
LDAP Centralize Login - Document

What is LDAP ...


LDAP stands for "Lightweight Directory Access Protocol". It is a software protocol
for locating organizations, individuals and other resources such as files and devices
in a network, whether on the public Internet or a corporate intranet.

Case Study ...

To configure a centralized login scheme, we set up an LDAP server and create all the
users who log into our network in one place. We will also set up home folders for our
LDAP users on our RHEL5 (192.168.0.1) server and export them via NFS, so that when a
user logs in on any machine in our network, his/her home folder is automatically
available.
♦ Domain name is abc, which makes our domain component (dc)
♦ Server name is linux1 (192.168.0.1) and our testing client's name is
linux2 (192.168.100.2)
♦ We will set up one Organizational Unit (OU) called People and we will create our
new LDAP users in this OU.

Installation of LDAP Server/Client ...


Install the following packages:
openldap-2.3.27
openldap-clients-2.3.27
openldap-devel-2.3.27
openldap-servers-2.3.27
nss_ldap-253

LDAP Server Configuration ...

Database Directory ...


First we create the LDAP database. LDAP databases are located by default in the
/var/lib/ldap folder. If you would like a separate directory for your LDAP data, you
can create it within the /var/lib/ldap folder; make sure its owner and group are ldap.

Create LDAP root Password ...


This is done with the "slappasswd" command.
Note that the password may be whatever you want it to be; it doesn't need to be the
same as root's password. Keep the hashed password string the command prints, since
you will have to paste it into the /etc/openldap/slapd.conf file as the "rootpw" option.
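As an added example (not from the original document), here is Python code that builds and verifies an {SSHA} value in the same format slappasswd prints, and checks that a rootpw line carries a hash rather than a cleartext secret. The 4-byte salt length is an assumption; slapd reads whatever follows the 20-byte SHA-1 digest as the salt. The hash decoded at the end is the one from the slapd.conf excerpt on this page; the password it corresponds to is not known here.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

DIGEST_LEN = 20  # SHA-1 digest size; {SSHA} is base64(SHA1(password + salt) + salt)


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Build a slappasswd-style {SSHA} value. A 4-byte random salt is our assumption;
    slapd accepts any salt length because it takes whatever follows the 20-byte digest."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def split_ssha(value: str) -> Tuple[bytes, bytes]:
    """Decode a {SSHA} value into (digest, salt); raise if it cannot be one."""
    if not value.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(value[len("{SSHA}"):], validate=True)
    if len(raw) <= DIGEST_LEN:
        raise ValueError("too short to hold a SHA-1 digest plus a salt")
    return raw[:DIGEST_LEN], raw[DIGEST_LEN:]


def verify_ssha(password: str, value: str) -> bool:
    """Check a candidate password against an {SSHA} value in constant time."""
    digest, salt = split_ssha(value)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def rootpw_is_hashed(line: str) -> bool:
    """True if a slapd.conf 'rootpw' line carries a {SCHEME}-prefixed hash rather than
    a cleartext secret (slapd accepts both, but only the hash belongs in the file)."""
    parts = line.split(None, 1)
    if len(parts) != 2 or parts[0] != "rootpw":
        return False
    value = parts[1].strip()
    return value.startswith("{") and "}" in value


if __name__ == "__main__":
    value = make_ssha("constructed-example-password")
    print(value)
    print("verify ok:", verify_ssha("constructed-example-password", value))
    # The hash shown in the slapd.conf excerpt on this page decodes to a 20-byte
    # digest followed by a 4-byte salt.
    digest, salt = split_ssha("{SSHA}oOcr4B80xKG5oVyJhYpufyMXipyom9W8")
    print("salt bytes in page hash:", len(salt))
```

Run it as a script to see a freshly salted value; two calls with the same password give different strings because the salt is random, which is why the value has to be verified rather than compared as text.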

Edit /etc/openldap/slapd.conf ...


This file is used to configure the LDAP server. You can leave everything in the file
as is, except the following lines, which need to be modified:
database bdb
suffix "dc=abc,dc=com"
rootdn "cn=root,dc=abc,dc=com"
rootpw {SSHA}oOcr4B80xKG5oVyJhYpufyMXipyom9W8

Note: if you changed the ldap directory, correct it in this line,
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools
# Mode 700 recommended
directory /var/lib/ldap

... otherwise leave it as is


This is the end of the configuration for the LDAP server. You can start it with
[root@linux1 openldap]# service ldap start
And also make sure the ldap service is always started at boot time using
[root@linux1 openldap]# chkconfig ldap on

Converting local users to LDAP users ...



We will import our local user list into LDAP. Keep in mind that in order to import
local users into LDAP, you must convert the file (with the user info) to the *.ldif
(LDAP Data Interchange Format) format. This is done with a ready-made script that
comes with the OpenLDAP server.
The first step is to import the root user. Let's copy/paste or "grep" the root user
information from the /etc/passwd file into a new file called passwdroot; this can be
done like this (the pattern is anchored with ^root: so that other lines that merely
contain the word "root" are not picked up):
[root@linux1 ~]# grep '^root:' /etc/passwd > /etc/openldap/passwdroot
Next, you can additionally import your already-made local users into LDAP. This is
done the same way. For example, let's say I have the user user1 and I want to import
it; I would do
[root@linux1 ~]# grep '^user1:' /etc/passwd > /etc/openldap/passwdldapusers
If you have any more local users that you wish to add, repeat the last step, but
this time use ">>" instead of ">" to append to the file.
[root@linux1 ~]# grep '^member:' /etc/passwd >> /etc/openldap/passwdldapusers
Next, it's time to convert our files to the *.ldif format. Locate the migrate_passwd.pl
script, and do the following...
[root@linux1 ~]# /usr/share/openldap/migration/migrate_passwd.pl /etc/openldap/passwdroot /etc/openldap/root.ldif
[root@linux1 ~]# /usr/share/openldap/migration/migrate_passwd.pl /etc/openldap/passwdldapusers /etc/openldap/ldapusers.ldif

Note: if you add some local user to LDAP at a later time, you need to rerun the
script to convert the passwdldapusers file again. There is no need to do that for
the passwdroot file.
Now we have to make changes in our two *.ldif files. You need to change the dn
entries to suit our scenario.
Since we also named our root user Manager in the slapd.conf file, you also need to
change cn=root to cn=Manager in the root.ldif file.
Next, you have to create an *.ldif file for the "abc" domain.
The LDIF files you created from /etc/passwd referred to users only. The
attributes of the abc domain haven't yet been defined, and you also haven't defined
the organizational unit called People. This can be done using a third LDIF file
called /etc/openldap/abc.ldif, which should look like this:

dn: dc=abc,dc=com
dc: abc
description: Root LDAP entry for abc
objectClass: dcObject
ou: rootObject
objectClass: organizationalUnit

dn: cn=root,dc=abc,dc=com
objectClass: organizationalRole
cn: root

dn: ou=People,dc=abc,dc=com
description: All people in organization
objectClass: organizationalUnit
ou: People

Please note that the blank lines between the entries in abc.ldif are required; without
them the import will fail with an error.
The only step left is to actually import the three *.ldif files into our LDAP. First
you need to import the root domain info (abc.ldif), then the root user info (root.ldif)
and last the additional local users' info (ldapusers.ldif), in that order.
This is done as shown below, first the domain info:
[root@linux2 openldap]# ldapadd -x -D "cn=root,dc=abc,dc=com" -W -f abc.ldif
Enter LDAP Password:
adding new entry "dc=abc,dc=com"
adding new entry "ou=People,dc=abc,dc=com"

Type your LDAP password when prompted and the data will be imported into the
database. Do the same for the files root.ldif and ldapusers.ldif.
[root@linux2 openldap]# ldapadd -x -D "cn=root,dc=abc,dc=com" -W -f root.ldif
Enter LDAP Password:
adding new entry "uid=root,ou=People,dc=abc,dc=com"
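As an added example (not from the original document or from the OpenLDAP migration tools), the following Python code does by hand what migrate_passwd.pl does for the passwd files above, namely turn passwd lines into posixAccount entries under ou=People, and then checks the resulting LDIF the way ldapadd will: entries must be separated by blank lines, and each file in the import order may only reference parents that already exist. The passwd and shadow lines and the hash strings are constructed samples; the abc.ldif text is the one from this page.

```python
import re
from typing import Dict, List

BASE_DN = "dc=abc,dc=com"
PEOPLE_DN = "ou=People," + BASE_DN

# Constructed sample input: two /etc/passwd lines and their /etc/shadow hashes.
# The hash strings are placeholders, not real crypt(3) output.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
user1:x:500:500:First User:/home/user1:/bin/bash
"""
SAMPLE_SHADOW = {
    "root": "$1$PLACEHOLDER$placeholderhash0000000000",
    "user1": "$1$PLACEHOLDER$placeholderhash1111111111",
}

# The abc.ldif from this page, with the entries separated by blank lines.
ABC_LDIF = """dn: dc=abc,dc=com
dc: abc
description: Root LDAP entry for abc
objectClass: dcObject
ou: rootObject
objectClass: organizationalUnit

dn: cn=root,dc=abc,dc=com
objectClass: organizationalRole
cn: root

dn: ou=People,dc=abc,dc=com
description: All people in organization
objectClass: organizationalUnit
ou: People
"""


def passwd_to_ldif(passwd_text: str, shadow: Dict[str, str]) -> str:
    """Turn passwd lines into posixAccount entries under ou=People, the way
    migrate_passwd.pl does; the crypt hash from shadow is copied as {crypt}."""
    entries = []
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, gid, gecos, home, shell = line.split(":")
        attrs = [
            ("dn", "uid=%s,%s" % (name, PEOPLE_DN)),
            ("uid", name),
            ("cn", gecos or name),
            ("objectClass", "account"),
            ("objectClass", "posixAccount"),
            ("objectClass", "top"),
            ("objectClass", "shadowAccount"),
            ("loginShell", shell),
            ("uidNumber", uid),
            ("gidNumber", gid),
            ("homeDirectory", home),
        ]
        if name in shadow:  # copy the existing hash; the cleartext is never known here
            attrs.append(("userPassword", "{crypt}" + shadow[name]))
        entries.append("\n".join("%s: %s" % kv for kv in attrs))
    return "\n\n".join(entries) + "\n"


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Split LDIF into entries at blank lines. Two entries that are not separated by a
    blank line merge into one block with two dn lines, which is rejected here just as
    ldapadd would reject the file."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry: Dict[str, List[str]] = {}
        for raw in block.splitlines():
            if not raw.strip() or raw.startswith("#"):
                continue
            key, _, value = raw.partition(":")
            entry.setdefault(key.strip(), []).append(value.strip())
        if len(entry.get("dn", [])) != 1:
            raise ValueError("block without exactly one dn (missing blank line?): %r" % block[:60])
        entries.append(entry)
    return entries


def is_well_formed(text: str) -> bool:
    """Convenience wrapper: does the LDIF text parse into separate entries?"""
    try:
        parse_ldif(text)
        return True
    except ValueError:
        return False


def check_import_order(ldif_files: List[str]) -> List[str]:
    """Report entries whose parent would not exist yet if the files were fed to
    ldapadd in the given order (abc.ldif, then root.ldif, then ldapusers.ldif)."""
    seen = set()
    problems = []
    for text in ldif_files:
        for entry in parse_ldif(text):
            dn = entry["dn"][0]
            parent = dn.split(",", 1)[1] if "," in dn else ""
            if dn != BASE_DN and parent not in seen:
                problems.append("%s: parent %s not added yet" % (dn, parent))
            seen.add(dn)
    return problems


if __name__ == "__main__":
    users = passwd_to_ldif(SAMPLE_PASSWD, SAMPLE_SHADOW)
    print(users)
    print("right order:", check_import_order([ABC_LDIF, users]))
    print("wrong order:", check_import_order([users, ABC_LDIF]))
```

Running the script shows the generated user entries, an empty problem list for the order the page prescribes, and two "parent not added yet" problems when the user file is fed before abc.ldif, which is the failure you would otherwise only see as an ldapadd error.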
We have completed the LDAP server configuration. Now we move on to the LDAP
client configuration.

LDAP Client Configuration ...

The client machine may be *any* machine that you want your LDAP users to connect to
(and use LDAP authentication, of course). If you have a stand-alone server that you
just want to share with others, then the server is also the client machine.
Configure it to authenticate through LDAP so that users connecting locally or
remotely (via ssh/telnet) can be authenticated.
On the client side, we only need to configure the authentication type and point to
the LDAP server.
For the GUI-style way of setting this, run
[root@linux1 ~]# system-config-authentication
or
[root@linux1 ~]# authconfig

Under the User Information tab, click the "Enable LDAP Support" checkbox; it will
present you with a configuration dialog.


Make sure you fill in the information correctly. Don't check the "Use TLS to encrypt
connections" checkbox, because the authentication won't work. Change the base DN
from "example.com" to "abc" and type in the LDAP server IP, which is 192.168.0.1.
Now do the same on the "Authentication" tab: enable "Enable LDAP support" and click
the button below it to configure it. Leave the checkboxes for "Use shadow passwords"
and "Use MD5 passwords" as they are; they need to stay enabled.

Exporting LDAP users home folders with NFS ...

In order for the LDAP users' home folders to be exported to any machine they
log on to, we need to set up an NFS server.

Setting up NFS Server ...

We have to set up NFS on the LDAP server. To export the directory via NFS,
open the /etc/exports file. In this file, for our scenario, we want to export our /home
folders to all the client machines in our LAN.
[root@linux1 ~]# vi /etc/exports
/home *(rw,sync)

For the NFS server to be able to read the configuration, invoke the command
[root@linux1 ~]# exportfs -a
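Added example, not part of the original document: a small Python checker for /etc/exports that parses each export into path, client and options and flags the settings a reviewer would question. The tightened second line (a 192.168.0.0/24 client range plus an explicit root_squash, which is also the NFS default) is my suggestion, not the page's; the client_matches helper shows that such a range would not cover the page's test client 192.168.100.2.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed /etc/exports: the line from this page, then a tightened variant
# (the 192.168.0.0/24 range and root_squash are my suggestion, not the page's).
SAMPLE_EXPORTS = """# constructed sample
/home *(rw,sync)
/home 192.168.0.0/24(rw,sync,root_squash)
"""

# client part, then optional "(opt,opt,...)"
SPEC_RE = re.compile(r"^([^(]*)(?:\((.*)\))?$")


def parse_exports(text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (path, client, options) for every client spec on every export line.
    A spec with no client, such as '(rw)', exports to every host, same as '*'."""
    result = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        path, specs = fields[0], fields[1:]
        for spec in specs:
            m = SPEC_RE.match(spec)
            client = m.group(1) or "*"
            opts = [o for o in (m.group(2) or "").split(",") if o]
            result.append((path, client, opts))
    return result


def client_matches(client: str, ip: str) -> bool:
    """Does an address fall under a client spec? Handles '*', a single IP and CIDR;
    hostnames and name wildcards are out of scope here and return False."""
    if client == "*":
        return True
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(client, strict=False)
    except ValueError:
        return False


def export_findings(text: str) -> Dict[str, List[str]]:
    """Flag the settings a reviewer would question on each export."""
    findings = {}
    for path, client, opts in parse_exports(text):
        notes = []
        if client == "*":
            notes.append("exported to every host that can reach the server")
        if "no_root_squash" in opts:
            notes.append("no_root_squash: a client's root keeps root on the share")
        if "insecure" in opts:
            notes.append("insecure: requests from unprivileged source ports accepted")
        if "async" in opts:
            notes.append("async: acknowledged writes can be lost on a server crash")
        findings[path + " " + client] = notes
    return findings


if __name__ == "__main__":
    for key, notes in export_findings(SAMPLE_EXPORTS).items():
        print(key, "->", notes or "ok")
    # The page's client linux2 is 192.168.100.2: a /24 export would not cover it.
    print(client_matches("192.168.0.0/24", "192.168.100.2"))  # False
    print(client_matches("192.168.0.0/16", "192.168.100.2"))  # True
```

The point of client_matches is that restricting an export is only useful if the restriction still admits the machines that must mount it; check the actual client addresses against the range before replacing "*".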
Done with the configuration. Now start up the services that need to be running
in order for NFS to work: the services are portmap, nfslock and nfs. Start them
with the service command and set them to start automatically at boot time with the
chkconfig command.
[root@linux1 ~]# service portmap start
[root@linux1 ~]# service nfslock start
[root@linux1 ~]# service nfs start

... and make sure that the services are automatically started at boot time

[root@linux1 ~]# chkconfig portmap on
[root@linux1 ~]# chkconfig nfslock on
[root@linux1 ~]# chkconfig nfs on
[root@linux1 ~]# chkconfig ldap on

Setting up NFS Client...

The client side of the configuration is also easy. Just make sure that the same
services as described above are started at boot time

[root@linux1 ~]# chkconfig portmap on
[root@linux1 ~]# chkconfig nfslock on
[root@linux1 ~]# chkconfig nfs on

Also, add the autofs service to your startup list, because this service will actually
mount our home folders from the NFS server onto our /home folder.
[root@linux2 ~]# chkconfig autofs on

Next, clean up the home folders. Change the mount point of the /home folder in
/etc/fstab from /home to /homeold.
Create the new folder /home
[root@linux1 ~]# mkdir /home
OK, before testing with an actual login, test whether you can mount the exported /home
directory from the NFS server:
[root@linux1 ~]# mount 192.168.0.1:/home /home
Now we want to mount the NFS server's home partition at boot time, so do the
following:
1] Open /etc/auto.master and write down
/home /etc/auto.home
2] Open /etc/auto.home and write down
* -fstype=nfs,soft,intr,rsize=8192,wsize=8192,nosuid,tcp 192.168.0.1:/home/&
That's it. Make sure the needed services are started and
you are ready to test your configuration.
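As an added example (not from the original document), this Python code models how autofs reads the two files above: it parses auto.master and the indirect map, looks up the last path component of a requested path, and substitutes & in the location with that key, so /home/user1 resolves to 192.168.0.1:/home/user1. The missing_hardening helper lists mount options I would expect on a home share (nosuid, as on the page, and nodev, which the page's line lacks); that expectation is mine, not the page's.

```python
from typing import Dict, List, Optional, Tuple

# Constructed copies of the two autofs files from this page.
AUTO_MASTER = "/home /etc/auto.home\n"
AUTO_HOME = ("* -fstype=nfs,soft,intr,rsize=8192,wsize=8192,nosuid,tcp "
             "192.168.0.1:/home/&\n")

MapEntry = Tuple[str, List[str], str]  # (key, mount options, location)


def parse_master(text: str) -> Dict[str, str]:
    """auto.master: 'mount-point map-file' per line -> {mount-point: map-file}."""
    master = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            fields = line.split()
            master[fields[0]] = fields[1]
    return master


def parse_map(text: str) -> List[MapEntry]:
    """Indirect map: 'key [-options] location' per line."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        key = fields[0]
        if len(fields) >= 3 and fields[1].startswith("-"):
            opts, location = fields[1][1:].split(","), fields[2]
        else:
            opts, location = [], fields[1]
        entries.append((key, opts, location))
    return entries


def resolve(path: str, master: Dict[str, str],
            maps: Dict[str, str]) -> Optional[Tuple[str, List[str]]]:
    """What autofs would mount for a path such as /home/user1: find the master entry
    whose mount point is the parent, look the last path component up in its map
    (an explicit key wins over '*'), and substitute '&' in the location with the key."""
    parent, _, key = path.rstrip("/").rpartition("/")
    if parent not in master or master[parent] not in maps:
        return None
    entries = parse_map(maps[master[parent]])
    for wanted in (key, "*"):
        for map_key, opts, location in entries:
            if map_key == wanted:
                return location.replace("&", key), opts
    return None


def missing_hardening(opts: List[str]) -> List[str]:
    """Mount options a home-directory share should carry but this entry lacks;
    the list of options to expect is my suggestion, not the page's."""
    return [o for o in ("nosuid", "nodev") if o not in opts]


if __name__ == "__main__":
    master = parse_master(AUTO_MASTER)
    maps = {"/etc/auto.home": AUTO_HOME}
    location, opts = resolve("/home/user1", master, maps)
    print(location, opts)
    print("missing:", missing_hardening(opts))
```

Because the map key is "*", every user who logs in gets 192.168.0.1:/home/<user> mounted on demand; a user whose directory does not exist on the server simply gets a failed mount, which is the first thing to check when an LDAP login succeeds but lands in a read-only or empty home.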
