You are on page 1of 12


master server: slave server LDAP passwd: google123

1) pack required: 1.openldap

2.openldap-clients 3.openldap-devel 4.nss_ldap 5.openldap-servers* ===> overall yum install openldap* -y yum install nss_ldap* -y

&start the service using # chkconfig --levels 235 ldap on # service ldap start

2)creating a database directory: # mkdir /var/lib/ldap/

# chown ldap:ldap /var/lib/ldap/ *LDAP service by default stores the database to /VAR/LIB/LDAP *we are creating our dedicated directory that is / * /VAR/LIB/LDAP directory must be owned by LDAP user * LDAP user is created by default while installing the packages

3)creating ldap passwd: # slappasswd ----> will get encripted passwd *Generating LDAP root paasword which has all access to create , delete and modify the ldap accounts 4)create a ldap user: ex- raghu:

# useradd raghu
# passwd raghu *Creating the normal user user for example 5)Edit the slapd.conf file: vim /etc/openldap/slapd.conf ----> add the following info database suffix rootdn rootpw directory bdb "dc=google,dc=com" "cn=root,dc=google,dc=com" {SSHA}v4qLq/qy01w9my60LLX9BvfNUrRhOjQZ [enc pswd] /var/lib/ldap/

*This is the configuration file of LDAP add the above information wher DC = domain component & CN = common name & # service ldap restart 6)Creating a ldap database: *need to mygrate systems authentication files to LDAP database *download migration tool ---> (optional one) by default with the ldap packages it has been installed so we can continue with the 7th step # wget

# tar -xvzf MigrationTools.tgz # mkdir -p /usr/share/openldap/migration/ # cd MigrationTools* # cp -rv * /usr/share/openldap/migration/ # cd 7)Edit the vi /usr/share/openldap/migration/ for password conversion replace 'padl'----> 'google' *PADL.COM maintains the migartion tools..... they have given the example configuration file to migrate... we neec to edit for our convenience # sed %s/ /usr/share/openldap/migration/ # sed %s/dc=padl/dc=google/g /usr/share/openldap/migration/

8). Locating the starter file to your LDAP database directory of /var/lib/ldap/ # updatedb ---->to bring locate database as current database

# locate DB_CONFIG # cp /usr/share/doc/openldap-servers-2.4.16/ /var/lib/ldap/ \

*This DB_CONFIG config file is supporting file of slapd configuration 9).Migrating system's authentication files using the # /usr/share/openldap/migration/ 10).Ldap database directory should be owned by the ldap user # chown -R ldap:ldap /var/lib/ldap/ # service ldap start # chkconfig ldap on 11).Migrating local users to LDAP # grep raghu /etc/passwd > /etc/openldap/passwd.raghu 12).Converting passwd.file to ldif (LDAP Data Interchange Format) file #/usr/share/openldap/migration/ /etc/openldap/passwd.raghu /etc/openldap/raghu.ldif

13).creating a domain lidf file(/etc/openldap/

# cat /etc/openldap/
dn: dc=google,dc=com dc: google description: LDAP Admin objectClass: dcObject objectClass: organizationalUnit ou: rootobject dn: ou=People, dc=google,dc=com ou: People description: Users of google objectClass: organizationalUnit

15).Importing all users in to the LDAP

For domain:# ldapadd -x -D "cn=root,dc=google,dc=com" -W -f /etc/openldap/ for users:ldapadd -x -D "cn=Manager,dc=google,dc=com" -W -f /etc/openldap/raghu.ldif & finally....

# service ldap restart 16).Testing LDAP Server:

# ldapsearch -x -b 'dc=google,dc=com' '(objectclass=*)' * To check the enteries what we have added

------------------------------------------------------------| LDAP CLIENT CONFIGURATION ------------------------------------------------------------pack required: 1)openldap

2)openldap-clients 3)openldap-devel 4)nss_ldap

2) configuration file /etc/openldap/ldap.conf HOST>LDAP server ip address shiould bre replaced there
BASE dc=google,dc=com *Edit this two lines in that


[*] Use Shadow Passwords

[*] Use MD5 Passwords [*] Use LDAP [ ] Use TLS Server: ldap server ip Base DN: dc=google,dc=com

*This does add the above information to the /etc/nssswitch.conf file which makes which involves in giving the priority to search for the user account information account * now the client is ready it sohuld fetch the user information from the server for that we want to create home directory for RAGU user which we have created in the server

#grep ragu /etc/passwd----> check the user exist in the client or not it should not be here if it so check wit the new user

#mkdir /home/ragu

#chmod 700 /home/ragu/ #cp /etc/skel/.* /home/ragu/ # chown -R ragu:ragu /home/ragu *there should not be any error in this.... it should fetch the information r else its u should check it wit starting the services and importing procedures... #service ldap start

4)Configuring Encrypted LDAP Communication between server and client using ssl and tls(secured socket layer&transport layer security)

*Both the LDAP server and client need to be configured with a shared copy of a CA certificate beforehand.

1. When the TLS LDAP connection is made, the client and server negotiate their SSL encryption scheme. 2. The LDAP server then sends its public encryption key and its server certificate. 3. The LDAP client inspects the server certificate to make sure that it hasn't expired and takes note of the name and key ID of the CA server that issued it. It then checks this CA information with all the CA certificates in its database to determine whether the server certificate should be trusted. 4. If everything is valid, the LDAP client then creates a random "premaster" secret encryption key that it encrypts with the LDAP server's public key. It then sends the encrypted encryption key to the LDAP server. 5. When public keys are created, a special "private" key is also simultaneously created. Anything encrypted with the public key can only be decrypted with the private key and vice versa. The server then uses its private key to extract the premaster key. 6. The client and server then use the premaster key to generate a master secret that will be the same for both, but will never be transmitted so that a third-party cannot intercept it. 7. The master secret key is then used to create session keys that will be used to encrypt all future communication between client and server for the duration of the TLS session.

Configuring tls server (ldap server) make sure both server and client has each other host name in /etc/hosts file generating certificate with the validity of 10 year

# cd /etc/openldap/cacerts/

# openssl req -newkey rsa:1024 -x509 -nodes -out server.pem -keyout server.pem -days 3650 * in the CACERTS directory create SERVER.PEM file will be created # grep -A 100 CERTIFICATE server.pem > client.pem # edit the /etc/openldap/slapd.conf TLSCipherSuite TLSCACertificateFile TLSCertificateFile TLSCertificateKeyFile TLSVerifyClient HIGH:MEDIUM:+SSLv2:+SSLv3:RSA /etc/openldap/cacerts/server.pem /etc/openldap/cacerts/server.pem /etc/openldap/cacerts/server.pem allow

*insert this lines to listen to clients certificate verification *copy the client.pem to ldap client to the same location CACERTS # openldap]# chown ldap:ldap cacerts/* # service ldap restart # netstat -a | grep ldap--- check with this command

tls client configuration

-------------------Authentication Configuration ------------------| | | |

User Information


| [ ] Cache Information [*] Use MD5 Passwords | | [ ] Use Hesiod [*] Use Shadow Passwords | | [*] Use LDAP [*] Use LDAP Authentication | | [ ] Use NIS [ ] Use Kerberos | | [ ] Use Winbind [ ] Use SMB Authentication | | [ ] Use Winbind Authentication | | [ ] Local authorization is sufficient | | | | ----------------| | | Cancel | | Next | | | ----------------| | | | | -------------------------------------------------------------------

------------------- LDAP Settings ------------------| | | [*] Use TLS | | | | Base DN: dc=google,dc=com_______________________ | | | | --------

| | | |

-----| Back | --------

| Ok | ------

| | | |

/etc/ldap.conf & /etcopenldap/ldap.conf u could see the same info what u have given in tui tool /etc/ldap.conf # File: /etc/ldap.conf uri ldaps://ldapserver ip/ # ssl start_tls ---->{ disable this line by preceeding with # need oly {tls tls_cacertdir /etc/openldap/cacerts

* add these lines


URI ldaps://ldap server ip/ BASE dc=google,dc=com TLS_CACERTDIR /etc/openldap/cacerts *it should contain these lines # ldapsearch -x ----> check the same enteries here # openssl s_client -connect bigboy:636 -showcerts-->{to see {certificate Common LDAP Administrative Tasks (server side) /usr/local/bin/modifyldapuser---> script for modifyldapuser command #!/bin/bash grep $1 /etc/passwd > /tmp/modifyldapuser.tmp /usr/share/openldap/migration/ \ /tmp/modifyldapuser.tmp /tmp/modifyldapuser.ldif.tmp cat /tmp/modifyldapuser.ldif.tmp | sed -e 's/' \ -e 's/dc=padl/dc=google/g' > /tmp/modifyldapuser.ldif ldapmodify -x -D "cn=root,dc=google,dc=com" -W -f \ /tmp/modifyldapuser.ldif rm -f /tmp/modifyldapuser.* *so if we changing any users passwd and want to update it to ldap means we can use this ex: # passwd ragu # modifyldapuser ragu modifyldapuser command

/usr/local/bin/addldapuser--->to addthe ldapuser easily addldapuser

#!/bin/bash grep $1 /etc/passwd > /tmp/changeldappasswd.tmp /usr/share/openldap/migration/ \ /tmp/changeldappasswd.tmp /tmp/changeldappasswd.ldif.tmp cat /tmp/changeldappasswd.ldif.tmp | sed -e 's/' \ -e 's/dc=padl/dc=google/g' > /tmp/changeldappasswd.ldif

ldapadd -x -D "cn=root,dc=google,dc=com" -W -f \ /tmp/changeldappasswd.ldif rm -f /tmp/changeldappasswd.*

ex: # useradd test1 # passwd test1 # addldapuser test1 *it ll ask for the LDAP passwd then it ll be added in the database

usr/local/bin/deleteldapuser-----> script for dele command deleteldapuser #!/bin/bash ldapdelete -x -W -D "cn=root,dc=google,dc=com" \ "uid=$1,ou=People,dc=google,dc=com"

ex: deleteldapuser test1 * give LDAP passwd it ll be deleted # ldapsearch -x -b 'dc=google,dc=com' '(objectclass=*)'

execute this command and check test1 user is there in the list r not --------------------------------LDAP SLAVE REPLICATION

1.install necessary packages # yum install openldap* # yum install nss_ldap* [while doing this replication stop the the ldap service in both the machines] 2.copy DATABASE of master to slave [master]# scp /var/lib/ldap/ root@slave:/var/lib/ldap # chown -R ldap:ldap 3.add the database using slapcat command also [master]# slapcat -l master.ldif(master.ldif)file ll be created just copy that to slave using scp [slave] Edit the vi /usr/share/openldap/migration/ for password conversion replace 'padl'----> 'google' *PADL.COM maintains the migartion tools..... they have given the example configuration file to migrate... we neec to edit for our convenience # sed %s/ /usr/share/openldap/migration/ # sed %s/dc=padl/dc=google/g /usr/share/openldap/migration/

# /usr/share/openldap/migration/ # /usr/sbin/slapadd -v -d3 -l master.ldif *now the data bases from both the servers ll be same ***add the content of master slapd.conf to slav's slapd.conf*****

contents to be added for replication in both the servers Master: slapd.conf

# slapd master # global section ... # database section database bdb ... # allows read access from consumer # may need merging with other ACL's access to * by dn.base="cn=admin,ou=people,dc=example,dc=com" read by * break # NOTE: # the provider configuration contains no reference to any consumers # define the provider to use the syncprov overlay # (last directives in database section) overlay syncprov # allows contextCSN to saves to database every 100 updates or ten minutes syncprov-checkpoint 100 10 Slave: slapd.conf

# global section # database section database bdb ... # provider is ldap://, sync interval # every 1 hour, whole DIT (searchbase), all user attributes synchronized # simple security with cleartext password # NOTE: comments inside the syncrepl directive are rejected by OpenLDAP # and are included only to carry further explanation. They MUST NOT # appear in an operational file syncrepl rid=000 provider=ldap:// type=refreshOnly # re-connect/re-sync every hour interval=00:1:00:00 retry="5 5 300 +" searchbase="dc=example,dc=com" # both user (*) and operational (+) attributes required attrs="*,+" bindmethod=simple binddn="cn=admin,ou=people,dc=example,dc=com"

# Warning: password sent in clear - insecure credentials=dirtysecret

*now restart both the servers u can see the replication in slave * mention the slave ip address in authconfig-tui of client * now stop the ldap service in master and try login as the ldap user from master or slave to client * because of replication u ll be able to login even though the master fails ***************************END****************************

LOGIN DETAILS FOR LDAP server: LDAP passwd: google123