
Prepared & Compiled by : Manoharan Nadar

SERVER Configuration
Install Openldap Services :

Check that all the necessary packages have been installed:

The following table summarizes the OpenLDAP Software packages installed in the above step.

openldap            Contains all configuration files, libraries, and documentation for OpenLDAP.

openldap-servers    Contains the files needed to host an LDAP server (slapd and slurpd).

openldap-clients    Contains the client programs needed for accessing and modifying LDAP directories.

nss_ldap            Contains the client software for using LDAP as a method of user authentication on Linux.

Check that the default LDAP database (BDB) packages are installed:

OpenLDAP Configuration Files :

After installing OpenLDAP Software, the next step is to modify the necessary configuration files to customize the
LDAP server. As with any new application, it is highly recommended to understand the purpose of each
configuration file and to create a backup of the original version of those configuration files before modifying
them.
The following table describes the client and server configuration files used to customize OpenLDAP Software.

/etc/openldap/slapd.conf    Main server configuration file that contains the information needed by the slapd
                            LDAP server. The slapd.conf file will be edited in this guide to set all server-wide
                            directives, directory configuration information specific to your domain and server,
                            the database type and location, and the ACL definitions that define authorization
                            to your directory.

/etc/rc.d/init.d/ldap       Shell script used to start and stop the LDAP server (slapd and slurpd). Prior to
                            starting the LDAP server, the script performs a syntax check of the slapd.conf
                            configuration file.

/etc/openldap/schema/*      Directory that contains a set of default schema specifications which describe the
                            different object classes that are available by default with the OpenLDAP Software.
                            Each set is defined in a file (e.g. core.schema) suitable for inclusion using the
                            include directive in the global definitions portion of the slapd.conf(5) file. It is
                            helpful to browse the contents of these files to determine the required and
                            available attributes for a particular object class.

OpenLDAP Client tools :

/usr/bin            A standard directory on UNIX/Linux operating systems that contains most of the executable
                    files that are not needed for booting or repairing the operating system.

/usr/bin/ldap*      In OpenLDAP, any file that begins with "ldap" is a client utility. This includes ldapsearch
                    for searching a directory, ldapadd for adding records from the client, ldapmodify for
                    modifying existing directory records, and ldapdelete for removing records from the directory.

Back up the original version of any OpenLDAP Software configuration file before making modifications.
Using OpenLDAP Software with a BDB backend requires a DB_CONFIG database configuration file for optimum
performance. An example DB_CONFIG file exists at /etc/openldap/DB_CONFIG.example. To create an
LDAP database configuration file for BDB, simply copy the example configuration file to the LDAP directory
database location as follows:

Modify the /etc/openldap/slapd.conf file

The rootdn entry is the full Distinguished Name (DN) of the user who is unrestricted by the access controls and
administrative limit parameters set for operations on the LDAP directory, and the rootpw option is the password
for the rootdn that you specified.

I have used a clear-text password since many of us get stuck on this. You can make use of an encrypted (hashed)
password generated with the following command.

The LDAP server is now ready to be started for the first time.

Modify the LDAP server to start when the machine boots.

Make the LDIF files directory and change into it:

Create the root record and its sub-records, all in one file,
where:

1) ldapadd - the command used to add LDAP objects to the DIT.
2) -D - Bind DN (super-user information, e.g. "cn=mano,dc=domain,dc=com")
3) -W - Prompt for the password (Enter Password:)
4) -w - Do not prompt for the password; it follows the option directly (e.g. -wsecret)
5) -x - Use simple authentication (no SASL)
6) -f - LDIF file name (e.g. -f domain.com.ldif)

Other ways of adding CN / Objects to LDAP :


Without LDIF file :
PADL Scripts:

Users created on the local machine (/etc/passwd) can be imported into LDAP with the help of the PADL migration scripts:

[root@localhost LDIF]# cd /usr/share/openldap/migration/

[root@localhost migration]# cat /etc/passwd | grep "[5-9][0-9][0-9]" > /tmp/normalusers

[root@localhost migration]# ./migrate_passwd.pl /tmp/normalusers > /root/LDIF/normaluser.ldif

[root@localhost migration]# less /root/LDIF/normaluser.ldif

dn: uid=mano,ou=People,dc=padl,dc=com
uid: mano
cn: Manoharan
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$1$i3SH2lp6$bqTLjklRUD98aiiyCPRiZ/
shadowLastChange: 15552
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 500
gidNumber: 500
homeDirectory: /home/mano
gecos: Manoharan

However, my root domain is domain.com and not padl.com, hence I need to change this default setting in
/usr/share/openldap/migration/migrate_common.ph

[root@localhost migration]# vi /usr/share/openldap/migration/migrate_common.ph


# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "domain.com";

# Default base
$DEFAULT_BASE = "dc=domain,dc=com";

:x! (save and exit)

[root@localhost migration]# ./migrate_passwd.pl /tmp/normalusers > /root/LDIF/normaluser.ldif

[root@localhost migration]# less /root/LDIF/normaluser.ldif


dn: uid=mano,ou=People,dc=domain,dc=com
uid: mano
cn: Manoharan
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$1$i3SH2lp6$bqTLjklRUD98aiiyCPRiZ/
shadowLastChange: 15552
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 500
gidNumber: 500
homeDirectory: /home/mano
gecos: Manoharan

[root@localhost migration]# ./migrate_group.pl /etc/group > /root/LDIF/allgroups.ldif

[root@localhost migration]# cd /root/LDIF

[root@localhost LDIF]# ldapadd -D "cn=mano,dc=domain,dc=com" -x -wsecret -f normaluser.ldif

adding new entry "uid=nfsnobody,ou=People,dc=domain,dc=com"

adding new entry "uid=mano,ou=People,dc=domain,dc=com"

adding new entry "uid=sachin,ou=People,dc=domain,dc=com"

[root@localhost LDIF]# ldapadd -D "cn=mano,dc=domain,dc=com" -x -wsecret -f allgroups.ldif

adding new entry "cn=mano,ou=Group,dc=domain,dc=com"

adding new entry "cn=ldap,ou=Group,dc=domain,dc=com"

adding new entry "cn=sachin,ou=Group,dc=domain,dc=com"

[root@localhost ~]# cd /usr/share/openldap/migration/
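An added example, not the PADL scripts themselves: a minimal migrate_passwd in Python over constructed passwd/shadow lines. It selects accounts by the numeric UID field rather than by the guide's grep "[5-9][0-9][0-9]", which matches any three-digit number anywhere on the line, and emits LDIF in the shape of the normaluser.ldif output above.

```python
import re
# Added example, not the PADL scripts: a minimal migrate_passwd in Python that selects
# accounts by the numeric UID field (the guide's grep "[5-9][0-9][0-9]" matches any
# three-digit number anywhere on the line) and emits LDIF shaped like normaluser.ldif.
BASE_DN = "dc=domain,dc=com"                  # $DEFAULT_BASE from migrate_common.ph

# Constructed sample passwd/shadow lines with placeholder hashes (not a real system)
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
mano:x:500:500:Manoharan:/home/mano:/bin/bash
sachin:x:501:501:sachin:/home/sachin:/bin/bash
svc:x:1500:1500:service account:/srv/svc:/sbin/nologin
backup:x:50:50:backup-ops-500:/var/backups:/sbin/nologin
"""
SHADOW = """\
root:$1$rootsalt$placeholder:15552:0:99999:7:::
mano:$1$manosalt$placeholder:15552:0:99999:7:::
sachin:$1$sachsalt$placeholder:15623:0:99999:7:::
"""

def grep_style(passwd_text):
    """Logins the guide's grep would select: the regex is applied to the whole line."""
    return [l.split(":")[0] for l in passwd_text.splitlines()
            if re.search(r"[5-9][0-9][0-9]", l)]

def select_by_uid(passwd_text, low=500, high=999):
    """Yield the 7 passwd fields of accounts whose UID (field 3) lies in [low, high]."""
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) == 7 and f[2].isdigit() and low <= int(f[2]) <= high:
            yield f

def shadow_map(shadow_text):
    """login -> [hash, lastchange, min, max, warn] taken from shadow lines."""
    return {l.split(":")[0]: l.split(":")[1:6] for l in shadow_text.splitlines()}

def passwd_to_ldif(fields, shadow):
    """Render one account as an LDIF entry with the attributes migrate_passwd.pl emits."""
    user, _, uid, gid, gecos, home, shell = fields
    pw, last, mn, mx, warn = shadow.get(user, ["*", "0", "0", "99999", "7"])
    lines = [f"dn: uid={user},ou=People,{BASE_DN}", f"uid: {user}",
             f"cn: {gecos.split(',')[0] or user}",
             "objectClass: account", "objectClass: posixAccount",
             "objectClass: top", "objectClass: shadowAccount",
             f"userPassword: {{crypt}}{pw}", f"shadowLastChange: {last}",
             f"shadowMin: {mn}", f"shadowMax: {mx}", f"shadowWarning: {warn}",
             f"loginShell: {shell}", f"uidNumber: {uid}", f"gidNumber: {gid}",
             f"homeDirectory: {home}", f"gecos: {gecos}"]
    return "\n".join(lines) + "\n"

def migrate(passwd_text, shadow_text):
    """LDIF for every in-range account, ready for 'ldapadd -x -D <rootdn> -W -f'."""
    shadow = shadow_map(shadow_text)
    return "\n".join(passwd_to_ldif(f, shadow) for f in select_by_uid(passwd_text))
```

On the sample, grep_style also picks up the UID 1500 service account and an account whose GECOS happens to contain "500"; select_by_uid does not.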

LDAP Search:

[root@localhost LDIF]# ldapsearch -b "dc=domain,dc=com" -x "(objectClass=*)"


Outputs all entries.

Where,
ldapsearch - the command to search LDAP objects / entries
-b - base DN for the search (e.g. -b "dc=domain,dc=com")
-x - simple authentication

[root@localhost LDIF]# ldapsearch -b "ou=Group,dc=domain,dc=com" -x "(objectClass=*)"


# Group, domain.com
dn: ou=Group,dc=domain,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit
[root@localhost LDIF]# ldapsearch -b "dc=domain,dc=com" -x "(&(uid=mano) (cn=Manoharan))"

dn: uid=mano,ou=People,dc=domain,dc=com
uid: mano
cn: Manoharan
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQxJGkzU0gybHA2JGJxVExqa2xSVUQ5OGFpaXlDUFJpWi8=
shadowLastChange: 15552
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 500
gidNumber: 500

[root@localhost LDIF]# ldapsearch -b "dc=domain,dc=com" -x "(|(uid=mano) (cn=sachin))"

# mano, People, domain.com


dn: uid=mano,ou=People,dc=domain,dc=com
uid: mano
cn: Manoharan
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQxJGkzU0gybHA2JGJxVExqa2xSVUQ5OGFpaXlDUFJpWi8=
shadowLastChange: 15552
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 500
gidNumber: 500
homeDirectory: /home/mano
gecos: Manoharan

# sachin, People, domain.com


dn: uid=sachin,ou=People,dc=domain,dc=com
uid: sachin
cn: sachin
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQxJE5LUlRScFQ5JFU5TG12dkxub0EucENtdHVTaTlNeS4=
shadowLastChange: 15623
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 501
gidNumber: 501
homeDirectory: /home/sachin
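
An added example, not code from the guide: a small Python LDIF parser and filter evaluator that reproduces the searches above on constructed entries. It also decodes the "::" (base64) form in which ldapsearch prints userPassword, which makes visible that the anonymous -x searches above return password hashes unless an ACL in slapd.conf restricts that attribute.

```python
import base64
# Added example, not code from the guide: parse ldapsearch-style LDIF (a "::" value is
# base64, which is how ldapsearch prints userPassword) and evaluate the guide's filters.
LDIF = """\
dn: uid=mano,ou=People,dc=domain,dc=com
uid: mano
cn: Manoharan
userPassword:: e2NyeXB0fSQxJHNhbHQkY29uc3RydWN0ZWRoYXNo
loginShell: /bin/bash

dn: uid=sachin,ou=People,dc=domain,dc=com
uid: sachin
cn: sachin
loginShell: /bin/bash
"""  # constructed sample shaped like the guide's output; the hash is a placeholder

def parse_ldif(text):
    """Return entries as dicts attr -> [values]; '::' values are base64-decoded."""
    entries = [{}]
    for line in text.splitlines():
        if not line.strip():                          # a blank line ends an entry
            entries.append({})
        else:
            attr, _, rest = line.partition(":")
            if rest.startswith(":"):                  # attr:: <base64 value>
                rest = base64.b64decode(rest[1:].strip()).decode()
            entries[-1].setdefault(attr, []).append(rest.strip())
    return [e for e in entries if e]

def parse_filter(s, i=0):
    """Parse '(&(a=b) (c=d))', '(|(a=b)(c=d))' or '(a=*)' into a small tree."""
    i = s.index("(", i) + 1                           # skip to just past the opening paren
    if s[i] in "&|":                                  # compound filter: list of sub-filters
        op, kids, i = s[i], [], i + 1
        while s[i] != ")":
            node, i = parse_filter(s, i)
            kids.append(node)
            i += len(s[i:]) - len(s[i:].lstrip())     # tolerate spaces between sub-filters
        return (op, kids), i + 1
    end = s.index(")", i)
    attr, _, val = s[i:end].partition("=")
    return ("=", attr.strip(), val.strip()), end + 1

def matches(entry, node):
    """Evaluate a parsed filter; attribute names and values compare case-insensitively."""
    if node[0] in "&|":
        return (all if node[0] == "&" else any)(matches(entry, k) for k in node[1])
    _, attr, val = node
    vals = [v for k, vs in entry.items() if k.lower() == attr.lower() for v in vs]
    return bool(vals) if val == "*" else any(v.lower() == val.lower() for v in vals)

def search(entries, filt):
    """DNs matching filt, as 'ldapsearch -x -b <base> filt' would list them."""
    tree, _ = parse_filter(filt)
    return [e["dn"][0] for e in entries if matches(e, tree)]
```
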

LDAP Modify:

[root@localhost LDIF]# ldapmodify -D "cn=mano,dc=domain,dc=com" -x -wsecret -a -f vijay.ldif


adding new entry "cn=vijay,ou=People,dc=domain,dc=com"

where,

ldapmodify - the command to add / modify / delete LDAP entries / objects.

-D - Bind DN (super-user information, e.g. "cn=mano,dc=domain,dc=com")
-x - Simple authentication
-a - Add entries (the default is to modify)
-w - Do not prompt for the password; it follows the option directly (e.g. -wsecret)
-f - LDIF file name

Modifying the Attribute’s value:

[root@localhost LDIF]# ldapsearch -b "dc=domain,dc=com" -x "((cn=sachin))"

dn: uid=sachin,ou=People,dc=domain,dc=com
uid: sachin
cn: sachin
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQxJE5LUlRScFQ5JFU5TG12dkxub0EucENtdHVTaTlNeS4=
shadowLastChange: 15623
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 501
gidNumber: 501
homeDirectory: /home/sachin

[root@localhost LDIF]# ldapmodify -D "cn=mano,dc=domain,dc=com" -x -wsecret - ENTER


dn: uid=sachin,ou=People,dc=domain,dc=com - ENTER
changetype: modify - ENTER
replace: loginShell - ENTER
loginShell: /bin/sh - ENTER then CTRL + d
modifying entry "uid=sachin,ou=People,dc=domain,dc=com" - CTRL + c

Note: All the above entries can also be put in an .ldif file and executed in one go.

[root@localhost LDIF]# ldapsearch -b "dc=domain,dc=com" -x "((cn=sachin))"

# sachin, People, domain.com


dn: uid=sachin,ou=People,dc=domain,dc=com
uid: sachin
cn: sachin
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQxJE5LUlRScFQ5JFU5TG12dkxub0EucENtdHVTaTlNeS4=
shadowLastChange: 15623
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
uidNumber: 501
gidNumber: 501
homeDirectory: /home/sachin
loginShell: /bin/sh

LDAP Delete:

[root@localhost LDIF]# ldapdelete -D "cn=mano,dc=domain,dc=com" -v -x "cn=salman,ou=People,dc=domain,dc=com" -wsecret

ldap_initialize( <DEFAULT> )
deleting entry "cn=salman,ou=People,dc=domain,dc=com"

where,

ldapdelete - is a command to delete LDAP objects / Entries


-v - for verbose

NFS:

[root@localhost ~]# vi /etc/exports


/home 192.168.73.129(rw,sync)

[root@localhost ~]# service nfs start


Starting NFS services: [ OK ]
Starting NFS quotas: [ OK ]
Starting NFS daemon: [ OK ]
Starting NFS mountd: [ OK ]

[root@localhost ~]# chkconfig nfs on

[root@localhost ~]# service portmap start


Starting portmap: [ OK ]

[root@localhost ~]# chkconfig portmap on

Various CLIENT Configuration

Centralized Authentication and Storage


[root@CLIENT home]# rpm -qa | grep ldap
openldap-2.3.43-12.el5
python-ldap-2.2.0-2.1
nss_ldap-253-25.el5
[root@CLIENT home]# setup
[root@CLIENT home]# su - sachin
su: warning: cannot change directory to /home/sachin: No such file or directory
-bash-3.2$

-bash-3.2$ exit
logout

[root@CLIENT ~]# /etc/init.d/portmap start


Starting portmap: [ OK ]

[root@CLIENT ~]# chkconfig portmap on

[root@CLIENT ~]# showmount -e 192.168.73.129


Export list for 192.168.73.129:
/home 192.168.73.130

[root@CLIENT ~]# cd /home/

[root@CLIENT ~]# ls -la

[root@CLIENT ~]# mount -t nfs 192.168.73.129:/home /home


[root@CLIENT ~]# su - sachin

[root@CLIENT home]# less /etc/nsswitch.conf


passwd: files ldap
shadow: files ldap
group: files ldap

[sachin@CLIENT ~]$

PGINA: (Windows authentication using LDAP)


Downloads: http://www.pgina.org/?page_id=21
Apache
Install All the Apache and Dependent Packages

Check that the following modules are loaded for LDAP authentication:

Go to the Configuration directory of Apache

As a golden rule, take a backup of the ORIGINAL configuration file.

Edit the httpd.conf configuration as follows :


Restart the Apache Service :

Browse to the Apache server IP address to get the page below.


Enter the username and password (of sachin, as described in the httpd.conf file) and tadaaaaa....

Replication
By SLURPD Method

Slurpd-style replication uses a 'push' replication strategy and is obsolete as of version 2.4.
Documentation is maintained here for historical reasons and for anyone marooned on older
versions of OpenLDAP. It is configured and controlled as shown.

The process is as follows:

1. The client sends an update request, which happens to be received by a slave.

2. The slave knows that writes can only come from its replication partner, and therefore it sends a referral back to
the client, pointing it to the master server.
3. The client reissues the update request to the master.

4. The master performs the update and writes the change to the replication log.

5. slurpd, also running on the master, notices the change in the replication log.

6. slurpd sends the change to the slave.

In this way, slaves can be kept up to date with the master with little lag. If any interruptions happen, or an error occurs on a
slave, slurpd always knows which slaves need which updates.

Configuration of Master Server:

Create a replica account that slurpd will use to authenticate against the slave replica:

Add the SlaveAdmin Account in Master LDAP:

Now stop the Master LDAP Server


Configuration of Slave Server :
Follow all the Installation Steps from above and then

Start the Master Server, which will by default also start slurpd:

Add a new Entry in Master LDAP

Monitoring the Replication:

Notice the same LDAP-DATA is available at the Slave server (SERVER2)


By SyncRepl Method:

Slurpd is a straightforward solution to the replication problem, but it has several shortcomings. Shutting down your master
server so that you can synchronize a slave is inconvenient at best, and at worst it can affect service.

syncrepl is initiated from the slave, which is now given the name consumer. The master role is called provider. In syncrepl,
the consumer connects to the provider to get updates to the tree. In the most basic mode, called refreshOnly, the consumer
receives all the changed entries since its last refresh, requests a cookie that keeps track of the last synchronized change,
and then disconnects. On the next connection, the cookie is presented to the provider, which sends only the entries that
changed since the last synchronization.

Another syncrepl mode, called refreshAndPersist, starts off like the refreshOnly operation; but instead of disconnecting, the
consumer stays connected to receive any updates. Any changes that happen after the initial refresh are immediately sent
over the connection to the consumer by the provider.

Configuration of Master Server:

Stop the Ldap Service :

Comment out the SLURPD Setting and enable SyncRepl setting


Overlays must be configured against a database; therefore, this configuration must go after your database configuration
line. The next two lines are optional, but they improve reliability. syncprov-checkpoint 100 10 tells the server to store
the value of contextCSN to disk every 100 write operations or every 10 minutes. contextCSN is part of the cookie
mentioned earlier that helps consumers pick up where they left off after the last replication cycle. syncprov-sessionlog
100 logs write operations to disk, which again helps in the refresh cycle.

Configuration of Slave Server :

Delete all the DIT that were created out of SLURPD Testing :

Comment out the SLURPD slave setting and add the following lines:

The rid identifies this consumer to the master; each consumer must have a unique ID between 1 and 999.
The provider is an LDAP URI pointing back to the provider. type specifies that you only want periodic synchronization
through refreshOnly, and the interval is every hour. The interval is specified in DD:hh:mm:ss format.

Start the consumer with an empty database, and it will replicate its data from the provider and update every hour.
Making the transition to refreshAndPersist mode is simple: in the above snippet, remove the interval and change
the type to refreshAndPersist.
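
The provider and consumer settings described above, written out as an added slapd.conf fragment (not the guide's own file). The provider host, the replication bind DN and its password are placeholders; the checkpoint and session-log values and the hourly interval are the ones the text gives.

```conf
# Provider (master) slapd.conf: these lines go after the "database bdb" section
overlay syncprov
# store contextCSN every 100 write operations or every 10 minutes
syncprov-checkpoint 100 10
# keep the last 100 write operations for consumers' refresh cycles
syncprov-sessionlog 100

# Consumer (slave) slapd.conf, refreshOnly: poll the provider once an hour
# (interval is DD:hh:mm:ss; lines starting with whitespace continue the directive)
syncrepl rid=001
         provider=ldap://PROVIDER_HOST_PLACEHOLDER:389
         type=refreshOnly
         interval=00:01:00:00
         searchbase="dc=domain,dc=com"
         bindmethod=simple
         binddn="cn=REPLICATOR_PLACEHOLDER,dc=domain,dc=com"
         credentials=PASSWORD_PLACEHOLDER

# The same consumer in refreshAndPersist mode: interval removed, type changed
# syncrepl rid=001
#          provider=ldap://PROVIDER_HOST_PLACEHOLDER:389
#          type=refreshAndPersist
#          searchbase="dc=domain,dc=com"
#          bindmethod=simple
#          binddn="cn=REPLICATOR_PLACEHOLDER,dc=domain,dc=com"
#          credentials=PASSWORD_PLACEHOLDER
```

The bind DN the consumer uses must be granted read access to everything under searchbase by the provider's ACLs, otherwise the replica silently misses the entries it cannot read.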

Restart the Slave Server :

Then Restart the Master Server :

Now come back to Slave Server (SERVER2) and do ldapsearch :


phpLDAPadmin
phpLDAPadmin (also known as PLA) is a web-based LDAP client. It provides easy, anywhere-
accessible, multi-language administration for your LDAP server.
Its hierarchical tree-viewer and advanced search functionality make it intuitive to browse and
administer your LDAP directory. Since it is a web application, this LDAP browser works on many
platforms, making your LDAP server easily manageable from any location.
phpLDAPadmin is the perfect LDAP browser for the LDAP professional and novice alike. Its user base
consists mostly of LDAP administration professionals.

Installation:
Install the Latest version of PHP

Download the Tar of phpLDAPadmin :

Extract the phpLDAPadmin tarball:

Move the extracted directory to DocumentRoot of Apache:

Go to phpldapadmin directory :
Copy the config.php.example file as config.php

Restart the Apache service:

Point to the phpldapadmin directory from your browser :

http://192.168.17.53/phpldapadmin-1.2.3

Enter the admin DN and password to authenticate yourself:


And there you are in the phpLDAPadmin web panel:

For SADHIQ-LINUX-GROUP
Mano Nadar
