RHCSA Series: Setting Up LDAP-based Authentication in RHEL 7 – Part 14


Gabriel Cánepa

Gabriel Cánepa is a GNU/Linux sysadmin and web developer from Villa Mercedes, San Luis, Argentina. He works for a worldwide leading consumer product company and takes great pleasure in using FOSS tools to increase productivity in all areas of his daily work.


26 Responses

  1. avinesh says:

    How do I change the DN attribute in openldap-2.4.39?

    from dn: uid=66003310,ou=users,dc=hcl,dc=com
    to dn: employeeNumber=66003310,ou=users,dc=hcl,dc=com

  2. Ankit says:

    Facing issue in step 6

    [[email protected] ~]# ldapmodify -H ldapi:/// -f ldapdomain.ldif
    SASL/EXTERNAL authentication started
    SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    SASL SSF: 0
    ldapmodify: invalid format (line 5) entry: "olcDatabase={1}monitor,cn=config"

    vi ldapdomain.ldif

    # Each record starts with "dn:" and is ended by a blank line; a value that
    # does not fit on one line stays on one line here (otherwise the wrapped
    # part must begin with a single space). ACL strings use ASCII quotes.
    dn: olcDatabase={1}monitor,cn=config
    changetype: modify
    replace: olcAccess
    olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=rhe7,dc=local" read by * none

    dn: olcDatabase={2}hdb,cn=config
    changetype: modify
    replace: olcSuffix
    olcSuffix: dc=rhe7,dc=local

    dn: olcDatabase={2}hdb,cn=config
    changetype: modify
    replace: olcRootDN
    olcRootDN: cn=Manager,dc=rhe7,dc=local

    dn: olcDatabase={2}hdb,cn=config
    changetype: modify
    add: olcRootPW
    olcRootPW: {SSHA}My password

    dn: olcDatabase={2}hdb,cn=config
    changetype: modify
    add: olcAccess
    olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=Manager,dc=rhe7,dc=local" write by anonymous auth by self write by * none
    olcAccess: {1}to dn.base="" by * read
    olcAccess: {2}to * by dn="cn=Manager,dc=rhe7,dc=local" write by * read

  3. Khushal Bisht says:

    Can you just show me an example of how to create a new ldapuser and how to reset the ldapuser passwd?

    One more thing: I have set up the ldapuser server successfully and mounted it on the client machine, and everything is fine, but when I try to log in as ldapuser using another console it doesn't work. I mean it's not logging in.

  4. Bhanu P Singh says:

    Very nice article. However, it seems that every dn entry in the file ldapdomain.ldif needs to be separated by an empty line.
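
The "invalid format (line 5)" error in the comments above and the missing blank lines noted here are both plain LDIF syntax problems. Below is an added example, not code from the article or from any commenter: a small Python checker that reports those defects by line number and a fixer that rewrites the file. The sample input is a constructed copy of the first two records of the posted file, with the curly quotes, the unindented wrapped line and the missing record separator left in.

```python
import re

# Added example (not from the article or the commenter): a small LDIF
# syntax checker and fixer for the mistakes that make ldapmodify report
# "invalid format (line N)".
#
# LDIF rules used here (RFC 2849):
#   - a record starts with "dn:" and ends at a blank line;
#   - a value wrapped onto the next line must start with a single space;
#   - attribute names are ASCII letters/digits/hyphens followed by ":".

ATTR_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*(;[A-Za-z0-9-]+)*:")
# Typographic quotes pasted from a web page are not valid ACL syntax.
QUOTE_MAP = str.maketrans({"\u201c": '"', "\u201d": '"', "\u2018": "'", "\u2019": "'"})

# Constructed sample: the first two records of the file posted above, with
# its defects left in (curly quotes, an unindented wrapped value on line 5,
# and no blank line before the second dn).
POSTED_LDIF = (
    "dn: olcDatabase={1}monitor,cn=config\n"
    "changetype: modify\n"
    "replace: olcAccess\n"
    "olcAccess: {0}to * by dn.base=\u201dgidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\u201d\n"
    "read by dn.base=\u201dcn=Manager,dc=rhe7,dc=local\u201d read by * none\n"
    "dn: olcDatabase={2}hdb,cn=config\n"
    "changetype: modify\n"
    "replace: olcSuffix\n"
    "olcSuffix: dc=rhe7,dc=local\n"
)


def check_ldif(text: str) -> list[str]:
    """Return one message per defect, each prefixed with its 1-based line number."""
    problems = []
    in_record = False
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line == "":
            in_record = False          # a blank line closes the current record
            continue
        if line.startswith("#"):
            continue
        if line != line.translate(QUOTE_MAP):
            problems.append(f"line {lineno}: typographic quote, use ASCII \" or '")
        if line.startswith(" "):       # continuation of the previous value
            if not in_record:
                problems.append(f"line {lineno}: continuation line outside a record")
            continue
        if line.startswith("dn:"):
            if in_record:
                problems.append(f"line {lineno}: new dn without a blank line ending the previous record")
            in_record = True
            continue
        if not in_record:
            problems.append(f"line {lineno}: attribute outside a record (missing dn:)")
        if not ATTR_RE.match(line):
            problems.append(f"line {lineno}: not 'attribute: value' and not indented; "
                            "a wrapped value must start with a space")
    return problems


def fix_ldif(text: str) -> str:
    """Rewrite text so check_ldif() passes: ASCII quotes, a blank line before each dn, indented continuations."""
    out = []
    prev_blank = True
    for line in text.splitlines():
        line = line.translate(QUOTE_MAP)
        if line == "":
            out.append(line)
            prev_blank = True
            continue
        if line.startswith("dn:"):
            if not prev_blank and out:
                out.append("")          # separate records with a blank line
        elif not (line.startswith(("#", " ")) or ATTR_RE.match(line)):
            line = " " + line           # mark a wrapped value as a continuation
        out.append(line)
        prev_blank = False
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for msg in check_ldif(POSTED_LDIF):
        print(msg)
    print("--- fixed ---")
    print(fix_ldif(POSTED_LDIF), end="")
```

Running it on the sample reports line 4 and line 5 for the curly quotes, line 5 for the wrapped ACL value and line 6 for the dn that follows without a separator; the fixed output is what ldapmodify expects. The checker only covers the record and continuation rules, not attribute semantics, so a file it accepts can still be rejected by slapd for other reasons.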

  5. Andhika Rama says:

    I am having a problem in point 6 when loading as follows.

    [[email protected] ~]# ldapmodify -H ldapi:/// -f ldapdomain.ldif
    SASL/EXTERNAL authentication started
    SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    SASL SSF: 0
    ldapmodify: invalid format (line 5) entry: "olcDatabase={1}monitor,cn=config"

    I am following the script, except for the password and domain component / dc=

    I'm stuck at that point.

    By the way, it was a great tutorial for me to learn from before facing the exam.

    Thanks a lot, and I would very much appreciate your response.

  6. Chris says:

    Having problems with step 5 on a Linux server that is already using LDAP for user authentication. I have installed OpenLDAP as a local authentication provider for an application but cannot configure it:

    ldap_sasl_interactive_bind_s: Local error (-2)
    additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (SPNEGO cannot find mechanisms to negotiate)

  7. Anand says:

    How do I migrate a "389 directory server" from one machine to another?

    • Gabriel A. Cánepa says:

      That is out of the scope of the exam so we did not cover it in this article. We offer professional support services to help our readers in requirements like this if you’re interested.

  8. JUAN says:

    Hi everyone, in step 4, to create an LDIF file (ldaprootpasswd.ldif), are these files created under that directory?

  9. Ryan Mullett says:

    I am having the same issue as several others in the comments. I have to use "-Y EXTERNAL" in order for any of the commands with ldapadd or ldapmodify to work. That being said, I get stuck on step 7: when running that command it asks for a password. I input the password I used to generate the hashed string and I get "Invalid credentials (49)" every time. I have tried changing the -x to -Y EXTERNAL but it still has an issue on that command. I do have everything you recommend installing, and I have dug around and installed some extra packages that people elsewhere citing similar bugs mention possibly needing, but to no avail; still stuck on step 7.

  10. Olga says:

    Hi! Your article is very useful, thanks. But I have a problem with my client. After adding ldapuser I try to log in as ldapuser and there is a prompt where I should type a password for him. But I haven't set one. In your ldif file there is userPassword: {SSHA}fiN0YqzbDuDI0Fpqq9UudWmjZQY28S3M. So what password should I type? Or how can I log in without a password and then set it?
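
The {SSHA} value in a userPassword attribute is a salted SHA-1 digest, so the clear-text password cannot be recovered from the LDIF; the administrator picks a password, hashes it, and stores the result. The following is an added example, not code from the article or any commenter, showing how that value is built and how a directory server checks a bind password against it; OpenLDAP's slappasswd tool produces the same format. The password and fixed salt in the usage block are constructed for reproducibility.

```python
import base64
import hashlib
import hmac
import os

# Added example (not from the article): the {SSHA} userPassword scheme.
# Stored value = "{SSHA}" + base64( SHA-1(password + salt) + salt ).
# The salt is stored in the clear after the 20-byte digest so that the
# same computation can be repeated at bind time.

SHA1_LEN = 20


def ssha_hash(password: str, salt: bytes = b"") -> str:
    """Return an {SSHA} string for password; a random 4-byte salt is used unless one is given."""
    if not salt:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a candidate password against a stored {SSHA} value, as slapd does on a simple bind."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    # constant-time comparison so timing does not leak how many bytes matched
    return hmac.compare_digest(candidate, digest)


def ldif_user_password_line(password: str) -> str:
    """Build the userPassword line to place in the user's LDIF entry."""
    return "userPassword: " + ssha_hash(password)


if __name__ == "__main__":
    # Constructed sample: fixed salt so the printed value is reproducible.
    stored = ssha_hash("ChangeMe-Example", salt=b"\x01\x02\x03\x04")
    print(stored)
    print("correct password accepted:", ssha_verify("ChangeMe-Example", stored))
    print("wrong password accepted:  ", ssha_verify("wrong", stored))
    print(ldif_user_password_line("ChangeMe-Example"))
```

If the hash in an entry was copied from elsewhere and its password is unknown, the practical answer is to replace the attribute with a hash of a password you do choose (the output of ldif_user_password_line, or of slappasswd), then log in with that password.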
