Difference between revisions of "OpenLDAP"
References
[1] https://www.lisenet.com/2016/openldap-with-ssl-and-nfs-for-user-home-directories-on-centos-7/
[2] https://www.youtube.com/watch?v=bp8ffdY7Mu4
[3] https://wiki.samba.org/index.php/OpenLDAP_as_proxy_to_AD
[4] https://doc.owncloud.org/server/10.0/admin_manual/configuration/ldap/ldap_proxy_cache_server_setup.html
[5] https://www.itzgeek.com/how-tos/linux/centos-how-tos/step-step-openldap-server-configuration-centos-7-rhel-7.html
[6] https://howdoilinux.com/2015/05/openldap-to-active-directory-proxy-configuration/
Latest revision as of 10:56, 19 March 2018
Active Directory LDAP Proxy
Purpose
To proxy secure LDAP requests from the internet to MS AD.
Commands
CentOS 7
On a clean install with epel-release installed (not needed, but it is part of my initial setup script)
yum -y install openldap openldap-servers
cat <<EOF >>/etc/openldap/slapd.conf
# load the LDAP proxy backend (back_ldap)
moduleload back_ldap

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/inetorgperson.schema

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

sizelimit unlimited

idletimeout 3600
writetimeout 600

# proxy database: everything under the suffix is forwarded to the domain controller
database ldap
suffix "dc=your,dc=tld"
uri "ldap://domaincontroller"
chase-referrals no
# continuation lines of a single directive must begin with whitespace,
# otherwise slapd reads "mode=self" as an unknown directive
idassert-bind bindmethod=simple
        mode=self
        binddn="cn=binduser,ou=Users,DC=your,DC=tld"
        credentials="password"

logfile /var/log/slapd.log
loglevel 1
EOF
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
systemctl enable slapd
systemctl start slapd
firewall-cmd --permanent --add-service=ldap
firewall-cmd --reload
When finished, you can query OpenLDAP, but you must authenticate to do so: this configuration does not allow anonymous binds, which is a good thing.
ldapsearch -v -x -h <openldap ip/FQDN> -D "cn=binduser,ou=Users,DC=your,DC=tld" -w password -b OU=Users,DC=your,DC=tld
LDAPS
Edit /etc/sysconfig/slapd so that slapd accepts secure connections, install the certificates, and restart the service[1]
sed -i 's|^SLAPD_URLS="ldapi:/// ldap:///"|SLAPD_URLS="ldapi:/// ldaps:///"|' /etc/sysconfig/slapd
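An added check, not part of the wiki page, that lints the slapd.conf and /etc/sysconfig/slapd produced by the steps above before slapd is restarted. The function names, the awk and grep logic and the constructed sample config are my own; it assumes the page's layout (an idassert-bind stanza with continuation lines and a single SLAPD_URLS line).

```shell
#!/bin/sh
# Added example, not from the wiki page: lint the slapd.conf and the
# /etc/sysconfig/slapd produced by the steps above. Each function takes a
# file path and returns 0 when the file passes, 1 when a problem is found.

# lint_slapd_conf FILE
lint_slapd_conf() {
    # slapd.conf joins a continuation line to the preceding directive only
    # when it starts with whitespace; an unindented "mode=self" is read as
    # an unknown directive and slaptest fails.
    awk '/^idassert-bind/ { ia = 1; next }
         ia && /^(mode|binddn|credentials)=/ { bad = 1 }
         ia && /^[^ \t]/ { ia = 0 }
         END { exit bad + 0 }' "$1" || {
        echo "$1: idassert-bind continuation line is not indented" >&2; return 1; }
    # The proxy binds to the domain controller with the password given in
    # credentials=, so that hop should be ldaps:// rather than plain ldap://.
    if ! grep -Eq '^uri[[:space:]]+"?ldaps://' "$1"; then
        echo "$1: uri to the domain controller is not ldaps://" >&2
        return 1
    fi
}

# lint_sysconfig FILE
lint_sysconfig() {
    urls=$(sed -n 's/^SLAPD_URLS="\(.*\)"/\1/p' "$1")
    case " $urls " in
        *' ldap:///'*) echo "$1: plain ldap:/// is still enabled" >&2; return 1 ;;
    esac
    case " $urls " in
        *' ldaps:///'*) ;;
        *) echo "$1: ldaps:/// is missing" >&2; return 1 ;;
    esac
    # firewalld's "ldap" service used on the page opens 389/tcp only; once
    # ldaps:/// is the listener, the matching rule is --add-service=ldaps (636/tcp).
    return 0
}

# Stand-alone run (sh lint.sh --demo) against a constructed config whose
# continuation line is unindented and whose uri is plain ldap://.
if [ "${1-}" = "--demo" ]; then
    t=$(mktemp)
    printf 'database ldap\nuri "ldap://dc"\nidassert-bind bindmethod=simple\nmode=self\n' > "$t"
    lint_slapd_conf "$t" || echo "lint rejected the constructed sample, as intended"
    rm -f "$t"
fi
```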
Notes
- Interesting YouTube Video that covers everything except enabling TLS[2]
- OpenLDAP as proxy to Active Directory as described by Samba[3]
- A guide by owncloud.org[4]
- Possible howto on enabling TLS[5]
- Here is someone that has already gone through the work for me. Will be working off of this how-to.[6]