Step-by-Step Install and Configure OpenLDAP on RHEL7/CentOS 7 Linux

OpenLDAP Server Configuration on RHEL7/Centos7



Lightweight Directory Access Protocol (LDAP in short) is an industry-standard, lightweight, widely used set of protocols for accessing directory services. A directory service is a shared information infrastructure for accessing, managing, organizing, and updating everyday items and network resources, such as users, groups, devices, email addresses, telephone numbers, volumes, and many other objects.
The LDAP information model is based on entries. An entry in an LDAP directory represents a single unit of information and is uniquely identified by its Distinguished Name (DN). Each of the entry's attributes has a type and one or more values.
An attribute is a piece of information associated with an entry. The types are typically mnemonic strings, such as "cn" for common name or "mail" for the e-mail address. Each attribute is assigned one or more values; in LDIF, each value appears on its own "type: value" line, which is why an entry can list several objectClass lines.
The following is an illustration of how information is arranged in the LDAP directory.

 
Our Lab Setup:

LDAP server: server01 (10.0.0.2)
LDAP client: client01 (10.0.0.3)

Prerequisites:

1. Make sure that both hosts, server01 and client01, can reach each other.
2. Add an entry for each host to /etc/hosts for name resolution, or configure DNS to resolve their IP addresses.


See my YouTube video "Install and Configure OpenLDAP on RHEL7/CentOS 7 Linux" for reference.

Installing LDAP Server:


Log in to server01 (10.0.0.2) and follow these steps to configure the OpenLDAP server.


1. Install the required LDAP packages:


Install the OpenLDAP packages together with migrationtools using yum, so that dependencies are resolved automatically.


# yum -y install openldap* migrationtools

2. Start and enable the slapd service:


# systemctl start slapd
# systemctl enable slapd
# netstat -lt | grep ldap

3. Create an LDAP root (Manager) password for administration:

# slappasswd

Copy the hashed password that the command prints, "{SSHA}*********************" (the asterisks stand for your own hash), and keep it aside; it goes into olcRootPW in step 4. Clients such as ldapadd are given the cleartext password; slapd stores only the hash.

 
4. Edit the OpenLDAP server configuration:

The OpenLDAP server configuration lives under /etc/openldap/slapd.d/.


Change into the cn=config directory under /etc/openldap/slapd.d/ and edit "olcDatabase={2}hdb.ldif", the entry for the main hdb database.


# cd /etc/openldap/slapd.d/cn=config
# vi olcDatabase={2}hdb.ldif

Change the values of "olcSuffix" and "olcRootDN" to match your domain, as below.

olcSuffix: dc=meetdarji,dc=com
olcRootDN: cn=Manager,dc=meetdarji,dc=com

Add the following three lines to the same entry.

olcRootPW: {SSHA}*************
olcTLSCertificateFile: /etc/pki/tls/certs/meetdarji.pem
olcTLSCertificateKeyFile: /etc/pki/tls/certs/meetdarjikey.pem

Replace the "olcRootPW" value with the hash you copied in step 3, then save and exit. The entry should now contain the lines shown above.


The suffix line names the domain for which the LDAP server provides information and should be changed to your domain name. The rootdn entry is the Distinguished Name (DN) for a user who is unrestricted by access controls or administrative limit parameters set for operations on the LDAP directory. The rootdn user can be thought of as the root user for the LDAP directory. In the configuration file, change the rootdn line from its default value as above.
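The same four changes, as an added example that is not part of the original post: an LDIF fed to ldapmodify over the local ldapi:/// socket instead of editing the files under slapd.d by hand (hand edits are what make slaptest report checksum errors in step 5). The domain meetdarji.com, the certificate paths and the '{SSHA}...' placeholder are assumptions; the TLS attributes are placed on cn=config because that is where the config schema defines them. Apply it only after the certificate files from step 7 exist, since slapd validates the TLS paths when they change.

```shell
#!/bin/sh
# Added example, not from the original post: the suffix / rootDN / rootPW /
# TLS settings from step 4, written as an LDIF for ldapmodify so that the
# checksums under slapd.d stay valid. Assumptions: domain meetdarji.com,
# certificate paths as in the post, and a placeholder for the slappasswd hash.

# Turn "meetdarji.com" into "dc=meetdarji,dc=com".
domain_to_dn() {
    printf 'dc=%s\n' "$1" | sed 's/\./,dc=/g'
}

# gen_config_modify_ldif DOMAIN ROOTPW_HASH OUTFILE
# "replace" creates an attribute that does not exist yet, so it covers both
# the values already present (olcSuffix, olcRootDN) and the new ones.
# The TLS attributes go on cn=config, where the config schema defines them.
gen_config_modify_ldif() {
    domain=$1; hash=$2; out=$3
    base=$(domain_to_dn "$domain")
    cat > "$out" <<EOF
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: $base
-
replace: olcRootDN
olcRootDN: cn=Manager,$base
-
replace: olcRootPW
olcRootPW: $hash

dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/pki/tls/certs/meetdarji.pem
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/pki/tls/certs/meetdarjikey.pem
EOF
}

# apply_config_ldif FILE: push the change into the running slapd as root over
# the local socket (SASL EXTERNAL), the same way step 6 loads the schemas.
apply_config_ldif() {
    ldapmodify -Y EXTERNAL -H ldapi:/// -f "$1"
}

# Usage on the server, with the hash from slappasswd and the step 7 certificate in place:
#   gen_config_modify_ldif meetdarji.com '{SSHA}...' /root/hdb-config.ldif
#   apply_config_ldif /root/hdb-config.ldif
```

Only the {SSHA} hash from slappasswd is written into the LDIF; the cleartext Manager password never touches the disk.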


5. Grant the Manager DN access to the monitor database:

Open /etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif and find the line starting with olcAccess; it is the rule that grants the root DN read access to the monitor database. In it, replace "dc=my-domain,dc=com" with "dc=meetdarji,dc=com" as below, so that the rule names the olcRootDN set in step 4.

# vi olcDatabase={1}monitor.ldif

Note: If no olcAccess directives are specified, the default access control policy, "to * by * read", allows all users (both authenticated and anonymous) read access.

Note: Access controls defined in the frontend are appended to all other databases' controls.

Verify the configuration:
# slaptest -u

Ignore the checksum errors for now; they appear because the files under slapd.d were edited by hand rather than through ldapmodify.


6. Configure the LDAP database:

Copy the sample database configuration file and give the ldap user ownership of the database directory, as below.

# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
# chown -R ldap:ldap /var/lib/ldap/

Add the following LDAP schemas:

# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

7. Create the self-signed certificate:

In step 4 we referenced certificate paths that do not exist yet. Create the self-signed certificate and its key:

# openssl req -new -x509 -nodes -out /etc/pki/tls/certs/meetdarji.pem -keyout /etc/pki/tls/certs/meetdarjikey.pem -days 365

Provide your company details at the prompts to generate the certificate.

Verify the created certificate and key under /etc/pki/tls/certs/:
# ll /etc/pki/tls/certs/*.pem
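As an added example (not the post's own command), the same certificate created without prompts, together with two checks worth running before slapd is pointed at the files: that the private key is readable only by its owner, and that the certificate really belongs to that key. The host name ldap.example.org, the organisation name and the output file names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: non-interactive self-signed
# certificate plus the checks a practitioner runs before enabling TLS.
# ldap.example.org, "Example Org" and the file names are assumptions.

# make_selfsigned_cert DIR CN DAYS -> DIR/ldap.pem (certificate), DIR/ldapkey.pem (key)
make_selfsigned_cert() {
    dir=$1; cn=$2; days=$3
    # umask in a subshell: the key file is created mode 0600 from the start,
    # without changing the umask of the calling shell.
    ( umask 077 && openssl req -new -x509 -nodes -newkey rsa:2048 -days "$days" \
        -subj "/O=Example Org/CN=$cn" \
        -out "$dir/ldap.pem" -keyout "$dir/ldapkey.pem" 2>/dev/null ) || return 1
    chmod 644 "$dir/ldap.pem"   # the certificate itself is public
    # On the server: chown ldap:ldap "$dir/ldapkey.pem", because slapd on
    # RHEL 7 runs as the ldap user and must be able to read the key.
}

# cert_matches_key CERT KEY: 0 when the public key inside CERT equals the
# public half of KEY, i.e. slapd is being given a matching pair.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# cert_valid_for CERT SECONDS: 0 if CERT does not expire within SECONDS.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Usage on the server (then move the pair to the paths given in step 4):
#   make_selfsigned_cert /root/ldap-tls ldap.meetdarji.com 365
#   cert_matches_key /root/ldap-tls/ldap.pem /root/ldap-tls/ldapkey.pem && echo pair ok
```

cert_valid_for gives an early warning of the expiry that -days 365 sets; once the certificate expires, clients configured for TLS stop authenticating even though slapd keeps running.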


8. Create base objects in OpenLDAP:

Creating the base objects uses the migration tools installed in step 1; their scripts are under /usr/share/migrationtools/.

Some predefined values in "migrate_common.ph" must be changed to match our domain name. To do that:

# cd /usr/share/migrationtools/
# vi migrate_common.ph
:set number

Go to line 71 and change the domain name ($DEFAULT_MAIL_DOMAIN).

Go to line 74 and change the base DN ($DEFAULT_BASE).

Go to line 90 and change $EXTENDED_SCHEMA from "0" to "1".

Finally, save and exit the file.


9. Generate a base.ldif file for your domain:

# vim /root/base.ldif

Paste the following lines into /root/base.ldif.


dn: dc=meetdarji,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: meetdarji com
dc: meetdarji

dn: cn=Manager,dc=meetdarji,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=People,dc=meetdarji,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=meetdarji,dc=com
objectClass: organizationalUnit
ou: Group

Replace meetdarji.com with your own domain, then save and exit. A blank line separates one entry from the next, so keep each entry's dn: line and its attributes together.
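Rather than hand-editing the four dn: lines for a new domain, the added example below (not from the original post) derives the base DN from the domain name and writes the same four entries, followed by a sanity check that can run before ldapadd. It assumes, as the post does, that the root DN is cn=Manager under the suffix.

```shell
#!/bin/sh
# Added example, not from the original post: generate base.ldif for any domain.
# Assumption: the root DN is cn=Manager under the suffix, as configured in step 4.

# Turn "meetdarji.com" into "dc=meetdarji,dc=com".
domain_to_dn() {
    printf 'dc=%s\n' "$1" | sed 's/\./,dc=/g'
}

# gen_base_ldif DOMAIN OUTFILE: suffix entry, Manager role, People and Group OUs.
gen_base_ldif() {
    domain=$1; out=$2
    base=$(domain_to_dn "$domain")
    first=${domain%%.*}          # leftmost label is the dc value of the suffix entry
    cat > "$out" <<EOF
dn: $base
objectClass: top
objectClass: dcObject
objectClass: organization
o: $domain
dc: $first

dn: cn=Manager,$base
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=People,$base
objectClass: organizationalUnit
ou: People

dn: ou=Group,$base
objectClass: organizationalUnit
ou: Group
EOF
}

# check_base_ldif FILE BASE_DN: 0 when the file holds four entries and the
# first dn is the suffix, the shape ldapadd expects for the base objects.
check_base_ldif() {
    f=$1; base=$2
    [ "$(grep -c '^dn: ' "$f")" -eq 4 ] && [ "$(sed -n '1p' "$f")" = "dn: $base" ]
}

# Usage on the server:
#   gen_base_ldif meetdarji.com /root/base.ldif
#   check_base_ldif /root/base.ldif "$(domain_to_dn meetdarji.com)" && echo base.ldif ok
```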


10. Create local users:

Let's create some local users and groups, then migrate them to LDAP. For testing purposes, I create two users as below.


# useradd ldapuser1
# useradd ldapuser2
# echo "redhat" | passwd --stdin ldapuser1
# echo "redhat" | passwd --stdin ldapuser2

Filter these users out of /etc/passwd into a separate file (the pattern is quoted and anchored so that only logins beginning with "ldapuser" match):
# grep '^ldapuser' /etc/passwd > /root/passwd

Filter their groups out of /etc/group the same way:
# grep '^ldapuser' /etc/group > /root/group

Now convert the two files to LDAP Data Interchange Format (LDIF).

Generate an LDIF file for the users:
# cd /usr/share/migrationtools/
# ./migrate_passwd.pl /root/passwd /root/users.ldif

Generate an LDIF file for the groups:
# ./migrate_group.pl /root/group /root/groups.ldif
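What migrate_passwd.pl and migrate_group.pl produce from those two files, as an added example written in awk rather than the migrationtools Perl (modeled on the EXTENDED_SCHEMA=1 output selected in step 8, and simplified): the passwd, shadow and group lines it runs on are constructed, and the base DN is assumed to be the one from step 4.

```shell
#!/bin/sh
# Added example, not the migrationtools code: the passwd/group -> LDIF
# conversion that migrate_passwd.pl and migrate_group.pl perform, in awk.
# The sample passwd, shadow and group lines are constructed, not copied.

BASE_DN="dc=meetdarji,dc=com"   # assumption: the suffix chosen in step 4

# passwd_to_ldif PASSWD SHADOW: one entry per passwd line under ou=People.
# The shadow file supplies userPassword as {crypt}<hash>; reading the real
# /etc/shadow is why the migration scripts are run as root on the server.
passwd_to_ldif() {
    awk -F: -v base="$BASE_DN" '
        FILENAME == ARGV[1] { hash[$1] = $2; next }     # shadow file: login -> hash
        {
            gecos = ($5 != "") ? $5 : $1
            n = split(gecos, w, " "); sn = w[n]           # surname = last word of GECOS
            printf "dn: uid=%s,ou=People,%s\n", $1, base
            printf "uid: %s\ncn: %s\nsn: %s\n", $1, gecos, sn
            print "objectClass: person\nobjectClass: organizationalPerson\nobjectClass: inetOrgPerson"
            print "objectClass: posixAccount\nobjectClass: shadowAccount\nobjectClass: top"
            if ($1 in hash) printf "userPassword: {crypt}%s\n", hash[$1]
            printf "loginShell: %s\nuidNumber: %s\ngidNumber: %s\nhomeDirectory: %s\n\n", $7, $3, $4, $6
        }' "$2" "$1"
}

# group_to_ldif GROUP: one posixGroup per line under ou=Group; members become memberUid.
group_to_ldif() {
    awk -F: -v base="$BASE_DN" '{
        printf "dn: cn=%s,ou=Group,%s\n", $1, base
        printf "objectClass: posixGroup\nobjectClass: top\ncn: %s\ngidNumber: %s\n", $1, $3
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") printf "memberUid: %s\n", m[i]
        print ""
    }' "$1"
}

# Constructed sample input: the shape that "grep '^ldapuser' /etc/passwd",
# the matching /etc/shadow lines and "grep '^ldapuser' /etc/group" yield.
SAMPLE_PASSWD='ldapuser1:x:1001:1001:LDAP User One:/home/ldapuser1:/bin/bash
ldapuser2:x:1002:1002:LDAP User Two:/home/ldapuser2:/bin/bash'
SAMPLE_SHADOW='ldapuser1:$6$constructed$hash1:17900:0:99999:7:::
ldapuser2:$6$constructed$hash2:17900:0:99999:7:::'
SAMPLE_GROUP='ldapuser1:x:1001:
ldapuser2:x:1002:ldapuser1'

# demo_migrate: write the samples to a temp dir, print users.ldif then groups.ldif.
demo_migrate() {
    d=$(mktemp -d) || return 1
    printf '%s\n' "$SAMPLE_PASSWD" > "$d/passwd"
    printf '%s\n' "$SAMPLE_SHADOW" > "$d/shadow"
    printf '%s\n' "$SAMPLE_GROUP"  > "$d/group"
    passwd_to_ldif "$d/passwd" "$d/shadow"
    group_to_ldif "$d/group"
    rm -rf "$d"
}
```

Running demo_migrate shows why the import order in step 11 matters: every dn produced here sits under ou=People or ou=Group, so base.ldif has to be loaded first.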




 
11. Import the users into the LDAP database:

Load the LDIF files into the LDAP database, starting with the base entries:

# ldapadd -x -W -D "cn=Manager,dc=meetdarji,dc=com" -f /root/base.ldif

Enter the Manager password when prompted.



ldap_bind: Invalid credentials (49): if you get this error, reset the Manager password as follows.

# slappasswd

Copy the hashed password from the output, "{SSHA}*********************".

# vim /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}hdb.ldif

Replace the "olcRootPW" value with the new hash, save and exit the file, then restart slapd:

# systemctl restart slapd.service

Now try again:

# ldapadd -x -W -D "cn=Manager,dc=meetdarji,dc=com" -f /root/base.ldif
# ldapadd -x -W -D "cn=Manager,dc=meetdarji,dc=com" -f /root/users.ldif
# ldapadd -x -W -D "cn=Manager,dc=meetdarji,dc=com" -f /root/groups.ldif

NOTE: each ldapadd prompts for the Manager password. Type the cleartext password you entered at slappasswd, not the {SSHA} hash that was placed in olcRootPW.


12. Test the configuration:

To test the configuration, search for the user "ldapuser1" in LDAP as below.
# ldapsearch -x cn=ldapuser1 -b dc=meetdarji,dc=com

To print every entry under the base, search with a match-all filter:
# ldapsearch -x -b 'dc=meetdarji,dc=com' '(objectclass=*)'
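A check to run on the ldapsearch output once the users are imported, added here as an example that is not part of the original post: it confirms that the entry exists under the expected DN and carries every attribute nss-pam-ldapd needs to resolve the account, handling LDIF line folding and the trailer ldapsearch prints. The sample output it is tested against is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: verify an imported user entry in
# ldapsearch output instead of eyeballing it. The sample output is constructed.

# ldif_entry_has_attrs DN ATTR... : reads LDIF on stdin; exits 0 when an entry
# with exactly that DN exists and carries every named attribute.
ldif_entry_has_attrs() {
    dn=$1; shift
    awk -v dn="$dn" -v attrs="$*" '
        function commit() {                      # process one unfolded logical line
            if (line == "") return
            if (line ~ /^dn: /) {
                found = (substr(line, 5) == dn)
                if (found) seen = 1
            } else if (found && match(line, /^[A-Za-z][A-Za-z0-9;-]*:/)) {
                have[tolower(substr(line, 1, RLENGTH - 1))] = 1
            }
            line = ""
        }
        BEGIN { n = split(attrs, a, " "); for (i = 1; i <= n; i++) need[tolower(a[i])] = 1 }
        /^ /  { line = line substr($0, 2); next }   # LDIF folded continuation line
        /^#/  { next }                              # ldapsearch comment lines
        /^$/  { commit(); found = 0; next }         # blank line ends the entry
        { commit(); line = $0 }
        END {
            commit()
            if (!seen) exit 1
            for (k in need) if (!(k in have)) exit 1
            exit 0
        }'
}

# check_posix_user UID BASE_DN: the attributes the client needs for getent/login.
check_posix_user() {
    ldif_entry_has_attrs "uid=$1,ou=People,$2" \
        uid uidNumber gidNumber homeDirectory loginShell userPassword
}

# Constructed sample of what "ldapsearch -x -b dc=meetdarji,dc=com uid=ldapuser1"
# prints, including one folded attribute and the search/result trailer.
SAMPLE_SEARCH='# extended LDIF
#
# LDAPv3
# base <dc=meetdarji,dc=com> with scope subtree
# filter: uid=ldapuser1
# requesting: ALL
#

# ldapuser1, People, meetdarji.com
dn: uid=ldapuser1,ou=People,dc=meetdarji,dc=com
uid: ldapuser1
cn: ldapuser1
sn: ldapuser1
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
userPassword:: e2NyeXB0fSQ2JGNvbnN0cnVjdGVkJGhhc2gx
loginShell: /bin/bash
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/ldapuser1
description: constructed sample entry, folded across
 two lines as LDIF allows

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1'

# Usage on the server:
#   ldapsearch -x -b dc=meetdarji,dc=com uid=ldapuser1 | check_posix_user ldapuser1 dc=meetdarji,dc=com && echo entry ok
```

Checking userPassword as well catches the case where the migration ran without access to /etc/shadow: the entry then resolves through getent but the user cannot log in.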


13. Stop firewalld to allow the connection.

# systemctl stop firewalld

If you would rather keep firewalld running, allow the ldap (389/tcp) and, once TLS is in use, ldaps (636/tcp) services through it instead.

The LDAP configuration is done, but we also need to share the LDAP users' home directories via NFS, so that users who log in on the client servers keep their data on the LDAP server. Here we use a simple fstab entry for testing; also watch the YouTube demo on configuring Linux clients for LDAP authentication against the OpenLDAP server.


14. NFS configuration to export the home directory.

Edit /etc/exports and add the entry below to export the home directory. The "*" lets any host mount the export; outside a lab, restrict it to the client's address or subnet.
# vi /etc/exports
/home *(rw,sync)

Save and exit the file.

Install, start and enable rpcbind and the NFS service.
# yum -y install rpcbind nfs-utils
# systemctl start rpcbind
# systemctl start nfs
# systemctl enable rpcbind
# systemctl enable nfs

Test the NFS configuration:
# showmount -e



OpenLDAP Client Configuration on RHEL7/Centos7

Log in to client01 (10.0.0.3) and follow these steps.

1. Configure the LDAP client to use the LDAP server

# yum install -y openldap-clients nss-pam-ldapd
# authconfig-tui

Steps to follow for LDAP authentication:

1. Mark "Use LDAP" with '*'
2. Mark "Use LDAP Authentication" with '*'
3. Select "Next" and press Enter.
4. Enter the server field as "ldap://10.0.0.2/" (ldap:// is an unencrypted connection; the same dialog offers "Use TLS" for the certificate created in step 7)
5. Enter the Base DN field as "dc=meetdarji,dc=com"
6. Select "OK" and press Enter


2. Test the client configuration.

Look up the LDAP users with getent as below. If they are returned, the LDAP configuration is working properly.

# getent passwd ldapuser1
# getent passwd ldapuser2




3. Mount the LDAP users' home directories:

Add the entry below to /etc/fstab to mount the LDAP users' home directories from the server.

10.0.0.2:/home   /home   auto  defaults 0 0

# mount -a

That's all from the client end. Now log in as an LDAP user to verify authentication:

# su - ldapuser1



Lastly, I hope the steps in this article to install and configure OpenLDAP on Linux were helpful. Let me know your suggestions and feedback in the comments section.


