Thursday, September 22, 2011

OpenLDAP configuration On CentOS

OpenLDAP – Centos5 – Server Configuration
****

Usage: A quick and dirty guide for an OpenLDAP Server Configuration on Centos 5.5 64-bit Environment

****

1. install the software

[root@ldap ~]# yum install openldap-servers openldap-servers-overlays openldap-clients

****

2. make proper directories for your setup

[root@ldap openldap]# pwd
/etc/openldap

[root@ldap openldap]# mkdir /var/lib/ldap/bar.com

[root@ldap openldap]# ls -la
total 72
drwxr-xr-x 4 root root 4096 Mar 8 12:30 .
drwxr-xr-x 79 root root 4096 Mar 7 17:35 ..
drwxr-xr-x 2 root root 4096 Nov 29 09:50 cacerts
-rw-r—– 1 root ldap 921 Nov 29 09:49 DB_CONFIG.example
-rw-r–r– 1 root root 327 Jun 25 2010 ldap.conf
-rw——- 1 root root 327 Mar 8 12:16 ldap.conf.orig
drwxr-xr-x 3 root root 4096 Mar 7 17:26 schema
-rw-r—– 1 root ldap 3167 Mar 8 12:30 slapd.conf
-rw——- 1 root root 3801 Mar 8 12:16 slapd.conf.orig

[root@ldap openldap]# cp DB_CONFIG.example /var/lib/ldap/bar.com/DB_CONFIG

****

3. configure your slapd.conf

[root@ldap openldap]# cat slapd.conf
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
# (The listing above shows it as root:ldap mode 0640, which satisfies that;
# it holds rootpw and the ACLs, so keep it that way.)
#

# loglevel
#loglevel 768
# 'stats' logs connections/operations/results; 'acl' logs access-control
# decisions — useful while debugging the ACLs below, noisy in production.
loglevel stats acl

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema

# sudo.schema is the locally created file from step 10 (it must be readable
# by slapd, hence the chmod 644 there); ppolicy.schema is required by the
# ppolicy overlay loaded further down.
include /etc/openldap/schema/sudo.schema
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema

# Allow LDAPv2 client connections. This is NOT the default.
#allow bind_v2

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

# NOTE(review): in OpenSSL cipher-string syntax '+' only moves matching
# ciphers to the end of the list, it does not remove them, so '+SSLv2:+SSLv3'
# leaves SSLv2/SSLv3-era ciphers selectable. To actually exclude them use
# '!' (e.g. '!SSLv2:!aNULL'); check the effective list with
# `openssl ciphers -v '<string>'` on this host.
TLSCipherSuite HIGH:MEDIUM:+SSLv2:+SSLv3:RSA
# CA cert, server cert and key as installed in step 9 (cert/key are
# mode 0400 owned by ldap, which is what slapd needs at startup).
TLSCACertificateFile /etc/openldap/cacerts/cacert.pem
TLSCertificateFile /etc/openldap/slapdcert.pem
TLSCertificateKeyFile /etc/openldap/slapdkey.pem
# 'allow': a client certificate is requested but not required, and a bad
# one is ignored; use 'demand' if client certificates should be enforced.
TLSVerifyClient allow

# Access restricted for normal users
defaultaccess none

# Password attribute: only the owner and the named admin DN may write it;
# 'anonymous auth' is needed so simple binds can compare the password
# without being able to read it.
access to attrs=userPassword
by self write
by dn=”cn=LDAPMaster,dc=foo,dc=bar,dc=com” write
by anonymous auth
by * none

# NOTE(review): 'by * read' grants anonymous read of every other attribute
# in the tree (group membership, sudo roles, shadow* fields, ...). Confirm
# that is acceptable for this deployment; otherwise tighten to 'by users read'.
# Also note the admin DN here is cn=LDAPMaster, while the rootdn below is
# uid=LDAPMaster. The rootdn bypasses ACLs entirely, and the cn=LDAPMaster
# entry created in step 13 carries no userPassword, so these 'by dn=' clauses
# appear to be dead until that entry can actually bind — TODO confirm.
access to *
by dn=”cn=LDAPMaster,dc=foo,dc=bar,dc=com” write
by self write
by * read

# enable monitoring
database monitor

# Restrict the cn=Monitor database to the named admin DN. (The rootdn can
# read it regardless of this ACL; everyone else gets nothing.)
access to *
by dn.exact=”cn=LDAPMaster,dc=foo,dc=bar,dc=com” read
by * none

#######################################################################
# ldbm and/or bdb database definitions
#######################################################################

database bdb
suffix “dc=bar,dc=com”
# The rootdn is not subject to access control; it is the identity used by
# the ldapadd commands in the later steps.
rootdn “uid=LDAPMaster,dc=foo,dc=bar,dc=com”
# Generate with `slappasswd` (SSHA). The value shown here looks truncated
# compared to a normal {SSHA} hash — treat it as a placeholder.
rootpw {SSHA}Ai+3urKCuCoWgg/KPV

# Must be owned by the ldap user (steps 11 and 16); slapadd run as root
# leaves root-owned files behind otherwise.
directory /var/lib/ldap/bar.com

# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index sudoUser eq
#index nisMapName,nisMapEntry eq,pres,sub

###
#
modulepath /usr/lib64/openldap

# required if the overlay is built dynamically
#
# for dnylist by muda
moduleload dynlist.la
# for ppolicy by muda
moduleload ppolicy.la
#moduleload refint.la
#moduleload unique.la

# other overlay directives
#
# for dnylist by muda
overlay dynlist
# for ppolicy by muda
overlay ppolicy
#overlay refint
#overlay unique

# define the default policy – by muda
# (the entry itself is loaded in step 21 from sd_ppolicy.ldif)
ppolicy_default “cn=default,ou=pwpolicies,dc=foo,dc=bar,dc=com”

# NOTE(review): the effect of ppolicy_use_lockout is the opposite of what
# the original comment claimed. Per slapo-ppolicy(5), with this directive
# set slapd returns an AccountLocked error to a locked account instead of
# the generic "invalid credentials", which tells a client that the account
# exists and is locked. Leave it unset if that disclosure is not wanted.
ppolicy_use_lockout

dynlist-attrset extensibleObject labeledURI member

#refint_attributes member
#refint_nothing “uid=muda,o=auth_user,dc=foo,dc=bar,dc=com”

****

4. install an HTTP server with SSL support (not really needed, but helpful)

[root@ldap private]# yum install httpd mod_ssl

****

5. create the proper directories which are needed for our CA

[root@ldap CA]# pwd
/etc/pki/CA

[root@ldap CA]# mkdir certs
[root@ldap CA]# mkdir crl
[root@ldap CA]# mkdir newcerts
[root@ldap CA]# touch index.txt

[root@ldap CA]# ls -la
total 52
drwx—— 6 root root 4096 Mar 8 13:28 .
drwxr-xr-x 6 root root 4096 Jun 25 2010 ..
drwx—— 2 root root 4096 Mar 8 13:28 certs
drwx—— 2 root root 4096 Mar 8 13:28 crl
-rw——- 1 root root 0 Mar 8 13:28 index.txt
drwx—— 2 root root 4096 Mar 8 13:28 newcerts
drwx—— 2 root root 4096 Dec 15 16:31 private

****

6. create the proper keys for the CA which is needed for our LDAP configuration

[root@ldap CA]# openssl req -config ../tls/openssl.cnf -new -x509 -extensions v3_ca -keyout private/ca.key -out certs/ca.crt -days 3650
Generating a 1024 bit RSA private key
….++++++
………….++++++
writing new private key to ‘private/ca.key’
Enter PEM pass phrase:
Verifying – Enter PEM pass phrase:
—–
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [UK]:
State or Province Name (full name) [London]:
Locality Name (eg, city) [London]:
Organization Name (eg, company) [bar LTD]:
Organizational Unit Name (eg, section) []:Hosting
Common Name (eg, your name or your server’s hostname) []:ldap1.foo.bar.com
Email Address []:

[root@ldap private]# ln -s ca.key cakey.pem
[root@ldap private]# ls -la
total 28
drwx—— 2 root root 4096 Mar 8 13:36 .
drwx—— 6 root root 4096 Mar 8 13:28 ..
-rw——- 1 root root 963 Mar 8 13:31 ca.key
lrwxrwxrwx 1 root root 6 Mar 8 13:36 cakey.pem -> ca.key

[root@ldap CA]# ln -s certs/ca.crt cacert.pem
[root@ldap CA]# ls -la
total 56
drwx—— 6 root root 4096 Mar 8 13:38 .
drwxr-xr-x 6 root root 4096 Jun 25 2010 ..
lrwxrwxrwx 1 root root 12 Mar 8 13:38 cacert.pem -> certs/ca.crt
drwx—— 2 root root 4096 Mar 8 13:31 certs
drwx—— 2 root root 4096 Mar 8 13:28 crl
-rw——- 1 root root 0 Mar 8 13:28 index.txt
drwx—— 2 root root 4096 Mar 8 13:28 newcerts
drwx—— 2 root root 4096 Mar 8 13:36 private

[root@ldap CA]# touch serial
[root@ldap CA]# ls -la
total 60
drwx—— 6 root root 4096 Mar 8 13:39 .
drwxr-xr-x 6 root root 4096 Jun 25 2010 ..
lrwxrwxrwx 1 root root 12 Mar 8 13:38 cacert.pem -> certs/ca.crt
drwx—— 2 root root 4096 Mar 8 13:31 certs
drwx—— 2 root root 4096 Mar 8 13:28 crl
-rw——- 1 root root 0 Mar 8 13:28 index.txt
drwx—— 2 root root 4096 Mar 8 13:28 newcerts
drwx—— 2 root root 4096 Mar 8 13:36 private

[root@ldap workspace.muda]# vi ../../CA/serial
insert ’00′

****

7. create the proper keys for TLS support which is needed for our LDAP configuration

[root@ldap workspace.muda]# openssl req -newkey rsa:2048 -keyout key.pem -keyform PEM -out req.pem -outform PEM -nodes
Generating a 2048 bit RSA private key
………………………………………………….+++
…………………………………………………………….+++
writing new private key to ‘key.pem’
—–
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [UK]:
State or Province Name (full name) [London]:
Locality Name (eg, city) [London]:
Organization Name (eg, company) [bar LTD]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server’s hostname) []:ldap1.foo.bar.com
Email Address []:webmaster@bar.com

Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

****

8. sign the key with your CA

[root@ldap workspace.muda]# openssl ca -in req.pem -notext -out cert.pem -config ../openssl.cnf
Using configuration from ../openssl.cnf
Enter pass phrase for ../../CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 2 (0×2)
Validity
Not Before: Mar 8 14:07:44 2011 GMT
Not After : Mar 5 14:07:44 2021 GMT
Subject:
countryName = UK
stateOrProvinceName = London
organizationName = bar LTD
commonName = ldap1.foo.bar.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate

Certificate is to be certified until Mar 5 14:07:44 2021 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

[root@ldap workspace.muda]# ls -la
total 48
drwx—— 3 root root 4096 Mar 8 15:07 .
drwxr-xr-x 6 root root 4096 Mar 8 12:57 ..
drwx—— 2 root root 4096 Mar 8 13:58 backup
-rw——- 1 root root 1233 Mar 8 15:07 cert.pem
-rw——- 1 root root 1679 Mar 8 15:07 key.pem
-rw——- 1 root root 1017 Mar 8 15:07 req.pem

****

9. copy the keys to the proper locations

[root@ldap workspace.muda]# cp cert.pem /etc/openldap/slapdcert.pem
[root@ldap workspace.muda]# cp key.pem /etc/openldap/slapdkey.pem

[root@ldap workspace.muda]# chmod 400 /etc/openldap/slapd*.pem
[root@ldap workspace.muda]# chown ldap /etc/openldap/slapd*.pem

[root@ldap workspace.muda]# ls -la /etc/openldap/
total 88
drwxr-xr-x 4 root root 4096 Mar 8 15:10 .
drwxr-xr-x 81 root root 4096 Mar 8 12:53 ..
drwxr-xr-x 2 root root 4096 Nov 29 09:50 cacerts
-rw-r—– 1 root ldap 921 Nov 29 09:49 DB_CONFIG.example
-rw-r–r– 1 root root 327 Jun 25 2010 ldap.conf
-rw——- 1 root root 327 Mar 8 12:16 ldap.conf.orig
drwxr-xr-x 3 root root 4096 Mar 7 17:26 schema
-r——– 1 ldap root 1233 Mar 8 15:10 slapdcert.pem
-rw-r—– 1 root ldap 3167 Mar 8 12:30 slapd.conf
-rw——- 1 root root 3801 Mar 8 12:16 slapd.conf.orig
-r——– 1 ldap root 1679 Mar 8 15:11 slapdkey.pem

[root@ldap workspace.muda]# cd ../../CA/certs/
[root@ldap certs]# ls -la
total 24
drwx—— 2 root root 4096 Mar 8 13:31 .
drwx—— 6 root root 4096 Mar 8 15:07 ..
-rw——- 1 root root 1289 Mar 8 13:31 ca.crt

[root@ldap certs]# cp ca.crt /etc/openldap/cacerts/cacert.pem
[root@ldap certs]# chown ldap /etc/openldap/cacerts/cacert.pem
[root@ldap certs]# chmod 400 /etc/openldap/cacerts/cacert.pem

****

10. create the sudoers ldap schema

[root@ldap schema]# cat sudo.schema
#
# schema file for sudo
#
attributetype ( 1.3.6.1.4.1.15953.9.1.1
NAME ‘sudoUser’
DESC ‘User(s) who may run sudo’
EQUALITY caseExactIA5Match
SUBSTR caseExactIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.2
NAME ‘sudoHost’
DESC ‘Host(s) who may run sudo’
EQUALITY caseExactIA5Match
SUBSTR caseExactIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.3
NAME ‘sudoCommand’
DESC ‘Command(s) to be executed by sudo’
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.4
NAME ‘sudoRunAs’
DESC ‘User(s) impersonated by sudo’
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.5
NAME ‘sudoOption’
DESC ‘Options(s) followed by sudo’
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME ‘sudoRole’ SUP top STRUCTURAL
DESC ‘Sudoer Entries’
MUST ( cn )
MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoOption $
description )
)

[root@ldap schema]# ls -la
total 292
drwxr-xr-x 3 root root 4096 Mar 8 15:16 .
drwxr-xr-x 4 root root 4096 Mar 8 15:10 ..
-rw-r–r– 1 root root 8231 Nov 29 09:49 corba.schema
-rw-r–r– 1 root root 20591 Nov 29 09:49 core.ldif
-rw-r–r– 1 root root 19762 Nov 29 09:49 core.schema
-rw-r–r– 1 root root 74080 Nov 29 09:49 cosine.schema
-rw-r–r– 1 root root 1553 Nov 29 09:49 dyngroup.schema
-rw-r–r– 1 root root 6360 Nov 29 09:49 inetorgperson.schema
-rw-r–r– 1 root root 13984 Nov 29 09:49 java.schema
-rw-r–r– 1 root root 2471 Nov 29 09:49 misc.schema
-rw-r–r– 1 root root 7723 Nov 29 09:49 nis.schema
-rw-r–r– 1 root root 3391 Nov 29 09:49 openldap.ldif
-rw-r–r– 1 root root 1601 Nov 29 09:49 openldap.schema
-rw-r–r– 1 root root 19689 Nov 29 09:49 ppolicy.schema
-rw-r–r– 1 root root 2968 Nov 29 09:49 README
drwxr-xr-x 2 root root 4096 Mar 7 17:26 redhat
-rw——- 1 root root 1255 Mar 8 15:16 sudo.schema

[root@ldap schema]# chmod 644 sudo.schema

****

11. do some sanity work to set proper user rights

[root@ldap bar.com]# pwd
/var/lib/ldap/bar.com

[root@ldap bar.com]# ls -la
total 88278
-rw——- 1 root root 921 Mar 8 15:22 DB_CONFIG

[root@ldap bar.com]# chown ldap *
[root@ldap bar.com]# ls -la
total 88278
-rw——- 1 ldap root 921 Mar 8 15:22 DB_CONFIG

****

12. start the ldap service to surface any initial configuration issues

[root@ldap schema]# /etc/init.d/ldap start
Checking configuration files for slapd: config file testing succeeded
[ OK ]
Starting slapd: [ OK ]

****

13. start with the initial load setup

[root@ldap schema]# pwd
/etc/openldap/schema

[root@ldap schema]# cat sd_initial.ldif
dn: dc=bar,dc=com
objectclass: dcObject
objectclass: organization
o: bar AG
dc: bar

dn: dc=foo,dc=bar,dc=com
objectclass: dcObject
objectclass: organization
o: Hosting bar AG
dc: foo

dn: cn=LDAPMaster,dc=foo,dc=bar,dc=com
objectClass: organizationalRole
cn: LDAPMaster

****

14. load the initial with slapadd

[root@ldap schema]# slapadd -v -l sd_initial.ldif -b dc=foo,dc=bar,dc=com
added: “dc=bar,dc=com” (00000001)
added: “dc=foo,dc=bar,dc=com” (00000002)
added: “cn=LDAPMaster,dc=foo,dc=bar,dc=com” (00000003)

****

15. check for it with slapcat

[root@ldap schema]# slapcat -f /etc/openldap/slapd.conf -b “dc=bar,dc=com”
dn: dc=bar,dc=com
objectClass: dcObject
objectClass: organization
o: bar LTD
dc: bar
structuralObjectClass: organization
entryUUID: ef58d566-dddc-102f-8722-81ba417f62e8
creatorsName: uid=LDAPMaster,dc=foo,dc=bar,dc=com
modifiersName: uid=LDAPMaster,dc=foo,dc=bar,dc=com
createTimestamp: 20110308143435Z
modifyTimestamp: 20110308143435Z
entryCSN: 20110308143435Z#000000#00#000000

dn: dc=foo,dc=bar,dc=com
objectClass: dcObject
objectClass: organization
o: Hosting bar LTD
dc: foo
structuralObjectClass: organization
entryUUID: ef59994c-dddc-102f-8723-81ba417f62e8
creatorsName: uid=LDAPMaster,dc=foo,dc=bar,dc=com
modifiersName: uid=LDAPMaster,dc=foo,dc=bar,dc=com
createTimestamp: 20110308143435Z
modifyTimestamp: 20110308143435Z
entryCSN: 20110308143435Z#000001#00#000000

dn: cn=LDAPMaster,dc=foo,dc=bar,dc=com
objectClass: organizationalRole
cn: LDAPMaster
structuralObjectClass: organizationalRole
entryUUID: ef59ce1c-dddc-102f-8724-81ba417f62e8
creatorsName: uid=LDAPMaster,dc=foo,dc=bar,dc=com
modifiersName: uid=LDAPMaster,dc=foo,dc=bar,dc=com
createTimestamp: 20110308143435Z
modifyTimestamp: 20110308143435Z
entryCSN: 20110308143435Z#000002#00#000000

****

15. check the ‘/etc/openldap/ldap.conf’

[root@ldap openldap]# cat ldap.conf
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE dc=foo,dc=bar,dc=com
# Plain ldap:// (not ldaps://): sessions start in cleartext. The ldapadd
# commands in this guide use -x (simple bind) without -Z, so the rootdn
# password is sent unencrypted unless STARTTLS is actually negotiated.
URI ldap://ldap1.foo.bar.com

# NOTE(review): TLS_CACERTDIR is searched by hashed file name (c_rehash),
# and the guide only copies cacert.pem into it (step 9) with mode 0400
# owned by ldap, so other local users cannot read it. Verification only
# appears to work because of 'allow' below; if it is tightened, either run
# c_rehash on the directory or point TLS_CACERT at the file, and make the
# CA cert world-readable (it is public).
TLS_CACERTDIR /etc/openldap/cacerts
# 'allow' (ldap.conf(5)): a missing or failing server certificate is
# ignored and the session proceeds, so the client does not authenticate
# the server. The default 'demand' rejects such sessions.
TLS_REQCERT allow

****

16. check again for proper user rights (ldap) and fix it if necessary

[root@ldap openldap]# cd /var/lib/ldap/
[root@ldap ldap]# ls -la
total 8
drwx—— 3 ldap ldap 1024 Mar 8 12:34 .
drwxr-xr-x 22 root root 1024 Mar 8 12:53 ..
-rw-r–r– 1 root root 37 Mar 7 17:26 openldap-severs-update.log
drwx—— 2 root root 1024 Mar 8 15:34 bar.com

[root@ldap ldap]# chown -R ldap *
[root@ldap ldap]# ls -la
total 8
drwx—— 3 ldap ldap 1024 Mar 8 12:34 .
drwxr-xr-x 22 root root 1024 Mar 8 12:53 ..
-rw-r–r– 1 ldap root 37 Mar 7 17:26 openldap-severs-update.log
drwx—— 2 ldap root 1024 Mar 8 15:34 bar.com

[root@ldap ldap]# cd bar.com/
[root@ldap bar.com]# ls -la
total 88278
drwx—— 2 ldap root 1024 Mar 8 15:34 .
drwx—— 3 ldap ldap 1024 Mar 8 12:34 ..
-rw——- 1 ldap root 8192 Mar 8 15:34 cn.bdb
-rw——- 1 ldap root 24576 Mar 8 15:35 __db.001
-rw——- 1 ldap root 104857600 Mar 8 15:35 __db.002
-rw——- 1 ldap root 335552512 Mar 8 15:35 __db.003
-rw——- 1 ldap root 2359296 Mar 8 15:35 __db.004
-rw——- 1 ldap root 557056 Mar 8 15:35 __db.005
-rw——- 1 ldap root 24576 Mar 8 15:35 __db.006
-rw——- 1 ldap root 921 Mar 8 15:31 DB_CONFIG
-rw——- 1 ldap root 8192 Mar 8 15:34 dn2id.bdb
-rw——- 1 ldap root 32768 Mar 8 15:34 id2entry.bdb
-rw——- 1 ldap root 10485760 Mar 8 15:34 log.0000000001
-rw——- 1 ldap root 8192 Mar 8 15:34 objectClass.bdb

****

17. config the ldap base for our tree and load it

[root@ldap schema]# cat sd_base.ldif
# hostgroup
dn: ou=hosts,dc=foo,dc=bar,dc=com
ou: hosts
objectClass: organizationalunit

# sudoers group
dn: ou=SUDOers,dc=foo,dc=bar,dc=com
objectClass: top
objectClass: organizationalUnit
ou: SUDOers

# authenticated groups
dn: o=auth_group,dc=foo,dc=bar,dc=com
o: auth_group
objectclass: organization

# authenticated users
dn: o=auth_user,dc=foo,dc=bar,dc=com
o: auth_user
objectclass: organization

# pw policy group
dn: ou=pwpolicies,dc=foo,dc=bar,dc=com
objectClass: top
objectClass: organizationalUnit
ou: pwpolicies

[root@ldap schema]# ldapadd -h ldap1.foo.bar.com -x -D “uid=LDAPMaster,dc=foo,dc=bar,dc=com” -W -f sd_base.ldif -vv

****

18. config the ldap group base for our tree and load it

[root@ldap schema]# cat sd_auth_group.ldif
dn: cn=testXusergrp,o=auth_group,dc=foo,dc=bar,dc=com
objectClass: posixGroup
objectClass: top
cn: testXusergrp
gidNumber: 5500
userPassword:: e2NyeXg=

[root@ldap schema]# ldapadd -h ldap1.foo.bar.com -x -D “uid=LDAPMaster,dc=foo,dc=bar,dc=com” -W -f sd_auth_group.ldif -vv

****

19. config the ldap user base for our tree and load it

[root@ldap schema]# cat sd_auth_user.ldif
dn: uid=checkit,o=auth_user,dc=foo,dc=bar,dc=com
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
cn: Checkit TestUser
gidNumber: 5500
homeDirectory: /home/nfs/checkit
uid: checkit
uidNumber: 10001
description: testing user for ldap
loginShell: /bin/bash
shadowLastChange: 14853
shadowMax: 99999
shadowWarning: 7
userPassword:: e2NyeXB0fSQNzSDE=

19.1 alternative config the ldap user base for our tree and load it

I had a problem with ‘objectClass: account’ because I needed a ‘mail’ entry to run a script that checks whether an account's password is about to expire. So I changed the structural ‘objectClass’ to ‘inetOrgPerson’, which allows me to work with that (‘sn’ is mandatory, ‘mail’ is optional).

Check: http://www.zytrax.com/books/ldap/ape/#inetorgperson

[root@ldap schema]# cat sd_auth_user.ldif
dn: uid=checkit,o=auth_user,dc=foo,dc=bar,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
cn: Checkit TestUser
sn: checkit
mail: checkit@foo.bar.com
gidNumber: 5500
homeDirectory: /home/nfs/checkit
uid: checkit
uidNumber: 10001
description: testing user for ldap
loginShell: /bin/bash
shadowLastChange: 14853
shadowMax: 99999
shadowWarning: 7
userPassword:: e2NyeXB0fSQNzSDE=

[root@ldap schema]# ldapadd -h ldap1.foo.bar.com -x -D “uid=LDAPMaster,dc=foo,dc=bar,dc=com” -W -f sd_auth_user.ldif -vv

HINT: You can also do this for existing entries in your tree; this should work:
You just have to write the LDIF so that the removal of ‘account’ and the adding of ‘inetOrgPerson’ happen in one go.

dn: uid=checkit,o=auth_user,dc=foo,dc=bar,dc=com
changetype: modify
add: objectclass
objectclass: inetOrgPerson
-
delete: objectclass
objectclass: account
-
add: sn
sn: checkit

****

20. config the ldap sudoers base for our tree and load it

[root@ldap schema]# cat sd_sudoers.ldif
# Global sudo defaults (cn=defaults is the entry sudo reads for sudoOption
# defaults). 'ignore_local_sudoers' makes LDAP the only sudoers source,
# so a broken or unreachable directory means no sudo at all — keep a
# break-glass path in mind.
dn: cn=defaults,ou=SUDOers,dc=foo,dc=bar,dc=com
objectClass: sudoRole
objectClass: top
cn: defaults
description: Default sudoOption’s
sudoOption: !lecture
sudoOption: log_host
sudoOption: log_year
sudoOption: ignore_dot
sudoOption: logfile=/var/log/sudolog
sudoOption: passwd_tries=3
sudoOption: timestamp_timeout=5
sudoOption: passwd_timeout=1
sudoOption: syslog=authpriv
sudoOption: root_sudo
sudoOption: authenticate
sudoOption: ignore_local_sudoers

# NOTE(review): this role grants 'sudoCommand: ALL' as root and then tries
# to carve out exceptions with '!' entries. sudoers(5) documents that such
# negations are not a reliable restriction (the same program can be reached
# via another path, a copy, or an editor shell escape), so treat this as
# full root for 'checkit' on ldap1. 'sudoOption: !authenticate' additionally
# removes the password prompt for every command in the role — confirm both
# are intended before applying this in production.
dn: cn=administration,ou=SUDOers,dc=foo,dc=bar,dc=com
objectClass: sudoRole
objectClass: top
cn: administration
description: Administration Role
sudoCommand: ALL
sudoCommand: !/usr/sbin/visudo
sudoCommand: !/bin/more *sudoers
sudoCommand: !/bin/cp *sudoers
sudoCommand: !/bin/mv *sudoers
sudoCommand: !/bin/cat *sudoers
sudoCommand: !/bin/su “”
sudoCommand: !/bin/su * root
sudoCommand: !/bin/su -
sudoCommand: !/bin/su -[! ]*
sudoCommand: !/bin/su root
sudoCommand: !/bin/vi *sudoers
sudoOption: !authenticate
sudoHost: ldap1.foo.bar.com
sudoRunAs: root
sudoUser: checkit

[root@ldap schema]# ldapadd -h ldap1.foo.bar.com -x -D “uid=LDAPMaster,dc=foo,dc=bar,dc=com” -W -f sd_sudoers.ldif -vv

****

21. config the ldap password policy base for our tree and load it

[root@ldap schema]# cat sd_ppolicy.ldif
# Default password policy, referenced by 'ppolicy_default' in slapd.conf.
# pwdPolicy is AUXILIARY, so 'device' is used only as the structural class
# carrying the entry. pwdMaxAge 2592000 s = 30 days; after pwdMaxFailure (6)
# failed binds the account is locked (pwdLockout TRUE). No pwdLockoutDuration
# is set, which per slapo-ppolicy(5) means the lock lasts until an
# administrator resets the password — confirm that is the intended behaviour.
dn: cn=default,ou=pwpolicies,dc=foo,dc=bar,dc=com
objectClass: top
objectClass: pwdPolicy
objectClass: device
objectClass: pwdPolicyChecker
cn: default
pwdAttribute: userPassword
pwdInHistory: 7
pwdLockout: TRUE
pwdMaxAge: 2592000
pwdMaxFailure: 6
pwdMinLength: 8
pwdMustChange: TRUE
pwdSafeModify: FALSE

[root@ldap schema]# ldapadd -h ldap1.foo.bar.com -x -D “uid=LDAPMaster,dc=foo,dc=bar,dc=com” -W -f sd_ppolicy.ldif -vv

****

22. Uncomment the following section in ppolicy.schema:

( 1.3.6.1.4.1.42.2.27.8.1.23
NAME ‘pwdPolicySubentry’
DESC ‘The pwdPolicy subentry in effect for this object’
EQUALITY distinguishedNameMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
SINGLE-VALUE
USAGE directoryOperation )

****

23. script to check the ldap pwd expiration (with password policy support)

https://ltb-project.org/svn/ldap-scripts/trunk/checkLdapPwdExpiration.sh

****

24. download apache directory studio for further config
