System name: ldap.example.com
Domain name: example.com
System IP: 192.168.1.250
Step #1. Requirements
    compat-openldap
    openldap-clients
    openldap-devel
    openldap-servers
    migrationtools
You can install them using the command:
yum install '*openldap*' migrationtools   (quote the glob so the shell does not expand it against files in the current directory)
Step #2.
Create LDAP root user password
[root@ldap ~]# slappasswd
   New password:
   Re-enter new password:
    {SSHA}cWB1VzxDXZLf6F4pwvyNvApBQ8G/DltW
[root@ldap ~]# mkdir -m 700 /var/lib/ldap/example.com
[root@ldap ~]# cp /usr/share/doc/openldap-servers-2.4.19/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@ldap ~]# chown -Rvf ldap:ldap /var/lib/ldap/
Step #3.
Update /etc/openldap/slapd.conf with the root password hash generated in Step #2 (the file then contains a password hash, so keep it readable only by root and the ldap user)
[root@ldap ~]# cp /etc/openldap/slapd.conf.bak /etc/openldap/slapd.conf
[root@ldap ~]# vim /etc/openldap/slapd.conf
Press Esc, run `:%s/my-domain/example/g` and press Enter. Check that the lines below match the config file:
database        bdb
     suffix          "dc=example,dc=com"
     rootdn          "cn=Manager,dc=example,dc=com"
     rootpw           
{SSHA}cWB1VzxDXZLf6F4pwvyNvApBQ8G/DltW 
Step #4. vim /usr/share/migrationtools/migrate_common.ph and change padl to example:
press Esc, run `:%s/padl/example/g`, and check that the lines below (lines 71 and 74) match the config:
$DEFAULT_MAIL_DOMAIN = "example.com";
$DEFAULT_BASE = "dc=example,dc=com";
Step # 5.
Create a domain ldif file (/etc/openldap/example.com.ldif)
[root@ldap ~]# vim /etc/openldap/example.com.ldif
dn: dc=example,dc=com
dc: example
description: LDAP Admin
objectClass: dcObject
objectClass: organizationalUnit
ou: rootobject
dn: ou=People, dc=example,dc=com
ou: people
description: Users of example
objectClass: organizationalUnit
dn: ou=Group, dc=example,dc=com
ou: Group
description: Groups of example
objectClass: organizationalUnit
Step# 6
create a new config files using slaptest command
-----------------------------------------------------------------------------------------
- Delete all files in the directory /etc/openldap/slapd.d/ with the command:

 [root@ezylinux ~]# rm -rf /etc/openldap/slapd.d/*

- Run slaptest to check the configuration file and generate the new configuration in /etc/openldap/slapd.d/:

 [root@ezylinux ~]# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d

- Set permissions on the new configuration directory (owner-only access matters here, because slapd.d now contains the hashed rootpw):

 [root@ezylinux ~]# chown -R ldap:ldap /etc/openldap/slapd.d
 [root@ezylinux ~]# chmod -R 000 /etc/openldap/slapd.d
 [root@ezylinux ~]# chmod -R u+rwX /etc/openldap/slapd.d

# service slapd restart (if it warns about permissions, fix ownership with `chown -Rvf ldap:ldap /var/lib/ldap` or `chown -R ldap:ldap /etc/openldap/slapd.d`)
Step # 7.
Import all users in to the LDAP
Add the Domain ldif file 
[root@ldap ~]# ldapadd -x -D "cn=Manager,dc=example,dc=com"
-W -f  /etc/openldap/example.com.ldif
   Enter LDAP Password:
   adding new entry
"dc=example,dc=com"
   adding new entry
"ou=People, dc=example,dc=com"
  adding new entry
"ou=group, dc=example,dc=com"
[root@ldap ~]#
Add the users:
[root@ldap ~]# mkdir /ldaphome
[root@ldap ~]# useradd -u 1000 -d /ldaphome/testusr testusr
[root@ldap ~]# passwd testusr
   Changing password for user testusr.
   New UNIX password:
   Retype new UNIX password:
   passwd: all authentication tokens updated successfully.
Step # 8.
Migrate local users to LDAP
[root@ldap ~]# grep testusr /etc/passwd > /etc/openldap/passwd.testusr
[root@ldap ~]# grep testusr /etc/group > /etc/openldap/group.testusr
[root@ldap ~]# /usr/share/migrationtools/migrate_passwd.pl /etc/openldap/passwd.testusr /etc/openldap/testusr.ldif
[root@ldap ~]# /usr/share/migrationtools/migrate_group.pl /etc/openldap/group.testusr /etc/openldap/testusr-group.ldif
(the generated testusr.ldif may carry the user's password hash taken from /etc/shadow, so protect it like /etc/shadow and remove it once imported)
Step #9. Adding users and groups into the LDAP server
[root@ldap ~]# ldapadd -x -D "cn=Manager,dc=example,dc=com"
-W -f  /etc/openldap/testusr.ldif
   Enter LDAP Password:
   adding new entry
"uid=ldapuser1,ou=People,dc=example,dc=com"
[root@ldap ~]# ldapadd -x -D "cn=Manager,dc=example,dc=com"
-W -f  /etc/openldap/testusr-group.ldif
   Enter LDAP Password:
   adding new entry
"uid=ldapuser1,ou=Group,dc=example,dc=com"
Step # 10.
Test LDAP Server
It prints all the user information:
[root@ldap ~]# ldapsearch -x -b 'dc=example,dc=com' '(objectclass=*)'
Step# 11
NFS for ldapuser home share:
#yum install nfs-utils
#service rpcbind restart
vim /etc/exports and add the line below (`*` exports the share to every host; restrict it to the LDAP client hosts or subnet in practice):
/ldaphome *(rw,sync)
#chkconfig nfs on
#service nfs restart
Home directory
Creation in LDAP server(optional)
Reference from: http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch31_:_Centralized_Logins_Using_LDAP_and_RADIUS#Create_The_Home_Directory_For_ldapuser_On_The_LDAP_Client
[root@smallfry tmp]# mkdir /ldaphome/wml   (the reference's following commands use /home/ldaphome/wml; on this server use the /ldaphome/wml path created here throughout)
[root@smallfry tmp]# chmod 700 /home/ldaphome/wml
[root@smallfry tmp]# cp /etc/skel/.* /home/ldaphome/wml
cp: omitting directory `/etc/skel/.'
cp: omitting directory `/etc/skel/..'
cp: omitting directory `/etc/skel/.kde'
[root@smallfry tmp]# chown -R wml:group /home/ldaphome/wml
[root@smallfry tmp]#
2.0 Step-by-step OpenLDAP Installation and Configuration of the Client System
LDAP Client Configuration
Step # 1. Installation
[root@ldapclient ~]#  yum
install nss-pam-ldapd nfs-utils autofs
Step # 2. Autofs configuration
[root@ldapclient ~] vim /etc/auto.master
Add the below line in end:
/ldaphome /etc/auto.misc - -timeout=60
[root@ldapclient ~] vim /etc/auto.misc
Add the below line in end
*          -rw,soft,intr     192.168.1.250:/ldaphome/&
[root@ldapclient ~] service autofs stop
[root@ldapclient ~] service autofs start
[root@ldapclient ~] service autofs reload
[root@ldapclient ~] service autofs restart
[root@ldapclient ~] service nfs restart
Step #3. LDAP client settings
[root@ldapclient ~]# setup
In the Authentication Configuration dialog:
         [*] Use LDAP     [*] Use LDAP Authentication
    (both should be checked), then click "Next".
         [ ] Use TLS    (left unchecked in this setup, so bind passwords cross the network in clear text; enable it outside a lab)
         Server: ldap.example.com
         Base DN: dc=example,dc=com
    Click "Ok" to confirm.
                        OR
[root@ldapclient ~]# vim /etc/openldap/ldap.conf
URI ldap://ldap.example.com
BASE dc=example,dc=com
[root@ldapclient ~]# vim /etc/nsswitch.conf
passwd:     files ldap
shadow:     files ldap
group:      files ldap
netgroup:   files ldap
automount:  files ldap
#chkconfig nfs on
#chkconfig autofs on
#chkconfig rpcbind on
[root@ldapclient ~] vim /etc/nslcd.conf
uid nslcd
gid ldap
uri ldap://ldap.example.com
base dc=example,dc=com
ssl no
tls_cacertdir /etc/openldap/cacerts
[root@ldapclient ~] vim /etc/pam_ldap.conf
Comment out the line `host 127.0.0.1`
base dc=example,dc=com
uri ldap://ldap.example.com
ssl no
tls_cacertdir
/etc/openldap/cacerts
pam_password md5
Windows authentication
through LDAP server
Step 1. Install the pGina software and configure it as below.
1.0 Once all the settings are done, use the Plugin Tester tool before rebooting to load your client and test connectivity.
2.0 After that, reboot the machine and try to log in from the Windows machine; you will get the windows shown below.
Ldap commands:
User Password change in ldap server
#ldappasswd -s ilikecheese -D "cn=Manager,dc=example,dc=com" -W -x "uid=aks,ou=People,dc=example,dc=com"
-S = prompt for the user's new password
-s = give the new password on the command line (e.g. `-s likecheese` sets aks's password to likecheese); it is then visible in the shell history and process list, so prefer -S
-W = prompt for the LDAP bind password
User delete from ldap server
#ldapdelete -D "cn=Manager,dc=example,dc=com"
-W          "uid=aks,ou=People,dc=example,dc=com"
Group delete from ldap server
#ldapdelete -D "cn=Manager,dc=example,dc=com" -W "cn=aks,ou=Group,dc=example,dc=com"
Group Ldif modify in ldap server
#ldapmodify -acx -D "cn=admin,dc=techhelplist,dc=com" -w mysecretpassword \
-f users2group.ldif
(-w puts the bind password on the command line, where it shows up in the shell history and process list; -W prompts for it instead)
If you prefer using the ldapmodify utility with the same ldif (by adding entries at the end of the file) then you have to use the -ac options (add, and continue on errors).
 
Below is group.ldif file format
 
dn: cn=accounting,ou=Group,dc=techhelplist,dc=com
objectClass: top
objectClass: posixGroup
cn: accounting
userPassword: {crypt}x
gidNumber: 3000
 
Adding OpenLDAP users to groups
Update the above group as below:
 
dn: cn=accounting,ou=Group,dc=techhelplist,dc=com
changetype: modify
add: memberuid
memberuid: wml
 
dn: cn=accounting,ou=Group,dc=techhelplist,dc=com
changetype: modify
add: memberuid
memberuid: ssn
 
so the wml and ssn users become members of the accounting group
 
PHPLdapAdmin:
 
1. yum install *httpd* php *php-*
2. mv welcome.conf welcome.conf.dist (in /etc/httpd/conf.d/)
3. cd /var/www/html
4. unzip /home/tsg/phpldapadmin-1.2.2.zip
5. mv phpldapadmin-1.2.2 ldapadmin
6. cd ldapadmin/config
7. cp config.php.example config.php
8. service httpd restart
9. Browse to http://<server-ip>/ldapadmin
Apache Configuration for LDAP Authentication:
 
#mkdir /var/www/html/ldaptest
#vim /var/www/html/ldaptest/index.html   (the page goes in the ldaptest directory created above, which the Directory block and test URL below protect)
<b> LDAP TEST PAGE </b>
:wq
 
#vim /etc/httpd/conf/httpd.conf
#Add the below lines
NameVirtualHost 192.168.1.250:80
<VirtualHost 192.168.1.250:80>
    ServerAdmin root@localhost
    DocumentRoot /var/www/html
    ServerName www.ldaptest.com
    ErrorLog logs/www.ldaptest.com-error_log
    CustomLog logs/www.ldaptest.com-access_log common
<Directory "/var/www/html/ldaptest/">
    AuthType Basic
    AuthName "Login with LDAP Username/Password"
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative off
    AuthLDAPUrl ldap://192.168.1.250/ou=People,dc=example,dc=com?uid
    Require valid-user
</Directory>
</VirtualHost>
 
#service httpd restart
 
connect as http://192.168.1.250/ldaptest in browser
 
 
on client side ldap user not found
Sorry yaar, I didn't catch your query.
Copy-pasta on some of this from my website, techhelplist.com.
Could at least give me a shout out.
how to remove openldap server plz
To remove: yum remove openldap-servers
Same as above for all the other packages to remove.