Armour Infosec Certified Linux Server Administrator Exam Report
- Rishabh Soni
- email@rishabhsoni.in
- 09-June-2025
Table of Contents
- Linux Server Administrator Exam Report
- Question
- Server Configurations
- Client Configuration
- Server Configuration Steps
- Step 1: Initial Server Setup and DNS Configuration
- Step 2: LDAP Server Installation and Configuration
- Step 3: FTP Server with LDAP Authentication
- Step 4: Centralized Home Directory with NFS
- Step 5: Apache Web Server Installation
- Step 6: WordPress Installation and HTTPS Configuration
- Step 7: GitLab Installation with LDAP Integration
- Step 8: LDAPS Implementation
- Client Configuration Steps
- Testing and Verification
Question
Your organization is focused on upgrading its Linux server infrastructure, prioritizing both security and operational efficiency. Begin by setting up an LDAP server to centralize authentication across the network. Then, deploy WordPress and ensure it is securely accessible over HTTPS on port 443 using a designated domain name. Additionally, integrate GitLab with LDAP for user authentication and make it available via its own domain. To finalize the setup, implement a file-sharing service for user home directories using FTP with LDAP-based authentication, and configure the SSH server to authenticate users through LDAP as well.
Server Configurations
OS: CentOS 9
IPv4: 192.168.1.128/24
Gateway: 192.168.1.1
Hostname: centos.rs.local
Domains: rs.local, ldap.rs.local, wordpress.rs.local, gitlab.rs.local
Credentials
Server Users:
Users | Password | Type |
---|---|---|
root | Rish@bh123 | admin |
rsoni | Rish@bh123 | admin |
LDAP Admin:
User | Password |
---|---|
cn=admin,dc=rs,dc=local | Rish@bh123 |
LDAP Users:
Department | Username | Password | UID | GID | Group Name | Home Directory |
---|---|---|---|---|---|---|
HR | hr1 | Hr1@123 | 3001 | 2005 | hr | /home/hr1 |
HR | hr2 | Hr2@123 | 3002 | 2005 | hr | /home/hr2 |
IT | it1 | It1@123 | 3003 | 2004 | it | /home/it1 |
IT | it2 | It2@123 | 3004 | 2004 | it | /home/it2 |
Admin | admin1 | Admin1@123 | 3005 | 2003 | admin | /home/admin1 |
Admin | admin2 | Admin2@123 | 3006 | 2003 | admin | /home/admin2 |
LDAP Groups
Group Name | GID | Members | Purpose |
---|---|---|---|
admin | 2003 | admin1, admin2 | Administrative users |
it | 2004 | it1, it2 | IT department users |
hr | 2005 | hr1, hr2 | HR department users |
Service Credentials
Service | Username | Password | Access URL/Port | Notes |
---|---|---|---|---|
MySQL | root | Rish@bh123 | localhost:3306 | Database root access |
WordPress | wpadmin | Rish@bh123 | https://wordpress.rs.local | WordPress Administrator |
GitLab | root | Rish@bh123 | https://gitlab.rs.local | GitLab Administrator |
phpMyAdmin | root (MySQL) | Rish@bh123 | Not accessible by URL | Web database management |
Service Access Matrix
Service | Local Users | LDAP Users | Authentication Method | Access Type |
---|---|---|---|---|
SSH | ✓ root, rsoni | ✓ All LDAP users | PAM + SSSD | Terminal access |
FTP | ✗ | ✓ All LDAP users | PAM + SSSD | File transfer |
GitLab | ✓ root (admin) | ✓ All LDAP users | LDAP/LDAPS | Web access |
WordPress | ✓ wpadmin | ✗ | Local WordPress DB | Web access |
NFS Home Dirs | N/A | ✓ All LDAP users | LDAP UID/GID | Auto-mounted |
WordPress Installation Details
Configuration Item | Value |
---|---|
Access URL | https://wordpress.rs.local |
Database Name | wordpress.rs.local |
Database Username | root |
Database Password | Rish@bh123 |
Table Prefix | wp_rs_ |
Site Title | wordpress.rs.local |
Admin Username | wpadmin |
Admin Password | Rish@bh123 |
Client Configuration
OS: CentOS 9
IPv4: 192.168.1.201/24
Gateway: 192.168.1.1
DNS: 192.168.1.128
Hostname: c1.rs.local
Credentials
Users | Password |
---|---|
root | Rish@bh123 |
rsoni | Rish@bh123 |
LDAP users | Same as server |
Server Configuration Steps
Step 1: Initial Server Setup and DNS Configuration
1.1 Configure Network Settings
Set static IP using nmtui
nmtui
Configure:
- IPv4: 192.168.1.128/24
- Gateway: 192.168.1.1
- DNS: 127.0.0.1
Set hostname
hostnamectl set-hostname centos.rs.local
hostnamectl status
Enable root SSH access
vim /etc/ssh/sshd_config
Set: PermitRootLogin yes
systemctl restart sshd
Install basic tools
dnf install bash* wget unzip net-tools
1.2 Install and Configure DNS Server
Install BIND
dnf install bind bind-utils
Configure named.conf
vim /etc/named.conf
Add the following configuration:
options {
listen-on port 53 { 127.0.0.1; 192.168.1.128; };
allow-query { localhost; 192.168.1.0/24; };
forwarders { 8.8.8.8; 8.8.4.4; };
};
Configure zones
vim /etc/named.rfc1912.zones
Add:
zone "rs.local" {
type master;
file "/var/named/rs.local.zone";
};
zone "1.168.192.in-addr.arpa" {
type master;
file "/var/named/1.168.192.rev";
};
Create forward zone file
vim /var/named/rs.local.zone
$TTL 86400
@ IN SOA centos.rs.local. admin.rs.local. (
        2024010103 ; Serial
        3600       ; Refresh
        1800       ; Retry
        604800     ; Expire
        86400      ; Minimum TTL
)
@ IN NS centos.rs.local.
@ IN A 192.168.1.128
centos IN A 192.168.1.128
ldap IN CNAME centos
wordpress IN A 192.168.1.128
www.wordpress IN CNAME wordpress
gitlab IN A 192.168.1.128
www.gitlab IN CNAME gitlab
c1 IN A 192.168.1.201
Create reverse zone file
vim /var/named/1.168.192.rev
$TTL 86400
@ IN SOA centos.rs.local. admin.rs.local. (
        2024010101 ; Serial
        3600       ; Refresh
        1800       ; Retry
        604800     ; Expire
        86400      ; Minimum TTL
)
@ IN NS centos.rs.local.
128 IN PTR centos.rs.local.
201 IN PTR c1.rs.local.
Enable and start DNS service
systemctl enable named --now
firewall-cmd --add-service=dns --permanent
firewall-cmd --reload
Test DNS
dig centos.rs.local
dig ldap.rs.local
dig wordpress.rs.local
dig gitlab.rs.local
Step 2: LDAP Server Installation and Configuration
2.1 Install OpenLDAP Packages
Install required repositories
dnf install -y epel-release
dnf config-manager --set-enabled crb
dnf makecache
Install OpenLDAP
dnf install -y openldap-servers openldap-clients openldap-devel sssd-tools
systemctl enable slapd --now
Configure firewall
firewall-cmd --add-service=ldap --permanent
firewall-cmd --add-service=ldaps --permanent
firewall-cmd --reload
2.2 Configure LDAP Database
Create LDIF directory
mkdir /root/ldif
Generate admin password
slappasswd
Enter password: Rish@bh123
Output: {SSHA}OUMtfIbsWAltpieoq8WuXMooVmwM8nW2
Configure database
vim /root/ldif/db-config.ldif
dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=rs,dc=local

dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=admin,dc=rs,dc=local

dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}OUMtfIbsWAltpieoq8WuXMooVmwM8nW2
Apply configuration
ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/ldif/db-config.ldif
Load schemas
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
2.3 Configure Access Control Lists
vim /root/ldif/acl.ldif
dn: olcDatabase={2}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by dn="cn=admin,dc=rs,dc=local" write by * none
olcAccess: {1}to attrs=shadowLastChange by self write by * read
olcAccess: {2}to * by dn="cn=admin,dc=rs,dc=local" write by self read by * read
ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/ldif/acl.ldif
Check
ldapsearch -Y EXTERNAL -H ldapi:/// -b "olcDatabase={2}mdb,cn=config" olcAccess
2.4 Create LDAP Directory Structure
Create base domain
vim /root/ldif/base.ldif
dn: dc=rs,dc=local
objectClass: top
objectClass: dcObject
objectClass: organization
o: RS
dc: rs
ldapadd -x -D "cn=admin,dc=rs,dc=local" -W -f /root/ldif/base.ldif
Enter password: Rish@bh123
Create organizational units
vim /root/ldif/base_structure.ldif
dn: ou=it,dc=rs,dc=local
objectClass: organizationalUnit
ou: it

dn: ou=hr,dc=rs,dc=local
objectClass: organizationalUnit
ou: hr

dn: ou=admin,dc=rs,dc=local
objectClass: organizationalUnit
ou: admin

dn: ou=groups,dc=rs,dc=local
objectClass: organizationalUnit
ou: groups
ldapadd -x -D "cn=admin,dc=rs,dc=local" -W -f /root/ldif/base_structure.ldif
2.5 Create Groups and Users
Create groups
vim /root/ldif/create_group.ldif
dn: cn=it,ou=groups,dc=rs,dc=local
objectClass: posixGroup
cn: it
gidNumber: 2004

dn: cn=hr,ou=groups,dc=rs,dc=local
objectClass: posixGroup
cn: hr
gidNumber: 2005

dn: cn=admin,ou=groups,dc=rs,dc=local
objectClass: posixGroup
cn: admin
gidNumber: 2003
ldapadd -x -D "cn=admin,dc=rs,dc=local" -W -f /root/ldif/create_group.ldif
Generate user passwords
slappasswd -s 'Hr1@123'
{SSHA}us8Pn4pKI+iDSGFyyHcsaoLig5WZTBTl
slappasswd -s 'Hr2@123'
{SSHA}S9/u4SZLPNVpLNVe+7DZ/GQxL48rOm2W
slappasswd -s 'It1@123'
{SSHA}T31pWHMqcK7Av6O7wMk2UqbpzliYIKYg
slappasswd -s 'It2@123'
{SSHA}YuhinO4tIYnru9P3OeUQuC99R2XHdiW5
slappasswd -s 'Admin1@123'
{SSHA}NrNSslavho991v3whXrr8lyiyU4JD89T
slappasswd -s 'Admin2@123'
{SSHA}L4C1pXV4+hvAHk+JyRi+Kuk9eAAlSdok
Create users
vim /root/ldif/add_users.ldif
dn: uid=hr1,ou=hr,dc=rs,dc=local
objectClass: inetOrgPerson
objectClass: posixAccount
cn: HR One
sn: One
uid: hr1
uidNumber: 3001
gidNumber: 2005
homeDirectory: /home/hr1
loginShell: /bin/bash
userPassword: {SSHA}us8Pn4pKI+iDSGFyyHcsaoLig5WZTBTl

dn: uid=hr2,ou=hr,dc=rs,dc=local
objectClass: inetOrgPerson
objectClass: posixAccount
cn: HR Two
sn: Two
uid: hr2
uidNumber: 3002
gidNumber: 2005
homeDirectory: /home/hr2
loginShell: /bin/bash
userPassword: {SSHA}S9/u4SZLPNVpLNVe+7DZ/GQxL48rOm2W

dn: uid=it1,ou=it,dc=rs,dc=local
objectClass: inetOrgPerson
objectClass: posixAccount
cn: IT One
sn: One
uid: it1
uidNumber: 3003
gidNumber: 2004
homeDirectory: /home/it1
loginShell: /bin/bash
userPassword: {SSHA}T31pWHMqcK7Av6O7wMk2UqbpzliYIKYg

dn: uid=it2,ou=it,dc=rs,dc=local
objectClass: inetOrgPerson
objectClass: posixAccount
cn: IT Two
sn: Two
uid: it2
uidNumber: 3004
gidNumber: 2004
homeDirectory: /home/it2
loginShell: /bin/bash
userPassword: {SSHA}YuhinO4tIYnru9P3OeUQuC99R2XHdiW5

dn: uid=admin1,ou=admin,dc=rs,dc=local
objectClass: inetOrgPerson
objectClass: posixAccount
cn: Admin One
sn: One
uid: admin1
uidNumber: 3005
gidNumber: 2003
homeDirectory: /home/admin1
loginShell: /bin/bash
userPassword: {SSHA}NrNSslavho991v3whXrr8lyiyU4JD89T

dn: uid=admin2,ou=admin,dc=rs,dc=local
objectClass: inetOrgPerson
objectClass: posixAccount
cn: Admin Two
sn: Two
uid: admin2
uidNumber: 3006
gidNumber: 2003
homeDirectory: /home/admin2
loginShell: /bin/bash
userPassword: {SSHA}L4C1pXV4+hvAHk+JyRi+Kuk9eAAlSdok
ldapadd -x -D "cn=admin,dc=rs,dc=local" -W -f /root/ldif/add_users.ldif
Add users to groups
vim /root/ldif/add_member_to_group.ldif
dn: cn=it,ou=groups,dc=rs,dc=local
changetype: modify
add: memberUid
memberUid: it1
memberUid: it2

dn: cn=hr,ou=groups,dc=rs,dc=local
changetype: modify
add: memberUid
memberUid: hr1
memberUid: hr2

dn: cn=admin,ou=groups,dc=rs,dc=local
changetype: modify
add: memberUid
memberUid: admin1
memberUid: admin2
ldapmodify -x -D "cn=admin,dc=rs,dc=local" -W -f /root/ldif/add_member_to_group.ldif
Test LDAP authentication
ldapwhoami -x -D "uid=it1,ou=it,dc=rs,dc=local" -W
Enter password: It1@123
LDAP Directory Structure Tree:
dc=rs,dc=local
├── ou=hr
│   ├── uid=hr1 (member of hr group)
│   └── uid=hr2 (member of hr group)
├── ou=it
│   ├── uid=it1 (member of it group)
│   └── uid=it2 (member of it group)
├── ou=admin
│   ├── uid=admin1 (member of admin group)
│   └── uid=admin2 (member of admin group)
└── ou=groups
    ├── cn=hr (memberUid: hr1, hr2)
    ├── cn=it (memberUid: it1, it2)
    └── cn=admin (memberUid: admin1, admin2)
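The group, user and memberUid LDIF files of Step 2.5 can be generated from the "LDAP Users" table instead of being typed by hand. This is an added example, not part of the original report: it hashes each password in the {SSHA} format that slappasswd emits (base64 of SHA-1 digest plus a 4-byte salt), writes the entries with the blank line LDIF requires between them, and includes the verification routine that slapd effectively performs on a simple bind. The output directory /root/ldif matches the report.

```python
# Added example (not part of the report): generate the Step 2.5 LDIF files from
# the "LDAP Users" table, hashing each password in the {SSHA} form slappasswd
# emits, with the blank line LDIF needs between entries. Writes into /root/ldif.
import base64
import hashlib
import os
from pathlib import Path

BASE_DN = "dc=rs,dc=local"
OUT_DIR = Path("/root/ldif")
NUMBER_WORD = {"1": "One", "2": "Two"}
DEPT_LABEL = {"hr": "HR", "it": "IT", "admin": "Admin"}
GROUPS = {"it": 2004, "hr": 2005, "admin": 2003}       # group name -> gidNumber
# (department/ou, uid, password, uidNumber); group and gid follow from the ou.
USERS = [
    ("hr", "hr1", "Hr1@123", 3001),
    ("hr", "hr2", "Hr2@123", 3002),
    ("it", "it1", "It1@123", 3003),
    ("it", "it2", "It2@123", 3004),
    ("admin", "admin1", "Admin1@123", 3005),
    ("admin", "admin2", "Admin2@123", 3006),
]


def ssha_hash(password, salt=None):
    """{SSHA} = base64(sha1(password || salt) || salt); slappasswd uses a 4-byte salt."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(stored, password):
    """What slapd does on a simple bind: re-hash with the stored salt and compare."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes, rest is salt
    return hashlib.sha1(password.encode() + salt).digest() == digest


def group_entry(name, gid):
    return "\n".join([f"dn: cn={name},ou=groups,{BASE_DN}", "objectClass: posixGroup",
                      f"cn: {name}", f"gidNumber: {gid}"])


def user_entry(ou, uid, password, uid_number):
    word = NUMBER_WORD[uid[-1]]                 # hr1 -> "HR One", as in the report
    return "\n".join([
        f"dn: uid={uid},ou={ou},{BASE_DN}",
        "objectClass: inetOrgPerson",
        "objectClass: posixAccount",
        f"cn: {DEPT_LABEL[ou]} {word}",
        f"sn: {word}",
        f"uid: {uid}",
        f"uidNumber: {uid_number}",
        f"gidNumber: {GROUPS[ou]}",
        f"homeDirectory: /home/{uid}",
        "loginShell: /bin/bash",
        f"userPassword: {ssha_hash(password)}",
    ])


def member_entry(group, members):
    return "\n".join([f"dn: cn={group},ou=groups,{BASE_DN}", "changetype: modify",
                      "add: memberUid"] + [f"memberUid: {m}" for m in members])


def ldif(entries):
    """Entries in one LDIF file are separated by a single blank line."""
    return "\n\n".join(entries) + "\n"


def groups_ldif():
    return ldif(group_entry(n, g) for n, g in GROUPS.items())


def users_ldif():
    return ldif(user_entry(*row) for row in USERS)


def members_ldif():
    return ldif(member_entry(g, [u for ou, u, _, _ in USERS if ou == g]) for g in GROUPS)


if __name__ == "__main__":
    OUT_DIR.mkdir(parents=True, exist_ok=True)
    for name, text in (("create_group.ldif", groups_ldif()), ("add_users.ldif", users_ldif()),
                       ("add_member_to_group.ldif", members_ldif())):
        (OUT_DIR / name).write_text(text)
        print("wrote", OUT_DIR / name)
```

The generated files are loaded with the same ldapadd/ldapmodify commands as in the report.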
Step 3: FTP Server with LDAP Authentication
Install vsftpd, SSSD and oddjob-mkhomedir (the with-mkhomedir profile and the oddjobd service enabled below depend on it)
dnf install vsftpd ftp sssd sssd-ldap oddjob-mkhomedir -y
Configure SSSD
vim /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
services = nss, pam
domains = rs.local
[domain/rs.local]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://localhost
ldap_search_base = dc=rs,dc=local
ldap_schema = rfc2307
ldap_tls_reqcert = never
ldap_id_use_start_tls = false
ldap_auth_disable_tls_never_use_in_production = true
cache_credentials = true
enumerate = true
ldap_default_bind_dn = cn=admin,dc=rs,dc=local
ldap_default_authtok = Rish@bh123
[nss]
homedir_substring = /home
filter_groups = root
filter_users = root
[pam]
Set permissions and enable SSSD
chmod 600 /etc/sssd/sssd.conf
systemctl enable sssd --now
authselect select sssd with-mkhomedir --force
Configure vsftpd
vim /etc/vsftpd/vsftpd.conf
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
allow_writeable_chroot=YES
use_localtime=YES
xferlog_enable=YES
xferlog_std_format=YES
pam_service_name=vsftpd
ssl_enable=NO
listen=YES
listen_ipv6=NO
userlist_enable=YES
userlist_deny=NO
userlist_file=/etc/vsftpd/user_list_rs
tcp_wrappers=NO
local_root=/home/$USER
user_sub_token=$USER
Create FTP user access list
vim /etc/vsftpd/user_list_rs
it1
it2
admin1
admin2
hr1
hr2
Create home directories
mkdir -p /home/{it1,it2,hr1,hr2,admin1,admin2}
Enable services
systemctl enable vsftpd --now
systemctl enable oddjobd --now
Configure firewall and SELinux
firewall-cmd --add-service=ftp --permanent
firewall-cmd --reload
getsebool -a | grep ftp
setsebool -P ftpd_full_access on
Step 4: Centralized Home Directory with NFS
Install NFS
dnf install nfs-utils -y
Configure NFS exports
vim /etc/exports
/home *(rw,sync,no_root_squash,no_subtree_check)
Enable NFS services
systemctl enable nfs-server --now
systemctl enable rpcbind --now
exportfs -arv
Configure firewall
firewall-cmd --add-service=nfs --permanent
firewall-cmd --add-service=rpc-bind --permanent
firewall-cmd --add-service=mountd --permanent
firewall-cmd --reload
Step 5: Apache Web Server Installation
Install Apache and SSL module
dnf install httpd mod_ssl
systemctl enable httpd
systemctl start httpd
Disable welcome page
mv /etc/httpd/conf.d/welcome.conf /etc/httpd/conf.d/welcome.conf.notinclude
Configure firewall
firewall-cmd --add-service=http --permanent
firewall-cmd --add-service=https --permanent
firewall-cmd --reload
Step 6: WordPress Installation and HTTPS Configuration
6.1 Install PHP
Install PHP repositories
dnf install epel-release yum-utils
dnf install http://rpms.remirepo.net/enterprise/remi-release-9.rpm
Install PHP and modules
dnf install php php-common php-cli php-opcache php-gd php-curl php-mysqlnd php-xml php-mbstring php-pear php-pecl-http php-session
systemctl restart httpd
6.2 Install MySQL
Download MySQL repository
wget https://dev.mysql.com/get/mysql84-community-release-el9-1.noarch.rpm
dnf install ./mysql84-community-release-el9-1.noarch.rpm
Enable MySQL 8.0 repository
dnf config-manager --enable mysql80-community
Install MySQL
yum install mysql-community-server mysql-community-devel
Enable and start MySQL
systemctl enable mysqld.service
systemctl restart mysqld.service
Get temporary root password
grep 'temporary password' /var/log/mysqld.log
Note the temporary password (e.g., KwWyoOPqn3?i)
Secure MySQL installation
mysql_secure_installation
Change root password to: Rish@bh123
Remove anonymous users: y
Disallow root login remotely: y
Remove test database: y
Reload privilege tables: y
6.3 Install phpMyAdmin
Download and install phpMyAdmin
wget https://files.phpmyadmin.net/phpMyAdmin/5.1.0/phpMyAdmin-5.1.0-all-languages.zip
unzip phpMyAdmin-5.1.0-all-languages.zip
mv phpMyAdmin-5.1.0-all-languages /var/www/html/phpmyadmin
Configure phpMyAdmin
cp /var/www/html/phpmyadmin/config.sample.inc.php /var/www/html/phpmyadmin/config.inc.php
Generate blowfish secret
dnf install pwgen
pwgen 32 -1
Use generated password (e.g., OoFahguchoh7ohsohThaelau0Olah8ch)
Edit configuration
vim /var/www/html/phpmyadmin/config.inc.php
Line 16 of config.inc.php:
$cfg['blowfish_secret'] = 'eephoo8ey8EuQu6Jiewee1ietaew6Eit'; /* YOU MUST FILL IN THIS FOR COOKIE AUTH! */
Replace the value on line 16 with the generated blowfish_secret.
Set permissions
chown -Rv apache:apache /var/www/html/phpmyadmin
systemctl restart httpd
Create WordPress database via phpMyAdmin
Access: http://192.168.1.128/phpmyadmin/
Create database: wordpress.rs.local
6.4 Install WordPress
Download and install WordPress
wget https://wordpress.org/latest.zip
unzip latest.zip
mv wordpress/ /var/www/html/
Set permissions
chown -Rv apache:apache /var/www/html/wordpress/
chmod -Rv 0755 /var/www/html/wordpress/wp-includes/ /var/www/html/wordpress/wp-admin/js/ /var/www/html/wordpress/wp-content/themes/ /var/www/html/wordpress/wp-content/plugins/
systemctl restart httpd
6.5 Configure SSL and Virtual Hosts
Create SSL directory
mkdir /opt/ssl
cd /opt/ssl/
Generate self-signed certificate
openssl req -x509 -newkey rsa:2048 -keyout rs.local.key.pem -out rs.local.cert.pem -days 365
Passphrase: Rish@bh123
Fill in the certificate details with appropriate values.
Copy certificates to proper locations
cp -v /opt/ssl/rs.local.cert.pem /etc/pki/tls/certs/rs.local.cert.pem
cp -v /opt/ssl/rs.local.key.pem /etc/pki/tls/private/rs.local.key.pem
Configure Apache main configuration
vim /etc/httpd/conf/httpd.conf
Change:
Listen 192.168.1.128:80
In the <Directory "/var/www/html"> section:
Options -Indexes +FollowSymLinks
AllowOverride All
Create WordPress virtual host
vim /etc/httpd/conf.d/wordpress.rs.conf
<VirtualHost 192.168.1.128:80>
ServerName wordpress.rs.local
ServerAlias www.wordpress.rs.local
<If "%{HTTP_HOST} != 'wordpress.rs.local' && %{HTTP_HOST} != 'www.wordpress.rs.local'">
Require all denied
</If>
DocumentRoot /var/www/html/wordpress/
DirectoryIndex index.php index.html
Redirect permanent / https://wordpress.rs.local/
<Directory /var/www/html/wordpress/>
AllowOverride All
Require all granted
</Directory>
</VirtualHost>
<VirtualHost 192.168.1.128:443>
ServerName wordpress.rs.local
ServerAlias www.wordpress.rs.local
<If "%{HTTP_HOST} != 'wordpress.rs.local' && %{HTTP_HOST} != 'www.wordpress.rs.local'">
Require all denied
</If>
DocumentRoot /var/www/html/wordpress/
DirectoryIndex index.php index.html
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/rs.local.cert.pem
SSLCertificateKeyFile /etc/pki/tls/private/rs.local.key.pem
<Directory /var/www/html/wordpress/>
AllowOverride All
Require all granted
</Directory>
ErrorLog /var/log/httpd/wordpress-ssl-error.log
CustomLog /var/log/httpd/wordpress-ssl-access.log combined
</VirtualHost>
Restart Apache
systemctl restart httpd
Complete WordPress installation via web interface
Access: https://wordpress.rs.local
Database Name: wordpress.rs.local
Username: root
Password: Rish@bh123
Table Prefix: wp_rs_
Site Title: wordpress.rs.local
Admin Username: wpadmin
Admin Password: Rish@bh123
Step 7: GitLab Installation with LDAP Integration
Install required packages
dnf install -y curl policycoreutils perl
Download and install GitLab repository
curl https://packages.gitlab.com/install/repositories/gitlab/gitlab-ce/script.rpm.sh -o gitlab-repo-installation-script.sh
chmod +x gitlab-repo-installation-script.sh
./gitlab-repo-installation-script.sh
Install GitLab
dnf install -y gitlab-ce
Configure GitLab
vim /etc/gitlab/gitlab.rb
# Disable GitLab's built-in nginx
nginx['enable'] = false
# Configure GitLab to work with Apache
gitlab_workhorse['listen_network'] = "tcp"
gitlab_workhorse['listen_addr'] = "127.0.0.1:8181"
# Set external URL
external_url 'https://gitlab.rs.local'
# LDAP Configuration
gitlab_rails['ldap_enabled'] = true
gitlab_rails['prevent_ldap_sign_in'] = false
gitlab_rails['ldap_servers'] = YAML.load <<-'EOS'
  main:
    label: 'LDAP'
    host: 'centos.rs.local'
    port: 389
    uid: 'uid'
    bind_dn: 'cn=admin,dc=rs,dc=local'
    password: 'Rish@bh123'
    encryption: 'plain'
    verify_certificates: false
    smartcard_auth: false
    active_directory: false
    allow_username_or_email_login: false
    lowercase_usernames: false
    block_auto_created_users: false
    base: 'dc=rs,dc=local'
    user_filter: ''
    attributes:
      username: ['uid', 'userid', 'sAMAccountName']
      email: ['mail', 'email', 'userPrincipalName']
      name: 'cn'
      first_name: 'givenName'
      last_name: 'sn'
    group_base: 'ou=groups,dc=rs,dc=local'
    admin_group: 'admin'
    sync_ssh_keys: false
EOS
gitlab_rails['smtp_enable'] = false
Create GitLab virtual host
vim /etc/httpd/conf.d/gitlab.rs.conf
<VirtualHost 192.168.1.128:80>
ServerName gitlab.rs.local
ServerAlias www.gitlab.rs.local
<If "%{HTTP_HOST} != 'gitlab.rs.local' && %{HTTP_HOST} != 'www.gitlab.rs.local'">
Require all denied
</If>
Redirect permanent / https://gitlab.rs.local/
</VirtualHost>
<VirtualHost 192.168.1.128:443>
ServerName gitlab.rs.local
ServerAlias www.gitlab.rs.local
<If "%{HTTP_HOST} != 'gitlab.rs.local' && %{HTTP_HOST} != 'www.gitlab.rs.local'">
Require all denied
</If>
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/rs.local.cert.pem
SSLCertificateKeyFile /etc/pki/tls/private/rs.local.key.pem
ProxyPreserveHost On
ProxyPass / http://127.0.0.1:8181/
ProxyPassReverse / http://127.0.0.1:8181/
RequestHeader set X-Forwarded-Proto "https"
RequestHeader set X-Forwarded-Ssl on
ErrorLog /var/log/httpd/gitlab-ssl-error.log
CustomLog /var/log/httpd/gitlab-ssl-access.log combined
</VirtualHost>
Reconfigure and start GitLab
gitlab-ctl reconfigure
gitlab-ctl start
Get initial root password
cat /etc/gitlab/initial_root_password
Save the generated password
Test LDAP connection
gitlab-rake gitlab:ldap:check
Access GitLab and change root password
URL: https://gitlab.rs.local
Username: root
Password: (from initial_root_password file)
Change password to: Rish@bh123
Step 8: LDAPS Implementation
Create SSL certificates for LDAP
mkdir -p /etc/openldap/certs
cd /etc/openldap/certs
Generate certificate
openssl req -new -x509 -nodes -out ldapserver.crt -keyout ldapserver.key -days 365 -subj "/C=IN/ST=MP/L=City/O=RS/CN=centos.rs.local"
Set permissions
chown ldap:ldap /etc/openldap/certs/*
chmod 600 /etc/openldap/certs/ldapserver.key
chmod 644 /etc/openldap/certs/ldapserver.crt
Copy certificate to trust store
cp /etc/openldap/certs/ldapserver.crt /etc/pki/ca-trust/source/anchors/
update-ca-trust
Configure LDAP for TLS
vim ~/ldif/tls-config.ldif
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/openldap/certs/ldapserver.crt
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/ldapserver.crt
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/ldapserver.key
Apply TLS configuration
ldapmodify -Y EXTERNAL -H ldapi:/// -f ~/ldif/tls-config.ldif
Configure LDAP to listen on LDAPS port
vim /etc/sysconfig/slapd
SLAPD_URLS="ldapi:/// ldap:/// ldaps:///"
Remove ldap:/// to only allow secure connections:
SLAPD_URLS="ldapi:/// ldaps:///"
Restart LDAP service
systemctl restart slapd
Verify LDAPS port
ss -nltp | grep 636
Test LDAPS connection
ldapsearch -x -H ldaps://centos.rs.local -b "dc=rs,dc=local" -D "cn=admin,dc=rs,dc=local" -W
Default VirtualHost Configuration
This configuration creates a catch-all VirtualHost that denies access to any hostname not explicitly configured, preventing unauthorized access via IP address or unintended hostnames.
vim /etc/httpd/conf.d/00-default.conf
<VirtualHost 192.168.1.128:80>
ServerName default
DocumentRoot /var/www/default
# Deny all requests
<Directory /var/www/default>
Require all denied
</Directory>
# Alternative: Return 403 immediately for any request
<Location />
Require all denied
</Location>
ErrorLog /var/log/httpd/default-error.log
CustomLog /var/log/httpd/default-access.log combined
</VirtualHost>
<VirtualHost 192.168.1.128:443>
ServerName default
DocumentRoot /var/www/default
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/rs.local.cert.pem
SSLCertificateKeyFile /etc/pki/tls/private/rs.local.key.pem
# Deny all requests
<Directory /var/www/default>
Require all denied
</Directory>
# Alternative: Return 403 immediately for any request
<Location />
Require all denied
</Location>
ErrorLog /var/log/httpd/default-ssl-error.log
CustomLog /var/log/httpd/default-ssl-access.log combined
</VirtualHost>
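Why the catch-all file is named 00-default.conf matters more than the comments in it suggest: httpd includes conf.d/*.conf alphabetically, and for name-based virtual hosts a request whose Host header matches no ServerName or ServerAlias is served by the first VirtualHost defined for that address and port. The following added example (not part of the original report) models that selection over trimmed copies of the report's three conf.d files, so you can see which Host values reach the deny-all host and what happens when the default file sorts last.

```python
# Added example (not part of the report): a model of how Apache 2.4 chooses a
# name-based <VirtualHost> on 192.168.1.128:443, showing why the catch-all file
# must sort first in conf.d (hence the 00- prefix) and which Host headers land
# on it. The three snippets are trimmed copies of the report's conf.d files.
import fnmatch
import re

CONF_FILES = {
    "00-default.conf": """
<VirtualHost 192.168.1.128:443>
    ServerName default
    <Location />
        Require all denied
    </Location>
</VirtualHost>
""",
    "gitlab.rs.conf": """
<VirtualHost 192.168.1.128:443>
    ServerName gitlab.rs.local
    ServerAlias www.gitlab.rs.local
    ProxyPass / http://127.0.0.1:8181/
</VirtualHost>
""",
    "wordpress.rs.conf": """
<VirtualHost 192.168.1.128:443>
    ServerName wordpress.rs.local
    ServerAlias www.wordpress.rs.local
    DocumentRoot /var/www/html/wordpress/
</VirtualHost>
""",
}

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)


def parse_vhosts(files):
    """Vhosts in load order: IncludeOptional conf.d/*.conf expands alphabetically."""
    vhosts = []
    for fname in sorted(files):
        for addr, body in VHOST_RE.findall(files[fname]):
            names = re.findall(r"^\s*ServerName\s+(\S+)", body, re.M | re.I)
            aliases = re.findall(r"^\s*ServerAlias\s+(.+)$", body, re.M | re.I)
            names += [a for line in aliases for a in line.split()]
            vhosts.append({
                "file": fname,
                "addr": addr.strip(),
                "names": [n.lower() for n in names],
                "denied": "require all denied" in body.lower(),
            })
    return vhosts


def select_vhost(files, host_header, addr="192.168.1.128:443"):
    """Apache drops the port from Host, compares it case-insensitively with
    ServerName/ServerAlias (aliases may contain wildcards) and otherwise falls
    back to the FIRST vhost defined for that address:port, whatever its name.
    IPv6 literals in Host are not handled by this toy."""
    host = host_header.split(":")[0].lower()
    candidates = [v for v in parse_vhosts(files) if v["addr"] == addr]
    if not candidates:
        raise LookupError(f"no <VirtualHost {addr}> configured")
    for v in candidates:
        if any(fnmatch.fnmatchcase(host, pattern) for pattern in v["names"]):
            return v
    return candidates[0]


if __name__ == "__main__":
    # Same files, but the catch-all renamed so it no longer sorts first.
    misordered = {("zz-default.conf" if f == "00-default.conf" else f): t
                  for f, t in CONF_FILES.items()}
    for layout, files in (("00-default first", CONF_FILES), ("default last", misordered)):
        for host in ("wordpress.rs.local", "WWW.GitLab.rs.local:443",
                     "192.168.1.128", "unknown.example"):
            v = select_vhost(files, host)
            print(f"{layout:17} Host={host:24} -> {v['file']:18} denied={v['denied']}")
```

In the misordered layout an IP-address request is served by gitlab.rs.conf, and only the per-host `<If "%{HTTP_HOST} != ...">` block from the report still denies it; keeping the 00- prefix means that block is a second line of defence rather than the only one.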
8.1 Update Server-Side Services for LDAPS
Update SSSD configuration
vim /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
services = nss, pam
domains = rs.local
[domain/rs.local]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://centos.rs.local:636
ldap_search_base = dc=rs,dc=local
ldap_schema = rfc2307
ldap_tls_reqcert = allow
ldap_tls_cacert = /etc/openldap/certs/ldapserver.crt
ldap_id_use_start_tls = false
cache_credentials = true
enumerate = true
ldap_default_bind_dn = cn=admin,dc=rs,dc=local
ldap_default_authtok = Rish@bh123
[nss]
homedir_substring = /home
filter_groups = root
filter_users = root
[pam]
Restart SSSD
systemctl restart sssd
sssctl cache-expire -E
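The Step 3 and Step 8.1 sssd.conf files differ in how well they protect the LDAP traffic, and the difference is easy to miss by eye: Step 3 sends lookups and password binds in clear text (the flag that permits this is literally named never_use_in_production), while Step 8.1 moves to LDAPS but keeps `ldap_tls_reqcert = allow`, which accepts any server certificate, and both bind with the directory rootDN. The following added example (not part of the original report) audits both configs for these settings and checks an assumed hardened version; cn=sssd-bind and its password are placeholders, not accounts from the report.

```python
# Added example, not from the report: audit the transport and bind settings of
# an sssd.conf. The first two configs are trimmed copies of the report's Step 3
# (plain LDAP) and Step 8.1 (LDAPS) files; the third is an assumed hardened one.
import configparser

ROOT_DN = "cn=admin,dc=rs,dc=local"   # olcRootDN set in Step 2.2

STEP3_CONF = """\
[sssd]
domains = rs.local
[domain/rs.local]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://localhost
ldap_search_base = dc=rs,dc=local
ldap_tls_reqcert = never
ldap_id_use_start_tls = false
ldap_auth_disable_tls_never_use_in_production = true
ldap_default_bind_dn = cn=admin,dc=rs,dc=local
ldap_default_authtok = Rish@bh123
"""

STEP8_CONF = """\
[sssd]
domains = rs.local
[domain/rs.local]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://centos.rs.local:636
ldap_search_base = dc=rs,dc=local
ldap_tls_reqcert = allow
ldap_tls_cacert = /etc/openldap/certs/ldapserver.crt
ldap_id_use_start_tls = false
ldap_default_bind_dn = cn=admin,dc=rs,dc=local
ldap_default_authtok = Rish@bh123
"""

# Assumed hardening: demand a valid server certificate and bind with a read-only
# service account (cn=sssd-bind is a placeholder, not an account in the report).
HARDENED_CONF = """\
[sssd]
domains = rs.local
[domain/rs.local]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://centos.rs.local:636
ldap_search_base = dc=rs,dc=local
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/openldap/certs/ldapserver.crt
ldap_default_bind_dn = cn=sssd-bind,ou=services,dc=rs,dc=local
ldap_default_authtok = PLACEHOLDER-BIND-PASSWORD
"""


def audit(conf_text):
    """Return {finding_code: explanation} over every LDAP domain in the config."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    findings = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        d = cp[section]
        if d.get("id_provider") != "ldap" and d.get("auth_provider") != "ldap":
            continue
        uris = [u.strip() for u in d.get("ldap_uri", "").split(",") if u.strip()]
        starttls = d.getboolean("ldap_id_use_start_tls", fallback=False)
        # Lookups travel in clear text unless every URI is ldaps:// or StartTLS is on.
        if any(u.startswith("ldap://") for u in uris) and not starttls:
            findings["plaintext-ldap"] = "ldap:// URI without ldap_id_use_start_tls"
        # SSSD refuses clear-text password binds unless this flag is set.
        if d.getboolean("ldap_auth_disable_tls_never_use_in_production", fallback=False):
            findings["auth-tls-disabled"] = "user passwords sent to LDAP in clear text"
        # never/allow accept any certificate, so TLS gives no server authentication.
        if d.get("ldap_tls_reqcert", "hard") in ("never", "allow"):
            findings["cert-not-verified"] = "ldap_tls_reqcert=" + d["ldap_tls_reqcert"]
        # A compromised client would then hold the directory's admin credential.
        if d.get("ldap_default_bind_dn", "").lower() == ROOT_DN.lower():
            findings["binds-as-rootdn"] = "ldap_default_bind_dn is the olcRootDN"
    return findings


if __name__ == "__main__":
    for label, conf in (("Step 3", STEP3_CONF), ("Step 8.1", STEP8_CONF),
                        ("hardened", HARDENED_CONF)):
        print(f"{label:9}", sorted(audit(conf)) or "no findings")
```

The same checks apply unchanged to the client-side sssd.conf files in the Client Configuration Steps, which use the same settings.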
Update GitLab for LDAPS
vim /etc/gitlab/gitlab.rb
Update the LDAP configuration section:
gitlab_rails['ldap_servers'] = YAML.load <<-'EOS'
  main:
    label: 'LDAP'
    host: 'centos.rs.local'
    port: 636 # Changed from 389
    uid: 'uid'
    bind_dn: 'cn=admin,dc=rs,dc=local'
    password: 'Rish@bh123'
    encryption: 'simple_tls' # Changed from 'plain'
    verify_certificates: true # Changed from false
    ca_file: '/etc/openldap/certs/ldapserver.crt' # Added
    ssl_version: 'TLSv1_2' # Added
    smartcard_auth: false
    active_directory: false
    allow_username_or_email_login: false
    lowercase_usernames: false
    block_auto_created_users: false
    base: 'dc=rs,dc=local'
    user_filter: ''
    attributes:
      username: ['uid', 'userid', 'sAMAccountName']
      email: ['mail', 'email', 'userPrincipalName']
      name: 'cn'
      first_name: 'givenName'
      last_name: 'sn'
    group_base: 'ou=groups,dc=rs,dc=local'
    admin_group: 'admin'
    sync_ssh_keys: false
EOS
Copy certificate for GitLab
cp /etc/openldap/certs/ldapserver.crt /etc/gitlab/trusted-certs/
Reconfigure GitLab
gitlab-ctl reconfigure
gitlab-ctl restart
Test GitLab LDAP connection
gitlab-rake gitlab:ldap:check
Fix Apache startup issue
mkdir -p /etc/systemd/system/httpd.service.d/
vim /etc/systemd/system/httpd.service.d/network-wait.conf
[Unit]
After=network-online.target
Wants=network-online.target
Reload systemd and restart Apache
systemctl daemon-reload
systemctl restart httpd
Client Configuration Steps
Step 1: Initial Client Setup
Configure network settings
nmtui
IPv4: 192.168.1.201/24
Gateway: 192.168.1.1
DNS: 192.168.1.128
Set hostname
hostnamectl set-hostname c1.rs.local
Install basic tools
dnf install bash* wget unzip net-tools bind-utils vim
Test DNS resolution
nslookup centos.rs.local
ping centos.rs.local
Step 2: LDAP Client Configuration
Install LDAP client packages
dnf install openldap-clients sssd sssd-ldap oddjob-mkhomedir sssd-tools -y
Configure SSSD
vim /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
services = nss, pam, sudo
domains = rs.local
[domain/rs.local]
debug_level = 9
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://centos.rs.local:389
ldap_search_base = dc=rs,dc=local
ldap_schema = rfc2307
ldap_tls_reqcert = never
ldap_auth_disable_tls_never_use_in_production = true
ldap_id_use_start_tls = false
cache_credentials = true
enumerate = true
ldap_default_bind_dn = cn=admin,dc=rs,dc=local
ldap_default_authtok = Rish@bh123
[nss]
homedir_substring = /home
filter_groups = root
filter_users = root
[pam]
offline_credentials_expiration = 60
[sudo]
Set permissions
chmod 600 /etc/sssd/sssd.conf
chown root:root /etc/sssd/sssd.conf
Enable SSSD
systemctl enable sssd --now
Configure authentication
- Configure PAM to use SSSD for authentication and to create the home directory automatically on first login
authselect select sssd with-mkhomedir --force
systemctl enable oddjobd --now
Test LDAP user lookup
getent passwd it1
Test FTP access
ftp centos.rs.local
Login with LDAP credentials
SSH Configuration for LDAP Authentication
Verify SSH is configured to use PAM for LDAP authentication
vim /etc/ssh/sshd_config
Ensure the following is set:
UsePAM yes
Restart SSH service to apply changes
systemctl restart sshd
FTP Client Testing
Install FTP client
dnf install ftp
Test FTP connection using hostname
ftp centos.rs.local
Alternative test using IP address
ftp 192.168.1.128
Test FTP commands after login:
- Username: hr1
- Password: Hr1@123
pwd
ls
Create a test file and upload
put testfile.txt
Download a file from server
get testfile.txt
Exit FTP session
quit
Step 3: Centralized Home Directory Client Configuration
Install NFS and AutoFS
dnf install nfs-utils autofs -y
Remove local home directories
rm -rf /home/it1 /home/it2 /home/hr1 /home/hr2 /home/admin1 /home/admin2
Configure AutoFS master
vim /etc/auto.master
Add:
/home /etc/auto.home --timeout=60
Configure AutoFS home mapping
vim /etc/auto.home
* -rw,soft,intr centos.rs.local:/home/&
Enable AutoFS
systemctl enable autofs --now
Test centralized home directories
ls /home/hr1
su - it1
Step 4: LDAPS Client Configuration
Copy LDAP certificate from server
scp root@centos.rs.local:/etc/openldap/certs/ldapserver.crt /tmp/
cp /tmp/ldapserver.crt /etc/pki/ca-trust/source/anchors/
update-ca-trust
Update SSSD for LDAPS
vim /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
services = nss, pam, sudo
domains = rs.local
[domain/rs.local]
debug_level = 9
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://centos.rs.local:636
ldap_search_base = dc=rs,dc=local
ldap_schema = rfc2307
ldap_tls_reqcert = allow
ldap_tls_cacert = /etc/pki/ca-trust/source/anchors/ldapserver.crt
ldap_id_use_start_tls = false
cache_credentials = true
enumerate = true
ldap_default_bind_dn = cn=admin,dc=rs,dc=local
ldap_default_authtok = Rish@bh123
[nss]
homedir_substring = /home
filter_groups = root
filter_users = root
[pam]
offline_credentials_expiration = 60
[sudo]
Restart SSSD
systemctl restart sssd
sssctl cache-expire -E
Test LDAPS authentication
getent passwd it1
su - it1
Optional: Install GUI
Install GUI
yum group install "Server with GUI"
Set graphical target
systemctl set-default graphical.target
systemctl isolate graphical.target
Install VirtualBox Guest Additions (if running in VirtualBox)
Insert the Guest Additions CD in VirtualBox
dnf install -y kernel-headers kernel-devel
mount /dev/sr0 /mnt/
/mnt/VBoxLinuxAdditions.run
Testing and Verification
DNS Testing
From client
dig centos.rs.local
dig wordpress.rs.local
dig gitlab.rs.local
LDAP/LDAPS Authentication
Test user authentication
ssh it1@c1.rs.local
Password: It1@123
Test FTP access
ftp centos.rs.local
Username: hr1
Password: Hr1@123
Web Services Testing
- WordPress: https://wordpress.rs.local
- Admin login: wpadmin / Rish@bh123
- GitLab: https://gitlab.rs.local
- Root login: root / Rish@bh123
- LDAP user login: it1 / It1@123
Centralized Home Directory
From client, create file as LDAP user
su - it2
echo "Test file" > test-from-client.txt
exit
From server, verify file exists
ls -la /home/it2/test-from-client.txt
Service Status Verification
On server
systemctl status named slapd httpd vsftpd nfs-server
gitlab-ctl status
On client
systemctl status sssd autofs