====== Install OpenLDAP 2.4 on CentOS 7 ======
===== Install packages on the server =====
Install the rpm packages:
yum -y install openldap openldap-clients openldap-servers
===== Generate the LDAP config file =====
First build a slapd.conf with a basic configuration.
==== List schemas to add to your config file ====
[root@lopenldap1 ~]# mkdir ldap ; cd ldap
[root@lopenldap1 ldap]# rpm -ql openldap-servers krb5-server-ldap | grep '\.schema$' | sed -e "/README/d" -e "s/^/include /g" | tee -a slapd.conf.temp
include /etc/openldap/schema/collective.schema
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/pmi.schema
include /etc/openldap/schema/ppolicy.schema
[root@lopenldap1 ldap]# cp /usr/share/doc/sudo-1.8.6p7/schema.OpenLDAP /etc/openldap/schema/sudo.schema
[root@lopenldap1 ldap]# echo "include /etc/openldap/schema/sudo.schema" | tee -a slapd.conf.temp
==== Add suffix and login information ====
[root@lopenldap1 ldap]# slappasswd
New password:
Re-enter new password:
{SSHA}GtG8bcLGeN/rf1iStKFK2pu0C2EZf/RX
[root@lopenldap1 ldap]# cat >> slapd.conf.temp << EOF
database bdb
directory /var/lib/ldap
suffix "dc=mydomain.org"
rootdn "cn=admin,dc=mydomain.org"
rootpw {SSHA}GtG8bcLGeN/rf1iStKFK2pu0C2EZf/RX
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
EOF
==== Add access restrictions parameters ====
[root@lopenldap1 ldap]# cat >> slapd.conf.temp << EOF
# All access directives until the next ^database keyword will end up in the
# /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{1\}bdb.ldif file.
# Give access to the bdb backend to SASL EXTERNAL users with UID 0 and GID 0.
access to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
# Give access to the userPassword attribute for authentication.
access to attrs=userPassword by self write by * auth
# Let everyone search this suffix but don't let them read it
# This sounds strange, but it's required by OpenLDAP 2.4.
access to dn.base=dc=mydomain.org by * search
by * none
# Configure the monitor backend.
# All the lines below this point will end up in the
# /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}monitor.ldif file.
database monitor
# Provide access to this backend for SASL EXTERNAL users with UID 0 and GID 0
# and to the rootdn, but not to any other users.
access to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
by dn.base="cn=admin,dc=mydomain.org" manage
by * none
# Configure the config backend.
# All lines below this point end up in the
# /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{0\}config.ldif file.
database config
# Again, let SASL EXTERNAL users with UID 0 & GID 0 users and the rootdn manage
# the configuration. But not any other users.
access to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
by dn.base="cn=admin,dc=mydomain.org" manage
by * none
EOF
===== Test your config file =====
[root@lopenldap1 ldap]# slaptest -uf slapd.conf.temp
543f7cde /etc/openldap/schema/collective.schema: line 65 attributeType: AttributeType not found: "l"
slaptest: bad configuration file!
Because the test failed (collective.schema refers to the attribute type "l", which is defined in core.schema and must therefore be included first), reorder the include lines like this:
[root@lopenldap1 ldap]# cat slapd.conf.temp
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/collective.schema
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/pmi.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/sudo.schema
database bdb
directory /var/lib/ldap
suffix "dc=mydomain.org"
rootdn "cn=admin,dc=mydomain.org"
rootpw {SSHA}GtG8bcLGeN/rf1iStKFK2pu0C2EZf/RX
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# All access directives until the next ^database keyword will end up in the
# /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{1\}bdb.ldif file.
# Give access to the bdb backend to SASL EXTERNAL users with UID 0 and GID 0.
access to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
# Give access to the userPassword attribute for authentication.
access to attrs=userPassword by self write by * auth
# Let everyone search this suffix but don't let them read it
# This sounds strange, but it's required by OpenLDAP 2.4.
access to dn.base=dc=mydomain.org by * search
by * none
# Configure the monitor backend.
# All the lines below this point will end up in the
# /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}monitor.ldif file.
database monitor
# Provide access to this backend for SASL EXTERNAL users with UID 0 and GID 0
# and to the rootdn, but not to any other users.
access to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
by dn.base="cn=admin,dc=mydomain.org" manage
by * none
# Configure the config backend.
# All lines below this point end up in the
# /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{0\}config.ldif file.
database config
# Again, let SASL EXTERNAL users with UID 0 & GID 0 users and the rootdn manage
# the configuration. But not any other users.
access to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
by dn.base="cn=admin,dc=mydomain.org" manage
by * none
# EOF
Now the test is successful:
[root@lopenldap1 ldap]# slaptest -uf slapd.conf.temp
config file testing succeeded
===== Create the new configuration files for OpenLDAP 2.4 =====
[root@lopenldap1 ldap]# slapcat -f slapd.conf.temp -F /root/ldap -n 0
dn: cn=config
objectClass: olcGlobal
cn: config
olcConfigFile: slapd.conf.temp
olcConfigDir: /root/ldap
olcAttributeOptions: lang-
olcAuthzPolicy: none
olcConcurrency: 0
olcConnMaxPending: 100
olcConnMaxPendingAuth: 1000
olcGentleHUP: FALSE
olcIdleTimeout: 0
olcIndexSubstrIfMaxLen: 4
olcIndexSubstrIfMinLen: 2
olcIndexSubstrAnyLen: 4
olcIndexSubstrAnyStep: 2
..............
[root@lopenldap1 ldap]# ll
total 12
drwxr-x---. 3 root root 4096 Oct 16 10:24 cn=config
-rw-------. 1 root root 1027 Oct 16 10:24 cn=config.ldif
-rw-r--r--. 1 root root 808 Oct 16 10:23 slapd.conf.temp
===== Prepare your configuration files =====
Clean up /etc/openldap/slapd.d and move your new config files into place. Note that slapd.conf.temp contains the rootpw hash and was created world-readable (mode 644 in the listing above), so delete it or restrict its permissions once the slapd.d tree has been generated:
[root@lopenldap1 ldap]# mv /etc/openldap/slapd.d /etc/openldap/slapd.d.unused
[root@lopenldap1 ldap]# mkdir /etc/openldap/slapd.d
[root@lopenldap1 ldap]# ll
total 12
drwxr-x---. 3 root root 4096 Oct 16 10:24 cn=config
-rw-------. 1 root root 1027 Oct 16 10:24 cn=config.ldif
-rw-r--r--. 1 root root 808 Oct 16 10:23 slapd.conf.temp
[root@lopenldap1 ldap]# cp -rp cn\=config* /etc/openldap/slapd.d
[root@lopenldap1 ldap]# chown -R ldap:ldap /etc/openldap/slapd.d
Prepare the DB config file:
[root@lopenldap1 ldap]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG # (cp `rpm -ql openldap-servers | grep DB_CONFIG` /var/lib/ldap/DB_CONFIG)
[root@lopenldap1 ldap]# chown ldap:ldap /var/lib/ldap
[root@lopenldap1 ldap]# chmod 700 /var/lib/ldap
Modify /etc/sysconfig/slapd:
[root@lopenldap1 ldap]# vi /etc/sysconfig/slapd
# OpenLDAP server configuration
# see 'man slapd' for additional information
# Where the server will run (-h option)
# - ldapi:/// is required for on-the-fly configuration using client tools
# (use SASL with EXTERNAL mechanism for authentication)
# - default: ldapi:/// ldap:///
# - example: ldapi:/// ldap://127.0.0.1/ ldap://10.0.0.1:1389/ ldaps:///
SLAPD_URLS="ldapi:/// ldap:///"
# Any custom options: /usr/sbin/slapd -h
SLAPD_OPTIONS="-4 -d 2"
# Run slapd with -h "... ldap:/// ..."
# yes/no, default: yes
SLAPD_LDAP=yes
# Run slapd with -h "... ldapi:/// ..."
# yes/no, default: yes
SLAPD_LDAPI=yes
# Run slapd with -h "... ldaps:/// ..."
# yes/no, default: no
SLAPD_LDAPS=no
# Maximum allowed time to wait for slapd shutdown on 'service ldap stop' (in seconds)
SLAPD_SHUTDOWN_TIMEOUT=15
# Keytab location for GSSAPI Kerberos authentication
#KRB5_KTNAME="FILE:/etc/openldap/ldap.keytab"
===== Add logs for slapd process =====
Add the following lines after RULES in /etc/rsyslog.conf
#### RULES ####
# Send slapd(8c) logs to /var/log/slapd.log
if $programname == 'slapd' then /var/log/slapd.log
& ~
Then restart the rsyslog service:
systemctl restart rsyslog
Add an entry in logrotate:
[root@lopenldap1 ldap]# cat >> /etc/logrotate.d/slapd << EOF
# /etc/logrotate.d/slapd
#
# Rotate slapd(8) log file.
/var/log/slapd.log {
rotate 7
compress
}
EOF
===== Start LDAP server in debug mode =====
Start manually:
[root@lopenldap1 ldap]# slapd -d 16383
.....
[root@lopenldap1 ldap]# netstat -an | grep LIST
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp6 0 0 :::389 :::* LISTEN
Or start it as a systemd service:
[root@lopenldap1 ldap]# systemctl start slapd.service
Job for slapd.service failed. See 'systemctl status slapd.service' and 'journalctl -xn' for details.
[root@lopenldap1 ldap]# journalctl -xn
-- Logs begin at Wed 2014-10-15 16:29:34 CEST, end at Thu 2014-10-16 14:35:25 CEST. --
Oct 16 14:35:25 lopenldap1 runuser[12016]: pam_unix(runuser:session): session opened for user ldap by (uid=0)
Oct 16 14:35:25 lopenldap1 runuser[12016]: pam_unix(runuser:session): session closed for user ldap
Oct 16 14:35:25 lopenldap1 check-config.sh[12013]: Checking configuration file failed:
Oct 16 14:35:25 lopenldap1 check-config.sh[12013]: 543fbb8d olcDbDirectory: value #0: invalid path: Permission denied
Oct 16 14:35:25 lopenldap1 check-config.sh[12013]: 543fbb8d config error processing olcDatabase={1}bdb,cn=config: olcDbDirectory: value #0: invalid path: Permission denied
Oct 16 14:35:25 lopenldap1 check-config.sh[12013]: slaptest: bad configuration file!
Oct 16 14:35:25 lopenldap1 slapd[12027]: @(#) $OpenLDAP: slapd 2.4.39 (Jun 9 2014 23:23:12) $
mockbuild@worker1.bsys.centos.org:/builddir/build/BUILD/openldap-2.4.39/openldap-2.4.39/servers/slapd
Oct 16 14:35:25 lopenldap1 systemd[1]: slapd.service: control process exited, code=exited status=1
Oct 16 14:35:25 lopenldap1 systemd[1]: Failed to start OpenLDAP Server Daemon.
-- Subject: Unit slapd.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit slapd.service has failed.
--
-- The result is failed.
Oct 16 14:35:25 lopenldap1 systemd[1]: Unit slapd.service entered failed state.
====== Client configuration and test ======
Before testing from another host, test locally:
[root@lopenldap1 ~]# cat /etc/openldap/ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
BASE dc=mydomain.org
URI ldap://lopenldap1
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
#TLS_CACERTDIR /etc/openldap/certs
# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON on
[root@lopenldap1 ~]# ldapwhoami -WD cn=admin,dc=mydomain.org
Enter LDAP Password:
dn:cn=admin,dc=mydomain.org
Debug on the server. Note that packet-level debug output (-d 2) dumps the whole bind request, so the bind DN and the simple-bind credential bytes appear in the trace below; do not keep this output in persistent logs:
[root@lopenldap1 ldap]# slapd -d 2 -F /etc/openldap/slapd.d/ -u ldap
543fbd3e @(#) $OpenLDAP: slapd 2.4.39 (Jun 9 2014 23:23:12) $
mockbuild@worker1.bsys.centos.org:/builddir/build/BUILD/openldap-2.4.39/openldap-2.4.39/servers/slapd
543fbd3f slapd starting
ldap_read: want=8, got=8
0000: 30 38 02 01 01 60 33 02 08...`3.
ldap_read: want=50, got=50
0000: 01 03 04 1d 63 6e 3d 61 64 6d 69 6e 2c 64 63 3d ....cn=admin,dc=
0010: 72 61 69 66 66 65 69 73 65 6e 2c 64 63 3d 6f 72 mydomain.or
0020: 67 80 0f 72 61 69 66 66 65 69 73 73 65 6e 31 32 g..mydomain12
0030: 33 34 34
ldap_read: want=8 error=Resource temporarily unavailable
ldap_write: want=14, written=14
====== Debug Openldap ======
===== Check config consistency =====
The service does not start, but slapd runs when started manually as root:
[root@lopenldap1 ldap]# systemctl status slapd.service
slapd.service - OpenLDAP Server Daemon
Loaded: loaded (/usr/lib/systemd/system/slapd.service; disabled)
Active: failed (Result: exit-code) since Thu 2014-10-16 17:09:22 CEST; 6min ago
Process: 12371 ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS (code=exited, status=1/FAILURE)
Process: 12357 ExecStartPre=/usr/libexec/openldap/check-config.sh (code=exited, status=0/SUCCESS)
Oct 16 17:09:22 lopenldap1 slapd[12371]: <= ldap_bv2dn(cn=admin,dc=mydomain,dc=org)=0
Oct 16 17:09:22 lopenldap1 slapd[12371]: => ldap_dn2bv(272)
Oct 16 17:09:22 lopenldap1 slapd[12371]: <= ldap_dn2bv(cn=admin,dc=mydomain,dc=org)=0
Oct 16 17:09:22 lopenldap1 slapd[12371]: => ldap_dn2bv(272)
Oct 16 17:09:22 lopenldap1 slapd[12371]: <= ldap_dn2bv(cn=admin,dc=mydomain,dc=org)=0
Oct 16 17:09:22 lopenldap1 slapd[12371]: 543fdfa2 olcDbDirectory: value #0: invalid path: Permission denied
Oct 16 17:09:22 lopenldap1 slapd[12371]: 543fdfa2 config error processing olcDatabase={1}bdb,cn=config: olcDbDirectory: value #0: invalid path: Permission denied
Oct 16 17:09:22 lopenldap1 slapd[12371]: 543fdfa2 send_ldap_result: err=80 matched="" text=""
Oct 16 17:09:22 lopenldap1 slapd[12371]: 543fdfa2 slapd stopped.
Oct 16 17:09:22 lopenldap1 slapd[12371]: 543fdfa2 connections_destroy: nothing to destroy.
[root@lopenldap1 ldap]# cat /usr/lib/systemd/system/slapd.service
[Unit]
Description=OpenLDAP Server Daemon
After=syslog.target network.target
[Service]
Type=forking
PIDFile=/var/run/openldap/slapd.pid
Environment="SLAPD_URLS=ldap:/// ldapi:///" "SLAPD_OPTIONS="
EnvironmentFile=/etc/sysconfig/slapd
ExecStartPre=/usr/libexec/openldap/check-config.sh
ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS
[Install]
WantedBy=multi-user.target
[root@lopenldap1 ldap]# chmod g+rw /var/lib/ldap/*
[root@lopenldap1 ldap]# /usr/libexec/openldap/check-config.sh
Read/write permissions for DB file '/var/lib/ldap/id2entry.bdb' are required.
Read/write permissions for DB file '/var/lib/ldap/__db.002' are required.
Read/write permissions for DB file '/var/lib/ldap/alock' are required.
Read/write permissions for DB file '/var/lib/ldap/log.0000000001' are required.
Read/write permissions for DB file '/var/lib/ldap/__db.003' are required.
Read/write permissions for DB file '/var/lib/ldap/dn2id.bdb' are required.
Read/write permissions for DB file '/var/lib/ldap/__db.001' are required.
[root@lopenldap1 ldap]# ll /var/lib/ldap/
total 19124
-rw-rw-r--. 1 root root 2048 Oct 16 16:16 alock
-rw-rw----. 1 root root 2326528 Oct 16 16:16 __db.001
-rw-rw----. 1 root root 17448960 Oct 16 16:16 __db.002
-rw-rw----. 1 root root 1884160 Oct 16 16:16 __db.003
-rw-rw-r--. 1 ldap ldap 845 Oct 16 15:14 DB_CONFIG
-rw-rw----. 1 root root 8192 Oct 16 15:27 dn2id.bdb
-rw-rw----. 1 root root 32768 Oct 16 15:27 id2entry.bdb
-rw-rw----. 1 root root 10485760 Oct 16 16:16 log.0000000001
[root@lopenldap1 ldap]# ll /var/lib/
...
drwx------. 2 ldap ldap 4096 Oct 16 17:17 ldap
...
[root@lopenldap1 ldap]# chown -R ldap.ldap /var/lib/
[root@lopenldap1 ldap]# ll /var/lib/ldap/
total 19124
-rw-rw-r--. 1 ldap ldap 2048 Oct 16 16:16 alock
-rw-rw----. 1 ldap ldap 2326528 Oct 16 16:16 __db.001
-rw-rw----. 1 ldap ldap 17448960 Oct 16 16:16 __db.002
-rw-rw----. 1 ldap ldap 1884160 Oct 16 16:16 __db.003
-rw-rw-r--. 1 ldap ldap 845 Oct 16 15:14 DB_CONFIG
-rw-rw----. 1 ldap ldap 8192 Oct 16 15:27 dn2id.bdb
-rw-rw----. 1 ldap ldap 32768 Oct 16 15:27 id2entry.bdb
-rw-rw----. 1 ldap ldap 10485760 Oct 16 16:16 log.0000000001
[root@lopenldap1 ldap]# /usr/libexec/openldap/check-config.sh
Now the check succeeds. Note that the chown above was run recursively on /var/lib/ rather than on /var/lib/ldap/ alone, which changes the ownership of every other service's state directory as well; restrict it to /var/lib/ldap.
===== Check slapd starting options =====
Test the start options from the /etc/sysconfig/slapd file:
Ex: \\
/usr/sbin/slapd -u ldap -h "ldapi:/// ldap:///" -4 -d 2
===== Trace the slapd process =====
strace -f /etc/rc.d/init.d/slapd start >& /tmp/slapd.trace
===== Error in config file =====
During config file generation, my file /etc/openldap/slapd.d/cn=config/olcDatabase={1}bdb.ldif has a bad format:
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 1580b7b9
dn: olcDatabase={1}bdb
objectClass: olcDatabaseConfig
objectClass: olcBdbConfig
olcDatabase: {1}bdb
olcSuffix: dc=mydomain,dc=org
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=externa
l,cn=auth" manage
olcAccess: {1}to attrs=userPassword by self write by * auth
olcAccess: {2}to dn.base="dc=mydomain,dc=org" by * search by * none
olcAddContentAcl: FALSE
But after editing the file by hand I get a checksum error: the generated file carries a CRC32 header (see line 2 above) that no longer matches, which is why it says to use ldapmodify instead of editing it.
http://www.flagword.net/2013/02/openldap-with-tls-ppolicy-and-master-master-replication-on-rhel6-3/comment-page-1/
http://www.vincentliefooghe.net/content/open-ldap-setup
http://itdavid.blogspot.lu/2012/05/howto-centos-6.html