How to install asterisk secure fail2ban

1) rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm

If this is already installed, skip this step.

2) yum install fail2ban

3) if any error occur, clean yum and install fail2ban again by executing these command again.

        yum clean all
    yum install fail2ban
Step 2 : 

Open jail.local file

vi /etc/fail2ban/jail.local

Step 3 :

In this file , under asterisk-iptables heading, it will be shown like this as below

[asterisk-iptables]

enabled  = false
filter   = asterisk
action   = iptables-allports[name=ASTERISK, protocol=all]
           sendmail-whois[name=Asterisk, dest=you@example.com, sender=fail2ban@example.com]
logpath  = /var/log/asterisk/messages
maxretry = 5

or you may have

[asterisk]

enabled  = false
filter   = asterisk
action   = iptables-multiport[name=asterisk-tcp, port="5060,5061", protocol=tcp]
           iptables-multiport[name=asterisk-udp, port="5060,5061", protocol=udp]
           sendmail-whois[name=Asterisk, dest=you@example.com, sender=fail2ban@example.com]
logpath  = /var/log/asterisk/messages
maxretry = 10

Edit this to have parameters with following values ,

[asterisk]

enabled  = true
filter   = asterisk
action   = iptables-allports[name=ASTERISK, protocol=all]
           sendmail-whois[name=Asterisk, dest=you@example.com, sender=fail2ban@example.com]
logpath  = /var/log/asterisk/messages
maxretry = 5

You can check the name of the log file in /etc/asterisk/logger.conf.

Generally , logpath = /var/log/asterisk/messages is for vanilla asterisk, use logpath = /var/log/asterisk/full for freepbx.

Step 4 : 

Now restart fail2ban

sudo service fail2ban restart

Step 5 :

 U can verify if asterisk fail2ban  is successfully started its service by typing this command

iptables -L

It will show like this if fail2ban for asterisk is successfullt installed.

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-ASTERISK  all  --  anywhere             anywhere
fail2ban-SSH  tcp  --  anywhere             anywhere            tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-ASTERISK (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-SSH (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Step 6 :

You can set your fail2ban reg expression.

cd filter.d/
vi asterisk.conf

Please do include following failregex expression in asterisk.conf file.


failregex = ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - (Wrong password|Username/auth name mismatch|No matching peer found|Not a local domain|Device does not match ACL|Peer is not supposed to register|ACL error \(permit/deny\)|Not a local domain)$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Call from '[^']*' \(<HOST>:\d+\) to extension '\d+' rejected because extension not found in context 'default'\.$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST> failed to authenticate as '[^']*'$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s No registration for peer '[^']*' \(from <HOST>\)$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST> failed MD5 authentication for '[^']*' \([^)]+\)$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Failed to authenticate (user|device) [^@]+@<HOST>\S*$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s (?:handle_request_subscribe: )?Sending fake auth rejection for (device|user) \d*<sip:[^@]+@<HOST>>;tag=\w+\S*$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="[\d-]+",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="\d*",SessionID="0x[\da-f]+",LocalAddress="IPV[46]/(UD|TC)P/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UD|TC)P/<HOST>/\d+"(,Challenge="\w+",ReceivedChallenge="\w+")?(,ReceivedHash="[\da-f]+")?(,ACLName="\w+")?$
            ^(%(__prefix_line)s|\[\]\s*WARNING%(__pid_re)s:?(?:\[C-[\da-f]*\])? )Ext\. s: "Rejecting unknown SIP connection from <HOST>"$

INSTALL AND SETUP SSH FAIL2BAN IN LINUX/CENTOS SERVER

1) rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm

If this is already installed, skip this step.

2) yum install fail2ban

3) if any error occur, clean yum and install fail2ban again by executing these command again.

        yum clean all
    yum install fail2ban

4) If fail2ban installation is successfull.

cd /etc/fail2ban/

5) You cannot make any changes to "jail.conf" file. So make a copy of this file as "jail.local"

cp jail.conf jail.local

6) Open this file using any of your editor. I prefer vi editor.

vi jail.local

7) In this file , under ssh-iptables heading, it will be shown like this as below

[ssh-iptables]

enabled  = false
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=root, sender=fail2ban@example.com]
logpath  = /var/log/secure
maxretry = 5

8) Change enabled parameter of ssh-iptables to true.

Set maxretry parameter to any integer. If any user import incorrect ssh key beyond this limit, ip address of that user will be banned for your server. I have given 5 here.

You can also get mail when any ip get banned by setting "dest" and "sender" parameter for "sendmail-whois".

Give the complete path of the login details log file in logpath parameter.

9) Finally, restart fail2ban.

sudo service fail2ban restart

10) U can verify if ssh fail2ban is successfully started its service by typing this command,

iptables -L

It will show like this if fail2ban ssh is successfullt installed.

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-SSH  tcp  --  anywhere             anywhere            tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-SSH (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

11) You can set your ssh fail2ban reg expression.

cd filter.d/
vi sshd.conf

12) Please do include following ssh failregex expression in sshd.conf file.

^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from <HOST>( via \S+)?\s*$
            ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
            ^%(__prefix_line)sFailed \S+ for .*? from <HOST>(?: port \d*)?(?: ssh\d*)?(: (ruser .*|(\S+ ID \S+ \(serial \d+\) CA )?\S+ %(__md5hex)s(, client user ".*", client host ".*")?))?\s*$
            ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
            ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because listed in DenyUsers\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because not in any group\s*$
            ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
            ^%(__prefix_line)sReceived disconnect from <HOST>: 3: \S+: Auth fail$
            ^%(__prefix_line)sReceived disconnect from <HOST>: 11: $
            ^%(__prefix_line)sReceived disconnect from <HOST>: 11: User exit$
            ^%(__prefix_line)sReceived disconnect from <HOST>: 14: No supported authentication methods available$
            ^%(__prefix_line)sReceived disconnect from <HOST>: 14: no authentication methods available$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because a group is listed in DenyGroups\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$
            ^%(__prefix_line)sConnection closed by <HOST>$


13) You can check all ssh  fail2ban failregex with your previous user login log file :

fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/sshd.conf

ldap server linux

1) Setup networking. (Both IP should ping with each other and should be able to ssh each other and selinux should be disabled and firewalld should be disabled)
2) setup hostname of server :- server.mydomain.com (/etc/hostname :- make entry server.mydomain.com)
3) Setup client hostname:- client.mydomain.com
4) /etc/resolv.conf or /etc/hosts :-
ip server.mydomain.com server
ip client.mydomain.com client

******
A) At server End:- 
# yum install openldap* migrationtools -y

B) Configure Ldap password:-
# slappasswd

C) Configure Ldap server file:-

# cd /etc/openldap/slapd.d/cn=config
# vim olcDatabase={2}.hbd.ldif

olcSuffix dc=mydomain,dc=com
oldRootDN cn=Manager dc=mydomain,dc=com

and add following lines below:-

olcRootPW = {SSHA} (password generated by slappasswd command)
olcTLSCertificateFile = /etc/pki/tls/certs/mydomainldap.pem
olcTLSCertificateKeyFile = /etc/pki/tls/certs/mydomainldapkey.pem

D) Provide Monitoring Privileges
# vim olcDatabase={1}Monitor.ldif
change here dc=mydomain,dc=com

E) Verify the Configuration:-
# slaptest -u

F) Start and enable ldap service:-
# service slapd start
# service slapd enable
# netstat -tunlp | grep 389 (389 is ldap port number or we can also grep ldap service)

G) Configure Ldap Database 
# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
# chown -R ldap. /var/lib/ldap/
# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

H) Create Self Signed Certificates:- 
# openssl -new -x509 -nodes -out /etc/pki/tls/certs/mydomailldap.pem -keyout /etc/pki/tls/certs/mydomainldapkey.pem -days 365
# ls -lrth /etc/pki/tls/certs/*.pem (to check certicates)

I) Create Base object:-
# cd /usr/share/migrationtools/
# vim migrate_common.ph
line 71
$DEFAULT_MAIL_DOMAIN="mydomain.com"

line 74
$DEFAULT_BASE = "dc=mydomain,dc=com"

line 90
$EXTENDED_SCHEMA = 1;

J) CREATE BASE LDIF FILE FOR YOUR DOMAIN:-

# vim /root/base.ldif
dn: dc=mydomain,dc=com
objectclass: top
objectclass: object
objectclass: organization
o: mydomain com
dc: mydomain

dn: cn=Manager dc=mydomain,dc=com
objectclass: organizationRole
cn: Manager
description: Directory Manager

dn: ou=People,dc=mydomain,dc=com
objectClass: organizationUnit
ou: People

dn: ou=Group,dc=mydomain,dc=com
ObjectClass: organizationUnit
ou: Group

K) User add and give password
# useradd ldapuser1
# echo "redhat" | passwd --stdin ldapuser1

L) make manually file from /etc/passwd file (TAKE ALL USERS RATHER THAN SYSTEM USERS AND ENTER IN SEPRATE FILE)
grep ":10[0-9][0-9]" /etc/passwd > /root/passwd

M) Import and Migrate local user Database to LDAP Database
# ./migrate_group.pl /root/group /root/group.ldif
# ./migrate_passwd.pl /root/passwd /root/users.ldif

# ldapadd -x -W -D "cn=Manager dc=mydomain,dc=com" -f /root/base.ldif
# ldapadd -x -W -D "cn=Manager dc=mydomain,dc=com" -f /root/users.ldif
# ldapadd -x -W -D "cn=Manager dc=mydomain,dc=com" -f /root/groups.ldif

(note:- It will ask for password for Manager. at time of slappasswd creation which converted to hashed password)

N) Test the configuration:- search created users like we are searching for ldapuser1

# ldapsearch -x cn=ldapuser1 -b dc=mydomain,dc=com
# ldapsearch -x -b 'dc=mydomain,dc=com' '(objectclass=*)'
# service firewalld stop

O) Configure NFS Server for directory sharing:-

# vim /etc/exports
/home *(rw,sync)

# yum install rpcbind nfs-utils
# service nfs start
# service rpcbind start
# service nfs enable
# service rpcbind enable

P) test mounting:-
# showmount -e

Configre Client :-

A) client install
# yum install openldap-clients nss-pam-ldapd
# authconfig-tui (If it is not installed then install authconfig-gtk package)

B) configure server setting at client end:-
# authconfig-tui
1 Put * mark on  USE LDAP:-  [*] USE LDAP
2 Put * mark on "USE LDAP AUTHENTICATION"
3 Select Next and Enter
4 Enter Server Filed:- ldap://server.mydomain.com
5 Enter Base DN Field as "dc=mydomain,dc=com"
6 Select Ok and then Enter

C) Test Client Configuration:- Search for the ldap user by below command, if you are getting response then our ldap client configuration is working fine.

# getent passwd ldapuser1

D) Mount LDAP Users Home Directory on Client machine:-
# vim /etc/fstab
server.mydomain.com:/home /home auto defaults 0 0

# mount -a (to permanently mount and test the mount file if it will give error like no mount format then restart nfs on server side)

# su ldapuser1 (it should login with ldapuser1 on server)

sip unreachable alerts

If sip unreachable then send auto mail

vim /home/UNREACHABLE.sh


#!/bin/bash
COUNTER=0
DATE=`date "+%d.%m.%Y. %H:%M"`
Status=`/usr/sbin/asterisk -rx "sip show peers" |grep UNREACHABLE`
SIP=`/usr/sbin/asterisk -rx "sip show peers" |grep UNREACHABLE |wc -l`

if [ $SIP -gt 1 ]
then
echo -e "$Status" | mail -s "SIP Peer Unreachable `hostname` $DATE" example@mail.com
echo $Status
else
   echo "None of the condition met"
fi


Then set in crontab

crontab -e


* * * * * /bin/sh /home/UNREACHABLE.sh


thanks

Step-by-step OpenLDAP Installation and Configuration on server

This tutorial describes how to install and configure an OpenLDAP server and also an OpenLDAP client.

Step by Step Installation and Configuration OpenLDAP Server

openldap 2.2.13-6.4E

System name:   ldap.xyz.com

Domain name:   xyz.com

System IP:     192.168.0.22

Note: Use your domain name and IP instead of xyz.

Easy steps for adding users:

    1. Create unix user

    2. Create unix user’s ldap passwd file

    3. Convert passwd.file to ldif file

    4. Add ldap file to LDAP Directory using ldapadd

Step #1. Requirements

    compat-openldap.i386 0:2.1.30-6.4E

    openldap-clients.i386 0:2.2.13-6.4E

    openldap-devel.i386 0:2.2.13-6.4E

    openldap-servers.i386 0:2.2.13-6.4E

    openldap-servers-sql.i386 0:2.2.13-6.4E

You can install them using the command:

yum install *openldap* -y

Step #2. Start the service

[root@ldap ~]# chkconfig –levels 235 ldap on

[root@ldap ~]# service ldap start

Step #3. Create LDAP root user password

[root@ldap ~]# slappasswd

    New password:

    Re-enter new password:

    {SSHA}cWB1VzxDXZLf6F4pwvyNvApBQ8G/DltW

[root@ldap ~]#

Step #4. Update /etc/openldap/slapd.conf for the root password

[root@ldap ~]# vi /etc/openldap/slapd.conf

    #68 database        bdb

    #69 suffix          “dc=xyz,dc=com”

    #70 rootdn          “cn=Manager,dc=xyz,dc=com”

    #71 rootpw          {SSHA}cWB1VzxDXZLf6F4pwvyNvApBQ8G/DltW

Step #5. Apply Changes

[root@ldap ~]# service ldap restart

Step #6. Create test users

[root@ldap ~]# useradd test1

[root@ldap ~]# passwd test1

    Changing password for user test1.

    New UNIX password:

    Retype new UNIX password:

    passwd: all authentication tokens updated successfully.

[root@ldap ~]# useradd test2

[root@ldap ~]# passwd test2

    Changing password for user test2.

    New UNIX password:

    Retype new UNIX password:

    passwd: all authentication tokens updated successfully.

[root@ldap ~]#

Note: Repeat the same for the rest of users

Step #7. Migrate local users to LDAP

[root@ldap ~]# grep root /etc/passwd > /etc/openldap/passwd.root

[root@ldap ~]# grep test1 /etc/passwd > /etc/openldap/passwd.test1

[root@ldap ~]# grep test2 /etc/passwd > /etc/openldap/passwd.test2

 Note: Repeat the same for the rest of users

Step #8. Update default settings on file /usr/share/openldap/migration/migrate_common.ph

    #71 $DEFAULT_MAIL_DOMAIN = “xyz.com”;

    #74 $DEFAULT_BASE = “dc=xyz,dc=com”;

Step #9. Convert passwd.file to ldif (LDAP Data Interchange Format) file

[root@ldap ~]# /usr/share/openldap/migration/migrate_passwd.pl /etc/openldap/passwd.root /etc/openldap/root.ldif

[root@ldap ~]# /usr/share/openldap/migration/migrate_passwd.pl /etc/openldap/passwd.test1 /etc/openldap/test1.ldif

[root@ldap ~]# /usr/share/openldap/migration/migrate_passwd.pl /etc/openldap/passwd.test2 /etc/openldap/test2.ldif

Note: Repeat the same for the rest of users

Step #10. Update root.ldif file for the “Manager” of LDAP Server

[root@ldap ~]# vi /etc/openldap/root.ldif

    #1 dn: uid=root,ou=People,dc=xyz,dc=com

    #2 uid: root

    #3 cn: Manager

    #4 objectClass: account

Step #11. Create a domain ldif file (/etc/openldap/xyz.com.ldif)

[root@ldap ~]# cat /etc/openldap/xyz.com.ldif

    dn: dc=xyz,dc=com

    dc: xyz

    description: LDAP Admin

    objectClass: dcObject

    objectClass: organizationalUnit

    ou: rootobject

    dn: ou=People, dc=xyz,dc=com

    ou: People

    description: Users of xyz

    objectClass: organizationalUnit

Step #12. Import all users in to the LDAP

Add the Domain ldif file

[root@ldap ~]# ldapadd -x -D “cn=Manager,dc=xyz,dc=com” -W -f  /etc/openldap/xyz.com.ldif

    Enter LDAP Password:

    adding new entry “dc=xyz,dc=com”

    adding new entry “ou=People, dc=xyz,dc=com”

[root@ldap ~]#

Add the users:

[root@ldap ~]# ldapadd -x -D “cn=Manager,dc=xyz,dc=com” -W -f  /etc/openldap/root.ldif

    Enter LDAP Password:

    adding new entry “uid=root,ou=People,dc=xyz,dc=com”

    adding new entry “uid=operator,ou=People,dc=xyz,dc=com”

[root@ldap ~]#

[root@ldap ~]# ldapadd -x -D “cn=Manager,dc=xyz,dc=com” -W -f  /etc/openldap/test1.ldif

    Enter LDAP Password:

    adding new entry “uid=test1,ou=People,dc=xyz,dc=com”

[root@ldap ~]#

[root@ldap ~]# ldapadd -x -D “cn=Manager,dc=xyz,dc=com” -W -f  /etc/openldap/test2.ldif

    Enter LDAP Password:

    adding new entry “uid=test2,ou=People,dc=xyz,dc=com”

 [root@ldap ~]#

 Note: Repeat the same for the rest of users

Step #13. Apply Changes

[root@ldap ~]# service ldap restart

Step #14. Test LDAP Server

It prints all the user information:

[root@ldap ~]# ldapsearch -x -b ‘dc=xyz,dc=com’ ‘(objectclass=*)’

LDAP-based Authentication in RHEL

As we will see, there are several other possible application scenarios, but in this guide we will focus entirely on LDAP-based authentication. In addition, please keep in mind that due to the vastness of the subject, we will only cover its basics here, but you can refer to the documentation outlined in the summary for more in-depth details.

For the same reason, you will note that I have decided to leave out several references to man pages of LDAP tools for the sake of brevity, but the corresponding explanations are at a fingertip’s distance (man ldapadd, for example).

That said, let’s get started.

Our Testing Environment

Our test environment consists of two RHEL 7 boxes:

Server: 192.168.0.18. FQDN: rhel7.mydomain.com
Client: 192.168.0.20. FQDN: ldapclient.mydomain.com

If you want, you can use the machine installed in Part 12: Automate RHEL 7 installations using Kickstart as client.

What is LDAP?

LDAP stands for Lightweight Directory Access Protocol and consists in a set of protocols that allows a client to access, over a network, centrally stored information (such as a directory of login shells, absolute paths to home directories, and other typical system user information, for example) that should be accessible from different places or available to a large number of end users (another example would be a directory of home addresses and phone numbers of all employees in a company).

Keeping such (and more) information centrally means it can be more easily maintained and accessed by everyone who has been granted permissions to use it.

The following diagram offers a simplified diagram of LDAP, and is described below in greater detail:

LDAP Diagram

Explanation of above diagram in detail.

1. An entry in a LDAP directory represents a single unit or information and is uniquely identified by what is called a Distinguished Name.
2. An attribute is a piece of information associated with an entry (for example, addresses, available contact phone numbers, and email addresses).
3. Each attribute is assigned one or more values consisting in a space-separated list. A value that is unique per entry is called a Relative Distinguished Name.

That being said, let’s proceed with the server and client installations.

Installing and Configuring a LDAP Server and Client

In RHEL 7, LDAP is implemented by OpenLDAP. To install the server and client, use the following commands, respectively:

# yum update && yum install openldap openldap-clients openldap-servers
# yum update && yum install openldap openldap-clients nss-pam-ldapd

Once the installation is complete, there are some things we look at. The following steps should be performed on the server alone, unless explicitly noted:

1. Make sure SELinux does not get in the way by enabling the following booleans persistently, both on the server and the client:

# setsebool -P allow_ypbind=0 authlogin_nsswitch_use_ldap=0

Where allow_ypbind is required for LDAP-based authentication, and authlogin_nsswitch_use_ldap may be needed by some applications.

2. Enable and start the service:

# systemctl enable slapd.service
# systemctl start slapd.service

Keep in mind that you can also disable, restart, or stop the service with systemctl as well:

# systemctl disable slapd.service
# systemctl restart slapd.service
# systemctl stop slapd.service

3. Since the slapd service runs as the ldap user (which you can verify with ps -e -o pid,uname,comm | grep slapd), such user should own the /var/lib/ldap directory in order for the server to be able to modify entries created by administrative tools that can only be run as root (more on this in a minute).

Before changing the ownership of this directory recursively, copy the sample database configuration file for slapd into it:

# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
# chown -R ldap:ldap /var/lib/ldap

4. Set up an OpenLDAP administrative user and assign a password:

# slappasswd

as shown in the next image:

Set LDAP Admin Password

and create an LDIF file (ldaprootpasswd.ldif) with the following contents:

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}PASSWORD

where:

1. PASSWORD is the hashed string obtained earlier.
2. cn=config indicates global config options.
3. olcDatabase indicates a specific database instance name and can be typically found inside /etc/openldap/slapd.d/cn=config.

Referring to the theoretical background provided earlier, the ldaprootpasswd.ldif file will add an entry to the LDAP directory. In that entry, each line represents an attribute: value pair (where dn, changetype, add, and olcRootPW are the attributes and the strings to the right of each colon are their corresponding values).

You may want to keep this in mind as we proceed further, and please note that we are using the same Common Names (cn=) throughout the rest of this article, where each step depends on the previous one.

5. Now, add the corresponding LDAP entry by specifying the URI referring to the ldap server, where only the protocol/host/port fields are allowed.

# ldapadd -H ldapi:/// -f ldaprootpasswd.ldif 

The output should be similar to:

LDAP Configuration

and import some basic LDAP definitions from the /etc/openldap/schema directory:

# for def in cosine.ldif nis.ldif inetorgperson.ldif; do ldapadd -H ldapi:/// -f /etc/openldap/schema/$def; done

LDAP Definitions

6. Have LDAP use your domain in its database.

Create another LDIF file, which we will call ldapdomain.ldif, with the following contents, replacing your domain (in the Domain Component dc=) and password as appropriate:

dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
  read by dn.base="cn=Manager,dc=mydomain,dc=com" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=mydomain,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=mydomain,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}PASSWORD

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by
  dn="cn=Manager,dc=mydomain,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=mydomain,dc=com" write by * read

Then load it as follows:

# ldapmodify -H ldapi:/// -f ldapdomain.ldif

LDAP Domain Configuration

7. Now it’s time to add some entries to our LDAP directory. Attributes and values are separated by a colon (:)in the following file, which we’ll name baseldapdomain.ldif:

dn: dc=mydomain,dc=com
objectClass: top
objectClass: dcObject
objectclass: organization
o: mydomain com
dc: mydomain

dn: cn=Manager,dc=mydomain,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=People,dc=mydomain,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=mydomain,dc=com
objectClass: organizationalUnit
ou: Group

Add the entries to the LDAP directory:

# ldapadd -x -D cn=Manager,dc=mydomain,dc=com -W -f baseldapdomain.ldif

Add LDAP Domain Attributes and Values

8. Create a LDAP user called ldapuser (adduser ldapuser), then create the definitions for a LDAP group in ldapgroup.ldif.

# adduser ldapuser
# vi ldapgroup.ldif

Add following content.

dn: cn=Manager,ou=Group,dc=mydomain,dc=com
objectClass: top
objectClass: posixGroup
gidNumber: 1004

where gidNumber is the GID in /etc/group for ldapuser) and load it:

# ldapadd -x -W -D "cn=Manager,dc=mydomain,dc=com" -f ldapgroup.ldif

9. Add a LDIF file with the definitions for user ldapuser (ldapuser.ldif):

dn: uid=ldapuser,ou=People,dc=mydomain,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: ldapuser
uid: ldapuser
uidNumber: 1004
gidNumber: 1004
homeDirectory: /home/ldapuser
userPassword: {SSHA}fiN0YqzbDuDI0Fpqq9UudWmjZQY28S3M
loginShell: /bin/bash
gecos: ldapuser
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0

and load it:

# ldapadd -x -D cn=Manager,dc=mydomain,dc=com -W -f ldapuser.ldif

LDAP User Configuration

Likewise, you can delete the user entry you just created:

# ldapdelete -x -W -D cn=Manager,dc=mydomain,dc=com "uid=ldapuser,ou=People,dc=mydomain,dc=com"

10. Allow communication through the firewall:

# firewall-cmd --add-service=ldap

11. Last, but not least, enable the client to authenticate using LDAP.

To help us in this final step, we will use the authconfig utility (an interface for configuring system authentication resources).

Using the following command, the home directory for the requested user is created if it doesn’t exist after the authentication against the LDAP server succeeds:

# authconfig --enableldap --enableldapauth --ldapserver=rhel7.mydomain.com --ldapbasedn="dc=mydomain,dc=com" --enablemkhomedir --update

LDAP Client Configuration

Feel free to leave any questions you may have using the comment form below.