Sunday 3 July 2011

RHEL6 openldap server configuration step by step

Step 1: first we need to install the required packages:

#yum install openldap-servers migrationtools

Step 2: As the configuration for LDAP is stored inside the LDAP server itself, the configuration has to be done by editing LDIF files under the /etc/openldap/slapd.d/ directory.

Now create the ldap password:

#slappasswd

You'll get something like this "{SSHA}r2or9f2vYlvieCu0LP6wTnSdYfrddsuV" as a result. This is the string we will have to add to the bdb.ldif config file.

# vim /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{1\}bdb.ldif

Substitute my-domain.com with yourdomain.com:

:%s/dc=my-domain,dc=com/dc=yourdomain,dc=com/g


Step 3: We now set the admin password and specify the location of our encryption certificate and key.

Add these three lines at the end of the bdb.ldif file:

olcRootPW: {SSHA}r2or9f2vYlvieCu0LP6wTnSdYfrddsuV
olcTLSCertificateFile: /etc/pki/tls/certs/slapdcert.pem
olcTLSCertificateKeyFile: /etc/pki/tls/certs/slapdkey.pem

Step 4: Now we have to specify the monitoring privileges

#vim /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}monitor.ldif

again, we have to replace the default domain name with our domain name

:%s/cn=manager,dc=my-domain,dc=com/cn=Manager,dc=yourdomain,dc=com/g

Step 5: Now it's time for the database cache

#updatedb
#cp /usr/share/doc/openldap-servers-2.4.19/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
#chown -Rf ldap:ldap /var/lib/ldap/

Step 6: Now we will need to set up a certificate for TLS. First we need to edit /etc/sysconfig/ldap and change SLAPD_LDAPS from no to yes.

#vi /etc/sysconfig/ldap
SLAPD_LDAPS=yes

Now we can create the certificate:

#openssl req -new -x509 -nodes -out /etc/pki/tls/certs/slapdcert.pem -keyout /etc/pki/tls/certs/slapdkey.pem -days 365

This creates the certificate and the private key in the /etc/pki/tls/certs/ directory. We need to make them readable for the ldap user, without leaving the private key readable by everyone.

# chown root:ldap /etc/pki/tls/certs/slapdcert.pem /etc/pki/tls/certs/slapdkey.pem
# chmod 640 /etc/pki/tls/certs/slapdkey.pem

Step 7: Time to test our configuration

# slaptest -u

config file testing succeeded

Step 8: Start the ldap server

#service slapd start

Let's check if our LDAP server really works:

#ldapsearch -x -b "dc=yourdomain,dc=com"

If the output ends with "search: 2" then you're on track!

Step 9: Configure the base domain

#vi base.ldif
dn: dc=yourdomain,dc=com
dc: yourdomain
objectClass: top
objectClass: domain

dn: ou=People,dc=yourdomain,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=yourdomain,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit

now we import our base information to the ldap directory:

#ldapadd -x -W -D "cn=Manager,dc=yourdomain,dc=com" -f base.ldif

Step 10: Let's migrate the users

Go to the directory /usr/share/migrationtools and edit the file migrate_common.ph:
# vim /usr/share/migrationtools/migrate_common.ph
Set:

# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "yourdomain.com";
# Default base
$DEFAULT_BASE = "dc=yourdomain,dc=com";

Then generate the LDIF files from the local users and groups and load them (the groups go under the ou=Group created in base.ldif):

#grep ":5[0-9][0-9]" /etc/passwd > passwd
#grep ":5[0-9][0-9]" /etc/group > group
#./migrate_passwd.pl passwd > users.ldif
#./migrate_group.pl group > group.ldif
#ldapadd -x -W -D "cn=Manager,dc=yourdomain,dc=com" -f users.ldif
#ldapadd -x -W -D "cn=Manager,dc=yourdomain,dc=com" -f group.ldif

Step 11: Testing the LDAP server. We check if user mani exists:
#ldapsearch -x -b "dc=yourdomain,dc=com" "cn=mani"


If the test is successful you're done :)
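As an added example (not from the original post), the following POSIX shell functions derive the base DN for any DNS domain (a multi-label domain such as education.edu.au becomes dc=education,dc=edu,dc=au), write a base.ldif whose entries are separated by blank lines, and lint an LDIF file for the two mistakes that break ldapadd here: entries that run together and a dn that lies outside the configured suffix. The function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original post: build the base DN for a
# DNS domain, generate a correctly separated base.ldif, and lint an LDIF
# file for entries that run together or fall outside the suffix.

# "education.edu.au" -> "dc=education,dc=edu,dc=au"
domain_to_dn() {
    printf 'dc=%s' "$(printf '%s' "$1" | sed 's/\./,dc=/g')"
}

# Print base.ldif for a domain: the root entry plus ou=People and ou=Group.
# Each entry is followed by a blank line, which ldapadd requires.
gen_base_ldif() {
    base=$(domain_to_dn "$1")
    printf 'dn: %s\ndc: %s\nobjectClass: top\nobjectClass: domain\n\n' \
        "$base" "${1%%.*}"
    for ou in People Group; do
        printf 'dn: ou=%s,%s\nou: %s\nobjectClass: top\n' "$ou" "$base" "$ou"
        printf 'objectClass: organizationalUnit\n\n'
    done
}

# lint_ldif FILE BASE_DN: report and exit 1 if a dn starts without a blank
# line before it, or if a dn does not end with BASE_DN.
lint_ldif() {
    awk -v base="$2" '
        BEGIN { inentry = 0; bad = 0 }
        /^$/  { inentry = 0; next }      # a blank line ends an entry
        /^#/  { next }                   # comments are ignored
        /^dn: / {
            if (inentry) {
                print "line " NR ": new dn without a blank line before it"; bad = 1
            }
            if (substr($0, length($0) - length(base) + 1) != base) {
                print "line " NR ": dn is outside " base; bad = 1
            }
            inentry = 1; next
        }
        { inentry = 1 }
        END { exit bad }
    ' "$1"
}
```

Run `gen_base_ldif yourdomain.com > base.ldif` and then `lint_ldif base.ldif "$(domain_to_dn yourdomain.com)"` before handing the file to ldapadd.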

All The Best, regards cnuvasan

24 comments:

Stu said...

Hello

Firstly let me say thanks for some great post on your site.
I am trying to setup open LDAP on RHEL6 and have been following your steps.
All seems to be going well until I get to Step 9. Please see the below.

ldapadd -x -W -D ”cn=Manager,dc=example,dc=com” -f base.ldif
Enter LDAP Password:
ldap_bind: Invalid DN syntax (34)
additional info: invalid DN

Any help would be most appreciated.

Best regards

keshant said...

try this
ldapadd -x -W -D 'cn=Manager,dc=example,dc=com' -f base.ldif


Use single quotes instead of double quotes.

siva said...

I've already configured this and it's working fine, but I'm unable to change the LDAP password from the client side. Do you have any idea how to do it?

Scott D. Davis said...

Note: found out that the base.ldif file presented here needs an edit. Notice the blank lines separating the dn:

Try this instead:
# vi base.ldif
dn: dc=example,dc=com
dc: example
objectClass: top
objectClass: domain

dn: ou=People,dc=example,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=example,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit


PS: Thanks for an AWESOME TUTORIAL!

Scott D. Davis said...

Another edit: on RHEL6 my DB_CONFIG.example was in:

/usr/share/openldap-servers/DB_CONFIG.example

Unknown said...
This comment has been removed by the author.
Unknown said...

Running this command: ldapadd -x -W -D 'cn=Manager,dc=example,dc=com' -f base.ldif

gives the error: Invalid Credentials (49)

Unknown said...

Hi all,

when I run this command:

#ldapsearch -x -b "dc=example,dc=com"
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

this message is displayed.

Please give me a solution ...

Unknown said...

Run this command

#ldapsearch -h ldapserverIP(eg. 192.168.1.10) -x -b "dc=example,dc=com"

Unknown said...

Address for downloading the certificate on the client side?

Biggest Picture Collection said...

Hey,
what if the URL is "www.education.edu.au"?

How do we change it?

Rhey said...
This comment has been removed by the author.
Rhey said...

How can I make certificates ready on my FTP, for client authentication?

vijay said...

Thanks for the perfect note on LDAP.

sai said...

[root@centos6 ~]# ldapadd -x -W -D "cn=Manager,dc=sam,dc=com" -f base.ldif
Enter LDAP Password:
ldapadd: attributeDescription "dn": (possible missing newline after line 8, entry "dc=sam,dc=net"?)
ldapadd: attributeDescription "dn": (possible missing newline after line 9, entry "dc=sam,dc=net"?)
adding new entry "dc=sam,dc=net"
ldap_add: Type or value exists (20)
additional info: objectClass: value #0 provided more than once

sai said...

How do I integrate the LDAP user mani with XP client login? I know the pGina tool. Can you tell me exactly how to use this tool to log in user mani from an XP client?

Srikanth said...

Note: found out that the base.ldif file presented here needs an edit. Notice the blank lines separating the dn:

Try this instead:
# vi base.ldif
dn: dc=example,dc=com
dc: example
objectClass: top
objectClass: domain

dn: ou=People,dc=example,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=example,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit

Srikanth said...

Hi everybody.

I have followed these steps and installed OpenLDAP; I am able to add users and groups. I am also able to search the users & groups.

But when I try to search using -W (or) -w mypass
it shows the following error:
"ldap_bind: Invalid credentials (49)"

Even if I try to change the password it shows the same error.

Followed this URL: http://www.ezylinux.com/en/red-hat-6-how-to-fixes-ldapadd-ldap_bind-invalid-credentials-49/

Not solved. Can anyone help me out?

Test said...

Proper steps to configure an LDAP server, successfully done...

Step by Step Installation and Configuration Open LDAP Server
Software: RHEL 6.2 Server
System name: ldap.sms.com
Domain name: sms.com
System IP: 192.168.1.5
Note: Use your domain name and IP instead of sms.com
Step #1. Requirements
compat-openldap.i386 0:2.1.30-6.4E
openldap-clients.i386 0:2.2.13-6.4E
openldap-devel.i386 0:2.2.13-6.4E
openldap-servers.i386 0:2.2.13-6.4E
openldap-servers-sql.i386 0:2.2.13-6.4E
You can install them using the command:
yum install *openldap* -y
Step #2. Start the service
[root@ldap ~]# chkconfig --levels 35 slapd on
[root@ldap ~]# service slapd start
Prepare a customized configuration file in slapd.example.conf:
cp /etc/openldap/slapd.conf.bak /etc/openldap/slapd.example.conf

Step #3. Update /etc/openldap/slapd.example.conf for the root password
[root@ldap ~]# vi /etc/openldap/slapd.example.conf
database bdb
suffix "dc=sms,dc=com"
rootdn "cn=root,dc=sms,dc=com"
rootpw secret

Step #4. Import all users into the LDAP

1) Adding the Organization

vi parent.ldif

# Root entry
dn: dc=sms,dc=com
objectclass: dcObject
objectclass: organization
o: Mumbai Company
dc: sms

# Add an Organizational Role
dn: cn=root,dc=sms,dc=com
objectclass: organizationalRole
cn: root

2) Adding the Organizational unit

vi ou.ldif

dn: ou=BANGALORE,dc=sms,dc=com
ou: BANGALORE
objectClass: organizationalUnit

dn: ou=CALCUTTA,dc=sms,dc=com
ou: CALCUTTA
objectClass: organizationalUnit

3) Adding Users to the LDAP Directory

vi users.ldif

dn: uid=sajeesh.prabhakar,ou=BANGALORE,dc=sms,dc=com
uid: sajeesh.prabhakar
objectClass: top
objectClass: person
objectClass: inetOrgPerson
ou: BANGALORE
givenName: SAJEESH
sn: PRABHAKAR
cn: MUM/PROJ/SAJEESH PRABHAKAR
mail: sajeesh.prabhakar@mumbai.com

dn: uid=pankaj.patil,ou=CALCUTTA,dc=sms,dc=com
uid: pankaj.patil
objectClass: top
objectClass: person
objectClass: inetOrgPerson
ou: CALCUTTA
givenName: Pankaj
sn: patil
cn: MUM/PROJ/pankaj patil
mail: pankaj.patil@mumbai.com

Make sure the service is not running:
service slapd stop
Clean up configuration:
rm -rf /etc/openldap/slapd.d/*
Clean up content:
rm -rf /var/lib/ldap/*
Copy the file:
cp /usr/share/doc/openldap-servers-*/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
Initialize DB files for content in the /var/lib/ldap directory:
echo "" | slapadd -f /etc/openldap/slapd.example.conf
This is required, otherwise you will get this error:
bdb_db_open: database "dc=example,dc=com": db_open(/var/lib/ldap/id2entry.bdb) failed: No such file or directory (2).
Convert the configuration file into dynamic configuration under the /etc/openldap/slapd.d directory:
slaptest -f /etc/openldap/slapd.example.conf -F /etc/openldap/slapd.d
Initialize the LDAP DB with initial content:
slapadd -l parent.ldif

Set permissions:
chown -R ldap:ldap /var/lib/ldap
chown -R ldap:ldap /etc/openldap/slapd.d

Test initial configuration
Start server:
service slapd restart
List the content by request from client:
ldapsearch -x -b 'dc=sms,dc=com'

This is the command for adding the LDAP entries (ou & users):
ldapadd -x -D 'cn=root,dc=sms,dc=com' -W -f ou.ldif
ldapadd -x -D 'cn=root,dc=sms,dc=com' -W -f users.ldif
List again:
ldapsearch -x -b 'dc=sms,dc=com'


Unknown said...

I can't start the slapd service. It shows an error like this..
#service slapd start
Checking configuration file or slapd:
bdb_db_open: DB_CONFIG for suffix "dc=rehat,dc=com" has changed.
Performing database recovery to activate new settings.
bdb_db_open: database "redhat,dc=com": recovery skipped in read-only mode. Run manual recovery if errors encountered.
config file testing succeeded
Starting slapd: creating symbolic link '/var/run/slapd.pid: File exits

Please solve this problem

sai said...

Tell me how to log in an LDAP user on an XP client machine.. please give me the nice documents ....

Unknown said...

I can't start the slapd service. It shows FAILED. Please reply to me.

Anil jaiswar said...

Dear Sir, when I put this command ldapadd -x -W -D 'cn=Manager,dc=example,dc=com' -f base.ldif >>>>>>>> it asks for the LDAP password. Which password should I put here? Please help.