OpenLDAP + NFS + Automount = Complete Identity Solution

Well, we have lots of identity solutions these days, ready to use out of the box with very few configuration changes. But be it MS Windows Active Directory, Red Hat Directory Server or IBM Tivoli Identity Manager, they are all built on the rock-solid LDAP protocol. Still, I have seen people using plain OpenLDAP in Open Source projects as well as in critical commercial environments.

I thought of setting up my own OpenLDAP server in my home lab, just for fun and to get a more in-depth knowledge of it. As always, I felt like sharing the knowledge I gained and the issues I came across.

I am using RHEL 6.2 on both the server and the clients.

Setting up the server:

1. Install the required packages

yum install openldap*

2. cd /etc/openldap/slapd.d
   find ./ -type f | xargs grep "dc=my-domain,dc=com"

This will usually point to the ./cn=config/olcDatabase={2}bdb.ldif file.
Open that file in vi and replace the stock domain name with yours:

:%s/my\-domain/vmnet/g

3. Change the domain admin's user name from Manager to root, so that the line looks like this

olcRootDN: cn=root,dc=vmnet,dc=com

4. Press CTRL+Z while in vi to suspend the editor and run slappasswd to generate the hash for the domain admin's password (root in this case). The output is a salted SHA-1 ({SSHA}) value; do not put a cleartext password in this file.

5. Copy the hash string and type 'fg' to resume the vi session. Add a new line after the olcRootDN directive carrying the hash, like this

olcRootPW: {SSHA}wIEjnTE+CU6U1KsU5pGdcmEyqZ/jTsbt

6. At this point, you may check if the configs are fine by running the following command

slaptest -u

-u runs slaptest in dry-run mode, so it does not try to open or create the database files; that is fine at this point as we are yet to create them. Note that later OpenLDAP 2.4 releases add a CRC32 checksum header to the files under slapd.d and log a checksum warning when they have been edited by hand, so on newer servers the supported way to make these changes is ldapmodify against cn=config over ldapi:///.

7. Now, we need to install the migrationtools package to migrate the existing local users, groups, etc. into LDAP

yum install migrationtools -y

8. cd to /usr/share/migrationtools/ and edit the following lines in the migrate_common.ph file to reflect the correct domain name

# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "vmnet.com";

# Default base
$DEFAULT_BASE = "dc=vmnet,dc=com";

9. Run the migrate_all_offline.sh script to build the LDAP databases out of the local users, groups, etc. (slapd must not be running yet; the script loads the data with slapadd). Be aware that it takes everything in /etc/passwd, /etc/group and friends, including the system accounts (root, bin, daemon, ...) and the password hashes from /etc/shadow, which land in the directory as {crypt} userPassword values. If you would rather review and trim the data first, generate the LDIF with migrate_base.pl, migrate_passwd.pl /etc/passwd and migrate_group.pl /etc/group, delete the system accounts from it, and load the result with slapadd -l.

10. Now, change the owner of the newly created files in /var/lib/ldap directory

chown -R ldap:ldap /var/lib/ldap/*

11. Start the slapd service and enable it at boot

service slapd start
chkconfig --level 35 slapd on

12. Open up LDAP port 389 on iptables. The stock slapd listens on TCP only (connectionless LDAP over UDP is a compile-time option that the packaged build does not enable), so a UDP rule is not needed. Remember that plain 389 carries simple binds, i.e. the users' passwords from pam_ldap, in cleartext; limit the source to your client subnet and set up TLS (olcTLSCertificateFile and olcTLSCertificateKeyFile in cn=config, or ldaps on 636) before taking this beyond a lab. Run service iptables save afterwards so the rule survives a reboot.

iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT

13. At this point, you should be able to see the objects in the LDAP domain using the slapcat command, which reads the database files directly. Also query the server over the wire with ldapsearch -x -b dc=vmnet,dc=com without binding, which is exactly what an unauthenticated client sees: if the userPassword hashes come back, add an olcAccess rule to the {2}bdb database that grants userPassword by self write, by anonymous auth and by * none before pointing any client at the server.
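Before any client is pointed at the server, it is worth looking at what migrate_all_offline.sh actually loaded. The following Python script is an example added to this post (not part of OpenLDAP or migrationtools): it reads LDIF as produced by slapcat or ldapsearch, lists posixAccount entries whose uidNumber is below RHEL 6's UID_MIN of 500 (system accounts that do not belong in the directory), and lists every entry whose userPassword value is present in the output. Run it over slapcat output on the server to find the migrated system accounts, and over the output of an anonymous ldapsearch -x -LLL -b dc=vmnet,dc=com taken from a client to see whether password hashes are readable without authentication. The embedded sample is constructed to look like slapcat output for this post's domain; the user alice and the hashes are made up.

```python
#!/usr/bin/env python3
"""Audit an LDIF dump (slapcat / ldapsearch output) after migrationtools.

Example added to this post; not code from OpenLDAP or migrationtools.
Reports posixAccount entries with a system uidNumber and entries whose
userPassword is visible in the dump.
"""
import base64
import sys

UID_MIN = 500  # RHEL 6 /etc/login.defs default: uids below this are system accounts


def parse_ldif(text):
    """Minimal RFC 2849 reader: returns a list of (dn, {attr_lowercase: [values]}).

    Handles folded lines (leading space), base64 values ("attr:: ...") and
    comment / version lines, which is all slapcat and ldapsearch output needs.
    """
    entries, record = [], []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and record:      # folded continuation of the previous line
            record[-1] += raw[1:]
        elif raw == "":                          # blank line terminates a record
            if record:
                entries.append(_record_to_entry(record))
                record = []
        elif not (raw.startswith("#") or raw.startswith("version:")):
            record.append(raw)
    return entries


def _record_to_entry(lines):
    dn, attrs = None, {}
    for line in lines:
        name, _, value = line.partition(":")
        if value.startswith(":"):                # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name.lower(), []).append(value)
    return dn, attrs


def audit(entries, uid_min=UID_MIN):
    """Return the DNs of migrated system accounts and of entries exposing a hash."""
    system_accounts, password_exposed = [], []
    for dn, attrs in entries:
        uid_numbers = attrs.get("uidnumber")
        if uid_numbers and int(uid_numbers[0]) < uid_min:
            system_accounts.append(dn)
        if attrs.get("userpassword"):
            password_exposed.append(dn)
    return {"system_accounts": system_accounts, "password_exposed": password_exposed}


def _b64(s):
    return base64.b64encode(s.encode("utf-8")).decode("ascii")


# Constructed sample in slapcat style for this post's domain; the hashes are fake.
SAMPLE_SLAPCAT = """\
dn: dc=vmnet,dc=com
dc: vmnet
objectClass: top
objectClass: domain

dn: ou=People,dc=vmnet,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: uid=root,ou=People,dc=vmnet,dc=com
uid: root
cn: root
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: %s
loginShell: /bin/bash
uidNumber: 0
gidNumber: 0
homeDirectory: /root

dn: uid=bin,ou=People,dc=vmnet,dc=com
uid: bin
cn: bin
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}*
loginShell: /sbin/nologin
uidNumber: 1
gidNumber: 1
homeDirectory: /bin

dn: uid=alice,ou=People,dc=vmnet,dc=com
uid: alice
cn: Alice Example
description: Regular user migrated from /etc/passwd on the
  LDAP server
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: %s
loginShell: /bin/bash
uidNumber: 500
gidNumber: 500
homeDirectory: /home/users/alice
""" % (_b64("{crypt}$6$saltsalt$fakehash"), _b64("{crypt}$6$othersalt$fakehash"))


if __name__ == "__main__":
    # usage: audit_ldif.py [dump.ldif]; with no argument the constructed sample is audited
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SLAPCAT
    for kind, dns in audit(parse_ldif(data)).items():
        print("%s (%d):" % (kind, len(dns)))
        for dn in dns:
            print("  " + dn)
```

On the sample, root and bin show up as system accounts and all three accounts show their hash, which is what slapcat always shows since it bypasses ACLs; the anonymous ldapsearch dump is the one where an empty password_exposed list is the goal.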

Setting up the client:

1. Install the following packages

yum install pam_ldap nss-pam-ldapd -y

2. Run authconfig-tui, select LDAP for both User Information and Authentication, and select Next. You then have to provide the LDAP server (ldap://red.vmnet.com/) and your base DN (dc=vmnet,dc=com) in the Base DN field. Leave "Use TLS" unticked only in a lab: without it every login sends the user's password to the server in the clear, and the server set up above has no certificate configured yet.

===============================
Adding/removing/modifying LDAP objects
===============================

If you are not familiar with the LDIF file format, use slapcat or the migrate_passwd.pl script in the /usr/share/migrationtools directory to get an example.

Then you may execute something like the following (-x selects a simple bind; without it ldapadd tries a SASL bind, which fails on this setup):

ldapadd -x -W -D "cn=root,dc=vmnet,dc=com" < /tmp/testuser.ldif

Or else, you may install phpLDAPadmin to administer the LDAP server through the web. It needs httpd, php and php-ldap; phpLDAPadmin itself is not in the base RHEL repositories.

yum install httpd php php-ldap -y
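The two pieces of the manual workflow above, the {SSHA} hash that slappasswd produced for olcRootPW in step 4 of the server setup and the LDIF entry that ldapadd consumes here, are small enough to show in full. The Python below is an example added to this post, not code from OpenLDAP, slappasswd or migrationtools. It builds an {SSHA} value exactly the way slappasswd does (base64 of sha1(password + salt) followed by the 4-byte salt), verifies a password against such a value, and serializes a posixAccount entry with the same object classes migrate_passwd.pl uses, base64-encoding any attribute value that RFC 2849 does not allow as a plain string. The user bob, his UID/GID and password are made up; ou=People and /home/users follow the post.

```python
#!/usr/bin/env python3
"""Generate an OpenLDAP {SSHA} hash and a posixAccount LDIF entry for ldapadd.

Example added to this post; not code from OpenLDAP, slappasswd or migrationtools.
The user attributes in the usage block are made up.
"""
import base64
import hashlib
import hmac
import os
import sys


def ssha_hash(password, salt=None):
    """OpenLDAP-compatible {SSHA}: base64(sha1(password + salt) + salt), 4-byte salt by default."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check a cleartext password against an {SSHA} value such as olcRootPW."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]       # SHA-1 digest is 20 bytes, the rest is the salt
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def needs_base64(value):
    """RFC 2849: a value goes out as "attr:: <base64>" unless it is a SAFE-STRING,
    i.e. ASCII, free of NUL/CR/LF, and not starting with a space, ':' or '<'."""
    if not value:
        return False
    if value[0] in " :<":
        return True
    return any(ord(ch) > 127 or ch in "\0\r\n" for ch in value)


def ldif_line(name, value):
    if needs_base64(value):
        return "%s:: %s" % (name, base64.b64encode(value.encode("utf-8")).decode("ascii"))
    return "%s: %s" % (name, value)


def ldif_entry(dn, attrs):
    """Serialize one entry; attrs is a list of (name, value) pairs so order is preserved."""
    lines = [ldif_line("dn", dn)] + [ldif_line(name, value) for name, value in attrs]
    return "\n".join(lines) + "\n"


def posix_account(uid, uid_number, gid_number, full_name, password,
                  base="ou=People,dc=vmnet,dc=com", home_base="/home/users"):
    """Same object classes migrate_passwd.pl emits, with an {SSHA} hash instead of the
    {crypt} one copied from /etc/shadow."""
    attrs = [
        ("objectClass", "top"),
        ("objectClass", "account"),
        ("objectClass", "posixAccount"),
        ("objectClass", "shadowAccount"),
        ("uid", uid),
        ("cn", full_name),
        ("uidNumber", str(uid_number)),
        ("gidNumber", str(gid_number)),
        ("homeDirectory", "%s/%s" % (home_base, uid)),
        ("loginShell", "/bin/bash"),
        ("userPassword", ssha_hash(password)),
    ]
    return ldif_entry("uid=%s,%s" % (uid, base), attrs)


if __name__ == "__main__":
    # Made-up user; pipe the output into
    #   ldapadd -x -W -D "cn=root,dc=vmnet,dc=com" -H ldap://red.vmnet.com
    sys.stdout.write(posix_account("bob", 501, 501, "Bob Example", "changeme"))
```

ssha_verify also works against the olcRootPW value from step 5 (its 32 base64 characters decode to 20 digest bytes plus the 4-byte salt), which is a handy way to confirm a hash you are about to paste into cn=config before restarting slapd.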

============================================
Getting user’s home directory automatically mounted on client
============================================

It's better to create a separate home directory tree for the LDAP users; /home/users is what I chose.

Share it through the NFS server, i.e. in /etc/exports:

/home/users   10.0.1.0/24(rw,no_root_squash,sync,no_wdelay)

One caveat: no_root_squash is not needed for home directories and means that root on any host in 10.0.1.0/24 is root on the export, free to read and rewrite every user's files and ssh keys. root_squash is the default, so simply dropping the option is the safer form for anything beyond a lab.
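A quick audit of export lines like the one above, as an added example (Python, written for this post; not part of nfs-utils): it parses /etc/exports, flags the options that widen trust (no_root_squash, insecure, wildcard hostnames, and exports to every host, including the easily missed space before the "(" which exports(5) treats as an export to the world), and prints the hardened form of each offending line. The sample exports file is constructed; only the /home/users line comes from this post.

```python
#!/usr/bin/env python3
"""Audit /etc/exports for options that widen who is root or who may mount.

Example added to this post; not part of nfs-utils. The sample is constructed
around the /home/users export from the post plus a few common mistakes.
"""
import sys

CODES = {
    "world": "exported to every host",
    "wildcard": "wildcard hostname match; any host whose reverse DNS fits qualifies",
    "no_root_squash": "root on the client is root on the export",
    "insecure": "requests accepted from unprivileged source ports",
}
WEAK_OPTIONS = {"no_root_squash", "insecure"}   # root_squash and secure are the defaults


def parse_exports(text):
    """Return [(path, [(client, [options])])].

    Handles comments, '*' clients, clients without options, and a space before
    '(' (an empty client), which exports(5) treats as an export to everyone.
    """
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        clients = []
        for tok in parts[1:]:
            client, _, opts = tok.partition("(")
            options = [o for o in opts.rstrip(")").split(",") if o]
            clients.append((client or "*", options))
        exports.append((parts[0], clients))
    return exports


def audit_exports(exports):
    """Return (path, client, code) findings; CODES explains each code."""
    findings = []
    for path, clients in exports:
        for client, options in clients:
            if client == "*":
                findings.append((path, client, "world"))
            elif "*" in client or "?" in client:
                findings.append((path, client, "wildcard"))
            for opt in ("no_root_squash", "insecure"):
                if opt in options:
                    findings.append((path, client, opt))
    return findings


def harden(path, clients):
    """Rewrite one export without the weak options; since root_squash and secure are
    defaults, dropping them is enough. A '*' client is left for the admin to narrow."""
    fixed = []
    for client, options in clients:
        kept = [o for o in options if o not in WEAK_OPTIONS]
        fixed.append("%s(%s)" % (client, ",".join(kept)) if kept else client)
    return "%s %s" % (path, " ".join(fixed))


# Constructed sample; only the first export line is from the post.
SAMPLE_EXPORTS = """\
/home/users   10.0.1.0/24(rw,no_root_squash,sync,no_wdelay)
/srv/iso      *(ro,sync)
/srv/scratch  (rw,sync)          # space before '(' exports to everyone
/srv/build    *.vmnet.com(rw,insecure)
"""


if __name__ == "__main__":
    # usage: audit_exports.py [/etc/exports]; with no argument the sample is audited
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_EXPORTS
    exports = parse_exports(data)
    for path, client, code in audit_exports(exports):
        print("%s %s: %s" % (path, client, CODES[code]))
    flagged = {p for p, _, _ in audit_exports(exports)}
    for path, clients in exports:
        if path in flagged:
            print("suggested: " + harden(path, clients))
```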

Now, on the client side, configure autofs:

1. In the /etc/auto.master file, add the following

/home/users   /etc/auto.home

2. Create the /etc/auto.home file and add the following

*       -fstype=nfs     red.vmnet.com:/home/users/&

3. Create the /home/users directory

With this approach there is no clash between a local user and an LDAP user logged in on the same client machine, as they live in separate home directory trees. Had the map been attached to /home instead, a local user would lose access to their home directory as soon as autofs took over /home to mount an LDAP user's home.

Now, you are highly likely to run into permission issues on the users' home directories if you have not already configured how IDs should match. A plain -fstype=nfs mount on RHEL 6 negotiates NFSv4 where the server offers it, and NFSv4 sends file owners over the wire as user@domain rather than as numeric IDs; rpc.idmapd on each side maps those names back to UIDs, and if the two sides disagree on the domain everything shows up as nobody/nfsnobody. /etc/idmapd.conf on the client (and on the server) is therefore what you need to concentrate on. The Domain must be identical on both sides. With the default Method = nsswitch the names are resolved through NSS, which after authconfig already points at LDAP, so no LDAP settings are needed in this file; the LDAP_server and LDAP_base keys only apply when Method is set to umich_ldap, and then they belong in the [UMICH_SCHEMA] section, not under [Translation].

[General]
Domain = vmnet.com

Now, restart the rpcidmapd service

service rpcidmapd restart

You may then ask the users to set up ssh keys, and they will be able to log in to any of the LDAP clients.

That’s about it!!


About admin_xor

Un*x/Linux junkie, loves to program, automate, automate and automate

One Response to OpenLDAP + NFS + Automount = Complete Identity Solution

  1. Mohammad says:

    Good stuff, man. You provided some help for my assignment. I have to configure an environment where the user logs in through LDAP and gets a home directory through NFS, and that is precisely what you have done.
    Thanks,
