
How to configure LDAP Server in RHEL/CentOS

To configure LDAP in RHEL7/CentOS

LDAP stands for Lightweight Directory Access Protocol. It is the protocol used to query and update a directory service, and it is commonly used to centralise user accounts so that every client on the network authenticates against one server. The directory holds the account records (user name, UID and GID, group membership, password hash, login shell and home directory path), so users do not need a local account on each client. LDAP itself does not serve files; in this tutorial the users' home directories are shared separately over NFS.

Setup Environment

LDAP Server: IP 192.168.5.88, hostname server.linuxhelp.com
LDAP Client: IP 192.168.5.89, hostname client.linuxhelp.com

Requirements

  • Make sure the client and the server can reach each other by IP address and by hostname.
  • You need DNS (Domain Name System) to resolve the hostnames of server and client, or a static mapping as described in the note below.

Note: If you do not have DNS, add entries to /etc/hosts on both machines so that the names resolve.

Below is an example /etc/hosts entry.

192.168.5.88 server.linuxhelp.com
192.168.5.89 client.linuxhelp.com

To configure LDAP Server

Install the packages for the LDAP server. The openldap* glob also pulls in openldap-devel and compat-openldap, which a server does not need; openldap-servers and openldap-clients are sufficient. migrationtools provides the Perl scripts used later to convert local accounts into LDIF.

[root@linuxhelp ~]# yum install openldap* migrationtools -y
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
Package openldap-2.4.39-3.el7.x86_64 already installed and latest version
Resolving Dependencies
--> Running transaction check
---> Package compat-openldap.x86_64 1:2.3.43-5.el7 will be installed
.
.
.
clients.x86_64 0:2.4.39-3.el7       
  openldap-devel.x86_64 0:2.4.39-3.el7         openldap-servers.x86_64 0:2.4.39-3.el7       

Dependency Installed:
  cyrus-sasl-devel.x86_64 0:2.1.26-17.el7                                                                                                   

Complete!

Once the installation is complete, set a password for the LDAP administrator (the RootDN, cn=Manager) with slappasswd.

[root@linuxhelp ~]# slappasswd
New password: 
Re-enter new password: 
{SSHA}b28RwTpbqZ5/kxro785tKExdK4uyOX7T

slappasswd prints a salted SHA-1 hash of the password (the {SSHA} prefix names the scheme); it is a hash, not an encrypted copy of the password. Keep this string, as it goes into the olcRootPW attribute when editing the LDAP configuration below. Treat it as sensitive: the hash can be cracked offline if it leaks.

The server configuration lives under /etc/openldap/slapd.d/cn=config as LDIF files. Change into that directory and edit olcDatabase={2}hdb.ldif (the user database) and olcDatabase={1}monitor.ldif (the monitor backend) as follows. Editing these files by hand is only safe while slapd is stopped, which is the case on a fresh install; the supported way to change cn=config on a running server is ldapmodify over ldapi:///.

[root@linuxhelp ~]# cd /etc/openldap/slapd.d/cn=config
[root@linuxhelp cn=config]# ls -l
total 20
drwxr-x---. 2 ldap ldap  28 May 15 00:33 cn=schema
-rw-------. 1 ldap ldap 378 May 15 00:33 cn=schema.ldif
-rw-------. 1 ldap ldap 513 May 15 00:33 olcDatabase={0}config.ldif
-rw-------. 1 ldap ldap 408 May 15 00:33 olcDatabase={-1}frontend.ldif
-rw-------. 1 ldap ldap 562 May 15 00:33 olcDatabase={1}monitor.ldif
-rw-------. 1 ldap ldap 609 May 15 00:33 olcDatabase={2}hdb.ldif
[root@linuxhelp cn=config]# vim olcDatabase={2}hdb.ldif

Now edit the olcSuffix and olcRootDN attributes as follows.
Note: replace dc=my-domain,dc=com with your own domain written as domain components. For the example domain linuxhelp.com this is dc=linuxhelp,dc=com.

olcSuffix: dc=linuxhelp,dc=com
olcRootDN: cn=Manager,dc=linuxhelp,dc=com

Then append the following lines to the end of the file. For olcRootPW use the {SSHA} hash generated above, and for the two olcTLS attributes give the paths of the certificate and private key that will be created later. Strictly, the olcTLS* attributes are global settings that belong on the cn=config entry (olcGlobal); keeping them there is required if you ever set them with ldapmodify, because the database entry's object classes do not allow them.

olcRootPW: {SSHA}b28RwTpbqZ5/kxro785tKExdK4uyOX7T
olcTLSCertificateFile: /etc/pki/tls/certs/linuxhelp.pem
olcTLSCertificateKeyFile: /etc/pki/tls/certs/linuxhelpkey.pem

Now edit olcDatabase={1}monitor.ldif in the same directory and replace dc=my-domain,dc=com in the olcAccess line so that the Manager DN matches your RootDN. This rule lets only local root (over the ldapi socket) and the RootDN read the monitor backend.

[root@linuxhelp cn=config]# vim olcDatabase={1}monitor.ldif

olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external, cn=auth" read by dn.base="cn=Manager,dc=linuxhelp,dc=com" read by * none

Then verify the configuration with slaptest.

[root@linuxhelp cn=config]# slaptest -u
5737a49a ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif"
5737a49a ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif"
config file testing succeeded

slaptest reports success. The checksum errors are expected after hand editing: every file under slapd.d carries a CRC32 of its contents in the comment header, and slapd only warns when it no longer matches. To avoid them entirely, make cn=config changes with ldapmodify over ldapi:/// once slapd is running. Start and enable the service:

[root@linuxhelp cn=config]# systemctl start slapd
[root@linuxhelp cn=config]# systemctl enable slapd
ln -s '/usr/lib/systemd/system/slapd.service' '/etc/systemd/system/multi-user.target.wants/slapd.service'
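With slapd running, the same settings can be applied through the ldapi:/// socket with ldapmodify, which is the supported way to change cn=config and leaves the checksums intact. The script below is an added example and not part of the original tutorial. It builds the LDIF for the olcSuffix, olcRootDN, olcRootPW and monitor ACL changes shown above, puts the olcTLS* attributes on cn=config (they are global settings, and slapd rejects them on the database entry when they arrive via ldapmodify), and only talks to slapd when invoked as "apply <hash>"; without arguments it prints the LDIF. The private key path under /etc/pki/tls/private is an assumption of this example, not the tutorial's path.

```bash
#!/bin/bash
# Added example (not from the original tutorial): configure the hdb database,
# the global TLS settings and the monitor ACL through ldapmodify over ldapi:///
# instead of hand-editing /etc/openldap/slapd.d. Run as root on the server
# while slapd is running; SASL EXTERNAL over the Unix socket maps root to the
# cn=config administrator, so no password is needed.

SUFFIX="dc=linuxhelp,dc=com"
ROOTDN="cn=Manager,dc=linuxhelp,dc=com"
CERT="/etc/pki/tls/certs/linuxhelp.pem"
# Assumption: the private key lives in private/ (root:ldap, mode 0640), not
# world-readable in certs/ as in the tutorial's listing.
KEY="/etc/pki/tls/private/linuxhelpkey.pem"

# LDIF for the database entry. One "changetype: modify" may carry several
# changes separated by "-" lines. "replace" creates the attribute if it is
# absent, so the same LDIF works on a fresh install and on an edited one.
db_ldif() {
    rootpw_hash="$1"    # the {SSHA} string printed by slappasswd
    cat <<EOF
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: $SUFFIX
-
replace: olcRootDN
olcRootDN: $ROOTDN
-
replace: olcRootPW
olcRootPW: $rootpw_hash
EOF
}

# TLS files are attributes of the global cn=config entry (olcGlobal); adding
# them to olcDatabase={2}hdb with ldapmodify fails with an object class violation.
tls_ldif() {
    cat <<EOF
dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: $CERT
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: $KEY
EOF
}

# Monitor backend: readable only by local root (over ldapi) and the RootDN.
monitor_ldif() {
    cat <<EOF
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="$ROOTDN" read by * none
EOF
}

# ldapmodify reads several entries from stdin when they are blank-line separated.
apply_config() {
    { db_ldif "$1"; echo; tls_ldif; echo; monitor_ldif; } \
        | ldapmodify -Y EXTERNAL -H ldapi:/// -Q
}

# Read the result back from cn=config to confirm what slapd actually holds
# (olcRootPW is deliberately not requested).
show_config() {
    ldapsearch -Y EXTERNAL -H ldapi:/// -Q -LLL -b cn=config \
        '(|(cn=config)(olcDatabase={2}hdb)(olcDatabase={1}monitor))' \
        olcSuffix olcRootDN olcTLSCertificateFile olcTLSCertificateKeyFile olcAccess
}

case "${1:-}" in
    apply) apply_config "$2" && show_config ;;
    show)  show_config ;;
    *)     # dry run: print the LDIF with a placeholder hash
           db_ldif '{SSHA}REPLACE-WITH-SLAPPASSWD-OUTPUT'; echo; tls_ldif; echo; monitor_ldif ;;
esac
```

Run it as "./ldap-config.sh apply '{SSHA}...'" with the hash from slappasswd; "show" prints the relevant attributes afterwards. Because every change uses replace, re-running it is harmless.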

Copy the example Berkeley DB configuration into the database directory and make sure everything under /var/lib/ldap is owned by the ldap user and group (slapd runs as that user). DB_CONFIG is read when the database environment is opened, so restart slapd after copying it.

[root@linuxhelp cn=config]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@linuxhelp cn=config]# chown -R ldap:ldap /var/lib/ldap/

Add the following schemas. cosine, nis and inetorgperson provide the posixAccount, shadowAccount, posixGroup and inetOrgPerson object classes that the migration scripts use for the user and group entries.

[root@linuxhelp cn=config]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"
[root@linuxhelp cn=config]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"
[root@linuxhelp cn=config]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"

Generate the self-signed certificate and private key referenced in the configuration. openssl prompts for the subject fields; the Common Name must be the server's hostname (server.linuxhelp.com), because clients compare it against the name they connect to. -nodes leaves the key unencrypted, which slapd needs in order to load it at start-up, so the file itself must be protected by permissions.

[root@linuxhelp cn=config]# openssl req -new -x509 -nodes -out /etc/pki/tls/certs/linuxhelp.pem -keyout /etc/pki/tls/certs/linuxhelpkey.pem -days 365
Generating a 2048 bit RSA private key
...........................................+++
..............................................................................................................+++
writing new private key to '/etc/pki/tls/certs/linuxhelpkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:linuxhelp
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:server.linuxhelp.com
Email Address []:

Verify that the two files were written. Note the permissions in the listing: the private key is world-readable (0644) and sits in the public certs directory. Before slapd uses it, restrict it so that only root and the ldap user can read it, for example root:ldap with mode 0640, and keep it out of certs/; anyone who can read this file can impersonate the server.

[root@linuxhelp cn=config]# ls -l /etc/pki/tls/certs/*.pem
-rw-r--r--. 1 root root 1704 May 15 03:52 /etc/pki/tls/certs/linuxhelpkey.pem
-rw-r--r--. 1 root root 1318 May 15 03:52 /etc/pki/tls/certs/linuxhelp.pem
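The following script is an added example, not part of the original tutorial. It regenerates the pair non-interactively with the hostname both as CN and as a subjectAltName (which is what current clients check), writes the key straight into /etc/pki/tls/private under a restrictive umask, sets it to root:ldap 0640 so that only slapd can read it, and checks that certificate and key belong together. The private/ path and the ldap user are assumptions of the example; whatever path you choose must match olcTLSCertificateKeyFile.

```bash
#!/bin/bash
# Added example (not from the original tutorial): self-signed certificate with a
# subjectAltName, private key kept unreadable to anyone but root and slapd.
# Assumptions: slapd runs as user "ldap" (the RHEL/CentOS default) and the key
# path below is the one olcTLSCertificateKeyFile points to.

HOST="server.linuxhelp.com"
CERT="/etc/pki/tls/certs/linuxhelp.pem"
KEY="/etc/pki/tls/private/linuxhelpkey.pem"

# openssl req config: the CN is the hostname and the same name is repeated in
# a SAN extension; "prompt = no" replaces the interactive questions.
san_config() {
    host="$1"
    cat <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_server
prompt = no
[dn]
O = linuxhelp
OU = linux
CN = $host
[v3_server]
subjectAltName = DNS:$host
extendedKeyUsage = serverAuth
basicConstraints = CA:FALSE
EOF
}

# Owner root, group of the slapd user, mode 0640: slapd can read the key,
# nobody else can copy it off the box.
restrict_key() {
    keyfile="$1"; owner_group="$2"
    chown "$owner_group" "$keyfile" && chmod 0640 "$keyfile"
}

generate_pair() {
    cfg=$(mktemp)
    san_config "$HOST" > "$cfg"
    # umask 077 in a subshell: the key is never world-readable, not even briefly
    (umask 077 && openssl req -new -x509 -nodes -days 365 -newkey rsa:2048 \
        -config "$cfg" -keyout "$KEY" -out "$CERT")
    rm -f "$cfg"
    restrict_key "$KEY" root:ldap
    chmod 0644 "$CERT"          # the certificate is public
}

# The certificate must be the public half of the key slapd will load: compare
# the RSA moduli. Then show subject, SAN and validity so the expiry is visible.
verify_pair() {
    cm=$(openssl x509 -noout -modulus -in "$CERT")
    km=$(openssl rsa  -noout -modulus -in "$KEY")
    [ "$cm" = "$km" ] || { echo "certificate and key do not match" >&2; return 1; }
    openssl x509 -noout -subject -dates -in "$CERT"
    openssl x509 -noout -text -in "$CERT" | grep -A1 'Subject Alternative Name'
}

case "${1:-}" in
    generate) generate_pair && verify_pair ;;
    verify)   verify_pair ;;
    *)        san_config "$HOST" ;;   # dry run: show the openssl config
esac
```

After "generate", restart slapd so it picks up the new files, and copy only linuxhelp.pem (never the key) to clients that should validate the server.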

Now change into /usr/share/migrationtools/ and edit migrate_common.ph, which holds the defaults the migration scripts use.

[root@linuxhelp cn=config]# cd /usr/share/migrationtools/
[root@linuxhelp migrationtools]# vim migrate_common.ph

Go to line 71 and set the default mail domain to your domain.

$DEFAULT_MAIL_DOMAIN = "linuxhelp.com";

Then set the base DN on line 74.

$DEFAULT_BASE = "dc=linuxhelp,dc=com";

Go to line 90 and set EXTENDED_SCHEMA to 1, so that the generated user entries also get the inetOrgPerson object class and a mail attribute built from the mail domain above.

$EXTENDED_SCHEMA = 1;

Create the base.ldif file that defines the top of the tree for the domain.

[root@linuxhelp migrationtools]# vim /root/base.ldif

Create entries like the following, substituting your own domain throughout.

dn: dc=linuxhelp,dc=com
objectClass: top
objectClass: dcObject
objectclass: organization
o: linuxhelp com
dc: linuxhelp

dn: cn=Manager,dc=linuxhelp,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=People,dc=linuxhelp,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=linuxhelp,dc=com
objectClass: organizationalUnit
ou: Group

Create the LDAP users as local accounts on the server and set their passwords. The migration scripts read the local account data, including the password hashes from /etc/shadow, to build the LDIF, so these are the passwords the users will log in with from the client.

[root@linuxhelp migrationtools]# useradd ldapuser1
[root@linuxhelp migrationtools]# useradd ldapuser2
[root@linuxhelp migrationtools]# passwd ldapuser1
Changing password for user ldapuser1.
New password: 
Retype new password: 
passwd: all authentication tokens updated successfully.
[root@linuxhelp migrationtools]# passwd ldapuser2
Changing password for user ldapuser2.
New password: 
Retype new password: 
passwd: all authentication tokens updated successfully.

Copy only the lines for the LDAP users from /etc/passwd and /etc/group into two new files, so that system accounts are not migrated into the directory.

[root@linuxhelp migrationtools]# tail /etc/passwd
pulse:x:171:171:PulseAudio System Daemon:/var/run/pulse:/sbin/nologin
gdm:x:42:42::/var/lib/gdm:/sbin/nologin
gnome-initial-setup:x:993:991::/run/gnome-initial-setup/:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
user1:x:1000:1000:user1:/home/user1:/bin/bash
ldap:x:55:55:OpenLDAP server:/var/lib/ldap:/sbin/nologin
ldapuser1:x:1001:1001::/home/ldapuser1:/bin/bash
ldapuser2:x:1002:1002::/home/ldapuser2:/bin/bash
[root@linuxhelp migrationtools]# vim /root/passwd

ldapuser1:x:1001:1001::/home/ldapuser1:/bin/bash
ldapuser2:x:1002:1002::/home/ldapuser2:/bin/bash
[root@linuxhelp migrationtools]# tail /etc/group
stapdev:x:158:
slocate:x:21:
postdrop:x:90:
postfix:x:89:
sshd:x:74:
tcpdump:x:72:
user1:x:1000:user1
ldap:x:55:
ldapuser1:x:1001:
ldapuser2:x:1002:
[root@linuxhelp migrationtools]# vim /root/group

ldapuser1:x:1001:
ldapuser2:x:1002:

Convert the two files to LDIF (LDAP Data Interchange Format) with the migration scripts. users.ldif now contains the password hashes, so keep it readable by root only and delete it once it has been imported.

[root@linuxhelp migrationtools]# ./migrate_passwd.pl /root/passwd /root/users.ldif
[root@linuxhelp migrationtools]# ./migrate_group.pl /root/group /root/groups.ldif

Now import the three LDIF files under /root (base, users and groups, in that order) into the LDAP database, binding as the Manager DN with the password chosen with slappasswd.

[root@linuxhelp migrationtools]# ldapadd -x -W -D "cn=Manager,dc=linuxhelp,dc=com" -f /root/base.ldif
Enter LDAP Password: 
adding new entry "dc=linuxhelp,dc=com"
adding new entry "cn=Manager,dc=linuxhelp,dc=com"
adding new entry "ou=People,dc=linuxhelp,dc=com"
adding new entry "ou=Group,dc=linuxhelp,dc=com"
[root@linuxhelp migrationtools]# ldapadd -x -W -D "cn=Manager,dc=linuxhelp,dc=com" -f /root/users.ldif 
Enter LDAP Password: 
adding new entry "uid=ldapuser1,ou=People,dc=linuxhelp,dc=com"
adding new entry "uid=ldapuser2,ou=People,dc=linuxhelp,dc=com"
[root@linuxhelp migrationtools]# ldapadd -x -W -D "cn=Manager,dc=linuxhelp,dc=com" -f /root/groups.ldif 
Enter LDAP Password: 
adding new entry "cn=ldapuser1,ou=Group,dc=linuxhelp,dc=com"
adding new entry "cn=ldapuser2,ou=Group,dc=linuxhelp,dc=com"

Check that the entries were imported. Both searches below bind anonymously (-x with no -D) and still return userPassword for every account. That is the default on a fresh olcDatabase={2}hdb, which has no olcAccess rules, so anyone who can reach port 389 can dump the password hashes and crack them offline. Note also that the migrated group entries carry a meaningless userPassword of {crypt}x (that is what the base64 value e2NyeXB0fXg= decodes to). Add access rules that hide userPassword (self write, anonymous auth, everyone else none) before putting the server on a network.

[root@linuxhelp migrationtools]# ldapsearch -x cn=ldapuser1 -b dc=linuxhelp,dc=com
# extended LDIF
#
# LDAPv3
# base <dc=linuxhelp,dc=com> with scope subtree
# filter: cn=ldapuser1
# requesting: ALL
#

# ldapuser1, People, linuxhelp.com
dn: uid=ldapuser1,ou=People,dc=linuxhelp,dc=com
uid: ldapuser1
cn: ldapuser1
sn: ldapuser1
mail: ldapuser1@linuxhelp.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQ2JFhuYVphQ0JnJFFrYVdaOWgzLjYwbHNaS0I1LlduVTFMUVZkem1
 6aHJpb3E0c2pwNTFvRGRMMFFBNlgzTkJWMDgucm1lbmpBcjJ1dlFISjdBMGhzM2JLWktES2RDWXEv
shadowLastChange: 16935
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/ldapuser1

# ldapuser1, Group, linuxhelp.com
dn: cn=ldapuser1,ou=Group,dc=linuxhelp,dc=com
objectClass: posixGroup
objectClass: top
cn: ldapuser1
userPassword:: e2NyeXB0fXg=
gidNumber: 1001

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2
[root@linuxhelp migrationtools]# ldapsearch -x -b 'dc=linuxhelp,dc=com' '(objectclass=*)'
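Since both searches above expose userPassword to anonymous binds, the added example below (not part of the original tutorial) installs access rules on the hdb database: a user may change their own password, anonymous clients may use the attribute only to bind (which is all pam_ldap/nslcd need), and nobody else can read it, while the rest of the tree stays readable because nslcd in this setup looks users up without binding. It also includes a small check that scans ldapsearch output for userPassword lines so the rule can be confirmed; the sample lines fed to it in the test are constructed for illustration.

```bash
#!/bin/bash
# Added example (not from the original tutorial): protect userPassword with
# olcAccess rules on olcDatabase={2}hdb, then verify with an anonymous search.
# Run as root on the server with slapd running.

BASE="dc=linuxhelp,dc=com"

# Rule order matters: the first "to" clause matching the target attribute wins,
# so the userPassword rule must come before the catch-all.
#   by self write      -> users can change their own password (passwd on a client)
#   by anonymous auth  -> the value may be used for a bind, never read
#   by * none          -> everyone else, including other users, sees nothing
# shadowLastChange must stay writable by the user so passwd can update it.
# The RootDN is not listed because it bypasses access control entirely.
acl_ldif() {
    cat <<EOF
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to attrs=shadowLastChange by self write by * read
olcAccess: {2}to * by * read
EOF
}

apply_acl() {
    acl_ldif | ldapmodify -Y EXTERNAL -H ldapi:/// -Q
}

# Exit 0 if the ldapsearch output on stdin contains any userPassword value
# (both the "userPassword:" and base64 "userPassword::" forms), 1 otherwise.
exposes_password_hashes() {
    grep -qi '^userPassword:'
}

# Anonymous search over all accounts: after the ACL no hash may come back.
check_anonymous() {
    if ldapsearch -x -LLL -b "$BASE" '(objectclass=posixAccount)' userPassword \
        | exposes_password_hashes; then
        echo "FAIL: userPassword is readable anonymously" >&2
        return 1
    fi
    echo "OK: userPassword hidden from anonymous binds"
}

case "${1:-}" in
    apply) apply_acl && check_anonymous ;;
    check) check_anonymous ;;
    *)     acl_ldif ;;    # dry run: print the LDIF
esac
```

Run "./ldap-acl.sh apply" once, then "check" at any time; a user can still authenticate because binding only needs the auth privilege, and "passwd" on the client keeps working through the self write rule.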
# extended LDIF
#
# LDAPv3
# base <dc=linuxhelp,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# linuxhelp.com
dn: dc=linuxhelp,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: linuxhelp com
dc: linuxhelp

# Manager, linuxhelp.com
dn: cn=Manager,dc=linuxhelp,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory Manager

# People, linuxhelp.com
dn: ou=People,dc=linuxhelp,dc=com
objectClass: organizationalUnit
ou: People

# Group, linuxhelp.com
dn: ou=Group,dc=linuxhelp,dc=com
objectClass: organizationalUnit
ou: Group

# ldapuser1, People, linuxhelp.com
dn: uid=ldapuser1,ou=People,dc=linuxhelp,dc=com
uid: ldapuser1
cn: ldapuser1
sn: ldapuser1
mail: ldapuser1@linuxhelp.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQ2JFhuYVphQ0JnJFFrYVdaOWgzLjYwbHNaS0I1LlduVTFMUVZkem1
 6aHJpb3E0c2pwNTFvRGRMMFFBNlgzTkJWMDgucm1lbmpBcjJ1dlFISjdBMGhzM2JLWktES2RDWXEv
shadowLastChange: 16935
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/ldapuser1

# ldapuser2, People, linuxhelp.com
dn: uid=ldapuser2,ou=People,dc=linuxhelp,dc=com
uid: ldapuser2
cn: ldapuser2
sn: ldapuser2
mail: ldapuser2@linuxhelp.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQ2JEc1MC5hU0JiJHNud0FjNVUyMGh3OHpWNVdoN3dWZEJFV01MNjV
 RbzZLcUdJTWpSTXJaZkZ4dUxjZlNESTUzZXBraTlGeXZ0bnlpRHlMUUdnVzd2dWVod3JCMjVkLnEv
shadowLastChange: 16935
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1002
gidNumber: 1002
homeDirectory: /home/ldapuser2

# ldapuser1, Group, linuxhelp.com
dn: cn=ldapuser1,ou=Group,dc=linuxhelp,dc=com
objectClass: posixGroup
objectClass: top
cn: ldapuser1
userPassword:: e2NyeXB0fXg=
gidNumber: 1001

# ldapuser2, Group, linuxhelp.com
dn: cn=ldapuser2,ou=Group,dc=linuxhelp,dc=com
objectClass: posixGroup
objectClass: top
cn: ldapuser2
userPassword:: e2NyeXB0fXg=
gidNumber: 1002

# search result
search: 2
result: 0 Success

# numResponses: 9
# numEntries: 8

Now allow the LDAP service (389/tcp) through the firewall. This opens only the plain ldap port; ldaps (636) is not opened here, and nothing configured so far forces TLS, so a client set up without TLS sends each user's password in clear text when it binds. Enable TLS on the client (the "Use TLS" option in authconfig-tui, which needs the server certificate on the client) or open and use ldaps as well.

[root@linuxhelp migrationtools]# firewall-cmd --permanent --add-service=ldap
success
[root@linuxhelp migrationtools]# firewall-cmd --reload
Success

The LDAP server is now configured, but the users' home directories must also be reachable from the client, otherwise logins fail with "home directory not found". This tutorial exports /home over NFS and mounts it on the client with autofs. Make sure the NFS packages are installed on the server, then export the directory in /etc/exports. The export below uses *, which lets any host mount /home; outside a lab, restrict it to the client's hostname or subnet, for example client.linuxhelp.com(rw,sync). If firewalld is enforcing on the server, allow the nfs service as well.

[root@linuxhelp migrationtools]# vim /etc/exports
/home  *(rw,sync)

Now start and enable the NFS server.

[root@linuxhelp migrationtools]# systemctl start nfs-server
[root@linuxhelp migrationtools]# systemctl enable nfs-server
ln -s '/usr/lib/systemd/system/nfs-server.service' '/etc/systemd/system/nfs.target.wants/nfs-server.service'

To Configure Client for LDAP Authentication

Install the LDAP client packages.

[root@linuxhelp ~]# yum install openldap-clients nss-pam-ldapd -y
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
 * base: ftp.iitm.ac.in
 * extras: ftp.iitm.ac.in
 * updates: ftp.iitm.ac.in
Resolving Dependencies
--> Running transaction check
---> Package nss-pam-ldapd.x86_64 0:0.8.13-8.el7 will be installed
.
.
.
Dependency Updated:
  glibc.x86_64 0:2.17-106.el7_2.6            glibc-common.x86_64 0:2.17-106.el7_2.6            openldap.x86_64 0:2.4.40-9.el7_2           

Complete!

Now set up LDAP authentication with authconfig-tui. In the first dialog tick "Use LDAP" under User Information and "Use LDAP Authentication" under Authentication; in the LDAP Settings dialog enter the server (ldap://server.linuxhelp.com) and the base DN (dc=linuxhelp,dc=com), and tick "Use TLS" if you have copied the server certificate to the client. authconfig-tui writes /etc/nslcd.conf, /etc/nsswitch.conf and the PAM configuration and starts nslcd.

[root@linuxhelp ~]# authconfig-tui

[two screenshots of the authconfig-tui dialogs]
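The dialogs above can be replaced by a single authconfig command, which is easier to repeat on many clients and to review. The script below is an added example, not part of the original tutorial, and it turns StartTLS on so that PAM binds do not carry passwords in clear text. It assumes the server's certificate (linuxhelp.pem, never the key) has been copied to the CACERT path on the client, that the client resolves server.linuxhelp.com, and that the certificate's CN or SAN is that hostname. Without arguments it only prints the authconfig options it would use.

```bash
#!/bin/bash
# Added example (not from the original tutorial): non-interactive equivalent of
# the authconfig-tui dialogs, with StartTLS enabled. Run as root on the client.
# Assumptions: the server certificate has been copied to CACERT and the server
# hostname resolves and matches the certificate.

SERVER="server.linuxhelp.com"
BASE="dc=linuxhelp,dc=com"
CACERT="/etc/openldap/cacerts/linuxhelp.pem"

# Options for authconfig: LDAP for user information (nsswitch) and for
# authentication (PAM), TLS on, and --update to write nslcd.conf,
# nsswitch.conf and the PAM stack. Printed one per line.
authconfig_args() {
    printf '%s\n' \
        --enableldap --enableldapauth \
        "--ldapserver=ldap://$1" "--ldapbasedn=$2" \
        --enableldaptls --update
}

configure_client() {
    [ -r "$CACERT" ] || { echo "copy the server certificate to $CACERT first" >&2; return 1; }
    # authconfig points nslcd at /etc/openldap/cacerts; add an OpenSSL-style
    # hashed name next to the PEM for libldap builds that look certificates up by hash
    ln -sf "$CACERT" "$(dirname "$CACERT")/$(openssl x509 -noout -hash -in "$CACERT").0"
    # make the CA known to the command-line tools (ldapsearch, ldapwhoami) too
    grep -q '^TLS_CACERT' /etc/openldap/ldap.conf 2>/dev/null \
        || echo "TLS_CACERT $CACERT" >> /etc/openldap/ldap.conf
    # shellcheck disable=SC2046  (options contain no spaces, word splitting is intended)
    authconfig $(authconfig_args "$SERVER" "$BASE")
}

# Checks to run after --update: does NSS resolve the user, and does a StartTLS
# session to the server actually succeed? -ZZ makes ldapsearch fail hard if
# StartTLS cannot be negotiated or the certificate does not verify.
verify_client() {
    user="$1"
    getent passwd "$user" || { echo "NSS does not resolve $user" >&2; return 1; }
    ldapsearch -x -ZZ -H "ldap://$SERVER" -b "$BASE" -s base -LLL dn \
        || { echo "StartTLS to $SERVER failed; check the certificate and $CACERT" >&2; return 1; }
}

case "${1:-}" in
    configure) configure_client ;;
    verify)    verify_client "${2:-ldapuser1}" ;;
    *)         authconfig_args "$SERVER" "$BASE" ;;   # dry run
esac
```

Run "configure" once, then "verify ldapuser1"; if the StartTLS check fails, fix the certificate before letting users log in, because nslcd will otherwise refuse or, if TLS is turned off, fall back to clear-text binds.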

Now check that the client resolves LDAP users through NSS.

[root@linuxhelp ~]# getent passwd ldapuser1
ldapuser1:x:1001:1001:ldapuser1:/home/ldapuser1:/bin/bash

ldapuser1 is resolved from the LDAP server, so try to log in as that user.

[root@linuxhelp ~]# su - ldapuser1
su: warning: cannot change directory to /home/ldapuser1: No such file or directory
mkdir: cannot create directory '/home/ldapuser1': Permission denied
-bash-4.2$ logout

The login itself works (the prompt changes to the ldapuser1 shell), but the home directory does not exist on the client and the user cannot create it under /home. Mount the home directories exported by the server with autofs. First install the autofs package.

[root@linuxhelp ~]# yum install autofs -y
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
 * base: ftp.iitm.ac.in
 * extras: ftp.iitm.ac.in
 * updates: ftp.iitm.ac.in
Resolving Dependencies
--> Running transaction check
---> Package autofs.x86_64 1:5.0.7-54.el7 will be installed
.
.
.
Installed:
  autofs.x86_64 1:5.0.7-54.el7                                                                                                              
Dependency Installed:
  hesiod.x86_64 0:3.2.1-3.el7                                                                                                               
Complete!

Now edit /etc/auto.master and /etc/auto.misc as follows so that each user's home directory is mounted from the server on first access; the wildcard map entry substitutes the requested directory name for &. The soft option makes I/O return errors when the server stops responding instead of blocking; for home directories a hard mount is the usual choice, because soft mounts can lose writes.

[root@linuxhelp ~]# vim /etc/auto.master
/home	/etc/auto.misc
[root@linuxhelp ~]# vim /etc/auto.misc
* -fstype=nfs,rw,nosuid,soft  server.linuxhelp.com:/home/& 

Now restart and enable the autofs service, then log in as the LDAP user again.

[root@linuxhelp ~]# systemctl restart autofs
[root@linuxhelp ~]# systemctl enable autofs
ln -s '/usr/lib/systemd/system/autofs.service' '/etc/systemd/system/multi-user.target.wants/autofs.service'
[root@linuxhelp ~]# su - ldapuser1
Last login: Sun May 15 04:34:03 IST 2016 on pts/1
[ldapuser1@linuxhelp ~]$

Thank you for using Linux Help.

For more help topics browse our website www.linuxhelp.com
