Step by Step OpenLDAP Server Configuration on CentOS 7 / RHEL 7


Create LDAP user

Instead of creating new users by hand, you can also migrate existing local users into LDAP. Here we create an LDIF file for a new user called raj.
vi raj.ldif

Paste the lines below into the LDIF file. The value userPassword: {crypt}x is a placeholder that no password can match, so the account cannot be used until a real password is set with ldappasswd further down.

dn: uid=raj,ou=People,dc=itzgeek,dc=local
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: raj
uid: raj
uidNumber: 9999
gidNumber: 100
homeDirectory: /home/raj
loginShell: /bin/bash
gecos: Raj [Admin (at) ITzGeek]
userPassword: {crypt}x
shadowLastChange: 17058
shadowMin: 0
shadowMax: 99999
shadowWarning: 7

Use the ldapadd command with the above file to create the new user "raj" in the OpenLDAP directory.

ldapadd -x -W -D "cn=ldapadm,dc=itzgeek,dc=local" -f raj.ldif

Output (you are prompted for the ldapadm password):

Enter LDAP Password: 
adding new entry "uid=raj,ou=People,dc=itzgeek,dc=local"

Assign a password to the user.

ldappasswd -s password123 -W -D "cn=ldapadm,dc=itzgeek,dc=local" -x "uid=raj,ou=People,dc=itzgeek,dc=local"

Where,

-s sets the new password for the user. Given on the command line like this, the password lands in the shell history and is visible to every local user in the process list while the command runs; use -S instead to be prompted for it.

-x use simple authentication for the bind

-D Distinguished name to authenticate to the LDAP server (-W prompts for its password)

The final argument is the DN of the entry whose password is being changed.
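The three steps above (write the LDIF, ldapadd it, set the password) as one script. This is an added example, not part of the tutorial: it assumes the tutorial's base DN, ou=People and cn=ldapadm, computes shadowLastChange instead of hard-coding a day number, refuses uidNumbers in the range reserved for local system accounts, and uses ldappasswd -S so the password is never passed on a command line. Without --apply it only prints the LDIF.

```shell
#!/bin/bash
# Added example, not from the ITzGeek tutorial: generate the posixAccount LDIF from
# parameters, then add the entry and set its password without the password ever
# appearing on a command line. Base DN, OU and admin DN are assumed from the tutorial.
set -eu

BASE_DN="dc=itzgeek,dc=local"
PEOPLE_OU="ou=People,${BASE_DN}"
ADMIN_DN="cn=ldapadm,${BASE_DN}"

# shadowLastChange is measured in days since the Unix epoch (the tutorial's 17058 is
# one fixed day); compute today's value instead.
today_days() { echo $(( $(date +%s) / 86400 )); }

# user_ldif USER UIDNUMBER GIDNUMBER GECOS [LASTCHANGE]
# Emits an entry shaped like the tutorial's raj.ldif. No userPassword is written, so
# the entry cannot be logged into until ldappasswd sets one.
user_ldif() {
    local user=$1 uidn=$2 gidn=$3 gecos=$4 lastchange=${5:-$(today_days)}
    case "$uidn$gidn" in
        ''|*[!0-9]*) echo "uidNumber and gidNumber must be numeric" >&2; return 1 ;;
    esac
    # keep the low range for local system accounts, so an LDAP user can never
    # shadow root or a daemon account on the clients
    [ "$uidn" -ge 1000 ] || { echo "refusing uidNumber $uidn below 1000" >&2; return 1; }
    cat <<EOF
dn: uid=${user},${PEOPLE_OU}
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: ${user}
uid: ${user}
uidNumber: ${uidn}
gidNumber: ${gidn}
homeDirectory: /home/${user}
loginShell: /bin/bash
gecos: ${gecos}
shadowLastChange: ${lastchange}
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
EOF
}

# Dry run by default; "--apply USER UIDNUMBER GIDNUMBER GECOS" talks to the server.
if [ "${1:-}" = "--apply" ]; then
    shift
    user=$1
    if getent passwd "$2" >/dev/null; then
        echo "uidNumber $2 already exists in the local passwd database" >&2; exit 1
    fi
    tmp=$(mktemp)
    user_ldif "$@" > "$tmp"
    ldapadd -x -W -D "$ADMIN_DN" -f "$tmp"
    rm -f "$tmp"
    # -S prompts for the new password; -s would leave it in shell history and ps output
    ldappasswd -x -W -S -D "$ADMIN_DN" "uid=${user},${PEOPLE_OU}"
fi
```

Run it as `./add_ldap_user.sh raj 9999 100 "Raj"` to inspect the LDIF, then with `--apply` in front of the same arguments to create the entry; you are prompted once for the ldapadm password by ldapadd, once more by ldappasswd, and then for raj's new password.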

Verify the entry. This search binds anonymously (-x without -D), and in the output below the server still hands the userPassword hash to that anonymous client, because no olcAccess rule restricts the attribute yet; that is worth tightening once the setup works.

ldapsearch -x cn=raj -b dc=itzgeek,dc=local

Output:

# extended LDIF
#
# LDAPv3
# base <dc=itzgeek,dc=local> with scope subtree
# filter: cn=raj
# requesting: ALL
#

# raj, People, itzgeek.local
dn: uid=raj,ou=People,dc=itzgeek,dc=local
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: raj
uid: raj
uidNumber: 9999
gidNumber: 100
homeDirectory: /home/raj
loginShell: /bin/bash
gecos: Raj [Admin (at) ITzGeek]
shadowLastChange: 17058
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
userPassword:: e1NTSEF9MkE2eUhIS0pJQVRnMHBCdkpVWjR5Q3JvTkJLTzdBTWY=

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
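The userPassword value in the output above, e1NTSEF9..., base64-decodes to "{SSHA}...": a salted SHA-1 hash that anyone able to reach port 389 can pull and crack offline. The script below is an added example, not part of the tutorial. It detects that condition from ldapsearch output and emits the olcAccess change that closes it. It assumes the directory is olcDatabase={2}hdb,cn=config (the CentOS 7 default name; check with `ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcDatabase`) and that cn=ldapadm is the olcRootDN, which bypasses ACLs and so keeps its write access. The sample LDIF in the test is constructed from the output shown above.

```shell
#!/bin/bash
# Added example, not from the ITzGeek tutorial: find password hashes that an
# anonymous client can read, and produce the ACL that stops it.
# Assumptions: database entry is olcDatabase={2}hdb,cn=config; cn=ldapadm is the
# rootdn (rootdn bypasses ACLs, so it is not listed in them).
set -eu

BASE_DN="dc=itzgeek,dc=local"

# exposed_passwords: read ldapsearch LDIF on stdin and print the DN of every entry
# that carried a userPassword (the value is base64, hence "::" in ldapsearch output).
# Returns 0 if at least one hash was present, 1 if none were.
exposed_passwords() {
    awk '
        /^dn: /             { dn = substr($0, 5) }
        /^userPassword::? / { print dn; found = 1 }
        END                 { exit found ? 0 : 1 }
    '
}

# audit_anonymous SERVER: ask the server, as an anonymous client, for every
# posixAccount hash it is willing to hand over.
audit_anonymous() {
    ldapsearch -x -LLL -H "ldap://$1" -b "$BASE_DN" '(objectClass=posixAccount)' userPassword \
        | exposed_passwords
}

# acl_fix_ldif: the user may change their own password, anyone may authenticate
# against it (which is what nslcd/pam_ldap need for logins), and nobody else may
# read it. Everything else stays readable so getent on the clients keeps working.
acl_fix_ldif() {
    cat <<'EOF'
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to * by * read
EOF
}

# Usage:  ./ldap_acl_audit.sh 192.168.1.10          (exit 1 and list DNs if exposed)
#         ./ldap_acl_audit.sh --fix-ldif | ldapmodify -Y EXTERNAL -H ldapi:///   (as root on the server)
if [ "${1:-}" = "--fix-ldif" ]; then
    acl_fix_ldif
elif [ $# -eq 1 ]; then
    if audit_anonymous "$1"; then
        echo "password hashes above are readable anonymously on $1; apply --fix-ldif" >&2
        exit 1
    fi
    echo "no password hashes exposed to anonymous clients on $1"
fi
```

After applying the ACL, rerun the anonymous ldapsearch from the tutorial: the entry should come back without userPassword, while `ldappasswd -S -x -W -D "uid=raj,ou=People,dc=itzgeek,dc=local" ...` still works because the self rule allows the user to write their own hash.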

To delete an entry from LDAP (optional):

ldapdelete -W -D "cn=ldapadm,dc=itzgeek,dc=local" "uid=raj,ou=People,dc=itzgeek,dc=local"

Firewall

Add the LDAP service to the firewall (TCP 389). This is the plain LDAP port: anything not protected by StartTLS crosses it in cleartext. If clients will connect over LDAPS instead, open that service (--add-service=ldaps, TCP 636) rather than this one.

firewall-cmd --permanent --add-service=ldap
firewall-cmd --reload

Enable LDAP logging

Configure rsyslog to write slapd's messages to /var/log/ldap.log. slapd logs to the local4 syslog facility by default, which is why that facility is selected below.

vi /etc/rsyslog.conf

Add the line below to /etc/rsyslog.conf.

local4.* /var/log/ldap.log

Restart the rsyslog service.

systemctl restart rsyslog
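The rsyslog rule only routes messages; slapd has to be logging at the stats level for connection, BIND and RESULT lines to appear in the file, and those lines are what a failed-login search is built on. The script below is an added example, not part of the tutorial: one function emits the cn=config change that turns stats logging on, the other reads the resulting log and counts failed simple binds per source address and bind DN. slapd writes the client address only on the ACCEPT line and the outcome only on the RESULT line, so the script joins them on the conn= and op= numbers. The log lines in the test are constructed to follow the slapd stats format as rsyslog writes it.

```shell
#!/bin/bash
# Added example, not from the ITzGeek tutorial: enable slapd stats logging and
# detect repeated failed binds in /var/log/ldap.log.
set -eu

# stats_loglevel_ldif: per-operation statistics logging lives in cn=config.
# Apply on the server as root:  stats_loglevel_ldif | ldapmodify -Y EXTERNAL -H ldapi:///
stats_loglevel_ldif() {
    cat <<'EOF'
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: stats
EOF
}

# failed_binds [THRESHOLD]: read slapd stats lines on stdin and print
# "COUNT<TAB>SOURCE_IP<TAB>BIND_DN" for every source/DN pair with at least THRESHOLD
# failed simple binds. tag=97 is the BindResponse, err=49 is invalidCredentials,
# method=128 is a simple (password) bind.
failed_binds() {
    local threshold=${1:-1}
    awk -v threshold="$threshold" '
        # substring matched by re, minus "skip" leading and "trim" trailing characters
        function field(re, skip, trim) {
            match($0, re); return substr($0, RSTART + skip, RLENGTH - skip - trim)
        }
        # conn=N fd=M ACCEPT from IP=a.b.c.d:port (IP=0.0.0.0:389)
        /ACCEPT from IP=/ {
            conn = field("conn=[0-9]+", 5)
            ip[conn] = field("from IP=[0-9.]+", 8)
            next
        }
        # conn=N op=K BIND dn="..." method=128
        /BIND dn=/ && /method=128/ {
            conn = field("conn=[0-9]+", 5); op = field("op=[0-9]+", 3)
            dn[conn "/" op] = field("dn=\"[^\"]*\"", 4, 1)
            next
        }
        # conn=N op=K RESULT tag=97 err=49 text=
        /RESULT tag=97 err=49/ {
            conn = field("conn=[0-9]+", 5); op = field("op=[0-9]+", 3)
            fails[ip[conn] "\t" dn[conn "/" op]]++
        }
        END {
            for (k in fails) if (fails[k] >= threshold) printf "%d\t%s\n", fails[k], k
        }
    ' | sort -rn
}

# Usage:  ./ldap_failed_binds.sh /var/log/ldap.log 5
if [ $# -ge 1 ]; then
    failed_binds "${2:-1}" < "$1"
fi
```

A successful simple bind produces a second BIND line with mech=SIMPLE and a RESULT with err=0, so only genuine wrong-password attempts are counted; run it from cron against the log with a threshold that fits your environment and feed the output to whatever alerting you use.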

LDAP client configuration to use LDAP Server

Install the necessary LDAP client packages on the client machine.

yum install -y openldap-clients nss-pam-ldapd

Run the command below to point the client at the LDAP server for user lookups (nslcd) and authentication (pam_ldap). Replace "192.168.1.10" with your LDAP server's IP address or hostname. As written, the client speaks plain LDAP on TCP 389, so bind passwords cross the network in cleartext; once the server has a certificate, add --enableldaptls so the client uses StartTLS.

authconfig --enableldap --enableldapauth --ldapserver=192.168.1.10 --ldapbasedn="dc=itzgeek,dc=local" --enablemkhomedir --update

Restart the LDAP client service.

systemctl restart nslcd

Verify LDAP Login

Use getent to confirm that the client resolves the user through the LDAP server.

getent passwd raj

Output:

raj:x:9999:100:Raj [Admin (at) ITzGeek]:/home/raj:/bin/bash

Screenshot:

OpenLDAP Server Configuration on CentOS 7 - Verify LDAP Login

Finally, log in to the client machine as the LDAP user "raj" to verify authentication end to end.

OpenLDAP Server Configuration on CentOS 7 - LDAP User login on Client machine

That’s All.
