OpenLDAP

# Prerequisite: build dependencies for slapd (TLS, SASL, systemd and perl
# headers). Kept in an array so the list is easy to read and extend.
pkgs=(
  libtool
  libtool-ltdl-devel
  openssl-devel
  tcp_wrappers
  cyrus-sasl-devel
  systemd-devel
  perl-devel
)
dnf install "${pkgs[@]}"

# Account: unprivileged service identity that slapd drops to (the unit below
# starts it with "-u ldap -g ldap"). Fixed uid/gid 389 mirrors the LDAP port.
ldap_id=389
groupadd --system --gid "$ldap_id" ldap
useradd --system --uid "$ldap_id" --gid "$ldap_id" \
  --no-create-home --home-dir /var/lib/openldap \
  --shell /usr/sbin/nologin ldap

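# Download
# Fetch over HTTPS instead of plain FTP so the tarball cannot be altered in
# transit. Still compare the file against the checksum/signature published on
# the OpenLDAP download page before building it (value intentionally not
# reproduced here).
export VER=2.6.0
wget "https://www.openldap.org/software/download/OpenLDAP/openldap-release/openldap-${VER}.tgz"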

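# Compile
# The options live in an array rather than a backslash-continued command line:
# the original ended with a trailing "\" on its last option, so any non-blank
# line that later landed after it would silently become a configure argument.
# Comments are allowed between array elements, so the grouping is preserved.
configure_opts=(
  --prefix=/usr --sysconfdir=/etc
  # Optional Features
  --disable-static
  --enable-debug
  --enable-dynamic
  --enable-syslog
  --enable-ipv6
  --enable-local
  # Optional Packages
  --with-tls=openssl
  --with-cyrus-sasl
  --with-systemd
  # Slapd Options (Standalone LDAP Daemon)
  --enable-slapd
  --enable-cleartext
  --enable-crypt
  --enable-spasswd
  --enable-modules
  --enable-rlookups
  --disable-wrappers
  # Slapd Overlay Options
  --enable-overlays=mod
  --enable-ppolicy=mod
  --enable-memberof=mod
  # Slapd Backend Options
  --enable-backends=no
  --enable-mdb
  --enable-passwd
  --disable-wt
  --disable-sql
  --disable-perl
)
./configure "${configure_opts[@]}"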


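# Directories And Sudo
# sudo -V | grep -i ldap
# rpm -ql sudo | grep -i schema.openldap
cp /usr/share/doc/sudo/schema.OpenLDAP /etc/openldap/schema/sudo.schema
mkdir -pv /var/lib/openldap/aspirin.com /etc/openldap/slapd.d
# NOTE(review): this guide converts slapd.ldif below; if slapd.conf is not
# present this chown fails — confirm which file exists on the host.
chown -R ldap:ldap /var/lib/openldap /etc/openldap/slapd.conf
# Dry-run (-u) first: the LDIF is validated without writing to slapd.d.
slapadd -n0 -F /etc/openldap/slapd.d -l /etc/openldap/slapd.ldif -u
slapadd -n0 -F /etc/openldap/slapd.d -l /etc/openldap/slapd.ldif
# cn=config holds the server's credentials; owner ldap, no world access
# (same 750 mode the slapd.ldif ==> slapd.d section uses).
chown -R ldap:ldap /etc/openldap/slapd.d
chmod -R 750 /etc/openldap/slapd.d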

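# Systemd Unit
# Fixes over the original: the truncated "Exec" line (not a valid directive) is
# gone; the drop-in and the environment file now target the unit actually
# written here (slapd.service) and the path the unit reads
# (/etc/sysconfig/openldap — the original wrote /etc/defualt/openldap).
cat > /etc/systemd/system/slapd.service << 'EOL'
[Unit]
Description=OpenLDAP Server Daemon
After=network-online.target
Wants=network-online.target
Documentation=man:slapd
Documentation=man:slapd-config
Documentation=man:slapd-mdb

[Service]
Type=forking
# Must agree with the pid file configured in slapd.ldif/slapd.d (olcPidFile).
PIDFile=/var/lib/openldap/slapd.pid
# ldaps:/// needs the olcTLS* settings that are applied later in this guide;
# slapd may refuse to start on that listener until they exist.
Environment="SLAPD_URLS=ldap:/// ldapi:/// ldaps:///" "SLAPD_OPTIONS=-F /etc/openldap/slapd.d"
EnvironmentFile=-/etc/sysconfig/openldap
# ${SLAPD_URLS} is passed as one argument to -h; $SLAPD_OPTIONS is word-split.
ExecStart=/usr/libexec/slapd -u ldap -g ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS

[Install]
WantedBy=multi-user.target
EOL

# Drop-in for the unit above; the directory name must match the unit name.
mkdir -pv /etc/systemd/system/slapd.service.d
cat > /etc/systemd/system/slapd.service.d/override.conf << 'EOF'
[Service]
LimitNOFILE=1048576
EOF

# Values here replace the Environment= defaults wholesale, so -F must be kept:
# the original SLAPD_OPTIONS="-u ldap -g ldap" duplicated ExecStart's user
# switch and dropped the config directory. Written with ">" (not ">>") so a
# re-run does not accumulate duplicate assignments.
cat > /etc/sysconfig/openldap << 'EOF'
SLAPD_URLS="ldap:/// ldaps:/// ldapi:///"
SLAPD_OPTIONS="-F /etc/openldap/slapd.d"
EOF
# Pick up the new unit and drop-in.
systemctl daemon-reload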


# Configure MDB
# Show the mdb database(s) currently defined under cn=config.
ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcDatabase=mdb -LLL -Q
# Remove the existing {1}mdb definition; -r recurses into child entries.
# The bracketed [-n] is the author's shorthand for the optional dry-run flag:
# destructive, so run it with -n first to preview what would be removed.
ldapdelete -Y EXTERNAL -H ldapi:/// -r [-n] 'olcDatabase={1}mdb,cn=config'
# Load the replacement database definition (RootDN.ldif is not shown here);
# again [-n] marks an optional dry-run.
ldapadd -Y EXTERNAL -H ldapi:/// -f RootDN.ldif -v [-n]

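# Configure OpenLDAP with SSL/TLS
# Self-signed server certificate (3344 days, ~9 years). -nodes leaves the key
# unencrypted so slapd can load it unattended; the subject is the author's
# example and should be replaced with the real host name.
openssl req -new -x509 -nodes -days 3344 -newkey rsa:2048 -keyout ldap.key -out ldap.crt -subj '/C=CN/ST=Allusion/L=Allusion/O=amain/OU=devops/CN=bemoan/emailAddress=b@b.io'
# The private key is readable only by the ldap user. The certificate is
# public and clients that verify the server need to read it, so it is not
# installed 0400 like the original did for both files.
install --owner ldap --group ldap --mode=0400 ldap.key /etc/pki/tls
install --owner ldap --group ldap --mode=0444 ldap.crt /etc/pki/tls
# TLS.ldif (not shown) sets the olcTLS* attributes pointing at these files.
ldapadd -Y EXTERNAL -H ldapi:/// -f TLS.ldif
slapcat -b cn=config | grep -i olcTLS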

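# Create OpenLDAP Base DN
ldapadd -Y EXTERNAL -H ldapi:/// -f BaseDN.ldif

# Create OpenLDAP User Accounts And Set Password
ldapadd -Y EXTERNAL -H ldapi:/// -f Users.ldif
# -S prompts for the new password. The original "-s johndoe" put the password
# on the command line, where it is visible in `ps` output and shell history.
ldappasswd -Y EXTERNAL -H ldapi:/// -S 'uid=johndoe,ou=people,dc=aspirin,dc=com'
ldapsearch -Y EXTERNAL -H ldapi:/// -b 'dc=aspirin,dc=com' '(uid=johndoe)'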

# Create OpenLDAP Bind DN And Bind DN User
# The bind DN user performs routine LDAP lookups (resolving user and group
# IDs). This guide puts it under an ou named "system"; the access controls
# that apply to that ou are the ones defined on the root DN above.
ldapi_url=ldapi:///
# Show the ACLs currently attached to the {1}mdb database.
ldapsearch -H "$ldapi_url" -Y EXTERNAL -Q -LLL -b cn=config '(olcDatabase={1}mdb)' olcAccess
ldapadd -H "$ldapi_url" -Y EXTERNAL -f BindDNUser.ldif

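# Allow OpenLDAP Service Through Firewall
# Opening plain ldap (389) as well as ldaps admits unencrypted simple binds
# unless the server requires TLS; keep that in mind when choosing the set.
firewall-cmd --add-service={ldap,ldaps} --permanent
# The option is --reload; the original bare "reload" is not a firewall-cmd option.
firewall-cmd --reload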



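# slapd
# List the available debug levels. The '?' is quoted so the shell cannot expand
# it as a glob against a one-character file name in the current directory.
slapd -d '?'
# Foreground-style invocation for a /usr/local layout. Giving both -f and -F
# converts slapd.conf into the slapd.d tree. The ldaps listener is written
# "ldaps://host:port"; the original "ldaps:///0.0.0.0:636" had an extra slash,
# which makes the host part empty.
# NOTE(review): this uses a "slapd" account, unlike the "ldap" account created
# above — confirm which one exists on the host.
slapd -u slapd -g slapd -l LOCAL4 -s Any -4 -f /usr/local/etc/openldap/slapd.conf -F /usr/local/etc/openldap/slapd.d -h 'ldap://0.0.0.0:389 ldaps://0.0.0.0:636 ldapi://%2Fusr%2Flocal%2Fvar%2Fldapi'

slapd -T test -f slapd.conf  # test configuration file

# slaptest
slaptest -f /usr/local/etc/openldap/slapd.conf -F /usr/local/etc/openldap/slapd.d -v -n0 -d any
# -W prompts for the bind password; "-w secret" would expose it in ps and history.
ldapsearch -x -W -b 'cn=config' -D 'cn=config'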

# slapcat
# Dumps are LDIF and include userPassword values, so protect the output files.
# Dump the schema subtree of the config database.
slapcat -b cn=schema,cn=config
# Dump the directory tree selected by its suffix.
slapcat -b dc=aspirin,dc=com
# Dump by database number (0 is cn=config, data databases start at 1) into an
# LDIF file; the brackets are the author's shorthand for picking one value.
slapcat -n [0 | 1 | 2] -l backup.ldif
# Select base/scope through an LDAP URL; "ldap[s]" again marks either scheme.
slapcat -H ldap[s]:///ou=system,dc=aspirin,dc=com
slapcat -F /etc/openldap/slapd.d  # monitor doesn't support slapcat

# slappasswd — be aware of trailing newlines: the input is hashed byte for
# byte, so a secret that carries a trailing "\n" hashes differently from the
# same secret without it.
# "-s secret" exposes the secret in ps and shell history; with neither -s nor
# -T given, slappasswd prompts for it instead.
slappasswd -h {ssha} -s secret
# NOTE(review): slappasswd is not documented to treat "-s -" as "read stdin";
# confirm this hashes the piped value and not the literal "-". -n omits the
# trailing newline from the *output*, handy when piping the hash onward.
echo secret | slappasswd -h {ssha} -n -s -
# -T reads the secret from a file (any trailing newline in it is hashed too).
slappasswd -T file -h {ssha} -v


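# BACKUP SLAPD CONFIGURATION
# The dumps contain credential material (e.g. userPassword hashes); create the
# files unreadable to other users.
umask 077
slapcat -F /usr/local/etc/openldap/slapd.d -n0 -l extracted_config.ldif
# BACKUP THE ONLY DATABASE
slapcat -F /usr/local/etc/openldap/slapd.d -n1 -l extracted_mdb.ldif
# RESTORE CONFIGURATION
# slapadd writes to the backend directly: stop slapd before restoring so it is
# not running against the database being rewritten.
slapadd -F /usr/local/etc/openldap/slapd.d -n0 -l extracted_config.ldif
chown -R ldap:ldap /usr/local/etc/openldap/slapd.d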

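# ldapwhoami
# Anonymous/default bind: reports who the server thinks you are.
ldapwhoami -H ldap://localhost:389 -v
# -W prompts for the password; "-w secret" on the command line is visible in
# ps output and shell history.
ldapwhoami -H ldap://localhost:389 -x -D 'cn=Manager,dc=aspirin,dc=com' -W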

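# ldapsearch
# All databases under cn=config, every attribute (\* keeps the shell from globbing).
ldapsearch -Y EXTERNAL -H ldapi:/// -LLL -b cn=config olcDatabase=\* \*
# Simple bind over the local socket; -W prompts instead of "-w slap" on argv.
# NOTE(review): these two use dc=aspirin,dc=io while the rest of the guide uses
# dc=aspirin,dc=com — confirm the suffix.
ldapsearch -x -H ldapi:/// -b dc=aspirin,dc=io -s sub -D cn=perturb,dc=aspirin,dc=io -W
ldapsearch -x -b dc=aspirin,dc=io -LLL -u -t '(cn=*)' cn sn
# Database entries only, DNs unwrapped ('' requests no attributes).
ldapsearch -Y EXTERNAL -H ldapi:/// -LLL -Q -o ldif-wrap=no -b cn=config '(objectClass=olcDatabaseConfig)' ''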

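# ldapmodify
ldapmodify -Y EXTERNAL -H ldapi:/// -f a.ldif

# ldapadd
# -W prompts for the bind password rather than exposing it via -w on argv.
ldapadd -x -D cn=perturb,dc=aspirin,dc=io -W -f aspirin.io.ldif
# Load the standard schemas one at a time. The original wrote them as a
# pseudo-pipeline ("| inetorgperson.ldif | nis.ldif"), which the shell would
# try to run as commands.
for schema in cosine inetorgperson nis; do
  ldapadd -Y EXTERNAL -H ldapi:/// -f "/etc/openldap/schema/${schema}.ldif"
done

# ldapdelete
# -r removes the subtree; -n only shows what would be deleted (drop it to
# actually delete). -W prompts for the password.
ldapdelete -x -D cn=perturb,dc=aspirin,dc=io -W -r -v -n 'ou=tech,dc=aspirin,dc=io'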


# Apply an LDIF to the slapd.d tree offline, then check the result.
# NOTE(review): with neither -n0 nor -b this appears to target the first data
# database rather than cn=config — confirm that is intended for a file named
# update_config.ldif.
slapadd -F /usr/local/etc/openldap/slapd.d -l update_config.ldif
slaptest -F /usr/local/etc/openldap/slapd.d

# Ask the root DSE which suffixes this server holds (no -H: ldap.conf decides).
ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts

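# slapd.ldif ==> slapd.d
# Dry-run (-u) first, then the real conversion. -l names the LDIF input, as in
# the "Directories" section above; the original used -f, which slapadd
# reserves for a slapd.conf-style configuration file.
slapadd -n0 -F slapd.d -l slapd.ldif -u
slapadd -n0 -F slapd.d -l slapd.ldif
chown -R ldap:ldap slapd.d
chmod -R 750 slapd.d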







# Enable Logging
# Show the current log level first.
ldapsearch -H ldapi:/// -Y EXTERNAL -Q -LLL -b cn=config '(objectClass=olcGlobal)' olcLogLevel
# Switch slapd to "stats" logging (connections, operations and results).
cat > enable-ldap-log.ldif <<'EOF'
dn: cn=config
changeType: modify
replace: olcLogLevel
olcLogLevel: stats
EOF
ldapmodify -H ldapi:/// -Y EXTERNAL -f enable-ldap-log.ldif
# slapd logs through the LOCAL4 syslog facility; route it to its own file.
# (Each run appends another copy of this line.)
printf '%s\n' 'local4.* /var/log/slapd.log' >> /etc/rsyslog.conf
systemctl restart rsyslog

# Manual
man slapd-mdb


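# Bind DN user LDIF. The DNs use the suffix this guide uses everywhere else
# (dc=aspirin,dc=com; cf. ou=system,dc=aspirin,dc=com above) and the file name
# matches the ldapadd call (BindDNUser.ldif). The original appears to be
# pasted from another tutorial (a dc=kifarunix-demo suffix) together with its
# password hash; never reuse a hash whose password is known elsewhere —
# generate one locally with slappasswd and substitute it below.
cat > BindDNUser.ldif << 'EOL'
dn: ou=system,dc=aspirin,dc=com
objectClass: organizationalUnit
objectClass: top
ou: system

dn: cn=readonly,ou=system,dc=aspirin,dc=com
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: readonly
userPassword: {SSHA}<hash-from-slappasswd>
description: Bind DN user for LDAP Operations
EOL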

 
