26. LDAP
26.1 Overview
1. Distributed directory service.
2. Plaintext is used by default, but can be configured to use TLS.
3. Packages
o openldap – Contains configuration files, libraries, and documentation needed for OpenLDAP to function.
o openldap-servers – Contains the slapd LDAP daemon and the slurpd replication daemon as well as several migration scripts.
o openldap-clients – Contains client programs needed for accessing and modifying openldap directories.
o nss_ldap – Contains two LDAP access clients, nss_ldap and pam_ldap.
o gq – Provides GUI LDAP client gq.
4. Ports
o slapd – TCP 389
o slurpd – ???
5. Terminology
o Distinguished Name (DN) – Used to reference a specific entry in the directory service. Example DN:
      uid=steve, ou=People, dc=somedomain, dc=com
o BaseDN – A server is responsible for all DNs that are within its BaseDN. Example BaseDN:
      dc=somedomain, dc=com
26.2 LDAP Server
1. slapd
o Stand-alone LDAP Daemon.
o Migration
1. Scripts to migrate existing system data to an LDAP server stored in /usr/share/openldap/migration.
2. migrate_common.ph – Contains common header information needed by migration scripts. Need to modify:
3. After changing defaults, modify /etc/openldap/slapd.conf (see below) and then run the appropriate migration script. For example:
* migrate_all_offline.sh – Migrates traditional UNIX flat files.
NOTE: Starting with RH 7.1, protocols and services were added that contain a + in their name. These must be commented out of /etc/protocols and /etc/services because they cause trouble with the migration scripts.
* migrate_all_nis_offline.sh – Migrates information from existing NIS services.
* See /usr/share/openldap/migration/README for an explanation of the various migration scripts.
4. Change the ownership of the ldap database files so slapd can access them:
      chown -R ldap:ldap /var/lib/ldap
o Configuration
1. Edit /etc/openldap/slapd.conf and specify the following:
* suffix – The BaseDN
* rootdn – The DN for the administrator
* rootpw – The password for the administrator
2. Access
* Default setup gives rootdn read/write access and read-only to all others.
* Highly configurable.
* Compare, search, read, and write access can be configured for each entry.
26.3 LDAP Clients
1. Command Line
o Configured in /etc/openldap/ldap.conf.
1. Specify which server to bind to.
2. Specify the BaseDN to use.
3. Client utilities usually let you override these defaults.
o Utilities include:
1. ldapadd – Add directory entries.
2. ldapdelete – Delete directory entries.
3. ldapmodify – Modify directory entries.
4. ldappasswd – Change password of an entry.
5. ldapsearch – Search directory entries.
2. GUI
o gq – Allows user to browse, search, modify, and display directory entries.
26.4 Using LDAP with NSS
1. Requires nss_ldap RPM.
2. Configuration
o /etc/nsswitch.conf – Add “ldap” to the search order of the entries that will be provided by LDAP.
o /etc/ldap.conf – Configuration file for nss ldap. Note that this is different from the client configuration file /etc/openldap/ldap.conf.
Common Entries:
host # LDAP server
base dc=xyz,dc=com # Base DN of database
binddn cn=binduser,dc=xyz,dc=com # DN to bind to the server with. Default is anonymous access.
bindpw super_secret # Password for user to bind with
rootbinddn cn=root,dc=xyz,dc=com # DN to bind to the server with when the unix uid is 0.
# Password is stored in /etc/ldap.secret in plaintext (mode 600)
ssl # Use TLS instead of plaintext communication

The rootbinddn is the DN used to attach to the LDAP database when the uid is 0. It must be set to a DN with proper permissions (typically the rootdn specified in /etc/openldap/slapd.conf) in order for root to update user accounts using command line utilities like passwd, chsh, etc.
o /etc/pam.d/system-auth – PAM configuration file used for system authentication. This is configured by authconfig.
3. Troubleshooting
If, as root, you attempt to change the password of a user stored in the ldap database and you receive an error about the user being “Unknown”, verify the password in /etc/ldap.secret is correct. It must be in plain text. When the password is incorrect, root can’t bind to the LDAP database and therefore won’t be able to find the user.
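The /etc/ldap.conf entries and the /etc/ldap.secret note above describe three things worth checking on a host before trusting its nss_ldap setup: TLS is on, no bindpw sits in the world-readable nss config, and the root bind secret is root-owned mode 600. The script below is an added example (not part of these notes) that audits constructed copies of those files; it assumes GNU coreutils for stat -c, as found on Red Hat systems.

```shell
#!/bin/sh
# Added example, not part of the original notes: audit the nss_ldap files
# described above for the plaintext hazards the notes point out (TLS off,
# a bindpw in the world-readable /etc/ldap.conf, a lax /etc/ldap.secret).
# File paths are arguments so the checks can run on constructed copies.
# Assumes GNU coreutils (stat -c), as on Red Hat systems.

# Print "directive value" pairs from an ldap.conf-style file, with
# comments and blank lines stripped and the directive name lowercased.
ldap_directives() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" |
        awk '{ printf "%s %s\n", tolower($1), $2 }'
}

# 0 if FILE enables TLS: an uncommented "ssl" directive whose value is
# not off/no (nss_ldap accepts "ssl", "ssl on" and "ssl start_tls").
check_ldap_conf_tls() {
    ldap_directives "$1" |
        awk '$1 == "ssl" && $2 != "off" && $2 != "no" { ok = 1 } END { exit ok ? 0 : 1 }'
}

# 0 if FILE carries no bindpw. nss_ldap's config is read by every process
# that resolves users, so it must be world-readable and any password in it
# is exposed to every local account; rootbinddn with /etc/ldap.secret keeps
# the privileged credential out of it.
check_ldap_conf_no_bindpw() {
    ldap_directives "$1" |
        awk '$1 == "bindpw" { found = 1 } END { exit found ? 1 : 0 }'
}

# 0 if the root bind secret FILE exists, is owned by OWNER_UID (default 0)
# and is exactly mode 600, as the notes require.
check_ldap_secret() {
    owner=${2:-0}
    [ -f "$1" ] || return 1
    set -- $(stat -c '%u %a' "$1")
    [ "$1" = "$owner" ] && [ "$2" = 600 ]
}

# Run all checks, report each, and return the number of failures.
audit_nss_ldap() {
    fails=0
    check_ldap_conf_tls "$1"       && echo "ok   TLS enabled in $1"     || { echo "FAIL plaintext LDAP in $1"; fails=$((fails+1)); }
    check_ldap_conf_no_bindpw "$1" && echo "ok   no bindpw in $1"       || { echo "FAIL bindpw in world-readable $1"; fails=$((fails+1)); }
    check_ldap_secret "$2" "$3"    && echo "ok   $2 is owner-only 600"  || { echo "FAIL $2 missing or too open"; fails=$((fails+1)); }
    return $fails
}

# Audit the live system when run directly: ./audit.sh /etc/ldap.conf /etc/ldap.secret
if [ $# -ge 2 ]; then audit_nss_ldap "$1" "$2"; fi
```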
