Sunday, January 20, 2019

ldap server linux

1) Set up networking. Both machines must be able to ping and ssh each other. This lab disables SELinux and firewalld on both hosts; on a real server keep them enabled and open the LDAP ports (389/tcp, and 636/tcp for ldaps) and the NFS ports in firewalld instead.
2) Set the server hostname (make the entry in /etc/hostname).
3) Set the client hostname the same way.
4) Put both hosts in /etc/hosts on each machine (not /etc/resolv.conf, which only lists DNS servers), one "ip hostname" line each:
ip server
ip client

A) At the server end:-
# yum install openldap* migrationtools -y
(openldap* pulls in openldap, openldap-servers and openldap-clients)

B) Generate the LDAP Manager password hash:-
# slappasswd
(enter the password twice and copy the {SSHA}... line it prints; the hash goes into olcRootPW below, the clear-text password is what ldapadd -W asks for later)

C) Configure the LDAP server database file:-

# cd /etc/openldap/slapd.d/cn=config
# vim olcDatabase={2}hdb.ldif

Change these two attributes (LDIF syntax is "attribute: value"; the RootDN components are separated by commas):

olcSuffix: dc=mydomain,dc=com
olcRootDN: cn=Manager,dc=mydomain,dc=com

and add the following line below them:

olcRootPW: {SSHA}xxxxxxxx (the hash printed by slappasswd)

The two TLS attributes are defined as global options on the cn=config entry (see slapd-config(5)), so they go in /etc/openldap/slapd.d/cn=config.ldif rather than in the database file:

olcTLSCertificateFile: /etc/pki/tls/certs/mydomainldap.pem
olcTLSCertificateKeyFile: /etc/pki/tls/certs/mydomainldapkey.pem

(Hand-editing the files under slapd.d invalidates the CRC32 comment slapd keeps at the top of each file, so slaptest and slapd will log checksum warnings; the supported way is ldapmodify over ldapi:///. The key file must be readable by the ldap user and by nobody else.)

D) Provide monitoring privileges:-
# vim olcDatabase={1}monitor.ldif
In the olcAccess line, change dn.base="cn=Manager,dc=my-domain,dc=com" to dn.base="cn=Manager,dc=mydomain,dc=com" so it matches the RootDN set in step C.
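The same configuration as steps C and D, applied with ldapmodify over the local ldapi:/// socket instead of editing the files under slapd.d by hand (which keeps slapd's checksums valid and works while slapd is running). This is an added example, not code from the original post; it uses the suffix, Manager DN and certificate paths from this page and assumes slapd is already running (step F) and that the certificate and key from step H exist, because slapd opens the TLS files when they are set.

```shell
#!/bin/bash
# Added example (not from the original post): steps C and D done with
# ldapmodify over ldapi:/// instead of editing slapd.d by hand. Assumes slapd
# is running (step F), the certificate and key from step H exist, and the
# suffix, Manager DN and file paths used on this page.
set -u

SUFFIX="dc=mydomain,dc=com"
ROOTDN="cn=Manager,${SUFFIX}"
CERT=/etc/pki/tls/certs/mydomainldap.pem
KEY=/etc/pki/tls/certs/mydomainldapkey.pem

# LDIF for the hdb database: suffix, rootdn and rootpw ($1 = slappasswd hash).
db_config_ldif() {
  local hash="$1"
  cat <<EOF
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: ${SUFFIX}
-
replace: olcRootDN
olcRootDN: ${ROOTDN}
-
replace: olcRootPW
olcRootPW: ${hash}
EOF
}

# LDIF for the TLS files: these are global options on cn=config, not
# attributes of the database entry.
tls_config_ldif() {
  cat <<EOF
dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: ${CERT}
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: ${KEY}
EOF
}

# LDIF for step D: let the Manager DN read the monitor database (local root
# keeps read access through the ldapi peer credential).
monitor_acl_ldif() {
  cat <<EOF
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="${ROOTDN}" read by * none
EOF
}

# Apply as root over the local socket (SASL EXTERNAL, no password), then
# re-check the configuration. slapd opens the key when the TLS attributes
# are set, so it must be readable by the ldap user, and by nobody else.
apply_config() {
  local hash
  hash=$(slappasswd) || return 1            # asks for the Manager password twice
  chown ldap:ldap "$KEY" && chmod 600 "$KEY" || return 1
  db_config_ldif "$hash" | ldapmodify -Q -Y EXTERNAL -H ldapi:/// || return 1
  tls_config_ldif        | ldapmodify -Q -Y EXTERNAL -H ldapi:/// || return 1
  monitor_acl_ldif       | ldapmodify -Q -Y EXTERNAL -H ldapi:/// || return 1
  slaptest -u
}
# apply_config
```

Source the file and run apply_config as root on the server; each ldapmodify returns non-zero on a rejected change, so a typo in a DN or a missing certificate file stops the run instead of leaving a half-applied configuration.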

E) Verify the configuration:-
# slaptest -u
(expect "config file testing succeeded"; checksum warnings are caused by editing slapd.d by hand and can be ignored, any other error must be fixed before slapd is started)

F) Start and enable the slapd service:-
# systemctl start slapd
# systemctl enable slapd
# netstat -tunlp | grep 389 (389 is the LDAP port; grep slapd works as well)
(copy DB_CONFIG and fix ownership as in step G and create the certificate from step H before the first start; the schema import in step G needs slapd running)

G) Configure the LDAP database:-
# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
# chown -R ldap:ldap /var/lib/ldap/
Then, with slapd running, load the schemas over the local ldapi socket (root is authenticated by SASL EXTERNAL, no password needed; keep this order, nis and inetorgperson depend on cosine):
# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

H) Create a self-signed certificate and key:-
# openssl req -new -x509 -nodes -out /etc/pki/tls/certs/mydomainldap.pem -keyout /etc/pki/tls/certs/mydomainldapkey.pem -days 365
(when prompted for the Common Name enter the server's hostname exactly as the clients resolve it, because they verify the certificate against that name; the key is written world-readable by default, restrict it so that only the ldap user can read it)
# ls -lrth /etc/pki/tls/certs/*.pem (to check the certificates; the file names must match the ones used in step C)

I) Create Base object:-
# cd /usr/share/migrationtools/
# vim
line 71

line 74
$DEFAULT_BASE = "dc=mydomain,dc=com"

line 90


# vim /root/base.ldif
(object class names must be spelled exactly as below, dcObject, organizationalRole and organizationalUnit, or ldapadd rejects the entry; the commas in the DNs are required)

dn: dc=mydomain,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: mydomain com
dc: mydomain

dn: cn=Manager,dc=mydomain,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=People,dc=mydomain,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=mydomain,dc=com
objectClass: organizationalUnit
ou: Group

K) Add a local user and set its password:-
# useradd ldapuser1
# echo "redhat" | passwd --stdin ldapuser1
(this local account is only the source for the migration; the migration script copies its /etc/shadow hash into the LDAP entry as userPassword)

L) Make a passwd file containing only the regular users (UID 1000 and above, not the system accounts), and the same for groups, since step M migrates both:
# awk -F: '$3 >= 1000 && $3 != 65534' /etc/passwd > /root/passwd
# awk -F: '$3 >= 1000 && $3 != 65534' /etc/group > /root/group
(grep ":10[0-9][0-9]" only catches UIDs 1000 to 1099 and also matches the GID column, so filter on the numeric UID field instead; 65534 is nfsnobody)

M) Migrate the local user database and import it into LDAP:-
# ./ /root/group /root/groups.ldif
# ./ /root/passwd /root/users.ldif

# ldapadd -x -W -D "cn=Manager,dc=mydomain,dc=com" -f /root/base.ldif
# ldapadd -x -W -D "cn=Manager,dc=mydomain,dc=com" -f /root/users.ldif
# ldapadd -x -W -D "cn=Manager,dc=mydomain,dc=com" -f /root/groups.ldif

(note:- -W prompts for the Manager password: type the clear-text password you entered at slappasswd, not the hash. base.ldif must be loaded first because the user and group entries are created under ou=People and ou=Group.)
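Steps I, L and M as one script, added here as an example and not the original post's code: it derives the base DN from the domain name, writes the base.ldif shown above, selects the non-system accounts by numeric UID/GID, points migrate_common.ph at the domain, runs migrate_passwd.pl and migrate_group.pl (the scripts the migrationtools package installs in /usr/share/migrationtools) and loads the three LDIF files in the right order. The domain mydomain.com and the /root/*.ldif file names are assumptions taken from this page.

```shell
#!/bin/bash
# Added example for steps I, L and M (not from the original post).
# migrate_common.ph, migrate_passwd.pl and migrate_group.pl are the scripts
# installed by the migrationtools package; the domain is an assumption.
set -u
MIGDIR=/usr/share/migrationtools

# "mydomain.com" -> "dc=mydomain,dc=com"
domain_to_dn() {
  printf '%s\n' "$1" |
    awk -F. '{ for (i = 1; i <= NF; i++) printf "%sdc=%s", (i > 1 ? "," : ""), $i; print "" }'
}

# base.ldif for a suffix: the dcObject/organization root, the Manager entry
# and the People/Group OUs. Object class names must be spelled exactly like
# this or ldapadd rejects the entry.
base_ldif() {
  local dn="$1" dc="${1#dc=}"
  dc="${dc%%,*}"
  cat <<EOF
dn: ${dn}
objectClass: top
objectClass: dcObject
objectClass: organization
o: ${dc}
dc: ${dc}

dn: cn=Manager,${dn}
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=People,${dn}
objectClass: organizationalUnit
ou: People

dn: ou=Group,${dn}
objectClass: organizationalUnit
ou: Group
EOF
}

# Keep only regular accounts from passwd/group data on stdin: id 1000 and
# above, minus nfsnobody (65534). grep ":10[0-9][0-9]" would skip UID 2000
# and match the GID column, so filter on the numeric third field instead.
local_accounts() {
  awk -F: '$3 >= 1000 && $3 != 65534'
}

# Set the two $DEFAULT_* variables in migrate_common.ph ($3) for our domain.
set_migrate_defaults() {
  local domain="$1" dn="$2" file="$3"
  sed -e 's/^[$]DEFAULT_MAIL_DOMAIN = .*/$DEFAULT_MAIL_DOMAIN = "'"$domain"'";/' \
      -e 's/^[$]DEFAULT_BASE = .*/$DEFAULT_BASE = "'"$dn"'";/' "$file" > "$file.tmp" &&
    mv "$file.tmp" "$file"
}

# The whole server-side run. Root only: migrate_passwd.pl reads /etc/shadow
# to carry the {crypt} hashes into userPassword.
migrate_and_load() {
  local domain="$1" dn f
  dn=$(domain_to_dn "$domain")
  set_migrate_defaults "$domain" "$dn" "$MIGDIR/migrate_common.ph"
  base_ldif "$dn"              > /root/base.ldif
  local_accounts < /etc/passwd > /root/passwd
  local_accounts < /etc/group  > /root/group
  "$MIGDIR/migrate_passwd.pl" /root/passwd > /root/users.ldif
  "$MIGDIR/migrate_group.pl"  /root/group  > /root/groups.ldif
  # base.ldif first: users and groups are children of ou=People / ou=Group.
  # -W asks for the clear-text Manager password (the input to slappasswd).
  for f in base users groups; do
    ldapadd -x -W -D "cn=Manager,${dn}" -f "/root/${f}.ldif" || return 1
  done
  ldapsearch -x -b "$dn" '(uid=*)' uid uidNumber homeDirectory
}
# migrate_and_load mydomain.com
```

The final ldapsearch lists every migrated account with its UID and home directory, which is exactly what the client must later see through getent; a user missing here is a migration problem, not a client problem.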

N) Test the configuration:- search for the created users, e.g. ldapuser1

# ldapsearch -x -b dc=mydomain,dc=com cn=ldapuser1
# ldapsearch -x -b 'dc=mydomain,dc=com' '(objectclass=*)'
# systemctl stop firewalld (lab shortcut, see step 1; on a real server allow the ldap service in firewalld instead and keep it running)

O) Configure the NFS server to share the home directories:-

# vim /etc/exports
/home *(rw,sync)

("*" lets every host that can reach the server mount /home; outside a throw-away lab restrict the export to the client hostname or subnet and leave root_squash, the default, in place.)

# yum install rpcbind nfs-utils
# systemctl start rpcbind
# systemctl start nfs-server
# systemctl enable rpcbind
# systemctl enable nfs-server

P) Check what is exported:-
# showmount -e
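An added example for steps O and P (not the page's own commands): write /etc/exports so that only the LDAP client can mount /home, publish it, and audit the file for the two settings that turn a home-directory export into a problem, a world-open client list and no_root_squash. "client" is the hostname from /etc/hosts and is an assumption; a CIDR such as 192.168.1.0/24 works the same way.

```shell
#!/bin/bash
# Added example for steps O and P (not from the original post). The client
# name is an assumption; any hostname or CIDR from /etc/exports(5) will do.
set -u
CLIENT=client

# One export line: read-write, synchronous, root mapped to nfsnobody.
export_line() {
  printf '/home %s(rw,sync,root_squash)\n' "$1"
}

# Return 1 (and name the offenders) if any export is mountable by every host
# or lets a client's root act as root on the server. $1 is the exports file.
audit_exports() {
  local bad=0 path rest spec
  set -f                                  # no globbing: "*" must stay literal
  while read -r path rest; do
    case "$path" in ''|'#'*) continue ;; esac
    for spec in $rest; do
      case "$spec" in '*'*) echo "world-mountable: $path $spec"; bad=1 ;; esac
      case "$spec" in *no_root_squash*) echo "no_root_squash: $path $spec"; bad=1 ;; esac
    done
  done < "$1"
  set +f
  return "$bad"
}

# Write, audit and re-export, then show what a client will see (step P).
publish_exports() {
  export_line "$CLIENT" > /etc/exports
  audit_exports /etc/exports || return 1
  exportfs -rav
  showmount -e localhost
}
# publish_exports
```

audit_exports can also be run on its own against an existing /etc/exports before a server goes live; the original "/home *(rw,sync)" line is reported as world-mountable.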

Configure Client:-

A) Install the client packages:-
# yum install openldap-clients nss-pam-ldapd
(authconfig-tui comes from the authconfig package; install it if the command is missing)

B) Configure the server settings at the client end:-
# authconfig-tui
1 Put a * mark on USE LDAP:- [*] USE LDAP
2 Select Next and Enter
3 Enter the Server field:- ldap://
4 Enter the Base DN field as "dc=mydomain,dc=com"
5 Select Ok and then Enter
(With plain ldap:// and no TLS the bind passwords cross the network in clear text; tick Use TLS and put the server certificate from step H into /etc/openldap/cacerts so the client can verify it.)

C) Test the client configuration:- look up the LDAP user with the command below; if you get a response, NSS is resolving users from the directory.

# getent passwd ldapuser1

D) Mount the LDAP users' home directories on the client machine:-
# vim /etc/fstab
server:/home /home nfs defaults,_netdev 0 0
(server is the hostname from /etc/hosts; an fstab line needs all six fields)

# mount -a (mounts everything in fstab; if it fails with a "wrong fs type" or "bad option" error, restart rpcbind and nfs-server on the server side and check showmount -e server)

# su - ldapuser1 (you should get a shell as ldapuser1 in /home/ldapuser1, with the account coming from the server)
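The client steps B to D as one non-interactive run plus the checks a practitioner would add, as an added example and not the page's code: authconfig with the same options authconfig-tui writes, with TLS turned on so bind passwords are not sent in clear, a STARTTLS test with ldapsearch -ZZ, and a check that the resolved user is a regular account whose home directory sits under the NFS-mounted /home. "server" is the hostname from /etc/hosts; the scp copy of the certificate and the cacerts directory are assumptions.

```shell
#!/bin/bash
# Added example for the client steps B to D (not from the original post).
# "server" is the LDAP/NFS host name from /etc/hosts; the certificate copy
# and the cacerts directory are this example's assumptions.
set -u
SERVER=server
BASEDN="dc=mydomain,dc=com"
CACERT_DIR=/etc/openldap/cacerts

# Same settings authconfig-tui writes, plus TLS. The self-signed server
# certificate from step H is copied over so the client can verify it; its
# CN must match $SERVER.
configure_client() {
  mkdir -p "$CACERT_DIR"
  scp "root@${SERVER}:/etc/pki/tls/certs/mydomainldap.pem" "$CACERT_DIR/" || return 1
  cacertdir_rehash "$CACERT_DIR"
  authconfig --enableldap --enableldapauth --enableldaptls \
             --ldapserver="ldap://${SERVER}/" --ldapbasedn="$BASEDN" --update
}

# -ZZ makes ldapsearch fail unless STARTTLS succeeds and the certificate
# verifies, so a silent clear-text fallback cannot go unnoticed.
verify_tls() {
  ldapsearch -x -ZZ -H "ldap://${SERVER}/" -b "$BASEDN" -s base '(objectclass=*)'
}

# Validate one "getent passwd" line: non-empty, a regular UID (>= 1000) and a
# home directory under the NFS-mounted /home. Returns 0 when all hold.
check_passwd_entry() {
  local line="$1" uid home
  [ -n "$line" ] || return 1
  uid=$(printf '%s' "$line" | cut -d: -f3)
  home=$(printf '%s' "$line" | cut -d: -f6)
  case "$uid" in ''|*[!0-9]*) return 1 ;; esac
  [ "$uid" -ge 1000 ] || return 1
  case "$home" in /home/*) return 0 ;; *) return 1 ;; esac
}

# Step C and D checks for one user: NSS must resolve it (nslcd reachable),
# the entry must look like a migrated account, and /home must be mounted.
verify_user() {
  local user="$1" line
  line=$(getent passwd "$user") || { echo "$user: not resolved via LDAP"; return 1; }
  check_passwd_entry "$line" || { echo "$user: unexpected entry: $line"; return 1; }
  mountpoint -q /home || { echo "/home is not mounted from $SERVER"; return 1; }
  echo "$user ok: $line"
}
# configure_client && verify_tls && verify_user ldapuser1
```

The separate mountpoint check matters because a user can resolve through LDAP while /home is still the client's local directory; su then "works" but lands in a home that does not exist on the server.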
