
HowTO: Setup an LDAP server and Client CentOS 6.2

I am hitting the 100% CPU issue myself... I was wondering why my vmware alarms kept going off!

Anyways, I found this at serverfault. What he describes sounds familiar but his solution doesn't seem to make sense for me since my certs are already in /etc/pki.

What exactly is with the certs found in the /etc/openldap/certs directory anyways? I've never seen that format before.

http://serverfault.com/questions/471606/slapd-2-4-23-hangs-on-ldaps-connections

Figured it out. Apparently openldap loads the certs differently depending on where they are in the directory structure. If they are in the /etc/openldap/certs dir - it treats them as MozNSS and afterwards fails spectacularly to load anything at all. If they are in /etc/pki, it uses OpenSSL and loads everything just fine
 
This is exactly what I was trying to track down.

I honestly think there is a bug. I have done about 5 different methods, from following the OpenLDAP Administrator's Guide/TLS Guide to the letter, to completely relying on the old slapd.conf method.

So far I have had no success, I am ready to call this a big bug. I may try compiling from source, but honestly I will probably just bring up a 389 server instead, as I haven't had problems doing TLS on it for whatever reason (different build flags maybe?).
 
I was able to get ldaps to work by playing ball with the annoying MozNSS certs that openldap is moving to (I guess). Note that the following assumes default values for the olcTLS bits inside of the /etc/openldap/slapd.d/cn=config.ldif file. If you have changed those previously then set them back to the following.

Code:
olcTLSCACertificatePath: /etc/openldap/certs
olcTLSCertificateFile: "OpenLDAP Server"
olcTLSCertificateKeyFile: /etc/openldap/certs/password

These commands create a self signed CA and a server cert. The CA cert is exported for use by the client.

Code:
  # cd /etc/openldap/certs
  # rm *
  # echo wadnwqpmcodwqomcweswecxlmwcwedcawcma >>noise
  # echo yourpasswordhere >> password
  # certutil -N -d . -f password
  # certutil -G -d . -z noise -f password
  # certutil -S -n "CA certificate" -s "cn=CAcert" -x -t "CT,," -m 1000 -v 120 -d . -z noise -f password
  # certutil -S -n "OpenLDAP Server" -s "cn=ldap.FQDN.local,cn=Directory Server" -c "CA certificate" -t "u,u,u" -m 1001 -v 120 -d . -z noise -f password
  # certutil -d . -L -n "CA certificate" -a > /etc/openldap/certs/cacert.pem
  # chmod 644 *

then I opened /etc/openldap/ldap.conf and changed "TLS_CACERTDIR /etc/openldap/certs" to "TLS_CACERT /etc/openldap/certs/cacert.pem"

Finally I opened /etc/sysconfig/ldap and set "SLAPD_LDAPS" to yes and restarting slapd

I was then able to run the following and get results, when previously it would hang every time.
Code:
# ldapsearch -x -H "ldaps://ldap.FQDN.local"
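The post above fixes two things at once: the server's olcTLS* attributes have to describe one backend (an NSS DB with a certificate nickname, or OpenSSL-style PEM paths, never a mix), and the client's ldap.conf has to pin the exported CA with TLS_CACERT. This is an added example, not code from the thread: a small audit script that applies those two checks to config text. The backend classification is my own heuristic (nickname vs. absolute path), and the sample config snippets are the ones quoted in the thread.

```python
"""Audit OpenLDAP TLS settings for the MozNSS-vs-OpenSSL mix-up discussed above."""
import re


def parse_ldif(text):
    """Parse 'attr: value' lines of cn=config.ldif into a dict (last value wins)."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r"^(\w+):\s*(.*)$", line.strip())
        if m:
            cfg[m.group(1)] = m.group(2).strip().strip('"')
    return cfg


def parse_ldap_conf(text):
    """Parse 'KEY value' lines of /etc/openldap/ldap.conf into a dict."""
    cfg = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if parts and not parts[0].startswith("#"):
            cfg[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return cfg


def server_tls_backend(cfg):
    """Return 'nss', 'openssl' or 'mixed' for the olcTLS* attributes (heuristic).
    NSS style: certificate named by nickname, 'key file' is the DB password file.
    OpenSSL style: certificate and key are absolute PEM/key paths."""
    cert = cfg.get("olcTLSCertificateFile", "")
    key = cfg.get("olcTLSCertificateKeyFile", "")
    cert_is_path = cert.startswith("/")
    key_is_pem = key.startswith("/") and key.lower().endswith((".pem", ".key"))
    if not cert_is_path and not key_is_pem and "olcTLSCACertificatePath" in cfg:
        return "nss"
    if cert_is_path and key_is_pem:
        return "openssl"
    return "mixed"  # e.g. PEM file dropped into the NSS DB directory


def audit_client(cfg):
    """Findings for a client ldap.conf: CA pinned, verification left at the
    OpenLDAP default of TLS_REQCERT demand."""
    findings = []
    if "TLS_CACERT" not in cfg:
        findings.append("TLS_CACERT not set: server CA is not pinned")
    if cfg.get("TLS_REQCERT", "demand").lower() in ("never", "allow"):
        findings.append("TLS_REQCERT %s disables certificate verification" % cfg["TLS_REQCERT"])
    return findings
```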
 
I guess it would make sense that that is the appropriate way to create a cert. That is the procedure for doing a 389 server. I will give this a go, and if/when it works I will post a new guide for 6.3 giving you appropriate credit.

By the by, do you have a source, or was this something you came to via reading a manual or something?
 
I ended up using SSSD for the client side of things. I can post a quick run through of that if desired. I don't want to confuse people if the original solution is working properly though.

According to some forum banter, SSSD is now RedHat's preferred method of ldap auth.
 
I am working on the guide, using sssd and nscd... feel free to chime in when I get it done.
 
Hi,

I have recently installed and configured the openldap server on CentOS 6.2 as per the procedure and also done the client-end configuration on a CentOS client machine.

I am unable to log in using the openldap server from the CentOS client machine.
error:- authentication failed

And I have also tried logging in using the openldap server in Windows with pGina.
error:- Authentication via ldap has failed.

Need your help!!!

If you need any details please revert.

Regards,
Sunil Tumma
 
Please see the updated guide

Since there were some changes to the openldap packages, the guide needed to be redone (hence having in very big bold letters at the start of the guide, that it is deprecated)
 
I am able to search with the below command on the server and client machine. Below is the result from the client machine.

[root@ESS-SAG-LT-013 ~]# ldapsearch -x
# extended LDIF
#
# LDAPv3
# base <dc=ess,dc=net,dc=in> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 0 Success

# numResponses: 17
# numEntries: 16
[root@ESS-SAG-LT-013 ~]#
 
And also, how do I check login via ldap using terminal mode on the client machine?

After you have created a user that does not exist on the local machine, reboot and then, after you log in, try changing into that user (su - <username>).
 
here is the result

[root@ESS-SAG-LT-013 ~]# su sunil
Creating directory '/home/sunil'.
[sunil@ESS-SAG-LT-013 root]$
 
here is the result

[root@ESS-SAG-LT-013 ~]# su sunil
Creating directory '/home/sunil'.
[sunil@ESS-SAG-LT-013 root]$

but it didn't ask me for the password
 
Hi, I am able to search the user with the below command on the client machine (CentOS)

ldapsearch -x
[root@ESS-SAG-LT-013 ~]# ldapsearch -x
# extended LDIF
#
# LDAPv3
# base <dc=ess,dc=net,dc=in> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL

# search result
search: 2
result: 0 Success

# numResponses: 17
# numEntries: 16
[root@ESS-SAG-LT-013 ~]#

and am also able to see the users in the passwd file with the below command (CentOS)

getent passwd

[root@ESS-SAG-LT-013 ~]# getent passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
test2:x:20209:0:test1:/home/test2:/bin/bash
root:x:0:0:root:/root:/bin/bash
operator:x:11:0:operator:/root:/sbin/nologin
test3:x:501:501:test3:/home/test3:/bin/bash
test4:x:502:502:test4:/home/test4:/bin/bash

but I am unable to log in with the ldap users and unable to switch user to ldap users
Error :- system error
 
I have successfully installed a CentOS 6.2 box, which authenticates to a non-encrypted LDAP server. Trying the same thing with a 6.2 client, however, does not work. The client can talk to the server, and return user information ("getent passwd username" works), but users can't log in from the console, or via ssh. Any ideas about what the issue is?
 
Hi,

The problem has been resolved. Now I am able to log in via ldap.

One more question.

How do I implement password policies on the ldap server for users and groups?
I want to create the below policies:
1) Password Complexity
2) Password policy
3) Account lockout policy
4) Account expiry policy
5) Account disable policy
and I want to implement folder-level permissions, like we do in Microsoft Windows Server (Windows Active Directory).

Regards,
Sunil Tumma
 