How to use the new cn=config in OpenLDAP under CentOS 5/6


Jephe Wu - http://linuxtechres.blogspot.com

Objective: understand OpenLDAP's new cn=config feature and configure OpenLDAP as a centralized user login directory and address book
Environment: CentOS 5
Concept:

Historically, OpenLDAP used a static configuration file (slapd.conf): any configuration change required stopping and starting slapd again, which means downtime. Now there is the option of OLC (On-Line Configuration), also known as cn=config or slapd.d configuration, which is changed through LDAP itself while slapd is running.

The feature is (as of version 2.4) still optional, which means that slapd.conf, while formally deprecated, continues to work.


Steps:
1. Make sure /etc/openldap/slapd.conf includes inetorgperson.schema (the address book entries in step 6 need it):


include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema

Add the following into slapd.conf:

database config
rootdn "cn=admin,cn=config"
rootpw {SSHA}QoTQ3JyrnNgDiMPEYncHY43tDxaezh5w

Note: put this config database block before the first regular database definition if you want to use the features that only the cn=config configuration provides.

2. Use slappasswd to generate the {SSHA} password hash for the rootpw line in /etc/openldap/slapd.conf; the hash shown in step 1 is only an example, so replace it with your own slappasswd output.
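slappasswd prints a salted SHA-1 hash. The Python below is an added example (not from the original post): it reproduces that {SSHA} layout and verifies a password against a stored hash, so a rootpw or olcRootPW value can be checked offline; the password and salt in the demo are constructed values.

```python
import base64
import hashlib
import hmac
import os

SSHA_PREFIX = "{SSHA}"

def ssha_hash(password, salt=None):
    """OpenLDAP {SSHA} layout: "{SSHA}" + base64( SHA1(password || salt) || salt ).
    slappasswd uses a 4-byte random salt; pass salt= only for reproducible tests."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(password, stored):
    """True only if password matches the stored {SSHA} value.  Returns False for a
    wrong password, a malformed value, or another scheme such as the page's {crypt}."""
    if not stored.startswith(SSHA_PREFIX):
        return False
    try:
        raw = base64.b64decode(stored[len(SSHA_PREFIX):], validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return False
    if len(raw) <= 20:          # 20-byte SHA-1 digest followed by a non-empty salt
        return False
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)   # constant-time compare

# Constructed demo values (not the page's hash): a throwaway password with a fixed
# salt so the output is reproducible; a real rootpw comes from slappasswd.
DEMO_PASSWORD = "constructed-secret"
DEMO_HASH = ssha_hash(DEMO_PASSWORD, salt=b"\x01\x02\x03\x04")

if __name__ == "__main__":
    print(DEMO_HASH)
    print(ssha_verify(DEMO_PASSWORD, DEMO_HASH), ssha_verify("wrong", DEMO_HASH))
```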

3. To avoid the "poor performance" warning from slaptest (see step 4), give the BDB backend a DB_CONFIG file:
cp /etc/openldap/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
or, depending on the package version:
cp /usr/share/doc/openldap-servers-2.*/DB_CONFIG.example /var/lib/ldap/DB_CONFIG


4. Convert the configuration to cn=config format

# test the configuration first, before converting it
[root@wordpress schema]# /usr/sbin/slaptest -f /etc/openldap/slapd.conf -v
bdb_db_open: Warning - No DB_CONFIG file found in directory /var/lib/ldap: (2)
Expect poor performance for suffix dc=jephe,dc=com.
config file testing succeeded


# convert slapd.conf to cn=config format
cd /etc/openldap
mkdir slapd.d
/usr/sbin/slaptest -f /etc/openldap/slapd.conf -v -F slapd.d
chown -R ldap:ldap *
mv slapd.conf slapd.conf.bak   # not necessary; it only makes sure slapd uses slapd.d, not slapd.conf
/etc/init.d/ldap restart


5. View all content of the LDAP server (dumps the database as LDIF):

slapcat


6. Prepare to import data into LDAP

If you are still using slapd.conf, edit /etc/openldap/slapd.conf and change the suffix and rootdn lines (the dc= values) to your own domain.

If you are using slapd.d (cn=config), modify /etc/openldap/slapd.d/cn=config/olcDatabase={1}bdb.ldif instead and change the
olcSuffix, olcRootDN and olcRootPW lines (olcRootPW is not present by default).

Then import each LDIF file with the command below, binding as the database rootdn (substitute the file name):
ldapadd -x -D 'cn=Manager,dc=jephe,dc=com' -W -f test.ldif

[root@wordpress openldap]# more root.ldif
dn: dc=jephe,dc=com
dc: jephe
objectClass: dcObject
objectClass: organization
organizationName: Openlogic

# a plain POSIX/shadow account, for LDAP login authentication only

[root@wordpress openldap]# more /tmp/jwu.ldif
dn: uid=jwu,dc=jephe,dc=com
uid: jwu
cn: Jephe Wu
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$1$TEDFGNB3$VDJn0DD1e5OjG04.Uz7NH0
shadowLastChange: 14335
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 10000
gidNumber: 10000
homeDirectory: /home/jwu
gecos: usuario1

Note: GECOS
This field is optional and used only for informational purposes. Usually it contains the user's full name. GECOS stands for "General Electric Comprehensive Operating System"; please refer to http://linux.die.net/man/5/passwd.

# a POSIX/shadow account that also serves as an address book entry (inetOrgPerson adds sn and mail)

[root@wordpress openldap]# more zwu.ldif
dn: uid=zwu,dc=jephe,dc=com
uid: zwu
cn: Zhitan Wu
sn: Wu
#objectClass: account   # commented out: account and inetOrgPerson are both structural classes and conflict
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: inetorgperson
userPassword: {crypt}$1$TEDFGNB3$VDJn0DD1e5OjG04.Uz7NH0
shadowLastChange: 14335
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/zwu
gecos: usuario1
mail: zwu@jephe.com
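The objectClass conflict noted in zwu.ldif is a schema-check failure that ldapadd reports only at import time. As an added example (not from the original post), the Python below checks step-6 user entries offline for the two mistakes these entries can make: two unrelated structural objectClasses, and a missing MUST attribute. The schema tables are a hand-kept excerpt of the schemas slapd.conf includes, and the sample entry is a constructed copy of zwu.ldif with the account line left in.

```python
# Added example, not from the original post: offline schema check for step-6 user entries.
# STRUCTURAL/ANCESTORS/MUST are a hand-kept excerpt of core, cosine, inetorgperson and
# nis.schema, limited to the classes these entries use (lower-case names).
STRUCTURAL = {"account", "person", "organizationalperson", "inetorgperson"}
ANCESTORS = {"inetorgperson": {"organizationalperson", "person"}, "organizationalperson": {"person"}}
MUST = {  # required attributes; inetOrgPerson inherits cn and sn from person
    "account": {"uid"}, "person": {"cn", "sn"}, "inetorgperson": {"cn", "sn"},
    "posixaccount": {"cn", "uid", "uidnumber", "gidnumber", "homedirectory"},
    "shadowaccount": {"uid"},
}

def parse_ldif(text):
    """LDIF text -> list of {attr_lowercase: [values]}; '#' lines are comments, a blank
    line ends an entry.  Base64 ('::') values are not handled; these entries use none."""
    entries, cur = [], {}
    for line in text.splitlines() + [""]:
        if line.startswith("#"):
            continue
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
            continue
        attr, _, value = line.partition(":")
        cur.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def check_entry(entry):
    """Problems slapd's schema check would report for one parsed entry ([] = passes)."""
    problems = []
    classes = {c.lower() for c in entry.get("objectclass", [])}
    structural = {c for c in classes if c in STRUCTURAL}
    # A class that is a superior of another listed class is the same chain; only two
    # chains with different leaves (account vs inetOrgPerson) are a real conflict.
    leaves = {c for c in structural if not any(c in ANCESTORS.get(o, ()) for o in structural)}
    if len(leaves) > 1:
        problems.append("conflicting structural objectClasses: " + ", ".join(sorted(leaves)))
    for cls in sorted(classes):
        missing = MUST.get(cls, set()) - set(entry)
        if missing:
            problems.append(f"{cls} requires {', '.join(sorted(missing))}")
    return problems

# Constructed copy of zwu.ldif with the 'account' line the page comments out left in.
BAD_ZWU = "\n".join(["dn: uid=zwu,dc=jephe,dc=com", "uid: zwu", "cn: Zhitan Wu", "sn: Wu",
    "objectClass: account", "objectClass: posixAccount", "objectClass: inetorgperson",
    "uidNumber: 10001", "gidNumber: 10001", "homeDirectory: /home/zwu"])
```

Running check_entry over every entry from parse_ldif on a file before ldapadd turns a rejected import into a readable list of what to fix.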

# userPassword authentication only, with no POSIX attributes (used for Cognos LDAP login)

[root@ldap1 scripts]# more batchuser.ldif
# entry-id: 1
dn: dc=dev,dc=com
dc: dev
objectClass: top
objectClass: domain

# entry-id: 2
dn: ou=Special Users,dc=dev,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Special Users
description: Special Administrative Accounts

# entry-id: 3
dn: ou=People,dc=dev,dc=com
objectClass: top
objectClass: organizationalunit
ou: People

# entry-id: 4
dn: ou=Groups,dc=dev,dc=com
objectClass: top
objectClass: organizationalunit
ou: Groups

dn: cn=admin,ou=Groups,dc=dev,dc=com
cn: admin
objectClass: top
objectClass: groupofuniquenames
ou: Groups
uniqueMember: uid=jephe,ou=People,dc=dev,dc=com
uniqueMember: uid=zhitan,ou=People,dc=dev,dc=com

# entry-id: 5
dn: uid=zhitan,ou=People,dc=dev,dc=com
uid: zhitan
objectClass: inetorgperson
givenName: Zhitan
sn: Wu
cn: Zhitan Wu
userPassword: {SSHA}h7HBuirlNhYJl1TwVEtKqJlJVCb53cqm


7. References:

http://www.howtoforge.com/install-and-configure-openldap-on-centos-5
http://www.zytrax.com/books/ldap/ch6/slapd-config.html
http://olex.openlogic.com/wazi/2011/using-openldap-for-remote-authentication/

phpldapadmin
http://www.padl.com/OSS/MigrationTools.html

http://www.zytrax.com/books/ldap/ch5/ - OpenLDAP Samples