}$1$0oDpBoKc$qw6grPT4jqgfqkc5Kzd/G.
And selected clear in the drop down so it would not try to re-encrypt (mangle) the password.

There is likely a scripted solution for shadow passwords, but I only had about 15 users and it was faster to just do it.
reply | view as pdf view as pdf
Replication
Submitted by nicolargo (registered user) on Mon, 2007-02-19 17:39.

Thanks for the tuto.

Here is a link to  help you configure a backup server (slave server) and another one to configure ProFTPD to use LDAP for authentication (french link but you can google translate ;)).

Nicolargo 

reply | view as pdf view as pdf