
CentOS 6.3 - Install and Configure OpenLDAP + phpLDAPadmin

Author: Christian Salway
Date: 18 Feb 2013

Environment

CentOS-6.3-x86_64-minimal [Download]

I used nano as the text editor, but you can just as easily use vi. To install nano, type yum install -y nano.

I used Putty [Download] as the SSH client to connect remotely to my CentOS install.

Typography

Characters in code can sometimes be ambiguous. To make it clear which characters are what, I have listed the characters below for comparison.

1 (one) L (UC el) l (lc el)    0 (zero) O (UC ow) o (lc ow)    8 (eight) B (UC be) b (lc be)    5 (five) S (UC es) s (lc es)

a b c d e f g h i j k l m n o p q r s t u v w x y z A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 0 1 2 3 4 5 6 7 8 9

Prerequisites

It is assumed you have already installed CentOS with networking enabled and, although not mandatory, a static IP address is advised.

Disable SELINUX

I haven't tried installing with SELinux enabled, so I don't know if this is necessary, but I think phpLDAPadmin won't work properly otherwise.

nano /etc/sysconfig/selinux
SELINUX=disabled

A later step tells you to reboot. If you can't reboot right away, run setenforce 0, which switches SELinux to permissive mode for the current session, until you can.

Configure Firewall

Make sure you also keep any other rules you are already using that are not listed here.

nano /etc/sysconfig/iptables

Change the -s 192.168.0.0/16 source restriction on the LDAP and LDAPS rules to your own network range.

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT -s 192.168.0.0/16
-A INPUT -m state --state NEW -m tcp -p tcp --dport 636 -j ACCEPT -s 192.168.0.0/16
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

The next step tells you to reboot. If you can't, run service iptables restart to load the new rules instead.

Reboot System

reboot

Confirm configuration

iptables -L
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  192.168.0.0/16       anywhere            state NEW tcp dpt:ldap
ACCEPT     tcp  --  192.168.0.0/16       anywhere            state NEW tcp dpt:ldaps
sestatus
SELinux status:                 disabled
yum repolist
base                                         CentOS-6 - Base
extras                                       CentOS-6 - Extras
updates                                      CentOS-6 - Updates

If you're not using a fresh install, you may have additional repos. I haven't tested with others, so I don't know the implications. Please see If Not True Then False for instructions on how to remove repositories.

Install and Configure OpenLDAP

Install OpenLDAP

yum install -y openldap-servers openldap-clients

Wait for it to finish before proceeding.

Enable logging

mkdir /var/log/slapd
chmod 755 /var/log/slapd/
chown ldap:ldap /var/log/slapd/
sed -i "/local4.*/d" /etc/rsyslog.conf
cat >> /etc/rsyslog.conf << EOF
local4.*                        /var/log/slapd/slapd.log
EOF
service rsyslog restart

Create Certificate

cd /etc/pki/tls/certs
make slapd.pem

The following is just an example. You should enter your own responses.

Country Name (2 letter code) [XX]:GB
State or Province Name (full name) []:Isle of Man
Locality Name (eg, city) [Default City]:Colby
Organization Name (eg, company) [Default Company Ltd]:ITManx Ltd
Organizational Unit Name (eg, section) []:ICT
Common Name (eg, your name or your server's hostname) []:itmanx.com
Email Address []:[email protected]

You can run openssl x509 -in slapd.pem -noout -text to view the certificate.

chmod 640 slapd.pem
chown :ldap slapd.pem
ln -s /etc/pki/tls/certs/slapd.pem /etc/openldap/certs/slapd.pem

Generate LDAP Manager password

slappasswd

This command prints a salted hash in the format {SSHA}*********************, which you will need in a later step, so copy it when it appears.

New password: ******
Re-enter new password: ******
{SSHA}qK4HQqJXV97FFJI4vYDxqR5NRlpC+5Tn
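As an added example (not part of the original guide), the script below shows what the {SSHA} string printed by slappasswd is made of and how such a value is checked against a password. The function names hex_to_bin, ssha_make and ssha_verify are my own; slappasswd draws 4 random salt bytes, whereas here the salt is read from a file so the result can be reproduced.

```shell
#!/bin/sh
# Added example, not from the original guide: an {SSHA} value is
# base64( SHA-1(password . salt) . salt ), i.e. a 20-byte digest followed by
# the salt. slappasswd uses 4 random salt bytes; the salt here comes from a file.

hex_to_bin() {            # hex string in $1 -> raw bytes on stdout (POSIX printf only)
  h=$1
  while [ -n "$h" ]; do
    pair=$(printf '%.2s' "$h")
    oct=$(printf '%03o' "$((0x$pair))")
    printf "\\$oct"
    h=${h#??}
  done
}

ssha_make() {             # $1 = password, $2 = file holding the salt bytes
  digest=$( { printf '%s' "$1"; cat "$2"; } | sha1sum | cut -d' ' -f1)
  printf '{SSHA}%s\n' "$( { hex_to_bin "$digest"; cat "$2"; } | base64 | tr -d '\n')"
}

ssha_verify() {           # $1 = password, $2 = {SSHA}... string; exit 0 only on a match
  raw=$(mktemp)
  printf '%s' "$2" | sed 's/^{SSHA}//' | base64 -d > "$raw"
  stored=$(head -c 20 "$raw" | od -An -tx1 | tr -d ' \n')      # first 20 bytes: digest
  computed=$( { printf '%s' "$1"; tail -c +21 "$raw"; } | sha1sum | cut -d' ' -f1)  # rest: salt
  rm -f "$raw"
  [ "$stored" = "$computed" ]
}

# Demo with a constructed salt; a real run would use: head -c 4 /dev/urandom > salt
salt=$(mktemp); printf 'abcd' > "$salt"
pw_hash=$(ssha_make 'secret' "$salt")
echo "$pw_hash"
ssha_verify 'secret' "$pw_hash" && echo "password matches"
rm -f "$salt"
```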

Copy example files

cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

Update slapd config file

nano /etc/openldap/slapd.conf

  1. Find and replace every dc=my-domain with your own domain.

  2. Find the three TLS lines and set them to:
    TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
    TLSCertificateFile /etc/pki/tls/certs/slapd.pem
    TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem

  3. Search for rootpw and set it to the {SSHA}********************* value you copied from slappasswd earlier, making sure every other rootpw line is commented out:

    # rootpw                secret
    # rootpw                {crypt}ijFYNcSNctBYg
    rootpw                  {SSHA}xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
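As an added check (not from the original guide), the following script verifies the three slapd.conf edits above together with the slapd.pem permissions set in the Create Certificate step. The function name check_slapd_conf and its FAIL/OK messages are my own; the paths in the usage line are the ones used in this guide.

```shell
#!/bin/sh
# Added check, not part of the original guide: confirm the slapd.conf edits
# (steps 1-3 above) and the slapd.pem permissions before slapd is started.
# Usage: check_slapd_conf /etc/openldap/slapd.conf /etc/pki/tls/certs/slapd.pem
check_slapd_conf() {
  conf=$1 cert=$2 fail=0

  # Step 3: exactly one uncommented rootpw, holding the {SSHA} hash from slappasswd.
  active=$(grep -c '^[[:space:]]*rootpw[[:space:]]' "$conf" || true)
  if [ "$active" -ne 1 ]; then
    echo "FAIL: expected one active rootpw line, found $active"; fail=1
  elif ! grep -q '^[[:space:]]*rootpw[[:space:]]*{SSHA}' "$conf"; then
    echo "FAIL: active rootpw is not an {SSHA} value"; fail=1
  fi

  # Step 1: no dc=my-domain placeholder left outside comments.
  if grep -v '^[[:space:]]*#' "$conf" | grep -q 'dc=my-domain'; then
    echo "FAIL: placeholder dc=my-domain still present"; fail=1
  fi

  # Step 2: each TLS directive is set and points at a readable file.
  for key in TLSCACertificateFile TLSCertificateFile TLSCertificateKeyFile; do
    path=$(grep "^[[:space:]]*$key[[:space:]]" "$conf" | awk '{print $2}' | tail -n 1)
    if [ -z "$path" ]; then
      echo "FAIL: $key is not set"; fail=1
    elif [ ! -r "$path" ]; then
      echo "FAIL: $key points to unreadable file $path"; fail=1
    fi
  done

  # slapd.pem also holds the private key: after chmod 640 the "other" bits must be 0.
  mode=$(stat -c '%a' "$cert" 2>/dev/null || echo 777)
  case $mode in
    *0) ;;
    *) echo "FAIL: $cert has mode $mode, readable by everyone"; fail=1 ;;
  esac
  return $fail
}

if [ $# -eq 2 ]; then check_slapd_conf "$1" "$2" && echo "OK: $1"; fi
```

Run it as root after the edits; every FAIL line names the step to revisit.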

Enable SSL over LDAP

nano /etc/sysconfig/ldap
SLAPD_LDAPS=yes

Update ldap config file

nano /etc/openldap/ldap.conf

The dc=my-domain,dc=com should match the suffix you set in /etc/openldap/slapd.conf. The TLS_REQCERT line probably won't exist yet, so add it at the bottom on a line of its own (ldap.conf does not accept a trailing comment after a value). TLS_REQCERT never tells the client library not to verify the server certificate, which the self-signed slapd.pem created earlier would otherwise fail.

BASE dc=my-domain,dc=com
URI ldap://localhost
TLS_REQCERT never

Create initial LDAP structure

nano /root/root.ldif

The dc=my-domain,dc=com should match the suffix you set in /etc/openldap/slapd.conf.

dn: dc=my-domain,dc=com
dc: my-domain
objectClass: dcObject
objectClass: organizationalUnit
ou: my-domain.com

dn: ou=people,dc=my-domain,dc=com
ou: people
objectClass: organizationalUnit

dn: ou=groups,dc=my-domain,dc=com
ou: groups
objectClass: organizationalUnit

Load the structure into the database and hand the files to the ldap user:

rm -rf /etc/openldap/slapd.d/*
slapadd -v -n 2 -l /root/root.ldif
chown -R ldap:ldap /var/lib/ldap
chown -R ldap:ldap /etc/openldap/slapd.d

Test LDAP config

rm -rf /etc/openldap/slapd.d/*
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
chown -R ldap:ldap /etc/openldap/slapd.d

Setup SLAPD service

chkconfig --level 235 slapd on
service slapd start

Test LDAP

ldapsearch -x -ZZ -h localhost
ldapsearch -x -H ldaps://localhost

Example of the returned results. The second command should return the same entries, except that the search counter reads search: 2.

# extended LDIF
#
# LDAPv3
# base <dc=my-domain,dc=com> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# my-domain.com
dn: dc=my-domain,dc=com
dc: my-domain
objectClass: dcObject
objectClass: organizationalUnit
ou: my-domain.com

# people, my-domain.com
dn: ou=people,dc=my-domain,dc=com
ou: people
objectClass: organizationalUnit

# groups, my-domain.com
dn: ou=groups,dc=my-domain,dc=com
ou: groups
objectClass: organizationalUnit

# search result
search: 3
result: 0 Success

# numResponses: 4
# numEntries: 3

Name Service Switch

[Further reading]

nano /etc/nsswitch.conf
hosts: ldap files dns

Install and Configure phpLDAPadmin

Add EPEL repository

rpm -ivh http://mirrors.ukfast.co.uk/sites/dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm

Install phpLDAPadmin

yum install -y phpldapadmin

Allow access from your network

nano /etc/httpd/conf.d/phpldapadmin.conf

Change 192.168.0 to your own network

Order Deny,Allow
Deny from all
Allow from 127.0.0.1
Allow from ::1
Allow from 192.168.0

Disable automatic login mechanism

nano /etc/phpldapadmin/config.php

Comment out the following line (around line 398) so that it reads:

//$servers->setValue('login','attr','uid');

Setup HTTPD service

chkconfig httpd on
service httpd start

Log in to phpLDAPadmin

http://webserver/ldapadmin
Username: cn=Manager,dc=my-domain,dc=com
Password: (the password you entered in slappasswd earlier)

Monitoring SLAPD

tail -f /var/log/slapd/slapd.log

References and Credit

http://zee.linxsol.com/system-administration/centos-62-installing-ldap-directory-services-using-cli.html