Saturday, 22 October 2016

Install and Configure OpenLDAP on CentOS / RHEL Linux


LDAP stands for Lightweight Directory Access Protocol.

LDAP is a protocol for accessing centrally stored information over a network. That information is organized in a directory that follows the X.500 standard.

The information is stored and organized in a hierarchical manner, and the advantage of this approach is that the information can be grouped into containers that clients can access whenever needed.

The OpenLDAP hierarchy is very similar to the DNS hierarchy.

The following are the two most commonly used objects in OpenLDAP:

1. cn (common name) – This refers to the leaf entries, which are end objects (for example: users and groups)

2. dc (domain component) – This refers to one of the container entries in the LDAP hierarchy. If in a setup the LDAP hierarchy is mapped to a DNS hierarchy, typically all DNS domains are referred to as DC objects.

For example, if there is a user sam.thegeekstuff.com in the hierarchy, the fully distinguished name of this user is cn=sam,dc=thegeekstuff,dc=com. Note that in the FDN (fully distinguished name) a comma is used as the separator, not the dot that is common in DNS.

By using the different LDAP entry types, you can set up a hierarchical directory structure. This is the reason OpenLDAP is so widely used: you can easily build an OpenLDAP hierarchy in which objects in other locations are referred to without storing them on local servers. This makes OpenLDAP a lightweight directory, especially compared to other directory servers such as Microsoft’s Active Directory.

Now let’s see how to set up a single instance of an LDAP server that multiple clients in your network can use for authentication.


Install OpenLDAP Packages


On CentOS and Red Hat, use yum install as shown below to install the OpenLDAP-related packages.


 yum install -y openldap openldap-clients openldap-servers  



You should install the following three packages:

1 openldap-servers – This is the main LDAP server
2 openldap-clients – This contains all required LDAP client utilities
3 openldap – This package contains the LDAP support libraries


LDAP Config Files


. cn=config.ldif – The LDAP default configuration is stored in /etc/openldap/slapd.d/cn=config.ldif, which is written in LDIF (LDAP Data Interchange Format), the text format used to enter information into the LDAP directory.


. olcDatabase={2}bdb.ldif – Settings such as the number of connections the server can support, timeouts and other database settings live in /etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif. This file also contains parameters like the LDAP root user (olcRootDN) and the base DN (olcSuffix).


Create olcRootDN Account as Admin

It is always recommended to first create a dedicated user account with full permissions to change information in the LDAP database.

Modify the olcDatabase={2}bdb.ldif file, and change the olcRootDN entry. The following is the default entry.

 # grep olcRootDN /etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif  
 olcRootDN: cn=Manager,dc=my-domain,dc=com  



Change the above line to an admin user. In this example, user “ramesh” will be the olcRootDN.

 olcRootDN: cn=ramesh,dc=thegeekstuff,dc=com  



Create olcRootPW Root Password


Now use the slappasswd command to create a hash of the root password you want to use. Once the hash is generated, open the cn=config.ldif file, add the olcRootPW parameter, and paste the hashed password as shown below.

Execute the following command and specify a password. This will generate the hash for the given password.

 # slappasswd  
 New password: SecretLDAPRootPass2015  
 Re-enter new password: SecretLDAPRootPass2015  
 {SSHA}1pgok6qWn24lpBkVreTDboTr81rg4QC6  



Take the hash output of the above command and add it to the olcRootPW parameter in the config.ldif file as shown below.

 # vim /etc/openldap/slapd.d/cn=config.ldif  
 olcRootPW: {SSHA}1pgok6qWn24lpBkVreTDboTr81rg4QC6  
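The {SSHA} string that slappasswd prints is base64(SHA-1(password + salt) + salt) with a 4-byte random salt, and the same value comes back from ldapsearch later in this page as a base64-encoded userPassword:: attribute. The following is an added example, not code from the original article, that models that scheme in pure Python so a stored hash can be checked offline; the explicit salt parameter is an assumption made here for reproducibility, and the sample values are taken from the page.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Added example (not code from the original article): a pure-Python model of
# the {SSHA} scheme slappasswd uses by default. The stored value is
# base64(SHA-1(password + salt) + salt), prefixed with "{SSHA}". The `salt`
# parameter is an assumption made here so results are reproducible; leave it
# unset to get a fresh random salt, as slappasswd does.

SALT_LEN = 4      # slappasswd's default salt length in bytes
SHA1_LEN = 20     # SHA-1 digest length in bytes


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Return a {SSHA} string in the same shape slappasswd prints."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def parse_ssha(hashed: str) -> Tuple[bytes, bytes]:
    """Split a {SSHA} string into (digest, salt); reject malformed input."""
    prefix = "{SSHA}"
    if not hashed.startswith(prefix):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(hashed[len(prefix):], validate=True)
    if len(raw) <= SHA1_LEN:
        raise ValueError("too short to hold a SHA-1 digest plus salt")
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def verify_ssha(password: str, hashed: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    digest, salt = parse_ssha(hashed)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def decode_ldif_password(line: str) -> str:
    """Decode a 'userPassword:: <base64>' line as ldapsearch prints it.

    The double colon is LDIF's marker for a base64-encoded value; ldapsearch
    uses it for binary-syntax attributes such as userPassword.
    """
    attr, sep, value = line.partition("::")
    if sep == "" or attr.strip().lower() != "userpassword":
        raise ValueError("expected a base64 userPassword line")
    return base64.b64decode(value.strip(), validate=True).decode("utf-8")


if __name__ == "__main__":
    # Constructed usage: hash a password with a random salt and verify it,
    # then decode the base64 userPassword line from the ldapsearch output
    # shown later on this page.
    h = make_ssha("SecretLDAPRootPass2015")
    print(h, verify_ssha("SecretLDAPRootPass2015", h))
    print(decode_ldif_password(
        "userPassword:: e1NTSEF9b0lPd3AzYTBmT2xQcHBPNDcrK0VHRndEUjdMV2hSZ2U="))
```

Because the salt is random, two runs of slappasswd on the same password give different strings; verification always recomputes with the salt stored inside the value, which is why comparing two {SSHA} strings directly tells you nothing.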



Create olcSuffix Domain Name


Now set olcSuffix to the domain (base DN) that you want. Simply modify the line that starts with olcSuffix in olcDatabase={2}bdb.ldif as shown below.

 # vim /etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif  
 olcSuffix: dc=thegeekstuff,dc=com  



Verify The Configuration Files


Use the slaptest command to verify the configuration files. It should print the message “config file testing succeeded”, as shown below.

 # slaptest -u  
 config file testing succeeded  



You might also get the following messages from the above command, which you can ignore for now. They appear because the files under slapd.d were edited by hand: each file carries a CRC32 checksum in its header that slapd only updates when the configuration is changed through LDAP (cn=config), so direct edits leave the checksum stale.

 54a39508 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif"  
 54a39508 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif"  



Start the LDAP Server


Start the LDAP server as shown below.

 # service slapd start  
 Checking configuration files for slapd: [WARNING]  
 config file testing succeeded  
 Starting slapd:             [ OK ]  



Verify the LDAP Search


To verify that the LDAP server is running and answering queries, run the search below against the base DN. At this point the server responds, but the result is 32 No such object, because the base entry dc=thegeekstuff,dc=com has not been created yet; that is done in the next step.

 # ldapsearch -x -b "dc=thegeekstuff,dc=com"  
 # extended LDIF  
 #  
 # LDAPv3  
 # base <dc=thegeekstuff,dc=com> with scope subtree  
 # filter: (objectclass=*)  
 # requesting: ALL  
 #  
 # search result  
 search: 2  
 result: 32 No such object  
 # numResponses: 1  



Base LDAP Structure in base.ldif


The use of OU (organizational unit) objects can help you give additional structure to the LDAP database. If you are planning on adding different types of entries, such as users, groups, computers, printers and more, to the LDAP directory, it is easier to put every entry type into its own container.

To create these OUs, start with an initial LDIF file like the one in the example below. It creates the base container dc=thegeekstuff,dc=com and two organizational units, users and groups, inside it. Each entry is separated from the next by a blank line.

 # cat base.ldif  
 dn: dc=thegeekstuff,dc=com  
 objectClass: dcObject  
 objectClass: organization  
 o: thegeekstuff.com  
 dc: thegeekstuff  
  
 dn: ou=users,dc=thegeekstuff,dc=com  
 objectClass: organizationalUnit  
 objectClass: top  
 ou: users  
  
 dn: ou=groups,dc=thegeekstuff,dc=com  
 objectClass: organizationalUnit  
 objectClass: top  
 ou: groups  



Import Base Structure Using ldapadd


Now we can import the base structure into the LDAP directory using the ldapadd command as shown below.

 # ldapadd -x -W -D "cn=ramesh,dc=thegeekstuff,dc=com" -f base.ldif  
 Enter LDAP Password:  
 adding new entry "dc=thegeekstuff,dc=com"  
 adding new entry "ou=users,dc=thegeekstuff,dc=com"  
 adding new entry "ou=groups,dc=thegeekstuff,dc=com"  



Verify the Base Structure using ldapsearch


To verify that the OUs were created successfully, use the following ldapsearch command.

 # ldapsearch -x -W -D "cn=ramesh,dc=thegeekstuff,dc=com" -b "dc=thegeekstuff,dc=com" "(objectclass=*)"  
 Enter LDAP Password:  



The output of the above command lists all the objects in the LDAP directory structure.


 # extended LDIF  
 #  
 # LDAPv3  
 # base <dc=thegeekstuff,dc=com> with scope subtree  
 # filter: (objectclass=*)  
 # requesting: ALL  
 #  
 # thegeekstuff.com  
 dn: dc=thegeekstuff,dc=com  
 objectClass: dcObject  
 objectClass: organization  
 o: thegeekstuff.com  
 dc: thegeekstuff  
 # users, thegeekstuff.com  
 dn: ou=users,dc=thegeekstuff,dc=com  
 objectClass: organizationalUnit  
 objectClass: top  
 ou: users  
 # groups, thegeekstuff.com  
 dn: ou=groups,dc=thegeekstuff,dc=com  
 objectClass: organizationalUnit  
 objectClass: top  
 ou: groups  
 # search result  
 search: 2  
 result: 0 Success  
 # numResponses: 4  
 # numEntries: 3  



In the next OpenLDAP article, we’ll explain how to add new users and groups to the LDAP Directory.



Add LDAP Users and Groups in OpenLDAP on Linux


To add something to the LDAP directory, you first need to create an LDIF file.

The LDIF file should contain definitions for all attributes that are required for the entries you want to create.

With this LDIF file, you can use the ldapadd command to import the entries into the directory, as explained in this tutorial.

If you are new to OpenLDAP, you should first install OpenLDAP on your system.

Create an LDIF file for a New User

The following is a sample LDIF file that will be used to create a new user.

 # cat adam.ldif  
 dn: uid=adam,ou=users,dc=tgs,dc=com  
 objectClass: top  
 objectClass: account  
 objectClass: posixAccount  
 objectClass: shadowAccount  
 cn: adam  
 uid: adam  
 uidNumber: 16859  
 gidNumber: 100  
 homeDirectory: /home/adam  
 loginShell: /bin/bash  
 gecos: adam  
 userPassword: {crypt}x  
 shadowLastChange: 0  
 shadowMax: 0  
 shadowWarning: 0  



Add an LDAP User using ldapadd


Now use the ldapadd command with the above LDIF file to create a new user called adam in our OpenLDAP directory, as shown below:

 # ldapadd -x -W -D "cn=ramesh,dc=tgs,dc=com" -f adam.ldif  
 Enter LDAP Password:  
 adding new entry "uid=adam,ou=users,dc=tgs,dc=com"  



Assign Password to LDAP User


To set the password for the LDAP user we just created, use the ldappasswd command as shown in the example below:

 # ldappasswd -s welcome123 -W -D "cn=ramesh,dc=tgs,dc=com" -x "uid=adam,ou=users,dc=tgs,dc=com"  
 Enter LDAP Password:  



In the above command:

. -s specifies the new password for the target entry. Passing it on the command line exposes it in the process list and shell history; -S prompts for it instead.
. -x uses simple (password) authentication. The final argument is the DN of the entry whose password is changed.
. -D specifies your own DN, i.e. the distinguished name used to authenticate to the server; -W prompts for that account’s password.


Create an LDIF file for a New Group


Similar to adding a user, you’ll also need an LDIF file to add a group.

To add a new group to the LDAP groups OU, create an LDIF file with the group information as shown in the example below.


 # cat group1.ldif  
 dn: cn=dbagrp,ou=groups,dc=tgs,dc=com  
 objectClass: top  
 objectClass: posixGroup  
 cn: dbagrp  
 gidNumber: 678  



Add an LDAP Group using ldapadd


Just like adding a user, use the ldapadd command to add the group from the group1.ldif file we created above.

 # ldapadd -x -W -D "cn=ramesh,dc=tgs,dc=com" -f group1.ldif  
 Enter LDAP Password:  
 adding new entry "cn=dbagrp,ou=groups,dc=tgs,dc=com"  



Create an LDIF file for an Existing Group


To add an existing user to a group, you still need an LDIF file.

First, create the LDIF file. In this example, I am adding the user adam to dbagrp (group id 678).


 # cat file1.ldif  
 dn: cn=dbagrp,ou=groups,dc=tgs,dc=com  
 changetype: modify  
 add: memberuid  
 memberuid: adam  



Add a User to an Existing Group using ldapmodify


To add a user to an existing group, we’ll use ldapmodify. This example uses the above LDIF file to add user adam to dbagrp.

 # ldapmodify -x -W -D "cn=ramesh,dc=tgs,dc=com" -f file1.ldif  
 Enter LDAP Password:  
 modifying entry "cn=dbagrp,ou=groups,dc=tgs,dc=com"  



Verify LDAP Entries


Once you’ve added a user or group, you can use ldapsearch to verify it.

Here is a simple example to verify that the user exists in the LDAP database:


 # ldapsearch -x -W -D "cn=ramesh,dc=tgs,dc=com" -b "uid=adam,ou=users,dc=tgs,dc=com" "(objectclass=*)"  
 Enter LDAP Password:  
 # extended LDIF  
 #  
 # LDAPv3  
 # base <uid=adam,ou=users,dc=tgs,dc=com> with scope subtree  
 # filter: (objectclass=*)  
 # requesting: ALL  
 #  
 # adam, users, tgs.com  
 dn: uid=adam,ou=users,dc=tgs,dc=com  
 objectClass: top  
 objectClass: account  
 objectClass: posixAccount  
 objectClass: shadowAccount  
 cn: adam  
 uid: adam  
 uidNumber: 16859  
 gidNumber: 100  
 homeDirectory: /home/adam  
 loginShell: /bin/bash  
 gecos: adam  
 shadowLastChange: 0  
 shadowMax: 0  
 shadowWarning: 0  
 userPassword:: e1NTSEF9b0lPd3AzYTBmT2xQcHBPNDcrK0VHRndEUjdMV2hSZ2U=  
 # search result  
 search: 2  
 result: 0 Success  
 # numResponses: 2  
 # numEntries: 1  
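The base.ldif, adam.ldif, group1.ldif and file1.ldif inputs shown in these two articles and the ldapsearch output just above share one format: LDIF records separated by blank lines, # comments, attr:: value for base64 values and leading-space continuation lines. The following is an added example, not code from either article, that reads that format, runs the pre-flight checks slapd would otherwise fail an ldapadd on (the RDN attribute must appear in the entry, and posixAccount/posixGroup need their RFC 2307 mandatory attributes), and pulls the numeric result code out of ldapsearch output. The LDIF texts inside it are constructed here, modelled on the files above; one of them deliberately omits the cn attribute of the group to show the check firing.

```python
import base64
from typing import Dict, List, Optional

# Added example (not code from either article): a small LDIF reader plus a
# pre-flight check for the entries used on this page. Sample texts below are
# constructed, modelled on base.ldif, adam.ldif and group1.ldif.

Entry = Dict[str, List[str]]

# Attributes that MUST be present per RFC 2307, keyed by lower-case class name.
REQUIRED_ATTRS = {
    "posixaccount": {"cn", "uid", "uidnumber", "gidnumber", "homedirectory"},
    "posixgroup": {"cn", "gidnumber"},
}


def parse_ldif(text: str) -> List[Entry]:
    """Return one dict per record; attribute names are lower-cased."""
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:      # continuation of previous line
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries: List[Entry] = []
    current: Entry = {}
    for line in unfolded + [""]:                  # trailing "" flushes the last record
        if line.startswith("#"):
            continue
        if line.strip() == "":
            if current:
                entries.append(current)
                current = {}
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):                 # 'attr:: base64value'
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    return entries


def check_entry(entry: Entry) -> List[str]:
    """List problems slapd would reject the entry for; an empty list means OK."""
    problems: List[str] = []
    dn = entry.get("dn", [""])[0]
    if not dn:
        return ["record has no dn"]
    rdn_attr = dn.split(",")[0].partition("=")[0].strip().lower()
    if rdn_attr not in entry:
        problems.append(f"RDN attribute '{rdn_attr}' is not present in entry")
    for oc in entry.get("objectclass", []):
        missing = REQUIRED_ATTRS.get(oc.lower(), set()) - set(entry)
        for attr in sorted(missing):
            problems.append(f"{oc} requires attribute '{attr}'")
    return problems


def search_result_code(entries: List[Entry]) -> Optional[int]:
    """Extract the numeric result code from parsed ldapsearch output."""
    for e in entries:
        if "result" in e:
            return int(e["result"][0].split()[0])
    return None


BASE_LDIF = """\
dn: dc=thegeekstuff,dc=com
objectClass: dcObject
objectClass: organization
o: thegeekstuff.com
dc: thegeekstuff

dn: ou=users,dc=thegeekstuff,dc=com
objectClass: organizationalUnit
objectClass: top
ou: users
"""

# Deliberately incomplete: the RDN says cn=dbagrp but no cn attribute is given.
BAD_GROUP_LDIF = """\
dn: cn=dbagrp,ou=groups,dc=tgs,dc=com
objectClass: top
objectClass: posixGroup
gidNumber: 678
"""

# Constructed ldapsearch output: one posixAccount entry and the result record.
SEARCH_OUTPUT = """\
# adam, users, tgs.com
dn: uid=adam,ou=users,dc=tgs,dc=com
objectClass: posixAccount
cn: adam
uid: adam
uidNumber: 16859
gidNumber: 100
homeDirectory: /home/adam
userPassword:: e1NTSEF9b0lPd3AzYTBmT2xQcHBPNDcrK0VHRndEUjdMV2hSZ2U=

# search result
search: 2
result: 0 Success
"""

if __name__ == "__main__":
    for e in parse_ldif(BASE_LDIF) + parse_ldif(BAD_GROUP_LDIF):
        print(e["dn"][0], check_entry(e) or "ok")
    print("result code:", search_result_code(parse_ldif(SEARCH_OUTPUT)))
```

Running check_entry over a file before ldapadd turns a cryptic server-side rejection into a readable list; the same parser applied to ldapsearch output makes the difference between result 32 (base entry not yet created) and result 0 easy to test in a script.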



Delete an Entry from LDAP using ldapdelete


If you’ve made a mistake while adding a user or group, you can remove the entry using ldapdelete.

To delete an entry, you don’t need an LDIF file. The following deletes the user “adam” that we created earlier.


 # ldapdelete -W -D "cn=ramesh,dc=tgs,dc=com" "uid=adam,ou=users,dc=tgs,dc=com"  
 Enter LDAP Password:  
