Configuring LDAP Server & Clients in RHEL 6/CentOS Using OpenLDAP


LDAP, as we know, is a directory protocol that we use for user authentication. LDAP offers a lot of features that make it indispensable for Linux admins. Having a central LDAP server makes user management quite easy & less tedious. Imagine setting up hundreds of users on hundreds of servers 😉 With a working LDAP server in place, all such user-management activities become very easy for an admin. Adding or deleting users is much less problematic & more robust using LDAP.

In this tutorial, I will demonstrate how we can set up an LDAP server & its clients on Linux using OpenLDAP.

Lab Description:

LDAP Server: server.shashank.com (192.168.0.123)

LDAP Client: client.shashank.com (192.168.0.125)

LDAP Server-side Configuration.

Install the below packages on the LDAP server.

openldap.x86_64
openldap-clients.x86_64
openldap-servers.x86_64
migrationtools.noarch

Delete the contents of the /etc/openldap/slapd.d/ directory. You may move the contents to some other location for safety.

Start the slapd service.

service slapd start

Run the slappasswd command & choose a password. Copy the hashed password from the output.

Now copy the /usr/share/openldap-servers/slapd.conf.obsolete file to /etc/openldap/slapd.conf.

Now edit the /etc/openldap/slapd.conf file & move to the database definitions. Make the suitable changes, such as suffix & rootdn. Paste the copied hashed password against rootpw. Below is my slapd.conf file showing the database definitions section. Notice the highlighted areas.

Slapd.conf Configuration.

Go to the /usr/share/migrationtools directory.

[root@server ~]# cd /usr/share/migrationtools/
[root@server migrationtools]#

Edit the migrate_common.ph file so that the following settings read as below (the two lines beginning with # are the comments already present in the file).

# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "shashank.com";

# Default base
$DEFAULT_BASE = "dc=shashank,dc=com";

$EXTENDED_SCHEMA = 1;

We will now build the base of the LDAP tree. For this, execute the migrate_base.pl script.

[root@server migrationtools]# ./migrate_base.pl > /etc/openldap/base.ldif

Now execute the migrate_passwd.pl script, which will migrate all local users into LDAP users in an ldif file. You may wish to include only those users who you want to be part of LDAP authentication: /etc/passwd contains all users, including service accounts. Make sure you filter the accounts you want into a separate file and pass that as the first argument to the below script.

[root@server migrationtools]# ./migrate_passwd.pl /etc/passwd /etc/openldap/LDAPusers.ldif
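The filtering the step above asks for, written out as an added example (not part of the original post): it keeps only login-capable accounts with a regular-user UID and writes them to a separate file for migrate_passwd.pl. It assumes the RHEL 6 convention that regular users start at UID 500 and that nfsnobody (UID 65534) should be skipped; the sample passwd content is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the original post): build the filtered passwd file
# that migrate_passwd.pl should read, so that service accounts never end up
# in LDAPusers.ldif. Assumes RHEL 6 conventions: regular users start at
# UID 500, and the nfsnobody account (UID 65534) is excluded by name.

MIN_UID=500

# filter_passwd FILE -> prints only the passwd entries of real, login-capable
# users: UID >= MIN_UID, not nfsnobody, and a shell that is not nologin/false.
filter_passwd() {
    awk -F: -v min="$MIN_UID" '
        $3 >= min && $1 != "nfsnobody" && $7 !~ /(nologin|false)$/ { print }
    ' "$1"
}

# count_users FILE -> how many entries filter_passwd keeps (quick sanity check
# before the migration is run).
count_users() {
    filter_passwd "$1" | wc -l | tr -d ' '
}

# Constructed sample /etc/passwd content so the example runs offline.
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
shashank:x:500:500:Shashank:/home/shashank:/bin/bash
alice:x:501:501:Alice:/home/alice:/bin/bash
svcbackup:x:502:502:Backup job:/var/backup:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
EOF

FILTERED=$(mktemp)
filter_passwd "$SAMPLE_PASSWD" > "$FILTERED"
echo "$(count_users "$SAMPLE_PASSWD") accounts selected for migration"

# On the real server, point the migration script at the filtered file instead
# of /etc/passwd (same command as in the tutorial, different first argument):
#   ./migrate_passwd.pl "$FILTERED" /etc/openldap/LDAPusers.ldif
```

Review the filtered file before running the migration; with the sample above only shashank and alice are kept, while svcbackup drops out because of its nologin shell.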

Now issue the below command to populate the tree with the LDAP base. It will ask for the slapd (rootpw) password.

[root@server migrationtools]# ldapadd -x -c -D "cn=Manager,dc=shashank,dc=com" -W -f /etc/openldap/base.ldif

Now that we have the required LDAP skeleton, we can populate the tree with LDAP users. Issue the below command. You will see that objects are being added to LDAP.

[root@server migrationtools]# ldapadd -x -c -D "cn=Manager,dc=shashank,dc=com" -W -f /etc/openldap/LDAPusers.ldif

Restart the slapd service. If everything is OK, you will then see your LDAP server working.

LDAP Client-side Configuration.

Install these packages.

openldap.x86_64
openldap-clients.x86_64

Issue the below command. This also enables auto-creation of home directories when an LDAP user logs in for the first time. Make sure of the double hyphens here; wrong syntax is quite likely, so double-check it.

[root@client migrationtools]# authconfig --enableldap --enableldapauth --ldapserver=IP_addr_of_LDAP_server --ldapbasedn="dc=shashank,dc=com" --enablemkhomedir --update

Test the LDAP client by logging in to LDAP accounts.

Verifying LDAP Client

Restart the nslcd & nscd services (in case you have a caching DNS server).

Caveats: Sometimes you may not be able to log in to client machines with an LDAP id even after performing the above client-side steps. In that case, try restarting the nslcd & nscd services (in case of cached DNS). Also, issue the authconfig-tui command to check whether the details are correct, then restart the nslcd & nscd services. It will work 😉 🙂
