Openldap server configuration without ldap migration

tool

OpenLdap
LDAP Directory Server Installation and configuration. Description: Lightweight Directory
Access Protocol (LDAP) is a means of serving data on individuals, system users, network devices
and systems over the network for e-mail clients, applications requiring authentication or
information.

Uses Of OpenLdap
1- LDAP not only keeps a list of users, you can use it as storage for your files.
2- It can be used for authenticating users as we mentioned above.
3- LDAP can be used as a yellow pages directory service for an organization to provide
information about users or employees, departments, contact information, phone numbers,
addresses, private data or whatever.

What is my setup?

Server: Centos-7 www.linuxpert.com 172.16.10.7/16

Tasks we will be doing

Install software packages for OpenLDAP
Configure LDAP & logging
Set up firewall rules
Do a first import of an ldif file
Verify our first import
Create ldap users
Manualy
LdapAdmin.exe

Installing OpenLDAP
1- Install The All Required Packages
# yum install -y openldap openldap-clients openldap-servers

2- Verify the installation using the below command

# rpm -qa | grep openldap

openldap-clients-2.4.40-13.el7.x86_64
openldap-2.4.40-13.el7.x86_64
openldap-servers-2.4.40-13.el7.x86_64

3- Now Configure OpenLDAP Server

# cd /etc/openldap/slapd.d/cn\=config

4- Find out which files you need to update using the below grep command

# grep my-domain *

olcDatabase={1}monitor.ldif: al,cn=auth" read by dn.base="cn=Manager,dc=my-

domain,dc=com" read by * none
olcDatabase={2}hdb.ldif:olcSuffix: dc=my-domain,dc=com

5- Open these two files in vi editor and change all occurrences of my-
domain to linuxpert. I opened them and changed it with the following vi
command ":%s/my-domain/linuxpert/"

# vim olcDatabase\=\{1\}monitor.ldif

# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.

# CRC32 6ba73e26
dn: olcDatabase={1}monitor
objectClass: olcDatabaseConfig
olcDatabase: {1}monitor
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=extern
al,cn=auth" read by dn.base="cn=Manager,dc=my-domain,dc=com" read by * none
structuralObjectClass: olcDatabaseConfig
entryUUID: d170f806-1d9c-1037-96e2-afed7615c980
creatorsName: cn=config
createTimestamp: 20170825045136Z
entryCSN: 20170825045136.003135Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20170825045136Z
:%s/my-domain/linuxpert

:wq! (Save & Quit)

# vim olcDatabase\=\{2\}hdb.ldif

# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.

# CRC32 d7a0a170
dn: olcDatabase={2}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=my-domain,dc=com
olcRootDN: cn=Manager,dc=my-domain,dc=com
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
structuralObjectClass: olcHdbConfig
entryUUID: d17107f6-1d9c-1037-96e3-afed7615c980
creatorsName: cn=config
createTimestamp: 20170825045136Z
entryCSN: 20170825045136.003543Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20170825045136Z

:%s/my-domain/linuxpert

:wq! (Save & Quit)

5- Generate a LDAP encrypted password for Manager user

# slappasswd

New password:
Re-enter new password:
{SSHA}PlOJU60HjF+WTt9/8L10fjPyTugQ79V

Copy the above password hash. We need to add it to one config files. Open up the following one
files and Look for line that starts with olcRootDN.

Add the following line next to this line in the above one files

# vim olcDatabase\=\{2\}hdb.ldif
olcRootDN: cn=Manager,dc=linuxpert,dc=com
olcRootPW: {SSHA}PbLFyieb9d0mPWSEbcfqRs0gMSutJXzE

:wq (Save & Quit)

6- Generate a X509 self sign certificate which is valid for 365 days:

# openssl req -new -x509 -nodes -out /etc/pki/CA/cacert.pem -keyout

/etc/pki/CA/private/cakey.pem -days 365

Generating a 2048 bit RSA private key

...............................................+++
...........+++
writing new private key to '/etc/pki/CA/private/cakey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:NEW DELHI
Locality Name (eg, city) [Default City]:DELHI
Organization Name (eg, company) [Default Company Ltd]:Mauryanpentool.com
Organizational Unit Name (eg, section) []:Linux
Common Name (eg, your name or your server's hostname) []:www.linuxpert.com
Email Address []:ashutoshsmaurya@gmail.com

# cd /etc/pki/CA/
# chown ldap:ldap cacert.pem
# cd /etc/pki/CA/private/
# chown ldap:ldap cakey.pem
# chmod 600 cakey.pem

7- Add certificate file in "olcDatabase={2}bdb.ldif"

# vim /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}hdb.ldif

olcRootDN: cn=Manager,dc=linuxpert,dc=com
olcRootPW: {SSHA}PbLFyieb9d0mPWSEbcfqRs0gMSutJXzE
olcTLSCertificateFile: /etc/pki/CA/cacert.pem
olcTLSCertificateKeyFile: /etc/pki/CA/private/cakey.pem

:wq (Save & Quit)

7- Copy database config file

Copy DB_CONFIG.example from /usr/share/openldap-servers to /var/lib/ldap and set correct

permissions as shown below

# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
# chown -R ldap.ldap /var/lib/ldap

8- Enable LDAPS

# vim /etc/sysconfig/slapd

SLAPD_URLS="ldapi:/// ldap:/// ldaps:///"

:wq (Save & Quit)

9- Configure LDAP Logging

now let’s set up logging. Open /etc/rsyslog.conf

# vim /etc/rsyslog.conf

# Add the below line

# Ldap Log
local4.* /var/log/slapd/slapd.log

:wq (Save & Quit)

# mkdir /var/log/slapd
# chmod 755 /var/log/slapd
# chown ldap.ldap /var/log/slapd

10- Ldap server uses the following ports. We need to add firewalled rules to
allow connections on port 389 (LDAP) and 636 (LDAPS Add the below
Firewalled rule).

# firewall-cmd --permanent --add-port=389/tcp

# firewall-cmd --permanent --add-port=636/tcp
# firewall-cmd –reload

11- Restart Services

# systemctl restart rsyslog

# systemctl restart firewalld
# systemctl start slapd
# systemctl enable slapd

12- Set up first import using ldapadd (Create a file named firstimport.ldif)

# vim firstimport.ldif

dn: dc=linuxpert,dc=com
dc: linuxpert
o: linuxpert
objectclass: dcobject
objectclass: organization

# ldapadd -x -D "cn=Manager,dc=linuxpert,dc=com" -W -f firstimport.ldif

Enter LDAP Password:

adding new entry "dc=linuxpert,dc=com"

Enter the admin password that you created earlier when asked. This command will add the root
entry to the ldap server.

-x : use simple authentication instead of SASL

-D : binddn, the distinguished name to bind to the ldap directory
-W : prompt for authentication instead of entering password in the command line
-f : read information from the given file instead of the standard input

13- Verify import using ldapsearch

Now that we have added a single entry, we will verify it by querying the ldap server as below
# ldapsearch -x -b dc=linuxpert,dc=com

# extended LDIF
#
# LDAPv3
# base <dc=linuxpert,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# linuxpert.com
dn: dc=linuxpert,dc=com
dc: linuxpert
o: linuxpert
objectClass: dcObject
objectClass: organization

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

If you want to see the actual query output without comments and ldap version information use -
LLL option as shown below.

# ldapsearch -x -LLL -b dc=linuxpert,dc=com

dn: dc=linuxpert,dc=com
dc: linuxpert
o: linuxpert
objectClass: dcObject
objectClass: organization

14- Add schema file

Note- Schema file by default added in rhel-6 & Centos-6 and you can check in this location "# ls
/etc/openldap/slapd.d/cn\=config/cn\=schema/") and no need to add this file in rhel-6 &
centos-6.

# cd /etc/openldap/schema

# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f cosine.ldif

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"

# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f nis.ldif

SASL/EXTERNAL authentication started

SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"

# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f collective.ldif

SASL/EXTERNAL authentication started

SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=collective,cn=schema,cn=config"

# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f corba.ldif

SASL/EXTERNAL authentication started

SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=corba,cn=schema,cn=config"

# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f core.ldif

SASL/EXTERNAL authentication started

SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=core,cn=schema,cn=config"
ldap_add: Other (e.g., implementation specific) error (80)
additional info: olcAttributeTypes: Duplicate attributeType: "2.5.4.2"

# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f duaconf.ldif

SASL/EXTERNAL authentication started

SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=duaconf,cn=schema,cn=config"

# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f dyngroup.ldif

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=dyngroup,cn=schema,cn=config"

# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f inetorgperson.ldif

SASL/EXTERNAL authentication started

SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"

# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f java.ldif

SASL/EXTERNAL authentication started

SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=java,cn=schema,cn=config"

# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f misc.ldif

SASL/EXTERNAL authentication started

SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=misc,cn=schema,cn=config"

# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f openldap.ldif

SASL/EXTERNAL authentication started

SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=openldap,cn=schema,cn=config"

# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f pmi.ldif

SASL/EXTERNAL authentication started

SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=pmi,cn=schema,cn=config"

# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f ppolicy.ldif

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=ppolicy,cn=schema,cn=config"

# cd

Note- You can add schema files according to your need

15- LDAP Users Management

1- Use Manually (Command’s)

2- Use LDAPADMIN.EXE (Windows Software)

First Use Manually

Add OU (organizational units)-

# vim usersou.ldif

dn: ou=users,dc=linuxpert,dc=com
ObjectClass: organizationalUnit
ou: users
dn: ou=groups,dc=linuxpert,dc=com
ObjectClass: organizationalUnit
ou: groups

:wq (Save & Quit)

Now add it to LDAP using the below command

# ldapadd -x -D "cn=Manager,dc=linuxpert,dc=com" -W -f usersou.ldif

Enter LDAP Password:

adding new entry "ou=users,dc=linuxpert,dc=com"

adding new entry "ou=groups,dc=linuxpert,dc=com"

We shall add a user to the newly created users organizational unit. Create a file named users.ldif
and enter the below content.
Add user

# vim users.ldif

dn: cn=ashu,ou=groups,dc=linuxpert,dc=com
cn: ashu
objectClass: top
objectClass: posixGroup
gidNumber: 5000

dn: uid=ashu,ou=users,dc=linuxpert,dc=com
cn: Ashu Linux
givenName: Ashu
sn: Linux
uid: ashu
uidNumber: 5003
gidNumber: 5003
homeDirectory: /home/ashu
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
loginShell: /bin/bash
userPassword: {CRYPT}*

:wq (Save & Quit)

# ldapadd -x -D "cn=Manager,dc=linuxpert,dc=com" -W -f users.ldif

Enter LDAP Password:

adding new entry "cn=ashu,ou=groups,dc=linuxpert,dc=com"

adding new entry "uid=ashu,ou=users,dc=linuxpert,dc=com"

Set up password for the newly created user using the below command

# ldappasswd -x -D "cn=Manager,dc=linuxpert,dc=com" -W -S
"uid=ashu,ou=users,dc=linuxpert,dc=com"
New password: *******
Re-enter new password: ******
Enter LDAP Password: ***************

We are done adding an user and his primary group. Query LDAP for users Lets query the user
we created in the previous step. You can use any of the user fields to query ldap. Try the
following search commands.

# ldapsearch -x -LLL "uid=ashu" -b "ou=users,dc=linuxpert,dc=com"

dn: uid=ashu,ou=users,dc=linuxpert,dc=com
cn: Ashu Linux
givenName: Ashu
sn: Linux
uid: ashu
uidNumber: 5003
gidNumber: 5003
homeDirectory: /home/ashu
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
loginShell: /bin/bash
userPassword:: e1NTSEF9NnBrV1pGUlVTT1JDVjVzMkFtdzdhUWtUM2FzUjdDQVM=

OR

# ldapsearch -x -LLL "cn=Ashu Linux" -b "ou=users,dc=linuxpert,dc=com"

dn: uid=ashu,ou=users,dc=linuxpert,dc=com

cn: Ashu Linux

givenName: Ashu

sn: Linux

uid: ashu

uidNumber: 5003
gidNumber: 5003

homeDirectory: /home/ashu

objectClass: top

objectClass: posixAccount

objectClass: shadowAccount

objectClass: inetOrgPerson

objectClass: organizationalPerson

objectClass: person

loginShell: /bin/bash

userPassword:: e1NTSEF9NnBrV1pGUlVTT1JDVjVzMkFtdzdhUWtUM2FzUjdDQVM=

Search All User

# ldapsearch -x -LLL "cn=*" -b "ou=users,dc=linuxpert,dc=com"

Delete Ldap User-

# ldapdelete -W -D "cn=Manager,dc=linuxpert,dc=com"
"uid=user1,ou=users,dc=linuxpert,dc=com"

Enter LDAP Password:

Use LDAPADMIN.EXE @Windows

Ldap Admin is a free Windows LDAP client and administration tool for LDAP directory
management. This application lets you browse, search, modify, create and delete objects on
LDAP server. It also supports more complex operations such as directory copy and move
between remote servers and extends the common edit functions to support specific object types
(such as groups and accounts).

First Download Ldapadmin.exe file below mention url

http://www.ldapadmin.org/download/ldapadmin.html

Run LdapAdmin.exe File

Now open ldap admin

Click to start and click connect

Click to New Connection-

Enter the LDAP Server details

Click Test Connection

Click Ok  Ok
Now you can see the Ldap Server
Double click the LDAP Server
Create new user-> Right Click on OU Users -> New  User- >
Right Click uid=user1  Set password

Right Click OU=Groups ->> New --> Group

Click to add button and add user1 -> ok ->ok

Now u can see the user1 ..

Search the command Line

# ldapsearch -x -LLL "cn=*" -b "ou=users,dc=linuxpert,dc=com"

LDAP Server Configuration Successfully Done.

-Ashutosh

Reference- https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/s1-
ldap-pam.html