LDAP (Lightweight Directory Access Protocol) is an open, standardised protocol for querying and managing directory services, which are commonly used for centralised authentication:
Active Directory (AD) and IPA are built on it, and it is the usual replacement for the older NIS service (the migration tools used later in this guide can import NIS data).
LDAP stands for: Lightweight Directory Access Protocol
Step 1: Installing OpenLdap
[root@Xpert ~]# yum install openldap-servers openldap-clients openldap migrationtools
NIS , AD , IPA :
LDAP stands for : LightWeight Directory Access Protocol
Step 1: Installing OpenLdap
[root@Xpert ~]# yum install openldap-servers openldap-clients openldap migrationtools
Step 2: Configuring Ldap server have many steps
i) Setting the directory Manager (rootdn) password hash
[root@Xpert ~]# slappasswd -s redhat -n >/etc/openldap/password
Security note: passing the clear-text password with -s exposes it to anyone who can read the process list or your shell history. Prefer running slappasswd without -s so that it prompts for the password, and replace "redhat" with a strong secret. The output file holds only the {SSHA} hash, but keep it root-only (chmod 600 /etc/openldap/password) and remove it once the hash has been copied into changes.ldif in step (ii) below.
ii) Generating CRT for certificate file and Verification
[root@Xpert ~]# slappasswd -s redhat -n >/etc/openldap/password
Note: this line simply repeats the step (i) command and regenerates the same hash file; it can be skipped. The certificate itself is created in step (iii).
iii) Generating a self-signed certificate (CRT) and its private key
Note: -nodes writes the private key unencrypted so that slapd can start unattended, which is why the key is restricted with chmod 600 in step (iv). -x509 produces a self-signed certificate, so every LDAP client must be given a copy of cert.pem as a trusted CA (TLS_CACERT in ldap.conf) or it will fail certificate verification (disabling verification with TLS_REQCERT defeats the purpose of TLS). The Common Name must match the hostname clients use to reach the server.
[root@Xpert ~]# openssl req -new -x509 -nodes -out /etc/openldap/certs/cert.pem -keyout /etc/openldap/certs/priv.pem -days 365
Generating a 2048 bit RSA private key
.......................+++
......................+++
writing new private key to '/etc/openldap/certs/priv.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:RAJ
Locality Name (eg, city) [Default City]:JAIPUR
Organization Name (eg, company) [Default Company Ltd]:LW
Organizational Unit Name (eg, section) []:TECH
Common Name (eg, your name or your server's hostname) []:desktop87.example.com
Email Address []:
iv) Check the created files and change the owner and permission
[root@Xpert certs]# cd /etc/openldap/certs/
[root@Xpert certs]# ls
cert8.db cert.pem key3.db password priv.pem secmod.db
[root@Xpert certs]# chown ldap:ldap *
[root@Xpert certs]# chmod 600 priv.pem
v) Prepare Ldap Database and generate database files
[root@Xpert certs]# cp /usr/share/openldap-server/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@Xpert certs]# slaptest
57ce90a9 hdb_db_open: database "dc=my-domain,dc=com": db_open(/var/lib/ldap/id2entry.bdb) failed: No such file or directory (2).
57ce90a9 backend_startup_one (type=hdb, suffix="dc=my-domain,dc=com"): bi_db_open failed! (2)
slap_startup failed (test would succeed using the -u switch)
Note: this error only means that the database files in /var/lib/ldap do not exist yet; they are created when slapd first starts, so it does not indicate a configuration problem. To check the configuration alone, run slaptest -u as the message itself suggests.
vi) Change ownership and group
[root@Xpert certs]# chown ldap:ldap /var/lib/ldap/*
Step 3 : Start the Service of ldap
[root@desktop87 certs]# systemctl restart slapd
[root@desktop87 certs]# systemctl enable slapd
Created symlink from /etc/systemd/system/multi-user.target.wants/slapd.service to /usr/lib/systemd/system/slapd.service.
Some Additional and Most important steps
i) To start ldap server add cosine & nis LDAP schema.
[root@Xpert certs]# cd /etc/openldap/schema/
[root@Xpert schema]#
[root@Xpert schema]# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"
[root@Xpert schema]# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f nis.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"
ii)
Then create /etc/openldap/changes.ldif with the following content, replacing the olcRootPW value with the hash generated in step 2 (i) (it looks like {SSHA}qhdZdZY1hCHJrON1OWRpChqIE3YtnZDT). Each record (every block starting with dn:) must be separated from the next by an empty line, otherwise ldapmodify reads the file as one malformed record. The database name olcDatabase={2}hdb must match what your installation shipped (check with ls /etc/openldap/slapd.d/cn=config/).
Note: This file will look like
[root@Xpert schema]# cat /etc/openldap/changes.ldif
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=example,dc=com
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=example,dc=com
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
# previously generated password hash (see above). The comment has to be on its own line:
# LDIF only treats a line that starts with '#' as a comment, so trailing text after the
# hash would become part of the stored value and the Manager password would never match.
olcRootPW: {SSHA}qhdZdZY1hCHJrON1OWRpChqIE3YtnZDT
dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/cert.pem
dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/priv.pem
dn: cn=config
changetype: modify
replace: olcLogLevel
# -1 enables every debug category. It is extremely noisy and writes every connection,
# bind DN and search filter to syslog, so use it only while troubleshooting and switch
# to "stats" (256) afterwards.
olcLogLevel: -1
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=example,dc=com" read by * none
Note: this file only sets an ACL on the monitor database. No olcAccess is defined for olcDatabase={2}hdb, where the users (and the userPassword hashes migrated in the "Account Migration" section) will live; unless your stock configuration already restricts it, slapd's built-in default of "to * by * read" lets anonymous clients read those hashes. Add (or, if one already exists, replace) a rule such as:
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn.base="cn=Manager,dc=example,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to * by dn.base="cn=Manager,dc=example,dc=com" write by * read
iii) Send configuration to Slapd server
[root@Xpert schema]# ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/openldap/changes.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "cn=config"
modifying entry "cn=config"
modifying entry "cn=config"
modifying entry "olcDatabase={1}monitor,cn=config"
iv) Create /etc/openldap/base.ldif with the following three records (again, leave an empty line between each dn: block; the listing below has lost them):
This file will look like this
[root@Xpert schema]# cat /etc/openldap/base.ldif
dn: dc=example,dc=com
dc: example
objectClass: top
objectClass: domain
dn: ou=People,dc=example,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit
dn: ou=Group,dc=example,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit
v) Building the Structure of Directory Services
[root@Xpert schema]# ldapadd -x -w redhat -D cn=Manager,dc=example,dc=com -f /etc/openldap/base.ldif
Note: -w puts the Manager password on the command line, where it is visible in the process list and shell history; use -W to be prompted (or -y <file>) instead. Without -H this simple bind goes to the default URI from /etc/openldap/ldap.conf, so bind over -H ldapi:/// or add -ZZ to force STARTTLS so that the clear-text password does not cross the network.
vi) Creating Users
[root@Xpert schema]# mkdir /home/guests
[root@Xpert schema]# useradd -d /home/guests/ldapuser1 ldapuser1
[root@Xpert schema]# passwd ldapuser1
Changing password for user ldapuser1.
New password:
BAD PASSWORD: The password is a palindrome
Retype new password:
passwd: all authentication tokens updated successfully.
Note: you can create as many local users as you need this way. Root is allowed to override the BAD PASSWORD warning shown above, but that weak password hash is exactly what gets migrated into LDAP in the next section, so choose a password that passes the quality check.
Account Migration :
==============
Go to Directory given below
[root@Xpert schema]# cd /usr/share/migrationtools/
[root@Xpert migrationtools]# ls
migrate_aliases.pl migrate_automount.pl migrate_networks.pl
migrate_all_netinfo_offline.sh migrate_base.pl migrate_passwd.pl
migrate_all_netinfo_online.sh migrate_common.ph migrate_profile.pl
migrate_all_nis_offline.sh migrate_fstab.pl migrate_protocols.pl
migrate_all_nis_online.sh migrate_group.pl migrate_rpc.pl
migrate_all_nisplus_offline.sh migrate_hosts.pl migrate_services.pl
migrate_all_nisplus_online.sh migrate_netgroup_byhost.pl migrate_slapd_conf.pl
migrate_all_offline.sh migrate_netgroup_byuser.pl
migrate_all_online.sh migrate_netgroup.pl
============
Note: Edit the file migrate_common.ph and change given line
i) Setting the directory Manager (rootdn) password hash
[root@Xpert ~]# slappasswd -s redhat -n >/etc/openldap/password
Security note: passing the clear-text password with -s exposes it to anyone who can read the process list or your shell history. Prefer running slappasswd without -s so that it prompts for the password, and replace "redhat" with a strong secret. The output file holds only the {SSHA} hash, but keep it root-only (chmod 600 /etc/openldap/password) and remove it once the hash has been copied into changes.ldif in step (ii) below.
ii) Generating CRT for certificate file and Verification
[root@Xpert ~]# slappasswd -s redhat -n >/etc/openldap/password
Note: this line simply repeats the step (i) command and regenerates the same hash file; it can be skipped. The certificate itself is created in step (iii).
iii) Generating a self-signed certificate (CRT) and its private key
Note: -nodes writes the private key unencrypted so that slapd can start unattended, which is why the key is restricted with chmod 600 in step (iv). -x509 produces a self-signed certificate, so every LDAP client must be given a copy of cert.pem as a trusted CA (TLS_CACERT in ldap.conf) or it will fail certificate verification (disabling verification with TLS_REQCERT defeats the purpose of TLS). The Common Name must match the hostname clients use to reach the server.
[root@Xpert ~]# openssl req -new -x509 -nodes -out /etc/openldap/certs/cert.pem -keyout /etc/openldap/certs/priv.pem -days 365
Generating a 2048 bit RSA private key
.......................+++
......................+++
writing new private key to '/etc/openldap/certs/priv.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:RAJ
Locality Name (eg, city) [Default City]:JAIPUR
Organization Name (eg, company) [Default Company Ltd]:LW
Organizational Unit Name (eg, section) []:TECH
Common Name (eg, your name or your server's hostname) []:desktop87.example.com
Email Address []:
iv) Check the created files and change the owner and permission
[root@Xpert certs]# cd /etc/openldap/certs/
[root@Xpert certs]# ls
cert8.db cert.pem key3.db password priv.pem secmod.db
[root@Xpert certs]# chown ldap:ldap *
[root@Xpert certs]# chmod 600 priv.pem
v) Prepare Ldap Database and generate database files
[root@Xpert certs]# cp /usr/share/openldap-server/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@Xpert certs]# slaptest
57ce90a9 hdb_db_open: database "dc=my-domain,dc=com": db_open(/var/lib/ldap/id2entry.bdb) failed: No such file or directory (2).
57ce90a9 backend_startup_one (type=hdb, suffix="dc=my-domain,dc=com"): bi_db_open failed! (2)
slap_startup failed (test would succeed using the -u switch)
Note: this error only means that the database files in /var/lib/ldap do not exist yet; they are created when slapd first starts, so it does not indicate a configuration problem. To check the configuration alone, run slaptest -u as the message itself suggests.
vi) Change ownership and group
[root@Xpert certs]# chown ldap:ldap /var/lib/ldap/*
Step 3 : Start the Service of ldap
[root@desktop87 certs]# systemctl restart slapd
[root@desktop87 certs]# systemctl enable slapd
Created symlink from /etc/systemd/system/multi-user.target.wants/slapd.service to /usr/lib/systemd/system/slapd.service.
Some Additional and Most important steps
i) To start ldap server add cosine & nis LDAP schema.
[root@Xpert certs]# cd /etc/openldap/schema/
[root@Xpert schema]#
[root@Xpert schema]# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"
[root@Xpert schema]# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f nis.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"
ii)
Then create /etc/openldap/changes.ldif with the following content, replacing the olcRootPW value with the hash generated in step 2 (i) (it looks like {SSHA}qhdZdZY1hCHJrON1OWRpChqIE3YtnZDT). Each record (every block starting with dn:) must be separated from the next by an empty line, otherwise ldapmodify reads the file as one malformed record. The database name olcDatabase={2}hdb must match what your installation shipped (check with ls /etc/openldap/slapd.d/cn=config/).
Note: This file will look like
[root@Xpert schema]# cat /etc/openldap/changes.ldif
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=example,dc=com
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=example,dc=com
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
# previously generated password hash (see above). The comment has to be on its own line:
# LDIF only treats a line that starts with '#' as a comment, so trailing text after the
# hash would become part of the stored value and the Manager password would never match.
olcRootPW: {SSHA}qhdZdZY1hCHJrON1OWRpChqIE3YtnZDT
dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/cert.pem
dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/priv.pem
dn: cn=config
changetype: modify
replace: olcLogLevel
# -1 enables every debug category. It is extremely noisy and writes every connection,
# bind DN and search filter to syslog, so use it only while troubleshooting and switch
# to "stats" (256) afterwards.
olcLogLevel: -1
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=example,dc=com" read by * none
Note: this file only sets an ACL on the monitor database. No olcAccess is defined for olcDatabase={2}hdb, where the users (and the userPassword hashes migrated in the "Account Migration" section) will live; unless your stock configuration already restricts it, slapd's built-in default of "to * by * read" lets anonymous clients read those hashes. Add (or, if one already exists, replace) a rule such as:
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn.base="cn=Manager,dc=example,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to * by dn.base="cn=Manager,dc=example,dc=com" write by * read
iii) Send configuration to Slapd server
[root@Xpert schema]# ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/openldap/changes.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "cn=config"
modifying entry "cn=config"
modifying entry "cn=config"
modifying entry "olcDatabase={1}monitor,cn=config"
iv) Create /etc/openldap/base.ldif with the following three records (again, leave an empty line between each dn: block; the listing below has lost them):
This file will look like this
[root@Xpert schema]# cat /etc/openldap/base.ldif
dn: dc=example,dc=com
dc: example
objectClass: top
objectClass: domain
dn: ou=People,dc=example,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit
dn: ou=Group,dc=example,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit
v) Building the Structure of Directory Services
[root@Xpert schema]# ldapadd -x -w redhat -D cn=Manager,dc=example,dc=com -f /etc/openldap/base.ldif
Note: -w puts the Manager password on the command line, where it is visible in the process list and shell history; use -W to be prompted (or -y <file>) instead. Without -H this simple bind goes to the default URI from /etc/openldap/ldap.conf, so bind over -H ldapi:/// or add -ZZ to force STARTTLS so that the clear-text password does not cross the network.
vi) Creating Users
[root@Xpert schema]# mkdir /home/guests
[root@Xpert schema]# useradd -d /home/guests/ldapuser1 ldapuser1
[root@Xpert schema]# passwd ldapuser1
Changing password for user ldapuser1.
New password:
BAD PASSWORD: The password is a palindrome
Retype new password:
passwd: all authentication tokens updated successfully.
Note: you can create as many local users as you need this way. Root is allowed to override the BAD PASSWORD warning shown above, but that weak password hash is exactly what gets migrated into LDAP in the next section, so choose a password that passes the quality check.
Account Migration :
==============
Go to Directory given below
[root@Xpert schema]# cd /usr/share/migrationtools/
[root@Xpert migrationtools]# ls
migrate_aliases.pl migrate_automount.pl migrate_networks.pl
migrate_all_netinfo_offline.sh migrate_base.pl migrate_passwd.pl
migrate_all_netinfo_online.sh migrate_common.ph migrate_profile.pl
migrate_all_nis_offline.sh migrate_fstab.pl migrate_protocols.pl
migrate_all_nis_online.sh migrate_group.pl migrate_rpc.pl
migrate_all_nisplus_offline.sh migrate_hosts.pl migrate_services.pl
migrate_all_nisplus_online.sh migrate_netgroup_byhost.pl migrate_slapd_conf.pl
migrate_all_offline.sh migrate_netgroup_byuser.pl
migrate_all_online.sh migrate_netgroup.pl
============
Note: Edit the file migrate_common.ph and change given line
$DEFAULT_MAIL_DOMAIN = "example.com";
$DEFAULT_BASE = "dc=example,dc=com";
============================
[root@Xpert migrationtools]# grep ":10[0-9][0-9]" /etc/passwd > passwd
Note: the pattern matches any field containing 1000-1099 (UIDs, and GIDs in that range); adjust it to the UID range of the accounts you actually want to migrate.
[root@Xpert migrationtools]# ./migrate_passwd.pl passwd users.ldif
Note: users.ldif now carries a userPassword value for every exported account (the migration script takes the hashes from /etc/shadow when it can read them), so treat it like /etc/shadow: chmod 600 users.ldif, and delete it together with the passwd/group extracts once the imports below have succeeded. The ldapadd commands below use -w again; prefer -W as explained earlier.
[root@Xpert migrationtools]# ldapadd -x -w redhat -D cn=Manager,dc=example,dc=com -f users.ldif
adding new entry "uid=linux,ou=People,dc=example,dc=com"
adding new entry "uid=me,ou=People,dc=example,dc=com"
adding new entry "uid=you,ou=People,dc=example,dc=com"
adding new entry "uid=cloud,ou=People,dc=example,dc=com"
adding new entry "uid=ldapuser1,ou=People,dc=example,dc=com"
[root@Xpert migrationtools]# grep ":10[0-9][0-9]" /etc/group > group
[root@Xpert migrationtools]# ./migrate_group.pl group groups.ldif
[root@Xpert migrationtools]# ./migrate_group.pl group groups.ldif
[root@Xpert migrationtools]# ldapadd -x -w redhat -D cn=Manager,dc=example,dc=com -f groups.ldif
adding new entry "cn=linux,ou=Group,dc=example,dc=com"
adding new entry "cn=me,ou=Group,dc=example,dc=com"
adding new entry "cn=technical,ou=Group,dc=example,dc=com"
adding new entry "cn=you,ou=Group,dc=example,dc=com"
adding new entry "cn=tech,ou=Group,dc=example,dc=com"
adding new entry "cn=cloud,ou=Group,dc=example,dc=com"
adding new entry "cn=ldapuser1,ou=Group,dc=example,dc=com"
Note: the server side is now complete. Verify it with ldapsearch -x -H ldap://localhost -b dc=example,dc=com before touching clients, then configure the LDAP clients (with TLS pointed at a copy of cert.pem) and log in as the migrated users.
If anyone want to do RHCE Training in Jaipur, please visit on - http://www.rhce.co.in/