
Openldap in replication for authentication and automount

An installation procedure for RHEL / AlmaLinux 9

 

Install the packages and start slapd. EPEL is enabled first because openldap-servers (and phpldapadmin, used later) is not in the base repositories of RHEL 9:

dnf install epel-release
dnf install openldap-servers openldap-clients sssd autofs -y

systemctl enable slapd --now
 

The example uses the domain example.com; the servers are ldap1.example.com and ldap2.example.com. Change these for your environment.

Repeat this installation on both servers; only the replication ldif differs between them (the server ID, the rid and the provider URL).

Create a password hash for the LDAP admin:

slappasswd
Paste the resulting {SSHA} string into init.ldif as the olcRootPW value (the hashes shown on this page are placeholders).


ldapmodify -Y EXTERNAL -H ldapi:/// -f init.ldif

dn: olcDatabase={2}mdb,cn=config 
changetype: modify 
replace: olcSuffix 
olcSuffix: dc=example,dc=com 

dn: olcDatabase={2}mdb,cn=config 
changetype: modify 
replace: olcRootDN 
olcRootDN: cn=admin,dc=example,dc=com 

dn: olcDatabase={2}mdb,cn=config 
changetype: modify 
replace: olcRootPW 
olcRootPW: {SSHA}I83pe96D8sKv+c0HhyvuudzhqjUSM7C+
 

Default schemas (cosine and nis supply posixAccount/posixGroup, inetorgperson the user entries used below):


ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif 
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif 
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif 

 

Add base domain:


ldapadd -x -D "cn=admin,dc=example,dc=com" -W -f add-base.ldif 

dn: dc=example,dc=com 
objectClass: top 
objectClass: dcObject 
objectClass: organization 
o: example.com 
dc: example
 

Add User and Group Organizational Units:

ldapadd -x -D "cn=admin,dc=example,dc=com" -W -f add-ou.ldif 

dn: ou=Groups,dc=example,dc=com 
ou: Groups 
objectClass: organizationalUnit 

dn: ou=Users,dc=example,dc=com 
ou: Users 
objectClass: organizationalUnit

 

 

Add modules for automount and replication:

ldapadd -Y EXTERNAL -H ldapi:/// -f add_module_entry.ldif 

dn: cn=module{0},cn=config 
objectClass: olcModuleList 
cn: module{0}
 

ldapmodify -Y EXTERNAL -H ldapi:/// -f enable_modules.ldif 

dn: cn=module{0},cn=config 
changetype: modify 
add: olcModuleLoad 
olcModuleLoad: syncprov.la 
olcModuleLoad: accesslog.la
 

Add the accesslog database. Create the directory /var/lib/ldap/accesslog, owned by ldap:ldap, before loading this ldif, and replace the olcRootPW hash with one generated by slappasswd. Note that this page loads the accesslog module and creates the database but never attaches an accesslog overlay to the {2}mdb database, so the replication below is plain syncrepl; the database stays unused until that overlay is added.

ldapadd -Y EXTERNAL -H ldapi:/// -f accesslog.ldif 

dn: olcDatabase={3}mdb,cn=config 
objectClass: olcDatabaseConfig 
objectClass: olcMdbConfig 
olcDatabase: {3}mdb 
olcDbDirectory: /var/lib/ldap/accesslog 
olcSuffix: cn=accesslog 
olcRootDN: cn=admin,cn=accesslog 
olcRootPW: {SSHA}FoJcNMML80s5EllEjdLsDNhu2xt8ew2s 
olcDbIndex: default eq 
olcDbIndex: entryCSN,entryUUID eq
 

Add replication. The rid and the provider URL point at the other server, and olcServerID must be unique per server:

On ldap1 (olcServerID: 1):

olcSyncRepl: rid=002
 provider=ldap://ldap2.example.com

On ldap2 (olcServerID: 2):

olcSyncRepl: rid=001
 provider=ldap://ldap1.example.com

 


ldapmodify -Y EXTERNAL -H ldapi:/// -f replication.ldif

The file below is the ldap1 version. On ldap2 use olcServerID: 2, rid=001 and provider=ldap://ldap1.example.com; everything else is identical. credentials= is the admin password, stored in clear text in cn=config, and with bindmethod=simple over a plain ldap:// URL it also crosses the network in clear on every (re)connect; use an ldaps:// provider URL or add starttls=critical once certificates are in place, and prefer a dedicated replication DN with read access over the rootdn. interval= applies only to type=refreshOnly and is ignored with refreshAndPersist. olcMirrorMode was renamed olcMultiProvider in OpenLDAP 2.5; the old name is still accepted.

# Define a unique server ID for this server (1 on ldap1, 2 on ldap2)
dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 1

# Add the syncprov overlay for the {2}mdb database
dn: olcOverlay=syncprov,olcDatabase={2}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov

# Configure syncrepl for replication and enable mirrormode
dn: olcDatabase={2}mdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=002
 provider=ldap://ldap2.example.com
 bindmethod=simple
 binddn="cn=admin,dc=example,dc=com"
 credentials=changeme
 searchbase="dc=example,dc=com"
 scope=sub
 schemachecking=on
 type=refreshAndPersist
 retry="30 5 300 3"
 interval=00:00:05:00
-
add: olcMirrorMode
olcMirrorMode: TRUE

# syncprov overlay on the accesslog database as well
dn: olcOverlay=syncprov,olcDatabase={3}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
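The two replication.ldif files must differ only in olcServerID, rid and the provider URL. The script below, an added example that is not from the original page, generates the file for either node from one table so that the two cannot drift apart. The suffix, admin DN and host names are the page's; the node table, the password argument and the optional StartTLS lines are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the original page: build replication.ldif for one
# node of the ldap1/ldap2 pair so that the two files differ only where they must
# (olcServerID, the consumer rid and the provider URL).  Suffix, admin DN and host
# names are the page's; the node table, the password argument and the optional
# StartTLS lines are assumptions of this example.

# gen_replication_ldif NODE PASSWORD [tls]
#   NODE      ldap1 or ldap2 (the host the file will be loaded on)
#   PASSWORD  password of the bind DN used towards the peer
#   tls       add starttls=critical / tls_reqcert=demand to the consumer settings
gen_replication_ldif() {
    node=$1; password=$2; mode=${3:-plain}
    case "$node" in
        ldap1) server_id=1; rid=002; peer=ldap2.example.com ;;
        ldap2) server_id=2; rid=001; peer=ldap1.example.com ;;
        *) echo "unknown node '$node' (expected ldap1 or ldap2)" >&2; return 1 ;;
    esac
    cat <<EOF
# olcServerID must differ between the two providers: $server_id on $node
dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: $server_id

# syncprov overlay on the {2}mdb database, so the peer can pull from this node
dn: olcOverlay=syncprov,olcDatabase={2}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov

# consumer side: pull from the peer and enable multi-provider mode
dn: olcDatabase={2}mdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=$rid
 provider=ldap://$peer
 bindmethod=simple
 binddn="cn=admin,dc=example,dc=com"
 credentials="$password"
 searchbase="dc=example,dc=com"
 scope=sub
 schemachecking=on
 type=refreshAndPersist
 retry="30 5 300 3"
EOF
    # bindmethod=simple sends the password in clear unless the session is
    # encrypted; starttls=critical makes the consumer refuse to continue without TLS.
    if [ "$mode" = tls ]; then
        printf ' starttls=critical\n tls_reqcert=demand\n'
    fi
    cat <<'EOF'
-
add: olcMirrorMode
olcMirrorMode: TRUE
EOF
}

# On each server:
#   gen_replication_ldif "$(hostname -s)" "$ADMIN_PW" tls > replication.ldif
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f replication.ldif
```

Run it on each server with that server's own short host name; the peer, rid and server ID follow from the table, and an unknown host name is refused rather than silently producing a file with a duplicate olcServerID.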

 

 

Automount:

Two ldif files that are not reproduced on this page: rfc2307.ldif carries the schema that defines the automount and automountMap object classes (loaded into cn=config), and autofs.ldif creates ou=automount with the auto.home map that the user entries below refer to (loaded into database 2, the dc=example,dc=com database). slapadd writes to the database files directly and bypasses the overlay stack: stop slapd before running it, run it on both servers (entries loaded this way are not seen by syncprov the way ldapadd writes are), and hand the files back to the ldap user afterwards (see "Finally" below).

slapadd -b cn=config -l rfc2307.ldif -F /etc/openldap/slapd.d/
slapadd -n 2 -l autofs.ldif -F /etc/openldap/slapd.d/

 

Add users:

The entries below go into database 2 with slapadd, with slapd stopped and on both servers, like the autofs tree above; ou=automount and the auto.home map must exist before the automount entry can be loaded. structuralObjectClass is an operational attribute: slapadd accepts it, ldapadd rejects it, so drop those lines when loading the same entries over the network. userPassword is stored exactly as written, so put the {SSHA} hash printed by slappasswd here rather than a clear-text word; VERYSTRONG is a placeholder, not a suggested value.

slapadd -n 2 -l openldap-data-import.ldif -F /etc/openldap/slapd.d/

dn: automountKey=john,automountMapName=auto.home,ou=automount,dc=example,dc=com
objectClass: automount
objectClass: top
automountKey: john
automountInformation: nfs01.example.com:/home0/john
description: john
structuralObjectClass: automount

dn: cn=john,ou=Users,dc=example,dc=com
uid: john
gidNumber: 1076
sn: Doe
cn: john
givenName: john
loginShell: /bin/bash
homeDirectory: /home/john
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
objectClass: posixAccount
uidNumber: 1076
structuralObjectClass: inetOrgPerson
# placeholder: use the {SSHA} hash from slappasswd, not a clear-text password
userPassword: VERYSTRONG

dn: cn=john,ou=Groups,dc=example,dc=com
gidNumber: 1076
cn: john
objectClass: top
objectClass: posixGroup
description: john

 

 

Finally:

slapadd ran as root, so the database files in /var/lib/ldap and the config under /etc/openldap/slapd.d now belong to root, and slapd (which runs as the ldap user) cannot open them for writing. Give those two trees back to ldap and restart. A recursive chown of all of /etc/openldap would also hand ldap.conf, the schema files and the certificate directory to the service account, which slapd does not need.

chown -R ldap:ldap /etc/openldap/slapd.d /var/lib/ldap

systemctl restart slapd

 

 

Administration:

Add users:

Example ldif (paul.ldif). This file is loaded over the network with ldapadd, so it differs from the slapadd import above in three places: the operational structuralObjectClass attribute is left out (ldapadd refuses it); the group gets memberUid, because a posixGroup like cn=john above has no member attribute (member exists only on groupOfNames); and the password should be the {SSHA} hash from slappasswd rather than the clear-text word shown. The group cn=user must already exist in ou=Groups.

dn: cn=paul,ou=Users,dc=example,dc=com
uid: paul
gidNumber: 1000
sn: Smith
cn: paul
givenName: Paul
loginShell: /bin/bash
homeDirectory: /home/paul
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
objectClass: posixAccount
uidNumber: 1000

dn: cn=user,ou=Groups,dc=example,dc=com
changetype: modify
add: memberUid
memberUid: paul

dn: cn=paul,ou=Users,dc=example,dc=com
changetype: modify
replace: userPassword
# clear text as on the original page; use the {SSHA} hash from slappasswd instead
userPassword: wukyutsya

dn: automountKey=paul,automountMapName=auto.home,ou=automount,dc=example,dc=com
objectClass: automount
objectClass: top
automountKey: paul
automountInformation: nfs01.example.com:/home0/paul
description: paul
 

Add user: ldapadd -x -W -D "cn=admin,dc=example,dc=com" -f paul.ldif
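Writing paul.ldif by hand every time invites two mistakes the text above warns about: a clear-text userPassword and a stray attribute. The script below, an added example that is not from the original page, generates the same three entries (posixAccount, group membership, auto.home key) from validated inputs and refuses anything that is not a slappasswd hash. The suffix, OUs and NFS server are the page's; the node assumptions of this example are that the hash is produced beforehand with slappasswd and passed in, that the group is a posixGroup (memberUid), and that the validation rules are this script's own.

```shell
#!/bin/sh
# Added example, not code from the original page: build paul.ldif the way the page
# does (posixAccount entry, group membership, auto.home automount key), but with
# the password already hashed and every value validated before it is written.
# Suffix, OUs and the NFS server are the page's.  Assumptions of this example:
# the hash is produced beforehand with slappasswd and passed in, the group is a
# posixGroup (memberUid), and the validation rules are this script's own.

export LC_ALL=C   # make the bracket ranges below byte-exact

# Login or group name: a lower-case letter followed by lower-case letters,
# digits, '-' or '_'.  Anything else (CR/LF, ':', spaces) is refused so that a
# crafted name cannot smuggle extra attributes or entries into the LDIF.
valid_uid() {
    case "$1" in
        '' | *[!a-z0-9_-]* ) return 1 ;;
        [a-z]* ) return 0 ;;
        * ) return 1 ;;
    esac
}

# uid/gid number: digits only, outside the system range.
valid_number() {
    case "$1" in
        '' | *[!0-9]* ) return 1 ;;
    esac
    [ "$1" -ge 1000 ]
}

# Password as printed by slappasswd ({SSHA}..., {ARGON2}...), never a bare word.
valid_hash() {
    case "$1" in
        '{'[A-Z0-9]*'}'?* ) return 0 ;;
        * ) return 1 ;;
    esac
}

# Free text (sn): no control characters, and not starting with ':', '<' or a
# space, which have special meaning at the start of an LDIF value.
valid_text() {
    case "$1" in
        '' | *[[:cntrl:]]* | :* | '<'* | ' '* ) return 1 ;;
        * ) return 0 ;;
    esac
}

# gen_user_ldif LOGIN NUMBER SURNAME HASH GROUP  -> LDIF on stdout
# NUMBER is used for both uidNumber and gidNumber, as for john on the page.
gen_user_ldif() {
    login=$1; number=$2; surname=$3; hash=$4; group=$5
    valid_uid "$login"     || { echo "bad login name" >&2; return 1; }
    valid_number "$number" || { echo "bad uid/gid number: $number" >&2; return 1; }
    valid_text "$surname"  || { echo "bad surname" >&2; return 1; }
    valid_hash "$hash"     || { echo "password must be a slappasswd hash, not clear text" >&2; return 1; }
    valid_uid "$group"     || { echo "bad group name" >&2; return 1; }
    cat <<EOF
dn: cn=$login,ou=Users,dc=example,dc=com
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
cn: $login
sn: $surname
givenName: $login
uid: $login
uidNumber: $number
gidNumber: $number
homeDirectory: /home/$login
loginShell: /bin/bash
userPassword: $hash

dn: cn=$group,ou=Groups,dc=example,dc=com
changetype: modify
add: memberUid
memberUid: $login

dn: automountKey=$login,automountMapName=auto.home,ou=automount,dc=example,dc=com
changetype: add
objectClass: top
objectClass: automount
automountKey: $login
automountInformation: nfs01.example.com:/home0/$login
EOF
}

# Typical use:
#   gen_user_ldif paul 1000 Smith "$(slappasswd)" users > paul.ldif
#   ldapadd -x -W -D "cn=admin,dc=example,dc=com" -f paul.ldif
```

The name check is deliberately strict: LDIF is line-oriented, so a login containing a newline followed by "dn:" or "uid:" would become a second entry or a second attribute, and the rootdn loading the file would create it without complaint.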

 

There is also a web interface, phpLDAPadmin: https://github.com/leenooks/phpLDAPadmin.

On AlmaLinux it comes from EPEL (enabled in the first step): dnf install phpldapadmin. It binds with whatever DN you give it, the rootdn included, so serve it over HTTPS only and limit who can reach it.

 

SSSD

/etc/sssd/sssd.conf, without TLS. This file is for sssd running on the LDAP server itself, where ldap_uri points at localhost and the traffic never leaves the host. The option ldap_auth_disable_tls_never_use_in_production does what its name says. On a client that reaches ldap1/ldap2 over the network, drop it, list both servers in ldap_uri as ldaps:// URLs (or set ldap_id_use_start_tls = True), set ldap_tls_reqcert = demand and point ldap_tls_cacertdir (or ldap_tls_cacert) at the CA that signed the server certificates; otherwise every login sends the password in clear text and any host on the path can impersonate the directory.


[domain/default] 
debug_level = 6 
id_provider = ldap 
autofs_provider = ldap 
ldap_autofs_search_base = ou=automount,dc=example,dc=com 
ldap_autofs_map_object_class = automountMap 
ldap_autofs_entry_object_class = automount 
ldap_autofs_map_name = automountMapName 
ldap_autofs_entry_key = automountKey 
ldap_autofs_entry_value = automountInformation 
auth_provider = ldap 
chpass_provider = ldap 
ldap_uri = ldap://localhost/ 
ldap_search_base = dc=example,dc=com 
ldap_id_use_start_tls = False 
ldap_tls_cacertdir = /etc/openldap/certs 
cache_credentials = True 
ldap_tls_reqcert = allow 
ldap_auth_disable_tls_never_use_in_production = true 

[sssd] 
services = nss, pam, autofs 
domains = default 
debug_level = 9 

[nss] 
homedir_substring = /home 

[autofs] 
debug_level = 6

systemctl restart sssd 
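The settings above are only acceptable on the LDAP server itself. The checker below, an added example that is not from the original page, reads an sssd.conf and reports the settings that would be dangerous on a networked client: the disable-TLS option, an unencrypted non-loopback ldap_uri, a certificate check weaker than hard/demand, and a single server with no failover. The option names are sssd-ldap's; the rules and the sample configuration used in the self-test are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the original page: flag the sssd.conf settings that
# are tolerable only when sssd runs on the LDAP server itself (ldap_uri pointing
# at localhost) and must not be used on a client that reaches ldap1/ldap2 over
# the network.  The option names are sssd-ldap's; the rules and the sample
# configs in the self-test are constructed for this example.

# Value of key $1 from the normalised "key=value" lines in $kv (last one wins).
conf_get() {
    printf '%s\n' "$kv" | sed -n "s/^$1=//p" | tail -n 1
}

# check_sssd_conf CONFIG_TEXT: one finding per line on stdout; exit status 0
# when nothing was flagged, 1 otherwise.
check_sssd_conf() {
    findings=0
    # Only the [domain/...] section matters; strip trailing blanks and the spaces
    # around '=' so that "key = value" and "key=value" compare alike.
    kv=$(printf '%s\n' "$1" | sed -n '/^\[domain\//,/^\[/p' \
         | sed -n 's/[[:space:]]*$//; s/^[[:space:]]*\([a-z_]*\)[[:space:]]*=[[:space:]]*\(.*\)$/\1=\2/p')
    uri=$(conf_get ldap_uri)

    # A single loopback URI never leaves the host; a list, or a host name, does.
    case "$uri" in
        *,*)                                            local_only=0 ;;
        ldapi://*|ldap://localhost*|ldap://127.0.0.1*)  local_only=1 ;;
        *)                                              local_only=0 ;;
    esac

    if [ "$(conf_get ldap_auth_disable_tls_never_use_in_production | tr A-Z a-z)" = true ]; then
        echo "ldap_auth_disable_tls_never_use_in_production: passwords are sent to the server in clear"
        findings=$((findings + 1))
    fi

    if [ "$local_only" = 0 ]; then
        # any ldaps:// in the list counts as encrypted; tighten this if you mix schemes
        case "$uri" in
            *ldaps://*) ;;
            *) if [ "$(conf_get ldap_id_use_start_tls | tr A-Z a-z)" != true ]; then
                   echo "ldap_uri=$uri is not ldaps:// and ldap_id_use_start_tls is not True: lookups cross the network unencrypted"
                   findings=$((findings + 1))
               fi ;;
        esac
        reqcert=$(conf_get ldap_tls_reqcert)
        case "$reqcert" in
            ''|hard|demand) ;;      # sssd's default is hard
            *) echo "ldap_tls_reqcert=$reqcert: the server certificate is not verified, so the directory can be impersonated"
               findings=$((findings + 1)) ;;
        esac
        case "$uri" in
            *,*) ;;
            *) echo "single ldap_uri: list both ldap1 and ldap2 so clients survive one server being down"
               findings=$((findings + 1)) ;;
        esac
    fi
    [ "$findings" -eq 0 ]
}

# Typical use:  check_sssd_conf "$(cat /etc/sssd/sssd.conf)" || echo "fix before rollout"
```

Run against the configuration shown on this page the checker reports only the disable-TLS option, because ldap_uri is loopback; the same file with ldap_uri pointed at ldap1.example.com gets three findings.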

 

Automount

 

systemctl restart autofs

 

/etc/nsswitch.conf

On RHEL 9 this file and the PAM stack are generated by authselect: its sssd profile writes the sss entries below together with the pam_sss lines this page does not show, and a hand-edited nsswitch.conf is overwritten the next time authselect applies a profile. The relevant lines:

passwd:     sss files systemd 
shadow:     files 
group:      sss files systemd 
hosts:      files dns myhostname 
services:   files sss 
netgroup:   sss 
automount:  files sss 

aliases:    files 
ethers:     files 
gshadow:    files 
# Allow initgroups to default to the setting for group. 
# initgroups: files 
networks:   files dns 
protocols:  files 
publickey:  files 
rpc:        files
 

Testing

Search the directory directly, then through sssd. The filter on structuralObjectClass=person matches nothing here: structuralObjectClass holds only the most specific structural class, which for the entries above is inetOrgPerson, so filter on objectClass=posixAccount instead. -H takes the full URL and replaces the older -h host option.

ldapsearch -H ldap://127.0.0.1 -x -W -D "cn=admin,dc=example,dc=com" -b "dc=example,dc=com" "(objectClass=posixAccount)"

getent passwd john

If ldapsearch returns the entry and getent does not, the fault is in sssd.conf or nsswitch.conf rather than in the directory. The same getent on the second server shows whether replication delivered the entry.
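A getent on each server only proves that one entry arrived. The script below, an added example that is not from the original page, checks convergence the way the servers themselves track it: in multi-provider mode the suffix entry carries one contextCSN per olcServerID, and both servers must return the same set. The suffix, admin DN and host names are the page's; the password file path and the ldapsearch output used in the self-test are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the original page: check that ldap1 and ldap2 have
# converged.  In multi-provider mode each server keeps one contextCSN per
# olcServerID on the suffix entry; when replication is healthy both servers
# return the same set of values.  Suffix and host names are the page's; the
# password file path and the ldapsearch output in the self-test are constructed.

# Sorted contextCSN values from a block of ldapsearch output ($1), one per line.
csn_values() {
    printf '%s\n' "$1" | sed -n 's/^contextCSN: //p' | sort
}

# Succeeds when both outputs carry the same, non-empty contextCSN set.
csn_in_sync() {
    [ -n "$(csn_values "$1")" ] && [ "$(csn_values "$1")" = "$(csn_values "$2")" ]
}

# The olcServerID that generated a CSN: the third '#'-separated field
# (e.g. 001 in 20240301100000.000000Z#000000#001#000000).
csn_sid() {
    printf '%s\n' "$1" | cut -d'#' -f3
}

# Number of distinct server IDs present in a CSN set.  Once both nodes have
# accepted at least one write this is 2; a 1 means one side never wrote, or its
# changes are not being pulled.
csn_sid_count() {
    csn_values "$1" | cut -d'#' -f3 | sort -u | wc -l | tr -d ' '
}

# Live check: read the suffix entry's contextCSN from both servers and compare.
# Binds as the page's admin DN; the password is read from a file (-y) so that it
# does not appear in the process list.  LDAP_PW_FILE is this example's own name.
replication_status() {
    pwfile=${LDAP_PW_FILE:-/root/.ldap-admin-pw}
    a=$(ldapsearch -LLL -x -H ldap://ldap1.example.com -D "cn=admin,dc=example,dc=com" \
            -y "$pwfile" -b dc=example,dc=com -s base contextCSN)
    b=$(ldapsearch -LLL -x -H ldap://ldap2.example.com -D "cn=admin,dc=example,dc=com" \
            -y "$pwfile" -b dc=example,dc=com -s base contextCSN)
    if csn_in_sync "$a" "$b"; then
        echo "in sync ($(csn_sid_count "$a") server IDs seen)"
    else
        echo "NOT in sync"
        printf 'ldap1:\n%s\nldap2:\n%s\n' "$a" "$b"
        return 1
    fi
}
```

A mismatch right after a write is normal for a moment; a mismatch that persists, or a server-ID count that stays at 1 after both sides have been written to, means the consumer side on one node is not connecting (check the rid/provider pair and the credentials in replication.ldif).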

 

 

Ulterius - T. 0623391101 - E. info@ulterius.nl
KvK. 55625207