LDAP Server and Client Configuration on Centos7

Lab Setup

Description                Server Information               Tester1 Information

Operating System      CENTOS7 – 64 Bit                CENTOS7 – 64 Bit

Host Name                 server1.example.com          tester1.example.com

IP Address                 192.168.122.50                    192.168.122.100

Prerequisites:

1. Make sure both server server1 (192.168.122.50) and tester1(192.168.122.100) are accessible.
2. Make an entry of each host in /etc/hosts for name resolution if you use server name instead of IP address.

Server Side configuration

Login into the server server1 192.168.122.50 as root.

1. Install the required LDAP Packages “Openldap” and “migrationtools”

# yum -y install openldap* migrationtools

2. Create a LDAP root passwd for administration purpose.

# slappasswd

New password:

Re-enter new password:

Copy the encrypted the password from the above output and keep it save it to be used later.

3. Edit the OpenLDAP Server Configuration

OpenLDAP server Configuration files are located in /etc/openldap/slapd.d/.

1. 1. Go to /etc/openldap/slapd.d/cn=config/ and edit “olcDatabase={2}hdb.ldif” configuration file.

# cd /etc/openldap/slapd.d/cn=config

# vi olcDatabase\=\{2\}hdb.ldif

1. 1. Change “olcSuffix” and “olcRootDN” to point to your domain.

olcSuffix: dc=example,dc=com
olcRootDN: cn=Manager,dc=example,dc=com

1. 1. Add these lines:

olcRootPW: {SSHA}bHSiwuPJEypHS6zHSE2Uy7M69sQjmkPL
olcTLSCertificateFile: /etc/pki/tls/certs/exampleldap.pem
olcTLSCertificateKeyFile: /etc/pki/tls/certs/exampleldapkey.pem

Replace the “olcRootPW” value with your copied passwd.

1. Save and exit.

The suffix specifies the domain for which the LDAP server provides information and should be changed to your domain name. The rootdn entry is the Distinguished Name (DN) for a user who is unrestricted by access controls or administrative limit parameters set for operations on the LDAP directory. The rootdn user can be thought of as the root user for the LDAP directory. In the configuration file, change the rootdn line from its default.

4. Provide the Monitor privileges

Open /etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif file and go to the line starting with olcAccess. Replace the value “dc=my-domain,dc=com” to “dc=example,dc=com” as below.

# vi olcDatabase={1}monitor.ldif 

olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external, cn=auth" read by dn.base="cn=Manager,dc=example,dc=com" read by * none

Notes:

1. 1. If no olcAccess directives are specified, the default access control policy, to * by * read, allows all users (both authenticated and anonymous) read access.
   2. Access controls defined in the frontend are appended to all other databases’ controls.

5. Verify the configuration

# slaptest –u

56abba86 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif"

56abba86 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif"

config file testing succeeded

Ignore the Checksum errors as of now.

6. Create the self-signed certificate

 # openssl req -new -x509 -nodes -out /etc/pki/tls/certs/exampleldap.pem -keyout /etc/pki/tls/certs/exampleldapkey.pem -days 365

Verify the created certificates under the location /etc/pki/tls/certs/

# ll /etc/pki/tls/certs/*.pem
-rw-r--r--. 1 root root 1704 Jan  8 14:52 /etc/pki/tls/certs/exampleldapkey.pem
-rw-r--r--. 1 root root 1497 Jan  8 14:52 /etc/pki/tls/certs/exampleldap.pem

7. Enable and Start the SLAPD service

# systemctl start slapd

# systemctl enable slapd

# netstat -lt | grep ldap

tcp        0      0 0.0.0.0:ldap            0.0.0.0:*               LISTEN

tcp6       0      0 [::]:ldap               [::]:*                  LISTEN

8. Configure LDAP Database

Copy the Sample Database Configuration file, change the file permissions

# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
# chown -R ldap:ldap /var/lib/ldap/

9. Add LDAP Schemas

# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

10. Create base objects in OpenLDAP

We need to change some predefined values in the file “migrate_common.ph” according to our domain name:

# cd /usr/share/migrationtools/
[root@server1 migrationtools]# vi migrate_common.ph

1. 1. Go to Line Number 71 and change your domain name

$DEFAULT_MAIL_DOMAIN = "example.com";

1. 1. Go to line number 74 and change your base name

$DEFAULT_BASE = "dc=example,dc=com";

1. 1. Go to line number 90 and change your EXTENDED_SCHEMA from “0” to “1”

$EXTENDED_SCHEMA = 1;

1. 1. Save and Exit the file.

11. Generate a base.ldif file for your Domain (You are in /usr/share/migrationtools/ Directory)

[root@server1 migrationtools]# touch /root/base.ldif

1. 1. Copy these lines and paste inside the file /root/base.ldif.

dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectclass: organization
o: example com
dc: example

dn: cn=Manager,dc=example,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=example,dc=com
objectClass: organizationalUnit
ou: Group

       Replace with your domain name for example.com,

1. Save and exit the file.

Create a Local Users (You are still in /usr/share/migrationtools/ Directory)

12. Let us create some local users and groups, then we will migrate to LDAP.

# useradd ldapuser1

# useradd ldapuser2

# echo "redhat" | passwd --stdin ldapuser1

# echo "redhat" | passwd --stdin ldapuser2

1. 1. 1. Filter out these user from /etc/passwd to another file:

# grep ":10[0-9][0-9]" /etc/passwd > /root/passwd

1. Filter out user group from /etc/group to another file:

# grep ":10[0-9][0-9]" /etc/group > /root/group

13. Convert the Individual Users file to LDAP Data Interchange Format (LDIF). (You are still in /usr/share/migrationtools/ Directory)

1. 1. Generate a ldif file for users

# ./migrate_passwd.pl /root/passwd /root/users.ldif

1. 1. Generate a ldif file for groups

# ./migrate_group.pl /root/group /root/groups.ldif

14. Import Users in to the LDAP Database. (You are still in /usr/share/migrationtools/ Directory)

# ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f /root/base.ldif

# ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f /root/users.ldif
# ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f /root/groups.ldif

It will ask for a password of “Manager”, you have to type the password which you generated in encrypted format.

15. Test the configuration. (You are still in /usr/share/migrationtools/ Directory)

# ldapsearch -x cn=ldapuser1 -b dc=example,dc=com

It should prints all the user information:

# ldapsearch -x -b 'dc=example,dc=com' '(objectclass=*)'

16. Stop Firewalld to allow the connection. (You are still in /usr/share/migrationtools/ Directory)

[root@server1 migrationtools]# cd ~

# systemctl stop firewalld

LDAP Configuration is done, but we need to share the LDAP Users Home Directories via NFS. So Users who logged in the tester1 servers will also be able to save their data remotely on LDAP Server. If not they will get an error as “Home Directory not found”.

17. NFS Configuration to export the Home Directory.

Edit the file /etc/exports and add an entry as below to export the home directory.

# vi /etc/exports
/home *(rw,sync)

Save and Exit the file.

18. Enable and restart rpcbind and nfs service.

# yum -y install rpcbind nfs-utils
# systemctl start rpcbind
# systemctl start nfs
# systemctl enable rpcbind
# systemctl enable nfs

19. Test the NFS Configuration

# showmount -e
Export list for server1.example.com:
/home *

Client – tester1 end configuration

1. Login into the server tester1 192.168.122.100
2. Install the required rpms on Tester1

[root@tester1 ~]# yum install -y openldap-client nss-pam-ldapd
[root@tester1 ~]# authconfig-tui

Steps to follow for LDAP Authentication:

1. 1. Put ‘*’ Mark on “Use LDAP”
   2. Put ‘*’ Mark on “Use LDAP Authentication”
   3. Select “Next” and Enter.
   4. Enter the server field as “ldap://server1.example.com/”
   5. Enter the Base DN Field as “dc=example,dc=com”
   6. Select “OK” and Enter

1. 3. Test your Configuration.

Search the ldap user using getent  command and check the output. If you get output, then our LDAP Configurations are working properly.

[root@tester1 ~]# getent passwd ldapuser1

ldapuser1:x:1000:1000:ldapuser1:/home/ldapuser1:/bin/bash

4. Mount the LDAP Users Home Directory.

Add an entry in /etc/fstab to mount the LDAP Users home directory.

server1.example.com:/home   /home   auto defaults 0 0

Complete this lab successfully and avail 80% discount on any course on this website. Drop a mail with screenshot at admin@theskillpedia.com and we will share the discount coupon with you.

Take a look at the Courses offered with Course Contents at https://www.theskillpedia.com/category/course-contents/