Howto: Install and configure LDAP Server (slapd) with TLS in Gentoo

1.1. Install openldap on gentoo

# emerge openldap pam_ldap nss_ldap
# chown ldap:ldap /var/lib/openldap-ldbm /var/lib/openldap-data /var/lib/openldap-slurp

1.2. /etc/openldap/slapd.conf

# Gentoo installs the schema files under /etc/openldap/schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/inetorgperson.schema

# To generate the rootpw line with an SSHA hash, run (slappasswd prompts for the password):
#   echo "rootpw $(slappasswd -h {SSHA})" >> /etc/openldap/slapd.conf

password-hash {SSHA}

# Define SSL and TLS properties
TLSCertificateFile /etc/ssl/ldap.pem
TLSCertificateKeyFile /etc/openldap/ssl/ldap-key.pem
TLSCACertificateFile /etc/ssl/ldap.pem

# use bdb as the backend database (slapd.conf does not accept a trailing comment on a directive line)
database bdb
suffix "dc=example, dc=com"
directory /var/lib/openldap-data
rootdn "cn=Manager, dc=example, dc=com"
rootpw {SSHA}ksjdlfjsdlfjslfkjsdlfjl
checkpoint 1024 5

# index
index cn,sn,uid pres,eq,approx,sub
index objectClass eq

# then set up the access rules (continuation lines must start with whitespace in slapd.conf):
access to attrs=userPassword
    by self write
    by anonymous auth
    by dn.base="cn=Manager,dc=example,dc=com" write
    by * none
access to *
    by self write
    by dn.base="cn=Manager,dc=example,dc=com" write
    by * read
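To see what the two access directives above actually grant, here is a small Python model of slapd's evaluation order: the first `access to` whose target matches the attribute is selected, and within it the first matching `by` clause decides the level, with levels ordered none < disclose < auth < compare < search < read < write < manage. This is an added example, not slapd's implementation and not part of the original howto; the DN normalisation (case folding, stripping blanks around commas) and the function names are simplifications of my own.

```python
from typing import Optional

# slapd access levels from weakest to strongest; a clause granting a level
# also satisfies every requirement to its left.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

MANAGER_DN = "cn=Manager,dc=example,dc=com"

# The two rules from the slapd.conf above, in order. None as target means "*".
# A "who" is "*", "anonymous", "self" or ("dn.base", <dn>).
ACLS = [
    ("userPassword", [("self", "write"),
                      ("anonymous", "auth"),
                      (("dn.base", MANAGER_DN), "write"),
                      ("*", "none")]),
    (None,           [("self", "write"),
                      (("dn.base", MANAGER_DN), "write"),
                      ("*", "read")]),
]


def normalize_dn(dn: Optional[str]) -> Optional[str]:
    """Crude DN normalisation (case-fold, strip blanks around commas); slapd's is fuller."""
    if dn is None:
        return None
    return ",".join(part.strip() for part in dn.split(",")).lower()


def who_matches(who, requester: Optional[str], entry: str) -> bool:
    """Does a 'by <who>' clause match the (normalised) requester acting on entry?"""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "self":
        return requester is not None and requester == entry
    if isinstance(who, tuple) and who[0] == "dn.base":
        return requester == normalize_dn(who[1])
    raise ValueError("unsupported who clause: %r" % (who,))


def granted_level(requester_dn: Optional[str], entry_dn: str, attribute: str) -> str:
    """Level the ACLs grant requester_dn on attribute of entry_dn (None DN = anonymous)."""
    requester, entry = normalize_dn(requester_dn), normalize_dn(entry_dn)
    for target_attr, by_clauses in ACLS:
        if target_attr is not None and target_attr.lower() != attribute.lower():
            continue                       # this access directive does not apply
        for who, level in by_clauses:
            if who_matches(who, requester, entry):
                return level               # first matching by clause wins
        return "none"                      # target matched, no by clause did: denied
    return "none"                          # no directive matched at all


def is_allowed(requester_dn: Optional[str], entry_dn: str, attribute: str, privilege: str) -> bool:
    """True if the granted level is at least the privilege the operation needs."""
    return LEVELS.index(granted_level(requester_dn, entry_dn, attribute)) >= LEVELS.index(privilege)


if __name__ == "__main__":
    alice = "uid=alice,dc=example,dc=com"     # constructed sample entries
    bob = "uid=bob,dc=example,dc=com"
    print(is_allowed(None, alice, "userPassword", "auth"))   # True: anonymous may bind
    print(is_allowed(None, alice, "userPassword", "read"))   # False: but not read the hash
    print(is_allowed(bob, alice, "cn", "read"))              # True
    print(is_allowed(bob, alice, "cn", "write"))             # False
```

Two things the model makes visible: `by * read` in the second rule also grants anonymous clients read access to every attribute except userPassword (use `by users read` if only authenticated clients should read the tree), and slapd exempts the rootdn from access control entirely, so the two `by dn.base="cn=Manager,..."` clauses are redundant with this configuration and are kept here only to mirror the file.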

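The `password-hash {SSHA}` and `rootpw {SSHA}...` lines in the slapd.conf above rely on OpenLDAP's salted SHA-1 format: base64 of the 20-byte SHA-1 digest of password+salt followed by the salt itself. The Python below is an added example (not part of the original howto and not OpenLDAP code) that produces and verifies such strings, so a rootpw value can be checked against a known password without slappasswd; the 4-byte salt mirrors slappasswd's default size and the function names are my own.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

SCHEME = "{SSHA}"
SHA1_LEN = 20  # SHA-1 digest length in bytes; everything after it is the salt


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return an OpenLDAP-style {SSHA} string for password.

    Format: "{SSHA}" + base64(sha1(password + salt) + salt).
    A random 4-byte salt is used when none is given (slappasswd's default size).
    """
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check password against a stored {SSHA} value, e.g. the value of the rootpw line."""
    if not stored.startswith(SCHEME):
        raise ValueError("not an {SSHA} hash: " + stored[:8])
    raw = base64.b64decode(stored[len(SCHEME):])
    if len(raw) <= SHA1_LEN:
        raise ValueError("hash too short to contain a salt")
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    # constant-time comparison of the two digests
    return hmac.compare_digest(candidate, digest)


def check_rootpw_line(line: str, password: str) -> bool:
    """Given a 'rootpw {SSHA}...' line from slapd.conf, report whether password matches it."""
    directive, _, value = line.strip().partition(" ")
    if directive != "rootpw":
        raise ValueError("expected a rootpw directive")
    return ssha_verify(password, value.strip())


if __name__ == "__main__":
    # constructed demo: hash a throw-away password and verify it both ways
    h = ssha_hash("secret")
    print(h)
    print(check_rootpw_line("rootpw " + h, "secret"))   # True
    print(check_rootpw_line("rootpw " + h, "wrong"))    # False
```

`ssha_verify` accepts any salt length after the 20-byte digest, which is what slapd itself does, so hashes produced by other tools with longer salts verify as well.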
1.3. /etc/openldap/ldap.conf

BASE         dc=example,dc=com
# replace server_host with the server's host name; it must match the CN in ldap.pem
URI          ldaps://server_host:636/
# trust the self-signed certificate generated in 1.4 for ldaps:// connections
TLS_CACERT   /etc/ssl/ldap.pem

1.4. Generate SSL certificate

# cd /etc/ssl
# openssl req -config /etc/ssl/openssl.cnf -new -x509 -nodes -out ldap.pem -keyout /etc/openldap/ssl/ldap-key.pem -days 999999
# chown ldap:ldap /etc/openldap/ssl/ldap-key.pem
# chmod 600 /etc/openldap/ssl/ldap-key.pem

1.5. Modify /etc/conf.d/slapd

OPTS="-h 'ldaps:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'"

1.6. Start slapd

/etc/init.d/slapd start

If it starts successfully, test the connection with this command ("-x" selects a simple bind, "-d 5" enables debug output):

ldapsearch -x -D "cn=Manager,dc=example,dc=com" -W -d 5

1.7. Autostart slapd service at Systemstart

rc-update add slapd default

1.8. Some issues

  • run "slaptest" to verify slapd.conf before starting slapd
  • if id2entry.bdb is not found, try "slapadd"
  • recover the DB: run "db4.3_recover -h ." inside /var/lib/openldap-data with slapd stopped
  • useful log: /var/log/messages

