RHEL 6.3 – LDAP Series – Part 1 : Implementation of LDAP Authentication
Other Learning Articles that you may like to read
Free Courses We Offer
Paid Training Courses we Offer
What is LDAP
LDAP ( Lightweight Directory Access Protocol) is client-server protocol which provides directory services to the client machines. Each LDAP server contain the data required to making up the LDAP database, commonly BDB ( Berkely DB), a high performance transactional database. LDAP manages it’s data in the form objects which are defined with several attributes.
Right now the current LDAP standard provides following basic types of object classes:
- Groups – unordered lists of individual objects or groups of objects
- Location – e.g. Country name and description
- Organisational Units – for Organisational classification of the directory
- People – Individual user login accounts in the directory
As mentioned earlier each object class supported by additional information in the form of attributes. And these attributes are paired together with the values that customizes each object as unique entity in the LDAP database.
e.g: for example the “user” object has an attribute named “commonName in short cn” which is having the user name as it’s value
In this post, I am providing the steps required to configure a LDAP Server ( RHEL 6.3 ) with basic LDAP configuration, and then later configure a ldap client to use the nscld authentication ( legecy for RHEL6.3). And we also discussed about sssd autentication which is out of scope for this document.
Configuration of LDAP Server
Check for the required LDAP Packages
[root@gurkulrhel1 ~]# rpm -qa|grep ldap
compat-openldap-2.3.43-2.el6.x86_64
mod_authz_ldap-0.26-15.el6.x86_64
nss-pam-ldapd-0.7.5-14.el6_2.1.x86_64
openldap-servers-sql-2.4.23-26.el6_3.2.x86_64
python-ldap-2.3.10-1.el6.x86_64
openldap-devel-2.4.23-26.el6_3.2.x86_64
krb5-server-ldap-1.9-33.el6.x86_64
bind-dyndb-ldap-1.1.0-0.9.b1.el6.x86_64
openldap-servers-2.4.23-26.el6_3.2.x86_64
openldap-2.4.23-26.el6_3.2.x86_64
php-ldap-5.3.3-14.el6_3.x86_64
openldap-clients-2.4.23-26.el6_3.2.x86_64
ldapjdk-4.18-6.el6.x86_64
apr-util-ldap-1.3.9-3.el6_0.1.x86_64
pam_ldap-185-11.el6.x86_64[root@gurkulrhel1 ~]# cat /var/lib/ldap/DB_CONFIG
cat: /var/lib/ldap/DB_CONFIG: No such file or directory[root@gurkulrhel1 ~]# egrep -v “^#|^$” /usr/share/openldap-servers/DB_CONFIG.example
set_cachesize 0 268435456 1
set_lg_regionmax 262144
set_lg_bsize 2097152
Initialize the DB_CONFIG Settings from default file
[root@gurkulrhel1 ~]# egrep -v “^#|^$” /usr/share/openldap-servers/DB_CONFIG.example > /var/lib/ldap/DB_CONFIG
Before Proceeding for futher configuration just stop the iptables first
# service iptables stop
Get the copy of sample slapd.conf and mke modifications as per our requirement
[root@gurkulrhel1 ~]# cp /usr/share/openldap-servers/slapd.conf.obsolete /root/slapd.conf
Generate root password for LDAP cn=config configuration:
[root@gurkulrhel1 ~]# slappasswd
New password: <pasword>
Re-enter new password:<password>
{SSHA}5kO/K1KBzJ0wEaKBAGjIDY6MG6TGzg9Q <== note down this encrypted password [root@gurkulrhel1 ~]# vi /root/slapd.conf
And made below modifiations, under “database bdb” Sectionsuffix “dc=gurkulindia,dc=com”
checkpoint 1024 15
rootdn “cn=Manager,dc=my-domain,dc=com”
New password: <pasword>
Re-enter new password:<password>
{SSHA}5kO/K1KBzJ0wEaKBAGjIDY6MG6TGzg9Q <== note down this encrypted password [root@gurkulrhel1 ~]# vi /root/slapd.conf
And made below modifiations, under “database bdb” Sectionsuffix “dc=gurkulindia,dc=com”
checkpoint 1024 15
rootdn “cn=Manager,dc=my-domain,dc=com”
rootdn “cn=Manager,dc=gurkulindia,dc=com”
rootpw {SSHA}5kO/K1KBzJ0wEaKBAGjIDY6MG6TGzg9Q [root@gurkulrhel1 log]#
rootpw {SSHA}5kO/K1KBzJ0wEaKBAGjIDY6MG6TGzg9Q [root@gurkulrhel1 log]#
Stop the Slapd Service while you make modifications
# service slapd stop
Modify /root/slapd.conf to reflect the domain name and password
[root@gurkulrhel1 log]# cat /root/slapd.conf
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
# include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema # Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2 # Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args # Load dynamic backend modules
# – modulepath is architecture dependent value (32/64-bit system)
# – back_sql.la overlay requires openldap-server-sql package
# – dyngroup.la and dynlist.la cannot be used at the same time # modulepath /usr/lib/openldap
# modulepath /usr/lib64/openldap # moduleload accesslog.la
# moduleload auditlog.la
# moduleload back_sql.la
# moduleload chain.la
# moduleload collect.la
# moduleload constraint.la
# moduleload dds.la
# moduleload deref.la
# moduleload dyngroup.la
# moduleload dynlist.la
# moduleload memberof.la
# moduleload pbind.la
# moduleload pcache.la
# moduleload ppolicy.la
# moduleload refint.la
# moduleload retcode.la
# moduleload rwm.la
# moduleload seqmod.la
# moduleload smbk5pwd.la
# moduleload sssvlv.la
# moduleload syncprov.la
# moduleload translucent.la
# moduleload unique.la
# moduleload valsort.la # The next three lines allow use of TLS for encrypting connections using a
# dummy test certificate which you can generate by running
# /usr/libexec/openldap/generate-server-cert.sh. Your client software may balk
# at self-signed certificates, however.
TLSCACertificatePath /etc/openldap/certs
TLSCertificateFile “”
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
# include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema # Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2 # Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args # Load dynamic backend modules
# – modulepath is architecture dependent value (32/64-bit system)
# – back_sql.la overlay requires openldap-server-sql package
# – dyngroup.la and dynlist.la cannot be used at the same time # modulepath /usr/lib/openldap
# modulepath /usr/lib64/openldap # moduleload accesslog.la
# moduleload auditlog.la
# moduleload back_sql.la
# moduleload chain.la
# moduleload collect.la
# moduleload constraint.la
# moduleload dds.la
# moduleload deref.la
# moduleload dyngroup.la
# moduleload dynlist.la
# moduleload memberof.la
# moduleload pbind.la
# moduleload pcache.la
# moduleload ppolicy.la
# moduleload refint.la
# moduleload retcode.la
# moduleload rwm.la
# moduleload seqmod.la
# moduleload smbk5pwd.la
# moduleload sssvlv.la
# moduleload syncprov.la
# moduleload translucent.la
# moduleload unique.la
# moduleload valsort.la # The next three lines allow use of TLS for encrypting connections using a
# dummy test certificate which you can generate by running
# /usr/libexec/openldap/generate-server-cert.sh. Your client software may balk
# at self-signed certificates, however.
TLSCACertificatePath /etc/openldap/certs
TLSCertificateFile “”
OpenLDAP Server “”
TLSCertificateKeyFile /etc/openldap/certs/password # Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64 # Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base=”” by * read
# access to dn.base=”cn=Subschema” by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., “access to * by * read”)
#
# rootdn can always read and write EVERYTHING! # enable on-the-fly configuration (cn=config)
database config
access to *
by dn.exact=”gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth” manage
by * none # enable server status monitoring (cn=monitor)
database monitor
access to *
by dn.exact=”gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth” read
by dn.exact=”cn=Manager,dc=my-domain,dc=com” read
by * none #######################################################################
# database definitions
####################################################################### database bdb
suffix “dc=gurkulindia,dc=com”
checkpoint 1024 15
rootdn “cn=Manager,dc=gurkulindia,dc=com”
rootpw {SSHA}5kO/K1KBzJ0wEaKBAGjIDY6MG6TGzg9Q
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw secret
# rootpw {crypt}ijFYNcSNctBYg # The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap # Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub # Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
# bindmethod=sasl saslmech=GSSAPI
# authcId=host/ldap-master.example.com@EXAMPLE.COM
[root@gurkulrhel1 log]#
TLSCertificateKeyFile /etc/openldap/certs/password # Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64 # Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base=”” by * read
# access to dn.base=”cn=Subschema” by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., “access to * by * read”)
#
# rootdn can always read and write EVERYTHING! # enable on-the-fly configuration (cn=config)
database config
access to *
by dn.exact=”gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth” manage
by * none # enable server status monitoring (cn=monitor)
database monitor
access to *
by dn.exact=”gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth” read
by dn.exact=”cn=Manager,dc=my-domain,dc=com” read
by * none #######################################################################
# database definitions
####################################################################### database bdb
suffix “dc=gurkulindia,dc=com”
checkpoint 1024 15
rootdn “cn=Manager,dc=gurkulindia,dc=com”
rootpw {SSHA}5kO/K1KBzJ0wEaKBAGjIDY6MG6TGzg9Q
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw secret
# rootpw {crypt}ijFYNcSNctBYg # The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap # Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub # Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
# bindmethod=sasl saslmech=GSSAPI
# authcId=host/ldap-master.example.com@EXAMPLE.COM
[root@gurkulrhel1 log]#
Note :
In earlier versions, LDAP configuration used to done by the file slapd.conf file, where as in RHEL 6 the file level configuration become obsolete and now we have to dynamic configuration (cn=config) using the ldap backend tools like ldapadd/ldapdel/ldapmodify.
But Instead of using dynamic configuration from the basic setup, we are configuring slapd.conf file and converting it into dynamic configuration using ldaptest. As a prerequisite we will remove the all existing configuration as shown below.
Removing default ldap configuration data
[root@gurkulrhel1 ~]# rm -rf /etc/openldap/slapd.d/*[root@gurkulrhel1 ~]# rm -rf /var/lib/ldap/*
Initialize DB files for content in /var/lib/ldap directory
[root@gurkulrhel1 ~]# echo “” | slapadd -f /root/slapd.conf
The first database does not allow slapadd; using the first available one (2)
Convert the slapd.conf to cn=config model
root@gurkulrhel1 ~]# slaptest -f /root/slapd.conf -F /etc/openldap/slapd.d/
config file testing succeeded
[root@gurkulrhel1 ~]# ls -l /etc/openldap/slapd.d/
total 8
drwxr-x— 3 root root 4096 Mar 24 20:52 cn=config
-rw——- 1 root root 1120 Mar 24 20:52 cn=config.ldif
total 8
drwxr-x— 3 root root 4096 Mar 24 20:52 cn=config
-rw——- 1 root root 1120 Mar 24 20:52 cn=config.ldif
Make sure ldap user has read & write permission under /etc/openldap/slapd.d and /var/lib/ldap directory.
[root@gurkulrhel1 ~]# chown -R ldap:ldap /etc/openldap/slapd.d
[root@gurkulrhel1 ~]# chmod -R u+rwX /etc/openldap/slapd.d
[root@gurkulrhel1 ~]# chown -R ldap.ldap /var/lib/ldap
[root@gurkulrhel1 ~]# chmod -R u+rwX /etc/openldap/slapd.d
[root@gurkulrhel1 ~]# chown -R ldap.ldap /var/lib/ldap
Make sure slapi support enabled in /etc/sysconfig/ldap file
[root@gurkulrhel1 ~]# grep LDAPI /etc/sysconfig/ldap
# At least one of SLAPD_LDAP, SLAPD_LDAPI and SLAPD_LDAPS must be set to ‘yes’!
SLAPD_LDAPI=yes
# – it doesn’t overwrite settings of $SLAPD_LDAP, $SLAPD_LDAPS and $SLAPD_LDAPI options
# – it isn’t overwritten by settings of $SLAPD_LDAP, $SLAPD_LDAPS and $SLAPD_LDAPI options
# At least one of SLAPD_LDAP, SLAPD_LDAPI and SLAPD_LDAPS must be set to ‘yes’!
SLAPD_LDAPI=yes
# – it doesn’t overwrite settings of $SLAPD_LDAP, $SLAPD_LDAPS and $SLAPD_LDAPI options
# – it isn’t overwritten by settings of $SLAPD_LDAP, $SLAPD_LDAPS and $SLAPD_LDAPI options
Start the slapd server
[root@gurkulrhel1 ~]# service slapd start
Starting slapd: [ OK ]
Starting slapd: [ OK ]
Test if the slapd backend configurations can be listed with an ldapsearch command.
[root@gurkulrhel1 ~]# ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config |more
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
# # config
dn: cn=config
objectClass: olcGlobal
cn: config
olcConfigFile: /root/slapd.conf
olcConfigDir: /etc/openldap/slapd.d/
olcAllows: bind_v2
olcArgsFile: /var/run/openldap/slapd.args
olcAttributeOptions: lang-
olcAuthzPolicy: none
olcConcurrency: 0
olcConnMaxPending: 100
olcConnMaxPendingAuth: 1000
olcGentleHUP: FALSE
olcIdleTimeout: 0
olcIndexSubstrIfMaxLen: 4
olcIndexSubstrIfMinLen: 2
olcIndexSubstrAnyLen: 4
olcIndexSubstrAnyStep: 2
olcIndexIntLen: 4
olcLocalSSF: 71
olcPidFile: /var/run/openldap/slapd.pid
olcReadOnly: FALSE
olcReverseLookup: FALSE
olcSaslSecProps: noplain,noanonymous
olcSockbufMaxIncoming: 262143
olcSockbufMaxIncomingAuth: 16777215
olcThreads: 16
olcTLSCACertificatePath: /etc/openldap/certs
olcTLSCertificateFile: “OpenLDAP Server”
olcTLSCertificateKeyFile: /etc/openldap/certs/password
olcTLSVerifyClient: never
olcToolThreads: 1
olcWriteTimeout: 0 :::::: SNIP the ouput :::: # # {2}bdb, config
dn: olcDatabase={2}bdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcBdbConfig
olcDatabase: {2}bdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=gurkulindia,dc=com
olcAddContentAcl: FALSE
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcRootDN: cn=Manager,dc=gurkulindia,dc=com
olcRootPW: {SSHA}5kO/K1KBzJ0wEaKBAGjIDY6MG6TGzg9Q
olcSyncUseSubentry: FALSE
olcMonitoring: TRUE
olcDbCacheSize: 1000
olcDbCheckpoint: 1024 15
olcDbConfig: {0}set_cachesize 0 268435456 1
olcDbConfig: {1}set_lg_regionmax 262144
olcDbConfig: {2}set_lg_bsize 2097152
olcDbNoSync: FALSE
olcDbDirtyRead: FALSE
olcDbIDLcacheSize: 0
olcDbIndex: objectClass pres,eq
olcDbIndex: cn pres,eq,sub
olcDbIndex: uid pres,eq,sub
olcDbIndex: uidNumber pres,eq
olcDbIndex: gidNumber pres,eq
olcDbIndex: mail pres,eq,sub
olcDbIndex: ou pres,eq,sub
olcDbIndex: loginShell pres,eq
olcDbIndex: sn pres,eq,sub
olcDbIndex: givenName pres,eq,sub
olcDbIndex: memberUid pres,eq,sub
olcDbIndex: nisMapName pres,eq,sub
olcDbIndex: nisMapEntry pres,eq,sub
olcDbLinearIndex: FALSE
olcDbMode: 0600
olcDbSearchStack: 16
olcDbShmKey: 0
olcDbCacheFree: 1
olcDbDNcacheSize: 0 # search result
search: 2
result: 0 Success # numResponses: 19
# numEntries: 18
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
# # config
dn: cn=config
objectClass: olcGlobal
cn: config
olcConfigFile: /root/slapd.conf
olcConfigDir: /etc/openldap/slapd.d/
olcAllows: bind_v2
olcArgsFile: /var/run/openldap/slapd.args
olcAttributeOptions: lang-
olcAuthzPolicy: none
olcConcurrency: 0
olcConnMaxPending: 100
olcConnMaxPendingAuth: 1000
olcGentleHUP: FALSE
olcIdleTimeout: 0
olcIndexSubstrIfMaxLen: 4
olcIndexSubstrIfMinLen: 2
olcIndexSubstrAnyLen: 4
olcIndexSubstrAnyStep: 2
olcIndexIntLen: 4
olcLocalSSF: 71
olcPidFile: /var/run/openldap/slapd.pid
olcReadOnly: FALSE
olcReverseLookup: FALSE
olcSaslSecProps: noplain,noanonymous
olcSockbufMaxIncoming: 262143
olcSockbufMaxIncomingAuth: 16777215
olcThreads: 16
olcTLSCACertificatePath: /etc/openldap/certs
olcTLSCertificateFile: “OpenLDAP Server”
olcTLSCertificateKeyFile: /etc/openldap/certs/password
olcTLSVerifyClient: never
olcToolThreads: 1
olcWriteTimeout: 0 :::::: SNIP the ouput :::: # # {2}bdb, config
dn: olcDatabase={2}bdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcBdbConfig
olcDatabase: {2}bdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=gurkulindia,dc=com
olcAddContentAcl: FALSE
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcRootDN: cn=Manager,dc=gurkulindia,dc=com
olcRootPW: {SSHA}5kO/K1KBzJ0wEaKBAGjIDY6MG6TGzg9Q
olcSyncUseSubentry: FALSE
olcMonitoring: TRUE
olcDbCacheSize: 1000
olcDbCheckpoint: 1024 15
olcDbConfig: {0}set_cachesize 0 268435456 1
olcDbConfig: {1}set_lg_regionmax 262144
olcDbConfig: {2}set_lg_bsize 2097152
olcDbNoSync: FALSE
olcDbDirtyRead: FALSE
olcDbIDLcacheSize: 0
olcDbIndex: objectClass pres,eq
olcDbIndex: cn pres,eq,sub
olcDbIndex: uid pres,eq,sub
olcDbIndex: uidNumber pres,eq
olcDbIndex: gidNumber pres,eq
olcDbIndex: mail pres,eq,sub
olcDbIndex: ou pres,eq,sub
olcDbIndex: loginShell pres,eq
olcDbIndex: sn pres,eq,sub
olcDbIndex: givenName pres,eq,sub
olcDbIndex: memberUid pres,eq,sub
olcDbIndex: nisMapName pres,eq,sub
olcDbIndex: nisMapEntry pres,eq,sub
olcDbLinearIndex: FALSE
olcDbMode: 0600
olcDbSearchStack: 16
olcDbShmKey: 0
olcDbCacheFree: 1
olcDbDNcacheSize: 0 # search result
search: 2
result: 0 Success # numResponses: 19
# numEntries: 18
Convert configuration file into dynamic configuration under /etc/openldap/slapd.d directory
root@gurkulrhel1 ~]# slaptest -f /root/slapd.conf -F /etc/openldap/slapd.d/
config file testing succeeded
Making a change to slapd backend using ldapmodify.
The sample configuration steps mentioned above does not add a rootpw for cn=config, if the slapd backend configuration needs to be viewed/modified remotely, then a bind password is needed(so we can bind using cn=admin,cn=config. The following example shows how to add a rootpw for cn=config using the ldapi:// interface as root user.
[root@gurkulrhel1 ~]#
[root@gurkulrhel1 ~]#
[root@gurkulrhel1 ~]# ldapmodify -Y EXTERNAL -H ldapi:///
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}5kO/K1KBzJ0wEaKBAGjIDY6MG6TGzg9Q <<< the encrypted password that we created using slappasswd earlier
[root@gurkulrhel1 ~]#
[root@gurkulrhel1 ~]# ldapmodify -Y EXTERNAL -H ldapi:///
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}5kO/K1KBzJ0wEaKBAGjIDY6MG6TGzg9Q <<< the encrypted password that we created using slappasswd earlier
modifying entry “olcDatabase={0}config,cn=config” ^D
Now we will make some basic entries for domain, and organizational units, groups and people.
[root@gurkulrhel1 log]# cat > /root/domain.ldif
dn: dc=gurkulindia,dc=com
objectClass: top
objectClass: domain
dc: gurkulindia dn: ou=Groups,dc=gurkulindia,dc=com
objectClass: top
objectClass: organizationalunit
ou: Groups dn: ou=People,dc=gurkulindia,dc=com
objectClass: top
objectClass: organizationalunit
ou: People
dn: dc=gurkulindia,dc=com
objectClass: top
objectClass: domain
dc: gurkulindia dn: ou=Groups,dc=gurkulindia,dc=com
objectClass: top
objectClass: organizationalunit
ou: Groups dn: ou=People,dc=gurkulindia,dc=com
objectClass: top
objectClass: organizationalunit
ou: People
^D
[root@gurkulrhel1 log]# [root@gurkulrhel1 cn=config]# ldapadd -x -h localhost -D cn=Manager,dc=gurkulindia,dc=com -f /root/domain.ldif -W
Enter LDAP Password: <== enter the password you enabled for bdb database
Enter LDAP Password: <== enter the password you enabled for bdb database
adding new entry “dc=gurkulindia,dc=com”
adding new entry “ou=Groups,dc=gurkulindia,dc=com”
adding new entry “ou=People,dc=gurkulindia,dc=com”
adding new entry “ou=Groups,dc=gurkulindia,dc=com”
adding new entry “ou=People,dc=gurkulindia,dc=com”
Now we will add one sample user name “gurkuluser” and group named “redhat”, using the ldif file /root/user.ldif
[root@gurkulrhel1 cn=config]# cat > /root/user.ldif
dn: uid=gurkuluser,ou=People,dc=gurkulindia,dc=com
givenName: ldap
sn: user1
loginShell: /bin/bash
uidNumber: 1250
gidNumber: 1500
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
uid: gurkuluser
cn: ldap user1
homeDirectory: /home/gurkuluser
userPassword: {SSHA}5kO/K1KBzJ0wEaKBAGjIDY6MG6TGzg9Q dn: cn=redhat,ou=Groups,dc=gurkulindia,dc=com
objectClass: posixGroup
objectClass: top
cn: redhat
dn: uid=gurkuluser,ou=People,dc=gurkulindia,dc=com
givenName: ldap
sn: user1
loginShell: /bin/bash
uidNumber: 1250
gidNumber: 1500
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
uid: gurkuluser
cn: ldap user1
homeDirectory: /home/gurkuluser
userPassword: {SSHA}5kO/K1KBzJ0wEaKBAGjIDY6MG6TGzg9Q dn: cn=redhat,ou=Groups,dc=gurkulindia,dc=com
objectClass: posixGroup
objectClass: top
cn: redhat
gidNumber: 1500
[root@gurkulrhel1 cn=config]# ldapadd -x -h localhost -D cn=Manager,dc=gurkulindia,dc=com -f /root/user.ldif -W
Enter LDAP Password: <- enter the password we set for bdb databse
adding new entry “uid=gurkuluser,ou=People,dc=gurkulindia,dc=com”
adding new entry “cn=redhat,ou=Groups,dc=gurkulindia,dc=com”
Enter LDAP Password: <- enter the password we set for bdb databse
adding new entry “uid=gurkuluser,ou=People,dc=gurkulindia,dc=com”
adding new entry “cn=redhat,ou=Groups,dc=gurkulindia,dc=com”
Gurkulrhel2 : LDAP CLient Configuration
Check for all required client Packages
[root@gurkulrhel2 log]# rpm -qa|grep ldap
pam_ldap-185-11.el6.x86_64
python-ldap-2.3.10-1.el6.x86_64
apr-util-ldap-1.3.9-3.el6_0.1.x86_64
nss-pam-ldapd-0.7.5-14.el6_2.1.x86_64
compat-openldap-2.3.43-2.el6.x86_64
openldap-devel-2.4.23-26.el6.x86_64
openldap-clients-2.4.23-26.el6.x86_64
ldapjdk-4.18-6.el6.x86_64
[root@gurkulrhel2 log]#
pam_ldap-185-11.el6.x86_64
python-ldap-2.3.10-1.el6.x86_64
apr-util-ldap-1.3.9-3.el6_0.1.x86_64
nss-pam-ldapd-0.7.5-14.el6_2.1.x86_64
compat-openldap-2.3.43-2.el6.x86_64
openldap-devel-2.4.23-26.el6.x86_64
openldap-clients-2.4.23-26.el6.x86_64
ldapjdk-4.18-6.el6.x86_64
[root@gurkulrhel2 log]#
REDHAT 6 support using two kinds of authentication procedures
Two Types of Authentication Services helps LDAP clients to allow logins:
1. SSSD ( System Security Services Daemon)
2. NSLCD based Authentication
Authentication Type 1 : SSSD ( system Security Services Daemon) : A service which provides access to different identity and authentication providers. SSSD uses the configuration information from /etc/sssd.conf for identity lookup and authentication. But inorder to user SSSD based LDAP authentication either TLS/SSL or LDAPS is required. If the LDAP server is used only as an identity provider an encrypted channel is not needed. Configuring LDAP client using SSSD (Recommended)
Required SSSD packages:
# yum install sssd sssd-client
Configure the system, using command-line
# authconfig –enableldap –enableldapauth –ldapserver=”gurkulrhel1″ –ldapbasedn=”dc=gurkulindia,dc=com” –enableldaptls –update
Or If you want to use menu based configuration(GUI) use the below command
System>Administration>Authentication (or execute authconfig-gtk from a terminal)
Or If you want to use menu based configuration(GUI) use the below command
System>Administration>Authentication (or execute authconfig-gtk from a terminal)
Important Note : If No Certificate servers available for TLS authentication you won’t be able to login using the ldapusers, and you will get following errors:::: Client login says access denied as below
login as: gurkuluser
gurkuluser@192.168.1.32’s password:
Access denied::: syslog will log below errors /var/log/messages Mar 24 11:10:48 gurkulrhel2 sssd: Starting up
Mar 24 11:10:48 gurkulrhel2 sssd[be[default]]: Starting up
Mar 24 11:10:48 gurkulrhel2 sssd[nss]: Starting up
Mar 24 11:10:48 gurkulrhel2 sssd[pam]: Starting up
Mar 24 11:10:59 gurkulrhel2 sssd[be[default]]: Could not start TLS encryption. TLS error -8157:Certificate extension not found.
gurkuluser@192.168.1.32’s password:
Access denied::: syslog will log below errors /var/log/messages Mar 24 11:10:48 gurkulrhel2 sssd: Starting up
Mar 24 11:10:48 gurkulrhel2 sssd[be[default]]: Starting up
Mar 24 11:10:48 gurkulrhel2 sssd[nss]: Starting up
Mar 24 11:10:48 gurkulrhel2 sssd[pam]: Starting up
Mar 24 11:10:59 gurkulrhel2 sssd[be[default]]: Could not start TLS encryption. TLS error -8157:Certificate extension not found.
Authentication Type 2 : Configuring LDAP client using nslcd.The nss-pam-ldapd provides the nss-pam-ldapd daemon (nslcd) which uses a directory server to look up name service information on behalf of a lightweight nsswitch module. The authentication part is handled by pam_ldap ( nss_ldap from padl.com ).
Currently nss-pam-ldapd’s own pam_ldap is disabled.nslcd uses configuration information from /etc/nslcd.conf file and pam_ldap uses /etc/pam_ldap.conf file(If authconfig is used, both the files are updated automatically).
Install Required Packages :
# yum install nss-pam-ldapd pam_ldap
Edit /etc/sysconfig/authconfig, change “FORCELEGACY” option to “yes”, as below
Authconfig will try to use sssd by default, in order to configure nslcd, enable FORCELEGACY option in authconfig as shown below.
FORCELEGACY=yes
or you can enable this parameter from command line , using
# authconfig –enableforcelegacy –update
Finally enable ldap authentication for the client using the command
or you can enable this parameter from command line , using
# authconfig –enableforcelegacy –update
Finally enable ldap authentication for the client using the command
[root@gurkulrhel1]# authconfig –enableldap –enableldapauth –ldapserver=ldapserver –ldapbasedn=”dc=gurkulindia,dc=com” –update
Starting nslcd: [ OK ]
Starting oddjobd: [ OK ]
Starting nslcd: [ OK ]
Starting oddjobd: [ OK ]
Restart the nslcd service.
[root@gurkulrhel2 log]# service nslcd restart
Stopping nslcd: [FAILED]
Starting nslcd: [ OK ]
Stopping nslcd: [FAILED]
Starting nslcd: [ OK ]
Confirm that server able to see the ldap users.
[root@gurkulrhel2 log]# getent passwd gurkuluser
gurkuluser:{SSHA}5kO/K1KBzJ0wEaKBAGjIDY6MG6TGzg9Q:1250:1500:ldap user1:/home/gurkuluser:/bin/bash
Login from the client
login as: gurkuluser
gurkuluser@192.168.1.32’s password:
Creating home directory for gurkuluser.
[gurkuluser@gurkulrhel2 ~]$
gurkuluser@192.168.1.32’s password:
Creating home directory for gurkuluser.
[gurkuluser@gurkulrhel2 ~]$
If you want to know little more about LDAP jsut stay tuned with me, for the next post.
How to Stay Close to Us ?
You can simply subscribe for our free email posts from here
You can always stay close to us by connecting in Facebook, LinkedIn , twitter and Google + social networks. We are also managing the unixbook as a writing space for you. And We have very active Facebook’s just-UNIX-no-noise group and Linked in Enterprise UNIX administration group, for active discussions.
We always love to hear your comments and feedback.
Nice writeup.
HI ,
I am getting below error,please some one help me ..
ldap_bind: Invalid credentials (49)
venu, i have mentioned the troubleshooting procedures here http://gurkulindia.com/main/2013/04/rhel-6-3-ldap-series-part-4-troubleshooting/ , for various ldap authentication issues.
Hi,
How to give the full permission to change the password to ldap user ? Please help me .
ldapmodify -Y EXTERNAL -H ldapi:///
it’s take too much time
How to Solve This
[root@ldap migrationtools]# ldapadd -x -h localhost -D cn=Manager,dc=example,dc=com -f /root/user.ldif -W
Enter LDAP Password:
ldapadd: attributeDescription “dn”: (possible missing newline after line 19, entry “uid=gurkuluser,ou=People,dc=example,dc=com”?)
adding new entry “uid=gurkuluser,ou=People,dc=example,dc=com”
ldap_add: Invalid syntax (21)
additional info: gidNumber: value #1 invalid per syntax
please Check if there are any typos in the user.dif file, because the error says invalid syntax with the parameter “gidNumber”
I get the following error when adding the domain i.e.
[root@ldap ~]# ldapadd -x -h localhost -D cn=Manager,dc=testdom,dc=com -f /root/domain.ldif -W
Enter LDAP Password:
adding new entry “dc=testdom,dc=com”
ldap_add: Type or value exists (20)
additional info: objectClass: value #0 provided more than once
my domain.ldif file conains this:
dn: dc=testdom,dc=com
objectClass: top
objectClass: domain
dc: testdom dn: ou=Groups,dc=testdomdc=com
objectClass: top
objectClass: organizationalunit
ou: Groups dn: ou=People,dc=testdom,dc=com
objectClass: top
objectClass: organizationalunit
ou: People
Can you advise?
Thanks
Kman
Hello, it seems some content from the file  domain.ldif  had duplicate entries please doble check.
Seems there’s an error in the procedure. The step “Initialize the DB_CONFIG Settings from default file” builds the /var/lib/ldap/DB_CONFIG file, but the step “Removing default ldap configuration data” deletes it.
Also, the step “Now we will make some basic entries for domain, and organizational units named  groups and people.” is missing some line breaks.
Hi Tim, Corrected it.
How to fix this problem?
I am having same problem.
Hi Hashmath, can you tell me which problem you are referring?
[root@ldap06 ~]# ldapadd -x -h localhost -D cn=Manager,dc=testdom,dc=com -f /root/domain.ldif -W
Enter LDAP Password:
adding new entry “dc=testdom,dc=comâ€
ldap_add: Type or value exists (20)
additional info: objectClass: value #0 provided more than once
my domain.ldif file conains this:
dn: dc=testdom,dc=com
objectClass: top
objectClass: domain
dc: testdom dn: ou=Groups,dc=testdomdc=com
objectClass: top
objectClass: organizationalunit
ou: Groups dn: ou=People,dc=testdom,dc=com
objectClass: top
objectClass: organizationalunit
ou: People
Thanks,
Hashmath.
Hi Hasmath, can you try the command after removing below 3 lines from the top of your ldif file ?
dn: dc=testdom,dc=com
objectClass: top
objectClass: domain
After openldap configuration i am facing following issue
[root@ldap01 ldap]# Â ldapsearch -x -b “cn=config” -D “cn=admin,cn=config” -w config -h localhost dn -LLL | grep -v ^$
ldap_bind: Invalid credentials (49)
[root@rldap01 ldap]#
Â
when I am trying to add olcRootPW following by instruction – it is giving me an ERROR ldap_modify: Inappropriate matching (18) additional info: modify/add: olcRootPW: no equality matching rule
Could you please help to solve this ERROR
My OS Version is – Red Hat Enterprise Linux Server release 6.4 (Santiago)
[root@gurkulrhel1 ~]# ldapmodify -Y EXTERNAL -H ldapi:///
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}5kO/K1KBzJ0wEaKBAGjIDY6MG6TGzg9Q
modifying entry “olcDatabase={0}config,cn=configâ€
ERROR
modifying entry “olcDatabase={0}config,cn=config”
ldap_modify: Inappropriate matching (18)
additional info: modify/add: olcRootPW: no equality matching rule
I suspect there might be issues with the step “Modify /root/slapd.conf to reflect the domain name and password” .. please do verify the file again and also make sure the verification was good with the below command.
“ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config”
Ideally the olcRootPW should show the default password here
Missing required extension
Your install of PHP appears to be missing LDAP support.
Please install LDAP support before using phpLDAPadmin.
(Dont forget to restart your web server afterwards)
I am new to a company and i got a task to setup a linux domain for users authentication and management. i went through different articles and finally decided to configure openldap. i have seen different methods to create it and i tried almost all of them also the method just described above. none of them was a success.
Actually i am totally confused that which method will give a positive output. I need to create it as soon as possible..
server in RHEL6 and the client Fedora20 please help !
Hi All,
i getting some error on openldap client side. please assist. when i run ldapsearch command on client side it give me an error : ldap_sasl_bind(simple) can’t contact ldap server (-1). i am using nslcd authentication. i am not using TLS or certificate. its just a simple authentication.
Machine : Fedora 20
[root@client ~]# systemctl -l status nslcd.service
nslcd.service – Naming services LDAP client daemon.
Loaded: loaded (/usr/lib/systemd/system/nslcd.service; enabled)
Active: active (running) since Mon 2014-08-25 16:54:35 IST; 3min 12s ago
Process: 19065 ExecStart=/usr/sbin/nslcd (code=exited, status=0/SUCCESS)
Main PID: 19066 (nslcd)
CGroup: /system.slice/nslcd.service
ââ€â€Ã¢â€â‚¬19066 /usr/sbin/nslcd
Aug 25 16:54:24 client.example.com systemd[1]: Unit nslcd.service entered failed state.
Aug 25 16:54:24 client.example.com systemd[1]: Starting Naming services LDAP client daemon….
Aug 25 16:54:35 client.example.com systemd[1]: PID file /var/run/nslcd/nslcd.pid not readable (yet?) after start.
Aug 25 16:54:35 client.example.com nslcd[19066]: version 0.8.13 starting
Aug 25 16:54:35 client.example.com nslcd[19066]: accepting connections
Aug 25 16:54:35 client.example.com systemd[1]: Started Naming services LDAP client daemon..
Aug 25 16:55:14 client.example.com nslcd[19066]: [8b4567] failed to bind to LDAP server ldap://15.0.0.1: Can’t contact LDAP server: Connection timed out
Aug 25 16:55:14 client.example.com nslcd[19066]: [8b4567] no available LDAP server found: Can’t contact LDAP server: Connection timed out
Aug 25 16:56:47 client.example.com nslcd[19066]: [7b23c6] failed to bind to LDAP server ldap://15.0.0.1: Can’t contact LDAP server: Transport endpoint is not connected
Aug 25 16:56:47 client.example.com nslcd[19066]: [7b23c6] no available LDAP server found: Can’t contact LDAP server: Transport endpoint is not connected
Thanks in Advance
Deepak
Hi Ramdev, very nicely explained the article. but i am facing below mentioned issue.
1. i have followed the steps as mentioned in article but not getting : getent command output.
kindly let me know the reason & solution.
[root@ldapmaster ~]# getent passwd jeevetha
[root@ldapmaster ~]# nothing getting.
slapcat output:-
[root@ldapmaster ~]# slapcat
The first database does not allow slapcat; using the first available one (2)
dn: dc=shiva,dc=com
objectClass: top
objectClass: domain
dc: shiva
structuralObjectClass: domain
entryUUID: 3abc86ec-d820-1033-9ae9-67219d7b460e
creatorsName: cn=Manager,dc=shiva,dc=com
createTimestamp: 20140924102102Z
entryCSN: 20140924102102.323033Z#000000#000#000000
modifiersName: cn=Manager,dc=shiva,dc=com
modifyTimestamp: 20140924102102Z
dn: ou=Groups,dc=shiva,dc=com
objectClass: top
objectClass: organizationalUnit
ou:: R3JvdXBzIA==
structuralObjectClass: organizationalUnit
entryUUID: 3abe5cc4-d820-1033-9aea-67219d7b460e
creatorsName: cn=Manager,dc=shiva,dc=com
createTimestamp: 20140924102102Z
entryCSN: 20140924102102.335061Z#000000#000#000000
modifiersName: cn=Manager,dc=shiva,dc=com
modifyTimestamp: 20140924102102Z
dn: ou=People,dc=shiva,dc=com
objectClass: top
objectClass: organizationalUnit
ou: People
structuralObjectClass: organizationalUnit
entryUUID: 3abf04d0-d820-1033-9aeb-67219d7b460e
creatorsName: cn=Manager,dc=shiva,dc=com
createTimestamp: 20140924102102Z
entryCSN: 20140924102102.339363Z#000000#000#000000
modifiersName: cn=Manager,dc=shiva,dc=com
modifyTimestamp: 20140924102102Z
dn: uid=jeevetha,ou=People,dc=shiva,dc=com
givenName: ldap
sn: user1
loginShell: /bin/bash
uidNumber: 1250
gidNumber: 1500
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
uid: jeevetha
cn: ldap user1
homeDirectory: /home/jeevetha
userPassword:: e1NTSEF9d1F2L1Y3eE84WVJvR2xWK0l3dUNMOGZobnhSb2RKZS8=
structuralObjectClass: inetOrgPerson
entryUUID: 14449e80-d822-1033-9aec-67219d7b460e
creatorsName: cn=Manager,dc=shiva,dc=com
createTimestamp: 20140924103416Z
entryCSN: 20140924103416.777242Z#000000#000#000000
modifiersName: cn=Manager,dc=shiva,dc=com
modifyTimestamp: 20140924103416Z
dn: cn=redhat,ou=Groups,dc=shiva,dc=com
objectClass: posixGroup
objectClass: top
cn: redhat
gidNumber: 1500
structuralObjectClass: posixGroup
entryUUID: 1448e7ce-d822-1033-9aed-67219d7b460e
creatorsName: cn=Manager,dc=shiva,dc=com
createTimestamp: 20140924103416Z
entryCSN: 20140924103416.805334Z#000000#000#000000
modifiersName: cn=Manager,dc=shiva,dc=com
modifyTimestamp: 20140924103416Z