Download - RHEL6 Openldap Server
RHEL6 openldap server configuration step by step
Step 1: first we need to install the required packages:
#yum install openldap-servers migrationtools
Step2:As the configuration for LDAP is stored inside the LDAP server itself the configuration has to be done by editing LDIF files under the/etc/openldap/slapd.d/directory.
Now create the ldap password:
#slappasswd
youll get something like this {SSHA}r2or9f2vYlvieCu0LP6wTnSdYfrddsuV as a result. This is the string we will have to add to the bdb.ldif config file.
# vim/etc/openldap/slapd.d/cn\=config/olcDatabase\=\{1\}bdb.ldif
substitute my-domain.com with yourdomain.com
:%s/dc=my-domain,dc=com/dc=yourdmain,dc=com/g
Step 3:We now set the admin password and specify the location of our encryption certificate and key.
add these 3 lines at the end of the file bdb.ldif file:
olcRootPW: {SSHA}r2or9f2vYlvieCu0LP6wTnSdYfrddsuVolcTLSCertificateFile: /etc/pki/tls/certs/slapdcert.pemolcTLSCertificateKeyFile: /etc/pki/tls/certs/slapdkey.pem
Step 4:Now we have to specify the monitoring privileges
#vim/etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}monitor.ldif
again, we have to replace the default domain name with our domain name
:%s/cn=manager,dc=my-domain,dc=com/cn=Manager,dc=yourdomain,dc=com/g
Step 5:Now its time for the Database Cache
#updatedb#cp/usr/share/doc/openldap-servers-2.4.19/DB_CONFIG.example/var/lib/ldap/DB_CONFIG#chown -Rf ldap:ldap/var/lib/ldap/
Step 6:Now we will need to set up a certificate for TLS. First we need to edit /etc/sysconfig/ldap and change SLAPD_LDAPS from no to yes.
#vi /etc/sysconfig/ldapSLAPD_LDAPS=yes
Now we can create the certificate
#openssl req -new -x509 -nodes -out /etc/pki/tls/certs/slapdcert.pem -keyout /etc/pki/tls/certs/slapdkey.pem -days 365
This will create the two required keys in the /etc/pki/tls/certs/ directory. We need to make them readable for the ldap user.
# chown -Rf root:ldap /etc/pki/tls/certs/$cert.pem# chmod -Rf 750 /etc/pki/tls/certs/$key.pem
Step 7:Time to test our configuration
# slaptest -u
config file testing succeeded
Step 8:Start the ldap server
#service sladp start
lets check if our ldap server really works:
#ldapsearch -x -b dc=yourdomain,dc=com
if you get a search: 2 then your on track!
Step 9:Configure the base domain
#vi base.ldifdn: dc=yourdomain,dc=netdc: yourdomainobjectClass: topobjectClass: domaindn: ou=People,dc=yourdomain,dc=netou: PeopleobjectClass: topobjectClass: organizationalUnitdn: ou=Group,dc=yourdomain,dc=netou: GroupobjectClass: topobjectClass: organizationalUnit
now we import our base information to the ldap directory:
#ldapadd -x -W -D cn=Manager,dc=yourdomain,dc=com -f base.ldif
Step 10:lets migrate the users
Go to the directory /usr/share/migrationtools. Edit the file# vim /usr/share/migrationtools/migrate_common.phSet:
# Default DNS domain$DEFAULT_MAIL_DOMAIN = yourdomain.com;# Default base$DEFAULT_BASE = dc=yourdomain,dc=com;#grep :5[0-9][0-9] /etc/passwd > passwd#grep :5[0-9][0-9] /etc/group > group#./migrate_passwd.pl passwd > users.ldif#./migrate_group.pl group > group.ldif#sed -e s/ou=Group/ou=Groups/g group.ldif > groups.ldifldapadd -x -W -D cn=Manager,dc=yourdomain,dc=com -f users.ldifldapadd -x -W -D cn=Manager,dc=yourdomain,dc=com -f groups.ldif
Step 11:Testing the ldap server. We check if user mani exists#ldapsearch -x cn=mani -b dc=mycompany,dc=com
If the test is successful your done :)
************************All The Best*******************regards cnuvasan
OpenLDAP is an opensource implementation of Lightweight Directory Access Protocal.Read moreabout OpenLDAP Project. I am using CentOS 5 for configuring OpenLDAP server. Below are the steps which I have performed during configuration. This article will help you step by step to Install and Configure OpenLDAP Server.
Network Details: Below is the network details used while writing this article.
System name: openldap.example.com
System IP: 192.168.10.50
Domain Name: example.com
Step 1: Create Test AccountsFirsty create two test user accounts in your linux system using following commnands.
# useradd ldapuser1
# useradd ldapuser2
# passwd ldapuser1
# passwd ldapuser2
Step 2: Install Requird PackagesBelow is list of software required for setup openldap
compat-openldap
openldap-clients
openldap-devel
openldap-servers
openldap-servers-sql
Install all packages using following command.
# yum install *openldap* -y
Step 3: Setup OpenLDAP root PasswordAfter installing openldap packages, First create OpenLDAP root user password
# slappasswd
New password:
Re-enter new password:
{SSHA}BONOBgJZNZc3A+UFq3fcjRn2YHsZVkXw
Step 4:Edit Configuration FileEdit openldap configuration file with new values , use rootpw value get from slappasswd command in above step
# vi /etc/openldap/slapd.conf
database bdb
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
rootpw {SSHA}BONOBgJZNZc3A+UFq3fcjRn2YHsZVkXw
Step 5:Setup LDAP Database FileCopye example LDAP database file at below location. Use given example file from openldap
# cp /etc/openldap/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
Step 6 Start ServicesStart openldap service and setup service to auto start on system boot
# service ldap start
# chkconfig ldap on
Step 7: Create Domain LDIF FileNow Create ldif (LDAP Data Interchange Format) file for your domainexample.com, You can use any filename with extension ldif
# vim /etc/openldap/base.ldif
dn: dc=example,dc=com
dc: example
objectClass: top
objectClass: domain
dn: ou=users,dc=example,dc=com
ou: users
objectClass: top
objectClass: organizationalUnit
dn: ou=Group,dc=example,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit
Step 8: Create Users LDIF FileAfter creating ldif file for your domain, Let create ldif file for all test users.
# cd /usr/share/openldap/migration/
# grep root /etc/passwd > /etc/openldap/passwd.root
# grep ldapuser1 /etc/passwd > /etc/openldap/passwd.ldapuser1
# grep ldapuser2 /etc/passwd > /etc/openldap/passwd.ldapuser2
# ./migrate_passwd.pl /etc/openldap/passwd.root /etc/openldap/root.ldif
# ./migrate_passwd.pl /etc/openldap/passwd.ldapuser1 /etc/openldap/ldapuser1.ldif
# ./migrate_passwd.pl /etc/openldap/passwd.ldapuser1 /etc/openldap/ldapuser2.ldif
Step 9: Edit Users LDIF FilesModify all LDIF files created for users as per below given example for ldapuser1.
# vim /etc/openldap/ldapuser1.ldif
dn: uid=ldapuser1,dc=example,dc=com
uid: ldapuser1
cn: ldapuser1
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: radiusprofile
description: 802.1x user
radiusFilterId: "Enterasys:version=1:policy=Enterprise User"
userPassword: {crypt}$1$rN6WLraT$9skdu7BpRUM6v7DiEhQXt1
shadowLastChange: 15419
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 612
gidNumber: 612
homeDirectory: /home/ldapuser1
Note:Make sure you have added below 3 file in ldif for integrating radius-ldap authentication
objectClass: radiusprofile
description: 802.1x user
radiusFilterId: Enterasys:version=1:policy=Enterprise User
Step 10: Import All DataImport all Data from configuration files to LDAP databaseImporting base.ldif:# ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f /etc/openldap/base.ldif
Enter LDAP Password:
adding new entry "dc=example,dc=com"
adding new entry "ou=users,dc=example,dc=com"
adding new entry "ou=Group,dc=example,dc=com"
Importing root.ldif:# ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f /etc/openldap/root.ldif
Enter LDAP Password:
adding new entry "uid=root,ou=users,dc=example,dc=com"
adding new entry "uid=operator,ou=users,dc=example,dc=com"
Importing ldapuser1.ldif:# ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f /etc/openldap/ldapuser1.ldif
Enter LDAP Password:
adding new entry "uid=ldapuser1,ou=users,dc=example,dc=com"
Importing ldapuser2.ldif:# ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f /etc/openldap/ldapuser2.ldif
Enter LDAP Password:
adding new entry "uid=ldapuser2,ou=users,dc=example,dc=com"
Step 11: Restart LDAP ServiceStop and Start LDAP service using following command.
# /etc/init.d/ldap stop
# /etc/init.d/ldap start
Step 12: Test Your SetupYou setup has been completed, Lets test your ldap server using ldapsearch
# ldapsearch -x -b 'dc=example,dc=com' '(objectclass=*)'
CongratulationsYour ldap setup has been completed. Read our next articleSetup FreeRadius Authentication with OpenLDAPInstall OpenLDAP
[root@master ~]#yum-y install openldap-servers openldap-clients
[root@master ~]#vi/etc/sysconfig/ldap# line 16: uncomment and change
SLAPD_LDAPI=
yes
[root@master ~]#vi/etc/openldap/slapd.conf# create new
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
[root@master ~]#rm-rf /etc/openldap/slapd.d/*
[root@master ~]#slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
config file testing succeeded[root@master ~]#vi/etc/openldap/slapd.d/cn=config/olcDatabase\={0}config.ldif# line 4: change
olcAccess:{0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
[root@master ~]#vi/etc/openldap/slapd.d/cn=config/olcDatabase\={2}monitor.ldif# create new
dn: olcDatabase={2}monitorobjectClass: olcDatabaseConfigolcDatabase: {2}monitorolcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * breakolcAddContentAcl: FALSEolcLastMod: TRUEolcMaxDerefDepth: 15olcReadOnly: FALSEolcMonitoring: FALSEstructuralObjectClass: olcDatabaseConfigcreatorsName: cn=configmodifiersName: cn=config
[root@master ~]#chown-R ldap. /etc/openldap/slapd.d
[root@master ~]#chmod-R 700 /etc/openldap/slapd.d
[root@master ~]#/etc/rc.d/init.d/slapd start
Starting slapd: [ OK ][root@master ~]#chkconfigslapd on
[2]Initial Configuration
[root@master ~]#ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/core.ldif
SASL/EXTERNAL authentication startedSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=authSASL SSF: 0adding new entry "cn=core,cn=schema,cn=config"[root@master ~]#ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
SASL/EXTERNAL authentication startedSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=authSASL SSF: 0adding new entry "cn=cosine,cn=schema,cn=config"
[root@master ~]#ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
SASL/EXTERNAL authentication startedSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=authSASL SSF: 0adding new entry "cn=nis,cn=schema,cn=config"
[root@master ~]#ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
SASL/EXTERNAL authentication startedSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=authSASL SSF: 0adding new entry "cn=inetorgperson,cn=schema,cn=config"
[root@master ~]#slappasswd# generate password
New password:
# input any one
Re-enter new password:{SSHA}xxxxxxxxxxxxxxxxxxxxxxxx
[root@master ~]#vibackend.ldif# create new
# replace the section "dc=***,dc=***" to your own suffix
# replace the section "olcRootPW: ***" to your own password generated by slappasswd above
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib64/openldap
olcModuleload: back_hdb
dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcSuffix: dc=server,dc=world
olcDbDirectory: /var/lib/ldap
olcRootDN: cn=admin,dc=server,dc=world
olcRootPW: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx
olcDbConfig: set_cachesize 0 2097152 0
olcDbConfig: set_lk_max_objects 1500
olcDbConfig: set_lk_max_locks 1500
olcDbConfig: set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcLastMod: TRUE
olcMonitoring: TRUE
olcDbCheckpoint: 512 30
olcAccess: to attrs=userPassword by dn="cn=admin,dc=server,dc=world" write by anonymous auth by self write by * none
olcAccess: to attrs=shadowLastChange by self write by * read
olcAccess: to dn.base="" by * read
olcAccess: to * by dn="cn=admin,dc=server,dc=world" write by * read
[root@master ~]#ldapadd -Y EXTERNAL -H ldapi:/// -f backend.ldif
SASL/EXTERNAL authentication startedSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=authSASL SSF: 0adding new entry "cn=module,cn=config"
adding new entry "olcDatabase=hdb,cn=config"
[root@master ~]#vifrontend.ldif# create new
# replace the section "dc=***,dc=***" to your own suffix
# replace the section "userPassword: ***" to your own password generated by slappasswd above
dn: dc=server,dc=world
objectClass: top
objectClass: dcObject
objectclass: organization
o: Server World
dc: Server
dn: cn=admin,dc=server,dc=world
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
userPassword: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx
dn: ou=people,dc=server,dc=world
objectClass: organizationalUnit
ou: people
dn: ou=groups,dc=server,dc=world
objectClass: organizationalUnit
ou: groups
[root@master ~]#ldapadd -x -D cn=admin,dc=server,dc=world -W -f frontend.ldif
Enter LDAP Password:
# password you set
adding new entry "dc=server,dc=world"
adding new entry "cn=admin,dc=server,dc=world"
adding new entry "ou=people,dc=server,dc=world"
adding new entry "ou=groups,dc=server,dc=world"
[3]Add Existing local Users to LDAP Directory
[root@master ~]#vildapuser.sh# extract local users who have 500-999 digit UID
# replace "SUFFIX=***" to your own suffix
# this is an example
#!/bin/bash
SUFFIX='dc=server,dc=world'
LDIF='ldapuser.ldif'
echo -n > $LDIF
for line in `grep "x:[5-9][0-9][0-9]:" /etc/passwd | sed -e "s/ /%/g"`
do
UID1=`echo $line | cut -d: -f1`
NAME=`echo $line | cut -d: -f5 | cut -d, -f1`
if [ ! "$NAME" ]
then
NAME=$UID1
else
NAME=`echo $NAME | sed -e "s/%/ /g"`
fi
SN=`echo $NAME | awk '{print $2}'`
if [ ! "$SN" ]
then
SN=$NAME
fi
GIVEN=`echo $NAME | awk '{print $1}'`
UID2=`echo $line | cut -d: -f3`
GID=`echo $line | cut -d: -f4`
PASS=`grep $UID1: /etc/shadow | cut -d: -f2`
SHELL=`echo $line | cut -d: -f7`
HOME=`echo $line | cut -d: -f6`
EXPIRE=`passwd -S $UID1 | awk '{print $7}'`
FLAG=`grep $UID1: /etc/shadow | cut -d: -f9`
if [ ! "$FLAG" ]
then
FLAG="0"
fi
WARN=`passwd -S $UID1 | awk '{print $6}'`
MIN=`passwd -S $UID1 | awk '{print $4}'`
MAX=`passwd -S $UID1 | awk '{print $5}'`
LAST=`grep $UID1: /etc/shadow | cut -d: -f3`
echo "dn: uid=$UID1,ou=people,$SUFFIX" >> $LDIF
echo "objectClass: inetOrgPerson" >> $LDIF
echo "objectClass: posixAccount" >> $LDIF
echo "objectClass: shadowAccount" >> $LDIF
echo "uid: $UID1" >> $LDIF
echo "sn: $SN" >> $LDIF
echo "givenName: $GIVEN" >> $LDIF
echo "cn: $NAME" >> $LDIF
echo "displayName: $NAME" >> $LDIF
echo "uidNumber: $UID2" >> $LDIF
echo "gidNumber: $GID" >> $LDIF
echo "userPassword: {crypt}$PASS" >> $LDIF
echo "gecos: $NAME" >> $LDIF
echo "loginShell: $SHELL" >> $LDIF
echo "homeDirectory: $HOME" >> $LDIF
echo "shadowExpire: $EXPIRE" >> $LDIF
echo "shadowFlag: $FLAG" >> $LDIF
echo "shadowWarning: $WARN" >> $LDIF
echo "shadowMin: $MIN" >> $LDIF
echo "shadowMax: $MAX" >> $LDIF
echo "shadowLastChange: $LAST" >> $LDIF
echo >> $LDIF
done
[root@master ~]#sh ldapuser.sh
[root@master ~]#ldapadd -x -D cn=admin,dc=server,dc=world -W -f ldapuser.ldif
Enter LDAP Password:
# LDAP admin password
adding new entry "uid=fermi,ou=people,dc=server,dc=world"
adding new entry "uid=cent,ou=people,dc=server,dc=world"
adding new entry "uid=ubuntu,ou=people,dc=server,dc=world"
adding new entry "uid=debian,ou=people,dc=server,dc=world"
adding new entry "uid=fedora,ou=people,dc=server,dc=world"
[4]Add existing local groups to LDAP directory.
[root@master ~]#vildapgroup.sh# extract local groups who have 500-999 digit UID
# replace "SUFFIX=***" to your own suffix
# this is an example
#!/bin/bash
SUFFIX='dc=server,dc=world'
LDIF='ldapgroup.ldif'
echo -n > $LDIF
for line in `grep "x:[5-9][0-9][0-9]:" /etc/group`
do
CN=`echo $line | cut -d: -f1`
GID=`echo $line | cut -d: -f3`
echo "dn: cn=$CN,ou=groups,$SUFFIX" >> $LDIF
echo "objectClass: posixGroup" >> $LDIF
echo "cn: $CN" >> $LDIF
echo "gidNumber: $GID" >> $LDIF
users=`echo $line | cut -d: -f4 | sed "s/,/ /g"`
for user in ${users} ; do
echo "memberUid: ${user}" >> $LDIF
done
echo >> $LDIF
done
[root@master ~]#sh ldapgroup.sh
[root@master ~]#ldapadd -x -D cn=admin,dc=server,dc=world -W -f ldapgroup.ldif
Enter LDAP Password:
# LDAP admin password
adding new entry "cn=fermi,ou=groups,dc=server,dc=world"
adding new entry "cn=cent,ou=groups,dc=server,dc=world"
adding new entry "cn=ubuntu,ou=groups,dc=server,dc=world"
adding new entry "cn=debian,ou=groups,dc=server,dc=world"
adding new entry "cn=fedora,ou=groups,dc=server,dc=world"
[5]If you'd like to delete User or Group in LDAP, Do as below.
[root@master ~]#ldapdelete -x -W -D 'cn=admin,dc=server,dc=world' "uid=cent,ou=people,dc=server,dc=world"
Enter LDAP Password:[root@master ~]#ldapdelete -x -W -D 'cn=admin,dc=server,dc=world' "cn=cent,ou=groups,dc=server,dc=world"
Enter LDAP Password:
LDAP Server