LDAP Server and Client Configuration
LDAP stands for 'Lightweight Directory Access Protocol'. It is a directory database that can be accessed over the internet or an intranet, whether you address it by domain name or by IP. An LDAP database can be accessed by many servers over a network. LDAP is also a database of users, groups, services and resources, which provides a centralized authentication service.
Before starting an LDAP session, a client needs to connect to the server, known as the Directory System Agent (DSA), which by default listens on TCP port 389. Once the connection is established, the client and server exchange packets of data.
What is SSL and TLS?
SSL (Secure Sockets Layer) certificates are an integral part of website security. When you visit a website with SSL, the site's SSL certificate enables you to encrypt the data you send, such as credit card information, names or addresses, so it can't be accessed by hackers.
TLS (Transport Layer Security) is just an updated, more secure version of SSL. Like SSL, it is a cryptographic protocol that provides communications security over a computer network.
LDAP SERVER CONFIGURATION:
- Install openldap-servers package
- Check IP & hostname
- Modify olcDatabase={1}bdb.ldif file
- Modify olcDatabase={2}monitor.ldif file
- Create Database Cache
- Update Database
- Create certificate for TLS (Transport Layer Security)
- Provide ownership of ldap group to your certificate & test configuration
- Restart ldap
- Copy certificate to FTP document root
- Make soft link from FTP document root to HTTP document root
- Stop IPTables and disable Firewalls
- Install migrationtools package to migrate users
- Make changes in migrate_common.ph
- Redirect output of ./migrate_base.pl to /root/base.ldif
- Create directory /home/guests
- Create Users
- Redirect these users from /etc/passwd to /root/users
- Redirect passwords for all these users from /etc/shadow to /root/passwords
- Redirect home groups for all these users from /etc/group to /root/groups
- Make changes in migrate_passwd.pl
- Run script ./migrate_passwd.pl /root/users
- Run script ./migrate_group.pl /root/groups
- Update base.ldif, users.ldif and group.ldif files to LDAP Server
LDAP CLIENT CONFIGURATION:
- Check IP and hostname
- Access Ldap server & provide details
- Switch to ldapusers
ACCESS HOME DIRECTORY FROM LDAP SERVER:
- ACCESS LDAP SERVER and share home directory of ldap users via NFS server
- Restart NFS service
- ACCESS LDAP CLIENT and make auto-mounting
- Reload auto-mounting service
This tutorial describes how to install and configure an OpenLDAP server and an OpenLDAP client.
OPENLDAP SERVER:
Step1: Install openldap-servers package.
# yum install openldap* -y
This will install four packages:
1. openldap-devel
2. openldap-servers
3. openldap-clients
4. cyrus-sasl-devel
# service slapd start
Step2: Check the IP of the PC on which you want to install OpenLDAP. For example, we use 192.168.10.130.
Step3: Check the hostname. Here we are using "ldap.example.com"; make an entry for it in /etc/hosts:
# vi /etc/hosts
192.168.10.130 ldap.example.com ldap
Installation is done. Now we will configure the LDAP server using the ldif files under the /etc/openldap/slapd.d directory.
Step4: Modify the olcDatabase={1}bdb.ldif file:
# vi /etc/openldap/slapd.d/cn=config/olcDatabase={1}bdb.ldif
<< Go to line number 5 and provide your domain >>
olcSuffix: dc=example,dc=com
<< Go to line number 10 and provide your domain >>
olcRootDN: cn=Manager,dc=example,dc=com
NOTE: Do not set the cn of your root user to "root" (cn=root,dc=acme,dc=com)
<<We must make an entry for the LDAP root password. For this, open another tab and run the "slappasswd" command to create the LDAP password hash. It prints a string; copy that string and add it at the end of this file. Also provide the certificate and certificate key file paths>>
olcRootPW: {SSHA}uZLLxBTnVabGZCzBDulyvOJw/GauoADg
olcTLSCertificateFile: /etc/pki/tls/certs/example.pem
olcTLSCertificateKeyFile: /etc/pki/tls/certs/examplekey.pem
:wq
Step5: Now we will provide monitoring privileges:
# vi /etc/openldap/slapd.d/cn=config/olcDatabase\=\{2\}monitor.ldif
In line number 4, change the DN to "cn=Manager,dc=example,dc=com"
:wq
Step6: Now it’s time for the Database cache:
First copy DB_CONFIG.example file to /var/lib/ldap
# cp /usr/share/doc/openldap-servers-2.4.19/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
# chown -R ldap:ldap /var/lib/ldap/
Step7: Update Database:
# updatedb
Step8: Now we will set up a certificate for TLS. First edit /etc/sysconfig/ldap:
# vi /etc/sysconfig/ldap
<<Go to Line Number 20 and change SLAPD_LDAPS from no to yes.>>
SLAPD_LDAPS=yes
Now create a self-signed certificate with the openssl command, valid for 365 days:
# openssl req -new -x509 -nodes -out /etc/pki/tls/certs/example.pem -keyout /etc/pki/tls/certs/examplekey.pem -days 365
<< openssl: cryptographic toolkit for the SSL & TLS network protocols >>
<< req: activates the part of openssl that deals with certificate requests >>
<< -new: generate a new request >>
<< -x509: output a self-signed certificate instead of a certificate request >>
<< -nodes: stores the private key without protecting it with a passphrase >>
<< -out *.pem: stores the resulting certificate in the file *.pem >>
<< -keyout *key.pem: stores the private key in the file *key.pem >>
<< -days: number of days the certificate is valid >>
This will ask for the details below to create your certificate:
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:Maharashtra
Locality Name (eg, city) [Default City]:Mumbai
Organization Name (eg, company) [Default Company Ltd]:Mumbai.inc
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:ldap.example.com
Email Address []:root@ldap.example.com
You can verify both files:
# ll /etc/pki/tls/certs/example*
-rw-r--r--. 1 root root 1704 May 26 16:34 /etc/pki/tls/certs/examplekey.pem
-rw-r--r--. 1 root root 1448 May 26 16:34 /etc/pki/tls/certs/example.pem
Step9: Give group ownership of the files to the ldap group:
# chown -R root:ldap /etc/pki/tls/certs/example*
Verify:
# ll /etc/pki/tls/certs/example*
-rw-r--r--. 1 root ldap 1704 May 26 16:34 /etc/pki/tls/certs/examplekey.pem
-rw-r--r--. 1 root ldap 1448 May 26 16:34 /etc/pki/tls/certs/example.pem
Step10: Test your configuration:
# slaptest -u
config file testing succeeded
Step11: Restart the LDAP service and enable it at boot:
# service slapd restart
# chkconfig slapd on
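The listings in Steps 8 and 9 show examplekey.pem as -rw-r--r--: slapd only needs the ldap group to read the private key, but with that mode every local user can read it too. The following is an added example script, not part of the original tutorial, that checks the key mode, compares the certificate CN with the hostname the clients will use (ldap.example.com here) and warns when the certificate is close to expiry. The file paths and the 30-day threshold are assumptions; the certificate check needs the openssl CLI.

```shell
#!/bin/sh
# Added example (not part of the original tutorial): sanity checks for the
# certificate and key from Steps 8-9, to run before restarting slapd.
# Usage: sh check_ldap_tls.sh KEYFILE CERTFILE HOSTNAME
#   e.g. sh check_ldap_tls.sh /etc/pki/tls/certs/examplekey.pem \
#            /etc/pki/tls/certs/example.pem ldap.example.com

# 0 if "other" has no permission bits on the file, 1 otherwise.
# Uses the portable `ls -ld` mode string: columns 8-10 are the "other" bits.
not_world_readable() {
    case "$(ls -ld "$1" | cut -c8-10)" in
        ---) return 0 ;;
        *)   return 1 ;;
    esac
}

# Return 0 if the key is OK, 1 if it is missing, 2 if it is world-readable.
check_key_file() {
    [ -f "$1" ] || return 1
    not_world_readable "$1" || return 2
    return 0
}

# Print subject and expiry, then check that the CN matches the name clients
# connect to and that the certificate does not expire within 30 days (assumed
# threshold). The grep accepts both "CN=" and "CN = " subject styles.
check_cert_file() {
    cert=$1; host=$2
    openssl x509 -in "$cert" -noout -subject -enddate || return 1
    openssl x509 -in "$cert" -noout -subject | grep -q "CN *= *$host" \
        || { echo "WARN: certificate CN does not match $host" >&2; return 2; }
    openssl x509 -in "$cert" -noout -checkend $((30 * 86400)) \
        || { echo "WARN: certificate expires within 30 days" >&2; return 3; }
}

main() {
    key=$1; cert=$2; host=$3
    rc=0
    check_key_file "$key" || rc=$?
    case $rc in
        1) echo "FAIL: key $key not found" ;;
        2) echo "FAIL: key $key is world-readable; fix with: chmod 640 $key" ;;
        0) echo "OK: key $key is not world-readable" ;;
    esac
    [ "$rc" -eq 0 ] || return "$rc"
    check_cert_file "$cert" "$host"
}

# Only run when the three paths are given, so the functions can also be sourced.
if [ $# -eq 3 ]; then
    main "$@"
fi
```

After `chown -R root:ldap` from Step 9, `chmod 640 /etc/pki/tls/certs/examplekey.pem` keeps the key readable by slapd (group ldap) while removing the world-readable bit; the certificate itself can stay 644, since it is published to the clients anyway.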
Step12: Now copy example.pem certificate to FTP default document root:
# cp -rvf /etc/pki/tls/certs/example.pem /var/ftp/pub/
`/etc/pki/tls/certs/example.pem' -> `/var/ftp/pub/example.pem'
# service vsftpd restart
# chkconfig vsftpd on
Step13: Create a soft link to it in the default document root of HTTP:
# ln -s /var/ftp/pub/ /var/www/html/
Verify:
# ll /var/www/html/
total 0
lrwxrwxrwx. 1 root root 13 May 26 16:50 pub -> /var/ftp/pub/
# service httpd restart
# chkconfig httpd on
Step14: Stop iptables and disable Firewalls:
# service iptables stop
# chkconfig iptables off
# system-config-firewall <<to disable Firewall>>
Step15: Organizations often migrate to or from LDAP engines as they grow and acquire new companies, and need to migrate users into the same LDAP engine. So now we will migrate the users:
# yum install migrationtools -y
Step16: Edit migrate_common.ph from directory:
# cd /usr/share/migrationtools
# vi migrate_common.ph
<<Change cn=Group to cn=Groups at line number 61>>
$NAMINGCONTEXT{'group'} = "cn=Groups";
<<Change your default mail domain at line number 71>>
$DEFAULT_MAIL_DOMAIN = "example.com";
<<Change Default Base at line number 74>>
$DEFAULT_BASE = "dc=example,dc=com";
<<Change Extended Schema from 0 to 1 at line number 90>>
$EXTENDED_SCHEMA = 1;
:wq
Step17: Redirect the output of ./migrate_base.pl to /root/base.ldif:
# ./migrate_base.pl > /root/base.ldif
Step18: Now create a directory /home/guests for ldap users:
# mkdir /home/guests
Step19: Now create users; here I am creating 5 users for LDAP:
# useradd -d /home/guests/ldapuser1 ldapuser1
# useradd -d /home/guests/ldapuser2 ldapuser2
# useradd -d /home/guests/ldapuser3 ldapuser3
# useradd -d /home/guests/ldapuser4 ldapuser4
# useradd -d /home/guests/ldapuser5 ldapuser5
# passwd ldapuser1
# passwd ldapuser2
# passwd ldapuser3
# passwd ldapuser4
# passwd ldapuser5
Step20: Redirect all these users from /etc/passwd to /root/users
# getent passwd | tail -n 5 > /root/users
Step21: Redirect passwords for all these users from /etc/shadow to /root/passwords
# getent shadow | tail -n 5 > /root/passwords
Step22: Redirect home groups for all these users from /etc/group to /root/groups
# getent group | tail -n 5 > /root/groups
Step23: Now make the following change in the file "migrate_passwd.pl":
# vi migrate_passwd.pl
At line number 188, replace /etc/shadow with /root/passwords
Step24: Run the script:
# ./migrate_passwd.pl /root/users
<<Here, you can check the details of your users like uid, domain and cn etc>>
Redirect this output to an ldif file, because LDAP understands configuration files ending in *.ldif.
# ./migrate_passwd.pl /root/users > /root/users.ldif
Step25: Run the script:
# ./migrate_group.pl /root/groups
<<Here, you can check group details>>
Redirect this output to an ldif file, because LDAP understands configuration files ending in *.ldif.
# ./migrate_group.pl /root/groups > /root/groups.ldif
Now we have three ldif files in /root:
# ll /root/*.ldif
-rw-r--r--. 1 root root 2061 May 26 17:20 /root/base.ldif
-rw-r--r--. 1 root root 690 May 26 17:48 /root/groups.ldif
-rw-r--r--. 1 root root 2750 May 26 17:45 /root/users.ldif
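Steps 20 to 24 rely on `tail -n 5` to pick the five LDAP accounts out of getent output, which silently selects the wrong accounts if any other user or group was created after them. The script below is an added example, not the tutorial's or migrationtools' own code: it selects accounts by their /home/guests home directory instead, and builds the same kind of posixAccount entry that migrate_passwd.pl writes, merging the password hash from a shadow-format file. The naming context ou=People under dc=example,dc=com is assumed from the $DEFAULT_BASE set in migrate_common.ph, and the sample passwd and shadow lines are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example, not part of the original tutorial or of migrationtools.
# Select LDAP accounts by home-directory prefix (instead of `tail -n 5`) and
# emit posixAccount LDIF entries with the crypt hash from a shadow-format file.

BASE_DN="dc=example,dc=com"          # assumed, as in migrate_common.ph
PEOPLE_OU="ou=People,$BASE_DN"       # assumed naming context for users
GUEST_HOME="/home/guests"            # home directory prefix from Step 18

# Keep only passwd-format lines (stdin) whose home directory is under $GUEST_HOME.
select_guest_users() {
    awk -F: -v home="$GUEST_HOME/" 'index($6, home) == 1'
}

# Read passwd lines on stdin and a shadow-format file as $1; print one LDIF
# entry per user. The shadow file is read first (inshadow=1) to fill the hash map.
passwd_to_ldif() {
    awk -F: -v ou="$PEOPLE_OU" '
        inshadow { hash[$1] = $2; next }            # shadow file: user -> hash
        {
            split($5, gecos, ",")
            cn = (gecos[1] == "") ? $1 : gecos[1]   # full name, or uid if GECOS empty
            printf "dn: uid=%s,%s\n", $1, ou
            printf "uid: %s\n", $1
            printf "cn: %s\n", cn
            print "objectClass: account"
            print "objectClass: posixAccount"
            print "objectClass: top"
            print "objectClass: shadowAccount"
            if ($1 in hash) printf "userPassword: {crypt}%s\n", hash[$1]
            printf "loginShell: %s\n", $7
            printf "uidNumber: %s\n", $3
            printf "gidNumber: %s\n", $4
            printf "homeDirectory: %s\n", $6
            print ""
        }' inshadow=1 "$1" inshadow=0 -
}

# Real use on the server, as root (replaces the tail -n 5 steps):
#   getent shadow > /root/passwords && chmod 600 /root/passwords
#   build_users_ldif /root/passwords > /root/users.ldif
build_users_ldif() {
    getent passwd | select_guest_users | passwd_to_ldif "$1"
}

# Constructed sample data (not from a real system); hashes are placeholders.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
ldapuser1:x:502:502::/home/guests/ldapuser1:/bin/bash
ldapuser2:x:503:503:Second User,,,:/home/guests/ldapuser2:/bin/bash
backup:x:600:600:Backup:/home/backup:/sbin/nologin'
SAMPLE_SHADOW='ldapuser1:$6$constructedsalt$constructedhash1:16000:0:99999:7:::
ldapuser2:$6$constructedsalt$constructedhash2:16000:0:99999:7:::'

# Number of sample accounts that live under /home/guests (2 here, not "the last 5").
count_guest_users() {
    printf '%s\n' "$SAMPLE_PASSWD" | select_guest_users | wc -l | tr -d ' '
}

# Run the pipeline over the sample data and print the resulting LDIF.
demo_users_ldif() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_SHADOW" > "$tmp"
    printf '%s\n' "$SAMPLE_PASSWD" | select_guest_users | passwd_to_ldif "$tmp"
    rm -f "$tmp"
}

demo_users_ldif
```

The output can be loaded exactly like /root/users.ldif in Step 26. Note that /root/passwords holds password hashes; keeping it mode 600 (as the comment above does) and deleting it after the import avoids leaving hashes lying around after the migration.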
Step26: Finally, we will load these files into the LDAP server:
Upload base.ldif:
# ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f /root/base.ldif
Upload users.ldif:
# ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f /root/users.ldif
Now upload groups.ldif:
# ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f /root/groups.ldif
<<You can check your LDAP directory>>
# ldapsearch -x -b "dc=example,dc=com"
<<LDAP SERVER IS CONFIGURED NOW>>
OPENLDAP CLIENT:
Go to a client machine in your network to use the LDAP server and its users.
Step1: Check the IP of the PC from which you want to access the LDAP server. For example, we use 192.168.10.133.
Step2: The hostname must be different from the hostname of the server, like:
# hostname
redhat.panacia.com
Step3: Verify the user (it does not exist locally yet):
# su – ldapuser1
su: user ldapuser1 does not exist
Step4: Finally, configure access to the LDAP server using one of the commands below:
# system-config-authentication
OR
# authconfig -gtk
This will open a window. In the Identity and Authentication tab:
1. User account Database: LDAP
2. LDAP Search Base DN: dc=example,dc=com
3. LDAP Server: ldap://ldap.example.com
4. Tick the TLS checkbox to encrypt connections
5. Click on Download CA Certificate and provide Certificate URL: http://ldap.example.com/pub/example.pem
<<you can check the certificate by opening the same URL in a browser>>
6. Authentication Method: LDAP Password
7. Finally hit Apply; this will show:
Starting sssd: [ OK ]
Step5: You can check all five users with:
# getent passwd ldapuser1
ldapuser1:*:502:502::/home/guests/ldapuser1:/bin/bash
# getent passwd ldapuser2
ldapuser2:*:503:503::/home/guests/ldapuser2:/bin/bash
# getent passwd ldapuser3
ldapuser3:*:504:504::/home/guests/ldapuser3:/bin/bash
# getent passwd ldapuser4
ldapuser4:*:505:505::/home/guests/ldapuser4:/bin/bash
# getent passwd ldapuser5
ldapuser5:*:506:506::/home/guests/ldapuser5:/bin/bash
Step6: Now switch to your LDAP user:
# su - ldapuser1
su: warning: cannot change directory to /home/guests/ldapuser1: No such file or directory
-bash-4.1$
Here you can see that ldapuser1 can log in but does not have a home directory yet. So, if you want to access home directories from the LDAP server, GO BACK TO THE LDAP SERVER and share the home directories via an NFS server:
Step7: Install the NFS server:
# yum install nfs* -y
# service nfs start
Step8: Share home directory and restart NFS service:
# vi /etc/exports
/home/guests 192.168.10.0/255.255.255.0(rw,sync)
# service nfs restart
# chkconfig nfs on
<<Verify mounting>>
# showmount -e ldap.example.com
Export list for ldap.example.com:
/home/guests 192.168.10.0/255.255.255.0
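Before moving on to autofs on the client, it is worth confirming two things about the export line above: that the client address (192.168.10.133 here) actually falls inside 192.168.10.0/255.255.255.0, and that the options keep the default root_squash, so root on a client is not root inside /home/guests on the server. The script below is an added example, not part of the original tutorial; it only parses the exports line and does its own netmask arithmetic, so it runs anywhere without touching NFS.

```shell
#!/bin/sh
# Added example (not part of the original tutorial): check an /etc/exports line
# against a client address and confirm root_squash is still in effect.

# Dotted-quad IPv4 address -> 32-bit integer.
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Netmask given as dotted quad (255.255.255.0) or prefix length (24) -> integer.
mask_to_int() {
    case "$1" in
        *.*) ip_to_int "$1" ;;
        *)   echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF )) ;;
    esac
}

# client_allowed CLIENT_IP NETWORK/MASK -> 0 if the client is inside the network.
client_allowed() {
    net=${2%%/*}; mask=${2#*/}
    m=$(mask_to_int "$mask")
    [ $(( $(ip_to_int "$1") & m )) -eq $(( $(ip_to_int "$net") & m )) ]
}

# The options between the parentheses of an exports line, e.g. "rw,sync".
export_options() {
    printf '%s\n' "$1" | sed -n 's/.*(\(.*\)).*/\1/p'
}

# export_allows "EXPORTS_LINE" CLIENT_IP -> 0 if the line's network includes the client.
export_allows() {
    spec=$(printf '%s\n' "$1" | awk '{ print $2 }')
    client_allowed "$2" "${spec%%"("*}"
}

# 0 if root_squash is in effect (the NFS default), 1 if no_root_squash was set.
export_squashes_root() {
    case ",$(export_options "$1")," in
        *,no_root_squash,*) return 1 ;;
        *)                  return 0 ;;
    esac
}

# The export line from the tutorial and the tutorial's client address.
SAMPLE_EXPORT='/home/guests 192.168.10.0/255.255.255.0(rw,sync)'
CLIENT_IP=192.168.10.133

if export_allows "$SAMPLE_EXPORT" "$CLIENT_IP"; then
    echo "client $CLIENT_IP is inside the exported network"
else
    echo "client $CLIENT_IP is NOT allowed by: $SAMPLE_EXPORT"
fi
if export_squashes_root "$SAMPLE_EXPORT"; then
    echo "root_squash in effect (default kept)"
else
    echo "WARN: no_root_squash set on $SAMPLE_EXPORT"
fi
```

To check a live server, feed it the real line: `export_allows "$(grep '^/home/guests' /etc/exports)" 192.168.10.133`. A client outside the network gets "access denied by server" from mount, which is easy to mistake for an autofs problem.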
Step9: GO BACK TO THE LDAP CLIENT and set up auto-mounting:
<<Open the auto.master file and make this entry>>
# vi /etc/auto.master
/home/guests /etc/auto.guests
<<Open the auto.guests file and make this entry>>
# vi /etc/auto.guests
* -rw ldap.example.com:/home/guests/&
Step10: Reload the autofs service:
# service autofs reload
Step11: Now log in again as each LDAP user; the home directories are mounted automatically:
# su - ldapuser1
[ldapuser1@redhat ~]$
# su - ldapuser2
[ldapuser2@redhat ~]$
# su - ldapuser3
[ldapuser3@redhat ~]$
# su - ldapuser4
[ldapuser4@redhat ~]$
# su - ldapuser5
[ldapuser5@redhat ~]$