Presentation of LDAP
LDAP stands for Lightweight Directory Access Protocol. It’s an open protocol for accessing and maintaining distributed directory information services over an IP network (source wikipedia).
Here it is used to facilitate user account administration. Instead of storing user accounts locally on each server, the LDAP directory stores them globally and makes them available to a group of servers.
This tutorial doesn’t explain how to set up the Automounter and the NFS services. It has been tested for RHEL 7.0, RHEL 7.1 and RHEL 7.2 (non-patched versions).
During this tutorial, try to follow the instructions very precisely because LDAP syntax is sometimes cumbersome (case sensitive, space, etc) and prone to errors (dn/dc/cn).
Let’s assume that we use the example.com domain and the instructor.example.com hostname (this hostname should be resolved either by the /etc/hosts file or by DNS).
Installation Procedure
Install the following packages:
# yum install -y openldap openldap-clients openldap-servers migrationtools
Generate a LDAP password from a secret key (here redhat):
# slappasswd -s redhat -n > /etc/openldap/passwd
Generate a X509 certificate valid for 365 days:
# openssl req -new -x509 -nodes -out /etc/openldap/certs/cert.pem \ -keyout /etc/openldap/certs/priv.pem -days 365 Generating a 2048 bit RSA private key .....+++ ..............+++ writing new private key to '/etc/openldap/certs/priv.pem' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]: State or Province Name (full name) []: Locality Name (eg, city) [Default City]: Organization Name (eg, company) [Default Company Ltd]: Organizational Unit Name (eg, section) []: Common Name (eg, your name or your server's hostname) []:instructor.example.com Email Address []:
Secure the content of the /etc/openldap/certs directory:
# cd /etc/openldap/certs # chown ldap:ldap * # chmod 600 priv.pem
Prepare the LDAP database:
# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
Generate database files (don’t worry about error messages!):
# slaptest 53d61aab hdb_db_open: database "dc=my-domain,dc=com": db_open(/var/lib/ldap/id2entry.bdb) failed: No such file or directory (2). 53d61aab backend_startup_one (type=hdb, suffix="dc=my-domain,dc=com"): bi_db_open failed! (2) slap_startup failed (test would succeed using the -u switch)
Change LDAP database ownership:
# chown ldap:ldap /var/lib/ldap/*
Activate the slapd service at boot:
# systemctl enable slapd
Start the slapd service:
# systemctl start slapd
Check the LDAP activity:
# netstat -lt | grep ldap tcp 0 0 0.0.0.0:ldap 0.0.0.0:* LISTEN tcp6 0 0 [::]:ldap [::]:* LISTEN
Alternatively, you can use: # ss -ltap | grep ldap
To start the configuration of the LDAP server, add the cosine & nis LDAP schemas:
# cd /etc/openldap/schema # ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f cosine.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 adding new entry "cn=cosine,cn=schema,cn=config" # ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f nis.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 adding new entry "cn=nis,cn=schema,cn=config"
Then, create the /etc/openldap/changes.ldif file and paste the following lines (replace PASSWORD with the previously created password like {SSHA}l8A+0c+lRcymtWuIFbbc3EJ1PRZz9mGg ):
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=example,dc=com
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=example,dc=com
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: PASSWORD
dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/cert.pem
dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/priv.pem
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: -1
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=example,dc=com" read by * none
Note: A problem with olcTLSCertificateFile and olcTLSCertificateKeyFile has been reported in recent versions of OpenLDAP (details) coming with RHEL 7.5; these attributes have to be modified at the same time:
dn: cn=config changetype: modify replace: olcTLSCertificateFile olcTLSCertificateFile: /etc/openldap/certs/cert.pem - replace: olcTLSCertificateKeyFile olcTLSCertificateKeyFile: /etc/openldap/certs/priv.pem
Send the new configuration to the slapd server:
# ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/openldap/changes.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "cn=config"
modifying entry "cn=config"
modifying entry "cn=config"
modifying entry "olcDatabase={1}monitor,cn=config"
Create the /etc/openldap/base.ldif file and paste the following lines:
dn: dc=example,dc=com dc: example objectClass: top objectClass: domain dn: ou=People,dc=example,dc=com ou: People objectClass: top objectClass: organizationalUnit dn: ou=Group,dc=example,dc=com ou: Group objectClass: top objectClass: organizationalUnit
Build the structure of the directory service:
# ldapadd -x -w redhat -D cn=Manager,dc=example,dc=com -f /etc/openldap/base.ldif adding new entry "dc=example,dc=com" adding new entry "ou=People,dc=example,dc=com" adding new entry "ou=Group,dc=example,dc=com"
Note: In case you’ve got the following error message “ldap_bind: Invalid credentials (49)”, check the password line is correct and re-run ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/openldap/changes.ldif if not.
For example: olcRootPW: {SSHA}l8A+0c+lRcymtWuIFbbc3EJ1PRZz9mGg
Create two users for testing:
# mkdir /home/guests # useradd -d /home/guests/ldapuser01 ldapuser01 # passwd ldapuser01 Changing password for user ldapuser01. New password:user01ldapRetype new password:user01ldappasswd: all authentication tokens updated successfully. # useradd -d /home/guests/ldapuser02 ldapuser02 # passwd ldapuser02 Changing password for user ldapuser02. New password:user02ldapRetype new password:user02ldappasswd: all authentication tokens updated successfully.
User Account Migration
Go to the directory for the migration of the user accounts:
# cd /usr/share/migrationtools
Edit the migrate_common.ph file and replace in the following lines:
$DEFAULT_MAIL_DOMAIN = "example.com"; $DEFAULT_BASE = "dc=example,dc=com";
Create the current users in the directory service:
# grep ":10[0-9][0-9]" /etc/passwd > passwd # ./migrate_passwd.pl passwd users.ldif # ldapadd -x -w redhat -D cn=Manager,dc=example,dc=com -f users.ldif adding new entry "uid=ldapuser01,ou=People,dc=example,dc=com" adding new entry "uid=ldapuser02,ou=People,dc=example,dc=com" # grep ":10[0-9][0-9]" /etc/group > group # ./migrate_group.pl group groups.ldif # ldapadd -x -w redhat -D cn=Manager,dc=example,dc=com -f groups.ldif adding new entry "cn=ldapuser01,ou=Group,dc=example,dc=com" adding new entry "cn=ldapuser02,ou=Group,dc=example,dc=com"
Test the configuration with the user called ldapuser01:
# ldapsearch -x cn=ldapuser01 -b dc=example,dc=com
Firewall Configuration
Add a new service to the firewall (ldap: port tcp 389):
# firewall-cmd --permanent --add-service=ldap
Reload the firewall configuration:
# firewall-cmd --reload
Edit the /etc/rsyslog.conf file and add the following line:
local4.* /var/log/ldap.log
Restart the rsyslog service:
# systemctl restart rsyslog
Additional Resources
If you want to learn more about the LDAP topic, you can read this free LDAP book.
Fedora documentation‘s got a chapter about Configuring Directory Servers and OpenLDAP.
The Linoxide website provides a tutorial about Setting up OpenLDAP multi-master replication.
The learnitguide.net website offers a tutorial about Configuring an OpenLDAP server on RHEL 7.
wow,good man, followed you line by line and LDAP server running very smoothly.
Questions:
How do you setup the GUI side
and
is one expected to set this up during RHCSA exam??
No, there is no GUI side required for the RHCSA exam.
when I go to this command “ldapadd -x -w redhat -D cn=Manager,dc=example,dc=com -f base.ldif”
an error msg shown : “base.ldif No such file or directory”
I follow your steps by coping and pasting the command to the command line. Do you have any suggestion to such problems. Thanks.
Replace base.ldif with /etc/openldap/base.ldif
[root@example migrationtools]# grep “:10[0-9][0-9]” /etc/passwd > passwd
[root@example migrationtools]# ./migrate_passwd.pl passwd users.ldif
[root@example migrationtools]# ldapadd -x -w redhat -D cn=Manager,dc=example,dc=com -f users.ldif
ldap_bind: Invalid credentials (49)
[root@example migrationtools]#
[root@example migrationtools]#
Are you sure that you followed the instruction # slappasswd -s redhat -n > /etc/openldap/passwd?
Hi CertDepot, I have same problem.
[root@server2 schema]# ldapadd -x -w redhat -D cn=Manager,dc=example,dc=com -f /etc/openldap/base.ldif
ldap_bind: Invalid credentials (49)
Kindly help!
Start the tutorial again!
CertDepot, it seems you only reply to selected candidates as I never get a reply from you
Sorry but I can’t answer all the questions I receive. I didn’t create a web forum for this same reason: I haven’t got the time.
Nevertheless, no one can deny the fact this website is amazingly helpful.
Thanks for great work!
A big thank you for these kind words.
Excellent article. Thanks for sharing. May I suggest though to replace the line containing:
ldapadd -x -w redhat -D cn=Manager,dc=example,dc=com -f base.ldif
by:
ldapadd -x -w redhat -D cn=Manager,dc=example,dc=com -f /etc/openldap/base.ldif
?
You are right. It is now fixed. Thank you.
everything was going fine until here please help:
[root@rhel7-testServer schema]# ldapadd -x -w redhat -D cn=Manager,dc=example,dc=com -f /etc/openldap/base.ldif
ldap_sasl_bind(SIMPLE): Can’t contact LDAP server (-1)
Did you start the OpenLDAP server? # systemctl start slapd
This works perfectly now…
But do we need to remember all these for RHCSA exam? It will be a killer!!
No, you only need to remember how to configure the client side for the RHCSA exam, not the server side.
The server side tutorial is only there to allow you to test your client configuration.
All is well until I get to the ‘Build the structure of the directory service’ I run the ldapadd command and I get this error:
ber_get_next failed.
ldap_result: Can’t contact LDAP server (-1)
my server is running RHEL7.1 and selinux is permissive.
thanks in advance for any help you can provide.
Sorry, I don’t know what this error means.
Hi thanks for fantastic website. I only wish things could go smooth with me.
You wrote:
openssl req -new -x509 -nodes -out /etc/openldap/certs/cert.pem -keyout
I had to do this like this:
openssl req -new -x509 -nodes -keyout /etc/openldap/certs/cert.pem
Then it worked.
When you wrote:
Generate a LDAP password from a secret key (here redhat):
slappasswd -s redhat -n > /etc/openldap/passwd
I just made up non-existing file, then created some secret key with ssh-keygen and replace redhat with it.
However when I’m in config /etc/openldap/changes.ldif
replace password with the previously created password)
then what should I do ? Put plain text password for my generated key? Or path to it?
Nevertheless when I
ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/openldap/changes.ldif
my output is
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry “olcDatabase={2}hdb,cn=config”
modifying entry “olcDatabase={2}hdb,cn=config”
modifying entry “olcDatabase={2}hdb,cn=config”
ldap_modify: Constraint violation (19)
additional info: extra cruft after
Thus I get ldap_bind: Invalid credentials (49)
on STEP:
ldapadd -x -w /root/kluczLDAP -D cn=Manager,dc=example,dc=com -f /etc/openldap/base.ldif
HELP
I didn’t write: # openssl req -new -x509 -nodes -out /etc/openldap/certs/cert.pem -keyout
but: # openssl req -new -x509 -nodes -out /etc/openldap/certs/cert.pem -keyout /etc/openldap/certs/priv.pem -days 365
I repeat my instructions:
# slappasswd -s redhat -n > /etc/openldap/passwd
# cat /etc/openldap/passwd
{SSHA}l8A+0c+lRcymtWuIFbbc3EJ1PRZz9mGg
Then, replace passwd # previously generated password (see above) with {SSHA}l8A+0c+lRcymtWuIFbbc3EJ1PRZz9mGg
Good luck 😉
Excellent Article !! Can be treated a perfect walkthrough document for LDAP Server configuration in RHEL7 !! Cheers !!
Thank you.
Great tutorial, everything worked fine! Just one questions about the ports: In your tutorial you are opening port 389. As we are using a certificate and therefore ldaps, shouldn’t it be port 636?
I think we are using ldap with a TLS layer on top of it. I don’t think we are really using ldaps.
This explains why we only open the 389 port.
Thanks for the tutorial.
On the 636 port thingy, I was also surprised for not using ldaps.
I found that to enable it, you should edit /etc/sysconfig/slapd and add ldaps:/// there in SLAPD_URLS.
Also, TLSCACertificateFile should be added according to OPENLDAP documentation (same cert in the case of a Self Signed Cert)
Very interesting. Thanks.
my server works if I user ldapwhoami ldap:/// but if I use ldaps:/// I would get:
ldap_sasl_bind(SIMPLE): Can’t contact LDAP server (-1)
and if I add this to /etc/sysconfig/slapd:
SLAPD_URLS=”ldapi:/// ldaps:///”
# Any custom options
SLAPD_OPTIONS=”-g ldap”
Not even ldap:/// would work. Not quite sure how to add TLSCACertificateFile to openldap, if you believe that is the problem. but ldapwhoami ldap:/// should still work and it will if I change the /etc/sysconfig/slapd to SLAPD_URLS=”ldapi:/// ldaps:///”. Thanks for any thoughs and feedbacks.
I have solved the part with regard to SLAPD_URLS by adding “ldap:/// ldapi:/// ldaps:///” but not sure the certificated part is correct as ldpas still does not work . I followed these two links but still no joy:
http://www.server-world.info/en/note?os=CentOS_7&p=ssl
http://www.server-world.info/en/note?os=CentOS_7&p=openldap&f=4
Hi Dear
Do we have to configure LDAP server in the exam which you showed on this page.
because in exam objectives it says:
**Configure a system to use an existing authentication service for user and group information**
No, you definitively don’t need to configure a LDAP server during the RHCSA 7 exam.
However, in order to test your LDAP client configuration, it is better to set up such a server in your own lab.
Then, create the /etc/openldap/changes.ldif file and paste the following lines (replace passwd with the previously created password like {SSHA}l8A+0c+lRcymtWuIFbbc3EJ1PRZz9mGg ):
I am stuck in this step. I don’t see any password generated previously ?
Can you please help on this
In one of the first steps, you typed # slappasswd -s redhat -n > /etc/openldap/passwd
Now, you have to paste the content of the /etc/openldap/passwd file.
Hi CertDepot,
I have a requirement to configure LDAP in production. But i dont want to install OPENLDAP. Do we have any difference between LDAP and OPEN LDAP.. Do you have any configuration steps for LDAP.
2) Once server setup done. how do i configure ldap client, so that i can login to redhat machine with the user which i created on ldap user
Please help me on by two question s
regards
suresh bk
This website is mainly around the RHCSA and RHCE exams, it doesn’t explain how to set up all the available tools outside this context.
However, to answer your question, besides OpenLDAP, you can look at FreeIPA that is also a LDAP server. You have two options: install the FreeIPA server with all its components (Kerberos, Apache, LDAP, DNS, etc -> http://www.pmsas.pr.gov.br/wp-content/?id=certdepot-EX200&exam=rhel7-configure-freeipa-server/) or only install the LDAP component called 389.
Very good article Man I really appreciate it. I just need your help I have configured OpenLdap for my GIT server everything is going well but the only problem with the users password. For every user, I have to set a password but the users are not able to change it after. How do I force the users to change their password at first login?
Please suggest! I have googled it a lot but no possible solution found.
Sorry, I don’t know. Create a thread on Reddit, somebody will perhaps be able to answer your question.
Do we need to install a dns server prior to this openldap server configuration?
No, the OpenLDAP server name can also be resolved via the /etc/hosts file.
Hello Everyone
I am working on configuring ldap using this article. I believe i messed up
executing ldapserach returns the following error .
[root@linux7 schema]# ldapsearch -x cn=ldapuser01 -b dc=example,dc=com
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: cn=ldapuser01
# requesting: ALL
#
# search result
search: 2
result: 32 No such object
# numResponses: 1
Will be glad if someone can help in rectifying this.
Below are few of the details of my settings i have on the Linux machine
[root@linux7 schema]# hostname
linux7.ak.com
[root@linux7 schema]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.66.150 linux7.ak.com
[root@linux7 schema]# cat /etc/openldap/changes.ldif
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=ak,dc=com
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=ak,dc=com
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}st++Pz9tulT4t0AackWoAPONq3HgNEOI
dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/cert.pem
dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/priv.pem
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: -1
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base=”gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth” read by dn.base=”cn=Manager,dc=ak,dc=com” read by * none
[root@linux7 schema]#
How do you enable LDAPS? When I tried by editing /etc/sysconfig/slapd and putting in SLAPD_URLS=”ldapi:/// ldap:/// ldaps:///” it doesn’t work.
I get
ldap_sasl_bind(SIMPLE): Can’t contact LDAP server (-1)
Have you tested this with self-signed certificates?
No, I didn’t test it because I thought it was not part of the exam.
Would there be a similar link for ldap replication, this is very good. I am trying this site below for centos 7, seems easy but does not work. Nothing on this site ever worked for me even though looks very well put together.
http://www.server-world.info/en/note?os=CentOS_7&p=openldap&f=5
LDAP replication is a feature I have never used until now. If I have to set it up, I will write an article 😉
Please do try LDAP replication, you write great articles, it was through this article that I got my server, client working. Thank you in advance.
Is this also an RHCSA exam requirement or we need to configure Client part only ??
The precise requirement is to configure the client part. However, to test the client part, you also need to set up the server part.
Of course, in lab we need to configure the server as well… but can we expect pre-configured LDAP server to be present in the lab for RHCSA??
Yes, during the exam, the LDAP server is already configured. You don’t need to do anything on this side.
I wasn’t able to copy / paste the changes.ldif (I’m using VirtualBox, which doesn’t seem to allow copy/paste even though I have clipboard enabled between host and guest…). But I verified it, literally 4 times, very slowly, and its correct.
But apparently its not, I get:
# ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/opnldap/changes.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry “olcDatabase={2}hdb,cn=config”
modifying entry “olcDatabase={2}hdb,cn=config”
modifying entry “olcDatabase={2}hdb,cn=config”
modifying entry “cn=config”
modifying entry “cn=config”
modifying entry “cn=config”
ldapmodify: invalid format (line 35) entry: “olcDatabase={1}monitor,cn=config”
#
Line 35 is the long one, staring with dn.base… looks good. So hmm, suggestions?
Thanks!
SK
Figured it out, there was a hidden line feed that was somehow entered due to the small vbox screen… The pain we IT guys go through just to prepare a server to just prepare for an exam, lol. Dedicated bunch aren’t we?!
Now on to the client side to test my external ldap authentication skills.
SK
After the step: “To start the configuration of the LDAP server, add the cosine & nis LDAP schemas” I am getting this error:
ldap_modify: Confidentiality required (13)
additional info: stronger confidentiality required for update
Any ideas?
Sorry, I don’t know.
Hi CertDepot,
Need your enlightment for practicing LDAP. Can we use IPA Server instead or this is different?
I think it’s different. The OpenLDAP server configuration takes time but is a proved solution.
Hi CertDepot,
Sorry for asking again IMHO when we install IPA server isn’t the LDAP and Kerberos automatically configured also, so we don’t have to do it manually
Again thank you for your reply and info
Yes, a lot of things are set automatically. However, on the client side, the configuration can be slightly different.
I’m not saying that it’s not possible, I only think it can be slightly different.
Great article indeed! Really useful for Red Hat and Linux Foundation exams, please keep up the good work!. I’d like to make a suggestion. As netstat is not installed by default in CentOS/RedHat 7 maybe you could change:
netstat -lt | grep ldap
With:
ss -ltap | grep ldap
It seems that ss replaced netstat, but of course you can still use it installing the net-tools package (yum install net-tools).
Cheers!
I’m updating the tutorial right away. Thanks.
Hi, stuck on:
# ldapadd -x -w redhat -D cn=Manager,dc=example,dc=com -f users.ldif
getting the error
ladp_bind: Invalid credentials (49)
Although I used “redhat” as password.
Any ideas?
I would try to reset the password.
Generate a new password:
# slappasswd -h {SSHA}
Create an LDIF to change it:
# cat ./change_pw.ldif
dn: cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}sha_value_you_got_above
Change the password:
# ldapadd -Y EXTERNAL -H ldapi:/// -f ./change_pw.ldif
Hello! Please help me I’m stuck at here too. I tried several times from scratch (even from fresh CentOS7 installations) but I still get
ladp_bind: Invalid credentials (49)
after
# ldapadd -x -w redhat -D cn=Manager,dc=example,dc=com -f /etc/openldap/base.ldif
If you bump into the error:
“ldap_add: Invalid syntax (21)
additional info: objectClass: value #2 invalid per syntax”
when trying to migrate users try:
# grep “:100[1-9]” /etc/passwd > passwd
Hi, Thanks for the tutorial. I successfully configured ldap server. I’ve a silly question, while I am configuring ldap client using the gui system-config-authentication command, which certificate i need to download for the TLS encryption download CA Certificate?
Hello CertDepot! Thank you very much for creating this site! I have followed your instructions step-by-step but now I am facing an issue at step “Build the structure of the directory service:” When I use this command:
ldapadd -x -w centos -D cn=Manager,dc=example,dc=com -f /etc/openldap/base.ldif
I receive the following reply:
ldap_bind: Invalid credentials (49)
Do you know where I have gone wrong? Thank you for your time and help!
You are not the only one to get this error. I sincerely don’t know what causes it.
What values do you have set for olcRootDN and olcRootPW? Make sure you use these with ldapadd command, as otherwise it will not work.
Ok Thank you. I will start over again and try it out.
Hello CertDepot and thank you for your tutorial.
I have a problem with it.
When i push the command :” ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/openldap/changes.ldif” i have this next error :
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry “olcDatabase={2}hdb,cn=config”
ldap_modify: No such object (32)
matched DN: cn=config
Could you help me please?
If the file /var/lib/ldap/DB_CONFIG present on your system?
I found that the slapd service runs as the ldap user, and because of this, the directory server is unable to modify any files created by slapadd.
The file /var/lib/ldap/DB_CONFIG is present.
The service slapd run with the ldap user.
I’m about half way through, am now at changes.ldif
I’m using a server with a hostname in the format:
servernumber.subdomain.name.com
Can I still use dc=example,dc=com ??
Does it have to be related in any way whatsoever, to the hostname? I understand I’ll have to edit /etc/hosts of the clients I’m setting up.
OK decided to just change static hostname on the server. Followed this guide *precisely* on a CentOS server and it’s all working now, from a CentOS client.
At first I couldn’t get the LDAP client to work on Fedora, so thought maybe the server was misconfigured ? Doesn’t matter anymore.
Also, in the middle, I accidentally followed your RHEL6/2014 version of this guide, on a different page, and then when I came back to this RHEL7 version, I couldn’t:
systemctl start slapd
But I realized that I just had to delete the olcRootPW: line from olcDatabase={2}bdb.ldif
Many thanks ! Was relatively painless. Now I just have to memorize ‘>.<' [it's an emoji!]
Perfect.
Do you know if it’s at all possible for an LDAP user to get access to the server’s
/etc/passwd/file, or a list of the server’s users? I’m thinking for malicious reasons.I actually did stray from this guide when following it – where it says
grep “:10[0-9][0-9]”I instead did grepldapuseras I only wantedldapuser01andldapuser02to be shared.No, I don’t think an LDAP user can get access to the /etc/passwd file of the server nor the users’ list.
Can someone even connect at all to this LDAP server setup, if they don’t have the cert.pem ?
Hi,
Thanks for the excellent article.
Question: how can I set the the access permission to each OU (organization unit) ?
I mean I have installed LDAP successfully.
My domain is ntcong.net, there are 2 OU : People and Group.
Currently, when I use the LDAP client, I can access to LDAP server without any username/password (even if LDAP client requires username/password and I enter with invalid username/password, it can access to LDAP server too)
So how can I set the username1 can access to ou: People but this user (username1) cannot access to ou: Group ?
I am using Centos7. I searched this one in internet but the AC(Access control) in openLDAP based on Centos7 is different than the others.
Could you please help me in this case.
Thank you so much and Have nice day!.
Regards,
Cong
When you say you can access LDAP server without authentication, do you mean you can bind with invalid password, or you can actually read data with invalid password?
You are likely going to need to restrict access, the folloing may work (depending on your LDAP setup obviously):
* by dn=”cn=admin,dc=top” write by dn=”cn=autobind,dc=top” read by self write by users read by anonymous auth by * none
So the above means that admin can write, autobind can read, anonymous users are provided access to the userPassword attribute for the initial connection to occur, and all users have read access to their passwords due to “by self write” permissions.
I ran into the same problem as others with the error:ldap_bind: Invalid credentials (49)
I got it to work, but didn’t troubleshoot too much after I got it to work, I’ll leave that to smarter people.
So, what I did was change olcRootPW: in changes.ldif to just plain text redhat:
olcRootPW:redhat
That worked after running:
ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/openldap/changes.ldif
and then:
ldapadd -x -w redhat -D cn=Manager,dc=example,dc=com -f /etc/openldap/base.ldif
just because I was curious, after which I tried again with a newly created hash with the command:
slappasswd -s redhat
and copied the result from the console and not the file and put that hash back into the changes.ldif, did the same steps as above and then further ldapadds worked also.
So it seems to be something when copying the hash, maybe your getting a space before or after or a carriage return when copying it in? Good luck.
Thanks.
Excellent topic. I just stuck in the following step:
[root@rh7 MigrationTools-47]# ./migrate_passwd.pl passwd users.ldif
Undefined subroutine &main::getsuffix called at ./migrate_passwd.pl line 43.
if you just sudo ldapuser how can you change the password of ldapuser?
This is not an RHCSA objective.
If you enabled LDAP authentication globally through PAM and configured /etc/pam.d/passwd, then a user can change his own LDAP password through the passwd command like it’s common for local Unix accounts.
Great! Followed the steps and everything is working fine. Thank you. But it would be even better if certdepot provides (in this website itself. not in third party websites) the steps for AutoFS and NFS Server configuration steps to mount the ldapusers’ home directories when needed.
CertDepot, is it ok to not to use the certificate in ldap exam even they have provided, because I’m going to use authconfig-tui in exam, and may I know if it safe to use authconfig-tui during the exam?
If they provide you a certificate, why wouldn’t you use it? It doesn’t make sense!
Concerning authconfig-tui, I said in one of my tutorials that it was deprecated because I read it. However, it is still one of the simplest way to perform the different tasks during the exam. You can use it without any problem.
Hi CertDepot, thank you so much, I passed the RHCSA exam. This is my first time to take certification. I’m glad that your site was one of my sources while I was preparing the exam.
Thanks and congratulations!
Those who are getting credential error on line:
ldapadd -x -w redhat -D cn=Manager,dc=example,dc=com -f /etc/openldap/base.ldif
ldap_bind: Invalid credentials (49)
Solution:
The comment after line:
/etc/openldap/changes.ldif
need to be removed. That is remove the part “# previously generated password (see above)”. The script is assuming it forms part of the password.
Only the word passwd needs to be replaced with the content of /etc/openldap/passwd
After removing, re-run:
ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/openldap/changes.ldif
You shall be good to go.
@CertDepot: can you modify this part in the tutorial please?
Done. Thanks.
I am getting an error on line :
ldapadd -x -w redhat -D cn=Manager,dc=example,dc=com -f users.ldif
adding new entry “uid=ldapuser01,ou=People,dc=padl,dc=com”
ldap_add: Server is unwilling to perform (53)
additional info: no global superior knowledge
Can someone help please?
I also tried:
ldapadd -x -w redhat -D cn=Manager,dc=example,dc=com -f /usr/share/migrationtools/users.ldif
adding new entry “uid=ldapuser01,ou=People,dc=padl,dc=com”
ldap_add: Server is unwilling to perform (53)
additional info: no global superior knowledge
Same error
error:
ldapadd -x -w redhat -D cn=Manager,dc=example,dc=com -f users.ldif
adding new entry “uid=ldapuser01,ou=People,dc=padl,dc=com”
ldap_add: Server is unwilling to perform (53)
additional info: no global superior knowledge
Solution:
replace all line with “dn: uid=ldapuser01,ou=People,dc=padl,dc=com” to “dn: uid=ldapuser01,ou=People,dc=example,dc=com” in file /usr/share/migrationtools/users.ldif
same for /usr/share/migrationtools/groups.ldif
If anyone is having a problem on Red Hat/CentOS 7.5, change
dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/cert.pem
dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/priv.pem to:
dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/priv.pem
–
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/cert.pem
ref: https://github.com/ansible/ansible/issues/25665
This worked great. Thank you!
Hi CertDepot, is authconfig-tui still a valid method to use when doing ldap authentication in the RHCSA exam?
In the official RHEL documentation, it is written that the authconfig-tui command is deprecated. However, it is still a prefectly valid method to use when configuring ldap authentication. It’s only a frond-end for the authconfig command.
Hi Certdepot
I was trying to install openldap server using the instruction provided by your tutorial. When starting the systemctl start slapd below two errors came in journalctl.
1.Aug 31 05:44:20 instructor.example.com slapd[1347]: tlsmc_cert_create_hash_symlink: ERROR: OS error: Permission denied
Solution:
# grep slapd /var/log/audit/audit.log | audit2allow
#============= slapd_t ==============
allow slapd_t slapd_tmp_t:lnk_file create;
After confirm above, make a policy.
# grep slapd /var/log/audit/audit.log | audit2allow -m slapd > slapd.te
# grep slapd /var/log/audit/audit.log | audit2allow -M slapd
******************** IMPORTANT ***********************
To make this policy package active, execute:
semodule -i slapd.pp
# semodule -i slapd.pp
2.Aug 31 06:32:00 instructor.example.com slapd[1698]: main: TLS init def ctx failed: -1
Solution: I searched on internet everywhere but could not find any thing to resolve this issue, disabled SELinux and problem solved.
May you help me about what could be the SELinux policy to resolve this issue?
What minor version of CentOS/RHEL are you using? What version of OpenLDAP are you installing?
I am running RHEL 7.4 an openldapd 2.4.44.
Have you tried this?
I have followed this procedure 3 times now and I can never get the credentials right. I even used the redhat password exactly as you do and it still doesn’t work. Obviously, something has changed.
Please help.
I just tried this today and it worked for me.
Hi,
after running this command :
ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/openldap/changes.ldif
I get this error :
modifying entry “cn=config”
ldap_modify: Other (e.g., implementation specific) error (80)
Please help me finish installing ldap server,
Thanks.
Thanks, I found the problem myself, added the following lines as instructed for RHEL 7.5 despite actually using RHEL 7.3.
dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/cert.pem
–
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/priv.pem
Problem is I can only establish LDAP connection
to server without TLS, on the client side I used
yum groups install “Directory Client”
authconfig-tui
copied the cert file from server with scp to
/etc/openldap/cacerts
I get an error on /var/log/messages saying “Server is unavailble: Could not initialize TLS.
Already tried turning off SELINUX, created a firewall rule allowing LDAP and SLDAP with no success.
.
any advice?
Try running the following to start the LDAP server in debug mode with logging to the console:
The logs can be a difficult to parse, but with Google search and a bit of luck you should to be able to work out what is going on.
Thanks.