OPENLDAP SERVER INSTALLATION AND CONFIGURATION STEP BY STEP – RHEL7 :-

LDAP = Lightweight Directory Access Protocol
OU   = Organisational Unit
CN   = Common Name
DN   = Distinguished Name
RDN  = Relative Distinguished Name
DC   = Domain Component
L    = Locality
O    = Organisation
ST   = State
C    = Country
DIT  = Directory Information Tree
LDIF = LDAP Data Interchange Format
OID  = Object Identifier
SN   = Surname


OpenLDAP is a directory service built on a client-server model. LDAP, the Lightweight Directory Access Protocol, is the directory service protocol it speaks; it runs on a layer above the TCP/IP stack.

Requirements: RHEL 7 / CentOS 7; a minimal installation or a GUI installation is enough.

Server Profile :-
Packages : openldap, migrationtools
Port Number: 389, 636


Step 1:  Installing LDAP packages using yum.



#yum install openldap* -y

#yum install migrationtools* -y

#yum install nfs-utils* -y

Step 2:  Start and enable all the services.


#systemctl start slapd
#systemctl start nfs-server
#systemctl start rpcbind
#systemctl enable slapd
#systemctl enable nfs-server
#systemctl enable rpcbind
#systemctl is-active slapd.service

Step 3:  Add the services into Firewall.


#firewall-cmd --permanent --add-service=ldap
#firewall-cmd --permanent --add-service=ldaps
#firewall-cmd --permanent --add-service=nfs
#firewall-cmd --permanent --add-service=rpc-bind
#firewall-cmd --permanent --add-service=mountd
#firewall-cmd --permanent --add-port=389/tcp
#firewall-cmd --reload

Step 4:  Check that LDAP is listening.


#netstat -lnt

Active Internet connections (only servers)
Proto Recv-Q Send-Q   Local Address           Foreign Address         State
tcp        0      0   0.0.0.0:389                0.0.0.0:*            LISTEN

# netstat -lt

Active Internet connections (only servers)
Proto Recv-Q Send-Q   Local Address          Foreign Address         State
tcp        0      0   0.0.0.0:ldap            0.0.0.0:*              LISTEN

Step 5:  Generate the LDAP admin password hash and save it.


#slappasswd
     (enter the new Manager password twice when prompted)
New password:
Re-enter new password:
{SSHA}Q+Aay3yQo1ZrlY8LadzIC4yA2jpzNIca

(slappasswd prints a salted SHA-1 hash of the password you typed; copy the {SSHA} string and keep it safe, it is what goes into olcRootPW in the next step.)

Keep a copy of the hash, for example in /root/slappassword.


Step 6:  Edit the olcDatabase={1}monitor.ldif and olcDatabase={2}hdb.ldif files.


# cd /etc/openldap/slapd.d/cn\=config/

# vim olcDatabase\=\{2\}hdb.ldif


Set olcSuffix and olcRootDN to your domain, add an olcRootPW line with the hash generated in step 5, and add the certificate and key locations (olcTLSCertificateFile and olcTLSCertificateKeyFile; the paths must match the files created in step 9). In the file below, olcSuffix and olcRootDN are the lines to change and the three lines at the end are the ones to add.

# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 84f4b9ab
dn: olcDatabase={2}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=test,dc=com
olcRootDN: cn=Manager,dc=test,dc=com
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
structuralObjectClass: olcHdbConfig
entryUUID: 0d18483c-a233-1035-80e7-8130092aaab9
creatorsName: cn=config
createTimestamp: 20160429084938Z
entryCSN: 20160429084938.739165Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20160429084938Z
olcRootPW: {SSHA}Q+Aay3yQo1ZrlY8LadzIC4yA2jpzNIca
olcTLSCertificateFile: /etc/pki/tls/certs/testldap.pem
olcTLSCertificateKeyFile: /etc/pki/tls/certs/testldapkey.pem

Now edit olcDatabase={1}monitor.ldif and change dc=my-domain,dc=com in the olcAccess line to your domain, as shown below.

# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 6811e2bd
dn: olcDatabase={1}monitor
objectClass: olcDatabaseConfig
olcDatabase: {1}monitor
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external
 ,cn=auth" read by dn.base="cn=Manager,dc=test,dc=com" read by * none
structuralObjectClass: olcDatabaseConfig
entryUUID: 0d18340a-a233-1035-80e6-8130092aaab9
creatorsName: cn=config
createTimestamp: 20160429084938Z
entryCSN: 20160429084938.738646Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20160429084938Z


# slaptest -u
5726e5d0 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif"
5726e5d0 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif"
config file testing succeeded

The checksum errors are expected after editing these files by hand: the CRC32 in each file header no longer matches the content. slaptest still validates the configuration itself.
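The slapd.d files carry the header "DO NOT EDIT!! Use ldapmodify", and the checksum errors above are the price of ignoring it. The script below is an added example, not part of the original tutorial: it makes the same step 6 changes (suffix, rootdn, rootpw, the monitor ACL and the TLS files) through ldapmodify over the local ldapi socket. It assumes the tutorial's suffix dc=test,dc=com, rootdn cn=Manager,dc=test,dc=com and certificate paths, and it places the two TLS attributes on cn=config, which is the entry OpenLDAP defines them for. The guarded block at the end only runs when APPLY_LDAP_CONFIG=1 is set and after step 9 has produced the certificate, because slapd rejects TLS settings that point at missing files.

```shell
#!/bin/sh
# Added example (not from the tutorial): apply the step 6 configuration with
# ldapmodify instead of hand-editing slapd.d.  Assumed values are the ones
# used in the tutorial (dc=test,dc=com, cn=Manager, /etc/pki/tls/certs/...).

# Print the modify LDIF.  $1 suffix, $2 rootdn, $3 {SSHA} hash from
# slappasswd, $4 certificate file, $5 private key file.
build_config_ldif() {
    suffix=$1
    rootdn=$2
    hash=$3
    cert=$4
    key=$5
    cat <<EOF
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: $suffix
-
replace: olcRootDN
olcRootDN: $rootdn
-
replace: olcRootPW
olcRootPW: $hash

dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="$rootdn" read by * none

dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: $cert
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: $key
EOF
}

# slapd runs as the ldap user, so the private key must be readable by that
# user and by nobody else.  Returns 0 when "others" have no permission bits
# (checks the last three mode characters of ls -l, e.g. -rw-r-----).
key_is_private() {
    others=$(ls -l "$1" | cut -c8-10) || return 1
    [ "$others" = "---" ]
}

if [ "${APPLY_LDAP_CONFIG:-0}" = "1" ]; then
    CERT=/etc/pki/tls/certs/testldap.pem
    KEY=/etc/pki/tls/certs/testldapkey.pem
    key_is_private "$KEY" || {
        echo "fix permissions first: chown root:ldap $KEY; chmod 640 $KEY" >&2
        exit 1
    }
    HASH=$(slappasswd)   # prompts twice for the Manager password, prints the {SSHA} hash
    build_config_ldif dc=test,dc=com cn=Manager,dc=test,dc=com "$HASH" "$CERT" "$KEY" \
        > /root/config-changes.ldif
    # Local root over ldapi authenticates as the SASL EXTERNAL identity that
    # the monitor ACL above already trusts, so no password is needed here.
    ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/config-changes.ldif
    slaptest -u
fi
```

Because slapd rewrites the slapd.d files itself when the entries change through ldapmodify, the checksum headers stay consistent and slaptest reports no errors. The key permission check matters because the openssl command in step 9 leaves the key world-readable (the listing there shows -rw-r--r--); chown root:ldap and chmod 640 keep slapd working while hiding the key from other local users.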



Step 7:  Copy the DB_CONFIG file and fix the ownership.


#cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

#chown -R ldap:ldap /var/lib/ldap/

#updatedb


Step 8:  Load the additional schemas (cosine, nis, inetorgperson) over ldapi with SASL EXTERNAL.


# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif

======================RESULT IS LIKE BELOW==================================
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"
============================================================================

# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif

======================RESULT IS LIKE BELOW==================================
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"
============================================================================

# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

======================RESULT IS LIKE BELOW==================================
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"
============================================================================

Step 9:  Generate the certificate.


Generate a self-signed X.509 certificate and private key, valid for 365 days.


#openssl req -new -x509 -nodes -out /etc/pki/tls/certs/testldap.pem -keyout /etc/pki/tls/certs/testldapkey.pem -days 365


============================================================================

Generating a 2048 bit RSA private key
.................+++
...+++
writing new private key to '/etc/pki/tls/certs/testldapkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:TELENGANA
Locality Name (eg, city) [Default City]:HYDERABAD
Organization Name (eg, company) [Default Company Ltd]:TEST
Organizational Unit Name (eg, section) []:TEST
Common Name (eg, your name or your server's hostname) []:TEST
Email Address []:

============================================================================


You can fill in the details as shown above or just press Enter at every prompt. Then list the directory to verify the certificate files; the file names must match the olcTLSCertificateFile and olcTLSCertificateKeyFile paths configured in step 6.

# ll /etc/pki/tls/certs/*.pem
-rw-r--r--. 1 root root 1708 May  1 22:58 /etc/pki/tls/certs/testldapkey.pem
-rw-r--r--. 1 root root 1306 May  1 22:58 /etc/pki/tls/certs/testldap.pem


Step 10:  Change the migration config.


Go to the directory below, edit migrate_common.ph and set the following entries to your domain.

# cd /usr/share/migrationtools/
# vim migrate_common.ph
At line 61:
                $NAMINGCONTEXT{'group'}             = "ou=Groups";

At line 71:
                # Default DNS domain
                $DEFAULT_MAIL_DOMAIN = "test.com";

                # Default base
                $DEFAULT_BASE = "dc=test,dc=com";

At line 90:
                $EXTENDED_SCHEMA = 1;


Step 11:  Create the base LDIF file.


Now create the base entries of the directory (the domain, the Manager role, and the People and Group organisational units) in an LDIF file.

# vim /root/base.ldif


dn: dc=test,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: test com
dc: test

dn: cn=Manager,dc=test,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=People,dc=test,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=test,dc=com
objectClass: organizationalUnit
ou: Group


Step 12:  Create users and assign password.


# useradd ldapuser1
# useradd ldapuser2
# useradd ldapuser3
# useradd ldapuser4


# echo "redhat" | passwd --stdin ldapuser1
Changing password for user ldapuser1.
passwd: all authentication tokens updated successfully.
# echo "redhat" | passwd --stdin ldapuser2
Changing password for user ldapuser2.
passwd: all authentication tokens updated successfully.
# echo "redhat" | passwd --stdin ldapuser3
Changing password for user ldapuser3.
passwd: all authentication tokens updated successfully.
# echo "redhat" | passwd --stdin ldapuser4
Changing password for user ldapuser4.
passwd: all authentication tokens updated successfully.

Step 13:  Extract the LDAP users and migrate them to LDIF.


# getent passwd (lists all users)

# getent passwd | tail -n 4

# getent passwd | tail -n 4 > /root/users

[root@system1 migrationtools]# ./migrate_passwd.pl /root/users /root/users.ldif
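"tail -n 4" picks whatever the last four lines of getent happen to be, which is fine right after creating exactly four users but silently drifts once other accounts (nfsnobody, service users added later) land at the end of the list. The following is an added example, not part of the tutorial or of migrationtools: it selects the accounts to migrate by UID range instead and confirms that the generated LDIF contains one entry per selected account. It assumes the RHEL 7 convention that ordinary users start at UID 1000 and the migrationtools path used above; the passwd and LDIF samples are constructed for the check.

```shell
#!/bin/sh
# Added example (not from the tutorial): choose users to migrate by UID
# range and verify the migrate_passwd.pl result.  Assumes ordinary users
# start at UID 1000 (RHEL 7 default) and the migrationtools path above.

# Print the passwd-format lines on stdin whose UID (field 3) lies in [$1, $2].
select_users_by_uid() {
    awk -F: -v lo="$1" -v hi="$2" '$3 >= lo && $3 <= hi'
}

# Count the entries (dn: lines) of the LDIF on stdin.
count_ldif_entries() {
    grep -c '^dn: '
}

# Return 0 when the passwd file $1 and the LDIF file $2 hold the same number
# of accounts, i.e. migrate_passwd.pl produced one entry per selected user.
counts_match() {
    [ "$(awk 'END { print NR }' "$1")" -eq "$(count_ldif_entries < "$2")" ]
}

# Constructed sample of getent output (not taken from a real system).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
ldapuser1:x:1001:1001::/home/ldapuser1:/bin/bash
ldapuser2:x:1002:1002::/home/ldapuser2:/bin/bash
ldapuser3:x:1003:1003::/home/ldapuser3:/bin/bash
ldapuser4:x:1004:1004::/home/ldapuser4:/bin/bash'

# Constructed two-entry LDIF in the shape migrate_passwd.pl emits.
SAMPLE_LDIF='dn: uid=ldapuser1,ou=People,dc=test,dc=com
uid: ldapuser1
objectClass: posixAccount

dn: uid=ldapuser2,ou=People,dc=test,dc=com
uid: ldapuser2
objectClass: posixAccount'

# Live run: $1 lowest UID, $2 highest UID, $3 output LDIF path.
migrate_selected_users() {
    getent passwd | select_users_by_uid "$1" "$2" > /root/users
    /usr/share/migrationtools/migrate_passwd.pl /root/users "$3"
    if counts_match /root/users "$3"; then
        echo "migrated $(count_ldif_entries < "$3") users into $3"
    else
        echo "entry count in $3 does not match /root/users, inspect before ldapadd" >&2
        return 1
    fi
}

# Example invocation, e.g.: migrate_selected_users 1001 1004 /root/users.ldif
```

The UID window is the only input that has to be right; everything else is a check that fails loudly rather than letting a stray entry (a system account with a real password hash, say) slip into the directory in the next step.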



Step 14:  Add the local users to LDAP.


Now add the base entries and then the migrated users to the directory, binding as the Manager.

ldapadd -x -W -D "cn=Manager,dc=test,dc=com" -f /root/base.ldif

Enter LDAP Password:

======================RESULT IS LIKE BELOW==================================
adding new entry "dc=test,dc=com"

adding new entry "cn=Manager,dc=test,dc=com"

adding new entry "ou=People,dc=test,dc=com"

adding new entry "ou=Group,dc=test,dc=com"
============================================================================

ldapadd -x -W -D "cn=Manager,dc=test,dc=com" -f /root/users.ldif

Enter LDAP Password:

======================RESULT IS LIKE BELOW==================================
adding new entry "uid=ldapuser1,ou=People,dc=test,dc=com"

adding new entry "uid=ldapuser2,ou=People,dc=test,dc=com"

adding new entry "uid=ldapuser3,ou=People,dc=test,dc=com"

adding new entry "uid=ldapuser4,ou=People,dc=test,dc=com"
============================================================================


Verify the users with the command below:

ldapsearch -x cn=ldapuser1 -b dc=test,dc=com


======================RESULT IS LIKE BELOW==================================
# extended LDIF
#
# LDAPv3
# base <dc=test,dc=com> with scope subtree
# filter: cn=ldapuser1
# requesting: ALL
#

# ldapuser1, People, test.com
dn: uid=ldapuser1,ou=People,dc=test,dc=com
uid: ldapuser1
cn: ldapuser1
sn: ldapuser1
mail: ldapuser1@test.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQxJDBmWk1ZaU5lJGlraDQ4VE9DVU9YL3dvWDFJcDFyaDE=
shadowLastChange: 16923
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/ldapuser1

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
============================================================================
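The search above was run with -x and no bind DN, that is anonymously, and still returned the userPassword hash: a database with no olcAccess rules grants read access to everyone. The script below is an added example, not part of the tutorial: it lists the entries whose password attribute an anonymous search can read, and builds the olcAccess change that lets only the entry itself and the Manager read or change userPassword while anonymous clients keep the "auth" right they need to bind. It assumes the tutorial's suffix dc=test,dc=com and rootdn cn=Manager,dc=test,dc=com; the sample search output is a constructed copy of the result above.

```shell
#!/bin/sh
# Added example (not from the tutorial): find password hashes readable by an
# anonymous search and confine them with an olcAccess rule.  Assumed values:
# suffix dc=test,dc=com, rootdn cn=Manager,dc=test,dc=com.

# Read ldapsearch output on stdin and print the DN of every entry that
# carries a userPassword attribute (base64 "userPassword::" lines included).
exposed_password_entries() {
    awk '/^dn: / { dn = substr($0, 5) } /^userPassword:/ { print dn }'
}

# Print the modify LDIF.  $1 = rootdn.  Rule {0} confines userPassword:
# the Manager may write it, anonymous clients may only use it to bind
# ("auth"), the entry itself may change it, nobody else sees it.
# Rule {1} keeps everything else readable, as it was before.
build_password_acl_ldif() {
    cat <<EOF
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword by dn.base="$1" write by anonymous auth by self write by * none
olcAccess: {1}to * by dn.base="$1" write by * read
EOF
}

# Live check against the server: anonymous search for posixAccount entries,
# asking only for userPassword.  $1 = base DN.  Prints nothing when clean.
check_anonymous_exposure() {
    ldapsearch -x -LLL -b "$1" '(objectClass=posixAccount)' userPassword | exposed_password_entries
}

# Constructed sample mirroring the tutorial's ldapsearch output.
SAMPLE_SEARCH='dn: uid=ldapuser1,ou=People,dc=test,dc=com
uid: ldapuser1
userPassword:: e2NyeXB0fSQxJDBmWk1ZaU5lJGlraDQ4VE9DVU9YL3dvWDFJcDFyaDE=
uidNumber: 1001

dn: uid=ldapuser2,ou=People,dc=test,dc=com
uid: ldapuser2
uidNumber: 1002'

if [ "${APPLY_LDAP_ACL:-0}" = "1" ]; then
    echo "before:"; check_anonymous_exposure dc=test,dc=com
    build_password_acl_ldif "cn=Manager,dc=test,dc=com" | ldapmodify -Y EXTERNAL -H ldapi:///
    # After the change an anonymous search must return no userPassword values.
    if [ -z "$(check_anonymous_exposure dc=test,dc=com)" ]; then
        echo "userPassword is no longer readable anonymously"
    fi
fi
```

Run with APPLY_LDAP_ACL=1 as root on the server to apply the rule; without it the script only defines the functions, so it can be sourced and used for the check alone. Users still authenticate, because binding needs only the "auth" right, and the hash that getent displayed in step 14 disappears from unauthenticated searches.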


To let the LDAP users reach their home directories on the server, the tutorial opens /home to everyone (note that mode 777 on /home lets any user create and rename entries there; the individual home directories keep their own owner and mode):

chmod 777 /home


Step 15:  Configure the NFS export.


#vi /etc/exports

/home   *(rw,sync)

# exportfs -rv

# showmount -e localhost (checks whether the export is visible)
Export list for localhost:
/home *

Step 16:  Restart all services.



#systemctl restart slapd
#systemctl restart nfs-server
#systemctl restart rpcbind
#firewall-cmd --reload



The LDAP client configuration lives in /etc/openldap/ldap.conf.


---- SERVER SIDE CONFIGURATION WAS COMPLETED ----




Step 1:  Install the packages using yum on the client machine.


# yum install openldap-clients nss-pam-ldapd sssd authconfig-gtk* -y

#yum install nfs-utils rpcbind autofs* -y


Step 2:  Start and enable the services.



#systemctl start autofs
#systemctl start nfs-server
#systemctl start rpcbind
#systemctl enable nfs-server
#systemctl enable rpcbind
#systemctl enable autofs


Step 3:  Enter the LDAP server details.


#authconfig-tui

Select [*] Use LDAP

Select [*] Use LDAP Authentication

Click Next

Server: ldap://192.168.145.132
Base DN: dc=test,dc=com


Verify the LDAP user information with the command below.

# getent passwd ldapuser1
ldapuser1:x:1001:1001::/home/guests/ldapuser1:/bin/bash

# su - ldapuser1
Last login: Sat Apr 30 04:58:43 PDT 2016 on pts/0
su: warning: cannot change directory to /home/guests/ldapuser1: No such file or directory (the user's home directory is not reachable yet)


Step 4:  Mount the users' /home directories using autofs.


# vim /etc/auto.master
     /home   /etc/auto.ldapuser (add this entry at line 8)

# cat /etc/auto.ldapuser
* -rw 192.168.145.132:/home/&

# systemctl restart autofs
# systemctl enable autofs

# getent passwd (the LDAP users from the server now appear alongside the local /etc/passwd entries)

# ldapsearch -x -b "dc=test,dc=com" -z 1000 | less (lists all LDAP users)