Chapter 25. Lightweight Directory Access Protocol (LDAP)
rootdn "cn=root,dc=example,dc=com"
When populating an LDAP directory over a network, change the rootpw line, replacing the default value with a hashed password string (the value is a salted hash, not an encrypted password). To create the hash, type the following command:
slappasswd
When prompted, type and then re-type a password. The program prints the resulting hash, by default in the salted SHA-1 {SSHA} scheme, to the shell prompt.
Next, copy the newly created hash into /etc/openldap/slapd.conf on one of the rootpw lines and remove the hash mark (#) that comments the line out.
When finished, the line should look similar to the following example:
rootpw {SSHA}vv2y+i6V6esazrIv70xSSnNAJE18bb2u
Warning
The rootpw value stored in /etc/openldap/slapd.conf is a hash and is never transmitted, but the password it protects is: a simple bind as the rootdn, or as any other DN, sends the cleartext password over the network, where it can be read by anyone on the path unless TLS encryption is enabled. To enable TLS encryption, review the comments in /etc/openldap/slapd.conf and refer to the man page for slapd.conf.
For added security, comment the rootpw directive out again after populating the LDAP directory by preceding it with a hash mark (#). The {SSHA} value is a salted SHA-1 hash, so anyone able to read slapd.conf can attempt offline password guessing against it as long as it remains there.
When using the /usr/sbin/slapadd command line tool locally to populate the LDAP directory, the rootpw directive is not necessary at all.
Important
Only the root user can use /usr/sbin/slapadd, so the database files it creates are owned by root. The directory server, however, runs as the ldap user and is therefore unable to modify those files. To correct this, after using slapadd, type the following command:
chown -R ldap /var/lib/ldap
25.7. Configuring a System to Authenticate Using OpenLDAP
This section provides a brief overview of how to configure OpenLDAP user authentication. Unless you are an OpenLDAP expert, more documentation than is provided here is necessary. Refer to the references provided in Section 25.9, "Additional Resources" for more information.