Sunday, 4 January 2015

OpenLDAP Server and Client configuration in RHEL



OpenLDAP Software is an open source implementation of the Lightweight Directory Access Protocol (LDAP). As the name suggests, LDAP is a lightweight client-server protocol for accessing directory services.
Here I am showing how to configure an LDAP server for centralized user management. The LDAP server is running on RHEL 6.2.
First we need to install the openldap packages, using yum or rpm.
# yum install openldap* -y
Check that name resolution for the LDAP server is configured properly: check /etc/hosts and the output of the hostname command.

/etc/openldap/slapd.d/ is the main configuration directory for the OpenLDAP server.
Under /etc/openldap/slapd.d there is a sub-directory called cn=config. Directives contained in the cn=config entry generally apply to the server as a whole; most of them are system or connection oriented, not database related. This entry must have the olcGlobal objectClass.

Let's configure the OpenLDAP server now.
Go to the cn=config directory and check the files under it.
Now we need to edit olcDatabase={2}hdb.ldif to change the configuration.
Update the following attributes according to your domain.

olcSuffix: dc=vinzlinux,dc=com
olcRootDN: cn=Manager,dc=vinzlinux,dc=com

Now generate a hashed password for the administrator user, that is "Manager". Create it with the following command.
# slappasswd
Inside /etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif add the following lines:
olcRootPW: < ENCRYPTED PASSWORD >
olcTLSCertificateFile: /etc/pki/tls/certs/vinzlinux.pem
olcTLSCertificateKeyFile: /etc/pki/tls/certs/vinzlinuxkey.pem

Those are the lines I added on my server.
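As an added check, not part of the original post: a small shell function that validates those three edits before slapd is started. It assumes the values and paths used in this post and accepts only the {SSHA} and {CRYPT} schemes slappasswd produces, so a cleartext or placeholder olcRootPW is reported.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check olcDatabase={2}hdb.ldif
# after editing it. Returns 0 only when olcRootDN sits under olcSuffix, olcRootPW
# is a slappasswd hash (not cleartext or the "< ENCRYPTED PASSWORD >" placeholder)
# and both TLS attributes are present.
check_hdb_ldif() {
    f="$1"; rc=0
    suffix=$(sed -n 's/^olcSuffix: *//p' "$f" | head -n 1)
    rootdn=$(sed -n 's/^olcRootDN: *//p' "$f" | head -n 1)
    rootpw=$(sed -n 's/^olcRootPW: *//p' "$f" | head -n 1)
    # The Manager DN must be inside the suffix, or binds as Manager will not reach this DB.
    case "$rootdn" in
        *",$suffix") ;;
        *) echo "FAIL: olcRootDN '$rootdn' is not under olcSuffix '$suffix'"; rc=1 ;;
    esac
    # slappasswd prefixes its output with the scheme, e.g. {SSHA}; anything else
    # means the admin secret is stored in cleartext in the config directory.
    case "$rootpw" in
        "")                   echo "FAIL: olcRootPW is missing"; rc=1 ;;
        "{SSHA}"*|"{CRYPT}"*) ;;
        *)                    echo "FAIL: olcRootPW is not a slappasswd hash: '$rootpw'"; rc=1 ;;
    esac
    for key in olcTLSCertificateFile olcTLSCertificateKeyFile; do
        grep -q "^$key: " "$f" || { echo "FAIL: $key is not set"; rc=1; }
    done
    return $rc
}

# Constructed sample files standing in for the real hdb.ldif (values from the post;
# the hash is a placeholder, not real slappasswd output).
GOOD_LDIF=$(mktemp); BAD_LDIF=$(mktemp)
cat > "$GOOD_LDIF" <<'EOF'
olcSuffix: dc=vinzlinux,dc=com
olcRootDN: cn=Manager,dc=vinzlinux,dc=com
olcRootPW: {SSHA}constructedBase64HashValueXXXXXXXXXX
olcTLSCertificateFile: /etc/pki/tls/certs/vinzlinux.pem
olcTLSCertificateKeyFile: /etc/pki/tls/certs/vinzlinuxkey.pem
EOF
cat > "$BAD_LDIF" <<'EOF'
olcSuffix: dc=vinzlinux,dc=com
olcRootDN: cn=Manager,dc=example,dc=com
olcRootPW: redhat
EOF
check_hdb_ldif "$GOOD_LDIF" && echo "OK: $GOOD_LDIF passes"
check_hdb_ldif "$BAD_LDIF" || echo "BAD: $BAD_LDIF has problems"
```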

Now set the monitoring privileges. For this we need to edit the olcDatabase={1}monitor.ldif file and change the olcAccess attribute.

As the OpenLDAP Administrator's Guide describes it, this directive grants access (specified by <accesslevel>) to a set of entries and/or attributes (specified by <what>) by one or more requestors (specified by <who>). See the Access Control section of the OpenLDAP Administrator's Guide for a summary of basic usage.

Note: If no olcAccess directives are specified, the default access control policy, to * by * read, allows all users (both authenticated and anonymous) read access.
Note: Access controls defined in the frontend are appended to all other databases' controls.

olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external
 ,cn=auth" read by dn.base="cn=Manager,dc=vinzlinux,dc=com" read by * none

We need to configure the database now. Let's copy the sample DB_CONFIG file.
# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
We need to change the owner and group of this database directory to ldap:
# chown -R ldap:ldap /var/lib/ldap/

Run the updatedb command so the new files are indexed (this refreshes the locate(1) file index, not the LDAP database itself).

Configure OpenLDAP to listen on SSL/TLS: edit /etc/sysconfig/ldap and add the following line.
SLAPD_LDAPS=yes

We need to create a certificate for the OpenLDAP server. You can use a CA server or something else, but here I am creating a self-signed certificate.
Run the openssl command to create the self-signed certificate:
# openssl req -new -x509 -nodes -out /etc/pki/tls/certs/vinzlinux.pem -keyout /etc/pki/tls/certs/vinzlinuxkey.pem -days 365
Check that the certificate and key were created under /etc/pki/tls/certs.

We need to change the owner and group of the certificate and key file so that slapd (running as the ldap user) can read them:
# chown -Rf root:ldap /etc/pki/tls/certs/vinzlinux.pem
# chown -Rf root:ldap /etc/pki/tls/certs/vinzlinuxkey.pem


Now let's start the slapd service and enable it at boot using the following commands.
# service slapd start
# chkconfig slapd on
We need to make the certificate available to all clients. For this we serve it over FTP and HTTP.
Here are the steps:
# cp -rvf /etc/pki/tls/certs/vinzlinux.pem /var/ftp/pub/
# service vsftpd start
# ln -s /var/ftp/pub/ /var/www/html/
# chkconfig vsftpd on
# chkconfig httpd on



I am not using a firewall in this lab, so I am stopping iptables (on a production server you would leave iptables running and allow only the LDAP ports, tcp/389 and tcp/636, instead).
# service iptables stop
# chkconfig iptables off
Now we need to create the base objects in OpenLDAP.
NOTE: base objects means the dn: entries for the domain and for the OUs; to create a dn: we have to define its objectClass. There are two ways: (1) manual creation, (2) using migration tools. In this example I am using migration tools.
So first install migrationtools using yum.
# yum install migrationtools -y
Inside /usr/share/migrationtools/ there are a lot of files and scripts.
We need to change some predefined values according to our domain name. Edit migrate_common.ph and update the following values.
Change the following line (line 61):
$NAMINGCONTEXT{'group'}             = "ou=Groups";
Change your mail domain (line 71):
$DEFAULT_MAIL_DOMAIN = "vinzlinux.com";
Change your base DN (line 74):
$DEFAULT_BASE = "dc=vinzlinux,dc=com";
Change the extended schema value to 1 (line 90):
$EXTENDED_SCHEMA = 1;

Now generate a base.ldif file for your domain with the following commands:
# cd /usr/share/migrationtools
# ./migrate_base.pl > /root/base.ldif
Now let's create the LDAP users on this server. Use the following commands to create the local accounts that will be migrated.
# mkdir /home/guests
# useradd -d /home/guests/ldapuser1 ldapuser1
# useradd -d /home/guests/ldapuser2 ldapuser2
# useradd -d /home/guests/ldapuser3 ldapuser3

Update the passwords for the ldapusers with the following commands.
# echo "redhat" | passwd --stdin ldapuser1
# echo "redhat" | passwd --stdin ldapuser2
# echo "redhat" | passwd --stdin ldapuser3

We need to extract these users from /etc/passwd into another file:
# getent passwd | tail -3 > /root/users
Next we need to extract the password information from /etc/shadow into another file:
# getent shadow | tail -3 > /root/passwords
Extract the user groups from /etc/group into another file:
# getent group | tail -3 > /root/groups
Now we have to generate LDIF files from these extracted users, passwords, and groups.
For this we first need to edit migrate_passwd.pl to change the location of the shadow file:
# vim migrate_passwd.pl
Inside this file search for /etc/shadow and change it to /root/passwords, then save and exit.
NOTE: "/etc/shadow" is at approximately line 188.
Now generate an LDIF file for the users:
# ./migrate_passwd.pl /root/users > /root/users.ldif
Now generate an LDIF file for the groups:
# ./migrate_group.pl /root/groups > /root/groups.ldif
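The users.ldif step above, as an added example that is not part of the original post: a shell function that does what migrate_passwd.pl does once its /etc/shadow path is changed, joining the passwd-format and shadow-format extracts into posixAccount/shadowAccount entries. The base DN and ou=People follow the post; the sample lines are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: build users.ldif from a passwd-format
# file and a shadow-format file, the same shape migrate_passwd.pl produces once it
# is pointed at /root/passwords. Base DN and People OU follow the post.
BASE_DN="dc=vinzlinux,dc=com"

# passwd_to_ldif USERS_FILE SHADOW_FILE -> one LDIF entry per user on stdout.
# The shadow hash is copied verbatim into userPassword: {crypt}..., so the
# generated LDIF is as sensitive as /etc/shadow and should be removed after ldapadd.
passwd_to_ldif() {
    awk -F: -v base="$BASE_DN" '
    NR == FNR {               # first file: shadow lines, keyed by user name
        hash[$1] = $2; last[$1] = $3; min[$1] = $4; max[$1] = $5; warn[$1] = $6
        next
    }
    NF >= 7 {                 # second file: passwd lines
        u = $1
        printf "dn: uid=%s,ou=People,%s\n", u, base
        printf "uid: %s\ncn: %s\n", u, u
        print "objectClass: account\nobjectClass: posixAccount"
        print "objectClass: top\nobjectClass: shadowAccount"
        if (u in hash) {
            printf "userPassword: {crypt}%s\n", hash[u]
            printf "shadowLastChange: %s\nshadowMin: %s\n", last[u], min[u]
            printf "shadowMax: %s\nshadowWarning: %s\n", max[u], warn[u]
        }
        printf "loginShell: %s\nuidNumber: %s\ngidNumber: %s\n", $7, $3, $4
        printf "homeDirectory: %s\n\n", $6
    }' "$2" "$1"
}

# Constructed sample input mirroring /root/users and /root/passwords from the post
# (hashes are placeholders, not real crypt(3) output).
USERS_FILE=$(mktemp); SHADOW_FILE=$(mktemp)
printf '%s\n' 'ldapuser1:x:501:501::/home/guests/ldapuser1:/bin/bash' \
              'ldapuser2:x:502:502::/home/guests/ldapuser2:/bin/bash' > "$USERS_FILE"
printf '%s\n' 'ldapuser1:$6$constructedsalt$constructedhash1:16439:0:99999:7:::' \
              'ldapuser2:$6$constructedsalt$constructedhash2:16439:0:99999:7:::' > "$SHADOW_FILE"

passwd_to_ldif "$USERS_FILE" "$SHADOW_FILE"
```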
LDIF file creation is finished; let us upload these LDIF files to the LDAP server. The following command is used to load an LDIF file into the server.

# ldapadd -x -W -D "cn=Manager,dc=vinzlinux,dc=com" -f /root/base.ldif
It will ask for the password of "Manager"; type the clear-text password whose hash you generated with slappasswd.
# ldapadd -x -W -D "cn=Manager,dc=vinzlinux,dc=com" -f /root/users.ldif
# ldapadd -x -W -D "cn=Manager,dc=vinzlinux,dc=com" -f /root/groups.ldif
Now let us check the LDAP configuration. We can use the ldapsearch command to test it.
We are done with the LDAP configuration. Only one step is pending: we need to share the LDAP users' home directories via NFS so they can be mounted on the client machine.
Edit /etc/exports and add the export entry. I am sharing /home/guests with all client machines in my network.

Restart the NFS service on the server and enable it at boot.
# service nfs restart
# chkconfig nfs on

Verify the shared directory from the server: run showmount -e to check it.

Let's work on the client-side configuration now.
I have a RHEL 7.0 system, node1, which needs to be configured as an LDAP client for this server.


Check whether the ldapusers are available on the client. Run the following commands to check.
# getent passwd ldapuser1
# getent passwd ldapuser2
# getent passwd ldapuser3
These commands return nothing yet.

Trying to switch user to an ldapuser also does not work at this point.


Now let's configure the LDAP client using the authconfig-gtk command. This is a GUI tool to configure client authentication; authconfig-tui is available for a text UI and authconfig for the CLI.
Here I am using authconfig-gtk to set up LDAP authentication.
(Note: the authconfig-gtk command is provided by the authconfig-gtk package.)
Run # authconfig-gtk and you will see the configuration window.
Update the LDAP configuration details: set the LDAP Search Base DN to dc=vinzlinux,dc=com, the LDAP Server to ldap.vinzlinux.com, and tick "Use TLS to encrypt connections".

Click on Download CA certificate, where you need to give the URL of the vinzlinux.pem certificate we made available at the FTP/HTTP location on the server.
First do a curl test from node1 (the LDAP client) to check that the certificate is reachable by external clients.
# curl http://ldap.vinzlinux.com/pub/vinzlinux.pem
The output will be the PEM-encoded certificate (BEGIN CERTIFICATE ... END CERTIFICATE).

Give this URL as the location to download the CA certificate for the client configuration.

Click OK and then Apply to apply the LDAP client configuration.
Now if you run getent passwd ldapuser1 it will show the entry.

Now set up autofs on the client machine to mount the home directory over NFS when an LDAP user logs in.
Create the file /etc/auto.master.d/ldap.autofs and add the following entry.
/home/guests    /etc/auto.ldap
Now create the /etc/auto.ldap file and add the following entry (autofs replaces & with the matched user name).

*       -rw     ldap.vinzlinux.com:/home/guests/&
Restart the autofs service and enable it.
# systemctl restart autofs
# systemctl enable autofs

Now let us log in and check. Let me log in as ldapuser1 on node1.

Yes, I can log in as ldapuser1 on node1 and the ldapuser home directory is also mounted.
That's all about a simple LDAP server and client configuration in Red Hat Linux. Hope this is useful to you. Please share your feedback if any.

2 comments:

  1. This was really helpful. If you can mention the below information also, that will make the post more understandable for newbies.

    -Abbreviations
    ldif - ldap data interchange format
    slapd - Stand-alone LDAP Daemon
    olc - Open LDAP Configuration or Online Configuration
    bdb - Berkeley DB format
    hdb - Hierarchical database format
    PEM - Privacy Enhanced Mail
    CN - Common Name
    OU - Organizational Unit
    DC - Domain Component
    DN - Distinguished Name


    -Example query

    ("CN=Dev-India,OU=Distribution Groups,DC=gp,DC=gl,DC=google,DC=com");
    In effect the query is:

    From the com Domain Component, find the google Domain Component, and then inside it the gl Domain Component and then inside it the gp Domain Component.

    In the gp Domain Component, find the Organizational Unit called Distribution Groups and then find the object that has a common name of Dev-India.
