OpenLDAP Server Configuration on RHEL 7 / CentOS 7
Step 1: Install the following packages:
# yum install -y openldap openldap-clients openldap-servers migrationtools
Step 2: Generate a hashed password for the Manager (rootdn) account; the lab password here is "redhat". Run slappasswd without -s so that it prompts for the password: "-s redhat" leaves the clear-text password in the shell history and in process listings. The -n flag drops the trailing newline so the hash can be pasted as-is. Only the {SSHA} hash goes into the configuration, but keep the file root-only (chmod 600) anyway:
# slappasswd -n > /etc/openldap/secret-passwd
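The value that slappasswd writes, and that Step 3 pastes into olcRootPW, is an {SSHA} hash. The following is an added example (not part of the original handout) showing how that value is built and how to verify that the hash in /etc/openldap/secret-passwd really matches the password you typed before slapd is configured with it. The file path and the lab password "redhat" in the demo are assumptions taken from the steps above.

```python
#!/usr/bin/env python3
"""Added example (not part of the original handout): build and verify the
{SSHA} password hash that slappasswd emits and that olcRootPW expects.

Format of the scheme OpenLDAP implements as {SSHA}:
    "{SSHA}" + base64( sha1(password || salt) || salt )
slappasswd uses a random 4-byte salt by default; verification does not
depend on the salt length, because the salt is simply whatever follows
the 20-byte SHA-1 digest.
"""
import base64
import hashlib
import hmac
import os

SCHEME = "{SSHA}"
DIGEST_LEN = hashlib.sha1().digest_size  # 20 bytes


def ssha_hash(password, salt=None):
    """Return an olcRootPW/userPassword value for `password`.

    A random 4-byte salt is drawn unless one is supplied (a fixed salt
    gives a deterministic value, useful for tests).
    """
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check `password` against a stored {SSHA} value.

    Returns False for any other scheme, for undecodable base64, and for
    values too short to hold a digest plus at least one salt byte.
    """
    if not stored.startswith(SCHEME):
        return False
    try:
        raw = base64.b64decode(stored[len(SCHEME):], validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return False
    if len(raw) <= DIGEST_LEN:
        return False
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    expected = hashlib.sha1(password.encode("utf-8") + salt).digest()
    # constant-time comparison so timing does not reveal matching prefixes
    return hmac.compare_digest(expected, digest)


def check_secret_file(path, password):
    """Verify the hash written in Step 2 (slappasswd -n > path) against
    `password`; -n already omits the newline, but strip defensively."""
    with open(path, "r", encoding="ascii") as fh:
        stored = fh.read().strip()
    return ssha_verify(password, stored)


if __name__ == "__main__":
    # Constructed demo: write a hash to a temporary file and check it the
    # way one would check /etc/openldap/secret-passwd (assumed password
    # "redhat" from the lab).
    import tempfile
    with tempfile.NamedTemporaryFile("w", delete=False) as tmp:
        tmp.write(ssha_hash("redhat"))
    print("secret file verifies:", check_secret_file(tmp.name, "redhat"))
    print("wrong password rejected:", not check_secret_file(tmp.name, "Redhat"))
    os.unlink(tmp.name)
```

Run it as root with the real path to confirm the hash before pasting it: a mismatch here is far cheaper to find than a failing Manager bind in Step 15.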
Step 3: Configure the OpenLDAP server. On RHEL 7 the default database backend is hdb, so the file is olcDatabase={2}hdb.ldif (list /etc/openldap/slapd.d/cn=config/ if yours differs). slapd-config(5) says these files should not be edited directly; the intended way is ldapmodify over ldapi:///. Editing by hand still works, but it invalidates the CRC that slapd keeps in each file header, so slaptest and slapd will log a "checksum error" for the file afterwards. If you edit by hand as below, do it while slapd is stopped:
# vim /etc/openldap/slapd.d/"cn=config"/"olcDatabase={2}hdb.ldif"
# do the following changes
olcSuffix: dc=example,dc=com
olcRootDN: cn=Manager,dc=example,dc=com
olcRootPW: PASTE THE {SSHA} HASH HERE from /etc/openldap/secret-passwd (the hash, never the clear-text password)
:wq (save and exit)
The TLS certificate settings are global options of the cn=config entry, not of the database, so they belong in the top-level file; replace any olcTLS* lines already there. The certificate and key themselves are created in Step 5:
# vim /etc/openldap/slapd.d/"cn=config.ldif"
# do the following changes
olcTLSCertificateFile: /etc/pki/CA/cacert.pem
olcTLSCertificateKeyFile: /etc/pki/CA/private/cakey.pem
:wq (save and exit)
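The same settings applied the way slapd-config(5) intends, through ldapmodify against the running server, as an added example that is not part of the original handout. It assumes slapd has been started (Step 10), that the certificate and key from Steps 5 and 6 already exist, that the database is RHEL 7's default hdb, and that the {SSHA} placeholder is replaced with the hash from /etc/openldap/secret-passwd.

```ldif
# Added example, not from the original handout: Step 3 settings applied with
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f server-config.ldif
# The EXTERNAL bind over ldapi maps the local root user to the identity that
# the default configuration database grants "manage" access, so no password
# is involved. The {SSHA} value is a placeholder for the hash in
# /etc/openldap/secret-passwd. Confirm the database DN first with
#   ls /etc/openldap/slapd.d/cn=config/

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=example,dc=com
-
replace: olcRootDN
olcRootDN: cn=Manager,dc=example,dc=com
-
replace: olcRootPW
olcRootPW: {SSHA}REPLACE_WITH_HASH_FROM_secret-passwd

# The TLS options are global, so they go on cn=config, not on the database.
# Both are changed in one operation so slapd never sees a cert/key mismatch.
dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/pki/CA/cacert.pem
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/pki/CA/private/cakey.pem
```

Because the change goes through slapd, the CRC in the slapd.d files stays valid and the new values are live immediately; a subsequent slaptest -u should then report no checksum warnings.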
Step 4: Restrict the monitor database to the local root user (over ldapi) and to the Manager DN. The shipped file names cn=Manager,dc=my-domain,dc=com; change it to your Manager DN:
# vim /etc/openldap/slapd.d/"cn=config"/"olcDatabase={1}monitor.ldif"
# do the following change
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=example,dc=com" read by * none
:wq (save and exit)
Step 5: Generate a self-signed X.509 certificate and key, valid for 365 days. The Common Name must be the host name clients put in their LDAP URI (server1.example.com), otherwise certificate verification on the client fails. -nodes leaves the key unencrypted because slapd has to read it unattended at start-up, which is why Step 6 locks the file down:
# openssl req -new -x509 -nodes -out /etc/pki/CA/cacert.pem -keyout /etc/pki/CA/private/cakey.pem -days 365
Country Name (2 letter code) [XX]: IN
State or Province Name (full name) []: Delhi
Locality Name (eg, city) [Default City]: New Delhi
Organization Name (eg, company) [Default Company Ltd]: Example, Inc.
Organizational Unit Name (eg, section) []: Training
Common Name (eg, your name or your server's hostname) []:server1.example.com
Email Address []: root@server1.example.com
Step 6: Restrict the key material. slapd runs as the ldap user and must read the key; nobody else should. The certificate itself is public and may stay world-readable:
# cd /etc/pki/CA/
# chown ldap:ldap cacert.pem
# cd /etc/pki/CA/private/
# chown ldap:ldap cakey.pem
# chmod 600 cakey.pem
Step 7: Prepare the database directory. Without a DB_CONFIG slapd starts with built-in defaults and logs a warning; the sample file is a reasonable starting point. The directory must be owned by the ldap user:
# cp -v /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
# chown -R ldap:ldap /var/lib/ldap/
Step 8: Enable LDAPS (port 636) alongside plain LDAP (port 389, which clients upgrade with STARTTLS) and the local Unix socket used for administration:
#vim /etc/sysconfig/slapd
#Do the following changes
SLAPD_URLS="ldapi:/// ldap:/// ldaps:///"
:wq (save and exit)
Step 9: Test the configuration. The last line must read "config file testing succeeded". If the slapd.d files were edited by hand, a "checksum error" warning for each edited file is expected and harmless:
# slaptest -u
Step 10: Start and enable the slapd service at boot:
# systemctl start slapd
# systemctl enable slapd
Step 11: Check that slapd is listening on 389 and 636. netstat comes from net-tools, which is not installed by default on RHEL 7; ss from iproute is:
# ss -ltnp | egrep ':(389|636) '
# netstat -tunlp | egrep "389|636"   (if net-tools is installed)
Step 12: Load the additional schemas. The EXTERNAL (peer-credential) bind over ldapi identifies the local root user, so no -D is needed. core.ldif is already part of the default configuration and re-adding it fails with "Already exists"; cosine and nis are required by the migration tools, and inetorgperson depends on cosine, so keep that order:
# cd /etc/openldap/schema
# ldapadd -Y EXTERNAL -H ldapi:/// -f cosine.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -f nis.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -f inetorgperson.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -f collective.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -f corba.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -f duaconf.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -f dyngroup.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -f java.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -f misc.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -f openldap.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -f pmi.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -f ppolicy.ldif
##################################################
# NOTE: load only the schema files you actually need. #
##################################################
Step 13: Use the migration tools to create the LDAP DIT. The line numbers below refer to the migrationtools version shipped with RHEL 7 and are approximate; search for the variable names:
# cd /usr/share/migrationtools
# vim migrate_common.ph
# do the following changes
around line 61, change the group container from "ou=Group" to "ou=Groups"
$NAMINGCONTEXT{'group'} = "ou=Groups";
around line 71, set your mail domain
$DEFAULT_MAIL_DOMAIN = "example.com";
around line 74, set your base DN
$DEFAULT_BASE = "dc=example,dc=com";
around line 90, enable the extended schema (inetOrgPerson attributes; needs the schemas loaded in Step 12)
$EXTENDED_SCHEMA = 1;
:wq (save and exit)
Step 14: Generate base.ldif for your domain DIT (the dc=example,dc=com entry plus the ou=People, ou=Groups and other containers):
# ./migrate_base.pl > /root/base.ldif
Step 15: Load base.ldif into the LDAP database. -W prompts for the Manager password: the clear-text one chosen in Step 2, not the hash:
# ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f /root/base.ldif
Step 16: Create some local users to migrate into LDAP (useradd also creates a private group for each), with home directories under /home/guests so they can be exported over NFS later:
#mkdir /home/guests
#useradd -d /home/guests/ldapuser1 ldapuser1
#useradd -d /home/guests/ldapuser2 ldapuser2
#useradd -d /home/guests/ldapuser3 ldapuser3
#useradd -d /home/guests/ldapuser4 ldapuser4
#useradd -d /home/guests/ldapuser5 ldapuser5
#echo 'password' | passwd --stdin ldapuser1
#echo 'password' | passwd --stdin ldapuser2
#echo 'password' | passwd --stdin ldapuser3
#echo 'password' | passwd --stdin ldapuser4
#echo 'password' | passwd --stdin ldapuser5
Step 17: Extract the account, password-hash and group entries for these users into separate files. "tail -n 5" only works if the five accounts happen to be the last entries; filtering by name is safer. /root/shadow holds the password hashes, so keep it readable by root only:
# getent passwd | grep ldapuser > /root/users
# getent shadow | grep ldapuser > /root/shadow
# getent group | grep ldapuser > /root/groups
Step 18: Remove the local accounts. Use userdel without -r so the home directories under /home/guests stay in place; they are served to clients over NFS in Step 22. The names remain unresolvable until Step 20 loads them into LDAP:
#userdel ldapuser1
#userdel ldapuser2
#userdel ldapuser3
#userdel ldapuser4
#userdel ldapuser5
Step 19: Create the LDIF files for these users and groups with the migration tools. migrate_passwd.pl reads the password hashes from a hard-coded /etc/shadow, so point it at the copy from Step 17:
# cd /usr/share/migrationtools/
# vim migrate_passwd.pl
# around line 188, replace /etc/shadow with /root/shadow
:wq (save and exit)
# ./migrate_passwd.pl /root/users > /root/users.ldif
# ./migrate_group.pl /root/groups > /root/groups.ldif
Step 20: Load the users and groups into the LDAP database. users.ldif and /root/shadow both contain the {crypt} password hashes, so delete them once the import has succeeded:
# ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f /root/users.ldif
# ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f /root/groups.ldif
Step 21: Search the whole DIT anonymously to verify the import. Note that the database has no olcAccess rules yet, which slapd treats as "to * by * read", so this anonymous search also returns every userPassword hash; add an access rule on the database before exposing the server beyond the lab:
# ldapsearch -x -b "dc=example,dc=com" -H ldap://server1.example.com
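An access rule that closes that hole, as an added example that is not part of the original handout. It assumes the database DN from Step 3 (olcDatabase={2}hdb,cn=config) and the ou=People container that migrate_base.pl creates; the Manager DN is the rootdn and bypasses ACLs, so it needs no rule of its own.

```ldif
# Added example, not from the original handout: restrict userPassword on the
# example.com database. Apply with:
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif
# Rule {0}: a user may change only their own password, anyone may
# authenticate against it (simple bind), nobody else may read it.
# Rule {1}: everything else stays readable, which is what sssd's anonymous
# lookups in Step 25 rely on.

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to * by * read
```

Check the result from any host: before the change, ldapsearch -x -LLL -b dc=example,dc=com uid=ldapuser1 userPassword prints a userPassword line; afterwards it prints only the DN. Authentication must still work, so ldapwhoami -x -D uid=ldapuser1,ou=People,dc=example,dc=com -W with the user's password should still return that DN.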
Step 22: Export the home directories over NFS to the client subnet. With the default sec=sys the server trusts whatever UID a client presents, so limit the export to the subnet of managed clients rather than the whole network:
# vim /etc/exports
# Add the following line:
/home/guests 192.168.48.0/255.255.255.0(rw,sync)
:wq (save and exit)
# systemctl start nfs
# systemctl enable nfs
Step 23: Publish the CA certificate to clients over FTP/HTTP. The certificate is public, but clients fetch it over an unauthenticated channel and will trust whatever they receive, so compare its SHA-256 fingerprint (openssl x509 -in cacert.pem -noout -fingerprint -sha256) on the client with the value printed on the server before using it:
# yum install vsftpd httpd -y
# cp -v /etc/pki/CA/cacert.pem /var/ftp/pub/
# ln -s /var/ftp/pub/ /var/www/html/
# systemctl start vsftpd
# systemctl enable vsftpd
# systemctl start httpd
# systemctl enable httpd
Step 24: On the client machine, install the following packages (sssd performs both the user lookups and the authentication; authconfig writes its configuration):
# yum install openldap-clients sssd pam_ldap authconfig-gtk -y
Step 25: Run "authconfig-gtk" to configure the machine as an LDAP client:
# authconfig-gtk
Click on the "Identity & Authentication" tab
In the "User Account Database" drop-down menu select "LDAP"
LDAP Search Base DN: dc=example,dc=com
LDAP Server: ldap://server1.example.com
Tick the "Use TLS to encrypt connections" check box
Click "Download CA Certificate"
Certificate URL: http://server1.example.com/pub/cacert.pem
Authentication Protocol: LDAP Password
Click "OK"
"LDAP Password" means a simple bind: the user's password is sent to the server, which is why the TLS option is not optional here (sssd will not send it over a clear-text connection). Verify that the client now resolves an LDAP user:
# getent passwd ldapuser1
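For clients without a desktop, the same result can be reached with the command-line tool (authconfig --enableldap --enableldapauth --ldapserver=ldap://server1.example.com --ldapbasedn="dc=example,dc=com" --enableldaptls --ldaploadcacert=http://server1.example.com/pub/cacert.pem --update) or by writing sssd's configuration directly. The file below is an added example, not part of the original handout and not what authconfig generates verbatim; the CA file path is an assumption (copy cacert.pem there yourself after checking its fingerprint as in Step 23).

```ini
# Added example, not from the original handout: /etc/sssd/sssd.conf for the
# client in Step 25. sssd refuses to start unless this file is owned by root
# with mode 0600. Apply with:
#   chmod 600 /etc/sssd/sssd.conf; authconfig --enablesssd --enablesssdauth --update
#   systemctl restart sssd; getent passwd ldapuser1
[sssd]
config_file_version = 2
services = nss, pam
domains = default

[domain/default]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://server1.example.com
ldap_search_base = dc=example,dc=com
# "LDAP Password" in authconfig is a simple bind, so the password travels
# to the server; upgrade the port-389 connection with STARTTLS first.
ldap_id_use_start_tls = True
# demand: fail unless the server certificate chains to the CA file below and
# its CN matches server1.example.com (sssd's default "hard" is equivalent).
ldap_tls_reqcert = demand
# assumed location of the CA certificate fetched in Step 25
ldap_tls_cacert = /etc/openldap/cacerts/cacert.pem
# let users who have logged in before authenticate while the server is down
cache_credentials = True
```

Never relax ldap_tls_reqcert to "allow" or "never" to make a failing setup work: that keeps the encryption but drops the check that the peer is really server1.example.com, so the password would be sent to whoever answers on the LAN. Fix the CN or the CA file instead.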
Step 26: Configure the client to mount the LDAP users' home directories from server1.example.com on demand:
#yum install autofs -y
#vim /etc/auto.master
#add the following line
/home/guests /etc/auto.guests
:wq (save and exit)
#vim /etc/auto.guests
#add the following line
* -rw server1.example.com:/home/guests/&
:wq (save and exit)
Step 27: Now start and enable autofs service at boot:
#systemctl restart autofs
#systemctl enable autofs
Step 28: Log in as an LDAP user on the client machine:
# ssh ldapuser1@client.example.com
Password: password
[ldapuser1@client.example.com ~]$
If the login or the home directory mount fails, check firewalld on the server: open the ldap, ldaps, nfs, mountd, rpc-bind, http and ftp services with firewall-cmd (--permanent, then --reload) rather than disabling the firewall.
############ Congratulations, you have configured an LDAP server and client ##############