Committed by Chinthak Murali
Weeks 6-7: LDAP Directories and Accounts

Mentor: Hung

Training Topics

1. Use CentOS 7

The Centos7 Clone VM is cloned to create Centos7 Clone LDAP.


Prior to installing LDAP, add the following line to /etc/hosts on both the server and the client:
192.168.56.101 server.biohpc.swmed.edu
Then use hostnamectl to set the hostnames of the server and the client accordingly.

To set up the /etc/hosts file and change the hostnames on both the server and client before installing LDAP, follow these steps:

On the Server

sudo nano /etc/hosts
# Add the line: 192.168.56.101 server.biohpc.swmed.edu
sudo hostnamectl set-hostname server.biohpc.swmed.edu
hostnamectl status



On the Client

sudo nano /etc/hosts
# Add the line: 192.168.56.101 server.biohpc.swmed.edu
sudo hostnamectl set-hostname client.biohpc.swmed.edu
hostnamectl status


This configuration ensures that both machines can resolve the specified hostname to the given IP address, which is useful for LDAP and other network services.


2. LDAP: Models, Schema, and Attributes
understand schema

The LDAP Naming Model
LDAP uses a hierarchical structure for storing entries. Each entry is identified by its Distinguished Name (DN), composed of the entry's Relative Distinguished Name (RDN) and the names of its parent entries.

LDAP Schema
Schemas define the types of objects that can be stored in the directory and the attributes those objects can have.



LDAP server configuration

Step 1: Install LDAP and Required Packages

sudo yum -y install openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel migrationtools

Step 2: Start and Enable slapd Service
Start the LDAP service (slapd) and enable it to start on boot:

sudo systemctl start slapd
sudo systemctl enable slapd

Step 3: Configure the Firewall
Allow LDAP service through the firewall:

sudo firewall-cmd --add-service=ldap --permanent
sudo firewall-cmd --reload


Step 4: Verify the LDAP Service with netstat

Ensure LDAP is listening on port 389:

netstat -antup | grep -i 389


Step 5: Set Up the LDAP Root Password
Generate the LDAP root password:

sudo slappasswd

This command will prompt for a password and return a hashed password, e.g., {SSHA}5EN9YS0gR2RnPzddI5KkPjOwh3BQgHmH. Save this hashed password.
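To see what the {SSHA} string from slappasswd actually contains, the following added example (not part of the original notes; it assumes openssl, od, head and tail are on the PATH) builds one from a password and a salt and then verifies a password against it. The salt and the use of the lab password user1 are constructed for the demonstration; the format itself is the one slappasswd writes.

```shell
#!/bin/sh
# {SSHA} as written by slappasswd: "{SSHA}" + base64( SHA1(password||salt) || salt ).
# slappasswd draws a 4-byte random salt; it is stored in clear after the digest,
# which is what lets slapd (or this script) recompute the digest to check a bind.
# Added example, not part of the original notes. Assumes openssl, od, head, tail.

# ssha_make PASSWORD SALT -> prints the {SSHA} string (SALT: any short string)
ssha_make() {
    b64=$({ printf '%s%s' "$1" "$2" | openssl dgst -sha1 -binary; printf '%s' "$2"; } \
          | openssl enc -base64 -A)
    printf '{SSHA}%s\n' "$b64"
}

# ssha_check PASSWORD '{SSHA}...' -> exit 0 only if PASSWORD produced that hash
ssha_check() {
    b64=$(printf '%s' "$2" | sed 's/^{SSHA}//')
    [ "$b64" != "$2" ] || return 1                   # not an {SSHA} value at all
    bin=$(mktemp)
    printf '%s\n' "$b64" | openssl enc -base64 -d > "$bin"
    # first 20 bytes: stored SHA-1; the rest: the salt, reused for recomputation
    stored=$(head -c 20 "$bin" | od -An -tx1 | tr -d ' \n')
    computed=$({ printf '%s' "$1"; tail -c +21 "$bin"; } \
               | openssl dgst -sha1 -binary | od -An -tx1 | tr -d ' \n')
    rm -f "$bin"
    [ -n "$stored" ] && [ "$stored" = "$computed" ]
}

# Demo with the lab password from the notes and a constructed 4-byte salt.
SSHA_DEMO_HASH=$(ssha_make 'user1' 'salt')
echo "$SSHA_DEMO_HASH"
if ssha_check 'user1' "$SSHA_DEMO_HASH"; then echo "user1: match"; fi
if ssha_check 'user2' "$SSHA_DEMO_HASH"; then echo "BUG"; else echo "user2: no match"; fi
```

Decoded, the hash from Step 5 is 24 bytes: a 20-byte SHA-1 followed by the 4-byte salt, so anyone who can read userPassword or olcRootPW can test candidate passwords offline quickly. That is why the olcAccess rules and the TLS setup in Steps 7 to 9 matter, and why on OpenLDAP 2.4 it is worth setting olcPasswordHash: {CRYPT} together with olcPasswordCryptSaltFormat: "$6$%.16s" so that passwords changed through the Password Modify extended operation are stored as SHA-512 crypt instead.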


Step 6: Configure LDAP Database


Create the db.ldif file (make sure that no line in any of the text files created ends with trailing spaces or tabs; LDIF keeps them as part of the value and slapd will reject or misread the entry)
Create a file named db.ldif with the following content:

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=biohpc,dc=swmed,dc=edu

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=ldapadm,dc=biohpc,dc=swmed,dc=edu

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}j/y+TU9sX7Bp8luh1rVd/HIdilyrBTUI


Apply the configuration using ldapmodify

sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f db.ldif

Step 7: Restrict Monitor Access


Create the monitor.ldif file
Create a file named monitor.ldif with the following content:

dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external, cn=auth" read by dn.base="cn=ldapadm,dc=biohpc,dc=swmed,dc=edu" read by * none

Apply the configuration using ldapmodify

sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f monitor.ldif


Step 8: Create LDAP Certificate

Generate the certificate

sudo openssl req -new -x509 -nodes -out /etc/openldap/certs/biohpcldapcert.pem -keyout /etc/openldap/certs/biohpcldapkey.pem -days 365

Follow the prompts to provide the necessary information for the certificate.


Set the ownership of the certificate files

sudo chown -R ldap:ldap /etc/openldap/certs/*.pem


Step 9: Configure LDAP to Use the Certificate


Create the certs.ldif file
Create a file named certs.ldif with the following content. Error 80 on this step usually means slapd could not use the files: either they are not readable by the ldap user, or the key was set before the certificate, because slapd checks the key against the certificate that is already configured. Setting the certificate first, with both changes in one modify record, avoids the second cause:

dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/biohpcldapcert.pem
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/biohpcldapkey.pem




Apply the configuration using ldapmodify

sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f certs.ldif

(this keeps returning: modifying entry "cn=config" / ldapmodify: Other (e.g., implementation specific) error (80))

Verify the configuration

sudo slaptest -u


The output should indicate config file testing succeeded.

Step 10: Set Up LDAP Database

Copy the database configuration file

sudo cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
# -R so that DB_CONFIG itself, not only the directory, is owned by ldap
sudo chown -R ldap:ldap /var/lib/ldap/


Add LDAP schemas

sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif


Create the base.ldif file (make sure that no line in any of the .ldif files ends with trailing spaces or tabs)
Create a file named base.ldif with the following content:

dn: dc=biohpc,dc=swmed,dc=edu
dc: biohpc
objectClass: top
objectClass: domain

dn: cn=ldapadm,dc=biohpc,dc=swmed,dc=edu
objectClass: organizationalRole
cn: ldapadm
description: LDAP Manager

dn: ou=People,dc=biohpc,dc=swmed,dc=edu
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=biohpc,dc=swmed,dc=edu
objectClass: organizationalUnit
ou: Group


Add the directory structure

sudo ldapadd -x -W -D "cn=ldapadm,dc=biohpc,dc=swmed,dc=edu" -f base.ldif

This will show:

Enter LDAP Password: (it is time)
adding new entry "dc=biohpc,dc=swmed,dc=edu"

adding new entry "cn=ldapadm,dc=biohpc,dc=swmed,dc=edu"

adding new entry "ou=People,dc=biohpc,dc=swmed,dc=edu"

adding new entry "ou=Group,dc=biohpc,dc=swmed,dc=edu"
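The two warnings above about whitespace in .ldif files generalize to a few LDIF rules that slapd enforces either silently or with an unhelpful error: trailing spaces become part of the value, a "#" after a value is data rather than a comment, a folded line must start with a single space (which is stripped, so a second space is needed as the separator), and a blank line ends the record, so a stray blank line inside a changetype: modify record leaves the next change without a dn. The following checker is an added example, not part of the original notes; the two sample files it writes are constructed for the demonstration and use the placeholder suffix dc=example,dc=com.

```shell
#!/bin/sh
# ldif_lint FILE: report LDIF formatting mistakes that slapd/ldapmodify either
# reject or silently misread. One line per finding; exit 1 if anything found.
# Added example, not part of the original notes.
ldif_lint() {
    awk '
    function report(msg) { printf "%s:%d: %s\n", FILENAME, FNR, msg; bad = 1 }
    {
        line = $0
        if (line ~ /[ \t]$/) report("trailing whitespace (stored as part of the value)")
        if (line ~ /\t/)     report("tab character")
        if (line ~ /^[ \t]*$/) { in_record = 0; next }   # blank line: record separator
        if (line ~ /^#/ || line == "-") next               # comment line / change separator
        if (!in_record) {
            if (line !~ /^dn:/) report("record does not start with dn: (blank line inside a record?)")
            in_record = 1
            next
        }
        if (line ~ /^ /) next                              # folded continuation of the previous value
        if (line !~ /^[A-Za-z][A-Za-z0-9.;-]*:/) {
            report("not attr: value (a folded line must start with a space)")
            next
        }
        if (line ~ / #/) report("inline # is part of the value, not a comment")
    }
    END { exit bad }' "$1"
}

LDIF_LINT_DIR=$(mktemp -d)
LDIF_LINT_GOOD="$LDIF_LINT_DIR/good.ldif"
LDIF_LINT_BAD="$LDIF_LINT_DIR/bad.ldif"

# Constructed sample with the mistakes listed above (placeholder suffix, placeholder hash).
{
cat <<'EOF'
dn: uid=s123456,ou=People,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: e1NTSEF9cGxhY2Vob2xkZXI=  # stored as part of the password value

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001 provider=ldap://ldpsrv1.example.com binddn="cn=config"
bindmethod=simple credentials=secret searchbase="cn=config"

EOF
printf 'add: olcMirrorMode \n'      # trailing space, and no dn: after the blank line
printf 'olcMirrorMode: TRUE\n'
} > "$LDIF_LINT_BAD"

# The same changes written correctly.
cat > "$LDIF_LINT_GOOD" <<'EOF'
dn: uid=s123456,ou=People,dc=example,dc=com
changetype: modify
# comments go on their own line; "::" marks a base64-encoded value
replace: userPassword
userPassword:: e1NTSEF9cGxhY2Vob2xkZXI=

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001 provider=ldap://ldpsrv1.example.com binddn="cn=config"
  bindmethod=simple credentials=secret searchbase="cn=config"
-
add: olcMirrorMode
olcMirrorMode: TRUE
EOF

for f in "$LDIF_LINT_GOOD" "$LDIF_LINT_BAD"; do
    if ldif_lint "$f"; then echo "$f: OK"; else echo "$f: fix before running ldapmodify"; fi
done
```

Run it as `ldif_lint db.ldif` (or over every file with `for f in *.ldif; do ldif_lint "$f"; done`) before each ldapmodify or ldapadd in the steps above; it is a syntax check only and says nothing about whether the attributes or DNs are valid for the schema.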



Step 11: Create User Accounts and Add to LDAP


sudo groupadd bioinformatics
sudo useradd s123456 -g bioinformatics
sudo useradd s654321 -g bioinformatics
sudo passwd s123456
sudo passwd s654321


Password for s123456: user1
Password for s654321: user2

Configure migration tools
Edit /usr/share/migrationtools/migrate_common.ph and set the domain components:

$DEFAULT_MAIL_DOMAIN = "biohpc.swmed.edu";
$DEFAULT_BASE = "dc=biohpc,dc=swmed,dc=edu";
$EXTENDED_SCHEMA = 1;

Extract user and group information

grep ":10[0-9][0-9]" /etc/passwd > /root/passwd
grep ":10[0-9][0-9]" /etc/group > /root/group

Convert user and group information to LDAP format

/usr/share/migrationtools/migrate_passwd.pl /root/passwd /root/users.ldif
/usr/share/migrationtools/migrate_group.pl /root/group /root/groups.ldif


Verify the LDAP entries

ldapsearch -x -b 'dc=biohpc,dc=swmed,dc=edu' '(objectclass=*)'

Following these steps will configure your LDAP server, set up a root password, enable certificate-based security, and populate the LDAP directory with users and groups.


LDAP Client Configuration

Step 1: Install Required Packages
Install the necessary packages for the LDAP client:

sudo yum install -y openldap-clients nss-pam-ldapd sssd authconfig-gtk


Step 2: Configure Authentication

sudo authconfig --enableldap --enableldapauth --ldapserver=server.biohpc.swmed.edu --ldapbasedn="dc=biohpc,dc=swmed,dc=edu" --enablemkhomedir --update

--enableldap: Enable LDAP for user account information.

--enableldapauth: Enable LDAP for user authentication.

--ldapserver=server.biohpc.swmed.edu: Specify the LDAP server.

--ldapbasedn="dc=biohpc,dc=swmed,dc=edu": Specify the LDAP base DN.

--enablemkhomedir: Enable the creation of home directories on login.

--update: Apply the changes.


sudo systemctl restart nslcd

getent passwd s123456

This should return the LDAP account information for user s123456.

This did not return anything. I went back to the server; it did not show bioinformatics and the users (s123456) with the ldapsearch -x -b 'dc=biohpc,dc=swmed,dc=edu' '(objectclass=*)' command, but instead it showed all the other users from weeks 2-3. At the same time it also showed that the group bioinformatics and user s123456 already exist.
So, I created a new file as follows:

sudo vi add_group.ldif

dn: cn=bioinformatics,ou=Group,dc=biohpc,dc=swmed,dc=edu
objectClass: posixGroup
objectClass: top
cn: bioinformatics
gidNumber: 10000

sudo ldapadd -x -D "cn=ldapadm,dc=biohpc,dc=swmed,dc=edu" -W -f add_group.ldif

sudo vi add_user.ldif

dn: uid=s123456,ou=People,dc=biohpc,dc=swmed,dc=edu
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
cn: s123456
sn: User
uid: s123456
uidNumber: 10001
gidNumber: 10000
homeDirectory: /home/s123456
loginShell: /bin/bash
userPassword: {SSHA}your_generated_ssha_hash

sudo ldapadd -x -D "cn=ldapadm,dc=biohpc,dc=swmed,dc=edu" -W -f add_user.ldif

And verify using:
ldapsearch -x -LLL -H ldap://server.biohpc.swmed.edu -D "cn=ldapadm,dc=biohpc,dc=swmed,dc=edu" -W -b "ou=People,dc=biohpc,dc=swmed,dc=edu" "(uid=s123456)"

ldapsearch -x -LLL -H ldap://server.biohpc.swmed.edu -D "cn=ldapadm,dc=biohpc,dc=swmed,dc=edu" -W -b "ou=Group,dc=biohpc,dc=swmed,dc=edu" "(cn=bioinformatics)"

Now go to the client and check:

ldapsearch -x -LLL -H ldap://server.biohpc.swmed.edu -D "cn=ldapadm,dc=biohpc,dc=swmed,dc=edu" -W -b "ou=People,dc=biohpc,dc=swmed,dc=edu" "(uid=s123456)"

It should show the group, user, etc.

getent passwd s123456


Install Additional Packages for Home Directory Creation
Install the required packages to create home directories automatically:

sudo yum install -y sssd oddjob-mkhomedir

Configure PAM for Home Directory Creation
Append the following line to /etc/pam.d/system-auth to enable home directory creation via PAM. The redirection has to run as root, which `sudo echo ... >> file` does not do (only echo is elevated, the shell doing the append is not), so use tee:

echo 'session required pam_oddjob_mkhomedir.so' | sudo tee -a /etc/pam.d/system-auth


Enable and Start oddjobd Service
Enable and start the oddjobd service to handle home directory creation:

sudo systemctl enable --now oddjobd

Update Authentication Configuration
Update the authentication configuration to ensure home directory creation is enabled:

sudo authconfig --enablemkhomedir --updateall

sudo systemctl restart sssd


Test LDAP User Login and Home Directory Creation
Switch to an LDAP user account to verify that the home directory is created automatically:

su - s123456

The message "Creating home directory for s123456." is displayed.


Samba configuration on server

Install Samba and Samba LDAP Tools

sudo yum install -y samba smbldap-tools


Configure SELinux for Samba
Set the SELinux booleans for Samba:

sudo setsebool -P samba_export_all_ro=1
sudo setsebool -P samba_export_all_rw=1


Configure the Firewall for Samba
Add the Samba service to the firewall and reload the firewall:

sudo firewall-cmd --add-service=samba --permanent
sudo firewall-cmd --reload


Copy and Add the Samba Schema to LDAP
Copy the Samba schema file to the LDAP schema directory and add it to the LDAP server:

sudo cp /usr/share/doc/samba-4.10.16/LDAP/samba.ldif /etc/openldap/schema/
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/samba.ldif


Create and Add Samba Indexes
Create a file samba_index.ldif with the following content to add the necessary indexes:

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: uidNumber eq
olcDbIndex: gidNumber eq
olcDbIndex: loginShell eq
olcDbIndex: uid eq,pres,sub
olcDbIndex: memberUid eq,pres,sub
olcDbIndex: uniqueMember eq,pres
olcDbIndex: sambaSID eq
olcDbIndex: sambaPrimaryGroupSID eq
olcDbIndex: sambaGroupType eq
olcDbIndex: sambaSIDList eq
olcDbIndex: sambaDomainName eq
olcDbIndex: default sub


Add these indexes to the LDAP server:

sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f samba_index.ldif
sudo systemctl restart slapd


Configure Samba (/etc/samba/smb.conf)
Back up the existing smb.conf file and create a new configuration file with the following content:

[global]
workgroup = server
netbios name = ldap
deadtime = 10
log level = 1
log file = /var/log/samba/log.%m
max log size = 5000
debug pid = yes
debug uid = yes
syslog = 0
utmp = yes
security = user
domain logons = yes
os level = 64
logon path =
logon home =
logon drive = H:
logon script =
passdb backend = ldapsam:"ldap://127.0.0.1/"
ldap ssl = no
ldap admin dn = cn=ldapadm,dc=biohpc,dc=swmed,dc=edu
ldap delete dn = no
ldap password sync = yes
ldap suffix = dc=biohpc,dc=swmed,dc=edu
ldap user suffix = ou=People
ldap group suffix = ou=Group
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Idmap
admin users = domainadmin
idmap uid = 10000-20000
idmap gid = 10000-20000

[NETLOGON]
path = /var/lib/samba/netlogon
browseable = no

[PROFILES]
path = /var/lib/samba/profiles
browseable = no
writeable = yes
create mask = 0611
directory mask = 0700
csc policy = disable
map system = yes
map hidden = yes

[bioinformatics]
comment = bioinformatics material
path = /bioinformatics
force group = bioinformatics
read only = no
create mask = 0770
directory mask = 0770
browseable = no
writable = yes

[homes]
comment = Home Directories
valid users = %U
read only = No
create mask = 0770
directory mask = 0775
browseable = Yes
writable = Yes


sudo testparm


Create Necessary Directories and Start Samba Services
Create the required directories and start the Samba services:

sudo mkdir -p /var/lib/samba/netlogon /var/lib/samba/profiles
sudo smbpasswd -W


asks for new SMB Passwd: timer

sudo systemctl enable --now nmb
sudo systemctl enable --now smb

sudo smbldap-config

The following is what happened (a couple of passwords are set; they are noted below):

[root@server cmurali]# sudo smbldap-config
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
       smbldap-tools script configuration
       -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Before starting, check
 . if your samba controller is up and running.
 . if the domain SID is defined (you can get it with the 'net getlocalsid')

 . you can leave the configuration using the Ctrl-c key combination
 . empty value can be set with the "." character
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Looking for configuration files...

Samba Configuration File Path [/etc/samba/smb.conf] >

The default directory in which the smbldap configuration files are stored is shown.
If you need to change this, enter the full directory path, then press enter to continue.
Smbldap-tools Configuration Directory Path [/etc/smbldap-tools] >
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Let's start configuring the smbldap-tools scripts ...

. workgroup name: name of the domain Samba acts as a PDC for
  workgroup name [server] >
. netbios name: netbios name of the samba controller
  netbios name [ldap] >
. logon drive: local path to which the home directory will be connected (for NT Workstations). Ex: 'H:'
  logon drive [H:] >
. logon home: home directory location (for Win95/98 or NT Workstation).
  (use %U as username) Ex:'\\ldap\%U'
  logon home (press the "." character if you don't want homeDirectory) [\\ldap\%U] >
. logon path: directory where roaming profiles are stored. Ex:'\\ldap\profiles\%U'
  logon path (press the "." character if you don't want roaming profiles) [\\ldap\profiles\%U] >
. home directory prefix (use %U as username) [/home/%U] >
. default users' homeDirectory mode [700] >
. default user netlogon script (use %U as username) [] >
. default password validation time (time in days) [45] >
. ldap suffix [dc=biohpc,dc=swmed,dc=edu] >
. ldap group suffix [ou=Group] >
. ldap user suffix [ou=People] >
. ldap machine suffix [ou=Computers] >
. Idmap suffix [ou=Idmap] >
. sambaUnixIdPooldn: object where you want to store the next uidNumber
  and gidNumber available for new users and groups
  sambaUnixIdPooldn object (relative to ${suffix}) [sambaDomainName=server] >
. ldap master server: IP address or DNS name of the master (writable) ldap server
  ldap master server [127.0.0.1] >
. ldap master port [389] >
. ldap master bind dn [cn=ldapadm,dc=biohpc,dc=swmed,dc=edu] >
. ldap master bind password [] >   Warning: You really need to set this parameter...
  ldap master bind password [] >   Warning: You really need to set this parameter...
  ldap master bind password [] >
. ldap slave server: IP address or DNS name of the slave ldap server: can also be the master one
  ldap slave server [127.0.0.1] >
. ldap slave port [389] >
. ldap slave bind dn [cn=ldapadm,dc=biohpc,dc=swmed,dc=edu] >
. ldap slave bind password [] >
. ldap tls support (1/0) [0] >
. SID for domain server: SID of the domain (can be obtained with 'net getlocalsid ldap')
  SID for domain server [] >
. unix password hash: hash used for unix passwords
  If set to "exop", use LDAPv3 Password Modify (RFC 3062) extended operation.
  unix password hash (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT) [SSHA] >
. default user gidNumber [513] >
. default computer gidNumber [515] >
. default login shell [/bin/bash] >
. default skeleton directory [/etc/skel] >
. default domain name to append to mail address [] >
. treat shadowAccount object or not (1/0) [1] >
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
backup old configuration files:
  /etc/smbldap-tools/smbldap.conf->/etc/smbldap-tools/smbldap.conf.old
  /etc/smbldap-tools/smbldap_bind.conf->/etc/smbldap-tools/smbldap_bind.conf.old
writing new configuration file:
  /etc/smbldap-tools/smbldap.conf done.
  /etc/smbldap-tools/smbldap_bind.conf done.


ldap master bind passwd : time

ldap slave bind passwd : time


[root@server cmurali]# smbldap-populate

This kept giving root user errors, so I created a file named delete_root.ldif and ran the following commands:

[root@server cmurali]# ldapmodify -x -D "cn=ldapadm,dc=biohpc,dc=swmed,dc=edu" -W -f delete_root.ldif
Enter LDAP Password:
deleting entry "uid=root,ou=People,dc=biohpc,dc=swmed,dc=edu"

[root@server cmurali]# vi add_root.ldif
[root@server cmurali]# vi add_root.ldif
[root@server cmurali]# ldapadd -x -D "cn=ldapadm,dc=biohpc,dc=swmed,dc=edu" -W -f add_root.ldif
Enter LDAP Password:
adding new entry "uid=root,ou=People,dc=biohpc,dc=swmed,dc=edu"

[root@server cmurali]# sudo smbpasswd root
WARNING: The "syslog" option is deprecated
WARNING: The "idmap uid" option is deprecated
WARNING: The "idmap gid" option is deprecated
New SMB password:
Retype new SMB password:
[root@server cmurali]# sudo smbldap-populate
Populating LDAP directory for domain server (S-1-5-21-2992222943-225343144-3374008937)
(using builtin directory structure)

entry dc=biohpc,dc=swmed,dc=edu already exist.
entry ou=People,dc=biohpc,dc=swmed,dc=edu already exist.
entry ou=Group,dc=biohpc,dc=swmed,dc=edu already exist.
entry ou=Computers,dc=biohpc,dc=swmed,dc=edu already exist.
entry ou=Idmap,dc=biohpc,dc=swmed,dc=edu already exist.
entry sambaDomainName=server,dc=biohpc,dc=swmed,dc=edu already exist. Updating it...
entry uid=root,ou=People,dc=biohpc,dc=swmed,dc=edu already exist.
entry uid=nobody,ou=People,dc=biohpc,dc=swmed,dc=edu already exist.
entry cn=Domain Admins,ou=Group,dc=biohpc,dc=swmed,dc=edu already exist.
entry cn=Domain Users,ou=Group,dc=biohpc,dc=swmed,dc=edu already exist.
entry cn=Domain Guests,ou=Group,dc=biohpc,dc=swmed,dc=edu already exist.
entry cn=Domain Computers,ou=Group,dc=biohpc,dc=swmed,dc=edu already exist.
entry cn=Administrators,ou=Group,dc=biohpc,dc=swmed,dc=edu already exist.
entry cn=Account Operators,ou=Group,dc=biohpc,dc=swmed,dc=edu already exist.
entry cn=Print Operators,ou=Group,dc=biohpc,dc=swmed,dc=edu already exist.
entry cn=Backup Operators,ou=Group,dc=biohpc,dc=swmed,dc=edu already exist.
entry cn=Replicators,ou=Group,dc=biohpc,dc=swmed,dc=edu already exist.

Please provide a password for the domain root:
Changing UNIX and samba passwords for root
New password:
Retype new password:
[root@server cmurali]# systemctl status smb.service
● smb.service - Samba SMB Daemon
   Loaded: loaded (/usr/lib/systemd/system/smb.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2024-07-04 09:40:57 CDT; 1h 59min ago
     Docs: man:smbd(8)
           man:samba(7)
           man:smb.conf(5)
 Main PID: 1429 (smbd)
   Status: "smbd: ready to serve connections..."
   CGroup: /system.slice/smb.service
           ├─1429 /usr/sbin/smbd --foreground --no-process-group
           ├─1915 /usr/sbin/smbd --foreground --no-process-group
           ├─1916 /usr/sbin/smbd --foreground --no-process-group
           └─1920 /usr/sbin/smbd --foreground --no-process-group

Jul 04 09:40:55 server.biohpc.swmed.edu systemd[1]: Starting Samba SMB Daemon...
Jul 04 09:40:57 server.biohpc.swmed.edu systemd[1]: Started Samba SMB Daemon.
[root@server cmurali]# sudo smbclient -L localhost -U root
WARNING: The "syslog" option is deprecated
WARNING: The "idmap uid" option is deprecated
WARNING: The "idmap gid" option is deprecated
Enter SERVER\root's password:

        Sharename       Type      Comment
        ---------       ----      -------
        homes           Disk      Home Directories
        IPC$            IPC       IPC Service (Samba 4.10.16)
        root            Disk      Home Directories
Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------
        LDAP                 Samba 4.10.16

        Workgroup            Master
        ---------            -------
        SERVER               LDAP
	
All passwords at this point are: time



Add Samba Users and Groups
Use smbldap-groupadd, smbldap-useradd, and smbldap-passwd to manage Samba users and groups:

sudo smbldap-groupadd bioinformatics
sudo smbldap-useradd -a -g bioinformatics s123456
sudo smbldap-passwd s123456
This command did not work, so I created the file update_s123456.ldif with the following content (in LDIF a "#" only starts a comment at the beginning of a line, so the notes are kept on their own lines, and the base64-encoded hash is given with "::"):

# Ensure userPassword is the correct password hash (base64 of the {SSHA} value, hence "::")
# Ensure sambaSID is the correct SID
# Ensure sambaNTPassword is the correct NT password hash
dn: uid=s123456,ou=People,dc=biohpc,dc=swmed,dc=edu
changetype: modify
add: objectClass
objectClass: shadowAccount
-
add: objectClass
objectClass: sambaSamAccount
-
replace: cn
cn: s123456
-
replace: sn
sn: User
-
replace: uidNumber
uidNumber: 10001
-
replace: gidNumber
gidNumber: 10000
-
replace: homeDirectory
homeDirectory: /home/s123456
-
replace: loginShell
loginShell: /bin/bash
-
replace: gecos
gecos: s123456 User
-
replace: userPassword
userPassword:: e1NTSEF9YXYzVlhWVTNOemRmVFFFTHZ3Uk55WUxsOTFWcVRFVmE=
-
add: sambaSID
sambaSID: S-1-5-21-2992222943-225343144-3374008937-10001
-
add: sambaNTPassword
sambaNTPassword: e3c50dfb2f82ea7e70138b11c5fac667
-
add: sambaPwdLastSet
sambaPwdLastSet: 0
-
add: sambaAcctFlags
sambaAcctFlags: [U]



[root@server cmurali]# smbldap-passwd s123456
Changing UNIX and samba passwords for s123456
New password: sambauser1
Retype new password:sambauser1


Set SELinux Context for Shared Directory
Ensure the shared directory has the correct SELinux context:

sudo chcon -t samba_share_t /bioinformatics

This was not working; I changed /etc/selinux/config to enforcing instead of disabled. Now it is not giving any error.


Now on the client machine, the connection can be confirmed with:

smbclient //server/bioinformatics -U root




Master/Slave Replication in OpenLDAP
To set up Master/Slave replication in OpenLDAP, you need to configure both the master and the slave servers. Below are the steps to achieve this:

I cloned the Centos7 LDAP Server to make both Centos7 Master 1 and Centos7 Slave 1

Configure the Master Server
Step 1: Load the Syncprov Module
Create a file named syncprov_mod.ldif with the following content:

dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: syncprov.la


Load the module using ldapadd:

ldapadd -Y EXTERNAL -H ldapi:/// -f syncprov_mod.ldif

Configure the Syncprov Overlay
Create another file named syncprov.ldif with the following content:

dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpSessionLog: 100


Add this configuration to the LDAP server:

ldapadd -Y EXTERNAL -H ldapi:/// -f syncprov.ldif


Configure the Slave Server
Step 1: Create the Syncreplication Configuration
Create a file named syncrep.ldif with the following content. The provider URL carries the IP address of the master LDAP server (192.168.56.101 here), and credentials=password must be replaced with the actual password of the binddn. In LDIF a folded continuation line starts with a single space that is stripped on parsing, so each continuation line below begins with two spaces to keep the values separated:

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001
  provider=ldap://192.168.56.101:389/
  bindmethod=simple
  binddn="cn=ldapadm,dc=biohpc,dc=swmed,dc=edu"
  credentials=password
  searchbase="dc=biohpc,dc=swmed,dc=edu"
  scope=sub
  schemachecking=on
  type=refreshAndPersist
  retry="30 5 300 3"
  interval=00:00:05:00


Apply this configuration to the slave LDAP server:

ldapmodify -Y EXTERNAL -H ldapi:/// -f syncrep.ldif


Testing Master/Slave Replication
To test that the replication is working, perform an ldapsearch on the slave server to see if it contains the same data as the master server:

ldapsearch -x -b 'ou=People,dc=biohpc,dc=swmed,dc=edu'

verified.



I cloned the LDAP Server to create Master2 and changed its IP address to 192.168.56.103.
Then I cloned the NFS Server and changed its IP address to 192.168.56.104 (Master3).


Master/Master Replication in OpenLDAP
Master/Master replication allows multiple LDAP servers to be synchronized with each other, providing high availability and fault tolerance. Here are the detailed steps to configure Master/Master replication for OpenLDAP.

Prerequisites

Ensure that the firewall is configured to allow LDAP traffic.
Both LDAP servers should have the same initial configuration.


Master/Master initial configuration

Firewall

sudo systemctl start firewalld
sudo systemctl enable firewalld

sudo firewall-cmd --zone=public --add-port=389/tcp --permanent
sudo firewall-cmd --zone=public --add-port=636/tcp --permanent
sudo firewall-cmd --reload
sudo firewall-cmd --zone=public --list-ports

# Check from the other master that port 389 is reachable (nc comes from nmap-ncat, so install it first)
sudo yum install -y nmap-ncat
nc -zv 192.168.56.104 389

Configuration Steps

1. Prepare Both LDAP Servers
Step 1: Load the Syncprov Module
Create a file named syncprov_mod.ldif with the following content:

dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: syncprov.la


Add the module using ldapadd:

ldapadd -Y EXTERNAL -H ldapi:/// -f syncprov_mod.ldif



2. Configure olcServerID for Each Server
Each server needs a unique olcServerID. Create the olcserverid.ldif file for each server. For example, for the first server:

dn: cn=config
changetype: modify
add: olcServerID
olcServerID: 1


For the second server:

dn: cn=config
changetype: modify
add: olcServerID
olcServerID: 2


Apply the configuration on each server:

ldapmodify -Y EXTERNAL -H ldapi:/// -f olcserverid.ldif



3. Set Up Replication Configuration
Create a file named configrep.ldif with the following content:

dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 1 ldap://ldpsrv1.biohpc.swmed.edu
olcServerID: 2 ldap://ldpsrv2.biohpc.swmed.edu

dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001 provider=ldap://ldpsrv1.biohpc.swmed.edu binddn="cn=config"
  bindmethod=simple credentials=password searchbase="cn=config"
  type=refreshAndPersist retry="5 5 300 5" timeout=1
olcSyncRepl: rid=002 provider=ldap://ldpsrv2.biohpc.swmed.edu binddn="cn=config"
  bindmethod=simple credentials=password searchbase="cn=config"
  type=refreshAndPersist retry="5 5 300 5" timeout=1
-
add: olcMirrorMode
olcMirrorMode: TRUE


Replace password with the password of the config database's root DN (olcRootPW must be set on olcDatabase={0}config, otherwise the bind as cn=config fails), and make sure ldpsrv1 and ldpsrv2 resolve on both servers, for example through /etc/hosts. Note that this file replicates only cn=config; the data database (olcDatabase={2}hdb) needs its own olcSyncRepl entries and olcMirrorMode: TRUE in the same way.
Send the configuration to each LDAP server:

ldapmodify -Y EXTERNAL -H ldapi:/// -f configrep.ldif


Enable the syncprov Overlay on the data database
Add the syncprov.ldif created in the Master/Slave section. It is a new entry without a changetype, so it goes in with ldapadd; ldapmodify expects modify records and rejects it with "modify operation type is missing":

ldapadd -Y EXTERNAL -H ldapi:/// -f syncprov.ldif

this command repeatedly gave me error, but the servers seem to be synchronized.
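Running a full ldapsearch on the consumer and looking for the entries, as in the Master/Slave test above, does not tell whether the consumer is actually current, which is the question left open at the end of this section. The contextCSN attribute on the suffix entry does: each writable server stamps its last change with its serverID, and a consumer is in sync when it holds the same contextCSN for every serverID. The following is an added example, not from the original notes; the two ldapsearch outputs it compares are constructed samples using the page's suffix and serverIDs 001 and 002, and the real command to capture them is given in the comments.

```shell
#!/bin/sh
# Replication check via contextCSN. Added example, not from the original notes.
# Capture the input on each server with the standard ldapsearch options:
#   ldapsearch -x -LLL -H ldap://192.168.56.101 -s base \
#       -b 'dc=biohpc,dc=swmed,dc=edu' contextCSN
# Every writable server contributes one contextCSN carrying its serverID
# (the third '#'-separated field). A consumer is current when it holds the
# same value for every serverID the provider has.

# Extract and sort the contextCSN values from captured ldapsearch output.
csn_values() {
    printf '%s\n' "$1" | awk '/^contextCSN: / { print $2 }' | sort
}

# Exit 0 if both captures carry identical contextCSN sets.
csn_in_sync() {
    [ "$(csn_values "$1")" = "$(csn_values "$2")" ]
}

# Per-serverID report: provider capture in $1, consumer capture in $2.
# Prints one line per serverID; exit 1 if the consumer is missing one or behind.
csn_report() {
    { csn_values "$1" | sed 's/^/P /'; csn_values "$2" | sed 's/^/C /'; } | awk '
    {
        split($2, f, "#"); sid = f[3]; ts = f[1]      # ts: YYYYMMDDHHMMSS.ffffffZ
        if ($1 == "P") p[sid] = ts; else c[sid] = ts
    }
    END {
        for (sid in p) {
            if (!(sid in c))          { printf "sid %s: missing on consumer\n", sid; lag = 1 }
            else if (c[sid] < p[sid]) { printf "sid %s: consumer behind (%s < %s)\n", sid, c[sid], p[sid]; lag = 1 }
            else                      printf "sid %s: in sync (%s)\n", sid, p[sid]
        }
        exit lag
    }'
}

# Constructed captures (not real output) for two masters with serverIDs 001 and 002.
CSN_PROVIDER='dn: dc=biohpc,dc=swmed,dc=edu
contextCSN: 20240704144057.123456Z#000000#001#000000
contextCSN: 20240704144210.654321Z#000000#002#000000'

CSN_CONSUMER_CURRENT="$CSN_PROVIDER"

# A consumer that has not yet received the last write made on serverID 002.
CSN_CONSUMER_BEHIND='dn: dc=biohpc,dc=swmed,dc=edu
contextCSN: 20240704144057.123456Z#000000#001#000000
contextCSN: 20240704144200.000000Z#000000#002#000000'

csn_report "$CSN_PROVIDER" "$CSN_CONSUMER_CURRENT"
csn_report "$CSN_PROVIDER" "$CSN_CONSUMER_BEHIND" || echo "replication lag detected"
```

For the Master/Slave pair, run the ldapsearch on the master and on the slave and feed the two outputs to csn_report; for the Master/Master pair, run it against each server in turn as provider, since each is a consumer of the other. A CSN that stays behind after a write on the provider, or a serverID missing from one side, means syncrepl is not running, which is what the error on the last command above would have caused if the overlay had not been loaded.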