LDAP – How to set up OpenLDAP on CentOS. Following the guide as a reference from Stratus over at Overclockers.com. This took WAY longer than it should have but I finally got the damn thing working.

Required packages on the server:
yum install -y openldap-servers openldap-clients nss-pam-ldapd mlocate rsync sudo
chkconfig slapd on
Create a hashed password for the LDAP root DN and keep the output; it goes into olcRootPW below:
slappasswd
Using “test” as our example password.
# New password: test
# Re-enter new password: test
{SSHA}Xks8d+MDEYPcntfJRCF2Mr4NppqmhEXK
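What that {SSHA} string actually is, as an added example that is not part of the original post and not slapd's own code: slappasswd's default scheme is base64(SHA1(password || salt) || salt) with a random 4-byte salt, so hashing the same password twice gives two different strings, and checking a password means pulling the salt back out of the stored value and redoing the digest. The script below reproduces that with openssl and coreutils (base64, head, tail and mktemp are assumed to be present); you can feed the hash from above into ssha_verify to confirm it really is "test".

```shell
#!/bin/sh
# Added example, not from the original post: build and check {SSHA} hashes
# the way slappasswd's default scheme does:
#   {SSHA} + base64( SHA1(password || salt) || salt ),  salt = 4 random bytes
# Assumes openssl, base64, head, tail and mktemp are available (GNU/BSD userland).

# ssha_hash PASSWORD -> prints "{SSHA}<base64>" with a fresh random salt
ssha_hash() {
    pw=$1
    salt=$(mktemp)
    head -c 4 /dev/urandom > "$salt"              # 4-byte salt, like slappasswd
    enc=$( { printf '%s' "$pw"; cat "$salt"; } \
           | openssl dgst -sha1 -binary \
           | { cat; cat "$salt"; } \
           | base64 | tr -d '\n' )
    rm -f "$salt"
    printf '{SSHA}%s\n' "$enc"
}

# ssha_verify PASSWORD HASH -> exit 0 if PASSWORD matches HASH, 1 otherwise
ssha_verify() {
    pw=$1
    stored=${2#"{SSHA}"}                          # strip the scheme prefix
    salt=$(mktemp)
    # the salt is whatever follows the 20-byte SHA-1 digest in the decoded blob
    printf '%s' "$stored" | base64 -d | tail -c +21 > "$salt"
    recomputed=$( { printf '%s' "$pw"; cat "$salt"; } \
                  | openssl dgst -sha1 -binary \
                  | { cat; cat "$salt"; } \
                  | base64 | tr -d '\n' )
    rm -f "$salt"
    [ "$recomputed" = "$stored" ]
}

# Usage: hash "test", then verify the right password and reject a wrong one
h=$(ssha_hash test)
echo "$h"
ssha_verify test "$h" && echo "test: OK"
ssha_verify wrong "$h" || echo "wrong: rejected"
```

Because the salt is random, the string you get will not match the one above character for character, but ssha_verify accepts both; this is also why a {SSHA} value cannot be compared to another one directly and why there is no way to recover the password from the ldif.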
Edit the database file to reflect your domain:
vim /etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif
Inside vim, use a substitution to change the default suffix:
:%s/dc=my-domain,dc=com/dc=your-domain,dc=com/g
At the bottom of olcDatabase={2}bdb.ldif add these 3 lines (the hash is the slappasswd output from above; the certificate and key paths must match the files created with openssl further down):
olcRootPW: {SSHA}Xks8d+MDEYPcntfJRCF2Mr4NppqmhEXK
olcTLSCertificateFile: /etc/pki/tls/certs/slapd_cert.pem
olcTLSCertificateKeyFile: /etc/pki/tls/certs/slapd_key.pem
Now point the monitor database's access rule at your root DN:
vim /etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif
Another substitution to replace the domain. Note the capital M: the DN here must match the cn=Manager rootDN exactly, and the shipped file has it in lowercase:
:%s/cn=manager,dc=my-domain,dc=com/cn=Manager,dc=your-domain,dc=com/g
Refresh the mlocate index (handy for finding files later) and copy the example DB_CONFIG into place:
updatedb
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
 Make sure the database has proper permissions:
chown -Rf ldap:ldap /var/lib/ldap/
Enable the LDAPS listener (the certificate it uses is created in the next step):
vim /etc/sysconfig/ldap
SLAPD_LDAPS=yes
Create a self-signed certificate. This one is good for 10 years; -nodes leaves the private key unencrypted so slapd can read it at start-up without a passphrase:
openssl req -new -x509 -nodes -out /etc/pki/tls/certs/slapd_cert.pem -keyout /etc/pki/tls/certs/slapd_key.pem -days 3650
This creates a certificate and a private key. Set the ownership and permissions so the ldap group can read both but only root can change them, and nobody else can read the key:
chown root:ldap /etc/pki/tls/certs/slapd_cert.pem /etc/pki/tls/certs/slapd_key.pem
chmod 644 /etc/pki/tls/certs/slapd_cert.pem
chmod 640 /etc/pki/tls/certs/slapd_key.pem
 Test the config and make sure it’s working:
slaptest -u
config file testing succeeded
 Start up the ldap server:
service slapd start
 Edit LDAP config files:
vim /etc/openldap/ldap.conf
TLS_CACERT /etc/pki/tls/certs/slapd_cert.pem
URI ldap://127.0.0.1
BASE dc=your-domain,dc=com
 Query the database to see if it’s working:
ldapsearch -x -b "dc=your-domain,dc=com"
 You should get something at the bottom like:
# search result
search: 2
result: 0 Success
Create some LDIF files to import. Each entry starts with its dn: line, and entries in the same file are separated by a blank line (ldapadd rejects the file otherwise):
vim /etc/openldap/schema/base.ldif
dn: dc=your-domain,dc=com
dc: your-domain
objectClass: top
objectClass: domain

dn: ou=Users,dc=your-domain,dc=com
ou: Users
objectClass: top
objectClass: organizationalUnit

dn: ou=Groups,dc=your-domain,dc=com
ou: Groups
objectClass: top
objectClass: organizationalUnit
vim /etc/openldap/schema/group.ldif
dn: cn=admin,ou=Groups,dc=your-domain,dc=com
objectClass: posixGroup
objectClass: top
cn: admin
gidNumber: 999
vim /etc/openldap/schema/users.ldif
dn: uid=admin,ou=Users,dc=your-domain,dc=com
uid: admin
cn: admin
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
# a cleartext value is accepted but stored as-is; better to paste a {SSHA} hash from slappasswd here
userPassword: password
shadowLastChange: 15140
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 999
gidNumber: 999
homeDirectory: /home/ldap
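The same three files generated from a domain name, as an added example that is not part of the original post. Deriving the DN and the dc value from one input keeps them from drifting apart, the blank lines between entries come out right, shadowLastChange is computed as days since the epoch instead of hard-coded, and the user's password is taken as a slappasswd hash rather than cleartext. The domain example.com, the admin name and the uid/gid are assumptions; the hash is the "test" one from the top of the page.

```shell
#!/bin/sh
# Added example (not from the original post): generate base/group/user LDIF
# for a given domain. Assumes a dotted domain name and a {SSHA} hash from slappasswd.

# dn_from_domain example.com -> dc=example,dc=com
dn_from_domain() {
    printf '%s' "$1" | sed 's/\./,dc=/g; s/^/dc=/'
}

# dc_value example.com -> example   (the top-level dc attribute)
dc_value() {
    printf '%s' "${1%%.*}"
}

# base_ldif DOMAIN -> domain object plus the Users and Groups OUs, blank-line separated
base_ldif() {
    base=$(dn_from_domain "$1")
    cat <<EOF
dn: $base
dc: $(dc_value "$1")
objectClass: top
objectClass: domain

dn: ou=Users,$base
ou: Users
objectClass: top
objectClass: organizationalUnit

dn: ou=Groups,$base
ou: Groups
objectClass: top
objectClass: organizationalUnit
EOF
}

# group_ldif DOMAIN NAME GID
group_ldif() {
    cat <<EOF
dn: cn=$2,ou=Groups,$(dn_from_domain "$1")
objectClass: posixGroup
objectClass: top
cn: $2
gidNumber: $3
EOF
}

# user_ldif DOMAIN NAME UID GID HASH   (HASH is slappasswd output, never cleartext)
user_ldif() {
    cat <<EOF
dn: uid=$2,ou=Users,$(dn_from_domain "$1")
uid: $2
cn: $2
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: $5
shadowLastChange: $(( $(date +%s) / 86400 ))
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: $3
gidNumber: $4
homeDirectory: /home/$2
EOF
}

# count_entries < LDIF -> number of entries (dn: lines) in the file
count_entries() {
    grep -c '^dn:'
}

# Usage: write the three files into a temp dir (assumed domain and hash)
DOMAIN=example.com                               # assumption: your real domain goes here
HASH='{SSHA}Xks8d+MDEYPcntfJRCF2Mr4NppqmhEXK'    # slappasswd output for "test" from above
out=$(mktemp -d)
base_ldif  "$DOMAIN"                    > "$out/base.ldif"
group_ldif "$DOMAIN" admin 999          > "$out/group.ldif"
user_ldif  "$DOMAIN" admin 999 999 "$HASH" > "$out/users.ldif"
echo "LDIF written to $out ($(cat "$out"/*.ldif | count_entries) entries)"
```

Feed the three files to ldapadd in the same order as the guide (base first, since the OUs must exist before anything is put under them).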
 After the files are created, add them into the LDAP database:
ldapadd -x -W -D "cn=Manager,dc=your-domain,dc=com" -f /etc/openldap/schema/base.ldif
ldapadd -x -W -D "cn=Manager,dc=your-domain,dc=com" -f /etc/openldap/schema/group.ldif
ldapadd -x -W -D "cn=Manager,dc=your-domain,dc=com" -f /etc/openldap/schema/users.ldif
 Verify that there are now users by re-running the ldapsearch command:
ldapsearch -x -b "dc=your-domain,dc=com"
 On the client:
yum install openldap-clients pam_ldap nss-pam-ldapd rsync vim sudo
 Enable nslcd to start at boot:
chkconfig nslcd on
Setup Authconfig:
authconfig --enableldap --ldapserver="ldap://ipaddress" --ldapbasedn="dc=your-domain,dc=com" --updateall
Copy the server certificate over so the client can validate the TLS connection. Only the certificate is needed; the private key stays on the server:
rsync -avh root@ipaddress:/etc/pki/tls/certs/slapd_cert.pem /etc/pki/tls/certs/
 Edit your config files to reflect your new ldap server:
vim /etc/pam_ldap.conf
# Can delete the whole file if you want or just comment everything out
# These are the lines you need at the bottom
base dc=your-domain,dc=com
# "ssl off" is enough to get logins working but sends bind passwords in cleartext;
# once the certificate is on the client change this to "ssl start_tls" so tls_cacertfile is actually used
ssl off
tls_cacertfile /etc/pki/tls/certs/slapd_cert.pem
uri ldap://ipaddress
vim /etc/openldap/ldap.conf
URI ldap://ipaddress
BASE dc=your-domain,dc=com
TLS_CACERT /etc/pki/tls/certs/slapd_cert.pem
vim /etc/sysconfig/authconfig
USELDAPAUTH=yes
USELDAP=yes
vim /etc/nsswitch.conf
passwd:     files ldap
shadow:     files ldap
group:      files ldap
sudoers:        ldap
services:   files ldap
automount:  files ldap
vim /etc/pam.d/system-auth
The important changes are the lines containing pam_ldap.so and the last line, which creates the home directory on first login:
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so
password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
# session     optional      pam_mkhomedir.so skel=/etc/skel umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so
session     required      pam_mkhomedir.so skel=/etc/skel umask=0077
 Since we changed a lot of things to do with PAM it’s best to reboot before any final testing!
reboot

Troubleshooting and Testing:

On your client machine, test whether you can switch to your new LDAP user:
su admin
SSH from your LDAP server into your client machine using LDAP credentials:
ssh admin@ipaddress
If you are unable to connect here, here are a couple of files that you might look at. sshd includes /etc/pam.d/password-auth rather than system-auth, so the pam_ldap.so lines (and pam_mkhomedir.so, if you want the home directory created on first SSH login) have to be present there as well.
I had this issue in the beginning and it took me awhile to figure out.
vim /etc/pam.d/password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so
password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so skel=/etc/skel umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so
vim /etc/pam.d/password-auth-ac
On CentOS /etc/pam.d/password-auth is a symlink to password-auth-ac (authconfig writes the -ac file), so its contents are identical to the listing above.
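A quick lint for the client-side files, as an added example that is not part of the original post. It checks an nsswitch.conf and a PAM stack for the things this guide depends on: passwd, shadow and group resolving via ldap, an active pam_ldap.so line in every PAM phase, pam_mkhomedir.so in the session stack, and two easy hand-editing slips (a bare pam_ldap without .so, which PAM cannot load, and use_authok, which is not an option pam_ldap knows). The sample files are constructed inline so it runs anywhere; on a real client point the functions at /etc/nsswitch.conf, /etc/pam.d/system-auth and /etc/pam.d/password-auth.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the client files this
# guide edits. Works on real files (/etc/nsswitch.conf, /etc/pam.d/system-auth,
# /etc/pam.d/password-auth) or on the constructed samples at the bottom.

# nss_uses_ldap FILE DB -> 0 if the DB line (passwd, shadow, group) lists ldap
nss_uses_ldap() {
    grep -E "^[[:space:]]*$2:" "$1" | grep -qw ldap
}

# pam_has FILE PHASE MODULE -> 0 if an active (uncommented) PHASE line loads MODULE
pam_has() {
    grep -E "^[[:space:]]*$2[[:space:]]" "$1" | grep -qw "$3"
}

# check_pam FILE -> prints one line per finding, returns the number of problems
check_pam() {
    f=$1; problems=0
    for phase in auth account password session; do
        if ! pam_has "$f" "$phase" pam_ldap.so; then
            echo "$f: no active pam_ldap.so in $phase stack"; problems=$((problems+1))
        fi
    done
    if ! pam_has "$f" session pam_mkhomedir.so; then
        echo "$f: pam_mkhomedir.so missing from session (home dir not created on first login)"
        problems=$((problems+1))
    fi
    # slips seen in hand-edited stacks: a bare "pam_ldap" is not a loadable module name,
    # and "use_authok" is not an option pam_ldap understands
    if grep -Ev '^[[:space:]]*#' "$f" | grep -Eq '[[:space:]]pam_ldap([[:space:]]|$)'; then
        echo "$f: 'pam_ldap' without .so"; problems=$((problems+1))
    fi
    if grep -Ev '^[[:space:]]*#' "$f" | grep -q 'use_authok'; then
        echo "$f: 'use_authok' should be 'use_authtok'"; problems=$((problems+1))
    fi
    return $problems
}

# check_nss FILE -> returns the number of passwd/shadow/group lines that skip ldap
check_nss() {
    problems=0
    for db in passwd shadow group; do
        nss_uses_ldap "$1" "$db" || { echo "$1: $db does not consult ldap"; problems=$((problems+1)); }
    done
    return $problems
}

# Constructed samples: a stack with the fixes applied, and one with the slips left in
tmp=$(mktemp -d)
GOOD_PAM=$tmp/system-auth.good
cat > "$GOOD_PAM" <<'EOF'
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so broken_shadow
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
session     required      pam_unix.so
session     optional      pam_ldap.so
session     required      pam_mkhomedir.so skel=/etc/skel umask=0077
EOF
BAD_PAM=$tmp/system-auth.bad
cat > "$BAD_PAM" <<'EOF'
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_ldap.so use_first_pass
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
password    sufficient    pam_ldap.so use_authok
# session     optional      pam_mkhomedir.so skel=/etc/skel umask=0077
session     optional      pam_ldap
EOF
GOOD_NSS=$tmp/nsswitch.good
printf 'passwd:     files ldap\nshadow:     files ldap\ngroup:      files ldap\n' > "$GOOD_NSS"
BAD_NSS=$tmp/nsswitch.bad
printf 'passwd:     files\nshadow:     files ldap\ngroup:      files\n' > "$BAD_NSS"

# Usage: the good pair passes silently, the bad pair lists every problem
check_nss "$GOOD_NSS" && check_pam "$GOOD_PAM" && echo "client config looks complete"
check_nss "$BAD_NSS" || echo "nsswitch problems: $?"
check_pam "$BAD_PAM" || echo "pam problems: $?"
```

Run check_pam against both system-auth and password-auth: a stack that only looks right in system-auth is exactly the case where su works but ssh does not.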
So everything works great and you want to use a GUI to manage your LDAP instance?

Try out LDAPAdmin – http://www.ldapadmin.org/

Well, that's great and all, but how the hell do I set it up?
  1. Install the software from the executable
  2. Open it up
  3. In the top left corner is a Connect button
  4. Click New Connection and bind as cn=Manager,dc=your-domain,dc=com (the password is the one you hashed with slappasswd at the very beginning, "test" in this example)


That’s it your done!  If I’ve missed a step or something is incorrect please leave me a comment and I’ll get it fixed asap!
