Friday, January 30, 2015

How to configure OpenLDAP on RHEL(redhat)/CentOS Server

OPENLDAP

Pre-requisites:

The first thing you need to do is ensure that OpenLDAP is properly installed, along with a few optional packages that will tie our system together. The packages we need to have installed (on a RedHat system) are:
  • openldap
  • openldap-clients
  • openldap-devel
  • openldap-servers
  • nss_ldap

[root@linux0120 ~]# rpm -qa | grep openldap
openldap-devel-2.2.13-2
openldap-2.2.13-2
openldap-clients-2.2.13-2
[root@linux0120 ~]#

Since the openldap-servers rpm is not currently installed, all the OpenLDAP packages are upgraded to the newer version at the same time.
Installing the required rpms:
[root@linux0120 ~]# mount lnxdev0001:/usr/local/src/ /mnt

[root@linux0120 ~]# rpm -Uvh /mnt/redhat/es4/RedHat/RPMS/openldap-*
warning: /mnt/redhat/es4/RedHat/RPMS/openldap-2.2.13-3.i386.rpm: V3 DSA signature: NOKEY, key ID db42a60e
error: Failed dependencies:
libodbc.so.1 is needed by openldap-servers-sql-2.2.13-3.i386
Suggested resolutions:
unixODBC-2.2.9-1.i386.rpm

[root@linux0120 ~]# rpm -e openldap-clients-2.2.13-2
[root@linux0120 ~]# rpm -e openldap-devel-2.2.13-2
[root@linux0120 ~]# rpm -e openldap-2.2.13-2
[root@linux0120 ~]# rpm -e openldap-2.2.13-2 --nodeps

[root@linux0120 ~]# rpm -ivh /mnt/redhat/es4/RedHat/RPMS/openldap-2.2.13-3.i386.rpm
warning: /mnt/redhat/es4/RedHat/RPMS/openldap-2.2.13-3.i386.rpm: V3 DSA signature: NOKEY, key ID db42a60e
Preparing... ########################################### [100%]
1:openldap ########################################### [100%]
[root@linux0120 ~]# rpm -ivh /mnt/redhat/es4/RedHat/RPMS/openldap-clients-2.2.13-3.i386.rpm
warning: /mnt/redhat/es4/RedHat/RPMS/openldap-clients-2.2.13-3.i386.rpm: V3 DSA signature: NOKEY, key ID db42a60e
Preparing... ########################################### [100%]
1:openldap-clients ########################################### [100%]
[root@linux0120 ~]# rpm -ivh /mnt/redhat/es4/RedHat/RPMS/openldap-devel-2.2.13-3.i386.rpm
warning: /mnt/redhat/es4/RedHat/RPMS/openldap-devel-2.2.13-3.i386.rpm: V3 DSA signature: NOKEY, key ID db42a60e
Preparing... ########################################### [100%]
1:openldap-devel ########################################### [100%]
[root@linux0120 ~]# rpm -ivh /mnt/redhat/es4/RedHat/RPMS/openldap-servers-2.2.13-3.i386.rpm
warning: /mnt/redhat/es4/RedHat/RPMS/openldap-servers-2.2.13-3.i386.rpm: V3 DSA signature: NOKEY, key ID db42a60e
Preparing... ########################################### [100%]
1:openldap-servers ########################################### [100%]


[root@linux0120 ~]# rpm -qa | grep openldap
openldap-clients-2.2.13-3
openldap-devel-2.2.13-3
openldap-servers-2.2.13-3
openldap-2.2.13-3
[root@linux0120 ~]# rpm -qa | grep nss_ldap
nss_ldap-226-1
[root@linux0120 ~]# rpm -Uvh /mnt/redhat/es4/RedHat/RPMS/nss_ldap-226-6.i386.rpm
warning: /mnt/redhat/es4/RedHat/RPMS/nss_ldap-226-6.i386.rpm: V3 DSA signature: NOKEY, key ID db42a60e
Preparing... ########################################### [100%]
1:nss_ldap ########################################### [100%]
The openldap-servers and openldap-devel packages are only required on the system that will be your authentication server. They are not required on the "client" systems.
The nss_ldap package is required for PAM authentication and for NSS information (i.e. retrieving group, user, host, etc. information from the LDAP server). Once you have all of these packages installed, you can begin to configure your LDAP server.



Configuring the OpenLDAP Server

The first step in configuring your server is to edit the /etc/openldap/slapd.conf file. There are a few fields you will need to configure. In this topic, we will assume that your domain name to use on the LAN is "newindia.com" and will illustrate our configuration accordingly.
[root@linux0120 ~]# vi /etc/openldap/slapd.conf
database ldbm
suffix "dc=newindia,dc=com"
rootdn "cn=root,dc=newindia,dc=com"
rootpw {MD5}/39oNhuzZDdBZnzCjxM5TA==
password-hash {crypt}
password-crypt-salt-format "$1$%.8s"



Generate the {MD5} hashed value for rootpw as follows:
[root@linux0120 ~]# slappasswd -h{MD5}
New password:
Re-enter new password:
{MD5}/39oNhuzZDdBZnzCjxM5TA==



Before configuring your basic ACLs, let's start slapd and make sure it works.
[root@linux0120 ~]# /etc/init.d/ldap start
Checking configuration files for : config file testing succeeded
Starting slapd: [ OK ]



Once you have started the slapd server, you can test it by executing the following query:
[root@linux0120 ~]# ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
# extended LDIF
#
# LDAPv3
# base <> with scope base
# filter: (objectclass=*)
# requesting: namingContexts
#
#
dn:
namingContexts: dc=newindia,dc=com
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1



This ensures that ldap is configured and working properly.

Enable the daemon to start at boot time itself:
[root@linux0120 ~]# chkconfig ldap on

Configuring Server ACLs

The final step on the server before we begin migrating data is to set the basic ACLs (Access Control Lists) for the LDAP server. This ensures that people only have access to what they need: users can update and see their own passwords, but others are prevented from seeing them.
Once again you need to edit the /etc/openldap/slapd.conf file. If you look in your slapd.conf file, you will see the following near the beginning:
# Define global ACLs to disable default read access.
include /etc/openldap/slapd.access.conf
The /etc/openldap/slapd.access.conf file is as good a place as any to put your ACLs. You can either append your ACL rules to the end of the slapd.conf file or insert them into slapd.access.conf; the choice is entirely up to you. If you do choose to use the access file, remove the example ACLs at the end of the slapd.conf file. Let's begin with some basic ACLs:



# This is a good place to put the access-control directives.
# "by self write" is deliberately left out of each directive below (see the note
# after this section); add it before the "by *" line where you want it.
access to dn.regex=".*,dc=newindia,dc=com" attr=userPassword
        by dn.base="cn=root,dc=newindia,dc=com" write
        by * auth
access to dn.regex=".*,dc=newindia,dc=com" attr=mail
        by dn.base="cn=root,dc=newindia,dc=com" write
        by * read
access to dn.regex=".*,ou=People,dc=newindia,dc=com"
        by * read
access to dn.regex=".*,dc=newindia,dc=com"
        by * read



What this does is restrict access to the userPassword attribute of any entry, that is, any DN under dc=newindia,dc=com. The owner of the entry can modify it; the owner is whoever binds to the server using that DN and its associated password. Otherwise the attribute can only be used for authentication (binding) purposes and cannot be viewed.

The second entry allows the user to modify their mail attribute (i.e. email address).

The third entry specifies that any DN in ou=People,dc=newindia,dc=com is read-only. This is where we protect the system from users deciding to change their username, gid or uid numbers, home directory, and so forth. Because the ACLs are read top down in a "first match wins" order, we have effectively given users access to change their own password and their own email address, but they are unable to touch any other information on their account. Everything else is read-only... to the world, and to the user.

Finally, the last entry is a catch-all for other parts of the database. This will allow users to make changes to their own address books, for example. If you will not be allowing users to use their own address books on this LDAP server, feel free to remove the "by self write" ACL of the last entry. This will still allow users to read group and host information. If you like, you can duplicate the second entry to allow users to modify their loginShell attribute so they can select what shell they wish to use, but I wouldn't recommend it.
To have the server use the new ACLs, be sure to restart it (service ldap restart on most Linux systems).
[root@linux0120 ~]# /etc/init.d/ldap restart
Stopping slapd: [ OK ]
Checking configuration files for slapd: config file testing succeeded
Starting slapd: [ OK ]



In our environment, self write is disabled for all attributes.
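To make the "first match wins" ordering concrete, here is an added Python model (not part of the original article and not slapd's own code) of the four directives above; it keeps "by self write" in the catch-all, as the text describes it, and shows that moving the catch-all ahead of the ou=People rule silently gives users write access to their own uidNumber. Bind DNs and the evaluation shortcut for the rootdn are simplifying assumptions.

```python
import re

# slapd access levels in increasing order: a grant at one level implies
# every lower one (write > read > search > compare > auth > none).
LEVELS = ["none", "auth", "compare", "search", "read", "write"]
ROOT_DN = "cn=root,dc=newindia,dc=com"

# Constructed model of the four directives: (target dn regex, target
# attribute or None for "all attributes", [(who, level), ...]).  The
# catch-all keeps 'by self write' here, as the text above describes it.
ACLS = [
    (r".*,dc=newindia,dc=com", "userPassword", [("dn:" + ROOT_DN, "write"), ("*", "auth")]),
    (r".*,dc=newindia,dc=com", "mail",         [("dn:" + ROOT_DN, "write"), ("*", "read")]),
    (r".*,ou=People,dc=newindia,dc=com", None, [("*", "read")]),
    (r".*,dc=newindia,dc=com", None,           [("self", "write"), ("*", "read")]),
]
# The same directives with the catch-all moved ahead of the ou=People rule.
ACLS_MISORDERED = [ACLS[0], ACLS[1], ACLS[3], ACLS[2]]

def who_matches(who, bind_dn, target_dn):
    """'*' is anyone (including anonymous, bind_dn None); 'self' is the
    entry's own DN; 'dn:<dn>' is that exact bind DN."""
    if who == "*":
        return True
    if bind_dn is None:
        return False
    if who == "self":
        return bind_dn.lower() == target_dn.lower()
    return who.startswith("dn:") and bind_dn.lower() == who[3:].lower()

def evaluate(acls, bind_dn, target_dn, attr):
    """Access level bind_dn gets on attr of target_dn.  Like slapd, stop at
    the first 'to' clause matching the target, then at the first matching
    'by' clause; a matching 'to' clause with no matching 'by' denies.
    (The real rootdn bypasses ACLs entirely; here it is modelled only
    through its explicit 'by dn=' grants.)"""
    for what_dn, what_attr, by_list in acls:
        if not re.search(what_dn, target_dn, re.IGNORECASE):
            continue
        if what_attr is not None and what_attr.lower() != attr.lower():
            continue
        for who, level in by_list:
            if who_matches(who, bind_dn, target_dn):
                return level
        return "none"
    return "none"

def allows(level, needed):
    """True if a grant of `level` is enough for an operation needing `needed`."""
    return LEVELS.index(level) >= LEVELS.index(needed)

if __name__ == "__main__":
    me = "uid=bharath,ou=People,dc=newindia,dc=com"
    for label, acls in (("documented order", ACLS), ("catch-all first", ACLS_MISORDERED)):
        lvl = evaluate(acls, me, me, "uidNumber")
        print(f"{label}: self on own uidNumber -> {lvl}, can modify: {allows(lvl, 'write')}")
```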
Creating the LDAP entries:
To create an entry, write an LDIF file (LDAP Data Interchange Format) and add it to the database as follows:

o:

[bharath@linux0120 LDAP]$ cat domain.ldif
dn: dc=newindia,dc=com
dc: newindia
objectClass: top
objectClass: domain
objectClass: domainRelatedObject
associatedDomain: newindia.com
[bharath@linux0120 LDAP]$ ldapadd -x -D "cn=root,dc=newindia,dc=com" -W -f domain.ldif
Enter LDAP Password:
adding new entry "dc=newindia,dc=com"
[bharath@linux0120 LDAP]$

ou:

[bharath@linux0120 LDAP]$ cat ou.ldif
dn: ou=Group,dc=newindia,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit
objectClass: domainRelatedObject
associatedDomain: newindia.com

[bharath@linux0120 LDAP]$ ldapadd -x -D "cn=root,dc=newindia,dc=com" -W -f ou.ldif
Enter LDAP Password:
adding new entry "ou=Group,dc=newindia,dc=com"
[bharath@linux0120 LDAP]$

nisMapName:

[bharath@linux0120 LDAP]$ cat nisMapName.ldif
dn: nisMapName=netgroup.byhost,dc=newindia,dc=com
nisMapName: netgroup.byhost
objectClass: top
objectClass: nisMap
objectClass: domainRelatedObject
associatedDomain: newindia.com

[bharath@linux0120 LDAP]$ ldapadd -x -D "cn=root,dc=newindia,dc=com" -W -f nisMapName.ldif
Enter LDAP Password:
adding new entry "nisMapName=netgroup.byhost,dc=newindia,dc=com"
[bharath@linux0120 LDAP]$

cn:
(Simple Group)
[bharath@linux0120 LDAP]$ cat cn.ldif
dn: cn=users,ou=Group,dc=newindia,dc=com
cn: users
objectClass: top
objectClass: posixGroup
objectClass: domainRelatedObject
associatedDomain: newindia.com
gidNumber: 100
userPassword:

[bharath@linux0120 LDAP]$ ldapadd -x -D "cn=root,dc=newindia,dc=com" -W -f cn.ldif
Enter LDAP Password:
adding new entry "cn=users,ou=Group,dc=newindia,dc=com"
[bharath@linux0120 LDAP]$

(Shared Group)
[bharath@linux0120 LDAP]$ cat scn.ldif
dn: cn=java,ou=Group,dc=newindia,dc=com
cn: java
objectClass: top
objectClass: posixGroup
objectClass: domainRelatedObject
associatedDomain: newindia.com
gidNumber: 900
userPassword:
memberUid: kishore
memberUid: karthik
[bharath@linux0120 LDAP]$

[bharath@linux0120 LDAP]$ ldapadd -x -D "cn=root,dc=newindia,dc=com" -W -f scn.ldif
Enter LDAP Password:
adding new entry "cn=java,ou=Group,dc=newindia,dc=com"

[bharath@linux0120 LDAP]$

uid:

dn: uid=bharath,ou=People,dc=newindia,dc=com
uid: bharath
cn: bharath
givenName: bharath
sn: I
objectClass: top
objectClass: posixAccount
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
#objectClass: kerberosSecurityObject
objectClass: shadowAccount
mail: bharath@newindia.com
uidNumber: 678
gidNumber: 100
homeDirectory: /home/bharath
loginShell: /bin/bash
gecos: bharath I - SA
userPassword: {CRYPT}Fd4pwcZ.ncH6Q
shadowLastChange: 13200
shadowMax: 99999
shadowWarning: 7

The objectClass kerberosSecurityObject is not defined. Need to fix this.

Migrating Data

The next step is to begin migrating your data into your LDAP server.
The openldap-servers rpm provides the migration Perl scripts that generate LDIF files from the existing system files.

[root@linux0120 redhat]# cd /usr/share/openldap/migration/
Set the following in the migrate_common.ph file.
[root@linux0120 migration]# vi migrate_common.ph
$DEFAULT_MAIL_DOMAIN = "dev02.newindia.com";
$DEFAULT_BASE = "dc=newindia,dc=com";
$DEFAULT_MAIL_HOST = "mail.dev02.newindia.com";
$EXTENDED_SCHEMA = 1;

Use migrate_all_online.pl to generate an LDIF file for all the data (hosts, services, groups, protocols, etc.). Since the essential entries required here are the group and password files, the required LDIF files are generated as follows:

[root@linux0120 migration]# ./migrate_base.pl > base.ldif
[root@linux0120 migration]# ./migrate_group.pl /etc/group group.ldif
[root@linux0120 migration]# ETC_SHADOW=/etc/shadow- ./migrate_passwd.pl /etc/passwd passwd.ldif

Add the data to the ldap database as follows:
[bharath@linux0120 LDAP]$ ldapadd -x -D "cn=root,dc=newindia,dc=com" -W -f base.ldif
Enter LDAP Password:
[bharath@linux0120 LDAP]$ ldapadd -x -D "cn=root,dc=newindia,dc=com" -W -f group.ldif
Enter LDAP Password:
[bharath@linux0120 LDAP]$ ldapadd -x -D "cn=root,dc=newindia,dc=com" -W -f passwd.ldif

Creating the AUTOMOUNT MAPS for the shared directories on the LDAP Server:
The NIS MAPS which are created are as follows:
/etc/auto.master
/etc/auto.home
/etc/auto.home2
/etc/auto.data
/etc/nb_apps
/etc/nb_apps-7.2
/etc/nb_apps-es4
/etc/auto.clearcase-data

Let us consider all the above maps as organization units of the LDAP Directory structure.

Create the Organizational units as follows:
dn: ou=auto.master,dc=newindia,dc=com
ou: auto.master
objectClass: top
objectClass: autoMountMap

Create a master-map entry for each share, pointing at the corresponding map. For example, for the /home share the map file is auto.home, and the entry is created as follows:
dn: cn=/home,ou=auto.master,dc=newindia,dc=com
cn: /home
objectClass: autoMount
autoMountInformation: ldap:ou=auto.home,dc=newindia,dc=com

The above autoMountInformation tells the automounter that the map for this share is held in the corresponding ou entry in LDAP (ou=auto.home).

Create the auto.home map as follows:
dn: ou=auto.home,dc=newindia,dc=com
ou: auto.home
objectClass: top
objectClass: autoMountMap

Create the map details for the above share as follows, one entry per line of the map file. For example, the auto.home line
bharath fileserv:/export/home/bharath
dn: cn=bharath,ou=auto.home,dc=newindia,dc=com
cn: bharath
objectClass: autoMount
autoMountInformation: fileserv.dev02.newindia.com:/export/home/bharath

An LDAP entry like this needs to be created for each and every map line.

Create the ldif file as stated above and add to the LDAP database as follows:
[bharath@linux0120 LDAP]$ ldapadd -x -D "cn=root,dc=newindia,dc=com" -W -f auto.ldif
Enter LDAP Password:

Note:
Instead of an entry for each and every user login account, a single wildcard entry can be created and added to the LDAP database as follows:
dn: cn=*,ou=auto.home,dc=newindia,dc=com
cn: *
objectClass: autoMount
autoMountInformation: fileserv.dev02.newindia.com:/export/home/&

[bharath@linux0120 LDAP]$ ldapadd -x -D "cn=root,dc=newindia,dc=com" -W -f auto.ldif
Enter LDAP Password:


To migrate all the required files, use the following scripts to create the LDIF files.

[bharath@linux0120 LDAP]$ cat auto.master.pl
#!/usr/bin/perl
# Convert an autofs master map (e.g. auto.master) into LDIF: one
# autoMountMap container plus one autoMount entry per mount point,
# each pointing at the LDAP container of its sub-map.
use strict;
use warnings;

my $domain    = "newindia";
my $dom       = "com";
my $configdir = "/home/bharath/LDAP/";   # where the copied map files live

print "Enter the Master Map file\n";
my $infile = <STDIN>;
chomp $infile;
my $outfile = "$infile.ldif";

# Container entry for the map itself: ou=auto.master,dc=newindia,dc=com
open my $fho, '>', $outfile or die "Cannot write $outfile: $!\n";
print $fho "dn: ou=$infile,dc=$domain,dc=$dom\n";
print $fho "ou: $infile\n";
print $fho "objectClass: top\n";
print $fho "objectClass: autoMountMap\n\n\n";

if (open my $fhi, '<', "$configdir$infile") {
    while (<$fhi>) {
        # Only mount-point lines (starting with "/") are of interest:
        # "/home auto.home" -> cn=/home pointing at ou=auto.home
        if (/^\//) {
            my @data = split;
            my ($mount, $mapfile) = @data[0, 1];
            print $fho "dn: cn=$mount,ou=$infile,dc=$domain,dc=$dom\n";
            print $fho "cn: $mount\n";
            print $fho "objectClass: autoMount\n";
            print $fho "autoMountInformation: ldap:ou=$mapfile,dc=$domain,dc=$dom\n\n\n";
        }
    }
    close $fhi;
}
else {
    print "The \"$infile\" does not exist in the \"$configdir\" directory\n";
}
close $fho;



For all other files other than auto.master, use the following script and provide the file name when prompted.

[bharath@linux0120 LDAP]$ cat auto.all.pl
#!/usr/bin/perl
# Convert one autofs sub-map (e.g. auto.home) into LDIF: one autoMountMap
# container plus one autoMount entry per "key server:/share" line, with
# the bare server name qualified as server.dev02.newindia.com.
use warnings;
use strict;

my $subdomain = "dev02";
my $domain    = "newindia";
my $dom       = "com";
my $configdir = "/home/bharath/LDAP/";   # where the copied map files live

print "Enter the NIS map file\n";
my $infile = <STDIN>;
chomp $infile;
my $outfile = "$infile.ldif";

if (open my $fhi, '<', "$configdir$infile") {
    open my $fho, '>', $outfile or die "Cannot write $outfile: $!\n";
    # Container entry for the map: ou=auto.home,dc=newindia,dc=com
    print $fho "dn: ou=$infile,dc=$domain,dc=$dom\n";
    print $fho "ou: $infile\n";
    print $fho "objectClass: top\n";
    print $fho "objectClass: autoMountMap\n\n\n";

    while (<$fhi>) {
        chomp;
        next unless /^\w+/;      # skip comments, blank lines and the "*" wildcard key
        s/\s+/ /g;               # collapse whitespace
        s/[:,&]/ /g;             # "server:/share" -> "server /share"
        my @data  = split /\s+/;
        my $words = scalar @data;
        if ($words == 3) {
            my ($cn, $server, $share) = @data;
            print $fho "dn: cn=$cn,ou=$infile,dc=$domain,dc=$dom\n";
            print $fho "cn: $cn\n";
            print $fho "objectClass: autoMount\n";
            print $fho "autoMountInformation: $server.$subdomain.$domain.$dom:$share\n\n\n";
        }
        else {
            # Lines carrying mount options or several locations are not handled.
            print "Line \"$_\" does not have exactly three fields ($words), so skipped\n";
        }
    }
    close $fhi;
    close $fho;
}
else {
    print "The \"$infile\" does not exist in the \"$configdir\" directory\n";
}

After creating the required ldif files, add the same to the LDAP Database.
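As an added example (not the author's scripts above, and not part of the original article), the following Python covers both jobs of auto.master.pl and auto.all.pl in one function and also keeps mount options and the "*" / "&" wildcard entry, which auto.all.pl skips. BASE_DN and SERVER_DOMAIN are taken from the configuration above; the sample map text is constructed.

```python
import re

BASE_DN = "dc=newindia,dc=com"           # suffix from slapd.conf above
SERVER_DOMAIN = "dev02.newindia.com"     # appended to bare server names, like auto.all.pl

# Constructed sample map in /etc/auto.home syntax: key [-options] location.
SAMPLE_AUTO_HOME = """\
# home directories (constructed sample, not a real map)
bharath   fileserv:/export/home/bharath
kishore   -rw,hard   fileserv:/export/home/kishore
*         fileserv:/export/home/&
repl      fileserv:/a fileserv2:/b
"""

def dn_escape(value):
    """Escape the characters RFC 4514 requires escaping in an RDN value."""
    value = re.sub(r'([,+"\\<>;])', r"\\\1", value)
    return "\\" + value if value[:1] in ("#", " ") else value

def qualify(location):
    """'fileserv:/export/home/&' -> 'fileserv.dev02.newindia.com:/export/home/&';
    an already fully qualified server name is left alone."""
    server, sep, path = location.partition(":")
    if sep and "." not in server:
        server = f"{server}.{SERVER_DOMAIN}"
    return server + sep + path

def nis_map_to_ldif(map_name, text, is_master=False):
    """Turn one automount map file into LDIF records (strings): the
    ou=<map_name> container plus one autoMount entry per usable line.
    Returns (records, skipped_lines)."""
    records = [f"dn: ou={map_name},{BASE_DN}\nou: {map_name}\n"
               "objectClass: top\nobjectClass: autoMountMap"]
    skipped = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        key, *rest = line.split()
        options = [f for f in rest if f.startswith("-")]
        targets = [f for f in rest if not f.startswith("-")]
        if len(targets) != 1:                    # replicated/malformed line: report it
            skipped.append(raw)
            continue
        if is_master:   # master map: point at the LDAP container of the sub-map
            info = f"ldap:ou={targets[0].rsplit('/', 1)[-1]},{BASE_DN}"
        else:           # sub-map: keep options, qualify the server, keep & and *
            info = " ".join(options + [qualify(targets[0])])
        records.append(f"dn: cn={dn_escape(key)},ou={map_name},{BASE_DN}\n"
                       f"cn: {key}\nobjectClass: autoMount\n"
                       f"autoMountInformation: {info}")
    return records, skipped

if __name__ == "__main__":
    recs, bad = nis_map_to_ldif("auto.home", SAMPLE_AUTO_HOME)
    print("\n\n".join(recs))
    print("skipped:", bad)
```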





Useful LDAP Commands:

ldapadd:
-x simple authentication
-D bind DN
-W prompt for the bind password
-f LDIF file
[bharath@linux0120 LDAP]$ ldapadd -x -D "cn=root,dc=newindia,dc=com" -W -f auto.data.ldif

ldapmodify:
Same as that of ldapadd.

ldapsearch:

-b basedn
[bharath@linux0120 LDAP]$ ldapsearch -x -b "ou=auto.home,dc=newindia,dc=com" "(cn=*)"

ldapdelete:
-r recursive
If the specified dn is a tree containing several leaves, then -r should be used, else only the specified dn will be deleted.
[bharath@linux0120 LDAP]$ ldapdelete -x -r -D "cn=root,dc=newindia,dc=com" "ou=auto.nb_apps-7.2,dc=newindia,dc=com" -W

ldappasswd:
-S prompt for the new password
[bharath@linux0120 LDAP]$ ldappasswd -x -S -D "cn=root,dc=newindia,dc=com" -W "uid=bharath,ou=people,dc=newindia,dc=com"
New password:
Re-enter new password:
Enter LDAP Password:
Result: Success (0)


Configuring Client:

[root@www ~]# rpm -qa | grep ldap
nss_ldap-226-6
openldap-2.2.13-3
compat-openldap-2.1.30-3

The packages nss_ldap-226-6
