Hello there! In this post, I’m going to cover the installation and initial configuration of open-source directory server called OpenLDAP. The platform I’m using here is CentOS 7. So, if you’re on different distribution or maybe in different version, the mentioned steps might slightly vary.
What is OpenLDAP?
OpenLDAP is an open-source implementation of Lightweight Directory Access Protocol, which is developed and maintained by OpenLDAP Project. LDAP is a platform-independent protocol and most of the linux distribution utilizes it for directory service. It also runs on various BSD and Microsoft platforms as well.
Installation
Now, without any further adieu, let’s get into the installation of OpenLDAP server in CentOS. OpenLDAP packages can be installed from CentOS’s base repository as well.
[code language=”bash”]
$ sudo yum -y install openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel
[/code]
Once installed, let’s run the server and also set it to run in system startup.
[code language=”bash”]
$ sudo systemctl start slapd
$ sudo systemctl enable slapd
[/code]
Before getting into configuration of directory service, let’s create a password for admin user i.e. ldapadm.
[code language=”bash”]
$ sudo slappasswd
[/code]
This will display a SHA1 hash value, which we need to keep safely for future use. Next, let’s define our domain suffix and admin password for our directory server.
[code language=”bash”]
$ vi db.ldif
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=sajjan,dc=com,dc=np
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=ldapadm,dc=sajjan,dc=com,dc=np
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: <output of slappasswd>
$ sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f db.ldif
[/code]
In above config, olcSuffix defines the domain name of the server. olcRootDn defines the root/admin user to manage this domain. And olcRootPW defines the password of the root user.
Then, let’s restrict monitor access to ldapadm user so that other users cannot do that.
[code language=”bash”]
$ vi monitor.ldif
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external, cn=auth" read by dn.base="cn=ldapadm,dc=sajjan,dc=com,dc=np" read by * none
$ sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f monitor.ldif
[/code]
It is also a best practice to use SSL for LDAP communications. In this post, I’m using a self-signed certificate for this purpose. You may prefer to use a commercial one.
[code language=”bash”]
$ sudo openssl req -new -x509 -nodes -out /etc/openldap/certs/sajjan.pem -keyout /etc/openldap/certs/sajjankey.pem -days 365
# Change certifcates’ owner to ldap
$ sudo chown -R ldap:ldap /etc/openldap/certs/*.pem
[/code]
Configure OpenLDAP server to use this certificate.
[code language=”bash”]
$ vi certs.ldif
dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/sajjan.pem
dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/sajjankey.pem
$ sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f certs.ldif
[/code]
This completes the basic setup of OpenLDAP server. We can verify the correctness of our configuration like this:
[code language=”bash”]
$ sudo slaptest -u
config file testing succeeded
[/code]
Next, let’s also populate our directory server with a sample database. To do so, we need to copy the sample database into /var/lib/ldap with updated file permissions.
[code language=”bash”]
$ sudo cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
$ sudo chown ldap:ldap /var/lib/ldap/*
$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
[/code]
Then, let’s create a base database for our domain and insert it to our directory.
[code language=”bash”]
$ vi base.ldif
dn: dc=sajjan,dc=com,dc=np
dc: sajjan
objectClass: top
objectClass: domain
dn: cn=ldapadm ,dc=sajjan,dc=com,dc=np
objectClass: organizationalRole
cn: ldapadm
description: LDAP Manager
dn: ou=People,dc=sajjan,dc=com,dc=np
objectClass: organizationalUnit
ou: People
dn: ou=Group,dc=dristi,dc=com,dc=np
objectClass: organizationalUnit
ou: Group
$ sudo ldapadd -x -W -D "cn=ldapadm,dc=sajjan,dc=com,dc=np" -f base.ldif
# Enter the password that you set using slappasswd above
[/code]
Now, I’m adding a user account for myself in this directory server. First, I define a ldif file and then add it to the directory.
[code language=”bash”]
$ vi sajjan.ldif
dn: uid=sajjan,ou=People,dc=sajjan,dc=com,dc=np
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: sajjan
uid: sajjan
uidNumber: 9999
gidNumber: 100
homeDirectory: /home/sajjan
loginShell: /bin/bash
gecos: Sajjan [Admin (at) Sajjan.com.np]
userPassword: {crypt}x
shadowLastChange: 17058
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
$ sudo ldapadd -x -W -D "cn=ldapadm,dc=sajjan,dc=com,dc=np" -f sajjan.ldif
# Set password for this user
$ sudo ldappasswd -s sajjan123 -W -D "cn=ldapadm,dc=sajjan,dc=com,dc=np" -x "uid
=sajjan,ou=People,dc=sajjan,dc=com,dc=np"
[/code]
Finally, let’s confirm that the user sajjan has been successfully added.
[code language=”bash”]
$ ldapsearch -x cn=sajjan -b dc=sajjan,dc=com,dc=np
[/code]
This completes the initial configuration of OpenLDAP server. To assist with the administration task, it is also useful to enable its logging.
[code language=”bash”]
$ sudo vi /etc/rsyslog.conf
# Append this line to the end
local4.* /var/log/ldap.log
$ sudo systemctl restart rsyslog
[/code]
Finally, let’s also permit LDAP connections to this server from the network.
[code language=”bash”]
$ sudo firewall-cmd –permanent –add-service=ldap
$ sudo firewall-cmd –reload
[/code]
Authentication in Linux System Using OpenLDAP Server
Now that we’ve got our OpenLDAP server ready,we can perform external authentication in our Linux servers using user accounts defined in our directory server. In my case, the IP address of LDAP server is 192.168.1.10 and that of the client server is 192.168.1.20. Now, let’s configure the client machine to authenticate with LDAP server.
[code language=”bash”]
# In client machine, first install client packages
$ sudo yum install -y openldap-clients nss-pam-ldapd
$ sudo authconfig –enableldap –enableldapauth –ldapserver=192.168.1.10 –ldapbasedn="dc=sajjan,dc=com,dc=np" –enablemkhomedir –update
$ sudo systemctl restart nslcd
[/code]
If you’ve completed all the earlier steps correctly, your client machine should now be connected with the OpenLDAP server. We can verify this by querying for the user account in LDAP server. In my case, I had created a user called sajjan in LDAP server earlier. I can also login to this client machine using the LDAP user and once I login, a home directory is created in client machine for this user.
[code language=”bash”]
$ sudo getent passwd sajjan
sajjan:x:9999:100:Sajjan [Admin (at) Sajjan.com.np]:/home/sajjan:/bin/bash
$ su – sajjan
[sajjan@ldap ~]$ pwd
/home/sajjan
[/code]
Well, this is it for this post. To summarize, we’ve learned about the OpenLDAP, its installation, basic configuration and integration with LDAP clients. I hope this has been useful for you. If you’ve any question or feedback, please let me know in the Comments section below. Thank you for reading!
Leave a Reply