= LDAP server using OpenLDAP =
The OpenLDAP software package is an Open Source and Free implementation of the Lightweight Directory Access Protocol (LDAP). It is gaining wide acceptance as the directory access method of the Internet and also within corporate intranets.
In this lab, you set up and configure an OpenLDAP server and configure LDAP clients to use the user account information stored in the LDAP server to perform user authentication. You can use the OpenLDAP client/server pair to replace your NIS client/server for network user authentication.
<b>Notes: OpenLDAP uses TCP port 389 for plain LDAP (and for StartTLS) and TCP port 636 for LDAP over TLS (ldaps).</b> You need to have these ports opened on your firewall. Traffic on port 389 is clear text unless TLS is negotiated, so the password hashes and binds exchanged in this lab can be read by anyone on the path; that is acceptable on an isolated lab network only.
==Part 1 - OpenLDAP server setup and configuration ==
Required RPMS for the OpenLDAP server
* openldap
* openldap-clients (for testing the server)
* openldap-devel (optional)
* openldap-servers
* nss_ldap
Sample nsswitch configuration file for LDAP: /usr/share/doc/nss_ldap-220/nsswitch_ldap (the version number in the path depends on the installed nss_ldap package)
===OpenLDAP Server configuration Summary===
#Create an OpenLDAP database
#Create an OpenLDAP “root” password and edit the OpenLDAP main configuration file /etc/openldap/slapd.conf
#Start the OpenLDAP server daemon
#Create an LDIF file for importing to the OpenLDAP database
#Import an LDIF file into the OpenLDAP database
====OpenLDAP Server configuration details:====
(1) Create the OpenLDAP database directory. It will hold password hashes, so it must be owned by the ldap user and readable by nobody else:
mkdir /var/lib/ldap/nad810.com
chown ldap:ldap /var/lib/ldap/nad810.com
chmod 700 /var/lib/ldap/nad810.com
(2) Create an OpenLDAP "root" password and edit the OpenLDAP server's main configuration file /etc/openldap/slapd.conf
The directory's "rootdn" bypasses access control and is the identity you use to create, import, and export data in the database. Never write its password into slapd.conf in clear text: use the slappasswd command to generate a salted hash and paste that into the configuration file:
slappasswd
New password: [nad810]
Re-enter new password: [nad810]
{SSHA}3NVLOWwqIMka3OyIYLyGrrkirD0pU0Qx <-- Copy this line into slapd.conf as the rootpw value
Add/Modify slapd.conf so that it contains the following. The suffix, the rootdn and the directory must all refer to the same domain, and the directory must be the one created in step (1):
database ldbm
suffix "dc=nad810,dc=com"
rootdn "cn=Manager,dc=nad810,dc=com"
rootpw {SSHA}3NVLOWwqIMka3OyIYLyGrrkirD0pU0Qx
directory /var/lib/ldap/nad810.com
Two caveats. The ldbm backend was removed in OpenLDAP 2.4; on newer releases use "database bdb" (or hdb) with the same suffix, rootdn, rootpw and directory lines. More importantly, a slapd.conf with no access directive defaults to read access for everyone, including anonymous binds, which exposes every userPassword hash in the directory; before the database holds real accounts, add an access directive for attrs=userPassword that grants "by self write by anonymous auth by * none", and keep slapd.conf itself readable only by root and the ldap user because it contains the rootpw hash.
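The rootpw line above is only as safe as the hash scheme behind it. The following Python helper is an added example, not part of the original lab page and not OpenLDAP code: it reproduces the default {SSHA} scheme that slappasswd emits, base64(SHA-1(password || salt) || salt), so you can generate a rootpw value on a machine without the OpenLDAP tools, verify one, and check that a slapd.conf never carries a schemeless clear-text rootpw. The 4-byte salt length and the "nad810" test password are taken from the lab; the function names are assumptions.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Added helper, not from the page or from OpenLDAP: reproduces the default
# {SSHA} scheme that slappasswd emits, base64(SHA-1(password || salt) || salt),
# so a rootpw value can be generated or checked without the OpenLDAP tools.


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return a {SSHA} value; a random 4-byte salt is used when none is given."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_parse(stored: str) -> Tuple[bytes, bytes]:
    """Split a {SSHA} value into (digest, salt); raise ValueError if malformed."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):], validate=True)
    if len(raw) <= hashlib.sha1().digest_size:
        raise ValueError("value holds no salt after the 20-byte SHA-1 digest")
    return raw[:20], raw[20:]


def ssha_verify(password: str, stored: str) -> bool:
    """Check a password against a {SSHA} value with a constant-time compare."""
    digest, salt = ssha_parse(stored)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def rootpw_is_hashed(slapd_conf_text: str) -> bool:
    """True only if slapd.conf has a rootpw line and it carries a {SCHEME} hash.

    slapd also accepts a bare clear-text rootpw; that is the mistake the
    slappasswd step exists to prevent, so a schemeless value fails the check.
    """
    found = False
    for line in slapd_conf_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "rootpw":
            value = fields[1]
            if not (value.startswith("{") and "}" in value[1:]):
                return False
            found = True
    return found


if __name__ == "__main__":
    h = ssha_hash("nad810")          # lab password, hypothetical salt
    print("rootpw", h)
    print("verifies:", ssha_verify("nad810", h))
```

Because the salt is random, two runs of slappasswd (or of ssha_hash) give different strings for the same password; that is expected, and ssha_verify still accepts both. SSHA is a single unsalted-iteration SHA-1, so it defeats casual reading of the file but not offline guessing; newer OpenLDAP releases can use stronger schemes such as {CRYPT} backed by a strong crypt(3) algorithm, and the rootdn password should be long regardless of scheme.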
(3) Start the OpenLDAP server daemon
service ldap start
To verify that the service is working, try the following query command:
ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
You should get something similar to the following:
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: namingContexts
#
#
dn:
namingContexts: dc=nad810,dc=com
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
(4) Create the LDIF files to import into the OpenLDAP database
a. add a user called "ldapuser" and give it a password. Do this before the next step, otherwise the migrated entry will carry a locked password:
useradd -g users ldapuser
passwd ldapuser
b. extract the passwd entry of ldapuser from /etc/passwd to a file called "entry.ldapuser". Anchor the pattern so that only that account's line matches, not every line that merely contains the string:
grep '^ldapuser:' /etc/passwd > /etc/openldap/entry.ldapuser
c. extract the passwd entry of root from /etc/passwd to a file called "entry.root" (unanchored, "grep root" would also match accounts such as operator whose home directory is /root):
grep '^root:' /etc/passwd > /etc/openldap/entry.root
d. convert the entries for "ldapuser" and "root" to LDIF format (ldif.ldapuser and ldif.root). The migration script reads the password hashes from /etc/shadow, so run it as root:
(Note that "\" at the end of a line tells the shell that
the next line is a continuation of the current line)
For ldapuser:
/usr/share/openldap/migration/migrate_passwd.pl \
/etc/openldap/entry.ldapuser /etc/openldap/ldif.ldapuser
For root:
/usr/share/openldap/migration/migrate_passwd.pl \
/etc/openldap/entry.root /etc/openldap/ldif.root
e. edit ldif.ldapuser: change dc=padl to dc=nad810 in the dn line (the migration tools default to the PADL example domain). A userPassword value of {crypt}!! means the account was still locked when the entry was generated; set the password and regenerate the file, otherwise nobody will be able to log in as ldapuser.
dn: uid=ldapuser,ou=People,dc=padl,dc=com
uid: ldapuser
cn: ldapuser
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}!!
shadowLastChange: 12821
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 501
gidNumber: 100
homeDirectory: /home/ldapuser
f. edit ldif.root in the same way. Security note: importing root (uidNumber 0) into a network directory means every client that trusts the directory also trusts it for root, and the root password hash becomes readable by anyone the directory's ACL allows; outside this lab keep root in the local files and publish only regular accounts.
dn: uid=root,ou=People,dc=padl,dc=com
uid: root
cn: root
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$1$3gRCMQww$8OCADPFZLjFr6DiFUi8Nn1
shadowLastChange: 12759
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 0
gidNumber: 0
homeDirectory: /root
gecos: root
g. create an LDIF file for the nad810.com domain and save it as /etc/openldap/nad810.com.ldif (it is imported first in step 5, because the entries below must exist before any user entry under ou=People can be added):
dn: dc=nad810,dc=com
dc: nad810
description: root LDAP entry for nad810
objectClass: dcObject
objectClass: organizationalUnit
ou: rootobject

dn: ou=People,dc=nad810,dc=com
ou: People
description: All people in nad810
objectClass: organizationalUnit
(Make sure that you have a blank line before the 2nd "dn:" line; a blank line is what separates one entry from the next in LDIF)
(5) Import the LDIF files into the OpenLDAP database, in this order. The -W option prompts for the rootdn password chosen in step (2):
ldapadd -x -D "cn=Manager,dc=nad810,dc=com" -W -f /etc/openldap/nad810.com.ldif
ldapadd -x -D "cn=Manager,dc=nad810,dc=com" -W -f /etc/openldap/ldif.root
ldapadd -x -D "cn=Manager,dc=nad810,dc=com" -W -f /etc/openldap/ldif.ldapuser
To test the OpenLDAP database:
ldapsearch -x -b 'dc=nad810,dc=com' '(objectclass=*)'
This search is an anonymous bind (no -D), so its output is exactly what any unauthenticated client on the network can read. If userPassword lines appear in it, the server is still running without an access directive; fix that before putting real accounts into the directory.
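Steps (4) and (5) go through a local account and migrate_passwd.pl to get the posixAccount/shadowAccount LDIF shown above. The function below is an added example, not from the page and not PADL's migration script: it builds the same entry directly from an /etc/passwd line and its /etc/shadow line, which is the core of the "easy interface to add new network users" the lab asks for, and it refuses the two inputs that silently produce a bad directory entry: a system account (uidNumber below a cut-off, root included) and a locked or empty shadow hash, which is what yields the unusable "userPassword: {crypt}!!" seen in step (4e). The base DN dc=nad810,dc=com is from the lab; the 500 cut-off, the function names and the sample lines are assumptions.

```python
from typing import Optional

# Added helper, not from the page nor from PADL's migrate_passwd.pl: builds the
# posixAccount/shadowAccount entry of steps 4(d)-4(f) from passwd/shadow lines.
# The base DN comes from the lab; the uid cut-off of 500 is an assumption.


def _ldif_line(attr: str, value: str) -> str:
    # LDIF values that begin with space, ':' or '<', or contain non-ASCII or a
    # newline, must be base64-encoded with "attr:: ..."; refuse rather than emit
    # something slapd would misparse.
    if value[:1] in (" ", ":", "<") or not value.isascii() or "\n" in value:
        raise ValueError(f"{attr} value needs base64 LDIF encoding: {value!r}")
    return f"{attr}: {value}"


def passwd_to_ldif(passwd_line: str, shadow_line: Optional[str],
                   base_dn: str = "dc=nad810,dc=com", min_uid: int = 500) -> str:
    """Convert one /etc/passwd line (plus its /etc/shadow line) into an LDIF entry.

    Raises ValueError for system accounts (uidNumber < min_uid, so root needs
    min_uid=0 explicitly) and for accounts whose shadow hash is a lock marker
    such as '!!' or '*', since publishing those only creates unusable entries.
    """
    name, _, uid, gid, gecos, home, shell = passwd_line.rstrip("\n").split(":")
    if int(uid) < min_uid:
        raise ValueError(f"{name}: uidNumber {uid} is below {min_uid}; keep system accounts local")
    pw_hash = "!!"
    last_change, max_age, warn = "0", "99999", "7"
    if shadow_line:
        sf = shadow_line.rstrip("\n").split(":")
        if sf[0] != name:
            raise ValueError(f"shadow line is for {sf[0]!r}, not {name!r}")
        pw_hash = sf[1]
        last_change = sf[2] or last_change   # days since the epoch
        max_age = sf[4] or max_age
        warn = sf[5] or warn
    if not pw_hash or pw_hash.startswith(("!", "*")):
        raise ValueError(f"{name}: account is locked or has no password; run passwd first")
    lines = [
        _ldif_line("dn", f"uid={name},ou=People,{base_dn}"),
        _ldif_line("uid", name),
        _ldif_line("cn", name),
        "objectClass: account",
        "objectClass: posixAccount",
        "objectClass: top",
        "objectClass: shadowAccount",
        _ldif_line("userPassword", "{crypt}" + pw_hash),
        _ldif_line("shadowLastChange", last_change),
        _ldif_line("shadowMax", max_age),
        _ldif_line("shadowWarning", warn),
        _ldif_line("loginShell", shell),
        _ldif_line("uidNumber", uid),
        _ldif_line("gidNumber", gid),
        _ldif_line("homeDirectory", home),
    ]
    if gecos:
        lines.append(_ldif_line("gecos", gecos))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample lines (not copied from a real system).
    passwd = "ldapuser:x:501:100::/home/ldapuser:/bin/bash"
    shadow = "ldapuser:$1$3gRCMQww$8OCADPFZLjFr6DiFUi8Nn1:12821:0:99999:7:::"
    print(passwd_to_ldif(passwd, shadow), end="")
```

The output is the same attribute set as the page's ldif.ldapuser and can be fed straight to ldapadd with the rootdn bind from step (5). Reading /etc/shadow requires root, so whatever wraps this (a script, a sudo rule) should be the only thing that ever sees the hash; the directory ACL then decides who can read it afterwards.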
==Part 2 - Setup and configure OpenLDAP Client==
Required RPMS for LDAP client
* openldap
* openldap-clients
* openldap-devel (optional)
* nss_ldap
===OpenLDAP Client configuration===
====Edit the client configuration file /etc/ldap.conf====
This is the nss_ldap configuration file, which is distinct from /etc/openldap/ldap.conf used by the ldapsearch and ldapadd tools.
Find the line that starts with the word "host" and set the IP address to the appropriate value. Use 127.0.0.1 if the OpenLDAP server is running on your own machine, otherwise set it to the IP address of the OpenLDAP server.
Find the line that starts with the word "base" and set the context to your base directory. It must match the suffix configured in slapd.conf in Part 1; for the purpose of this lab, set it to
base dc=nad810,dc=com
====Edit the name service switch configuration file /etc/nsswitch.conf====
Enable LDAP lookups for user accounts: add ldap after files on the passwd, shadow and group lines (the sample file listed in Part 1 shows the exact lines). Keep files first, so that local accounts, root in particular, still resolve when the LDAP server is unreachable.
====Test your OpenLDAP client with the ldapsearch command====
ldapsearch -x 'uid=ldapuser'
With no -b or -h given, ldapsearch takes its BASE and HOST from /etc/openldap/ldap.conf, not from /etc/ldap.conf, so set them there as well (or pass -b and -h explicitly). The search should return the ldapuser entry. Then confirm that the name service switch itself resolves the account (getent passwd ldapuser), since that lookup path, not ldapsearch, is what login uses.
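The client-side test above binds anonymously, which makes it a convenient probe for the access-control problem noted in Part 1: whatever that search prints is what any unauthenticated host can read. The script below is an added example, not from the lab page: it parses the LDIF that ldapsearch prints (comments, folded lines and base64 "::" values included) and lists every entry that came back with a userPassword value. The sample output it ships with is constructed, not captured from a real server; it uses the ldapuser hash from step (4f) and the attribute name userPassword from the page, while the function names are assumptions.

```python
import base64
import sys
from typing import Dict, List, Tuple

# Added check, not from the page: parse ldapsearch output and report entries
# that returned a userPassword value. Pipe an anonymous search into it, e.g.
#   ldapsearch -x -b 'dc=nad810,dc=com' '(uid=*)' userPassword | python3 leakcheck.py
# A non-empty result means the directory hands hashes to unauthenticated clients.


def parse_ldif_entries(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: handles comments, folded lines and base64 values."""
    logical: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:      # continuation of previous line
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in logical + [""]:                  # trailing "" flushes the last entry
        if line == "":
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):                 # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    return entries


def leaked_password_hashes(ldif_text: str) -> List[Tuple[str, str]]:
    """(dn, userPassword) for every real entry in the output that carries one."""
    leaks: List[Tuple[str, str]] = []
    for entry in parse_ldif_entries(ldif_text):
        if "dn" not in entry:                    # "search:"/"result:" trailer block
            continue
        for value in entry.get("userpassword", []):
            leaks.append((entry["dn"][0], value))
    return leaks


# Constructed sample (not captured from a real server): what an anonymous
# search prints when slapd.conf has no access directive. ldapsearch always
# base64-encodes userPassword, hence the "::" form.
_HASH = "{crypt}$1$3gRCMQww$8OCADPFZLjFr6DiFUi8Nn1"
SAMPLE_ANON_SEARCH = "\n".join([
    "# extended LDIF",
    "#",
    "# LDAPv3",
    "# base <dc=nad810,dc=com> with scope subtree",
    "# filter: (uid=*)",
    "# requesting: userPassword",
    "#",
    "",
    "# ldapuser, People, nad810.com",
    "dn: uid=ldapuser,ou=People,dc=nad810,dc=com",
    "userPassword:: " + base64.b64encode(_HASH.encode("ascii")).decode("ascii"),
    "",
    "# search result",
    "search: 2",
    "result: 0 Success",
    "",
    "# numResponses: 2",
    "# numEntries: 1",
]) + "\n"


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_ANON_SEARCH
    leaks = leaked_password_hashes(text)
    for dn, value in leaks:
        print(f"LEAK {dn}: {value}")
    print("no userPassword values returned" if not leaks else f"{len(leaks)} entries expose hashes")
```

Once the access directive for attrs=userPassword is in place, rerun the anonymous search: the entries still come back, but without the userPassword lines, and the check reports nothing. Remember that the check only sees what the server chooses to return, so run it as an anonymous bind, not as the rootdn.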
= To Complete the Lab =
Document how to replace NIS with OpenLDAP and develop an easy interface to add new network users to the OpenLDAP server.
Due Date: March 10, 2009
[[Category:OpenLDAP]][[Category:NAD810]][[Category:OPS535]]