P. 1
LDAP.1

LDAP.1

|Views: 16|Likes:
Published by anp523

More info:

Published by: anp523 on Mar 29, 2011
Copyright:Attribution Non-commercial

Availability:

Read on Scribd mobile: iPhone, iPad and Android.
download as PDF, TXT or read online from Scribd
See more
See less

11/02/2014

pdf

text

original

LDAP Centralize Login - Document What is LDAP ...

_______________________________________________________ LDAP stands for "Lightweight Directory Access Protocol", is a software protocol for enabling anyone to locate organizations, individuals and other resources such as files and devices in a network, whether on the public Internet or a corporate intranet. Case Study To configure centralized login scheme, Setup LDAP Server and create all the users for logging into our network at one place. We will also setup home folder for our LDAP users in our RHEL5 (192.168.0.1) server and export them via NFS, so that when user logs in on any machine in our network, he/she will automatically have his/her home folder available. ♦ ♦ ♦ Domain Name is abc, which makes our domain component (dc) Server name is Iinux1 (192.168.0.1) and our testing client's name is linux2(192.168.100.2) We will setup one Organization Unit (OU) called People and we will create our new LDAP users in this OU. Installation of LDAP Server/Client... ______________________________________ Install the following packages Openldap-2.3.27 Openldap-clients-2.3.27 Openldap-devel-2.3.27 Openldap-servers-2.3.27 nss_ldap-253

# The database directory MUST exist prior to running slapd AND # should only be accessible by the slapd and slap tools # Mode 700 recommended directory /var/lib/ldap .conf . __________________________________________________ First we create the LDAP database. Note that password may be whatever you want it to be. This file is used to configure LDAP server. except the following things that needs to be modified: database suffix rootdn rootpw bdb _______________ "dc=abc.. it doesn't need to be the same as root's password.___________________________________ . You can leave everything in the file as is. since you will have to paste it into /etc/openldap/slapdconf file with "rootpw" option... if you have had change the Idap directory.. correct that in the line. [root@linux1 openldap]# chkconfig Idap on Converting local users to LDAP users . otherwise leave it as is This is the end of the configuration part for LDAP server You can start it by [root@linux1 openldap]# service Idap start And also make sure the service Idap is always started at boot time using.dc=com" {SSHA}oOcr4B80xKG5oVyJhYpufyMXipyom9W8 Note. If you like a special directory for your LDAP.. Database Directory .LDAP Server Configuration ...dc=com" "cn=root.. LDAP databases are by default located in /var/lib/ldap folder. Create LDAP root Password . Using "slappasswd" command does this. Edit /etc/openldap/slapd. You need to remember the encrypted password. you can create it within the /var/lib/ldap folder and make the owner and group belong to Idap..dc=abc..

. you can additionally import your already-made local users to LDAP. we have to change in our two *ldif files. you must convert the file (with user info) to the *ldif (LDAP Data Interchange Files) format. The attributes of the abc domain haven't yet been defined. you need to rerun the script for converting passwdldapusers file again. repeat the last step. and do the following.LDAP Centralize Login . and you also haven't defined the organizational unit called People. which should look this . For example. let's say I have user user1 and I want to import it I would do [root@linux1 ~]# grep user1 /etc/passwd > /etc/openldap/passwdldapusers If you have any more local users that you wish to add. but this time use ">>" this symbols instead of">" to append the file.Document We will import our local user list into the LDAP Keep in mind that in order to import local users to LDAP. Since we also named our root user Manager in slapdconf file. You also need to change the cn=root to cn=Manager in the rootldif file Next. [root@linux1 ~]# grep member /etc/passwd >/etc/openldap/passwdldapusers Next. The first step is to Import root user.. [root@linux1~]#/usr/share/openldap/migration/migrate_passwdpl /etc/openldap/passwdroot/etc/openIda p/rootIdif [root@linux1~]#/usr/share/openldap/migration/migrate_passwdpl /etc/openldap/passwdldapusers/etc/openldap/ldapusersldif Note if you add some local user to the LDAP sometime later. you have to create *ldif file for the abc" domain The LDIF files you created from /etc/passwd referred to users only. This can be done using a third LDIF file called /etc/openldap/abcldif. You need to change dn entry to suit our scenario. this can be done like this : [root@linux1 ~]# grep root/etc/passwd > /etc/openldap/passwdroot Next. No need to do that for passwdroot file Now. This is done with already made script that comes with OpenLDAP server. it's time to convert our files to *ldif format Locate the migrate_passwdpl script. Let's copy/paste or "grep" the root user information from /etc/passwd file to the new file called passwdroot. This is done the same way.

dc=com" adding new entry "ou=People.dc=com" Type your LDAP password when prompted and the data will be import into the database.dc=abc. first domain info [root@linux2 openldap]# Idapadd -x -D "cn = root.LDAP Centralize Login .dc=com description: All people in organization objectClass: organizationalUnit ou: People Please note. First you need to import root domain info (abcIdif). [root@linux2 openldap]# Idapadd -x -D "cn = root.dc=abc. that you need that extra blank line in the abcIdif.dc=com dc: abc description: Root LDAP entry for abc objectClass: dcObject ou: rootObject objectClass: organizationalUnit dn: cn=root.dc=abc.dc=abc.dc=abc.dc=abc.dc=com" -W -f abcIdif Enter LDAP Password: _____________ adding new entry "dc=abc. which you have to create and add the below line otherwise the import will fail with en error The only step left is to actually import the three *ld if files to our LDAP.dc=com" -W -f rootldif Enter LDAP Password: ______________________________ adding new entry "uid = root. Do the same for file rootldif and Idapusersldif. than root user info (rootIdif) and last additional local users info (Idapusersldif) in that order This is done as shown below.dc=com objectClass: organizationalRole en: root dn: ou = People.Document dn: dc=abc. Now move towards LDAP Client Configuration .dc=com" We have completed LDAP Server Configuration.ou = People.

Now.0.Document LDAP Client Configuration . LDAP Centralize Login .168. If you have a stand-alone server that you just want it to share with others than the server is also the client machine. do the same on "Authentication" tab..1. On the client side. we only need to configure the authentication type and point to the LDAP server. Changes the base DN names from "example. Configure it to authenticate thru LDAP so that users connecting locally or remotely (via ssh/telnet) can get authenticated. it will provide you with configuration dialog. The client machine may be *any* machine that you want your LDAP users to be connecting to (and use LDAP authentication of course). .com" to "abc" and type LDAP server IP that is 192. because the authentication won't work. enable the "Enable the LDAP support" and click on button below to configure it Leave the checkboxes for "Use shadow password" and "Use MD5 passwords" as is They need to stay enabled. Don't check the "Use TLS to encrypt connection" checkbox. [root@linux1 ~]# system-config-authentication or [root@linux1 ~]# authconfig Under user information tab click on "Enable LDAP Support" checkbox..LDAP Centralize Login .style for setting this.Document Make sure you fill in the information correct. For the GUI .

and make sure that the services are automatically start at boot time [root@linux1 ~]# chkconfig portmap on [root@linux1 ~]# chkconfig nfslock on [root@linux1 ~]# chkconfig nfs on [root@linux1 ~]# chkconfig Idap on .. We have to setup NFS on the LDAP server. for our scenario we want to export our /home folders to all the client machine in our LAN. Setting up NFS Server . [root@linux1 ~]# service portmap start [root@linux1 ~]# service nfslock start [root@linux1 ~]# service nfs start . open the /etc/exports file.. we need to setup a NFS server. nfs start them with service command and set it to automatic boot time loader with chkconfig command. To import the directory via NFS. startup the services that needs to be running in order for NFS to be successfully working.. In this file. the services are portmap. nfslock..Document Exporting LDAP users home folders with NFS ..sync) For NFS server to be able to read the configuration.. invoke the command [root@linux1 ~]# exportfs -a Done with the configuration. Now. [root@linux1 ~]# vi /etc/exports /home *(rw.LDAP Centralize Login . In order for LDAP users home folders to be exported to any machine that they will logon to.

The client side of configuration is also easy Just make sure that same services as described above is started at boot time [root@linux1 ~]# chkconfig portmap on [root@linux1 ~]# chkconfig nfslock on [root@linux1 ~]# chkconfig nfs on Also.0. That's it Make sure the needed services are started and you are ready to test your configuration .soft..nosuid. so do the following 1] Open/etc/automaster write down. clean-up the home folders.LDAP Centralize Login . before testing with actual login.168.wsize=8192. Change the mount point of /home folder into /etc/fstab from /home to /homeold Create the new folder/home [root@linuxl ~]# mkdir /home Ok.intr. /home 2] /etc/auto home Open/etc/autohome Write down.0. * -fstype=nfs.1:/home/&.tcp 192.rsize=8192.Document Setting up NFS Client. add the service autofs to your startup list. test if you can mount the exported /home directory from NFS server [root@linux1 ~]# mount 192. we want to mount the NFS Server's home partition at boot time.1 :/home /home Now..168. because this service will actually mount our home folder from NFS server to our /home folder [root@linux2 ~]# chkconfig autofs on Next.

You're Reading a Free Preview

Download
scribd
/*********** DO NOT ALTER ANYTHING BELOW THIS LINE ! ************/ var s_code=s.t();if(s_code)document.write(s_code)//-->