OpenLDAP is a free, open-source implementation of the Lightweight Directory Access Protocol developed by the OpenLDAP Project. It is released under its own BSD-style license called the OpenLDAP Public License. LDAP is a platform-independent protocol.
Follow these steps to set up an OpenLDAP server on CentOS 7.
Log in as root:
sudo --login
Run package updates
yum update -y
Install the EPEL repository
yum install -y epel-release
Install nano editor
yum install -y nano
Install OpenLDAP
yum -y install openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel
- Start the LDAP daemon, enable it on boot and check that it is running:
systemctl start slapd
systemctl enable slapd
systemctl status slapd
Now create the password for the OpenLDAP administrative user (the rootDN). Running
slappasswd
prompts for a password and prints its hashed value, which we will use as the admin credential. Then create an LDIF file (ldaprootpasswd.ldif) that adds this hash to the config database:
nano ldaprootpasswd.ldif
Add the following contents, replacing PASSWORD_CREATED with the hash that slappasswd printed:
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}PASSWORD_CREATED
- Apply the entry with ldapadd, pointing it at the local ldapi:/// socket and the file above:
ldapadd -Y EXTERNAL -H ldapi:/// -f ldaprootpasswd.ldif
- Copy the sample database configuration file for slapd into the /var/lib/ldap directory, give it to the ldap user and restart slapd:
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown -R ldap:ldap /var/lib/ldap/DB_CONFIG
systemctl restart slapd
- import some basic LDAP schemas from the /etc/openldap/schema directory
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
- Next, configure your domain in the LDAP database. Create a file called ldapdomain.ldif with the following contents; entries in one LDIF file are separated by a blank line, and dc=example,dc=com, cn=auth and PASSWORD_CREATED must be replaced with your own domain, rootDN and password hash:
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=auth,dc=example,dc=com" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=example,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=auth,dc=example,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}PASSWORD_CREATED

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=auth,dc=example,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=auth,dc=example,dc=com" write by * read
- add the above configuration to the LDAP database
ldapmodify -Y EXTERNAL -H ldapi:/// -f ldapdomain.ldif
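To see what the three olcAccess rules on the {2}hdb database actually grant, here is an added example (my own code, not part of OpenLDAP or of this tutorial) that models the simplified first-match ACL semantics for exactly the clause forms the file uses: anonymous clients get only "auth" on userPassword (enough to bind, not to read the hash), each user can write their own password, and everyone can read every other attribute.

```python
import re

LEVELS = ["none", "auth", "compare", "search", "read", "write"]  # OpenLDAP privilege order

def parse_acl(rule):
    """'{n}to <what> by <who> <level> by ...' -> (<what>, [(<who>, <level>), ...])."""
    rule = re.sub(r"^\{\d+\}\s*", "", rule.strip())
    what, *bys = re.split(r"\s+by\s+", rule)
    return re.sub(r"^to\s+", "", what), [tuple(b.rsplit(None, 1)) for b in bys]

def what_matches(what, target_dn, attr):
    if what == "*":
        return True
    if what.startswith("attrs="):               # named attributes of any entry
        return attr.lower() in what[6:].lower().split(",")
    m = re.fullmatch(r'dn\.base="(.*)"', what)  # exactly one entry ("" is the root DSE)
    return bool(m) and target_dn.lower() == m.group(1).lower()

def who_matches(who, bind_dn, target_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return not bind_dn
    if who == "self":                           # bound as the very entry being accessed
        return bool(bind_dn) and bind_dn.lower() == target_dn.lower()
    m = re.fullmatch(r'dn(?:\.base|\.exact)?="(.*)"', who)  # plain dn= means exact match
    return bool(m) and bool(bind_dn) and bind_dn.lower() == m.group(1).lower()

def access_level(rules, bind_dn, target_dn, attr):
    """First rule whose <what> matches wins; inside it the first matching <by> sets the
    level. A matching <what> with no matching <by>, or no matching rule, grants 'none'."""
    for rule in rules:
        what, clauses = parse_acl(rule)
        if what_matches(what, target_dn, attr):
            return next((lvl for who, lvl in clauses if who_matches(who, bind_dn, target_dn)), "none")
    return "none"

def allowed(rules, bind_dn, target_dn, attr, needed):
    """True when the granted level is at least the level the operation needs."""
    return LEVELS.index(access_level(rules, bind_dn, target_dn, attr)) >= LEVELS.index(needed)

# The three olcAccess values from ldapdomain.ldif, one Python string each (constructed copy).
HDB_ACLS = [
    '{0}to attrs=userPassword,shadowLastChange by dn="cn=auth,dc=example,dc=com" write '
    'by anonymous auth by self write by * none',
    '{1}to dn.base="" by * read',
    '{2}to * by dn="cn=auth,dc=example,dc=com" write by * read',
]
```

The model ignores the `{n}` ordering prefixes beyond stripping them and only knows the `*`, `attrs=`, `dn.base=`, `dn=`, `anonymous` and `self` forms; real slapd supports many more, so treat it as a reading aid for this file, not a general ACL tester.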
- Create baseldapdomain.ldif with the base entries for the domain (the cn attribute of the rootDN entry must carry the same value as its RDN, cn=auth, or slapd rejects the add as a naming violation):
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectclass: organization
o: example com
dc: example

dn: cn=auth,dc=example,dc=com
objectClass: organizationalRole
cn: auth
description: Directory Manager

dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=example,dc=com
objectClass: organizationalUnit
ou: Group
- Add the entries to the LDAP directory, binding as the rootDN with the password you hashed earlier (-x selects a simple bind; it cannot be combined with -Y EXTERNAL):
ldapadd -x -D "cn=auth,dc=example,dc=com" -W -f baseldapdomain.ldif
- Create a local system user; the LDAP group and user entries below reuse its UID and GID
useradd tomahawk
passwd tomahawk
- Create an LDAP group
Create a file called ldapgroup.ldif (posixGroup requires both cn and gidNumber, and cn must match the RDN):
dn: cn=auth,ou=Group,dc=example,dc=com
objectClass: top
objectClass: posixGroup
cn: auth
gidNumber: 1005
Set gidNumber to the GID that /etc/group shows for tomahawk.
- Add it to the OpenLDAP directory:
ldapadd -x -D "cn=auth,dc=example,dc=com" -W -f ldapgroup.ldif
- Create the LDAP user entry
Create a file named tomahawk.ldif:
dn: uid=tomahawk,ou=People,dc=example,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: tomahawk
uid: tomahawk
uidNumber: 1005
gidNumber: 1005
homeDirectory: /home/tomahawk
userPassword: {SSHA}PASSWORD_HERE
loginShell: /bin/bash
gecos: tecmint
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0
** Run slappasswd to generate the hashed password for PASSWORD_HERE **
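Before feeding the entry files above to ldapadd, it helps to catch the mistakes slapd rejects at add time (an RDN value missing from the entry, a posixGroup without cn) and the one it accepts silently (a userPassword pasted in cleartext instead of the slappasswd hash). The checker below is an added example of my own, not part of OpenLDAP or of this tutorial; its parser handles only the LDIF features these files use and the sample records are constructed.

```python
import re

# MUST attributes (lower-case) of the two POSIX object classes the tutorial's entries use
REQUIRED = {"posixgroup": {"cn", "gidnumber"},
            "posixaccount": {"cn", "uid", "uidnumber", "gidnumber", "homedirectory"}}

def parse_ldif(text):
    """One {attr_lowercase: [values]} dict per blank-line-separated record (no '::' base64)."""
    out = []
    for block in re.split(r"\n\s*\n", text.strip()):
        # a line beginning with one space continues the previous line (LDIF folding)
        lines = [l for l in block.replace("\n ", "").splitlines() if not l.startswith("#")]
        entry = {}
        for line in lines:
            name, value = line.split(":", 1)
            entry.setdefault(name.strip().lower(), []).append(value.strip())
        if entry:
            out.append(entry)
    return out

def check_entry(entry):
    """Mistakes slapd rejects (naming violation, missing MUST) or that weaken security."""
    problems, dn = [], entry["dn"][0]
    rdn_attr, rdn_val = dn.split(",")[0].split("=", 1)   # simple DNs only, no escaped commas
    if rdn_val not in entry.get(rdn_attr.lower(), []):
        problems.append(f"{dn}: RDN value '{rdn_val}' is not present in attribute {rdn_attr}")
    for oc in entry.get("objectclass", []):
        missing = REQUIRED.get(oc.lower(), set()) - set(entry)
        if missing:
            problems.append(f"{dn}: objectClass {oc} requires {sorted(missing)}")
    if any(not v.startswith("{") for v in entry.get("userpassword", [])):
        problems.append(f"{dn}: userPassword is not a slappasswd hash")
    return problems

def check_ldif(text):
    return [p for e in parse_ldif(text) for p in check_entry(e)]

# Constructed sample with three slips a draft entry file can contain: an RDN of cn=auth but
# a 'cn: Manager' attribute, a posixGroup with no cn, and a cleartext userPassword.
SAMPLE = """dn: cn=auth,dc=example,dc=com
objectClass: organizationalRole
cn: Manager

dn: cn=auth,ou=Group,dc=example,dc=com
objectClass: posixGroup
gidNumber: 1005

dn: uid=tomahawk,ou=People,dc=example,dc=com
uid: tomahawk
userPassword: secret
"""
```

Running `check_ldif(open("tomahawk.ldif").read())` on your own file prints nothing for a clean entry and one line per problem otherwise.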
- Add the above file to the LDAP directory:
ldapadd -x -D "cn=auth,dc=example,dc=com" -W -f tomahawk.ldif
Once these steps are done you can also use a graphical tool such as Apache Directory Studio to manage the directory and add further users and groups without writing LDIF files by hand.
Optional steps
LDAPS (LDAP over SSL/TLS)
- Generate a self-signed certificate and a private key with OpenSSL so clients can talk to the OpenLDAP server over TLS (-nodes leaves the key unencrypted so slapd can load it without a passphrase):
openssl req -new -x509 -nodes -out \
/etc/openldap/certs/auth.example.com.cert \
-keyout /etc/openldap/certs/auth.example.com.key \
-days 365
- Change the owner and group so OpenLDAP can read the files, and keep the private key readable by the ldap user only:
chown -R ldap:ldap /etc/openldap/certs
chmod 600 /etc/openldap/certs/auth.example.com.key
- Now create ssl.ldif to point OpenLDAP at the certificate and key:
dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/auth.example.com.cert

dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/auth.example.com.key
- Apply the file to the config database:
ldapmodify -Y EXTERNAL -H ldapi:/// -f ssl.ldif
- Check the resulting configuration for errors with
slaptest -u
Note that on CentOS 7 slapd only listens for LDAPS on port 636 once ldaps:/// has been added to SLAPD_URLS in /etc/sysconfig/slapd and the service restarted, and that clients must trust the self-signed certificate (for the OpenLDAP command-line clients, via TLS_CACERT in /etc/openldap/ldap.conf).
You have completed the OpenLDAP setup on CentOS 7.