Configuring the OpenLDAP server

Restriction: This topic applies only when the Enterprise Server feature is enabled.

The following assumptions must be true before you start the configuration of the OpenLDAP server:

You have appropriate authority to administer the system.
Are working in a writeable working directory.
The Enterprise Server product is installed in the default location.
Root access will be required for most actions.

Note: Different UNIX versions might require variations of the listed commands.

The subsequent use of secldap is an example container name; customize this as required.

Perform the following steps to configure your OpenLDAP server:

The following step is optional and only required if you want to start from a known initial state if you already have OpenLDAP installed and in use. If OpenLDAP has not already been installed skip to step 2.
Important: Checked with your LDAP administrator before you remove slapd configuration from your system, especially if you already have applications relying on OpenLDAP or the schema in use has previously been extended. Micro Focus recommends that you backup any existing files in case you might need to restore them, for example:
```
tar czf /etc/openldap/slapd-backup.tgz slapd.conf -C /var/lib ldap
```
To stop and clear slapd, execute the following on the command line:
```
systemctl stop slapd
systemctl disable slapd
rm -rf
/etc/openldap/slapd.d
rm -f /var/lib/ldap/*
yum -y remove openldap-servers
yum -y remove openldap-clients
```
To install OpenLDAP, execute the following on the command line:
```
yum -y install openldap-servers
```
```
yum -y install openldap-clients
```

Modify the slapd.d/cn=config/olcDatabase={0}config.ldif file:

sed -i '/CRC.*/d' /etc/openldap/slapd.d/cn=config/olcDatabase={0}config.ldif
 
sed -i '/olcAccess:.*/c\olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break' /etc/openldap/slapd.d/cn=config/olcDatabase={0}config.ldif
 
sed -i '/ al,cn=auth.*/d' /etc/openldap/slapd.d/cn=config/olcDatabase={0}config.ldif

Start the slapd process:
```
systemctl start slapd
```

Create a chrootpwd.ldif file in the current directory with the following contents:

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx

Modify chrootpwd.ldif and add a Root DN password. In the command below replace [password] with a password of your choice:
```
secret=$(slappasswd -s [password]) 
 
sed -i "/olcRootPW:.*/c\olcRootPW: $secret" chrootpwd.ldif
```

Extend the LDAP schema using ldapadd commands:

ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpwd.ldif 
 
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/core.ldif 
 
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/corba.ldif 
 
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif 
 
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/duaconf.ldif 
 
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/dyngroup.ldif 
 
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
 
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/java.ldif 
 
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/misc.ldif
 
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif 
 
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/openldap.ldif 
 
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/collective.ldif 
 
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/ppolicy.ldif

Create a backend.ldif file in the current directory with the following contents:

dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib/openldap
olcModuleload: back_hdb
 
dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
olcSuffix: dc=secldap,dc=com
olcRootDN: cn=Manager,dc=secldap,dc=com
olcRootPW: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=Manager,dc=secldap,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=secldap,dc=com" write by * read

Create a password for the Micro Focus Enterprise Server connection, replace [connection password] with a password of your choice:

secret=$(slappasswd -s [connection password]) 
 
sed -i "/olcRootPW:.*/c\olcRootPW: $secret" backend.ldif
 
ldapadd -Y EXTERNAL -H ldapi:/// -f backend.ldif

Stop the slapd daemon:
```
systemctl stop slapd
```

Create a schema_convert.conf file with following contents:

include corba.schema      
include core.schema       
include cosine.schema     
include duaconf.schema    
include dyngroup.schema   
include inetorgperson.schema
include java.schema       
include misc.schema       
include nis.schema        
include openldap.schema   
include ppolicy.schema    
include collective.schema
include container.schema
include mfds.schema

Create Enterprise Server schema extensions using MFDS:

cp -r /etc/openldap/schema .
 
mfds -l "dc=secldap,dc=com" 2 schema/mfds.schema
 
rm -rf schema/cn=config
 
cd schema
 
slaptest -f ../schema_convert.conf -F .
 
cd ..
 
cp schema/cn=config/cn=schema/cn={12}container.ldif /etc/openldap/slapd.d/cn=config/cn=schema
 
cp schema/cn=config/cn=schema/cn={13}mfds.ldif /etc/openldap/slapd.d/cn=config/cn=schema
 
chown -R ldap /etc/openldap/slapd.d
 
chmod -R 700 /etc/openldap/slapd.d

Restart the slapd standalone LDAP daemon:
```
systemctl start slapd
```
Enable the slapd service:
```
systemctl enable slapd
```
Create a log folder:
```
rm -rf schema/log
 
mkdir schema/log
```

Create an additional schema extension file top.ldif in the schema directory:

dn: dc=secldap,dc=com
objectClass: dcObject
objectClass: organization
dc: secldap
description: secldap domain
o: MFSECLDAP

Create an additional schema extension file mf-containers.ldif in schema directory:

dn: cn=Micro Focus,dc=secldap,dc=com
cn: Micro Focus
objectClass: container
 
dn: cn=Enterprise Server Resources,cn=Micro Focus,dc=secldap,dc=com
cn: Enterprise Server Resources
objectClass: container
 
dn: cn=Enterprise Server Users,cn=Micro Focus,dc=secldap,dc=com
cn: Enterprise Server Users
objectClass: container
 
dn: cn=Enterprise Server User Groups,cn=Micro Focus,dc=secldap,dc=com
cn: Enterprise Server User Groups
objectClass: container

Install the remaining schema extensions:

ldapadd -v -D "cn=Manager,dc=secldap,dc=com" -w [connection_password] -f schema/top.ldif -h localhost:389 > schema/log/top.log
 
ldapadd -v -D "cn=Manager,dc=secldap,dc=com" -w [connection_password] -f schema/mf-containers.ldif -h localhost:389 > schema/log/containers.log
 
rm -f schema/mfds-users.ldif
 
mfds -e "cn=Micro Focus,dc=secldap,dc=com" "cn=Enterprise Server Users" "cn=Enterprise Server User Groups" "cn=Enterprise Server Resources" 2 "schema/mfds-users.ldif" 
 
ldapadd -v -D "cn=Manager,dc=secldap,dc=com" -w [connection_password] -f schema/mfds-users.ldif -h localhost:389 -c > schema/log/mfds-users.log
 
sed 's/DC=X/CN=Micro Focus,dc=secldap,dc=com/' /opt/microfocus/EnterpriseDeveloper/etc/es_default_ldap_openldap.ldf > schema/es_default_ldap_openldap.ldif
 
ldapadd -v -D "cn=Manager,dc=secldap,dc=com" -w [connection_password] -f schema/es_default_ldap_openldap.ldif -h localhost:389 -c > schema/log/es_default_ldap_openldap.log

Confirm the schema extensions have been installed using the following command:
```
ldapsearch -h localhost:389 -x -b "cn=subschema" -s base + > schema.txt
```
Check the contents of the resulting file, schema.txt, to verify that there are attributes and objectClass entries that begin with microfocus-. You can also attempt to connect to the "dc=secldap,dc=com" or your customized variation, Base DN using an LDAP browser or other LDAP access tool via port 389 using the "cn=Manager,dc=secldap,dc=com" simple id and [connection password] password and browse the "cn=Micro Focus" container tree.