Configuring LDAP based authentication in RHEL7

WHat is LDAP?

LDAP: Light weight Directory Access Protocol

This authentication will allow client machine to access any centralized   data/service from different places.

Keeping services/data centralized is very simple to maintain and Grant/Deny permission centrally.

 

Installing Openldap:

[root@server ~]# yum -y install openldap*

 

Make sure that SELinux should not deny LDAP. So for that we have to enable the below Boolean values in both server and client.

[root@server ~]# setsebool -P allow_ypbind=0 authlogin_nsswitch_use_ldap=0

Now enable ldap permanently in this session and start the ldap service

[root@server ~]# systemctl enable slapd
[root@server ~]# systemctl start slapd

Since ldap service is running ldap user should be the owner for /var/lib/ldap directory. By default this will be modified by root user as its administrator.
So, we have to change owner and group as ldap user. Before that make a copy of configuration file for slapd into /var/lib/ldap with the DB_CONFIG name.

Note: slapd configuration file will be available under /usr/share/openldap-servers/DB_CONFIG.example

 

[root@server ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
cp: overwrite ‘/var/lib/ldap/DB_CONFIG’? y

Now change the owenr as ldap user recursively to that directory.

 

[root@server ~]# chown -R ldap:ldap /var/lib/ldap

 

Now set password for ldap admin use and take a copy of create password for future use.

[root@server ~]# slappasswd
New password:
Re-enter new password:
{SSHA}Kp/mCASZRf/dBKNHKOxg4O5lEt7vyiRB

 

LDAP configuration files are available under /etc/openldap/slapd.d/.
We need to update the “olcSuffix” and “olcRootDN” varialbles.

olcSuffix: Its domain for the LDAP Server to provided the information.
olcRootDN: This is administrator user entry who has all the permission to do operation like root (Root Distinguished Name)

olcRootPW: Password of above user.

 

Above entries should be updated in /etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif file.
Note: Updating the entries manually is nont adviseable. So, we are going to create a ldif file and update it using ldapmodify command.

 

Now creare ldaprootpasswd.ldif file with following contents:

[root@server cn=config]# vi db.ldif

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=lbcdomain,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=ldapadm,dc=lbcdomain,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}Kp/mCASZRf/dBKNHKOxg4O5lEt7vyiRB

save and exit.

once file created with above content execute the below command

[root@server cn=config]# ldapmodify -Y EXTERNAL -H ldapi:/// -f db.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

[root@server cn=config]#

 

Do changes in /etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif file to restrict monitor access to only ldap root user.

 

[root@server ~]# vi monitor.ldif

dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external, cn=auth" read by dn.base="cn=ldapadm,dc=lbcdomain,dc=com" read by * none

 

save and exit from the file.

once created file with above content send configuration to ldap server by usinf ldapmodify command.

 

[root@server cn=config]# ldapmodify -Y EXTERNAL -H ldapi:/// -f monitor.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}monitor,cn=config"

[root@server cn=config]#

 

Creating LDAP Certificate:

now will create certifiate and private key with ldap server self signed by using below command in /etc/openldap/certs/ directory

[root@server cn=config]# openssl req -new -x509 -nodes -out /etc/openldap/certs/lbcdomainldapcert.pem -keyout /etc/openldap/certs/lbcdomainldapkey.pem -days 365
Generating a 2048 bit RSA private key
..........................................................................................................................................................................................................................+++
................+++
writing new private key to '/etc/openldap/certs/lbcdomainldapkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:Tamilnadu
Locality Name (eg, city) [Default City]:Chennai
Organization Name (eg, company) [Default Company Ltd]:Linux Book Center
Organizational Unit Name (eg, section) []:Linux Book Center
Common Name (eg, your name or your server's hostname) []:Server
Email Address []:[email protected]

 

Now change the ownership and group to key files.

[root@server cn=config]# chown -R ldap:ldap /etc/openldap/certs/*.pem

[root@server certs]# ll | grep pem
-rw-r--r--. 1 ldap ldap 1480 Aug 15 11:32 lbcdomainldapcert.pem
-rw-r--r--. 1 ldap ldap 1708 Aug 15 11:32 lbcdomainldapkey.pem

 

Create certs.ldif file to configure LDAP to use secure communication using self signed certificates.

[root@server certs]# vi certs.ldif

dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/lbcdomainldapcert.pem

dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/lbcdomainldapkey.pem

oncefile created import the certificate configuration by usging below ldapmodify command

[root@server certs]# ldapmodify -Y EXTERNAL -H ldapi:/// -f certs.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"

modifying entry "cn=config"

[root@server certs]#

 

Use the below command to verify the configuration:

[root@server certs]# slaptest -u
5992a281 UNKNOWN attributeDescription "CHANGETYPE" inserted.
5992a281 UNKNOWN attributeDescription "REPLACE" inserted.
5992a281 is_entry_objectclass("olcDatabase={2}hdb,cn=config,cn=config", "2.16.840.1.113730.3.2.6") no objectClass attribute
5992a281 is_entry_objectclass("olcDatabase={1}monitor,cn=config,cn=config", "2.16.840.1.113730.3.2.6") no objectClass attribute
config file testing succeeded

LDAP Database creation:

Sample configuration file will be available in /var/lib/ldap  file. Copy the sample file and change the file permission.

[root@server certs]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@server certs]# chown ldap:ldap /var/lib/ldap/*

Add cosine ans nis LDAP schemas

ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

 

[root@server certs]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"
ldap_add: Other (e.g., implementation specific) error (80)
 additional info: olcAttributeTypes: Duplicate attributeType: "0.9.2342.19200300.100.1.2"

 

[root@server certs]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"
ldap_add: Other (e.g., implementation specific) error (80)
 additional info: olcAttributeTypes: Duplicate attributeType: "1.3.6.1.1.1.1.2"
[root@server certs]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"
ldap_add: Other (e.g., implementation specific) error (80)
 additional info: olcAttributeTypes: Duplicate attributeType: "2.16.840.1.113730.3.1.1"

 

Now create ldif file for our domain

[root@server certs]# vi base.ldif

dn: dc=lbcdomain,dc=com
dc: lbcdomain
objectClass: top
objectClass: domain

dn: cn=ldapadm ,dc=lbcdomain,dc=com
objectClass: organizationalRole
cn: ldapadm
description: LDAP Manager

dn: ou=People,dc=lbcdomain,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=lbcdomain,dc=com
objectClass: organizationalUnit
ou: Group

Now build the directory structure

[root@server certs]# ldapadd -x -W -D "cn=ldapadm,dc=lbcdomain,dc=com" -f base.ldif
Enter LDAP Password:
adding new entry "dc=lbcdomain,dc=com"
ldap_add: Already exists (68)

 

We configured LDAP server and now will use ldap credentials to access centralized data/ service like NFS share.

 

2 thoughts on “Configuring LDAP based authentication in RHEL7”

  1. This is the fitting blog for anyone who desires to seek out out about this topic. You realize a lot its virtually arduous to argue with you (not that I truly would want…HaHa). You positively put a new spin on a topic thats been written about for years. Nice stuff, just nice!

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *