LDAP Installation & Configuration
Step 1 - LDAP installation:
Run one of the following commands to install the OpenLDAP server, client tools and libraries (this guide targets RHEL 6: yum, service, chkconfig and the bdb backend):
yum install *openldap* -y
or
yum install openldap openldap-clients openldap-servers -y
Step 2 - Generate the LDAP admin password hash
Run slappasswd to generate the password hash for the LDAP admin (the rootdn). It prompts twice and prints a salted SHA-1 ({SSHA}) hash; only this hash goes into the configuration, never the cleartext password:
slappasswd
New password: password
Re-enter new password: password
{SSHA}50UEVw19zeh7LT53hQH69znzj4OuSrHd
Step 3 - Add the root user password hash to the configuration file
The root user (rootdn) bypasses the access controls of its database, so it is the account that adds users, groups, OUs and so on; guard its password like root's. Make the following changes in the olcDatabase={2}bdb.ldif file:
cd /etc/openldap/slapd.d/cn\=config
vi olcDatabase\=\{2\}bdb.ldif
If olcRootPW does not exist, create it and add the hash from Step 2 like below (never the cleartext password):
olcRootPW: {SSHA}50UEVw19zeh7LT53hQH69znzj4OuSrHd
After that, make the following changes in the same file.
Change the distinguished name (DN) in olcSuffix to something appropriate for your domain, and set olcRootDN to an admin DN under that suffix (note that it is cn=ldap, with an equals sign, not cn:ldap):
olcSuffix: dc=test,dc=com
olcRootDN: cn=ldap,dc=test,dc=com
Step 4 - Allow the RootDN to read olcDatabase={1}monitor
Follow the steps below so that the rootdn from olcDatabase={2} can read the monitor database:
vi olcDatabase\=\{1\}monitor.ldif
Modify the olcAccess line so that the second dn.base matches the olcRootDN from olcDatabase={2}:
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=ldap,dc=test,dc=com" read by * none
Step 5 - Hide the password hash from other users
Edit the olcDatabase\=\{2\}bdb.ldif file
vi olcDatabase\=\{2\}bdb.ldif
and add the following two lines at the end (they are two separate olcAccess values, {0} and {1}):
olcAccess: {0}to attrs=userPassword by self write by dn.base="cn=ldap,dc=test,dc=com" write by anonymous auth by * none
olcAccess: {1}to * by dn.base="cn=ldap,dc=test,dc=com" write by self write by * read
The {0} rule lets a user change only their own password, lets the rootdn set anyone's, and lets anonymous clients use the attribute only to authenticate (bind); nobody can read the hash back. The {1} rule makes everything else readable by anyone, including anonymous binds, and writable by the entry's owner and the rootdn. ACLs are evaluated in order and the first matching "to" clause wins, so the userPassword rule must come before the catch-all.
Step 5 - Start the ldap service
service slapd start
You may get errors like the ones below:
581cb279 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif"
581cb279 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif"
They appear because the files under slapd.d were edited by hand, so the CRC32 recorded in each file's header no longer matches its content. slapd still loads the files, so the warning can be ignored for now. Applying the same changes with ldapmodify over ldapi:/// against cn=config lets slapd rewrite the files itself, which keeps the checksums consistent and avoids the warning altogether.
Make sure it starts automatically at boot:
chkconfig slapd on
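The settings from Steps 3, 4 and 5 applied the way the checksum warning hints at, as an added example that is not part of this post: the same olcSuffix, olcRootDN, olcRootPW and olcAccess values are sent to the running server as LDIF modify operations on cn=config over the local ldapi:/// socket, so slapd rewrites the files under slapd.d itself. The script and its function names are mine; it assumes the suffix and rootdn used above, the olcDatabase={2}bdb data database, and that slapd listens on ldapi:/// (SLAPD_LDAPI=yes in /etc/sysconfig/ldap on RHEL 6) so that root can authenticate with SASL EXTERNAL.

```shell
#!/bin/bash
# Added example (not part of the original post): apply the Step 3-5 settings to
# the running server through cn=config with ldapmodify, instead of editing the
# files under /etc/openldap/slapd.d by hand (which is what produces the
# "ldif_read_file: checksum error" warnings at start-up).
# Assumptions: slapd listens on the local ldapi:/// socket (SLAPD_LDAPI=yes in
# /etc/sysconfig/ldap) so root can authenticate with SASL EXTERNAL, the data
# database is olcDatabase={2}bdb, and the suffix/rootdn are the ones used above.
set -eu

SUFFIX="dc=test,dc=com"
ROOTDN="cn=ldap,dc=test,dc=com"

# Print the LDIF that sets olcSuffix, olcRootDN and olcRootPW, replaces the
# ACLs on the bdb database, and sets the monitor ACL. "replace" creates an
# attribute that is absent, so it does not matter whether olcRootPW exists yet.
# $1 is the {SSHA} hash from slappasswd; passing the hash rather than the
# cleartext keeps the password out of this script and the shell history.
config_ldif() {
  local hash="$1"
  cat <<EOF
dn: olcDatabase={2}bdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: $SUFFIX

dn: olcDatabase={2}bdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: $ROOTDN

dn: olcDatabase={2}bdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: $hash

dn: olcDatabase={2}bdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword by self write by dn.base="$ROOTDN" write by anonymous auth by * none
olcAccess: {1}to * by dn.base="$ROOTDN" write by self write by * read

dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="$ROOTDN" read by * none
EOF
}

# Apply the LDIF as root over the Unix socket; no password is needed because
# the default ACL on olcDatabase={0}config grants "manage" to uid 0 via peercred.
apply_config() {
  config_ldif "$1" | ldapmodify -Y EXTERNAL -H ldapi:///
}

# Read the settings back to confirm they landed where expected.
show_config() {
  ldapsearch -Y EXTERNAL -H ldapi:/// -LLL -b 'olcDatabase={2}bdb,cn=config' \
    olcSuffix olcRootDN olcAccess
}

case "${1:-}" in
  apply) apply_config "${2:?hash argument required}" ;;
  show)  show_config ;;
  *)     config_ldif '{SSHA}50UEVw19zeh7LT53hQH69znzj4OuSrHd' ;;   # only print the LDIF
esac
```

Run it as root: `sh apply-config.sh apply '{SSHA}...'` with the hash from Step 2, then `sh apply-config.sh show`. With no argument it only prints the LDIF so you can review it before anything is changed.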
Step 6 - Creating the root DN entry in the LDAP tree manually
An LDAP directory is analogous to a tree. Nodes in this tree are called LDAP "entries" and may represent users, groups, organizational units, domain components, or other objects. The attributes in each entry are determined by the LDAP schema. In this tutorial we will build entries based on the inetOrgPerson schema (which ships with OpenLDAP by default). In order to build our LDAP tree we must first create the root entry.
Root entries are usually built from a special type of entry called a domain component (dc), one per label of the DNS domain.
Because we are assuming that the domain is "test.com", we will create a root LDAP entry called dc=test,dc=com. Again, replace "test" with your organization's domain name; it must match the olcSuffix from Step 3.
Also note that dc=test,dc=com is what is called an LDAP distinguished name (DN). A DN uniquely identifies an LDAP entry.
Create a file test.ldif in /tmp and add the lines below.
cd /tmp
vi test.ldif
dn: dc=test,dc=com
objectClass: dcObject
objectClass: organization
dc: test
o: test
Step 7 - Add the content to LDAP
Run the following command to add the ldif file we created to the LDAP tree. -x selects a simple bind as the rootdn with the password from Step 2; without it the client attempts a SASL bind and fails. -w puts the password on the command line and in the shell history, so prefer -W, which prompts for it:
ldapadd -x -f test.ldif -D cn=ldap,dc=test,dc=com -w password
Now the content is added to LDAP. Check that it was entered correctly with the following command:
ldapsearch -x -LLL -b dc=test,dc=com
It will show a result like below:
dn: dc=test,dc=com
objectClass: dcObject
objectClass: organization
dc: test
o: test
Step 8 - Open the firewall port or disable the firewall
By default RHEL has iptables enabled. You can either allow the LDAP port or disable the firewall entirely to move on (acceptable on a throwaway lab box, not on anything reachable from other hosts).
To disable it, run the following commands:
service iptables stop
chkconfig iptables off
To allow only the LDAP port instead, do the following. The rule must be inserted (-I) at the top of the INPUT chain: the default RHEL 6 ruleset ends with a REJECT rule, so a rule appended with -A would sit after it and never match. Restrict the rule with -s to the subnet that actually needs directory access; port 389 carries simple-bind passwords in cleartext because this guide does not set up TLS, so do not expose it beyond the hosts that need it:
iptables -I INPUT -p tcp -m tcp --dport 389 -j ACCEPT
service iptables save
Step 9 - Adding an OU to the LDAP tree
Add a temporary file in /tmp; you can delete it once it has been added to the LDAP tree:
cd /tmp
vi users.ldif
and add the following lines:
dn: ou=Users,dc=test,dc=com
objectClass: organizationalUnit
ou: Users
Now add the content to LDAP:
ldapadd -x -f users.ldif -D cn=ldap,dc=test,dc=com -w password
Step 10 - Add users to LDAP
Same as step 9:
cd /tmp
vi testuser.ldif
Add the following lines. The value of the naming attribute in the DN (cn=test user) must also appear as an attribute of the entry, so cn is "test user", not "test"; otherwise slapd rejects the add. userPassword is given here in cleartext; slapd stores the attribute exactly as given, so in practice paste the {SSHA} hash from slappasswd instead, so that nobody who can read the entry (the rootdn, a backup, a slapcat dump) learns the password:
dn: cn=test user,ou=Users,dc=test,dc=com
objectClass: inetOrgPerson
cn: test user
sn: user
uid: testuser
userPassword: test123
Now add the content to the LDAP tree:
ldapadd -x -f testuser.ldif -D cn=ldap,dc=test,dc=com -w password
Step 11 - Add a group to LDAP
Same as steps 9 and 10:
cd /tmp
vi testgroup.ldif
Now add the following lines (groupOfNames requires at least one member, so the group is created with test user already in it):
dn: cn=testgroup,ou=Users,dc=test,dc=com
objectClass: groupOfNames
cn: testgroup
member: cn=test user,ou=Users,dc=test,dc=com
Now add to LDAP:
ldapadd -x -f testgroup.ldif -D cn=ldap,dc=test,dc=com -w password
Step 12 - Add a user to a group in LDAP
Same as above:
cd /tmp
vi addusertogroup.ldif
Add the following lines. This is a modify operation (changetype: modify, add: member) against the existing group. Note that cn=test user is already a member from Step 11, so re-adding exactly this DN fails with "ldap_modify: Type or value exists (20)"; use the DN of a user who is not yet in the group:
dn: cn=testgroup,ou=Users,dc=test,dc=com
changetype: modify
add: member
member: cn=test user,ou=Users,dc=test,dc=com
Now add to LDAP (ldapadd is ldapmodify -a; the explicit changetype line in the file makes this a modify rather than an add):
ldapadd -x -f addusertogroup.ldif -D cn=ldap,dc=test,dc=com -w password
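Steps 6 through 12 collected into one script, as an added example that is not part of this post (the file name and function names are assumptions): it generates the root entry, the OU, the user and the group as a single LDIF, stores the user's password as the {SSHA} hash from slappasswd instead of cleartext, performs the Step 12 membership change as a separate modify, and then checks three things an admin should verify: that the user can bind with its own password, that anonymous clients cannot read userPassword (the Step 5 ACL), and that the group lists the member. It assumes the suffix, rootdn and DNs used above and a server reachable on localhost.

```shell
#!/bin/bash
# Added example (not part of the original post): build the Step 6-12 entries
# as one LDIF (root entry, OU, user, group) plus the Step 12 membership change,
# load them, and then check the result the way an admin should.
# Assumptions: suffix dc=test,dc=com and rootdn cn=ldap,dc=test,dc=com as
# configured above, slapd reachable on localhost, and a {SSHA} hash from
# slappasswd for the user's password.
set -eu

BASE="dc=test,dc=com"
ROOTDN="cn=ldap,dc=test,dc=com"
OU="ou=Users,$BASE"
USER_DN="cn=test user,$OU"
GROUP_DN="cn=testgroup,$OU"

# LDIF for the whole subtree. userPassword takes the {SSHA} hash in $1 rather
# than a cleartext value: slapd stores the attribute exactly as given, so a
# cleartext value would be readable by the rootdn, in backups and in slapcat
# dumps. cn must contain "test user" because that is the value used in the RDN.
tree_ldif() {
  local hash="$1"
  cat <<EOF
dn: $BASE
objectClass: dcObject
objectClass: organization
dc: test
o: test

dn: $OU
objectClass: organizationalUnit
ou: Users

dn: $USER_DN
objectClass: inetOrgPerson
cn: test user
sn: user
uid: testuser
userPassword: $hash

dn: $GROUP_DN
objectClass: groupOfNames
cn: testgroup
member: $USER_DN
EOF
}

# Step 12 as a modify operation. $2 must not already be a member: adding a
# value that exists fails with "ldap_modify: Type or value exists (20)".
add_member_ldif() {
  local group_dn="$1" member_dn="$2"
  cat <<EOF
dn: $group_dn
changetype: modify
add: member
member: $member_dn
EOF
}

# -x selects a simple bind; -W prompts for the rootdn password so it does not
# land in the shell history the way "-w password" does.
load_tree() {
  tree_ldif "$1" | ldapadd -x -D "$ROOTDN" -W
}

# Post-load checks:
#  1. the new user can bind with its own password (ldapwhoami prints its DN),
#  2. an anonymous search cannot read userPassword (the {0} ACL from Step 5),
#  3. the group lists the user.
verify_tree() {
  ldapwhoami -x -D "$USER_DN" -W
  if ldapsearch -x -LLL -b "$OU" '(uid=testuser)' userPassword | grep -q '^userPassword:'; then
    echo "ACL problem: userPassword is readable by anonymous clients" >&2
    return 1
  fi
  ldapsearch -x -LLL -b "$OU" '(cn=testgroup)' member | grep -qF "member: $USER_DN"
}

case "${1:-}" in
  load)   load_tree "${2:?hash argument required}" ;;
  add)    add_member_ldif "$GROUP_DN" "${2:?member DN required}" | ldapmodify -x -D "$ROOTDN" -W ;;
  verify) verify_tree ;;
  *)      tree_ldif '{SSHA}50UEVw19zeh7LT53hQH69znzj4OuSrHd' ;;   # only print the LDIF
esac
```

Usage: `sh build-tree.sh load '{SSHA}...'` with a hash generated by slappasswd for the user, then `sh build-tree.sh verify` (it prompts for the user's password and exits non-zero if the ACL check fails), and `sh build-tree.sh add 'cn=someone,ou=Users,dc=test,dc=com'` to put another existing user into the group.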
That's all for a basic OpenLDAP configuration.