Wednesday 30 September 2015

389 directory server configuration in RHEL/CentOS

LDAP Server configuration using 389 Directory Server

Setup Details:-
OperatingSystem    : RHEL 6.5 server
Hostname                : ms389.example.com
IPAddress               : 172.66.249.3/16
Selinux is Enabled:-
[root@ms389~]# getenforce


Enforcing


[root@ms389~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4


::1 localhost localhost.localdomain localhost6 localhost6.localdomain6


172.66.249.3 ms389.example.com ms389


IPtables Configuration:



[root@ms389~]#iptables -L



Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ldap
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ldaps
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:9830
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination




  Save and Restart iptables service:





 [root@ms389~]#service iptables save



 [root@ms389~]#service iptables restart











Performance and Security tuning for LDAP server:-



sysctl is used to set advanced security options of the TCP/IP stack and Virtual Memory to improve security, performance of the system. Also it is used to prevent certain kinds of attacks like spoofing attack,syn flood attack etc..



sysctl settings are stored in /etc/sysctl.conf and are loaded at each boot before /etc/rc.d/rc.local file is loaded.



Sysctcl command is used to modify kernel parameters at runtime



[root@ms389~]# vim /etc/sysctl.conf



Add the following lines at the bottom of this file



net.ipv4.tcp_keepalive_time = 300



net.ipv4.ip_local_port_range = 1024 65000



fs.file-max = 64000



[root@ms389~]# cat /etc/sysctl.conf

# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled.  See sysctl(8) and
# sysctl.conf(5) for more details.

# Controls IP packet forwarding
net.ipv4.ip_forward = 0

# Controls source route verification
net.ipv4.conf.default.rp_filter = 1

# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0

# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1

# Controls the use of TCP syncookies
net.ipv4.tcp_syncookies = 1

# Disable netfilter on bridges.
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0

# Controls the default maxmimum size of a mesage queue
kernel.msgmnb = 65536

# Controls the maximum size of a message, in bytes
kernel.msgmax = 65536

# Controls the maximum shared segment size, in bytes
kernel.shmmax = 68719476736

# Controls the maximum number of shared memory segments, in pages
kernel.shmall = 4294967296

net.ipv4.tcp_keepalive_time = 300
net.ipv4.ip_local_port_range = 1024 65000
fs.file-max = 64000


To view current parameter values



[root@ms389~]# sysctl -a



To load parameter setting:



[root@ms389~]# sysctl -p



Edit file “/etc/security/limits.conf”,

limits.conf is the configuration file for the pam_limits module, this is the files used to set program limits in linux.







*  →  all users except root{ because root will not include}



nofile →  maximum number of open files




[root@ms389~]# cat /etc/security/limits.conf



# /etc/security/limits.conf
#
#Each line describes a limit for a user in the form:
#
#<domain>        <type>  <item>  <value>
#
#Where:
#<domain> can be:
#        - an user name
#        - a group name, with @group syntax
#        - the wildcard *, for default entry
#        - the wildcard %, can be also used with %group syntax,
#                 for maxlogin limit
#
#<type> can have the two values:
#        - "soft" for enforcing the soft limits
#        - "hard" for enforcing hard limits
#
#<item> can be one of the following:
#        - core - limits the core file size (KB)
#        - data - max data size (KB)
#        - fsize - maximum filesize (KB)
#        - memlock - max locked-in-memory address space (KB)
#        - nofile - max number of open files
#        - rss - max resident set size (KB)
#        - stack - max stack size (KB)
#        - cpu - max CPU time (MIN)
#        - nproc - max number of processes
#        - as - address space limit (KB)
#        - maxlogins - max number of logins for this user
#        - maxsyslogins - max number of logins on the system
#        - priority - the priority to run user process with
#        - locks - max number of file locks the user can hold
#        - sigpending - max number of pending signals
#        - msgqueue - max memory used by POSIX message queues (bytes)
#        - nice - max nice priority allowed to raise to values: [-20, 19]
#        - rtprio - max realtime priority
#
#<domain>      <type>  <item>         <value>
#

#*               soft    core            0
#*               hard    rss             10000
#@student        hard    nproc           20
#@faculty        soft    nproc           20
#@faculty        hard    nproc           50
#ftp             hard    nproc           0
#@student        -       maxlogins       4

# End of file
*               soft     nofile          8192
*               hard     nofile          8192










Edit file “/etc/profile”,
[root@ms389~]# vim /etc/profile


ulimit -n 8192



Edit file “/etc/pam.d/login”,
[root@ms389~]# vim /etc/pam.d/login



[root@ms389~]# cat /etc/pam.d/login



#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
session    optional     pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      system-auth
-session   optional     pam_ck_connector.so
session    required     /lib/security/pam_limits.so















Start Install 389 Directory Server :




Create a LDAP user account. 





[root@ms389~]# useradd adminuser




[root@ms389~]# passwd --stdin adminuser



Changing
password for user adminuser.



adminuser123



passwd: all authentication tokens updated successfully.


[root@ms389~]#yum install -y 389-ds openldap-clients


[root@ms389~]# setup-ds-admin.pl

==============================================================================
This program will set up the 389 Directory and Administration Servers.

It is recommended that you have "root" privilege to set up the software.
Tips for using this program:
  - Press "Enter" to choose the default and go to the next screen
  - Type "Control-B" then "Enter" to go back to the previous screen
  - Type "Control-C" to cancel the setup program

Would you like to continue with set up? [yes]:

==============================================================================
Your system has been scanned for potential problems, missing patches,
etc.  The following output is a report of the items found that need to
be addressed before running this software in a production
environment.

389 Directory Server system tuning analysis version 23-FEBRUARY-2012.

NOTICE : System is x86_64-unknown-linux2.6.32-431.el6.x86_64 (1 processor).

NOTICE : The net.ipv4.tcp_keepalive_time is set to 7200000 milliseconds
(120 minutes).  This may cause temporary server congestion from lost
client connections.

WARNING: There are only 1024 file descriptors (soft limit) available, which
limit the number of simultaneous connections.

WARNING  : The warning messages above should be reviewed before proceeding.

Would you like to continue? [no]: yes

==============================================================================
Choose a setup type:

   1. Express
       Allows you to quickly set up the servers using the most
       common options and pre-defined defaults. Useful for quick
       evaluation of the products.

   2. Typical
       Allows you to specify common defaults and options.

   3. Custom
       Allows you to specify more advanced options. This is
       recommended for experienced server administrators only.

To accept the default shown in brackets, press the Enter key.

Choose a setup type [2]:

==============================================================================
Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: eros.example.com.

To accept the default shown in brackets, press the Enter key.

Warning: This step may take a few minutes if your DNS servers
can not be reached or if DNS is not configured correctly.  If
you would rather not wait, hit Ctrl-C and run this program again
with the following command line option to specify the hostname:

    General.FullMachineName=your.hostname.domain.name


Computer name [ms389.example.com]:
==============================================================================
The servers must run as a specific user in a specific group.
It is strongly recommended that this user should have no privileges
on the computer (i.e. a non-root user).  The setup procedure
will give this user/group some permissions in specific paths/files
to perform server-specific operations.

If you have not yet created a user and group for the servers,
create this user and group using your native operating
system utilities.

System User [nobody]: adminuser
System Group [nobody]: adminuser

==============================================================================
Server information is stored in the configuration directory server.
This information is used by the console and administration server to
configure and manage your servers.  If you have already set up a
configuration directory server, you should register any servers you
set up or create with the configuration server.  To do so, the
following information about the configuration server is required: the
fully qualified host name of the form
<hostname>.<domainname>(e.g. hostname.example.com), the port number
(default 389), the suffix, the DN and password of a user having
permission to write the configuration information, usually the
configuration directory administrator, and if you are using security
(TLS/SSL).  If you are using TLS/SSL, specify the TLS/SSL (LDAPS) port
number (default 636) instead of the regular LDAP port number, and
provide the CA certificate (in PEM/ASCII format).

If you do not yet have a configuration directory server, enter 'No' to
be prompted to set up one.

Do you want to register this software with an existing
configuration directory server? [no]:

==============================================================================
Please enter the administrator ID for the configuration directory
server.  This is the ID typically used to log in to the console.  You
will also be prompted for the password.

Configuration directory server
administrator ID [admin]:
Password:
Password (confirm):

==============================================================================
The information stored in the configuration directory server can be
separated into different Administration Domains.  If you are managing
multiple software releases at the same time, or managing information
about multiple domains, you may use the Administration Domain to keep
them separate.

If you are not using administrative domains, press Enter to select the
default.  Otherwise, enter some descriptive, unique name for the
administration domain, such as the name of the organization
responsible for managing the domain.

Administration Domain [example.com]:

==============================================================================
The standard directory server network port number is 389.  However, if
you are not logged as the superuser, or port 389 is in use, the
default value will be a random unused port number greater than 1024.
If you want to use port 389, make sure that you are logged in as the
superuser, that port 389 is not in use.

Directory server network port [389]:

==============================================================================
Each instance of a directory server requires a unique identifier.
This identifier is used to name the various
instance specific files and directories in the file system,
as well as for other uses as a server instance identifier.

Directory server identifier [ms389]:

==============================================================================
The suffix is the root of your directory tree.  The suffix must be a valid DN.
It is recommended that you use the dc=domaincomponent suffix convention.
For example, if your domain is example.com,
you should use dc=example,dc=com for your suffix.
Setup will create this initial suffix for you,
but you may have more than one suffix.
Use the directory server utilities to create additional suffixes.

Suffix [dc=example, dc=com]:

==============================================================================
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and typically has a
bind Distinguished Name (DN) of cn=Directory Manager.
You will also be prompted for the password for this user.  The password must
be at least 8 characters long, and contain no spaces.
Press Control-B or type the word "back", then Enter to back up and start over.

Directory Manager DN [cn=Directory Manager]:
Password:
The password must be at least 8 characters long.  Please choose another one.

Password:
Password (confirm):

==============================================================================
The Administration Server is separate from any of your web or application
servers since it listens to a different port and access to it is
restricted.

Pick a port number between 1024 and 65535 to run your Administration
Server on. You should NOT use a port number which you plan to
run a web or application server on, rather, select a number which you
will remember and which will not be used for anything else.

Administration port [9830]:

==============================================================================
The interactive phase is complete.  The script will now set up your
servers.  Enter No or go Back if you want to change something.

Are you ready to set up your servers? [yes]:
Creating directory server . . .
Your new DS instance 'ms389' was successfully created.
Creating the configuration directory server . . .
Beginning Admin Server creation . . .
Creating Admin Server files and directories . . .
Updating adm.conf . . .
Updating admpw . . .
Registering admin server with the configuration directory server . . .
Updating adm.conf with information from configuration directory server . . .
Updating the configuration for the httpd engine . . .
Starting admin server . . .
output: Starting dirsrv-admin:
output:                                                    [  OK  ]
The admin server was successfully started.
Admin server was successfully created, configured, and started.
Exiting . . .
Log file is '/tmp/setupIHkrXh.log'








Make the LDAP server daemon to start automatically on every reboot





[root@ms389~]# service dirsrv status



dirsrv ms389 (pid 2288) is running...



[root@ms389~]# service dirsrv-admin status



dirsrv-admin
(pid 2414) is running...



[root@ms389~]# chkconfig dirsrv on



[root@ms389~]# chkconfig dirsrv-admin on



[root@ms389~]# ldapsearch -x -b "dc=example,dc=com"

# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# example.com
dn: dc=example,dc=com
objectClass: top
objectClass: domain
dc: example

# Directory Administrators, example.com
dn: cn=Directory Administrators,dc=example,dc=com
objectClass: top
objectClass: groupofuniquenames
cn: Directory Administrators
uniqueMember: cn=Directory Manager

# Groups, example.com
dn: ou=Groups,dc=example,dc=com
objectClass: top
objectClass: organizationalunit
ou: Groups

# People, example.com
dn: ou=People,dc=example,dc=com
objectClass: top
objectClass: organizationalunit
ou: People

# Special Users, example.com
dn: ou=Special Users,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Special Users
description: Special Administrative Accounts

# Accounting Managers, Groups, example.com
dn: cn=Accounting Managers,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: Accounting Managers
ou: groups
description: People who can manage accounting entries
uniqueMember: cn=Directory Manager

# HR Managers, Groups, example.com
dn: cn=HR Managers,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: HR Managers
ou: groups
description: People who can manage HR entries
uniqueMember: cn=Directory Manager

# QA Managers, Groups, example.com
dn: cn=QA Managers,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: QA Managers
ou: groups
description: People who can manage QA entries
uniqueMember: cn=Directory Manager

# PD Managers, Groups, example.com
dn: cn=PD Managers,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: PD Managers
ou: groups
description: People who can manage engineer entries
uniqueMember: cn=Directory Manager

# search result
search: 2
result: 0 Success

# numResponses: 10
# numEntries: 9


Creating Users from the Command-Line

[root@ms389 ~]# ldapadd -a -D "cn=Directory Manager" -W -p 389 -h localhost -f jhon.ldif 
Enter LDAP Password: 
adding new entry "uid=jhon,ou=People,dc=example,dc=com"

Befor adding new user first create concern ldif file

[root@ms389 ~]# cat jhon.ldif 
dn: uid=jhon,ou=People,dc=example,dc=com
uid: jhon
givenName: jhon
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
sn: jhon
cn: jhon

[root@ms389 ~]# ldapsearch -x "uid=jhon"
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> (default) with scope subtree
# filter: uid=jhon
# requesting: ALL
#

# jhon, People, example.com
dn: uid=jhon,ou=People,dc=example,dc=com
uid: jhon
givenName: jhon
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
sn: jhon
cn: jhon

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1 

[root@ms389 ~]# ldapadd -a -D "cn=Directory Manager" -W -p 389 -h localhost -f apple.ldif
Enter LDAP Password:
adding new entry "uid=apple,ou=People,dc=example,dc=com"

[root@ms389 ~]# cat apple.ldif
dn: uid=apple,ou=People,dc=example,dc=com
givenName: apple
sn: apple
uidNumber: 1000
gidNumber: 1000
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixaccount
uid: apple
cn: apple
homeDirectory: /home/apple


[root@ms389 ~]# ldapsearch -x "uid=apple"
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> (default) with scope subtree
# filter: uid=apple
# requesting: ALL
#

# apple, People, example.com
dn: uid=apple,ou=People,dc=example,dc=com
givenName: apple
sn: apple
uidNumber: 1000
gidNumber: 1000
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixaccount
uid: apple
cn: apple
homeDirectory: /home/apple

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Delete User from command line using ldapdelete command

[root@ms389 ~]# ldapdelete -D "cn=Directory Manager" -p 389 -h localhost -W "uid=delme,ou=People,dc=example,dc=com"
Enter LDAP Password:

Add new entry for existing user "apple"
[root@ms389 ~]# ldapmodify -D "cn=Directory Manager" -W -p 389 -h localhost -f modify.ldif

[root@ms389 ~]# cat modify.ldif 
dn: uid=apple,ou=People,dc=example,dc=com 
changetype: modify
add: telephonenumber
telephonenumber: 505 555 6617
telephonenumber: 505 555 4352


 Manage 389 ds with Admin Server Console:
To access 389 ds admin console locally, type 389-console command in terminal. By using this 389 console you can create, delete or edit LDAP organizational units, groups and users graphically.


Manage 389 ds with Admin Server Console:



To access 389 ds admin console locally, type 389-console command in terminal. By using this 389 console you can create, delete or edit LDAP organizational units, groups and users graphically.



[root@ms389~]# 389-console



































































































































































Client Side Configuration:-



[root@ms389 ~]# yum install authconfig-* sssd -y

Note :-  Don't install any nss-pam-ldapd packages or ldapd or anything

[root@ms389 ~]# authconfig-gtk

Starting sssd:                                             [  OK  ]













Select User Account Database as LDAP after that enter the base dn & ldap server hostname

then finally click apply it will start the sssd service,

Please see the /etc/sssd/sssd.conf it look similar to this

[root@ms389 ~]# cat /etc/sssd/sssd.conf

[domain/default]



ldap_id_use_start_tls = False

cache_credentials = True

ldap_search_base = dc=example,dc=com

krb5_realm = EXAMPLE.COM

krb5_server = kerberos.example.com

id_provider = ldap

auth_provider = ldap

chpass_provider = ldap

ldap_uri = ldap://ms389.example.com/

ldap_tls_cacertdir = /etc/openldap/cacerts

[sssd]

services = nss, pam

config_file_version = 2



domains = default

[nss]



[pam]



[sudo]



[autofs]



[ssh]



[pac]



Note:- The passwd, shadow, and group sections of /etc/nsswitch.conf to be "files sss". Do not use "files ldap".



[root@ms389 ~]# cat /etc/nsswitch.conf

#

# /etc/nsswitch.conf

#

# An example Name Service Switch config file. This file should be

# sorted with the most-used services at the beginning.

#

# The entry '[NOTFOUND=return]' means that the search for an

# entry should stop if the search in the previous entry turned

# up nothing. Note that if the search failed due to some other reason

# (like no NIS server responding) then the search continues with the

# next entry.

#

# Valid entries include:

#

# nisplus   Use NIS+ (NIS version 3)

# nis   Use NIS (NIS version 2), also called YP

# dns   Use DNS (Domain Name Service)

# files   Use the local files

# db   Use the local database (.db) files

# compat   Use NIS on compat mode

# hesiod   Use Hesiod for user lookups

# [NOTFOUND=return] Stop searching if not found so far

#



# To use db, put the "db" in front of "files" for entries you want to be

# looked up first in the databases

#

# Example:

#passwd:    db files nisplus nis

#shadow:    db files nisplus nis

#group:     db files nisplus nis



passwd:     files sss

shadow:     files sss

group:      files sss



#hosts:     db files nisplus nis dns

hosts:      files dns



# Example - obey only what nisplus tells us...

#services:   nisplus [NOTFOUND=return] files

#networks:   nisplus [NOTFOUND=return] files

#protocols:  nisplus [NOTFOUND=return] files

#rpc:        nisplus [NOTFOUND=return] files

#ethers:     nisplus [NOTFOUND=return] files

#netmasks:   nisplus [NOTFOUND=return] files   



bootparams: nisplus [NOTFOUND=return] files



ethers:     files

netmasks:   files

networks:   files

protocols:  files

rpc:        files

services:   files sss



netgroup:   files sss



publickey:  nisplus



automount:  files ldap

aliases:    files nisplus





Check the LDAP setup is ready



[root@ms389 ~]# getent passwd apple

apple:*:1000:1000:apple:/home/apple:



[root@ms389 ~]# id apple



uid=1000(apple) gid=1000 groups=1000




















Posted by



at





No comments:
  


















Labels:

















        

      









Subscribe to:
Posts (Atom)