8/21/2016

LDAP: On-Line Configuration (OLC) and Static slapd.conf


Installing OpenLDAP 

To install both the client and server packages on RHEL/CentOS 7:

yum -y install openldap-servers openldap-clients

Enable and start the service:

systemctl enable slapd
systemctl start slapd


OLC

Until OpenLDAP 2.3, an OpenLDAP server was configured by editing /etc/openldap/slapd.conf, and the server had to be restarted for configuration changes to take effect.

With OpenLDAP 2.3 and later, On-Line Configuration of the server became possible through a Directory Information Tree (DIT) named cn=config, in which the configuration itself is stored as LDAP entries and can be changed with ordinary LDAP operations while slapd is running.

To view the OLC, you can execute the following as root (the EXTERNAL SASL mechanism over the ldapi:/// Unix socket authenticates the caller by its uid, which is why the command has to run as root):

ldapsearch -H ldapi:/// -Y EXTERNAL -b cn=config


olcSuffix, olcRootDN and olcRootPW
The first step in configuring your domain is to set the suffix of the DIT for your domain, together with the Distinguished Name (DN) and password of the administrative user. The olcRootDN must end with the suffix specified by olcSuffix.

Create an LDIF file with the following contents, updated for your own domain and with the olcRootPW value generated by executing slappasswd. The configuration can then be modified on the LDAP server with the following command:

ldapmodify -H ldapi:/// -Y EXTERNAL -f olc-root.ldif

olc-root.ldif:


dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=samba,dc=org
-
replace: olcRootDN
olcRootDN: cn=admin,dc=samba,dc=org
-
replace: olcRootPW
olcRootPW: {SSHA}GTeZbB7rpAMtPHVNxBZFN6ZFhwe+kINv

Configuring Logging with OLC

ldapmodify -H ldapi:/// -Y EXTERNAL -f olc-logging.ldif

olc-logging.ldif:

dn: cn=config
changetype: modify
add: olcLogFile
olcLogFile: /var/log/slapd.log
-
add: olcLogLevel
olcLogLevel: filter config acl



Configuring Organizational Units (OUs)

If you want to configure the LDAP directory to hold the information needed to authenticate users of your domain, you will need to create the following dcObject, organization, and organizationalUnit entries. The simpleSecurityObject/organizationalRole entry can be used as an administrator account for the suffix; entries under this suffix will then be modified by binding with the DN of this LDAP administrator entry.

Create an LDIF file with the following contents, updated for your own domain, and then update the LDAP server by executing (the -x selects a simple bind with the olcRootDN and olcRootPW set above, instead of the default SASL bind):

ldapadd -x -D cn=admin,dc=samba,dc=org -w secret -f olc-domain.ldif

olc-domain.ldif:

dn: dc=samba,dc=org
objectClass: top
objectClass: dcObject
objectClass: organization
o: samba.org
dc: samba

dn: cn=admin,dc=samba,dc=org
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword: secret

dn: ou=users,dc=samba,dc=org
objectClass: top
objectClass: organizationalUnit
ou: users

dn: ou=groups,dc=samba,dc=org
objectClass: top
objectClass: organizationalUnit
ou: groups

dn: ou=idmap,dc=samba,dc=org
objectClass: top
objectClass: organizationalUnit
ou: idmap

dn: ou=computers,dc=samba,dc=org
objectClass: top
objectClass: organizationalUnit
ou: computers
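The two LDIF files above are written by hand, and olc-domain.ldif stores the administrator's userPassword in clear. The following added example (not code from the original post) generates both files from one set of inputs: it hashes passwords in the {SSHA} form that slappasswd emits by default, enforces the rule that olcRootDN must end with olcSuffix, and derives dc and o from the suffix. The database name {2}hdb, the admin RDN cn=admin, and the sample domain dc=samba,dc=org are taken from the post; the salt parameter exists only to make output reproducible.

```python
import base64
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Added illustration, not code from the original post: builds the post's
# olc-root.ldif and olc-domain.ldif from one set of inputs, hashing the
# passwords the way slappasswd does instead of writing them in clear.


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return a {SSHA} value: base64(sha1(password + salt) + salt).

    This is the scheme slappasswd emits by default; a fresh 4-byte salt is
    drawn unless one is passed in (only for reproducible tests).
    """
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a candidate password against a {SSHA} value (constant-time compare)."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, the rest is salt
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def _norm_dn(dn: str) -> str:
    return ",".join(p.strip().lower() for p in dn.split(","))


def dn_under_suffix(dn: str, suffix: str) -> bool:
    """True when dn equals suffix or ends with ",<suffix>" as whole RDNs.

    Case-insensitive and tolerant of whitespace after commas; a plain
    str.endswith() would wrongly accept cn=admin,dc=notsamba,dc=org.
    """
    d, s = _norm_dn(dn), _norm_dn(suffix)
    return d == s or d.endswith("," + s)


def build_root_ldif(database: str, suffix: str, root_dn: str,
                    password: str, salt: Optional[bytes] = None) -> str:
    """The olc-root.ldif modify record for olcDatabase=<database>,cn=config."""
    if not dn_under_suffix(root_dn, suffix):
        raise ValueError(f"olcRootDN {root_dn!r} does not end with olcSuffix {suffix!r}")
    lines = [
        f"dn: olcDatabase={database},cn=config",
        "changetype: modify",
        "replace: olcSuffix", f"olcSuffix: {suffix}", "-",
        "replace: olcRootDN", f"olcRootDN: {root_dn}", "-",
        "replace: olcRootPW", f"olcRootPW: {ssha_hash(password, salt)}",
    ]
    return "\n".join(lines) + "\n"


def build_domain_ldif(suffix: str, admin_password: str,
                      ous: Iterable[str] = ("users", "groups", "idmap", "computers"),
                      salt: Optional[bytes] = None) -> str:
    """The olc-domain.ldif records: dcObject/organization root, admin role, OUs.

    dc is the first dc= component and o is all components joined with dots
    (dc=samba,dc=org -> dc: samba, o: samba.org), as in the post's example.
    """
    rdns = [p.strip() for p in suffix.split(",")]
    if not all(r.lower().startswith("dc=") for r in rdns):
        raise ValueError("suffix must consist of dc= components only")
    dcs = [r.split("=", 1)[1] for r in rdns]
    records = [
        [f"dn: {suffix}", "objectClass: top", "objectClass: dcObject",
         "objectClass: organization", f"o: {'.'.join(dcs)}", f"dc: {dcs[0]}"],
        [f"dn: cn=admin,{suffix}", "objectClass: simpleSecurityObject",
         "objectClass: organizationalRole", "cn: admin",
         "description: LDAP administrator",
         f"userPassword: {ssha_hash(admin_password, salt)}"],
    ]
    for ou in ous:
        records.append([f"dn: ou={ou},{suffix}", "objectClass: top",
                        "objectClass: organizationalUnit", f"ou: {ou}"])
    return "\n\n".join("\n".join(r) for r in records) + "\n"


if __name__ == "__main__":
    # Constructed sample values matching the post's domain.
    print(build_root_ldif("{2}hdb", "dc=samba,dc=org", "cn=admin,dc=samba,dc=org", "secret"))
    print(build_domain_ldif("dc=samba,dc=org", "secret"))
```

Redirect each generated record set to a file and apply it with the ldapmodify (for olc-root.ldif) and ldapadd (for olc-domain.ldif) commands shown above. OpenLDAP accepts a hashed userPassword value on an entry, so the admin role no longer carries a cleartext password; the ssha_verify function shows what slapd does on a simple bind against such a value.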


Configuring OLC Schema

To discover which schemas have been added to your server, you can execute the following query:

ldapsearch -H ldapi:/// -Y EXTERNAL -b cn=schema,cn=config cn

Most installations will only have the core schema loaded. The other schemas commonly needed for authentication are added by executing the following commands in this order. The order matters: a schema that references an attribute or object class defined in a schema that has not been loaded yet will be rejected, and that blocks adding it until the dependency is in place.

ldapadd -H ldapi:/// -Y EXTERNAL -f /etc/openldap/schema/cosine.ldif

ldapadd -H ldapi:/// -Y EXTERNAL -f /etc/openldap/schema/corba.ldif

ldapadd -H ldapi:/// -Y EXTERNAL -f /etc/openldap/schema/inetorgperson.ldif

ldapadd -H ldapi:/// -Y EXTERNAL -f /usr/share/doc/samba-4.2.3/LDAP/samba.ldif
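The ordering rule can be checked before touching the server. The following added example (not code from the original post or from OpenLDAP) parses the olcAttributeTypes and olcObjectClasses definitions of schema LDIF files, records what each file defines and what it references (an attribute's SUP; an object class's SUP, MUST and MAY), reports the first file a given load order would leave with unresolved references, and computes an order that satisfies them. The three schema texts inside it are constructed, heavily abbreviated stand-ins for core, cosine and inetorgperson, not the real files under /etc/openldap/schema/; the set of names assumed to be built into slapd (top, objectClass) is also an assumption of the example.

```python
import re

# Added example, not code from the post or from OpenLDAP. The three texts are
# constructed, abbreviated stand-ins for core, cosine and inetorgperson.
CORE_LDIF = """\
dn: cn={0}core,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {0}core
olcAttributeTypes: ( 2.5.4.41 NAME 'name' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: ( 2.5.4.3 NAME ( 'cn' 'commonName' ) SUP name )
olcAttributeTypes: ( 2.5.4.4 NAME ( 'sn' 'surname' ) SUP name )
olcObjectClasses: ( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn ) )
olcObjectClasses: ( 2.5.6.7 NAME 'organizationalPerson' SUP person STRUCTURAL )
"""
COSINE_LDIF = """\
dn: cn=cosine,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: cosine
olcAttributeTypes: ( 0.9.2342.19200300.100.1.1 NAME ( 'uid' 'userid' ) EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: ( 0.9.2342.19200300.100.1.3 NAME ( 'mail' 'rfc822Mailbox' ) EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
"""
INETORGPERSON_LDIF = """\
dn: cn=inetorgperson,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: inetorgperson
olcAttributeTypes: ( 2.16.840.1.113730.3.1.241 NAME 'displayName' SUP name )
olcObjectClasses: ( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson'
  SUP organizationalPerson STRUCTURAL
  MAY ( displayName $ mail $ uid ) )
"""

BUILTIN_ATTRS, BUILTIN_CLASSES = {"objectclass"}, {"top"}  # assumption: defined inside slapd
NAME_RE = re.compile(r"\bNAME\s+(?:'([^']*)'|\(\s*((?:'[^']*'\s*)+)\))")


def _unfold(text):
    """Join folded LDIF lines (continuation lines start with one space)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def _names(defn):
    """Names in NAME 'x' or NAME ( 'x' 'y' ), lower-cased (LDAP names are case-insensitive)."""
    m = NAME_RE.search(defn)
    if not m:
        return set()
    found = [m.group(1)] if m.group(1) is not None else re.findall(r"'([^']*)'", m.group(2))
    return {n.lower() for n in found}


def _refs(defn, keyword):
    """Names after KEYWORD: a single token or a ( a $ b ) list, lower-cased."""
    m = re.search(r"\b%s\s+(?:\(\s*([^)]*)\)|'?([\w.;-]+)'?)" % keyword, defn)
    if not m:
        return set()
    items = m.group(1).split("$") if m.group(1) is not None else [m.group(2)]
    return {n.strip().strip("'").lower() for n in items if n.strip()}


def parse_schema(ldif_text):
    """Return what one schema file defines and what it references."""
    s = {"name": "", "attrs": set(), "classes": set(), "attr_refs": set(), "class_refs": set()}
    for line in _unfold(ldif_text):
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "cn" and not s["name"]:
            s["name"] = re.sub(r"^\{\d+\}", "", value)  # cn: {0}core -> core
        elif key == "olcAttributeTypes":
            s["attrs"] |= _names(value)
            s["attr_refs"] |= _refs(value, "SUP")
        elif key == "olcObjectClasses":
            s["classes"] |= _names(value)
            s["class_refs"] |= _refs(value, "SUP")
            s["attr_refs"] |= _refs(value, "MUST") | _refs(value, "MAY")
    return s


def check_load_order(schemas):
    """Simulate ldapadd of the files in this order: return (file, missing names)
    for the first file that has unresolved references, or None if all resolve."""
    attrs, classes = set(BUILTIN_ATTRS), set(BUILTIN_CLASSES)
    for s in schemas:
        attrs, classes = attrs | s["attrs"], classes | s["classes"]
        missing = (s["attr_refs"] - attrs) | (s["class_refs"] - classes)
        if missing:
            return s["name"], sorted(missing)
    return None


def find_load_order(schemas):
    """Greedy topological order: load any file whose references are already
    satisfied, repeat; raise if a cycle or an unknown name blocks the rest."""
    remaining, order = list(schemas), []
    attrs, classes = set(BUILTIN_ATTRS), set(BUILTIN_CLASSES)
    while remaining:
        ready = [s for s in remaining
                 if (s["attr_refs"] - s["attrs"]) <= attrs and (s["class_refs"] - s["classes"]) <= classes]
        if not ready:
            raise ValueError("unsatisfiable: " + ", ".join(s["name"] for s in remaining))
        s = ready[0]
        remaining.remove(s)
        order.append(s["name"])
        attrs, classes = attrs | s["attrs"], classes | s["classes"]
    return order
```

With these stand-ins, loading inetorgperson before cosine is reported as failing on mail and uid, which is exactly the dependency that makes the post's command order necessary; find_load_order returns cosine, core, inetorgperson for the same three files. The parser only handles the keywords it needs and does not look inside DESC strings, which is enough for ordering but not a full RFC 4512 schema parser.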






About Me - WrightRocket


I've worked with computers for over 30 years, programming, administering, using and building them from scratch.

I'm an instructor for technical computer courses, an editor and developer of training manuals, and an Android developer.