
HowTO: Setup an LDAP server and Client CentOS 6.2

Hi Sunil,

While I am sure that we are all willing to help you with your goal, no one will do your work for you. I would suggest researching your questions a bit, giving it a go, and then asking specific questions about the problems you may be having.

good luck!
 
Hi Stratus,

Sorry for the questions; the thing is, this is the first time I am working on Linux as well as on OpenLDAP. I have been searching on Google for the last three weeks. Finally I am able to configure the LDAP server with the help of your procedure and the Overclockers website.

Anyway, my search is still running day and night to configure OpenLDAP with strong global password policies, and maybe I will require your help to do the needful for a few more days.

Sorry for the trouble and thanks for the help till now.

Regards,
Sunil Tumma
 
[root@babin certs]# chown -Rf root:ldap /etc/pki/tls/certs/$cert.pem
[root@babin certs]# chmod -Rf 750 /etc/pki/tls/certs/$key.pem
[root@babin certs]# slaptest -u
<= str2entry: str2ad(): empty AttributeDescription
slaptest: bad configuration file!
[root@babin certs]#

Getting an error while checking, please help.
 
[root@babin /]# service slapd start
Checking configuration files for slapd: [FAILED]
<= str2entry: str2ad(): empty AttributeDescription
slaptest: bad configuration file!
[root@babin /]#
 
That usually indicates a typo in one of the .ldif files you created. Go back and look for typos or a missing ":".
 
Hi, I have configured the basic password policies on the OpenLDAP server.

cat password-policy.ldif

dn: ou=policies,dc=example,dc=in
ou: policies
objectClass: top
objectClass: organizationalUnit

# default, policies, example.com
dn: cn=default,ou=policies,dc=example,dc=in
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdMaxAge: 7776002
pwdExpireWarning: 432000
pwdInHistory: 3
pwdCheckQuality: 1
pwdMinLength: 8
pwdMaxFailure: 5
pwdLockout: TRUE
pwdLockoutDuration: 900
pwdGraceAuthNLimit: 0
pwdFailureCountInterval: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE


The following policies are set:

* password expiration at 90 days
* password lockout on 5 failures and a lockout duration of 15 minutes
* minimum password length of 8
* 3 earlier passwords in history


Imported with the command below.

ldapadd -D "cn=Manager,dc=example,dc=in" -W -x -f password-policy.ldif


But the policies are not applying on the client system. Is there any setting to be done on the client side? On the client side I am using CentOS 6.2.
 
The password policies problem has been resolved.

Password Policies using overlay has been configured successfully and tested on CentOS client machines. Thanks for the help and procedure provided on this forum.

Still working on Windows authentication via ldap server using pGina client software.

Regards,
Sunil Tumma
 
Procedure: Implementing Password Policies Using an Overlay

OpenLDAP with ppolicy

Overlays are dynamically configurable modules that provide additional functionality to OpenLDAP. The ppolicy overlay provides some useful functionality for enforcing a password policy for the domain.

The requirements were the following:

* Account should be locked out after 5 failed authentication attempts
* Password expiration at 90 days
* Minimum password length of 8

All our desktops were authenticating against the OpenLDAP server (example.in), which was set up on a CentOS box. We were able to achieve the 99999-day password expiration using the default shadowAccount objectClass as given below.

Code:
# test, People, example.in
dn: uid=test,ou=People,dc=example,dc=in
uid: test
cn: test
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQxJEMzOxxxxxxxxxx
shadowLastChange: 15140
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/test


But we couldn't find any way to implement the password expiration and password length policies using the default OpenLDAP configuration. So I started my experiments with ppolicy overlays. The ppolicy overlay provides enhanced password management capabilities that are applied to non-rootdn bind attempts in OpenLDAP.

Installation

The password policy (ppolicy) and other overlays are included in the package openldap-servers-overlays for Red Hat/CentOS servers. So we need to first install this package, assuming the OpenLDAP server and its dependencies are already installed.
Code:
yum install openldap-servers-overlays
The ppolicy module file should get installed at /usr/lib64/openldap/ppolicy.la and the schema file at /etc/openldap/schema/ppolicy.schema on a 64-bit CentOS/Red Hat server. The module file should be in the /usr/lib/openldap directory on an x86 server.



Server Configuration

We need to configure the ppolicy overlays now. Add the following lines to /etc/openldap/slapd.conf in the respective sections.
Code:
include /etc/openldap/schema/ppolicy.schema

modulepath /usr/lib64/openldap
moduleload ppolicy.la
This is assuming that the ppolicy overlay files are in their respective locations. The ACLs should be set such that clients bind to the OpenLDAP server by self-authentication. We should not allow anonymous or rootdn binds to the server. The default configuration is to allow anonymous binds to the server. So I added the ACL as given below in the ACL section of slapd.conf.

Code:
#ACL
access to attrs=userPassword
by self =xw
by anonymous auth
by * none

access to *
by self write
by * read

Next we need to add the default password policy we are going to enforce on the domain. Add the following after the DB section in slapd.conf.

Code:
overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=example,dc=in"
ppolicy_use_lockout


This should complete the configuration of slapd.conf. You should be able to restart the LDAP server without any issues now.

Importing the password policy

Create an LDIF file with the following content.

Code:
cat password-policy.ldif

dn: ou=policies,dc=example,dc=in
ou: policies
objectClass: top
objectClass: organizationalUnit

# default, policies, example.com
dn: cn=default,ou=policies,dc=example,dc=in
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdMaxAge: 7776002
pwdExpireWarning: 432000
pwdInHistory: 3
pwdCheckQuality: 1
pwdMinLength: 8
pwdMaxFailure: 5
pwdLockout: TRUE
pwdLockoutDuration: 900
pwdGraceAuthNLimit: 0
pwdFailureCountInterval: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE


This sets the following policies:

* password expiration at 90 days
* password lockout on 5 failures and a lockout duration of 15 minutes
* minimum password length of 8
* 3 earlier passwords in history

To import the policy run the following command.

Code:
ldapadd -D "cn=Manager,dc=example,dc=in" -W -x -f password-policy.ldif

This ldapadd command should add the policy, authenticating as the LDAP administrator. We should be able to see the newly imported policy now when we do an ldapsearch.

Code:
ldapsearch -x -D "cn=Manager,dc=example,dc=in" -W -b "dc=example,dc=in"

This completes the server configuration.

Client Side Configuration

On the LDAP clients (in my case desktops) we need to make the following change in the LDAP client configuration file /etc/ldap.conf, assuming the client was configured to authenticate to our LDAP server before. Uncomment the pam_lookup_policy line, which should already be there in /etc/ldap.conf.

Code:
pam_lookup_policy yes

Yes!! Now the password policy should be enforced for all non-rootdn authentication attempts.
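As an added example (not part of this post or of OpenLDAP itself), a small Python checker for the two things this thread trips over: the "str2ad(): empty AttributeDescription" failure from slaptest, which comes from an LDIF line with a missing ":" or an empty attribute name, and confirming before ldapadd that the pwdPolicy counters (pwdMaxAge and pwdLockoutDuration are in seconds) really encode the stated 90 days, 15 minutes, 5 failures, length 8 and history of 3. The sample entry is constructed from the policy above; parse_ldif and summarize_policy are hypothetical helper names.

```python
import base64

# Characters allowed in an LDIF attribute description (name, OID, ";options").
ATTR_CHARS = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-;.")
# Constructed sample: the pwdPolicy entry from the post above, trimmed to its core.
SAMPLE_POLICY = """\
dn: cn=default,ou=policies,dc=example,dc=in
objectClass: pwdPolicy
pwdMaxAge: 7776002
pwdInHistory: 3
pwdMinLength: 8
pwdMaxFailure: 5
pwdLockout: TRUE
pwdLockoutDuration: 900
"""

def parse_ldif(text):
    """Return (entries, problems): entries as {attribute: [values]}, problems as
    (line_no, message) for lines that slaptest rejects with a str2ad() error."""
    entries, problems, cur = [], [], {}
    lines = list(enumerate(text.splitlines(), 1)) + [(0, "")]  # sentinel closes last entry
    for no, line in lines:
        if line.startswith("#"):
            continue
        if not line.strip():  # blank line ends the current entry
            if cur:
                entries.append(cur)
            cur = {}
            continue
        attr, sep, value = line.partition(":")
        if not sep or not attr or not set(attr) <= ATTR_CHARS:
            problems.append((no, "empty or malformed attribute description: %r" % line))
            continue
        if value.startswith(":"):  # "attr:: <base64>", the form used for userPassword
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        cur.setdefault(attr, []).append(value.strip())
    return entries, problems

def summarize_policy(entry):
    """Express the pwdPolicy counters in the units the post states (days, minutes)."""
    def num(attr):
        return int(entry.get(attr, ["0"])[0])
    return {
        "max_age_days": num("pwdMaxAge") / 86400,  # 7776002 s is 90 days plus 2 s
        "lockout_minutes": num("pwdLockoutDuration") / 60,
        "max_failures": num("pwdMaxFailure"),
        "min_length": num("pwdMinLength"),
        "history": num("pwdInHistory"),
        "lockout": entry.get("pwdLockout", ["FALSE"])[0] == "TRUE",
    }
```

Run parse_ldif over password-policy.ldif before ldapadd; a non-empty problems list points at the exact line slaptest would choke on.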
 
This is very useful information.

Can you format it with [code] blocks so that it is easier to read?
 
Installed and all works, but when I connect from the client machine using su - babin it's not logging in, just an empty terminal.
 
The first place to look is

Code:
/var/log/secure

on the client machine. Usually login errors happen here. Next look at

Code:
/var/log/messages

Failing that, examine the LDAP server itself for errors.
 
Ldap Migration

Hi Stratus_ss,
I am a newbie. I installed OpenLDAP by following your guide; it's successfully done at the server side and giving output also.
But while doing the same at the client side I am not able to get any output.

The major task of doing this is to migrate my LDAP server, i.e. from CentOS 5.9 to CentOS 6.4.

My LDAP server is configured with all schemas, with Samba and NFS integration.
Could you suggest something in this regard?

I have been trying to figure it out for 1 week, but every time there are some errors.

I really appreciate any suggestion.

Thanks in Advance :bang head
 
I don't mind helping, but you haven't given me a lot to go on.

Can the server query itself and get results?

If so what happens when the client queries the server?
 
It looks like you did not set the /etc/ldap.conf file or the /etc/openldap/ldap.conf correctly.

In the future can you please format the output with [code] tags?
 
so for the client,

is the firewall down on both boxes?

Additionally, is there a reason you are using this guide? It says in BIG BOLD that it's deprecated and you should use the CentOS 6.3 guide.
 
Ldap Migration

I really appreciate your help and suggestions. :)
Yes, the firewall is down.
And the reason to use this is that I didn't find any perfect guide; second, I followed some of the blogs and sites, but even then my server was not configured well. I was not getting any output.
But when I tried this I got output at the server side. That's why.

If there is any, please share, as I am really in need :bang head. Any suggestion regarding schemas?

Thanks in Advance..
 
I am not really sure what you are asking of me.

If you need to make a change, remove the entries in question from your LDAP schema, then create your ldif files and import them.
 