OpenLDAP is an open-source implementation of the Lightweight Directory Access Protocol, developed by the OpenLDAP Project. LDAP is an Internet protocol that email clients and other programs use to look up contact information on a server. It is released under the OpenLDAP Public License and is available for all major Linux distributions, AIX, Android, HP-UX, OS X, Solaris, Windows and z/OS.
In some ways it functions like a relational database and can be used to store almost any information. LDAP is not limited to storing information; it is also used as the backend database for "single sign-on", where one password for a user is shared between many services.
In this tutorial, we will configure OpenLDAP for centralized login, where users use a single account to log in to multiple servers.
READ: How to configure OpenLDAP with SSL on CentOS 7 / RHEL 7
Environment
Host Name | IP Address | OS | Purpose |
---|---|---|---|
server.itzgeek.local | 192.168.1.10 | CentOS 7 | LDAP Server |
client.itzgeek.local | 192.168.1.20 | CentOS 7 | LDAP Client |
Prerequisites
1. Make sure both the LDAP server "server.itzgeek.local" (192.168.1.10) and the LDAP client "client.itzgeek.local" (192.168.1.20) are accessible.
2. Add a host entry for both machines in /etc/hosts on each machine for name resolution:

```
192.168.1.10 server.itzgeek.local server
192.168.1.20 client.itzgeek.local client
```

OR

If you plan to use hostnames instead of IP addresses, configure a DNS server using the article How to Configure DNS Server on CentOS 7 / RHEL 7.
Here I will use IP addresses for all the configuration.
Install OpenLDAP Packages
Install the following LDAP RPM packages on LDAP server (server.itzgeek.local).
yum -y install openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel
Start the LDAP service and enable it so that it starts automatically on system boot.

```
systemctl start slapd
systemctl enable slapd
```

Verify that slapd is listening on the LDAP port (389).

```
netstat -antup | grep -i 389
```

Output:

```
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      1520/slapd
tcp6       0      0 :::389                  :::*                    LISTEN      1520/slapd
```
READ: netstat command not found on CentOS 7 / RHEL 7 – Quick Fix
Setup LDAP admin password
Run the command below to create the LDAP root (admin) password. We will use this password throughout this article.
Replace ldppassword with your own password.
slappasswd -h {SSHA} -s ldppassword
The command prints a salted SHA ({SSHA}) hash of the password you entered; this hash, not the plain password, goes into the LDAP configuration. Make a note of it and keep it aside.
Output:
{SSHA}d/thexcQUuSfe3rx3gRaEhHpNJ52N8D3
Configure OpenLDAP server
OpenLDAP server configuration files are found in /etc/openldap/slapd.d/. To start with the configuration of LDAP, we need to update the attributes "olcSuffix", "olcRootDN" and "olcRootPW".
olcSuffix – Database suffix: the domain name for which the LDAP server provides information. In simple words, change it to your domain name.
olcRootDN – Root Distinguished Name (DN): the entry for the user who has unrestricted access to perform all administrative activities on LDAP, like a root user.
olcRootPW – LDAP admin password (hash) for the above RootDN.
These attributes live in the /etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif file. Editing the LDAP configuration files by hand is not recommended, because you will lose those changes whenever you run the ldapmodify command. Instead, create a .ldif file:
vi db.ldif
Add the entries below. The three records are separated by blank lines, which ldapmodify needs to tell them apart.
Replace the password hash ({SSHA}d/thexcQUuSfe3rx3gRaEhHpNJ52N8D3) with the one you generated in the previous step.

```
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=itzgeek,dc=local

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=ldapadm,dc=itzgeek,dc=local

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}d/thexcQUuSfe3rx3gRaEhHpNJ52N8D3
```
Once you are done with the ldif file, send the configuration to the LDAP server.
ldapmodify -Y EXTERNAL -H ldapi:/// -f db.ldif
Next, change /etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif (again, not by editing the file directly) so that only the LDAP root user (ldapadm) can read the monitor database and nobody else can.
vi monitor.ldif
Use the information below. The olcAccess rule grants read access to the local root user connecting over ldapi:/// (the peercred identity) and to the ldapadm DN, and denies everyone else.

```
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=ldapadm,dc=itzgeek,dc=local" read by * none
```
Once you have updated the file, send the configuration to the LDAP server.
ldapmodify -Y EXTERNAL -H ldapi:/// -f monitor.ldif
Set up LDAP database
Copy the sample database configuration file to /var/lib/ldap and update the file ownership so that slapd can use it.

```
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown ldap:ldap /var/lib/ldap/*
```
Add the cosine, nis and inetorgperson LDAP schemas.

```
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
```
Generate the base.ldif file for your domain.
vi base.ldif
Use the information below. You can modify it according to your requirements; note that the dc: value of the first entry must match the first dc= component of its DN.

```
dn: dc=itzgeek,dc=local
dc: itzgeek
objectClass: top
objectClass: domain

dn: cn=ldapadm,dc=itzgeek,dc=local
objectClass: organizationalRole
cn: ldapadm
description: LDAP Manager

dn: ou=People,dc=itzgeek,dc=local
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=itzgeek,dc=local
objectClass: organizationalUnit
ou: Group
```
Build the directory structure.
ldapadd -x -W -D "cn=ldapadm,dc=itzgeek,dc=local" -f base.ldif
Output:

```
Enter LDAP Password:
adding new entry "dc=itzgeek,dc=local"
adding new entry "cn=ldapadm,dc=itzgeek,dc=local"
adding new entry "ou=People,dc=itzgeek,dc=local"
adding new entry "ou=Group,dc=itzgeek,dc=local"
```
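To tie the server-side steps together, here is an added example: a small POSIX shell script of my own, not part of the original tutorial or of the OpenLDAP project. It derives the base DN from a domain name, writes the db.ldif, monitor.ldif and base.ldif files shown above, and checks base.ldif for the one mistake slapd rejects with "Naming violation (64)": the first RDN of a dn (dc=itzgeek) not matching the entry's own attribute value (dc: itzgeek). The function names, the awk checker and the sample values are assumptions of this script; the {SSHA} hash must still come from slappasswd as described above.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: generate the LDIF files
# from a domain name and sanity-check base.ldif before ldapadd sees it.
# Function names and sample values are this script's own assumptions.

# Turn a DNS domain into an LDAP base DN: itzgeek.local -> dc=itzgeek,dc=local
domain_to_dn() {
    printf '%s' "$1" | awk -F. '{
        for (i = 1; i <= NF; i++) printf "%sdc=%s", (i > 1 ? "," : ""), $i
    }'
}

# db.ldif: three separate records (blank-line separated, as ldapmodify
# requires) setting suffix, root DN and root password on the {2}hdb database.
# $1 = domain, $2 = admin cn, $3 = {SSHA} hash produced by slappasswd
make_db_ldif() {
    base=$(domain_to_dn "$1")
    printf 'dn: olcDatabase={2}hdb,cn=config\nchangetype: modify\n'
    printf 'replace: olcSuffix\nolcSuffix: %s\n\n' "$base"
    printf 'dn: olcDatabase={2}hdb,cn=config\nchangetype: modify\n'
    printf 'replace: olcRootDN\nolcRootDN: cn=%s,%s\n\n' "$2" "$base"
    printf 'dn: olcDatabase={2}hdb,cn=config\nchangetype: modify\n'
    printf 'replace: olcRootPW\nolcRootPW: %s\n' "$3"
}

# monitor.ldif: only local root (peercred over ldapi:///) and the admin DN may
# read cn=monitor; every other bind gets nothing.  $1 = domain, $2 = admin cn
make_monitor_ldif() {
    printf 'dn: olcDatabase={1}monitor,cn=config\nchangetype: modify\n'
    printf 'replace: olcAccess\nolcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=%s,%s" read by * none\n' \
        "$2" "$(domain_to_dn "$1")"
}

# base.ldif: root entry (its dc: must equal the first label of the domain),
# the admin role, and the People and Group OUs.  $1 = domain, $2 = admin cn
make_base_ldif() {
    base=$(domain_to_dn "$1")
    printf 'dn: %s\ndc: %s\nobjectClass: top\nobjectClass: domain\n\n' "$base" "${1%%.*}"
    printf 'dn: cn=%s,%s\nobjectClass: organizationalRole\ncn: %s\n' "$2" "$base" "$2"
    printf 'description: LDAP Manager\n\n'
    printf 'dn: ou=People,%s\nobjectClass: organizationalUnit\nou: People\n\n' "$base"
    printf 'dn: ou=Group,%s\nobjectClass: organizationalUnit\nou: Group\n' "$base"
}

# Check each record the way slapd does for naming: the attribute in the first
# RDN of the dn (dc=itzgeek) must match the record's own value of that
# attribute (dc: itzgeek); otherwise ldapadd fails with "Naming violation (64)".
# Prints one line per bad record and returns 1 if any were found.
check_ldif_naming() {
    awk '
        function check() {
            if (attr != "" && (attr in vals) && vals[attr] != rdnval) {
                printf "record %d: dn says %s=%s but entry has %s: %s\n",
                       rec, attr, rdnval, attr, vals[attr]
                bad++
            }
            attr = ""; rdnval = ""; split("", vals)
        }
        /^dn: / {
            rec++
            split(substr($0, 5), parts, ",")   # first RDN, e.g. dc=itzgeek
            split(parts[1], kv, "=")
            attr = tolower(kv[1]); rdnval = kv[2]
            next
        }
        /^[A-Za-z]+: / { split($0, kv, ": "); vals[tolower(kv[1])] = kv[2]; next }
        /^$/           { check() }
        END            { check(); exit (bad > 0) }
    ' "$1"
}

# Write all three files into directory $1 and validate base.ldif.
# $2 = domain, $3 = admin cn, $4 = {SSHA} hash
write_all_ldif() {
    make_db_ldif "$2" "$3" "$4"  > "$1/db.ldif"
    make_monitor_ldif "$2" "$3"  > "$1/monitor.ldif"
    make_base_ldif "$2" "$3"     > "$1/base.ldif"
    check_ldif_naming "$1/base.ldif"
}

# Stand-alone usage: ./ldif-gen.sh itzgeek.local ldapadm '{SSHA}...' [outdir]
# db.ldif and monitor.ldif are then applied with ldapmodify -Y EXTERNAL -H ldapi:///
# and base.ldif with ldapadd -x -W -D "cn=ldapadm,<base dn>", exactly as above.
if [ $# -ge 3 ]; then
    write_all_ldif "${4:-.}" "$1" "$2" "$3"
fi
```

The checker only looks at the naming attribute of each record, which is enough to catch the dc mismatch from the comments below; it does not replace slapd's schema checks, so a failing ldapadd should still be read together with the slapd log.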
I got an error when I tried to start the LDAP service: bad configuration file.
I didn't receive anything with getent, but got no errors.
Everything is working fine, but I cannot log in from the GUI as ldapuser1. I can switch to all other users from root. I cannot log in directly as LDAP users from the GUI.
Easy to follow clear guide
I get the following error:
595de9a0 <= str2entry: str2ad(changetype): attribute type undefined
slaptest: bad configuration file!
This is the error when I run this command:
# slaptest -u
I checked each and every thing and followed this process.
Please let me know if you have any update on the same.
The only guide that actually worked
Configured exactly the same way you mentioned, and passwordless authentication is also working. But I cannot log in with ssh or PuTTY from another server!! Please help.
Hey,
Post your secure log entries during the login
Thanks for your reply. I have configured and created six servers for this in the last two days, but it is not working. I am getting the following error:
[root@centos104 ~]# ssh raj@192.168.1.6
raj@192.168.1.6's password:
Permission denied, please try again.
raj@192.168.1.6's password:
Permission denied, please try again.
raj@192.168.1.6's password:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
[root@centos104 ~]#
Do we need to configure anything on the client, for example restore any pem key? I have followed the same commands on a fresh CentOS 7 server as you mentioned.
Hey,
Upload the /var/log/secure and /var/log/message file.
secure:
Jul 16 04:07:46 centos105 sshd[6000]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=centos105.rakeshldap.local user=raj
Jul 16 04:07:46 centos105 sshd[6000]: pam_sss(sshd:auth): received for user raj: 4 (System error)
Jul 16 04:07:46 centos105 sshd[6000]: Failed password for raj from 192.168.1.6 port 52300 ssh2
Jul 16 04:07:47 centos105 sshd[6000]: Failed password for raj from 192.168.1.6 port 52300 ssh2
Jul 16 04:07:47 centos105 sshd[6000]: Failed password for raj from 192.168.1.6 port 52300 ssh2
Jul 16 04:07:47 centos105 sshd[6000]: Connection closed by 192.168.1.6 [preauth]
message:
Jul 16 04:01:01 centos105 systemd: Starting Session 15 of user root.
Jul 16 04:04:07 centos105 dbus[553]: [system] Activating via systemd: service name='org.freedesktop.hostname1' unit='dbus-org.freedesktop.hostname1.service'
Jul 16 04:04:07 centos105 dbus-daemon: dbus[553]: [system] Activating via systemd: service name='org.freedesktop.hostname1' unit='dbus-org.freedesktop.hostname1.service'
Jul 16 04:04:07 centos105 systemd: Cannot add dependency job for unit microcode.service, ignoring: Unit is not loaded properly: Invalid argument.
Jul 16 04:04:07 centos105 systemd: Starting Hostname Service…
Jul 16 04:04:07 centos105 dbus[553]: [system] Successfully activated service 'org.freedesktop.hostname1'
Jul 16 04:04:07 centos105 dbus-daemon: dbus[553]: [system] Successfully activated service 'org.freedesktop.hostname1'
Jul 16 04:04:07 centos105 systemd: Started Hostname Service.
all these are for client server.
ssh_config:
*************
Host *
GSSAPIAuthentication yes
# If this option is set to yes then remote X11 clients will have full access
# to the original X11 display. As virtually no X11 client supports the untrusted
# mode correctly we set this to yes.
ForwardX11Trusted yes
# Send locale-related environment variables
SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
SendEnv XMODIFIERS
sshd_config:
***************
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024
# Ciphers and keying
#RekeyLimit default none
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#RSAAuthentication yes
#PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes
# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
# problems.
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation sandbox # Default for new installations.
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
It seems authentication is not happening through LDAP. Are your local users able to log in to this server?
I get Invalid credential (49) after this command,
ldapadd -x -W -D "cn=ldapadm,dc=itzgeek,dc=local" -f base.ldif
I am pretty sure the password I give is correct.
Did you change the dc=itzgeek,dc=local ?
I got the same Invalid Credential errors as well for the same exact base.ldif file. I did change the dc to reflect my own domain. Any other ideas?
If an hdb file exists in the path /etc/openldap/slapd.d/cn=config/, then no modification is required in db.ldif.
If a bdb file exists in the path /etc/openldap/slapd.d/cn=config/, then modify the db.ldif file content to use olcDatabase={2}bdb.
This will resolve the invalid credential error.
So, all of that up there ^^^ is correct, but I still have the invalid credential error, and I am completely stumped. I don't know what I'm doing wrong. It should work.
Hi All,
This post was tested in September 2017 and it's working fine.
You should not face any problem if you followed the post properly.
If you are still facing any issues, check the LDAP logs.
If you need any support, let us know. We will help you.
Thanks.
Awesome article, thanks worked fantastic. 🙂
Hi guys,
When I'm using this command:
"ldapadd -x -W -D "cn=ldapadm,dc=itzgeek,dc=local" -f base.ldif"
the error is:
"ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)"
Please help me.
Please check whether the service is running
Hi, getting the below error:
adding new entry "dc=myldap,dc=com"
ldap_add: Naming violation (64)
additional info: value of single-valued naming attribute 'dc' conflicts with value present in entry
after running the below command.
[root@localhost slapd.d]# ldapadd -x -W -D "cn=ldapadm,dc=myldap,dc=com" -f base.ldif
Hi, great tutorial 😀
It's working for me; now 2 questions for you:
1. Do you know any GUI for this LDAP server so it is easier to manage everything?
2. Can I say with LDAP which user can authenticate to which host and not for all hosts?
Thanks
Alex
Hi Alex,
1. Try phpLDAPadmin, a web based management tool.
https://www.itzgeek.com/how-tos/linux/centos-how-tos/install-configure-phpldapadmin-centos-7-ubuntu-16-04.html
2. Try using sshd_config file for this.
Very excellent tutorial. Congrats.