How to configure LDAP Server in RHEL/CentOS
To configure LDAP in RHEL7/CentOS
LDAP stands for Lightweight Directory Access Protocol. It is a directory service protocol used for centralized authentication of clients over a network. LDAP allows users to access centrally stored information such as directories and files on the server. LDAP holds the user accounts and information about all the users, so they don't need to have an account locally.
Setup Environment
LDAP Server: IP-192.168.5.88 HostName-server.linuxhelp.com
LDAP Client: IP-192.168.5.89 HostName-client.linuxhelp.com
Requirements
- Make sure the client and server can communicate with each other by IP address or hostname.
- You must have a DNS server for resolving the domain names between server and client.
If you don't have DNS, you can create entries in the /etc/hosts file for resolving the domain names.
Below is an example of the hosts file entries.
192.168.5.88 server.linuxhelp.com
192.168.5.89 client.linuxhelp.com
To configure LDAP Server
Install the required packages for setting up LDAP Server.
[root@linuxhelp ~]# yum install openldap* migrationtools -y
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
Package openldap-2.4.39-3.el7.x86_64 already installed and latest version
Resolving Dependencies
--> Running transaction check
---> Package compat-openldap.x86_64 1:2.3.43-5.el7 will be installed
.
.
.
clients.x86_64 0:2.4.39-3.el7
openldap-devel.x86_64 0:2.4.39-3.el7 openldap-servers.x86_64 0:2.4.39-3.el7
Dependency Installed:
cyrus-sasl-devel.x86_64 0:2.1.26-17.el7
Complete!
Once the installation is complete, set up the root password for administration purposes.
[root@linuxhelp ~]# slappasswd
New password:
Re-enter new password:
{SSHA}b28RwTpbqZ5/kxro785tKExdK4uyOX7T
This outputs your root password in hashed ({SSHA}) form. Make a note of this value, as you will need it later while editing the configuration file for LDAP.
Go to the directory /etc/openldap/slapd.d/cn=config to edit the configuration files for LDAP. Edit the files "olcDatabase={1}monitor.ldif" and "olcDatabase={2}hdb.ldif" as follows.
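To show what slappasswd actually produced, here is an added example (not from the original page) that recreates and verifies an {SSHA} value using coreutils only: it is a salted SHA-1 digest, base64(SHA-1(password || salt) || salt), not an encrypted password. The password and salt 'ab12' in the demo are constructed values; slappasswd picks random salt bytes.

```shell
#!/bin/sh
# Recreate and verify OpenLDAP {SSHA} hashes as emitted by slappasswd:
#   {SSHA} + base64( SHA-1(password || salt) || salt )
# Uses only coreutils (sha1sum, base64, od, fold). Added example, not from the page.

hex2bin() {                     # hex string on stdin -> raw bytes on stdout
    fold -w 2 | while read -r h || [ -n "$h" ]; do printf "\\$(printf '%03o' "0x$h")"; done
}

bin2hex() {                     # raw bytes on stdin -> lowercase hex on stdout
    od -A n -v -t x1 | tr -d ' \n'
}

# ssha_make PASSWORD SALT -> prints "{SSHA}..."; slappasswd uses random salt bytes,
# a fixed salt is passed here only so the result is reproducible.
ssha_make() {
    digest=$(printf '%s%s' "$1" "$2" | sha1sum | cut -c1-40)
    b64=$( { printf '%s' "$digest" | hex2bin; printf '%s' "$2"; } | base64 | tr -d '\n')
    printf '{SSHA}%s\n' "$b64"
}

# ssha_verify PASSWORD '{SSHA}...' -> exit 0 on match, 1 on mismatch, 2 if not an {SSHA} value
ssha_verify() {
    case $2 in "{SSHA}"*) ;; *) return 2 ;; esac
    b64=${2#??????}                                   # strip the 6-character {SSHA} prefix
    stored=$(printf '%s' "$b64" | base64 -d | bin2hex | cut -c1-40)   # first 20 bytes = digest
    # everything after byte 20 is the salt; hash password||salt and compare with the stored digest
    computed=$( { printf '%s' "$1"; printf '%s' "$b64" | base64 -d | tail -c +21; } | sha1sum | cut -c1-40)
    [ "$computed" = "$stored" ]
}

# Demo with a constructed password and salt
h=$(ssha_make 'Passw0rd' 'ab12')
echo "$h"
ssha_verify 'Passw0rd' "$h" && echo "match" || echo "no match"
```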
[root@linuxhelp ~]# cd /etc/openldap/slapd.d/cn=config
[root@linuxhelp cn=config]# ls -l
total 20
drwxr-x---. 2 ldap ldap  28 May 15 00:33 cn=schema
-rw-------. 1 ldap ldap 378 May 15 00:33 cn=schema.ldif
-rw-------. 1 ldap ldap 513 May 15 00:33 olcDatabase={0}config.ldif
-rw-------. 1 ldap ldap 408 May 15 00:33 olcDatabase={-1}frontend.ldif
-rw-------. 1 ldap ldap 562 May 15 00:33 olcDatabase={1}monitor.ldif
-rw-------. 1 ldap ldap 609 May 15 00:33 olcDatabase={2}hdb.ldif
[root@linuxhelp cn=config]# vim olcDatabase={2}hdb.ldif
Now edit the "olcSuffix" and "olcRootDN" variables as follows.
Replace dc=my-domain,dc=com with your own domain name. For example, for the domain "linuxhelp.com", change it to dc=linuxhelp,dc=com.
olcSuffix: dc=linuxhelp,dc=com
olcRootDN: cn=Manager,dc=linuxhelp,dc=com
Then add the lines below at the end of the configuration file. For olcRootPW, enter the hashed root password that we generated earlier, and for the certificate entries mention the certificate and key paths that we are going to generate later.
olcRootPW: {SSHA}b28RwTpbqZ5/kxro785tKExdK4uyOX7T
olcTLSCertificateFile: /etc/pki/tls/certs/linuxhelp.pem
olcTLSCertificateKeyFile: /etc/pki/tls/certs/linuxhelpkey.pem
Now edit the "olcDatabase={1}monitor.ldif" file in the same directory, again replacing dc=my-domain,dc=com with your domain name, as follows.
[root@linuxhelp cn=config]# vim olcDatabase={1}monitor.ldif
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=linuxhelp,dc=com" read by * none
Then verify the configuration file using slaptest command.
[root@linuxhelp cn=config]# slaptest -u
5737a49a ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif"
5737a49a ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif"
config file testing succeeded
Now slaptest has succeeded. The checksum errors appear because the files were edited directly rather than through ldapmodify; slapd still loads them, so just ignore the checksum error, it's not a big issue. Start and enable the service.
[root@linuxhelp cn=config]# systemctl start slapd
[root@linuxhelp cn=config]# systemctl enable slapd
ln -s '/usr/lib/systemd/system/slapd.service' '/etc/systemd/system/multi-user.target.wants/slapd.service'
Create the database configuration for LDAP and change the ownership of the database directory to the ldap user and ldap group.
[root@linuxhelp cn=config]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@linuxhelp cn=config]# chown -R ldap:ldap /var/lib/ldap/
Add the following LDAP Schemas.
[root@linuxhelp cn=config]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry " cn=cosine,cn=schema,cn=config"
[root@linuxhelp cn=config]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry " cn=nis,cn=schema,cn=config"
[root@linuxhelp cn=config]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry " cn=inetorgperson,cn=schema,cn=config"
Generate the certificate and key files that we mentioned in the LDAP configuration file. While generating them, you will be asked to provide some information.
[root@linuxhelp cn=config]# openssl req -new -x509 -nodes -out /etc/pki/tls/certs/linuxhelp.pem -keyout /etc/pki/tls/certs/linuxhelpkey.pem -days 365
Generating a 2048 bit RSA private key
...........................................+++
..............................................................................................................+++
writing new private key to '/etc/pki/tls/certs/linuxhelpkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:linuxhelp
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:server.linuxhelp.com
Email Address []:
To verify the generated certificate, run the following command. Note that the key file is created readable by everyone (0644); restrict its permissions so that only root and the ldap user, which slapd runs as, can read it.
[root@linuxhelp cn=config]# ls -l /etc/pki/tls/certs/*.pem
-rw-r--r--. 1 root root 1704 May 15 03:52 /etc/pki/tls/certs/linuxhelpkey.pem
-rw-r--r--. 1 root root 1318 May 15 03:52 /etc/pki/tls/certs/linuxhelp.pem
Now navigate to the directory /usr/share/migrationtools/ to edit "migrate_common.ph".
[root@linuxhelp cn=config]# cd /usr/share/migrationtools/
[root@linuxhelp migrationtools]# vim migrate_common.ph
Go to line number 71 and edit the domain name as required.
$DEFAULT_MAIL_DOMAIN = "linuxhelp.com";
And edit the base name on line number 74.
$DEFAULT_BASE = "dc=linuxhelp,dc=com";
Go to line number 90 and change the EXTENDED_SCHEMA value to "1".
$EXTENDED_SCHEMA = 1;
Create the base.ldif file for the domain.
[root@linuxhelp migrationtools]# vim /root/base.ldif
Create entries like the ones below, changing the domain name to yours.
dn: dc=linuxhelp,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: linuxhelp com
dc: linuxhelp

dn: cn=Manager,dc=linuxhelp,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=People,dc=linuxhelp,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=linuxhelp,dc=com
objectClass: organizationalUnit
ou: Group
Create the LDAP users on the LDAP server and set their passwords so that they can log in from the client side.
[root@linuxhelp migrationtools]# useradd ldapuser1
[root@linuxhelp migrationtools]# useradd ldapuser2
[root@linuxhelp migrationtools]# passwd ldapuser1
Changing password for user ldapuser1.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[root@linuxhelp migrationtools]# passwd ldapuser2
Changing password for user ldapuser2.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
Copy the lines for the LDAP users from /etc/passwd and /etc/group into new files as follows.
[root@linuxhelp migrationtools]# tail /etc/passwd
pulse:x:171:171:PulseAudio System Daemon:/var/run/pulse:/sbin/nologin
gdm:x:42:42::/var/lib/gdm:/sbin/nologin
gnome-initial-setup:x:993:991::/run/gnome-initial-setup/:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
user1:x:1000:1000:user1:/home/user1:/bin/bash
ldap:x:55:55:OpenLDAP server:/var/lib/ldap:/sbin/nologin
ldapuser1:x:1001:1001::/home/ldapuser1:/bin/bash
ldapuser2:x:1002:1002::/home/ldapuser2:/bin/bash
[root@linuxhelp migrationtools]# vim /root/passwd
ldapuser1:x:1001:1001::/home/ldapuser1:/bin/bash
ldapuser2:x:1002:1002::/home/ldapuser2:/bin/bash
[root@linuxhelp migrationtools]# tail /etc/group
stapdev:x:158:
slocate:x:21:
postdrop:x:90:
postfix:x:89:
sshd:x:74:
tcpdump:x:72:
user1:x:1000:user1
ldap:x:55:
ldapuser1:x:1001:
ldapuser2:x:1002:
[root@linuxhelp migrationtools]# vim /root/group
ldapuser1:x:1001:
ldapuser2:x:1002:
Convert the individual users and groups files into LDIF (LDAP Data Interchange Format).
[root@linuxhelp migrationtools]# ./migrate_passwd.pl /root/passwd /root/users.ldif
[root@linuxhelp migrationtools]# ./migrate_group.pl /root/group /root/groups.ldif
Now import the base, users and groups LDIF files created under /root into the LDAP database.
[root@linuxhelp migrationtools]# ldapadd -x -W -D "cn=Manager,dc=linuxhelp,dc=com" -f /root/base.ldif
Enter LDAP Password:
adding new entry "dc=linuxhelp,dc=com"
adding new entry "cn=Manager,dc=linuxhelp,dc=com"
adding new entry "ou=People,dc=linuxhelp,dc=com"
adding new entry "ou=Group,dc=linuxhelp,dc=com"
[root@linuxhelp migrationtools]# ldapadd -x -W -D "cn=Manager,dc=linuxhelp,dc=com" -f /root/users.ldif
Enter LDAP Password:
adding new entry "uid=ldapuser1,ou=People,dc=linuxhelp,dc=com"
adding new entry "uid=ldapuser2,ou=People,dc=linuxhelp,dc=com"
[root@linuxhelp migrationtools]# ldapadd -x -W -D "cn=Manager,dc=linuxhelp,dc=com" -f /root/groups.ldif
Enter LDAP Password:
adding new entry "cn=ldapuser1,ou=Group,dc=linuxhelp,dc=com"
adding new entry "cn=ldapuser2,ou=Group,dc=linuxhelp,dc=com"
Check whether the information is imported to the database.
[root@linuxhelp migrationtools]# ldapsearch -x cn=ldapuser1 -b dc=linuxhelp,dc=com
# extended LDIF
#
# LDAPv3
# base <dc=linuxhelp,dc=com> with scope subtree
# filter: cn=ldapuser1
# requesting: ALL
#
# ldapuser1, People, linuxhelp.com
dn: uid=ldapuser1,ou=People,dc=linuxhelp,dc=com
uid: ldapuser1
cn: ldapuser1
sn: ldapuser1
mail: ldapuser1@linuxhelp.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQ2JFhuYVphQ0JnJFFrYVdaOWgzLjYwbHNaS0I1LlduVTFMUVZkem1
6aHJpb3E0c2pwNTFvRGRMMFFBNlgzTkJWMDgucm1lbmpBcjJ1dlFISjdBMGhzM2JLWktES2RDWXEv
shadowLastChange: 16935
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/ldapuser1
# ldapuser1, Group, linuxhelp.com
dn: cn=ldapuser1,ou=Group,dc=linuxhelp,dc=com
objectClass: posixGroup
objectClass: top
cn: ldapuser1
userPassword:: e2NyeXB0fXg=
gidNumber: 1001
# search result
search: 2
result: 0 Success
# numResponses: 3
# numEntries: 2
[root@linuxhelp migrationtools]# ldapsearch -x -b 'dc=linuxhelp,dc=com' '(objectclass=*)'
# extended LDIF
#
# LDAPv3
# base <dc=linuxhelp,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# linuxhelp.com
dn: dc=linuxhelp,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: linuxhelp com
dc: linuxhelp
# Manager, linuxhelp.com
dn: cn=Manager,dc=linuxhelp,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory Manager
# People, linuxhelp.com
dn: ou=People,dc=linuxhelp,dc=com
objectClass: organizationalUnit
ou: People
# Group, linuxhelp.com
dn: ou=Group,dc=linuxhelp,dc=com
objectClass: organizationalUnit
ou: Group
# ldapuser1, People, linuxhelp.com
dn: uid=ldapuser1,ou=People,dc=linuxhelp,dc=com
uid: ldapuser1
cn: ldapuser1
sn: ldapuser1
mail: ldapuser1@linuxhelp.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQ2JFhuYVphQ0JnJFFrYVdaOWgzLjYwbHNaS0I1LlduVTFMUVZkem1
6aHJpb3E0c2pwNTFvRGRMMFFBNlgzTkJWMDgucm1lbmpBcjJ1dlFISjdBMGhzM2JLWktES2RDWXEv
shadowLastChange: 16935
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/ldapuser1
# ldapuser2, People, linuxhelp.com
dn: uid=ldapuser2,ou=People,dc=linuxhelp,dc=com
uid: ldapuser2
cn: ldapuser2
sn: ldapuser2
mail: ldapuser2@linuxhelp.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQ2JEc1MC5hU0JiJHNud0FjNVUyMGh3OHpWNVdoN3dWZEJFV01MNjV
RbzZLcUdJTWpSTXJaZkZ4dUxjZlNESTUzZXBraTlGeXZ0bnlpRHlMUUdnVzd2dWVod3JCMjVkLnEv
shadowLastChange: 16935
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1002
gidNumber: 1002
homeDirectory: /home/ldapuser2
# ldapuser1, Group, linuxhelp.com
dn: cn=ldapuser1,ou=Group,dc=linuxhelp,dc=com
objectClass: posixGroup
objectClass: top
cn: ldapuser1
userPassword:: e2NyeXB0fXg=
gidNumber: 1001
# ldapuser2, Group, linuxhelp.com
dn: cn=ldapuser2,ou=Group,dc=linuxhelp,dc=com
objectClass: posixGroup
objectClass: top
cn: ldapuser2
userPassword:: e2NyeXB0fXg=
gidNumber: 1002
# search result
search: 2
result: 0 Success
# numResponses: 9
# numEntries: 8
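The search above ran as an anonymous bind (-x without -D) and still returned both users' userPassword hashes. The following added example (not from the original page) applies the same cn=config changes as the hand edits earlier in the guide (olcSuffix, olcRootDN, olcRootPW, the TLS paths and the monitor ACL) through ldapmodify over ldapi:///, which avoids the checksum warnings, and adds an ACL that restricts userPassword to the user and the Manager. It assumes the domain, password hash and certificate paths are passed as arguments, and places the olcTLS* attributes on cn=config, where OpenLDAP defines them.

```shell
#!/bin/sh
# Generate the cn=config changes from this guide as an LDIF and apply them with
# ldapmodify over the ldapi:/// socket, instead of editing the olcDatabase=*.ldif
# files by hand (hand edits are what produce the slaptest checksum warnings).
# Also adds an ACL so userPassword is only readable by the owner and the Manager.
# Added example, not from the original page; arguments are placeholders.

# olc_ldif DOMAIN ROOTPW_HASH CERT_FILE KEY_FILE  -> LDIF on stdout
olc_ldif() {
    base="dc=$(printf '%s' "$1" | sed 's/\./,dc=/g')"    # linuxhelp.com -> dc=linuxhelp,dc=com
    cat <<EOF
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: $base
-
replace: olcRootDN
olcRootDN: cn=Manager,$base
-
replace: olcRootPW
olcRootPW: $2
-
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=Manager,$base" write by anonymous auth by self write by * none
olcAccess: {1}to * by dn="cn=Manager,$base" write by * read

dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: $3
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: $4

dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,$base" read by * none
EOF
}

# olc_apply DOMAIN ROOTPW_HASH CERT_FILE KEY_FILE -> apply as local root via SASL EXTERNAL, then re-test
olc_apply() {
    olc_ldif "$@" | ldapmodify -Y EXTERNAL -H ldapi:/// && slaptest -u
}

# Example invocation (placeholder hash; use the one from your own slappasswd run):
# olc_apply linuxhelp.com '{SSHA}REPLACE_WITH_YOUR_HASH' /etc/pki/tls/certs/linuxhelp.pem /etc/pki/tls/certs/linuxhelpkey.pem
```

After applying, repeat the anonymous ldapsearch from above: the entries are still returned, but without the userPassword attribute.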
Now add the firewall rule for LDAP.
[root@linuxhelp migrationtools]# firewall-cmd --permanent --add-service=ldap
success
[root@linuxhelp migrationtools]# firewall-cmd --reload
success
Now the configuration of the LDAP server is done. But we also need to share the home directories of the LDAP users using NFS and the autofs service, to avoid the error "Home Directory not found" for our users on the client side. Make sure the NFS packages are installed on your server, then share the home directory via /etc/exports as follows. Note that the wildcard in the export below lets any host that can reach the server mount /home; restrict it to the client's address outside a lab.
[root@linuxhelp migrationtools]# vim /etc/exports
/home *(rw,sync)
Now start and enable the NFS service.
[root@linuxhelp migrationtools]# systemctl start nfs-server
[root@linuxhelp migrationtools]# systemctl enable nfs-server
ln -s '/usr/lib/systemd/system/nfs-server.service' '/etc/systemd/system/nfs.target.wants/nfs-server.service'
To Configure Client for LDAP Authentication
Install the LDAP client packages.
[root@linuxhelp ~]# yum install openldap-clients nss-pam-ldapd -y
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
* base: ftp.iitm.ac.in
* extras: ftp.iitm.ac.in
* updates: ftp.iitm.ac.in
Resolving Dependencies
--> Running transaction check
---> Package nss-pam-ldapd.x86_64 0:0.8.13-8.el7 will be installed
.
.
.
Dependency Updated:
glibc.x86_64 0:2.17-106.el7_2.6 glibc-common.x86_64 0:2.17-106.el7_2.6 openldap.x86_64 0:2.4.40-9.el7_2
Complete!
Now set up LDAP authentication using the "authconfig" command.
[root@linuxhelp ~]# authconfig-tui
Now run the following command to test whether the client-side configuration is working properly.
[root@linuxhelp ~]# getent passwd ldapuser1
ldapuser1:x:1001:1001:ldapuser1:/home/ldapuser1:/bin/bash
Now check that ldapuser1, whose account lives on the LDAP server, can log in on the client.
[root@linuxhelp ~]# su - ldapuser1
su: warning: cannot change directory to /home/ldapuser1: No such file or directory
mkdir: cannot create directory '/home/ldapuser1': Permission denied
-bash-4.2$ logout
Here we get the error "cannot create directory". We must configure the autofs service on the client to mount the home directory from the server. Run the following command to install the autofs package.
[root@linuxhelp ~]# yum install autofs -y
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
* base: ftp.iitm.ac.in
* extras: ftp.iitm.ac.in
* updates: ftp.iitm.ac.in
Resolving Dependencies
--> Running transaction check
---> Package autofs.x86_64 1:5.0.7-54.el7 will be installed
.
.
.
Installed:
autofs.x86_64 1:5.0.7-54.el7
Dependency Installed:
hesiod.x86_64 0:3.2.1-3.el7
Complete!
Now edit the /etc/auto.master and /etc/auto.misc files as follows, so that the home directories on the server are mounted automatically.
[root@linuxhelp ~]# vim /etc/auto.master
/home /etc/auto.misc
[root@linuxhelp ~]# vim /etc/auto.misc
* -fstype=nfs,rw,nosuid,soft server.linuxhelp.com:/home/&
Now restart and enable the autofs service, then try to log in as an LDAP user.
[root@linuxhelp ~]# systemctl restart autofs
[root@linuxhelp ~]# systemctl enable autofs
ln -s '/usr/lib/systemd/system/autofs.service' '/etc/systemd/system/multi-user.target.wants/autofs.service'
[root@linuxhelp ~]# su - ldapuser1
Last login: Sun May 15 04:34:03 IST 2016 on pts/1
[ldapuser1@linuxhelp ~]$