Pages

Wednesday 22 April 2015

OpenLDAP Server Configuration on RHEL 7 / CentOS 7

Step 1: Install the following packages:

# yum install -y openldap openldap-clients openldap-servers migrationtools

Step 2: Generate a LDAP encrypted password for Manager user  (here redhat):

# slappasswd -s redhat -n > /etc/openldap/secret-passwd

Step 3: Configure OpenLDAP Server: 

#vim /etc/openldap/slapd.d/"cn=config"/"olcDatabase={2}bdb.ldif"

#do the following changes

olcSuffix: dc=example,dc=com

olcRootDN: cn=Manager,dc=example,dc=com

olcRootPW: PASTE YOUR ENCRYPTED PASSWORD HERE from /etc/openldap/secret-passwd

olcTLSCertificateFile: /etc/pki/CA/cacert.pem

olcTLSCertificateKeyFile: /etc/pki/CA/private/cakey.pem

:wq (save abd exit)

Step 4: Configure Monitoring Database Configuration file: 

#vim /etc/openldap/slapd.d/"cn=config"/"olcDatabase={1}monitor.ldif"

#do the following change

olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=example,dc=com" read by * none


:wq (save and exit)

Step 5: Generate a X509 self sign certificate which is valid for 365 days:

# openssl req -new -x509 -nodes -out /etc/pki/CA/cacert.pem -keyout /etc/pki/CA/private/cakey.pem -days 365

Country Name (2 letter code) [XX]: IN

State or Province Name (full name) []: Delhi

Locality Name (eg, city) [Default City]: New Delhi

Organization Name (eg, company) [Default Company Ltd]: Example, Inc.

Organizational Unit Name (eg, section) []: Training

Common Name (eg, your name or your server's hostname) []:server1.example.com

Email Address []: root@server1.example.com

Step 6: Secure the content of the /etc/pki/CA/ directory:

# cd /etc/pki/CA/

# chown ldap:ldap cacert.pem

 # cd /etc/pki/CA/private/

# chown ldap:ldap cakey.pem

# chmod 600 cakey.pem

Step 7: Prepare the LDAP database:


# cp -rvf /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

# chown -R ldap:ldap /var/lib/ldap/

Step 8: Enable LDAPS: 

#vim /etc/sysconfig/slapd

 #Do the following changes

SLAPD_URLS="ldapi:///   ldap:///   ldaps:///"

:wq (save and exit)


Step 9: Test the configuration:

# slaptest -u

Step 10: Start and enable the slapd service at boot: 

# systemctl start slapd

# systemctl enable slapd

Step 11: Check the LDAP activity:

# netstat -lt | grep ldap

#netstat -tunlp | egrep "389|636"


Step 12: To start the configuration of the LDAP server, add the follwing LDAP schemas:

# cd /etc/openldap/schema

# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f cosine.ldif

# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f nis.ldif

# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f collective.ldif

# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f corba.ldif

# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f core.ldif

# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f duaconf.ldif

# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f dyngroup.ldif

# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f inetorgperson.ldif

# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f java.ldif

# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f misc.ldif

# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f openldap.ldif

# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f pmi.ldif

# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f ppolicy.ldif

                        ##################################################
                        # NOTE-: You can add schema files according to your need: #
                        ##################################################

Step 13: Now use Migration Tools to create LDAP DIT: 

# cd /usr/share/migrationtools

# vim migrate_common.ph

#do the following chnages

on the Line Number 61, change "ou=Groups"
 $NAMINGCONTEXT{'group'}             = "ou=Groups";

on the Line Number 71, change your domain name
$DEFAULT_MAIL_DOMAIN = "example.com";

on the line number 74, change your base name
         $DEFAULT_BASE = "dc=example,dc=com";

on the line number 90, change schema value
$EXTENDED_SCHEMA = 1;


:wq (save and exit)

Step 14: Generate a base.ldif file for your Domain DIT: 

#./migrate_base.pl > /root/base.ldif

Step 15: Load "base.ldif" into LDAP Database: 

#ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f /root/base.ldif

Step 16: Now Create some users and Groups and migrate it from local database to LDAP database: 

#mkdir /home/guests
#useradd -d /home/guests/ldapuser1 ldapuser1
#useradd -d /home/guests/ldapuser2 ldapuser2
#useradd -d /home/guests/ldapuser3 ldapuser3
#useradd -d /home/guests/ldapuser4 ldapuser4
#useradd -d /home/guests/ldapuser5 ldapuser5

#echo 'password' | passwd --stdin ldapuser1
#echo 'password' | passwd --stdin ldapuser2
#echo 'password' | passwd --stdin ldapuser3
#echo 'password' | passwd --stdin ldapuser4
#echo 'password' | passwd --stdin ldapuser5

Step 17: Now filter out these Users and Groups and it password from /etc/shadow to different file: 

#getent passwd | tail -n 5 > /root/users

#getent shadow | tail -n 5 > /root/shadow

# getent group | tail -n 5 > /root/groups

Step 18: Now you can delete these users from local database: 

#userdel ldapuser1
#userdel ldapuser2
#userdel ldapuser3
#userdel ldapuser4
#userdel ldapuser5

Step 19: Now you need to create ldif file for these users using migrationtools: 

# cd /usr/share/migrationtools/

# vim migrate_passwd.pl

#search /etc/shadow and replace it into /root/shadow on Line Number 188.

:wq (save and exit)

# ./migrate_passwd.pl /root/users > /root/users.ldif

# ./migrate_group.pl /root/groups > /root/groups.ldif

Step 20: Upload these users and groups ldif file into LDAP Database: 

# ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f /root/users.ldif

# ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f /root/groups.ldif

Step 21: Now search LDAP DIT for all records: 

# ldapsearch -x -b "dc=example,dc=com" -H ldap://server1.example.com

Step 22: Now share ldapusers home directories via NFS: 

#vim /etc/exports

#Add the folloiwng line:

/home/guests    192.168.48.0/255.255.255.0(rw,sync)


:wq (save and exit)

#systemctl start nfs

#systemctl enable nfs

Step 23: Share your CA Certificate to clients via FTP/HTTP: 

#yum install vsftpd httpd -y

# cp -rvf /etc/pki/CA/cacert.pem /var/ftp/pub/

# ln -s /var/ftp/pub/ /var/www/html/

#systemctl start vsftpd

#systemctl enable vsftpd

#systemctl start httpd

#systemctl enable httpd

Step 24: Now Go to the client machine and install the following packages: 

#yum install openldap-clients sssd pam_ldap authconfig-gtk -y

Step 25: Run the "authconfig-gtk" command to configure as a LDAP Client: 

# authconfig-gtk

Click on "Identity & Authentication" Tab

Click on drop down menu in "User Account Database" and Select "LDAP"

in LDAP Search Base DN: dc=example,dc=com

in LDAP Server: ldap://server1.example.com

Select the check Box of "Use TLS to encrypt connections"

Click "Download CA Certificate"

In Certificate URL: type http://server1.example.com/pub/cacert.pem

Authentication Protocol: LDAP Password

Click "OK"


# getent passwd ldapuser1

Step 26: Now Configure your client machine to access ldapusers  home directory from    
                "server1.example.com" 

#yum install autofs -y

#vim /etc/auto.master

#add the following line

/home/guests /etc/auto.guests

:wq (save and exit)

#vim /etc/auto.guests

#add the following line

* -rw server1.example.com:/home/guests/&

:wq (save and exit)

Step 27: Now start and enable autofs service at boot: 

#systemctl restart autofs

#systemctl enable autofs

Step 28: Now try to login as ldapuseer on client machine: 

#ssh ldapuser1@client.example.com

Password: password

[ldapuser1@client.exmaple.com ~]$


 You may have some issue with Firewall/iptables, So add Ports/Services into firewall or disable it. 

############Congratulations, You have configured LDAP server and client##############