Tuesday, 28 April 2015

LDAP Authentication Server and Client in RHEL7

When a user logs into a system, that user presents some sort of credential to establish the user identity. The system then checks those credentials against the configured authentication service. If the credentials match and the user account is active, then the user is authenticated.
The information to verify the user can be located on the local system or the local system can reference a user database on a remote system, such as LDAP or Kerberos.

A local system can use a variety of different data stores for user information, including Lightweight Directory Access Protocol (LDAP), Network Information Service (NIS), and Winbind. Additionally, both LDAP and NIS data stores can use Kerberos to authenticate users.

LDAP is often used by organizations as a central repository for user information and as an authentication service.

LDAP allows password authentication or Kerberos authentication.
The LDAP password option requires either a secure (ldaps://) URL or the TLS option to connect to the LDAP server.

In this tutorial, we will use LDAP for both identity lookup and authentication. The LDAP server is configured to store the usernames and passwords of all users. Client machines will authenticate against this central directory service. We will use Start TLS to encrypt the connections to the LDAP server, which gives a secure connection over the standard port.

We will create an LDAP server and migrate existing '/etc/passwd' and '/etc/shadow' files to the LDAP server. Then we will configure a client machine to authenticate against this LDAP server.

Configure LDAP Authentication Server

LDAP Server Name: oserver1.mycompany.com

1) Install packages.
[root@oserver1 ~]# yum install openldap-servers openldap-clients migration-tools

2) Start the LDAP server.
[root@oserver1 ~]# systemctl start slapd

3) Configure the LDAP client file '/etc/openldap/ldap.conf'. Edit the following entries.
       BASE dc=my-domain,dc=com
       URI ldap://localhost

4) Verify that the LDAP server answers.
[root@oserver1 ~]# ldapsearch -x -b '' -s base '(objectClass=*)' namingContexts

5) Add the cosine and nis LDAP schemas. These schemas contain the object classes used for entries migrated from /etc/passwd, /etc/shadow and /etc/group. The schema files ship in /etc/openldap/schema/.
[root@oserver1 ~]# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/cosine.ldif
[root@oserver1 ~]# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/nis.ldif

6) Set the directory root password. The olcRootPW value can also be a hash generated with slappasswd rather than the clear-text string used here.
    6.1) Create a file 'passwd.ldif' with the following entries.
       dn: olcDatabase={2}hdb,cn=config
       changetype: modify
       replace: olcRootPW
       olcRootPW: secret

    6.2) Apply the change.
[root@oserver1 ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f passwd.ldif

7) Add base domain entry.
   7.1) Create a file 'base.ldif' with the following entries.
       dn: dc=my-domain,dc=com
       dc: my-domain
       objectClass: top
       objectClass: domain

       dn: ou=People,dc=my-domain,dc=com
       ou: People
       objectClass: top
       objectClass: organizationalUnit

       dn: ou=Group,dc=my-domain,dc=com
       ou: Group
       objectClass: top
       objectClass: organizationalUnit

    7.2) Add the entry.
[root@oserver1 ~]# ldapadd -x -D "cn=Manager,dc=my-domain,dc=com" -f base.ldif -w secret

8) Convert '/etc/passwd' and '/etc/group' into LDIF format and add them to the LDAP database. The grep keeps the regular accounts and groups with ids 1000-1099. The migration scripts take their base DN from $DEFAULT_BASE in migrate_common.ph (dc=padl,dc=com as shipped), so set it to dc=my-domain,dc=com first; otherwise the generated entries fall outside the suffix created in step 7.
[root@oserver1 ~]# cd /usr/share/migrationtools
[root@oserver1 migrationtools]# grep ":10[0-9][0-9]" /etc/passwd > passwd
[root@oserver1 migrationtools]# ./migrate_passwd.pl  passwd users.ldif
[root@oserver1 migrationtools]# ldapadd -x -D "cn=Manager,dc=my-domain,dc=com" -f users.ldif -w secret

[root@oserver1 migrationtools]# grep ":10[0-9][0-9]" /etc/group > group
[root@oserver1 migrationtools]# ./migrate_group.pl  group groups.ldif
[root@oserver1 migrationtools]# ldapadd -x -D "cn=Manager,dc=my-domain,dc=com" -f groups.ldif -w secret
[root@oserver1 migrationtools]# cd
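An added example (not the page's migration-tools code) of what step 8's migrate_passwd.pl does: constructed /etc/passwd and /etc/shadow lines are merged into posixAccount/shadowAccount LDIF under ou=People,dc=my-domain,dc=com, selecting accounts by the numeric UID field (1000-1099) instead of the substring grep above, which would also match a 10xx GID or home path.

```python
# Added example: build the LDIF that step 8's migrate_passwd.pl produces,
# selecting accounts by the numeric UID field (1000-1099) rather than by
# grepping ":10xx", which also matches GIDs and home-directory paths.
# All input lines are constructed sample data; the hashes are placeholders.

BASE_DN = "dc=my-domain,dc=com"

PASSWD_LINES = [
    "root:x:0:0:root:/root:/bin/bash",
    "shabbir:x:1000:1000:Shabbir:/home/shabbir:/bin/bash",
    "svc:x:2000:1001:service:/srv/svc:/sbin/nologin",  # GID 1001 would fool the grep
]
SHADOW_LINES = [
    "root:!!:16500:0:99999:7:::",
    "shabbir:$6$salt$PLACEHOLDERHASH:16500:0:99999:7:::",
    "svc:!!:16500:0:99999:7:::",
]


def parse_shadow(lines):
    """Map user name -> [hash, lastchange, min, max, warn] from shadow lines."""
    return {f[0]: f[1:6] for f in (line.split(":") for line in lines)}


def passwd_to_ldif(passwd_lines, shadow_lines, base_dn=BASE_DN,
                   uid_min=1000, uid_max=1099):
    """Return one LDIF entry (string) per account whose UID is in range."""
    shadow = parse_shadow(shadow_lines)
    entries = []
    for line in passwd_lines:
        name, _, uid, gid, gecos, home, shell = line.split(":")
        if not uid_min <= int(uid) <= uid_max:
            continue
        pw, last, mn, mx, warn = shadow.get(name, ["!!", "0", "0", "99999", "7"])
        attrs = [f"dn: uid={name},ou=People,{base_dn}", f"uid: {name}",
                 f"cn: {gecos or name}", "objectClass: account",
                 "objectClass: posixAccount", "objectClass: top",
                 "objectClass: shadowAccount"]
        # Locked or empty hashes ("!!", "*") are not exported as a password.
        if pw and not pw.startswith(("!", "*")):
            attrs.append(f"userPassword: {{crypt}}{pw}")
        attrs += [f"shadowLastChange: {last}", f"shadowMin: {mn}",
                  f"shadowMax: {mx}", f"shadowWarning: {warn}",
                  f"loginShell: {shell}", f"uidNumber: {uid}",
                  f"gidNumber: {gid}", f"homeDirectory: {home}"]
        entries.append("\n".join(attrs))
    return entries
```

Joining the returned entries with a blank line gives a file that ldapadd accepts in place of users.ldif.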

9) Open the firewall for the LDAP service.
[root@oserver1 ~]# firewall-cmd --zone=public --add-service=ldap --permanent
[root@oserver1 ~]# firewall-cmd --reload

10) Create the server certificate.
    10.1) Create a local Certificate Authority (CA).
[root@oserver1 ~]# /etc/pki/tls/misc/CA -newca

    10.2) Create the public/private key pair.
[root@oserver1 ~]# openssl genrsa -out ldapserver.key

    10.3) Create a certificate signing request (CSR)
[root@oserver1 ~]# openssl req -new -key ldapserver.key -out ldapserver.csr

    10.4) Sign the certificate with the local CA.
[root@oserver1 ~]# openssl ca -in ldapserver.csr -out ldapserver.crt

   10.5) Copy the files 'ldapserver.key' and 'ldapserver.crt' to the directory '/etc/openldap/certs/'. The key must be readable by the 'ldap' user that slapd runs as, and by nobody else.

   10.6) Copy the CA certificate '/etc/pki/CA/cacert.pem' to the directory '/etc/openldap/cacerts/' on every client machine.

    10.7) Create a file 'cert.ldif' with the following entries.
          dn: cn=config
          changetype: modify
          replace: olcTLSCertificateFile
          olcTLSCertificateFile: /etc/openldap/certs/ldapserver.crt

          dn: cn=config
          changetype: modify
          replace: olcTLSCertificateKeyFile
          olcTLSCertificateKeyFile: /etc/openldap/certs/ldapserver.key

    10.8) Apply the change.
[root@oserver1 ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f cert.ldif

11) Configure logging. slapd logs to the local4 syslog facility by default.
    11.1) Edit the file '/etc/rsyslog.conf' and add the following entry.
              local4.*                    /var/log/ldap.log

    11.2) Restart rsyslog.
[root@oserver1 ~]# systemctl restart rsyslog

12) Restart the server.
[root@oserver1 ~]# systemctl restart slapd

13) Test the server.
[root@oserver1 ~]# ldapsearch -x '(uid=*)'
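An added example, not from the original post, of using the log set up in step 11 for detection: it pairs each BIND with its RESULT by conn/op in slapd's stats-format lines (constructed samples below) and counts invalidCredentials (err=49) failures per client address and bind DN.

```python
# Added example: parse the slapd "stats" lines that step 11 sends to
# /var/log/ldap.log, pair each BIND with its RESULT by conn/op, and count
# failed simple binds (err=49, invalidCredentials) per client IP and DN.
# The log lines below are constructed samples in slapd's default format.
import re
from collections import Counter

SAMPLE_LOG = """\
Apr 28 10:00:01 oserver1 slapd[1234]: conn=1000 fd=12 ACCEPT from IP=192.0.2.10:45678 (IP=0.0.0.0:389)
Apr 28 10:00:01 oserver1 slapd[1234]: conn=1000 op=0 STARTTLS
Apr 28 10:00:01 oserver1 slapd[1234]: conn=1000 op=0 RESULT oid= err=0 text=
Apr 28 10:00:01 oserver1 slapd[1234]: conn=1000 op=1 BIND dn="uid=shabbir,ou=People,dc=my-domain,dc=com" method=128
Apr 28 10:00:01 oserver1 slapd[1234]: conn=1000 op=1 RESULT tag=97 err=49 text=
Apr 28 10:00:02 oserver1 slapd[1234]: conn=1000 op=2 BIND dn="uid=shabbir,ou=People,dc=my-domain,dc=com" method=128
Apr 28 10:00:02 oserver1 slapd[1234]: conn=1000 op=2 RESULT tag=97 err=49 text=
Apr 28 10:00:05 oserver1 slapd[1234]: conn=1001 fd=13 ACCEPT from IP=192.0.2.11:45679 (IP=0.0.0.0:389)
Apr 28 10:00:05 oserver1 slapd[1234]: conn=1001 op=0 BIND dn="uid=shabbir,ou=People,dc=my-domain,dc=com" method=128
Apr 28 10:00:05 oserver1 slapd[1234]: conn=1001 op=0 BIND dn="uid=shabbir,ou=People,dc=my-domain,dc=com" mech=SIMPLE ssf=0
Apr 28 10:00:05 oserver1 slapd[1234]: conn=1001 op=0 RESULT tag=97 err=0 text=
"""

ACCEPT_RE = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+")
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=')
RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)")


def bind_results(log_text):
    """Yield (client_ip, bind_dn, err) for every BIND that got a RESULT."""
    client_ip = {}  # conn id -> peer address from the ACCEPT line
    pending = {}    # (conn, op) -> bind DN still waiting for its RESULT
    for line in log_text.splitlines():
        m = ACCEPT_RE.search(line)
        if m:
            client_ip[m.group(1)] = m.group(2)
            continue
        m = BIND_RE.search(line)
        if m:
            pending[(m.group(1), m.group(2))] = m.group(3)
            continue
        m = RESULT_RE.search(line)  # tag=97 is the BIND response
        if m and (m.group(1), m.group(2)) in pending:
            dn = pending.pop((m.group(1), m.group(2)))
            yield client_ip.get(m.group(1), "?"), dn, int(m.group(3))


def failed_binds(log_text):
    """Count invalidCredentials (err=49) results per (client_ip, bind_dn)."""
    return Counter((ip, dn) for ip, dn, err in bind_results(log_text) if err == 49)
```

The same pairing works on a real /var/log/ldap.log as long as slapd runs at its default 'stats' log level, which emits the ACCEPT, BIND and RESULT lines used here.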

Configure Client for LDAP Authentication

We use the System Security Services Daemon (SSSD) for user information services and authentication, instead of the legacy services.

We use the authconfig tool for authentication configuration. If the --test action is specified, authconfig just reads the current settings from the various configuration files and prints their values. If the --update action is specified, authconfig must be run by root, and the configuration changes are saved.

Each --enable option has a matching --disable option that disables the service if it is already enabled.

Perform the following steps on the client machine:

1) Install packages.
[root@meru ~]# yum -y install openldap-clients authconfig sssd*

2) Configure authentication using 'authconfig'.
[root@meru ~]# authconfig --enableldap --enableldapauth --ldapserver="ldap://oserver1.mycompany.com:389" --ldapbasedn="dc=my-domain,dc=com" --passalgo=sha512 --enableldaptls --enablemkhomedir --update

--enableldap -> Use LDAP as an identity store. Configures user information services in /etc/nsswitch.conf.

--enableldapauth -> Use LDAP as the authentication method. Configures authentication functions via /etc/pam.d/system-auth.

--ldapserver="ldap://oserver1.mycompany.com:389" -> The URL of the LDAP server. This usually requires both the host name and port number of the LDAP server.

--ldapbasedn="dc=my-domain,dc=com" -> Gives the root suffix or distinguished name (DN) for the user directory. All of the user entries used for identity/authentication will exist below this parent entry.

--enableldaptls -> Sets whether to use Start TLS to encrypt the connections to the LDAP server. This enables a secure connection over a standard port. We will later retrieve the issuing CA certificate for the LDAP server and configure it in 'sssd'.

--passalgo=sha512 -> The algorithm used for storing password hashes.

--enablemkhomedir -> Create the home directory on first login.

3) Verify the settings.
[root@meru ~]# authconfig --test

4) Install the CA certificate.
    4.1) Copy the CA certificate 'cacert.pem' from the server to the directory '/etc/openldap/cacerts/'.

    4.2) Edit the file '/etc/sssd/sssd.conf' and add the following entry to the LDAP domain section.
           ldap_tls_cacert = /etc/openldap/cacerts/cacert.pem

    4.3) Restart sssd.
[root@meru ~]# systemctl restart sssd

    4.4) Edit the file '/etc/openldap/ldap.conf' and add the following entry. Unlike sssd.conf, ldap.conf keywords take no '='.
           TLS_CACERT /etc/openldap/cacerts/cacert.pem

5) Test the connection. Consider the user 'shabbir'. Comment out the entry for 'shabbir' in '/etc/passwd' if it exists, so the lookup cannot be satisfied locally. Then execute the commands below.

[root@meru ~]# getent passwd shabbir

[root@meru ~]# ldapsearch -x '(uid=shabbir)'

6) Log in to the machine as user 'shabbir' with the password stored in the LDAP database.


  1. It is very useful information. Thanks for sharing with us. I would like to share my website about LDAP Integration Module

  2. What about when hackers use someone's network and how would you trace it to the actual IP location and not the stolen network when they run a lot of aliases and even Redhat are asking for user, password and location?