Installing OpenLDAP 2.4 and Configuring Apache DS – Part 1
This web series is brought to you by: dOpenSource and Flyball Labs
This post is PART 1 of a series that details how to install Apache Directory Studio and OpenLDAP server and connect the two seamlessly. OpenLDAP is an open-source implementation of the Lightweight Directory Access Protocol (LDAP for short), which is based on the X.500 standards.
OpenLDAP can be used to manage users and groups in an organization and authenticate them on your systems, through certificate validation. Apache DS is the front-end GUI we will be using to interface with our OpenLDAP server to manage our users and groups.
A quick note before we begin: in this post we use angle brackets to denote that you either need to input information there, or that there will be information output there. Great, let's get started!
Requirements
This guide assumes you have either a Debian-based or a CentOS / Red Hat-based Linux distro.
This guide also assumes that you have root access on the server to install the software.
Installing OpenLDAP Server
Switch to the root user and enter your root user's password
Either using sudo:
sudo -i
Or if you prefer using su:
su
Install the OpenLDAP dependencies using your package manager
On Debian-based systems this would be:
apt-get update -q -y
apt-get install -q -y dpkg slapd ldap-utils ldapscripts
On CentOS / RHEL systems:
yum -y -q update
yum -y -q install openldap compat-openldap openldap-clients \
openldap-servers openldap-servers-sql openldap-devel
The Debian package may ask you for the admin LDAP password now; no worries. We are going to overwrite this in the next step, so enter the same password that you will use throughout the tutorial.
Create a password for the admin LDAP user
slappasswd
<enter secret pw here>
<re-enter secret pw here>
<you will see hash of pw here>
Copy the hash that is output from this command to your clipboard.
Update the LDAP config file with the new password
We are going to move to the directory where our LDAP configs are:
For centos / rhel that is here: /etc/openldap/slapd.d/cn\=config
For debian / ubuntu that is here: /etc/ldap/slapd.d/cn\=config
Then we need to add the root password hash we copied in the last step. The echo below already supplies the {SSHA} prefix, so paste only the part of the slappasswd output that follows {SSHA}:
cd /etc/*ldap/slapd.d/cn\=config
echo "olcRootPW: {SSHA}<pw hash goes here>" >> olcDatabase\=\{2\}bdb.ldif
Modify the distinguished name (DN for short) of the olcSuffix. This can be done using sed.
You should set the suffix to your DNS domain name, written as domain components. Every DN in your tree will end with this suffix.
For example, for dopensource.com this would be:
sed -i "s/olcSuffix:.*/olcSuffix: dc=dopensource,dc=com/" olcDatabase\=\{2\}bdb.ldif
sed -i "s/olcRootDN:.*/olcRootDN: cn=Manager,dc=dopensource,dc=com/" olcDatabase\=\{2\}bdb.ldif
You would replace dopensource and com with the components of your own domain.
Now change the monitor.ldif file to match the olcRootDN we changed earlier in the bdb ldif file. The second command deletes line 7 of the file, the wrapped continuation of the old olcAccess value, so check with cat that line 7 is that continuation line before running it:
sed -i 's/olcAccess:.*/olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=dopensource,dc=com" read by * none/' olcDatabase={1}monitor.ldif
sed -i '7d' olcDatabase={1}monitor.ldif
Restrict users from viewing other users’ password hashes:
echo 'olcAccess: {0}to attrs=userPassword by self write by dn.base="cn=Manager,dc=dopensource,dc=com" write by anonymous auth by * none' >> olcDatabase\=\{2\}bdb.ldif
echo 'olcAccess: {1}to * by dn.base="cn=Manager,dc=dopensource,dc=com" write by self write by * read' >> olcDatabase\=\{2\}bdb.ldif
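To see what the two olcAccess rules above actually grant, here is a small model of slapd's ACL evaluation (an added example, not code from the post or from OpenLDAP). It encodes the two rules as data and applies the evaluation order slapd documents: the first rule whose "to" part matches the attribute is used, then the first "by" clause that matches the requester decides the access level, and every rule ends with an implicit "by * none". The DNs for alice and bob are constructed; the model ignores entry-level access, dn.children/regex matching and ssf constraints.

```python
# Constructed model (added here, not OpenLDAP code) of the two olcAccess rules
# appended to olcDatabase={2}bdb.ldif in the post.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]
MANAGER_DN = "cn=Manager,dc=dopensource,dc=com"   # the post's olcRootDN

ACL = [
    # olcAccess: {0}to attrs=userPassword by self write by dn.base="<Manager>" write
    #            by anonymous auth by * none
    ("userPassword", [("self", "write"), (MANAGER_DN, "write"),
                      ("anonymous", "auth"), ("*", "none")]),
    # olcAccess: {1}to * by dn.base="<Manager>" write by self write by * read
    ("*", [(MANAGER_DN, "write"), ("self", "write"), ("*", "read")]),
]


def _who_matches(who, requester_dn, target_dn):
    """requester_dn is None for an anonymous connection."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn is None
    if who == "self":
        return requester_dn is not None and requester_dn.lower() == target_dn.lower()
    # dn.base="..." in slapd syntax: exact DN match
    return requester_dn is not None and requester_dn.lower() == who.lower()


def granted_level(requester_dn, target_dn, attribute):
    """Access level the ACL grants requester_dn on attribute of target_dn."""
    for what, by_clauses in ACL:
        if what != "*" and what.lower() != attribute.lower():
            continue                      # this rule does not apply, try the next
        for who, level in by_clauses:
            if _who_matches(who, requester_dn, target_dn):
                return level              # first matching 'by' clause wins
        return "none"                     # implicit 'by * none' ends the rule
    return "none"                         # no rule matched at all


def allows(requester_dn, target_dn, attribute, wanted):
    """True if the granted level is at least `wanted` (levels are cumulative)."""
    have = LEVELS.index(granted_level(requester_dn, target_dn, attribute))
    return have >= LEVELS.index(wanted)


if __name__ == "__main__":
    alice = "uid=alice,ou=People,dc=dopensource,dc=com"   # constructed
    bob = "uid=bob,ou=People,dc=dopensource,dc=com"       # constructed
    for who, label in [(None, "anonymous"), (alice, "alice"), (MANAGER_DN, "Manager")]:
        for attr in ("userPassword", "mail"):
            print(f"{label:9} on bob's {attr:12}: {granted_level(who, bob, attr)}")
```

The model makes one consequence of rule {1} visible: "by * read" grants anonymous connections read access to every attribute except userPassword. If that is not what you want, slapd's "by users read" keyword restricts the clause to authenticated binds.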
Set OpenLDAP service to start on boot
chkconfig slapd on
service slapd start
If you get any checksum errors, such as:
5900f369 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={0}config.ldif"
5900f369 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif"
5900f369 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif"
then you must run the following commands to fix your checksums before adding any entries.
Fixing checksum errors in config files
Copy the file(s) shown to have bad checksums when starting slapd to /tmp:
mkdir -p /tmp/fixes &&
/bin/cp -rf /etc/openldap/slapd.d/cn=config/{olcDatabase={0}config.ldif,olcDatabase={1}monitor.ldif,olcDatabase={2}bdb.ldif} /tmp/fixes &&
cd /tmp/fixes
Remove the first 2 lines containing the old checksums:
for file in /tmp/fixes/*; do
sed -i '1,2d' "${file}"
done
Install the zlib dev package and the Perl archive utilities (which provide the crc32 command) if they are not installed
For CentOS-based systems:
yum -y -q install zlib-devel perl-Archive-Zip
For Debian-based systems:
apt-get -y -q install zlib1g-dev libarchive-zip-perl
Now we can go ahead and calculate the new checksums:
for file in /tmp/fixes/*; do
CRC=$(crc32 "$file")
read -r -d '' INSERT_LINES << EOF
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 ${CRC}
EOF
cat << EOF > "${file}"
${INSERT_LINES}
$(cat "${file}")
EOF
done
Then copy the fixed files back over the originals and delete the temp folder:
/bin/cp -rf /tmp/fixes/* /etc/openldap/slapd.d/cn=config/
cd /tmp && rm -Rf fixes
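The same header repair can be done without the perl crc32 tool, and it is worth being able to check a file's checksum before slapd refuses to start. The Python below is an added example, not code from the post or from OpenLDAP: it uses zlib.crc32, the same CRC-32 that the perl crc32 command prints, computed over everything after the "# CRC32" line, which is how the loop above lays the file out. The sample LDIF text with the stale checksum is constructed for the demonstration.

```python
import sys
import zlib

HEADER = "# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.\n"
CRC_PREFIX = "# CRC32 "


def slapd_crc32(body: bytes) -> str:
    """CRC-32 of everything after the '# CRC32' line, as 8 lowercase hex
    digits (the same value the perl crc32 tool prints)."""
    return "%08x" % (zlib.crc32(body) & 0xFFFFFFFF)


def split_header(text: str):
    """Return (stated_crc_or_None, body). body is everything after the two
    header lines, or the whole text if there is no slapd header."""
    parts = text.split("\n", 2)
    if len(parts) >= 2 and parts[0] + "\n" == HEADER and parts[1].startswith(CRC_PREFIX):
        stated = parts[1][len(CRC_PREFIX):].strip().lower()
        body = parts[2] if len(parts) == 3 else ""
        return stated, body
    return None, text


def check_file_text(text: str):
    """Return (stated, actual, ok). ok is False for a missing or wrong header."""
    stated, body = split_header(text)
    actual = slapd_crc32(body.encode("utf-8"))
    return stated, actual, stated == actual


def fix_file_text(text: str) -> str:
    """Strip an existing header (if any) and prepend a correct one."""
    _, body = split_header(text)
    return HEADER + CRC_PREFIX + slapd_crc32(body.encode("utf-8")) + "\n" + body


# Constructed sample: a monitor database stanza with a stale checksum.
SAMPLE = (
    "# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.\n"
    "# CRC32 deadbeef\n"
    "dn: olcDatabase={1}monitor\n"
    "objectClass: olcDatabaseConfig\n"
    "olcDatabase: {1}monitor\n"
)


if __name__ == "__main__":
    # usage: python3 slapd_crc.py [--fix] /etc/openldap/slapd.d/cn=config/*.ldif
    args = sys.argv[1:]
    do_fix = "--fix" in args
    for path in [a for a in args if a != "--fix"]:
        with open(path, "r", encoding="utf-8", newline="") as fh:
            text = fh.read()
        stated, actual, ok = check_file_text(text)
        print(f"{'OK ' if ok else 'BAD'} {path} stated={stated} actual={actual}")
        if do_fix and not ok:
            with open(path, "w", encoding="utf-8", newline="") as fh:
                fh.write(fix_file_text(text))
```

Run it read-only first; it reports every file whose stated checksum does not match, which is exactly the set slapd will complain about, and --fix rewrites only those.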
Create the root entry in our LDAP tree.
The root entry is going to be configured as a special entry of object class dcObject, a domain component entry. To do this we will add the same domain name we have been using to the domain component root entry.
Create the root entry in a temp file, which should be named after your domain:
cat << EOF > /tmp/dopensource.ldif
dn: dc=dopensource,dc=com
objectClass: dcObject
objectClass: organization
dc: dopensource
o: dopensource
EOF
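Both the olcSuffix / olcRootDN values set with sed earlier and the root entry above are derived from the same DNS domain, so it is easy to get one of them out of step with the others. The following added example (not code from the post) derives all three from the domain name with a single function; it also validates the labels, and it handles domains with more than two labels, which the post's single example does not show. The manager cn and organization name are parameters with the post's values as defaults.

```python
import re

# One DNS label: letters, digits and hyphens, 1-63 chars, no leading/trailing hyphen.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def domain_to_dn(domain: str) -> str:
    """dopensource.com -> dc=dopensource,dc=com (general algorithm: one dc=
    component per label, in order). Raises ValueError on a bad domain."""
    labels = domain.strip().rstrip(".").lower().split(".")
    if len(labels) < 2 or not all(LABEL_RE.match(label) for label in labels):
        raise ValueError(f"not a usable DNS domain: {domain!r}")
    # Hostname labels can never contain DN special characters (, + " \ < > ;),
    # so no escaping is needed here.
    return ",".join(f"dc={label}" for label in labels)


def slapd_config_values(domain: str, manager_cn: str = "Manager") -> dict:
    """The two values the post writes into olcDatabase={2}bdb.ldif with sed."""
    suffix = domain_to_dn(domain)
    return {"olcSuffix": suffix, "olcRootDN": f"cn={manager_cn},{suffix}"}


def root_entry_ldif(domain: str, org: str = None) -> str:
    """LDIF for the root entry, matching the post's dopensource.ldif layout."""
    suffix = domain_to_dn(domain)
    first_label = suffix.split(",", 1)[0][len("dc="):]
    return (
        f"dn: {suffix}\n"
        "objectClass: dcObject\n"
        "objectClass: organization\n"
        f"dc: {first_label}\n"
        f"o: {org or first_label}\n"
    )


if __name__ == "__main__":
    import sys
    domain = sys.argv[1] if len(sys.argv) > 1 else "dopensource.com"
    for key, value in slapd_config_values(domain).items():
        print(f"{key}: {value}")
    print(root_entry_ldif(domain), end="")
```

Running it with your domain as the argument prints the olcSuffix and olcRootDN lines to compare against the ldif file and the root entry LDIF to feed to ldapadd.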
Add the contents of the file to your tree (-x selects a simple bind; the password is the admin LDAP user's. You can use -W in place of -w <pw> to be prompted, so the password does not end up in your shell history):
ldapadd -x -f /tmp/dopensource.ldif -D cn=Manager,dc=dopensource,dc=com -w <your ldap admin pw>
Verify it was added (you should see the same info you added displayed):
ldapsearch -x -LLL -b dc=dopensource,dc=com
If you got back the same entry you put in, then delete the temp file:
rm -f /tmp/dopensource.ldif
We add a symlink here for better portability (this applies to CentOS / RHEL, where the config lives in /etc/openldap; Debian already has /etc/ldap, so skip this step there):
ln -s /etc/openldap /etc/ldap
Allow access to the LDAP server in your firewall rules. Keep in mind that port 389 without StartTLS carries simple-bind passwords in cleartext, so prefer limiting the source addresses to the hosts that need directory access rather than opening the port to everyone:
iptables -A INPUT -p tcp --dport 389 -j ACCEPT
/sbin/service iptables save
iptables -F
service iptables restart
To ensure your iptables rule persisted, you can check with:
iptables -L
To verify LDAP is up, check on port 389:
netstat -antup | grep -i 389 --color=auto
<terminal output here>
You should see LISTEN in your output, something like this:
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 22905/slapd
tcp 0 0 :::389 :::* LISTEN 22905/slapd
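If you automate this check, the netstat output above is easy to parse. The following added example (not code from the post) filters LISTEN sockets on a given port, confirms the owning program is slapd, and also reports wildcard binds (0.0.0.0 and ::), which tell you the directory is reachable on every interface and therefore depends on the firewall rule above. The sample netstat text is constructed from the post's two lines plus one unrelated listener.

```python
# Constructed sample: the post's two slapd lines plus an unrelated listener
# so the filter has something to ignore.
SAMPLE_NETSTAT = """\
tcp        0      0 0.0.0.0:389     0.0.0.0:*    LISTEN      22905/slapd
tcp        0      0 :::389          :::*         LISTEN      22905/slapd
tcp        0      0 127.0.0.1:25    0.0.0.0:*    LISTEN      1200/master
"""


def parse_listeners(netstat_text: str, port: int):
    """Return [(proto, bind_address, program)] for LISTEN sockets on `port`,
    given the output of `netstat -antup` (Proto Recv-Q Send-Q Local Foreign
    State PID/Program). UDP lines have no State column and are skipped."""
    found = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[5] != "LISTEN":
            continue
        addr, _, local_port = fields[3].rpartition(":")   # handles ':::389' too
        if local_port != str(port):
            continue
        program = "?"
        if len(fields) > 6 and "/" in fields[6]:
            program = fields[6].split("/", 1)[1]
        found.append((fields[0], addr, program))
    return found


def slapd_is_listening(netstat_text: str, port: int = 389) -> bool:
    return any(prog == "slapd" for _, _, prog in parse_listeners(netstat_text, port))


def wildcard_binds(netstat_text: str, port: int = 389):
    """Addresses on which the port is bound to all interfaces."""
    return [addr for _, addr, _ in parse_listeners(netstat_text, port)
            if addr in ("0.0.0.0", "::")]


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NETSTAT
    print("slapd listening:", slapd_is_listening(text))
    print("wildcard binds:", wildcard_binds(text))
```

Pipe the real output in with netstat -antup | python3 check_ldap_port.py; with no input it runs against the constructed sample.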
For More Information
For more information, the next post in the series or for any questions visit us at:
For Professional services and Ldap configurations see:
dOpenSource OpenLDAP
dOpenSource OpenLDAP Services
Written By:
DevOpSec
Software Engineer
Flyball Labs