LDAP, as we know, is a directory protocol used for user authentication. LDAP offers a lot of features that make it indispensable for Linux admins. Having a central LDAP server makes user management much easier and less tedious. Imagine setting up hundreds of users on hundreds of servers 😉 With a working LDAP server in place, all such user-management activities become very easy for an admin. Adding or deleting users is much less problematic and more robust with LDAP.
In this tutorial, I will demonstrate how to set up an LDAP server and its clients on Linux using OpenLDAP.
Lab Description:
LDAP Server: server.shashank.com (192.168.0.123)
LDAP Client: client.shashank.com (192.168.0.125)
LDAP Server-side Configuration.
Install the required packages on the LDAP server.
Delete the contents of the /etc/openldap/slapd.d/ directory. You may move the contents to some other location for safety.
Start the slapd service.
service slapd start
Run the slappasswd command and choose a password. Copy the hashed password from the output.
Copy the /usr/share/openldap-servers/slapd.conf.obsolete file to /etc/openldap/slapd.conf.
Now edit the /etc/openldap/slapd.conf file and move to the database definitions. Make the suitable changes, such as suffix and rootdn. Paste the copied hashed password against rootpw. Below is my slapd.conf file showing the database definitions section. Notice the highlighted areas.
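The database definitions section that the screenshot showed, reconstructed here as an added example rather than the author's own file. The suffix and rootdn follow the lab values used elsewhere in this tutorial; the rootpw value is a placeholder for the {SSHA} hash printed by slappasswd, and the access rules are an addition (assumed, not part of the original) so that password hashes are never readable by anonymous or other users' binds:

```conf
#######################################################################
# database definitions (added example; values assumed from the lab setup)
#######################################################################
database        bdb
suffix          "dc=shashank,dc=com"
rootdn          "cn=Manager,dc=shashank,dc=com"
# Paste the {SSHA} hash printed by slappasswd here, never the cleartext password.
rootpw          {SSHA}PLACEHOLDER_HASH_FROM_slappasswd
directory       /var/lib/ldap

# Added hardening (not in the original tutorial): a user may change their own
# password, anyone may use it to authenticate (bind), and nobody may read it.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
access to *
        by self write
        by * read
```

Without an access rule on userPassword, a plain `ldapsearch -x` with no credentials can retrieve every migrated password hash, so the rule belongs in the same edit as rootpw.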
[root@server ~]# cd /usr/share/migrationtools/
Edit the migrate_common.ph file with the below content.
# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "shashank.com";
# Default base
$DEFAULT_BASE = "dc=shashank,dc=com";
$EXTENDED_SCHEMA = 1;
We will now build the base of the LDAP tree. For this, execute:
[root@server migrationtools]# ./migrate_base.pl > /etc/openldap/base.ldif
Now execute the migrate_passwd.pl script, which will migrate all local users to LDAP users in an ldif file. You may wish to filter only those users who you want to be part of LDAP authentication.
The /etc/passwd file contains all the users, including service accounts. Make sure you filter those accounts out into a separate file and pass that as the first argument to the below script.
[root@server migrationtools]# ./migrate_passwd.pl /etc/passwd /etc/openldap/LDAPusers.ldif
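A filter for that first argument, as an added example that is not part of the original tutorial: it keeps only accounts that look like interactive users, so service accounts and their password hashes never end up in the directory. The UID floor of 1000, the exclusion of the nobody UID and the login-shell check are assumptions; older CentOS releases start regular users at UID 500, which is why the floor is a parameter. The passwd lines at the bottom are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the original tutorial): build a filtered passwd file
# containing only interactive user accounts, to pass as the first argument of
# ./migrate_passwd.pl instead of the full /etc/passwd.

# filter_login_users INPUT OUTPUT [MIN_UID]
# Writes to OUTPUT the lines of INPUT whose UID is >= MIN_UID (default 1000),
# is not the nobody UID, and whose shell is not nologin/false.
# Prints the number of accounts kept.
filter_login_users() {
    in_file=$1
    out_file=$2
    min_uid=${3:-1000}
    awk -F: -v min="$min_uid" '
        $3 >= min && $3 != 65534 && $7 !~ /(nologin|false)$/ { print }
    ' "$in_file" > "$out_file"
    wc -l < "$out_file" | tr -d ' '
}

# Constructed sample passwd data (not taken from a real system).
sample_passwd=$(mktemp)
cat > "$sample_passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
ldap:x:55:55:LDAP User:/var/lib/ldap:/bin/false
nobody:x:65534:65534:Nobody:/:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/zsh
backup:x:1002:1002:Backup job:/var/backups:/sbin/nologin
EOF

filtered=$(mktemp)
count=$(filter_login_users "$sample_passwd" "$filtered")
echo "kept $count accounts in $filtered:"
cat "$filtered"
# On the real server the next step would be:
#   ./migrate_passwd.pl "$filtered" /etc/openldap/LDAPusers.ldif
```

Review the filtered file before running the migration: the shell check is a heuristic, and an account with a real shell that should stay local only (for example a break-glass admin) has to be removed by hand.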
Now issue the below command to populate the tree with the LDAP base. It will ask for the slapd root password (the one you hashed with slappasswd).
[root@server migrationtools]# ldapadd -x -c -D "cn=Manager,dc=shashank,dc=com" -W -f /etc/openldap/base.ldif
Now that we have the required LDAP skeleton, we can populate the tree with LDAP users. Issue the below command. You will see the objects being added to LDAP.
[root@server migrationtools]# ldapadd -x -c -D "cn=Manager,dc=shashank,dc=com" -W -f /etc/openldap/LDAPusers.ldif
Restart the slapd service. If everything is OK, you can then see your LDAP server working.
LDAP Client-side Configuration.
Install these packages.
Issue the below command. This also enables auto-creation of home directories when an LDAP user logs in for the first time. Mind the double hyphens here; a syntax error is quite likely, so double-check the command.
[root@client migrationtools]# authconfig --enableldap --enableldapauth --ldapserver=IP_addr_of_LDAP_server --ldapbasedn="dc=shashank,dc=com" --enablemkhomedir --update
Test the LDAP client by logging into LDAP accounts.
Verifying LDAP Client
Restart the nslcd and nscd services (nscd only if you have a caching DNS server).
Caveats – Sometimes you may not be able to log in to client machines with an LDAP id even after performing the above client-side steps. In that case, try restarting the nslcd and nscd services (nscd in case of cached DNS). Also, issue the authconfig-tui command to check that the details are correct, then restart nslcd and nscd again. It will work 😉 🙂