Deleting The Entire LDAP Tree In RHEL 6


Sometimes we need to delete the entire LDAP tree so as to add new users or to populate that with different information. While same can be achieved using ldapadd/ldapmodify commands, it can be quite painful if the tree becomes quite complex. Better way is to just delete the contents of LDAP tree & we can then populate with desired users/details. Below is how to get it done.

Advertisements

Configuring LDAP Server & Clients in RHEL 6/CentOS Using OpenLDAP


LDAP, as we know it is a directory protocol that we use for user authentication. LDAP offers a lot of features that make it indispensable for Linux Admins. Having a central LDAP server makes user-management quite easy & less tedious. Imagine, setting hundreds of users on hundreds of servers 😉 With a working LDAP server in place, all such user-management activities become very easy for an Admin. Adding or deleting users is much less problematic & more robust using LDAP.

In this tutorial, I will demonstrate how we can set-up LDAP server & its clients on Linux using OpenLDAP.

Lab Description : – 

LDAP Server : – server.shashank.com(192.168.0.123)

LDAP Client : – client.shashank.com(192.168.0.125)

LDAP Server-side Configuration.

1. Install required packages.

Install below packages on your LDAP Server.

openldap.x86_64
openldap-clients.x86_64
openldap-servers.x86_64
migrationtools.noarch

2. Empty the OpenLDAP configuration directory.

Delete the contents of  /etc/openldap/slapd.d/ directory. You may move the contents to some other location for safety.

3. Start slapd service.

service slapd start

4. Add a password for OpenLDAP.

Run slappasswd command & choose a password. Copy the hashed password from the output.

5. Copy slapd.conf configuration file from existing template.

Now copy /usr/share/openldap-servers/slapd.conf.obsolete file to /etc/openldap/slapd.conf

6. Edit slapd.conf configuration file.

Now edit the /etc/openldap/slapd.conf file & move to database definitions. Make the suitable changes like suffix & rootdn. Paste the copied hashed password (step # 4) against rootpw. Below is my slapd.conf file showing the database definitions section. Notice the highlighted areas.

Slapd.conf Configuration.

Slapd.conf Configuration.

7. Go to usr/share/migrationtools directory.

This directory contains perl scripts that we will use to build LDAP tree & migrate our existing local users to LDAP.

[root@server ~]# cd /usr/share/migrationtools/
[root@server migrationtools]#

8. Edit the migrate_common.pl file

This migrate_common.pl perl script is used to define our domains. We need to edit this file with the below content. Choose your values accordingly.

$Default DNS domain $DEFAULT_MAIL_DOMAIN = "shashank.com";
$Default base $DEFAULT_BASE = "dc=shashank,dc=com";
$EXTENDED_SCHEMA = 1;

9. Build LDAP tree.

We will now build the base of LDAP tree. For this, execute migrate_base.pl script. You can see below that this script is redirecting the output to a file called base.ldif which will act as Base Node for LDAP.

[root@server migrationtools]# ./migrate_base.pl > /etc/openldap/base.ldif

9. Migrate your local users to OpenLDAP database.

Now execute the migrate_password script which will migrate all local users to LDAP users in the LDAPusers.ldif file. You may wish to filter out only those users who you would want to be a part of LDAP authentication, before executing this script. passwd file contains all the users including service accounts. Make sure you filter out those accounts in a separate file and pass that as first argument to below script.

[root@server migrationtools]# ./migrate_passwd.pl /etc/passwd /etc/openldap/LDAPusers.ldif

10. Populate LDAP base with required data.

Now issue below command to populate the tree with LDAP base. It will ask for the SLAPD password (The one you created in step #4). Again, choose appropriate CN/DC.

[root@server migrationtools]# ldapadd -x -c -D "cn=Manager,dc=shashank,dc=com" -W -f /etc/openldap/base.ldif

11. Populate the whole LDAP tree with user data.

Now that we have the required LDAP skeleton, we can now populate the tree with LDAP users. Issue below command. You will see that objects are being added to LDAP.

[root@server migrationtools]# ldapadd -x -c -D "cn=Manager,dc=shashank,dc=com" -W -f /etc/openldap/LDAPusers.ldif

Restart slapd service. If everything is OK, you will then see your LDAP server working.

LDAP Client-side Configuration.

1. Install required packages.

openldap.x86_64
openldap-clients.x86_64

2. Enable LDAP authentication.

Issue below command. This also enable auto-creation of home-directories when LDAP user logs-in for the first time. Make sure of the double hyphens here. Wrong syntax is quite likely to happen. Double check the syntax.

[root@client migrationtools]# authconfig --enableldap --enableldapauth --ldapserver=IP_addr_of_LDAP_server --ldapbasedn="dc=shashank,dc=com" --enablemkhomedir --update

3. Test LDAP Client by logging into LDAP accounts.

Verifying LDAP Client

Verifying LDAP Client

4. Restart nslcd & nscd services. (In case you have caching DNS server)

Caveats – Sometimes you may not be able to login to client machines with LDAP id even after performing above client side steps. In that case, try restarting nslcd & nscd services (in case of cached DNS). Also, issue authconfig-tui command to check if details are correct. Restart nslcd & nscd services. It will work 😉 🙂

How To Fix “rpcbind dead but pid file exists” Error in RHEL 6


My job as a Linux Admin revolves a lot around NFS. My current set-up has 3 dedicated NFS servers & 29 NFS clients. So, the performance of NFS is always a top priority. But of late, I had been facing challenges with a few clients where NFS services wouldn’t start 😦 Threw below error. And because of this, client machines would experience ridiculously long hangs 😦

[root@serverlog]# service nfs status
rpc.svcgssd is stopped
rpc.mountd dead but subsys locked
nfsd dead but subsys locked

And when I tried to start it, it got hung.

[root@server log]# service nfs start
Starting NFS services: [ OK ]
Starting NFS mountd: [FAILED]
Starting NFS daemon:

Error log showed this : –

[root@server ~]# dmesg | grep nfs
[ 26.527173] FS-Cache: Netfs 'nfs' registered for caching
[ 27.574444] Installing knfsd (copyright (C) 1996 okir@monad.swb.de).
[ 448.380948] svc: failed to register nfsdv2 RPC service (errno 110).
[ 508.498842] svc: failed to register nfsaclv2 RPC service (errno 110).
[ 809.057252] nfsd: last server has exited, flushing export cache
[ 1169.683243] svc: failed to register nfsdv2 RPC service (errno 97).
[ 1169.712310] svc: failed to register nfsaclv2 RPC service (errno 97).
[ 1470.200560] nfsd: last server has exited, flushing export cache

Below are the steps how I fixed this issue.

Since NFS service depends on rpcbind service, first step was to check rpcbind status. Got this when checked.

[root@server ~]# service rpcbind status
rpcbind dead but pid file exists

I then tried it bring it up. No luck 😦 It does show OK, but it wouldn’t start!

[root@server ~]# service rpcbind start
Starting rpcbind: [ OK ]

Also, saw this : –

[root@server ~]# rpcinfo -p
rpcinfo: can't contact portmapper: RPC: Remote system error

So, drilling deep into the logs, I found that server couldn’t get UID of rpc.

[root@server ~]# cat /var/log/messages | grep -i rpcbind
Feb 18 17:03:09 server kernel: [602777.346862] xs_local_setup_socket: unhandled error (111) connecting to /var/run/rpcbind.sock
Feb 18 17:08:21 server rpcbind: cannot get uid of 'rpc': Success

But rpc ID was present on the system.

[root@server ~]# id -a rpc
uid=32(rpc) gid=32 groups=32

Then, why on earth would it show above error log about missing UID? Going further deep, I found that rpc ID was not present in the password file.

[root@server ~]# cat /etc/passwd | grep -i rpc
[root@server ~]# 

So, that was the catch 😉 I edited the passwd file with below contents.

rpc:x:32:32:Rpcbind Daemon:/var/cache/rpcbind:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin

Now both rpcbind service & NFS service are up 😀 🙂 😉

[root@server ~]# vi /etc/passwd
[root@server ~]# service rpcbind start
Starting rpcbind: [ OK ]
[root@server ~]# service rpcbind status
rpcbind (pid 64975) is running...
[root@server ~]# service nfs status
rpc.svcgssd is stopped
rpc.mountd dead but subsys locked
nfsd dead but subsys locked
[root@server ~]# service nfs start
Starting NFS services: [ OK ]
Starting NFS mountd: [ OK ]
Starting NFS daemon: [ OK ]
Starting RPC idmapd: [ OK ]