Install the rpm packages:
yum -y install openldap openldap-clients openldap-servers
First build a slapd.conf with a basic configuration:
[root@lopenldap1 ~]# mkdir ldap ; cd ldap [root@lopenldap1 ldap]# rpm -ql openldap-servers krb5-server-ldap | grep '\.schema$' | sed -e "/README/d" -e "s/^/include /g" | tee -a slapd.conf.temp include /etc/openldap/schema/collective.schema include /etc/openldap/schema/corba.schema include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/duaconf.schema include /etc/openldap/schema/dyngroup.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/java.schema include /etc/openldap/schema/misc.schema include /etc/openldap/schema/nis.schema include /etc/openldap/schema/openldap.schema include /etc/openldap/schema/pmi.schema include /etc/openldap/schema/ppolicy.schema [root@lopenldap1 ldap]# cp /usr/share/doc/sudo-1.8.6p7/schema.OpenLDAP /etc/openldap/schema/sudo.schema [root@lopenldap1 ldap]# echo "include /etc/openldap/schema/sudo.schema" | tee -a slapd.conf.temp
[root@lopenldap1 ldap]# slappasswd New password: Re-enter new password: {SSHA}GtG8bcLGeN/rf1iStKFK2pu0C2EZf/RX [root@lopenldap1 ldap]# cat >> slapd.conf.temp << EOF database bdb directory /var/lib/ldap suffix "dc=mydomain.org" rootdn "cn=admin,dc=mydomain.org" rootpw {SSHA}GtG8bcLGeN/rf1iStKFK2pu0C2EZf/RX pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args EOF
[root@lopenldap1 ldap]# cat >> slapd.conf.temp << EOF # All access directives until the next ^database keyword will end up in the # /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{1\}bdb.ldif file. # Give access to the bdb backend to SASL EXTERNAL users with UID 0 and GID 0. access to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage # Give access to the userPassword attribute for authentication. access to attrs=userPassword by self write by * auth # Let everyone search this suffix but don't let them read it # This sounds strange, but it's required by OpenLDAP 2.4. access to dn.base=dc=mydomain.org by * search by * none # Configure the monitor backend. # All the lines below this point will end up in the # /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}monitor.ldif file. database monitor # Provide access to this backend for SASL EXTERNAL users with UID 0 and GID 0 # and to the rootdn, but not to any other users. access to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by dn.base="cn=admin,dc=mydomain.org" manage by * none # Configure the config backend. # All lines below this point end up in the # /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{0\}config.ldif file. database config # Again, let SASL EXTERNAL users with UID 0 & GID 0 users and the rootdn manage # the configuration. But not any other users. access to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by dn.base="cn=admin,dc=mydomain.org" manage by * none EOF
[root@lopenldap1 ldap]# slaptest -uf slapd.conf.temp 543f7cde /etc/openldap/schema/collective.schema: line 65 attributeType: AttributeType not found: "l" slaptest: bad configuration file!
As the configuration test fails (collective.schema refers to the attribute "l", which is defined in core.schema, so core.schema must be included before it), the include lines have to be reordered so that core, cosine and inetorgperson come first, like this:
[root@lopenldap1 ldap]# cat slapd.conf.temp include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/collective.schema include /etc/openldap/schema/corba.schema include /etc/openldap/schema/duaconf.schema include /etc/openldap/schema/dyngroup.schema include /etc/openldap/schema/java.schema include /etc/openldap/schema/misc.schema include /etc/openldap/schema/nis.schema include /etc/openldap/schema/openldap.schema include /etc/openldap/schema/pmi.schema include /etc/openldap/schema/ppolicy.schema include /etc/openldap/schema/sudo.schema database bdb directory /var/lib/ldap suffix "dc=mydomain.org" rootdn "cn=admin,dc=mydomain.org" rootpw {SSHA}GtG8bcLGeN/rf1iStKFK2pu0C2EZf/RX pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args # All access directives until the next ^database keyword will end up in the # /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{1\}bdb.ldif file. # Give access to the bdb backend to SASL EXTERNAL users with UID 0 and GID 0. access to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage # Give access to the userPassword attribute for authentication. access to attrs=userPassword by self write by * auth # Let everyone search this suffix but don't let them read it # This sounds strange, but it's required by OpenLDAP 2.4. access to dn.base=dc=mydomain.org by * search by * none # Configure the monitor backend. # All the lines below this point will end up in the # /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}monitor.ldif file. database monitor # Provide access to this backend for SASL EXTERNAL users with UID 0 and GID 0 # and to the rootdn, but not to any other users. access to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by dn.base="cn=admin,dc=mydomain.org" manage by * none # Configure the config backend. 
# All lines below this point end up in the # /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{0\}config.ldif file. database config # Again, let SASL EXTERNAL users with UID 0 & GID 0 users and the rootdn manage # the configuration. But not any other users. access to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by dn.base="cn=admin,dc=mydomain.org" manage by * none # EOF
Now the test is successful:
[root@lopenldap1 ldap]# slaptest -uf slapd.conf.temp config file testing succeeded
[root@lopenldap1 ldap]# slapcat -f slapd.conf.temp -F /root/ldap -n 0 dn: cn=config objectClass: olcGlobal cn: config olcConfigFile: slapd.conf.temp olcConfigDir: /root/ldap olcAttributeOptions: lang- olcAuthzPolicy: none olcConcurrency: 0 olcConnMaxPending: 100 olcConnMaxPendingAuth: 1000 olcGentleHUP: FALSE olcIdleTimeout: 0 olcIndexSubstrIfMaxLen: 4 olcIndexSubstrIfMinLen: 2 olcIndexSubstrAnyLen: 4 olcIndexSubstrAnyStep: 2 .............. [root@lopenldap1 ldap]# ll total 12 drwxr-x---. 3 root root 4096 Oct 16 10:24 cn=config -rw-------. 1 root root 1027 Oct 16 10:24 cn=config.ldif -rw-r--r--. 1 root root 808 Oct 16 10:23 slapd.conf.temp
Clean up /etc/openldap/slapd.d and move your new config files into place. Note that slapd.conf.temp was created world-readable (`-rw-r--r--` in the listing above) and contains the rootpw hash, so restrict it with `chmod 600` or delete it once cn=config has been generated:
[root@lopenldap1 ldap]# mv /etc/openldap/slapd.d /etc/openldap/slapd.d.unused [root@lopenldap1 ldap]# mkdir /etc/openldap/slapd.d [root@lopenldap1 ldap]# ll total 12 drwxr-x---. 3 root root 4096 Oct 16 10:24 cn=config -rw-------. 1 root root 1027 Oct 16 10:24 cn=config.ldif -rw-r--r--. 1 root root 808 Oct 16 10:23 slapd.conf.temp [root@lopenldap1 ldap]# cp -rp cn\=config* /etc/openldap/slapd.d [root@lopenldap1 ldap]# chown -R ldap:ldap /etc/openldap/slapd.d
Prepare the DB config file:
[root@lopenldap1 ldap]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG # (cp `rpm -ql openldap-servers | grep DB_CONFIG` /var/lib/ldap/DB_CONFIG) [root@lopenldap1 ldap]# chown ldap:ldap /var/lib/ldap [root@lopenldap1 ldap]# chmod 700 /var/lib/ldap
Modify /etc/sysconfig/slapd:
[root@lopenldap1 ldap]# vi /etc/sysconfig/slapd # OpenLDAP server configuration # see 'man slapd' for additional information # Where the server will run (-h option) # - ldapi:/// is required for on-the-fly configuration using client tools # (use SASL with EXTERNAL mechanism for authentication) # - default: ldapi:/// ldap:/// # - example: ldapi:/// ldap://127.0.0.1/ ldap://10.0.0.1:1389/ ldaps:/// SLAPD_URLS="ldapi:/// ldap:///" # Any custom options: /usr/sbin/slapd -h SLAPD_OPTIONS="-4 -d 2" # Run slapd with -h "... ldap:/// ..." # yes/no, default: yes SLAPD_LDAP=yes # Run slapd with -h "... ldapi:/// ..." # yes/no, default: yes SLAPD_LDAPI=yes # Run slapd with -h "... ldaps:/// ..." # yes/no, default: no SLAPD_LDAPS=no # Maximum allowed time to wait for slapd shutdown on 'service ldap stop' (in seconds) SLAPD_SHUTDOWN_TIMEOUT=15 # Keytab location for GSSAPI Kerberos authentication #KRB5_KTNAME="FILE:/etc/openldap/ldap.keytab"
Add the following lines after RULES in /etc/rsyslog.conf
#### RULES #### # Send slapd(8c) logs to /var/log/slapd.log if $programname == 'slapd' then /var/log/slapd.log & ~
And restart the rsyslog service:
systemctl restart rsyslog
Add an entry in logrotate:
[root@lopenldap1 ldap]# cat >> /etc/logrotate.d/slapd << EOF # /etc/logrotate.d/slapd # # Rotate slapd(8) log file. /var/log/slapd.log { rotate 7 compress } EOF
Start manually:
[root@lopenldap1 ldap]# slapd -d 16383 ..... [root@lopenldap1 ldap]# netstat -an | grep LIST tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN tcp6 0 0 :::389 :::* LISTEN
Or start it as a service:
[root@lopenldap1 ldap]# systemctl start slapd.service Job for slapd.service failed. See 'systemctl status slapd.service' and 'journalctl -xn' for details. [root@lopenldap1 ldap]# journalctl -xn -- Logs begin at Wed 2014-10-15 16:29:34 CEST, end at Thu 2014-10-16 14:35:25 CEST. -- Oct 16 14:35:25 lopenldap1 runuser[12016]: pam_unix(runuser:session): session opened for user ldap by (uid=0) Oct 16 14:35:25 lopenldap1 runuser[12016]: pam_unix(runuser:session): session closed for user ldap Oct 16 14:35:25 lopenldap1 check-config.sh[12013]: Checking configuration file failed: Oct 16 14:35:25 lopenldap1 check-config.sh[12013]: 543fbb8d olcDbDirectory: value #0: invalid path: Permission denied Oct 16 14:35:25 lopenldap1 check-config.sh[12013]: 543fbb8d config error processing olcDatabase={1}bdb,cn=config: olcDbDirectory: value #0: invalid path: Permission denied Oct 16 14:35:25 lopenldap1 check-config.sh[12013]: slaptest: bad configuration file! Oct 16 14:35:25 lopenldap1 slapd[12027]: @(#) $OpenLDAP: slapd 2.4.39 (Jun 9 2014 23:23:12) $ mockbuild@worker1.bsys.centos.org:/builddir/build/BUILD/openldap-2.4.39/openldap-2.4.39/servers/slapd Oct 16 14:35:25 lopenldap1 systemd[1]: slapd.service: control process exited, code=exited status=1 Oct 16 14:35:25 lopenldap1 systemd[1]: Failed to start OpenLDAP Server Daemon. -- Subject: Unit slapd.service has failed -- Defined-By: systemd -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel -- -- Unit slapd.service has failed. -- -- The result is failed. Oct 16 14:35:25 lopenldap1 systemd[1]: Unit slapd.service entered failed state.
Before testing from another server, test locally:
[root@lopenldap1 ~]# cat /etc/openldap/ldap.conf # # LDAP Defaults # # See ldap.conf(5) for details # This file should be world readable but not world writable. #BASE dc=example,dc=com #URI ldap://ldap.example.com ldap://ldap-master.example.com:666 BASE dc=mydomain.org URI ldap://lopenldap1 #SIZELIMIT 12 #TIMELIMIT 15 #DEREF never #TLS_CACERTDIR /etc/openldap/certs # Turning this off breaks GSSAPI used with krb5 when rdns = false SASL_NOCANON on [root@lopenldap1 ~]# ldapwhoami -WD cn=admin,dc=mydomain.org Enter LDAP Password: dn:cn=admin,dc=mydomain.org
Debug on the server (note that `-d 2` dumps raw packets to the output, including the simple-bind password, as the hex dump below shows, so do not leave `-d 2` in SLAPD_OPTIONS on a production server):
[root@lopenldap1 ldap]# slapd -d 2 -F /etc/openldap/slapd.d/ -u ldap 543fbd3e @(#) $OpenLDAP: slapd 2.4.39 (Jun 9 2014 23:23:12) $ mockbuild@worker1.bsys.centos.org:/builddir/build/BUILD/openldap-2.4.39/openldap-2.4.39/servers/slapd 543fbd3f slapd starting ldap_read: want=8, got=8 0000: 30 38 02 01 01 60 33 02 08...`3. ldap_read: want=50, got=50 0000: 01 03 04 1d 63 6e 3d 61 64 6d 69 6e 2c 64 63 3d ....cn=admin,dc= 0010: 72 61 69 66 66 65 69 73 65 6e 2c 64 63 3d 6f 72 mydomain.or 0020: 67 80 0f 72 61 69 66 66 65 69 73 73 65 6e 31 32 g..mydomain12 0030: 33 34 34 ldap_read: want=8 error=Resource temporarily unavailable ldap_write: want=14, written=14
The service does not start, although slapd runs when started manually as root. The DB files listed below are owned by root, presumably because they were created by that manual root run, which is why slapd running as the ldap user cannot open them:
[root@lopenldap1 ldap]# systemctl status slapd.service slapd.service - OpenLDAP Server Daemon Loaded: loaded (/usr/lib/systemd/system/slapd.service; disabled) Active: failed (Result: exit-code) since Thu 2014-10-16 17:09:22 CEST; 6min ago Process: 12371 ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS (code=exited, status=1/FAILURE) Process: 12357 ExecStartPre=/usr/libexec/openldap/check-config.sh (code=exited, status=0/SUCCESS) Oct 16 17:09:22 lopenldap1 slapd[12371]: <= ldap_bv2dn(cn=admin,dc=mydomain,dc=org)=0 Oct 16 17:09:22 lopenldap1 slapd[12371]: => ldap_dn2bv(272) Oct 16 17:09:22 lopenldap1 slapd[12371]: <= ldap_dn2bv(cn=admin,dc=mydomain,dc=org)=0 Oct 16 17:09:22 lopenldap1 slapd[12371]: => ldap_dn2bv(272) Oct 16 17:09:22 lopenldap1 slapd[12371]: <= ldap_dn2bv(cn=admin,dc=mydomain,dc=org)=0 Oct 16 17:09:22 lopenldap1 slapd[12371]: 543fdfa2 olcDbDirectory: value #0: invalid path: Permission denied Oct 16 17:09:22 lopenldap1 slapd[12371]: 543fdfa2 config error processing olcDatabase={1}bdb,cn=config: olcDbDirectory: value #0: invalid path: Permission denied Oct 16 17:09:22 lopenldap1 slapd[12371]: 543fdfa2 send_ldap_result: err=80 matched="" text="" Oct 16 17:09:22 lopenldap1 slapd[12371]: 543fdfa2 slapd stopped. Oct 16 17:09:22 lopenldap1 slapd[12371]: 543fdfa2 connections_destroy: nothing to destroy. [root@lopenldap1 ldap]# cat /usr/lib/systemd/system/slapd.service [Unit] Description=OpenLDAP Server Daemon After=syslog.target network.target [Service] Type=forking PIDFile=/var/run/openldap/slapd.pid Environment="SLAPD_URLS=ldap:/// ldapi:///" "SLAPD_OPTIONS=" EnvironmentFile=/etc/sysconfig/slapd ExecStartPre=/usr/libexec/openldap/check-config.sh ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS [Install] WantedBy=multi-user.target [root@lopenldap1 ldap]# chmod g+rw /var/lib/ldap/* [root@lopenldap1 ldap]# /usr/libexec/openldap/check-config.sh Read/write permissions for DB file '/var/lib/ldap/id2entry.bdb' are required. 
Read/write permissions for DB file '/var/lib/ldap/__db.002' are required. Read/write permissions for DB file '/var/lib/ldap/alock' are required. Read/write permissions for DB file '/var/lib/ldap/log.0000000001' are required. Read/write permissions for DB file '/var/lib/ldap/__db.003' are required. Read/write permissions for DB file '/var/lib/ldap/dn2id.bdb' are required. Read/write permissions for DB file '/var/lib/ldap/__db.001' are required. [root@lopenldap1 ldap]# ll /var/lib/ldap/ total 19124 -rw-rw-r--. 1 root root 2048 Oct 16 16:16 alock -rw-rw----. 1 root root 2326528 Oct 16 16:16 __db.001 -rw-rw----. 1 root root 17448960 Oct 16 16:16 __db.002 -rw-rw----. 1 root root 1884160 Oct 16 16:16 __db.003 -rw-rw-r--. 1 ldap ldap 845 Oct 16 15:14 DB_CONFIG -rw-rw----. 1 root root 8192 Oct 16 15:27 dn2id.bdb -rw-rw----. 1 root root 32768 Oct 16 15:27 id2entry.bdb -rw-rw----. 1 root root 10485760 Oct 16 16:16 log.0000000001 [root@lopenldap1 ldap]# ll /var/lib/ ... drwx------. 2 ldap ldap 4096 Oct 16 17:17 ldap ... [root@lopenldap1 ldap]# chown -R ldap.ldap /var/lib/ [root@lopenldap1 ldap]# ll /var/lib/ldap/ total 19124 -rw-rw-r--. 1 ldap ldap 2048 Oct 16 16:16 alock -rw-rw----. 1 ldap ldap 2326528 Oct 16 16:16 __db.001 -rw-rw----. 1 ldap ldap 17448960 Oct 16 16:16 __db.002 -rw-rw----. 1 ldap ldap 1884160 Oct 16 16:16 __db.003 -rw-rw-r--. 1 ldap ldap 845 Oct 16 15:14 DB_CONFIG -rw-rw----. 1 ldap ldap 8192 Oct 16 15:27 dn2id.bdb -rw-rw----. 1 ldap ldap 32768 Oct 16 15:27 id2entry.bdb -rw-rw----. 1 ldap ldap 10485760 Oct 16 16:16 log.0000000001 [root@lopenldap1 ldap]# /usr/libexec/openldap/check-config.sh
Now it works. Be careful with `chown -R ldap.ldap /var/lib/` above: it recursively changes the owner of every directory under /var/lib, not only /var/lib/ldap, which can break other services; `chown -R ldap:ldap /var/lib/ldap` is sufficient.
Test the start options from the /etc/sysconfig/slapd file:
Ex:
/usr/sbin/slapd -u ldap -h "ldapi:/// ldap:///" -4 -d 2
strace -f /etc/rc.d/init.d/slapd start >& /tmp/slapd.trace
During config file generation, my file /etc/openldap/slapd.d/cn=config/olcDatabase={1}bdb.ldif appears to have a bad format (the olcAccess line is split at "cn=externa l"). This is LDIF line folding, however: a continuation line that starts with a single space is joined to the previous line when the file is read, so the file is valid as generated:
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify. # CRC32 1580b7b9 dn: olcDatabase={1}bdb objectClass: olcDatabaseConfig objectClass: olcBdbConfig olcDatabase: {1}bdb olcSuffix: dc=mydomain,dc=org olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=externa l,cn=auth" manage olcAccess: {1}to attrs=userPassword by self write by * auth olcAccess: {2}to dn.base="dc=mydomain,dc=org" by * search by * none olcAddContentAcl: FALSE
But after modifying the file manually, I get a checksum error; this is expected, since the header marks the file as auto-generated with a CRC32 and says to use ldapmodify instead.