Tuesday 30 January 2024

How to configure LDAP SERVER & CLIENT CONFIGURATION RHEL 6

LDAP SERVER & CLIENT CONFIGURATION RHEL 6



I made this page to help anyone install and configure an LDAP server and client; I hope it will be easy for all.

Packages Required

We need to install the following packages on both the LDAP server and the client, except migrationtools-47-7.el6.noarch, which is needed on the server only.

compat-openldap-2.3.43-2.el6.i686

openldap-servers-2.4.23-15.el6.i686

openldap-clients-2.4.23-15.el6.i686

openldap-2.4.23-15.el6.i686

openldap-devel-2.4.23-15.el6.i686

nss-pam-ldapd-0.7.5-7.el6.i686

migrationtools-47-7.el6.noarch


Server side configuration

We need to run the following commands on the server side:

1- cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf

2- #vim /etc/openldap/slapd.conf and change a few things based on the photo below


3- To enable TLS, add the following lines to /etc/openldap/slapd.conf


TLSCipherSuite HIGH:MEDIUM:+SSLv2:+SSLv3:RSA

TLSCACertificateFile /etc/openldap/cacerts/server.pem

TLSCertificateFile /etc/openldap/cacerts/server.pem

TLSCertificateKeyFile /etc/openldap/cacerts/server.pem

TLSVerifyClient allow

4- Under /etc/openldap/slapd.d/ you will see a folder called cn=config; we need to add a few lines to the file olcDatabase={1}bdb.ldif inside it

5- vim /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{1\}bdb.ldif and add the lines below


olcRootPW: {SSHA}ccFKiy8ska8IhNwwlaNYxiBNbilWe5M1 (use the output of slappasswd here)

olcTLSCertificateFile: /etc/openldap/cacerts/server.pem

olcTLSCertificateKeyFile: /etc/openldap/cacerts/server.pem


6- After you finish editing the file, press Esc and then : to enter command mode in vim, and run the command below


:%s/dc=my-domain,dc=com/dc=your_domain,dc=com/g and then :x to save and exit

7- The command above replaces dc=my-domain,dc=com with your own domain throughout the file

8- Copy the default DB_CONFIG file, which sets cache and tuning options for the Berkeley database backend (this file also needs to be writeable by the ldap user)


#cp /usr/share/doc/openldap-servers-*/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

9- Create the test users ldapuser1 and ldapuser2 to test with, using the following commands


#useradd -g users ldapuser1

#passwd ldapuser1 (then set the user's password; repeat both commands for ldapuser2)

10- Now we need to create the LDAP DB with the following commands


#vim /usr/share/migrationtools/migrate_common.ph

In vim command mode, run the following on that file

:%s/dc=my-domain,dc=com/dc=your_domain,dc=com/g

Then press :x to save your change

#cd /usr/share/migrationtools

#./migrate_all_offline.sh (this rebuilds the LDAP DB under /var/lib/ldap)

11- Now change the ownership of the LDAP DB files and the slapd.d directory to the ldap user and ldap group with the following commands


#chown -R ldap.ldap /var/lib/ldap

#chown -R ldap.ldap /etc/openldap/slapd.d


Enable TLS

12- Now we will create the certificate file to enable TLS with the openssl command; see the commands below:


#cd /etc/openldap/cacerts/

#openssl req -newkey rsa:1024 -x509 -nodes -out server.pem -keyout server.pem -days 3650

Then fill in the requested information such as country and state.

13- Now you have the certificate and key for both the server and the client side in the same file; we will use the following command to create a separate certificate file for the client side


#grep -A 100 CERTIFICATE server.pem > client.pem

#chown -R ldap:ldap /etc/openldap/cacerts/
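As an added example (not from the original post), the following script performs steps 12 and 13 without relying on `grep -A 100`: it extracts only the CERTIFICATE block with sed and refuses to produce client.pem if any private-key material ends up in it. It assumes openssl is installed, the /etc/openldap/cacerts directory from the post, and a 2048-bit key and subject of its own choosing (the post's rsa:1024 is below what current OpenSSL builds accept).

```shell
#!/bin/sh
# Added example, not part of the original post: create server.pem (key + cert in
# one file, as the slapd TLS directives above expect) and derive a key-free
# client.pem. Assumes openssl is installed; directory and hostname are arguments.
set -eu

# Generate a self-signed certificate. Key size and subject are assumptions;
# the post used rsa:1024, which is below what current OpenSSL builds accept.
make_server_pem() {
    dir="$1"; host="$2"
    openssl req -newkey rsa:2048 -x509 -nodes -days 3650 \
        -subj "/C=XX/ST=State/O=Example/CN=$host" \
        -keyout "$dir/server.pem" -out "$dir/server.pem"
    chmod 600 "$dir/server.pem"   # it holds the private key: owner-only access
}

# Print only the CERTIFICATE block(s) of a PEM file, whatever their position or
# length (the post's "grep -A 100 CERTIFICATE" assumes the certificate is under
# 100 lines and that the key comes first in the file).
extract_cert() {
    sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$1"
}

# Succeed if the file carries private key material (then it must not be published).
contains_private_key() {
    grep -q 'PRIVATE KEY' "$1"
}

# Build client.pem from server.pem and stop if a key leaked into it.
make_client_pem() {
    dir="$1"
    extract_cert "$dir/server.pem" > "$dir/client.pem"
    if contains_private_key "$dir/client.pem"; then
        echo "client.pem contains private key material, not publishing it" >&2
        rm -f "$dir/client.pem"
        return 1
    fi
    chmod 644 "$dir/client.pem"
    chown ldap:ldap "$dir/server.pem" "$dir/client.pem"
}

# Usage on the server (as root):
#   make_server_pem /etc/openldap/cacerts ldap.your_domain.com
#   make_client_pem /etc/openldap/cacerts
```

The +SSLv2:+SSLv3 keywords in step 3's TLSCipherSuite select cipher groups tied to protocol versions that are now deprecated; a current deployment would keep HIGH and drop them.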

14- vim /etc/sysconfig/ldap and change the following line from no to yes


SLAPD_LDAPS=yes


Base domain configuration & migration

15- We need to create an LDIF file under /etc/openldap/schema/ (it does not have to be under this path, but keeping all LDAP config files in one place is convenient); these files will help us add users to the LDAP server


# cd /etc/openldap/schema/

#vim base.ldif

The content of base.ldif is the following (replace your_domain with your domain):

dn: dc=your_domain,dc=com
dc: your_domain
objectClass: top
objectClass: domain

dn: ou=People,dc=your_domain,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=your_domain,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit

Then migrate the local users and groups to LDIF files:

# /usr/share/migrationtools/migrate_passwd.pl /etc/passwd people.ldif

# /usr/share/migrationtools/migrate_group.pl /etc/group group.ldif

16- Now you can start the slapd service with the following command:


# /etc/rc.d/init.d/slapd start



Test server configuration

17- Now we need to verify that our configuration works. First check that the ldaps port is listening with the following command


#netstat -lt | grep ldaps

tcp 0 0 *:ldaps *:* LISTEN

tcp 0 0 *:ldaps *:* LISTEN


Then query the server for its naming contexts:

# ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts

The output should look like the following lines

# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: namingContexts
#
#
dn:
namingContexts: dc=testnv,dc=com

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

18- Now we will add base.ldif to LDAP, binding as the Admin user, with the following command:


#ldapadd -x -W -D "cn=Admin,dc=your_domain,dc=com" -f /etc/openldap/schema/base.ldif

After that command you should enter the LDAP password you created with slappasswd, and you should see a result like the box below

adding new entry "dc=your_domain,dc=com"
adding new entry "ou=People,dc=your_domain,dc=com"
adding new entry "ou=Group,dc=your_domain,dc=com"


Client Configuration

Now that we have a server which is responding correctly, we can configure our clients to authenticate to the LDAP server.

There is an easy tool to configure the machine as an LDAP client, called system-config-authentication.

We will explain how to use it below


19- From command line at client machine run


# system-config-authentication &

You will see the following screen

20- Please note that you should replace testnv and com with your own domain name.

21- You must select LDAP password as the authentication method

22- Check the box "Use TLS to encrypt connections"

23- The client.pem file we created earlier must be uploaded to an HTTP web server or an FTP server


We will use an HTTP server here, for example http://xx.xx.xx.xx/rhel6/client.pem, then press Apply.


Client configuration verification

24- After filling in the information in the box above, first check that the certificate file was loaded correctly on your system with the following command


# cd /etc/openldap/cacerts

Run ls with the -l option; you will see that client.pem has been renamed to authconfig_downloaded.pem, as the command output shows (the fde58659.0 symlink is the hash-named link OpenSSL uses to look up the CA certificate in this directory)

# ll

total 4

-rw-r--r-- 1 root root 1038 Sep 23 15:42 authconfig_downloaded.pem

lrwxrwxrwx 1 root root 25 Sep 23 18:38 fde58659.0 -> authconfig_downloaded.pem

25- Next we need to check the name service switch: # vi /etc/nsswitch.conf


You will see that the tool added sss to the passwd, shadow and group entries; please check the photo below.


26- Now we need to check ldap.conf under /etc/openldap


The photo below shows which lines were added to that file

27- In sssd.conf under /etc/sssd you should see the same as in the photo above, at the end of the file under the [domain/default] section


28- The last file whose configuration you should check is password-auth under /etc/pam.d


How to add a new user to the LDAP server

To add a new user to the LDAP server we need to do the following steps

29- Run useradd on the LDAP server

A) #useradd newuser ; passwd newuser

B) Then migrate the new user with the commands explained below

C) #grep '^newuser:' /etc/passwd > /etc/openldap/schema/newuser

D) # /usr/share/migrationtools/migrate_passwd.pl /etc/openldap/schema/newuser /etc/openldap/schema/newuser.ldif

E) We also need to update the LDAP user's groups by running the following commands


#grep -w newuser /etc/group > newuser.group

#/usr/share/migrationtools/migrate_group.pl newuser.group newuser.group.ldif

F) Now you can run ldapadd as in the example below to update LDAP with the new user


#ldapadd -cxWD cn=Admin,dc=testnv,dc=com -f newuser.ldif

We also need to update LDAP with the new user's groups by running the following command

#ldapadd -cxWD cn=Admin,dc=testnv,dc=com -f newuser.group.ldif
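As an added example (not from the original post and not part of migrationtools), the script below does what steps C) to E) do for one user, but with exact-name matching so that "newuser" never pulls in "newuser2" or a GECOS field that happens to contain the string, and it writes the LDIF directly. It assumes the post's tree (ou=People and ou=Group under a BASE_DN you set) and the /etc/passwd, /etc/shadow and /etc/group files of the server.

```shell
#!/bin/sh
# Added example, not from the original post or migrationtools: export one local
# user (and the groups it belongs to) as LDIF with exact-name matching.
# Assumes the post's tree: ou=People and ou=Group under BASE_DN.
set -eu
BASE_DN="${BASE_DN:-dc=your_domain,dc=com}"   # replace with your domain

# Print the passwd line whose name field equals $1 exactly, from file $2.
passwd_line() { awk -F: -v u="$1" '$1 == u { print; exit }' "$2"; }

# Print the shadow hash for user $1 from file $2 (empty if unreadable).
shadow_hash() { [ -r "$2" ] && awk -F: -v u="$1" '$1 == u { print $2; exit }' "$2" || true; }

# Print group lines (file $2) where $1 is the group name or one of its members.
group_lines() {
    awk -F: -v u="$1" '$1 == u { print; next }
        { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) { print; break } }' "$2"
}

# One passwd line -> posixAccount entry in the layout migrate_passwd.pl emits;
# $2 is an optional crypt hash, written as userPassword so the user can log in.
passwd_to_ldif() {
    printf '%s\n' "$1" | awk -F: -v base="$BASE_DN" -v hash="${2:-}" '{
        cn = $5; sub(/,.*/, "", cn); if (cn == "") cn = $1
        printf "dn: uid=%s,ou=People,%s\nuid: %s\ncn: %s\n", $1, base, $1, cn
        printf "objectClass: account\nobjectClass: posixAccount\nobjectClass: top\nobjectClass: shadowAccount\n"
        if (hash != "") printf "userPassword: {crypt}%s\n", hash
        printf "loginShell: %s\nuidNumber: %s\ngidNumber: %s\nhomeDirectory: %s\n\n", $7, $3, $4, $6
    }'
}

# Group lines on stdin -> posixGroup entries, one memberUid per member.
group_to_ldif() {
    awk -F: -v base="$BASE_DN" '{
        printf "dn: cn=%s,ou=Group,%s\nobjectClass: posixGroup\nobjectClass: top\n", $1, base
        printf "cn: %s\ngidNumber: %s\n", $1, $3
        n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") printf "memberUid: %s\n", m[i]
        print ""
    }'
}

# Usage (as root on the LDAP server):  export_user newuser > newuser.ldif
# then:  ldapadd -cxWD "cn=Admin,$BASE_DN" -f newuser.ldif
export_user() {
    line=$(passwd_line "$1" /etc/passwd)
    [ -n "$line" ] || { echo "no such local user: $1" >&2; return 1; }
    passwd_to_ldif "$line" "$(shadow_hash "$1" /etc/shadow)"
    group_lines "$1" /etc/group | group_to_ldif
}
```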

30- Now we need to share /home via the NFS service


#vim /etc/exports and add the line below

/home *(rw,sync)

# service nfs restart

31- On the client we need to enable automounting of the LDAP server's home directories via the following steps

A) #vi /etc/auto.master (add the following line)


/home /etc/auto.home --timeout 60

Then save with :x

B) Create a new file under /etc called auto.home


#vi /etc/auto.home (add the following line to this file)

* -fstype=nfs,rw,intr,rsize=32768,wsize=32768,hard,bg,nosuid,noexec,tcp your_nfs_server_ip:/home/&

C) Restart autofs via the service command


# service autofs restart

D) On the LDAP client you can try running su followed by newuser, as the example below shows


[root@localhost ~]# su - newuser

[newuser@localhost ~]$
