I assume that you have some basic knowledge of oVirt, LDAP and Kerberos.
Installing OpenLDAP
First of all, we need to install OpenLDAP as the LDAP provider. Kerberos will be installed later as the authN provider:
$ yum -y install openldap-{clients,servers}
$ systemctl start slapd
$ systemctl enable slapd
Configuring schemas, overlay, DN and password
First we need to add the cosine and inetorgperson schemas:
$ ldapadd -H ldapi:/// -Y EXTERNAL -f /etc/openldap/schema/cosine.ldif
$ ldapadd -H ldapi:/// -Y EXTERNAL -f /etc/openldap/schema/inetorgperson.ldif
Next, load the memberof overlay, which maintains a memberOf attribute on user entries from groupOfNames membership (the two entries must be separated by a blank line):
$ cat /tmp/memberof.ldif
dn: cn={0}module,cn=config
objectClass: olcModuleList
cn: {0}module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: {0}memberof.la

dn: olcOverlay={0}memberof,olcDatabase={2}hdb,cn=config
objectClass: olcConfig
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: top
olcOverlay: {0}memberof
$ ldapadd -H ldapi:/// -Y EXTERNAL -f /tmp/memberof.ldif
Generate a hashed password for the Manager (root) DN; the {SSHA} hash, not the cleartext, is what goes into olcRootPW:
$ slappasswd
New password:
Re-enter new password:
{SSHA}sWl2t6bk77IXh3BZeCtqii6rLz6aUUyA
Set the database suffix, root DN and root password:
$ cat /tmp/config.ldif
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=openldap,dc=yourdomain,dc=com
-
replace: olcRootDN
olcRootDN: cn=Manager,dc=openldap,dc=yourdomain,dc=com
-
replace: olcRootPW
olcRootPW: {SSHA}sWl2t6bk77IXh3BZeCtqii6rLz6aUUyA
-
$ ldapmodify -H ldapi:/// -Y EXTERNAL -f /tmp/config.ldif
Create OU for users and groups
Create the organization and the organizational units for users and groups.
$ cat /tmp/structure.ldif
dn: dc=openldap,dc=yourdomain,dc=com
objectClass: dcObject
objectClass: organization
dc: openldap
o: OpenLDAP Example

dn: ou=Users,dc=openldap,dc=yourdomain,dc=com
objectClass: organizationalUnit
ou: Users

dn: ou=Groups,dc=openldap,dc=yourdomain,dc=com
objectClass: organizationalUnit
ou: Groups
$ ldapadd -x -H ldapi:/// -D 'cn=Manager,dc=openldap,dc=yourdomain,dc=com' -W -f /tmp/structure.ldif
Add a user, then a group that lists its members by DN (the memberof overlay fills memberOf on the user entries from these member values):
$ cat /tmp/users.ldif
dn: uid=user0,ou=Users,dc=openldap,dc=yourdomain,dc=com
objectclass: inetOrgPerson
objectclass: uidObject
uid: user0
cn: User2
givenName: User
title: User
mail: user0@openldap.yourdomain.com
sn: user0
$ ldapadd -H ldapi:/// -D 'cn=Manager,dc=openldap,dc=yourdomain,dc=com' -x -W -f /tmp/users.ldif
$ cat /tmp/group.ldif
dn: cn=Group0,ou=Groups,dc=openldap,dc=yourdomain,dc=com
objectclass: groupOfNames
cn: Group0
member: uid=user0,ou=Users,dc=openldap,dc=yourdomain,dc=com
member: uid=user1,ou=Users,dc=openldap,dc=yourdomain,dc=com
$ ldapadd -H ldapi:/// -D 'cn=Manager,dc=openldap,dc=yourdomain,dc=com' -x -W -f /tmp/group.ldif
Try it
$ ldapsearch -LLL -H ldapi:/// -b 'dc=openldap,dc=yourdomain,dc=com' -x '(uid=user0)'
dn: uid=user0,ou=Users,dc=openldap,dc=yourdomain,dc=com
objectclass: inetOrgPerson
objectclass: uidObject
uid: user0
cn: User2
title: User
sn: user0
givenName: User
mail: user0@openldap.yourdomain.com
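Two things are worth checking in LDIF like the files above before running ldapadd: group members that point at entries the files never create (the users.ldif shown adds only user0, while group.ldif also lists user1) and an olcRootPW or userPassword written in the clear instead of as a slappasswd hash. The checker below is an added example, not code from the post; its SAMPLE is constructed from the post's entries, with a constructed cleartext password standing in for the {SSHA} value.

```python
import base64
import re

# Common {SCHEME} hash prefixes slapd stores; any other olcRootPW/userPassword value is cleartext.
HASHED = re.compile(r"^\{(S?SHA\d*|S?MD5|CRYPT|PBKDF2[-\w]*|ARGON2)\}", re.I)

def parse_ldif(text):
    """Minimal LDIF reader (no folded lines or 'attr:< url'): blank-line separated entries."""
    entries, cur = [], {}
    for line in text.splitlines() + [""]:             # trailing "" flushes the last entry
        if not line.strip() and cur:                  # blank line closes an entry
            entries.append(cur)
            cur = {}
        elif line.strip() and line[0] not in "#-":    # skip comments and modify-op separators
            attr, _, value = line.partition(":")
            if value.startswith(":"):                 # 'attr:: base64', as slapcat/ldapsearch emit
                value = base64.b64decode(value[1:].strip()).decode()
            cur.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def norm_dn(dn):
    """Cheap DN normalisation (case-fold, drop spaces after commas); not full RFC 4514 matching."""
    return re.sub(r",\s*", ",", dn).lower()

def dangling_members(entries):
    """(group dn, member dn) pairs whose member is not an entry in the same LDIF set."""
    known = {norm_dn(e["dn"][0]) for e in entries if "dn" in e}
    return [(e["dn"][0], m) for e in entries if "dn" in e
            and "groupofnames" in map(str.lower, e.get("objectclass", []))
            for m in e.get("member", []) if norm_dn(m) not in known]

def cleartext_passwords(entries):
    """DNs carrying an olcRootPW/userPassword value that is not a {SCHEME} hash."""
    return [e.get("dn", ["?"])[0] for e in entries for a in ("olcrootpw", "userpassword")
            for v in e.get(a, []) if not HASHED.match(v)]

# Constructed sample after the post's files: user1 is never created; cleartext olcRootPW stands in for {SSHA}.
SAMPLE = """\
dn: uid=user0,ou=Users,dc=openldap,dc=yourdomain,dc=com
objectclass: inetOrgPerson

dn: cn=Group0,ou=Groups,dc=openldap,dc=yourdomain,dc=com
objectclass: groupOfNames
member: uid=user0,ou=Users,dc=openldap,dc=yourdomain,dc=com
member: uid=user1,ou=Users,dc=openldap,dc=yourdomain,dc=com

dn: olcDatabase={2}hdb,cn=config
olcRootPW: secret
"""
```

Feed parse_ldif the text of your own .ldif files or slapcat output and act on the two lists; on SAMPLE it reports Group0's user1 member and the cn=config entry. Separately, because the overlay's memberOf attribute is operational, the ldapsearch above returns it only when it is requested by name (add memberOf, or +, to the attribute list).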