Sunday, February 9, 2014

OpenLDAP server on Fedora 20

Installation

# yum install openldap-servers migrationtools -y

Initial Start

Generate the password hash for the server's root DN (olcRootPW). `slappasswd` prints an {SSHA} hash (the value below is an example; yours will differ). The hash must be added to the hdb database entry with ldapmodify — note that the stock olcDatabase={2}hdb entry shown further down has an olcRootDN but no olcRootPW line, so nobody can bind as the Manager until this is done.

# slappasswd

{SSHA}KMAAqJoh0gUxs8TPZfa2MvZezcp5+O4E

Configuration Files
[root@localhost openldap]# ls -l
total 20
drwxr-xr-x. 2 root root 4096 Feb  7 11:53 certs
-rw-r--r--. 1 root root  121 Jan 13 19:50 check_password.conf
-rw-r--r--. 1 root root  364 Jan 13 19:50 ldap.conf
drwxr-xr-x. 2 root root 4096 Feb  7 11:53 schema
drwx------. 3 ldap ldap 4096 Feb  7 11:53 slapd.d
[root@localhost openldap]# cd slapd.d/
[root@localhost slapd.d]# ls -l
total 8
drwxr-x---. 3 ldap ldap 4096 Feb  7 12:12 cn=config
-rw-------. 1 ldap ldap  589 Feb  7 11:53 cn=config.ldif
[root@localhost slapd.d]# cd cn\=config
[root@localhost cn=config]# ls -l
total 24
drwxr-x---. 2 ldap ldap 4096 Feb  7 11:53 cn=schema
-rw-------. 1 ldap ldap  378 Feb  7 11:53 cn=schema.ldif
-rw-------. 1 ldap ldap  513 Feb  7 11:53 olcDatabase={0}config.ldif
-rw-------. 1 ldap ldap  408 Feb  7 11:53 olcDatabase={-1}frontend.ldif
-rw-------. 1 ldap ldap  562 Feb  7 11:53 olcDatabase={1}monitor.ldif
-rw-------. 1 ldap ldap  609 Feb  7 11:53 olcDatabase={2}hdb.ldif

Default Fedora configuration of the OpenLDAP hdb database. As shipped it still carries olcSuffix/olcRootDN of dc=my-domain,dc=com and no olcRootPW; these must be changed to the real base (dc=tomjerry,dc=and) and to the hash printed by slappasswd. Do it with ldapmodify against cn=config, as the file header says — editing these files by hand invalidates their CRC32 line, which is exactly the `checksum error` that slaptest reports later in this walkthrough.
[root@localhost cn=config]# cat olcDatabase\=\{2\}hdb.ldif

      1 # AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
      2 # CRC32 2792fd93
      3 dn: olcDatabase={2}hdb
      4 objectClass: olcDatabaseConfig
      5 objectClass: olcHdbConfig
      6 olcDatabase: {2}hdb
      7 olcDbDirectory: /var/lib/ldap
      8 olcSuffix: dc=my-domain,dc=com
      9 olcRootDN: cn=Manager,dc=my-domain,dc=com
     10 olcDbIndex: objectClass eq,pres
     11 olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
     12 structuralObjectClass: olcHdbConfig
     13 entryUUID: 147058b0-240c-1033-97b1-2b95e7519548
     14 creatorsName: cn=config
     15 createTimestamp: 20140207062318Z
     16 entryCSN: 20140207062318.835797Z#000000#000#000000
     17 modifiersName: cn=config
     18 modifyTimestamp: 20140207062318Z

[root@localhost cn=config]# cat olcDatabase\=\{1\}monitor.ldif

      1 # AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
      2 # CRC32 98c50304
      3 dn: olcDatabase={1}monitor
      4 objectClass: olcDatabaseConfig
      5 olcDatabase: {1}monitor
      6 olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external
      7  ,cn=auth" read by dn.base="cn=Manager,dc=my-domain,dc=com" read by * none
      8 structuralObjectClass: olcDatabaseConfig
      9 entryUUID: 147053f6-240c-1033-97b0-2b95e7519548
     10 creatorsName: cn=config
     11 createTimestamp: 20140207062318Z
     12 entryCSN: 20140207062318.835676Z#000000#000#000000
     13 modifiersName: cn=config
     14 modifyTimestamp: 20140207062318Z

# cd /usr/share/migrationtools/

# vi migrate_common.ph
48 $NAMINGCONTEXT{'group'}             = "ou=Group" ## stock value is "ou=Groups"; drop the trailing "s" so it matches the ou=Group container that migrate_base.pl creates and that migrate_group.pl writes into ##

70 # Default DNS domain
71 $DEFAULT_MAIL_DOMAIN = "tomjerry.and";
72
73 # Default base
74 $DEFAULT_BASE = "dc=tomjerry,dc=and";

90 $EXTENDED_SCHEMA = 1; ## "0" edit to "1"##

Generate the base LDIF. The entries produced should now carry the base DN and domain set above (dc=tomjerry,dc=and / tomjerry.and):

# ./migrate_base.pl
dn: dc=tomjerry,dc=and
dc: tomjerry
objectClass: top
objectClass: domain
objectClass: domainRelatedObject
associatedDomain: tomjerry.and

dn: ou=Mounts,dc=tomjerry,dc=and
ou: Mounts
objectClass: top
objectClass: organizationalUnit
objectClass: domainRelatedObject
associatedDomain: tomjerry.and

dn: ou=Rpc,dc=tomjerry,dc=and
ou: Rpc
objectClass: top
objectClass: organizationalUnit
objectClass: domainRelatedObject
associatedDomain: tomjerry.and

dn: ou=People,dc=tomjerry,dc=and
ou: People
objectClass: top
objectClass: organizationalUnit
objectClass: domainRelatedObject
associatedDomain: tomjerry.and

dn: ou=Hosts,dc=tomjerry,dc=and
ou: Hosts
objectClass: top
objectClass: organizationalUnit
objectClass: domainRelatedObject
associatedDomain: tomjerry.and

dn: nisMapName=netgroup.byuser,dc=tomjerry,dc=and
nismapname: netgroup.byuser
objectClass: top
objectClass: nisMap
objectClass: domainRelatedObject
associatedDomain: tomjerry.and

dn: ou=Netgroup,dc=tomjerry,dc=and
ou: Netgroup
objectClass: top
objectClass: organizationalUnit
objectClass: domainRelatedObject
associatedDomain: tomjerry.and

dn: ou=Networks,dc=tomjerry,dc=and
ou: Networks
objectClass: top
objectClass: organizationalUnit
objectClass: domainRelatedObject
associatedDomain: tomjerry.and

dn: ou=Services,dc=tomjerry,dc=and
ou: Services
objectClass: top
objectClass: organizationalUnit
objectClass: domainRelatedObject
associatedDomain: tomjerry.and

dn: nisMapName=netgroup.byhost,dc=tomjerry,dc=and
nismapname: netgroup.byhost
objectClass: top
objectClass: nisMap
objectClass: domainRelatedObject
associatedDomain: tomjerry.and

dn: ou=Aliases,dc=tomjerry,dc=and
ou: Aliases
objectClass: top
objectClass: organizationalUnit
objectClass: domainRelatedObject
associatedDomain: tomjerry.and

dn: ou=Group,dc=tomjerry,dc=and
ou: Group
objectClass: top
objectClass: organizationalUnit
objectClass: domainRelatedObject
associatedDomain: tomjerry.and

dn: ou=Protocols,dc=tomjerry,dc=and
ou: Protocols
objectClass: top
objectClass: organizationalUnit
objectClass: domainRelatedObject
associatedDomain: tomjerry.and

To write that output to base.ldif:

# ./migrate_base.pl > /root/base.ldif

Create local test accounts on the system; these are what will be migrated into the LDAP server

# mkdir /home/ldappeople
# useradd -d /home/ldappeople/ldappeople1 ldappeople1
# useradd -d /home/ldappeople/ldappeople2 ldappeople2
# useradd -d /home/ldappeople/ldappeople3 ldappeople3
# useradd -d /home/ldappeople/ldappeople4 ldappeople4
# useradd -d /home/ldappeople/ldappeople5 ldappeople5

#passwd ldappeople1
#passwd ldappeople2
#passwd ldappeople3
#passwd ldappeople4
#passwd ldappeople5

# getent passwd

# getent passwd | tail -n 5 >  /root/users

#getent shadow

#getent shadow | tail -n 5 >  /root/passwords
# chmod 600 /root/passwords

/root/passwords now holds the SHA-512 crypt hashes copied out of /etc/shadow, but it is created under the default umask and ends up mode 644 (see the `ls -l /root/` listing further down), i.e. readable by every local account. Tighten it to 600. The same applies to users.ldif generated later, which embeds the same hashes — protect it the same way and delete both files once the import is done.

#getent group |tail -n 5

#getent group |tail -n 5 > /root/groups

Create a self-signed TLS certificate and private key for slapd. `-nodes` leaves the key unencrypted on disk, so file ownership and mode are its only protection; the Fedora convention is to keep keys in /etc/pki/tls/private rather than in certs/. Note that the Common Name entered below is tomjerry.and — that is the name clients must use when they connect over TLS.

# openssl req -new -x509 -nodes -out /etc/pki/tls/certs/tomjerry.pem -keyout /etc/pki/tls/certs/tomjerrykey.pem -days 365
Generating a 2048 bit RSA private key
...+++
..................................................+++
writing new private key to '/etc/pki/tls/certs/tomjerry.pem'
(Note: this output line names tomjerry.pem as the key file, which does not match `-keyout .../tomjerrykey.pem` in the command above — the transcript appears to come from a different run. With the command as written the key is in tomjerrykey.pem and the certificate in tomjerry.pem. Confirm which file is which, e.g. `openssl x509 -noout -subject -in FILE` and `openssl rsa -noout -check -in FILE`, before anything is copied elsewhere, so the key is not published by mistake in the steps below.)
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:MAHA
Locality Name (eg, city) [Default City]:MUMBAI
Organization Name (eg, company) [Default Company Ltd]:TOMJERRY. INC,
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:tomjerry.and
Email Address []:rajat@tomjerry.and

# chown root:ldap /etc/pki/tls/certs/tomjerry.pem /etc/pki/tls/certs/tomjerrykey.pem
# chmod 644 /etc/pki/tls/certs/tomjerry.pem
# chmod 640 /etc/pki/tls/certs/tomjerrykey.pem

(The original step was `chown -R root:ldap /etc/pki/tls/certs/yeswedeal*`. That pattern does not match the tomjerry* files generated above, so it changed nothing, and no chmod was applied at all. slapd runs as the ldap user — see `slapd -u ldap` in the systemctl status output below — so group ldap needs read access to the key and nobody else should have it.)

Publish only the certificate, so clients can fetch it as their CA:

# cp -v /etc/pki/tls/certs/tomjerry.pem /var/ftp/pub/

Do NOT copy the private key here. /var/ftp/pub is the anonymous-FTP directory and is linked into the web root in the next step, so everything in it is world-readable. The original command was `cp -rvf /etc/pki/tls/certs/yeswedeal* /var/ftp/pub/`, and its output shows the key being copied along with the certificate:
`/etc/pki/tls/certs/yeswedealkey.pem' -> `/var/ftp/pub/yeswedealkey.pem'
`/etc/pki/tls/certs/yeswedeal.pem' -> `/var/ftp/pub/yeswedeal.pem'
Anyone who can download the key file can impersonate the LDAP server to every client that trusts this certificate and, with RSA key-exchange cipher suites, decrypt recorded TLS sessions — which means every user's credentials. If a key has ever been copied into a public directory, remove the copies and generate a fresh key pair; the exposed key cannot be un-published.


# ln -s /var/ftp/pub/ /var/www/html/

This makes everything in /var/ftp/pub reachable over HTTP as /pub/ as well — another reason the directory must contain only the public certificate.

# vi /usr/share/migrationtools/migrate_passwd.pl
186 sub read_shadow_file
    187 {
    188         open(SHADOW, "/root/passwords") || return; ## add your path exmple :/root/passwords ##
    189         while(<SHADOW>) {
    190                 chop;
    191                 ($shadowUser) = split(/:/, $_);
    192                 $shadowUsers{$shadowUser} = $_;
    193         }
    194         close(SHADOW);
    195 }

Migrate the users together with their password hashes to LDAP. read_shadow_file above now reads /root/passwords instead of /etc/shadow, so migrate_passwd.pl can run without touching the live shadow file. The userPassword values it emits are the accounts' real SHA-512 crypt hashes ({crypt}$6$...), so treat users.ldif — and any transcript of it — as sensitive.

# ls -l /root/
total 24
-rw-------. 1 root root  980 Feb  7 11:39 anaconda-ks.cfg
-rw-r--r--. 1 root root 2088 Feb 10 10:16 base.ldif
-rw-r--r--. 1 root root  100 Feb 10 10:24 groups
-rw-r--r--. 1 root root  713 Feb  7 14:30 ldap.sh
-rw-r--r--. 1 root root  650 Feb 10 10:24 passwords
-rw-r--r--. 1 root root  320 Feb 10 10:23 users

# ./migrate_passwd.pl /root/users
dn: uid=ldappeople1,ou=People,dc=tomjerry,dc=and
uid: ldappeople1
cn: ldappeople1
sn: ldappeople1
mail: ldappeople1@tomjerry.and
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$6$yX9pRsgh$73UTx9iUPGhzGmTRw0C2c2SueSLcgTpV.6xlWuUrJdiZsCdV0b2er.kynPcgyqT/4VtJYLSu/fYKakeHC/2az1
shadowLastChange: 16111
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/ldappeople/ldappeople1

dn: uid=ldappeople2,ou=People,dc=tomjerry,dc=and
uid: ldappeople2
cn: ldappeople2
sn: ldappeople2
mail: ldappeople2@tomjerry.and
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$6$jHCMjc3c$kX5.rv15RUh3FFRpb5WPuHo/w2Lz.CA1fV9u7Mv0C921yKl6BNuRSW2yuyRZnzFkgqSuz7zFfRPaH8CZbpqx.1
shadowLastChange: 16111
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1002
gidNumber: 1002
homeDirectory: /home/ldappeople/ldappeople2

dn: uid=ldappeople3,ou=People,dc=tomjerry,dc=and
uid: ldappeople3
cn: ldappeople3
sn: ldappeople3
mail: ldappeople3@tomjerry.and
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$6$OJjfVqpu$mziIRrTz0ZD1LYQsul5ELhEAaps2aX/d5oV62OlOexaVtu0hD1zp8ChYcdKCu1qn4E/5hiLo5ubNE4ytWy8tF0
shadowLastChange: 16111
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1003
gidNumber: 1003
homeDirectory: /home/ldappeople/ldappeople3

dn: uid=ldappeople4,ou=People,dc=tomjerry,dc=and
uid: ldappeople4
cn: ldappeople4
sn: ldappeople4
mail: ldappeople4@tomjerry.and
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$6$bOo7/SBC$yjDSZCCoaLfJwemlW3Cwh84EJNVLmTImYubHnfzfrpG7ROBV66PTcWorZ1EUdxNRZVM5izY2sMJ3VQXgfcy9J1
shadowLastChange: 16111
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1004
gidNumber: 1004
homeDirectory: /home/ldappeople/ldappeople4

dn: uid=ldappeople5,ou=People,dc=tomjerry,dc=and
uid: ldappeople5
cn: ldappeople5
sn: ldappeople5
mail: ldappeople5@tomjerry.and
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$6$ONFG4JSW$WR.eRoK6oO2lwuAVTYDVSAwfaEIyd3EKVRL7//9J80dk6XkkooFY73oCf0JDkEZ1f9wib3/VaXotwmgaoZd6h1
shadowLastChange: 16111
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1005
gidNumber: 1005
homeDirectory: /home/ldappeople/ldappeople5


#  ./migrate_passwd.pl  /root/users > /root/users.ldif

# ./migrate_group.pl  /root/groups
dn: cn=ldappeople1,ou=Group,dc=tomjerry,dc=and
objectClass: posixGroup
objectClass: top
cn: ldappeople1
userPassword: {crypt}x
gidNumber: 1001

dn: cn=ldappeople2,ou=Group,dc=tomjerry,dc=and
objectClass: posixGroup
objectClass: top
cn: ldappeople2
userPassword: {crypt}x
gidNumber: 1002

dn: cn=ldappeople3,ou=Group,dc=tomjerry,dc=and
objectClass: posixGroup
objectClass: top
cn: ldappeople3
userPassword: {crypt}x
gidNumber: 1003

dn: cn=ldappeople4,ou=Group,dc=tomjerry,dc=and
objectClass: posixGroup
objectClass: top
cn: ldappeople4
userPassword: {crypt}x
gidNumber: 1004

dn: cn=ldappeople5,ou=Group,dc=tomjerry,dc=and
objectClass: posixGroup
objectClass: top
cn: ldappeople5
userPassword: {crypt}x
gidNumber: 1005


#  ./migrate_group.pl  /root/groups > /root/groups.ldif

# ls -ltr /root/
total 32
-rw-------. 1 root root  980 Feb  7 11:39 anaconda-ks.cfg
-rw-r--r--. 1 root root  713 Feb  7 14:30 ldap.sh
-rw-r--r--. 1 root root 2088 Feb 10 10:16 base.ldif
-rw-r--r--. 1 root root  320 Feb 10 10:23 users
-rw-r--r--. 1 root root  650 Feb 10 10:24 passwords
-rw-r--r--. 1 root root  100 Feb 10 10:24 groups
-rw-r--r--. 1 root root 2785 Feb 10 10:34 users.ldif
-rw-r--r--. 1 root root  720 Feb 10 10:35 groups.ldif

Now load the LDIF files into the LDAP server. First check the configuration with slaptest. The two `checksum error` lines below are not fatal — slapd still starts — but they mean olcDatabase={1}monitor.ldif and olcDatabase={2}hdb.ldif were edited by hand rather than through ldapmodify (each file carries a CRC32 of its contents, and its header says DO NOT EDIT). The supported way to set olcSuffix, olcRootDN and olcRootPW is an LDIF applied with `ldapmodify -Y EXTERNAL -H ldapi:///` (slapd is listening on ldapi:///, see the status output below); that keeps the checksums valid and cannot leave a file half-written.
# slaptest -u
52f86020 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif"
52f86020 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif"
config file testing succeeded

#systemctl restart slapd.service

# systemctl status slapd.service
slapd.service - OpenLDAP Server Daemon
   Loaded: loaded (/usr/lib/systemd/system/slapd.service; enabled)
   Active: active (running) since Mon 2014-02-10 10:48:59 IST; 5min ago
  Process: 799 ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS (code=exited, status=0/SUCCESS)
  Process: 771 ExecStartPre=/usr/libexec/openldap/check-config.sh (code=exited, status=0/SUCCESS)
 Main PID: 801 (slapd)
   CGroup: /system.slice/slapd.service
           └─801 /usr/sbin/slapd -u ldap -h ldapi:/// ldap:///

Feb 10 10:53:10 localhost.localdomain slapd[801]: conn=1002 op=2 UNBIND
Feb 10 10:53:10 localhost.localdomain slapd[801]: conn=1002 fd=11 closed
Feb 10 10:53:27 localhost.localdomain slapd[801]: conn=1003 fd=11 ACCEPT from IP=[::1]:47273 (IP=[::]:389)
Feb 10 10:53:27 localhost.localdomain slapd[801]: conn=1003 op=0 BIND dn="cn=Manager,dc=tomjerry,dc=and" method=128
Feb 10 10:53:27 localhost.localdomain slapd[801]: conn=1003 op=0 BIND dn="cn=Manager,dc=tomjerry,dc=and" mech=SIMPLE ssf=0
Feb 10 10:53:27 localhost.localdomain slapd[801]: conn=1003 op=0 RESULT tag=97 err=0 text=
Feb 10 10:53:27 localhost.localdomain slapd[801]: conn=1003 op=1 ADD dn="cn=ldappeople1,ou=Group,dc=tomjerry,dc=and"
Feb 10 10:53:27 localhost.localdomain slapd[801]: conn=1003 op=1 RESULT tag=105 err=21 text=objectClass: value #0 invalid per syntax
Feb 10 10:53:27 localhost.localdomain slapd[801]: conn=1003 op=2 UNBIND
Feb 10 10:53:27 localhost.localdomain slapd[801]: conn=1003 fd=11 closed


Before loading: the journal lines above record an attempt to add cn=ldappeople1,ou=Group failing with `err=21 objectClass: value #0 invalid per syntax`. A stock Fedora install typically has only the core schema loaded, and posixGroup (like posixAccount and inetOrgPerson in users.ldif) comes from the cosine/nis/inetorgperson schemas — that is the most likely cause, so load them first: `ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif` and likewise for nis.ldif and inetorgperson.ldif. Note also `mech=SIMPLE ssf=0` on the Manager BIND: a simple bind sends the root password in clear text. Here it is on loopback ([::1]), which is acceptable, but any remote administrative bind must use ldaps:// or StartTLS (`-ZZ`) once TLS is configured on the server.

#ldapadd -x -W -D "cn=Manager,dc=tomjerry,dc=and" -f /root/base.ldif

#ldapadd -x -W -D "cn=Manager,dc=tomjerry,dc=and" -f /root/users.ldif

#ldapadd -x -W -D "cn=Manager,dc=tomjerry,dc=and" -f /root/groups.ldif

#ldapsearch -x -b "dc=tomjerry,dc=and" |less


Network Ports — slapd is listening on plain ldap (389) only, on every IPv4 and IPv6 address. Nothing in this walkthrough yet hands the server the certificate created earlier: olcTLSCertificateFile/olcTLSCertificateKeyFile must be set on cn=config (via ldapmodify) and, for ldaps on 636, `ldaps:///` added to SLAPD_URLS (the unit reads it from its environment file, /etc/sysconfig/slapd on Fedora). Until that is done the client's "Use TLS" option below cannot work, and every bind and every userPassword attribute read crosses the network in clear text.
# lsof -i -n -P | grep -i slapd
slapd    496 ldap    8u  IPv4  32324      0t0  TCP *:389 (LISTEN)
slapd    496 ldap    9u  IPv6  32325      0t0  TCP *:389 (LISTEN)

On the Client system.

# ping tomjerry.and

(The original line had a typo, tomjeery.and. This will not resolve until the next step adds the server to /etc/hosts.)

#vi /etc/hosts

Add LDAP server ipaddress & fqdn and save

#getent passwd ldappeople1

# su - ldappeople1
su: user ldappeople1 does not exist

#authconfig-tui or authconfig-gtk (either tool can configure the LDAP client)

choose --LDAP
LDAP Server Base DN dc=tomjerry,dc=and
LDAP Server ldap://ldap.tomjerry.and

(Caveat: the certificate generated above has CN=tomjerry.and, not ldap.tomjerry.and. With TLS enabled the client checks that the server name matches the certificate, so either reissue the certificate with the name the clients will use — ideally as a subjectAltName — or point the client at the name in the certificate. Do not work around this by setting TLS_REQCERT to allow or never; that disables server authentication entirely.)

Use TLS to Encrypt connections — required, otherwise every bind and every user's password hash crosses the network in clear text (see the Network Ports note on the server: TLS must also be configured on the server side for this to work).

Download CA Certificate----http://ldap.tomjerry.and/pub/tomjerry.pem

This is the self-signed server certificate acting as its own CA. It is fetched over plain HTTP, so anyone on the path could substitute their own certificate; compare its fingerprint with the one on the server (`openssl x509 -noout -fingerprint -sha256 -in /etc/pki/tls/certs/tomjerry.pem`) before accepting it. Make sure /var/ftp/pub holds only this .pem and never the key file.

getent passwd ldappeople1