One application I am working on needed LDAP authorization support. In order to test it before actually deploying, I decided to create a local LDAP server in a virtual machine.
I decided to use a CentOS minimal install as the starting point. It is an extremely small distribution to start with, and it allows for a virtual machine with only 256 MB of RAM (although it needs 512 MB in order to install, go figure).
Installation of CentOS is uneventful. Just go next, next, next and it is done, although it might be wise to skip the media check since it takes ages. In a matter of minutes the OS will boot up and then the fun starts.
Since we need network access both to use the machine as an LDAP server and to get packages off the Internet, the first step is to bring the network up. Getting it to work is as easy as running ifup eth0. To make this change permanent, edit /etc/sysconfig/network-scripts/ifcfg-eth0 and change the line starting with ONBOOT to ONBOOT="yes". It is that easy (if you disregard the annoyance of the vi editor).
Now we need to install our directory server. First install the package (answer y to everything):
yum install 389-ds-base
And then run the setup (answer yes to the first two questions and just use the defaults for the others):
setup-ds.pl
That should leave us with values totally unsuitable for anything but testing (which is exactly what we want):
Computer name ...............: localhost.localdomain
System User .................: nobody
System Group ................: nobody
Directory server network port: 389
Directory server identifier .: localhost
Suffix ......................: dc=localdomain
Directory Manager DN ........: cn=Directory Manager
A quick search will prove that our directory server is up and running:
ldapsearch -h 127.0.0.1 -x -b "dc=localdomain"
...
# search result
search: 2
result: 0 Success
# numResponses: 10
# numEntries: 9
Well, now we are ready to add our first user. To do this, just create a user.ldif file with the following content:
dn: uid=jdoe,ou=People,dc=localdomain
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: jdoe
cn: John Doe
displayName: John Doe
givenName: John
sn: Doe
userPassword: test
Not all of these attributes are mandatory, but I find this to be the minimum acceptable set for my use. This is not enough if you want to use the LDAP server for logons, but it is enough for basic password checking. We add the user with:
ldapadd -h 127.0.0.1 -x -D "cn=Directory Manager" -W -f user.ldif
adding new entry "uid=jdoe,ou=People,dc=localdomain"
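The user.ldif above carries the password in cleartext; the server hashes it on storage, but the file on disk still holds it. As an added example (not from the post), this Python script builds the same entry with a pre-hashed {SSHA} userPassword and checks the MUST attributes of its object classes before the ldapadd step. It assumes the default dc=localdomain suffix and the ou=People container created by setup-ds.pl, and that the server accepts a pre-hashed value when it is added as Directory Manager (an assumption about 389-ds's default configuration).

```python
"""Build the post's user.ldif entry with a salted-SHA1 userPassword instead of cleartext."""
import base64
import hashlib
import hmac
import os

# MUST attributes per object class (RFC 4519, RFC 2798): person requires sn and cn;
# organizationalPerson and inetOrgPerson add only optional (MAY) attributes.
MUST_ATTRIBUTES = {"person": ("sn", "cn")}

def ssha_hash(password, salt=None):
    """{SSHA} storage form: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(password, stored):
    """Re-derive the digest with the salt carried in the stored value."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes; the rest is salt
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)

def build_user_entry(uid, given_name, sn, password, base_dn="dc=localdomain", salt=None):
    """Same attributes as the post's user.ldif, as (name, value) pairs in LDIF order."""
    full_name = f"{given_name} {sn}"
    return [("dn", f"uid={uid},ou=People,{base_dn}"),
            ("objectClass", "top"), ("objectClass", "person"),
            ("objectClass", "organizationalPerson"), ("objectClass", "inetOrgPerson"),
            ("uid", uid), ("cn", full_name), ("displayName", full_name),
            ("givenName", given_name), ("sn", sn),
            ("userPassword", ssha_hash(password, salt))]

def check_must_attributes(attrs):
    """MUST attributes the entry lacks; the server rejects such an entry (objectClass violation)."""
    present = {name.lower() for name, _ in attrs}
    classes = sorted(value for name, value in attrs if name == "objectClass")
    return [must for oc in classes for must in MUST_ATTRIBUTES.get(oc, ())
            if must.lower() not in present]

def to_ldif(attrs):
    """Render LDIF (RFC 2849): non-ASCII values, or ones starting with space, ':' or '<', go base64 (::)."""
    def line(name, value):
        if value.isascii() and value.isprintable() and value[:1] not in (" ", ":", "<"):
            return f"{name}: {value}"
        return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return "".join(line(n, v) + "\n" for n, v in attrs)
```

Write the output of to_ldif(build_user_entry("jdoe", "John", "Doe", "test")) to user.ldif and feed it to the same ldapadd command as above.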
If something is messed up, just delete the user and add it again:
ldapdelete -h 127.0.0.1 -x -D "cn=Directory Manager" -W "uid=jdoe,ou=people,dc=localdomain"
ldapadd -h 127.0.0.1 -x -D "cn=Directory Manager" -W -f user.ldif
adding new entry "uid=jdoe,ou=People,dc=localdomain"
Yes, there is an ldapmodify operation, but I find it better to start with a clean slate during testing.
Another test verifies that authentication as our user works, and then we are good. The password asked for here is not your root LDAP (Directory Manager) password but the password of the user (test in my example):
ldapsearch -h 127.0.0.1 -x -D "uid=jdoe,ou=People,dc=localdomain" -W -b "ou=people,dc=localdomain" "uid=jdoe"
dn: uid=jdoe,ou=People,dc=localdomain
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: jdoe
cn: John Doe
displayName: John Doe
givenName: John
sn: Doe
search: 2
result: 0 Success
Congratulations, you have just performed your first LDAP authorization.
Since, in its current state, our LDAP server cannot talk to the outside world, we can think of dropping the firewall (not something you should do in a production environment):
iptables -F INPUT
service iptables save
And the last step is to ensure that our directory server gets started as soon as the machine boots up:
chkconfig dirsrv on
With this, the LDAP test server configuration is done.