
Install and configure LDAP server on Centos and RHEL

OpenLDAP is a free, open-source implementation of LDAP, the Lightweight Directory Access Protocol. An LDAP server is essentially a non-relational database that is optimised for reading data rather than writing it. It is mainly used as an address book (for example by email clients) or as an authentication backend for other services (such as Samba, where it is used to emulate a domain controller, or Linux system authentication, where it replaces /etc/passwd), and essentially holds the user data. This article describes how to install and configure an LDAP server on CentOS and RHEL.
Install the OpenLDAP server by executing the following command.

[root@linuxpcfix ~]# yum install openldap openldap-servers openldap-clients

Copy the sample slapd.conf file as given below.

[root@linuxpcfix ~]# cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf

Generate the hashed password for the rootdn, to be used in /etc/openldap/slapd.conf.

[root@linuxpcfix ~]# slappasswd
New password:
Re-enter new password:
{SSHA}GtG8bcLGeN/rf1iStKFK2pu0C2EZf/RX

Note: copy the generated password hash and keep it in a safe place; it will be required later.

Now modify the /etc/openldap/slapd.conf file as given below.

[root@linuxpcfix ~]# vi /etc/openldap/slapd.conf
#TLSCACertificatePath /etc/openldap/certs
#TLSCertificateFile "\"OpenLDAP Server\""
#TLSCertificateKeyFile /etc/openldap/certs/password

# enable server status monitoring (cn=monitor)
database monitor
access to *
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
        by dn.exact="cn=Manager,dc=ldap,dc=linuxpcfix,dc=com" read
        by * none
#######################################################################
# database definitions
#######################################################################

database        bdb
suffix          "dc=ldap,dc=linuxpcfix,dc=com"
checkpoint      1024 15
rootdn          "cn=Manager,dc=ldap,dc=linuxpcfix,dc=com"
rootpw          {SSHA}GtG8bcLGeN/rf1iStKFK2pu0C2EZf/RX
loglevel        256
sizelimit       unlimited
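As an added example (not code from the original article), the following Python reproduces what slappasswd does for a {SSHA} value, verifies a candidate password against such a value, and checks that a slapd.conf text keeps rootpw hashed rather than in plaintext. The slapd.conf fragments inside are constructed and reuse the hash shown above; slapd itself, not this script, does the real verification.

```python
import base64
import hashlib
import hmac
import os

# Added example, not from the original article: what slappasswd produces for
# {SSHA} (base64 of sha1(password + salt) followed by the salt), a verifier for
# such values, and a check that a slapd.conf text keeps rootpw hashed rather
# than in plaintext. Python stand-in; slapd itself does the real verification.

def ssha_hash(password, salt=None):
    """Return an OpenLDAP-style {SSHA} value; slappasswd uses a 4-byte salt."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def ssha_verify(password, stored):
    """Check a candidate password against a {SSHA} value (salt follows digest)."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]            # SHA-1 digest is 20 bytes
    candidate = hashlib.sha1(password.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)

HASHED_SCHEMES = ("{SSHA}", "{SHA}", "{CRYPT}", "{MD5}", "{SMD5}")

def rootpw_is_hashed(slapd_conf):
    """True only if a rootpw directive is present and uses a hash scheme."""
    for line in slapd_conf.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "rootpw":
            return parts[1].startswith(HASHED_SCHEMES)
    return False

# Constructed slapd.conf fragments in the article's layout.
ROOTPW_HASHED = ('rootdn "cn=Manager,dc=ldap,dc=linuxpcfix,dc=com"\n'
                 "rootpw {SSHA}GtG8bcLGeN/rf1iStKFK2pu0C2EZf/RX\n")
ROOTPW_PLAIN = ('rootdn "cn=Manager,dc=ldap,dc=linuxpcfix,dc=com"\n'
                "rootpw secret\n")

if __name__ == "__main__":
    h = ssha_hash("user@147#")
    print(h, ssha_verify("user@147#", h), ssha_verify("wrong", h))
    print(rootpw_is_hashed(ROOTPW_HASHED), rootpw_is_hashed(ROOTPW_PLAIN))
```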

After that, remove the existing LDAP configuration files and database as given below.

[root@linuxpcfix ~]# rm -rf /var/lib/ldap/*
[root@linuxpcfix ~]# rm -rf /etc/openldap/slapd.d/*

Copy the sample DB_CONFIG file to /var/lib/ldap/

[root@linuxpcfix ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

Check /etc/openldap/slapd.conf for errors using the command below.

[root@linuxpcfix ~]# slaptest -u
config file testing succeeded

Change the ownership of /var/lib/ldap/ and /etc/openldap/slapd.d/ to the ldap user and restrict their permissions.

[root@linuxpcfix ~]# chown -Rf ldap. /etc/openldap/slapd.d/
[root@linuxpcfix ~]# chown -Rf ldap. /var/lib/ldap/
[root@linuxpcfix ~]# chmod 700 /var/lib/ldap/
[root@linuxpcfix ~]# chmod 700 /etc/openldap/slapd.d/

Now convert the configuration file into the dynamic configuration under the /etc/openldap/slapd.d/ directory.

[root@linuxpcfix ~]# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
config file testing succeeded

Start the OpenLDAP server, enable it at boot and check that it is listening.

[root@linuxpcfix ~]# service slapd start
Starting slapd:                                            [  OK  ]
[root@linuxpcfix ~]# chkconfig slapd on
root@cm1 [~]# service slapd status
slapd (pid 711055) is running…
root@cm1 [~]# netstat -plan | grep slapd
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 711055/slapd
tcp 0 0 :::389 :::* LISTEN 711055/slapd
unix 2 [ ACC ] STREAM LISTENING 31014188 711055/slapd /var/run/ldapi
unix 2 [ ] DGRAM 31014182 711055/slapd

To enable ldaps, install an SSL certificate using the following steps.
Install the openssl package.

[root@linuxpcfix ~]# yum install openssl

Now generate the certificate and key using the following command.

[root@linuxpcfix ~]# openssl req -newkey rsa:1024 -x509 -nodes -out /etc/pki/tls/certs/ldap.linuxpcfix_pubkey.pem -keyout /etc/pki/tls/certs/ldap.linuxpcfix_privkey.pem -days 365

Set the ownership of the generated certificate and key to ldap.

[root@linuxpcfix ~]# chown ldap.ldap /etc/pki/tls/certs/ldap.linuxpcfix_p*

Modify the certificate file paths in the following config file.

[root@linuxpcfix ~]# vi /etc/openldap/slapd.d/cn\=config.ldif
olcTLSCertificateFile: /etc/pki/tls/certs/ldap.linuxpcfix_pubkey.pem
olcTLSCertificateKeyFile: /etc/pki/tls/certs/ldap.linuxpcfix_privkey.pem

Now edit the file /etc/sysconfig/ldap as given below.

[root@linuxpcfix ~]# vim /etc/sysconfig/ldap
SLAPD_LDAP=no
SLAPD_LDAPI=no
SLAPD_LDAPS=yes

Restart the slapd process.

[root@linuxpcfix ~]# service slapd restart
Stopping slapd:                                            [  OK  ]
Starting slapd:                                            [  OK  ] 

Create a base for the DIT (Directory Information Tree) using the following file.

[root@linuxpcfix ~]# cd /etc/openldap/schema
[root@linuxpcfix ~]# vi dit.ldif

Append the following lines.

# Base entry for the suffix configured in slapd.conf (ldapadd needs it first)
dn: dc=ldap,dc=linuxpcfix,dc=com
objectClass: dcObject
objectClass: organization
dc: ldap
# the o value is an assumption; use your own organisation name
o: linuxpcfix

# Setup a Users OU (the user entry below is created under it)
dn: ou=Users,dc=ldap,dc=linuxpcfix,dc=com
objectClass: organizationalUnit
ou: Users

# Setup a Groups OU
dn: ou=Groups,dc=ldap,dc=linuxpcfix,dc=com
objectClass: organizationalUnit
ou: Groups

dn: ou=Admins,dc=ldap,dc=linuxpcfix,dc=com
objectClass: organizationalUnit
ou: Admins

# Setup a user with name firstuser with some basic info
dn: uid=firstuser,ou=Users,dc=ldap,dc=linuxpcfix,dc=com
uid: firstuser
cn: firstuser
sn: 1
objectClass: top
objectClass: posixAccount
objectClass: inetOrgPerson
loginShell: /bin/bash
homeDirectory: /home/firstuser
uidNumber: 15000
gidNumber: 10000
# prefer a {SSHA} value from slappasswd here; a plaintext value is stored as-is
userPassword: user@147#
mail: emailid@userdomain.com
gecos: firstuser User

# Setup a ldapusers group under Groups OU
dn: cn=ldapusers,ou=Groups,dc=ldap,dc=linuxpcfix,dc=com
objectClass: posixGroup
objectClass: top
cn: ldapusers
userPassword: user@147#
gidNumber: 10000
# memberUid takes the bare uid value, not an RDN
memberUid: firstuser
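ldapadd applies an LDIF file in order and stops with "no such object" when an entry's parent has not been created yet, so it pays to check a file like dit.ldif before loading it. The following Python preflight check is an added example, not part of the original article: it verifies that every entry's parent is the suffix or an earlier entry, flags plaintext userPassword values, and flags memberUid values written as RDNs. The suffix is the one used in this article; the sample LDIF at the end is constructed.

```python
import re

# Added example, not from the original article: a preflight check on an LDIF
# file before ldapadd. ldapadd loads entries in file order and fails with
# "no such object" when a parent does not exist yet, so every entry's parent
# must be the suffix or an entry defined earlier in the same file.
# Single-line "attr: value" lines only (no base64 or continuation lines).
SUFFIX = "dc=ldap,dc=linuxpcfix,dc=com"              # the article's suffix
HASHED = ("{SSHA}", "{SHA}", "{CRYPT}", "{MD5}", "{SMD5}")

def parse_ldif(text):
    """Return [(dn, {attr: [values]})] in file order, attr names lowercased."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):   # blank line ends an entry
        attrs, dn = {}, None
        for line in block.splitlines():
            if line.startswith("#"):                   # comments are ignored
                continue
            attr, _, value = line.partition(":")
            attr, value = attr.strip().lower(), value.strip()
            if attr == "dn":
                dn = value
            else:
                attrs.setdefault(attr, []).append(value)
        if dn:
            entries.append((dn, attrs))
    return entries

def parent_dn(dn):
    # drop the leftmost RDN; a comma escaped as "\," is not a separator
    return ",".join(re.split(r"(?<!\\),", dn)[1:])

def preflight(text, suffix=SUFFIX):
    """List the problems ldapadd (or a security review) would trip over."""
    problems, seen = [], {suffix.lower()}
    for dn, attrs in parse_ldif(text):
        parent = parent_dn(dn).lower()
        if dn.lower() != suffix.lower() and parent not in seen:
            problems.append(f"{dn}: parent {parent} is not defined earlier")
        for pw in attrs.get("userpassword", []):
            if not pw.startswith(HASHED):
                problems.append(f"{dn}: userPassword is plaintext, use slappasswd")
        for member in attrs.get("memberuid", []):
            if "=" in member:
                problems.append(f"{dn}: memberUid takes a bare uid, not '{member}'")
        seen.add(dn.lower())
    return problems

# Constructed sample: the user sits under ou=Users, which the file never creates.
SAMPLE = """dn: uid=firstuser,ou=Users,dc=ldap,dc=linuxpcfix,dc=com
userPassword: user@147#
"""
```

Running `preflight(open("dit.ldif").read())` before `ldapadd -f dit.ldif` reports the missing parent and the plaintext password; an empty list means the file should load in order.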

After that, modify the ldap.conf file as given below.

[root@linuxpcfix ~]# vi /etc/openldap/ldap.conf
TLS_REQCERT allow
BASE dc=ldap,dc=linuxpcfix,dc=com
URI ldap://ldap.linuxpcfix.com
# or, over ldaps (slapd listens on 636 by default)
URI ldaps://ldap.linuxpcfix.com:636
# HOST takes the LDAP server IP address
HOST 12x.12x.12x.12x

Now update the directory information tree with the entries in the file dit.ldif.

[root@linuxpcfix ~]# ldapadd -x -D "cn=Manager,dc=ldap,dc=linuxpcfix,dc=com" -W -f dit.ldif -H ldaps://ldap.linuxpcfix.com
Enter LDAP Password:
adding new entry "dc=ldap,dc=linuxpcfix,dc=com"
adding new entry "ou=Users,dc=ldap,dc=linuxpcfix,dc=com"
adding new entry "ou=Groups,dc=ldap,dc=linuxpcfix,dc=com"
adding new entry "uid=firstuser,ou=Users,dc=ldap,dc=linuxpcfix,dc=com"
adding new entry "cn=ldapusers,ou=Groups,dc=ldap,dc=linuxpcfix,dc=com"

Search the DIT using the following command to find the newly added entries.

[root@linuxpcfix ~]# ldapsearch -x -b "dc=ldap,dc=linuxpcfix,dc=com" -H ldaps://ldap.linuxpcfix.com

Client configuration.

[root@localhost ~]# yum install sssd openldap-clients
[root@localhost ~]# vi /etc/openldap/ldap.conf
ssl     start_tls
TLS_REQCERT    allow
TLS_CACERTDIR /etc/openldap/cacerts
BASE    dc=ldap,dc=linuxpcfix,dc=com
URI     ldap://ldap.linuxpcfix.com
# HOST takes the LDAP server IP address
HOST    <ldap server ip address>

Create an sssd.conf file at /etc/sssd/sssd.conf.

[root@localhost ~]# vi /etc/sssd/sssd.conf
# sssd requires the section headers below and refuses to start unless the
# file is owned by root with mode 0600
[sssd]
services = nss, pam
domains = default

[domain/default]
id_provider = ldap
chpass_provider = ldap
ldap_search_base = dc=ldap,dc=linuxpcfix,dc=com
ldap_uri = ldap://ldap.linuxpcfix.com/
# or with ldaps
#ldap_uri = ldaps://ldap.linuxpcfix.com/
ldap_id_use_start_tls = True
ldap_chpass_uri = ldaps://ldap.linuxpcfix.com/
ldap_tls_cacertdir = /etc/openldap/cacerts
# the posixGroup entries above use memberUid (the rfc2307 default);
# uniquemember only applies to groupOfUniqueNames groups
#ldap_group_member = uniquemember
cache_credentials = True
entry_cache_timeout = 600
ldap_network_timeout = 3
krb5_server = ldap.linuxpcfix.com
krb5_kdcip = ldap.linuxpcfix.com

Enable LDAP authentication on the client system as given below.

[root@localhost ~]# authconfig-tui

Then provide the required information in the dialog box, or apply the same settings from the command line and check that the LDAP user resolves.

[root@localhost ~]# authconfig --enablesssd --enablesssdauth --enablelocauthorize --enablemkhomedir --update
[root@localhost ~]# getent passwd firstuser
firstuser:*:15000:10000:firstuser User:/home/firstuser:/bin/bash
[root@localhost ~]# id firstuser
uid=15000(student1) gid=10000(ldapusers) groups=10000(ldapusers)

After that, log in to the client system as the LDAP user.

[root@localhost ~]# su - firstuser
Creating directory '/home/firstuser'.
[firstuser@localhost ~]$ pwd
/home/firstuser

Troubleshooting:
In case you get an error like the one below:
bdb_db_open: database "dc=ldap,dc=linuxpcfix,dc=com": db_open(/var/lib/ldap/id2entry.bdb) failed: No such file or directory (2).

then initialize the database files in the /var/lib/ldap directory.

[root@linuxpcfix ~]# echo "" | slapadd -f /etc/openldap/slapd.conf

After this, run the conversion command again.

[root@linuxpcfix ~]# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d

About

I am founder and webmaster of www.linuxpcfix.com and working as a Sr. Linux Administrator (Expertise on Linux/Unix & Cloud Server) and have been in the industry since more than 14 years.
