In the following tutorial I will demonstrate how to install and configure OpenLDAP with the phpLDAPadmin extension for convenient directory administration on a CentOS 6.2 x86_64 machine.
Install OpenLDAP:
Install the relevant packages and enable slapd at boot:
#yum install openldap-servers openldap-clients -y
#chkconfig slapd on
Configure OpenLDAP:
This is where things start to get nasty :)
Edit the server configuration file (create it if it does not exist):
#vi /etc/openldap/slapd.conf
And add the following lines (they specify the LDAP pid file and arguments file):
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
Keep in mind that when a valid /etc/openldap/slapd.d directory (cn=config) exists, slapd uses it and ignores slapd.conf entirely; the rest of this tutorial edits slapd.d directly.
You can remove the config files under
/etc/openldap/slapd.d:
# \rm -rf /etc/openldap/slapd.d/*
Be aware that the next two steps edit files in that directory which the package installed (the config and monitor database files); if you remove them you will have to create both files yourself (the monitor one is shown in full below).
Next we will need to add a couple of configurations:
#vi /etc/openldap/slapd.d/cn=config/olcDatabase\={0}config.ldif
Comment out:
#olcAccess: {0}to * by * none
...and insert:
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
This grants manage rights on cn=config to the local root user when it binds through the ldapi:/// Unix socket with SASL EXTERNAL (that identity is what the ldapadd -Y EXTERNAL -H ldapi:/// commands below rely on); 'by * break' lets everyone else fall through to any later rule.
Another configuration file (create it if it does not exist):
#vi /etc/openldap/slapd.d/cn=config/olcDatabase\={1}monitor.ldif
Insert the following content:
dn: olcDatabase={1}monitor
objectClass: olcDatabaseConfig
olcDatabase: {1}monitor
olcAccess: {1}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
olcAddContentAcl: FALSE
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcMonitoring: FALSE
structuralObjectClass: olcDatabaseConfig
creatorsName: cn=config
modifiersName: cn=config
Make sure the configuration files are owned by the 'ldap' user (if the installation has not added that user, add it manually with useradd) and are not readable by anyone else:
#chown ldap.ldap -R /etc/openldap/slapd.d/
#chmod -R 700 /etc/openldap/slapd.d/
Start the LDAP server and check that it is listening on port 389:
#/etc/init.d/slapd start
#netstat -ntulp|grep 389
The ldapadd -Y EXTERNAL -H ldapi:/// commands in the next steps go over the Unix socket rather than port 389; if they fail with "Can't contact LDAP server", set SLAPD_LDAPI=yes in /etc/sysconfig/ldap and restart slapd. Port 389 is plain LDAP, and the simple binds (-x -W) used later send the admin password in clear text, so run them on the server itself unless you add TLS, which this tutorial does not cover.
Import all the needed schemas:
#ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/core.ldif
#ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
#ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
#ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
Generate the LDAP admin password hash:
#slappasswd
Save the SSHA hash it prints; we will need it in the next stage (slappasswd only produces the hash, it changes nothing on the server).
It's time to create our LDAP frontend/backend LDIF files:
The backend LDIF file (server_backend.ldif) will look like this (make sure you paste your SSHA hash at the 'olcRootPW' line and replace dc=yourdomain,dc=com with your own domain components):
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib64/openldap
olcModuleload: back_hdb

dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcSuffix: dc=yourdomain,dc=com
olcDbDirectory: /var/lib/ldap
olcRootDN: cn=admin,dc=yourdomain,dc=com
olcRootPW: {SSHA}xxxxxx
olcDbConfig: set_cachesize 0 2097152 0
olcDbConfig: set_lk_max_objects 1500
olcDbConfig: set_lk_max_locks 1500
olcDbConfig: set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcLastMod: TRUE
olcMonitoring: TRUE
olcDbCheckpoint: 512 30
olcAccess: to attrs=userPassword by dn="cn=admin,dc=yourdomain,dc=com" write by anonymous auth by self write by * none
olcAccess: to attrs=shadowLastChange by self write by * read
olcAccess: to dn.base="" by * read
olcAccess: to * by dn="cn=admin,dc=yourdomain,dc=com" write by * read
A word on the ACLs: the rootdn (cn=admin) bypasses access control anyway; anonymous clients may only use userPassword for binding (auth), users may change their own password and shadowLastChange, and the last rule makes everything else readable by anyone. If the directory must not be browsable anonymously, change the final 'by * read' to 'by users read'.
Import the backend LDIF file:
#ldapadd -Y EXTERNAL -H ldapi:/// -f server_backend.ldif
The frontend file (server_frontend.ldif) will look like this (use the same SSHA hash for the admin entry's userPassword as for olcRootPW; LDIF entries are separated by a blank line):
dn: dc=yourdomain,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: Test Domain
dc: yourdomain

dn: cn=admin,dc=yourdomain,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
userPassword: {SSHA}xxxxxx

dn: ou=users,dc=yourdomain,dc=com
objectClass: organizationalUnit
ou: users

dn: ou=groups,dc=yourdomain,dc=com
objectClass: organizationalUnit
ou: groups
Import the frontend LDIF file (server_frontend.ldif), this time binding as the admin with the password you hashed above:
#ldapadd -x -D cn=admin,dc=yourdomain,dc=com -W -f server_frontend.ldif
Basic configuration is done.
Add users/groups:
We will create 2 files: users.ldif, groups.ldif.
users.ldif:
dn: uid=paul,ou=users,dc=yourdomain,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: paul
sn: paul
givenName: paul
cn: paul
displayName: paul
uidNumber: 500
gidNumber: 500
userPassword: {crypt}$1$ErpqdrvZ$MtK5dCLSh2EHuqxMVjsKJ/
gecos: paul
loginShell: /bin/bash
homeDirectory: /home/paul
shadowExpire: -1
shadowFlag: 0
shadowWarning: 7
shadowMin: 0
shadowMax: 99999
shadowLastChange: 15114
The userPassword here is a {crypt} hash. If you copy one from /etc/shadow, drop the leading '!' or '!!' (that prefix marks a locked account and leaves the LDAP user unable to authenticate); alternatively generate an {SSHA} value with slappasswd. Let's add the user:
#ldapadd -x -D cn=admin,dc=yourdomain,dc=com -W -f users.ldif
...
groups.ldif will look like this:
dn: cn=engineering,ou=groups,dc=yourdomain,dc=com
objectClass: posixGroup
cn: engineering
gidNumber: 500

dn: cn=support,ou=groups,dc=yourdomain,dc=com
objectClass: posixGroup
cn: support
gidNumber: 501
We will add the groups via:
#ldapadd -x -D cn=admin,dc=yourdomain,dc=com -W -f groups.ldif
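The slappasswd step and the two LDIF files above, as an added example that is not the tutorial's own code: a Python script that produces {SSHA} hashes in the format slappasswd prints (base64 of sha1(password + salt) followed by the salt), verifies a password against such a hash (useful for checking what you pasted into olcRootPW), computes shadowLastChange as days since the epoch instead of hard-coding 15114, and renders users.ldif and groups.ldif with a blank line between entries after checking that every user's gidNumber belongs to a defined group. The tree layout (ou=users, ou=groups under the base DN) and the 4-byte salt are assumptions taken from this page and from slappasswd's default; paul, engineering and support are the tutorial's sample names, and the password "changeme" is constructed.

```python
"""Build users.ldif / groups.ldif for the tree above and hash passwords as {SSHA}.
Added example, not from the tutorial. Assumes ou=users and ou=groups under the
base DN and slappasswd's 4-byte salt; sample names are the tutorial's."""
import base64
import hashlib
import os
import time


def domain_to_base_dn(domain):
    """'yourdomain.com' -> 'dc=yourdomain,dc=com'."""
    return ",".join("dc=" + part for part in domain.split("."))


def ssha_hash(password, salt=None):
    """RFC 2307 {SSHA}: base64(sha1(password + salt) + salt), as slappasswd emits."""
    if salt is None:
        salt = os.urandom(4)  # slappasswd's default salt length
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check a password against a stored {SSHA} value (e.g. the olcRootPW line)."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[6:])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, the rest is salt
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest


def shadow_last_change(epoch_seconds=None):
    """shadowLastChange is days since 1970-01-01 (the 15114 above is 2011-05-20)."""
    if epoch_seconds is None:
        epoch_seconds = time.time()
    return int(epoch_seconds // 86400)


def user_entry(base_dn, uid, uid_number, gid_number, password, days):
    """One inetOrgPerson/posixAccount/shadowAccount entry as a list of LDIF lines."""
    return [
        "dn: uid=%s,ou=users,%s" % (uid, base_dn),
        "objectClass: inetOrgPerson", "objectClass: posixAccount", "objectClass: shadowAccount",
        "uid: %s" % uid, "sn: %s" % uid, "givenName: %s" % uid,
        "cn: %s" % uid, "displayName: %s" % uid,
        "uidNumber: %d" % uid_number,
        "gidNumber: %d" % gid_number,
        "userPassword: %s" % ssha_hash(password),  # freshly hashed, never copied from /etc/shadow
        "gecos: %s" % uid,
        "loginShell: /bin/bash",
        "homeDirectory: /home/%s" % uid,
        "shadowExpire: -1", "shadowFlag: 0", "shadowWarning: 7",
        "shadowMin: 0", "shadowMax: 99999",
        "shadowLastChange: %d" % days,
    ]


def group_entry(base_dn, name, gid_number):
    """One posixGroup entry as a list of LDIF lines."""
    return ["dn: cn=%s,ou=groups,%s" % (name, base_dn), "objectClass: posixGroup",
            "cn: %s" % name, "gidNumber: %d" % gid_number]


def check_ids(users, groups):
    """Reject duplicate ids and users whose primary group has no posixGroup.
    Keep the numbers clear of local /etc/passwd ids as well (CentOS 6 useradd
    starts at 500), otherwise name lookups through NSS become ambiguous."""
    uids = [u[1] for u in users]
    gids = [g[1] for g in groups]
    if len(set(uids)) != len(uids) or len(set(gids)) != len(gids):
        raise ValueError("duplicate uidNumber/gidNumber")
    for uid, _, gid, _ in users:
        if gid not in gids:
            raise ValueError("%s: gidNumber %d has no posixGroup" % (uid, gid))


def render(domain, users, groups):
    """users: (uid, uidNumber, gidNumber, password); groups: (name, gidNumber).
    Returns (users_ldif, groups_ldif); LDIF entries are separated by one blank line."""
    check_ids(users, groups)
    base_dn = domain_to_base_dn(domain)
    days = shadow_last_change()
    user_blocks = [user_entry(base_dn, uid, un, gn, pw, days) for uid, un, gn, pw in users]
    group_blocks = [group_entry(base_dn, name, gn) for name, gn in groups]
    to_ldif = lambda blocks: "\n\n".join("\n".join(b) for b in blocks) + "\n"
    return to_ldif(user_blocks), to_ldif(group_blocks)


if __name__ == "__main__":
    # Constructed sample data mirroring the tutorial's paul / engineering / support.
    u, g = render("yourdomain.com", [("paul", 500, 500, "changeme")],
                  [("engineering", 500), ("support", 501)])
    open("users.ldif", "w").write(u)
    open("groups.ldif", "w").write(g)
    print(u + g)
```

Run it as e.g. 'python mkldif.py' (hypothetical file name) and feed the resulting users.ldif and groups.ldif to the two ldapadd commands above; ssha_verify("yourpassword", "{SSHA}...") tells you whether the hash you pasted into olcRootPW really matches the password you intend to bind with.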
Install phpLDAPadmin:
Get the EPEL repository:
#rpm -Uvh http://ftp-stud.hs-esslingen.de/pub/epel/6/i386/epel-release-6-7.noarch.rpm
Install phpLDAPadmin:
#yum install phpldapadmin -y
Edit phpLDAPadmin configuration file:
#vi /etc/phpldapadmin/config.php
Comment out the line that makes users log in with a bare uid:
//$servers->setValue('login','attr','uid');
Un-comment the line that makes them log in with their full DN (for example cn=admin,dc=yourdomain,dc=com):
$servers->setValue('login','attr','dn');
Make sure the Apache access restrictions for phpLDAPadmin are correct (edit the Allow lines in /etc/httpd/conf.d/phpldapadmin.conf to match the network your administrators use):
#grep -i -E 'deny|allow' /etc/httpd/conf.d/phpldapadmin.conf
Order Deny,Allow
Deny from all
Allow from 10.100.50.0/24
Allow from ::1
In my case only 10.100.50.0/24 subnet can access phpLDAPadmin.
Restart Apache:
#/etc/init.d/httpd restart
You can access phpLDAPadmin via:
http://your-server/ldapadmin
Over plain HTTP the bind DN and password are sent in clear text, so serve it over HTTPS (mod_ssl) before opening it to anything beyond the trusted subnet above.