2/25/12 spectlog.com/content/Minimal_LDAP_configuration_on_RHEL6_in_stages_and_detail
Minimal LDAP configuration on RHEL6 in stages and detail
From SpectLog
: ldap
This page gives rather extensively detailed commands to set up an LDAP server and client for user authentication. The stages are redundant, meaning that intermediate configuration is overridden by the final changes. However, all intermediate stages are useful to get simple things working before moving forward.
Contents
1 Note about slapd.conf file and slapd.d directory (dynamic or cn=config) configuration
2 Stage 0: Installing and setting up LDAP server and client
2.1 Install and set up OpenLDAP server
2.2 Prepare configuration file for conversion into dynamic configuration back-end (cn=config)
2.3 Install and set up OpenLDAP client
2.4 Prepare initial content files for LDAP server
2.5 Clean up previous LDAP content and configuration and reinitialize them
2.6 Test initial configuration
3 Prepare LDIF files and add single test user and group to LDAP
3.1 In regular /etc/passwd and /etc/group files create test user and group for migration
3.2 Prepare tools for migration of user and group data to LDAP
3.3 Migrate single test user and group from /etc/passwd and /etc/group files into corresponding LDIF format
4 Stage 1: Configure authentication through LDAP without encrypted connection
5 Stage 2: Enable encrypted connection
5.1 Allow read/write access to dynamic cn=config configuration
5.2 Configure LDAP to use encrypted connection
5.3 Configure LDAP server to use ldaps:// URI scheme exclusively
5.4 Make corresponding changes on LDAP client side and test everything
6 Test: Trying to use auth configuration with sssd service (instead of nslcd) which does not work
7 Stage 3: Creating CA certificate to avoid using self-signed LDAP server certificates
8 Final client configuration: Using sssd service (instead of nslcd) for LDAP authentication
9 Troubleshooting
10 References
11 Feedback
Note about slapd.conf file and slapd.d directory (dynamic or cn=config) configuration
The content of ///.. provides an example configuration described in the slapd.conf man page, which is the legacy configuration approach. The current way of configuring OpenLDAP is to use dynamic configuration (cn=config) described in the slapd-config man page.

Dynamic cn=config configuration should be modifiable by regular LDAP commands. However, it is prohibited by the default configuration (at least on RHEL6 it was impossible). Manual LDIF file changes under the slapd.d directory seem to be an even worse option than converting the sample ///.. file. Therefore, instead of using cn=config directly from the beginning, conversion from the slapd.conf file is used initially. As soon as the initial dynamic LDAP configuration is set, a small modification to the LDIF files in the slapd.d directory is required to allow subsequent changes through dynamic requests using LDAP client utilities.
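A local check for the problem just described, added here as an example that is not part of the SpectLog page: it parses the LDIF that `ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b 'olcDatabase={0}config,cn=config' olcAccess olcRootDN` prints and reports which identities may modify cn=config, so you can confirm whether dynamic changes are possible before attempting them. The sample output embedded in the block is constructed; the ACL in it grants manage rights to the local root user over ldapi:///, one common way of making cn=config editable, and is not necessarily the change the page applies later.

```python
import base64
import re

# Constructed sample of `ldapsearch -LLL` output for the cn=config database.
# Long attribute values are folded: continuation lines start with one space.
SAMPLE_LDIF = """\
dn: olcDatabase={0}config,cn=config
olcRootDN: cn=config
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,
 cn=auth" manage by * none
"""
# One "by <who> <level>" clause; <who> may carry a quoted value with spaces.
ACL_CLAUSE = re.compile(r'\bby\s+((?:[^\s"]|"[^"]*")+)\s+(\S+)')

def parse_ldif(text):
    """Parse LDIF into [{attr: [values]}], handling folded lines, comments and base64."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # re-join a folded continuation line
        elif not raw.startswith("#"):
            unfolded.append(raw)
    entries, current = [], {}
    for line in unfolded + [""]:             # trailing "" flushes the last entry
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):            # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
    return entries

def config_writers(entries):
    """Identities able to change cn=config: the olcRootDN (which bypasses ACLs)
    plus every 'by <who> write|manage' clause in the config database's olcAccess."""
    writers = set()
    for entry in entries:
        if entry.get("dn", [""])[0] != "olcDatabase={0}config,cn=config":
            continue
        writers.update(entry.get("olcRootDN", []))
        for acl in entry.get("olcAccess", []):
            for who, level in ACL_CLAUSE.findall(acl):
                if level in ("write", "manage"):
                    writers.add(who)
    return sorted(writers)   # [] means nothing can modify cn=config over LDAP
```

Feed it the real ldapsearch output via `config_writers(parse_ldif(open("out.ldif").read()))`; an empty list is the "prohibited by default" state the note describes.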
Stage 0: Installing and setting up LDAP server and client
Install and set up OpenLDAP server
Install the packages:
-
Add the following lines to the /// file:
-A INPUT - -- NEW - - -- 389 - ACCEPT
-A INPUT - -- NEW - - -- 389 - ACCEPT
Restart the firewall:
Make sure service can run:
Prepare configuration file for conversion into dynamic configuration back-end (cn=config)
Make sure service is not running:
Prepare a customized configuration file in ..:
///.. ..
Generate root password for LDAP cn=config configuration: