Monday, November 30, 2015

OpenLDAP implementation (RHEL 6)


CA: ca.example.com (192.168.1.41)
LDAP: ldap.example.com (192.168.1.42)
CLIENT: client.example.com (192.168.1.43)

A. Server side configuration:

1. Install the required packages:
#  yum install openldap*
    openldap-clients.i386 0:2.2.13-6.4E
    openldap-devel.i386 0:2.2.13-6.4E
    openldap-servers.i386 0:2.2.13-6.4E
    openldap-servers-sql.i386 0:2.2.13-6.4E
    migrationtool*
    compat-openldap.i386 0:2.1.30-6.4E

2. Start the service:
#  service slapd restart

3. Make sure the service is stopped before further changes:
#  service slapd stop

4. Take a backup of the slapd.conf file:
#  cp /usr/share/openldap-servers/slapd.conf.obsolete /root/Desktop/

5. Rename the main configuration file:
#  mv /usr/share/openldap-servers/slapd.conf.obsolete /usr/share/openldap-servers/slapd.conf

6. Run slappasswd to generate the hashed password for the LDAP root DN:
#  slappasswd
Copy the output of the command.

7. Now edit the main configuration file:
#  vim /usr/share/openldap-servers/slapd.conf
database        bdb
suffix          "dc=example,dc=com"
checkpoint      1024 15
rootdn          "cn=admin,dc=example,dc=com"
rootpw          {SSHA}Ewhy9YzyeyKQSjcRs5R4K/MU252S/iMW
directory       /var/lib/ldap
(the directory line needs no change)

8. Restart and then stop the service.
#  service slapd start
#  service slapd stop

9. Now create the LDIF (LDAP Data Interchange Format) files:
#  vim example.com.ldif
# Root entry
dn: dc=example,dc=com
objectclass: dcObject
objectclass: organization
o: Example Company
dc: example

#  vim admin.example.com.ldif
# Admin DN
dn: cn=admin,dc=example,dc=com
objectclass: organizationalRole
cn: admin

#  vim users.example.com.ldif
# Base DN for users
dn: ou=users,dc=example,dc=com
changetype: add
objectclass: top
objectclass: organizationalUnit
ou: users

#  vim groups.example.com.ldif
# Base DN for groups
dn: ou=groups,dc=example,dc=com
changetype: add
objectclass: top
objectclass: organizationalUnit
ou: groups

10. Remove all the previous LDAP configuration:
#  rm -rf /etc/openldap/slapd.d/*

11. Remove all the previous LDAP content:
#  rm -rf /var/lib/ldap/*

12. Copy the example database configuration file into the content directory:
#  cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

13. Initialize the DB file for content:
#  echo "" | slapadd -f /usr/share/openldap-servers/slapd.conf

14. Convert configuration file into dynamic configuration under /etc:
#  slaptest -f /usr/share/openldap-servers/slapd.conf -F /etc/openldap/slapd.d

15. Set the correct permissions and the ownership for the configuration and the content directory:
#  chown -R ldap:ldap /var/lib/ldap
#  chown -R ldap:ldap /etc/openldap/slapd.d

16. To test the initial configuration, start the service:
#  service slapd restart

If you get a warning while restarting the service, open the converted configuration:
#  cd /etc/openldap/slapd.d
#  vim cn=config.ldif
olcThreads: 16
olcTLSVerifyClient: never
olcToolThreads: 1

Note: the file should not contain the three TLS lines that point to the CA certificate, the server certificate and the server key file. If they are present, comment them out.
If you followed step 14, slaptest copied those three lines over from slapd.conf, so delete them from cn=config.ldif.
Now restart the service. It should not show any warning.

17. List the content:
#  ldapsearch -x -b 'dc=example,dc=com'

18. Load the LDAP DB content from LDIF:
# ldapadd -x -D 'cn=admin,dc=example,dc=com' -W -f example.com.ldif
# ldapadd -x -D 'cn=admin,dc=example,dc=com' -W -f admin.example.com.ldif
# ldapadd -x -D 'cn=admin,dc=example,dc=com' -W -f users.example.com.ldif
#  ldapadd -x -D 'cn=admin,dc=example,dc=com' -W -f groups.example.com.ldif

19. List again:
#  ldapsearch -x -b 'dc=example,dc=com'

20. Now create the user and group with explicitly defined gid and uid.
(you can use existing users and groups from the system, but it is preferable to create a dedicated user)
#  groupadd  --gid 10000 rohit
#  useradd  --uid 10000 --gid 10000 rohit
#  passwd   rohit

21. Take the backup of the file used for migration of the users etc.:
#  cp  /usr/share/migrationtools/migrate_common.ph /root/Desktop/

22. Set the default values used by the migration file:
#  vim /usr/share/migrationtools/migrate_common.ph
Default DNS domain
$DEFAULT_MAIL_DOMAIN = "example.com";
Default base
$DEFAULT_BASE = "dc=example,dc=com";
Naming context for user data according to users.example.com.ldif file above
$NAMINGCONTEXT{'passwd'}            = "ou=users";
Naming context for group data according to groups.example.com.ldif file above
$NAMINGCONTEXT{'group'}             = "ou=groups";

Note: All four lines above must be changed; otherwise you will get the following message after running the command:
#  ldapadd -x -D "cn=admin,dc=example,dc=com" -W -f rohit.passwd.ldif
adding new entry "uid=rohit,ou=People,dc=example,dc=com"
ldap_add: No such object (32)
        matched DN: dc=example,dc=com

23. Extract the user and group lines to migrate from /etc/passwd and /etc/group:
# grep rohit /etc/passwd > rohit.passwd.line
#  grep rohit /etc/group  > rohit.group.line

24. Convert the user and group file into LDIF format:
#  /usr/share/migrationtools/migrate_passwd.pl rohit.passwd.line rohit.passwd.ldif
#  /usr/share/migrationtools/migrate_group.pl   rohit.group.line   rohit.group.ldif

25. Import it in the LDAP DB:
#  ldapadd -x -D "cn=admin,dc=example,dc=com" -W -f rohit.passwd.ldif
#  ldapadd -x -D "cn=admin,dc=example,dc=com" -W -f rohit.group.ldif
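Steps 23 to 25 feed single passwd and group lines through migrate_passwd.pl and migrate_group.pl. The script below is an added example, not part of the original post or of the migrationtools package: a minimal stand-in that turns one /etc/passwd or /etc/group line into the posixAccount/posixGroup LDIF entry under the naming contexts set in step 22 (ou=users and ou=groups). The sample lines at the bottom are constructed for this example; the password hash from /etc/shadow is deliberately not copied into the entry, so the user's LDAP password is set afterwards with ldappasswd.

```sh
#!/bin/sh
# Added example (not from the original post or from migrationtools): convert a
# single /etc/passwd or /etc/group line into an LDIF entry.

passwd_to_ldif() {
  # $1: one /etc/passwd line, $2: base DN for user entries
  base=$2
  IFS=: read -r user _pw uid gid gecos home shell <<EOF
$1
EOF
  # migrate_passwd.pl uses the GECOS field as cn and falls back to the login name
  [ -n "$gecos" ] || gecos=$user
  cat <<EOF
dn: uid=$user,$base
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
uid: $user
cn: $gecos
uidNumber: $uid
gidNumber: $gid
homeDirectory: $home
loginShell: $shell

EOF
}

group_to_ldif() {
  # $1: one /etc/group line, $2: base DN for group entries
  base=$2
  IFS=: read -r group _pw gid members <<EOF
$1
EOF
  printf 'dn: cn=%s,%s\nobjectClass: top\nobjectClass: posixGroup\ncn: %s\ngidNumber: %s\n' \
    "$group" "$base" "$group" "$gid"
  # one memberUid attribute per comma-separated member (the list may be empty)
  if [ -n "$members" ]; then
    printf '%s\n' "$members" | tr ',' '\n' | sed 's/^/memberUid: /'
  fi
  echo
}

# Constructed sample lines standing in for "grep rohit /etc/passwd" and
# "grep rohit /etc/group" from step 23.
sample_passwd='rohit:x:10000:10000:Rohit Chauhan:/home/rohit:/bin/bash'
sample_group='rohit:x:10000:'

passwd_to_ldif "$sample_passwd" 'ou=users,dc=example,dc=com' > rohit.passwd.ldif
group_to_ldif  "$sample_group"  'ou=groups,dc=example,dc=com' > rohit.group.ldif
cat rohit.passwd.ldif rohit.group.ldif
```

The two files are then loaded exactly as in step 25 with ldapadd. Because the entry carries no userPassword, a bind as the user fails until the password is set, which is the safer default compared with copying the crypt hash out of /etc/shadow into an LDIF file that may linger on disk.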

Note:
  • -D -> Specifies the bind DN (the user to authenticate as)
  • -W -> Specifies that the password will be prompted for
  • -f -> Specifies the name of the LDIF file
  • -x -> Specifies simple authentication
  • -w -> Specifies the password on the command line itself

26. Start the service:
#  /etc/init.d/slapd start

27. Now search the server:
#  ldapsearch -x -b 'dc=example,dc=com'
# ldapsearch -x
B. Client side configuration:

1. Install the required packages:
#yum install openldap-clients  openldap-devel   nss-pam-ldapd  nss-util  authconfig-gtk  compat-openldap

Note: Check for libnss_ldap.so.2 in the /lib64/ directory.

2. Open the /etc/openldap/ldap.conf file and set:
BASE dc=example,dc=com
URI ldap://<server_ip>/
e.g. URI ldap://192.168.1.33/

3. Configure authentication through LDAP without an encrypted connection:
#vim /etc/sysconfig/authconfig
FORCELEGACY=yes

Note: If you are not doing this (so authentication goes through sssd), do the following instead:
# vim /etc/sssd/sssd.conf
Add this line in the [domain/default] section:
ldap_tls_reqcert = never

4. Configure from the client side:
# authconfig --enableldap --enableldapauth --ldapserver=192.168.1.33 \
    --ldapbasedn="dc=example,dc=com" --update

5. Or add the server information on the client side interactively:
# authconfig-tui
Note: check tick mark on “use LDAP” and “use LDAP authentication”. Rest leave them by default.
Note: After this, check /etc/nsswitch.conf for the entries. They should look like this:
passwd:     files ldap
shadow:     files ldap
group:      files ldap

6. Now run the following commands so the user can log in:
("rohit" was created on the server system. It should now be able to log in from the client system.)
Make sure there is no "rohit" user configured on this client machine (neither command should find one):
# id rohit
# grep rohit /etc/passwd /etc/group

# mkdir /home/rohit
# chmod 700 /home/rohit
# cp /etc/skel/.bash* /home/rohit
# chown -R rohit:rohit /home/rohit

7. Run the command to get the info of the user:
#  getent passwd rohit
rohit:x:100000:100000:rohit:/home/rohit:/bin/bash

8. Now login from the user (rohit) and check.

Note: On the server side, the /etc/sysconfig/ldap file reads by default:
SLAPD_LDAP=yes
SLAPD_LDAPI=yes
SLAPD_LDAPS=no

If not using encryption, you can leave it alone.
If using SSL or TLS, change the SLAPD_LDAPS line from no to yes, so that the file reads:
SLAPD_LDAP=yes
SLAPD_LDAPI=yes
SLAPD_LDAPS=yes
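The walkthrough sets several values that trade transport or credential protection for convenience: rootpw in slapd.conf (step A.7), the plain ldap:// URI (step B.2), FORCELEGACY and ldap_tls_reqcert = never (step B.3), and SLAPD_LDAPS=no in this note. The script below is an added example, not part of the original post: it reads configuration text on stdin and reports each of those settings when it is in its weak form, so the state of a server or client can be checked before it is put into service. The matching is plain string comparison on the exact keys used on this page; the snippets at the bottom are constructed for the example and are not taken from a real host.

```sh
#!/bin/sh
# Added example (not from the original post): audit the LDAP settings this
# walkthrough touches. Input: configuration text on stdin. Output: one finding
# per line, prefixed with the label given as $1 (normally the file name).

audit_ldap_config() {
  label=$1
  while IFS= read -r line; do
    case "$line" in
      '#'*|'') continue ;;                       # skip comments and blank lines
    esac
    # normalise "key = value" to "key=value" and squeeze runs of whitespace
    norm=$(printf '%s\n' "$line" | sed 's/[[:space:]]*=[[:space:]]*/=/; s/[[:space:]][[:space:]]*/ /g')
    case "$norm" in
      "rootpw {"*)
        ;;                                       # hashed rootpw ({SSHA}, {CRYPT}, ...): fine
      "rootpw "*)
        printf '%s: rootpw is stored in cleartext, generate it with slappasswd\n' "$label" ;;
      "URI ldap://"*)
        printf '%s: %s is a plaintext connection, prefer ldaps:// or StartTLS\n' "$label" "$norm" ;;
      ldap_tls_reqcert=never)
        printf '%s: ldap_tls_reqcert=never disables server certificate verification\n' "$label" ;;
      SLAPD_LDAPS=no)
        printf '%s: SLAPD_LDAPS=no, slapd will not accept ldaps:// connections\n' "$label" ;;
      FORCELEGACY=yes)
        printf '%s: FORCELEGACY=yes selects the legacy nss_ldap/pam_ldap stack\n' "$label" ;;
    esac
  done
}

# Number of findings for the text on stdin; 0 means none of the weak settings is present.
audit_ldap_count() {
  audit_ldap_config "$1" | awk 'END { print NR }'
}

# Constructed snippets: the unencrypted setup from the post, then a hardened variant.
weak_server='rootpw secret
SLAPD_LDAPS=no'
weak_client='BASE dc=example,dc=com
URI ldap://192.168.1.42/
FORCELEGACY=yes
ldap_tls_reqcert = never'
printf '%s\n' "$weak_server" | audit_ldap_config server
printf '%s\n' "$weak_client" | audit_ldap_config client

hardened_client='BASE dc=example,dc=com
URI ldaps://ldap.example.com/
ldap_tls_reqcert = demand'
printf 'hardened client findings: %s\n' \
  "$(printf '%s\n' "$hardened_client" | audit_ldap_count client)"
```

Run it against each file in turn, for example `audit_ldap_config ldap.conf < /etc/openldap/ldap.conf`, and treat any non-zero count from audit_ldap_count as a reason to revisit the corresponding step before the directory carries real credentials.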
C. Getting output from LDAP (addressbook):

1. Create an LDIF file for the address book container:
# vim addressbook.ldif
# address book
dn: ou=addressbook, dc=example, dc=com
objectClass: top
objectClass: organizationalUnit
ou: addressbook

2. Create an LDIF file named contact.ldif with the following content:
# vim contact.ldif
dn: cn=rohit chauhan, ou=addressbook, dc=example, dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: rohit chauhan
gn: rohit
sn: chauhan
mail: rohit.chauhan@example.com
physicalDeliveryOfficeName: example, Inc., linux Services
postalAddress: PO BOX 500001
l: Bangalore
ou: addressbook
st: Karnataka
postalCode: 70555
telephoneNumber: 141-22008899
facsimileTelephoneNumber: 555-555-5556
pager: 555-555-5557
mobile: 8792188038
homePhone: 555-555-5556

3. Add both to the DB:
#  ldapadd -x -D 'cn=admin,dc=example,dc=com' -W -f addressbook.ldif
#  ldapadd -x -D 'cn=admin,dc=example,dc=com' -W -f contact.ldif

4. Query for the person:
[root@ldap ~]# ldapsearch -x "(sn=chauhan)" cn sn mail l ou st pager mobile homephone
Or:
# ldapsearch -x -LLL -b "dc=example,dc=com" 'sn=chauhan' mail l st
(each form returns only the attributes listed after the filter, i.e. cn sn mail l ou st pager mobile homephone of the person for the first one; the output below is from the first form)

# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> (default) with scope subtree
# filter: (sn=chauhan)
# requesting: cn sn mail l ou st pager mobile homephone
#

# rohit chauhan, addressbook, example.com
dn: cn=rohit chauhan,ou=addressbook,dc=example,dc=com
cn: rohit chauhan
sn: chauhan
mail: rohit.chauhan@example.com
l: Bangalore
ou: addressbook
st: Karnataka
pager: 555-555-5557
mobile: 8792188038
homePhone: 555-555-5556

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
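The filter in step 4 is typed by hand, so "(sn=chauhan)" is exactly what is sent. When the surname comes from a script argument or a web form, the characters that have meaning in a filter (backslash, parentheses and the asterisk wildcard) must be escaped as RFC 4515 requires, otherwise a value like "*" turns the exact-match query into a listing of the whole address book. The function below is an added example, not part of the original post; it escapes a value with sed and builds the same sn filter the post uses. NUL bytes cannot be carried in shell strings, so only the four printable metacharacters are handled here.

```sh
#!/bin/sh
# Added example (not from the original post): RFC 4515 escaping for values
# placed inside an LDAP search filter, and a helper that builds the (sn=...)
# filter from step 4 with the value escaped.

ldap_filter_escape() {
  # Backslash is replaced first; otherwise the escapes added afterwards
  # would themselves be re-escaped.
  printf '%s\n' "$1" | sed -e 's/\\/\\5c/g' \
                           -e 's/(/\\28/g'  \
                           -e 's/)/\\29/g'  \
                           -e 's/\*/\\2a/g'
}

person_filter() {
  # Exact match on sn; any wildcard in $1 is now a literal asterisk.
  printf '(sn=%s)\n' "$(ldap_filter_escape "$1")"
}

# Constructed inputs: the surname from the post and a value containing metacharacters.
person_filter 'chauhan'
person_filter 'a(b)*'

# Usage against the server from the post (not executed here); $surname is a
# hypothetical variable holding untrusted input.
# ldapsearch -x -LLL -b "dc=example,dc=com" "$(person_filter "$surname")" mail l st
```

A deliberate substring search is still possible: escape the user-supplied part first and append the asterisk afterwards, so the only wildcard in the filter is the one the script itself placed there.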


D. Installing the “phpldapadmin” tool for LDAP browsing:

1. Download the package “phpldapadmin-1.2.3.zip.gz”.

2. Extract it.
A directory named phpldapadmin-1.2.3 will be produced.

3. Rename the extracted directory:
# mv phpldapadmin-1.2.3 phpldapadmin

4. If the “httpd” package is not installed, install it:
# yum install httpd* -y

5. Copy the directory to the document root:
# cp -r phpldapadmin  /var/www/html/

6. Start the “httpd” service:
# service httpd restart
Note: You may have to rename the file “index.php.example” to “index.php”

7. Now open your browser and enter this URL:
http://<system _ip>/phpldapadmin

8. A web page showing phpLDAPadmin opens.
On the left side click “login”.
Enter the required credentials and log in, e.g.:
DN: cn=admin,dc=example,dc=com
Password: redhat
