[SOLVED] LDAP Server? How to configure?

Issues related to applications and software problems
dperv27
Posts: 3
Joined: 2011/07/26 21:39:31
Location: Preston, Ct

[SOLVED] LDAP Server? How to configure?

Post by dperv27 » 2011/07/26 21:50:12

I would like to set up a LDAP Server under CENTOS 6. I did it under CENTOS 5, but the directions aren't the same. I have searched the web and all the directions refer to either RHEL 5 or CENTOS 5. Could someone please help with documentation?? Thanks

Doug

scottro
Forum Moderator
Posts: 2556
Joined: 2007/09/03 21:18:09
Location: NYC

Re: LDAP Server? How to configure?

Post by scottro » 2011/07/26 23:47:35

What I have on my page at http://home.roadrunner.com/~computertaijutsu/ldap.html should be working for RHEL6.

They've made some changes at times, usually moderately easy to figure out, but they do seem to break it or change it and not bother to document it--not that LDAP is well-documented anyway, in my extremely unhumble opinion.

They did, for example, break ldap.conf into pam_ldap.conf and nss_ldap.conf or something like that--not sure if it made it into RHEL6, but generally, these undocumented, rather useless changes that add little and break much, do get in there.

(Nah, I'm not cynical, not me.)

r_hartman
Posts: 711
Joined: 2009/03/23 15:08:11
Location: Netherlands

Re: LDAP Server? How to configure?

Post by r_hartman » 2011/07/27 11:24:33

I haven't set up CentOS 6 as a server yet, but here are the changes for the client side:

In CentOS6, /etc/ldap.conf has been renamed to /etc/pam_ldap.conf, and there's a new file, almost, but not quite identical, /etc/nslcd.conf.

I still have /etc/openldap/ldap.conf, and made /etc/pam_ldap.conf a symbolic link to that file, which in turn is identical to /etc/ldap.conf -> /etc/openldap/ldap.conf on my CentOS5.6 LDAP server.

Much of the config can stay the same as on CentOS5.6; here are my files (anonymized):

/etc/pam_ldap.conf -> /etc/openldap/ldap.conf:
[code]base o=myOrganization
uri ldaps://ldapserver1/ ldaps://ldapserver2/ ldaps://ldapserver3/
tls_reqcert allow

timelimit 120
idle_timelimit 3600
bind_timelimit 120
bind_policy soft

nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman
ssl on

nss_base_passwd ou=People,o=myOrganization?one
nss_base_shadow ou=People,o=myOrganization?one
nss_base_group ou=Group,o=myOrganization?one

pam_check_host_attr yes
pam_password md5[/code]

/etc/nslcd.conf:
[code]uid nslcd
gid ldap

base o=myOrganization
uri ldaps://ldapserver1/ ldaps://ldapserver2/ ldaps://ldapserver3/
tls_reqcert allow

timelimit 120
idle_timelimit 3600
bind_timelimit 120

ssl on
[/code]

That should at least save you from having to puzzle out two sides simultaneously.

Beware that RHEL6.1 has a [url=https://bugzilla.redhat.com/show_bug.cgi?id=713525]bug[/url] in current openldap which causes LDAP binds to fail in case you specify a tls_cacertdir directive pointing to an empty directory. This is likely not yet an issue in CentOS6.0, since it wasn't in RHEL6.0.
That's why those directives are missing from my files.

dperv27
Posts: 3
Joined: 2011/07/26 21:39:31
Location: Preston, Ct

Re: LDAP Server? How to configure?

Post by dperv27 » 2011/07/27 23:09:21

All,

Thanks for the help, but I am having problems getting the procedures to work with CENTOS6 (and RHEL6). When "Creating the Database", the openldap package(s) did not install the migration tools/directory. I did a search of my entire system and 'openldap' is only mentioned in three places. I searched for 'migra' and it isn't mentioned anywhere on the system. I did an rpm -ql openldap-server and migration tools aren't installed with openldap-server-2.4.19-15.el6.x86_64.rpm

Could this be a bug in CENTOS6 with OPENLDAP?? I am running CENTOS in a private VM network. I will build another VM with public/internet access and let CENTOS download/install updated packages to see if there is any difference. More to follow on that, but I just wanted to let the forum know that I was having issues with the current help.

Thanks,
Doug

scottro
Forum Moderator
Posts: 2556
Joined: 2007/09/03 21:18:09
Location: NYC

Re: LDAP Server? How to configure?

Post by scottro » 2011/07/28 02:07:04

Looks like you're right. There is a package called migrationtools, which will provide the migration scripts. I have no idea why it is no longer included--maybe they feel you'll use their pretty GUI tools for your ldap, or perhaps it's to push their directory server, or just an oversight by someone.

r_hartman
Posts: 711
Joined: 2009/03/23 15:08:11
Location: Netherlands

Re: LDAP Server? How to configure?

Post by r_hartman » 2011/07/28 11:12:18

You shouldn't need migrationtools when moving an existing CentOS5 LDAP to CentOS6:
[code]# yum info migrationtools
Loaded plugins: rhnplugin
Available Packages
Name : migrationtools
Arch : noarch
Version : 47
Release : 7.el6
Size : 24 k
Repo : base
Summary : Migration scripts for LDAP
URL : http://www.padl.com/OSS/MigrationTools.html
License : BSD
Description : The MigrationTools are a set of Perl scripts for migrating users, groups,
: aliases, hosts, netgroups, networks, protocols, RPCs, and services from
: existing nameservices (flat files, NIS, and NetInfo) to LDAP.[/code]

I just installed slapd on RHEL6.1, and it basically involved installing the ldap-servers and ldap-clients packages, and copying my CentOS5.6 /etc/openldap/slapd.conf to the new server. I also edited /etc/sysconfig/ldap to disable ldap:// and enable ldaps://

RHEL6.1 LDAP appears to be more critical on the server reference than the RHEL5.6 version: where I could use ldaps://localhost on RHEL5, I have to use the proper servername on RHEL6. This name needs to match the CN in the LDAP certificate. If not, 'ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)' errors will occur.

What was puzzling initially was that openldap 2.4 apparently abandoned slapd.conf, as none was installed when installing ldap-servers. Instead, it uses the cn=config approach in /etc/openldap/slapd.d, which supposedly is the way of the future. However, this is still greatly undocumented, and the openldap.org website's quick install still mentions configuring slapd.conf.

As none of my slapd.conf parameters were acknowledged by the server, in the end I renamed /etc/openldap/slapd.d to /etc/openldap/slapd.d.org, restarted slapd and all magically came to life.

So, recapping:
[code]# yum install ldap-servers ldap-clients

generate a certificate (here: 5 years valid); locations must match slapd.conf directives
# openssl req -new -x509 -nodes -out /etc/pki/tls/certs/slapdcert.pem -keyout /etc/pki/tls/private/slapdkey.pem -days 1826
# chown root:ldap /etc/pki/tls/certs/slapdcert.pem /etc/pki/tls/private/slapdkey.pem
# chmod 644 /etc/pki/tls/certs/slapdcert.pem
# chmod 640 /etc/pki/tls/private/slapdkey.pem

copy slapd.conf from the old to the new server
# scp -p rhel5server:/etc/openldap/slapd.conf /etc/openldap

edit /etc/sysconfig/ldap if you want to change settings
# vi /etc/sysconfig/ldap

adapt slapd.conf to the new servername and possibly cert and key locations
# vi /etc/openldap/slapd.conf

Disable the whole cn=config mess
# mv /etc/openldap/slapd.d /etc/openldap/slapd.d.org

start the server
# service slapd start[/code]

You can then query the server:
[code]# ldapsearch -x -H ldaps://<server-CN> -b '' -s base '(objectclass=*)' namingContexts[/code]

Once this is successful, you can start populating the server using ldapadd.
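As an added example (my own code, not anything posted in this thread or shipped by CentOS or OpenLDAP), the following Python script pulls together the checks a defender would want to run against the client files from the earlier post and the server recipe in this one: it parses a pam_ldap.conf/nslcd.conf-style file, flags plain ldap:// URIs, a tls_reqcert value under which the server certificate is not enforced, a uri host that does not match the certificate CN (the RHEL6 bind failure described above), and a tls_cacertdir pointing at an empty or missing directory (the RHEL6.1 bug linked above); it then writes the hardened form of the same file and checks the private-key ownership and mode the recipe sets. SAMPLE_CONF and SAMPLE_CERT_CN are constructed inputs, and the function names (parse_conf, lint, harden, check_slapd_key) are my own; the CN map stands in for reading the server certificates.

```python
import os
from urllib.parse import urlsplit

# Constructed sample in the style of the anonymized nslcd.conf above. It is
# not the poster's file: one URI is plain ldap://, one points at localhost,
# and a tls_cacertdir line (which the poster deliberately left out) is present.
SAMPLE_CONF = """\
uid nslcd
gid ldap
base o=myOrganization
uri ldaps://ldapserver1/ ldap://ldapserver2/ ldaps://localhost/
tls_reqcert allow
tls_cacertdir /etc/openldap/cacerts
timelimit 120
ssl on
"""

# Constructed: the CN in each server's certificate, keyed by the host name the
# client uses. The third server's certificate says ldapserver3, so reaching it
# as "localhost" is exactly the RHEL6 mismatch described in the post.
SAMPLE_CERT_CN = {"ldapserver1": "ldapserver1",
                  "ldapserver2": "ldapserver2",
                  "localhost": "ldapserver3"}

# tls_reqcert values under which a missing or unverifiable server certificate
# does not abort the session.
WEAK_REQCERT = {"never", "allow", "try"}


def parse_conf(text):
    """Parse 'key value' lines into a dict; blank lines and '#' comments are
    skipped, and a repeated key keeps its last value."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf[key.lower()] = value.strip()
    return conf


def uri_hosts(conf):
    """Split the space-separated uri directive into (scheme, host) pairs."""
    parts = [urlsplit(u) for u in conf.get("uri", "").split()]
    return [(p.scheme, p.hostname or "") for p in parts]


def lint(conf, cert_cn, listdir=os.listdir):
    """Return a list of findings for a parsed client config. cert_cn maps each
    uri host to its certificate CN; listdir is injectable so the tls_cacertdir
    check can be exercised without touching the real filesystem."""
    findings = []
    for scheme, host in uri_hosts(conf):
        if scheme != "ldaps":
            findings.append(f"{scheme}://{host}: not ldaps, the bind crosses the network unprotected")
        cn = cert_cn.get(host)
        if cn != host:
            findings.append(f"{host}: uri host does not match certificate CN {cn!r}, "
                            "RHEL6 reports ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)")
    reqcert = conf.get("tls_reqcert")
    if reqcert in WEAK_REQCERT:
        findings.append(f"tls_reqcert {reqcert}: server certificate is not enforced, "
                        "so an impersonating server would be accepted")
    cacertdir = conf.get("tls_cacertdir")
    if cacertdir is not None:
        try:
            entries = listdir(cacertdir)
        except OSError:
            entries = None
        if not entries:
            findings.append(f"tls_cacertdir {cacertdir}: missing or empty, RHEL6.1 openldap "
                            "fails every bind in that case (bz 713525)")
    return findings


def harden(text):
    """Rewrite the weak settings: ldap:// becomes ldaps:// and tls_reqcert becomes
    demand. The CA certificate must then actually be in tls_cacertdir, otherwise
    demand (correctly) refuses the server."""
    out = []
    for raw in text.splitlines():
        key, _, value = raw.strip().partition(" ")
        if key == "uri":
            uris = ["ldaps://" + u[len("ldap://"):] if u.startswith("ldap://") else u
                    for u in value.split()]
            out.append("uri " + " ".join(uris))
        elif key == "tls_reqcert":
            out.append("tls_reqcert demand")
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


def check_slapd_key(mode, owner, group):
    """Check the private-key ownership and mode the recipe above sets (root:ldap,
    0640): any permission bit beyond rw-r----- is a finding."""
    findings = []
    if (owner, group) != ("root", "ldap"):
        findings.append(f"key owned by {owner}:{group}, expected root:ldap")
    if mode & 0o137:
        findings.append(f"key mode {mode & 0o777:04o} grants more than rw-r-----")
    return findings


if __name__ == "__main__":
    before = lint(parse_conf(SAMPLE_CONF), SAMPLE_CERT_CN, listdir=lambda _p: [])
    after = lint(parse_conf(harden(SAMPLE_CONF)), SAMPLE_CERT_CN, listdir=lambda _p: ["ca.pem"])
    print("before:", *before, sep="\n  ")
    print("after:", *after, sep="\n  ")
```

Run stand-alone it prints four findings for the constructed file and one for the hardened version: the localhost/CN mismatch survives because no config edit fixes it; the uri must name the host the certificate was issued for, which is the point r_hartman makes above.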

scottro
Forum Moderator
Posts: 2556
Joined: 2007/09/03 21:18:09
Location: NYC

Re: LDAP Server? How to configure?

Post by scottro » 2011/07/28 12:20:27

I'm going to have to link to this thread on my page. Thanks for your efforts.


As the ldap for rocket scientists' page says, nothing, save perhaps bind, is so badly documented.

dperv27
Posts: 3
Joined: 2011/07/26 21:39:31
Location: Preston, Ct

Re: LDAP Server? How to configure?

Post by dperv27 » 2011/07/28 12:35:10

I too got LDAP working on CENTOS6 late last night (can't remember all the steps I did). I had to delete the slapd.d directory so the service would use the slapd.conf. Once I installed the migration tools and located the DB_CONFIG.example, I was good to go.. I used my CENTOS5.6 directions to complete the setup. I think I am still authenticating passwords with MD5. I would like to use TLS in the near future.

I'm going to do it again and document my steps a little bit better.

My goal with this server is to set up a training server to support studying for RHCSA and RHCE exams.

Thanks for all the help with this topic!!

Doug

scottro
Forum Moderator
Posts: 2556
Joined: 2007/09/03 21:18:09
Location: NYC

Re: LDAP Server? How to configure?

Post by scottro » 2011/07/28 13:38:28

Actually, I think I remember someone on Fedora Forums also having to delete the slapd.d directory (and I think I mention that on my own page).

Glad you got it working. I really don't know why RH (and others) keep making these changes. Assuming the developers aren't of the attitude, Mwahahahaha, let's see if we can mess everyone up, it seems that they would, at least, be sure they were well documented.

pschaff
Retired Moderator
Posts: 18276
Joined: 2006/12/13 20:15:34
Location: Tidewater, Virginia, North America

[SOLVED] LDAP Server? How to configure?

Post by pschaff » 2011/07/30 18:07:09

Thanks for reporting back. Marking this thread [SOLVED] for posterity.
