Installation and Configuration OpenLDAP with DNS on CentOS 7

Installation and Configuration of OpenLDAP Server with DNS Server on CentOS 7

OpenLDAP means open source Lightweight Directory Access Protocol. The basic purpose of OpenLDAP is centralized the network resource for example User Access its personal home folders and files from Linux machine in our case CentOS Linux 7 by use of Network File Sharing (NFS) Server. OpenLDAP work as a directory service to store the user id's, user password, computers and etc. For communication OpenLDAP use a TCP port 389. Most of the corporate sectors use OpenLDAP in their infrastructure for Linux System Administration Team, Linux Database Administration Team and DevOps Team to secure their work.

DNS stands for Domain Name System and use a TCP and UDP Port 53. The purpose of DNS in OpenLDAP is to store the computer records in forward and reverse lookup zone file for centralized authentication environment. DNS help to locate computers and applications (inside operating systems) by use of IP and Name.

Requirement of this LAB Environment

S.no	Machines	Packages	Name/IP Address
1.	Server	OpenLDAP Server and Bind "DNS Server"	LDAP-DNS/192.168.10.215
2.	Client	OpenLDAP Clients and NSS Pam LDAPD	Linux2/192.168.10.216

Installation and Configuration of DNS Server for OpenLDAP Server Click on >>Read.

To Check the Host Name and IP configuration files of OpenLDAP Server type the below commands.

cat /etc/hostname
cat /etc/sysconfig/network-scripts/ifcfg-ens33

installation and configuration of openldap server with dns server on centos7

To check the hosts file of OpenLDAP Server type the below command.

cat /etc/hosts

In the above image you can see that Host name and Full Qualified Domain Name (Host Name + Domain Name) has written with IP Address. This line is require in hosts file of OpenLDAP Server that is also a DNS Server, In client machine no need to edit Host name and Full Qualified Domain Name (Host Name + Domain Name) with IP address because in client side DNS Server use to resolve client Host Name with IP Address or IP Address with Host name.

To install OpenLDAP package with migration tools in CentOS Linux 7 machine type the below command.

yum -y install openldap* migrationtools

OpenLDAP Server package has successfully installed on CentOS Linux 7 machine.

To create OpenLDAP Administration password type the below command. This is the root password for OpenLDAP in CentOS 7.

slappasswd

After type slappasswd command enter your desire password twice and copy the encrypted password. This encrypted password will edit in configuration file of OpenLDAP.

For trust relationship between client and server machine create a Self Signed Certificate on OpenLDAP Server. Type the below command to create a Self Signed Certificate for 1 year, you can set the period of this certificate means years as per your requirement.

openssl req -new -x509 -nodes -out /etc/pki/tls/certs/openldap.pem -keyout /etc/pki/tls/certs/openldapkey.pem -days 365

Set the Country Name, State or Province Name, Locality Name, Organization Name, Organizational Unit Name, Common Name and Email Address to full fill the Certificate requirement.

To Verify the Certificate has created type the below command.

ll /etc/pki/tls/certs/*.pem

how install and configure openldap server with dns server on centos 7

The result of list the Self Signed certificate file with key is shown below.

To Configure the main configuration file of OpenLDAP Database "olcDatabase={2}hdb.ldif" that available in "/etc/openldap/slapd.d/cn=config" directory by use of vi editor.

First use cd command to enter in the directory "/etc/openldap/slapd.d/cn=config".

cd /etc/openldap/slapd.d/cn=config

Then use vi editor to edit the main configuration file of OpenLDAP Database "olcDatabase={2}hdb.ldif".

vi olcDatabase={2}hdb.ldif

In this configuration file edit the below lines as per your environment. pakistan.local is the domain name of this lab environment, you must set your domain name in the below lines.

olcSuffix: dc=pakistan,dc=local
olcRootDN: cn=Manager,dc=pakistan,dc=local

Also Add the below lines at the end of Configuration File. These lines include the encrypted password of OpenLDAP root user, Self Signed certificate file path and Self Signed certificate key file path.

olcRootPW: {SSHA}oRziaj3hPpcqbF0qbiGbT4imbSELUifT
olcTLSCertificateFile: /etc/pki/tls/certs/openldap.pem
olcTLSCertificateKeyFile: /etc/pki/tls/certs/openldapkey.pem

To Monitor the OpenLDAP Server set the Domain Name in OpenLDAP Monitoring Database file "olcDatabase={1}monitor.ldif". Use vi editor to edit the "olcDatabase={1}monitor.ldif" file that available in "/etc/openldap/slapd.d/cn=config" directory.

vi olcDatabase={1}monitor.ldif

Set the Domain Name pakistan.local that is showing in RED underline, you must set your Domain Name.

Type the below command to verify the OpenLDAP Server configuration. If checksum error occurs just ignore it.

slaptest -u

OpenLDAP service slapd run by use of ldap user by default, if you start OpenLDAP service slapd by use of root user it will give errors of incorrect permissions.

To Start the OpenLDAP service slapd give permissions to ldap user.

First Copy the "DB_CONFIG.example" file that available in "/usr/share/openldap-servers/DB_CONFIG.example" directory to "DB_CONFIG" file in "/var/lib/ldap/DB_CONFIG" directory. By default "DB_CONFIG" file is not available in "/var/lib/ldap/" directory. Type the below command to copy the file.

cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

Then give the permissions to ldap user of "/var/lib/ldap/" directory by use of below command.

chown -R ldap:ldap /var/lib/ldap/

To Configure the Firewall "Firewalld" and SELinux in OpenLDAP Server Click on >>Read.

You can disable the Firewall "Firewalld" and SELinux in OpenLDAP Server.

To disable the Firewall "Firewalld", First stop Firewall "Firewalld" then disable Firewall "Firewalld". To stop and disable the Firewall "Firewalld" type the below command.

systemctl stop firewalld
systemctl disable firewalld

To Check the status of Firewall "Firewalld" type the below command.

systemctl status firewalld

To disable SELinux temporary type the below command.

setenforce 0

Above mention command disable SELinux temporary means after reboot the CentOS Linux operating system SELinux enforcing automatically. To Permanent disable SELinux edit "config" file of SELinux that available in "/etc/selinux/config" directory.

In above image SELinux is in Enforcing mode, You can disabled by edit below line.

SELINUX=disabled

Prefer method is to enable Firewall "Firewalld" and SELinux.

Allow Firewall "Firewalld" rules and Configure SELinux for OpenLDAP Server click on >>Read or Disable Firewall "Firewalld" and Disable SELinux then Start OpenLDAP service "slapd", to start OpenLDAP service "slapd" on CentOS Linux 7 type the below command.

systemctl start slapd

Check the status of OpenLDAP service "slapd" type the below command.

systemctl status slapd

To grep the result OpenLDAP port 389 type the below command.

netstat -antup | grep -i 389

To configure the schema of OpenLDAP server on CentOS Linux 7 type the below commands.

ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

Configure "migrate_common.ph" file that available in "/usr/share/migrationtools/migrate_common.ph" directory to migrate local users to OpenLDAP users in CentOS Linux 7.

Use cd command to enter in the "/usr/share/migrationtools/" directory then use vi editor to edit the "migrate_common.ph" file.

cd /usr/share/migrationtools/
vi migrate_common.ph

how install and configure openldap with dns on centos 7

Type ":se nu" to show the file with line numbers.

Edit the below lines in "migrate_common.ph" file. pakistan.local is the domain name of this lab environment, you must set your domain name and change the extended schema from 0 to 1.

Line Number: 71
$DEFAULT_MAIL_DOMAIN = "pakistan.local";
Line Number: 74
$DEFAULT_BASE = "dc=pakistan,dc=local";
Line Number: 90
$EXTENDED_SCHEMA = 1;

To authenticate OpenLDAP users create "base.ldif" file in "/root/base.ldif" directory by use of vi editor, you can create the file by touch command then edit the file by use of vi editor.

vi /root/base.ldif

Edit the below lines in "base.ldif" file.

dn: dc=pakistan,dc=local
objectClass: top
objectClass: dcObject
objectclass: organization
o: pakistan local
dc: pakistan

dn: cn=Manager,dc=pakistan,dc=local
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=People,dc=pakistan,dc=local
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=pakistan,dc=local
objectClass: organizationalUnit
ou: Group

Create Local user then migrate local users to OpenLDAP users. To create local users and set their passwords type below commands.

useradd user1
useradd user2
passwd user1
passwd user2

Check the local users "user1 and user2" has created type the below command. Here user "owais" has already created during the installation of CentOS Linux 7.

cat /etc/passwd

To check the group of local users type the below command.

cat /etc/group

User1 and User2 is not add in any group but user "owais" have a group name "owais" because this user create during the installation of CentOS Linux 7.

To grep the users password and group to temporary password and group files that will create during the grep process then migrate data of users password and group from temporary files to OpenLDAP users and groups files respectively by use of below commands. The OpenLDAP users and groups files also create during the migration process.

grep ":10[0-9][0-9]" /etc/passwd > /root/passwd
grep ":10[0-9][0-9]" /etc/group > /root/group
./migrate_passwd.pl /root/passwd /root/users.ldif
./migrate_group.pl /root/group /root/groups.ldif

To check the current path of user type below command.

pwd

how install and configure openldap on centos 7

To import the LDAP Data Interchange Format ".ldif" files base.ldif, users.ldif and groups.ldif to OpenLDAP Database type the below commands.

ldapadd -x -W -D "cn=Manager,dc=pakistan,dc=local" -f /root/base.ldif
ldapadd -x -W -D "cn=Manager,dc=pakistan,dc=local" -f /root/users.ldif
ldapadd -x -W -D "cn=Manager,dc=pakistan,dc=local" -f /root/groups.ldif