Difference between revisions of "OpenLDAP"

From Michael's Information Zone
Jump to navigation Jump to search
 
(2 intermediate revisions by the same user not shown)
Line 44: Line 44:
 
firewall-cmd --permanent --add-service=ldap
 
firewall-cmd --permanent --add-service=ldap
 
firewall-cmd --reload
 
firewall-cmd --reload
 +
</pre>
 +
When finished, you can query the OpenLDAP but must authenticate in the process. In this configuration it does not allow for anonymous binds, which is a good thing.
 +
<pre>
 +
ldapsearch -v -x -h <openldap ip/FQDN> -D "cn=binduser,ou=Users,DC=your,DC=tld" -w password -b OU=Users,DC=your,DC=tld
 +
</pre>
 +
====LDAPS====
 +
Edit /etc/sysconfig/slapd and update to take secure connections, install certificates, Restart services<ref>https://www.lisenet.com/2016/openldap-with-ssl-and-nfs-for-user-home-directories-on-centos-7/</ref>
 +
<pre>
 +
sed -i 's/SLAPD_URLS=\"ldapi:\/\/\/\ ldap:\/\/\/\"/SLAPD_URLS=\"ldapi:\/\/\/\ ldaps:\/\/\/\"/' /etc/sysconfig/slapd
 
</pre>
 
</pre>
  

Latest revision as of 10:56, 19 March 2018

Active Directory LDAP Proxy

Purpose

To proxy secure LDAP requests from the internet to MS AD.

Commands

CentOS 7

On a clean install with epel-release installed (not needed, but it is part of my initial setup script)


yum -y install openldap openldap-servers
cat <<EOF >>/etc/openldap/slapd.conf

moduleload              back_ldap

include                 /etc/openldap/schema/core.schema
include                 /etc/openldap/schema/cosine.schema
include                 /etc/openldap/schema/nis.schema
include                 /etc/openldap/schema/inetorgperson.schema


pidfile                 /var/run/openldap/slapd.pid
argsfile                /var/run/openldap/slapd.args

sizelimit               unlimited

idletimeout             3600
writetimeout            600

database                ldap
suffix                  "dc=your,dc=tld"
uri                     "ldap://domaincontroller"
chase-referrals         no
idassert-bind           bindmethod=simple
                        mode=self
                        binddn="cn=binduser,ou=Users,DC=your,DC=tld"
                        credentials="password"

logfile                 /var/log/slapd.log
loglevel                1
EOF

slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
systemctl enable slapd
systemctl start slapd
firewall-cmd --permanent --add-service=ldap
firewall-cmd --reload

When finished, you can query the OpenLDAP but must authenticate in the process. In this configuration it does not allow for anonymous binds, which is a good thing.

ldapsearch -v -x -h <openldap ip/FQDN> -D "cn=binduser,ou=Users,DC=your,DC=tld" -w password -b OU=Users,DC=your,DC=tld

LDAPS

Edit /etc/sysconfig/slapd and update to take secure connections, install certificates, Restart services[1]

sed -i 's/SLAPD_URLS=\"ldapi:\/\/\/\ ldap:\/\/\/\"/SLAPD_URLS=\"ldapi:\/\/\/\ ldaps:\/\/\/\"/' /etc/sysconfig/slapd

Notes

  • Interesting YouTube Video that covers everything except enabling TLS[2]
  • openLDAP as proxy to Active Directory as stated by SAMBA[3]
  • A guide by owncloud.org[4]
  • Possible howto on enabling TLS[5]
  • Here is someone that has already gone through the work for me. Will be working off of this how-to.[6]
  • https://www.lisenet.com/2016/openldap-with-ssl-and-nfs-for-user-home-directories-on-centos-7/
  • https://www.youtube.com/watch?v=bp8ffdY7Mu4
  • https://wiki.samba.org/index.php/OpenLDAP_as_proxy_to_AD
  • https://doc.owncloud.org/server/10.0/admin_manual/configuration/ldap/ldap_proxy_cache_server_setup.html
  • https://www.itzgeek.com/how-tos/linux/centos-how-tos/step-step-openldap-server-configuration-centos-7-rhel-7.html
  • https://howdoilinux.com/2015/05/openldap-to-active-directory-proxy-configuration/