Page 1 of 12
LDAP configuration
The LDAP service listens on port 389, which we may need to take into account if there is a firewall in between.
The LDAP configuration lives in the directory /etc/openldap/, and the configuration file is /etc/openldap/slapd.conf. Following the parameters established for this setup, it should end up looking like this:
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
include /etc/openldap/schema/samba.schema

allow bind_v2

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

TLSCipherSuite HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3:DES-CBC-SHA
TLSCACertificateFile /etc/pki/CA/cacert.pem
TLSCertificateFile /etc/pki/caronte.bez.ies/caronte.bez.ies.pem
TLSCertificateKeyFile /etc/pki/caronte.bez.ies/caronte.bez.ies.sc.key
TLSVerifyClient never

#######################################################################
# ldbm and/or bdb database definitions
#######################################################################

database bdb
suffix "dc=bez.ies,dc=net"
checkpoint 1024 15
rootdn "cn=root,dc=bez.ies,dc=net"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw claveldap
# rootpw {SSHA}ZB4dJQoik5+J/HPLVKTo7pVbr4yZDSMG

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap/bez.ies

# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
## required to support pdb_getsambapwrid()
index displayName pres,sub,eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub

# users can authenticate and change their password
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdMustChange,sambaPwdLastSet
    by self write
    by anonymous auth
    by * none

# these 2 attributes must be world readable for password aging to work correctly
# (or use a privileged account in /etc/ldap.conf to bind to the directory)
access to attrs=shadowLastChange,shadowMax
    by self write
    by * read

# all other attributes are readable by everybody
access to *
    by * read

# enable monitoring
database monitor
access to *
    by dn.exact="cn=root,cn=config" read
    by * none
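The two settings in that file that decide who can read credentials are the rootpw line and the first access rule. The following script is an added example (not part of the original document, and not an OpenLDAP tool) that parses slapd.conf directives, with whitespace-led continuation lines joined as slapd does, and reports two things: a rootpw that is not a {SCHEME} hash, and a password-attribute rule that grants anyone other than self more than auth. The sample configuration it parses is constructed from the listing above; the weak variant, the finding texts and the function names are the example's own.

```python
"""Audit the slapd.conf directives discussed above (added example, not part of the original document)."""
import re

# Constructed sample, modelled on the slapd.conf shown in the text (not a copy of a real deployment).
SAMPLE_SLAPD_CONF = """\
include /etc/openldap/schema/core.schema
allow bind_v2
TLSVerifyClient never
database bdb
suffix "dc=bez.ies,dc=net"
rootdn "cn=root,dc=bez.ies,dc=net"
# Cleartext passwords, especially for the rootdn, should be avoided.
rootpw claveldap
directory /var/lib/ldap/bez.ies
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
    by self write
    by anonymous auth
    by * none
access to attrs=shadowLastChange,shadowMax
    by self write
    by * read
access to *
    by * read
"""

# Constructed weak variant: hashed rootpw, but password hashes readable by everyone.
WEAK_VARIANT = (SAMPLE_SLAPD_CONF
                .replace("rootpw claveldap", "rootpw {SSHA}ZB4dJQoik5+J/HPLVKTo7pVbr4yZDSMG")
                .replace("    by * none", "    by * read"))

# slapd access levels in increasing order of privilege (see slapd.access(5)).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


def parse_slapd_conf(text):
    """Return (directive, argument) pairs. Lines beginning with whitespace
    continue the previous directive; lines beginning with '#' are comments."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and entries:
            directive, arg = entries[-1]
            entries[-1] = (directive, arg + " " + raw.strip())
            continue
        parts = raw.strip().split(None, 1)
        entries.append((parts[0].lower(), parts[1] if len(parts) > 1 else ""))
    return entries


def parse_access(arg):
    """Split 'to <what> by <who> <level> by ...' into (what, [(who, level), ...])."""
    m = re.match(r"to\s+(.*?)\s+by\s+(.*)$", arg)
    if not m:
        return arg, []
    clauses = []
    for clause in re.split(r"\s+by\s+", m.group(2)):
        tokens = clause.split()
        if len(tokens) >= 2:
            clauses.append((tokens[0], tokens[1]))
    return m.group(1), clauses


def level_rank(level):
    """Rank an access level; qualifiers such as 'write(=w)' are stripped first."""
    base = re.split(r"[=(]", level)[0]
    return LEVELS.index(base) if base in LEVELS else len(LEVELS)


def audit(text):
    """Return a list of findings for the settings this page configures."""
    findings = []
    password_rule_seen = False
    for directive, arg in parse_slapd_conf(text):
        if directive == "rootpw" and not arg.startswith("{"):
            findings.append("rootpw is stored in cleartext; use the {SSHA} output of slappasswd instead")
        elif directive == "access":
            what, clauses = parse_access(arg)
            if "userpassword" in what.lower():
                password_rule_seen = True
                for who, level in clauses:
                    if who != "self" and level_rank(level) > level_rank("auth"):
                        findings.append("password attributes grant '%s' to '%s'; "
                                        "anyone but self should get at most auth" % (level, who))
            elif what.strip() == "*" and not password_rule_seen:
                # slapd uses the first matching rule, so a catch-all placed earlier wins
                findings.append("catch-all 'access to *' appears before any rule protecting userPassword")
    return findings


if __name__ == "__main__":
    for name, conf in (("page-style", SAMPLE_SLAPD_CONF), ("weak", WEAK_VARIANT)):
        print(name, audit(conf))
```

Rule order matters: slapd stops at the first access rule whose "to" clause matches, so the password-attribute rule must precede the final `access to * by * read`, which is the order the listing above uses.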
To create an LDAP password we run:
slappasswd
New password: (typed "claveldap")
Re-enter new password: (typed "claveldap")
{SSHA}ZB4dJQoik5+J/HPLVKTo7pVbr4yZDSMG
and now we can put the result in slapd.conf:
rootpw {SSHA}ZB4dJQoik5+J/HPLVKTo7pVbr4yZDSMG
If we are not going to use TLS, we can remove the certificate directives from the configuration.
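What slappasswd produced above is a salted SHA-1: the value after {SSHA} is base64 of the 20-byte SHA-1 of password + salt, followed by the salt itself (the page's value decodes to 24 bytes, i.e. a 4-byte salt, which is slappasswd's default). The following is an added example, not from the original document, that builds and verifies such values so that a rootpw line can be checked without putting the cleartext back in the file; the function names are the example's own, and the constant PAGE_HASH is the value printed above.

```python
"""Generate and verify OpenLDAP {SSHA} password hashes (added example, not from the original document)."""
import base64
import hashlib
import hmac
import os

# Value taken from the slappasswd output shown above.
PAGE_HASH = "{SSHA}ZB4dJQoik5+J/HPLVKTo7pVbr4yZDSMG"


def make_ssha(password, salt=None):
    """Return '{SSHA}' + base64(sha1(password + salt) + salt).
    slappasswd's default SSHA uses a 4-byte random salt (the page's value decodes to 20 + 4 bytes)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def split_ssha(value):
    """Return (digest, salt) for an {SSHA} value; the salt is whatever follows the 20-byte SHA-1 digest."""
    if not value.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(value[len("{SSHA}"):])
    if len(raw) <= 20:
        raise ValueError("too short to contain a digest and a salt")
    return raw[:20], raw[20:]


def verify_ssha(value, candidate):
    """Recompute sha1(candidate + salt) and compare it with the stored digest in constant time."""
    digest, salt = split_ssha(value)
    computed = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(computed, digest)


if __name__ == "__main__":
    print(make_ssha("claveldap"))               # differs on every run because the salt is random
    print(verify_ssha(PAGE_HASH, "claveldap"))  # checks the page's value against its stated password
```

Because the salt is random, running slappasswd twice on the same password gives two different strings; both verify, so there is no need for them to match.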
Creating the database directory
mkdir /var/lib/ldap/bez.ies
chown ldap.ldap /var/lib/ldap/bez.ies
As we will see, LDAP is quite demanding about the owners and permissions of the files involved.
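Since slapd will not start without its database directory and the configuration comment recommends mode 700, it is worth checking all three properties (exists, owned by the service account, no group or world bits) before starting the daemon. The following is an added example, not part of the original document: check_db_directory returns a list of problems, service_ids resolves the ldap user and group the page uses in chown, and demo exercises the check on a throwaway directory owned by the current user because the real path and account are only present on the server.

```python
"""Check the BDB directory that slapd will use (added example, not from the original document)."""
import grp
import os
import pwd
import stat
import tempfile


def check_db_directory(path, expected_uid, expected_gid):
    """Return a list of problems: the directory must exist, be owned by slapd's
    user and group, and carry no group/world permission bits (mode 0700)."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["missing: %s (slapd will not start without its database directory)" % path]
    problems = []
    if not stat.S_ISDIR(st.st_mode):
        problems.append("not a directory: %s" % path)
    if st.st_uid != expected_uid or st.st_gid != expected_gid:
        problems.append("owner is %d:%d, expected %d:%d (chown ldap.ldap)"
                        % (st.st_uid, st.st_gid, expected_uid, expected_gid))
    perm = stat.S_IMODE(st.st_mode)
    if perm & 0o077:
        problems.append("mode is %04o; group/world bits set (0700 recommended)" % perm)
    return problems


def service_ids(user="ldap", group="ldap"):
    """uid/gid of the account the page assigns with 'chown ldap.ldap' (raises KeyError if absent)."""
    return pwd.getpwnam(user).pw_uid, grp.getgrnam(group).gr_gid


def demo():
    """Exercise the check on a throwaway directory owned by the current user.
    On the server the call would be check_db_directory('/var/lib/ldap/bez.ies', *service_ids())."""
    root = tempfile.mkdtemp()
    uid = os.getuid()
    gid = os.stat(root).st_gid          # group of the fresh directory (normally our primary group)
    os.chmod(root, 0o700)
    good = check_db_directory(root, uid, gid)
    os.chmod(root, 0o755)               # the usual mkdir default: too permissive for slapd's data
    loose = check_db_directory(root, uid, gid)
    wrong_owner = check_db_directory(root, uid + 1, gid)
    missing = check_db_directory(os.path.join(root, "absent"), uid, gid)
    os.rmdir(root)
    return good, loose, wrong_owner, missing


if __name__ == "__main__":
    for label, result in zip(("0700", "0755", "wrong owner", "missing"), demo()):
        print(label, result or "ok")
```

The page's mkdir line creates the directory with the shell's default umask, so on most systems it will have group and world read bits until it is tightened; the check reports that case as well as a wrong owner.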