Friday, May 13, 2016

RHEL7-Open LDAP installation


Open LDAP installation

Install following packages
[root@sam tmp]# yum install openldap-servers openldap-clients migrationtools

[root@sam tmp]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

[root@sam tmp]# chown -R ldap. /var/lib/ldap/


Generate a password hash and copy the hashed value (the {SSHA} string, never the cleartext password).

[root@sam tmp]# slappasswd
New password:
Re-enter new password:
{SSHA}GfPyEU88pNqYCgAaG+DqpyG89wtawEST
[root@sam tmp]#

Go to the directory below and edit the following three files:
[root@sam tmp]# cd /etc/openldap/slapd.d/cn\=config/
[root@sam cn=config]#


[root@sam cn=config]# ls
cn=schema       olcDatabase={0}config.ldif     olcDatabase={1}monitor.ldif
cn=schema.ldif  olcDatabase={-1}frontend.ldif  olcDatabase={2}hdb.ldif
[root@sam cn=config]# vi olcDatabase\=\{0\}config.ldif

Add the hashed password at the bottom of the file as follows:

olcRootPW: {SSHA}GfPyEU88pNqYCgAaG+DqpyG89wtawEST



[root@sam cn=config]# vi olcDatabase\=\{2\}hdb.ldif

Replace the domain info:

:%s/my-domain/expanor/
:%s/dc=com/dc=local/

Append the following just below:

olcRootPW: {SSHA}GfPyEU88pNqYCgAaG+DqpyG89wtawEST



Then add the following at the bottom of the file:

olcAccess: {0}to attrs=userPassword by self write by dn.base="cn=Manager,dc=expanor,dc=local" write by anonymous auth by * none
olcAccess: {1}to * by dn.base="cn=Manager,dc=expanor,dc=local" write by self write by * read


wq!


[root@sam cn=config]# vi olcDatabase\=\{1\}monitor.ldif


Change the domain info in the following line:

olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=extern
 al,cn=auth" read by dn.base="cn=Manager,dc=my-domain,dc=com" read by * none


Replace `my-domain` with `expanor` and `com` with `local`.


[root@sam cn=config]# systemctl enable slapd
Created symlink from /etc/systemd/system/multi-user.target.wants/slapd.service to /usr/lib/systemd/system/slapd.service.
[root@sam cn=config]# systemctl start slapd
[root@sam cn=config]#

[root@sam cn=config]# systemctl status slapd
● slapd.service - OpenLDAP Server Daemon
   Loaded: loaded (/usr/lib/systemd/system/slapd.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2016-05-12 22:29:25 EDT; 20s ago
     Docs: man:slapd


[root@sam cn=config]# netstat -nltp | egrep "master|slapd"
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      29939/slapd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1790/master
tcp6       0      0 :::389                  :::*                    LISTEN      29939/slapd
tcp6       0      0 ::1:25                  :::*                    LISTEN      1790/master
[root@sam cn=config]#


[root@sam cn=config]# firewall-cmd --get-services | grep ldap --color
[root@sam cn=config]# firewall-cmd --permanent --add-service=ldap
FirewallD is not running
[root@sam cn=config]# firewall-cmd --reload^C
[root@sam cn=config]#

Working on schemas

[root@sam cn=config]# ls -l /etc/openldap/schema/
Import the following schemas:

# ls -l cosine.ldif inetorgperson.ldif nis.ldif


[root@sam cn=config]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"

[root@sam cn=config]#

[root@sam cn=config]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"

[root@sam cn=config]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"

[root@sam cn=config]#


Create a base.ldif file.
The base.ldif file defines the root entry and the organizational units.

[root@sam cn=config]# pwd
/etc/openldap/slapd.d/cn=config







[root@sam cn=config]# vi base.ldif
dn: dc=expanor,dc=local
objectClass: dcObject
objectClass: organization
dc: expanor
o : expanor

dn: ou=People,dc=expanor,dc=local
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=expanor,dc=local
objectClass: organizationalUnit
ou: Group

wq!

[root@sam cn=config]# pwd
/etc/openldap/slapd.d/cn=config
[root@sam cn=config]# ldapadd -x -D cn=Manager,dc=expanor,dc=local -W -f base.ldif
Enter LDAP Password:
adding new entry "dc=expanor,dc=local"

adding new entry "ou=People,dc=expanor,dc=local"

adding new entry "ou=Group,dc=expanor,dc=local"

[root@sam cn=config]#


[root@sam cn=config]# ldapsearch -x -D cn=Manager,dc=expanor,dc=local -W -b dc=expanor,dc=local
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=expanor,dc=local> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# expanor.local
dn: dc=expanor,dc=local
objectClass: dcObject
objectClass: organization
dc: expanor
o: expanor

# People, expanor.local
dn: ou=People,dc=expanor,dc=local
objectClass: organizationalUnit
ou: People

# Group, expanor.local
dn: ou=Group,dc=expanor,dc=local
objectClass: organizationalUnit
ou: Group

# search result
search: 2
result: 0 Success

# numResponses: 4
# numEntries: 3
[root@sam cn=config]#



Now create some users and add them to the LDAP directory.

Create system users without a password:

[root@sam cn=config]# useradd ldapuser1
[root@sam cn=config]# useradd ldapuser2
[root@sam cn=config]#

[root@sam cn=config]# cd /usr/share/migrationtools/
[root@sam migrationtools]# ls

Edit the migrate_common.ph file, search for `padl` and replace it with your own domain,
then search for `EXT`.
[root@sam migrationtools]# vi migrate_common.ph

$DEFAULT_MAIL_DOMAIN = "expanor.local";

# Default base
$DEFAULT_BASE = "dc=expanor,dc=local";


$EXTENDED_SCHEMA = 0;
Change the value to 1.

Save and exit.

Note: you can use the migrate_passwd.pl and migrate_group.pl scripts to create the LDIF files.

Now, get the users we created for the LDAP test:
[root@sam migrationtools]# grep ldap /etc/passwd | grep -v nologin >/var/tmp/ldap.users
[root@sam migrationtools]# grep ldap /etc/group | grep -v 55 >/var/tmp/ldap.groups



[root@sam migrationtools]# ./migrate_passwd.pl /var/tmp/ldap.users /var/tmp/ldap.users.ldif
[root@sam migrationtools]# ./migrate_group.pl /var/tmp/ldap.groups /var/tmp/ldap.groups.ldif
[root@sam migrationtools]#

[root@sam migrationtools]# cat /var/tmp/ldap.users.ldif
dn: uid=ldapuser1,ou=People,dc=expanor,dc=local
uid: ldapuser1
cn: ldapuser1
sn: ldapuser1
mail: ldapuser1@expanor.local

...........


Now, add the user and group accounts to LDAP:

[root@sam migrationtools]# ldapadd -x -D cn=Manager,DC=expanor,dc=local -W -f /var/tmp/ldap.groups.ldif
Enter LDAP Password:
adding new entry "cn=ldapuser1,ou=Group,dc=expanor,dc=local"

adding new entry "cn=ldapuser2,ou=Group,dc=expanor,dc=local"

[root@sam migrationtools]#


[root@sam migrationtools]# ldapadd -x -D cn=Manager,DC=expanor,DC=local -W -f /var/tmp/ldap.users.ldif
Enter LDAP Password:
adding new entry "uid=ldapuser1,ou=People,dc=expanor,dc=local"

adding new entry "uid=ldapuser2,ou=People,dc=expanor,dc=local"

[root@sam migrationtools]#


[root@sam migrationtools]# kadmin.local
Authenticating as principal root/admin@EXPANOR.LOCAL with password.
kadmin.local:  addprinc ldapuser1
WARNING: no policy specified for ldapuser1@EXPANOR.LOCAL; defaulting to no policy
Enter password for principal "ldapuser1@EXPANOR.LOCAL":
Re-enter password for principal "ldapuser1@EXPANOR.LOCAL":
Principal "ldapuser1@EXPANOR.LOCAL" created.
kadmin.local:  addprinc ldapuser2
WARNING: no policy specified for ldapuser2@EXPANOR.LOCAL; defaulting to no policy
Enter password for principal "ldapuser2@EXPANOR.LOCAL":
Re-enter password for principal "ldapuser2@EXPANOR.LOCAL":
Principal "ldapuser2@EXPANOR.LOCAL" created.
kadmin.local:  quit
[root@sam migrationtools]#


Now the OpenLDAP server is configured. Note that as shown above it listens on the plain LDAP port 389 and no TLS was configured in these steps, and FirewallD was not running when the ldap service was added.


^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^


[root@localhost yum.repos.d]# yum install krb5-libs krb5-workstation

Is this ok [y/d/N]: y

[root@localhost yum.repos.d]# cd /etc/
[root@localhost etc]# cp -p krb5.conf krb5.conf.05132016
[root@localhost etc]# vi krb5.conf
[root@localhost etc]# cp -p krb5.conf krb5.conf.05132016^C


[root@localhost etc]# yum install pam_krb5 krb5.workstation


[root@localhost etc]# ifconfig -a
enp0s3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.10.20  netmask 255.255.255.0  broadcast 192.168.10.255
        inet6 fe80::a00:27ff:fe0b:df72  prefixlen 64  scopeid 0x20<link>
        ether 08:00:27:0b:df:72  txqueuelen 1000  (Ethernet)
        RX packets 8035  bytes 739424 (722.0 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1660  bytes 254872 (248.8 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0



[root@localhost etc]# pwd
/etc
[root@localhost etc]# cd /var/tmp
[root@localhost tmp]# ls
abrt
sam.keytab
systemd-private-e9b92981f4d5492b8a2733819a295fd4-colord.service-IzHXQW
systemd-private-e9b92981f4d5492b8a2733819a295fd4-cups.service-tZljZC
systemd-private-e9b92981f4d5492b8a2733819a295fd4-rtkit-daemon.service-7q4Rdl
[root@localhost tmp]# less /etc/krb5.conf
[root@localhost tmp]# ktutil
ktutil:  rkt /tmp/sam.keytab
rkt: No such file or directory while reading keytab "/tmp/sam.keytab"
ktutil:  rkt /var/tmp/sam.keytab
ktutil:  wkt /etc/krb5.keytab
ktutil:  list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    3     host/sam.expanor.local@EXPANOR.LOCAL
   2    3     host/sam.expanor.local@EXPANOR.LOCAL
   3    3     host/sam.expanor.local@EXPANOR.LOCAL
   4    3     host/sam.expanor.local@EXPANOR.LOCAL
   5    3     host/sam.expanor.local@EXPANOR.LOCAL
   6    3     host/sam.expanor.local@EXPANOR.LOCAL
   7    3     host/sam.expanor.local@EXPANOR.LOCAL
   8    3     host/sam.expanor.local@EXPANOR.LOCAL
ktutil:  quit
[root@localhost tmp]# ifconfig -a
enp0s3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.10.20  netmask 255.255.255.0  broadcast 192.168.10.255
        inet6 fe80::a00:27ff:fe0b:df72  prefixlen 64  scopeid 0x20<link>
        ether 08:00:27:0b:df:72  txqueuelen 1000  (Ethernet)
        RX packets 13543  bytes 1252736 (1.1 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1972  bytes 346247 (338.1 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0


[root@localhost tmp]# cd /etc/openldap/slapd.d/cn=config
-bash: cd: /etc/openldap/slapd.d/cn=config: No such file or directory
[root@localhost tmp]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
cp: cannot stat ‘/usr/share/openldap-servers/DB_CONFIG.example’: No such file or directory
[root@localhost tmp]# id ldapuser1
id: ldapuser1: no such user
[root@localhost tmp]# yum install nss-pam-ldap
Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
No package nss-pam-ldap available.
Error: Nothing to do
[root@localhost tmp]# yum install nss-pam-ldapd
Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Resolving Dependencies
--> Running transaction check
---> Package nss-pam-ldapd.x86_64 0:0.8.13-8.el7 will be installed
--> Processing Dependency: nscd for package: nss-pam-ldapd-0.8.13-8.el7.x86_64
--> Running transaction check
---> Package nscd.x86_64 0:2.17-105.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

=====================================================================================
 Package                Arch            Version               Repository        Size
=====================================================================================
Installing:
 nss-pam-ldapd          x86_64          0.8.13-8.el7          RHEL7.2          159 k
Installing for dependencies:
 nscd                   x86_64          2.17-105.el7          RHEL7.2          260 k

Transaction Summary
=====================================================================================
Install  1 Package (+1 Dependent package)

Total download size: 419 k
Installed size: 586 k
Is this ok [y/d/N]: y
Downloading packages:
-------------------------------------------------------------------------------------
Total                                                   4.8 MB/s | 419 kB  00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : nscd-2.17-105.el7.x86_64                                          1/2
  Installing : nss-pam-ldapd-0.8.13-8.el7.x86_64                                 2/2
  Verifying  : nss-pam-ldapd-0.8.13-8.el7.x86_64                                 1/2
  Verifying  : nscd-2.17-105.el7.x86_64                                          2/2

Installed:
  nss-pam-ldapd.x86_64 0:0.8.13-8.el7

Dependency Installed:
  nscd.x86_64 0:2.17-105.el7

Complete!
[root@localhost tmp]# authconfig-tui
^[[A^[[B^[[B^[[B^[[B^C[root@localhost tmp]# authconfig-tui
[root@localhost tmp]# vi /etc/nsswitch.conf
[root@localhost tmp]# grep ldapu /etc/passwd
[root@localhost tmp]# getent passwd ldapuser1
ldapuser1:x:1002:1002:ldapuser1:/home/ldapuser1:/bin/bash
[root@localhost tmp]# getent passwd ldapuser2
ldapuser2:x:1003:1003:ldapuser2:/home/ldapuser2:/bin/bash
[root@localhost tmp]# id ldapuser1
uid=1002(ldapuser1) gid=1002(ldapuser1) groups=1002(ldapuser1)
[root@localhost tmp]#
