OpenLDAP Server Configuration on RHEL7/Centos7

SHORT INTRODUCTION

Openldap

An SSL/TLS certificate (Secure Sockets Layer; also called a digital certificate) is used to encrypt and authenticate the communication between a client such as a browser and the server.

Log in to the main server – 192.168.33.25

Step 1: Install the required "Openldap" Packages:

[root@fosnix ~]# yum -y install openldap* migrationtools

Create the LDAP root password for administration purposes:

[root@fosnix ~]# slappasswd
New password:
Re-enter new password:
{SSHA}MPxEsQsKYHLoXhXN+mSggQAg5RJvSRY4

Copy the hashed password shown above (“{SSHA}MPxEsQsKYHLoXhXN+mSggQAg5RJvSRY4”) and keep it for Step 2.

Step 2: Changes in OpenLDAP Server Configuration

[root@fosnix ~]# cd /etc/openldap/slapd.d/cn=config
[root@fosnix cn=config]# vi olcDatabase={2}hdb.ldif

Change the existing “olcSuffix” and “olcRootDN” values to your domain. For the example.com domain used in this guide they become dc=example,dc=com and cn=Manager,dc=example,dc=com (the same DN used with ldapadd in Step 9).

Then paste the three lines below into the same file, replacing the “olcRootPW” hash with the one you copied in Step 1. The certificate paths must match the files created in Step 4:

olcRootPW: {SSHA}MPxEsQsKYHLoXhXN+mSggQAg5RJvSRY4
olcTLSCertificateFile: /etc/pki/tls/certs/fosnix.pem
olcTLSCertificateKeyFile: /etc/pki/tls/certs/fosnixkey.pem

Save & exit

Step 3 : Provide the Monitor Privileges

Open the monitor database file with the command below, go to the “olcAccess” line and replace the default “dc=my-domain” suffix with YOUR_DOMAIN. With the example.com domain the line reads as follows (it is one logical line in the file):

[root@fosnix cn=config]# vim olcDatabase={1}monitor.ldif
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=example,dc=com" read by * none

Verify the Configuration –

[root@fosnix cn=config]# slaptest -u
5ec183d3 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif"
5ec183d3 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif"
config file testing succeeded

The checksum errors appear because the files under slapd.d were edited by hand instead of through ldapmodify; they are harmless and can be ignored as long as the last line reports that the configuration test succeeded.

Step 4 : Create the self-signed certificate

[root@fosnix cn=config]# openssl req -new -x509 -nodes -out /etc/pki/tls/certs/fosnix.pem -keyout /etc/pki/tls/certs/fosnixkey.pem -days 365

Enter your company details to generate the certificate, as shown below:

Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:UP
Locality Name (eg, city) [Default City]:Noida
Organization Name (eg, company) [Default Company Ltd]:Fosnix
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:example.com
Email Address []:fosnixx@gmail.com

Verify the created files under the location below. Note that the key file is created world-readable (mode 644); slapd only needs it readable by the ldap user, so restricting it to root:ldap with mode 640 is the safer setting:

[root@fosnix cn=config]# ll /etc/pki/tls/certs/*.pem
-rw-r--r--. 1 root root 1704 May 18 10:03 /etc/pki/tls/certs/fosnixkey.pem
-rw-r--r--. 1 root root 1379 May 18 10:03 /etc/pki/tls/certs/fosnix.pem
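A scripted version of this step, added here and not part of the original post: it issues the same self-signed certificate without prompts, restricts the key file to root and the ldap user, and checks that the certificate and key belong together. The hostname ldap.example.com in the usage comment is an assumed placeholder.

```shell
#!/bin/sh
# Added example, not code from the original post: create the slapd
# certificate non-interactively and keep the private key readable only by
# root and the ldap user. Assumes the paths from step 4 and that slapd runs
# as user "ldap" (the CentOS 7 default).

CERT=/etc/pki/tls/certs/fosnix.pem
KEY=/etc/pki/tls/certs/fosnixkey.pem

# Same request as the post's interactive openssl command, with the answers
# passed via -subj. CN must be the name clients use for the server. umask 077
# means the key is never world-readable, unlike the 644 key in the listing.
make_ldap_cert() {  # usage: make_ldap_cert CERT KEY CN [DAYS]
  ( umask 077 && openssl req -new -x509 -nodes -days "${4:-365}" \
      -subj "/C=IN/ST=UP/L=Noida/O=Fosnix/OU=IT/CN=$3" \
      -out "$1" -keyout "$2" ) || return 1
  chmod 644 "$1"                          # the certificate is public
  chown root:ldap "$2" && chmod 640 "$2"  # slapd (user ldap) can read the key
}

# "other" permission bits of a file as a 3-char string, e.g. r-- or ---.
# Parsed from ls -l, which is portable where stat's format flags are not.
other_bits() { ls -ld "$1" | cut -c8-10; }

# True when the file is not readable, writable or executable by "other".
key_perms_ok() { [ "$(other_bits "$1")" = "---" ]; }

# Confirm the certificate and key belong together before pointing
# olcTLSCertificateFile/olcTLSCertificateKeyFile at them; with a mismatch
# slapd refuses to start with a TLS initialisation error.
cert_matches_key() {  # usage: cert_matches_key CERT KEY
  [ "$(openssl x509 -noout -modulus -in "$1")" = \
    "$(openssl rsa -noout -modulus -in "$2")" ]
}

# On the LDAP server, as root (ldap.example.com is a placeholder):
#   make_ldap_cert "$CERT" "$KEY" ldap.example.com \
#     && key_perms_ok "$KEY" && cert_matches_key "$CERT" "$KEY"
```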

Step 5 : Start, Enable the Slapd Services & Configure the LDAP Services

[root@fosnix cn=config]# systemctl start slapd
[root@fosnix cn=config]# systemctl enable slapd

Configuring the LDAP Services –

[root@fosnix cn=config]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@fosnix cn=config]# chown -R ldap:ldap /var/lib/ldap/

Add the following schemas:

[root@fosnix cn=config]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
[root@fosnix cn=config]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
[root@fosnix cn=config]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

Step 6 : Create Base Objects in OpenLDAP

[root@fosnix cn=config]# cd /usr/share/migrationtools/
[root@fosnix migrationtools]# vim migrate_common.ph

Go to line 71 and change it to your domain name:

$DEFAULT_MAIL_DOMAIN = "example.com";

Go to line 74 and change it to your base DN:

$DEFAULT_BASE = "dc=example,dc=com";

Further down in the same file, change $EXTENDED_SCHEMA from 0 to 1:

$EXTENDED_SCHEMA = 1;

Save & Exit

Step 7: Generate a base.ldif file

[root@fosnix migrationtools]# touch /root/base.ldif
[root@fosnix migrationtools]# vim /root/base.ldif

Paste the lines below into your base.ldif file, replacing example.com with your own domain. Each entry must be separated from the next by a blank line, otherwise ldapadd rejects the file:

dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: example com
dc: example

dn: cn=Manager,dc=example,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=example,dc=com
objectClass: organizationalUnit
ou: Group

Save & Exit

Step 8: Create the Users

Create Users & Set the Passwords

[root@fosnix migrationtools]# useradd user1
[root@fosnix migrationtools]# useradd user2
[root@fosnix migrationtools]# passwd user1
[root@fosnix migrationtools]# passwd user2

Filter out the users and groups to migrate. The pattern matches “:10xx” in any field, so check /root/passwd and /root/group for unintended entries before generating the LDIF files:

[root@fosnix migrationtools]# grep ":10[0-9][0-9]" /etc/passwd > /root/passwd
[root@fosnix migrationtools]# grep ":10[0-9][0-9]" /etc/group > /root/group

Now generate LDIF files for the individual users and groups:

[root@fosnix migrationtools]# ./migrate_passwd.pl /root/passwd /root/users.ldif
[root@fosnix migrationtools]# ./migrate_group.pl /root/group /root/groups.ldif
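As an added example (not from the post or from migrationtools), the functions below do the account selection with a field-aware UID filter instead of the substring grep, and show the LDIF that users.ldif contains for the /etc/passwd fields. The sample passwd lines are constructed, and the base DN is assumed to be the post's dc=example,dc=com.

```shell
#!/bin/sh
# Added example, not code from the original post or from migrationtools:
# select the local accounts to export and turn them into the posixAccount
# entries that users.ldif contains. Assumes the post's base DN
# (dc=example,dc=com) and ou=People. migrate_passwd.pl additionally
# copies the password hash from /etc/shadow, which is left out here.

# Keep only lines whose UID field (field 3) is within [MIN, MAX]. The post's
# grep ":10[0-9][0-9]" matches that text in any field, so it also picks a
# system account with GID 1000 or an account with UID 10001 (see sample).
select_uid_range() {  # usage: select_uid_range MIN MAX < passwd
  awk -F: -v lo="$1" -v hi="$2" '($3 + 0) >= (lo + 0) && ($3 + 0) <= (hi + 0)'
}

# One LDIF entry per passwd line; the blank line after each entry is what
# ldapadd uses to tell entries apart.
passwd_to_ldif() {  # usage: passwd_to_ldif BASE_DN < passwd
  awk -F: -v base="$1" '{
    print "dn: uid=" $1 ",ou=People," base
    print "uid: " $1
    print "cn: " $1
    print "objectClass: account"
    print "objectClass: posixAccount"
    print "objectClass: top"
    print "objectClass: shadowAccount"
    print "uidNumber: " $3
    print "gidNumber: " $4
    print "homeDirectory: " $6
    print "loginShell: " $7
    print "gecos: " $5
    print ""
  }'
}

# Constructed sample passwd lines, not taken from a real host.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
ldap:x:55:1000:LDAP User:/var/lib/ldap:/sbin/nologin
user1:x:1001:1001:user1:/home/user1:/bin/bash
user2:x:1002:1002:user2:/home/user2:/bin/bash
svc:x:10001:10001:svc:/srv/svc:/sbin/nologin'

# How many accounts each filter selects from the sample: 4 vs 2.
count_grep()  { printf '%s\n' "$SAMPLE_PASSWD" | grep -c ':10[0-9][0-9]'; }
count_range() { printf '%s\n' "$SAMPLE_PASSWD" | select_uid_range 1000 1099 | awk 'END { print NR }'; }

# The users.ldif the post imports in step 9, built from the sample.
build_users_ldif() {
  printf '%s\n' "$SAMPLE_PASSWD" | select_uid_range 1000 1099 | passwd_to_ldif "dc=example,dc=com"
}

build_users_ldif
```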

Step 9: Import Users to the LDAP Database

[root@fosnix migrationtools]# ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f /root/base.ldif
[root@fosnix migrationtools]# ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f /root/users.ldif
[root@fosnix migrationtools]# ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f /root/groups.ldif

Step 10: Test the Configuration & Stop Firewall to allow the Connection

The searches below should return user1's entry and then every entry under the base DN. Stopping firewalld is the quickest way to let the client connect; on a server that stays on the network, open only the LDAP service in firewalld instead of disabling the firewall.

[root@fosnix migrationtools]# ldapsearch -x cn=user1 -b dc=example,dc=com
[root@fosnix migrationtools]# ldapsearch -x -b 'dc=example,dc=com' '(objectclass=*)'
[root@fosnix migrationtools]# systemctl stop firewalld

Step 11: NFS Configuration to export the Home Directory

Edit the exports file and add the entry below to export the home directory (the “*” allows any host to mount it; on a real network restrict the export to the client subnet instead):

[root@fosnix migrationtools]# vim /etc/exports
/home *(rw,sync)

Save & Exit

Start and enable the rpcbind & nfs services:

[root@fosnix migrationtools]# yum -y install rpcbind nfs-utils
[root@fosnix migrationtools]# systemctl start rpcbind
[root@fosnix migrationtools]# systemctl start nfs
[root@fosnix migrationtools]# systemctl enable rpcbind
[root@fosnix migrationtools]# systemctl enable nfs

Test the NFS Configuration

[root@fosnix migrationtools]# showmount -e
Export list for example.com:
/home *

Step 12: Client Configuration

Log in to the client server – 192.168.33.20

[root@client ~]# yum install -y openldap-clients nss-pam-ldapd
[root@client ~]# authconfig-tui

Steps for LDAP Authentication

  1. Mark “Use LDAP” with ‘*’
  2. Mark “Use LDAP Authentication” with ‘*’
  3. Select “Next”
  4. Enter the server field as “ldap://YOUR_DOMAIN/”
  5. If the Base field is empty, fill it in as “dc=YOUR_DOMAIN” (in the form dc=example,dc=com)
  6. Select “OK”.

Test the Configuration

[root@client ~]# getent passwd user1
user1:x:1001:1001:user1:/home/user1:/bin/bash

If you get the output shown above, the configuration is working properly.

Mount the LDAP users' home directories from the NFS server (this mount is not persistent; add it to /etc/fstab or use autofs so it survives a reboot):

[root@client ~]# mount 192.168.33.25:/home /home
