Configuring the OpenLDAP server

The following assumptions must be true before you start the configuration of the OpenLDAP server:

Note: Different UNIX versions might require variations of the listed commands.

The subsequent use of secldap is an example container name; customize this as required.

Perform the following steps to configure your OpenLDAP server:

  1. The following step is optional and only required if you want to start from a known initial state if you already have OpenLDAP installed and in use. If OpenLDAP has not already been installed skip to step 2.
    Important: Checked with your LDAP administrator before you remove slapd configuration from your system, especially if you already have applications relying on OpenLDAP or the schema in use has previously been extended. Micro Focus recommends that you backup any existing files in case you might need to restore them, for example:
    tar czf /etc/openldap/slapd-backup.tgz slapd.conf -C /var/lib ldap

    To stop and clear slapd, execute the following on the command line:

    systemctl stop slapd
    systemctl disable slapd
    rm -rf
    /etc/openldap/slapd.d
    rm -f /var/lib/ldap/*
    yum -y remove openldap-servers
    yum -y remove openldap-clients
  2. To install OpenLDAP, execute the following on the command line:
    yum -y install openldap-servers
    yum -y install openldap-clients
  3. Modify the slapd.d/cn=config/olcDatabase={0}config.ldif file:
    sed -i '/CRC.*/d' /etc/openldap/slapd.d/cn=config/olcDatabase={0}config.ldif
     
    sed -i '/olcAccess:.*/c\olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break' /etc/openldap/slapd.d/cn=config/olcDatabase={0}config.ldif
     
    sed -i '/ al,cn=auth.*/d' /etc/openldap/slapd.d/cn=config/olcDatabase={0}config.ldif
  4. Start the slapd process:
    systemctl start slapd
  5. Create a chrootpwd.ldif file in the current directory with the following contents:
    dn: olcDatabase={0}config,cn=config
    changetype: modify
    add: olcRootPW
    olcRootPW: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx
  6. Modify chrootpwd.ldif and add a Root DN password. In the command below replace [password] with a password of your choice:
    secret=$(slappasswd -s [password]) 
     
    sed -i "/olcRootPW:.*/c\olcRootPW: $secret" chrootpwd.ldif
  7. Extend the LDAP schema using ldapadd commands:
    ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpwd.ldif 
     
    ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/core.ldif 
     
    ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/corba.ldif 
     
    ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif 
     
    ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/duaconf.ldif 
     
    ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/dyngroup.ldif 
     
    ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
     
    ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/java.ldif 
     
    ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/misc.ldif
     
    ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif 
     
    ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/openldap.ldif 
     
    ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/collective.ldif 
     
    ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/ppolicy.ldif
  8. Create a backend.ldif file in the current directory with the following contents:
    dn: cn=module,cn=config
    objectClass: olcModuleList
    cn: module
    olcModulepath: /usr/lib/openldap
    olcModuleload: back_hdb
     
    dn: olcDatabase=hdb,cn=config
    objectClass: olcDatabaseConfig
    objectClass: olcHdbConfig
    olcDatabase: {1}hdb
    olcDbDirectory: /var/lib/ldap
    olcDbIndex: objectClass eq,pres
    olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
    olcSuffix: dc=secldap,dc=com
    olcRootDN: cn=Manager,dc=secldap,dc=com
    olcRootPW: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx
    olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=Manager,dc=secldap,dc=com" write by anonymous auth by self write by * none
    olcAccess: {1}to dn.base="" by * read
    olcAccess: {2}to * by dn="cn=Manager,dc=secldap,dc=com" write by * read
  9. Create a password for the Enterprise Server connection, replace [connection password] with a password of your choice:
    secret=$(slappasswd -s [connection password]) 
     
    sed -i "/olcRootPW:.*/c\olcRootPW: $secret" backend.ldif
     
    ldapadd -Y EXTERNAL -H ldapi:/// -f backend.ldif
  10. Stop the slapd daemon:
    systemctl stop slapd
  11. Create a schema_convert.conf file with following contents:
    include corba.schema      
    include core.schema       
    include cosine.schema     
    include duaconf.schema    
    include dyngroup.schema   
    include inetorgperson.schema
    include java.schema       
    include misc.schema       
    include nis.schema        
    include openldap.schema   
    include ppolicy.schema    
    include collective.schema
    include container.schema
    include mfds.schema
  12. Create Enterprise Server schema extensions using MFDS:
    cp -r /etc/openldap/schema .
     
    mfds -l "dc=secldap,dc=com" 2 schema/mfds.schema
     
    rm -rf schema/cn=config
     
    cd schema
     
    slaptest -f ../schema_convert.conf -F .
     
    cd ..
     
    cp schema/cn=config/cn=schema/cn={12}container.ldif /etc/openldap/slapd.d/cn=config/cn=schema
     
    cp schema/cn=config/cn=schema/cn={13}mfds.ldif /etc/openldap/slapd.d/cn=config/cn=schema
     
    chown -R ldap /etc/openldap/slapd.d
     
    chmod -R 700 /etc/openldap/slapd.d
  13. Restart the slapd standalone LDAP daemon:
    systemctl start slapd
  14. Enable the slapd service:
    systemctl enable slapd
  15. Create a log folder:
    rm -rf schema/log
     
    mkdir schema/log
  16. Create an additional schema extension file top.ldif in the schema directory:
    dn: dc=secldap,dc=com
    objectClass: dcObject
    objectClass: organization
    dc: secldap
    description: secldap domain
    o: MFSECLDAP
  17. Create an additional schema extension file mf-containers.ldif in schema directory:
    dn: cn=Micro Focus,dc=secldap,dc=com
    cn: Micro Focus
    objectClass: container
     
    dn: cn=Enterprise Server Resources,cn=Micro Focus,dc=secldap,dc=com
    cn: Enterprise Server Resources
    objectClass: container
     
    dn: cn=Enterprise Server Users,cn=Micro Focus,dc=secldap,dc=com
    cn: Enterprise Server Users
    objectClass: container
     
    dn: cn=Enterprise Server User Groups,cn=Micro Focus,dc=secldap,dc=com
    cn: Enterprise Server User Groups
    objectClass: container
  18. Install the remaining schema extensions:
    ldapadd -v -D "cn=Manager,dc=secldap,dc=com" -w [connection_password] -f schema/top.ldif -h localhost:389 > schema/log/top.log
     
    ldapadd -v -D "cn=Manager,dc=secldap,dc=com" -w [connection_password] -f schema/mf-containers.ldif -h localhost:389 > schema/log/containers.log
     
    rm -f schema/mfds-users.ldif
     
    mfds -e "cn=Micro Focus,dc=secldap,dc=com" "cn=Enterprise Server Users" "cn=Enterprise Server User Groups" "cn=Enterprise Server Resources" 2 "schema/mfds-users.ldif" 
     
    ldapadd -v -D "cn=Manager,dc=secldap,dc=com" -w [connection_password] -f schema/mfds-users.ldif -h localhost:389 -c > schema/log/mfds-users.log
     
    sed 's/DC=X/CN=Micro Focus,dc=secldap,dc=com/' /opt/microfocus/EnterpriseDeveloper/etc/es_default_ldap_openldap.ldf > schema/es_default_ldap_openldap.ldif
     
    ldapadd -v -D "cn=Manager,dc=secldap,dc=com" -w [connection_password] -f schema/es_default_ldap_openldap.ldif -h localhost:389 -c > schema/log/es_default_ldap_openldap.log
  19. Confirm the schema extensions have been installed using the following command:
    ldapsearch -h localhost:389 -x -b "cn=subschema" -s base + > schema.txt
    Check the contents of the resulting file, schema.txt, to verify that there are attributes and objectClass entries that begin with microfocus-. You can also attempt to connect to the "dc=secldap,dc=com" or your customized variation, Base DN using an LDAP browser or other LDAP access tool via port 389 using the "cn=Manager,dc=secldap,dc=com" simple id and [connection password] password and browse the "cn=Micro Focus" container tree.