Step by Step OpenLDAP Server Configuration on CentOS 7 / RHEL 7

Create LDAP user

You can also migrate existing local accounts into LDAP rather than creating entries by hand; here we create a new user called raj. Start with an LDIF file for the entry.
vi raj.ldif

Paste the following lines into the file. userPassword is the placeholder {crypt}x, so the account cannot be used until a real password is set with ldappasswd below. Pick a uidNumber and gidNumber that do not collide with local accounts or groups on the client machines, because the clients resolve both through NSS.

dn: uid=raj,ou=People,dc=itzgeek,dc=local
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: raj
uid: raj
uidNumber: 9999
gidNumber: 100
homeDirectory: /home/raj
loginShell: /bin/bash
gecos: Raj [Admin (at) ITzGeek]
userPassword: {crypt}x
shadowLastChange: 17058
shadowMin: 0
shadowMax: 99999
shadowWarning: 7

Use ldapadd with this file to create the entry, binding as the ldapadm DN (-D) with simple authentication (-x) and prompting for its password (-W):

ldapadd -x -W -D "cn=ldapadm,dc=itzgeek,dc=local" -f raj.ldif

Output (enter the ldapadm password when prompted):

Enter LDAP Password: 
adding new entry "uid=raj,ou=People,dc=itzgeek,dc=local"

Assign a password to the user. ldappasswd sends it to the server, which stores it hashed with its configured password scheme ({SSHA} by default); that is why the value shown by the search below is not what you typed.

ldappasswd -s password123 -W -D "cn=ldapadm,dc=itzgeek,dc=local" -x "uid=raj,ou=People,dc=itzgeek,dc=local"

Where,

-s the new password for the target entry. Passing it on the command line leaves it in the shell history and visible to other users in the process list; outside a lab, use -S to be prompted for it instead.

-x use simple authentication for the bind.

-W prompt for the bind password.

-D Distinguished name to authenticate to the LDAP server.

The last argument is the DN of the entry whose password is changed.

Verify the entry with a search. With -x and no -D this is an anonymous bind:

ldapsearch -x cn=raj -b dc=itzgeek,dc=local

Output:

# extended LDIF
#
# LDAPv3
# base <dc=itzgeek,dc=local> with scope subtree
# filter: cn=raj
# requesting: ALL
#

# raj, People, itzgeek.local
dn: uid=raj,ou=People,dc=itzgeek,dc=local
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: raj
uid: raj
uidNumber: 9999
gidNumber: 100
homeDirectory: /home/raj
loginShell: /bin/bash
gecos: Raj [Admin (at) ITzGeek]
shadowLastChange: 17058
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
userPassword:: e1NTSEF9MkE2eUhIS0pJQVRnMHBCdkpVWjR5Q3JvTkJLTzdBTWY=

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Note that this anonymous search returned userPassword (the double colon after the attribute name means the value is base64-encoded; it decodes to an {SSHA} hash). As configured here, anyone who can reach port 389 can pull password hashes and crack them offline. Restrict the attribute with an olcAccess rule on the database, for example "to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none", placed ahead of any broader "to * by * read" rule, since access rules are evaluated in order and the first matching one wins.

To delete an entry from LDAP (optional):

ldapdelete -W -D "cn=ldapadm,dc=itzgeek,dc=local" "uid=raj,ou=People,dc=itzgeek,dc=local"
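The userPassword value returned by the search above is base64 in the LDIF output and decodes to an {SSHA} string, which is the salted hash the server stored, not the password. The following Python script is an added example written for this page, not code from the original guide: it decodes an "attr:: base64" LDIF line, reproduces the {SSHA} scheme (base64 of SHA-1(password + salt) followed by the salt) so a candidate password can be checked against a stored value, and builds the same raj entry as above with a real hash in place of the {crypt}x placeholder. The password "hunter2" and the fixed salt in the demo are constructed here; the PAGE_LINE constant is the userPassword line exactly as ldapsearch printed it above.

```python
"""Decode LDIF userPassword values and generate/verify OpenLDAP {SSHA} hashes.

Added example for this guide, not part of the original post. The demo password
and salt are constructed; PAGE_LINE is the line ldapsearch printed above.
"""
import base64
import hashlib
import hmac
import os
import time

# The userPassword line exactly as ldapsearch printed it in the guide.
PAGE_LINE = "userPassword:: e1NTSEF9MkE2eUhIS0pJQVRnMHBCdkpVWjR5Q3JvTkJLTzdBTWY="


def unfold_ldif(text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


def ldif_attr_value(line):
    """Split 'attr: value' or 'attr:: base64value' into (attr, decoded value)."""
    name, _, rest = line.partition(":")
    rest = rest.strip()
    if rest.startswith(":"):          # double colon: the value is base64-encoded
        return name, base64.b64decode(rest[1:].strip()).decode("utf-8")
    return name, rest


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attr: [values]}, skipping comments and blanks."""
    entry = {}
    for line in unfold_ldif(text):
        if not line.strip() or line.startswith("#"):
            continue
        name, value = ldif_attr_value(line)
        entry.setdefault(name, []).append(value)
    return entry


def ssha_hash(password, salt=None):
    """OpenLDAP {SSHA}: base64(SHA-1(password || salt) || salt) with a 4-byte random salt."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check a candidate password against a stored {SSHA} value (constant-time compare)."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value: " + stored[:8])
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]            # SHA-1 digest is 20 bytes; the rest is salt
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def user_ldif(uid, uid_number, gid_number, gecos, password, base_dn="dc=itzgeek,dc=local"):
    """Same posixAccount/shadowAccount entry as the guide, but with a real {SSHA}
    hash instead of the {crypt}x placeholder, so the account works as soon as
    ldapadd succeeds and the cleartext never goes on a command line."""
    today = int(time.time() // 86400)            # shadowLastChange is days since the epoch
    return "\n".join([
        f"dn: uid={uid},ou=People,{base_dn}",
        "objectClass: top",
        "objectClass: account",
        "objectClass: posixAccount",
        "objectClass: shadowAccount",
        f"cn: {uid}",
        f"uid: {uid}",
        f"uidNumber: {uid_number}",
        f"gidNumber: {gid_number}",
        f"homeDirectory: /home/{uid}",
        "loginShell: /bin/bash",
        f"gecos: {gecos}",
        f"userPassword: {ssha_hash(password)}",
        f"shadowLastChange: {today}",
        "shadowMin: 0",
        "shadowMax: 99999",
        "shadowWarning: 7",
    ]) + "\n"


if __name__ == "__main__":
    attr, value = ldif_attr_value(PAGE_LINE)
    print(attr, "decodes to", value)             # the {SSHA} string, not the password
    ldif = user_ldif("raj", 9999, 100, "Raj [Admin (at) ITzGeek]", "hunter2")  # constructed password
    entry = parse_ldif_entry(ldif)
    print("verify hunter2:", ssha_verify("hunter2", entry["userPassword"][0]))
```

Pre-hashing is the approach to use when users are provisioned from a script: the entry is usable immediately and the cleartext never appears on a command line, which the -s option of ldappasswd does not avoid. The generated LDIF is then as sensitive as a shadow file, so keep it out of version control and delete it after loading.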

Firewall

Open the LDAP port in firewalld so clients can reach the server; the ldap service is TCP 389. If you later enable LDAPS, also add the ldaps service (TCP 636).

firewall-cmd --permanent --add-service=ldap
firewall-cmd --reload

Enable LDAP logging

slapd logs through the LOCAL4 syslog facility, and what it logs is governed by olcLogLevel in the server configuration. Configure rsyslog to write that facility to /var/log/ldap.log so bind and search activity is captured in one place.

vi /etc/rsyslog.conf

Add the following line to /etc/rsyslog.conf:

local4.* /var/log/ldap.log

Restart the rsyslog service.

systemctl restart rsyslog
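With slapd's stats log level (olcLogLevel stats), each connection produces ACCEPT, BIND and RESULT lines keyed by conn= and op= numbers, and a failed simple bind ends with RESULT tag=97 err=49 (invalidCredentials). The following Python script is an added example, not part of the original guide: it walks constructed sample lines in the format rsyslog writes to /var/log/ldap.log, correlates each bind result back to the DN and to the client IP from the ACCEPT line, and flags DN/IP pairs with repeated failures. The host name ldapsrv, the PID and the addresses in SAMPLE_LOG are made up for the example; the parser also copes with slapd logging a second BIND line (mech=SIMPLE ssf=0) for a successful bind, which must not be counted as a second attempt.

```python
"""Spot repeated failed binds in slapd logs.

Added example for this guide, not from the original post. Assumes slapd logs at
the stats level; the sample lines, host name, PID and addresses are constructed.
"""
import re
from collections import defaultdict

# slapd stats lines as rsyslog would write them to /var/log/ldap.log (constructed).
SAMPLE_LOG = """\
Jul 16 04:07:40 ldapsrv slapd[1187]: conn=1001 fd=12 ACCEPT from IP=192.168.1.6:52300 (IP=0.0.0.0:389)
Jul 16 04:07:40 ldapsrv slapd[1187]: conn=1001 op=0 BIND dn="uid=raj,ou=People,dc=itzgeek,dc=local" method=128
Jul 16 04:07:40 ldapsrv slapd[1187]: conn=1001 op=0 RESULT tag=97 err=49 text=
Jul 16 04:07:41 ldapsrv slapd[1187]: conn=1001 op=1 BIND dn="uid=raj,ou=People,dc=itzgeek,dc=local" method=128
Jul 16 04:07:41 ldapsrv slapd[1187]: conn=1001 op=1 RESULT tag=97 err=49 text=
Jul 16 04:07:42 ldapsrv slapd[1187]: conn=1001 op=2 BIND dn="uid=raj,ou=People,dc=itzgeek,dc=local" method=128
Jul 16 04:07:42 ldapsrv slapd[1187]: conn=1001 op=2 BIND dn="uid=raj,ou=People,dc=itzgeek,dc=local" mech=SIMPLE ssf=0
Jul 16 04:07:42 ldapsrv slapd[1187]: conn=1001 op=2 RESULT tag=97 err=0 text=
Jul 16 04:07:42 ldapsrv slapd[1187]: conn=1001 fd=12 closed
Jul 16 04:08:00 ldapsrv slapd[1187]: conn=1002 fd=13 ACCEPT from IP=10.0.0.99:41000 (IP=0.0.0.0:389)
Jul 16 04:08:00 ldapsrv slapd[1187]: conn=1002 op=0 BIND dn="cn=ldapadm,dc=itzgeek,dc=local" method=128
Jul 16 04:08:00 ldapsrv slapd[1187]: conn=1002 op=0 RESULT tag=97 err=49 text=
Jul 16 04:08:01 ldapsrv slapd[1187]: conn=1002 op=1 BIND dn="cn=ldapadm,dc=itzgeek,dc=local" method=128
Jul 16 04:08:01 ldapsrv slapd[1187]: conn=1002 op=1 RESULT tag=97 err=49 text=
Jul 16 04:08:02 ldapsrv slapd[1187]: conn=1002 op=2 BIND dn="cn=ldapadm,dc=itzgeek,dc=local" method=128
Jul 16 04:08:02 ldapsrv slapd[1187]: conn=1002 op=2 RESULT tag=97 err=49 text=
Jul 16 04:08:02 ldapsrv slapd[1187]: conn=1002 fd=13 closed
Jul 16 04:09:00 ldapsrv slapd[1187]: conn=1003 fd=14 ACCEPT from IP=192.168.1.20:33000 (IP=0.0.0.0:389)
Jul 16 04:09:00 ldapsrv slapd[1187]: conn=1003 op=0 BIND dn="" method=128
Jul 16 04:09:00 ldapsrv slapd[1187]: conn=1003 op=0 RESULT tag=97 err=0 text=
Jul 16 04:09:00 ldapsrv slapd[1187]: conn=1003 op=1 SRCH base="dc=itzgeek,dc=local" scope=2 deref=0 filter="(cn=raj)"
Jul 16 04:09:00 ldapsrv slapd[1187]: conn=1003 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
"""

ACCEPT_RE = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+")   # IPv4 only
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
# tag=97 is the BindResponse tag, so SEARCH RESULT (tag=101) lines do not match.
BIND_RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)")

INVALID_CREDENTIALS = "49"


def analyse_binds(lines):
    """Return ({(dn, ip): failed_count}, {(dn, ip): success_count})."""
    conn_ip = {}                   # conn id -> client IP from the ACCEPT line
    pending = {}                   # (conn, op) -> DN of a bind awaiting its RESULT
    failures = defaultdict(int)
    successes = defaultdict(int)
    for line in lines:
        m = ACCEPT_RE.search(line)
        if m:
            conn_ip[m.group(1)] = m.group(2)
            continue
        m = BIND_RE.search(line)
        if m:
            # A successful bind is logged twice (method=128, then mech=SIMPLE);
            # keying on (conn, op) collapses both into one attempt.
            pending[(m.group(1), m.group(2))] = m.group(3) or "(anonymous)"
            continue
        m = BIND_RESULT_RE.search(line)
        if m:
            dn = pending.pop((m.group(1), m.group(2)), None)
            if dn is None:
                continue
            ip = conn_ip.get(m.group(1), "unknown")
            if m.group(3) == INVALID_CREDENTIALS:
                failures[(dn, ip)] += 1
            elif m.group(3) == "0":
                successes[(dn, ip)] += 1
    return dict(failures), dict(successes)


def alerts(failures, threshold=3):
    """(dn, ip, count) tuples with at least `threshold` failures, worst first."""
    hits = [(dn, ip, n) for (dn, ip), n in failures.items() if n >= threshold]
    return sorted(hits, key=lambda h: -h[2])


if __name__ == "__main__":
    failed, ok = analyse_binds(SAMPLE_LOG.splitlines())
    for dn, ip, n in alerts(failed):
        print(f"ALERT {n} failed binds for {dn} from {ip}")
    print("successful binds:", ok)
```

The ssf=0 on the successful-bind line is worth noticing too: it means the credentials went over the wire without a TLS layer, which is the other thing to check in these logs once clients are pointed at the server.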

LDAP client configuration to use LDAP Server

Install the LDAP client packages on the client machine: openldap-clients for the ldap* tools and nss-pam-ldapd for the nslcd daemon that NSS and PAM use.

yum install -y openldap-clients nss-pam-ldapd

Run authconfig to point the client's name service (nslcd) and PAM at the LDAP server for centralized authentication and to create home directories on first login. Replace "192.168.1.10" with your LDAP server's IP address or hostname. As written this uses plain LDAP on TCP 389 with simple binds, so users' passwords cross the network unencrypted; on anything but an isolated lab network configure TLS on the server and add --enableldaptls (with --ldaploadcacert to fetch the CA certificate) or use an ldaps:// URL for --ldapserver.

authconfig --enableldap --enableldapauth --ldapserver=192.168.1.10 --ldapbasedn="dc=itzgeek,dc=local" --enablemkhomedir --update

Restart nslcd so it picks up the new configuration.

systemctl restart nslcd

Verify LDAP Login

Use getent to confirm the client resolves the user from LDAP through NSS. The x in the password field is expected: NSS does not hand out the hash, and PAM authenticates by binding to the server as the user.

getent passwd raj

Output:

raj:x:9999:100:Raj [Admin (at) ITzGeek]:/home/raj:/bin/bash

[Screenshot: OpenLDAP Server Configuration on CentOS 7 – Verify LDAP Login]

If getent prints nothing, check that nslcd is running and that the client can reach TCP 389 on the server; if getent works but logins fail, the PAM module's message in /var/log/secure on the client is the place to start.

Finally, log in to the client as the LDAP user "raj", for example over ssh, to confirm authentication end to end. With --enablemkhomedir the home directory is created on first login.

[Screenshot: OpenLDAP Server Configuration on CentOS 7 – LDAP User login on the Client machine]

That’s All.

Comments (27)
  • Hamdan Radaideh

    I got an error when I tried to start the ldap service: bad configuration file

  • abigal

    I didn't receive anything with getent, but get no errors.

  • Santosh Reddy Malyala

    Everything is working fine, but I cannot log in from the GUI as ldapuser1. I can switch to all other users from root. I cannot log in directly as LDAP users from the GUI.

  • Box293

    Easy to follow clear guide

  • blade19899

    I get the following error:

    slaptest -u
    5952455c UNKNOWN attributeDescription "CHANGETYPE" inserted.
    5952455c UNKNOWN attributeDescription "REPLACE" inserted.
    5952455c is_entry_objectclass("cn=config,cn=config", "2.16.840.1.113730.3.2.6") no objectClass attribute
    5952455c is_entry_objectclass("olcDatabase={2}hdb,cn=config,cn=config", "2.16.840.1.113730.3.2.6") no objectClass attribute
    5952455c is_entry_objectclass("olcDatabase={1}monitor,cn=config,cn=config", "2.16.840.1.113730.3.2.6") no objectClass attribute

  • Sachin Gujral

    595de9a0 <= str2entry: str2ad(changetype): attribute type undefined
    slaptest: bad configuration file!

    This is the error when firing this command
    # slaptest -u

    Checked each and every thing and followed this process.

    Please Let me know if you have any update for same.

  • Elda Zenelaj

    The only guide that actually worked

  • Indian_P

    Configured exactly the same way you mentioned and passwordless authentication is also working. But I cannot log in with ssh or putty from another server!! Please help.

    • ITzGeek Web

      Hey,

      Post your secure log entries during the login

      • Indian_P

        Thanks for your reply. I have configured and created six servers for this in the last two days, but it is not working. I am getting the following error:

        [root@centos104 ~]# ssh raj@192.168.1.6
        raj@192.168.1.6's password:
        Permission denied, please try again.
        raj@192.168.1.6's password:
        Permission denied, please try again.
        raj@192.168.1.6's password:
        Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
        [root@centos104 ~]#

        Do we need to configure anything on the client, for example restore any pem key? I have followed the same commands on a fresh CentOS 7 server as you mentioned.

        • ITzGeek Web

          Hey,

          Upload /var/log/secure and /var/log/messages


          • Indian_P

            secure:
            Jul 16 04:07:46 centos105 sshd[6000]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=centos105.rakeshldap.local user=raj
            Jul 16 04:07:46 centos105 sshd[6000]: pam_sss(sshd:auth): received for user raj: 4 (System error)
            Jul 16 04:07:46 centos105 sshd[6000]: Failed password for raj from 192.168.1.6 port 52300 ssh2
            Jul 16 04:07:47 centos105 sshd[6000]: Failed password for raj from 192.168.1.6 port 52300 ssh2
            Jul 16 04:07:47 centos105 sshd[6000]: Failed password for raj from 192.168.1.6 port 52300 ssh2
            Jul 16 04:07:47 centos105 sshd[6000]: Connection closed by 192.168.1.6 [preauth]

            message:
            Jul 16 04:01:01 centos105 systemd: Starting Session 15 of user root.
            Jul 16 04:04:07 centos105 dbus[553]: [system] Activating via systemd: service name='org.freedesktop.hostname1' unit='dbus-org.freedesktop.hostname1.service'
            Jul 16 04:04:07 centos105 dbus-daemon: dbus[553]: [system] Activating via systemd: service name='org.freedesktop.hostname1' unit='dbus-org.freedesktop.hostname1.service'
            Jul 16 04:04:07 centos105 systemd: Cannot add dependency job for unit microcode.service, ignoring: Unit is not loaded properly: Invalid argument.
            Jul 16 04:04:07 centos105 systemd: Starting Hostname Service...
            Jul 16 04:04:07 centos105 dbus[553]: [system] Successfully activated service 'org.freedesktop.hostname1'
            Jul 16 04:04:07 centos105 dbus-daemon: dbus[553]: [system] Successfully activated service 'org.freedesktop.hostname1'
            Jul 16 04:04:07 centos105 systemd: Started Hostname Service.

          • Indian_P

            All these are for the client server.
            ssh_config:
            *************

            Host *
            GSSAPIAuthentication yes
            # If this option is set to yes then remote X11 clients will have full access
            # to the original X11 display. As virtually no X11 client supports the untrusted
            # mode correctly we set this to yes.
            ForwardX11Trusted yes
            # Send locale-related environment variables
            SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
            SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
            SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
            SendEnv XMODIFIERS

            sshd_config:
            ***************

            # HostKey for protocol version 1
            #HostKey /etc/ssh/ssh_host_key
            # HostKeys for protocol version 2
            HostKey /etc/ssh/ssh_host_rsa_key
            #HostKey /etc/ssh/ssh_host_dsa_key
            HostKey /etc/ssh/ssh_host_ecdsa_key
            HostKey /etc/ssh/ssh_host_ed25519_key

            # Lifetime and size of ephemeral version 1 server key
            #KeyRegenerationInterval 1h
            #ServerKeyBits 1024

            # Ciphers and keying
            #RekeyLimit default none

            # Logging
            # obsoletes QuietMode and FascistLogging
            #SyslogFacility AUTH
            SyslogFacility AUTHPRIV
            #LogLevel INFO

            # Authentication:

            #LoginGraceTime 2m
            #PermitRootLogin yes
            #StrictModes yes
            #MaxAuthTries 6
            #MaxSessions 10

            #RSAAuthentication yes
            #PubkeyAuthentication yes

            # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
            # but this is overridden so installations will only check .ssh/authorized_keys
            AuthorizedKeysFile .ssh/authorized_keys

            #AuthorizedPrincipalsFile none

            #AuthorizedKeysCommand none
            #AuthorizedKeysCommandUser nobody

            # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
            #RhostsRSAAuthentication no
            # similar for protocol version 2
            #HostbasedAuthentication no
            # Change to yes if you don’t trust ~/.ssh/known_hosts for
            # RhostsRSAAuthentication and HostbasedAuthentication
            #IgnoreUserKnownHosts no
            # Don’t read the user’s ~/.rhosts and ~/.shosts files
            #IgnoreRhosts yes

            # To disable tunneled clear text passwords, change to no here!
            #PasswordAuthentication yes
            #PermitEmptyPasswords no
            PasswordAuthentication yes

            # Change to no to disable s/key passwords
            #ChallengeResponseAuthentication yes
            ChallengeResponseAuthentication no

            # Kerberos options
            #KerberosAuthentication no
            #KerberosOrLocalPasswd yes
            #KerberosTicketCleanup yes
            #KerberosGetAFSToken no
            #KerberosUseKuserok yes

            # GSSAPI options
            GSSAPIAuthentication yes
            GSSAPICleanupCredentials no
            #GSSAPIStrictAcceptorCheck yes
            #GSSAPIKeyExchange no
            #GSSAPIEnablek5users no

            # Set this to ‘yes’ to enable PAM authentication, account processing,
            # and session processing. If this is enabled, PAM authentication will
            # be allowed through the ChallengeResponseAuthentication and
            # PasswordAuthentication. Depending on your PAM configuration,
            # PAM authentication via ChallengeResponseAuthentication may bypass
            # the setting of “PermitRootLogin without-password”.
            # If you just want the PAM account and session checks to run without
            # PAM authentication, then enable this but set PasswordAuthentication
            # and ChallengeResponseAuthentication to ‘no’.
            # WARNING: ‘UsePAM no’ is not supported in Red Hat Enterprise Linux and may cause several
            # problems.
            UsePAM yes

            #AllowAgentForwarding yes
            #AllowTcpForwarding yes
            #GatewayPorts no
            X11Forwarding yes
            #X11DisplayOffset 10
            #X11UseLocalhost yes
            #PermitTTY yes
            #PrintMotd yes
            #PrintLastLog yes
            #TCPKeepAlive yes
            #UseLogin no
            UsePrivilegeSeparation sandbox # Default for new installations.
            #PermitUserEnvironment no
            #Compression delayed
            #ClientAliveInterval 0
            #ClientAliveCountMax 3
            #ShowPatchLevel no
            #UseDNS yes
            #PidFile /var/run/sshd.pid
            #MaxStartups 10:30:100
            #PermitTunnel no
            #ChrootDirectory none
            #VersionAddendum none

            # no default banner path
            #Banner none

            # Accept locale-related environment variables
            AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
            AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
            AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
            AcceptEnv XMODIFIERS

            # override default of no subsystems
            Subsystem sftp /usr/libexec/openssh/sftp-server

            # Example of overriding settings on a per-user basis
            #Match User anoncvs
            # X11Forwarding no
            # AllowTcpForwarding no
            # PermitTTY no
            # ForceCommand cvs server

          • ITzGeek Web

            It seems authentication is not happening through LDAP. Are your local users able to log in to this server??

  • Jazzinic

    I get Invalid credential (49) after this command,
    ldapadd -x -W -D "cn=ldapadm,dc=itzgeek,dc=local" -f base.ldif

    I am pretty sure the password I give is correct.

    • AP

      Did you change the dc=itzgeek,dc=local ?

      • Van Phan

        I got the same Invalid Credential errors as well for the same exact base.ldif file. I did change the dc to reflect my own domain. Any other ideas?

        • Vijayarajan Marimuthu

          If an hdb file exists in the path /etc/openldap/slapd.d/cn=config/ then no modification is required in db.ldif.

          If a bdb file exists in the path /etc/openldap/slapd.d/cn=config/ then modify the db.ldif file content to use olcDatabase={2}bdb.

          This will resolve the invalid credential error.

          • Dorothy Atwell DeCann

            So, all of that up there ^^^ is correct, but I still have the invalid credential error, and I am completely stumped. I don’t know what I’m doing wrong. It should work.

  • ITzGeek Web

    Hi All,

    This post was tested on September 2017 and it’s working fine.

    You should not face any problem if you followed the post properly.

    If you are still facing any issues, check the LDAP logs.

    If you need any support, let us know. We will help you.

    Thanks.

  • auscop

    Awesome article, thanks worked fantastic. 🙂

  • Niraj

    Hi Guys,
    When I'm using this command:
    "ldapadd -x -W -D "cn=ldapadm,dc=itzgeek,dc=local" -f base.ldif"
    the error is:
    "ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)"
    Please help me.

    • ITzGeek Web

      Please check whether the service is running

  • GS

    Hi, I am getting the below error.

    adding new entry "dc=myldap,dc=com"
    ldap_add: Naming violation (64)
    additional info: value of single-valued naming attribute 'dc' conflicts with value present in entry

    after running the below command.

    [root@localhost slapd.d]# ldapadd -x -W -D "cn=ldapadm,dc=myldap,dc=com" -f base.ldif

  • Alex

    Hi, great tutorial 😀
    It's working for me; now 2 questions for you:
    1. Do you know any GUI for this LDAP server so it is easier to manage everything?
    2. Can I specify with LDAP which user can authenticate to which host, and not to all hosts?

    Thanks
    Alex

  • Adel ESSAFI

    Very excellent tutorial. Congrats