Installing & Configuring OpenLDAP Server On CentOS 6.4


What is LDAP?
LDAP, Lightweight Directory Access Protocol, is an Internet protocol that email and other programs use to look up information from a server.
LDAP is mostly used by medium-to-large organi­zations. If you belong to one that has an LDAP server, you can use it to look up contact info and the like. Otherwise, if you were just wondering about this acronym, you probably don't need it. But feel free to read on to learn the story of this bit of Internet plumbing.
Every email program has a personal address book, but how do you look up an address for someone who's never sent you email? How can an organization keep one centralized up-to-date phone book that everybody has access to?
Those questions led companies such as Microsoft, IBM, Lotus, and Netscape to support a standard called LDAP. "LDAP-aware" client programs can ask LDAP servers to look up entries in a wide variety of ways. LDAP servers index all the data in their entries, and "filters" may be used to select just the person or group you want, and return just the information you want. For example, here's an LDAP search translated into plain English: "Search for all people located in Chicago whose name contains "Fred" that have an email address. Please return their full name, email, title, and description."
LDAP is not limited to contact information, or even information about people. LDAP is used to look up encryption certificates, pointers to printers and other services on a network, and provide "single sign-on" where one password for a user is shared between many services. LDAP is appropriate for any kind of directory-like information, where fast lookups and less-frequent updates are the norm.
As a protocol, LDAP does not define how programs work on either the client or server side. It defines the "language" used for client programs to talk to servers (and servers to servers, too). On the client side, a client may be an email program, a printer browser, or an address book. The server may speak only LDAP, or have other methods of sending and receiving data—LDAP may just be an add-on method.
If you have an email program (as opposed to web-based email), it probably supports LDAP. Most LDAP clients can only read from a server. Search abilities of clients (as seen in email programs) vary widely. A few can write or update information, but the LDAP protocol itself does not encrypt the connection, so updates, and any bind that sends a password, should go over TLS (an ldaps:// connection or StartTLS) to the LDAP server.
If you have OS X and access to an LDAP server, you can enter your LDAP account into System Preferences--Internet Accounts. At bottom of the right pane, click Add Other Account, then choose the LDAP account option. This lets Address Book look up info from your server.
LDAP also defines: Permissions, set by the administrator to allow only certain people to access the LDAP database, and optionally keep certain data private. Schema: a way to describe the format and attributes of data in the server. For example: a schema entered in an LDAP server might define a "groovyPerson" entry type, which has attributes of "instantMessageAddress", and "coffeeRoastPreference". The normal attributes of name, email address, etc., would be inherited from one of the standard schemas, which are rooted in X.500 (see below).
LDAP was designed at the University of Michigan to adapt a complex enterprise directory system (called X.500) to the modern Internet. X.500 is too complex to support on desktops and over the Internet, so LDAP was created to provide this service "for the rest of us."
LDAP servers exist at three levels: There are big public servers, large organizational servers at universities and corporations, and smaller LDAP servers for workgroups. Most public servers from around year 2000 have disappeared, although directory.verisign.com exists for looking up X.509 certificates. The idea of publicly listing your email address for the world to see, of course, has been crushed by spam.
While LDAP didn't bring us the worldwide email address book, it continues to be a popular standard for communicating record-based, directory-like data between programs.
OpenLDAP Setup Overview

This section provides a quick overview for installing and configuring an OpenLDAP directory. It follows the older slapd.conf-style Red Hat documentation; the CentOS 6 steps later in this post convert slapd.conf into the cn=config directory. For more details, refer to
The basic steps for creating an LDAP server are as follows:
  • Install the openldap, openldap-servers, and openldap-clients RPMs.
  • Edit the /etc/openldap/slapd.conf file to specify the LDAP domain and server.
  • Start slapd with the command /sbin/service ldap start (on CentOS 6 the init script is named slapd, so the command used later in this post is service slapd start).
  • After configuring LDAP, use chkconfig, /usr/sbin/ntsysv, or the Services Configuration Tool to configure LDAP to start at boot time. For more information about configuring services, refer to
  • Add entries to an LDAP directory with ldapadd.
  • Use ldapsearch to determine if slapd is accessing the information correctly.
  • At this point, the LDAP directory should be functioning properly and can be configured with LDAP-enabled applications.
Editing /etc/openldap/slapd.conf

To use the slapd LDAP server, modify its configuration file, /etc/openldap/slapd.conf, to specify the correct domain and server.
The suffix line names the domain for which the LDAP server provides information and should be changed from:
suffix          "dc=your-domain,dc=com"
Edit it accordingly so that it reflects a fully qualified domain name. For example:
suffix          "dc=example,dc=com"
The rootdn entry is the Distinguished Name (DN) for a user who is unrestricted by access controls or administrative limit parameters set for operations on the LDAP directory. The rootdn user can be thought of as the root user for the LDAP directory. In the configuration file, change the rootdn line from its default value as in the following example:
rootdn          "cn=root,dc=example,dc=com"
When populating an LDAP directory over a network, change the rootpw line, replacing the default value with a hashed password string. To create the hash, type the following command:
slappasswd
When prompted, type and then re-type a password. The program prints the resulting salted hash ({SSHA}) to the shell prompt.
Next, copy the newly created hash into /etc/openldap/slapd.conf on one of the rootpw lines and remove the hash mark (#).
When finished, the line should look similar to the following example:
rootpw {SSHA}vv2y+i6V6esazrIv70xSSnNAJE18bb2u
Warning
LDAP passwords, including the rootpw directive specified in /etc/openldap/slapd.conf, are sent over the network unencrypted, unless TLS encryption is enabled.
To enable TLS encryption, review the comments in /etc/openldap/slapd.conf and refer to the man page for slapd.conf.
For added security, the rootpw directive should be commented out after populating the LDAP directory by preceding it with a hash mark (#).
When using the /usr/sbin/slapadd command line tool locally to populate the LDAP directory, use of the rootpw directive is not necessary.
Important
Only the root user can use /usr/sbin/slapadd. However, the directory server runs as the ldap user. Therefore, the directory server is unable to modify any files created by slapadd. To correct this issue, after using slapadd, type the following command:
chown -R ldap /var/lib/ldap




Let’s see how to install and configure OpenLDAP Server 2.4 on CentOS 6.4. Here I have a minimal installation of CentOS 6.4 x86_64.

Pre-requisites:

  • Working DNS Server : If you don't know how to configure DNS, please search this blog
  • Server should be synced with NTP Server. Please follow my post for NTP Server configuration
  • Disable SELinux. The walkthrough below was done with SELinux disabled; OpenLDAP does not require it, and on anything but a lab box prefer keeping SELinux enforcing (openldap-servers ships with a targeted policy for slapd) and fixing any denials instead.
Steps for Installing & Configuring OpenLDAP Server: 

Install OpenLDAP server and client packages
[root@ldap1 ~]# yum install openldap openldap-servers openldap-clients -y

Installing the openldap-servers package provides a template slapd.conf with an example bdb database configured. In this example we modify that slapd.conf and then convert it to the cn=config format. cn=config is the OpenLDAP 2.4 configuration backend that allows configuration changes at runtime (over LDAP) without restarting slapd.

Copy the example slapd.conf to /etc/openldap/
[root@ldap1 ~]# cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf

Generate the hashed password for rootdn to use in /etc/openldap/slapd.conf. slappasswd prints a salted SHA-1 hash ({SSHA}) with a fresh random salt on every run, so two runs with the same password give different strings.
[root@ldap1 ~]# slappasswd
New password:
Re-enter new password:
{SSHA}GtG8bcLGeN/rf1iStKFK2pu0C2EZf/RX


Copy the generated password and edit the /etc/openldap/slapd.conf
Note: the lines changed from the template are the rootpw line (the {SSHA} string from slappasswd), loglevel and sizelimit under the bdb database definition. The file must not be world readable, since it now holds the rootdn hash.
[root@ldap1 ~]# vim /etc/openldap/slapd.conf
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /etc/openldap/schema/corba.schema
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/duaconf.schema
include         /etc/openldap/schema/dyngroup.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/java.schema
include         /etc/openldap/schema/misc.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/openldap.schema
include         /etc/openldap/schema/ppolicy.schema
include         /etc/openldap/schema/collective.schema

# Allow LDAPv2 client connections.  This is NOT the default.
allow bind_v2

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

# Load dynamic backend modules
# - modulepath is architecture dependent value (32/64-bit system)
# - back_sql.la overlay requires openldap-server-sql package
# - dyngroup.la and dynlist.la cannot be used at the same time

# modulepath /usr/lib/openldap
# modulepath /usr/lib64/openldap

# moduleload accesslog.la
# moduleload auditlog.la
# moduleload back_sql.la
# moduleload chain.la
# moduleload collect.la
# moduleload constraint.la
# moduleload dds.la
# moduleload deref.la
# moduleload dyngroup.la
# moduleload dynlist.la
# moduleload memberof.la
# moduleload pbind.la
# moduleload pcache.la
# moduleload ppolicy.la
# moduleload refint.la
# moduleload retcode.la
# moduleload rwm.la
# moduleload seqmod.la
# moduleload smbk5pwd.la
# moduleload sssvlv.la
# moduleload syncprov.la
# moduleload translucent.la
# moduleload unique.la
# moduleload valsort.la

# The next three lines allow use of TLS for encrypting connections using a
# dummy test certificate which you can generate by running
# /usr/libexec/openldap/generate-server-cert.sh. Your client software may balk
# at self-signed certificates, however.
#TLSCACertificatePath /etc/openldap/certs
#TLSCertificateFile "\"OpenLDAP Server\""
#TLSCertificateKeyFile /etc/openldap/certs/password

# Sample security restrictions
#       Require integrity protection (prevent hijacking)
#       Require 112-bit (3DES or better) encryption for updates
#       Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
#       Root DSE: allow anyone to read it
#       Subschema (sub)entry DSE: allow anyone to read it
#       Other DSEs:
#               Allow self write access
#               Allow authenticated users read access
#               Allow anonymous users to authenticate
#       Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#       by self write
#       by users read
#       by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

# enable on-the-fly configuration (cn=config)
database config
access to *
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
        by * none

# enable server status monitoring (cn=monitor)
database monitor
access to *
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
        by dn.exact="cn=Manager,dc=example,dc=com" read
        by * none

#######################################################################
# database definitions
#######################################################################

database        bdb
suffix          "dc=example,dc=com"
checkpoint      1024 15
rootdn          "cn=Manager,dc=example,dc=com"
rootpw          {SSHA}GtG8bcLGeN/rf1iStKFK2pu0C2EZf/RX
loglevel        256
sizelimit       unlimited
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw                secret
# rootpw                {crypt}ijFYNcSNctBYg

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /var/lib/ldap

# Indices to maintain for this database
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub

# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
#     bindmethod=sasl saslmech=GSSAPI
#     authcId=host/ldap-master.example.com@EXAMPLE.COM
 

Clean out any existing LDAP database files and previously converted configuration, in case they exist, so they can be re-initialized:
[root@ldap1 ~]# rm -rf /var/lib/ldap/*
[root@ldap1 ~]# rm -rf /etc/openldap/slapd.d/*

Copy the sample DB_CONFIG file to /var/lib/ldap/
[root@ldap1 ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

Check for errors in /etc/openldap/slapd.conf using the below command 
[root@ldap1 ~]# slaptest -u
config file testing succeeded

Convert configuration file into dynamic configuration under /etc/openldap/slapd.d/ directory
[root@ldap1 ~]# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
config file testing succeeded

Set permission on /var/lib/ldap/ and /etc/openldap/slapd.d/ to ldap
[root@ldap1 ~]# chown -Rf ldap. /etc/openldap/slapd.d/
[root@ldap1 ~]# chown -Rf ldap. /var/lib/ldap/
[root@ldap1 ~]# chmod 700 /var/lib/ldap/
[root@ldap1 ~]# chmod 700 /etc/openldap/slapd.d/


Start the slapd process and service at system bootup 
[root@ldap1 ~]# service slapd start
Starting slapd:                                            [  OK  ]

[root@ldap1 ~]# chkconfig slapd on
  
Confirm the slapd process is running using the below commands
[root@ldap1 ~]# service slapd status
slapd (pid  1301) is running...
[root@ldap1 ~]# netstat -ntlup | grep slapd
tcp        0      0 0.0.0.0:389                 0.0.0.0:*                   LISTEN      1301/slapd
tcp        0      0 :::389                      :::*                        LISTEN      1301/slapd

[root@ldap1 ~]# ps -ef | grep slapd
ldap      1301     1  0 08:21 ?        00:00:00 /usr/sbin/slapd -h  ldap:/// ldapi:/// -u ldap
root      1318  1208  0 08:23 pts/1    00:00:00 grep slapd


If you get the output above, slapd is running without any problem. At this point every connection between client and server is plain text, so anyone on the network path running a packet sniffer such as Wireshark (formerly Ethereal) can read everything that is transmitted, including bind passwords. To close that hole we will run slapd with TLS (ldaps://), using a self-signed certificate for this lab.

Enabling encrypted connection for slapd using self-signed certificates

Install the openssl package using yum
[root@ldap1 ~]# yum install openssl -y

Generate a private key and a self-signed certificate. The run captured below uses rsa:1024, which is below today's accepted minimum (use rsa:2048 or larger for anything beyond a lab), and a ten-year validity; the -out file is the certificate (despite the pubkey name) and the -keyout file is the private key, which only slapd needs to read.
[root@ldap1 ~]# openssl req -newkey rsa:1024 -x509 -nodes -out /etc/pki/tls/certs/ldap1_pubkey.pem -keyout /etc/pki/tls/certs/ldap1_privkey.pem -days 3650
Generating a 1024 bit RSA private key
....++++++
....++++++
writing new private key to '/etc/pki/tls/certs/ldap1_privkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:Andhra Pradesh
Locality Name (eg, city) [Default City]:Hyderabad
Organization Name (eg, company) [Default Company Ltd]:Example Inc.,
Organizational Unit Name (eg, section) []:ITD
Common Name (eg, your name or your server's hostname) []:ldap1.example.com
Email Address []:root@ldap1.example.com


Make the files readable by the ldap user that slapd runs as. The listing shows the private key left at mode 644, i.e. world readable; restrict it to mode 600 (chmod 600 on ldap1_privkey.pem) before starting slapd, otherwise any local account can copy the server's key.
[root@ldap1 ~]# chown ldap. /etc/pki/tls/certs/ldap1_p*
[root@ldap1 ~]# ll /etc/pki/tls/certs/ldap1_p*
-rw-r--r-- 1 ldap ldap  912 Oct 27 08:40 /etc/pki/tls/certs/ldap1_privkey.pem
-rw-r--r-- 1 ldap ldap 1131 Oct 27 08:40 /etc/pki/tls/certs/ldap1_pubkey.pem


Point slapd at the certificate and key. Per slapd-config(5), olcTLSCertificateFile and olcTLSCertificateKeyFile are global options, i.e. attributes of the cn=config entry (objectClass olcGlobal, file /etc/openldap/slapd.d/cn=config.ldif), and the supported way to set them is ldapmodify -Y EXTERNAL -H ldapi:/// as root. Editing the LDIF under slapd.d by hand, as done here in olcDatabase={0}config.ldif, must be done with slapd stopped (slapd rewrites these files itself and only reads them at startup) and bypasses slapd's validation; if LDAPS does not come up after the restart, move the two olcTLS lines into cn=config.ldif. The two added lines are the olcTLSCertificateFile and olcTLSCertificateKeyFile lines:
[root@ldap1 ~]# vim /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{0\}config.ldif
dn: olcDatabase={0}config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to *  by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=externa
l,cn=auth" manage  by * none
olcAddContentAcl: TRUE
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcRootDN: cn=config
olcSyncUseSubentry: FALSE
olcTLSCertificateFile: /etc/pki/tls/certs/ldap1_pubkey.pem
olcTLSCertificateKeyFile: /etc/pki/tls/certs/ldap1_privkey.pem
olcMonitoring: FALSE
structuralObjectClass: olcDatabaseConfig
entryUUID: 4e47724a-d2fd-1032-8616-41f003d9fb12
creatorsName: cn=config
createTimestamp: 20131027024329Z
entryCSN: 20131027024329.230729Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20131027024329Z


Set the listeners in /etc/sysconfig/ldap: disable the plain ldap:// listener and enable ldaps://. Keep the ldapi:/// socket: it is a local Unix socket, not a network port, and it is how the cn=config ACL above (gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth) lets root administer the configuration with ldapmodify -Y EXTERNAL -H ldapi:/// instead of editing files under slapd.d by hand.
[root@ldap1 ~]# vim /etc/sysconfig/ldap
SLAPD_LDAP=no
# local Unix socket only; needed for root administration of cn=config
SLAPD_LDAPI=yes
SLAPD_LDAPS=yes


Restart the SLAPD process
[root@ldap1 ~]# service slapd restart
Stopping slapd:                                            [  OK  ]
Starting slapd:                                            [  OK  ] 


Check that the service now listens on the LDAPS port (636). The listing captured below still shows only port 389 on both sockets, which is the state before the /etc/sysconfig/ldap change took effect; after a successful restart with SLAPD_LDAP=no and SLAPD_LDAPS=yes expect 0.0.0.0:636 and :::636 instead, and the ldapadd over ldaps:// further down depends on that.
[root@ldap1 ~]# netstat -ntlup | grep slapd
tcp        0      0 0.0.0.0:389                 0.0.0.0:*                   LISTEN      1402/slapd
tcp        0      0 :::389                      :::*                        LISTEN      1402/slapd


Modify the iptables configuration to allow the LDAP ports. LDAP is TCP only (slapd does not serve UDP), so udp rules are pointless; with the plain listener disabled above only 636/tcp is required, and the 389/tcp rule is needed only if you keep SLAPD_LDAP=yes. Restricting the source to the client subnet, as done here, is good practice.
[root@ldap1 ~]# iptables -I INPUT -p tcp -s 192.168.124.0/24 --dport 389 -j ACCEPT
[root@ldap1 ~]# iptables -I INPUT -p tcp -s 192.168.124.0/24 --dport 636 -j ACCEPT
[root@ldap1 ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]


Create a base for the DIT (Directory Information Tree) using the following file.
[root@ldap1 ~]# vim dit.ldif
# Creates a base for DIT
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectclass: organization
o: Example Organization
dc: Example
description: Example Inc DIT

# Creates a Users OU (Organizational Unit)
dn: ou=Users,dc=example,dc=com
objectClass: organizationalUnit
ou: Users

# Creates a Groups OU
dn: ou=Groups,dc=example,dc=com
objectClass: organizationalUnit
ou: Groups

# Creates an Admins OU
dn: ou=Admins,dc=example,dc=com
objectClass: organizationalUnit
ou: Admins

# Create a user student1 with some basic info
dn: uid=student1,ou=Users,dc=example,dc=com
uid: student1
cn: student1
sn: 1
objectClass: top
objectClass: posixAccount
objectClass: inetOrgPerson
loginShell: /bin/bash
homeDirectory: /home/student1
uidNumber: 15000
gidNumber: 10000
userPassword: {SSHA}CQG5KHc6b1ii+qopaVCsNa14v9+r14r5
mail: student1@example.com
gecos: Student1 User

# Create a user student2 with some basic info
dn: uid=student2,ou=Users,dc=example,dc=com
uid: student2
cn: student2
sn: 2
objectClass: top
objectClass: posixAccount
objectClass: inetOrgPerson
loginShell: /bin/bash
homeDirectory: /home/student2
uidNumber: 15001
gidNumber: 10000
userPassword: {SSHA}CQG5KHc6b1ii+qopaVCsNa14v9+r14r5
mail: student2@example.com
gecos: Student2 User

# Creates a ldapusers group under Groups OU
dn: cn=ldapusers,ou=Groups,dc=example,dc=com
objectClass: posixGroup
objectClass: top
cn: ldapusers
userPassword: {crypt}x
gidNumber: 10000
# memberUid holds the bare login name, not a DN or a "uid=" prefix
memberUid: student1
memberUid: student2
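Two things in dit.ldif above deserve a closer look: userPassword values are {SSHA} strings of the kind slappasswd prints, and the student1 and student2 entries carry the identical string, salt included, which can only happen when one slappasswd output was pasted twice (two independent runs would have different salts, and an attacker who cracks one hash has both accounts). The following is an added example, not code from the original post or from the OpenLDAP project, written in Python so it runs offline: it builds and verifies {SSHA} values the way slappasswd does (base64 of SHA-1(password || salt) followed by the salt), reads LDIF text with a minimal parser that also handles the "attr:: base64" form seen in ldapsearch output, and reports entries that share a hash. The sample entries and their passwords are constructed for the example; attribute and DN names follow the page.

```python
"""Added example (not from the original post or the OpenLDAP project): how the
{SSHA} scheme that slappasswd emits is built, how to verify a password against
a stored userPassword value, and a small audit that reads LDIF text such as
dit.ldif above and reports entries sharing an identical hash string."""
import base64
import hashlib
import hmac
import os
from collections import defaultdict
from typing import Optional

SSHA_PREFIX = "{SSHA}"
SHA1_LEN = 20  # SHA-1 digest length; the salt is whatever follows it


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """{SSHA} as slappasswd writes it: base64(SHA1(password || salt) || salt)."""
    if salt is None:
        salt = os.urandom(8)  # slappasswd draws a fresh random salt per call
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(password: str, stored: str) -> bool:
    """True if password matches an {SSHA} value (constant-time digest compare)."""
    if not stored.startswith(SSHA_PREFIX):
        raise ValueError("not an {SSHA} value: %r" % stored[:8])
    raw = base64.b64decode(stored[len(SSHA_PREFIX):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def parse_ldif(text: str):
    """Minimal LDIF reader: unfolds continuation lines, decodes 'attr:: base64'
    values (as seen in ldapsearch output), lowercases attribute names, and
    returns one dict per entry mapping attribute -> list of values."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:  # continuation of previous line
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, attrs = [], defaultdict(list)
    for line in unfolded + [""]:  # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if attrs:
                entries.append(dict(attrs))
                attrs = defaultdict(list)
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):  # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        attrs[name.strip().lower()].append(value)
    return entries


def shared_password_hashes(entries):
    """Map each userPassword string that occurs on more than one entry to the
    DNs carrying it. An identical {SSHA} string means an identical salt, which
    only happens when one slappasswd output was pasted into several entries."""
    by_hash = defaultdict(list)
    for entry in entries:
        for value in entry.get("userpassword", []):
            by_hash[value].append(entry["dn"][0])
    return {h: dns for h, dns in by_hash.items() if len(dns) > 1}


# Constructed sample in the shape of dit.ldif (not the page's file): fixed salts
# so the output is reproducible; student1 and student2 deliberately share one
# pasted hash, as the two entries on the page do.
_SALT_A = bytes.fromhex("0102030405060708")
_SALT_B = bytes.fromhex("1112131415161718")
_SHARED = make_ssha("Secret1!", _SALT_A)
_OTHER_B64 = base64.b64encode(make_ssha("Other2?", _SALT_B).encode("ascii")).decode("ascii")
SAMPLE_LDIF = f"""\
# Constructed sample entries
dn: uid=student1,ou=Users,dc=example,dc=com
objectClass: posixAccount
uid: student1
userPassword: {_SHARED}

dn: uid=student2,ou=Users,dc=example,dc=com
objectClass: posixAccount
uid: student2
userPassword: {_SHARED}

dn: uid=student3,ou=Users,dc=example,dc=com
objectClass: posixAccount
uid: student3
userPassword:: {_OTHER_B64}
"""


def audit(ldif_text: str):
    """Return {hash: [dn, ...]} for hashes reused across entries."""
    return shared_password_hashes(parse_ldif(ldif_text))


if __name__ == "__main__":
    for value, dns in audit(SAMPLE_LDIF).items():
        print("hash %s... shared by: %s" % (value[:16], ", ".join(dns)))
```

Run it against a real dump with audit(open("dit.ldif").read()). {SSHA} is salted but unstrengthened SHA-1, so it is cheap to brute-force; the slapd.conf directives password-hash {CRYPT} together with password-crypt-salt-format "$6$%.16s" make slapd store sha512crypt hashes for passwords changed over LDAP, and slappasswd -h '{CRYPT}' -c '$6$%.16s' produces the same form for values you paste into LDIF.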


Configure the client defaults in /etc/openldap/ldap.conf. Two points matter here: TLS_REQCERT allow accepts any server certificate, which defeats TLS against an on-path attacker, so point TLS_CACERT at the server certificate and use demand; and the URI host must match the certificate's Common Name (ldap1.example.com), a mismatch that allow would otherwise hide. ssl start_tls is nss_ldap/pam_ldap syntax that libldap ignores, and HOST is deprecated in favour of URI.
[root@ldap1 ~]# vim /etc/openldap/ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE   dc=example,dc=com
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

#TLS_CACERTDIR  /etc/openldap/certs
# "ssl start_tls" is an nss_ldap/pam_ldap directive, not an ldap.conf(5) option
TLS_CACERT      /etc/pki/tls/certs/ldap1_pubkey.pem
TLS_REQCERT     demand
BASE            dc=example,dc=com
URI             ldaps://ldap1.example.com
#HOST           192.168.124.251


Populate the DIT with the entries in dit.ldif, binding as the rootdn over LDAPS:
[root@ldap1 ~]# ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f dit.ldif -H ldaps://ldap1.example.com
Enter LDAP Password:
adding new entry "dc=example,dc=com"

adding new entry "ou=Users,dc=example,dc=com"

adding new entry "ou=Groups,dc=example,dc=com"

adding new entry "ou=Admins,dc=example,dc=com"

adding new entry "uid=student1,ou=Users,dc=example,dc=com"

adding new entry "uid=student2,ou=Users,dc=example,dc=com"

adding new entry "cn=ldapusers,ou=Groups,dc=example,dc=com"


Search the DIT to find the newly added entries. Note that this is an anonymous simple bind (-x without -D) and it returns every attribute, including the userPassword hashes: no access directive was configured in slapd.conf, so the default policy (anyone can read everything) applies. Before any client other than this lab talks to the server, enable the sample access control policy left commented in slapd.conf and add a rule for attrs=userPassword of by self write, by anonymous auth, by * none, so hashes are never readable remotely.
[root@ldap1 ~]# ldapsearch -x -b "dc=example,dc=com" -H ldaps://ldap1.example.com
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# example.com
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: Example Organization
dc: Example
description: Example Inc DIT

# Users, example.com
dn: ou=Users,dc=example,dc=com
objectClass: organizationalUnit
ou: Users

# Groups, example.com
dn: ou=Groups,dc=example,dc=com
objectClass: organizationalUnit
ou: Groups

# Admins, example.com
dn: ou=Admins,dc=example,dc=com
objectClass: organizationalUnit
ou: Admins

# student1, Users, example.com
dn: uid=student1,ou=Users,dc=example,dc=com
uid: student1
cn: student1
sn: 1
objectClass: top
objectClass: posixAccount
objectClass: inetOrgPerson
loginShell: /bin/bash
homeDirectory: /home/student1
uidNumber: 15000
gidNumber: 10000
userPassword:: e1NTSEF9Q1FHNUtIYzZiMWlpK3FvcGFWQ3NOYTE0djkrcjE0cjU=
mail: student1@example.com
gecos: Student1 User

# student2, Users, example.com
dn: uid=student2,ou=Users,dc=example,dc=com
uid: student2
cn: student2
sn: 2
objectClass: top
objectClass: posixAccount
objectClass: inetOrgPerson
loginShell: /bin/bash
homeDirectory: /home/student2
uidNumber: 15001
gidNumber: 10000
userPassword:: e1NTSEF9Q1FHNUtIYzZiMWlpK3FvcGFWQ3NOYTE0djkrcjE0cjU=
mail: student2@example.com
gecos: Student2 User

# ldapusers, Groups, example.com
dn: cn=ldapusers,ou=Groups,dc=example,dc=com
objectClass: posixGroup
objectClass: top
cn: ldapusers
userPassword:: e2NyeXB0fXg=
gidNumber: 10000
memberUid: student1
memberUid: student2

# search result
search: 2
result: 0 Success

# numResponses: 8

# numEntries:7

Configure Rsyslog to log the LDAP to LOCAL4
[root@ldap1 ~]# vim /etc/rsyslog.conf
# At the end of file write the below
local4.*                        /var/log/ldap
[root@ldap1 ~]# service rsyslog restart

All slapd log messages now go to /var/log/ldap (slapd logs through the syslog facility local4 by default, and loglevel 256 records connections, operations and results).

Client Side Configuration

Configure the client to allow LDAP users to log into the system. As on the server, point TLS_CACERT at the copied server certificate and require verification with demand: TLS_REQCERT allow would make the client accept any certificate, and TLS_CACERTDIR only works once the directory holds OpenSSL hash-named links (c_rehash), so naming the file directly is simpler.
[root@client ~]# yum install openldap-clients sssd -y
[root@client ~]# vim /etc/openldap/ldap.conf

# "ssl start_tls" is nss_ldap/pam_ldap syntax and is ignored by libldap
TLS_CACERT     /etc/openldap/cacerts/ldap1_pubkey.pem
TLS_REQCERT    demand
BASE    dc=example,dc=com
URI     ldaps://ldap1.example.com
#HOST    192.168.124.251


Copy the server's certificate to the client under /etc/openldap/cacerts (the file the TLS_CACERT line above points to)
[root@client ~]# scp ldap1.example.com:/etc/pki/tls/certs/ldap1_pubkey.pem /etc/openldap/cacerts/

Create a sssd.conf file at this location /etc/sssd/sssd.conf
[root@client ~]# vim /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
services = nss, pam
domains = default

[nss]
filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd

[pam]

[domain/default]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
# rfc2307: groups are posixGroup entries with memberUid, as created in dit.ldif
ldap_schema = rfc2307
ldap_search_base = dc=example,dc=com
ldap_uri = ldaps://ldap1.example.com/
ldap_chpass_uri = ldaps://ldap1.example.com/
# verify the server certificate against the copy placed in /etc/openldap/cacerts;
# "never" would accept any certificate, including an attacker's
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/openldap/cacerts/ldap1_pubkey.pem
# no krb5_* options: no provider here uses Kerberos
cache_credentials = True
entry_cache_timeout = 600
ldap_network_timeout = 3
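The client settings above decide whether TLS actually protects the bind: a client that does not verify the server certificate (ldap_tls_reqcert = never, or TLS_REQCERT allow in ldap.conf) will hand its password to anyone who answers on port 636, and a mistyped URI host such as ldaps://.ldap1.example.com/ breaks password changes silently. The following is an added example, not part of the original post, sssd or OpenLDAP; it is a small Python linter for those settings that runs offline over constructed copies of a client configuration in the shape of the sssd.conf above (a weak variant with ldap_tls_reqcert = never, a mistyped ldap_chpass_uri host and leftover krb5_* options, beside a hardened one) and of the ldap.conf fragment. Option names and default values are taken from sssd-ldap(5) and ldap.conf(5); the file contents are constructed for the example.

```python
"""Added example (not from the original post, sssd or OpenLDAP): a linter for
the TLS-related settings in sssd.conf and in OpenLDAP's ldap.conf, run offline
over constructed copies of the configuration shown above."""
import configparser
from urllib.parse import urlsplit

# ldap_tls_reqcert / TLS_REQCERT values that skip or weaken certificate checks
WEAK_REQCERT = {"never", "allow", "try"}


def _check_uri(section, option, uri, start_tls, findings):
    """Flag cleartext ldap:// without StartTLS and malformed host names."""
    parts = urlsplit(uri)
    host = parts.hostname or ""
    if parts.scheme == "ldap" and not start_tls:
        findings.append((section, option,
                         "ldap:// without StartTLS: binds and data travel in cleartext (%s)" % uri))
    elif parts.scheme not in ("ldap", "ldaps", "ldapi"):
        findings.append((section, option, "unknown URI scheme: %s" % uri))
    if parts.scheme != "ldapi" and (not host or host.startswith(".") or host.endswith(".")):
        findings.append((section, option, "malformed host in URI: %s" % uri))


def lint_sssd(text):
    """Return [(section, option, message)] for weak or broken LDAP settings in
    every [domain/...] section whose providers use ldap."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        d = cp[section]
        providers = {d.get(k, "") for k in ("id_provider", "auth_provider", "chpass_provider")}
        if "ldap" not in providers:
            continue
        reqcert = d.get("ldap_tls_reqcert", "hard").lower()  # sssd-ldap(5) default: hard
        if reqcert in WEAK_REQCERT:
            findings.append((section, "ldap_tls_reqcert",
                             "%s: server certificate not verified; an on-path attacker can "
                             "impersonate the server and collect bind passwords" % reqcert))
        start_tls = d.get("ldap_id_use_start_tls", "false").lower() == "true"
        for option in ("ldap_uri", "ldap_backup_uri", "ldap_chpass_uri"):
            for uri in d.get(option, "").split(","):
                if uri.strip():
                    _check_uri(section, option, uri.strip(), start_tls, findings)
        if "krb5" not in providers and any(k.startswith("krb5_") for k in d):
            findings.append((section, "krb5_*",
                             "krb5_* options set but no provider uses krb5; dead configuration"))
    return findings


def lint_ldap_conf(text):
    """Same idea for /etc/openldap/ldap.conf (ldap.conf(5) 'KEY value' lines)."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].upper()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "TLS_REQCERT" and value.lower() in WEAK_REQCERT:
            findings.append(("ldap.conf", key, "%s: certificate not verified" % value))
        elif key == "SSL":
            findings.append(("ldap.conf", key,
                             "not an ldap.conf(5) option (nss_ldap/pam_ldap syntax); libldap ignores it"))
    return findings


# Constructed copies of a client configuration (weak) and a hardened variant.
SSSD_WEAK = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = default

[domain/default]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldaps://ldap1.example.com/
ldap_chpass_uri = ldaps://.ldap1.example.com/
ldap_tls_reqcert = never
ldap_tls_cacertdir = /etc/openldap/cacerts
krb5_realm = EXAMPLE.COM
krb5_server = ldap1.example.com
"""

SSSD_HARDENED = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = default

[domain/default]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldaps://ldap1.example.com/
ldap_chpass_uri = ldaps://ldap1.example.com/
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/openldap/cacerts/ldap1_pubkey.pem
"""

LDAP_CONF_WEAK = "ssl start_tls\nTLS_REQCERT allow\nBASE dc=example,dc=com\nURI ldaps://ldap1.example.com\n"

if __name__ == "__main__":
    for finding in lint_sssd(SSSD_WEAK) + lint_ldap_conf(LDAP_CONF_WEAK):
        print("%s %s: %s" % finding)
```

Run it on a real host with lint_sssd(open("/etc/sssd/sssd.conf").read()). The cleartext check deliberately treats ldap_id_use_start_tls as the only thing that makes an ldap:// URI acceptable, because that is the option sssd uses; with an ldaps:// URI the option is irrelevant.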


Configure the system to use LDAP authentication. Either walk through authconfig-tui (select the LDAP options, then Next and OK; the tool starts sssd when it finishes):
[root@client ~]# authconfig-tui
Starting sssd:                                             [  OK  ]

or do the same non-interactively; this enables sssd for identity lookups and authentication, keeps local authorization, and creates home directories on first login:
[root@client ~]# authconfig --enablesssd --enablesssdauth --enablelocauthorize --enablemkhomedir --update

[root@client ~]# getent passwd student1
student1:*:15000:10000:Student1 User:/home/student1:/bin/bash
[root@client ~]# id student1
uid=15000(student1) gid=10000(ldapusers) groups=10000(ldapusers)


Now login to the system with any LDAP user
[root@client ~]# su - student1
Creating directory '/home/student1'.

[student1@client ~]$ pwd
/home/student1

Troubleshooting: 
In case you get the error below when starting slapd:
bdb_db_open: database "dc=example,dc=com": db_open(/var/lib/ldap/id2entry.bdb) failed: No such file or directory (2).

Then initialize the database files in /var/lib/ldap (this creates them from an empty LDIF):
[root@ldap1 ~]# echo "" | slapadd -f /etc/openldap/slapd.conf 
After this run the conversion again, and re-run the chown of /var/lib/ldap shown earlier, because slapadd as root leaves root-owned files that slapd cannot write:
[root@ldap1 ~]# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d