Configuring LDAP Server & Clients in RHEL 6/CentOS Using OpenLDAP


LDAP, as most of us know it, is a directory protocol that is commonly used for user authentication. It offers a lot of features that make it indispensable for Linux admins. Having a central LDAP server makes user management much easier & less tedious. Imagine setting up hundreds of users on hundreds of servers 😉 With a working LDAP server in place, all such user-management activities become very easy for an admin. Adding or deleting users is much less error-prone & more robust with LDAP.

In this tutorial, I will demonstrate how to set up an LDAP server & its clients on Linux using OpenLDAP.

Lab Description:

LDAP Server: server.shashank.com (192.168.0.123)

LDAP Client: client.shashank.com (192.168.0.125)

LDAP Server-side Configuration.

1. Install required packages.

Install below packages on your LDAP Server.

openldap.x86_64
openldap-clients.x86_64
openldap-servers.x86_64
migrationtools.noarch

2. Empty the OpenLDAP configuration directory.

Delete the contents of the /etc/openldap/slapd.d/ directory. You may move the contents to some other location for safety.

3. Start slapd service.

service slapd start

4. Add a password for OpenLDAP.

Run the slappasswd command & choose a password. Copy the hashed password from the output; it will go into slapd.conf in step 6.

5. Copy slapd.conf configuration file from existing template.

Now copy the /usr/share/openldap-servers/slapd.conf.obsolete file to /etc/openldap/slapd.conf.

6. Edit slapd.conf configuration file.

Now edit the /etc/openldap/slapd.conf file & move to the database definitions. Make the suitable changes, such as suffix & rootdn. Paste the copied hashed password (step #4) against rootpw. Below is my slapd.conf file showing the database definitions section. Notice the highlighted areas.

[Screenshot: slapd.conf configuration, database definitions section]

7. Go to the /usr/share/migrationtools directory.

This directory contains the Perl scripts that we will use to build the LDAP tree & migrate our existing local users to LDAP.

[root@server ~]# cd /usr/share/migrationtools/
[root@server migrationtools]#

8. Edit the migrate_common.pl file.

The migrate_common.pl Perl script is where our domain is defined. Set the following variables in it; choose your own values accordingly.

# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "shashank.com";
# Default base
$DEFAULT_BASE = "dc=shashank,dc=com";
$EXTENDED_SCHEMA = 1;

9. Build the LDAP tree.

We will now build the base of the LDAP tree. For this, execute the migrate_base.pl script. You can see below that the script's output is redirected to a file called base.ldif, which will act as the base node for LDAP.

[root@server migrationtools]# ./migrate_base.pl > /etc/openldap/base.ldif

10. Migrate your local users to the OpenLDAP database.

Now execute the migrate_passwd.pl script, which writes all local users as LDAP user entries into the LDAPusers.ldif file. Before running it, you may wish to keep only those users who should be part of LDAP authentication: /etc/passwd contains every account, including service accounts. Filter the accounts you want into a separate file and pass that file as the first argument to the script below.

[root@server migrationtools]# ./migrate_passwd.pl /etc/passwd /etc/openldap/LDAPusers.ldif

11. Populate the LDAP base with the required data.

Now issue the command below to load the base of the tree. It will ask for the slapd root password (the one you created in step #4). Again, choose the appropriate CN/DC.

[root@server migrationtools]# ldapadd -x -c -D "cn=Manager,dc=shashank,dc=com" -W -f /etc/openldap/base.ldif

12. Populate the whole LDAP tree with user data.

Now that we have the required LDAP skeleton, we can populate the tree with LDAP users. Issue the command below; you will see objects being added to LDAP.

[root@server migrationtools]# ldapadd -x -c -D "cn=Manager,dc=shashank,dc=com" -W -f /etc/openldap/LDAPusers.ldif

Restart the slapd service. If everything is OK, your LDAP server is now working.
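The user-migration step above says to filter service accounts out of /etc/passwd before handing the list to migrate_passwd.pl. The script below is an added example (not part of the original post or of the migrationtools package) that does that filtering, runs the migration, and locks down the resulting LDIF, which carries the password hashes copied from /etc/shadow. It assumes the RHEL 6 convention that regular users start at UID 500, and treats nfsnobody (UID 65534) and accounts with a nologin/false shell as service accounts; the sample passwd data at the bottom is constructed for a dry run.

```shell
#!/bin/sh
# Added example (not from the original post): select only real login accounts
# from a passwd-format file before passing it to migrate_passwd.pl, then protect
# the output LDIF, which contains {crypt} password hashes from /etc/shadow.
# Assumptions: RHEL 6 starts ordinary users at UID 500; nfsnobody (65534) and
# accounts whose shell ends in nologin/false are service accounts.

# filter_login_users <passwd-file> [min-uid]  -> prints the matching passwd lines
filter_login_users() {
    awk -F: -v min="${2:-500}" '
        $3 >= min && $3 != 65534 && $7 !~ /(nologin|false)$/ { print }
    ' "$1"
}

# count_login_users <passwd-file> [min-uid]  -> number of accounts that would migrate
count_login_users() {
    filter_login_users "$1" "${2:-500}" | wc -l | tr -d ' '
}

# migrate_filtered <passwd-file> <out-ldif>
# Runs migrate_passwd.pl on the filtered list (as root, so it can read
# /etc/shadow) and leaves the LDIF readable by root only.
migrate_filtered() {
    tmp=$(mktemp) || return 1
    filter_login_users "$1" > "$tmp"
    (umask 077 && /usr/share/migrationtools/migrate_passwd.pl "$tmp" "$2")
    rc=$?
    rm -f "$tmp"
    [ "$rc" -eq 0 ] && chmod 600 "$2"   # hashes inside: keep it root-only
    return "$rc"
}

# Constructed sample passwd data (not any real host's file) for a dry run.
SAMPLE_PASSWD=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
ntp:x:38:38::/etc/ntp:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
shashank:x:500:500:Shashank:/home/shashank:/bin/bash
alice:x:501:501:Alice:/home/alice:/bin/bash
backup:x:502:502:backup job:/var/backup:/bin/false
EOF

echo "accounts that would be migrated: $(count_login_users "$SAMPLE_PASSWD")"
filter_login_users "$SAMPLE_PASSWD"
```

On a real server, replace the dry run with `migrate_filtered /etc/passwd /etc/openldap/LDAPusers.ldif` and then continue with the ldapadd steps.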

LDAP Client-side Configuration.

1. Install required packages.

openldap.x86_64
openldap-clients.x86_64

2. Enable LDAP authentication.

Issue the command below. It also enables auto-creation of home directories when an LDAP user logs in for the first time. Mind the double hyphens here; a typo in this command is easy to make, so double-check the syntax.

[root@client migrationtools]# authconfig --enableldap --enableldapauth --ldapserver=IP_addr_of_LDAP_server --ldapbasedn="dc=shashank,dc=com" --enablemkhomedir --update

3. Test the LDAP client by logging into LDAP accounts.

[Screenshot: verifying the LDAP client by logging in as an LDAP user]

4. Restart the nslcd & nscd services (in case you have a caching DNS server).

Caveats – Sometimes you may not be able to log in to client machines with an LDAP id even after performing the client-side steps above. In that case, try restarting the nslcd & nscd services (in case of cached DNS). Also, run the authconfig-tui command to check that the details are correct, then restart nslcd & nscd again. It will work 😉 🙂
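For the "cannot log in with an LDAP id" situation described in the caveats, here is an added troubleshooting helper (not part of the original post). It assumes the RHEL 6 layout this tutorial produces, where authconfig adds the ldap source to /etc/nsswitch.conf and nslcd answers the lookups; the classification of a user as "ldap" is an assumption that any account resolvable by getent but absent from /etc/passwd came from the directory. The nsswitch snippets at the bottom are constructed to show the check.

```shell
#!/bin/sh
# Added example (not from the original post): quick client-side checks for the
# case where an LDAP user cannot log in. Assumes /etc/nsswitch.conf carries the
# ldap source after authconfig, and that nslcd serves the lookups.
NSSWITCH=${NSSWITCH:-/etc/nsswitch.conf}

# nss_uses_ldap <nsswitch-file>  -> 0 if the passwd line lists the ldap source
nss_uses_ldap() {
    grep -Eq '^[[:space:]]*passwd:.*[[:space:]]ldap([[:space:]]|$)' "$1"
}

# user_source <name> -> "local" (in /etc/passwd), "ldap" (resolved only through
# NSS; assumed to be the directory) or "missing" (not resolvable at all).
# An LDAP-only account should report "ldap"; "missing" points at nslcd/nscd or
# the authconfig settings, exactly what the caveats above suggest checking.
user_source() {
    if grep -q "^$1:" /etc/passwd; then echo local
    elif getent passwd "$1" >/dev/null 2>&1; then echo ldap
    else echo missing
    fi
}

# Constructed nsswitch snippets (not copied from a real host) for the check.
GOOD=$(mktemp); BAD=$(mktemp)
trap 'rm -f "$GOOD" "$BAD"' EXIT
printf 'passwd:     files ldap\nshadow:     files ldap\ngroup:      files ldap\n' > "$GOOD"
printf 'passwd:     files\nshadow:     files\ngroup:      files\n' > "$BAD"

if nss_uses_ldap "$NSSWITCH" 2>/dev/null; then
    echo "nsswitch: passwd lookups consult LDAP"
else
    echo "nsswitch: passwd lookups do NOT consult LDAP; re-run authconfig"
fi
echo "root resolves as: $(user_source root)"
```

Run it as `user_source <ldap-user>` on the client; if the answer is "missing", restart nslcd & nscd and re-check the authconfig-tui details.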
