====== OpenLDAP TLS OpenSSL ======
[root@ldap ~]# yum install -y openldap-servers openldap-clients
[root@ldap ~]# cd /etc/pki/tls/private/
[root@ldap private]# openssl genrsa -out ldap.key 2048
[root@ldap private]# chmod 0600 ldap.key
[root@ldap private]# openssl req -new -sha256 -key ldap.key -out ldap.csr
[root@ldap private]# openssl x509 -req -days 1825 -sha256 -in ldap.csr -signkey ldap.key -out ldap.crt
[root@ldap private]# openssl pkcs8 -topk8 -inform pem -in ldap.key -outform pem -nocrypt -out ldap.pem
[root@ldap private]# chmod 640 ldap.key ldap.pem
[root@ldap private]# chgrp ldap ldap.key ldap.pem
[root@ldap private]# mv ldap.crt ../certs/
[root@ldap private]# vim /etc/sysconfig/slapd
[...]
SLAPD_URLS="ldapi:/// ldap:/// ldaps:///"
[...]
[root@ldap private]# systemctl enable slapd.service
[root@ldap private]# systemctl start slapd.service
[root@ldap private]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
[root@ldap private]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
[root@ldap private]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
[root@ldap private]# install -m 644 -o ldap -g ldap /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@ldap ~]# mkdir ldifconfigs
[root@ldap ~]# cd ldifconfigs/
[root@ldap ldifconfigs]# slappasswd -h {SSHA}
New password:
Re-enter new password:
{SSHA}8X8MACtOyeictUyFAzBWPqBLao+mSq1t
[root@ldap ldifconfigs]# cat initial_config.ldif
dn: cn=config
changetype: modify
replace: olcLogLevel
# -1 enables every debug category (including packet/BER dumps); use a narrower level such as stats outside of troubleshooting
olcLogLevel: -1
-
replace: olcPasswordHash
olcPasswordHash: {SSHA}
-
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/pki/tls/certs/ca-bundle.crt
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/pki/tls/certs/ldap.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/pki/tls/private/ldap.pem
-
replace: olcTLSCipherSuite
olcTLSCipherSuite: HIGH
-
replace: olcTLSVerifyClient
olcTLSVerifyClient: never

dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=example,dc=com" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=example,dc=com
-
replace: olcRootDN
olcRootDN: cn=Manager,dc=example,dc=com
-
replace: olcRootPW
olcRootPW: {SSHA}8X8MACtOyeictUyFAzBWPqBLao+mSq1t
-
replace: olcLastMod
olcLastMod: TRUE
-
replace: olcDbCheckpoint
olcDbCheckpoint: 512 30
-
replace: olcAccess
# NOTE: the dn="cn=autobind,dc=top" clauses below do not match the cn=autobind,dc=example,dc=com entry created in base.ldif, so they never apply to that account
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=Manager,dc=example,dc=com" write by dn="cn=autobind,dc=top" read by self write by anonymous auth by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=example,dc=com" write by dn="cn=autobind,dc=top" read by self write by users read by anonymous auth by * none
[root@ldap ldifconfigs]# ldapadd -Y EXTERNAL -H ldapi:/// -f initial_config.ldif
[root@ldap ldifconfigs]# cat base.ldif
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectclass: organization
o: example
dc: example

dn: cn=Manager,dc=example,dc=com
objectClass: simpleSecurityObject
objectclass: organizationalRole
description: LDAP Admin Access
userPassword: {SSHA}8X8MACtOyeictUyFAzBWPqBLao+mSq1t

dn: cn=autobind,dc=example,dc=com
objectClass: simpleSecurityObject
objectclass: organizationalRole
description: LDAP Read-only Access
userPassword:
[root@ldap ldifconfigs]# ldapadd -x -D cn=Manager,dc=example,dc=com -W -f base.ldif
[root@ldap ldifconfigs]# ldappasswd -x -D cn=Manager,dc=example,dc=com -W -S cn=autobind,dc=example,dc=com
[root@ldap ldifconfigs]# cat ous.ldif
dn: ou=Usuarios,dc=example,dc=com
objectClass: organizationalUnit
ou: Usuarios

dn: ou=Grupos,dc=example,dc=com
objectClass: organizationalUnit
ou: Grupos
[root@ldap ldifconfigs]# ldapadd -x -D cn=Manager,dc=example,dc=com -W -f ous.ldif
[root@ldap ldifconfigs]# cat user.ldif
dn: uid=gean,ou=Usuarios,dc=example,dc=com
uid: gean
uidNumber: 5001
gidNumber: 100
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
userPassword: {SSHA}8X8MACtOyeictUyFAzBWPqBLao+mSq1t
cn: Gean Martins
gn: Gean
sn: Martins
mail: gean@example.com
shadowLastChange: 16890
shadowMin: 0
shadowMax: 99999
shadowWarning: 14
shadowInactive: 3
loginShell: /bin/bash
homeDirectory: /home/gean
[root@ldap ldifconfigs]# ldapadd -x -D cn=Manager,dc=example,dc=com -W -f user.ldif
[root@ldap ldifconfigs]# cat /etc/openldap/ldap.conf | egrep -v '^#|^$'
BASE dc=example,dc=com
URI ldap://ldap.example.com
TLS_CACERTDIR /etc/openldap/certs
TLS_REQCERT allow
SASL_NOCANON on
[root@ldap ldifconfigs]# systemctl restart slapd
[root@ldap ldifconfigs]# ldapsearch -ZZ -D cn=Manager,dc=example,dc=com -W -b dc=example,dc=com -LLL
Enter LDAP Password:
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: example
dc: example

dn: cn=Manager,dc=example,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
description: LDAP Admin Access
userPassword:: e1NTSEF9OFg4TUFDdE95ZWljdFV5RkF6QldQcUJMYW8rbVNxMXQ=
cn: Manager

dn: cn=autobind,dc=example,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
description: LDAP Read-only Access
cn: autobind
userPassword:: e1NTSEF9VGI0Z0FuQ0R1OVlnOFd4T3BwSVFwME1KRWJPOGxlU3U=
userPassword:: e1NTSEF9c3dkNzJiMkJ6Vlg4OFFDUzhYOSt3Z2x4UHkvbFo2NE8=

dn: ou=Usuarios,dc=example,dc=com
objectClass: organizationalUnit
ou: Usuarios

dn: ou=Grupos,dc=example,dc=com
objectClass: organizationalUnit
ou: Grupos

dn: uid=gean,ou=Usuarios,dc=example,dc=com
uid: gean
uidNumber: 5001
gidNumber: 100
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
userPassword:: e1NTSEF9OFg4TUFDdE95ZWljdFV5RkF6QldQcUJMYW8rbVNxMXQ=
cn: Gean Martins
givenName: Gean
sn: Martins
mail: gean@example.com
shadowLastChange: 16890
shadowMin: 0
shadowMax: 99999
shadowWarning: 14
shadowInactive: 3
loginShell: /bin/bash
homeDirectory: /home/gean