
Lab Setup
Description        Server Information        Tester1 Information
Operating System   CENTOS7 – 64 Bit          CENTOS7 – 64 Bit
Host Name          server1.example.com       tester1.example.com
IP Address         192.168.122.50            192.168.122.100
Prerequisites:
- Make sure both hosts, server1 (192.168.122.50) and tester1 (192.168.122.100), are reachable from each other.
- Add an entry for each host in /etc/hosts for name resolution if you use host names instead of IP addresses.
Server Side configuration
Log in to server1 (192.168.122.50) as root.
- Install the required LDAP packages “openldap” and “migrationtools”
# yum -y install openldap* migrationtools
- Create an LDAP root password for administration.
# slappasswd
New password:
Re-enter new password:
Copy the hashed password printed by the command and save it; it is needed later.
- Edit the OpenLDAP Server Configuration
OpenLDAP server Configuration files are located in /etc/openldap/slapd.d/.
- Go to /etc/openldap/slapd.d/cn=config/ and edit the “olcDatabase={2}hdb.ldif” configuration file.
# cd /etc/openldap/slapd.d/cn=config
# vi olcDatabase\=\{2\}hdb.ldif
- Change “olcSuffix” and “olcRootDN” to point to your domain.
olcSuffix: dc=example,dc=com
olcRootDN: cn=Manager,dc=example,dc=com
- Add these lines:
olcRootPW: {SSHA}bHSiwuPJEypHS6zHSE2Uy7M69sQjmkPL
olcTLSCertificateFile: /etc/pki/tls/certs/exampleldap.pem
olcTLSCertificateKeyFile: /etc/pki/tls/certs/exampleldapkey.pem
Replace the “olcRootPW” value with the hash you copied from slappasswd.
- Save and exit.
The suffix specifies the domain for which the LDAP server provides information and should be changed to your domain name. The rootdn entry is the Distinguished Name (DN) for a user who is unrestricted by access controls or administrative limit parameters set for operations on the LDAP directory. The rootdn user can be thought of as the root user for the LDAP directory. In the configuration file, change the rootdn line from its default.
- Grant the Monitor privileges
Open the /etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif file and go to the line starting with olcAccess. Replace the value “dc=my-domain,dc=com” with “dc=example,dc=com” as below.
# vi olcDatabase={1}monitor.ldif
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=example,dc=com" read by * none
Notes:
- If no olcAccess directives are specified, the default access control policy, to * by * read, allows all users (both authenticated and anonymous) read access.
- Access controls defined in the frontend are appended to all other databases’ controls.
- Verify the configuration
# slaptest -u
56abba86 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif"
56abba86 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif"
config file testing succeeded
Ignore the checksum errors for now; they appear because the files under slapd.d were edited by hand rather than through ldapmodify, and the test still reports success.
- Create the self-signed certificate
# openssl req -new -x509 -nodes -out /etc/pki/tls/certs/exampleldap.pem -keyout /etc/pki/tls/certs/exampleldapkey.pem -days 365
Verify the created certificate and key under /etc/pki/tls/certs/:
# ll /etc/pki/tls/certs/*.pem
-rw-r--r--. 1 root root 1704 Jan 8 14:52 /etc/pki/tls/certs/exampleldapkey.pem
-rw-r--r--. 1 root root 1497 Jan 8 14:52 /etc/pki/tls/certs/exampleldap.pem
Note that the private key was created world-readable; restrict its permissions so that only root and the ldap user can read it.
- Enable and Start the SLAPD service
# systemctl start slapd
# systemctl enable slapd
# netstat -lt | grep ldap
tcp        0      0 0.0.0.0:ldap            0.0.0.0:*               LISTEN
tcp6       0      0 [::]:ldap               [::]:*                  LISTEN
- Configure LDAP Database
Copy the sample database configuration file and change the ownership of the database directory:
# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
# chown -R ldap:ldap /var/lib/ldap/
- Add LDAP Schemas
# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
- Create base objects in OpenLDAP
We need to change some predefined values in the file “migrate_common.ph” according to our domain name:
# cd /usr/share/migrationtools/
[root@server1 migrationtools]# vi migrate_common.ph
- Go to line number 71 and change your domain name
$DEFAULT_MAIL_DOMAIN = "example.com";
- Go to line number 74 and change your base name
$DEFAULT_BASE = "dc=example,dc=com";
- Go to line number 90 and change EXTENDED_SCHEMA from “0” to “1”
$EXTENDED_SCHEMA = 1;
- Save and exit the file.
- Generate a base.ldif file for your domain (you are in the /usr/share/migrationtools/ directory)
[root@server1 migrationtools]# touch /root/base.ldif
- Copy these lines and paste them into the file /root/base.ldif.
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: example com
dc: example

dn: cn=Manager,dc=example,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=example,dc=com
objectClass: organizationalUnit
ou: Group
Replace example.com (and dc=example,dc=com) with your own domain name.
- Save and exit the file.
Create local users (you are still in the /usr/share/migrationtools/ directory)
- Let us create some local users and groups, which we will then migrate to LDAP.
# useradd ldapuser1
# useradd ldapuser2
# echo "redhat" | passwd --stdin ldapuser1
# echo "redhat" | passwd --stdin ldapuser2
- Filter these users out of /etc/passwd into a separate file:
# grep ":10[0-9][0-9]" /etc/passwd > /root/passwd
- Filter their groups out of /etc/group into a separate file:
# grep ":10[0-9][0-9]" /etc/group > /root/group
- Convert the user and group files to LDAP Data Interchange Format (LDIF). (You are still in the /usr/share/migrationtools/ directory)
- Generate an LDIF file for users
# ./migrate_passwd.pl /root/passwd /root/users.ldif
- Generate an LDIF file for groups
# ./migrate_group.pl /root/group /root/groups.ldif
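As an added example (not code from this page or from migrationtools), the following Python re-implements the passwd/group to LDIF conversion that the two migrate scripts above perform: it selects accounts by their numeric UID/GID field rather than by the grep pattern, and emits no userPassword for locked accounts. The base DN and all sample lines are constructed to match the lab.

```python
# Added example, not migrationtools' own code: a minimal re-implementation of the
# passwd/group -> LDIF conversion that migrate_passwd.pl and migrate_group.pl do
# above. It selects accounts by the numeric UID/GID field (1000-1099, what the
# grep ":10[0-9][0-9]" is meant to catch) instead of matching the whole line.
# All sample lines are constructed.
BASE_DN = "dc=example,dc=com"
ID_MIN, ID_MAX = 1000, 1099
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
ldapuser1:x:1000:1000::/home/ldapuser1:/bin/bash
ldapuser2:x:1001:1001:Second LDAP user:/home/ldapuser2:/bin/bash
nobody:x:65534:65534:Nobody:/:/sbin/nologin"""
SAMPLE_SHADOW = """ldapuser1:$6$SALTSALT$CONSTRUCTEDHASH:17000:0:99999:7:::
ldapuser2:!!:17000:0:99999:7:::"""
SAMPLE_GROUP = """wheel:x:10:ldapuser1
ldapuser1:x:1000:
ldapuser2:x:1001:ldapuser1"""

def select_by_id(text):
    """Keep lines whose third field (UID in passwd, GID in group) is in range."""
    rows = [ln.split(":") for ln in text.splitlines() if ln.strip()]
    return [r for r in rows if r[2].isdigit() and ID_MIN <= int(r[2]) <= ID_MAX]

def shadow_hashes(text):
    """Map login -> password hash, skipping locked or empty entries."""
    rows = [ln.split(":") for ln in text.splitlines() if ln.strip()]
    return {r[0]: r[1] for r in rows if r[1] not in ("", "!", "!!", "*")}

def passwd_to_ldif(text, shadow=""):
    """One LDIF entry per selected user, in the style of migrate_passwd.pl."""
    hashes, entries = shadow_hashes(shadow), []
    for login, _, uid, gid, gecos, home, shell in select_by_id(text):
        attrs = [f"dn: uid={login},ou=People,{BASE_DN}", f"uid: {login}",
                 f"cn: {gecos or login}", "objectClass: account", "objectClass: posixAccount",
                 "objectClass: shadowAccount", "objectClass: top"]
        if login in hashes:  # locked accounts get no userPassword at all
            attrs.append(f"userPassword: {{crypt}}{hashes[login]}")
        attrs += [f"loginShell: {shell}", f"uidNumber: {uid}", f"gidNumber: {gid}",
                  f"homeDirectory: {home}"]
        entries.append("\n".join(attrs))
    return "\n\n".join(entries) + "\n"

def group_to_ldif(text):
    """One posixGroup entry per selected group, with a memberUid per member."""
    entries = []
    for name, _, gid, members in select_by_id(text):
        attrs = [f"dn: cn={name},ou=Group,{BASE_DN}", "objectClass: posixGroup",
                 "objectClass: top", f"cn: {name}", f"gidNumber: {gid}"]
        attrs += [f"memberUid: {m}" for m in members.split(",") if m]
        entries.append("\n".join(attrs))
    return "\n\n".join(entries) + "\n"
```

The output of passwd_to_ldif and group_to_ldif can be written to users.ldif and groups.ldif and loaded with the same ldapadd commands used in the next step.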
- Import the base, users and groups into the LDAP database. (You are still in the /usr/share/migrationtools/ directory)
# ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f /root/base.ldif
# ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f /root/users.ldif
# ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f /root/groups.ldif
Each command asks for the password of “Manager”: type the plain-text password you entered into slappasswd earlier, not the {SSHA} hash.
- Test the configuration. (You are still in the /usr/share/migrationtools/ directory)
# ldapsearch -x cn=ldapuser1 -b dc=example,dc=com
It should print the entry for ldapuser1. To list every entry under the base DN:
# ldapsearch -x -b 'dc=example,dc=com' '(objectclass=*)'
- Stop firewalld to allow the connection. (You are still in the /usr/share/migrationtools/ directory)
[root@server1 migrationtools]# cd ~
# systemctl stop firewalld
The LDAP configuration is done, but the LDAP users' home directories must also be shared via NFS, so that users who log in on tester1 can store their data on the LDAP server. Otherwise they will get a “Home directory not found” error at login.
- NFS Configuration to export the Home Directory.
Edit the file /etc/exports and add an entry as below to export the home directory.
# vi /etc/exports
/home *(rw,sync)
Save and Exit the file.
- Enable and restart rpcbind and nfs service.
# yum -y install rpcbind nfs-utils
# systemctl start rpcbind
# systemctl start nfs
# systemctl enable rpcbind
# systemctl enable nfs
- Test the NFS Configuration
# showmount -e
Export list for server1.example.com:
/home *
Client – tester1 end configuration
- Log in to tester1 (192.168.122.100) as root.
- Install the required RPMs on tester1
[root@tester1 ~]# yum install -y openldap-clients nss-pam-ldapd
[root@tester1 ~]# authconfig-tui
Steps to follow for LDAP Authentication:
- Put a ‘*’ mark on “Use LDAP”
- Put a ‘*’ mark on “Use LDAP Authentication”
- Select “Next” and press Enter.
- Enter the server field as “ldap://server1.example.com/”
- Enter the Base DN field as “dc=example,dc=com”
- Select “OK” and press Enter
- Test your Configuration.
Look up the LDAP user with the getent command and check the output. If the user is returned, the LDAP configuration is working properly.
[root@tester1 ~]# getent passwd ldapuser1
ldapuser1:x:1000:1000:ldapuser1:/home/ldapuser1:/bin/bash
- Mount the LDAP Users Home Directory.
Add an entry in /etc/fstab to mount the LDAP Users home directory.
server1.example.com:/home /home auto defaults 0 0
Complete this lab successfully and get an 80% discount on any course on this website. Send an e-mail with a screenshot to admin@theskillpedia.com and we will share the discount coupon with you.
Take a look at the Courses offered with Course Contents at https://www.theskillpedia.com/category/course-contents/