Installing OpenLDAP on CentOS

Alhamdulillah, after months of tinkering, OpenLDAP has finally been installed successfully on CentOS. It feels good to have learned Linux and installed LDAP, even though it is only an installation and not that hard compared to programming.

So, as a reminder for myself and as learning material for friends who are studying LDAP and Linux, I am documenting it in the form of a blog post.

Note: I run CentOS in a virtual machine with its NIC set to NAT, and I let it reach the Internet through the modem I own, so that whenever it needs to update packages or I simply want to browse, my CentOS can do so.

All right, let's start with the preparation:

  1. Set up the modem Internet connection (running on Windows 7) and boot our CentOS.
  2. Prepare the packages we are going to install, namely openldap, openldap-servers and openldap-clients.
  3. If LDAP will be accessed via the web, I use phpldapadmin; that package has to be installed from another repository, so the repository configuration needs to be modified.

Step 1: Install the main OpenLDAP packages.

OK, we start from the CentOS CLI. Log in to CentOS as root.

[root@localhost ~]# yum install -y openldap openldap-servers openldap-clients
Loaded plugins: fastestmirror, refresh-packagekit, security
Loading mirror speeds from cached hostfile
* base: mirror.dionipe.net
* extras: mirror.dionipe.net
* updates: mirror.dionipe.net
base                                                                                                                                            | 3.7 kB     00:00
extras                                                                                                                                          | 3.4 kB     00:00
updates                                                                                                                                         | 3.4 kB     00:00
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package openldap.i686 0:2.4.23-32.el6_4.1 will be updated
---> Package openldap.i686 0:2.4.39-8.el6 will be an update
---> Package openldap-clients.i686 0:2.4.39-8.el6 will be installed
---> Package openldap-servers.i686 0:2.4.39-8.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

=======================================================================================================================================================================
Package                                        Arch                               Version                                    Repository                          Size
=======================================================================================================================================================================
Installing:
openldap-clients                               i686                               2.4.39-8.el6                               base                               157 k
openldap-servers                               i686                               2.4.39-8.el6                               base                               2.0 M
Updating:
openldap                                       i686                               2.4.39-8.el6                               base                               282 k

Transaction Summary
=======================================================================================================================================================================
Install       2 Package(s)
Upgrade       1 Package(s)

Total download size: 2.4 M
Downloading Packages:
(1/3): openldap-2.4.39-8.el6.i686.rpm                                                                                                           | 282 kB     00:00
(2/3): openldap-clients-2.4.39-8.el6.i686.rpm                                                                                                   | 157 kB     00:00
(3/3): openldap-servers-2.4.39-8.el6.i686.rpm                                                                                                   | 2.0 MB     00:06
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                                  203 kB/s | 2.4 MB     00:12
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Updating   : openldap-2.4.39-8.el6.i686                                                                                                                          1/4
Installing : openldap-servers-2.4.39-8.el6.i686                                                                                                                  2/4
Installing : openldap-clients-2.4.39-8.el6.i686                                                                                                                  3/4
Cleanup    : openldap-2.4.23-32.el6_4.1.i686                                                                                                                     4/4
Verifying  : openldap-servers-2.4.39-8.el6.i686                                                                                                                  1/4
Verifying  : openldap-2.4.39-8.el6.i686                                                                                                                          2/4
Verifying  : openldap-clients-2.4.39-8.el6.i686                                                                                                                  3/4
Verifying  : openldap-2.4.23-32.el6_4.1.i686                                                                                                                     4/4

Installed:
openldap-clients.i686 0:2.4.39-8.el6                                               openldap-servers.i686 0:2.4.39-8.el6

Updated:
openldap.i686 0:2.4.39-8.el6

Complete!
[root@localhost ~]#

Step 2: Install phpLDAPadmin, after first adding the EPEL repository.

Note: rpm prints "NOKEY" below because the epel-release package is fetched over plain http and installed before its signing key is present on the system, so its signature is not verified at this point; the key is only imported from the package itself during the yum step that follows. To avoid trusting an unverified download, fetch epel-release over https and confirm that the key ID shown (0608b895) is the EPEL 6 key published by the Fedora project before installing. The URL points at the x86_64 tree, but epel-release is a noarch package, so it installs fine on this i686 system.

[root@localhost openldap]# rpm -ivh http://mirrors.ukfast.co.uk/sites/dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
Retrieving http://mirrors.ukfast.co.uk/sites/dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
warning: /var/tmp/rpm-tmp.goHNW1: Header V3 RSA/SHA256 Signature, key ID 0608b895: NOKEY
Preparing…                ########################################### [100%]
1:epel-release           ########################################### [100%]
[root@localhost openldap]# yum install -y phpldapadmin
Loaded plugins: fastestmirror, refresh-packagekit, security
Loading mirror speeds from cached hostfile
epel/metalink                                                                                                                                   | 2.3 kB     00:00
* base: mirror.dionipe.net
* epel: ftp.cuhk.edu.hk
* extras: mirror.dionipe.net
* updates: mirror.dionipe.net
epel                                                                                                                                            | 4.4 kB     00:00
epel/primary_db                                                                                                                                 | 5.5 MB     00:15
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package phpldapadmin.noarch 0:1.2.3-1.el6 will be installed
--> Processing Dependency: php >= 5.0.6 for package: phpldapadmin-1.2.3-1.el6.noarch
--> Processing Dependency: php-ldap for package: phpldapadmin-1.2.3-1.el6.noarch
--> Running transaction check
---> Package php.i686 0:5.3.3-46.el6_6 will be installed
--> Processing Dependency: php-common(x86-32) = 5.3.3-46.el6_6 for package: php-5.3.3-46.el6_6.i686
--> Processing Dependency: php-cli(x86-32) = 5.3.3-46.el6_6 for package: php-5.3.3-46.el6_6.i686
---> Package php-ldap.i686 0:5.3.3-46.el6_6 will be installed
--> Running transaction check
---> Package php-cli.i686 0:5.3.3-46.el6_6 will be installed
---> Package php-common.i686 0:5.3.3-46.el6_6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

=======================================================================================================================================================================
Package                                   Arch                                Version                                      Repository                            Size
=======================================================================================================================================================================
Installing:
phpldapadmin                              noarch                              1.2.3-1.el6                                  epel                                 806 k
Installing for dependencies:
php                                       i686                                5.3.3-46.el6_6                               updates                              1.1 M
php-cli                                   i686                                5.3.3-46.el6_6                               updates                              2.2 M
php-common                                i686                                5.3.3-46.el6_6                               updates                              530 k
php-ldap                                  i686                                5.3.3-46.el6_6                               updates                               42 k

Transaction Summary
=======================================================================================================================================================================
Install       5 Package(s)

Total download size: 4.7 M
Installed size: 15 M
Downloading Packages:
(1/5): php-5.3.3-46.el6_6.i686.rpm                                                                                                              | 1.1 MB     00:03
(2/5): php-cli-5.3.3-46.el6_6.i686.rpm                                                                                                          | 2.2 MB     00:04
(3/5): php-common-5.3.3-46.el6_6.i686.rpm                                                                                                       | 530 kB     00:00
(4/5): php-ldap-5.3.3-46.el6_6.i686.rpm                                                                                                         |  42 kB     00:00
(5/5): phpldapadmin-1.2.3-1.el6.noarch.rpm                                                                                                      | 806 kB     00:03
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                                  175 kB/s | 4.7 MB     00:27
warning: rpmts_HdrFromFdno: Header V3 RSA/SHA256 Signature, key ID 0608b895: NOKEY
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
Importing GPG key 0x0608B895:
Userid : EPEL (6) <epel@fedoraproject.org>
Package: epel-release-6-8.noarch (installed)
From   : /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Warning: RPMDB altered outside of yum.
Installing : php-common-5.3.3-46.el6_6.i686                                                                                                                      1/5
Installing : php-cli-5.3.3-46.el6_6.i686                                                                                                                         2/5
Installing : php-5.3.3-46.el6_6.i686                                                                                                                             3/5
Installing : php-ldap-5.3.3-46.el6_6.i686                                                                                                                        4/5
Installing : phpldapadmin-1.2.3-1.el6.noarch                                                                                                                     5/5
Verifying  : php-5.3.3-46.el6_6.i686                                                                                                                             1/5
Verifying  : php-cli-5.3.3-46.el6_6.i686                                                                                                                         2/5
Verifying  : php-common-5.3.3-46.el6_6.i686                                                                                                                      3/5
Verifying  : php-ldap-5.3.3-46.el6_6.i686                                                                                                                        4/5
Verifying  : phpldapadmin-1.2.3-1.el6.noarch                                                                                                                     5/5

Installed:
phpldapadmin.noarch 0:1.2.3-1.el6

Dependency Installed:
php.i686 0:5.3.3-46.el6_6            php-cli.i686 0:5.3.3-46.el6_6            php-common.i686 0:5.3.3-46.el6_6            php-ldap.i686 0:5.3.3-46.el6_6

Complete!

[root@localhost openldap]#

Step 3: Create the directory that will hold the LDAP log (slapd logs to the local4 syslog facility by default).

[root@localhost ~]# mkdir /var/log/slapd
[root@localhost ~]#
[root@localhost ~]# chmod 755 /var/log/slapd/
[root@localhost ~]# chown ldap:ldap /var/log/slapd/
[root@localhost ~]# sed -i "/local4.*/d" /etc/rsyslog.conf
[root@localhost ~]# cat >> /etc/rsyslog.conf << EOF
> local4.*  /var/log/slapd/slapd.log
> EOF

[root@localhost ~]#

Step 4: Restart the rsyslog service so it picks up the new rule

[root@localhost ~]# service rsyslog restart
Shutting down system logger: [  OK  ]
Starting system logger: [  OK  ]
[root@localhost ~]#

Step 5: Create the certificate

[root@localhost ~]# cd /etc/pki/tls/certs
[root@localhost certs]#
[root@localhost certs]#
[root@localhost certs]# dir
ca-bundle.crt  ca-bundle.trust.crt  make-dummy-cert  Makefile  renew-dummy-cert
[root@localhost certs]# make slapd.pem
umask 77 ; \
PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
/usr/bin/openssl req -utf8 -newkey rsa:2048 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2 -set_serial 0 ; \
cat $PEM1 >  slapd.pem ; \
echo ""    >> slapd.pem ; \
cat $PEM2 >> slapd.pem ; \
rm -f $PEM1 $PEM2
Generating a 2048 bit RSA private key
......................+++
............................+++
writing new private key to '/tmp/openssl.8vk2yj'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:ID
State or Province Name (full name) []:Jakarta
Locality Name (eg, city) [Default City]:Jakarta
Organization Name (eg, company) [Default Company Ltd]:komar
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:ldapserver
Email Address []:komar@komar.com
[root@localhost certs]#

Step 6: Change the ownership and permissions of the certificate file.

Note: slapd.pem contains both the private key and the certificate (the Makefile target above concatenates them), so it must not be world-readable. Mode 640 with group ldap lets slapd, which runs as the ldap user, read the key while root keeps ownership. Keep in mind that the certificate is self-signed, issued with serial 0 for 365 days and CN=ldapserver: clients will only accept it if they are configured to trust this exact certificate and connect using a host name that matches the CN.

[root@localhost certs]# chmod 640 slapd.pem
[root@localhost certs]# chown :ldap slapd.pem
[root@localhost certs]# ln -s /etc/pki/tls/certs/slapd.pem  /etc/openldap/certs/slapd.pem
[root@localhost certs]#

Step 7: Create the LDAP administrator password

slappasswd prints a salted SHA-1 ({SSHA}) hash of the password you type; it is this hash, never the plaintext, that goes into rootpw. The hash below is only an example; generate your own.

[root@localhost certs]# slappasswd
New password:
Re-enter new password:
{SSHA}BV2crbB1NOzBaRUzvztgjhgjNJk+Au6D
[root@localhost certs]#

Step 8: Back up / copy the LDAP configuration files

slapd.conf.obsolete is the sample flat-file configuration shipped with the package; its name is a reminder that OpenLDAP 2.4 normally reads the cn=config directory (/etc/openldap/slapd.d) instead. It is edited here as slapd.conf and converted into slapd.d with slaptest in Step 14. DB_CONFIG.example carries the Berkeley DB tuning for the database directory /var/lib/ldap.

[root@localhost certs]# cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf.1
[root@localhost certs]# dir /etc/openldap/
certs  ldap.conf  schema  slapd.conf.1  slapd.d
[root@localhost certs]# cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf
[root@localhost certs]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@localhost certs]#

Step 9: Modify slapd.conf

[root@localhost certs]# vim /etc/openldap/slapd.conf
Edit the following parts:

TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
TLSCertificateFile /etc/pki/tls/certs/slapd.pem
TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem

rootpw                  {SSHA}BV2crbB1NOzBaRUzvztgjhgjNJk+Au6D

Note: replace the rootpw value with the hash you generated in Step 7 and save the changes. Also make sure the suffix and rootdn lines in this file refer to the base DN used below (dc=komar,dc=com), since slapadd only accepts entries that lie under the configured suffix. Because the file now holds the administrator password hash, keep it readable only by root and the ldap group (mode 640, owner root:ldap).
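Two properties of the file edited above matter for security: rootpw must be the slappasswd hash rather than the plaintext password, and the file must not be readable by every local user. The script below is an added example, not taken from the original post, that checks both on the slapd.conf path passed as its argument; the function names and messages are my own, and the permission check simply requires the 'other' bits reported by ls -l to be clear.

```shell
#!/bin/sh
# Added example, not part of the original post: audit a slapd.conf for a
# cleartext rootpw and for permissions that let other users read the file.

# rootpw_is_hashed FILE -> 0 if every rootpw value carries a {SCHEME} prefix
# produced by slappasswd, 1 if a cleartext (or {CLEARTEXT}) value is found.
# A file with no rootpw line at all passes: nothing is exposed.
rootpw_is_hashed() {
    [ -r "$1" ] || return 1
    # Field 2 is the value; strip optional surrounding double quotes.
    awk '$1 == "rootpw" { print $2 }' "$1" | sed 's/^"//; s/"$//' |
    while IFS= read -r value; do
        case "$value" in
            '{SSHA}'*|'{SHA}'*|'{SMD5}'*|'{MD5}'*|'{CRYPT}'*) ;;
            *) exit 1 ;;   # runs in the pipeline subshell: fails the pipeline
        esac
    done
}

# mode_is_restricted FILE -> 0 if the 'other' permission bits are all clear
# (for example 0640 root:ldap), 1 otherwise. Columns 8-10 of ls -l are 'other'.
mode_is_restricted() {
    [ -e "$1" ] || return 1
    other=$(ls -ld "$1" | cut -c8-10)
    [ "$other" = "---" ]
}

# audit_slapd_conf FILE -> prints one FAIL line per finding, returns 1 if any
audit_slapd_conf() {
    rc=0
    if ! rootpw_is_hashed "$1"; then
        echo "FAIL: $1: rootpw is not a slappasswd hash; generate one with slappasswd"
        rc=1
    fi
    if ! mode_is_restricted "$1"; then
        echo "FAIL: $1: readable by other users; chmod 640 and chown root:ldap"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $1"
    return "$rc"
}

# Usage: sh audit_slapd_conf.sh /etc/openldap/slapd.conf
if [ $# -eq 1 ]; then
    audit_slapd_conf "$1"
fi
```

Run it after every edit of slapd.conf; a non-zero exit status means at least one finding, so it can also sit in a post-configuration check.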

Step 10: Edit the ldap file in /etc/sysconfig and make sure the parameter below is set.

[root@localhost certs]# cd /etc/sysconfig/

[root@localhost sysconfig]# vim ldap

SLAPD_LDAP=yes

Step 11: Edit /etc/openldap/ldap.conf

[root@localhost sysconfig]# vim /etc/openldap/ldap.conf

BASE    dc=komar,dc=com
URI     ldap://localhost

Step 12: Create the LDIF file

[root@localhost sysconfig]# vi /root/root.ldif

dn: dc=komar,dc=com
dc: komar
objectClass: dcObject
objectClass: organizationalUnit
ou: komar.com

dn: ou=people,dc=komar,dc=com
ou: people
objectClass: organizationalUnit

dn: ou=groups,dc=komar,dc=com
ou: groups
objectClass: organizationalUnit
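The LDIF above is written by hand for komar.com. As an added example that is not part of the original post, the script below generalises it: it turns any DNS domain into its dc= DN, refuses labels that would need DN escaping, and emits the suffix entry plus one organizationalUnit per extra argument, using the same object classes as root.ldif. The function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original post: generate the base LDIF
# (suffix entry plus organizational units) for any DNS domain, generalising
# the hand-written root.ldif for komar.com above.

# valid_domain DOMAIN -> 0 if DOMAIN is two or more labels of [A-Za-z0-9-]
# joined by dots. Other characters would need LDAP DN escaping, so reject them.
valid_domain() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$'
}

# domain_to_dn DOMAIN -> one dc= component per label: komar.com -> dc=komar,dc=com
domain_to_dn() {
    printf '%s\n' "$1" | awk -F. '{
        for (i = 1; i <= NF; i++) printf "%sdc=%s", (i > 1 ? "," : ""), $i
        printf "\n"
    }'
}

# base_ldif DOMAIN [OU ...] -> LDIF for the suffix entry, then one
# organizationalUnit per extra argument. Uses the same object classes as the
# post's root.ldif (dcObject + organizationalUnit); dcObject + organization
# with an "o:" attribute is the other common choice for the suffix entry.
base_ldif() {
    valid_domain "$1" || { echo "base_ldif: invalid domain '$1'" >&2; return 1; }
    domain=$1
    shift
    dn=$(domain_to_dn "$domain")
    label=${domain%%.*}          # the first label becomes the dc attribute value
    printf 'dn: %s\ndc: %s\nobjectClass: dcObject\nobjectClass: organizationalUnit\nou: %s\n' \
        "$dn" "$label" "$domain"
    for ou in "$@"; do
        printf '\ndn: ou=%s,%s\nou: %s\nobjectClass: organizationalUnit\n' "$ou" "$dn" "$ou"
    done
}

# Usage: sh base_ldif.sh komar.com people groups > /root/root.ldif
if [ $# -ge 1 ]; then
    base_ldif "$@"
fi
```

The output for komar.com with people and groups is the same three entries as root.ldif above, ready for slapadd; a domain such as corp.example.co.id yields dc=corp,dc=example,dc=co,dc=id.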

Step 12b: Delete everything under the slapd.d directory, then load the LDIF

With slapd.d emptied, slapadd falls back to reading /etc/openldap/slapd.conf. The -n 2 option selects the third database defined there (in the shipped file the config and monitor databases come first), i.e. the bdb database that holds dc=komar,dc=com.

[root@localhost sysconfig]# cd /etc/openldap/slapd.d/
[root@localhost slapd.d]# ls
cn=config  cn=config.ldif
[root@localhost slapd.d]# rm -rf /etc/openldap/slapd.d/*
[root@localhost slapd.d]# ls
[root@localhost slapd.d]# slapadd -v -n 2 -l /root/root.ldif
added: “dc=komar,dc=com” (00000001)
added: “ou=people,dc=komar,dc=com” (00000002)
added: “ou=groups,dc=komar,dc=com” (00000003)
_#################### 100.00% eta   none elapsed            none fast!
Closing DB…
[root@localhost slapd.d]#
[root@localhost slapd.d]#

Step 13: Change the ownership of the following files/directories:

[root@localhost slapd.d]# chown -R ldap:ldap /var/lib/ldap
[root@localhost slapd.d]# chown -R ldap:ldap /etc/openldap/slapd.d
[root@localhost slapd.d]#

Step 14: Test the configuration and convert it to cn=config

slaptest checks slapd.conf and, with -F, writes the equivalent cn=config tree into slapd.d. The files it creates are owned by root, which is why the chown is repeated afterwards so that slapd, running as the ldap user, can read them.

[root@localhost slapd.d]# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
config file testing succeeded
[root@localhost slapd.d]# ls -ltr /etc/openldap/slapd.d
total 8
-rw------- 1 root root 1283 Jul 29 20:19 cn=config.ldif
drwxr-x--- 3 root root 4096 Jul 29 20:19 cn=config
[root@localhost slapd.d]# chown -R ldap:ldap /etc/openldap/slapd.d
[root@localhost slapd.d]#
[root@localhost slapd.d]#
[root@localhost slapd.d]# ls -ltr /etc/openldap/slapd.d
total 8
-rw------- 1 ldap ldap 1283 Jul 29 20:19 cn=config.ldif
drwxr-x--- 3 ldap ldap 4096 Jul 29 20:19 cn=config

Step 15: Enable and start the slapd service
[root@localhost slapd.d]# chkconfig --level 235 slapd on
[root@localhost slapd.d]# service slapd start
Starting slapd: [  OK  ]
[root@localhost slapd.d]#
[root@localhost slapd.d]#
[root@localhost slapd.d]# service slapd status
slapd (pid  3675) is running…
[root@localhost slapd.d]#

Step 16: Test an LDAP search

[root@localhost slapd.d]# ldapsearch -x -ZZ -h localhost

Note: with -ZZ, ldapsearch insists on a successful StartTLS and aborts instead of falling back to cleartext, so this also exercises the certificate from Step 5. Because that certificate is self-signed, the client must be told to trust it (TLS_CACERT or TLS_CACERTDIR in /etc/openldap/ldap.conf), and the name used to connect must match the certificate's CN (ldapserver), which localhost does not; otherwise the search fails with a connect error rather than returning entries.

Step 17: Set up the firewall so the local network (LAN) can reach LDAP on ports 389/636

Only the 192.168.254.0/24 network is allowed to reach 389 and 636. Port 389 carries plain LDAP, and a simple bind over it sends the password in the clear unless the client negotiates StartTLS first, so restricting the source network is the minimum; it does not replace TLS.

[root@localhost slapd.d]# vim /etc/sysconfig/iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT -s 192.168.254.0/24
-A INPUT -m state --state NEW -m tcp -p tcp --dport 636 -j ACCEPT -s 192.168.254.0/24
-A INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
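The two LDAP rules above are source-restricted, but a later edit that drops the -s match would silently expose the directory to every host that can reach the box. The script below is an added example, not from the original post, that audits an iptables-save style file such as /etc/sysconfig/iptables and reports any INPUT ACCEPT rule for 389 or 636 that lacks a -s/--source match. It embeds a constructed sample ruleset, built from the rules above plus one deliberately unrestricted 389 rule, so it can be exercised without a real system. The function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original post: check an iptables-save style
# ruleset (such as /etc/sysconfig/iptables) for INPUT ACCEPT rules that open
# the LDAP ports to every source address. A rule counts as restricted only when
# it carries a -s/--source match, wherever that match sits on the line.
# Limitations: port ranges (--dport 389:636) and multiport lists are not parsed.

# accept_rules_for_port FILE PORT -> the "-A INPUT ... -j ACCEPT" lines for PORT
accept_rules_for_port() {
    grep -E -e "^-A INPUT .*(--dport|--destination-port) $2( |\$)" "$1" |
        grep -E -e '-j ACCEPT( |$)' || true
}

# count_unrestricted FILE PORT -> number of those rules with no source match
count_unrestricted() {
    accept_rules_for_port "$1" "$2" | grep -Evc -e '(^| )(-s|--source|--src) ' || true
}

# audit_ldap_ports FILE -> prints each offending rule, returns 1 if any found
audit_ldap_ports() {
    rc=0
    for port in 389 636; do
        if [ "$(count_unrestricted "$1" "$port")" -gt 0 ]; then
            echo "FAIL: port $port is accepted from any source:"
            accept_rules_for_port "$1" "$port" | grep -Ev -e '(^| )(-s|--source|--src) '
            rc=1
        fi
    done
    [ "$rc" -eq 0 ] && echo "OK: ports 389 and 636 are source-restricted"
    return "$rc"
}

# Constructed sample for demonstration: the post's LDAP rules plus one extra
# rule (the last --dport 389 line) that deliberately has no source restriction.
sample_rules() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT -s 192.168.254.0/24
-A INPUT -m state --state NEW -m tcp -p tcp --dport 636 -j ACCEPT -s 192.168.254.0/24
-A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Usage: sh audit_ldap_ports.sh /etc/sysconfig/iptables
if [ $# -eq 1 ]; then
    audit_ldap_ports "$1"
fi
```

Against the sample ruleset the audit reports the third 389 rule and exits 1; against the rules shown above it reports OK.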

Step 18: Restart the firewall (iptables) and LDAP

[root@localhost slapd.d]# service iptables restart
iptables: Setting chains to policy ACCEPT: filter [  OK  ]
iptables: Flushing firewall rules: [  OK  ]
iptables: Unloading modules: [  OK  ]
iptables: Applying firewall rules: [  OK  ]
iptables: Loading additional modules: ip_conntrack_ftp [  OK  ]
[root@localhost slapd.d]#
[root@localhost slapd.d]# service slapd restart
Stopping slapd: [  OK  ]
Starting slapd: [  OK  ]
[root@localhost slapd.d]#

Test.

[root@localhost slapd.d]# ldapsearch -x -H ldaps://localhost
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
[root@localhost slapd.d]#

This fails because slapd is not yet listening on the LDAPS port (636); only SLAPD_LDAP=yes was set in Step 10. The next step enables it.


Step 19: Edit the ldap file (vim /etc/sysconfig/ldap) so that slapd also listens for LDAPS on port 636, then restart slapd.

#vim /etc/sysconfig/ldap

SLAPD_LDAPS=yes

PHPLDAPADMIN

[root@localhost sysconfig]# cd /etc/httpd/conf.d/
[root@localhost conf.d]# vim phpldapadmin.conf
#
#  Web-based tool for managing LDAP servers
#

Alias /phpldapadmin /usr/share/phpldapadmin/htdocs
Alias /ldapadmin /usr/share/phpldapadmin/htdocs

<Directory /usr/share/phpldapadmin/htdocs>
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
Allow from ::1
Allow from 192.168.0.0
</Directory>
Restart the httpd service.

Test access to LDAP via http://localhost/phpldapadmin

Note: in this Apache 2.2 syntax, "Allow from 192.168.0.0" is a complete four-octet address and therefore matches only that single address, not the LAN; to admit a network, give it a mask, for example 192.168.254.0/24 to match the iptables rules above. Also, the LDAP administrator password is typed into phpLDAPadmin, so if the page is reached from anything other than localhost it should be served over HTTPS (mod_ssl) rather than plain http.

 
