This post will cover post-installation steps necessary to go from a completely unmanaged machine to a machine that is setup to be an LDAP server with a basic DIT. This will also setup phpldapadmin for web-based administration of your LDAP directory.<\/p>\n
Note<\/strong>: I use nginx here simply because I find it easier to deal with. There’s no requirement for it and you may find it easier to use apache.<\/p>\n The post-install script used to setup the LDAP server is below. The reason this is used is because there are a lot of one time things that happen during the installation of an LDAP server and I have not yet been able to represent some of these events in bcfg2<\/a>. The script below depends on some files that are hosted on another web server. I will provide the necessary files needed below.<\/p>\n The custom php packages are available from\u00a0http:\/\/blog.famillecollet.com\/pages\/Config-en<\/a>. The reason for using these packages is that php-fpm is not available from the stock RHEL repositories or from EPEL<\/a>. Since I am already familiar with php-fpm and I prefer to use it, I decided to simply download only the necessary packages rather than use the entire repository.<\/p>\n Here are the accompanying ldif files needed.<\/p>\n These can be changed to match your needs. In this case, anyone in the group You will want to modify these settings according to your replication needs.<\/p>\n Here are the relevant bits from the ldap bundle in the bcfg2 repository<\/p>\n The My nginx configuration for I needed the following lines in Lastly, you will need to modify This post will cover post-installation steps necessary to go from a completely unmanaged machine to a machine that is setup to be an LDAP server with a basic DIT. This will also setup phpldapadmin for web-based administration of your LDAP directory. Note: I use nginx here simply because I find it easier to deal with. […]<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[7,3,14,20],"tags":[],"_links":{"self":[{"href":"https:\/\/www.soljerome.com\/blog\/wp-json\/wp\/v2\/posts\/300"}],"collection":[{"href":"https:\/\/www.soljerome.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.soljerome.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.soljerome.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.soljerome.com\/blog\/wp-json\/wp\/v2\/comments?post=300"}],"version-history":[{"count":8,"href":"https:\/\/www.soljerome.com\/blog\/wp-json\/wp\/v2\/posts\/300\/revisions"}],"predecessor-version":[{"id":333,"href":"https:\/\/www.soljerome.com\/blog\/wp-json\/wp\/v2\/posts\/300\/revisions\/333"}],"wp:attachment":[{"href":"https:\/\/www.soljerome.com\/blog\/wp-json\/wp\/v2\/media?parent=300"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.soljerome.com\/blog\/wp-json\/wp\/v2\/categories?post=300"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.soljerome.com\/blog\/wp-json\/wp\/v2\/tags?post=300"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}#!\/bin\/bash\r\n\r\n# ssl settings\r\nWEBCERT=\"\/etc\/pki\/tls\/certs\/phpldapadmin.crt\"\r\nWEBKEY=\"\/etc\/pki\/tls\/private\/phpldapadmin.key\"\r\nSLAPDCERT=\"\/etc\/openldap\/cacerts\/slapd.crt\"\r\nSLAPDMASTERCERT=\"\/etc\/openldap\/cacerts\/slapd-master.crt\"\r\nSLAPDKEY=\"\/etc\/pki\/tls\/private\/slapd.key\"\r\nSSLSUBJ=\"\/C=Country Code\/ST=Some State\/L=City\/O=Organization Name\/OU=Organizational Unit Name\/CN=${HOSTNAME}\"\r\n\r\n# misc settings\r\nLDAPDIR=\"\/root\/ldap-setup\"\r\nHTTPDIR=\"http:\/\/web.server\/ldap\"\r\nLDIFDIR=\"${HTTPDIR}\/ldif\"\r\nRPMS=\"${HTTPDIR}\/rpms\/php-5.3.8-5.el6.remi.x86_64.rpm\r\n${HTTPDIR}\/rpms\/php-cli-5.3.8-5.el6.remi.x86_64.rpm\r\n${HTTPDIR}\/rpms\/php-common-5.3.8-5.el6.remi.x86_64.rpm\r\n${HTTPDIR}\/rpms\/php-fpm-5.3.8-5.el6.remi.x86_64.rpm\r\n${HTTPDIR}\/rpms\/php-ldap-5.3.8-5.el6.remi.x86_64.rpm\r\nopenldap-clients\r\nopenldap-servers\r\nautofs\"\r\n\r\nPASSWD=\"changeme\"\r\nSLAPPASSWD=\"\"\r\nBCFG2PASSWD=\"\"\r\n\r\nselinux-disable()\r\n{\r\n #FIXME: remove when bcfg2 selinux policy works properly\r\n setenforce 0\r\n}\r\n\r\nselinux-enable()\r\n{\r\n #FIXME: remove when bcfg2 selinux policy works properly\r\n setenforce 1\r\n}\r\n\r\ninst-packages()\r\n{\r\n echo -n \"Installing custom php packages for phpldapadmin...\"\r\n yum -y --nogpgcheck install ${RPMS} >\/dev\/null\r\n # FIXME: update the kernel (kernel panics when not done here)\r\n yum -y update kernel >\/dev\/null\r\n echo \"done\"\r\n}\r\n\r\ngen-ssl-certs()\r\n{\r\n \/usr\/bin\/openssl req -batch -new -x509 -nodes \\\r\n -subj \"${SSLSUBJ}\" \\\r\n -out ${WEBCERT} \\\r\n -keyout ${WEBKEY} -days 3600 >\/dev\/null\r\n \/usr\/bin\/openssl req -batch -new -x509 -nodes \\\r\n -subj \"${SSLSUBJ}\" \\\r\n -out ${SLAPDCERT} \\\r\n -keyout ${SLAPDKEY} -days 3600 >\/dev\/null\r\n\r\n cacertdir_rehash \/etc\/openldap\/cacerts\r\n}\r\n\r\nget-passwds()\r\n{\r\n # setup ldap admin password\r\n echo -n \"Please enter a new ldap admin password: \"\r\n read -s PASSWD\r\n # get bcfg2 password\r\n echo -n \"Please enter the bcfg2 password (can be found in \/etc\/bcfg2.conf on an existing client): \"\r\n read -s BCFG2PASSWD\r\n echo\r\n}\r\n\r\ngen-slappasswd()\r\n{\r\n if [ -x \/usr\/sbin\/slappasswd ]\r\n then\r\n SLAPPASSWD=$(\/usr\/sbin\/slappasswd -s ${PASSWD})\r\n else\r\n echo \"Failed to find slappasswd. Aborting.\"\r\n exit 1\r\n fi\r\n}\r\n\r\nsetup-ldap()\r\n{\r\n \/usr\/bin\/curl -o ${LDAPDIR}\/fix-admin-account.ldif ${LDIFDIR}\/fix-admin-account.ldif\r\n \/usr\/bin\/curl -o ${LDAPDIR}\/new-ldap-setup.ldif ${LDIFDIR}\/new-ldap-setup.ldif\r\n \/usr\/bin\/curl -o ${LDAPDIR}\/base.ldif ${LDIFDIR}\/base.ldif\r\n sed -i \"s|PWREPLACE|${SLAPPASSWD}|\" ${LDAPDIR}\/fix-admin-account.ldif ${LDAPDIR}\/new-ldap-setup.ldif\r\n # this seems wrong. if someone knows how to do this better, please inform me.\r\n echo \"olcRootPW: ${SLAPPASSWD}\" >> \/etc\/openldap\/slapd.d\/cn=config\/olcDatabase={0}config.ldif\r\n \/bin\/cp \/usr\/share\/openldap-servers\/DB_CONFIG.example \/var\/lib\/ldap\/DB_CONFIG\r\n chown -R ldap. \/var\/lib\/ldap\r\n \/sbin\/service slapd start && sleep 1 # FIXME: how do you do this properly?\r\n ldapadd -w ${PASSWD} -x -D \"cn=config\" -f ${LDAPDIR}\/fix-admin-account.ldif\r\n ldapadd -w ${PASSWD} -x -D \"cn=admin,cn=config\" -f ${LDAPDIR}\/new-ldap-setup.ldif\r\n ldapadd -w ${PASSWD} -x -D \"cn=Manager,dc=uh,dc=edu\" -f ${LDAPDIR}\/base.ldif\r\n}\r\n\r\nadd-sudo()\r\n{\r\n \/usr\/bin\/curl -o ${LDAPDIR}\/sudo-index.ldif ${LDIFDIR}\/sudo-index.ldif\r\n cp \/usr\/share\/doc\/$(rpm -q sudo --qf \"%{NAME}\"-\"%{VERSION}\")\/schema.OpenLDAP \/etc\/openldap\/schema\/sudo.schema\r\n restorecon -F -R -v \/etc\/openldap\/schema\r\n mkdir ${LDAPDIR}\/sudo-ldap\r\n echo \"include \/etc\/openldap\/schema\/sudo.schema\" > ${LDAPDIR}\/sudo-ldap\/sudoschema.conf\r\n slapcat -f ${LDAPDIR}\/sudo-ldap\/sudoschema.conf -F \/tmp \\\r\n -n0 -s \"cn={0}sudo,cn=schema,cn=config\" > ${LDAPDIR}\/sudo-ldap\/sudo-tmp.ldif\r\n sed -i 's\/{0}sudo\/sudo\/' ${LDAPDIR}\/sudo-ldap\/sudo-tmp.ldif\r\n head -n-8 ${LDAPDIR}\/sudo-ldap\/sudo-tmp.ldif > ${LDAPDIR}\/sudo-ldap\/sudo.ldif\r\n echo -e \"\\n$(cat ${LDAPDIR}\/sudo-index.ldif)\" >> ${LDAPDIR}\/sudo-ldap\/sudo.ldif # add in our sudo index\r\n rm ${LDAPDIR}\/sudo-index.ldif\r\n ldapadd -w ${PASSWD} -x -D \"cn=admin,cn=config\" -f ${LDAPDIR}\/sudo-ldap\/sudo.ldif\r\n}\r\n\r\nadd-autofs()\r\n{\r\n cp \/usr\/share\/doc\/$(rpm -q autofs --qf \"%{NAME}\"-\"%{VERSION}\")\/autofs.schema \/etc\/openldap\/schema\/autofs.schema\r\n restorecon -F -R -v \/etc\/openldap\/schema\r\n mkdir ${LDAPDIR}\/autofs\r\n echo \"include \/etc\/openldap\/schema\/core.schema\" > ${LDAPDIR\/autofs\/autofs.conf\r\n echo \"include \/etc\/openldap\/schema\/cosine.schema\" >> ${LDAPDIR\/autofs\/autofs.conf\r\n echo \"include \/etc\/openldap\/schema\/autofs.schema\" >> ${LDAPDIR\/autofs\/autofs.conf\r\n slapcat -f ${LDAPDIR}\/autofs\/autofs.conf -F \/tmp \\\r\n -n0 -s \"cn={2}autofs,cn=schema,cn=config\" > ${LDAPDIR}\/autofs\/autofs-tmp.ldif\r\n sed -i 's\/{2}autofs\/autofs\/' ${LDAPDIR}\/autofs\/autofs-tmp.ldif\r\n head -n-8 ${LDAPDIR}\/autofs\/autofs-tmp.ldif > ${LDAPDIR}\/autofs\/autofs.ldif\r\n ldapadd -w ${PASSWD} -x -D \"cn=admin,cn=config\" -f ${LDAPDIR}\/autofs\/autofs.ldif\r\n}\r\n\r\nimport-db()\r\n{\r\n while true; do\r\n echo -n \"Is this machine a master or a slave? [m\/s] \"\r\n read status\r\n case $status in\r\n m*|M*)\r\n \/usr\/bin\/curl -o ${LDAPDIR}\/olcaccess.ldif ${LDIFDIR}\/olcaccess.ldif\r\n \/usr\/bin\/curl -o ${LDAPDIR}\/syncprov-module.ldif ${LDIFDIR}\/syncprov-module.ldif\r\n \/usr\/bin\/curl -o ${LDAPDIR}\/syncprov.ldif ${LDIFDIR}\/syncprov.ldif\r\n ldapmodify -w ${PASSWD} -D \"cn=admin,cn=config\" -f ${LDAPDIR}\/olcaccess.ldif\r\n ldapmodify -w ${PASSWD} -D \"cn=admin,cn=config\" -f ${LDAPDIR}\/syncprov-module.ldif\r\n ldapadd -w ${PASSWD} -D \"cn=admin,cn=config\" -f ${LDAPDIR}\/syncprov.ldif\r\n break\r\n ;;\r\n s*|S*)\r\n # grab master SSL certificate\r\n \/usr\/bin\/curl -o ${SLAPDMASTERCERT} ${HTTPDIR}\/slapd-master.crt\r\n cacertdir_rehash \/etc\/openldap\/cacerts\r\n\r\n \/usr\/bin\/curl -o ${LDAPDIR}\/olcaccess-slave.ldif ${LDIFDIR}\/olcaccess-slave.ldif\r\n \/usr\/bin\/curl -o ${LDAPDIR}\/syncrepl.ldif ${LDIFDIR}\/syncrepl.ldif\r\n ldapmodify -w ${PASSWD} -D \"cn=admin,cn=config\" -f ${LDAPDIR}\/olcaccess-slave.ldif\r\n ldapmodify -w ${PASSWD} -D \"cn=admin,cn=config\" -f ${LDAPDIR}\/syncrepl.ldif\r\n break\r\n ;;\r\n *)\r\n echo \"Invalid response.\"\r\n ;;\r\n esac\r\n done\r\n}\r\n\r\nrun-bcfg2()\r\n{\r\n \/usr\/sbin\/bcfg2 -vqe -S https:\/\/bcfg2.server:6789 -x ${BCFG2PASSWD} --ca-cert=\/etc\/bcfg2.ca -r packages\r\n \/usr\/sbin\/bcfg2 -vqer packages\r\n}\r\n\r\nselinux-disable\r\nmkdir -p ${LDAPDIR}\r\nget-passwds\r\ninst-packages\r\ngen-ssl-certs\r\ngen-slappasswd\r\nsetup-ldap\r\nadd-sudo\r\nimport-db\r\nrun-bcfg2\r\nselinux-enable\r\necho \"Setup complete. Please reboot.\"<\/pre>\nfix-admin-account.ldif<\/code><\/p>\n# Set password for cn=admin,cn=config\r\ndn: olcDatabase={0}config,cn=config\r\nchangetype: modify\r\nreplace: olcRootPW\r\nolcRootPW: PWREPLACE\r\n-\r\nreplace: olcRootDN\r\nolcRootDN: cn=admin,cn=config<\/pre>\nldif\/new-ldap-setup.ldif<\/code><\/p>\n# create modules area\r\ndn: cn=module,cn=config\r\nobjectClass: olcModuleList\r\ncn: module{0}\r\nolcModulePath: \/usr\/lib64\/openldap\r\n\r\n# set access for the monitor db.\r\ndn: olcDatabase={1}monitor,cn=config\r\nchangetype: modify\r\nreplace: olcAccess\r\nolcAccess: {0}to * by dn.base=\"cn=Manager,dc=yourcompany,dc=com\" read by * none\r\n\r\n# change LDAP domain, password and access rights.\r\ndn: olcDatabase={2}bdb,cn=config\r\nchangetype: modify\r\nreplace: olcSuffix\r\nolcSuffix: dc=yourcompany,dc=com\r\n-\r\nreplace: olcRootDN\r\nolcRootDN: cn=Manager,dc=yourcompany,dc=com\r\n-\r\nreplace: olcRootPW\r\nolcRootPW: PWREPLACE\r\n\r\n# setup SSL\r\ndn: cn=config\r\nchangetype:modify\r\nreplace: olcTLSCertificateKeyFile\r\nolcTLSCertificateKeyFile: \/etc\/pki\/tls\/private\/slapd.key\r\n-\r\nreplace: olcTLSCertificateFile\r\nolcTLSCertificateFile: \/etc\/openldap\/cacerts\/slapd.crt\r\n-\r\nreplace: olcTLSCipherSuite\r\nolcTLSCipherSuite: HIGH:MEDIUM:-SSLv2<\/pre>\nbase.ldif<\/code><\/p>\n# setup basic tree\r\ndn: dc=yourcompany,dc=com\r\ndc: uh\r\nobjectClass: top\r\nobjectClass: domain\r\n\r\ndn: ou=People,dc=yourcompany,dc=com\r\nou: People\r\nobjectClass: top\r\nobjectClass: organizationalUnit\r\n\r\ndn: ou=Group,dc=yourcompany,dc=com\r\nou: Group\r\nobjectClass: top\r\nobjectClass: organizationalUnit\r\n\r\ndn: cn=replicator,dc=yourcompany,dc=com\r\ncn: replicator\r\nobjectClass: organizationalRole\r\nobjectClass: simpleSecurityObject\r\nobjectClass: top\r\ndescription: LDAP replication user\r\nuserPassword: changeme<\/pre>\n
ldif\/sudo-index.ldif<\/code><\/p>\n# add sudo index\r\ndn: olcDatabase={2}bdb,cn=config\r\nchangetype: modify\r\nadd: olcDbIndex\r\nolcDbIndex: sudoUser eq<\/pre>\ncn=ldapadmin,ou=yourorganizationalunit,dc=yourcompany,dc=com<\/code> is given full access to the LDAP directory (UPDATE: Please note that the ldapadmin cn is a groupOfNames objectClass [_not_ a posixGroup]<\/strong>).
\nldif\/olcaccess.ldif<\/code><\/p>\ndn: olcDatabase={2}bdb,cn=config\r\nchangetype: modify\r\nadd: olcAccess\r\nolcAccess: {0}to * by dn.base=\"cn=replicator,dc=yourcompany,dc=com\" read by * break\r\nolcAccess: {1}to * by group.exact=\"cn=ldapadmin,ou=yourorganizationalunit,dc=yourcompany,dc=com\" write by * break\r\nolcAccess: {2}to attrs=userPassword by self write by anonymous auth by * none\r\nolcAccess: {3}to attrs=shadowLastChange by self write by * read\r\nolcAccess: {4}to * by * read\r\n-<\/pre>\nldif\/syncprov-module.ldif<\/code><\/p>\n# setup syncprov module\r\ndn: cn=module{0},cn=config\r\nchangetype: modify\r\nadd: olcModuleLoad\r\nolcModuleLoad: {1}syncprov<\/pre>\nldif\/syncprov.ldif<\/code><\/p>\ndn: olcOverlay={0}syncprov,olcDatabase={2}bdb,cn=config\r\nobjectClass: olcSyncProvConfig\r\nolcOverlay: {0}syncprov\r\nolcSpCheckpoint: 100 10\r\nolcSpSessionlog: 100<\/pre>\nldif\/olcaccess-slave.ldif<\/code><\/p>\ndn: olcDatabase={2}bdb,cn=config\r\nchangetype: modify\r\nadd: olcAccess\r\nolcAccess: {0}to * by group.exact=\"cn=ldapadmin,ou=yourorganizationalunit,dc=yourcompany,dc=com\" write by * break\r\nolcAccess: {1}to attrs=userPassword by self write by anonymous auth by * none\r\nolcAccess: {2}to * by * read\r\n-<\/pre>\nldif\/syncrepl.ldif<\/code><\/p>\ndn: olcDatabase={2}bdb,cn=config\r\nchangetype: modify\r\nadd: olcSyncrepl\r\nolcSyncrepl: {0}rid=000 provider=ldaps:\/\/ldap-master-server searchbase=dc=yourcompany,dc=com type=refreshAndPersist retry=\"5 5 300 +\" bindmethod=simple binddn=\"cn=re\r\nplicator,dc=yourcompany,dc=com\" credentials=\"changeme\" tls_cacertdir=\/etc\/openldap\/cacerts -<\/pre>\n<Bundle name='ldap'>\r\n <Group name='ldap-server'>\r\n <BoundPath name='\/etc\/openldap\/cacerts\/slapd.crt' type='permissions' owner='ldap' group='ldap' perms='0600'\/>\r\n <BoundPath name='\/etc\/pki\/tls\/private\/slapd.key' type='permissions' owner='ldap' group='ldap' perms='0600'\/>\r\n <Package name='ldapvi'\/>\r\n <Package name='openldap-clients'\/>\r\n <Package name='openldap-servers'\/>\r\n <Path name='\/etc\/sysconfig\/ldap'\/>\r\n <BoundPath name='\/etc\/openldap\/slapd.d' type='directory' owner='ldap' group='ldap' perms='0700'\/>\r\n\r\n <Service name='slapd'\/>\r\n\r\n <!-- phpLDAPadmin settings -->\r\n <Package name='php'\/>\r\n <BoundPath name='\/var\/lib\/php\/session' type='directory' owner='root' group='nginx' perms='0770'\/>\r\n <Package name='php-fpm'\/>\r\n <Path name='\/etc\/php-fpm.d\/www.conf'\/>\r\n <Package name='php-ldap'\/>\r\n <Package name='nginx'\/>\r\n <Package name='phpldapadmin'\/>\r\n <Service name='php-fpm'\/>\r\n <Service name='nginx'\/>\r\n <Path name='\/etc\/nginx\/conf.d\/phpldapadmin.conf'\/>\r\n <Path name='\/etc\/openldap\/ldap.conf'\/>\r\n <Path name='\/etc\/phpldapadmin\/config.php'\/>\r\n <BoundPath name='\/var\/www\/html\/phpldapadmin' type='symlink' to='\/usr\/share\/phpldapadmin\/htdocs'\/>\r\n <Path name='\/usr\/share\/phpldapadmin\/templates\/creation\/custom_uh.xml'\/>\r\n <\/Group>\r\n<\/Bundle><\/pre>\n
\/etc\/sysconfig\/ldap<\/code> file needs to be modified to allow LDAPS by uncommenting SLAPD_LDAPS=yes<\/code>. In \/etc\/php-fpm.d\/www.conf<\/code>, you need to make sure the user\/group are set to nginx (if you are using nginx as your web server).<\/p>\n\/etc\/nginx\/conf.d\/phpldapadmin.conf<\/code> looks like this.<\/p>\nserver {\r\n listen 80;\r\n server_name ldap-server-hostname;\r\n rewrite ^\/(.*) https:\/\/ldap-server-hostname\/$1 permanent;\r\n}\r\n\r\nserver {\r\n listen 443; # listen also for IPv4 traffic on \"regular\" IPv4 sockets\r\n server_name ldap-server-hostname;\r\n access_log \/var\/log\/nginx\/ssl-access.log;\r\n error_log \/var\/log\/nginx\/ssl-error.log;\r\n root \/var\/www\/html\/phpldapadmin;\r\n\r\n ssl on;\r\n ssl_certificate \/etc\/pki\/tls\/certs\/phpldapadmin.crt;\r\n ssl_certificate_key \/etc\/pki\/tls\/private\/phpldapadmin.key;\r\n\r\n index index.php index.html;\r\n\r\n location ~ \\.php$ {\r\n fastcgi_pass localhost:9000;\r\n fastcgi_index index.php;\r\n fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;\r\n include fastcgi_params;\r\n fastcgi_param HTTPS on;\r\n }\r\n}<\/pre>\n\/etc\/openldap\/ldap.conf<\/code> to get phpldapadmin working properly.<\/p>\nURI ldaps:\/\/localhost\/\r\nTLS_CACERTDIR \/etc\/openldap\/cacerts\r\nTLS_REQCERT never<\/pre>\n
\/etc\/phpldapadmin\/config.php<\/code> with appropriate values for your site.<\/p>\n","protected":false},"excerpt":{"rendered":"