Configure LDAP Server & Client With AutoFS in RHEL 7:
=====================================================
LDAP stands for Lightweight Directory Access Protocol. It’s an open protocol for accessing and maintaining distributed directory information services over an IP network (source wikipedia).
Here it is used to facilitate user account administration. Instead of storing user accounts locally on each server, the LDAP directory stores them globally and makes them available to a group of servers.
This tutorial only gives the minimum NFS export and automounter map needed for the shared home directories; it doesn’t explain those two services. It has been tested for RHEL 7.0, RHEL 7.1 and RHEL 7.2 (non-patched versions).
During this tutorial, follow the instructions very precisely: LDIF syntax is unforgiving (case, spaces and blank lines all matter, a trailing space becomes part of the value, and every record must be separated from the next by a blank line), and the dn/dc/cn pieces are easy to mix up.
Let’s assume that we use the example.com domain and the instructor.example.com hostname (this hostname should be resolved either by the /etc/hosts file or by DNS).
Installation Procedure
LDAP Server Configuration: (192.168.1.113)
------------------------------------------
# yum install -y openldap openldap-clients openldap-servers migrationtools
Create the hashed administrator password (the clear-text password is redhat; the {SSHA} hash written to the file is what goes into the configuration later, never the clear text):
# slappasswd -s redhat -n > /etc/openldap/passwd
Create a self-signed certificate and key for TLS. When prompted, give the server’s hostname (instructor.example.com) as the Common Name, otherwise clients that verify the certificate will reject it:
# openssl req -new -x509 -nodes -out /etc/openldap/certs/cert.pem -keyout /etc/openldap/certs/priv.pem -days 365
The ldap user and group are created by the openldap-servers package; if the chown below reports "invalid user: ‘ldap:ldap’", that package did not get installed (check the yum output above). The private key must be readable by the ldap user only:
# cd /etc/openldap/certs
# chown ldap:ldap *
# chmod 600 priv.pem
Prepare the LDAP database:
# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
Generate database files (don’t worry about error messages!):
# slaptest
Change LDAP database ownership:
# chown ldap:ldap /var/lib/ldap/*
# systemctl enable slapd
# systemctl start slapd
Check that slapd is listening on port 389 (netstat needs the net-tools package; ss -ltn shows the same information):
# netstat -lt | grep ldap
To start the configuration of the LDAP server, add the cosine & nis LDAP schemas:
# cd /etc/openldap/schema
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f cosine.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f nis.ldif
Then, create the /etc/openldap/changes.ldif file and paste the following records. Replace PASSWORD with the hash written to /etc/openldap/passwd earlier (it looks like {SSHA}l8A+0c+lRcymtWuIFbbc3EJ1PRZz9mGg); do not put the clear-text password here. Each record must be separated from the next by exactly one blank line, and there must be no trailing spaces after the values:
# vim /etc/openldap/changes.ldif
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=example,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=example,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: PASSWORD

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none
olcAccess: {1}to * by * read

dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/cert.pem
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/priv.pem

dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: -1

dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=example,dc=com" read by * none
Notes on these records:
The olcAccess rules on the hdb database are essential. The default RHEL 7 configuration has no access rule for this database, and slapd’s built-in policy when no rule exists is "everything readable by everyone", so the {crypt} password hashes migrated later would be readable by any anonymous bind from the network. Rule {0} lets a user change their own password, lets anyone use it to authenticate (which is what the clients need), and hides it from everyone else; rule {1} keeps the account and group attributes readable, which nslcd on the clients requires. The rootdn (cn=Manager) bypasses access rules anyway.
The two TLS attributes are changed in one record (the "-" line separates two changes within the same modify operation). Newer OpenLDAP builds, including the one shipped with RHEL 7.5, check that the certificate and key match when either is changed and reject them when they are set in two separate records; the combined form also works on the older versions.
olcLogLevel -1 turns on every debug category and fills the log quickly; it is useful while setting up and troubleshooting, and should be lowered (for example to stats) once the server works.
Send the new configuration to the slapd server:
# ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/openldap/changes.ldif
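Because a missing blank line or a stray trailing space in changes.ldif produces a terse ldapmodify error or, worse, a silently merged record, it is worth checking the file before sending it to slapd. The lint below is an added example and is not part of the original tutorial or of OpenLDAP. It assumes one-line attribute values, as in changes.ldif (it does not handle folded continuation lines or base64 "::" values); the two sample inputs are constructed for the demonstration, the second one being the first with its record separator lost and a trailing space added.

```shell
#!/bin/bash
# Added example (not from the original tutorial): lint for hand-written LDIF
# change files before they go to ldapmodify. Reports, with a line number:
#   - two records not separated by a blank line ("second dn:")
#   - a record whose first line is not "dn: "
#   - add/replace/delete operations without "changetype: modify"
#   - several operations in one record without a "-" line between them
#   - trailing whitespace, which LDIF keeps as part of the value
# Exit status is 0 when the file is clean, 1 otherwise.
set -u

ldif_lint() {   # usage: ldif_lint < changes.ldif
  awk '
    function err(msg) { printf "line %d: %s\n", NR, msg; bad = 1 }
    function finish() {
      if (ops > 0 && !is_modify) err("add/replace/delete used without \"changetype: modify\"")
      if (ops > 1 && dashes < ops - 1) err("several changes in one record need a \"-\" line between them")
      in_rec = 0
    }
    /[ \t]+$/ { err("trailing whitespace (it becomes part of the value)") }
    /^$/      { if (in_rec) finish(); next }        # a blank line ends the record
    !in_rec   {                                      # first line of a record
      in_rec = 1; ops = 0; dashes = 0; is_modify = 0
      if ($0 !~ /^dn: /) err("record must start with \"dn: \"")
      next
    }
    /^changetype: modify$/    { is_modify = 1; next }
    /^(add|replace|delete): / { ops++; next }
    /^-$/                     { dashes++; next }
    /^dn: / { err("second \"dn:\" inside a record: a blank line is missing before it") }
    END { if (in_rec) finish(); exit bad }
  '
}

# Constructed sample: two well-formed records, the second with two changes.
SAMPLE_GOOD='dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=example,dc=com

dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/cert.pem
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/priv.pem'

# Constructed sample: the blank line between the records was lost when pasting,
# and the last value carries a trailing space.
SAMPLE_BAD='dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=example,dc=com
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=example,dc=com '

printf '%s\n' "$SAMPLE_GOOD" | ldif_lint && echo "good sample: clean"
printf '%s\n' "$SAMPLE_BAD"  | ldif_lint || echo "bad sample: rejected"
```

On the real file run `ldif_lint < /etc/openldap/changes.ldif` and fix every reported line before the ldapmodify step; the bad sample above yields three findings (the unseparated second dn, the trailing space, and two replace operations with no "-" between them).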
Create the /etc/openldap/base.ldif file and paste the following lines:
# vim /etc/openldap/base.ldif
dn: dc=example,dc=com
dc: example
objectClass: top
objectClass: domain
dn: ou=People,dc=example,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit
dn: ou=Group,dc=example,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit
Build the structure of the directory service (binding as the rootdn with the clear-text password; the -w redhat form puts that password on the command line, where it is visible in the process list and the shell history, so prefer -W, which prompts for it, outside a lab):
# ldapadd -x -w redhat -D cn=Manager,dc=example,dc=com -f /etc/openldap/base.ldif
Create two users for testing:
# mkdir /home/guests
# useradd -d /home/guests/ldapuser01 ldapuser01
# passwd ldapuser01
Changing password for user ldapuser01.
New password: user01ldap
Retype new password: user01ldap
passwd: all authentication tokens updated successfully.
# useradd -d /home/guests/ldapuser02 ldapuser02
# passwd ldapuser02
Changing password for user ldapuser02.
New password: user02ldap
Retype new password: user02ldap
passwd: all authentication tokens updated successfully.
User Account Migration
Go to the directory of the migration tools (they read the password hashes from /etc/shadow, so they must be run as root):
# cd /usr/share/migrationtools
Edit the migrate_common.ph file and set these two variables:
# vim migrate_common.ph
$DEFAULT_MAIL_DOMAIN = "example.com";
$DEFAULT_BASE = "dc=example,dc=com";
Create the current users in the directory service. The grep keeps the lines containing a number between 1000 and 1099, which selects the two test accounts (UIDs 1001 and 1002) and leaves the system accounts out; look at the passwd file it produces before importing it, since the pattern matches any field, not only the UID:
# grep ":10[0-9][0-9]" /etc/passwd > passwd
# ./migrate_passwd.pl passwd users.ldif
# ldapadd -x -w redhat -D cn=Manager,dc=example,dc=com -f users.ldif
adding new entry "uid=ldapuser01,ou=People,dc=example,dc=com"
adding new entry "uid=ldapuser02,ou=People,dc=example,dc=com"
# grep ":10[0-9][0-9]" /etc/group > group
# ./migrate_group.pl group groups.ldif
# ldapadd -x -w redhat -D cn=Manager,dc=example,dc=com -f groups.ldif
adding new entry "cn=ldapuser01,ou=Group,dc=example,dc=com"
adding new entry "cn=ldapuser02,ou=Group,dc=example,dc=com"
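Commenters on this page report that the migrationtools package is not available on RHEL/CentOS 9. The script below is an added example and is not part of the original tutorial or of migrationtools: it generates users.ldif and groups.ldif with the same entry layout that migrate_passwd.pl and migrate_group.pl produce (account/posixAccount/shadowAccount entries under ou=People, posixGroup entries under ou=Group), using only awk. BASE_DN, the UID range 1000-1099 (the range the tutorial’s grep selects), the function names and the sample passwd, shadow and group lines are assumptions constructed for the demonstration; the {crypt} hashes in the sample are placeholders, not real secrets.

```shell
#!/bin/bash
# Added example, not part of the original tutorial: build users.ldif and
# groups.ldif with awk only, for hosts without the migrationtools package.
# Sample data below is constructed; hashes are placeholders.
set -eu

BASE_DN="dc=example,dc=com"   # the tutorial's suffix (assumption for the demo)
UID_MIN=1000                  # the tutorial selects UIDs 1000-1099 ...
UID_MAX=1099                  # ... with grep ":10[0-9][0-9]"

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
ldapuser01:x:1001:1001::/home/guests/ldapuser01:/bin/bash
ldapuser02:x:1002:1002:Second LDAP user,,,:/home/guests/ldapuser02:/bin/bash
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin'

SAMPLE_SHADOW='root:$6$rootsalt$rootHASH:17000:0:99999:7:::
ldapuser01:$6$salt01$HASH01:17000:0:99999:7:::
ldapuser02:$6$salt02$HASH02:17001:0:99999:7:::'

SAMPLE_GROUP='root:x:0:
ldapuser01:x:1001:
ldapuser02:x:1002:ldapuser01
wheel:x:10:root'

# passwd_to_ldif PASSWD_TEXT SHADOW_TEXT  -> LDIF on stdout
# Selects on the numeric UID field, so a GID or a path containing "10xx"
# cannot slip through as a bare grep would allow. Locked hashes ("!" or "*")
# are not exported; cn is the first GECOS field, or the login name if empty.
passwd_to_ldif() {
  printf '%s\n' "$1" | awk -F: -v base="$BASE_DN" -v min="$UID_MIN" -v max="$UID_MAX" -v shadow="$2" '
    BEGIN {
      n = split(shadow, sl, "\n")
      for (i = 1; i <= n; i++) {
        split(sl[i], f, ":"); hash[f[1]] = f[2]; last[f[1]] = f[3]
      }
    }
    $3 ~ /^[0-9]+$/ && $3 + 0 >= min + 0 && $3 + 0 <= max + 0 {
      split($5, gecos, ",")
      cn = (gecos[1] == "") ? $1 : gecos[1]
      printf "dn: uid=%s,ou=People,%s\n", $1, base
      printf "uid: %s\ncn: %s\n", $1, cn
      print "objectClass: account\nobjectClass: posixAccount"
      print "objectClass: top\nobjectClass: shadowAccount"
      if (($1 in hash) && hash[$1] != "" && hash[$1] !~ /^[!*]/)
        printf "userPassword: {crypt}%s\n", hash[$1]
      if (($1 in last) && last[$1] != "") printf "shadowLastChange: %s\n", last[$1]
      printf "loginShell: %s\nuidNumber: %s\ngidNumber: %s\nhomeDirectory: %s\n\n", $7, $3, $4, $6
    }'
}

# group_to_ldif GROUP_TEXT -> LDIF on stdout, one posixGroup per selected GID
group_to_ldif() {
  printf '%s\n' "$1" | awk -F: -v base="$BASE_DN" -v min="$UID_MIN" -v max="$UID_MAX" '
    $3 ~ /^[0-9]+$/ && $3 + 0 >= min + 0 && $3 + 0 <= max + 0 {
      printf "dn: cn=%s,ou=Group,%s\n", $1, base
      printf "objectClass: posixGroup\nobjectClass: top\ncn: %s\n", $1
      printf "gidNumber: %s\n", $3
      n = split($4, members, ",")
      for (i = 1; i <= n; i++) if (members[i] != "") printf "memberUid: %s\n", members[i]
      print ""
    }'
}

# Demonstration run on the sample data. On a real server (as root, since
# /etc/shadow is root-only):
#   passwd_to_ldif "$(cat /etc/passwd)" "$(cat /etc/shadow)" > users.ldif
#   group_to_ldif  "$(cat /etc/group)"                        > groups.ldif
# then import both with ldapadd as in the tutorial.
passwd_to_ldif "$SAMPLE_PASSWD" "$SAMPLE_SHADOW"
group_to_ldif  "$SAMPLE_GROUP"
```

The output files contain password hashes, so create them with a restrictive umask and delete them after the ldapadd; with the userPassword access rule in place on the server, the hashes are then only reachable through authentication.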
Test the configuration with the user called ldapuser01 (this is an anonymous search: -x without -D):
# ldapsearch -x cn=ldapuser01 -b dc=example,dc=com
The entry must come back with its posixAccount attributes but without a userPassword attribute. If the {crypt} hash appears in this anonymous output, no access rule on the hdb database is protecting it, and any host that can reach port 389 can collect the password hashes of every user.
Firewall Configuration
Add the ldap service to the firewall (tcp port 389) and reload the rules:
# firewall-cmd --permanent --add-service=ldap
# firewall-cmd --reload
Logging: slapd logs through the local4 syslog facility. Edit the /etc/rsyslog.conf file and add the following line:
local4.* /var/log/ldap.log
Restart the rsyslog service:
# systemctl restart rsyslog
-----
Install & Configure NFS:
# yum install -y nfs-utils rpcbind
(There is no separate mountd package; rpc.mountd is part of nfs-utils.) Export the home directories. The * makes the export mountable from any host; outside a lab, replace it with the client host or network:
# vim /etc/exports
/home *(rw,sync)
Open the NFS services in the firewall and reload it (a --permanent change is not active until the reload):
# firewall-cmd --add-service={nfs3,mountd,rpc-bind} --permanent
# firewall-cmd --reload
Start & Enable the Services:
# systemctl start rpcbind
# systemctl start nfs
# systemctl enable rpcbind
# systemctl enable nfs
Test NFS Configuration (the export list must show /home):
# showmount -e
=================
Client Configuration:
---------------------
Install the packages:
# yum install -y openldap-clients nss-pam-ldapd autofs
Setup Authentication Mechanism:
# authconfig-tui
Select "Use LDAP" and "Use LDAP Authentication". On the LDAP Settings screen enter the server (ldap://192.168.1.113/) and the Base DN (dc=example,dc=com), and tick "Use TLS", pointing it at the server’s cert.pem: with plain ldap:// and simple binds, every user password crosses the network in clear text. authconfig writes these settings to /etc/nslcd.conf and the nsswitch/PAM files.
Set up the automounter so that each user’s home directory is mounted from the NFS server on first login. The mount point is /home/guests; the wildcard map mounts 192.168.1.113:/home/guests/<user> (a subdirectory of the /home export, which NFS allows) on /home/guests/<user>, and automount creates the mount point itself:
# vim /etc/auto.master
/home/guests /etc/auto.txt --timeout=60
# vim /etc/auto.txt
* -rw,sync 192.168.1.113:/home/guests/&
# systemctl start autofs
# systemctl enable autofs
# systemctl status autofs
A login as ldapuser01 on the client should now resolve the account through nslcd and show /home/guests/ldapuser01 as an NFS mount. The message "cannot change directory to /home/guests/ldapuser01" at login means the automount did not happen: check the two map files above and that the export is visible from the client with showmount -e 192.168.1.113.
Thank you. very helpful
Sir, it is showing "user does not exist".
Sir, I had a question: how do we delete a user from LDAP?
thank you sir, appreciated it, very precise video. Do you know if there is any tools such as FreeIPA or GUI that can be used to create user at LDAP server?
well... that works.
Package openldap-2.6.6-1.el9.x86_64 is already installed.
No match for argument: migrationtools
Error: Unable to find a match: migrationtools
I am not able to find this package. Please help me on this.
The error you’re seeing indicates that the migrationtools package isn’t available in the default repositories for CentOS 9. The migrationtools package is typically used for migrating data to an LDAP directory server but might not be included in the repositories for CentOS 9 by default.
Here’s how you can work around this issue:
1. Check EPEL Repository
The migrationtools package is often found in the Extra Packages for Enterprise Linux (EPEL) repository. You can enable EPEL and then try installing the package.
sudo dnf install epel-release
sudo dnf update
sudo dnf install migrationtools
2. Manual Installation from Source
If the package is not available in the EPEL repository, you can manually download and install it.
Here’s how to do it:
Download the Source:
You can download the migrationtools source package from the CentOS or Fedora repositories.
wget archives.fedoraproject.org/pub/archive/fedora/linux/releases/34/Everything/source/tree/Packages/m/migrationtools-47-19.fc34.src.rpm
Install Required Tools:
You’ll need some tools to build and install the package from the source.
sudo dnf install rpm-build
Build and Install:
Once you have the source package, you can rebuild it:
rpmbuild --rebuild migrationtools-47-19.fc34.src.rpm
Then, install the built package (it should be in your ~/rpmbuild/RPMS/ directory):
sudo dnf install ~/rpmbuild/RPMS/noarch/migrationtools-*.rpm
3. Use an Alternative Tool or Method
If you’re only looking to perform certain migrations and can’t get migrationtools working, you might want to look into alternative tools or scripts that accomplish the same tasks. There are various LDAP migration scripts available online that can be adapted to your needs.
4. Search for the Package in CentOS 8 Repositories
In some cases, you can manually download a package from an older CentOS repository and install it. However, this might lead to compatibility issues, so it’s best used as a last resort.
wget mirror.centos.org/centos/8/AppStream/x86_64/os/Packages/migrationtools-47-19.el8.noarch.rpm
sudo dnf install migrationtools-47-19.el8.noarch.rpm
If you’re still having trouble, please let me know, and I can help you further troubleshoot the issue!
Is it supported by RHEL 9 in 2024?
Yes, LDAP is supported on Red Hat Enterprise Linux (RHEL) 9
Vi /etc/openldap/changes.ldif file is missing
I am facing this error when logging in from the client machine:
su: warning: cannot change directory to /home/guests/ldapuser01: No such file or directory
-bash-4.2$
How do I solve it?
please share the error screenshot and logs in our telegram group.
When I type su - ldapuser01 it gives the following error. What could be the reason?
su: warning: cannot change directory to /home/guests/ldapuser01: No such file or directory
-bash-4.2$
Because the user's home dir is not present on the machine where you are trying to log in.
Hi Sir, could you please make a video on how only specific users belonging to a group can access the Linux VM? I mean, only a user who is part of the group in LDAP should be able to access the Linux machine.
For on demand videos please join the membership first and raise the request in the telegram group.
hi, very helpful for me.
Thanks
no match for argument: openldap-server
no match for argument: migration tools
error unable to find a match: openldap-servers migration tools
(This kind of error is showing while installing LDAP... I used yum install openldap openldap-clients openldap-servers migration tools.) Please resolve it, sir.
please contact us in telegram.
Sir, I appreciate your work. Kindly clarify my point, please: can we use LDAP as a domain controller, like Samba? Can we join a client PC to the domain? Please answer it, sir.
Can you elaborate please?
@NehraClasses Sir, can we use LDAP as an Active Directory domain controller like Samba, since we can use Samba as a domain controller? I mean, can we join Windows machines to a domain through LDAP?
Hi Sir, I hope in future you make a video explaining LDAP and how it works. Here I was unable to understand what we are doing; the theory behind the steps was missing. I would appreciate it if you consider this request.
You can join our personal training for this.
Sir, nice work, but how do we set up a password for client users when they log in?
Useful Video
Please help to configure LDAP with "unlimited days certificate" or without certificate.
You can regenerate certificate
i have error when i install openldap-servers
please share the screenshot in the telegram group.
I am getting the error "FirewallD is not running" while executing the command firewall-cmd --permanent --add-service=ldap
check your command and service
I installed onlyoffice on Ubuntu. I want to do the LDAP configuration for DC; can you please assist me with how to do it?
[root@localhost certs]# chown ldap:ldap *
chown: invalid user: ‘ldap:ldap’