Introduction:
Keeping local user accounts on every machine and its services in sync is a daunting task, even more so when the passwords must stay in sync as well.
A solution is to not store account information on each local system, but instead to retrieve it from a centralized store. Having user information, and the associated authentication information, centralized also allows for something called Single Sign-On (SSO). With SSO, a user authenticates once using a password (or other means) and then obtains a form of ticket or cookie that can be used to authenticate automatically to other services.
A centralized identity management system needs to provide at least two services:
Account information: This includes the username, home directory location, UID and GID, group membership, etc. Popular solutions include LDAP (Lightweight Directory Access Protocol), used in multiple products such as Active Directory and IPA Server, and Network Information Service (NIS).
Authentication information: A means for a system to validate that a user is who he/she claims to be. This can be done by providing a cryptographic password hash to the client system, or by sending the (encrypted) password to the server and receiving a response. An LDAP server can provide authentication information in addition to account information. Kerberos only provides SSO authentication services and is typically used alongside LDAP user information. Kerberos is used in both IPA Server and Active Directory.
1. Install the LDAP packages:

    [root@linux1 ~]# yum -y install openldap* migrationtools
2. Create an LDAP root password for administration purposes:

    [root@linux1 ~]# slappasswd
    New password:
    Re-enter new password:
    {SSHA}bHSiwuPJEypHS6zHSE2Uy7M69sQjmkPL

Note: copy the hashed password (the {SSHA} line) and save it somewhere; it is needed in step 3.
3. Edit the OpenLDAP server configuration:

    [root@linux1 ~]# cd /etc/openldap/slapd.d/cn=config
    [root@linux1 cn=config]# vi olcDatabase={2}hdb.ldif

Change the values of "olcSuffix" and "olcRootDN" according to your domain:

    olcSuffix: dc=learnitguide,dc=net
    olcRootDN: cn=Manager,dc=learnitguide,dc=net

Add the following three lines to the same configuration file:

    olcRootPW: {SSHA}bHSiwuPJEypHS6zHSE2Uy7M69sQjmkPL
    olcTLSCertificateFile: /etc/pki/tls/certs/learnitguideldap.pem
    olcTLSCertificateKeyFile: /etc/pki/tls/certs/learnitguideldapkey.pem

Note: replace the "olcRootPW" value with the hash you copied in step 2. The two TLS files are created in step 7; slapd will not start while they are missing, so either create them before step 5 or add the two olcTLS lines after step 7.
4. Grant the Monitor privileges:

    [root@linux1 cn=config]# vi olcDatabase={1}monitor.ldif

    olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=learnitguide,dc=net" read by * none

Verify the configuration:

    [root@linux1 cn=config]# slaptest -u
    56abba86 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif"
    56abba86 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif"
    config file testing succeeded

The checksum errors are expected: they appear because the two files were edited by hand instead of through ldapmodify, and the last line confirms that the configuration is still valid.
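The same step 3 and step 4 settings can be applied with ldapmodify over the ldapi:/// socket instead of editing the files under /etc/openldap/slapd.d/ by hand; that keeps the checksums slapd stores in those files valid, so slaptest prints no checksum errors. The script below is an added example and not part of the original guide. Its functions emit the modify LDIF for given arguments; the usage comment at the bottom uses the guide's domain, and the root password hash there is a placeholder for the slappasswd output. One difference from the guide is deliberate: the olcTLS* attributes are placed on the global cn=config entry, which is where OpenLDAP defines them, rather than on the database entry.

```shell
#!/bin/sh
# Added example, not part of the original guide: apply the step 3 and step 4
# settings through ldapmodify over ldapi:/// instead of editing the files
# under /etc/openldap/slapd.d/ by hand. Argument values are the caller's.

# hdb_config_ldif SUFFIX ROOTDN ROOTPW_HASH
# Modify LDIF for the {2}hdb database: suffix, root DN and root password hash.
# One "replace:" per attribute, separated by "-", works whether or not the
# attribute is already present in the entry.
hdb_config_ldif() {
    cat <<EOF
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: $1
-
replace: olcRootDN
olcRootDN: $2
-
replace: olcRootPW
olcRootPW: $3
EOF
}

# tls_config_ldif CERT_FILE KEY_FILE
# The olcTLS* attributes are server-wide and live on the cn=config entry,
# not on a database entry, so they get their own modify block.
tls_config_ldif() {
    cat <<EOF
dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: $1
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: $2
EOF
}

# monitor_acl_ldif ROOTDN
# Step 4: the local root user (identified through the ldapi peer credentials)
# and the directory manager may read the monitor backend; nobody else may.
monitor_acl_ldif() {
    cat <<EOF
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="$1" read by * none
EOF
}

# Usage on the server, as root. The EXTERNAL mechanism over ldapi:/// maps the
# root uid/gid to the DN that the default cn=config ACL lets manage the
# configuration. Entries in one LDIF stream are separated by a blank line.
#   {
#     hdb_config_ldif dc=learnitguide,dc=net cn=Manager,dc=learnitguide,dc=net '{SSHA}PASTE-SLAPPASSWD-HASH-HERE'
#     echo
#     tls_config_ldif /etc/pki/tls/certs/learnitguideldap.pem /etc/pki/tls/certs/learnitguideldapkey.pem
#     echo
#     monitor_acl_ldif cn=Manager,dc=learnitguide,dc=net
#   } | ldapmodify -Y EXTERNAL -H ldapi:///
```

Because each attribute is its own "replace" operation, the same LDIF can be re-run after a change without first checking what the entry currently contains.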
5. Enable and start the slapd service:

    [root@linux1 cn=config]# systemctl start slapd
    [root@linux1 cn=config]# systemctl enable slapd
    [root@linux1 cn=config]# netstat -lt | grep ldap
    tcp        0      0 0.0.0.0:ldap            0.0.0.0:*               LISTEN
    tcp6       0      0 [::]:ldap               [::]:*                  LISTEN
6. Configure the LDAP database:

    [root@linux1 cn=config]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
    [root@linux1 cn=config]# chown -R ldap:ldap /var/lib/ldap/

Add the following LDAP schemas:

    [root@linux1 cn=config]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
    [root@linux1 cn=config]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
    [root@linux1 cn=config]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
7. Create the self-signed certificate:

    [root@linux1 cn=config]# openssl req -new -x509 -nodes -out /etc/pki/tls/certs/learnitguideldap.pem -keyout /etc/pki/tls/certs/learnitguideldapkey.pem -days 365
    Country Name (2 letter code) [XX]:IN
    State or Province Name (full name) []:Chennai
    Locality Name (eg, city) [Default City]:Chennai
    Organization Name (eg, company) [Default Company Ltd]:Learnitguide
    Organizational Unit Name (eg, section) []:DCOPS
    Common Name (eg, your name or your server's hostname) []:linux1.learnitguide.net
    Email Address []:root@linux1.learnitguide.net

The Common Name must be the hostname the clients will use to reach the server (here linux1.learnitguide.net), otherwise TLS clients will reject the certificate.

    [root@linux1 cn=config]# ll /etc/pki/tls/certs/*.pem
    -rw-r--r--. 1 root root 1704 Jan  8 14:52 /etc/pki/tls/certs/learnitguideldapkey.pem
    -rw-r--r--. 1 root root 1497 Jan  8 14:52 /etc/pki/tls/certs/learnitguideldap.pem

Note: the private key is world-readable here (mode 0644). Restrict it so that only root and the ldap user, which slapd runs as, can read it.
8. Create base objects in OpenLDAP:

    [root@linux1 cn=config]# cd /usr/share/migrationtools/
    [root@linux1 migrationtools]# vi migrate_common.ph

Go to line number 71 and change the mail domain to your domain name:

    $DEFAULT_MAIL_DOMAIN = "learnitguide.net";

Go to line number 74 and change the base DN to your base name:

    $DEFAULT_BASE = "dc=learnitguide,dc=net";

Go to line number 90 and change EXTENDED_SCHEMA from 0 to 1:

    $EXTENDED_SCHEMA = 1;

Finally save and exit.
9. Generate a base.ldif file for your domain:

    [root@linux1 migrationtools]# touch /root/base.ldif

Copy the following into /root/base.ldif (LDIF entries are separated by a blank line):

    dn: dc=learnitguide,dc=net
    objectClass: top
    objectClass: dcObject
    objectclass: organization
    o: learnitguide net
    dc: learnitguide

    dn: cn=Manager,dc=learnitguide,dc=net
    objectClass: organizationalRole
    cn: Manager
    description: Directory Manager

    dn: ou=People,dc=learnitguide,dc=net
    objectClass: organizationalUnit
    ou: People

    dn: ou=Group,dc=learnitguide,dc=net
    objectClass: organizationalUnit
    ou: Group
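The base.ldif above is tied to learnitguide.net. As an added example that is not part of the original guide, the following script derives the base DN from any DNS domain (each label becomes one dc= component) and emits the same four entries for it. The function names and the optional root CN argument are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of the original guide: build the step 9 base.ldif
# for an arbitrary DNS domain instead of the hard-coded learnitguide.net.

# domain_to_dn DOMAIN -> "dc=a,dc=b,dc=c" for "a.b.c"
domain_to_dn() {
    printf '%s' "$1" | awk -F. '{
        for (i = 1; i <= NF; i++) {
            printf "%sdc=%s", (i > 1 ? "," : ""), $i
        }
    }'
}

# first_label DOMAIN -> leftmost label, which becomes the dc: attribute value
first_label() {
    printf '%s\n' "$1" | cut -d. -f1
}

# base_ldif DOMAIN [ROOT_CN]
# Emits the suffix entry, the root DN entry (default cn=Manager) and the
# People and Group organizational units, blank-line separated as LDIF requires.
base_ldif() {
    domain=$1
    root_cn=${2:-Manager}
    base=$(domain_to_dn "$domain")
    cat <<EOF
dn: $base
objectClass: top
objectClass: dcObject
objectClass: organization
o: $domain
dc: $(first_label "$domain")

dn: cn=$root_cn,$base
objectClass: organizationalRole
cn: $root_cn
description: Directory Manager

dn: ou=People,$base
objectClass: organizationalUnit
ou: People

dn: ou=Group,$base
objectClass: organizationalUnit
ou: Group
EOF
}

# Usage, reproducing the guide's file:
#   base_ldif learnitguide.net > /root/base.ldif
```

The root CN passed as the second argument must match the olcRootDN configured in step 3, otherwise the ldapadd in step 11 binds as a DN that has no entry and no root privileges.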
10. Create local users and export them to LDIF:

    [root@linux1 migrationtools]# useradd ldapuser1
    [root@linux1 migrationtools]# useradd ldapuser2
    [root@linux1 migrationtools]# echo "redhat" | passwd --stdin ldapuser1
    [root@linux1 migrationtools]# echo "redhat" | passwd --stdin ldapuser2
    [root@linux1 migrationtools]# grep ":10[0-9][0-9]" /etc/passwd > /root/passwd
    [root@linux1 migrationtools]# grep ":10[0-9][0-9]" /etc/group > /root/group
    [root@linux1 migrationtools]# ./migrate_passwd.pl /root/passwd /root/users.ldif
    [root@linux1 migrationtools]# ./migrate_group.pl /root/group /root/groups.ldif

The grep pattern selects the lines whose UID or GID is in the range 1000 to 1099, which is where the two new accounts land; adjust it if your local accounts use other ids.
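The grep in step 10 matches the text ":10xx" anywhere in the line, so a system account whose GID or comment field happens to contain such a number is migrated too, and an account with UID 1100 or higher is skipped. The following added example (not from the original guide) selects accounts by comparing the numeric id in field 3 instead; it works for both passwd and group format, since both keep the numeric id there. The sample passwd content is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original guide: pick the accounts to migrate
# by numeric UID/GID instead of the guide's grep ":10[0-9][0-9]".

# select_by_id MIN MAX < passwd-or-group-text
# Prints the lines whose third colon-separated field, as a number, is within
# [MIN, MAX]. The +0 forces numeric comparison in every awk.
select_by_id() {
    awk -F: -v lo="$1" -v hi="$2" '($3 + 0) >= (lo + 0) && ($3 + 0) <= (hi + 0)'
}

# Constructed sample /etc/passwd content (not a real file). svc-backup has a
# system UID but GID 1000; ldapuser3 has UID 1100.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
svc-backup:x:998:1000:backup agent:/var/lib/backup:/sbin/nologin
ldapuser1:x:1000:1000::/home/ldapuser1:/bin/bash
ldapuser2:x:1001:1001::/home/ldapuser2:/bin/bash
ldapuser3:x:1100:1100::/home/ldapuser3:/bin/bash
nobody:x:65534:65534:Nobody:/:/sbin/nologin'

# grep_selection -> user names the guide's grep pattern passes on the sample
grep_selection() {
    printf '%s\n' "$SAMPLE_PASSWD" | grep ':10[0-9][0-9]' | cut -d: -f1
}

# numeric_selection -> user names the numeric filter passes for the usual
# range of regular accounts (1000 up to, but excluding, the nobody range)
numeric_selection() {
    printf '%s\n' "$SAMPLE_PASSWD" | select_by_id 1000 59999 | cut -d: -f1
}

# Usage against the live system, replacing the two grep lines of step 10:
#   select_by_id 1000 59999 < /etc/passwd > /root/passwd
#   select_by_id 1000 59999 < /etc/group  > /root/group
```

On the sample, grep_selection returns svc-backup, ldapuser1 and ldapuser2 (svc-backup slips in through its GID, ldapuser3 is missed), while numeric_selection returns ldapuser1, ldapuser2 and ldapuser3.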
11. Import the base objects, users and groups into the LDAP database:

    [root@linux1 migrationtools]# ldapadd -x -W -D "cn=Manager,dc=learnitguide,dc=net" -f /root/base.ldif
    [root@linux1 migrationtools]# ldapadd -x -W -D "cn=Manager,dc=learnitguide,dc=net" -f /root/users.ldif
    [root@linux1 migrationtools]# ldapadd -x -W -D "cn=Manager,dc=learnitguide,dc=net" -f /root/groups.ldif
12. Test the configuration:

    [root@linux1 migrationtools]# ldapsearch -x cn=ldapuser1 -b dc=learnitguide,dc=net
    [root@linux1 migrationtools]# ldapsearch -x -b 'dc=learnitguide,dc=net' '(objectclass=*)'
13. Stop the firewall to allow connections:

    [root@linux1 migrationtools]# systemctl stop firewalld

Note: stopping firewalld exposes every service on the host. The narrower option is to keep it running and open only the LDAP service (and later the NFS services), for example with firewall-cmd --permanent --add-service=ldap followed by firewall-cmd --reload.
14. NFS configuration to export the home directory:

    [root@linux1 ~]# vi /etc/exports
    /home *(rw,sync)

The "*" exports /home to every host that can reach the server; replace it with the address or subnet of your LDAP clients where possible.

Install, enable and start the rpcbind and nfs services:

    [root@linux1 ~]# yum -y install rpcbind nfs-utils
    [root@linux1 ~]# systemctl start rpcbind
    [root@linux1 ~]# systemctl start nfs
    [root@linux1 ~]# systemctl enable rpcbind
    [root@linux1 ~]# systemctl enable nfs

Test the NFS configuration:

    [root@linux1 ~]# showmount -e
    Export list for linux1.learnitguide.net:
    /home *
Client End Configuration
1. LDAP client configuration to use the LDAP server:

    [root@linux2 ~]# yum install -y openldap-clients nss-pam-ldapd
    [root@linux2 ~]# authconfig-tui

Steps to follow for LDAP authentication:

    1. Put a '*' mark on 'Use LDAP'
    2. Put a '*' mark on 'Use LDAP Authentication'
    3. Select Next and press Enter
    4. Enter the server field as "ldap://linux1.learnitguide.net/"
    5. Enter the base DN field as "dc=learnitguide,dc=net"
    6. Select OK and press Enter

Note: with a plain ldap:// URL and no TLS, the client sends each user's password to the server in cleartext at login. Since the server was given a certificate in step 7, also select 'Use TLS' and give the client a copy of that certificate.
2. Test the client configuration:

    [root@linux2 ~]# getent passwd ldapuser1
    ldapuser1:x:1000:1000:ldapuser1:/home/ldapuser1:/bin/bash
3. Mount the LDAP users' home directory by adding the following line to /etc/fstab on the client:

    linux1.learnitguide.net:/home /home auto defaults 0 0