This post is an overview of the commands needed to set up a basic working LDAP server with TLS on CentOS 6.4. I will also go over the process of creating a POSIX user account and a POSIX group. The archived version of this is for CentOS 6 and can be found here: CentOS 6 LDAP With TLS
Add the following to your iptables configuration to allow access through the firewall (389/tcp for ldap and StartTLS, 636/tcp for ldaps), then install the required packages for your LDAP server.
/etc/sysconfig/iptables
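The firewall and package step, as an added example that is not the original post's code. It assumes the stock CentOS 6 /etc/sysconfig/iptables, whose INPUT chain ends in a REJECT rule (so the new rules are inserted above it with `iptables -I`), and adds a `tls-only` mode of my own that opens only 636/tcp for sites whose clients never need port 389.

```shell
#!/bin/sh
# Added example (not the original post's code): open the LDAP ports and install
# the OpenLDAP packages on CentOS 6. Assumes the stock /etc/sysconfig/iptables
# whose INPUT chain ends in a REJECT rule, so rules are inserted (-I), not appended.

# Print the rules to add. Mode "both" (the post's setup) opens 389 (ldap, plus
# StartTLS) and 636 (ldaps); mode "tls-only" opens just 636, which removes the
# cleartext listener from the network without touching slapd itself.
ldap_firewall_rules() {
  mode=${1:-both}
  if [ "$mode" != tls-only ]; then
    printf '%s\n' '-A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT'
  fi
  printf '%s\n' '-A INPUT -m state --state NEW -m tcp -p tcp --dport 636 -j ACCEPT'
}

# Load the rules into the running firewall and persist them: "service iptables
# save" rewrites /etc/sysconfig/iptables from the live ruleset.
apply_ldap_firewall() {
  ldap_firewall_rules "$1" | while read -r rule; do
    # "-A INPUT <match>" becomes "iptables -I INPUT <match>" (insert at the top);
    # word splitting of the rule text is intended here.
    iptables -I INPUT ${rule#"-A INPUT "}
  done
  service iptables save
}

install_ldap_packages() {
  yum install -y openldap openldap-servers openldap-clients
}

# Only touch the system when explicitly asked; sourcing the file is harmless.
if [ "${RUN_LDAP_SETUP:-0}" = 1 ]; then
  apply_ldap_firewall "${1:-both}"
  install_ldap_packages
fi
```

Run it as root with `RUN_LDAP_SETUP=1 sh ldap-firewall.sh both` (or `tls-only`). The lines that `ldap_firewall_rules` prints are exactly what you would paste into /etc/sysconfig/iptables by hand, above the final REJECT line.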
Note: the steps for creating the certificates are crucial for TLS to work properly and have changed since CentOS 6.0. slapd on CentOS 6 is built against Mozilla NSS and reads its certificate and key from the NSS database in /etc/openldap/certs rather than from PEM files, so the certificates are created with certutil.
Back up the old /etc/openldap/certs directory and create a new one so we can generate new certificates.
Create the password file that protects the NSS key database in the current directory. The certificates generated next are stored under that password, and slapd reads the same file (the default cn=config.ldif points olcTLSCertificateKeyFile at /etc/openldap/certs/password), so the file name must stay as it is.
Generate a self-signed CA certificate in the NSS database.
If prompted (the basic-constraints questions), the answers are Y (this is a CA), Enter to accept the default path length, then Y (mark the extension critical).
Next build the server certificate, signed by that CA. Its subject cn must be the hostname clients will use to reach the server: with the default TLS_REQCERT demand, a client refuses a certificate whose name does not match.
This exports the CA certificate in case you need it elsewhere. If the export includes the CA private key (a PKCS#12 bundle does), store it somewhere safer than the LDAP server.
Export the CA certificate in PEM form for LDAP clients.
Make the files in /etc/openldap/certs readable by the ldap user that slapd runs as. The key database and the password file together unlock the server's private key, so group-readable (root:ldap, mode 640) is enough; world-readable (644) also works but lets every local user copy them.
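The certificate steps above, as an added example that is not the original post's code. It assumes the stock CentOS 6 cn=config.ldif values (olcTLSCACertificatePath /etc/openldap/certs, olcTLSCertificateFile "OpenLDAP Server", olcTLSCertificateKeyFile /etc/openldap/certs/password), so the directory, the two NSS nicknames and the file name `password` must stay as written; the hostname ldap.example.com, the ten-year validity and the `check_cert_perms` guard are my additions.

```shell
#!/bin/sh
# Added example, not the original post's code: rebuild the NSS certificate
# database that slapd on CentOS 6 reads its TLS material from, then export the
# CA certificate for clients. Assumes the stock CentOS 6 cn=config.ldif values
# (olcTLSCACertificatePath /etc/openldap/certs, olcTLSCertificateFile
# "OpenLDAP Server", olcTLSCertificateKeyFile /etc/openldap/certs/password),
# so the directory, the two nicknames and the file name "password" must stay
# as written. Hostname and validity are assumptions: change them.
CERTDIR=${CERTDIR:-/etc/openldap/certs}
LDAP_FQDN=${LDAP_FQDN:-ldap.example.com}
CA_NICK="CA certificate"
SRV_NICK="OpenLDAP Server"
VALID_MONTHS=120

# Write the NSS database password file. slapd (user ldap) reads it through
# olcTLSCertificateKeyFile; it unlocks the private key, so never world-readable.
write_nss_password() {   # $1 = cert dir, $2 = password
  ( umask 027 && printf '%s\n' "$2" > "$1/password" )
  chown root:ldap "$1/password" 2>/dev/null || true   # no-op unless root
  chmod 640 "$1/password"
}

# Return 1 (and list offenders) if any file in the cert dir other than the
# public CA export is readable by "other". A world-readable key database plus
# password file lets any local user recover the server key; 640 root:ldap
# gives slapd everything it needs.
check_cert_perms() {   # $1 = cert dir
  bad=$(find "$1" -type f ! -name cacert.pem -perm -004)
  if [ -n "$bad" ]; then
    printf 'world-readable key material:\n%s\n' "$bad" >&2
    return 1
  fi
  return 0
}

# Recreate the database and both certificates with NSS certutil:
#  -N new database, -S make key pair + cert, -x self-sign, -c issuer nickname,
#  -t trust flags (CT,, = trusted CA; u,u,u = our own cert), -m serial number,
#  -v validity in months, -8 DNS subjectAltName, -z entropy file (no prompt).
# The CA command uses -2 (basic constraints) and asks three questions:
# answer y (is a CA), Enter (no path length limit), y (critical).
rebuild_nss_db() {   # $1 = NSS database password
  if [ -d "$CERTDIR" ]; then mv "$CERTDIR" "$CERTDIR.bak.$(date +%Y%m%d%H%M%S)"; fi
  mkdir -p "$CERTDIR"
  write_nss_password "$CERTDIR" "$1"
  head -c 2048 /dev/urandom > "$CERTDIR/noise.bin"
  certutil -N -d "$CERTDIR" -f "$CERTDIR/password"
  certutil -S -d "$CERTDIR" -f "$CERTDIR/password" -z "$CERTDIR/noise.bin" \
    -n "$CA_NICK" -s "cn=CAcert" -x -t "CT,," -m 1000 -v "$VALID_MONTHS" \
    -k rsa -g 2048 -2
  certutil -S -d "$CERTDIR" -f "$CERTDIR/password" -z "$CERTDIR/noise.bin" \
    -n "$SRV_NICK" -s "cn=$LDAP_FQDN" -8 "$LDAP_FQDN" -c "$CA_NICK" -t "u,u,u" \
    -m 1001 -v "$VALID_MONTHS" -k rsa -g 2048
  rm -f "$CERTDIR/noise.bin"
  # PKCS#12 bundle of the CA (includes its private key): move it off the box.
  pk12util -d "$CERTDIR" -k "$CERTDIR/password" -n "$CA_NICK" \
    -o "$CERTDIR/cacert.p12" -W "$1"
  # PEM copy of the public CA certificate for /etc/openldap/cacerts on clients.
  certutil -L -d "$CERTDIR" -n "$CA_NICK" -a > "$CERTDIR/cacert.pem"
  chown root:ldap "$CERTDIR"/*
  chmod 640 "$CERTDIR"/*
  chmod 644 "$CERTDIR/cacert.pem"
  check_cert_perms "$CERTDIR"
}

if [ "${RUN_LDAP_SETUP:-0}" = 1 ]; then
  rebuild_nss_db "${NSS_DB_PASSWORD:?set NSS_DB_PASSWORD in the environment}"
fi
```

Run it as root with `NSS_DB_PASSWORD=... LDAP_FQDN=ldap.yourdomain RUN_LDAP_SETUP=1 sh ldap-certs.sh`. The PKCS#12 bundle reuses the database password as its own; the final `check_cert_perms` call fails loudly if anything but cacert.pem ends up world-readable.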
Edit /etc/sysconfig/ldap, uncomment SLAPD_LDAPS and change it from 'no' to 'yes' so slapd also listens on ldaps:// (port 636) in addition to ldap:// on 389, where StartTLS is used.
Set up the backend database configuration (the BDB DB_CONFIG file) in /var/lib/ldap.
Give the ldap user account ownership of /var/lib/ldap, since slapd runs as that user.
Create the LDAP administrative password with slappasswd. Be sure to save the {SSHA} string it prints (a salted SHA-1 hash, not the password itself) so we can add it to the bdb.ldif config file in the next step.
Open the olcDatabase={1}bdb.ldif file (/etc/openldap/slapd.d/cn\=config/olcDatabase\={1}bdb.ldif) and make the modifications shown below. Do this before slapd is started for the first time: once it is running, the files under slapd.d belong to slapd and must be changed with ldapmodify against cn=config rather than with an editor.
Change all references in this file from my-domain to your domain name, for example:
To allow users to change their own passwords (and to keep password hashes out of reach of everyone else), you will have to add the following olcAccess rules after the last olcDbIndex line in this file, again replacing the domain name with yours.
Add the following to the end of this file to set the root password (replace the {SSHA} string with the one saved earlier; never put the cleartext password here):
Next modify the monitor database configuration file, changing all references to my-domain to your domain:
/etc/openldap/slapd.d/cn\=config/olcDatabase\={2}monitor.ldif
Test the configuration with slaptest, then start the LDAP server and set it to start at boot. slaptest may warn about a checksum mismatch on the hand-edited files; that is a warning, not an error.
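The server configuration steps, from /etc/sysconfig/ldap through the first start, as an added example that is not the post's code. It assumes the domain example.com (so the base DN is `dc=example,dc=com`), the stock CentOS 6 slapd.d layout and file names, and a slapd that has never been started; the `patch_bdb_ldif` function does the bdb.ldif edits mechanically and can be tested on a copy before touching the real file.

```shell
#!/bin/sh
# Added example (not the original post's code): turn the stock CentOS 6 slapd
# configuration into the one the post describes. Assumes slapd has never been
# started (the files under slapd.d are edited directly, which is only safe
# before the first start) and the stock olcDatabase={1}bdb.ldif layout.
# Domain and paths are assumptions; the admin hash comes from slappasswd.
CFG=${CFG:-/etc/openldap/slapd.d/cn=config}

# "example.com" -> "dc=example,dc=com"
dn_from_domain() { printf 'dc=%s' "$1" | sed 's/\./,dc=/g'; }

# Replace every "dc=my-domain,dc=com" in an LDIF read on stdin. The monitor
# database spells the manager DN with a lowercase "cn=manager"; that is left
# alone on purpose, since slapd compares DNs case-insensitively.
retarget_ldif() {   # $1 = base DN
  sed "s/dc=my-domain,dc=com/$1/g"
}

# Access rules from the post: password attributes are writable by the manager
# and by the entry itself, usable by anonymous only to bind (auth) and
# readable by nobody; the root DSE and everything else stay readable by all,
# which nss/pam clients binding anonymously need.
render_acl() {   # $1 = base DN
  cat <<EOF
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=Manager,$1" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,$1" write by * read
EOF
}

# stdin: stock olcDatabase={1}bdb.ldif; stdout: retargeted copy with the ACL
# inserted after the last olcDbIndex line and olcRootPW right after it, so
# nothing lands after a possible trailing blank line (which would start a
# new LDIF entry and break the config).
patch_bdb_ldif() {   # $1 = base DN, $2 = {SSHA} hash from slappasswd
  retarget_ldif "$1" | awk -v acl="$(render_acl "$1")" -v pw="olcRootPW: $2" '
    { line[NR] = $0; if ($0 ~ /^olcDbIndex:/) last = NR }
    END {
      if (!last) last = NR
      for (i = 1; i <= NR; i++) {
        print line[i]
        if (i == last) { print acl; print pw }
      }
    }'
}

configure_slapd() {   # $1 = domain, $2 = {SSHA} hash
  base=$(dn_from_domain "$1")
  # listen on ldaps:/// (636) as well as ldap:/// (389)
  sed -i 's/^#\{0,1\}SLAPD_LDAPS=no/SLAPD_LDAPS=yes/' /etc/sysconfig/ldap
  # Berkeley DB tuning file and ownership for the database directory
  cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
  chown -R ldap:ldap /var/lib/ldap
  db="$CFG/olcDatabase={1}bdb.ldif"
  mon="$CFG/olcDatabase={2}monitor.ldif"
  patch_bdb_ldif "$base" "$2" < "$db" > "$db.new" && mv "$db.new" "$db"
  retarget_ldif "$base" < "$mon" > "$mon.new" && mv "$mon.new" "$mon"
  slaptest -u -F /etc/openldap/slapd.d     # expect "config file testing succeeded"
  service slapd start
  chkconfig slapd on
}

if [ "${RUN_LDAP_SETUP:-0}" = 1 ]; then
  # slappasswd prompts for the password and prints the {SSHA} hash, so the
  # cleartext never appears on a command line or in shell history
  configure_slapd "${LDAP_DOMAIN:-example.com}" "$(slappasswd)"
fi
```

Run it as root with `LDAP_DOMAIN=yourdomain.tld RUN_LDAP_SETUP=1 sh ldap-config.sh`; it prompts once for the manager password. To preview the edit without writing anything, pipe the stock file through `patch_bdb_ldif` by hand and diff the result.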
Now we can configure the LDAP client. Do this on the LDAP server first to make sure everything is working properly.
First create the cacerts directory for client CA certificates and copy the CA certificate exported earlier (cacert.pem) into it. Clients verify the server certificate against this CA, so it must be the CA export, not the server certificate.
Next use authconfig-tui to write the client configuration files (LDAP for both user information and authentication, TLS enabled, your server and base DN).
Check that the LDAP server is working and responding to search requests.
You should get a search: 2 somewhere in the output: ldapsearch numbers its requests from 1, the simple bind is request 1 and the search is request 2.
Test that encrypted searches (StartTLS) are also working.
You should get a search: 3 somewhere in the output this time, because the StartTLS extended operation is request 1, the bind 2 and the search 3. If ldapsearch instead fails to start TLS, the client rejected the server certificate: check that its cn matches the hostname you queried and that the CA certificate is in /etc/openldap/cacerts.
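The client setup and the two probes, as an added example that is not the post's code. It assumes the server ldap.example.com with base DN `dc=example,dc=com`, that /etc/openldap/certs/cacert.pem is the CA export from the server steps, and uses the authconfig command line as the non-interactive equivalent of the authconfig-tui choices; `probe_ok` is my check that encodes the "search: 2" and "search: 3" expectations so the test can be scripted.

```shell
#!/bin/sh
# Added example (not the original post's code): configure a CentOS 6 LDAP
# client, run the two ldapsearch probes from the post, and check their output.
# Assumes server ldap.example.com with base dc=example,dc=com and that
# /etc/openldap/certs/cacert.pem is the CA export from the server step.
LDAP_FQDN=${LDAP_FQDN:-ldap.example.com}
LDAP_DOMAIN=${LDAP_DOMAIN:-example.com}

dn_from_domain() { printf 'dc=%s' "$1" | sed 's/\./,dc=/g'; }

# Non-interactive equivalent of the authconfig-tui choices: LDAP for user
# information and for authentication, TLS on, server and base DN. The CA file
# goes into /etc/openldap/cacerts, the directory authconfig writes as
# TLS_CACERTDIR into /etc/openldap/ldap.conf.
configure_ldap_client() {   # $1 = path to the CA certificate (PEM)
  mkdir -p /etc/openldap/cacerts
  cp "$1" /etc/openldap/cacerts/cacert.pem
  cacertdir_rehash /etc/openldap/cacerts     # hashed symlinks; provided by authconfig
  authconfig --enableldap --enableldapauth --enableldaptls \
    --ldapserver="ldap://$LDAP_FQDN" --ldapbasedn="$(dn_from_domain "$LDAP_DOMAIN")" \
    --enablemkhomedir --update
}

# Pull the search message id out of ldapsearch output ("search: N"). ldapsearch
# numbers requests from 1: with plain -x the bind is 1 and the search 2; with
# -ZZ the StartTLS extended operation is 1, the bind 2 and the search 3, which
# is why the post expects "search: 2" and then "search: 3".
search_msgid() { sed -n 's/^search: \([0-9][0-9]*\)$/\1/p' | head -n 1; }

# stdin = ldapsearch output, $1 = expected search id. Success means the server
# answered (result: 0) and the request took the expected id, i.e. for id 3
# that StartTLS really happened before the bind.
probe_ok() {
  out=$(cat)
  printf '%s\n' "$out" | grep -q '^result: 0 Success$' || return 1
  [ "$(printf '%s\n' "$out" | search_msgid)" = "$1" ]
}

# The two probes: an anonymous root-DSE query (-b '' -s base needs no account),
# first in the clear and then with -ZZ, which fails hard if StartTLS cannot be
# negotiated, e.g. when the certificate's cn does not match $LDAP_FQDN or the
# CA is missing from /etc/openldap/cacerts.
run_probes() {
  ldapsearch -x -H "ldap://$LDAP_FQDN" -b '' -s base '(objectclass=*)' namingContexts \
    | probe_ok 2 || { echo "plain search failed" >&2; return 1; }
  ldapsearch -x -ZZ -H "ldap://$LDAP_FQDN" -b '' -s base '(objectclass=*)' namingContexts \
    | probe_ok 3 || { echo "StartTLS search failed" >&2; return 1; }
  echo "ldap and StartTLS searches OK"
}

if [ "${RUN_LDAP_SETUP:-0}" = 1 ]; then
  configure_ldap_client /etc/openldap/certs/cacert.pem
  run_probes
fi
```

On the server itself, run `RUN_LDAP_SETUP=1 sh ldap-client.sh` as root; on other clients, copy cacert.pem over first and set LDAP_FQDN and LDAP_DOMAIN. Because `probe_ok 3` insists on message id 3, it also catches a client that silently fell back to a cleartext search.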
Now we must configure the base domain and import the information into our LDAP server. Create the file base.ldif with the following contents:
Now import the base.ldif file into LDAP.
Next create a POSIX user that can use our central LDAP server. Create a temporary password for the new user and set the user's group. Create the file posix_user.ldif, substituting values for your environment (pick uidNumber and gidNumber values outside the range used by local accounts):
Add the user information to our LDAP server.
Set the new user's temporary password.
Next set up the user's group. Create the file posix_group.ldif, substituting values for your environment (its gidNumber must match the user's gidNumber):
Add the information to our LDAP server:
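The base, user and group entries and their import, as one added example covering the last three steps; it is not the post's code. The domain example.com, the user jdoe with uid/gid 10001 and the private-group layout are assumptions. It renders the three LDIF files from parameters so the DNs, the user's gidNumber and the group's gidNumber cannot drift apart, then loads them with ldapadd over StartTLS.

```shell
#!/bin/sh
# Added example (not the original post's code): render base.ldif,
# posix_user.ldif and posix_group.ldif from a few parameters and load them
# over StartTLS. Domain, user and numeric ids are assumptions; pick ids above
# your local /etc/passwd range so LDAP and local accounts never collide.
dn_from_domain() { printf 'dc=%s' "$1" | sed 's/\./,dc=/g'; }

# base.ldif: the domain entry plus the People and Group containers
render_base_ldif() {   # $1 = domain
  base=$(dn_from_domain "$1")
  cat <<EOF
dn: $base
dc: ${1%%.*}
objectClass: top
objectClass: domain

dn: ou=People,$base
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,$base
ou: Group
objectClass: top
objectClass: organizationalUnit
EOF
}

# posix_user.ldif: inetOrgPerson for the name attributes, posixAccount for
# what nss needs (uidNumber, gidNumber, homeDirectory, loginShell),
# shadowAccount for password ageing. No userPassword here: the hash is set
# with ldappasswd below so it never sits in a file on disk.
render_posix_user() {   # $1 = domain, $2 = uid, $3 = uidNumber, $4 = gidNumber, $5 = "First Last"
  base=$(dn_from_domain "$1")
  cat <<EOF
dn: uid=$2,ou=People,$base
uid: $2
cn: $5
givenName: ${5%% *}
sn: ${5##* }
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uidNumber: $3
gidNumber: $4
homeDirectory: /home/$2
loginShell: /bin/bash
gecos: $5
EOF
}

# posix_group.ldif: a private group whose gidNumber matches the user's
render_posix_group() {   # $1 = domain, $2 = group name, $3 = gidNumber, $4 = memberUid
  base=$(dn_from_domain "$1")
  cat <<EOF
dn: cn=$2,ou=Group,$base
cn: $2
objectClass: top
objectClass: posixGroup
gidNumber: $3
memberUid: $4
EOF
}

# Load everything as the manager. -ZZ forces StartTLS so the manager password
# and the entries never cross the wire in clear; -W prompts for the password
# instead of taking it on the command line (which would land in shell history
# and ps output). ldappasswd -S prompts for the new user password likewise.
# Server URI and base come from /etc/openldap/ldap.conf as written by authconfig.
import_entries() {   # same arguments as render_posix_user
  base=$(dn_from_domain "$1")
  mgr="cn=Manager,$base"
  render_base_ldif "$1"                       | ldapadd -x -ZZ -W -D "$mgr"
  render_posix_user "$1" "$2" "$3" "$4" "$5"  | ldapadd -x -ZZ -W -D "$mgr"
  render_posix_group "$1" "$2" "$4" "$2"      | ldapadd -x -ZZ -W -D "$mgr"
  ldappasswd -x -ZZ -W -D "$mgr" -S "uid=$2,ou=People,$base"
}

if [ "${RUN_LDAP_SETUP:-0}" = 1 ]; then
  import_entries "${LDAP_DOMAIN:-example.com}" jdoe 10001 10001 "Jane Doe"
fi
```

To produce the files the post describes instead of piping them straight in, redirect the render functions (`render_base_ldif example.com > base.ldif`, and so on) and run the same ldapadd/ldappasswd commands with `-f`. Afterwards `getent passwd jdoe` on a configured client confirms the whole chain, from nss through StartTLS to the new entry.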
You should now have a fully functioning LDAP server with TLS encryption. Note that TLS is available but not yet required: slapd still accepts cleartext simple binds on port 389. To refuse them, add olcSecurity: tls=1 to the database configuration, or keep 389 closed at the firewall and point clients at ldaps://.