openldap configuration leaning note

hostname // to display the computer name

hostname <changed name> // to change

go to: /etc/sysconfig/network, add/modify HOSTNAME=NEWNAME to change permenately

dont forget to change /etc/hosts after you change your hostname,

127.0.0.1 localhost.localdomain localhost

 

 

// the following part mainly is from brightmoon 's blog:

http://blog.csdn.net/hitabc141592/article/details/22931179

 

 

// copy template

# cd /etc/openldap/
# cp /usr/share/openldap-servers/slapd.conf.obsolete slapd.conf

 

// create a passwd for ldap admin# slappasswd{SSHA}pfAJm+JJa4ec2y8GjTc8uMEJpoR5YKLy

a passwd like the above would be displayed, save/remember it for later use

 

// edit config file

# vim /etc/openldap/slapd.conf

database        bdb
suffix          "dc=centos,dc=com"
checkpoint      1024 15
rootdn          "cn=admin,dc=centos,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw                secret
# rootpw                {crypt}ijFYNcSNctBYg
rootpw {SSHA}pfAJm+JJa4ec2y8GjTc8uMEJpoR5YKMn

 

//for rootdn, if your hostname is centos.com, and your current user is in admin group, it should be like this

rootdn          "cn=admin,dc=centos,dc=com"

 

// copy db config file# cp /usr/share/openldap-servers/DB_CONFIG.example  /var/lib/ldap/DB_CONFIG

 

// remove all file under /etc/openldap/slapd.d/* -- very very important!

// actually, I found the files are not deleted by using the following,

// when I navigate to /etc/openldap/slapd.d/ , I saw there are still file under this directory

// so I used rm -rf * under this directory

// when you delete all file under /etc/openldap/slapd.d/, make sure all file under this directory are deleted

// or you would always get "invalid credential" error# rm -rf /etc/openldap/slapd.d/*

 

// restart server and make slapd automaticall started by default# service slapd restart
# chkconfig slapd on

 

// grant access to ldap:ldap user# chown -R ldap:ldap /var/lib/ldap
# chown -R ldap:ldap /etc/openldap/

 

// test and generate config file under /etc/openldap/slapd.d , very important

// once this step is done, it should be displayed the message: config file testing succeeded,

slaptest  -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d

 

// check /etc/openldap/slapd.d/cn=config to cat the file olcDatabase={2}bdb.ldif

// if it is correctly executed, you update in /etc/openldap/slapd.conf should be mapped as following:

// if it is not changed to map your update, there must be something wrong with your previous steps

// got check util you see the right update, or you would always got "credential errors"

olcSuffix: dc=centos,dc=com
olcAddContentAcl: FALSE
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcRootDN: cn=admin,dc=centos,dc=com

// grant ldap:ldap full access, others not

# chown -R ldap:ldap /etc/openldap/slapd.d
# service slapd restart

 

// use migrationtools to export all existing system accounts to ldif files# yum install migrationtools -y

 

# vi  migrate_common.ph

 

...

# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "centos.com";
# Default base
$DEFAULT_BASE ="dc=centos,dc=com";

 

# ./migrate_base.pl > /tmp/base.ldif
# ./migrate_passwd.pl  /etc/passwd > /tmp/passwd.ldif
# ./migrate_group.pl  /etc/group > /tmp/group.ldif

 

 

the password admin is the password set in slapd.conf file, "cn=admin,dc=centos,dc=com"  is the rootdn # ldapadd -x -D "cn=admin,dc=centos,dc=com" -w admin -f /tmp/base.ldif
# ldapadd -x -D "cn=admin,dc=centos,dc=com" -w admin -f /tmp/passwd.ldif
# ldapadd -x -D "cn=admin,dc=centos,dc=com" -w admin -f /tmp/group.ldif

# service slapd restart

 

once you set up the configuration, the following comand can be used to fetch all the entries under the base dn:

ldapsearch -x -H ldap://centos.com -b 'dc=centos,dc=com'

 

ldap browser can be used