This tutorial explains how you can set up LDAP user authentication on a CentOS 5.x system.
Domain name: shadow.com
LDAP Server IP: 192.168.56.1
Server Configuration
Packages needed: openldap-servers
[iyunv@icewalker ~]# vi /etc/openldap/slapd.conf
Set these values to:
suffix "dc=shadow,dc=com"
rootdn "cn=root,dc=shadow,dc=com"
Set root’s password:
rootpw your_desired_password
We can encrypt our admin password; for that run the slappasswd command. It will ask you for a password, and after you enter it twice, it'll spit out a line like this:
{SSHA}04b5U6YTzQ651v9EB+l7e0FEXoEmB/Up
and use it as
rootpw {SSHA}04b5U6YTzQ651v9EB+l7e0FEXoEmB/Up
Test your configuration by running the
slaptest -u
command.
[iyunv@icewalker ~]# cp /etc/openldap/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[iyunv@icewalker ~]# service ldap start
[iyunv@icewalker ~]# chkconfig ldap on
Now we need to set up our base, authentication and group files. That is, we'll establish our basic parameters for the LDAP server, then migrate over (most of) the user accounts, and (most of) the group accounts.
[iyunv@icewalker ~]# cd /usr/share/openldap/migration
[iyunv@icewalker ~]# ./migrate_base.pl > base.ldif
In base.ldif we require only the following sections:
dn: dc=padl,dc=com
dc: padl
objectClass: top
objectClass: domain
dn: ou=People,dc=padl,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit
dn: ou=Group,dc=padl,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit
Replace all padl with shadow so that it becomes:
dn: dc=shadow,dc=com
dc: shadow
objectClass: top
objectClass: domain
dn: ou=People,dc=shadow,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit
dn: ou=Group,dc=shadow,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit
Now, we can import that information into our LDAP database using this command:
[iyunv@icewalker ~]# ldapadd -x -W -D “cn=root,dc=shadow,dc=com” -f ./base.ldif
We need to tell the script where to find password information. We do that by setting the shell variable ETC_SHADOW to be /etc/shadow. This command will do just that:
[iyunv@icewalker ~]# export ETC_SHADOW=/etc/shadow
Then, we can run
[iyunv@icewalker ~]# ./migrate_passwd.pl /etc/passwd people.ldif
In the people.ldif file delete all sections except the required user's section and replace all padl with shadow.
[iyunv@icewalker migration]# cat people.ldif
dn: cn=basil,ou=Group,dc=shadow,dc=com
objectClass: posixGroup
objectClass: top
cn: basil
userPassword: {crypt}x
gidNumber: 500
After you've done that, it's time to import the two files to ldap:
[iyunv@icewalker migration]# ldapadd -x -W -D “cn=root,dc=shadow,dc=com” -f people.ldif
[iyunv@icewalker migration]# ldapadd -x -W -D “cn=root,dc=shadow,dc=com” -f group.ldif
Now, we have our database populated with info. It's time to test our work. First, you can use the ldapsearch command to look for your username:
[iyunv@icewalker migration]# ldapsearch -x ‘cn=basil’
Client Configuration
Use authconfig-gtk or authconfig-tui:
[iyunv@icewalker migration]# authconfig-gtk
Choose Enable LDAP Support.
LDAP Search Base DN should be dc=shadow,dc=com
LDAP server, we'll enter ldap://192.168.56.1, that is the server's IP.
How To Clear LDAP Database
First stop LDAP:
[iyunv@icewalker ~]# service ldap stop
Go to the /var/lib/ldap directory (this is the directory containing your database; this directory is specified in the slapd.conf file).
[iyunv@icewalker ~]# cd /var/lib/ldap
Remove all databases by using:
[iyunv@icewalker ~]# rm *
Again start the LDAP service and populate it with data.