Wednesday, April 15, 2015

Configuring OpenLDAP Server/Client on RHEL 6.X / CentOS 6.X


LDAP Server Configuration:

Step 1. Install OpenLDAP packages via YUM

 # yum install openldap*

Step 2. Now generate a hashed password for the administrator user "Manager"

 # slappasswd
                New password: redhat
                Re-enter new password: redhat

                NOTE: You need to copy the hashed password generated above
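Added example, not the tutorial's code: the {SSHA} scheme slappasswd uses by default, together with the check slapd performs on a simple bind. The hash slappasswd prints is what the database entry stores as olcRootPW; what you type at `ldapadd -W` later is the plaintext it was made from. Standard library only.

```python
"""Reproduce the {SSHA} scheme slappasswd uses by default and verify a
candidate password against it, the check slapd performs on a simple bind.
Added example; not the tutorial's code."""
import base64
import hashlib
import hmac
import os
from typing import Optional

SCHEME = "{SSHA}"
DIGEST_LEN = 20  # SHA-1 digest size; everything after it is the salt


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return base64(SHA1(password || salt) || salt) with the {SSHA} prefix.

    slappasswd draws a random 4-byte salt; a caller-supplied salt is accepted
    only so that results can be reproduced in tests.
    """
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored: str, candidate: str) -> bool:
    """True if candidate is the plaintext behind an {SSHA} value.

    The salt is recovered from the stored value itself, so the hash never has
    to be typed anywhere: the rootdn bind sends the plaintext, slapd rehashes.
    """
    if not stored.startswith(SCHEME):
        raise ValueError("not an {SSHA} value: " + stored[:8])
    raw = base64.b64decode(stored[len(SCHEME):])
    if len(raw) <= DIGEST_LEN:
        raise ValueError("{SSHA} value too short to contain a salt")
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    recomputed = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(recomputed, digest)  # constant-time compare


if __name__ == "__main__":
    # "redhat" is the password the tutorial types at the slappasswd prompt.
    rootpw = ssha_hash("redhat")
    print("olcRootPW: " + rootpw)          # the line the database entry needs
    print(ssha_verify(rootpw, "redhat"))   # True: the plaintext is what -W expects
    print(ssha_verify(rootpw, rootpw))     # False: pasting the hash itself fails
```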

Step 4. Now configure the OpenLDAP server by editing the following file

 # vim /etc/openldap/slapd.d/"cn=config"/"olcDatabase={2}bdb.ldif"

                olcSuffix: dc=goldenjohn,dc=com

                olcRootDN: cn=Manager,dc=goldenjohn,dc=com

                NOTE: Add these lines at the end of the file

                olcTLSCertificateFile: /etc/pki/tls/certs/goldenjohn.pem
                olcTLSCertificateKeyFile: /etc/pki/tls/certs/goldenjohnkey.pem

                :wq (save and exit)

Step 5. Now specify the monitoring privileges

 # vim /etc/openldap/slapd.d/"cn=config"/"olcDatabase={1}monitor.ldif"

                Inside this file, search for "cn=manager,dc=goldenjohn,dc=com"
                and change it to "cn=Manager,dc=goldenjohn,dc=com"

                :wq (save and exit)

Step 6. Now copy the sample database configuration file

 # cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

 # chown -R ldap:ldap /var/lib/ldap/

 # updatedb

Step 7. Configure OpenLDAP to listen on SSL/TLS

 # vim /etc/sysconfig/ldap

                SLAPD_LDAPS=yes #(default is no)

                :wq (save and exit)

Step 8. Now you need to create a certificate for the OpenLDAP server.

 # openssl req -new -x509 -nodes -out /etc/pki/tls/certs/goldenjohn.pem -keyout /etc/pki/tls/certs/goldenjohnkey.pem -days 365

                Country Name (2 letter code) [XX]:IN
                State or Province Name (full name) []:Tamil Nadu
                Locality Name (eg, city) [Default City]:Chennai
                Organization Name (eg, company) [Default Company Ltd]:Goldenjohn, Inc.
                Organizational Unit Name (eg, section) []:IT
                Common Name (eg, your name or your server's hostname) []
                Email Address []

Step 9. You need to change the owner and group of the certificate and key file

 # chown -Rf root:ldap /etc/pki/tls/certs/goldenjohn.pem

 # chown -Rf root:ldap /etc/pki/tls/certs/goldenjohnkey.pem

 # ls -l /etc/pki/tls/certs/goldenjohn*

Step 10. Start/Restart the service of OpenLDAP

 # service slapd restart

 # chkconfig slapd on

Step 11. Now you need to create the base objects in OpenLDAP.

                NOTE: "Base objects" means the entries (dn:) for the domain name and for the OUs; to create an entry you have to define its objectClass.

                There are two ways: (1) create them manually, or (2) use the migration tools. In this example I am using the migration tools.

 # yum install migrationtools

 # cd /usr/share/migrationtools/

 # ls

 # vim

                On line 61, change "ou=Groups":
                $NAMINGCONTEXT{'group'}             = "ou=Groups";

                On line 71, change your domain name:
                $DEFAULT_MAIL_DOMAIN = "";

                On line 74, change your base name:
                $DEFAULT_BASE = "dc=goldenjohn,dc=com";

                On line 90, change the schema value:
                $EXTENDED_SCHEMA = 1;

                :wq (save and exit)

                Now generate a base.ldif file for your domain with the following:

 # ./ > /root/base.ldif

                If you want to migrate your local users and groups to LDAP, do the following.
                First I create 5 local users and groups, then I migrate them to LDAP.

 # mkdir /home/guests
 # useradd -d /home/guests/goldenjohn1 goldenjohn1
 # useradd -d /home/guests/goldenjohn2 goldenjohn2
 # useradd -d /home/guests/goldenjohn3 goldenjohn3
 # useradd -d /home/guests/goldenjohn4 goldenjohn4
 # useradd -d /home/guests/goldenjohn5 goldenjohn5

 # passwd goldenjohn1
 # passwd goldenjohn2
 # passwd goldenjohn3
 # passwd goldenjohn4
 # passwd goldenjohn5

Now you need to extract these users from /etc/passwd into another file:

 # getent passwd | tail -n 5 > /root/users

Now you need to extract their password information from /etc/shadow into another file:

 # getent shadow | tail -n 5 > /root/passwords

Now you need to extract their groups from /etc/group into another file:

# getent group | tail -n 5 > /root/groups

Now you have to generate LDIF files from these extracted users, passwords, and groups.

So open the following file to change the location of the password file:

# vim

Inside this file, search for /etc/shadow and change it to /root/passwords, then save and exit.

NOTE: "/etc/shadow" is found at approximately line 188.

Now generate an LDIF file for the users:

# ./ /root/users > /root/users.ldif

Now generate an LDIF file for the groups:

# ./ /root/groups > /root/groups.ldif
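Added example, not the tutorial's or migrationtools' code: it builds the users LDIF that the step above produces, but selects the accounts by name instead of `tail -n 5`, so a system account or a stray user cannot slip into the export. The entry layout follows the posixAccount/shadowAccount form migrate_passwd.pl emits; the passwd and shadow samples are constructed.

```python
"""users.ldif of Step 11, selecting accounts by name instead of `tail -n 5`.
Added example (not the tutorial's or migrationtools' code); entry layout follows
what migrate_passwd.pl emits for a posixAccount/shadowAccount, written here."""

BASE_DN = "dc=goldenjohn,dc=com"

# Constructed samples standing in for `getent passwd` and `getent shadow`.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
goldenjohn1:x:500:500::/home/guests/goldenjohn1:/bin/bash
goldenjohn2:x:501:501::/home/guests/goldenjohn2:/bin/bash
"""
SHADOW = """\
root:$6$rootsalt$ROOTHASH:16500:0:99999:7:::
goldenjohn1:$6$s1$HASH1:16540:0:99999:7:::
goldenjohn2:$6$s2$HASH2:16540:0:99999:7:::
"""

def by_name(dump):
    """Map account name -> colon-separated fields of one getent dump."""
    return {f[0]: f for f in (ln.split(":") for ln in dump.splitlines() if ln)}

def user_entry(pw, sh, base_dn=BASE_DN):
    """One LDIF entry (posixAccount + shadowAccount) under ou=People."""
    name, _, uid, gid, gecos, home, shell = pw
    return "\n".join([
        "dn: uid=%s,ou=People,%s" % (name, base_dn),
        "uid: %s" % name,
        "cn: %s" % (gecos or name),
        "objectClass: account", "objectClass: posixAccount",
        "objectClass: top", "objectClass: shadowAccount",
        "userPassword: {crypt}%s" % sh[1],  # the /etc/shadow hash is copied into LDAP
        "shadowLastChange: %s" % sh[2],
        "loginShell: %s" % shell,
        "uidNumber: %s" % uid,
        "gidNumber: %s" % gid,
        "homeDirectory: %s" % home,
    ]) + "\n"

def users_ldif(passwd_dump, shadow_dump, names):
    """users.ldif for exactly `names`; refuses if any is missing from either dump."""
    passwd, shadow = by_name(passwd_dump), by_name(shadow_dump)
    missing = [n for n in names if n not in passwd or n not in shadow]
    if missing:
        raise KeyError("not in both passwd and shadow: " + ", ".join(missing))
    return "\n".join(user_entry(passwd[n], shadow[n]) for n in names)

if __name__ == "__main__":
    print(users_ldif(PASSWD, SHADOW, ["goldenjohn1", "goldenjohn2"]))
```

The output is what `ldapadd` receives in the next step, including the crypt hashes taken from /etc/shadow, so /root/passwords and users.ldif deserve the same protection as the shadow file itself.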

Step 12. Now it's time to upload these LDIF files to the LDAP server

# ldapadd -x -W -D "cn=Manager,dc=goldenjohn,dc=com" -f /root/base.ldif

# ldapadd -x -W -D "cn=Manager,dc=goldenjohn,dc=com" -f /root/users.ldif

# ldapadd -x -W -D "cn=Manager,dc=goldenjohn,dc=com" -f /root/groups.ldif

NOTE: It will ask for the password of "Manager"; type the password you entered at the slappasswd prompt in Step 2.

Now you can verify with the "ldapsearch" command:

# ldapsearch -x -b "dc=goldenjohn,dc=com"

Step 13. Now you need to share the LDAP users' home directories via NFS so that the client machine can mount them.

#vim /etc/exports


:wq (save and exit)

# service nfs start 

# service rpcbind start

# chkconfig nfs on

# service iptables stop
# chkconfig iptables off

LDAP Client Configuration:

 # yum install -y openldap-clients nss-pam-ldapd nss_ldap autofs nfs-utils

 # authconfig --enableforcelegacy --update

 # authconfig --enableldap --enableldapauth --ldapserver="" --ldapbasedn="dc=goldenjohn,dc=com" --update

(If you are enabling LDAP on an older CentOS 5.8 client, run the following instead:
authconfig --enableforcelegacy --disableldaptls --update)

 NOTE : Put the LDAP server certificate into the /etc/openldap/cacerts directory.

 # authconfig --enableldaptls --update

 # getent passwd goldenjohn1

 # service nfs start 

 # service rpcbind start

 # service autofs start

 # vim /etc/auto.master

                /home/guests    /etc/auto.guests


 # vim /etc/auto.guests

                *       -rw


 # service autofs reload

# service nslcd restart

Confirm the setup on the client machine.

I changed /etc/openldap/ldap.conf as follows:

TLS_CACERTDIR /etc/openldap/cacerts
URI ldap://
BASE dc=goldenjohn,dc=com

 # su - goldenjohn1

That's it, enjoy your OpenLDAP installation ...


  1. I posted on the wrong post. I'm getting the following:

    [root@localhost migrationtools]# ldapadd -x -W -D "cn=gmullin,dc=lava,dc=com" -f /root/ldap/base.ldif
    Enter LDAP Password:
    adding new entry "dc=lava,dc=com"
    ldap_add: Invalid syntax (21)
    additional info: objectClass: value #1 invalid per syntax

    I'm on CentOS 7. I read I need to import a schema, but having problems. How come you didn't have to do it on your installation?

  2. CentOS 7.1 is a different procedure; I will share the steps shortly.

  3. Find the link for the updated installation steps.