LDAP Server configuration using 389
Directory Server
Setup
Details:-
OperatingSystem : RHEL 6.5 server
Hostname : ms389.example.com
IPAddress : 172.66.249.3/16
Selinux is Enabled:-[root@ms389~]# getenforce
Enforcing
[root@ms389~]# cat /etc/hosts127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
172.66.249.3 ms389.example.com ms389
IPtables Configuration:
[root@ms389~]#iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ldap
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ldaps
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:9830
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Save and Restart iptables service:
[root@ms389~]#service iptables save
[root@ms389~]#service iptables restart
Performance and Security tuning for LDAP server:-
sysctl is used to set advanced security options of the TCP/IP stack and Virtual Memory to improve security, performance of the system. Also it is used to prevent certain kinds of attacks like spoofing attack,syn flood attack etc..
sysctl settings are stored in /etc/sysctl.conf and are loaded at each boot before /etc/rc.d/rc.local file is loaded.
Sysctcl command is used to modify kernel parameters at runtime
[root@ms389~]# vim /etc/sysctl.conf
Add the following lines at the bottom of this file
net.ipv4.tcp_keepalive_time = 300
net.ipv4.ip_local_port_range = 1024 65000
fs.file-max = 64000
[root@ms389~]# cat /etc/sysctl.conf
# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.
# Controls IP packet forwarding
net.ipv4.ip_forward = 0
# Controls source route verification
net.ipv4.conf.default.rp_filter = 1
# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0
# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0
# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1
# Controls the use of TCP syncookies
net.ipv4.tcp_syncookies = 1
# Disable netfilter on bridges.
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
# Controls the default maxmimum size of a mesage queue
kernel.msgmnb = 65536
# Controls the maximum size of a message, in bytes
kernel.msgmax = 65536
# Controls the maximum shared segment size, in bytes
kernel.shmmax = 68719476736
# Controls the maximum number of shared memory segments, in pages
kernel.shmall = 4294967296
net.ipv4.tcp_keepalive_time = 300
net.ipv4.ip_local_port_range = 1024 65000
fs.file-max = 64000
To view current parameter values
[root@ms389~]# sysctl -a
To load parameter setting:
[root@ms389~]# sysctl -p
Edit file “/etc/security/limits.conf”,
limits.conf is the configuration file for the pam_limits module, this is the files used to set program limits in linux.
* → all users except root{ because root will not include}
nofile → maximum number of open files
[root@ms389~]# cat /etc/security/limits.conf
# /etc/security/limits.conf
#
#Each line describes a limit for a user in the form:
#
#<domain> <type> <item> <value>
#
#Where:
#<domain> can be:
# - an user name
# - a group name, with @group syntax
# - the wildcard *, for default entry
# - the wildcard %, can be also used with %group syntax,
# for maxlogin limit
#
#<type> can have the two values:
# - "soft" for enforcing the soft limits
# - "hard" for enforcing hard limits
#
#<item> can be one of the following:
# - core - limits the core file size (KB)
# - data - max data size (KB)
# - fsize - maximum filesize (KB)
# - memlock - max locked-in-memory address space (KB)
# - nofile - max number of open files
# - rss - max resident set size (KB)
# - stack - max stack size (KB)
# - cpu - max CPU time (MIN)
# - nproc - max number of processes
# - as - address space limit (KB)
# - maxlogins - max number of logins for this user
# - maxsyslogins - max number of logins on the system
# - priority - the priority to run user process with
# - locks - max number of file locks the user can hold
# - sigpending - max number of pending signals
# - msgqueue - max memory used by POSIX message queues (bytes)
# - nice - max nice priority allowed to raise to values: [-20, 19]
# - rtprio - max realtime priority
#
#<domain> <type> <item> <value>
#
#* soft core 0
#* hard rss 10000
#@student hard nproc 20
#@faculty soft nproc 20
#@faculty hard nproc 50
#ftp hard nproc 0
#@student - maxlogins 4
# End of file
* soft nofile 8192
* hard nofile 8192
Edit file “/etc/profile”,
[root@ms389~]# vim /etc/profile
ulimit -n 8192
Edit file “/etc/pam.d/login”,
[root@ms389~]# vim /etc/pam.d/login
[root@ms389~]# cat /etc/pam.d/login
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include system-auth
-session optional pam_ck_connector.so
session required /lib/security/pam_limits.so
Start Install 389 Directory Server :
Create a LDAP user account.
[root@ms389~]# useradd adminuser
[root@ms389~]# passwd --stdin adminuser
Changing
password for user adminuser.
adminuser123
passwd: all authentication tokens updated successfully.
[root@ms389~]#yum install -y 389-ds openldap-clients
[root@ms389~]# setup-ds-admin.pl
==============================================================================
This program will set up the 389 Directory and Administration Servers.
It is recommended that you have "root" privilege to set up the software.
Tips for using this program:
- Press "Enter" to choose the default and go to the next screen
- Type "Control-B" then "Enter" to go back to the previous screen
- Type "Control-C" to cancel the setup program
Would you like to continue with set up? [yes]:
==============================================================================
Your system has been scanned for potential problems, missing patches,
etc. The following output is a report of the items found that need to
be addressed before running this software in a production
environment.
389 Directory Server system tuning analysis version 23-FEBRUARY-2012.
NOTICE : System is x86_64-unknown-linux2.6.32-431.el6.x86_64 (1 processor).
NOTICE : The net.ipv4.tcp_keepalive_time is set to 7200000 milliseconds
(120 minutes). This may cause temporary server congestion from lost
client connections.
WARNING: There are only 1024 file descriptors (soft limit) available, which
limit the number of simultaneous connections.
WARNING : The warning messages above should be reviewed before proceeding.
Would you like to continue? [no]: yes
==============================================================================
Choose a setup type:
1. Express
Allows you to quickly set up the servers using the most
common options and pre-defined defaults. Useful for quick
evaluation of the products.
2. Typical
Allows you to specify common defaults and options.
3. Custom
Allows you to specify more advanced options. This is
recommended for experienced server administrators only.
To accept the default shown in brackets, press the Enter key.
Choose a setup type [2]:
==============================================================================
Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: eros.example.com.
To accept the default shown in brackets, press the Enter key.
Warning: This step may take a few minutes if your DNS servers
can not be reached or if DNS is not configured correctly. If
you would rather not wait, hit Ctrl-C and run this program again
with the following command line option to specify the hostname:
General.FullMachineName=your.hostname.domain.name
Computer name [ms389.example.com]:
==============================================================================
The servers must run as a specific user in a specific group.
It is strongly recommended that this user should have no privileges
on the computer (i.e. a non-root user). The setup procedure
will give this user/group some permissions in specific paths/files
to perform server-specific operations.
If you have not yet created a user and group for the servers,
create this user and group using your native operating
system utilities.
System User [nobody]: adminuser
System Group [nobody]: adminuser
==============================================================================
Server information is stored in the configuration directory server.
This information is used by the console and administration server to
configure and manage your servers. If you have already set up a
configuration directory server, you should register any servers you
set up or create with the configuration server. To do so, the
following information about the configuration server is required: the
fully qualified host name of the form
<hostname>.<domainname>(e.g. hostname.example.com), the port number
(default 389), the suffix, the DN and password of a user having
permission to write the configuration information, usually the
configuration directory administrator, and if you are using security
(TLS/SSL). If you are using TLS/SSL, specify the TLS/SSL (LDAPS) port
number (default 636) instead of the regular LDAP port number, and
provide the CA certificate (in PEM/ASCII format).
If you do not yet have a configuration directory server, enter 'No' to
be prompted to set up one.
Do you want to register this software with an existing
configuration directory server? [no]:
==============================================================================
Please enter the administrator ID for the configuration directory
server. This is the ID typically used to log in to the console. You
will also be prompted for the password.
Configuration directory server
administrator ID [admin]:
Password:
Password (confirm):
==============================================================================
The information stored in the configuration directory server can be
separated into different Administration Domains. If you are managing
multiple software releases at the same time, or managing information
about multiple domains, you may use the Administration Domain to keep
them separate.
If you are not using administrative domains, press Enter to select the
default. Otherwise, enter some descriptive, unique name for the
administration domain, such as the name of the organization
responsible for managing the domain.
Administration Domain [example.com]:
==============================================================================
The standard directory server network port number is 389. However, if
you are not logged as the superuser, or port 389 is in use, the
default value will be a random unused port number greater than 1024.
If you want to use port 389, make sure that you are logged in as the
superuser, that port 389 is not in use.
Directory server network port [389]:
==============================================================================
Each instance of a directory server requires a unique identifier.
This identifier is used to name the various
instance specific files and directories in the file system,
as well as for other uses as a server instance identifier.
Directory server identifier [ms389]:
==============================================================================
The suffix is the root of your directory tree. The suffix must be a valid DN.
It is recommended that you use the dc=domaincomponent suffix convention.
For example, if your domain is example.com,
you should use dc=example,dc=com for your suffix.
Setup will create this initial suffix for you,
but you may have more than one suffix.
Use the directory server utilities to create additional suffixes.
Suffix [dc=example, dc=com]:
==============================================================================
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and typically has a
bind Distinguished Name (DN) of cn=Directory Manager.
You will also be prompted for the password for this user. The password must
be at least 8 characters long, and contain no spaces.
Press Control-B or type the word "back", then Enter to back up and start over.
Directory Manager DN [cn=Directory Manager]:
Password:
The password must be at least 8 characters long. Please choose another one.
Password:
Password (confirm):
==============================================================================
The Administration Server is separate from any of your web or application
servers since it listens to a different port and access to it is
restricted.
Pick a port number between 1024 and 65535 to run your Administration
Server on. You should NOT use a port number which you plan to
run a web or application server on, rather, select a number which you
will remember and which will not be used for anything else.
Administration port [9830]:
==============================================================================
The interactive phase is complete. The script will now set up your
servers. Enter No or go Back if you want to change something.
Are you ready to set up your servers? [yes]:
Creating directory server . . .
Your new DS instance 'ms389' was successfully created.
Creating the configuration directory server . . .
Beginning Admin Server creation . . .
Creating Admin Server files and directories . . .
Updating adm.conf . . .
Updating admpw . . .
Registering admin server with the configuration directory server . . .
Updating adm.conf with information from configuration directory server . . .
Updating the configuration for the httpd engine . . .
Starting admin server . . .
output: Starting dirsrv-admin:
output: [ OK ]
The admin server was successfully started.
Admin server was successfully created, configured, and started.
Exiting . . .
Log file is '/tmp/setupIHkrXh.log'
Make the LDAP server daemon to start automatically on every reboot
[root@ms389~]# service dirsrv status
dirsrv ms389 (pid 2288) is running...
[root@ms389~]# service dirsrv-admin status
dirsrv-admin
(pid 2414) is running...
[root@ms389~]# chkconfig dirsrv on
[root@ms389~]# chkconfig dirsrv-admin on
[root@ms389~]# ldapsearch -x -b "dc=example,dc=com"
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# example.com
dn: dc=example,dc=com
objectClass: top
objectClass: domain
dc: example
# Directory Administrators, example.com
dn: cn=Directory Administrators,dc=example,dc=com
objectClass: top
objectClass: groupofuniquenames
cn: Directory Administrators
uniqueMember: cn=Directory Manager
# Groups, example.com
dn: ou=Groups,dc=example,dc=com
objectClass: top
objectClass: organizationalunit
ou: Groups
# People, example.com
dn: ou=People,dc=example,dc=com
objectClass: top
objectClass: organizationalunit
ou: People
# Special Users, example.com
dn: ou=Special Users,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Special Users
description: Special Administrative Accounts
# Accounting Managers, Groups, example.com
dn: cn=Accounting Managers,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: Accounting Managers
ou: groups
description: People who can manage accounting entries
uniqueMember: cn=Directory Manager
# HR Managers, Groups, example.com
dn: cn=HR Managers,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: HR Managers
ou: groups
description: People who can manage HR entries
uniqueMember: cn=Directory Manager
# QA Managers, Groups, example.com
dn: cn=QA Managers,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: QA Managers
ou: groups
description: People who can manage QA entries
uniqueMember: cn=Directory Manager
# PD Managers, Groups, example.com
dn: cn=PD Managers,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: PD Managers
ou: groups
description: People who can manage engineer entries
uniqueMember: cn=Directory Manager
# search result
search: 2
result: 0 Success
# numResponses: 10
# numEntries: 9
Creating Users from the Command-Line
[root@ms389 ~]# ldapadd -a -D "cn=Directory Manager" -W -p 389 -h localhost -f jhon.ldif
Enter LDAP Password:
adding new entry "uid=jhon,ou=People,dc=example,dc=com"
Befor adding new user first create concern ldif file
[root@ms389 ~]# cat jhon.ldif
dn: uid=jhon,ou=People,dc=example,dc=com
uid: jhon
givenName: jhon
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
sn: jhon
cn: jhon
[root@ms389 ~]# ldapsearch -x "uid=jhon"
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> (default) with scope subtree
# filter: uid=jhon
# requesting: ALL
#
# jhon, People, example.com
dn: uid=jhon,ou=People,dc=example,dc=com
uid: jhon
givenName: jhon
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
sn: jhon
cn: jhon
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
[root@ms389 ~]# ldapadd -a -D "cn=Directory Manager" -W -p 389 -h localhost -f apple.ldif
Enter LDAP Password:
adding new entry "uid=apple,ou=People,dc=example,dc=com"
[root@ms389 ~]# cat apple.ldif
dn: uid=apple,ou=People,dc=example,dc=com
givenName: apple
sn: apple
uidNumber: 1000
gidNumber: 1000
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixaccount
uid: apple
cn: apple
homeDirectory: /home/apple
[root@ms389 ~]# ldapsearch -x "uid=apple"
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> (default) with scope subtree
# filter: uid=apple
# requesting: ALL
#
# apple, People, example.com
dn: uid=apple,ou=People,dc=example,dc=com
givenName: apple
sn: apple
uidNumber: 1000
gidNumber: 1000
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixaccount
uid: apple
cn: apple
homeDirectory: /home/apple
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
Delete User from command line using ldapdelete command
[root@ms389 ~]# ldapdelete -D "cn=Directory Manager" -p 389 -h localhost -W "uid=delme,ou=People,dc=example,dc=com"
Enter LDAP Password:
Add new entry for existing user "apple"
[root@ms389 ~]# ldapmodify -D "cn=Directory Manager" -W -p 389 -h localhost -f modify.ldif
[root@ms389 ~]# cat modify.ldif
dn: uid=apple,ou=People,dc=example,dc=com
changetype: modify
add: telephonenumber
telephonenumber: 505 555 6617
telephonenumber: 505 555 4352
Manage 389 ds with Admin Server Console:
To access 389 ds admin console locally, type 389-console command in terminal. By using this 389 console you can create, delete or edit LDAP organizational units, groups and users graphically.
Manage 389 ds with Admin Server Console:
To access 389 ds admin console locally, type 389-console command in terminal. By using this 389 console you can create, delete or edit LDAP organizational units, groups and users graphically.
[root@ms389~]# 389-console
Client Side Configuration:-
[root@ms389 ~]# yum install authconfig-* sssd -y
Note :- Don't install any nss-pam-ldapd packages or ldapd or anything
[root@ms389 ~]# authconfig-gtk
Starting sssd: [ OK ]
Select User Account Database as LDAP after that enter the base dn & ldap server hostname
then finally click apply it will start the sssd service,
Please see the /etc/sssd/sssd.conf it look similar to this
[root@ms389 ~]# cat /etc/sssd/sssd.conf
[domain/default]
ldap_id_use_start_tls = False
cache_credentials = True
ldap_search_base = dc=example,dc=com
krb5_realm = EXAMPLE.COM
krb5_server = kerberos.example.com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://ms389.example.com/
ldap_tls_cacertdir = /etc/openldap/cacerts
[sssd]
services = nss, pam
config_file_version = 2
domains = default
[nss]
[pam]
[sudo]
[autofs]
[ssh]
[pac]
Note:- The passwd, shadow, and group sections of /etc/nsswitch.conf to be "files sss". Do not use "files ldap".
[root@ms389 ~]# cat /etc/nsswitch.conf
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Valid entries include:
#
# nisplus Use NIS+ (NIS version 3)
# nis Use NIS (NIS version 2), also called YP
# dns Use DNS (Domain Name Service)
# files Use the local files
# db Use the local database (.db) files
# compat Use NIS on compat mode
# hesiod Use Hesiod for user lookups
# [NOTFOUND=return] Stop searching if not found so far
#
# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd: db files nisplus nis
#shadow: db files nisplus nis
#group: db files nisplus nis
passwd: files sss
shadow: files sss
group: files sss
#hosts: db files nisplus nis dns
hosts: files dns
# Example - obey only what nisplus tells us...
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files sss
netgroup: files sss
publickey: nisplus
automount: files ldap
aliases: files nisplus
Check the LDAP setup is ready
[root@ms389 ~]# getent passwd apple
apple:*:1000:1000:apple:/home/apple:
[root@ms389 ~]# id apple
uid=1000(apple) gid=1000 groups=1000
