==== OpenLDAP on CentOS ====
==== Installation and initial configuration ====
# yum install openldap-servers openldap-clients nss-pam-ldapd
Enabling the services:
# systemctl enable slapd.service
ln -s '/usr/lib/systemd/system/slapd.service' '/etc/systemd/system/multi-user.target.wants/slapd.service'
Creating a backup copy of slapd.d
# cp -ap /etc/openldap/slapd.d{,.old}
Copying the example backend configuration to the /var/lib/ldap/ directory
# cp -a /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
Adjusting permissions and SELinux contexts
# chown -R ldap:ldap /var/lib/ldap
# chcon -u system_u -t slapd_db_t /var/lib/ldap/DB_CONFIG
==== Configuring syslog ====
# cat /etc/rsyslog.conf
[...]
#### RULES ####
# Send slapd(8c) logs to /var/log/slapd.log
if $programname == 'slapd' then /var/log/slapd.log
& ~
[...]
# cat /etc/logrotate.d/slapd
# /etc/logrotate.d/slapd
/var/log/slapd.log {
rotate 7
compress
}
# chcon -u system_u /etc/logrotate.d/slapd
Restarting rsyslog
# systemctl restart rsyslog
==== Starting and checking the OpenLDAP services ====
# systemctl start slapd.service
# systemctl status slapd.service
slapd.service - OpenLDAP Server Daemon
Loaded: loaded (/usr/lib/systemd/system/slapd.service; enabled)
Active: active (running) since Ter 2015-06-16 08:33:35 BRT; 1h 19min ago
Docs: man:slapd
man:slapd-config
man:slapd-hdb
man:slapd-mdb
file:///usr/share/doc/openldap-servers/guide.html
Process: 1946 ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS (code=exited, status=0/SUCCESS)
Process: 1042 ExecStartPre=/usr/libexec/openldap/check-config.sh (code=exited, status=0/SUCCESS)
Main PID: 1976 (slapd)
CGroup: /system.slice/slapd.service
└─1976 /usr/sbin/slapd -u ldap -h ldapi:/// ldap:///
Jun 16 08:33:34 ldap.laboratorio.com.br runuser[1287]: pam_unix(runuser:session): session opened f...0)
Jun 16 08:33:35 ldap.laboratorio.com.br slapd[1946]: @(#) $OpenLDAP: slapd 2.4.39 (Mar 6 2015 04:... $
mockbuild@worker1.bsys.centos.org:/bu...pd
Jun 16 08:33:35 ldap.laboratorio.com.br slapd[1976]: hdb_db_open: warning - no DB_CONFIG file foun...).
Expect poor performance for suffix "dc=my-dom...".
Jun 16 08:33:35 ldap.laboratorio.com.br slapd[1976]: slapd starting
Jun 16 08:33:35 ldap.laboratorio.com.br systemd[1]: Started OpenLDAP Server Daemon.
Jun 16 09:52:22 ldap.laboratorio.com.br systemd[1]: Started OpenLDAP Server Daemon.
Hint: Some lines were ellipsized, use -l to show in full.
# ps -ef | grep slapd
ldap 1976 1 0 08:33 ? 00:00:00 /usr/sbin/slapd -u ldap -h ldapi:/// ldap:///
root 2719 2194 0 09:55 pts/0 00:00:00 grep --color=auto slapd
# ss -nat | grep 389
LISTEN 0 128 *:389 *:*
LISTEN 0 128 :::389 :::*
# tail -n1 /var/log/slapd.log
Jun 16 09:58:12 ldap slapd[2775]: slapd starting
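With slapd now logging to /var/log/slapd.log, that file is also where password guessing against directory accounts shows up. As an added example (not part of the original page), the script below counts failed simple binds per DN: at slapd's default log level (stats) every bind produces a BIND line followed by a RESULT line for the same conn/op pair, and err=49 is invalidCredentials. The sample log lines, the function names and the threshold are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the original page: count failed BIND attempts
# per DN in the slapd log written by the rsyslog rule above.
# Assumes slapd's default "stats" log level, whose lines have the shape of the
# constructed sample below.

# Read a slapd log on stdin; print "<count> <dn>" for every DN that had at
# least one failed simple bind (RESULT tag=97 err=49), most frequent first.
count_failed_binds() {
    awk '
        # Remember which DN each (conn, op) pair tried to bind as.
        /op=[0-9]+ BIND dn=/ {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^conn=/) conn = $i
                if ($i ~ /^op=/)   op = $i
            }
            dn = $0
            sub(/.*BIND dn="/, "", dn)
            sub(/".*/, "", dn)
            bind[conn " " op] = dn
            next
        }
        # A RESULT with err=49 for that same (conn, op) is a failed bind.
        /RESULT tag=97 err=49/ {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^conn=/) conn = $i
                if ($i ~ /^op=/)   op = $i
            }
            key = conn " " op
            if (key in bind) failed[bind[key]]++
        }
        END {
            for (d in failed) print failed[d], d
        }
    ' | sort -rn
}

# Same input; print only DNs with at least $1 failed binds (alert candidates).
failed_binds_over() {
    count_failed_binds | awk -v min="$1" '$1 >= min'
}

# Constructed sample: two failed binds as tony, one successful bind as gean.
SAMPLE_LOG='Jun 16 10:01:02 ldap slapd[2775]: conn=1000 fd=12 ACCEPT from IP=192.0.2.10:51234 (IP=0.0.0.0:389)
Jun 16 10:01:02 ldap slapd[2775]: conn=1000 op=0 BIND dn="uid=tony,ou=PosixAccount,dc=laboratorio,dc=com,dc=br" method=128
Jun 16 10:01:02 ldap slapd[2775]: conn=1000 op=0 RESULT tag=97 err=49 text=
Jun 16 10:01:03 ldap slapd[2775]: conn=1000 op=1 BIND dn="uid=tony,ou=PosixAccount,dc=laboratorio,dc=com,dc=br" method=128
Jun 16 10:01:03 ldap slapd[2775]: conn=1000 op=1 RESULT tag=97 err=49 text=
Jun 16 10:01:05 ldap slapd[2775]: conn=1001 op=0 BIND dn="uid=gean,ou=PosixAccount,dc=laboratorio,dc=com,dc=br" method=128
Jun 16 10:01:05 ldap slapd[2775]: conn=1001 op=0 BIND dn="uid=gean,ou=PosixAccount,dc=laboratorio,dc=com,dc=br" mech=SIMPLE ssf=0
Jun 16 10:01:05 ldap slapd[2775]: conn=1001 op=0 RESULT tag=97 err=0 text='

# Usage on the real log (not run here):
#   failed_binds_over 5 < /var/log/slapd.log
```

Running it over the sample prints `2 uid=tony,ou=PosixAccount,dc=laboratorio,dc=com,dc=br`; the successful bind by gean is not counted because its RESULT line carries err=0.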
==== Adding schemas ====
The default OpenLDAP installation on CentOS 7 ships with only one schema, "core".
Listing the schemas available in the installation
# rpm -ql openldap-servers | grep '\.ldif$'
/etc/openldap/schema/collective.ldif
/etc/openldap/schema/corba.ldif
/etc/openldap/schema/core.ldif
/etc/openldap/schema/cosine.ldif
/etc/openldap/schema/duaconf.ldif
/etc/openldap/schema/dyngroup.ldif
/etc/openldap/schema/inetorgperson.ldif
/etc/openldap/schema/java.ldif
/etc/openldap/schema/misc.ldif
/etc/openldap/schema/nis.ldif
/etc/openldap/schema/openldap.ldif
/etc/openldap/schema/pmi.ldif
/etc/openldap/schema/ppolicy.ldif
/usr/share/openldap-servers/slapd.ldif
To start, we will add three schemas: cosine, inetorgperson and nis.
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/inetorgperson.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/nis.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"
Listing the imported schemas
# ldapsearch -LLLQY EXTERNAL -H ldapi:// -b cn=config | grep cn=schema,cn=config
dn: cn=schema,cn=config
dn: cn={0}core,cn=schema,cn=config
dn: cn={1}cosine,cn=schema,cn=config
dn: cn={2}inetorgperson,cn=schema,cn=config
dn: cn={3}nis,cn=schema,cn=config
==== Building the structure ====
Let's create a directory for our .ldif files
# cd /etc/openldap/
# mkdir ldif
# chcon -u system_u ldif
To begin our configuration, we generate the password hash for the RootDN
# cd ldif/
# slappasswd -s senha123 -n >> passwd
# head passwd
{SSHA}nPgWixvffSfWJI2s/k3SdVhmlDQSDHK0
Now we create our structure:
# cat conf.ldif
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=config
-
replace: olcRootPW
olcRootPW: {SSHA}nPgWixvffSfWJI2s/k3SdVhmlDQSDHK0

dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=admin,dc=laboratorio,dc=com,dc=br" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=laboratorio,dc=com,dc=br
-
replace: olcRootDN
olcRootDN: cn=admin,dc=laboratorio,dc=com,dc=br
-
replace: olcRootPW
olcRootPW: {SSHA}nPgWixvffSfWJI2s/k3SdVhmlDQSDHK0
Importing...
# ldapmodify -Y EXTERNAL -H ldapi:/// -f conf.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={0}config,cn=config"
modifying entry "olcDatabase={1}monitor,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
Checking the imported configuration
# ldapsearch -LLLQY EXTERNAL -H ldapi:// -b cn=config "olcDatabase={0}config"
dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * none
olcRootDN: cn=config
olcRootPW: {SSHA}nPgWixvffSfWJI2s/k3SdVhmlDQSDHK0
# ldapsearch -LLLQY EXTERNAL -H ldapi:// -b cn=config "olcDatabase={1}monitor"
dn: olcDatabase={1}monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {1}monitor
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=admin,dc=laboratorio,dc=com,dc=br" read by * none
# ldapsearch -LLLQY EXTERNAL -H ldapi:// -b cn=config "olcDatabase={2}hdb"
dn: olcDatabase={2}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
olcSuffix: dc=laboratorio,dc=com,dc=br
olcRootDN: cn=admin,dc=laboratorio,dc=com,dc=br
olcRootPW: {SSHA}nPgWixvffSfWJI2s/k3SdVhmlDQSDHK0
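Two things a practitioner would want around the conf.ldif step above: the RootPW must reach cn=config as a hash (slapd will happily store whatever string you put in olcRootPW, including cleartext), and the secret should not be typed on the command line the way `slappasswd -s senha123` does, since it then sits in the shell history and, briefly, in the process list; running slappasswd without -s makes it prompt instead. As an added example (not code from the original page), the script below generates the same three modify records from parameters, reads the hash from a file, refuses a cleartext value, and checks ldapsearch output for any database whose olcRootPW is not hashed. The function names, the hash file location and the sample output are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the original page: build the cn=config modify
# LDIF from parameters, reading the RootPW hash from a file, and check that
# every olcRootPW in cn=config is a hash.
# Assumption (constructed): the hash file was produced with
#   slappasswd -n > /etc/openldap/ldif/passwd        (prompts for the password)

# Password schemes slapd stores as hashes. {CLEARTEXT} is deliberately absent.
HASH_SCHEMES='SSHA|SHA|CRYPT|MD5|SMD5|SSHA512|PBKDF2-SHA512|ARGON2'

# Return 0 when $1 starts with a hash scheme tag such as {SSHA} or {crypt}.
is_hashed_password() {
    printf '%s\n' "$1" | tr '[:lower:]' '[:upper:]' | grep -Eq "^[{]($HASH_SCHEMES)[}]"
}

# gen_conf_ldif SUFFIX ADMIN_DN HASH_FILE: print the config, monitor and hdb
# modify records with the given suffix, RootDN and RootPW hash.
gen_conf_ldif() {
    suffix=$1
    admin_dn=$2
    hash=$(cat "$3")
    if ! is_hashed_password "$hash"; then
        echo "gen_conf_ldif: $3 does not contain a password hash, refusing" >&2
        return 1
    fi
    cat <<EOF
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=config
-
replace: olcRootPW
olcRootPW: $hash

dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="$admin_dn" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: $suffix
-
replace: olcRootDN
olcRootDN: $admin_dn
-
replace: olcRootPW
olcRootPW: $hash
EOF
}

# Read ldapsearch output for cn=config on stdin; print the DN of each database
# whose olcRootPW is not hashed. Exit status 1 when at least one was printed.
find_cleartext_rootpw() {
    awk -v schemes="$HASH_SCHEMES" '
        /^dn: /        { dn = substr($0, 5) }
        /^olcRootPW: / {
            pw = toupper(substr($0, 12))
            if (pw !~ ("^[{](" schemes ")[}]")) { print dn; bad = 1 }
        }
        END { exit bad }
    '
}

# Constructed sample of cn=config output: the config DB is fine, the hdb DB
# had its RootPW set as cleartext.
SAMPLE_CONFIG='dn: olcDatabase={0}config,cn=config
olcRootPW: {SSHA}nPgWixvffSfWJI2s/k3SdVhmlDQSDHK0

dn: olcDatabase={2}hdb,cn=config
olcRootPW: senha123'

# Usage on the real server (not run here):
#   gen_conf_ldif dc=laboratorio,dc=com,dc=br cn=admin,dc=laboratorio,dc=com,dc=br passwd \
#       | ldapmodify -Y EXTERNAL -H ldapi:///
#   ldapsearch -LLLQY EXTERNAL -H ldapi:/// -b cn=config '(objectClass=olcDatabaseConfig)' olcRootPW \
#       | find_cleartext_rootpw
```

The scheme check is case-insensitive because slapd accepts `{crypt}` and `{CRYPT}` alike, which is why the page's migrated user entries carry `{crypt}` hashes. Note that cn=config shows olcRootPW to anyone who can read that database, which on this setup is only the local root socket user, as the `{0}config` olcAccess above shows.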
==== Building the directory ====
# cat tree.ldif
dn: dc=laboratorio,dc=com,dc=br
dc: laboratorio
objectClass: top
objectClass: domain

dn: ou=PosixAccount,dc=laboratorio,dc=com,dc=br
ou: PosixAccount
objectClass: top
objectClass: organizationalUnit
# ldapadd -h localhost -p 389 -x -D cn=admin,dc=laboratorio,dc=com,dc=br -w senha123 -f tree.ldif
adding new entry "dc=laboratorio,dc=com,dc=br"
adding new entry "ou=PosixAccount,dc=laboratorio,dc=com,dc=br"
# ldapsearch -x -LLL -b dc=laboratorio,dc=com,dc=br
dn: dc=laboratorio,dc=com,dc=br
dc: laboratorio
objectClass: top
objectClass: domain

dn: ou=PosixAccount,dc=laboratorio,dc=com,dc=br
ou: PosixAccount
objectClass: top
objectClass: organizationalUnit
==== Adding users ====
Here we will add only the POSIX users that were created on the [[autofs|AutoFS]] server
# cat grupo.ldif
dn: cn=sysadmin,ou=PosixAccount,dc=laboratorio,dc=com,dc=br
objectClass: posixGroup
objectClass: top
cn: sysadmin
userPassword: {crypt}x
gidNumber: 5000
# ldapadd -h localhost -p 389 -x -D cn=admin,dc=laboratorio,dc=com,dc=br -w senha123 -f grupo.ldif
adding new entry "cn=sysadmin,ou=PosixAccount,dc=laboratorio,dc=com,dc=br"
# cat usuarios.ldif
dn: uid=tony,ou=PosixAccount,dc=laboratorio,dc=com,dc=br
uid: tony
cn: Tony Stark
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$6$GPv82i7x$KH7PZ8VZ.NIklrL2EFI2VfZMV6c6h7EX8Oe0.ZfdUCzwDKRrWe9FFRzfSlu9fsg9O6oZqoZMcvtuXiaQp7XlJ1
shadowLastChange: 16602
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 10001
gidNumber: 5000
homeDirectory: /ldaphome/tony
gecos: Tony Stark

dn: uid=gean,ou=PosixAccount,dc=laboratorio,dc=com,dc=br
uid: gean
cn: Gean Martins
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$6$6loKMlcf$WuOqabSfbLCTOiE/bf/E5EXSfXaCZhjiNVoFURrln3StVCM/vIL0K0MoAxmpRmHXpJYMAzEUAtJ71IQsFJJC70
shadowLastChange: 16601
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 10000
gidNumber: 5000
homeDirectory: /ldaphome/gean
gecos: Gean Martins
# ldapadd -h localhost -p 389 -x -D cn=admin,dc=laboratorio,dc=com,dc=br -w senha123 -f usuarios.ldif
adding new entry "uid=tony,ou=PosixAccount,dc=laboratorio,dc=com,dc=br"
adding new entry "uid=gean,ou=PosixAccount,dc=laboratorio,dc=com,dc=br"
Checking the import
# ldapsearch -x -LLL -b dc=laboratorio,dc=com,dc=br
dn: dc=laboratorio,dc=com,dc=br
dc: laboratorio
objectClass: top
objectClass: domain

dn: ou=PosixAccount,dc=laboratorio,dc=com,dc=br
ou: PosixAccount
objectClass: top
objectClass: organizationalUnit

dn: cn=sysadmin,ou=PosixAccount,dc=laboratorio,dc=com,dc=br
objectClass: posixGroup
objectClass: top
cn: sysadmin
userPassword:: e2NyeXB0fXg=
gidNumber: 5000

dn: uid=tony,ou=PosixAccount,dc=laboratorio,dc=com,dc=br
uid: tony
cn: Tony Stark
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQ2JEdQdjgyaTd4JEtIN1BaOFZaLk5Ja2xyTDJFRkkyVmZaTVY2YzZoN0VYOE9lMC5aZmRVQ3p3REtScldlOUZGUnpmU2x1OWZzZzlPNm9acW9aTWN2dHVYaWFRcDdYbEox
shadowLastChange: 16602
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 10001
gidNumber: 5000
homeDirectory: /ldaphome/tony
gecos: Tony Stark

dn: uid=gean,ou=PosixAccount,dc=laboratorio,dc=com,dc=br
uid: gean
cn: Gean Martins
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQ2JDZsb0tNbGNmJFd1T3FhYlNmYkxDVE9pRS9iZi9FNUVYU2ZYYUNaaGppTlZvRlVScmxuM1N0VkNNL3ZJTDBLME1vQXhtcFJtSFhwSllNQXpFVUF0SjcxSVFzRkpKQzcw
shadowLastChange: 16601
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 10000
gidNumber: 5000
homeDirectory: /ldaphome/gean
gecos: Gean Martins
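Note what the check above actually shows: the search was run with `-x` and no bind DN, that is, anonymously, and it returned the `userPassword` hashes of every account. That is because the `{2}hdb` database listing earlier has no olcAccess attribute at all, and slapd's default policy when no access rules are configured is `to * by * read`. Anyone who can reach port 389 can therefore download the crypt hashes and attack them offline. As an added example (not code from the original page), the script below prints an LDIF that restricts `userPassword` (self may change it, anonymous may only use it to authenticate, nobody else sees it) and a check that scans ldapsearch output for entries still returning the attribute. The admin DN and suffix are the page's; the function names and the sample output are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the original page: ACL for the {2}hdb database
# that hides userPassword from anonymous and ordinary users, plus a check
# that no entry in a search result still returns it.

# Print the modify record. "add" is correct here because the hdb database on
# this page has no olcAccess yet; on a database that already has one, use
# "replace: olcAccess" and restate the full ordered list.
harden_userpassword_ldif() {
    cat <<'EOF'
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to * by * read
EOF
}

# Read "ldapsearch -LLL" output on stdin; print the DN of every entry that
# returned a userPassword value (plain "userPassword:" or base64
# "userPassword::"). Exit status 1 if any were found, so it can gate an alert.
find_exposed_userpassword() {
    awk '
        /^dn: /            { dn = substr($0, 5) }
        /^userPassword::?/ { print dn; found = 1 }
        END { exit found }
    '
}

# Constructed sample with the shape of the anonymous search output above
# (hash values shortened).
SAMPLE_ANON_SEARCH='dn: ou=PosixAccount,dc=laboratorio,dc=com,dc=br
ou: PosixAccount
objectClass: organizationalUnit

dn: uid=tony,ou=PosixAccount,dc=laboratorio,dc=com,dc=br
uid: tony
userPassword:: e2NyeXB0fSQ2JEdQdjgyaTd4

dn: uid=gean,ou=PosixAccount,dc=laboratorio,dc=com,dc=br
uid: gean
userPassword:: e2NyeXB0fSQ2JDZsb0tNbGNm'

# Usage on the real server (not run here): apply the ACL, then repeat the
# anonymous search and expect the check to print nothing and exit 0.
#   harden_userpassword_ldif | ldapmodify -Y EXTERNAL -H ldapi:///
#   ldapsearch -x -LLL -b dc=laboratorio,dc=com,dc=br '(objectClass=*)' userPassword \
#       | find_exposed_userpassword && echo "ok: no password hashes visible anonymously"
```

The `by anonymous auth` clause is what keeps simple binds working after the change: the client never reads the attribute, slapd only compares against it. The RootDN (cn=admin) bypasses ACLs entirely, so the admin account used on this page can still manage passwords without a dedicated clause.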
==== Firewall ====
Opening the firewall
# firewall-cmd --permanent --add-service=ldap
success
# firewall-cmd --reload
success