Mar 6, 2010

LDAP Server Configuration

LDAP Configuration in RHEL 5.0


Release:
RedHat Enterprise Linux 5.0

Problem:
LDAP Configuration in RHEL 5.0


Solution:
Assumptions:
Domain Name : tech.in
Host Name   : server
IP Address  : 172.16.1.248

Server Side Configuration:

1)      Install the required RPMs for the LDAP server
a.       openldap
b.       openldap-devel
c.       openldap-clients
d.       openldap-servers
e.       nss_ldap

2)      Create a dedicated directory for the database files, owned by the "ldap" user that slapd runs as. The default location is /var/lib/ldap.
# mkdir /var/lib/ldap/tech.in
# chown ldap:ldap /var/lib/ldap/tech.in

3)      Generate a hashed password for the LDAP rootdn (the directory "root" user) and save the {SSHA} output; it goes into the "slapd.conf" file in the next step. slappasswd stores a salted SHA-1 hash, never the cleartext password.
# slappasswd

4)      Update the LDAP server configuration file. Use the bdb backend, which is the default on RHEL 5 (the older ldbm backend is deprecated). Because this file holds the rootpw hash, keep it owned root:ldap with mode 640 (the package default) and never world-readable.
# vi /etc/openldap/slapd.conf

#####################################
# ldbm and/or bdb database definitions
#####################################
database         bdb
suffix           "dc=tech,dc=in"
rootdn           "cn=Manager,dc=tech,dc=in"
# Paste the {SSHA} hash printed by slappasswd in step 3; never a cleartext password
rootpw           {SSHA}+TARB6GQJ7rJvzx5f8h7fGT9r0fwDh32
# Must match the directory created in step 2
directory        /var/lib/ldap/tech.in

5)      Start the LDAP daemon to load the contents of the slapd.conf file
# service ldap start

6)      Create a local user account whose data will be copied into the directory
# useradd -g users ldaptest
# passwd ldaptest

Note: Account data must be converted to LDAP Data Interchange Format (LDIF) before it can be imported into the LDAP database. The password itself stays the crypt(3) hash from /etc/shadow and is carried into the userPassword attribute with the {crypt} prefix.

7)      Extract the "ldaptest" record from /etc/passwd and save it for conversion to LDIF. Anchor the pattern on the login name, otherwise any account whose line contains the string would be picked up as well
# grep '^ldaptest:' /etc/passwd > /etc/openldap/passwd.ldaptest

8)      On a freshly configured directory a "root" entry can be added the same way (an unanchored "grep root" would also match the "operator" record, which is how it ends up in the LDIF shown in step 11). Be aware that publishing a uid 0 account in the directory gives every client a second root credential that is checked against the LDAP server; most deployments leave root local and skip this step
# grep '^root:' /etc/passwd > /etc/openldap/passwd.root

9)      Now convert the saved /etc/passwd records into LDIF with the "migrate_passwd.pl" conversion program. The migration tools also read /etc/shadow for the password hash and ageing fields, so run them as root

# /usr/share/openldap/migration/migrate_passwd.pl /etc/openldap/passwd.ldaptest /etc/openldap/ldaptest.ldif

# /usr/share/openldap/migration/migrate_passwd.pl /etc/openldap/passwd.root /etc/openldap/root.ldif

10)    Before importing these LDIF files into the LDAP database they need editing: migrate_passwd.pl writes its default suffix dc=padl,dc=com into every dn, so change it to dc=tech,dc=in. The result should look like this
# vi /etc/openldap/ldaptest.ldif

dn: uid=ldaptest,ou=People,dc=tech,dc=in
uid: ldaptest
cn: ldaptest
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$1$Z2XOYyLu$QNCNnYWqL1hh9.7S3HWEv.
shadowLastChange: 14771
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 503
gidNumber: 100
homeDirectory: /home/ldaptest

11)    The rootdn cn=Manager,dc=tech,dc=in from slapd.conf is a separate administrative identity and needs no entry of its own in the directory; setting cn: Manager on the uid=root entry, as below, is optional. A "grep root" that is not anchored on the login name also matches the "operator" record, which is how the second entry below gets into the file; delete it unless you want it in the directory (its {crypt}* password can never match, so it stays a locked account).
# vi /etc/openldap/root.ldif

dn: uid=root,ou=People,dc=tech,dc=in
uid: root
cn: Manager
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$1$RyAMPQs9$LejMX5ACSu2Qe4Os6fzFa/
shadowLastChange: 14766
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 0
gidNumber: 0
homeDirectory: /root
gecos: root

dn: uid=operator,ou=People,dc=tech,dc=in
uid: operator
cn: operator
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}*
shadowLastChange: 14711
shadowMax: 99999
shadowWarning: 7
loginShell: /sbin/nologin
uidNumber: 11
gidNumber: 0
homeDirectory: /root
gecos: operator

12)    The base entry of the "tech.in" suffix and the People organizational unit are defined in a separate LDIF file. They must exist before any user entry can be added beneath them.
# vi /etc/openldap/tech.in.ldif

dn: dc=tech,dc=in
dc: tech
description: Root LDAP entry for tech.in
objectClass: dcObject
objectClass: organizationalUnit
ou: rootobject

dn: ou=People,dc=tech,dc=in
ou: People
description: All people in organisation
objectClass: organizationalUnit

13)    Import all three LDIF files into the database with the ldapadd command, base entries first. -W prompts for the rootpw set in step 4
# ldapadd -x -D "cn=Manager,dc=tech,dc=in" -W -f /etc/openldap/tech.in.ldif

# ldapadd -x -D "cn=Manager,dc=tech,dc=in" -W -f /etc/openldap/root.ldif

# ldapadd -x -D "cn=Manager,dc=tech,dc=in" -W -f /etc/openldap/ldaptest.ldif

14)    View all the LDAP database entries with an anonymous ldapsearch (-x without -D). With no access directives in slapd.conf this anonymous search also returns every userPassword hash, so restrict access before exposing the server to the network
# ldapsearch -x -b 'dc=tech,dc=in' '(objectclass=*)'
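With no access directives in slapd.conf, slapd falls back to its built-in policy of read access for everyone, so the anonymous search in step 14 hands every userPassword hash to anyone who can reach port 389, ready for offline cracking. The following slapd.conf fragment is an added example and not part of the original post. It assumes the dc=tech,dc=in suffix and the cn=Manager rootdn used above (the rootdn bypasses access controls anyway) and belongs after the database definition from step 4, since access directives written after a database line apply to that database:

```conf
# Password attributes: a client may bind against them (needed for pam_ldap
# logins), a user may change their own, and nobody else may read them.
access to attrs=userPassword,shadowLastChange
        by self write
        by anonymous auth
        by * none

# Everything else stays readable, which nss_ldap needs to resolve
# passwd and group entries on the clients.
access to *
        by * read
```

Restart slapd (service ldap restart) and repeat the anonymous ldapsearch from step 14: the entries should come back without their userPassword lines, while a bind as uid=ldaptest,ou=People,dc=tech,dc=in with the user's password still succeeds. Because pam_ldap authenticates by binding, the clients never need to read the hashes themselves.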


Client side Configuration:

15)    Install the required RPMs
a.       openldap
b.       openldap-clients
c.       openldap-devel
d.       nss_ldap

16)    LDAP clients are configured in the /etc/openldap/ldap.conf file. Set the LDAP server and the search base here (HOST is kept for compatibility; URI is the preferred form in ldap.conf(5))
# vi /etc/openldap/ldap.conf

#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.
HOST    172.16.1.248
BASE    dc=tech,dc=in
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

17)    Add the LDAP server information to the client with the authconfig command: enable LDAP for both user information and authentication, giving 172.16.1.248 as the server and dc=tech,dc=in as the base DN
# authconfig-tui

Note: Over plain ldap:// the client sends each user's password to the server in cleartext at every login; enable the TLS option in the LDAP settings screen (and install the server certificate) anywhere other than an isolated test network. After this step check the "/etc/nsswitch.conf" file and ensure that the passwd, shadow and group lines reference ldap (for example "passwd: files ldap").

18)    nsswitch.conf is read when a process starts, so long-running services such as the SSH daemon must be restarted to pick up the change
# service sshd restart

19)    Create the home directory for the "ldaptest" user on the client machine (the account now resolves through LDAP, so chown accepts the name). Change the ownership of the user's directory only, never of /home itself
# mkdir /home/ldaptest
# chmod 700 /home/ldaptest
# cp /etc/skel/.bash* /home/ldaptest
# chown -R ldaptest:users /home/ldaptest

20)    Now log in to the client as the "ldaptest" user and check that the account resolves and the password is accepted




Managing LDAP accounts as the "root" user:

21)   Create a script that adds a local user into the LDAP database and place it in /usr/local/bin/addldapuser
# vi /usr/local/bin/addldapuser

#!/bin/bash
# Usage: addldapuser <username>   (prompts for the Manager password)
set -e
umask 077                                   # the LDIF carries the password hash
tmp=$(mktemp /tmp/addldapuser.XXXXXX)       # private, unpredictable temp name
trap 'rm -f "$tmp" "$tmp.ldif"' EXIT
grep "^$1:" /etc/passwd > "$tmp"            # anchored: "grep root" also matches operator
/usr/share/openldap/migration/migrate_passwd.pl "$tmp" "$tmp.ldif"
# migrate_passwd.pl writes its default suffix; rewrite only the DN suffix, not
# every "com" on the line (a bare s/com/in/ would also hit gecos or home paths)
sed -i 's/dc=padl,dc=com/dc=tech,dc=in/' "$tmp.ldif"
ldapadd -x -D "cn=Manager,dc=tech,dc=in" -W -f "$tmp.ldif"

22)   Script to delete an LDAP user
# vi /usr/local/bin/deleteldapuser

#!/bin/bash
# Usage: deleteldapuser <username>   (prompts for the Manager password)
ldapdelete -x -W -D "cn=Manager,dc=tech,dc=in" "uid=$1,ou=People,dc=tech,dc=in"


23)   To modify an existing LDAP user account (for example to push a new hash after passwd) use the script below
# vi /usr/local/bin/modifyldapuser

#!/bin/bash
# Usage: modifyldapuser <username>   (prompts for the Manager password)
set -e
umask 077                                   # the LDIF carries the password hash
tmp=$(mktemp /tmp/modifyldapuser.XXXXXX)    # private, unpredictable temp name
trap 'rm -f "$tmp" "$tmp.ldif"' EXIT
grep "^$1:" /etc/passwd > "$tmp"            # anchored on the login name
/usr/share/openldap/migration/migrate_passwd.pl "$tmp" "$tmp.ldif"
sed -i 's/dc=padl,dc=com/dc=tech,dc=in/' "$tmp.ldif"   # fix only the DN suffix
# ldapmodify (without -a) applies the attributes to the existing uid=<username> entry
/usr/bin/ldapmodify -x -D "cn=Manager,dc=tech,dc=in" -W -f "$tmp.ldif"

24)   Make the scripts executable with the "chmod" command; mode 700 also keeps them readable by root only
# chmod 700 /usr/local/bin/addldapuser
# chmod 700 /usr/local/bin/deleteldapuser
# chmod 700 /usr/local/bin/modifyldapuser
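The conversion in steps 7 to 10 and the three scripts above all take the same detour: an unanchored grep into a predictable /tmp file, migrate_passwd.pl, then sed to undo its dc=padl,dc=com default. The script below is an added example, not part of the original post, that builds the same posixAccount/shadowAccount LDIF directly from the passwd and shadow records so the hash never touches a shared temp file and the suffix is right from the start. It assumes the dc=tech,dc=in suffix and the ou=People container used on this page; the sample passwd and shadow files are constructed here from the values shown in the LDIF above.

```shell
#!/bin/sh
# Added example (not from the original post): emit one LDIF entry for
# ou=People,dc=tech,dc=in straight from passwd/shadow records, so the hash
# never sits in a predictable /tmp file and nothing is converted through
# migrate_passwd.pl's dc=padl,dc=com default suffix.
# Assumptions: the dc=tech,dc=in suffix and People OU used on this page.
set -u
umask 077   # anything this script writes is unreadable to other users

BASEDN="dc=tech,dc=in"

# field N LINE -> Nth colon-separated field of LINE. printf '%s' hands the
# line over literally, so the '$' in a crypt hash is never expanded.
field() { printf '%s\n' "$2" | cut -d: -f"$1"; }

# passwd_to_ldif USER PASSWD_FILE SHADOW_FILE -> LDIF record for USER on stdout
passwd_to_ldif() {
    user=$1 passwd_file=$2 shadow_file=$3
    # Anchor on "USER:" at line start: a bare "grep root" also matches
    # "operator", and "grep test" would match "ldaptest".
    pw_line=$(grep "^$user:" "$passwd_file") || {
        echo "passwd_to_ldif: no such user: $user" >&2; return 1; }
    sh_line=$(grep "^$user:" "$shadow_file") || sh_line=""
    login=$(field 1 "$pw_line"); uid=$(field 3 "$pw_line"); gid=$(field 4 "$pw_line")
    gecos=$(field 5 "$pw_line"); home=$(field 6 "$pw_line"); shell=$(field 7 "$pw_line")
    hash=$(field 2 "$sh_line"); lastchg=$(field 3 "$sh_line")
    maxage=$(field 5 "$sh_line"); warn=$(field 6 "$sh_line")
    # No shadow record, or a locked one ("*", "!!"): the entry still gets a
    # userPassword, but one that no bind can ever satisfy.
    [ -n "$hash" ] || hash='*'
    printf 'dn: uid=%s,ou=People,%s\n' "$login" "$BASEDN"
    printf 'uid: %s\ncn: %s\n' "$login" "$login"
    printf 'objectClass: account\nobjectClass: posixAccount\n'
    printf 'objectClass: top\nobjectClass: shadowAccount\n'
    printf 'userPassword: {crypt}%s\n' "$hash"
    [ -n "$lastchg" ] && printf 'shadowLastChange: %s\n' "$lastchg"
    [ -n "$maxage" ]  && printf 'shadowMax: %s\n' "$maxage"
    [ -n "$warn" ]    && printf 'shadowWarning: %s\n' "$warn"
    printf 'loginShell: %s\nuidNumber: %s\ngidNumber: %s\n' "$shell" "$uid" "$gid"
    printf 'homeDirectory: %s\n' "$home"
    [ -n "$gecos" ] && printf 'gecos: %s\n' "$gecos"
    echo   # blank line terminates the LDIF record
}

# Constructed sample passwd/shadow files (values copied from the LDIF on
# this page), kept in a private temp dir that is removed on exit.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
SAMPLE_PASSWD="$SAMPLE_DIR/passwd"
SAMPLE_SHADOW="$SAMPLE_DIR/shadow"
cat >"$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
operator:x:11:0:operator:/root:/sbin/nologin
ldaptest:x:503:100::/home/ldaptest:/bin/bash
EOF
cat >"$SAMPLE_SHADOW" <<'EOF'
root:$1$RyAMPQs9$LejMX5ACSu2Qe4Os6fzFa/:14766:0:99999:7:::
operator:*:14711:0:99999:7:::
ldaptest:$1$Z2XOYyLu$QNCNnYWqL1hh9.7S3HWEv.:14771:0:99999:7:::
EOF

passwd_to_ldif ldaptest "$SAMPLE_PASSWD" "$SAMPLE_SHADOW"
# On the server, pipe straight into ldapadd instead of going through a file:
#   passwd_to_ldif ldaptest /etc/passwd /etc/shadow \
#     | ldapadd -x -D "cn=Manager,$BASEDN" -W
```

Run as root so /etc/shadow is readable; for an unknown user the function prints an error and returns 1, so a wrapper with set -e stops before prompting for the Manager password.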

25)   LDAP Admin is a free Win32 administration tool for LDAP directory management. It lets you browse, search, modify, create and delete objects on an LDAP server.

4 comments:

Unknown said...

ldapadd -x -D "cn=Manager,dc=xxx,dc=xxx" -W -f /etc/openldap/xxx.ldif

throws error:
ldap_bind: Invalid credentials (49)

to solve this problem
rm -rf /etc/openldap/slapd.d/*
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d

chown -R ldap:ldap /etc/openldap/slapd.d
chmod -R 000 /etc/openldap/slapd.d
chmod -R u+rwX /etc/openldap/slapd.d

service slapd restart

ldapadd -x -D "cn=Manager,dc=xxx,dc=xxx" -W -f /etc/openldap/xxx.ldif

ldapsearch -x -b 'dc=rajiv,dc=np' '(objectclass=*)'

Anonymous said...

Thanks it helped me a lot in understanding server configuration and my ldap server is working

Anonymous said...

Had trouble configuring my ldap server at home.

Followed your steps and worked like a charm at the first shot.

Cheers,
Ram

Selvam M said...

Very Nice! It helped me to configure without any issue, thanks.