Sunday, July 3, 2011

RHEL6 openldap server configuration step by step

Step 1: first we need to install the required packages:

#yum install openldap-servers migrationtools

Step 2: Since the LDAP configuration is stored inside the LDAP server itself, it is done by editing the LDIF files under the /etc/openldap/slapd.d/ directory.

Now generate the hashed LDAP admin password:

#slappasswd

You will get something like "{SSHA}r2or9f2vYlvieCu0LP6wTnSdYfrddsuV" as a result. This is the hash we will add to the bdb.ldif config file.

# vim /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{1\}bdb.ldif

Substitute my-domain.com with yourdomain.com:

:%s/dc=my-domain,dc=com/dc=yourdomain,dc=com/g


Step 3: We now set the admin password and specify the location of our TLS certificate and key.

Add these 3 lines at the end of the bdb.ldif file:

olcRootPW: {SSHA}r2or9f2vYlvieCu0LP6wTnSdYfrddsuV
olcTLSCertificateFile: /etc/pki/tls/certs/slapdcert.pem
olcTLSCertificateKeyFile: /etc/pki/tls/certs/slapdkey.pem

Step 4: Now we have to specify the monitoring privileges

#vim /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}monitor.ldif

again, we have to replace the default domain name with our domain name

:%s/cn=manager,dc=my-domain,dc=com/cn=Manager,dc=yourdomain,dc=com/g

Step 5: Now it's time for the database cache

#updatedb
#cp /usr/share/doc/openldap-servers-2.4.19/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
#chown -Rf ldap:ldap /var/lib/ldap/

Step 6: Now we will need to set up a certificate for TLS. First we need to edit /etc/sysconfig/ldap and change SLAPD_LDAPS from no to yes.

#vi /etc/sysconfig/ldap
SLAPD_LDAPS=yes

Now we can create the certificate:

#openssl req -new -x509 -nodes -out /etc/pki/tls/certs/slapdcert.pem -keyout /etc/pki/tls/certs/slapdkey.pem -days 365

This will create the certificate and the private key in the /etc/pki/tls/certs/ directory. We need to make them readable for the ldap user (slapd runs as that user), so both files get the ldap group and the key is kept unreadable for everyone else:

# chown root:ldap /etc/pki/tls/certs/slapdcert.pem /etc/pki/tls/certs/slapdkey.pem
# chmod 750 /etc/pki/tls/certs/slapdkey.pem
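Before starting slapd it is worth confirming that the key file really ended up readable only by root and the ldap group, because a world-readable key silently undoes the point of TLS. The script below is an added example, not part of the original post; it assumes POSIX sh and an `ls -l` whose first field is the ten-character mode string (e.g. -rw-r-----), and it uses no LDAP tools at all.

```shell
#!/bin/sh
# Added example (not from the original post): verify that the slapd TLS key
# file is readable only by root and the ldap group before starting slapd.
# Assumes POSIX sh and an "ls -l" whose first field is the 10-character mode
# string (e.g. -rw-r-----); no LDAP tools are used.

# Print the symbolic mode string of a file, e.g. -rw-r-----
file_mode() {
    ls -ld "$1" | cut -c1-10
}

# Return 0 when "other" has no permission bits and the group cannot write;
# otherwise print the mode and a suggested fix and return 1.
check_private_key() {
    local f="$1" mode group_w other
    [ -f "$f" ] || { echo "$f: not a regular file"; return 1; }
    mode=$(file_mode "$f")
    group_w=$(printf '%s' "$mode" | cut -c6)     # group write bit
    other=$(printf '%s' "$mode" | cut -c8-10)    # other r/w/x bits
    if [ "$group_w" != "-" ] || [ "$other" != "---" ]; then
        echo "$f: too permissive ($mode); suggested: chown root:ldap '$f' && chmod 640 '$f'"
        return 1
    fi
    echo "$f: $mode ok"
    return 0
}

# Usage (the path is the key created in step 6 above):
#   check_private_key /etc/pki/tls/certs/slapdkey.pem
```

The check accepts the post's chmod 750 as well as the tighter 640, and rejects anything that leaves the key group-writable or readable by other users.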

Step 7: Time to test our configuration

# slaptest -u

config file testing succeeded

Step 8: Start the ldap server

#service slapd start

Let's check if our ldap server really works:

#ldapsearch -x -b "dc=yourdomain,dc=com"

If you get "search: 2" then you're on track!

Step 9: Configure the base domain

#vi base.ldif
dn: dc=yourdomain,dc=com
dc: yourdomain
objectClass: top
objectClass: domain

dn: ou=People,dc=yourdomain,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=yourdomain,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit

now we import our base information to the ldap directory:

#ldapadd -x -W -D "cn=Manager,dc=yourdomain,dc=com" -f base.ldif
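Two details of base.ldif cause most of the failures reported in the comments below: entries in LDIF must be separated by blank lines, and every DN in the file must sit under the suffix configured in bdb.ldif (entries under dc=net cannot be added to a dc=com database). The script below is an added example, not part of the original post or of OpenLDAP; it derives the base DN from a DNS domain name (so a multi-label domain such as education.edu.au becomes dc=education,dc=edu,dc=au), writes a correctly separated base.ldif, and checks an LDIF file for both mistakes before it is handed to ldapadd. It assumes POSIX sh and awk only and never contacts an LDAP server.

```shell
#!/bin/sh
# Added example (not from the original post): build base.ldif from a DNS
# domain and sanity-check an LDIF file before running ldapadd.
# Assumes POSIX sh and awk only; nothing here talks to an LDAP server.

# Turn a DNS domain into an LDAP base DN:
#   education.edu.au -> dc=education,dc=edu,dc=au
domain_to_dn() {
    local domain="$1" dn="" label
    local IFS='.'
    for label in $domain; do
        [ -n "$label" ] || continue
        dn="${dn:+$dn,}dc=$label"
    done
    printf '%s\n' "$dn"
}

# Write the three base entries (domain, ou=People, ou=Group) to stdout,
# separated by blank lines as LDIF requires.
make_base_ldif() {
    local domain="$1" base first
    base=$(domain_to_dn "$domain")
    first=${domain%%.*}
    printf 'dn: %s\ndc: %s\nobjectClass: top\nobjectClass: domain\n\n' "$base" "$first"
    printf 'dn: ou=People,%s\nou: People\nobjectClass: top\nobjectClass: organizationalUnit\n\n' "$base"
    printf 'dn: ou=Group,%s\nou: Group\nobjectClass: top\nobjectClass: organizationalUnit\n' "$base"
}

# Check an LDIF file against the database suffix: each blank-line separated
# block must begin with "dn:", a second "dn:" inside a block means a blank
# line is missing, and every DN must equal the suffix or end with ",<suffix>".
# Prints one line per problem and returns 1 if any were found.
check_ldif() {
    local file="$1" suffix="$2"
    awk -v suffix="$suffix" '
        BEGIN { entry = 0; problems = 0; expect_dn = 1 }
        /^#/ { next }                          # LDIF comment lines
        /^[ \t]*$/ { expect_dn = 1; next }     # blank line ends an entry
        expect_dn {
            entry++
            if ($0 !~ /^dn: /) {
                print "entry " entry ": block does not start with dn:"; problems++
            } else {
                dn = substr($0, 5)
                if (dn != suffix && dn !~ ("," suffix "$")) {
                    print "entry " entry ": " dn " is outside suffix " suffix; problems++
                }
            }
            expect_dn = 0
            next
        }
        /^dn: / { print "entry " entry ": dn: inside a block, blank line missing before it"; problems++ }
        END { exit (problems > 0) ? 1 : 0 }
    ' "$file"
}

# Demo on constructed input: a correct file passes, the same file with its
# blank lines removed (the unseparated form) is rejected.
demo() {
    local good bad
    good=$(mktemp) && bad=$(mktemp) || return 1
    make_base_ldif example.com > "$good"
    grep -v '^$' "$good" > "$bad"
    check_ldif "$good" "dc=example,dc=com" && echo "base.ldif OK"
    check_ldif "$bad" "dc=example,dc=com" || echo "unseparated copy rejected"
    rm -f "$good" "$bad"
}

demo
```

To use it for a real domain, run `make_base_ldif yourdomain.com > base.ldif` and then `check_ldif base.ldif "$(domain_to_dn yourdomain.com)"` before the ldapadd above; the suffix passed to check_ldif must be the one you put in bdb.ldif in step 2.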

Step 10: Let's migrate the users

Go to the directory /usr/share/migrationtools and edit the file migrate_common.ph:

# vim /usr/share/migrationtools/migrate_common.ph

Set:

# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "yourdomain.com";
# Default base
$DEFAULT_BASE = "dc=yourdomain,dc=com";

Then export the matching local user and group entries, convert them to LDIF and load them:

#grep ":5[0-9][0-9]" /etc/passwd > passwd
#grep ":5[0-9][0-9]" /etc/group > group
#./migrate_passwd.pl passwd > users.ldif
#./migrate_group.pl group > group.ldif
#sed -e "s/ou=Group/ou=Groups/g" group.ldif > groups.ldif
#ldapadd -x -W -D "cn=Manager,dc=yourdomain,dc=com" -f users.ldif
#ldapadd -x -W -D "cn=Manager,dc=yourdomain,dc=com" -f groups.ldif

Step 11: Testing the ldap server. We check whether the user mani exists:

#ldapsearch -x "cn=mani" -b "dc=yourdomain,dc=com"


If the test is successful you're done :)

All The Best, regards cnuvasan

24 comments:

  1. Hello

    Firstly let me say thanks for some great post on your site.
    I am trying to setup open LDAP on RHEL6 and have been following your steps.
    All seems to be going well until I get to Step 9. Please see the below.

    ldapadd -x -W -D ”cn=Manager,dc=example,dc=com” -f base.ldif
    Enter LDAP Password:
    ldap_bind: Invalid DN syntax (34)
    additional info: invalid DN

    Any help would be most appreciated.

    Best regards

    1. Try this:
      ldapadd -x -W -D 'cn=Manager,dc=example,dc=com' -f base.ldif

      Use single quotes instead of double quotes .....
    2. Note: found out that the base.ldif file presented here needs an edit. Notice the blank lines separating the dn:

      Try this instead:
      # vi base.ldif
      dn: dc=example,dc=com
      dc: example
      objectClass: top
      objectClass: domain

      dn: ou=People,dc=example,dc=com
      ou: People
      objectClass: top
      objectClass: organizationalUnit

      dn: ou=Group,dc=example,dc=com
      ou: Group
      objectClass: top
      objectClass: organizationalUnit


      PS: Thanks for an AWESOME TUTORIAL!

    3. Thanks for the perfect note on LDAP.

    4. I can't start the slapd service. It shows FAILED. Please reply to me.
  2. I've already configured this and it is working fine, but I'm unable to change the LDAP password from the client side. Do you have any idea how to do it?
  3. Another edit: on RHEL6 my DB_CONFIG.example was in:

    /usr/share/openldap-servers/DB_CONFIG.example

  4. This comment has been removed by the author.

  5. Running this command ldapadd -x -W -D 'cn=Manager,dc=example,dc=com' -f base.ldif

    gives the error: Invalid Credentials (49)
    1. Hi all,

      when I am running this command:

      #ldapsearch -x -b "dc=example,dc=com"
      ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

      this message is displayed.

      Please give me a solution ...
    2. Run this command

      #ldapsearch -h ldapserverIP(eg. 192.168.1.10) -x -b "dc=example,dc=com"

    3. address for download certificate on client side

  6. Hey
    how if the url is "www.education.edu.au"?

    how do we change it?

  7. This comment has been removed by the author.

  8. how can make certificates ready on my ftp, for client authentication?

  9. [root@centos6 ~]# ldapadd -x -W -D "cn=Manager,dc=sam,dc=com" -f base.ldif
    Enter LDAP Password:
    ldapadd: attributeDescription "dn": (possible missing newline after line 8, entry "dc=sam,dc=net"?)
    ldapadd: attributeDescription "dn": (possible missing newline after line 9, entry "dc=sam,dc=net"?)
    adding new entry "dc=sam,dc=net"
    ldap_add: Type or value exists (20)
    additional info: objectClass: value #0 provided more than once

    1. Note: found out that the base.ldif file presented here needs an edit. Notice the blank lines separating the dn:

      Try this instead:
      # vi base.ldif
      dn: dc=example,dc=com
      dc: example
      objectClass: top
      objectClass: domain

      dn: ou=People,dc=example,dc=com
      ou: People
      objectClass: top
      objectClass: organizationalUnit

      dn: ou=Group,dc=example,dc=com
      ou: Group
      objectClass: top
      objectClass: organizationalUnit

  10. How do I integrate the mani LDAP user with XP client login? I know the pGina tool. Can you tell me exactly how to use this tool to log in the mani user from an XP client?

  11. Hi everybody.

    I have followed these steps and installed OpenLDAP; I am able to add users and groups. I am also able to search the users & groups.

    But when i try to search using -W (or) -w mypass
    it is showing the following error
    "ldap_bind: Invalid credentials (49)"

    Even if i try to change the password it is showing the same error.

    Followed this URL : http://www.ezylinux.com/en/red-hat-6-how-to-fixes-ldapadd-ldap_bind-invalid-credentials-49/

    Not solved. Can anyone help me out.

  12. Proper steps to configure an LDAP server, successfully done...

    Step by Step Installation and Configuration Open LDAP Server
    Software: RHEL 6.2 Server
    System name: ldap.sms.com
    Domain name: sms.com
    System IP: 192.168.1.5
    Note: Use your domain name and IP instead of sms.com
    Step #1. Requirements
    compat-openldap.i386 0:2.1.30-6.4E
    openldap-clients.i386 0:2.2.13-6.4E
    openldap-devel.i386 0:2.2.13-6.4E
    openldap-servers.i386 0:2.2.13-6.4E
    openldap-servers-sql.i386 0:2.2.13-6.4E
    You can install them using the command:
    yum install *openldap* -y
    Step #2. Start the service
    [root@ldap ~]# chkconfig --levels 35 ldap on
    [root@ldap ~]# service slapd start
    Prepare customized configuration file in slapd.example.conf:
    cp /etc/openldap/slapd.conf.bak /etc/openldap/slapd.example.conf

    Step #3. Update /etc/openldap/slapd.example.conf for the root password
    [root@ldap ~]# vi /etc/openldap/slapd.example.conf
    database bdb
    suffix "dc=sms,dc=com"
    rootdn "cn=root,dc=sms,dc=com"
    rootpw secret

    Step #4 . Import all users in to the LDAP

    1) Adding the Organization

    vi parent.ldif

    # Root entry
    dn: dc=mumbai,dc=com
    objectclass: dcObject
    objectclass: organization
    o: Munbai Company
    dc: mumbai

    # Add an Organization Role

    dn: cn=root,dc=mumbai,dc=com
    objectclass: organizationalRole
    cn: root



    2) Adding the Organizational Unit

    vi ou.ldif

    dn: ou=BANGALORE,dc=mumbai,dc=com
    ou: BANGALORE
    objectClass: organizationalUnit


    dn: ou=CALCUTTA,dc=mumbai,dc=com
    ou: CALCUTTA
    objectClass: organizationalUnit

    3) Adding Users to Ldap Directory

    vi users.ldif

    dn: uid=sajeesh.prabhakar,ou=BANGALORE,dc=mumbai,dc=com
    uid: sajeesh.prabhakar
    objectClass: top
    objectClass: person
    objectClass: inetOrgPerson
    ou: BANGALORE
    givenName: SAJEESH
    sn: PRABHAKAR
    cn: MUM/PROJ/SAJEESH PRABHAKAR
    mail: sajeesh.prabhakar@mumbai.com

    dn: uid=pankaj.patil,ou=CALCUTTA,dc=mumbai,dc=com
    uid: pankaj.patil
    objectClass: top
    objectClass: person
    objectClass: inetOrgPerson
    ou: CALCUTTA
    givenName: Pankaj
    sn: patil
    cn: MUM/PROJ/pankaj patil
    mail: pankaj.patil@mumbai.com


    Make sure service is not running:
    service slapd stop
    Clean up configuration:
    rm -rf /etc/openldap/slapd.d/*
    Clean up content:
    rm -rf /var/lib/ldap/*
    Copy the file:
    cp /usr/share/doc/openldap-servers-*/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
    Initialize DB files for content in /var/lib/ldap directory:
    echo "" | slapadd -f /etc/openldap/slapd.example.conf
    This is required, otherwise you will get this error:
    bdb_db_open: database "dc=example,dc=com": db_open(/var/lib/ldap/id2entry.bdb) failed: No such file or directory (2).
    Convert configuration file into dynamic configuration under /etc/openldap/slapd.d directory:
    slaptest -f /etc/openldap/slapd.example.conf -F /etc/openldap/slapd.d
    Initialize LDAP DB with initial content:
    slapadd -l parent.ldif

    Set permissions:
    chown -R ldap:ldap /var/lib/ldap
    chown -R ldap:ldap /etc/openldap/slapd.d



    Test initial configuration
    Start server:
    service slapd restart
    List the content by request from client:
    ldapsearch -x -b 'dc=example,dc=com'

    This is Command For adding ldap Entry of ( ou & Users )
    ldapadd -x -D 'cn=root,dc=sms,dc=com' -W -f ou.ldif
    ldapadd -x -D 'cn=root,dc=sms,dc=com' -W -f users.ldif
    List again
    ldapsearch -x -b 'dc=example,dc=com'


  13. I can't start the slapd service. It shows an error like this..
    #service slapd start
    Checking configuration file or slapd:
    bdb_db_open: DB_CONFIG for suffix "dc=rehat,dc=com" has changed.
    Performing database recovery to activate new settings.
    bdb_db_open: database "redhat,dc=com": recovery skipped in read-only mode. Run manual recovery if errors encountered.
    config file testing succeeded
    Starting slapd: creating symbolic link '/var/run/slapd.pid: File exits

  14. I can't start the slapd service. It shows an error like this..
    #service slapd start
    Checking configuration file or slapd:
    bdb_db_open: DB_CONFIG for suffix "dc=rehat,dc=com" has changed.
    Performing database recovery to activate new settings.
    bdb_db_open: database "redhat,dc=com": recovery skipped in read-only mode. Run manual recovery if errors encountered.
    config file testing succeeded
    Starting slapd: creating symbolic link '/var/run/slapd.pid: File exits

    Please solve this problem

  15. Tell me how to log in an LDAP user on an XP client machine.. please give the nice documents ....

  16. Dear Sir, when I put this command ldapadd -x -W -D 'cn=Manager,dc=example,dc=com' -f base.ldif >>>>>>>> it asks for the LDAP password. Which password should I put here? Please help
