Install OpenLDAP cn=config
Environment
- CentOS 7.6 x64
slapd
2.4.44 (May 16 2018 09:55:53)
Based on an excerpt from http://www.zytrax.com/books/ldap/ch7/
Log 2019 / 11
1. Provider (Source)
1.1. Installation
root@athos:~# yum -y update
root@athos:~# yum -y install openldap-servers openldap-clients
root@athos:~# slapd -VVV
@(#) $OpenLDAP: slapd 2.4.44 (Jan 29 2019 17:42:45) $
mockbuild@x86-01.bsys.centos.org:/builddir/build/BUILD/
openldap-2.4.44/openldap-2.4.44/servers/slapd
Included static backends:
config
ldif
monitor
bdb
hdb
mdb
1.2. Schemas, Module & syncprov Configuration
root@athos:~# rm -rf /var/lib/ldap/*
root@athos:~# rm -rf /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}hdb.ldif
root@athos:~# systemctl enable --now slapd
root@athos:~# ldapadd -Y EXTERNAL -H ldapi:// -f /etc/openldap/schema/cosine.ldif
root@athos:~# ldapadd -Y EXTERNAL -H ldapi:// -f /etc/openldap/schema/inetorgperson.ldif
root@athos:~# ldapadd -Y EXTERNAL -H ldapi:// -f /etc/openldap/schema/nis.ldif
root@athos:~# ldapadd -Y EXTERNAL -H ldapi:// <<EOF
dn: olcDatabase={2}bdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcBdbConfig
olcDatabase: {2}bdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=my-domain,dc=com
olcRootDN: cn=Manager,dc=my-domain,dc=com
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
dn: cn=module{0},cn=config
objectClass: olcModuleList
olcModulePath: /usr/lib64/openldap/
olcModuleLoad: {0}syncprov
dn: olcOverlay=syncprov,olcDatabase={2}bdb,cn=config
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpCheckpoint: 100 10
EOF
1.3. olcDatabase={2}bdb.ldif
root@athos:# cat /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}bdb.ldif
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 2feca2db
dn: olcDatabase={2}bdb
objectClass: olcDatabaseConfig
objectClass: olcBdbConfig
olcDatabase: {2}bdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=my-domain,dc=com
olcRootDN: cn=Manager,dc=my-domain,dc=com
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
structuralObjectClass: olcBdbConfig
entryUUID: d314d3bc-63dc-1038-80c9-550d6144a018
creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
createTimestamp: 20181014091105Z
entryCSN: 20181014091105.610889Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20181014091105Z
root@athos:~#
1.4. slappasswd (generate the RootPW hash)
Note: passing the secret with -s, as below, leaves it in the shell history and in process listings; when -s is omitted, slappasswd prompts for it instead.
root@athos:~# slappasswd -h {SSHA} -s p@ssw0rd
{SSHA}v7enzTGfyL9Vq04zCh8Gkp2tT64sfRmI
1.5. Change Domain Component, RootDN, RootPW & Log Level
root@athos:~# ldapmodify -Y EXTERNAL -H ldapi:// <<EOF
dn: olcDatabase={2}bdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=athos,dc=local
dn: olcDatabase={2}bdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=admin,dc=athos,dc=local
dn: olcDatabase={2}bdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}v7enzTGfyL9Vq04zCh8Gkp2tT64sfRmI
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: any
EOF
1.6. DIT
root@athos:~# ldapadd -H ldap:// -D "cn=admin,dc=athos,dc=local" -w p@ssw0rd <<EOF
dn: dc=athos,dc=local
objectClass: top
objectClass: dcObject
objectClass: organization
o: athos
dc: athos
description: athos.local
dn: ou=GIT,dc=athos,dc=local
objectClass: top
objectClass: organizationalUnit
ou: GIT
description: Group IT
dn: cn=Group IT,ou=GIT,dc=athos,dc=local
objectClass: posixGroup
objectClass: top
gidNumber: 40010
cn: Group IT
dn: uid=zuhdi,ou=GIT,dc=athos,dc=local
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
objectClass: shadowAccount
givenName: zuhdi
sn: najib
displayName: Zuhdi Najib
homeDirectory: /home/zuhdi
loginShell: /bin/bash
cn: Zuhdi Najib
uidNumber: 5000
gidNumber: 40010
uid: zuhdi
gecos: Zuhdi Najib
shadowFlag: 0
shadowMin: 0
shadowMax: 99999
shadowWarning: 0
shadowInactive: 99999
shadowLastChange: 12011
shadowExpire: 99999
EOF
1.7. Verification & rsyslog
Note: olcLogLevel "any" (set in 1.5) is extremely verbose and logs every operation; lower it once the setup is verified, and keep the log file readable by root only.
root@athos:~# journalctl -e -u slapd
root@athos:~# ldapsearch -H ldap:// -x -LLL -b "" -s base namingContexts
root@athos:~# ldapsearch -H ldap:// -x -LLL -b "dc=athos,dc=local" "(objectclass=*)"
root@athos:~# ldapsearch -H ldapi:// -LLL -b "cn=config" "(objectClass=olcGlobal)"
root@athos:~# ldapsearch -H ldapi:// -LLL -b "cn=config"
root@athos:~# rpm -qa | grep rsyslog
rsyslog-8.24.0-41.el7_7.2.x86_64
root@athos:~# echo "local4.* /var/log/openldap/openldap.log" >> /etc/rsyslog.conf
root@athos:~# mkdir /var/log/openldap/
root@athos:~# systemctl restart rsyslog
root@athos:~# systemctl restart slapd
2. Consumer (Destination)
2.1. Installation
root@chimera:~# yum -y update
root@chimera:~# yum -y install openldap-servers openldap-clients
2.2. Schemas, Module & syncprov Configuration
root@chimera:~# rm -rf /var/lib/ldap/*
root@chimera:~# rm -rf /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}hdb.ldif
root@chimera:~# systemctl enable --now slapd
root@chimera:~# ldapadd -Y EXTERNAL -H ldapi:// -f /etc/openldap/schema/cosine.ldif
root@chimera:~# ldapadd -Y EXTERNAL -H ldapi:// -f /etc/openldap/schema/inetorgperson.ldif
root@chimera:~# ldapadd -Y EXTERNAL -H ldapi:// -f /etc/openldap/schema/nis.ldif
root@chimera:~# ldapadd -Y EXTERNAL -H ldapi:// <<EOF
dn: olcDatabase={2}bdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcBdbConfig
olcDatabase: {2}bdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=my-domain,dc=com
olcRootDN: cn=Manager,dc=my-domain,dc=com
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
dn: cn=module{0},cn=config
objectClass: olcModuleList
olcModulePath: /usr/lib64/openldap/
olcModuleLoad: {0}syncprov
EOF
2.3. Change Domain Component, RootDN, RootPW, Log Level & syncrepl
Note: the provider URL below uses plain ldap://, so the bind credentials and the replicated entries cross the network unencrypted; outside a lab, use ldaps:// or add starttls=yes to the olcSyncrepl line.
root@chimera:~# ldapmodify -Y EXTERNAL -H ldapi:// <<EOF
dn: olcDatabase={2}bdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=athos,dc=local
dn: olcDatabase={2}bdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=admin,dc=athos,dc=local
dn: olcDatabase={2}bdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}v7enzTGfyL9Vq04zCh8Gkp2tT64sfRmI
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: any
dn: olcDatabase={2}bdb,cn=config
changetype: modify
add: olcSyncrepl
olcSyncrepl: rid=001
provider="ldap://athos.host"
bindmethod=simple
binddn="cn=admin,dc=athos,dc=local"
credentials=p@ssw0rd
searchbase="dc=athos,dc=local"
type=refreshAndPersist
retry="30 30 300 +"
attrs="*,+"
EOF