Hello everybody, today we are going to
create an OpenLDAP server for central authentication. I won't give
you introduction to LDAP service, but show just a basic
configuration. In the end you will have a working server without any
objects and with one access rule.
I'm going to install openldap server on
CentOS 6.3 as a binary package, not from the source. The current version of the openldap-servers package up to the day I'm writing this is 2.4.23.
# yum install openldap-servers
Since version 2.3 openldap has a new
configuration engine and use LDIF files for configuring the server
and the directory database. The new dynamic runtime configuration
engine with LDIF files is a little bit tricky while you get used to
it.
First you need a username and password
for the slapd configuration database, later you can use it to add
another database or module, or you can use it to extend the default
schema. Next you need another admin user for configuration of the
actual LDAP tree database. These two accounts are configured in
different files.
For the configuration database you
should add these two lines in
/etc/openldap/slapd.d/cn\=config/olcDatabase\=\{0\}config.ldif
olcRootDN: cn=root,cn=config
olcRootPW:
{SSHA}rtCwogFExs+w4sE2Mp1RtNnio2SWgijY
The olcRootDN contains the
administrator distinguish name (the first common name could be admin
or manager, whatever you like, but the second one should be config
ex. cn=admin,cn=config) and olcRootPW attribute contains the
password. The password is not in plain text, but it is a hash (SHA)
and to the hash is added a salt, known only by the slapd server. This
is the most secured option and if even someone reads the file it is
almost impossible to get the original password. You can generate a
password hash with slappasswd utility. Copy the output to the
olcRootPW attribute.
# slappasswd
Notice: You can insert your
password directly in a plain text in the configuration file, without
using the slappasswd program. This is not recommended from security
point. The password should look like this:
olcRootPW: {CLEARTEXT}MyPassword
Every LDAP tree has an admin account
for adding objects to the tree and changing object's attributes. This
is the first object you should create, when you configuring the directory tree. Openldap comes with preinstalled database and its
file in CentOS is in
/etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}bdb.ldif
The olcRootDN
attribute is already populated by default. You can keep the common
name, but you should change the domain component to reflect your
organization structure. Use again the slappasswd for generating
password hash and add the olcRootPW attribute with the output of
slappasswd command.
olcRootDN:
cn=admin,dc=mycompany,dc=com
olcRootPW:
{SSHA}rtCwogFExs+w4sE2Mp1RtNnio2SWgijY
Note: Do not copy paste directly the
olcRootPW attribute from here!
In the
etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}bdb.ldif you
should change the olcSuffix attribute too, so it represents
your organization structure. The default configuration of the
directory tree doesn`t include any access rules. I`ll give a rule I
think is mandatory for every directory, but it's up to you to add
more rules, that suits your organization needs:
olcAccess: to *
by self write
by anonymous auth
by users read
The order of the
rules is very important, because slapd stops at the first rule that
matches the entry and/or attribute. The
corresponding access
directive is the one slapd will use to evaluate access. If there is
no match access is deny. More information and details about
configuring ACLs can be found in the OpenLDAP Administartion Guide.
Before starting
the slapd daemon you can check for errors with slaptest command. On
CentOS the files inside /var/lib/ldap are owned by root, so you
should change that:
# chown ldap.ldap
/var/lib/ldap/*
And finally start
the daemon with :
#
/etc/init.d/slapd start
If everything is
ok check if the daemon listens with the command:
#netstat -patune |
grep slapd
By default slapd
messages are not logged and if you want to know what happens to the
daemon you should add the following line to /etc/rsyslog.conf
#Log file for slap daemon
local4.* /var/log/slapd.log
One more thing to do to get slapd log files – inside
/etc/openldap/slapd.d/cn\=config.ldif add the following line.
olcLogLevel:
0x20 0x40 0x80 0x100
These log levels
give information about search filter pocessing (0x20), configuration
file processing (0x40), access control list processing (0x80) and
stats log connections/operations/results (0x100). You can add even
more, all log levels are well documented in manual pages of
slapd-config. Restart both rsyslog and slapd for changes to
take effect.
#
/etc/init.d/rsync restart
#
/etc/init.d/slapd restart
More
information can be found inside OpenLDAP Administration guide
http://www.openldap.org/doc/, full reference of configuration
attributes can be found inside manual
pages of slapd-config.
I highly recommend the book Mastering OpenLDAP: Configuring, Securing and Integrating Directory Services for more configuration options and information about LDAP protocol and OpenLDAP server. The only downside is, that it is written for the old configuration syntax with slapd.conf and configuration examples must be rebuild to suit the new one.
