Some certification exams expect you to know how to set up an LDAP client, which is hard to practise in a home lab if you don't have an LDAP server. Here are basic instructions for a minimal OpenLDAP server (written for CentOS/RHEL 6 style systems: slapd 2.4 with the bdb backend and /etc/sysconfig/ldap) that will do the job.
Step 1: Install the required packages. openldap-clients provides ldapsearch and ldapadd, which are used below:
#yum install openldap-servers openldap-clients migrationtools
Step 2: slapd keeps its configuration inside the directory itself (the cn=config database). On disk it lives as LDIF files under /etc/openldap/slapd.d/, and this guide edits those files directly, so make sure slapd is not running while you do it.
Create the directory manager password hash:
#slappasswd
You'll get something like {SSHA}r2or9f2vYlvieCu0LP6wTnSdYfrddsuV as a result. This is not an encrypted password but a salted SHA-1 hash (SHA-1 over the password plus a random 4-byte salt, base64-encoded with the salt appended). This is the string we will add to the bdb.ldif config file, so the cleartext password never lands on disk.
# vi /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{1\}bdb.ldif
Replace the default suffix dc=my-domain,dc=com with your own everywhere it appears (olcSuffix and olcRootDN) using the vi substitute command:
:%s/dc=my-domain,dc=com/dc=yourdomain,dc=com/g
Step 3: Set the admin password and specify the location of the TLS certificate and private key.
Add these 3 lines at the end of bdb.ldif, replacing the hash shown with the one you created in step 2. The olcRootDN line already in the file (now cn=Manager,dc=yourdomain,dc=com after the substitution) is the account this password belongs to:
olcRootPW: {SSHA}V7TQ2kZ7IWEHOb2Qs4zrXi4ufvlU9W/O
olcTLSCertificateFile: /etc/pki/tls/certs/slapdcert.pem
olcTLSCertificateKeyFile: /etc/pki/tls/certs/slapdkey.pem
Do not put a cleartext value in olcRootPW: slapd accepts one, but then anybody who can read slapd.d has the directory's root password.
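To see what slappasswd actually produced in step 2, here is an added example (not from the original page) in POSIX shell that builds and verifies {SSHA} values the same way OpenLDAP does: SHA-1 over password||salt, base64 of digest||salt, prefixed with {SSHA}. The function names, the test password and the fixed salt argument are my own; slappasswd draws 4 random salt bytes instead, and ssha_verify copes with any salt because it pipes the decoded bytes straight into openssl rather than storing them in a shell variable. It needs openssl, base64 and od.

```shell
#!/bin/sh
# Added example: build and check OpenLDAP {SSHA} password hashes.
# Format: "{SSHA}" + base64( SHA1(password || salt) || salt ).
# slappasswd uses a 4-byte random salt; here the salt is an argument so
# results are reproducible.

# Usage: ssha_hash PASSWORD SALT  -> prints the {SSHA} string
ssha_hash() {
    pw=$1
    salt=$2
    b64=$( { printf '%s%s' "$pw" "$salt" | openssl dgst -sha1 -binary
             printf '%s' "$salt"; } | base64 | tr -d '\n' )
    printf '{SSHA}%s\n' "$b64"
}

# Usage: ssha_verify PASSWORD '{SSHA}...'  -> exit status 0 if the password matches
ssha_verify() {
    pw=$1
    blob=$(printf '%s' "$2" | sed 's/^{SSHA}//')
    # Stored digest: the first 20 decoded bytes, as hex so it can live in a variable.
    want=$(printf '%s' "$blob" | base64 -d | head -c 20 | od -An -tx1 | tr -d ' \n')
    # Recompute SHA1(password || salt). The salt is byte 21 onward and is piped
    # raw into openssl, so the binary salts slappasswd generates work too.
    got=$( { printf '%s' "$pw"
             printf '%s' "$blob" | base64 -d | tail -c +21; } \
           | openssl dgst -sha1 -binary | od -An -tx1 | tr -d ' \n')
    [ -n "$want" ] && [ "$want" = "$got" ]
}

# Usage: ssha_salt_hex '{SSHA}...'  -> the salt bytes as hex. Two hashes of the
# same password differ only here, which is the point of salting.
ssha_salt_hex() {
    printf '%s' "$1" | sed 's/^{SSHA}//' | base64 -d | tail -c +21 | od -An -tx1 | tr -d ' \n'
}

# Demonstration with a constructed password and salt (not the page's hash):
h=$(ssha_hash 'secret' 'abcd')
echo "$h"
ssha_verify 'secret' "$h" && echo "password verified"
ssha_verify 'wrong' "$h" || echo "wrong password rejected"
```

ssha_verify is what slapd does on every simple bind against olcRootPW or a userPassword attribute: it never recovers the password, it only recomputes the hash with the stored salt. The same functions let you confirm, offline, that the hash you pasted into bdb.ldif really belongs to the password you think it does before you lock yourself out of cn=config.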
Step 4: Specify the monitoring privileges:
#vi /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}monitor.ldif
The olcAccess line in this file grants read access to cn=Manager,dc=my-domain,dc=com; replace the suffix with ours. vi substitutions are case-sensitive and the file spells it cn=Manager, so match on the suffix part only. The resulting DN must be exactly the olcRootDN from bdb.ldif, otherwise the manager gets no access to cn=monitor:
:%s/dc=my-domain,dc=com/dc=yourdomain,dc=com/g
Step 5: Configure the database cache
Copy the sample Berkeley DB configuration into the database directory and make sure the whole tree belongs to the ldap user (the updatedb is optional; it only refreshes the locate index so you can find the example file):
#updatedb
#cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
#chown -Rf ldap:ldap /var/lib/ldap/
Step 6: Set up a certificate for TLS. Edit /etc/sysconfig/ldap and change SLAPD_LDAPS from no to yes so slapd also listens on ldaps:// (port 636):
#vi /etc/sysconfig/ldap
SLAPD_LDAPS=yes
Create a self-signed certificate and key. When prompted, use the server's fully qualified hostname as the Common Name, because clients check it against the name they connect to. -nodes leaves the private key unencrypted so slapd can start unattended, which is why its file permissions matter below:
#openssl req -new -x509 -nodes -newkey rsa:2048 -out /etc/pki/tls/certs/slapdcert.pem -keyout /etc/pki/tls/certs/slapdkey.pem -days 365
This writes the certificate and the private key into /etc/pki/tls/certs/. The certificate may be world-readable; the key must be readable by the ldap user and nobody else:
# chown root:ldap /etc/pki/tls/certs/slapdcert.pem /etc/pki/tls/certs/slapdkey.pem
# chmod 644 /etc/pki/tls/certs/slapdcert.pem
# chmod 640 /etc/pki/tls/certs/slapdkey.pem
Step 7: Test the configuration
# slaptest -u
config file testing succeeded
Step 8: Start the ldap server and make it start at boot:
#service slapd start
#chkconfig slapd on
Check that the server answers:
#ldapsearch -x -b "dc=yourdomain,dc=com"
Until step 9 loads the base entry the reply ends with "search: 2" and "result: 32 No such object"; that is fine, it shows slapd is up and serving your suffix. "Can't contact LDAP server" means it is not; check /var/log/messages.
Step 9: Configure the base domain. Create base.ldif with the top entry and the two organizational units. Entries in an LDIF file are separated by a blank line, and all of them must sit under the suffix set in step 2:
#vi base.ldif
dn: dc=yourdomain,dc=com
dc: yourdomain
objectClass: top
objectClass: domain

dn: ou=People,dc=yourdomain,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Groups,dc=yourdomain,dc=com
ou: Groups
objectClass: top
objectClass: organizationalUnit
Import the base entries into the directory, binding as the manager (-W prompts for the password from step 2):
#ldapadd -x -W -D "cn=Manager,dc=yourdomain,dc=com" -f base.ldif
Step 10: Migrate the users
Edit migrate_common.ph in /usr/share/migrationtools so the generated LDIF uses your suffix:
# vi /usr/share/migrationtools/migrate_common.ph
Set:
# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "yourdomain.com";
# Default base
$DEFAULT_BASE = "dc=yourdomain,dc=com";
Pick the local users and groups to export and convert them. On CentOS 6 normal accounts start at UID/GID 500; note that the grep below matches ":5xx" in any field, not just the UID, so look at the passwd and group files it produces before you import anything:
#cd /usr/share/migrationtools
#grep ":5[0-9][0-9]" /etc/passwd > passwd
#grep ":5[0-9][0-9]" /etc/group > group
#./migrate_passwd.pl passwd > users.ldif
#./migrate_group.pl group > group.ldif
The migration tools put groups under ou=Group; our base uses ou=Groups, so fix the DNs:
#sed -e "s/ou=Group/ou=Groups/g" group.ldif > groups.ldif
Run as root, migrate_passwd.pl reads /etc/shadow and writes each user's {crypt} password hash into users.ldif, so keep that file readable by root only and delete it after the import. Then load both files:
#ldapadd -x -W -D "cn=Manager,dc=yourdomain,dc=com" -f users.ldif
#ldapadd -x -W -D "cn=Manager,dc=yourdomain,dc=com" -f groups.ldif
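To see what step 10 actually feeds into the directory, here is an added example (not from the original page and not the migrationtools code) that generates the same kind of posixAccount and posixGroup LDIF from passwd and group lines with two awk filters, so the result can be inspected before ldapadd runs. It is my own code: the base DN, the 500-599 range, the sample accounts and the function names are assumptions, the sample lines are constructed rather than taken from a real host, and unlike migrate_passwd.pl it deliberately writes no password attributes.

```shell
#!/bin/sh
# Added example: generate the LDIF that the migration step produces, from
# passwd/group lines on stdin. Assumptions: suffix in BASE_DN, local accounts
# in the 500-599 range, no userPassword/shadowAccount attributes (the real
# migrate_passwd.pl adds those from /etc/shadow when run as root).
BASE_DN=${BASE_DN:-dc=yourdomain,dc=com}

# Constructed sample lines standing in for /etc/passwd and /etc/group
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
mani:x:500:500:Mani Example:/home/mani:/bin/bash
alice:x:501:501::/home/alice:/bin/bash
nobody:x:99:99:Nobody:/:/sbin/nologin
backup:x:600:600:Backup Job:/var/backups:/sbin/nologin
'
SAMPLE_GROUP='root:x:0:
users:x:100:
mani:x:500:
staff:x:501:mani,alice
'

# passwd lines on stdin -> posixAccount entries under ou=People on stdout.
# Select on the UID field only; a grep for ":5[0-9][0-9]" would also match a
# GID, a home directory or a GECOS field that happens to contain ":5xx".
passwd_to_ldif() {
    awk -F: -v base="$BASE_DN" '
    $3 >= 500 && $3 <= 599 {
        # migrate_passwd.pl takes cn from the GECOS field and falls back to the
        # login name, which is why "cn=mani" is not a reliable search filter
        cn = ($5 != "") ? $5 : $1
        printf "dn: uid=%s,ou=People,%s\n", $1, base
        printf "uid: %s\ncn: %s\n", $1, cn
        printf "objectClass: account\nobjectClass: posixAccount\nobjectClass: top\n"
        printf "uidNumber: %s\ngidNumber: %s\n", $3, $4
        printf "homeDirectory: %s\nloginShell: %s\n\n", $6, $7
    }'
}

# group lines on stdin -> posixGroup entries, placed under ou=Groups directly
# so the sed fix-up from step 10 is not needed.
group_to_ldif() {
    awk -F: -v base="$BASE_DN" '
    $3 >= 500 && $3 <= 599 {
        printf "dn: cn=%s,ou=Groups,%s\n", $1, base
        printf "cn: %s\nobjectClass: posixGroup\nobjectClass: top\ngidNumber: %s\n", $1, $3
        n = split($4, members, ",")
        for (i = 1; i <= n; i++)
            if (members[i] != "") printf "memberUid: %s\n", members[i]
        printf "\n"
    }'
}

# Number of entries an LDIF file on stdin would create; check it before ldapadd.
ldif_entry_count() {
    grep -c '^dn: '
}

# Demonstration on the constructed sample:
printf '%s' "$SAMPLE_PASSWD" | passwd_to_ldif
printf '%s' "$SAMPLE_GROUP" | group_to_ldif
```

Run against the real files (`passwd_to_ldif < /etc/passwd > users.ldif`) it gives you a users.ldif with no password hashes in it; users then get a userPassword set by ldappasswd later, which is usually what you want in a lab anyway.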
Step 11: Test the ldap server. Check that a migrated user, here "mani", exists (use a login that exists on your system). The migration tools set cn from the GECOS field when it is filled in, so cn can be the full name rather than the login; search on uid instead:
#ldapsearch -x -b "dc=yourdomain,dc=com" "(uid=mani)"
Also test the TLS listener, because that is what a real client should use: a simple bind with -x sends the password in the clear otherwise. Point the client at the self-signed certificate (TLS_CACERT /etc/pki/tls/certs/slapdcert.pem in /etc/openldap/ldap.conf), then require StartTLS with -ZZ, or use -H ldaps://... instead; substitute your server's hostname for server.yourdomain.com:
#ldapsearch -x -ZZ -H ldap://server.yourdomain.com -b "dc=yourdomain,dc=com" "(uid=mani)"
If both searches return the entry with "result: 0 Success", you're done!