RHEL7: Configure a LDAP directory service for user connection.

Share this link

Presentation of LDAP

LDAP stands for Lightweight Directory Access Protocol. It’s an open protocol for accessing and maintaining distributed directory information services over an IP network (source wikipedia).

Here it is used to facilitate user account administration. Instead of storing user accounts locally on each server, the LDAP directory stores them globally and makes them available to a group of servers.

This tutorial doesn’t explain how to set up the Automounter and the NFS services. It has been tested for RHEL 7.0, RHEL 7.1 and RHEL 7.2 (non-patched versions).

During this tutorial, try to follow the instructions very precisely because LDAP syntax is sometimes cumbersome (case sensitive, space, etc) and prone to errors (dn/dc/cn).

Let’s assume that we use the example.com domain and the instructor.example.com hostname (this hostname should be resolved either by the /etc/hosts file or by DNS).

Installation Procedure

Install the following packages:

# yum install -y openldap openldap-clients openldap-servers migrationtools

Generate a LDAP password from a secret key (here redhat):

# slappasswd -s redhat -n > /etc/openldap/passwd

Generate a X509 certificate valid for 365 days:

# openssl req -new -x509 -nodes -out /etc/openldap/certs/cert.pem \
-keyout /etc/openldap/certs/priv.pem -days 365
Generating a 2048 bit RSA private key
.....+++
..............+++
writing new private key to '/etc/openldap/certs/priv.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:instructor.example.com
Email Address []:

Secure the content of the /etc/openldap/certs directory:

# cd /etc/openldap/certs
# chown ldap:ldap *
# chmod 600 priv.pem

Prepare the LDAP database:

# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

Generate database files (don’t worry about error messages!):

# slaptest
53d61aab hdb_db_open: database "dc=my-domain,dc=com": db_open(/var/lib/ldap/id2entry.bdb) failed: No such file or directory (2).
53d61aab backend_startup_one (type=hdb, suffix="dc=my-domain,dc=com"): bi_db_open failed! (2)
slap_startup failed (test would succeed using the -u switch)

Change LDAP database ownership:

# chown ldap:ldap /var/lib/ldap/*

Activate the slapd service at boot:

# systemctl enable slapd

Start the slapd service:

# systemctl start slapd

Check the LDAP activity:

# netstat -lt | grep ldap
tcp        0      0 0.0.0.0:ldap            0.0.0.0:*               LISTEN     
tcp6       0      0 [::]:ldap               [::]:*                  LISTEN

Alternatively, you can use: # ss -ltap | grep ldap

To start the configuration of the LDAP server, add the cosine & nis LDAP schemas:

# cd /etc/openldap/schema
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f nis.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"

Then, create the /etc/openldap/changes.ldif file and paste the following lines (replace PASSWORD with the previously created password like {SSHA}l8A+0c+lRcymtWuIFbbc3EJ1PRZz9mGg ):

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=example,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=example,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: PASSWORD

dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/cert.pem

dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/priv.pem

dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: -1

dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=example,dc=com" read by * none

Note: A problem with olcTLSCertificateFile and olcTLSCertificateKeyFile has been reported in recent versions of OpenLDAP (details) coming with RHEL 7.5; these attributes have to be modified at the same time:

dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/cert.pem
-
replace: olcTLSCertificateKeyFile 
olcTLSCertificateKeyFile: /etc/openldap/certs/priv.pem

Send the new configuration to the slapd server:

# ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/openldap/changes.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "cn=config"
modifying entry "cn=config"
modifying entry "cn=config"
modifying entry "olcDatabase={1}monitor,cn=config"

Create the /etc/openldap/base.ldif file and paste the following lines:

dn: dc=example,dc=com
dc: example
objectClass: top
objectClass: domain

dn: ou=People,dc=example,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=example,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit

Build the structure of the directory service:

# ldapadd -x -w redhat -D cn=Manager,dc=example,dc=com -f /etc/openldap/base.ldif
adding new entry "dc=example,dc=com"
adding new entry "ou=People,dc=example,dc=com"
adding new entry "ou=Group,dc=example,dc=com"

Note: In case you’ve got the following error message “ldap_bind: Invalid credentials (49)”, check the password line is correct and re-run ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/openldap/changes.ldif if not.
For example: olcRootPW: {SSHA}l8A+0c+lRcymtWuIFbbc3EJ1PRZz9mGg

Create two users for testing:

# mkdir /home/guests
# useradd -d /home/guests/ldapuser01 ldapuser01
# passwd ldapuser01
Changing password for user ldapuser01.
New password: user01ldap
Retype new password: user01ldap
passwd: all authentication tokens updated successfully.
# useradd -d /home/guests/ldapuser02 ldapuser02
# passwd ldapuser02
Changing password for user ldapuser02.
New password: user02ldap
Retype new password: user02ldap
passwd: all authentication tokens updated successfully.

User Account Migration

Go to the directory for the migration of the user accounts:

# cd /usr/share/migrationtools

Edit the migrate_common.ph file and replace in the following lines:

$DEFAULT_MAIL_DOMAIN = "example.com";
$DEFAULT_BASE = "dc=example,dc=com";

Create the current users in the directory service:

# grep ":10[0-9][0-9]" /etc/passwd > passwd
# ./migrate_passwd.pl passwd users.ldif
# ldapadd -x -w redhat -D cn=Manager,dc=example,dc=com -f users.ldif
adding new entry "uid=ldapuser01,ou=People,dc=example,dc=com"
adding new entry "uid=ldapuser02,ou=People,dc=example,dc=com"
# grep ":10[0-9][0-9]" /etc/group > group
# ./migrate_group.pl group groups.ldif
# ldapadd -x -w redhat -D cn=Manager,dc=example,dc=com -f groups.ldif
adding new entry "cn=ldapuser01,ou=Group,dc=example,dc=com"
adding new entry "cn=ldapuser02,ou=Group,dc=example,dc=com"

Test the configuration with the user called ldapuser01:

# ldapsearch -x cn=ldapuser01 -b dc=example,dc=com

Firewall Configuration

Add a new service to the firewall (ldap: port tcp 389):

# firewall-cmd --permanent --add-service=ldap

Reload the firewall configuration:

# firewall-cmd --reload

Edit the /etc/rsyslog.conf file and add the following line:

local4.* /var/log/ldap.log

Restart the rsyslog service:

# systemctl restart rsyslog

Additional Resources

If you want to learn more about the LDAP topic, you can read this free LDAP book.
Fedora documentation‘s got a chapter about Configuring Directory Servers and OpenLDAP.
You can also read this tutorial about using OpenLDAP with MariaDB backend in Docker.
The Linoxide website provides a tutorial about Setting up OpenLDAP multi-master replication.
The learnitguide.net website offers a tutorial about Configuring an OpenLDAP server on RHEL 7.

Essay on my mother writemypaper4me.org are you confused about writing an essay on my mother.

1 Star2 Stars3 Stars4 Stars5 Stars (12 votes, average: 4.58 out of 5)
Loading...
109 comments on “RHEL7: Configure a LDAP directory service for user connection.
  1. gigtom says:

    wow,good man, followed you line by line and LDAP server running very smoothly.
    Questions:
    How do you setup the GUI side
    and
    is one expected to set this up during RHCSA exam??

  2. redhatplayer says:

    when I go to this command “ldapadd -x -w redhat -D cn=Manager,dc=example,dc=com -f base.ldif”
    an error msg shown : “base.ldif No such file or directory”

    I follow your steps by coping and pasting the command to the command line. Do you have any suggestion to such problems. Thanks.

  3. china-student says:

    [root@example migrationtools]# grep “:10[0-9][0-9]” /etc/passwd > passwd
    [root@example migrationtools]# ./migrate_passwd.pl passwd users.ldif
    [root@example migrationtools]# ldapadd -x -w redhat -D cn=Manager,dc=example,dc=com -f users.ldif
    ldap_bind: Invalid credentials (49)
    [root@example migrationtools]#
    [root@example migrationtools]#

  4. Raul says:

    Excellent article. Thanks for sharing. May I suggest though to replace the line containing:

    ldapadd -x -w redhat -D cn=Manager,dc=example,dc=com -f base.ldif

    by:

    ldapadd -x -w redhat -D cn=Manager,dc=example,dc=com -f /etc/openldap/base.ldif

    ?

  5. timlee says:

    everything was going fine until here please help:

    [root@rhel7-testServer schema]# ldapadd -x -w redhat -D cn=Manager,dc=example,dc=com -f /etc/openldap/base.ldif
    ldap_sasl_bind(SIMPLE): Can’t contact LDAP server (-1)

  6. reale1 says:

    All is well until I get to the ‘Build the structure of the directory service’ I run the ldapadd command and I get this error:
    ber_get_next failed.
    ldap_result: Can’t contact LDAP server (-1)

    my server is running RHEL7.1 and selinux is permissive.

    thanks in advance for any help you can provide.

  7. TCJ says:

    Hi thanks for fantastic website. I only wish things could go smooth with me.

    You wrote:
    openssl req -new -x509 -nodes -out /etc/openldap/certs/cert.pem -keyout

    I had to do this like this:
    openssl req -new -x509 -nodes -keyout /etc/openldap/certs/cert.pem
    Then it worked.

    When you wrote:
    Generate a LDAP password from a secret key (here redhat):
    slappasswd -s redhat -n > /etc/openldap/passwd

    I just made up non-existing file, then created some secret key with ssh-keygen and replace redhat with it.

    However when I’m in config /etc/openldap/changes.ldif
    replace password with the previously created password)
    then what should I do ? Put plain text password for my generated key? Or path to it?

    Nevertheless when I
    ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/openldap/changes.ldif
    my output is
    SASL/EXTERNAL authentication started
    SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    SASL SSF: 0
    modifying entry “olcDatabase={2}hdb,cn=config”

    modifying entry “olcDatabase={2}hdb,cn=config”

    modifying entry “olcDatabase={2}hdb,cn=config”
    ldap_modify: Constraint violation (19)
    additional info: extra cruft after
    Thus I get ldap_bind: Invalid credentials (49)
    on STEP:
    ldapadd -x -w /root/kluczLDAP -D cn=Manager,dc=example,dc=com -f /etc/openldap/base.ldif
    HELP

    • CertDepot says:

      I didn’t write: # openssl req -new -x509 -nodes -out /etc/openldap/certs/cert.pem -keyout
      but: # openssl req -new -x509 -nodes -out /etc/openldap/certs/cert.pem -keyout /etc/openldap/certs/priv.pem -days 365
      I repeat my instructions:
      # slappasswd -s redhat -n > /etc/openldap/passwd
      # cat /etc/openldap/passwd
      {SSHA}l8A+0c+lRcymtWuIFbbc3EJ1PRZz9mGg
      Then, replace passwd # previously generated password (see above) with {SSHA}l8A+0c+lRcymtWuIFbbc3EJ1PRZz9mGg
      Good luck 😉

  8. jaaffersadiq says:

    Excellent Article !! Can be treated a perfect walkthrough document for LDAP Server configuration in RHEL7 !! Cheers !!

  9. Phrosgone says:

    Great tutorial, everything worked fine! Just one questions about the ports: In your tutorial you are opening port 389. As we are using a certificate and therefore ldaps, shouldn’t it be port 636?

  10. tron says:

    Thanks for the tutorial.
    On the 636 port thingy, I was also surprised for not using ldaps.
    I found that to enable it, you should edit /etc/sysconfig/slapd and add ldaps:/// there in SLAPD_URLS.

    Also, TLSCACertificateFile should be added according to OPENLDAP documentation (same cert in the case of a Self Signed Cert)

  11. mehboob says:

    Hi Dear
    Do we have to configure LDAP server in the exam which you showed on this page.
    because in exam objectives it says:
    **Configure a system to use an existing authentication service for user and group information**

    • CertDepot says:

      No, you definitively don’t need to configure a LDAP server during the RHCSA 7 exam.
      However, in order to test your LDAP client configuration, it is better to set up such a server in your own lab.

  12. asifshabir says:

    Then, create the /etc/openldap/changes.ldif file and paste the following lines (replace passwd with the previously created password like {SSHA}l8A+0c+lRcymtWuIFbbc3EJ1PRZz9mGg ):

    I am stuck in this step. I don’t see any password generated previously ?
    Can you please help on this

  13. suresh says:

    Hi CertDepot,
    I have a requirement to configure LDAP in production. But i dont want to install OPENLDAP. Do we have any difference between LDAP and OPEN LDAP.. Do you have any configuration steps for LDAP.

    2) Once server setup done. how do i configure ldap client, so that i can login to redhat machine with the user which i created on ldap user

    Please help me on by two question s

    regards
    suresh bk

    • CertDepot says:

      This website is mainly around the RHCSA and RHCE exams, it doesn’t explain how to set up all the available tools outside this context.
      However, to answer your question, besides OpenLDAP, you can look at FreeIPA that is also a LDAP server. You have two options: install the FreeIPA server with all its components (Kerberos, Apache, LDAP, DNS, etc -> https://www.certdepot.net/rhel7-configure-freeipa-server/) or only install the LDAP component called 389.

  14. akash.dhongde says:

    Very good article Man I really appreciate it. I just need your help I have configured OpenLdap for my GIT server everything is going well but the only problem with the users password. For every user, I have to set a password but the users are not able to change it after. How do I force the users to change their password at first login?
    Please suggest! I have googled it a lot but no possible solution found.

  15. binni says:

    Do we need to install a dns server prior to this openldap server configuration?

  16. Victor says:

    Hello Everyone

    I am working on configuring ldap using this article. I believe i messed up

    executing ldapserach returns the following error .

    [root@linux7 schema]# ldapsearch -x cn=ldapuser01 -b dc=example,dc=com
    # extended LDIF
    #
    # LDAPv3
    # base with scope subtree
    # filter: cn=ldapuser01
    # requesting: ALL
    #

    # search result
    search: 2
    result: 32 No such object

    # numResponses: 1

    Will be glad if someone can help in rectifying this.

    Below are few of the details of my settings i have on the Linux machine

    [root@linux7 schema]# hostname
    linux7.ak.com
    [root@linux7 schema]# cat /etc/hosts
    127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
    ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
    192.168.66.150 linux7.ak.com

    [root@linux7 schema]# cat /etc/openldap/changes.ldif
    dn: olcDatabase={2}hdb,cn=config
    changetype: modify
    replace: olcSuffix
    olcSuffix: dc=ak,dc=com

    dn: olcDatabase={2}hdb,cn=config
    changetype: modify
    replace: olcRootDN
    olcRootDN: cn=Manager,dc=ak,dc=com

    dn: olcDatabase={2}hdb,cn=config
    changetype: modify
    replace: olcRootPW
    olcRootPW: {SSHA}st++Pz9tulT4t0AackWoAPONq3HgNEOI

    dn: cn=config
    changetype: modify
    replace: olcTLSCertificateFile
    olcTLSCertificateFile: /etc/openldap/certs/cert.pem

    dn: cn=config
    changetype: modify
    replace: olcTLSCertificateKeyFile
    olcTLSCertificateKeyFile: /etc/openldap/certs/priv.pem

    dn: cn=config
    changetype: modify
    replace: olcLogLevel
    olcLogLevel: -1

    dn: olcDatabase={1}monitor,cn=config
    changetype: modify
    replace: olcAccess
    olcAccess: {0}to * by dn.base=”gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth” read by dn.base=”cn=Manager,dc=ak,dc=com” read by * none
    [root@linux7 schema]#

  17. lostsoul352 says:

    How do you enable LDAPS? When I tried by editing /etc/sysconfig/slapd and putting in SLAPD_URLS=”ldapi:/// ldap:/// ldaps:///” it doesn’t work.

    I get

    ldap_sasl_bind(SIMPLE): Can’t contact LDAP server (-1)

    Have you tested this with self-signed certificates?

  18. kevbuntu says:

    Would there be a similar link for ldap replication, this is very good. I am trying this site below for centos 7, seems easy but does not work. Nothing on this site ever worked for me even though looks very well put together.

    http://www.server-world.info/en/note?os=CentOS_7&p=openldap&f=5

  19. asifshabir says:

    Is this also an RHCSA exam requirement or we need to configure Client part only ??

  20. scryptkiddy says:

    I wasn’t able to copy / paste the changes.ldif (I’m using VirtualBox, which doesn’t seem to allow copy/paste even though I have clipboard enabled between host and guest…). But I verified it, literally 4 times, very slowly, and its correct.

    But apparently its not, I get:
    # ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/opnldap/changes.ldif

    SASL/EXTERNAL authentication started
    SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    SASL SSF: 0
    modifying entry “olcDatabase={2}hdb,cn=config”

    modifying entry “olcDatabase={2}hdb,cn=config”

    modifying entry “olcDatabase={2}hdb,cn=config”

    modifying entry “cn=config”

    modifying entry “cn=config”

    modifying entry “cn=config”

    ldapmodify: invalid format (line 35) entry: “olcDatabase={1}monitor,cn=config”
    #
    Line 35 is the long one, staring with dn.base… looks good. So hmm, suggestions?

    Thanks!

    SK

    • scryptkiddy says:

      Figured it out, there was a hidden line feed that was somehow entered due to the small vbox screen… The pain we IT guys go through just to prepare a server to just prepare for an exam, lol. Dedicated bunch aren’t we?!

      Now on to the client side to test my external ldap authentication skills.

      SK

  21. sashsz says:

    After the step: “To start the configuration of the LDAP server, add the cosine & nis LDAP schemas” I am getting this error:

    ldap_modify: Confidentiality required (13)
    additional info: stronger confidentiality required for update

    Any ideas?

  22. samuel.sappa says:

    Hi CertDepot,
    Need your enlightment for practicing LDAP. Can we use IPA Server instead or this is different?

    • CertDepot says:

      I think it’s different. The OpenLDAP server configuration takes time but is a proved solution.

      • samuel.sappa says:

        Hi CertDepot,
        Sorry for asking again IMHO when we install IPA server isn’t the LDAP and Kerberos automatically configured also, so we don’t have to do it manually
        Again thank you for your reply and info

        • CertDepot says:

          Yes, a lot of things are set automatically. However, on the client side, the configuration can be slightly different.
          I’m not saying that it’s not possible, I only think it can be slightly different.

  23. n40lab says:

    Great article indeed! Really useful for Red Hat and Linux Foundation exams, please keep up the good work!. I’d like to make a suggestion. As netstat is not installed by default in CentOS/RedHat 7 maybe you could change:

    netstat -lt | grep ldap

    With:

    ss -ltap | grep ldap

    It seems that ss replaced netstat, but of course you can still use it installing the net-tools package (yum install net-tools).

    Cheers!

  24. scruff says:

    Hi, stuck on:
    # ldapadd -x -w redhat -D cn=Manager,dc=example,dc=com -f users.ldif

    getting the error
    ladp_bind: Invalid credentials (49)

    Although I used “redhat” as password.

    Any ideas?

    • Lisenet says:

      I would try to reset the password.

      Generate a new password:

      # slappasswd -h {SSHA}

      Create an LDIF to change it:

      # cat ./change_pw.ldif
      dn: cn=config
      changetype: modify
      replace: olcRootPW
      olcRootPW: {SSHA}sha_value_you_got_above

      Change the password:

      # ldapadd -Y EXTERNAL -H ldapi:/// -f ./change_pw.ldif

      • RajeevD says:

        Hello! Please help me I’m stuck at here too. I tried several times from scratch (even from fresh CentOS7 installations) but I still get
        ladp_bind: Invalid credentials (49)
        after
        # ldapadd -x -w redhat -D cn=Manager,dc=example,dc=com -f /etc/openldap/base.ldif

  25. Sami says:

    If you bump into the error:
    “ldap_add: Invalid syntax (21)
    additional info: objectClass: value #2 invalid per syntax”
    when trying to migrate users try:
    # grep “:100[1-9]” /etc/passwd > passwd

  26. agentsan says:

    Hi, Thanks for the tutorial. I successfully configured ldap server. I’ve a silly question, while I am configuring ldap client using the gui system-config-authentication command, which certificate i need to download for the TLS encryption download CA Certificate?

  27. centosnoob says:

    Hello CertDepot! Thank you very much for creating this site! I have followed your instructions step-by-step but now I am facing an issue at step “Build the structure of the directory service:” When I use this command:
    ldapadd -x -w centos -D cn=Manager,dc=example,dc=com -f /etc/openldap/base.ldif
    I receive the following reply:
    ldap_bind: Invalid credentials (49)
    Do you know where I have gone wrong? Thank you for your time and help!

  28. wobee says:

    Hello CertDepot and thank you for your tutorial.
    I have a problem with it.
    When i push the command :” ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/openldap/changes.ldif” i have this next error :

    SASL/EXTERNAL authentication started
    SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    SASL SSF: 0
    modifying entry “olcDatabase={2}hdb,cn=config”
    ldap_modify: No such object (32)
    matched DN: cn=config
    Could you help me please?

  29. blahblah says:

    I’m about half way through, am now at changes.ldif

    I’m using a server with a hostname in the format:
    servernumber.subdomain.name.com

    Can I still use dc=example,dc=com ??

    Does it have to be related in any way whatsoever, to the hostname? I understand I’ll have to edit /etc/hosts of the clients I’m setting up.

    • blahblah says:

      OK decided to just change static hostname on the server. Followed this guide *precisely* on a CentOS server and it’s all working now, from a CentOS client.

      At first I couldn’t get the LDAP client to work on Fedora, so thought maybe the server was misconfigured ? Doesn’t matter anymore.

      Also, in the middle, I accidentally followed your RHEL6/2014 version of this guide, on a different page, and then when I came back to this RHEL7 version, I couldn’t:
      systemctl start slapd
      But I realized that I just had to delete the olcRootPW: line from olcDatabase={2}bdb.ldif

      Many thanks ! Was relatively painless. Now I just have to memorize ‘>.<' [it's an emoji!]

  30. ntcong says:

    Hi,
    Thanks for the excellent article.
    Question: how can I set the the access permission to each OU (organization unit) ?
    I mean I have installed LDAP successfully.
    My domain is ntcong.net, there are 2 OU : People and Group.
    Currently, when I use the LDAP client, I can access to LDAP server without any username/password (even if LDAP client requires username/password and I enter with invalid username/password, it can access to LDAP server too)
    So how can I set the username1 can access to ou: People but this user (username1) cannot access to ou: Group ?
    I am using Centos7. I searched this one in internet but the AC(Access control) in openLDAP based on Centos7 is different than the others.
    Could you please help me in this case.
    Thank you so much and Have nice day!.
    Regards,
    Cong

    • Lisenet says:

      When you say you can access LDAP server without authentication, do you mean you can bind with invalid password, or you can actually read data with invalid password?

      You are likely going to need to restrict access, the folloing may work (depending on your LDAP setup obviously):

      * by dn=”cn=admin,dc=top” write by dn=”cn=autobind,dc=top” read by self write by users read by anonymous auth by * none

      So the above means that admin can write, autobind can read, anonymous users are provided access to the userPassword attribute for the initial connection to occur, and all users have read access to their passwords due to “by self write” permissions.

  31. Peatross says:

    I ran into the same problem as others with the error:ldap_bind: Invalid credentials (49)
    I got it to work, but didn’t troubleshoot too much after I got it to work, I’ll leave that to smarter people.

    So, what I did was change olcRootPW: in changes.ldif to just plain text redhat:

    olcRootPW:redhat

    That worked after running:
    ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/openldap/changes.ldif
    and then:
    ldapadd -x -w redhat -D cn=Manager,dc=example,dc=com -f /etc/openldap/base.ldif

    just because I was curious, after which I tried again with a newly created hash with the command:

    slappasswd -s redhat

    and copied the result from the console and not the file and put that hash back into the changes.ldif, did the same steps as above and then further ldapadds worked also.

    So it seems to be something when copying the hash, maybe your getting a space before or after or a carriage return when copying it in? Good luck.

  32. tarek.elganainy says:

    Excellent topic. I just stuck in the following step:
    [root@rh7 MigrationTools-47]# ./migrate_passwd.pl passwd users.ldif
    Undefined subroutine &main::getsuffix called at ./migrate_passwd.pl line 43.

  33. zi says:

    if you just sudo ldapuser how can you change the password of ldapuser?

  34. Deeresh says:

    Great! Followed the steps and everything is working fine. Thank you. But it would be even better if certdepot provides (in this website itself. not in third party websites) the steps for AutoFS and NFS Server configuration steps to mount the ldapusers’ home directories when needed.

  35. Ph.linux says:

    CertDepot, is it ok to not to use the certificate in ldap exam even they have provided, because I’m going to use authconfig-tui in exam, and may I know if it safe to use authconfig-tui during the exam?

    • CertDepot says:

      If they provide you a certificate, why wouldn’t you use it? It doesn’t make sense!
      Concerning authconfig-tui, I said in one of my tutorials that it was deprecated because I read it. However, it is still one of the simplest way to perform the different tasks during the exam. You can use it without any problem.

  36. Ph.linux says:

    Hi CertDepot, thank you so much, I passed the RHCSA exam. This is my first time to take certification. I’m glad that your site was one of my sources while I was preparing the exam.

  37. Sameer says:

    Those who are getting credential error on line:
    ldapadd -x -w redhat -D cn=Manager,dc=example,dc=com -f /etc/openldap/base.ldif
    ldap_bind: Invalid credentials (49)

    Solution:
    The comment after line:
    /etc/openldap/changes.ldif
    need to be removed. That is remove the part “# previously generated password (see above)”. The script is assuming it forms part of the password.
    Only the word passwd needs to be replaced with the content of /etc/openldap/passwd

    After removing, re-run:
    ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/openldap/changes.ldif
    You shall be good to go.

    @CertDepot: can you modify this part in the tutorial please?

  38. Sameer says:

    I am getting an error on line :
    ldapadd -x -w redhat -D cn=Manager,dc=example,dc=com -f users.ldif
    adding new entry “uid=ldapuser01,ou=People,dc=padl,dc=com”
    ldap_add: Server is unwilling to perform (53)
    additional info: no global superior knowledge

    Can someone help please?

    I also tried:
    ldapadd -x -w redhat -D cn=Manager,dc=example,dc=com -f /usr/share/migrationtools/users.ldif
    adding new entry “uid=ldapuser01,ou=People,dc=padl,dc=com”
    ldap_add: Server is unwilling to perform (53)
    additional info: no global superior knowledge

    Same error

  39. Sameer says:

    error:
    ldapadd -x -w redhat -D cn=Manager,dc=example,dc=com -f users.ldif
    adding new entry “uid=ldapuser01,ou=People,dc=padl,dc=com”
    ldap_add: Server is unwilling to perform (53)
    additional info: no global superior knowledge

    Solution:
    replace all line with “dn: uid=ldapuser01,ou=People,dc=padl,dc=com” to “dn: uid=ldapuser01,ou=People,dc=example,dc=com” in file /usr/share/migrationtools/users.ldif

    same for /usr/share/migrationtools/groups.ldif

  40. cxc14 says:

    If anyone is having a problem on Red Hat/CentOS 7.5, change

    dn: cn=config
    changetype: modify
    replace: olcTLSCertificateFile
    olcTLSCertificateFile: /etc/openldap/certs/cert.pem

    dn: cn=config
    changetype: modify
    replace: olcTLSCertificateKeyFile
    olcTLSCertificateKeyFile: /etc/openldap/certs/priv.pem to:

    dn: cn=config
    changetype: modify
    replace: olcTLSCertificateKeyFile
    olcTLSCertificateKeyFile: /etc/openldap/certs/priv.pem

    replace: olcTLSCertificateFile
    olcTLSCertificateFile: /etc/openldap/certs/cert.pem

    ref: https://github.com/ansible/ansible/issues/25665

  41. mikaeel says:

    Hi CertDepot, is authconfig-tui still a valid method to use when doing ldap authentication in the RHCSA exam?

    • CertDepot says:

      In the official RHEL documentation, it is written that the authconfig-tui command is deprecated. However, it is still a prefectly valid method to use when configuring ldap authentication. It’s only a frond-end for the authconfig command.

  42. vijaykumarmaua says:

    Hi Certdepot

    I was trying to install openldap server using the instruction provided by your tutorial. When starting the systemctl start slapd below two errors came in journalctl.

    1.Aug 31 05:44:20 instructor.example.com slapd[1347]: tlsmc_cert_create_hash_symlink: ERROR: OS error: Permission denied

    Solution:
    # grep slapd /var/log/audit/audit.log | audit2allow
    #============= slapd_t ==============
    allow slapd_t slapd_tmp_t:lnk_file create;
    After confirm above, make a policy.

    # grep slapd /var/log/audit/audit.log | audit2allow -m slapd > slapd.te
    # grep slapd /var/log/audit/audit.log | audit2allow -M slapd
    ******************** IMPORTANT ***********************
    To make this policy package active, execute:
    semodule -i slapd.pp
    # semodule -i slapd.pp

    2.Aug 31 06:32:00 instructor.example.com slapd[1698]: main: TLS init def ctx failed: -1

    Solution: I searched on internet everywhere but could not find any thing to resolve this issue, disabled SELinux and problem solved.

    May you help me about what could be the SELinux policy to resolve this issue?

  43. chuckfarley says:

    I have followed this procedure 3 times now and I can never get the credentials right. I even used the redhat password exactly as you do and it still doesn’t work. Obviously, something has changed.
    Please help.

  44. Michael says:

    Hi,
    after running this command :
    ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/openldap/changes.ldif

    I get this error :

    modifying entry “cn=config”
    ldap_modify: Other (e.g., implementation specific) error (80)

    Please help me finish installing ldap server,
    Thanks.

    • Michael says:

      Thanks, I found the problem myself, added the following lines as instructed for RHEL 7.5 despite actually using RHEL 7.3.

      dn: cn=config
      changetype: modify
      replace: olcTLSCertificateFile
      olcTLSCertificateFile: /etc/openldap/certs/cert.pem

      replace: olcTLSCertificateKeyFile
      olcTLSCertificateKeyFile: /etc/openldap/certs/priv.pem

      Problem is I can only establish LDAP connection
      to server without TLS, on the client side I used
      yum groups install “Directory Client”
      authconfig-tui
      copied the cert file from server with scp to
      /etc/openldap/cacerts
      I get an error on /var/log/messages saying “Server is unavailble: Could not initialize TLS.

      Already tried turning off SELINUX, created a firewall rule allowing LDAP and SLDAP with no success.
      .
      any advice?

Leave a Reply

Upcoming Events (Local Time)

There are no events.

RHCSA7: Task of the day

Allowed time: 10 minutes.
Create two new user accounts "steve" and "oliver".
Create a group "team". Create a directory "shared".
All files put into the "shared" directory by "steve" or "oliver" should belong to the "team" group and be only visible by them.

RHCE7: Task of the day

Allowed time: 3 minutes.
Configure your machine to be a router.

Follow me on Twitter

Poll for favorite RHEL 7 book

What is your favorite RHEL 7 book to prepare RHCSA & RHCE exams?

View Results

Loading ... Loading ...

Poll for most difficult RHCSA 7 topic

What do you think is the most difficult RHCSA 7 topic?

View Results

Loading ... Loading ...

Poll for most difficult RHCE 7 topic

What do you think is the most difficult RHCE 7 topic?

View Results

Loading ... Loading ...