Configure LDAP Server
2015/04/15
|
Configure LDAP Server in order to share users' accounts in your local networks.
| |
| [1] | Install OpenLDAP Server. |
[root@dlp ~]#
[root@dlp ~]#
yum -y install openldap-servers openldap-clients
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@dlp ~]#
chown ldap. /var/lib/ldap/DB_CONFIG
[root@dlp ~]#
systemctl start slapd
[root@dlp ~]#
systemctl enable slapd
|
| [2] | Set OpenLDAP admin password. |
# generate encrypted password
[root@dlp ~]#
slappasswd
New password: Re-enter new password: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx
[root@dlp ~]#
vi chrootpw.ldif
# specify the password generated above for "olcRootPW" section
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx
ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif
SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 modifying entry "olcDatabase={0}config,cn=config" |
| [3] | Import basic Schemas. |
| [root@dlp ~]#
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 adding new entry "cn=cosine,cn=schema,cn=config"[root@dlp ~]#
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 adding new entry "cn=nis,cn=schema,cn=config"[root@dlp ~]#
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 adding new entry "cn=inetorgperson,cn=schema,cn=config" |
| [4] | Set your domain name on LDAP DB. |
# generate directory manager's password
[root@dlp ~]#
slappasswd
New password: Re-enter new password: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx
[root@dlp ~]#
vi chdomain.ldif
# replace to your own domain name for "dc=***,dc=***" section
# specify the password generated above for "olcRootPW" section
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
read by dn.base="cn=Manager,dc=server,dc=world" read by * none
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=server,dc=world
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=server,dc=world
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by
dn="cn=Manager,dc=server,dc=world" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=server,dc=world" write by * read
ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}monitor,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
[root@dlp ~]#
vi basedomain.ldif
# replace to your own domain name for "dc=***,dc=***" section
dn: dc=server,dc=world objectClass: top objectClass: dcObject objectclass: organization o: Server World dc: Server dn: cn=Manager,dc=server,dc=world objectClass: organizationalRole cn: Manager description: Directory Manager dn: ou=People,dc=server,dc=world objectClass: organizationalUnit ou: People dn: ou=Group,dc=server,dc=world objectClass: organizationalUnit ou: Group
ldapadd -x -D cn=Manager,dc=server,dc=world -W -f basedomain.ldif
Enter LDAP Password:
# directory manager's password
adding new entry "dc=server,dc=world" adding new entry "cn=Manager,dc=server,dc=world" adding new entry "ou=People,dc=server,dc=world" adding new entry "ou=Group,dc=server,dc=world" |
| [5] | If Firewalld is running, allow LDAP service. LDAP uses 389/TCP. |
| [root@dlp ~]#
firewall-cmd --add-service=ldap --permanent
success [root@dlp ~]#
firewall-cmd --reload
success |
Nenhum comentário:
Postar um comentário