LDAP Server & Client Configuration in RHEL 7 With AutoFS | Setup LDAP User Authentication in Linux
- Published on 23 Sep 2024
- LDAP Server & Client Configuration in RHEL 7 | Setup LDAP User Authentication in Linux
===
Please go to pinned comment for detailed information and steps used in configuration.
Configure LDAP Server & Client With AutoFS in RHEL 7:
=====================================================
LDAP stands for Lightweight Directory Access Protocol. It’s an open protocol for accessing and maintaining distributed directory information services over an IP network (source: Wikipedia).
Here it is used to facilitate user account administration. Instead of storing user accounts locally on each server, the LDAP directory stores them globally and makes them available to a group of servers.
This tutorial doesn’t explain how to set up the Automounter and the NFS services. It has been tested for RHEL 7.0, RHEL 7.1 and RHEL 7.2 (non-patched versions).
During this tutorial, try to follow the instructions very precisely because LDAP syntax is sometimes cumbersome (case sensitivity, spaces, etc.) and prone to errors (dn/dc/cn).
Let’s assume that we use the example.com domain and the instructor.example.com hostname (this hostname should be resolved either by the /etc/hosts file or by DNS).
Installation Procedure
LDAP Server Configuration: (192.168.1.113)
------------------------------------------
# yum install -y openldap openldap-clients openldap-servers migrationtools
# slappasswd -s redhat -n > /etc/openldap/passwd
# openssl req -new -x509 -nodes -out /etc/openldap/certs/cert.pem -keyout /etc/openldap/certs/priv.pem -days 365
# cd /etc/openldap/certs
# chown ldap:ldap *
# chmod 600 priv.pem
Prepare the LDAP database:
# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
Generate database files (don’t worry about error messages!):
# slaptest
Change LDAP database ownership:
# chown ldap:ldap /var/lib/ldap/*
# systemctl enable slapd
# systemctl start slapd
Check the LDAP activity:
# netstat -lt | grep ldap
To start the configuration of the LDAP server, add the cosine & nis LDAP schemas:
# cd /etc/openldap/schema
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f cosine.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f nis.ldif
Then, create the /etc/openldap/changes.ldif file and paste the following lines (replace PASSWORD with the hash that slappasswd wrote to /etc/openldap/passwd earlier, e.g. {SSHA}l8A+0c+lRcymtWuIFbbc3EJ1PRZz9mGg):
# vim /etc/openldap/changes.ldif
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=example,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=example,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: PASSWORD

dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/cert.pem

dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/priv.pem

dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: -1

dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=example,dc=com" read by * none
Note: A problem with olcTLSCertificateFile and olcTLSCertificateKeyFile has been reported in the newer OpenLDAP version shipped with RHEL 7.5; there the two attributes have to be modified in the same change record (the "-" line keeps both replaces inside one entry):
dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/cert.pem
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/priv.pem
Send the new configuration to the slapd server:
# ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/openldap/changes.ldif
Create the /etc/openldap/base.ldif file and paste the following lines:
# vim /etc/openldap/base.ldif
dn: dc=example,dc=com
dc: example
objectClass: top
objectClass: domain

dn: ou=People,dc=example,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=example,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit
Build the structure of the directory service:
# ldapadd -x -w redhat -D cn=Manager,dc=example,dc=com -f /etc/openldap/base.ldif
Create two users for testing:
# mkdir /home/guests
# useradd -d /home/guests/ldapuser01 ldapuser01
# passwd ldapuser01
Changing password for user ldapuser01.
New password: user01ldap
Retype new password: user01ldap
passwd: all authentication tokens updated successfully.
# useradd -d /home/guests/ldapuser02 ldapuser02
# passwd ldapuser02
Changing password for user ldapuser02.
New password: user02ldap
Retype new password: user02ldap
passwd: all authentication tokens updated successfully.
User Account Migration
Go to the directory for the migration of the user accounts:
# cd /usr/share/migrationtools
Edit the migrate_common.ph file and set the following two variables:
# vim migrate_common.ph
$DEFAULT_MAIL_DOMAIN = "example.com";
$DEFAULT_BASE = "dc=example,dc=com";
Create the current users in the directory service:
# grep ":10[0-9][0-9]" /etc/passwd > passwd
# ./migrate_passwd.pl passwd users.ldif
# ldapadd -x -w redhat -D cn=Manager,dc=example,dc=com -f users.ldif
adding new entry "uid=ldapuser01,ou=People,dc=example,dc=com"
adding new entry "uid=ldapuser02,ou=People,dc=example,dc=com"
# grep ":10[0-9][0-9]" /etc/group > group
# ./migrate_group.pl group groups.ldif
# ldapadd -x -w redhat -D cn=Manager,dc=example,dc=com -f groups.ldif
adding new entry "cn=ldapuser01,ou=Group,dc=example,dc=com"
adding new entry "cn=ldapuser02,ou=Group,dc=example,dc=com"
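The two migrate_*.pl runs above turn the filtered /etc/passwd and /etc/group lines into LDIF. The following Python is an added example, not the migrationtools code, that reproduces the essential mapping for the default (non-extended) schema so the shape of the resulting entries is visible; the passwd and group lines are constructed, and userPassword (which the real tool copies from /etc/shadow) is deliberately left out.

```python
# Constructed /etc/passwd and /etc/group samples (not taken from the page).
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
ldap:x:55:55:OpenLDAP server:/var/lib/ldap:/sbin/nologin
ldapuser01:x:1001:1001::/home/guests/ldapuser01:/bin/bash
ldapuser02:x:1002:1002:Second guest:/home/guests/ldapuser02:/bin/bash
"""
SAMPLE_GROUP = """wheel:x:10:root
ldapuser01:x:1001:
ldapuser02:x:1002:ldapuser01
"""
BASE_DN = "dc=example,dc=com"


def in_migrated_range(num):
    """The tutorial's grep ':10[0-9][0-9]' keeps ids 1000-1099; check the id field itself."""
    return num.isdigit() and 1000 <= int(num) <= 1099


def passwd_to_ldif(passwd_text, base_dn=BASE_DN):
    """Mirror migrate_passwd.pl (default schema); userPassword from /etc/shadow is omitted."""
    entries = []
    for line in passwd_text.splitlines():
        if not line.strip():
            continue
        name, _pw, uid, gid, gecos, home, shell = line.split(":")
        if not in_migrated_range(uid):
            continue
        cn = gecos.split(",")[0] or name  # GECOS full name, falling back to the login name
        entries.append("\n".join([
            f"dn: uid={name},ou=People,{base_dn}",
            f"uid: {name}", f"cn: {cn}",
            "objectClass: account", "objectClass: posixAccount",
            "objectClass: top", "objectClass: shadowAccount",
            f"loginShell: {shell}", f"uidNumber: {uid}",
            f"gidNumber: {gid}", f"homeDirectory: {home}",
        ]))
    return "\n\n".join(entries) + "\n"  # the blank line between entries is mandatory LDIF syntax


def group_to_ldif(group_text, base_dn=BASE_DN):
    """Mirror migrate_group.pl: one posixGroup per line, members listed as memberUid."""
    entries = []
    for line in group_text.splitlines():
        if not line.strip():
            continue
        name, _pw, gid, members = line.split(":")
        if not in_migrated_range(gid):
            continue
        attrs = [f"dn: cn={name},ou=Group,{base_dn}", "objectClass: posixGroup",
                 "objectClass: top", f"cn: {name}", f"gidNumber: {gid}"]
        attrs += [f"memberUid: {m}" for m in members.split(",") if m]
        entries.append("\n".join(attrs))
    return "\n\n".join(entries) + "\n"
```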
Test the configuration with the user called ldapuser01:
# ldapsearch -x cn=ldapuser01 -b dc=example,dc=com
Firewall Configuration
Add a new service to the firewall (ldap: port tcp 389):
# firewall-cmd --permanent --add-service=ldap
Reload the firewall configuration:
# firewall-cmd --reload
Edit the /etc/rsyslog.conf file and add the following line:
local4.* /var/log/ldap.log
Restart the rsyslog service:
# systemctl restart rsyslog
-----
Install & Configure NFS:
# yum install -y nfs* rpcbind mountd
Open the NFS services in the firewall:
# firewall-cmd --add-service={nfs3,mountd,rpc-bind} --permanent
# vim /etc/exports
/home *(rw,sync)
Start & Enable the Services:
# systemctl start rpcbind
# systemctl start nfs
# systemctl enable rpcbind
# systemctl enable nfs
Test NFS Configuration:
# showmount -e
=================
Client Configuration:
---------------------
Install the packages:
# yum install -y openldap-clients nss-pam-ldapd autofs
Setup Authentication Mechanism:
# authconfig-tui
Select LDAP & LDAP Authentication
# vim /etc/auto.master
/home /etc/auto.txt --timeout=60
# vim /etc/auto.txt
home/guests -rw,sync 192.168.1.113:/home
# systemctl start autofs
# systemctl enable autofs
# systemctl status autofs
Thank you. Very helpful.
Sir, it is showing "user does not exist".
Sir, I had a question: how do we delete a user from LDAP?
Thank you sir, appreciate it, very precise video. Do you know if there are any tools such as FreeIPA or a GUI that can be used to create users on the LDAP server?
Vi /etc/openldap/changes.ldif file is missing
Package openldap-2.6.6-1.el9.x86_64 is already installed.
No match for argument: migrationtools
Error: Unable to find a match: migrationtools
I am not able to find this package. Please help me on this.
The error you’re seeing indicates that the migrationtools package isn’t available in the default repositories for CentOS 9. The migrationtools package is typically used for migrating data to an LDAP directory server but might not be included in the repositories for CentOS 9 by default.
Here’s how you can work around this issue:
1. Check EPEL Repository
The migrationtools package is often found in the Extra Packages for Enterprise Linux (EPEL) repository. You can enable EPEL and then try installing the package.
sudo dnf install epel-release
sudo dnf update
sudo dnf install migrationtools
2. Manual Installation from Source
If the package is not available in the EPEL repository, you can manually download and install it.
Here’s how to do it:
Download the Source:
You can download the migrationtools source package from the CentOS or Fedora repositories.
wget archives.fedoraproject.org/pub/archive/fedora/linux/releases/34/Everything/source/tree/Packages/m/migrationtools-47-19.fc34.src.rpm
Install Required Tools:
You’ll need some tools to build and install the package from the source.
sudo dnf install rpm-build
Build and Install:
Once you have the source package, you can rebuild it:
rpmbuild --rebuild migrationtools-47-19.fc34.src.rpm
Then, install the built package (it should be in your ~/rpmbuild/RPMS/ directory):
sudo dnf install ~/rpmbuild/RPMS/noarch/migrationtools-*.rpm
3. Use an Alternative Tool or Method
If you’re only looking to perform certain migrations and can’t get migrationtools working, you might want to look into alternative tools or scripts that accomplish the same tasks. There are various LDAP migration scripts available online that can be adapted to your needs.
4. Search for the Package in CentOS 8 Repositories
In some cases, you can manually download a package from an older CentOS repository and install it. However, this might lead to compatibility issues, so it’s best used as a last resort.
wget mirror.centos.org/centos/8/AppStream/x86_64/os/Packages/migrationtools-47-19.el8.noarch.rpm
sudo dnf install migrationtools-47-19.el8.noarch.rpm
If you’re still having trouble, please let me know, and I can help you further troubleshoot the issue!
Hi sir, could you please make a video on how only specific users belonging to a group can access the Linux VM. I mean, only users who are part of the group in LDAP can access the Linux machine.
For on demand videos please join the membership first and raise the request in the telegram group.
I am facing this error when logging in from the client machine:
su: warning: cannot change directory to /home/guests/ldapuser01: No such file or directory
-bash-4.2$
How to solve?
Please share the error screenshot and logs in our Telegram group.
Sir, I appreciate your work. Kindly clear up my point please: can we use LDAP as a domain controller, like Samba? Can we join the client PC to the domain? Please sir, answer it.
Can you elaborate please?
@NehraClasses sir, can we use LDAP as an Active Directory domain controller like Samba, because we can use Samba as a domain controller; meaning, can we join Windows machines to the domain through LDAP?
When I type su - ldapuser01 it gives the following error, what could be the reason?
su: warning: cannot change directory to /home/guests/ldapuser01: No such file or directory
-bash-4.2$
Because user home dir is not present on the machine where you are trying to login.
no match for argument: openldap-server
no match for argument: migration tools
error unable to find a match: openldap-servers migration tools
(This kind of error is showing while installing LDAP. I used: yum install openldap openldap-clients openldap-servers migration tools) Please resolve it, sir.
Please contact us on Telegram.
Sir, nice work, but how do we set up a password for client users when they log in?
Please help to configure LDAP with "unlimited days certificate" or without certificate.
You can regenerate the certificate.
Getting a "FirewallD is not running" error while executing the command firewall-cmd --permanent --add-service=ldap
Check your command and the service.
Hi Sir, I hope in future you make a video to explain LDAP and how it works. Here I was unable to understand what we are doing; the theory behind the steps was missing. I'd appreciate it if you consider this request.
You can join our personal training for this.
I installed OnlyOffice on Ubuntu. I want to do LDAP configuration for the DC; can you please assist me with how to do it?
well... that works.
Is it supported by RHEL 9 in 2024?
Yes, LDAP is supported on Red Hat Enterprise Linux (RHEL) 9.
Hi, very helpful for me.
Thanks
I have an error when I install openldap-servers.
Please share the screenshot in the Telegram group.
Useful Video
[root@localhost certs]# chown ldap:ldap *
chown: invalid user: ‘ldap:ldap’