Tuesday, June 19, 2012

OpenLDAP with phpLDAPadmin (CentOS6)

In the following tutorial I will demonstrate how to install and configure OpenLDAP with phpLDAPadmin extension for convenient directory administration on CentOS 6.2 x86_64 machine.

Install OpenLDAP:

1)Install the relevant packages: 
#yum install openldap-servers openldap-clients -y

#chkconfig slapd on


Configure OpenLDAP:

This is where things start to get nasty :)

Edit the server configuration file (create it if it does not exist):
#vi /etc/openldap/slapd.conf

And add the following lines (they specify LDAP pid file and arguments file):
 pidfile     /var/run/openldap/slapd.pid
argsfile    /var/run/openldap/slapd.args

You can remove the config files under /etc/openldap/slapd.d:
# \rm -rf /etc/openldap/slapd.d/*

Next we will need to add couple of configurations:
 #vi /etc/openldap/slapd.d/cn=config/olcDatabase\={0}config.ldif

Comment out:
#olcAccess: {0}to *  by * none
...and Insert :
olcAccess:  {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break

Another configuration (create a new file if it does not exist):
#vi /etc/openldap/slapd.d/cn=config/olcDatabase\={1}monitor.ldif

Insert the following content:
 dn: olcDatabase={1}monitor
objectClass: olcDatabaseConfig
olcDatabase: {1}monitor
olcAccess: {1}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
olcAddContentAcl: FALSE
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcMonitoring: FALSE
structuralObjectClass: olcDatabaseConfig
creatorsName: cn=config
modifiersName: cn=config

Make sure configuration files owned by 'ldap' user (if the installation has not added it you may add it manually with useradd).
#chown ldap.ldap -R /etc/openldap/slapd.d/
#chmod -R 700 /etc/openldap/slapd.d/

Start the LDAP server and check it is listening on port 389:
#/etc/init.d/slapd start
#netstat -ntulp|grep 389

Import all the needed schema's:
 ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/core.ldif
  149  ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
  150  ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
  151  ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

Change the LDAP admin password:
#slappasswd

Save the SSHA hash, we will need it in the next stage
It's time to create our LDAP fronted/backend LDIF files:

Backend LDIF file (server_backend.ldif) will look like this (make sure you paste you SSHA hash at the 'oldRootPW' line and change the dc=*,dc=* with your domain credentials:

dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib64/openldap
olcModuleload: back_hdb

dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcSuffix: dc=yourdomain,dc=com
olcDbDirectory: /var/lib/ldap
olcRootDN: cn=admin,dc=yourdomain,dc=com
olcRootPW: {SSHA}xxxxxx
olcDbConfig: set_cachesize 0 2097152 0
olcDbConfig: set_lk_max_objects 1500
olcDbConfig: set_lk_max_locks 1500
olcDbConfig: set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcLastMod: TRUE
olcMonitoring: TRUE
olcDbCheckpoint: 512 30
olcAccess: to attrs=userPassword by dn="cn=admin,dc=yourdomain,dc=com" write by anonymous auth by self write by * none
olcAccess: to attrs=shadowLastChange by self write by * read
olcAccess: to dn.base="" by * read
olcAccess: to * by dn="cn=admin,dc=yourdomain,dc=com" write by * read

Import the backend LDIF file:
#ldapadd -Y EXTERNAL -H ldapi:/// -f server_backend.ldif


The frontend file will look like this:

dn: dc=yourdomain,dc=com
objectClass: top
objectClass: dcObject
objectclass: organization
o: Test Domain
dc: yourdomain

dn: cn=admin,dc=yourdomain,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
userPassword: {SSHA}wPkUaeo450ckN5rT8ZRE7HEpP7W7V3vJ

dn: ou=users,dc=yourdomain,dc=com
objectClass: organizationalUnit
ou: users

dn: ou=groups,dc=yourdomain,dc=com
objectClass: organizationalUnit
ou: groups

Import the frontend LDIF (server_frondtend.ldif) file:
#ldapadd -x -D cn=admin,dc=yourdomain,dc=com -W -f server_frontend.ldif

Basic configuration is done.


Add users/groups:

We will create 2 files: users.ldif, groups.ldif.

users.ldif:
dn: uid=paul,ou=users,dc=yourdomain,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: paul
sn: paul
givenName: paul
cn: paul
displayName: paul
uidNumber: 500
gidNumber: 500
userPassword: {crypt}!!$1$ErpqdrvZ$MtK5dCLSh2EHuqxMVjsKJ/
gecos: paul
loginShell: /bin/bash
homeDirectory: /home/paul
shadowExpire: -1
shadowFlag: 0
shadowWarning: 7
shadowMin: 0
shadowMax: 99999
shadowLastChange: 15114

Let's add the user:
#ldapadd -x -D cn=admin,dc=yourdomain,dc=org -W -f users.ldif
 ...

groups.ldif will look like this:

dn: cn=engineering,ou=groups,dc=yourdomain,dc=com
objectClass: posixGroup
cn: engineering
gidNumber: 500

dn: cn=support,ou=groups,dc=yourdomain,dc=com
objectClass: posixGroup
cn: support
gidNumber: 501
We will add the groups via:
#ldapadd -x -D cn=admin,dc=yourdomain,dc=org -W -f groups.ldif




Install phpLDAPadmin:


Get the EPEL repository:
#rpm -Uvh http://ftp-stud.hs-esslingen.de/pub/epel/6/i386/epel-release-6-7.noarch.rpm

Install phpLDAPadmin:
#yum install phpldapadmin -y

Edit phpLDAPadmin configuration file:
#vi /etc/phpldapadmin/config.php

Comment the line:
//$servers->setValue('login','attr','uid');

Un-comment the line:
$servers->setValue('login','attr','dn');

Make sure the apache ACL settings are correct for phpLDAPadmin:
#grep -i -E 'deny|allow' /etc/httpd/conf.d/phpldapadmin.conf 

  Order Deny,Allow
  Deny from all
  Allow from 10.100.50.0/24
  Allow from ::1

In my case only 10.100.50.0/24 subnet can access phpLDAPadmin.

Restart Apache:
#/etc/init.d/apache restart

You can access phpLDAPadmin via:
http://your-server/ldapadmin


2 comments:

quasimotoca said...

Hi:

I get insufficient access(50) when trying to add the ldif files:

ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/core.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=core,cn=schema,cn=config"
ldap_add: Insufficient access (50)

Dave

Unknown said...

Most of these steps are now automated. See my article with an updated guide

http://www.itmanx.com/kb/centos63-openldap-phpldapadmin