When I started to learn how to configure an LDAP server I wasn't able to find detailed and accurate step-by-step instructions, so I decided to post my experience. The instructions written here I found on several forums/blogs, and this is one comprehensive guide. I hope you'll find it useful.
I used CentOS 7 as the LDAP server and Fedora Server 21 as the LDAP client.
Let's start configuring our server:
First, install the openldap and openldap-servers packages:
Open the /etc/openldap/slapd.d/cn=config.ldif file in your favorite editor and add the following directives:
olcConnMaxPending
The olcConnMaxPending directive specifies the maximum number of pending requests for an anonymous session (default 100).
olcConnMaxPendingAuth
The olcConnMaxPendingAuth directive specifies the maximum number of pending requests for an authenticated session (default 100).
olcIdleTimeout
The olcIdleTimeout directive specifies how many seconds to wait before closing an idle connection (default 0).
Add the paths to the certificate files (we'll create them shortly).
Content of the cn=config.ldif file:
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC-32 = 45f2f7b5
dn: cn=config
objectClass: olcGlobal
cn: config
olcAllows: bind_v2 bind_anon_cred
olcConnMaxPending: 100
olcConnMaxPendingAuth: 1000
olcIdleTimeout: 180
olcArgsFile: /var/run/openldap/slapd.args
olcPidFile: /var/run/openldap/slapd.pid
olcTLSCertificateFile: /etc/openldap/ssl/slapdcert.pem
olcTLSCertificateKeyFile: /etc/openldap/ssl/slapdkey.pem
structuralObjectClass: olcGlobal
entryUUID: 3c0e2f98-967d-1034-9d0f-7b34630a0dc0
creatorsName: cn=config
createTimestamp: 20150524162528Z
entryCSN: 20150524162528.659444Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20150524162528Z
Then, modify the /etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif file.
Enter the domain name (example.com) and the user who will populate the LDAP database (I used the root user).
File content:
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC-32 acf4938f
dn: olcDatabase={1}monitor
objectClass: olcDatabaseConfig
olcDatabase: {1}monitor
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external
 ,cn=auth" read by dn.base="cn=root,dc=example,dc=com" read by * none
structuralObjectClass: olcDatabaseConfig
entryUUID: 3c12350c-967d-1034-9d14-7b34630a0dc0
creatorsName: cn=config
createTimestamp: 20150524162528Z
entryCSN: 20150524162528.685866Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20150524162528Z
Create the admin password:
[root@server ~]$ slappasswd
New password:
Re-enter new password:
You'll get the hashed password as output:
{SSHA}vgcnr2E7rwMHPH65Cni5leHeBxooDG/f
Copy the final hashed output ({SSHA}vgcnr2E7rwMHPH65Cni5leHeBxooDG/f) for use in the
olcRootPW attribute in the olcDatabase={2}hdb.ldif file in the /etc/openldap/slapd.d/cn=config directory.
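As an added example (not from the original post), here is how the {SSHA} value that slappasswd printed is built and how it can be verified offline: it is "{SSHA}" followed by base64(SHA-1(password || salt) || salt), with a 4-byte salt by default. The plaintext behind the hash above is unknown, so the password used for verification is constructed; only the structure of the post's hash is inspected.

```python
"""Build and verify OpenLDAP {SSHA} userPassword values (the slappasswd default scheme)."""
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

SALT_LEN = 4          # slappasswd's default salt length
SHA1_LEN = 20         # SHA-1 digest length; everything after it in the blob is the salt

def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Return "{SSHA}" + base64(SHA-1(password || salt) || salt); random salt unless given."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def split_ssha(stored: str) -> Tuple[bytes, bytes]:
    """Split a {SSHA} value into (digest, salt); the salt is whatever follows the 20-byte digest."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    if len(raw) <= SHA1_LEN:
        raise ValueError("blob too short to contain a digest and a salt")
    return raw[:SHA1_LEN], raw[SHA1_LEN:]

def check_ssha(password: str, stored: str) -> bool:
    """Verify password against a stored {SSHA} value using a constant-time comparison."""
    digest, salt = split_ssha(stored)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, candidate)

# The value printed by slappasswd in the post above (plaintext unknown): it decodes to
# 24 bytes, a 20-byte SHA-1 digest followed by a 4-byte salt. {SSHA} is one salted SHA-1
# round with no work factor, so the olcRootPW plaintext should be long and random.
POST_HASH = "{SSHA}vgcnr2E7rwMHPH65Cni5leHeBxooDG/f"
```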
Content of olcDatabase={2}hdb.ldif:
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC-32 3f4c95ee
dn: olcDatabase={2}hdb
olcReadOnly: FALSE
olcRootDN: cn=root,dc=example,dc=com
olcSuffix: dc=example,dc=com
olcRootPW: {SSHA}vgcnr2E7rwMHPH65Cni5leHeBxooDG/f
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
structuralObjectClass: olcHdbConfig
entryUUID: 3c123bba-967d-1034-9d15-7b34630a0dc0
creatorsName: cn=config
createTimestamp: 20150524162528Z
entryCSN: 20150524162528.686038Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20150524162528Z
olcReadOnly
The olcReadOnly directive allows you to use the database in read-only mode. It takes the following form:
olcReadOnly: boolean
It accepts either TRUE (enable read-only mode) or FALSE (allow modifications of the database). The default is FALSE. If you set olcReadOnly: TRUE (as I did) :), you won't be able to perform
LDAP database updates (ldap_modify: Server is unwilling to perform (53)).
olcRootDN
The olcRootDN directive specifies the user that is unrestricted by access controls or administrative limit parameters set for operations on the LDAP directory. It accepts a Distinguished Name (DN), here cn=root,dc=example,dc=com.
olcRootPW
The olcRootPW directive sets the password for the user specified by the olcRootDN directive (put the hashed password here).
olcSuffix
The olcSuffix directive specifies the domain for which to provide information.
Now test the configuration: in a terminal (as root) type
slaptest -u
You should get the following output:
The checksum error won't prevent the server from running, but it's a bit annoying. Here is the solution I found:
Note: I needed to modify the tail command to produce the fixed.ldif file:
tail -n +3 /tmp/olcDatabase={1}monitor.ldif > /tmp/fixed.ldif
(repeat this for the remaining two files)
Run slaptest -u again; you should get the following output:
We configured the LDAP server to use SSL keys, but we still haven't created any.
For testing purposes I created a self-signed certificate.
Create the /etc/openldap/ssl folder and generate the keys:
This will create the certificate and private key in the /etc/openldap/ssl/ directory; make sure that the ldap user can read them.
[root@server ~]$ chown -Rf root:ldap /etc/openldap/ssl
[root@server ~]$ chmod -Rf 750 /etc/openldap/ssl
Start the slapd service and check that it listens on the LDAPS ports.
Before starting to build our LDAP database, we need to import the schemas in order to avoid the following errors:
adding new entry “dc=example,dc=com”
ldap_add: Invalid syntax (21)
additional info: objectClass: value #0 invalid per syntax
ldapadd -Y EXTERNAL -H ldapi:// -f /etc/openldap/schema/core.ldif
ldapadd -Y EXTERNAL -H ldapi:// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:// -f /etc/openldap/schema/nis.ldif
Search & test the database:
ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
Now build the LDAP database: create an empty file (base.ldif) and populate it with the following data
dn: dc=example,dc=com
dc: example
objectClass: top
objectClass: domain
dn: ou=people,dc=example,dc=com
ou: people
objectClass: top
objectClass: organizationalUnit
dn: ou=group,dc=example,dc=com
ou: group
objectClass: top
objectClass: organizationalUnit
Now import it into the database:
[root@server1 cn=config]# ldapadd -x -W -D "cn=root,dc=example,dc=com" -f ./base.ldif
Enter LDAP Password:
adding new entry “dc=example,dc=com”
adding new entry “ou=people,dc=example,dc=com”
adding new entry “ou=group,dc=example,dc=com”
Now migrate the existing users (I only had one, the root user).
First, modify the migration scripts (migrate_common.ph) in the /usr/share/migrationtools folder to use our example.com domain.
If you have no migrationtools folder, install the migration tools package:
yum install migrationtools -y
The migration tools will create an ldif file (people.ldif in our case) which will be used to populate the LDAP database:
[root@server1 slapd.d]# /usr/share/migrationtools/migrate_passwd.pl /etc/passwd people.ldif
and the groups:
[root@server1 slapd.d]# /usr/share/migrationtools/migrate_group.pl /etc/group group.ldif
Now import the users & groups into the LDAP server:
[root@server1 slapd.d]# ldapadd -xWD "cn=root,dc=example,dc=com" -f people.ldif
[root@server1 slapd.d]# ldapadd -xWD "cn=root,dc=example,dc=com" -f group.ldif
Test the LDAP database content:
[root@server1 slapd.d]# ldapsearch -xWD "cn=root,dc=example,dc=com" -b "dc=example,dc=com"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# example.com
dn: dc=example,dc=com
dc: example
objectClass: top
objectClass: domain
# people, example.com
dn: ou=people,dc=example,dc=com
ou: people
objectClass: top
objectClass: organizationalUnit
--- output cut ---
Now we can add a new user and group (you can use people.ldif as a template).
Create a gordon.ldif file for the new user gordon:
dn: uid=gordon,ou=people,dc=example,dc=com
uid: gordon
cn: gordon gotham
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$6$TUAgiILnArH7dyF4$TpSEXoTAPMvQR3ipQWqaQ8gbAlHMB8udOaeRwePs3PkTK4ePuENozOZkVc8Qdjwe.vjvm4YOccIMdLF/MdsDk0
shadowLastChange: 16579
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1003
gidNumber: 1003
homeDirectory: /home/gordon
gecos: gordon gotham
The same goes for the group. Content of the file gordon-group.ldif (again, group.ldif can be used as a template):
dn: cn=gordon,ou=group,dc=example,dc=com
objectClass: posixGroup
objectClass: top
cn: gordon
userPassword: {crypt}x
gidNumber: 1003
Add the new user and group to the LDAP server:
[root@server1 slapd.d]# ldapadd -xWD "cn=root,dc=example,dc=com" -f gordon.ldif
Enter LDAP Password:
adding new entry "uid=gordon,ou=people,dc=example,dc=com"
[root@server1 slapd.d]# ldapadd -xWD "cn=root,dc=example,dc=com" -f gordon-group.ldif
Enter LDAP Password:
adding new entry "cn=gordon,ou=group,dc=example,dc=com"
Now set the password for user gordon (I set 123456 as the password):
[root@server1 slapd.d]# ldappasswd -xWD "cn=root,dc=example,dc=com" -s 123456 "uid=gordon,ou=people,dc=example,dc=com"
Enter LDAP Password:
Now we can set up our LDAP client, but first we need to make our certificate available to the client.
On the server I installed the Apache web server, created the /var/www/html/inst folder and
copied the certificate (slapdcert.pem) to the inst folder. Only the public certificate is published this way; the private key (slapdkey.pem) stays on the server.
[root@server1 slapd.d]# yum install httpd -y
[root@server1 slapd.d]# systemctl start httpd
[root@server1 slapd.d]# mkdir /var/www/html/inst/
[root@server1 slapd.d]# cp /etc/openldap/ssl/slapdcert.pem /var/www/html/inst/
[root@server1 slapd.d]# chcon -R --reference=/var/www/html/ /var/www/html/inst
[root@server1 slapd.d]# firewall-cmd --zone=public --add-port=80/tcp --permanent
[root@server1 slapd.d]# firewall-cmd --reload
Now try to access server1 from the client.
On the client, install the openldap-clients, nss-pam-ldapd and sssd packages and
run the authconfig-gtk command.
Enter the LDAP base DN and LDAP server, click Download CA Certificate, enter
http://server1.example.com/inst, click OK and Apply (of course, make sure that server1.example.com is resolvable from the client).
Now we need to tell the system to search the LDAP server as well:
open the /etc/nsswitch.conf file and add the following directives.
We instruct our machine that if a user is not found in the local files (/etc/passwd, /etc/group), it looks at the LDAP server:
passwd: files ldap
shadow: files ldap
group: files ldap
Save and close the file.
Restart the sssd service. If you now try to log in to the terminal with su gordon, you won't be able to do so.
Hmm, what's wrong now?
See the log file:
[root@localhost cacerts]# tail -n 20 /var/log/messages
Could not start TLS encryption. TLS error -8172: Peer's certificate issuer has been marked as not trusted by the user.
We have to add the CA certificate that signed the LDAP server's cert to the client.
First, from server1, copy slapdcert.pem to the /etc/openldap/cacerts/ folder (I used SCP), then
from the client run /etc/pki/tls/misc/c_hash /etc/openldap/cacerts/slapdcert.pem
It will print an 8-digit hex number, and we have to create a symlink named <that number>.0 pointing to the slapdcert.pem file:
[root@localhost cacerts]# ln -s /etc/openldap/cacerts/slapdcert.pem /etc/openldap/cacerts/35157f9e.0
Restart the sssd service and try to log in as gordon.
Yeah, it finally works!
Centos Ldap Config
I'm following this OpenLDAP step by step tutorial: http://www.server-world.info/en/note?os=CentOS_7&p=openldap&f=1
Important: I'm working on CentOS 7.
But when in the first part I try to start slapd with systemctl start slapd, it throws an error that I can't solve.
I looked on the web, StackOverflow and Server Fault but nobody has the same problem.
This is the error:
And here is the stack trace or error when I check the systemctl status.
My question is: what can I do? Is there any solution? Or what guideline should I follow to fix the problem?
How can I start to solve this?
Neil
3 Answers
Use the CentOS OpenLDAP help page. It is very concise with no fluff. Prior to doing so, please revert all the config files to their original state. This can be confirmed via:
If the above command shows any files modified, either remove and reinstall openldap-server or fetch the files from a backup.
I also used that guide to set up OpenLDAP on CentOS 7. Once I only installed openldap-servers
without the client and it completely failed; there were permissions issues and slapd failed to start, etc. I agree with others about starting over and following the directions exactly.
But even so, there are some issues in the guide that are helpful to have documented:
- If you copy-paste from the guide into the ldif files, be sure to fix any wrapped lines; they caused errors for me (chdomain.ldif in particular).
- In basedomain.ldif, o: Server World and dc: Server should be changed to the correct domain, otherwise you get this error: ldap_add: Naming violation (64) additional info: value of single-valued naming attribute 'dc' conflicts with value present in entry
- The final ldapadd command should also be changed to the correct domain or else you will get invalid credentials errors.
Those errors really weren't intuitive, but I was able to complete the guide and configure OpenLDAP.
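As an added example, not part of this answer or of the blog post above, here is a small Python linter for the LDIF files both procedures feed to ldapadd (the post's base.ldif, people.ldif and gordon.ldif, and the guide's basedomain.ldif). It parses LDIF records (unfolding ' ' continuation lines and skipping '#' comments; base64 '::' values are not handled) and reports the two mistakes described: an RDN value such as dc=example that disagrees with the entry's own dc attribute (the "Naming violation (64)" above), and an entry whose parent was never added. The sample LDIF is constructed.

```python
def parse_ldif(text):
    """Parse LDIF into [(dn, {attr_lower: [values]})], unfolding ' ' continuation lines."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith("#"):
            continue                                  # comment line
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]                  # folded continuation of the previous line
        else:
            unfolded.append(line)
    records, dn, attrs = [], None, {}
    for line in unfolded + [""]:                      # the trailing "" flushes the last record
        if not line.strip():                          # a blank line separates records
            if dn is not None:
                records.append((dn, attrs))
            dn, attrs = None, {}
            continue
        name, _, value = line.partition(":")
        value = value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name.lower(), []).append(value)
    return records

def lint_ldif(text, existing=()):
    """Return problem strings; 'existing' lists DNs already in the directory.
    The first record is taken as the file's base, so its parent is not checked."""
    problems, known = [], {d.lower().replace(", ", ",") for d in existing}
    for i, (dn, attrs) in enumerate(parse_ldif(text)):
        first, _, parent = dn.lower().replace(", ", ",").partition(",")
        for part in first.split("+"):                 # multi-valued RDNs are joined with '+'
            attr, _, value = part.partition("=")
            if value not in [v.lower() for v in attrs.get(attr, [])]:
                problems.append(f"{dn}: RDN {attr}={value} does not match the entry's {attr} attribute")
        if i > 0 and parent not in known:
            problems.append(f"{dn}: parent {parent} is neither earlier in this file nor in 'existing'")
        known.add(dn.lower().replace(", ", ","))
    return problems

# Constructed sample: the guide's template value left under our own dn (dc: Server vs
# dc=example), plus an OU whose parent was never added.
BAD_LDIF = """\
dn: dc=example,dc=com
dc: Server
objectClass: dcObject

dn: ou=people,dc=example,dc=org
ou: people
"""
```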
You have some kind of error in your configuration files. At the very least, you made an error when creating your initial config file and likely changed what's stated in the tutorial:
The tutorial states:
but OpenLDAP tries to create /openldap/slapd.pid, which can't work as /openldap won't exist as a directory.
Start over from scratch.
Sven