{"id":7576,"date":"2018-06-16T12:13:04","date_gmt":"2018-06-16T04:13:04","guid":{"rendered":"http:\/\/rmohan.com\/?p=7576"},"modified":"2018-06-16T13:56:15","modified_gmt":"2018-06-16T05:56:15","slug":"centos7-openldap","status":"publish","type":"post","link":"https:\/\/mohan.sg\/?p=7576","title":{"rendered":"centos7 openldap"},"content":{"rendered":"

systemctl stop firewalld.service
\nsetenforce 0<\/p>\n

sed -i s\/^SELINUX=enforcing\/SELINUX=disabled\/g \/etc\/selinux\/config<\/p>\n

127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
\n::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
\n192.168.1.70 master.apple.com master
\n192.168.1.71 slave.apple.com slave
\n192.168.1.73 client1.apple.com client1
\n192.168.1.74 client2.apple.com client2<\/p>\n

yum -y install openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel migrationtools vim<\/p>\n

cd \/etc\/openldap\/slapd.d<\/p>\n

rm -rf<\/p>\n

cp \/usr\/share\/openldap-servers\/slapd.ldif \/root\/ldap\/<\/p>\n

Set OpenLDAP admin password.
\n# generate encrypted password<\/p>\n

slappasswd -s redhat -n > \/etc\/openldap\/passwd<\/p>\n

slappasswd -h {SSHA} -s ldppassword<\/p>\n

[root@ldap ~]# slappasswd<\/p>\n

New password:<\/p>\n

Re-enter new password:<\/p>\n

[root@master ldap]# cat slapd.ldif
\n#
\n# See slapd-config(5) for details on configuration options.
\n# This file should NOT be com readable.
\n#<\/p>\n

dn: cn=config
\nobjectClass: olcGlobal
\ncn: config
\nolcArgsFile: \/var\/run\/openldap\/slapd.args
\nolcPidFile: \/var\/run\/openldap\/slapd.pid
\n#
\n# TLS settings
\n#
\nolcTLSCACertificatePath: \/etc\/openldap\/certs
\nolcTLSCertificateFile: “OpenLDAP Server”
\nolcTLSCertificateKeyFile: \/etc\/openldap\/certs\/password
\n#
\n# Do not enable referrals until AFTER you have a working directory
\n# service AND an understanding of referrals.
\n#
\n#olcReferral: ldap:\/\/root.openldap.org
\n#
\n# Sample security restrictions
\n# Require integrity protection (prevent hijacking)
\n# Require 112-bit (3DES or better) encryption for updates
\n# Require 64-bit encryption for simple bind
\n#
\n#olcSecurity: ssf=1 update_ssf=112 simple_bind=64<\/p>\n

#
\n# Load dynamic backend modules:
\n# – modulepath is architecture dependent value (32\/64-bit system)
\n# – back_sql.la backend requires openldap-servers-sql package
\n# – dyngroup.la and dynlist.la cannot be used at the same time
\n#<\/p>\n

#dn: cn=module,cn=config
\n#objectClass: olcModuleList
\n#cn: module
\n#olcModulepath: \/usr\/lib\/openldap
\n#olcModulepath: \/usr\/lib64\/openldap
\n#olcModuleload: accesslog.la
\n#olcModuleload: auditlog.la
\n#olcModuleload: back_dnsapple.la
\n#olcModuleload: back_ldap.la
\n#olcModuleload: back_mdb.la
\n#olcModuleload: back_meta.la
\n#olcModuleload: back_null.la
\n#olcModuleload: back_passwd.la
\n#olcModuleload: back_relay.la
\n#olcModuleload: back_shell.la
\n#olcModuleload: back_sock.la
\n#olcModuleload: collect.la
\n#olcModuleload: constraint.la
\n#olcModuleload: dds.la
\n#olcModuleload: deref.la
\n#olcModuleload: dyngroup.la
\n#olcModuleload: dynlist.la
\n#olcModuleload: memberof.la
\n#olcModuleload: pcache.la
\n#olcModuleload: ppolicy.la
\n#olcModuleload: refint.la
\n#olcModuleload: retcode.la
\n#olcModuleload: rwm.la
\n#olcModuleload: seqmod.la
\n#olcModuleload: smbk5pwd.la
\n#olcModuleload: sssvlv.la
\n#olcModuleload: syncprov.la
\n#olcModuleload: translucent.la
\n#olcModuleload: unique.la
\n#olcModuleload: valsort.la<\/p>\n

#
\n# Schema settings
\n#<\/p>\n

dn: cn=schema,cn=config
\nobjectClass: olcSchemaConfig
\ncn: schema<\/p>\n

include: file:\/\/\/etc\/openldap\/schema\/corba.ldif
\ninclude: file:\/\/\/etc\/openldap\/schema\/core.ldif
\ninclude: file:\/\/\/etc\/openldap\/schema\/cosine.ldif
\ninclude: file:\/\/\/etc\/openldap\/schema\/duaconf.ldif
\ninclude: file:\/\/\/etc\/openldap\/schema\/dyngroup.ldif
\ninclude: file:\/\/\/etc\/openldap\/schema\/inetorgperson.ldif
\ninclude: file:\/\/\/etc\/openldap\/schema\/java.ldif
\ninclude: file:\/\/\/etc\/openldap\/schema\/misc.ldif
\ninclude: file:\/\/\/etc\/openldap\/schema\/nis.ldif
\ninclude: file:\/\/\/etc\/openldap\/schema\/openldap.ldif
\ninclude: file:\/\/\/etc\/openldap\/schema\/ppolicy.ldif
\ninclude: file:\/\/\/etc\/openldap\/schema\/collective.ldif<\/p>\n

#
\n# Frontend settings
\n#<\/p>\n

dn: olcDatabase=frontend,cn=config
\nobjectClass: olcDatabaseConfig
\nobjectClass: olcFrontendConfig
\nolcDatabase: frontend
\n#
\n# Sample global access control policy:
\n# Root DSE: allow anyone to read it
\n# Subschema (sub)entry DSE: allow anyone to read it
\n# Other DSEs:
\n# Allow self write access
\n# Allow authenticated users read access
\n# Allow anonymous users to authenticate
\n#
\n#olcAccess: to dn.base=”” by * read
\n#olcAccess: to dn.base=”cn=Subschema” by * read
\n#olcAccess: to *
\n# by self write
\n# by users read
\n# by anonymous auth
\n#
\n# if no access controls are present, the default policy
\n# allows anyone and everyone to read anything but restricts
\n# updates to rootdn. (e.g., “access to * by * read”)
\n#
\n# rootdn can always read and write EVERYTHING!
\n#<\/p>\n

#
\n# Configuration database
\n#<\/p>\n

dn: olcDatabase=config,cn=config
\nobjectClass: olcDatabaseConfig
\nolcDatabase: config
\nolcAccess: to * by dn.base=”gidNumber=0+uidNumber=0,cn=peercred,cn=external,c
\nn=auth” manage by * none<\/p>\n

#
\n# Server status monitoring
\n#<\/p>\n

dn: olcDatabase=monitor,cn=config
\nobjectClass: olcDatabaseConfig
\nolcDatabase: monitor
\nolcAccess: to * by dn.base=”gidNumber=0+uidNumber=0,cn=peercred,cn=external,c
\nn=auth” read by dn.base=”cn=Manager,dc=apple,dc=com” read by * none<\/p>\n

#
\n# Backend database definitions
\n#<\/p>\n

dn: olcDatabase=hdb,cn=config
\nobjectClass: olcDatabaseConfig
\nobjectClass: olcHdbConfig
\nolcDatabase: hdb
\nolcSuffix: dc=apple,dc=com
\nolcRootDN: cn=Manager,dc=apple,dc=com
\nolcRootPW: {SSHA}cc+n64r5WNtLivZppJmYvWWMo3DIhcAy
\nolcDbDirectory: \/var\/lib\/ldap
\nolcDbIndex: objectClass eq,pres
\nolcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub<\/p>\n

rm -rf \/etc\/openldap\/slapd.d\/*<\/p>\n

[root@master ldap]# slapadd -F \/etc\/openldap\/slapd.d\/ -n 0 -l \/root\/ldap\/slapd.ldif
\n_#################### 100.00% eta none elapsed none fast!
\nClosing DB…
\n[root@master ldap]#<\/p>\n

[root@server home]# slaptest -u -F \/etc\/openldap\/slapd.d\/
\nconfig file testing succeeded<\/p>\n

config file testing succeeded<\/p>\n

chown -Rv ldap.ldap \/etc\/openldap\/slapd.d<\/p>\n

[root@server slapd.d]# chown -Rv ldap.ldap \/etc\/openldap\/slapd.d\/<\/p>\n

[root@master ldap]# cd \/etc\/openldap\/slapd.d\/
\n[root@master slapd.d]# ls -la
\ntotal 4
\ndrwxr-x— 3 ldap ldap 45 Jun 15 19:18 .
\ndrwxr-xr-x. 5 root root 92 Jun 15 19:07 ..
\ndrwxr-x— 3 ldap ldap 182 Jun 15 19:18 cn=config
\n-rw——- 1 ldap ldap 589 Jun 15 19:18 cn=config.ldif
\n[root@master slapd.d]#<\/p>\n

[root@master ldap]# systemctl start slapd.service
\n[root@master ldap]# systemctl status slapd.service
\n[root@master ldap]# systemctl enable slapd.service<\/p>\n

[root@master ldap]# cat create_user.sh
\n#!\/bin\/bash
\nUSER_LIST=ldapuser.txt
\nHOME_ldap=\/home\/ldapuser
\nmkdir -pv $HOME_ldap
\nfor USERID in `awk ‘{print $1}’ $USER_LIST`; do
\nUSERNAME=”`grep “$USERID” $USER_LIST | awk ‘{print $2}’`”
\nHOMEDIR=${HOME_ldap}\/${USERNAME}
\nuseradd $USERNAME -u $USERID -d $HOMEDIR
\ngrep “$USERID” $USER_LIST | awk ‘{print $3}’ | passwd –stdin $USERNAME
\ndone<\/p>\n

[root@master ldap]# cat ldapuser.txt
\n5000 lduser1 123456
\n5001 lduser2 123456
\n5002 lduser3 123456
\n5003 lduser4 123456
\n5004 lduser5 123456
\n5005 lduser6 123456
\n[root@master ldap]#<\/p>\n

vim \/usr\/share\/migrationtools\/migrate_common.ph<\/p>\n

# Default DNS domain
\n$DEFAULT_MAIL_DOMAIN = “apple.com”;<\/p>\n

# Default base
\n$DEFAULT_BASE = “dc=apple,dc=com”;<\/p>\n

vim \/usr\/share\/migrationtools\/migrate_common.ph
\n\/usr\/share\/migrationtools\/migrate_base.pl > \/root\/ldap\/base.ldif<\/p>\n

\/usr\/share\/migrationtools\/migrate_passwd.pl \/etc\/passwd \/root\/ldap\/user.ldif
\ncat \/root\/ldap\/user.ldif
\n\/usr\/share\/migrationtools\/migrate_group.pl \/etc\/group \/root\/ldap\/group.ldif<\/p>\n

ldapadd -D “cn=Manager,dc=apple,dc=com” -W -x -f base.ldif
\nldapadd -D “cn=Manager,dc=apple,dc=com” -W -x -f user.ldif
\nldapadd -D “cn=Manager,dc=apple,dc=com” -W -x -f group.ldif<\/p>\n

yum -y install nfs-utils<\/p>\n

yum -y install nfs-utils<\/p>\n

[root@server ~]# cat \/etc\/exports
\n\/home\/ldapuser 192.168.1.0\/24(rw,sync)<\/p>\n

[root@server ~]# systemctl start nfs-server.service<\/p>\n

[root@client home]# exportfs -rv
\nexporting *:\/home\/ldapuser<\/p>\n

systemctl enable nfs-server.service<\/p>\n

vi \/etc\/rsyslog.conf<\/p>\n

local4.* \/var\/log\/ldap.log
\ntouch \/var\/log\/ldap.log<\/p>\n

rsyslog?<\/p>\n

systemctl restart rsyslog.service<\/p>\n

slapd \/var\/log\/messages<\/p>\n

systemctl status slapd.service -l<\/p>\n

tail -f \/var\/log\/messages<\/p>\n

SSL SETUP IN LDAP<\/p>\n

openssl req -nodes -sha256 -newkey rsa:2048 -keyout PrivateKey.key -out CertificateRequest.csr<\/p>\n

2. Optional: Check to see if the CSR really has 256bit signatures<\/p>\n

openssl req -in CertificateRequest.csr -text -noout<\/p>\n

You should see \u201cSignature Algorithm: sha256WithRSAEncryption\u201d<\/p>\n

3. Create the certificate<\/p>\n

We use the CSR and sign it with the private key and create a public certificate<\/p>\n

openssl req -nodes -sha256 -newkey rsa:2048 -keyout PrivateKey.key -out CertificateRequest.csr
\nopenssl req -in CertificateRequest.csr -text -noout
\nopenssl x509 -req -days 365 -sha256 -in CertificateRequest.csr -signkey PrivateKey.key -out my256.crt<\/p>\n

cp my256.crt \/etc\/openldap\/certs\/server.crt<\/p>\n

cp PrivateKey.key \/etc\/openldap\/certs\/server.key<\/p>\n

cp \/etc\/pki\/tls\/certs\/ca-bundle.crt \/etc\/openldap\/certs\/
\ncat my256.crt PrivateKey.key >> master.pem
\ncat my256.crt PrivateKey.key >> slave.pem<\/p>\n

vi mod_ssl.ldif<\/p>\n

# create new
\ndn: cn=config
\nchangetype: modify
\nadd: olcTLSCACertificateFile
\nolcTLSCACertificateFile: \/etc\/openldap\/certs\/ca-bundle.crt
\n–
\nreplace: olcTLSCertificateFile
\nolcTLSCertificateFile: \/etc\/openldap\/certs\/server.crt
\n–
\nreplace: olcTLSCertificateKeyFile
\nolcTLSCertificateKeyFile: \/etc\/openldap\/certs\/server.key<\/p>\n

[root@master ldap]# ldapmodify -Y EXTERNAL -H ldapi:\/\/\/ -f mod_ssl.ldif
\nSASL\/EXTERNAL authentication started
\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
\nSASL SSF: 0
\nmodifying entry “cn=config”<\/p>\n

[root@master ldap]# vi \/etc\/sysconfig\/slapd
\nadd
\nSLAPD_URLS=”ldapi:\/\/\/ ldap:\/\/\/ ldaps:\/\/\/”<\/p>\n

systemctl restart slapd<\/p>\n

client end<\/p>\n

[root@master ldap]# cat \/etc\/hosts
\n127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
\n::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
\n192.168.1.70 master.apple.com master
\n192.168.1.71 slave.apple.com slave
\n192.168.1.73 client1.apple.com client1
\n192.168.1.74 client2.apple.com client2<\/p>\n

yum -y install sssd-ldap nss-pam-ldapd nfs-utils<\/p>\n

authconfig-tui<\/p>\n

authconfig –enableldap –enableldapauth –ldapserver=ldaps:\/\/master.apple.com –ldapbasedn=”dc=apple,dc=com” –enablemkhomedir –disableldaptls –update
\nauthconfig –enableldap –enableldapauth –ldapserver=ldaps:\/\/slave.apple.com –ldapbasedn=”dc=apple,dc=com” –enablemkhomedir –disableldaptls –update<\/p>\n

reate the c hash of the CA certificate.<\/p>\n

\/etc\/pki\/tls\/misc\/c_hash \/etc\/openldap\/cacerts\/server.pem<\/p>\n

Output:<\/p>\n

997ee4fb.0 => \/etc\/openldap\/cacerts\/server.pem<\/p>\n

Now, symlink the rootCA.pem to the shown 8 digit hex number.<\/p>\n

ln -s \/etc\/openldap\/cacerts\/server.pem 997ee4fb.0<\/p>\n

[root@client1 ~]# echo “TLS_REQCERT allow” >> \/etc\/openldap\/ldap.conf<\/p>\n

[root@client1 ~]# echo “tls_reqcert allow” >> \/etc\/nslcd.conf<\/p>\n

Restart the LDAP client service.<\/p>\n

systemctl restart nslcd<\/p>\n

[root@client1 ~]# getent passwd lduser1
\nlduser1:x:5000:5000:lduser1:\/home\/ldapuser\/lduser1:\/bin\/bash<\/p>\n

[root@client1 \/]# mkdir -p \/home\/ldapuser
\n[root@client1 \/]# mount -t nfs 192.168.1.70:\/home\/ldapuser\/ \/home\/ldapuser\/
\n[root@client1\/]# cd \/home\/ldapuser\/
\n[root@client ldapuser]# ls
\nlduser1 lduser2 lduser3 lduser4 lduser5 lduser6
\n[root@client ldapuser]# su – lduser1
\nLast login: Sat May 20 23:11:00 EDT 2017 on pts\/0<\/p>\n

Configure LDAP Client for TLS connection.
\n[root@client1 ~]# echo “TLS_REQCERT allow” >> \/etc\/openldap\/ldap.conf<\/p>\n

[root@client1 ~]# echo “tls_reqcert allow” >> \/etc\/nslcd.conf<\/p>\n

[root@client1 ~]# authconfig –enableldaptls –update<\/p>\n

getsebool: SELinux is disabled<\/p>\n

scp server.pem root@client1:\/tmp\/<\/p>\n

Enable debug logging on CentOS 7 LDAP Server<\/p>\n

vi \/root\/ldap\/logging.ldif
\n——
\ncat logging.ldif
\ndn: cn=config
\nreplace: olcLogLevel
\nolcLogLevel: -1
\n——<\/p>\n

# apply
\nldapmodify -Y EXTERNAL -H ldapi:\/\/\/ -f \/root\/ldap\/logging.ldif<\/p>\n

# verify
\nldapsearch -Y EXTERNAL -H ldapi:\/\/\/ -b cn=config -s base|grep -i LOG<\/p>\n

systemctl restart slapd<\/p>\n

vi \/etc\/rsyslog.conf
\n——
\nlocal4.* -\/var\/log\/slapd.log
\n——<\/p>\n

systemctl restart rsyslog<\/p>\n

vi \/etc\/logrotate.d\/syslog
\n—–
\n# add this line
\n\/var\/log\/slapd.log<\/p>\n

Master slave replication
\nroot@master ldap]# cat rpuser.ldif
\ndn: uid=rpuser,dc=apple,dc=com
\nobjectClass: simpleSecurityObject
\nobjectclass: account
\nuid: rpuser
\ndescription: Replication User
\nuserPassword: root1234<\/p>\n

[root@master ldap]# ldapadd -x -W -D cn=Manager,dc=apple,dc=com -W -f rpuser.ldif
\nEnter LDAP Password:
\nadding new entry “uid=rpuser,dc=apple,dc=com”<\/p>\n

Configure LDAP Provider. Add syncprov module.
\n[root@master ~]# vi mod_syncprov.ldif
\n# create new<\/p>\n

dn: cn=module,cn=config
\nobjectClass: olcModuleList
\ncn: module
\nolcModulePath: \/usr\/lib64\/openldap
\nolcModuleLoad: syncprov.la<\/p>\n

[root@master ~]# ldapadd -Y EXTERNAL -H ldapi:\/\/\/ -f mod_syncprov.ldif<\/p>\n

SASL\/EXTERNAL authentication started
\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
\nSASL SSF: 0
\nadding new entry “cn=module,cn=config”<\/p>\n

[root@master ~]# vi syncprov.ldif
\n# create new<\/p>\n

dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
\nobjectClass: olcOverlayConfig
\nobjectClass: olcSyncProvConfig
\nolcOverlay: syncprov
\nolcSpSessionLog: 100<\/p>\n

[root@master ~]# ldapadd -Y EXTERNAL -H ldapi:\/\/\/ -f syncprov.ldif<\/p>\n

SASL\/EXTERNAL authentication started
\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
\nSASL SSF: 0
\nadding new entry “olcOverlay=syncprov,olcDatabase={2}hdb,cn=config”<\/p>\n

vi syncrepl.ldif<\/p>\n

[root@slave ldap]# cat syncrepl.ldif
\ndn: olcDatabase={2}hdb,cn=config
\nchangetype: modify
\nadd: olcSyncRepl
\nolcSyncRepl: rid=001
\nprovider=ldap:\/\/192.168.1.70:389\/
\nbindmethod=simple
\nbinddn=”uid=rpuser,dc=apple,dc=com”
\ncredentials=root1234
\nsearchbase=”dc=apple,dc=com”
\nscope=sub
\nschemachecking=on
\ntype=refreshAndPersist
\nretry=”30 5 300 3″
\ninterval=00:00:05:00
\n[root@slave ldap]#<\/p>\n

ldapadd -Y EXTERNAL -H ldapi:\/\/\/ -f syncrepl.ldif<\/p>\n

Test the LDAP replication:<\/p>\n

Let\u2019s create a user in LDAP called \u201cldaprptest\u201c, to do that, create a .ldif file on the master LDAP server.<\/p>\n

[root@master ~]# vi ldaprptest.ldif<\/p>\n

Update the above file with below content.<\/p>\n

dn: uid=ldaprptest,ou=People,dc=apple,dc=com
\nobjectClass: top
\nobjectClass: account
\nobjectClass: posixAccount
\nobjectClass: shadowAccount
\ncn: ldaprptest
\nuid: ldaprptest
\nuidNumber: 9988
\ngidNumber: 100
\nhomeDirectory: \/home\/ldaprptest
\nloginShell: \/bin\/bash
\ngecos: LDAP Replication Test User
\nuserPassword: redhat123
\nshadowLastChange: 17058
\nshadowMin: 0
\nshadowMax: 99999
\nshadowWarning: 7<\/p>\n

ldapsearch -x cn=ldaprptest -b dc=apple,dc=com<\/p>\n

[root@master ldap]# slappasswd
\nNew password:
\nRe-enter new password:
\n{SSHA}hbfwS2+203V3p+P6CB5n7nHVZpRB6ns+
\n[root@master ldap]# vi adduser.ldif
\n[root@master ldap]# cat adduser.ldif
\ndn: uid=mohan,ou=People,dc=apple,dc=com
\nobjectClass: top
\nobjectClass: account
\nobjectClass: posixAccount
\nobjectClass: shadowAccount
\ncn: mohan
\nuid: mohan
\nuidNumber: 9999
\ngidNumber: 100
\nhomeDirectory: \/home\/mohan
\nloginShell: \/bin\/bash
\ngecos: Mohan [Admin (at) Apple]
\nuserPassword: {SSHA}uWC6jFxw\/4nY3GEQfwf4Eh\/cq13lvyKy
\nshadowLastChange: 17058
\nshadowMin: 0
\nshadowMax: 99999
\nshadowWarning: 7
\n[root@master ldap]# ldapadd -x -W -D cn=Manager,dc=apple,dc=com -W -f adduser.ldif
\nEnter LDAP Password:
\nadding new entry “uid=mohan,ou=People,dc=apple,dc=com”<\/p>\n

Backup LDAP with slapcat on CentOS 7<\/p>\n

#!\/bin\/bash
\nexport PATH=\/usr\/local\/sbin:\/usr\/local\/bin:\/sbin:\/bin:\/usr\/sbin:\/usr\/bin
\nset -e
\nKEEP=7
\nBASE_DN=’dc=apple,dc=com’
\nLDAPBK=”ldap-$( date +%y%m%d-%H%M ).ldif”
\nBACKUPDIR=’\/root\/ldap-backup’
\ntest -d “$BACKUPDIR” || mkdir -p “$BACKUPDIR”
\nslapcat -b “$BASE_DN” -l “$BACKUPDIR\/$LDAPBK”
\ngzip -9 “$BACKUPDIR\/$LDAPBK”
\nls -1tr $BACKUPDIR\/*.ldif.gz | head -n-$KEEP | xargs rm –<\/p>\n

ldapmodify -Y EXTERNAL -H ldapi:\/\/\/ -f monitor.ldif<\/p>\n

cp \/usr\/share\/openldap-servers\/DB_CONFIG.example \/var\/lib\/ldap\/DB_CONFIG
\nchown ldap:ldap \/var\/lib\/ldap\/*<\/p>\n

Add the cosine and nis LDAP schemas.<\/p>\n

ldapadd -Y EXTERNAL -H ldapi:\/\/\/ -f \/etc\/openldap\/schema\/cosine.ldif
\nldapadd -Y EXTERNAL -H ldapi:\/\/\/ -f \/etc\/openldap\/schema\/nis.ldif
\nldapadd -Y EXTERNAL -H ldapi:\/\/\/ -f \/etc\/openldap\/schema\/inetorgperson.ldif<\/p>\n

Generate base.ldif file for your domain.<\/p>\n

vi base.ldif<\/p>\n

Use the below information. You can modify it according to your requirement.<\/p>\n

dn: dc=apple,dc=com
\ndc: apple
\nobjectClass: top
\nobjectClass: domain<\/p>\n

dn: cn=ldapadm,dc=apple,dc=com
\nobjectClass: organizationalRole
\ncn: ldapadm
\ndescription: LDAP Manager<\/p>\n

dn: cn=Manager,dc=apple,dc=com
\nobjectClass: organizationalRole
\ncn: Manager
\ndescription: Directory Manager<\/p>\n

dn: ou=People,dc=apple,dc=com
\nobjectClass: organizationalUnit
\nou: People<\/p>\n

dn: ou=Group,dc=apple,dc=com
\nobjectClass: organizationalUnit
\nou: Group<\/p>\n

Build the directory structure.<\/p>\n

ldapadd -x -W -D cn=Manager,dc=apple,dc=com -W -f base.ldif<\/p>\n

ldapsearch -x -W -D ‘cn=Manager,dc=apple,dc=com ‘ -b “” -s base<\/p>\n

ldapsearch -x -b ” -s base ‘(objectclass=*)’ namingContexts<\/p>\n","protected":false},"excerpt":{"rendered":"

systemctl stop firewalld.service setenforce 0<\/p>\n

sed -i s\/^SELINUX=enforcing\/SELINUX=disabled\/g \/etc\/selinux\/config<\/p>\n

127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 192.168.1.70 master.apple.com master 192.168.1.71 slave.apple.com slave 192.168.1.73 client1.apple.com client1 192.168.1.74 client2.apple.com client2<\/p>\n

yum -y install openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel migrationtools vim<\/p>\n

cd \/etc\/openldap\/slapd.d<\/p>\n

rm -rf<\/p>\n

cp \/usr\/share\/openldap-servers\/slapd.ldif \/root\/ldap\/<\/p>\n

Set OpenLDAP admin password. # generate […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[95],"tags":[],"_links":{"self":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/7576"}],"collection":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=7576"}],"version-history":[{"count":5,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/7576\/revisions"}],"predecessor-version":[{"id":7582,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/7576\/revisions\/7582"}],"wp:attachment":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=7576"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=7576"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=7576"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}