What is LDAP ?
LDAP is a protocol for accessing a directory. A directory contains objects; generally those related to users, groups, computers, printers and so on; company structure information (although frankly you can extend it and store anything in there).
Name- openldap-serveer
Package- openldap*
Port - 389
Daemon- slaped
Script- slaped
Config File-
/etc/openldap/slapd.d/"cn=config"/"olcDatabase={2}bdb.ldif"
/etc/openldap/slapd.d/"cn=config"/"olcDatabase{1}monitor.ldif"
Configure openldap-servers-
Note- Pre-Requisites:
1- Working DNS Server: If you don't know how to configure DNS Server, Please Click this link- http://ashutoshlinuxnotes.blogspot.in/p/26_7.html
2- Server should be synced with NTP Server, NTP Server configuration please check this link- http://ashutoshlinuxnotes.blogspot.in/p/1_7.html
Step-1 Disable Selinux-
Edit selinux file and set SELINUX=disable
[root@server ~]# vim /etc/sysconfig/selinux
Iptables Configuration-
[root@server ~]# service iptables stop
[root@server ~]# chkconfig iptables off
[root@server ~]#
Step-2 Set Static IP
[root@server ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth0
or
[root@server ~]# setup
IPADDRS 192.168.0.1
NETMASK 255.255.255.0
Step-3 Change hostname-
[root@server ~]# vim /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=server.ashu.com
[root@server ~]# vim /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
10.0.2.182 server.ashu.com server
[root@server ~]# /etc/init.d/NetworkManager restart
[root@server ~]# hostname
server.ashu.com
[root@server ~]# ping server.ashu.com
PING server.ashu.com (10.0.2.182) 56(84) bytes of data.
64 bytes from server.ashu.com (10.0.2.182): icmp_seq=1 ttl=64 time=0.033 ms
64 bytes from server.ashu.com (10.0.2.182): icmp_seq=2 ttl=64 time=0.040 ms
64 bytes from server.ashu.com (10.0.2.182): icmp_seq=1 ttl=64 time=0.033 ms
64 bytes from server.ashu.com (10.0.2.182): icmp_seq=2 ttl=64 time=0.040 ms
Step-4 Now generate a encrypted password for Administrator User That is "Manager"
[root@server ~]# slappasswd
New password: redhat
Re-enter new password: redhat
{SSHA}tEyKAy8ik3U7HQ3Mdb5Qs+3DiGX78FMX
Note- You need to copy above generated password
Step-5 Now Configure OpenLDAP Server, so edit the following file:
[root@server ~]# cd /etc/openldap/slapd.d/
[root@server slapd.d]# ll
drwxrwxrwx. 3 ldap ldap 4096 Mar 23 12:46 cn=config
-rwxrwxrwx. 1 ldap ldap 1131 Nov 15 14:39 cn=config.ldif
[root@server slapd.d]# cd cn\=config
[root@server cn=config]# ll
drwxrwxrwx. 2 ldap ldap 4096 Nov 15 14:39 cn=schema
-rwxrwxrwx. 1 ldap ldap 51896 Nov 15 14:39 cn=schema.ldif
-rwxrwxrwx. 1 ldap ldap 592 Nov 15 14:39 olcDatabase={0}config.ldif
-rwxrwxrwx. 1 ldap ldap 525 Nov 15 14:39 olcDatabase={-1}frontend.ldif
-rwxrwxrwx. 1 ldap ldap 622 Nov 15 14:39 olcDatabase={1}monitor.ldif
-rwxrwxrwx. 1 ldap ldap 1202 Nov 15 14:39 olcDatabase={2}bdb.ldif
[root@server cn=config]# pwd/etc/openldap/slapd.d/cn=config
[root@server cn=config]# vim olcDatabase\=\{2\}bdb.ldif
Inside this file do the following changes:
-----------------------------------------------------------------------
olcSuffix: dc=ashu,dc=com
olcRootDN: cn=Manager,dc=ashu,dc=com
-----------------------------------------------------------------------
Inside this file create the following lines:
-----------------------------------------------------------------------
#Note--> Paste youre encrypted password
olcRootPW: {SSHA}tEyKAy8ik3U7HQ3Mdb5Qs+3DiGX78FMX
olcTLSCertificateFile: /etc/pki/tls/certs/ashu.pem
olcTLSCertificateKeyFile: /etc/pki/tls/certs/ashukey.pem
:wq
-----------------------------------------------------------------------
Step-6 Specify the Monitoring Privileges file..
[root@server cn=config]# vim olcDatabase\=\{1\}monitor.ldif
(Search Following Line- olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=externa
l,cn=auth" read by dn.base="cn=manager,dc=my-domain,dc=com" read by * none)
and Change this into-
-----------------------------------------------------------------------
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=externa
l,cn=auth" read by dn.base="cn=Manager,dc=ashu,dc=com" read by * none
:wq
-----------------------------------------------------------------------
Step-7 Copy the Simple Database file
[root@server cn=config]# cd -
[root@server ~]#
[root@server ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
`/usr/share/openldap-servers/DB_CONFIG.example' -> `/var/lib/ldap/DB_CONFIG'
[root@server ~]# cd /var/lib/ldap/
[root@server ldap]# ll
-rw-r--r--. 1 root root 921 Mar 23 12:57 DB_CONFIG
Note- Change owner and group ownership of this Database 'DB-CONFIG' and update database..
[root@server ldap]# chown -R ldap:ldap DB_CONFIG
[root@server ldap]# ll
-rw-r--r--. 1 ldap ldap 921 Mar 23 12:57 DB_CONFIG
[root@server ldap]# updatedb
Step-8 Configure OpenLdap to listen on SSL/TLS
[root@server ldap]# cd
[root@server ~]# vim /etc/sysconfig/ldap
Inside this file do the following changes:-
-------------------------------------------
# Run slapd with -h "... ldaps:/// ..."
# yes/no, default: no
SLAPD_LDAPS=yes
:wq
-------------------------------------------
Step-9 Now you need to generate a self sign certificate for OpenLDAP Server.You Can also configure CA Server..
But I'm creating self sign certificate.....
[root@server ~]# openssl req -new -x509 -nodes -out /etc/pki/tls/certs/ashu.pem -keyout /etc/pki/tls/certs/ashukey.pem -days 365
__________________________________________________________________________________
Generating a 2048 bit RSA private key
..............+++
............................................+++
writing new private key to '/etc/pki/tls/certs/ashukey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:Delhi
Locality Name (eg, city) [Default City]:New Delhi
Organization Name (eg, company) [Default Company Ltd]:Ashu, Inc.
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:server.ashu.com
Email Address []:root@server.ashu.com
__________________________________________________________________________________
[root@server ~]# ls -l /etc/pki/tls/certs/ashu*
-rw-r--r--. 1 root root 1704 Mar 23 13:17 /etc/pki/tls/certs/ashukey.pem
-rw-r--r--. 1 root root 1440 Mar 23 13:17 /etc/pki/tls/certs/ashu.pem
[root@server ~]#
Step-10 Change owner and group ownership of certificate and key file: 'ashukey.pem', 'ashu.pem'
[root@server ~]# chown -Rf root:ldap /etc/pki/tls/certs/ashu.pem
[root@server ~]# chown -Rf root:ldap /etc/pki/tls/certs/ashukey.pem
[root@server ~]# ls -l /etc/pki/tls/certs/ashu*
-rw-r--r--. 1 root ldap 1704 Mar 23 13:17 /etc/pki/tls/certs/ashukey.pem
-rw-r--r--. 1 root ldap 1440 Mar 23 13:17 /etc/pki/tls/certs/ashu.pem
[root@server ~]#
Step-11 Restart OpenLdap services...
[root@server ~]# /etc/init.d/slapd restart;chkconfig slapd on
OR
[root@server ~]# service slapd restart
[root@server ~]# chkconfig slapd on
Step-12 Now Copy certificate file '/etc/pki/tls/certs/ashu.pem'in '/var/ftp/pub/'
[root@server ~]# cp -rvf /etc/pki/tls/certs/ashu.pem /var/ftp/pub/
`/etc/pki/tls/certs/ashu.pem' -> `/var/ftp/pub/ashu.pem'
[root@server ~]# service vsftpd restart
[root@server ~]# chkconfig vsftpd on
[root@server ~]# ln-s /var/ftp/pub/ /var/www/html
[root@server ~]# service httpd restart
[root@server ~]# chkconfig httpd on
Step-13 Now you need to create base objects in OpenLDAP.
NOTE: base objects means you have to create dn: for domain name, for OUs, so to creating dn:, you have to defining objectclass.
there are two ways-
1- you can create it manually.
2- you can use migration tools.
Note- I am using migration tools.
[root@server ~]# yum install migrationtools
[root@server ~]# cd /usr/share/migrationtools/
[root@server migrationtools]# ls #--> Show the all file
migrate_aliases.pl migrate_automount.pl migrate_networks.pl
migrate_all_netinfo_offline.sh migrate_base.pl migrate_passwd.pl
migrate_all_netinfo_online.sh migrate_common.ph migrate_profile.pl
migrate_all_nis_offline.sh migrate_fstab.pl migrate_protocols.pl
migrate_all_nis_online.sh migrate_group.pl migrate_rpc.pl
migrate_all_nisplus_offline.sh migrate_hosts.pl migrate_services.pl
migrate_all_nisplus_online.sh migrate_netgroup_byhost.pl migrate_slapd_conf.pl
migrate_all_offline.sh migrate_netgroup_byuser.pl
migrate_all_online.sh migrate_netgroup.pl
Step-14 you need to change some predefined values according to your domain name, for that do the following
[root@server migrationtools]# vim migrate_common.ph
___________________________________________________________________
#-->On The Line Number-61..
$NAMINGCONTEXT{'group'} = "ou=Groups";
#-->On The Line Number-71..
$DEFAULT_MAIL_DOMAIN = "ashu.com";
#-->On The Line Number-74..
$DEFAULT_BASE = "dc=ashu,dc=com";
#-->On The Line Number-90..
$EXTENDED_SCHEMA = 1;
:wq
___________________________________________________________________
Step-15 Generate a base.ldif file for your domain..
#--> Check all migrate file setting
[root@server migrationtools]# ./migrate_base.pl
[root@server migrationtools]# ./migrate_base.pl > /root/base.ldif
Step-16 If you want to migrate you local users and groups on ldap
Note- First crate Some user. and then asign password...
[root@server migrationtools]# cd
[root@server ~]# mkdir /home/ldap
[root@server ~]# useradd -d /home/ldap/ldapuser-1 ldapuser-1
[root@server ~]# useradd -d /home/ldap/ldapuser-2 ldapuser-2
[root@server ~]# useradd -d /home/ldap/ldapuser-3 ldapuser-3
[root@server ~]# useradd -d /home/ldap/ldapuser-4 ldapuser-4
[root@server ~]# useradd -d /home/ldap/ldapuser-5 ldapuser-5
[root@server ~]# passwd ldapuser-1
[root@server ~]# passwd ldapuser-2
[root@server ~]# passwd ldapuser-3
[root@server ~]# passwd ldapuser-4
[root@server ~]# passwd ldapuser-5
[root@server ~]# cat /etc/passwd (Check user information)
[root@server ~]#
Step-17
1- Filter out these users from '/etc/passwd' to another file..
[root@server ~]# getent passwd | tail -n 5
[root@server ~]# getent passwd | tail -n 5 > /root/users
2- filter out password information from '/etc/shadow' to another file
[root@server ~]# getent shadow | tail -n 5
[root@server ~]# getent shadow | tail -n 5 > /root/passwords
3- filter out user groups from '/etc/group' to another file..
[root@server ~]# getent group | tail -n 5
[root@server ~]# getent group | tail -n 5 > /root/groups
Note- getent is a unix command that helps a user get entries in a number of important text files called databases.
The databases it searches in are: passwd, group, hosts, services, protocols, ethers (Ethernet addresses) or networks.
Step-18 Now open 'migrate_passwd.pl' file to change the location of password file..
[root@server ~]# cd /usr/share/migrationtools/
[root@server migrationtools]# ls
[root@server migrationtools]# vim migrate_passwd.pl
______________________________________________________________________________
#-->Line Number- 188, OR Search '/etc/shadow' and change to '/root/passwords'
sub read_shadow_file
{
open(SHADOW, "/root/shadow") || return;
while(<SHADOW>) {
chop;
($shadowUser) = split(/:/, $_);
$shadowUsers{$shadowUser} = $_;
}
:wq
______________________________________________________________________________
Step-19 Generate a ldif file for users and groups...
[root@server migrationtools]#./migrate_passwd.pl /root/users
[root@server migrationtools]#./migrate_passwd.pl /root/users > /root/users.ldif
[root@server migrationtools]#./migrate_group.pl /root/groups
[root@server migrationtools]#./migrate_group.pl /root/groups > /root/groups.ldif
[root@server migrationtools]# cd
[root@server ~]# ls -l
______________________________________________________________________
-rwxrwxrwx. 1 root root 2105 Nov 14 16:32 anaconda-ks.cfg
-rw-r--r--. 1 root root 1200 Mar 23 14:17 base.ldif
drwxrwxrwx. 7 root root 4096 Feb 21 20:53 Desktop
drwxrwxrwx. 2 root root 4096 Nov 14 16:35 Documents
drwxrwxrwx. 7 root root 4096 Jan 13 14:19 Downloads
-rw-r--r--. 1 root root 94 Mar 23 14:45 groups
-rw-r--r--. 1 root root 695 Mar 23 14:46 groups.ldif
-rwxrwxrwx. 1 root root 46359 Nov 14 16:32 install.log
-rwxrwxrwx. 1 root root 10329 Nov 14 16:30 install.log.syslog
drwxrwxrwx. 2 root root 4096 Nov 14 16:35 Music
-rw-r--r--. 1 root root 94 Mar 23 14:45 passwords
drwxrwxrwx. 2 root root 4096 Nov 14 16:35 Pictures
drwxrwxrwx. 2 root root 4096 Nov 14 16:35 Public
drwxrwxrwx. 2 root root 4096 Nov 14 16:35 Templates
-rw-r--r--. 1 root root 94 Mar 23 14:47 users
-rw-r--r--. 1 root root 94 Mar 23 14:49 users.ldif
drwxrwxrwx. 2 root root 4096 Nov 14 16:35 Videos
______________________________________________________________________
Step-20 Now it' time to upload these ldif file to LDAP Server..
[root@server ~]# ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f /root/base.ldif
[root@server ~]# ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f /root/users.ldif
[root@server ~]# ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f /root/groups.ldif
Note- Enter LDAP Password: (you have to type the password which you generated in encrypted format.)
Use 'ldapsearch' command-
[root@server ~]# ldapsearch -x -b "dc=example,dc=com" | less
Step-21 Now share LDAP Users home Directory via NFS..
[root@server ~]# vim /etc/exports
______________________________________________________________
/home/ldap 192.168.0.0/255.255.255.0(rw,sync)
:wq
_____________________________________________________________
[root@server ~]# /etc/init.d/nfs restart;chkconfig nfs on
Note- If You are getting the blew error while starting your NFS service because you have not installed or started rpcbind service.
Error:- "Cannot register service: RPC: Unable to receive; errno = Connection refused"
Solution:- Install 'rpcbind' service. and then restart 'rpcbind' service..
[root@server ~]# yum -y install rpcbind
[root@server ~]# /etc/init.d/rpcbind start
Again Check-
[root@server ~]# /etc/init.d/nfs restart;chkconfig nfs on
Problem has been resolved..
LDAP server configuration has been completed...
Client PC-
Now go to the client machine to use ldap server and it's users..
Step-1 Check ip add..
[root@client ~]# ifconfig
IPADDRS 192.168.0.2
NetMask 255.255.255.0
[root@client ~]# ping 192.168.0.1
[root@client ~]# vim /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.0.1 server.ashu.com server
192.168.0.1 client.ashu.com client
Step-2 Open 'authconfig-gtk'
[root@client ~]# authconfig-gtk
Now open New box---
Click on--> 'Identity & Authentication' Tab
Click on drop down menu in--> 'User Account Database' And Select 'LDAP'
LDAP Search Base DN: DC=ashu,dc=com
LDAP Server: ldap://ldap.ashu.com
Select The Check Box of- 'Use TLS to encrypt connection'
Click. 'Doenload CA Certificate'
Certificate URL: http://server.ashu.com/pub/ashu.pem
Click- Apply
Step-3 Create the following new line.
[root@client ~]# vim /etc/auto.master
/home/ldap /etc/auto.ldap
[root@client ~]# vim /etc/auto.ldap
* -rw server.ashu.com:/home/ldap/&
[root@client ~]# service autofs reload
[root@client ~]# su - ldapuser-1
[ldapuser-1@client ~]#
[ldapuser-1@client ~]# logout
[root@client ~]#
[root@client ~]# su - ldapuser-2
[ldapuser-2@client ~]#
OpenLdap server and client configuration has been finished...
How to add LDAP User-
--------------------------------
1- Create a user
[root@server ~]# useradd -d /home/ldap/ldapuser-6 ldapuser-6
2- Set password-
[root@server ~]# passwd ldapuser-6
3- Now Filter out your users from '/etc/passwd'to other file.
[root@server ~]# getent passwd | tail -n 1 > /root/users
4- Now Filter out your Groups from '/etc/group' to other file.
[root@server ~]# getent group | tail -n 1 > /root/groups
5- Now Filter out your password information from '/etc/shadow' to other file.
[root@server ~]# getent shadow | tail -n 5 > /root/passwords
6- Now use the migrationtools to generate ldif file for users and groups
"How to use Migrationtools" (Step-19). or
[root@server ~]# ldapadd -x -W -D "cn=Manager,dc=ashu,dc=com" -f /root/users.ldif
[root@server ~]# ldapadd -x -W -D "cn=Manager,dc=ashu,dc=com" -f /root/groups.ldif
7- Now add that users and groups ldif files to LDAP (Step-20) or
[root@server ~]# ldapadd -x -W -D "cn=Manager,dc=ashu,dc=com" -f /root/users.ldif
[root@server ~]# ldapadd -x -W -D "cn=Manager,dc=ashu,dc=com" -f /root/groups.ldif
How to change LDAP User Password-
----------------------------------------------------
[root@server ~]# ldappasswd -x -w redhat1 -D 'cn=Manager,dc=ashu,dc=com' -s redhat1 'uid=ldap,ou=Users,dc=ashu,dc=com'
Note- In this example, my first "redhat" word is the password of "Manager" user and second "redhat" word is the password of "ldap" user.
How to Delete LDAP User-
------------------------------------
[root@server ~]# ldapdelete -x -W -D 'cn=Manager,PC-dc=ashu,dc=com' 'uid=ldap,ou=Users,dc=ashu,dc=com'
Note- In this example, i want to delete a user name "ldap" so you have to type complete DN of that user.
_____________________________________________________________________________________
LDAP Interview Question & Answer-
--------------------------------------------------
Q: - Is there Graphical editors for LDAP ?
Yes, Following are some GUI based tools for LDAP
- GQ
- Java LDAP Browser/Editor
- Softerra LDAP Browser
Q: - What can i do if my application doesn't speak to LDAP ?
Gateway that translate one directory access protocol into another.
Q: - How can i join information contained in different directories ?
Distributed, Multivendor directories glued together by referrals and references.
Q: - What is "LDIF" ?
The LDAP Interchange Format (LDIF) is a standard text file format for storing LDAP configuration information and directory contents. LDIF files are often used to import new data into your directory or make changes to existing data.
Q: - Name the object class types ?
- Structural Object class
- Auxiliary Object class
- Abstract object classes
Q: - What is the name of main configuration file name for LDAP server ?
slapd.conf
Q: - What is LDAP ?
LDAP stands for Lightweight Directory Access Protocol. In plain and simple terms, its a database whereby it has all the details of all of organizations, individuals, and other resources such as files and devices in a network, whether on the Internet or on corporate intranetand whether or not you know the domain name, IP address, or geographic whereabouts. An LDAP directory can be distributed among many servers on a network, then replicated and synchronized regularly. An LDAP server is also known as a Directory System Agent (DSA). Its a not a relational database. Outlook and other email programs uses LDAP to search for a recipient in an organization.
Q: - Whats the relation ship between LDAP and JNDI?
JNDI has classes provided by SUN that will help ur appln interact with and LDAP server. JNDI appln work similarly to JDBC applns once and be free to use 'drivers' from different vendors. SUN provides the "driver" that will help interact with the LDAP server. Sun also provides "drivers" for other naming services (like CORBA).
Q: - Why LDAP is called light weight?
LDAP (Lightweight Directory Access Protocol) is a protocol for communications between LDAP servers and LDAP clients.
LDAP servers store "directories" which are access by LDAP clients.
LDAP is called lightweight because it is a smaller and easier protocol which was derived from the X.500 DAP
(Directory Access Protocol) defined in the OSI network protocol stack.
Q: - what is SLAPD?
SLAPD stands for Stand-Alone LDAP.Clients connect to the server over the LDAP protocol, usually using a network-based connection (though SLAPD provides a UNIX socket listener).
Q: - Which daemons are required for LDAP server?
slapd and slurpd
Q: - Tell me the name of three LDAP Client utilities or Applications
ldapsearch
ldapadd
ldapmodify
Q: - Define Schemas?
Schemas provide definitions of the different object classes and attribute types that OpenLDAP should support. Using these, OpenLDAP can determine what entries it is allowed to store, whether any given entry is valid, and how entries should optimally be stored.
Q: - Explain modulepath directive?
The modulepath directive provides the full path to the directory where the modules (the compiled libraries) are stored.
Q: - Explain moduleload directive?
The moduleload directive instructs OpenLDAP to load a particular module.
Q: - What is HDB?
HDB is the new generation storage mechanism for OpenLDAP. Like its predecessor, the BDB backend, HDB uses the Oracle BerkeleyDB database for storage, but HDB stores entries hierarchically, a perfect fit for LDAP's tree structure. The old BDB backend is still supported, and you can use it by specifying bdb instead of hdb in the database directive.
Q: - Which utility is used to Encrypt the password?
ldappasswd
Q: - How you will verify LDAP configuration file?
Use "slaptest" utility.
slaptest -v -f /etc/ldap/slapd.conf
Q: - Which configuration file is required for LDAP clients?
ldap.conf
Q: - Explain "SIZELIMIT" directive?
This directive indicates the upper limits on the number of records returned.
Q: - Explain "TIMELIMIT" directive?
This directive will give the information about the amount of time the client will wait for the server to respond.
Q: - Tell me the name of logical operators which are used in ldap filters.
AND (&), OR (|), and NOT (!)
Q: - What Does slapadd Do?
The slapadd utility reads the slapd.conf file, loads the appropriate backend databases, and then reads LDIF data.
Q: - Which web based tool you have used for LDAP?
phpLDAPadmin
_____________________________________________________________________________________________
Click Back.. Click Home..
