
OpenLDAP server and client configuration in RHEL 6 with TLS


Let's walk through setting up an OpenLDAP server on RHEL 6 and then connecting a client to it over TLS.
 
In my setup:
server name: node5.example.com
IP address: 192.168.0.100/24
domain name: example.com
openldap-servers version: 2.4.23-20
server OS: Red Hat Enterprise Linux 6.2



Step 1: First we need to install the required packages:

#yum install openldap-servers openldap-clients

openldap-servers provides slapd and its helper tools (slappasswd, slaptest); openldap-clients provides ldapsearch, ldapadd and ldapmodify, which we need on the server as well, to load data and to test the setup.

Step 2: On RHEL 6 the configuration for LDAP is stored inside the LDAP server itself (the cn=config backend), as LDIF files under /etc/openldap/slapd.d/; the old /etc/openldap/slapd.conf is not read when that directory exists. Below we edit those files directly, which is acceptable while slapd is still stopped; the supported way to change a running server is ldapmodify over ldapi:///, and after any hand edit the slaptest check later in this guide is mandatory.


First of all we need to set the password for the administrator (the rootdn, called Manager in the default configuration). Generate the hash with:

#slappasswd
New password: mypasswd
Re-enter new password: mypasswd

You'll get something like "{SSHA}r2or9f2vYlvieCu0LP6wTnSdYfrddsuV" as a result: a salted SHA-1 hash of the password. This is the string we will add to the config file (never the clear-text password), so copy it. Pick a real password rather than mypasswd; anyone who can read the config file gets this hash to crack offline.

Now it is time to open the database configuration file:

# vim /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}bdb.ldif

Here we need to change the domain name. The file contains the suffix (olcSuffix) and the rootdn (olcRootDN) for the stock domain, so substitute "dc=my-domain,dc=com" with "dc=example,dc=com" in both. You can replace the domain manually, with sed, or with this substitution inside vim:

:%s/dc=my-domain,dc=com/dc=example,dc=com/g

Step 3: We now set the administrator (Manager) password. After the substitution above, bdb.ldif already carries olcRootDN: cn=Manager,dc=example,dc=com; add the hash from slappasswd as the last line of the same file so that this DN can bind:

olcRootPW: {SSHA}r2or9f2vYlvieCu0LP6wTnSdYfrddsuV

To encrypt connections we also tell slapd where its certificate and private key are. These two attributes are global settings (they belong to the cn=config entry, not to a database), so they go into /etc/openldap/slapd.d/cn\=config.ldif rather than into bdb.ldif. RHEL 6 ships that file with olcTLSCertificateFile and olcTLSCertificateKeyFile already set, pointing at the NSS database under /etc/openldap/certs; replace those two values with our PEM files (the files themselves are created in Step 6):

olcTLSCertificateFile: /etc/pki/tls/certs/example.pem
olcTLSCertificateKeyFile: /etc/pki/tls/certs/examplekey.pem


Step 4: Now we have to specify the monitoring privileges. The monitor backend exposes slapd's runtime statistics (connections, operations, threads), and its default access rule names the stock rootdn, so our administrator can only read it once we change that rule in this file:

#vim /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{1\}monitor.ldif

Again we have to replace the default DN with our DN, manually, with sed, or with this substitution inside vim:

:%s/cn=manager,dc=my-domain,dc=com/cn=Manager,dc=example,dc=com/g

(DNs are compared case-insensitively, so cn=manager and cn=Manager are the same DN; what matters is that the domain components now match our suffix.)
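The edits to bdb.ldif and monitor.ldif above are made by hand while slapd is stopped. The same settings can be applied to a running slapd, in the way OpenLDAP supports, by sending them to the cn=config backend with ldapmodify over the local ldapi:/// socket. The following is an added example, not part of the original post: a small Python 3 (standard library) script that generates that LDIF. It assumes the RHEL 6 defaults that ldapi:/// is enabled in /etc/sysconfig/ldap and that local root (the peercred mapping) has manage rights on cn=config, that the hash was produced with slappasswd, and that the data database is olcDatabase={2}bdb. It also does something the post does not: it adds an access rule so that userPassword hashes are not readable by anonymous searches, which is slapd's default when no olcAccess exists. The file paths and the sample hash are taken from the post.

```python
"""Emit the cn=config changes as LDIF for ldapmodify (added example).

Usage on the server, as root, with slapd running:
    python3 mkconfig.py > config.ldif
    ldapmodify -Y EXTERNAL -H ldapi:/// -f config.ldif
"""

# The hash printed in the post; generate your own with slappasswd.
SAMPLE_HASH = "{SSHA}r2or9f2vYlvieCu0LP6wTnSdYfrddsuV"


def domain_to_dn(domain):
    """'example.com' -> 'dc=example,dc=com'."""
    labels = [p for p in domain.strip().lower().split(".") if p]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join("dc=" + p for p in labels)


def _modify(dn, *replacements):
    """One LDIF 'changetype: modify' record replacing each (attr, values)."""
    lines = ["dn: " + dn, "changetype: modify"]
    for attr, values in replacements:
        lines.append("replace: " + attr)
        lines.extend("%s: %s" % (attr, v) for v in values)
        lines.append("-")
    return "\n".join(lines) + "\n"


def config_modify_ldif(domain, root_pw_hash, cert, key, admin_cn="Manager",
                       data_db="olcDatabase={2}bdb,cn=config"):
    """Return the LDIF that sets suffix, rootdn, rootpw, ACLs and TLS files."""
    if not root_pw_hash.startswith("{"):
        raise ValueError("root_pw_hash must be a slappasswd hash, not clear text")
    suffix = domain_to_dn(domain)
    admin_dn = "cn=%s,%s" % (admin_cn, suffix)

    # Without any olcAccess slapd's policy is "read by *", which hands every
    # userPassword hash to anonymous searches.  Rule 0 closes that hole and
    # still lets users change their own password; rule 1 keeps the post's
    # anonymous ldapsearch tests working.  "to * by self write" is avoided on
    # purpose: it would let a user rewrite their own uidNumber.
    data_acl = [
        "{0}to attrs=userPassword by self write by anonymous auth by * none",
        "{1}to * by * read",
    ]
    # Same shape as the stock RHEL 6 monitor rule, with our rootdn.
    monitor_acl = ('{0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,'
                   'cn=external,cn=auth" read by dn.base="%s" read by * none'
                   % admin_dn)

    records = [
        # TLS settings are global (olcGlobal), so they belong to cn=config.
        _modify("cn=config",
                ("olcTLSCertificateFile", [cert]),
                ("olcTLSCertificateKeyFile", [key])),
        _modify(data_db,
                ("olcSuffix", [suffix]),
                ("olcRootDN", [admin_dn]),
                ("olcRootPW", [root_pw_hash]),
                ("olcAccess", data_acl)),
        _modify("olcDatabase={1}monitor,cn=config",
                ("olcAccess", [monitor_acl])),
    ]
    return "\n".join(records)


if __name__ == "__main__":
    print(config_modify_ldif("example.com", SAMPLE_HASH,
                             "/etc/pki/tls/certs/example.pem",
                             "/etc/pki/tls/certs/examplekey.pem"), end="")
```

Because ldapmodify talks to the running server, the new TLS paths take effect immediately and a typo is reported as an error instead of silently breaking the next restart; the hand-edited files in slapd.d must not be touched afterwards, since slapd rewrites them itself.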

Step 5: Now it is time for the database cache. Without a DB_CONFIG file in the database directory slapd prints a warning at start-up and runs Berkeley DB with its very small default cache, so we copy the example file shipped with the package into place:

#cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

slapd runs as the ldap user, so the database directory and everything in it must be owned by it:

#chown -Rf ldap:ldap /var/lib/ldap/


Step 6: Now we will need to set up a certificate for TLS. First we enable the ldaps:// listener (port 636) by editing /etc/sysconfig/ldap and changing the SLAPD_LDAPS option in this manner:

#vim /etc/sysconfig/ldap
SLAPD_LDAPS=yes -----(default is no)

The plain ldap:// listener on port 389 stays enabled as well; clients can upgrade it with STARTTLS once the certificate is in place.

Now we need to create the certificate.

There are lots of ways to generate one; I am going with a self-signed certificate from openssl:

#openssl req -new -x509 -nodes -out /etc/pki/tls/certs/example.pem -keyout /etc/pki/tls/certs/examplekey.pem -days 365

Fill in the information the command asks for. The Common Name must be the hostname clients will connect to (node5.example.com here), otherwise clients that verify the certificate will refuse it. -nodes writes the private key unencrypted, which slapd needs in order to start unattended, so file permissions are the only thing protecting that key. With -days 365 the certificate expires after a year and every client stops working at that point, so note the date.

This creates the certificate and the private key in the /etc/pki/tls/certs/ directory. slapd runs as the ldap user, so both must be readable by it, and the key must not be readable by anyone else:

# chown root:ldap /etc/pki/tls/certs/example.pem /etc/pki/tls/certs/examplekey.pem
# chmod 644 /etc/pki/tls/certs/example.pem
# chmod 640 /etc/pki/tls/certs/examplekey.pem

Check that the ldap user can read both files before going on; a key it cannot read makes slapd fail at start-up, and a key readable by everyone lets any local user impersonate the server.


Step 7: Time to test our configuration:

# slaptest -u

The answer should end with "config file testing succeeded". -u runs the check without opening the databases, so it works before the first start as well. Any complaint about an attribute or a file path points at one of the hand edits above.
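slaptest checks the syntax of the configuration, but not whether the things Steps 5 to 7 depend on are actually in place: the DB_CONFIG file, the SLAPD_LDAPS switch, and a certificate and key the ldap user can read while nobody else can read the key. The following added example (not from the original post) is a Python 3 pre-start audit that checks exactly those points. The paths default to the post's; because the real paths need root on the server, demo_audit() builds a good and a deliberately broken layout in a temporary directory (constructed data) so the checks can be run anywhere, with the calling user standing in for root:ldap.

```python
"""Pre-start audit for the LDAP server host (added example)."""
import grp
import os
import pwd
import stat
import tempfile


def parse_sysconfig(text):
    """KEY=value lines of /etc/sysconfig/ldap; comments and blanks ignored."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip().strip("\"'")
    return conf


def _owner_names(st):
    """(user, group) names for a stat result, falling back to numeric ids."""
    try:
        user = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        user = str(st.st_uid)
    try:
        group = grp.getgrgid(st.st_gid).gr_name
    except KeyError:
        group = str(st.st_gid)
    return user, group


def audit(cert, key, db_dir, sysconfig, owner="root", group="ldap"):
    """Return a list of findings; an empty list means slapd is ready to start."""
    findings = []
    if not os.path.isfile(os.path.join(db_dir, "DB_CONFIG")):
        findings.append("no DB_CONFIG in %s: slapd will warn and use BDB's tiny default cache" % db_dir)
    try:
        with open(sysconfig) as fh:
            conf = parse_sysconfig(fh.read())
    except IOError:
        conf = {}
    if conf.get("SLAPD_LDAPS", "no").lower() != "yes":
        findings.append("SLAPD_LDAPS is not yes in %s: no ldaps:// listener on 636" % sysconfig)
    for path, is_key in ((cert, False), (key, True)):
        if not os.path.isfile(path):
            findings.append("%s is missing" % path)
            continue
        st = os.stat(path)
        user, grp_name = _owner_names(st)
        if (user, grp_name) != (owner, group):
            findings.append("%s is owned by %s:%s, expected %s:%s" % (path, user, grp_name, owner, group))
        if not st.st_mode & stat.S_IRGRP:
            findings.append("%s is not group-readable: the %s user cannot load it" % (path, group))
        # The private key must stay within root:ldap: no access for others,
        # and the group must not be able to replace it either.
        if is_key and st.st_mode & (stat.S_IRWXO | stat.S_IWGRP):
            findings.append("%s is readable or writable beyond %s:%s (mode %o); use 0640"
                            % (path, owner, group, stat.S_IMODE(st.st_mode)))
    return findings


def demo_audit():
    """Run audit() over a constructed good layout and a constructed bad one."""
    results = {}
    for name, good in (("good", True), ("bad", False)):
        root = tempfile.mkdtemp()
        certs, db = os.path.join(root, "certs"), os.path.join(root, "ldap")
        os.makedirs(certs)
        os.makedirs(db)
        cert = os.path.join(certs, "example.pem")
        key = os.path.join(certs, "examplekey.pem")
        sysconf = os.path.join(root, "sysconfig-ldap")
        with open(cert, "w") as fh:
            fh.write("-----BEGIN CERTIFICATE-----\n")      # placeholder, not a real cert
        with open(key, "w") as fh:
            fh.write("-----BEGIN RSA PRIVATE KEY-----\n")  # placeholder, not a real key
        with open(sysconf, "w") as fh:
            fh.write("# constructed sample\nSLAPD_LDAPS=%s\n" % ("yes" if good else "no"))
        os.chmod(cert, 0o644)
        os.chmod(key, 0o640 if good else 0o644)          # bad: key readable by everyone
        if good:
            open(os.path.join(db, "DB_CONFIG"), "w").close()
        owner, group = _owner_names(os.stat(key))        # whoever runs the demo plays root:ldap
        results[name] = audit(cert, key, db, sysconf, owner=owner, group=group)
    return results


if __name__ == "__main__":
    for name, findings in demo_audit().items():
        print("%s layout: %s" % (name, findings or "ready"))
```

On the real server call audit("/etc/pki/tls/certs/example.pem", "/etc/pki/tls/certs/examplekey.pem", "/var/lib/ldap", "/etc/sysconfig/ldap") as root and fix every finding before running service slapd start.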



Step 8: Start the ldap server

#service slapd start

Let's check if our ldap server really works:

#ldapsearch -x -b "dc=example,dc=com"

At this point the directory is empty, so the expected answer is "search: 2" followed by "result: 32 No such object": slapd accepted the connection and searched its suffix, it just has no entries yet. If you get that, you're on track; "Can't contact LDAP server" means slapd is not listening.

Step 9: Configure the base domain. The suffix entry dc=example,dc=com and the organizational units below it have to exist before any user can be added. You can create this file manually or download it from this link:

http://www.4shared.com/file/TtQTedYv/base.html

#vim /root/base.ldif


dn: dc=example,dc=com
dc: example
objectClass: top
objectClass: domain
objectClass: domainRelatedObject
associatedDomain: example.com

dn: ou=Hosts,dc=example,dc=com
ou: Hosts
objectClass: top
objectClass: organizationalUnit
objectClass: domainRelatedObject
associatedDomain: example.com

dn: ou=Rpc,dc=example,dc=com
ou: Rpc
objectClass: top
objectClass: organizationalUnit
objectClass: domainRelatedObject
associatedDomain: example.com

dn: ou=Services,dc=example,dc=com
ou: Services
objectClass: top
objectClass: organizationalUnit
objectClass: domainRelatedObject
associatedDomain: example.com

dn: nisMapName=netgroup.byuser,dc=example,dc=com
nismapname: netgroup.byuser
objectClass: top
objectClass: nisMap
objectClass: domainRelatedObject
associatedDomain: example.com

dn: ou=Mounts,dc=example,dc=com
ou: Mounts
objectClass: top
objectClass: organizationalUnit
objectClass: domainRelatedObject
associatedDomain: example.com

dn: ou=Networks,dc=example,dc=com
ou: Networks
objectClass: top
objectClass: organizationalUnit
objectClass: domainRelatedObject
associatedDomain: example.com

dn: ou=People,dc=example,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit
objectClass: domainRelatedObject
associatedDomain: example.com

dn: ou=Group,dc=example,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit
objectClass: domainRelatedObject
associatedDomain: example.com

dn: ou=Netgroup,dc=example,dc=com
ou: Netgroup
objectClass: top
objectClass: organizationalUnit
objectClass: domainRelatedObject
associatedDomain: example.com

dn: ou=Protocols,dc=example,dc=com
ou: Protocols
objectClass: top
objectClass: organizationalUnit
objectClass: domainRelatedObject
associatedDomain: example.com

dn: ou=Aliases,dc=example,dc=com
ou: Aliases
objectClass: top
objectClass: organizationalUnit
objectClass: domainRelatedObject
associatedDomain: example.com

dn: nisMapName=netgroup.byhost,dc=example,dc=com
nismapname: netgroup.byhost
objectClass: top
objectClass: nisMap
objectClass: domainRelatedObject
associatedDomain: example.com




Now we import our base information into the directory, binding as the Manager (-W prompts for the password whose hash we stored as olcRootPW). Run this on the server itself: with -x the password travels in clear text, which is harmless on the loopback interface but not across the network (there, add -ZZ or use -H ldaps://):

#ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f /root/base.ldif

Every entry should be reported as "adding new entry".


Step 10: Add users to the directory. Now it is time to add users to the ldap database. To do that we only need to create a .ldif file describing the user and load it with ldapadd. Create it manually or download the users file:

http://www.4shared.com/file/tYZhCL47/users.html


# vim /root/users.ldif

dn: uid=vishvendra,ou=People,dc=example,dc=com
uid: vishvendra
cn: vishvendra Chauhan
givenName: vishvendra Singh Chauhan
sn: 1
mail: vishvendra.singh.chauhan@example.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {SSHA}2RxVB3Cb+JZxqLDD4EucbGKEew9bhXNB
shadowLastChange: 12797
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 911
gidNumber: 911
homeDirectory: /home/vishvendra
gecos: Vishvendra's user

#ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f /root/users.ldif

The userPassword value is an {SSHA} hash made with slappasswd, exactly like the Manager password; generate a fresh one for every user instead of copying the one above. gidNumber 911 refers to a posixGroup that this file does not create, so the user's group shows up as a bare number on clients until a matching entry is added under ou=Group.

Now list the users to check the import.
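Both the Manager password in Step 2 and the userPassword values in users.ldif are {SSHA} hashes, and writing users.ldif by hand invites exactly the mistake warned about above (a copied hash, a clear-text password, a colliding uidNumber). The following is an added example, not part of the original post: a Python 3 (standard library) script that produces slappasswd-compatible {SSHA} values, verifies a password against one the way slapd does on a simple bind, and renders user entries with the same objectClass mix as the post's users.ldif. The sample user mirrors the one above; its password "mypasswd" and the default base DN dc=example,dc=com are placeholders, and the UID_MIN check assumes RHEL 6's value of 500.

```python
"""slappasswd-compatible {SSHA} hashes and users.ldif entries (added example).

{SSHA} = "{SSHA}" + base64( SHA1(password || salt) || salt ), 4-byte random salt.
"""
import base64
import hashlib
import hmac
import os
import time

SSHA_PREFIX = "{SSHA}"


def ssha_hash(password, salt=None):
    """Return an {SSHA} value for password; a fixed salt is only for tests."""
    if salt is None:
        salt = os.urandom(4)          # same salt length slappasswd uses
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_salt(stored):
    """Salt recovered from a stored value (slapd does this on every bind)."""
    if not stored.startswith(SSHA_PREFIX):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len(SSHA_PREFIX):])
    if len(raw) <= 20:
        raise ValueError("truncated {SSHA} value")
    return raw[20:]


def ssha_verify(stored, password):
    """True if password matches stored; constant-time digest comparison."""
    salt = ssha_salt(stored)
    digest = base64.b64decode(stored[len(SSHA_PREFIX):])[:20]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def user_entry(uid, cn, sn, mail, uid_number, gid_number, password,
               base_dn="dc=example,dc=com", given_name=None,
               shell="/bin/bash", gecos=None):
    """Render one user with the objectClasses the post's users.ldif uses."""
    if uid_number < 500:          # UID_MIN on RHEL 6 (assumed); lower ids shadow system accounts
        raise ValueError("uidNumber %d is below UID_MIN 500" % uid_number)
    if any("\n" in v for v in (uid, cn, sn, mail, shell)):
        raise ValueError("attribute values must be single-line")
    lines = [
        "dn: uid=%s,ou=People,%s" % (uid, base_dn),
        "uid: " + uid,
        "cn: " + cn,
        "givenName: " + (given_name or cn.split(" ")[0]),
        "sn: " + sn,
        "mail: " + mail,
        "objectClass: person",
        "objectClass: organizationalPerson",
        "objectClass: inetOrgPerson",
        "objectClass: posixAccount",
        "objectClass: top",
        "objectClass: shadowAccount",
        "userPassword: " + ssha_hash(password),      # never the clear-text password
        "shadowLastChange: %d" % (int(time.time()) // 86400),   # days since the epoch
        "shadowMax: 99999",
        "shadowWarning: 7",
        "loginShell: " + shell,
        "uidNumber: %d" % uid_number,
        "gidNumber: %d" % gid_number,
        "homeDirectory: /home/" + uid,
        "gecos: " + (gecos or cn),
    ]
    return "\n".join(lines) + "\n"


def users_ldif(users, base_dn="dc=example,dc=com"):
    """Join several entries with the blank line LDIF requires between them."""
    return "\n".join(user_entry(base_dn=base_dn, **u) for u in users)


# Constructed sample mirroring the post's user; the password is a placeholder.
SAMPLE_USERS = [
    dict(uid="vishvendra", cn="vishvendra Chauhan", sn="Chauhan",
         mail="vishvendra.singh.chauhan@example.com",
         uid_number=911, gid_number=911, password="mypasswd"),
]

if __name__ == "__main__":
    print(users_ldif(SAMPLE_USERS), end="")
```

Redirect the output to /root/users.ldif and load it with the ldapadd command above; ssha_verify is what you use to prove, offline, that a value you are about to put into the directory really corresponds to the password you think it does.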



Step 11: Testing the ldap server. We check that the user vishvendra exists. The entry's cn is "vishvendra Chauhan", so we search on uid, which is an exact match:

#ldapsearch -x -b "dc=example,dc=com" "(uid=vishvendra)"

The result should be the entry we just added. Note that it comes back to an anonymous search complete with the userPassword hash: the stock configuration sets no access rule protecting that attribute, and slapd's default policy is read access for everyone. Before exposing the server beyond a test network, add an olcAccess rule so that only the user can write userPassword and others can only use it to authenticate.



LDAP Client Configuration



There are only a few steps to connect a client to the LDAP server.


First of all we need to install the required packages on the client side.

Step one:


#yum install openldap-clients


Step two:
Run one of the authentication configuration tools:


#authconfig-gtk or authconfig-tui or system-config-authentication

Enable LDAP for user information and for authentication, enter the server as node5.example.com (the hostname, not the IP address: it has to match the certificate's Common Name), the base DN dc=example,dc=com, and tick the option to use TLS. Because the server certificate is self-signed, the client has to trust that exact certificate: the tool asks for a URL to download it from, so publish /etc/pki/tls/certs/example.pem from the server (or copy it over by hand); it is stored under /etc/openldap/cacerts/. Without it the client cannot verify who it is talking to.


Now you should be able to find the users in the directory:


#ldapsearch -x -ZZ

-ZZ requires STARTTLS on the ldap:// port and aborts if TLS cannot be negotiated, so a successful listing proves the query did not fall back to clear text. It uses the BASE, URI and CA settings authconfig wrote to /etc/openldap/ldap.conf. If you gave ldaps://node5.example.com as the server instead (port 636, enabled with SLAPD_LDAPS in Step 6), test with -H ldaps://node5.example.com rather than -ZZ.
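Whether the client ends up verifying the server or merely encrypting to whoever answers is decided by a handful of lines in /etc/openldap/ldap.conf. The following is an added example, not from the original post: a Python 3 (standard library) lint that parses that file and flags the weak settings next to the hardened ones. Both sample configurations are constructed for the example; the hardened one assumes the server certificate was copied to /etc/openldap/cacerts/example.pem and that the server's Common Name is node5.example.com.

```python
"""Lint a client /etc/openldap/ldap.conf against the server built above (added example)."""
from urllib.parse import urlparse

# Constructed sample: IP address in the URI, no CA, verification switched off.
WEAK_LDAP_CONF = """\
# /etc/openldap/ldap.conf (weak)
URI ldap://192.168.0.100
BASE dc=example,dc=com
TLS_REQCERT never
"""

# Constructed sample matching the server: hostname, its certificate as CA, demand.
HARDENED_LDAP_CONF = """\
# /etc/openldap/ldap.conf (hardened)
URI ldaps://node5.example.com
BASE dc=example,dc=com
TLS_CACERT /etc/openldap/cacerts/example.pem
TLS_REQCERT demand
"""


def parse_ldap_conf(text):
    """ldap.conf: first word is the option (case-insensitive), the rest its value."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def _looks_like_ip(host):
    return bool(host) and all(c.isdigit() or c == "." for c in host)


def lint_ldap_conf(text, server_host="node5.example.com"):
    """Return findings; an empty list means the client will verify the server."""
    conf = parse_ldap_conf(text)
    findings = []
    uris = conf.get("URI", "").split()
    if not uris:
        findings.append("URI not set: ldapsearch -x -ZZ has no server to talk to")
    for uri in uris:
        u = urlparse(uri)
        if u.scheme == "ldap":
            # ldap.conf cannot force STARTTLS; only -ZZ or the nslcd/sssd
            # settings do, so plain ldap:// can silently fall back to clear text.
            findings.append("%s: plain ldap:// relies on every caller passing -ZZ; prefer ldaps://" % uri)
        elif u.scheme != "ldaps":
            findings.append("%s: unexpected scheme" % uri)
        if _looks_like_ip(u.hostname):
            findings.append("%s: an IP address never matches the certificate CN %s" % (uri, server_host))
        elif u.hostname != server_host:
            findings.append("%s: host does not match the certificate CN %s" % (uri, server_host))
    if "TLS_CACERT" not in conf and "TLS_CACERTDIR" not in conf:
        findings.append("no TLS_CACERT/TLS_CACERTDIR: the self-signed server certificate cannot be verified")
    reqcert = conf.get("TLS_REQCERT", "demand").lower()   # libldap's default is demand
    if reqcert not in ("demand", "hard"):
        findings.append("TLS_REQCERT %s accepts an unverified server certificate; use demand" % reqcert)
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_LDAP_CONF), ("hardened", HARDENED_LDAP_CONF)):
        print("%s: %s" % (label, lint_ldap_conf(text) or "ok"))
```

On a client run lint_ldap_conf(open("/etc/openldap/ldap.conf").read()) after authconfig has written the file. The non-interactive equivalent of the dialog above is authconfig --enableldap --enableldapauth --ldapserver=node5.example.com --ldapbasedn=dc=example,dc=com --enableldaptls --ldaploadcacert=<URL of example.pem> --update, where the URL is wherever you chose to publish the server certificate.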


LDAP user migration and connecting other directory services will be covered in a later post.

****************************************All The Best**************************************************







