CA: ca.example.com (192.168.1.41)
LDAP: ldap.example.com
(192.168.1.42)
CLIENT: client.example.com
(192.168.1.43)
A. Server side configuration:
1.
Install the required packages:
# yum install openldap*
openldap-clients.i386 0:2.2.13-6.4E
openldap-devel.i386 0:2.2.13-6.4E
openldap-servers.i386 0:2.2.13-6.4E
openldap-servers-sql.i386 0:2.2.13-6.4E
openldap-devel.i386 0:2.2.13-6.4E
openldap-servers.i386 0:2.2.13-6.4E
openldap-servers-sql.i386 0:2.2.13-6.4E
migrationtool*
compat-openldap.i386 0:2.1.30-6.4E
2.
Start the service:
# service slapd restart
3.
Make sure the service is stopped before further changes:
# service slapd stop
4.
Take a backup of the slapd.conf file:
# cp
/usr/share/openldap-servers/slapd.conf.obsolete /root/Desktop/
5.
Rename the main configuration file:
# mv
/usr/share/openldap-servers/slapd.conf.obsolete
/usr/share/openldap-servers/slapd.conf
6.
Run the command to get the encrypted password for the root in LDAP:
# slappasswd
Copy
the output of the command.
7.
Now edit the main configuration file:
# vim /usr/share/openldap-servers/slapd.conf
database bdb
suffix "dc=example,dc=com"
checkpoint 1024 15
rootdn
"cn=admin,dc=example,dc=com"
rootpw
{SSHA}Ewhy9YzyeyKQSjcRs5R4K/MU252S/iMW
directory /var/lib/ldap (no need to change it)
8.
Restart and then stop the service.
# service slapd start
# service slapd stop
9.
Now create the LDIF (LDAP Data
Interchange Fomat) files:
# vim example.com.ldif
# Root entry
dn: dc=example,dc=com
objectclass: dcObject
objectclass: organization
o: Example Company
dc: example
# vim admin.example.com.ldif
# Admin DN
dn: cn=admin,dc=example,dc=com
objectclass: organizationalRole
cn: admin
# vim users.example.com.ldif
# Base DN for users
dn: ou=users,dc=example,dc=com
changetype: add
objectclass: top
objectclass: organizationalUnit
ou: users
# vim groups.example.com.ldif
#
Base DN for groups
dn:
ou=groups,dc=example,dc=com
changetype:
add
objectclass:
top
objectclass:
organizationalUnit
ou:
groups
10.
Remove all the previous LDAP configuration:
# rm -rf /etc/openldap/slapd.d/*
11.
Remove all the previous LDAP content:
# rm -rf /var/lib/ldap/*
12.
Take backup of the main database configuration file:
# cp
/usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
13.
Initialize the DB file for content:
# echo "" | slapadd -f
/usr/share/openldap-servers/slapd.conf
14.
Convert configuration file into dynamic configuration under /etc:
# slaptest -f
/usr/share/openldap-servers/slapd.conf -F /etc/openldap/slapd.d
15.
Set the correct permissions and the ownership for the configuration and the
content directory:
# chown -R ldap:ldap /var/lib/ldap
# chown -R ldap:ldap /etc/openldap/slapd.d
16.
To test the initial configuration, start the service:
# service slapd restart
If
you get any warning while restarting the service:
#
vim /etc/openldap/slapd.d
#
vim cn= config.ldif
olcThreads:
16
olcTLSVerifyClient:
never
olcToolThreads:
1
Note:
here it should not show those 3 TLS certificate lines of CA cert, server cert
and server key file path. If it is there, comment it.
If
you have followed the step 14, in that case you need to delete the 3 relevant
lines from the cn=config.ldif file.
Now
restart the service. It should not show any warning now.
17.
List the content:
# ldapsearch -x -b 'dc=example,dc=com'
18.
Load the LDAP DB content from LDIF:
#
ldapadd -x -D 'cn=admin,dc=example,dc=com' -W -f example.com.ldif
#
ldapadd -x -D 'cn=admin,dc=example,dc=com' -W -f admin.example.com.ldif
#
ldapadd -x -D 'cn=admin,dc=example,dc=com' -W -f users.example.com.ldif
# ldapadd -x -D 'cn=admin,dc=example,dc=com' -W
-f groups.example.com.ldif
19.
List again:
# ldapsearch -x -b 'dc=example,dc=com'
20.
Now create the user and group with explicitly defined gid and uid.
(you
can use the existing users and groups from the system but it is always
preferred to create the special user)
# groupadd
--gid 10000 rohit
# useradd
--uid 10000 --gid 10000 rohit
# passwd
rohit
21.
Take the backup of the file used for migration of the users etc.:
# cp
/usr/share/migrationtools/migrate_common.ph /root/Desktop/
22.
Set the default values used by the migration file:
# vim
/usr/share/migrationtools/migrate_common.ph
Default
DNS domain
$DEFAULT_MAIL_DOMAIN
= "example.com";
Default
base
$DEFAULT_BASE =
"dc=example,dc=com";
Naming
context for user data according to users.example.com.ldif file above
$NAMINGCONTEXT{'passwd'} = "ou=users";
Naming
context for group data according to groups.example.com.ldif file above
$NAMINGCONTEXT{'group'} = "ou=groups";
Note:
All above 4 lines are required to change otherwise you will have the following
messageafter running the command:
# ldapadd -x -D
"cn=admin,dc=example,dc=com" -W -f rohit.passwd.ldif
adding
new entry "uid=rohit,ou=People,dc=example,dc=com"
ldap_add:
No such object (32)
matched DN: dc=example,dc=com
23.
Migrate a user and a group from /etc/passwd file:
#
grep rohit /etc/passwd > rohit.passwd.line
# grep rohit /etc/group > rohit.group.line
24.
Convert the user and group file into LDIF format:
# /usr/share/migrationtools/migrate_passwd.pl
rohit.passwd.line rohit.passwd.ldif
#
/usr/share/migrationtools/migrate_group.pl rohit.group.line rohit.group.ldif
25.
Import it in the LDAP DB:
# ldapadd -x -D
"cn=admin,dc=example,dc=com" -W -f rohit.passwd.ldif
# ldapadd -x -D
"cn=admin,dc=example,dc=com" -W -f rohit.group.ldif
Note:
- -D -> Specifies username
- -W -> Specified that the password will be prompted
- -f -> Specifies the name of the LDIF file
- -x -> Specifies simple authentication
- -w -> specify the password within the command itself
26.
Start the service:
# /etc/init.d/slapd start
27.
Now search the server:
# ldapsearch -x -b 'dc=example,dc=com'
#
ldapsearch -x
B. Client side configuration:
1.
Install the required packages:
#yum
install openldap-clients
openldap-devel
nss-pam-ldapd nss-util authconfig-gtk compat-openldap
Note:
Check for
libnss_ldap.so.2
in the /lib64/ directory.
2.
open /etc/openldap/ldap.conf file:
BASE dc=example,dc=com
URI ldap://<server_ip>/
i.e. URI ldap://192.168.1.33/
3.
Configure authentication through LDAP without encrypted connection:
#vim
/etc/sysconfig/authconfig
FORCELEGACY=yes
Note:
If you are not doing this, you can do the following:
#
vim /etc/sssd/sssd.conf
Add
the line in the [domain/default] section:
ldap_tls_reqcert
= never
4.
Configure from the client side:
#
authconfig --enableldap --enableldapauth --ldapserver=192.168.1.33
--ldapbasedn="dc=example,dc=com"
--update
Or
you can do this:
5.
Add the server information on client side:
#
authconfig-tui
Note:
check tick mark on “use LDAP” and “use LDAP authentication”. Rest leave them by
default.
Note:
After this check the file /etc/nsswitch for the entries. It should be like
this:
passwd: files ldap
shadow: files ldap
group: files ldap
6.
Now follow the following commands for the user to get login:
(“rohit”
user was created on the server system. Now it should get the login from the
client system)
Make sure there is not
"rohit" user configured on this client machine:
# id rohit
# grep rohit /etc/passwd /etc/group
# mkdir /home/rohit
# chmod 700 /home/rohit
# cp /etc/skel/.bash* /home/rohit
#
chown -R rohit:rohit /home/rohit
7.
Run the command to get the info of the user:
# getent passwd rohit
rohit:x:100000:100000:rohit:/home/rohit:/bin/bash
8.
Now login from the user (rohit) and check.
Note: On server side /etc/sysconfig/ldap file:
By default it reads:
SLAPD_LDAP=yes
SLAPD_LDAPI=yes
SLAPD_LDAPS=no
If not using encryption, you can
leave it alone.
If using SSL or TLS, you would
change the SLAPD_LDAPS line from a no to a yes, so that the file would read:
SLAPD_LDAP=yes
SLAPD_LDAPI=yes
SLAPD_LDAPS=yes
C. Getting output from LDAP
(addressbook):
1.
# vim addressbook.ldif
#
address book
dn:
ou=addressbook, dc=example, dc=com
objectClass:
top
objectClass:
organizationalUnit
ou:
addressbook
Add
this into the ldap:
1.
Create an LDIF file named contact.ldif having content:
#
vim contact.ldif
dn:
cn=rohit chauhan, ou=addressbook, dc=example, dc=com
objectClass:
top
objectClass:
person
objectClass:
organizationalPerson
objectClass:
inetOrgPerson
cn:
rohit chauhan
gn:
rohit
sn:
chauhan
mail:
rohit.chauhan@example.com
physicalDeliveryOfficeName:
example, Inc., linux Services
postalAddress:
PO BOX 500001
l:
Bangalore
ou:
addressbook
st:
Karnataka
postalCode:
70555
telephoneNumber:
141-22008899
facsimileTelephoneNumber:
555-555-5556
pager:
555-555-5557
mobile:
8792188038
homePhone:
555-555-5556
2.
Add it to the DB:
# ldapadd -x -D 'cn=admin,dc=example,dc=com' -W
-f addressbook.ldif
# ldapadd -x -D 'cn=admin,dc=example,dc=com' -W
-f contact.ldif
3.
Querying about the person:
[root@ldap ~]# ldapsearch -x
"(sn=chauhan)" cn sn mail l ou st pager mobile homephone
Or
# ldapsearch -x -LLL -b
"dc=example,dc=com" 'sn=chauhan' mail l st
(it
will show all the information mentioned in the command i.e. cn sn mail l ou st
pager mobile homephone of the person)
#
extended LDIF
#
#
LDAPv3
#
base <dc=example,dc=com> (default) with scope subtree
#
filter: (sn=chauhan)
#
requesting: cn sn mail l ou st pager mobile homephone
#
#
rohit chauhan, addressbook, example.com
dn:
cn=rohit chauhan,ou=addressbook,dc=example,dc=com
cn: rohit chauhan
sn: chauhan
mail: rohit.chauhan@example.com
l: Bangalore
ou: addressbook
st: Karnataka
pager: 555-555-5557
mobile: 8792188038
homePhone: 555-555-5556
#
search result
search:
2
result:
0 Success
#
numResponses: 2
#
numEntries: 1
D.
Installing the “phpldapadmin” tool for LDAP browsing:
1. Download the package “phpldapadmin-1.2.3.zip.gz”.
2. extract it.
A directory named phpldapadmin-1.2.3 will be
produced.
3. rename it
# mv phpldapadmin-1.2.3.zip.gz phpldapadmin
4. If “http” package is not installed, install it.
# yum install httpd* -y
5. Copy the directory to the document root:
# cp –r phpldapadmin
/var/www/html/
6. start the “httpd” service.
# service httpd restart
Note: You may have to rename the file
“index.php.example” to “index.php”
7. Now open your browser. In URL, write here:
http://<system _ip>/phpldapadmin
8. A webpage will be opened showing the PhpLdapAdmin.
On the left side click “login”.
Give required credentials and get login.
i.e.
DN: cn=admin,dc=example,dc=com
Password: redhat
No comments:
Post a Comment