Create LDAP server, authored by Yi Sun
These instructions create an LDAP server on CentOS 7. The schema is for the BAND environment; other schemas are currently not supported, and using your own schema would require changes to other BAND components.
## create CentOS server and ssh to it ##
`yum update`
`yum install openssl openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel`
`cd /etc/pki/CA`
create index.txt and serial file to keep track of issued certs
`echo 0001 > serial`
`touch index.txt`
create root ca
`openssl genrsa -aes256 -out /etc/pki/CA/private/ca.key.pem`
create CA certificate
`openssl req -new -x509 -days 3650 -key /etc/pki/CA/private/ca.key.pem -extensions v3_ca -out /etc/pki/CA/certs/ca.cert.pem`
generate key and certificates for LDAP
`cd /etc/pki/CA`
`openssl genrsa -out private/ldap-dev.eosc-life.eu.key`
`openssl req -new -key private/ldap-dev.eosc-life.eu.key -out certs/ldap-dev.eosc-life.eu.csr`
sign certificate with CA
`openssl ca -keyfile private/ca.key.pem -cert certs/ca.cert.pem -in certs/ldap-dev.eosc-life.eu.csr -out certs/ldap-dev.eosc-life.eu.crt`
check index.txt to make sure the certs were properly signed
`cat index.txt`
verify all issued certs against CA
`openssl verify -CAfile certs/ca.cert.pem certs/ldap-dev.eosc-life.eu.crt`
copy certs file to /etc/openldap/certs, make sure user 'ldap' has rw right to the folder
`cp -v certs/* /etc/openldap/certs/`
`cp -v private/ldap-dev.eosc-life.eu.key /etc/openldap/certs/`
`cp -v certs/ca.cert.pem /etc/openldap/certs/`
download all files from [https://git.embl.de/ysun/ldap-dev-files](https://git.embl.de/ysun/ldap-dev-files)
modify userPassword in users.ldif with hashed value
ex:
`slappasswd -h {SSHA} -s PASSWORD`
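As an added example (not part of these instructions or the ldap-dev-files repository), the following Python reproduces the `{SSHA}` format that `slappasswd -h {SSHA}` emits, verifies a password against such a value, and fills the cleartext `userPassword` of a constructed users.ldif-style entry; the sample entry and function names are assumptions.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

SCHEME = "{SSHA}"
SHA1_LEN = 20  # bytes of SHA-1 output; the salt follows the digest


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return an OpenLDAP {SSHA} value: base64(SHA1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)  # short random salt, as slappasswd generates
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a password against a stored {SSHA} value (constant-time compare)."""
    if not stored.startswith(SCHEME):
        return False
    raw = base64.b64decode(stored[len(SCHEME):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def hash_ldif_passwords(ldif: str) -> str:
    """Replace cleartext 'userPassword:' values in LDIF text with {SSHA} hashes.
    Base64 values ('userPassword::') and values with a {scheme} prefix are kept."""
    out = []
    for line in ldif.splitlines():
        lowered = line.lower()
        if lowered.startswith("userpassword:") and not lowered.startswith("userpassword::"):
            value = line.split(":", 1)[1].strip()
            if not value.startswith("{"):
                line = "userPassword: " + ssha_hash(value)
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed sample entry in the style of users.ldif (not the project's file).
SAMPLE_LDIF = """dn: uid=jdoe,ou=People,dc=eosc-life,dc=eu
objectClass: inetOrgPerson
objectClass: posixAccount
uid: jdoe
userPassword: PASSWORD
"""
```

Running `hash_ldif_passwords(SAMPLE_LDIF)` yields the same entry with `userPassword: {SSHA}...` in place of the cleartext value, which is what users.ldif must contain before it is pushed.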
start slapd
`systemctl start slapd.service`
`systemctl enable slapd.service`
push config
`ldapmodify -Y EXTERNAL -H ldapi:/// -f db.ldif`
restrict monitor access to admin user
`ldapmodify -Y EXTERNAL -H ldapi:/// -f monitor.ldif`
push certs config
`ldapmodify -Y EXTERNAL -H ldapi:/// -f certs.ldif`
copy sample db configuration file to /var/lib/ldap and update permission
`cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG`
`chown ldap:ldap /var/lib/ldap/*`
add the cosine, nis and inetorgperson LDAP schemas
`ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif`
`ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif`
`ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif`
push base.ldif to openldap using admin user
`ldapadd -x -W -D "cn=admin,dc=eosc-life,dc=eu" -f base.ldif`
push groups and users
`ldapadd -x -W -D "cn=admin,dc=eosc-life,dc=eu" -f groups.ldif`
`ldapadd -x -W -D "cn=admin,dc=eosc-life,dc=eu" -f users.ldif`
secure ldap with tls
`ldapmodify -Y EXTERNAL -H ldapi:// -f tls.ldif`
`ldapmodify -Y EXTERNAL -H ldapi:// -f /home/centos/tls1.ldif`
check that the TLS config points to the correct certificate and key files
`slapcat -b "cn=config" | egrep "olcTLSCertificateFile|olcTLSCertificateKeyFile|olcTLSCACertificateFile"`
add "ldaps:///" to `SLAPD_URLS` in /etc/sysconfig/slapd
make sure `TLS_REQCERT allow` is in /etc/openldap/ldap.conf
restart slapd
`systemctl restart slapd`
test search
`ldapsearch -v -W -ZxLLLD cn=admin,dc=eosc-life,dc=eu -b dc=eosc-life,dc=eu "(objectClass=posixAccount)"`
NOTES on LDAP client (compute node, login node, mgmt node in the cluster)
* make sure ca.cert.pem (the CA certificate, not the CA private key) is in /etc/openldap/certs
* make sure /etc/openldap/certs has correct permission
* make sure `TLS_REQCERT allow` is in /etc/openldap/ldap.conf (`allow` tolerates a server certificate that cannot be verified; once ca.cert.pem is installed on the client, `TLS_REQCERT demand` enforces verification)