Wednesday, May 7, 2008

Creating new LDAP Server with OpenLDAP







* 1. Install RHEL 5.1 x86_64 Server

* 2. install openldap server and client RPMs
    rpm -qa | grep -i openldap must be show
    openldap-2.3.27-8
    openldap-servers-2.3.27-8

* 3. Copy /etc/openldap/DB_CONFIG.example to /var/lib/ldap/
and rename to just DB_CONFIG


* 4. Create or edit /etc/openldap/slapd.conf
Those of lines must be added;

include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema

allow bind_v2

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
access to *
    by * read

database        bdb
suffix          "dc=uybhm,dc=itu,dc=edu,dc=tr"
rootdn          "cn=Manager,dc=uybhm,dc=itu,dc=edu,dc=tr"

#rootpw          "This value must be set later"

directory       /var/lib/ldap

index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub


* 5. Create a new Manager password which will be use later for
top level LDAP administration tasks
    slappasswd -h {SSHA} (type a pasword twice when asked)
Grab output and paste to rootpw line and edit like this;
rootpw          {SSHA}F/a/QvcnCrWHj7/eyJtWd/HdGtCpqsHt
Change owner of slapd.conf to just ldap:ldap and remove
"group" and "other" permissions.


* 6. Start LDAP service and check initial working status;
/etc/init.d/ldap restart

If you see OK than jump to next step.



* 7 Run a query
ldapsearch x -b "dc=uybhm,dc=itu,dc=edu,dc=tr" -h 127.0.0.1
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1


* 8. Prepare a base domain record and insert to LDAP server
# This is base record of uybhm.idu.edu.tr
# This record must be add before all of other LDIFs

dn: dc=uybhm,dc=itu,dc=edu,dc=tr
objectClass: dcObject
objectClass: organization
o: UYBHM Administrators
dc: uybhm

dn: cn=Manager,dc=uybhm,dc=itu,dc=edu,dc=tr
objectclass: organizationalRole
cn: Manager

# users, uybhm.itu.edu.tr
dn: ou=users,dc=uybhm,dc=itu,dc=edu,dc=tr
objectClass: top
objectClass: organizationalUnit
ou: users

# groups, uybhm.itu.edu.tr
dn: ou=groups,dc=uybhm,dc=itu,dc=edu,dc=tr
objectClass: top
objectClass: organizationalUnit
ou: groups



ldapadd -W -x -D "cn=Manager,dc=uybhm,dc=itu,dc=edu,dc=tr" -h 127.0.0.1 -f 1.uybhm-domain.record.ldif
Enter LDAP Password:
adding new entry "dc=uybhm,dc=itu,dc=edu,dc=tr"
adding new entry "cn=Manager,dc=uybhm,dc=itu,dc=edu,dc=tr"
adding new entry "ou=users,dc=uybhm,dc=itu,dc=edu,dc=tr"
adding new entry "ou=groups,dc=uybhm,dc=itu,dc=edu,dc=tr"



* 9. Check to result
ldapsearch -x -b "dc=uybhm,dc=itu,dc=edu,dc=tr" -h 127.0.0.1

# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# uybhm.itu.edu.tr
dn: dc=uybhm,dc=itu,dc=edu,dc=tr
objectClass: dcObject
objectClass: organization
o: UYBHM Administrators
dc: uybhm

# Manager, uybhm.itu.edu.tr
dn: cn=Manager,dc=uybhm,dc=itu,dc=edu,dc=tr
objectClass: organizationalRole
cn: Manager

# users, uybhm.itu.edu.tr
dn: ou=users,dc=uybhm,dc=itu,dc=edu,dc=tr
objectClass: top
objectClass: organizationalUnit
ou: users

# groups, uybhm.itu.edu.tr
dn: ou=groups,dc=uybhm,dc=itu,dc=edu,dc=tr
objectClass: top
objectClass: organizationalUnit
ou: groups

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 4


* 10. Prepare or reinject user records

ldapadd -W -x -D "cn=Manager,dc=uybhm,dc=itu,dc=edu,dc=tr" -h 127.0.0.1 -f 2.users.ldif
Enter LDAP Password:
adding new entry "uid=lsfadmin,ou=users,dc=uybhm,dc=itu,dc=edu,dc=tr"
adding new entry "uid=efadmin,ou=users,dc=uybhm,dc=itu,dc=edu,dc=tr"
adding new entry "uid=efnobody,ou=users,dc=uybhm,dc=itu,dc=edu,dc=tr"
adding new entry "uid=bench,ou=users,dc=uybhm,dc=itu,dc=edu,dc=tr"

A sample user record file is here;

# mahmut.un, users, uybhm.itu.edu.tr
dn: uid=mahmut.un,ou=users,dc=uybhm,dc=itu,dc=edu,dc=tr
uid: mahmut.un
cn: Mahmut UN
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowLastChange: 13735
shadowMax: 999999
shadowWarning: 7
uidNumber: 620
gidNumber: 620
homeDirectory: /rs/users/mahmut.un
gecos: Mahmut UN
userPassword: {SSHA}QjoA6jcZmiX92h5uchz7U3uY80eoJulS
loginShell: /bin/bash

* 11. Query and see all of added records
ldapsearch -x -b "dc=uybhm,dc=itu,dc=edu,dc=tr" -h 127.0.0.1
If you want to see password hash also you must initialize a Manager query like this;
ldapsearch -W -x -D "cn=Manager,dc=uybhm,dc=itu,dc=edu,dc=tr" -h 127.0.0.1

1 comment:

Anonymous said...

You can create passwords for ldif files;
slappasswd -h {CLEARTEXT} -s deneme
slappasswd -h {CRYPT} -s deneme
slappasswd -h {MD5} -s deneme
slappasswd -h {SHA} -s deneme
slappasswd -h {SSHA} -s deneme

Intel stretches HPC dev tools across chubby clusters

SC11 Supercomputing hardware and software vendors are getting impatient for the SC11 supercomputing conference in Seattle, which kick...