The following section describes how to install and configure OpenLDAP on Red Hat or CentOS 6.3.
From the terminal window, enter the following command to install the OpenLDAP components:
LDAP needs a parameter file to start a new database. This file must be copied to the LDAP database directory:
Verify that the /var/lib/ldap directory is owned by the ldap user, or just run:
The LDAP database is now set up and can be started. You will also want LDAP to start automatically when the machine reboots:
The slappasswd utility will prompt you to enter the password that you will use for the admin account. It will then generate a hashed value representing that password.
Make a copy of the ldap.conf file so that you can modify it to suit your configuration needs:
Create a file called slapd.conf under /etc/openldap using the template below. The template includes PPolicy.
Update the file below to reflect your environment, in particular the database section, where the domain and password are set. The password is the output of the slappasswd utility.
To complete the configuration necessary for PPolicy, create a file called ppolicy.ldif in the /etc/openldap directory:
To start the ldap server, enter the following command from a terminal window:
Test that you can connect to the ldap server:
Next load some initial data into the directory. You can do this using an LDIF file like the one shown below. Then run the ldapadd command:
Sample LDIF file to create directory structure:
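As an added example (not the article's ppolicy.ldif or its sample LDIF), a shell script that builds the initial directory structure from the "Sample LDIF file" step together with a default ppolicy entry for the ppolicy.ldif step above, and the slapd.conf lines that activate it. The suffix dc=openiam,dc=com is the article's; the policy values (pwdMaxAge is in seconds, here 90 days), the ou=policies container and the temporary output paths are assumptions.

```shell
#!/bin/sh
# Added example, not the article's own files: LDIF for the base entry, the
# People/Group OUs and a default ppolicy entry, plus the slapd.conf lines
# that enable it. Suffix dc=openiam,dc=com is the article's; policy values
# and output paths are constructed for illustration.
SUFFIX="dc=openiam,dc=com"
write_base_ldif() {   # write_base_ldif OUTFILE
    cat > "$1" <<EOF
dn: $SUFFIX
objectClass: dcObject
objectClass: organization
dc: openiam
o: OpenIAM

dn: ou=People,$SUFFIX
objectClass: organizationalUnit
ou: People

dn: ou=Group,$SUFFIX
objectClass: organizationalUnit
ou: Group

dn: ou=policies,$SUFFIX
objectClass: organizationalUnit
ou: policies

dn: cn=default,ou=policies,$SUFFIX
objectClass: organizationalRole
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdMinLength: 12
pwdMaxAge: 7776000
pwdInHistory: 5
pwdLockout: TRUE
pwdMaxFailure: 5
pwdLockoutDuration: 900
EOF
}
# slapd.conf: include the schema in the global section and attach the overlay
# to the database that serves $SUFFIX (after its "database" block).
write_ppolicy_conf() {   # write_ppolicy_conf OUTFILE
    cat > "$1" <<EOF
include         /etc/openldap/schema/ppolicy.schema
overlay         ppolicy
ppolicy_default "cn=default,ou=policies,$SUFFIX"
EOF
}
DIR=$(mktemp -d); write_base_ldif "$DIR/base.ldif"; write_ppolicy_conf "$DIR/ppolicy.conf"
# Load once slapd is up: ldapadd -x -D "cn=Manager,$SUFFIX" -W -f "$DIR/base.ldif"
```

With this policy in place, five consecutive failed binds lock the account for 15 minutes and passwords older than 90 days must be changed at the next bind.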
The openldap-servers package provided by Red Hat/CentOS does not include MigrationTools from PADL Software Pty Ltd. You have to download the Perl scripts from http://www.padl.com/OSS/MigrationTools.html and copy them to the /usr/share/openldap/migration folder. You will use them to migrate data from the Linux system files such as /etc/group and /etc/passwd to the LDAP LDIF format, a text representation of the database. The format is line-delimited, colon-separated attribute-value pairs.
A collection of Perl scripts is installed in /usr/share/openldap/migration/ to perform the migration. The configuration information for these Perl scripts is contained at the beginning of the include file migrate_common.ph. For your purposes, it is sufficient to modify the variable for the naming suffix to use in entries' distinguished names, as follows:
After making this change, run the script migrate_base.pl, which creates the root entry and the next lower level organizational unit entries for Hosts, Networks, Group, and People, among others:
Edit base.ldif, removing all entries except as follows:
Working from the LDAP server, insert the entries below into the database using the OpenLDAP client tool, ldapadd. Simple authentication must be specified with the option -x. The Distinguished Name to authenticate, the rootdn specified in slapd.conf, is cn=Manager,dc=openiam,dc=com. For simple authentication, a password is required. The option -W forces a password prompt. This password is the value of the rootpw parameter specified in the slapd.conf file. The LDIF file containing the entries is specified with the option
Next, migrate the ldapuser group from /etc/group:
Finally, migrate the ldapuser information from /etc/passwd and /etc/shadow:
At this point, check the information that has been added to the database. Listing 9 shows the complete output.
The populated OpenLDAP database in LDIF format:
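An added example, not part of the article or of the PADL MigrationTools: a shell conversion of one /etc/passwd, /etc/shadow and /etc/group record into the posixAccount and posixGroup LDIF entries the migration scripts produce, showing the colon-separated attribute-value format described above. The records and the password hash are constructed placeholders; the suffix is the article's.

```shell
#!/bin/sh
# Added example, not from the article or the PADL MigrationTools: converts one
# /etc/passwd + /etc/shadow user and one /etc/group entry into the LDIF form the
# article describes (posixAccount and posixGroup entries). The sample records
# and the password hash are constructed placeholders; the suffix is the article's.
SUFFIX="dc=openiam,dc=com"
PASSWD_LINE='ldapuser:x:1001:1001:LDAP Test User:/home/ldapuser:/bin/bash'
SHADOW_LINE='ldapuser:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:15600:0:99999:7:::'
GROUP_LINE='ldapuser:x:1001:ldapuser'
# passwd_to_ldif PASSWD_LINE SHADOW_LINE -> one posixAccount entry under ou=People
passwd_to_ldif() {
    printf '%s\n%s\n' "$1" "$2" | awk -F: -v suffix="$SUFFIX" '
        NR == 1 { user = $1; uid = $3; gid = $4; home = $6; shell = $7
                  cn = ($5 == "" ? $1 : $5) }       # GECOS, or the login if empty
        NR == 2 { hash = $2 }
        END {
            print "dn: uid=" user ",ou=People," suffix
            print "uid: " user
            print "cn: " cn
            print "objectClass: account"
            print "objectClass: posixAccount"
            print "objectClass: shadowAccount"
            print "objectClass: top"
            # {crypt} marks the value as a crypt(3) hash so slapd never treats it as cleartext
            print "userPassword: {crypt}" hash
            print "loginShell: " shell
            print "uidNumber: " uid
            print "gidNumber: " gid
            print "homeDirectory: " home
        }'
}
# group_to_ldif GROUP_LINE -> one posixGroup entry under ou=Group, one memberUid per member
group_to_ldif() {
    printf '%s\n' "$1" | awk -F: -v suffix="$SUFFIX" '{
        print "dn: cn=" $1 ",ou=Group," suffix
        print "objectClass: posixGroup"
        print "objectClass: top"
        print "cn: " $1
        print "gidNumber: " $3
        n = split($4, members, ",")
        for (i = 1; i <= n; i++) if (members[i] != "") print "memberUid: " members[i]
    }'
}
# Write both entries, blank-line separated, ready for: ldapadd -x -D "cn=Manager,$SUFFIX" -W -f FILE
OUT=$(mktemp)
{ passwd_to_ldif "$PASSWD_LINE" "$SHADOW_LINE"; echo; group_to_ldif "$GROUP_LINE"; } > "$OUT"
```

Because the shadow hash is copied verbatim into userPassword, the resulting file carries credential material and should get the same 600 permissions as /etc/shadow until it has been loaded and removed.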
Enable SSL/TLS on OpenLDAP
LDAP sends all information, including passwords, over the network in clear text. To resolve this problem, you employ the encryption provided by TLS, the successor to SSL. At the transport layer, the data is encrypted and wrapped in the TLS protocol for transport across the network. The tools used to configure encryption are provided by the OpenSSL package.
Encryption is a complex topic, but a basic overview of how TLS works is needed to use the OpenSSL package. The bulk of the data is encrypted using a symmetric key algorithm, which encrypts and decrypts data using a single secret key. The problem is how to avoid initially sending that single key from the LDAP server to the LDAP client in plain text. It is resolved with a public key algorithm, in which the client encrypts the single key using a freely available public key and only the server can decrypt it.
The public key is created and distributed as part of a certificate, which contains supporting information such as an ID, an expiration date, and the Fully Qualified Domain Name (FQDN) of the LDAP server providing the certificate. Before the LDAP client uses a certificate for encryption, it verifies that the server it is talking with owns the certificate by encrypting a challenge and verifying that the server can decrypt it.
To verify that the server issuing the certificate is an approved LDAP server, the client is configured only to accept certificates that are signed by a local Certificate Authority (CA). It uses the public key in a certificate generated by the CA and stored on the client to verify that the certificate presented by the LDAP server is valid.
In this example, you will set up your LDAP server as a Certificate Authority and create a self-signed certificate to be used by LDAP clients and servers in encrypting information.
The Red Hat Enterprise Linux release 4 Update 1 package used to set up the TLS server is:
- openssl-1.0.0j-1.43.amzn1.x86_64: Includes a certificate management tool and shared libraries that provide various cryptographic algorithms and protocols.
To set up the environment in which the Certificate Authority works and to generate your self-signed certificate, run the /etc/pki/tls/misc/CA (or here /usr/share/ssl/misc/CA) shell script, which is a wrapper around the openssl command. Privacy Enhanced Mail (PEM) is a format for encrypting and text encoding data:
Next, generate the server certificate that will be signed by the Certificate Authority. The -nodes option is used so that the certificate will not need a pass phrase every time the OpenLDAP server daemon, slapd, is started. The signed public key is embedded in the certificate request slapd-req.pem; the private key that matches it is in slapd-key.pem:
Sign the certificate using the CA certificate you created in the first step:
The next step copies over all the required certificates to where slapd can find them. In addition, the correct permissions are enforced on each file:
On the OpenLDAP server, add the lines below to the global section of the /etc/openldap/slapd.conf file. TLSCertificateFile and TLSCertificateKeyFile specify the paths to the certificate file and the private-key file. TLSCipherSuite specifies a list of OpenSSL ciphers from which slapd will choose when negotiating TLS connections, in decreasing order of preference. HIGH means "all ciphers using key lengths greater than 128 bits"; MEDIUM is short for "all ciphers using key lengths equal to 128 bits"; and +SSLv2 means "all ciphers specified in the SSL protocol, Version 2, regardless of key strength."
Add the following lines to the secondary configuration file for the LDAP server, /etc/openldap/ldap.conf:
To allow secure connections from the OpenLDAP client, add the following to the /etc/openldap/ldap.conf file:
Next add access settings.
Enable only SSL/TLS connections on the LDAP server. Apply the changes in both configuration files: /etc/init.d/slapd and /etc/sysconfig/ldap:
Restart the service: service slapd restart.
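An added example, not from the article: a shell script that writes the slapd.conf TLS stanza and the client /etc/openldap/ldap.conf lines, replacing the article's HIGH:MEDIUM:+SSLv2 cipher list with one that excludes SSLv2, SSLv3, anonymous and MD5/RC4 suites, and that checks the private-key permissions from the copy step. The cacert.pem and slapd-cert.pem names, the ldap.openiam.com host and the temporary directories are assumptions; slapd-key.pem is the article's.

```shell
#!/bin/sh
# Added example, not from the article: writes the TLS stanza for slapd.conf and
# the client lines for /etc/openldap/ldap.conf, swapping the article's
# "HIGH:MEDIUM:+SSLv2" cipher list for one that excludes SSLv2, SSLv3, anonymous
# and MD5/RC4 suites, and checks the private-key permissions slapd depends on.
# Paths, the ldap.openiam.com host name and the temp directories are assumptions.
WEAK_CIPHERS='HIGH:MEDIUM:+SSLv2'                       # the article's list
STRONG_CIPHERS='HIGH:!aNULL:!eNULL:!MD5:!RC4:!SSLv2:!SSLv3'
write_slapd_tls() {   # write_slapd_tls CONFDIR CERTDIR -> lines for slapd.conf's global section
    cat > "$1/slapd-tls.conf" <<EOF
TLSCACertificateFile  $2/cacert.pem
TLSCertificateFile    $2/slapd-cert.pem
TLSCertificateKeyFile $2/slapd-key.pem
TLSCipherSuite        $STRONG_CIPHERS
EOF
}
write_client_tls() {  # write_client_tls CONFDIR CERTDIR -> /etc/openldap/ldap.conf lines
    cat > "$1/ldap.conf" <<EOF
URI         ldaps://ldap.openiam.com
BASE        dc=openiam,dc=com
TLS_CACERT  $2/cacert.pem
TLS_REQCERT demand
EOF
}
# cipher_list_ok LIST: 0 when the list neither re-adds SSLv2/SSLv3 suites nor
# permits anonymous (unauthenticated) key exchange, 1 otherwise
cipher_list_ok() {
    case "$1" in *+SSLv2*|*+SSLv3*) return 1 ;; esac
    case "$1" in *'!aNULL'*) return 0 ;; esac
    return 1
}
# key_perms_ok KEYFILE: 0 only when the key is mode 600 (no group/other access)
key_perms_ok() {
    [ -f "$1" ] && [ -n "$(find "$1" -perm 600)" ]
}
CERTDIR=$(mktemp -d); CONFDIR=$(mktemp -d)
: > "$CERTDIR/slapd-key.pem"       # stand-in for the key produced in the openssl step
chmod 600 "$CERTDIR/slapd-key.pem" # on the server also: chown ldap:ldap "$CERTDIR"/*.pem
write_slapd_tls "$CONFDIR" "$CERTDIR"
write_client_tls "$CONFDIR" "$CERTDIR"
```

TLS_REQCERT demand makes the client refuse a server whose certificate is missing or does not chain to the CA in TLS_CACERT, which is what ties the encryption back to the local Certificate Authority described above.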
For reference, below are the complete listings of the configuration files used in this article.
The client /etc/ldap.conf file used in the examples:
The server /etc/openldap/ldap.conf file used in the examples:
Server LDAP configuration /etc/sysconfig/ldap:
Linux help commands:
Setup OpenLDAP on CentOS step by step:
- Migration tool for CentOS here: http://www.padl.com/OSS/MigrationTools.html
- LDAP Security: http://www.zytrax.com/books/ldap/ch15/#tls