= NAD810 LDAP LAB =
Revision of 16:24, 16 November 2016 (849 bytes added), edit summary: "e. verify the contents of ldif.ldapuser"
The OpenLDAP software package is an Open Source and Free implementation of the Lightweight Directory Access Protocol (LDAP). It is gaining wide acceptance as the directory access method of the Internet and also with corporate intranets.
In this lab, the instructions are for setting up and configuring an LDAP server with the base context "dc=nad810,dc=com". Replace this with your own base context. After setting up the OpenLDAP server, you need to configure the LDAP clients to use the user account information stored in the LDAP server to perform user authentication on the client machine. You can use the OpenLDAP client/server to replace your NIS client/server for network user authentication.
<b>Notes: OpenLDAP uses TCP port 389 for regular communication and port 636 for encrypted transactions.</b> You need to have these ports opened on your firewall.
* openldap-servers
* nss_ldap
* migrationtools (for Fedora 10)
Sample nsswitch configuration file for LDAP: /usr/share/doc/nss_ldap-220/nsswitch_ldap
===OpenLDAP Server configuration Summary===
#Create an OpenLDAP database
#Create an OpenLDAP “root” password and edit the OpenLDAP database configuration file /etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif
#Start the OpenLDAP server daemon slapd.service
#Create a base LDIF file for importing to the OpenLDAP database
#Create a user account LDIF file for importing to the OpenLDAP database
#Import the LDIF files into the OpenLDAP database
====OpenLDAP Server configuration details:====
===(1) Create/verify the directory for OpenLDAP database files===
<pre>
mkdir /var/lib/ldap/
chown ldap.ldap /var/lib/ldap
chmod 700 /var/lib/ldap
</pre>
The directory listing of /var/lib/ldap should be:
<pre>
[root@localhost cn=config]# ls -ldZ /var/lib/ldap
drwx------. ldap ldap system_u:object_r:slapd_db_t:s0 /var/lib/ldap
</pre>
===(2) Configure base context and root user "olcRootDN" and "olcRootPW"===
Configure the OpenLDAP “root” user and password by editing the OpenLDAP server's database configuration file “/etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif”. Only the LDAP “rootdn” user can create, import, and export data in an LDAP database. You can use the slappasswd command to create the password and put it in the LDAP server database configuration file mentioned above:
<pre>
slappasswd
New password: [nad810secret]
Re-enter new password: [nad810secret]
{SSHA}3NVLOWwqIMka3OyIYLyGrrkirD0pU0QxFavfvViq/edEw8x4TV6y7w1L2llXzZzz <-- Copy this to the olcDatabase={2}hdb.ldif file
</pre>
Add/Modify the olcDatabase={2}hdb.ldif file to have the following:
<pre>
olcSuffix: dc=nad810,dc=com
olcRootDN: cn=Manager,dc=nad810,dc=com
olcRootPW: {SSHA}3NVLOWwqIMka3OyIYLyGrrkirD0pU0QxFavfvViq/edEw8x4TV6y7w1L2llXzZzz
</pre>
Do not change other lines.
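The value slappasswd prints is a salted SHA-1 hash: base64 of SHA-1(password + salt) followed by the salt bytes. The following added example (not part of the lab page or of OpenLDAP) reproduces that format so you can confirm that the olcRootPW line you pasted really matches the password you intend to type at the ldapadd prompt. The 4-byte salt length in make_ssha is an assumption chosen for the example; check_ssha takes the salt length from the decoded value, so it verifies slappasswd output of any salt length.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed example: make_ssha() builds an {SSHA} value the way slappasswd does
# (base64 of SHA-1(password + salt) followed by the salt) and check_ssha() verifies
# a candidate password against a stored value. The 4-byte salt length is an
# assumption for this example; the verifier relies only on SHA-1's 20-byte digest.


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Return a {SSHA} string suitable for olcRootPW or userPassword."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def check_ssha(password: str, stored: str) -> bool:
    """True if password matches stored, an {SSHA} value with any salt length."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is always 20 bytes
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


def root_pw_from_ldif(text: str) -> Optional[str]:
    """Pull the olcRootPW value out of olcDatabase={2}hdb.ldif-style text."""
    for line in text.splitlines():
        if line.startswith("olcRootPW:"):
            return line.split(":", 1)[1].strip()
    return None


if __name__ == "__main__":
    # Constructed config fragment mirroring the lab's olcDatabase entry.
    sample = "olcSuffix: dc=nad810,dc=com\nolcRootDN: cn=Manager,dc=nad810,dc=com\n"
    sample += "olcRootPW: " + make_ssha("nad810secret") + "\n"
    stored = root_pw_from_ldif(sample)
    print("rootpw verifies:", check_ssha("nad810secret", stored))   # True
    print("wrong password :", check_ssha("guess", stored))          # False
```

Run it against the real file with `root_pw_from_ldif(open("/etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif").read())` as root; a False result usually means a truncated or line-wrapped paste of the hash.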
===(3) Start the OpenLDAP server daemon slapd.service===
<pre>
systemctl start slapd.service
</pre>
To verify that the OpenLDAP server daemon is running and working, try the following query command:
<pre>
ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
</pre>
You should get something similar to the following:
<pre>
# extended LDIF
#
# numResponses: 2
# numEntries: 1
</pre>
===(4) Create LDIF files for importing to the OpenLDAP database===
====Create a base context LDIF file for the nad810.com domain====
Create a file called "ldif.base" with the following lines:
<pre>
dn: dc=nad810,dc=com
dc: nad810
objectClass: dcObject
objectClass: organization
o: nad810

dn: ou=People,dc=nad810,dc=com
ou: People
objectClass: organizationalUnit
</pre>
(Make sure that you have a blank line before the 2nd "dn:" line. The objectClass, o: and ou=People lines are the standard minimum for these two entries; the user entry created below is placed under ou=People.)
====a. add a user called “ldapuser”====
<pre>
useradd -g users ldapuser
passwd ldapuser
</pre>
 
====b. extract the passwd entry for ldapuser====
Run the following command to extract the passwd entry for ldapuser from /etc/passwd into a file called "entry.ldapuser" in your current working directory:
<pre>
grep ldapuser /etc/passwd > entry.ldapuser
</pre>
====c. Convert the passwd entry to LDIF format====
Modify the migration tools configuration file to use our base context "dc=nad810,dc=com".
Back up the file /usr/share/migrationtools/migrate_common.ph and edit:
Line 71: $DEFAULT_MAIL_DOMAIN = "padl.com"; to "nad810.com"
Line 74: $DEFAULT_BASE = "dc=padl,dc=com"; to "dc=nad810,dc=com"
Line 90: $EXTENDED_SCHEMA = 0; to 1
====d. convert the entry for "ldapuser" to LDIF format (ldif.ldapuser)====
<pre>
/usr/share/openldap/migration/migrate_passwd.pl entry.ldapuser ldif.ldapuser
</pre>
(For Fedora 10, the script is /usr/share/migrationtools/migrate_passwd.pl.)
====e. verify the contents of ldif.ldapuser====
<pre>
[root@localhost ~]# cat ldif.ldapuser
dn: uid=ldapuser,ou=People,dc=nad810,dc=com
uid: ldapuser
cn: ldapuser
sn: ldapuser
mail: ldapuser@nad810.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$6$3/pjdd7S$9JiLgnXtnnO5y0ZTUXYW9mQXCA/ShjaxzjPUu3MhthGPkwQlmqIimGl8YQl3kLb4a15c81uGZ4vsXoBPFJbGl.
shadowLastChange: 16769
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1001
gidNumber: 100
homeDirectory: /home/ldapuser
</pre>
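Before running ldapadd it is worth checking the converted file mechanically rather than by eye: every dn must end in the lab's base context (the migration tools default to dc=padl,dc=com until migrate_common.ph is edited), entries are separated by a blank line, the posixAccount attributes must all be present, and userPassword should hold a real hash rather than the "{crypt}!!" that appears when passwd was never run. The added example below (written for this edit, not part of the lab page or of the migration tools) parses LDIF and reports those problems; the sample entries and the hash in them are constructed, and the rebase() helper performs the dc=padl to dc=nad810 substitution the lab asks you to do by hand.

```python
import base64
from typing import Dict, List

BASE_DN = "dc=nad810,dc=com"   # the lab's base context
PADL_DN = "dc=padl,dc=com"     # default suffix hard-wired in the migration tools
REQUIRED = ("objectClass", "uid", "uidNumber", "gidNumber", "homeDirectory")

# Constructed sample, not output copied from a real host: the first entry still
# carries the migration tools' padl.com suffix and an unset password, the second
# is already correct.
SAMPLE_LDIF = """\
dn: uid=ldapuser,ou=People,dc=padl,dc=com
uid: ldapuser
cn: ldapuser
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}!!
loginShell: /bin/bash
uidNumber: 1001
gidNumber: 100
homeDirectory: /home/ldapuser

dn: uid=other,ou=People,dc=nad810,dc=com
uid: other
objectClass: posixAccount
objectClass: shadowAccount
userPassword: {crypt}$6$constructedsalt$constructedhashvalue
uidNumber: 1002
gidNumber: 100
homeDirectory: /home/other
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Split LDIF into entries on blank lines; repeated attributes (objectClass) keep order."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    last_key = None
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():                    # blank line ends the entry
            if current:
                entries.append(current)
            current, last_key = {}, None
            continue
        if line.startswith(" ") and last_key:   # folded continuation of the previous value
            current[last_key][-1] += line[1:]
            continue
        key, _, value = line.partition(":")
        if value.startswith(":"):               # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(key, []).append(value)
        last_key = key
    if current:
        entries.append(current)
    return entries


def check_entry(entry: Dict[str, List[str]], base: str = BASE_DN) -> List[str]:
    """Return the problems that would make ldapadd fail or leave a weak account."""
    problems = []
    dn = entry.get("dn", [""])[0]
    if not dn.lower().endswith(base.lower()):
        problems.append(f"dn not under {base} (fix $DEFAULT_BASE in migrate_common.ph)")
    for attr in REQUIRED:
        if attr not in entry:
            problems.append(f"missing {attr}")
    pw = entry.get("userPassword", [""])[0]
    if pw in ("", "{crypt}!!", "{crypt}*", "{crypt}x"):
        problems.append("userPassword is unset or locked (run passwd before migrating)")
    if entry.get("uidNumber") == ["0"]:
        problems.append("uidNumber 0: keep root local rather than serving it from LDAP")
    return problems


def check_ldif(text: str) -> Dict[str, List[str]]:
    """Map each entry's dn to its list of problems (empty list means clean)."""
    return {e.get("dn", [""])[0]: check_entry(e) for e in parse_ldif(text)}


def rebase(text: str, old: str = PADL_DN, new: str = BASE_DN) -> str:
    """Step e of the lab: replace the migration tools' default suffix with ours."""
    return text.replace(old, new)


if __name__ == "__main__":
    for dn, problems in check_ldif(rebase(SAMPLE_LDIF)).items():
        print(dn, "->", problems or "ok")
```

To check your own file, replace SAMPLE_LDIF with `open("ldif.ldapuser").read()`; an entry that comes back with an empty list is ready for step (5).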
 
===(5) Import LDIF files into the OpenLDAP database===
 
<pre>
ldapadd -x -D 'cn=Manager,dc=nad810,dc=com' -W -f /etc/openldap/ldif.base
ldapadd -x -D 'cn=Manager,dc=nad810,dc=com' -W -f /etc/openldap/ldif.ldapuser
</pre>
To test the OpenLDAP database:
<pre>
ldapsearch -x -b 'dc=nad810,dc=com' '(objectclass=*)'
</pre>
 
===(6) Use the sample database configuration file===
<pre>
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
systemctl restart slapd.service
</pre>
==Part 2 - Setup and configure OpenLDAP Client==
====Edit the client configuration file /etc/ldap.conf====
#Find the line starting with the word "'''host'''" and set the IP address to the appropriate value: use 127.0.0.1 if the OpenLDAP server is running on your own machine, otherwise set it to the IP address of the OpenLDAP server.
#Find the line starting with the word "'''base'''" and set the context to your base directory. For the purpose of this lab, set it to: base dc=nad810,dc=com
#Find the line starting with "'''uri ldap://'''": if your client is the same machine as your server, leave 127.0.0.1, otherwise set it to the IP of the OpenLDAP server.
Note: The lines "'''base'''" and "'''uri ldap://'''" should be set in the '''/etc/openldap/ldap.conf''' file as well.
====Edit the name service switch configuration file /etc/nsswitch.conf====
Enable LDAP for user authentication.
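The client side has three settings that must agree with the server (host/uri, base, and the ldap source in nsswitch.conf), and a mistake in any one of them shows up only as "user not found" at login. The following added example (written for this edit, not part of the lab page or of nss_ldap) parses ldap.conf-style and nsswitch.conf-style text and reports mismatches against the lab's base context. It also flags the case the notes at the top of the page imply: a plain ldap:// uri to a server other than the local machine sends simple binds unencrypted on port 389, where ldaps:// on port 636 is the encrypted alternative. Both sample files are constructed for the example.

```python
from typing import Dict, List

EXPECTED_BASE = "dc=nad810,dc=com"
LOOPBACK = ("127.0.0.1", "localhost")

# Constructed sample files, not copies of any real host's configuration.
SAMPLE_LDAP_CONF = """\
# /etc/ldap.conf -- nss_ldap client settings for the lab
host 127.0.0.1
base dc=nad810,dc=com
uri ldap://127.0.0.1/
ssl no
"""

SAMPLE_NSSWITCH = """\
passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files dns
"""


def parse_ldap_conf(text: str) -> Dict[str, str]:
    """ldap.conf is 'keyword value' per line, keywords case-insensitive, '#' comments."""
    conf: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def parse_nsswitch(text: str) -> Dict[str, List[str]]:
    """nsswitch.conf is 'database: source source ...'."""
    switch: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        name, _, sources = line.partition(":")
        switch[name.strip()] = sources.split()
    return switch


def server_host(conf: Dict[str, str]) -> str:
    """Host the client will bind to: taken from uri if set, otherwise from host."""
    uri = conf.get("uri", "")
    if uri:
        return uri.split("//", 1)[-1].split("/", 1)[0].split(":")[0]
    return conf.get("host", "")


def check_client(ldap_conf: str, nsswitch: str, base: str = EXPECTED_BASE) -> List[str]:
    """Return a list of findings; an empty list means the client matches the lab setup."""
    problems = []
    conf = parse_ldap_conf(ldap_conf)
    if conf.get("base") != base:
        problems.append(f"base is {conf.get('base')!r}, expected {base!r}")
    host = server_host(conf)
    if not host:
        problems.append("neither uri nor host names the OpenLDAP server")
    uri = conf.get("uri", "")
    if uri.startswith("ldap://") and host not in LOOPBACK:
        problems.append(f"{uri} binds to a remote server in cleartext on port 389; "
                        "use ldaps:// (port 636) for a remote server")
    switch = parse_nsswitch(nsswitch)
    for db in ("passwd", "shadow", "group"):
        sources = switch.get(db, [])
        if "ldap" not in sources:
            problems.append(f"nsswitch {db}: ldap not enabled")
        elif sources[0] != "files":
            problems.append(f"nsswitch {db}: list files before ldap so local accounts "
                            "still resolve when the server is unreachable")
    return problems


if __name__ == "__main__":
    print(check_client(SAMPLE_LDAP_CONF, SAMPLE_NSSWITCH) or "client configuration matches the lab")
```

On a real client, pass `open("/etc/ldap.conf").read()` and `open("/etc/nsswitch.conf").read()` to check_client; the "files before ldap" check is there because the ordering decides whether root can still log in locally while the LDAP server is down.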
 
Alternatively, configure the LDAP client in text-mode GUI with:
<pre>
authconfig-tui
</pre>
====Test your OpenLDAP client with the ldapsearch command====
<pre>
ldapsearch -x 'uid=ldapuser'
</pre>
 
= To Complete the Lab =