Setup OpenLDAP on CentOS 6.x

Hi All – I had to setup another LDAP server today and it was just barely painful enough to warrant a writeup ๐Ÿ™‚ Read more for my walkthrough!

First – I started with my “typical” CentOS VM – built plain-jane vanilla (minimal), no X11, latest patches applied. I suggest you begin the same. Then follow these steps:

  1. Update firewall to permit port 389 (secure LDAP over port 636 is preferable but we’ll cover that in a different post). In /etc/sysconfig/iptables add the line:
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT
  2. Install OpenLDAP:

    yum -y install openldap openldap-clients openldap-servers
  3. Generate password and modify specifed config files as described below:

    [...enter new password and copy result...]
    cd /etc/openldap/slapd.d/cn\=config
    vi olcDatabase\=\{2\}bdb.ldif
    [...add line 'olcRootPW: (copied password)'...]
    [...change references of 'my-domain' to 'your-domain'...]
    vi olcDatabase\=\{1\}monitor.ldif
    [...modify olcAccess to change 'my-domain' to 'your-domain'...]
    vi olcDatabase\=\{2\}bdb.ldif
    [...BEGIN: add these two lines...]
    olcAccess: {0}to attrs=userPassword by self write by dn.base="cn=Manager,dc=yo
     ur-domain,dc=com" write by anonymous auth by * none
    olcAccess: {1}to * by dn.base="cn=Manager,dc=your-domain,dc=com" write by self
     write by * read
    [...END: add these two lines...]
  4. OPTIONAL: Update CRC-32 codes or you get warnings when starting the slapd service. For each modified file, copy to temp file excluding first two lines. Then run the CRC-32 check program – which does not exist on CentOS but I found / built a copy (I’ll write that up later I promise :). Here’s an example of the one I built in action:

    [root@lvinfillx100 cn=config]# tail -n +3 \
      /etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif > /tmp/foo.txt
    [root@lvinfillx100 cn=config]# check-crc32 /tmp/foo.txt
    /tmp/foo.txt                     CRC-32 = 5785915f, size = 619 bytes
    [root@lvinfillx100 cn=config]# vi /etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif
    [...update CRC to match above...]
  5. Setup auto-start:

    chkconfig slapd on
    service slapd start
  6. Setup root entry:

    # /root/10-your-domain-com.ldif
    dn: dc=your-domain,dc=com
    objectClass: dcObject
    objectClass: organization
    dc: your-domain
    o : your-domain

    Then enter it into LDAP:

    ldapadd -f 10-your-domain-com.ldif -D cn=Manager,dc=your-domain,dc=com -W

    Perform a quick search if you want to verify:

    [root@lvinfillx100 ~]# ldapsearch -x -LLL -b dc=your-domain,dc=com
    dn: dc=your-domain,dc=com
    objectClass: dcObject
    objectClass: organization
    dc: your-domain
    o: your-domain
  7. Setup memberOf attribute support. This was a pain and took me some time to get right (would justify a blog entry just for this recipe). Note that this recipe is good for 64-bit specifically.

    # /root/15-memberof.ldif
    dn: cn=module,cn=config
    cn: module
    objectClass: olcModuleList
    objectclass: top
    olcModulePath: /usr/lib64/openldap
    dn: olcOverlay=memberof,olcDatabase={2}bdb,cn=config
    objectclass: olcconfig
    objectclass: olcMemberOf
    objectclass: olcoverlayconfig
    objectclass: top
    olcoverlay: memberof

    Then add the overlay support to OpenLDAP:

    ldapadd -Y EXTERNAL -H ldapi:/// -f ./15-memberof.ldif
  8. Create OU for Users and Groups:

    # /root/20-your-domain-com-ous.ldif
    # OUs for users and groups
    dn: ou=Users,dc=your-domain,dc=com
    objectClass: organizationalUnit
    ou: Users
    dn: ou=Groups,dc=your-domain,dc=com
    objectClass: organizationalUnit
    ou: Groups

    Add to OpenLDAP:

    ldapadd -f 20-your-domain-com-ous.ldif -D cn=Manager,dc=your-domain,dc=com -W

That is all. Enjoy your OpenLDAP!

Team-oriented systems mentor with deep knowledge of numerous software methodologies, technologies, languages, and operating systems. Excited about turning emerging technology into working production-ready systems. Focused on moving software teams to a higher level of world-class application development. Specialties:Software analysis and development...Product management through the entire lifecycle...Discrete product integration specialist!

Leave a Reply

Your email address will not be published.