OpenLDAP server and client configuration (lab walkthrough: slapd with TLS, migrationtools import, NFS home directories, phpLDAPadmin)

[root@ldap ~]# hostname
ldap.example.com

[root@ldap ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever

2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 52:54:00:2c:a3:07 brd ff:ff:ff:ff:ff:ff
inet 192.168.122.98/24 brd 192.168.122.255 scope global eth1

[root@ldap ~]# yum -y install "openldap*" migrationtools

(Quote the pattern so that it reaches yum unexpanded; unquoted, the shell would expand it against files in the current directory and the command only works when nothing there happens to match.)

[root@ldap ~]# slappasswd
New password:
Re-enter new password:
{SSHA}Rp9UzYd8D5odddWi/lXj2y0zvcki0pau

slappasswd prints a salted SHA-1 ({SSHA}) hash of the password you typed. It is this hash, never the clear-text password, that goes into olcRootPW. Treat the value shown here as an example and generate your own: whoever cracks the password behind a published hash has full control of the directory. Then edit the database definition below as required.

Note on method: editing the files under /etc/openldap/slapd.d by hand, as done here, invalidates the CRC32 checksum kept in each file's header — that is the source of the "ldif_read_file: checksum error" warnings that appear on every slaptest and slapd start further down. slapd still loads the file, but the supported way to change cn=config is ldapmodify over the local socket (ldapmodify -Y EXTERNAL -H ldapi:///), which keeps the checksums intact and takes effect without a restart.

[root@ldap ~]# vim /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}bdb.ldif
olcSuffix: dc=example,dc=com
olcRootDN: cn=Manager,dc=example,dc=com

——- add these lines (olcRootPW takes the {SSHA} hash printed by slappasswd above) ——
olcRootPW: {SSHA}Rp9UzYd8D5odddWi/lXj2y0zvcki0pau
olcTLSCertificateFile: /etc/pki/tls/certs/exampleldap.pem
olcTLSCertificateKeyFile: /etc/pki/tls/certs/exampleldapkey.pem

No olcAccess rule protecting userPassword is shown for this database. The user entries imported later carry the {crypt} password hashes copied from /etc/shadow, so before exposing the server check that anonymous clients cannot read them (after the import, an anonymous `ldapsearch -x -H ldap://localhost -b dc=example,dc=com userPassword` must return no userPassword values). If it does, add rules such as `olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=Manager,dc=example,dc=com" write by * none` followed by `olcAccess: {1}to * by self write by dn="cn=Manager,dc=example,dc=com" write by * read`.

Generate a self-signed certificate and key (a lab shortcut; in production use a certificate issued by your CA so clients can verify it without trusting this one file). -nodes leaves the key unencrypted so slapd can read it at start-up without a passphrase — which is exactly why the key file's permissions matter; -days 365 means it expires in a year. The Common Name must be the name clients use to reach the server (ldap.example.com), otherwise certificate verification on the clients fails:

[root@ldap ~]# openssl req -new -x509 -nodes -out /etc/pki/tls/certs/exampleldap.pem -keyout /etc/pki/tls/certs/exampleldapkey.pem -days 365
Generating a 2048 bit RSA private key
……..+++
…………..+++
writing new private key to ‘/etc/pki/tls/certs/exampleldapkey.pem’
—–
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:AP
Locality Name (eg, city) [Default City]:HYDERABAD
Organization Name (eg, company) [Default Company Ltd]:MYCOMPANY
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server’s hostname) []:ldap.example.com
Email Address []:mohammedrafi494@gmail.com

[root@ldap ~]# ll /etc/pki/tls/certs/*.pem
-rw-r--r--. 1 root root 1704 May 17 06:01 /etc/pki/tls/certs/exampleldapkey.pem
-rw-r--r--. 1 root root 1444 May 17 06:01 /etc/pki/tls/certs/exampleldap.pem

Look at the mode: the private key was created world-readable (0644), in the certs directory. slapd runs as the ldap user on this system (the data directory is chowned to ldap further down), so the key must be readable by that user and by nobody else. Lock it down before starting slapd:

[root@ldap ~]# chown root:ldap /etc/pki/tls/certs/exampleldapkey.pem
[root@ldap ~]# chmod 640 /etc/pki/tls/certs/exampleldapkey.pem

(The certificate, exampleldap.pem, is public and may stay 0644.)

[root@ldap ~]# slaptest -u
573a6732 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif"
config file testing succeeded

(The checksum error only reports that the CRC32 stored in the file header no longer matches the hand-edited content; the configuration itself is accepted, as the last line shows. It disappears if the change is made with ldapmodify over ldapi:/// instead of vim, or if the "# CRC32" comment line at the top of the file is deleted.)

[root@ldap ~]# vim /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{1\}monitor.ldif
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=exter
 nal,cn=auth" read by dn.base="cn=manager,dc=example,dc=com" read by * none

(This grants read access to the cn=monitor database to the local root user connecting over ldapi:/// and to the directory manager, and denies everyone else. The value is wrapped using LDIF continuation — the second physical line starts with a single space. The manager DN must match the olcRootDN set above; cn=manager in lower case still matches cn=Manager because cn values compare case-insensitively.)

[root@ldap ~]# slaptest -u
573a67dc ldif_read_file: checksum error on “/etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif”
573a67dc ldif_read_file: checksum error on “/etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif”
config file testing succeeded

[root@ldap ~]# service slapd status
slapd is stopped

[root@ldap ~]# service slapd start
Checking configuration files for slapd: [WARNING]
573a67f8 ldif_read_file: checksum error on “/etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif”
573a67f8 ldif_read_file: checksum error on “/etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif”
config file testing succeeded
Starting slapd: [ OK ]

[root@ldap ~]# netstat -tlpn |grep slapd
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 2661/slapd
tcp 0 0 :::389 :::* LISTEN 2661/slapd

slapd listens on all interfaces on 389 only — plain LDAP, on which StartTLS is available because a certificate was configured; there is no ldaps listener on 636. Nothing configured so far obliges clients to use TLS, so a client that performs a simple bind over ldap:// sends its password across the network in clear text. Either require TLS on the server (for example `olcSecurity: tls=1` on the frontend or database entry in cn=config) or enable the ldaps listener (on SysV-init OpenLDAP packages this is typically SLAPD_LDAPS=yes in /etc/sysconfig/ldap), and configure the clients accordingly.

[root@ldap ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

[root@ldap ~]# ls -l /var/lib/ldap/DB_CONFIG
-rw-r–r–. 1 root root 845 May 17 06:09 /var/lib/ldap/DB_CONFIG

[root@ldap ~]# chown -R ldap:ldap /var/lib/ldap/

[root@ldap ~]# ls -l /var/lib/ldap/DB_CONFIG
-rw-r–r–. 1 ldap ldap 845 May 17 06:09 /var/lib/ldap/DB_CONFIG

[root@ldap ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"
ldap_add: Other (e.g., implementation specific) error (80)
additional info: olcAttributeTypes: Duplicate attributeType: "0.9.2342.19200300.100.1.2"

[root@ldap ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"
ldap_add: Other (e.g., implementation specific) error (80)
additional info: olcAttributeTypes: Duplicate attributeType: "1.3.6.1.1.1.1.2"

[root@ldap ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"
ldap_add: Other (e.g., implementation specific) error (80)
additional info: olcAttributeTypes: Duplicate attributeType: "2.16.840.1.113730.3.1.1"

(All three loads fail with "Duplicate attributeType": the attribute OIDs are already defined, i.e. the cosine, nis and inetorgperson schemas are already present under cn=schema,cn=config on this installation. The errors are harmless and these steps can be skipped; confirm with `ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config dn`. Note that these commands authenticate as the local root user over the Unix socket (SASL EXTERNAL), which is the right way to administer cn=config — no password crosses the network.)

[root@ldap ~]# cd /usr/share/migrationtools/

[root@ldap migrationtools]# ll
total 128
-rwxr-xr-x. 1 root root 2652 Aug 24 2010 migrate_aliases.pl
-rwxr-xr-x. 1 root root 2950 Aug 24 2010 migrate_all_netinfo_offline.sh
-rwxr-xr-x. 1 root root 2946 Aug 24 2010 migrate_all_netinfo_online.sh
-rwxr-xr-x. 1 root root 3011 Aug 24 2010 migrate_all_nis_offline.sh
-rwxr-xr-x. 1 root root 3006 Aug 24 2010 migrate_all_nis_online.sh
-rwxr-xr-x. 1 root root 3164 Aug 24 2010 migrate_all_nisplus_offline.sh
-rwxr-xr-x. 1 root root 3146 Aug 24 2010 migrate_all_nisplus_online.sh
-rwxr-xr-x. 1 root root 5267 Aug 24 2010 migrate_all_offline.sh
-rwxr-xr-x. 1 root root 7468 Aug 24 2010 migrate_all_online.sh
-rwxr-xr-x. 1 root root 3278 Aug 24 2010 migrate_automount.pl
-rwxr-xr-x. 1 root root 2608 Aug 24 2010 migrate_base.pl
-rw-r–r–. 1 root root 8880 Aug 24 2010 migrate_common.ph
-rwxr-xr-x. 1 root root 2952 Aug 24 2010 migrate_fstab.pl
-rwxr-xr-x. 1 root root 2714 Aug 24 2010 migrate_group.pl
-rwxr-xr-x. 1 root root 2751 Aug 24 2010 migrate_hosts.pl
-rwxr-xr-x. 1 root root 2856 Aug 24 2010 migrate_netgroup_byhost.pl
-rwxr-xr-x. 1 root root 2856 Aug 24 2010 migrate_netgroup_byuser.pl
-rwxr-xr-x. 1 root root 3879 Aug 24 2010 migrate_netgroup.pl
-rwxr-xr-x. 1 root root 2840 Aug 24 2010 migrate_networks.pl
-rwxr-xr-x. 1 root root 5635 Aug 24 2010 migrate_passwd.pl
-rwxr-xr-x. 1 root root 2428 Aug 24 2010 migrate_profile.pl
-rwxr-xr-x. 1 root root 2873 Aug 24 2010 migrate_protocols.pl
-rwxr-xr-x. 1 root root 2854 Aug 24 2010 migrate_rpc.pl
-rwxr-xr-x. 1 root root 10248 Aug 24 2010 migrate_services.pl
-rwxr-xr-x. 1 root root 3419 Aug 24 2010 migrate_slapd_conf.pl

Set your own mail domain and base DN at the lines shown (the numbers are line numbers inside migrate_common.ph and may differ between versions of the package):

[root@ldap migrationtools]# vim migrate_common.ph

70 # Default DNS domain
71 $DEFAULT_MAIL_DOMAIN = "example.com";
72
73 # Default base
74 $DEFAULT_BASE = "dc=example,dc=com";
90 $EXTENDED_SCHEMA = 1;

($EXTENDED_SCHEMA = 1 is what makes the generated user entries inetOrgPerson objects with a mail attribute, as seen in the LDIF produced below.)

[root@ldap migrationtools]# touch /root/base.ldif
Add the following content (in an LDIF file each entry must be separated from the next by a blank line):

[root@ldap migrationtools]# vim /root/base.ldif

[root@ldap migrationtools]# cat /root/base.ldif
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectclass: organization
o: example com
dc: example

dn: cn=Manager,dc=example,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=example,dc=com
objectClass: organizationalUnit
ou: Group

(The blank lines between entries were lost in the original paste; without them ldapadd rejects the file. The cn=Manager entry is just a placeholder object — authentication as the manager uses olcRootDN/olcRootPW from cn=config, not this entry.)

[root@ldap migrationtools]# useradd test1

[root@ldap migrationtools]# useradd test2

[root@ldap migrationtools]# echo "redhat" | passwd --stdin test1
Changing password for user test1.
passwd: all authentication tokens updated successfully.

[root@ldap migrationtools]# echo "redhat" | passwd --stdin test2
Changing password for user test2.
passwd: all authentication tokens updated successfully.

(The option is --stdin with two hyphens. These are throwaway lab accounts; for real accounts do not put the password on the command line like this — it is recorded in the shell history — and do not use a trivial password such as "redhat", because the hash of exactly this password is what gets copied into the directory below and served to every client.)

[root@ldap migrationtools]# tail -n2 /etc/passwd
test1:x:501:501::/home/test1:/bin/bash
test2:x:502:502::/home/test2:/bin/bash

[root@ldap migrationtools]# tail -n2 /etc/passwd > /root/passwd

[root@ldap migrationtools]# cat /root/passwd
test1:x:501:501::/home/test1:/bin/bash
test2:x:502:502::/home/test2:/bin/bash

(The redirection that creates /root/passwd was missing from the transcript. Only the two new accounts are extracted, deliberately: feeding all of /etc/passwd to the migration script would also export the system accounts into the directory. migrate_passwd.pl looks up the matching password hashes in /etc/shadow, which is why it has to run as root and why the generated LDIF below contains the {crypt} hashes even though /root/passwd only holds "x".)

[root@ldap migrationtools]# tail -n2 /etc/group
test1:x:501:
test2:x:502:

[root@ldap migrationtools]# tail -n2 /etc/group > /root/group

[root@ldap migrationtools]# cat /root/group
test1:x:501:
test2:x:502:

[root@ldap migrationtools]# ./migrate_passwd.pl /root/passwd /root/users.ldif

[root@ldap migrationtools]# ./migrate_passwd.pl /root/group /root/group.ldif

Note: the second command is a mistake — it runs the passwd migrator over the group file. That is why /root/group.ldif below is a mangled copy of users.ldif (empty gidNumber and homeDirectory, DNs under ou=People) and why its import fails with "Invalid syntax" later on. The correct command is:

[root@ldap migrationtools]# ./migrate_group.pl /root/group /root/group.ldif

which generates posixGroup entries under ou=Group,dc=example,dc=com.

[root@ldap migrationtools]# cat /root/users.ldif
dn: uid=test1,ou=People,dc=example,dc=com
uid: test1
cn: test1
sn: test1
mail: test1@example.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$6$lYtkr2Uh$H3w.h8VKnHvPKFKckf6DLN4wTXW7hG40QNhD1EbfO.nbee9vrAxZaht/efXZ5kEB8V7IzD1uSBrUe1M7kYqiV1
shadowLastChange: 16938
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 501
gidNumber: 501
homeDirectory: /home/test1

dn: uid=test2,ou=People,dc=example,dc=com
uid: test2
cn: test2
sn: test2
mail: test2@example.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$6$BG8iWYjS$r8455js658fYCeFtFa5YNuzzxhq./Y9.TQtdmKWrCO1UWHZEQqUUOdwJI4meSMhyjp9loSz9BKXG2wUa6.x5G.
shadowLastChange: 16938
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 502
gidNumber: 502
homeDirectory: /home/test2

(A blank line separates the two entries; the original paste had lost it. These entries carry the SHA-512 crypt hashes copied from /etc/shadow, so once they are imported the directory's access rules must prevent anonymous and ordinary users from reading userPassword — verify with an anonymous search such as `ldapsearch -x -H ldap://localhost -b ou=People,dc=example,dc=com userPassword`, which must not return any hash.)

[root@ldap migrationtools]# cat /root/group.ldif
(What follows is not valid group data: it is the passwd migrator's output run over the group file, so the entries have empty gidNumber/homeDirectory values and DNs under ou=People. Regenerate the file with `./migrate_group.pl /root/group /root/group.ldif` before importing it.)
dn: uid=test1,ou=People,dc=example,dc=com
uid: test1
cn: test1
sn: test1
mail: test1@example.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$6$lYtkr2Uh$H3w.h8VKnHvPKFKckf6DLN4wTXW7hG40QNhD1EbfO.nbee9vrAxZaht/efXZ5kEB8V7IzD1uSBrUe1M7kYqiV1
shadowLastChange: 16938
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
uidNumber: 501
gidNumber:
homeDirectory:
dn: uid=test2,ou=People,dc=example,dc=com
uid: test2
cn: test2
sn: test2
mail: test2@example.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$6$BG8iWYjS$r8455js658fYCeFtFa5YNuzzxhq./Y9.TQtdmKWrCO1UWHZEQqUUOdwJI4meSMhyjp9loSz9BKXG2wUa6.x5G.
shadowLastChange: 16938
shadowMin: 0shadowMax: 99999
shadowWarning: 7
uidNumber: 502
gidNumber:
homeDirectory:

[root@ldap migrationtools]# ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f /root/base.ldif
Enter LDAP Password:
adding new entry "dc=example,dc=com"
adding new entry "cn=Manager,dc=example,dc=com"
adding new entry "ou=People,dc=example,dc=com"
adding new entry "ou=Group,dc=example,dc=com"

[root@ldap migrationtools]# ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f /root/users.ldif
Enter LDAP Password:
adding new entry "uid=test1,ou=People,dc=example,dc=com"
adding new entry "uid=test2,ou=People,dc=example,dc=com"

[root@ldap migrationtools]# ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f /root/groups.ldif
Enter LDAP Password:
adding new entry "uid=test1,ou=People,dc=example,dc=com"
ldap_add: Invalid syntax (21)
additional info: gidNumber: value #0 invalid per syntax

The group import fails because the LDIF was produced by migrate_passwd.pl instead of migrate_group.pl, so its gidNumber values are empty (the file name also differs from the one written above: group.ldif was generated, groups.ldif is imported). Regenerate and import:

[root@ldap migrationtools]# ./migrate_group.pl /root/group /root/group.ldif
[root@ldap migrationtools]# ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f /root/group.ldif

Without the group entries, clients later report "cannot find name for group ID 501".

These binds use -x (simple bind) over plain ldap:// with the Manager password. That is tolerable here because client and server are the same host, but from any other machine add -ZZ (require StartTLS) — or, on the server, use `-Y EXTERNAL -H ldapi:///` as root — so the Manager password never crosses the network in clear.

[root@ldap migrationtools]# yum install "nfs*" rpcbind -y

Do not switch the firewall off as the next two commands do; open only the ports the services need. LDAP needs 389/tcp (and 636/tcp if ldaps is enabled). NFS needs 111/tcp+udp and 2049/tcp plus the mountd, statd and rquotad ports, which are assigned randomly by default (see the netstat listing below) and have to be pinned (typically in /etc/sysconfig/nfs on this platform) before fixed rules can be written — or export NFSv4 only, which needs just 2049. The commands are kept here because the rest of the session was run with the firewall down:

[root@ldap ~]# service iptables stop

[root@ldap ~]# chkconfig iptables off

[root@ldap ~]# service rpcbind start

[root@ldap ~]# chkconfig rpcbind on

[root@ldap ~]# service nfs status

[root@ldap ~]# service nfs start

[root@ldap ~]# chkconfig nfs on

(The /etc/exports entry that shares /home with the client is not in the transcript. It must exist before the client mount below can work, and it should name the client's address rather than exporting to *.)


The listing below was evidently captured later in the session: httpd, which is only started further down, is already on port 80, and slapd shows a different PID from the first check. Note the randomly numbered mountd/statd listeners — these are what make firewalling NFSv3 awkward — and that everything except cupsd and postfix is bound to all interfaces.

[root@ldap ~]# netstat -tlpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:2049 0.0.0.0:* LISTEN –
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 8822/slapd
tcp 0 0 0.0.0.0:54246 0.0.0.0:* LISTEN 3108/rpc.mountd
tcp 0 0 0.0.0.0:45959 0.0.0.0:* LISTEN 1480/rpc.statd
tcp 0 0 0.0.0.0:35849 0.0.0.0:* LISTEN 3108/rpc.mountd
tcp 0 0 0.0.0.0:875 0.0.0.0:* LISTEN 3103/rpc.rquotad
tcp 0 0 0.0.0.0:46447 0.0.0.0:* LISTEN –
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 2676/rpcbind
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1705/sshd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 1523/cupsd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1791/master
tcp 0 0 0.0.0.0:45563 0.0.0.0:* LISTEN 3108/rpc.mountd
tcp 0 0 :::2049 :::* LISTEN –
tcp 0 0 :::54754 :::* LISTEN 3108/rpc.mountd
tcp 0 0 :::389 :::* LISTEN 8822/slapd
tcp 0 0 :::35912 :::* LISTEN 3108/rpc.mountd
tcp 0 0 :::46954 :::* LISTEN 3108/rpc.mountd
tcp 0 0 :::37999 :::* LISTEN –
tcp 0 0 :::111 :::* LISTEN 2676/rpcbind
tcp 0 0 :::80 :::* LISTEN 8850/httpd
tcp 0 0 :::34640 :::* LISTEN 1480/rpc.statd
tcp 0 0 :::22 :::* LISTEN 1705/sshd
tcp 0 0 ::1:631 :::* LISTEN 1523/cupsd
tcp 0 0 ::1:25 :::* LISTEN 1791/master

—————————————————————————————————-

[root@client ~]# yum install -y openldap-clients nss-pam-ldapd
[root@client ~]# authconfig-tui

The choices made in the authconfig-tui dialog are not in the transcript. For this setup they are: enable "Use LDAP" and "Use LDAP Authentication", server ldap://ldap.example.com/, base DN dc=example,dc=com, and tick "Use TLS to encrypt connections" — without it the client sends users' passwords to the server in clear text at every login. The TLS option asks for the server certificate (the "Download CA certificate" prompt takes a URL); that is what the copy into the web root at the end of this page is for, and it must be the certificate exampleldap.pem that is published there, never the private key. Afterwards check that the client actually verifies the certificate rather than merely encrypting — for sssd, ldap_tls_reqcert = demand and ldap_tls_cacert in /etc/sssd/sssd.conf — otherwise TLS stops eavesdropping but not a spoofed server.

[root@client ~]# authconfig-tui
Starting sssd: [ OK ]

(Although nss-pam-ldapd was installed, authconfig started sssd, so it is sssd that answers the lookups below.)

[root@client ~]# getent passwd test1
test1:*:501:501:test1:/home/test1:/bin/bash

[root@client ~]# getent passwd test2
test2:*:502:502:test2:/home/test2:/bin/bash

[root@client ~]# su - test1
su: warning: cannot change directory to /home/test1: No such file or directory
id: cannot find name for group ID 501
-bash-4.1$ pwd
/root

(The option is a single hyphen: `su - test1`. The home directory does not exist on the client yet — it lives on the server and is NFS-mounted below — so the shell stays in root's current directory. The group warning appears because no group entries were imported into the directory; the group import on the server failed.)

-bash-4.1$ hostname
client.example.com

-bash-4.1$ logout

[root@client ~]# vim /etc/fstab
192.168.122.235:/home /home nfs defaults 0 0

(The NFS server address used here, 192.168.122.235, does not match the address shown for ldap.example.com at the top of the page, 192.168.122.98 — check which host really exports /home; the server's /etc/exports entry is not in the transcript. Add _netdev to the options so boot does not try the mount before the network is up. Be aware that mounting all of /home over NFS sends every user's files across the network unprotected unless the export is NFSv4 with Kerberos (sec=krb5p).)

[root@client ~]# df -hT
Filesystem Type Size Used Avail Use% Mounted on
/dev/mapper/vg_client-lv_root
ext4 13G 3.9G 8.2G 33% /
tmpfs tmpfs 499M 80K 499M 1% /dev/shm
/dev/sda1 ext4 477M 37M 415M 9% /boot

[root@client ~]# mount -a

[root@client ~]# df -hT
Filesystem Type Size Used Avail Use% Mounted on
/dev/mapper/vg_client-lv_root
ext4 13G 3.9G 8.2G 33% /
tmpfs tmpfs 499M 80K 499M 1% /dev/shm
/dev/sda1 ext4 477M 37M 415M 9% /boot
192.168.122.235:/home
nfs 13G 3.8G 8.3G 32% /home

[root@client ~]# su - test1
id: cannot find name for group ID 501

(The home directory now resolves through the NFS mount; the group warning persists until posixGroup entries are added to the directory.)

[test1@client ~]$ pwd
/home/test1

[test1@client ~]$ tail /etc/passwd
ntp:x:38:38::/etc/ntp:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
saslauth:x:498:76:Saslauthd user:/var/empty/saslauth:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
pulse:x:497:496:PulseAudio System Daemon:/var/run/pulse:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
mohammedrafi:x:500:500:mohammedrafi:/home/mohammedrafi:/bin/bash
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
nslcd:x:65:55:LDAP Client User:/:/sbin/nologin

[test1@client ~]$ hostname
client.example.com

[test1@client ~]$ touch 123

[test1@client ~]$ ls -l
total 0
-rw-r--r--. 1 nobody nobody 0 May 17 12:24 123

———————– In server ————————

[root@ldap ~]# ls -l /home/test1/
total 0
-rw-r--r--. 1 test1 test1 0 May 17 12:24 123

The file is owned by test1 on the server but shown as nobody:nobody on the client. If the mount is NFSv4 (check with `mount | grep /home`), ownership is transmitted by name and translated by idmapd, and a name the client cannot map — here at least the group, which exists only on the server — falls back to nobody; both hosts must also agree on the Domain setting in /etc/idmapd.conf. Importing the posixGroup entries into LDAP and restarting the idmap/NFS services on the client should make the owner show as test1:test1.

[root@ldap ~]# yum install epel-release

[root@ldap ~]# yum install phpldapadmin -y

Make the changes at the line numbers given. The two file names appear to be swapped in the original write-up: the $servers->setValue() lines belong in /etc/phpldapadmin/config.php, and the Allow from directive in /etc/httpd/conf.d/phpldapadmin.conf.

[root@ldap ~]# vim /etc/phpldapadmin/config.php
397 $servers->setValue('login','attr','dn');
398 //$servers->setValue('login','attr','uid');

(login attr dn means you log in with the full DN, e.g. cn=Manager,dc=example,dc=com.)

[root@ldap ~]# vim /etc/httpd/conf.d/phpldapadmin.conf
Allow from 127.0.0.1 192.168.122.235

Keep the Allow from list as tight as this — phpLDAPadmin is a web front end to the directory operated with the Manager password. httpd on this server listens on port 80 only (see the netstat listing above), so the Manager password typed into the login form travels in clear text; put the interface behind HTTPS (mod_ssl) before using it from anywhere but the server itself.

[root@ldap ~]# service slapd restart
Stopping slapd: [ OK ]
Checking configuration files for slapd: [WARNING]
573acab8 ldif_read_file: checksum error on “/etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif”
573acab8 ldif_read_file: checksum error on “/etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif”
config file testing succeeded
Starting slapd: [ OK ]

[root@ldap ~]# service httpd status
httpd is stopped

[root@ldap ~]# service httpd start
Starting httpd: [ OK ]

[root@ldap ~]# chkconfig httpd on

[root@ldap ~]# cp /etc/pki/tls/certs/exampleldapkey.pem /var/www/html/

[root@ldap ~]# ls -l /var/www/html/
total 4
-rw-r--r--. 1 root root 1704 May 17 13:16 exampleldapkey.pem

WARNING — this step is a serious mistake: it publishes the TLS PRIVATE KEY, world-readable, in the document root of an HTTP server reachable from the network. Anyone who fetches http://ldap.example.com/exampleldapkey.pem can impersonate the LDAP server to every client and, for cipher suites without forward secrecy, decrypt recorded client traffic; since the key was generated with -nodes, no passphrase is needed. What the client's "download CA certificate" step needs is the public certificate:

[root@ldap ~]# rm -f /var/www/html/exampleldapkey.pem
[root@ldap ~]# cp /etc/pki/tls/certs/exampleldap.pem /var/www/html/

If the key file was reachable over the network for any length of time, treat it as compromised: generate a new key and certificate with the openssl command used earlier, point olcTLSCertificateFile/olcTLSCertificateKeyFile at the new files, restart slapd and redistribute the new certificate. Remove the certificate from the web root once the client has it, or copy it to the client with scp instead of publishing it at all.

——————–on client side——
