Step by Step OpenLDAP Server Configuration on CentOS 7 / RHEL 7

Create LDAP user:

Instead of creating a new user, you can migrate the local users to LDAP.

Let’s create an LDIF file for a new user called raj.

vi raj.ldif

Paste the lines below into the LDIF file.

dn: uid=raj,ou=People,dc=itzgeek,dc=local
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: raj
uid: raj
uidNumber: 9999
gidNumber: 100
homeDirectory: /home/raj
loginShell: /bin/bash
gecos: Raj [Admin (at) ITzGeek]
userPassword: {crypt}x
shadowLastChange: 17058
shadowMin: 0
shadowMax: 99999
shadowWarning: 7

Use the ldapadd command with the above file to create a new user called "raj" in the OpenLDAP directory.

ldapadd -x -W -D "cn=ldapadm,dc=itzgeek,dc=local" -f raj.ldif

Enter LDAP Password: 
adding new entry "uid=raj,ou=People,dc=itzgeek,dc=local"

Assign a password to the user.

ldappasswd -s password123 -W -D "cn=ldapadm,dc=itzgeek,dc=local" -x "uid=raj,ou=People,dc=itzgeek,dc=local"

Where,

-s the new password to set (a password given on the command line ends up in the shell history; use -S instead to be prompted for it)

-x use simple authentication; the final argument is the DN of the user whose password is changed

-D distinguished name used to authenticate to the LDAP server (-W prompts for its password)

Verify LDAP entries.

ldapsearch -x cn=raj -b dc=itzgeek,dc=local

Output:

# extended LDIF
#
# LDAPv3
# base <dc=itzgeek,dc=local> with scope subtree
# filter: cn=raj
# requesting: ALL
#

# raj, People, itzgeek.local
dn: uid=raj,ou=People,dc=itzgeek,dc=local
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: raj
uid: raj
uidNumber: 9999
gidNumber: 100
homeDirectory: /home/raj
loginShell: /bin/bash
gecos: Raj [Admin (at) ITzGeek]
shadowLastChange: 17058
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
userPassword:: e1NTSEF9MkE2eUhIS0pJQVRnMHBCdkpVWjR5Q3JvTkJLTzdBTWY=

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

To delete an entry from LDAP (Optional).

ldapdelete -W -D "cn=ldapadm,dc=itzgeek,dc=local" "uid=raj,ou=People,dc=itzgeek,dc=local"

Firewall:

Add the LDAP service to the firewall (tcp 389).

firewall-cmd --permanent --add-service=ldap
firewall-cmd --reload

Enable LDAP logging:

Configure rsyslog to write LDAP events to the log file /var/log/ldap.log.

vi /etc/rsyslog.conf

Add the line below to the /etc/rsyslog.conf file.

local4.* /var/log/ldap.log

Restart the rsyslog service.

systemctl restart rsyslog
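Once slapd is logging through local4, /var/log/ldap.log is where failed binds show up. As an added example (not from the original tutorial), the Python below pairs each BIND with its RESULT line and counts failed simple binds per client and DN; it assumes slapd's log level includes "stats", and the sample lines are constructed here in that format.

```python
import re
from collections import defaultdict

# Constructed sample of what slapd writes to /var/log/ldap.log through the
# local4 facility (slapd "stats" log format); these lines are made up here.
SAMPLE_LOG = """\
Jul 16 04:07:40 ldapsrv slapd[1234]: conn=1000 fd=12 ACCEPT from IP=192.168.12.20:51234 (IP=0.0.0.0:389)
Jul 16 04:07:40 ldapsrv slapd[1234]: conn=1000 op=0 BIND dn="uid=raj,ou=People,dc=itzgeek,dc=local" method=128
Jul 16 04:07:40 ldapsrv slapd[1234]: conn=1000 op=0 RESULT tag=97 err=49 text=
Jul 16 04:07:41 ldapsrv slapd[1234]: conn=1000 op=1 BIND dn="uid=raj,ou=People,dc=itzgeek,dc=local" method=128
Jul 16 04:07:41 ldapsrv slapd[1234]: conn=1000 op=1 RESULT tag=97 err=49 text=
Jul 16 04:07:45 ldapsrv slapd[1234]: conn=1001 fd=13 ACCEPT from IP=192.168.12.10:40100 (IP=0.0.0.0:389)
Jul 16 04:07:45 ldapsrv slapd[1234]: conn=1001 op=0 BIND dn="cn=ldapadm,dc=itzgeek,dc=local" method=128
Jul 16 04:07:45 ldapsrv slapd[1234]: conn=1001 op=0 RESULT tag=97 err=0 text=
"""

ACCEPT_RE = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+")
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\d+)')
RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)")


def failed_binds(log_text):
    """Return {(client_ip, bind_dn): count} of failed simple binds.

    A BIND and its RESULT share conn= and op=; tag=97 marks a bind response and
    err=49 is invalidCredentials (the "Invalid credentials (49)" ldapadd reports).
    """
    client_of_conn = {}   # conn id -> client IP taken from the ACCEPT line
    pending = {}          # (conn, op) -> DN of a bind awaiting its RESULT
    counts = defaultdict(int)
    for line in log_text.splitlines():
        if m := ACCEPT_RE.search(line):
            client_of_conn[m.group(1)] = m.group(2)
        elif m := BIND_RE.search(line):
            pending[(m.group(1), m.group(2))] = m.group(3)
        elif m := RESULT_RE.search(line):
            dn = pending.pop((m.group(1), m.group(2)), None)
            if dn is not None and m.group(3) == "49":
                counts[(client_of_conn.get(m.group(1), "?"), dn)] += 1
    return dict(counts)


def over_threshold(counts, limit=5):
    """(client_ip, dn) pairs whose failure count reached the limit."""
    return sorted(k for k, n in counts.items() if n >= limit)
```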

LDAP client configuration to use LDAP Server:

Install the necessary LDAP client packages on the client machine.

# yum install -y openldap-clients nss-pam-ldapd

Run the command below to point the client machine at the LDAP server for authentication. Replace "192.168.12.10" with your LDAP server's IP address or hostname.

# authconfig --enableldap --enableldapauth --ldapserver=192.168.12.10 --ldapbasedn="dc=itzgeek,dc=local" --enablemkhomedir --update

Restart the LDAP client service.

# systemctl restart nslcd

Verify LDAP Login:

Use the getent command to fetch the user entry from the LDAP server.

# getent passwd raj

raj:x:9999:100:Raj [Admin (at) ITzGeek]:/home/raj:/bin/bash

Screenshot:

OpenLDAP Server Configuration on CentOS 7 - Verify LDAP Login

To verify the setup, log in as the LDAP user "raj" on the client machine.

OpenLDAP Server Configuration on CentOS 7 - LDAP User Login

That’s All.


  • Hamdan Radaideh

I got an error when I tried to start the ldap service.. bad configuration file

  • abigal

    I did receive anything with getent, but get no errors.

  • Santosh Reddy Malyala

Everything working fine. But I cannot login from GUI as ldapuser1. I can switch to all other users from root. I cannot login directly as LDAP users from GUI

  • Easy to follow clear guide

  • I get the following error:

    slaptest -u
    5952455c UNKNOWN attributeDescription "CHANGETYPE" inserted.
    5952455c UNKNOWN attributeDescription "REPLACE" inserted.
    5952455c is_entry_objectclass("cn=config,cn=config", "2.16.840.1.113730.3.2.6") no objectClass attribute
    5952455c is_entry_objectclass("olcDatabase={2}hdb,cn=config,cn=config", "2.16.840.1.113730.3.2.6") no objectClass attribute
    5952455c is_entry_objectclass("olcDatabase={1}monitor,cn=config,cn=config", "2.16.840.1.113730.3.2.6") no objectClass attribute

  • Sachin Gujral

    595de9a0 <= str2entry: str2ad(changetype): attribute type undefined
    slaptest: bad configuration file!

    This is the error while firing this command
    # slaptest -u

    Checked each and every thing and followed this process.

    Please Let me know if you have any update for same.

  • The only guide that actually worked

  • Indian_P

    Configured exactly the same way you mentioned and passwordless authentication is also working. But I cannot login with ssh or putty from another server!! Please help.

    • Hey,

      Post your secure log entries during the login

      • Indian_P

        Thanks for your reply. I have configured and created six servers for this in the last two days, but not working. I am getting the following error,

        [root@centos104 ~]# ssh raj@192.168.1.6
        raj@192.168.1.6's password:
        Permission denied, please try again.
        raj@192.168.1.6's password:
        Permission denied, please try again.
        raj@192.168.1.6's password:
        Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
        [root@centos104 ~]#

        Do we need to configure anything on the client, for example, restore any pem key? I have followed the same commands from a fresh centos 7 server as you mentioned.

        • Hey,

          Upload /var/log/secure and /var/log/messages

          • Indian_P

            secure:
            Jul 16 04:07:46 centos105 sshd[6000]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=centos105.rakeshldap.local user=raj
            Jul 16 04:07:46 centos105 sshd[6000]: pam_sss(sshd:auth): received for user raj: 4 (System error)
            Jul 16 04:07:46 centos105 sshd[6000]: Failed password for raj from 192.168.1.6 port 52300 ssh2
            Jul 16 04:07:47 centos105 sshd[6000]: Failed password for raj from 192.168.1.6 port 52300 ssh2
            Jul 16 04:07:47 centos105 sshd[6000]: Failed password for raj from 192.168.1.6 port 52300 ssh2
            Jul 16 04:07:47 centos105 sshd[6000]: Connection closed by 192.168.1.6 [preauth]

            message:
            Jul 16 04:01:01 centos105 systemd: Starting Session 15 of user root.
            Jul 16 04:04:07 centos105 dbus[553]: [system] Activating via systemd: service name='org.freedesktop.hostname1' unit='dbus-org.freedesktop.hostname1.service'
            Jul 16 04:04:07 centos105 dbus-daemon: dbus[553]: [system] Activating via systemd: service name='org.freedesktop.hostname1' unit='dbus-org.freedesktop.hostname1.service'
            Jul 16 04:04:07 centos105 systemd: Cannot add dependency job for unit microcode.service, ignoring: Unit is not loaded properly: Invalid argument.
            Jul 16 04:04:07 centos105 systemd: Starting Hostname Service...
            Jul 16 04:04:07 centos105 dbus[553]: [system] Successfully activated service 'org.freedesktop.hostname1'
            Jul 16 04:04:07 centos105 dbus-daemon: dbus[553]: [system] Successfully activated service 'org.freedesktop.hostname1'
            Jul 16 04:04:07 centos105 systemd: Started Hostname Service.

          • Indian_P

            all these are for client server.
            ssh_config:
            *************

            Host *
            GSSAPIAuthentication yes
            # If this option is set to yes then remote X11 clients will have full access
            # to the original X11 display. As virtually no X11 client supports the untrusted
            # mode correctly we set this to yes.
            ForwardX11Trusted yes
            # Send locale-related environment variables
            SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
            SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
            SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
            SendEnv XMODIFIERS

            sshd_config:
            ***************

            # HostKey for protocol version 1
            #HostKey /etc/ssh/ssh_host_key
            # HostKeys for protocol version 2
            HostKey /etc/ssh/ssh_host_rsa_key
            #HostKey /etc/ssh/ssh_host_dsa_key
            HostKey /etc/ssh/ssh_host_ecdsa_key
            HostKey /etc/ssh/ssh_host_ed25519_key

            # Lifetime and size of ephemeral version 1 server key
            #KeyRegenerationInterval 1h
            #ServerKeyBits 1024

            # Ciphers and keying
            #RekeyLimit default none

            # Logging
            # obsoletes QuietMode and FascistLogging
            #SyslogFacility AUTH
            SyslogFacility AUTHPRIV
            #LogLevel INFO

            # Authentication:

            #LoginGraceTime 2m
            #PermitRootLogin yes
            #StrictModes yes
            #MaxAuthTries 6
            #MaxSessions 10

            #RSAAuthentication yes
            #PubkeyAuthentication yes

            # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
            # but this is overridden so installations will only check .ssh/authorized_keys
            AuthorizedKeysFile .ssh/authorized_keys

            #AuthorizedPrincipalsFile none

            #AuthorizedKeysCommand none
            #AuthorizedKeysCommandUser nobody

            # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
            #RhostsRSAAuthentication no
            # similar for protocol version 2
            #HostbasedAuthentication no
            # Change to yes if you don't trust ~/.ssh/known_hosts for
            # RhostsRSAAuthentication and HostbasedAuthentication
            #IgnoreUserKnownHosts no
            # Don't read the user's ~/.rhosts and ~/.shosts files
            #IgnoreRhosts yes

            # To disable tunneled clear text passwords, change to no here!
            #PasswordAuthentication yes
            #PermitEmptyPasswords no
            PasswordAuthentication yes

            # Change to no to disable s/key passwords
            #ChallengeResponseAuthentication yes
            ChallengeResponseAuthentication no

            # Kerberos options
            #KerberosAuthentication no
            #KerberosOrLocalPasswd yes
            #KerberosTicketCleanup yes
            #KerberosGetAFSToken no
            #KerberosUseKuserok yes

            # GSSAPI options
            GSSAPIAuthentication yes
            GSSAPICleanupCredentials no
            #GSSAPIStrictAcceptorCheck yes
            #GSSAPIKeyExchange no
            #GSSAPIEnablek5users no

            # Set this to 'yes' to enable PAM authentication, account processing,
            # and session processing. If this is enabled, PAM authentication will
            # be allowed through the ChallengeResponseAuthentication and
            # PasswordAuthentication. Depending on your PAM configuration,
            # PAM authentication via ChallengeResponseAuthentication may bypass
            # the setting of "PermitRootLogin without-password".
            # If you just want the PAM account and session checks to run without
            # PAM authentication, then enable this but set PasswordAuthentication
            # and ChallengeResponseAuthentication to 'no'.
            # WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
            # problems.
            UsePAM yes

            #AllowAgentForwarding yes
            #AllowTcpForwarding yes
            #GatewayPorts no
            X11Forwarding yes
            #X11DisplayOffset 10
            #X11UseLocalhost yes
            #PermitTTY yes
            #PrintMotd yes
            #PrintLastLog yes
            #TCPKeepAlive yes
            #UseLogin no
            UsePrivilegeSeparation sandbox # Default for new installations.
            #PermitUserEnvironment no
            #Compression delayed
            #ClientAliveInterval 0
            #ClientAliveCountMax 3
            #ShowPatchLevel no
            #UseDNS yes
            #PidFile /var/run/sshd.pid
            #MaxStartups 10:30:100
            #PermitTunnel no
            #ChrootDirectory none
            #VersionAddendum none

            # no default banner path
            #Banner none

            # Accept locale-related environment variables
            AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
            AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
            AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
            AcceptEnv XMODIFIERS

            # override default of no subsystems
            Subsystem sftp /usr/libexec/openssh/sftp-server

            # Example of overriding settings on a per-user basis
            #Match User anoncvs
            # X11Forwarding no
            # AllowTcpForwarding no
            # PermitTTY no
            # ForceCommand cvs server

          • It seems authentication is not happening through LDAP. Are your local users able to login to this server?

  • Jazzinic

    I get Invalid credentials (49) after this command,
    ldapadd -x -W -D "cn=ldapadm,dc=itzgeek,dc=local" -f base.ldif

    I am pretty sure the password I give is correct.
