LDAP Server Configuration RHEL7

Uploaded by corp.la.sf

LDAP SERVER CONFIGURATION

1) yum install openldap* -y

2) change the hostname to ldap.example.com
3) edit the /etc/hosts file so the FQDN resolves (e.g. 172.16.16.200 ldap.example.com ldap)
4) try to ping the server by hostname
5) yum install *openldap* migrationtools -y
6) go to the /etc/openldap/slapd.d/cn=config directory using the cd command and open
olcDatabase={2}hdb.ldif using vim.
Change olcSuffix: dc=example,dc=com (assume that my domain name is example.com
and the fqdn is ldap.example.com)
olcRootDN: cn=Manager,dc=example,dc=com
save & exit
(slapd keeps a CRC in these files, so every file edited by hand makes slaptest and slapd log a
"checksum error" warning; the supported way to change cn=config is ldapmodify over ldapi:///)
7) generate a slap password
slappasswd
New password:
Re-enter new password:
that will print a salted hash of the form {SSHA}... (copy the hash; the clear-text password is
never written anywhere).
Open olcDatabase={2}hdb.ldif using vim
and add the following lines at the end of the file:

olcRootPW: {SSHA}<paste the hash printed by slappasswd>

olcTLSCertificateFile: /etc/pki/tls/certs/example.pem
olcTLSCertificateKeyFile: /etc/pki/tls/certs/examplekey.pem
save & exit
(olcTLSCertificateFile and olcTLSCertificateKeyFile are global options of the cn=config entry, not
of the hdb database; when loaded with ldapmodify they go under "dn: cn=config". The key file must
be readable by root and the ldap group only, see the chown/chmod step after the certificate is
generated.)

8) Open olcDatabase={1}monitor.ldif using vim

Modify the olcAccess line so the root DN reads cn=Manager,dc=example,dc=com (M must be a
capital letter), i.e.:
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=example,dc=com" read by * none
save & exit

slaptest -u -> checks the configuration for errors (it should end with "config file testing
succeeded"; a checksum warning for the hand-edited files is expected).
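The same steps 6 to 8 done the supported way, as an added example that is not part of the original page: the Manager password is hashed exactly as slappasswd does it ({SSHA} = base64 of SHA-1(password || salt) || salt, reproduced here so the stored value can be verified offline), and the suffix, root DN, root password, monitor ACL and global TLS settings are applied to the running slapd with ldapmodify over ldapi:///. It also adds an olcAccess rule to the hdb database that hides userPassword from everyone but the user and the Manager, which the default configuration does not. The function names, the assumed suffix dc=example,dc=com, the root DN and the certificate paths are assumptions taken from the page, and the certificate and key must already exist when the cn=config change is applied.

```shell
#!/bin/sh
# Added example (not from the original page): apply the step 6-8 settings to a
# running RHEL7 slapd through ldapmodify over ldapi:/// instead of editing the
# files under /etc/openldap/slapd.d by hand.  The Manager password is stored
# only as a salted SHA-1 hash ({SSHA}), the format slappasswd emits by default;
# ssha_hash/ssha_verify reproduce it so the stored value can be checked offline.
# Assumed values: suffix dc=example,dc=com, root DN cn=Manager,dc=example,dc=com,
# the certificate and key paths used on the page (they must exist before the
# cn=config change is applied, or slapd rejects it).
set -u

SUFFIX=${SUFFIX:-dc=example,dc=com}
ROOT_DN=${ROOT_DN:-cn=Manager,$SUFFIX}
TLS_CERT=${TLS_CERT:-/etc/pki/tls/certs/example.pem}
TLS_KEY=${TLS_KEY:-/etc/pki/tls/certs/examplekey.pem}

hex2bin() {  # write the bytes of an even-length hex string ($1) to stdout
  local h=$1
  while [ -n "$h" ]; do
    printf "\\$(printf '%03o' "$((0x${h%"${h#??}"}))")"
    h=${h#??}
  done
}

ssha_hash() {  # $1 = password, $2 = salt as hex (default: 8 random bytes)
  local salt_hex digest_hex
  salt_hex=${2:-$(od -An -tx1 -N8 /dev/urandom | tr -d ' \n')}
  # {SSHA} = base64( SHA1(password || salt) || salt ), as produced by slappasswd
  digest_hex=$({ printf '%s' "$1"; hex2bin "$salt_hex"; } | sha1sum | cut -c1-40)
  printf '{SSHA}%s\n' "$(hex2bin "$digest_hex$salt_hex" | base64 | tr -d '\n')"
}

ssha_verify() {  # $1 = password, $2 = stored {SSHA} value; returns 0 when they match
  local stored=$2 hex
  case $stored in '{SSHA}'*) ;; *) return 2 ;; esac
  hex=$(printf '%s' "${stored#\{SSHA\}}" | base64 -d | od -An -tx1 | tr -d ' \n')
  [ "${#hex}" -gt 40 ] || return 2   # 20-byte digest must be followed by the salt
  [ "$(ssha_hash "$1" "$(printf '%s' "$hex" | cut -c41-)")" = "$stored" ]
}

config_ldif() {  # $1 = {SSHA} hash for olcRootPW; prints the cn=config changes
  cat <<EOF
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: $SUFFIX
-
replace: olcRootDN
olcRootDN: $ROOT_DN
-
replace: olcRootPW
olcRootPW: $1
-
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn.exact="$ROOT_DN" write by anonymous auth by self write by * none
olcAccess: {1}to * by dn.exact="$ROOT_DN" write by * read

dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="$ROOT_DN" read by * none

dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: $TLS_CERT
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: $TLS_KEY
EOF
}

apply_config() {  # run as root on the server; reads the new Manager password from the terminal
  local pw
  printf 'New password for %s: ' "$ROOT_DN"
  stty -echo; read -r pw; stty echo; printf '\n'
  config_ldif "$(ssha_hash "$pw")" | ldapmodify -Q -Y EXTERNAL -H ldapi:///
  slaptest -u   # re-check the resulting configuration
}

# Only acts when invoked as "sh this.sh --apply"; otherwise the file just defines the functions.
if [ "${1:-}" = "--apply" ]; then apply_config; fi
```

The ACL order matters: the userPassword rule must come first, because slapd stops at the first "to" clause that matches the target, and "by anonymous auth" is what still lets a client bind with the hash-backed password while "by * none" stops anyone from reading it.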

9) systemctl enable slapd

systemctl start slapd
(use systemctl restart slapd after any later configuration change)

10) cp -rvf /usr/share/doc/openldap-servers-2.4.39/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

*** the target must be named DB_CONFIG (underscore), otherwise the Berkeley DB backend ignores it.
If DB_CONFIG.example is not available under the doc directory, try the path below instead:

cp -rvf /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

11) chown -R ldap:ldap /var/lib/ldap

ls -l /var/lib/ldap (now the user and group are changed to ldap)

12) ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
(cosine and nis provide the account, posixAccount, shadowAccount and posixGroup classes the
migration LDIF uses; nis depends on cosine, so keep this order)

-> now we will generate a self-signed certificate.

openssl req -new -x509 -nodes -out /etc/pki/tls/certs/example.pem -keyout
/etc/pki/tls/certs/examplekey.pem -days 365
Country name : BD
State : DHK
Locality : Mirpur
Organization : IT
Organizational unit : ldap.example.com
Common name : ldap.example.com (must match the name clients use in ldap://ldap.example.com)
Email : [email protected]
Check whether the files were created in the /etc/pki/tls/certs folder with the ls command

12) chown -R root:ldap /etc/pki/tls/certs/example*
chmod 0640 /etc/pki/tls/certs/examplekey.pem

That will change the group to ldap for those 2 files; the chmod keeps the private key readable by
root and the ldap group (slapd runs as ldap) and by nobody else.
13) systemctl enable slapd
14) systemctl restart slapd (so slapd picks up the certificate and key)

15) copy the cert file from /etc/pki/tls/certs to /var/ftp/pub (only the certificate, never the key)

cp -rfv /etc/pki/tls/certs/example.pem /var/ftp/pub
16) create a link to /var/ftp/pub inside /var/www/html
cd /var/www/html
ln -s /var/ftp/pub

17) start both the ftp and http services and enable them permanently

18) service iptables stop (rhel6)
19) chkconfig iptables off (stops the firewall permanently, rhel6)
For rhel7 the equivalent is systemctl stop firewalld, but rather than switching the firewall off,
open only the services that are needed:
firewall-cmd --permanent --add-service=ldap --add-service=http --add-service=ftp
firewall-cmd --reload
20) yum install migrationtools - if necessary

21) cd /usr/share/migrationtools
22) vim migrate_common.ph -> around line 71 change
$DEFAULT_MAIL_DOMAIN = "example.com";
$DEFAULT_BASE = "dc=example,dc=com";
around line 90
$EXTENDED_SCHEMA = 1;
around line 61
in the else section change $NAMINGCONTEXT{'group'} = "ou=Groups";
save & exit
23) ./migrate_base.pl -> check that the output reflects the settings above, i.e.
$DEFAULT_MAIL_DOMAIN = "example.com";
$DEFAULT_BASE = "dc=example,dc=com";
$EXTENDED_SCHEMA = 1;
(the dn lines must end in dc=example,dc=com and the group container must be ou=Groups)
24) ./migrate_base.pl > /root/base.ldif

25) mkdir /home/guests

26) useradd -d /home/guests/ldapuser1 ldapuser1
passwd ldapuser1
(the same way we can create multiple users and set passwords for them; these are ordinary local
accounts that exist only to be exported into LDAP, and their homes sit under /home/guests so that
one NFS export covers them all)

27) getent passwd -> to check the users to be migrated
28) getent passwd | tail -n 5 -> to see the last five users
29) getent passwd | tail -n 5 > /root/users -> that will send the last 5 users to the
/root/users file
30) vi /root/users -> to check the info (make sure only the accounts you want in LDAP are listed)
31) getent shadow | tail -n 5 > /root/passwords -> that will send the password hashes of the
last 5 users to /root/passwords (this file holds password hashes: create it with umask 077 and
delete it once the LDIF has been loaded)
32) getent group | tail -n 5 > /root/groups -> that will send the last 5 groups' info to the
/root/groups file
33) vim migrate_passwd.pl (make sure you are inside /usr/share/migrationtools)
Find /etc/shadow around line 188, in the open(SHADOW, ...) call, and change it to /root/passwords:
open(SHADOW, "/root/passwords")
34) ./migrate_passwd.pl /root/users -> check the LDIF generated for the users on screen
35) ./migrate_passwd.pl /root/users > /root/users.ldif -> that will create the ldif file inside /root
36) ./migrate_group.pl /root/groups > /root/groups.ldif -> groups are converted by
migrate_group.pl, not migrate_passwd.pl. Now we will upload the .ldif files to the LDAP server.
37) ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f /root/base.ldif -> provide the
Manager password (the one given to slappasswd); the same for users.ldif and groups.ldif
38) ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f /root/users.ldif
39) ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f /root/groups.ldif
40) ldapsearch -x -b dc=example,dc=com cn=ldapuser1 -> that will show ldapuser1's information.
Note that -x without -D is an anonymous search: olcDatabase={2}hdb ships with no olcAccess
rules, so the default policy (read for everyone) applies and the search returns the userPassword
hashes as well. Add an olcAccess rule to the hdb database that hides userPassword from everyone
but the user and the Manager before exposing the server to clients.
firewall-cmd --permanent --add-service=ldap
firewall-cmd --reload
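The LDIF that steps 24, 35 and 36 obtain from migrate_base.pl, migrate_passwd.pl and migrate_group.pl, built directly from passwd-, shadow- and group-format lines, as an added example that is not part of the original page or of migrationtools. It shows what actually lands in the directory: the crypt(3) hash carried over as {CRYPT}<hash>, the shadow ageing fields, and the memberUid list for a group. Unlike the migration scripts it emits no userPassword for an account whose shadow field is locked ("!", "!!" or "*"), so such an account cannot bind until a password is set. The function names, the base DN dc=example,dc=com and the containers ou=People and ou=Groups (the page renames ou=Group to ou=Groups in migrate_common.ph) are assumptions; the sample lines in the usage comment and the test are constructed.

```shell
#!/bin/sh
# Added example (not from the original page or from migrationtools): build the
# LDIF that steps 24, 35 and 36 obtain from migrate_base.pl, migrate_passwd.pl
# and migrate_group.pl, from passwd-, shadow- and group-format lines.  The
# password hash is carried over as {CRYPT}<hash> so slapd checks it with
# crypt(3); a locked shadow field ("!", "!!" or "*") yields no userPassword at
# all, so such an account cannot bind until a password is set.  Assumed: base
# DN dc=example,dc=com and the containers ou=People and ou=Groups (the page
# renames ou=Group to ou=Groups in migrate_common.ph).
set -u

BASE_DN=${BASE_DN:-dc=example,dc=com}

base_ldif() {  # the suffix entry plus the two containers
  local dc=${BASE_DN#dc=}
  dc=${dc%%,*}
  cat <<EOF
dn: $BASE_DN
objectClass: top
objectClass: dcObject
objectClass: organization
dc: $dc
o: $dc

dn: ou=People,$BASE_DN
objectClass: top
objectClass: organizationalUnit
ou: People

dn: ou=Groups,$BASE_DN
objectClass: top
objectClass: organizationalUnit
ou: Groups

EOF
}

passwd_to_ldif() {  # $1 = passwd line, $2 = that user's shadow line ("" if none)
  local name x uid gid gecos home shell sname hash lastchg min max warn rest
  IFS=: read -r name x uid gid gecos home shell <<EOF
$1
EOF
  IFS=: read -r sname hash lastchg min max warn rest <<EOF
$2
EOF
  printf 'dn: uid=%s,ou=People,%s\nuid: %s\ncn: %s\n' "$name" "$BASE_DN" "$name" "${gecos:-$name}"
  printf 'objectClass: account\nobjectClass: posixAccount\nobjectClass: top\nobjectClass: shadowAccount\n'
  case $hash in
    '' | '!'* | '*'*) ;;   # locked or missing hash: emit no userPassword
    *) printf 'userPassword: {CRYPT}%s\n' "$hash" ;;
  esac
  printf 'loginShell: %s\nuidNumber: %s\ngidNumber: %s\nhomeDirectory: %s\n' "$shell" "$uid" "$gid" "$home"
  [ -n "$lastchg" ] && printf 'shadowLastChange: %s\n' "$lastchg"
  [ -n "$min" ] && printf 'shadowMin: %s\n' "$min"
  [ -n "$max" ] && printf 'shadowMax: %s\n' "$max"
  [ -n "$warn" ] && printf 'shadowWarning: %s\n' "$warn"
  printf '\n'
}

group_to_ldif() {  # $1 = group line (name:x:gid:member1,member2)
  local name x gid members
  IFS=: read -r name x gid members <<EOF
$1
EOF
  printf 'dn: cn=%s,ou=Groups,%s\nobjectClass: posixGroup\nobjectClass: top\ncn: %s\ngidNumber: %s\n' \
    "$name" "$BASE_DN" "$name" "$gid"
  printf '%s\n' "$members" | tr ',' '\n' | sed '/^$/d; s/^/memberUid: /'
  printf '\n'
}

migrate_files() {  # $1 = passwd file, $2 = shadow file, $3 = group file; LDIF on stdout
  local line name
  while IFS= read -r line; do
    name=${line%%:*}
    passwd_to_ldif "$line" "$(awk -F: -v n="$name" '$1 == n' "$2")"
  done < "$1"
  while IFS= read -r line; do group_to_ldif "$line"; done < "$3"
}

# On the server (the dumps contain password hashes: keep them root-only and remove them afterwards):
#   umask 077
#   getent passwd | tail -n 5 > /root/users; getent shadow | tail -n 5 > /root/passwords
#   getent group | tail -n 5 > /root/groups
#   sh this.sh --run /root/users /root/passwords /root/groups > /root/all.ldif
#   ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f /root/all.ldif
#   shred -u /root/passwords /root/all.ldif
if [ "${1:-}" = "--run" ]; then base_ldif; migrate_files "$2" "$3" "$4"; fi
```

Loading users.ldif puts the same hashes that live in /etc/shadow into the directory, which is why the olcAccess rule on userPassword mentioned under step 40 has to be in place before any client is pointed at the server.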

LDAP Server configuration completed, now let's configure the ldap client

- Go to the client machine's /etc/hosts file and add the ldap server ip with the domain name,
like 172.16.16.200 ldap.example.com ldap
- yum install authconfig* authconfig-gtk sssd -y
- try to ping the server using the domain name
- try to log in to the machine as ldapuser1 (you will be denied)
- try to see the ldapuser info using the getent passwd ldapuser1 command: nothing will
show. Hence you need to open the authentication configuration window using
authconfig-gtk
- Select LDAP from user account database
- LDAP search base dn: dc=example,dc=com (the server's base DN)
LDAP server : ldap://ldap.example.com (the name must match the certificate's Common Name)
- Check "use TLS to encrypt connection" and click "Download CA Certificate"
- Type the URL of the certificate file, like http://ldap.example.com/pub/example.pem
* Alternatively you may browse this URL with firefox before applying, to see whether it
works or not. The download itself is plain http, so compare the certificate's fingerprint
(openssl x509 -in example.pem -noout -fingerprint -sha256) with the one computed on the server
before trusting it.
- click apply to leave the "Authentication configuration" window
- Now try the getent command, which will show the ldap user info: getent passwd ldapuser1
try to log in with the user name - su - ldapuser1. Now the user is able to log in
but does not get a home directory; to access the home directory from the ldap
server we need to share the home directory of the ldap server through nfs.
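The certificate step on the server and the "Download CA Certificate" step on the client, as one added example that is not part of the original page. gen_selfsigned creates the key and certificate non-interactively with a subjectAltName (the page's interactive openssl req has none, and newer clients check the SAN rather than the Common Name) and leaves the key readable by the ldap group only; install_trusted_ca is the client side and refuses a downloaded certificate whose SHA-256 fingerprint does not match the value obtained from the server by another channel, since the FTP/HTTP download is unauthenticated; configure_client is the command-line equivalent of the authconfig-gtk settings on the page. The function names, the organisation "IT", the directory /etc/openldap/cacerts and the use of cacertdir_rehash from the authconfig package are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): the server-side certificate
# step and the client-side trust step done so that the client checks what it
# downloaded.  gen_selfsigned creates the key/cert pair non-interactively
# with a subjectAltName and makes the key readable by group ldap only;
# install_trusted_ca refuses a certificate whose SHA-256 fingerprint does not
# match the value obtained out of band.  Assumed names: ldap.example.com,
# /etc/openldap/cacerts, /var/ftp/pub, cacertdir_rehash from authconfig.
set -u

gen_selfsigned() {  # $1 = output dir, $2 = FQDN, $3 = validity in days
  local dir=$1 fqdn=$2 days=$3
  mkdir -p "$dir"
  cat > "$dir/req.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = ext
[dn]
CN = $fqdn
O = IT
[ext]
subjectAltName = DNS:$fqdn
basicConstraints = CA:FALSE
EOF
  ( umask 077 && openssl req -new -x509 -nodes -newkey rsa:2048 -sha256 -days "$days" \
      -config "$dir/req.cnf" -keyout "$dir/examplekey.pem" -out "$dir/example.pem" 2>/dev/null )
  rm -f "$dir/req.cnf"
  chmod 0644 "$dir/example.pem"
  chmod 0640 "$dir/examplekey.pem"   # slapd runs as ldap and must read the key; nobody else may
  if [ "$(id -u)" -eq 0 ] && getent group ldap >/dev/null 2>&1; then
    chown root:ldap "$dir/examplekey.pem" "$dir/example.pem"
  fi
}

cert_fingerprint() {  # $1 = PEM file; prints the SHA-256 fingerprint as AA:BB:...
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

install_trusted_ca() {  # $1 = downloaded PEM, $2 = expected fingerprint, $3 = cacerts dir
  local actual
  actual=$(cert_fingerprint "$1")
  if [ "$actual" != "$2" ]; then
    echo "fingerprint mismatch: got $actual, expected $2; not installing" >&2
    return 1
  fi
  mkdir -p "$3"
  install -m 0644 "$1" "$3/$(basename "$1")"
  # ldap.conf and sssd on RHEL7 use a TLS_CACERTDIR, which needs the hashed symlinks
  if command -v cacertdir_rehash >/dev/null 2>&1; then cacertdir_rehash "$3"; fi
}

configure_client() {  # $1 = server FQDN, $2 = base DN; the authconfig-gtk choices from the page
  authconfig --enableldap --enableldapauth --ldapserver="ldap://$1" --ldapbasedn="$2" \
             --enableldaptls --update
}

# Server: gen_selfsigned /etc/pki/tls/certs ldap.example.com 365
#         cert_fingerprint /etc/pki/tls/certs/example.pem   (hand this value to the client admin)
#         cp /etc/pki/tls/certs/example.pem /var/ftp/pub
# Client: curl -o /tmp/example.pem http://ldap.example.com/pub/example.pem
#         install_trusted_ca /tmp/example.pem "<fingerprint from the server>" /etc/openldap/cacerts
#         configure_client ldap.example.com dc=example,dc=com
```

With the certificate already in /etc/openldap/cacerts, authconfig is run without --ldaploadcacert, so nothing is fetched over plain http at configuration time.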

NFS Configuration on LDAP Server

1) vim /etc/exports
/home/guests 172.16.0.0/16(rw,sync)
save & exit
exportfs -ra
2) restart the NFS service and enable it permanently:
systemctl enable nfs-server
systemctl restart nfs-server
3) showmount -e ldap.example.com -> that will show the nfs shares
4) if not added already, add nfs to the firewall and reload:
firewall-cmd --permanent --add-service=nfs
firewall-cmd --reload
(the export uses the default sec=sys, so the server trusts the UID the client presents; this is
why the UIDs must be identical on both sides, see the note at the end)
Again we need to go to the client part

*** yum install autofs

systemctl enable autofs (do not start the autofs service yet)
1) vim /etc/auto.master.d/test.autofs
/home/guests /etc/auto.guests
save & exit
2) vim /etc/auto.guests
* -rw ldap.example.com:/home/guests/&
3) systemctl restart autofs
4) su - ldapuser1

*** sometimes after logging in as an ldap user you may see a different user name. This is
because the uid of the ldap user and the uid of a local user on the client pc are the same, and
nsswitch consults the local files first, so the local name wins. Change the uid so that the local
and LDAP ranges do not overlap.
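A check for the clash described in the note, as an added example that is not part of the original page: on the client, dump the two NSS sources separately (getent passwd -s files and getent passwd -s sss) and compare them. A UID that maps to different names in the two sources, or a name that maps to different UIDs, is reported, and the check fails so it can gate the autofs step. Because the NFS export runs with sec=sys, the server also trusts whatever UID the client presents, so the same numbers must mean the same people on both sides. The function names and the sample passwd lines in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the original page): find the UID clash the note
# above describes before it bites.  On the client, dump the two NSS sources
# separately ("getent passwd -s files" and "getent passwd -s sss") and
# compare them.  Assumed function names; the sample data lives in the test.
set -u

uid_collisions() {  # $1 = LDAP passwd-format file, $2 = local passwd-format file
  awk -F: '
    FILENAME == ARGV[1] { ldap_name[$3] = $1; ldap_uid[$1] = $3; next }   # first file: LDAP users
    ($3 in ldap_name) && ldap_name[$3] != $1 { printf "uid %s: local %s vs ldap %s\n", $3, $1, ldap_name[$3] }
    ($1 in ldap_uid)  && ldap_uid[$1]  != $3 { printf "user %s: local uid %s vs ldap uid %s\n", $1, $3, ldap_uid[$1] }
  ' "$1" "$2"
}

check_uids() {  # returns 0 when the two sources agree, 1 (with the report on stderr) otherwise
  local report
  report=$(uid_collisions "$1" "$2")
  [ -z "$report" ] || { printf '%s\n' "$report" >&2; return 1; }
}

# Typical use on the client:
#   getent passwd -s sss > /tmp/ldap.txt; getent passwd -s files > /tmp/local.txt
#   check_uids /tmp/ldap.txt /tmp/local.txt || echo "fix the UID ranges before enabling autofs"
if [ "${1:-}" = "--check" ]; then check_uids "$2" "$3"; fi
```

Keeping local accounts below 1000 (the RHEL7 default for system accounts is lower still) and assigning LDAP accounts from a separate range, e.g. 2000 upwards, avoids the overlap in the first place.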
