OpenLDAP Server Configuration on RHEL7/CentOS7

This tutorial describes the step-by-step procedure to install and configure an OpenLDAP server and client on RHEL7/CentOS7.

LDAP, the Lightweight Directory Access Protocol, is a protocol for managing related information from a centralized location through a file-and-directory-like hierarchy. It resembles a relational database in some respects and can be used to organize and store almost any kind of information. LDAP is commonly used for centralized authentication.

Our Lab Setup

Description        Server                 Client
Operating System   RHEL7 - 64 Bit         RHEL7 - 64 Bit
Host Name          server.example.com     client.example.com
IP Address         192.168.1.10           192.168.1.20

Use the following instructions to install and configure the LDAP server and LDAP client on CentOS7/RHEL7.

Prerequisites:
1. Make sure the server server.example.com (192.168.1.10) and the client client.example.com (192.168.1.20) can reach each other.
2. Add an entry for each host in /etc/hosts, or configure the names in DNS, so that host names resolve to the IP addresses if you use server names instead of IP addresses.

[root@server ~]# vim /etc/hosts

127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4

::1 localhost localhost.localdomain localhost6 localhost6.localdomain6

192.168.1.10 server.example.com server

192.168.1.20 client.example.com client

[root@server ~]# scp /etc/hosts root@client:/etc/hosts

Server end configuration

Log in to the server 192.168.1.10 and perform the following steps to configure the OpenLDAP server.

1. Install the required LDAP packages

Install the OpenLDAP packages ("openldap*") together with "migrationtools", which is used later to convert local users and groups into LDIF.

[root@server ~]# yum -y install openldap* migrationtools

2. Create an LDAP root password for administration

[root@server ~]# slappasswd
New password:
Re-enter new password:
{SSHA}bHSiwuPJEypHS6zHSE2Uy7M69sQjmkPL

Copy the hashed password from the above output, "{SSHA}bHSiwuPJEypHS6zHSE2Uy7M69sQjmkPL", and keep it aside; your own output will differ because the hash is salted. Note that {SSHA} is a salted SHA-1 hash, not reversible encryption, so you still need to remember the cleartext password you typed.

3. Edit the OpenLDAP Server Configuration

The OpenLDAP server configuration files are located in /etc/openldap/slapd.d/. Go to the cn=config directory under /etc/openldap/slapd.d/ and edit "olcDatabase={2}hdb.ldif" to change the configuration.

[root@server ~]# cd /etc/openldap/slapd.d/cn=config
[root@server cn=config]# vi olcDatabase={2}hdb.ldif

Change the variables of “olcSuffix” and “olcRootDN” according to your domain as below.

olcSuffix: dc=example,dc=com

olcRootDN: cn=Manager,dc=example,dc=com

Add the below three lines additionally in the same configuration file.

olcRootPW: {SSHA}bHSiwuPJEypHS6zHSE2Uy7M69sQjmkPL

olcTLSCertificateFile: /etc/pki/tls/certs/exampleldap.pem

olcTLSCertificateKeyFile: /etc/pki/tls/certs/exampleldapkey.pem

Replace the "olcRootPW" value with the hash you copied in step 2. Now save and exit the configuration file.

The suffix line names the domain for which the LDAP server provides information and should be changed to your domain name. The rootdn entry is the Distinguished Name (DN) for a user who is unrestricted by access controls or administrative limit parameters set for operations on the LDAP directory. The rootdn user can be thought of as the root user for the LDAP directory. In the configuration file, change the rootdn line from its default value as above.

4. Provide the Monitor privileges

Open the file /etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif and go to the line starting with olcAccess. Replace the value "dc=my-domain,dc=com" with "dc=example,dc=com" as below.

[root@server cn=config]# vi olcDatabase={1}monitor.ldif

olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=example,dc=com" read by * none

Note: If no olcAccess directives are specified, the default access control policy, to * by * read, allows all users (both authenticated and anonymous) read access.

Note: Access controls defined in the frontend are appended to all other databases’ controls.

Verify the configuration

[root@server cn=config]# slaptest -u
56abba86 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif"
56abba86 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif"
config file testing succeeded

The checksum errors appear because the two files were edited by hand: every file under slapd.d carries a CRC32 of its body in its second line, and slaptest reports the mismatch but still accepts the configuration ("config file testing succeeded"). The supported way to change cn=config is ldapmodify over ldapi:///, which keeps the checksums correct; for this tutorial, ignore the errors for now.
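The following is an added example (not from the original tutorial) that checks and recomputes the header checksum slapd complains about. It assumes the slapd.d file layout seen on the page: a first line "# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.", a second line "# CRC32 " followed by eight lowercase hex digits, and a CRC32 (zlib polynomial) computed over every byte after that second line. The sample file content is constructed.

```python
import sys
import zlib
from typing import Optional, Tuple

HEADER = b"# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify."
CRC_PREFIX = b"# CRC32 "


def split_slapd_ldif(data: bytes) -> Tuple[Optional[int], bytes]:
    """Return (stored_crc, body).

    body is everything after the CRC line, which is the region the checksum
    covers. If the two header lines are missing, stored_crc is None and the
    whole file is treated as body (the case for a file created by hand)."""
    parts = data.split(b"\n", 2)
    if len(parts) == 3 and parts[0] == HEADER and parts[1].startswith(CRC_PREFIX):
        return int(parts[1][len(CRC_PREFIX):], 16), parts[2]
    return None, data


def verify_checksum(data: bytes) -> bool:
    """True only when a CRC header exists and matches the body."""
    stored, body = split_slapd_ldif(data)
    return stored is not None and zlib.crc32(body) == stored


def rewrite_checksum(data: bytes) -> bytes:
    """Return the file with a header that matches its current body."""
    _, body = split_slapd_ldif(data)
    crc = zlib.crc32(body)
    return HEADER + b"\n" + CRC_PREFIX + f"{crc:08x}".encode() + b"\n" + body


# Constructed stand-in for olcDatabase={1}monitor.ldif before editing; not the
# real file from the tutorial's server.
SAMPLE_BODY = (
    b"dn: olcDatabase={1}monitor\n"
    b"objectClass: olcDatabaseConfig\n"
    b"olcDatabase: {1}monitor\n"
    b'olcAccess: {0}to * by dn.base="cn=Manager,dc=my-domain,dc=com" read by * none\n'
)
SAMPLE_FILE = rewrite_checksum(SAMPLE_BODY)


def edited_sample() -> bytes:
    """What the file looks like after the tutorial's hand edit, checksum stale."""
    return SAMPLE_FILE.replace(b"dc=my-domain", b"dc=example")


if __name__ == "__main__":
    # Usage: python3 this.py FILE [--fix]
    # Reports the checksum state of FILE; with --fix, rewrites the header in place.
    if len(sys.argv) >= 2:
        with open(sys.argv[1], "rb") as fh:
            content = fh.read()
        print("checksum ok" if verify_checksum(content) else "checksum MISMATCH")
        if "--fix" in sys.argv and not verify_checksum(content):
            with open(sys.argv[1], "wb") as fh:
                fh.write(rewrite_checksum(content))
            print("header rewritten")
    else:
        print("original ok:", verify_checksum(SAMPLE_FILE))
        print("after edit ok:", verify_checksum(edited_sample()))
        print("after fix ok:", verify_checksum(rewrite_checksum(edited_sample())))
```

Run it against a file only while slapd is stopped, and prefer ldapmodify for the change itself; the checker is mainly useful to confirm that a hand edit is the only reason for a "checksum error" line rather than a truncated or corrupted file.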

5. Enable and Start the SLAPD service

[root@server cn=config]# systemctl start slapd
[root@server cn=config]# systemctl enable slapd

6. Configure the LDAP Database

Copy the sample database configuration file and change the ownership of the database directory as below.

[root@server cn=config]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@server cn=config]# chown -R ldap:ldap /var/lib/ldap/

Add the following LDAP schemas (cosine and nis provide the POSIX account and group classes; inetorgperson provides the person attributes used by the migration scripts)

[root@server cn=config]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
[root@server cn=config]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
[root@server cn=config]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

7. Create the self-signed certificate

In step 3 we specified the certificate locations, but the files do not exist yet. Let's create the self-signed certificate and key:

[root@server cn=config]# openssl req -new -x509 -nodes -out /etc/pki/tls/certs/exampleldap.pem -keyout /etc/pki/tls/certs/exampleldapkey.pem -days 365

Provide your company details to generate the certificate as below.

Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:Tamilnadu
Locality Name (eg, city) [Default City]:Padur
Organization Name (eg, company) [Default Company Ltd]:example
Organizational Unit Name (eg, section) []:LINUX
Common Name (eg, your name or your server's hostname) []:server.example.com
Email Address []:root@server.example.com

Verify the created certificate and key under /etc/pki/tls/certs/. The key file is world-readable here, which is acceptable for a lab; the slapd process reads it as the ldap user, so a production setup should restrict it to that user.

[root@server cn=config]# ll /etc/pki/tls/certs/*.pem
-rw-r--r--. 1 root root 1704 Jan  8 14:52 /etc/pki/tls/certs/exampleldapkey.pem
-rw-r--r--. 1 root root 1497 Jan  8 14:52 /etc/pki/tls/certs/exampleldap.pem

8. Create base objects in OpenLDAP

To create base objects in OpenLDAP we need the migration tools, which were already installed in step 1. You will find a number of scripts under /usr/share/migrationtools/.

We need to change some predefined values in the file "migrate_common.ph" to match our domain name. To do that:

[root@server cn=config]# cd /usr/share/migrationtools/

[root@server migrationtools]# vi migrate_common.ph

Go to line number 71 and change the mail domain

$DEFAULT_MAIL_DOMAIN = "example.com";

Go to line number 74 and change the base DN

$DEFAULT_BASE = "dc=example,dc=com";

Go to line number 90 and change EXTENDED_SCHEMA from "0" to "1"

$EXTENDED_SCHEMA = 1;

Finally Save and Exit the file.

9. Generate a base.ldif file for your Domain

[root@server migrationtools]# touch /root/base.ldif

Copy the lines below and paste them into the file /root/base.ldif.

[root@server migrationtools]# vi /root/base.ldif

dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectclass: organization
o: example com
dc: example

dn: cn=Manager,dc=example,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=example,dc=com
objectClass: organizationalUnit
ou: Group

10. Create local users

Let's create some local users and groups, then migrate them to LDAP. For testing purposes, two users are created as below.

[root@server migrationtools]# useradd ldapuser1
[root@server migrationtools]# useradd ldapuser2

[root@server migrationtools]# passwd ldapuser1

[root@server migrationtools]# passwd ldapuser2

Filter these users (UIDs in the 1000-1099 range) out of /etc/passwd into another file. Note that the pattern matches ":10xx" anywhere on the line, so check the result before converting it:

[root@server migrationtools]# grep ":10[0-9][0-9]" /etc/passwd > /root/passwd

Filter the users' groups out of /etc/group into another file:

[root@server migrationtools]# grep ":10[0-9][0-9]" /etc/group > /root/group

Now convert the filtered users file to LDAP Data Interchange Format (LDIF).

Generate an LDIF file for the users

[root@server migrationtools]# ./migrate_passwd.pl /root/passwd /root/users.ldif

Generate an LDIF file for the groups

[root@server migrationtools]# ./migrate_group.pl /root/group /root/groups.ldif
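The two Perl scripts above do the passwd/group to LDIF conversion. As an added example (my own code, not the migrationtools scripts, and simplified relative to them) the block below performs the same conversion in Python on constructed sample lines. It filters on the numeric UID and GID fields rather than on a ":10xx" substring, carries crypt(3) hashes from a shadow file over as {CRYPT} values while skipping locked accounts ("!!", "*"), and base64-encodes attribute values that LDIF does not allow in plain form. The base DN, mail domain and object classes mirror the values set in migrate_common.ph with EXTENDED_SCHEMA enabled.

```python
import base64
from typing import Dict, List

# Constructed sample input shaped like /etc/passwd, /etc/shadow and /etc/group.
# These are made-up lines, not the real files from the tutorial's server.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
ldapuser1:x:1000:1000:ldapuser1:/home/ldapuser1:/bin/bash
ldapuser2:x:1001:1001:LDAP User Two:/home/ldapuser2:/bin/bash
svc:x:2000:1001:Service account:/var/lib/svc:/sbin/nologin
"""
SAMPLE_SHADOW = """\
ldapuser1:$6$constructedsalt$constructedhashvalue:17300:0:99999:7:::
ldapuser2:!!:17300:0:99999:7:::
"""
SAMPLE_GROUP = """\
ldapuser1:x:1000:
ldapuser2:x:1001:svc
wheel:x:10:ldapuser1
"""

BASE_DN = "dc=example,dc=com"   # $DEFAULT_BASE in migrate_common.ph
MAIL_DOMAIN = "example.com"     # $DEFAULT_MAIL_DOMAIN in migrate_common.ph
UID_MIN, UID_MAX = 1000, 1099   # the range the tutorial's grep pattern targets


def ldif_attr(name: str, value: str) -> str:
    """One attribute line. LDIF needs the base64 form ('name:: ...') for values
    that are non-ASCII, contain a newline, or start with a space, ':' or '<'."""
    if value.isascii() and "\n" not in value and not value.startswith((" ", ":", "<")):
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def parse_shadow(text: str) -> Dict[str, str]:
    """Map user name -> password hash; empty or locked hashes are left out."""
    hashes = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) >= 2 and parts[1] and not parts[1].startswith(("!", "*")):
            hashes[parts[0]] = parts[1]
    return hashes


def select_users(passwd_text: str, uid_min: int = UID_MIN, uid_max: int = UID_MAX) -> List[dict]:
    """Select accounts by the UID field alone, so that a matching number in the
    GID or GECOS field (as with 'svc' above) does not pull in the wrong account."""
    users = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue
        name, _, uid, gid, gecos, home, shell = fields
        if uid_min <= int(uid) <= uid_max:
            users.append(dict(name=name, uid=uid, gid=gid, gecos=gecos, home=home, shell=shell))
    return users


def user_to_ldif(u: dict, hashes: Dict[str, str]) -> str:
    full_name = u["gecos"].split(",")[0] or u["name"]
    lines = [
        f"dn: uid={u['name']},ou=People,{BASE_DN}",
        ldif_attr("uid", u["name"]),
        ldif_attr("cn", full_name),
        ldif_attr("sn", full_name.split()[-1]),
        ldif_attr("mail", f"{u['name']}@{MAIL_DOMAIN}"),
        "objectClass: top", "objectClass: person", "objectClass: organizationalPerson",
        "objectClass: inetOrgPerson", "objectClass: posixAccount", "objectClass: shadowAccount",
        ldif_attr("uidNumber", u["uid"]),
        ldif_attr("gidNumber", u["gid"]),
        ldif_attr("homeDirectory", u["home"]),
        ldif_attr("loginShell", u["shell"]),
    ]
    if u["name"] in hashes:
        # crypt(3) hashes from /etc/shadow are stored under the {CRYPT} scheme
        lines.append(ldif_attr("userPassword", "{CRYPT}" + hashes[u["name"]]))
    return "\n".join(lines) + "\n"


def users_to_ldif(passwd_text: str, shadow_text: str) -> str:
    hashes = parse_shadow(shadow_text)
    return "\n".join(user_to_ldif(u, hashes) for u in select_users(passwd_text))


def groups_to_ldif(group_text: str, gid_min: int = UID_MIN, gid_max: int = UID_MAX) -> str:
    out = []
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) != 4 or not fields[2].isdigit():
            continue
        name, _, gid, members = fields
        if not gid_min <= int(gid) <= gid_max:
            continue
        entry = [f"dn: cn={name},ou=Group,{BASE_DN}", "objectClass: posixGroup",
                 "objectClass: top", ldif_attr("cn", name), ldif_attr("gidNumber", gid)]
        entry += [ldif_attr("memberUid", m) for m in members.split(",") if m]
        out.append("\n".join(entry) + "\n")
    return "\n".join(out)


if __name__ == "__main__":
    print(users_to_ldif(SAMPLE_PASSWD, SAMPLE_SHADOW))
    print(groups_to_ldif(SAMPLE_GROUP))
```

The output can be fed to ldapadd exactly like the files produced by migrate_passwd.pl and migrate_group.pl. Because the generated LDIF contains password hashes, treat /root/users.ldif with the same care as /etc/shadow and delete it once the import is done.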

11. Import the users into the LDAP database

Let's load these LDIF files into the LDAP database.

NOTE: Each command asks for the password of "Manager". Type the cleartext password you entered into slappasswd in step 2, not the {SSHA} hash.

[root@server migrationtools]# ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f /root/base.ldif
[root@server migrationtools]# ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f /root/users.ldif
[root@server migrationtools]# ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f /root/groups.ldif

Stop the firewall so the client can reach the server. Note that this opens every port on the server; outside a lab, keep firewalld running and allow only the ldap and ldaps services (389/tcp and 636/tcp) plus the nfs, rpc-bind and mountd services needed for the home directory export below.

[root@server migrationtools]# systemctl stop firewalld

12. NFS configuration to export the home directory

Install the NFS packages, then edit the file /etc/exports and add an entry as below to export the home directory. Exporting to "*" lets any host that can reach the server mount /home; restricting the export to the client's address or subnet instead of "*" is tighter.

[root@server ~]# yum install rpcbind nfs-utils -y

[root@server ~]# vi /etc/exports
/home *(rw)

Start and enable the rpcbind and nfs services.
[root@server ~]# systemctl start rpcbind
[root@server ~]# systemctl start nfs
[root@server ~]# systemctl enable rpcbind
[root@server ~]# systemctl enable nfs

Test the NFS Configuration

[root@server ~]# showmount -e localhost
Export list for server.example.com:
/home *

Client end configuration

1. LDAP client configuration to use the LDAP server

[root@client ~]# yum install -y openldap-clients nss-pam-ldapd nfs-utils
[root@client ~]# authconfig-tui

In the authconfig-tui screens, enable LDAP for user information and authentication, set the server to server.example.com and the base DN to dc=example,dc=com, then select "OK" and press Enter. If "Use TLS" is not enabled in this dialog, the client's binds and password checks go to port 389 in cleartext, so enable it with the certificate created in step 7 for anything beyond a lab.

2. Test the Client Configuration.

Look up an LDAP user with the command below and check the output. If the user is returned, the LDAP configuration is working.

[root@client ~]# getent passwd ldapuser1
ldapuser1:x:1000:1000:ldapuser1:/home/ldapuser1:/bin/bash

3. Mount the LDAP Users Home Directory.

Add the entry below to /etc/fstab to mount the LDAP users' home directory, then mount it.

[root@client ~]# vi /etc/fstab

Server.example.com:/home /home auto defaults 0 0

[root@client ~]# mount 192.168.1.10:/home /home


[root@client ~]# su - ldapuser1

Last login: Mon May 22 17:34:06 IST 2017 on pts/0

[ldapuser1@client ~]$ touch file1

[ldapuser1@client ~]$ ls

file1

Server end check: the file created by the LDAP user on the client is visible in the exported home directory.

[root@server ~]# cd /home/ldapuser1/

[root@server ldapuser1]# ls

file1

[root@server ldapuser1]#