Alhamdulillah, after months of tinkering, OpenLDAP is finally installed on CentOS. It is a relief to have learned some Linux and got LDAP running, even though this is only an installation, which is not that hard compared to programming.
As a reminder for myself and for friends who are also learning LDAP and Linux, I am documenting the whole procedure in this blog post.
Note: I run CentOS in a virtual machine with its NIC in NAT mode, so the guest reaches the Internet through the modem on my host. That way it can fetch package updates (or just browse) whenever needed.
Let's start with the preparation:
- Bring up the modem Internet connection (running on Windows 7) and start the CentOS VM.
- The packages to install are openldap, openldap-servers and openldap-clients.
- For web access to LDAP I use phpldapadmin. It is not in the base repositories, so an extra repository (EPEL) has to be added first.
Step 1: Install the main OpenLDAP packages.
We start at the CentOS command line, logged in as root.
[root@localhost ~]# yum install -y openldap openldap-servers openldap-clients
Loaded plugins: fastestmirror, refresh-packagekit, security
Loading mirror speeds from cached hostfile
* base: mirror.dionipe.net
* extras: mirror.dionipe.net
* updates: mirror.dionipe.net
base | 3.7 kB 00:00
extras | 3.4 kB 00:00
updates | 3.4 kB 00:00
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package openldap.i686 0:2.4.23-32.el6_4.1 will be updated
---> Package openldap.i686 0:2.4.39-8.el6 will be an update
---> Package openldap-clients.i686 0:2.4.39-8.el6 will be installed
---> Package openldap-servers.i686 0:2.4.39-8.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved
=======================================================================================================================================================================
Package Arch Version Repository Size
=======================================================================================================================================================================
Installing:
openldap-clients i686 2.4.39-8.el6 base 157 k
openldap-servers i686 2.4.39-8.el6 base 2.0 M
Updating:
openldap i686 2.4.39-8.el6 base 282 k

Transaction Summary
=======================================================================================================================================================================
Install 2 Package(s)
Upgrade 1 Package(s)

Total download size: 2.4 M
Downloading Packages:
(1/3): openldap-2.4.39-8.el6.i686.rpm | 282 kB 00:00
(2/3): openldap-clients-2.4.39-8.el6.i686.rpm | 157 kB 00:00
(3/3): openldap-servers-2.4.39-8.el6.i686.rpm | 2.0 MB 00:06
------------------------------------------------------------------------------------------------------------------------
Total 203 kB/s | 2.4 MB 00:12
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Updating : openldap-2.4.39-8.el6.i686 1/4
Installing : openldap-servers-2.4.39-8.el6.i686 2/4
Installing : openldap-clients-2.4.39-8.el6.i686 3/4
Cleanup : openldap-2.4.23-32.el6_4.1.i686 4/4
Verifying : openldap-servers-2.4.39-8.el6.i686 1/4
Verifying : openldap-2.4.39-8.el6.i686 2/4
Verifying : openldap-clients-2.4.39-8.el6.i686 3/4
Verifying : openldap-2.4.23-32.el6_4.1.i686 4/4

Installed:
openldap-clients.i686 0:2.4.39-8.el6 openldap-servers.i686 0:2.4.39-8.el6

Updated:
openldap.i686 0:2.4.39-8.el6

Complete!
[root@localhost ~]#
Step 2: Install phpLDAPadmin, after first adding the EPEL repository.
Note on the output below: the epel-release RPM is fetched over plain HTTP and installed before the EPEL signing key is on the system, which is why rpm prints NOKEY; the package's signature was not verified. The key that yum imports later from /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6 is shipped inside epel-release itself, so that import does not retroactively vouch for it. On anything other than a lab VM, obtain the EPEL key from a trusted source, import it first, and only then install epel-release. (The URL is the x86_64 tree, but epel-release is a noarch package, so it installs fine on this i686 system.)
[root@localhost openldap]# rpm -ivh http://mirrors.ukfast.co.uk/sites/dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
Retrieving http://mirrors.ukfast.co.uk/sites/dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
warning: /var/tmp/rpm-tmp.goHNW1: Header V3 RSA/SHA256 Signature, key ID 0608b895: NOKEY
Preparing... ########################################### [100%]
1:epel-release ########################################### [100%]
[root@localhost openldap]# yum install -y phpldapadmin
Loaded plugins: fastestmirror, refresh-packagekit, security
Loading mirror speeds from cached hostfile
epel/metalink | 2.3 kB 00:00
* base: mirror.dionipe.net
* epel: ftp.cuhk.edu.hk
* extras: mirror.dionipe.net
* updates: mirror.dionipe.net
epel | 4.4 kB 00:00
epel/primary_db | 5.5 MB 00:15
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package phpldapadmin.noarch 0:1.2.3-1.el6 will be installed
--> Processing Dependency: php >= 5.0.6 for package: phpldapadmin-1.2.3-1.el6.noarch
--> Processing Dependency: php-ldap for package: phpldapadmin-1.2.3-1.el6.noarch
--> Running transaction check
---> Package php.i686 0:5.3.3-46.el6_6 will be installed
--> Processing Dependency: php-common(x86-32) = 5.3.3-46.el6_6 for package: php-5.3.3-46.el6_6.i686
--> Processing Dependency: php-cli(x86-32) = 5.3.3-46.el6_6 for package: php-5.3.3-46.el6_6.i686
---> Package php-ldap.i686 0:5.3.3-46.el6_6 will be installed
--> Running transaction check
---> Package php-cli.i686 0:5.3.3-46.el6_6 will be installed
---> Package php-common.i686 0:5.3.3-46.el6_6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved
=======================================================================================================================================================================
Package Arch Version Repository Size
=======================================================================================================================================================================
Installing:
phpldapadmin noarch 1.2.3-1.el6 epel 806 k
Installing for dependencies:
php i686 5.3.3-46.el6_6 updates 1.1 M
php-cli i686 5.3.3-46.el6_6 updates 2.2 M
php-common i686 5.3.3-46.el6_6 updates 530 k
php-ldap i686 5.3.3-46.el6_6 updates 42 k

Transaction Summary
=======================================================================================================================================================================
Install 5 Package(s)

Total download size: 4.7 M
Installed size: 15 M
Downloading Packages:
(1/5): php-5.3.3-46.el6_6.i686.rpm | 1.1 MB 00:03
(2/5): php-cli-5.3.3-46.el6_6.i686.rpm | 2.2 MB 00:04
(3/5): php-common-5.3.3-46.el6_6.i686.rpm | 530 kB 00:00
(4/5): php-ldap-5.3.3-46.el6_6.i686.rpm | 42 kB 00:00
(5/5): phpldapadmin-1.2.3-1.el6.noarch.rpm | 806 kB 00:03
------------------------------------------------------------------------------------------------------------------------
Total 175 kB/s | 4.7 MB 00:27
warning: rpmts_HdrFromFdno: Header V3 RSA/SHA256 Signature, key ID 0608b895: NOKEY
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
Importing GPG key 0x0608B895:
Userid : EPEL (6) <epel@fedoraproject.org>
Package: epel-release-6-8.noarch (installed)
From : /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Warning: RPMDB altered outside of yum.
Installing : php-common-5.3.3-46.el6_6.i686 1/5
Installing : php-cli-5.3.3-46.el6_6.i686 2/5
Installing : php-5.3.3-46.el6_6.i686 3/5
Installing : php-ldap-5.3.3-46.el6_6.i686 4/5
Installing : phpldapadmin-1.2.3-1.el6.noarch 5/5
Verifying : php-5.3.3-46.el6_6.i686 1/5
Verifying : php-cli-5.3.3-46.el6_6.i686 2/5
Verifying : php-common-5.3.3-46.el6_6.i686 3/5
Verifying : php-ldap-5.3.3-46.el6_6.i686 4/5
Verifying : phpldapadmin-1.2.3-1.el6.noarch 5/5

Installed:
phpldapadmin.noarch 0:1.2.3-1.el6

Dependency Installed:
php.i686 0:5.3.3-46.el6_6 php-cli.i686 0:5.3.3-46.el6_6 php-common.i686 0:5.3.3-46.el6_6 php-ldap.i686 0:5.3.3-46.el6_6

Complete!
Step 3: Create the directory that will hold the slapd log. slapd logs through syslog on the local4 facility by default, so rsyslog is told to write that facility to its own file, owned by the ldap user.
[root@localhost ~]# mkdir /var/log/slapd
[root@localhost ~]#
[root@localhost ~]# chmod 755 /var/log/slapd/
[root@localhost ~]# chown ldap:ldap /var/log/slapd/
[root@localhost ~]# sed -i "/local4.*/d" /etc/rsyslog.conf
[root@localhost ~]# cat >> /etc/rsyslog.conf << EOF
> local4.* /var/log/slapd/slapd.log
> EOF
[root@localhost ~]#
Step 4: Restart rsyslog so it picks up the new rule
[root@localhost ~]# service rsyslog restart
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
[root@localhost ~]#
Step 5: Create the certificate. The Makefile target below generates a 2048-bit RSA key and a self-signed certificate valid for 365 days, and writes both into a single file, slapd.pem. Answer the Common Name prompt with the hostname clients will use to reach the server (ldapserver here); a client that verifies the certificate checks it against that name.
[root@localhost ~]# cd /etc/pki/tls/certs
[root@localhost certs]#
[root@localhost certs]#
[root@localhost certs]# dir
ca-bundle.crt ca-bundle.trust.crt make-dummy-cert Makefile renew-dummy-cert
[root@localhost certs]# make slapd.pem
umask 77 ; \
PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
/usr/bin/openssl req -utf8 -newkey rsa:2048 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2 -set_serial 0 ; \
cat $PEM1 > slapd.pem ; \
echo "" >> slapd.pem ; \
cat $PEM2 >> slapd.pem ; \
rm -f $PEM1 $PEM2
Generating a 2048 bit RSA private key
......................+++
............................+++
writing new private key to '/tmp/openssl.8vk2yj'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:ID
State or Province Name (full name) []:Jakarta
Locality Name (eg, city) [Default City]:Jakarta
Organization Name (eg, company) [Default Company Ltd]:komar
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:ldapserver
Email Address []:komar@komar.com
[root@localhost certs]#
Step 6: Fix the ownership and permissions of the certificate file. slapd.pem contains the private key, so it must not be world-readable: mode 640 with group ldap lets slapd (which runs as the ldap user) read it and nobody else. The symlink makes the same file visible under /etc/openldap/certs.
[root@localhost certs]# chmod 640 slapd.pem
[root@localhost certs]# chown :ldap slapd.pem
[root@localhost certs]# ln -s /etc/pki/tls/certs/slapd.pem /etc/openldap/certs/slapd.pem
[root@localhost certs]#
Step 7: Generate the LDAP root password hash. slappasswd asks for the password twice and prints a salted SHA-1 hash ({SSHA}); only this hash goes into slapd.conf, so the cleartext password never sits on disk.
[root@localhost certs]# slappasswd
New password:
Re-enter new password:
{SSHA}BV2crbB1NOzBaRUzvztgjhgjNJk+Au6D
[root@localhost certs]#
Step 8: Copy the template configuration files. The first copy (slapd.conf.1) is a spare copy to fall back on; the second becomes the live slapd.conf, and DB_CONFIG tunes the BDB backend under /var/lib/ldap.
[root@localhost certs]# cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf.1
[root@localhost certs]# dir /etc/openldap/
certs ldap.conf schema slapd.conf.1 slapd.d
[root@localhost certs]# cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf
[root@localhost certs]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@localhost certs]#
Step 9: Edit slapd.conf
[root@localhost certs]# vim /etc/openldap/slapd.conf
Edit the following directives:
TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
TLSCertificateFile /etc/pki/tls/certs/slapd.pem
TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem
rootpw {SSHA}BV2crbB1NOzBaRUzvztgjhgjNJk+Au6D
Note: replace the rootpw value with the hash you generated in Step 7 and save the file. Two further points the template does not make obvious. First, the suffix and rootdn lines in slapd.conf.obsolete refer to dc=my-domain,dc=com and must be changed to your own base DN (dc=komar,dc=com in this walkthrough), otherwise slapadd in Step 12 rejects the LDIF because the database is not configured to hold it. Second, TLSCACertificateFile points at the system CA bundle, which does not contain the self-signed slapd.pem; slapd still serves TLS with it, but clients that verify the server certificate have to be told to trust slapd.pem (TLS_CACERT in the client ldap.conf). Since the file now holds the rootpw hash, keep it readable by root and the ldap group only.
Step 10: Edit the ldap file in /etc/sysconfig and make sure the parameter below is set, so the init script starts an ldap:// listener.
[root@localhost certs]# cd /etc/sysconfig/
[root@localhost sysconfig]# vim ldap
SLAPD_LDAP=yes
Step 11: Edit /etc/openldap/ldap.conf (the client-side defaults)
[root@localhost sysconfig]# vim /etc/openldap/ldap.conf
BASE dc=komar,dc=com
URI ldap://localhost
Step 12: Create the LDIF file with the base entries
[root@localhost sysconfig]# vi /root/root.ldif
dn: dc=komar,dc=com
dc: komar
objectClass: dcObject
objectClass: organizationalUnit
ou: komar.com

dn: ou=people,dc=komar,dc=com
ou: people
objectClass: organizationalUnit

dn: ou=groups,dc=komar,dc=com
ou: groups
objectClass: organizationalUnit
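As an added check (an example script written for this page, not part of the original post or of OpenLDAP), the POSIX shell function below audits a slapd.conf of the slapd.conf.obsolete style edited in Step 9 against the LDIF from Step 12. It flags a cleartext rootpw, missing TLS certificate directives, a rootdn that is not under the suffix, and a suffix that does not match the LDIF base DN, which is exactly the mismatch that makes slapadd refuse the file. The function name audit_slapd_conf and the two sample configurations are my own: the "as shipped" one mimics the template defaults with a cleartext password added, the "edited" one reflects this walkthrough.

```shell
#!/bin/sh
# Added example for this page: audit a slapd.conf before running slaptest/slapadd.
# The sample configs and LDIF below are constructed here, not copied from a live host.

# audit_slapd_conf CONF [LDIF]
# Prints one WARN line per problem found and a final "findings: N" line.
audit_slapd_conf() {
  conf="$1"
  ldif="$2"
  n=0

  # Value of a directive (first occurrence), with surrounding quotes removed.
  val() {
    sed -n "s/^[[:space:]]*$1[[:space:]]\{1,\}//p" "$conf" | head -n 1 | tr -d '"'
  }

  # rootpw must be a hash from slappasswd, never the cleartext password.
  rootpw=$(val rootpw)
  case "$rootpw" in
    '') ;;
    '{SSHA}'*|'{SHA}'*|'{SMD5}'*|'{MD5}'*|'{CRYPT}'*) ;;
    *) echo "WARN rootpw is stored in cleartext; use the {SSHA} output of slappasswd"
       n=$((n + 1)) ;;
  esac

  # Without both TLS directives neither STARTTLS nor ldaps:// can work.
  for d in TLSCertificateFile TLSCertificateKeyFile; do
    [ -n "$(val "$d")" ] || {
      echo "WARN $d is not set; STARTTLS and ldaps:// will be unavailable"
      n=$((n + 1))
    }
  done

  # rootdn must live under the suffix it administers.
  suffix=$(val suffix)
  rootdn=$(val rootdn)
  case "$rootdn" in
    *"$suffix") ;;
    *) echo "WARN rootdn '$rootdn' is not under suffix '$suffix'"
       n=$((n + 1)) ;;
  esac

  # slapadd refuses an LDIF whose top entry lies outside the database suffix.
  if [ -n "$ldif" ]; then
    base=$(sed -n 's/^dn:[[:space:]]*//p' "$ldif" | head -n 1)
    [ "$base" = "$suffix" ] || {
      echo "WARN LDIF base '$base' does not match suffix '$suffix'"
      n=$((n + 1))
    }
  fi

  echo "findings: $n"
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SHIPPED_CONF="$WORK/slapd.conf.shipped"
EDITED_CONF="$WORK/slapd.conf.edited"
BASE_LDIF="$WORK/root.ldif"

# Constructed: the template defaults, with a cleartext rootpw added and no TLS lines.
cat > "$SHIPPED_CONF" <<'EOF'
database bdb
suffix "dc=my-domain,dc=com"
rootdn "cn=Manager,dc=my-domain,dc=com"
rootpw secret
directory /var/lib/ldap
EOF

# Constructed: the same file after the edits described in Step 9.
cat > "$EDITED_CONF" <<'EOF'
TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
TLSCertificateFile /etc/pki/tls/certs/slapd.pem
TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem
database bdb
suffix "dc=komar,dc=com"
rootdn "cn=Manager,dc=komar,dc=com"
rootpw {SSHA}BV2crbB1NOzBaRUzvztgjhgjNJk+Au6D
directory /var/lib/ldap
EOF

# The base entry from /root/root.ldif in Step 12.
cat > "$BASE_LDIF" <<'EOF'
dn: dc=komar,dc=com
dc: komar
objectClass: dcObject
objectClass: organizationalUnit
ou: komar.com
EOF

echo "== template as shipped =="
audit_slapd_conf "$SHIPPED_CONF" "$BASE_LDIF"
echo "== after the Step 9 edits =="
audit_slapd_conf "$EDITED_CONF" "$BASE_LDIF"
```

Run it as a plain script; the shipped template produces four warnings and the edited one none. Pointing the function at the real /etc/openldap/slapd.conf and /root/root.ldif before Step 14 catches the suffix mismatch at the moment it is cheapest to fix.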
Step 12, continued: Remove everything under the slapd.d directory, then load the LDIF with slapadd (-n 2 is the bdb database; 0 is config and 1 is monitor in this template).
[root@localhost sysconfig]# cd /etc/openldap/slapd.d/
[root@localhost slapd.d]# ls
cn=config cn=config.ldif
[root@localhost slapd.d]# rm -rf /etc/openldap/slapd.d/*
[root@localhost slapd.d]# ls
[root@localhost slapd.d]# slapadd -v -n 2 -l /root/root.ldif
added: "dc=komar,dc=com" (00000001)
added: "ou=people,dc=komar,dc=com" (00000002)
added: "ou=groups,dc=komar,dc=com" (00000003)
_#################### 100.00% eta none elapsed none fast!
Closing DB…
[root@localhost slapd.d]#
[root@localhost slapd.d]#
Step 13: Change the ownership of the following files and directories (slapadd ran as root, so the database files are root-owned until this is done):
[root@localhost slapd.d]# chown -R ldap:ldap /var/lib/ldap
[root@localhost slapd.d]# chown -R ldap:ldap /etc/openldap/slapd.d
[root@localhost slapd.d]#
Step 14: Test the configuration. slaptest with -F converts slapd.conf into the cn=config tree under slapd.d; because it runs as root, the result has to be chowned to ldap again afterwards.
[root@localhost slapd.d]# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
config file testing succeeded
[root@localhost slapd.d]# ls -ltr /etc/openldap/slapd.d
total 8
-rw------- 1 root root 1283 Jul 29 20:19 cn=config.ldif
drwxr-x--- 3 root root 4096 Jul 29 20:19 cn=config
[root@localhost slapd.d]# chown -R ldap:ldap /etc/openldap/slapd.d
[root@localhost slapd.d]#
[root@localhost slapd.d]#
[root@localhost slapd.d]# ls -ltr /etc/openldap/slapd.d
total 8
-rw------- 1 ldap ldap 1283 Jul 29 20:19 cn=config.ldif
drwxr-x--- 3 ldap ldap 4096 Jul 29 20:19 cn=config
Step 15: Enable and start the slapd service
[root@localhost slapd.d]# chkconfig --level 235 slapd on
[root@localhost slapd.d]# service slapd start
Starting slapd: [ OK ]
[root@localhost slapd.d]#
[root@localhost slapd.d]#
[root@localhost slapd.d]# service slapd status
slapd (pid 3675) is running…
[root@localhost slapd.d]#
Step 16: Test an LDAP search
[root@localhost slapd.d]# ldapsearch -x -ZZ -h localhost
-ZZ makes the client issue STARTTLS and abort unless the server certificate verifies. The certificate from Step 5 is self-signed with CN=ldapserver, and the client ldap.conf from Step 11 names no TLS_CACERT, so a search against localhost has nothing to verify the certificate with; to get a verified session, add TLS_CACERT /etc/pki/tls/certs/slapd.pem to /etc/openldap/ldap.conf and connect using the name in the certificate (for example -H ldap://ldapserver, with that name resolvable). Plain -x without -ZZ confirms the directory itself is answering.
Step 17: Configure the firewall so the local network (LAN) can reach LDAP on ports 389/636. Both rules are limited to 192.168.254.0/24; note that port 389 still accepts unencrypted simple binds from that subnet, so the source restriction limits who can reach the service, not what is visible on the wire.
[root@localhost slapd.d]# vim /etc/sysconfig/iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT -s 192.168.254.0/24
-A INPUT -m state --state NEW -m tcp -p tcp --dport 636 -j ACCEPT -s 192.168.254.0/24
-A INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
Step 18: Restart the firewall (iptables) and slapd
[root@localhost slapd.d]# service iptables restart
iptables: Setting chains to policy ACCEPT: filter [ OK ]
iptables: Flushing firewall rules: [ OK ]
iptables: Unloading modules: [ OK ]
iptables: Applying firewall rules: [ OK ]
iptables: Loading additional modules: ip_conntrack_ftp [ OK ]
[root@localhost slapd.d]#
[root@localhost slapd.d]# service slapd restart
Stopping slapd: [ OK ]
Starting slapd: [ OK ]
[root@localhost slapd.d]#
Test:
[root@localhost slapd.d]# ldapsearch -x -H ldaps://localhost
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
[root@localhost slapd.d]#
The ldaps:// search fails because slapd is not listening on port 636 yet: the sysconfig file from Step 10 only enabled the ldap:// listener. Change to /etc/sysconfig for the next step.
[root@localhost sysconfig]# pwd
/etc/sysconfig
[root@localhost sysconfig]#
Step 19: Edit /etc/sysconfig/ldap so slapd also listens on ldaps:// (port 636), then restart slapd.
#vim /etc/sysconfig/ldap
SLAPD_LDAPS=yes
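Steps 5 and 6 produce a self-signed certificate with CN=ldapserver, while Steps 16 and 18 test TLS against localhost. The script below is an added example for this page (not from the original post or from OpenLDAP): it reproduces the make slapd.pem recipe non-interactively into a scratch directory and then runs the three checks worth doing before blaming slapd for a STARTTLS or ldaps:// failure: that the private key in slapd.pem belongs to the certificate, that the file is not world-readable, and that the certificate's CN matches the hostname the client will use. It assumes openssl is installed; the function names are mine, and the subject fields and hostnames are the ones used in this walkthrough.

```shell
#!/bin/sh
# Added example for this page: sanity-check a slapd.pem built by "make slapd.pem".
# Requires openssl; everything is written to a scratch directory that is removed on exit.

# make_slapd_pem OUTFILE CN
# Same recipe as the Makefile target in /etc/pki/tls/certs, but with -subj so it does not prompt.
make_slapd_pem() {
  out="$1"
  cn="$2"
  key=$(mktemp)
  crt=$(mktemp)
  openssl req -utf8 -newkey rsa:2048 -keyout "$key" -nodes -x509 -days 365 \
    -out "$crt" -set_serial 0 \
    -subj "/C=ID/ST=Jakarta/L=Jakarta/O=komar/OU=IT/CN=$cn/emailAddress=komar@komar.com" \
    2>/dev/null
  umask 077                      # the file holds the private key: create it unreadable to others
  cat "$key" > "$out"
  echo "" >> "$out"
  cat "$crt" >> "$out"
  rm -f "$key" "$crt"
}

# cert_cn PEMFILE: print the CN of the certificate in the file (the key may share the file).
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
    sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# key_matches_cert PEMFILE: succeed when the private key's modulus equals the certificate's.
key_matches_cert() {
  k=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null)
  c=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# not_world_readable FILE: succeed when "others" have no permission bits (640, 600, ...).
not_world_readable() {
  case "$(ls -ld "$1")" in
    ???????---*) return 0 ;;
    *) return 1 ;;
  esac
}

# cert_matches_host PEMFILE HOST: succeed when the CN equals the name clients connect to.
# OpenLDAP checks subjectAltName first; this certificate carries none, so the CN decides.
cert_matches_host() {
  [ "$(cert_cn "$1")" = "$2" ]
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SLAPD_PEM="$WORK/slapd.pem"
make_slapd_pem "$SLAPD_PEM" ldapserver

report() { if "$@"; then echo "ok   $*"; else echo "FAIL $*"; fi; }
report key_matches_cert "$SLAPD_PEM"
report not_world_readable "$SLAPD_PEM"
report cert_matches_host "$SLAPD_PEM" ldapserver   # the name in the certificate
report cert_matches_host "$SLAPD_PEM" localhost    # what Steps 16 and 18 connect to
```

The last line reports FAIL on purpose: a client that verifies certificates will not accept CN=ldapserver when it was told to connect to localhost, which is the first thing to rule out when ldapsearch -ZZ or ldaps:// refuses to connect. Point the functions at /etc/pki/tls/certs/slapd.pem to check the real file.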
PHPLDAPADMIN
[root@localhost sysconfig]# cd /etc/httpd/conf.d/
[root@localhost conf.d]# vim phpldapadmin.conf
#
# Web-based tool for managing LDAP servers
#

Alias /phpldapadmin /usr/share/phpldapadmin/htdocs
Alias /ldapadmin /usr/share/phpldapadmin/htdocs

<Directory /usr/share/phpldapadmin/htdocs>
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
Allow from ::1
Allow from 192.168.0.0
</Directory>
Restart the httpd service and open http://localhost/phpldapadmin to reach phpLDAPadmin. Two caveats on the access list: in Apache 2.2 a complete address such as "Allow from 192.168.0.0" matches only that single host, so to admit the LAN give a network with its mask (the same 192.168.254.0/24 as the firewall rule) or a partial address such as 192.168; and because the bind DN and password travel through the browser, serve the page over HTTPS or keep it reachable from trusted hosts only.