LDAP-server and LDAP-client installation and configuration RHEL 6

What is LDAP ?


LDAP is a protocol for accessing a directory. A directory contains objects; generally those related to users, groups, computers, printers and so on; company structure information (although frankly you can extend it and store anything in there).

Name-            openldap-serveer
Package-        openldap*
Port –              389
Daemon–        slaped
Script-            slaped
Config File- 

Configure openldap-servers-

Note- Pre-Requisites:

1- Working DNS Server: If you don’t know how to configure DNS Server, Please Click this link- http://ashutoshlinuxnotes.blogspot.in/p/26_7.html

2- Server should be synced with NTP Server, NTP Server configuration please check this link- http://ashutoshlinuxnotes.blogspot.in/p/1_7.html 

Step-1 Disable Selinux-
   Edit selinux file and set SELINUX=disable

[root@server ~]# vim /etc/sysconfig/selinux

Iptables Configuration-

[root@server ~]# service iptables stop
[root@server ~]# chkconfig iptables off
[root@server ~]#

Step-2 Set Static IP
[root@server ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth0

[root@server ~]# setup


Step-3 Change hostname-

[root@server ~]# vim /etc/sysconfig/network


[root@server ~]# vim /etc/hosts   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6      server.ramesh.com         server

[root@server ~]# /etc/init.d/NetworkManager restart

[root@server ~]# hostname

[root@server ~]# ping server.ramesh.com

PING server.ramesh.com ( 56(84) bytes of data.
64 bytes from server.ramesh.com ( icmp_seq=1 ttl=64 time=0.033 ms
64 bytes from server.ramesh.com ( icmp_seq=2 ttl=64 time=0.040 ms

64 bytes from server.ramesh.com ( icmp_seq=1 ttl=64 time=0.033 ms
64 bytes from server.ramesh.com ( icmp_seq=2 ttl=64 time=0.040 ms

Step-4 Now generate a encrypted password for Administrator User That is “Manager”

[root@server ~]# slappasswd 

New password: redhat
Re-enter new password: redhat

Note- You need to copy above generated password

Step-5 Now Configure OpenLDAP Server, so edit the following file:

[root@server ~]# cd /etc/openldap/slapd.d/

[root@server slapd.d]# ll

drwxrwxrwx. 3 ldap ldap 4096 Mar 23 12:46 cn=config
-rwxrwxrwx. 1 ldap ldap 1131 Nov 15 14:39 cn=config.ldif

[root@server slapd.d]# cd cn=config
[root@server cn=config]# ll

drwxrwxrwx. 2 ldap ldap  4096 Nov 15 14:39 cn=schema
-rwxrwxrwx. 1 ldap ldap 51896 Nov 15 14:39 cn=schema.ldif
-rwxrwxrwx. 1 ldap ldap   592 Nov 15 14:39 olcDatabase={0}config.ldif
-rwxrwxrwx. 1 ldap ldap   525 Nov 15 14:39 olcDatabase={-1}frontend.ldif
-rwxrwxrwx. 1 ldap ldap   622 Nov 15 14:39 olcDatabase={1}monitor.ldif
-rwxrwxrwx. 1 ldap ldap  1202 Nov 15 14:39 olcDatabase={2}bdb.ldif

[root@server cn=config]# pwd/etc/openldap/slapd.d/cn=config

[root@server cn=config]# vim olcDatabase={2}bdb.ldif 

Inside this file do the following changes:
olcSuffix: dc=ashu,dc=com

olcRootDN: cn=Manager,dc=ashu,dc=com

Inside this file create the following lines:

#Note--> Paste youre encrypted password

olcRootPW: {SSHA}tEyKAy8ik3U7HQ3Mdb5Qs+3DiGX78FMX     
olcTLSCertificateFile: /etc/pki/tls/certs/ashu.pem
olcTLSCertificateKeyFile: /etc/pki/tls/certs/ashukey.pem


Step-6 Specify the Monitoring Privileges file..

[root@server cn=config]# vim olcDatabase={1}monitor.ldif

(Search Following Line- olcAccess: {0}to *  by dn.base=”gidNumber=0+uidNumber=0,cn=peercred,cn=externa
 l,cn=auth” read  by dn.base=”cn=manager,dc=my-domain,dc=com” read  by * none)

and Change this into-
olcAccess: {0}to *  by dn.base=”gidNumber=0+uidNumber=0,cn=peercred,cn=externa
 l,cn=auth” read  by dn.base=”cn=Manager,dc=ashu,dc=com” read  by * none


Step-7 Copy the Simple Database file

[root@server cn=config]# cd –
[root@server ~]#
[root@server ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

`/usr/share/openldap-servers/DB_CONFIG.example’ -> `/var/lib/ldap/DB_CONFIG’

[root@server ~]# cd /var/lib/ldap/
[root@server ldap]# ll

-rw-r–r–. 1 root root 921 Mar 23 12:57 DB_CONFIG

Note- Change owner and group ownership of this Database ‘DB-CONFIG’ and update database..

[root@server ldap]# chown -R ldap:ldap DB_CONFIG
[root@server ldap]# ll

-rw-r–r–. 1 ldap ldap 921 Mar 23 12:57 DB_CONFIG

[root@server ldap]# updatedb

Step-8 Configure OpenLdap to listen on SSL/TLS

[root@server ldap]# cd
[root@server ~]# vim /etc/sysconfig/ldap

Inside this file do the following changes:-
# Run slapd with -h “… ldaps:/// …”
# yes/no, default: no


Step-9 Now you need to generate a self sign certificate for OpenLDAP Server.You Can also configure CA Server..
But I’m creating self sign certificate…..

[root@server ~]# openssl req -new -x509 -nodes -out /etc/pki/tls/certs/ashu.pem -keyout /etc/pki/tls/certs/ashukey.pem -days 365

Generating a 2048 bit RSA private key
writing new private key to ‘/etc/pki/tls/certs/ashukey.pem’
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:Delhi
Locality Name (eg, city) [Default City]:New Delhi
Organization Name (eg, company) [Default Company Ltd]:Ashu, Inc.  
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server’s hostname) []:server.ashu.com
Email Address []:root@server.ashu.com

[root@server ~]# ls -l /etc/pki/tls/certs/ashu*
-rw-r–r–. 1 root root 1704 Mar 23 13:17 /etc/pki/tls/certs/ashukey.pem
-rw-r–r–. 1 root root 1440 Mar 23 13:17 /etc/pki/tls/certs/ashu.pem

[root@server ~]# 

Step-10 Change owner and group ownership of certificate and key file: ‘ashukey.pem’, ‘ashu.pem’

[root@server ~]# chown -Rf root:ldap /etc/pki/tls/certs/ashu.pem
[root@server ~]# chown -Rf root:ldap /etc/pki/tls/certs/ashukey.pem 

[root@server ~]# ls -l /etc/pki/tls/certs/ashu*
-rw-r–r–. 1 root ldap 1704 Mar 23 13:17 /etc/pki/tls/certs/ashukey.pem
-rw-r–r–. 1 root ldap 1440 Mar 23 13:17 /etc/pki/tls/certs/ashu.pem

[root@server ~]# 

Step-11 Restart OpenLdap services…

[root@server ~]# /etc/init.d/slapd restart;chkconfig slapd on

[root@server ~]# service slapd restart
[root@server ~]# chkconfig slapd on

Step-12 Now Copy certificate file ‘/etc/pki/tls/certs/ashu.pem’in ‘/var/ftp/pub/’

[root@server ~]# cp -rvf /etc/pki/tls/certs/ashu.pem /var/ftp/pub/

`/etc/pki/tls/certs/ashu.pem’ -> `/var/ftp/pub/ashu.pem’

[root@server ~]# service vsftpd restart
[root@server ~]# chkconfig vsftpd on
[root@server ~]# ln-s /var/ftp/pub/ /var/www/html
[root@server ~]# service httpd restart
[root@server ~]# chkconfig httpd on

Step-13 Now you need to create base objects in OpenLDAP.

NOTE: base objects means you have to create dn: for domain name, for OUs, so to creating dn:, you have to defining objectclass.

there are two ways-
1- you can create it manually.
2- you can use migration tools.

Note– I am using migration tools.

[root@server ~]# yum install migrationtools

[root@server ~]# cd /usr/share/migrationtools/

[root@server migrationtools]# ls      #–> Show the all file 

migrate_aliases.pl              migrate_automount.pl        migrate_networks.pl
migrate_all_netinfo_offline.sh  migrate_base.pl             migrate_passwd.pl
migrate_all_netinfo_online.sh   migrate_common.ph           migrate_profile.pl
migrate_all_nis_offline.sh      migrate_fstab.pl            migrate_protocols.pl
migrate_all_nis_online.sh       migrate_group.pl            migrate_rpc.pl
migrate_all_nisplus_offline.sh  migrate_hosts.pl            migrate_services.pl
migrate_all_nisplus_online.sh   migrate_netgroup_byhost.pl  migrate_slapd_conf.pl
migrate_all_offline.sh          migrate_netgroup_byuser.pl
migrate_all_online.sh           migrate_netgroup.pl

Step-14 you need to change some predefined values according to your domain name, for that do the following

[root@server migrationtools]# vim migrate_common.ph


#–>On The Line Number-61..

$NAMINGCONTEXT{‘group’}             = “ou=Groups“;

#–>On The Line Number-71..

$DEFAULT_MAIL_DOMAIN = “ramesh.com”;

#–>On The Line Number-74..

$DEFAULT_BASE = “dc=ramesh,dc=com”;

#–>On The Line Number-90..



Step-15 Generate a base.ldif file for your domain..

#–> Check all migrate file setting

[root@server migrationtools]# ./migrate_base.pl   

[root@server migrationtools]# ./migrate_base.pl > /root/base.ldif

Step-16 If you want to migrate you local users and groups on ldap
Note- First crate Some user. and then asign password…

[root@server migrationtools]# cd

[root@server ~]# mkdir /home/ldap

[root@server ~]# useradd -d /home/ldap/ldapuser-1 ldapuser-1
[root@server ~]# useradd -d /home/ldap/ldapuser-2 ldapuser-2
[root@server ~]# useradd -d /home/ldap/ldapuser-3 ldapuser-3
[root@server ~]# useradd -d /home/ldap/ldapuser-4 ldapuser-4
[root@server ~]# useradd -d /home/ldap/ldapuser-5 ldapuser-5

[root@server ~]# passwd ldapuser-1
[root@server ~]# passwd ldapuser-2
[root@server ~]# passwd ldapuser-3
[root@server ~]# passwd ldapuser-4
[root@server ~]# passwd ldapuser-5

[root@server ~]# cat /etc/passwd  
(Check user information)
[root@server ~]#


1- Filter out these users from ‘/etc/passwd’ to another file..

[root@server ~]# getent passwd | tail -n 5
[root@server ~]# getent passwd | tail -n 5 > /root/users

2- filter out password information from ‘/etc/shadow’ to another file

[root@server ~]# getent shadow | tail -n 5
[root@server ~]# getent shadow | tail -n 5 > /root/passwords

3- filter out user groups from ‘/etc/group’ to another file..

[root@server ~]# getent group | tail -n 5
[root@server ~]# getent group | tail -n 5 > /root/groups

Note- getent is a unix command that helps a user get entries in a number of important text files called databases.
The databases it searches in are: passwd, group, hosts, services, protocols, ethers (Ethernet addresses) or networks.

Step-18 Now open ‘migrate_passwd.pl’ file to change the location of password file..

[root@server ~]# cd /usr/share/migrationtools/

[root@server migrationtools]# ls

[root@server migrationtools]# vim migrate_passwd.pl
#–>Line Number- 188, OR Search ‘/etc/shadow’ and change to ‘/root/passwords’
sub read_shadow_file
         open(SHADOW, “/root/shadow“) || return;
         while(<SHADOW>) {
                 ($shadowUser) = split(/:/, $_);
                 $shadowUsers{$shadowUser} = $_;


Step-19 Generate a ldif file for users and groups…

[root@server migrationtools]#./migrate_passwd.pl /root/users
[root@server migrationtools]#./migrate_passwd.pl /root/users > /root/users.ldif

[root@server migrationtools]#./migrate_group.pl /root/groups
[root@server migrationtools]#./migrate_group.pl /root/groups > /root/groups.ldif

[root@server migrationtools]# cd
[root@server ~]# ls -l

-rwxrwxrwx. 1 root root   2105 Nov 14 16:32 anaconda-ks.cfg
-rw-r–r–. 1 root root   1200 Mar 23 14:17 base.ldif
drwxrwxrwx. 7 root root   4096 Feb 21 20:53 Desktop
drwxrwxrwx. 2 root root   4096 Nov 14 16:35 Documents
drwxrwxrwx. 7 root root   4096 Jan 13 14:19 Downloads
-rw-r–r–. 1 root root     94 Mar 23 14:45 groups
-rw-r–r–. 1 root root    695 Mar 23 14:46 groups.ldif
-rwxrwxrwx. 1 root root  46359 Nov 14 16:32 install.log
-rwxrwxrwx. 1 root root  10329 Nov 14 16:30 install.log.syslog
drwxrwxrwx. 2 root root   4096 Nov 14 16:35 Music
-rw-r–r–. 1 root root     94 Mar 23 14:45 passwords
drwxrwxrwx. 2 root root   4096 Nov 14 16:35 Pictures
drwxrwxrwx. 2 root root   4096 Nov 14 16:35 Public
drwxrwxrwx. 2 root root   4096 Nov 14 16:35 Templates
-rw-r–r–. 1 root root     94 Mar 23 14:47 users
-rw-r–r–. 1 root root     94 Mar 23 14:49 users.ldif
drwxrwxrwx. 2 root root   4096 Nov 14 16:35 Videos

Step-20 Now it’ time to upload these ldif file to LDAP Server..

[root@server ~]# ldapadd -x -W -D “cn=Manager,dc=example,dc=com” -f /root/base.ldif

[root@server ~]# ldapadd -x -W -D “cn=Manager,dc=example,dc=com” -f /root/users.ldif

[root@server ~]# ldapadd -x -W -D “cn=Manager,dc=example,dc=com” -f /root/groups.ldif 
Note- Enter LDAP Password: (you have to type the password which you generated in encrypted format.)

Use ‘ldapsearch’ command-

[root@server ~]# ldapsearch -x -b “dc=example,dc=com” | less

Step-21 Now share LDAP Users home Directory via NFS..

[root@server ~]# vim /etc/exports



[root@server ~]# /etc/init.d/nfs restart;chkconfig nfs on

Note- If You are getting the blew error while starting your NFS service because you have not installed or started rpcbind service.

Error:-  “Cannot register service: RPC: Unable to receive; errno = Connection refused”

Solution:- Install ‘rpcbind’ service. and then restart ‘rpcbind’ service..

[root@server ~]# yum -y install rpcbind
[root@server ~]# /etc/init.d/rpcbind start

Again Check-

[root@server ~]# /etc/init.d/nfs restart;chkconfig nfs on

Problem has been resolved..

LDAP server configuration has been completed…

Client PC-

Now go to the client machine to use ldap server and it’s users..

Step-1 Check ip add..

[root@client ~]# ifconfig

[root@client ~]# ping

[root@client ~]# vim /etc/hosts   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6     server.ramesh.com         server     client.ramesh.com         client

Step-2 Open ‘authconfig-gtk’

[root@client ~]# authconfig-gtk

Now open New box—

Click on–> ‘Identity & Authentication’ Tab
Click on drop down menu in–> ‘User Account Database’ And Select ‘LDAP’
LDAP Search Base DN: DC=ashu,dc=com
LDAP Server: ldap://ldap.ashu.com

Select The Check Box of- ‘Use TLS to encrypt connection’
Click. ‘Doenload CA Certificate’
Certificate URL: http://server.ashu.com/pub/ashu.pem
Click- Apply

Step-3 Create the following new line.

[root@client ~]# vim /etc/auto.master

/home/ldap    /etc/auto.ldap

[root@client ~]# vim /etc/auto.ldap

*       -rw     server.ashu.com:/home/ldap/&

[root@client ~]# service autofs reload

[root@client ~]# su – ldapuser-1
[ldapuser-1@client ~]#
[ldapuser-1@client ~]# logout

[root@client ~]#
[root@client ~]# su – ldapuser-2
[ldapuser-2@client ~]#

OpenLdap server and client configuration has been finished…

How to add LDAP User-

1- Create a user
[root@server ~]# useradd -d /home/ldap/ldapuser-6 ldapuser-6

2- Set password-

[root@server ~]# passwd ldapuser-6

3- Now Filter out your users from ‘/etc/passwd’to other file.

[root@server ~]# getent passwd | tail -n 1 > /root/users

4- Now Filter out your Groups from ‘/etc/group’ to other file.

[root@server ~]# getent group | tail -n 1 > /root/groups

5- Now Filter out your password information from ‘/etc/shadow’ to other file.

[root@server ~]# getent shadow | tail -n 5 > /root/passwords

6- Now use the migrationtools to generate ldif file for users and groups
“How to use Migrationtools” (Step-19).  or

[root@server ~]# ldapadd -x -W -D “cn=Manager,dc=ramesh,dc=com” -f /root/users.ldif

[root@server ~]# ldapadd -x -W -D “cn=Manager,dc=ramesh,dc=com” -f /root/groups.ldif 

7- Now add that users and groups ldif files to LDAP (Step-20) or

[root@server ~]# ldapadd -x -W -D “cn=Manager,dc=ramesh,dc=com” -f /root/users.ldif

[root@server ~]# ldapadd -x -W -D “cn=Manager,dc=ramesh,dc=com” -f /root/groups.ldif

How to change LDAP User Password-

[root@server ~]# ldappasswd -x -w redhat1 -D ‘cn=Manager,dc=ramesh,dc=com’ -s redhat1 ‘uid=ldap,ou=Users,dc=ramesh,dc=com’

Note- In this example, my first “redhat” word is the password of “Manager” user and second “redhat” word is the password of “ldap” user.
How to Delete LDAP User-

[root@server ~]# ldapdelete -x -W -D ‘cn=Manager,PC-dc=ramesh,dc=com’ ‘uid=ldap,ou=Users,dc=ramesh,dc=com’

Note- In this example, i want to delete a user name “ldap” so you have to type complete DN of that user.

LDAP Interview Question & Answer-
Q: – Is there Graphical editors for LDAP ?

Yes, Following are some GUI based tools for LDAP
– GQ
– Java LDAP Browser/Editor
– Softerra LDAP Browser 

Q: – What can i do if my application doesn’t speak to LDAP ?

Gateway that translate one directory access protocol into another.

Q: – How can i join information contained in different directories ?

Distributed, Multivendor directories glued together by referrals and references.

Q: – What is “LDIF” ?

The LDAP Interchange Format (LDIF) is a standard text file format for storing LDAP configuration information and directory contents. LDIF files are often used to import new data into your directory or make changes to existing data.

Q: – Name the object class types ?

– Structural Object class
– Auxiliary Object class
– Abstract object classes
Q: – What is the name of main configuration file name for LDAP server ?


Q: – What is LDAP ?

LDAP stands for Lightweight Directory Access Protocol. In plain and simple terms, its a database whereby it has all the details of all of organizations, individuals, and other resources such as files and devices in a network, whether on the Internet or on corporate intranetand whether or not you know the domain name, IP address, or geographic whereabouts. An LDAP directory can be distributed among many servers on a network, then replicated and synchronized regularly. An LDAP server is also known as a Directory System Agent (DSA). Its a not a relational database. Outlook and other email programs uses LDAP to search for a recipient in an organization.
Q: – Whats the relation ship between LDAP and JNDI?

JNDI has classes provided by SUN that will help ur appln interact with and LDAP server. JNDI appln work similarly to JDBC applns once and be free to use ‘drivers’ from different vendors. SUN provides the “driver” that will help interact with the LDAP server. Sun also provides “drivers” for other naming services (like CORBA).
Q: – Why LDAP is called light weight?

LDAP (Lightweight Directory Access Protocol) is a protocol for communications between LDAP servers and LDAP clients.
LDAP servers store “directories” which are access by LDAP clients.
LDAP is called lightweight because it is a smaller and easier protocol which was derived from the X.500 DAP
(Directory Access Protocol) defined in the OSI network protocol stack.

Q: – what is SLAPD?

SLAPD stands for Stand-Alone LDAP.Clients connect to the server over the LDAP protocol, usually using a network-based connection (though SLAPD provides a UNIX socket listener).

Q: – Which daemons are required for LDAP server?

slapd and slurpd

Q: – Tell me the name of three LDAP Client utilities or Applications


Q: – Define Schemas?

Schemas provide definitions of the different object classes and attribute types that OpenLDAP should support. Using these, OpenLDAP can determine what entries it is allowed to store, whether any given entry is valid, and how entries should optimally be stored.

Q: – Explain modulepath directive?

The modulepath directive provides the full path to the directory where the  modules (the compiled libraries) are stored.

Q: – Explain moduleload directive?

The moduleload directive instructs OpenLDAP to load a particular module.

Q: – What is HDB?

HDB is the new generation storage mechanism for OpenLDAP. Like its predecessor, the BDB backend, HDB uses the Oracle BerkeleyDB database for storage, but HDB stores entries hierarchically, a perfect fit for LDAP’s tree structure. The old BDB backend is still supported, and you can use it by specifying bdb instead of hdb in the database directive.

Q: – Which utility is used to Encrypt the password?


Q: – How you will verify LDAP configuration file?

Use “slaptest” utility.
slaptest -v -f /etc/ldap/slapd.conf

Q: – Which configuration file is required for LDAP clients?


Q: – Explain “SIZELIMIT” directive?

This directive indicates the upper limits on the number of records returned.
Q: – Explain “TIMELIMIT” directive?

This directive will give the information about the amount of time the client will wait for the server to respond.

Q: – Tell me the name of logical operators which are used  in ldap filters.

AND (&), OR (|), and NOT (!)

Q: – What Does slapadd Do?

The slapadd utility reads the slapd.conf file, loads the appropriate backend databases, and then reads LDIF data.

Q: – Which web based tool you have used for LDAP?


Leave a Reply

Your email address will not be published. Required fields are marked *