Saturday, 6 August 2016

Configuring openLDAP in CentOS 7

LDAP, the Lightweight Directory Access Protocol, is a protocol for accessing and maintaining centrally managed directory information. Its most common and best-known use is centralized authentication: clients look up accounts and verify credentials against one directory instead of local files. The server behind it (slapd, in OpenLDAP) is a directory service, a specialized database optimized for read access, i.e. searching and browsing, rather than for frequent writes.
In LDAP, information is stored as entries arranged in a hierarchical tree. An entry is a collection of attributes and is identified by a globally unique Distinguished Name (DN).

With that clarified, we'll start the LDAP configuration. I'll explain common terms as we come across them.

I've used the host instructor.example.com for my LDAP server. There is no DNS, so I'm using the /etc/hosts file for name resolution. SELinux is in permissive mode and the firewall is turned off; that is acceptable for this lab walkthrough only. On a real server keep SELinux enforcing and open just the ports you actually serve (389/tcp for ldap, 636/tcp for ldaps).

LDAP has many configuration files, and a single typo in an LDIF file (a stray space, a misspelled attribute, a wrong DN) makes the whole entry fail to load. One must be very cautious while editing the files.

Installation process:

Install the required packages:

yum install openldap openldap-clients openldap-servers migrationtools

Generate a hashed LDAP administrator password (in this case redhat) and save it for later use:

slappasswd -s redhat -n > /etc/openldap/passwd

The -s option puts the clear-text password into your shell history and, briefly, into the process list; omit it to be prompted interactively instead. The -n option drops the trailing newline so the hash can be pasted as-is into an LDIF file. Keep this file readable by root only.

The resulting value is a salted SHA-1 hash ({SSHA}), not an encrypted password:

# cat /etc/openldap/passwd
{SSHA}YrzPc3BFXAcWhEgMVmhrQoZ03h5INxix

Generate a self-signed certificate and private key, valid for 365 days. Use the server's hostname as the Common Name, because clients compare it with the name they connect to; -nodes leaves the key unencrypted so slapd can load it at start-up without a passphrase:

openssl req -new -x509 -nodes -out /etc/openldap/certs/cert.pem -keyout /etc/openldap/certs/priv.pem -days 365
Generating a 2048 bit RSA private key
.....+++
..........................................................+++
writing new private key to '/etc/openldap/certs/priv.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:instructor.example.com
Email Address []:

Make the certificate and key readable by the ldap user that slapd runs as, and keep the private key private (cert.pem keeps its default 644 mode, which is fine for a public certificate):

# cd /etc/openldap/certs
# chown ldap:ldap *
# chmod 600 priv.pem

Now prepare the LDAP database by giving the Berkeley DB back end its tuning file:

# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

Verify that the configuration directory (/etc/openldap/slapd.d) parses cleanly:

# slaptest

Running slaptest as root may leave files in /var/lib/ldap owned by root, so fix the ownership of the database directory before starting the service:

# chown ldap:ldap /var/lib/ldap/*

Then start slapd and enable it at boot. The remaining steps talk to the server over the ldapi:/// Unix socket, which only exists while slapd is running:

# systemctl enable slapd
# systemctl start slapd


To start the configuration of the LDAP server, load the cosine and nis schemas into cn=config. Give the full path to each schema file (a bare cosine.ldif only works from inside /etc/openldap/schema). -Y EXTERNAL over ldapi:/// authenticates you by your Unix uid (root maps to the SASL name shown), which is why no password is needed for cn=config. The "Duplicate attributeType" errors in my output mean the schemas were already present on this server (the entry is rejected as a whole and nothing is changed); on a fresh install each command reports "adding new entry" and nothing else:

# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"
ldap_add: Other (e.g., implementation specific) error (80)
        additional info: olcAttributeTypes: Duplicate attributeType: "0.9.2342.19200300.100.1.2"

# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/nis.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"
ldap_add: Other (e.g., implementation specific) error (80)
        additional info: olcAttributeTypes: Duplicate attributeType: "1.3.6.1.1.1.1.2"


A schema defines the attribute types and object classes a directory may hold. An object class names a set of required and optional attributes; an entry lists its object classes and then carries values for those attributes. cosine and nis supply the classes used for Unix accounts below (posixAccount, shadowAccount, posixGroup). The migration tools used later also emit inetOrgPerson; if ldapadd rejects users.ldif with an objectClass error, load /etc/openldap/schema/inetorgperson.ldif the same way (it depends on cosine, so load cosine first).


Now create the file /etc/openldap/changes.ldif with the following content. Replace the olcRootPW value with the hash you generated with slappasswd.
Two of the settings deserve a word. olcLogLevel -1 turns on every log category and is extremely verbose (every connection, operation and bind DN is logged); use it while debugging and then set it to stats, or none. The TLS entries only make the certificate and key available to slapd; nothing here forces clients to use them, so a simple bind over ldap:// still sends the password in clear text unless the client requests StartTLS (-ZZ).

[root@instructor ~]# cat /etc/openldap/changes.ldif
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=example,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=example,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}YrzPc3BFXAcWhEgMVmhrQoZ03h5INxix

dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/cert.pem

dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/priv.pem

dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: -1

dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=example,dc=com" read by * none


Using the file created above, update the LDAP server configuration:

# ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/openldap/changes.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "cn=config"

modifying entry "cn=config"

modifying entry "cn=config"

modifying entry "olcDatabase={1}monitor,cn=config"


Create /etc/openldap/base.ldif with the following content. It defines the top of the tree and the ou=People and ou=Group containers that the migration tools write into:

[root@instructor ~]# cat /etc/openldap/base.ldif
dn: dc=example,dc=com
dc: example
objectClass: top
objectClass: domain

dn: ou=People,dc=example,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=example,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit


Build the directory service structure, binding as the rootDN (cn=Manager) with the password you hashed earlier. -w puts the clear-text password on the command line and in the shell history; use -W to be prompted instead. Because this connects to ldap:// on the local host without -ZZ, the bind travels unencrypted, which is only acceptable locally. If the bind fails with "ldap_bind: Invalid credentials (49)", the olcRootDN or olcRootPW stored in cn=config does not match what you pass to -D and -w:

# ldapadd -x -w redhat -D cn=Manager,dc=example,dc=com -f /etc/openldap/base.ldif
adding new entry "dc=example,dc=com"

adding new entry "ou=People,dc=example,dc=com"

adding new entry "ou=Group,dc=example,dc=com"


Create a user for testing:

# mkdir /home/guests
# useradd -d /home/guests/ldapuser01 ldapuser01
# passwd ldapuser01

Now we migrate this user from the local files to LDAP with the migrationtools package installed earlier:

cd /usr/share/migrationtools

Edit the migrate_common.ph file and set the following two variables:

$DEFAULT_MAIL_DOMAIN = "example.com";
$DEFAULT_BASE = "dc=example,dc=com";

Import the users to the LDAP database. The grep below selects every line containing ":10" followed by two digits in any field (UID, GID or otherwise), which is why more accounts than ldapuser01 appear in the output. Note that migrate_passwd.pl reads /etc/shadow when run as root, so users.ldif carries the real password hashes; delete it, or restrict it to root, once it has been loaded:

# grep ":10[0-9][0-9]" /etc/passwd > passwd
# ./migrate_passwd.pl passwd users.ldif
# ldapadd -x -w redhat -D cn=Manager,dc=example,dc=com -f users.ldif

adding new entry "uid=sa,ou=People,dc=example,dc=com"
adding new entry "uid=stack,ou=People,dc=example,dc=com"
adding new entry "uid=james,ou=People,dc=example,dc=com"
adding new entry "uid=test,ou=People,dc=example,dc=com"
adding new entry "uid=sftptest,ou=People,dc=example,dc=com"
adding new entry "uid=ldapuser1,ou=People,dc=example,dc=com"
adding new entry "uid=ldapuser2,ou=People,dc=example,dc=com"
adding new entry "uid=ldapuser01,ou=People,dc=example,dc=com"

# grep ":10[0-9][0-9]" /etc/group > group
# ./migrate_group.pl group groups.ldif
# ldapadd -x -w redhat -D cn=Manager,dc=example,dc=com -f groups.ldif

adding new entry "cn=sa,ou=Group,dc=example,dc=com"
adding new entry "cn=stack,ou=Group,dc=example,dc=com"
adding new entry "cn=libvirtd,ou=Group,dc=example,dc=com"
adding new entry "cn=james,ou=Group,dc=example,dc=com"
adding new entry "cn=test,ou=Group,dc=example,dc=com"
adding new entry "cn=sftpusers,ou=Group,dc=example,dc=com"
adding new entry "cn=ldapuser1,ou=Group,dc=example,dc=com"
adding new entry "cn=ldapuser2,ou=Group,dc=example,dc=com"
adding new entry "cn=ldapuser01,ou=Group,dc=example,dc=com"
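The grep pattern above matches ":10xx" wherever it occurs on the line, so an account whose UID is outside the range but whose GID (or GECOS field) happens to start with 10xx is migrated too. The following shell example, added here and not part of the original post, selects lines by the numeric third field instead (UID in /etc/passwd, GID in /etc/group) and runs both methods over a constructed passwd sample so the difference is visible. The migrate_regular_users function shows how the filter slots into the post's own migration step; it is not executed by the script.

```shell
#!/bin/sh
# Added example, not from the original post: select accounts for migration by
# the numeric ID field instead of grep ":10[0-9][0-9]", which matches ":10xx"
# in *any* colon-separated field. The sample passwd data below is constructed.

# select_id_range FILE MIN MAX
# Prints the lines of FILE whose third field (UID in /etc/passwd, GID in
# /etc/group) is a number between MIN and MAX inclusive.
select_id_range() {
    awk -F: -v min="$2" -v max="$3" \
        '$3 ~ /^[0-9]+$/ && $3 + 0 >= min + 0 && $3 + 0 <= max + 0' "$1"
}

# names_in_id_range FILE MIN MAX
# Same selection, but prints only the account names, comma-separated.
names_in_id_range() {
    select_id_range "$@" | awk -F: '{ printf "%s%s", (NR > 1 ? "," : ""), $1 } END { print "" }'
}

# Constructed sample. Only james and ldapuser01 are regular users with a UID
# in 1000-1999; "backup" merely has a GID in that range and "sensor" has
# "1042" in its GECOS field, yet grep ":10[0-9][0-9]" picks up both.
SAMPLE_PASSWD=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
backup:x:999:1005::/var/backups:/sbin/nologin
sensor:x:800:800:1042:/var/lib/sensor:/sbin/nologin
james:x:1001:1001:James:/home/james:/bin/bash
ldapuser01:x:1007:1008::/home/guests/ldapuser01:/bin/bash
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
EOF

# How many lines the post's grep would have migrated from the same sample.
grep_style_count() {
    grep -c ':10[0-9][0-9]' "$1"
}

# Real use on the server (not run here): filter by UID/GID range, then hand
# the result to the migration tools exactly as the post does.
migrate_regular_users() {
    cd /usr/share/migrationtools || return 1
    select_id_range /etc/passwd 1000 1999 > passwd
    select_id_range /etc/group  1000 1999 > group
    ./migrate_passwd.pl passwd users.ldif
    ./migrate_group.pl  group  groups.ldif
}

echo "grep ':10[0-9][0-9]' selects $(grep_style_count "$SAMPLE_PASSWD") of 6 sample lines"
echo "UID 1000-1999 selects: $(names_in_id_range "$SAMPLE_PASSWD" 1000 1999)"
```

On the sample, the grep selects four lines while the UID filter selects only james and ldapuser01. The same function works for /etc/group because the GID is also the third field there.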

To test the configuration for ldapuser01, search as an anonymous client (-x without -D binds anonymously). Note that the output below includes the userPassword hashes of both the user and the group entry: the hdb database carries no olcAccess rules of its own, so slapd applies its built-in default policy and lets any client read everything, including the {crypt} hashes that migrate_passwd.pl copied from /etc/shadow. Restrict that attribute before pointing clients at this server:

# ldapsearch -x cn=ldapuser01 -b dc=example,dc=com
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: cn=ldapuser01
# requesting: ALL
#
# ldapuser01, People, example.com
dn: uid=ldapuser01,ou=People,dc=example,dc=com
uid: ldapuser01
cn: ldapuser01
sn: ldapuser01
mail: ldapuser01@example.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQ2JGhWREtZSUtoJDRaajBqYlU3MzI3ZTJ3YkdmYW8uNkhQb2NZdmp
 hNGpzaHRpUEdkQ0pJU0dIenVFb2FEd2FMUUR3Mi5Ic3A1a1dJdVRSUzJTUTUxOFZsV0hJTFJmYWUu
shadowLastChange: 17019
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1007
gidNumber: 1008
homeDirectory: /home/guests/ldapuser01

# ldapuser01, Group, example.com
dn: cn=ldapuser01,ou=Group,dc=example,dc=com
objectClass: posixGroup
objectClass: top
cn: ldapuser01
userPassword:: e2NyeXB0fXg=
gidNumber: 1008

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2
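The anonymous search above returned password hashes because changes.ldif only set an olcAccess on the monitor database and left the hdb database with slapd's default of "to * by * read". The following shell example is added here and is not part of the original post; it assumes the olcDatabase={2}hdb,cn=config entry and the ldapuser01 account from the post. It emits the corrected access rules as LDIF, applies them the same way changes.ldif was applied, and includes the check an auditor would run afterwards. Only the LDIF helpers run when the script is executed without arguments; pass "apply" on the server to modify the live configuration.

```shell
#!/bin/sh
# Added example, not from the original post: lock down read access to password
# hashes in the dc=example,dc=com database and verify the change. Assumes the
# database entry olcDatabase={2}hdb,cn=config and the test user from the post.

# The post's database has no olcAccess at all, so slapd falls back to its
# built-in default of "to * by * read": any anonymous client can dump every
# userPassword. This LDIF installs two rules; the first matching "to" clause
# wins, so the userPassword rule must come first. The rootDN (cn=Manager) is
# exempt from access control and needs no mention here.
acl_ldif() {
    cat <<'EOF'
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to * by * read
EOF
}

# Apply it over the local ldapi:/// socket as root, the same way the post
# applies changes.ldif (needs a running slapd; not run by default).
apply_acl() {
    acl_ldif | ldapmodify -Y EXTERNAL -H ldapi:///
}

# Verification: an anonymous search must no longer return userPassword.
# Returns 0 if the hash is hidden, 1 if it still leaks (not run by default).
anonymous_cannot_read_hash() {
    ! ldapsearch -x -LLL -H ldapi:/// -b dc=example,dc=com \
        "(uid=ldapuser01)" userPassword | grep -q '^userPassword:'
}

# "by anonymous auth" still lets the user bind; -W prompts for the password
# instead of exposing it on the command line with -w (not run by default).
bind_still_works() {
    ldapwhoami -x -H ldapi:/// -D uid=ldapuser01,ou=People,dc=example,dc=com -W
}

# Helpers that sanity-check the LDIF itself, without a server.
acl_rule_count() {
    acl_ldif | grep -c '^olcAccess:'
}
first_acl_protects_passwords() {
    acl_ldif | grep -q '^olcAccess: {0}to attrs=userPassword .* by \* none$'
}

if [ "${1:-}" = "apply" ]; then
    apply_acl && anonymous_cannot_read_hash && bind_still_works \
        && echo "userPassword is no longer readable anonymously"
fi
```

After applying, rerun the post's ldapsearch: the user and group entries come back without userPassword, while ldapuser01 can still authenticate. The cn=Manager binds used earlier in the post keep working because the rootDN bypasses access control.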


1 comment:

  1. On CentOS 7 I had to change the following:
    slaptest failed telling me to add the "-u" parameter, so:

    # slaptest -u
    # cd /etc/openldap/
    # ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/cosine.ldif
    # ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/nis.ldif
    Entry /etc/openldap/certs/cert.pem failed because of permissions.
    First change:
    # sudo chmod 644 /etc/openldap/certs/priv.pem
    THEN
    # ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/openldap/changes.ldif
    And restore:
    # sudo chmod 600 /etc/openldap/certs/priv.pem

    When importing the user to the LDAP database I got "ldap_bind: Invalid credentials (49)".
    Then I gave up....
    Anybody a clue?
