인디노트
Step by Step OpenLDAP Server Configuration on CentOS 7 / RHEL 7
인디개발자 2018. 2. 21. 19:23

OpenLDAP is an open-source implementation of the Lightweight Directory Access Protocol developed by the OpenLDAP Project. LDAP is an Internet protocol that email and other programs use to look up contact information from a server. It is released under the OpenLDAP Public License and is available for all major Linux distributions, AIX, Android, HP-UX, OS X, Solaris, Windows and z/OS.
It functions like a relational database in certain ways and can be used to store any kind of information. LDAP is not limited to storing information; it is also used as the backend directory for "single sign-on", where one password per user is shared across many services.
In this tutorial, we will configure OpenLDAP for centralized login, where users log in to multiple servers with a single account.
Environment:
Host Name | IP Address | OS | Purpose |
---|---|---|---|
server.itzgeek.local | 192.168.12.10 | CentOS 7 | LDAP Server |
client.itzgeek.local | 192.168.12.20 | CentOS 7 | LDAP Client |
Prerequisites:
1. Make sure both LDAP server “server.itzgeek.local” (192.168.12.10) and LDAP client “client.itzgeek.local” (192.168.12.20) are accessible.
2. Make an entry for each machine in /etc/hosts for name resolution.

```
vi /etc/hosts
192.168.12.10 server.itzgeek.local server
192.168.12.20 client.itzgeek.local client
```

Alternatively, if you plan to use server names instead of IP addresses, configure a DNS server (see the article How to Configure DNS Server on RHEL 7).
Here I will use IP addresses throughout the configuration.
Install LDAP:
Run the command below on the LDAP server (server.itzgeek.local) to install the LDAP RPM packages.

```
yum -y install openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel
```
Start the LDAP service and enable it for the auto start of service on system boot.
```
systemctl start slapd.service
systemctl enable slapd.service
```
Verify that slapd is listening on port 389.

```
netstat -antup | grep -i 389
tcp        0      0 0.0.0.0:389       0.0.0.0:*       LISTEN      1520/slapd
tcp6       0      0 :::389            :::*            LISTEN      1520/slapd
```
Setup LDAP root password:
Run the command below to generate the hash of an LDAP root password; we will use this root password throughout this article, so make a note of it and keep it aside.

```
[root@server ~]# slappasswd
New password:
Re-enter new password:
{SSHA}d/thexcQUuSfe3rx3gRaEhHpNJ52N8D3
[root@server ~]#
```
Configure OpenLDAP server:
The OpenLDAP server's configuration files are found in /etc/openldap/slapd.d/. To begin, we need to set the attributes olcSuffix, olcRootDN and olcRootPW on the database entry.
olcSuffix – the database suffix, i.e. the domain name for which this LDAP server provides information. In simple words, change it to your domain name.
olcRootDN – the Root Distinguished Name (DN), the entry for the user who has unrestricted access to perform all administration activities on the directory, like a root user.
olcRootPW – the password for the above RootDN.
Create a .ldif file with the entries below, replacing the olcRootPW value with the {SSHA} hash that slappasswd printed for you (the hash shown here is only a sample).

```
# vi db.ldif
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=itzgeek,dc=local

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=ldapadm,dc=itzgeek,dc=local

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}QF+jBFJ/RWGVwPuDzQI87YJfJtKOYGhK
```
Once you are done with the ldif file, send the configuration to the LDAP server.
```
ldapmodify -Y EXTERNAL -H ldapi:/// -f db.ldif
```
Next, restrict access to the monitor database so that only the LDAP root user (ldapadm) can read it. Do not edit /etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif by hand; write the change to an LDIF file and apply it with ldapmodify as shown below.

```
# vi monitor.ldif
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=ldapadm,dc=itzgeek,dc=local" read by * none
```
Once you have updated the file, send the configuration to the LDAP server.
```
ldapmodify -Y EXTERNAL -H ldapi:/// -f monitor.ldif
```
Create LDAP certificate:
Let's create a self-signed certificate for our LDAP server; the command below generates both the certificate and the private key in the /etc/openldap/certs/ directory.

```
openssl req -new -x509 -nodes -out /etc/openldap/certs/itzgeekldapcert.pem -keyout /etc/openldap/certs/itzgeekldapkey.pem -days 365
Generating a 2048 bit RSA private key
...+++
.....................................+++
writing new private key to '/etc/openldap/certs/itzgeekldapkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:XX
State or Province Name (full name) []:XX
Locality Name (eg, city) [Default City]:XXXXXX
Organization Name (eg, company) [Default Company Ltd]:ITzGeek
Organizational Unit Name (eg, section) []:IT Infra
Common Name (eg, your name or your server's hostname) []:server.itzgeek.local
Email Address []:admin@itzgeek.com
```
Set the owner and group of both files to ldap.

```
chown -R ldap:ldap /etc/openldap/certs/*.pem
```

Verify the created certificate and key under /etc/openldap/certs/.

```
ll /etc/openldap/certs/*.pem
-rw-r--r--. 1 ldap ldap 1440 Oct 10 02:31 /etc/openldap/certs/itzgeekldapcert.pem
-rw-r--r--. 1 ldap ldap 1704 Oct 10 02:31 /etc/openldap/certs/itzgeekldapkey.pem
```

Note that the private key is created world-readable (-rw-r--r--); tighten its mode to 600 so that only the ldap user can read it.
Create a certs.ldif file to configure LDAP to use this self-signed certificate for TLS.

```
# vi certs.ldif
dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/itzgeekldapcert.pem

dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/itzgeekldapkey.pem
```
Import the configuration into the LDAP server.

```
ldapmodify -Y EXTERNAL -H ldapi:/// -f certs.ldif
```
Verify the configuration:
```
slaptest -u
```
You should get the following message, confirming that the configuration is valid.

```
config file testing succeeded
```
Set up LDAP database:
Copy the sample database configuration file to /var/lib/ldap and update the file permissions.
```
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown ldap:ldap /var/lib/ldap/*
```
Add the cosine, nis and inetorgperson LDAP schemas.

```
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
```
Generate base.ldif file for your domain.
```
# vi base.ldif
dn: dc=itzgeek,dc=local
dc: itzgeek
objectClass: top
objectClass: domain

dn: cn=ldapadm ,dc=itzgeek,dc=local
objectClass: organizationalRole
cn: ldapadm
description: LDAP Manager

dn: ou=People,dc=itzgeek,dc=local
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=itzgeek,dc=local
objectClass: organizationalUnit
ou: Group
```
Build the directory structure.
```
ldapadd -x -W -D "cn=ldapadm,dc=itzgeek,dc=local" -f base.ldif
```
Output:
```
Enter LDAP Password:
adding new entry "dc=itzgeek,dc=local"
adding new entry "cn=ldapadm ,dc=itzgeek,dc=local"
adding new entry "ou=People,dc=itzgeek,dc=local"
adding new entry "ou=Group,dc=itzgeek,dc=local"
```
Create LDAP user:
Let’s create an LDIF file for a new user called raj.
```
vi raj.ldif
```

Paste the lines below into the LDIF file.

```
dn: uid=raj,ou=People,dc=itzgeek,dc=local
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: raj
uid: raj
uidNumber: 9999
gidNumber: 100
homeDirectory: /home/raj
loginShell: /bin/bash
gecos: Raj [Admin (at) ITzGeek]
userPassword: {crypt}x
shadowLastChange: 17058
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
```
Use ldapadd with the file above to create the user "raj" in the OpenLDAP directory.

```
ldapadd -x -W -D "cn=ldapadm,dc=itzgeek,dc=local" -f raj.ldif
Enter LDAP Password:
adding new entry "uid=raj,ou=People,dc=itzgeek,dc=local"
```
Assign a password to the user.
```
ldappasswd -s password123 -W -D "cn=ldapadm,dc=itzgeek,dc=local" -x "uid=raj,ou=People,dc=itzgeek,dc=local"
```

Where,
-s specifies the new password on the command line (it is then visible in the shell history and process list; -S prompts for it instead)
-x uses simple (non-SASL) authentication; the DN given as the last argument is the user whose password is changed
-D the Distinguished Name used to bind to the LDAP server.
Verify the LDAP entries. Note that this search binds anonymously (-x with no -D) and the output below still returns the user's userPassword hash; on a production server, add an olcAccess rule on the hdb database so that only the user and the root DN can read userPassword.

```
ldapsearch -x cn=raj -b dc=itzgeek,dc=local
```

Output:

```
# extended LDIF
#
# LDAPv3
# base <dc=itzgeek,dc=local> with scope subtree
# filter: cn=raj
# requesting: ALL
#

# raj, People, itzgeek.local
dn: uid=raj,ou=People,dc=itzgeek,dc=local
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: raj
uid: raj
uidNumber: 9999
gidNumber: 100
homeDirectory: /home/raj
loginShell: /bin/bash
gecos: Raj [Admin (at) ITzGeek]
shadowLastChange: 17058
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
userPassword:: e1NTSEF9MkE2eUhIS0pJQVRnMHBCdkpVWjR5Q3JvTkJLTzdBTWY=

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
```
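As an added check that is not part of the original tutorial: the anonymous search above returned userPassword base64-encoded (LDIF writes a double colon before values it does not consider safe plain text). The POSIX shell functions below, which assume GNU coreutils base64, decode such values from a saved ldapsearch dump and report the password hash scheme, so an administrator can confirm whether password hashes are readable without authentication.

```shell
# Added example (not from the original tutorial): audit a saved
# ldapsearch LDIF dump for base64-encoded ("::") attribute values and
# report whether a userPassword hash was disclosed. Assumes GNU base64.

# Constructed sample: a shortened copy of the anonymous search output.
SAMPLE_LDIF='dn: uid=raj,ou=People,dc=itzgeek,dc=local
objectClass: posixAccount
cn: raj
userPassword:: e1NTSEF9MkE2eUhIS0pJQVRnMHBCdkpVWjR5Q3JvTkJLTzdBTWY=
'

# Decode every "attr:: base64" line; all other lines pass through as-is.
ldif_decode() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in
            *'::'*)
                attr=${line%%::*}
                val=$(printf '%s' "${line#*:: }" | base64 -d 2>/dev/null \
                      || printf '<undecodable>')
                printf '%s: %s\n' "$attr" "$val"
                ;;
            *) printf '%s\n' "$line" ;;
        esac
    done
}

# Print the hash scheme ({SSHA}, {crypt}, ...) of the first userPassword
# value in the dump, or "none" if the server did not return the attribute.
password_scheme() {
    scheme=$(ldif_decode "$1" \
             | sed -n 's/^userPassword: \({[A-Za-z0-9]*}\).*/\1/p' | head -n1)
    if [ -n "$scheme" ]; then
        printf '%s\n' "$scheme"
    else
        printf 'none\n'
    fi
}
```

Feed it the saved output of the ldapsearch command above, for example password_scheme "$(cat dump.ldif)"; any result other than none means the hash is readable by whoever ran the search.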
To delete an entry from LDAP (optional):

```
ldapdelete -W -D "cn=ldapadm,dc=itzgeek,dc=local" "uid=raj,ou=People,dc=itzgeek,dc=local"
```
Firewall:
Add the LDAP service (tcp 389) to the firewall.

```
firewall-cmd --permanent --add-service=ldap
firewall-cmd --reload
```
Enable LDAP logging:
Configure rsyslog to log LDAP events to the file /var/log/ldap.log.

```
vi /etc/rsyslog.conf
```

Add the line below to /etc/rsyslog.conf.

```
local4.* /var/log/ldap.log
```
Restart the rsyslog service.
```
systemctl restart rsyslog
```
LDAP client configuration to use LDAP Server:
Install the necessary LDAP client packages on the client machine.
```
# yum install -y openldap-clients nss-pam-ldapd
```
Execute the command below to join the client machine to the LDAP server for single sign-on. Replace "192.168.12.10" with your LDAP server's IP address or hostname. As written, this configures plain LDAP on port 389 without TLS; add --enableldaptls, with the server certificate trusted on the client, to use the certificate created above.

```
# authconfig --enableldap --enableldapauth --ldapserver=192.168.12.10 --ldapbasedn="dc=itzgeek,dc=local" --enablemkhomedir --update
```
Restart the LDAP client service.
```
# systemctl restart nslcd
```
Verify LDAP Login:
Use the getent command to fetch the user's entry from the LDAP server.

```
# getent passwd raj
raj:x:9999:100:Raj [Admin (at) ITzGeek]:/home/raj:/bin/bash
```
Finally, verify the setup end to end by logging in to the client machine as the LDAP user "raj".
That’s All.