29.0 Setting Up OpenLDAP on Windows 2000

Install Cygwin and OpenLDAP package

  1. Install Cygwin on the server. For download details, see http://www.cygwin.com

  2. Install OpenLDAP package from http://www.openldap.org/software/download

Setup the slapd.conf file and verify LDAP server is running

  1. Modify the slapd.conf file and add details similar to the following:

    database  bdb
    suffix    "dc=openldap,dc=com"
    rootdn    "cn=Manager,dc=openldap,dc=com"
    # Cleartext passwords, especially for the rootdn, should
    # be avoided.  See slappasswd(8) and slapd.conf(5) for details.
    # Use of strong authentication encouraged.
    rootpw    secret
    # The database directory MUST exist prior to running slapd AND 
    # should only be accessible by the slapd and slap tools.
    # Mode 700 recommended.
    directory  /var/openldap/openldap-data
    # Indices to maintain
    index  objectClass  eq
    
  2. Start slapd, then ensure that the LDAP server is up and running by executing the following command:

    ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts

    The root DSE it returns should list namingContexts: dc=openldap,dc=com, the suffix from slapd.conf.

Create an LDIF file and add it to the directory

  1. Create an .ldif file using any text editor and add the following lines:

    dn: dc=openldap,dc=com
    objectclass: dcObject
    objectclass: organization
    o: protocom
    dc: openldap
    
    dn: cn=Manager,dc=openldap,dc=com
    objectclass: organizationalRole
    cn: Manager
    

    Save this file to the home/admin folder.

  2. Add this .ldif file to the OpenLDAP directory by executing the following command from the /Cygwin/bin folder:

    ./ldapadd -x -D "cn=Manager,dc=openldap,dc=com" -W -f <name of the ldif file created in Step 1>

    When prompted, specify the rootpw value declared in slapd.conf.

Create O, OU and Users

  1. Create an LDIF file titled o.ldif and add the following details:

    ##################################################
    dn: o=protocom,dc=openldap,dc=com
    o: protocom
    objectClass: organization
    ##################################################
    

    Save this file to the home directory.

  2. Add this file to the directory by executing the following command:

    ./ldapadd -x -D "cn=Manager,dc=openldap,dc=com" -W -f o.ldif

    When prompted, specify the rootpw value from slapd.conf.

  3. Create an LDIF file titled ou.ldif and add the following details:

    dn: ou=users,o=protocom,dc=openldap,dc=com
    ou: users
    objectClass: organizationalUnit
    

    Save this file to the home directory.

  4. Add this file to the directory by executing the following command:

    ./ldapadd -x -D "cn=Manager,dc=openldap,dc=com" -W -f ou.ldif

    When prompted, specify the rootpw value from slapd.conf.

  5. Create an LDIF file titled user.ldif and add the following details. The userPassword value here is cleartext, which is acceptable only for a throwaway test user; for anything else, store the hash produced by slappasswd instead:

    dn: cn=tu3,ou=users,o=protocom,dc=openldap,dc=com
    cn: tu3
    sn: tu3
    objectClass: person
    userPassword: abc
    

    Save this file to the home directory.

  6. Add this file to the directory by executing the following command:

    ./ldapadd -x -D "cn=Manager,dc=openldap,dc=com" -W -f user.ldif

    When prompted, specify the rootpw value from slapd.conf.

  7. To confirm that the entries are in place, start your LDAP browser and connect to the LDAP server, or run ldapsearch -x -b "o=protocom,dc=openldap,dc=com" and check that the o, ou and user entries are returned.
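    The three LDIF files above can be written by a script, which is also the natural place to stop storing the test user's password in cleartext. The following POSIX shell script is an added example and is not part of the original page: it writes o.ldif, ou.ldif and user.ldif for the same DNs as above, but stores userPassword in the {SSHA} form slapd expects (base64 of SHA-1(password || salt) || salt, the same format slappasswd -h '{SSHA}' produces), and includes a verifier that recomputes the digest from a stored value. It assumes openssl is on the PATH; the tu3 user, the abc password and the file names come from the page, while BASE, ssha_hash, ssha_verify and write_ldifs are the example's own names. The same hashed form is accepted for rootpw in slapd.conf.

```shell
#!/bin/sh
# Added example (not from the original page): write the o/ou/user LDIF files
# with an {SSHA}-hashed userPassword instead of the cleartext "abc".
# Assumes: openssl on PATH. slappasswd -h '{SSHA}' -s PASSWORD produces the
# same format and should be used where the OpenLDAP tools are installed.

BASE="o=protocom,dc=openldap,dc=com"

# ssha_hash PASSWORD -> prints {SSHA}base64( SHA-1(password || salt) || salt )
# with a fresh 4-byte random salt, the layout slapd uses for {SSHA}.
ssha_hash() {
    tmp=$(mktemp -d)
    openssl rand 4 > "$tmp/salt"
    { printf '%s' "$1"; cat "$tmp/salt"; } | openssl dgst -sha1 -binary > "$tmp/digest"
    printf '{SSHA}%s\n' "$(cat "$tmp/digest" "$tmp/salt" | openssl base64 -A)"
    rm -rf "$tmp"
}

# ssha_verify STORED PASSWORD -> exit 0 if PASSWORD matches the stored value.
# Splits the decoded value into the 20-byte SHA-1 digest and the trailing salt,
# then recomputes the digest over password || salt and compares.
ssha_verify() {
    stored=$(printf '%s' "$1" | sed 's/^{SSHA}//')
    tmp=$(mktemp -d)
    printf '%s' "$stored" | openssl base64 -d -A > "$tmp/blob"
    dd if="$tmp/blob" of="$tmp/digest" bs=1 count=20 2>/dev/null
    dd if="$tmp/blob" of="$tmp/salt" bs=1 skip=20 2>/dev/null
    { printf '%s' "$2"; cat "$tmp/salt"; } | openssl dgst -sha1 -binary > "$tmp/check"
    if cmp -s "$tmp/digest" "$tmp/check"; then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return $rc
}

# write_ldifs DIR USER PASSWORD -> writes o.ldif, ou.ldif and user.ldif in DIR,
# the same entries as the page's files but with a hashed userPassword.
write_ldifs() {
    dir=$1; user=$2; hash=$(ssha_hash "$3")
    cat > "$dir/o.ldif" <<EOF
dn: $BASE
o: protocom
objectClass: organization
EOF
    cat > "$dir/ou.ldif" <<EOF
dn: ou=users,$BASE
ou: users
objectClass: organizationalUnit
EOF
    cat > "$dir/user.ldif" <<EOF
dn: cn=$user,ou=users,$BASE
cn: $user
sn: $user
objectClass: person
userPassword: $hash
EOF
}

# Stand-alone run: write the files into $LDIF_DIR (default: a temporary dir).
# Load them in order with the page's command, e.g.
#   ldapadd -x -D "cn=Manager,dc=openldap,dc=com" -W -f DIR/o.ldif
# and then ou.ldif and user.ldif.
OUT=${LDIF_DIR:-$(mktemp -d)}
write_ldifs "$OUT" tu3 abc
echo "LDIF files written to $OUT; stored userPassword: $(sed -n 's/^userPassword: //p' "$OUT/user.ldif")"
```

    A simple bind as cn=tu3 with the password abc still works after this change, because slapd hashes the supplied password with the stored salt and compares, exactly as ssha_verify does.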

Setting up SSL and Creating Certificates

  1. Create a self-signed server certificate by using the following command:

    openssl req -newkey rsa:1024 -x509 -nodes -out server.pem -keyout server.pem -days 365

    This writes both the private key and the certificate into server.pem. It is enough for a quick test of the ldaps listener, but the TLS directives in step 6 reference the CA-signed certificate produced in steps 2 to 4. A 1024-bit RSA key is no longer adequate; use rsa:2048 or larger.

  2. Create a CA by using the following command:

    /usr/share/ssl/misc/CA.sh -newca

    This creates the demoCA directory, with the CA certificate in demoCA/cacert.pem and the CA private key in demoCA/private/cakey.pem.

  3. Create a certificate signing request (CSR) by using the following command:

    openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem

    Use the server's DNS name (the HOST value set in ldap.conf below) as the Common Name. newreq.pem holds both the CSR and the server's private key, so keep it mode 600.

  4. Have the CA sign the CSR by specifying the following command:

    /usr/share/ssl/misc/CA.sh -sign

    This reads newreq.pem and writes the CA-signed certificate to newcert.pem.

  5. Edit the slapd.conf file and make sure the following schema files are included at the top of the file, before the database section:

    include /etc/openldap/schema/core.schema 
    include /etc/openldap/schema/cosine.schema 
    include /etc/openldap/schema/inetorgperson.schema 
    include /etc/openldap/schema/misc.schema 
    include /etc/openldap/schema/openldap.schema 
    

    IMPORTANT: Verify the path to the schema files before adding these lines to slapd.conf; slapd will not start if an include path is wrong.

  6. Specify the CA certificate, the server certificate and the server key by adding the following lines to the slapd.conf file. Copy demoCA/cacert.pem, newcert.pem and the private key from newreq.pem to the paths used here (cacert.pem, servercrt.pem and serverkey.pem), and make serverkey.pem readable only by the account slapd runs as. Note that +SSLv2 in an OpenSSL cipher string only moves the SSLv2 ciphers to the end of the list; SSLv2 is broken and must be excluded with !SSLv2:

    TLSCipherSuite HIGH:MEDIUM:!SSLv2
    TLSCACertificateFile /usr/var/openldap-data/cacert.pem
    TLSCertificateFile /usr/var/openldap-data/servercrt.pem
    TLSCertificateKeyFile /usr/var/openldap-data/serverkey.pem

    # Use the following if client certificate authentication is required
    #TLSVerifyClient demand
    # ... or if client certificates are not wanted at all
    TLSVerifyClient never
    
  7. Add the following lines to the ldap.conf file, which the client tools (ldapsearch, ldapadd) read. HOST must match the Common Name or subjectAltName in the server certificate, TLS_CACERT must point to a copy of the same cacert.pem, and TLS_REQCERT demand makes the client refuse any server certificate it cannot verify against that CA:

    HOST openldap.com 
    PORT 636 
    
    TLS_CACERT /ssl/certs/cacert.pem 
    TLS_REQCERT demand
    

Testing the setup

  1. Start slapd in the foreground with debug output, listening on both the plain and the TLS port, and watch the output for TLS errors:

    /usr/sbin/slapd -d1 -h "ldap:/// ldaps:///"

    Then, from a second shell, query the ldaps listener with ldapsearch -x -H ldaps://openldap.com/ -b '' -s base namingContexts. With TLS_REQCERT demand in ldap.conf, a successful answer shows that the client trusts the server certificate.

Connect to the LDAP Browser using SSL and create DER file

  1. Specify the username, the context (base DN) and accept the server certificate when prompted.

  2. Create a DER-encoded copy of the CA certificate for clients, such as the LDAP browser or the Windows certificate store, that cannot import PEM files, by using the following command:

    openssl.exe x509 -in cacert.pem -outform DER -out cacert.der

    Import cacert.der into the client's trusted root store; the client then verifies the server certificate against the CA instead of asking the user to accept it.
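    The CA.sh wrapper used in steps 2 to 4 hides which openssl commands run and where the files land. The following POSIX shell script is an added example and is not part of the original page: it does the same work with plain openssl commands (a private CA, a server key and CSR for the ldap.conf HOST name, a CA-signed certificate carrying a matching subjectAltName), then checks that the certificate verifies against the CA, is valid for that host name and belongs to its private key, and finally converts the CA certificate to DER as in the last step. It assumes openssl is on the PATH; the "Example Test CA" name, the function names and the CERT_DIR and LDAP_HOST variables are the example's own, while cacert.pem, servercrt.pem and serverkey.pem are the file names the slapd.conf directives above reference.

```shell
#!/bin/sh
# Added example (not from the original page): explicit openssl equivalents of
# CA.sh -newca, the CSR step and CA.sh -sign, plus the checks worth running
# before pointing slapd.conf and ldap.conf at the files. Assumes openssl on PATH.

# make_ca DIR -> self-signed CA certificate and key (CA.sh -newca equivalent).
make_ca() {
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Example Test CA" \
        -keyout "$1/cakey.pem" -out "$1/cacert.pem" 2>/dev/null
    chmod 600 "$1/cakey.pem"
}

# make_server_cert DIR HOST -> key, CSR and CA-signed certificate for HOST.
# The subjectAltName must match the HOST in ldap.conf, otherwise a client
# configured with TLS_REQCERT demand rejects the connection.
make_server_cert() {
    dir=$1; host=$2
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$dir/serverkey.pem" -out "$dir/server.csr" 2>/dev/null
    chmod 600 "$dir/serverkey.pem"
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" > "$dir/server.ext"
    openssl x509 -req -in "$dir/server.csr" -days 365 \
        -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/servercrt.pem" 2>/dev/null
}

# verify_chain DIR HOST -> exit 0 only if the server certificate chains to the
# CA, is valid for HOST, and the private key in serverkey.pem belongs to it.
verify_chain() {
    dir=$1; host=$2
    openssl verify -CAfile "$dir/cacert.pem" -verify_hostname "$host" \
        "$dir/servercrt.pem" >/dev/null 2>&1 || return 1
    cert_mod=$(openssl x509 -noout -modulus -in "$dir/servercrt.pem")
    key_mod=$(openssl rsa -noout -modulus -in "$dir/serverkey.pem" 2>/dev/null)
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# ca_to_der DIR -> writes cacert.der for clients that import DER only, and
# prints the subject read back from the DER file as a sanity check.
ca_to_der() {
    openssl x509 -in "$1/cacert.pem" -outform DER -out "$1/cacert.der"
    openssl x509 -in "$1/cacert.der" -inform DER -noout -subject
}

# Stand-alone run: everything lands in $CERT_DIR (default: a temporary dir).
DIR=${CERT_DIR:-$(mktemp -d)}
HOST=${LDAP_HOST:-openldap.com}
make_ca "$DIR"
make_server_cert "$DIR" "$HOST"
if verify_chain "$DIR" "$HOST"; then
    echo "chain, host name and key check passed for $HOST"
    ca_to_der "$DIR"
    echo "copy $DIR/cacert.pem, servercrt.pem and serverkey.pem to the TLS* paths in slapd.conf"
else
    echo "certificate check failed" >&2
fi
```

    Running verify_chain with a different host name fails on the hostname check, which is the same failure a client with TLS_REQCERT demand reports when the HOST in ldap.conf does not match the certificate.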