March 13, 2014

Using OpenLDAP as Authentication Directory Service in RHEL 6

Installing OpenLDAP

$ yum install -y openldap openldap-clients openldap-servers

Configure OpenLDAP

Set the directory suffix (olcSuffix) and the DN of the LDAP superuser (olcRootDN) in the database definition under /etc/openldap/slapd.d. After editing, the file should show:

$ egrep "Suffix|Root" /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}bdb.ldif
olcSuffix: dc=example,dc=com
olcRootDN: cn=admin,dc=example,dc=com

Set a password for the LDAP superuser. Generate a salted SHA-1 hash with slappasswd; the password itself must never be written into the configuration.

$ slappasswd 
New password: <redhat>
Re-enter new password: <redhat>
{SSHA}VG9HSAjxn19Qb3+gveyC2H5DlFRMIACD

Add the hash to the same file as olcRootPW. The hash is salted, so every run of slappasswd prints a different value for the same password (the one below came from a separate run); paste whichever one slappasswd gave you. slapd reads slapd.d only when it starts, so make these edits before starting it, or apply them with ldapmodify against cn=config once it is running.

$ grep olcRootPW /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}bdb.ldif
olcRootPW: {SSHA}0aIvJ8mtnCYGqDc5YhW2C9rRLJwWv/HX
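The same three settings applied to a running slapd through cn=config instead of by hand-editing the file, as an added example (not code from the original post). It assumes the RHEL 6 default ACL that lets root manage cn=config over ldapi:/// with SASL EXTERNAL; the function names and the refusal of an unhashed olcRootPW are mine.

```shell
#!/bin/sh
# Added example, not from the original post: set olcSuffix, olcRootDN and
# olcRootPW on the {2}bdb backend through cn=config. Hand edits under
# /etc/openldap/slapd.d are only read at the next slapd start and trip the
# checksum warning slapd keeps on those files; ldapmodify takes effect at
# once. Assumes RHEL 6 defaults: root may manage cn=config over ldapi:///.

# db_config_ldif SUFFIX ROOTDN HASH: print one LDIF modify record.
# Only a hashed value ({SSHA}, {CRYPT}, ...) is accepted, so a cleartext
# root password never ends up in the config database.
db_config_ldif() {
    suffix="$1"; rootdn="$2"; hash="$3"
    case "$hash" in
        '{'[A-Za-z0-9]*'}'*) ;;
        *) echo "db_config_ldif: refusing unhashed olcRootPW" >&2; return 1 ;;
    esac
    [ -n "$suffix" ] && [ -n "$rootdn" ] || return 1
    printf 'dn: olcDatabase={2}bdb,cn=config\nchangetype: modify\n'
    printf 'replace: olcSuffix\nolcSuffix: %s\n-\n' "$suffix"
    printf 'replace: olcRootDN\nolcRootDN: %s\n-\n' "$rootdn"
    printf 'replace: olcRootPW\nolcRootPW: %s\n' "$hash"
}

# set_db_config SUFFIX ROOTDN: prompt for the password on the tty, hash it
# with slappasswd, and push the record into the running slapd.
set_db_config() {
    hash=$(slappasswd -h '{SSHA}') || return 1
    db_config_ldif "$1" "$2" "$hash" | ldapmodify -Y EXTERNAL -H ldapi:///
}

# Example (assumed values from this page):
#   set_db_config 'dc=example,dc=com' 'cn=admin,dc=example,dc=com'
```

Run set_db_config as root on the server; ldapi:/// needs no password because slapd identifies the caller by its uid over the Unix socket.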

Create the Base Entries

The schema itself ships with openldap-servers; what the new directory lacks is the top of the tree. Start slapd, then create a text file /root/example.com.ldif with the root entry, the admin entry, and the containers for users and groups:

$ service slapd start

# Root entry
dn: dc=example,dc=com
objectclass: dcObject
objectclass: organization
o: Example Company
dc: example

# Admin DN
dn: cn=admin,dc=example,dc=com
objectclass: organizationalRole
cn: admin

# Base DN for users
dn: ou=users,dc=example,dc=com
changetype: add
objectclass: top
objectclass: organizationalUnit
ou: users

# Base DN for groups
dn: ou=groups,dc=example,dc=com
changetype: add
objectclass: top
objectclass: organizationalUnit
ou: groups

Add the entries with ldapadd, binding as the rootdn:

$ ldapadd -x -D "cn=admin,dc=example,dc=com" -W -f /root/example.com.ldif 
Enter LDAP Password: <redhat>
adding new entry "dc=example,dc=com"

adding new entry "cn=admin,dc=example,dc=com"

adding new entry "ou=users,dc=example,dc=com"

adding new entry "ou=groups,dc=example,dc=com"

Verify with an anonymous search of the whole tree (the default access rules allow it):

$ ldapsearch -x -b 'dc=example,dc=com'

Add a User and a Group to OpenLDAP

Create the account entry. The value {crypt}!! in userPassword is a locked password, the same convention /etc/shadow uses, so the user cannot log in until a real password is set with ldappasswd. The shadow* attributes count days since the epoch: as written, shadowExpire: 15770 is a day in March 2013, earlier than shadowLastChange: 16128, so any client that enforces shadow expiry will treat this account as already expired. Drop the attribute or move it into the future.

# cat student.passwd.ldif
dn: uid=student,ou=users,dc=example,dc=com
uid: student
cn: student
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}!!
shadowLastChange: 16128
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
shadowExpire: 15770
loginShell: /bin/bash
uidNumber: 501
gidNumber: 501
homeDirectory: /home/student

$ ldapadd -x -D "cn=admin,dc=example,dc=com" -W -f student.passwd.ldif 
Enter LDAP Password: 
adding new entry "uid=student,ou=users,dc=example,dc=com"

Create the matching primary group. A posixGroup needs no userPassword; the {crypt}x line is harmless but carries no meaning.

# cat student.group.ldif 
dn: cn=student,ou=groups,dc=example,dc=com
objectClass: posixGroup
objectClass: top
cn: student
userPassword: {crypt}x
gidNumber: 501

$ ldapadd -x -D "cn=admin,dc=example,dc=com" -W -f student.group.ldif 
Enter LDAP Password: 
adding new entry "cn=student,ou=groups,dc=example,dc=com"
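The user-plus-group step as a reusable script, added here as an example and not code from the original post. It generates both LDIF records from a user name and id, computes shadowLastChange from today's date, leaves shadowExpire out, and validates its inputs so that a stray argument cannot inject extra LDIF lines. BASE, ADMIN and the id floor of 1000 are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: build and load a posixAccount
# and its matching posixGroup. Unlike the hand-written LDIF above it
# derives shadowLastChange from today, omits shadowExpire (15770 is a day
# in 2013, so that account counts as expired wherever shadow fields are
# enforced) and gives the group no meaningless userPassword.
# BASE, ADMIN and UID_MIN are assumptions for this example.

BASE="dc=example,dc=com"
ADMIN="cn=admin,${BASE}"
UID_MIN=1000   # keep directory ids clear of local accounts (RHEL 6 starts local users at 500)

days_since_epoch() { echo $(( $(date +%s) / 86400 )); }

# Only plain POSIX user names and numeric ids >= UID_MIN are accepted, so a
# caller cannot smuggle a newline or a second "dn:" in through the arguments.
valid_name() { case "$1" in ""|[!a-z_]*|*[!a-z0-9_-]*) return 1 ;; esac; }
valid_id()   { case "$1" in ""|*[!0-9]*) return 1 ;; esac; [ "$1" -ge "$UID_MIN" ]; }

# user_ldif NAME UIDNUMBER [HASH]: print the account entry. Without HASH the
# account is locked ({crypt}!!) until ldappasswd sets one, as on the page.
# HASH must be a slappasswd-style value such as {SSHA}...; cleartext is refused.
user_ldif() {
    name="$1"; num="$2"; hash="${3:-}"
    valid_name "$name" && valid_id "$num" || return 1
    [ -n "$hash" ] || hash='{crypt}!!'
    case "$hash" in '{'[A-Za-z0-9]*'}'*) ;; *) return 1 ;; esac
    printf 'dn: uid=%s,ou=users,%s\n' "$name" "$BASE"
    printf 'objectClass: top\nobjectClass: account\nobjectClass: posixAccount\nobjectClass: shadowAccount\n'
    printf 'uid: %s\ncn: %s\n' "$name" "$name"
    printf 'userPassword: %s\n' "$hash"
    printf 'shadowLastChange: %s\nshadowMin: 0\nshadowMax: 99999\nshadowWarning: 7\n' "$(days_since_epoch)"
    printf 'loginShell: /bin/bash\nuidNumber: %s\ngidNumber: %s\nhomeDirectory: /home/%s\n' "$num" "$num" "$name"
}

# group_ldif NAME GIDNUMBER: print the primary group entry.
group_ldif() {
    name="$1"; num="$2"
    valid_name "$name" && valid_id "$num" || return 1
    printf 'dn: cn=%s,ou=groups,%s\nobjectClass: top\nobjectClass: posixGroup\ncn: %s\ngidNumber: %s\n' \
        "$name" "$BASE" "$name" "$num"
}

# add_user NAME IDNUMBER [HASH]: load both records in one ldapadd run;
# the blank line separates the two LDIF records.
add_user() {
    { user_ldif "$1" "$2" "${3:-}" && echo && group_ldif "$1" "$2"; } \
        | ldapadd -x -D "$ADMIN" -W
}

# Example: add_user student 1001 "$(slappasswd -h '{SSHA}')"
```

Run add_user on the server (or anywhere with network access to it); ldapadd prompts for the rootdn password on the terminal, so piping the LDIF through stdin does not interfere with it.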

Configure Client Authentication through LDAP

Install the client pieces on the machine that should authenticate against the directory. authconfig drives sssd when it is installed (that is what starts below); nss-pam-ldapd is the older alternative.

$ yum install -y openldap-clients sssd

You can configure this graphically with system-config-authentication, or with the command line tool authconfig:

$ authconfig --enableldap --enableldapauth --ldapserver=192.168.122.10 --ldapbasedn="dc=example,dc=com" --disableldaptls --update
Starting sssd:                                             [  OK  ]

Note what --disableldaptls means: sssd talks to port 389 in the clear, so every user's password crosses the network unencrypted at each login. That is acceptable only in a lab. For anything else, give slapd a certificate and run authconfig with --enableldaptls and --ldaploadcacert pointing at the CA certificate instead.
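A check for the cleartext client configuration that --disableldaptls leaves behind, added here as an example (not part of the original post). It reads the [domain/default] section of sssd.conf and fails unless binds are protected by ldaps://, StartTLS or the local ldapi:// socket, and unless certificate verification is left on. The two configuration files are constructed for this example, modelled on what authconfig writes; the server name and CA path in the fixed one are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: audit /etc/sssd/sssd.conf for
# the setup --disableldaptls produces. With a plain ldap:// URI and
# ldap_id_use_start_tls off, every simple bind (every user's password)
# crosses the network unencrypted. The files below are constructed for this
# example; the host name and CA path in the fixed one are assumptions.

TMP=$(mktemp -d) || exit 1
trap 'rm -rf "$TMP"' EXIT

WEAK_CONF="$TMP/sssd.weak.conf"     # what the authconfig line above yields
cat > "$WEAK_CONF" <<'EOF'
[sssd]
config_file_version = 2
services = nss, pam
domains = default

[domain/default]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://192.168.122.10/
ldap_search_base = dc=example,dc=com
ldap_id_use_start_tls = False
cache_credentials = True
EOF

FIXED_CONF="$TMP/sssd.fixed.conf"   # StartTLS on, CA pinned, cert verified
cat > "$FIXED_CONF" <<'EOF'
[sssd]
config_file_version = 2
services = nss, pam
domains = default

[domain/default]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.example.com/
ldap_search_base = dc=example,dc=com
ldap_id_use_start_tls = True
ldap_tls_cacert = /etc/openldap/cacerts/cacert.pem
ldap_tls_reqcert = demand
cache_credentials = True
EOF

# sssd_get FILE KEY: value of KEY in [domain/default]; empty when unset.
sssd_get() {
    awk -v key="$2" '
        /^\[/ { insect = ($0 == "[domain/default]"); next }
        insect && index($0, "=") {
            k = $0; sub(/[ \t]*=.*$/, "", k)
            if (k == key) {
                v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
                print v; exit
            }
        }
    ' "$1"
}

# check_sssd_tls FILE: 0 when binds are encrypted and the server certificate
# is verified, 1 with a reason on stderr otherwise. A comma-separated
# ldap_uri list is judged by its first entry.
check_sssd_tls() {
    uri=$(sssd_get "$1" ldap_uri)
    starttls=$(sssd_get "$1" ldap_id_use_start_tls | tr 'A-Z' 'a-z')
    reqcert=$(sssd_get "$1" ldap_tls_reqcert | tr 'A-Z' 'a-z')
    case "$uri" in
        "")        echo "FAIL: no ldap_uri" >&2; return 1 ;;
        ldaps://*) ;;                       # TLS from the first byte
        ldapi://*) return 0 ;;              # Unix socket, nothing on the wire
        ldap://*)
            if [ "$starttls" != "true" ]; then
                echo "FAIL: $uri without StartTLS, binds are cleartext" >&2
                return 1
            fi ;;
        *)         echo "FAIL: unexpected ldap_uri $uri" >&2; return 1 ;;
    esac
    # sssd defaults ldap_tls_reqcert to hard; never/allow switch verification off
    case "$reqcert" in
        never|allow)
            echo "FAIL: ldap_tls_reqcert = $reqcert skips certificate checks" >&2
            return 1 ;;
    esac
    return 0
}

check_sssd_tls "$WEAK_CONF"  || echo "weak config rejected"
check_sssd_tls "$FIXED_CONF" && echo "fixed config accepted"
```

Point check_sssd_tls at /etc/sssd/sssd.conf on a client to see which state it is in; on the lab client configured above it reports the cleartext bind.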

Test

Resolve the user through NSS. The * in the password field is expected: sssd never hands out password hashes. This only proves lookups work; to test authentication itself, set a password for the account with ldappasswd (binding as the rootdn, since the entry was created locked) and then log in as student, for example with su.

$ getent passwd student
student:*:501:501:student:/home/student:/bin/bash
