LDAP Server and Client Configuration on Centos7

 

Lab Setup

Description                Server Information               Tester1 Information

Operating System      CENTOS7 - 64 Bit                CENTOS7 - 64 Bit

Host Name                 server1.example.com          tester1.example.com

IP Address                 192.168.122.50                    192.168.122.100

 

Prerequisites:

1. Make sure both server server1 (192.168.122.50) and tester1(192.168.122.100) are accessible.
2. Make an entry of each host in /etc/hosts for name resolution if you use server name instead of IP address.

 

Server Side configuration

Login into the server server1 192.168.122.50 as root.

1. Install the required LDAP Packages "Openldap" and “migrationtools”

# yum -y install openldap* migrationtools

2. Create a LDAP root passwd for administration purpose.

# slappasswd New password: Re-enter new password:

Copy the encrypted the password from the above output and keep it save it to be used later.

3. Edit the OpenLDAP Server Configuration

OpenLDAP server Configuration files are located in

/etc/openldap/slapd.d/.

 

1. 1. Go to

      /etc/openldap/slapd.d/cn=config/

      and edit "

      olcDatabase={2}hdb.ldif

      " configuration file.

# cd /etc/openldap/slapd.d/cn=config # vi olcDatabase\=\{2\}hdb.ldif

1. 1. Change "

      olcSuffix

      " and "

      olcRootDN

      " to point to your domain.

olcSuffix: dc=example,dc=com olcRootDN: cn=Manager,dc=example,dc=com

1. 1. Add these lines:

olcRootPW: {SSHA}bHSiwuPJEypHS6zHSE2Uy7M69sQjmkPL olcTLSCertificateFile: /etc/pki/tls/certs/exampleldap.pem olcTLSCertificateKeyFile: /etc/pki/tls/certs/exampleldapkey.pem

Replace the "

olcRootPW

" value with your copied passwd.

 

1. Save and exit.

The

suffix

specifies the domain for which the LDAP server provides information and should be changed to your domain name. The

rootdn

entry is the Distinguished Name (

DN

) for a user who is unrestricted by access controls or administrative limit parameters set for operations on the LDAP directory. The

rootdn

user can be thought of as the root user for the LDAP directory. In the configuration file, change the

rootdn

line from its default.

 

4. Provide the Monitor privileges

Open

/etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif

 file and go to the line starting with 

olcAccess

. Replace the value "

dc=my-domain,dc=com

" to "

dc=example,dc=com

" as below.

 

# vi olcDatabase={1}monitor.ldif olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external, cn=auth" read by dn.base="cn=Manager,dc=example,dc=com" read by * none

Notes:

1. 1. If no olcAccess directives are specified, the default access control policy, to * by * read, allows all users (both authenticated and anonymous) read access.
   2. Access controls defined in the frontend are appended to all other databases' controls.

5. Verify the configuration

# slaptest –u 56abba86 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif" 56abba86 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif" config file testing succeeded

Ignore the Checksum errors as of now.

6. Create the self-signed certificate

 # openssl req -new -x509 -nodes -out /etc/pki/tls/certs/exampleldap.pem -keyout /etc/pki/tls/certs/exampleldapkey.pem -days 365

Verify the created certificates under the location /etc/pki/tls/certs/

# ll /etc/pki/tls/certs/*.pem -rw-r--r--. 1 root root 1704 Jan  8 14:52 /etc/pki/tls/certs/exampleldapkey.pem -rw-r--r--. 1 root root 1497 Jan  8 14:52 /etc/pki/tls/certs/exampleldap.pem

7. Enable and Start the SLAPD service

# systemctl start slapd # systemctl enable slapd # netstat -lt | grep ldap tcp        0      0 0.0.0.0:ldap            0.0.0.0:*               LISTEN tcp6       0      0 [::]:ldap               [::]:*                  LISTEN

8. Configure LDAP Database

Copy the Sample Database Configuration file, change the file permissions

# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG # chown -R ldap:ldap /var/lib/ldap/

9. Add LDAP Schemas

# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif # ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif # ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

10. Create base objects in OpenLDAP

We need to change some predefined values in the file "

migrate_common.ph

" according to our domain name:

 

# cd /usr/share/migrationtools/ [root@server1 migrationtools]# vi migrate_common.ph

1. 1. Go to Line Number 71 and change your domain name

$DEFAULT_MAIL_DOMAIN = "example.com";

1. 1. Go to line number 74 and change your base name

$DEFAULT_BASE = "dc=example,dc=com";

1. 1. Go to line number 90 and change your EXTENDED_SCHEMA from "0" to "1"

$EXTENDED_SCHEMA = 1;

1. 1. Save and Exit the file.

11. Generate a base.ldif file for your Domain (You are in /usr/share/migrationtools/ Directory)

[root@server1 migrationtools]# touch /root/base.ldif

1. 1. Copy these lines and paste inside the file

      /root/base.ldif

      .

dn: dc=example,dc=com objectClass: top objectClass: dcObject objectclass: organization o: example com dc: example dn: cn=Manager,dc=example,dc=com objectClass: organizationalRole cn: Manager description: Directory Manager dn: ou=People,dc=example,dc=com objectClass: organizationalUnit ou: People dn: ou=Group,dc=example,dc=com objectClass: organizationalUnit ou: Group

       Replace with your domain name for 

example.com

,

 

1. Save and exit the file.

Create a Local Users (You are still in /usr/share/migrationtools/ Directory)

12. Let us create some local users and groups, then we will migrate to LDAP.

# useradd ldapuser1 # useradd ldapuser2 # echo "redhat" | passwd --stdin ldapuser1 # echo "redhat" | passwd --stdin ldapuser2

1. 1. 1. Filter out these user from

         /etc/passwd

         to another file:

# grep ":10[0-9][0-9]" /etc/passwd > /root/passwd

1. Filter out user group from

   /etc/group

   to another file:

# grep ":10[0-9][0-9]" /etc/group > /root/group

13. Convert the Individual Users file to LDAP Data Interchange Format (LDIF). (You are still in /usr/share/migrationtools/ Directory)

1. 1. Generate a ldif file for users

# ./migrate_passwd.pl /root/passwd /root/users.ldif

1. 1. Generate a ldif file for groups

# ./migrate_group.pl /root/group /root/groups.ldif

14. Import Users in to the LDAP Database. (You are still in /usr/share/migrationtools/ Directory)

# ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f /root/base.ldif # ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f /root/users.ldif # ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f /root/groups.ldif

It will ask for a password of "Manager", you have to type the password which you generated in encrypted format.

15. Test the configuration. (You are still in /usr/share/migrationtools/ Directory)

# ldapsearch -x cn=ldapuser1 -b dc=example,dc=com

It should prints all the user information:

# ldapsearch -x -b 'dc=example,dc=com' '(objectclass=*)'

16. Stop Firewalld to allow the connection. (You are still in /usr/share/migrationtools/ Directory)

[root@server1 migrationtools]# cd ~ # systemctl stop firewalld

LDAP Configuration is done, but we need to share the LDAP Users Home Directories via NFS. So Users who logged in the tester1 servers will also be able to save their data remotely on LDAP Server. If not they will get an error as "Home Directory not found".

17. NFS Configuration to export the Home Directory.

Edit the file

/etc/exports

and add an entry as below to export the home directory.

 

# vi /etc/exports /home *(rw,sync)

Save and Exit the file.

18. Enable and restart rpcbind and nfs service.

# yum -y install rpcbind nfs-utils # systemctl start rpcbind # systemctl start nfs # systemctl enable rpcbind # systemctl enable nfs

19. Test the NFS Configuration

# showmount -e Export list for server1.example.com: /home *

 

Client - tester1 end configuration

1. Login into the server tester1 192.168.122.100
2. Install the required rpms on Tester1

[root@tester1 ~]# yum install -y openldap-client nss-pam-ldapd [root@tester1 ~]# authconfig-tui

 

Steps to follow for LDAP Authentication:

 

1. 1. Put '*' Mark on "Use LDAP"
   2. Put '*' Mark on "Use LDAP Authentication"
   3. Select "Next" and Enter.
   4. Enter the server field as "ldap://server1.example.com/"
   5. Enter the Base DN Field as "dc=example,dc=com"
   6. Select "OK" and Enter

1. 3. Test your Configuration.

Search the ldap user using

getent

 command and check the output. If you get output, then our LDAP Configurations are working properly.

 

[root@tester1 ~]# getent passwd ldapuser1 ldapuser1:x:1000:1000:ldapuser1:/home/ldapuser1:/bin/bash

4. Mount the LDAP Users Home Directory.

Add an entry in

/etc/fstab

to mount the LDAP Users home directory.

 

server1.example.com:/home   /home   auto defaults 0 0

Complete this lab successfully and avail 80% discount on any course on this website. Drop a mail with screenshot at admin@theskillpedia.com and we will share the discount coupon with you.

Take a look at the Courses offered with Course Contents at https://www.theskillpedia.com/category/course-contents/

[the_ad id="2469"]