What is LDAP
LDAP (Lightweight Directory Access Protocol) is a client-server protocol that provides directory services to client machines. Each LDAP server holds the data that makes up the directory in a high-performance transactional database. LDAP stores its data as objects (entries), each of which is described by a set of attributes.
Right now the current LDAP standard provides the following basic types of object classes:
- Groups – unordered lists of individual objects or of other groups of objects
- Location – e.g. country name and description
- Organisational Units – for organisational classification of the directory
- People – individual user login accounts in the directory
As mentioned earlier, each object class is supported by additional information in the form of attributes. Each attribute is paired with a value, and it is those values that make each object a unique entity in the LDAP database.
For example, the "user" object has an attribute named commonName (cn for short) whose value is the user's name.
In this post I provide the steps required to configure an LDAP server (RHEL 6.3) with a basic LDAP configuration, and then configure an LDAP client to use nslcd authentication (the legacy method on RHEL 6.3). SSSD-based authentication is only touched on briefly; a full SSSD setup is out of scope for this document.
Configuration of LDAP Server
Check for the required LDAP Packages
[root@kkraj ~]# rpm -qa|grep ldap
compat-openldap-2.3.43-2.el6.x86_64
mod_authz_ldap-0.26-15.el6.x86_64
nss-pam-ldapd-0.7.5-14.el6_2.1.x86_64
openldap-servers-sql-2.4.23-26.el6_3.2.x86_64
python-ldap-2.3.10-1.el6.x86_64
openldap-devel-2.4.23-26.el6_3.2.x86_64
krb5-server-ldap-1.9-33.el6.x86_64
bind-dyndb-ldap-1.1.0-0.9.b1.el6.x86_64
openldap-servers-2.4.23-26.el6_3.2.x86_64
openldap-2.4.23-26.el6_3.2.x86_64
php-ldap-5.3.3-14.el6_3.x86_64
openldap-clients-2.4.23-26.el6_3.2.x86_64
ldapjdk-4.18-6.el6.x86_64
apr-util-ldap-1.3.9-3.el6_0.1.x86_64
pam_ldap-185-11.el6.x86_64
[root@kkraj ~]# cat /var/lib/ldap/DB_CONFIG
cat: /var/lib/ldap/DB_CONFIG: No such file or directory
[root@kkraj ~]# egrep -v "^#|^$" /usr/share/openldap-servers/DB_CONFIG.example
set_cachesize 0 268435456 1
set_lg_regionmax 262144
set_lg_bsize 2097152
Initialize DB_CONFIG with the settings from the example file
[root@kkraj ~]# egrep -v "^#|^$" /usr/share/openldap-servers/DB_CONFIG.example > /var/lib/ldap/DB_CONFIG
Before proceeding with further configuration, stop iptables so the firewall does not get in the way while testing. This is acceptable on an isolated lab box; on any server other hosts can reach, leave the firewall up and open only TCP 389 (and 636 if you use LDAPS) to the clients that need it.
# service iptables stop
Take a copy of the sample slapd.conf and make modifications as per our requirements
[root@kkraj ~]# cp /usr/share/openldap-servers/slapd.conf.obsolete /root/slapd.conf
Generate the hashed root password for the LDAP database (the same slappasswd output is reused later for cn=config):
[root@kkraj ~]# slappasswd
New password: <password>
Re-enter new password: <password>
{SSHA}5kO/K1KBzJ0wEaKBAGjIDY6MG6TGzg9Q <== note down this hashed password

What slappasswd prints is a salted SHA-1 hash ({SSHA}), not an encrypted password: it cannot be reversed, but anyone who obtains it can guess the password offline, so protect it like any other credential. In this walkthrough the one value is reused for the bdb rootdn, for cn=config and for the sample user; that is fine for a lab, but in production generate a separate password for each.

[root@kkraj ~]# vi /root/slapd.conf
Make the following modifications under the "database bdb" section (the sample file ships with dc=my-domain,dc=com as suffix and rootdn):
suffix "dc=kkraj,dc=com"
checkpoint 1024 15
rootdn "cn=Manager,dc=kkraj,dc=com"
rootpw {SSHA}5kO/K1KBzJ0wEaKBAGjIDY6MG6TGzg9Q
Stop the slapd service while you make modifications
# service slapd stop
Modify /root/slapd.conf to reflect the domain name and password. Besides suffix, rootdn and rootpw, the cn=monitor ACL also names the Manager DN, so change that from dc=my-domain,dc=com to dc=kkraj,dc=com as well, otherwise the Manager cannot read cn=monitor. Two further things are worth noticing in the resulting file before going on: "allow bind_v2" turns LDAPv2 back on (RHEL 6 clients do not need it), and the "security" line that would require encryption for simple binds is commented out, so with this file passwords travel in clear text unless the clients use StartTLS or LDAPS. The bdb database also carries no "access" directives, and the commented sample policy above it spells out the consequence: with no ACL, anyone can read everything, including userPassword hashes.
[root@kkraj log]# cat /root/slapd.conf
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
# include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema

# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

# Load dynamic backend modules
# - modulepath is architecture dependent value (32/64-bit system)
# - back_sql.la overlay requires openldap-server-sql package
# - dyngroup.la and dynlist.la cannot be used at the same time

# modulepath /usr/lib/openldap
# modulepath /usr/lib64/openldap

# moduleload accesslog.la
# moduleload auditlog.la
# moduleload back_sql.la
# moduleload chain.la
# moduleload collect.la
# moduleload constraint.la
# moduleload dds.la
# moduleload deref.la
# moduleload dyngroup.la
# moduleload dynlist.la
# moduleload memberof.la
# moduleload pbind.la
# moduleload pcache.la
# moduleload ppolicy.la
# moduleload refint.la
# moduleload retcode.la
# moduleload rwm.la
# moduleload seqmod.la
# moduleload smbk5pwd.la
# moduleload sssvlv.la
# moduleload syncprov.la
# moduleload translucent.la
# moduleload unique.la
# moduleload valsort.la

# The next three lines allow use of TLS for encrypting connections using a
# dummy test certificate which you can generate by running
# /usr/libexec/openldap/generate-server-cert.sh. Your client software may balk
# at self-signed certificates, however.
TLSCACertificatePath /etc/openldap/certs
TLSCertificateFile "OpenLDAP Server"
TLSCertificateKeyFile /etc/openldap/certs/password

# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

# enable on-the-fly configuration (cn=config)
database config
access to *
  by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
  by * none

# enable server status monitoring (cn=monitor)
database monitor
access to *
  by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
  by dn.exact="cn=Manager,dc=kkraj,dc=com" read
  by * none

#######################################################################
# database definitions
#######################################################################

database bdb
suffix "dc=kkraj,dc=com"
checkpoint 1024 15
rootdn "cn=Manager,dc=kkraj,dc=com"
rootpw {SSHA}5kO/K1KBzJ0wEaKBAGjIDY6MG6TGzg9Q
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw secret
# rootpw {crypt}ijFYNcSNctBYg

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap

# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub

# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
# bindmethod=sasl saslmech=GSSAPI
# authcId=host/ldap-master.example.com@EXAMPLE.COM
[root@kkraj log]#
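As an added check (example code written for this review, not part of the original post or of OpenLDAP), the following Python script reads a slapd.conf the way slapd does and flags the weak points discussed above: allow bind_v2, the missing security directive, a cleartext rootpw, and the absence of an ACL on userPassword. It carries a trimmed, constructed copy of the page's file and a hardened version of it; the 128-bit security values, the localSSF line and the userPassword ACL in the hardened copy are settings I suggest, not the page's own. Run it against your own /root/slapd.conf to see which findings remain.

```python
"""Audit a slapd.conf for the weak settings left in the file above.

Added example for this page, not code from the original post or from
OpenLDAP. PAGE_CONF is a constructed, trimmed copy of the page's file;
HARDENED_CONF is the same file with the fixes suggested above.
"""
import re

PAGE_CONF = """\
include /etc/openldap/schema/core.schema
allow bind_v2
# security ssf=1 update_ssf=112 simple_bind=64
database config
access to *
  by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
  by * none
database bdb
suffix "dc=kkraj,dc=com"
rootdn "cn=Manager,dc=kkraj,dc=com"
rootpw {SSHA}5kO/K1KBzJ0wEaKBAGjIDY6MG6TGzg9Q
directory /var/lib/ldap
"""

HARDENED_CONF = """\
include /etc/openldap/schema/core.schema
# no 'allow bind_v2'; simple binds and updates need 128-bit protection,
# and localSSF keeps root's ldapi:/// session above that bar
security simple_bind=128 update_ssf=128
localSSF 128
database config
access to *
  by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
  by * none
database bdb
suffix "dc=kkraj,dc=com"
rootdn "cn=Manager,dc=kkraj,dc=com"
rootpw {SSHA}5kO/K1KBzJ0wEaKBAGjIDY6MG6TGzg9Q
directory /var/lib/ldap
access to attrs=userPassword
  by self write
  by anonymous auth
  by * none
access to *
  by self write
  by users read
  by anonymous auth
"""


def parse_directives(text):
    """Yield (keyword, arguments) pairs: '#' lines are comments and lines
    that start with whitespace continue the previous directive, as in slapd."""
    joined = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and joined:
            joined[-1] += " " + line.strip()
        else:
            joined.append(line.strip())
    for line in joined:
        keyword, _, rest = line.partition(" ")
        yield keyword.lower(), rest.strip()


def audit_slapd_conf(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    simple_bind_protected = False
    db = None          # backend currently being configured
    db_access = {}     # backend -> its 'access' rules
    for keyword, rest in parse_directives(text):
        if keyword == "allow" and "bind_v2" in rest.split():
            findings.append("LDAPv2 binds allowed (allow bind_v2)")
        elif keyword == "security":
            factors = dict(f.split("=", 1) for f in rest.split() if "=" in f)
            strength = max(int(factors.get("ssf", 0)), int(factors.get("simple_bind", 0)))
            simple_bind_protected = strength >= 56
        elif keyword == "database":
            db = rest
            db_access.setdefault(db, [])
        elif keyword == "rootpw" and not rest.startswith("{"):
            findings.append(f"cleartext rootpw in database {db}")
        elif keyword == "access" and db:
            db_access[db].append(rest)
    if not simple_bind_protected:
        findings.append("no security directive: simple binds accepted in clear text")
    for name, rules in db_access.items():
        if name in ("config", "monitor"):  # the page sets explicit ACLs on these
            continue
        pw_rules = [r for r in rules if re.search(r"\battrs=\S*\buserPassword\b", r)]
        if not pw_rules:
            findings.append(f"database {name}: no ACL on userPassword, hashes readable by anyone")
        elif any(re.search(r"\bby \* (read|write|search)\b", r) for r in pw_rules):
            findings.append(f"database {name}: userPassword ACL still lets everyone read it")
    return findings
```

A global "security ssf=128" would also reject root's ldapi:/// session, whose strength is the localSSF value (71 in the ldapsearch output later on this page); the hardened copy therefore constrains simple binds and updates only and raises localSSF to match.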
Note:
In earlier versions, LDAP configuration was done in the slapd.conf file, whereas in RHEL 6 the file-based configuration is obsolete and the dynamic configuration (cn=config) is edited with the LDAP tools ldapadd/ldapdelete/ldapmodify.
Instead of building the dynamic configuration from scratch, we write the basic setup into slapd.conf and convert it into dynamic configuration using slaptest. As a prerequisite we remove all existing configuration, as shown below.
Removing default ldap configuration data (note that the second command also removes the DB_CONFIG written earlier; recreate it with the same egrep command before continuing, otherwise BDB runs with its default cache settings and slaptest records no olcDbConfig values)
[root@kkraj ~]# rm -rf /etc/openldap/slapd.d/*
[root@kkraj ~]# rm -rf /var/lib/ldap/*
Initialize DB files for content in the /var/lib/ldap directory
[root@kkraj ~]# echo "" | slapadd -f /root/slapd.conf
The first database does not allow slapadd; using the first available one (2)
Convert the slapd.conf to the cn=config model
[root@kkraj ~]# slaptest -f /root/slapd.conf -F /etc/openldap/slapd.d/
config file testing succeeded
[root@kkraj ~]# ls -l /etc/openldap/slapd.d/
total 8
drwxr-x--- 3 root root 4096 Mar 24 20:52 cn=config
-rw------- 1 root root 1120 Mar 24 20:52 cn=config.ldif
Make sure the ldap user owns /etc/openldap/slapd.d and /var/lib/ldap and has read and write permission on them, and that nobody else does: the cn=config LDIF contains the rootpw hashes and the database files contain every userPassword.
[root@kkraj ~]# chown -R ldap:ldap /etc/openldap/slapd.d
[root@kkraj ~]# chmod -R u+rwX /etc/openldap/slapd.d
[root@kkraj ~]# chown -R ldap:ldap /var/lib/ldap
Make sure LDAPI support is enabled in /etc/sysconfig/ldap (the ldapi:/// socket is what the SASL EXTERNAL commands below use to authenticate root to cn=config)
[root@kkraj ~]# grep LDAPI /etc/sysconfig/ldap
# At least one of SLAPD_LDAP, SLAPD_LDAPI and SLAPD_LDAPS must be set to 'yes'!
SLAPD_LDAPI=yes
# - it doesn't overwrite settings of $SLAPD_LDAP, $SLAPD_LDAPS and $SLAPD_LDAPI options
# - it isn't overwritten by settings of $SLAPD_LDAP, $SLAPD_LDAPS and $SLAPD_LDAPI options
Start the slapd server
[root@kkraj ~]# service slapd start
Starting slapd: [ OK ]
Test that the slapd backend configuration can be listed with an ldapsearch command.
[root@kkraj ~]# ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config | more
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# config
dn: cn=config
objectClass: olcGlobal
cn: config
olcConfigFile: /root/slapd.conf
olcConfigDir: /etc/openldap/slapd.d/
olcAllows: bind_v2
olcArgsFile: /var/run/openldap/slapd.args
olcAttributeOptions: lang-
olcAuthzPolicy: none
olcConcurrency: 0
olcConnMaxPending: 100
olcConnMaxPendingAuth: 1000
olcGentleHUP: FALSE
olcIdleTimeout: 0
olcIndexSubstrIfMaxLen: 4
olcIndexSubstrIfMinLen: 2
olcIndexSubstrAnyLen: 4
olcIndexSubstrAnyStep: 2
olcIndexIntLen: 4
olcLocalSSF: 71
olcPidFile: /var/run/openldap/slapd.pid
olcReadOnly: FALSE
olcReverseLookup: FALSE
olcSaslSecProps: noplain,noanonymous
olcSockbufMaxIncoming: 262143
olcSockbufMaxIncomingAuth: 16777215
olcThreads: 16
olcTLSCACertificatePath: /etc/openldap/certs
olcTLSCertificateFile: "OpenLDAP Server"
olcTLSCertificateKeyFile: /etc/openldap/certs/password
olcTLSVerifyClient: never
olcToolThreads: 1
olcWriteTimeout: 0

:::::: SNIP the output ::::

# {2}bdb, config
dn: olcDatabase={2}bdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcBdbConfig
olcDatabase: {2}bdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=kkraj,dc=com
olcAddContentAcl: FALSE
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcRootDN: cn=Manager,dc=kkraj,dc=com
olcRootPW: {SSHA}5kO/K1KBzJ0wEaKBAGjIDY6MG6TGzg9Q
olcSyncUseSubentry: FALSE
olcMonitoring: TRUE
olcDbCacheSize: 1000
olcDbCheckpoint: 1024 15
olcDbConfig: {0}set_cachesize 0 268435456 1
olcDbConfig: {1}set_lg_regionmax 262144
olcDbConfig: {2}set_lg_bsize 2097152
olcDbNoSync: FALSE
olcDbDirtyRead: FALSE
olcDbIDLcacheSize: 0
olcDbIndex: objectClass pres,eq
olcDbIndex: cn pres,eq,sub
olcDbIndex: uid pres,eq,sub
olcDbIndex: uidNumber pres,eq
olcDbIndex: gidNumber pres,eq
olcDbIndex: mail pres,eq,sub
olcDbIndex: ou pres,eq,sub
olcDbIndex: loginShell pres,eq
olcDbIndex: sn pres,eq,sub
olcDbIndex: givenName pres,eq,sub
olcDbIndex: memberUid pres,eq,sub
olcDbIndex: nisMapName pres,eq,sub
olcDbIndex: nisMapEntry pres,eq,sub
olcDbLinearIndex: FALSE
olcDbMode: 0600
olcDbSearchStack: 16
olcDbShmKey: 0
olcDbCacheFree: 1
olcDbDNcacheSize: 0

# search result
search: 2
result: 0 Success

# numResponses: 19
# numEntries: 18
Making a change to the slapd backend using ldapmodify.
The configuration steps above do not set a rootpw for cn=config. If the slapd backend configuration needs to be viewed or modified remotely, a bind password is needed so that we can bind as the config database's rootdn (the olcRootDN of olcDatabase={0}config, which is cn=config unless you set it; the slapd.conf above gives "database config" no rootdn of its own). The following example adds a rootpw for cn=config over the ldapi:// interface as the root user. The value reuses the hash from slappasswd above; for anything other than a lab, generate a separate one.
[root@kkraj ~]# ldapmodify -Y EXTERNAL -H ldapi:///
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}5kO/K1KBzJ0wEaKBAGjIDY6MG6TGzg9Q <<< the hashed password we created with slappasswd earlier

modifying entry "olcDatabase={0}config,cn=config"
^D
Now we will make some basic entries for the domain, the organizational units, groups and people.
[root@kkraj log]# cat > /root/domain.ldif
dn: dc=kkraj,dc=com
objectClass: top
objectClass: domain
dc: kkraj

dn: ou=Groups,dc=kkraj,dc=com
objectClass: top
objectClass: organizationalunit
ou: Groups

dn: ou=People,dc=kkraj,dc=com
objectClass: top
objectClass: organizationalunit
ou: People
^D
[root@kkraj cn=config]# ldapadd -x -h localhost -D cn=Manager,dc=kkraj,dc=com -f /root/domain.ldif -W
Enter LDAP Password: <== enter the password you set for the bdb database rootdn
adding new entry "dc=kkraj,dc=com"
adding new entry "ou=Groups,dc=kkraj,dc=com"
adding new entry "ou=People,dc=kkraj,dc=com"
Now we will add a sample user named "kkraj" and a group named "redhat", using the LDIF file /root/user.ldif. The userPassword below reuses the Manager's hash purely for brevity, which means this sample user logs in with the rootdn's password; give real users a separate slappasswd value each.
[root@kkraj cn=config]# cat > /root/user.ldif
dn: uid=kkraj,ou=People,dc=kkraj,dc=com
givenName: ldap
sn: user1
loginShell: /bin/bash
uidNumber: 1250
gidNumber: 1500
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
uid: kkraj
cn: ldap user1
homeDirectory: /home/kkraj
userPassword: {SSHA}5kO/K1KBzJ0wEaKBAGjIDY6MG6TGzg9Q

dn: cn=redhat,ou=Groups,dc=kkraj,dc=com
objectClass: posixGroup
objectClass: top
cn: redhat
gidNumber: 1500
^D
[root@kkraj cn=config]# ldapadd -x -h localhost -D cn=Manager,dc=kkraj,dc=com -f /root/user.ldif -W
Enter LDAP Password: <- enter the password we set for the bdb database
adding new entry "uid=kkraj,ou=People,dc=kkraj,dc=com"
adding new entry "cn=redhat,ou=Groups,dc=kkraj,dc=com"
Kkraj1: LDAP Client Configuration
Check for all required client packages
[root@kkraj1 log]# rpm -qa|grep ldap
pam_ldap-185-11.el6.x86_64
python-ldap-2.3.10-1.el6.x86_64
apr-util-ldap-1.3.9-3.el6_0.1.x86_64
nss-pam-ldapd-0.7.5-14.el6_2.1.x86_64
compat-openldap-2.3.43-2.el6.x86_64
openldap-devel-2.4.23-26.el6.x86_64
openldap-clients-2.4.23-26.el6.x86_64
ldapjdk-4.18-6.el6.x86_64
[root@kkraj1 log]#
RHEL 6 supports two kinds of authentication procedures.
Two types of authentication service allow LDAP clients to accept logins:
1. SSSD (System Security Services Daemon)
2. NSLCD-based authentication
Authentication Type 1: SSSD (System Security Services Daemon): a service which provides access to different identity and authentication providers. SSSD uses the configuration in /etc/sssd/sssd.conf for identity lookup and authentication. In order to use SSSD-based LDAP authentication, either TLS (StartTLS) or LDAPS is required: SSSD refuses to send a user's password over an unencrypted channel. If the LDAP server is used only as an identity provider, an encrypted channel is not needed.
Configuring LDAP client using SSSD (Recommended)
Required SSSD packages:
# yum install sssd sssd-client
Configure the system using the command line
# authconfig --enableldap --enableldapauth --ldapserver="kkraj" --ldapbasedn="dc=kkraj,dc=com" --enableldaptls --update
Or, if you want to use the menu-based (GUI) configuration, go to System > Administration > Authentication (or execute authconfig-gtk from a terminal)
Important note: if no usable certificate is in place for TLS (the client has not been given a CA certificate it trusts for the server's certificate), LDAP users will not be able to log in and you will get the following errors. The client login says access denied:
login as: kkraj
kkraj@192.168.1.32's password:
Access denied
and syslog logs the following in /var/log/messages:
Mar 24 11:10:48 kkraj1 sssd: Starting up
Mar 24 11:10:48 kkraj1 sssd[be[default]]: Starting up
Mar 24 11:10:48 kkraj1 sssd[nss]: Starting up
Mar 24 11:10:48 kkraj1 sssd[pam]: Starting up
Mar 24 11:10:59 kkraj1 sssd[be[default]]: Could not start TLS encryption. TLS error -8157:Certificate extension not found.
The fix is to give the client the CA certificate that signed the server's certificate (ldap_tls_cacert in sssd.conf), not to turn off TLS.
Authentication Type 2: Configuring the LDAP client using nslcd. The nss-pam-ldapd package provides the nslcd daemon, which uses a directory server to look up name service information on behalf of a lightweight nsswitch module. The authentication part is handled by pam_ldap (from padl.com); nss-pam-ldapd's own pam_ldap module is currently disabled. nslcd uses the configuration in /etc/nslcd.conf and pam_ldap uses /etc/pam_ldap.conf (if authconfig is used, both files are updated automatically).
Install required packages:
# yum install nss-pam-ldapd pam_ldap
authconfig will try to use sssd by default; in order to configure nslcd instead, edit /etc/sysconfig/authconfig and set the FORCELEGACY option to yes, as below
FORCELEGACY=yes
or enable this parameter from the command line using
# authconfig --enableforcelegacy --update
Finally, enable LDAP authentication for the client using the command
[root@kkraj]# authconfig --enableldap --enableldapauth --ldapserver=ldapserver --ldapbasedn="dc=kkraj,dc=com" --update
Starting nslcd: [ OK ]
Starting oddjobd: [ OK ]
Note that this command, unlike the SSSD one above, passes no --enableldaptls, so pam_ldap sends each user's password to the server in clear text; add --enableldaptls (and a trusted CA certificate on the client) for anything other than a test network.
Restart the nslcd service.
[root@kkraj1 log]# service nslcd restart
Stopping nslcd: [FAILED]
Starting nslcd: [ OK ]
Confirm that the client is able to see the LDAP users.
[root@kkraj1 log]# getent passwd kkraj
kkraj:{SSHA}5kO/K1KBzJ0wEaKBAGjIDY6MG6TGzg9Q:1250:1500:ldap user1:/home/kkraj:/bin/bash
Look at the second field: it is the user's userPassword hash, handed to nslcd's anonymous lookup. That is the server's default "anyone can read anything" policy at work, and it means any local user on the client can pull every password hash out of the directory with getent and guess them offline. Fix it on the server by restricting userPassword (the commented sample ACL in slapd.conf shows the shape: self may write, anonymous may only authenticate, everyone else gets none); once that is in place the hash no longer appears here.
Login from the client
login as: kkraj
kkraj@192.168.1.32's password:
Creating home directory for kkraj.
[kkraj@kkraj1 ~]$
If you want to know a little more about LDAP, stay tuned for the next post.
Ok Buddy, let's test me on this. Again I'll touch with you.
Cheers.