CDOT Wiki β

Changes

Open LDAP

6,020 bytes added, 08:49, 23 February 2016
Created page with 'OpenLDAP The OpenLDAP software package is an Open Source and Free implementation of the Lightweight Directory Access Protocol (LDAP). It is gaining wide acceptance as the directo…'
OpenLDAP
The OpenLDAP software package is an Open Source and Free implementation of the Lightweight Directory Access Protocol (LDAP). It is gaining wide acceptance as the directory access method of the Internet and also with corporate intranets.

In this lab, you set up and configure an OpenLDAP server and clients to provide a network user authentication service. You can then use the OpenLDAP client/server to replace your NIS client/server for network user authentication.

Note: OpenLDAP uses TCP port 389 for regular communication and port 636 for encrypted transactions.

Part 1 - OpenLDAP server setup and configuration on CentOS 7
Install the following packages required for the OpenLDAP server on centos2

openldap
openldap-clients
openldap-devel
openldap-servers
nss_ldap
migrationtools
Reference:

Text Book Chapter 17 - OpenLDAP
Documentation: file:///usr/share/doc/openldap-servers-2.3.27/guide.html
Sample nsswitch configuration file for LDAP: /usr/share/doc/nss_ldap-220/nsswitch_ldap

OpenLDAP Server configuration Summary overview

Create an OpenLDAP database

Create an OpenLDAP “root” password and edit the OpenLDAP main configuration file /etc/openldap/slapd.conf

Start the OpenLDAP server daemon

Create an LDIF file for importing to the OpenLDAP database

Import an LDIF file into the OpenLDAP database

OpenLDAP Server configuration details:

*** Complete this step on centos2 ***

Only the LDAP “rootdn” user can create, import, and export data in an LDAP database. You can use the slappasswd command to create a password hash and use it in the LDAP configuration file:
slappasswd

New password: [enterpassword]

Re-enter new password: [enterpassword]

{SSHA}3NVLOWwqIMka3OyIYLyGrrkirD0pU0Qx <-- Copy this into the configuration file as outlined below. This is sample output only; copy what your own command prints.

Modify the configuration file (/etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif). Specifically the following lines need to be added/changed to show as:

olcSuffix: dc=learnid,dc=org

olcRootDN: cn=Manager,dc=learnid,dc=org

olcRootPW: {SSHA}3NVLOWwqIMka3OyIYLyGrrkirD0pU0Qx

olcDbDirectory: /var/lib/ldap {only if this doesn't exist}


Modify the configuration file (/etc/openldap/slapd.d/cn=config/olcDatabase={0}config.ldif). Add a password entry only using YOUR output from the slappasswd command:

olcRootPW: {SSHA}3NVLOWwqIMka3OyIYLyGrrkirD0pU0Qx

Start the OpenLDAP server daemon and enable it to start on boot
sudo systemctl start slapd

sudo systemctl enable slapd
To verify that the service is working, try the following query command:

ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts

Create an LDIF file for importing to the OpenLDAP database
a. add a user called “ldapuser”

useradd -g users ldapuser
passwd ldapuser

b. extract the passwd entry of ldapuser from /etc/passwd to a file called "entry.ldapuser"

grep -w ldapuser /etc/passwd > /etc/openldap/entry.ldapuser

c. extract the passwd entry of root from /etc/passwd to a file called "entry.root"

grep -w root /etc/passwd > /etc/openldap/entry.root

d. Before running the migration script, edit the file “migrate_common.ph” in /usr/share/migrationtools and change the following lines to match your base domain. If you don't change these, the migration script will use the default values which are "padl.com", "dc=padl,dc=com".

Default DNS domain

$DEFAULT_MAIL_DOMAIN = "learnid.org";

Default base

$DEFAULT_BASE = "dc=learnid,dc=org";

e. Convert the entries for ldapuser and root to the LDIF format (ldif.ldapuser and ldif.root)

(Note that "\" is used to tell the shell the next line as a continuation of the current line)

For ldapuser:
/usr/share/migrationtools/migrate_passwd.pl \
    /etc/openldap/entry.ldapuser /etc/openldap/ldif.ldapuser

For root:
/usr/share/migrationtools/migrate_passwd.pl \
    /etc/openldap/entry.root /etc/openldap/ldif.root

f. create an LDIF file (in /etc/openldap) for your domain (ldif.learnid.org)

dn: dc=learnid,dc=org
dc: learnid
description: root LDAP entry for learnid
objectClass: dcObject
objectClass: organizationalUnit
ou: rootobject

g. create an LDIF file (in /etc/openldap) for the container People (ldif.people)

dn: ou=People, dc=learnid, dc=org
ou: People
description: All people in learnid
objectClass: organizationalUnit
Before importing the user LDIF files, the required schemas must be imported with the following commands:
ldapadd -D "cn=config" -W -H ldapi:// -f /etc/openldap/schema/cosine.ldif

ldapadd -D "cn=config" -W -H ldapi:// -f /etc/openldap/schema/nis.ldif
Import LDIF files into the OpenLDAP database

ldapadd -x -D "cn=Manager,dc=learnid,dc=org" -W -f /etc/openldap/ldif.learnid.org

ldapadd -x -D "cn=Manager,dc=learnid,dc=org" -W -f /etc/openldap/ldif.root

ldapadd -x -D "cn=Manager,dc=learnid,dc=org" -W -f /etc/openldap/ldif.ldapuser

To test the OpenLDAP database:

ldapsearch -x -b 'dc=learnid,dc=org' '(objectclass=*)'
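
An added example, not the lab's own code: a POSIX shell function that rebuilds the posixAccount LDIF entry the migrate_passwd.pl step emits for one /etc/passwd line, so the record can be inspected before it is handed to ldapadd, plus a check that flags an LDIF file carrying password hashes. The attribute set approximates the tool's output; the sample passwd line, base DN and hash are constructed.

```shell
#!/bin/sh
# Added example, not the lab's own code: rebuild the posixAccount entry that the
# migrate_passwd.pl step emits for one /etc/passwd line so the record can be read
# before it is handed to ldapadd.  The attribute set approximates the tool's
# output; the sample line, base DN and hash below are constructed.
#
# usage: passwd_to_ldif '<passwd line>' '<base dn>' ['<crypt hash from /etc/shadow>']
passwd_to_ldif() {
    base=$2
    hash=$3
    # split the seven colon-separated passwd fields
    IFS=: read -r user pw uid gid gecos home shell <<EOF
$1
EOF
    # cn comes from GECOS up to the first comma, falling back to the login name
    cn=${gecos%%,*}
    cn=${cn:-$user}
    printf 'dn: uid=%s,ou=People,%s\n' "$user" "$base"
    printf 'uid: %s\ncn: %s\n' "$user" "$cn"
    # account is defined in cosine.ldif, posixAccount/shadowAccount in nis.ldif:
    # this is why both schemas are loaded before the import
    printf 'objectClass: account\nobjectClass: posixAccount\nobjectClass: top\n'
    printf 'loginShell: %s\nuidNumber: %s\ngidNumber: %s\nhomeDirectory: %s\n' \
        "$shell" "$uid" "$gid" "$home"
    if [ -n "$hash" ]; then
        # the /etc/shadow hash is carried into the directory as a {crypt} value,
        # so the LDIF file needs the same protection as /etc/shadow
        printf 'objectClass: shadowAccount\nuserPassword: {crypt}%s\n' "$hash"
    fi
    printf '\n'
}

# exit status 0 when an LDIF file (or - for stdin) carries password hashes
ldif_has_secrets() {
    grep -q '^userPassword:' "$1"
}

# constructed sample: what `grep -w ldapuser /etc/passwd` might return
SAMPLE='ldapuser:x:1001:100:LDAP Lab User,,,:/home/ldapuser:/bin/bash'
SAMPLE_HASH='$6$constructedsalt$notarealhash'

passwd_to_ldif "$SAMPLE" 'dc=learnid,dc=org' "$SAMPLE_HASH"
passwd_to_ldif "$SAMPLE" 'dc=learnid,dc=org' "$SAMPLE_HASH" | ldif_has_secrets - \
    && echo 'ldif carries password hashes: keep it mode 0600 and delete it after import'
```
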
Part 2 - Set up and configure the OpenLDAP client *** to be completed on centos3 ***

Required RPMS for LDAP client

openldap
openldap-clients
nss_ldap
nss-pam-ldapd
OpenLDAP Client configuration

If you would like to actually log into the client machines as an ldap user, you need to reconfigure the way the system authentication processes your login. Use the “authconfig-tui” tool on the client machine.

*** Note: the ldap user does not have a home directory on the client unless you provide it via NFS. ***

1. Configure the name service switch configuration file (/etc/nsswitch.conf) to use ldap for authentication:

passwd: files sss ldap
shadow: files sss ldap
group: files sss ldap

2. Edit the ldap configuration file to set up client configuration (/etc/openldap/ldap.conf):

BASE dc=learnid,dc=org

To complete the lab, show the output of the "ldapsearch" command to your instructor or lab assistant.

ldapsearch -x -b 'dc=learnid,dc=org' -h ip-of-your-ldap-server 'uid=ldapuser'