
HowTO: Setup an LDAP server and Client CentOS 6.2


Stratus_ss (Overclockix Snake Charming Senior, Alt OS Content), joined Jan 24, 2006, South Dakota
THIS METHOD IS DEPRECATED

See CentOS 6.3 Guide for a better method


PREAMBLE: OK, so I have been struggling with this for a while because of an "undocumented feature", or at least undocumented as far as I could find. I have read 2 RHCE books thus far. Neither of them gave any indication as to what the problem was or how to fix it. I have spent more time than I would like to admit on this problem and that's why I thought I should lay out exactly what I did to get this working.


On the Server

Step 1: first we need to install the required package:

Code:
yum install openldap-servers

Step 2: Edit the database file to reflect your domain

Code:
vim /etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif

Use a handy sed substitution to globally change the defaults in the file

Code:
:%s/dc=my-domain,dc=com/dc=stratus,dc=local/g

Step 3: Set the admin password and specify the location of our encryption certificate and key (the certificate and key files themselves are generated in Step 6; slapd will not start until they exist).

add these 3 lines at the end of olcDatabase={2}bdb.ldif:
Code:
# olcRootPW as written below is stored in cleartext in this file; "slappasswd -s <password>" prints a {SSHA} hash that can be pasted here instead
olcRootPW: password
olcTLSCertificateFile: /etc/pki/tls/certs/stratus_cert.pem
olcTLSCertificateKeyFile: /etc/pki/tls/certs/stratus_key.pem

Step 4: Now we have to specify the monitoring privileges

Code:
vim /etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif

again, we have to replace the default domain name with my domain:

Code:
:%s/cn=manager,dc=my-domain,dc=com/cn=Manager,dc=stratus,dc=local/g

Step 5: Now it's time for the database cache

Here we are updating the locate database in case DB_CONFIG.example has moved. If it has not, the cp command below will give us a base database configuration to work with

Code:
updatedb

cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

We want to make sure the database has the proper permissions:

Code:
chown -Rf ldap:ldap /var/lib/ldap/

Step 6: Set up a certificate for TLS.

First we need to edit /etc/sysconfig/ldap and change the following lines:
Code:
nano /etc/sysconfig/ldap
SLAPD_LDAPS=yes

Now we can create the certificate. Feel free to extend the number of days the cert is good for

Code:
openssl req -new -x509 -nodes -out /etc/pki/tls/certs/stratus_cert.pem -keyout /etc/pki/tls/certs/stratus_key.pem -days 365

This will create the certificate and its private key in the /etc/pki/tls/certs/ directory. Now set the proper permissions on the files required for TLS, so that slapd (group ldap) can read the key but other users cannot:

Code:
chown root:ldap /etc/pki/tls/certs/stratus_cert.pem /etc/pki/tls/certs/stratus_key.pem
chmod 644 /etc/pki/tls/certs/stratus_cert.pem
chmod 640 /etc/pki/tls/certs/stratus_key.pem

Step 7: Test The configuration

Issue the following command:

Code:
slaptest -u

It should return the following message if there are no syntax errors
config file testing succeeded

Step 8: Start the ldap server

Code:
service slapd start

To verify that this works you will need to modify /etc/openldap/ldap.conf and add the following:

Code:
TLS_CACERT /etc/pki/tls/certs/stratus_cert.pem
URI ldap://127.0.0.1
BASE dc=stratus,dc=local

This seems to be a problem with RHEL 6. Thanks to Thomasz Cholewa at slashroot.eu for that tip. This was driving me crazy! Ultimately this little bug actually stumped me for almost a week.

You should now be able to search your database:

Code:
ldapsearch -x -b "dc=stratus,dc=local"

You should receive some output with at least the following:

# search result
search: 2

Step 9: Create a base.ldif

I usually put these in /etc/openldap/schema with the other ldifs. Mine looks like this

This is the base.ldif

Code:
nano /etc/openldap/schema/base.ldif

dn: dc=stratus,dc=local
dc: stratus
objectClass: top
objectClass: domain

dn: ou=People,dc=stratus,dc=local
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=stratus,dc=local
ou: Group
objectClass: top
objectClass: organizationalUnit

And then add a group:
Code:
nano /etc/openldap/schema/group.ldif
dn: cn=thiddy,ou=Group,dc=stratus,dc=local
objectClass: posixGroup
objectClass: top
cn: thiddy
userPassword: password
gidNumber: 1000

Finally, we need to create a user:
Code:
nano /etc/openldap/schema/people.ldif
dn: uid=thiddy,ou=People,dc=stratus,dc=local
uid: thiddy
cn: thiddy thiddy
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: password
shadowLastChange: 15140
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/thiddy

After the files are created, add them into the LDAP database
Code:
cd /etc/openldap/schema
ldapadd -x -W -D "cn=Manager,dc=stratus,dc=local" -f base.ldif
ldapadd -x -W -D "cn=Manager,dc=stratus,dc=local" -f group.ldif
ldapadd -x -W -D "cn=Manager,dc=stratus,dc=local" -f people.ldif

Verify that there are now users by re-running the ldapsearch command

Code:
ldapsearch -x -b "dc=stratus,dc=local"

On the client


Step 1: Install the required files

Code:
yum install openldap-clients pam_ldap nss-pam-ldapd pam_krb5

Step 2: Run the authentication GUI

(See the screen shot)

Code:
authconfig-gtk

Step 3: Edit /etc/pam_ldap.conf

For readability the comments have been removed. Note that the bindpw and rootbinddn are not strictly necessary
host 192.168.122.33
base dc=stratus,dc=local

bindpw password
rootbinddn cn=Manager,dc=stratus,dc=local

ssl start_tls
# pam_ldap keeps the last value of a repeated key, so the "ssl on" below wins: LDAPS on port 636, not STARTTLS on port 389
ssl on
tls_cacertfile /etc/pki/tls/certs/stratus_cert.pem

Step 4: Edit /etc/openldap/ldap.conf

Most of the file should be in place, but just in case this is what you are trying to achieve
URI ldaps://192.168.122.33
BASE dc=stratus,dc=local
TLS_CACERT /etc/pki/tls/certs/stratus_cert.pem

Step 5: Edit /etc/pam.d/system-auth file

Append this line in order to have home directories created on first login
session required pam_mkhomedir.so skel=/etc/skel umask=0077

Step 6: Copy the cert.pem to client

Copy the stratus_cert.pem from the server into /etc/pki/tls/certs/ on the client.

Step 7: Reboot

Most changes to pam require a reboot. You should now be able to authenticate to an ldap server that you just created!


EDIT Feb 2013:

Users can also use authconfig on the CLI to complete their task

Code:
authconfig --enableldap --enableldapauth --disablenis --enablecache \
          --ldapserver=ldap.stratus.local --ldapbasedn=dc=stratus,dc=local \
          --updateall

I have found this to work better (sometimes) than the gui authconfig
 

Attachment: ldap.png
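An added pre-flight check for the server half of this guide, written for this page and not part of the original post. It covers the points that bite in practice: the sed in Step 2 must leave olcSuffix and olcRootDN on the same suffix; "olcRootPW: password" from Step 3 sits in cleartext under /etc/openldap/slapd.d, where slappasswd would give you a {SSHA} hash instead; Step 3 references a certificate and key that only exist after Step 6, and slapd will not start until they do; the private key must stay unreadable to users outside the ldap group; and a uidNumber such as the 1000 used in people.ldif is silently shadowed by any local account that already holds it, because with the usual "passwd: files ldap" order the local entry wins. The script runs against constructed copies of the files so it works offline; on a real server point the functions at /etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif, /etc/openldap/schema/people.ldif and /etc/passwd. The ssha_hash function is an openssl stand-in for slappasswd and the other function names are this script's own, not part of OpenLDAP.

```shell
#!/bin/sh
# Added pre-flight audit for the server half of the guide (not part of the original
# post). Paths, attributes and the suffix dc=stratus,dc=local are the guide's; the
# function names are this script's own and the files it inspects are constructed here.

# ssha_hash PASSWORD [SALT] -> "{SSHA}" + base64(SHA1(password||salt) || salt), the
# format slappasswd emits. On the real server prefer: slappasswd -s 'secret'
ssha_hash() {
    salt=${2:-$(openssl rand -hex 4)}        # hex keeps the salt shell-safe; any bytes are valid
    b64=$({ printf '%s%s' "$1" "$salt" | openssl dgst -sha1 -binary; printf '%s' "$salt"; } | openssl base64 -A)
    printf '{SSHA}%s\n' "$b64"
}

# ldif_attr FILE ATTR -> first plain "ATTR: value" (base64 "ATTR:: value" lines are not decoded)
ldif_attr() {
    awk -v a="$2:" '$1 == a { sub(/^[^:]*: */, ""); print; exit }' "$1"
}

# audit_bdb_ldif LDIF SUFFIX -> one "FAIL: ..." line per problem; exit status 1 if any
audit_bdb_ldif() {
    ldif=$1 suffix=$2 fails=0
    suf=$(ldif_attr "$ldif" olcSuffix)
    rootdn=$(ldif_attr "$ldif" olcRootDN)
    rootpw=$(ldif_attr "$ldif" olcRootPW)
    cert=$(ldif_attr "$ldif" olcTLSCertificateFile)
    key=$(ldif_attr "$ldif" olcTLSCertificateKeyFile)
    [ "$suf" = "$suffix" ] || { echo "FAIL: olcSuffix is '$suf', expected '$suffix' (Step 2 sed missed?)"; fails=$((fails + 1)); }
    case $rootdn in
        *",$suffix") ;;
        *) echo "FAIL: olcRootDN '$rootdn' is not under $suffix"; fails=$((fails + 1)) ;;
    esac
    case $rootpw in
        '')       echo "FAIL: olcRootPW not set"; fails=$((fails + 1)) ;;
        '{'*'}'*) ;;                                   # {SSHA}/{CRYPT}/... as slappasswd prints
        *)        echo "FAIL: olcRootPW is cleartext; paste slappasswd output instead"; fails=$((fails + 1)) ;;
    esac
    for f in "$cert" "$key"; do
        [ -n "$f" ] || { echo "FAIL: TLS certificate or key attribute missing"; fails=$((fails + 1)); continue; }
        [ -r "$f" ] || { echo "FAIL: $f missing (Step 6 creates it; slapd will not start without it)"; fails=$((fails + 1)); }
    done
    if [ -n "$key" ] && [ -r "$key" ]; then
        case $(stat -c '%a' "$key") in               # last digit 4-7: others can read the private key
            *[4567]) echo "FAIL: $key is world-readable; chown root:ldap and chmod 640"; fails=$((fails + 1)) ;;
        esac
    fi
    [ "$fails" -eq 0 ]
}

# ldif_uid_collisions PEOPLE_LDIF PASSWD -> LDAP accounts whose uid or uidNumber already
# exists locally; with "passwd: files ldap" in nsswitch.conf the local entry wins silently
ldif_uid_collisions() {
    awk -F: '
        function report() {
            if (name != "" && (name in byname)) printf "COLLISION: uid %s already exists locally (uid %s)\n", name, byname[name]
            if (num != "" && (num in bynum))    printf "COLLISION: uidNumber %s already used by local user %s\n", num, bynum[num]
            name = ""; num = ""
        }
        NR == FNR      { byname[$1] = $3; bynum[$3] = $1; next }   # /etc/passwd: name:x:uid:gid:...
        /^$/           { report() }
        /^uid: /       { name = $2; sub(/^ /, "", name) }
        /^uidNumber: / { num = $2; sub(/^ /, "", num) }
        END            { report() }
    ' "$2" "$1"
}

# write_sample DIR ROOTPW KEYMODE -> a guide-shaped olcDatabase={2}bdb.ldif plus cert/key
# stand-ins under DIR (constructed data); prints the LDIF path
write_sample() {
    dir=$1
    echo "stand-in certificate" > "$dir/stratus_cert.pem"
    echo "stand-in private key" > "$dir/stratus_key.pem"
    chmod "$3" "$dir/stratus_key.pem"
    cat > "$dir/olcDatabase={2}bdb.ldif" <<EOF
dn: olcDatabase={2}bdb
olcDatabase: {2}bdb
olcSuffix: dc=stratus,dc=local
olcRootDN: cn=Manager,dc=stratus,dc=local
olcRootPW: $2
olcTLSCertificateFile: $dir/stratus_cert.pem
olcTLSCertificateKeyFile: $dir/stratus_key.pem
EOF
    echo "$dir/olcDatabase={2}bdb.ldif"
}

# write_sample_accounts DIR -> constructed /etc/passwd plus the guide's people.ldif (uidNumber 1000)
write_sample_accounts() {
    printf 'root:x:0:0:root:/root:/bin/bash\nstratus:x:1000:1000::/home/stratus:/bin/bash\n' > "$1/passwd"
    printf 'dn: uid=thiddy,ou=People,dc=stratus,dc=local\nuid: thiddy\nobjectClass: posixAccount\nuidNumber: 1000\ngidNumber: 1000\nhomeDirectory: /home/thiddy\n' > "$1/people.ldif"
}

demo() {
    d=$(mktemp -d)
    echo "--- as in the guide (cleartext olcRootPW, key left at 0644):"
    audit_bdb_ldif "$(write_sample "$d" password 644)" dc=stratus,dc=local || true
    echo "--- hardened (hashed olcRootPW, key 0640):"
    audit_bdb_ldif "$(write_sample "$d" "$(ssha_hash password)" 640)" dc=stratus,dc=local && echo OK
    write_sample_accounts "$d"
    ldif_uid_collisions "$d/people.ldif" "$d/passwd"
    rm -rf "$d"
}
demo
```

Run it after Step 6 and before Step 8: a clean audit plus "config file testing succeeded" from slaptest -u means the remaining failures are network or client-side, which narrows the search considerably.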
Thanks for the walkthrough. I've tried doing this myself in a virtual machine, but I had issues getting it going.
 
What issues did you have? I can walk you through it.

p.s. did you note my user name ;)

Also, coming soon will be a very thorough walkthrough of how to integrate a 389 Directory Server with Active Directory.

It took me a solid 3 weeks to wrap my head around it because I had to piece it together from 4 different guides...
 
I can't remember the issue specifically, but I think it was connecting from other clients. Plus, all the guides were written for the old format instead of the new one, which made things interesting.
 
Well you know where to find me if you have something specific. (you can hit me up on gmail chat too if you want it interactive style :) )

I wrote this because I was having problems with the clients as well which is an exam objective for the RHCE
 
Damn, that is pretty intense to get LDAPS to work :rofl: Any other way of setting it up easier? Webmin perhaps? (I know that is not an option on an exam however.)

So this is to set up a new domain, fresh from the factory? Can I use this to replicate Windows DCs?
 

It's actually not that bad at all. I will be releasing a HowTo using a directory server which gives you a GUI to do it.

I am not sure what you mean by replicate Windows DCs.
Will this create a domain? Yes. Will this allow SSO? Yes. Will these become a DC? Yes.
 

I wrote that while I was tired :rofl:

OK, basically I want to use it to process logins in an existing 03 native domain if need be.
 

So you want it to extend AD into the Linux/Unix domain? No this will not, but my next HowTo will.

There is some involvement getting AD to sync its passwords properly
 
So I have mostly completed the walkthrough which will extend the AD domain into the unix world here
 
I do have a question for you. My LDAP server works fine with no problem and I also set up the client just like yours, but I am having issues. When I run getent passwd user nothing happens, and I am also not able to log in with the user already created on the LDAP server. Need your help.
Thanks,
Ocle
 
What distro are you using? CentOS?

Did you follow my guide from scratch or did you piece it together elsewhere?

As root can you "su" to a user in the ldap database?
 
Thanks for getting back, I appreciate it. I am using RHEL 6.3, which is just like CentOS 6.2. I followed your guide from scratch. One thing I did not do is su - to the user in the LDAP database, but I did getent passwd user and it gave me the /etc/passwd field of the user. I can search the LDAP database and authenticate with my password with no problem.
 
If I have to guess (which I do) it sounds sort of like you have a problem with your certs.

I have found that getent is actually not an appropriate measure of connectivity.

Like I said, as root, try and su to an LDAP user. If that doesn't work you're going to need to start posting your configs because otherwise it's just sort of guesswork.
 
No problem, I will do it when I get home around 4pm and will also post my config as well. Taking my RHCE was just simple in terms of configuring the client.
Thanks,
Ocle
 
When I run su - nana (the user) I get: su: user nana does not exist. Please look at it and tell me what I am doing wrong. I also ran slaptest -u -> config file testing succeeded. Hope this helps.
[root@ldapserver schema]# ldapsearch -x -b "dc=ocle,dc=com"
# extended LDIF
#
# LDAPv3
# base <dc=ocle,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# ocle.com
dn: dc=ocle,dc=com
dc: ocle
objectClass: top
objectClass: domain

# People, ocle.com
dn: ou=People,dc=ocle,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

# nana, People, ocle.com
dn: uid=nana,ou=People,dc=ocle,dc=com
uid: nana
cn: nana nana
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: cGFzc3dvcmQ=
shadowLastChange: 15140
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/nana

# search result
search: 2
result: 0 Success

# numResponses: 4
# numEntries: 3
 
can you post your pam_ldap.conf and ldap.conf files?

in the future please use [code] tags when putting up output, it makes it easier to read
 
/etc/pam_ldap.conf
base dc=ocle,dc=com
uri ldap://192.168.1.32
ssl on
tls_cacertfile /etc/pki/tls/certs/slapdcert.pem
pam_password md5

/etc/openldap.conf
URI ldap://192.168.1.32
BASE dc=ocle,dc=com
TLS_CACERT /etc/pki/tls/certs/slapdcert.pem
 
what happens if you run

Code:
ldapsearch -x

On the client, is there anything in /etc/openldap/cacerts ?
 