How to Set Up OpenLDAP on Fedora 19 (Without slapd.conf)

NOTE: every password hash below was generated with the slappasswd utility. Run it yourself and paste your own hash; do not reuse the hashes printed here.

1. Install OpenLDAP (openldap-clients provides the ldapsearch/ldapadd/ldapmodify tools used below)

# yum install openldap-servers openldap-clients

2. Start up the service

# systemctl start slapd && systemctl status slapd

3. Check that local root can administer cn=config (SASL EXTERNAL over the ldapi:/// socket)

# ldapsearch -Y EXTERNAL -H ldapi:/// -s base -b 'cn=config'
# ldapsearch -Y EXTERNAL -H ldapi:/// -b 'cn=config'

4. [NOT REQUIRED] Give cn=config a rootdn and password (so it can be administered with a simple bind, not only as local root over ldapi:///)

4.1. Generate a hash for the rootdn password (example plaintext: s3cr3t):

# slappasswd
New password:
Re-enter new password:
{SSHA}hYiqFHUSXWQCWZfrsJYuX+M0F98u2M+j

4.2. Set cn=admin,cn=config as rootdn of the config database, with the hash from 4.1:

# ldapmodify -Y EXTERNAL -H ldapi:///

Copy-paste now:

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootDN
olcRootDN: cn=admin,cn=config
-
add: olcRootPW
olcRootPW: {SSHA}hYiqFHUSXWQCWZfrsJYuX+M0F98u2M+j

4.3 Test that the new rootdn can bind from an unprivileged shell. The -x is required: without it the ldap* tools attempt a SASL bind and ignore -D.

$ ldapsearch -x -H ldapi:/// -D 'cn=admin,cn=config' -W -s base -b 'cn=config'

5. Set the suffix, rootdn and rootpw of the main database

Fedora's default is suffix dc=my-domain,dc=com with rootdn cn=Manager,dc=my-domain,dc=com and no rootpw. On a stock Fedora 19 install the main database is olcDatabase={2}hdb ({0} is the config database, {1} the monitor); the cn=config search from step 3 shows the actual index if yours differs:

# ldapmodify -Y EXTERNAL -H ldapi:///

Copy-paste now:

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=example,dc=com
-
replace: olcRootDN
olcRootDN: cn=admin,dc=example,dc=com
-
add: olcRootPW
olcRootPW: {SSHA}hYiqFHUSXWQCWZfrsJYuX+M0F98u2M+j

6. Simplify the ldap* commands

Set the defaults in /etc/openldap/ldap.conf so the tools need neither -H nor -b (ldapi:/// only works on the server itself):

BASE    dc=example,dc=com
URI     ldapi:///

7. Add the tree (binding as the database rootdn from step 5)

The first entry must be the suffix itself, dc=example,dc=com: slapd refuses a child whose parent does not exist yet, so starting the file at dc=demo,dc=example,dc=com fails with "No such object".

# ldapadd -x -D 'cn=admin,dc=example,dc=com' -W

Copy-paste now:

version: 1

# Suffix
dn: dc=example,dc=com
dc: example
description: example.com suffix
objectClass: dcObject
objectClass: organization
o: EXAMPLE.COM, LLC

# Domain
dn: dc=demo,dc=example,dc=com
dc: demo
description: demo.example.com domain
objectClass: dcObject
objectClass: organization
o: EXAMPLE.COM, LLC

# Users
dn: ou=Users,dc=demo,dc=example,dc=com
ou: Users
description: Users of demo.example.com
objectClass: top
objectClass: organizationalUnit

# People
dn: ou=People,dc=demo,dc=example,dc=com
ou: People
description: People of demo.example.com
objectClass: organizationalUnit

# Groups
dn: ou=Groups,dc=demo,dc=example,dc=com
ou: Groups
description: Groups of demo.example.com
objectClass: organizationalUnit

# Roles
dn: ou=Roles,dc=demo,dc=example,dc=com
ou: Roles
description: Roles of demo.example.com
objectClass: top
objectClass: organizationalUnit
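The order of entries in an ldapadd LDIF matters: slapd rejects an entry whose parent does not exist yet (LDAP result 32, "No such object") and anything outside the suffix set in step 5. The shell function below is an added example, not part of the original how-to; it pre-checks an LDIF offline so that mistakes of this kind (a tree rooted at dc=demo,dc=example,dc=com with no dc=example,dc=com entry in front of it, or an entry under a mistyped suffix) surface before the bind. The sample LDIF at the bottom is constructed for the demonstration, and the function assumes plain "dn:" lines without escaped commas, base64 values ("dn::") or continuation lines.

```shell
# ldif_check_add_order SUFFIX < file.ldif
# Walks the "dn:" lines of an LDIF meant for ldapadd and reports every entry
# slapd would refuse with "No such object":
#   - an entry outside SUFFIX (wrong suffix in step 5, or a typo), or
#   - an entry whose parent has not appeared earlier in the same file.
# Exit status 0 when the order is fine, 1 when at least one problem was found.
# Assumption (this example's own): RDN values contain no escaped commas and
# DNs are written on one plain "dn:" line, as in the LDIF above.
ldif_check_add_order() {
    suffix=$1
    awk -v suffix="$suffix" '
        # Normalise a DN for comparison: trim, drop spaces around commas, lower-case.
        function norm(d) {
            sub(/^[ \t]+/, "", d); sub(/[ \t]+$/, "", d)
            gsub(/[ \t]*,[ \t]*/, ",", d)
            return tolower(d)
        }
        BEGIN { suffix = norm(suffix); problems = 0 }
        /^dn:/ {
            dn = norm(substr($0, 4))
            if (dn == suffix) { seen[dn] = 1; next }
            # Every other entry must end in ",<suffix>".
            tail = "," suffix
            if (length(dn) <= length(tail) || substr(dn, length(dn) - length(tail) + 1) != tail) {
                printf "line %d: %s is outside suffix %s\n", NR, dn, suffix
                problems++; next
            }
            # The parent is the DN with its first RDN removed.
            parent = dn; sub(/^[^,]+,/, "", parent)
            if (!(parent in seen)) {
                printf "line %d: %s added before its parent %s\n", NR, dn, parent
                problems++
            }
            seen[dn] = 1
        }
        END { exit problems ? 1 : 0 }
    '
}

# Constructed sample: the step-7 tree as it would look without the suffix
# entry dc=example,dc=com in front of it.
sample_bad='dn: dc=demo,dc=example,dc=com
dc: demo
objectClass: dcObject
objectClass: organization
o: EXAMPLE.COM, LLC

dn: ou=Users,dc=demo,dc=example,dc=com
ou: Users
objectClass: organizationalUnit
'

if printf '%s' "$sample_bad" | ldif_check_add_order 'dc=example,dc=com'; then
    echo "LDIF order OK"
else
    echo "fix the LDIF before running ldapadd"
fi
```

Run it as `ldif_check_add_order 'dc=example,dc=com' < tree.ldif` against the file you are about to feed to ldapadd; the suffix comparison is case-insensitive and ignores spacing around commas, matching how slapd compares DNs.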

8. Adding service roles

This step is useful when a system daemon such as saslauthd needs its own bind identity. Two caveats: the clear-text passwords in the LDIF comments below are there only so the example can be followed, so do not keep such comments in LDIF files on disk; and creating these entries grants them nothing by itself. ldap-manager is described as root-like, but it has only what the database ACL (olcAccess) gives any authenticated DN until a rule granting it write access is added, which this how-to does not cover.

# ldapadd -x -D 'cn=admin,dc=example,dc=com' -W

Copy-paste now:

# ldap-reader, Roles, localdomain
#
# password: peeNg>o!M7iefai7
#
#
dn: cn=ldap-reader,ou=Roles,dc=demo,dc=example,dc=com
userPassword: {SSHA}mZAtNLKz9bEYQ32nT2RL3jYHlwZeZaeS
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: ldap-reader
description: LDAP reader user for unrestricted reads (e.g. for NSS lookups)

# ldap-manager, Roles, localdomain
#
# password: Eere=o9EP"ien4Ne
#
#
dn: cn=ldap-manager,ou=Roles,dc=demo,dc=example,dc=com
userPassword: {SSHA}tifKMRgC5y/7bLdQBAbCbHweGXPMckTq
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: ldap-manager
description: LDAP manager user for unrestricted reads and writes (root-like)

8.1 Check that the new roles can bind (simple bind; BASE and URI come from step 6)

# ldapsearch -x -D 'cn=ldap-reader,ou=Roles,dc=demo,dc=example,dc=com' -W
# ldapsearch -x -D 'cn=ldap-manager,ou=Roles,dc=demo,dc=example,dc=com' -W

9. [NOT REQUIRED] saslauthd setup (authenticate system daemons against LDAP)

9.1 Install required software

# yum install cyrus-sasl-plain cyrus-sasl-ldap cyrus-sasl-md5

9.2 Configure saslauthd

Apply the changes below in /etc/saslauthd.conf:

# ldap configuration
ldap_servers: ldapi:///
ldap_search_base: dc=example,dc=com
ldap_auth_method: bind

#ldap_default_domain: localdomain
#ldap_start_tls: no
#ldap_use_sasl: no
#ldap_version: 3

ldap_bind_dn: cn=ldap-reader,ou=Roles,dc=demo,dc=example,dc=com
ldap_bind_pw: peeNg>o!M7iefai7
ldap_filter: uid=%u
ldap_password_attr: userPassword
ldap_cache_ttl: 30
ldap_cache_mem: 32768

The bind DN is the ldap-reader role from step 8, which lives under dc=demo,dc=example,dc=com rather than directly under the suffix. Because ldap_bind_pw is stored in clear text, keep this file owned by root with mode 0600. saslauthd reads it only when started with the ldap mechanism (MECH=ldap in /etc/sysconfig/saslauthd); after restarting saslauthd, testsaslauthd can be used to try a user's credentials.

10. Generate TLS certificates

The command below writes the private key to /etc/openldap/certs/password, the path Fedora's default cn=config lists as olcTLSCertificateKeyFile, so only the certificate path is changed in the ldapmodify that follows. Confirm the current olcTLSCertificateKeyFile value with the cn=config search from step 3 before relying on that, answer the Common Name prompt with the hostname clients will put in their URI, and keep the key file readable by the ldap user only (because of -nodes it is unencrypted). The olcTLSCipherSuite string format depends on the TLS library slapd was built with, so check the slapd log after the restart in 10.2 if TLS fails to initialise.

# openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/openldap/certs/password -out /etc/openldap/certs/ldapcert.pem
# ldapmodify -Y EXTERNAL -H ldapi:///

Copy-paste now:

dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/ldapcert.pem
-
add: olcTLSCipherSuite
olcTLSCipherSuite: TLSv1+RSA:!EXPORT:!NULL
-
add: olcTLSVerifyClient
olcTLSVerifyClient: never

10.1 Trust the self-signed certificate on clients

Apply the changes below in /etc/openldap/ldap.conf:

TLS_CACERTDIR   /etc/openldap/certs
TLS_REQCERT     never

TLS_REQCERT never makes the client accept any certificate without checking it, so STARTTLS then protects only against passive sniffing, not against an active attacker impersonating the server. That is acceptable for a local test; for anything else point TLS_CACERT at /etc/openldap/certs/ldapcert.pem (a self-signed certificate validates itself) and set TLS_REQCERT demand, which is also libldap's default.

If you need support for the ldaps protocol, apply the necessary change in /etc/sysconfig/slapd:

SLAPD_URLS="ldapi:/// ldap:/// ldaps:///"
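Two of the files edited in steps 9 and 10.1 deserve a check before the box goes anywhere near production: /etc/saslauthd.conf carries ldap_bind_pw in clear text, and TLS_REQCERT never in /etc/openldap/ldap.conf turns off certificate checking on the client side. The shell functions below are an added example rather than anything from the original page. They read a file in the "KEY VALUE" (ldap.conf) or "key: value" (saslauthd.conf) format shown above and report the weak settings, so they can be pointed at the real files or, as in the demonstration at the end, at constructed copies. The function names and messages are this example's own.

```shell
# conf_value FILE KEY
# Print the value of KEY from FILE: first match wins, comment lines are
# skipped, and the key may be written "KEY value" or "key: value".
conf_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        { k = $1; sub(/:$/, "", k) }
        tolower(k) == tolower(key) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# ldap_conf_tls_audit /etc/openldap/ldap.conf
# Exit 0 only when the client will actually validate the server certificate.
ldap_conf_tls_audit() {
    f=$1
    rc=0
    reqcert=$(conf_value "$f" TLS_REQCERT | tr 'A-Z' 'a-z')
    case "$reqcert" in
        never|allow)
            echo "$f: TLS_REQCERT $reqcert accepts any server certificate;" \
                 "use 'TLS_REQCERT demand' with TLS_CACERT pointing at the server or CA certificate"
            rc=1 ;;
    esac
    # Without a trust anchor there is nothing to validate against.
    if [ -z "$(conf_value "$f" TLS_CACERT)" ] && [ -z "$(conf_value "$f" TLS_CACERTDIR)" ]; then
        echo "$f: neither TLS_CACERT nor TLS_CACERTDIR is set"
        rc=1
    fi
    return "$rc"
}

# saslauthd_conf_audit /etc/saslauthd.conf
# Exit 0 only when the clear-text bind password is neither readable by other
# users nor sent over an unprotected ldap:// connection.
saslauthd_conf_audit() {
    f=$1
    rc=0
    # Group/other permission bits from "ls -l", e.g. "r--r--" for mode 0644.
    go=$(ls -ld "$f" | cut -c5-10)
    if [ "$go" != "------" ]; then
        echo "$f: readable by group/other ($go) but holds ldap_bind_pw in clear text; chmod 600 and chown root"
        rc=1
    fi
    # Only the first URL in ldap_servers is inspected here.
    servers=$(conf_value "$f" ldap_servers)
    first=${servers%% *}
    starttls=$(conf_value "$f" ldap_start_tls | tr 'A-Z' 'a-z')
    case "$first" in
        ldapi:*|ldaps:*) ;;    # local socket, or TLS from the first byte
        *)
            if [ "$starttls" != "yes" ]; then
                echo "$f: ldap_servers '$first' is plain ldap:// without 'ldap_start_tls: yes'; the bind password would cross the network in clear text"
                rc=1
            fi ;;
    esac
    return "$rc"
}

# Demonstration on constructed copies of the two files from this page.
tmp_ldap=$(mktemp)
printf 'BASE    dc=example,dc=com\nURI     ldapi:///\nTLS_CACERTDIR   /etc/openldap/certs\nTLS_REQCERT     never\n' > "$tmp_ldap"
tmp_sasl=$(mktemp)
printf 'ldap_servers: ldapi:///\nldap_bind_dn: cn=ldap-reader,ou=Roles,dc=demo,dc=example,dc=com\nldap_bind_pw: peeNg>o!M7iefai7\n' > "$tmp_sasl"
chmod 644 "$tmp_sasl"    # the mistake being demonstrated
ldap_conf_tls_audit "$tmp_ldap" || echo "ldap.conf: fix before relying on STARTTLS"
saslauthd_conf_audit "$tmp_sasl" || echo "saslauthd.conf: fix before starting saslauthd"
rm -f "$tmp_ldap" "$tmp_sasl"
```

Both functions are deliberately conservative: ldap_conf_tls_audit treats a missing TLS_REQCERT as the libldap default (demand) and only complains about an explicit never or allow, and saslauthd_conf_audit looks at the first ldap_servers URL only.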

10.2 Restart slapd

# systemctl restart slapd && systemctl status slapd

10.3 Test TLS

$ ldapsearch -x -ZZ -H ldap:/// -D 'cn=admin,cn=config' -W -s base -b 'cn=config'

-ZZ makes ldapsearch abort unless STARTTLS succeeds, so a failure here points at the TLS setup rather than at the bind.

Q. Why not ldaps?
A. See the answer on the OpenLDAP mailing list.

11. Additional LDAP schemas (load cosine first: inetorgperson and nis depend on it)

# ldapadd -Y EXTERNAL -f /etc/openldap/schema/cosine.ldif
# ldapadd -Y EXTERNAL -f /etc/openldap/schema/inetorgperson.ldif

11.1 POSIX Account support

# ldapadd -Y EXTERNAL -f /etc/openldap/schema/nis.ldif

That’s all. Good luck!