RHEL 7 : openLDAP setup

This post shows how to set up an OpenLDAP server that later RHCE lab exercises will integrate with.


1) Environment:

10.0.0.10 – openldap and kerberos server – domain.fajlinux.com

2) Requirements:

yum install -y openldap openldap-clients openldap-servers migrationtools

3) Create the LDAP manager password:

slappasswd -s 123456
{SSHA}Jyf8oxNQ6P65UayvD2aIvAlXj9O0YoCL

Passing the password with -s leaves it in the shell history and, briefly, visible in the process list; running slappasswd with no arguments prompts for it instead. The output is salted, so running the command twice prints two different hashes for the same password, and either one is valid in rootpw.
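The {SSHA} value printed above is base64 of SHA-1(password || salt) followed by the 4-byte salt, which is why slappasswd prints a different string on every run. The Python below is an added example written for this post (it is not taken from OpenLDAP or from the original post) that produces and verifies hashes in that format; the only thing it takes from the post is the hash above, which it decodes to show the digest/salt layout.

```python
import base64
import hashlib
import hmac
import os

DIGEST_LEN = 20  # SHA-1 digest size; whatever follows it in the decoded blob is the salt


def ssha_hash(password, salt=None):
    """Return a {SSHA} value in the format slappasswd prints.

    Layout: "{SSHA}" + base64( SHA1(password || salt) || salt ).
    slappasswd uses a 4-byte random salt; a fresh one is drawn here unless the
    caller supplies it, so two hashes of the same password normally differ.
    """
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_parts(stored):
    """Split a {SSHA} value into (digest, salt); raise ValueError if malformed."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not a {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):], validate=True)
    if len(raw) <= DIGEST_LEN:
        raise ValueError("too short to contain a digest and a salt")
    return raw[:DIGEST_LEN], raw[DIGEST_LEN:]


def verify_ssha(stored, password):
    """Check a candidate password against a stored {SSHA} value.

    The salt is taken from the stored value, the digest is recomputed and the two
    are compared in constant time so the check does not leak via timing.
    """
    digest, salt = ssha_parts(stored)
    calc = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(calc, digest)


if __name__ == "__main__":
    h = ssha_hash("123456")
    print(h)                              # differs on every run (random salt)
    print(verify_ssha(h, "123456"))       # True
    print(verify_ssha(h, "654321"))       # False
    # The hash shown in the post decodes to 20 digest bytes plus a 4-byte salt
    page_hash = "{SSHA}Jyf8oxNQ6P65UayvD2aIvAlXj9O0YoCL"
    print(len(ssha_parts(page_hash)[1]))  # 4
```

Salted SHA-1 is cheap to brute-force, so the rootpw is only as strong as the password behind it; 123456 is fine for a lab and nothing else.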

4) Generate the certificate:

Run openssl and enter the server's hostname in the Common Name field (-nodes writes the private key unencrypted so slapd can read it without a passphrase; the file permissions set below are what protect it):

openssl req -new -x509 -nodes -out /etc/openldap/certs/cert.pem \
-keyout /etc/openldap/certs/priv.pem -days 365
.....
Generating a 2048 bit RSA private key
.....+++
..............+++
writing new private key to '/etc/openldap/certs/priv.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []: domain.fajlinux.com
Email Address []:

Adjust the permissions on the certificate directory:

 cd /etc/openldap/certs
 chown ldap:ldap *
 chmod 600 priv.pem

5) Configure slapd.conf in /etc/openldap:

Put the hash printed by slappasswd in the rootpw entry:

include  /etc/openldap/schema/core.schema
include  /etc/openldap/schema/cosine.schema

include  /etc/openldap/schema/inetorgperson.schema
include  /etc/openldap/schema/nis.schema
allow bind_v2
pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args
database config
access to *
               by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
               by * none
database monitor
access to *
               by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
               by dn.exact="cn=Manager,dc=fajlinux,dc=com" read
               by * none
database        bdb
suffix          "dc=fajlinux,dc=com"
rootdn          "cn=Manager,dc=fajlinux,dc=com"
rootpw          {SSHA}Jyf8oxNQ6P65UayvD2aIvAlXj9O0YoCL
directory       /var/lib/ldap
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub

 

Note: the include lines load schema files, that is, the attribute type and object class definitions slapd uses to validate every entry it stores in its Berkeley DB backend. If you later integrate Samba with OpenLDAP, add an include for the Samba schema (shipped with Samba) next to these first lines.
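Two things are missing from the configuration above from a security point of view: slapd is never told about the certificate generated in step 4, and the bdb database has no access directives of its own, so slapd falls back to its default policy of read access for everyone, which lets any anonymous search return the userPassword hashes. The fragment below is an addition for this post, not part of the original, and shows the slapd.conf directives that close both gaps using the paths, suffix and rootdn already in use here. The `security simple_bind=128` line is optional; once it is in place every password bind must go over StartTLS (`-ZZ`) or ldaps://, including the ldapadd commands later in this post.

```conf
# --- global section: put these before the first "database" line ---
# Certificate and key from step 4; the self-signed certificate acts as its own CA
TLSCACertificateFile   /etc/openldap/certs/cert.pem
TLSCertificateFile     /etc/openldap/certs/cert.pem
TLSCertificateKeyFile  /etc/openldap/certs/priv.pem
# Optional: refuse simple (password) binds unless the connection is encrypted.
# The ldapi:/// root bind used for cn=config is SASL EXTERNAL, so it is unaffected.
security simple_bind=128

# --- inside the "database bdb" section, after "directory /var/lib/ldap" ---
# Password hashes: the owner may change them, anyone may authenticate against
# them, nobody may read them. rootdn bypasses ACLs, so cn=Manager keeps full access.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
# Users may update their own shadow data (password change tools need this);
# it stays readable so NSS lookups keep working
access to attrs=shadowLastChange
        by self write
        by * read
# Everything else stays world-readable for anonymous NSS lookups from clients
access to *
        by * read
```

Clients must trust the certificate: copy cert.pem to them and set `TLS_CACERT /etc/openldap/certs/cert.pem` in /etc/openldap/ldap.conf, after which `ldapsearch -x -ZZ -H ldap://domain.fajlinux.com -b dc=fajlinux,dc=com` succeeds only if StartTLS negotiates. To listen on 636 as well, add ldaps:/// to SLAPD_URLS in /etc/sysconfig/slapd. Because ACLs are evaluated in order and apply to the database section they appear in, keep the userPassword rule above the catch-all.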

 

6) Start the LDAP service:

rm -rf /etc/openldap/slapd.d/*
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
chown -R ldap:ldap /etc/openldap/slapd.d
systemctl enable slapd
systemctl start slapd

slaptest validates slapd.conf and converts it into the cn=config directory under slapd.d, which is what slapd actually reads. The rm -rf wipes any existing cn=config, so only do this on a fresh server.

7) Create the ldif files:

/etc/openldap/base.ldif

dn: dc=fajlinux,dc=com
dc: fajlinux
objectClass: top
objectClass: domain

dn: ou=People,dc=fajlinux,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=fajlinux,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit

Run the command below to create the structure:

ldapadd -x -D "cn=Manager,dc=fajlinux,dc=com" -w 123456 -f base.ldif

(-w puts the password on the command line; -W prompts for it instead and keeps it out of the shell history.)

Create a test user:

mkdir /home/guests
useradd -d /home/guests/ldapuser01 ldapuser01
passwd ldapuser01

We will use migrationtools to create the accounts and groups:

cd /usr/share/migrationtools

Edit the entries below in migrate_common.ph to match the configured domain:

$DEFAULT_MAIL_DOMAIN = "fajlinux.com";
$DEFAULT_BASE = "dc=fajlinux,dc=com";

Use migrationtools to migrate the users into the LDAP base (the grep selects local accounts with UIDs in the 1000-1099 range; the bind DN and password must be the rootdn and rootpw configured above):

grep ":10[0-9][0-9]" /etc/passwd > passwd
./migrate_passwd.pl passwd users.ldif
ldapadd -x -w 123456 -D "cn=Manager,dc=fajlinux,dc=com" -f users.ldif

users.ldif also carries the {crypt} password hashes read from /etc/shadow, so keep it readable only by root and delete it once the import succeeds.

Use migrationtools to migrate the groups into the LDAP base:

grep ":10[0-9][0-9]" /etc/group > group
./migrate_group.pl group groups.ldif
ldapadd -x -w 123456 -D "cn=Manager,dc=fajlinux,dc=com" -f groups.ldif
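migrate_passwd.pl and migrate_group.pl turn /etc/passwd, /etc/shadow and /etc/group lines into posixAccount/shadowAccount and posixGroup entries under the base set in migrate_common.ph. The Python below is an added example written for this post, not the migrationtools code, that performs the same conversion on constructed sample input so the resulting LDIF can be inspected offline before anything is imported. It differs from the two-step grep in that it filters on the numeric UID/GID field (the grep matches ":10xx" anywhere in the line), it skips locked accounts instead of copying an unusable hash, and it base64-encodes values LDIF cannot carry in plain form. It always uses the account structural class; migrationtools may pick a different one depending on its settings. As with users.ldif above, the user output contains the {crypt} hashes and must be treated as a secret.

```python
import base64

BASE_DN = "dc=fajlinux,dc=com"
PEOPLE_OU = "ou=People," + BASE_DN
GROUP_OU = "ou=Group," + BASE_DN
LOCAL_IDS = range(1000, 1100)   # the UID/GID range the post's grep ":10[0-9][0-9]" selects

# Constructed sample input, not copied from any real system: a system account that
# must be left out, the post's test user, and a second user whose account is locked.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
ldapuser01:x:1000:1000::/home/guests/ldapuser01:/bin/bash
ldapuser02:x:1001:1001:Second User:/home/guests/ldapuser02:/bin/bash
"""
SHADOW = """\
root:$6$rootsalt$notarealhash:17000:0:99999:7:::
ldapuser01:$6$abcdefgh$hashforuser01:17111:0:99999:7:::
ldapuser02:!!:17111:0:99999:7:::
"""
GROUP = """\
root:x:0:
wheel:x:10:ldapuser01
ldapuser01:x:1000:
ldapuser02:x:1001:
developers:x:1050:ldapuser01,ldapuser02
"""


def records(text):
    """Yield the colon-separated fields of each non-empty, non-comment line."""
    for line in text.splitlines():
        if line and not line.startswith("#"):
            yield line.split(":")


def ldif_line(attr, value):
    """LDIF needs base64 ('::') for values that are not safe ASCII strings."""
    safe = value.isascii() and "\n" not in value and not value.startswith((" ", ":", "<"))
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def passwd_to_ldif(passwd_text, shadow_text):
    """Build posixAccount/shadowAccount entries for users whose UID is in LOCAL_IDS."""
    shadow = {f[0]: f for f in records(shadow_text)}
    entries = []
    for name, _pw, uid, gid, gecos, home, shell in records(passwd_text):
        if int(uid) not in LOCAL_IDS:
            continue
        lines = [
            f"dn: uid={name},{PEOPLE_OU}",
            ldif_line("uid", name),
            ldif_line("cn", gecos or name),
            "objectClass: account",
            "objectClass: posixAccount",
            "objectClass: top",
            "objectClass: shadowAccount",
            ldif_line("loginShell", shell),
            ldif_line("uidNumber", uid),
            ldif_line("gidNumber", gid),
            ldif_line("homeDirectory", home),
        ]
        if gecos:
            lines.append(ldif_line("gecos", gecos))
        sh = shadow.get(name)
        if sh:
            hashed = sh[1]
            # "!!", "!" or "*" mark a locked account with no usable hash: emit no
            # userPassword rather than an unusable value that is still sensitive.
            if hashed and not hashed.startswith(("!", "*")):
                lines.append(ldif_line("userPassword", "{crypt}" + hashed))
            aging = ("shadowLastChange", "shadowMin", "shadowMax", "shadowWarning")
            for attr, value in zip(aging, sh[2:6]):
                if value:
                    lines.append(ldif_line(attr, value))
        entries.append("\n".join(lines))
    return "\n\n".join(entries) + "\n"


def group_to_ldif(group_text):
    """Build posixGroup entries for groups whose GID is in LOCAL_IDS."""
    entries = []
    for name, _pw, gid, members in records(group_text):
        if int(gid) not in LOCAL_IDS:
            continue
        lines = [
            f"dn: cn={name},{GROUP_OU}",
            "objectClass: posixGroup",
            "objectClass: top",
            ldif_line("cn", name),
            ldif_line("gidNumber", gid),
        ]
        lines += [ldif_line("memberUid", m) for m in members.split(",") if m]
        entries.append("\n".join(lines))
    return "\n\n".join(entries) + "\n"


if __name__ == "__main__":
    # The user LDIF holds password hashes: write it with mode 0600 and delete it after ldapadd.
    print(passwd_to_ldif(PASSWD, SHADOW))
    print(group_to_ldif(GROUP))
```

Feeding real files is a matter of reading /etc/passwd, /etc/shadow and /etc/group (as root, since shadow is not world-readable) and passing their contents to the two functions; the printed LDIF goes to ldapadd exactly as the migrationtools output does.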

 

Search for ldapuser01 as a test:

ldapsearch -x -b dc=fajlinux,dc=com cn=ldapuser01

This search binds anonymously. If the entry it returns includes the userPassword attribute, the database has no ACL protecting it and the {crypt} hashes are readable by anyone who can reach port 389.

8) Final adjustments on the server:

FirewallD rules

firewall-cmd --permanent --add-service=ldap
firewall-cmd --reload

The ldap service opens only TCP 389; if clients will connect over ldaps:// (636), add --add-service=ldaps as well.

Syslog adjustment in /etc/rsyslog.conf

local4.* /var/log/ldap.log

Restart the service:

systemctl restart rsyslog

slapd logs to the local4 facility by default; the loglevel directive in slapd.conf controls how much it sends (the default, stats, records connections, operations and results, which is enough to see who bound from where).

References:

https://www.certdepot.net/rhel7-configure-ldap-directory-service-user-connection/

https://access.redhat.com/documentation/en-US/Red_Hat_Subscription_Management/1/html/Using_Subscription_Asset_Manager/Managing_Users_with_LDAP_Authentication.html

 
