HowTO: Setup an LDAP Server CentOS 6.3

[Stratus_ss]

First of all let me say that things seem to have changed in a few packages since I originally wrote this guide

After several users complained about TLS/LDAPS support not working using the original method for CentOS 6.2, I started looking into it. I found that slapd would go into an endless loop opening and closing the cert file that we generated.

With the help of serveroomhell we managed to track down a workable solution.

To be honest I am a little ashamed of myself for not fixing this guide sooner as the method for TLS is very similar to the 389 Directory Server Guide I wrote earlier

At any rate I will be reconstructing the guide in its fixed state here.

I have found the steps to be reduced from the original guide, but I have run through these numerous times to ensure that they do in fact work. I even went so far as to block everything but 22 and 636 on the firewall

On the Server

Step 1: first we need to install the required package:

yum install openldap-servers openldap-clients

Step2: Create the certs.

In this step you can just run the following script, altering it for your own domain. This is the crucial step for TLS, and has changed since CentOS/RHEL 6.

#!/bin/bash
#Change to the directory and clear out the old certs
cd /etc/openldap/certs
rm -rf *
#This echo statement is actually putting the word “password” (without the quotes) in a temporary password file to help
#automate the process. This will be the password for your certificate. Change this as appropriate
echo "password" > /etc/openldap/certs/password
export PATH=/usr/bin/:$PATH
echo falkdjfdajkhfaksj >> noise.txt

#Associate the password with the certificates which will be generated in the current directory
certutil -N -d . -f /etc/openldap/certs/password
certutil -G -d . -z noise.txt -f /etc/openldap/certs/password

#Generate a CA certificate for the 389 server
certutil -S -n "CA certificate" -s "cn=CAcert" -x -t "CT,," -m 1000 -v 120 -d . -z /etc/openldap/certs/noise.txt -f /etc/openldap/certs/password

#anwsers are Y, <enter accepting defaults>, Y
#This builds the server cert
certutil -S -n "OpenLDAP Server" -s "cn=ldap.stratus.local" -c "CA certificate" -t "u,u,u" -m 1001 -v 120 -d . -z /etc/openldap/certs/noise.txt -f /etc/openldap/certs/password

#This exports the cacert in case you need it
pk12util -d . -o cacert.p12 -n "CA certificate"

#This exports the server-cert which you will need on the windows AD
pk12util -d . -o servercert.p12 -n "OpenLDAP Server"

#This exports the CA cert for ldap clients
certutil -L -d . -n "CA certificate" -a > /etc/openldap/certs/cacert.pem

#Make the files in here readable
chmod 644 *

#Set the system to use LDAPS
sed -i 's/SLAPD_LDAPS=no/SLAPD_LDAPS=yes/g' /etc/sysconfig/ldap

#Add a firewall exception in case the user has not configured their firewall properly
iptables -I INPUT -m state --state NEW -p tcp --dport 636 -j ACCEPT
/etc/init.d/iptables save

#Restart slapd to make the changes take effect
/etc/init.d/slapd restart

Step 3: Now its time for the Database Cache

Here we are updating the locate database incase the DB_CONFIG.example has moved. If it has not, the cp command below will give us a base database to work with

updatedb

cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

We want to make sure the database has the proper permissions:

chown -Rf ldap:ldap /var/lib/ldap/

Step 4: Test The configuration

Issue the following command:

slaptest -u

It should return the following message if there are no syntax errors

config file testing succeeded

To verify that LDAPS works you will simply try an ldapsearch

NOTE: You may have to do the client side setup in order for this to work properly

ldapsearch -x -H "ldaps://ldap.stratus.local"

You should receive some output with at least the following:

# search result
search: 2

Step 5: Edit the database file to reflect your domain

vim /etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif

Use a handy sed substitution to globally change the defaults in the file

:%s/dc=my-domain,dc=com/dc=stratus,dc=local/g

and add your password

olcRootPW: password

Alternatively you can create a hashed password

slappasswd

This will give you an SHA password that you can put in place of a plain text password

Step 6: Create a base.ldif

I usually put these in /etc/openldap/schema with the other ldifs. Mine looks like this

This is the base.ldif

nano /etc/openldap/schema/base.ldif

dn: dc=stratus,dc=local
dc: stratus
objectClass: top
objectClass: domain

dn: ou=People,dc=stratus,dc=local
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=stratus,dc=local
ou: Group
objectClass: top
objectClass: organizationalUnit

And then add a group:

nano /etc/openldap/schema/group.ldif

dn: cn=thiddy,ou=Group,dc=stratus,dc=local
objectClass: posixGroup
objectClass: top
cn: thiddy
userPassword: password
gidNumber: 1000

Finally, we need to create a user:

nano /etc/openldap/schema/people.ldif

dn: uid=thiddy,ou=People,dc=stratus,dc=local
uid: thiddy
cn: thiddy thiddy
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: password
shadowLastChange: 15140
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/thiddy

After the files are created, add them into the LDAP database

ldapadd -x -W -D "cn=Manager,dc=stratus,dc=local" -f base.ldif
ldapadd -x -W -D "cn=Manager,dc=stratus,dc=local" -f group.ldif
ldapadd -x -W -D "cn=Manager,dc=stratus,dc=local" -f people.ldif

Verify that there are now users by re-running the ldapsearch command

ldapsearch -x -b "dc=stratus,dc=local"

IMPORTANT NOTE: there must be a new line between each section in your schema! if you get errors it is likely that there was a problem cutting and pasting directly from this guide. Try typing it in manually

IMPORTANT NOTE2: make sure that the double quotes around the commands are correct or you will get an Invalid DN error

 

[Stratus_ss]

On the client


Step 1: Install the required files

yum install openldap-clients pam_ldap nss-pam-ldapd pam_krb5 sssd

Step 2: Run the authentication TUI

authconfig-tui

At one point you will be asked to copy over the cacert from the server to the client

Make sure to choose the following options

Use LDAP
Use Shadow
Use LDAP Auth
Local Auth Sufficient

Use TLS
ldaps://ldap.stratus.local
dc=stratus,dc=local

Step 3: Edit /etc/pam.d/system-auth file

Append this line in order to have home directories created on first login

session required pam_mkhomedir.so skel=/etc/skel umask=0077

Step 4: Reboot

Most changes to pam require a reboot. You should now be able to authenticate to an ldap server that you just created!

I have found this to work better (sometimes) than the gui authconfig

 

[Stratus_ss]

reserved

 

[Stratus_ss]

Alright I think this is basically done, go ahead and rip it apart

 

[heshammhafez]

Thanks alot for your efforts and will give try and see, please regarding the above script I will only edit this line
certutil -S -n "OpenLDAP Server" -s "cn=ldap.stratus.local" -c "CA certificate" -t "u,u,u" -m 1001 -v 120 -d . -z /etc/openldap/certs/noise.txt -f /etc/openldap/certs/password

 

[serveroomhell]

One thing I had trouble with was gettting sudo to work properly when logged in with a LDAP user. I ended up working with the info in the following serverfault post to get things working...

http://serverfault.com/questions/32...-for-user-authentication-in-the-most-secure-a

Also, since none of my servers have GUIs, I was unable to use the "authconfig-tui" command to configure LDAP on the client. authconfig didn't seem to go far enough either so I ended up just writing a script that spit all of the configurations needed into the /etc/sssd/sssd.conf file. Ugly Ugly solution I know but it works.

 

[Stratus_ss]

One thing I had trouble with was gettting sudo to work properly when logged in with a LDAP user. I ended up working with the info in the following serverfault post to get things working...

http://serverfault.com/questions/32...-for-user-authentication-in-the-most-secure-a

Also, since none of my servers have GUIs, I was unable to use the "authconfig-tui" command to configure LDAP on the client. authconfig didn't seem to go far enough either so I ended up just writing a script that spit all of the configurations needed into the /etc/sssd/sssd.conf file. Ugly Ugly solution I know but it works.

authconfig-tui stands for "terminal UI" it should work fine on systems without GUIs/X server running (I tested this via an ssh session)

 

[serveroomhell]

doh! for some reason I thought that was the "Authentication Manager" or whatever it is called GUI.

I wish I could find a way to get the "authconfig" command to do everything I need so that my script wasn't as ugly. Ultimately I'd like to have chef or puppet do all of this for me.

 

[Stratus_ss]

doh! for some reason I thought that was the "Authentication Manager" or whatever it is called GUI.

I wish I could find a way to get the "authconfig" command to do everything I need so that my script wasn't as ugly. Ultimately I'd like to have chef or puppet do all of this for me.

I am working through CFEngine right now. I will post a walkthrough of how to get that going through CFEngine promises.

Honestly I have never really used authconfig specifically, though I am sure it can do everything you want with the proper flags.

Other than that, how did it work out for you?

 

[heshammhafez]

I don't believe it, IT WORKED
finally I can query ldap server using -ZZ and ldaps WoW
all thanks and gratitude goes to Stratus_ss and every one participated in solving this weird bug.

 

[Stratus_ss]

Glad we got you sorted.

Have fun and good luck

 

[Stratus_ss]

doh! for some reason I thought that was the "Authentication Manager" or whatever it is called GUI.

I wish I could find a way to get the "authconfig" command to do everything I need so that my script wasn't as ugly. Ultimately I'd like to have chef or puppet do all of this for me.

Working closer to this goal, I am posting up the aide output from running authconfig-tui on a client.

Find that below

changed: /etc
changed: /etc/rc.d/rc1.d
changed: /etc/rc.d/rc1.d/K88nslcd
changed: /etc/rc.d/rc1.d/K88sssd
changed: /etc/rc.d/rc1.d/K84wpa_supplicant
changed: /etc/rc.d/rc1.d/K74nscd
changed: /etc/rc.d/rc6.d
changed: /etc/rc.d/rc6.d/K88nslcd
changed: /etc/rc.d/rc6.d/K88sssd
changed: /etc/rc.d/rc6.d/K84wpa_supplicant
changed: /etc/rc.d/rc6.d/K74nscd
changed: /etc/rc.d/rc4.d
changed: /etc/rc.d/rc4.d/K88nslcd
changed: /etc/rc.d/rc4.d/K84wpa_supplicant
changed: /etc/rc.d/rc4.d/K74nscd
changed: /etc/rc.d/rc0.d
changed: /etc/rc.d/rc0.d/K88nslcd
changed: /etc/rc.d/rc0.d/K88sssd
changed: /etc/rc.d/rc0.d/K84wpa_supplicant
changed: /etc/rc.d/rc0.d/K74nscd
changed: /etc/rc.d/rc3.d
changed: /etc/rc.d/rc3.d/K88nslcd
changed: /etc/rc.d/rc3.d/K84wpa_supplicant
changed: /etc/rc.d/rc3.d/K74nscd
changed: /etc/rc.d/rc5.d
changed: /etc/rc.d/rc5.d/K88nslcd
changed: /etc/rc.d/rc5.d/K84wpa_supplicant
changed: /etc/rc.d/rc5.d/K74nscd
changed: /etc/rc.d/rc2.d
changed: /etc/rc.d/rc2.d/K88nslcd
changed: /etc/rc.d/rc2.d/K88sssd
changed: /etc/rc.d/rc2.d/K84wpa_supplicant
changed: /etc/rc.d/rc2.d/K74nscd
changed: /etc/sysconfig/authconfig
changed: /etc/openldap
changed: /etc/openldap/ldap.conf
changed: /etc/group
changed: /etc/sssd
changed: /etc/passwd-
changed: /etc/gshadow
changed: /etc/nsswitch.conf
changed: /etc/pam.d
changed: /etc/pam.d/system-auth-ac
changed: /etc/pam.d/fingerprint-auth-ac
changed: /etc/pam.d/smartcard-auth-ac
changed: /etc/pam.d/password-auth-ac
changed: /etc/nslcd.conf
changed: /etc/group-
changed: /etc/pam_ldap.conf
changed: /etc/gshadow-
changed: /usr/sbin
changed: /usr/lib/cups/filter
changed: /usr/libexec
changed: /usr/libexec/gnome-applets
changed: /usr/libexec/polkit-1
changed: /usr/libexec/openssh
changed: /usr/libexec/gnome-screensaver
changed: /usr/libexec/getconf
changed: /usr/libexec/awk
changed: /usr/libexec/pulse
changed: /usr/libexec/gstreamer-0.10
changed: /usr/libexec/gcc/x86_64-redhat-linux/4.4.4
changed: /usr/libexec/utempter
changed: /usr/lib64
changed: /usr/lib64/sa
changed: /usr/lib64/nss/unsupported-tools
changed: /usr/lib64/perl5/CORE
changed: /usr/lib64/gnome-session/helpers
changed: /usr/lib64/pm-utils/bin
changed: /usr/lib64/firefox
changed: /usr/lib64/gettext
changed: /usr/lib64/vte
changed: /usr/lib64/festival/etc
changed: /usr/lib64/nspluginwrapper
changed: /usr/lib64/libv4l
changed: /usr/lib64/xulrunner-2
changed: /usr/bin
changed: /root/Desktop
changed: /root/.local/share/gvfs-metadata/home
changed: /root/.gconfd/saved_state
changed: /lib/udev
changed: /lib64
changed: /lib64/dbus-1
changed: /bin
changed: /sbin

added: /etc/rc.d/rc4.d/S26sssd
added: /etc/rc.d/rc3.d/S26sssd
added: /etc/rc.d/rc5.d/S26sssd
added: /etc/openldap/cacerts
added: /etc/sssd/sssd.conf
added: /var/log/sssd/sssd.log
added: /var/log/sssd/sssd_nss.log
added: /var/log/sssd/sssd_pam.log
added: /var/log/sssd/sssd_default.log

removed: /etc/rc.d/rc4.d/K88sssd
removed: /etc/rc.d/rc3.d/K88sssd
removed: /etc/rc.d/rc5.d/K88sssd

I am going to sort through these eventually and find what files are needed to be pushed/changed by a central config management system

 

[rhaessner]

Thank you very much for this description. In principle everything works fine with one exception. For the users it is not possible to change their own passwords.
Service side appears the
slap_global_control: unrecognized control: 1.3.6.1.4.1.42.2.27.8.5.1
in /var/log/ldap.log, client side the message
use xyz not in /etc/passwd

Both error messages result in many hits doing a google search, but none of them seem to be helpful.

 

[chhym]

How did you get the log file output working?
I am having a few issues and I really would like to see whats going on via a logfile!

 

[Stratus_ss]

The log files you should be interested in are

/var/log/messages
/var/log/audit/*
/var/log/secure

 

[chylarides]

I'm trying to setup access so that only people who belong to the ldap group "operations" are permitted to login. However I'm having trouble. Am I missing something? This is my current sssd.conf file:

[domain/default]
ldap_id_use_start_tls = True
cache_credentials = True
ldap_search_base = dc=example,dc=com
ldap_group_member = uniquemember
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldaps://ldap01.example.com/
ldap_tls_cacertdir = /etc/openldap/cacerts
access_provider = ldap
ldap_access_filter = memberOf=cn=operations,ou=Group,dc=example,dc=com
ldap_access_order = filter, host, authorized_service
[sssd]
services = nss, pam
config_file_version = 2

domains = default
[nss]

[pam]

[sudo]

[autofs]

[ssh]





But all it fails (when i remove the access_provider, ldap_access_filter, and ldap_access_order I can login). Here are the logs
/var/log/secure log:
Mar 8 15:41:43 db01 sshd[2215]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.1.1.12 user=chylarides
Mar 8 15:41:44 db01 sshd[2215]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.1.1.12 user=chylarides
Mar 8 15:41:44 db01 sshd[2215]: pam_sss(sshd:account): Access denied for user chylarides: 6 (Permission denied)
Mar 8 15:41:44 db01 sshd[2215]: Failed password for chylarides from 10.1.1.1 port 64494 ssh2
Mar 8 15:41:44 db01 sshd[2216]: fatal: Access denied for user chylarides by PAM account configuration


/var/log/audit/audit.log:

type=CRYPTO_KEY_USER msg=audit(1362776192.325:333): user pid=2324 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=5e:b7:29:e7:1e:a1:cc:f2:dd:2c:67:48:3f:4f:ba:c9 direction=? spid=2324 suid=0 exe="/usr/sbin/sshd" hostname=? addr=10.1.1.12 terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1362776192.325:334): user pid=2324 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=58:25:25:e2:d8:f7:59:7c:b7:7d:66:4b:14:ed:16:ac direction=? spid=2324 suid=0 exe="/usr/sbin/sshd" hostname=? addr=10.1.1.12 terminal=? res=success'
type=CRYPTO_SESSION msg=audit(1362776192.327:335): user pid=2323 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=start direction=from-client cipher=aes128-ctr ksize=128 spid=2324 suid=74 rport=65335 laddr=10.13.13.246 lport=22 exe="/usr/sbin/sshd" hostname=? addr=10.1.1.12 terminal=? res=success'
type=CRYPTO_SESSION msg=audit(1362776192.328:336): user pid=2323 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=start direction=from-server cipher=aes128-ctr ksize=128 spid=2324 suid=74 rport=65335 laddr=10.13.13.246 lport=22 exe="/usr/sbin/sshd" hostname=? addr=10.1.1.12 terminal=? res=success'
type=USER_AUTH msg=audit(1362776192.428:337): user pid=2323 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=pubkey acct="chylarides" exe="/usr/sbin/sshd" hostname=? addr=10.1.1.12 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1362776194.484:338): user pid=2323 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct="chylarides" exe="/usr/sbin/sshd" hostname=10.1.1.12 addr=10.1.1.12 terminal=ssh res=success'
type=USER_ACCT msg=audit(1362776194.594:339): user pid=2323 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="chylarides" exe="/usr/sbin/sshd" hostname=10.1.1.12 addr=10.1.1.12 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1362776194.594:340): user pid=2323 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=password acct="chylarides" exe="/usr/sbin/sshd" hostname=? addr=10.1.1.12 terminal=ssh res=failed'
type=CRYPTO_KEY_USER msg=audit(1362776194.595:341): user pid=2323 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=session fp=? direction=both spid=2324 suid=74 rport=65335 laddr=10.13.13.246 lport=22 exe="/usr/sbin/sshd" hostname=? addr=10.1.1.12 terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1362776194.595:342): user pid=2323 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=5e:b7:29:e7:1e:a1:cc:f2:dd:2c:67:48:3f:4f:ba:c9 direction=? spid=2323 suid=0 exe="/usr/sbin/sshd" hostname=? addr=10.1.1.12 terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1362776194.595:343): user pid=2323 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=58:25:25:e2:d8:f7:59:7c:b7:7d:66:4b:14:ed:16:ac direction=? spid=2323 suid=0 exe="/usr/sbin/sshd" hostname=? addr=10.1.1.12 terminal=? res=success'
type=USER_LOGIN msg=audit(1362776194.595:344): user pid=2323 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct="chylarides" exe="/usr/sbin/sshd" hostname=? addr=10.1.1.12 terminal=ssh res=failed'

 

[ramkump]

Extra Config

Good thread works great

dont forget to

chkconfig --level 345 slapd on

TLS_REQCERT never
(put this is /etc/openldap/ldap.conf (bypass cert check)

Update nsswitch for ldap

copy the pem file to /etc/openldap/cacerts directory

then run a getent passwd command for in this case thiddy

 

[Stratus_ss]

Good thread works great

dont forget to

chkconfig --level 345 slapd on

TLS_REQCERT never
(put this is /etc/openldap/ldap.conf (bypass cert check)

Update nsswitch for ldap

copy the pem file to /etc/openldap/cacerts directory

then run a getent passwd command for in this case thiddy

You shouldn't have to do anything with the nsswitch and you dont need to copy the pem file, because it is created there by the script in the first post.

The chkconfig is a good suggestion, as for the TLS_REQCERT that is a matter of personal preference but is also a valid suggestion... Thanks!

 

[ramkump]

Desktop

Thanks, by the way im able to su the users from ssh with no issues, but keep getting "Authentication failure " when logging in through gnome has anyone seen this I am missing a trick?

And cant change the ldap users passwords


Changing password for user jon
System is offline, password change not possible

Added these but no luck

olcAccess: to attrs=userPassword
by self write
by anonymous auth
by dn.base="cn=Manager,dc=test,dc=local" write
by * none
olcAccess: to *
by self write
by dn.base="cn=Manager,dc=test,dc=local" write
by * read

Any ideas anyone?

Thanks

 

[Stratus_ss]

There is an adjustment to pam that is required to login to a GUI.

In the days of Gnome 2 you used to have to do this:

For users who login using X /etc/pam.d/gdm has to be modified so GDM will use LDAP.

auth     sufficient     pam_ldap.so
auth     required       pam_nologin.so
auth     required       pam_env.so
auth     required       pam_unix_auth.so

account  sufficient     pam_ldap.so
account  required       pam_unix_acct.so

password required       pam_ldap.so

session  sufficient     pam_ldap.so
session  required       pam_unix_session.so

That and /tmp permissions can cause problems on login