One application I am working on needed LDAP authorization support. In order to test before actually deploying it I decided to create local LDAP server in virtual machine.
I decided to use CentOS minimal install as starting point. It is extremely small distribution to start with and it allows for virtual machine with only 256 MB of RAM (although it needs 512 MB in order to install, go figure).
Installation of CentOS is uneventful. Just go next, next, next and it is done. Although it might be wise to skip media check since it takes ages. In matter of minutes OS will boot up and then the fun starts.
Since we will need network access for both using machine as LDAP server and for getting packages of the Internet, we need network access. Getting it to work is as easy as writing
ifup eth0. In order to make these changes permanent just edit
/etc/sysconfig/network-scripts/ifcfg-eth0 and change line starting with
ONBOOT="yes". It is as easy (if you disregard annoyance of vi editor).
Now we need to install our directory server. First install package (answer
y to everything):
# yum install 389-ds-base
And then run setup (answer
yes to first two questions and just use default for others):
That should leave us with values totally unsuitable for anything but for testing (which is exactly what we want):
Computer name ...............: //localhost.localdomain// System User .................: //nobody// System Group ................: //nobody// Directory server network port: //389// Directory server identifier .: //localhost// Suffix ......................: //dc=localdomain// Directory Manager DN ........: //cn=Directory Manager//
Quick search will prove that our directory server is up and running
$ ldapsearch -h 127.0.0.1 -x -b "dc=localdomain" ... # search result search: 2 result: 0 Success # numResponses: 10 # numEntries: 9
Well, now we are ready to add our first user. In order to do this just create
user.ldif file with following content:
dn: uid=jdoe,ou=People,dc=localdomain objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson uid: jdoe cn: John Doe displayName: John Doe givenName: John sn: Doe userPassword: test
Not all these attributes are mandatory but I find this to be minimum acceptable set for my use. This is not enough if you want to use LDAP server for logons but it is enough for basic password checking. We add user with:
$ ldapadd -h 127.0.0.1 -x -D "cn=Directory Manager" -W -f user.ldif adding new entry "uid=jdoe,ou=People,dc=localdomain"
If something is messed up, just delete the user and add it again:
$ ldapdelete -h 127.0.0.1 -x -D "cn=Directory Manager" -W "uid=jdoe,ou=people,dc=localdomain" $ ldapadd -h 127.0.0.1 -x -D "cn=Directory Manager" -W -f user.ldif adding new entry "uid=jdoe,ou=People,dc=localdomain"
Yes, there is an
ldapmodify operation but I find it better to start with clean slate during testing.
Another test to verify that our user authentication works and we are good. Password asked here is not your root LDAP password but password of an user (
test in my example):
$ ldapsearch -h 127.0.0.1 -x -D "uid=jdoe,ou=People,dc=localdomain" -W -b "ou=people,dc=localdomain" "uid=jdoe" dn: uid=jdoe,ou=People,dc=localdomain objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson uid: jdoe cn: John Doe displayName: John Doe givenName: John sn: Doe search: 2 result: 0 Success
Congratulations, you have just made your first LDAP authorization.
Since, in current state, our LDAP cannot talk with outside world, we can think of dropping firewall (not something that you should do in production environment):
# iptables -F INPUT # service iptables save
And last step would be to ensure that our directory server gets started as soon as machine is booted up:
# chkconfig dirsrv on
With this LDAP test server configuration is done.