Tuesday, May 26, 2015

OpenLDAP Server / Client Configuration on CentOS 7.X / Redhat 7.X


Step 1: Install the following packages:

 # yum install -y openldap openldap-clients openldap-servers migrationtools

Step 2: Generate a LDAP encrypted password for Manager user  (here redhat):

 # slappasswd -s redhat -n > /etc/openldap/secret-passwd

Step 3: Configure OpenLDAP Server:

 #vim /etc/openldap/slapd.d/"cn=config"/"olcDatabase={2}bdb.ldif"

 #do the following changes

 olcSuffix: dc=goldenjohn,dc=com

 olcRootDN: cn=Manager,dc=goldenjohn,dc=com

 olcRootPW: PASTE YOUR ENCRYPTED PASSWORD HERE from /etc/openldap/secret-passwd

 olcTLSCertificateFile: /etc/pki/CA/cacert.pem

 olcTLSCertificateKeyFile: /etc/pki/CA/private/cakey.pem

 :wq (save abd exit)

Step 4: Configure Monitoring Database Configuration file:

 #vim /etc/openldap/slapd.d/"cn=config"/"olcDatabase={1}monitor.ldif"

 #do the following change

 olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=goldenjohn,dc=com" read by * none


 :wq (save and exit)

Step 5: Generate a X509 self sign certificate which is valid for 365 days:

 # openssl req -new -x509 -nodes -out /etc/pki/CA/cacert.pem -keyout /etc/pki/CA/private/cakey.pem -days 365

 Country Name (2 letter code) [XX]: IN

 State or Province Name (full name) []: Chennai 

 Locality Name (eg, city) [Default City]: Tamil Nadu 
 Organization Name (eg, company) [Default Company Ltd]: Goldenjohn, Inc.

 Organizational Unit Name (eg, section) []: IT

 Common Name (eg, your name or your server's hostname) []:ldap.goldenjohn.com

 Email Address []: root@ldap.goldenjohn.com

Step 6: Secure the content of the /etc/pki/CA/ directory:

 # cd /etc/pki/CA/

 # chown ldap:ldap cacert.pem

 # cd /etc/pki/CA/private/

 # chown ldap:ldap cakey.pem

 # chmod 600 cakey.pem

Step 7: Prepare the LDAP database:


 # cp -rvf /usr/share/openldap-servers/DB_CONFIG.example  # chown -R ldap:ldap /var/lib/ldap/

Step 8: Enable LDAPS:

 #vim /etc/sysconfig/slapd

  #Do the following changes

 SLAPD_URLS="ldapi:///   ldap:///   ldaps:///"

 :wq (save and exit)


Step 9: Test the configuration:

 # slaptest -u

Step 10: Start and enable the slapd service at boot:

 # systemctl start slapd

 # systemctl enable slapd

Step 11: Check the LDAP activity:

 # netstat -lt | grep ldap

 #netstat -tunlp | egrep "389|636"


Step 12: To start the configuration of the LDAP server, add the follwing LDAP schemas:

 # cd /etc/openldap/schema

 # ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f cosine.ldif

 # ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f nis.ldif

 # ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f collective.ldif

 # ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f corba.ldif

 # ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f core.ldif

 # ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f duaconf.ldif

 # ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f dyngroup.ldif

 # ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f inetorgperson.ldif

 # ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f java.ldif

 # ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f misc.ldif

 # ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f openldap.ldif

 # ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f pmi.ldif

 # ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f ppolicy.ldif

                        Note : you can add the schema file according to your need 

Step 13: Now use Migration Tools to create LDAP DIT:

 # cd /usr/share/migrationtools

 # vim migrate_common.ph

 #do the following chnages

 on the Line Number 61, change "ou=Groups"
   $NAMINGCONTEXT{'group'}             = "ou=Groups";

 on the Line Number 71, change your domain name
  $DEFAULT_MAIL_DOMAIN = "goldenjohn.com";

 on the line number 74, change your base name
         $DEFAULT_BASE = "dc=goldenjohn,dc=com";

 on the line number 90, change schema value
  $EXTENDED_SCHEMA = 1;


 :wq (save and exit)

Step 14: Generate a base.ldif file for your Domain DIT:

 #./migrate_base.pl > /root/base.ldif

Step 15: Load "base.ldif" into LDAP Database:

 #ldapadd -x -W -D "cn=Manager,dc=goldenjohn,dc=com" -f /root/base.ldif

Step 16: Now Create some users and Groups and migrate it from local database to LDAP database:

 #mkdir /home/guests
 #useradd -d /home/guests/ldapuser1 ldapuser1
 #useradd -d /home/guests/ldapuser2 ldapuser2
 #useradd -d /home/guests/ldapuser3 ldapuser3
 #useradd -d /home/guests/ldapuser4 ldapuser4
 #useradd -d /home/guests/ldapuser5 ldapuser5

 #echo 'password' | passwd --stdin ldapuser1
 #echo 'password' | passwd --stdin ldapuser2
 #echo 'password' | passwd --stdin ldapuser3
 #echo 'password' | passwd --stdin ldapuser4
 #echo 'password' | passwd --stdin ldapuser5

Step 17: Now filter out these Users and Groups and it password from /etc/shadow to different file:

 #getent passwd | tail -n 5 > /root/users

 #getent shadow | tail -n 5 > /root/shadow

 # getent group | tail -n 5 > /root/groups

Step 18: Now you can delete these users from local database:

 #userdel ldapuser1
 #userdel ldapuser2
 #userdel ldapuser3
 #userdel ldapuser4
 #userdel ldapuser5

Step 19: Now you need to create ldif file for these users using migrationtools:

 # cd /usr/share/migrationtools/

 # vim migrate_passwd.pl

 #search /etc/shadow and replace it into /root/shadow on Line Number 188.

 :wq (save and exit)

 # ./migrate_passwd.pl /root/users > /root/users.ldif

 # ./migrate_group.pl /root/groups > /root/groups.ldif

Step 20: Upload these users and groups ldif file into LDAP Database:

 # ldapadd -x -W -D "cn=Manager,dc=goldenjohn,dc=com" -f /root/users.ldif

 # ldapadd -x -W -D "cn=Manager,dc=goldenjohn,dc=com" -f /root/groups.ldif

Step 21: Now search LDAP DIT for all records:

 # ldapsearch -x -b "dc=goldenjohn,dc=com" -H ldap://server1.goldenjohn.com

Step 22: Now share ldapusers home directories via NFS:

 #vim /etc/exports

 #Add the folloiwng line:

 /home/guests    192.168.48.0/255.255.255.0(rw,sync)


 :wq (save and exit)

 #systemctl start nfs

 #systemctl enable nfs

Step 23: Share your CA Certificate to clients via FTP/HTTP:

 #yum install vsftpd httpd -y

 # cp -rvf /etc/pki/CA/cacert.pem /var/ftp/pub/

 # ln -s /var/ftp/pub/ /var/www/html/

 #systemctl start vsftpd

 #systemctl enable vsftpd

 #systemctl start httpd

 #systemctl enable httpd

Step 24: Now Go to the client machine and install the following packages:

 #yum install openldap-clients sssd pam_ldap authconfig-gtk -y

Step 25: Run the "authconfig-gtk" command to configure as a LDAP Client:

 # authconfig-gtk

 Click on "Identity & Authentication" Tab

 Click on drop down menu in "User Account Database" and Select "LDAP"

 in LDAP Search Base DN: dc=goldenjohn,dc=com

 in LDAP Server: ldap://server1.goldenjohn.com

 Select the check Box of "Use TLS to encrypt connections"

 Click "Download CA Certificate"

 In Certificate URL: type http://server1.goldenjohn.com/pub/cacert.pem

 Authentication Protocol: LDAP Password

 Click "OK"


 # getent passwd ldapuser1

Step 26: Now Configure your client machine to access ldapusers  home directory from  
                "server1.goldenjohn.com"

 #yum install autofs -y

 #vim /etc/auto.master

 #add the following line

 /home/guests /etc/auto.guests

 :wq (save and exit)

 #vim /etc/auto.guests

 #add the following line

 * -rw server1.goldenjohn.com:/home/guests/&

 :wq (save and exit)

Step 27: Now start and enable autofs service at boot:

 #systemctl restart autofs

 #systemctl enable autofs

Step 28: Now try to login as ldapuseer on client machine:

 #ssh ldapuser1@client.goldenjohn.com

 Password: password

 [ldapuser1@client.golden.com ~]$


 You may have some issue with Firewall/iptables, So add Ports/Services into firewall or disable it. 


That’s  it you can enjoy with your openldap installation .