Scribd Logo
Upload

Welcome to Scribd!

  • 106 views

    Ldap Server Configuration

    Uploaded by

    Saminadane Thiyagarajan
    This document provides instructions for installing and configuring an OpenLDAP server on CentOS 7 without using an LDAP migration tool. It describes installing required packages, configuring the LDAP server, importing an LDIF file, adding certificates, enabling LDAPS, configuring logging, setting firewall rules, and verifying the installation. Key steps include editing configuration files, generating passwords, importing the first entry, and adding several schema files. The goal is to set up a basic working OpenLDAP directory service.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd

    Ldap Server Configuration

    Uploaded by

    Saminadane Thiyagarajan
    106 views20 pages
    This document provides instructions for installing and configuring an OpenLDAP server on CentOS 7 without using an LDAP migration tool. It describes installing required packages, configuring the LDAP server, importing an LDIF file, adding certificates, enabling LDAPS, configuring logging, setting firewall rules, and verifying the installation. Key steps include editing configuration files, generating passwords, importing the first entry, and adding several schema files. The goal is to set up a basic working OpenLDAP directory service.

    Original Title

    Ldap Server Configuration(1)

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    This document provides instructions for installing and configuring an OpenLDAP server on CentOS 7 without using an LDAP migration tool. It describes installing required packages, configuring the LDAP server, importing an LDIF file, adding certificates, enabling LDAPS, configuring logging, setting firewall rules, and verifying the installation. Key steps include editing configuration files, generating passwords, importing the first entry, and adding several schema files. The goal is to set up a basic working OpenLDAP directory service.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Download as pdf or txt
    106 views20 pages

    Ldap Server Configuration

    Uploaded by

    Saminadane Thiyagarajan
    This document provides instructions for installing and configuring an OpenLDAP server on CentOS 7 without using an LDAP migration tool. It describes installing required packages, configuring the LDAP server, importing an LDIF file, adding certificates, enabling LDAPS, configuring logging, setting firewall rules, and verifying the installation. Key steps include editing configuration files, generating passwords, importing the first entry, and adding several schema files. The goal is to set up a basic working OpenLDAP directory service.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Download as pdf or txt
    of 20

    Openldap server configuration without ldap migration

    tool

    OpenLdap
    LDAP Directory Server Installation and configuration. Description: Lightweight Directory
    Access Protocol (LDAP) is a means of serving data on individuals, system users, network devices
    and systems over the network for e-mail clients, applications requiring authentication or
    information.

    Uses Of OpenLdap
    1- LDAP not only keeps a list of users, you can use it as storage for your files.
    2- It can be used for authenticating users as we mentioned above.
    3- LDAP can be used as a yellow pages directory service for an organization to provide
    information about users or employees, departments, contact information, phone numbers,
    addresses, private data or whatever.

    What is my setup?

    Server: Centos-7 www.linuxpert.com 172.16.10.7/16

    Tasks we will be doing


    Install software packages for OpenLDAP
    Configure LDAP & logging
    Set up firewall rules
    Do a first import of an ldif file
    Verify our first import
    Create ldap users
    Manualy
    LdapAdmin.exe

    Installing OpenLDAP
    1- Install The All Required Packages
    # yum install -y openldap openldap-clients openldap-servers

    2- Verify the installation using the below command

    # rpm -qa | grep openldap


    openldap-clients-2.4.40-13.el7.x86_64
    openldap-2.4.40-13.el7.x86_64
    openldap-servers-2.4.40-13.el7.x86_64

    3- Now Configure OpenLDAP Server

    # cd /etc/openldap/slapd.d/cn\=config

    4- Find out which files you need to update using the below grep command

    # grep my-domain *

    olcDatabase={1}monitor.ldif: al,cn=auth" read by dn.base="cn=Manager,dc=my-


    domain,dc=com" read by * none
    olcDatabase={2}hdb.ldif:olcSuffix: dc=my-domain,dc=com

    5- Open these two files in vi editor and change all occurrences of my-
    domain to linuxpert. I opened them and changed it with the following vi
    command ":%s/my-domain/linuxpert/"

    # vim olcDatabase\=\{1\}monitor.ldif

    # AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.


    # CRC32 6ba73e26
    dn: olcDatabase={1}monitor
    objectClass: olcDatabaseConfig
    olcDatabase: {1}monitor
    olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=extern
    al,cn=auth" read by dn.base="cn=Manager,dc=my-domain,dc=com" read by * none
    structuralObjectClass: olcDatabaseConfig
    entryUUID: d170f806-1d9c-1037-96e2-afed7615c980
    creatorsName: cn=config
    createTimestamp: 20170825045136Z
    entryCSN: 20170825045136.003135Z#000000#000#000000
    modifiersName: cn=config
    modifyTimestamp: 20170825045136Z
    :%s/my-domain/linuxpert

    :wq! (Save & Quit)

    # vim olcDatabase\=\{2\}hdb.ldif

    # AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.


    # CRC32 d7a0a170
    dn: olcDatabase={2}hdb
    objectClass: olcDatabaseConfig
    objectClass: olcHdbConfig
    olcDatabase: {2}hdb
    olcDbDirectory: /var/lib/ldap
    olcSuffix: dc=my-domain,dc=com
    olcRootDN: cn=Manager,dc=my-domain,dc=com
    olcDbIndex: objectClass eq,pres
    olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
    structuralObjectClass: olcHdbConfig
    entryUUID: d17107f6-1d9c-1037-96e3-afed7615c980
    creatorsName: cn=config
    createTimestamp: 20170825045136Z
    entryCSN: 20170825045136.003543Z#000000#000#000000
    modifiersName: cn=config
    modifyTimestamp: 20170825045136Z

    :%s/my-domain/linuxpert

    :wq! (Save & Quit)

    5- Generate a LDAP encrypted password for Manager user

    # slappasswd

    New password:
    Re-enter new password:
    {SSHA}PlOJU60HjF+WTt9/8L10fjPyTugQ79V

    Copy the above password hash. We need to add it to one config files. Open up the following one
    files and Look for line that starts with olcRootDN.

    Add the following line next to this line in the above one files

    # vim olcDatabase\=\{2\}hdb.ldif
    olcRootDN: cn=Manager,dc=linuxpert,dc=com
    olcRootPW: {SSHA}PbLFyieb9d0mPWSEbcfqRs0gMSutJXzE

    :wq (Save & Quit)

    6- Generate a X509 self sign certificate which is valid for 365 days:

    # openssl req -new -x509 -nodes -out /etc/pki/CA/cacert.pem -keyout


    /etc/pki/CA/private/cakey.pem -days 365

    Generating a 2048 bit RSA private key


    ...............................................+++
    ...........+++
    writing new private key to '/etc/pki/CA/private/cakey.pem'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:IN
    State or Province Name (full name) []:NEW DELHI
    Locality Name (eg, city) [Default City]:DELHI
    Organization Name (eg, company) [Default Company Ltd]:Mauryanpentool.com
    Organizational Unit Name (eg, section) []:Linux
    Common Name (eg, your name or your server's hostname) []:www.linuxpert.com
    Email Address []:ashutoshsmaurya@gmail.com

    # cd /etc/pki/CA/
    # chown ldap:ldap cacert.pem
    # cd /etc/pki/CA/private/
    # chown ldap:ldap cakey.pem
    # chmod 600 cakey.pem

    7- Add certificate file in "olcDatabase={2}bdb.ldif"


    # vim /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}hdb.ldif

    olcRootDN: cn=Manager,dc=linuxpert,dc=com
    olcRootPW: {SSHA}PbLFyieb9d0mPWSEbcfqRs0gMSutJXzE
    olcTLSCertificateFile: /etc/pki/CA/cacert.pem
    olcTLSCertificateKeyFile: /etc/pki/CA/private/cakey.pem

    :wq (Save & Quit)

    7- Copy database config file

    Copy DB_CONFIG.example from /usr/share/openldap-servers to /var/lib/ldap and set correct


    permissions as shown below

    # cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
    # chown -R ldap.ldap /var/lib/ldap

    8- Enable LDAPS

    # vim /etc/sysconfig/slapd

    SLAPD_URLS="ldapi:/// ldap:/// ldaps:///"

    :wq (Save & Quit)

    9- Configure LDAP Logging


    now let’s set up logging. Open /etc/rsyslog.conf

    # vim /etc/rsyslog.conf

    # Add the below line


    # Ldap Log
    local4.* /var/log/slapd/slapd.log

    :wq (Save & Quit)

    # mkdir /var/log/slapd
    # chmod 755 /var/log/slapd
    # chown ldap.ldap /var/log/slapd

    10- Ldap server uses the following ports. We need to add firewalled rules to
    allow connections on port 389 (LDAP) and 636 (LDAPS Add the below
    Firewalled rule).

    # firewall-cmd --permanent --add-port=389/tcp


    # firewall-cmd --permanent --add-port=636/tcp
    # firewall-cmd –reload

    11- Restart Services

    # systemctl restart rsyslog


    # systemctl restart firewalld
    # systemctl start slapd
    # systemctl enable slapd

    12- Set up first import using ldapadd (Create a file named firstimport.ldif)

    # vim firstimport.ldif

    dn: dc=linuxpert,dc=com
    dc: linuxpert
    o: linuxpert
    objectclass: dcobject
    objectclass: organization

    # ldapadd -x -D "cn=Manager,dc=linuxpert,dc=com" -W -f firstimport.ldif

    Enter LDAP Password:


    adding new entry "dc=linuxpert,dc=com"

    Enter the admin password that you created earlier when asked. This command will add the root
    entry to the ldap server.

    -x : use simple authentication instead of SASL


    -D : binddn, the distinguished name to bind to the ldap directory
    -W : prompt for authentication instead of entering password in the command line
    -f : read information from the given file instead of the standard input

    13- Verify import using ldapsearch

    Now that we have added a single entry, we will verify it by querying the ldap server as below
    # ldapsearch -x -b dc=linuxpert,dc=com

    # extended LDIF
    #
    # LDAPv3
    # base <dc=linuxpert,dc=com> with scope subtree
    # filter: (objectclass=*)
    # requesting: ALL
    #
    # linuxpert.com
    dn: dc=linuxpert,dc=com
    dc: linuxpert
    o: linuxpert
    objectClass: dcObject
    objectClass: organization

    # search result
    search: 2
    result: 0 Success

    # numResponses: 2
    # numEntries: 1

    If you want to see the actual query output without comments and ldap version information use -
    LLL option as shown below.

    # ldapsearch -x -LLL -b dc=linuxpert,dc=com

    dn: dc=linuxpert,dc=com
    dc: linuxpert
    o: linuxpert
    objectClass: dcObject
    objectClass: organization

    14- Add schema file

    Note- Schema file by default added in rhel-6 & Centos-6 and you can check in this location "# ls
    /etc/openldap/slapd.d/cn\=config/cn\=schema/") and no need to add this file in rhel-6 &
    centos-6.

    # cd /etc/openldap/schema

    # ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f cosine.ldif


    SASL/EXTERNAL authentication started
    SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    SASL SSF: 0
    adding new entry "cn=cosine,cn=schema,cn=config"

    # ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f nis.ldif

    SASL/EXTERNAL authentication started


    SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    SASL SSF: 0
    adding new entry "cn=nis,cn=schema,cn=config"

    # ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f collective.ldif

    SASL/EXTERNAL authentication started


    SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    SASL SSF: 0
    adding new entry "cn=collective,cn=schema,cn=config"

    # ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f corba.ldif

    SASL/EXTERNAL authentication started


    SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    SASL SSF: 0
    adding new entry "cn=corba,cn=schema,cn=config"

    # ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f core.ldif

    SASL/EXTERNAL authentication started


    SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    SASL SSF: 0
    adding new entry "cn=core,cn=schema,cn=config"
    ldap_add: Other (e.g., implementation specific) error (80)
    additional info: olcAttributeTypes: Duplicate attributeType: "2.5.4.2"

    # ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f duaconf.ldif

    SASL/EXTERNAL authentication started


    SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    SASL SSF: 0
    adding new entry "cn=duaconf,cn=schema,cn=config"

    # ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f dyngroup.ldif


    SASL/EXTERNAL authentication started
    SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    SASL SSF: 0
    adding new entry "cn=dyngroup,cn=schema,cn=config"

    # ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f inetorgperson.ldif

    SASL/EXTERNAL authentication started


    SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    SASL SSF: 0
    adding new entry "cn=inetorgperson,cn=schema,cn=config"

    # ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f java.ldif

    SASL/EXTERNAL authentication started


    SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    SASL SSF: 0
    adding new entry "cn=java,cn=schema,cn=config"

    # ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f misc.ldif

    SASL/EXTERNAL authentication started


    SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    SASL SSF: 0
    adding new entry "cn=misc,cn=schema,cn=config"

    # ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f openldap.ldif

    SASL/EXTERNAL authentication started


    SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    SASL SSF: 0
    adding new entry "cn=openldap,cn=schema,cn=config"

    # ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f pmi.ldif

    SASL/EXTERNAL authentication started


    SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    SASL SSF: 0
    adding new entry "cn=pmi,cn=schema,cn=config"

    # ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f ppolicy.ldif


    SASL/EXTERNAL authentication started
    SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    SASL SSF: 0
    adding new entry "cn=ppolicy,cn=schema,cn=config"

    # cd

    Note- You can add schema files according to your need

    15- LDAP Users Management

    1- Use Manually (Command’s)


    2- Use LDAPADMIN.EXE (Windows Software)

    First Use Manually

    Add OU (organizational units)-

    # vim usersou.ldif

    dn: ou=users,dc=linuxpert,dc=com
    ObjectClass: organizationalUnit
    ou: users
    dn: ou=groups,dc=linuxpert,dc=com
    ObjectClass: organizationalUnit
    ou: groups

    :wq (Save & Quit)

    Now add it to LDAP using the below command

    # ldapadd -x -D "cn=Manager,dc=linuxpert,dc=com" -W -f usersou.ldif

    Enter LDAP Password:


    adding new entry "ou=users,dc=linuxpert,dc=com"

    adding new entry "ou=groups,dc=linuxpert,dc=com"

    We shall add a user to the newly created users organizational unit. Create a file named users.ldif
    and enter the below content.
    Add user

    # vim users.ldif

    dn: cn=ashu,ou=groups,dc=linuxpert,dc=com
    cn: ashu
    objectClass: top
    objectClass: posixGroup
    gidNumber: 5000

    dn: uid=ashu,ou=users,dc=linuxpert,dc=com
    cn: Ashu Linux
    givenName: Ashu
    sn: Linux
    uid: ashu
    uidNumber: 5003
    gidNumber: 5003
    homeDirectory: /home/ashu
    objectClass: top
    objectClass: posixAccount
    objectClass: shadowAccount
    objectClass: inetOrgPerson
    objectClass: organizationalPerson
    objectClass: person
    loginShell: /bin/bash
    userPassword: {CRYPT}*

    :wq (Save & Quit)

    # ldapadd -x -D "cn=Manager,dc=linuxpert,dc=com" -W -f users.ldif

    Enter LDAP Password:


    adding new entry "cn=ashu,ou=groups,dc=linuxpert,dc=com"

    adding new entry "uid=ashu,ou=users,dc=linuxpert,dc=com"

    Set up password for the newly created user using the below command

    # ldappasswd -x -D "cn=Manager,dc=linuxpert,dc=com" -W -S
    "uid=ashu,ou=users,dc=linuxpert,dc=com"
    New password: *******
    Re-enter new password: ******
    Enter LDAP Password: ***************

    We are done adding an user and his primary group. Query LDAP for users Lets query the user
    we created in the previous step. You can use any of the user fields to query ldap. Try the
    following search commands.

    # ldapsearch -x -LLL "uid=ashu" -b "ou=users,dc=linuxpert,dc=com"

    dn: uid=ashu,ou=users,dc=linuxpert,dc=com
    cn: Ashu Linux
    givenName: Ashu
    sn: Linux
    uid: ashu
    uidNumber: 5003
    gidNumber: 5003
    homeDirectory: /home/ashu
    objectClass: top
    objectClass: posixAccount
    objectClass: shadowAccount
    objectClass: inetOrgPerson
    objectClass: organizationalPerson
    objectClass: person
    loginShell: /bin/bash
    userPassword:: e1NTSEF9NnBrV1pGUlVTT1JDVjVzMkFtdzdhUWtUM2FzUjdDQVM=

    OR

    # ldapsearch -x -LLL "cn=Ashu Linux" -b "ou=users,dc=linuxpert,dc=com"

    dn: uid=ashu,ou=users,dc=linuxpert,dc=com

    cn: Ashu Linux

    givenName: Ashu

    sn: Linux

    uid: ashu

    uidNumber: 5003
    gidNumber: 5003

    homeDirectory: /home/ashu

    objectClass: top

    objectClass: posixAccount

    objectClass: shadowAccount

    objectClass: inetOrgPerson

    objectClass: organizationalPerson

    objectClass: person

    loginShell: /bin/bash

    userPassword:: e1NTSEF9NnBrV1pGUlVTT1JDVjVzMkFtdzdhUWtUM2FzUjdDQVM=

    Search All User

    # ldapsearch -x -LLL "cn=*" -b "ou=users,dc=linuxpert,dc=com"

    Delete Ldap User-

    # ldapdelete -W -D "cn=Manager,dc=linuxpert,dc=com"
    "uid=user1,ou=users,dc=linuxpert,dc=com"

    Enter LDAP Password:

    Use LDAPADMIN.EXE @Windows


    Ldap Admin is a free Windows LDAP client and administration tool for LDAP directory
    management. This application lets you browse, search, modify, create and delete objects on
    LDAP server. It also supports more complex operations such as directory copy and move
    between remote servers and extends the common edit functions to support specific object types
    (such as groups and accounts).

    First Download Ldapadmin.exe file below mention url

    http://www.ldapadmin.org/download/ldapadmin.html

    Run LdapAdmin.exe File


    Now open ldap admin

    Click to start and click connect


    Click to New Connection-

    Enter the LDAP Server details


    Click Test Connection

    Click Ok  Ok
    Now you can see the Ldap Server
    Double click the LDAP Server
    Create new user-> Right Click on OU Users -> New  User- >
    Right Click uid=user1  Set password

    Right Click OU=Groups ->> New --> Group


    Click to add button and add user1 -> ok ->ok

    Now u can see the user1 ..

    Search the command Line

    # ldapsearch -x -LLL "cn=*" -b "ou=users,dc=linuxpert,dc=com"

    LDAP Server Configuration Successfully Done.

    -Ashutosh

    Reference- https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/s1-
    ldap-pam.html

    You might also like