User:Sfiggins/RH-TACACS with LDAP Backend

From Labrats.us
Revision as of 18:30, 5 July 2019 by Sfiggins (talk | contribs) (→‎Installing a RADIUS Rpoxy Server)

Install and Setup New CentOS 7 Server

Create a base CentOS 7 server, as documented below.

New CentOS 7 Server Setup Commands

Edit /etc/ssh/sshd_config to enable X11 forwarding

Edit /etc/ssh/sshd_config and replace:

X11Forwarding no
X11UseLocalhost yes

with:

X11Forwarding yes
X11UseLocalhost no

And add:

AddressFamily inet

Restart sshd

# service sshd restart
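The three sshd_config edits above, as an added shell script that is not part of the original page. It rewrites each directive in place (or appends it when absent), so running it twice does not leave duplicate lines, leaves commented-out defaults such as `#X11Forwarding no` alone, and validates the file with `sshd -t` before anything is restarted. The function names are mine; the path to edit is passed as the first argument, and with no argument the script only defines the functions.

```shell
#!/bin/sh
# Added example (not from the original page): apply the X11 forwarding
# changes to an sshd_config file idempotently, then validate the result.
# Usage: sh enable_x11.sh /etc/ssh/sshd_config

# set_sshd_option FILE KEY VALUE
# Rewrite every active (non-comment) "KEY ..." line as "KEY VALUE"; append
# the directive when no active line exists. sshd honours the first match for
# a key, so rewriting all of them keeps the file unambiguous.
set_sshd_option() {
    file="$1"; key="$2"; value="$3"
    if grep -Eq "^[[:space:]]*$key[[:space:]]" "$file"; then
        sed -i -E "s/^[[:space:]]*$key[[:space:]].*/$key $value/" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# get_sshd_option FILE KEY: print the value sshd would use (first active match).
get_sshd_option() {
    grep -E "^[[:space:]]*$2[[:space:]]" "$1" | head -n 1 | awk '{print $2}'
}

# enable_x11_forwarding FILE: the edits described in this section.
enable_x11_forwarding() {
    set_sshd_option "$1" X11Forwarding yes
    set_sshd_option "$1" X11UseLocalhost no
    set_sshd_option "$1" AddressFamily inet
}

# check_x11_forwarding FILE: succeed only when all three directives are set.
check_x11_forwarding() {
    [ "$(get_sshd_option "$1" X11Forwarding)" = "yes" ] &&
    [ "$(get_sshd_option "$1" X11UseLocalhost)" = "no" ] &&
    [ "$(get_sshd_option "$1" AddressFamily)" = "inet" ]
}

if [ -n "${1:-}" ]; then
    enable_x11_forwarding "$1"
    check_x11_forwarding "$1" || { echo "directives not applied" >&2; exit 1; }
    # Syntax-check the whole file before "service sshd restart", so a typo
    # cannot leave the box without a working sshd.
    [ -x /usr/sbin/sshd ] && /usr/sbin/sshd -t -f "$1"
fi
```

Note on what the page configures: with `X11UseLocalhost no`, sshd binds the forwarded X display to the wildcard address instead of loopback, which is why the page pairs it with `AddressFamily inet`; the firewall rules later in this page decide who can actually reach those display ports.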

Setup CPAN

Install GCC

# yum install gcc
Loaded plugins: product-id, rhnplugin, security, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package gcc.x86_64 0:4.4.7-16.el6 will be installed
--> Processing Dependency: libgomp = 4.4.7-16.el6 for package: gcc-4.4.7-16.el6.x86_64
--> Processing Dependency: cpp = 4.4.7-16.el6 for package: gcc-4.4.7-16.el6.x86_64
--> Processing Dependency: libgcc >= 4.4.7-16.el6 for package: gcc-4.4.7-16.el6.x86_64
--> Processing Dependency: cloog-ppl >= 0.15 for package: gcc-4.4.7-16.el6.x86_64
--> Processing Dependency: glibc-devel >= 2.2.90-12 for package: gcc-4.4.7-16.el6.x86_64
--> Running transaction check
---> Package cloog-ppl.x86_64 0:0.15.7-1.2.el6 will be installed
--> Processing Dependency: libppl.so.7()(64bit) for package: cloog-ppl-0.15.7-1.2.el6.x86_64
--> Processing Dependency: libppl_c.so.2()(64bit) for package: cloog-ppl-0.15.7-1.2.el6.x86_64
---> Package cpp.x86_64 0:4.4.7-16.el6 will be installed
--> Processing Dependency: libmpfr.so.1()(64bit) for package: cpp-4.4.7-16.el6.x86_64
---> Package glibc-devel.x86_64 0:2.12-1.166.el6_7.1 will be installed
--> Processing Dependency: glibc-headers = 2.12-1.166.el6_7.1 for package: glibc-devel-2.12-1.166.el6_7.1.x86_64
--> Processing Dependency: glibc-headers for package: glibc-devel-2.12-1.166.el6_7.1.x86_64
---> Package libgcc.x86_64 0:4.4.6-3.el6 will be updated
---> Package libgcc.x86_64 0:4.4.7-16.el6 will be an update
---> Package libgomp.x86_64 0:4.4.6-3.el6 will be updated
---> Package libgomp.x86_64 0:4.4.7-16.el6 will be an update
--> Running transaction check
---> Package glibc-headers.x86_64 0:2.12-1.166.el6_7.1 will be installed
--> Processing Dependency: kernel-headers >= 2.2.1 for package: glibc-headers-2.12-1.166.el6_7.1.x86_64
--> Processing Dependency: kernel-headers for package: glibc-headers-2.12-1.166.el6_7.1.x86_64
---> Package mpfr.x86_64 0:2.4.1-6.el6 will be installed
---> Package ppl.x86_64 0:0.10.2-11.el6 will be installed
--> Running transaction check
---> Package kernel-headers.x86_64 0:2.6.32-573.1.1.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

============================================================================================================================
 Package                    Arch               Version                         Repository                              Size
============================================================================================================================
Installing:
 gcc                        x86_64             4.4.7-16.el6                    twtc-rhel-i386_64-server-6              10 M
Installing for dependencies:
 cloog-ppl                  x86_64             0.15.7-1.2.el6                  twtc-rhel-i386_64-server-6              93 k
 cpp                        x86_64             4.4.7-16.el6                    twtc-rhel-i386_64-server-6             3.7 M
 glibc-devel                x86_64             2.12-1.166.el6_7.1              twtc-rhel-i386_64-server-6             985 k
 glibc-headers              x86_64             2.12-1.166.el6_7.1              twtc-rhel-i386_64-server-6             614 k
 kernel-headers             x86_64             2.6.32-573.1.1.el6              twtc-rhel-i386_64-server-6             3.9 M
 mpfr                       x86_64             2.4.1-6.el6                     twtc-rhel-i386_64-server-6             156 k
 ppl                        x86_64             0.10.2-11.el6                   twtc-rhel-i386_64-server-6             1.3 M
Updating for dependencies:
 libgcc                     x86_64             4.4.7-16.el6                    twtc-rhel-i386_64-server-6             103 k
 libgomp                    x86_64             4.4.7-16.el6                    twtc-rhel-i386_64-server-6             134 k

Transaction Summary
============================================================================================================================
Install       8 Package(s)
Upgrade       2 Package(s)

Total download size: 21 M
Is this ok [y/N]: y
Downloading Packages:
(1/10): cloog-ppl-0.15.7-1.2.el6.x86_64.rpm                                                          |  93 kB     00:00     
(2/10): cpp-4.4.7-16.el6.x86_64.rpm                                                                  | 3.7 MB     00:00     
(3/10): gcc-4.4.7-16.el6.x86_64.rpm                                                                  |  10 MB     00:00     
(4/10): glibc-devel-2.12-1.166.el6_7.1.x86_64.rpm                                                    | 985 kB     00:00     
(5/10): glibc-headers-2.12-1.166.el6_7.1.x86_64.rpm                                                  | 614 kB     00:00     
(6/10): kernel-headers-2.6.32-573.1.1.el6.x86_64.rpm                                                 | 3.9 MB     00:00     
(7/10): libgcc-4.4.7-16.el6.x86_64.rpm                                                               | 103 kB     00:00     
(8/10): libgomp-4.4.7-16.el6.x86_64.rpm                                                              | 134 kB     00:00     
(9/10): mpfr-2.4.1-6.el6.x86_64.rpm                                                                  | 156 kB     00:00     
(10/10): ppl-0.10.2-11.el6.x86_64.rpm                                                                | 1.3 MB     00:00     
----------------------------------------------------------------------------------------------------------------------------
Total                                                                                       9.0 MB/s |  21 MB     00:02     
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Updating   : libgcc-4.4.7-16.el6.x86_64                                                                              1/12 
  Installing : ppl-0.10.2-11.el6.x86_64                                                                                2/12 
  Installing : cloog-ppl-0.15.7-1.2.el6.x86_64                                                                         3/12 
  Installing : kernel-headers-2.6.32-573.1.1.el6.x86_64                                                                4/12 
  Installing : glibc-headers-2.12-1.166.el6_7.1.x86_64                                                                 5/12 
  Installing : glibc-devel-2.12-1.166.el6_7.1.x86_64                                                                   6/12 
  Installing : mpfr-2.4.1-6.el6.x86_64                                                                                 7/12 
  Installing : cpp-4.4.7-16.el6.x86_64                                                                                 8/12 
  Updating   : libgomp-4.4.7-16.el6.x86_64                                                                             9/12 
  Installing : gcc-4.4.7-16.el6.x86_64                                                                                10/12 
  Cleanup    : libgcc-4.4.6-3.el6.x86_64                                                                              11/12 
  Cleanup    : libgomp-4.4.6-3.el6.x86_64                                                                             12/12 

Installed:
  gcc.x86_64 0:4.4.7-16.el6                                                                                                 

Dependency Installed:
  cloog-ppl.x86_64 0:0.15.7-1.2.el6                             cpp.x86_64 0:4.4.7-16.el6                                   
  glibc-devel.x86_64 0:2.12-1.166.el6_7.1                       glibc-headers.x86_64 0:2.12-1.166.el6_7.1                   
  kernel-headers.x86_64 0:2.6.32-573.1.1.el6                    mpfr.x86_64 0:2.4.1-6.el6                                   
  ppl.x86_64 0:0.10.2-11.el6                                   

Dependency Updated:
  libgcc.x86_64 0:4.4.7-16.el6                                 libgomp.x86_64 0:4.4.7-16.el6                                

Complete!

Install CPAN

# yum install cpan

Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirror.cs.uwp.edu
 * extras: mirror.cs.uwp.edu
 * updates: sjc.edge.kernel.org
Resolving Dependencies
--> Running transaction check
---> Package perl-CPAN.noarch 0:1.9800-293.el7 will be installed
--> Processing Dependency: perl(local::lib) for package: perl-CPAN-1.9800-293.el7.noarch
--> Processing Dependency: perl(ExtUtils::MakeMaker) for package: perl-CPAN-1.9800-293.el7.noarch
--> Processing Dependency: perl(Digest::SHA) for package: perl-CPAN-1.9800-293.el7.noarch
--> Running transaction check
---> Package perl-Digest-SHA.x86_64 1:5.85-4.el7 will be installed
--> Processing Dependency: perl(Digest::base) for package: 1:perl-Digest-SHA-5.85-4.el7.x86_64
---> Package perl-ExtUtils-MakeMaker.noarch 0:6.68-3.el7 will be installed
--> Processing Dependency: perl(Test::Harness) for package: perl-ExtUtils-MakeMaker-6.68-3.el7.noarch
--> Processing Dependency: perl(ExtUtils::Packlist) for package: perl-ExtUtils-MakeMaker-6.68-3.el7.noarch
--> Processing Dependency: perl(ExtUtils::Manifest) for package: perl-ExtUtils-MakeMaker-6.68-3.el7.noarch
--> Processing Dependency: perl(ExtUtils::Installed) for package: perl-ExtUtils-MakeMaker-6.68-3.el7.noarch
--> Processing Dependency: perl(ExtUtils::Install) for package: perl-ExtUtils-MakeMaker-6.68-3.el7.noarch
---> Package perl-local-lib.noarch 0:1.008010-4.el7 will be installed
--> Running transaction check
---> Package perl-Digest.noarch 0:1.17-245.el7 will be installed
---> Package perl-ExtUtils-Install.noarch 0:1.58-293.el7 will be installed
--> Processing Dependency: perl-devel for package: perl-ExtUtils-Install-1.58-293.el7.noarch
---> Package perl-ExtUtils-Manifest.noarch 0:1.61-244.el7 will be installed
---> Package perl-Test-Harness.noarch 0:3.28-3.el7 will be installed
--> Running transaction check
---> Package perl-devel.x86_64 4:5.16.3-293.el7 will be installed
--> Processing Dependency: systemtap-sdt-devel for package: 4:perl-devel-5.16.3-293.el7.x86_64
--> Processing Dependency: perl(ExtUtils::ParseXS) for package: 4:perl-devel-5.16.3-293.el7.x86_64
--> Processing Dependency: libdb-devel for package: 4:perl-devel-5.16.3-293.el7.x86_64
--> Processing Dependency: gdbm-devel for package: 4:perl-devel-5.16.3-293.el7.x86_64
--> Running transaction check
---> Package gdbm-devel.x86_64 0:1.10-8.el7 will be installed
---> Package libdb-devel.x86_64 0:5.3.21-24.el7 will be installed
--> Processing Dependency: libdb(x86-64) = 5.3.21-24.el7 for package: libdb-devel-5.3.21-24.el7.x86_64
---> Package perl-ExtUtils-ParseXS.noarch 1:3.18-3.el7 will be installed
---> Package systemtap-sdt-devel.x86_64 0:3.3-3.el7 will be installed
--> Processing Dependency: pyparsing for package: systemtap-sdt-devel-3.3-3.el7.x86_64
--> Running transaction check
---> Package libdb.x86_64 0:5.3.21-17.el7_0.1 will be updated
--> Processing Dependency: libdb(x86-64) = 5.3.21-17.el7_0.1 for package: libdb-utils-5.3.21-17.el7_0.1.x86_64
---> Package libdb.x86_64 0:5.3.21-24.el7 will be an update
---> Package pyparsing.noarch 0:1.5.6-9.el7 will be installed
--> Running transaction check
---> Package libdb-utils.x86_64 0:5.3.21-17.el7_0.1 will be updated
---> Package libdb-utils.x86_64 0:5.3.21-24.el7 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

===================================================================================================
 Package                          Arch            Version                      Repository     Size
===================================================================================================
Installing:
 perl-CPAN                        noarch          1.9800-293.el7               base          293 k
Installing for dependencies:
 gdbm-devel                       x86_64          1.10-8.el7                   base           47 k
 libdb-devel                      x86_64          5.3.21-24.el7                base           38 k
 perl-Digest                      noarch          1.17-245.el7                 base           23 k
 perl-Digest-SHA                  x86_64          1:5.85-4.el7                 base           58 k
 perl-ExtUtils-Install            noarch          1.58-293.el7                 base           74 k
 perl-ExtUtils-MakeMaker          noarch          6.68-3.el7                   base          275 k
 perl-ExtUtils-Manifest           noarch          1.61-244.el7                 base           31 k
 perl-ExtUtils-ParseXS            noarch          1:3.18-3.el7                 base           77 k
 perl-Test-Harness                noarch          3.28-3.el7                   base          302 k
 perl-devel                       x86_64          4:5.16.3-293.el7             base          453 k
 perl-local-lib                   noarch          1.008010-4.el7               base           64 k
 pyparsing                        noarch          1.5.6-9.el7                  base           94 k
 systemtap-sdt-devel              x86_64          3.3-3.el7                    base           74 k
Updating for dependencies:
 libdb                            x86_64          5.3.21-24.el7                base          720 k
 libdb-utils                      x86_64          5.3.21-24.el7                base          132 k

Transaction Summary
===================================================================================================
Install  1 Package  (+13 Dependent packages)
Upgrade             (  2 Dependent packages)

Total download size: 2.7 M
Is this ok [y/d/N]: y
Downloading packages:
Delta RPMs disabled because /usr/bin/applydeltarpm not installed.
(1/16): gdbm-devel-1.10-8.el7.x86_64.rpm                                    |  47 kB  00:00:00     
(2/16): libdb-devel-5.3.21-24.el7.x86_64.rpm                                |  38 kB  00:00:00     
(3/16): libdb-5.3.21-24.el7.x86_64.rpm                                      | 720 kB  00:00:00     
(4/16): libdb-utils-5.3.21-24.el7.x86_64.rpm                                | 132 kB  00:00:00     
(5/16): perl-CPAN-1.9800-293.el7.noarch.rpm                                 | 293 kB  00:00:00     
(6/16): perl-Digest-1.17-245.el7.noarch.rpm                                 |  23 kB  00:00:00     
(7/16): perl-Digest-SHA-5.85-4.el7.x86_64.rpm                               |  58 kB  00:00:00     
(8/16): perl-ExtUtils-Install-1.58-293.el7.noarch.rpm                       |  74 kB  00:00:00     
(9/16): perl-ExtUtils-MakeMaker-6.68-3.el7.noarch.rpm                       | 275 kB  00:00:00     
(10/16): perl-ExtUtils-Manifest-1.61-244.el7.noarch.rpm                     |  31 kB  00:00:00     
(11/16): perl-ExtUtils-ParseXS-3.18-3.el7.noarch.rpm                        |  77 kB  00:00:00     
(12/16): perl-Test-Harness-3.28-3.el7.noarch.rpm                            | 302 kB  00:00:00     
(13/16): perl-devel-5.16.3-293.el7.x86_64.rpm                               | 453 kB  00:00:00     
(14/16): perl-local-lib-1.008010-4.el7.noarch.rpm                           |  64 kB  00:00:00     
(15/16): systemtap-sdt-devel-3.3-3.el7.x86_64.rpm                           |  74 kB  00:00:00     
(16/16): pyparsing-1.5.6-9.el7.noarch.rpm                                   |  94 kB  00:00:00     
---------------------------------------------------------------------------------------------------
Total                                                              2.9 MB/s | 2.7 MB  00:00:00     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Updating   : libdb-5.3.21-24.el7.x86_64                                                     1/18 
  Installing : libdb-devel-5.3.21-24.el7.x86_64                                               2/18 
  Installing : pyparsing-1.5.6-9.el7.noarch                                                   3/18 
  Installing : systemtap-sdt-devel-3.3-3.el7.x86_64                                           4/18 
  Installing : perl-Digest-1.17-245.el7.noarch                                                5/18 
  Installing : 1:perl-Digest-SHA-5.85-4.el7.x86_64                                            6/18 
  Installing : perl-ExtUtils-Manifest-1.61-244.el7.noarch                                     7/18 
  Installing : perl-Test-Harness-3.28-3.el7.noarch                                            8/18 
  Installing : perl-local-lib-1.008010-4.el7.noarch                                           9/18 
  Installing : gdbm-devel-1.10-8.el7.x86_64                                                  10/18 
  Installing : 1:perl-ExtUtils-ParseXS-3.18-3.el7.noarch                                     11/18 
  Installing : perl-ExtUtils-MakeMaker-6.68-3.el7.noarch                                     12/18 
  Installing : perl-ExtUtils-Install-1.58-293.el7.noarch                                     13/18 
  Installing : 4:perl-devel-5.16.3-293.el7.x86_64                                            14/18 
  Installing : perl-CPAN-1.9800-293.el7.noarch                                               15/18 
  Updating   : libdb-utils-5.3.21-24.el7.x86_64                                              16/18 
  Cleanup    : libdb-utils-5.3.21-17.el7_0.1.x86_64                                          17/18 
  Cleanup    : libdb-5.3.21-17.el7_0.1.x86_64                                                18/18 
  Verifying  : libdb-5.3.21-24.el7.x86_64                                                     1/18 
  Verifying  : gdbm-devel-1.10-8.el7.x86_64                                                   2/18 
  Verifying  : 1:perl-ExtUtils-ParseXS-3.18-3.el7.noarch                                      3/18 
  Verifying  : perl-local-lib-1.008010-4.el7.noarch                                           4/18 
  Verifying  : perl-CPAN-1.9800-293.el7.noarch                                                5/18 
  Verifying  : perl-Test-Harness-3.28-3.el7.noarch                                            6/18 
  Verifying  : 1:perl-Digest-SHA-5.85-4.el7.x86_64                                            7/18 
  Verifying  : perl-ExtUtils-Install-1.58-293.el7.noarch                                      8/18 
  Verifying  : perl-ExtUtils-Manifest-1.61-244.el7.noarch                                     9/18 
  Verifying  : libdb-utils-5.3.21-24.el7.x86_64                                              10/18 
  Verifying  : perl-Digest-1.17-245.el7.noarch                                               11/18 
  Verifying  : pyparsing-1.5.6-9.el7.noarch                                                  12/18 
  Verifying  : libdb-devel-5.3.21-24.el7.x86_64                                              13/18 
  Verifying  : perl-ExtUtils-MakeMaker-6.68-3.el7.noarch                                     14/18 
  Verifying  : systemtap-sdt-devel-3.3-3.el7.x86_64                                          15/18 
  Verifying  : 4:perl-devel-5.16.3-293.el7.x86_64                                            16/18 
  Verifying  : libdb-utils-5.3.21-17.el7_0.1.x86_64                                          17/18 
  Verifying  : libdb-5.3.21-17.el7_0.1.x86_64                                                18/18 

Installed:
  perl-CPAN.noarch 0:1.9800-293.el7                                                                

Dependency Installed:
  gdbm-devel.x86_64 0:1.10-8.el7                   libdb-devel.x86_64 0:5.3.21-24.el7             
  perl-Digest.noarch 0:1.17-245.el7                perl-Digest-SHA.x86_64 1:5.85-4.el7            
  perl-ExtUtils-Install.noarch 0:1.58-293.el7      perl-ExtUtils-MakeMaker.noarch 0:6.68-3.el7    
  perl-ExtUtils-Manifest.noarch 0:1.61-244.el7     perl-ExtUtils-ParseXS.noarch 1:3.18-3.el7      
  perl-Test-Harness.noarch 0:3.28-3.el7            perl-devel.x86_64 4:5.16.3-293.el7             
  perl-local-lib.noarch 0:1.008010-4.el7           pyparsing.noarch 0:1.5.6-9.el7                 
  systemtap-sdt-devel.x86_64 0:3.3-3.el7          

Dependency Updated:
  libdb.x86_64 0:5.3.21-24.el7                  libdb-utils.x86_64 0:5.3.21-24.el7                 

Complete!

Auto Configure CPAN

When you first run CPAN, it will offer to automatically configure. Go ahead and let it do this, and we will fix it later.

Change some defaults

# cpan
Terminal does not support AddHistory.

cpan shell -- CPAN exploration and modules installation (v1.9402)
Enter 'h' for help.

cpan[1]> o conf urllist
    urllist           
Type 'o conf' to view all configuration items

cpan[4]> o conf commit
commit: wrote '/root/.cpan/CPAN/MyConfig.pm'

# perl -npe 's/root\/.cpan/var\/spool\/cpan/g' -i /root/.cpan/CPAN/MyConfig.pm
# mkdir -p /var/spool/cpan

Update CPAN

# cpan
Terminal does not support AddHistory.

cpan shell -- CPAN exploration and modules installation (v1.9402)
Enter 'h' for help.

cpan[1]> install CPAN

cpan[2]> reload cpan

Install Perl Modules (via yum)

Install the Perl modules that are available via yum

# yum install perl-Capture-Tiny perl-DBD-MySQL perl-DBI perl-Net-DNS perl-Time-Piece

Install Perl Modules (via CPAN)

Install the following modules via CPAN:

Array::Compare
Date::Calendar
Date::Calendar::Profiles
Date::Parse
IO::Select
MIME::Lite
Net::LDAP::Constant
Net::LDAP::Control::Paged
Net::LDAP::Entry
Net::LDAPS
Net::LDAP::Util

The command looks like this:

# cpan
Terminal does not support AddHistory.

cpan shell -- CPAN exploration and modules installation (v2.10)
Enter 'h' for help.

cpan[1]> install Array::Compare Date::Calendar Date::Calendar::Profiles Date::Parse IO::Select MIME::Lite Net::LDAP::Constant \
   Net::LDAP::Control::Paged Net::LDAP::Entry Net::LDAPS Net::LDAP::Util

Follow through the install process, hitting a million "Y".
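The yum and CPAN steps above, as an added shell script that is not from the original page. It installs the same package and module lists non-interactively (`PERL_MM_USE_DEFAULT=1` makes MakeMaker and CPAN take their default answers instead of prompting), and then checks that every module actually loads under `perl -M`, which is the test that matters for the TACACS daemon later on. Function names and the `install` argument are mine; the package and module names are the page's.

```shell
#!/bin/sh
# Added example (not from the original page): install this section's Perl
# dependencies without prompts and verify that each module loads.
# Usage: sh perl_deps.sh install
set -e

# Package and module lists taken from the page.
YUM_PKGS="perl-Capture-Tiny perl-DBD-MySQL perl-DBI perl-Net-DNS perl-Time-Piece"
CPAN_MODS="Array::Compare Date::Calendar Date::Calendar::Profiles Date::Parse
IO::Select MIME::Lite Net::LDAP::Constant Net::LDAP::Control::Paged
Net::LDAP::Entry Net::LDAPS Net::LDAP::Util"

# missing_perl_modules MOD...: print, one per line, the modules perl cannot
# load. Empty output means everything is present.
missing_perl_modules() {
    for m in "$@"; do
        perl -M"$m" -e 1 >/dev/null 2>&1 || printf '%s\n' "$m"
    done
}

# install_perl_deps: yum first, then CPAN for the rest, then verify.
install_perl_deps() {
    yum -y install $YUM_PKGS
    # Default answers for every build prompt instead of "a million Y".
    PERL_MM_USE_DEFAULT=1 cpan $CPAN_MODS
    left=$(missing_perl_modules $CPAN_MODS)
    if [ -n "$left" ]; then
        echo "modules still missing after install:" >&2
        echo "$left" >&2
        return 1
    fi
    echo "all Perl modules load"
}

if [ "${1:-}" = install ]; then
    install_perl_deps
fi
```

Running `missing_perl_modules` on its own (for example after a `yum update` that replaced the system perl) is a quick way to confirm the daemon's dependencies are still intact before restarting it.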

Install 389-ds

Set your server fully qualified domain in /etc/hosts file

Edit the file /etc/hosts

# vi /etc/hosts

Add an entry for the local hostname and network IP address

10.255.7.37  centos-auth.home.labrats.us  centos-auth

Firewall Configuration

Allow the following LDAP ports through firewalld

# firewall-cmd --permanent --add-port=389/tcp

# firewall-cmd --permanent --add-port=636/tcp

# firewall-cmd --permanent --add-port=9830/tcp

Reload the firewall rules

# firewall-cmd --reload

Add EPEL and REMI Repository

EPEL is required, but I don't think that REMI is.

Install and Enable EPEL Repository on CentOS 7

# yum install epel-release
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirror.cs.uwp.edu
 * extras: mirror.cs.uwp.edu
 * updates: sjc.edge.kernel.org
Resolving Dependencies
--> Running transaction check
---> Package epel-release.noarch 0:7-11 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

===================================================================================================
 Package                     Arch                  Version             Repository             Size
===================================================================================================
Installing:
 epel-release                noarch                7-11                extras                 15 k

Transaction Summary
===================================================================================================
Install  1 Package

Total download size: 15 k
Installed size: 24 k
Is this ok [y/d/N]: y
Downloading packages:
epel-release-7-11.noarch.rpm                                                |  15 kB  00:00:00     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : epel-release-7-11.noarch                                                        1/1 
  Verifying  : epel-release-7-11.noarch                                                        1/1 

Installed:
  epel-release.noarch 0:7-11                                                                       

Complete!

Install and enable REMI repository On CentOS 7

# yum install http://rpms.famillecollet.com/enterprise/remi-release-7.rpm

Enable REMI repository

# vi /etc/yum.repos.d/remi.repo

Change enabled to 1

[...]
enabled=1
[...]

Performance and Security tuning for LDAP server

Before installing the LDAP server, adjust a few files for performance and security.

Edit file “/etc/sysctl.conf”

# vi /etc/sysctl.conf

Add the following lines at the end

net.ipv4.tcp_keepalive_time = 300
net.ipv4.ip_local_port_range = 1024 65000
fs.file-max = 64000

Load the new value

# sysctl -p

Edit file “/etc/security/limits.conf”

# vi /etc/security/limits.conf

Add the following lines at the end

*               soft     nofile          8192   
*               hard     nofile          8192

Edit file “/etc/profile”

# vi /etc/profile

Add the line at the end

ulimit -n 8192

Edit file “/etc/pam.d/login”

# vi /etc/pam.d/login

Add the line at the end

session    required     pam_limits.so

Now restart the server.

# shutdown -r now
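The sysctl and limits.conf part of the tuning above, as an added shell script that is not from the original page. "Add the following lines at the end" duplicates entries every time the how-to is re-run, so this version rewrites an existing `key = value` or `domain type item value` line when one exists and appends otherwise; it also has a `verify` mode that compares the file against the running kernel after `sysctl -p` or the reboot. The function names, the `apply`/`verify` arguments and the `SYSCTL_CONF`/`LIMITS_CONF` overrides are mine; the values are the page's. The /etc/profile and /etc/pam.d/login lines are not covered here.

```shell
#!/bin/sh
# Added example (not from the original page): apply the sysctl and
# limits.conf tuning from this section idempotently and verify it.
# Usage: sh ldap_tuning.sh apply     # edit the two files
#        sh ldap_tuning.sh verify    # compare sysctl.conf with the live kernel
SYSCTL_CONF=${SYSCTL_CONF:-/etc/sysctl.conf}
LIMITS_CONF=${LIMITS_CONF:-/etc/security/limits.conf}

# set_sysctl FILE KEY VALUE: rewrite an existing "KEY = ..." line or append one.
set_sysctl() {
    file="$1"; key="$2"; value="$3"
    esc=$(printf '%s' "$key" | sed 's/\./\\./g')       # escape dots for the regex
    if grep -Eq "^[[:space:]]*$esc[[:space:]]*=" "$file"; then
        sed -i -E "s/^[[:space:]]*$esc[[:space:]]*=.*/$key = $value/" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# get_sysctl FILE KEY: print the configured value (last line wins, as sysctl -p
# applies the file top to bottom).
get_sysctl() {
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep -E "^[[:space:]]*$esc[[:space:]]*=" "$1" | tail -n 1 | sed -E 's/^[^=]*=[[:space:]]*//'
}

# set_limit FILE DOMAIN TYPE ITEM VALUE: same idea for limits.conf, whose
# lines are whitespace-separated "<domain> <type> <item> <value>".
set_limit() {
    file="$1"; dom="$2"; type="$3"; item="$4"; value="$5"
    esc=$(printf '%s' "$dom" | sed 's/[*.]/\\&/g')      # "*" is a regex metachar
    pat="^[[:space:]]*$esc[[:space:]]+$type[[:space:]]+$item[[:space:]]"
    if grep -Eq "$pat" "$file"; then
        sed -i -E "s/$pat.*/$dom $type $item $value/" "$file"
    else
        printf '%s\t%s\t%s\t%s\n' "$dom" "$type" "$item" "$value" >> "$file"
    fi
}

# get_limit FILE DOMAIN TYPE ITEM: print the configured value.
get_limit() {
    esc=$(printf '%s' "$2" | sed 's/[*.]/\\&/g')
    grep -E "^[[:space:]]*$esc[[:space:]]+$3[[:space:]]+$4[[:space:]]" "$1" | tail -n 1 | awk '{print $4}'
}

# apply_tuning SYSCTL_FILE LIMITS_FILE: the values from this section.
apply_tuning() {
    set_sysctl "$1" net.ipv4.tcp_keepalive_time 300
    set_sysctl "$1" net.ipv4.ip_local_port_range "1024 65000"
    set_sysctl "$1" fs.file-max 64000
    set_limit "$2" '*' soft nofile 8192
    set_limit "$2" '*' hard nofile 8192
}

# verify_sysctl FILE: print each key whose running value differs from FILE
# (whitespace-normalised) and finish with the number of mismatches.
verify_sysctl() {
    grep -E '^[[:space:]]*[a-z][^#=]*=' "$1" | while IFS='=' read -r key want; do
        key=$(printf '%s' "$key" | tr -d '[:space:]')
        want=$(printf '%s' "$want" | tr -s '[:space:]' ' ' | sed 's/^ //;s/ $//')
        have=$(sysctl -n "$key" 2>/dev/null | tr -s '[:space:]' ' ')
        [ "$have" = "$want" ] || printf 'MISMATCH %s: file=%s running=%s\n' "$key" "$want" "$have"
    done | tee /dev/stderr | grep -c MISMATCH || true
}

case "${1:-}" in
    apply)  apply_tuning "$SYSCTL_CONF" "$LIMITS_CONF" ;;
    verify) echo "$(verify_sysctl "$SYSCTL_CONF") sysctl value(s) differ from $SYSCTL_CONF" ;;
esac
```

The two limits are different ceilings: `fs.file-max` is the system-wide open-file limit, while `nofile 8192` is the per-process limit that pam_limits applies at login, so the verify step only covers the former.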

Install 389 Directory Server

Install the 389-ds-base package, the OpenLDAP client tools and the 389 console packages with:

# yum install 389-ds-base openldap-clients idm-console-framework 389-admin 389-adminutil \
      389-admin-console 389-console 389-ds-console
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirror.cs.uwp.edu
 * epel: mirror.colorado.edu
 * extras: mirror.cs.uwp.edu
 * updates: sjc.edge.kernel.org
Resolving Dependencies
--> Running transaction check
---> Package 389-admin.x86_64 0:1.1.46-1.el7 will be installed
--> Processing Dependency: policycoreutils-python for package: 389-admin-1.1.46-1.el7.x86_64
--> Processing Dependency: perl-Mozilla-LDAP for package: 389-admin-1.1.46-1.el7.x86_64
--> Processing Dependency: perl(Mozilla::LDAP::Utils) for package: 389-admin-1.1.46-1.el7.x86_64
--> Processing Dependency: perl(Mozilla::LDAP::LDIF) for package: 389-admin-1.1.46-1.el7.x86_64
--> Processing Dependency: perl(Mozilla::LDAP::Conn) for package: 389-admin-1.1.46-1.el7.x86_64
--> Processing Dependency: perl(Mozilla::LDAP::API) for package: 389-admin-1.1.46-1.el7.x86_64
--> Processing Dependency: perl(CGI) for package: 389-admin-1.1.46-1.el7.x86_64
--> Processing Dependency: mod_nss for package: 389-admin-1.1.46-1.el7.x86_64
--> Processing Dependency: libicuuc.so.50()(64bit) for package: 389-admin-1.1.46-1.el7.x86_64
--> Processing Dependency: libicui18n.so.50()(64bit) for package: 389-admin-1.1.46-1.el7.x86_64
--> Processing Dependency: libicudata.so.50()(64bit) for package: 389-admin-1.1.46-1.el7.x86_64
---> Package 389-admin-console.noarch 0:1.1.12-1.el7 will be installed
---> Package 389-adminutil.x86_64 0:1.1.21-2.el7 will be installed
---> Package 389-console.noarch 0:1.1.18-1.el7 will be installed
--> Processing Dependency: java-headless >= 1.8.0 for package: 389-console-1.1.18-1.el7.noarch
--> Processing Dependency: jpackage-utils for package: 389-console-1.1.18-1.el7.noarch
---> Package 389-ds-base.x86_64 0:1.3.8.4-18.el7_6 will be installed
--> Processing Dependency: 389-ds-base-libs = 1.3.8.4-18.el7_6 for package: 389-ds-base-1.3.8.4-18.el7_6.x86_64
--> Processing Dependency: svrcore >= 4.1.3 for package: 389-ds-base-1.3.8.4-18.el7_6.x86_64
--> Processing Dependency: python-ldap for package: 389-ds-base-1.3.8.4-18.el7_6.x86_64
--> Processing Dependency: perl-NetAddr-IP for package: 389-ds-base-1.3.8.4-18.el7_6.x86_64
--> Processing Dependency: perl(NetAddr::IP::Util) for package: 389-ds-base-1.3.8.4-18.el7_6.x86_64
--> Processing Dependency: perl(DB_File) for package: 389-ds-base-1.3.8.4-18.el7_6.x86_64
--> Processing Dependency: perl(Archive::Tar) for package: 389-ds-base-1.3.8.4-18.el7_6.x86_64
--> Processing Dependency: libsemanage-python for package: 389-ds-base-1.3.8.4-18.el7_6.x86_64
--> Processing Dependency: gperftools-libs for package: 389-ds-base-1.3.8.4-18.el7_6.x86_64
--> Processing Dependency: cyrus-sasl-plain for package: 389-ds-base-1.3.8.4-18.el7_6.x86_64
--> Processing Dependency: cyrus-sasl-md5 for package: 389-ds-base-1.3.8.4-18.el7_6.x86_64
--> Processing Dependency: libtcmalloc.so.4()(64bit) for package: 389-ds-base-1.3.8.4-18.el7_6.x86_64
--> Processing Dependency: libsvrcore.so.0()(64bit) for package: 389-ds-base-1.3.8.4-18.el7_6.x86_64
--> Processing Dependency: libslapd.so.0()(64bit) for package: 389-ds-base-1.3.8.4-18.el7_6.x86_64
--> Processing Dependency: libsds.so.0()(64bit) for package: 389-ds-base-1.3.8.4-18.el7_6.x86_64
--> Processing Dependency: libnunc-stans.so.0()(64bit) for package: 389-ds-base-1.3.8.4-18.el7_6.x86_64
--> Processing Dependency: libns-dshttpd-1.3.8.4.so()(64bit) for package: 389-ds-base-1.3.8.4-18.el7_6.x86_64
--> Processing Dependency: libldaputil.so.0()(64bit) for package: 389-ds-base-1.3.8.4-18.el7_6.x86_64
--> Processing Dependency: libevent-2.0.so.5()(64bit) for package: 389-ds-base-1.3.8.4-18.el7_6.x86_64
---> Package 389-ds-console.noarch 0:1.2.16-1.el7 will be installed
---> Package idm-console-framework.noarch 0:1.1.17-4.el7 will be installed
--> Processing Dependency: jss >= 4.2.6-35 for package: idm-console-framework-1.1.17-4.el7.noarch
--> Processing Dependency: java >= 1:1.6.0 for package: idm-console-framework-1.1.17-4.el7.noarch
--> Processing Dependency: ldapjdk for package: idm-console-framework-1.1.17-4.el7.noarch
---> Package openldap-clients.x86_64 0:2.4.44-20.el7 will be installed
--> Processing Dependency: openldap(x86-64) = 2.4.44-20.el7 for package: openldap-clients-2.4.44-20.el7.x86_64
--> Running transaction check
---> Package 389-ds-base-libs.x86_64 0:1.3.8.4-18.el7_6 will be installed
---> Package cyrus-sasl-md5.x86_64 0:2.1.26-23.el7 will be installed
---> Package cyrus-sasl-plain.x86_64 0:2.1.26-23.el7 will be installed
---> Package gperftools-libs.x86_64 0:2.6.1-1.el7 will be installed
---> Package java-1.8.0-openjdk.x86_64 1:1.8.0.191.b12-1.el7_6 will be installed
--> Processing Dependency: xorg-x11-fonts-Type1 for package: 1:java-1.8.0-openjdk-1.8.0.191.b12-1.el7_6.x86_64
--> Processing Dependency: libpng15.so.15(PNG15_0)(64bit) for package: 1:java-1.8.0-openjdk-1.8.0.191.b12-1.el7_6.x86_64
--> Processing Dependency: libjpeg.so.62(LIBJPEG_6.2)(64bit) for package: 1:java-1.8.0-openjdk-1.8.0.191.b12-1.el7_6.x86_64
--> Processing Dependency: fontconfig(x86-64) for package: 1:java-1.8.0-openjdk-1.8.0.191.b12-1.el7_6.x86_64
--> Processing Dependency: libpng15.so.15()(64bit) for package: 1:java-1.8.0-openjdk-1.8.0.191.b12-1.el7_6.x86_64
--> Processing Dependency: libjpeg.so.62()(64bit) for package: 1:java-1.8.0-openjdk-1.8.0.191.b12-1.el7_6.x86_64
--> Processing Dependency: libgif.so.4()(64bit) for package: 1:java-1.8.0-openjdk-1.8.0.191.b12-1.el7_6.x86_64
--> Processing Dependency: libXtst.so.6()(64bit) for package: 1:java-1.8.0-openjdk-1.8.0.191.b12-1.el7_6.x86_64
--> Processing Dependency: libXrender.so.1()(64bit) for package: 1:java-1.8.0-openjdk-1.8.0.191.b12-1.el7_6.x86_64
--> Processing Dependency: libXi.so.6()(64bit) for package: 1:java-1.8.0-openjdk-1.8.0.191.b12-1.el7_6.x86_64
--> Processing Dependency: libXext.so.6()(64bit) for package: 1:java-1.8.0-openjdk-1.8.0.191.b12-1.el7_6.x86_64
--> Processing Dependency: libXcomposite.so.1()(64bit) for package: 1:java-1.8.0-openjdk-1.8.0.191.b12-1.el7_6.x86_64
--> Processing Dependency: libX11.so.6()(64bit) for package: 1:java-1.8.0-openjdk-1.8.0.191.b12-1.el7_6.x86_64
---> Package java-1.8.0-openjdk-headless.x86_64 1:1.8.0.191.b12-1.el7_6 will be installed
--> Processing Dependency: tzdata-java >= 2015d for package: 1:java-1.8.0-openjdk-headless-1.8.0.191.b12-1.el7_6.x86_64
--> Processing Dependency: copy-jdk-configs >= 2.2 for package: 1:java-1.8.0-openjdk-headless-1.8.0.191.b12-1.el7_6.x86_64
--> Processing Dependency: chkconfig >= 1.7 for package: 1:java-1.8.0-openjdk-headless-1.8.0.191.b12-1.el7_6.x86_64
--> Processing Dependency: chkconfig >= 1.7 for package: 1:java-1.8.0-openjdk-headless-1.8.0.191.b12-1.el7_6.x86_64
--> Processing Dependency: lksctp-tools(x86-64) for package: 1:java-1.8.0-openjdk-headless-1.8.0.191.b12-1.el7_6.x86_64
---> Package javapackages-tools.noarch 0:3.4.1-11.el7 will be installed
--> Processing Dependency: python-javapackages = 3.4.1-11.el7 for package: javapackages-tools-3.4.1-11.el7.noarch
--> Processing Dependency: libxslt for package: javapackages-tools-3.4.1-11.el7.noarch
---> Package jss.x86_64 0:4.4.4-3.el7 will be installed
--> Processing Dependency: apache-commons-lang for package: jss-4.4.4-3.el7.x86_64
--> Processing Dependency: apache-commons-codec for package: jss-4.4.4-3.el7.x86_64
---> Package ldapjdk.noarch 0:4.19-5.el7 will be installed
---> Package libevent.x86_64 0:2.0.21-4.el7 will be installed
---> Package libicu.x86_64 0:50.1.2-17.el7 will be installed
---> Package libsemanage-python.x86_64 0:2.5-14.el7 will be installed
---> Package mod_nss.x86_64 0:1.0.14-12.el7 will be installed
epel/x86_64/filelists                                                       |  10 MB  00:00:00     
base/7/x86_64/filelists_db                                                                                                                                        | 7.1 MB  00:00:03     
updates/7/x86_64/filelists_db                                                                                                                                     | 1.3 MB  00:00:00     
--> Processing Dependency: httpd-mmn = 20120211x8664 for package: mod_nss-1.0.14-12.el7.x86_64
--> Processing Dependency: httpd for package: mod_nss-1.0.14-12.el7.x86_64
---> Package openldap.x86_64 0:2.4.39-6.el7 will be updated
---> Package openldap.x86_64 0:2.4.44-20.el7 will be an update
---> Package perl-Archive-Tar.noarch 0:1.92-2.el7 will be installed
--> Processing Dependency: perl(IO::Zlib) >= 1.01 for package: perl-Archive-Tar-1.92-2.el7.noarch
--> Processing Dependency: perl(Package::Constants) for package: perl-Archive-Tar-1.92-2.el7.noarch
--> Processing Dependency: perl(IO::Zlib) for package: perl-Archive-Tar-1.92-2.el7.noarch
---> Package perl-CGI.noarch 0:3.63-4.el7 will be installed
--> Processing Dependency: perl(FCGI) >= 0.67 for package: perl-CGI-3.63-4.el7.noarch
---> Package perl-DB_File.x86_64 0:1.830-6.el7 will be installed
---> Package perl-Mozilla-LDAP.x86_64 0:1.5.3-12.el7 will be installed
---> Package perl-NetAddr-IP.x86_64 0:4.069-3.el7 will be installed
---> Package policycoreutils-python.x86_64 0:2.5-29.el7 will be installed
--> Processing Dependency: setools-libs >= 3.3.8-4 for package: policycoreutils-python-2.5-29.el7.x86_64
--> Processing Dependency: audit-libs-python >= 2.1.3-4 for package: policycoreutils-python-2.5-29.el7.x86_64
--> Processing Dependency: python-IPy for package: policycoreutils-python-2.5-29.el7.x86_64
--> Processing Dependency: libqpol.so.1(VERS_1.4)(64bit) for package: policycoreutils-python-2.5-29.el7.x86_64
--> Processing Dependency: libqpol.so.1(VERS_1.2)(64bit) for package: policycoreutils-python-2.5-29.el7.x86_64
--> Processing Dependency: libcgroup for package: policycoreutils-python-2.5-29.el7.x86_64
--> Processing Dependency: libapol.so.4(VERS_4.0)(64bit) for package: policycoreutils-python-2.5-29.el7.x86_64
--> Processing Dependency: checkpolicy for package: policycoreutils-python-2.5-29.el7.x86_64
--> Processing Dependency: libqpol.so.1()(64bit) for package: policycoreutils-python-2.5-29.el7.x86_64
--> Processing Dependency: libapol.so.4()(64bit) for package: policycoreutils-python-2.5-29.el7.x86_64
---> Package python-ldap.x86_64 0:2.4.15-2.el7 will be installed
---> Package svrcore.x86_64 0:4.1.3-2.el7 will be installed
--> Running transaction check
---> Package apache-commons-codec.noarch 0:1.8-7.el7 will be installed
---> Package apache-commons-lang.noarch 0:2.6-15.el7 will be installed
---> Package audit-libs-python.x86_64 0:2.8.4-4.el7 will be installed
--> Processing Dependency: audit-libs(x86-64) = 2.8.4-4.el7 for package: audit-libs-python-2.8.4-4.el7.x86_64
---> Package checkpolicy.x86_64 0:2.5-8.el7 will be installed
---> Package chkconfig.x86_64 0:1.3.61-4.el7 will be updated
---> Package chkconfig.x86_64 0:1.7.4-1.el7 will be an update
---> Package copy-jdk-configs.noarch 0:3.3-10.el7_5 will be installed
---> Package fontconfig.x86_64 0:2.13.0-4.3.el7 will be installed
--> Processing Dependency: freetype >= 2.8-7 for package: fontconfig-2.13.0-4.3.el7.x86_64
--> Processing Dependency: fontpackages-filesystem for package: fontconfig-2.13.0-4.3.el7.x86_64
--> Processing Dependency: dejavu-sans-fonts for package: fontconfig-2.13.0-4.3.el7.x86_64
---> Package giflib.x86_64 0:4.1.6-9.el7 will be installed
--> Processing Dependency: libSM.so.6()(64bit) for package: giflib-4.1.6-9.el7.x86_64
--> Processing Dependency: libICE.so.6()(64bit) for package: giflib-4.1.6-9.el7.x86_64
---> Package httpd.x86_64 0:2.4.6-88.el7.centos will be installed
--> Processing Dependency: httpd-tools = 2.4.6-88.el7.centos for package: httpd-2.4.6-88.el7.centos.x86_64
--> Processing Dependency: /etc/mime.types for package: httpd-2.4.6-88.el7.centos.x86_64
--> Processing Dependency: libaprutil-1.so.0()(64bit) for package: httpd-2.4.6-88.el7.centos.x86_64
--> Processing Dependency: libapr-1.so.0()(64bit) for package: httpd-2.4.6-88.el7.centos.x86_64
---> Package libX11.x86_64 0:1.6.5-2.el7 will be installed
--> Processing Dependency: libX11-common >= 1.6.5-2.el7 for package: libX11-1.6.5-2.el7.x86_64
--> Processing Dependency: libxcb.so.1()(64bit) for package: libX11-1.6.5-2.el7.x86_64
---> Package libXcomposite.x86_64 0:0.4.4-4.1.el7 will be installed
---> Package libXext.x86_64 0:1.3.3-3.el7 will be installed
---> Package libXi.x86_64 0:1.7.9-1.el7 will be installed
---> Package libXrender.x86_64 0:0.9.10-1.el7 will be installed
---> Package libXtst.x86_64 0:1.2.3-1.el7 will be installed
---> Package libcgroup.x86_64 0:0.41-20.el7 will be installed
---> Package libjpeg-turbo.x86_64 0:1.2.90-6.el7 will be installed
---> Package libpng.x86_64 2:1.5.13-7.el7_2 will be installed
---> Package libxslt.x86_64 0:1.1.28-5.el7 will be installed
---> Package lksctp-tools.x86_64 0:1.0.17-2.el7 will be installed
---> Package perl-FCGI.x86_64 1:0.74-8.el7 will be installed
---> Package perl-IO-Zlib.noarch 1:1.10-293.el7 will be installed
---> Package perl-Package-Constants.noarch 1:0.02-293.el7 will be installed
---> Package python-IPy.noarch 0:0.75-6.el7 will be installed
---> Package python-javapackages.noarch 0:3.4.1-11.el7 will be installed
--> Processing Dependency: python-lxml for package: python-javapackages-3.4.1-11.el7.noarch
---> Package setools-libs.x86_64 0:3.3.8-4.el7 will be installed
---> Package tzdata-java.noarch 0:2018g-1.el7 will be installed
---> Package xorg-x11-fonts-Type1.noarch 0:7.5-9.el7 will be installed
--> Processing Dependency: ttmkfdir for package: xorg-x11-fonts-Type1-7.5-9.el7.noarch
--> Processing Dependency: ttmkfdir for package: xorg-x11-fonts-Type1-7.5-9.el7.noarch
--> Processing Dependency: mkfontdir for package: xorg-x11-fonts-Type1-7.5-9.el7.noarch
--> Processing Dependency: mkfontdir for package: xorg-x11-fonts-Type1-7.5-9.el7.noarch
--> Running transaction check
---> Package apr.x86_64 0:1.4.8-3.el7_4.1 will be installed
---> Package apr-util.x86_64 0:1.5.2-6.el7 will be installed
---> Package audit-libs.x86_64 0:2.4.1-5.el7 will be updated
--> Processing Dependency: audit-libs = 2.4.1-5.el7 for package: audit-2.4.1-5.el7.x86_64
---> Package audit-libs.x86_64 0:2.8.4-4.el7 will be an update
---> Package dejavu-sans-fonts.noarch 0:2.33-6.el7 will be installed
--> Processing Dependency: dejavu-fonts-common = 2.33-6.el7 for package: dejavu-sans-fonts-2.33-6.el7.noarch
---> Package fontpackages-filesystem.noarch 0:1.44-8.el7 will be installed
---> Package freetype.x86_64 0:2.4.11-9.el7 will be updated
---> Package freetype.x86_64 0:2.8-12.el7 will be an update
---> Package httpd-tools.x86_64 0:2.4.6-88.el7.centos will be installed
---> Package libICE.x86_64 0:1.0.9-9.el7 will be installed
---> Package libSM.x86_64 0:1.2.2-2.el7 will be installed
---> Package libX11-common.noarch 0:1.6.5-2.el7 will be installed
---> Package libxcb.x86_64 0:1.13-1.el7 will be installed
--> Processing Dependency: libXau.so.6()(64bit) for package: libxcb-1.13-1.el7.x86_64
---> Package mailcap.noarch 0:2.1.41-2.el7 will be installed
---> Package python-lxml.x86_64 0:3.2.1-4.el7 will be installed
---> Package ttmkfdir.x86_64 0:3.0.9-42.el7 will be installed
---> Package xorg-x11-font-utils.x86_64 1:7.5-21.el7 will be installed
--> Processing Dependency: libfontenc.so.1()(64bit) for package: 1:xorg-x11-font-utils-7.5-21.el7.x86_64
--> Running transaction check
---> Package audit.x86_64 0:2.4.1-5.el7 will be updated
---> Package audit.x86_64 0:2.8.4-4.el7 will be an update
---> Package dejavu-fonts-common.noarch 0:2.33-6.el7 will be installed
---> Package libXau.x86_64 0:1.0.8-2.1.el7 will be installed
---> Package libfontenc.x86_64 0:1.1.3-3.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

=========================================================================================================================================================================================
 Package                                                Arch                              Version                                               Repository                          Size
=========================================================================================================================================================================================
Installing:
 389-admin                                              x86_64                            1.1.46-1.el7                                          epel                               391 k
 389-admin-console                                      noarch                            1.1.12-1.el7                                          epel                               204 k
 389-adminutil                                          x86_64                            1.1.21-2.el7                                          epel                                73 k
 389-console                                            noarch                            1.1.18-1.el7                                          epel                                75 k
 389-ds-base                                            x86_64                            1.3.8.4-18.el7_6                                      updates                            1.7 M
 389-ds-console                                         noarch                            1.2.16-1.el7                                          epel                               1.4 M
 idm-console-framework                                  noarch                            1.1.17-4.el7                                          epel                               1.1 M
 openldap-clients                                       x86_64                            2.4.44-20.el7                                         base                               190 k
Installing for dependencies:
 389-ds-base-libs                                       x86_64                            1.3.8.4-18.el7_6                                      updates                            699 k
 apache-commons-codec                                   noarch                            1.8-7.el7                                             base                               223 k
 apache-commons-lang                                    noarch                            2.6-15.el7                                            base                               276 k
 apr                                                    x86_64                            1.4.8-3.el7_4.1                                       base                               103 k
 apr-util                                               x86_64                            1.5.2-6.el7                                           base                                92 k
 audit-libs-python                                      x86_64                            2.8.4-4.el7                                           base                                76 k
 checkpolicy                                            x86_64                            2.5-8.el7                                             base                               295 k
 copy-jdk-configs                                       noarch                            3.3-10.el7_5                                          base                                21 k
 cyrus-sasl-md5                                         x86_64                            2.1.26-23.el7                                         base                                57 k
 cyrus-sasl-plain                                       x86_64                            2.1.26-23.el7                                         base                                39 k
 dejavu-fonts-common                                    noarch                            2.33-6.el7                                            base                                64 k
 dejavu-sans-fonts                                      noarch                            2.33-6.el7                                            base                               1.4 M
 fontconfig                                             x86_64                            2.13.0-4.3.el7                                        base                               254 k
 fontpackages-filesystem                                noarch                            1.44-8.el7                                            base                               9.9 k
 giflib                                                 x86_64                            4.1.6-9.el7                                           base                                40 k
 gperftools-libs                                        x86_64                            2.6.1-1.el7                                           base                               272 k
 httpd                                                  x86_64                            2.4.6-88.el7.centos                                   base                               2.7 M
 httpd-tools                                            x86_64                            2.4.6-88.el7.centos                                   base                                90 k
 java-1.8.0-openjdk                                     x86_64                            1:1.8.0.191.b12-1.el7_6                               updates                            254 k
 java-1.8.0-openjdk-headless                            x86_64                            1:1.8.0.191.b12-1.el7_6                               updates                             32 M
 javapackages-tools                                     noarch                            3.4.1-11.el7                                          base                                73 k
 jss                                                    x86_64                            4.4.4-3.el7                                           base                               1.1 M
 ldapjdk                                                noarch                            4.19-5.el7                                            base                               317 k
 libICE                                                 x86_64                            1.0.9-9.el7                                           base                                66 k
 libSM                                                  x86_64                            1.2.2-2.el7                                           base                                39 k
 libX11                                                 x86_64                            1.6.5-2.el7                                           base                               606 k
 libX11-common                                          noarch                            1.6.5-2.el7                                           base                               164 k
 libXau                                                 x86_64                            1.0.8-2.1.el7                                         base                                29 k
 libXcomposite                                          x86_64                            0.4.4-4.1.el7                                         base                                22 k
 libXext                                                x86_64                            1.3.3-3.el7                                           base                                39 k
 libXi                                                  x86_64                            1.7.9-1.el7                                           base                                40 k
 libXrender                                             x86_64                            0.9.10-1.el7                                          base                                26 k
 libXtst                                                x86_64                            1.2.3-1.el7                                           base                                20 k
 libcgroup                                              x86_64                            0.41-20.el7                                           base                                66 k
 libevent                                               x86_64                            2.0.21-4.el7                                          base                               214 k
 libfontenc                                             x86_64                            1.1.3-3.el7                                           base                                31 k
 libicu                                                 x86_64                            50.1.2-17.el7                                         base                               6.9 M
 libjpeg-turbo                                          x86_64                            1.2.90-6.el7                                          base                               134 k
 libpng                                                 x86_64                            2:1.5.13-7.el7_2                                      base                               213 k
 libsemanage-python                                     x86_64                            2.5-14.el7                                            base                               113 k
 libxcb                                                 x86_64                            1.13-1.el7                                            base                               214 k
 libxslt                                                x86_64                            1.1.28-5.el7                                          base                               242 k
 lksctp-tools                                           x86_64                            1.0.17-2.el7                                          base                                88 k
 mailcap                                                noarch                            2.1.41-2.el7                                          base                                31 k
 mod_nss                                                x86_64                            1.0.14-12.el7                                         base                               113 k
 perl-Archive-Tar                                       noarch                            1.92-2.el7                                            base                                73 k
 perl-CGI                                               noarch                            3.63-4.el7                                            base                               250 k
 perl-DB_File                                           x86_64                            1.830-6.el7                                           base                                74 k
 perl-FCGI                                              x86_64                            1:0.74-8.el7                                          base                                42 k
 perl-IO-Zlib                                           noarch                            1:1.10-293.el7                                        base                                51 k
 perl-Mozilla-LDAP                                      x86_64                            1.5.3-12.el7                                          base                               147 k
 perl-NetAddr-IP                                        x86_64                            4.069-3.el7                                           base                               125 k
 perl-Package-Constants                                 noarch                            1:0.02-293.el7                                        base                                45 k
 policycoreutils-python                                 x86_64                            2.5-29.el7                                            base                               456 k
 python-IPy                                             noarch                            0.75-6.el7                                            base                                32 k
 python-javapackages                                    noarch                            3.4.1-11.el7                                          base                                31 k
 python-ldap                                            x86_64                            2.4.15-2.el7                                          base                               159 k
 python-lxml                                            x86_64                            3.2.1-4.el7                                           base                               758 k
 setools-libs                                           x86_64                            3.3.8-4.el7                                           base                               620 k
 svrcore                                                x86_64                            4.1.3-2.el7                                           base                                19 k
 ttmkfdir                                               x86_64                            3.0.9-42.el7                                          base                                48 k
 tzdata-java                                            noarch                            2018g-1.el7                                           updates                            185 k
 xorg-x11-font-utils                                    x86_64                            1:7.5-21.el7                                          base                               104 k
 xorg-x11-fonts-Type1                                   noarch                            7.5-9.el7                                             base                               521 k
Updating for dependencies:
 audit                                                  x86_64                            2.8.4-4.el7                                           base                               250 k
 audit-libs                                             x86_64                            2.8.4-4.el7                                           base                               100 k
 chkconfig                                              x86_64                            1.7.4-1.el7                                           base                               181 k
 freetype                                               x86_64                            2.8-12.el7                                            base                               380 k
 openldap                                               x86_64                            2.4.44-20.el7                                         base                               355 k

Transaction Summary
=========================================================================================================================================================================================
Install  8 Packages (+64 Dependent packages)
Upgrade             (  5 Dependent packages)

Total download size: 59 M
Is this ok [y/d/N]: y
Downloading packages:
Delta RPMs disabled because /usr/bin/applydeltarpm not installed.
warning: /var/cache/yum/x86_64/7/epel/packages/389-admin-1.1.46-1.el7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 352c64e5: NOKEY               ]  0.0 B/s |    0 B  --:--:-- ETA 
Public key for 389-admin-1.1.46-1.el7.x86_64.rpm is not installed
(1/77): 389-admin-1.1.46-1.el7.x86_64.rpm                                                                                                                         | 391 kB  00:00:00     
(2/77): 389-admin-console-1.1.12-1.el7.noarch.rpm                                                                                                                 | 204 kB  00:00:00     
(3/77): 389-adminutil-1.1.21-2.el7.x86_64.rpm                                                                                                                     |  73 kB  00:00:00     
(4/77): 389-console-1.1.18-1.el7.noarch.rpm                                                                                                                       |  75 kB  00:00:00     
(5/77): 389-ds-console-1.2.16-1.el7.noarch.rpm                                                                                                                    | 1.4 MB  00:00:00     
(6/77): 389-ds-base-libs-1.3.8.4-18.el7_6.x86_64.rpm                                                                                                              | 699 kB  00:00:00     
(7/77): 389-ds-base-1.3.8.4-18.el7_6.x86_64.rpm                                                                                                                   | 1.7 MB  00:00:00     
(8/77): apache-commons-lang-2.6-15.el7.noarch.rpm                                                                                                                 | 276 kB  00:00:00     
(9/77): apache-commons-codec-1.8-7.el7.noarch.rpm                                                                                                                 | 223 kB  00:00:00     
(10/77): apr-util-1.5.2-6.el7.x86_64.rpm                                                                                                                          |  92 kB  00:00:00     
(11/77): audit-2.8.4-4.el7.x86_64.rpm                                                                                                                             | 250 kB  00:00:00     
(12/77): audit-libs-python-2.8.4-4.el7.x86_64.rpm                                                                                                                 |  76 kB  00:00:00     
(13/77): checkpolicy-2.5-8.el7.x86_64.rpm                                                                                                                         | 295 kB  00:00:00     
(14/77): chkconfig-1.7.4-1.el7.x86_64.rpm                                                                                                                         | 181 kB  00:00:00     
(15/77): copy-jdk-configs-3.3-10.el7_5.noarch.rpm                                                                                                                 |  21 kB  00:00:00     
(16/77): cyrus-sasl-md5-2.1.26-23.el7.x86_64.rpm                                                                                                                  |  57 kB  00:00:00     
(17/77): dejavu-fonts-common-2.33-6.el7.noarch.rpm                                                                                                                |  64 kB  00:00:00     
(18/77): cyrus-sasl-plain-2.1.26-23.el7.x86_64.rpm                                                                                                                |  39 kB  00:00:00     
(19/77): fontconfig-2.13.0-4.3.el7.x86_64.rpm                                                                                                                     | 254 kB  00:00:00     
(20/77): apr-1.4.8-3.el7_4.1.x86_64.rpm                                                                                                                           | 103 kB  00:00:00     
(21/77): fontpackages-filesystem-1.44-8.el7.noarch.rpm                                                                                                            | 9.9 kB  00:00:00     
(22/77): dejavu-sans-fonts-2.33-6.el7.noarch.rpm                                                                                                                  | 1.4 MB  00:00:00     
(23/77): freetype-2.8-12.el7.x86_64.rpm                                                                                                                           | 380 kB  00:00:00     
(24/77): gperftools-libs-2.6.1-1.el7.x86_64.rpm                                                                                                                   | 272 kB  00:00:00     
(25/77): audit-libs-2.8.4-4.el7.x86_64.rpm                                                                                                                        | 100 kB  00:00:00     
(26/77): httpd-tools-2.4.6-88.el7.centos.x86_64.rpm                                                                                                               |  90 kB  00:00:00     
(27/77): giflib-4.1.6-9.el7.x86_64.rpm                                                                                                                            |  40 kB  00:00:00     
(28/77): java-1.8.0-openjdk-1.8.0.191.b12-1.el7_6.x86_64.rpm                                                                                                      | 254 kB  00:00:00     
(29/77): httpd-2.4.6-88.el7.centos.x86_64.rpm                                                                                                                     | 2.7 MB  00:00:00     
(30/77): javapackages-tools-3.4.1-11.el7.noarch.rpm                                                                                                               |  73 kB  00:00:00     
(31/77): ldapjdk-4.19-5.el7.noarch.rpm                                                                                                                            | 317 kB  00:00:00     
(32/77): libICE-1.0.9-9.el7.x86_64.rpm                                                                                                                            |  66 kB  00:00:00     
(33/77): libSM-1.2.2-2.el7.x86_64.rpm                                                                                                                             |  39 kB  00:00:00     
(34/77): libX11-1.6.5-2.el7.x86_64.rpm                                                                                                                            | 606 kB  00:00:00     
(35/77): libXau-1.0.8-2.1.el7.x86_64.rpm                                                                                                                          |  29 kB  00:00:00     
(36/77): libX11-common-1.6.5-2.el7.noarch.rpm                                                                                                                     | 164 kB  00:00:00     
(37/77): libXcomposite-0.4.4-4.1.el7.x86_64.rpm                                                                                                                   |  22 kB  00:00:00     
(38/77): libXext-1.3.3-3.el7.x86_64.rpm                                                                                                                           |  39 kB  00:00:00     
(39/77): libXi-1.7.9-1.el7.x86_64.rpm                                                                                                                             |  40 kB  00:00:00     
(40/77): libXrender-0.9.10-1.el7.x86_64.rpm                                                                                                                       |  26 kB  00:00:00     
(41/77): libXtst-1.2.3-1.el7.x86_64.rpm                                                                                                                           |  20 kB  00:00:00     
(42/77): libcgroup-0.41-20.el7.x86_64.rpm                                                                                                                         |  66 kB  00:00:00     
(43/77): libevent-2.0.21-4.el7.x86_64.rpm                                                                                                                         | 214 kB  00:00:00     
(44/77): jss-4.4.4-3.el7.x86_64.rpm                                                                                                                               | 1.1 MB  00:00:00     
(45/77): libicu-50.1.2-17.el7.x86_64.rpm                                                                                                                          | 6.9 MB  00:00:00     
(46/77): libpng-1.5.13-7.el7_2.x86_64.rpm                                                                                                                         | 213 kB  00:00:00     
(47/77): libsemanage-python-2.5-14.el7.x86_64.rpm                                                                                                                 | 113 kB  00:00:00     
(48/77): libxcb-1.13-1.el7.x86_64.rpm                                                                                                                             | 214 kB  00:00:00     
(49/77): libxslt-1.1.28-5.el7.x86_64.rpm                                                                                                                          | 242 kB  00:00:00     
(50/77): libfontenc-1.1.3-3.el7.x86_64.rpm                                                                                                                        |  31 kB  00:00:00     
(51/77): libjpeg-turbo-1.2.90-6.el7.x86_64.rpm                                                                                                                    | 134 kB  00:00:00     
(52/77): lksctp-tools-1.0.17-2.el7.x86_64.rpm                                                                                                                     |  88 kB  00:00:00     
(53/77): mailcap-2.1.41-2.el7.noarch.rpm                                                                                                                          |  31 kB  00:00:00     
(54/77): openldap-2.4.44-20.el7.x86_64.rpm                                                                                                                        | 355 kB  00:00:00     
(55/77): mod_nss-1.0.14-12.el7.x86_64.rpm                                                                                                                         | 113 kB  00:00:00     
(56/77): perl-Archive-Tar-1.92-2.el7.noarch.rpm                                                                                                                   |  73 kB  00:00:00     
(57/77): openldap-clients-2.4.44-20.el7.x86_64.rpm                                                                                                                | 190 kB  00:00:00     
(58/77): perl-DB_File-1.830-6.el7.x86_64.rpm                                                                                                                      |  74 kB  00:00:00     
(59/77): perl-FCGI-0.74-8.el7.x86_64.rpm                                                                                                                          |  42 kB  00:00:00     
(60/77): perl-CGI-3.63-4.el7.noarch.rpm                                                                                                                           | 250 kB  00:00:00     
(61/77): idm-console-framework-1.1.17-4.el7.noarch.rpm                                                                                                            | 1.1 MB  00:00:00     
(62/77): perl-IO-Zlib-1.10-293.el7.noarch.rpm                                                                                                                     |  51 kB  00:00:00     
(63/77): perl-Mozilla-LDAP-1.5.3-12.el7.x86_64.rpm                                                                                                                | 147 kB  00:00:00     
(64/77): perl-Package-Constants-0.02-293.el7.noarch.rpm                                                                                                           |  45 kB  00:00:00     
(65/77): java-1.8.0-openjdk-headless-1.8.0.191.b12-1.el7_6.x86_64.rpm                                                                                             |  32 MB  00:00:00     
(66/77): policycoreutils-python-2.5-29.el7.x86_64.rpm                                                                                                             | 456 kB  00:00:00     
(67/77): python-IPy-0.75-6.el7.noarch.rpm                                                                                                                         |  32 kB  00:00:00     
(68/77): perl-NetAddr-IP-4.069-3.el7.x86_64.rpm                                                                                                                   | 125 kB  00:00:00     
(69/77): python-javapackages-3.4.1-11.el7.noarch.rpm                                                                                                              |  31 kB  00:00:00     
(70/77): setools-libs-3.3.8-4.el7.x86_64.rpm                                                                                                                      | 620 kB  00:00:00     
(71/77): python-lxml-3.2.1-4.el7.x86_64.rpm                                                                                                                       | 758 kB  00:00:00     
(72/77): svrcore-4.1.3-2.el7.x86_64.rpm                                                                                                                           |  19 kB  00:00:00     
(73/77): ttmkfdir-3.0.9-42.el7.x86_64.rpm                                                                                                                         |  48 kB  00:00:00     
(74/77): tzdata-java-2018g-1.el7.noarch.rpm                                                                                                                       | 185 kB  00:00:00     
(75/77): xorg-x11-fonts-Type1-7.5-9.el7.noarch.rpm                                                                                                                | 521 kB  00:00:00     
(76/77): xorg-x11-font-utils-7.5-21.el7.x86_64.rpm                                                                                                                | 104 kB  00:00:00     
(77/77): python-ldap-2.4.15-2.el7.x86_64.rpm                                                                                                                      | 159 kB  00:00:00     
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                                                     18 MB/s |  59 MB  00:00:03     
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
Importing GPG key 0x352C64E5:
 Userid     : "Fedora EPEL (7) <epel@fedoraproject.org>"
 Fingerprint: 91e9 7d7c 4a5e 96f1 7f3e 888f 6a2f aea2 352c 64e5
 Package    : epel-release-7-11.noarch (@extras)
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
Is this ok [y/N]: y
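Before answering y at that prompt, compare the fingerprint yum prints with the one Fedora publishes for the EPEL 7 signing key. The short ID 0x352C64E5 in the "Importing GPG key" line is only the low 32 bits of the full fingerprint, and short IDs can be collided, so the comparison has to be against all 160 bits. The Python below is an added example, not part of the original page and not yum's own code: it parses the prompt text shown above (embedded here as a constructed sample), checks that the short ID is consistent with the fingerprint, and accepts the key only if the full fingerprint is in a trusted list. The list itself is an assumption about what a site would maintain from the distribution's published keys; the one entry in it is the EPEL 7 fingerprint as printed above.

```python
import re

# Constructed sample: the key-import prompt exactly as yum printed it on this page.
YUM_PROMPT = """\
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
Importing GPG key 0x352C64E5:
 Userid     : "Fedora EPEL (7) <epel@fedoraproject.org>"
 Fingerprint: 91e9 7d7c 4a5e 96f1 7f3e 888f 6a2f aea2 352c 64e5
 Package    : epel-release-7-11.noarch (@extras)
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
Is this ok [y/N]: """

# Assumed site-maintained allowlist: full fingerprints only, never short key IDs.
TRUSTED_FINGERPRINTS = {
    "91E97D7C4A5E96F17F3E888F6A2FAEA2352C64E5": "Fedora EPEL (7)",
}


def parse_key_prompt(text):
    """Pull key ID, full fingerprint and user ID out of a yum key-import prompt."""
    key_id = re.search(r"Importing GPG key 0x([0-9A-Fa-f]{8}):", text)
    fpr = re.search(r"Fingerprint:\s*([0-9A-Fa-f ]+)", text)
    userid = re.search(r'Userid\s*:\s*"([^"]*)"', text)
    if not (key_id and fpr and userid):
        raise ValueError("not a yum GPG key-import prompt")
    return {
        "key_id": key_id.group(1).upper(),
        "fingerprint": fpr.group(1).replace(" ", "").upper(),
        "userid": userid.group(1),
    }


def decide(text, trusted=TRUSTED_FINGERPRINTS):
    """Return ("accept", name) or ("reject", reason) for the prompt text."""
    info = parse_key_prompt(text)
    # A v4 OpenPGP fingerprint is 160 bits = 40 hex digits.
    if len(info["fingerprint"]) != 40:
        return ("reject", "fingerprint is not 160 bits")
    # The short key ID yum prints is just the last 8 hex digits of the fingerprint;
    # if they disagree the prompt is inconsistent and should not be trusted.
    if not info["fingerprint"].endswith(info["key_id"]):
        return ("reject", "short key ID does not match fingerprint")
    # The user ID is free text chosen by whoever made the key: it is never
    # evidence on its own. Only the full fingerprint decides.
    if info["fingerprint"] not in trusted:
        return ("reject", "fingerprint not in trusted list")
    return ("accept", trusted[info["fingerprint"]])


if __name__ == "__main__":
    print(decide(YUM_PROMPT))
```

The same logic applies after the fact: `rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'` lists the keys already imported into the rpm database, and any entry whose full fingerprint you cannot trace to a publisher's key page should be removed with `rpm -e`.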
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Updating   : openldap-2.4.44-20.el7.x86_64                                                                                                                                        1/82 
  Installing : apr-1.4.8-3.el7_4.1.x86_64                                                                                                                                           2/82 
  Installing : libicu-50.1.2-17.el7.x86_64                                                                                                                                          3/82 
  Installing : apr-util-1.5.2-6.el7.x86_64                                                                                                                                          4/82 
  Installing : perl-Mozilla-LDAP-1.5.3-12.el7.x86_64                                                                                                                                5/82 
  Updating   : chkconfig-1.7.4-1.el7.x86_64                                                                                                                                         6/82 
  Installing : gperftools-libs-2.6.1-1.el7.x86_64                                                                                                                                   7/82 
  Updating   : audit-libs-2.8.4-4.el7.x86_64                                                                                                                                        8/82 
  Installing : libxslt-1.1.28-5.el7.x86_64                                                                                                                                          9/82 
  Installing : libevent-2.0.21-4.el7.x86_64                                                                                                                                        10/82 
  Installing : libsemanage-python-2.5-14.el7.x86_64                                                                                                                                11/82 
  Installing : libICE-1.0.9-9.el7.x86_64                                                                                                                                           12/82 
  Installing : svrcore-4.1.3-2.el7.x86_64                                                                                                                                          13/82 
  Installing : libjpeg-turbo-1.2.90-6.el7.x86_64                                                                                                                                   14/82 
  Installing : fontpackages-filesystem-1.44-8.el7.noarch                                                                                                                           15/82 
  Installing : 2:libpng-1.5.13-7.el7_2.x86_64                                                                                                                                      16/82 
  Updating   : freetype-2.8-12.el7.x86_64                                                                                                                                          17/82 
  Installing : ttmkfdir-3.0.9-42.el7.x86_64                                                                                                                                        18/82 
  Installing : dejavu-fonts-common-2.33-6.el7.noarch                                                                                                                               19/82 
  Installing : dejavu-sans-fonts-2.33-6.el7.noarch                                                                                                                                 20/82 
  Installing : fontconfig-2.13.0-4.3.el7.x86_64                                                                                                                                    21/82 
  Installing : 389-ds-base-libs-1.3.8.4-18.el7_6.x86_64                                                                                                                            22/82 
  Installing : libSM-1.2.2-2.el7.x86_64                                                                                                                                            23/82 
  Installing : python-lxml-3.2.1-4.el7.x86_64                                                                                                                                      24/82 
  Installing : python-javapackages-3.4.1-11.el7.noarch                                                                                                                             25/82 
  Installing : javapackages-tools-3.4.1-11.el7.noarch                                                                                                                              26/82 
  Installing : audit-libs-python-2.8.4-4.el7.x86_64                                                                                                                                27/82 
  Installing : httpd-tools-2.4.6-88.el7.centos.x86_64                                                                                                                              28/82 
  Installing : 389-adminutil-1.1.21-2.el7.x86_64                                                                                                                                   29/82 
  Installing : python-ldap-2.4.15-2.el7.x86_64                                                                                                                                     30/82 
  Installing : openldap-clients-2.4.44-20.el7.x86_64                                                                                                                               31/82 
  Installing : libfontenc-1.1.3-3.el7.x86_64                                                                                                                                       32/82 
  Installing : 1:xorg-x11-font-utils-7.5-21.el7.x86_64                                                                                                                             33/82 
  Installing : xorg-x11-fonts-Type1-7.5-9.el7.noarch                                                                                                                               34/82 
  Installing : libcgroup-0.41-20.el7.x86_64                                                                                                                                        35/82 
  Installing : tzdata-java-2018g-1.el7.noarch                                                                                                                                      36/82 
  Installing : libX11-common-1.6.5-2.el7.noarch                                                                                                                                    37/82 
  Installing : lksctp-tools-1.0.17-2.el7.x86_64                                                                                                                                    38/82 
  Installing : python-IPy-0.75-6.el7.noarch                                                                                                                                        39/82 
  Installing : perl-DB_File-1.830-6.el7.x86_64                                                                                                                                     40/82 
  Installing : 1:perl-IO-Zlib-1.10-293.el7.noarch                                                                                                                                  41/82 
  Installing : setools-libs-3.3.8-4.el7.x86_64                                                                                                                                     42/82 
  Installing : mailcap-2.1.41-2.el7.noarch                                                                                                                                         43/82 
  Installing : httpd-2.4.6-88.el7.centos.x86_64                                                                                                                                    44/82 
  Installing : mod_nss-1.0.14-12.el7.x86_64                                                                                                                                        45/82 

mod_nss certificate database generated.

  Installing : 1:perl-Package-Constants-0.02-293.el7.noarch                                                                                                                        46/82 
  Installing : perl-Archive-Tar-1.92-2.el7.noarch                                                                                                                                  47/82 
  Installing : cyrus-sasl-plain-2.1.26-23.el7.x86_64                                                                                                                               48/82 
  Installing : copy-jdk-configs-3.3-10.el7_5.noarch                                                                                                                                49/82 
  Installing : 1:java-1.8.0-openjdk-headless-1.8.0.191.b12-1.el7_6.x86_64                                                                                                          50/82 
  Installing : checkpolicy-2.5-8.el7.x86_64                                                                                                                                        51/82 
  Installing : policycoreutils-python-2.5-29.el7.x86_64                                                                                                                            52/82 
  Installing : perl-NetAddr-IP-4.069-3.el7.x86_64                                                                                                                                  53/82 
  Installing : libXau-1.0.8-2.1.el7.x86_64                                                                                                                                         54/82 
  Installing : libxcb-1.13-1.el7.x86_64                                                                                                                                            55/82 
  Installing : libX11-1.6.5-2.el7.x86_64                                                                                                                                           56/82 
  Installing : libXext-1.3.3-3.el7.x86_64                                                                                                                                          57/82 
  Installing : libXi-1.7.9-1.el7.x86_64                                                                                                                                            58/82 
  Installing : libXtst-1.2.3-1.el7.x86_64                                                                                                                                          59/82 
  Installing : giflib-4.1.6-9.el7.x86_64                                                                                                                                           60/82 
  Installing : libXrender-0.9.10-1.el7.x86_64                                                                                                                                      61/82 
  Installing : libXcomposite-0.4.4-4.1.el7.x86_64                                                                                                                                  62/82 
  Installing : 1:java-1.8.0-openjdk-1.8.0.191.b12-1.el7_6.x86_64                                                                                                                   63/82 
  Installing : apache-commons-codec-1.8-7.el7.noarch                                                                                                                               64/82 
  Installing : apache-commons-lang-2.6-15.el7.noarch                                                                                                                               65/82 
  Installing : ldapjdk-4.19-5.el7.noarch                                                                                                                                           66/82 
  Installing : jss-4.4.4-3.el7.x86_64                                                                                                                                              67/82 
  Installing : idm-console-framework-1.1.17-4.el7.noarch                                                                                                                           68/82 
  Installing : 1:perl-FCGI-0.74-8.el7.x86_64                                                                                                                                       69/82 
  Installing : perl-CGI-3.63-4.el7.noarch                                                                                                                                          70/82 
  Installing : cyrus-sasl-md5-2.1.26-23.el7.x86_64                                                                                                                                 71/82 
  Installing : 389-ds-base-1.3.8.4-18.el7_6.x86_64                                                                                                                                 72/82 
  Installing : 389-admin-1.1.46-1.el7.x86_64                                                                                                                                       73/82 
  Installing : 389-ds-console-1.2.16-1.el7.noarch                                                                                                                                  74/82 
  Installing : 389-admin-console-1.1.12-1.el7.noarch                                                                                                                               75/82 
  Installing : 389-console-1.1.18-1.el7.noarch                                                                                                                                     76/82 
  Updating   : audit-2.8.4-4.el7.x86_64                                                                                                                                            77/82 
  Cleanup    : audit-2.4.1-5.el7.x86_64                                                                                                                                            78/82 
  Cleanup    : audit-libs-2.4.1-5.el7.x86_64                                                                                                                                       79/82 
  Cleanup    : chkconfig-1.3.61-4.el7.x86_64                                                                                                                                       80/82 
  Cleanup    : freetype-2.4.11-9.el7.x86_64                                                                                                                                        81/82 
  Cleanup    : openldap-2.4.39-6.el7.x86_64                                                                                                                                        82/82 
  Verifying  : libXext-1.3.3-3.el7.x86_64                                                                                                                                           1/82 
  Verifying  : cyrus-sasl-md5-2.1.26-23.el7.x86_64                                                                                                                                  2/82 
  Verifying  : dejavu-sans-fonts-2.33-6.el7.noarch                                                                                                                                  3/82 
  Verifying  : fontconfig-2.13.0-4.3.el7.x86_64                                                                                                                                     4/82 
  Verifying  : 1:perl-FCGI-0.74-8.el7.x86_64                                                                                                                                        5/82 
  Verifying  : giflib-4.1.6-9.el7.x86_64                                                                                                                                            6/82 
  Verifying  : libXau-1.0.8-2.1.el7.x86_64                                                                                                                                          7/82 
  Verifying  : libXrender-0.9.10-1.el7.x86_64                                                                                                                                       8/82 
  Verifying  : python-ldap-2.4.15-2.el7.x86_64                                                                                                                                      9/82 
  Verifying  : libXi-1.7.9-1.el7.x86_64                                                                                                                                            10/82 
  Verifying  : python-lxml-3.2.1-4.el7.x86_64                                                                                                                                      11/82 
  Verifying  : 2:libpng-1.5.13-7.el7_2.x86_64                                                                                                                                      12/82 
  Verifying  : 389-ds-console-1.2.16-1.el7.noarch                                                                                                                                  13/82 
  Verifying  : apache-commons-codec-1.8-7.el7.noarch                                                                                                                               14/82 
  Verifying  : 389-ds-base-libs-1.3.8.4-18.el7_6.x86_64                                                                                                                            15/82 
  Verifying  : perl-NetAddr-IP-4.069-3.el7.x86_64                                                                                                                                  16/82 
  Verifying  : dejavu-fonts-common-2.33-6.el7.noarch                                                                                                                               17/82 
  Verifying  : fontpackages-filesystem-1.44-8.el7.noarch                                                                                                                           18/82 
  Verifying  : ttmkfdir-3.0.9-42.el7.x86_64                                                                                                                                        19/82 
  Verifying  : openldap-2.4.44-20.el7.x86_64                                                                                                                                       20/82 
  Verifying  : libjpeg-turbo-1.2.90-6.el7.x86_64                                                                                                                                   21/82 
  Verifying  : checkpolicy-2.5-8.el7.x86_64                                                                                                                                        22/82 
  Verifying  : 389-admin-1.1.46-1.el7.x86_64                                                                                                                                       23/82 
  Verifying  : apache-commons-lang-2.6-15.el7.noarch                                                                                                                               24/82 
  Verifying  : 389-ds-base-1.3.8.4-18.el7_6.x86_64                                                                                                                                 25/82 
  Verifying  : openldap-clients-2.4.44-20.el7.x86_64                                                                                                                               26/82 
  Verifying  : copy-jdk-configs-3.3-10.el7_5.noarch                                                                                                                                27/82 
  Verifying  : python-javapackages-3.4.1-11.el7.noarch                                                                                                                             28/82 
  Verifying  : svrcore-4.1.3-2.el7.x86_64                                                                                                                                          29/82 
  Verifying  : 389-admin-console-1.1.12-1.el7.noarch                                                                                                                               30/82 
  Verifying  : freetype-2.8-12.el7.x86_64                                                                                                                                          31/82 
  Verifying  : libICE-1.0.9-9.el7.x86_64                                                                                                                                           32/82 
  Verifying  : jss-4.4.4-3.el7.x86_64                                                                                                                                              33/82 
  Verifying  : httpd-tools-2.4.6-88.el7.centos.x86_64                                                                                                                              34/82 
  Verifying  : libXtst-1.2.3-1.el7.x86_64                                                                                                                                          35/82 
  Verifying  : cyrus-sasl-plain-2.1.26-23.el7.x86_64                                                                                                                               36/82 
  Verifying  : libxcb-1.13-1.el7.x86_64                                                                                                                                            37/82 
  Verifying  : 1:perl-Package-Constants-0.02-293.el7.noarch                                                                                                                        38/82 
  Verifying  : 389-console-1.1.18-1.el7.noarch                                                                                                                                     39/82 
  Verifying  : perl-Mozilla-LDAP-1.5.3-12.el7.x86_64                                                                                                                               40/82 
  Verifying  : mailcap-2.1.41-2.el7.noarch                                                                                                                                         41/82 
  Verifying  : setools-libs-3.3.8-4.el7.x86_64                                                                                                                                     42/82 
  Verifying  : idm-console-framework-1.1.17-4.el7.noarch                                                                                                                           43/82 
  Verifying  : mod_nss-1.0.14-12.el7.x86_64                                                                                                                                        44/82 
  Verifying  : xorg-x11-fonts-Type1-7.5-9.el7.noarch                                                                                                                               45/82 
  Verifying  : libicu-50.1.2-17.el7.x86_64                                                                                                                                         46/82 
  Verifying  : libsemanage-python-2.5-14.el7.x86_64                                                                                                                                47/82 
  Verifying  : libevent-2.0.21-4.el7.x86_64                                                                                                                                        48/82 
  Verifying  : apr-util-1.5.2-6.el7.x86_64                                                                                                                                         49/82 
  Verifying  : libX11-1.6.5-2.el7.x86_64                                                                                                                                           50/82 
  Verifying  : 1:java-1.8.0-openjdk-1.8.0.191.b12-1.el7_6.x86_64                                                                                                                   51/82 
  Verifying  : 389-adminutil-1.1.21-2.el7.x86_64                                                                                                                                   52/82 
  Verifying  : 1:perl-IO-Zlib-1.10-293.el7.noarch                                                                                                                                  53/82 
  Verifying  : libXcomposite-0.4.4-4.1.el7.x86_64                                                                                                                                  54/82 
  Verifying  : httpd-2.4.6-88.el7.centos.x86_64                                                                                                                                    55/82 
  Verifying  : javapackages-tools-3.4.1-11.el7.noarch                                                                                                                              56/82 
  Verifying  : libxslt-1.1.28-5.el7.x86_64                                                                                                                                         57/82 
  Verifying  : apr-1.4.8-3.el7_4.1.x86_64                                                                                                                                          58/82 
  Verifying  : 1:java-1.8.0-openjdk-headless-1.8.0.191.b12-1.el7_6.x86_64                                                                                                          59/82 
  Verifying  : audit-libs-python-2.8.4-4.el7.x86_64                                                                                                                                60/82 
  Verifying  : perl-DB_File-1.830-6.el7.x86_64                                                                                                                                     61/82 
  Verifying  : perl-CGI-3.63-4.el7.noarch                                                                                                                                          62/82 
  Verifying  : python-IPy-0.75-6.el7.noarch                                                                                                                                        63/82 
  Verifying  : lksctp-tools-1.0.17-2.el7.x86_64                                                                                                                                    64/82 
  Verifying  : libSM-1.2.2-2.el7.x86_64                                                                                                                                            65/82 
  Verifying  : audit-libs-2.8.4-4.el7.x86_64                                                                                                                                       66/82 
  Verifying  : policycoreutils-python-2.5-29.el7.x86_64                                                                                                                            67/82 
  Verifying  : gperftools-libs-2.6.1-1.el7.x86_64                                                                                                                                  68/82 
  Verifying  : libX11-common-1.6.5-2.el7.noarch                                                                                                                                    69/82 
  Verifying  : 1:xorg-x11-font-utils-7.5-21.el7.x86_64                                                                                                                             70/82 
  Verifying  : tzdata-java-2018g-1.el7.noarch                                                                                                                                      71/82 
  Verifying  : perl-Archive-Tar-1.92-2.el7.noarch                                                                                                                                  72/82 
  Verifying  : chkconfig-1.7.4-1.el7.x86_64                                                                                                                                        73/82 
  Verifying  : libcgroup-0.41-20.el7.x86_64                                                                                                                                        74/82 
  Verifying  : libfontenc-1.1.3-3.el7.x86_64                                                                                                                                       75/82 
  Verifying  : ldapjdk-4.19-5.el7.noarch                                                                                                                                           76/82 
  Verifying  : audit-2.8.4-4.el7.x86_64                                                                                                                                            77/82 
  Verifying  : openldap-2.4.39-6.el7.x86_64                                                                                                                                        78/82 
  Verifying  : freetype-2.4.11-9.el7.x86_64                                                                                                                                        79/82 
  Verifying  : audit-libs-2.4.1-5.el7.x86_64                                                                                                                                       80/82 
  Verifying  : chkconfig-1.3.61-4.el7.x86_64                                                                                                                                       81/82 
  Verifying  : audit-2.4.1-5.el7.x86_64                                                                                                                                            82/82 

Installed:
  389-admin.x86_64 0:1.1.46-1.el7            389-admin-console.noarch 0:1.1.12-1.el7      389-adminutil.x86_64 0:1.1.21-2.el7              389-console.noarch 0:1.1.18-1.el7           
  389-ds-base.x86_64 0:1.3.8.4-18.el7_6      389-ds-console.noarch 0:1.2.16-1.el7         idm-console-framework.noarch 0:1.1.17-4.el7      openldap-clients.x86_64 0:2.4.44-20.el7     

Dependency Installed:
  389-ds-base-libs.x86_64 0:1.3.8.4-18.el7_6                  apache-commons-codec.noarch 0:1.8-7.el7                              apache-commons-lang.noarch 0:2.6-15.el7             
  apr.x86_64 0:1.4.8-3.el7_4.1                                apr-util.x86_64 0:1.5.2-6.el7                                        audit-libs-python.x86_64 0:2.8.4-4.el7              
  checkpolicy.x86_64 0:2.5-8.el7                              copy-jdk-configs.noarch 0:3.3-10.el7_5                               cyrus-sasl-md5.x86_64 0:2.1.26-23.el7               
  cyrus-sasl-plain.x86_64 0:2.1.26-23.el7                     dejavu-fonts-common.noarch 0:2.33-6.el7                              dejavu-sans-fonts.noarch 0:2.33-6.el7               
  fontconfig.x86_64 0:2.13.0-4.3.el7                          fontpackages-filesystem.noarch 0:1.44-8.el7                          giflib.x86_64 0:4.1.6-9.el7                         
  gperftools-libs.x86_64 0:2.6.1-1.el7                        httpd.x86_64 0:2.4.6-88.el7.centos                                   httpd-tools.x86_64 0:2.4.6-88.el7.centos            
  java-1.8.0-openjdk.x86_64 1:1.8.0.191.b12-1.el7_6           java-1.8.0-openjdk-headless.x86_64 1:1.8.0.191.b12-1.el7_6           javapackages-tools.noarch 0:3.4.1-11.el7            
  jss.x86_64 0:4.4.4-3.el7                                    ldapjdk.noarch 0:4.19-5.el7                                          libICE.x86_64 0:1.0.9-9.el7                         
  libSM.x86_64 0:1.2.2-2.el7                                  libX11.x86_64 0:1.6.5-2.el7                                          libX11-common.noarch 0:1.6.5-2.el7                  
  libXau.x86_64 0:1.0.8-2.1.el7                               libXcomposite.x86_64 0:0.4.4-4.1.el7                                 libXext.x86_64 0:1.3.3-3.el7                        
  libXi.x86_64 0:1.7.9-1.el7                                  libXrender.x86_64 0:0.9.10-1.el7                                     libXtst.x86_64 0:1.2.3-1.el7                        
  libcgroup.x86_64 0:0.41-20.el7                              libevent.x86_64 0:2.0.21-4.el7                                       libfontenc.x86_64 0:1.1.3-3.el7                     
  libicu.x86_64 0:50.1.2-17.el7                               libjpeg-turbo.x86_64 0:1.2.90-6.el7                                  libpng.x86_64 2:1.5.13-7.el7_2                      
  libsemanage-python.x86_64 0:2.5-14.el7                      libxcb.x86_64 0:1.13-1.el7                                           libxslt.x86_64 0:1.1.28-5.el7                       
  lksctp-tools.x86_64 0:1.0.17-2.el7                          mailcap.noarch 0:2.1.41-2.el7                                        mod_nss.x86_64 0:1.0.14-12.el7                      
  perl-Archive-Tar.noarch 0:1.92-2.el7                        perl-CGI.noarch 0:3.63-4.el7                                         perl-DB_File.x86_64 0:1.830-6.el7                   
  perl-FCGI.x86_64 1:0.74-8.el7                               perl-IO-Zlib.noarch 1:1.10-293.el7                                   perl-Mozilla-LDAP.x86_64 0:1.5.3-12.el7             
  perl-NetAddr-IP.x86_64 0:4.069-3.el7                        perl-Package-Constants.noarch 1:0.02-293.el7                         policycoreutils-python.x86_64 0:2.5-29.el7          
  python-IPy.noarch 0:0.75-6.el7                              python-javapackages.noarch 0:3.4.1-11.el7                            python-ldap.x86_64 0:2.4.15-2.el7                   
  python-lxml.x86_64 0:3.2.1-4.el7                            setools-libs.x86_64 0:3.3.8-4.el7                                    svrcore.x86_64 0:4.1.3-2.el7                        
  ttmkfdir.x86_64 0:3.0.9-42.el7                              tzdata-java.noarch 0:2018g-1.el7                                     xorg-x11-font-utils.x86_64 1:7.5-21.el7             
  xorg-x11-fonts-Type1.noarch 0:7.5-9.el7                    

Dependency Updated:
  audit.x86_64 0:2.8.4-4.el7       audit-libs.x86_64 0:2.8.4-4.el7       chkconfig.x86_64 0:1.7.4-1.el7       freetype.x86_64 0:2.8-12.el7       openldap.x86_64 0:2.4.44-20.el7      

Complete!

Configure LDAP server

# ulimit -n 8192
# setup-ds-admin.pl

Example looks like this:

# setup-ds-admin.pl

==============================================================================
This program will set up the 389 Directory and Administration Servers.

It is recommended that you have "root" privilege to set up the software.
Tips for using this program:
  - Press "Enter" to choose the default and go to the next screen
  - Type "Control-B" then "Enter" to go back to the previous screen
  - Type "Control-C" to cancel the setup program

Would you like to continue with set up? [yes]: 

==============================================================================
Your system has been scanned for potential problems, missing patches,
etc.  The following output is a report of the items found that need to
be addressed before running this software in a production
environment.

389 Directory Server system tuning analysis version 14-JULY-2016.

NOTICE : System is x86_64-unknown-linux3.10.0-957.1.3.el7.x86_64 (1 processor).

Would you like to continue? [yes]: 

==============================================================================
Choose a setup type:

   1. Express
       Allows you to quickly set up the servers using the most
       common options and pre-defined defaults. Useful for quick
       evaluation of the products.

   2. Typical
       Allows you to specify common defaults and options.

   3. Custom
       Allows you to specify more advanced options. This is 
       recommended for experienced server administrators only.

To accept the default shown in brackets, press the Enter key.

Choose a setup type [2]: 

==============================================================================
Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: eros.example.com.

To accept the default shown in brackets, press the Enter key.

Warning: This step may take a few minutes if your DNS servers
can not be reached or if DNS is not configured correctly.  If
you would rather not wait, hit Ctrl-C and run this program again
with the following command line option to specify the hostname:

    General.FullMachineName=your.hostname.domain.name

Computer name [centos-auth.home.labrats.us]: 

==============================================================================
The servers must run as a specific user in a specific group.
It is strongly recommended that this user should have no privileges
on the computer (i.e. a non-root user).  The setup procedure
will give this user/group some permissions in specific paths/files
to perform server-specific operations.

If you have not yet created a user and group for the servers,
create this user and group using your native operating
system utilities.

System User [dirsrv]: 
System Group [dirsrv]: 

==============================================================================
Server information is stored in the configuration directory server.
This information is used by the console and administration server to
configure and manage your servers.  If you have already set up a
configuration directory server, you should register any servers you
set up or create with the configuration server.  To do so, the
following information about the configuration server is required: the
fully qualified host name of the form
<hostname>.<domainname>(e.g. hostname.example.com), the port number
(default 389), the suffix, the DN and password of a user having
permission to write the configuration information, usually the
configuration directory administrator, and if you are using security
(TLS/SSL).  If you are using TLS/SSL, specify the TLS/SSL (LDAPS) port
number (default 636) instead of the regular LDAP port number, and
provide the CA certificate (in PEM/ASCII format).

If you do not yet have a configuration directory server, enter 'No' to
be prompted to set up one.

Do you want to register this software with an existing
configuration directory server? [no]: 

==============================================================================
Please enter the administrator ID for the configuration directory
server.  This is the ID typically used to log in to the console.  You
will also be prompted for the password.

Configuration directory server
administrator ID [admin]: 
Password: 
Password (confirm): 

==============================================================================
The information stored in the configuration directory server can be
separated into different Administration Domains.  If you are managing
multiple software releases at the same time, or managing information
about multiple domains, you may use the Administration Domain to keep
them separate.

If you are not using administrative domains, press Enter to select the
default.  Otherwise, enter some descriptive, unique name for the
administration domain, such as the name of the organization
responsible for managing the domain.

Administration Domain [home.labrats.us]: home.labrats.us

==============================================================================
The standard directory server network port number is 389.  However, if
you are not logged as the superuser, or port 389 is in use, the
default value will be a random unused port number greater than 1024.
If you want to use port 389, make sure that you are logged in as the
superuser, that port 389 is not in use.

Directory server network port [389]: 

==============================================================================
Each instance of a directory server requires a unique identifier.
This identifier is used to name the various
instance specific files and directories in the file system,
as well as for other uses as a server instance identifier.

Directory server identifier [den1-it-tacacs-01]: 

==============================================================================
The suffix is the root of your directory tree.  The suffix must be a valid DN.
It is recommended that you use the dc=domaincomponent suffix convention.
For example, if your domain is example.com,
you should use dc=example,dc=com for your suffix.
Setup will create this initial suffix for you,
but you may have more than one suffix.
Use the directory server utilities to create additional suffixes.

Suffix [dc=home, dc=labrats, dc=us]: dc=home, dc=labrats, dc=us

==============================================================================
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and typically has a
bind Distinguished Name (DN) of cn=Directory Manager.
You will also be prompted for the password for this user.  The password must
be at least 8 characters long, and contain no spaces.
Press Control-B or type the word "back", then Enter to back up and start over.

Directory Manager DN [cn=Directory Manager]: 
Password: 
Password (confirm): 

==============================================================================
The Administration Server is separate from any of your web or application
servers since it listens to a different port and access to it is
restricted.

Pick a port number between 1024 and 65535 to run your Administration
Server on. You should NOT use a port number which you plan to
run a web or application server on, rather, select a number which you
will remember and which will not be used for anything else.

Administration port [9830]: 

==============================================================================
The interactive phase is complete.  The script will now set up your
servers.  Enter No or go Back if you want to change something.

Are you ready to set up your servers? [yes]: 
Creating directory server . . .
Your new DS instance 'den1-it-tacacs-01' was successfully created.
Creating the configuration directory server . . .
Beginning Admin Server creation . . .
Creating Admin Server files and directories . . .
Updating adm.conf . . .
Updating admpw . . .
Registering admin server with the configuration directory server . . .
Updating adm.conf with information from configuration directory server . . .
Updating the configuration for the httpd engine . . .
Starting admin server . . .
The admin server was successfully started.
Admin server was successfully created, configured, and started.
Exiting . . .
Log file is '/tmp/setupsHaXM4.log'
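
The interactive run above can be reproduced without the prompts. As an added example (not part of this page), the script below writes the answer file that setup-ds-admin.pl --silent --file accepts, using the same values chosen interactively, and runs the installer. The passwords are taken from environment variables (DM_PASSWORD and ADMIN_PASSWORD, names chosen for the example) so they never appear on a command line or in shell history.

```shell
#!/bin/sh
# Added example, not from the wiki page: drive setup-ds-admin.pl non-interactively.
# The answer file uses the [General], [slapd] and [admin] sections documented
# for "setup-ds-admin.pl --silent --file"; values mirror the interactive run.
# DM_PASSWORD / ADMIN_PASSWORD are environment variables assumed for this example.
set -eu

# write_setup_inf FQDN INSTANCE SUFFIX ADMIN_DOMAIN DM_PASSWORD ADMIN_PASSWORD
#   Prints the answer file on stdout. System user/group are the dirsrv
#   account chosen during the interactive setup above.
write_setup_inf() {
  fqdn=$1
  instance=$2
  suffix=$3
  domain=$4
  dm_pw=$5
  admin_pw=$6
  cat <<EOF
[General]
FullMachineName= $fqdn
SuiteSpotUserID= dirsrv
SuiteSpotGroup= dirsrv
AdminDomain= $domain
ConfigDirectoryAdminID= admin
ConfigDirectoryAdminPwd= $admin_pw
ConfigDirectoryLdapURL= ldap://$fqdn:389/o=NetscapeRoot

[slapd]
SlapdConfigForMC= Yes
UseExistingMC= 0
ServerPort= 389
ServerIdentifier= $instance
Suffix= $suffix
RootDN= cn=Directory Manager
RootDNPwd= $dm_pw
AddSampleEntries= No

[admin]
Port= 9830
ServerAdminID= admin
ServerAdminPwd= $admin_pw
EOF
}

# silent_setup FQDN INSTANCE SUFFIX ADMIN_DOMAIN
#   Writes the answer file with mode 0600 (mktemp does that), runs the
#   installer, and removes the file because it holds both passwords in clear.
silent_setup() {
  inf=$(mktemp /root/setup.XXXXXX)
  write_setup_inf "$1" "$2" "$3" "$4" "$DM_PASSWORD" "$ADMIN_PASSWORD" > "$inf"
  ulimit -n 8192
  if setup-ds-admin.pl --silent --file="$inf"; then rc=0; else rc=$?; fi
  rm -f "$inf"
  return $rc
}

# Usage (values from this page; passwords supplied by the caller):
# DM_PASSWORD='...' ADMIN_PASSWORD='...' \
#   silent_setup centos-auth.home.labrats.us den1-it-tacacs-01 \
#                "dc=home,dc=labrats,dc=us" home.labrats.us
```

Review the /tmp/setup*.log file the installer leaves behind before deleting it, as you would after an interactive run.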

Obtain SSL Certificate and Key

This can be a certificate from a public CA, but here we use a private CA of our own and a server certificate issued by it.

Follow the instructions on the page below to set up the private CA and issue the server certificate and key.

User:Sfiggins/Self Signed CA Instructions

Convert Certificate to P12 Format

Convert the new certificate and its private key to PKCS#12 (.p12) format with the following command. The value given to -name becomes the certificate nickname in the directory server's NSS database (what certutil -L lists, and what nsSSLPersonalitySSL must reference later), so use the directory instance name here.

(If the private key was created without a passphrase, openssl will not prompt for one. The "Export Password" it does ask for protects the .p12 file, which contains the private key; choose a non-empty one, because pk12util asks for it again at import time.)

# openssl pkcs12 -export -inkey private_key.pem  -in signed-cert.pem -name my_name \
    -out imported-certificate.p12
Enter Export Password:
Verifying - Enter Export Password:

If you followed the self-signed certificate instructions from above, it looks like this (newserver is that page's placeholder for the server; -name should be the directory instance name, den1-it-tacacs-01 here):

# openssl pkcs12 -export -inkey /CA/certs/newserver.pem  -in /CA/certs/newserver-cert.pem \
    -name den1-it-tacacs-01 -out /CA/certs/newserver.p12
Enter Export Password:
Verifying - Enter Export Password:
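
As an added example (not part of this page), the script below runs the same conversion on a throwaway self-signed key and certificate and then inspects the bundle, so you can confirm the nickname and contents before handing the file to pk12util. It assumes openssl is installed; the directory, names and password are made up for the example.

```shell
#!/bin/sh
# Added example, not from the wiki page: exercise the openssl pkcs12 step
# end to end on throwaway material and check the resulting bundle.
# Assumes openssl is on PATH. Every name and password below is made up.
set -eu

# make_p12 NAME DIR EXPORT_PASSWORD
#   Creates DIR/NAME-key.pem and DIR/NAME-cert.pem (a throwaway self-signed
#   pair standing in for the key and CA-signed certificate from the page) and
#   bundles them as DIR/NAME.p12. NAME is also passed as -name, so it becomes
#   the friendlyName in the bundle and therefore the NSS nickname after
#   pk12util -i.
make_p12() {
  name=$1
  dir=$2
  pass=$3
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
      -subj "/CN=$name.example.test" \
      -keyout "$dir/$name-key.pem" -out "$dir/$name-cert.pem" 2>/dev/null
  # Non-empty export password: pk12util asks for it when importing.
  openssl pkcs12 -export -inkey "$dir/$name-key.pem" -in "$dir/$name-cert.pem" \
      -name "$name" -passout "pass:$pass" -out "$dir/$name.p12"
  chmod 600 "$dir/$name.p12"   # the bundle contains the private key
}

# p12_nickname FILE EXPORT_PASSWORD
#   Prints the friendlyName stored with the certificate, i.e. the nickname
#   that nsSSLPersonalitySSL will have to name.
p12_nickname() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -info 2>/dev/null \
    | sed -n 's/^ *friendlyName: *//p' | head -n 1
}

# p12_counts FILE EXPORT_PASSWORD
#   Prints "<certificates> <private keys>"; a server bundle holds one key.
p12_counts() {
  certs=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
            | grep -c 'BEGIN CERTIFICATE')
  keys=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
            | grep -c 'BEGIN.*PRIVATE KEY')
  echo "$certs $keys"
}

# Usage (scratch directory and password are assumptions for the example):
# make_p12 den1-it-tacacs-01 /tmp/p12demo 'export-pw'
# p12_nickname /tmp/p12demo/den1-it-tacacs-01.p12 'export-pw'
# p12_counts   /tmp/p12demo/den1-it-tacacs-01.p12 'export-pw'
```

If an older pk12util refuses a bundle produced by OpenSSL 3 (which defaults to AES and PBKDF2 for the PKCS#12 encryption), re-export with the legacy algorithms: add -legacy on OpenSSL 3, or -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES on earlier releases.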

Setup SSL

The process below is adapted from the following web page:

http://directory.fedoraproject.org/docs/389ds/howto/howto-ssl.html

!!! NOTE: Substitute your own directory instance name (den1-it-tacacs-01 in the examples) in every path and LDIF below !!!

Copy CA Certificate

Copy your CA certificate file to /etc/openldap/certs/cacerts/. You will get this from your certificate authority, or from your self-signed certificate authority. Be sure to change the filename to match your CA certificate file; the same path is used when importing it into the NSS database below.

# mkdir -p /etc/openldap/certs/cacerts/
# cp private_ca.pem /etc/openldap/certs/cacerts/

Using certutil

We'll use certutil and pk12util to import the CA certificate and the server key and certificate into the instance's NSS database. First list the database, which is still empty:

# certutil -d /etc/dirsrv/slapd-den1-it-tacacs-01/ -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Create the pin.txt file. It holds the NSS database (internal token) password in clear text so the server can open its key database at boot without prompting. It must contain the same password you set on the database in the pk12util step below, and it must be readable only by the user the directory server runs as (dirsrv, chosen during setup; not nobody). Note that typing the password on the command line also leaves it in root's shell history.

# echo "Internal (Software) Token:<password>" > /etc/dirsrv/slapd-den1-it-tacacs-01/pin.txt
# chown dirsrv:dirsrv /etc/dirsrv/slapd-den1-it-tacacs-01/pin.txt
# chmod 400 /etc/dirsrv/slapd-den1-it-tacacs-01/pin.txt

Import the CA certificate (trusted to sign server certificates: CT,,) from the location it was copied to above, then the server key and certificate from the .p12 bundle created earlier (adjust the path and file name to wherever you saved it):

# certutil -d /etc/dirsrv/slapd-den1-it-tacacs-01 -A -n "CA Certificate" -t CT,, -a -i /etc/openldap/certs/cacerts/private_ca.pem
# pk12util -i /root/den1-it-tacacs-01.p12 -d /etc/dirsrv/slapd-den1-it-tacacs-01/
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.

Enter new password: 
Re-enter password: 
Enter password for PKCS12 file: 
pk12util: PKCS12 IMPORT SUCCESSFUL
# certutil -d /etc/dirsrv/slapd-den1-it-tacacs-01/ -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CA Certificate                                               CT,, 
den1-it-tacacs-01                                            u,u,u

Turning on SSL

Turning on SSL requires the following configuration change. Replace the instance name (den1-it-tacacs-01) in nsKeyfile and nsCertfile with your own. The howto this is adapted from carries a long nsSSL3Ciphers list of obsolete suites (RC4, single DES, 40-bit export ciphers, NULL encryption, Fortezza); do not copy it. The keyword default selects the server's current recommended cipher suites, sslVersionMin: TLS1.2 refuses TLS 1.0 and 1.1, and nsSSL3: off disables SSLv3. nsslapd-ssl-check-hostname governs hostname verification on outbound TLS connections the server itself makes (replication, chaining); it is left on here and should only be turned off if a peer's certificate genuinely does not match its hostname.

# cat > /tmp/ssl_enable.ldif << 'EOF'
dn: cn=encryption,cn=config
changetype: modify
replace: nsSSL3
nsSSL3: off
-
replace: nsTLS1
nsTLS1: on
-
replace: sslVersionMin
sslVersionMin: TLS1.2
-
replace: nsSSLClientAuth
nsSSLClientAuth: allowed
-
replace: nsSSL3Ciphers
nsSSL3Ciphers: default
-
replace: nsKeyfile
nsKeyfile: alias/den1-it-tacacs-01-key3.db
-
replace: nsCertfile
nsCertfile: alias/den1-it-tacacs-01-cert8.db

dn: cn=config
changetype: modify
replace: nsslapd-security
nsslapd-security: on
-
replace: nsslapd-ssl-check-hostname
nsslapd-ssl-check-hostname: on
EOF

Apply the configuration:

# ldapmodify -cx -D "cn=directory manager" -W -h localhost -f /tmp/ssl_enable.ldif

Create the following config file. nsSSLPersonalitySSL must be the certificate nickname shown by certutil -L above (the -name you gave to openssl pkcs12), so change it to match your instance:

# cat >  /tmp/addRSA.ldif << 'EOF'
dn: cn=RSA,cn=encryption,cn=config
changetype: add
objectClass: top
objectClass: nsEncryptionModule
cn: RSA
nsSSLPersonalitySSL: den1-it-tacacs-01
nsSSLToken: internal (software)
nsSSLActivation: on
EOF

Apply the configuration:

# ldapmodify -cx -D "cn=directory manager" -W -h localhost -f /tmp/addRSA.ldif

Restart the Directory Server (dirsrv.target covers every instance on the host). If it does not come back up, the reason (a pin.txt password that does not match the key database, a nickname that does not exist in it) is logged in /var/log/dirsrv/slapd-den1-it-tacacs-01/errors.

# systemctl restart dirsrv.target
# systemctl status dirsrv.target
● dirsrv.target - 389 Directory Server
   Loaded: loaded (/usr/lib/systemd/system/dirsrv.target; disabled; vendor preset: disabled)
   Active: active since Thu 2018-12-13 13:33:26 MST; 9s ago

Dec 13 13:33:26 centos-auth.home.labrats.us systemd[1]: Reached target 389 Directory Server.

Validate the server is listening on SSL

# netstat -lntup | grep slap
tcp        0      0 :::389                      :::*                        LISTEN      26518/ns-slapd
tcp        0      0 :::636                      :::*                        LISTEN      26518/ns-slapd
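
As an added example that is not part of this page: netstat only shows that something is listening on 636. The check below opens a TLS connection with openssl s_client, verifies the certificate (chain and hostname) against the private CA, and refuses anything older than TLS 1.2. tls_check is separated out so the parsing can be exercised on captured output. The hostname, port and CA path in the usage line are the ones used on this page and are assumptions for your environment; openssl must be installed.

```shell
#!/bin/sh
# Added example, not from the wiki page: prove that the LDAPS listener presents
# a certificate that chains to our CA and negotiates a modern protocol, which a
# netstat listing cannot tell you. All hostnames and paths are assumptions.
set -u

# tls_check  (reads openssl s_client output on stdin)
#   Returns 0 only if chain verification succeeded and the negotiated
#   protocol is TLS 1.2 or 1.3; prints the reason otherwise.
tls_check() {
  out=$(cat)
  proto=$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *//p' | head -n 1)
  code=$(printf '%s\n' "$out" \
           | sed -n 's/^ *Verify return code: *\([0-9][0-9]*\).*/\1/p' | head -n 1)
  case "$code" in
    0)  ;;
    '') echo "no TLS session (connection refused, or not a TLS listener)"; return 1 ;;
    *)  echo "certificate verification failed: verify return code $code"; return 1 ;;
  esac
  case "$proto" in
    TLSv1.2|TLSv1.3) echo "ok: $proto, chain verified"; return 0 ;;
    *) echo "unacceptable protocol: ${proto:-unknown}"; return 1 ;;
  esac
}

# tls_probe HOST PORT CAFILE
#   -CAfile makes verification real instead of skipped (LDAPTLS_REQCERT=never
#   does the latter); -verify_hostname rejects a certificate issued for a
#   different name; -servername sends SNI.
tls_probe() {
  openssl s_client -connect "$1:$2" -servername "$1" -verify_hostname "$1" \
      -CAfile "$3" </dev/null 2>/dev/null | tls_check
}

# Usage:
# tls_probe centos-auth.home.labrats.us 636 /etc/openldap/certs/cacerts/private_ca.pem
```

A non-zero verify return code from this probe means the directory server is presenting a certificate your clients will not trust; fix that rather than setting LDAPTLS_REQCERT=never on the clients.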

Testing LDAP

Test LDAP with the following anonymous search. Note that it returns the whole tree: 389 Directory Server allows anonymous read access by default, which is acceptable in a lab but should be reconsidered before the server is reachable from a network (nsslapd-allow-anonymous-access in cn=config controls it).

# ldapsearch -x -b "dc=home,dc=labrats,dc=us"

Example output

# extended LDIF
#
# LDAPv3
# base <dc=home,dc=labrats,dc=us> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# labrats.us
dn: dc=home,dc=labrats,dc=us
objectClass: top
objectClass: domain
dc: labrats

# Directory Administrators, labrats.us
dn: cn=Directory Administrators,dc=home,dc=labrats,dc=us
objectClass: top
objectClass: groupofuniquenames
cn: Directory Administrators
uniqueMember: cn=Directory Manager

# Groups, labrats.us
dn: ou=Groups,dc=home,dc=labrats,dc=us
objectClass: top
objectClass: organizationalunit
ou: Groups

# People, labrats.us
dn: ou=People,dc=home,dc=labrats,dc=us
objectClass: top
objectClass: organizationalunit
ou: People

# Special Users, labrats.us
dn: ou=Special Users,dc=home,dc=labrats,dc=us
objectClass: top
objectClass: organizationalUnit
ou: Special Users
description: Special Administrative Accounts

# Accounting Managers, Groups, labrats.us
dn: cn=Accounting Managers,ou=Groups,dc=home,dc=labrats,dc=us
objectClass: top
objectClass: groupOfUniqueNames
cn: Accounting Managers
ou: groups
description: People who can manage accounting entries
uniqueMember: cn=Directory Manager

# HR Managers, Groups, labrats.us
dn: cn=HR Managers,ou=Groups,dc=home,dc=labrats,dc=us
objectClass: top
objectClass: groupOfUniqueNames
cn: HR Managers
ou: groups
description: People who can manage HR entries
uniqueMember: cn=Directory Manager

# QA Managers, Groups, labrats.us
dn: cn=QA Managers,ou=Groups,dc=home,dc=labrats,dc=us
objectClass: top
objectClass: groupOfUniqueNames
cn: QA Managers
ou: groups
description: People who can manage QA entries
uniqueMember: cn=Directory Manager

# PD Managers, Groups, labrats.us
dn: cn=PD Managers,ou=Groups,dc=home,dc=labrats,dc=us
objectClass: top
objectClass: groupOfUniqueNames
cn: PD Managers
ou: groups
description: People who can manage engineer entries
uniqueMember: cn=Directory Manager

# search result
search: 2
result: 0 Success

# numResponses: 10
# numEntries: 9

Create Search Role Account

Create the service account that nslcd (and through it the TACACS+ and RADIUS daemons) will bind with to look up users. It needs nothing but a DN and a password; the {crypt}x placeholder is a password nobody can bind with until ldappasswd sets a real one below. The cn value must match the RDN of the entry.

# cat > /tmp/serviceadd.ldif << 'EOF'
dn: cn=LDAP Query,ou=Special Users,dc=home,dc=labrats,dc=us
objectClass: posixGroup
objectClass: top
cn: LDAP Query
userPassword: {crypt}x
gidNumber: 65000
EOF
# ldapadd -cx -D "cn=directory manager" -W -h localhost -f /tmp/serviceadd.ldif


Change user password

Set the service account's password over TLS. Do not use LDAPTLS_REQCERT=never for this: it disables certificate verification, so the Directory Manager password would be handed to anything impersonating the server. Point the client at the private CA instead (or set TLS_CACERT /etc/openldap/certs/cacerts/private_ca.pem in /etc/openldap/ldap.conf once and drop the variable) and connect to the hostname the server certificate was issued for:

# LDAPTLS_CACERT=/etc/openldap/certs/cacerts/private_ca.pem ldappasswd -ZZ -S -x -W \
    -H ldap://centos-auth.home.labrats.us -D "cn=directory manager" \
    "cn=LDAP Query,ou=Special Users,dc=home,dc=labrats,dc=us"
New password: 
Re-enter new password: 
Enter LDAP Password: 

- or -, to have ldappasswd generate a random password and print it:

# LDAPTLS_CACERT=/etc/openldap/certs/cacerts/private_ca.pem ldappasswd -ZZ -x -W \
    -H ldap://centos-auth.home.labrats.us -D "cn=directory manager" \
    "cn=LDAP Query,ou=Special Users,dc=home,dc=labrats,dc=us"
Enter LDAP Password: 
New password: <new password>

Create Test Account

Create a POSIX group and a user to test with. The userPassword hash in the user LDIF is a throwaway placeholder that is replaced by ldappasswd in the next step; there is no need to pre-compute crypt hashes, because the server hashes passwords itself with its configured password storage scheme when ldappasswd sets them.

# cat > /tmp/groupadd.ldif << 'EOF'
dn: cn=tuser,ou=Groups,dc=home,dc=labrats,dc=us
objectClass: posixGroup
objectClass: top
cn: tuser
userPassword: {crypt}x
gidNumber: 2014
EOF
# ldapadd -cx -D "cn=directory manager" -W -h localhost -f /tmp/groupadd.ldif
# cat > /tmp/useradd.ldif << 'EOF'
dn: uid=tuser,ou=People,dc=home,dc=labrats,dc=us
uid: tuser
cn: tuser
sn: user
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
userPassword: {crypt}$1$QLoEkVTC$RHrUQKYbqtRi4cfoPtusT.
loginShell: /bin/bash
uidNumber: 2014
gidNumber: 2014
homeDirectory: /home/tuser
EOF
# ldapadd -cx -D "cn=directory manager" -W -h localhost -f /tmp/useradd.ldif

Change user password

As before, verify the server certificate against the private CA rather than disabling the check with LDAPTLS_REQCERT=never:

# LDAPTLS_CACERT=/etc/openldap/certs/cacerts/private_ca.pem ldappasswd -ZZ -S -x -W \
    -H ldap://centos-auth.home.labrats.us -D "cn=directory manager" \
    "uid=tuser,ou=People,dc=home,dc=labrats,dc=us"
New password: 
Re-enter new password: 
Enter LDAP Password: 

- or -, to have ldappasswd generate a random password and print it:

# LDAPTLS_CACERT=/etc/openldap/certs/cacerts/private_ca.pem ldappasswd -ZZ -x -W \
    -H ldap://centos-auth.home.labrats.us -D "cn=directory manager" \
    "uid=tuser,ou=People,dc=home,dc=labrats,dc=us"
Enter LDAP Password: 
New password: <new password>

Test binding as the new user over TLS (again verifying the server certificate rather than disabling the check):

# LDAPTLS_CACERT=/etc/openldap/certs/cacerts/private_ca.pem ldapsearch -ZZ -x \
    -H ldap://centos-auth.home.labrats.us -D "uid=tuser,ou=People,dc=home,dc=labrats,dc=us" \
    -W -b "uid=tuser,ou=People,dc=home,dc=labrats,dc=us"
Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
# base <uid=tuser,ou=People,dc=home,dc=labrats,dc=us> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# tuser, People, home.labrats.us
dn: uid=tuser,ou=People,dc=home,dc=labrats,dc=us
uid: tuser
cn: tuser
sn: user
objectClass: account
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: organizationalPerson
objectClass: person
loginShell: /bin/bash
uidNumber: 2014
gidNumber: 2014
homeDirectory: /home/tuser
shadowLastChange: 17878

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1

Starting and Enabling Directory Server

To enable the Directory Server

# systemctl enable dirsrv.target
Created symlink from /etc/systemd/system/multi-user.target.wants/dirsrv.target to /usr/lib/systemd/system/dirsrv.target.

To enable the Admin Server

# systemctl enable dirsrv-admin
Created symlink from /etc/systemd/system/multi-user.target.wants/dirsrv-admin.service to /usr/lib/systemd/system/dirsrv-admin.service.

To start the Directory Server

# systemctl start dirsrv.target

To start the Admin Server

# systemctl start dirsrv-admin

NSS PAM and NSCD configuration

This section details how to set up PAM so that TACACS+ and RADIUS authentication is checked against LDAP.

It is only needed on the server that runs TACACS+ or RADIUS; skip it on a stand-alone directory server.

Install nss-pam-ldapd and NSCD

TACACS+ and RADIUS hand authentication to PAM, and PAM needs a way to reach LDAP. Rather than switching the whole system over to LDAP logins with authconfig and sssd, we use nss-pam-ldapd (the nslcd daemon with its PAM and NSS modules) together with nscd, which need to be installed.

# yum install nss-pam-ldapd nscd
Loaded plugins: fastestmirror
base                                                                                                                                                              | 3.6 kB  00:00:00     
extras                                                                                                                                                            | 3.4 kB  00:00:00     
updates                                                                                                                                                           | 3.4 kB  00:00:00     
Loading mirror speeds from cached hostfile
 * base: mirror.cs.uwp.edu
 * epel: d2lzkl7pfhq30w.cloudfront.net
 * extras: mirror.cs.uwp.edu
 * updates: sjc.edge.kernel.org
Resolving Dependencies
--> Running transaction check
---> Package nscd.x86_64 0:2.17-260.el7 will be installed
---> Package nss-pam-ldapd.x86_64 0:0.8.13-16.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

========================================================================================================================================
 Package                           Arch                                Version                        Repository                  Size
========================================================================================================================================
Installing:
 nscd                              x86_64                              2.17-260.el7                   base                        281 k
 nss-pam-ldapd                     x86_64                              0.8.13-16.el7                  base                        160 k

Transaction Summary
========================================================================================================================================
Install  2 Packages

Total download size: 441 k
Installed size: 590 k
Is this ok [y/d/N]: y
Downloading packages:
(1/2): nss-pam-ldapd-0.8.13-16.el7.x86_64.rpm                                                                                                                     | 160 kB  00:00:00     
(2/2): nscd-2.17-260.el7.x86_64.rpm                                                                                                                               | 281 kB  00:00:00     
----------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                                                    1.1 MB/s | 441 kB  00:00:00     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : nscd-2.17-260.el7.x86_64                                                                                                                                              1/2 
  Installing : nss-pam-ldapd-0.8.13-16.el7.x86_64                                                                                                                                    2/2 
  Verifying  : nss-pam-ldapd-0.8.13-16.el7.x86_64                                                                                                                                    1/2 
  Verifying  : nscd-2.17-260.el7.x86_64                                                                                                                                              2/2 

Installed:
  nscd.x86_64 0:2.17-260.el7                                                             nss-pam-ldapd.x86_64 0:0.8.13-16.el7                                                            

Complete!


Configure NSLCD

NSLCD uses a service account to search the directory for the user's entry and find the DN to bind as, then performs a simple bind as that user's DN to validate the password.

Be sure to copy your CA certificate file to /etc/openldap/certs/cacerts.

Configure for 389 Directory Server

Configure /etc/nslcd.conf

# This is the configuration file for the LDAP nameservice
# switch library's nslcd daemon. It configures the mapping
# between NSS names (see /etc/nsswitch.conf) and LDAP
# information in the directory.
# See the manual page nslcd.conf(5) for more information.

# The user and group nslcd should run as.
uid nslcd
gid ldap

# The uri pointing to the LDAP server to use for name lookups.
# Multiple entries may be specified. The address that is used
# here should be resolvable without using LDAP (obviously).
#uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator
# uri ldap://127.0.0.1/

# The LDAP version to use (defaults to 3
# if supported by client library)
#ldap_version 3

# The distinguished name of the search base.
# base dc=example,dc=com

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
#binddn cn=proxyuser,dc=example,dc=com

# The credentials to bind with.
# Optional: default is no credentials.
# Note that if you set a bindpw you should check the permissions of this file.
#bindpw secret

# The distinguished name to perform password modifications by root by.
#rootpwmoddn cn=admin,dc=example,dc=com

# The default search scope.
#scope sub
#scope one
#scope base

# Customize certain database lookups.
#base   group  ou=Groups,dc=example,dc=com
#base   passwd ou=People,dc=example,dc=com
#base   shadow ou=People,dc=example,dc=com
#scope  group  onelevel
#scope  hosts  sub

# Bind/connect timelimit.
#bind_timelimit 30

# Search timelimit.
#timelimit 30

# Idle timelimit. nslcd will close connections if the
# server has not been contacted for the number of seconds.
#idle_timelimit 3600

# Use StartTLS without verifying the server certificate.
#ssl start_tls
#tls_reqcert never

# CA certificates for server certificate verification
#tls_cacertdir /etc/ssl/certs
#tls_cacertfile /etc/ssl/ca.cert

# Seed the PRNG if /dev/urandom is not provided
#tls_randfile /var/run/egd-pool

# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1

# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key

# Mappings for Services for UNIX 3.5
#filter passwd (objectClass=User)
#map    passwd uid              msSFU30Name
#map    passwd userPassword     msSFU30Password
#map    passwd homeDirectory    msSFU30HomeDirectory
#map    passwd homeDirectory    msSFUHomeDirectory
#filter shadow (objectClass=User)
#map    shadow uid              msSFU30Name
#map    shadow userPassword     msSFU30Password
#filter group  (objectClass=Group)
#map    group  member           msSFU30PosixMember

# Mappings for Services for UNIX 2.0
#filter passwd (objectClass=User)
#map    passwd uid              msSFUName
#map    passwd userPassword     msSFUPassword
#map    passwd homeDirectory    msSFUHomeDirectory
#map    passwd gecos            msSFUName
#filter shadow (objectClass=User)
#map    shadow uid              msSFUName
#map    shadow userPassword     msSFUPassword
#map    shadow shadowLastChange pwdLastSet
#filter group  (objectClass=Group)
#map    group  member           posixMember

# Mappings for Active Directory
#pagesize 1000
#referrals off
#idle_timelimit 800
#filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
#map    passwd uid              sAMAccountName
#map    passwd homeDirectory    unixHomeDirectory
#map    passwd gecos            displayName
#filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
#map    shadow uid              sAMAccountName
#map    shadow shadowLastChange pwdLastSet
#filter group  (objectClass=group)

# Alternative mappings for Active Directory
# (replace the SIDs in the objectSid mappings with the value for your domain)
#pagesize 1000
#referrals off
#idle_timelimit 800
#filter passwd (&(objectClass=user)(objectClass=person)(!(objectClass=computer)))
#map    passwd uid           cn
#map    passwd uidNumber     objectSid:S-1-5-21-3623811015-3361044348-30300820
#map    passwd gidNumber     objectSid:S-1-5-21-3623811015-3361044348-30300820
#map    passwd homeDirectory "/home/$cn"
#map    passwd gecos         displayName
#map    passwd loginShell    "/bin/bash"
#filter group (|(objectClass=group)(objectClass=person))
#map    group gidNumber      objectSid:S-1-5-21-3623811015-3361044348-30300820

# Mappings for AIX SecureWay
#filter passwd (objectClass=aixAccount)
#map    passwd uid              userName
#map    passwd userPassword     passwordChar
#map    passwd uidNumber        uid
#map    passwd gidNumber        gid
#filter group  (objectClass=aixAccessGroup)
#map    group  cn               groupName
#map    group  gidNumber        gid
# This comment prevents repeated auto-migration of settings.
#
uri ldaps://centos-auth.home.labrats.us
base dc=home,dc=labrats,dc=us
binddn cn=LDAP Query,ou=Special Users,dc=home,dc=labrats,dc=us
bindpw <bindpasswd>
ssl on
tls_cacert /etc/openldap/cacerts/labrats_ca.pem
tls_cacertdir /etc/openldap/cacerts
#tls_checkpeer yes
tls_reqcert demand
timelimit 3
bind_timelimit 3

Configure for Microsoft Active Directory Server

If you do not want the TACACS+ server to authenticate against 389-DS but against Active Directory instead, you only need to configure nslcd with the correct attribute mappings. Many Active Directory domain controllers have self-signed certificates, so you can tell nslcd not to verify the server certificate. If your domain controllers have CA-signed certificates, use the correct CA certificate instead.

Configure /etc/nslcd.conf

# This is the configuration file for the LDAP nameservice
# switch library's nslcd daemon. It configures the mapping
# between NSS names (see /etc/nsswitch.conf) and LDAP
# information in the directory.
# See the manual page nslcd.conf(5) for more information.

# The user and group nslcd should run as.
uid nslcd
gid ldap

# The uri pointing to the LDAP server to use for name lookups.
# Multiple entries may be specified. The address that is used
# here should be resolvable without using LDAP (obviously).
#uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator
# uri ldap://127.0.0.1/

# The LDAP version to use (defaults to 3
# if supported by client library)
#ldap_version 3

# The distinguished name of the search base.
# base dc=example,dc=com

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
#binddn cn=proxyuser,dc=example,dc=com

# The credentials to bind with.
# Optional: default is no credentials.
# Note that if you set a bindpw you should check the permissions of this file.
#bindpw secret

# The distinguished name to perform password modifications by root by.
#rootpwmoddn cn=admin,dc=example,dc=com

# The default search scope.
#scope sub
#scope one
#scope base

# Customize certain database lookups.
#base   group  ou=Groups,dc=example,dc=com
#base   passwd ou=People,dc=example,dc=com
#base   shadow ou=People,dc=example,dc=com
#scope  group  onelevel
#scope  hosts  sub

# Bind/connect timelimit.
#bind_timelimit 30

# Search timelimit.
#timelimit 30

# Idle timelimit. nslcd will close connections if the
# server has not been contacted for the number of seconds.
#idle_timelimit 3600

# Use StartTLS without verifying the server certificate.
#ssl start_tls
#tls_reqcert never

# CA certificates for server certificate verification
#tls_cacertdir /etc/ssl/certs
#tls_cacertfile /etc/ssl/ca.cert

# Seed the PRNG if /dev/urandom is not provided
#tls_randfile /var/run/egd-pool

# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1

# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key

# Mappings for Services for UNIX 3.5
#filter passwd (objectClass=User)
#map    passwd uid              msSFU30Name
#map    passwd userPassword     msSFU30Password
#map    passwd homeDirectory    msSFU30HomeDirectory
#map    passwd homeDirectory    msSFUHomeDirectory
#filter shadow (objectClass=User)
#map    shadow uid              msSFU30Name
#map    shadow userPassword     msSFU30Password
#filter group  (objectClass=Group)
#map    group  member           msSFU30PosixMember

# Mappings for Services for UNIX 2.0
#filter passwd (objectClass=User)
#map    passwd uid              msSFUName
#map    passwd userPassword     msSFUPassword
#map    passwd homeDirectory    msSFUHomeDirectory
#map    passwd gecos            msSFUName
#filter shadow (objectClass=User)
#map    shadow uid              msSFUName
#map    shadow userPassword     msSFUPassword
#map    shadow shadowLastChange pwdLastSet
#filter group  (objectClass=Group)
#map    group  member           posixMember

# Mappings for Active Directory
#pagesize 1000
#referrals off
#idle_timelimit 800
#filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
#map    passwd uid              sAMAccountName
#map    passwd homeDirectory    unixHomeDirectory
#map    passwd gecos            displayName
#filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
#map    shadow uid              sAMAccountName
#map    shadow shadowLastChange pwdLastSet
#filter group  (objectClass=group)

# Alternative mappings for Active Directory
# (replace the SIDs in the objectSid mappings with the value for your domain)
#pagesize 1000
#referrals off
#idle_timelimit 800
#filter passwd (&(objectClass=user)(objectClass=person)(!(objectClass=computer)))
#map    passwd uid           cn
#map    passwd uidNumber     objectSid:S-1-5-21-3623811015-3361044348-30300820
#map    passwd gidNumber     objectSid:S-1-5-21-3623811015-3361044348-30300820
#map    passwd homeDirectory "/home/$cn"
#map    passwd gecos         displayName
#map    passwd loginShell    "/bin/bash"
#filter group (|(objectClass=group)(objectClass=person))
#map    group gidNumber      objectSid:S-1-5-21-3623811015-3361044348-30300820

# Mappings for AIX SecureWay
#filter passwd (objectClass=aixAccount)
#map    passwd uid              userName
#map    passwd userPassword     passwordChar
#map    passwd uidNumber        uid
#map    passwd gidNumber        gid
#filter group  (objectClass=aixAccessGroup)
#map    group  cn               groupName
#map    group  gidNumber        gid
# This comment prevents repeated auto-migration of settings.
#
filter passwd (&(objectClass=user)(objectClass=person)(!(objectClass=computer)))
map    passwd uid              sAMAccountName
map    passwd homeDirectory    unixHomeDirectory
map    passwd gecos            displayName
#
uri ldaps://dc1.home.labrats.us ldaps://dc2.home.labrats.us
base ou=People,dc=home,dc=labrats,dc=us
binddn CN=LDAP Query,OU=Service Accounts,DC=home,DC=labrats,DC=us
bindpw <bind password>
ssl on
tls_cacert /etc/openldap/cacerts/labrats_ca.pem
tls_cacertdir /etc/openldap/cacerts
#tls_checkpeer yes
tls_reqcert never
timelimit 3
bind_timelimit 3

Enable NSLCD

# systemctl enable nscd
Created symlink from /etc/systemd/system/multi-user.target.wants/nscd.service to /usr/lib/systemd/system/nscd.service.
Created symlink from /etc/systemd/system/sockets.target.wants/nscd.socket to /usr/lib/systemd/system/nscd.socket.

Start NSLCD

# systemctl start nscd

Installing TACACS

Download TACACS_PLUS

Download the TACACS package and source package

# wget https://github.com/abn/tac_plus-rpm/releases/download/vF4.0.4.28-2/tac_plus-F4.0.4.28-2.el7.centos.x86_64.rpm
# wget https://github.com/abn/tac_plus-rpm/releases/download/vF4.0.4.28-2/tac_plus-F4.0.4.28-2.el7.centos.src.rpm

Install TAC_PLUS

# yum install tac_plus-F4.0.4.28-2.el7.centos.x86_64.rpm
Loaded plugins: fastestmirror
Examining tac_plus-F4.0.4.28-2.el7.centos.x86_64.rpm: tac_plus-F4.0.4.28-2.el7.centos.x86_64
Marking tac_plus-F4.0.4.28-2.el7.centos.x86_64.rpm to be installed
Resolving Dependencies
--> Running transaction check
---> Package tac_plus.x86_64 0:F4.0.4.28-2.el7.centos will be installed
--> Finished Dependency Resolution

Dependencies Resolved

=========================================================================================================================================================================================
 Package                          Arch                           Version                                           Repository                                                       Size
=========================================================================================================================================================================================
Installing:
 tac_plus                         x86_64                         F4.0.4.28-2.el7.centos                            /tac_plus-F4.0.4.28-2.el7.centos.x86_64                         1.0 M

Transaction Summary
=========================================================================================================================================================================================
Install  1 Package

Total size: 1.0 M
Installed size: 1.0 M
Is this ok [y/d/N]: y
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : tac_plus-F4.0.4.28-2.el7.centos.x86_64                                                                                                                                1/1 
  Verifying  : tac_plus-F4.0.4.28-2.el7.centos.x86_64                                                                                                                                1/1 

Installed:
  tac_plus.x86_64 0:F4.0.4.28-2.el7.centos                                                                                                                                               

Complete!

Reconfiguring for PAM

PAM support is enabled on a per-user basis by adding "login = PAM" to each "user = " definition in the tac_plus configuration.

Configure PAM service for TACACS

Add one of the following to the /etc/pam.d/tac_plus file:

If system login is also going to LDAP

# cat > /etc/pam.d/tac_plus << 'EOF'
auth       include      password-auth

# account    required   pam_access.so accessfile=/etc/security/access.cron.conf
# account    include    password-auth
account     required      pam_unix.so broken_shadow
account     required      pam_access.so accessfile=/etc/security/access.cron.conf
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so
EOF

If TACACS+ is going directly to LDAP

# cat > /etc/pam.d/tac_plus << 'EOF'
#%PAM-1.0
auth        sufficient    /usr/lib64/security/pam_unix.so likeauth nullok
auth        sufficient    /usr/lib64/security/pam_ldap.so use_first_pass
auth        required      /usr/lib64/security/pam_deny.so
account     [default=bad success=ok user_unknown=ignore] /usr/lib64/security/pam_ldap.so
account     required      /usr/lib64/security/pam_permit.so
EOF

Firewall Configuration

Open the TACACS+ port (49/tcp) in the host firewall (firewalld, which manages the iptables rules):

# firewall-cmd --permanent --add-port=49/tcp

Reload the firewall rules

# firewall-cmd --reload

Enabling and Starting TACACS

To enable the TACACS daemon

# systemctl enable tac_plus
Created symlink from /etc/systemd/system/multi-user.target.wants/tac_plus.service to /usr/lib/systemd/system/tac_plus.service.

To start the TACACS daemon

# systemctl start tac_plus

Testing TACACS

Install Authen::TacacsPlus Perl Module

Install via CPAN:

# cpan
Loading internal null logger. Install Log::Log4perl for logging messages
Terminal does not support AddHistory.

cpan shell -- CPAN exploration and modules installation (v2.10)
Enter 'h' for help.

cpan[1]> install Authen::TacacsPlus

Create TACACS test script

Create this test file:

# cat > /root/tacacs-test.pl << 'EOF'
#!/usr/bin/perl
use strict;
use warnings;
use Authen::TacacsPlus;

# Test account and password to submit to the local TACACS+ daemon.
my $username = "tuser";
my $password = "JbUWP3TbwdHwNou";

# The key must match the key configured for this client in tac_plus.conf.
my $tac = Authen::TacacsPlus->new(Host => 'localhost', Key => '<tacacs key>');
unless ($tac) {
        print "Error: ", Authen::TacacsPlus::errmsg(), "\n";
        exit(1);
}
if ($tac->authen($username, $password)) {
        print "Granted\n";
} else {
        print "Denied: ", Authen::TacacsPlus::errmsg(), "\n";
}
$tac->close();
EOF

# chmod +x /root/tacacs-test.pl
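The Perl script above hides the protocol behind Authen::TacacsPlus. The following Python client is an added example, not part of this page, of tac_plus or of Authen::TacacsPlus, that performs the same ASCII login by hand so the wire format is visible: the 12-byte clear-text header, the MD5 keystream derived from the shared key that obfuscates every packet body, and the START / GETPASS / CONTINUE / PASS exchange. Host, key, user and password are placeholders you would replace; the encoding functions can be exercised without a server.

```python
"""Minimal TACACS+ (RFC 8907) ASCII-login client.

Added example, not from the page, the tac_plus project or Authen::TacacsPlus.
Host, key and credentials passed to authenticate() are assumed placeholders.
"""
import hashlib
import os
import socket
import struct

TAC_PLUS_VERSION = 0xC0                 # major 0xC, minor 0: ASCII login
TAC_PLUS_AUTHEN = 0x01                  # packet type: authentication
ACTION_LOGIN = PRIV_LVL_USER = AUTHEN_TYPE_ASCII = AUTHEN_SVC_LOGIN = 0x01
STATUS_PASS, STATUS_FAIL, STATUS_GETPASS = 0x01, 0x02, 0x05
HEADER = struct.Struct("!BBBBII")       # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id, key, version, seq_no, length):
    """Keystream of RFC 8907 section 4.5: MD5 blocks chained on the previous digest."""
    out, prev = b"", b""
    while len(out) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key + bytes([version, seq_no]) + prev).digest()
        out += prev
    return out[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the keystream; the same call reverses it.  This is keyed
    obfuscation, not authenticated encryption: the strength of the key and the
    set of hosts allowed to reach port 49 carry the protection."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(ptype, seq_no, session_id, body, key, version=TAC_PLUS_VERSION):
    header = HEADER.pack(version, ptype, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, version, seq_no)


def parse_packet(data, key):
    """Return (version, type, seq_no, flags, session_id, clear body)."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(data[:HEADER.size])
    body = data[HEADER.size:HEADER.size + length]
    if len(body) != length:
        raise ValueError("truncated TACACS+ packet")
    return version, ptype, seq_no, flags, session_id, obfuscate(body, session_id, key, version, seq_no)


def authen_start_body(user, port=b"tty0", rem_addr=b"127.0.0.1"):
    """Authentication START for an ASCII login: carries the user, not the password."""
    fixed = struct.pack("!8B", ACTION_LOGIN, PRIV_LVL_USER, AUTHEN_TYPE_ASCII, AUTHEN_SVC_LOGIN,
                        len(user), len(port), len(rem_addr), 0)
    return fixed + user + port + rem_addr


def authen_continue_body(user_msg):
    """Authentication CONTINUE: the answer to the server's GETPASS prompt."""
    return struct.pack("!HHB", len(user_msg), 0, 0) + user_msg


def parse_reply_body(body):
    """Return (status, server_msg) from an authentication REPLY body."""
    status, _flags, msg_len, _data_len = struct.unpack("!BBHH", body[:6])
    return status, body[6:6 + msg_len]


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
    return buf


def authenticate(host, key, user, password, port=49, timeout=5.0):
    """Run one ASCII login against a TACACS+ server; True on PASS, False otherwise.
    With a wrong key the reply body decodes to garbage and the login fails."""
    session_id = struct.unpack("!I", os.urandom(4))[0]
    seq = 1
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_packet(TAC_PLUS_AUTHEN, seq, session_id, authen_start_body(user), key))
        while True:
            header = _recv_exact(sock, HEADER.size)
            packet = header + _recv_exact(sock, HEADER.unpack(header)[5])
            _, ptype, rseq, _, rsid, body = parse_packet(packet, key)
            if ptype != TAC_PLUS_AUTHEN or rsid != session_id or rseq != seq + 1:
                raise ValueError("reply out of sequence or for another session")
            status, _server_msg = parse_reply_body(body)
            if status == STATUS_PASS:
                return True
            if status != STATUS_GETPASS:
                return False            # FAIL, ERROR, RESTART or an unexpected prompt
            seq = rseq + 1              # answer the password prompt
            sock.sendall(build_packet(TAC_PLUS_AUTHEN, seq, session_id, authen_continue_body(password), key))
```

A call such as authenticate("localhost", b"<tacacs key>", b"tuser", b"<password>") mirrors the Perl test. Because the header is never obfuscated, anyone on the path can see session ids and packet types; only the body depends on the key, which is why the firewall rule for port 49 should admit only the network devices that need it.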

Testing TACACS

The following should test cleanly:

# /root/tacacs-test.pl 
Granted

If it fails, it will look like this:

# /root/tacacs-test.pl 
Denied: Authentication failed

Installing RADIUS

Install RADIUS from yum

# yum install freeradius freeradius-ldap freeradius-utils
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirror.team-cymru.com
 * epel: d2lzkl7pfhq30w.cloudfront.net
 * extras: mirror.team-cymru.com
 * updates: mirror.dal10.us.leaseweb.net
Resolving Dependencies
--> Running transaction check
---> Package freeradius.x86_64 0:3.0.13-9.el7_5 will be installed
---> Package freeradius-ldap.x86_64 0:3.0.13-9.el7_5 will be installed
---> Package freeradius-utils.x86_64 0:3.0.13-9.el7_5 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package                 Arch          Version                Repository   Size
================================================================================
Installing:
 freeradius              x86_64        3.0.13-9.el7_5         base        1.1 M
 freeradius-ldap         x86_64        3.0.13-9.el7_5         base        109 k
 freeradius-utils        x86_64        3.0.13-9.el7_5         base        221 k

Transaction Summary
================================================================================
Install  3 Packages

Total download size: 1.4 M
Installed size: 4.0 M
Is this ok [y/d/N]: y
Downloading packages:
(1/3): freeradius-ldap-3.0.13-9.el7_5.x86_64.rpm           | 109 kB   00:00     
(2/3): freeradius-utils-3.0.13-9.el7_5.x86_64.rpm          | 221 kB   00:00     
(3/3): freeradius-3.0.13-9.el7_5.x86_64.rpm                | 1.1 MB   00:00     
--------------------------------------------------------------------------------
Total                                              2.4 MB/s | 1.4 MB  00:00     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : freeradius-3.0.13-9.el7_5.x86_64                             1/3 
  Installing : freeradius-ldap-3.0.13-9.el7_5.x86_64                        2/3 
  Installing : freeradius-utils-3.0.13-9.el7_5.x86_64                       3/3 
  Verifying  : freeradius-ldap-3.0.13-9.el7_5.x86_64                        1/3 
  Verifying  : freeradius-3.0.13-9.el7_5.x86_64                             2/3 
  Verifying  : freeradius-utils-3.0.13-9.el7_5.x86_64                       3/3 

Installed:
  freeradius.x86_64 0:3.0.13-9.el7_5                                            
  freeradius-ldap.x86_64 0:3.0.13-9.el7_5                                       
  freeradius-utils.x86_64 0:3.0.13-9.el7_5                                      

Complete!

Reconfiguring for LDAP

LDAP configuration consists of several files and settings that need to be added.

First we enable the ldap module.

# ln -s /etc/raddb/mods-available/ldap /etc/raddb/mods-enabled

Edit /etc/raddb/sites-available/default. Add the following code to the authorize stanza, in the LDAP section.

        #  The ldap module reads passwords from the LDAP database.
        # -ldap
        ldap
        if ((ok || updated) && User-Password) {
                update {
                        control:Auth-Type := ldap
                }
        }

Also in /etc/raddb/sites-available/default, uncomment the following in the authenticate stanza.

        Auth-Type LDAP {
                ldap
        }

Configure for 389 Directory Server

Configure the following options in /etc/raddb/mods-available/ldap. Leave all other attributes alone.

        server = "centos-auth.home.labrats.us"
        port = 389
        identity = "cn=LDAP Query,ou=Special Users,dc=home,dc=labrats,dc=us"
        password = mypass
        base_dn = 'dc=home,dc=labrats,dc=us'
        user {
                filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        }
        group {
                filter = '(objectClass=posixGroup)'
                name_attribute = cn
                membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
        }

For SSL, use the following:

        server = "ldaps://centos-auth.home.labrats.us:636"
        # port = 389
        identity = "cn=LDAP Query,ou=Special Users,dc=home,dc=labrats,dc=us"
        password = mypass
        base_dn = 'dc=home,dc=labrats,dc=us'
        user {
                filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        }
        group {
                filter = '(objectClass=posixGroup)'
                name_attribute = cn
                membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
        }
        tls {
                require_cert    = 'never'
        }

Configure for Microsoft Active Directory Server

Configure the following options in /etc/raddb/mods-available/ldap. Leave all other attributes alone.

        server = 'dc1.home.labrats.us dc2.home.labrats.us'
        port = 389
        identity = 'cn=admin,dc=example,dc=org'
        password = mypass
        base_dn = 'dc=example,dc=org'
        user {
                filter = "(SAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
        }
        group {
                filter = '(objectClass=group)'
                name_attribute = cn
                membership_filter = "(&(objectClass=group)(member=%{control:Ldap-UserDn}))"
        }

For SSL use:

        server = 'ldaps://dc1.home.labrats.us:636 ldaps://dc2.home.labrats.us:636'
        # port = 389
        identity = 'cn=admin,dc=example,dc=org'
        password = mypass
        base_dn = 'dc=example,dc=org'
        user {
                filter = "(SAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
        }
        group {
                filter = '(objectClass=group)'
                name_attribute = cn
                membership_filter = "(&(objectClass=group)(member=%{control:Ldap-UserDn}))"
        }
        tls {
                require_cert    = 'never'
        }

Reconfiguring for PAM Authentication

PAM configuration consists of several files and settings that need to be added.

First we enable the PAM module.

# ln -s /etc/raddb/mods-available/pam /etc/raddb/mods-enabled

Edit /etc/raddb/sites-available/default. Add the following code to the end of the authorize stanza.

NOTE: THIS SUPPLEMENTS WHAT WAS DONE FOR LDAP ABOVE.

	if (&User-Password) {
		update control {
			Auth-Type := PAM
		}
	}

Also in /etc/raddb/sites-available/default, uncomment the following in the authenticate stanza.

	#  Pluggable Authentication Modules.
	pam

Configure PAM service for RADIUS

Add one of the following to the /etc/pam.d/radiusd file:

If system login is also going to LDAP

# cat > /etc/pam.d/radiusd << 'EOF'
auth       include      password-auth

# account    required   pam_access.so accessfile=/etc/security/access.cron.conf
# account    include    password-auth
account     required      pam_unix.so broken_shadow
account     required      pam_access.so accessfile=/etc/security/access.cron.conf
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so
EOF

If RADIUS is going directly to LDAP

# cat > /etc/pam.d/radiusd << 'EOF'
#%PAM-1.0
auth        sufficient    /usr/lib64/security/pam_unix.so likeauth nullok
auth        sufficient    /usr/lib64/security/pam_ldap.so use_first_pass
auth        required      /usr/lib64/security/pam_deny.so
account     [default=bad success=ok user_unknown=ignore] /usr/lib64/security/pam_ldap.so
account     required      /usr/lib64/security/pam_permit.so
EOF
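The "directly to LDAP" stack above (used both for /etc/pam.d/tac_plus and for /etc/pam.d/radiusd) relies on the ordering of sufficient and required modules and on the bracketed control for pam_ldap in the account phase. The following simulator is an added example, not from this page or from Linux-PAM: it parses that stack and walks it the way libpam evaluates control flags, with each module's return code supplied by hand, so you can see which module decides the outcome for a local user, an LDAP user and a bad password, and why user_unknown=ignore is needed for local accounts to pass the account phase. The stack text is a constructed copy of the snippet above; nothing is authenticated.

```python
"""Simulator for the Linux-PAM control flags used in the tac_plus and radiusd stacks.

Added example, not from the page or Linux-PAM.  Module return codes are
supplied by hand; no module is actually loaded.
"""

# The keyword controls are shorthand for these [result=action] tables (pam.conf(5)).
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

# Constructed copy of the "going directly to LDAP" stack shown on the page.
DIRECT_LDAP_STACK = """\
#%PAM-1.0
auth        sufficient    /usr/lib64/security/pam_unix.so likeauth nullok
auth        sufficient    /usr/lib64/security/pam_ldap.so use_first_pass
auth        required      /usr/lib64/security/pam_deny.so
account     [default=bad success=ok user_unknown=ignore] /usr/lib64/security/pam_ldap.so
account     required      /usr/lib64/security/pam_permit.so
"""


def parse_stack(text, facility):
    """Return [(control_table, module_name)] for one facility (auth, account, ...)."""
    stack = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("#") or tokens[0] != facility:
            continue
        if tokens[1] in ("include", "substack"):
            raise ValueError("include/substack not simulated; inline the referenced file")
        if tokens[1].startswith("["):
            end = next(i for i, t in enumerate(tokens) if t.endswith("]"))
            control = dict(p.split("=", 1) for p in " ".join(tokens[1:end + 1]).strip("[]").split())
            module = tokens[end + 1]
        else:
            control, module = KEYWORDS[tokens[1]], tokens[2]
        stack.append((control, module.rsplit("/", 1)[-1]))     # drop /usr/lib64/security/
    return stack


def evaluate(stack, results):
    """Walk one facility's stack the way libpam does.  `results` maps module
    name -> the code that module would return ('success', 'user_unknown',
    'auth_err', 'acct_expired', ...).  Returns 'success' or the failure that
    decided the outcome."""
    status = None                             # None: no module has contributed yet
    for control, module in stack:
        rc = results[module]
        action = control.get(rc, control.get("default", "bad"))
        if action == "ignore":
            continue                          # e.g. user_unknown=ignore, or a failed 'sufficient'
        if action not in ("ok", "done", "bad", "die"):
            raise ValueError("jump/reset actions not simulated: " + action)
        if status in (None, "success"):
            status = rc                       # a failure sticks; a later success cannot override it
        if action == "die" or (action == "done" and status == "success"):
            break                             # requisite failure, or sufficient success with no earlier failure
    return status or "perm_denied"            # nothing granted: libpam denies


def run_scenarios():
    auth, account = parse_stack(DIRECT_LDAP_STACK, "auth"), parse_stack(DIRECT_LDAP_STACK, "account")
    deny = {"pam_deny.so": "auth_err"}        # pam_deny fails every call
    return {
        "auth: local user, good password": evaluate(auth, {"pam_unix.so": "success", "pam_ldap.so": "success", **deny}),
        "auth: ldap user, good password":  evaluate(auth, {"pam_unix.so": "user_unknown", "pam_ldap.so": "success", **deny}),
        "auth: ldap user, bad password":   evaluate(auth, {"pam_unix.so": "user_unknown", "pam_ldap.so": "auth_err", **deny}),
        "account: ldap user, expired":     evaluate(account, {"pam_ldap.so": "acct_expired", "pam_permit.so": "success"}),
        "account: local user":             evaluate(account, {"pam_ldap.so": "user_unknown", "pam_permit.so": "success"}),
    }
```

Two things the scenarios make visible: pam_deny at the end is what turns "neither sufficient module succeeded" into a definite failure, and in the account phase an expired LDAP account is rejected even though pam_permit succeeds afterwards, because a failure recorded by default=bad cannot be overridden by a later success.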

Firewall Configuration

Open the RADIUS authentication port (1812/udp) in the host firewall (firewalld, which manages the iptables rules):

# firewall-cmd --permanent --add-port=1812/udp

Reload the firewall rules

# firewall-cmd --reload

Testing RADIUS

Starting RADIUS in debug mode

Start the RADIUS service in debug mode to confirm that it starts cleanly; this is also helpful for testing.

# radiusd -d /etc/raddb -X

This will display a lot of messages, but if successful it ends with the following.

Ready to process requests

Create RADIUS test file

Create this test file:

# echo "User-Name=tuser2,User-Password=somepass" > /root/rad-test

Testing RADIUS

If you are running the service in debug mode, in another window, run the following command.

# cat /root/rad-test | radclient 127.0.0.1:1812 auth testing123 

The following should test cleanly:

# cat /root/rad-test | radclient 127.0.0.1:1812 auth testing123 
Sent Access-Request Id 162 from 0.0.0.0:44269 to 127.0.0.1:1812 length 44
Received Access-Accept Id 162 from 127.0.0.1:1812 to 0.0.0.0:0 length 20

If it fails, it will look something like this:

# cat /root/rad-test | radclient 127.0.0.1:1812 auth testing123 
Sent Access-Request Id 193 from 0.0.0.0:41662 to 127.0.0.1:1812 length 44
Received Access-Reject Id 193 from 127.0.0.1:1812 to 0.0.0.0:0 length 20
(0) -: Expected Access-Accept got Access-Reject
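radclient hides two details that matter when you debug a reject or suspect the shared secret: how User-Password is hidden with the secret and the Request Authenticator, and how the Response Authenticator proves that the Access-Accept came from a server that knows the same secret. The following client is an added example, not part of this page or of FreeRADIUS, that sends the same Access-Request as the rad-test file above and verifies the reply. Host, secret and credentials are placeholders; the encoding and verification functions can be exercised without a server.

```python
"""RADIUS (RFC 2865) Access-Request client with Response Authenticator check.

Added example, not from the page or FreeRADIUS.  Host, secret and credentials
given to radius_auth() are assumed placeholders.
"""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_REPLY_MESSAGE = 1, 2, 18


def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password: what the server does before checking the password."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")


def avp(attr_type, value):
    """One attribute-value pair: type, total length, value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_avps(data):
    pairs = []
    while len(data) >= 2:
        attr_type, length = data[0], data[1]
        if length < 2 or length > len(data):
            raise ValueError("malformed attribute")
        pairs.append((attr_type, data[2:length]))
        data = data[length:]
    return pairs


def build_access_request(ident, user, password, secret, request_auth):
    attrs = avp(ATTR_USER_NAME, user) + avp(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def response_authenticator(code, ident, attrs, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code, ident, attrs, request_auth, secret):
    """What a server that knows the secret sends back (used for the offline check)."""
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs


def response_is_authentic(response, request_auth, secret):
    """False on a bad length or a Response Authenticator mismatch, i.e. a reply
    from a host without the secret or a packet altered in transit."""
    if len(response) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response):
        return False
    expected = response_authenticator(code, ident, response[20:], request_auth, secret)
    return hmac.compare_digest(expected, response[4:20])


def radius_auth(host, secret, user, password, port=1812, timeout=3.0):
    """Send one Access-Request; return (accepted, reply_message)."""
    ident, request_auth = os.urandom(1)[0], os.urandom(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_access_request(ident, user, password, secret, request_auth), (host, port))
        data, _ = sock.recvfrom(4096)
    if not response_is_authentic(data, request_auth, secret) or data[1] != ident:
        raise ValueError("reply failed the authenticator/identifier check: wrong secret or forged reply")
    messages = [v for t, v in parse_avps(data[20:]) if t == ATTR_REPLY_MESSAGE]
    return data[0] == ACCESS_ACCEPT, b" ".join(messages).decode("utf-8", "replace")
```

radius_auth("127.0.0.1", b"testing123", b"tuser2", b"somepass") corresponds to the radclient invocation above. Note that the password hiding is a keyed MD5 stream, so the protection of user passwords rests entirely on the shared secret; the default testing123 client secret that the test uses must be replaced for any real NAS entry in /etc/raddb/clients.conf.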

Enabling and Starting RADIUS

To enable the RADIUS daemon

# systemctl enable radiusd
Created symlink from /etc/systemd/system/multi-user.target.wants/radiusd.service to /usr/lib/systemd/system/radiusd.service.

To start the RADIUS daemon

# systemctl start radiusd

Advanced RADIUS Configuration

TLS Configuration

In /etc/raddb/mods-available/ldap, make the following configuration changes to enable TLS (StartTLS on the standard LDAP port).

        tls {
                start_tls = yes
                require_cert    = 'allow'
        }

Alternatively, you can use SSL (LDAPS on port 636) instead of StartTLS.

        server = "ldaps://dc1.home.labrats.us:636 ldaps://dc2.home.labrats.us:636"
#       port = 389
        tls {
                start_tls = no
                require_cert    = 'never'
        }
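The nslcd.conf files earlier on this page and the FreeRADIUS ldap module settings above and in the two "Configure for ..." sections each contain the same three decisions: whether the connection is plaintext LDAP, LDAPS or StartTLS; whether the server certificate is verified (tls_reqcert in nslcd, require_cert in FreeRADIUS); and where the bind password is stored. The following audit script is an added example, not from this page, nss-pam-ldapd or FreeRADIUS: it parses both file formats, reduces them to those settings and lists findings. The sample configs are constructed copies of the page's snippets trimmed to the relevant lines; nothing connects to a directory.

```python
"""Audit transport settings in nslcd.conf and the FreeRADIUS ldap module.

Added example, not from the page, nss-pam-ldapd or FreeRADIUS.  Samples are
constructed copies of the page's snippets; nothing connects to a directory.
"""


def parse_nslcd(text):
    """nslcd.conf: one `key value` per line, # comments; keys may repeat."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            settings.setdefault(key.lower(), []).append(value.strip())
    return settings


def parse_raddb_ldap(text):
    """FreeRADIUS `key = value` with nested `name { }` blocks; nested keys come
    back as dotted names such as tls.require_cert.  Quotes are stripped."""
    settings, path = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.endswith("{"):
            path.append(line[:-1].strip())
        elif line == "}":
            path.pop()
        elif "=" in line:
            key, value = line.split("=", 1)
            settings.setdefault(".".join(path + [key.strip()]), []).append(value.strip().strip("'\""))
    return settings


def audit(servers, tls_on, require_cert, has_bindpw, file_mode):
    """Checks shared by both formats once normalised.  tls_on covers LDAPS as
    well as StartTLS; require_cert is the verification mode, or 'unset'."""
    findings = []
    for server in servers:
        scheme = server.split("://", 1)[0].lower() if "://" in server else "ldap"
        if scheme == "ldap" and not tls_on:
            findings.append(f"{server}: plaintext LDAP, bind and user passwords are sent unencrypted")
    encrypted = tls_on or any(s.lower().startswith("ldaps://") for s in servers)
    if encrypted and require_cert in ("never", "allow"):
        findings.append(f"certificate verification is '{require_cert}': a spoofed directory "
                        "can collect every password this host forwards")
    if has_bindpw and file_mode is not None and file_mode & 0o077:
        findings.append(f"bind password stored in a file with mode {file_mode:04o}; expected 0600")
    return findings


def audit_nslcd(text, file_mode=None):
    s = parse_nslcd(text)
    ssl = s.get("ssl", ["off"])[-1].lower()              # off | on (LDAPS) | start_tls
    return audit(" ".join(s.get("uri", [])).split(), ssl in ("on", "start_tls"),
                 s.get("tls_reqcert", ["demand"])[-1].lower(), "bindpw" in s, file_mode)


def audit_raddb_ldap(text, file_mode=None):
    s = parse_raddb_ldap(text)
    start_tls = s.get("tls.start_tls", ["no"])[-1].lower() == "yes"
    return audit(" ".join(s.get("server", [])).split(), start_tls,
                 s.get("tls.require_cert", ["unset"])[-1].lower(), "password" in s, file_mode)


# Constructed copies of the page's snippets, trimmed to the relevant lines.
NSLCD_389 = """\
uri ldaps://centos-auth.home.labrats.us
binddn cn=LDAP Query,ou=Special Users,dc=home,dc=labrats,dc=us
bindpw <bindpasswd>
ssl on
tls_cacert /etc/openldap/cacerts/labrats_ca.pem
tls_reqcert demand
"""
NSLCD_AD = """\
uri ldaps://dc1.home.labrats.us ldaps://dc2.home.labrats.us
binddn CN=LDAP Query,OU=Service Accounts,DC=home,DC=labrats,DC=us
bindpw <bind password>
ssl on
tls_reqcert never
"""
RADDB_389_PLAIN = """\
        server = "centos-auth.home.labrats.us"
        port = 389
        password = mypass
"""
RADDB_AD_LDAPS = """\
        server = 'ldaps://dc1.home.labrats.us:636 ldaps://dc2.home.labrats.us:636'
        # port = 389
        password = mypass
        tls {
                require_cert    = 'never'
        }
"""
RADDB_STARTTLS = """\
        server = 'dc1.home.labrats.us dc2.home.labrats.us'
        password = mypass
        tls {
                start_tls = yes
                require_cert    = 'allow'
        }
"""


def run_audits():
    return {
        "nslcd 389-DS": audit_nslcd(NSLCD_389, file_mode=0o600),
        "nslcd AD": audit_nslcd(NSLCD_AD, file_mode=0o644),
        "raddb 389-DS plain": audit_raddb_ldap(RADDB_389_PLAIN),
        "raddb AD ldaps": audit_raddb_ldap(RADDB_AD_LDAPS),
        "raddb StartTLS": audit_raddb_ldap(RADDB_STARTTLS),
    }
```

On real files, pass the mode from os.stat(path).st_mode & 0o777. Of the page's own snippets only the 389-DS nslcd configuration comes back clean: the Active Directory nslcd file and both LDAPS FreeRADIUS variants disable certificate verification, and the port-389 FreeRADIUS variant without StartTLS sends the bind password and every user password in the clear.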

LDAP Group Membership

You can configure group matches in the /etc/raddb/mods-config/files/authorize file. Membership in one of these LDAP groups causes RADIUS to return the listed reply items.

DEFAULT Ldap-Group == "radius-deviceaccess-admin"
        Reply-Message = "Hello %{User-Name} (admin)",
        Cisco-AVPair = "shell:priv-lvl=15",
        Fall-Through = No,
        Framed-Filter-Id=":group_name=admin"

DEFAULT Ldap-Group == "radius-deviceaccess-readonly"
        Reply-Message = "Hello %{User-Name} (readonly)",
        Cisco-AVPair = "shell:priv-lvl=1",
        Fall-Through = No,
        Framed-Filter-Id=":group_name=users"

LDAP Profiles

Extending the 389ds schema to include RADIUS attributes

Add the following to /etc/dirsrv/<instance>/schema/98radius.ldif file and restart the directory server.

# This is a LDAPv3 schema for RADIUS attributes.
#
# $Id: 98radius.ldif,v 1.1 2012/12/03 23:16:20 sfiggins Exp $
#
# Tested on OpenLDAP 2.0.7
# Posted by Javier Fernandez-Sanguino Pena <jfernandez@sgi.es>
# LDAP v3 version by Jochen Friedrich <jochen@scram.de>
# Updates by Adrian Pavlykevych <pam@polynet.lviv.ua>
#
# Ported to Red Hat DS by Sean W. Figgins, Manager, Security, tw telecom on 2008-11-25
#
#############
#
dn: cn=schema
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.1 NAME 'radiusArapFeatures' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.2 NAME 'radiusArapSecurity' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.3 NAME 'radiusArapZoneAccess' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.44 NAME 'radiusAuthType' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.4 NAME 'radiusCallbackId' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.5 NAME 'radiusCallbackNumber' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.6 NAME 'radiusCalledStationId' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.7 NAME 'radiusCallingStationId' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.8 NAME 'radiusClass' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.45 NAME 'radiusClientIPAddress' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.9 NAME 'radiusFilterId' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.10 NAME 'radiusFramedAppleTalkLink' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.11 NAME 'radiusFramedAppleTalkNetwork' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.12 NAME 'radiusFramedAppleTalkZone' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.13 NAME 'radiusFramedCompression' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.14 NAME 'radiusFramedIPAddress' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.15 NAME 'radiusFramedIPNetmask' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.16 NAME 'radiusFramedIPXNetwork' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.17 NAME 'radiusFramedMTU' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.18 NAME 'radiusFramedProtocol' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.19 NAME 'radiusFramedRoute' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.20 NAME 'radiusFramedRouting' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.46 NAME 'radiusGroupName' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.47 NAME 'radiusHint' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.48 NAME 'radiusHuntgroupName' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.21 NAME 'radiusIdleTimeout' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.22 NAME 'radiusLoginIPHost' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.23 NAME 'radiusLoginLATGroup' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.24 NAME 'radiusLoginLATNode' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.25 NAME 'radiusLoginLATPort' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.26 NAME 'radiusLoginLATService' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.27 NAME 'radiusLoginService' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.28 NAME 'radiusLoginTCPPort' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.29 NAME 'radiusPasswordRetry' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.30 NAME 'radiusPortLimit' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.49 NAME 'radiusProfileDn' DESC '' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.31 NAME 'radiusPrompt' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.50 NAME 'radiusProxyToRealm' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.51 NAME 'radiusReplicateToRealm' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.52 NAME 'radiusRealm' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.32 NAME 'radiusServiceType' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.33 NAME 'radiusSessionTimeout' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.34 NAME 'radiusTerminationAction' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.35 NAME 'radiusTunnelAssignmentId' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.36 NAME 'radiusTunnelMediumType' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.37 NAME 'radiusTunnelPassword' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.38 NAME 'radiusTunnelPreference' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) 
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.39 NAME 'radiusTunnelPrivateGroupId' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.40 NAME 'radiusTunnelServerEndpoint' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.41 NAME 'radiusTunnelType' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.42 NAME 'radiusVSA' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.43 NAME 'radiusTunnelClientEndpoint' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.53 NAME 'radiusSimultaneousUse' DESC '' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.54 NAME 'radiusLoginTime' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.55 NAME 'radiusUserCategory' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.56 NAME 'radiusStripUserName' DESC '' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.57 NAME 'dialupAccess' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.58 NAME 'radiusExpiration' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.59 NAME 'radiusCheckItem' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.60 NAME 'radiusReplyItem' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
objectClasses: ( 1.3.6.1.4.1.3317.4.3.2.1 NAME 'radiusprofile' SUP top AUXILIARY DESC '' MUST cn MAY ( radiusArapFeatures $ radiusArapSecurity $ radiusArapZoneAccess $ radiusAuthType $ radiusCallbackId $ radiusCallbackNumber $ radiusCalledStationId $ radiusCallingStationId $ radiusClass $ radiusClientIPAddress $ radiusFilterId $ radiusFramedAppleTalkLink $ radiusFramedAppleTalkNetwork $ radiusFramedAppleTalkZone $ radiusFramedCompression $ radiusFramedIPAddress $ radiusFramedIPNetmask $ radiusFramedIPXNetwork $ radiusFramedMTU $ radiusFramedProtocol $ radiusCheckItem $ radiusReplyItem $ radiusFramedRoute $ radiusFramedRouting $ radiusIdleTimeout $ radiusGroupName $ radiusHint $ radiusHuntgroupName $ radiusLoginIPHost $ radiusLoginLATGroup $ radiusLoginLATNode $ radiusLoginLATPort $ radiusLoginLATService $ radiusLoginService $ radiusLoginTCPPort $ radiusLoginTime $ radiusPasswordRetry $ radiusPortLimit $ radiusPrompt $ radiusProxyToRealm $ radiusRealm $ radiusReplicateToRealm $ radiusServiceType $ radiusSessionTimeout $ radiusStripUserName $ radiusTerminationAction $ radiusTunnelClientEndpoint $ radiusProfileDn $ radiusSimultaneousUse $ radiusTunnelAssignmentId $ radiusTunnelMediumType $ radiusTunnelPassword $ radiusTunnelPreference $ radiusTunnelPrivateGroupId $ radiusTunnelServerEndpoint $ radiusTunnelType $ radiusUserCategory $ radiusVSA $ radiusExpiration $ dialupAccess ) )

Adding Reply Items to users

Create the following config file:

# cat >  /tmp/addattr.ldif << 'EOF'
dn: uid=test,ou=People,dc=home,dc=labrats,dc=us
changetype: modify
add: ObjectClass
ObjectClass: radiusprofile
-
add: radiusReplyItem
radiusReplyItem: Cambium-Canopy-UserLevel="2"
-
add: radiusReplyItem
radiusReplyItem: Cambium-Canopy-UserMode="0"
EOF

Apply the configuration:

# ldapmodify -cx -D "cn=directory manager" -W -h localhost -f /tmp/addattr.ldif

Modify /etc/raddb/mods-enabled/ldap file

In the update section, change:

                reply:                          += 'radiusReplyAttribute'

to:

                reply:                          += 'radiusReplyItem'

In the profile section, uncomment filter and attribute:

        profile {
                #  Filter for RADIUS profile objects
                filter = '(objectclass=radiusprofile)'

                #  The default profile.  This may be a DN or an attribute
                #  reference.
                #  To get old v2.2.x style behaviour, or to use the
                #  &User-Profile attribute to specify the default profile,
                #  set this to &control:User-Profile.
#               default = 'cn=radprofile,dc=example,dc=org'

                #  The LDAP attribute containing profile DNs to apply
                #  in addition to the default profile above.  These are
                #  retrieved from the user object, at the same time as the
                #  attributes from the update section, are are applied
                #  if authorization is successful.
                attribute = 'radiusProfileDn'
        }

Extending RADIUS

It may be necessary to extend RADIUS with custom attributes that are not otherwise part of the above deployment. An example is RADIUS authentication for the Cambium cnMaestro server, which does not use a VSA. If at all possible, push the vendor to create a VSA: reusing standard or extended RADIUS attribute numbers can cause conflicts between the different platforms that share the RADIUS deployment.

In this example, we will add the RADIUS attribute "Role" to the deployment.

Edit the LDAP Schema

Edit /etc/dirsrv/<instance>/schema/98radius.ldif to add the following:

attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.61 NAME 'radiusRole' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

Also change the following line:

objectClasses: ( 1.3.6.1.4.1.3317.4.3.2.1 NAME 'radiusprofile' SUP top AUXILIARY DESC '' MUST cn MAY ( radiusArapFeatures $ radiusArapSecurity $ radiusArapZoneAccess $ radiusAuthType $ radiusCallbackId $ radiusCallbackNumber $ radiusCalledStationId $ radiusCallingStationId $ radiusClass $ radiusClientIPAddress $ radiusFilterId $ radiusFramedAppleTalkLink $ radiusFramedAppleTalkNetwork $ radiusFramedAppleTalkZone $ radiusFramedCompression $ radiusFramedIPAddress $ radiusFramedIPNetmask $ radiusFramedIPXNetwork $ radiusFramedMTU $ radiusFramedProtocol $ radiusCheckItem $ radiusReplyItem $ radiusFramedRoute $ radiusFramedRouting $ radiusIdleTimeout $ radiusGroupName $ radiusHint $ radiusHuntgroupName $ radiusLoginIPHost $ radiusLoginLATGroup $ radiusLoginLATNode $ radiusLoginLATPort $ radiusLoginLATService $ radiusLoginService $ radiusLoginTCPPort $ radiusLoginTime $ radiusPasswordRetry $ radiusPortLimit $ radiusPrompt $ radiusProxyToRealm $ radiusRealm $ radiusReplicateToRealm $ radiusServiceType $ radiusSessionTimeout $ radiusStripUserName $ radiusTerminationAction $ radiusTunnelClientEndpoint $ radiusProfileDn $ radiusSimultaneousUse $ radiusTunnelAssignmentId $ radiusTunnelMediumType $ radiusTunnelPassword $ radiusTunnelPreference $ radiusTunnelPrivateGroupId $ radiusTunnelServerEndpoint $ radiusTunnelType $ radiusUserCategory $ radiusVSA $ radiusExpiration $ dialupAccess ) )

to the below:

objectClasses: ( 1.3.6.1.4.1.3317.4.3.2.1 NAME 'radiusprofile' SUP top AUXILIARY DESC '' MUST cn MAY ( radiusArapFeatures $ radiusArapSecurity $ radiusArapZoneAccess $ radiusAuthType $ radiusCallbackId $ radiusCallbackNumber $ radiusCalledStationId $ radiusCallingStationId $ radiusClass $ radiusClientIPAddress $ radiusFilterId $ radiusFramedAppleTalkLink $ radiusFramedAppleTalkNetwork $ radiusFramedAppleTalkZone $ radiusFramedCompression $ radiusFramedIPAddress $ radiusFramedIPNetmask $ radiusFramedIPXNetwork $ radiusFramedMTU $ radiusFramedProtocol $ radiusCheckItem $ radiusReplyItem $ radiusFramedRoute $ radiusFramedRouting $ radiusIdleTimeout $ radiusGroupName $ radiusHint $ radiusHuntgroupName $ radiusLoginIPHost $ radiusLoginLATGroup $ radiusLoginLATNode $ radiusLoginLATPort $ radiusLoginLATService $ radiusLoginService $ radiusLoginTCPPort $ radiusLoginTime $ radiusPasswordRetry $ radiusPortLimit $ radiusPrompt $ radiusProxyToRealm $ radiusRealm $ radiusReplicateToRealm $ radiusServiceType $ radiusSessionTimeout $ radiusStripUserName $ radiusTerminationAction $ radiusTunnelClientEndpoint $ radiusProfileDn $ radiusSimultaneousUse $ radiusTunnelAssignmentId $ radiusTunnelMediumType $ radiusTunnelPassword $ radiusTunnelPreference $ radiusTunnelPrivateGroupId $ radiusTunnelServerEndpoint $ radiusTunnelType $ radiusUserCategory $ radiusVSA $ radiusExpiration $ dialupAccess $ radiusRole ) )

Once complete, restart the directory server and verify that it is running.
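Before restarting, a consistency check on the edited 98radius.ldif catches the two mistakes a hand edit usually makes: the new attribute is listed in the radiusprofile MAY list without an attributeTypes definition (or the reverse), or its OID collides with an existing one. The script below is an added example, not from the wiki page or from 389-DS; the schema excerpt it ships with is constructed from a few of the page's lines plus the new radiusRole, and the parser assumes the single-quoted NAME form used throughout this file.

```python
"""Sanity-check a hand-edited 389-DS schema file such as 98radius.ldif.
Added example (not part of the wiki page or of 389-DS). It assumes each
definition uses the single-quoted "NAME 'x'" form seen in 98radius.ldif."""
import re
import sys
from dataclasses import dataclass, field
from typing import List

# Constructed excerpt: three attributeTypes from the page plus the new 'radiusRole',
# and a shortened radiusprofile objectClass that lists all three in its MAY list.
SAMPLE_SCHEMA = """\
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.59 NAME 'radiusCheckItem' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.60 NAME 'radiusReplyItem' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.61 NAME 'radiusRole' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
objectClasses: ( 1.3.6.1.4.1.3317.4.3.2.1 NAME 'radiusprofile' SUP top AUXILIARY DESC '' MUST cn MAY ( radiusCheckItem $ radiusReplyItem $ radiusRole ) )
"""

ATTR_RE = re.compile(r"^attributeTypes:\s*\(\s*(\S+)\s+NAME\s+'([^']+)'", re.I)
OC_RE = re.compile(r"^objectClasses:\s*\(\s*(\S+)\s+NAME\s+'([^']+)'(?:.*?\bMAY\s*\(([^)]*)\))?", re.I)

@dataclass
class SchemaDef:
    kind: str                                    # "attributeTypes" or "objectClasses"
    oid: str
    name: str
    may: List[str] = field(default_factory=list)  # MAY attributes, objectClasses only

def unfold_ldif(text: str) -> List[str]:
    """Rejoin LDIF continuation lines (a leading space continues the previous line)
    and drop blank lines and comments."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
    return lines

def parse_schema(text: str) -> List[SchemaDef]:
    defs: List[SchemaDef] = []
    for line in unfold_ldif(text):
        m = ATTR_RE.match(line)
        if m:
            defs.append(SchemaDef("attributeTypes", m.group(1), m.group(2)))
            continue
        m = OC_RE.match(line)
        if m:
            may = [a.strip() for a in (m.group(3) or "").split("$") if a.strip()]
            defs.append(SchemaDef("objectClasses", m.group(1), m.group(2), may))
    return defs

def check_schema(text: str) -> List[str]:
    """Return the list of problems found; an empty list means the file is consistent."""
    defs = parse_schema(text)
    problems: List[str] = []
    by_oid, seen_names = {}, set()
    for d in defs:
        if d.oid in by_oid:
            problems.append(f"OID {d.oid} is used by both '{by_oid[d.oid]}' and '{d.name}'")
        by_oid.setdefault(d.oid, d.name)
        key = (d.kind, d.name.lower())           # LDAP names are case-insensitive
        if key in seen_names:
            problems.append(f"{d.kind} '{d.name}' is defined twice")
        seen_names.add(key)
    attr_names = {d.name.lower() for d in defs if d.kind == "attributeTypes"}
    referenced = set()
    for d in defs:
        if d.kind == "objectClasses":
            for a in d.may:
                referenced.add(a.lower())
                if a.lower() not in attr_names:
                    problems.append(f"objectClass '{d.name}' allows undefined attribute '{a}'")
    # MUST attributes such as 'cn' live in other schema files, so only MAY is
    # cross-checked; an attribute no class allows is usually the forgotten half of an edit.
    for d in defs:
        if d.kind == "attributeTypes" and d.name.lower() not in referenced:
            problems.append(f"attribute '{d.name}' is defined but no objectClass allows it")
    return problems

if __name__ == "__main__":
    # Check the file given on the command line, or the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SCHEMA
    issues = check_schema(text)
    print("\n".join(issues) or "schema is consistent")
    sys.exit(1 if issues else 0)
```

Run it as `python3 check_schema.py /etc/dirsrv/<instance>/schema/98radius.ldif` (the script name is whatever you save it as); a non-zero exit means fix the file before restarting dirsrv.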

Edit the RADIUS configuration

Edit /etc/raddb/mods-available/ldap. Find the below section:

        update {
                control:Password-With-Header    += 'userPassword'
#               control:NT-Password             := 'ntPassword'
#               reply:Reply-Message             := 'radiusReplyMessage'
#               reply:Tunnel-Type               := 'radiusTunnelType'
#               reply:Tunnel-Medium-Type        := 'radiusTunnelMediumType'
#               reply:Tunnel-Private-Group-ID   := 'radiusTunnelPrivategroupId'

Add the following configuration:

                reply:Role                      += 'radiusRole'

Edit /etc/raddb/dictionary. Add the following line:

ATTRIBUTE      Role                    209     string

Adding the RADIUS attribute to the LDAP user

Create the following config file:

# cat >  /tmp/addattr2.ldif << 'EOF'
dn: uid=test,ou=People,dc=home,dc=labrats,dc=us
changetype: modify
add: radiusRole
radiusRole: super
EOF

Apply the configuration:

# ldapmodify -cx -D "cn=directory manager" -W -h localhost -f /tmp/addattr2.ldif

Verifying that this worked

Start the RADIUS server in debug mode:

# radiusd -d /etc/raddb -X

In another window, run the following command:

# cat /root/rad-test | radclient 127.0.0.1:1812 auth testing123

You should receive the following in the command window:

Sent Access-Request Id 51 from 0.0.0.0:20976 to 127.0.0.1:1812 length 44
Received Access-Accept Id 51 from 127.0.0.1:1812 to 0.0.0.0:0 length 51

In your debug window, you should see the following:

(0)   Role += "super"

Directory Server Modifications

ACIs

Creating a user that can manage the directory users.

Creating the Special User:

# cat > /tmp/serviceadd.ldif << 'EOF'
dn: cn=adpdbadmin,ou=Special Users,dc=home,dc=labrats,dc=us
objectClass: posixGroup
objectClass: top
cn: adpdbadmin
userPassword: {crypt}x
gidNumber: 65000
EOF

Adding the user to the directory:

# ldapadd -cx -D "cn=directory manager" -W -h localhost -f /tmp/serviceadd.ldif
Enter LDAP Password: 
adding new entry "cn=adpdbadmin,ou=Special Users,dc=home,dc=labrats,dc=us"

Setting the user password:

# LDAPTLS_REQCERT=never ldappasswd -S -x -W -D "cn=directory manager" "cn=adpdbadmin,ou=Special Users,dc=home,dc=labrats,dc=us"
New password: 
Re-enter new password: 
Enter LDAP Password: 

- or -

# LDAPTLS_REQCERT=never ldappasswd -W -D "cn=directory manager" "cn=adpdbadmin,ou=Special Users,dc=home,dc=labrats,dc=us"
Enter LDAP Password: 
New password: <new password>

Creating the ACI:

# cat > /tmp/aci.ldif << 'EOF'
dn: ou=People,dc=home,dc=labrats,dc=us
changetype: modify
add: aci
aci: (targetattr="*")(version 3.0; acl "give adpdbadmin full rights"; allow (all) userdn =  "ldap:///cn=adpdbadmin,ou=Special Users,dc=home,dc=labrats,dc=us";)
EOF

Applying the ACI:

# ldapmodify -D "cn=Directory Manager" -W -f /tmp/aci.ldif
Processing MODIFY request for ou=People,dc=home,dc=labrats,dc=us
MODIFY operation successful for DN ou=People,dc=home,dc=labrats,dc=us


Replication

For replication to work, you need to have at least two directory servers set up. One will be the supplier (master) and the other will be the consumer (replica). The supplier will keep a log of all changes and will push those changes to the consumer. Other designs have multiple suppliers, consumers and hubs. We will only discuss the single supplier and consumer setup.

Create Replication Users

On both the suppliers and consumers, you need to add a replication user.

cat > /tmp/replicationuser.ldif << 'EOF'
dn: cn=replication manager,cn=config
objectClass: posixGroup
objectClass: top
cn: replication manager
userPassword: {crypt}x
gidNumber: 65000
EOF
# ldapadd -cx -D "cn=directory manager" -W -h localhost -f /tmp/replicationuser.ldif


Change user password

# LDAPTLS_REQCERT=never ldappasswd -ZZ -S -x -W -D "cn=directory manager" "cn=replication manager,cn=config"
New password: 
Re-enter new password: 
Enter LDAP Password: 

- or -

# LDAPTLS_REQCERT=never ldappasswd -ZZ -W -D "cn=directory manager" "cn=replication manager,cn=config"
Enter LDAP Password: 
New password: <new password>

Create ChangeLog on Supplier

Create the following on every supplier (in our case just the single master). Remember to change the instance name in the file!

cat > /tmp/changelog.ldif << EOF
dn: cn=changelog5,cn=config
changetype: add
objectclass: top
objectclass: extensibleObject
cn: changelog5
nsslapd-changelogdir: /var/lib/dirsrv/slapd-instance_name/changelogdb
nsslapd-changelogmaxage: 10d
EOF
  • nsslapd-changelogdir sets the directory where the changelog is kept.
  • nsslapd-changelogmaxage sets how long the changelog is kept; since the changelog can get very large, this helps trim the changelog to prevent affecting server performance and using up disk space. If this parameter is not set, the default is for the changelog to be kept forever.

Add this to the server:

# ldapmodify -D "cn=Directory Manager" -W -f /tmp/changelog.ldif


Create the supplier replica

Create the following on every supplier (in our case just the single master). Remember to change the instance name and domain in the file!

cat > /tmp/supplier.ldif << EOF
dn: cn=replica,cn=dc\=example\,dc\=com,cn=mapping tree,cn=config
changetype: add
objectclass: top
objectclass: nsds5replica
objectclass: extensibleObject
cn: replica
nsds5replicaroot: dc=example,dc=com
nsds5replicaid: 7
nsds5replicatype: 3
nsds5flags: 1
nsds5ReplicaPurgeDelay: 604800
nsds5ReplicaBindDN: cn=replication manager,cn=config
EOF
  • nsds5replicaroot sets the subtree (suffix) which is being replicated.
  • nsds5replicatype sets what kind of replica this database is. For either a single master or a multi-master supplier, this value must be 3.
  • nsds5replicaid sets the replica ID. The value must be unique among all suppliers and hubs; the valid range is 1 to 65534.
  • nsds5ReplicaPurgeDelay sets how long an entry holds its status information or how long a tombstone entry is kept before deleting the information. The default value is 604800 (one week).
  • nsds5flags sets whether the replica writes to the changelog. For a supplier, this value must be 1.

Add this to the server:

# ldapmodify -D "cn=Directory Manager" -W -f /tmp/supplier.ldif

Configuring Consumers

Create the following on every consumer (in our case just the single consumer). Remember to change the domain in the file!

cat > /tmp/consumer.ldif << EOF
dn: cn=replica,cn=dc\=example\,dc\=com,cn=mapping tree,cn=config
changetype: add
objectclass: top
objectclass: nsds5replica
objectclass: extensibleObject
cn: replica
nsds5replicaroot: dc=example,dc=com
nsds5replicaid: 65535
nsds5replicatype: 2
nsds5ReplicaBindDN: cn=replication manager,cn=config
nsds5flags: 0
EOF
  • nsds5replicaroot sets the subtree (suffix) which is being replicated.
  • nsds5replicatype sets what kind of replica this database is. For a consumer, this value must be 2.
  • nsds5ReplicaBindDN gives the DN as which the supplier binds to the consumer to make changes.
  • nsds5flags sets whether the replica writes to the changelog. For a consumer, this value must be 0.

Add this to the server:

# ldapmodify -D "cn=Directory Manager" -W -f /tmp/consumer.ldif

Configuring Replication Agreements

When setting up replication agreements, first set them up between all suppliers, then between the suppliers and the hubs, and last between the hub and the consumers.

Create the following on every supplier (in our case just the single master). Remember to change the password, consumer name and domain in the file!

cat > /tmp/replication.ldif << EOF
dn: cn=ExampleAgreement,cn=replica,cn=dc\=example\,dc\=com,cn=mapping tree,cn=config
objectclass: top
objectclass: nsds5ReplicationAgreement
cn: ExampleAgreement
nsds5replicahost: consumer1
nsds5replicaport: 636
nsds5ReplicaTransportInfo: SSL
nsds5ReplicaBindDN: cn=replication manager,cn=config
nsDS5ReplicaCredentials: <password>
nsds5replicabindmethod: SIMPLE
nsds5replicaroot: dc=example,dc=com
description: agreement between supplier1 and consumer1
nsds5replicatedattributelist: (objectclass=*) $ EXCLUDE authorityRevocationList accountUnlockTime memberof
nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE accountUnlockTime
nsds5BeginReplicaRefresh: start
EOF

The replication agreement has to define eight separate attributes:

  • The consumer host (nsds5replicahost) and port (nsds5replicaport).
  • The DN for the supplier to use to bind with the consumer (nsds5ReplicaBindDN).
  • The way that the supplier binds (nsds5replicabindmethod).
  • Any credentials required (nsDS5ReplicaCredentials) for that bind method and specified DN.
  • The subtree being replicated (nsds5replicaroot).
  • The replication schedule (nsds5replicaupdateschedule).
  • Any attributes which will not be replicated (nsds5replicatedattributelist and nsDS5ReplicatedAttributeListTotal).

Add this to the server:

# ldapadd -cx -D "cn=directory manager" -W -h localhost -f /tmp/replication.ldif

Initializing Consumers Online

An online initialization can be initiated from the command line by adding the nsds5replicarefresh attribute to the replication agreement entry. If the attribute is included when the replication agreement is created, initialization begins immediately. It can be added later to initialize the consumer at any time. This attribute is absent by default, and it will be automatically deleted once the consumer initialization is complete.

Find the replication agreement DN

ldapsearch -x -D "cn=directory manager" -W -s sub -b cn=config "(objectclass=nsds5ReplicationAgreement)"

Start the replication

Edit the replication agreement and add the nsds5BeginReplicaRefresh attribute. Remember to change the DN to match the above result!

cat > /tmp/replication-start.ldif << EOF
dn: cn=ExampleAgreement,cn=replica,cn=dc\=example\,dc\=com,cn=mapping tree,cn=config
changetype: modify
replace: nsds5BeginReplicaRefresh
nsds5BeginReplicaRefresh: start
EOF

Add this to the server:

# ldapmodify -D "cn=Directory Manager" -W -f /tmp/replication-start.ldif

When the initialization is complete, the nsds5BeginReplicaRefresh attribute is automatically deleted from the replication agreement entry.

Monitoring the replication

To check the replication, run the following command on the supplier.

# ldapsearch -x -D "cn=directory manager" -W -s sub -b cn=config "(objectclass=nsds5ReplicationAgreement)"

You will want to look for the following entries:

nsds5replicareapactive: 0
nsds5replicaLastUpdateStart: 20190625000337Z
nsds5replicaLastUpdateEnd: 20190625000337Z
nsds5replicaChangesSentSinceStartup:
nsds5replicaLastUpdateStatus: Error (0) Replica acquired successfully: Increme
 ntal update succeeded
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastInitStart: 20190624235803Z
nsds5replicaLastInitEnd: 20190624235806Z
nsds5replicaLastInitStatus: Error (0) Total update succeeded

The nsds5replicaLastUpdateStart and nsds5replicaLastUpdateEnd dates should be updating.
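One way to turn that check into a monitor, as an added example that is not part of the wiki page or of 389-DS: parse the ldapsearch output (rejoining folded lines such as the "Increme" / "ntal" split above), extract the numeric code from the "Error (N) ..." status prefix, and flag an agreement whose last update ended longer ago than an acceptable lag. The sample output and the 15-minute lag limit are constructed for the example.

```python
"""Judge replication health from the ldapsearch output shown above.
Added example (not part of the wiki page or of 389-DS). The sample output is
constructed from the page's values, and the status parsing assumes the
'Error (N) ...' prefix format the page shows."""
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

SAMPLE_OUTPUT = """\
dn: cn=ExampleAgreement,cn=replica,cn=dc\\=example\\,dc\\=com,cn=mapping tree,cn=config
objectClass: top
objectClass: nsds5ReplicationAgreement
cn: ExampleAgreement
nsds5replicahost: consumer1
nsds5replicareapactive: 0
nsds5replicaLastUpdateStart: 20190625000337Z
nsds5replicaLastUpdateEnd: 20190625000337Z
nsds5replicaChangesSentSinceStartup:
nsds5replicaLastUpdateStatus: Error (0) Replica acquired successfully: Increme
 ntal update succeeded
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastInitStart: 20190624235803Z
nsds5replicaLastInitEnd: 20190624235806Z
nsds5replicaLastInitStatus: Error (0) Total update succeeded
"""

STATUS_CODE_RE = re.compile(r"^\s*(?:Error\s*\(\s*)?(-?\d+)")

def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Split ldapsearch output into entries. Folded lines (leading single space) are
    rejoined and attribute names lower-cased, since LDAP names are case-insensitive."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:                 # sentinel flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            current.setdefault(name.strip().lower(), []).append(value.strip())
    return entries

def parse_gentime(value: str) -> datetime:
    """GeneralizedTime as 389-DS prints it: YYYYMMDDHHMMSSZ (UTC)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def first(entry: Dict[str, List[str]], attr: str) -> Optional[str]:
    values = entry.get(attr.lower(), [])
    return values[0] if values and values[0] else None

def assess_agreement(entry, now: datetime, max_lag: timedelta) -> List[str]:
    problems: List[str] = []
    for attr in ("nsds5replicaLastInitStatus", "nsds5replicaLastUpdateStatus"):
        status = first(entry, attr)
        m = STATUS_CODE_RE.match(status or "")
        if not m or m.group(1) != "0":        # anything but code 0 is a failure
            problems.append(f"{attr}: {status!r}")
    start, end = first(entry, "nsds5replicaLastUpdateStart"), first(entry, "nsds5replicaLastUpdateEnd")
    if not (start and end):
        problems.append("no incremental update has completed yet")
        return problems
    age = now - parse_gentime(end)
    if age > max_lag:
        problems.append(f"last update ended {age} ago (limit {max_lag})")
    if first(entry, "nsds5replicaUpdateInProgress") == "TRUE" and now - parse_gentime(start) > max_lag:
        problems.append("update has been in progress for longer than the limit")
    return problems

def check_replication(text: str, now: datetime, max_lag: timedelta = timedelta(minutes=15)) -> Dict[str, List[str]]:
    """Map each replication agreement's cn to its problems (empty list = healthy)."""
    report: Dict[str, List[str]] = {}
    for entry in parse_ldif(text):
        if "nsds5replicationagreement" in [v.lower() for v in entry.get("objectclass", [])]:
            report[first(entry, "cn") or first(entry, "dn") or "?"] = assess_agreement(entry, now, max_lag)
    return report

if __name__ == "__main__":
    for name, problems in check_replication(SAMPLE_OUTPUT, datetime.now(timezone.utc)).items():
        print(name, "OK" if not problems else "; ".join(problems))
```

Feed it the real output with `ldapsearch ... | python3 monitor.py` adapted to read stdin instead of SAMPLE_OUTPUT; with the page's 2019 timestamps the sample itself will report as stale against the current clock, which is the intended behaviour.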

Installing a RADIUS Proxy Server

This follows the same lines as the authentication setup, but is done on a separate server. It may be built together with the overall authentication deployment, or afterwards to add a RADIUS proxy to the deployment.

Create base Centos 7 server, as documented below

New CentOS 7 Server Setup Commands

Install RADIUS from yum

# yum install freeradius freeradius-ldap freeradius-utils
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirror.team-cymru.com
 * epel: d2lzkl7pfhq30w.cloudfront.net
 * extras: mirror.team-cymru.com
 * updates: mirror.dal10.us.leaseweb.net
Resolving Dependencies
--> Running transaction check
---> Package freeradius.x86_64 0:3.0.13-9.el7_5 will be installed
---> Package freeradius-ldap.x86_64 0:3.0.13-9.el7_5 will be installed
---> Package freeradius-utils.x86_64 0:3.0.13-9.el7_5 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package                 Arch          Version                Repository   Size
================================================================================
Installing:
 freeradius              x86_64        3.0.13-9.el7_5         base        1.1 M
 freeradius-ldap         x86_64        3.0.13-9.el7_5         base        109 k
 freeradius-utils        x86_64        3.0.13-9.el7_5         base        221 k

Transaction Summary
================================================================================
Install  3 Packages

Total download size: 1.4 M
Installed size: 4.0 M
Is this ok [y/d/N]: y
Downloading packages:
(1/3): freeradius-ldap-3.0.13-9.el7_5.x86_64.rpm           | 109 kB   00:00     
(2/3): freeradius-utils-3.0.13-9.el7_5.x86_64.rpm          | 221 kB   00:00     
(3/3): freeradius-3.0.13-9.el7_5.x86_64.rpm                | 1.1 MB   00:00     
--------------------------------------------------------------------------------
Total                                              2.4 MB/s | 1.4 MB  00:00     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : freeradius-3.0.13-9.el7_5.x86_64                             1/3 
  Installing : freeradius-ldap-3.0.13-9.el7_5.x86_64                        2/3 
  Installing : freeradius-utils-3.0.13-9.el7_5.x86_64                       3/3 
  Verifying  : freeradius-ldap-3.0.13-9.el7_5.x86_64                        1/3 
  Verifying  : freeradius-3.0.13-9.el7_5.x86_64                             2/3 
  Verifying  : freeradius-utils-3.0.13-9.el7_5.x86_64                       3/3 

Installed:
  freeradius.x86_64 0:3.0.13-9.el7_5                                            
  freeradius-ldap.x86_64 0:3.0.13-9.el7_5                                       
  freeradius-utils.x86_64 0:3.0.13-9.el7_5                                      

Complete!

Configure for Proxy

In the /etc/raddb/proxy.conf file, configure as follows:

#  Proxy server configuration
#
#  This entry controls the servers behaviour towards ALL other servers
#  to which it sends proxy requests.
#
proxy server {

        #  Setting this to "yes" may have issues for authentication.
        #  i.e. If you are proxying for two different ISP's, and then
        #  act as a general dial-up for Gric.  If one of the first two
        #  ISP's has their RADIUS server go down, you do NOT want to
        #  proxy those requests to GRIC.  Instead, you probably want
        #  to just drop the requests on the floor.  In that case, set
        #  this value to 'no'.
        #
        #  allowed values: {yes, no}
        #
        default_fallback = no

}

home_server den1-radius1 {
        type = auth
        ipaddr = 199.26.60.50
        port = 1812
        secret = motoPMP320
        require_message_authenticator = yes
        response_window = 20
        zombie_period = 40
        status_check = status-server
        check_interval = 30
        num_answers_to_alive = 3
        max_outstanding = 65536
}

home_server dal1-radius1 {
        type = auth
        ipaddr = 199.26.61.50
        port = 1812
        secret = motoPMP320
        require_message_authenticator = yes
        response_window = 20
        zombie_period = 40
        status_check = status-server
        check_interval = 30
        num_answers_to_alive = 3
        max_outstanding = 65536
}

home_server den1-radius1-acct {
        type = acct
        ipaddr = 199.26.60.50
        port = 1813
        secret = motoPMP320
        require_message_authenticator = yes
        response_window = 20
        zombie_period = 40
        status_check = status-server
        check_interval = 30
        num_answers_to_alive = 3
        max_outstanding = 65536
}

home_server dal1-radius1-acct {
        type = acct
        ipaddr = 199.26.61.50
        port = 1813
        secret = motoPMP320
        require_message_authenticator = yes
        response_window = 20
        zombie_period = 40
        status_check = status-server
        check_interval = 30
        num_answers_to_alive = 3
        max_outstanding = 65536
}

home_server_pool freeradius_auth_loadbalance {
        #
        #  The type of this pool controls how home servers are chosen.
        #
        type = load-balance

        #  Next, a list of one or more home servers.  The names
        #  of the home servers are NOT the hostnames, but the names
        #  of the sections.  (e.g. home_server foo {...} has name "foo".
        #
        home_server = den1-radius1
        home_server = dal1-radius1

        #  If ALL home servers are dead, then this "fallback" home server
        #  is used.  If set, it takes precedence over any realm-based
        #  fallback, such as the DEFAULT realm.
        #
        #fallback = virtual.example.com
}

home_server_pool freeradius_acct_loadbalance {
        #
        #  The type of this pool controls how home servers are chosen.
        #
        type = load-balance

        #  Next, a list of one or more home servers.  The names
        #  of the home servers are NOT the hostnames, but the names
        #  of the sections.  (e.g. home_server foo {...} has name "foo".
        #
        home_server = den1-radius1-acct
        home_server = dal1-radius1-acct

        #  If ALL home servers are dead, then this "fallback" home server
        #  is used.  If set, it takes precedence over any realm-based
        #  fallback, such as the DEFAULT realm.
        #
        #fallback = virtual.example.com
}

#
#  This realm is for requests which don't have an explicit realm
#  prefix or suffix.  User names like "bob" will match this one.
#
realm NULL {
        auth_pool = freeradius_auth_loadbalance
        acct_pool = freeradius_acct_loadbalance
        nostrip
}

Configure the /etc/raddb/clients.conf file.

client remote-node-1 {
        ipaddr          = 10.1.2.3/32
        secret          = some-shared-secret
}

Add any VSAs and RADIUS extensions.

Copy any dictionary files to /etc/raddb:

# cp /tmp/dictionary.vendor1 /etc/raddb/
# echo '$INCLUDE /etc/raddb/dictionary.vendor1' >> /etc/raddb/dictionary

Also, add any RADIUS extensions (as detailed in the section above) to the /etc/raddb/dictionary file.

Start and Test

Start the RADIUS server in debug mode:

# radiusd -d /etc/raddb/ -X

In another window, run the following commands:

# echo "User-Name=tuser2,User-Password=somepass" > /root/rad-test
# cat /root/rad-test | radclient 127.0.0.1:1812 auth testing123

If successful, the output will look like this:

# cat /root/rad-test | radclient 127.0.0.1:1812 auth testing123 
Sent Access-Request Id 162 from 0.0.0.0:44269 to 127.0.0.1:1812 length 44
Received Access-Accept Id 162 from 127.0.0.1:1812 to 0.0.0.0:0 length 20

If it fails, it will look something like this:

# cat /root/rad-test | radclient 127.0.0.1:1812 auth testing123 
Sent Access-Request Id 193 from 0.0.0.0:41662 to 127.0.0.1:1812 length 44
Received Access-Reject Id 193 from 127.0.0.1:1812 to 0.0.0.0:0 length 20
(0) -: Expected Access-Accept got Access-Reject
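The two radclient exchanges on this page (the Access-Accept carrying Role += "super" in the verification section above, and the Accept/Reject pair here) can be reproduced and checked offline. As an added example that is not from the wiki page or from FreeRADIUS, the Python below encodes an Access-Request for the page's values (secret testing123, user tuser2, the custom 'ATTRIBUTE Role 209 string'), includes a Message-Authenticator, and verifies a reply's Response Authenticator the way radclient does, so a forged or wrong-secret reply is rejected rather than trusted; the reply itself is produced by a toy server function in the same file.

```python
"""Encode a RADIUS Access-Request and check the reply the way radclient does.
Added example, not part of the wiki page or of FreeRADIUS. Uses the page's values
(secret 'testing123', user 'tuser2', 'ATTRIBUTE Role 209 string'); the reply comes
from a toy server function in this file, so everything runs offline."""
import hashlib
import hmac
import os
import struct

SECRET = b"testing123"
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, MESSAGE_AUTHENTICATOR, ROLE = 1, 2, 80, 209
# Minimal dictionary: a few standard attributes plus the page's 'Role' (209, string).
DICTIONARY = {1: ("User-Name", "string"), 2: ("User-Password", "octets"), 18: ("Reply-Message", "string"),
              80: ("Message-Authenticator", "octets"), 209: ("Role", "string")}

def encrypt_password(password, secret, req_auth):
    """RFC 2865 5.2: pad to 16 bytes, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def decrypt_password(enc, secret, req_auth):
    out, prev = b"", req_auth
    for i in range(0, len(enc), 16):
        out += bytes(a ^ b for a, b in zip(enc[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = enc[i:i + 16]
    return out.rstrip(b"\x00")

def encode_attrs(attrs):
    """attrs: list of (type, value bytes) -> TLV wire form (Type, Length incl. header, Value)."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs

def packet(code, ident, auth, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + auth + body

def build_access_request(user, password, secret, ident, req_auth=None):
    """Access-Request with User-Name, encrypted User-Password and a Message-Authenticator
    (RFC 3579: HMAC-MD5 over the whole packet with attribute 80's value zeroed)."""
    req_auth = req_auth or os.urandom(16)
    attrs = [(USER_NAME, user.encode()), (USER_PASSWORD, encrypt_password(password.encode(), secret, req_auth))]
    zeroed = packet(ACCESS_REQUEST, ident, req_auth, attrs + [(MESSAGE_AUTHENTICATOR, bytes(16))])
    mac = hmac.new(secret, zeroed, hashlib.md5).digest()
    return packet(ACCESS_REQUEST, ident, req_auth, attrs + [(MESSAGE_AUTHENTICATOR, mac)])

def build_response(code, request, secret, attrs):
    """Toy server side: Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attrs + Secret)."""
    raw = packet(code, request[1], bytes(16), attrs)
    resp_auth = hashlib.md5(raw[:4] + request[4:20] + raw[20:] + secret).digest()
    return raw[:4] + resp_auth + raw[20:]

def verify_response(response, request, secret):
    """radclient's checks: Identifier and length match the request, and the Response
    Authenticator is one only a holder of the shared secret could produce.
    Returns (code, attributes decoded through DICTIONARY)."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request[1]:
        raise ValueError("identifier or length mismatch")
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        raise ValueError("bad Response Authenticator (wrong secret or tampered reply)")
    decoded = {}
    for t, v in decode_attrs(response[20:]):
        name, kind = DICTIONARY.get(t, (f"Attr-{t}", "octets"))
        decoded[name] = v.decode() if kind == "string" else v
    return code, decoded

def check_message_authenticator(pkt, req_auth, secret):
    """Recompute attribute 80 with its value zeroed and the Request Authenticator in the
    header; 'require_message_authenticator = yes' applies this check to home-server replies."""
    attrs, mac = [], None
    for t, v in decode_attrs(pkt[20:]):
        if t == MESSAGE_AUTHENTICATOR:
            mac, v = v, bytes(16)
        attrs.append((t, v))
    if mac is None:
        return False
    zeroed = pkt[:4] + req_auth + encode_attrs(attrs)
    return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), mac)

if __name__ == "__main__":
    req = build_access_request("tuser2", "somepass", SECRET, 162)
    print(verify_response(build_response(ACCESS_ACCEPT, req, SECRET, [(ROLE, b"super")]), req, SECRET))
```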

Adding Firewall Configuration

Allow the following RADIUS port through the firewall (firewalld):

# firewall-cmd --permanent --add-port=1812/udp

Reload the firewall rules:

# firewall-cmd --reload

!!! If you are deploying a RADIUS proxy to an outside IP address, please secure it further with more granular firewall configuration !!!

Enabling and Starting RADIUS

To enable the RADIUS daemon

# systemctl enable radiusd
Created symlink from /etc/systemd/system/multi-user.target.wants/radiusd.service to /usr/lib/systemd/system/radiusd.service.

To start the RADIUS daemon

# systemctl start radiusd