LDAP: Configure an LDAP directory service for user connection.


Follow the instructions very precisely: LDAP syntax is cumbersome (case sensitive, significant spaces, etc.) and prone to errors (dn/dc/cn are easily confused).
Let's assume that we use the example.com domain and the instructor.example.com hostname.

Install the following packages:

# yum install -y openldap openldap-servers migrationtools

Generate an LDAP password hash from a secret (here redhat) and store it in a file:

# slappasswd -s redhat -n > /etc/openldap/passwd

Generate a self-signed X.509 certificate valid for 365 days (answer the prompts; the Common Name is the server hostname):

# openssl req -new -x509 -nodes -out /etc/openldap/certs/cert.pem -keyout /etc/openldap/certs/priv.pem -days 365
Generating a 2048 bit RSA private key
.....+++
..............+++
writing new private key to '/etc/openldap/certs/priv.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:instructor.example.com
Email Address []:

Secure the content of the /etc/openldap/certs directory:

# cd /etc/openldap/certs
# chown ldap:ldap *
# chmod 600 priv.pem

Prepare the LDAP database:

# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

Start the configuration of the LDAP server:

# cd /etc/openldap/slapd.d/cn=config

Edit the olcDatabase={2}bdb.ldif file and set the following attributes (replace the existing values or add the missing lines):

olcSuffix: dc=example,dc=com
olcRootDN: cn=Manager,dc=example,dc=com
olcRootPW: <the hash generated earlier, i.e. the content of /etc/openldap/passwd>
olcTLSCertificateFile: /etc/openldap/certs/cert.pem
olcTLSCertificateKeyFile: /etc/openldap/certs/priv.pem
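Two checks a practitioner would run before starting slapd, given as an added example that is not part of the original page: the first confirms that the olcRootPW attribute in a given LDIF file holds a {SCHEME}hash as written by slappasswd rather than the clear-text secret, the second that the private key secured above is mode 600. Both functions take a file path; the self-demo at the bottom runs them on constructed files in a temporary directory, so none of the page's real paths is touched.

```shell
#!/bin/sh
# Added example (not from the page): sanity checks for the olcRootPW value
# and the TLS private key permissions. For the real files, run e.g.
#   check_rootpw '/etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif'
#   check_key_perms /etc/openldap/certs/priv.pem

# check_rootpw FILE: return 0 when olcRootPW holds a "{SCHEME}hash" value
# (what slappasswd writes to /etc/openldap/passwd), 1 when it is missing
# or looks like a clear-text password.
check_rootpw() {
    value=$(sed -n 's/^olcRootPW: *//p' "$1" | head -n 1)
    case "$value" in
        "")
            echo "$1: olcRootPW is missing"; return 1 ;;
        "{"*"}"*)
            scheme=$(printf '%s' "$value" | sed 's/}.*/}/')
            echo "$1: olcRootPW is hashed with scheme $scheme"; return 0 ;;
        *)
            echo "$1: olcRootPW looks like clear text"; return 1 ;;
    esac
}

# check_key_perms FILE: return 0 when FILE is readable and writable by its
# owner only (-rw-------, i.e. chmod 600), 1 otherwise.
check_key_perms() {
    mode=$(ls -l "$1" | cut -c1-10)
    if [ "$mode" = "-rw-------" ]; then
        echo "$1: mode $mode ok"; return 0
    fi
    echo "$1: mode $mode, expected -rw-------"; return 1
}

# Self-demo on constructed files in a temporary directory (not the real config).
demo_dir=$(mktemp -d)
printf 'olcSuffix: dc=example,dc=com\nolcRootPW: {SSHA}constructedHashValueOnly\n' > "$demo_dir/good.ldif"
printf 'olcSuffix: dc=example,dc=com\nolcRootPW: redhat\n' > "$demo_dir/bad.ldif"
check_rootpw "$demo_dir/good.ldif"
check_rootpw "$demo_dir/bad.ldif"
touch "$demo_dir/priv.pem"; chmod 600 "$demo_dir/priv.pem"
check_key_perms "$demo_dir/priv.pem"
rm -rf "$demo_dir"
```

Both functions return a non-zero status on failure, so they can be chained with `&&` in front of `service slapd start`.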

Edit the olcDatabase={1}monitor.ldif file and set the olcAccess attribute to the following value:

olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=example,dc=com" read by * none

Edit the /etc/sysconfig/ldap file and change the following option from 'no' to 'yes':

SLAPD_LDAPS=yes

Check the LDAP configuration (there should be no error message):

# slaptest -u

Generate database files (don’t worry about error messages!):

# slaptest

Change LDAP database ownership:

# chown ldap:ldap /var/lib/ldap/*

Activate the slapd service at boot:

# chkconfig slapd on

Start the slapd service:

# service slapd start

Check that slapd is listening (both the ldap and ldaps ports should appear):

# netstat -lt | grep ldap

Create the /etc/openldap/base.ldif file with the following content:

dn: dc=example,dc=com
dc: example
objectClass: top
objectClass: domain

dn: ou=People,dc=example,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=example,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit

Build the structure of the directory service:

# ldapadd -x -w redhat -D cn=Manager,dc=example,dc=com -f /etc/openldap/base.ldif

Create two users for testing:

# mkdir /home/guests
# useradd -d /home/guests/ldapuser01 ldapuser01
# passwd ldapuser01
# useradd -d /home/guests/ldapuser02 ldapuser02
# passwd ldapuser02

Go to the directory for the migration of the user accounts:

# cd /usr/share/migrationtools

Edit the migrate_common.ph file and set the following two variables:

$DEFAULT_MAIL_DOMAIN = "example.com";
$DEFAULT_BASE = "dc=example,dc=com";

Create the current users in the directory service:

# grep ":5[0-9][0-9]" /etc/passwd > passwd
# ./migrate_passwd.pl passwd users.ldif
# ldapadd -x -w redhat -D cn=Manager,dc=example,dc=com -f users.ldif
# grep ":5[0-9][0-9]" /etc/group > group
# ./migrate_group.pl group groups.ldif
# ldapadd -x -w redhat -D cn=Manager,dc=example,dc=com -f groups.ldif
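The two migrate_*.pl calls above turn passwd and group lines into LDIF entries under ou=People and ou=Group. As an added example that is not the migrationtools scripts themselves (and simplified: it reads no /etc/shadow, so no userPassword attribute is emitted), here is the same transformation written in awk and applied to constructed passwd and group lines. It keeps only the 500-599 UID/GID range that the grep commands select and uses the page's dc=example,dc=com base.

```shell
#!/bin/sh
# Added example (not from the page): passwd/group lines -> LDIF, the shape
# migrate_passwd.pl and migrate_group.pl produce. Real use:
#   passwd_to_ldif < passwd > users.ldif ; group_to_ldif < group > groups.ldif

BASE_DN='dc=example,dc=com'

# Constructed sample lines (not a real system's files).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
ldapuser01:x:500:500::/home/guests/ldapuser01:/bin/bash
ldapuser02:x:501:501:Second guest:/home/guests/ldapuser02:/bin/bash
nobody:x:99:99:Nobody:/:/sbin/nologin'

SAMPLE_GROUP='wheel:x:10:ldapuser01
ldapuser01:x:500:
ldapuser02:x:501:
guests:x:510:ldapuser01,ldapuser02'

# passwd_to_ldif: read passwd-format lines on stdin, emit one posixAccount
# entry per user whose UID is in 500..599; cn falls back to the login name
# when the GECOS field is empty.
passwd_to_ldif() {
    awk -F: -v base="$BASE_DN" '
    $3 >= 500 && $3 <= 599 {
        cn = ($5 == "") ? $1 : $5
        printf "dn: uid=%s,ou=People,%s\n", $1, base
        printf "uid: %s\n", $1
        printf "cn: %s\n", cn
        printf "objectClass: top\n"
        printf "objectClass: account\n"
        printf "objectClass: posixAccount\n"
        printf "uidNumber: %s\n", $3
        printf "gidNumber: %s\n", $4
        printf "homeDirectory: %s\n", $6
        printf "loginShell: %s\n\n", $7
    }'
}

# group_to_ldif: read group-format lines on stdin, emit one posixGroup entry
# per group whose GID is in 500..599, with one memberUid per listed member.
group_to_ldif() {
    awk -F: -v base="$BASE_DN" '
    $3 >= 500 && $3 <= 599 {
        printf "dn: cn=%s,ou=Group,%s\n", $1, base
        printf "cn: %s\n", $1
        printf "objectClass: top\n"
        printf "objectClass: posixGroup\n"
        printf "gidNumber: %s\n", $3
        n = split($4, members, ",")
        for (i = 1; i <= n; i++) if (members[i] != "") printf "memberUid: %s\n", members[i]
        printf "\n"
    }'
}

# Demo on the constructed samples.
printf '%s\n' "$SAMPLE_PASSWD" | passwd_to_ldif
printf '%s\n' "$SAMPLE_GROUP" | group_to_ldif
```

The output can be fed to the same `ldapadd -x -w redhat -D cn=Manager,dc=example,dc=com -f ...` command as the page's users.ldif and groups.ldif; since these entries carry no userPassword, an LDAP password would still have to be set afterwards (ldappasswd), which is the part migrate_passwd.pl covers by reading /etc/shadow.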

Test the configuration with the user called ldapuser01:

# ldapsearch -x cn=ldapuser01 -b dc=example,dc=com

Add two new rules to the firewall:

# iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT
# iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 636 -j ACCEPT

Save the firewall configuration:

# service iptables save

Edit the /etc/rsyslog.conf file and add the following line:

local4.* /var/log/ldap.log

Edit the /etc/openldap/slapd.d/cn=config.ldif file and add the following line among the other olc* attributes of the cn=config entry:

olcLogLevel: -1

Restart the rsyslog service:

# service rsyslog restart
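With olcLogLevel -1 and the rsyslog rule above, every connection, bind and result lands in /var/log/ldap.log, which makes that file the place to look for repeated failed simple binds (a RESULT line with err=49 is LDAP invalidCredentials). The following is an added example, not from the page: it parses a few constructed stats-format lines, joins each RESULT to the client IP of its conn= id, and reports the (client IP, bind DN) pairs with at least N failures. For real use, feed it /var/log/ldap.log.

```shell
#!/bin/sh
# Added example (not from the page): summarise failed simple binds from
# slapd stats-style log lines. Real use: failed_binds 3 < /var/log/ldap.log

# Constructed sample lines (not captured from a real server): one client makes
# three wrong-password binds as ldapuser01, another binds successfully.
SAMPLE_LOG='Jan 22 10:15:01 instructor slapd[1234]: conn=1001 fd=12 ACCEPT from IP=192.168.1.50:45678 (IP=0.0.0.0:389)
Jan 22 10:15:01 instructor slapd[1234]: conn=1001 op=0 BIND dn="uid=ldapuser01,ou=People,dc=example,dc=com" method=128
Jan 22 10:15:01 instructor slapd[1234]: conn=1001 op=0 RESULT tag=97 err=49 text=
Jan 22 10:15:02 instructor slapd[1234]: conn=1001 op=1 BIND dn="uid=ldapuser01,ou=People,dc=example,dc=com" method=128
Jan 22 10:15:02 instructor slapd[1234]: conn=1001 op=1 RESULT tag=97 err=49 text=
Jan 22 10:15:03 instructor slapd[1234]: conn=1001 op=2 BIND dn="uid=ldapuser01,ou=People,dc=example,dc=com" method=128
Jan 22 10:15:03 instructor slapd[1234]: conn=1001 op=2 RESULT tag=97 err=49 text=
Jan 22 10:16:00 instructor slapd[1234]: conn=1002 fd=13 ACCEPT from IP=192.168.1.51:50001 (IP=0.0.0.0:389)
Jan 22 10:16:00 instructor slapd[1234]: conn=1002 op=0 BIND dn="uid=ldapuser02,ou=People,dc=example,dc=com" method=128
Jan 22 10:16:00 instructor slapd[1234]: conn=1002 op=0 RESULT tag=97 err=0 text='

# failed_binds [THRESHOLD]: read log lines on stdin and print
# "<failures> <client ip> <bind dn>" for every pair that reached THRESHOLD
# (default 3) bind results with err=49 (invalidCredentials).
failed_binds() {
    awk -v threshold="${1:-3}" '
    # value of the first token starting with prefix (e.g. "conn=" -> "1001")
    function field(prefix,   i) {
        for (i = 1; i <= NF; i++)
            if (index($i, prefix) == 1) return substr($i, length(prefix) + 1)
        return ""
    }
    /ACCEPT from IP=/ {                 # remember conn id -> client IP (port stripped)
        ip = field("IP="); sub(/:[0-9]+$/, "", ip)
        ipof[field("conn=")] = ip
    }
    / BIND dn=/ {                       # remember conn id -> DN being bound
        if (match($0, /dn="[^"]*"/))
            dnof[field("conn=")] = substr($0, RSTART + 4, RLENGTH - 5)
    }
    / RESULT tag=97 err=49 / {          # tag=97 is a BindResponse
        fails[ipof[field("conn=")] " " dnof[field("conn=")]]++
    }
    END { for (k in fails) if (fails[k] >= threshold) print fails[k], k }'
}

printf '%s\n' "$SAMPLE_LOG" | failed_binds 3
```

olcLogLevel -1 means "any" and fills the log quickly; once the setup works, olcLogLevel stats (256) still produces the ACCEPT, BIND and RESULT lines this script relies on.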

In addition, Ramdev’s blog provides interesting information (configuration, troubleshooting, etc) on this topic.



8 Comments on "LDAP: Configure a LDAP directory service for user connection."

suave (Guest):

Isn't there a mistake in the step:
Generate database files (don't worry about error messages!):
# slaptest
Shouldn't it be like this?:
# slapadd [ switches arguments ]

gigtom (Member):

At the point where I need to build the structure of the directory service, I get the message: base.ldif: no such file or directory. Any advice?

dss1821 (Member):

Getting error:
54c055c1 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif"
54c055c1 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif"

Not sure what's causing it or how to correct it.

ronnie (Member):

Thanks for the guide, managed to get my LDAP up, however no luck creating new users besides the 2 test users created originally, any guide on that?

ronnie (Member):

Managed to add user after trying, thanks!
