LDAP, the Lightweight Directory Access Protocol, is a protocol for managing and accessing related information in a centralized, hierarchical directory structure. An LDAP server is a non-relational database that is optimized for reading rather than writing data. It can serve, for example, as the address book behind email clients, or as the authentication backend for services such as Samba or Linux system login, where it replaces /etc/passwd and holds the user data.

1. Prerequisite

a. The LDAP server should have a valid FQDN.
b. Install the EPEL and REMI repositories to avoid dependency problems.

a. Configure hostname

Edit /etc/hosts and add the following line (the FQDN followed by the short hostname as an alias):

# cat /etc/hosts
172.31.1.173 demohost.com demohost

Add the hostname to /etc/hostname and /etc/sysconfig/network:

# cat /etc/hostname
demohost

# cat /etc/sysconfig/network
NETWORKING=yes
HOSTNAME="demohost"

Check the FQDN of your server by executing the following two commands in the terminal:

# hostname
demohost
# hostname -f
demohost.com

b. Install EPEL/REMI

Install the REMI repository:

# wget http://rpms.famillecollet.com/enterprise/remi-release-6.rpm
# rpm -Uvh remi-release-6.rpm
Now install the EPEL repository:

# wget http://epel.mirror.net.in/epel/6/i386/epel-release-6-8.noarch.rpm
# rpm -Uvh epel-release-6-8.noarch.rpm

2. Configure firewall

Configure the firewall to allow traffic to the LDAP server: port 389 is plain LDAP, 636 is LDAP over TLS (LDAPS) and 9830 is the 389 administration server port. Add the following lines to /etc/sysconfig/iptables:

# nano /etc/sysconfig/iptables
-A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 636 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 9830 -j ACCEPT

Restart the firewall to load the new rules:

# service iptables restart
3. Configure LDAP server for performance and security

Edit a few kernel and resource-limit parameters on the server for performance and security. First edit /etc/sysctl.conf:

# nano /etc/sysctl.conf

Append the following lines:

net.ipv4.tcp_keepalive_time = 350
net.ipv4.ip_local_port_range = 1024 65000
fs.file-max = 64000

Next edit /etc/security/limits.conf:

# nano /etc/security/limits.conf

Append the following lines:

* soft nofile 8192
* hard nofile 8192

Now edit /etc/profile:

# nano /etc/profile

Add the following line at the end:

ulimit -n 8192

Lastly edit /etc/pam.d/login:

# nano /etc/pam.d/login

Add the following line at the end:

session required /lib/security/pam_limits.so

Reboot the server.

4. Install 389 Directory Server

Now create the user account that the directory server will run as:

# useradd ldapadmin
# passwd ldapadmin

Install 389 Directory Server by executing the following command:

# yum install -y 389-ds openldap-clients

5. Configure LDAP server

Let us now configure the LDAP server. Execute the following command to configure 389 Directory Server:

# setup-ds-admin.pl

Read each question carefully before answering.
Would you like to continue with set up? [yes]: yes
Would you like to continue? [no]: yes
Choose a setup type [2]: 2
Computer name: demohost.com
System User [nobody]: ldapadmin
System Group [nobody]: ldapadmin
Do you want to register this software with an existing configuration directory server? [no]: no
Configuration directory server administrator ID [admin]:
Password:
Password (confirm):
Administration Domain [com]:
Directory server network port [389]:
Directory server identifier [demohost]: demohost
Suffix [dc=com]:
Directory Manager DN [cn=directory Manager]: ## Press Enter ##
Password: ## Enter the password ##
Password (confirm):
Administration port [9830]: 9830
Are you ready to set up your servers? [yes]: yes

If the script runs successfully, you will see the following messages at the end of the installation:

Updating the configuration for the httpd engine...
Starting admin server...
output: Starting dirsrv-admin:
output: [ OK ]
The admin server was successfully started.
Admin server was successfully created, configured, and started.
Exiting...

Execute the following two commands so that the LDAP server starts automatically on reboot:

# chkconfig dirsrv on
# chkconfig dirsrv-admin on

6. Test LDAP server

Now test the LDAP server with an anonymous search against the suffix chosen in step 5:

# ldapsearch -x -b "dc=com"

The LDAP server is now ready for use.

7. Install phpldapadmin

Install phpldapadmin by executing the following command in the terminal:

# yum install phpldapadmin
Now we need to configure a few parameters for phpldapadmin. Edit /etc/phpldapadmin/config.php and look for the line

$servers->setValue('login','attr','uid');

Uncomment it, and comment out this line:

$servers->setValue('login','attr','dn');

Next edit /etc/httpd/conf.d/phpldapadmin.conf. It should look something like this:

Alias /phpldapadmin /usr/share/phpldapadmin/htdocs
Alias /ldapadmin /usr/share/phpldapadmin/htdocs

<Directory /usr/share/phpldapadmin/htdocs>
  Order Deny,Allow
  Deny from all
  Allow from 127.0.0.1
  Allow from all
</Directory>

If you only want to access phpldapadmin on the server where it is installed, keep this line:

Allow from 127.0.0.1

If you want to access phpldapadmin from the local network where the server is installed, use this line instead, changing 192.168.x.x to your own network ID:

Allow from 127.0.0.1 192.168.0.0/16

I want to access it from anywhere, so I kept this line:

Allow from all

With Order Deny,Allow, a later Allow from all overrides Deny from all, so the web interface is then reachable from any address and only the LDAP login protects it.

Restart Apache:

# service httpd restart

Now navigate to the following URL in your web browser, replacing demohost.com with your own domain name:

http://demohost.com/phpldapadmin

Click Login in the left sidebar. Enter the username and password that you created in step 5 and click Authenticate. If authentication succeeds, you will be logged in to phpldapadmin.

The LDAP server is installed. You can now explore all the features of LDAP through phpldapadmin.
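As an added example (not part of the original tutorial), a small Python audit of the three configuration fragments edited above: it checks that the /etc/hosts entry pairs the FQDN with its short-name alias, lists the TCP ports the iptables rules accept, and flags a phpldapadmin Directory block whose Allow from all makes the interface world-reachable. The sample fragments are constructed inline to mirror the tutorial's files.

```python
import re

# Constructed sample fragments mirroring the files edited in the tutorial.
HOSTS_LINE = "172.31.1.173 demohost.com demohost"
IPTABLES_RULES = """\
-A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 636 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 9830 -j ACCEPT
"""
PHPLDAPADMIN_CONF = """\
<Directory /usr/share/phpldapadmin/htdocs>
  Order Deny,Allow
  Deny from all
  Allow from 127.0.0.1
  Allow from all
</Directory>
"""

def hosts_entry_ok(line, fqdn):
    """True if an /etc/hosts line maps both the FQDN and its short name;
    without the short-name alias, `hostname -f` cannot resolve the FQDN."""
    fields = line.split()
    short = fqdn.split(".")[0]
    return fqdn in fields[1:] and short in fields[1:]

def accepted_tcp_ports(rules):
    """Sorted TCP ports the iptables rules accept for new connections."""
    return sorted({int(p) for p in re.findall(r"--dport (\d+) -j ACCEPT", rules)})

def apache_allow_sources(conf):
    """'Allow from' sources inside the <Directory> block, in file order."""
    block = re.search(r"<Directory [^>]+>(.*?)</Directory>", conf, re.S)
    if block is None:
        return []
    return [ln.strip().split(None, 2)[2]
            for ln in block.group(1).splitlines()
            if ln.strip().startswith("Allow from")]

def phpldapadmin_exposed(conf):
    """With Order Deny,Allow, any 'Allow from all' overrides 'Deny from all',
    so the interface becomes reachable from every address."""
    return "all" in apache_allow_sources(conf)

def audit(hosts_line=HOSTS_LINE, rules=IPTABLES_RULES, conf=PHPLDAPADMIN_CONF):
    # Summary dict suitable for a post-install sanity script.
    return {
        "hosts_ok": hosts_entry_ok(hosts_line, "demohost.com"),
        "open_ports": accepted_tcp_ports(rules),
        "phpldapadmin_exposed": phpldapadmin_exposed(conf),
    }
```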