Configuring LDAP Authentication on CentOS 6.0

Introduction

This HOWTO describes how to configure a CentOS 6.0 system to use LDAP authentication as a centralized authentication system, including user authentication, group information and automatic mounting of home directories with automount maps. By implementing this HOWTO, your CentOS 6.0 systems will be able to utilize a central authentication schema with common home directories across all servers.

Recommended Server Configuration

In order to implement the centralized authentication scheme, two servers are required. The first should be a CentOS 6.0 server with the following specifications:

Note that the partitioning scheme is designed such that failures (such as log overruns) do not affect the ability to service clients. However, if you have a Network Install Server, you can use that to configure this server.

In addition, you will need an NFS server for handling home directories. I use FreeNAS for this purpose. OpenFiler is another open source option. Both of these products can use the LDAP database that you will set up within this HOWTO. Specifically, you will need to share out the home directories area in two ways:

Preparing for the Installation

Your NFS server and Authentication server should be registered in DNS before continuing. You will also need to decide on some basic configuration elements.

In these instructions, I will use the above mnemonics. However, in my install, I use:

You should replace YOUR-DOMAIN, BASE-DN and PASSWORD throughout these instructions. In addition, my NFS server is called "files.localdomain.com" and my authentication server is called "ldap.localdomain.com".

Install as root

All commands, except where noted, are entered as root on the authentication server. Refer to Becoming Root for more information.

Configuring the OpenLDAP Server

With the introduction of CentOS 6.0, the configuration of various servers, including OpenLDAP, was changed - in some cases, dramatically. Start by installing necessary packages:

yum -y install openldap openldap-servers openldap-clients perl

Configuration is no longer done by editing /etc/openldap/slapd.conf. Instead, slapd reads its configuration from objects within the directory itself (the cn=config database), which are pre-populated from the LDIF files under /etc/openldap/slapd.d. Normally those objects are changed with ldapmodify against cn=config, but since slapd is not running yet we can edit the files in place. The first loop rewrites the default suffix dc=my-domain,dc=com in every database file (it appears in the bdb database's olcSuffix and olcRootDN and in the monitor database's access list); the second appends an olcRootPW hash to the bdb database only; the last uncomments the SLAPD_* defaults in /etc/sysconfig/ldap so the listeners are set explicitly. To configure the OpenLDAP server for the domain, use the following:

cd /etc/openldap/slapd.d/cn\=config
# replace the default suffix everywhere it appears in the database definitions
for i in olcDatabase*; do
    perl -npe 's/dc=my-domain,dc=com/BASE-DN/' -i "$i"
done
# set the Manager (rootdn) password as an {SSHA} hash on the bdb database
for i in olcDatabase*bdb.ldif; do
    echo "olcRootPW: $(slappasswd -s PASSWORD)" >> "$i"
done
# enable the listener settings in the init script's defaults file
cd /etc/sysconfig
perl -npe 's/#SLAPD_/SLAPD_/' -i ldap

Note that slappasswd -s places the cleartext password on the command line, where it is visible in the process list and saved in your shell history. Running slappasswd without -s prompts for the password instead; paste the hash it prints into the olcRootPW line.

By default, slapd events are not logged at all, and those logs are the first thing you need when debugging. slapd logs to the syslog facility local4; use the following to send its messages to their own file:

echo "local4.* /var/log/slapd.log" >> /etc/rsyslog.conf
service rsyslog restart

Now that the configuration is in place, start the slapd process.

service slapd start
chkconfig slapd on

Review the log file /var/log/slapd.log for errors. They usually point at the configuration files you just changed.

Create the Initial Directory Information Tree

The default database has no structure, so you will have to create it yourself. My default structure has separate areas for users, groups and automount maps:

cat <<EOF >/root/initial-dit.ldif
dn: BASE-DN
dc: localdomain
o: localdomain
objectclass: dcObject
objectclass: organization
objectclass: top

dn: ou=Users, BASE-DN
ou: Users
objectclass: organizationalUnit

dn: ou=Groups, BASE-DN
ou: Groups
objectclass: organizationalUnit

dn: ou=Maps, BASE-DN
ou: Maps
objectclass: organizationalUnit
EOF
ldapadd -a -c -f /root/initial-dit.ldif -H ldap:/// -D "cn=Manager,BASE-DN" -W

Don't forget to replace BASE-DN with your base DN in this file, and change "localdomain" in the dc: and o: lines to the first component of your domain; the dc value has to match the first component of the DN, otherwise slapd rejects the root entry as a naming violation. The ldapadd command prompts for a password; this is the one you set as olcRootPW when configuring the OpenLDAP server earlier. If all goes well, you should see four lines indicating that the server added a new entry. If not, check the error messages and /var/log/slapd.log, fix the LDIF and retry the command.

If you are trying this command for a second time, it is possible that some of the entries succeeded the first time. In this case, the error message will indicate that the entry could not be added because it already exists. You can safely ignore this error message.
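Most mistakes at this stage come from the two manual edits getting out of step: BASE-DN in the dn: lines and the value in the dc: and o: lines. The shell functions below are an added example, not part of the original HOWTO: they derive the base DN from the DNS domain and render the same four entries from it, so the two always agree. The domain localdomain.com is the example value used elsewhere on this page.

```shell
#!/bin/sh
# Added example (not part of the original HOWTO): derive BASE-DN from a DNS
# domain and render the initial DIT LDIF from it, so the dn: lines and the
# dc:/o: values cannot drift apart.

# domain_to_basedn localdomain.com -> dc=localdomain,dc=com
# Rejects empty labels and characters that cannot appear in a DNS label.
domain_to_basedn() {
    case "$1" in
        ''|.*|*.|*..*|*[!A-Za-z0-9.-]*)
            echo "domain_to_basedn: invalid domain '$1'" >&2
            return 1 ;;
    esac
    printf 'dc=%s\n' "$1" | sed 's/\./,dc=/g'
}

# first_label localdomain.com -> localdomain  (the value for dc: and o:)
first_label() {
    printf '%s\n' "${1%%.*}"
}

# Print the root entry plus the Users, Groups and Maps organizational units.
initial_dit_ldif() {
    basedn=$(domain_to_basedn "$1") || return 1
    dc=$(first_label "$1")
    cat <<EOF
dn: $basedn
dc: $dc
o: $dc
objectClass: dcObject
objectClass: organization
objectClass: top

dn: ou=Users,$basedn
ou: Users
objectClass: organizationalUnit

dn: ou=Groups,$basedn
ou: Groups
objectClass: organizationalUnit

dn: ou=Maps,$basedn
ou: Maps
objectClass: organizationalUnit
EOF
}

# Usage on the authentication server, as root:
#   initial_dit_ldif localdomain.com > /root/initial-dit.ldif
#   ldapadd -c -f /root/initial-dit.ldif -H ldap:/// \
#       -D "cn=Manager,$(domain_to_basedn localdomain.com)" -W
```

The same domain_to_basedn value is what belongs in the perl substitution used on the slapd.d files, in the -D argument of every ldapadd on this page and in the client's authconfig call.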

Configuring the Automount Base Maps

The final piece of base configuration is to introduce the necessary base maps for the automounter. We will add individual maps for each user later on.

cat <<EOF >/root/initial-autofs.ldif
dn: nisMapName=auto.master,ou=Maps,BASE-DN
nisMapName: auto.master
objectclass: nisMap

dn: cn=/home,nisMapName=auto.master,ou=Maps,BASE-DN
cn: /home
objectClass: nisObject
nisMapName: auto.master
nisMapEntry: auto.home

dn: nisMapName=auto.home,ou=Maps,BASE-DN
nisMapName: auto.home
objectClass: nisMap

dn: cn=/,nisMapName=auto.home,ou=Maps,BASE-DN
cn: /
objectClass: nisObject
nisMapName: auto.home
nisMapEntry: -fstype=nfs,rw,hard,intr files.YOUR-DOMAIN:/export/home/&
EOF
ldapadd -a -f /root/initial-autofs.ldif -H ldap:/// -D "cn=Manager,BASE-DN" -W

As with the prior ldapadd, you will be prompted for the password and then the records will be added.

Testing the Configuration

At this point, pause and test the OpenLDAP server in isolation. You should receive two records from the following command - one for auto.master and one for auto.home:

ldapsearch -x -H ldap:/// -b BASE-DN "(objectclass=nisMap)"

Assuming all is ok, you can open up your server to the rest of your network. The rule below accepts LDAP from any source; restrict it with -s to the subnet your clients live on, because everything that can reach port 389 sees the binds in the clear and, with the stock access controls, can read every userPassword hash (the getent shadow output in the testing section below shows one). A rule added this way is also lost on reboot unless you persist it with service iptables save.

iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT
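Before opening the port, it is worth tightening what an anonymous client can read. The following is an added example, not part of the original HOWTO: it adds an access control on the bdb database that hides userPassword from everyone except the owner (who may change it) while still letting anonymous clients bind against it, which is all pam_ldap needs. It assumes the default database DN olcDatabase={2}bdb,cn=config, that the ldapi:/// listener is enabled (SLAPD_LDAPI=yes in /etc/sysconfig/ldap), and that the package's stock cn=config ACL, which lets the local root user manage cn=config over ldapi:///, has not been changed. After it is applied, the getent shadow command in the testing section no longer returns the hash; that is the intended result, and logins are unaffected because authentication works by binding as the user.

```shell
#!/bin/sh
# Added example, not from the original HOWTO. The CentOS 6 openldap-servers
# package ships no olcAccess for the bdb database, so slapd applies its
# built-in default "access to * by * read": anyone who can reach tcp/389 can
# read every userPassword hash with an anonymous search. This ACL lets a user
# change their own password, lets anyone bind against it (what pam_ldap needs)
# and hides it from everyone else, while the rest of the tree stays readable
# so nslcd and autofs keep working.
# Assumptions: database DN olcDatabase={2}bdb,cn=config (the default);
# ldapi:/// enabled (SLAPD_LDAPI=yes in /etc/sysconfig/ldap); stock cn=config
# ACL granting the local root user manage access over ldapi:///.

DB_DN=${DB_DN:-'olcDatabase={2}bdb,cn=config'}

# Print the cn=config modification. Lines starting with one space are LDIF
# continuation lines, so each olcAccess value is a single long rule.
userpassword_acl_ldif() {
    cat <<EOF
dn: $DB_DN
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
olcAccess: {1}to *
  by * read
EOF
}

# Apply it on the authentication server as root. Takes effect immediately,
# no slapd restart needed; undo with "changetype: modify / delete: olcAccess".
apply_userpassword_acl() {
    userpassword_acl_ldif | ldapmodify -Q -Y EXTERNAL -H ldapi:///
}

# Check from a client: an anonymous search must return the entry but no hash.
# usage: check_userpassword_hidden ldap://ldap.YOUR-DOMAIN/ "BASE-DN" ahall
check_userpassword_hidden() {
    out=$(ldapsearch -x -LLL -H "$1" -b "$2" "(uid=$3)" uid userPassword) || return 2
    case "$out" in
        *userPassword:*) echo "userPassword is still readable anonymously" >&2; return 1 ;;
        *uid:*)          return 0 ;;
        *)               echo "no entry for uid=$3 (wrong base DN?)" >&2; return 2 ;;
    esac
}
```

Run apply_userpassword_acl once on the server, then check_userpassword_hidden from a client; getent passwd and the automount maps keep working because the catch-all {1} rule still grants read on everything else.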

Creating User Records

In order to log in to a client system, you will need a user record with an auto.home record. Here is an example for my user ID "ahall":

cat <<EOF >/root/ahall.ldif
dn: cn=ahall, nisMapName=auto.home, ou=Maps, BASE-DN
cn: ahall
objectclass: nisObject
nisMapName: auto.home
nisMapEntry: -fstype=nfs,rw,hard,intr files.YOUR-DOMAIN:/export/home/ahall

dn: uid=ahall, ou=Users, BASE-DN
uid: ahall
displayName: Adrian Hall
cn: Adrian Hall
givenName: Adrian
sn: Hall
initials: AH
mail: ahall@YOUR-DOMAIN
uidNumber: 500
gidNumber: 100
homeDirectory: /home/ahall
loginShell: /bin/bash
gecos: Adrian Hall,,,,
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: shadowAccount
EOF
echo "userPassword: $(slappasswd -s TOPSECRET)" >> /root/ahall.ldif
ldapadd -a -f /root/ahall.ldif -H ldap:/// -D "cn=Manager,BASE-DN" -W

By now, you should be familiar with the usage of ldapadd. We introduce two records: one for the user, carrying everything you would normally place in /etc/passwd and /etc/shadow, and one that corresponds to the user's line in /etc/auto.home. The home directory itself is not created for you. Do this on the file server if you can; otherwise mount the export on the authentication server as below. Note that the export has to let root create files (root squashing must be off for this host), and that chown can only resolve the name ahall once this host has itself been configured as a client in the next section, so use the numeric IDs 500:100 until then. Mode 0755 lets every other user read the home directory; use 0700 if that is not what you want.

mount files:/export/home /mnt
cd /mnt
mkdir ahall
cp /etc/skel/.[a-z]* ahall
chown -R ahall:users ahall
chmod 0755 ahall
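Both the Manager password earlier and the userPassword above are stored as {SSHA} hashes produced by slappasswd. Two practical points about them: slappasswd -s puts the cleartext on the command line, where it shows up in the process list and the shell history (run slappasswd without -s and it prompts instead), and when a login fails it helps to check the stored hash against the password being typed without going through PAM. The functions below are an added example, not code from the original HOWTO; they reproduce the {SSHA} format (base64 of SHA-1(password || salt) followed by the salt, 4 random bytes by default) using only coreutils, so a value fetched with ldapsearch -D "cn=Manager,BASE-DN" -W -b BASE-DN "(uid=ahall)" userPassword can be verified offline.

```shell
#!/bin/sh
# Added example (not part of the original HOWTO): build and verify OpenLDAP
# {SSHA} password hashes offline with coreutils only. slappasswd emits
#   "{SSHA}" + base64( SHA1(password || salt) || salt ),  salt = 4 random bytes
# Use ssha_verify on a hash pulled from the directory to tell "wrong password"
# apart from "client cannot authenticate" when a login fails.

# hex2bin: write the hex string on stdin as raw bytes (POSIX sh, no xxd/openssl)
hex2bin() {
    hex=$(tr -d '\n')
    while [ -n "$hex" ]; do
        byte=${hex%"${hex#??}"}                  # first two hex digits
        hex=${hex#??}
        printf "\\$(printf '%03o' $((0x$byte)))"  # octal escape -> one byte
    done
}

# ssha_hash PASSWORD [SALT] -> prints {SSHA}...  (SALT defaults to 4 urandom bytes)
ssha_hash() {
    saltf=$(mktemp) || return 1
    if [ -n "${2-}" ]; then printf '%s' "$2" > "$saltf"; else head -c 4 /dev/urandom > "$saltf"; fi
    digest=$({ printf '%s' "$1"; cat "$saltf"; } | sha1sum | cut -d' ' -f1)
    printf '{SSHA}%s\n' "$({ printf '%s' "$digest" | hex2bin; cat "$saltf"; } | base64 | tr -d '\n')"
    rm -f "$saltf"
}

# ssha_verify '{SSHA}...' PASSWORD -> 0 on match, 1 on mismatch, 2 if malformed
ssha_verify() {
    case "$1" in '{SSHA}'*) ;; *) return 2 ;; esac
    raw=$(mktemp) || return 2
    if ! printf '%s' "${1#??????}" | base64 -d > "$raw" 2>/dev/null; then    # strip "{SSHA}"
        rm -f "$raw"; return 2
    fi
    if [ "$(wc -c < "$raw" | tr -d ' ')" -le 20 ]; then rm -f "$raw"; return 2; fi  # digest + salt
    stored=$(head -c 20 "$raw" | od -An -tx1 -v | tr -d ' \n')             # first 20 bytes: SHA-1
    calc=$({ printf '%s' "$2"; tail -c +21 "$raw"; } | sha1sum | cut -d' ' -f1)   # rest: the salt
    rm -f "$raw"
    if [ "$stored" = "$calc" ]; then return 0; else return 1; fi
}

# Usage:
#   h=$(ldapsearch -x -LLL -H ldap:/// -D "cn=Manager,BASE-DN" -W -b BASE-DN \
#         "(uid=ahall)" userPassword | sed -n 's/^userPassword: //p')
#   ssha_verify "$h" 'the password being typed' && echo match || echo no match
```

A hash that passes ssha_verify but still fails at login points at the client side (nslcd, pam_ldap or the firewall); one that fails here means the directory entry itself is wrong.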

Creating Group Records

Groups can also be stored in LDAP. However, their names and GIDs must not collide with entries already in /etc/group: the client consults files before ldap, so a local group with the same name or number wins and the LDAP group is never seen. Bear in mind that CentOS 6 hands out UIDs and GIDs from 500 upward to locally created accounts (UID_MIN and GID_MIN in /etc/login.defs), so a number like 500 is only safe if you know no client has a local account or group there. Once again, we create an LDIF file and then add it using ldapadd.

cat <<EOF >/root/grp-sysusers.ldif
dn: cn=sysusers, ou=Groups, BASE-DN
cn: sysusers
gidNumber: 500
memberUid: root
memberUid: ahall
description: Group can sudo without restriction
objectclass: posixGroup
EOF
ldapadd -a -f /root/grp-sysusers.ldif -H ldap:/// -D "cn=Manager,BASE-DN" -W

Once the client is installed (which is the next step), you should be able to add the following line to the sudoers file (using visudo):

%sysusers ALL=(ALL) ALL

This allows root and ahall to run any command through sudo, provided sudo is installed on the client and the client resolves the sysusers group through LDAP.
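The two records a user needs (the posixAccount and its auto.home nisObject) and the warning above about IDs colliding with local entries are easy to get wrong, and neither slapd nor ldapadd complains: the entry is valid LDAP, the client simply prefers /etc/passwd or never mounts the home directory. The script below is an added example, not part of the original HOWTO: it checks a user/group LDIF against copies of a client's /etc/passwd and /etc/group before you ldapadd it. The sample files it writes are constructed for the demonstration; the local account at uid/gid 500 is what useradd or the installer hands out to the first local user on CentOS 6, which is why the uidNumber 500 and gidNumber 500 used on this page collide on such a host.

```shell
#!/bin/sh
# Added example, not part of the original HOWTO: lint a user/group LDIF against
# a client's /etc/passwd and /etc/group before ldapadd. slapd accepts these
# records; the failures only show up on the client, where
#  - a uidNumber/gidNumber already present in the local files wins over LDAP
#    (nsswitch consults files before ldap), and
#  - a posixAccount with no matching auto.home nisObject logs in but never
#    gets /home/<user> mounted.
# usage: ldif_preflight FILE.ldif /etc/passwd /etc/group    (exit 0 = clean)

ldif_preflight() {
    awk -v passwd="$2" -v group="$3" '
    BEGIN {
        while ((getline line < passwd) > 0) { split(line, f, ":"); luid[f[3]] = f[1] }
        while ((getline line < group)  > 0) { split(line, f, ":"); lgid[f[3]] = f[1] }
        close(passwd); close(group)
        RS = ""; FS = "\n"; rc = 0            # paragraph mode: one LDIF entry per record
    }
    {
        for (k in a) delete a[k]
        oc = ""; k = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^ / && k != "") { a[k] = a[k] substr($i, 2); continue }   # folded line
            k = $i; sub(/:.*/, "", k)
            v = $i; sub(/^[^:]*: */, "", v)
            if (tolower(k) == "objectclass") { oc = oc " " tolower(v); k = "" } else a[k] = v
        }
        if (oc ~ / posixaccount/) {
            users[a["uid"]] = a["homeDirectory"]
            n = a["uidNumber"]
            if (n != "" && (n in luid)) { print "uidNumber " n " (" a["uid"] ") collides with local user " luid[n]; rc = 1 }
        }
        if (oc ~ / posixgroup/) {
            n = a["gidNumber"]
            if (n != "" && (n in lgid)) { print "gidNumber " n " (" a["cn"] ") collides with local group " lgid[n]; rc = 1 }
        }
        if (oc ~ / nisobject/ && a["nisMapName"] == "auto.home") maps[a["cn"]] = a["nisMapEntry"]
    }
    END {
        for (u in users) {
            if (users[u] != "/home/" u) { print "user " u ": homeDirectory " users[u] " is not /home/" u ", where auto.master mounts"; rc = 1 }
            if ("/" in maps) continue          # wildcard entry (cn=/ with /&) covers every user
            if (!(u in maps)) { print "user " u ": no auto.home entry"; rc = 1; continue }
            t = maps[u]; sub(/.*\//, "", t)
            if (t != u) { print "user " u ": auto.home entry exports " maps[u] " rather than .../" u; rc = 1 }
        }
        exit rc
    }' "$1"
}

# Constructed sample inputs (not real system files): a client that already has a
# local account and group at 500, plus this page's ahall/sysusers records.
write_fixture() {
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' 'centos:x:500:500:Local Admin:/home/centos:/bin/bash' > "$1/passwd"
    printf '%s\n' 'root:x:0:' 'users:x:100:' 'centos:x:500:' > "$1/group"
    cat > "$1/ahall.ldif" <<'EOF'
dn: cn=ahall,nisMapName=auto.home,ou=Maps,dc=localdomain,dc=com
cn: ahall
objectClass: nisObject
nisMapName: auto.home
nisMapEntry: -fstype=nfs,rw,hard,intr files.localdomain.com:/export/home/ahall

dn: uid=ahall,ou=Users,dc=localdomain,dc=com
uid: ahall
cn: Adrian Hall
uidNumber: 500
gidNumber: 100
homeDirectory: /home/ahall
loginShell: /bin/bash
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount

dn: cn=sysusers,ou=Groups,dc=localdomain,dc=com
cn: sysusers
gidNumber: 500
memberUid: ahall
objectClass: posixGroup
EOF
    # same records with IDs above the local range (should pass) ...
    sed -e 's/^uidNumber: 500$/uidNumber: 10000/' -e 's/^gidNumber: 500$/gidNumber: 10000/' "$1/ahall.ldif" > "$1/ok.ldif"
    # ... and without the automount entry (should fail)
    sed '/^dn: cn=ahall,nisMapName=auto.home/,/^$/d' "$1/ok.ldif" > "$1/nomap.ldif"
}

# ./preflight.sh --demo runs the lint over the constructed files
case "${1-}" in --demo) d=$(mktemp -d); write_fixture "$d"; ldif_preflight "$d/ahall.ldif" "$d/passwd" "$d/group"; rm -rf "$d" ;; esac
```

The gidNumber of a posixAccount is deliberately not checked against /etc/group: a user's primary group is often a local one, exactly as ahall's gidNumber 100 (users) is on this page.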

Configuring the Client

We have finally got a working OpenLDAP server. We now need to configure the client systems. Bear in mind that the OpenLDAP authentication server can also be a client of itself. The first step is to install necessary packages:

yum -y install openldap openldap-clients nss-pam-ldapd pam_ldap nscd autofs rpcbind nfs-utils

The authentication portion uses authconfig. Note that this sets up plain ldap:// on port 389, so bind credentials cross the network in the clear; adding TLS (--enableldaptls with a server certificate) is not covered by this HOWTO.

authconfig --enableldap --enableldapauth --ldapserver=ldap://ldap.YOUR-DOMAIN:389/ \
  --ldapbasedn="BASE-DN" --enablecache --disablefingerprint --kickstart

The automount part is a little more involved: point nsswitch at LDAP for the automount map and tell autofs where the maps live and which schema they use. The >> appends to /etc/sysconfig/autofs, so run this block only once:

perl -npe 's/^automount:.*/automount: ldap/' -i /etc/nsswitch.conf
cat <<EOF >>/etc/sysconfig/autofs
LDAP_URI="ldap://ldap.YOUR-DOMAIN:389/"
SEARCH_BASE="ou=Maps,BASE-DN"
MAP_OBJECT_CLASS="nisMap"
ENTRY_OBJECT_CLASS="nisObject"
MAP_ATTRIBUTE="nisMapName"
ENTRY_ATTRIBUTE="cn"
EOF
service nscd restart
service autofs start
chkconfig autofs on

I have a final additional step just in case DNS goes down - add the authentication server and file server to /etc/hosts.

cat <<EOF >>/etc/hosts
192.168.1.4    ldap.YOUR-DOMAIN ldap
192.168.1.5    files.YOUR-DOMAIN files
EOF

Adjust for your IP Address allocation.

Testing the Environment

You should be able to use the getent command at this point to obtain information about your user. Note that the shadow lookup returns the actual password hash; this is possible only because the stock access controls let anonymous clients read userPassword, which is also why port 389 should not be reachable beyond your own clients.

# getent passwd ahall
ahall:*:500:100:Adrian Hall,,,,:/home/ahall:/bin/bash
# getent shadow ahall
ahall:{SSHA}encrypted-stuff::::::::0

If this does not work, the problem is either with your LDAP server or with the client configuration that authconfig wrote (nslcd and the nsswitch/PAM settings). To determine which, do an ldapsearch for the user in question from the client:

ldapsearch -x -H ldap://ldap.YOUR-DOMAIN:389/ -b BASE-DN "(uid=ahall)"

If this command returns results, your LDAP server is fine and the problem is in the client configuration. If it does not, the problem is with your OpenLDAP server or with the network between the two (firewall, DNS).

You should also be able to "cd /home/ahall" and see the contents of the user directory. If this does not work, check the autofs messages in /var/log/messages; set LOGGING="debug" in /etc/sysconfig/autofs and restart autofs for more detail.

You can also test group support in LDAP:

# getent group sysusers
sysusers:*:500:root,ahall

If you do not see results, then perform an ldap search to see the information, and refer back to either the OpenLDAP server configuration or authconfig.

Things Still to Do

These will be follow-on documents to this one.

AdrianHall/CentralizedLDAPAuth (last edited 2014-04-04 11:55:26 by PaulCombs)