RHEL6 openldap server (Laurent Domb OSS Blog)

Mar 30, 2011, by laurent. 75 comments.

Please note that all double quote characters in this example are plain ASCII characters, not typographical ones!

Step 1: first we need to install the required packages. openldap-clients provides the ldapsearch and ldapadd commands used in the later steps:

# yum install openldap-servers openldap-clients migrationtools

Step 2: As the configuration for LDAP is stored inside the LDAP server itself (the cn=config database), the configuration has to be done by editing the LDIF files under the /etc/openldap/slapd.d/ directory. Do this while slapd is stopped: a running slapd rewrites these files, and Red Hat's documentation recommends changing cn=config through ldapmodify rather than editing them by hand.

Now create the ldap password hash:

# slappasswd

You'll get something like {SSHA}r2or9f2vYlvieCu0LP6wTnSdYfrddsuV as a result. This is the string we will have to add to the bdb.ldif config file. Only this salted hash is stored; the cleartext password never goes into a file.

(Source: RHEL6 openldap server : Laurent Domb OSS Blog, http://blog.domb.net/?p=74, captured 8/26/2013 10:17 AM)

# vim /etc/openldap/slapd.d/cn=config/olcDatabase={1}bdb.ldif

substitute my-domain.com with yourdomain.com:

:%s/dc=my-domain,dc=com/dc=yourdomain,dc=com/g

This rewrites both olcSuffix and olcRootDN (cn=Manager,dc=yourdomain,dc=com). Check both lines afterwards: slapd only accepts an olcRootPW when olcRootDN lies under olcSuffix, and a mismatch between the two shows up in step 7 as "olcRootPW: value #0: can only be set when rootdn is under suffix".

Step 3: We now set the admin password and specify the location of our certificate and key.

Add this line at the end of the bdb.ldif file, with the hash exactly as slappasswd printed it (LDIF values are not quoted):

olcRootPW: {SSHA}r2or9f2vYlvieCu0LP6wTnSdYfrddsuV

The two TLS settings are global options of the cn=config entry, not database options, so they go at the end of /etc/openldap/slapd.d/cn=config.ldif, which is also where the Red Hat Deployment Guide places them:

olcTLSCertificateFile: /etc/pki/tls/certs/slapdcert.pem
olcTLSCertificateKeyFile: /etc/pki/tls/certs/slapdkey.pem

One thing to know before going on: the stock bdb database carries no olcAccess rules at all, and slapd's default policy without rules is "everyone may read everything". After the user import in step 10 that includes the userPassword hashes, readable by an anonymous bind. Add an olcAccess rule that limits userPassword to "by self write by anonymous auth by * none" (see slapd.access(5)) before you load users.

Step 4: Now we have to specify the monitoring privileges

# vim /etc/openldap/slapd.d/cn=config/olcDatabase={2}monitor.ldif

Again, we have to replace the default domain name with our domain name:

:%s/cn=manager,dc=my-domain,dc=com/cn=Manager,dc=yourdomain,dc=com/g

The vim search is case-sensitive, so match whatever spelling of "manager" the file actually contains; DN comparison itself is case-insensitive, so cn=manager and cn=Manager bind to the same entry.

Step 5: Now it's time for the Database Cache. Copy the example DB_CONFIG into the database directory. The documentation path carries the package version and differs between releases, so ask rpm where the file is first:

# rpm -ql openldap-servers | grep DB_CONFIG.example
# cp /usr/share/doc/openldap-servers-2.4.19/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
# chown -Rf ldap:ldap /var/lib/ldap/

Without a DB_CONFIG slapd still starts, but logs a BerkeleyDB warning about poor performance; everything under /var/lib/ldap must be owned by ldap or the service will fail to start even though slaptest passes.

Step 6: Now we will need to set up a certificate for TLS. First we need to edit /etc/sysconfig/ldap and change SLAPD_LDAPS from no to yes, so that slapd also listens on ldaps:// (port 636):

# vi /etc/sysconfig/ldap
SLAPD_LDAPS=yes

Now we can create the self-signed certificate and its key. Answer the prompts; the Common Name must be the host name clients will use to reach the server, otherwise TLS clients will refuse the certificate:

# openssl req -new -x509 -nodes -newkey rsa:2048 -out /etc/pki/tls/certs/slapdcert.pem -keyout /etc/pki/tls/certs/slapdkey.pem -days 365

This creates the certificate and the private key in the /etc/pki/tls/certs/ directory. slapd runs as the ldap user and must be able to read both; nobody else needs the key:

# chown root:ldap /etc/pki/tls/certs/slapdcert.pem /etc/pki/tls/certs/slapdkey.pem
# chmod 644 /etc/pki/tls/certs/slapdcert.pem
# chmod 640 /etc/pki/tls/certs/slapdkey.pem

Because the certificate is self-signed, clients (including ldapsearch -ZZ on this box) will not trust it until it is listed as TLS_CACERT /etc/pki/tls/certs/slapdcert.pem in /etc/openldap/ldap.conf.
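Steps 2 to 4, together with the TLS settings of this step, can also be applied through the cn=config interface instead of editing the files under slapd.d by hand, which is what Red Hat recommends. The script below is an added example, not a command from the original post: it generates one ldapmodify LDIF that sets the suffix, the Manager DN, the root password hash, the monitor ACL, the two TLS file names, and an access rule that keeps anonymous binds from reading userPassword (the stock bdb database has no olcAccess, so without such a rule every attribute is world-readable). It assumes slapd is already running with SLAPD_LDAPI=yes in /etc/sysconfig/ldap, so that root can bind as EXTERNAL over the ldapi:/// socket, and the stock RHEL6 layout with olcDatabase={1}bdb and olcDatabase={2}monitor; the domain, the hash and the file names are parameters.

```shell
#!/bin/sh
# Added example: build the cn=config changes of steps 2-4 (plus the TLS
# settings) as one LDIF and feed it to ldapmodify over ldapi:///.
# Assumes: slapd running, SLAPD_LDAPI=yes, stock RHEL6 olcDatabase={1}bdb.

# yourdomain.com -> dc=yourdomain,dc=com (works for any number of labels)
domain_to_dn() {
    printf '%s' "$1" |
        awk -F. '{ for (i = 1; i <= NF; i++) printf "%sdc=%s", (i > 1 ? "," : ""), $i }'
}

# $1 domain, $2 hash printed by slappasswd, $3 certificate file, $4 key file.
# Order matters: olcSuffix and olcRootDN are replaced before olcRootPW,
# because slapd refuses a rootpw whose rootdn is not under the suffix.
olc_config_ldif() {
    base=$(domain_to_dn "$1")
    mgr="cn=Manager,$base"
    cat <<EOF
dn: olcDatabase={1}bdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: $base
-
replace: olcRootDN
olcRootDN: $mgr
-
replace: olcRootPW
olcRootPW: $2
-
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn.exact="$mgr" write by self write by anonymous auth by * none
olcAccess: {1}to * by dn.exact="$mgr" write by * read

dn: olcDatabase={2}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="$mgr" read by * none

dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: $3
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: $4
EOF
}

# Apply as root through the local socket: SASL EXTERNAL maps the root
# process to the config rootdn, so no password travels anywhere.
apply_olc_config() {
    olc_config_ldif "$@" | ldapmodify -Q -Y EXTERNAL -H ldapi:///
}

# Usage: HASH=$(slappasswd)        # prompts on the terminal, prints the hash
#        sh olc-config.sh yourdomain.com "$HASH" \
#            /etc/pki/tls/certs/slapdcert.pem /etc/pki/tls/certs/slapdkey.pem
if [ $# -eq 4 ]; then
    apply_olc_config "$@"
fi
```

Run `olc_config_ldif` on its own first to review the LDIF; once applied, `ldapsearch -x -b dc=yourdomain,dc=com` from an anonymous bind must no longer return userPassword lines, which is the quickest check that the access rule took effect.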


Step 7: Time to test our configuration

# slaptest -u
config file testing succeeded

The -u flag checks the configuration without opening the databases. If slaptest complains about the certificate or key file, create them first (step 6) and run the test again.

Step 8: Start the ldap server

# service slapd start

Let's check if our ldap server really works:

# ldapsearch -x -b dc=yourdomain,dc=com

If you get "search: 2" followed by "result: 32 No such object", you're on track: the server answers, and the base entry simply does not exist yet (we add it in step 9). "ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)" instead means slapd is not running, or not listening where /etc/openldap/ldap.conf points; check "service slapd status" and /var/log/messages. If the service fails to start even though slaptest succeeded, the usual cause is ownership of /var/lib/ldap or /etc/openldap/slapd.d not being ldap:ldap.

Step 9: Configure the base domain

Create base.ldif in your working directory (the file does not exist yet; any directory will do, the ldapadd below reads it by relative path). Each entry is separated from the next by one empty line, there is exactly one space after each colon, and no trailing whitespace:

# vi base.ldif

dn: dc=yourdomain,dc=com
dc: yourdomain
objectClass: top
objectClass: domain

dn: ou=People,dc=yourdomain,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=yourdomain,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit

The dc attribute of the top entry is only the first label of the domain: for area.test.org the dn is dc=area,dc=test,dc=org and the line reads dc: area. Now we import our base information into the ldap directory, binding as the Manager with the password from step 2:

# ldapadd -x -W -D "cn=Manager,dc=yourdomain,dc=com" -f base.ldif

"ldap_bind: Invalid DN syntax (34)" at this point almost always means typographic quotes or other non-ASCII characters pasted from a web page into the command or the file; "ldap_bind: Invalid credentials (49)" means the olcRootDN/olcRootPW pair in bdb.ldif does not match the DN and password you typed. With -x the Manager password crosses the wire in the clear, so from anywhere but localhost add -ZZ to force StartTLS.

Step 10: Let's migrate the users

Go to the directory /usr/share/migrationtools and edit the file

# vim /usr/share/migrationtools/migrate_common.ph

Set:

# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "yourdomain.com";

# Default base
$DEFAULT_BASE = "dc=yourdomain,dc=com";

Then extract the local accounts with UIDs 500 to 599 (the regular users on a RHEL6 box), convert them and load them:

# grep ":5[0-9][0-9]:" /etc/passwd > passwd
# grep ":5[0-9][0-9]:" /etc/group > group
# ./migrate_passwd.pl passwd > users.ldif
# ./migrate_group.pl group > groups.ldif
# ldapadd -x -W -D "cn=Manager,dc=yourdomain,dc=com" -f users.ldif
# ldapadd -x -W -D "cn=Manager,dc=yourdomain,dc=com" -f groups.ldif

Do not rename ou=Group to ou=Groups in the group LDIF: base.ldif created ou=Group, and entries under ou=Groups fail with "No such object". Note that migrate_passwd.pl, run as root, copies the password hashes out of /etc/shadow into users.ldif as userPassword values, so that file is a credential file: keep it mode 0600 and delete it once the import succeeded.

Step 11: Testing the ldap server. We check if user mani exists:

# ldapsearch -x -b dc=yourdomain,dc=com "(uid=mani)"

If the entry comes back, you're done. Run the same search anonymously from another host as well: if it returns a userPassword line, the database has no olcAccess rule protecting that attribute (see slapd.access(5)) and the hashes are readable by everyone.
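Steps 9 and 10 as one script. This is an added example, not code from the post or from migrationtools: it builds base.ldif for a domain with any number of labels (so area.test.org becomes dc=area,dc=test,dc=org with dc: area), converts passwd and group lines into the same posixAccount and posixGroup entries that migrate_passwd.pl and migrate_group.pl produce, and refuses any LDIF containing non-ASCII bytes, which is what the typographic quotes behind the "Invalid DN syntax (34)" reports in the comments look like to ldapadd. Password hashes are deliberately not emitted. The passwd and group lines in the demo at the bottom are constructed for the example, and the ldapadd call is left as a comment because it needs the running server.

```shell
#!/bin/sh
# Added example: base.ldif generation, passwd/group -> LDIF conversion and a
# pre-flight check for non-ASCII bytes (typographic quotes) in LDIF files.

# area.test.org -> dc=area,dc=test,dc=org
domain_to_dn() {
    printf '%s' "$1" |
        awk -F. '{ for (i = 1; i <= NF; i++) printf "%sdc=%s", (i > 1 ? "," : ""), $i }'
}

# Top entry plus ou=People and ou=Group, one blank line between entries.
# The dc attribute is the first label only, not the whole domain.
make_base_ldif() {
    base=$(domain_to_dn "$1")
    printf 'dn: %s\ndc: %s\nobjectClass: top\nobjectClass: domain\n\n' "$base" "${1%%.*}"
    for ou in People Group; do
        printf 'dn: ou=%s,%s\nou: %s\nobjectClass: top\nobjectClass: organizationalUnit\n\n' \
            "$ou" "$base" "$ou"
    done
}

# passwd lines on stdin -> posixAccount entries under ou=People,$1.
# No userPassword is emitted: pull hashes from /etc/shadow separately and
# treat that LDIF as a credential file (mode 0600, delete after import).
passwd_to_ldif() {
    awk -F: -v base="$1" 'NF >= 7 {
        cn = ($5 == "") ? $1 : $5
        sub(/,.*/, "", cn)                     # keep the full name, drop office/phone
        printf "dn: uid=%s,ou=People,%s\n", $1, base
        printf "uid: %s\ncn: %s\n", $1, cn
        printf "objectClass: account\nobjectClass: posixAccount\nobjectClass: top\n"
        printf "loginShell: %s\nuidNumber: %s\ngidNumber: %s\nhomeDirectory: %s\n\n", $7, $3, $4, $6
    }'
}

# group lines on stdin -> posixGroup entries under ou=Group,$1
group_to_ldif() {
    awk -F: -v base="$1" 'NF >= 3 {
        printf "dn: cn=%s,ou=Group,%s\ncn: %s\nobjectClass: posixGroup\nobjectClass: top\ngidNumber: %s\n", $1, base, $1, $3
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") printf "memberUid: %s\n", m[i]
        printf "\n"
    }'
}

# Return 1 (printing the offending lines) if the file holds any byte outside
# printable ASCII plus whitespace; ldapadd reports such DNs as error 34.
check_ascii() {
    if LC_ALL=C grep -n '[^[:print:][:space:]]' "$1"; then
        return 1
    fi
    return 0
}

# Demo with constructed input. Usage: sh ldif-tools.sh yourdomain.com
if [ $# -eq 1 ]; then
    base=$(domain_to_dn "$1")
    make_base_ldif "$1" > base.ldif
    printf 'mani:x:500:500:Mani Tester,Room 1:/home/mani:/bin/bash\n' | passwd_to_ldif "$base" > users.ldif
    printf 'mani:x:500:\nstaff:x:501:mani\n' | group_to_ldif "$base" > groups.ldif
    for f in base.ldif users.ldif groups.ldif; do
        check_ascii "$f" || { echo "$f: non-ASCII bytes, fix before ldapadd" >&2; exit 1; }
    done
    # then: ldapadd -x -W -ZZ -D "cn=Manager,$base" -f base.ldif   (same for users, groups)
fi
```

Running check_ascii over a file you pasted from the browser before every ldapadd turns the opaque "Invalid DN syntax" into a line number; the same grep also catches non-breaking spaces, which look identical to ordinary ones in an editor.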

    Categories: Linux

    75 Responses so far.

Travis says: April 6, 2011 at 5:37 pm

Hey, this is a great posting. Thanks so much for taking the time to do this.

I do have one question though..

When I add "olcRootPW: {SSHA}..." as part of your instructions, I get the following message when I run the slaptest -u:

olcRootPW: value #0: can only be set when rootdn is under suffix

I can't see what I've missed. If I comment that line out of the olcDatabase={2}monitor.ldif the error goes away, but I of course can't authenticate either.

Any ideas?

laurent says: April 6, 2011 at 10:24 pm

Yes, the 3 lines

olcRootPW: {SSHA}r2or9f2vYlvieCu0LP6wTnSdYfrddsuV
olcTLSCertificateFile: /etc/pki/tls/certs/slapdcert.pem
olcTLSCertificateKeyFile: /etc/pki/tls/certs/slapdkey.pem

have to be added to the /etc/openldap/slapd.d/cn=config/olcDatabase={1}bdb.ldif file, not the olcDatabase={2}monitor.ldif.

Robert says: April 9, 2011 at 4:42 pm

Hi, thanks for the help. I've been looking for some help for a while. I'm stuck on a certain point. Where you import base information:

ldapadd -x -W -D cn=Manager,dc=yourdomain,dc=com -f base.ldif

I get an error:

Enter LDAP Password:
ldap_bind: Invalid DN syntax (34)
additional info: invalid DN

I don't know why I'm getting this error. I changed yourdomain to example, which is my domain.

Any help would be appreciated, thanks,
Rob

laurent says: April 11, 2011 at 6:35 pm

Hi Robert,

You have to pay attention to the syntax in the ldif file:

Here an example (dn:[whitespace] dc=domb,dc=net [ENTER], and [ENTER][ENTER] between entries):

dn: dc=domb,dc=net
dc: domb
objectClass: top
objectClass: domain

dn: ou=People,dc=domb,dc=net
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=domb,dc=net
ou: Group
objectClass: top
objectClass: organizationalUnit

Hope this helps to solve your problem. If not, post me your base.ldif

dave says: April 15, 2011 at 8:49 pm

hello, i finally found someone doing it on rhel6, thanks, but when i run the slaptest -u i get

thank you
dave

laurent says: April 18, 2011 at 3:50 am

create the ssl cert and run the test again. When you run the slaptest -u before creating the certificate you'll get that error.

James says: April 20, 2011 at 8:36 pm

Where can I find the official RHEL-6 document of the configuration of both LDAP server and client?

Thanks,
James

laurent says: April 21, 2011 at 2:44 am

You can find it at http://docs.redhat.com/docs/en-US/index.html

Eris says: April 25, 2011 at 5:17 am

Thank you very much for the post, and all of the others here too! I'm studying for the RHCE and although I have a good background with a lot of the material from working in webhosting for many years, LDAP is brand new to me and this was the simplest and most lucid tutorial I've yet found.

I do have one suggestion, and it may help others too. Please change the double quote characters in your example to use the plain ASCII character instead of the typographical open and close quote characters. Like Robert above, the ldapadd command initially gave me this error

ldap_bind: Invalid DN syntax (34)
additional info: invalid DN

It turned out to be the result of the UTF-8 open and close quote chars. I had to change the command from this

ldapadd -x -W -D “cn=Manager,dc=yourdomain,dc=com” -f base.ldif

to this

ldapadd -x -W -D "cn=Manager,dc=yourdomain,dc=com" -f base.ldif

(And I hope WordPress doesn't auto change those quotes on me! The second line should have the non-curved typewriter double quote symbol from the ASCII set.)

Eris says: April 25, 2011 at 5:18 am

Hmpf. WordPress changed the quotes on me automatically.

Lyndon says: May 1, 2011 at 9:01 am

Thank you very much for the detailed instruction! When I restarted slapd, I met the following issue:

Checking configuration files for slapd: [FAILED]
PROXIED attributeDescription DC inserted.

no other files should be kept within this cn=config besides the slapd generated ldifs.

ramakrishna says: May 31, 2011 at 6:02 am

hi
Thank you so much. I been trying so long time with like old ldap configuration. Finally I got through you. Thanking you lot
Thanks
Ramakrishna

JD says: June 29, 2011 at 12:28 am

# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1

After step #ldapsearch -x -b dc=yourdomain,dc=com

Also, I am not finding the following file to configure:
Step 9: Configure the base domain

#vi base.ldif

Where is this config file located at?

Any help would be great.

sridhar says: June 30, 2011 at 10:38 am

plz tell me where is the error

dn: dc=sridhar,dc=net
dc: sridhar
objectClass: top
objectClass: domain

dn: ou=People,dc=sridhar,dc=net
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=sridhar,dc=net
ou: Group
objectClass: top
objectClass: organizationalUnit

sridhar says: June 30, 2011 at 10:53 am

type ls from where you first typed vi base.ldif

JD

venku says: July 6, 2011 at 12:37 pm

Plz tell me how I can add a new custom attribute which is not included presently to this OpenLDAP server of RHEL 6. I would like to extend the schema of the same.

Nolan says: July 18, 2011 at 3:55 pm

Hello, First of all thank you for the tutorial.

Running into a similar issue as the first comment. I have only added the 3 lines:

olcRootPW: {SSHA}my-hash
olcTLSCertificateFile: /etc/pki/tls/certs/slapdcert.pem
olcTLSCertificateKeyFile: /etc/pki/tls/certs/slapdkey.pem

To the end of: /etc/openldap/slapd.d/cn=config/olcDatabase={1}bdb.ldif

And I get the error:

[root@directory ~]# slaptest -u
olcRootPW: value #0: can only be set when rootdn is under suffix
config error processing olcDatabase={1}bdb,cn=config: can only be set when rootdn is under suffix
slaptest: bad configuration file!

Not sure what's up and don't know what else to change. Thanks !

Nolan says: July 18, 2011 at 4:45 pm

Solved it, quotes around hash helped.

Jorell says: July 22, 2011 at 11:33 am

I just have to say thank you for this how-to

I only had to do one thing differently:

chown -f root:ldap /etc/pki/tls/certs/slapdcert.pem /etc/pki/tls/certs

sangita says: July 25, 2011 at 1:15 pm

I am trying on my localhost with dc=test,dc=com

however LDAPSEARCH gave the following output:

ldapsearch -x -b dc=test,dc=com

which gave me the error as below:

ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

here I have added localhost and it gave me the following output:

ldapsearch -x -h localhost -b dc=test,dc=com

# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1

Am I correct here?

I have created the base.ldif and tried the ldapadd command as:

ldapadd -x -h 127.0.0.1 -D cn=Manager,dc=test,dc=com -W -f base.ldif
ldapadd -x -h localhost -D cn=Manager,dc=test,dc=com -W -f base.ldif
ldapadd -x -h -D cn=Manager,dc=test,dc=com -W -f base.ldif

with the password which was generated with the command

#slappasswd

This gives the error:
ldap_bind: Invalid credentials (49)

What is wrong ? Please help!!!!

Stas says: July 28, 2011 at 7:03 am

Thank you for this how-to. Everything works.
NOTE: Do not directly copy text of this how-to, better you enter the text on a new

Abhinav says: August 3, 2011 at 8:54 am

I am not able to find the DB_CONFIG file in the openldap-servers path
#cp /usr/share/doc/openldap-servers-2.4.19/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

AND
Please tell me the location of the base.ldif file

mohit says: August 8, 2011 at 1:55 pm

Please tell me the location of the base.ldif file

shashank agarwal says: August 9, 2011 at 11:58 am

i have done all steps up to step 7 and all are working fine, but when i start the slapd service it fails. when i start the slapd service the 1st time it shows me the warning:

suffix of DB_CONFIG file has changed, performing data base recovery to apply new settings
dbb_db_open: database dc=example.com,dc=com: recovery skipped in read only mode. run manual recovery if error persists
config file testing succeeded.

starting slapd: [Failed]

and it shows service failed whenever i start the service. please help

Robeto Mason says: August 10, 2011 at 5:29 pm

Thanks for the tutorial. I'm not proficient with Openldap. This is the first time I'm trying to implement it at home. I'm running Centos 6.0. I'm stuck on step #9. When I do the I get the following error

ldap_bind: Invalid credentials (49)

where do u think I may have gone wrong?

Thanks

Roberto Mason says: August 10, 2011 at 5:32 pm

Sorry, had to repost

Thanks for the tutorial. I'm not proficient with Openldap. This is the first time I'm trying to implement it at home. I'm running Centos 6.0. I'm stuck on step #9. When I do the

# ldapadd -x -W -D cn=Manager,dc=rmasonfamily,dc=info -f /root/base.ldif

I get the following error

ldap_bind: Invalid credentials (49)

where do u think I may have gone wrong?

Thanks

sandy says: August 10, 2011 at 6:27 pm

Hey, can anyone help me to build my ldapserver after slaptest -u. I have successfully tested my slaptest -u option, but as I start my slapd daemon it fails, neither it stops nor starts. And I want to inform that my eth0 is also creating a problem, I can't configure a Static IP, it fails after service network restart. I am using a COMPAQ CQ 40 series laptop and RHEL 6.0. Plz help me.

Anonymous says: August 12, 2011 at 4:54 am

what is wrong with my configuration? please see message below. tnx

#ldapadd -x -W -D cn=Manager,dc=ncfs -f ncfs.ldif
Enter LDAP Password:
ldap_bind: Invalid DN syntax (34)
additional info: invalid DN

My ldif file:
==============
dn: dc=ncfs
dc: ncfs
objectClass: top
objectClass: domain

dn: ou=People,dc=ncfs
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=ncfs
ou: Group
objectClass: top
objectClass: organizationalUnit

Aik Zu Shyong says: August 18, 2011 at 6:29 am

For those of you with errors:
PROBLEM
ldap_bind: Invalid credentials (49)

-SOLUTION/TROUBLESHOOTING-
Use ldapsearch in debug mode to identify the issue:
No encryption:
# ldapsearch -x -b dc=yourdomain,dc=net -d -1
With TLS:
# ldapsearch -x -b dc=yourdomain,dc=net -ZZ -d -1

One add-on to Laurent's entry if you use a self-signed Certification. Remember to add the below line as well to bdb.ldif:

olcTLSCertificateFile: /etc/pki/tls/certs/slapdcert.pem

Otherwise, you will get complaints about the self-signed certificate.

Toomas says: August 21, 2011 at 12:15 pm

It seems there's a typo:

dn: ou=Group,dc=yourdomain,dc=net
ou: Group
objectClass: top
objectClass: organizationalUnit

as later Group is replaced with Groups. Anyway, I've got an error with the plural and passed through with the singular.

vipin singhal says: August 23, 2011 at 11:54 am

Hi, thanks for telling us the configuration of the openldap server for RHEL 6. I have done all that you have written in this blog and my openldap service has started, but
Can you tell me how i can integrate openldap with Samba as a PDC for RHEL 6?

rumbi says: May 8, 2012 at 10:24 am

Did you manage to successfully configure samba with the ldap backend? I am looking for a solution to this.

If anyone has a solution please share

Ali says: August 24, 2011 at 11:30 pm

Hi, Thanks so much bro for this, helped me a lot. Regarding the fact that redhat has explicitly mentioned not manually editing the ldif files (http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/ch-Directory_Servers.html#s2-ldap-configuration), is there a neater way to do this using commands?

Simon Brennan says: August 26, 2011 at 12:42 am

This is an excellent article, thanks for taking the time to write it. I had built LDAP domains in CentOS 5 a number of times, but the new configuration layout threw me.

Thanks!

Shout out for a great CentOS 6 LDAP Server setup blog | Myblog Nodeofcrash.com says: August 26, 2011 at 2:00 am

[...] There is a great article here on how to set it up, kudos to the Author! http://www.salsaunited.net/blog/?p=74 [...]

Dhamu says: August 29, 2011 at 9:47 am

When trying to add the ldap, I am getting the error.

ldapadd -x -W -D cn=Manager,dc=rhceldap,dc=com -f base.ldif
Enter LDAP Password:
ldap_bind: Invalid credentials (49)

where is the location of the base.ldif file?..

Thanks in advance..

Dhamu says: August 29, 2011 at 10:13 am

ldap_bind: Invalid credentials (49)

got solved by adding

URI ldap://192.168.0.4/
BASE dc=rhceldap,dc=com
TLS_CACERTDIR /etc/openldap/cacerts

in /etc/openldap/ldap.conf

phani says: September 2, 2011 at 5:21 am

This is great, Thanks

Jane says: September 5, 2011 at 5:17 am

A question on base.ldif.

The example for base.ldif is always dc=yourdomain,dc=com. But the dc assigned to me at work is dc=area,dc=test,dc=org (my domain is area.test.org).

How would my base.ldif look like? What do I use on the dc:?

dn: dc=area,dc=test,dc=org
dc: ????
objectClass: top
objectClass: domain

Thanks!

flemin says: September 8, 2011 at 7:37 am

Great posting, Thank you

I configured LDAP as described above, i didn't get any errors, but when i start the LDAP service it fails .. i couldn't figure out the error. When i checked the certificate folder /etc/pki/tls/certs i couldn't find any certificates generated. So can you help me in this case

Thank you

Islam Eldib says: September 11, 2011 at 9:53 pm

I get the following error when I try and do a slaptest -u

slaptest -u
database init failed (monitor)
olcDatabase: value #0: only one monitor database allowed (monitor)
config error processing olcDatabase={1}monitor,cn=config: only one monitor database allowed
slaptest: bad configuration file!

Can anyone help out ?

Toomas says: September 24, 2011 at 11:30 am

My five cents in addition to this very helpful howto:

Add

TLS_CACERT /etc/pki/tls/certs/slapdcert.pem

to ldap.conf.

Otherwise, running a request with TLS

ldapsearch -x -b dc=yourdomain,dc=net -ZZ

you'll get a Self-signed certificate error.

srikanth says: September 26, 2011 at 10:10 am

I got the following error

srikanth says: September 26, 2011 at 10:16 am

lol.. I got it, I made a silly mistake.. when i redirected that password, i forgot to remove the "New Password:" and "Re-enter new password:" lines.. what a silly mistake i made.

Randy Larson says: October 2, 2011 at 5:32 pm

Excellent posting. I teach Linux at a local community college and after reading some of the postings I suspect some of the above users are copying and pasting your text into their config files. This changes the formatting and will give them errors; even the command dos2unix will not always fix this. There is one typo that may throw a newbie off: you have "service sladp start". Like me, you probably have large fingers. Thanks again for supporting the community.
Kind regards,
Randy

rumbi says: October 3, 2011 at 11:12 am

Thank you so much for an easy to follow guide. I have installed and configured openldap on my rhel6 server and would want to use FreeRadius with openldap. The two are working well separately and I would now like to set them up such that users can connect through Freeradius and authenticate on an openldap backend. Can you point me to documentation for doing this on rhel6? The documentation that i am currently getting refers to a different version and I have configuration files (unedited) that are completely different from what I am referred to. I understand that RHEL has a different radius configuration file and I would want to know how to configure freeradius to use openldap for authentication.

Dhiraj Dwarapudi says: October 4, 2011 at 1:49 am

@Abhinav

On RHEL 6 the DB_CONFIG.example file is located at /usr/share/DB_CONFIG.example

rumbi says: October 6, 2011 at 1:10 pm

Ok, to answer my own question, the authentication and authorisation modules are in the modules directory. Another question, is there anyone who knows where documentation for rhel6 is?

Sohail says: October 8, 2011 at 2:19 pm

Thank you for putting out this step by step guide. Without it, it is almost impossible to get openLDAP set up with RHEL6. You should consider contributing this piece to the openldap project, as there are many people who might be able to save time using this.

I had to change dc=com from dc=net in base.ldif because I was getting an error when using dc=net.

Thanks again.

Amit Saha says: October 12, 2011 at 5:40 am

#slaptest -u
config file testing succeeded

NEXT. And the ERROR I am getting down there is as:

[root@newspeak openldap]# ldapadd -x -W -D cn=Manager,dc=newspeak,dc=org -f base.ldif
Enter LDAP Password:
ldap_bind: Invalid DN syntax (34)
additional info: invalid DN

NEXT, GOT ERROR -

#vi base.ldif
dn: dc=newspeak,dc=org
dc: newspeak
objectClass: top
objectClass: domain

dn: ou=People,dc=newspeak,dc=org
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=newspeak,dc=org
ou: Group
objectClass: top
objectClass: organizationalUnit

NEXT
#vim /etc/openldap/slapd.d/cn=config/olcDatabase={1}bdb.ldif
dn: olcDatabase={1}bdb
objectClass: olcDatabaseConfig
objectClass: olcBdbConfig
olcDatabase: {1}bdb
olcSuffix: dc=newspeak,dc=org
olcAddContentAcl: FALSE
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcRootDN: cn=Manager,dc=newspeak,dc=org
olcMonitoring: TRUE
olcDbDirectory: /var/lib/ldap
olcDbCacheSize: 1000
olcDbCheckpoint: 1024 15
olcDbNoSync: FALSE
olcDbDirtyRead: FALSE
olcDbIDLcacheSize: 0
olcDbIndex: objectClass pres,eq
olcDbIndex: cn pres,eq,sub
olcDbIndex: uid pres,eq,sub
olcDbIndex: uidNumber pres,eq
olcDbIndex: gidNumber pres,eq
olcDbIndex: mail pres,eq,sub
olcDbIndex: ou pres,eq,sub
olcDbIndex: loginShell pres,eq
olcDbIndex: sn pres,eq,sub
olcDbIndex: givenName pres,eq,sub
olcDbIndex: memberUid pres,eq,sub
olcDbIndex: nisMapName pres,eq,sub
olcDbIndex: nisMapEntry pres,eq,sub
olcDbLinearIndex: FALSE
olcDbMode: 0600
olcDbSearchStack: 16
olcDbShmKey: 0
olcDbCacheFree: 1
olcDbDNcacheSize: 0
structuralObjectClass: olcBdbConfig
entryUUID: 629b5454-88cd-1030-94b4-5b8c5298a3ff
creatorsName: cn=config
createTimestamp: 20111012032406Z
entryCSN: 20111012032406.106705Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20111012032406Z
olcRootPW: {SSHA}eCf/UCxBWzZuWc0Dd/mkW+jlaXxy++RF
olcTLSCertificateFile: /etc/pki/tls/certs/slapdcert.pem
olcTLSCertificateKeyFile: /etc/pki/tls/certs/slapdkey.pem

NEXT
#vim /etc/openldap/slapd.d/cn=config/olcDatabase={2}monitor.ldif
dn: olcDatabase={2}monitor
objectClass: olcDatabaseConfig
olcDatabase: {2}monitor
olcAccess: {0}to * by dn.base="cn=Manager,dc=newspeak,dc=org" read by * none
olcAddContentAcl: FALSE
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcMonitoring: FALSE
structuralObjectClass: olcDatabaseConfig
entryUUID: 629b5a62-88cd-1030-94b5-5b8c5298a3ff
creatorsName: cn=config
createTimestamp: 20111012032406Z
entryCSN: 20111012032406.106705Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20111012032406Z

Can anyone help regarding the same??? Thanks in advance!!

Amit Saha says: October 12, 2011 at 10:09 am

I found the problem later. It was a back quote (`). It is working now. Thank you very much Mr. Laurent. Good post!!!

Deval says: November 1, 2011 at 7:28 am

hey
thank you for the wonderful guide
but i'm getting the following error while ldapsearch

ldapsearch -x -b dc=example,dc=com
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

please help me..

    Mansoor Md says:March 31, 2012 at 4:21 am

    RHEL 6.0 Documentation

    System name: ldap.example.comDomain name: example.comSystem IP: 192.168.1.250Step #1. Requirementscompat-openldapopenldap-clientsopenldap-developenldap-serversmigrationtoolsYou can install them using the command:

    48.

    RHEL6 openldap server : Laurent Domb OSS Blog http://blog.domb.net/?p=74

    24 of 39 8/26/2013 10:17 AM

  • yum install *openldap* migrationtools

    Step #2. Create LDAP root user password[root@ldap ~]# slappasswdNew password:Re-enter new password:{SSHA}cWB1VzxDXZLf6F4pwvyNvApBQ8G/DltW[root@ldap ~]# mkdir -m 700 /var/lib/ldap/example.com[root@ldap ~]# cp /usr/share/doc/openldap-servers-2.4.19/DB_CONFIG.example /var/lib/ldap/DB_CONFIG[root@ldap ~]# chown -Rvf ldap:ldap /var/lib/ldap/

    Step #3. Update /etc/openldap/slapd.conf for the root password[root@ldap ~]# cp /etc/openldap/slapd.conf.bak /etc/openldap/slapd.conf[root@ldap ~]# vim /etc/openldap/slapd.confEsc :%s/my-domain/example/g Enter. Check the below lines same as in config filedatabase bdbsuffix dc=example,dc=comrootdn cn=Manager,dc=example,dc=comrootpw {SSHA}cWB1VzxDXZLf6F4pwvyNvApBQ8G/DltW

    Step #4. vim /usr/share/migrationtools/migrate_common.ph change padl to exampleEsc :%s/padl/example/g & check the below line(71 & 74) is same in config$DEFAULT_MAIL_DOMAIN = example.comm;$DEFAULT_BASE = dc=example,dc=com;

    Step # 5. Create a domain ldif file (/etc/openldap/example.com.ldif)[root@ldap ~]# vim /etc/openldap/example.com.ldifdn: dc=example,dc=comdc: exampledescription: LDAP AdminobjectClass: dcObjectobjectClass: organizationalUnitou: rootobject

    dn: ou=People, dc=example,dc=comou: peopledescription: Users of exampleobjectClass: organizationalUnit

    dn: ou=Group, dc=example,dc=comou: Groupdescription: Groups of example

    RHEL6 openldap server : Laurent Domb OSS Blog http://blog.domb.net/?p=74

    25 of 39 8/26/2013 10:17 AM

  • objectClass: organizationalUnitStep# 6 create a new config files using slaptest command1. Delete all files in directory /etc/openldap/slapd.d/ with the command[root@ezylinux ~]# rm -rf /etc/openldap/slapd.d/*2. Run slaptest for test the configuration file and create new configuration in directory /etc/openldap/slapd.d/.[root@ezylinux ~]# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d3. Set permissions for a new configuration file.[root@ezylinux ~]# chown -R ldap:ldap /etc/openldap/slapd.d[root@ezylinux ~]# chmod -R 000 /etc/openldap/slapd.d[root@ezylinux ~]# chmod -R u+rwX /etc/openldap/slapd.d

    # service slapd restart (if any warning provide permission as chown ldap:ldap /var/lib/ldap Rvf or chown ldap:ldap /etc/openldap/slapd.d)

    Step # 7. Import all users in to the LDAPAdd the Domain ldif file[root@ldap ~]# ldapadd -x -D cn=Manager,dc=example,dc=com -W -f /etc/openldap/example.com.ldifEnter LDAP Password:adding new entry dc=example,dc=comadding new entry ou=People, dc=example,dc=comadding new entry ou=group, dc=example,dc=com[root@ldap ~]#

    Add the users:[root@ldap ~]# mkdir /ldaphome[root@ldap ~]# useradd u 1000 -d /ldaphome/testusr testusr[root@ldap ~]# passwd testusrChanging password for user testusr.New UNIX password:Retype new UNIX password:passwd: all authentication tokens updated successfully.

    Step # 8. Migrate local users to LDAP[root@ldap ~]# grep testusr /etc/passwd > /etc/openldap/passwd.testusr[root@ldap ~]# grep testusr /etc/group > /etc/openldap/group.testusr

    [root@ldap ~]# /usr/share/migrationtools/migrate_passwd.pl /etc/openldap/passwd.testusr /etc/openldap/testusr.ldif[root@ldap ~]# /usr/share/migrationtools/migrate_group.pl /etc/openldap/group.testusr /etc/openldap/testusr-group.ldifSetp# 9 Adding users & groups into Ldap server[root@ldap ~]# ldapadd -x -D cn=Manager,dc=example,dc=com -W -f /etc/openldap/testusr.ldifEnter LDAP Password:adding new entry uid=ldapuser1,ou=People,dc=example,dc=com

    RHEL6 openldap server : Laurent Domb OSS Blog http://blog.domb.net/?p=74

    26 of 39 8/26/2013 10:17 AM

  • [root@ldap ~]# ldapadd -x -D cn=Manager,dc=example,dc=com -W -f /etc/openldap/testusr-group.ldifEnter LDAP Password:adding new entry uid=ldapuser1,ou=Group,dc=example,dc=com

    Step # 10. Test LDAP ServerIt prints all the user information:[root@ldap ~]# ldapsearch -x -b dc=example,dc=com (objectclass=*)

    Step# 11 NFS for ldapuser home share:#yum install nfs-utils#service rpcbind restart

    Vim /etc/exports/ldaphome *(rw,sync)#Chkconfig nfs on#Service nfs restart

    Home directory creation on the LDAP server (optional)

    Reference from: http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch31_:_Centralized_Logins_Using_LDAP_and_RADIUS#Create_The_Home_Directory_For_ldapuser_On_The_LDAP_Client

    [root@smallfry tmp]# mkdir /ldaphome/wml
    [root@smallfry tmp]# chmod 700 /home/ldaphome/wml
    [root@smallfry tmp]# cp /etc/skel/.* /home/ldaphome/wml
    cp: omitting directory `/etc/skel/.'
    cp: omitting directory `/etc/skel/..'
    cp: omitting directory `/etc/skel/.kde'
    [root@smallfry tmp]# chown -R wml:group /home/ldaphome/wml
    [root@smallfry tmp]#

    2.0. Step-by-step OpenLDAP Installation and Configuration of the Client System
    LDAP Client Configuration

    Step # 1. Installation
    [root@ldapclient ~]# yum install nss-pam-ldapd nfs-utils autofs
    Step # 2. Autofs configuration
    [root@ldapclient ~]# vim /etc/auto.master
    Add the line below at the end:
    /ldaphome /etc/auto.misc --timeout=60
    [root@ldapclient ~]# vim /etc/auto.misc
    Add the line below at the end:
    * -rw,soft,intr 192.168.1.250:/ldaphome/&


    [root@ldapclient ~]# service autofs stop
    [root@ldapclient ~]# service autofs start
    [root@ldapclient ~]# service autofs reload
    [root@ldapclient ~]# service autofs restart
    [root@ldapclient ~]# service nfs restart

    Step# 3 Settings ldap configuration
    [root@ldapclient ~]# setup

    Step #3. Settings
    [*] Use LDAP
    [*] Use LDAP Authentication
    [Both should be checked]
    Click Next.
    [ ] Use TLS
    Server: ldap.example.com
    Base DN: dc=example,dc=com
    Click Ok to confirm.
    OR
    [root@ldapclient ~]# vim /etc/openldap/ldap.conf
    URI ldap://ldap1.example.com
    BASE dc=example,dc=com

    [root@ldapclient ~]# vim /etc/nsswitch.conf
    passwd: files ldap
    shadow: files ldap
    group: files ldap
    netgroup: files ldap
    automount: files ldap

    # chkconfig nfs on
    # chkconfig autofs on
    # chkconfig rpcbind on
    [root@ldapclient ~]# vim /etc/nslcd.conf
    uid nslcd
    gid ldap
    uri ldap://ldap1.example.com
    base dc=example,dc=com
    ssl no
    tls_cacertdir /etc/openldap/cacerts
    [root@ldapclient ~]# vim /etc/pam_ldap.conf
    Comment out #host 127.0.0.1
    base dc=example,dc=com


    uri ldap://ldap1.example.com
    ssl no
    tls_cacertdir /etc/openldap/cacerts
    pam_password md5

    Reply
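The client steps above leave /etc/nslcd.conf at `ssl no` with a plain ldap:// URI, and the setup tool with [ ] Use TLS unchecked. The audit below is an added example, not code from the blog post or from the comment: it parses an nslcd.conf and reports the URIs over which simple binds, and therefore users' passwords, would cross the network unencrypted; the sample configuration is constructed from the values shown above.

```python
# Added example (not the blog's or the commenter's code): flag nslcd.conf settings
# under which PAM bind passwords would cross the network in clear text.

# Constructed sample mirroring the client settings shown above.
SAMPLE_NSLCD_CONF = """uid nslcd
gid ldap
uri ldap://ldap1.example.com
base dc=example,dc=com
ssl no
tls_cacertdir /etc/openldap/cacerts
"""

OFF = {"off", "no", "false", "0"}        # spellings nslcd accepts for a false boolean

def parse_nslcd_conf(text):
    """nslcd.conf is one 'keyword value' per line; keywords like uri may repeat,
    so each keyword maps to a list of values."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if line:
            key, _, value = line.partition(" ")
            conf.setdefault(key.lower(), []).append(value.strip())
    return conf

def transport_findings(conf):
    """Return findings; an empty list means every URI is protected by TLS."""
    findings = []
    ssl = conf.get("ssl", ["off"])[0].lower()
    for uri in conf.get("uri", []):
        scheme = uri.split(":", 1)[0].lower()
        if scheme in ("ldaps", "ldapi"):
            continue                          # TLS from the first byte / local socket
        if scheme == "ldap" and ssl not in OFF:
            continue                          # 'ssl on' wraps the connection, start_tls upgrades it
        findings.append("%s with 'ssl %s': simple binds cross the network in clear text" % (uri, ssl))
    reqcert = conf.get("tls_reqcert", ["demand"])[0].lower()
    if ssl not in OFF and reqcert in ("never", "allow"):
        findings.append("tls_reqcert %s: server certificate is not verified" % reqcert)
    return findings

def audit_nslcd_conf(text):
    """Parse and audit one nslcd.conf; returns the list of findings."""
    return transport_findings(parse_nslcd_conf(text))
```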

    Olivier says: April 30, 2012 at 8:26 am

    Hello Laurent,

    Here is my monitor section :

    cat /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}monitor.ldif

    dn: olcDatabase={2}monitor,cn=config
    objectclass: olcDatabaseConfig
    olcaccess: {0}to * by dn.exact="cn=Manager,dc=exemple,dc=fr" by * none
    olcaddcontentacl: FALSE
    olcdatabase: {2}monitor
    olclastmod: TRUE
    olcmaxderefdepth: 15
    olcmonitoring: FALSE
    olcreadonly: FALSE
    olcsyncusesubentry: FALSE

    slapd runs and responds:
    ldapsearch -x -D cn=Manager,dc=exemple,dc=fr -W -b olcDatabase={2}monitor,cn=config -s base 1.1

    # {2}monitor, config
    dn: olcDatabase={2}monitor,cn=config

    # search result
    search: 2
    result: 0 Success

    However I can't get any monitoring information:

    $ ldapsearch -x -D cn=Manager,dc=exemple,dc=fr -W -b cn=Monitor -s base 1.1


    # search result
    search: 2
    result: 32 No such object

    Would you have any advice to use openldap monitoring abilities?

    # cat /etc/issue
    Red Hat Enterprise Linux Server release 6.2 (Santiago)

    openldap-servers-2.4.23-20.el6.x86_64

    # slapd -VVV
    @(#) $OpenLDAP: slapd 2.4.23 (Oct 4 2011 07:43:22)
    [email protected]:/builddir/build/BUILD/openldap-2.4.23/openldap-2.4.23/build-servers/servers/slapd

    Thanks !

    Reply

    manny says: May 25, 2012 at 6:35 am

    hi,

    You really did your best and I was successful through your steps. The thing was, I don't find any /usr/share/migration folder on my server. Mine is rhel-64bit.

    I don't know why it was not there. ldap search is fine, ok,

    please help me finish the last 2 steps

    thank you.

    Reply


    leolinux says: June 2, 2012 at 1:50 am

    # yum install migrationtools

    will install the directory and other useful scripts inside

    Reply


    Glen says: June 19, 2012 at 5:14 am

    It works, good posts, thanks a lot! From China~

    Reply


    Akhil says: June 29, 2012 at 7:57 am

    slaptest -u
    PROXIED attributeDescription DC inserted.

    Thank you for all your help, I have configured the ldap server successfully by following this guide.

    Now my next question is how to move it into production environment where users can login on this ldap server.

    I am configuring DNS with my domain on this server as well.

    When I am trying to access this server by using the above url ldap://192.168.0.6:389 it is not processing further. Can you please tell me why?

    Reply

    shankar says: July 10, 2012 at 5:22 am

    Thanks, very helpful.

    I am configuring postfix+squirrelmail+dovecot with openldap on RHEL6.1_64 bit.

    Kindly help me to get the rh-mail.schema.

    Thanks,
    Shankar

    Reply

    Priyank says: July 15, 2012 at 4:06 pm

    hello,

    Thanks for your help in providing steps to configure an LDAP server in RHEL6. Everything seems to be working, but I am not able to log in to the client machine using the ldap server. Can anyone please help me with how I can do it?

    My email address is [email protected]; please, if possible, reply to me there or here.

    Reply


    ping says: July 23, 2012 at 11:53 am

    Hi,

    I went through the steps and it is working. The clients I set up with the command


    authconfig --disablenis --enablemkhomedir --enableshadow --enablelocauthorize --enableldap --ldapserver=10.24.0.55 --enablemd5 --ldapbasedn=dc=mydomain,dc=com --updateall

    The clients are able to authenticate the logins. But if a user is added or an existing user's passwd is changed, that user is unable to log in with the new password. What could be the issue please? Any help would be greatly appreciated, as I am a newbie.

    thanks

    Ping

    Reply

    German Rosero says: August 23, 2012 at 2:36 pm

    Hello, I am getting the following errors when I start the slapd service:

    service slapd start
    Checking configuration files for slapd: [FAILED]
    olcRootPW: value #0: can only be set when rootdn is under suffix
    config error processing olcDatabase={2}bdb,cn=config: can only be set when rootdn is under suffix
    slaptest: bad configuration file!

    But, if I remove the lines that contain olcRootPW, olcTLSCertificateFile and olcTLSCertificateKeyFile the service starts fine.

    I have CentOS release 6.3 and OpenLDAP: slapd 2.4.23

    Thanks for your help,
    G

    Reply
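The message quoted in the comment states the rule slapd enforces: olcRootPW is accepted only when the rootdn lies under the database suffix. One way to end up there is Step 2's substitution rewriting the rootdn while the olcSuffix in olcDatabase={1}bdb.ldif still carries the package default. The check below is an added example, not code from the blog post or from OpenLDAP; it parses a cn=config database LDIF (a constructed sample is embedded) and reports a rootdn/suffix mismatch as well as a clear-text olcRootPW.

```python
# Added example (not the blog's or OpenLDAP's code); the sample LDIF below is constructed.
import base64
import re

# Constructed sample: suffix left at the package default, rootdn rewritten for the
# new domain, so the rootdn is not under the suffix (the error quoted above).
SAMPLE_BDB_LDIF = """dn: olcDatabase={1}bdb
olcDatabase: {1}bdb
olcSuffix: dc=my-domain,dc=com
olcRootDN: cn=Manager,dc=yourdomain,dc=com
olcRootPW: {SSHA}r2or9f2vYlvieCu0LP6wTnSdYfrddsuV
"""

def parse_ldif_entry(text):
    """One LDIF entry -> {attribute_lowercased: [values]}; joins folded
    continuation lines and decodes base64 ('::') values."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # folded line continues the previous one
        elif raw and not raw.startswith("#"):
            logical.append(raw)
    attrs = {}
    for line in logical:
        m = re.match(r"([A-Za-z][\w;-]*)(::?) ?(.*)$", line)
        if m:
            value = m.group(3)
            if m.group(2) == "::":
                value = base64.b64decode(value).decode("utf-8")
            attrs.setdefault(m.group(1).lower(), []).append(value)
    return attrs

def rdns(dn):  # RDN list normalised for comparison; escaped commas are not handled
    return [rdn.strip().lower() for rdn in dn.split(",")]

def rootdn_under_suffix(rootdn, suffix):
    """True when the rootdn equals the suffix or lies beneath it."""
    r, s = rdns(rootdn), rdns(suffix)
    return len(r) >= len(s) and r[-len(s):] == s

def check_database_config(ldif_text):
    """Return findings for the database entry; an empty list means it is consistent."""
    attrs = parse_ldif_entry(ldif_text)
    suffix, rootdn = attrs.get("olcsuffix", [None])[0], attrs.get("olcrootdn", [None])[0]
    rootpw = attrs.get("olcrootpw", [None])[0]
    findings = []
    if suffix and rootdn and not rootdn_under_suffix(rootdn, suffix):
        findings.append("olcRootDN %s is not under olcSuffix %s" % (rootdn, suffix))
    if rootpw is not None and not re.match(r"\{[A-Za-z0-9-]+\}", rootpw):
        findings.append("olcRootPW is clear text; use the {SSHA} value from slappasswd")
    return findings
```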


    Abhisek says: August 28, 2012 at 10:50 am

    Hi, thanks a lot for this tutorial, it has been very helpful!
    I had a small question: why do we need this command:
    sed -e s/ou=Group/ou=Groups/g group.ldif > groups.ldif

    I think this will replace ou=Group with ou=Groups, but in the base.ldif, we are using:


    dn: ou=Group,dc=yourdomain,dc=net

    Please let me know!

    Thanks again!
    Abhisek

    Reply

    vamsikrishna says: October 13, 2012 at 1:39 am

    Hi, thanks for the help. I've been looking for some help for a while. I'm stuck on a certain point, where you import the base information:

    dn: dc=example,dc=com
    dc: example
    objectClass: top
    objectClass: example

    dn: ou=Administration,dc=example,dc=com
    ou: Adninistration
    objectClass: top
    objectClass: Administration

    dn: ou=Group,dc=example,dc=com
    ou: Group
    objectClass: top
    objectClass: organizationalUnit

    Error:
    #ldapadd -x -W cn=manager,dc=example,dc=com -f base.ldif
    Enter LDAP Password:
    ldap_bind: Invalid credentials (49)

    My ldap details:

    MY DOMAIN IS: example.com
    ORGANIZATION UNIT NAME: administration
    Ldap password is: password

    Please give me the solution to this error.

    Reply

    ram says: March 5, 2013 at 6:12 am

    If I run ldapsearch -x -b dc=example,dc=com

    I got search result 2, then I got 34 dn syntax error. Give me the solution.

    Reply


    tom says: April 16, 2013 at 3:27 pm

    I get the 34 dn syntax error from the wrong type of double quotes.

    Reply

    OPENLDAP Invalid Credentials Issue says: May 23, 2013 at 8:09 am

    [...] [...]

    Reply

    OPENLDAP Invalid Credentials Issue says: May 23, 2013 at 10:05 am

    [...] ldap://10.205.21.76/ ~ I have followed the below link.. Please help me to resolve this issue.. http://blog.domb.net/?p=74 I have set the password to secret then also am facing the problem.. [root@ip-10-205-21-76 [...]

    Reply

    imports says: May 30, 2013 at 11:30 am

    Nice post. I was checking this blog continuously and I am impressed! Very useful info, particularly the last part; I care for such info much. I was seeking this particular information for a long time. Thank you and good luck.

    Reply

    sunil says:

    May 30, 2013 at 4:19 pm

    Good one!

    Reply


    Copyright 2013 Laurent Domb OSS Blog - this blog is about OSS, Linux, virtualization, security, business.