RHEL7: Configure an LDAP directory service for user connection.


Presentation of LDAP

LDAP stands for Lightweight Directory Access Protocol. It’s an open protocol for accessing and maintaining distributed directory information services over an IP network (source: Wikipedia).

Here it is used to facilitate user account administration. Instead of storing user accounts locally on each server, the LDAP directory stores them globally and makes them available to a group of servers.

This tutorial doesn’t explain how to set up the Automounter and the NFS services. It has been tested for RHEL 7.0, RHEL 7.1 and RHEL 7.2 (non-patched versions).

During this tutorial, try to follow the instructions very precisely, because LDAP syntax is sometimes cumbersome (case sensitivity, trailing spaces, etc.) and error-prone (dn/dc/cn are easy to mix up).

Let’s assume that we use the example.com domain and the instructor.example.com hostname (this hostname should be resolved either by the /etc/hosts file or by DNS).

Installation Procedure

Install the following packages:

# yum install -y openldap openldap-clients openldap-servers migrationtools

Generate an LDAP password hash from a secret (here redhat) and store it in the /etc/openldap/passwd file:

# slappasswd -s redhat -n > /etc/openldap/passwd

Generate a self-signed X.509 certificate and its private key, valid for 365 days:

# openssl req -new -x509 -nodes -out /etc/openldap/certs/cert.pem \
-keyout /etc/openldap/certs/priv.pem -days 365
Generating a 2048 bit RSA private key
.....+++
..............+++
writing new private key to '/etc/openldap/certs/priv.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:instructor.example.com
Email Address []:

Secure the content of the /etc/openldap/certs directory:

# cd /etc/openldap/certs
# chown ldap:ldap *
# chmod 600 priv.pem

Prepare the LDAP database:

# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

Generate database files (don’t worry about error messages!):

# slaptest
53d61aab hdb_db_open: database "dc=my-domain,dc=com": db_open(/var/lib/ldap/id2entry.bdb) failed: No such file or directory (2).
53d61aab backend_startup_one (type=hdb, suffix="dc=my-domain,dc=com"): bi_db_open failed! (2)
slap_startup failed (test would succeed using the -u switch)

Change LDAP database ownership:

# chown ldap:ldap /var/lib/ldap/*

Activate the slapd service at boot:

# systemctl enable slapd

Start the slapd service:

# systemctl start slapd

Check the LDAP activity:

# netstat -lt | grep ldap
tcp        0      0 0.0.0.0:ldap            0.0.0.0:*               LISTEN     
tcp6       0      0 [::]:ldap               [::]:*                  LISTEN

Alternatively, you can use: # ss -ltap | grep ldap

To start the configuration of the LDAP server, add the cosine & nis LDAP schemas:

# cd /etc/openldap/schema
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f nis.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"

Then, create the /etc/openldap/changes.ldif file and paste the following lines (replace passwd with the hash written to /etc/openldap/passwd by the slappasswd step above, a value like {SSHA}l8A+0c+lRcymtWuIFbbc3EJ1PRZz9mGg):

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=example,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=example,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: passwd

dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/cert.pem

dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/priv.pem

dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: -1

dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=example,dc=com" read by * none

Send the new configuration to the slapd server:

# ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/openldap/changes.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "cn=config"
modifying entry "cn=config"
modifying entry "cn=config"
modifying entry "olcDatabase={1}monitor,cn=config"

Create the /etc/openldap/base.ldif file and paste the following lines:

dn: dc=example,dc=com
dc: example
objectClass: top
objectClass: domain

dn: ou=People,dc=example,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=example,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit

Build the structure of the directory service:

# ldapadd -x -w redhat -D cn=Manager,dc=example,dc=com -f /etc/openldap/base.ldif
adding new entry "dc=example,dc=com"
adding new entry "ou=People,dc=example,dc=com"
adding new entry "ou=Group,dc=example,dc=com"

Create two users for testing:

# mkdir /home/guests
# useradd -d /home/guests/ldapuser01 ldapuser01
# passwd ldapuser01
Changing password for user ldapuser01.
New password: user01ldap
Retype new password: user01ldap
passwd: all authentication tokens updated successfully.
# useradd -d /home/guests/ldapuser02 ldapuser02
# passwd ldapuser02
Changing password for user ldapuser02.
New password: user02ldap
Retype new password: user02ldap
passwd: all authentication tokens updated successfully.

User Account Migration

Go to the directory for the migration of the user accounts:

# cd /usr/share/migrationtools

Edit the migrate_common.ph file and set the following two variables:

$DEFAULT_MAIL_DOMAIN = "example.com";
$DEFAULT_BASE = "dc=example,dc=com";

Import the existing local user accounts into the directory service:

# grep ":10[0-9][0-9]" /etc/passwd > passwd
# ./migrate_passwd.pl passwd users.ldif
# ldapadd -x -w redhat -D cn=Manager,dc=example,dc=com -f users.ldif
adding new entry "uid=ldapuser01,ou=People,dc=example,dc=com"
adding new entry "uid=ldapuser02,ou=People,dc=example,dc=com"
# grep ":10[0-9][0-9]" /etc/group > group
# ./migrate_group.pl group groups.ldif
# ldapadd -x -w redhat -D cn=Manager,dc=example,dc=com -f groups.ldif
adding new entry "cn=ldapuser01,ou=Group,dc=example,dc=com"
adding new entry "cn=ldapuser02,ou=Group,dc=example,dc=com"
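What migrate_passwd.pl does for the selected accounts, as an added Python example rather than the migrationtools code itself: it filters /etc/passwd by numeric UID and renders posixAccount entries under ou=People. The grep ":10[0-9][0-9]" above matches that string anywhere in the line (an account with UID 2000 but GID 1001 also passes), so the example filters on the UID field and keeps the grep variant alongside to show the difference. The passwd lines are constructed; userPassword and the shadow attributes, which the real script reads from /etc/shadow, are left out.

```python
import re

# Constructed /etc/passwd sample (not from a real system). The svc account has UID 2000
# but GID 1001, so the tutorial's grep selects it although it is outside the UID range.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
ldap:x:55:55:OpenLDAP server:/var/lib/ldap:/sbin/nologin
ldapuser01:x:1000:1000::/home/guests/ldapuser01:/bin/bash
ldapuser02:x:1001:1001::/home/guests/ldapuser02:/bin/bash
svc:x:2000:1001:Service account:/srv/svc:/sbin/nologin
"""

GREP_PATTERN = re.compile(r":10[0-9][0-9]")   # the tutorial's grep, verbatim


def grep_selected(passwd_text):
    """Lines the tutorial's grep would hand to migrate_passwd.pl."""
    return [l for l in passwd_text.splitlines() if GREP_PATTERN.search(l)]


def select_accounts(passwd_text, uid_min=1000, uid_max=1099):
    """Select accounts by the numeric UID field, which is what the grep is aiming at."""
    rows = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or line.startswith("#"):
            continue  # blank, comment or malformed line
        name, _pw, uid, gid, gecos, home, shell = fields
        if not uid.isdigit() or not uid_min <= int(uid) <= uid_max:
            continue
        rows.append({"name": name, "uid": int(uid), "gid": int(gid),
                     "gecos": gecos or name, "home": home, "shell": shell})
    return rows


def to_ldif(rows, base="dc=example,dc=com", ou="People"):
    """Render entries in the layout migrate_passwd.pl produces (posixAccount under ou=People)."""
    records = []
    for r in rows:
        records.append("\n".join([
            "dn: uid=%s,ou=%s,%s" % (r["name"], ou, base),
            "uid: " + r["name"],
            "cn: " + r["gecos"],
            "objectClass: account",
            "objectClass: posixAccount",
            "objectClass: top",
            "objectClass: shadowAccount",
            "loginShell: " + r["shell"],
            "uidNumber: %d" % r["uid"],
            "gidNumber: %d" % r["gid"],
            "homeDirectory: " + r["home"],
            "gecos: " + r["gecos"],
        ]))
    return "\n\n".join(records) + "\n"


if __name__ == "__main__":
    print(to_ldif(select_accounts(PASSWD_SAMPLE)), end="")
```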

Test the configuration with the user called ldapuser01:

# ldapsearch -x cn=ldapuser01 -b dc=example,dc=com

Firewall Configuration

Add a new service to the firewall (ldap: port tcp 389):

# firewall-cmd --permanent --add-service=ldap

Reload the firewall configuration:

# firewall-cmd --reload

Edit the /etc/rsyslog.conf file and add the following line (slapd logs through the local4 syslog facility):

local4.* /var/log/ldap.log

Restart the rsyslog service:

# systemctl restart rsyslog
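Once slapd's messages land in /var/log/ldap.log, its BIND and RESULT lines are enough to spot repeated wrong-password binds against a DN; these lines are produced by the stats log level (256), so the -1 set above logs far more than this needs. Added Python example, not from the tutorial: it ties each conn= id back to the client IP on its ACCEPT line and counts err=49 (invalid credentials) results per source and bind DN. The log lines are constructed in the layout rsyslog writes.

```python
import re
from collections import Counter

# Constructed slapd log lines as rsyslog writes them for local4.*:
# three failed Manager binds from one host, one successful user bind from another.
SAMPLE_LOG = """\
Jan 12 10:15:01 instructor slapd[1234]: conn=1000 fd=12 ACCEPT from IP=192.0.2.10:51234 (IP=0.0.0.0:389)
Jan 12 10:15:01 instructor slapd[1234]: conn=1000 op=0 BIND dn="cn=Manager,dc=example,dc=com" method=128
Jan 12 10:15:01 instructor slapd[1234]: conn=1000 op=0 RESULT tag=97 err=49 text=
Jan 12 10:15:02 instructor slapd[1234]: conn=1001 fd=13 ACCEPT from IP=192.0.2.10:51235 (IP=0.0.0.0:389)
Jan 12 10:15:02 instructor slapd[1234]: conn=1001 op=0 BIND dn="cn=Manager,dc=example,dc=com" method=128
Jan 12 10:15:02 instructor slapd[1234]: conn=1001 op=0 RESULT tag=97 err=49 text=
Jan 12 10:15:03 instructor slapd[1234]: conn=1002 fd=14 ACCEPT from IP=192.0.2.20:40000 (IP=0.0.0.0:389)
Jan 12 10:15:03 instructor slapd[1234]: conn=1002 op=0 BIND dn="uid=ldapuser01,ou=People,dc=example,dc=com" method=128
Jan 12 10:15:03 instructor slapd[1234]: conn=1002 op=0 RESULT tag=97 err=0 text=
Jan 12 10:15:04 instructor slapd[1234]: conn=1003 fd=15 ACCEPT from IP=192.0.2.10:51236 (IP=0.0.0.0:389)
Jan 12 10:15:04 instructor slapd[1234]: conn=1003 op=0 BIND dn="cn=Manager,dc=example,dc=com" method=128
Jan 12 10:15:04 instructor slapd[1234]: conn=1003 op=0 RESULT tag=97 err=49 text=
"""

ACCEPT = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+")
BIND = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
RESULT = re.compile(r"conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)")  # tag 97 = bind response

INVALID_CREDENTIALS = 49   # LDAP result code for a wrong password or unknown DN


def failed_binds(log_text):
    """Count err=49 bind results per (client IP, bind DN), joining the line types on conn/op."""
    ip_by_conn = {}
    dn_by_op = {}
    counts = Counter()
    for line in log_text.splitlines():
        m = ACCEPT.search(line)
        if m:
            ip_by_conn[m.group(1)] = m.group(2)
            continue
        m = BIND.search(line)
        if m:
            dn_by_op[(m.group(1), m.group(2))] = m.group(3)
            continue
        m = RESULT.search(line)
        if m and int(m.group(3)) == INVALID_CREDENTIALS:
            ip = ip_by_conn.get(m.group(1), "?")   # "?" if the ACCEPT line was not seen
            dn = dn_by_op.get((m.group(1), m.group(2)), "?")
            counts[(ip, dn)] += 1
    return counts


def noisy_sources(counts, threshold=3):
    """Client IPs whose failed binds against any single DN reach the threshold."""
    return sorted({ip for (ip, _dn), n in counts.items() if n >= threshold})


if __name__ == "__main__":
    for (ip, dn), n in failed_binds(SAMPLE_LOG).items():
        print(n, "failed binds from", ip, "as", dn)
    print("flag:", noisy_sources(failed_binds(SAMPLE_LOG)))
```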

Additional Resources

If you want to learn more about the LDAP topic, you can read this free LDAP book.
The Fedora documentation has a chapter about Configuring Directory Servers and OpenLDAP.
You can also read this tutorial about using OpenLDAP with MariaDB backend in Docker.
The Linoxide website provides a tutorial about Setting up OpenLDAP multi-master replication.
The learnitguide.net website offers a tutorial about Configuring an OpenLDAP server on RHEL 7.



63 Comments on "RHEL7: Configure an LDAP directory service for user connection."

gigtom:

wow, good man, followed you line by line and LDAP server running very smoothly.
Questions:
How do you set up the GUI side
and
is one expected to set this up during the RHCSA exam??

redhatplayer:

when I go to this command "ldapadd -x -w redhat -D cn=Manager,dc=example,dc=com -f base.ldif"
an error msg is shown: "base.ldif No such file or directory"

I followed your steps by copying and pasting the command to the command line. Do you have any suggestions for such problems? Thanks.

china-student:

[root@example migrationtools]# grep ":10[0-9][0-9]" /etc/passwd > passwd
[root@example migrationtools]# ./migrate_passwd.pl passwd users.ldif
[root@example migrationtools]# ldapadd -x -w redhat -D cn=Manager,dc=example,dc=com -f users.ldif
ldap_bind: Invalid credentials (49)
[root@example migrationtools]#
[root@example migrationtools]#

Raul:

Excellent article. Thanks for sharing. May I suggest though to replace the line containing:

ldapadd -x -w redhat -D cn=Manager,dc=example,dc=com -f base.ldif

by:

ldapadd -x -w redhat -D cn=Manager,dc=example,dc=com -f /etc/openldap/base.ldif

?

timlee:

everything was going fine until here please help:

[root@rhel7-testServer schema]# ldapadd -x -w redhat -D cn=Manager,dc=example,dc=com -f /etc/openldap/base.ldif
ldap_sasl_bind(SIMPLE): Can’t contact LDAP server (-1)

reale1:

All is well until I get to the ‘Build the structure of the directory service’ I run the ldapadd command and I get this error:
ber_get_next failed.
ldap_result: Can’t contact LDAP server (-1)

my server is running RHEL7.1 and selinux is permissive.

thanks in advance for any help you can provide.

TCJ:

Hi, thanks for a fantastic website. I only wish things could go smoothly with me. You wrote:

openssl req -new -x509 -nodes -out /etc/openldap/certs/cert.pem -keyout

I had to do this like this:

openssl req -new -x509 -nodes -keyout /etc/openldap/certs/cert.pem

Then it worked. When you wrote: "Generate a LDAP password from a secret key (here redhat): slappasswd -s redhat -n > /etc/openldap/passwd" I just made up a non-existing file, then created some secret key with ssh-keygen and replaced redhat with it. However, when I'm in config /etc/openldap/changes.ldif (replace password with the previously created password) then what should I do? Put plain text…
jaaffersadiq:

Excellent Article !! Can be treated a perfect walkthrough document for LDAP Server configuration in RHEL7 !! Cheers !!

Phrosgone:

Great tutorial, everything worked fine! Just one question about the ports: In your tutorial you are opening port 389. As we are using a certificate and therefore ldaps, shouldn’t it be port 636?

tron:

Thanks for the tutorial.
On the 636 port thingy, I was also surprised for not using ldaps.
I found that to enable it, you should edit /etc/sysconfig/slapd and add ldaps:/// there in SLAPD_URLS.

Also, TLSCACertificateFile should be added according to OPENLDAP documentation (same cert in the case of a Self Signed Cert)

kevbuntu:

my server works if I use ldapwhoami ldap:/// but if I use ldaps:/// I would get:

ldap_sasl_bind(SIMPLE): Can’t contact LDAP server (-1)

and if I add this to /etc/sysconfig/slapd:
SLAPD_URLS="ldapi:/// ldaps:///"

# Any custom options
SLAPD_OPTIONS="-g ldap"

Not even ldap:/// would work. Not quite sure how to add TLSCACertificateFile to openldap, if you believe that is the problem. But ldapwhoami ldap:/// should still work, and it will if I change the /etc/sysconfig/slapd to SLAPD_URLS="ldapi:/// ldaps:///". Thanks for any thoughts and feedback.

kevbuntu:

I have solved the part with regard to SLAPD_URLS by adding "ldap:/// ldapi:/// ldaps:///" but not sure the certificate part is correct as ldaps still does not work. I followed these two links but still no joy:

http://www.server-world.info/en/note?os=CentOS_7&p=ssl
http://www.server-world.info/en/note?os=CentOS_7&p=openldap&f=4

mehboob:

Hi Dear
Do we have to configure LDAP server in the exam which you showed on this page.
because in exam objectives it says:
**Configure a system to use an existing authentication service for user and group information**

asifshabir:

Then, create the /etc/openldap/changes.ldif file and paste the following lines (replace passwd with the previously created password like {SSHA}l8A+0c+lRcymtWuIFbbc3EJ1PRZz9mGg ):

I am stuck in this step. I don’t see any password generated previously ?
Can you please help on this

suresh:

Hi CertDepot,
I have a requirement to configure LDAP in production. But I don't want to install OpenLDAP. Do we have any difference between LDAP and OpenLDAP? Do you have any configuration steps for LDAP?

2) Once server setup done. how do i configure ldap client, so that i can login to redhat machine with the user which i created on ldap user

Please help me on my two questions

regards
suresh bk

akash.dhongde:

Very good article, man, I really appreciate it. I just need your help. I have configured OpenLDAP for my Git server and everything is going well, but the only problem is with the users' passwords. For every user, I have to set a password, but the users are not able to change it afterwards. How do I force the users to change their password at first login?
Please suggest! I have googled it a lot but no possible solution found.

binni:

Do we need to install a DNS server prior to this OpenLDAP server configuration?

Victor:

Hello everyone, I am working on configuring ldap using this article. I believe I messed up; executing ldapsearch returns the following error:

[root@linux7 schema]# ldapsearch -x cn=ldapuser01 -b dc=example,dc=com
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: cn=ldapuser01
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1

Will be glad if someone can help in rectifying this. Below are a few of the details of the settings I have on the Linux machine:

[root@linux7 schema]# hostname
linux7.ak.com
[root@linux7 schema]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1…
lostsoul352:

How do you enable LDAPS? When I tried by editing /etc/sysconfig/slapd and putting in SLAPD_URLS="ldapi:/// ldap:/// ldaps:///" it doesn’t work.

I get

ldap_sasl_bind(SIMPLE): Can’t contact LDAP server (-1)

Have you tested this with self-signed certificates?

kevbuntu:

Would there be a similar link for ldap replication, this is very good. I am trying this site below for centos 7, seems easy but does not work. Nothing on this site ever worked for me even though looks very well put together.

http://www.server-world.info/en/note?os=CentOS_7&p=openldap&f=5

asifshabir:

Is this also an RHCSA exam requirement or we need to configure Client part only ??

scryptkiddy:

I wasn’t able to copy / paste the changes.ldif (I’m using VirtualBox, which doesn’t seem to allow copy/paste even though I have clipboard enabled between host and guest…). But I verified it, literally 4 times, very slowly, and it's correct.

But apparently it's not, I get:
# ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/opnldap/changes.ldif

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "cn=config"
modifying entry "cn=config"
modifying entry "cn=config"
ldapmodify: invalid format (line 35) entry: "olcDatabase={1}monitor,cn=config"
#
Line 35 is the long one, starting with dn.base… looks good. So hmm, suggestions?

Thanks!

SK

scryptkiddy:

Figured it out, there was a hidden line feed that was somehow entered due to the small vbox screen… The pain we IT guys go through just to prepare a server to just prepare for an exam, lol. Dedicated bunch aren’t we?!

Now on to the client side to test my external ldap authentication skills.

SK

sashsz:

After the step: “To start the configuration of the LDAP server, add the cosine & nis LDAP schemas” I am getting this error:

ldap_modify: Confidentiality required (13)
additional info: stronger confidentiality required for update

Any ideas?

samuel.sappa:

Hi CertDepot,
Need your enlightenment for practicing LDAP. Can we use IPA Server instead, or is this different?

n40lab:

Great article indeed! Really useful for Red Hat and Linux Foundation exams, please keep up the good work! I’d like to make a suggestion. As netstat is not installed by default in CentOS/RedHat 7, maybe you could change:

netstat -lt | grep ldap

With:

ss -ltap | grep ldap

It seems that ss replaced netstat, but of course you can still use it installing the net-tools package (yum install net-tools).

Cheers!

scruff:

Hi, stuck on:
# ldapadd -x -w redhat -D cn=Manager,dc=example,dc=com -f users.ldif

getting the error
ldap_bind: Invalid credentials (49)

Although I used “redhat” as password.

Any ideas?

Lisenet:

I would try to reset the password.

Generate a new password:

# slappasswd -h {SSHA}

Create an LDIF to change it:

# cat ./change_pw.ldif
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}sha_value_you_got_above

Change the password:

# ldapadd -Y EXTERNAL -H ldapi:/// -f ./change_pw.ldif

RajeevD:

Hello! Please help me I’m stuck at here too. I tried several times from scratch (even from fresh CentOS7 installations) but I still get
ldap_bind: Invalid credentials (49)
after
# ldapadd -x -w redhat -D cn=Manager,dc=example,dc=com -f /etc/openldap/base.ldif

