Installing OpenLDAP on Redhat / CentOS 6.3
The following section describes how to install and configure OpenLDAP on Red Hat or CentOS 6.3.
From the terminal window, enter the following command to install the OpenLDAP components:
yum install openldap-servers openldap-clients
yum install sssd perl-LDAP.noarch
The bdb backend needs a DB_CONFIG parameter file before it creates a new database. Copy the example into the LDAP database directory:
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
Verify that /var/lib/ldap (and everything in it) is owned by the ldap user, or just run:
chown -R ldap:ldap /var/lib/ldap
cd /etc/openldap
# move the slapd.d directory aside; with it absent the init script starts slapd from slapd.conf
mv slapd.d slapd.d.original

# run the slappasswd utility to generate a password hash for the admin account
slappasswd

The slappasswd utility will prompt you to enter the password that you will use for the admin account. It will then print a hashed value (a string beginning with {SSHA}) representing that password; this hash, never the cleartext password, is what goes into the rootpw directive below.
Make a copy of the ldap.conf file so that you can modify it to suit your configuration needs:
mv ldap.conf ldap.conf.original
cp ldap.conf.original ldap.conf
Create a file called slapd.conf under /etc/openldap using the template below. The template includes the ppolicy overlay. Since the file contains the rootpw hash, keep it readable only by root and the ldap user, as its own header says.
Update the database section of the file to reflect your environment: the suffix and rootdn carry your domain, and rootpw is the output of the slappasswd utility.
Once slapd.conf is in place the LDAP database is set up and the server can be started. You will also want slapd to start automatically when the machine restarts:
service slapd start
chkconfig slapd on
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
# Added for policy
include /etc/openldap/schema/ppolicy.schema
# Allow LDAPv2 client connections. This is NOT the default, and LDAPv2 is
# obsolete: keep the directive only while a legacy client still needs it.
allow bind_v2
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# Load dynamic backend modules:
# modulepath /usr/lib64/openldap
# Modules available in openldap-servers-overlays RPM package
# Module syncprov.la is now statically linked with slapd and there
# is no need to load it here
# moduleload accesslog.la
# moduleload auditlog.la
# moduleload denyop.la
# moduleload dyngroup.la
# moduleload dynlist.la
# moduleload lastmod.la
# moduleload pcache.la
moduleload ppolicy.la
# moduleload refint.la
# moduleload retcode.la
# moduleload rwm.la
# moduleload smbk5pwd.la
# moduleload translucent.la
# moduleload unique.la
# moduleload valsort.la
# modules available in openldap-servers-sql RPM package:
# moduleload back_sql.la
# The next three lines allow use of TLS for encrypting connections using a
# dummy test certificate which you can generate by changing to
# /etc/pki/tls/certs, running "make slapd.pem", and fixing permissions on
# slapd.pem so that the ldap user or group can read it. Your client software
# may balk at self-signed certificates, however.
# TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
# TLSCertificateFile /etc/pki/tls/certs/slapd.pem
# TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#######################################################################
# ldbm and/or bdb database definitions
#######################################################################
database bdb
suffix "dc=openiamdemo,dc=com"
rootdn "cn=Manager,dc=openiamdemo,dc=com"
rootpw {SSHA}lh7jQlIZu8bjXKfAcBn2iBfFpHU/I2PM
# PPolicy Configuration
overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=openiamdemo,dc=com"
ppolicy_use_lockout
ppolicy_hash_cleartext
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
To complete the configuration necessary for the PPolicy, create a file called ppolicy.ldif in the /etc/openldap directory. The DNs must sit under the suffix configured in slapd.conf (dc=openiamdemo,dc=com above) and match the ppolicy_default directive, otherwise the add fails with "no such object":
dn: ou=policies,dc=openiamdemo,dc=com
objectClass: organizationalUnit
objectClass: top
ou: policies

# default, policies, openiamdemo.com
dn: cn=default,ou=policies,dc=openiamdemo,dc=com
objectClass: top
objectClass: pwdPolicy
objectClass: person
cn: default
sn: dummy value
pwdAttribute: userPassword
pwdMaxAge: 7516800
pwdExpireWarning: 14482463
pwdMinLength: 2
pwdMaxFailure: 10
pwdLockout: TRUE
pwdLockoutDuration: 60
pwdMustChange: FALSE
pwdAllowUserChange: FALSE
pwdSafeModify: FALSE
Load this file with ldapadd, in the same form as the ldap-init.ldif command below, only after the base entry dc=openiamdemo,dc=com exists; until then there is no parent for ou=policies. The values shown are demonstration values: pwdMinLength 2 is far too short for anything but a test directory, pwdExpireWarning is larger than pwdMaxAge so every bind carries an expiry warning, pwdLockoutDuration 60 releases a locked account after one minute, and pwdAllowUserChange FALSE stops users from changing their own password even where an ACL grants them write access to userPassword.
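To catch weak values like these before loading the policy, the shell function below (example code written for this edit, not part of the article or of OpenLDAP) reads the pwd* attributes from a ppolicy LDIF and flags the combinations that weaken it. The minimum length it enforces (8 by default) and the hardened policy it compares against are this edit's choices, not values from the article; both LDIF files are constructed inside the block. It needs only sh and awk.

```shell
#!/bin/sh
# check_pwdpolicy FILE [MINLEN]: one FAIL:/NOTE: line per weak setting, return 1 if any FAIL
check_pwdpolicy() {
  awk -v minlen="${2:-8}" '
    # LDIF attribute lines look like "pwdMaxAge: 7516800"; collect the pwd* ones
    /^pwd[A-Za-z]+:/ { key = $1; sub(/:$/, "", key); v[key] = $2 }
    END {
      n = 0
      if (v["pwdMinLength"] + 0 < minlen) {
        print "FAIL: pwdMinLength " v["pwdMinLength"] " is below " minlen; n++
      }
      # a warning window longer than the maximum age means every bind returns the warning
      if (v["pwdMaxAge"] + 0 > 0 && v["pwdExpireWarning"] + 0 > v["pwdMaxAge"] + 0) {
        print "FAIL: pwdExpireWarning " v["pwdExpireWarning"] " exceeds pwdMaxAge " v["pwdMaxAge"]; n++
      }
      if (v["pwdLockout"] != "TRUE") {
        print "FAIL: pwdLockout is not TRUE; failed binds never lock the account"; n++
      }
      # pwdMaxFailure 0 or absent disables the check and pwdLockout is then ignored
      if (v["pwdLockout"] == "TRUE" && v["pwdMaxFailure"] + 0 == 0) {
        print "FAIL: pwdMaxFailure is 0 or unset, so pwdLockout never triggers"; n++
      }
      if (v["pwdAllowUserChange"] == "FALSE")
        print "NOTE: pwdAllowUserChange FALSE: users cannot change their own password even with a by self write ACL"
      print (n == 0 ? "ok: no findings" : n " finding(s)")
      exit (n > 0)
    }' "$1"
}

# the policy from the article, copied into a constructed file
write_page_policy() {
  cat > "$1" <<'EOF'
dn: ou=policies,dc=openiamdemo,dc=com
objectClass: organizationalUnit
objectClass: top
ou: policies

dn: cn=default,ou=policies,dc=openiamdemo,dc=com
objectClass: top
objectClass: pwdPolicy
objectClass: person
cn: default
sn: dummy value
pwdAttribute: userPassword
pwdMaxAge: 7516800
pwdExpireWarning: 14482463
pwdMinLength: 2
pwdMaxFailure: 10
pwdLockout: TRUE
pwdLockoutDuration: 60
pwdMustChange: FALSE
pwdAllowUserChange: FALSE
pwdSafeModify: FALSE
EOF
}

# a hardened variant chosen for this example: 90-day age, 14-day warning,
# 12-character minimum, quality checks, history, 5 failures then a 15-minute lockout
write_hardened_policy() {
  cat > "$1" <<'EOF'
dn: cn=default,ou=policies,dc=openiamdemo,dc=com
objectClass: top
objectClass: pwdPolicy
objectClass: person
cn: default
sn: dummy value
pwdAttribute: userPassword
pwdMaxAge: 7776000
pwdExpireWarning: 1209600
pwdMinLength: 12
pwdCheckQuality: 2
pwdInHistory: 5
pwdMaxFailure: 5
pwdLockout: TRUE
pwdLockoutDuration: 900
pwdFailureCountInterval: 900
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: TRUE
EOF
}

tmp=$(mktemp -d)
write_page_policy "$tmp/page.ldif"; write_hardened_policy "$tmp/hardened.ldif"
echo "== policy from the article"; check_pwdpolicy "$tmp/page.ldif" || echo "(policy rejected)"
echo "== hardened policy";        check_pwdpolicy "$tmp/hardened.ldif"
rm -rf "$tmp"
```

Run it against the real /etc/openldap/ppolicy.ldif before the ldapadd; the second argument raises the minimum length if your policy demands more than eight characters.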
To start the ldap server, enter the following command from a terminal window:
service slapd start
Test that you can connect to the LDAP server. Use -x for a simple bind and -W to be prompted for the password rather than passing it with -w, which would leave it in the shell history and the process list:
ldapsearch -x -H ldap://localhost/ -D "cn=Manager,dc=openiamdemo,dc=com" -W -b "dc=openiamdemo,dc=com" -s sub "(objectclass=*)"
Next load some initial data into the directory. You can do this using an LDIF file like the one shown below. Then run the ldapadd command:
ldapadd -x -D "cn=Manager,dc=openiamdemo,dc=com" -W -f ldap-init.ldif
Sample LDIF file to create the directory structure (entries are separated by a blank line, which LDIF requires):
dn: dc=openiamdemo,dc=com
objectClass: top
objectClass: domain
dc: openiamdemo

dn: ou=dev,dc=openiamdemo,dc=com
objectClass: top
objectClass: organizationalUnit
ou: dev

dn: ou=prod,dc=openiamdemo,dc=com
objectClass: top
objectClass: organizationalUnit
ou: prod

dn: ou=people,ou=prod,dc=openiamdemo,dc=com
objectClass: top
objectClass: organizationalUnit
ou: people

dn: ou=people,ou=dev,dc=openiamdemo,dc=com
objectClass: top
objectClass: organizationalUnit
ou: people
Migrate the password and shadow information
The openldap-servers package provided by Red Hat/CentOS does not include MigrationTools from PADL Software Pty Ltd. You have to download the Perl scripts from http://www.padl.com/OSS/MigrationTools.html and copy them to the /usr/share/openldap/migration folder. You will use them to migrate data from the Linux system files such as /etc/group and /etc/passwd to the LDAP LDIF format, a text representation of the database. The system files are line-delimited, colon-separated fields; the LDIF output is one "attribute: value" line per attribute, with entries separated by blank lines.
A collection of Perl scripts is installed in /usr/share/openldap/migration/ to perform the migration. The configuration information for these Perl scripts is contained at the beginning of the include file migrate_common.ph. For your purposes, it is sufficient to modify the variable for the naming suffix to use in entries' distinguished names, as follows:
$DEFAULT_BASE = "dc=openiam,dc=com";
Note that from here on the article uses the suffix dc=openiam,dc=com, whereas the slapd.conf template above used dc=openiamdemo,dc=com; whichever you chose in slapd.conf has to be used consistently, or every ldapadd below fails with "no such object".
After making this change, run the script migrate_base.pl, which creates the root entry and the next lower level organizational unit entries for Hosts, Networks, Group, and People, among others:
# migrate_base.pl > base.ldif
Edit base.ldif, removing all entries except the following:
# cat base.ldif
dn: dc=openiam,dc=com
dc: openiam
objectClass: top
objectClass: domain

dn: ou=People,dc=openiam,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=openiam,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit
Working from the LDAP server, insert the entries below into the database using the OpenLDAP client tool, ldapadd. Simple authentication must be specified with the -x option. The Distinguished Name to authenticate as, the rootdn specified in slapd.conf, is cn=Manager,dc=openiam,dc=com. For simple authentication, a password is required. The -W option forces a password prompt. This password is the value of the rootpw parameter specified in the slapd.conf file. The LDIF file containing the entries is specified with the -f option:
# ldapadd -x -D "cn=Manager,dc=openiam,dc=com" -W -f base.ldif
Next, migrate the ldapuser group from /etc/group:
# grep ldapuser /etc/group > group.in
# ./migrate_group.pl group.in > group.ldif
# cat group.ldif
dn: cn=ldapuser,ou=Group,dc=openiam,dc=com
objectClass: posixGroup
objectClass: top
cn: ldapuser
userPassword: {crypt}x
gidNumber: 500
# ldapadd -x -D "cn=Manager,dc=openiam,dc=com" -W -f group.ldif
Finally, migrate the ldapuser information from /etc/passwd and /etc/shadow (migrate_passwd.pl reads /etc/shadow itself for the password hash and ageing fields, so run it as root):
# grep ldapuser /etc/passwd > passwd.in
# ./migrate_passwd.pl passwd.in > passwd.ldif
# cat passwd.ldif
dn: uid=ldapuser,ou=People,dc=openiam,dc=com
uid: ldapuser
cn: ldapuser
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$1$TeOlOcMc$cpQaa0WpLSFRC1HIHW5bt1
shadowLastChange: 13048
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 500
gidNumber: 500
homeDirectory: /home/ldapuser
gecos: ldapuser
# ldapadd -x -D "cn=Manager,dc=openiam,dc=com" -W -f passwd.ldif
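The PADL scripts are Perl, and on a box without them the same transformation is a small awk job. The two shell functions below (example code written for this edit, not the PADL tools or anything from the article) turn /etc/passwd, /etc/shadow and /etc/group lines into the same LDIF entries that migrate_passwd.pl and migrate_group.pl produce. They differ in two deliberate ways: a locked or passwordless account (hash starting with ! or *, or empty) gets no userPassword at all instead of an unusable one, and the placeholder x from /etc/group is not copied as a fake {crypt} hash. The passwd, shadow and group lines at the bottom are constructed sample data with made-up hashes; the base DN and the 500 uid/gid threshold are parameters.

```shell
#!/bin/sh
# passwd_to_ldif BASE PASSWD SHADOW [MINUID]
# One posixAccount/shadowAccount entry per user with uid >= MINUID (default 500,
# the first regular uid on CentOS 6), joined with the hash and ageing fields
# from SHADOW. Reading /etc/shadow requires root, as migrate_passwd.pl does.
passwd_to_ldif() {
  awk -F: -v base="$1" -v minuid="${4:-500}" '
    NR == FNR {                      # first file: shadow -> remember per-user fields
      hash[$1] = $2; last[$1] = $3; max[$1] = $5; warn[$1] = $6; next
    }
    $3 + 0 < minuid { next }         # second file: passwd; skip system accounts
    {
      name = $1
      printf "dn: uid=%s,ou=People,%s\n", name, base
      printf "uid: %s\ncn: %s\n", name, name
      print "objectClass: account\nobjectClass: posixAccount\nobjectClass: top\nobjectClass: shadowAccount"
      # copy the crypt(3) hash verbatim as {crypt}; "!", "*" or empty means locked or
      # no password, and such an account must not be given a bindable userPassword
      if ((name in hash) && hash[name] != "" && hash[name] !~ /^[!*]/)
        printf "userPassword: {crypt}%s\n", hash[name]
      if (name in hash) {
        if (last[name] != "") printf "shadowLastChange: %s\n", last[name]
        if (max[name]  != "") printf "shadowMax: %s\n", max[name]
        if (warn[name] != "") printf "shadowWarning: %s\n", warn[name]
      }
      printf "loginShell: %s\nuidNumber: %s\ngidNumber: %s\nhomeDirectory: %s\n", $7, $3, $4, $6
      printf "gecos: %s\n\n", ($5 == "" ? name : $5)   # gecos falls back to the login name
    }' "$3" "$2"
}

# group_to_ldif BASE GROUP [MINGID]: one posixGroup per group, members as memberUid
group_to_ldif() {
  awk -F: -v base="$1" -v mingid="${3:-500}" '
    $3 + 0 < mingid { next }
    {
      printf "dn: cn=%s,ou=Group,%s\n", $1, base
      printf "objectClass: posixGroup\nobjectClass: top\ncn: %s\ngidNumber: %s\n", $1, $3
      n = split($4, m, ",")          # the "x" in field 2 is a placeholder, not a hash: dropped
      for (i = 1; i <= n; i++) if (m[i] != "") printf "memberUid: %s\n", m[i]
      print ""
    }' "$2"
}

# constructed sample files; the hashes are made up and do not correspond to any password
write_sample_files() {
  cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
ldapuser:x:500:500::/home/ldapuser:/bin/bash
svc:x:501:501:Service account:/home/svc:/bin/bash
EOF
  cat > "$1/shadow" <<'EOF'
root:$6$r00tsalt$n0tarealhash:15600:0:99999:7:::
bin:*:15600:0:99999:7:::
ldapuser:$6$TeOlOcMc$n0tarealhash.Ab12:15700:0:99999:7:::
svc:!!:15700:0:99999:7:::
EOF
  cat > "$1/group" <<'EOF'
root:x:0:
ldapuser:x:500:
svc:x:501:ldapuser,svc
EOF
}

tmp=$(mktemp -d)
write_sample_files "$tmp"
passwd_to_ldif "dc=openiam,dc=com" "$tmp/passwd" "$tmp/shadow"
group_to_ldif  "dc=openiam,dc=com" "$tmp/group"
rm -rf "$tmp"
```

On a real host run passwd_to_ldif "dc=openiam,dc=com" /etc/passwd /etc/shadow > passwd.ldif as root and feed it to the same ldapadd command as above; the locked svc account in the sample comes out with ageing fields but no userPassword, so it cannot bind until an administrator sets one.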
At this point, check the information that has been added to the database. Listing 9, below, shows the complete output of an anonymous search (-x with no bind DN). userPassword and shadowLastChange must not appear in it; if they do, no ACL restricts them yet (with no access directives at all, slapd's default policy lets anyone read everything, including the password hashes) and the access settings given in the TLS section below have to be added.
The populated OpenLDAP database in LDIF format:
# ldapsearch -x
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: (objectclass=*)
# requesting: ALL
#
# openiam.com
dn: dc=openiam,dc=com
dc: openiam
objectClass: top
objectClass: domain
# People, openiam.com
dn: ou=People,dc=openiam,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit
# Group, openiam.com
dn: ou=Group,dc=openiam,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit
# ldapuser, Group, openiam.com
dn: cn=ldapuser,ou=Group,dc=openiam,dc=com
objectClass: posixGroup
objectClass: top
cn: ldapuser
gidNumber: 500
# ldapuser, People, openiam.com
dn: uid=ldapuser,ou=People,dc=openiam,dc=com
uid: ldapuser
cn: ldapuser
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 500
gidNumber: 500
homeDirectory: /home/ldapuser
gecos: test2
# search result
search: 2
result: 0 Success
# numResponses: 6
# numEntries: 5
Enable SSL/TLS on OpenLDAP
LDAP sends all information, including passwords, over the network in clear text. You employ the encryption provided by TLS, the successor to SSL, to resolve this problem. At the transport layer, the data is encrypted and wrapped in the TLS protocol for transport across the network. The tools used to configure encryption are provided by the OpenSSL package.
Encryption is a complex topic, but a basic overview of how TLS works is needed to use the OpenSSL package. The bulk of the data is encrypted
using a symmetric key algorithm that encrypts and decrypts data using a single secure key. You have a problem of how to avoid initially sending
the single secure key from the LDAP server to the LDAP client in plain text. A public key algorithm, in which the client can encrypt the single key
using a freely available public key and only the server can decrypt the single secure key, is used to resolve this problem.
The public key is created and distributed as part of a certificate, which contains supporting information such as an ID, an expiration date, and the
Fully Qualified Domain Name (FQDN) of the LDAP server providing the certificate. Before the LDAP client uses a certificate for encryption, it
verifies that the server it is talking with owns the certificate by encrypting a challenge and verifying that the server can decrypt it.
To verify that the server issuing the certificate is an approved LDAP server, the client is configured only to accept certificates that are signed by a
local Certificate Authority (CA). It uses the public key in a certificate generated by the CA and stored on the client to verify that the certificate
presented by the LDAP server is valid.
In this example, you will set up your LDAP server as a Certificate Authority and create a self-signed certificate to be used by LDAP clients and
servers in encrypting information.
The package used to set up the TLS server (openssl-1.0.0j-1.43.amzn1.x86_64 on the system the article was written on) includes a certificate management tool and shared libraries that provide various cryptographic algorithms and protocols.
To set up the environment in which the Certificate Authority works and to generate your self-signed CA certificate, run the /etc/pki/tls/misc/CA shell script (/usr/share/ssl/misc/CA on systems that still use that layout), which is a wrapper around the openssl command. Privacy Enhanced Mail (PEM) is the base64 text encoding used for the keys and certificates, with the private key optionally encrypted under a pass phrase. With the stock openssl.cnf the script produces a 1024-bit RSA key and SHA-1 signatures, as the transcript shows; for anything beyond a lab, set default_bits = 2048 and default_md = sha256 in /etc/pki/tls/openssl.cnf before running it:
# cd /etc/pki/tls/misc
# ./CA -newca
CA certificate filename (or enter to create)
Making CA certificate ...
Generating a 1024 bit RSA private key
.........++++++
......++++++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated into
your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:New York
Locality Name (eg, city) [Newbury]:New York
Organization Name (eg, company) [My Company Ltd]:OpenIAM
Organizational Unit Name (eg, section) []:openiam
Common Name (eg, your name or your server's hostname) []:lnx06.openiam.com
Email Address []:root@lnx06.openiam.com
Next, generate the server key and the certificate request that the Certificate Authority will sign. The -nodes option leaves the private key unencrypted so that slapd does not need a pass phrase every time it is started; the file permissions set below are then the only thing protecting the key. The public key is embedded in the certificate request slapd-req.pem; the private key that matches it is in slapd-key.pem. (The -days option has no effect on a request; the lifetime is set when the CA signs it.)
# openssl req -new -nodes -subj '/CN=lnx06.openiam.com/O=OpenIAM/C=US/ST=New York/L=New York' -keyout slapd-key.pem -out slapd-req.pem -days 365
Generating a 1024 bit RSA private key
...............++++++
.....................................++++++
writing new private key to 'slapd-key.pem'
-----
Sign the certificate using the CA certificate you created in the first step:
# openssl ca -out slapd-cert.pem -infiles slapd-req.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ./CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Oct 25 02:50:05 2012 GMT
Not After : Oct 25 02:50:05 2013 GMT
Subject:
countryName = US
stateOrProvinceName = New York
organizationName = OpenIAM
commonName = lnx06.openiam.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
11:A2:FB:59:42:A4:B3:26:73:1D:6D:F5:4D:2F:80:F0:FA:10:38:F5
X509v3 Authority Key Identifier:
keyid:F7:6A:25:F5:76:BE:20:E7:8D:0F:51:EF:D8:86:7B:AF:2C:74:2F:80
DirName:/C=US/ST=New York/L=New
York/O=OpenIAM/OU=openiam/CN=lnx06.openiam.com
/emailAddress=root@lnx06.openiam.com
serial:00
Certificate is to be certified until Oct 25 02:50:05 2013 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
The next step copies the required files to where slapd can find them. In addition, the correct permissions are enforced on each file: the private key is readable only by the ldap user that slapd runs as, and the certificates are world-readable, which is fine because they are public:
# cp -p slapd-key.pem /etc/openldap/slapdkey.pem
# cp -p slapd-cert.pem /etc/openldap/slapdcert.pem
# chown ldap:ldap /etc/openldap/slapdcert.pem
# chmod 644 /etc/openldap/slapdcert.pem
# chown ldap:ldap /etc/openldap/slapdkey.pem
# chmod 400 /etc/openldap/slapdkey.pem
# mkdir /etc/openldap/cacerts/
# cp /etc/pki/CA/cacert.pem /etc/openldap/cacerts/cacert.pem
# chown ldap:ldap /etc/openldap/cacerts/cacert.pem
# chmod 644 /etc/openldap/cacerts/cacert.pem
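The transcript above produces a 1024-bit key with a SHA-1 signature and a certificate identified only by its CN, which current clients no longer accept. The script below (example code written for this edit, not from the article or from the Red Hat CA wrapper) does the same job with 2048/4096-bit keys, SHA-256 and a subjectAltName, and finishes with the verification steps worth running before pointing slapd at the files. It assumes a lab CA whose key is left unencrypted (-nodes) purely so the demonstration runs unattended; the article's pass-phrase-protected CA key is the better choice for anything real. File names mirror those the article copies into /etc/openldap, the host name is the article's, and the demonstration runs only if the openssl command is installed.

```shell
#!/bin/sh
# san_config HOST: openssl request/extension config carrying a subjectAltName
# (clients match the host name against the SAN, not the CN)
san_config() {
  cat <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[dn]
CN = $1
O = OpenIAM
[v3_req]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$1
EOF
}

# make_lab_ca DIR: self-signed CA, 4096-bit RSA, SHA-256, ten years.
# -nodes leaves cakey.pem unencrypted; use -aes256 instead outside a lab.
make_lab_ca() {
  openssl req -x509 -new -newkey rsa:4096 -nodes -sha256 -days 3650 \
    -subj "/O=OpenIAM/CN=OpenIAM lab CA" \
    -keyout "$1/cakey.pem" -out "$1/cacert.pem" 2>/dev/null
  chmod 400 "$1/cakey.pem"
}

# issue_server_cert DIR HOST: 2048-bit server key, SHA-256 CSR with SAN,
# signed by the lab CA for one year, then verified against the CA.
issue_server_cert() {
  dir=$1 host=$2
  san_config "$host" > "$dir/$host.cnf"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/$host.cnf" \
    -keyout "$dir/slapdkey.pem" -out "$dir/slapd-req.pem" 2>/dev/null
  openssl x509 -req -in "$dir/slapd-req.pem" -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" \
    -CAcreateserial -days 365 -sha256 -extfile "$dir/$host.cnf" -extensions v3_req \
    -out "$dir/slapdcert.pem" 2>/dev/null
  chmod 400 "$dir/slapdkey.pem"      # slapd reads it as the ldap user: chown ldap:ldap on the server
  chmod 644 "$dir/slapdcert.pem"     # certificates are public
  # prove the chain and show the SAN before slapd.conf points at the files
  openssl verify -CAfile "$dir/cacert.pem" "$dir/slapdcert.pem"
  openssl x509 -in "$dir/slapdcert.pem" -noout -text | grep -A1 'Subject Alternative Name'
}

if command -v openssl >/dev/null 2>&1; then
  tmp=$(mktemp -d)
  make_lab_ca "$tmp"
  issue_server_cert "$tmp" lnx06.openiam.com
  rm -rf "$tmp"
fi
```

The files land in a temporary directory; the copy, chown and chmod steps from the article then apply unchanged. The SAN is what makes tls_checkpeer on the clients succeed, so the host name passed in must be the one the clients actually connect to.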
On the OpenLDAP server, add the lines below to the global section of the /etc/openldap/slapd.conf file, before the first database directive. TLSCertificateFile and TLSCertificateKeyFile specify the paths to the certificate file and private-key file. TLSCipherSuite specifies a list of OpenSSL ciphers from which slapd will choose when negotiating TLS connections, in decreasing order of preference. HIGH means "all ciphers using key lengths greater than 128 bits"; MEDIUM is short for "all ciphers using key lengths equal to 128 bits". The original article used HIGH:MEDIUM:+SSLv2, where +SSLv2 names the SSL version 2 cipher suites regardless of key strength (the leading + moves matching ciphers to the end of the list). SSLv2 has been broken for years and should not be offered at all, and MEDIUM adds nothing a current client needs, so the directive below keeps HIGH only.
TLSCipherSuite HIGH
TLSCACertificateFile /etc/openldap/cacerts/cacert.pem
TLSCertificateFile /etc/openldap/slapdcert.pem
TLSCertificateKeyFile /etc/openldap/slapdkey.pem
Add the following lines to the client library configuration on the server, /etc/openldap/ldap.conf, which ldapsearch, ldapadd and every other libldap program read. TLS_REQCERT allow means those programs carry on even when the server presents no certificate or one that fails verification; that is convenient while testing, but the default, demand, is what you want once cacert.pem is in place:
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT allow
To make the nss_ldap/pam_ldap client use TLS, add the following to its own file, /etc/ldap.conf (not /etc/openldap/ldap.conf, which does not understand these directives). tls_checkpeer yes makes the client verify the server certificate against the CA certificate, which only succeeds when the host it connects to matches the certificate's CN (lnx06.openiam.com above):
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacerts/cacert.pem
Next add access settings. An access directive belongs to the database whose definition precedes it; directives placed before the first database directive are global and are consulted for every database after its own rules. The original article placed the userPassword rule after database monitor, where it protected only the monitor backend and left the directory itself on slapd's default policy, under which anyone can read everything, password hashes included. The rules below therefore go into the global section, ahead of database config; placing them inside the bdb database definition would work equally well.
# Global access controls: the owner may change password attributes, everyone
# else may only use them to authenticate; the rest of the directory is readable.
access to attrs=shadowLastChange,userPassword
  by self write
  by * auth
access to *
  by * read
# rootdn can always read and write EVERYTHING!
# enable on-the-fly configuration (cn=config)
database config
access to *
  by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
  by * none
# enable server status monitoring (cn=monitor)
database monitor
access to *
  by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
  by dn.exact="cn=Manager,dc=openiam,dc=com" read
  by * none
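As an added check (example code written for this edit, not part of the original article or of OpenLDAP), the shell function below audits a slapd.conf for the points the template above and the access settings just given raise: file permissions, a hashed rootpw, the obsolete bind_v2 and SSLv2 settings, and whether the userPassword ACL lands in a scope that actually covers the directory. The two configuration files it builds are constructed for the demonstration: the first reproduces the ACL layout of the original article, the second the corrected one. It uses only POSIX sh, grep, awk and ls, so it runs without slapd installed.

```shell
#!/bin/sh
# audit_slapd_conf FILE: print one FAIL:/WARN: line per problem, return 1 if any FAIL
audit_slapd_conf() {
  f=$1; rc=0
  # 1. slapd.conf holds the rootpw hash and key paths: no group or world bits
  case $(ls -ld "$f" | cut -c5-10) in
    ------) ;;
    *) echo "FAIL: $f is readable by group or others; chmod 600 it"; rc=1 ;;
  esac
  # 2. rootpw must be a {SSHA}/{CRYPT}/... hash from slappasswd, never the cleartext
  if grep -Eq '^[[:space:]]*rootpw[[:space:]]+[^{]' "$f"; then
    echo "FAIL: rootpw is cleartext; use the output of slappasswd"; rc=1
  fi
  # 3. obsolete protocol version and cipher family
  if grep -Eq '^[[:space:]]*allow[[:space:]].*bind_v2' "$f"; then
    echo "WARN: allow bind_v2 accepts obsolete LDAPv2 clients; drop it unless a legacy client needs it"
  fi
  if grep -Eq '^[[:space:]]*TLSCipherSuite.*SSLv2' "$f"; then
    echo "FAIL: TLSCipherSuite offers SSLv2-era ciphers; use HIGH or an explicit modern list"; rc=1
  fi
  # 4. ACL scope: an access directive belongs to the most recent "database" line;
  #    before the first one it is global. The userPassword rule only protects the
  #    directory if it is global or inside the bdb/hdb/mdb database, not under
  #    database config or database monitor.
  awk '
    BEGIN { db = "global" }
    /^[ \t]*database[ \t]/ { db = $2 }
    /^[ \t]*access[ \t]+to[ \t]+attrs=[^ \t]*userPassword/ {
      if (db == "config" || db == "monitor") bad = db; else good = db
    }
    END {
      if (good != "") { print "ok: userPassword ACL is in scope \"" good "\""; exit 0 }
      if (bad != "")
        print "FAIL: userPassword ACL sits under \"database " bad "\" and never applies to the directory; anyone can read the hashes"
      else
        print "FAIL: no ACL restricts userPassword; the default policy lets anyone read the hashes"
      exit 1
    }' "$f" || rc=1
  return $rc
}

# slapd.conf with the ACL layout of the original article (constructed, trimmed to the relevant lines)
write_article_conf() {
  cat > "$1" <<'EOF'
include /etc/openldap/schema/core.schema
allow bind_v2
TLSCipherSuite HIGH:MEDIUM:+SSLv2
database config
access to *
  by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
  by * none
database monitor
access to *
  by * none
access to attrs=shadowLastChange,userPassword
  by self write
  by * auth
access to *
  by * read
database bdb
suffix "dc=openiam,dc=com"
rootdn "cn=Manager,dc=openiam,dc=com"
rootpw {SSHA}ZK1Z0ZXGWuEn+tTD6fT2LyLbrnPOfbP3
directory /var/lib/ldap
EOF
  chmod 644 "$1"   # what the default umask leaves behind
}

# the corrected layout: global ACLs first, no LDAPv2, no SSLv2, mode 600
write_fixed_conf() {
  cat > "$1" <<'EOF'
include /etc/openldap/schema/core.schema
TLSCipherSuite HIGH
access to attrs=shadowLastChange,userPassword
  by self write
  by * auth
access to *
  by * read
database config
access to *
  by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
  by * none
database monitor
access to *
  by * none
database bdb
suffix "dc=openiam,dc=com"
rootdn "cn=Manager,dc=openiam,dc=com"
rootpw {SSHA}ZK1Z0ZXGWuEn+tTD6fT2LyLbrnPOfbP3
directory /var/lib/ldap
EOF
  chmod 600 "$1"
}

tmp=$(mktemp -d)
write_article_conf "$tmp/article.conf"; write_fixed_conf "$tmp/fixed.conf"
echo "== slapd.conf laid out as in the article"; audit_slapd_conf "$tmp/article.conf" || echo "(rejected)"
echo "== corrected layout";                     audit_slapd_conf "$tmp/fixed.conf"
rm -rf "$tmp"
```

Point it at /etc/openldap/slapd.conf after every edit; the ACL check is the one that matters most, because a misplaced rule produces no error from slaptest and the directory simply answers anonymous searches with the hashes.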
Finally, restrict slapd to TLS-only listeners. The init script /etc/init.d/slapd reads these settings from /etc/sysconfig/ldap, so edit that file rather than the script:
SLAPD_LDAP="no"
SLAPD_LDAPI="no"
SLAPD_LDAPS="yes"
Restart the service: service slapd restart. Two consequences to be aware of: with SLAPD_LDAP=no nothing listens on port 389, so clients configured for STARTTLS (ssl start_tls in /etc/ldap.conf, or ldap:// URIs with -Z) can no longer connect and must switch to ldaps:// (ssl on in /etc/ldap.conf, ldaps://host/ URIs); and with SLAPD_LDAPI=no the ldapi:/// socket is gone, so the root-over-peercred rules on cn=config and cn=monitor above can no longer be exercised. Keeping SLAPD_LDAPI=yes costs nothing (the socket is local) and keeps that administrative path working. The alternative to closing port 389 is to leave it open and add security ssf=128 to slapd.conf, in the form shown commented out in the template, which makes slapd refuse any operation other than StartTLS until the session is encrypted.
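The server-side switch above interacts with three client settings from earlier in the article, and the original configuration gets two of them wrong: STARTTLS against a server that no longer listens on 389, and a client host name that does not match the certificate. The shell function below (example code written for this edit, not the article's) reads /etc/sysconfig/ldap, the nss_ldap /etc/ldap.conf and the libldap /etc/openldap/ldap.conf and reports the combinations that either cannot connect or silently skip verification. It reads the client's host directive (not uri) and the exact-case keys the article uses; the two sets of files it builds are constructed copies of the article's settings and of a consistent ldaps-only variant, with the certificate CN passed in as the fourth argument.

```shell
#!/bin/sh
# conf_value FILE KEY: value of the first uncommented "KEY value" or KEY=value line, quotes stripped
conf_value() {
  sed -n "s/^$2[=[:space:]]\{1,\}//p" "$1" | head -n 1 | tr -d '"'
}

# check_tls_wiring SYSCONFIG CLIENT_LDAP_CONF LIBLDAP_CONF CERT_CN
# Prints one FAIL: line per inconsistency; returns 1 if there were any.
check_tls_wiring() {
  n=0
  ldap=$(conf_value "$1" SLAPD_LDAP);    ldaps=$(conf_value "$1" SLAPD_LDAPS)
  ssl=$(conf_value "$2" ssl);            host=$(conf_value "$2" host)
  peer=$(conf_value "$2" tls_checkpeer); reqcert=$(conf_value "$3" TLS_REQCERT)
  # nss_ldap: "ssl start_tls" = STARTTLS on 389, "ssl on" = ldaps:// on 636
  if [ "$ssl" = start_tls ] && [ "$ldap" = no ]; then
    echo "FAIL: client uses STARTTLS (ssl start_tls, port 389) but SLAPD_LDAP=no: nothing listens there"; n=$((n + 1))
  fi
  if [ "$ssl" = on ] && [ "$ldaps" != yes ]; then
    echo "FAIL: client uses ldaps:// (ssl on, port 636) but SLAPD_LDAPS is not yes"; n=$((n + 1))
  fi
  if [ "$ssl" != on ] && [ "$ssl" != start_tls ]; then
    echo "FAIL: client has neither ssl on nor ssl start_tls: binds go over the wire in cleartext"; n=$((n + 1))
  fi
  if [ "$peer" != yes ]; then
    echo "FAIL: tls_checkpeer is not yes: the client accepts any certificate"; n=$((n + 1))
  fi
  if [ "$host" != "$4" ]; then
    echo "FAIL: client connects to '$host' but the certificate is issued to '$4': peer verification fails"; n=$((n + 1))
  fi
  case $reqcert in
    demand|hard|"") ;;            # demand is libldap's default when the key is absent
    *) echo "FAIL: TLS_REQCERT $reqcert lets the libldap tools continue with a bad or missing server certificate; use demand"; n=$((n + 1)) ;;
  esac
  [ "$n" -eq 0 ] && echo "ok: client and server TLS settings agree"
  [ "$n" -eq 0 ]
}

# settings as they appear in the article (constructed copies, trimmed to the relevant keys)
write_article_wiring() {
  printf 'SLAPD_LDAP="no"\nSLAPD_LDAPI="no"\nSLAPD_LDAPS="yes"\n' > "$1/sysconfig-ldap"
  printf 'host lnx06.openiamdemo.com\nbase dc=openiam,dc=com\nssl start_tls\ntls_checkpeer yes\ntls_cacertfile /etc/openldap/cacerts/cacert.pem\n' > "$1/ldap.conf"
  printf 'URI ldap://lnx06.openiamdemo.com/\nBASE dc=openiam,dc=com\nTLS_CACERTDIR /etc/openldap/cacerts\nTLS_REQCERT allow\n' > "$1/openldap-ldap.conf"
}

# a consistent ldaps-only variant; ldapi is kept for local root administration
write_fixed_wiring() {
  printf 'SLAPD_LDAP="no"\nSLAPD_LDAPI="yes"\nSLAPD_LDAPS="yes"\n' > "$1/sysconfig-ldap"
  printf 'host lnx06.openiam.com\nbase dc=openiam,dc=com\nssl on\ntls_checkpeer yes\ntls_cacertfile /etc/openldap/cacerts/cacert.pem\n' > "$1/ldap.conf"
  printf 'URI ldaps://lnx06.openiam.com/\nBASE dc=openiam,dc=com\nTLS_CACERTDIR /etc/openldap/cacerts\nTLS_REQCERT demand\n' > "$1/openldap-ldap.conf"
}

tmp=$(mktemp -d)
write_article_wiring "$tmp"
echo "== article settings, certificate CN lnx06.openiam.com"
check_tls_wiring "$tmp/sysconfig-ldap" "$tmp/ldap.conf" "$tmp/openldap-ldap.conf" lnx06.openiam.com || echo "(inconsistent)"
write_fixed_wiring "$tmp"
echo "== ldaps-only variant"
check_tls_wiring "$tmp/sysconfig-ldap" "$tmp/ldap.conf" "$tmp/openldap-ldap.conf" lnx06.openiam.com
rm -rf "$tmp"
```

On a real host call it as check_tls_wiring /etc/sysconfig/ldap /etc/ldap.conf /etc/openldap/ldap.conf "$(hostname -f)" and compare the last argument with the CN or SAN in slapdcert.pem; the three FAIL lines it prints for the article's settings are exactly the connections that would fail or be unverified after the restart.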
Conclusion
For reference, below are the complete listings of the configuration files used in this article.
/etc/openldap/slapd.conf
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
loglevel 296
# Allow LDAPv2 client connections. This is NOT the default, and LDAPv2 is
# obsolete: keep the directive only while a legacy client still needs it.
allow bind_v2
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldaps://lnx06.openiamdemo.com
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# Load dynamic backend modules
# - modulepath is architecture dependent value (32/64-bit system)
# - back_sql.la overlay requires openldap-server-sql package
# - dyngroup.la and dynlist.la cannot be used at the same time
# modulepath /usr/lib/openldap
# modulepath /usr/lib64/openldap
# moduleload accesslog.la
# moduleload auditlog.la
# moduleload back_sql.la
# moduleload chain.la
# moduleload collect.la
# moduleload constraint.la
# moduleload dds.la
# moduleload deref.la
# moduleload dyngroup.la
# moduleload dynlist.la
# moduleload memberof.la
# moduleload pbind.la
# moduleload pcache.la
# moduleload ppolicy.la
# moduleload refint.la
# moduleload retcode.la
# moduleload rwm.la
# moduleload seqmod.la
# moduleload smbk5pwd.la
# moduleload sssvlv.la
# moduleload syncprov.la
# moduleload translucent.la
# moduleload unique.la
# moduleload valsort.la
# The next three lines allow use of TLS for encrypting connections using a
# dummy test certificate which you can generate by running
# /usr/libexec/openldap/generate-server-cert.sh. Your client software may balk
# at self-signed certificates, however.
# HIGH only: the original article had HIGH:MEDIUM:+SSLv2, which still offered SSLv2-era ciphers
TLSCipherSuite HIGH
TLSCACertificateFile /etc/openldap/cacerts/cacert.pem
TLSCertificateFile /etc/openldap/slapdcert.pem
TLSCertificateKeyFile /etc/openldap/slapdkey.pem
TLSCACertificatePath /etc/openldap/cacerts
#TLSCertificateFile "\"OpenLDAP Server\""
#TLSCertificateKeyFile /etc/openldap/certs/password
# Use the following if client authentication is required
#TLSVerifyClient never
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
# rootdn can always read and write EVERYTHING!
# Global access controls (before the first "database" line) apply to every
# database after its own rules. They must be here or inside the bdb section:
# the original article had them after "database monitor", where they protected
# only cn=monitor and left the directory's password hashes readable by anyone.
access to attrs=shadowLastChange,userPassword
  by self write
  by * auth
access to *
  by * read
# enable on-the-fly configuration (cn=config)
database config
access to *
  by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
  by * none
# enable server status monitoring (cn=monitor)
database monitor
access to *
  by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
  by dn.exact="cn=Manager,dc=openiam,dc=com" read
  by * none
#######################################################################
# database definitions
#######################################################################
database bdb
suffix "dc=openiam,dc=com"
checkpoint 1024 15
rootdn "cn=Manager,dc=openiam,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw secret
rootpw {SSHA}ZK1Z0ZXGWuEn+tTD6fT2LyLbrnPOfbP3
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
# bindmethod=sasl saslmech=GSSAPI
# authcId=host/ldap-master.example.com@EXAMPLE.COM
The nss_ldap/pam_ldap client file used in the examples, /etc/ldap.conf. Two mismatches with the rest of the article have to be resolved before this works: the host name here (lnx06.openiamdemo.com) differs from the certificate's CN (lnx06.openiam.com), so tls_checkpeer yes rejects the server until the two agree; and ssl start_tls needs slapd listening on port 389, which the SLAPD_LDAP=no setting below turns off (use ssl on for ldaps:// instead):
host lnx06.openiamdemo.com
base dc=openiam,dc=com
ssl start_tls
tls_checkpeer yes
# CA certificates for server certificate verification
tls_cacertfile /etc/openldap/cacerts/cacert.pem
pam_password ssha
The libldap client file on the server, /etc/openldap/ldap.conf. TLS_REQCERT allow is a testing convenience: the command-line tools proceed even with an unverifiable certificate. Change it to demand (the default) once cacert.pem is in place. Note also that URI ldap://lnx06.openiamdemo.com/ points at port 389, which the ldaps-only sysconfig below disables; use ldaps://lnx06.openiamdemo.com/ in that case:
URI ldap://lnx06.openiamdemo.com/
BASE dc=openiam,dc=com
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT allow
#ssl start_tls
#tls_checkpeer yes
#tls_cacertfile /etc/openldap/cacerts/cacert.pem
Server LDAP configuration /etc/sysconfig/ldap:
# Options of slapd (see man slapd)
#SLAPD_OPTIONS=
# At least one of SLAPD_LDAP, SLAPD_LDAPI and SLAPD_LDAPS must be set to 'yes'!
#
# Run slapd with -h "... ldap:/// ..."
# yes/no, default: yes
SLAPD_LDAP=no
# Run slapd with -h "... ldapi:/// ..."
# yes/no, default: yes
SLAPD_LDAPI=no
# Run slapd with -h "... ldaps:/// ..."
# yes/no, default: no
SLAPD_LDAPS=yes
# Run slapd with -h "... $SLAPD_URLS ..."
# This option could be used instead of previous three ones, but:
# - it doesn't overwrite settings of $SLAPD_LDAP, $SLAPD_LDAPS and $SLAPD_LDAPI options
# - it isn't overwritten by settings of $SLAPD_LDAP, $SLAPD_LDAPS and $SLAPD_LDAPI options
# example: SLAPD_URLS="ldapi:///var/lib/ldap_root/ldapi ldapi:/// ldaps:///"
# default: empty
#SLAPD_URLS="ldaps:///"
# Maximum allowed time to wait for slapd shutdown on 'service ldap stop' (in seconds)
#SLAPD_SHUTDOWN_TIMEOUT=3
# Parameters to ulimit, use to change system limits for slapd
#SLAPD_ULIMIT_SETTINGS=""
Useful commands:
slapd -d 16383 [run OpenLDAP in the foreground with full debug output in the console]
lsof -i :389 [check that the ldap daemon is listening; use :636 once only ldaps:// is enabled]
Links
Setup OpenLDAP on CentOS step by step:
https://www.ibm.com/developerworks/linux/library/l-openldap/
Migration tool for CentOS here: http://www.padl.com/OSS/MigrationTools.html
LDAP Security: http://www.zytrax.com/books/ldap/ch15/#tls
