Syamkumar
Setup an OpenLDAP Server in Centos


OpenLDAP is a free, open-source implementation of the Lightweight Directory Access Protocol developed by the OpenLDAP Project. It is released under its own BSD-style license called the OpenLDAP Public License. LDAP is a platform-independent protocol.

Follow these steps to set up an OpenLDAP server on CentOS 7.

  • Log in as root (every command below needs root privileges): sudo --login

  • Apply pending package updates: yum update -y

  • Install the EPEL repository package: yum install -y epel-release

  • Install the nano editor, used below to write the LDIF files: yum install -y nano

  • Install OpenLDAP

yum -y install openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel
  • Start the LDAP daemon, enable it at boot and check that it is running
systemctl start slapd
systemctl enable slapd
systemctl status slapd
  • Now create a password for the OpenLDAP administrative user
    Run slappasswd: it prompts for the password twice and prints a salted SHA-1 hash of the form {SSHA}..., which is what gets stored in the configuration in place of the clear-text password. Keep that output; PASSWORD_CREATED in the LDIF files below stands for it.

  • Create an LDIF file (ldaprootpasswd.ldif) that sets this hash as the root password of the configuration database (cn=config)

nano ldaprootpasswd.ldif

Add the following contents to it, with the hash from slappasswd in place of PASSWORD_CREATED:

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}PASSWORD_CREATED
  • Apply the change over the local Unix socket. -H ldapi:/// selects that socket and -Y EXTERNAL authenticates with the SASL EXTERNAL mechanism, i.e. as the root user that owns the connection, which is the only identity allowed to modify cn=config at this point (that is also why the command asks for no password).
ldapadd -Y EXTERNAL -H ldapi:/// -f ldaprootpasswd.ldif
  • Copy the sample database configuration file for slapd into /var/lib/ldap, make the ldap user its owner (it is a single file, so no recursion is needed) and restart slapd.
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown ldap:ldap /var/lib/ldap/DB_CONFIG
systemctl restart slapd
  • Load the basic schemas from /etc/openldap/schema. cosine defines the account object class, nis defines posixAccount, shadowAccount and posixGroup, and inetorgperson defines inetOrgPerson; the user and group entries created later depend on them.
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
  • Configure your domain in the database: create a file called ldapdomain.ldif with the contents below, replacing dc=example,dc=com with your own base DN and PASSWORD_CREATED with the slappasswd hash. The olcAccess values that span two lines use LDIF line folding: a continuation line starts with one space, which is removed when the lines are joined, so the second space on those lines is the one that separates the words.
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
  read by dn.base="cn=auth,dc=example,dc=com" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=example,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=auth,dc=example,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}PASSWORD_CREATED

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by
  dn="cn=auth,dc=example,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=auth,dc=example,dc=com" write by * read

The olcAccess rules are what make this directory usable as an authentication source without leaking secrets: the manager (cn=auth) can write userPassword and shadowLastChange, anonymous clients may only use them to bind (auth), each user may change their own, and nobody else can read them; the root DSE is readable by everyone; every other attribute is writable by the manager and readable by everyone, anonymous clients included. Note that cn=auth is also the olcRootDN, and the root DN bypasses access control entirely, so the explicit clauses naming it only matter if you later point olcRootDN elsewhere. If you do not want unauthenticated clients to enumerate users and groups, change the final "by * read" to "by users read" and configure your NSS/PAM clients with a bind DN.

  • Apply the configuration with ldapmodify over the local socket
ldapmodify -Y EXTERNAL -H ldapi:/// -f ldapdomain.ldif
  • Create baseldapdomain.ldif with the top-level entries: the base object, the manager entry named in olcRootDN, and the People and Group organizational units. The cn attribute of the manager entry has to carry the value used in its RDN (cn=auth); slapd refuses an entry whose naming attribute value is missing.
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectclass: organization
o: example com
dc: example

dn: cn=auth,dc=example,dc=com
objectClass: organizationalRole
cn: auth
description: Directory Manager

dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=example,dc=com
objectClass: organizationalUnit
ou: Group

  • Add the entries to the LDAP directory. Bind as the manager with simple authentication (-x) and the password whose hash you stored in olcRootPW (-W prompts for it). Do not combine -x with -Y EXTERNAL: they select different authentication methods and the client tools reject the pair.
ldapadd -x -D "cn=auth,dc=example,dc=com" -W -f baseldapdomain.ldif
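Two LDIF rules used by the files above are easy to get wrong, and slapd's error messages for them are terse: a folded line continues with exactly one leading space (which is dropped on joining, so the two-space continuations in ldapdomain.ldif are deliberate), and an entry being added must contain the attribute value used in its RDN (the cn=auth entry needs cn: auth). The shell functions below are an added example, not part of the original post or of OpenLDAP; the function names are mine and the sample LDIF inside demo_ldif_check is constructed for the example. They unfold LDIF and check the naming rule offline, before ldapadd runs; the check is naive about escaped commas and base64 (dn::) values.

```shell
#!/bin/sh
# Added example: lint LDIF for the RDN/naming-attribute rule before ldapadd.
# Not part of the original post or of OpenLDAP; uses only POSIX sh and awk.

# Join LDIF continuation lines. A line starting with one space continues the
# previous line and that single space is dropped, so "a: to * by\n  x" -> "a: to * by x"
# but "a: to * by\n x" -> "a: to * byx" (the classic one-space mistake).
ldif_unfold() {
  awk '
    /^ / { buf = buf substr($0, 2); next }
    { if (started) print buf; buf = $0; started = 1 }
    END { if (started) print buf }
  '
}

# Read LDIF on stdin. For every entry that would be added (no "changetype: modify"),
# require that the RDN attribute=value of its dn appears as an attribute line.
# Prints one MISSING line per offending entry and returns 1 if any was found.
# Naive by design: no escaped commas in DNs, no base64 (dn::) values, one RDN component.
ldif_check_naming() {
  ldif_unfold | awk '
    function reset(   k) { dn = ""; changetype = ""; for (k in have) delete have[k] }
    function flush(   parts, rdn, key) {
      if (dn != "" && changetype != "modify") {
        split(dn, parts, ",")
        split(parts[1], rdn, "=")
        key = tolower(rdn[1]) ":" tolower(rdn[2])   # LDAP compares cn/uid/ou case-insensitively
        if (!(key in have)) {
          printf "MISSING naming attribute %s for dn: %s\n", parts[1], dn
          rc = 1
        }
      }
      reset()
    }
    /^#/ { next }
    /^dn: / { dn = substr($0, 5); next }
    /^changetype: / { changetype = $2; next }
    /^$/ { flush(); next }
    /^[^:]+: / {
      i = index($0, ": ")
      have[tolower(substr($0, 1, i - 1)) ":" tolower(substr($0, i + 2))] = 1
    }
    END { flush(); exit rc }
  '
}

# Constructed sample: the group entry as first written in this post (no cn attribute)
# and the same entry fixed. Returns 0 when the lint flags the first and accepts the second.
demo_ldif_check() {
  broken='dn: cn=auth,ou=Group,dc=example,dc=com
objectClass: top
objectClass: posixGroup
gidNumber: 1005'
  fixed="$broken
cn: auth"
  if printf '%s\n' "$broken" | ldif_check_naming; then return 1; fi
  printf '%s\n' "$fixed" | ldif_check_naming
}

# Usage on a real file (hypothetical paths from this post):
# ldif_check_naming < baseldapdomain.ldif && ldapadd -x -D "cn=auth,dc=example,dc=com" -W -f baseldapdomain.ldif
```

Entries with changetype: modify are skipped because they change existing objects and carry no naming attribute of their own; the ldapdomain.ldif and ssl.ldif files therefore pass through unchecked apart from the unfolding.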
  • Create a local system account for the user. This only reserves a UID and GID on this host; the directory entries for the user and group come next and must use the same numbers. Check them in /etc/passwd and /etc/group after useradd (this post assumes 1005 for both).
useradd tomahawk
passwd tomahawk
  • Create an LDAP group: create a file called ldapgroup.ldif
dn: cn=auth,ou=Group,dc=example,dc=com
objectClass: top
objectClass: posixGroup
cn: auth
gidNumber: 1005

gidNumber is the GID of tomahawk's group in /etc/group. posixGroup requires both cn and gidNumber, and cn must carry the value used in the RDN (auth here), otherwise ldapadd fails with a naming violation.

  • Add it to the OpenLDAP directory, binding as the manager as before.
ldapadd -x -W -D "cn=auth,dc=example,dc=com" -f ldapgroup.ldif
  • Create the LDAP user: create a file named tomahawk.ldif
dn: uid=tomahawk,ou=People,dc=example,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: tomahawk
uid: tomahawk
uidNumber: 1005
gidNumber: 1005
homeDirectory: /home/tomahawk
userPassword: {SSHA}PASSWORD_HERE
loginShell: /bin/bash
gecos: tomahawk
shadowLastChange: 0
shadowMax: 99999
shadowWarning: 7

Run slappasswd again to generate the hash for this user's password and paste it in place of PASSWORD_HERE; never put a clear-text password in userPassword. uidNumber and gidNumber must match the local account created above. shadowLastChange: 0 makes pam_unix demand a password change at the first login; shadowMax is the maximum password age in days (a value of 0 would mark the password as already expired and lock the user out).

  • Add the file to the LDAP directory, binding as the manager as before
ldapadd -x -D "cn=auth,dc=example,dc=com" -W -f tomahawk.ldif
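The {SSHA} value that slappasswd prints, used above for olcRootPW and for the user's userPassword, is base64(SHA-1(password || salt) || salt) with a random 4-byte salt. The functions below are an added example, not part of the original post or of OpenLDAP (the function names are mine): they produce and verify such hashes with coreutils only, so you can create a userPassword value on a host without openldap-servers or check a hash taken from an LDIF dump. The salt argument of ssha_make is hex and optional (it comes from /dev/urandom when omitted); ssha_verify also accepts the unsalted {SHA} form, which it treats as a zero-length salt.

```shell
#!/bin/sh
# Added example: build and check {SSHA}/{SHA} userPassword values the way slappasswd does.
# Not part of the original post or of OpenLDAP. Needs sha1sum, base64, od, sed, mktemp.

# Write the bytes of a hex string to stdout (POSIX sh: one octal escape per byte).
hex2bin() {
  h=$1
  while [ -n "$h" ]; do
    rest=${h#??}
    byte=${h%"$rest"}
    printf "\\$(printf '%03o' "0x$byte")"
    h=$rest
  done
}

# ssha_make PASSWORD [SALT_HEX] -> {SSHA}base64(sha1(password||salt)||salt)
ssha_make() {
  pw=$1
  salt_hex=${2:-$(head -c 4 /dev/urandom | od -An -tx1 | tr -d ' \n')}
  digest_hex=$({ printf '%s' "$pw"; hex2bin "$salt_hex"; } | sha1sum | cut -d' ' -f1)
  printf '{SSHA}%s\n' "$({ hex2bin "$digest_hex"; hex2bin "$salt_hex"; } | base64)"
}

# ssha_verify STORED PASSWORD -> 0 if PASSWORD matches, 1 if not, 2 if the scheme is unsupported.
# Handles {SSHA} (20-byte digest followed by the salt) and unsalted {SHA}.
ssha_verify() {
  stored=$1
  pw=$2
  case $stored in
    '{SSHA}'*|'{SHA}'*) ;;
    *) return 2 ;;
  esac
  b64=$(printf '%s\n' "$stored" | sed 's/^{[A-Z]*}//')
  tmp=$(mktemp) || return 2
  printf '%s' "$b64" | base64 -d > "$tmp"
  stored_hex=$(head -c 20 "$tmp" | od -An -tx1 | tr -d ' \n')
  # Everything after the 20-byte digest is the salt (empty for {SHA}).
  calc_hex=$({ printf '%s' "$pw"; tail -c +21 "$tmp"; } | sha1sum | cut -d' ' -f1)
  rm -f "$tmp"
  [ "$stored_hex" = "$calc_hex" ]
}

# Usage (constructed): make a value for tomahawk.ldif, then check it.
# h=$(ssha_make 'correct horse'); ssha_verify "$h" 'correct horse' && echo match
```

SSHA is a single salted SHA-1 round, so a dumped hash is cheap to brute-force offline; it is adequate only because the ACLs above keep userPassword unreadable. OpenLDAP can store other schemes (olcPasswordHash, and slappasswd -h to select one), which is worth considering for a production directory.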

Once these steps are done you can also use a graphical tool such as Apache Directory Studio to manage the directory and add further users and groups without writing LDIF files by hand.

Optional Steps

LDAPS (LDAP over SSL/TLS)

  • Generate a self-signed certificate and private key with OpenSSL so clients can talk to the server over TLS. openssl prompts for the subject fields; set the Common Name to the DNS name clients will use for the server (auth.example.com here), since clients check the certificate against the host name they connect to. -nodes leaves the key unencrypted, which slapd needs because it cannot prompt for a passphrase at start-up.
openssl req -new -x509 -nodes -out \
/etc/openldap/certs/auth.example.com.cert \
-keyout /etc/openldap/certs/auth.example.com.key \
-days 365

  • Change the owner and group so slapd can read the files, and make sure the private key is readable by that user only (the certificate is public, the key is not):
chown -R ldap:ldap /etc/openldap/certs
  • Now create ssl.ldif to point slapd at the certificate and key:
dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/auth.example.com.cert

dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/auth.example.com.key
  • Apply it with ldapmodify
ldapmodify -Y EXTERNAL -H ldapi:/// -f ssl.ldif
  • Check the configuration and enable the ldaps listener. slaptest -u only parses the configuration (it does not open the databases or perform a TLS handshake). On CentOS 7 slapd listens only on the URLs listed in SLAPD_URLS in /etc/sysconfig/slapd, which are ldapi:/// and ldap:/// by default, so add ldaps:/// there and restart slapd before expecting port 636 to answer. Clients also have to trust the self-signed certificate, for example by pointing TLS_CACERT in /etc/openldap/ldap.conf at a copy of it.
slaptest -u
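Two things the LDAPS steps rely on but do not carry out are enabling the ldaps:/// listener in /etc/sysconfig/slapd and keeping the private key unreadable to anyone but the ldap user. The functions below are an added example, not part of the original post (function names are mine): they make the first change idempotently and check the second, taking file paths as parameters so they can be exercised on temporary copies; ldaps_probe is a post-deployment check against a live server with openssl s_client and assumes the CentOS 7 CA bundle path when no CA file is given.

```shell
#!/bin/sh
# Added example: enable the ldaps:/// listener and check TLS file permissions.
# Not part of the original post. Targets CentOS 7, where slapd reads SLAPD_URLS
# from /etc/sysconfig/slapd and ignores any listener not named there.

# enable_ldaps_url FILE: add ldaps:/// to SLAPD_URLS in FILE if it is not there yet.
# Idempotent; appends a full SLAPD_URLS line if the file has none. Rewrites the file
# in place via cat so ownership and mode are preserved.
enable_ldaps_url() {
  f=$1
  if grep -q '^SLAPD_URLS=.*ldaps:///' "$f"; then
    return 0
  fi
  if grep -q '^SLAPD_URLS=' "$f"; then
    tmp=$(mktemp) || return 1
    sed 's|^SLAPD_URLS="\(.*\)"|SLAPD_URLS="\1 ldaps:///"|' "$f" > "$tmp" && cat "$tmp" > "$f"
    rm -f "$tmp"
  else
    printf 'SLAPD_URLS="ldapi:/// ldap:/// ldaps:///"\n' >> "$f"
  fi
  grep -q '^SLAPD_URLS=.*ldaps:///' "$f"
}

# slapd_urls FILE: print the configured URL list (empty if unset).
slapd_urls() {
  sed -n 's|^SLAPD_URLS="\(.*\)"|\1|p' "$1"
}

# key_is_private FILE: true only if FILE exists and group/other have no permission bits,
# i.e. the mode column of ls -l reads -rw------- (or stricter).
key_is_private() {
  [ -f "$1" ] || return 1
  [ "$(ls -ld "$1" | cut -c5-10)" = '------' ]
}

# ldaps_probe HOST [CAFILE]: handshake against port 636 and verify the server chain.
# A self-signed certificate only verifies when its own file is passed as CAFILE
# (the one written to /etc/openldap/certs above); the default is the system bundle.
ldaps_probe() {
  host=$1
  ca=${2:-/etc/pki/tls/certs/ca-bundle.crt}
  printf 'Q\n' | openssl s_client -connect "$host:636" -servername "$host" -CAfile "$ca" 2>/dev/null \
    | grep -q 'Verify return code: 0 (ok)'
}

# Usage on the real host (hypothetical paths from this post):
# enable_ldaps_url /etc/sysconfig/slapd && systemctl restart slapd
# key_is_private /etc/openldap/certs/auth.example.com.key || chmod 600 /etc/openldap/certs/auth.example.com.key
# ldaps_probe auth.example.com /etc/openldap/certs/auth.example.com.cert && echo "LDAPS up"
```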

You have completed the OpenLDAP setup on CentOS 7.
