SLAC CPE Software Engineering Group
Stanford Linear Accelerator Center
System Admin

LDAP - Notes 2

https://likegeeks.com/linux-ldap-server/

Modification file (mod-file-ken):

dn: olcDatabase={2}hdb,cn=config
changeType: modify
replace: olcRootDN
olcRootDN: cn=Admin,dc=slac,dc=stanford,dc=edu

dn: olcDatabase={2}hdb,cn=config
changeType: modify
replace: olcSuffix
olcSuffix: dc=slac,dc=stanford,dc=edu

dn: olcDatabase={2}hdb,cn=config
changeType: modify
replace: olcRootPW
olcRootPW: {SSHA}Jsg0q7+CV7bkl4+PCIWyNVPD9bmVCE8G

[root@mccldap1 slapd.d]# ldapmodify -Y EXTERNAL -H ldapi:/// -f mod-file-ken

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={2}hdb,cn=config"

[root@mccldap1 slapd.d]# more cn\=config/olcDatabase\=\{2\}hdb.ldif

# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 debe1f6e
dn: olcDatabase={2}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
structuralObjectClass: olcHdbConfig
entryUUID: 02bfd18c-8b1f-103a-9d7e-cf1331bfac1f
creatorsName: cn=config
createTimestamp: 20200914214303Z
olcSuffix: dc=slac,dc=stanford,dc=edu
olcRootDN: cn=Admin,dc=slac,dc=stanford,dc=edu
entryCSN: 20201001200450.544455Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20201001200450Z

[root@mccldap1 slapd.d]# ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcDatabase=\*

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: olcDatabase=*
# requesting: ALL
#

# {-1}frontend, config
dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend

# {0}config, config
dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external
,cn=auth" manage by * none

# {1}monitor, config
dn: olcDatabase={1}monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {1}monitor
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external
,cn=auth" read by dn.base="cn=Manager,dc=my-domain,dc=com" read by * none

# {2}hdb, config
dn: olcDatabase={2}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
olcSuffix: dc=slac,dc=stanford,dc=edu
olcRootDN: cn=Admin,dc=slac,dc=stanford,dc=edu

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 4


Create Database File:

[root@mccldap1 slapd.d]# more /usr/share/openldap-servers/DB_CONFIG.example
# $OpenLDAP$
# Example DB_CONFIG file for use with slapd(8) BDB/HDB databases.
#
# See the Oracle Berkeley DB documentation
# <http://www.oracle.com/technology/documentation/berkeley-db/db/ref/env/db_config.html>
# for detail description of DB_CONFIG syntax and semantics.
#
# Hints can also be found in the OpenLDAP Software FAQ
# <http://www.openldap.org/faq/index.cgi?file=2>
# in particular:
# <http://www.openldap.org/faq/index.cgi?file=1075>

# Note: most DB_CONFIG settings will take effect only upon rebuilding
# the DB environment.

# one 0.25 GB cache
set_cachesize 0 268435456 1

# Data Directory
#set_data_dir db

# Transaction Log settings
set_lg_regionmax 262144
set_lg_bsize 2097152
#set_lg_dir logs

# Note: special DB_CONFIG flags are no longer needed for "quick"
# slapadd(8) or slapindex(8) access (see their -q option).
[root@mccldap1 slapd.d]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@mccldap1 slapd.d]# chown ldap:ldap /var/lib/ldap/*
[root@mccldap1 slapd.d]# systemctl restart slapd
[root@mccldap1 slapd.d]# slaptest
config file testing succeeded

[root@mccldap1 slapd.d]# netstat -lt | grep ldap
tcp 0 0 0.0.0.0:ldap 0.0.0.0:* LISTEN
tcp6 0 0 [::]:ldap [::]:* LISTEN

Certs:

[root@mccldap1 certs]# openssl req -new -x509 -nodes -out /etc/openldap/certs/cert.pem -keyout /etc/openldap/certs/priv.pem -days 365
Generating a 2048 bit RSA private key
....+++
...+++
writing new private key to '/etc/openldap/certs/priv.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:California
Locality Name (eg, city) [Default City]:Menlo Park
Organization Name (eg, company) [Default Company Ltd]:SLAC national Accelerator Laboratory
Organizational Unit Name (eg, section) []:Computing Division
Common Name (eg, your name or your server's hostname) []:mccldap1
Email Address []:controls-system-admins@slac.stanford.edu

# cd /etc/openldap/certs
# chown ldap:ldap *
# chmod 600 priv.pem
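The chown and chmod steps above are what keep priv.pem readable only by the slapd account. As an added example (not from the original notes), this Python check confirms a key file's mode matches that intent; it creates a constructed temporary file rather than touching /etc/openldap/certs, and it does not check ownership because that needs the ldap account to exist where it runs.

```python
import os
import stat
import tempfile
from typing import List


def key_file_problems(path: str) -> List[str]:
    """Findings for a private key file such as priv.pem; an empty list
    means the mode matches what 'chmod 600' is meant to achieve."""
    st = os.lstat(path)          # lstat: a symlink in the certs dir is a finding
    problems = []
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file (symlink or directory)")
    perm = stat.S_IMODE(st.st_mode)
    if perm & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("readable or writable by group/other: mode %04o" % perm)
    if perm & stat.S_IXUSR:
        problems.append("execute bit set on a key file")
    return problems


def demo() -> dict:
    """Create a constructed temporary key file, check it with a typical
    umask result (0644) and again after tightening to 0600, and return
    both sets of findings."""
    fd, path = tempfile.mkstemp(suffix=".pem")
    os.close(fd)
    try:
        os.chmod(path, 0o644)    # what a fresh openssl output often gets
        before = key_file_problems(path)
        os.chmod(path, 0o600)    # the mode the notes apply to priv.pem
        after = key_file_problems(path)
    finally:
        os.unlink(path)
    return {"before": before, "after": after}


if __name__ == "__main__":
    print(demo())
```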
Created by: Ken Brobeck, 13-Aug-2020
Modified: 01-Oct-2020