LDAP, as we know, is a directory protocol that we use for user authentication. LDAP offers a lot of features that make it indispensable for Linux admins. Having a central LDAP server makes user management quite easy & less tedious. Imagine setting up hundreds of users on hundreds of servers 😉 With a working LDAP server in place, all such user-management activities become very easy for an admin. Adding or deleting users is much less problematic & more robust using LDAP.
In this tutorial, I will demonstrate how we can set up an LDAP server & its clients on Linux using OpenLDAP.
Lab Description:
LDAP Server: server.shashank.com (192.168.0.123)
LDAP Client: client.shashank.com (192.168.0.125)
LDAP Server-side Configuration.
1. Install required packages.
Install the packages below on your LDAP server.
2. Empty the OpenLDAP configuration directory.
Delete the contents of the /etc/openldap/slapd.d/ directory. You may move the contents to some other location for safety.
3. Start the slapd service.
[root@server ~]# service slapd start
4. Add a password for OpenLDAP.
Execute the slappasswd command & choose a password. Copy the hashed password from the output.
5. Create the slapd.conf configuration file from the existing template.
Copy the /usr/share/openldap-servers/slapd.conf.obsolete file to /etc/openldap/slapd.conf.
6. Edit the database definitions in slapd.conf.
Now edit the /etc/openldap/slapd.conf file & move to the database definitions. Make the suitable changes, such as suffix & rootdn. Paste the copied hashed password (step #4) against rootpw. Below is my slapd.conf file showing the database definitions section. Notice the highlighted areas.
7. Go to the migrationtools directory.
This directory contains Perl scripts that we will use to build the LDAP tree & migrate our existing local users to LDAP.
[root@server ~]# cd /usr/share/migrationtools/
8. Edit the migrate_common.pl script.
This migrate_common.pl Perl script is used to define our domains. We need to edit this file with the content below. Choose your values accordingly.
# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "shashank.com";
# Default base
$DEFAULT_BASE = "dc=shashank,dc=com";
$EXTENDED_SCHEMA = 1;
9. Build the LDAP tree.
We will now build the base of the LDAP tree. For this, execute the migrate_base.pl script. You can see below that this script redirects its output to a file called base.ldif, which will act as the base node for LDAP.
[root@server migrationtools]# ./migrate_base.pl > /etc/openldap/base.ldif
9. Migrate your local users to the OpenLDAP database.
Now execute the migrate_passwd.pl script, which will migrate all local users to LDAP users in the LDAPusers.ldif file. Before executing this script, you may wish to filter out only those users who you want to be part of LDAP authentication. The /etc/passwd file contains all the users, including service accounts. Make sure you filter those accounts out into a separate file and pass that as the first argument to the script below.
[root@server migrationtools]# ./migrate_passwd.pl /etc/passwd /etc/openldap/LDAPusers.ldif
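One way to do that filtering, as an added example that is not part of the original tutorial: a small POSIX shell helper that keeps only accounts in an assumed regular-user UID range (500 to 60000, adjust to your /etc/login.defs) with a real login shell, run here against a constructed sample passwd file rather than the real /etc/passwd.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: keep only regular user
# accounts from a passwd file so that service accounts never get migrated
# into the directory. The UID range and the "real login shell" rule are
# assumptions; align UID_MIN/UID_MAX with /etc/login.defs on your server.
UID_MIN=${UID_MIN:-500}
UID_MAX=${UID_MAX:-60000}

# filter_passwd <passwd-file>
# Prints the lines whose UID lies in [UID_MIN, UID_MAX] and whose shell is
# not nologin/false. Fields: name:pw:uid:gid:gecos:home:shell
filter_passwd() {
    awk -F: -v min="$UID_MIN" -v max="$UID_MAX" '
        NF == 7 && ($3 + 0) >= (min + 0) && ($3 + 0) <= (max + 0) &&
        $7 !~ /(nologin|false)$/ { print }
    ' "$1"
}

# count_filtered <passwd-file>: number of accounts that would be migrated.
count_filtered() {
    filter_passwd "$1" | wc -l | tr -d ' '
}

# make_sample <file>: writes a constructed passwd file (sample data only).
make_sample() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
ldap:x:55:55:LDAP User:/var/lib/ldap:/bin/false
shashank:x:500:500:Shashank:/home/shashank:/bin/bash
alice:x:501:501:Alice:/home/alice:/bin/bash
backup:x:502:502:backup job:/var/backups:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
EOF
}

# Stand-alone demonstration on the constructed sample. On a real server:
#   filter_passwd /etc/passwd > /etc/openldap/passwd.filtered
#   ./migrate_passwd.pl /etc/openldap/passwd.filtered /etc/openldap/LDAPusers.ldif
sample=$(mktemp)
make_sample "$sample"
echo "Accounts that would be handed to migrate_passwd.pl:"
filter_passwd "$sample"
rm -f "$sample"
```

Review the filtered file before running migrate_passwd.pl; an account you did not expect in the list is worth a look before it gets a directory entry.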
10. Populate the LDAP base with required data.
Now issue the command below to populate the tree with the LDAP base. It will ask for the slapd root password (the one you created in step #4). Again, choose the appropriate CN/DC.
[root@server migrationtools]# ldapadd -x -c -D "cn=Manager,dc=shashank,dc=com" -W -f /etc/openldap/base.ldif
11. Populate the whole LDAP tree with user data.
Now that we have the required LDAP skeleton, we can populate the tree with LDAP users. Issue the command below. You will see that objects are being added to LDAP.
[root@server migrationtools]# ldapadd -x -c -D "cn=Manager,dc=shashank,dc=com" -W -f /etc/openldap/LDAPusers.ldif
12. Restart the slapd service.
If everything is OK, you will then see your LDAP server working.
LDAP Client-side Configuration.
1. Install required packages.
2. Enable LDAP authentication.
Issue the command below. This also enables auto-creation of home directories when an LDAP user logs in for the first time. Make sure of the double hyphens here; wrong syntax is quite likely. Double-check the syntax.
[root@client ~]# authconfig --enableldap --enableldapauth --ldapserver=IP_addr_of_LDAP_server --ldapbasedn="dc=shashank,dc=com" --enablemkhomedir --update
3. Test the LDAP client by logging into LDAP accounts.
Verifying LDAP Client
Restart the nslcd & nscd services (in case you have a caching DNS server).
Caveats – Sometimes you may not be able to log in to client machines with an LDAP id even after performing the client-side steps above. In that case, try restarting the nslcd & nscd services (in case of cached DNS). Also, issue the authconfig-tui command to check if the details are correct. Restart the nslcd & nscd services. It will work 😉 🙂