First of all I'm using CentOS 6.3 and trying to install an LDAP server and NFS server. From there I want a client machine to access the server, authenticate using LDAP and mount the NFS directory. I'm having problems finding a how-to guide for this. I have pieced together some different guides as best I could that made sense to me.
I have before set up an NFS server and a client to mount the NFS directory. I'm a little lost exactly how to make LDAP be used. I will post what I have done so far here. Any help and/or guidance would be very much appreciated. Both the server and the client are on VMs right now. I also did a
Code:
ldapsearch -x -H ldap://serverip   # -H takes a URI, not a bare address
and the client could see the server.
Here is what i have done so far
TL;DR: need help setting up an LDAP and NFS server on a VM, and on the client authenticating using LDAP to mount the NFS folder.
Code:
LDAP
Sources: http://zee.linxsol.com/system-administration/centos-62-installing-ldap-directory-services-using-cli.html
http://exablurb.blogspot.com/2012/01/introduction-nfs-v4-requirements-nfs-v3.html
1.
yum install openldap-servers openldap-clients migrationtools   # one word: the package is migrationtools
2.
Edit your ldap.conf file and enter the IP address or domain name of your server:
vi /etc/openldap/ldap.conf
URI ldap://192.168.1.39
BASE dc=ldap,dc=com
3.
Copy the sample files from /usr/share/openldap-servers to /etc/openldap and /var/lib/ldap:
cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf
cp /usr/share/openldap-servers/DB_CONFIG.example /etc/openldap/DB_CONFIG
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
cp /usr/share/openldap-servers/slapd.conf.obsolete /var/lib/ldap/slapd.conf
4.
Set up a new root password:
slappasswd
New password:
Re-enter new password:
{SSHA}xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
{SSHA}KwdGwU7MCAbovTA/IycoaGb+A(zero)LePze8
Copy the hash, as you need to enter it as rootpw in slapd.conf:
5.
vi /etc/openldap/slapd.conf
:%s/dc=my-domain/dc=ldap/g   # replaces every instance of my-domain with your domain name
rootpw {SSHA}xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
6. If this doesn't work I might want to look at another option with LDIF files
Create a root.ldif file and enter the entries below:
vi /root/root.ldif
# root
dn: dc=ldap,dc=com
dc: ldap
objectClass: dcObject
objectClass: organizationalUnit
ou: shan.com

# staff (entries in an LDIF file must be separated by a blank line)
dn: ou=staff,dc=ldap,dc=com
ou: staff
objectClass: organizationalUnit
7.
Remove everything in the slapd.d dir, load root.ldif into the directory database and generate slapd.d from slapd.conf:
rm -rf /etc/openldap/slapd.d/*
slapadd -f /etc/openldap/slapd.conf -n 2 -l /root/root.ldif   # -f: read slapd.conf directly, slapd.d was just emptied; -n 2: bdb is the third database in slapd.conf.obsolete, after config and monitor
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
8.
Set the appropriate permissions:
chown -R ldap:ldap /var/lib/ldap
chown -R ldap:ldap /etc/openldap/slapd.d
9.
Make sure the service is on at runlevels 2, 3 and 5:
chkconfig --level 235 slapd on
service slapd start
10. Might be able to skip this part
rm -rf /etc/openldap/slapd.d/*
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
chown -R ldap:ldap /etc/openldap/slapd.d
service slapd restart
11.
Create an SSL certificate:
cd /etc/pki/tls/certs
rm slapd.pem
make slapd.pem
chmod 640 slapd.pem
chown :ldap slapd.pem
ln -s /etc/pki/tls/certs/slapd.pem /etc/openldap/certs/slapd.pem
vi /etc/sysconfig/ldap
SLAPD_LDAPS=yes
vi /etc/openldap/slapd.conf
TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt   # a single bundle file is TLSCACertificateFile; TLSCACertificatePath expects a directory
TLSCertificateFile /etc/pki/tls/certs/slapd.pem
TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem
vi /etc/openldap/ldap.conf
TLS_CACERTDIR /etc/openldap/certs
TLS_REQCERT never   # turns off server-certificate checking for every LDAP client on this box; fine for a first test, set it back to demand (the default) once the certificate is trusted
12.
Test if everything is up and working fine:
rm -rf /etc/openldap/slapd.d/*
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
chown -R ldap:ldap /etc/openldap/slapd.d
service slapd restart
ldapsearch -x -ZZ -h localhost         # StartTLS on port 389
ldapsearch -x -H ldaps://localhost     # LDAPS on port 636 - I got an error here, not too concerned right now
13. misc things I forgot to do
iptables -F   # runtime only: the saved rules come back at reboot
iptables -L
useradd testuser   # local accounts on the server only; they do not appear in LDAP
passwd testuser
useradd m
passwd m
14. I didn't have any users in the LDAP so....
The directory is to be used to manage the users, groups, hosts etc.; openldap comes with a number of scripts that can be used to copy existing values into the directory. These scripts are installed into /usr/share/migrationtools. Start by editing the migrate_common.ph script and replace all instances of the domain padl.com with the domain that you are using for your directory.
For example, in our case we are using the domain el01.com, so substitute all string occurrences of "padl" with "el01".
More than likely you will have errors that can be ignored.
Configuring a client to use LDAP
15.
The client will need most of the programs we installed on the server.
yum install openldap openldap-clients openldap-devel nss-pam-ldapd   # CentOS 6 ships nss-pam-ldapd (nslcd) in place of nss_ldap; openldap{,-clients,-devel,} would have expanded "openldap" twice
On the client we can install NFS as follows
yum install nfs-utils nfs-utils-lib
First edit /etc/nslcd.conf (the nss-pam-ldapd config file) to specify the directory server URI and the base DN used, then start it with service nslcd start:
...
uri ldap://192.168.1.39
base dc=ldap,dc=com
...
Edit the /etc/nsswitch.conf file to specify all the entries that you would like to have resolved in ldap, specifying the resolution order. For example:-
...
passwd: files ldap
shadow: files ldap
group: files ldap
vi /etc/idmapd.conf
# line 5: uncomment and change to your domain name
Domain = ldap.com
vi /etc/exports
Note: Some additional steps
Optionally add ldap to the 'hosts' entry in /etc/nsswitch.conf. This only affects hostname lookups and has nothing to do with authentication, so keep files and dns ahead of it or the LDAP server's own name may fail to resolve:
vi /etc/nsswitch.conf
hosts: files dns ldap
Add firewall rules on the server for port 389 (the ldap:// URI the client uses) and 636 (ldaps), then save them so they survive a reboot:
iptables -I INPUT -m state --state NEW -p tcp -s 192.168.1.0/24 --dport 389 -j ACCEPT
iptables -I INPUT -m state --state NEW -p tcp -s 192.168.1.0/24 --dport 636 -j ACCEPT   # 192.168.1.222/24 is the same network; iptables normalises it to 192.168.1.0/24
service iptables save
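As an added example (not part of the original post or of the guides it cites), here is a script covering the two things the procedure above never gets to: LDAP entries for the users the NFS clients will log in as, and the CentOS 6 client-side wiring of NSS and PAM to LDAP via authconfig. The server address 192.168.1.39, suffix dc=ldap,dc=com, container ou=staff, export /home and client network 192.168.1.0/24 are assumptions taken from the post; change them to match. By default the functions only print what they would do; nothing is changed on the system unless APPLY=server or APPLY=client is set.

```sh
#!/bin/sh
# Added example, not from the original post. Fills in the missing pieces of a
# CentOS 6 LDAP + NFS setup: posixAccount entries for the users, and the
# client-side authconfig call that makes PAM/NSS use LDAP.
# Assumed values (from the post): server 192.168.1.39, suffix dc=ldap,dc=com,
# container ou=staff, NFS export /home, client subnet 192.168.1.0/24.
set -eu

LDAP_SERVER="${LDAP_SERVER:-192.168.1.39}"
BASE_DN="${BASE_DN:-dc=ldap,dc=com}"
PEOPLE_OU="ou=staff,${BASE_DN}"          # created by root.ldif in step 6
NFS_EXPORT="${NFS_EXPORT:-/home}"
CLIENT_NET="${CLIENT_NET:-192.168.1.0/24}"

# LDIF for one login. uidNumber/gidNumber are what NFS puts on the wire
# (always for NFSv3, and for NFSv4 when idmapd cannot map a name), so server
# and every client must agree on them; keeping them in LDAP instead of each
# /etc/passwd is the point of the exercise. HASH is the {SSHA} string
# slappasswd printed, so the clear-text password never appears in the LDIF.
user_ldif() {
  login="$1"; uidn="$2"; gidn="$3"; hash="$4"
  printf '%s\n' \
    "dn: uid=${login},${PEOPLE_OU}" \
    "objectClass: inetOrgPerson" \
    "objectClass: posixAccount" \
    "objectClass: shadowAccount" \
    "uid: ${login}" \
    "cn: ${login}" \
    "sn: ${login}" \
    "uidNumber: ${uidn}" \
    "gidNumber: ${gidn}" \
    "homeDirectory: ${NFS_EXPORT}/${login}" \
    "loginShell: /bin/bash" \
    "userPassword: ${hash}" \
    ""
}

# Matching posixGroup; any further arguments become memberUid lines.
group_ldif() {
  name="$1"; gidn="$2"; shift 2
  printf '%s\n' "dn: cn=${name},${PEOPLE_OU}" "objectClass: posixGroup" \
    "cn: ${name}" "gidNumber: ${gidn}"
  for m in "$@"; do printf 'memberUid: %s\n' "$m"; done
  echo
}

# The one command that switches a CentOS 6 client to LDAP for both NSS
# lookups and PAM authentication (it writes nslcd.conf, pam.d and nsswitch).
# Once the StartTLS listener from step 11 works, add --enableldaptls and
# --ldaploadcacert=<URL of the server certificate>; without TLS the bind
# passwords cross the network in the clear.
authconfig_cmd() {
  printf '%s' "authconfig --enableldap --enableldapauth" \
    " --ldapserver=ldap://${LDAP_SERVER} --ldapbasedn=${BASE_DN}" \
    " --enablemkhomedir --update"
}

# /etc/exports line for the server. root_squash keeps a client's root from
# being root on the share; the uid/gid a client presents are otherwise
# trusted as-is, which is how AUTH_SYS NFS works.
exports_line() {
  printf '%s %s(rw,sync,root_squash)\n' "$NFS_EXPORT" "$CLIENT_NET"
}

# Does NSS on this host resolve LOGIN to the uid LDAP holds? Run on a client
# after authconfig; a mismatch means file ownership on the share will be wrong.
uid_matches() {
  [ "$(id -u "$1" 2>/dev/null || true)" = "$2" ]
}

case "${APPLY:-}" in
  server)
    # cn=Manager is the default rootdn in slapd.conf.obsolete; slappasswd prompts.
    { user_ldif testuser 2001 2001 "$(slappasswd)"
      group_ldif testuser 2001 testuser; } > /root/users.ldif
    ldapadd -x -D "cn=Manager,${BASE_DN}" -W -f /root/users.ldif
    yum -y install nfs-utils
    exports_line >> /etc/exports
    exportfs -ra
    ;;
  client)
    yum -y install nss-pam-ldapd openldap-clients nfs-utils
    eval "$(authconfig_cmd)"
    mkdir -p "$NFS_EXPORT"
    mount -t nfs "${LDAP_SERVER}:${NFS_EXPORT}" "$NFS_EXPORT"
    if getent passwd testuser && uid_matches testuser 2001; then
      echo "client resolves testuser from LDAP with the expected uid"
    fi
    ;;
esac
```

Run it once on the server with APPLY=server and once on each client with APPLY=client; the LDIF it writes to /root/users.ldif is what the migrationtools step was supposed to produce, and getent passwd testuser on the client is the quickest check that nslcd is answering before you try to log in.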