LDAP SERVER & CLEINT CONFIGURATION RHEL 6 WITH LTS

      I made this page to help anyone to install and configuration ldap server and client I hope it will be easy for all.

Packages Required

We need to install the following packages for both ldap server and client except migrationtools-47-7.el6.noarch it will be on server only.

compat-openldap-2.3.43-2.el6.i686

openldap-servers-2.4.23-15.el6.i686

openldap-clients-2.4.23-15.el6.i686

openldap-2.4.23-15.el6.i686

openldap-devel-2.4.23-15.el6.i686

nss-pam-ldapd-0.7.5-7.el6.i686

migrationtools-47-7.el6.noarch 2

Server side configuration

We need to run the following command at server side:

1- # cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf

2- #vim /etc/openldap/slapd.conf you need to change few things based one photo below 

3- To enable TLS you should add the following lines in /etc/openldap/slapd.conf

TLSCipherSuite HIGH:MEDIUM:+SSLv2:+SSLv3:RSA

TLSCACertificateFile /etc/openldap/cacerts/server.pem

TLSCertificateFile /etc/openldap/cacerts/server.pem

TLSCertificateKeyFile /etc/openldap/cacerts/server.pem

TLSVerifyClient allow

4- Under /etc/openldap/slapd.d/ you will see folder called cn=config we need to add few lines at the following file olcDatabase={1}bdb.ldif

5- vim /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{1\}bdb.ldif and the lines below  

olcRootPW: {SSHA}ccFKiy8ska8IhNwwlaNYxiBNbilWe5M1(output of slappasswd)

olcTLSCertificateFile: /etc/openldap/cacerts/server.pem

olcTLSCertificateKeyFile: /etc/openldap/cacerts/server.pem 3

6- after finished editing file press Esc and press : to be in command mode in vim like the command below

:%s/dc=my-domain,dc=com/dc=your_domain,dc=com/g then press :x

7- that above command will replace my-domain and com with new domain

8- Copy a default DB_CONFIG file which sets cache and tuning options for the Berkley database backend (this also needs to be writeable by the ldap user). cp /usr/share/doc/openldap-servers-*/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

9- Create test user to make test with this user ldapuser1 and ldapuser2 through the following command

#useradd –g users ldapuser1

#passwd ldapuser1 and set user password

10- Now we need to create ldap db through the following command

#vim /usr/share/migrationtools/migrate_common.ph

# in command mode at vim for above file you should write the following

:%s/dc=my-domain,dc=com/dc=your_domain,dc=com/g

Then press :x to save your change

#cd /usr/share/migrationtools

#./migrate_all_offline.sh this will rebuild ldap DB under /var/lib/ldap

11- Now you should change owner ship of ldap DB files to ldap and ldap group too through the following command

#chown –R ldap.ldap /var/lib/ldap

#chown –R ldap.ldap /etc/openldap/slapd.d

Enable TLS

12- Now we will create certificate file to enable TLS through openssl command please check commands below:

#cd /etc/openldap/cacerts/

#openssl req -newkey rsa:1024 -x509 -nodes -out server.pem –keyout\ server.pem -days 3650

Then fill information like country stat.

13- Now you have certificate file for both server and client side at same file we will the following command to create separate certificate file for client side

#grep -A 100 CERTIFICATE server.pem > client.pem

#chown -R ldap:ldap /etc/openldap/cacerts/

14- vim /etc/sysconfig/ldap then change the following like from no to yes

SLAPD_LDAPS=yes 4

dn: dc=your_domain,dc=com

dc: your_domain

objectClass: top

objectClass: domain

dn: ou=People,dc= your_domain,dc= com

ou: People

objectClass: top

objectClass: organizationalUnit

dn: ou=Group,dc= your_domain,dc=com

ou: Group

objectClass: top

objectClass: organizationalUnit

Base domain configuration & migration

15- we need to creat ldif file under /etc/openldap/schema/ not must to create it under this path but to collect all config files of ldap under one place this files it will help us to add user in ldap server

# cd /etc/openldap/schema/

#vim base.ldif

# /usr/share/migrationtools/migrate_passwd.pl /etc/passwd people.ldif

# /usr/share/migrationtools/migrate_group.pl /etc/group group.ldif

16- now you can start sldap service by the following command:

# /etc/rc.d/init.d/slapd start

Test server configuration

17- Now we need to verify our config work fine or not first we need to check is ldaps ports by the following commands

#netstat -lt | grep ldaps

tcp 0 0 *:ldaps *:* LISTEN

tcp 0 0 *:ldaps *:* LISTEN 5

adding new entry "dc= your_domain,dc=com"

adding new entry "ou=People,dc= your_domain,dc=com"

adding new entry "ou=Group,dc= your_domain,dc=com"

# ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts

The output it should be like the following lines

# extended LDIF

#

# LDAPv3

# base <> with scope baseObject

# filter: (objectclass=*)

# requesting: namingContexts

#

#

dn:

namingContexts: dc=testnv,dc=com

# search result

search: 2

result: 0 Success

# numResponses: 2

# numEntries: 1

18- Now we will try to add Admin user in ldap by the following command:

#ldapadd -x -W -D "cn=Admin,dc=your_domain,dc=com" -f \ /etc/openldap/schema/base.ldif

After that command you should enter the ldap password you had entered by command slappasswd and you should see result like the box below

Client Configuration

Now that we have a server which is responding correctly, we can configure our clients to authenticate to the LDAP server.

There is easy tool configure the machine as ldap client it called system-config-authentication.

We will explain how to use it below 6

19- From command line at client machine run

# system-config-authentication &

You will get at your screen the following photo

20- Please note you should replace testnv and come with your domain name.

21- You must use ldap password for authentication method

22- Check box for use TLS to encrypt connections

23- The file called client.pem we had created before you should upload it on http web server or ftp

We will use here http server for example http://xx.xx.xx.xx/rhel6/client.pem then press apply. 7

Client configuration verification

24- After filling information at above box you need to check first the certificate file loaded correctly at your system through the following command

# cd /etc/openldap/cacerts

Run ls with l option you will see the client.pem name converted to authconfig_downloaded.pem

as command output showed

# ll

total 4

-rw-r--r-- 1 root root 1038 Sep 23 15:42 authconfig_downloaded.pem

lrwxrwxrwx 1 root root 25 Sep 23 18:38 fde58659.0 -> authconfig_downloaded.pem  

25- We need to check network switch by # vi /etc/nsswitch.conf

You will see the tool added sss passwd, shadow and group section please check the photo below. 8

26- We need to check now ldap.conf under /etc/openldap

The photo below will show what line has added in that file

27- At sssd.conf under /etc/sssd you should see the same like photo above at end of this file under [domain/default] section

28- The last file you should check configuration at it password-auth under /etc/pam.d

Add new user at ldap server how to

To add new user at ldap server we need to do the following steps

29- Run useradd command at ldap server

A) #useradd newuser ; passwd newuser

B) we need to migrate new user base on the following commands explain

C) #cat /etc/passwd | grep newuser > /etc/openldap/schema/newuser

D) # /usr/share/migrationtools/migrate_passwd.pl /etc/openldap/schema/newuser \ /etc/openldap/schema/ newuser.ldif

E) Also we need to update ldap user group by run the following command

# cat /etc/group | grep newuser > newuser.group

#/usr/share/migrationtools/migrate_group.pl newuser.group newuser.group.ldif

F) Now you can run ldapadd like example below to update ldap with new users

#ldapadd -cxWD cn=Admin,dc=testnv,dc=com -f newuser.ldif

Also we need to update ldap with new users groups by run the following command

#ldapadd -cxWD cn=Admin,dc=testnv,dc=com -f newuser.group.ldif

30- Now we need to share /home via nfs service

#vim /etc/exports and add the lines below

/home *(rw,sync)

# service nfs restart

31- At client we need to enable auto mount for ldap server home directory vi the following steps

A) #vi /etc/auto.master ( add the following line)

/home /etc/auto.home --timeout 60

Then save via :x

B) create new file under /etc called aut.home

#vi /etc/auto.home ( add the following line at this file)

* -fstype=nfs,rw,intr,rsize=32768,wsize=32768,hard,bg,nosuid,noexec,tcp you_nfs_server_ip:/home/&

C) we need to restart autofs via service command

# service autofs restart

D) at ldap client you can try to run su command followed by newuser as example below showing

[root@localhost ~]# su - newuser

[newuser@localhost ~]$

now your ldap server working fine and have a nice day