LDAP known as Light Weight Directory Access Protocol is a protocol used for accessing X.500 service containers within an enterprise known from a directory. Those who are familiar with Windows Server Administration can think of LDAP as being very similar in nature to Active Directory. It is even a widely used concept of intertwining Windows workstations into an OpenLDAP CentOS enterprise. On the other spectrum, a CentOS Linux workstation can share resources and participate with the basic functionality in a Windows Domain.
Deploying LDAP on CentOS as a Directory Server Agent, Directory System Agent, or DSA (these acronyms are all one and the same) is similar to older Novell Netware installations using the Directory Tree structure with NDS.
LDAP was basically created as an efficient way to access X.500 directories with enterprise resources. Both X.500 and LDAP share the same characteristics and are so similar that LDAP clients can access X.500 directories with some helpers. While LDAP also has its own directory server called slapd. The main difference between LDAP and DAP is, the lightweight version is designed to operate over TCP.
While DAP uses the full OSI Model. With the advent of the Internet, TCP/IP and Ethernet prominence in networks of today, it is rare to come across a Directory Services implantation using both DAP and native X.500 enterprise directories outside specific legacy computing models.
The main components used with openldap for CentOS Linux are −
openldap | LDAP support libraries |
---|---|
openldap-server | LDAP server |
openldap-clients | LDAP client utlities |
openldap-devel | Development libraries for OpenLDAP |
compay-openldap | OpenLDAP shared libraries |
slapd | Directory server daemon of OpenLDAP |
slurpd | Used for LDAP replication across an enterprise domain |
Note − When naming your enterprise, it is a best practice to use the .local TLD. Using a .net or .com can cause difficulties when segregating an online and internal domain infrastructure. Imagine the extra work for a company internally using acme.com for both external and internal operations. Hence, it can be wise to have Internet resources called acme.com or acme.net. Then, the local networking enterprise resources is depicted as acme.local. This will entail configuring DNS records, but will pay in simplicity, eloquence and security.
Install the openldap, openldap-servers, openldap-clients and migrationstools from YUM.
[root@localhost]# yum -y install openldap openldap-servers openldap-clients migration tools Loaded plugins: fastestmirror, langpacks updates | 3.4 kB 00:00:00 updates/7/x86_64/primary_db | 2.2 MB 00:00:05 Determining fastest mirrors (1/2): extras/7/x86_64/primary_db | 121 kB 00:00:01 (2/2): base/7/x86_64/primary_db | 5.6 MB 00:00:16 Package openldap-2.4.40-13.el7.x86_64 already installed and latest version Resolving Dependencies --> Running transaction check ---> Package openldap-clients.x86_64 0:2.4.40-13.el7 will be installed ---> Package openldap-servers.x86_64 0:2.4.40-13.el7 will be installed --> Finished Dependency Resolution base/7/x86_64/group_gz | 155 kB 00:00:00 Dependencies Resolved =============================================================================== =============================================================================== Package Arch Version Repository Size =============================================================================== =============================================================================== Installing: openldap-clients x86_64 2.4.40-13.el7 base 188 k openldap-servers x86_64 2.4.40-13.el7 base 2.1 M Transaction Summary =============================================================================== =============================================================================== Install 2 Packages Total download size: 2.3 M Installed size: 5.3 M Downloading packages: Installed: openldap-clients.x86_64 0:2.4.40-13.el7 openldap-servers.x86_64 0:2.4.40-13.el7 Complete! [root@localhost]#
Now, let's start and enable the slapd service −
[root@centos]# systemctl start slapd [root@centos]# systemctl enable slapd
At this point, let's assure we have our openldap structure in /etc/openldap.
root@localhost]# ls /etc/openldap/ certs check_password.conf ldap.conf schema slapd.d [root@localhost]#
Then make sure our slapd service is running.
root@centos]# netstat -antup | grep slapd tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 1641/slapd tcp6 0 0 :::389 :::* LISTEN 1641/slapd [root@centos]#
Next, let's configure our Open LDAP installation.
Make sure our system ldap user has been created.
[root@localhost]# id ldap uid=55(ldap) gid=55(ldap) groups=55(ldap) [root@localhost]#
Generate our LDAP credentials.
[root@localhost]# slappasswd New password: Re-enter new password: {SSHA}20RSyjVv6S6r43DFPeJgASDLlLoSU8g.a10 [root@localhost]#
We need to save the output from slappasswd.
Step 1 − Configure LDAP for domain and add administrative user.
First, we want to set up our openLDAP environment. Following is a template to use with the ldapmodify command.
dn: olcDatabase={2}hdb,cn=config changetype: modify replace: olcSuffix olcSuffix: dc=vmnet,dc=local dn: olcDatabase = {2}hdb,cn=config changetype: modify replace: olcRootDN olcRootDN: cn=ldapadm,dc=vmnet,dc=local dn: olcDatabase = {2}hdb,cn=config changetype: modify replace: olcRootPW olcRootPW: <output from slap
Make changes to: /etc/openldap/slapd.d/cn=config/olcDatabase = {1}monitor.ldif with the ldapmodify command.
[root@localhost]# ldapmodify -Y EXTERNAL -H ldapi:/// -f /home/rdc/Documents/db.ldif SASL/EXTERNAL authentication started SASL username: gidNumber = 0+uidNumber = 0,cn=peercred,cn=external,cn=auth SASL SSF: 0 modifying entry "olcDatabase = {2}hdb,cn=config" modifying entry "olcDatabase = {2}hdb,cn=config" modifying entry "olcDatabase = {2}hdb,cn=config" [root@localhost cn=config]#
Let's check the modified LDAP configuration.
root@linux1 ~]# vi /etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif [root@centos]# cat /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}hdb.ldif # AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify. # CRC32 a163f14c dn: olcDatabase = {2}hdb objectClass: olcDatabaseConfig objectClass: olcHdbConfig olcDatabase: {2}hdb olcDbDirectory: /var/lib/ldap olcDbIndex: objectClass eq,pres olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub structuralObjectClass: olcHdbConfig entryUUID: 1bd9aa2a-8516-1036-934b-f7eac1189139 creatorsName: cn=config createTimestamp: 20170212022422Z olcSuffix: dc=vmnet,dc=local olcRootDN: cn=ldapadm,dc=vmnet,dc=local olcRootPW:: e1NTSEF1bUVyb1VzZTRjc2dkYVdGaDY0T0k = entryCSN: 20170215204423.726622Z#000000#000#000000 modifiersName: gidNumber = 0+uidNumber = 0,cn=peercred,cn=external,cn=auth modifyTimestamp: 20170215204423Z [root@centos]#
As you can see, our LDAP enterprise modifications were successful.
Next, we want to create an self-signed ssl certificate for OpenLDAP. This will secure the communication between the enterprise server and clients.
Step 2 − Create a self-signed certificate for OpenLDAP.
We will use openssl to create a self-signed ssl certificate. Go to the next chapter, Create LDAP SSL Certificate with openssl for instructions to secure communications with OpenLDAP. Then when ssl certificates are configured, we will have completed our OpenLDAP enterprise configuration.
Step 3 − Configure OpenLDAP to use secure communications with certificate.
Create a certs.ldif file in vim with the following information −
dn: cn=config changetype: modify replace: olcTLSCertificateFile olcTLSCertificateFile: /etc/openldap/certs/yourGeneratedCertFile.pem dn: cn=config changetype: modify replace: olcTLSCertificateKeyFile olcTLSCertificateKeyFile: /etc/openldap/certs/youGeneratedKeyFile.pem
Next, again, use the ldapmodify command to merge the changes into the OpenLDAP configuration.
[root@centos rdc]# ldapmodify -Y EXTERNAL -H ldapi:/// -f certs.ldif SASL/EXTERNAL authentication started SASL username: gidNumber = 0+uidNumber = 0,cn=peercred,cn=external,cn=auth SASL SSF: 0 modifying entry "cn=config" [root@centos]#
Finally, let's test our OpenLADP configuration.
[root@centos]# slaptest -u config file testing succeeded [root@centos]#
Step 4 − Set up slapd database.
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG && chown ldap:ldap /var/lib/ldap/*
Updates the OpenLDAP Schema.
Add the cosine and nis LDAP schemas.
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
Finally, create the enterprise schema and add it to the current OpenLDAP configuration.
Following is for a domain called vmnet.local with an LDAP Admin called ldapadm.
dn: dc=vmnet,dc=local dc: vmnet objectClass: top objectClass: domain dn: cn=ldapadm ,dc=vmnet,dc=local objectClass: organizationalRole cn: ldapadm description: LDAP Manager dn: ou = People,dc=vmnet,dc=local objectClass: organizationalUnit ou: People dn: ou = Group,dc=vmnet,dc=local objectClass: organizationalUnit ou: Group
Finally, import this into the current OpenLDAP schema.
[root@centos]# ldapadd -x -W -D "cn=ldapadm,dc=vmnet,dc=local" -f ./base.ldif Enter LDAP Password: adding new entry "dc=vmnet,dc=local" adding new entry "cn=ldapadm ,dc=vmnet,dc=local" adding new entry "ou=People,dc=vmnet,dc=local" adding new entry "ou=Group,dc=vmnet,dc=local" [root@centos]#
Step 5 − Set up an OpenLDAP Enterprise Users.
Open vim or your favorite text editor and copy the following format. This is setup for a user named "entacct" on the "vmnet.local" LDAP domain.
dn: uid=entacct,ou=People,dc=vmnet,dc=local objectClass: top objectClass: account objectClass: posixAccount objectClass: shadowAccount cn: entacct uid: entacct uidNumber: 9999 gidNumber: 100 homeDirectory: /home/enyacct loginShell: /bin/bash gecos: Enterprise User Account 001 userPassword: {crypt}x shadowLastChange: 17058 shadowMin: 0 shadowMax: 99999 shadowWarning: 7
Now import the above files, as saved, into the OpenLdap Schema.
[root@centos]# ldapadd -x -W -D "cn=ldapadm,dc=vmnet,dc=local" -f entuser.ldif Enter LDAP Password: adding new entry "uid=entacct,ou=People,dc=vmnet,dc=local" [root@centos]#
Before the users can access the LDAP Enterprise, we need to assign a password as follows −
ldappasswd -s password123 -W -D "cn=ldapadm,dc=entacct,dc=local" -x "uid=entacct ,ou=People,dc=vmnet,dc=local"
-s specifies the password for the user
-x is the username to which password updated is applied
-D is the *distinguished name" to authenticate against LDAP schema.
Finally, before logging into the Enterprise account, let's check our OpenLDAP entry.
[root@centos rdc]# ldapsearch -x cn=entacct -b dc=vmnet,dc=local # extended LDIF # # LDAPv3 # base <dc=vmnet,dc=local> with scope subtree # filter: cn=entacct # requesting: ALL # # entacct, People, vmnet.local dn: uid=entacct,ou=People,dc=vmnet,dc=local objectClass: top objectClass: account objectClass: posixAccount objectClass: shadowAccount cn: entacct uid: entacct uidNumber: 9999 gidNumber: 100 homeDirectory: /home/enyacct loginShell: /bin/bash gecos: Enterprise User Account 001 userPassword:: e2NyeXB0fXg= shadowLastChange: 17058 shadowMin: 0 shadowMax: 99999 shadowWarning: 7
Converting things like /etc/passwd and /etc/groups to OpenLDAP authentication requires the use of migration tools. These are included in the migrationtools package. Then, installed into /usr/share/migrationtools.
[root@centos openldap-servers]# ls -l /usr/share/migrationtools/ total 128 -rwxr-xr-x. 1 root root 2652 Jun 9 2014 migrate_aliases.pl -rwxr-xr-x. 1 root root 2950 Jun 9 2014 migrate_all_netinfo_offline.sh -rwxr-xr-x. 1 root root 2946 Jun 9 2014 migrate_all_netinfo_online.sh -rwxr-xr-x. 1 root root 3011 Jun 9 2014 migrate_all_nis_offline.sh -rwxr-xr-x. 1 root root 3006 Jun 9 2014 migrate_all_nis_online.sh -rwxr-xr-x. 1 root root 3164 Jun 9 2014 migrate_all_nisplus_offline.sh -rwxr-xr-x. 1 root root 3146 Jun 9 2014 migrate_all_nisplus_online.sh -rwxr-xr-x. 1 root root 5267 Jun 9 2014 migrate_all_offline.sh -rwxr-xr-x. 1 root root 7468 Jun 9 2014 migrate_all_online.sh -rwxr-xr-x. 1 root root 3278 Jun 9 2014 migrate_automount.pl -rwxr-xr-x. 1 root root 2608 Jun 9 2014 migrate_base.pl
Step 6 − Finally, we need to allow access to the slapd service so it can service requests.
firewall-cmd --permanent --add-service=ldap firewall-cmd --reload
Configuring LDAP client access requires the following packages on the client: openldap, open-ldap clients, and nss_ldap.
Configuring LDAP authentication for client systems is a bit easier.
Step 1 − Install dependent packeges −
# yum install -y openldap-clients nss-pam-ldapd
Step 2 − Configure LDAP authentication with authconfig.
authconfig --enableldap --enableldapauth --ldapserver=10.25.0.1 -- ldapbasedn="dc=vmnet,dc=local" --enablemkhomedir --update
Step 3 − Restart nslcd service.
systemctl restart nslcd