Wednesday, April 1, 2009

How to configure ldap in fedora & rhel -5

$  yum install openldap-clients
$  yum install openldap-servers
$  
yum install openldap*
$rpm -qa | grep ldap
Take backup for slapd.conf
$ /etc/openldap/slapd.conf /etc/openldap/slapd.conf.bak
Edit the file /etc/openldap/slapd.conf


we need to change some lines suffix,
rootdn and the two rootpw lines.


Suffix is the high level descriptor you selected above. The
rootdn is who (the user) that owns the server and should start with
cn=. The first root password (rootpw) line should be set to
secret. You can generate an encrypted password for the second
rootpw line using the command:
$ slappasswd
Just cut and paste the output of the slappasswd command into the
second rootpw line in slapd.conf
$ vim /etc/openldap/slapd.conf
suffix "dc=bloger,dc=com"

bloger is a your domain name

rootdn "cn=Manager,dc=bloger,dc=com"
rootpw secret
rootpw {SSHA}MRNBda83kd9f7d7did902mLA1x0AVOWMRBua

save & exit this file.
open ldap.conf file.
$ vim /etc/openldap/ldap.conf
change 2 line in this file
HOST 127.0.0.1
BASE dc=bloger,dc=com

save & exit this file.
LDAP Migration tools-:
These tools are located
in /usr/share/openldap/migration. If
you don't find them in your distribution you can download these tools
from:
http://www.padl.com/OSS/MigrationTools.html

Install is simple.

untar zxf MigrationTools.tgz
cd MigrationTools-47

You then must edit migrate_common.ph and change the following site-specific variables to reflect your installation:


# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "bloger.com";

# Default base
$DEFAULT_BASE = "dc=blger,dc=com
Now we need to add the base entries into the LDAP. Here is an example of a new base org. units you may need and a user new user. The file we will create in out example is bloger.com.ldif.

Create a data file (bloger.ldif) & copy following content.
$ tuch bloger.ldif

dn: dc=bloger,dc=com
objectclass: top
objectclass: organization
o: bloger
description: Top level LDAP for bloger.com
dn: ou=Group,dc=bloger,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit

dn: ou=People,dc=bloger,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Services,dc=bloger,dc=com
ou: Services
objectClass: top
objectClass: organizationalUnit
save this file.
$
/usr/share/openldap/migration/
migrate_base.pl > bloger.ldif
Import first record

$
ldapadd -a -W -x -D "cn=Manager,dc=bloger,dc=com"
-f bloger.ldif
$
ldapsearch -x -b '
dc=bloger,dc=com
' 'objectclass=*
Create test user-:create file newrec.ldif for test user & add some content in this file.

$ touch bloger.ldif
note-
You need an empty line before each line starting with "dn:"
$ vim bloger.ldif
# test1, < style="font-weight: bold;">bloger, com

dn: uid=test,ou=People,dc=bloger,dc=com
cn: test
sn: test
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
userPassword: {crypt}$!Z0ksiAKjsKLAsjuwyuAK!jksX
uid: test
uidNumber: 501
gidNumber: 501
loginShell: /bin/bash
homeDirectory: /home/test
shadowLastChange: 10877
shadowMin: 0
shadowMax: 999999
shadowInactive: -1
shadowWarning: 7
shadowFlag: 0
shadowExpire: -1
save & exit this file.
The dn: record must be uniqe and should include the include your suffix.

Add the record to your LDAP

To add a record to the ldap database we use the command ldapadd

$ ldapadd -W -x -D "cn=Manager,dc=bloger,dc=com" -W -f newrec.ldif
$ ldapsearch -x -b 'cn=test,dc=bloger,dc=com'
will display this record if it is added correctly.
Client Side Authentication-:
1. Click System, select Administration and click Authentication. This will launch the Authentication Configuration window.

2. Check Enable LDAP Support and click the Configure LDAP button
3. Fill in the LDAP Search Base DN and LDAP Server fields. Click Ok when you are done.
4. Click the Authentications tab and check Enable LDAP Support.

To test this, create a user in your LDAP directory that is not in
your machine. Then check the account by fingering the
user. For example, if you add the test record for you
should be able to essue the command:
$ getent passwd
$ finger test1




1 comment:

Anonymous said...

Thanx. it really helped me.