OpenLDAP Server Configuration (CentOS 7)

OpenLDAP is a directory Server and is configured by using LDAP Data Interchange Format files (.ldif). 
Manually Editing config files results in checksum error
Space is considered as a junk character and causes error while importing .ldif files

A. Server Configuration

1. Edit /etc/hosts/ file to for name resolution on both Server and Client Systems
    192.168.100.195  ldapserver.geekonline.in
    192.168.100.196  client1.geekonline.in

    

2. Install necessary packages
     #yum -y install strace net-tools
     #yum install openldap* migrationtools
     #systemctl enable slapd
     #systemctl start slapd

3. Change log settings
     #echo "####Custom Logs for LDAP###" >> /etc/rsyslog.conf
     #echo "local4.* /var/log/slapd/ldap.log" >> /etc/rsyslog.conf
     #tail -n2 /etc/rsyslog.conf
     #systemctl restart rsyslog   or # systemctl reload rsyslog
     It will automatically create directory and files and LDAP logs will be redirected to /var/log/slapd/ldap.log
     

4. Open ports in firewall
     #firewall-cmd --permanent --add-port=389/tcp
     #firewall-cmd --permanent --add-port=636/tcp
     #firewall-cmd --permanent --add-port=9830/tcp
     #firewall-cmd --reload


5.  list the config files
     #cd /etc/openldap/slapd.d/cn\=config
     #ls
     

6.  #cat olcDatabase\=\{2\}hdb.ldif (Before any changes)
     

7   Create a admin password in SSHA hash algorithm and copy the output to notepad for further configuration. 
     # slappasswd
     

8.  Create ldif to modify olcDatabase={2}hdb.ldif
      #vi /opt/ldap/db.ldif

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=geekonline,dc=in

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=admin,dc=geekonline,dc=in

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}ULNvNmPZNyCNqlU5E/9DftThZzF4aAEE

     

9. Make sure no extra spaces are present in the file and Import the DB file
     #cd /opt/ldap/
    #ls
    #ldapmodify -Y EXTERNAL -H ldapi:/// -f db.ldif
    #slaptest -u
    

10. Note the change in file
     #cat olcDatabase\=\{2\}hdb.ldif (Before any changes)
    
11. Now check the file 
    #cat olcDatabase={1}monitor,cn=config
    


12. Create monitor.ldif file
     #vi monitor.ldif
     
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=admin,dc=geekonline,dc=in" read by * none

    


13.Make sure no extra spaces are present in the file and Import the DB file
    #ldapmodify -Y EXTERNAL -H ldapi:/// -f monitor.ldif
    #slatptest -u
    

14  Now check file olcDatabase={1}monitor,cn=config for changes
   #cat olcDatabase={1}monitor,cn=config
    

15. Crease SSL Certificates for 10 years
   #openssl req -nodes -new -x509 -keyout /etc/openldap/certs/ldapkey.pem -out /etc/openldap/certs/ldapcert.pem -days 3650
    

16. Create certs.ldif file
      #vi certs.ldif

dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/ldapkey.pem

dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/ldapcert.pem
 
    

 17. Make sure no extra spaces are present in the file and  Import the DB file
    #ldapmodify -Y EXTERNAL -H ldapi:/// -f certs.ldif
    #slaptest -u
   

18. Verify the changes
    #cd /etc/openldap/slapd.d
    #cat cn=config.ldif
   

19. Copy DB_CONFIG file and add external schemas (used for storing data)
    #cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
    #chown ldap:ldap /var/lib/ldap/DB_CONFIG
    #ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif 
    #ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif 
    #ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
  
    

20.create a base.ldif file
     #vi base.ldif

dn: dc=geekonline,dc=in
dc: geekonline
objectClass: top
objectClass: domain

dn: cn=admin,dc=geekonline,dc=in
objectClass: organizationalRole
cn: admin
description: LDAP Manager

dn: ou=People,dc=geekonline,dc=in
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=geekonline,dc=in
objectClass: organizationalUnit
ou: Group

   

21. Add base ldif to LDAP Configuration
   #ldapadd -x -W -D "cn=admin,dc=geekonline,dc=in" -f base.ldif
   #slaptest -u
   


22.Check ldap object classes
    #ldapsearch -xb "dc=geekonline,dc=in" "(objectClass=*)"
   

23. check password 
   #ldapsearch -H ldap://127.0.0.1 -D "cn=admin,dc=geekonline,dc=in" -w "pass"
   
 
24.Create OS Users.
   #useradd osuser1
   #useradd osuser2
   #echo "pass1" | passwd --stdin osuser1
   #echo "pass2" | passwd --stdin osuser2

   #mkdir /opt/ldap/migrated_users
   #grep "osuser" /etc/passwd >> /opt/ldap/migrated_users/users
   #grep "osuser" /etc/group >> /opt/ldap/migrated_users/groups
   verify the files

   #cat /opt/ldap/migrated_users/users 
   #cat /opt/ldap/migrated_users/groups

  

25. Using migration tool
     #cd /usr/share/migrationtools/
     #cp migrate_common.ph migrate_common.ph.orig
     #vi migrate_common.ph
     #search and change below entries

     $DEFAULT_MAIL_DOMAIN = "geekonline.in";
     $DEFAULT_BASE = "dc=geekonline,dc=in"; 
     $EXTENDED_SCHEMA = 1;



26. Migrate OS users and groups using migration tool
   #/usr/share/migrationtools/migrate_passwd.pl /opt/ldap/migrated_users/users /opt/ldap/migrated_users/users.ldif
   #/usr/share/migrationtools/migrate_group.pl /opt/ldap/migrated_users/groups /opt/ldap/migrated_users/groups.ldif
   #ldapadd -x -W -D "cn=admin,dc=geekonline,dc=in" -f /opt/ldap/migrated_users/users.ldif
   #ldapadd -x -W -D "cn=admin,dc=geekonline,dc=in" -f /opt/ldap/migrated_users/groups.ldif

   

27.  Search that added user in ldap also check for 
   #ldapsearch -x cn=osuser1 -b dc=geekonline,dc=in
    
  
    #  ldapsearch -x cn=osuser2 -b dc=geekonline,dc=in
  

28 Create password for LDAP users which we are going to create using openssl
    #openssl passwd -crypt pass1
    uSMQbmjkzJzBw
    #openssl passwd -crypt pass2
    195EbQnuDDzcA
    note down the  output
   

29 create ldif file for user ldapuser1
   #vi ldapuser1.ldif

dn: cn=ldapuser1,ou=People,dc=geekonline,dc=in
cn: ldapuser1
gidnumber: 100
givenname: ldapuser1
homedirectory: /home/users/ldapuser1
loginshell: /bin/bash
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: Surname
uid: ldapuser1
uidnumber: 5001
userpassword: {CRYPT}uSMQbmjkzJzBw
   
   

30 create ldif file for user ldapuser2
   #vi ldapuser1.ldif
 
dn: cn=ldapuser2,ou=People,dc=geekonline,dc=in
cn: ldapuser2
gidnumber: 100
givenname: ldapuser2
homedirectory: /home/users/ldapuser2
loginshell: /bin/bash
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: Surname
uid: ldapuser2
uidnumber: 5002
userpassword: {CRYPT}195EbQnuDDzcA

   

31. Import both users in LDAP using ldif files
     #ldapadd -x -D "cn=admin,dc=geekonline,dc=in" -W -f ldapuser1.ldif
     #ldapadd -x -D "cn=admin,dc=geekonline,dc=in" -W -f ldapuser2.ldif
   

32. Verify the users in  LDAP
  #ldapsearch -x cn=ldapuser1 -b dc=geekonline,dc=in
   
  
  #ldapsearch -x cn=ldapuser2 -b dc=geekonline,dc=in
   

B. Client Configuration 
  
     
1. Install the necessary packages
  #yum install openldap-clients nss-pam-ldapd

2. Edit /etc/hosts/ file to for name resolution on both Server and Client Systems 
    192.168.100.195 ldapserver.geekonline.in 
    192.168.100.196 client1.geekonline.in

   

3. Enter below command on the client
    #authconfig --enableldap --enableldapauth --ldapserver=ldapserver.geekonline.in --ldapbasedn="dc=geekonline,dc=in" --enablemkhomedir --update
    
    This will automatically create home directory on client machine at first login

    

   Above command automatically configures ldap client,nsswitch file and PAM  
   #cat /etc/nslcd.conf |grep -v \#
   
  
   #cat /etc/nsswitch.conf |grep -i ldap
   

   #grep -ir home /etc/pam.d/*
   

  

Thus We can Configure LDAP server

C: Deleting LDAP user
   1. Gather the required information from LDAP using below command
   #ldapsearch -x cn=ldapuser1 -b dc=geekonline,dc=in

  2. Delete the user using below command
  #ldapdelete -v -c -D "cn=admin,dc=geekonline,dc=in" -w pass "cn=ldapuser1,ou=People,dc=geekonline,dc=in"



Summary
1. Never edit configuration files manually. 
2. LDAP configuration is easy if you avoid copy paste/typing mistakes (unnecessary spaces are considered as junk characters)
3. You can import existing OS users to LDAP
4. You can create LDAP user directly without creating it on OS
5. Client configuration can be done using fqdn instead of IPs
6. You can Create/modify/delete users easily






 
         

Leave a Reply

Your email address will not be published. Required fields are marked *

*

* Copy This Password *

* Type Or Paste Password Here *

3,435 Spam Comments Blocked so far by Spam Free Wordpress

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>