OpenLDAP installation (RHEL/CentOS 7, slapd with the cn=config backend; the server in this transcript is the host "sam").
Install the following packages. migrationtools is only needed later, to convert entries from /etc/passwd and /etc/group into LDIF.
[root@sam tmp]# yum install openldap-servers openldap-clients migrationtools
[root@sam tmp]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@sam tmp]# chown -R ldap. /var/lib/ldap/
Generate a password hash with slappasswd and copy the resulting {SSHA} string. This is a salted SHA-1 hash, not an encrypted (reversible) value. Use the output of your own run in the steps below; do not copy the example hash shown on this page, since that would set an unknown password on your server.
[root@sam tmp]# slappasswd
New password:
Re-enter new password:
{SSHA}GfPyEU88pNqYCgAaG+DqpyG89wtawEST
[root@sam tmp]#
Go to the directory below and edit three files. Caveat: editing the files under slapd.d by hand is not the supported way to change cn=config (the supported route is ldapmodify -Y EXTERNAL -H ldapi:/// against the cn=config entries; hand-edited files no longer match the CRC32 header slapd writes, which produces a checksum warning). It works on a fresh install like this one, but do it before slapd is started, and keep these files readable only by root and the ldap user, because they will contain the root password hashes.
[root@sam tmp]# cd /etc/openldap/slapd.d/cn\=config/
[root@sam cn=config]#
[root@sam cn=config]# ls
cn=schema olcDatabase={0}config.ldif olcDatabase={1}monitor.ldif
cn=schema.ldif olcDatabase={-1}frontend.ldif olcDatabase={2}hdb.ldif
[root@sam cn=config]# vi olcDatabase\=\{0\}config.ldif
Append the hash as an olcRootPW attribute at the end of the entry. This sets the password for the olcRootDN of the config database (normally cn=config): whoever has it can rewrite the entire server configuration, so protect it like a root password.
olcRootPW: {SSHA}GfPyEU88pNqYCgAaG+DqpyG89wtawEST
[root@sam cn=config]# vi olcDatabase\=\{2\}hdb.ldif
Replace the domain info in olcSuffix and olcRootDN (the :%s commands below replace the first match on each line, which is sufficient here):
:%s/my-domain/expanor/
:%s/dc=com/dc=local/
Append the hash as olcRootPW for this database too. This is the password for cn=Manager,dc=expanor,dc=local, the DN used with -D in the ldapadd/ldapsearch commands later on.
olcRootPW: {SSHA}GfPyEU88pNqYCgAaG+DqpyG89wtawEST
and append the following olcAccess rules at the bottom of the file. Rule {0} keeps userPassword unreadable: users may change their own, Manager may write, and anonymous clients may only use the attribute to authenticate. Rule {1} grants "by * read" on everything else, i.e. anonymous, unauthenticated clients can enumerate every account and group in the directory; if that is not acceptable, use "by users read" so that only bound clients can read.
olcAccess: {0}to attrs=userPassword by self write by dn.base="cn=Manager,dc=expanor,dc=local" write by anonymous auth by * none
olcAccess: {1}to * by dn.base="cn=Manager,dc=expanor,dc=local" write by self write by * read
wq!
[root@sam cn=config]# vi olcDatabase\=\{1\}monitor.ldif
change the domain in the Manager DN of the existing olcAccess value (shown here on one line; it wrapped during capture):
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=my-domain,dc=com" read by * none
replace
my-domain to expanor
com to local
[root@sam cn=config]# systemctl enable slapd
Created symlink from /etc/systemd/system/multi-user.target.wants/slapd.service to /usr/lib/systemd/system/slapd.service.
[root@sam cn=config]# systemctl start slapd
[root@sam cn=config]#
[root@sam cn=config]# systemctl status slapd
● slapd.service - OpenLDAP Server Daemon
Loaded: loaded (/usr/lib/systemd/system/slapd.service; enabled; vendor preset: disabled)
Active: active (running) since Thu 2016-05-12 22:29:25 EDT; 20s ago
Docs: man:slapd
[root@sam cn=config]# netstat -nltp | egrep "master|slapd"
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 29939/slapd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1790/master
tcp6 0 0 :::389 :::* LISTEN 29939/slapd
tcp6 0 0 ::1:25 :::* LISTEN 1790/master
[root@sam cn=config]#
[root@sam cn=config]# firewall-cmd --get-services | grep ldap --color
[root@sam cn=config]# firewall-cmd --permanent --add-service=ldap
FirewallD is not running
[root@sam cn=config]# firewall-cmd --reload^C
[root@sam cn=config]#
Working on schemas. Before going further, note what the checks above showed: slapd is listening for plain LDAP on port 389 on all interfaces, and "FirewallD is not running", so the --add-service/--reload step did nothing and nothing restricts access to the server. The simple binds used below (-x -W) send the Manager password in clear text; before any client binds from another host, either start firewalld and add the ldap service, or, better, configure olcTLSCertificateFile/olcTLSCertificateKeyFile on the server and require StartTLS or ldaps (636) from clients.
[root@sam cn=config]# ls -l /etc/openldap/schema/
Import the following schemas over the local ldapi:/// socket using SASL EXTERNAL: the connecting root uid/gid is mapped to the cn=config admin, so no password is needed. The "SASL SSF: 0" output is expected on a Unix socket (no encryption layer is negotiated).
# ls -l cosine.ldif inetorgperson.ldif nis.ldif
[root@sam cn=config]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"
[root@sam cn=config]#
[root@sam cn=config]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"
[root@sam cn=config]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"
[root@sam cn=config]#
Create a base.ldif file. It defines the root (suffix) entry and the People and Group organizational units. LDIF requires a blank line between entries and no whitespace before the colon, so the file should read as below (it does not need to live inside /etc/openldap/slapd.d; any directory readable by root is fine):
[root@sam cn=config]# pwd
/etc/openldap/slapd.d/cn=config
[root@sam cn=config]# vi base.ldif
dn: dc=expanor,dc=local
objectClass: dcObject
objectClass: organization
dc: expanor
o: expanor

dn: ou=People,dc=expanor,dc=local
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=expanor,dc=local
objectClass: organizationalUnit
ou: Group
wq!
[root@sam cn=config]# pwd
/etc/openldap/slapd.d/cn=config
[root@sam cn=config]# ldapadd -x -D cn=Manager,dc=expanor,dc=local -W -f base.ldif
Enter LDAP Password:
adding new entry "dc=expanor,dc=local"
adding new entry "ou=People,dc=expanor,dc=local"
adding new entry "ou=Group,dc=expanor,dc=local"
[root@sam cn=config]#
[root@sam cn=config]# ldapsearch -x -D cn=Manager,dc=expanor,dc=local -W -b dc=expanor,dc=local
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=expanor,dc=local> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# expanor.local
dn: dc=expanor,dc=local
objectClass: dcObject
objectClass: organization
dc: expanor
o: expanor
# People, expanor.local
dn: ou=People,dc=expanor,dc=local
objectClass: organizationalUnit
ou: People
# Group, expanor.local
dn: ou=Group,dc=expanor,dc=local
objectClass: organizationalUnit
ou: Group
# search result
search: 2
result: 0 Success
# numResponses: 4
# numEntries: 3
[root@sam cn=config]#
Now create some users and add them to the LDAP directory.
Create local system users without a password. useradd leaves such accounts locked locally, which is fine here: they exist only so migrationtools can generate LDIF from them, and authentication will be done through Kerberos, not an LDAP userPassword.
[root@sam cn=config]# useradd ldapuser1
[root@sam cn=config]# useradd ldapuser2
[root@sam cn=config]#
[root@sam cn=config]# cd /usr/share/migrationtools/
[root@sam migrationtools]# ls
Edit migrate_common.ph: search for padl and replace the default mail domain and base DN with your own, then search for EXT and set $EXTENDED_SCHEMA to 1:
[root@sam migrationtools]# vi migrate_common.ph
$DEFAULT_MAIL_DOMAIN = "expanor.local";
# Default base
$DEFAULT_BASE = "dc=expanor,dc=local";
$EXTENDED_SCHEMA = 1;
(the shipped value is 0; set it to 1 so the generated entries carry the inetOrgPerson attributes such as mail, as seen in the generated LDIF below)
save and exit
Note: migrate_passwd.pl and migrate_group.pl produce the LDIF files from passwd/group-format input.
Now extract the users created for the LDAP test. The two greps below are crude filters: "grep -v nologin" keeps only the ldap* accounts that have a login shell, and "grep -v 55" drops any group line containing the digits 55 (presumably to exclude the system ldap group). Matching on the name, e.g. grep '^ldapuser', is safer than matching on a number that may appear in unrelated lines.
[root@sam migrationtools]# grep ldap /etc/passwd | grep -v nologin >/var/tmp/ldap.users
[root@sam migrationtools]# grep ldap /etc/group | grep -v 55 >/var/tmp/ldap.groups
[root@sam migrationtools]# ./migrate_passwd.pl /var/tmp/ldap.users /var/tmp/ldap.users.ldif
[root@sam migrationtools]# ./migrate_group.pl /var/tmp/ldap.groups /var/tmp/ldap.groups.ldif
[root@sam migrationtools]#
[root@sam migrationtools]# cat /var/tmp/ldap.users.ldif
dn: uid=ldapuser1,ou=People,dc=expanor,dc=local
uid: ldapuser1
cn: ldapuser1
sn: ldapuser1
mail: ldapuser1@expanor.local
...........
Now add the accounts to LDAP. Caveat: when run as root, migrate_passwd.pl also reads /etc/shadow and, for accounts that have a hash there, writes it into the LDIF as userPassword: {crypt}...; the files above were written to /var/tmp with the default umask, so they are world-readable. Create them with a restrictive umask (or chmod 600 them) and delete them once imported.
[root@sam migrationtools]# ldapadd -x -D cn=Manager,DC=expanor,dc=local -W -f /var/tmp/ldap.groups.ldif
Enter LDAP Password:
adding new entry "cn=ldapuser1,ou=Group,dc=expanor,dc=local"
adding new entry "cn=ldapuser2,ou=Group,dc=expanor,dc=local"
[root@sam migrationtools]#
[root@sam migrationtools]# ldapadd -x -D cn=Manager,DC=expanor,DC=local -W -f /var/tmp/ldap.users.ldif
Enter LDAP Password:
adding new entry "uid=ldapuser1,ou=People,dc=expanor,dc=local"
adding new entry "uid=ldapuser2,ou=People,dc=expanor,dc=local"
[root@sam migrationtools]#
[root@sam migrationtools]# kadmin.local
Authenticating as principal root/admin@EXPANOR.LOCAL with password.
kadmin.local: addprinc ldapuser1
WARNING: no policy specified for ldapuser1@EXPANOR.LOCAL; defaulting to no policy
Enter password for principal "ldapuser1@EXPANOR.LOCAL":
Re-enter password for principal "ldapuser1@EXPANOR.LOCAL":
Principal "ldapuser1@EXPANOR.LOCAL" created.
kadmin.local: addprinc ldapuser2
WARNING: no policy specified for ldapuser2@EXPANOR.LOCAL; defaulting to no policy
Enter password for principal "ldapuser2@EXPANOR.LOCAL":
Re-enter password for principal "ldapuser2@EXPANOR.LOCAL":
Principal "ldapuser2@EXPANOR.LOCAL" created.
kadmin.local: quit
[root@sam migrationtools]#
--- Client side: everything below runs on a second host ("localhost", 192.168.10.20) ---
Two notes on the kadmin.local session above, which ran on "sam" (so in this example the KDC and slapd are co-located): the "no policy specified" warnings mean the new principals have no password policy (minimum length, lifetime, lockout); define one with addpol and pass -policy to addprinc for real accounts. Because the rest of the transcript is on the client, the slapd.d and DB_CONFIG paths tried further down do not exist there, which is expected.
[root@localhost yum.repos.d]# yum install krb5-libs krb5-workstation
Is this ok [y/d/N]: y
[root@localhost yum.repos.d]# cd /etc/
[root@localhost etc]# cp -p krb5.conf krb5.conf.05132016
[root@localhost etc]# vi krb5.conf
[root@localhost etc]# cp -p krb5.conf krb5.conf.05132016^C
[root@localhost etc]# yum install pam_krb5 krb5-workstation
(the package name is krb5-workstation with a hyphen; it was already installed above, so this step only adds pam_krb5)
[root@localhost etc]# ifconfig -a
enp0s3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.10.20 netmask 255.255.255.0 broadcast 192.168.10.255
inet6 fe80::a00:27ff:fe0b:df72 prefixlen 64 scopeid 0x20<link>
ether 08:00:27:0b:df:72 txqueuelen 1000 (Ethernet)
RX packets 8035 bytes 739424 (722.0 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1660 bytes 254872 (248.8 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[root@localhost etc]# pwd
/etc
[root@localhost etc]# cd /var/tmp
[root@localhost tmp]# ls
abrt
sam.keytab
systemd-private-e9b92981f4d5492b8a2733819a295fd4-colord.service-IzHXQW
systemd-private-e9b92981f4d5492b8a2733819a295fd4-cups.service-tZljZC
systemd-private-e9b92981f4d5492b8a2733819a295fd4-rtkit-daemon.service-7q4Rdl
[root@localhost tmp]# less /etc/krb5.conf
[root@localhost tmp]# ktutil
ktutil: rkt /tmp/sam.keytab
rkt: No such file or directory while reading keytab "/tmp/sam.keytab"
ktutil: rkt /var/tmp/sam.keytab
ktutil: wkt /etc/krb5.keytab
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 3 host/sam.expanor.local@EXPANOR.LOCAL
2 3 host/sam.expanor.local@EXPANOR.LOCAL
3 3 host/sam.expanor.local@EXPANOR.LOCAL
4 3 host/sam.expanor.local@EXPANOR.LOCAL
5 3 host/sam.expanor.local@EXPANOR.LOCAL
6 3 host/sam.expanor.local@EXPANOR.LOCAL
7 3 host/sam.expanor.local@EXPANOR.LOCAL
8 3 host/sam.expanor.local@EXPANOR.LOCAL
ktutil: quit
(The host keytab was staged in /var/tmp, a world-readable directory; while it sat there any local user could have read it and impersonated host/sam.expanor.local. Copy keytabs with scp straight into a root-only location and make sure the result is owned by root with mode 600: chmod 600 /etc/krb5.keytab. The eight entries with the same principal and KVNO are presumably one per encryption type; "list -e" in ktutil shows the enctypes. Also note that wkt adds entries to an existing /etc/krb5.keytab rather than replacing it, so check the result with klist -k.)
[root@localhost tmp]# ifconfig -a
enp0s3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.10.20 netmask 255.255.255.0 broadcast 192.168.10.255
inet6 fe80::a00:27ff:fe0b:df72 prefixlen 64 scopeid 0x20<link>
ether 08:00:27:0b:df:72 txqueuelen 1000 (Ethernet)
RX packets 13543 bytes 1252736 (1.1 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1972 bytes 346247 (338.1 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[root@localhost tmp]# cd /etc/openldap/slapd.d/cn=config
-bash: cd: /etc/openldap/slapd.d/cn=config: No such file or directory
[root@localhost tmp]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
cp: cannot stat ‘/usr/share/openldap-servers/DB_CONFIG.example’: No such file or directory
[root@localhost tmp]# id ldapuser1
id: ldapuser1: no such user
[root@localhost tmp]# yum install nss-pam-ldap
Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
No package nss-pam-ldap available.
Error: Nothing to do
[root@localhost tmp]# yum install nss-pam-ldapd
Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Resolving Dependencies
--> Running transaction check
---> Package nss-pam-ldapd.x86_64 0:0.8.13-8.el7 will be installed
--> Processing Dependency: nscd for package: nss-pam-ldapd-0.8.13-8.el7.x86_64
--> Running transaction check
---> Package nscd.x86_64 0:2.17-105.el7 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
=====================================================================================
Package Arch Version Repository Size
=====================================================================================
Installing:
nss-pam-ldapd x86_64 0.8.13-8.el7 RHEL7.2 159 k
Installing for dependencies:
nscd x86_64 2.17-105.el7 RHEL7.2 260 k
Transaction Summary
=====================================================================================
Install 1 Package (+1 Dependent package)
Total download size: 419 k
Installed size: 586 k
Is this ok [y/d/N]: y
Downloading packages:
-------------------------------------------------------------------------------------
Total 4.8 MB/s | 419 kB 00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : nscd-2.17-105.el7.x86_64 1/2
Installing : nss-pam-ldapd-0.8.13-8.el7.x86_64 2/2
Verifying : nss-pam-ldapd-0.8.13-8.el7.x86_64 1/2
Verifying : nscd-2.17-105.el7.x86_64 2/2
Installed:
nss-pam-ldapd.x86_64 0:0.8.13-8.el7
Dependency Installed:
nscd.x86_64 0:2.17-105.el7
Complete!
[root@localhost tmp]# authconfig-tui
(The TUI settings were not captured. For this setup the client should use LDAP only for identity (NSS) and Kerberos (pam_krb5) for authentication. With the server reachable only over plain ldap://, every NSS lookup and any LDAP bind from this client crosses the network in clear text; enable "Use TLS" and point it at the CA certificate once StartTLS is configured on slapd.)
[root@localhost tmp]# vi /etc/nsswitch.conf
[root@localhost tmp]# grep ldapu /etc/passwd
[root@localhost tmp]# getent passwd ldapuser1
ldapuser1:x:1002:1002:ldapuser1:/home/ldapuser1:/bin/bash
[root@localhost tmp]# getent passwd ldapuser2
ldapuser2:x:1003:1003:ldapuser2:/home/ldapuser2:/bin/bash
[root@localhost tmp]# id ldapuser1
uid=1002(ldapuser1) gid=1002(ldapuser1) groups=1002(ldapuser1)
[root@localhost tmp]#