ldap with replication
8/2/2019 Ldap With Replication
OPEN LDAP CONFIGURATION
CONF FOR SERVER
LOGIN DETAILS FOR LDAP
masterserver: ragu2.google.com
client:ragu52.google.com
slave server :ragu1.google.com
LDAP passwd: google123
1) packages required:
1. openldap
2. openldap-clients
3. openldap-devel
4. nss_ldap
5. openldap-servers
===> overall: yum install openldap* -y
     and:    yum install nss_ldap* -y
& start the service using
# chkconfig --levels 235 ldap on
# service ldap start
2) creating a database directory:
# mkdir /var/lib/ldap/google.com
# chown ldap:ldap /var/lib/ldap/google.com
* the LDAP service by default stores the database in /var/lib/ldap
* we are creating our own dedicated directory, google.com, under it
* the /var/lib/ldap directory must be owned by the ldap user
* the ldap user is created by default while installing the packages
3) creating the ldap passwd:
# slappasswd ----> will output the encrypted passwd
* Generating the LDAP root password, which has full access to create, delete and modify the ldap accounts
4) create an ldap user, e.g. raghu:
# useradd raghu
# passwd raghu
* Creating a normal user as the example account
5) Edit the slapd.conf file: vim /etc/openldap/slapd.conf
----> add the following info
database bdb
suffix "dc=google,dc=com"
rootdn "cn=root,dc=google,dc=com"
rootpw {SSHA}v4qLq/qy01w9my60LLX9BvfNUrRhOjQZ [enc pswd from slappasswd]
directory /var/lib/ldap/google.com
* This is the configuration file of LDAP; add the above information
where DC = domain component & CN = common name
# service ldap restart
6) Creating an ldap database:
* need to migrate the system's authentication files to the LDAP database
* download the migration tool ---> (optional) by default it is installed along with the ldap packages, so we can continue with the 7th step
# wget http://www.padl.com/download/MigrationTools.tgz
# tar -xvzf MigrationTools.tgz
# mkdir -p /usr/share/openldap/migration/
# cd MigrationTools*
# cp -rv * /usr/share/openldap/migration/
# cd
7) Edit (vi) /usr/share/openldap/migration/migrate_common.ph for password conversion
replace 'padl' ----> 'google'
* PADL.COM maintains the migration tools..... they have given the example configuration file to migrate... we need to edit it for our convenience
# sed -i 's/padl\.com/google.com/g' /usr/share/openldap/migration/migrate_common.ph
# sed -i 's/dc=padl/dc=google/g' /usr/share/openldap/migration/migrate_common.ph
8). Locating the DB_CONFIG.google starter file and copying it to your LDAP database directory /var/lib/ldap/google.com:
# updatedb ----> to bring the locate database up to date
# locate DB_CONFIG
# cp /usr/share/doc/openldap-servers-2.4.16/DB_CONFIG.google /var/lib/ldap/google.com/DB_CONFIG
* This DB_CONFIG file is the supporting (Berkeley DB tuning) file of the slapd database
9). Migrating the system's authentication files using migrate_all_offline.sh:
# /usr/share/openldap/migration/migrate_all_offline.sh
10).Ldap database directory should be owned by the ldap user
# chown -R ldap:ldap /var/lib/ldap/google.com
# service ldap start
# chkconfig ldap on
11).Migrating local users to LDAP
# grep raghu /etc/passwd > /etc/openldap/passwd.raghu
12). Converting the passwd file to an ldif (LDAP Data Interchange Format) file
# /usr/share/openldap/migration/migrate_passwd.pl /etc/openldap/passwd.raghu /etc/openldap/raghu.ldif
13). creating a domain ldif file (/etc/openldap/google.com.ldif)
# cat /etc/openldap/google.com.ldif
dn: dc=google,dc=com
dc: google
description: LDAP Admin
objectClass: dcObject
objectClass: organizationalUnit
ou: rootobject

dn: ou=People,dc=google,dc=com
ou: People
description: Users of google
objectClass: organizationalUnit
15). Importing all users into the LDAP
For domain:
# ldapadd -x -D "cn=root,dc=google,dc=com" -W -f /etc/openldap/google.com.ldif
for users:
# ldapadd -x -D "cn=root,dc=google,dc=com" -W -f /etc/openldap/raghu.ldif
(bind as the rootdn configured in slapd.conf, cn=root here)
& finally....
# service ldap restart
16). Testing the LDAP Server:
# ldapsearch -x -b 'dc=google,dc=com' '(objectclass=*)'
* To check the entries that we have added
-------------------------------------------------------------
LDAP CLIENT CONFIGURATION
-------------------------------------------------------------
1) packages required:
1) openldap
2) openldap-clients
3) openldap-devel
4) nss_ldap
2) configuration file
/etc/openldap/ldap.conf
HOST 192.168.1.100 -----> the LDAP server ip address should be placed there
BASE dc=google,dc=com
* Edit these two lines in that file
3) authconfig-tui
[*] Use Shadow Passwords
[*] Use MD5 Passwords
[*] Use LDAP
[ ] Use TLS
Server: <ldap server ip>
Base DN: dc=google,dc=com
* This adds the above information to the /etc/nsswitch.conf file, which sets the order (priority) in which user account information is looked up
* now the client is ready; it should fetch the user information from the server. For that we want to create a home directory for the ragu user which we have created in the server
# grep ragu /etc/passwd ----> check whether the user exists in the client or not
it should not be there; if it is, check with a new user
# mkdir /home/ragu
# chmod 700 /home/ragu/
# cp /etc/skel/.* /home/ragu/
# chown -R ragu:ragu /home/ragu
* there should not be any error in this.... it should fetch the user information from the server; otherwise you should check it by starting the services and repeating the import procedure...
# service ldap start
4) Configuring encrypted LDAP communication between server and client
using SSL and TLS (Secure Sockets Layer & Transport Layer Security)
* Both the LDAP server and client need to be configured with a shared copy of a CA certificate beforehand.
1. When the TLS LDAP connection is made, the client and server negotiate their SSL encryption scheme.
2. The LDAP server then sends its public encryption key and its server certificate.
3. The LDAP client inspects the server certificate to make sure that it hasn't expired and takes note of the name and key ID of the CA server that issued it. It then checks this CA information against all the CA certificates in its database to determine whether the server certificate should be trusted.
4. If everything is valid, the LDAP client then creates a random "premaster" secret encryption key that it encrypts with the LDAP server's public key. It then sends the encrypted key to the LDAP server.
5. When public keys are created, a special "private" key is also simultaneously created. Anything encrypted with the public key can only be decrypted with the private key and vice versa. The server then uses its private key to extract the premaster key.
6. The client and server then use the premaster key to generate a master secret that will be the same for both, but will never be transmitted so that a third party cannot intercept it.
7. The master secret key is then used to create session keys that will be used to encrypt all future communication between client and server for the duration of the TLS session.
Configuring the TLS server (ldap server)
make sure both server and client have each other's host name in the /etc/hosts file
generating a certificate with a validity of 10 years
# cd /etc/openldap/cacerts/
# openssl req -newkey rsa:1024 -x509 -nodes -out server.pem -keyout server.pem -days 3650
* in the cacerts directory the server.pem file will be created (it holds both the private key and the certificate)
# grep -A 100 CERTIFICATE server.pem > client.pem
* client.pem holds the certificate part, which is all the client needs to trust the server
# edit the /etc/openldap/slapd.conf
TLSCipherSuite HIGH:MEDIUM:+SSLv2:+SSLv3:RSA
TLSCACertificateFile /etc/openldap/cacerts/server.pem
TLSCertificateFile /etc/openldap/cacerts/server.pem
TLSCertificateKeyFile /etc/openldap/cacerts/server.pem
TLSVerifyClient allow
* insert these lines to listen for the client's certificate verification
* copy the client.pem to the ldap client, to the same location (cacerts)
# chown ldap:ldap /etc/openldap/cacerts/*
# service ldap restart
# netstat -a | grep ldap ----> check with this command
tls client configuration
# authconfig-tui
Authentication Configuration:
User Information: [*] Use LDAP
Authentication: [*] Use MD5 Passwords, [*] Use Shadow Passwords, [*] Use LDAP Authentication
(Cache Information, Hesiod, NIS, Kerberos, Winbind, SMB Authentication, Winbind Authentication and "Local authorization is sufficient" are left unchecked) ----> Next
LDAP Settings:
[*] Use TLS
Server: ragu2.google.com
Base DN: dc=google,dc=com
----> Ok
/etc/ldap.conf & /etc/openldap/ldap.conf
you can see the same info that you gave in the tui tool
/etc/ldap.conf
# File: /etc/ldap.conf
uri ldaps://<ldap server ip>/
# ssl start_tls ----> disable this line by preceding it with #; only TLS over ldaps is needed
tls_cacertdir /etc/openldap/cacerts
* add these lines
/etc/openldap/ldap.conf
URI ldaps://<ldap server ip>/
BASE dc=google,dc=com
TLS_CACERTDIR /etc/openldap/cacerts
* it should contain these lines
# ldapsearch -x ----> check the same entries here
# openssl s_client -connect bigboy:636 -showcerts ----> to see the certificate (use the ldap server's host name)
Common LDAP Administrative Tasks (server side)
/usr/local/bin/modifyldapuser ---> script for the modifyldapuser command
#!/bin/bash
# export the local passwd entry of the user given as $1 (exact user name match)
grep "^$1:" /etc/passwd > /tmp/modifyldapuser.tmp
# convert it to LDIF with the PADL migration tool
/usr/share/openldap/migration/migrate_passwd.pl \
/tmp/modifyldapuser.tmp /tmp/modifyldapuser.ldif.tmp
# rewrite the padl.com defaults to our domain
sed -e 's/padl.com/google.com/g' \
-e 's/dc=padl/dc=google/g' /tmp/modifyldapuser.ldif.tmp > /tmp/modifyldapuser.ldif
# push the changed entry to the directory as the root DN (asks for the LDAP passwd)
ldapmodify -x -D "cn=root,dc=google,dc=com" -W -f \
/tmp/modifyldapuser.ldif
rm -f /tmp/modifyldapuser.*
* so if we change any user's passwd and want to update it in ldap,
we can use this modifyldapuser command
ex:
# passwd ragu
# modifyldapuser ragu
/usr/local/bin/addldapuser ---> to add an ldap user easily: addldapuser
#!/bin/bash
# export the local passwd entry of the user given as $1 (exact user name match)
grep "^$1:" /etc/passwd > /tmp/changeldappasswd.tmp
# convert it to LDIF with the PADL migration tool
/usr/share/openldap/migration/migrate_passwd.pl \
/tmp/changeldappasswd.tmp /tmp/changeldappasswd.ldif.tmp
# rewrite the padl.com defaults to our domain
sed -e 's/padl.com/google.com/g' \
-e 's/dc=padl/dc=google/g' /tmp/changeldappasswd.ldif.tmp > /tmp/changeldappasswd.ldif
# add the new entry to the directory as the root DN (asks for the LDAP passwd)
ldapadd -x -D "cn=root,dc=google,dc=com" -W -f \
/tmp/changeldappasswd.ldif
rm -f /tmp/changeldappasswd.*
ex:
# useradd test1
# passwd test1
# addldapuser test1
* it will ask for the LDAP passwd, then the user will be added to the database
/usr/local/bin/deleteldapuser -----> script for the delete command deleteldapuser
#!/bin/bash
# delete the user's entry from ou=People as the root DN (asks for the LDAP passwd)
ldapdelete -x -W -D "cn=root,dc=google,dc=com" \
"uid=$1,ou=People,dc=google,dc=com"
ex:
# deleteldapuser test1
* give the LDAP passwd and it will be deleted
# ldapsearch -x -b 'dc=google,dc=com' '(objectclass=*)'
execute this command and check whether the test1 user is in the list or not
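The three wrapper scripts above look the account up with grep $1 /etc/passwd, which is an unquoted substring match: "ragu" also matches "ragu2" and "ragu52", so the wrong passwd line can be exported, modified, or turned into the DN that deleteldapuser removes. The helpers below are an added example, not part of these notes: they validate the user name before it reaches a shell command or a DN, and match the first passwd field exactly. PASSWD_FILE is an assumption added so the functions can be exercised against a constructed passwd file instead of the real /etc/passwd; the sample lines in the usage note are constructed as well.

```shell
# Added example (not from the original notes): safer user lookup for the
# addldapuser / modifyldapuser / deleteldapuser wrappers.
# PASSWD_FILE is an assumption; it defaults to /etc/passwd but can point at a
# constructed file for testing.
PASSWD_FILE="${PASSWD_FILE:-/etc/passwd}"

# Accept only a conservative user name: lowercase letters, digits, '_', '.'
# and '-' (no leading '-'), at most 32 characters. This rejects shell
# metacharacters and DN-breaking characters (',', '=', spaces, quotes)
# before they are interpolated into grep, sed or "uid=$1,ou=People,...".
valid_username() {
    case "$1" in
        ''|-*|*[!a-z0-9_.-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# Print exactly the passwd line whose first field equals the name (or nothing).
# Exit 2 on an invalid name so a caller cannot fall through to the wrong user.
passwd_entry() {
    valid_username "$1" || { echo "invalid user name: '$1'" >&2; return 2; }
    awk -F: -v u="$1" '$1 == u' "$PASSWD_FILE"
}

# Build the DN the deleteldapuser wrapper would remove, but only for a name
# that passes validation and exists locally; otherwise print nothing, exit 1.
user_dn() {
    [ -n "$(passwd_entry "$1")" ] || return 1
    printf 'uid=%s,ou=People,dc=google,dc=com\n' "$1"
}
```

To use it in the wrappers, replace grep $1 /etc/passwd > /tmp/... with passwd_entry "$1" > /tmp/... and have deleteldapuser pass the output of user_dn "$1" to ldapdelete, exiting if it is empty. With a constructed file containing ragu, ragu2 and ragu52, passwd_entry ragu returns the single ragu line, while the original grep returns all three. The fixed /tmp/*.tmp names in the wrappers are also worth replacing with mktemp so two admins (or a local user pre-creating the file) cannot collide.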
---------------------------------
LDAP SLAVE REPLICATION
1. install the necessary packages
# yum install openldap*
# yum install nss_ldap*
[while doing this replication stop the ldap service in both the machines]
2. copy the DATABASE of the master to the slave
[master]# scp -r /var/lib/ldap/google.com root@slave:/var/lib/ldap
[slave]# chown -R ldap:ldap /var/lib/ldap/google.com
3. add the database using the slapcat command also
[master]# slapcat -l master.ldif ----> the master.ldif file will be created; just copy that to the slave using scp
[slave]
Edit (vi) /usr/share/openldap/migration/migrate_common.ph for password conversion
replace 'padl' ----> 'google'
* PADL.COM maintains the migration tools..... they have given the example configuration file to migrate... we need to edit it for our convenience
# sed -i 's/padl\.com/google.com/g' /usr/share/openldap/migration/migrate_common.ph
# sed -i 's/dc=padl/dc=google/g' /usr/share/openldap/migration/migrate_common.ph
# /usr/share/openldap/migration/migrate_all_offline.sh
# /usr/sbin/slapadd -v -d3 -l master.ldif
* now the databases in both the servers will be the same
*** add the content of the master's slapd.conf to the slave's slapd.conf ***
contents to be added for replication in both the servers
(this example uses dc=example,dc=com and cn=admin; substitute your own suffix, dc=google,dc=com here, and a real bind DN)
Master: slapd.conf
# slapd master
# global section
...
# database section
database bdb
...
# allows read access from the consumer
# may need merging with other ACLs
access to *
    by dn.base="cn=admin,ou=people,dc=example,dc=com" read
    by * break
# NOTE: the provider configuration contains no reference to any consumers
# define the provider to use the syncprov overlay
# (last directives in the database section)
overlay syncprov
# allows the contextCSN to be saved to the database every 100 updates or ten minutes
syncprov-checkpoint 100 10

Slave: slapd.conf
# global section
...
# database section
database bdb
...
# provider is ldap://master-ldap.example.com:389, sync interval
# every 1 hour, whole DIT (searchbase), all user attributes synchronized
# simple security with cleartext password
# NOTE: comments inside the syncrepl directive are rejected by OpenLDAP
# and are included only to carry further explanation. They MUST NOT
# appear in an operational file
syncrepl rid=000
  provider=ldap://master-ldap.example.com
  type=refreshOnly
  # re-connect/re-sync every hour
  interval=00:1:00:00
  retry="5 5 300 +"
  searchbase="dc=example,dc=com"
  # both user (*) and operational (+) attributes required
  attrs="*,+"
  bindmethod=simple
  binddn="cn=admin,ou=people,dc=example,dc=com"
  # Warning: password sent in clear - insecure
  credentials=dirtysecret
* now restart both the servers; you can see the replication in the slave
* mention the slave ip address in authconfig-tui of the client
* now stop the ldap service in the master and try to log in as the ldap user from master or slave to the client
* because of replication you will be able to log in even though the master fails
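Two of the settings this page configures are ones a reviewer would flag: the TLSCipherSuite line in the TLS server step (HIGH:MEDIUM:+SSLv2:+SSLv3:RSA re-enables SSLv2 and SSLv3), and the syncrepl consumer above, which does a simple bind over plain ldap:// and so really does send the replication password in clear, as the comment in the config warns. The script below is an added example, not part of these notes: a small audit that reads a slapd.conf, reports those two weaknesses, and points out that credentials= makes the file itself hold a password. Both configuration samples it writes are constructed; the "weak" one reproduces the notes' own lines, the hardened one uses the standard slapd.conf directives TLSProtocolMin and the syncrepl options starttls=critical, tls_reqcert=demand and tls_cacert (reusing the server.pem the notes distribute as the CA file). Nothing here touches a real slapd.conf; it only works on the temp files it creates.

```shell
# Added example, not part of the original notes: audit a slapd.conf for the
# weak TLS cipher suite and the cleartext syncrepl bind configured above.
# Prints one finding per line; exit status 1 if any WEAK finding, 0 if clean.
audit_slapd_conf() {
    awk '
        /^[[:space:]]*#/ { next }                       # skip comment lines
        tolower($1) == "tlsciphersuite" && /SSLv[23]/ {
            print "WEAK: TLSCipherSuite re-enables SSLv2/SSLv3: " $0; weak++ }
        tolower($1) == "syncrepl" { insync = 1 }        # consumer stanza starts
        insync && /provider=ldap:\/\// { plain = 1 }     # plain ldap://, not ldaps://
        insync && /starttls=critical/  { tls = 1 }       # upgraded to TLS before bind
        insync && /bindmethod=simple/  { simple = 1 }    # password-based bind
        insync && /credentials=/ {
            print "INFO: replication password stored in " FILENAME ", keep it mode 0600 owned by ldap" }
        END {
            if (simple && plain && !tls) {
                print "WEAK: syncrepl simple bind over plain ldap:// without starttls=critical"
                weak++
            }
            exit (weak > 0 ? 1 : 0)
        }' "$1"
}

# The notes' own settings (constructed sample), written to the file named in $1.
write_weak_conf() {
    cat > "$1" <<'EOF'
TLSCipherSuite HIGH:MEDIUM:+SSLv2:+SSLv3:RSA
TLSCertificateFile /etc/openldap/cacerts/server.pem
TLSCertificateKeyFile /etc/openldap/cacerts/server.pem
database bdb
suffix "dc=google,dc=com"
syncrepl rid=000
  provider=ldap://master-ldap.example.com
  type=refreshOnly
  searchbase="dc=example,dc=com"
  bindmethod=simple
  binddn="cn=admin,ou=people,dc=example,dc=com"
  # Warning: password sent in clear - insecure
  credentials=dirtysecret
EOF
}

# Hardened counterpart (constructed sample): no SSLv2/SSLv3, TLS 1.2 minimum,
# and the consumer upgrades to TLS before binding and verifies the provider's
# certificate against the CA file the notes distribute as server.pem.
write_hardened_conf() {
    cat > "$1" <<'EOF'
TLSCipherSuite HIGH:!aNULL:!MD5
TLSProtocolMin 3.3
TLSCertificateFile /etc/openldap/cacerts/server.pem
TLSCertificateKeyFile /etc/openldap/cacerts/server.pem
database bdb
suffix "dc=google,dc=com"
syncrepl rid=000
  provider=ldap://master-ldap.example.com
  starttls=critical
  tls_reqcert=demand
  tls_cacert=/etc/openldap/cacerts/server.pem
  type=refreshOnly
  searchbase="dc=example,dc=com"
  bindmethod=simple
  binddn="cn=admin,ou=people,dc=example,dc=com"
  credentials=dirtysecret
EOF
}

# Stand-alone run: audit both samples and show the difference.
main() {
    w=$(mktemp); h=$(mktemp)
    write_weak_conf "$w"; write_hardened_conf "$h"
    echo "== notes' configuration =="; audit_slapd_conf "$w" || true
    echo "== hardened configuration =="; audit_slapd_conf "$h" && echo "clean"
    rm -f "$w" "$h"
}
main
```

Against the notes' configuration the audit prints two WEAK lines (cipher suite and syncrepl) plus the INFO line and exits 1; against the hardened sample it prints only the INFO line and exits 0, because starttls=critical makes slapd refuse to bind unless the TLS upgrade succeeds. Run it as audit_slapd_conf /etc/openldap/slapd.conf on a real server; the exit status makes it usable from a cron or deployment check.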
***************************END****************************
LOGIN DETAILS FOR LDAP
server: ragu2.google.com
LDAP passwd: google123