Installing & Configuring LDAP server and client on CENTOS 7 and FEDORA 21 Server

Posted: May 25, 2015 in Linux

When I started to learn how to configure an LDAP server I wasn't able to find detailed and accurate step-by-step instructions, so I decided to post my experience. The instructions written here I found on several forums/blogs and combined into one comprehensive guide; I hope you'll find it useful.

I used CentOS 7 as the LDAP server and Fedora Server 21 as the LDAP client.

Let's start by configuring our server.

First, install the openldap and openldap-server packages with yum.


Open the /etc/openldap/slapd.d/cn=config.ldif file in your favorite editor and add the following directives:

olcConnMaxPending
The olcConnMaxPending directive specifies the maximum number of pending requests for an anonymous session (default 100).

olcConnMaxPendingAuth
The olcConnMaxPendingAuth directive specifies the maximum number of pending requests for an authenticated session (default 100).

olcIdleTimeout
The olcIdleTimeout directive specifies how many seconds to wait before closing an idle connection (default 0, i.e. never).

Also add the paths to the certificate and key files (we'll create them shortly).

Content of cn=config.ldif file:

# AUTO-GENERATED FILE – DO NOT EDIT!! Use ldapmodify.
# CRC-32 = 45f2f7b5
dn: cn=config
objectClass: olcGlobal
cn: config
olcAllows: bind_v2 bind_anon_cred
olcConnMaxPending: 100
olcConnMaxPendingAuth: 1000
olcIdleTimeout: 180
olcArgsFile: /var/run/openldap/slapd.args
olcPidFile: /var/run/openldap/slapd.pid
olcTLSCertificateFile: /etc/openldap/ssl/slapdcert.pem
olcTLSCertificateKeyFile: /etc/openldap/ssl/slapdkey.pem
structuralObjectClass: olcGlobal
entryUUID: 3c0e2f98-967d-1034-9d0f-7b34630a0dc0
creatorsName: cn=config
createTimestamp: 20150524162528Z
entryCSN: 20150524162528.659444Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20150524162528Z

Then modify the /etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif file.

Enter the domain name (example.com) and the user who will populate the LDAP database (I used the root user).

File content:

# AUTO-GENERATED FILE – DO NOT EDIT!! Use ldapmodify.
# CRC-32 acf4938f
dn: olcDatabase={1}monitor
objectClass: olcDatabaseConfig
olcDatabase: {1}monitor
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external
 ,cn=auth" read by dn.base="cn=root,dc=example,dc=com" read by * none
structuralObjectClass: olcDatabaseConfig
entryUUID: 3c12350c-967d-1034-9d14-7b34630a0dc0
creatorsName: cn=config
createTimestamp: 20150524162528Z
entryCSN: 20150524162528.685866Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20150524162528Z

Create the admin password:

[root@server ~]$ slappasswd
New password:
Re-enter new password:

You'll get the hashed password as output:

{SSHA}vgcnr2E7rwMHPH65Cni5leHeBxooDG/f

Copy the final hashed output ({SSHA}vgcnr2E7rwMHPH65Cni5leHeBxooDG/f) for use in the olcRootPW attribute of the olcDatabase={2}hdb.ldif file in the /etc/openldap/slapd.d/cn=config directory.

Content of olcDatabase={2}hdb.ldif:

# AUTO-GENERATED FILE – DO NOT EDIT!! Use ldapmodify.
# CRC-32 3f4c95ee
dn: olcDatabase={2}hdb
olcReadOnly: FALSE
olcRootDN: cn=root,dc=example,dc=com
olcSuffix: dc=example,dc=com
olcRootPW: {SSHA}vgcnr2E7rwMHPH65Cni5leHeBxooDG/f
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
structuralObjectClass: olcHdbConfig
entryUUID: 3c123bba-967d-1034-9d15-7b34630a0dc0
creatorsName: cn=config
createTimestamp: 20150524162528Z
entryCSN: 20150524162528.686038Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20150524162528Z

olcReadOnly
The olcReadOnly directive puts the database into read-only mode. It takes the following form:

olcReadOnly: boolean

It accepts either TRUE (enable read-only mode) or FALSE (allow modifications of the database). The default is FALSE. If you set olcReadOnly: TRUE (as I did at first :)), you won't be able to update the LDAP database; every update fails with: ldap_modify: Server is unwilling to perform (53)

olcRootDN
The olcRootDN directive specifies the user who is unrestricted by the access controls or administrative limits set for operations on the LDAP directory. It accepts a Distinguished Name (DN), here cn=root,dc=example,dc=com.

olcRootPW
The olcRootPW directive sets the password for the user specified by the olcRootDN directive (put the hashed password from slappasswd here).

olcSuffix
The olcSuffix directive specifies the domain (DN suffix) for which this database provides information.

Now test the configuration; in a terminal (as root) type

slaptest -u

You should get output like the one in the original post's screenshot, including a checksum error for each hand-edited file. The checksum error won't prevent the server from running, but it's a bit annoying. I found the solution here:

http://injustfiveminutes.com/2014/10/28/how-to-fix-ldif_read_file-checksum-error/

Note: I needed to modify the tail command to produce the fixed.ldif file:

tail -n +3 /tmp/olcDatabase={1}monitor.ldif > /tmp/fixed.ldif

(repeat this for the remaining two edited files)

Run slaptest -u again; this time the checksum errors are gone (output shown as a screenshot in the original post).

We configured the LDAP server to use TLS certificates, but we still haven't created any.

For testing purposes I created a self-signed certificate.

Create the /etc/openldap/ssl folder and generate the certificate and key (the openssl command is shown as a screenshot in the original post).

This will create the certificate and private key in the /etc/openldap/ssl/ directory; make sure that the ldap user can read them.

[root@server ~]$ chown -Rf root:ldap /etc/openldap/ssl
[root@server ~]$ chmod -Rf 750 /etc/openldap/ssl

Start the slapd service and check that it listens on the LDAP ports.

Before starting to build our LDAP database, we need to import the schemas in order to avoid the following errors:

adding new entry “dc=example,dc=com”
ldap_add: Invalid syntax (21)
additional info: objectClass: value #0 invalid per syntax

ldapadd -Y EXTERNAL -H ldapi:// -f /etc/openldap/schema/core.ldif
ldapadd -Y EXTERNAL -H ldapi:// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:// -f /etc/openldap/schema/nis.ldif

Search and test the database:

ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts

Now build the LDAP database: create an empty file (base.ldif) and populate it with the following data:

dn: dc=example,dc=com
dc: example
objectClass: top
objectClass: domain

dn: ou=people,dc=example,dc=com
ou: people
objectClass: top
objectClass: organizationalUnit

dn: ou=group,dc=example,dc=com
ou: group
objectClass: top
objectClass: organizationalUnit

Now import it into the database:

[root@server1 cn=config]# ldapadd -x -W -D "cn=root,dc=example,dc=com" -f ./base.ldif
Enter LDAP Password:
adding new entry “dc=example,dc=com”
adding new entry “ou=people,dc=example,dc=com”
adding new entry “ou=group,dc=example,dc=com”

Now migrate the existing users (I only had one, the root user).

First, modify the migration script (migrate_common.ph) in the /usr/share/migrationtools folder to use our example.com domain.

If you have no migrationtools folder, install the migration tools package:

yum install migrationtools -y

The migration tools will create an LDIF file (people.ldif in our case) which will be used to populate the LDAP database:

[root@server1 slapd.d]# /usr/share/migrationtools/migrate_passwd.pl /etc/passwd people.ldif

and one for the groups:

[root@server1 slapd.d]# /usr/share/migrationtools/migrate_group.pl /etc/group group.ldif

Now import the users and groups into the LDAP server:

[root@server1 slapd.d]# ldapadd -xWD "cn=root,dc=example,dc=com" -f people.ldif

[root@server1 slapd.d]# ldapadd -xWD "cn=root,dc=example,dc=com" -f group.ldif

Test the LDAP database content:

[root@server1 slapd.d]# ldapsearch -xWD "cn=root,dc=example,dc=com" -b "dc=example,dc=com"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# example.com
dn: dc=example,dc=com
dc: example
objectClass: top
objectClass: domain

# people, example.com
dn: ou=people,dc=example,dc=com
ou: people
objectClass: top
objectClass: organizationalUnit

--- output cut ---

Now we can add a new user and group (you can use people.ldif as a template).

Create a gordon.ldif file for the new user gordon:

dn: uid=gordon,ou=people,dc=example,dc=com
uid: gordon
cn: gordon gotham
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$6$TUAgiILnArH7dyF4$TpSEXoTAPMvQR3ipQWqaQ8gbAlHMB8udOaeRwePs3PkTK4ePuENozOZkVc8Qdjwe.vjvm4YOccIMdLF/MdsDk0
shadowLastChange: 16579
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1003
gidNumber: 1003
homeDirectory: /home/gordon
gecos: gordon gotham

The same goes for the group; content of the file gordon-group.ldif (again, group.ldif can be used as a template):

dn: cn=gordon,ou=group,dc=example,dc=com
objectClass: posixGroup
objectClass: top
cn: gordon
userPassword: {crypt}x
gidNumber: 1003
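As an added check before running ldapadd on people.ldif or gordon.ldif (my own code, not part of the original post): a small Python linter over LDIF text that flags posixAccount entries with a cleartext userPassword (no {scheme} prefix), with uidNumber 0 (migrate_passwd.pl exports root from /etc/passwd along with everyone else) or with required POSIX attributes missing. The sample LDIF is constructed; the second entry deliberately has all three defects.

```python
# Constructed sample modelled on gordon.ldif; the second entry carries the defects reported below.
SAMPLE_LDIF = """\
dn: uid=gordon,ou=people,dc=example,dc=com
uid: gordon
objectClass: posixAccount
userPassword: {crypt}$6$PLACEHOLDERSALT$PLACEHOLDERHASH
uidNumber: 1003
gidNumber: 1003
homeDirectory: /home/gordon

dn: uid=migrated,ou=people,dc=example,dc=com
uid: migrated
objectClass: posixAccount
userPassword: hunter2
uidNumber: 0
gidNumber: 0
"""

REQUIRED = ("uid", "uidNumber", "gidNumber", "homeDirectory")


def parse_ldif(text):
    """Minimal LDIF reader: folded lines rejoined, records split on blank lines (no base64 'attr::' values)."""
    entries, attrs = [], {}
    for line in text.replace("\n ", "").splitlines():
        if line.strip():
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip(), []).append(value.strip())
        elif attrs:
            entries.append(attrs)
            attrs = {}
    if attrs:
        entries.append(attrs)
    return entries


def lint_posix_entries(text):
    """Return (dn, finding) pairs for posixAccount entries you would not want to ldapadd."""
    findings = []
    for e in parse_ldif(text):
        dn = e.get("dn", ["?"])[0]
        if "posixAccount" not in e.get("objectClass", []):
            continue
        findings += [(dn, f"missing {a}") for a in REQUIRED if a not in e]
        for pw in e.get("userPassword", []):
            if not pw.startswith("{"):  # no {scheme} prefix: stored and compared as cleartext
                findings.append((dn, "cleartext userPassword"))
        if "0" in e.get("uidNumber", []):
            findings.append((dn, "uidNumber 0: this account is root on every client"))
    return findings
```

Running lint_posix_entries(SAMPLE_LDIF) reports nothing for gordon and three findings for the migrated entry.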

Add the new user and group to the LDAP server:

[root@server1 slapd.d]# ldapadd -xWD "cn=root,dc=example,dc=com" -f gordon.ldif
Enter LDAP Password:
adding new entry "uid=gordon,ou=people,dc=example,dc=com"

[root@server1 slapd.d]# ldapadd -xWD "cn=root,dc=example,dc=com" -f gordon-group.ldif
Enter LDAP Password:
adding new entry "cn=gordon,ou=group,dc=example,dc=com"

Now set a password for user gordon (I set 123456 as the password):

[root@server1 slapd.d]# ldappasswd -xWD "cn=root,dc=example,dc=com" -s 123456 "uid=gordon,ou=people,dc=example,dc=com"
Enter LDAP Password:

Now we can set up our LDAP client, but first we need to make our certificate available to the client.

On the server I installed the Apache web server, created the /var/www/html/inst folder and copied the server certificate (slapdcert.pem) into the inst folder. Only the certificate is published; the private key (slapdkey.pem) stays in /etc/openldap/ssl.

[root@server1 slapd.d]# yum install httpd -y
[root@server1 slapd.d]# systemctl start httpd
[root@server1 slapd.d]# mkdir /var/www/html/inst/
[root@server1 slapd.d]# cp /etc/openldap/ssl/slapdcert.pem /var/www/html/inst/
[root@server1 slapd.d]# chcon -R --reference=/var/www/html/ /var/www/html/inst
[root@server1 slapd.d]# firewall-cmd --zone=public --add-port=80/tcp --permanent
[root@server1 slapd.d]# firewall-cmd --reload

Now try to access server1 from the client (the original post shows the result as a screenshot).

On the client, install the openldap-clients, nss-pam-ldapd and sssd packages and run the authconfig-gtk command.

Enter the LDAP base DN and LDAP server, click Download CA Certificate, enter http://server1.example.com/inst, then click OK and Apply (of course, make sure that server1.example.com is resolvable from the client).

Now we need to tell the system to search the LDAP server as well: open the /etc/nsswitch.conf file and add the following directives.

They instruct our machine that, if a user is not found in the local files (/etc/passwd, /etc/group), it should look at the LDAP server:

passwd: files ldap
shadow: files ldap
group: files ldap

Save and close the file.

Restart the sssd service. If you now try to switch to the user in a terminal with su gordon, you won't be able to do so.

Hmm, what's wrong now?

Check the log file:

[root@localhost cacerts]# tail -n 20 /var/log/messages

Could not start TLS encryption. TLS error -8172: Peer's certificate issuer has been marked as not trusted by the user.

We have to add the CA certificate that signed the LDAP server's cert to the client (with a self-signed certificate, that is slapdcert.pem itself).

First, copy slapdcert.pem from server1 to the /etc/openldap/cacerts/ folder on the client (I used scp), then on the client run:

/etc/pki/tls/misc/c_hash /etc/openldap/cacerts/slapdcert.pem

It prints an 8-digit hex number, and we have to create a symlink named <that 8-digit number>.0 pointing to the slapdcert.pem file:

[root@localhost cacerts]# ln -s /etc/openldap/cacerts/slapdcert.pem /etc/openldap/cacerts/35157f9e.0

Restart the sssd service and try to log in as gordon.

Yeah! It finally works!!

Comments

1. Sheik Ahmed SM says:

    Good effort. I need a Linux firewall step-by-step guide.

2. tanmoy das says:

    Hi,
    I am getting this error, need help.
    Enter LDAP Password:
    ldap_bind: Invalid credentials (49)
