For next week's RHCE exam there are several questions on the LDAP service. The exam center provides a ready-made LDAP server, but practising at home is painful, so I wrestled with LDAP for a few days and completed the exercise by following the configuration method and ideas of the center's instructor together with documents found online.
I have summarized it here as a document; use it as a reference if you are interested. If anything is missing, please reply and point it out.
Lab environment:
Red Hat 6.3
LDAP server: 172.24.30.20
LDAP client: 172.24.30.25
Preparations:
Stop iptables and disable SELinux before configuring, to avoid errors during configuration. This is a lab shortcut; on a real server keep both enabled and open only the LDAP port (389, or 636 for LDAPS) and the NFS ports instead.
# service iptables stop
# setenforce 0
# vi /etc/sysconfig/selinux
---------------
SELINUX=disabled
---------------
1. LDAP server configuration:
Install the LDAP packages (from the local yum repository on the installation disc):
# yum install openldap-* -y
It prompts to install the following four packages:
openldap-devel-2.4.23-26.el6.x86_64
openldap-clients-2.4.23-26.el6.x86_64
openldap-2.4.23-26.el6.x86_64
openldap-servers-2.4.23-26.el6.x86_64
Copy the LDAP configuration file into the LDAP directory (Red Hat 6.3):
# cd /etc/openldap/
# cp /usr/share/openldap-servers/slapd.conf.obsolete slapd.conf
On Red Hat 6.0 or 6.1 the configuration file is kept as a backup in the same directory:
# cd /etc/openldap/
# cp slapd.conf.bak slapd.conf
Create the LDAP administrator password:
# slappasswd
The password I entered here is redhat. After it is entered, a hashed string is returned; copy it to the clipboard for the next step.
{SSHA}pfAJm+JJa4ec2y8GjTc8uMEJpoR5YKLy
Edit the configuration file:
# vi /etc/openldap/slapd.conf
Find line 115, which by default reads:
Change it to:
The highlighted part is the generated (hashed) password.
The access permissions in the last few lines of the configuration file must also be changed accordingly:
Original content:
Changed to:
Save and exit.
Copy the DB_CONFIG file into the database directory:
# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
Delete everything under /etc/openldap/slapd.d (the default dynamic configuration); otherwise ldapadd will report an error later:
# rm -rf /etc/openldap/slapd.d/*
Start the slapd service and set it to start at boot:
# service slapd restart
# chkconfig slapd on
Give the ldap user ownership of the configuration and database directories:
# chown -R ldap:ldap /var/lib/ldap
# chown -R ldap:ldap /etc/openldap/
Test the configuration file and generate the slapd.d configuration tree from it:
# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
If "config file testing succeeded" is returned, the configuration is valid.
Give ldap ownership of the generated configuration and restart slapd:
# chown -R ldap:ldap /etc/openldap/slapd.d
# service slapd restart
Create an account that will be used to test logging in from the client:
# useradd ldapuser1
# passwd ldapuser1
So far this user exists only on the local system (in /etc/passwd and /etc/shadow) and not in the LDAP database, so it has to be imported into LDAP. LDAP, however, only accepts files in LDIF format (text files with the .ldif suffix), so /etc/passwd and /etc/shadow cannot be used directly; the migrationtools package is needed to convert these two files into a form LDAP understands.
Install and configure migrationtools:
# yum install migrationtools -y
Go to the migrationtools directory:
# cd /usr/share/migrationtools/
First edit migrate_common.ph:
# vi migrate_common.ph
Find the following lines (around line 70):
and change them to:
The following Perl scripts convert the local account files (/etc/passwd, with the password hashes taken from /etc/shadow, and /etc/group) into LDIF that LDAP can read and save the results under /tmp/. Note that passwd.ldif contains those password hashes, so remove it from /tmp once the import is done.
# ./migrate_base.pl > /tmp/base.ldif
# ./migrate_passwd.pl /etc/passwd > /tmp/passwd.ldif
# ./migrate_group.pl /etc/group > /tmp/group.ldif
Next, import these three files into LDAP so that the database contains the users we want:
# ldapadd -x -D "cn=admin,dc=example,dc=com" -W -f /tmp/base.ldif
# ldapadd -x -D "cn=admin,dc=example,dc=com" -W -f /tmp/passwd.ldif
# ldapadd -x -D "cn=admin,dc=example,dc=com" -W -f /tmp/group.ldif
If no error is reported, the LDAP server configuration is complete.
Restart slapd to finish the configuration:
# service slapd restart
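migrate_passwd.pl converts every line of /etc/passwd, root and the system accounts included, and copies the /etc/shadow hashes into userPassword, so it is worth filtering /tmp/passwd.ldif before handing it to ldapadd. The Python below is an added example, not part of the original post or of migrationtools; it runs on a constructed sample LDIF and keeps only entries under dc=example,dc=com that have a regular uid and a hashed password (the function and constant names are chosen here).

```python
import re

BASE_DN = "dc=example,dc=com"   # base DN used in the ldapadd commands above
MIN_UID = 500                   # first regular-user uid on RHEL 6 (ldapuser1 got uid 500)

# Constructed sample in the shape migrate_passwd.pl emits; not real output from the lab server.
SAMPLE_LDIF = """\
dn: uid=root,ou=People,dc=example,dc=com
uid: root
userPassword: {crypt}$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH
uidNumber: 0
gidNumber: 0
homeDirectory: /root

dn: uid=ldapuser1,ou=People,dc=example,dc=com
uid: ldapuser1
userPassword: {crypt}$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH2
uidNumber: 500
gidNumber: 500
homeDirectory: /home/ldapuser1
"""

def parse_entry(block):
    """One LDIF entry -> {attr: [values]}; folded lines (leading space) are joined first."""
    attrs = {}
    for line in block.replace("\n ", "").splitlines():
        attr, _, value = line.partition(":")
        attrs.setdefault(attr.strip(), []).append(value.strip())
    return attrs

def filter_ldif(text, base_dn=BASE_DN, min_uid=MIN_UID):
    """Return (ldif_to_import, {dn: reason}); drops out-of-base, system, locked and cleartext entries."""
    kept, rejected = [], {}
    for block in re.split(r"\n\s*\n", text.strip()):
        a = parse_entry(block)
        dn = a.get("dn", ["?"])[0]
        uid = int(a.get("uidNumber", ["-1"])[0])
        pw = a.get("userPassword", [""])[0]
        if not dn.lower().endswith(base_dn.lower()):
            rejected[dn] = "outside base DN"
        elif uid < min_uid:
            rejected[dn] = "system account (uid %d)" % uid
        elif pw in ("", "{crypt}!!", "{crypt}*"):
            rejected[dn] = "locked or empty password"
        elif not pw.startswith("{"):
            rejected[dn] = "cleartext userPassword"
        else:
            kept.append(block)
    return "\n\n".join(kept) + "\n", rejected
```

On the server, pass the contents of /tmp/passwd.ldif to filter_ldif, write the returned text to a new file and give that file to ldapadd -f instead; the rejected dictionary lists what was left out and why.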
Now install NFS and share ldapuser1's home directory over NFS.
It is installed by default on Red Hat.
# yum install nfs* -y
Configure the NFS share (for anything beyond a lab, replace * with the client address 172.24.30.25 and leave out no_root_squash unless it is really needed):
# vi /etc/exports
--------------
/home/ldapuser1 *(rw,no_root_squash)
--------------
Restart the NFS services:
# service rpcbind restart
# service nfs restart
2. LDAP client configuration
Open a terminal in the client's graphical session.
Run system-config-authentication and fill it in according to the configuration shown:
After the configuration is finished, save and exit; the sssd service is restarted automatically.
Configure autofs so that ldapuser1 can use the local /home/ldapuser1 directory, which is mounted from the LDAP server at 172.24.30.20:/home/ldapuser1.
# vi /etc/auto.master
Add a line:
--------------
/home /etc/auto.misc
--------------
# vi /etc/auto.misc
Add a line:
--------------
* -fstype=nfs 172.24.30.20:/home/&
--------------
Reload the autofs service:
# service autofs reload
Log in as ldapuser1:
If the system does not return an error saying the ldapuser1 directory cannot be found, the LDAP client is configured successfully.
Note: if you still cannot log in, enter setup and configure LDAP login there.
# id ldapuser1
uid=500(ldapuser1) gid=500(ldapuser1) groups=500(ldapuser1)
# su - ldapuser1
# pwd
/home/ldapuser1
Success!
Note: the LDAP service requires the server and client clocks to be roughly in sync; otherwise an error may be reported when logging in as ldapuser1. NTP setup is omitted here; you can set the time on the two machines manually so that they match.