Deploying OpenLDAP server on CentOS7 – Getting Started Guide

Hello there! In this post, I’m going to cover the installation and initial configuration of the open-source directory server OpenLDAP. The platform I’m using here is CentOS 7, so if you’re on a different distribution or version, the steps may vary slightly.

What is OpenLDAP?


OpenLDAP is an open-source implementation of the Lightweight Directory Access Protocol (LDAP), developed and maintained by the OpenLDAP Project. LDAP is a platform-independent protocol, and most Linux distributions use it for directory services; OpenLDAP also runs on various BSD and Microsoft platforms.

Installation

Now, without further ado, let’s get into the installation of the OpenLDAP server on CentOS. The OpenLDAP packages are available from CentOS’s base repository.

$ sudo yum -y install openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel

Once installed, let’s start the server and also enable it at system startup.

$ sudo systemctl start slapd
$ sudo systemctl enable slapd

Before getting into the configuration of the directory service, let’s create a password for the admin user, ldapadm.

$ sudo slappasswd

This prints a salted SHA-1 ({SSHA}) hash of the password, which we need to keep safely for use in the next step. Next, let’s define the domain suffix and the admin DN and password for our directory server.

$ vi db.ldif
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=sajjan,dc=com,dc=np

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=ldapadm,dc=sajjan,dc=com,dc=np

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: <output of slappasswd>

$ sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f db.ldif

In the config above, olcSuffix defines the base DN (domain) of the directory, olcRootDN defines the root/admin user that manages this suffix, and olcRootPW holds the hashed password of that user.

Then, let’s restrict access to the monitor database so that only the local root user (connecting through the ldapi socket) and ldapadm can read it; everyone else is denied.

$ vi monitor.ldif
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=ldapadm,dc=sajjan,dc=com,dc=np" read by * none

$ sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f monitor.ldif

It is also a best practice to use TLS for LDAP communications. In this post, I’m using a self-signed certificate for this purpose. You may prefer one issued by a commercial or internal CA.

$ sudo openssl req -new -x509 -nodes -out /etc/openldap/certs/sajjan.pem -keyout /etc/openldap/certs/sajjankey.pem -days 365
# Change the certificates' owner to ldap
$ sudo chown -R ldap:ldap /etc/openldap/certs/*.pem

Configure the OpenLDAP server to use this certificate and key.

$ vi certs.ldif
dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/sajjan.pem

dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/sajjankey.pem

$ sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f certs.ldif

This completes the basic setup of OpenLDAP server. We can verify the correctness of our configuration like this:

$ sudo slaptest -u
config file testing succeeded

Next, let’s prepare the directory database and load the standard schemas. To do so, we copy the example DB_CONFIG into /var/lib/ldap, fix the file ownership, and then add the cosine, nis and inetorgperson schemas.

$ sudo cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
$ sudo chown ldap:ldap /var/lib/ldap/*
$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

Then, let’s create the base entries for our domain and add them to the directory.

$ vi base.ldif
dn: dc=sajjan,dc=com,dc=np
dc: sajjan
objectClass: top
objectClass: domain

dn: cn=ldapadm,dc=sajjan,dc=com,dc=np
objectClass: organizationalRole
cn: ldapadm
description: LDAP Manager

dn: ou=People,dc=sajjan,dc=com,dc=np
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=sajjan,dc=com,dc=np
objectClass: organizationalUnit
ou: Group
$ sudo ldapadd -x -W -D "cn=ldapadm,dc=sajjan,dc=com,dc=np" -f base.ldif
# Enter the password that you set using slappasswd above

Now, I’m adding a user account for myself to this directory server. First, I define an LDIF file and then add it to the directory.

$ vi sajjan.ldif
dn: uid=sajjan,ou=People,dc=sajjan,dc=com,dc=np
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: sajjan
uid: sajjan
uidNumber: 9999
gidNumber: 100
homeDirectory: /home/sajjan
loginShell: /bin/bash
gecos: Sajjan [Admin (at) Sajjan.com.np]
userPassword: {crypt}x
shadowLastChange: 17058
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
$ sudo ldapadd -x -W -D "cn=ldapadm,dc=sajjan,dc=com,dc=np" -f sajjan.ldif
# Set password for this user
# Note: -s puts the password on the command line and in your shell history; drop it and use -S to be prompted instead
$ sudo ldappasswd -s sajjan123 -W -D "cn=ldapadm,dc=sajjan,dc=com,dc=np" -x "uid=sajjan,ou=People,dc=sajjan,dc=com,dc=np"
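Hand-written LDIF like base.ldif and sajjan.ldif is easy to get subtly wrong (a stray blank inside a DN, an entry whose DN lies outside the suffix, an entry added before its parent), and ldapadd only reports such problems at load time, one entry at a time. The checker below is an added example, not code from the original post: SUFFIX is taken from the olcSuffix above, and SAMPLE_LDIF is a constructed file in the shape of base.ldif with two of those defects deliberately included.

```python
SUFFIX = "dc=sajjan,dc=com,dc=np"  # the olcSuffix set in db.ldif
# Constructed sample in the shape of base.ldif with two deliberate defects:
# a stray space before a comma, and an ou whose dc= part names another domain.
SAMPLE_LDIF = """\
dn: dc=sajjan,dc=com,dc=np
objectClass: domain

dn: cn=ldapadm ,dc=sajjan,dc=com,dc=np
objectClass: organizationalRole

dn: ou=Group,dc=dristi,dc=com,dc=np
objectClass: organizationalUnit
"""

def normalize_dn(dn: str) -> str:
    """Case-fold and strip blanks around commas (escaped commas not handled)."""
    return ",".join(part.strip() for part in dn.split(",")).lower()

def parse_ldif(text: str) -> list[dict[str, list[str]]]:
    """Minimal LDIF reader: drops comments, unfolds continuation lines, splits on blank lines."""
    logical: list[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]      # folded line continues the previous one
        elif not raw.startswith("#"):   # comment lines are dropped
            logical.append(raw)
    entries, attrs = [], {}
    for line in logical + [""]:         # trailing "" flushes the last record
        if line.strip():
            name, _, value = line.partition(":")   # base64 (::) values stay undecoded
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        elif attrs:                     # blank line ends a record
            entries.append(attrs)
            attrs = {}
    return entries

def check_ldif(text: str, suffix: str = SUFFIX) -> list[str]:
    """Return findings in file order; an empty list means the LDIF is clean."""
    findings, nsuffix, seen = [], normalize_dn(suffix), set()
    for entry in parse_ldif(text):
        dn = entry.get("dn", [""])[0]
        ndn = normalize_dn(dn)
        if dn != ",".join(p.strip() for p in dn.split(",")):
            findings.append(f"{dn!r}: whitespace around a comma in the DN")
        if ndn != nsuffix and not ndn.endswith("," + nsuffix):
            findings.append(f"{dn!r}: DN is outside suffix {suffix}")
        elif ndn != nsuffix and ndn.split(",", 1)[1] not in seen:
            findings.append(f"{dn!r}: parent entry is not defined earlier in this file")
        seen.add(ndn)                   # later entries may hang below this one
    return findings
```

Run check_ldif on the file you are about to pass to ldapadd; a clean result does not prove the schema is satisfied, only that the tree structure and DNs are consistent.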

Finally, let’s confirm that the user sajjan has been successfully added.

$ ldapsearch -x cn=sajjan -b dc=sajjan,dc=com,dc=np

This completes the initial configuration of the OpenLDAP server. To assist with administration, it is also useful to enable logging: slapd sends its messages to the local4 syslog facility, so we direct that facility to a file.

$ sudo vi /etc/rsyslog.conf
# Append this line to the end
local4.* /var/log/ldap.log
$ sudo systemctl restart rsyslog

Finally, let’s also permit LDAP connections to this server from the network.

$ sudo firewall-cmd --permanent --add-service=ldap
$ sudo firewall-cmd --reload

Authentication in Linux System Using OpenLDAP Server

Now that we’ve got our OpenLDAP server ready, we can authenticate users on our other Linux servers against the accounts defined in the directory. In my case, the IP address of the LDAP server is 192.168.1.10 and that of the client server is 192.168.1.20. Now, let’s configure the client machine to authenticate with the LDAP server.

# In client machine, first install client packages
$ sudo yum install -y openldap-clients nss-pam-ldapd
$ sudo authconfig --enableldap --enableldapauth --ldapserver=192.168.1.10 --ldapbasedn="dc=sajjan,dc=com,dc=np" --enablemkhomedir --update
$ sudo systemctl restart nslcd

If you’ve completed all the earlier steps correctly, your client machine should now be able to authenticate against the OpenLDAP server. We can verify this by querying the LDAP server for the user account; in my case, I created a user called sajjan earlier. I can also log in to this client machine as the LDAP user, and on first login a home directory is created for that user. Note that the authconfig command above talks to the server over plain LDAP on port 389; to use the TLS certificate configured earlier, add --enableldaptls and make the client trust that certificate (for example with --ldaploadcacert pointing at a copy of sajjan.pem).

$ sudo getent passwd sajjan
sajjan:x:9999:100:Sajjan [Admin (at) Sajjan.com.np]:/home/sajjan:/bin/bash
$ su - sajjan
[sajjan@ldap ~]$ pwd
/home/sajjan

Well, that’s it for this post. To summarize, we’ve learned about OpenLDAP, its installation, basic configuration and integration with LDAP clients. I hope this has been useful for you. If you have any questions or feedback, please let me know in the comments section below. Thank you for reading!