[SOLVED] LDAP Server? How to configure?

[SOLVED] LDAP Server? How to configure?

Postby dperv27 » 2011/07/26 21:50:12

I would like to set up an LDAP server under CENTOS 6. I did it under CENTOS 5, but the directions aren't the same. I have searched the web and all the directions refer to either RHEL 5 or CENTOS 5. Could someone please help with documentation? Thanks

Doug
dperv27
 
Posts: 3
Joined: 2011/07/26 21:39:31
Location: Preston, Ct

Re: LDAP Server? How to configure?

Postby scottro » 2011/07/26 23:47:35

What I have on my page at http://home.roadrunner.com/~computertaijutsu/ldap.html should be working for RHEL6.

They've made some changes at times, usually moderately easy to figure out, but they do seem to break it or change it and not bother to document it--not that LDAP is well-documented anyway, in my extremely unhumble opinion.

They did, for example, break ldap.conf into pam_ldap.conf and nss_ldap.conf or something like that--not sure if it made it into RHEL6, but generally, these undocumented, rather useless changes that add little and break much, do get in there.

(Nah, I'm not cynical, not me.)
scottro
Forum Moderator
 
Posts: 1715
Joined: 2007/09/03 21:18:09
Location: NYC

Re: LDAP Server? How to configure?

Postby r_hartman » 2011/07/27 11:24:33

I haven't setup CentOS 6 as a server yet, but here are the changes for the client side:

In CentOS6, /etc/ldap.conf has been renamed to /etc/pam_ldap.conf, and there's a new file, almost, but not quite identical, /etc/nslcd.conf.

I still have /etc/openldap/ldap.conf, and made /etc/pam_ldap.conf a symbolic link to that file, which in turn is identical to /etc/ldap.conf -> /etc/openldap/ldap.conf on my CentOS5.6 LDAP server.

Much of the config can stay the same as on CentOS5.6; here are my files (anonymized):

/etc/pam_ldap.conf -> /etc/openldap/ldap.conf:
Code:
base                            o=myOrganization
uri                             ldaps://ldapserver1/ ldaps://ldapserver2/ ldaps://ldapserver3/
tls_reqcert                     allow

timelimit                       120
idle_timelimit                  3600
bind_timelimit                  120
bind_policy                     soft

nss_initgroups_ignoreusers      root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman
ssl                             on

nss_base_passwd                 ou=People,o=myOrganization?one
nss_base_shadow                 ou=People,o=myOrganization?one
nss_base_group                  ou=Group,o=myOrganization?one

pam_check_host_attr             yes
pam_password                    md5


/etc/nslcd.conf:
Code:
uid nslcd
gid ldap

base                            o=myOrganization
uri                             ldaps://ldapserver1/ ldaps://ldapserver2/ ldaps://ldapserver3/
tls_reqcert                     allow

timelimit                       120
idle_timelimit                  3600
bind_timelimit                  120

ssl                             on


That should at least save you from having to puzzle out two sides simultaneously.

Beware that RHEL6.1 has a bug in current openldap which causes LDAP binds to fail in case you specify a tls_cacertdir directive pointing to an empty directory. This is likely not yet an issue in CentOS6.0, since it wasn't in RHEL6.0.
That's why those directives are missing from my files.
r_hartman
 
Posts: 701
Joined: 2009/03/23 15:08:11
Location: Netherlands
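An added check, not part of r_hartman's post: the client files above keep `tls_reqcert allow`, which tells the client to proceed even when the server presents a bad certificate or none at all, so the ldaps:// URIs give encryption but no server authentication. The script below is example code written for this page, not the poster's or the OpenLDAP project's; it lints an nslcd.conf/pam_ldap.conf-style file for that setting and two related ones (plaintext ldap:// URIs without start_tls, and no CA to verify against). The two sample files it writes are constructed for the example, and the CA path /etc/openldap/cacerts/ca.pem is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): lint an nslcd.conf / pam_ldap.conf-style
# client file for the settings that let it talk to an unverified or plaintext
# LDAP server. Findings are printed one per line and the function returns the
# number of findings, so 0 means the file passed.
#   tls_reqcert never/allow/try, or unset  -> server certificate not enforced
#   ldap:// URI without 'ssl start_tls'    -> binds and lookups in the clear
#   no tls_cacertfile / tls_cacertdir      -> nothing to verify the server against

lint_ldap_client_conf() {
    f="$1"
    n=0
    # Normalise: drop comments and blank lines, squeeze whitespace, and
    # lower-case the keyword column so TLS_REQCERT and tls_reqcert match alike.
    conf=$(sed -e 's/#.*//' -e 's/[[:space:]][[:space:]]*/ /g' -e 's/^ //' -e 's/ $//' "$f" \
           | awk 'NF { $1 = tolower($1); print }')

    # The last occurrence of a directive is the one this check evaluates.
    reqcert=$(printf '%s\n' "$conf" | awk '$1 == "tls_reqcert" { v = tolower($2) } END { print v }')
    case "$reqcert" in
        demand|hard) ;;
        "") echo "$f: tls_reqcert is unset; add 'tls_reqcert demand'"; n=$((n + 1)) ;;
        *)  echo "$f: tls_reqcert $reqcert accepts a bad or missing server certificate; use 'tls_reqcert demand'"
            n=$((n + 1)) ;;
    esac

    ssl=$(printf '%s\n' "$conf" | awk '$1 == "ssl" { v = tolower($2) } END { print v }')
    plain=$(printf '%s\n' "$conf" \
            | awk '$1 == "uri" { for (i = 2; i <= NF; i++) if ($i ~ "^ldap://") c++ } END { print c + 0 }')
    if [ "$plain" -gt 0 ] && [ "$ssl" != "start_tls" ]; then
        echo "$f: $plain plaintext ldap:// URI(s) with ssl '${ssl:-unset}'; use ldaps:// or 'ssl start_tls'"
        n=$((n + 1))
    fi

    ca=$(printf '%s\n' "$conf" | awk '$1 == "tls_cacertfile" || $1 == "tls_cacertdir" { c++ } END { print c + 0 }')
    if [ "$ca" -eq 0 ]; then
        echo "$f: no tls_cacertfile or tls_cacertdir, so no CA to verify the server against (prefer tls_cacertfile)"
        n=$((n + 1))
    fi
    return "$n"
}

# Constructed sample inputs (not the poster's real files). The first mirrors the
# client config shown in the thread, with one ldap:// URI added to exercise that
# check; the second is the hardened form of the same file. The CA path is assumed.
SAMPLE_DIR=$(mktemp -d)
WEAK_CONF="$SAMPLE_DIR/nslcd-weak.conf"
HARDENED_CONF="$SAMPLE_DIR/nslcd-hardened.conf"
cat > "$WEAK_CONF" <<'EOF'
uid nslcd
gid ldap
base            o=myOrganization
uri             ldap://ldapserver1/ ldaps://ldapserver2/ ldaps://ldapserver3/
# 'allow' proceeds even when the server presents a bad certificate, or none
tls_reqcert     allow
ssl             on
EOF
cat > "$HARDENED_CONF" <<'EOF'
uid nslcd
gid ldap
base            o=myOrganization
uri             ldaps://ldapserver1/ ldaps://ldapserver2/ ldaps://ldapserver3/
ssl             on
# 'demand' refuses servers whose certificate does not chain to the CA below
tls_reqcert     demand
tls_cacertfile  /etc/openldap/cacerts/ca.pem
EOF

# Lint both: the weak file yields 3 findings, the hardened one none.
lint_ldap_client_conf "$HARDENED_CONF" && echo "$HARDENED_CONF: ok"
lint_ldap_client_conf "$WEAK_CONF" || echo "$WEAK_CONF: $? finding(s)"
```

The linter recommends a single tls_cacertfile rather than tls_cacertdir because the RHEL6.1 bug described in the post above is triggered by a tls_cacertdir that points at an empty directory; one file holding the CA certificate avoids that case entirely.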

Re: LDAP Server? How to configure?

Postby dperv27 » 2011/07/27 23:09:21

All,

Thanks for the help, but I am having problems getting the procedures to work with CENTOS6 (and RHEL6). When "Creating the Database", the openldap package(s) did not install the migration tools/directory. I did a search of my entire system and 'openldap' is only mentioned in three places. I searched for 'migra' and it isn't mentioned anywhere on the system. I did a rpm -ql openldap-server and migration tools aren't installed with openldap-server-2.4.19-15.el6.x86_64.rpm

Could this be a bug in CENTOS6 with OPENLDAP?? I am running CENTOS in a private VM network. I will build another VM with public/internet access and let CENTOS download/install updated packages to see if there is any difference. More to follow on that, but I just wanted to let the forum know that I was having issues with the current help.

Thanks,
Doug
dperv27
 
Posts: 3
Joined: 2011/07/26 21:39:31
Location: Preston, Ct

Re: LDAP Server? How to configure?

Postby scottro » 2011/07/28 02:07:04

Looks like you're right. There is a package called migrationtools, which will provide the migration scripts. I have no idea why it is no longer included--maybe they feel you'll use their pretty GUI tools for your ldap, or perhaps it's to push their directory server, or just an oversight by someone.
scottro
Forum Moderator
 
Posts: 1715
Joined: 2007/09/03 21:18:09
Location: NYC

Re: LDAP Server? How to configure?

Postby r_hartman » 2011/07/28 11:12:18

You shouldn't need migrationtools when moving an existing CentOS5 LDAP to CentOS6:
Code:
# yum info migrationtools
Loaded plugins: rhnplugin
Available Packages
Name        : migrationtools
Arch        : noarch
Version     : 47
Release     : 7.el6
Size        : 24 k
Repo        : base
Summary     : Migration scripts for LDAP
URL         : http://www.padl.com/OSS/MigrationTools.html
License     : BSD
Description : The MigrationTools are a set of Perl scripts for migrating users, groups,
            : aliases, hosts, netgroups, networks, protocols, RPCs, and services from
            : existing nameservices (flat files, NIS, and NetInfo) to LDAP.


I just installed slapd on RHEL6.1, and it basically involved installing the ldap-servers and ldap-clients packages, and copying my CentOS5.6 /etc/openldap/slapd.conf to the new server. I also edited /etc/sysconfig/ldap to disable ldap:// and enable ldaps://

RHEL6.1 LDAP appears to be more critical on the server reference than the RHEL5.6 version: where I could use ldaps://localhost on RHEL5, I have to use the proper servername on RHEL6. This name needs to match the CN in the LDAP certificate. If not, 'ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)' errors will occur.

What was puzzling initially was that openldap 2.4 apparently abandoned slapd.conf, as none was installed when installing ldap-servers. Instead, it uses the cn=config approach in /etc/openldap/slapd.d, which supposedly is the way of the future. However, this is still greatly undocumented, and the openldap.org website's quick install still mentions configuring slapd.conf.

As none of my slapd.conf parameters were acknowledged by the server, in the end I renamed /etc/openldap/slapd.d to /etc/openldap/slapd.d.org, restarted slapd and all magically came to life.

So, recapping:
Code:
install the server and client packages (the el6 package names are openldap-servers and openldap-clients)
# yum install openldap-servers openldap-clients

generate a certificate (here: 5 years valid); locations must match slapd.conf directives
# openssl req -new -x509 -nodes -out /etc/pki/tls/certs/slapdcert.pem -keyout /etc/pki/tls/private/slapdkey.pem -days 1826
# chown root:ldap /etc/pki/tls/certs/slapdcert.pem /etc/pki/tls/private/slapdkey.pem
# chmod 644 /etc/pki/tls/certs/slapdcert.pem
# chmod 640 /etc/pki/tls/private/slapdkey.pem

copy slapd.conf from the old to the new server
# scp -p rhel5server:/etc/openldap/slapd.conf /etc/openldap

edit /etc/sysconfig/ldap if you want to change settings
# vi /etc/sysconfig/ldap

adapt slapd.conf to the new servername and possibly cert and key locations
# vi /etc/openldap/slapd.conf

Disable the whole cn=config mess (move the directory aside under /etc/openldap)
# mv /etc/openldap/slapd.d /etc/openldap/slapd.d.org

start the server
# service slapd start


You can then query the server:
Code:
# ldapsearch -x -H ldaps://<server-CN> -b '' -s base '(objectclass=*)' namingContexts


Once this is successful, you can start populating the server using ldapadd.
r_hartman
 
Posts: 701
Joined: 2009/03/23 15:08:11
Location: Netherlands
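An added worked example of the certificate step in the recipe above; this is code written for this page, not r_hartman's or the OpenLDAP project's. It generates the self-signed slapd certificate, then checks the two things the post says bite on RHEL6: the host in the client URI has to be a name the certificate carries (its CN, or a subjectAltName DNS entry, the check accepts both), otherwise ldaps:// binds fail with the "Can't contact LDAP server (-1)" error quoted above, and the private key must not be world-readable. The hostname ldap1.example.org, the temporary paths, and the use of `openssl -subj` to skip the interactive prompt are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): create the self-signed slapd certificate
# the recipe above calls for, then check the two things the thread says make a
# new ldaps:// server fail or leak: the host in the client URI must be a name
# the certificate carries (its CN, or a subjectAltName DNS entry), and the
# private key must not be world-readable. Hostname, paths and the use of
# openssl -subj to avoid the interactive prompt are this example's assumptions.

# make_slapd_cert DIR HOST: writes DIR/slapdcert.pem and DIR/slapdkey.pem,
# 5 years valid, CN=HOST; cert world-readable, key owner/group only.
make_slapd_cert() {
    dir="$1"; host="$2"
    openssl req -new -x509 -nodes -days 1826 -subj "/CN=$host" \
        -out "$dir/slapdcert.pem" -keyout "$dir/slapdkey.pem" 2>/dev/null
    chmod 644 "$dir/slapdcert.pem"
    chmod 640 "$dir/slapdkey.pem"
}

# cert_cn CERT: the CN from the subject (handles both the 'subject= /CN=x'
# and the 'subject=CN = x' output formats of openssl)
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# cert_names CERT: CN plus any DNS: entries from subjectAltName, one per line
cert_names() {
    cert_cn "$1"
    openssl x509 -in "$1" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' | tr ',' '\n' \
        | sed -n 's/^ *DNS:\(.*\)$/\1/p'
}

# uri_host URI: the host part of ldap[s]://host[:port]/...
uri_host() {
    printf '%s\n' "$1" | sed -n 's|^ldaps\{0,1\}://\([^:/]*\).*|\1|p'
}

# check_uri_matches_cert URI CERT: succeeds only if the URI host is one of the
# certificate's names; a mismatch is what produces the bind error quoted above.
check_uri_matches_cert() {
    host=$(uri_host "$1")
    [ -n "$host" ] || return 1
    cert_names "$2" | grep -qx -- "$host"
}

# check_key_perms KEY: succeeds unless the key is readable by 'other'
check_key_perms() {
    mode=$(stat -c '%a' "$1")
    [ $((mode % 10 & 4)) -eq 0 ]
}

# Constructed demo: a throw-away certificate for an assumed hostname, checked
# against a matching URI and against ldaps://localhost, which the thread says
# stopped working on RHEL6 because it does not match the CN.
if command -v openssl >/dev/null 2>&1; then
    DEMO_DIR=$(mktemp -d)
    DEMO_HOST=ldap1.example.org
    DEMO_CERT="$DEMO_DIR/slapdcert.pem"
    DEMO_KEY="$DEMO_DIR/slapdkey.pem"
    make_slapd_cert "$DEMO_DIR" "$DEMO_HOST"

    if check_uri_matches_cert "ldaps://$DEMO_HOST/" "$DEMO_CERT"; then
        echo "ok: ldaps://$DEMO_HOST/ matches CN $(cert_cn "$DEMO_CERT")"
    fi
    if ! check_uri_matches_cert "ldaps://localhost/" "$DEMO_CERT"; then
        echo "mismatch: ldaps://localhost/ is not a name in the cert; use ldaps://$(cert_cn "$DEMO_CERT")/"
    fi
    check_key_perms "$DEMO_KEY" && echo "ok: $DEMO_KEY is not world-readable"
fi
```

Against a running server the same pair of facts can be confirmed from a client with `LDAPTLS_CACERT=/path/to/slapdcert.pem LDAPTLS_REQCERT=demand ldapsearch -x -H ldaps://<server-CN> -b '' -s base namingContexts`, which only succeeds when the name and the certificate agree. If you would rather keep cn=config than move slapd.d aside, `slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d` converts the slapd.conf you copied over into that directory.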

Re: LDAP Server? How to configure?

Postby scottro » 2011/07/28 12:20:27

I'm going to have to link to this thread on my page. Thanks for your efforts.


As the ldap for rocket scientists' page says, nothing, save perhaps bind, is so badly documented.
scottro
Forum Moderator
 
Posts: 1715
Joined: 2007/09/03 21:18:09
Location: NYC

Re: LDAP Server? How to configure?

Postby dperv27 » 2011/07/28 12:35:10

I too got LDAP working on CENTOS6 late last night (can't remember all the steps I did). I had to delete the slapd.d directory so the service would use the slapd.conf. Once I installed the migration tools and located the DB_CONFIG.example, I was good to go. I used my CENTOS5.6 directions to complete the setup. I think I am still authenticating passwords with MD5. I would like to use TLS in the near future.

I'm going to do it again and document my steps a little bit better.

My goal with this server is to setup a training server to support studying for RHCSA and RHCE exams.

Thanks for all the help with this topic!!

Doug
dperv27
 
Posts: 3
Joined: 2011/07/26 21:39:31
Location: Preston, Ct

Re: LDAP Server? How to configure?

Postby scottro » 2011/07/28 13:38:28

Actually, I think I remember someone on Fedora Forums also having to delete the slapd.d directory, (and I think I mention that on my own page.)

Glad you got it working. I really don't know why RH (and others) keep making these changes. Assuming the developers aren't of the attitude, Mwahahahaha, let's see if we can mess everyone up, it seems that they would, at least, be sure they were well documented.
scottro
Forum Moderator
 
Posts: 1715
Joined: 2007/09/03 21:18:09
Location: NYC

[SOLVED] LDAP Server? How to configure?

Postby pschaff » 2011/07/30 18:07:09

Thanks for reporting back. Marking this thread [SOLVED] for posterity.
pschaff
Retired Moderator
 
Posts: 18277
Joined: 2006/12/13 20:15:34
Location: Tidewater, Virginia, North America
