Wednesday, April 15, 2015

Configuring OpenLDAP Server/Client on RHEL 6.X / CentOS 6.X


LDAP Server Configuration :

Step 1. Install the OpenLDAP packages via YUM

 # yum install openldap openldap-servers openldap-clients

Step 2. Generate a hashed password for the administrator (rootDN) user, "Manager"

 # slappasswd
                New password: redhat
                Re-enter new password: redhat

                NOTE: Copy the {SSHA} hash that slappasswd prints; it goes into olcRootPW in the next step. "redhat" is only the sample password used throughout this post; choose a strong one on a real server.

Step 3. Configure the OpenLDAP server database. slapd must not be running while you edit (the files under slapd.d are slapd's own cn=config store and it rewrites them), so stop it first if needed, then edit

 # vim /etc/openldap/slapd.d/"cn=config"/"olcDatabase={2}bdb.ldif"

                Change the suffix and the rootDN to your domain:

                olcSuffix: dc=goldenjohn,dc=com

                olcRootDN: cn=Manager,dc=goldenjohn,dc=com

                NOTE: Add these lines at the end of the file. olcRootPW takes the hash printed by slappasswd (never the cleartext password); the two TLS lines point at the certificate and key that are created with openssl further below.

                olcRootPW: {SSHA}<hash printed by slappasswd>
                olcTLSCertificateFile: /etc/pki/tls/certs/goldenjohn.pem
                olcTLSCertificateKeyFile: /etc/pki/tls/certs/goldenjohnkey.pem

                :wq (save and exit)

Step 4. Now grant the rootDN read access to the monitor database

 # vim /etc/openldap/slapd.d/"cn=config"/"olcDatabase={1}monitor.ldif"

                The shipped olcAccess line grants read to the default "cn=manager,dc=my-domain,dc=com";
                change that DN to your rootDN, "cn=Manager,dc=goldenjohn,dc=com" (the DN compares case-insensitively, but the suffix must match yours).

                :wq (save and exit)

Step 5. Copy the sample Berkeley DB configuration into the database directory and make the ldap user own it

 # cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

 # chown -R ldap:ldap /var/lib/ldap/

Step 6. Configure slapd to also listen for LDAPS (port 636)

 # vim /etc/sysconfig/ldap

                SLAPD_LDAPS=yes #(default is no)

                :wq (save and exit)

Step 7. Create a certificate and key for the OpenLDAP server (self-signed here, valid for one year).

 # openssl req -new -x509 -nodes -out /etc/pki/tls/certs/goldenjohn.pem -keyout /etc/pki/tls/certs/goldenjohnkey.pem -days 365

                Country Name (2 letter code) [XX]:IN
                State or Province Name (full name) []:Tamil Nadu
                Locality Name (eg, city) [Default City]:Chennai
                Organization Name (eg, company) [Default Company Ltd]:Goldenjohn, Inc.
                Organizational Unit Name (eg, section) []:IT
                Common Name (eg, your name or your server's hostname) []:<FQDN of the LDAP server>
                Email Address []:

                NOTE: The Common Name must be the hostname the clients will put in their URI; with the client default TLS_REQCERT demand, a certificate whose name does not match the server name is rejected. -nodes leaves the private key unencrypted so slapd can start unattended, which is why its file permissions in the next step matter.

Step 8. Set ownership and permissions on the certificate and key. slapd runs as the ldap user and must be able to read the key, but nobody else should; the certificate itself is public.

 # chown root:ldap /etc/pki/tls/certs/goldenjohn.pem /etc/pki/tls/certs/goldenjohnkey.pem

 # chmod 644 /etc/pki/tls/certs/goldenjohn.pem

 # chmod 640 /etc/pki/tls/certs/goldenjohnkey.pem

 # ls -l /etc/pki/tls/certs/goldenjohn*
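The same certificate generation as above, done non-interactively and with the key kept out of the world-readable certs/ directory, as an added example (this is not code from the original post). The hostname ldap.goldenjohn.com and the directory root passed to the function are assumptions for illustration; if you keep the key under private/ like this, point olcTLSCertificateKeyFile at /etc/pki/tls/private/goldenjohnkey.pem instead.

```bash
#!/bin/bash
# Added example, not part of the original post.
# Generates the self-signed slapd certificate with the CN fixed to the FQDN
# clients will use, and separates the private key from the public cert.

make_ldap_cert() {
  root="$1"          # e.g. /etc/pki/tls (a temp dir in the usage below)
  fqdn="$2"          # must equal the host name in the clients' LDAP URI
  days="${3:-365}"
  mkdir -p "$root/certs" "$root/private"
  # -subj replaces the interactive prompts; O/OU values are the post's sample ones.
  openssl req -new -x509 -nodes -newkey rsa:2048 -days "$days" \
    -subj "/C=IN/ST=Tamil Nadu/L=Chennai/O=Goldenjohn Inc/OU=IT/CN=$fqdn" \
    -keyout "$root/private/goldenjohnkey.pem" \
    -out "$root/certs/goldenjohn.pem" >/dev/null 2>&1 || return 1
  # Key: root and the ldap group only. Cert: public.
  chmod 0640 "$root/private/goldenjohnkey.pem"
  chmod 0644 "$root/certs/goldenjohn.pem"
  # The chown only makes sense on a host that has the ldap service account.
  if getent group ldap >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    chown root:ldap "$root/private/goldenjohnkey.pem" "$root/certs/goldenjohn.pem"
  fi
}

# CN recorded in the certificate; the sed handles both the old
# "subject= /C=IN/.../CN=host" and the newer "subject=C = IN, ..., CN = host" layouts.
cert_cn() {
  openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# SHA-256 fingerprint to read out to the client admin before the copy placed in
# /etc/openldap/cacerts is trusted.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Octal mode of the key file, for a quick permissions audit (expects 640).
key_mode() { stat -c '%a' "$1"; }

# On the server itself (assumed FQDN):
#   make_ldap_cert /etc/pki/tls ldap.goldenjohn.com
#   cert_fingerprint /etc/pki/tls/certs/goldenjohn.pem
```

Run cert_fingerprint on the server and again on the client's copy in /etc/openldap/cacerts; the two values must match before the client is allowed to trust it.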

Step 9. Start (or restart) the OpenLDAP service and enable it at boot. If it fails to start, the reason is logged to /var/log/messages.

 # service slapd restart

 # chkconfig slapd on

Step 10. Create the base objects in OpenLDAP.

                NOTE: "base objects" means the entries at the top of the tree: the dc= entry for the domain and the ou= containers (People, Groups). Each entry is a dn: with the right objectClass values.

                There are two ways to produce them: (1) write the LDIF by hand, or (2) use the migration tools. This example uses the migration tools.

 # yum install migrationtools

 # cd /usr/share/migrationtools/

 # ls

 # vim migrate_common.ph

                Around line 61, set the group container to "ou=Groups" (the shipped default is "ou=Group"):
                  $NAMINGCONTEXT{'group'}             = "ou=Groups";

                Around line 71, set your mail domain:
                 $DEFAULT_MAIL_DOMAIN = "goldenjohn.com";

                Around line 74, set your base DN:
                $DEFAULT_BASE = "dc=goldenjohn,dc=com";

                Around line 90, enable the extended schema (adds inetOrgPerson attributes to user entries):
                $EXTENDED_SCHEMA = 1;

                :wq (save and exit)

                Now generate a base.ldif for your domain:

 # ./migrate_base.pl > /root/base.ldif

                If you want to migrate local users and groups into LDAP, do the following:
                first create five local users (and their groups), then migrate them.

 # mkdir /home/guests
 # useradd -d /home/guests/goldenjohn1 goldenjohn1
 # useradd -d /home/guests/goldenjohn2 goldenjohn2
 # useradd -d /home/guests/goldenjohn3 goldenjohn3
 # useradd -d /home/guests/goldenjohn4 goldenjohn4
 # useradd -d /home/guests/goldenjohn5 goldenjohn5

 # passwd goldenjohn1
 # passwd goldenjohn2
 # passwd goldenjohn3
 # passwd goldenjohn4
 # passwd goldenjohn5

Now extract those users from the passwd database into a separate file (tail -n 5 assumes they are the five most recently added accounts; grep for the names instead if that is not certain):

 # getent passwd | tail -n 5 > /root/users

Now extract their password hashes from the shadow database (this file holds hashes, so keep it readable by root only):

 # getent shadow | tail -n 5 > /root/passwords

Now extract their groups:

 # getent group | tail -n 5 > /root/groups

Now generate LDIF files from the extracted users, passwords and groups.

First point migrate_passwd.pl at the extracted shadow file instead of /etc/shadow:

 # vim migrate_passwd.pl

Search for "/etc/shadow" (around line 188) and change it to /root/passwords, then save and exit.

Now generate the users' LDIF:

 # ./migrate_passwd.pl /root/users > /root/users.ldif

Now generate the groups' LDIF:

 # ./migrate_group.pl /root/groups > /root/groups.ldif
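For the "write the LDIF by hand" route mentioned above, here is an added example (not from the post and not part of the migrationtools package) that produces the same kind of entries migrate_base.pl, migrate_passwd.pl and migrate_group.pl emit, from a passwd line, its shadow line and a group line. The sample lines at the bottom are constructed, not real accounts, and the user entry carries only the core posixAccount/shadowAccount attributes (the extra inetOrgPerson attributes that $EXTENDED_SCHEMA = 1 adds are left out).

```bash
#!/bin/bash
# Added example, not part of the original post: hand-written LDIF for the
# dc=goldenjohn,dc=com tree, showing what the migration scripts generate.
BASE="dc=goldenjohn,dc=com"

# Top of the DIT: the domain object plus the two containers the migration
# scripts expect (ou=People for accounts, ou=Groups as set in migrate_common.ph).
base_ldif() {
  cat <<EOF
dn: $BASE
objectClass: top
objectClass: dcObject
objectClass: organization
o: goldenjohn
dc: goldenjohn

dn: ou=People,$BASE
objectClass: top
objectClass: organizationalUnit
ou: People

dn: ou=Groups,$BASE
objectClass: top
objectClass: organizationalUnit
ou: Groups
EOF
}

# One passwd line plus the matching shadow line -> one posixAccount entry.
# The shadow hash is carried over with the {crypt} prefix, which tells slapd
# to compare it with crypt(3), so the user keeps the same password.
passwd_to_ldif() {
  pw_line="$1"; sh_line="$2"
  IFS=: read -r user _pw uid gid gecos home shell <<EOF
$pw_line
EOF
  IFS=: read -r _name hash lastchg _rest <<EOF
$sh_line
EOF
  cat <<EOF
dn: uid=$user,ou=People,$BASE
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
uid: $user
cn: ${gecos:-$user}
userPassword: {crypt}$hash
shadowLastChange: $lastchg
loginShell: $shell
uidNumber: $uid
gidNumber: $gid
homeDirectory: $home
EOF
}

# One group line -> one posixGroup entry with a memberUid per listed member.
group_to_ldif() {
  IFS=: read -r group _pw gid members <<EOF
$1
EOF
  cat <<EOF
dn: cn=$group,ou=Groups,$BASE
objectClass: top
objectClass: posixGroup
cn: $group
gidNumber: $gid
EOF
  old_ifs=$IFS; IFS=,                 # split the comma-separated member list
  for m in $members; do printf 'memberUid: %s\n' "$m"; done
  IFS=$old_ifs
}

# Constructed sample input (not real accounts): one passwd, shadow and group line.
SAMPLE_PASSWD='goldenjohn1:x:500:500:Golden John:/home/guests/goldenjohn1:/bin/bash'
SAMPLE_SHADOW='goldenjohn1:$6$saltsalt$hashhashhash:16535:0:99999:7:::'
SAMPLE_GROUP='goldenjohn1:x:500:goldenjohn1'

# Emits a complete LDIF that ldapadd could load in one go.
demo() {
  base_ldif; echo
  passwd_to_ldif "$SAMPLE_PASSWD" "$SAMPLE_SHADOW"; echo
  group_to_ldif "$SAMPLE_GROUP"
}
```

demo > /root/all.ldif followed by the ldapadd command of the next step loads the whole tree; the entries must be added top-down, which is why the base entries come first.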

Step 11. Now load these LDIF files into the LDAP server

 # ldapadd -x -W -D "cn=Manager,dc=goldenjohn,dc=com" -f /root/base.ldif

 # ldapadd -x -W -D "cn=Manager,dc=goldenjohn,dc=com" -f /root/users.ldif

 # ldapadd -x -W -D "cn=Manager,dc=goldenjohn,dc=com" -f /root/groups.ldif

NOTE: ldapadd prompts for the password of "Manager": type the cleartext password you gave slappasswd (redhat in this example), not the {SSHA} hash. -x is a simple bind, so over ldap:// that password crosses the wire unprotected; when running this from another host use -H ldaps://<server> (or -ZZ for StartTLS).

Now you can query the directory with "ldapsearch"

 # ldapsearch -x -b "dc=goldenjohn,dc=com"

NOTE: This is an anonymous search. The bdb database as configured has no olcAccess rules, and slapd's built-in default is "access to * by * read", so this query also returns every userPassword hash migrated from /etc/shadow. Restrict access to userPassword before the server is reachable from the network.
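An added example (not from the original post) that closes the gap just described: an LDIF for ldapmodify that restricts userPassword, and a small check that scans an ldapsearch dump for leaked hashes. Applying the LDIF over ldapi:/// with SASL EXTERNAL assumes SLAPD_LDAPI=yes in /etc/sysconfig/ldap (root's peercred is what the default cn=config ACL trusts); the two dumps at the bottom are constructed samples of what the anonymous search returns before and after the change.

```bash
#!/bin/bash
# Added example, not part of the original post.
# Without an olcAccess attribute on olcDatabase={2}bdb, slapd uses
# "access to * by * read", so anonymous clients can read every userPassword.

# LDIF for ldapmodify: users may change their own password, anyone may bind
# with it (auth), the rootDN may write it, nobody else may read it.
# Everything else in the tree stays world-readable, as before.
acl_ldif() {
  cat <<'EOF'
dn: olcDatabase={2}bdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by self write
  by anonymous auth
  by dn.base="cn=Manager,dc=goldenjohn,dc=com" write
  by * none
olcAccess: {1}to *
  by dn.base="cn=Manager,dc=goldenjohn,dc=com" write
  by * read
EOF
}
# Apply on the server (assumes ldapi is enabled in /etc/sysconfig/ldap):
#   acl_ldif | ldapmodify -Y EXTERNAL -H ldapi:///

# Scan an ldapsearch dump (file args or stdin) for password hashes.
# ldapsearch base64-encodes the value, so the line reads "userPassword:: ...".
# Exit 0 when clean, exit 1 and list the offending DNs when hashes are present.
check_no_hash_leak() {
  awk '
    /^dn: /             { dn = substr($0, 5) }
    /^userPassword::? / { print "leak: " dn; leaked = 1 }
    END                 { exit (leaked ? 1 : 0) }
  ' "$@"
}
# Live check from any host:
#   ldapsearch -x -LLL -b dc=goldenjohn,dc=com | check_no_hash_leak

# Constructed sample: what the anonymous search returns with the default ACL.
sample_before() {
  cat <<'EOF'
dn: uid=goldenjohn1,ou=People,dc=goldenjohn,dc=com
objectClass: posixAccount
uid: goldenjohn1
userPassword:: e2NyeXB0fSQ2JGNvbnN0cnVjdGVkJHNhbXBsZQ==
uidNumber: 500

dn: uid=goldenjohn2,ou=People,dc=goldenjohn,dc=com
objectClass: posixAccount
uid: goldenjohn2
uidNumber: 501
EOF
}

# Constructed sample: the same search after the ACL above is in place.
sample_after() {
  sample_before | grep -v '^userPassword'
}
```

After the ACL change, users still authenticate (the "anonymous auth" clause lets slapd compare the hash during a bind without disclosing it), and passwd on the clients still works because self may write userPassword and shadowLastChange.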

Step 12. Share the LDAP users' home directories via NFS so the clients can mount them.

 # vim /etc/exports

                /home/guests    <client-network>(rw,sync)

                (replace <client-network> with the clients' subnet or host names; "*" would export to everyone)

 :wq (save and exit)

 # service rpcbind start

 # service nfs start

 # chkconfig rpcbind on
 # chkconfig nfs on

 # service iptables stop
 # chkconfig iptables off

NOTE: Stopping iptables turns the host firewall off completely. Prefer to keep it running and allow only what the clients need: tcp/389 and tcp/636 for LDAP, plus tcp/111, udp/111 and tcp/2049 for NFS (NFSv3 also needs the mountd, statd and lockd ports fixed in /etc/sysconfig/nfs and opened).

LDAP Client Configuration:

 # yum install -y openldap-clients nss-pam-ldapd nss_ldap autofs nfs-utils

 # authconfig --enableforcelegacy --update

                NOTE: --enableforcelegacy selects the older nss_ldap/pam_ldap stack instead of nslcd (nss-pam-ldapd, the RHEL/CentOS 6 default). If you want nslcd, which the "service nslcd restart" step below assumes, skip this command and run only the next one.

 # authconfig --enableldap --enableldapauth --ldapserver="<ldap-server-fqdn>" --ldapbasedn="dc=goldenjohn,dc=com" --update

(For an older CentOS 5.8 client, use instead:
authconfig --enableforcelegacy --disableldaptls --update)

 NOTE: Copy the server's certificate (/etc/pki/tls/certs/goldenjohn.pem on the server) into /etc/openldap/cacerts on the client, compare its fingerprint with the server's copy, then rehash the directory so the TLS library can find it:

 # cacertdir_rehash /etc/openldap/cacerts

 # authconfig --enableldaptls --update

 # getent passwd goldenjohn1

 # service nfs start 

 # service rpcbind start

 # service autofs start

 # vim /etc/auto.master

                /home/guests    /etc/auto.guests


 # vim /etc/auto.guests

                *       -rw     <nfs-server>:/home/guests/&

                (the wildcard key matches any name under /home/guests and "&" substitutes it, so goldenjohn1 mounts <nfs-server>:/home/guests/goldenjohn1)


 # service autofs reload

 # service nslcd restart

Confirm the setup on the client machine.

I changed /etc/openldap/ldap.conf as follows (this file is used by the ldap* command-line tools; nslcd reads its own /etc/nslcd.conf, where authconfig writes the uri, base and TLS settings):

TLS_CACERTDIR /etc/openldap/cacerts
URI ldap://<ldap-server-fqdn>
BASE dc=goldenjohn,dc=com

 # su - goldenjohn1

That's it; enjoy your OpenLDAP installation.