Installing OpenLDAP on CentOS


  • 27 January 2021
  • Linux
  • Written by Arif Zulfikar Pelian

This time I will share how to build an LDAP directory with OpenLDAP on CentOS/RHEL. The steps assume the CentOS 6 era packages: SysV init scripts, the bdb backend and a slapd.conf that is converted into cn=config with slaptest.


1) First, install OpenLDAP with the command below. This assumes the server can already reach a local or public yum repository:

[root@ldap1 ~]# yum install openldap openldap-servers openldap-clients -y

2) Copy the sample slapd.conf shipped with the server package to /etc/openldap/:

[root@ldap1 ~]# cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf

3) Generate a password hash for the rootdn that will be placed in /etc/openldap/slapd.conf:

[root@ldap1 ~]# slappasswd

New password:

Re-enter new password:

{SSHA}GtG8bcLGeN/rf1iStKFK2pu0C2EZf/RX
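What slappasswd printed above is an {SSHA} value: base64 of SHA-1(password || salt) followed by the 4-byte random salt. The Python below is an added example, not part of the original page: it builds and verifies such values so you can see why the same password gives a different hash every run and what verification does with the trailing salt. The function names are my own and the sample password is made up; the one hash taken from the page is only split apart, never cracked.

```python
import base64
import hashlib
import hmac
import os

def make_ssha(password, salt=None):
    """Build an OpenLDAP {SSHA} value: base64(SHA-1(password || salt) || salt).
    slappasswd draws a 4-byte random salt; pass one explicitly for a reproducible result."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def split_ssha(value):
    """Return (digest, salt) from a {SSHA} string; the SHA-1 digest is always 20 bytes,
    whatever follows is the salt."""
    if not value.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value: %r" % value)
    raw = base64.b64decode(value[len("{SSHA}"):])
    return raw[:20], raw[20:]

def verify_ssha(value, password):
    """Constant-time check of a candidate password against a stored {SSHA} value,
    the same computation slapd performs on a simple bind."""
    digest, salt = split_ssha(value)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)

if __name__ == "__main__":
    h = make_ssha("S3cret-lab")                       # constructed password, not the page's
    print(h, verify_ssha(h, "S3cret-lab"), verify_ssha(h, "wrong"))
    # the hash shown on the page decodes to 24 bytes: 20-byte SHA-1 digest + 4-byte salt
    digest, salt = split_ssha("{SSHA}GtG8bcLGeN/rf1iStKFK2pu0C2EZf/RX")
    print(len(digest), len(salt))
```

The salt defeats precomputed tables but there is no stretching: each guess costs one SHA-1, so a leaked {SSHA} value still falls quickly to a fast cracker. slappasswd -h also offers {SHA}, {SMD5}, {MD5} and {CRYPT}; the unsalted ones are weaker still. Whatever scheme you pick, rootpw must hold the hash, never the cleartext shown in the commented-out sample line.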

4) Copy the generated hash, then edit /etc/openldap/slapd.conf.

NOTE: the lines that differ from the shipped sample are suffix, rootdn and rootpw (paste the {SSHA} hash from step 3 there, never a cleartext password), plus the loglevel and sizelimit lines. Keep the file unreadable to other users, as its own header says: it carries the rootpw hash. `allow bind_v2` is inherited from the sample; remove it unless you really have LDAPv2-only clients.

[root@ldap1 ~]# vim /etc/openldap/slapd.conf

#

# See slapd.conf(5) for details on configuration options.

# This file should NOT be world readable.

#

include         /etc/openldap/schema/corba.schema

include         /etc/openldap/schema/core.schema

include         /etc/openldap/schema/cosine.schema

include         /etc/openldap/schema/duaconf.schema

include         /etc/openldap/schema/dyngroup.schema

include         /etc/openldap/schema/inetorgperson.schema

include         /etc/openldap/schema/java.schema

include         /etc/openldap/schema/misc.schema

include         /etc/openldap/schema/nis.schema

include         /etc/openldap/schema/openldap.schema

include         /etc/openldap/schema/ppolicy.schema

include         /etc/openldap/schema/collective.schema

 

# Allow LDAPv2 client connections.  This is NOT the default.

allow bind_v2

 

# Do not enable referrals until AFTER you have a working directory

# service AND an understanding of referrals.

#referral       ldap://root.openldap.org

 

pidfile         /var/run/openldap/slapd.pid

argsfile        /var/run/openldap/slapd.args

 

# Load dynamic backend modules

# - modulepath is architecture dependent value (32/64-bit system)

# - back_sql.la overlay requires openldap-server-sql package

# - dyngroup.la and dynlist.la cannot be used at the same time

 

# modulepath /usr/lib/openldap

# modulepath /usr/lib64/openldap

 

# moduleload accesslog.la

# moduleload auditlog.la

# moduleload back_sql.la

# moduleload chain.la

# moduleload collect.la

# moduleload constraint.la

# moduleload dds.la

# moduleload deref.la

# moduleload dyngroup.la

# moduleload dynlist.la

# moduleload memberof.la

# moduleload pbind.la

# moduleload pcache.la

# moduleload ppolicy.la

# moduleload refint.la

# moduleload retcode.la

# moduleload rwm.la

# moduleload seqmod.la

# moduleload smbk5pwd.la

# moduleload sssvlv.la

# moduleload syncprov.la

# moduleload translucent.la

# moduleload unique.la

# moduleload valsort.la

 

# The next three lines allow use of TLS for encrypting connections using a

# dummy test certificate which you can generate by running

# /usr/libexec/openldap/generate-server-cert.sh. Your client software may balk

# at self-signed certificates, however.

#TLSCACertificatePath /etc/openldap/certs

#TLSCertificateFile "OpenLDAP Server"

#TLSCertificateKeyFile /etc/openldap/certs/password

 

# Sample security restrictions

#       Require integrity protection (prevent hijacking)

#       Require 112-bit (3DES or better) encryption for updates

#       Require 63-bit encryption for simple bind

# security ssf=1 update_ssf=112 simple_bind=64

 

# Sample access control policy:

#       Root DSE: allow anyone to read it

#       Subschema (sub)entry DSE: allow anyone to read it

#       Other DSEs:

#               Allow self write access

#               Allow authenticated users read access

#               Allow anonymous users to authenticate

#       Directives needed to implement policy:

# access to dn.base="" by * read

# access to dn.base="cn=Subschema" by * read

# access to *

#       by self write

#       by users read

#       by anonymous auth

#

# if no access controls are present, the default policy

# allows anyone and everyone to read anything but restricts

# updates to rootdn.  (e.g., "access to * by * read")

#

# rootdn can always read and write EVERYTHING!

 

# enable on-the-fly configuration (cn=config)

database config

access to *

        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage

        by * none

 

# enable server status monitoring (cn=monitor)

database monitor

access to *

        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read

        by dn.exact="cn=Manager,dc=example,dc=com" read

        by * none

 

#######################################################################

# database definitions

#######################################################################

 

database        bdb

suffix          "dc=example,dc=com"

checkpoint      1024 15

rootdn          "cn=Manager,dc=example,dc=com"

rootpw          {SSHA}GtG8bcLGeN/rf1iStKFK2pu0C2EZf/RX

loglevel        256

sizelimit       unlimited

# Cleartext passwords, especially for the rootdn, should

# be avoided.  See slappasswd(8) and slapd.conf(5) for details.

# Use of strong authentication encouraged.

# rootpw                secret

# rootpw                {crypt}ijFYNcSNctBYg

 

# The database directory MUST exist prior to running slapd AND

# should only be accessible by the slapd and slap tools.

# Mode 700 recommended.

directory       /var/lib/ldap

 

# Indices to maintain for this database

index objectClass                       eq,pres

index ou,cn,mail,surname,givenname      eq,pres,sub

index uidNumber,gidNumber,loginShell    eq,pres

index uid,memberUid                     eq,pres,sub

index nisMapName,nisMapEntry            eq,pres,sub

 

# Replicas of this database

#replogfile /var/lib/ldap/openldap-master-replog

#replica host=ldap-1.example.com:389 starttls=critical

#     bindmethod=sasl saslmech=GSSAPI

#     authcId=host/ldap-master.example.com@EXAMPLE.COM

Save the configuration when done.

 

5) Remove any existing LDAP database and dynamic configuration (if present) so the directory is re-initialised. This wipes whatever is in /var/lib/ldap, so only do it on a fresh server:

[root@ldap1 ~]# rm -rf /var/lib/ldap/*

[root@ldap1 ~]# rm -rf /etc/openldap/slapd.d/*

 

6) Copy the sample DB_CONFIG file into /var/lib/ldap/:

[root@ldap1 ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

 

7) Make user 'ldap' the owner of /var/lib/ldap/ and /etc/openldap/slapd.d/ (chown's `ldap.` is shorthand for `ldap:ldap`) and restrict both to mode 700, since they hold the database files and the rootpw hash:

[root@ldap1 ~]# chown -Rf ldap. /etc/openldap/slapd.d/

[root@ldap1 ~]# chown -Rf ldap. /var/lib/ldap/

[root@ldap1 ~]# chmod 700 /var/lib/ldap/

[root@ldap1 ~]# chmod 700 /etc/openldap/slapd.d/

 

8) Check /etc/openldap/slapd.conf for configuration errors. Pass -f explicitly so the file is tested rather than the (now empty) slapd.d directory:

[root@ldap1 ~]# slaptest -u -f /etc/openldap/slapd.conf

config file testing succeeded

 

9) Convert the configuration file into the dynamic configuration under /etc/openldap/slapd.d/. slaptest runs as root here, so afterwards repeat the chown from step 7 on /etc/openldap/slapd.d/; otherwise the generated files belong to root rather than to the ldap user slapd runs as:

[root@ldap1 ~]# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d

config file testing succeeded

 

10) Start the slapd daemon to bring OpenLDAP up (`chkconfig slapd on` makes it start at boot as well):

[root@ldap1 ~]# /etc/init.d/slapd start

 

11) Confirm it is running with the commands below:

[root@ldap1 ~]# service slapd status

slapd (pid  1301) is running...

[root@ldap1 ~]# netstat -ntlup | grep slapd

tcp        0      0 0.0.0.0:389                 0.0.0.0:*                   LISTEN      1301/slapd

tcp        0      0 :::389                      :::*                        LISTEN      1301/slapd

[root@ldap1 ~]# ps -ef | grep slapd

ldap      1301     1  0 08:21 ?        00:00:00 /usr/sbin/slapd -h  ldap:/// ldapi:/// -u ldap

root      1318   1208  0 08:23  pts/1    00:00:00 grep slapd

12) If iptables is in use, open the LDAP ports for the client subnet. slapd only serves TCP, and nothing listens on 636 in this setup because TLS was never configured and the daemon runs with `-h ldap:/// ldapi:///` (on CentOS 6, ldaps is switched on with SLAPD_LDAPS=yes in /etc/sysconfig/ldap once certificates are in place), so the UDP and 636 rules below are harmless but do nothing yet:

[root@ldap1 ~]# netstat -ntlup | grep slapd

tcp        0      0 0.0.0.0:389                 0.0.0.0:*                   LISTEN      1402/slapd

tcp        0      0 :::389                      :::*                        LISTEN      1402/slapd

[root@ldap1 ~]# iptables -I INPUT -p udp -s 192.168.124.0/24 --dport 389 -j ACCEPT

[root@ldap1 ~]# iptables -I INPUT -p tcp -s 192.168.124.0/24 --dport 389 -j ACCEPT

[root@ldap1 ~]# iptables -I INPUT -p udp -s 192.168.124.0/24 --dport 636 -j ACCEPT

[root@ldap1 ~]# iptables -I INPUT -p tcp -s 192.168.124.0/24 --dport 636 -j ACCEPT

[root@ldap1 ~]# service iptables save

iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]

 

13) Create the base DIT (Directory Information Tree) in an LDIF file. In LDIF a blank line ends an entry, so keep each entry's attributes together and separate entries with exactly one empty line:

[root@ldap1 ~]# vim dit.ldif

# Then fill it with the following:

# Creates the base of the DIT
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectclass: organization
o: Example Organization
dc: Example
description: Example Inc DIT

# Creates a Users OU (Organizational Unit)
dn: ou=Users,dc=example,dc=com
objectClass: organizationalUnit
ou: Users

# Creates a Groups OU
dn: ou=Groups,dc=example,dc=com
objectClass: organizationalUnit
ou: Groups

# Creates an Admins OU
dn: ou=Admins,dc=example,dc=com
objectClass: organizationalUnit
ou: Admins

# Creates user student1 with some basic info
dn: uid=student1,ou=Users,dc=example,dc=com
uid: student1
cn: student1
sn: 1
objectClass: top
objectClass: posixAccount
objectClass: inetOrgPerson
loginShell: /bin/bash
homeDirectory: /home/student1
uidNumber: 15000
gidNumber: 10000
userPassword: {SSHA}CQG5KHc6b1ii+qopaVCsNa14v9+r14r5
mail: student1@example.com
gecos: Student1 User

# Creates user student2 with some basic info
dn: uid=student2,ou=Users,dc=example,dc=com
uid: student2
cn: student2
sn: 2
objectClass: top
objectClass: posixAccount
objectClass: inetOrgPerson
loginShell: /bin/bash
homeDirectory: /home/student2
uidNumber: 15001
gidNumber: 10000
userPassword: {SSHA}CQG5KHc6b1ii+qopaVCsNa14v9+r14r5
mail: student2@example.com
gecos: Student2 User

# Creates the ldapusers group under the Groups OU
dn: cn=ldapusers,ou=Groups,dc=example,dc=com
objectClass: posixGroup
objectClass: top
cn: ldapusers
userPassword: {crypt}x
gidNumber: 10000
memberUid: student1
memberUid: student2

Two things to watch in this file: userPassword values come from slappasswd (both students share one hash here, fine for a lab), and memberUid holds the bare login name. A value such as uid=student1 loads without any error from ldapadd but never matches a user, so group membership silently stops working.
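Because ldapadd checks the schema but not the intent, a hand-written dit.ldif can be accepted and still break logins: a memberUid written as uid=student1, a userPassword pasted in cleartext, an account whose primary gidNumber has no group, or an RDN that does not match the entry's own attribute. The Python below is an added example, not part of the original page: a minimal LDIF reader (comments, folded lines, '::' base64 values, blank-line entry separation) plus a linter for the entry types this tutorial creates. The sample LDIF is constructed here and deliberately carries a cleartext password and a DN-style memberUid; function names are my own.

```python
import base64

# MUST attributes of the object classes this tutorial uses (nis/core schema).
REQUIRED = {"posixaccount": {"cn", "uid", "uidnumber", "gidnumber", "homedirectory"},
            "posixgroup": {"cn", "gidnumber"}, "organizationalunit": {"ou"}}

def parse_ldif(text):
    """Minimal LDIF reader -> [(dn, {attr_lower: [values]}), ...]. Handles '#'
    comments, folded lines (leading space), '::' base64 values, and the rule
    that a blank line ends an entry."""
    entries, lines = [], []
    for raw in text.splitlines() + [""]:
        if raw.startswith("#"):
            continue
        if not raw.strip():
            if lines:
                entries.append(_entry(lines))
                lines = []
        elif raw[0] == " " and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return entries

def _entry(lines):
    dn, attrs = None, {}
    for line in lines:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        if value.startswith(":"):                       # '::' marks a base64 value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        value = value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name.lower(), []).append(value)
    if dn is None:
        raise ValueError("entry without dn: %r" % lines[0])
    return dn, attrs

def lint_dit(entries):
    """Findings for mistakes ldapadd accepts but that break logins later."""
    findings, groups, accounts = [], {}, []
    for dn, a in entries:
        classes = {c.lower() for c in a.get("objectclass", [])}
        rdn_attr, _, rdn_val = dn.split(",", 1)[0].partition("=")
        if rdn_val.lower() not in {v.lower() for v in a.get(rdn_attr.lower(), [])}:
            findings.append("%s: RDN value has no matching %s attribute" % (dn, rdn_attr))
        for cls in classes:
            missing = REQUIRED.get(cls, set()) - set(a)
            if missing:
                findings.append("%s: %s lacks %s" % (dn, cls, ", ".join(sorted(missing))))
        for pw in a.get("userpassword", []):
            if not pw.startswith("{"):                  # slappasswd output starts with {SCHEME}
                findings.append("%s: userPassword stored in cleartext" % dn)
        for m in a.get("memberuid", []):
            if "=" in m:                                # bare login name, not uid=... or a DN
                findings.append("%s: memberUid %r is not a bare uid" % (dn, m))
        if "posixgroup" in classes:
            for gid in a.get("gidnumber", []):
                groups[gid] = dn
        if "posixaccount" in classes:
            accounts.append((dn, a.get("gidnumber", [])))
    for dn, gids in accounts:                           # primary group must exist
        findings += ["%s: gidNumber %s has no posixGroup in this file" % (dn, g)
                     for g in gids if g not in groups]
    return findings

# Constructed sample modelled on the page's dit.ldif, with two deliberate mistakes.
SAMPLE_LDIF = """\
dn: uid=student1,ou=Users,dc=example,dc=com
objectClass: posixAccount
uid: student1
cn: student1
uidNumber: 15000
gidNumber: 10000
homeDirectory: /home/student1
userPassword: {SSHA}CQG5KHc6b1ii+qopaVCsNa14v9+r14r5

dn: uid=student2,ou=Users,dc=example,dc=com
objectClass: posixAccount
uid: student2
cn: student2
uidNumber: 15001
gidNumber: 10000
homeDirectory: /home/student2
userPassword: password123

dn: cn=ldapusers,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: ldapusers
gidNumber: 10000
memberUid: uid=student1
memberUid: student2
"""

if __name__ == "__main__":
    for finding in lint_dit(parse_ldif(SAMPLE_LDIF)):
        print(finding)
```

Run it on the real dit.ldif before ldapadd (`lint_dit(parse_ldif(open("dit.ldif").read()))`); the same reader also parses ldapsearch output, which is how the '::' base64 form of userPassword in step 16 gets decoded.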

 

14) Change /etc/openldap/ldap.conf to the following:

[root@ldap1 ~]# vim /etc/openldap/ldap.conf

#

# LDAP Defaults

#

# See ldap.conf(5) for details

# This file should be world readable but not world writable.

#BASE   dc=example,dc=com

#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT      12

#TIMELIMIT      15

#DEREF          never

#TLS_CACERTDIR  /etc/openldap/certs

BASE            dc=example,dc=com
# Adjust URI/HOST to your own domain name and IP address. ldap.conf(5) only
# treats '#' at the start of a line as a comment, so keep notes on their own
# line; trailing text after a value is parsed as part of the value.
# HOST is deprecated in favour of URI.
URI             ldap://ldap.example.com
HOST            192.168.124.251
# TLS_REQCERT allow makes the client accept any server certificate, which
# removes the protection TLS gives against a spoofed server; acceptable in a
# lab, not in production (use 'demand' together with a trusted TLS_CACERT).
TLS_REQCERT     allow
# 'ssl start_tls', seen in pam_ldap/nss_ldap configs, is not an ldap.conf(5)
# option and libldap ignores it; nothing in this guide enables TLS on the
# server anyway.


15) Load dit.ldif with the command below. The server in this guide was started with `-h ldap:/// ldapi:///` and TLS was never configured, so an ldaps:// URL would simply fail to connect; use ldap://, or on the server itself `-H ldapi:///`, which talks over a UNIX socket and keeps the Manager password off the network (a simple bind over plain ldap:// sends it in cleartext):

[root@ldap1 ~]# ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f dit.ldif -H ldap://ldap1.example.com

LDAP Password: {enter the password you typed into slappasswd in step 3, not the hash}

adding new entry "dc=example,dc=com"

adding new entry "ou=Users,dc=example,dc=com"

adding new entry "ou=Groups,dc=example,dc=com"

adding new entry "ou=Admins,dc=example,dc=com"

adding new entry "uid=student1,ou=Users,dc=example,dc=com"

adding new entry "uid=student2,ou=Users,dc=example,dc=com"

adding new entry "cn=ldapusers,ou=Groups,dc=example,dc=com"


16) Verify that the entries from dit.ldif are now in the LDAP database. Note that this search binds anonymously (-x without -D) and still returns everything, userPassword hashes included: the bdb database above has no `access to` directives, so slapd falls back to its default of `access to * by * read`. Add an `access to attrs=userPassword` rule that grants anonymous clients only `auth` before exposing this server to a network:

[root@ldap1 ~]# ldapsearch -x -b "dc=example,dc=com" -H ldap://ldap.example.com

# extended LDIF

#

# LDAPv3

# base with scope subtree

# filter: (objectclass=*)

# requesting: ALL

#

 

# example.com

dn: dc=example,dc=com

objectClass: top

objectClass: dcObject

objectClass: organization

o: Example Organization

dc: Example

description: Example Inc DIT

 

# Users, example.com

dn: ou=Users,dc=example,dc=com

objectClass: organizationalUnit

ou: Users

 

# Groups, example.com

dn: ou=Groups,dc=example,dc=com

objectClass: organizationalUnit

ou: Groups

 

# Admins, example.com

dn: ou=Admins,dc=example,dc=com

objectClass: organizationalUnit

ou: Admins

 

# student1, Users, example.com

dn: uid=student1,ou=Users,dc=example,dc=com

uid: student1

cn: student1

sn: 1

objectClass: top

objectClass: posixAccount

objectClass: inetOrgPerson

loginShell: /bin/bash

homeDirectory: /home/student1

uidNumber: 15000

gidNumber: 10000

userPassword:: e1NTSEF9Q1FHNUtIYzZiMWlpK3FvcGFWQ3NOYTE0djkrcjE0cjU=

mail: student1@example.com

gecos: Student1 User

 

# student2, Users, example.com

dn: uid=student2,ou=Users,dc=example,dc=com

uid: student2

cn: student2

sn: 2

objectClass: top

objectClass: posixAccount

objectClass: inetOrgPerson

loginShell: /bin/bash

homeDirectory: /home/student2

uidNumber: 15001

gidNumber: 10000

userPassword:: e1NTSEF9Q1FHNUtIYzZiMWlpK3FvcGFWQ3NOYTE0djkrcjE0cjU=

mail: student2@example.com

gecos: Student2 User

 

# ldapusers, Groups, example.com

dn: cn=ldapusers,ou=Groups,dc=example,dc=com

objectClass: posixGroup

objectClass: top

cn: ldapusers

userPassword:: e2NyeXB0fXg=

gidNumber: 10000

memberUid: student1

memberUid: student2

 

# search result

search: 2

result: 0 Success

 

# numResponses: 8

# numEntries: 7
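The search above bound anonymously and still received the userPassword values, because the bdb database in this slapd.conf has no access directives and slapd then applies `access to * by * read`. The Python below is an added example, not from the page: a simplified evaluator of slapd.conf ACLs (first matching `access to`, then first matching `by`; DN-scoping inside the `to` clause and the dn/group/set forms of `who` are not modelled) run against a trimmed, constructed copy of the page's database section and against a hardened one that lets a user change their own password, lets anonymous clients bind against it, and hides it from everyone else while making other attributes readable to authenticated users only. PAGE_DB, HARDENED_DB and the function names are my own.

```python
import re
import shlex

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# Which <who> keywords match each kind of requester (simplified: dn.*=, group=,
# set= and peername/sockurl selectors are not modelled).
SUBJECTS = {
    "anonymous": {"*", "anonymous"},
    "users": {"*", "users"},          # authenticated, reading someone else's entry
    "self": {"*", "users", "self"},   # authenticated, reading its own entry
}

def parse_slapd_conf(text):
    """{'global': [...], '<type>#<n>': [...]}: one token list per directive.
    Continuation lines (leading whitespace) are joined; '#' lines are dropped."""
    joined = []
    for raw in text.splitlines():
        if not raw.strip() or re.match(r"^\s*#", raw):
            continue
        if raw[0] in " \t" and joined:
            joined[-1] += " " + raw.strip()
        else:
            joined.append(raw.strip())
    sections, current, count = {"global": []}, "global", 0
    for line in joined:
        toks = shlex.split(line)
        if toks[0].lower() == "database":
            count += 1
            current = "%s#%d" % (toks[1].lower(), count)
            sections[current] = []
        sections[current].append(toks)
    return sections

def user_database(sections):
    """Directives of the first database that declares a suffix."""
    for directives in sections.values():
        if any(t[0].lower() == "suffix" for t in directives):
            return directives
    raise ValueError("no database with a suffix found")

def access_level(directives, attr, subject):
    """Privilege <subject> gets on <attr>: slapd uses the FIRST 'access to' whose
    <what> covers the attribute, then the FIRST 'by' clause whose <who> matches;
    no matching 'by' means none. A database with no 'access' directives at all
    gets slapd's default policy, access to * by * read. Simplifications: dn.*=
    and filter= parts of <what> are ignored; unusual privilege spellings
    (=rscdx, +w, selfwrite) count as none."""
    who_set = SUBJECTS[subject]
    rules = [t for t in directives if t[0].lower() == "access"]
    if not rules:
        return "read"
    for toks in rules:
        if len(toks) < 3 or toks[1].lower() != "to":
            continue
        i, attrs = 2, None
        while i < len(toks) and toks[i].lower() != "by":
            if toks[i].lower().startswith("attrs="):
                attrs = {a.strip().lower() for a in toks[i][6:].split(",")}
            i += 1
        if attrs is not None and attr.lower() not in attrs:
            continue
        while i + 2 < len(toks):
            if toks[i].lower() == "by" and toks[i + 1].lower() in who_set:
                level = toks[i + 2].lower()
                return level if level in LEVELS else "none"
            i += 1
        return "none"
    return "none"

def can_read(directives, attr, subject):
    return LEVELS.index(access_level(directives, attr, subject)) >= LEVELS.index("read")

# Constructed, trimmed copy of the page's database section: no access directives.
PAGE_DB = """\
database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
rootpw          {SSHA}GtG8bcLGeN/rf1iStKFK2pu0C2EZf/RX
directory       /var/lib/ldap
"""

# Hardened: users may change their own password, anonymous clients may only
# bind against it, nobody else sees it; other attributes need authentication.
HARDENED_DB = PAGE_DB + """\
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
access to *
        by self write
        by users read
        by anonymous auth
"""

def report(conf, attr="userPassword"):
    """Privilege each requester kind gets on <attr> in the suffix database."""
    db = user_database(parse_slapd_conf(conf))
    return {who: access_level(db, attr, who) for who in SUBJECTS}

if __name__ == "__main__":
    print("page     :", report(PAGE_DB))      # all three get 'read'
    print("hardened :", report(HARDENED_DB))  # anonymous 'auth', users 'none', self 'write'
```

Order matters in slapd ACLs: the attrs=userPassword rule must come before the `access to *` rule, or the catch-all wins first and `by users read` exposes the hashes to every authenticated account. After editing slapd.conf, re-run step 9 (slaptest into slapd.d, then the chown) and restart slapd, then repeat the anonymous ldapsearch from this step: userPassword must no longer appear.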

   

17) Setting up phpLDAPadmin

Note: phpLDAPadmin makes administering the LDAP database easier; with it you no longer need to hand-write LDIF files like dit.ldif in step 13.

*) Install phpldapadmin:

[root@ldap1 ~]# yum install -y phpldapadmin 

 

*) The package installs its own Apache configuration as /etc/httpd/conf.d/phpldapadmin.conf, which by default only admits localhost. Edit its Directory block so the hosts you administer from can reach it:

[root@ldap1 ~]# vim /etc/httpd/conf.d/phpldapadmin.conf

#
#  Web-based tool for managing LDAP servers
#

Alias /phpldapadmin /usr/share/phpldapadmin/htdocs
Alias /ldapadmin /usr/share/phpldapadmin/htdocs

<Directory /usr/share/phpldapadmin/htdocs>
  Order Deny,Allow
  Deny from all
  # 'Allow from all' opens the management UI, which takes the Manager DN and
  # password over plain HTTP, to every host that can reach port 80; prefer
  # the admin subnet only, e.g. Allow from 192.168.124.0/24
  Allow from all
</Directory>

*) Restart the httpd server:

[root@ldap1 ~]# /etc/init.d/httpd restart 

*) Open phpLDAPadmin in a web browser (plain HTTP here; put it behind TLS or restrict it to the admin network before using it with real credentials):

http://ldap_server_ip/ldapadmin

18) To log in to phpLDAPadmin with a full DN (for example cn=Manager,dc=example,dc=com), change this parameter in /etc/phpldapadmin/config.php:

$servers->setValue('login','attr','uid');

to

$servers->setValue('login','attr','dn');

then restart httpd again:

[root@ldap1 ~]# /etc/init.d/httpd restart 


Good luck trying it out.