e LDAP server will be named instructor.example.com in this procedure.<\/p>\n
Install the following packages:<\/p>\n
# yum install -y openldap openldap-clients openldap-servers migrationtools net-tools.x86_64
\nGenerate a LDAP password from a secret key (using redhat):<\/p>\n
# slappasswd -s redhat -n > \/etc\/openldap\/passwd
\nGenerate a X509 certificate valid for 365 days:<\/p>\n
# openssl req -new -x509 -nodes -out \/etc\/openldap\/certs\/cert.pem -keyout \/etc\/openldap\/certs\/priv.pem -days 365
\nGenerating a 2048 bit RSA private key
\n…..+++
\n…………..+++
\nwriting new private key to ‘\/etc\/openldap\/certs\/priv.pem’
\n—–
\nYou are about to be asked to enter information that will be incorporated
\ninto your certificate request.
\nWhat you are about to enter is what is called a Distinguished Name or a DN.
\nThere are quite a few fields but you can leave some blank
\nFor some fields there will be a default value,
\nIf you enter ‘.’, the field will be left blank.
\n—–
\nCountry Name (2 letter code) [XX]:
\nState or Province Name (full name) []:
\nLocality Name (eg, city) [Default City]:
\nOrganization Name (eg, company) [Default Company Ltd]:
\nOrganizational Unit Name (eg, section) []:
\nCommon Name (eg, your name or your server’s hostname) []:instructor.example.com
\nEmail Address []:
\nSecure the content of the \/etc\/openldap\/certs directory:<\/p>\n
# cd \/etc\/openldap\/certs
\n# chown ldap:ldap *
\n# chmod 600 priv.pem
\nPrepare the LDAP database:<\/p>\n
cp \/usr\/share\/openldap-servers\/DB_CONFIG.example \/var\/lib\/ldap\/DB_CONFIG
\nGenerate database files (don\u2019t worry about error messages!):<\/p>\n
# slaptest
\n53d61aab hdb_db_open: database “dc=my-domain,dc=com”: db_open(\/var\/lib\/ldap\/id2entry.bdb) failed: No such file or directory (2).
\n53d61aab backend_startup_one (type=hdb, suffix=”dc=my-domain,dc=com”): bi_db_open failed! (2)
\nslap_startup failed (test would succeed using the -u switch)
\nChange LDAP database ownership:<\/p>\n
# chown ldap:ldap \/var\/lib\/ldap\/*
\nActivate the slapd service at boot:<\/p>\n
# systemctl enable slapd
\nStart the slapd service:<\/p>\n
# systemctl start slapd
\nCheck the LDAP activity:<\/p>\n
# netstat -lt | grep ldap
\ntcp 0 0 0.0.0.0:ldap 0.0.0.0:* LISTEN
\ntcp6 0 0 [::]:ldap [::]:* LISTEN
\nTo start the configuration of the LDAP server, add the cosine & nis LDAP schemas:<\/p>\n
# cd \/etc\/openldap\/schema
\n# ldapadd -Y EXTERNAL -H ldapi:\/\/\/ -D “cn=config” -f cosine.ldif SASL\/EXTERNAL authentication started
\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
\nSASL SSF: 0
\nadding new entry “cn=cosine,cn=schema,cn=config”
\n# ldapadd -Y EXTERNAL -H ldapi:\/\/\/ -D “cn=config” -f nis.ldif SASL\/EXTERNAL authentication started
\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
\nSASL SSF: 0
\nadding new entry “cn=nis,cn=schema,cn=config”
\nThen, create the \/etc\/openldap\/changes.ldif file and paste the following lines (replace password with the previously created password):<\/p>\n
To get the password which was previously generated:<\/p>\n
# cat \/etc\/openldap\/passwd
\n{SSHA}98bGGGdL+aj\/TFVayaTsKj\/xkfDZaYsRua1pge
\ndn: olcDatabase={2}hdb,cn=config
\nchangetype: modify
\nreplace: olcSuffix
\nolcSuffix: dc=example,dc=com<\/p>\n
dn: olcDatabase={2}hdb,cn=config
\nchangetype: modify
\nreplace: olcRootDN
\nolcRootDN: cn=Manager,dc=example,dc=com<\/p>\n
dn: olcDatabase={2}hdb,cn=config
\nchangetype: modify
\nreplace: olcRootPW
\nolcRootPW: {SSHA}98bGGGdL+aj\/TFVayaTsKj\/xkfDZaYsRua1pge<\/p>\n
dn: cn=config
\nchangetype: modify
\nreplace: olcTLSCertificateFile
\nolcTLSCertificateFile: \/etc\/openldap\/certs\/cert.pem<\/p>\n
dn: cn=config
\nchangetype: modify
\nreplace: olcTLSCertificateKeyFile
\nolcTLSCertificateKeyFile: \/etc\/openldap\/certs\/priv.pem<\/p>\n
dn: cn=config
\nchangetype: modify
\nreplace: olcLogLevel
\nolcLogLevel: -1<\/p>\n
dn: olcDatabase={1}monitor,cn=config
\nchangetype: modify
\nreplace: olcAccess
\nolcAccess: {0}to * by dn.base=”gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=authd by dn.base=”cn=Manager,dc=example,dc=comd by * none
\nSend the new configuration to the slapd server:<\/p>\n
# ldapmodify -Y EXTERNAL -H ldapi:\/\/\/ -f \/etc\/openldap\/changes.ldif SASL\/EXTERNAL authentication started
\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
\nSASL SSF: 0
\nmodifying entry “olcDatabase={2}hdb,cn=config”
\nmodifying entry “olcDatabase={2}hdb,cn=config”
\nmodifying entry “olcDatabase={2}hdb,cn=config”
\nmodifying entry “cn=config”
\nmodifying entry “cn=config”
\nmodifying entry “cn=config”
\nmodifying entry “olcDatabase={1}monitor,cn=config”
\nCreate the \/etc\/openldap\/base.ldif file and paste the following lines:<\/p>\n
dn: dc=example,dc=com
\ndc: example
\nobjectClass: top
\nobjectClass: domain<\/p>\n
dn: ou=People,dc=example,dc=com
\nou: People
\nobjectClass: top
\nobjectClass: organizationalUnit<\/p>\n
dn: ou=Group,dc=example,dc=com
\nou: Group
\nobjectClass: top
\nobjectClass: organizationalUnit
\nBuild the structure of the directory service:<\/p>\n
# ldapadd -x -w redhat -D cn=Manager,dc=example,dc=com -f base.ldif adding new entry “dc=example,dc=com”
\nadding new entry “ou=People,dc=example,dc=com”
\nadding new entry “ou=Group,dc=example,dc=com”
\nCreate two users for testing:<\/p>\n
# mkdir \/home\/guests
\n# useradd -d \/home\/guests\/ldapuser01 ldapuser01
\n# passwd ldapuser01 Changing password for user ldapuser01.
\nNew password: user01ldap
\nRetype new password: user01ldap
\npasswd: all authentication tokens updated successfully.
\n# useradd -d \/home\/guests\/ldapuser02 ldapuser02
\n# passwd ldapuser02 Changing password for user ldapuser02.
\nNew password: user02ldap
\nRetype new password: user02ldap
\npasswd: all authentication tokens updated successfully.
\nGo to the directory for the migration of the user accounts:<\/p>\n
# cd \/usr\/share\/migrationtools
\nEdit the migrate_common.ph file and replace in the following lines:<\/p>\n
$DEFAULT_MAIL_DOMAIN = “example.com”;
\n$DEFAULT_BASE = “dc=example,dc=com”;
\nCreate the current users in the directory service:<\/p>\n
# grep “:10[0-9][0-9]” \/etc\/passwd > passwd
\n# .\/migrate_passwd.pl passwd users.ldif
\n# ldapadd -x -w redhat -D cn=Manager,dc=example,dc=com -f users.ldif
\nadding new entry “uid=ldapuser01,ou=People,dc=example,dc=com”
\nadding new entry “uid=ldapuser02,ou=People,dc=example,dc=com”
\n# grep “:10[0-9][0-9]” \/etc\/group > group
\n# .\/migrate_group.pl group groups.ldif
\n# ldapadd -x -w redhat -D cn=Manager,dc=example,dc=com -f groups.ldif
\nadding new entry “cn=ldapuser01,ou=Group,dc=example,dc=com”
\nadding new entry “cn=ldapuser02,ou=Group,dc=example,dc=com”
\nTest the configuration with the user called ldapuser01:<\/p>\n
# ldapsearch -x cn=ldapuser01 -b dc=example,dc=com
\nAdd a new service to the firewall (ldap: port tcp 389):<\/p>\n
# firewall-cmd –permanent –add-service=ldap
\nReload the firewall configuration:<\/p>\n
# firewall-cmd –reload
\nEdit the \/etc\/rsyslog.conf file and add the following line:<\/p>\n
local4.* \/var\/log\/ldap.log
\nRestart the rsyslog service:<\/p>\n
# systemctl restart rsyslog
\nEdit the hosts file on the server:<\/p>\n
# cat \/etc\/hosts
\n192.168.56.106 instructor.example.com
\nLDAP Client configuration<\/p>\n
Add the same hosts file entry on the client:<\/p>\n
# cat \/etc\/hosts
\n192.168.56.106 instructor.example.com
\nInstall the following packages:<\/p>\n
# yum install -y openldap-clients nss-pam-ldapd
\nRun the authentication menu:<\/p>\n
# authconfig-tui
\nChoose the following options:<\/p>\n
– Cache Information
\n– Use LDAP
\n– Use MD5 Passwords
\n– Use Shadow Passwords
\n– Use LDAP Authentication
\n– Local authorization is sufficient
\nIn the LDAP Settings, type:<\/p>\n
Use TLS
\nldap:\/\/instructor.example.com
\ndc=example,dc=com
\nNote: Don\u2019t use TLS if you specify ldaps.<\/p>\n
Put the LDAP server certificate into the \/etc\/openldap\/cacerts directory when asked.<\/p>\n
Open another terminal window, and cd \/etc\/openldap\/cacerts.<\/p>\n
cd \/etc\/openldap\/cacerts
\nwget http:\/\/instructor.example.com\/cert.pem .
\nClose authconfig-tui.<\/p>\n
Test the connection to the LDAP server (the ldapuser02\u2018s line of the \/etc\/passwd file should be displayed):<\/p>\n
# getent passwd ldapuser02
\nldapuser02:x:1001:1001:ldapuser02:\/home\/guests\/ldapuser02:\/bin\/bash<\/p>\n","protected":false},"excerpt":{"rendered":"
e LDAP server will be named instructor.example.com in this procedure.<\/p>\n
Install the following packages:<\/p>\n
# yum install -y openldap openldap-clients openldap-servers migrationtools net-tools.x86_64 Generate a LDAP password from a secret key (using redhat):<\/p>\n
# slappasswd -s redhat -n > \/etc\/openldap\/passwd Generate a X509 certificate valid for 365 days:<\/p>\n
# openssl req -new -x509 -nodes -out […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[73],"tags":[],"_links":{"self":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/6099"}],"collection":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=6099"}],"version-history":[{"count":1,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/6099\/revisions"}],"predecessor-version":[{"id":6100,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/6099\/revisions\/6100"}],"wp:attachment":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=6099"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=6099"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=6099"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}