Difference between revisions of "NAD810 LDAP LAB"
(→OpenLDAP Server configuration details:) |
(→e. verify the contents of ldif.ldapuser) |
||
(28 intermediate revisions by 5 users not shown) | |||
Line 3: | Line 3: | ||
The OpenLDAP software package is an Open Source and Free implementation of the Lightweight Directory Access Protocol (LDAP). It is gaining wide acceptance as the directory access method of the Internet and also with corporate intranets. | The OpenLDAP software package is an Open Source and Free implementation of the Lightweight Directory Access Protocol (LDAP). It is gaining wide acceptance as the directory access method of the Internet and also with corporate intranets. | ||
− | In this lab, | + | In this lab, the instruction is for setting up an LDAP server with the base context of "dc=nad810,dc=com". Replace this with your own base context. After setting up the OpenLDAP server, you need to configure the LDAP clients to use the user account information stored in the LDAP server to perform user authenication on the client machine. You can use the OpenLDAP client/server to replace your NIS client/server for network user authentication. |
<b>Notes: OpenLDAP Use TCP port 389 for regular communication and port 636 for encrypted transactions</b> You need to have these ports opened on your firewall. | <b>Notes: OpenLDAP Use TCP port 389 for regular communication and port 636 for encrypted transactions</b> You need to have these ports opened on your firewall. | ||
Line 14: | Line 14: | ||
* openldap-servers | * openldap-servers | ||
* nss_ldap | * nss_ldap | ||
+ | * migrationtools | ||
− | + | ==OpenLDAP Server configuration Summary== | |
− | |||
− | |||
− | |||
#Create an OpenLDAP database | #Create an OpenLDAP database | ||
− | #Create an OpenLDAP “root” password and edit the OpenLDAP | + | #Create an OpenLDAP “root” password and edit the OpenLDAP database configuration file /etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif |
− | #Start the OpenLDAP server daemon | + | #Start the OpenLDAP server daemon - slapd.service |
− | #Create | + | #Create a base LDIF file for importing to the OpenLDAP database |
− | #Import | + | #Create a user account LDIF file for importing to the OpenLDAP database |
+ | #Import the LDIF files into the OpenLDAP database | ||
− | + | ==OpenLDAP Server configuration details:== | |
− | (1) Create | + | ===(1) Create/verify the directory for OpenLDAP database files=== |
+ | <pre> | ||
+ | mkdir /var/lib/ldap/ | ||
+ | chown ldap.ldap /var/lib/ldap | ||
+ | chmod 700 /var/lib/ldap | ||
+ | </pre> | ||
+ | The directory listing of /var/lib/ldap should be: | ||
+ | <pre> | ||
+ | [root@localhost cn=config]# ls -ldZ /var/lib/ldap | ||
+ | drwx------. ldap ldap system_u:object_r:slapd_db_t:s0 /var/lib/ldap | ||
+ | </pre> | ||
− | + | ===(2) Configure base content and root user "olcRootDN" and "olcRootPW" === | |
− | + | Configure the OpenLDAP “root” user and password by editing the OpenLDAP server's database configuration file “/etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif” | |
− | |||
− | + | Only the LDAP's “rootdn” user can create, import, and export data into a LDAP database. You can use the slappasswd command to create the password and put it in the LDAP server database configuration file mentioned above: | |
+ | <pre> | ||
− | + | slappasswd | |
− | |||
− | |||
− | New password: [ | + | New password: [secret] |
− | Re-enter new password: [ | + | Re-enter new password: [secret] |
− | {SSHA} | + | {SSHA}FavfvViq/edEw8x4TV6y7w1L2llXzZzz <-- Copy this to the olcDatabase={2}hdb.ldif file |
+ | </pre> | ||
− | Add/Modify the | + | Add/Modify the olcDatabase={2}hdb.ldif file to have the following: |
− | + | <pre> | |
− | + | olcSuffix: dc=nad810,dc=com | |
− | + | olcRootDN: cn=Manager,dc=nad810,dc=com | |
− | + | olcRootPW: {SSHA}FavfvViq/edEw8x4TV6y7w1L2llXzZzz | |
− | + | </pre> | |
− | + | Do not change other lines. | |
− | |||
− | |||
− | |||
− | |||
− | + | ===(3) Start the OpenLDAP server daemon slapd.service=== | |
+ | <pre> | ||
+ | systemctl start slapd.service | ||
+ | </pre> | ||
+ | To verify that the OpenLDAP server daemon is running and working, try the following query command: | ||
+ | <pre> | ||
ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts | ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts | ||
− | + | </pre> | |
You should get something similar to the following: | You should get something similar to the following: | ||
− | + | <pre> | |
# extended LDIF | # extended LDIF | ||
# | # | ||
Line 81: | Line 90: | ||
# numResponses: 2 | # numResponses: 2 | ||
# numEntries: 1 | # numEntries: 1 | ||
+ | </pre> | ||
− | + | ===(4)Create LDIF files for importing to the OpenLDAP database=== | |
− | (4)Create | + | ====create the base context LDIF file for the nad810.com domain==== |
− | + | Create a file called "ldif.base" and add the following lines: | |
− | + | <pre> | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
dn: dc=nad810,dc=com | dn: dc=nad810,dc=com | ||
dc: nad810 | dc: nad810 | ||
Line 155: | Line 107: | ||
description: All people in nad810 | description: All people in nad810 | ||
objectClass: organizationalUnit | objectClass: organizationalUnit | ||
+ | </pre> | ||
+ | (Make sure that you have a blank line before the 2nd "dn:" line) | ||
+ | ====a. add an user called “ldapuser” ==== | ||
+ | useradd -g users ldapuser | ||
+ | passwd ldapuser | ||
+ | |||
+ | ====b. extract the passwd entry for ldapuser === | ||
+ | Run the following command to extract the password entry from /etc/passwd to a file called "entry.ldapuser" to your current working directory: | ||
+ | <pre> | ||
+ | grep ldapuser /etc/passwd > entry.ldapuser | ||
+ | </pre> | ||
+ | ====c. Convert password entry to LDIF formation==== | ||
+ | Modify the migration tools configuration file to use our base context "dc=nad810,dc=com". | ||
+ | Back up the file /usr/share/migrationtools/migrate_common.ph and edit: | ||
+ | Line 71: $DEFAULT_MAIL_DOMAIN = "padl.com"; to "nad810.com" | ||
+ | Line 74: $DEFAULT_BASE = "dc=padl,dc=com"; to "dc=nad810,dc=com" | ||
+ | Line 90: $EXTENDED_SCHEMA = 0; to 1 | ||
+ | |||
+ | ====d. convert the entries for the "ldapuser" to LDIF format (ldif.ldapuser) ==== | ||
− | ( | + | (Note that "\" at the end of the line is used to tell the shell that |
+ | the next line as a continuation of the current line) | ||
− | + | /usr/share/openldap/migration/migrate_passwd.pl entry.ldapuser ldif.ldapuser | |
+ | |||
+ | ====e. verify the contents of ldif.ldapuser==== | ||
+ | <pre> | ||
+ | [root@localhost ~]# cat ldif.ldapuser | ||
+ | dn: uid=ldapuser,ou=People,dc=nad810,dc=com | ||
+ | uid: ldapuser | ||
+ | cn: ldapuser | ||
+ | sn: ldapuser | ||
+ | mail: ldapuser@nad810.com | ||
+ | objectClass: person | ||
+ | objectClass: organizationalPerson | ||
+ | objectClass: inetOrgPerson | ||
+ | objectClass: posixAccount | ||
+ | objectClass: top | ||
+ | objectClass: shadowAccount | ||
+ | userPassword: {crypt}$6$3/pjdd7S$9JiLgnXtnnO5y0ZTUXYW9mQXCA/ShjaxzjPUu3MhthGPkwQlmqIimGl8YQl3kLb4a15c81uGZ4vsXoBPFJbGl. | ||
+ | shadowLastChange: 16769 | ||
+ | shadowMin: 0 | ||
+ | shadowMax: 99999 | ||
+ | shadowWarning: 7 | ||
+ | loginShell: /bin/bash | ||
+ | uidNumber: 1001 | ||
+ | gidNumber: 100 | ||
+ | homeDirectory: /home/ldapuser | ||
+ | </pre> | ||
− | + | ===(5) Import LDIF files into the OpenLDAP database=== | |
− | |||
− | |||
+ | <pre> | ||
+ | ldapadd -x -D 'cn=Manager,dc=nad810,dc=com' -W -f /etc/openldap/ldif.base | ||
+ | ldapadd -x -D 'cn=Manager,dc=nad810,dc=com' -W -f /etc/openldap/ldif.ldapuser | ||
+ | </pre> | ||
To test the OpenLDAP database: | To test the OpenLDAP database: | ||
ldapsearch -x -b 'dc=nad810,dc=com' '(objectclass=*)' | ldapsearch -x -b 'dc=nad810,dc=com' '(objectclass=*)' | ||
+ | |||
+ | ===(6) Use the sample database configure file === | ||
+ | cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG | ||
+ | systemctl restart slapd.service | ||
==Part 2 - Setup and configure OpenLDAP Client== | ==Part 2 - Setup and configure OpenLDAP Client== | ||
Line 179: | Line 182: | ||
====Edit the client configuration file /etc/ldap.conf==== | ====Edit the client configuration file /etc/ldap.conf==== | ||
− | Find the line starts with the word "host" and set the IP address to the appropriate value | + | 1.- Find the line starts with the word "'''host'''" and set the IP address to the appropriate value -> Use 127.0.0.1 if the OpenLDAP server is running on your own machine, otherwise set it to the IP address of the OpenLDAP server. |
− | Find the line starts with the word "base" and set the context to your base directory | + | 2.- Find the line starts with the word "'''base'''" and set the context to your base directory -> For the purpose of this lab, set it to: |
− | base dc= | + | base dc=nad810,dc=com |
+ | |||
+ | 3.- Find the line starting with "'''uri ldap://'''", if your client is the same machine than your server, leave 127.0.0.1, otherwise set it to the IP of the OpenLDAP server. | ||
+ | |||
+ | Note: The lines "'''base'''" and "'''uri ldap://'''" should be set in '''/etc/openldap/ldap.conf''' file as well. | ||
====Edit the name service switch configuration file /etc/nsswitch.conf==== | ====Edit the name service switch configuration file /etc/nsswitch.conf==== | ||
Enable LDAP for user authentication. | Enable LDAP for user authentication. | ||
+ | |||
+ | NesTutorial for Dummy.. | ||
+ | and now, config ldap client in GUI mode, lets do this.. | ||
+ | authconfig-tui | ||
====Test your OpenLDAP client with the ldapsearch command==== | ====Test your OpenLDAP client with the ldapsearch command==== | ||
ldapsearch -x 'uid=ldapuser' | ldapsearch -x 'uid=ldapuser' | ||
− | |||
= To Complete the Lab = | = To Complete the Lab = | ||
− | Document how to replace NIS with OpenLDAP and develop an | + | Document how to replace NIS with OpenLDAP and develop an interface to add new network users to the OpenLDAP server. |
Due Date: March 10, 2009 | Due Date: March 10, 2009 | ||
[[Category:OpenLDAP]][[Category:NAD810]][[Category:OPS535]] | [[Category:OpenLDAP]][[Category:NAD810]][[Category:OPS535]] |
Latest revision as of 16:24, 16 November 2016
Contents
- 1 LDAP server using OpenLDAP
- 1.1 Part 1 - OpenLDAP server setup and configuration
- 1.2 OpenLDAP Server configuration Summary
- 1.3 OpenLDAP Server configuration details:
- 1.3.1 (1) Create/verify the directory for OpenLDAP database files
- 1.3.2 (2) Configure base content and root user "olcRootDN" and "olcRootPW"
- 1.3.3 (3) Start the OpenLDAP server daemon slapd.service
- 1.3.4 (4)Create LDIF files for importing to the OpenLDAP database
- 1.3.5 =b. extract the passwd entry for ldapuser
- 1.3.6 (5) Import LDIF files into the OpenLDAP database
- 1.3.7 (6) Use the sample database configure file
- 1.4 Part 2 - Setup and configure OpenLDAP Client
- 2 To Complete the Lab
LDAP server using OpenLDAP
The OpenLDAP software package is an Open Source and Free implementation of the Lightweight Directory Access Protocol (LDAP). It is gaining wide acceptance as the directory access method of the Internet and also with corporate intranets.
In this lab, the instruction is for setting up an LDAP server with the base context of "dc=nad810,dc=com". Replace this with your own base context. After setting up the OpenLDAP server, you need to configure the LDAP clients to use the user account information stored in the LDAP server to perform user authenication on the client machine. You can use the OpenLDAP client/server to replace your NIS client/server for network user authentication.
Notes: OpenLDAP Use TCP port 389 for regular communication and port 636 for encrypted transactions You need to have these ports opened on your firewall.
Part 1 - OpenLDAP server setup and configuration
Required RPMS for the OpenLDAP server
- openldap
- openldap-clients (for testing the server)
- openldap-devel (optional)
- openldap-servers
- nss_ldap
- migrationtools
OpenLDAP Server configuration Summary
- Create an OpenLDAP database
- Create an OpenLDAP “root” password and edit the OpenLDAP database configuration file /etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif
- Start the OpenLDAP server daemon - slapd.service
- Create a base LDIF file for importing to the OpenLDAP database
- Create a user account LDIF file for importing to the OpenLDAP database
- Import the LDIF files into the OpenLDAP database
OpenLDAP Server configuration details:
(1) Create/verify the directory for OpenLDAP database files
mkdir /var/lib/ldap/ chown ldap.ldap /var/lib/ldap chmod 700 /var/lib/ldap
The directory listing of /var/lib/ldap should be:
[root@localhost cn=config]# ls -ldZ /var/lib/ldap drwx------. ldap ldap system_u:object_r:slapd_db_t:s0 /var/lib/ldap
(2) Configure base content and root user "olcRootDN" and "olcRootPW"
Configure the OpenLDAP “root” user and password by editing the OpenLDAP server's database configuration file “/etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif”
Only the LDAP's “rootdn” user can create, import, and export data into a LDAP database. You can use the slappasswd command to create the password and put it in the LDAP server database configuration file mentioned above:
slappasswd New password: [secret] Re-enter new password: [secret] {SSHA}FavfvViq/edEw8x4TV6y7w1L2llXzZzz <-- Copy this to the olcDatabase={2}hdb.ldif file
Add/Modify the olcDatabase={2}hdb.ldif file to have the following:
olcSuffix: dc=nad810,dc=com olcRootDN: cn=Manager,dc=nad810,dc=com olcRootPW: {SSHA}FavfvViq/edEw8x4TV6y7w1L2llXzZzz
Do not change other lines.
(3) Start the OpenLDAP server daemon slapd.service
systemctl start slapd.service
To verify that the OpenLDAP server daemon is running and working, try the following query command:
ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
You should get something similar to the following:
# extended LDIF # # LDAPv3 # base <> with scope baseObject # filter: (objectclass=*) # requesting: namingContexts # # dn: namingContexts: dc=nad810,dc=com # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1
(4)Create LDIF files for importing to the OpenLDAP database
create the base context LDIF file for the nad810.com domain
Create a file called "ldif.base" and add the following lines:
dn: dc=nad810,dc=com dc: nad810 description: root LDAP entry for nad810 objectClass: dcObject objectClass: organizationalUnit ou: rootobject dn: ou=People, dc=nad810, dc=com ou: People description: All people in nad810 objectClass: organizationalUnit
(Make sure that you have a blank line before the 2nd "dn:" line)
a. add an user called “ldapuser”
useradd -g users ldapuser passwd ldapuser
=b. extract the passwd entry for ldapuser
Run the following command to extract the password entry from /etc/passwd to a file called "entry.ldapuser" to your current working directory:
grep ldapuser /etc/passwd > entry.ldapuser
c. Convert password entry to LDIF formation
Modify the migration tools configuration file to use our base context "dc=nad810,dc=com".
Back up the file /usr/share/migrationtools/migrate_common.ph and edit: Line 71: $DEFAULT_MAIL_DOMAIN = "padl.com"; to "nad810.com" Line 74: $DEFAULT_BASE = "dc=padl,dc=com"; to "dc=nad810,dc=com" Line 90: $EXTENDED_SCHEMA = 0; to 1
d. convert the entries for the "ldapuser" to LDIF format (ldif.ldapuser)
(Note that "\" at the end of the line is used to tell the shell that the next line as a continuation of the current line)
/usr/share/openldap/migration/migrate_passwd.pl entry.ldapuser ldif.ldapuser
e. verify the contents of ldif.ldapuser
[root@localhost ~]# cat ldif.ldapuser dn: uid=ldapuser,ou=People,dc=nad810,dc=com uid: ldapuser cn: ldapuser sn: ldapuser mail: ldapuser@nad810.com objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson objectClass: posixAccount objectClass: top objectClass: shadowAccount userPassword: {crypt}$6$3/pjdd7S$9JiLgnXtnnO5y0ZTUXYW9mQXCA/ShjaxzjPUu3MhthGPkwQlmqIimGl8YQl3kLb4a15c81uGZ4vsXoBPFJbGl. shadowLastChange: 16769 shadowMin: 0 shadowMax: 99999 shadowWarning: 7 loginShell: /bin/bash uidNumber: 1001 gidNumber: 100 homeDirectory: /home/ldapuser
(5) Import LDIF files into the OpenLDAP database
ldapadd -x -D 'cn=Manager,dc=nad810,dc=com' -W -f /etc/openldap/ldif.base ldapadd -x -D 'cn=Manager,dc=nad810,dc=com' -W -f /etc/openldap/ldif.ldapuser
To test the OpenLDAP database:
ldapsearch -x -b 'dc=nad810,dc=com' '(objectclass=*)'
(6) Use the sample database configure file
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG systemctl restart slapd.service
Part 2 - Setup and configure OpenLDAP Client
Required RPMS for LDAP client
- openldap
- openldap-clients
- openldap-devel (optional)
- nss_ldap
OpenLDAP Client configuration
Edit the client configuration file /etc/ldap.conf
1.- Find the line starts with the word "host" and set the IP address to the appropriate value -> Use 127.0.0.1 if the OpenLDAP server is running on your own machine, otherwise set it to the IP address of the OpenLDAP server.
2.- Find the line starts with the word "base" and set the context to your base directory -> For the purpose of this lab, set it to: base dc=nad810,dc=com
3.- Find the line starting with "uri ldap://", if your client is the same machine than your server, leave 127.0.0.1, otherwise set it to the IP of the OpenLDAP server.
Note: The lines "base" and "uri ldap://" should be set in /etc/openldap/ldap.conf file as well.
Edit the name service switch configuration file /etc/nsswitch.conf
Enable LDAP for user authentication.
NesTutorial for Dummy.. and now, config ldap client in GUI mode, lets do this..
authconfig-tui
Test your OpenLDAP client with the ldapsearch command
ldapsearch -x 'uid=ldapuser'
To Complete the Lab
Document how to replace NIS with OpenLDAP and develop an interface to add new network users to the OpenLDAP server. Due Date: March 10, 2009