1.1. Install OpenLDAP on Gentoo
# emerge openldap pam_ldap nss_ldap
# chown ldap:ldap /var/lib/openldap-ldbm /var/lib/openldap-data /var/lib/openldap-slurp
1.2. /etc/openldap/slapd.conf
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/inetorgperson.schema
# Generate the rootpw line with an SSHA hash (slappasswd prompts for the password):
#   echo "rootpw $(slappasswd -h '{SSHA}')" >> /etc/openldap/slapd.conf
password-hash {SSHA}
# Define SSL and TLS properties
TLSCertificateFile /etc/ssl/ldap.pem
TLSCertificateKeyFile /etc/openldap/ssl/ldap-key.pem
TLSCACertificateFile /etc/ssl/ldap.pem
# use bdb as the backend database (comments must be on their own line; slapd.conf has no trailing comments)
database bdb
suffix "dc=example,dc=com"
directory /var/lib/openldap-data
rootdn "cn=Manager,dc=example,dc=com"
rootpw {SSHA}ksjdlfjsdlfjslfkjsdlfjl
checkpoint 1024 5
# indexes
index cn,sn,uid pres,eq,approx,sub
index objectClass eq
# access rules: slapd evaluates them in order and uses the first "access to" clause whose target matches,
# so the userPassword rule must come before the catch-all; "by" lines are continuation lines and must be indented
access to attrs=userPassword
    by self write
    by anonymous auth
    by dn.base="cn=Manager,dc=example,dc=com" write
    by * none
access to *
    by self write
    by dn.base="cn=Manager,dc=example,dc=com" write
    by * read
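The order of the two access stanzas is the part of this file that decides whether password hashes leak, so here is an added example (not code from the original post) that checks a slapd.conf for three things: a hashed rootpw, the userPassword clause ahead of the catch-all "access to *", and a final "by * none" on that clause. It runs against two constructed sample files, one laid out as above and one with a cleartext rootpw and the stanzas swapped; it reads files only and touches no running server. "slaptest" still does the syntax check; this only looks at the policy.

```shell
#!/bin/sh
# Added example, not from the original post: lint the security-relevant parts
# of a slapd.conf laid out like the one above. slapd walks "access to" clauses
# in file order and stops at the first target match, so a catch-all placed
# before the userPassword clause exposes password hashes through "by * read".
# Both files written here are constructed samples, not copied from a host.

GOOD_CONF=$(mktemp)
BAD_CONF=$(mktemp)
trap 'rm -f "$GOOD_CONF" "$BAD_CONF"' EXIT

# Constructed sample 1: the layout this guide recommends.
cat > "$GOOD_CONF" <<'EOF'
include /etc/openldap/schema/core.schema
password-hash {SSHA}
database bdb
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
rootpw {SSHA}ksjdlfjsdlfjslfkjsdlfjl
access to attrs=userPassword
    by self write
    by anonymous auth
    by dn.base="cn=Manager,dc=example,dc=com" write
    by * none
access to *
    by self write
    by dn.base="cn=Manager,dc=example,dc=com" write
    by * read
EOF

# Constructed sample 2: cleartext rootpw, and the catch-all first, so the
# userPassword clause is never reached.
cat > "$BAD_CONF" <<'EOF'
database bdb
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
rootpw secret
access to *
    by * read
access to attrs=userPassword
    by self write
    by * none
EOF

# 0 if the rootpw value carries a hash scheme prefix such as {SSHA}, 1 otherwise.
rootpw_is_hashed() {
    val=$(awk '$1 == "rootpw" { print $2; exit }' "$1")
    case "$val" in
        '{'*'}'*) return 0 ;;
        *) return 1 ;;
    esac
}

# 0 if the userPassword clause precedes the first "access to *" (or there is
# no catch-all); 1 if the clause is missing or shadowed by the catch-all.
userpassword_acl_first() {
    pw=$(grep -n '^access[[:space:]]*to[[:space:]]*attrs=userPassword' "$1" | head -n 1 | cut -d: -f1)
    all=$(grep -n '^access[[:space:]]*to[[:space:]]*\*' "$1" | head -n 1 | cut -d: -f1)
    [ -n "$pw" ] || return 1
    [ -n "$all" ] || return 0
    [ "$pw" -lt "$all" ]
}

# 0 if the last "by" line of the userPassword stanza is "by * none", i.e.
# identities not listed above it get nothing (not even read) on the hashes.
userpassword_denies_others() {
    awk '
        /^access[[:blank:]]+to[[:blank:]]+attrs=userPassword/ { in_pw = 1; last = ""; next }
        /^access[[:blank:]]/ && in_pw { in_pw = 0 }
        in_pw && /^[[:blank:]]+by[[:blank:]]/ { sub(/^[[:blank:]]+/, ""); gsub(/[[:blank:]]+/, " "); last = $0 }
        END { if (last == "by * none") exit 0; else exit 1 }
    ' "$1"
}

# Run all checks on one file: prints PASS/FAIL per check; the exit status is
# the number of failed checks.
lint_slapd_conf() {
    fails=0
    for check in rootpw_is_hashed userpassword_acl_first userpassword_denies_others; do
        if "$check" "$1"; then echo "PASS $check"; else echo "FAIL $check"; fails=$((fails + 1)); fi
    done
    return $fails
}

echo "== recommended layout =="
lint_slapd_conf "$GOOD_CONF" || echo "$? check(s) failed"
echo "== catch-all before userPassword =="
lint_slapd_conf "$BAD_CONF" || echo "$? check(s) failed"
```

Point it at a real file with lint_slapd_conf /etc/openldap/slapd.conf; the second sample passes the "by * none" check and still fails, which is exactly why the check on stanza order is the one that matters.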
1.3. /etc/openldap/ldap.conf
BASE dc=example,dc=com
# replace server_host with your LDAP server's hostname
URI ldaps://server_host:636/
TLS_REQCERT allow
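TLS_REQCERT allow is what makes the first ldaps:// connection work against a self-signed certificate, but it also means the client accepts whatever certificate the server presents and never verifies who it is talking to. The script below is an added example, not part of the original post: it writes the ldap.conf above and a hardened version (TLS_CACERT pointing at a copy of the /etc/ssl/ldap.pem generated for the server, TLS_REQCERT demand) to temporary files and reports which one actually verifies the server. server_host is the placeholder used above, not a real host.

```shell
#!/bin/sh
# Added example, not from the original post. TLS_REQCERT allow tolerates a bad
# or missing server certificate, so the ldaps:// session is encrypted but the
# server is not authenticated. TLS_REQCERT demand (the libldap default) plus a
# TLS_CACERT the client trusts makes it refuse servers it cannot verify.
# Both files are constructed samples; server_host is a placeholder.

WEAK_CONF=$(mktemp)
HARDENED_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$HARDENED_CONF"' EXIT

# Constructed sample: the ldap.conf as written in this guide.
cat > "$WEAK_CONF" <<'EOF'
BASE dc=example,dc=com
URI ldaps://server_host:636/
TLS_REQCERT allow
EOF

# Constructed sample: the self-signed server certificate (/etc/ssl/ldap.pem in
# this guide) doubles as the CA, so a copy of it on the client is what
# TLS_CACERT names.
cat > "$HARDENED_CONF" <<'EOF'
BASE dc=example,dc=com
URI ldaps://server_host:636/
TLS_CACERT /etc/ssl/ldap.pem
TLS_REQCERT demand
EOF

# 0 only when the client is configured to verify the server certificate:
# TLS_REQCERT is demand/hard (or unset, which defaults to demand) AND a
# TLS_CACERT or TLS_CACERTDIR is present so that verification can succeed.
# ldap.conf keywords are case-insensitive, hence the toupper/tolower.
client_verifies_server() {
    req=$(awk 'toupper($1) == "TLS_REQCERT" { print tolower($2); exit }' "$1")
    ca=$(awk 'toupper($1) == "TLS_CACERT" || toupper($1) == "TLS_CACERTDIR" { print $2; exit }' "$1")
    case "${req:-demand}" in
        demand|hard) [ -n "$ca" ] ;;
        *) return 1 ;;
    esac
}

# One-line verdict for a file; the second argument is a label for the output.
describe() {
    if client_verifies_server "$1"; then
        echo "$2: server certificate is verified"
    else
        echo "$2: server certificate is not verified (or there is no CA to verify against)"
    fi
}

describe "$WEAK_CONF" "ldap.conf as written above"
describe "$HARDENED_CONF" "hardened ldap.conf"
```

The hardened file is the one to install in /etc/openldap/ldap.conf on the clients once /etc/ssl/ldap.pem has been copied to them; with it in place a mismatched or replaced server certificate makes ldapsearch fail instead of silently connecting.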
1.4. Generate SSL certificate
# mkdir -p /etc/openldap/ssl
# cd /etc/ssl
# openssl req -config /etc/ssl/openssl.cnf -new -x509 -nodes -out ldap.pem -keyout /etc/openldap/ssl/ldap-key.pem -days 999999
# chown ldap:ldap /etc/openldap/ssl/ldap-key.pem
# chmod 600 /etc/openldap/ssl/ldap-key.pem
1.5. Modify /etc/conf.d/slapd
OPTS="-h 'ldaps:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'"
1.6. Start slapd
/etc/init.d/slapd start
If it started, test the connection with this command ("-x" selects a simple bind, "-d 5" turns on debug output):
ldapsearch -x -D "cn=Manager,dc=example,dc=com" -W -d 5
1.7. Start slapd automatically at boot
rc-update add slapd default
1.8. Some issues
- use "slaptest" to verify slapd.conf
- if id2entry.bdb is not found, try "slapadd"
- recover the DB (run inside the database directory): db4.3_recover -h .
- useful log: /var/log/messages