1. PRE-REQUISITE:
HOSTNAME = ldap.example.com (update files '/etc/hosts' and '/etc/sysconfig/network')
IP Address = 202.52.134.111
OS = CentOS 6.4 latest updated
FIREWALL = 'Selinux = Disabled' & 'iptables -F'
PACKAGE/SOFTWARE = openldap
2. INSTALL LDAP PACKAGES:
]# yum install openldap*
3. CONFIGURE AND CHECK HOSTNAME AND IP ADDRESS:
]# ifconfig ( Eg. 202.52.134.111 )
]# hostname ( Eg. ldap.example.com )
4. Edit the database file to reflect your domain,
]# vim /etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif
olcSuffix: dc=example,dc=com
olcRootDN: cn=Manager,dc=example,dc=com
:wq
Note: you may use a substitute command in vim to change the domain throughout the file:
":%s/dc=my-domain,dc=com/dc=example,dc=com/g"
5. Here, we will add password for LDAP server,
]# slappasswd
New Password:
Re-enter new password:
{SSHA}K1Q5Zyhe34dZeRo3ESZniZf98aDrNqge
]# vim /etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif
# Go to the end of the file and add the line below, pasting the hashed password printed by slappasswd:
olcRootPw: {SSHA}K1Q5Zyhe34dZeRo3ESZniZf98aDrNqge
:wq
6. TLS Certificate settings in database file,
]# vim /etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif
olcTLSCertificateFile: /etc/pki/tls/certs/example.pem
olcTLSCertificateKeyFile: /etc/pki/tls/certs/examplekey.pem
:wq
7. Configure monitoring settings,
]# vim /etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif
# Here, only change the case of the first character of the word "manager", from 'manager' to 'Manager':
olcAccess:..........dn.base="cn=Manager,dc=my-domain,dc=com" read.........
:wq
8. Set up the database directory:
]# cp -rvf /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
]# chown -R ldap:ldap /var/lib/ldap/
]# updatedb
9. Enable LDAPS in the slapd sysconfig file:
]# vi /etc/sysconfig/ldap
SLAPD_LDAPS=yes
:wq
10. Generate a self-signed TLS certificate and key, start the services, and publish the certificate for clients:
]# openssl req -new -x509 -nodes -out /etc/pki/tls/certs/example.pem -keyout /etc/pki/tls/certs/examplekey.pem -days 365
Specify,
COUNTRY=IN
STATE PROVINCE NAME = Maharashtra
LOCALITY NAME (CITY) = Pune
ORGANISATION NAME = Example, Inc.
ORGANISATIONAL UNIT = IT
COMMON NAME = ldap.example.com
EMAIL ADDRESS = prem@example.com
]# chown -R root:ldap /etc/pki/tls/certs/example*
]# service slapd start
]# chkconfig slapd on
]# yum install vsftpd
]# cp -rvf /etc/pki/tls/certs/example.pem /var/ftp/pub/
]# service vsftpd start
]# chkconfig vsftpd on
]# yum install httpd
]# ln -s /var/ftp/pub/ /var/www/html/
]# service httpd restart
]# chkconfig httpd on
]# service iptables stop
]# chkconfig iptables off
]# yum install migrationtools -y
]# vim /usr/share/migrationtools/migrate_common.ph
# On line no 61, set "ou=Groups" for the variable "$NAMINGCONTEXT{'group'}" as below,
$NAMINGCONTEXT{'group'} = "ou=Groups";
# Also replace the domain in the 2 variables below,
$DEFAULT_MAIL_DOMAIN = "example.com";
$DEFAULT_BASE = "dc=example,dc=com";
$EXTENDED_SCHEMA = 1;
:wq
]# cd /usr/share/migrationtools
]# ./migrate_base.pl > /root/base.ldif
]# mkdir /home/guests
]# useradd -d /home/guests/ldapuser1 ldapuser1
]# useradd -d /home/guests/ldapuser2 ldapuser2
]# useradd -d /home/guests/ldapuser3 ldapuser3
]# useradd -d /home/guests/ldapuser4 ldapuser4
]# useradd -d /home/guests/ldapuser5 ldapuser5
]# passwd ldapuser1
]# passwd ldapuser2
]# passwd ldapuser3
]# passwd ldapuser4
]# passwd ldapuser5
]# getent passwd
]# getent passwd | tail -n 5 > /root/users
]# getent shadow | tail -n 5 > /root/passwords
]# getent group | tail -n 5 > /root/groups
]# vim migrate_passwd.pl
# Replace "/etc/shadow" with "/root/passwords".
:wq
]# ./migrate_passwd.pl /root/users
]# ./migrate_passwd.pl /root/users > /root/users.ldif
]# ./migrate_group.pl /root/groups
]# ./migrate_group.pl /root/groups > /root/groups.ldif
]# cd /root
]# ls -l *.ldif (base.ldif, groups.ldif, users.ldif)
]# ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f /root/base.ldif
]# ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f /root/users.ldif
]# ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f /root/groups.ldif
]# ldapsearch -x -b "dc=example,dc=com" | less
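As an added example (not code from the original post), a small Python check to run over /root/users.ldif before the ldapadd step above: it confirms every exported entry is a posixAccount with a hashed userPassword, a uidNumber at or above 500 (so "getent passwd | tail -n 5" did not sweep in a system account), and a home directory under /home/guests, the path exported over NFS later. The sample LDIF inside is constructed and the {crypt} hashes are placeholders.

```python
# Added example, not from the original post: sanity-check users.ldif (the output of
# migrate_passwd.pl) before feeding it to ldapadd.  Sample LDIF is constructed.
import re

# Password prefixes written by migrate_passwd.pl / slappasswd; anything else is cleartext.
HASHED = re.compile(r"^\{(SSHA|SHA|SMD5|MD5|CRYPT)\}", re.I)

def parse_ldif(text):
    """LDIF -> list of {attribute: [values]}; comments dropped, folded lines joined."""
    text = re.sub(r"(?m)^#.*\n|\n ", "", text)
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")     # '::' base64 values are left encoded
            entry.setdefault(attr, []).append(value.strip())
        entries.append(entry)
    return entries

def check_users(entries, home_root="/home/guests", uid_min=500):
    """Return problems per entry.  uid_min=500 is CentOS 6's UID_MIN, so a lower
    uidNumber means 'getent passwd | tail -n 5' picked up a system account."""
    problems = []
    for e in entries:
        v = lambda a: e.get(a, [""])[0]              # first value of an attribute, or ""
        checks = [
            ("posixAccount" in e.get("objectClass", []), "not a posixAccount"),
            (HASHED.match(v("userPassword")), "userPassword missing or cleartext"),
            (int(v("uidNumber") or 0) >= uid_min, "system account leaked into export"),
            (v("homeDirectory").startswith(home_root + "/"), "home outside " + home_root),
        ]
        problems += [f"{v('uid')}: {msg}" for ok, msg in checks if not ok]
    return problems

USERS_LDIF = """dn: uid=ldapuser1,ou=People,dc=example,dc=com
uid: ldapuser1
objectClass: posixAccount
userPassword: {crypt}$6$PLACEHOLDER
uidNumber: 500
homeDirectory: /home/guests/ldapuser1

dn: uid=sshd,ou=People,dc=example,dc=com
uid: sshd
objectClass: posixAccount
userPassword: {crypt}!!
uidNumber: 74
homeDirectory: /var/empty/sshd
"""

if __name__ == "__main__":
    for problem in check_users(parse_ldif(USERS_LDIF)):
        print(problem)
```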
]# vim /etc/exports
/home/guests 202.52.134.0/255.255.255.0(rw,sync)
:wq
]# service nfs start
]# chkconfig nfs on
]# showmount -e ldap.example.com
OK...LDAP Server Configured...Now configure the Client.
CLIENT SIDE CONFIGURATION:
]# ping ldap.example.com OR ]# ping 202.52.134.111
]# authconfig-gtk
USER ACCOUNT DATABASE : LDAP
LDAP SEARCH BASE DN : dc=example,dc=com
LDAP SERVER : ldap://ldap.example.com
USE TLS : [*]
DOWNLOAD CA CERTIFICATE (Certificate URL): http://ldap.example.com/pub/example.pem
[OK]
In CentOS Text Based Client:
]# yum install pam_ldap nss-pam-ldapd
]# authconfig-tui
[*] Use LDAP
[*] Use LDAP Authentication
[NEXT]
[*] Use TLS
Server : ldap://ldap.example.com/
Base DN: dc=example,dc=com
[OK]
Finally copy 'example.pem' certificate file to '/etc/openldap/certs/' directory.
]# getent passwd ldapuser1
]# getent passwd ldapuser2
]# getent passwd ldapuser3
]# getent passwd ldapuser4
]# getent passwd ldapuser5
]# vim /etc/auto.master
...
/misc /etc/auto.misc
....
/home/guests /etc/auto.guests
:wq
]# vim /etc/auto.guests
* -rw ldap.example.com:/home/guests/&
:wq
]# service autofs reload
]# su - ldapuser1
<password>
http://suresh-chandra.blogspot.in