ldap with replication

Upload: shrini-vasan

Post on 06-Apr-2018

  • 8/2/2019 Ldap With Replication

    OPEN LDAP CONFIGURATION

    CONF FOR SERVER / LOGIN DETAILS FOR LDAP

    master server: ragu2.google.com
    client:        ragu52.google.com
    slave server:  ragu1.google.com
    LDAP passwd:   google123

    1) packages required:

    1. openldap
    2. openldap-clients
    3. openldap-devel        ===> overall: yum install openldap* -y
    4. nss_ldap              ===> yum install nss_ldap* -y
    5. openldap-servers*

    & start the service using

    # chkconfig --levels 235 ldap on
    # service ldap start

    2) creating a database directory:

    # mkdir /var/lib/ldap/google.com
    # chown ldap:ldap /var/lib/ldap/google.com

    * the LDAP service stores its database under /var/lib/ldap by default
    * we are creating our own dedicated directory, /var/lib/ldap/google.com, for the dc=google,dc=com database
    * /var/lib/ldap and the database directory under it must be owned by the ldap user, otherwise slapd cannot open the database
    * the ldap user is created automatically when the packages are installed

    3) creating the LDAP root password:

    # slappasswd ----> prompts for a password and prints its {SSHA} hash; this hash (not the cleartext) goes into rootpw in slapd.conf

    * this generates the LDAP root (rootdn) password, which has full access to create, delete and modify the LDAP entries

    4) create a ldap user: ex- raghu:

    # useradd raghu
    # passwd raghu

    * creating a normal local user as the example account that will be migrated into LDAP

    5) Edit the slapd.conf file: vim /etc/openldap/slapd.conf

    ----> add the following info

    database    bdb
    suffix      "dc=google,dc=com"
    rootdn      "cn=root,dc=google,dc=com"
    rootpw      {SSHA}v4qLq/qy01w9my60LLX9BvfNUrRhOjQZ     [the hashed passwd printed by slappasswd]
    directory   /var/lib/ldap/google.com

    * This is the configuration file of LDAP; add the above information,
      where DC = domain component and CN = common name.
    * rootdn is cn=root here, so every ldapadd / ldapmodify / ldapdelete below must bind (-D) as exactly "cn=root,dc=google,dc=com"; binding as the cn=Manager DN that other tutorials use fails with "Invalid credentials".

    # service ldap restart

    6) Creating a ldap database:

    * we need to migrate the system's authentication files (passwd, group, shadow ...) into the LDAP database
    * download the migration tools ---> (optional) they are installed by default with the ldap packages (under /usr/share/openldap/migration), so we can continue with the 7th step

    # wget http://www.padl.com/download/MigrationTools.tgz

    # tar -xvzf MigrationTools.tgz

    # mkdir -p /usr/share/openldap/migration/

    # cd MigrationTools*

    # cp -rv * /usr/share/openldap/migration/

    # cd

    7) Edit /usr/share/openldap/migration/migrate_common.ph (vi) for the password conversion

    replace 'padl' ----> 'google'

    * PADL.COM maintains the migration tools; they ship an example configuration for their own padl.com domain, which we need to edit for our domain. The two settings that change are $DEFAULT_MAIL_DOMAIN ("padl.com") and $DEFAULT_BASE ("dc=padl,dc=com").

    # sed -i 's/padl.com/google.com/g' /usr/share/openldap/migration/migrate_common.ph
    # sed -i 's/dc=padl/dc=google/g' /usr/share/openldap/migration/migrate_common.ph

    (the %s/padl.com/google.com/g form is a vi substitute command, typed inside vi, not an argument to sed)

    8) Locating the DB_CONFIG starter file and copying it into your LDAP database directory /var/lib/ldap/google.com (the stock openldap-servers package names this file DB_CONFIG.example; the page's copy is called DB_CONFIG.google):

    # updatedb ----> refresh the locate database so the newly installed files are found


    # locate DB_CONFIG

    # cp /usr/share/doc/openldap-servers-2.4.16/DB_CONFIG.google \
         /var/lib/ldap/google.com/DB_CONFIG

    * this DB_CONFIG file is a supporting file of the slapd configuration: it holds the Berkeley DB tuning (cache size, log settings) for the bdb backend

    9) Migrating the system's authentication files using migrate_all_offline.sh:

    # /usr/share/openldap/migration/migrate_all_offline.sh

    10).Ldap database directory should be owned by the ldap user

    # chown -R ldap:ldap /var/lib/ldap/google.com

    # service ldap start

    # chkconfig ldap on

    11) Migrating local users to LDAP

    # grep '^raghu:' /etc/passwd > /etc/openldap/passwd.raghu

    (anchor the pattern: a bare "grep raghu" would also pick up raghu2 or any user whose gecos mentions raghu)

    12) Converting the passwd file to an ldif (LDAP Data Interchange Format) file

    # /usr/share/openldap/migration/migrate_passwd.pl /etc/openldap/passwd.raghu /etc/openldap/raghu.ldif

    (run as root so migrate_passwd.pl can read the password hash from /etc/shadow; the ldif then contains "userPassword: {crypt}<hash>", so protect the file)

    13) creating a domain ldif file (/etc/openldap/google.com.ldif)

    # cat /etc/openldap/google.com.ldif

    dn: dc=google,dc=com
    dc: google
    description: LDAP Admin
    objectClass: dcObject
    objectClass: organizationalUnit
    ou: rootobject

    dn: ou=People,dc=google,dc=com
    ou: People
    description: Users of google
    objectClass: organizationalUnit

    15) Importing all users into LDAP

    For the domain:
    # ldapadd -x -D "cn=root,dc=google,dc=com" -W -f /etc/openldap/google.com.ldif

    for the users:
    # ldapadd -x -D "cn=root,dc=google,dc=com" -W -f /etc/openldap/raghu.ldif

    (both binds use the rootdn configured in slapd.conf, cn=root; the domain ldif must be added first because uid=raghu,ou=People,dc=google,dc=com needs its parent ou=People to exist)

    & finally....

    # service ldap restart

    16) Testing the LDAP Server:

    # ldapsearch -x -b 'dc=google,dc=com' '(objectclass=*)'

    * to check the entries we have added: the output should list dc=google,dc=com, ou=People,dc=google,dc=com and uid=raghu,ou=People,dc=google,dc=com
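As an added example (not code from the original page, and not the migration tools themselves), here is the LDIF that steps 11 to 13 build, generated by a plain shell script so the shape of the entries is visible without running migrate_passwd.pl. The function names and the sample passwd/shadow lines are constructed for this example and do not appear on the page; the script runs against any domain, not only google.com.

```shell
#!/bin/sh
# Added example (not code from the original page): the LDIF that steps 11 to 13
# build, generated by plain shell instead of migrate_passwd.pl. Assumed (not from
# the page): the function names and the sample passwd/shadow lines below.

# base_dn_from_domain google.com  ->  dc=google,dc=com
base_dn_from_domain() {
    printf '%s\n' "$1" |
        awk -F. '{ for (i = 1; i <= NF; i++) printf "%sdc=%s", (i > 1 ? "," : ""), $i; print "" }'
}

# domain_ldif <domain>: the two entries of google.com.ldif (step 13), for any domain
domain_ldif() {
    dl_base=$(base_dn_from_domain "$1")
    dl_dc=${1%%.*}
    cat <<EOF
dn: $dl_base
dc: $dl_dc
description: LDAP Admin
objectClass: dcObject
objectClass: organizationalUnit
ou: rootobject

dn: ou=People,$dl_base
ou: People
description: Users of $dl_dc
objectClass: organizationalUnit
EOF
}

# passwd_line_to_ldif <passwd line> <shadow line> <base dn>
# One /etc/passwd line plus its /etc/shadow line -> the posixAccount entry that
# migrate_passwd.pl emits (step 12). The hash is stored as {crypt}<hash>, which
# slapd verifies with crypt(3), so the cleartext password is never needed.
passwd_line_to_ldif() {
    pl_passwd=$1 pl_shadow=$2 pl_base=$3
    pl_oldifs=$IFS
    set -f                      # no globbing while fields are split on ':'
    IFS=:
    set -- $pl_shadow           # name:hash:lastchg:min:max:warn:inactive:expire:
    pl_hash=$2
    set -- $pl_passwd           # name:x:uid:gid:gecos:home:shell
    pl_user=$1 pl_uid=$3 pl_gid=$4 pl_gecos=$5 pl_home=$6 pl_shell=$7
    IFS=$pl_oldifs
    set +f
    cat <<EOF
dn: uid=$pl_user,ou=People,$pl_base
uid: $pl_user
cn: ${pl_gecos:-$pl_user}
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$pl_hash
loginShell: $pl_shell
uidNumber: $pl_uid
gidNumber: $pl_gid
homeDirectory: $pl_home
EOF
}

# Constructed sample input (not a real account; the hash is a placeholder)
SAMPLE_PASSWD='raghu:x:501:501:Raghu Example:/home/raghu:/bin/bash'
SAMPLE_SHADOW='raghu:$6$saltsalt$hashhashhashhash:17500:0:99999:7:::'

domain_ldif google.com
echo
passwd_line_to_ldif "$SAMPLE_PASSWD" "$SAMPLE_SHADOW" "$(base_dn_from_domain google.com)"
```

The output is what ldapadd -x -D "cn=root,dc=google,dc=com" -W -f expects; the domain entries must be loaded before the user entry, since the user's dn hangs under ou=People.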

    ------------------------------------------------------------|

    LDAP CLIENT CONFIGURATION

    -------------------------------------------------------------

    packages required:
    1) openldap
    2) openldap-clients
    3) openldap-devel
    4) nss_ldap

    2) configuration file

    /etc/openldap/ldap.conf

    HOST 192.168.1.100 -----> replace with the LDAP server's ip address
    BASE dc=google,dc=com

    * edit these two lines in that file

    3) authconfig-tui

    [*] Use Shadow Passwords
    [*] Use MD5 Passwords
    [*] Use LDAP
    [ ] Use TLS

    Server:  <ldap server ip>
    Base DN: dc=google,dc=com

    * this adds the above information to /etc/nsswitch.conf, which sets the order in which user account information is looked up (local files first, then ldap)
    * with "Use TLS" unchecked the client talks to the server in clear, including password hashes; TLS is added in step 4 below
    * now the client is ready and should fetch user information from the server; to test it we create a home directory for the ragu user (the raghu account created on the server in step 4)

    # grep ragu /etc/passwd ----> check whether the user exists locally on the client

    it should not be there locally; if it is, test with a different new user

    # mkdir /home/ragu
    # chmod 700 /home/ragu/
    # cp /etc/skel/.* /home/ragu/
    # chown -R ragu:ragu /home/ragu

    * there should not be any error here: chown has to resolve the ragu user through LDAP (getent passwd ragu shows whether it can). If it reports an invalid user, the client is not fetching the information; re-check that the services are started and that the import steps on the server were done.

    # service ldap start

    4) Configuring encrypted LDAP communication between server and client
       using SSL and TLS (secure sockets layer & transport layer security)

    * Both the LDAP server and client need to be configured with a shared copy of a CA certificate beforehand.

    1. When the TLS LDAP connection is made, the client and server negotiate their cipher suite.
    2. The LDAP server then sends its server certificate, which carries its public key.
    3. The LDAP client inspects the server certificate to make sure that it hasn't expired and takes note of the name and key ID of the CA that issued it. It then checks this CA information against all the CA certificates in its database to determine whether the server certificate should be trusted.
    4. If everything is valid, the LDAP client creates a random "premaster" secret, encrypts it with the LDAP server's public key and sends it to the LDAP server.
    5. When a public key is created, a matching "private" key is created at the same time. Anything encrypted with the public key can only be decrypted with the private key, and vice versa. The server uses its private key to recover the premaster secret.
    6. The client and server then use the premaster secret to derive a master secret that is the same on both sides but is never transmitted, so a third party cannot intercept it.
    7. The master secret is then used to derive the session keys that encrypt all further communication between client and server for the duration of the TLS session.

    (this is the RSA key-exchange handshake used by SSLv3 and TLS 1.0 to 1.2, which matches the RSA-only TLSCipherSuite configured below; it gives no forward secrecy, so a server key compromised later decrypts recorded sessions)

    Configuring the tls server (ldap server)

    make sure both server and client have each other's host name in the /etc/hosts file

    generating a certificate with a validity of 10 years

    # cd /etc/openldap/cacerts/

    # openssl req -newkey rsa:1024 -x509 -nodes -out server.pem -keyout server.pem -days 3650

    * this creates server.pem in the cacerts directory; it holds both the private key and the self-signed certificate. Answer the Common Name prompt with the server name the clients will use (ragu2.google.com), otherwise the clients reject the certificate. 1024-bit RSA is what the page used; 2048 bits is the current minimum.

    # grep -A 100 CERTIFICATE server.pem > client.pem

    * client.pem is meant to contain the certificate part only. Check that it has no "PRIVATE KEY" block before copying it to clients (grep PRIVATE client.pem must print nothing): if openssl wrote the key after the certificate, the 100-line window also copies the private key. openssl x509 -in server.pem -out client.pem extracts exactly the certificate without depending on line counts.

    # edit the /etc/openldap/slapd.conf

    TLSCipherSuite HIGH:MEDIUM:+SSLv2:+SSLv3:RSA
    TLSCACertificateFile /etc/openldap/cacerts/server.pem
    TLSCertificateFile /etc/openldap/cacerts/server.pem
    TLSCertificateKeyFile /etc/openldap/cacerts/server.pem
    TLSVerifyClient allow

    * insert these lines to enable TLS and, with TLSVerifyClient allow, to accept (but not require) a client certificate
    * the +SSLv2:+SSLv3 part re-enables protocols that are broken; on any current OpenSSL drop it (HIGH:MEDIUM:RSA or just HIGH) so that only TLS is negotiated

    * copy client.pem to the ldap client, into the same location (cacerts)

    # chown ldap:ldap /etc/openldap/cacerts/*

    * restrict server.pem to mode 600 as well, since it holds the private key

    # service ldap restart

    # netstat -a | grep ldap ----> check with this command that slapd is listening on both ldap (389) and ldaps (636); on RHEL/CentOS 5 the ldaps listener is only started when SLAPD_LDAPS=yes is set in /etc/sysconfig/ldap
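As an added example (not part of the original page), the same certificate step done the way a practitioner would do it today: the private key in its own 0600 file, a 2048-bit key, a subjectAltName matching the server name, and client.pem produced by openssl instead of a grep line window, followed by the checks that the client copy contains no key and names the right host. The function names and the output-directory argument are assumptions (the page writes straight into /etc/openldap/cacerts); the code needs OpenSSL 1.1.1 or newer for -addext.

```shell
#!/bin/sh
# Added example (not from the original page): certificate generation for the TLS
# server section with the key kept separate from the certificate. Assumed: the
# function names and the output directory argument; OpenSSL >= 1.1.1 (-addext).

# make_ldap_cert <dir> <hostname> [days]
# writes <dir>/server.key (private key, 0600), <dir>/server.pem (certificate)
# and <dir>/client.pem (the certificate again, the copy that goes to clients)
make_ldap_cert() {
    mc_dir=$1 mc_host=$2 mc_days=${3:-3650}
    mkdir -p "$mc_dir" || return 1
    # subshell so the restrictive umask does not leak into the caller
    (
        umask 077
        openssl req -x509 -newkey rsa:2048 -nodes -days "$mc_days" \
            -subj "/CN=$mc_host" -addext "subjectAltName=DNS:$mc_host" \
            -keyout "$mc_dir/server.key" -out "$mc_dir/server.pem" 2>/dev/null
    ) || return 1
    chmod 600 "$mc_dir/server.key"
    chmod 644 "$mc_dir/server.pem"
    # certificate only: openssl x509 copies exactly the CERTIFICATE block
    openssl x509 -in "$mc_dir/server.pem" -out "$mc_dir/client.pem" || return 1
    chmod 644 "$mc_dir/client.pem"
}

# check_client_pem <file> <hostname>
# returns 0 only if <file> holds no private key, parses as an unexpired
# certificate, and names <hostname> in its subjectAltName
check_client_pem() {
    grep -q 'PRIVATE KEY' "$1" && return 1
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1 || return 1
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q "DNS:$2" || return 1
    return 0
}

# usage when run directly: writes into a temporary directory, not /etc/openldap
demo_dir=$(mktemp -d) && make_ldap_cert "$demo_dir" ragu2.google.com &&
    check_client_pem "$demo_dir/client.pem" ragu2.google.com &&
    echo "client.pem ok in $demo_dir"
```

With the key in server.key, slapd.conf points TLSCertificateFile and TLSCACertificateFile at server.pem and TLSCertificateKeyFile at server.key; only client.pem leaves the server.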

    tls client configuration

    # authconfig-tui

    ------------------- Authentication Configuration -------------------
    |                                                                  |
    |  User Information          Authentication                        |
    |  [ ] Cache Information     [*] Use MD5 Passwords                 |
    |  [ ] Use Hesiod            [*] Use Shadow Passwords              |
    |  [*] Use LDAP              [*] Use LDAP Authentication           |
    |  [ ] Use NIS               [ ] Use Kerberos                      |
    |  [ ] Use Winbind           [ ] Use SMB Authentication            |
    |                            [ ] Use Winbind Authentication        |
    |                            [ ] Local authorization is sufficient |
    |                                                                  |
    |            ----------          --------                          |
    |            | Cancel |          | Next |                          |
    |            ----------          --------                          |
    --------------------------------------------------------------------

    ------------------- LDAP Settings -------------------
    |                                                   |
    |  [*] Use TLS                                      |
    |  Server:  ragu2.google.com__________________      |
    |  Base DN: dc=google,dc=com_______________________ |
    |                                                   |
    |        --------          ------                   |
    |        | Back |          | Ok |                   |
    |        --------          ------                   |
    -----------------------------------------------------

    /etc/ldap.conf & /etc/openldap/ldap.conf

    you can see the same info you gave in the tui tool in these two files

    /etc/ldap.conf

    # File: /etc/ldap.conf
    uri ldaps://<ldap server>/
    # ssl start_tls      ----> disable this line by preceding it with #; only ldaps is used
    tls_cacertdir /etc/openldap/cacerts

    * add these lines

    /etc/openldap/ldap.conf

    URI ldaps://<ldap server>/
    BASE dc=google,dc=com
    TLS_CACERTDIR /etc/openldap/cacerts

    * it should contain these lines. With ldaps:// the server in the uri must be named the way the certificate names it (ragu2.google.com, not a bare ip address), or certificate verification fails. On OpenSSL-linked builds TLS_CACERTDIR expects a directory with c_rehash-style hash links; pointing TLS_CACERT (and tls_cacertfile in /etc/ldap.conf) at the copied client.pem avoids that.

    # ldapsearch -x ----> check that the same entries are returned here, now over ldaps

    # openssl s_client -connect bigboy:636 -showcerts ----> to see the certificate (bigboy is the server name from the text this page follows; use ragu2.google.com here)

    Common LDAP Administrative Tasks (server side)

    /usr/local/bin/modifyldapuser ---> script for the modifyldapuser command

    #!/bin/bash
    # usage: modifyldapuser <username>
    # anchor the match so "modifyldapuser ragu" cannot also pick up ragu2
    grep "^$1:" /etc/passwd > /tmp/modifyldapuser.tmp
    /usr/share/openldap/migration/migrate_passwd.pl \
        /tmp/modifyldapuser.tmp /tmp/modifyldapuser.ldif.tmp
    sed -e 's/padl.com/google.com/g' -e 's/dc=padl/dc=google/g' \
        /tmp/modifyldapuser.ldif.tmp > /tmp/modifyldapuser.ldif
    ldapmodify -x -D "cn=root,dc=google,dc=com" -W -f \
        /tmp/modifyldapuser.ldif
    rm -f /tmp/modifyldapuser.*

    * so if we change a user's passwd locally and want to update it in ldap, we can use this modifyldapuser command. The temporary files hold the password hash, so run the script as root with a restrictive umask (077) so other users cannot read them while they exist.

    ex:

    # passwd ragu

    # modifyldapuser ragu

    /usr/local/bin/addldapuser ---> to add the ldap user easily: addldapuser

    #!/bin/bash
    # usage: addldapuser <username>   (the local account must already exist)
    grep "^$1:" /etc/passwd > /tmp/addldapuser.tmp
    /usr/share/openldap/migration/migrate_passwd.pl \
        /tmp/addldapuser.tmp /tmp/addldapuser.ldif.tmp
    sed -e 's/padl.com/google.com/g' -e 's/dc=padl/dc=google/g' \
        /tmp/addldapuser.ldif.tmp > /tmp/addldapuser.ldif
    ldapadd -x -D "cn=root,dc=google,dc=com" -W -f \
        /tmp/addldapuser.ldif
    rm -f /tmp/addldapuser.*

    ex:

    # useradd test1

    # passwd test1

    # addldapuser test1

    * it will ask for the LDAP root passwd, then the user is added to the database

    /usr/local/bin/deleteldapuser ---> script for the deleteldapuser command

    #!/bin/bash
    # usage: deleteldapuser <username>
    ldapdelete -x -W -D "cn=root,dc=google,dc=com" \
        "uid=$1,ou=People,dc=google,dc=com"

    ex:

    # deleteldapuser test1

    * give the LDAP root passwd and the entry is deleted (only the LDAP entry; the local account, if any, stays)

    # ldapsearch -x -b 'dc=google,dc=com' '(objectclass=*)'

    execute this command and check whether the test1 user is still in the list or not

    ---------------------------------

    LDAP SLAVE REPLICATION

    1. install the necessary packages (on the slave)

    # yum install openldap*

    # yum install nss_ldap*

    [while doing this replication, stop the ldap service on both machines]

    2. copy the DATABASE of the master to the slave

    [master]# scp -r /var/lib/ldap/google.com root@slave:/var/lib/ldap

    [slave]# chown -R ldap:ldap /var/lib/ldap/google.com

    (scp needs -r to copy a directory; the raw bdb files are only portable between identical OpenLDAP and Berkeley DB versions, which is why the slapcat/slapadd copy in step 3 is the reliable route)

    3. add the database using the slapcat command as well

    [master]# slapcat -l master.ldif ----> the file master.ldif is created; copy it to the slave using scp (it contains every password hash, so copy it over ssh only and delete it afterwards)

    [slave]

    Edit /usr/share/openldap/migration/migrate_common.ph (vi) for the password conversion, replacing 'padl' ----> 'google' exactly as on the master (PADL.COM maintains the migration tools and ships an example configuration for padl.com, which we need to edit for our domain):

    # sed -i 's/padl.com/google.com/g' /usr/share/openldap/migration/migrate_common.ph
    # sed -i 's/dc=padl/dc=google/g' /usr/share/openldap/migration/migrate_common.ph

    # /usr/share/openldap/migration/migrate_all_offline.sh

    # /usr/sbin/slapadd -v -d3 -l master.ldif

    * now the databases on both servers will be the same. slapadd is an offline tool: run it with slapd stopped, and chown -R ldap:ldap the database directory afterwards. Loading master.ldif into an empty database directory gives an exact copy of the master; if migrate_all_offline.sh has already created dc=google,dc=com, slapadd reports those entries as already existing.

    *** add the content of the master's slapd.conf to the slave's slapd.conf ***
    contents to be added for replication in both the servers

    Master: slapd.conf

    # slapd master
    # global section
    ...
    # database section
    database bdb
    ...
    # allows read access from consumer
    # may need merging with other ACL's
    access to *
        by dn.base="cn=admin,ou=people,dc=example,dc=com" read
        by * break

    # NOTE:
    # the provider configuration contains no reference to any consumers

    # define the provider to use the syncprov overlay
    # (last directives in database section)
    overlay syncprov
    # allows contextCSN to be saved to the database every 100 updates or ten minutes
    syncprov-checkpoint 100 10

    Slave: slapd.conf

    # global section

    # database section
    database bdb
    ...

    # provider is ldap://master-ldap.example.com:389, sync interval
    # every 1 hour, whole DIT (searchbase), all user attributes synchronized
    # simple security with cleartext password
    # NOTE: comments inside the syncrepl directive are rejected by OpenLDAP
    # and are included only to carry further explanation. They MUST NOT
    # appear in an operational file
    syncrepl rid=000
        provider=ldap://master-ldap.example.com
        type=refreshOnly
        # re-connect/re-sync every hour
        interval=00:01:00:00
        retry="5 5 300 +"
        searchbase="dc=example,dc=com"
        # both user (*) and operational (+) attributes required
        attrs="*,+"
        bindmethod=simple
        binddn="cn=admin,ou=people,dc=example,dc=com"
        # Warning: password sent in clear - insecure
        credentials=dirtysecret

    * this is the generic example.com configuration and must be adapted to our setup: searchbase "dc=google,dc=com", provider=ldap://ragu2.google.com, and a binddn that exists in our DIT together with its password in credentials. cn=root,dc=google,dc=com (the rootdn) would work, but a dedicated replication account with read access only is the safer choice, since credentials sits in cleartext in the slave's slapd.conf.
    * the consumer authenticates with a cleartext simple bind; as TLS is already configured on the master, use provider=ldaps://ragu2.google.com (or add starttls=critical to the syncrepl directive) so the replication password and the replicated hashes are not sent in clear
    * the master needs the syncprov overlay available; if it was built as a module, moduleload syncprov.la in the global section must precede "overlay syncprov"
    * attrs="*,+" is required: without the operational attributes (+) the consumer never receives entryCSN/entryUUID and cannot track the provider's state

    * now restart both servers; you can see the replication on the slave (ldapsearch -x -b dc=google,dc=com on ragu1 returns the same entries as on ragu2)

    * mention the slave's ip address in authconfig-tui on the client: listing both servers in the uri line of /etc/ldap.conf (master first, then slave) lets the client fail over. Over ldaps:// the slave also needs its own TLS setup, and its certificate must be trusted by the client in the same way as the master's.

    * now stop the ldap service on the master and try logging in as the ldap user from master or slave to the client

    * because of replication you will still be able to log in even though the master has failed (reads keep working; writes need the master back, since a refreshOnly consumer is read-only)

    ***************************END****************************
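As an added example (not from the original page), the check a practitioner runs after "now restart both servers" to confirm the slave has actually caught up: compare the contextCSN of the suffix entry on master and slave. On live servers the two inputs come from ldapsearch -x -H ldap://<server> -b dc=google,dc=com -s base contextCSN run against each server; here the results are constructed inline so the script runs offline. The function names, the sample CSN values and the single-provider assumption (one contextCSN per server) are not from the page.

```shell
#!/bin/sh
# Added example (not from the original page): compare the contextCSN of the
# suffix entry on provider and consumer to tell whether replication is current.
# Assumed: function names, constructed sample LDIF, a single provider (one CSN).

# csn_of <ldif text>: the newest contextCSN value in a base-scope search result.
# CSN format is <UTC timestamp>#<count>#<sid>#<mod>, so byte order is time order.
csn_of() {
    printf '%s\n' "$1" | sed -n 's/^contextCSN: //p' | LC_ALL=C sort | tail -n 1
}

# replication_state <master ldif> <slave ldif>
# prints in-sync | behind | ahead | no-csn ; exit status 0 only when in sync
replication_state() {
    rs_m=$(csn_of "$1")
    rs_s=$(csn_of "$2")
    if [ -z "$rs_m" ] || [ -z "$rs_s" ]; then
        echo no-csn          # one side has no contextCSN: syncprov/syncrepl not active
        return 1
    fi
    if [ "$rs_m" = "$rs_s" ]; then
        echo in-sync
        return 0
    fi
    rs_newest=$(printf '%s\n%s\n' "$rs_m" "$rs_s" | LC_ALL=C sort | tail -n 1)
    if [ "$rs_newest" = "$rs_m" ]; then
        echo behind          # slave has not yet pulled the master's latest change
    else
        echo ahead           # slave newer than master: it was written to directly
    fi
    return 1
}

# Constructed sample results (what ldapsearch -s base contextCSN would print)
MASTER_LDIF='dn: dc=google,dc=com
contextCSN: 20180406101500.123456Z#000000#000#000000'

SLAVE_SYNCED_LDIF='dn: dc=google,dc=com
contextCSN: 20180406101500.123456Z#000000#000#000000'

SLAVE_BEHIND_LDIF='dn: dc=google,dc=com
contextCSN: 20180406100000.000000Z#000000#000#000000'

SLAVE_NOCSN_LDIF='dn: dc=google,dc=com
dc: google'

for case in "$SLAVE_SYNCED_LDIF" "$SLAVE_BEHIND_LDIF" "$SLAVE_NOCSN_LDIF"; do
    printf 'slave state: %s\n' "$(replication_state "$MASTER_LDIF" "$case")"
done
```

A consumer that stays "behind" for longer than the syncrepl interval (one hour in the configuration above) is the first thing to look at in the slave's slapd log; with a refreshOnly consumer, "ahead" means someone wrote to the slave directly, which the page's setup does not replicate back.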
