1.Configure yum for redhat6.4 and centos6.6

/etc/yum.repos.d/local.repo
[rhel]

name=Red Hat Enterprise Linux

baseurl=file:///mnt/iso

enabled=1

gpgcheck=0

gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release

/etc/yum.repos.d/CentOS-Media.repo

[c6-media]
name=CentOS-$releasever - Media
baseurl=file:///media/CentOS/
        file:///mnt/iso/
        file:///media/cdrecorder/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6

2.Configure Network Information
    2.1 Edit /etc/sysconfig/network

HOSTNAME=ldapssl

NETWORKING=yes

GATEWAY=10.10.10.1

    2.2 Edit /etc/sysconfig/network-scripts/ifcfg-eth0
                

DEVICE=eth0

HWADDR=00:50:56:9D:0E:53

TYPE=Ethernet

UUID=ef40abaf-fc02-4628-9a27-bb06907a368e

ONBOOT=yes

IPADDR=10.10.10.10

NETMASK=255.255.255.0

GATEWAY=10.10.10.1

NM_CONTROLLED=yes

BOOTPROTO=static

    2.3 Edit /etc/resolv.conf
3. Install GCC

        yum install gcc -y
4. Install BerkelevDB
        wget && tar zxvf db-4.7.25.tar.gz && cd db-4.7.25/build_unix
        ../dist/configure --prefix=/usr/local/BerkeleyDB.4.7
        make && make install
        echo "/usr/local/Berkeley-db-4.7/lib" >> /etc/ld.so.conf
        ldconfig –v

5. Install OpenLDAP

        yum install openldap openldap-servers openldap-clients –y
        need those file: kerberos.schema,rfc2307bis.schema
    
        slaptest -f /etc/openldap/slapd.conf 2>&1
        rm -rf /etc/openldap/slapd.d/*
        slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
        chown -R ldap.ldap /etc/openldap/slapd.d
        service slapd restart
        slapd -h "ldap:///"
5.  Create Object
        

dn: dc=x,dc=y,dc=n

dc: x

o: x

objectClass: organization

objectClass: dcObject

 
ldapadd -x -D "cn=Manager,dc=x,dc=y,dc=n" -W -f base.ldif

dn: ou=group,dc=x,dc=y,dc=n

ou: group

objectClass: top

objectClass: organizationalUnit

objectClass: domainRelatedObject

associatedDomain: x.y.n

dn: ou=people,dc=x,dc=y,dc=n

ou: people

objectClass: top

objectClass: organizationalUnit

objectClass: domainRelatedObject

associatedDomain: x.y.n

dn: cn=aaaa,ou=group,dc=x,dc=y,dc=n

cn: aaaa

gidNumber: 1003

member: uid=ldapuser1,ou=people,dc=x,dc=y,dc=n

member: uid=ldapuser2,ou=people,dc=x,dc=y,dc=n

objectClass: posixGroup

objectClass: top

objectClass: groupOfNames

dn: uid=u5,ou=people,dc=x,dc=y,dc=n

objectClass: top

objectClass: account

objectClass: posixAccount

objectClass: shadowAccount

gidNumber: 3003

loginShell: /bin/bash

shadowExpire: -1

shadowFlag: 0

shadowWarning: 7

shadowMin: 8

shadowMax: 999999

uid: u5

cn: Test User5

gecos: Test User5

homeDirectory:: L2hvbWUvdTVfaTU1LWVuZzE0MiA=

uidNumber: 5055

userPassword:: e2NyeXB0fSQxJE4vWVRGR3VDJFhlU2tkL09BcnR3TUtkZ051S082RC4=

shadowLastChange: 16828

ldapsearch -x -D "cn=Manager,dc=x,dc=y,dc=n" –W  >> object.txt


5. Configure LDAP-SSL Authentication
    Generate Certificate
    cd /etc/openldap/certs/
    openssl genrsa -out ldap.key 1024  
    openssl req -new -key ldap.key -out ldap.csr(Common Name(eg, your name or your server's hostname)[]:master.example.com // must use FQDN format)
    openssl x509 -req -days 1095 -in ldap.csr -signkey ldap.key -out ldap.crt
    chmod 700 certs/
    chown ldap.ldap certs/ -R
    vim /etc/openldap/ldap.conf
           

            TLS_CACERTDIR   /etc/openldap/certs       

            TLS_REQCERT allow         
    vim /etc/openldap/slapd.conf       
            TLSCertificateFile /etc/openladp/certs/ldap.crt
            TLSCertificateKeyFile /etc/openladp/certs/ldap.key
            TLSCertificatePath /etc/ssl/certs

root@ldapssl ~]# service slapd stop

[root@ldapssl ~]# rm -rf /etc/openldap/slapd.d/*

[root@ldapssl ~]# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/

[root@ldapssl ~]# chown ldap.ldap /etc/openldap/slapd.d/ -R

[root@ldapssl ~]# slapd -h "ldaps:/// ldap:///"           

3.2.1. Client Test

[root@ldapssl ~]# setup

/etc/sysconfig/i18n

LANG="en_US.UTF-8"

NG="zh_CN.GB2312"

SUPPORTED="zh_CN.UTF-8:zh_CN:zh"

SYSFONT="latarcyrheb-sun16"

ldapwhoami -v -x -Z            

6.   NSS-PAM-LDAPD-User-Authentication

    

[root@ldapssl ~]# yum install nss-pam-ldapd

[root@ldapssl ~]# vim /etc/sysconfig/authconfig

Following line must be set to YES

USELDAP=yes
USELDAPAUTH=yes
USEMD5=yes
USESHADOW=yes
USELOCAUTHORIZE=yes

[root@ldapssl ~]# vim /etc/nsswitch.conf

passwd: files ldap
shadow: files ldap
group: files ldap

[root@ldapssl ~]# vim /etc/ldap.conf

base dc=x,dc=y,dc=n

binddn cn=Manager,dc=x,dc=y,dc=n

bindpwd P@ssw0rd

CA      certificates for server certificate verification

uri ldap://xxx.xxx.xxx.xxx/

ldap_version    3

ssl no

pam_filter      objectClass=posixAccount

tls_cacertdir /etc/openldap/cacerts

[root@ldapssl ~]# vim /etc/pam.d/system-auth

auth        required      pam_env.so

auth        sufficient    pam_fprintd.so

auth        sufficient    pam_unix.so nullok try_first_pass

auth        requisite     pam_succeed_if.so uid >= 500 quiet

auth        sufficient    pam_ldap.so use_first_pass

auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow

account     sufficient    pam_localuser.so

account     sufficient    pam_succeed_if.so uid < 500 quiet

account     [default=bad success=ok user_unknown=ignore] pam_ldap.so

account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=

password    sufficient    pam_unix.so md5 shadow nis nullok try_first_pass use_authtok

password    sufficient    pam_ldap.so use_authtok

password    required      pam_deny.so

session     optional      pam_keyinit.so revoke

session     required      pam_limits.so

session     optional      pam_oddjob_mkhomedir.so skel=/etc/skel/ umask=0022

session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid

session     required      pam_unix.so

session     optional      pam_ldap.so

getent passwd command will show ldap user information