Step-by-step OpenLDAP Installation and Configuration on server

This tutorial describes how to install and configure an OpenLDAP server and also an OpenLDAP client.

Step by Step Installation and Configuration OpenLDAP Server

openldap 2.2.13-6.4E

System name:   ldap.xyz.com

Domain name:   xyz.com

System IP:     192.168.0.22

Note: Use your domain name and IP instead of xyz.

Easy steps for adding users:

    1. Create unix user

    2. Create unix user’s ldap passwd file

    3. Convert passwd.file to ldif file

    4. Add ldap file to LDAP Directory using ldapadd

Step #1. Requirements

    compat-openldap.i386 0:2.1.30-6.4E

    openldap-clients.i386 0:2.2.13-6.4E

    openldap-devel.i386 0:2.2.13-6.4E

    openldap-servers.i386 0:2.2.13-6.4E

    openldap-servers-sql.i386 0:2.2.13-6.4E

You can install them using the command:

yum install *openldap* -y

Step #2. Start the service

[root@ldap ~]# chkconfig –levels 235 ldap on

[root@ldap ~]# service ldap start

Step #3. Create LDAP root user password

[root@ldap ~]# slappasswd

    New password:

    Re-enter new password:

    {SSHA}cWB1VzxDXZLf6F4pwvyNvApBQ8G/DltW

[root@ldap ~]#

Step #4. Update /etc/openldap/slapd.conf for the root password

[root@ldap ~]# vi /etc/openldap/slapd.conf

    #68 database        bdb

    #69 suffix          “dc=xyz,dc=com”

    #70 rootdn          “cn=Manager,dc=xyz,dc=com”

    #71 rootpw          {SSHA}cWB1VzxDXZLf6F4pwvyNvApBQ8G/DltW

Step #5. Apply Changes

[root@ldap ~]# service ldap restart

Step #6. Create test users

[root@ldap ~]# useradd test1

[root@ldap ~]# passwd test1

    Changing password for user test1.

    New UNIX password:

    Retype new UNIX password:

    passwd: all authentication tokens updated successfully.

[root@ldap ~]# useradd test2

[root@ldap ~]# passwd test2

    Changing password for user test2.

    New UNIX password:

    Retype new UNIX password:

    passwd: all authentication tokens updated successfully.

[root@ldap ~]#

Note: Repeat the same for the rest of users

Step #7. Migrate local users to LDAP

[root@ldap ~]# grep root /etc/passwd > /etc/openldap/passwd.root

[root@ldap ~]# grep test1 /etc/passwd > /etc/openldap/passwd.test1

[root@ldap ~]# grep test2 /etc/passwd > /etc/openldap/passwd.test2

 Note: Repeat the same for the rest of users

Step #8. Update default settings on file /usr/share/openldap/migration/migrate_common.ph

    #71 $DEFAULT_MAIL_DOMAIN = “xyz.com”;

    #74 $DEFAULT_BASE = “dc=xyz,dc=com”;

Step #9. Convert passwd.file to ldif (LDAP Data Interchange Format) file

[root@ldap ~]# /usr/share/openldap/migration/migrate_passwd.pl /etc/openldap/passwd.root /etc/openldap/root.ldif

[root@ldap ~]# /usr/share/openldap/migration/migrate_passwd.pl /etc/openldap/passwd.test1 /etc/openldap/test1.ldif

[root@ldap ~]# /usr/share/openldap/migration/migrate_passwd.pl /etc/openldap/passwd.test2 /etc/openldap/test2.ldif

Note: Repeat the same for the rest of users

Step #10. Update root.ldif file for the “Manager” of LDAP Server

[root@ldap ~]# vi /etc/openldap/root.ldif

    #1 dn: uid=root,ou=People,dc=xyz,dc=com

    #2 uid: root

    #3 cn: Manager

    #4 objectClass: account

Step #11. Create a domain ldif file (/etc/openldap/xyz.com.ldif)

[root@ldap ~]# cat /etc/openldap/xyz.com.ldif

    dn: dc=xyz,dc=com

    dc: xyz

    description: LDAP Admin

    objectClass: dcObject

    objectClass: organizationalUnit

    ou: rootobject

    dn: ou=People, dc=xyz,dc=com

    ou: People

    description: Users of xyz

    objectClass: organizationalUnit

Step #12. Import all users in to the LDAP

Add the Domain ldif file

[root@ldap ~]# ldapadd -x -D “cn=Manager,dc=xyz,dc=com” -W -f  /etc/openldap/xyz.com.ldif

    Enter LDAP Password:

    adding new entry “dc=xyz,dc=com”

    adding new entry “ou=People, dc=xyz,dc=com”

[root@ldap ~]#

Add the users:

[root@ldap ~]# ldapadd -x -D “cn=Manager,dc=xyz,dc=com” -W -f  /etc/openldap/root.ldif

    Enter LDAP Password:

    adding new entry “uid=root,ou=People,dc=xyz,dc=com”

    adding new entry “uid=operator,ou=People,dc=xyz,dc=com”

[root@ldap ~]#

[root@ldap ~]# ldapadd -x -D “cn=Manager,dc=xyz,dc=com” -W -f  /etc/openldap/test1.ldif

    Enter LDAP Password:

    adding new entry “uid=test1,ou=People,dc=xyz,dc=com”

[root@ldap ~]#

[root@ldap ~]# ldapadd -x -D “cn=Manager,dc=xyz,dc=com” -W -f  /etc/openldap/test2.ldif

    Enter LDAP Password:

    adding new entry “uid=test2,ou=People,dc=xyz,dc=com”

 [root@ldap ~]#

 Note: Repeat the same for the rest of users

Step #13. Apply Changes

[root@ldap ~]# service ldap restart

Step #14. Test LDAP Server

It prints all the user information:

[root@ldap ~]# ldapsearch -x -b ‘dc=xyz,dc=com’ ‘(objectclass=*)’

LDAP-based Authentication in RHEL

As we will see, there are several other possible application scenarios, but in this guide we will focus entirely on LDAP-based authentication. In addition, please keep in mind that due to the vastness of the subject, we will only cover its basics here, but you can refer to the documentation outlined in the summary for more in-depth details.

For the same reason, you will note that I have decided to leave out several references to man pages of LDAP tools for the sake of brevity, but the corresponding explanations are at a fingertip’s distance (man ldapadd, for example).

That said, let’s get started.

Our Testing Environment

Our test environment consists of two RHEL 7 boxes:

Server: 192.168.0.18. FQDN: rhel7.mydomain.com
Client: 192.168.0.20. FQDN: ldapclient.mydomain.com

If you want, you can use the machine installed in Part 12: Automate RHEL 7 installations using Kickstart as client.

What is LDAP?

LDAP stands for Lightweight Directory Access Protocol and consists in a set of protocols that allows a client to access, over a network, centrally stored information (such as a directory of login shells, absolute paths to home directories, and other typical system user information, for example) that should be accessible from different places or available to a large number of end users (another example would be a directory of home addresses and phone numbers of all employees in a company).

Keeping such (and more) information centrally means it can be more easily maintained and accessed by everyone who has been granted permissions to use it.

The following diagram offers a simplified diagram of LDAP, and is described below in greater detail:

LDAP Diagram

Explanation of above diagram in detail.

1. An entry in a LDAP directory represents a single unit or information and is uniquely identified by what is called a Distinguished Name.
2. An attribute is a piece of information associated with an entry (for example, addresses, available contact phone numbers, and email addresses).
3. Each attribute is assigned one or more values consisting in a space-separated list. A value that is unique per entry is called a Relative Distinguished Name.

That being said, let’s proceed with the server and client installations.

Installing and Configuring a LDAP Server and Client

In RHEL 7, LDAP is implemented by OpenLDAP. To install the server and client, use the following commands, respectively:

# yum update && yum install openldap openldap-clients openldap-servers
# yum update && yum install openldap openldap-clients nss-pam-ldapd

Once the installation is complete, there are some things we look at. The following steps should be performed on the server alone, unless explicitly noted:

1. Make sure SELinux does not get in the way by enabling the following booleans persistently, both on the server and the client:

# setsebool -P allow_ypbind=0 authlogin_nsswitch_use_ldap=0

Where allow_ypbind is required for LDAP-based authentication, and authlogin_nsswitch_use_ldap may be needed by some applications.

2. Enable and start the service:

# systemctl enable slapd.service
# systemctl start slapd.service

Keep in mind that you can also disable, restart, or stop the service with systemctl as well:

# systemctl disable slapd.service
# systemctl restart slapd.service
# systemctl stop slapd.service

3. Since the slapd service runs as the ldap user (which you can verify with ps -e -o pid,uname,comm | grep slapd), such user should own the /var/lib/ldap directory in order for the server to be able to modify entries created by administrative tools that can only be run as root (more on this in a minute).

Before changing the ownership of this directory recursively, copy the sample database configuration file for slapd into it:

# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
# chown -R ldap:ldap /var/lib/ldap

4. Set up an OpenLDAP administrative user and assign a password:

# slappasswd

as shown in the next image:

Set LDAP Admin Password

and create an LDIF file (ldaprootpasswd.ldif) with the following contents:

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}PASSWORD

where:

1. PASSWORD is the hashed string obtained earlier.
2. cn=config indicates global config options.
3. olcDatabase indicates a specific database instance name and can be typically found inside /etc/openldap/slapd.d/cn=config.

Referring to the theoretical background provided earlier, the ldaprootpasswd.ldif file will add an entry to the LDAP directory. In that entry, each line represents an attribute: value pair (where dn, changetype, add, and olcRootPW are the attributes and the strings to the right of each colon are their corresponding values).

You may want to keep this in mind as we proceed further, and please note that we are using the same Common Names (cn=) throughout the rest of this article, where each step depends on the previous one.

5. Now, add the corresponding LDAP entry by specifying the URI referring to the ldap server, where only the protocol/host/port fields are allowed.

# ldapadd -H ldapi:/// -f ldaprootpasswd.ldif 

The output should be similar to:

LDAP Configuration

and import some basic LDAP definitions from the /etc/openldap/schema directory:

# for def in cosine.ldif nis.ldif inetorgperson.ldif; do ldapadd -H ldapi:/// -f /etc/openldap/schema/$def; done

LDAP Definitions

6. Have LDAP use your domain in its database.

Create another LDIF file, which we will call ldapdomain.ldif, with the following contents, replacing your domain (in the Domain Component dc=) and password as appropriate:

dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
  read by dn.base="cn=Manager,dc=mydomain,dc=com" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=mydomain,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=mydomain,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}PASSWORD

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by
  dn="cn=Manager,dc=mydomain,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=mydomain,dc=com" write by * read

Then load it as follows:

# ldapmodify -H ldapi:/// -f ldapdomain.ldif

LDAP Domain Configuration

7. Now it’s time to add some entries to our LDAP directory. Attributes and values are separated by a colon (:)in the following file, which we’ll name baseldapdomain.ldif:

dn: dc=mydomain,dc=com
objectClass: top
objectClass: dcObject
objectclass: organization
o: mydomain com
dc: mydomain

dn: cn=Manager,dc=mydomain,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=People,dc=mydomain,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=mydomain,dc=com
objectClass: organizationalUnit
ou: Group

Add the entries to the LDAP directory:

# ldapadd -x -D cn=Manager,dc=mydomain,dc=com -W -f baseldapdomain.ldif

Add LDAP Domain Attributes and Values

8. Create a LDAP user called ldapuser (adduser ldapuser), then create the definitions for a LDAP group in ldapgroup.ldif.

# adduser ldapuser
# vi ldapgroup.ldif

Add following content.

dn: cn=Manager,ou=Group,dc=mydomain,dc=com
objectClass: top
objectClass: posixGroup
gidNumber: 1004

where gidNumber is the GID in /etc/group for ldapuser) and load it:

# ldapadd -x -W -D "cn=Manager,dc=mydomain,dc=com" -f ldapgroup.ldif

9. Add a LDIF file with the definitions for user ldapuser (ldapuser.ldif):

dn: uid=ldapuser,ou=People,dc=mydomain,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: ldapuser
uid: ldapuser
uidNumber: 1004
gidNumber: 1004
homeDirectory: /home/ldapuser
userPassword: {SSHA}fiN0YqzbDuDI0Fpqq9UudWmjZQY28S3M
loginShell: /bin/bash
gecos: ldapuser
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0

and load it:

# ldapadd -x -D cn=Manager,dc=mydomain,dc=com -W -f ldapuser.ldif

LDAP User Configuration

Likewise, you can delete the user entry you just created:

# ldapdelete -x -W -D cn=Manager,dc=mydomain,dc=com "uid=ldapuser,ou=People,dc=mydomain,dc=com"

10. Allow communication through the firewall:

# firewall-cmd --add-service=ldap

11. Last, but not least, enable the client to authenticate using LDAP.

To help us in this final step, we will use the authconfig utility (an interface for configuring system authentication resources).

Using the following command, the home directory for the requested user is created if it doesn’t exist after the authentication against the LDAP server succeeds:

# authconfig --enableldap --enableldapauth --ldapserver=rhel7.mydomain.com --ldapbasedn="dc=mydomain,dc=com" --enablemkhomedir --update

LDAP Client Configuration

Feel free to leave any questions you may have using the comment form below.

How To Open A Port In CentOS 7 With Firewalld

Open Specific Port
Opening a port in firewalld is fairly straightforward, in the below example we allow traffic in from any source IP address to TCP port 100. First we modify the persistent configuration, then we reload firewall-cmd to load this change into the running configuration.

[root@centos7 ~]# firewall-cmd --permanent --add-port=100/tcp
success
[root@centos7 ~]# firewall-cmd --reload
success

If the --permanent flag is not specified, this will only change the running configuration but will not be saved.

We can check the ports that are opened in the current default zone with ‘--list-ports’.

[root@centos7 ~]# firewall-cmd --list-ports
100/tcp

As expected we see that TCP port 100 is open.

Should we wish to remove a port, we can use ‘--remove-port=’ instead.

We can also open a range of ports in the same way.

[root@centos7 ~]# firewall-cmd --permanent --add-port=200-300/tcp
success

Open Predefined Service

Rather than manually specifying a port number to allow through the firewall, we can make use of a bunch of predefined services which may be easier. For example instead of opening TCP port 80, we can use the ‘http’ service.

[root@centos7 ~]# firewall-cmd --permanent --add-service=http
success
[root@centos7 ~]# firewall-cmd --reload
success

Now if we list the services that are accepted through the firewall, we will see http listed along with ssh and dhcpv6-client, which are allowed through by default.

[root@centos7 ~]# firewall-cmd --list-services
dhcpv6-client http ssh

This is a predefined service and can be found as an XML file in the /usr/lib/firewalld/services/ directory. Here’s what the http service we just used looks like.

[root@centos7 ~]# cat /usr/lib/firewalld/services/http.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>WWW (HTTP)</short>
  <description>HTTP is the protocol used to serve Web pages. If you plan to make your Web server publicly available, enable this option. This option is not required for viewing pages locally or developing Web pages.</description>
  <port protocol="tcp" port="80"/>
</service>

We can create custom services by copying one of these into the /etc/firewalld/services/ directory and then customizing it. The services in the /usr/lib/firewalld/services/ directory should NOT be modified, changes should be copied into /etc/firewalld/services/ followed by a reload of firewall-cmd to pick up the changes.

Linux two Face ssh authentication with centralized Database server

Create Databases :- 

1. mysql -uroot -p
2. create database Login;
3. use Login;
4. create table user (id int(10), Name varchar(25), Password varchar(25));
5. insert into user (id,Name,Password) values (1,'mukesh','mukesh@123');
6. exit

Copy Below script  :-

vim /tmp/Login.sh

#!/bin/bash
mukesh=`/usr/bin/ps ax | grep $$ | grep -v grep | awk '{ print $2 }'`
user=root                 #Databases UserName
password=Voip@90 #Database Password
DB=Login                 #Database Name
host=192.168.2.176 #Set Local or centralized Server Ip
while [ 1=1 ]
do
UserName=$(whiptail --inputbox "please enter your username" 8 78 --title "User Name" 3>&1 1>&2 2>&3)
                                                                        # A trick to swap stdout and stderr.
# Again, you can pack this inside if, but it seems really long for some 80-col terminal users.
exitstatus=$?
if [ $exitstatus = 0 ]; then

                Password=$(whiptail --passwordbox "please enter your Password" 8 78 --title "Password" 3>&1 1>&2 2>&3)
                if [ $exitstatus = 0 ]; then
        {
    for ((i = 0 ; i <= 100 ; i+=5)); do
        sleep 0.1
        echo $i
    done
} | whiptail --gauge "Please wait while we check..." 6 50 0

                IsUserExist=$(echo "SELECT count(*) as '' from user  WHERE Name='$UserName'  AND Password='$Password' limit 1 " | mysql $DB -u $user -p$password )
                        if [ "$IsUserExist" -eq 1 ] ;then
echo "Thanks for Login $UserName" > test_textbox
#                  filename height width
whiptail --textbox test_textbox 12 80
                        break
                        else
                        echo "You have enter wrong Username & Password." > test_textbox
#                  filename height width
whiptail --textbox test_textbox 12 80

                        logout=`/usr/bin/pkill -9 -t $mukesh`
                        continue
                        fi
                else
                logout=`/usr/bin/pkill -9 -t $mukesh`
                fi

else
    echo "User selected Cancel."
logout=`/usr/bin/pkill -9 -t $mukesh`
fi
done

Create custom Centos 7 Kickstart boot CD iso

Scenario: You want to create a custom CentOS 7 / RHEL 7 boot CD with custom kickstart files located on the CD. Furthermore you want to perform some post installation tasks like running some Puppet manifests. In this post I describe the process based on CentOS 7.1.

1) Install a base CentOS 7.1 virtual machine
First you need to install your build environment. It is sufficient to install a “@Base” system.
2) Prepare your build environment
If the installation of your CentOS 7.1 virtual machine is finished you can continue with preparing your build environment.
2.1 Create needed folder structure as root

mkdir -p ~/kickstart_build/isolinux/{images,ks,LiveOS,Packages,postinstall}

The folders will contain the following:

• images: contents of the images directory located on the CentOS DVD
• ks: all your kickstart files which we will create later on
• LiveOS: contents of the LieveOS directory on the CentOS DVD
• Packages: all RPM packages from CentOS 7 DVD plus additional packages. In my case I will also install Puppet agent. Therefore I need some packages from Puppet Labs
• postinstall: everything you want so to do after installation, for example executing custom scripts or in my case Puppet modules.

2.2 Copy needed content
Now you need to copy all needed content from the CentOS DVD to your local folders. Please save the CentOS 7 ISO file in /tmp and mount it somewhere.

mkdir -p /mnt/iso
mount -o loop /tmp/CentOS-7-x86_64-DVD-1503-01.iso /mnt/iso
cp /mnt/iso/.discinfo ~/kickstart_build/isolinux/
cp /mnt/iso/isolinux/* ~/kickstart_build/isolinux/
rsync -av /mnt/iso/images/ ~/kickstart_build/isolinux/images/
cp /mnt/iso/LiveOS/* ~/kickstart_build/isolinux/LiveOS/
ll /mnt/iso/repodata/ | grep -i comps
-rw-r--r--. 1 root root 157580 1. Apr 01:43 0e6e90965f55146ba5025ea450f822d1bb0267d0299ef64dd4365825e6bad995-c7-x86_64-comps.xml.gz
cp /mnt/iso/repodata/0e6e90965f55146ba5025ea450f822d1bb0267d0299ef64dd4365825e6bad995-c7-x86_64-comps.xml.gz ~/kickstart_build/
cd ~/kickstart_build/
gunzip 0e6e90965f55146ba5025ea450f822d1bb0267d0299ef64dd4365825e6bad995-c7-x86_64-comps.xml
mv 0e6e90965f55146ba5025ea450f822d1bb0267d0299ef64dd4365825e6bad995-c7-x86_64-comps.xml comps.xml

2.3 Get additional packages if needed
As I already mentioned I will also install Puppet Opensource client on my machines to install and configure my machines as needed. So I need to implement additional packages on the custom boot ISO to be able to install and run Puppet manifests.

mkdir /tmp/packages
cd /tmp/packages
wget http://mirror.centos.org/centos/7/os/x86_64/Packages/libselinux-ruby-2.2.2-6.el7.x86_64.rpm
wget -e robots=off --mirror --no-parent --no-host-directories --cut-dirs=4 http://yum.puppetlabs.com/el/7/products/x86_64/
wget -e robots=off --mirror --no-parent --no-host-directories --cut-dirs=4 http://yum.puppetlabs.com/el/7/dependencies/x86_64/
rm -Rf index* repodata

2.4 Copy all your packages and create repodata
Now it`s time to bring the CentOS packages and your additional needed packages together. First copy all packages from CentOS 7 ISO to your local folder. Afterwards you can move all additional packages from /tmp/packages to your kickstart packages folder:

rsync -av /mnt/iso/Packages/ ~/kickstart_build/isolinux/Packages/
rsync -av /tmp/packages/ ~/kickstart_build/isolinux/Packages/

Now we need to create the repodata folder in ~/kickstart_build/isolinux/Packages/:

yum install -y createrepo
cd ~/kickstart_build/isolinux
createrepo -g ~/kickstart_build/comps.xml .

3) Prepare Kickstart file
3.1 Create a kickstart
You need to create the kickstart file in ~/kickstart_build/isolinux/ks and name it for example ks.cfg. The content can look like this:

#version=RHEL7
# System authorization information
auth --enableshadow --passalgo=sha512
# Use CDROM installation media
cdrom
# Use text install
install
text
# Run the Setup Agent on first boot
firstboot --disable
#ignoredisk --only-use=sda
# Keyboard layouts
keyboard --vckeymap=de-nodeadkeys --xlayouts='de (nodeadkeys)'
# System language
lang de_DE.UTF-8
# Network information
network --bootproto=static --device=ens3 --noipv6 --activate --ip=192.168.100.2 --netmask=255.255.255.0 --gateway=192.168.100.1 --nameserver=192.168.100.1 --hostname=infrastructure.reimer.local
network --bootproto=static --device=ens9 --noipv6 --activate --ip=10.10.100.2 --netmask=255.255.255.0
# Root password
rootpw --iscrypted "some-crypted-password"
# System timezone
timezone Europe/Berlin --isUtc
# System bootloader configuration
bootloader --append=" crashkernel=auto" --location=mbr --boot-drive=sda
# Partition clearing information
clearpart --all --initlabel
# Disk partitioning information
part /boot --fstype="xfs" --size=512
part pv.219 --fstype="lvmpv" --size 1 --grow
volgroup vg_system --pesize=4096 pv.219
logvol / --fstype="xfs" --size=1 --grow --label="rootlv" --name=rootlv --vgname=vg_system
logvol swap --fstype="swap" --size=2048 --name=swaplv --vgname=vg_system
reboot
%packages
@core
@Base
kexec-tools
git
mc
screen
puppet
tree
%end

You can validate your kickstart file like this:

ksvalidator ~/kickstart_build/isolinux/ks/ks.cfg

To create a crypted root password which you can use within your kickstart file do the following:

python -c 'import crypt; print(crypt.crypt("My Password", "$6$My Salt"))'

This generates a SHA512 crypted password.
3.2 Create kickstart postinstallation section
If you want to perform some postinstallation tasks within your kickstart installation you can add an appropriate section in the kickstart file. In my case I want to perform my Puppet configuration during the kickstart installation.
HINT: Be careful. In this case the first step will be the copy of the Puppet manifests from the ISO from which you boot your machine you want to kickstart. This action takes place in the NON-CHROOTED environment. The second step will be the Puppet run itself. This takes place in the CHROOTED environment.
Add the following at the end of your kickstart file:

# Copy needed Puppet files to /root/postinstall
%post --nochroot
#!/bin/sh
set -x -v
exec 1>/mnt/sysimage/root/kickstart-stage1.log 2>&1
echo "==> copying files from media to install drive..."
cp -r /run/install/repo/postinstall /mnt/sysimage/root
%end
%post
#!/bin/sh
set -x -v
exec 1>/root/kickstart-stage2.log 2>&1
ls -l /root/postinstall
puppet apply -l /root/puppetrun.log /root/postinstall/puppet/manifests/site.pp --modulepath=/root/postinstall/puppet/modules/ $*
%end

4) Time for action: create your custom CentOS 7 ISO file and test it

yum install -y genisoimage
cd ~/kickstart_build/
mkisofs -o centos-7-custom.iso -b isolinux.bin -c boot.cat -no-emul-boot -V 'CentOS 7 x86_64' -boot-load-size 4 -boot-info-table -R -J -v -T isolinux/

Now start a new virtual machine from your custom CentOS 7 ISO file and insert the following option at kernel boot:

linux inst.ks=cdrom:/dev/cdrom:/ks/ks.cfg

Congratulations http://www.frankreimer.de/?p=522 Your kickstart installation should run.