Note: These are very high-level instructions. They have also been tested with OpenLDAP 2.4.38 and RHEL 5.10, and will possibly work with other versions too.
My directory structure is as follows:
software install location - /opt
schema file location - /usr/local/etc/
slapd.conf file location - /usr/local/etc/openldap/
database file location - /var/openldap/openldap-data/
certs location - /usr/local/etc/openldap
Install Berkeley DB
Download db-6.0.30.tar.gz and untar in /opt
cd /opt
tar xvf db-6.0.30.tar.gz
cd db-6.0.30/build_unix
../dist/configure --enable-cxx --prefix=/usr/local/BerkeleyDB.6.0
make
make install
Do this step so that the Berkeley DB libraries can be found by the dynamic linker without creating messy symlinks. Create /etc/ld.so.conf.d/berkely_db.conf containing the Berkeley DB library directory from the --prefix above, then refresh the linker cache:
cd /etc/ld.so.conf.d
vi berkely_db.conf
/usr/local/BerkeleyDB.6.0/lib
/sbin/ldconfig
Install OpenSSL
Download openssl-1.0.1g.tar.gz and untar in /opt
cd /opt
tar xvf openssl-1.0.1g.tar.gz
export CPPFLAGS="-I/usr/local/BerkeleyDB.6.0/include"
export LDFLAGS="-L/usr/local/BerkeleyDB.6.0/lib"
cd openssl-1.0.1g
./config shared
make
make test
make install
Install Cyrus-SASL
Download cyrus-sasl-2.1.26.tar.gz and untar in /opt
cd /opt
tar xvf cyrus-sasl-2.1.26.tar.gz
cd cyrus-sasl-2.1.26/
export CPPFLAGS="-I/usr/local/BerkeleyDB.6.0/include"
export LDFLAGS="-L/usr/local/BerkeleyDB.6.0/lib -L/usr/local/ssl/lib"
./configure --with-openssl=/usr/local/ssl --libdir=/usr/local/lib64
make
make install
After the install, note the following message:
********************************************************
* WARNING:
* Plugins are being installed into /usr/local/lib/sasl2,
* but the library will look for them in /usr/lib/sasl2.
* You need to make sure that the plugins will eventually
* be in /usr/lib/sasl2 -- the easiest way is to make a
* symbolic link from /usr/lib/sasl2 to /usr/local/lib/sasl2,
* but this may not be appropriate for your site, so this
* installation procedure won't do it for you.
*
* If you don't want to do this for some reason, you can
* set the location where the library will look for plugins
* by setting the environment variable SASL_PATH to the path
* the library should use.
********************************************************
I set the SASL_PATH environment variable in the .bash_profile file as follows:
SASL_PATH=/usr/local/lib/sasl2
export SASL_PATH
Install OpenLDAP
Download OpenLDAP openldap-2.4.39.tar.gz
cd /opt
tar xvf openldap-2.4.39.tar.gz
cd openldap-2.4.39
export CPPFLAGS="-I/usr/local/BerkeleyDB.6.0/include -I/usr/local/ssl/include"
export LDFLAGS="-L/usr/local/BerkeleyDB.6.0/lib -L/usr/local/ssl/lib"
./configure --with-tls --with-cyrus-sasl --sysconfdir=/usr/local --bindir=/usr/local --libdir=/usr/local/lib64
make depend
make
make test
make install
Copy Schema Files
mkdir /usr/local/etc
cp -rfp /opt/openldap-2.4.39/servers/slapd/schema /usr/local/etc/.
Copy slapd.conf
mkdir /usr/local/etc/openldap/
cp -rfp /opt/openldap-2.4.39/servers/slapd/slapd.conf /usr/local/etc/openldap/
Generate the Hashed Administrator LDAP Password
The hash can be entered into the slapd.conf file so that OpenLDAP can be started without user interaction. Note that passing the password with -s leaves it in the shell history and the process list; running slappasswd without -s prompts for it interactively instead.
/opt/openldap-2.4.39/servers/slapd/slappasswd -s password
{SSHA}O4iHZ1yg+f4ynVg1rrUjYMki2F6jTp7O
Copy this value and paste it into the /usr/local/etc/openldap/slapd.conf file:
rootpw {SSHA}O4iHZ1yg+f4ynVg1rrUjYMki2F6jTp7O
The slapd.conf file may end up looking like this:
include /usr/local/etc/schema/core.schema
include /usr/local/etc/schema/cosine.schema
include /usr/local/etc/schema/inetorgperson.schema
pidfile /var/openldap/run/slapd.pid
argsfile /var/openldap/run/slapd.args
#######################################################################
# BDB database definitions
#######################################################################
database bdb
suffix "dc=my-domain,dc=com"
rootdn "cn=Manager,dc=my-domain,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw {SSHA}O4iHZ1yg+f4ynVg1rrUjYMki2F6jTp7O
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/openldap/openldap-data/my-domain
# Indices to maintain
index objectClass eq
index cn eq
index uid eq
Starting OpenLDAP Services
cd /usr/local/etc/openldap/
nohup /opt/openldap-2.4.39/servers/slapd/slapd -f /usr/local/etc/openldap/slapd.conf -d 1 &
View status of the OpenLDAP server:
tail -f nohup.out
Stopping OpenLDAP Services
kill -INT `cat /var/openldap/run/slapd.pid`
Enabling SSL
Request a server certificate from your RA or CA.
Place the issuing CA certificate file here:
TLSCACertificateFile /usr/local/etc/openldap/cacert.pem
The signed server certificate file here:
TLSCertificateFile /usr/local/etc/openldap/servercrt.pem
And the private key file (only readable by the process that starts the OpenLDAP server) here:
TLSCertificateKeyFile /usr/local/etc/openldap/serverkey.pem
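As an added check (not part of the original post), the script below audits a slapd.conf for the three settings the sections above call out: a hashed rather than cleartext rootpw, a mode-700 database directory, and a TLS private key readable only by its owner. It builds two constructed sample configs in a temporary directory; the hash value is the one generated above.

```shell
#!/bin/sh
# Constructed example (not from the original post): audit a slapd.conf
# for the three weaknesses the build notes above warn about.
#   1. rootpw stored in cleartext instead of a {SCHEME} hash from slappasswd
#   2. the BDB "directory" reachable by group/other (should be mode 700)
#   3. TLSCertificateKeyFile readable by anyone but the user starting slapd
# Print the first value of a directive (key is matched case-insensitively).
conf_value() {
    awk -v k="$2" 'tolower($1)==tolower(k) {print $2; exit}' "$1"
}

# True when the group/other permission bits of a path are all cleared.
owner_only() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Returns 0 when every check passes, 1 otherwise; prints one line per finding.
check_slapd_conf() {
    conf=$1; rc=0
    pw=$(conf_value "$conf" rootpw)
    case $pw in
        "")  ;;                                   # no rootpw at all is fine
        \{*) ;;                                   # {SSHA}... style hash
        *)   echo "FAIL rootpw is cleartext"; rc=1 ;;
    esac
    dir=$(conf_value "$conf" directory)
    if [ -n "$dir" ] && [ -d "$dir" ] && ! owner_only "$dir"; then
        echo "FAIL database directory $dir is not mode 700"; rc=1
    fi
    key=$(conf_value "$conf" TLSCertificateKeyFile)
    if [ -n "$key" ] && { [ ! -f "$key" ] || ! owner_only "$key"; }; then
        echo "FAIL private key $key missing or readable by group/other"; rc=1
    fi
    return $rc
}

# Constructed sample configs: a hardened one and a weak one.
WORK=$(mktemp -d)
mkdir -m 700 "$WORK/data"; mkdir -m 755 "$WORK/data-open"
printf 'private key material\n' > "$WORK/key.pem";      chmod 600 "$WORK/key.pem"
printf 'private key material\n' > "$WORK/key-open.pem"; chmod 644 "$WORK/key-open.pem"
GOOD_CONF=$WORK/good.conf; BAD_CONF=$WORK/bad.conf
printf 'rootpw {SSHA}O4iHZ1yg+f4ynVg1rrUjYMki2F6jTp7O\ndirectory %s\nTLSCertificateKeyFile %s\n' \
    "$WORK/data" "$WORK/key.pem" > "$GOOD_CONF"
printf 'rootpw secret\ndirectory %s\nTLSCertificateKeyFile %s\n' \
    "$WORK/data-open" "$WORK/key-open.pem" > "$BAD_CONF"
check_slapd_conf "$GOOD_CONF" && echo "good.conf: OK"
check_slapd_conf "$BAD_CONF"  || echo "bad.conf: see findings above"
```

Run it against /usr/local/etc/openldap/slapd.conf with check_slapd_conf to audit the real file after editing it.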