Thursday, 9 April 2009

Set up and configure openLDAP server on CENTOS

LDAP installation, configuration and replication

Installation:
yum install openldap-servers

Configuration
vi /etc/openldap/slapd.conf

suffix "dc=example,dc=com"
rootdn "cn=root,dc=example,dc=com"

Change password for LDAP root:
slappasswd
copy the resulting string into /etc/openldap/slapd.conf as the rootpw value:
rootpw {SSHA}1w+/HjiQKwkU5OCawEH08FFmEtnIoAWJ

Important
Only the root user can use /usr/sbin/slapadd. However, the directory server runs as the ldap user. Therefore, the directory server is unable to modify any files created by slapadd. To correct this issue, after using slapadd, type the following command:
chown -R ldap /var/lib/ldap

Start LDAP server
/etc/init.d/ldap start

Add initial entries to directory
Create a new file:
vi /root/manager.ldif
insert the following lines:
dn: dc=example,dc=com
objectclass: dcObject
objectclass: organization
o: Example Company
dc: example

dn: cn=root,dc=example,dc=com
objectclass: organizationalRole
cn: root


Add the initial records with the following command:

ldapadd -f /root/manager.ldif -xv -D "cn=root,dc=example,dc=com" -h localhost -W
ldap_initialize( ldap://localhost )
Enter LDAP Password:
add objectclass:
dcObject
organization
add o:
Example Company
add dc:
example
adding new entry "dc=example,dc=com"
modify complete

add objectclass:
organizationalRole
add cn:
root
adding new entry "cn=root,dc=example,dc=com"
modify complete

Test that the LDAP server is working

ldapsearch -x -b 'dc=example,dc=com' '(objectclass=*)'

Limits

The default sizelimit is 500 entries and the default timelimit is 3600 seconds. To change the defaults, use the following directives in slapd.conf:

sizelimit {<integer>|unlimited}
timelimit {<integer>|unlimited}

timelimit is the maximum number of seconds (in real time) slapd will spend answering a search request.


LDAP replication

Master SLAPD.conf
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
database bdb
#======= For master to allow replication
overlay syncprov
syncprov-checkpoint 100 10
suffix "dc=example,dc=com"
rootdn "cn=root,dc=example,dc=com"
rootpw secret
directory /var/lib/ldap

# Access lists
access to *
  by self write
  by users read
  by anonymous auth

# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
loglevel acl sync
logfile /var/log/ldap/ldap.log
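To see what the access list in the master slapd.conf above actually grants, here is a small model of slapd's ACL evaluation (added example, not part of the original post or of OpenLDAP): first matching "by" clause wins, rootdn bypasses the list, and the uid=alice / uid=bob entries are constructed for the demonstration.

```python
# Added example (not from the post): a small model of how slapd evaluates the
# access list in the master slapd.conf above, so the effect of clause order
# and of 'by anonymous auth' can be checked without a running server.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
ROOTDN = "cn=root,dc=example,dc=com"   # rootdn from the config; it bypasses ACLs

# 'access to * by self write by users read by anonymous auth', as (who, level)
# clauses in the order slapd tries them: the first clause that matches wins.
ACCESS_TO_ALL = [("self", "write"), ("users", "read"), ("anonymous", "auth")]

def who_matches(selector, bind_dn, target_dn):
    """Does the 'by <who>' selector apply to this requester? (None = anonymous)"""
    if selector == "*":
        return True
    if selector == "anonymous":
        return bind_dn is None
    if selector == "users":
        return bind_dn is not None
    if selector == "self":
        return bind_dn is not None and bind_dn.lower() == target_dn.lower()
    raise ValueError(f"unsupported selector {selector!r}")

def granted_level(acl, bind_dn, target_dn):
    """Level the requester gets on target_dn: first matching clause, else none."""
    if bind_dn is not None and bind_dn.lower() == ROOTDN:
        return "manage"                      # rootdn is exempt from access control
    for selector, level in acl:
        if who_matches(selector, bind_dn, target_dn):
            return level
    return "none"

def allowed(acl, bind_dn, target_dn, needed):
    """True if the granted level is at least what the operation needs."""
    return LEVELS.index(granted_level(acl, bind_dn, target_dn)) >= LEVELS.index(needed)

def visible_entries(acl, bind_dn, entries):
    """Entries a search by bind_dn would return (simplified: needs 'read')."""
    return [dn for dn in entries if allowed(acl, bind_dn, dn, "read")]

# Constructed directory: the two entries from manager.ldif plus two user entries.
ENTRIES = ["dc=example,dc=com", "cn=root,dc=example,dc=com",
           "uid=alice,ou=people,dc=example,dc=com", "uid=bob,ou=people,dc=example,dc=com"]
```

With this access list in place, the anonymous ldapsearch from the test step above returns no entries (anonymous gets auth only), so bind with -D and -W to check the directory. Swapping the first two clauses silently downgrades users to read access on their own entry, which the test below shows.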



More on LDAP access lists


Slave LDAP server

Extracts from the OpenLDAP Admin Guide:

The content of the syncrepl replica is defined using a search specification as its result set. The consumer slapd will send search requests to the provider slapd according to the search specification. The search specification includes searchbase, scope, filter, attrs, attrsonly, sizelimit, and timelimit parameters as in the normal search specification. The searchbase parameter has no default value and must always be specified. The scope defaults to sub, the filter defaults to (objectclass=*), attrs defaults to "*,+" to replicate all user and operational attributes, and attrsonly is unset by default. Both sizelimit and timelimit default to "unlimited", and only positive integers or "unlimited" may be specified.

The LDAP Content Synchronization protocol has two operation types:
refreshOnly and refreshAndPersist. The operation type is specified by the type parameter. In the refreshOnly operation, the next synchronization search operation is periodically rescheduled at an interval time after each synchronization operation finishes. The interval is specified by the interval parameter. It is set to one day by default. In the refreshAndPersist operation, a synchronization search remains persistent in the provider slapd instance. Further updates to the master replica will generate searchResultEntry to the consumer slapd as the search responses to the persistent synchronization search.

If an error occurs during replication, the consumer will attempt to reconnect according to the retry parameter, which is a list of <retry interval> and <# of retries> pairs. For example, retry="60 10 300 3" lets the consumer retry every 60 seconds for the first 10 times and then retry every 300 seconds for the next three times before it stops retrying. + in <# of retries> means an indefinite number of retries until success.



Slave slapd.conf example
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
database bdb
suffix "dc=example,dc=com"
rootdn "cn=root,dc=example,dc=com"
rootpw {SSHA}1w+/HjiQKwkU5OCawEH08FFmEtnIoAWJ

directory /var/lib/ldap
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub

#Logs
loglevel sync
logfile /var/log/ldap/ldap.log
# provider is the master server IP; the parameter lines must be indented
# so slapd reads them as continuation of the syncrepl directive
syncrepl rid=123
  provider=ldap://192.168.1.1:389
  type=refreshOnly
  interval=00:00:00:10
  searchbase="dc=example,dc=com"
  filter="(objectClass=*)"
  scope=sub
  attrs="*,+"
  schemachecking=off
  bindmethod=simple
  binddn="cn=root,dc=example,dc=com"
  credentials=qwerty


Please take into account that if you use any access lists on the master LDAP server, similar access lists have to be set on all slave servers!
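The rootpw step earlier and the slave slapd.conf just above both contain settings worth checking before a server goes live. Here is an added example (not from the post, not an OpenLDAP tool) that parses slapd.conf the way slapd does (leading # is a comment, an indented line continues the previous directive), expands the retry parameter described in the Admin Guide extract, and flags a cleartext rootpw, a syncrepl bind as rootdn, and a missing access list; the sample config is constructed and its retry line is an assumption.

```python
import shlex

# Constructed sample mirroring the slave config in the post; the retry line is an
# assumption added so the parser has a retry parameter to exercise.
SAMPLE_CONF = """\
database bdb
suffix "dc=example,dc=com"
rootdn "cn=root,dc=example,dc=com"
rootpw secret
syncrepl rid=123
  provider=ldap://192.168.1.1:389
  type=refreshOnly
  searchbase="dc=example,dc=com"
  bindmethod=simple
  binddn="cn=root,dc=example,dc=com"
  credentials=qwerty
  retry="60 10 300 +"
"""

def parse_slapd_conf(text):
    """(directive, [args]) pairs; '#' lines skipped, indented lines joined."""
    logical = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if line[0] in " \t" and logical:   # continuation of the previous directive
            logical[-1] += " " + line.strip()
        else:
            logical.append(line.strip())
    return [(t[0].lower(), t[1:]) for t in map(shlex.split, logical)]

def retry_schedule(spec):
    """'60 10 300 +' -> [(60, 10), (300, None)]; None means retry forever."""
    t = spec.split()
    return [(int(i), None if n == "+" else int(n)) for i, n in zip(t[::2], t[1::2])]

def audit(text):
    """Findings a reviewer would raise on this config, in the order found."""
    conf = parse_slapd_conf(text)
    findings = []
    rootdn = next((a[0].lower() for n, a in conf if n == "rootdn"), None)
    if not any(n == "access" for n, _ in conf):
        findings.append("no access directives: slapd's default lets anyone read everything")
    for name, args in conf:
        if name == "rootpw" and not args[0].startswith("{"):
            findings.append("rootpw is cleartext; paste a slappasswd hash instead")
        if name == "syncrepl":
            p = dict(a.split("=", 1) for a in args)
            if p.get("binddn", "").lower() == rootdn:
                findings.append("syncrepl binds as rootdn; use a least-privilege replication DN")
    return findings
```

The credentials parameter can only be stored in clear, so the file permissions in the header comment matter; with bindmethod=simple over plain ldap:// they also cross the network in clear, so the replication link should be ldaps:// or protected with StartTLS.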

Additional information:
Setup LDAP logging
Test LDAP with ldapsearch
LDAP logging levels

Set up and configure phpLDAPAdmin
phpLDAPAdmin is a useful tool for managing an LDAP server. To set up and configure it, see the link above.

2 comments:

cephas kamuchira said...

How do I delete a user in the LDAP database? My LDAP server is running fine, but I have a user I would like to delete and I don't know how.

Your help will be appreciated.

Andrey Ivanov said...

Hi, Cephas!

There are many ways to do this. There is the ldapdelete command line tool (a good description is here: http://www.zytrax.com/books/ldap/ch14/) and the PHPLdapAdmin web interface for LDAP administration (http://phpldapadmin.sourceforge.net/wiki/index.php/Main_Page). I prefer to use the web interface - it is simple and easy to use, but you have to install and set it up first.

Regards,
Andrey