Ldap Installation & Configurations
Step 1 - Ldap installation:
Run one of the following commands to install OpenLDAP (server, client tools and libraries)
yum install *openldap* -y
or
yum install openldap openldap-clients openldap-servers -y
Step 2 - Assign ldap admin password
Run the following command to generate the password hash for the LDAP admin (root DN); slappasswd prompts for the password twice and prints the hash
slappasswd
New password: password
Re-enter new password: password
{SSHA}50UEVw19zeh7LT53hQH69znzj4OuSrHd
Step 3 - Add root user password hash in configuration file
Only the root DN has the right to add users, groups, OUs, etc. Do the following in the olcDatabase={2}bdb.ldif file
cd /etc/openldap/slapd.d/cn\=config
vi olcDatabase\=\{2\}bdb.ldif
If olcRootPW does not exist, create it and set it to the hash from Step 2, like below
olcRootPW: {SSHA}50UEVw19zeh7LT53hQH69znzj4OuSrHd
After that we need to make a few more changes in the same file, listed below.
Change the distinguished name (DN) in olcSuffix to something appropriate for your domain, and set olcRootDN to the admin DN under that suffix.
olcSuffix: dc=test,dc=com
olcRootDN: cn=ldap,dc=test,dc=com
Step 4 - Update olcDatabase={1}monitor to use the RootDN from olcDatabase={2}
Follow the steps below so the monitor database recognises the same root DN
vi olcDatabase\=\{1\}monitor.ldif
Modify the olcAccess line so that the second dn.base matches the olcRootDN from olcDatabase={2}
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=ldap,dc=test,dc=com" read by * none
Step 5 - Hide the password hashes from other users
Edit the olcDatabase\=\{2\}bdb.ldif file
vi olcDatabase\=\{2\}bdb.ldif
and append the following two lines at the end of the file
olcAccess: {0}to attrs=userPassword by self write by dn.base="cn=ldap,dc=test,dc=com" write by anonymous auth by * none
olcAccess: {1}to * by dn.base="cn=ldap,dc=test,dc=com" write by self write by * read
The first rule lets a user change only their own password and lets anonymous clients use it only to authenticate, never read it; the second rule lets users edit their own entry, the root DN edit everything, and everyone read the rest of the tree.
Step 5 - Start the ldap service
service slapd start
When starting, you may get errors like the ones below
581cb279 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif"
581cb279 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif"
These appear because the files under slapd.d were edited by hand instead of through ldapmodify; slapd still starts, so you can ignore them for now.
Make sure the service starts automatically at boot
chkconfig slapd on
Step 6 - Creating the root DN entry in the ldap tree manually
An LDAP directory is analogous to a tree. Nodes in this tree are called LDAP "entries" and may represent users, groups, organizational units, domain controllers, or other objects. The attributes in each entry are determined by the LDAP schema. In this tutorial we will build entries based on the inetOrgPerson schema (which ships with OpenLDAP by default). In order to build our LDAP tree we must first create the root entry.
Root entries are usually a special type of entry called a domain controller (DC).
Because we are assuming that the domain is "test.com", we will create a domain controller LDAP entry called dc=test,dc=com. Again, you will need to replace "test" with your organization's domain name.
Also note that dc=test,dc=com is what is called an LDAP distinguished name (DN). A DN uniquely identifies an LDAP entry.
Create a file test.ldif in /tmp and add the lines below (one attribute per line).
cd /tmp
vi test.ldif
dn: dc=test,dc=com
objectClass: dcObject
objectClass: organization
dc: test
o: test
Step 7 - Add the content to LDAP
Run the following command to add the ldif file we just created to the LDAP tree (-x selects a simple bind; without it the client attempts SASL and the bind fails)
ldapadd -x -f test.ldif -D cn=ldap,dc=test,dc=com -w password
Now the content is added to LDAP. Verify that it was entered correctly with the following command
ldapsearch -x -LLL -b dc=test,dc=com
It will show a result like the one below
dn: dc=test,dc=com
objectClass: dcObject
objectClass: organization
dc: test
o: test
Step 8 - Allow or disable the firewall
By default RHEL has iptables enabled. You can either open the LDAP port or disable the firewall to move on.
To disable it, run the following commands.
service iptables stop
chkconfig iptables off
If you prefer to keep the firewall and only allow LDAP (port 389), do the following.
iptables -A INPUT -p tcp -m tcp --dport 389 -j ACCEPT
service iptables save
Step 9 - Adding an OU to the ldap tree
Create a temporary file in /tmp; you can delete it once the entry has been added to the ldap tree
cd /tmp
vi users.ldif
and add the following lines
dn: ou=Users,dc=test,dc=com
objectClass: organizationalUnit
ou: Users
Now add the content to ldap
ldapadd -x -f users.ldif -D cn=ldap,dc=test,dc=com -w password
Step 10 - Add users to ldap
Same as step 9
cd /tmp
vi testuser.ldif
add the following lines (the cn value must match the RDN of the dn exactly, otherwise slapd rejects the entry with a naming violation; userPassword may also be given as a {SSHA} value from slappasswd instead of cleartext)
dn: cn=test user,ou=Users,dc=test,dc=com
cn: test user
sn: user
objectClass: inetOrgPerson
userPassword: test123
uid: testuser
now add the content to the ldap tree
ldapadd -x -f testuser.ldif -D cn=ldap,dc=test,dc=com -w password
Step 11 - Add a group to ldap
Same as steps 9 and 10
cd /tmp
vi testgroup.ldif
now add the following lines
dn: cn=testgroup,ou=Users,dc=test,dc=com
cn: testgroup
objectClass: groupOfNames
member: cn=test user,ou=Users,dc=test,dc=com
now add it to ldap
ldapadd -x -f testgroup.ldif -D cn=ldap,dc=test,dc=com -w password
Step 12 - Add a user to a group in ldap
Same as above
cd /tmp
vi addusertogroup.ldif
add the following lines
dn: cn=testgroup,ou=Users,dc=test,dc=com
changetype: modify
add: member
member: cn=test user,ou=Users,dc=test,dc=com
now apply it to ldap
ldapadd -x -f addusertogroup.ldif -D cn=ldap,dc=test,dc=com -w password
Use the DN of a user who is not already in the group: adding a member value that is already present is refused with "Type or value exists".
That's all for configuring basic OpenLDAP.
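As an added example (not part of the original post), here is a small Python checker for the LDIF files in Steps 6 to 12, run before handing them to ldapadd. It enforces what slapd enforces on an add: the DN must lie under the olcSuffix from Step 3, the entry needs an objectClass, the RDN value must appear as a value of the naming attribute, and a groupOfNames needs a member. SAMPLE_LDIF is a constructed variant of the Step 10 user entry whose cn does not match the RDN of its dn, the most common reason such an add is refused; parse_ldif, check_entry and check_ldif are my own names.

```python
SUFFIX = "dc=test,dc=com"  # the olcSuffix set in Step 3

# Constructed sample: the Step 10 user entry with a cn that does not match the RDN
# (dn says cn=test user, the cn attribute says test), which slapd refuses to add.
SAMPLE_LDIF = """
dn: cn=test user,ou=Users,dc=test,dc=com
cn: test
sn: user
objectClass: inetOrgPerson
userPassword: test123
uid: testuser
"""

# Parse simple LDIF (no line folding or base64 values) into (dn, attrs) records;
# records are separated by blank lines, attribute names compare case-insensitively.
def parse_ldif(text: str) -> list:
    records = []
    for block in text.strip().split("\n\n"):
        dn, attrs = "", {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                dn = value
            elif name:
                attrs.setdefault(name, []).append(value)
        records.append((dn, attrs))
    return records

# Report what slapd would reject the entry for: DN outside the suffix, no objectClass,
# RDN value absent from the entry (naming violation), groupOfNames with no member.
def check_entry(dn: str, attrs: dict, suffix: str = SUFFIX) -> list:
    problems = []
    if not dn.lower().endswith(suffix.lower()):
        problems.append(f"{dn}: not under suffix {suffix}")
    classes = {c.lower() for c in attrs.get("objectclass", [])}
    if not classes:
        problems.append(f"{dn}: no objectClass")
    rdn_attr, _, rdn_value = dn.split(",", 1)[0].partition("=")
    if rdn_value not in attrs.get(rdn_attr.lower(), []):
        problems.append(f"{dn}: naming attribute {rdn_attr}={rdn_value} missing from entry")
    if "groupofnames" in classes and "member" not in attrs:
        problems.append(f"{dn}: groupOfNames needs at least one member")
    return problems

# Check every record in an LDIF file; an empty list means ldapadd should accept it.
def check_ldif(text: str, suffix: str = SUFFIX) -> list:
    return [p for dn, attrs in parse_ldif(text) for p in check_entry(dn, attrs, suffix)]
```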