Configure LDAP Server in order to share users accounts in your local networks.

1. Install OpenLDAP Server.

# yum -y install openldap-servers openldap-clients # cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG # chown ldap. /var/lib/ldap/DB_CONFIG # systemctl start slapd # systemctl enable slapd

2. Set OpenLDAP admin password. Generate encrypted password

# slappasswd New password: Re-enter new password: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx # vi chrootpw.ldif # specify the password generated above for "olcRootPW" section dn: olcDatabase={0}config,cn=config changetype: modify add: olcRootPW olcRootPW: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx # ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 modifying entry "olcDatabase={0}config,cn=config"

3. Import basic Schemas.

# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 adding new entry "cn=cosine,cn=schema,cn=config" # ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 adding new entry "cn=nis,cn=schema,cn=config" # ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 adding new entry "cn=inetorgperson,cn=schema,cn=config"

4 Set your domain name on LDAP DB.

# generate directory manager's password # slappasswd New password: Re-enter new password: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx # vi chdomain.ldif # replace to your own domain name for "dc=***,dc=***" section # specify the password generated above for "olcRootPW" section dn: olcDatabase={1}monitor,cn=config changetype: modify replace: olcAccess olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=example,dc=com" read by * none dn: olcDatabase={2}hdb,cn=config changetype: modify replace: olcSuffix olcSuffix: dc=example,dc=com dn: olcDatabase={2}hdb,cn=config changetype: modify replace: olcRootDN olcRootDN: cn=Manager,dc=example,dc=com dn: olcDatabase={2}hdb,cn=config changetype: modify add: olcRootPW olcRootPW: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx dn: olcDatabase={2}hdb,cn=config changetype: modify add: olcAccess olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=Manager,dc=example,dc=com" write by anonymous auth by self write by * none olcAccess: {1}to dn.base="" by * read olcAccess: {2}to * by dn="cn=Manager,dc=example,dc=com" write by * read # ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 modifying entry "olcDatabase={1}monitor,cn=config" modifying entry "olcDatabase={2}hdb,cn=config" modifying entry "olcDatabase={2}hdb,cn=config" modifying entry "olcDatabase={2}hdb,cn=config" # vi basedomain.ldif # replace to your own domain name for "dc=***,dc=***" section dn: dc=example,dc=com objectClass: top objectClass: dcObject objectclass: organization o: Example Domain dc: example dn: cn=Manager,dc=example,dc=com objectClass: organizationalRole cn: Manager description: Directory Manager dn: ou=People,dc=example,dc=com objectClass: organizationalUnit ou: People dn: ou=Group,dc=example,dc=com objectClass: organizationalUnit ou: Group # ldapadd -x -D cn=Manager,dc=example,dc=com -W -f basedomain.ldif Enter LDAP Password: # directory manager's password adding new entry "dc=example,dc=com" adding new entry "cn=Manager,dc=example,dc=com" adding new entry "ou=People,dc=example,dc=com" adding new entry "ou=Group,dc=example,dc=com"

5. If Firewalld is running, allow LDAP service. LDAP uses 389/TCP.

# firewall-cmd --add-service=ldap --permanent success # firewall-cmd --reload success

6. Configure LDAP Provider. Add syncprov module.

# vi mod_syncprov.ldif # create new dn: cn=module,cn=config objectClass: olcModuleList cn: module olcModulePath: /usr/lib64/openldap olcModuleLoad: syncprov.la # ldapadd -Y EXTERNAL -H ldapi:/// -f mod_syncprov.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 adding new entry "cn=module,cn=config" # vi syncprov.ldif # create new dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config objectClass: olcOverlayConfig objectClass: olcSyncProvConfig olcOverlay: syncprov olcSpSessionLog: 100 # ldapadd -Y EXTERNAL -H ldapi:/// -f syncprov.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 adding new entry "olcOverlay=syncprov,olcDatabase={2}hdb,cn=config"

Configure LDAP Consumer/tester1.

[root@tester1 ~]# vi syncrepl.ldif # create new dn: olcDatabase={2}hdb,cn=config changetype: modify add: olcSyncRepl olcSyncRepl: rid=001 # LDAP server's URI provider=ldap://10.0.0.30:389/ bindmethod=simple # own domain name binddn="cn=Manager,dc=example,dc=com" # directory manager's password credentials=password searchbase="dc=example,dc=com" # includes subtree scope=sub schemachecking=on type=refreshAndPersist # [retry interval] [retry times] [interval of re-retry] [re-retry times] retry="30 5 300 3" # replication interval interval=00:00:05:00 [root@tester1 ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f syncrepl.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 modifying entry "olcDatabase={2}hdb,cn=config" # confirm settings to search datas [root@tester1 ~]# ldapsearch -x -b 'ou=People,dc=example,dc=com' # People, example.com dn: ou=People,dc=example,dc=com objectClass: organizationalUnit ou: People ... ...

Configure LDAP Client to bind LDAP Consumer, too.

# authconfig --ldapserver=server1.example.com,tester1.example.com --update