
2/25/12 Minimal LDAP configuration on RHEL6 in stages and details - SpectLog

1/13 spectlog.com/content/Minimal_LDAP_configuration_on_RHEL6_in_stages_and_details
Minimal LDAP configuration on RHEL6 in stages and details
From SpectLog
: ldap
This page gives rather extensively detailed commands to set up an LDAP server and client for user authentication. The stages are redundant, meaning that intermediate configuration is overridden by the final changes. However, all intermediate stages are useful to get simple things working before moving forward.
Contents
1 Note about slapd.conf file and slapd.d directory (dynamic or cn=config) configuration
2 Stage 0: Installing and setting up LDAP server and client
2.1 Install and set up OpenLDAP server
2.2 Prepare configuration file for conversion into dynamic configuration back-end (cn=config)
2.3 Install and set up OpenLDAP client
2.4 Prepare initial content files for LDAP server
2.5 Clean up previous LDAP content and configuration and reinitialize them
2.6 Test initial configuration
3 Prepare LDIF files and add single test user and group to LDAP
3.1 In regular /etc/passwd and /etc/group files create test user and group for migration
3.2 Prepare tools for migration of user and group data to LDAP
3.3 Migrate single test user and group from /etc/passwd and /etc/group files into corresponding LDIF format
4 Stage 1: Configure authentication through LDAP without encrypted connection
5 Stage 2: Enable encrypted connection
5.1 Allow read/write access to dynamic cn=config configuration
5.2 Configure LDAP to use encrypted connection
5.3 Configure LDAP server to use ldaps:// URI scheme exclusively
5.4 Make corresponding changes on LDAP client side and test everything
6 Test: Trying to use auth configuration with sssd service (instead of nslcd) which does not work
7 Stage 3: Creating CA certificate to avoid using self-signed LDAP server certificates
8 Final client configuration: Using sssd service (instead of nslcd) for LDAP authentication
9 Troubleshooting
10 References
11 Feedback
Note about slapd.conf file and slapd.d directory (dynamic or cn=config) configuration
Content of ///.. provides an example configuration described in the slapd.conf man page, which is the legacy configuration approach. The current way of configuring OpenLDAP is to use dynamic configuration (cn=config) described in the slapd-config man page.
Dynamic cn=config configuration should be modifiable by regular LDAP commands. However, it is prohibited by the default configuration (at least on RHEL6 it was impossible). Manual LDIF file changes under the slapd.d directory seem to be an even worse option than converting the sample ///.. file. Therefore, instead of using cn=config directly from the beginning, conversion from the slapd.conf file is used initially. As soon as the initial dynamic LDAP configuration is set, a small modification to the LDIF files in the slapd.d directory is required to allow subsequent changes through dynamic requests using LDAP client utilities.
Stage 0: Installing and setting up LDAP server and client
Install and set up OpenLDAP server
Install the packages:
-
Add the following lines to the /// file:
-A INPUT - -- NEW - - -- 389 - ACCEPT
-A INPUT - -- NEW - - -- 389 - ACCEPT
Restart the firewall:

Make sure service can run:

Prepare configuration file for conversion into dynamic configuration back-end (cn=config)
Make sure service is not running:

Prepare the customized configuration file in ..:
///.. ..
Generate the root password for the LDAP cn=config configuration:

For example, password "" generated "SSHAR6JBEX1YDWYZ8GUFQZKN".
Modify the defaults in ///..:
Set to the hashed password above.
Substitute "=M,=-,=" for "=,=,=".
Substitute "=-,=" for "=,=".
Install and set up OpenLDAP client
Install the package:
-
Configure the clients through ///.. Providing the base DN is not necessary, as it is =,= by default. However, the default URI refers to which has to be changed.
BASE =, =
URI ://..
Prepare initial content files for LDAP server
This section provides the content of the initial LDAP database in LDIF format.
Create the .. file with the following content:
# R
: =,=
: O
:
: E C
:
Create the ... file with the following content:
# A DN
: =,=,=
: R
:
Create the ... file with the following content:
# B DN
: =,=,=
:
:
: U
:
Create the ... file with the following content:
# B DN
: =,=,=
:
:
: U
:
Clean up previous LDAP content and configuration and reinitialize them
This section can be used repeatedly to reset the configuration, reinitialize the LDAP content and start over again.
Make sure service is not running:

Clean up the configuration:
- ///./*
Clean up content:
- ////*
Copy the file:
////--*/DB_CONFIG. ////DB_CONFIG
Initialize the DB files for content in the /// directory:
"" - ///..
This is required, otherwise you will get this error:
__: "=,=": _(////2.) : N (2).
Convert the configuration file into dynamic configuration under the ///. directory:
- ///.. -F ///.
Initialize LDAP DB with initial content:
- ..
- ...
- ...
- ...
Set permissions:
-R : ///
-R : ///.
Test initial configuration
Start server:

List the content by a request from the client:
- - '=,='
Load the rest of the LDAP database content from LDIF:
- -D '=,=,=' -W - ...
- -D '=,=,=' -W - ...
List again:
- - '=,='
Prepare LDIF files and add single test user and group to LDAP
In regular /etc/passwd and /etc/group files create test user and group for migration
While it is possible to use existing users and groups from // and //, it is better to create a special user. RHEL and Fedora have a range of UIDs and GIDs for automatic selection, which is configured in the //. file by the UID_MIN/UID_MAX and GID_MIN/GID_MAX variables. Choosing a UID and GID above these ranges makes it safer to assume that they are not in use.
Create user "" specifying the UID and GID explicitly:
-- 100000
-- 100000 -- 100000

Prepare tools for migration of user and group data to LDAP
Install tools to migrate user data to LDAP:

Set the defaults used by the migration tools in the ////_. file:
DeIault DNS domain
$DEFAULT_MAIL_DOMAIN = ".";
DeIault base
$DEFAULT_BASE = "=,=";
Naming context for user data according to the users.example.com.ldif file above
$NAMINGCONTEXT'' = "=";
Naming context for group data according to the groups.example.com.ldif file above
$NAMINGCONTEXT'' = "=";
Migrate single test user and group from /etc/passwd and /etc/group files into corresponding LDIF format
Extract the single configuration lines from the // and // files for the "" user and group:
// > ..
// > ..
Convert the user and group lines into LDIF format:
////_. .. ..
////_. .. ..
Import them into the LDAP database:
- -D "=,=,=" -W - ..
- -D "=,=,=" -W - ..
Check the output:
- - '=,='
Delete the user, leaving its home directory, to avoid having two sources (deleting the group explicitly may not be necessary):


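As an added example that is not part of the original page, the following script renders one /etc/passwd line and one /etc/group line as the LDIF that the migration step produces, so the entries can be reviewed before they are loaded with ldapadd. The base DN dc=example,dc=com, the ou=People and ou=Group containers and the user name ldapuser are constructed assumptions, not values from this page.

```shell
#!/bin/sh
# Added example, not the page's own code: render one /etc/passwd line and one
# /etc/group line as the LDIF that the migration step produces, so the entries
# can be reviewed before ldapadd loads them into the directory.
# Assumptions (not taken from the page): base DN dc=example,dc=com with the
# ou=People and ou=Group containers that migrate_common.ph uses by default.
BASE_DN='dc=example,dc=com'

# passwd_to_ldif 'name:x:uid:gid:gecos:home:shell' -> posixAccount entry on stdout.
# Lines with fewer than 7 fields produce nothing. The password hash is left out on
# purpose: the page sets userPassword afterwards with a separate LDIF modify.
passwd_to_ldif() {
    printf '%s\n' "$1" | awk -F: -v base="$BASE_DN" '
    NF >= 7 {
        printf "dn: uid=%s,ou=People,%s\n", $1, base
        printf "uid: %s\ncn: %s\n", $1, ($5 == "" ? $1 : $5)
        printf "objectClass: account\nobjectClass: posixAccount\n"
        printf "objectClass: top\nobjectClass: shadowAccount\n"
        printf "loginShell: %s\nuidNumber: %s\ngidNumber: %s\n", $7, $3, $4
        printf "homeDirectory: %s\n\n", $6
    }'
}

# group_to_ldif 'name:x:gid:member1,member2' -> posixGroup entry with one
# memberUid per listed member.
group_to_ldif() {
    printf '%s\n' "$1" | awk -F: -v base="$BASE_DN" '
    NF >= 3 {
        printf "dn: cn=%s,ou=Group,%s\n", $1, base
        printf "objectClass: posixGroup\nobjectClass: top\n"
        printf "cn: %s\ngidNumber: %s\n", $1, $3
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") printf "memberUid: %s\n", m[i]
        printf "\n"
    }'
}

# Constructed sample lines for the test user: UID and GID 100000, above the
# UID_MAX/GID_MAX range of /etc/login.defs, as the page recommends.
SAMPLE_PASSWD='ldapuser:x:100000:100000:LDAP test user:/home/ldapuser:/bin/bash'
SAMPLE_GROUP='ldapuser:x:100000:ldapuser'

passwd_to_ldif "$SAMPLE_PASSWD"
group_to_ldif "$SAMPLE_GROUP"
```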
Stage 1: Configure authentication through LDAP without encrypted connection
Reference link:
http://www.linuxquestions.org/questions/linux-enterprise-47/rhel-6-ldap-now-requires-tls-843917/#post4157216
Login to test client machine:
@1..
Make sure there is no "" user configured on this client machine:

// //
Configure the LDAP client through the ///. file (see the appropriate section).
Set the FORCELEGACY flag in the /// file to use the nslcd service, which does not force an encrypted connection:
FORCELEGACY=
ConIigure:
-- -- --=.. --="=,=" --
Test by checking that LDAP returns data for the "" user:

Create the home directory for the user on the test client machine (assuming network-mounted home directories are not configured):
//
-R : //
Generate the password hash (LDAP supports different hashes; use the one provided by its own utility):

Create a request (LDIF) in the ... file which modifies the P attribute of the user entry:
: =,=,=,=
:
: P
P: SSHAR6JBEX1YDWYZ8GUFQZKN
Run the request:
-D '=,=,=' -W - ...
Test the login:
@1..
Stage 2: Enable encrypted connection
This time the LDAP cn=config configuration database is modified dynamically using LDAP utilities (instead of converting the slapd.conf file).
Allow read/write access to dynamic cn=config configuration
Stop the server:

Enable the IPC interface to the server by setting the SLAPD_LDAPI flag in the /// file:
SLAPD_LDAPI=
Comment out all lines with attribute A in ///./\=/D\=\0\. and add the following one below them:
A: 0 * .=N=0+N=0,=,=,= *
Test the configuration:
-
Start the server:

Configure LDAP to use encrypted connection
Make sure the LDAP service is running:

Query the content of the cn=config tree to test the connection:
-LLL -Y EXTERNAL -H :/// - =
Create a request (LDIF) in the ... file which adds properties in the LDAP configuration for the certificate and key files:
: =
:
: TLSCF
TLSCF: /////.
-
: TLSCKF
TLSCKF: /////.
-
Send the request to modify the configuration entities:
-Y EXTERNAL -H :/// - ...
Configure LDAP server to use ldaps:// URI scheme exclusively
Stop the service:

Change the /// file to enable the SLAPD_LDAPS flag and disable the SLAPD_LDAP flag:
SLAPD_LDAP=
SLAPD_LDAPS=
Generate a self-signed certificate:
- -509 - - /////. - /////. - 365
Set permissions:
-R : /////. /////.
-R 750 /////.
Modify the firewall in /// to open LDAPS:
-A INPUT - -- NEW - - -- 636 - ACCEPT
-A INPUT - -- NEW - - -- 636 - ACCEPT
Start the server:

Make corresponding changes on LDAP client side and test everything
Modify the client configuration to use LDAPS and test with the client utilities:
URI ://..
TLS_REQCERT
Check connection by the client:
- - '=,='
Modify the (LDAP nameservice daemon) service so that it connects using the :// URI scheme:
_
://../
Restart service:

Check the credentials returned by LDAP:

Test: Trying to use auth configuration with sssd service (instead of nslcd) which does not work
This section is just a demo test which should fail.
Reference link:
http://slashroot.eu/2011/06/13/rhel6-and-ldap-server-with-ssl/
Set this flag FORCELEGACY in the /// file to use the service instead of the service:
FORCELEGACY=
Re-configure with the same command:
-- -- --=.. --="=,=" --
Make sure the following parameters are set in the ///. configuration file:
_ = ://../
Try to get the credentials returned by LDAP with the same " " command. The /// will show the following error:
[[]]: LDAP : :14090086:SSL :SSL3_GET_SERVER_CERTIFICATE:
The problem is that the LDAP certificate is self-signed, which can be confirmed by verifying it:
@..://///. /
//.
Stage 3: Creating CA certificate to avoid using self-signed LDAP server certificates
Go through the procedure to create a CA certificate, create the LDAP server certificate and install the CA certificate on the client machine:
Create Certificate Authority (CA) instead of using self-signed Certificates
Login to LDAP server host:
..
It is assumed that:
the generated server key file /////... is located on the server host (..);
the generated server CA-signed certificate file ////... is located on the CA host (..).
Overwrite the old LDAP server certificate files with the new ones (instead of changing the paths to them in the LDAP configuration):
/////... /////.
..:////... /////.
Verify the certificate to be sure it is not self-signed:
/////.
Restart the LDAP server:

Final client configuration: Using sssd service (instead of nslcd) for LDAP authentication
Note that CA certificate installation for the sssd service (and LDAP clients) is simpler than for the OpenSSL client utilities. Simply copy the CA certificate into the /etc/openldap/cacerts directory where it is expected:
..:///CA/. ///
In order to allow simpler commands for certificate verification, install the CA certificate properly for OpenSSL as well:
Create Certificate Authority (CA) instead of using self-signed Certificates
Get the LDAP server certificate and verify it:
..://///. //.
//.
Confirm in the ///. file that the service uses the same certificate directory and connects via the :// scheme:
__ = ///
_ = ://../
Make sure once again that FORCELEGACY in the /// file is unset:
FORCELEGACY=
Re-configure with the same command:
-- -- --=.. --="=,=" --
Check the credentials returned by LDAP:

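As an added example (not code from this page), the lint below covers both the Stage 2 client changes and this final client configuration: it flags an ldap.conf or sssd.conf that still uses a plain ldap:// URI, a relaxed TLS_REQCERT, or no configured CA certificate location, so the intermediate settings used to test against the self-signed certificate do not remain in the final setup. The sample files, the host name ldap.example.com, the base DN and the /etc/openldap/cacerts path are constructed assumptions.

```shell
#!/bin/sh
# Added example, not the page's own code: lint the client-side settings this
# page changes between stages (URI scheme in ldap.conf and sssd.conf,
# TLS_REQCERT, and where the CA certificate is looked up) so that Stage 2's
# relaxed settings do not survive into the final configuration.
# The sample files are constructed; hostnames, base DN and paths are
# assumptions, not values from a real host.

conf_get() {  # conf_get FILE KEY: value of a "KEY value" line (ldap.conf); last wins
    awk -v k="$2" 'tolower($1) == tolower(k) { v = $2 } END { print v }' "$1"
}

ini_get() {   # ini_get FILE KEY: value of a "key = value" line (sssd.conf); last wins
    awk -F'=' -v k="$2" '$1 ~ "^[ \t]*" k "[ \t]*$" { sub(/^[ \t]+/, "", $2); v = $2 }
                         END { print v }' "$1"
}

# check_client LDAP_CONF SSSD_CONF: prints one finding per line and returns the
# number of findings, so status 0 means both files have the hardened shape.
check_client() {
    n=0
    uri=$(conf_get "$1" URI)
    case "$uri" in ldaps://*) ;; *)
        echo "cleartext: ldap.conf URI '$uri' is not ldaps://"; n=$((n + 1)) ;; esac
    reqcert=$(conf_get "$1" TLS_REQCERT)
    case "$reqcert" in never|allow)
        echo "unverified: TLS_REQCERT $reqcert accepts any server certificate"; n=$((n + 1)) ;; esac
    if [ -z "$(conf_get "$1" TLS_CACERTDIR)$(conf_get "$1" TLS_CACERT)" ]; then
        echo "no-ca: neither TLS_CACERTDIR nor TLS_CACERT is set"; n=$((n + 1))
    fi
    suri=$(ini_get "$2" ldap_uri)
    case "$suri" in ldaps://*) ;; *)
        echo "cleartext: sssd.conf ldap_uri '$suri' is not ldaps://"; n=$((n + 1)) ;; esac
    return $n
}

WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
# Stage 2 shape: ldaps:// is used, but the self-signed certificate is tolerated
# and sssd (Stage 1 shape) still points at the plain ldap:// port.
printf 'BASE dc=example,dc=com\nURI ldaps://ldap.example.com\nTLS_REQCERT never\n' >"$WORK/ldap.conf.stage2"
printf '[domain/default]\nldap_uri = ldap://ldap.example.com/\n' >"$WORK/sssd.conf.stage1"
# Final shape: CA certificate under /etc/openldap/cacerts and verification enforced.
printf 'BASE dc=example,dc=com\nURI ldaps://ldap.example.com\nTLS_CACERTDIR /etc/openldap/cacerts\nTLS_REQCERT demand\n' >"$WORK/ldap.conf.final"
printf '[domain/default]\nldap_tls_cacertdir = /etc/openldap/cacerts\nldap_uri = ldaps://ldap.example.com/\n' >"$WORK/sssd.conf.final"

echo "== stage 2 client =="; check_client "$WORK/ldap.conf.stage2" "$WORK/sssd.conf.stage1" || true
echo "== final client =="; check_client "$WORK/ldap.conf.final" "$WORK/sssd.conf.final" && echo "ok"
```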
Troubleshooting
Run one of these utilities (from the package) on the LDAP server to confirm the client connection:
- - - 0
- - - 0
This allows one to monitor whether connections are made at all, which port is being connected to, and whether the information is encrypted or not (based on the data dumps).
Use the utility to scan the server ports from the client:
..
From these points the rest of the things should be checked:
proper CA and server certificate deployment;
firewall configuration;
ports (URI schemes) used by the server and client configuration;
etc.
References
Official documentation: http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/ch-Directory_Servers.html
Guide less sophisticated in details: http://www.salsaunited.net/blog/?p=74
Feedback
Anonymous comments may be submitted by the form below and listed on the Talk:Minimal LDAP configuration on RHEL6 in stages and details page.
Retrieved from "http://spectlog.com/content/index.php?title=Minimal_LDAP_configuration_on_RHEL6_in_stages_and_details&oldid=280"
Category: Red Hat Linux
