LDAP Archives - ☩ Walking in Light with Christ - Faith, Computing, Diary ☩ Walking in Light with Christ

Posts Tagged ‘LDAP’

How to Run Your Own Windows Domain Authentication on Linux

Thursday, October 2nd, 2025

Run Your Own Domain Authentication on Linux

Running your own domain authentication system on Linux can significantly enhance security and manageability in your IT environment. Whether you're setting up centralized login for a small network or a more complex domain environment, Linux provides powerful tools to become your own domain controller using open-source software.

In this guide, we’ll walk you through setting up Samba as an Active Directory (AD) Domain Controller on a Linux server.
These tutorial should work fine on Debian 12 (Bookworm), though it should work with minor modifications on pretty much most of recent Debs and deb based distros.

What is Domain Authentication?

Domain authentication allows users to log in to any authorized machine within a network using the same set of credentials. It provides centralized management of:

Users and groups
Computer accounts
Group policies
File and printer sharing
Access control

Microsoft's Active Directory is the most well-known implementation, but you can achieve similar functionality using Samba on Linux.

Pre-requirements

A fresh Linux installation (Ubuntu Server 22.04 LTS or Debian 12 recommended)
Static IP address
Root or sudo access
Domain name (e.g., mydomain.local)

1. Update System and Set proper Hostname

# apt update && sudo apt upgrade -y

# hostnamectl set-hostname dc1.mydomain.local

Add the hostname to /etc/hosts:

# vim /etc/hosts

Add the local network IP the SMB Domain controller will have locally on the machine:

192.168.1.100 dc1.mydomain.local dc1

2. Install Samba and Required Packages

# apt install samba krb5-config krb5-user winbind smbclient dnsutils -y

During the installation, you may be prompted for Kerberos configuration:

Default realm: MYDOMAIN.LOCAL
KDC: dc1.mydomain.local
Admin server: dc1.mydomain.local

3. Provision Samba as a Domain Controller

First, stop any running Samba services:

# systemctl stop smbd nmbd winbind

# systemctl disable smbd nmbd winbind

Move default config:

# mv /etc/samba/smb.conf /etc/samba/smb.conf.bak

Now provision the domain:

# samba-tool domain provision –use-rfc2307 –interactive

Answer prompts:

Realm: MYDOMAIN.LOCAL
Domain: MYDOMAIN
Server role: dc
DNS backend: SAMBA_INTERNAL
Admin password: (choose a strong one)

Once done, configure Kerberos using the samba krb5.conf template file:

# mv /etc/krb5.conf /etc/krb5.conf.bak

# cp /var/lib/samba/private/krb5.conf /etc/

4. Start and Enable Samba AD Services

# systemctl unmask samba-ad-dc

# systemctl enable samba-ad-dc –now

Verify it’s working by running:

# samba-tool domain level show

Check Kerberos authentication is OK:

# kinit administrator

# klist

You should see a valid Kerberos ticket.

5. Configure DNS (Optional but Recommended)

If using SAMBA_INTERNAL DNS backend:

Check DNS resolution is OK:

# host -t A dc1.mydomain.local

# host -t SRV _kerberos._udp.mydomain.local

If you want clients to resolve domain names, configure them to use the Samba DC's IP as their DNS server.

6. Add Users and Join Client Machines

Add a new user:

# samba-tool user add your.samba.user

Join a Windows client:

Go to System Properties → Computer Name → Change settings
Click Domain, enter MYDOMAIN
Authenticate with Administrator and the password you set
Reboot

7. Managing the Domain

You can manage users, groups, and policies simply via commands or GUI interface or LDAP tools:

samba-tool (CLI)
RSAT tools on Windows (for GUI management)
via LDAP tools (if you have to stick to RFC2307)

Example commands:

# samba-tool user list

# samba-tool group list

# samba-tool user setpassword your.samba.user

8. Managing Samba AD Samba Linux Domain easily with UI

You can manage a Samba domain (especially when it's running as an Active Directory Domain Controller) via a web interface — but not directly through Samba itself, since it doesn't come with a built-in web UI.

Instead, you can integrate Samba with third-party web-based tools that provide management interfaces for:

Users and groups
Computer accounts
LDAP directory entries
Domain policies (to a limited extent)

Popular Web Interfaces to Manage a Samba Domain

Here are the most reliable options:

8.1. [Cockpit + 389 Directory Server or FreeIPA (for LDAP-based domains)]

Cockpit is a modern web admin interface for Linux servers.
When paired with FreeIPA, you can manage users, groups, policies, and more.
However, this is more suited for FreeIPA-based domains, not Samba AD.

✅ Great for: Linux-native domains
❌ Not compatible with Windows-style Samba AD

8.2. [LDAP Account Manager (LAM)] – RECOMMENDED FOR SAMBA + AD

Website: https://www.ldap-account-manager.org/

LDAP Account Manager (LAM) is one of the best tools to manage a Samba domain via LDAP, especially when:

You use Samba in AD DC mode with RFC2307 extensions (for Unix attributes)
Or, you're using Samba as a member server with an external LDAP backend

Features:

Web-based GUI to manage:
- Users and groups
- Samba-specific attributes (like SID, RID, home directories)
- POSIX and Windows-compatible accounts
Can bind directly to the Samba LDAP directory

Authentication: Admin binds via LDAP (either over plain or TLS)

✅ Works with Samba AD (with some config)
✅ Handles Samba3/4 user schemas
✅ Active development and documentation

8.3. Samba Web Administration Tool (SWAT) ❌ Deprecated

SWAT was the original web interface for Samba but:

It was deprecated and removed from Samba after version 4.1
It's no longer secure or maintained
Not suitable for Samba AD DC environments

Recommendation: Do not use SWAT

8.4. Webmin (Partial Support)

Webmin is a general Linux web admin tool
It has a Samba module, but:
- Designed for traditional Samba file sharing (not AD/DC mode)
- Cannot manage Samba AD users/groups
- Doesn’t interact with samba-tool or the AD schema

✅ Works for standalone Samba file servers
❌ Not suitable for Samba AD DCs

Can You really Use RSAT Instead ?

If you want full Active Directory-style control (like Group Policy, OU structure, DNS, etc.), the best GUI tool is actually RSAT (Remote Server Administration Tools) on Windows
but for that of course you will have to have an own Windows Server setup especailly for it.

Connects to your Samba AD DC
Fully supports:
- Users and groups
- Group Policy Objects (GPO)
- DNS management (if using internal Samba DNS)

Install RSAT on a Windows machine and run dsa.msc (Active Directory Users and Computers).

✅ Officially supported
✅ Full compatibility with Samba AD
❌ Requires a Windows machine

Summary: Web UI for Samba Domain Management

Tool	Works with Samba AD DC?	Features	Notes
LDAP Account Manager (LAM)	Yes	User/group management	Best web option
Cockpit + FreeIPA	❌ No (not Samba AD)	Excellent for FreeIPA domains	Not compatible with Samba AD
Webmin	❌ Not fully	File shares only	No AD/DC management
RSAT (Windows)	✅ Yes	Full AD management	Not web-based

Recommendation

If you're running a Samba AD DC and want a web-based interface:

Use LAM (LDAP Account Manager) for basic account management
Use RSAT tools on Windows for full domain administration
Avoid SWAT and Webmin for this purpose

Security Considerations

Ensure firewall allows relevant ports (e.g., 53, 88, 389, 445, etc.) with Iptables / firewalld or whatever firewall solution you have present on the server and in the Network in which you hosted the server
Keep the system updated
Use secure passwords and rotate them regularly
Consider setting up replication if high availability is needed

Conclusion

Running your own domain authentication system on Linux using Samba is a powerful way to control user access in a centralized manner. It’s ideal for small to mid-sized networks, homelabs, or even enterprise environments looking for a cost-effective alternative to Windows Server.

With Samba acting as your domain controller, you can enjoy the benefits of centralized authentication, integrated DNS, and a high degree of compatibility with Windows clients — all while staying in the open-source ecosystem.

References

Samba Wiki: Setting up Samba as an AD Domain Controller
man samba-tool
man smb.conf

Notes and things to consider:

/var/lib/samba/private/krb5.conf file is generated only after you provision Samba as an Active Directory (AD) Domain Controller using:

# samba-tool domain provision

After provisioning, Samba creates a custom Kerberos config at:

/var/lib/samba/private/krb5.conf

This is true for both Debian and Ubuntu because it's handled by the Samba package itself, not the distro.

Why use that krb5.conf instead of Debian's default?

Well because:

The default /etc/krb5.conf on Debian isn't tailored for Samba AD.
The one Samba generates includes correct realm, KDC, and admin server settings.
It avoids subtle issues like failed kinit or broken Kerberos trust.

So you copy it over Debian’s default:

Gotchas on Debian to be aware of

Do not install samba via tasksel (like tasksel's “Samba file server” role), as it sets up a traditional SMB server, not AD.

Only use samba-tool domain provision if you're setting up AD DC.

Debian sometimes separates systemd services (e.g., samba-ad-dc might not be enabled by default). So make sure to enable samba-ad-dc instead of smbd/nmbd.

Tags: Active Directory Domain Controller, configure, Debian, DNS, LDAP, linux?, mydomain, OK, options, Start, Users
Posted in Everyday Life, Linux, Samba, System Administration, Various | No Comments »

LDAP Server Installation and Configuration on CentOS 7.9 Linux or howto simply Store and use SSH User account credentials from LDAP

Tuesday, April 5th, 2022

In this article you will learn how to install and configure LDAP on CentOS 7.9 Linux with standard packages and later on create a sample user to be read from LDAP as well as how to configure SSH login to not only query local stored users under /etc/passwd and /etc/shadow but how to store user credentials and passwords inside LDAP.
The usage and storage of users inside LDAP usually when you have a great number of UNIX user accounts already created on the system or you want to be able to authenticate a single set of SSH UNIX / Samba / Kerberos / Email / Windows / Courier / NIS users with the same account credentials across mutliple servers. Having an LDAP database is longly used in corporate world to store accounts and various sensitive data, information, phonebooks, personal user data and login credentials for various Web systems used to administer or use Local Company infrastructure. The other added value of storing user base in LDAP is the Account and Infrastructure centralization which becomes so vital with the time as a company grows. By having LDAP the administrator a single person could easily, create new Users for employees across company infrastructure without bothering to login physically on each and every host on lets say the existing 3000+ servers.
There is much to be said about LDAP but the main thing to know is LDAP is simply a tree Database where you can store various Objects and assign them values. On a first glimse nothing complex, but if you dig into its administration suddenly you start becoming lost in a true ocean of complex.
Lets proceed and setupall necessery components.

Preparing the Freshly installed Server OS hostname to become host of LDAP

First, include hostname of LDAP Server and Client to /etc/hosts

Supposingly you have already configured a special Physical or Virtual Machine with CentOS 7 Linux with some fqdn
lets say ldapserver next you will have to have a proper objects inside /etc/hosts so the ldap server OS could see the
host: ldapserver with a local LAN domain .local onwards in this article. If you're about to use a Public IP on the internet just put your fully qualified domain name correctly with the respective IPs in /etc/hosts

My Linux server has configured IP and OS Host.

IP: 192.168.1.50
Host: ldapserver

If for some reason you have some other Machine hostname set on install time, change it to the desired one:

[root@ldapserver:~]# hostnamectl set-hostname ldap.mydomain.local

[root@ldapserver:~]# hostnamectl
   Static hostname: ldapserver
         Icon name: computer-vm
           Chassis: vm
        Machine ID: 20edc97971064b70a488a3222ab3cdd4
           Boot ID: e327dea155844bcd9fe8d68b759ff1c7
    Virtualization: xen
Operating System: CentOS Linux 7 (Core)
       CPE OS Name: cpe:/o:centos:centos:7
            Kernel: Linux 3.10.0-1160.59.1.el7.x86_64
      Architecture: x86-64

[root@ldapserver:~]# grep -i ldapserver /etc/hosts
192.168.1.50 ldapserver.local server
192.168.1.60 client.ldapserver.local client

[root@ldapserver:~]# ifconfig eth0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
        inet 192.168.1.50 netmask 255.255.255.0 broadcast 192.168.1.255
        inet6 fe80::216:3eff:fe53:5d12 prefixlen 64 scopeid 0x20<link>
        ether 00:16:3e:54:5d:12 txqueuelen 1000 (Ethernet)
        RX packets 22958463 bytes 12911026009 (12.0 GiB)
        RX errors 0 dropped 3 overruns 0 frame 0
        TX packets 319557 bytes 24259117 (23.1 MiB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

Disable firewall on LDAP

Before we start, make sure both LDAP server and LDAP clients are visible (e.g. no network firewall preventing the the Machines on the network see each other on TCP / UDP port 389 or whatever port you will be using.

# firewall-cmd –permanent –add-service=ldap
# firewall-cmd –reload

1. Install required LDAP server RPMs

# yum -y install openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel
…

1.1 Start & Enable ldap service

The openldap server is run by running the slapd systemd service

# systemctl start slapd

To make the service automatically load on every server boot

# systemctl enable slapd

# slaptest -u
config file testing succeeded

1.2 Verify ldap port listener exists

# netstat -antup | grep -i 389
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 1520/slapd
tcp6 0 0 :::389 :::* LISTEN 1520/slapd

1.3 Generate LDAP Admin Password

# slappasswd -h {SSHA} -s your_secret_password_here

It will generate encrypted hash string

Output will be something like:

{SSHA}d/thexcQUuSfe3rx3gPaEhHpNJ52N8D3

2. Configuring LDAP Server admin and basic structure

2.1. Create LDAP Admin user / password pair

Using the SSHA generated encrypted password string copy paste it to the right location in db.ldif

# cd /etc/openldap/slapd.d/

# vi db.ldif

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=ldapserver,dc=local

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=ldapadm,dc=ldapserver,dc=local

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}d/thexcQUuSfe3rx3gPaEhHpNJ52N8D3

If you want to have another admin user besides ldapadm, substitute the string to the user you like.

Replace the encrypted password ({SSHA}d/thexcQUuSfe3rx3gPaEhHpNJ52N8D3) with the password you generated in the previous step.

Caution !!! Be careful when copy paste, the blank lines have to be exactly as shown here !!! This applies for all the .ldif files !

Above LDIF will modify the current objects (records) existing already in LDAP.

2.2 Send the configuration to the LDAP Server listener

# ldapmodify -Y EXTERNAL -H ldapi:/// -f db.ldif

Make a changes to /etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif (Do not edit manually) file to restrict the monitor access only to ldap root (ldapadm) user not to others.

# vi monitor.ldif

dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external, cn=auth" read by dn.base="cn=ldapadm,dc=ldapserver,dc=local" read by * none

Load the configuration in LDAP memory

# ldapmodify -Y EXTERNAL -H ldapi:/// -f monitor.ldif

3. Setup LDAP Database and schemas

3.1 Copy the DB_CONFIG initial ldap database config from default example template

Set the ldap:ldap permissionsto prevent other users except ldap to read your LDAP database files .dbd / .mdb etc. files

# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
# chown ldap:ldap /var/lib/ldap/*

From their on the basic binary database of LDAP is under /var/lib/ldap , therein you will find a dbd and mdb files where the actual database tree structure is stored.

# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

Including, below schemas are optional but recommended to include if you want to have extended support for things in LDAP Server:

# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/core.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/openldap.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/collective.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/corba.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/duaconf.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/java.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/pmi.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/ppolicy.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/dyngroup.ldif

3.2 Create base.ldif configuration and Apply it

# vi base.ldif

dn: dc=ldapserver,dc=local
dc: ldapserver

objectClass: top
objectClass: domain

dn: cn=ldapadm ,dc=ldapserver,dc=local
objectClass: organizationalRole
cn: ldapadm
description: LDAP Manager

dn: ou=People,dc=ldapserver,dc=local
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=ldapserver,dc=local
objectClass: organizationalUnit
ou: Group

3.3 Build the configuration (you will be required for your ldapadm earlier set password

# ldapadd -x -W -D "cn=ldapadm,dc=ldapserver,dc=local" -f base.ldif

Output:

Enter LDAP Password:
adding new entry "dc=ldapserver,dc=local"

adding new entry "cn=ldapadm ,dc=ldapserver,dc=local"

adding new entry "ou=People,dc=ldapserver,dc=local"

adding new entry "ou=Group,dc=ldapserver,dc=local"

4. Creating LDAP Users stored on server

4.1 Create .ldif for UNIX users

Create the username.ldif / username1.ldif / username3.ldif files as many as you need for the initial users to be imported under /etc/openldap/slap.d

# cd /etc/openldap/slapd.d/

# vi username.ldif

dn: uid=username,ou=People,dc=ldapserver,dc=local

objectClass: top

objectClass: account

objectClass: posixAccount

objectClass: shadowAccount

cn: dihr

uid: dihr

uidNumber: 9999

gidNumber: 500

homeDirectory: /home/username

loginShell: /bin/bash

gecos: dihr [ Admin (at) PcFreak ]

userPassword: {crypt}x

shadowLastChange: 17058

shadowMin: 0

shadowMax: 99999

shadowWarning: 7

The userPassword: {crypt}x is there as the password will be in encrypted form stored in ldap.

As LDIF files are quite messy and from copy pasting from the web your copy paste could end up with some garbled symbol that could break up your LDAP initial configuration, a copy archive containing the above .LDIF files used to apply is here ldif-configs.tar.gz

4.2 Check the group admins with Group ID (GID) 500 exists and if not create one

# grep -i 500 /etc/group
admins:x:500:

!!! You have to create admin group 500 in order the user to be able to become root. !!!

# groupadd -g 500 admins

4.3 Prepare sudoers configuration for users belonging to LDAP group to be able to become super users

To make the LDAP users to be able to become super users you need to add also following configuration to /etc/sudoers

# vim /etc/sudoers

## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
##
## Examples are provided at the bottom of the file for collections
## of related commands, which can then be delegated out to particular
## users or groups.
##
## This file must be edited with the 'visudo' command.

## Host Aliases
## Groups of machines. You may prefer to use hostnames (perhaps using
## wildcards for entire domains) or IP addresses instead.
# Host_Alias     FILESERVERS = fs1, fs2
# Host_Alias     MAILSERVERS = smtp, smtp2

## User Aliases
## These aren't often necessary, as you can use regular groups
## (ie, from files, LDAP, NIS, etc) in this file – just use %groupname
## rather than USERALIAS
# User_Alias ADMINS = jsmith, mikem

## Command Aliases
## These are groups of related commands…

## Networking
# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool

## Installation and management of software
# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum

## Services
# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable

## Updating the locate database
# Cmnd_Alias LOCATE = /usr/bin/updatedb

## Storage
# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount

## Delegating permissions
# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp

## Processes
# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall

## Drivers
# Cmnd_Alias DRIVERS = /sbin/modprobe

# Defaults specification

#
# Refuse to run if unable to disable echo on the tty.
#
Defaults   !visiblepw

#
# Preserving HOME has security implications since many programs
# use it when searching for configuration files. Note that HOME
# is already set when the the env_reset option is enabled, so
# this option is only effective for configurations where either
# env_reset is disabled or HOME is present in the env_keep list.
#
Defaults    always_set_home
Defaults    match_group_by_gid

# Prior to version 1.8.15, groups listed in sudoers that were not
# found in the system group database were passed to the group
# plugin, if any. Starting with 1.8.15, only groups of the form
# %:group are resolved via the group plugin by default.
# We enable always_query_group_plugin to restore old behavior.
# Disable this option for new behavior.
Defaults    always_query_group_plugin

Defaults    env_reset
Defaults    env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
Defaults    env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults    env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults    env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults    env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"

#
# Adding HOME to env_keep may enable a user to run unrestricted
# commands via sudo.
#
# Defaults   env_keep += "HOME"

Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin

## Next comes the main part: which users can run what software on
## which machines (the sudoers file can be shared between multiple
## systems).
## Syntax:
##
##      user    MACHINE=COMMANDS
##
## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL

## Allows members of the 'sys' group to run networking, software,
## service management apps and more.
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS

## Allows people in group wheel to run all commands
%wheel ALL=(ALL)       ALL

## Same thing without a password
# %wheel        ALL=(ALL)       NOPASSWD: ALL

## Allows members of the users group to mount and unmount the
## cdrom as root
# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom

## Allows members of the users group to shutdown this system
# %users localhost=/sbin/shutdown -h now

## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d
Cmnd_Alias PASSWD = /usr/bin/passwd [a-zA-Z][a-zA-Z0-9_-]*, \
                    !/usr/bin/passwd root

Cmnd_Alias SU_ROOT = /bin/su root, \
                     /bin/su – root, \
                     /bin/su -l root, \
                     /bin/su -p root

%admins ALL = SU_ROOT, NOPASSWD: PASSWD

You can also download a copy of above /etc/sudoers prepared for the admin group to be able to elevate to superuser here.

4.4 Process and Include the username to the LDAP server

Send the command to the ldap server:

# ldapadd -x -W -D "cn=ldapadm,dc=ldapserver,dc=local" -f username.ldif

Output:

Enter LDAP Password:
adding new entry "uid=username,ou=People,dc=ldapserver,dc=local"

Change (Create) new password for the user:

# ldappasswd -s newpassw321 -W -D "cn=ldapadm,dc=ldapserver,dc=local" -x "uid=username,ou=People,dc=ldapserver,dc=local"

4.5 Verify the user is properly created and querable from LDAP server db

# ldapsearch -x cn=username -b dc=ldapserver,dc=local

If you want to delete a user, it is up to authentication to the ldap server with -D and your admin user,and LDAP base and wiping out the LDAP objects (change in below username with your actual username:

# ldapdelete -W -D "cn=ldapadm,dc=ldapserver,dc=local" "uid=username,ou=People,dc=ldapserver,dc=local"

4.6. Create LDAP User Password change policy

In order users to be able to change their own passwords create .ldif file

# vi passchange.ldif

dn: olcDatabase={2}hdb,cn=config

changetype: modify

add: olcAccess

olcAccess: to attrs=userPassword by self write by dn.base="cn=ldapadm,dc=ldapserver,dc=local" write by anonymous auth by * none

olcAccess: {1}to * by dn.base="cn=ldapadm,dc=ldapserver,dc=local" write by self write by * read

Run:

# ldapmodify -Y EXTERNAL -H ldapi:/// -f passchange.ldif

Check

# cd /etc/openldap/slapd.d/cn=config

# cat olcDatabase\=\{2\}hdb.ldif

You have to see the lines that we have added with the previous command

olcAccess: {0}to * by dn.base="cn=ldapadm,dc=ldapserver,dc=local" write by s

elf write by * read

olcAccess: {1}to attrs=userPassword by self write by dn.base="cn=ldapadm,ldapserver,dc=local" write by anonymous auth by * none

4.7 Change user password for newly created user "username"

# ldappasswd -H ldap://192.168.1.50 -x -D "cn=ldapadm,dc=ldapserver,dc=local" -W -S "uid=username,ou=People,dc=ldapserver,dc=local"

After that enter new user password and confirmed it for username.

Enter admin ldap password when asked

5. Install LDAP users client configuration to be served by local services

5.1. Install required RPMs

To be able to use the LDAP just imported user directly via ssh logins e.g. have a user be red from ldap daemon without having a record inside /etc/{passwd,shadow,group}

Yuu have to install openldap client and nssp-pam-ldapd (required for PAM authentication to work properly):

# yum install openldap-clients nss-pam-ldapd

5.2 Authenticate LDAP server

Execute the following command, replace the IP or the domain name of the ldap machine

# authconfig –enableldap –enableldapauth –ldapserver=192.168.1.50 –ldapbasedn="dc=ldapserver,dc=local" –enablemkhomedir –update

5.3 Check LDAP server present LDIF definitions

Once all the .ldif files and schemes are applied to the LDAP you can check what was configured and known by the LDAP with slapcat cmd

# slapcat
624c2093 The first database does not allow slapcat; using the first available one (2)
dn: dc=ldapserver,dc=local
dc: ldapserver
objectClass: top
objectClass: domain
structuralObjectClass: domain
entryUUID: ea740fce-1a7c-103b-92a5-f1649bb38b90
creatorsName: cn=ldapadm,dc=ldapserver,dc=local
createTimestamp: 20210316082531Z
entryCSN: 20210316082531.267019Z#000000#000#000000
modifiersName: cn=ldapadm,dc=ldapserver,dc=local
modifyTimestamp: 20210316082531Z

dn: cn=ldapadm,dc=ldapserver,dc=local
objectClass: organizationalRole
cn: ldapadm
description: LDAP Manager
structuralObjectClass: organizationalRole
entryUUID: ea7674e4-1a7c-103b-92a6-f1649bb38b90
creatorsName: cn=ldapadm,dc=ldapserver,dc=local
createTimestamp: 20210316082531Z
entryCSN: 20210316082531.282715Z#000000#000#000000
modifiersName: cn=ldapadm,dc=ldapserver,dc=local
modifyTimestamp: 20210316082531Z

dn: ou=People,dc=ldapserver,dc=local
objectClass: organizationalUnit
ou: People
structuralObjectClass: organizationalUnit
entryUUID: ea785f66-1a7c-103b-92a7-f1649bb38b90
creatorsName: cn=ldapadm,dc=ldapserver,dc=local
createTimestamp: 20210316082531Z
entryCSN: 20210316082531.295274Z#000000#000#000000
modifiersName: cn=ldapadm,dc=ldapserver,dc=local
modifyTimestamp: 20210316082531Z

dn: ou=Group,dc=ldapserver,dc=local
objectClass: organizationalUnit
ou: Group
structuralObjectClass: organizationalUnit
entryUUID: ea7a94ca-1a7c-103b-92a8-f1649bb38b90
creatorsName: cn=ldapadm,dc=ldapserver,dc=local
createTimestamp: 20210316082531Z
entryCSN: 20210316082531.309750Z#000000#000#000000
modifiersName: cn=ldapadm,dc=ldapserver,dc=local
modifyTimestamp: 20210316082531Z

dn: uid=hipo,ou=People,dc=ldapserver,dc=local
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: hipo
uid: hipo
uidNumber: 9999
gidNumber: 500
homeDirectory: /home/hipo
loginShell: /bin/bash
gecos: hipo [Admin (at) PCFreak]
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
structuralObjectClass: account
entryUUID: 0b93de5a-1a7d-103b-92a9-f1649bb38b90
creatorsName: cn=ldapadm,dc=ldapserver,dc=local
createTimestamp: 20210316082626Z
userPassword:: e1NTSEF9K2dreklhN1l6YVZtcldhazFrZ2FOT0plcGdvN1FjKzU=
shadowLastChange: 18704
entryCSN: 20210317110729.482931Z#000000#000#000000
modifiersName: uid=hipo,ou=People,dc=ldapserver,dc=local
modifyTimestamp: 20210317110729Z
…
As minimum at least you should see a correct FQDN LDAP domain server and the configured LDAP administrator ldapadm listed among the multiple objects.

5.4 Enable LDAP User Caching Daemon and Check slapd config

# systemctl enable nslcd
# systemctl restart nslcd

Verify LDAP stored username is visible:

# getent passwd -s files username
# getent passwd -s ldap username

username:x:9999:500:dihr [Admin (at) PcFreak]:/home/username:/bin/bash

As you can see the query to the files e.g. to local /etc/passwd, /etc/shadow records for user returns empty as the user is in LDAP.

If the user returns empty also when you're asking the LDAP server for the user existence, it could be that getent is not configured to
check on the right place check /etc/nsswitch.conf if you see records like default query service records like

passwd:     files
shadow:     files
group:      files

automount: files

To:

passwd:     files sss ldap
shadow:     files sss ldap
group:      files sss ldap

automount: files sss ldap

6. Enable LDAP logging via rsyslog

To enable ldap logging via rsyslog create a new local4 logging interface via which logging will occur to rsyslogd.

If you have never used local{1-6} logging interfaces I recommend you check out my previous article how to configure haproxy logging to separate log files on Redhat

# vi /etc/rsyslog.conf

local4.* /var/log/ldap.log

# chown root:root /var/log/ldap.log
# ls -al /var/log/ldap.log
-rw——- 1 root root 23293740 Apr 5 13:35 /var/log/ldap.log

# systemctl restart rsyslog

If you have never used local{1-6} logging interfaces I recommend you check out my previous article how to configure haproxy logging to separate log files on Redhat

Check slapd is producing logs inside ldap.log

# tail -n 50 /var/log/ldap.log

Apr 4 15:40:39 ldapserver slapd[7888]: slapd shutdown: waiting for 0 operations/tasks to finish
Apr 4 15:40:39 ldapserver slapd[7888]: slapd stopped.
Apr 4 15:40:56 ldapserver slapd[8234]: @(#) $OpenLDAP: slapd 2.4.44 (Feb 23 2022 17:11:27) $#012#011mockbuild@x86-01.bsys.centos.org:/builddir/build/BUILD/openldap-2.4.44/openldap-2.4.44/servers/slapd
Apr 4 15:40:56 ldapserver slapd[8236]: slapd starting

7. Setting LDAP server host and Troubleshooting LDAP connectivity issues

Check /etc/openldap/ldap.conf content as a minum you had to have configured URI ldap and BASE vars

TLS_CACERTDIR /etc/openldap/cacerts#
TLS_REQCERT allow

# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON on

URI ldap://192.168.1.50/
BASE dc=ldapserver,dc=local

Sometimes you might have issues withslapd.conf suffic usually configuring the suffix is done via LDAB DB, however for legacy purposes the old /etc/openldap/slapd.conf can also be created to work around.

# vi /etc/openldap/slapd.conf
suffix "dc=ldapserver,dc=local"

Make sure the nslcd – local LDAP name service daemon is up and running properly

# ps -ef|grep -i nslcd
nslcd    22016     1 0 15:34 ?        00:00:00 /usr/sbin/nslcd

# systemctl status nslcd
● nslcd.service – Naming services LDAP client daemon.
   Loaded: loaded (/usr/lib/systemd/system/nslcd.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2022-04-01 15:34:37 CEST; 2min 47s ago
     Docs: man:nslcd(8)
           man:nslcd.conf(5)
Main PID: 22016 (nslcd)
   CGroup: /system.slice/nslcd.service
           └─22016 /usr/sbin/nslcd

Apr 05 13:30:38 ldapserver systemd[1]: Stopped Naming services LDAP client daemon..
Apr 05 13:30:38 ldapserver systemd[1]: Starting Naming services LDAP client daemon….
Apr 05 13:30:38 ldapserver nslcd[23882]: version 0.8.13 starting
Apr 05 13:30:38 ldapserver systemd[1]: Started Naming services LDAP client daemon..

Check configuration in /etc/nslcd.conf is correct. As minimum the URI address to ldap server should be correct. Sometimes if there is no record configured and LDAP server does not respond on 127.0.0.1 that might cause you issues.

Minimum values that should be filled are:

uid nslcd
gid ldap

uri ldap://192.168.1.50/

base dc=ldapserver,dc=local

NB: nslcd system admon is provided by nss-pam-ldapd package containing NSS and PAM libraries for name lookups and authentication using LDAP and is required
for LDAP users to be seen by system services.

7.1 .Connect to LDAP with LDAPAdmin from Windows host

Test whether you can view the Tree structure of the LDAP server with a look like LDAPAdmin. It is really easy to install and Use if you have a Windows machine and even have a portable version if you don't' want to install it.

ldapadmin-windows-screenshot

!!! Make Selected LDAP User a SuperUser !!!

If you want the earlier added LDAP UNIX user to be able to become root using above /etc/sudoers configuration you will have the to modify the UserAccount with LDAPAdmin and change the selected user to be UID 500 (that is the previously added admins group).

ldapadmin-change-usergroup-to-sysadmins-group-to-500-previously-added-in-sudo-screenshot

7.2 Install phpldapadmin LDAP Web management interface

[root@ldapserver config]# yum install epel-release
[root@ldapserver config]# yum -y install phpldapadmin httpd php php-fpm php-mysqlnd httpd-tools php-opcache php-gd php-xml php-mbstring php-json php-gmp php-zip php-ldap
[root@ldapserver config]# systemctl enable httpd && systemctl start httpd

Modify the preinstalled phpldapadmin.conf to look as follows (notice the commented Deny rules, you have to comment them to allow access to ldapadmin from anywhere, or
keep them on and only Allow a single IPs from where you plan to access the phpldapadmin)

[root@ldapserver config]# cat /etc/httpd/conf.d/phpldapadmin.conf
#
# Web-based tool for managing LDAP servers
#

Alias /phpldapadmin /usr/share/phpLDAPadmin/htdocs
Alias /ldapadmin /usr/share/phpLDAPadmin/htdocs

<Directory /usr/share/phpLDAPadmin/htdocs>
<IfModule mod_authz_core.c>
    # Apache 2.4
    Require all granted
</IfModule>
## <IfModule !mod_authz_core.c>
    # Apache 2.2
##    Order Deny,Allow
##    Deny from all
##    Allow from 127.0.0.1
##    Allow from ::1
## </IfModule>
</Directory>

I've been having issues with the default provided phpldapadmin version to properly run with php74 – getting various errors, after managed to succesfully login, tried to modify multiple files
as prescribed by people online but once I could solve some strange error due to deprecated functions in PHP a new one poped up.
To resolve it I've tried to downgrade to php72* packages but this did not completely solved the errors eithe resolve it. As this did not work removed the installed php72
and installed back php74 and the surrounding required packs xml* etc.
Have to mention, the problem of phpldapadmin's with PHP stems that this project seems to be abandoned since 6+ years.

Luckily there was a workoround to make it work – (clone) the latest version of phpLDAPadmin from github repository and copy it to /usr/share

# yum install git
# cd /usr/local/src/
# git clone https://github.com/leenooks/phpLDAPadmin

# cp -rpf /usr/local/src/phpLDAPadmin /usr/share/phpLDAPadmin/

Next step is to set proper configuration with the DC (Domain Control) and CN (Common Name) Admin use, which in my case is ldapadm

[root@ldapserver config]# vi /usr/share/phpldapadmin/config/config.php

Add following lines before the php file end-tag i.e. ?>
This will overwrite the previously configured phpldapadmin default settings

$servers->newServer('ldap_pla');
$servers->setValue('server','name','ldapserver.ldapserver');
$servers->setValue('server','host','127.0.0.1');
$servers->setValue('server','port',389);
$servers->setValue('server','base',array('dc=ldapserver,dc=local'));
$servers->setValue('login','auth_type','cookie');
$servers->setValue('login','bind_id','cn=ldapadm,dc=ldapserver,dc=local');
$servers->setValue('login','bind_pass','secretpass123');
$servers->setValue('server','tls',false);

To test configuration

Open URL http://fqdn-server.com/phpldapadmin

and try to login with cn=ldapadm,ldapserver as username and the LDAP admin password, hopefully it will work

you should no longer get PHP errors while expanding the LDAP Tree structure

phpldapadmin-screenshot-centos-linux-dc-tree-structure

8. Troubleshooting / Testing the new LDAP Test User created works logging in locally and remote via SSH

8.1. Try user locally

root@ldap:~# su – username

$ id
uid=10000(georgiev) gid=500(admins) groups=500(admins)
georgiev@ldap:~$

Either remotely connect or if already on the machine do to 127.0.0.1:

# ssh username@localhost -vv

8.2. Test sudo superuser credentials works

If you can login normally, you should be able to become root via sudo as well

username@ldap:~$ sudo su -l
[sudo] password for georgiev:
username@ldap:~$ sudo -l
Matching Defaults entries for georgiev on ldapserver:
    !visiblepw, always_set_home, match_group_by_gid, env_reset,
    env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User georgiev may run the following commands on ldapserver:
    (root) /bin/su root, /bin/su – root, /bin/su -l root, /bin/su -p root,
        NOPASSWD: /usr/bin/passwd [a-zA-Z][a-zA-Z0-9_-]*, !/usr/bin/passwd root

8.3. Check secure / ldap.log / messages log files for more insight

If for some strange reason you cannot login you should further debug what is going via error and success login messages produced in /var/log/secure , /var/log/ldap.log and /var/log/messages.

8.4. Connect via local console and run sshd in debug mode

For Physical servers or VM Machines hosted on Hypervisors where you have direct access via console, a good test is to.

shut off sshd completely and run it in debug mode

# systemctl stop sshd
# /usr/sbin/sshd -ddd -p 22

debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-ddd'
debug1: rexec_argv[2]='-p'
debug1: rexec_argv[3]='22'
debug3: oom_adjust_setup
debug1: Set /proc/self/oom_score_adj from 0 to -1000
debug2: fd 3 setting O_NONBLOCK
debug1: Bind to port 2208 on 0.0.0.0.
Server listening on 0.0.0.0 port 2208.

Then open again ssh new session and check what is the output error msgs in the sshd debug session, i.e.:

# ssh username@localhost -v

The new debug sshd instance will terminate when the client closes the connection, or the connection can be manually terminated using Crtl-C.
Note: You might want to run the sshd -ddd multiple times as it will be closed on every erroneous login attempt.

8.5. Check PAM login is enabled in /etc/ssh/sshd_config

Open /etc/ssh/sshd_config and make sure you have configured

UsePAM yes

If UsePAM no switch it on and restart sshd service.

8.6. Check ldap configuration in /etc/pam.d/* files is correct

You should have a configuration as follows already existing across /etc/pam.d/* files

# cd /etc/pam.d/
# grep -ri ldap *

/etc/openldap/check_password.conf:# OpenLDAP pwdChecker library configuration

/etc/pam.d/fingerprint-auth-ac:account [default=bad success=ok user_unknown=ignore] pam_ldap.so

/etc/pam.d/fingerprint-auth-ac:session optional pam_ldap.so

/etc/pam.d/smartcard-auth-ac:account [default=bad success=ok user_unknown=ignore] pam_ldap.so

/etc/pam.d/smartcard-auth-ac:session optional pam_ldap.so

/etc/pam.d/password-auth-ac:auth sufficient pam_ldap.so use_first_pass

/etc/pam.d/password-auth-ac:account [default=bad success=ok user_unknown=ignore] pam_ldap.so

/etc/pam.d/password-auth-ac:password sufficient pam_ldap.so use_authtok

/etc/pam.d/password-auth-ac:session optional pam_ldap.so

/etc/pam.d/system-auth-ac:auth sufficient pam_ldap.so use_first_pass

/etc/pam.d/system-auth-ac:account [default=bad success=ok user_unknown=ignore] pam_ldap.so

/etc/pam.d/system-auth-ac:password sufficient pam_ldap.so use_authtok

/etc/pam.d/system-auth-ac:session optional pam_ldap.so

The full set of configured PAM rules that should be in /etc/pam.d files as prescribed by nss-pam-ldapd documentation are:

auth   sufficient   pam_unix.so
auth   sufficient   pam_ldap.so use_first_pass
auth   required     pam_deny.so

account   required     pam_unix.so
account   sufficient   pam_ldap.so
account   required     pam_permit.so

session   required   pam_unix.so
session   optional   pam_ldap.so

password   sufficient   pam_unix.so nullok md5 shadow use_authtok
password   sufficient   pam_ldap.so try_first_pass
password   required     pam_deny.so

Usually you should not worry about these records as they should be already added by the package post-install conmfiguration definitions of the previously installed
nss-pam-ldapd, I mention them so you're aware that they're already in.

8.7 Debug what nslcd is doing?

As the user login authentication to LDAP is handled via nslcd (LDAPlocal caching daemon), you can stop the service and run it in debug mode and try to relogin with the user and see the whether the debug messages can give you some hint on what is going wrong, to do so:

# systemctl stop nslcd

# nslcd -d
nslcd: DEBUG: add_uri(ldap://127.0.0.1/)
nslcd: version 0.8.13 starting
nslcd: DEBUG: unlink() of /var/run/nslcd/socket failed (ignored): No such file or directory
nslcd: DEBUG: initgroups("nslcd",55) done
nslcd: DEBUG: setgid(55) done
nslcd: DEBUG: setuid(65) done
nslcd: accepting connections
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable

Try to open in another console ssh session

# ssh georgiev@localhost

nslcd: [8b4567] DEBUG: connection from pid=21954 uid=28 gid=28
nslcd: [8b4567] <passwd="georgiev"> DEBUG: myldap_search(base="dc=ldapserver,dc=local", filter="(&(objectClass=posixAccount)(uid=georgiev))")
nslcd: [8b4567] <passwd="georgiev"> DEBUG: ldap_initialize(ldap://127.0.0.1/)
nslcd: [8b4567] <passwd="georgiev"> DEBUG: ldap_set_rebind_proc()
nslcd: [8b4567] <passwd="georgiev"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [8b4567] <passwd="georgiev"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [8b4567] <passwd="georgiev"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [8b4567] <passwd="georgiev"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [8b4567] <passwd="georgiev"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [8b4567] <passwd="georgiev"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [8b4567] <passwd="georgiev"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [8b4567] <passwd="georgiev"> DEBUG: ldap_simple_bind_s(NULL,NULL) (uri="ldap://127.0.0.1/")
nslcd: [8b4567] <passwd="georgiev"> ldap_result() failed: No such object

In the debug nslcd debug session you will immediately should get error messages like:

nslcd: [8b4567] DEBUG: connection from pid=21954 uid=28 gid=28
nslcd: [8b4567] <passwd="georgiev"> DEBUG: myldap_search(base="dc=ldapserver,dc=local", filter="(&(objectClass=posixAccount)(uid=georgiev))")
nslcd: [8b4567] <passwd="georgiev"> DEBUG: ldap_initialize(ldap://127.0.0.1/)
nslcd: [8b4567] <passwd="georgiev"> DEBUG: ldap_set_rebind_proc()
nslcd: [8b4567] <passwd="georgiev"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [8b4567] <passwd="georgiev"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [8b4567] <passwd="georgiev"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [8b4567] <passwd="georgiev"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [8b4567] <passwd="georgiev"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [8b4567] <passwd="georgiev"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [8b4567] <passwd="georgiev"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [8b4567] <passwd="georgiev"> DEBUG: ldap_simple_bind_s(NULL,NULL) (uri="ldap://127.0.0.1/")
nslcd: [8b4567] <passwd="georgiev"> ldap_result() failed: No such object

9. Setting up ldap authentication from LDAP server from other Linux servers

If you want to have other machines than the default machine where you run the server to be authenticating using the user / password credentials stored in the LDAP server on each host

you will have to login as root and have installed packages nss-pam-ldapd and openldap-clients.

# yum install -y nss-pam-ldapd openldap-clients
…

Enable LDAP authentication to remote host and set each never logged in user to automatically create home directory on first loginwith authconfig cmd.

# authconfig –enableldap –enableldapauth –ldapserver=192.168.1.50 –ldapbasedn="dc=ldapserver,dc=local" –enablemkhomedir –update

10. Installing LAM (LDAP Account Manager) Web based Account Management Graphical Interface

LDAP and its surrounding .LDIF files is a true nightmare as even a small mistype in character from the file imported could seriously break things and
make your LDAP server partially or completely unusable. Therefore there is almost noone who does anything serious with LDAP via the command line but a GUI
has to be set in. The most simple one phpldapadmin does resemble more or less the phpmyadmin interface and gives you basic ways to manage LDAP database. However for more advanced use you will have to install and use LDAP Account Manager.

(LAM) is a web frontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. The LDAP Account Manager tool was designed to make LDAP management as easy as possible for the user.

LDAP Account Manager Supported Features

Manage Unix, Samba 3/4, Kolab 3, Kopano, DHCP, SSH keys, a group of names and much more
Has support for 2-factor authentication
Support for account creation profiles
CSV file upload
Automatic creation/deletion of home directories
setting file system quotas
PDF output for all accounts
Schema and LDAP browser
Manages multiple servers with different configurations

Unfortunately LAM Is a freeware and if you want the full set of features it supports, you will need to buy the LDAP Account Manager pro edition. But for a starter it makes a great difference to use it instead of doing everything manually.

10.1 Installing LAM Admin GUI

Assuming that you already followed up steps and you have a functioning LDAP server at hand on your machine, you will
further have to install Apache Webserver + PHP

yum install -y httpd httpd-tools php php-fpm php-mysqlnd php-opcache php-gd php-xml php-mbstring php-json php-gmp php-zip php-ldap

Enable HTTPD / PHP services

# systemctl enable –now php-fpm
# systemctl enable –now httpd

Check the status of just run services is fine

# systemctl status php-fpm
# systemctl status httpd

If you happen to have a selinux enabled (hopefully not) also you will have to enable PHP-FPM to serve files through PHP

# setsebool -P httpd_execmem 1

# systemctl restart httpd

If you have firewall on the machine enable httpd to be publicly visible via local LAN or the Internet

# firewall-cmd –permanent –zone=public –add-service=http
# firewall-cmd –reload

Download the latest version of LDAP Account Manager from sourceforge

# wget http://prdownloads.sourceforge.net/lam/ldap-account-manager-7.7-0.fedora.1.noarch.rpm

Install the RPM

# yum localinstall ldap-account-manager-*.rpm

10.2 Configure LDAP Account Manager

Assuming that your Webserver is reachable via an IP address or already configured hostname access in browser

http://(server IP or hostname)/lam

The best practice is to setup a separate subdomain for your mail domain as it is easier to remember, i.e.,

http://ldapserver.fully-qualified-domain-name.com/lam

lam-account-manager-login-screen-linux

Click on LAM configuration option on the upper right corner to configure your LDAP manager instance.

On the page that appears, click on “Edit Server Profiles”.

install-LAM-on-centos-linux-screensho

This will ask for profile name password and password.

The default password is same as the username:

lam

install-LAM-on-centos-linux-login-server-preferences

Change the default password as soon as you have gained access in order to protect your installation

This is in the General settings page under Profile password.

Walk around through the menus and

set the LDAP server address and Tree Suffix to match the details of your LDAP configured domain.
Configure the dashboard login user by specifying the admin user account and domain components in the Security settings.
Navigate to “Account Types” page and configure Active account types for users and groups.
You can enable several other user and group modules in the “Modules” page.
Finally don't forget to click "Save" at the bottom to write the changes.

Finally set up the account and groups as desired

ldap-account-manager-web-gui-for-ldap-administration-linux

setup-shadow-on-LAM-ldap-manager-centos-web-screenshot

ldap-account-manager-web-gui-for-ldap-administration-groups-screenshot-linux

11. Backing up and Restoring LDAP database

OpenLDAP database can be backed up by simply exporting the directory to an LDIF file, which can then be imported later to restore the database.
slapcat exports the LDAP database's contents to LDIF-formatted output. The content is sent to STDOUT by default, so you should either capture it using the shell's redirect operators.

To back up an LDAP directory, export the directory using the slapcat utility:

# slapcat -b "dc=ldap,dc=example,dc=com" -l backup.ldif

To rebuild the directory from an export, follow these steps:

11.1 Stop the LDAP server

# service stop slapd.service

11.2 Import the file using slapadd

# slapadd -f backup.ldif

Ensure the data files are owned by the ldap user:

# chown -R ldap.ldap /var/lib/ldap/*

11.3 Restart the LDAP server

# service restart slapd.service

Sum it up

In this article it was shown how to install simple LDAP server and configure it to store User / Password / Groups credentials authenticatation with PAM through nss-pam-ldapd helper using the nscld (Local LDAP name service daemon) service.
We have further shown how to setup the initial LDAP Administartor (Super-User) and configure the basic required LDAP base and Db together with the schemes to extend capabilities of openldap such as to have basic support for UNIX User, Password and Groups creation etc.

Further on a sample UNIX user was created in LDAP Tree via username.ldif and admins groups. The UID 500 admins was added to /etc/groups as well as included a standard configuration to /etc/sudoers in order to allow LDAP adde UNIX users to execute predefined commands via sudo such as sudo su – root.

To enable login of the LDAP user required openldap-clients were installed and authconfig used to authorize user queries to LDAP to authenticate.

LDAP Logging was configured via rsyslog local4 interface. Onwards it was shown how to test and troubleshoot possible issues after the installation is complete.
Next it was shown you can configure other Linux servers to remotely query the configured LDAP server as a mean of user authentication and only grant access if the user and its encrypted password is found in the LDAP Database on ldapserver. It was further explained how to test the LDAP is connectable with LDAPAdmin and how to manage the database by installing and managing it through phpLDAPAdmin.

Finally you've seen how to install and configure LAM (LDAP Account Manager) Web GUI that will make the hell of Administrating your LDAP database much more pleasurable.

If you have luck (or better say) Pray fervantly to the Good God, all described in the article steps will work together and you will have a working LDAP User authentication.
However I have to say my experience with OpenLDAP the free software version of the (Lightweight
Directory Access Protocol) is a true nightmare.
This piece of software was created IMHO overly complex and truely chaotic by its creators.

The documentation of openldap is also not the best one I've seen but if you have a tons of free time and a desire, after few days you might start understanding something.
Don't expect it that you have the clear picture, as I believe even the creators of OpenLDAP was not sure what they've created 🙂

Hopefully once you set it up you will have a little joy after the innumerable hours of hectic try outs to make it work. Having all setup to assure yourself, implement a script or a cron job
to dump its database with slapcat regularly to make sure you don't loose youruser data.
I''ve spend quite a lot of hours writting this piece of article reading tons of other articles on the topic, tried many of which and most of them worked partially or something was broken. Therefore I hope this article will not be the next OpenLDAP article but will truly work. If it works for you please drop me a comment and give me a feedback, telling it worked. If you get any errors with the article also let me know and I will fix it ASAP. The goal is to make this Guide a good working guide so the FSF community can benefit.
Also seeing openldap's complete it makes one too much scared to try to upgrade it 🙂

That's all folks Cheers !

Tags: Account Management Graphical Interface, adding, Click, Configuration, configuration files, Configuring, connection, credentials, Database, description, direct access, dn, download, Edit Server Profiles, etc passwd, guide, howto, ifconfig eth0, Install, installed, LDAP, linux?, Load, location, Luckily, Modify, monitor, network, Networking, nsswitch.conf, Output, passwords, predefined commands, read, reading, rsyslog, security, sensitive data, SSHA, systemctl, top, uid, upload, username, utility
Posted in LDAP, Linux, Remote System Administration, System Administration | 1 Comment »

How to query LDAP (Windows Domain Controller) directory entries from Linux – ldapsearch common searche examples

Tuesday, November 18th, 2014

If you have a hybrid network of Windows servers and computers in Active Directory (AD) Domain Names and Linux hosts hosting various Java / PHP / Python applications like many of the middle and big companies (organization) have, sooner or later you will have to deploy an application which uses some some user authentication from the Linux host to Windows Domain Controller, you will end up in need to be able to query the AD, which is using LDAP (Lightweight Directory Access Protocol) to store the AD user credentials and tons of other information important for proper Active Directory operations.

LDAP is a key industry standard for storing and accessing distributed directory information services over Internet Protocol (IP). LDAP is great for sharing of information about users, systems, networks, services, and applications throughout the network. The corporate world nowadays would have been impossible without LDAP.
As of time of writting latest RFC (Resource for Comment) 4511 document describes industrial specification of LDAP version 3.0 and therefore this is the most often used and implemented version.

LDAP protocol supports generally following operations:

Adding, Delete, Bind (Authenticate to LDAP server), Delete Search and Compare, Modify and Modify DN (Distringuished Name)
Deleting recordsh

On Linux to retrieve / locate AD entries, there is ldapsearch command which opens connection to LDAP host server port, with set username and password. ldapsearch tool makes its search based on a filter.

To have make and modify queries in LDAP from GNU / Linux you will have to have installed ldap-utils on Debian, i.e.:

apt-get –yes install ldap-utils

to have ldapseach, ldapmodify, ldapsearch ldappasswd on CentOS / Redhat Linux, you need openldap-clients.x86_64

yum -y install openldap-clients.x86_64

Returned result from ldapsearch clients will be returned in LDIF format (LDAP Data Interchange format).

ldapsearch basic format is like thsi:

ldapsearch [optional_options] [optional_search_filter] [optional_list_of_attributes]

ldapsearch could query (LDAP – ADs) in unencrypted form simple LDAP, encrypted form with SSL certificate (LDAPs) or through LDAP with STARTTLS.
Logically most organizations nowadays are using LDAPs, as it offers the highest level of security. Unencrypted LDAP servers listen usually on port 389, LDAPs communicates on port 636 once an SSL handshake is made between client and server and LDAP with STARTTLS communicates on standard port 389.

Here is 3 examples of common ldapsearch queries

1. Return all entries in LDAP server

ldapsearch -D "cn=directory manager" -w secret -p 389 -h ldap.your-organization.org -b "dc=your-organization,dc=com" -s sub "(objectclass=*)"

"objectclass=*" is a serch filter matching all entries in the directory (time and size limits on output limit set for the server will take affect)

2. Searching the Root DSE Entry

root DSE is special entry containing list of all suffixes supported by local Directory Server. Getting root DSE is done with base of "", a search scope of base, and a filter of "objectclass=*"

ldapsearch -D "cn=directory manager" -w secret_pass -p 389 -h ldaps.your-organization.org -b "dc=your-organization,dc=com" -s sub "cn=babs jensen"

3. Searching Directory Server Schema Entry

LDAP server stores all directory server schema in special entry cn=schema.
schema entry contains information on every object class and attribute defined for the Directory Server. Command to searches contents of the cn=schema entry is:

ldapsearch -D "cn=directory manager" -w secret_pass -p 389 -h ldaps.your-organization.org -b "cn=schema" -s base "objectclass=*"

4. Check whether cn=My-Account1 account is working and enabled

ldapsearch -H ldaps://ldaps.your-organization.org -b o=my-org,c=bg -s sub -D cn=My-Account1,ou=users,ou=ABC,o=my-org,c=ABC -W '(&(cn=My-Acount1)(objectclass=my-org-Account))'

5. check all members of cn=MY_ADMINISTRATION

ldapsearch -H ldaps://ldaps.your-organization.org -b o=my-org,c=bg -s sub -D cn=My-Account1,ou=users,ou=ABC,o=my-org,c=ABC -W '(&(cn=MY_ADMINISTRATION)(member=*))'

6. check all members of all groups belonging to user

ldapsearch -H ldaps://ldaps.your-organization.org -b ou=ABC,ou=ABC1,ou=ABC2,ou=groups,ou=ABC,o=my-org,c=ABC -s sub -D cn=My-Account1,ou=users,ou=ABC,o=my-org,c=ABC -W '(cn=*)'

Whether ldapsearch queries are to be common and scripted or just for simplification of readability of query to LDAP it is useful to use LDAP_BASEDN – a query search base. By setting search base you can further omit in query -b

export LDAP_BASEDN="dc=your-organization,dc=com"
ldapsearch -D "cn=directory manager" -w secret_pass -p 389 -h ldap.your-organization.org "cn=labs jordan"

In Linux LDAP's open-source implementation is called OpenLDAP.
On Linux LDAP protocol can be easily integrated / used in combination with FTP servers (such as proftpd), DNS servers, Mail Servers (Courier), Samba servers, Radius (IP Telephony), sudo, as well as most programming languages such as PHP, Python etc.

Tags: AD, CentOS, check, How to, information, LDAP, ldap basics explained, ldap domain controller, ldapsearch common examples, Lightweight Directory Access Protocol, linux ldap, linux query ldap servers, queries, query windows domain controller linux, Returned, server port, what is basic to know about ldap
Posted in Everyday Life, Linux, Windows | 1 Comment »

Configure SSH LDAP Linux one login authentication across company servers and Apache webservers – howto

Wednesday, December 3rd, 2014

Configure_SSH_LDAP_Linux_one_login_authentication_across_company-servers-install-enable-ldap-on-apache-php-and-perl-howto.png
If you're working as Linux sys-admin in a small or middle-sized company (80-300 people) whose personal and hosted infrastructure is quicly growing, you will soon face a requirement that all running Linux servers hosting applications requires unification in existing single / clustered Users Applications to be able to Login with same User / Password across all company Linux / UNIX servers.
Having single id / passwords across multiple servers is also handy for various routine sys-admin purposes as this simplifies daily maintanance tasks and deployment of "one view" server monitoring and bunch of software easily to be replicated on new server nodes.

This is where LDAP ( Lightweight Directory Access Protocol ) comes at help. LDAP authentication with use of PAM (Pluggable Authentication Module), allows to easily achieve a common centralized login mechanism across a Linux server "farm" using SSH or Xlogin (if X some kind of GUI environment) is to be used.

Configuring Linux servers to use a centralized LDAP server to store user / passwords and other user information is also very useful whenever you want to have a common login mechanism of a group of users across both Heterogenous network with Windows / Linux and UNIX servers. By keeping the users into a centralized LDAP server, users have access with same User / Pass to both Windows / Linux ,UNIX Sun OS / HP-UX / Unix / FreeBSD etc. Centralized LDAP for Production environment and a Testing one is a common thing to see in large IT infrastructure (hosting / support) companies such as IBM / HP / Google / Yahoo etc. .

LDAP credentials centralization is common in Telecommunication companies, many universities such as Berkley / MIT and in all kind of big business-es or anywhere where its needed to have in a common database replicated across servers hundreds of thousands of users.

Here is how to Configure SSH LDAP Linux login authentication:

1. Install LDAP client and configuring it to use remote LDAP server on Debian / Ubuntu Linux

– On Debian Linux servers install the classical way to configure LDAP authentication is:

apt-get install –yes libpam-ldap libnss-ldap nscd ldap-utils

You will be asked a variety of configuration questions in the good old ncurses on LDAP server to be used:

LDAP server Uniform Resource Identifier: ldap://LDAP-server-IP-Address
Change the initial string from "ldapi:///" to "ldap://" before inputing your server's information
Distinguished name of the search base:
LDAP version to use: 3
Make local root Database admin: Yes
Does the LDAP database require login? No
LDAP account for root:
LDAP root account password: Your-LDAP-root-password

If you have inputted some wrong data to make the configuration interface pop-up again issue as root:

dpkg-reconfigure ldap-auth-config

Then to make aware the system LDAP database is to be used to through NSS (Name Services Switch) configured in /etc/nsswitch.conf

vim /etc/nsswitch.conf

To make /etc/passwd /etc/shadow and /etc/group not be queried from local system but to query LDAP defined server

passwd: ldap compat
group: ldap compat
shadow: ldap compat

Linux makes authentication to remote LDAP server through PAM (Pluggable Authentication Module) that provides authentication via series of modules which return Yes / No responce in Windows NT / XP something similar was called GINA in Windows 7 / 8 / 2012 a similar technology is used called Credential Provider.
LDAP authentication is done by using PAM, to make it possible:

vim /etc/pam.d/common-session

Place

session required pam_mkhomedir.so skel=/etc/skel umask=0022

This line makes PAM on login to create home directory for logged in user via LDAP and copy all files from /etc/skel/* to /home/username/*

To make new settings affective restart nscd service (handles passwd, group and host lookups caching previous credential results).

/etc/init.d/nscd restart

However this method of configuration is probably to be soon be obsoleted in future Debian releases the modern way to configure servers to authenticate to central LDAP server is with SSSD, i.e.

apt-get install sssd libnss-sss libpam-sss
apt-get remove nscd

vim /etc/sssd/sssd.conf

domains = LDAP

[…]

[domain/LDAP]
enumerate = true
id_provider = ldap
auth_provider = ldap
# ldap_schema can be set to "rfc2307", which stores group member names in the
# "memberuid" attribute, or to "rfc2307bis", which stores group member DNs in
# the "member" attribute. If you do not know this value, ask your LDAP
# administrator.
#ldap_schema = rfc2307
ldap_uri = ldap://server1.mydom.com/
ldap_search_base = dc=mydom,dc=intern
#ldap_tls_reqcert = never
ldap_tls_cacert = /etc/ldap/ssl/cacert.pem

2. Install LDAP client and configuring it to use remote LDAP server on CentOS / Fedora / RPM based Linux

yum -y install libpam-ldap nscd ldap-utils

On client machines, both /etc/ldap.conf and /etc/openldap/ldap.conf need to contain the proper server and search base information for the organization.
There is a quick way to configure LDAP use with authconfig

[root@www ~]# authconfig –enableldap
–enableldapauth
–ldapserver=dlp.server.world
–ldapbasedn="dc=server,dc=world"
–enablemkhomedir
–update
Starting nslcd: [ OK ]

[root@www ~]# exit
logout
CentOS Linux release 7.0.1406 (Core)
3.10.0-123.4.2.el7.x86_64 on an x86_64
www login:ldap-user # LDAP user
Password:# password
Creating directory '/home/rldap-user'.
[ldap-user@www ~]$ # logined normally
[ldap-user@www ~]$ passwd # change LDAP user password (LDAP server will be notified about change)
Changing password for user redhat.
Enter login(LDAP) password: # current password
New password: # new password
Retype new password:
LDAP password information changed for redhat
passwd: all authentication tokens updated successfully.

When using authconfig to configure LDAP server authentication will be managed by SSSD (System Security Services) Daemon for more check out man sssd.

To be working sssd will require you to have following list of RPM packages installed

sssd-client
sssd-common
sssd-common-pac
sssd-ldap
sssd-proxy
python-sssdconfig
authconfig
authconfig-gtk

SSSD configuration includingn the filled in LDAP server hostname generated by authconfig is stored in /etc/sssd/sssd.conf

To reload new SSSD settings:

systemctl restart sssd

Using sssd is the new way to enable LDAP Linux authentication and people who use it should not use the old already obsolete nslcd method

3. Enabling Apache web application to authenticate to LDAP server

If you further want LDAP authorization to also work on installed and functioning Apache webserver on the host you need to load mod_auth_ldap.so
in httpd.conf

vim /etc/httpd/conf/httpd.conf

There should be a record like:

LoadModule mm_auth_ldap_module modules/mod_auth_ldap.so

On Debian / Ubuntu Linux to enable LDAP auth in Apache2:

root@www:~# a2enmod ldap authnz_ldap
Enabling module ldap.
Considering dependency ldap for authnz_ldap:
Module ldap already enabled
Enabling module authnz_ldap.
To activate the new configuration, you need to run:
service apache2 restart

Finally to make Apache load new config:

On Redhat based distro:

/etc/init.d/httpd restart

On Debian

/etc/init.d/apache2 restart

If you want to use LDAP auth within PHP/ Perl applications you will also need to install php5-ldap, libnet-ldap-perl (debs)- on Debian / Ubuntu or php-ldap, perl-LDAP.noarch (rpm) on CentOS / Fedora.

To set LDAP credentials authentication from LDAP, in Virtualhost/s or .htaccess of certain directory use config like:

AuthName "Restricted"

AuthType Basic

AuthLDAPURL ldap://ldap.domain.com:389/ou=People,dc=domain,dc=com?uid

AuthLDAPBindDN "cn=Manager,dc=domain,dc=com"

AuthLDAPBindPassword "your_secret_secret_password_to_ldap_admin"

require valid-user

4. Debug Test LDAP server remote connection

Once LDAP auth is setup to debug / test users within server use ldapsearch (part of ldap-uitls):

ldapsearch -h <ldapserver> -b dc=<your>,dc=<domain> -x uid=<username>

Tags: apache ldap authentication, authentication, company, company servers, configure, configure ldap login centos, configure ldap login debian, distro, etc passwd, howto central ldap linux, LDAP, ldap authentication linux, ldap configure linux, login, make, passwords, user information, Windows Linux, www
Posted in Computer Security, Everyday Life, Linux, System Administration, Various, Web and CMS | 2 Comments »

On God and computers and how computers copy God’s creation

Friday, October 25th, 2013

People are copying Gods creation the-tree model people don't invent they copy

I've been thinking for a long time. How computers and involved technology copy God's creation. This kind of thoughts poped up in my mind right after I became a believer. As I'm having a strong IT background I tend to view thinks in world via the prism of my IT knowledge. If I have to learn a new science my mind tend to compare how this translates to my previous knowledge obtained in IT. Probably some other people out there has the same kind of thinking? I'm not sure if this is a geek thinking or it is usual and people from other fields of science tend to also understand the world by using accommodated knowledge in field of profession they practice. Anyways since my days I believed in Jesus Christ, I started to also to compare my so far knowledge with what I've red in Holy Bible and in the book of The Living of Saints (which btw is unknown to most protestant world). It is very interesting that if you deeply look into how all Information Technology knowledge is organized you can see how Computers resembles the visible God's creation. In reality I came to realization how Moden Man self-deceives himself. We think with every new modern technology we achieved something new revolutionory which didn't existed before. But is it really true? Lets take some technology like Microsoft Active Directory (using LDAP) for example. LDAP structures data in a tree form where each branch could have a number of sub branches (variables). In reality it appears LDAP is not new it a translation of previous already existent knowledge in universe served in a different kind of form. Let me give some other examples, lets pick up the Internet, we claim its a new invention and from human point of view it is. But if we look on it via the prism of existing created world. It is just a interconnection between "BIG DATA" in real world it is absolutely the same latest researches already know all in world is data and all data in world is interconnected. So obviously the internet is another copying of the wonderful things God created in material and for those who can accept (the spiritual world) world. Many who are hard-core atheists will argue that we copy things in the world but all the material world is just a co-incidence. But having in mind that the world is so perfectly tuned "for living beings to exist" it is near to impossible that all this life and perfection emerged by random. The tree structure model is existing everywhere in OS and programming. We can see it in hiearchy of a file system, we can see it in hashes (arrays) in programming and all this just copies the over-simplified model of a real tree (which we know well from Biology is innemous times more complex). Probably the future of computing is in Biotechnologies and people's attempts to copy how living organism works. We know from well from science-fiction and cyberpunk the future should be mostly in Bio-technologies and computer as we know it but even this high-tech next generation technology will be based on existent things. Meaning man doesn't invent something so different he does copy a model and then modify the model according to environment or just makes a combination of a number of models to achieve a next one. Sorry for the rant post but I'm thinking on this for quite a while and I thought i should spit it here and interested to hear what people think and what are the arguments for or against my thesis?

Tags: copy, God's creation, holy bible, IT, jesus christ, kind, knowledge, LDAP, Saints, structure, technology, tree
Posted in Christianity, Everyday Life, Various | No Comments »

☩ Walking in Light with Christ – Faith, Computing, Diary

Posts Tagged ‘LDAP’

On God and computers and how computers copy God’s creation

Daily Bible quote

GET ARTICLE UPDATES

Useful blog? Help it:

Links to Other Places

Recent Posts

Ads

Categories

About Myself

Recent Comments

Top Post Views

blogtopsites