Monday, July 26, 2010

LDAP


LDAP (Lightweight Directory Access Protocol) is a protocol for querying and modifying directory services that run over TCP/IP. LDAP uses the X.500 structural model, that is, a tree of entries, each of which consists of a set of named attributes and their stored values.

Minimum software required.


• openldap-2.2.13
• openldap-clients-2.2.13
• openldap-servers-2.2.
• authconfig-06.04.1910
• authconfig-gtk-04/06/1910 (optional)

Installing via yum.

yum -y install openldap openldap-clients openldap-servers authconfig authconfig-gtk

Installing via up2date.
up2date -i openldap openldap-clients openldap-servers authconfig authconfig-gtk

Procedures.
For organizational purposes, a dedicated directory will be created for this LDAP directory, with access permissions restricted to the ldap user and group.

mkdir /var/lib/ldap/authentication
chmod 700 /var/lib/ldap/authentication
chown ldap.ldap /var/lib/ldap/authentication

Create the password that will be assigned to the administrator user of the LDAP directory. Just run from a terminal:

slappasswd

This should output a hashed password like the one shown below:

{SSHA}XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

The output text will be used later in the file /etc/openldap/slapd.conf to define the administrator user, which is used to access the directory with full privileges.

Edit the file /etc/openldap/slapd.conf and verify that the minimum required schema files are present. It should look something like this:

#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema

Regardless of what is already configured (which will not be touched), append the following to the file /etc/openldap/slapd.conf in order to define the new directory, which will from now on be used to authenticate the entire local network:

database        bdb
suffix          "dc=codigolibre,dc=local"
rootdn          "cn=admin,dc=codigolibre,dc=local"
rootpw          {SSHA}XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
directory       /var/lib/ldap/authentication
# Indices to maintain for this database
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub

Start the LDAP service and add it to the rest of the services that start with the system:

service ldap start
chkconfig ldap on

Edit the file /usr/share/openldap/migration/migrate_common.ph and modify the values of the variables $DEFAULT_MAIL_DOMAIN and $DEFAULT_BASE so that they read as follows:

# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "codigolibre.local";

# Default base
$DEFAULT_BASE = "dc=codigolibre,dc=local";

Then you must create the base object that will in turn contain the rest of the data in the directory. Create the file base.ldif as follows:

/usr/share/openldap/migration/migrate_base.pl > base.ldif

ldapadd is used to insert the necessary data. The options used with this command are:

-x          use simple authentication
-W          prompt for the bind password
-D binddn   Distinguished Name (DN) to bind as
-h host     LDAP server to connect to
-f file     file to read the entries from

Once the above is understood, insert the generated information into the directory with the following:

ldapadd -x -W -D 'cn=admin,dc=codigolibre,dc=local' -h 127.0.0.1 -f base.ldif

Once done, you can begin to populate the directory with data. First, import the users and groups that already exist on the system. Perform the import using the migration scripts as follows:

/usr/share/openldap/migration/migrate_group.pl /etc/group group.ldif
/usr/share/openldap/migration/migrate_passwd.pl /etc/passwd passwd.ldif

This creates the files group.ldif and passwd.ldif, which contain the group and account information of the system, including the password hashes. The data can be inserted into the LDAP directory using the following:

ldapadd -x -W -D 'cn=admin,dc=codigolibre,dc=local' -h 127.0.0.1 -f group.ldif
ldapadd -x -W -D 'cn=admin,dc=codigolibre,dc=local' -h 127.0.0.1 -f passwd.ldif

Checks.
Before configuring the system to authenticate against LDAP, check that everything works correctly.

The following command lists the directories (naming contexts) available on the server 127.0.0.1.

ldapsearch -h 127.0.0.1 -x -b '' -s base '(objectclass=*)' namingContexts

This should return output similar to the following:

# Extended LDIF
#
# LDAPv3
# Base <> with scope base
# Filter: (objectclass=*)
# Requesting: namingContexts
#

#
dn:
namingContexts: dc=codigolibre,dc=local

# Search result
search: 2
result: 0 Success

# NumResponses: 2
# NumEntries: 1

The following command should return all the information in the requested directory (dc=codigolibre,dc=local):

ldapsearch -x -b 'dc=codigolibre,dc=local' '(objectclass=*)'

Another example is a search for one particular user. Assuming the system has a user named guy, you can run:

ldapsearch -x -b 'uid=guy,ou=People,dc=codigolibre,dc=local'

This should return something like the following:

# Extended LDIF
#
# LDAPv3
# Base with scope sub
# Filter: (objectclass=*)
# Requesting: ALL
#

# guy, People, codigolibre.local
dn: uid=guy,ou=People,dc=codigolibre,dc=local
uid: guy
cn: John Doe
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: xxxxxxxxxxxx
shadowLastChange: 12594
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 505
gidNumber: 505
homeDirectory: /home/guy

# Search result
search: 2
result: 0 Success 


# NumResponses: 2
# NumEntries: 1
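The passwd.ldif produced by migrate_passwd.pl above and the ldapsearch output just shown share the same LDIF shape, so both can be checked mechanically before trusting them. The following is an added example (not part of the original post, nor code from OpenLDAP or the migration tools) that parses that LDIF, including base64 `::` values, and reports posixAccount entries that lack the attributes shown above, carry an unhashed userPassword, or have uidNumber 0; the sample entries and the {SSHA} value are constructed.

```python
import base64

# Constructed sample in the LDIF shape that migrate_passwd.pl writes and ldapsearch prints.
_B64 = base64.b64encode(b"{SSHA}" + b"X" * 32).decode()   # placeholder hash, base64-encoded
SAMPLE_LDIF = f"""\
dn: uid=guy,ou=People,dc=codigolibre,dc=local
uid: guy
objectClass: posixAccount
userPassword:: {_B64}
uidNumber: 505
gidNumber: 505
homeDirectory: /home/guy

dn: uid=svc,ou=People,dc=codigolibre,dc=local
uid: svc
objectClass: posixAccount
userPassword: hunter2
uidNumber: 0
gidNumber: 0
homeDirectory: /root
"""

def parse_ldif(text):
    """Parse LDIF into [(dn, {attr: [values]})]; '#' comments dropped, 'attr:: b64' decoded."""
    entries, attrs = [], {}
    lines = [ln.rstrip() for ln in text.splitlines() if not ln.startswith("#")]
    for line in lines + [""]:
        if not line:                          # a blank line ends the current entry
            if "dn" in attrs:                 # skips trailers such as "result: 0 Success"
                entries.append((attrs["dn"][0], attrs))
            attrs = {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):             # "attr:: <base64>" form used for userPassword
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        attrs.setdefault(name, []).append(value.strip())
    return entries

HASHED = ("{SSHA}", "{SHA}", "{CRYPT}", "{MD5}", "{SMD5}")
REQUIRED = ("uid", "uidNumber", "gidNumber", "homeDirectory")

def audit_accounts(text):
    """Return (dn, finding) pairs for posixAccount entries worth reviewing before import."""
    findings = []
    for dn, attrs in parse_ldif(text):
        if "posixAccount" not in attrs.get("objectClass", []):
            continue
        findings += [(dn, f"missing {a}") for a in REQUIRED if a not in attrs]
        if any(not p.upper().startswith(HASHED) for p in attrs.get("userPassword", [])):
            findings.append((dn, "userPassword is not hashed"))
        if attrs.get("uidNumber") == ["0"]:
            findings.append((dn, "uidNumber 0 (root-equivalent account)"))
    return findings
```

Run it against the real passwd.ldif before the ldapadd step, or against saved ldapsearch output, and review every finding it prints.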

Configuring clients.

Define the values of the host and base parameters to establish which server and which directory to connect to. For practical purposes, the value of the base parameter must be the same as the one specified for the suffix parameter in the file /etc/openldap/slapd.conf.

# Your LDAP server. Must be resolvable without using LDAP.
# Multiple hosts may be specified, each separated by a
# space. How long nss_ldap takes to failover depends on
# whether your LDAP client library supports configurable
# network or connect timeouts (see bind_timelimit).
host 192.168.1.200

# The distinguished name of the search base.
base dc=codigolibre,dc=local

Next, use either authconfig or authconfig-gtk to configure the system to authenticate against the LDAP server.

authconfig (text mode)
Enable the Use LDAP and Use LDAP Authentication check boxes, press Tab to reach Next, press Enter, and verify that the server and directory data to be used are correct.

Authconfig, main screen.


Administration

There are many programs for accessing and managing LDAP servers. One of the most comprehensive currently available is phpldapadmin: http://phpldapadmin.sourceforge.net/


Simply download phpldapadmin and unpack it in the Apache document root.

tar -xvzf phpldapadmin-(version).tar.gz

Then rename the folder to phpldapadmin.

mv phpldapadmin-(version) phpldapadmin

Then open a browser and go to http://ipdelservidorweb/phpldapadmin (where ipdelservidorweb is the address of the web server).

On the login screen, enter the following:

Login DN

cn=admin,dc=codigolibre,dc=local

and then the password.

With this, the LDAP server is functional.

Data backup.

You must stop the LDAP service before proceeding with data backup.

service ldap stop

Then the slapcat tool is used, with the configuration file /etc/openldap/slapd.conf.

slapcat -v -f /etc/openldap/slapd.conf -l backup-$(date +%Y%m%d).ldif

Once the backup has completed, the LDAP service can be started again.

service ldap start

Restoring data.

The procedure requires stopping the service.

service ldap stop

The existing directory data must be removed before restoring.

rm -f /var/lib/ldap/authentication/*

Then the slapadd tool is used to load the data from a backup *.ldif file.

slapadd -v -c -l backup-20061003.ldif -f /etc/openldap/slapd.conf

Then run the slapindex tool, which regenerates the LDAP indexes.

slapindex

Once the restore has completed, the LDAP service can be started again. Because slapadd and slapindex were run as root, first make sure the files in /var/lib/ldap/authentication are owned by the ldap user and group again, as set up at the beginning, or slapd will not be able to read them.

service ldap start

Bibliography.

http://www.zytrax.com/books/ldap/
http://www.alcancelibre.org