Installation and Configuration of OpenLDAP Server with DNS Server on CentOS 7
For the installation and configuration of the DNS server for the OpenLDAP server, click on >>Read.
OpenLDAP is an open source implementation of the Lightweight Directory Access Protocol. Its basic purpose is to centralize network resources, for example so that a user can access his personal home folder and files from a Linux machine (CentOS Linux 7 in our case) by use of a Network File Sharing (NFS) server. OpenLDAP works as a directory service that stores user IDs, user passwords, computers, etc. For communication OpenLDAP uses TCP port 389. Most corporate sectors use OpenLDAP in their infrastructure for the Linux System Administration, Linux Database Administration and DevOps teams to secure their work.
DNS stands for Domain Name System and uses TCP and UDP port 53. The purpose of DNS in OpenLDAP is to store the computer records in the forward and reverse lookup zone files for a centralized authentication environment. DNS helps to locate computers and applications (inside operating systems) by IP address and by name.
Requirements of this Lab Environment
S.no | Machine | Packages                              | Name / IP Address
1.   | Server  | OpenLDAP Server and Bind "DNS Server" | LDAP-DNS / 192.168.10.215
2.   | Client  | OpenLDAP Clients and NSS Pam LDAPD    | Linux2 / 192.168.10.216
To check the hostname and the IP configuration file of the OpenLDAP server, type the below commands.
cat /etc/hostname
cat /etc/sysconfig/network-scripts/ifcfg-ens33
To check the hosts file of the OpenLDAP server, type the below command.
cat /etc/hosts
In the above image you can see that the hostname and the fully qualified domain name (hostname + domain name) have been written next to the IP address. This line is required in the hosts file of the OpenLDAP server because it is also the DNS server. On the client machine there is no need to add the hostname and fully qualified domain name with the IP address, because on the client side the DNS server is used to resolve the client hostname to its IP address and the IP address to its hostname.
To install the OpenLDAP packages with the migration tools on the CentOS Linux 7 machine, type the below command.
yum -y install openldap* migrationtools
The OpenLDAP server packages have been installed successfully on the CentOS Linux 7 machine.
To create the OpenLDAP administration password, type the below command. This is the root password for OpenLDAP on CentOS 7.
slappasswd
After typing the slappasswd command, enter your desired password twice and copy the hashed password. This hashed password will be placed in the configuration file of OpenLDAP.
For a trust relationship between the client and server machines, create a self-signed certificate on the OpenLDAP server. Type the below command to create a self-signed certificate valid for 1 year; you can set the validity period of this certificate (in days) as per your requirement.
openssl req -new -x509 -nodes -out /etc/pki/tls/certs/openldap.pem -keyout /etc/pki/tls/certs/openldapkey.pem -days 365
Set the Country Name, State or Province Name, Locality Name, Organization Name, Organizational Unit Name, Common Name and Email Address to fulfill the certificate request prompts.
To verify that the certificate has been created, type the below command.
ll /etc/pki/tls/certs/*.pem
The result lists the self-signed certificate file together with its key file, as shown below.
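The openssl command above asks for the subject fields interactively. The shell functions below, an added example and not the article's own commands, create the same kind of self-signed certificate non-interactively with -subj and then perform the checks worth doing before slapd loads the files: that the private key and the certificate actually form a pair, that the certificate is not about to expire, and which Common Name it carries (clients compare this name with the server name they connect to, so it should be the server's fully qualified domain name). The output directory, the placeholder subject fields and the server name ldap-dns.pakistan.local are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original article): create the self-signed
# certificate non-interactively and verify the result before slapd uses it.
# Assumed/constructed values: the work directory is passed in, the subject
# fields are placeholders and the Common Name is the LDAP server's FQDN
# (ldap-dns.pakistan.local in the stand-alone run below).

# make_selfsigned DIR CN DAYS: key + self-signed certificate in DIR for CN.
make_selfsigned() {
  dir=$1; cn=$2; days=$3
  mkdir -p "$dir"
  openssl req -new -x509 -nodes -newkey rsa:2048 -days "$days" \
    -subj "/C=XX/ST=State/L=City/O=Lab/OU=IT/CN=$cn" \
    -keyout "$dir/openldapkey.pem" -out "$dir/openldap.pem" 2>/dev/null || return 1
  # The private key must never be world-readable. On the server slapd runs as
  # the ldap user and needs read access (e.g. root:ldap, mode 640); that
  # ownership step is left out here because this runs in a scratch directory.
  chmod 600 "$dir/openldapkey.pem"
}

# cert_key_match CERT KEY: succeed only if the public key embedded in CERT is
# the one derived from KEY, i.e. the two files really belong together.
cert_key_match() {
  a=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  b=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# cert_valid_for CERT SECONDS: succeed if CERT is still valid SECONDS from now.
cert_valid_for() {
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# cert_cn CERT: print the Common Name from the certificate subject.
cert_cn() {
  openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# Stand-alone run: `sh thisfile.sh run`
if [ "${1:-}" = "run" ]; then
  d=$(mktemp -d)
  make_selfsigned "$d" ldap-dns.pakistan.local 365
  cert_key_match "$d/openldap.pem" "$d/openldapkey.pem" && echo "key matches certificate"
  cert_valid_for "$d/openldap.pem" 2592000 && echo "valid for at least 30 days"
  echo "CN: $(cert_cn "$d/openldap.pem")"
fi
```

The cert_valid_for check is the one to put in a cron job or monitoring check on the server: a self-signed certificate issued for 365 days expires silently, and every LDAP client that validates the server certificate stops authenticating users on that day.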
Configure the main configuration file of the OpenLDAP database, "olcDatabase={2}hdb.ldif", which is in the "/etc/openldap/slapd.d/cn=config" directory, by use of the vi editor.
First use the cd command to enter the directory "/etc/openldap/slapd.d/cn=config".
cd /etc/openldap/slapd.d/cn=config
Then use the vi editor to edit the main configuration file of the OpenLDAP database, "olcDatabase={2}hdb.ldif".
vi olcDatabase={2}hdb.ldif
In this configuration file edit the below lines as per your environment. pakistan.local is the domain name of this lab environment; you must set your own domain name in the below lines.
olcSuffix: dc=pakistan,dc=local
olcRootDN: cn=Manager,dc=pakistan,dc=local
Also add the below lines at the end of the configuration file. These lines contain the hashed password of the OpenLDAP root user, the self-signed certificate file path and the self-signed certificate key file path.
olcRootPW: {SSHA}oRziaj3hPpcqbF0qbiGbT4imbSELUifT
olcTLSCertificateFile: /etc/pki/tls/certs/openldap.pem
olcTLSCertificateKeyFile: /etc/pki/tls/certs/openldapkey.pem
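The value after olcRootPW is the {SSHA} hash that slappasswd printed earlier, not an encrypted password: it is base64(SHA-1(password || salt) || salt) with a 4-byte random salt, which is why the 32 base64 characters in the article's value cannot be reversed and why running slappasswd twice gives two different values for the same password. The shell functions below, added here as an example and not part of the original article, rebuild such a hash from a password and a salt and verify a password against a stored hash using only openssl, base64 and od. The password Secret123 and the salt ab12 used in the stand-alone run are constructed values; the article's own hash cannot be verified here because its password is not on the page.

```shell
#!/bin/sh
# Added example (not from the original article): build and verify an {SSHA}
# password hash of the kind slappasswd produces for olcRootPW.
# {SSHA} = base64( SHA1(password || salt) || salt ). slappasswd uses 4 random
# salt bytes; the salt "ab12" in the stand-alone run is a constructed value.

# to_escapes: stdin bytes -> printf octal escapes (\141\142...), so a salt made
# of arbitrary bytes can be carried in a shell variable and re-emitted exactly.
to_escapes() {
  od -An -v -to1 | awk '{ for (i = 1; i <= NF; i++) printf "\\%s", $i }'
}

# ssha_from_escapes PASSWORD SALT_ESCAPES -> {SSHA}... (internal helper)
ssha_from_escapes() {
  { { printf '%s' "$1"; printf "$2"; } | openssl dgst -sha1 -binary; printf "$2"; } \
    | base64 | tr -d '\n' | sed 's/^/{SSHA}/'
}

# ssha_make PASSWORD SALT -> {SSHA}... ; SALT is given as a plain string.
ssha_make() {
  ssha_from_escapes "$1" "$(printf '%s' "$2" | to_escapes)"
}

# ssha_verify PASSWORD HASH: exit 0 when PASSWORD matches the stored HASH.
# The salt is whatever follows the 20-byte SHA-1 digest in the decoded hash;
# the hash is recomputed with that salt and compared as a whole string.
ssha_verify() {
  pass=$1; stored=$2
  case $stored in "{SSHA}"*) ;; *) return 2 ;; esac
  salt_esc=$(printf '%s' "$stored" | sed 's/^{SSHA}//' | base64 -d | od -An -v -to1 \
    | awk '{ for (i = 1; i <= NF; i++) { n++; if (n > 20) printf "\\%s", $i } }')
  [ "$(ssha_from_escapes "$pass" "$salt_esc")" = "$stored" ]
}

# Stand-alone run: `sh thisfile.sh run`
if [ "${1:-}" = "run" ]; then
  h=$(ssha_make 'Secret123' 'ab12')
  echo "olcRootPW: $h"
  ssha_verify 'Secret123' "$h" && echo "correct password accepted"
  ssha_verify 'wrong' "$h" || echo "wrong password rejected"
fi
```

SHA-1 with a 4-byte salt is the OpenLDAP default here, not a recommendation; the point of the example is to show what the string in the configuration file actually is, so that it is treated as a password hash (readable only by root and the ldap user) and never pasted into tickets or version control.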
To monitor the OpenLDAP server, set the domain name in the OpenLDAP monitoring database file "olcDatabase={1}monitor.ldif". Use the vi editor to edit the "olcDatabase={1}monitor.ldif" file, which is in the "/etc/openldap/slapd.d/cn=config" directory.
vi olcDatabase={1}monitor.ldif
Set the domain name pakistan.local, shown with a red underline in the image; you must set your own domain name.
Type the below command to verify the OpenLDAP server configuration. If a checksum error occurs, just ignore it.
slaptest -u
The OpenLDAP service slapd runs as the ldap user by default; if you start the slapd service while its files are owned by the root user, it will give errors about incorrect permissions.
To start the OpenLDAP service slapd, give the permissions to the ldap user.
First copy the "DB_CONFIG.example" file, available at "/usr/share/openldap-servers/DB_CONFIG.example", to the "DB_CONFIG" file at "/var/lib/ldap/DB_CONFIG". By default the "DB_CONFIG" file is not present in the "/var/lib/ldap/" directory. Type the below command to copy the file.
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
Then give the ldap user ownership of the "/var/lib/ldap/" directory by use of the below command.
chown -R ldap:ldap /var/lib/ldap/
To configure the firewall (firewalld) and SELinux on the OpenLDAP server, click on >>Read.
You can disable the firewall (firewalld) and SELinux on the OpenLDAP server.
To disable the firewall (firewalld), first stop firewalld and then disable it. To stop and disable firewalld, type the below commands.
systemctl stop firewalld
systemctl disable firewalld
To check the status of the firewall (firewalld), type the below command.
systemctl status firewalld
To disable SELinux temporarily, type the below command.
setenforce 0
The above command disables SELinux only temporarily, meaning that after a reboot of the CentOS Linux operating system SELinux is enforcing again automatically. To disable SELinux permanently, edit the SELinux "config" file, available at "/etc/selinux/config".
In the above image SELinux is in enforcing mode. You can disable it by editing the below line.
SELINUX=disabled
The preferred method is to keep the firewall (firewalld) and SELinux enabled.
Either allow the firewall (firewalld) rules and configure SELinux for the OpenLDAP server (click on >>Read), or disable the firewall (firewalld) and disable SELinux; then start the OpenLDAP service "slapd". To start the OpenLDAP service "slapd" on CentOS Linux 7, type the below command.
systemctl start slapd
To check the status of the OpenLDAP service "slapd", type the below command.
systemctl status slapd
To grep the result for OpenLDAP port 389, type the below command.
netstat -antup | grep -i 389
To configure the schema of the OpenLDAP server on CentOS Linux 7, type the below commands.
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
Configure the "migrate_common.ph" file, available at "/usr/share/migrationtools/migrate_common.ph", to migrate local users to OpenLDAP users on CentOS Linux 7.
Use the cd command to enter the "/usr/share/migrationtools/" directory, then use the vi editor to edit the "migrate_common.ph" file.
cd /usr/share/migrationtools/
vi migrate_common.ph
Type ":se nu" in vi to show the file with line numbers.
Edit the below lines in the "migrate_common.ph" file. pakistan.local is the domain name of this lab environment; you must set your own domain name and change the extended schema from 0 to 1.
Line 71: $DEFAULT_MAIL_DOMAIN = "pakistan.local";
Line 74: $DEFAULT_BASE = "dc=pakistan,dc=local";
Line 90: $EXTENDED_SCHEMA = 1;
To authenticate OpenLDAP users, create the "base.ldif" file at "/root/base.ldif" by use of the vi editor; you can create the file with the touch command and then edit it with vi.
vi /root/base.ldif
Enter the below lines in the "base.ldif" file. Each entry is separated from the next by a blank line.
dn: dc=pakistan,dc=local
objectClass: top
objectClass: dcObject
objectclass: organization
o: pakistan local
dc: pakistan

dn: cn=Manager,dc=pakistan,dc=local
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=People,dc=pakistan,dc=local
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=pakistan,dc=local
objectClass: organizationalUnit
ou: Group
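The olcSuffix and olcRootDN values set earlier and the base.ldif entries above all derive from one domain name, and a typo in any of them leaves entries outside the suffix the server serves. The shell script below, added as an example and not part of the original article, turns a domain into its base DN, generates the same four base.ldif entries for any domain, and checks that every dn in an LDIF sits under the expected suffix before it is handed to ldapadd. The organization name is assumed to be the domain with dots replaced by spaces, matching the article's "o: pakistan local", and the admin role name defaults to Manager as in the article.

```shell
#!/bin/sh
# Added example (not from the original article): derive the base DN from a
# domain name, generate the base.ldif entries for any domain, and sanity-check
# an LDIF before it is fed to ldapadd.
# Assumption: the "o:" attribute is the domain with dots replaced by spaces.

# domain_to_dn pakistan.local -> dc=pakistan,dc=local
domain_to_dn() {
  printf '%s\n' "$1" | awk -F. '{
    for (i = 1; i <= NF; i++) printf "%sdc=%s", (i > 1 ? "," : ""), $i
    printf "\n"
  }'
}

# make_base_ldif DOMAIN [ADMIN_CN]: the suffix entry, the admin role and the
# People/Group organizational units. Entries are separated by blank lines,
# which ldapadd requires to tell one entry from the next.
make_base_ldif() {
  domain=$1; admin=${2:-Manager}
  base=$(domain_to_dn "$domain")
  first=${domain%%.*}
  org=$(printf '%s' "$domain" | tr '.' ' ')
  cat <<EOF
dn: $base
objectClass: top
objectClass: dcObject
objectClass: organization
o: $org
dc: $first

dn: cn=$admin,$base
objectClass: organizationalRole
cn: $admin
description: Directory Manager

dn: ou=People,$base
objectClass: organizationalUnit
ou: People

dn: ou=Group,$base
objectClass: organizationalUnit
ou: Group
EOF
}

# ldif_dn_count: number of entries (dn: lines) in the LDIF read from stdin.
ldif_dn_count() {
  grep -c '^dn: '
}

# ldif_check BASE_DN: fail unless the LDIF on stdin has at least one entry and
# every dn ends with BASE_DN, i.e. nothing would be added outside the suffix.
ldif_check() {
  awk -v base="$1" '
    /^dn: / { n++; if (substr($0, length($0) - length(base) + 1) != base) bad++ }
    END { exit (n > 0 && !bad) ? 0 : 1 }'
}

# Stand-alone run: `sh thisfile.sh run pakistan.local > /root/base.ldif`
if [ "${1:-}" = "run" ]; then
  make_base_ldif "${2:-pakistan.local}"
fi
```

The same ldif_check can be run over users.ldif and groups.ldif produced by the migration tools: if $DEFAULT_BASE in migrate_common.ph was left at its default, every dn in those files ends with the wrong suffix and the check fails before ldapadd is ever called.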
Create local users, then migrate the local users to OpenLDAP users. To create the local users and set their passwords, type the below commands.
useradd user1
useradd user2
passwd user1
passwd user2
To check that the local users "user1" and "user2" have been created, type the below command. Here the user "owais" was already created during the installation of CentOS Linux 7.
cat /etc/passwd
To check the groups of the local users, type the below command.
cat /etc/group
user1 and user2 are not added to any group, but the user "owais" has a group named "owais" because this user was created during the installation of CentOS Linux 7.
Grep the users' password and group entries into temporary password and group files, which are created during the grep, then migrate the user password and group data from the temporary files into the OpenLDAP users and groups files respectively by use of the below commands. The OpenLDAP users and groups files are also created during the migration process.
grep ":10[0-9][0-9]" /etc/passwd > /root/passwd
grep ":10[0-9][0-9]" /etc/group > /root/group
./migrate_passwd.pl /root/passwd /root/users.ldif
./migrate_group.pl /root/group /root/groups.ldif
To check the current working directory, type the below command.
pwd
To import the LDAP Data Interchange Format (".ldif") files base.ldif, users.ldif and groups.ldif into the OpenLDAP database, type the below commands.
ldapadd -x -W -D "cn=Manager,dc=pakistan,dc=local" -f /root/base.ldif
ldapadd -x -W -D "cn=Manager,dc=pakistan,dc=local" -f /root/users.ldif
ldapadd -x -W -D "cn=Manager,dc=pakistan,dc=local" -f /root/groups.ldif
To check the user "user1" in the OpenLDAP database, type the below command.
ldapsearch -x cn=user1 -b dc=pakistan,dc=local
To check all users in the OpenLDAP database, type the below command.
ldapsearch -x -b 'dc=pakistan,dc=local' '(objectclass=*)'
OpenLDAP Server configuration on CentOS Linux 7 has completed.
To authenticate a CentOS Linux 7 client machine against the OpenLDAP server, click on >>Read.
Thanks for reading this article.