OpenLDAP is a free, open-source implementation of LDAP. LDAP stands for Lightweight Directory Access Protocol. An LDAP server is essentially a non-relational database that is optimized for reading, not writing, data. It is mainly used as an address book (e.g. for email clients) or as an authentication backend for other services (for example Samba, where it is used to emulate a domain controller, or Linux system authentication, where it replaces /etc/passwd), and it primarily holds user data. This article describes how to install and configure an LDAP server on CentOS and RHEL.
Install the OpenLDAP server by executing the following command.
Copy the sample slapd.conf file as given below.
Set up and generate the hashed password for the rootdn, to be used in /etc/openldap/slapd.conf.
New password:
Re-enter new password:
{SSHA}GtG8bcLGeN/rf1iStKFK2pu0C2EZf/RX
Note: copy the generated password hash and keep it in a safe place; it will be needed in the next step.
Now modify the /etc/openldap/slapd.conf file as given below.
#TLSCACertificatePath /etc/openldap/certs
#TLSCertificateFile "\"OpenLDAP Server\""
#TLSCertificateKeyFile /etc/openldap/certs/password
# enable server status monitoring (cn=monitor)
database monitor
access to *
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
        by dn.exact="cn=Manager,dc=ldap,dc=linuxpcfix,dc=com" read
        by * none
#######################################################################
# database definitions
#######################################################################
database bdb
suffix "dc=ldap,dc=linuxpcfix,dc=com"
checkpoint 1024 15
rootdn "cn=Manager,dc=ldap,dc=linuxpcfix,dc=com"
rootpw {SSHA}GtG8bcLGeN/rf1iStKFK2pu0C2EZf/RX
loglevel 256
sizelimit unlimited
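The rootpw value above is in OpenLDAP's {SSHA} format: the base64 encoding of SHA-1(password + salt) followed by the 4-byte salt, which is exactly what slappasswd prints in the previous step. The following Python is an added example, not code from the original article, that builds and verifies such hashes and checks that a rootpw directive carries a hash rather than a cleartext password. The function names and the sample password are my own; PAGE_HASH is the hash shown above, whose password is not known, so the code only decodes its structure.

```python
import base64
import hashlib
import hmac
import os

# The rootpw hash as it appears in the slapd.conf above (password unknown).
PAGE_HASH = "{SSHA}GtG8bcLGeN/rf1iStKFK2pu0C2EZf/RX"


def make_ssha(password, salt=None):
    """Build a {SSHA} hash the way slappasswd does: base64(SHA1(pw + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)  # slappasswd uses a 4-byte random salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def split_ssha(hashed):
    """Return (digest, salt) from a {SSHA} string; SHA-1 digests are 20 bytes."""
    if not hashed.startswith("{SSHA}"):
        raise ValueError("not a {SSHA} hash")
    raw = base64.b64decode(hashed[len("{SSHA}"):])
    return raw[:20], raw[20:]


def verify_ssha(password, hashed):
    """Recompute the salted digest and compare in constant time."""
    digest, salt = split_ssha(hashed)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def rootpw_is_hashed(slapd_conf_line):
    """True if a 'rootpw' directive carries a {SCHEME} hash rather than cleartext.
    slapd accepts a cleartext rootpw, so this is a config-review check, not a slapd check."""
    parts = slapd_conf_line.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "rootpw":
        return False
    value = parts[1].strip().strip('"')
    return value.startswith("{") and "}" in value


if __name__ == "__main__":
    h = make_ssha("example-password")  # constructed sample password
    print(h, verify_ssha("example-password", h))
    print(rootpw_is_hashed("rootpw " + PAGE_HASH))
```

Because the salt is part of the stored value, two hashes of the same password differ; verification works by re-salting with the stored salt, never by comparing hash strings directly.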
After that, remove the existing dynamic configuration files under /etc/openldap/slapd.d/ as given below.
[root@linuxpcfix ~]# rm -rf /etc/openldap/slapd.d/*
Copy the sample DB_CONFIG file to /var/lib/ldap/
Check /etc/openldap/slapd.conf for errors using the command below.
config file testing succeeded
Change the file and directory permissions and ownership on /var/lib/ldap/ and /etc/openldap/slapd.d/ to the ldap user.
[root@linuxpcfix ~]# chown -Rf ldap. /var/lib/ldap/
[root@linuxpcfix ~]# chmod 700 /var/lib/ldap/
[root@linuxpcfix ~]# chmod 700 /etc/openldap/slapd.d/
Now convert the configuration file into the dynamic configuration under the /etc/openldap/slapd.d/ directory.
config file testing succeeded
Start the OpenLDAP server.
Starting slapd: [ OK ]
[root@linuxpcfix ~]# chkconfig slapd on
root@cm1 [~]# service slapd status
slapd (pid 711055) is running…
root@cm1 [~]# netstat -plan | grep slapd
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 711055/slapd
tcp 0 0 :::389 :::* LISTEN 711055/slapd
unix 2 [ ACC ] STREAM LISTENING 31014188 711055/slapd /var/run/ldapi
unix 2 [ ] DGRAM 31014182 711055/slapd
To enable LDAPS, install an SSL certificate using the following steps.
Install openssl packages.
Now generate the certificate using the following commands.
Set the ownership of the generated certificate files to the ldap user.
Modify the certificate file paths in the following config file.
olcTLSCertificateFile: /etc/pki/tls/certs/ldap.linuxpcfix_pubkey.pem
olcTLSCertificateKeyFile: /etc/pki/tls/certs/ldap.linuxpcfix_privkey.pem
Now edit the file /etc/sysconfig/ldap as given below.
SLAPD_LDAP=no
SLAPD_LDAPI=no
SLAPD_LDAPS=yes
Restart the SLAPD process
Stopping slapd: [ OK ]
Starting slapd: [ OK ]
Create a base for the DIT (Directory Information Tree) using the following file
[root@linuxpcfix ~]# vi dit.ldif
Append the following lines:
dn: ou=Groups,dc=ldap,dc=linuxpcfix,dc=com
objectClass: organizationalUnit
ou: Groups

dn: ou=Admins,dc=ldap,dc=linuxpcfix,dc=com
objectClass: organizationalUnit
ou: Admins

# Set up a user named firstuser with some basic info
dn: uid=firstuser,ou=Users,dc=ldap,dc=linuxpcfix,dc=com
uid: firstuser
cn: firstuser
sn: 1
objectClass: top
objectClass: posixAccount
objectClass: inetOrgPerson
loginShell: /bin/bash
homeDirectory: /home/firstuser
uidNumber: 15000
gidNumber: 10000
userPassword: user@147#
mail: emailid@userdomain.com
gecos: firstuser User

# Set up an ldapusers group under the Groups OU
dn: cn=ldapusers,ou=Groups,dc=ldap,dc=linuxpcfix,dc=com
objectClass: posixGroup
objectClass: top
cn: ldapusers
userPassword: user@147#
gidNumber: 10000
# memberUid takes the bare login name (the uid value), not "uid=..."
memberUid: firstuser
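LDIF separates entries with blank lines, and two details in a file like dit.ldif are easy to get wrong: memberUid on a posixGroup must hold the bare login name, and userPassword written as plain text is stored as plain text unless the server hashes it. The following Python is an added example, not from the original article: a small LDIF parser plus a consistency check over the page's entries. SAMPLE_LDIF is a constructed copy of the entries above in which the group deliberately carries `memberUid: uid=firstuser` (the DN-style form that is easy to write by mistake) so the check has something to flag; the function names are my own.

```python
import base64
from collections import defaultdict

# Constructed sample modelled on the dit.ldif above; the password is a dummy value.
SAMPLE_LDIF = """\
dn: ou=Groups,dc=ldap,dc=linuxpcfix,dc=com
objectClass: organizationalUnit
ou: Groups

dn: uid=firstuser,ou=Users,dc=ldap,dc=linuxpcfix,dc=com
uid: firstuser
cn: firstuser
sn: 1
objectClass: top
objectClass: posixAccount
objectClass: inetOrgPerson
loginShell: /bin/bash
homeDirectory: /home/firstuser
uidNumber: 15000
gidNumber: 10000
userPassword: user@147#
mail: emailid@userdomain.com

dn: cn=ldapusers,ou=Groups,dc=ldap,dc=linuxpcfix,dc=com
objectClass: posixGroup
objectClass: top
cn: ldapusers
gidNumber: 10000
memberUid: uid=firstuser
"""


def parse_ldif(text):
    """Parse content LDIF into a list of {attribute (lowercased): [values]} dicts.
    Handles comments, blank-line entry separators, '::' base64 values and
    leading-space continuation lines; change records and URL values are not supported."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:  # folded line continues the previous one
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], defaultdict(list)
    for line in lines:
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(dict(current))
                current = defaultdict(list)
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # attr:: base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        current[attr.strip().lower()].append(value.strip())
    if current:
        entries.append(dict(current))
    return entries


def check_posix_entries(entries):
    """Return findings about posixAccount/posixGroup consistency and cleartext passwords."""
    findings = []
    uids = {e["uid"][0] for e in entries if "uid" in e}
    group_gids = {e["gidnumber"][0] for e in entries
                  if "posixgroup" in {c.lower() for c in e.get("objectclass", [])}}
    for e in entries:
        dn = e.get("dn", ["?"])[0]
        classes = {c.lower() for c in e.get("objectclass", [])}
        if "posixaccount" in classes and e["gidnumber"][0] not in group_gids:
            findings.append(f"{dn}: primary gidNumber has no posixGroup")
        if "posixgroup" in classes:
            for member in e.get("memberuid", []):
                if member not in uids:
                    findings.append(f"{dn}: memberUid '{member}' matches no uid "
                                    "(use the bare login name)")
        for pw in e.get("userpassword", []):
            if not pw.startswith("{"):  # hashed values look like {SSHA}...
                findings.append(f"{dn}: userPassword is cleartext; hash it with slappasswd "
                                "or configure the server to hash on write")
    return findings


if __name__ == "__main__":
    for finding in check_posix_entries(parse_ldif(SAMPLE_LDIF)):
        print(finding)
```

Running the check against the sample reports the malformed memberUid and the cleartext password; replacing the value with `memberUid: firstuser` clears the first finding. The same check can be run over any content LDIF before it is fed to ldapadd.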
After that, modify the ldap.conf file as given below.
TLS_REQCERT allow
# BASE must match the suffix configured in slapd.conf
BASE dc=ldap,dc=linuxpcfix,dc=com
URI ldap://ldap.linuxpcfix.com
# or, over LDAPS (slapd listens on 636 when SLAPD_LDAPS=yes and no other port is set)
#URI ldaps://ldap.linuxpcfix.com:636
# server IP address
HOST 12x.12x.12x.12x
Now update the Directory Information Tree with the values in the file dit.ldif.
adding new entry "dc=ldap,dc=linuxpcfix,dc=com"
adding new entry "ou=Users,dc=ldap,dc=linuxpcfix,dc=com"
adding new entry "ou=Groups,dc=ldap,dc=linuxpcfix,dc=com"
adding new entry "uid=firstuser,ou=Users,dc=ldap,dc=linuxpcfix,dc=com"
adding new entry "cn=ldapusers,ou=Groups,dc=ldap,dc=linuxpcfix,dc=com"
Search the DIT using the following command to find the newly added values
Client configuration.
[root@localhost ~]# vi /etc/openldap/ldap.conf
ssl start_tls
TLS_REQCERT allow
TLS_CACERTDIR /etc/openldap/cacerts
BASE dc=ldap,dc=linuxpcfix,dc=com
URI ldap://ldap.linuxpcfix.com
HOST <ldap server ip address>
Create an sssd.conf file at /etc/sssd/sssd.conf with the following contents.
[sssd]
config_file_version = 2
services = nss, pam
# the domain name is a placeholder; choose your own
domains = LDAP

[domain/LDAP]
ldap_search_base = dc=ldap,dc=linuxpcfix,dc=com
# posixGroup entries (as in dit.ldif) list members in memberUid
ldap_group_member = memberUid
id_provider = ldap
# needed so PAM password checks go to LDAP as well
auth_provider = ldap
ldap_id_use_start_tls = True
chpass_provider = ldap
ldap_uri = ldap://ldap.linuxpcfix.com/
# or with ldaps
#ldap_uri = ldaps://ldap.linuxpcfix.com/
ldap_chpass_uri = ldaps://ldap.linuxpcfix.com/
krb5_kdcip = ldap.linuxpcfix.com
cache_credentials = True
ldap_tls_cacertdir = /etc/openldap/cacerts
entry_cache_timeout = 600
ldap_network_timeout = 3
krb5_server = ldap.linuxpcfix.com
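Both client files above decide whether the TLS session actually protects the bind: in ldap.conf, TLS_REQCERT allow accepts a missing or bad server certificate, and the BASE must match the server's suffix; in sssd.conf, an ldap:// URI without ldap_id_use_start_tls sends passwords in the clear, and ldap_tls_reqcert allow/never has the same effect as TLS_REQCERT allow. The following Python is an added example, not from the original article, that audits both the ldap.conf blocks (the client one above and the earlier one with the mismatched BASE) and the sssd.conf. The sample file contents are constructed from this page; the function names and the "expected base" check are my own, and the LDAPS port check assumes the default port 636 because the server side here sets only SLAPD_LDAPS=yes.

```python
import configparser
from urllib.parse import urlsplit

# The suffix configured in slapd.conf on this page.
EXPECTED_BASE = "dc=ldap,dc=linuxpcfix,dc=com"

# Constructed samples modelled on the client files shown on this page.
LDAP_CONF = """\
TLS_REQCERT allow
BASE dc=ldeo,dc=example,dc=com
URI ldaps://ldap.linuxpcfix.com:666
"""

SSSD_CONF = """\
[sssd]
services = nss, pam
domains = LDAP

[domain/LDAP]
id_provider = ldap
ldap_uri = ldap://ldap.linuxpcfix.com/
ldap_id_use_start_tls = True
ldap_search_base = dc=ldap,dc=linuxpcfix,dc=com
ldap_tls_cacertdir = /etc/openldap/cacerts
"""


def parse_ldap_conf(text):
    """ldap.conf is one 'KEY value' per line; keys are case-insensitive, '#' starts a comment."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        conf.setdefault(parts[0].upper(), []).append(value)
    return conf


def audit_ldap_conf(text, expected_base=EXPECTED_BASE):
    """Return findings for an OpenLDAP client ldap.conf."""
    conf = parse_ldap_conf(text)
    findings = []
    reqcert = conf.get("TLS_REQCERT", ["demand"])[0].lower()  # OpenLDAP default is demand
    if reqcert in ("never", "allow"):
        findings.append(f"TLS_REQCERT {reqcert}: server certificate is not verified; "
                        "use 'demand' together with TLS_CACERT or TLS_CACERTDIR")
    if "TLS_CACERT" not in conf and "TLS_CACERTDIR" not in conf:
        findings.append("no TLS_CACERT/TLS_CACERTDIR: the client has no trust anchor")
    base = conf.get("BASE", [""])[0].replace(" ", "").lower()
    if base != expected_base.lower():
        findings.append(f"BASE {base!r} does not match the directory suffix {expected_base!r}")
    for uri_list in conf.get("URI", []):
        for uri in uri_list.split():
            parts = urlsplit(uri)
            if parts.scheme == "ldaps" and parts.port not in (None, 636):
                findings.append(f"{uri}: LDAPS listens on 636 by default; check the port")
    return findings


def audit_sssd_conf(text):
    """Return findings for the LDAP domains in an sssd.conf."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        sec = cp[section]
        start_tls = sec.get("ldap_id_use_start_tls", "false").lower() == "true"
        for uri in sec.get("ldap_uri", "").split(","):
            uri = uri.strip()
            if uri and urlsplit(uri).scheme == "ldap" and not start_tls:
                findings.append(f"{section}: {uri} without ldap_id_use_start_tls = True "
                                "sends credentials in the clear")
        reqcert = sec.get("ldap_tls_reqcert", "hard").lower()  # sssd default is hard
        if reqcert in ("never", "allow"):
            findings.append(f"{section}: ldap_tls_reqcert {reqcert} disables certificate verification")
        if "ldap_tls_cacert" not in sec and "ldap_tls_cacertdir" not in sec:
            findings.append(f"{section}: no ldap_tls_cacert/ldap_tls_cacertdir")
    return findings


if __name__ == "__main__":
    for finding in audit_ldap_conf(LDAP_CONF) + audit_sssd_conf(SSSD_CONF):
        print(finding)
```

On the constructed ldap.conf the audit reports the unverified certificate, the missing trust anchor, the BASE that does not match the suffix and the unusual LDAPS port; the constructed sssd.conf passes because it combines ldap:// with ldap_id_use_start_tls = True and names a CA directory. Setting TLS_REQCERT demand (and ldap_tls_reqcert demand in sssd) is what turns the certificate generated earlier into actual server authentication rather than encryption alone.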
Enable LDAP authentication on the client system as given below.
Then provide the required information in the dialog box.
[root@localhost ~]# getent passwd firstuser
firstuser:*:15000:10000:firstuser User:/home/firstuser:/bin/bash
[root@localhost ~]# id firstuser
uid=15000(student1) gid=10000(ldapusers) groups=10000(ldapusers)
After that, log in to the client system with the LDAP user.
Creating directory '/home/firstuser'.
[firstuser@localhost ~]$ pwd
/home/firstuser
Troubleshooting:
In case you get an error like the one below:
bdb_db_open: database "dc=ldap,dc=linuxpcfix,dc=com": db_open(/var/lib/ldap/id2entry.bdb) failed: No such file or directory (2).
Then initialize the DB files for the contents of the /var/lib/ldap directory.
After this, run the command again.