How to Configure Ldap Server Configuration in Centos 6.5


Ldap-Server and Ldap-Client installation and configuration in CentOS 6.5 64 Bit

What is LDAP ?


LDAP is a protocol for accessing a directory. A directory contains objects, generally those related to users, groups, computers, printers and so on, plus company structure information (although frankly you can extend it and store almost anything in there).


Name-         openldap-servers

Package-      openldap*
Port No.-     389
Script-       slapd
Config File-

                  /etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif

                  /etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif


Configure openldap-servers-

Note- Pre-Requisites:

1- Working DNS Server: If you don't know how to configure DNS Server
2- Server should be synced with NTP Server, NTP Server configuration
Step-1 Disable Selinux-
Edit the selinux file and set SELINUX=disabled
[root@test ~]# vim /etc/sysconfig/selinux
Iptables Configuration-
[root@test ~]# service iptables stop
[root@test ~]# chkconfig iptables off
If you want to keep iptables running on the LDAP server, add these rules and restart the service instead:
[root@test ~]# vim /etc/sysconfig/iptables
-A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 636 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 9830 -j ACCEPT
[root@test ~]# service iptables restart
[root@test ~]# chkconfig iptables on
Step-2 Set Static IP

[root@test ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth0

IPADDR=192.168.1.221
NETMASK=255.255.255.0

Step-3 Change hostname :--
[root@test ~]# vim /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=test.example.com
GATEWAY=192.168.1.1
[root@test ~]# vim /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.1.221      test.example.com         test
[root@test ~]# /etc/init.d/NetworkManager restart
[root@test ~]# hostname
test.example.com
[root@test ~]# ping test.example.com
PING test.example.com (192.168.1.221) 56(84) bytes of data.
64 bytes from test.example.com (192.168.1.221): icmp_seq=1 ttl=64 time=0.067 ms
64 bytes from test.example.com (192.168.1.221): icmp_seq=2 ttl=64 time=0.056 ms
64 bytes from test.example.com (192.168.1.221): icmp_seq=3 ttl=64 time=0.060 ms
64 bytes from test.example.com (192.168.1.221): icmp_seq=4 ttl=64 time=0.058 ms
64 bytes from test.example.com (192.168.1.221): icmp_seq=5 ttl=64 time=0.068 ms

Step-4 Now generate an encrypted (hashed) password for the administrator user, "Manager"

[root@test ~]# slappasswd
New password: xxxxxxxx
Re-enter new password: xxxxxxxxxxxxxxx
{SSHA}tEyKAy8ik3U7HQ3Mdb5Qs+3DiGX78FMX
Note- You need to copy the generated hash above; it goes into olcRootPW in the next step.
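An added example, not from the original post: how the {SSHA} value that slappasswd printed is built and checked (Python standard library only); the hash constant is the one shown above, and a 4-byte salt is assumed as the slappasswd default.

```python
import base64
import binascii
import hashlib
import hmac
import os

# Hash printed by slappasswd in Step-4 above; used here only to show the layout.
PAGE_HASH = "{SSHA}tEyKAy8ik3U7HQ3Mdb5Qs+3DiGX78FMX"


def ssha_hash(password, salt=None):
    """Build an {SSHA} value the way slappasswd does by default:
    base64(SHA1(password + salt) + salt), with a random 4-byte salt."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_parts(stored):
    """Split a stored {SSHA} value into (digest, salt): the decoded blob is
    the 20-byte SHA-1 digest followed by whatever salt was appended."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    blob = base64.b64decode(stored[len("{SSHA}"):], validate=True)
    if len(blob) <= 20:
        raise ValueError("blob too short to hold a digest and a salt")
    return blob[:20], blob[20:]


def ssha_verify(password, stored):
    """Check a clear-text password against a stored {SSHA} value, which is
    what slapd does on a simple bind as cn=Manager. The salt is taken from
    the stored value; the digest comparison is constant-time."""
    try:
        digest, salt = ssha_parts(stored)
    except (ValueError, binascii.Error):
        return False
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def root_pw_ldif(hashed):
    """LDIF for ldapmodify that sets olcRootPW on the {2}bdb database from
    Step-5, as an alternative to editing the .ldif under slapd.d by hand."""
    return ("dn: olcDatabase={2}bdb,cn=config\n"
            "changetype: modify\n"
            "replace: olcRootPW\n"
            f"olcRootPW: {hashed}\n")
```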
Step-5 Now Configure OpenLDAP Server, so edit the following file:
[root@test ~]# cd /etc/openldap/slapd.d/
[root@test slapd.d]# ll
drwxrwxrwx. 3 ldap ldap 4096 Mar 23 12:46 cn=config
-rwxrwxrwx. 1 ldap ldap 1131 Nov 15 14:39 cn=config.ldif
[root@test slapd.d]# cd cn\=config
[root@test cn=config]# ll
drwxrwxrwx. 2 ldap ldap  4096 Nov 15 14:39 cn=schema
-rwxrwxrwx. 1 ldap ldap 51896 Nov 15 14:39 cn=schema.ldif
-rwxrwxrwx. 1 ldap ldap   592 Nov 15 14:39 olcDatabase={0}config.ldif
-rwxrwxrwx. 1 ldap ldap   525 Nov 15 14:39 olcDatabase={-1}frontend.ldif
-rwxrwxrwx. 1 ldap ldap   622 Nov 15 14:39 olcDatabase={1}monitor.ldif
-rwxrwxrwx. 1 ldap ldap  1202 Nov 15 14:39 olcDatabase={2}bdb.ldif
[root@test cn=config]# pwd
/etc/openldap/slapd.d/cn=config
[root@test cn=config]# vim olcDatabase\=\{2\}bdb.ldif
Inside this file change the following lines:
-----------------------------------------------------------------------
olcSuffix: dc=example,dc=com
olcRootDN: cn=Manager,dc=example,dc=com
-----------------------------------------------------------------------
Inside this file add the following lines:
----------------------------------------------------------------------------------------------------------
olcRootPW: {SSHA}tEyKAy8ik3U7HQ3Mdb5Qs+3DiGX78FMX     #--> Paste your encrypted password
olcTLSCertificateFile: /etc/pki/tls/certs/example.pem
olcTLSCertificateKeyFile: /etc/pki/tls/certs/examplekey.pem

Save file and exit :--
-----------------------------------------------------------------------------------------------------------
Step-6 Specify the Monitoring Privileges file..
[root@test cn=config]# vim olcDatabase\=\{1\}monitor.ldif
(Search for the following line- olcAccess: {0}to *  by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read  by dn.base="cn=manager,dc=my-domain,dc=com" read  by * none)
and change it into-
--------------------------------------------------------------------------------------------------------------
olcAccess: {0}to *  by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read  by dn.base="cn=Manager,dc=example,dc=com" read  by * none

Save file and exit :--
--------------------------------------------------------------------------------------------------------------
Step-7 Copy the Simple Database file
[root@test cn=config]# cd -
[root@test ~]#
[root@test ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
`/usr/share/openldap-servers/DB_CONFIG.example' -> `/var/lib/ldap/DB_CONFIG'
[root@test ~]# cd /var/lib/ldap/
[root@test ldap]# ll
-rw-r--r--. 1 root root 921 Mar 23 12:57 DB_CONFIG
Note- Change the owner and group ownership of this database file 'DB_CONFIG' and update the database..
[root@test ldap]# chown -R ldap:ldap DB_CONFIG
[root@test ldap]# ll
-rw-r--r--. 1 ldap ldap 921 Mar 23 12:57 DB_CONFIG
[root@test ldap]# updatedb
Step-8 Configure OpenLdap to listen on SSL/TLS
[root@test ldap]# cd
[root@test ~]# vim /etc/sysconfig/ldap
Inside this file do the following changes:-
---------------------------------------------------
# Run slapd with -h "... ldaps:/// ..."
# yes/no, default: no
SLAPD_LDAPS=yes
Save file and exit :--
---------------------------------------------------
Step-9 Now you need to generate a self-signed certificate for the OpenLDAP server.
You can also configure a CA server..
But I'm creating a self-signed certificate.....
[root@test ~]# openssl req -new -x509 -nodes -out /etc/pki/tls/certs/example.pem -keyout /etc/pki/tls/certs/examplekey.pem -days 365
Generating a 2048 bit RSA private key
..............+++
............................................+++
writing new private key to '/etc/pki/tls/certs/examplekey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:Delhi
Locality Name (eg, city) [Default City]:New Delhi
Organization Name (eg, company) [Default Company Ltd]:Ashu, Inc.
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:server.example.com
Email Address []:root@test.example.com
[root@test ~]# ls -l /etc/pki/tls/certs/example*
-rw-r--r--. 1 root root 1704 Mar 23 13:17 /etc/pki/tls/certs/examplekey.pem
-rw-r--r--. 1 root root 1440 Mar 23 13:17 /etc/pki/tls/certs/example.pem
Step-10 Change the owner and group ownership of the certificate and key files: 'examplekey.pem', 'example.pem'
[root@test ~]# chown -Rf root:ldap /etc/pki/tls/certs/example.pem
[root@test ~]# chown -Rf root:ldap /etc/pki/tls/certs/examplekey.pem
[root@test ~]# ls -l /etc/pki/tls/certs/example*
-rw-r--r--. 1 root ldap 1704 Mar 23 13:17 /etc/pki/tls/certs/examplekey.pem
-rw-r--r--. 1 root ldap 1440 Mar 23 13:17 /etc/pki/tls/certs/example.pem
Step-11 Restart OpenLdap services...
[root@test ~]# /etc/init.d/slapd restart;chkconfig slapd on
OR
[root@test ~]# service slapd restart
[root@test ~]# chkconfig slapd on
Step-12 Now copy the certificate file '/etc/pki/tls/certs/example.pem' into '/var/ftp/pub/'
[root@test ~]# cp -rvf /etc/pki/tls/certs/example.pem /var/ftp/pub/
`/etc/pki/tls/certs/example.pem' -> `/var/ftp/pub/example.pem'
[root@test ~]# service vsftpd restart
[root@test ~]# chkconfig vsftpd on
[root@test ~]# ln -s /var/ftp/pub/ /var/www/html
[root@test ~]# service httpd restart
[root@test ~]# chkconfig httpd on
Step-13 Now you need to create the base objects in OpenLDAP.
NOTE: base objects means the dn: entries for the domain name and for the OUs; to create a dn: you have to define its objectClass.
There are two ways-
1- You can create them manually.
2- You can use the migration tools.
Note- I am using the migration tools.
[root@test ~]# yum install migrationtools
[root@test ~]# cd /usr/share/migrationtools/
[root@test migrationtools]# ls                       #--> Show the all file
migrate_aliases.pl              migrate_automount.pl        migrate_networks.pl
migrate_all_netinfo_offline.sh  migrate_base.pl             migrate_passwd.pl
migrate_all_netinfo_online.sh   migrate_common.ph           migrate_profile.pl
migrate_all_nis_offline.sh      migrate_fstab.pl            migrate_protocols.pl
migrate_all_nis_online.sh       migrate_group.pl            migrate_rpc.pl
migrate_all_nisplus_offline.sh  migrate_hosts.pl            migrate_services.pl
migrate_all_nisplus_online.sh   migrate_netgroup_byhost.pl  migrate_slapd_conf.pl
migrate_all_offline.sh          migrate_netgroup_byuser.pl
migrate_all_online.sh           migrate_netgroup.pl
Step-14 You need to change some predefined values according to your domain name; for that do the following :--
[root@test migrationtools]# vim migrate_common.ph
#-->On The Line Number-61..
$NAMINGCONTEXT{'group'}             = "ou=Groups";
#-->On The Line Number-71..
$DEFAULT_MAIL_DOMAIN = "example.com";
#-->On The Line Number-74..
$DEFAULT_BASE = "dc=example,dc=com";
#-->On The Line Number-90..
$EXTENDED_SCHEMA = 1;
Save file and exit :--
Step-15 Generate a base.ldif file for your domain..
[root@test migrationtools]# ./migrate_base.pl         #--> Check all migrate file setting
[root@test migrationtools]# ./migrate_base.pl > /root/base.ldif
Step-16 If you want to migrate your local users and groups to LDAP
Note- First create some users, and then assign passwords...
[root@test migrationtools]# cd
[root@test ~]# mkdir /home/ldap
[root@test ~]# useradd -d /home/ldap/ldapuser-1 ldapuser-1
[root@test ~]# useradd -d /home/ldap/ldapuser-2 ldapuser-2
[root@test ~]# useradd -d /home/ldap/ldapuser-3 ldapuser-3
[root@test ~]# useradd -d /home/ldap/ldapuser-4 ldapuser-4
[root@test ~]# useradd -d /home/ldap/ldapuser-5 ldapuser-5
[root@test ~]# passwd ldapuser-1
[root@test ~]# passwd ldapuser-2
[root@test ~]# passwd ldapuser-3
[root@test ~]# passwd ldapuser-4
[root@test ~]# passwd ldapuser-5
[root@test ~]# cat /etc/passwd          (Check user information)
Step-17
1-Filter out these users from '/etc/passwd' to another file..
[root@test ~]# getent passwd | tail -n 5
[root@test ~]# getent passwd | tail -n 5 > /root/users
2- filter out password information from '/etc/shadow' to another file
[root@test ~]# getent shadow | tail -n 5
[root@test ~]# getent shadow | tail -n 5 > /root/passwords
3- filter out user groups from '/etc/group' to another file..
[root@test ~]# getent group | tail -n 5
[root@test ~]# getent group | tail -n 5 > /root/groups
Note- getent is a Unix command that gets entries from a number of important text files called databases.
The databases it searches are: passwd, group, hosts, services, protocols, ethers (Ethernet addresses) and networks.
Step-18 Now open the 'migrate_passwd.pl' file to change the location of the shadow (password) file..
[root@test ~]# cd /usr/share/migrationtools/
[root@test migrationtools]# ls
[root@test migrationtools]# vim migrate_passwd.pl
#-->Line Number- 188, OR search for '/etc/shadow' and change it to '/root/passwords'
sub read_shadow_file
{
        # read the shadow entries filtered out with getent (was /etc/shadow)
        open(SHADOW, "/root/passwords") || return;
        while(<SHADOW>) {
                chop;
                ($shadowUser) = split(/:/, $_);
                $shadowUsers{$shadowUser} = $_;
        }
        close(SHADOW);
}
Save file and exit :--
Step-19 Generate a ldif file for users and groups...
[root@test migrationtools]# ./migrate_passwd.pl /root/users
[root@test migrationtools]# ./migrate_passwd.pl /root/users > /root/users.ldif
[root@test migrationtools]# ./migrate_group.pl /root/groups
[root@test migrationtools]# ./migrate_group.pl /root/groups > /root/groups.ldif
[root@test migrationtools]# cd
[root@test ~]# ls -l
-rwxrwxrwx. 1 root root   2105 Nov 14 16:32 anaconda-ks.cfg
-rw-r--r--. 1 root root   1200 Mar 23 14:17 base.ldif
drwxrwxrwx. 7 root root   4096 Feb 21 20:53 Desktop
drwxrwxrwx. 2 root root   4096 Nov 14 16:35 Documents
drwxrwxrwx. 7 root root   4096 Jan 13 14:19 Downloads
-rw-r--r--. 1 root root     94 Mar 23 14:45 groups
-rw-r--r--. 1 root root    695 Mar 23 14:46 groups.ldif
-rwxrwxrwx. 1 root root  46359 Nov 14 16:32 install.log
-rwxrwxrwx. 1 root root  10329 Nov 14 16:30 install.log.syslog
drwxrwxrwx. 2 root root   4096 Nov 14 16:35 Music
-rw-r--r--. 1 root root     94 Mar 23 14:45 passwords
drwxrwxrwx. 2 root root   4096 Nov 14 16:35 Pictures
drwxrwxrwx. 2 root root   4096 Nov 14 16:35 Public
drwxrwxrwx. 2 root root   4096 Nov 14 16:35 Templates
-rw-r--r--. 1 root root     94 Mar 23 14:47 users
-rw-r--r--. 1 root root     94 Mar 23 14:49 users.ldif
drwxrwxrwx. 2 root root   4096 Nov 14 16:35 Videos
Step-20 Now it's time to upload these ldif files to the LDAP server..
[root@test ~]# ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f /root/base.ldif
[root@test ~]# ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f /root/users.ldif
[root@test ~]# ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f /root/groups.ldif
Note- Enter LDAP Password: (type the clear-text Manager password whose hash you generated with slappasswd in Step-4, not the hash itself.)
Use 'ldapsearch' command-
[root@test ~]# ldapsearch -x -b "dc=example,dc=com" | less
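As an added example, not the migrationtools code: the LDIF shape that Steps 17 to 20 feed to ldapadd, built from constructed getent-style lines (the crypt hash is a placeholder); ou=People is assumed as the migrationtools default container for user entries, and the output follows the default non-extended schema.

```python
BASE = "dc=example,dc=com"    # $DEFAULT_BASE from migrate_common.ph
PEOPLE_OU = "ou=People"       # migrationtools default for passwd entries
GROUP_OU = "ou=Groups"        # $NAMINGCONTEXT{'group'} as set in Step-14

# Constructed sample input in getent format (hash value is a placeholder).
USERS = "ldapuser-1:x:501:501::/home/ldap/ldapuser-1:/bin/bash\n"
PASSWORDS = "ldapuser-1:$6$constructedsalt$constructedhash:17000:0:99999:7:::\n"
GROUPS = "ldapuser-1:x:501:\n"


def shadow_map(shadow_text):
    """Index shadow lines by user, like read_shadow_file does once it
    reads /root/passwords instead of /etc/shadow."""
    rows = [ln.split(":") for ln in shadow_text.splitlines() if ln]
    return {r[0]: r for r in rows}


def passwd_to_ldif(passwd_text, shadow_text):
    """One posixAccount/shadowAccount entry per passwd line. The crypt hash
    is copied into userPassword, so the LDAP bind password stays the one set
    with passwd on the server, and the .ldif file now carries that hash."""
    shadow = shadow_map(shadow_text)
    entries = []
    for line in passwd_text.splitlines():
        if not line:
            continue
        user, _, uid, gid, gecos, home, shell = line.split(":")
        s = shadow.get(user)
        entry = [f"dn: uid={user},{PEOPLE_OU},{BASE}", f"uid: {user}",
                 f"cn: {gecos or user}", "objectClass: account",
                 "objectClass: posixAccount", "objectClass: top",
                 "objectClass: shadowAccount",
                 f"userPassword: {{crypt}}{s[1] if s else '*'}"]
        if s:
            entry += [f"shadowLastChange: {s[2]}", f"shadowMin: {s[3]}",
                      f"shadowMax: {s[4]}", f"shadowWarning: {s[5]}"]
        entry += [f"loginShell: {shell}", f"uidNumber: {uid}",
                  f"gidNumber: {gid}", f"homeDirectory: {home}"]
        entries.append("\n".join(entry))
    return "\n\n".join(entries) + "\n"


def group_to_ldif(group_text):
    """One posixGroup entry per group line, with a memberUid per member."""
    entries = []
    for line in group_text.splitlines():
        if not line:
            continue
        name, _, gid, members = line.split(":")
        entry = [f"dn: cn={name},{GROUP_OU},{BASE}", "objectClass: posixGroup",
                 "objectClass: top", f"cn: {name}", f"gidNumber: {gid}"]
        entry += [f"memberUid: {m}" for m in members.split(",") if m]
        entries.append("\n".join(entry))
    return "\n\n".join(entries) + "\n"
```

Both /root/passwords and the generated users.ldif carry the crypt hashes, and the ls -l listing above shows them created mode 644, so chmod 600 them or remove them once ldapadd has loaded the entries.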
Step-21 Now share the LDAP users' home directory via NFS..
[root@test ~]# vim /etc/exports
/home/ldap  192.168.1.0/255.255.255.0(rw,sync)

Save file and exit :--
[root@test ~]# /etc/init.d/nfs restart;chkconfig nfs on
Note- If you are getting the error below while starting your NFS service, it is because you have not installed or started the rpcbind service.
Error:-  "Cannot register service: RPC: Unable to receive; errno = Connection refused"
Solution:- Install the 'rpcbind' service, and then start it..
[root@test ~]# yum -y install rpcbind
[root@test ~]# /etc/init.d/rpcbind start
Again Check-
[root@test ~]# /etc/init.d/nfs restart;chkconfig nfs on
Problem has been resolved..
LDAP server configuration has been completed...
Client PC-
----------------
Now go to the client machine to use the LDAP server and its users..
Step-1 Check the IP address..
[root@mantun ~]# ifconfig
IPADDR      192.168.1.210
NETMASK     255.255.255.0
[root@mantun ~]# ping 192.168.1.210
[root@mantun ~]# vim /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.1.221     test.example.com         test
192.168.1.210     mantun.example.com       mantun
Step-2 Open 'authconfig-gtk'
[root@mantun ~]# authconfig-gtk
Now open New box---
Click on--> 'Identity & Authentication' Tab
Click on drop down menu in--> 'User Account Database' And Select 'LDAP'
LDAP Search Base DN: dc=example,dc=com
LDAP Server: ldap://ldap.example.com
Select the check box 'Use TLS to encrypt connection'
Click 'Download CA Certificate'
Certificate URL: http://test.example.com/pub/example.pem
Click- Apply
Step-3 Create the following new line.
[root@mantun ~]# vim /etc/auto.master
/home/ldap    /etc/auto.ldap
[root@mantun ~]# vim /etc/auto.ldap
*       -rw     test.example.com:/home/ldap/&
[root@mantun ~]# service autofs reload
[root@mantun ~]# su - ldapuser-1
[ldapuser-1@mantun ~]$
[ldapuser-1@mantun ~]$ logout
[root@mantun ~]#
[root@mantun ~]# su - ldapuser-2
[ldapuser-2@mantun ~]$
OpenLdap server and test configuration has been finished...
How to add LDAP User-
----------------------------------
1- Create a user
[root@test ~]# useradd -d /home/ldap/ldapuser-6 ldapuser-6
2- Set password-
[root@test ~]# passwd ldapuser-6
3- Now filter out your user from '/etc/passwd' to another file.
[root@test ~]# getent passwd | tail -n 1 > /root/users
4- Now filter out your group from '/etc/group' to another file.
[root@test ~]# getent group | tail -n 1 > /root/groups
5- Now filter out your password information from '/etc/shadow' to another file.
[root@test ~]# getent shadow | tail -n 1 > /root/passwords
6- Now use the migrationtools to generate ldif files for the user and group ("How to use Migrationtools", Step-19):
[root@test ~]# cd /usr/share/migrationtools/
[root@test migrationtools]# ./migrate_passwd.pl /root/users > /root/users.ldif
[root@test migrationtools]# ./migrate_group.pl /root/groups > /root/groups.ldif
[root@test migrationtools]# cd
7- Now add those user and group ldif files to LDAP (Step-20):
[root@test ~]# ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f /root/users.ldif
[root@test ~]# ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f /root/groups.ldif
How to change LDAP User Password-
---------------------------------------------------------
[root@test ~]# ldappasswd -x -w redhat1 -D 'cn=Manager,dc=example,dc=com' -s redhat1 'uid=ldapuser-6,ou=Users,dc=example,dc=com'
Note- In this example, the first "redhat1" is the password of the "Manager" user and the second "redhat1" is the new password of the "ldapuser-6" user.
How to Delete LDAP User-
----------------------------------------
[root@test ~]# ldapdelete -x -W -D 'cn=Manager,dc=example,dc=com' 'uid=ldapuser-6,ou=Users,dc=example,dc=com'

Note- In this example I want to delete the user named "ldapuser-6", so you have to type the complete DN of that user.




How to Configure Ldap Server Configuration in Centos 6.5 - Reviewed by Unknown on October 30, 2017 - Rating: 5
