LFCS – Creating OpenLDAP Server on CentOS 7

Jarret B

Well-Known Member
Staff member
Joined
May 22, 2017
Messages
340
Reaction score
367
Credits
11,754
Adding Lightweight Directory Access Protocol (LDAP) to a server is not required for the LFCS exam, but it does require you to authenticate users using LDAP. To be able to perform that function, you need LDAP on your test system.

You may not want to know how to do this procedure, but it never hurts to have an understanding of the process.

This process is not a simple one. I wouldn't say it is difficult, just a little detailed. Make sure you do not skip steps. In my next article, we will be using the LDAP server to authenticate users from other systems by the server. The users and groups will be centralized on a single server and not by each system. The process is what most people term 'logging into the network'.

What is LDAP

The type of LDAP used on Linux is the OpenLDAP type. The Protocol allows for a distributed database on a server or multiple servers. The database is optimized for reading, which includes searching. Writing data to the database is usually not a common occurrence.

In the case of a network, the database will contain user and group information. Adding users or groups is not something performed on a common basis.

OpenLDAP can be used to store other types of information in the database. Employee information such as phone number, address, etc. A list of Domain Name Service (DNS) names of websites or networked systems. Keep in mind that the database should not often be written to, only used mainly for reading.

In a network, the reason is for a central storage location for the ‘/etc/passwd’, the list of users, and '/etc/group', the database of groups. If a user is added to a group in a non-LDAP network, it only occurs on one machine. If a user changes their password on a single machine, then their old password remains on the other systems. By using LDAP, all settings, like these, are changed in one place but affect all systems.

LDAP Installation

The first thing we need to do is to set up the system with a Fully Qualified Domain Name (FQDN). An FQDN is just like a Domain Name, such as ‘Server1.Linux.Org’. In this case, our network is ‘Linux.Org’ while the specific system is ‘Server1’.

NOTE: For your system, use any FQDN you prefer that is valid.

To see your current Hostname, use the ‘hostname’ command. If you want to change the Hostname, use the command ‘hostnamectl set-hostname <new-name>’.

On your server, you need to use the command ‘ifconfig’ to determine your IP Address. The server will be named ‘server1’ with an IP Address of ‘192.168.56.103’.

Edit the ‘/etc/hosts’ file and add a line for your system. The entry for my ‘server1’ would be:

192.168.56.103 server1.linux.org server1

Reboot your system for the changes to take effect.

Now, if I use the command ‘hostname -f’ for the FQDN my response should be correct. I can also use the command ‘dnsdomainname’ to get a response of ‘linux.org’.

I can now ping my first system with ‘server1’, ‘server1.linux.org’ or ‘192.168.56.103’.

To install OpenLDAP for CentOS, use the command:

Code:
sudo yum install openldap openldap-clients openldap-servers migrationtools.noarch

The port is not automatically opened. To open Port 389, use the command: ‘firewall-cmd --permanent --add-service=ldap’.

Now that LDAP is installed, we can configure the service for use.

Configuring LDAP Service

At a command-line prompt, we will be copying an example to be used as a configuration file. Make sure you have Root permissions ('sudo su').

The command to copy the file is:

Code:
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

Be sure you do not keep the ‘.example’ suffix on the file. Execute the command ‘ls /var/lib/ldap’ and you should only see the ‘DB_CONFIG’ file that you just copied to the folder.

Databases need to be created to start using. To create the databases, run the command ‘slaptest’. An error should be generated, but when you run ‘ls /var/lib/ldap’ again, it should contain more files, which are the databases. The databases created should be:

alock
__db.001
__db.002
__db.003


Of course, the ‘DB_CONFIG’ file will be present as well. All of the files are owned by the user and group ‘root’, which you can see by running ‘ls -l /var/lib/ldap’. We need to change the user and group ownership to the user ‘ldap’ and the group ‘ldap’. You can see that the system user account was created with the command ‘cat /etc/passwd | grep ldap'. You can tell it is a system account since the UID number is below 1000. The group can be seen with the command 'cat /etc/group | grep ldap'.

So, to make the change you run the command:

Code:
chown ldap.ldap /var/lib/ldap/*

Now that the databases are owned by the 'ldap' user and group, the service can be started. To start the service and enable it to automatically start at system startup, perform the following:

Code:
systemctl start slapd
systemctl enable slapd

You can check the status of the service with the command 'systemctl status slapd'. It should say 'active' and 'running'. Keep in mind that the 'slapd' service is the OpenLDAP Server Daemon.

Now that the service is running with a basic configuration, it is time to configure the databases.

Configure LDAP Databases

For LDAP, you can use LDIF files to add information to the database about what information needs to be stored. We will set up the basic database entries for storing user information. There are two file sets that we will use ‘cosine.ldif’, ‘cosine.schema’, ‘nis.ldif’ and ‘nis.schema’.

NOTE: This is a basic LDAP set up just to let you add Users with personal information to allow you to perform adding Users to an LDAP database. If you need more information, please look at openldap.org. You can look around other places on the Internet as well. Getting in too deep is beyond the scope of the LDAP Certification.

To add the schema information to the OpenLDAP Database, you need to add the entries from the LDIF files to the database. Switch to the folder ‘/etc/openldap/schema’ and then use the commands:

Code:
ldapadd -Y EXTERNAL -H ldapi:/// -D “cn=config” -f cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D “cn=config” -f nis.ldif

Be sure to type in the command and not copy/paste it. The double-quotes are not the same in a Terminal and will give an error.

The ‘-Y’ is used to specify the file to use with the password. ‘EXTERNAL’ specifies that we are using the password associated with the current user (root). The ‘-H’ allows you to list the URI Address for LDAP, here we use the address ‘ldapi:///’. The parameter ‘-D’ is the Distinguished Name in which to place the added schema information. The final parameter, ‘-f’, lists the LDIF file to use to add to the database.

Switch to the Home folder, ‘cd ~’. Create a file named ‘start.ldif’ with the command ‘touch start.ldif’. Open and paste the following into the file:

Code:
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=linux,dc=org

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=manager,dc=linux,dc=org

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: <yourpasswordhash>

dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: 0

dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=linux,dc=org" read by * none

Make sure to go through the file and replace the FQDN of 'linux.org' to match the FQDN that you are using on your server.

There is a line that contains ‘<yourpasswordhash>’. We need to create a hash for the password that will be used for LDAP. In my example, I will use ‘Password1’. Change your password accordingly.

To create a hash file with the password, we will use the command:

Code:
slappasswd -s Password1 -n >> passwdhash

Go down to the line that states ‘olcRootPW: <yourpasswordhash>’ in the ‘vi’ editor, and remove ‘<yourpasswordhash>’. Place the cursor after the color :)) and press Escape, ‘r’, press space bar and then type the file name of the hash (passwdhash). Finally, press the Enter key and the hash should be imported to your cursor position. Save the file :)w) and quit the editor :)q), enter the commands after pressing the Escape key.

NOTE: Make sure the hash entry is on the same line as the ‘olcRootPW: ’.

Now, we need to use the 'start.ldif' file and create the needed entries in the LDAP Databases. We need the entries we used to modify the existing entries in the database. We will use the 'ldapmodify' command as follows:

Code:
ldapmodify -Y EXTERNAL -H ldapi:/// -f start.ldif

Create Database Structure

We need to create a file called 'form.ldif' and place the following into it:

Code:
dn: dc=linux,dc=org
dc: linux
objectClass: top
objectClass: domain

dn: ou=people,dc=linux,dc=org
ou: people
objectClass: top
objectClass: organizationalUnit

dn: ou=group,dc=linux,dc=org
ou: group
objectClass: top
objectClass: organizationalUnit

Now that the database is created, we need to set up the structure within the database to be used by LDAP.

Again, change the FQDN to match the one you chose. This is creating a basis for the database to be ‘linux’ with two sub-entries. One entry is ‘people and the other is ‘group’. We will be storing users and groups within the database for LDAP to use to manage system-wide accounts for users and groups.

To add the form we created, we use the command:

Code:
ldapadd -x -W -D “cn=Manager,dc=linux,dc=org” -f form.ldif

The '-x' is standard authentication. The '-W' will cause you to be prompted for the password, the one for which you made the hash (Password1). The '-D' is the directory structure in the database to which we are adding. The '-f' is the LDIF we are adding to the database.

At this point, the database is ready. We will test it a little next. If you have any severe issues that cause problems with the database, you may need to remove OpenLDAP and start over. Make sure everything is typed exactly as stated throughout the article. There is a section at the end for ‘Removing OpenLDAP’.

Create Test Users and Groups in LDAP

Hopefully, you made it to this point without any trouble. If not, I'm sorry. I mistyped something and messed up the database when creating it. I had to remove everything and start over.

Now, for some test Users and Groups.

Let’s make a Group first. We will create ‘testgroup’ in the organizational group called ‘group’. Create a file called ‘group.ldif’ in your Home folder and paste in the following:

Code:
dn: cn=testgroup,ou=group,dc=linux,dc=org
objectClass: posixGroup
cn: testgroup
gidNumber: 4000

Be sure to change your FQDN name as needed. You can change the ‘testgroup’ name as well. We will give the group a GID of 4000.

After you have the file created, open a Terminal and enter in the command:

Code:
ldapadd -x -W -D “cn=Manager,dc=linux,cd=org” -f group.ldif

You should get a message ‘adding new entry…..’. We now have a new group.

Let’s look into adding a user.

Switch to the folder ‘/usr/share/migrationtools’. We now need to edit the file ‘migrate_common.ph’. Perform a search and find ‘MAIL_DOMAIN’ and you should see the following:

Code:
$DEFAULT_MAIL_DOMAIN = “padl.com”;

#Default base
$DEFAULT_BASE = “dc=padl,dc=com”;

The FQDN needs to be changed to the FQDN you set. Make sure you change BOTH lines.

Now, we need to select a user to migrate from our system and add the user to LDAP. For my system, I will use ‘Test’. I need to pull out the information to a second file with the command:

Code:
grep Test /etc/passwd >> /home/jarret/test

If you ‘cat’ out the ‘test’ file, it should simply be a single line containing the information for the user ‘Test’.

We need this file to create a user template for adding other users. From your home folder, run the command:

Code:
/usr/share/migrationtools/migrate_passwd.pl test user.ldif

The ‘test’ file is being input for information and a new LDIF file is created called ‘user.ldif’ which contains the information for adding the user ‘Test’ as follows:

Code:
dn: uid=Test,ou=People,dc=linux,dc=org
uid: Test
cn: Test
objectClass: account
objectClass: posixAccount
objectClass: top
userPassword: {crypt}x
loginShell: /bin/bash
uidNumber: 1002
gidNumber: 4000
homeDirectory: /home/Test

You can change the ‘uid=Test’, ‘cn: Test’ and ‘homeDirectory’ to a different username. Change the uid number to 4000. The ‘gidNumber’ can be set to 4000 to add this user to the ‘testgroup’ that has a ‘gidNumber’ of 4000. The new user can be added with the command:

Code:
ldapadd -x -W -D “cn=Manager,dc=linux,cd=org” -f user.ldif

Any valid username can be used to set up the new user from this template. If the addition is successful, you should see a message ‘adding new entry …..’.

Removing OpenLDAP

If a major error is made or you simply want to perform installing LDAP again, the following commands will completely remove LDAP:

Code:
systemctl stop slapd
systemctl disable slapd
yum -y remove openldap-servers openldap-clients
rm -rf /var/lib/ldap
userdel ldap
rm -rf /etc/openldap

Conclusion

This should give you a basic understanding of setting up LDAP and getting it ready for the article on LDAP Authentication.

There should be another article on setting up LDAP on Ubuntu systems. If you plan on using Ubuntu or taking the LFCS Ubuntu test, read that article.

As stated before, setting up LDAP is not covered on the exam, only authentication of users by LDAP.
 
Last edited:


I found that 'gidNumber' on the test user was set to 1002 and not 4000. I changed it. For anyone who is following these exactly, you will need to create another user (test2) and use the proper gidNumber.
 

Members online


Top