Linux, Windows, Virtualization, OpenSource & Blogging

Step by Step OpenLDAP Server Configuration on CentOS 7 / RHEL 7

18

Create LDAP user:

Instead of creating a new user, you can migrate the local users to LDAP.

Let’s create an LDIF file for a new user called raj.

vi raj.ldif

Paste the below lines to above LDIF file.

dn: uid=raj,ou=People,dc=itzgeek,dc=local
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: raj
uid: raj
uidNumber: 9999
gidNumber: 100
homeDirectory: /home/raj
loginShell: /bin/bash
gecos: Raj [Admin (at) ITzGeek]
userPassword: {crypt}x
shadowLastChange: 17058
shadowMin: 0
shadowMax: 99999
shadowWarning: 7

Use the ldapadd command with the above file to create a new user called “raj” in OpenLDAP directory.

ldapadd -x -W -D "cn=ldapadm,dc=itzgeek,dc=local" -f raj.ldif

Enter LDAP Password: 
adding new entry "uid=raj,ou=People,dc=itzgeek,dc=local"

Assign a password to the user.

ldappasswd -s password123 -W -D "cn=ldapadm,dc=itzgeek,dc=local" -x "uid=raj,ou=People,dc=itzgeek,dc=local"

Where,

-s specify the password for the username

-x username for which the password is changed

-D Distinguished name to authenticate to the LDAP server.

Verify LDAP entries.

ldapsearch -x cn=raj -b dc=itzgeek,dc=local

Output:

# extended LDIF
#
# LDAPv3
# base <dc=itzgeek,dc=local> with scope subtree
# filter: cn=raj
# requesting: ALL
#

# raj, People, itzgeek.local
dn: uid=raj,ou=People,dc=itzgeek,dc=local
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: raj
uid: raj
uidNumber: 9999
gidNumber: 100
homeDirectory: /home/raj
loginShell: /bin/bash
gecos: Raj [Admin (at) ITzGeek]
shadowLastChange: 17058
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
userPassword:: e1NTSEF9MkE2eUhIS0pJQVRnMHBCdkpVWjR5Q3JvTkJLTzdBTWY=

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

To delete an entry from LDAP (Optional).

ldapdelete -W -D "cn=ldapadm,dc=itzgeek,dc=local" "uid=raj,ou=People,dc=itzgeek,dc=local"

Firewall:

Add the LDAP service to the firewall (tcp 389).

firewall-cmd --permanent --add-service=ldap
firewall-cmd --reload

Enable LDAP logging:

Configure Rsyslog to log a LDAP events to log file /var/log/ldap.log.

vi /etc/rsyslog.conf

Add below line to /etc/rsyslog.conf file.

local4.* /var/log/ldap.log

Restart the rsyslog service.

systemctl restart rsyslog

LDAP client configuration to use LDAP Server:

Install the necessary LDAP client packages on the client machine.

# yum install -y openldap-clients nss-pam-ldapd

Execute the below command to add the client machine to LDAP server for single sign on. Replace “192.168.12.10” with your LDAP server’s IP address or hostname.

# authconfig --enableldap --enableldapauth --ldapserver=192.168.12.10 --ldapbasedn="dc=itzgeek,dc=local" --enablemkhomedir --update

Restart the LDAP client service.

# systemctl restart  nslcd

Verify LDAP Login:

Use getent command to get the LDAP entries from the LDAP server.

# getent passwd raj

raj:x:9999:100:Raj [Admin (at) ITzGeek]:/home/raj:/bin/bash

Screenshot:

OpenLDAP Server Configuration on CentOS 7 - Verify LDAP Login
OpenLDAP Server Configuration on CentOS 7 – Verify LDAP Login

To verify the LDAP, log in using the LDAP user “raj” on the client machine.

OpenLDAP Server Configuration on CentOS 7 - LDAP User Login
OpenLDAP Server Configuration on CentOS 7 – LDAP User Login

That’s All.

POSTS YOU MAY LIKE -:)

You might also like
  • Hamdan Radaideh

    i got error when i tried to start the ldap service .. bad configration file

  • abigal

    I did receive anything with getent, but get no errors.

  • Santosh Reddy Malyala

    everything working fine.But i cannot login from gui ldapuser1. i can switch all other users from root. I cannot login directly ldap users from gui

  • Easy to follow clear guide

  • blade19899

    I get the following error:

    slaptest -u
    5952455c UNKNOWN attributeDescription “CHANGETYPE” inserted.
    5952455c UNKNOWN attributeDescription “REPLACE” inserted.
    5952455c is_entry_objectclass(“cn=config,cn=config”, “2.16.840.1.113730.3.2.6”) no objectClass attribute
    5952455c is_entry_objectclass(“olcDatabase={2}hdb,cn=config,cn=config”, “2.16.840.1.113730.3.2.6”) no objectClass attribute
    5952455c is_entry_objectclass(“olcDatabase={1}monitor,cn=config,cn=config”, “2.16.840.1.113730.3.2.6”) no objectClass attribute

  • Sachin Gujral

    595de9a0 <= str2entry: str2ad(changetype): attribute type undefined
    slaptest: bad configuration file!

    This is the error while fire this command
    # slaptest -u

    Checked each and every thing and follow this process.

    Please Let me know if you have any update for same.

  • The only guide that actually worked

  • Indian_P

    Configured exactly the same way you mentioned and passwordless authentication is also working/ But I can not login with ssh or putty from another server!! Please help.

    • Hey,

      Post your secure log entries during the login

      • Indian_P

        Thaks for your reply. I have configured and created six servers for this in last two days, but not working. I am getting the following error,

        [root@centos104 ~]# ssh raj@192.168.1.6
        raj@192.168.1.6’s password:
        Permission denied, please try again.
        raj@192.168.1.6’s password:
        Permission denied, please try again.
        raj@192.168.1.6’s password:
        Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
        [root@centos104 ~]#

        Do we need to configure anything on client for example, retore any pem key? I have followed the same commands from a fresh centos 7 server as you mentioned.

        • Hey,

          Upload /car/log/secure and /var/log/message

          File

          • Indian_P

            secure:
            Jul 16 04:07:46 centos105 sshd[6000]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=centos105.rakeshldap.local user=raj
            Jul 16 04:07:46 centos105 sshd[6000]: pam_sss(sshd:auth): received for user raj: 4 (System error)
            Jul 16 04:07:46 centos105 sshd[6000]: Failed password for raj from 192.168.1.6 port 52300 ssh2
            Jul 16 04:07:47 centos105 sshd[6000]: Failed password for raj from 192.168.1.6 port 52300 ssh2
            Jul 16 04:07:47 centos105 sshd[6000]: Failed password for raj from 192.168.1.6 port 52300 ssh2
            Jul 16 04:07:47 centos105 sshd[6000]: Connection closed by 192.168.1.6 [preauth]

            message:
            Jul 16 04:01:01 centos105 systemd: Starting Session 15 of user root.
            Jul 16 04:04:07 centos105 dbus[553]: [system] Activating via systemd: service name=’org.freedesktop.hostname1′ unit=’dbus-org.freedesktop.hostname1.service’
            Jul 16 04:04:07 centos105 dbus-daemon: dbus[553]: [system] Activating via systemd: service name=’org.freedesktop.hostname1′ unit=’dbus-org.freedesktop.hostname1.service’
            Jul 16 04:04:07 centos105 systemd: Cannot add dependency job for unit microcode.service, ignoring: Unit is not loaded properly: Invalid argument.
            Jul 16 04:04:07 centos105 systemd: Starting Hostname Service…
            Jul 16 04:04:07 centos105 dbus[553]: [system] Successfully activated service ‘org.freedesktop.hostname1’
            Jul 16 04:04:07 centos105 dbus-daemon: dbus[553]: [system] Successfully activated service ‘org.freedesktop.hostname1’
            Jul 16 04:04:07 centos105 systemd: Started Hostname Service.

          • Indian_P

            all these are for client server.
            ssh_config:
            *************

            Host *
            GSSAPIAuthentication yes
            # If this option is set to yes then remote X11 clients will have full access
            # to the original X11 display. As virtually no X11 client supports the untrusted
            # mode correctly we set this to yes.
            ForwardX11Trusted yes
            # Send locale-related environment variables
            SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
            SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
            SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
            SendEnv XMODIFIERS

            sshd_config:
            ***************

            # HostKey for protocol version 1
            #HostKey /etc/ssh/ssh_host_key
            # HostKeys for protocol version 2
            HostKey /etc/ssh/ssh_host_rsa_key
            #HostKey /etc/ssh/ssh_host_dsa_key
            HostKey /etc/ssh/ssh_host_ecdsa_key
            HostKey /etc/ssh/ssh_host_ed25519_key

            # Lifetime and size of ephemeral version 1 server key
            #KeyRegenerationInterval 1h
            #ServerKeyBits 1024

            # Ciphers and keying
            #RekeyLimit default none

            # Logging
            # obsoletes QuietMode and FascistLogging
            #SyslogFacility AUTH
            SyslogFacility AUTHPRIV
            #LogLevel INFO

            # Authentication:

            #LoginGraceTime 2m
            #PermitRootLogin yes
            #StrictModes yes
            #MaxAuthTries 6
            #MaxSessions 10

            #RSAAuthentication yes
            #PubkeyAuthentication yes

            # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
            # but this is overridden so installations will only check .ssh/authorized_keys
            AuthorizedKeysFile .ssh/authorized_keys

            #AuthorizedPrincipalsFile none

            #AuthorizedKeysCommand none
            #AuthorizedKeysCommandUser nobody

            # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
            #RhostsRSAAuthentication no
            # similar for protocol version 2
            #HostbasedAuthentication no
            # Change to yes if you don’t trust ~/.ssh/known_hosts for
            # RhostsRSAAuthentication and HostbasedAuthentication
            #IgnoreUserKnownHosts no
            # Don’t read the user’s ~/.rhosts and ~/.shosts files
            #IgnoreRhosts yes

            # To disable tunneled clear text passwords, change to no here!
            #PasswordAuthentication yes
            #PermitEmptyPasswords no
            PasswordAuthentication yes

            # Change to no to disable s/key passwords
            #ChallengeResponseAuthentication yes
            ChallengeResponseAuthentication no

            # Kerberos options
            #KerberosAuthentication no
            #KerberosOrLocalPasswd yes
            #KerberosTicketCleanup yes
            #KerberosGetAFSToken no
            #KerberosUseKuserok yes

            # GSSAPI options
            GSSAPIAuthentication yes
            GSSAPICleanupCredentials no
            #GSSAPIStrictAcceptorCheck yes
            #GSSAPIKeyExchange no
            #GSSAPIEnablek5users no

            # Set this to ‘yes’ to enable PAM authentication, account processing,
            # and session processing. If this is enabled, PAM authentication will
            # be allowed through the ChallengeResponseAuthentication and
            # PasswordAuthentication. Depending on your PAM configuration,
            # PAM authentication via ChallengeResponseAuthentication may bypass
            # the setting of “PermitRootLogin without-password”.
            # If you just want the PAM account and session checks to run without
            # PAM authentication, then enable this but set PasswordAuthentication
            # and ChallengeResponseAuthentication to ‘no’.
            # WARNING: ‘UsePAM no’ is not supported in Red Hat Enterprise Linux and may cause several
            # problems.
            UsePAM yes

            #AllowAgentForwarding yes
            #AllowTcpForwarding yes
            #GatewayPorts no
            X11Forwarding yes
            #X11DisplayOffset 10
            #X11UseLocalhost yes
            #PermitTTY yes
            #PrintMotd yes
            #PrintLastLog yes
            #TCPKeepAlive yes
            #UseLogin no
            UsePrivilegeSeparation sandbox # Default for new installations.
            #PermitUserEnvironment no
            #Compression delayed
            #ClientAliveInterval 0
            #ClientAliveCountMax 3
            #ShowPatchLevel no
            #UseDNS yes
            #PidFile /var/run/sshd.pid
            #MaxStartups 10:30:100
            #PermitTunnel no
            #ChrootDirectory none
            #VersionAddendum none

            # no default banner path
            #Banner none

            # Accept locale-related environment variables
            AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
            AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
            AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
            AcceptEnv XMODIFIERS

            # override default of no subsystems
            Subsystem sftp /usr/libexec/openssh/sftp-server

            # Example of overriding settings on a per-user basis
            #Match User anoncvs
            # X11Forwarding no
            # AllowTcpForwarding no
            # PermitTTY no
            # ForceCommand cvs server

          • It’s seems authentication is not happening through LDAP. Are your local users able to login to this server??

  • Jazzinic

    I get Invalid credential (49) after this command,
    ldapadd -x -W -D “cn=ldapadm,dc=itzgeek,dc=local” -f base.ldif

    I am pretty sure the password I give is correct.

    • AP

      Did you change the dc=itzgeek,dc=local ?

  • Hi All,

    This post was tested on September 2017 and it’s working fine.

    You should not face any problem if you followed the post properly.

    If you still facing any issues check LDAP logs.

    Do you need any support,let us know. We will help you.

    Thanks.

  • auscop

    Awesome article, thanks worked fantastic. 🙂

Step by Step OpenLDAP Server Configuration on CentOS 7 / RHEL 7

18