In this article, I will take you through the steps to install and configure an OpenLDAP server on RHEL / CentOS 7. LDAP stands for Lightweight Directory Access Protocol and is generally used for client authentication: a client establishes a session and then runs operations such as search, read and write. LDAP servers are widely used in organizations to store user names and passwords on a centralized server against which users authenticate before using the applications and services on the network. LDAP is based on the X.500 directory services architecture; over time it was modified and slimmed down to improve lookup response time, hence the name Lightweight Directory Access Protocol.
What is LDAP
LDAP stands for Lightweight Directory Access Protocol. It is used for consolidating all the services in one directory service, which is then accessed and managed by LDAP clients such as email clients, mail servers and web browsers. LDAP runs over the TCP/IP stack to access and manage the directory service.
What is LDIF
An LDIF (LDAP Data Interchange Format) file is a standard text file which can be used for configuring and storing information in an LDAP directory. It is usually used for adding or modifying data inside the LDAP directory server, subject to the schema rules accepted by the directory.
What is an Attribute
An attribute is like a variable which holds a value. Attributes come in different types depending on the values they hold, just like variables in programming languages, which can be of type int, char, float, double, etc.
Install and Configure OpenLDAP Server on Linux
Step 1: Prerequisites
a) You need to have a running RHEL/CentOS 7 based system.
b) You should have the yum tool installed on your system. Please check Top 22 YUM Command Examples in RedHat/CentOS 7 to know more about the yum utility.
c) You should have root or sudo access to run privileged commands. Please check How to Add User to Sudoers to know more about providing sudo access to a user.
Step 2: Update Your System
Before going through the steps to set up the OpenLDAP server, it is always recommended to update your server. This can be done by using the yum update -y command as shown below. This will download and install all the latest available updates from the repository.
[root@localhost ~]# yum update -y
Loaded plugins: fastestmirror
Determining fastest mirrors
 * base: d36uatko69830t.cloudfront.net
 * extras: d36uatko69830t.cloudfront.net
 * updates: d36uatko69830t.cloudfront.net
base                                  | 3.6 kB  00:00:00
extras                                | 2.9 kB  00:00:00
updates                               | 2.9 kB  00:00:00
(1/4): base/7/x86_64/group_gz         | 153 kB  00:00:00
(2/4): extras/7/x86_64/primary_db     | 205 kB  00:00:00
(3/4): updates/7/x86_64/primary_db    | 3.0 MB  00:00:00
(4/4): base/7/x86_64/primary_db       | 6.1 MB  00:00:01
Resolving Dependencies
--> Running transaction check
---> Package acl.x86_64 0:2.2.51-14.el7 will be updated
---> Package acl.x86_64 0:2.2.51-15.el7 will be an update
---> Package bash.x86_64 0:4.2.46-33.el7 will be updated
---> Package bash.x86_64 0:4.2.46-34.el7 will be an update
---> Package bind-export-libs.x86_64 32:9.11.4-9.P2.el7 will be updated
---> Package bind-export-libs.x86_64 32:9.11.4-16.P2.el7_8.6 will be an update
---> Package binutils.x86_64 0:2.27-41.base.el7_7.2 will be updated
---> Package binutils.x86_64 0:2.27-43.base.el7_8.1 will be an update
---> Package ca-certificates.noarch 0:2019.2.32-76.el7_7 will be updated
---> Package ca-certificates.noarch 0:2020.2.41-70.0.el7_8 will be an update
---> Package centos-release.x86_64 0:7-7.1908.0.el7.centos will be updated
---> Package centos-release.x86_64 0:7-8.2003.0.el7.centos will be an update
---> Package cloud-init.x86_64 0:18.5-3.el7.centos will be updated
---> Package cloud-init.x86_64 0:18.5-6.el7.centos.5 will be an update
---> Package cryptsetup-libs.x86_64 0:2.0.3-5.el7 will be updated
---> Package cryptsetup-libs.x86_64 0:2.0.3-6.el7 will be an update
---> Package curl.x86_64 0:7.29.0-54.el7_7.2 will be updated
Step 3: Install OpenLDAP Server
After successfully updating the server you can now install the LDAP packages using the yum install openldap openldap-servers -y command as shown below. This command will download and install the OpenLDAP server packages from the enabled repository.
[root@localhost ~]# yum install openldap openldap-servers -y
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: d36uatko69830t.cloudfront.net
 * extras: d36uatko69830t.cloudfront.net
 * updates: d36uatko69830t.cloudfront.net
Package openldap-2.4.44-21.el7_6.x86_64 already installed and latest version
Resolving Dependencies
--> Running transaction check
---> Package openldap-servers.x86_64 0:2.4.44-21.el7_6 will be installed
--> Processing Dependency: perl(warnings) for package: openldap-servers-2.4.44-21.el7_6.x86_64
--> Processing Dependency: perl(strict) for package: openldap-servers-2.4.44-21.el7_6.x86_64
--> Processing Dependency: perl(POSIX) for package: openldap-servers-2.4.44-21.el7_6.x86_64
--> Processing Dependency: libperl.so()(64bit) for package: openldap-servers-2.4.44-21.el7_6.x86_64
--> Processing Dependency: libltdl.so.7()(64bit) for package: openldap-servers-2.4.44-21.el7_6.x86_64
--> Running transaction check
---> Package libtool-ltdl.x86_64 0:2.4.2-22.el7_3 will be installed
---> Package perl.x86_64 4:5.16.3-295.el7 will be installed
--> Processing Dependency: perl(Socket) >= 1.3 for package: 4:perl-5.16.3-295.el7.x86_64
--> Processing Dependency: perl(Scalar::Util) >= 1.10 for package: 4:perl-5.16.3-295.el7.x86_64
--> Processing Dependency: perl-macros for package: 4:perl-5.16.3-295.el7.x86_64
--> Processing Dependency: perl(threads::shared) for package: 4:perl-5.16.3-295.el7.x86_64
--> Processing Dependency: perl(threads) for package: 4:perl-5.16.3-295.el7.x86_64
--> Processing Dependency: perl(constant) for package: 4:perl-5.16.3-295.el7.x86_64
--> Processing Dependency: perl(Time::Local) for package: 4:perl-5.16.3-295.el7.x86_64
--> Processing Dependency: perl(Time::HiRes) for package: 4:perl-5.16.3-295.el7.x86_64
--> Processing Dependency: perl(Storable) for package: 4:perl-5.16.3-295.el7.x86_64
Step 4: Install OpenLDAP Client
Then you have to install the OpenLDAP client packages on your client system using the yum install openldap-clients -y command as shown below.
[root@localhost ~]# yum install openldap-clients -y
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: d36uatko69830t.cloudfront.net
 * extras: d36uatko69830t.cloudfront.net
 * updates: d36uatko69830t.cloudfront.net
base                                  | 3.6 kB  00:00:00
extras                                | 2.9 kB  00:00:00
updates                               | 2.9 kB  00:00:00
Resolving Dependencies
--> Running transaction check
---> Package openldap-clients.x86_64 0:2.4.44-21.el7_6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

========================================================================
 Package              Arch       Version               Repository  Size
========================================================================
Installing:
 openldap-clients     x86_64     2.4.44-21.el7_6       base       190 k

Transaction Summary
========================================================================
Install  1 Package

Total download size: 190 k
Installed size: 571 k
Downloading packages:
openldap-clients-2.4.44-21.el7_6.x86_64.rpm           | 190 kB  00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : openldap-clients-2.4.44-21.el7_6.x86_64                1/1
  Verifying  : openldap-clients-2.4.44-21.el7_6.x86_64                1/1

Installed:
  openldap-clients.x86_64 0:2.4.44-21.el7_6

Complete!
Step 5: Start and Enable OpenLDAP Services
Start the slapd service by using the systemctl start slapd command as shown below.
[root@localhost ~]# systemctl start slapd
Then enable the slapd service by using the systemctl enable slapd command.
[root@localhost ~]# systemctl enable slapd
Created symlink from /etc/systemd/system/multi-user.target.wants/slapd.service to /usr/lib/systemd/system/slapd.service.
Check the status by using the systemctl status slapd command.
[root@localhost ~]# systemctl status slapd
● slapd.service - OpenLDAP Server Daemon
   Loaded: loaded (/usr/lib/systemd/system/slapd.service; enabled; vendor preset: disabled)
   Active: active (running) since Sun 2020-07-26 05:43:17 UTC; 14s ago
     Docs: man:slapd
           man:slapd-config
           man:slapd-hdb
           man:slapd-mdb
           file:///usr/share/doc/openldap-servers/guide.html
 Main PID: 8620 (slapd)
   CGroup: /system.slice/slapd.service
           └─8620 /usr/sbin/slapd -u ldap -h ldapi:/// ldap:///

Jul 26 05:43:17 localhost systemd[1]: Starting OpenLDAP Server Daemon...
Jul 26 05:43:17 localhost runuser[8604]: pam_unix(runuser:session): session opened for user ldap by (uid=0)
Jul 26 05:43:17 localhost runuser[8604]: pam_unix(runuser:session): session closed for user ldap
Jul 26 05:43:17 localhost slapd[8618]: @(#) $OpenLDAP: slapd 2.4.44 (Jan 29 2019 17:42:45) $
                                       mockbuild@x86-01.bsys.centos.org:/builddir/build/BUILD/openldap-2.4.44/openldap-2.4.44/servers/slapd
Jul 26 05:43:17 localhost slapd[8618]: tlsmc_get_pin: INFO: Please note the extracted key file will not be protected with a PIN any more, however it will b...rmissions.
Jul 26 05:43:17 localhost slapd[8620]: hdb_db_open: warning - no DB_CONFIG file found in directory /var/lib/ldap: (2). Expect poor performance for suffix "dc=my-domain,dc=com".
Jul 26 05:43:17 localhost slapd[8620]: slapd starting
Jul 26 05:43:17 localhost systemd[1]: Started OpenLDAP Server Daemon.
Hint: Some lines were ellipsized, use -l to show in full.
Step 6: Setup OpenLDAP root user password
The next step is to set up the OpenLDAP root password using the slappasswd command as shown below. It prompts for the new password twice and prints the password hash that you will use in the following steps.
[root@localhost ~]# slappasswd
New password:
Re-enter new password:
{SSHA}8me5NZZz1LfgLIfUTezj/01TKiBMZUux
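The {SSHA} value slappasswd prints above is base64(SHA-1(password + salt) + salt) with a 4-byte random salt. The following Python is an added example, not part of this article or of OpenLDAP, that builds and verifies such values so you can confirm what a stored olcRootPW or userPassword hash will accept; the only page value it uses is the Step 6 hash, whose password is unknown here.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

PREFIX = "{SSHA}"
DIGEST_LEN = 20          # SHA-1 output size


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Build a {SSHA} value the way slappasswd does by default.

    The stored form is base64(SHA-1(password || salt) || salt); slappasswd uses a
    4-byte random salt, which is what we draw when none is supplied.
    """
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_split(stored: str) -> Tuple[bytes, bytes]:
    """Return (digest, salt) from a stored {SSHA} value, rejecting malformed input."""
    if not stored.startswith(PREFIX):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len(PREFIX):], validate=True)
    if len(raw) <= DIGEST_LEN:
        raise ValueError("too short to hold a SHA-1 digest plus salt")
    return raw[:DIGEST_LEN], raw[DIGEST_LEN:]


def ssha_verify(password: str, stored: str) -> bool:
    """Check a candidate password the way slapd does on a simple bind.

    The salt is taken from the stored value, the candidate is hashed with it
    and the digests are compared in constant time.
    """
    digest, salt = ssha_split(stored)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


# The value slappasswd printed in Step 6 above. Its password is unknown here, but
# decoding it shows the expected 20-byte digest followed by a 4-byte salt.
STEP6_HASH = "{SSHA}8me5NZZz1LfgLIfUTezj/01TKiBMZUux"

if __name__ == "__main__":
    fresh = ssha_hash("example-only")                  # new random salt each run
    print(fresh, ssha_verify("example-only", fresh), ssha_verify("wrong", fresh))
    print("salt bytes in the Step 6 hash:", len(ssha_split(STEP6_HASH)[1]))
```

Note that Step 13 later pastes this same Step 6 hash into the user's userPassword, which gives that account the same password as the directory root; run slappasswd once per account instead.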
Step 7: Configure OpenLDAP Server
You can set the root password of the configuration database by loading the LDIF file below.
[root@localhost ~]# vi ldaprootpasswd.ldif
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}PASSWORD_CREATED
olcDatabase={0}config : the config database instance, whose entry can be found under /etc/openldap/slapd.d/cn=config.
changetype : the type of operation to perform - add/modify/delete.
add : perform an add operation (here, add the olcRootPW attribute).
olcRootPW : the administrative user's hashed password. Replace PASSWORD_CREATED with the {SSHA} hash printed by slappasswd in Step 6.
Add the above entry by using the ldapadd -Y EXTERNAL -H ldapi:/// -f ldaprootpasswd.ldif command as shown below.
[root@localhost ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f ldaprootpasswd.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={0}config,cn=config"
-Y : Specify the SASL mechanism to be used for authentication. If it is not specified, the program will choose the best mechanism the server knows. More can be found on the ldapadd man page.
-H : Specify URI(s) referring to the LDAP server(s); only the protocol/host/port fields are allowed.
-f : Read the entry modification information from the file instead of from standard input.
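ldapadd and ldapmodify read an LDIF file line by line: every non-blank line must be attribute: value, a value may only continue onto the next line if that line starts with one space, and a blank line ends a record. The following Python checker is an added example, not from this article or from the OpenLDAP tools, that applies those rules and reports the offending line number the way ldapmodify does; its sample LDIF is constructed from the Step 9 monitor entry, once folded correctly and once broken by a plain line break.

```python
import base64
import re

# "attr: value" or "attr:: base64-value"; any other non-blank line is not valid LDIF
ATTR_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9.;-]*)(::?) ?(.*)$")


def unfold(text):
    """Join continuation lines (one leading space) onto the line above, keeping
    each logical line's first physical line number for error reporting."""
    out = []
    for n, raw in enumerate(text.splitlines(), 1):
        if raw.startswith(" "):
            if not out or out[-1][0] == "":
                raise ValueError(f"invalid format (line {n})")
            out[-1] = (out[-1][0] + raw[1:], out[-1][1])
        else:
            out.append((raw, n))
    return out


def parse_ldif(text):
    """Return the records as lists of (attribute, value); blank lines separate records."""
    records, current = [], None
    for line, n in unfold(text):
        if line == "":
            if current:
                records.append(current)
            current = None
            continue
        if line.startswith("#"):
            continue
        m = ATTR_LINE.match(line)
        if not m:
            raise ValueError(f"invalid format (line {n})")
        attr, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8")
        if current is None:
            if attr.lower() != "dn":
                raise ValueError(f"record must start with dn (line {n})")
            current = []
        current.append((attr, value))
    if current:
        records.append(current)
    return records


def check_ldif(text):
    """Return "ok", or the message ldapmodify would print for the first bad line."""
    try:
        parse_ldif(text)
    except ValueError as e:
        return str(e)
    return "ok"


# Constructed samples: the Step 9 monitor entry with its long olcAccess value
# folded correctly (line 4 ends with a space, line 5 starts with one, which the
# fold removes) and then broken by a plain line break, the "line 5" error case.
FOLDED = (
    "dn: olcDatabase={1}monitor,cn=config\nchangetype: modify\nreplace: olcAccess\n"
    'olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" \n'
    ' read by dn.base="cn=service,dc=test,dc=com" read by * none\n'
)
BROKEN = FOLDED.replace("\n read by", "\nread by")
```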
Step 8: Configure OpenLDAP Sample Database
Copy the DB_CONFIG Example.
[root@localhost ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
Change the ownership of the file to the ldap user and group.
[root@localhost ~]# chown -R ldap:ldap /var/lib/ldap/DB_CONFIG
Restart the slapd service by using the systemctl restart slapd command.
[root@localhost ~]# systemctl restart slapd
Now load the cosine, nis and inetorgperson schemas using the ldapadd commands below.
[root@localhost ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"
[root@localhost ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"
[root@localhost ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"
Step 9: Add Domain Configuration
To add the domain configuration, you need to use the LDIF file below. Each dn block is one modification, and each olcAccess value must stay on a single line.
[root@localhost ~]# vi ldapdomain.ldif
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=service,dc=test,dc=com" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=test,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=service,dc=test,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}PASSWORD

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=service,dc=test,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=service,dc=test,dc=com" write by * read
Now apply the modifications by using the ldapmodify command below.
[root@localhost ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f ldapdomain.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}monitor,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
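To see what the three olcAccess values added to the hdb database actually grant, here is an added evaluator (not part of this article or of OpenLDAP) that applies slapd's rule of first matching to clause, then first matching by clause, to a request. It covers only the what/who forms used in this step, assumes that dn= without a style means an exact DN match (slapd's default), and treats a request that no clause matches as denied.

```python
import shlex

# slapd access levels, weakest to strongest; a granted level satisfies any weaker one
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# The three olcAccess values Step 9 adds to olcDatabase={2}hdb, in slapd's order
HDB_ACLS = [
    '{0}to attrs=userPassword,shadowLastChange by dn="cn=service,dc=test,dc=com" write'
    ' by anonymous auth by self write by * none',
    '{1}to dn.base="" by * read',
    '{2}to * by dn="cn=service,dc=test,dc=com" write by * read',
]


def parse_acl(line):
    """Split one olcAccess value into (what, [(who, level), ...])."""
    tokens = shlex.split(line)                    # shlex keeps the quoted DNs whole
    if tokens[0].startswith("{"):                 # drop the {n} ordering prefix
        tokens[0] = tokens[0].split("}", 1)[1]
    if tokens[0] != "to":
        raise ValueError(f"bad access directive: {line}")
    what, rest, bys = tokens[1], tokens[2:], []
    while rest:
        if len(rest) < 3 or rest[0] != "by" or rest[2] not in LEVELS:
            raise ValueError(f"bad by clause in: {line}")
        bys.append((rest[1], rest[2]))
        rest = rest[3:]
    return what, bys


def what_matches(what, entry_dn, attr):
    if what == "*":
        return True
    if what.startswith("attrs="):                 # named attributes of any entry
        return attr is not None and attr.lower() in what[6:].lower().split(",")
    if what.startswith("dn.base="):               # exactly this entry ("" is the root DSE)
        return entry_dn.lower() == what[8:].lower()
    raise ValueError(f"unsupported <what>: {what}")


def who_matches(who, requester, entry_dn):
    """requester is the bound DN, or None for an anonymous connection."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "self":                             # the bound DN is the entry itself
        return requester is not None and requester.lower() == entry_dn.lower()
    if who.startswith("dn=") or who.startswith("dn.base="):   # exact DN match (assumed)
        return requester is not None and requester.lower() == who.split("=", 1)[1].lower()
    raise ValueError(f"unsupported <who>: {who}")


def allowed(acls, requester, entry_dn, attr, needed):
    """First <what> matching the target wins, then the first <who> matching the requester."""
    for what, bys in (parse_acl(a) for a in acls):
        if not what_matches(what, entry_dn, attr):
            continue
        for who, level in bys:
            if who_matches(who, requester, entry_dn):
                return LEVELS.index(level) >= LEVELS.index(needed)
        return False          # no by clause matched: implicit "by * none"
    return False              # no to clause matched: access denied


SERVICE = "cn=service,dc=test,dc=com"
USER = "uid=cyberithub,ou=servicegroup,dc=test,dc=com"
```

With these rules an anonymous client can bind against userPassword but never read it, a user can change only their own password, cn=service can write everything, and everything except the password attributes is readable by anyone, including anonymous clients.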
Step 10: Add Entries to OpenLDAP Database
You can add a few more entries to the directory service using the LDIF file below.
[root@localhost ~]# cat baseldapdomain.ldif
dn: dc=test,dc=com
objectClass: top
objectClass: dcObject
objectclass: organization
o: test com
dc: test

dn: cn=service,dc=test,dc=com
objectClass: organizationalRole
cn: service
description: Service Account

dn: ou=service1,dc=test,dc=com
objectClass: organizationalUnit
ou: Account

dn: ou=servicegroup,dc=test,dc=com
objectClass: organizationalUnit
ou: Group

dn: ou=servicegroup1,dc=test,dc=com
objectClass: organizationalUnit
ou: Group
Now add the above entries by using the ldapadd -x -D cn=service,dc=test,dc=com -W -f baseldapdomain.ldif command as shown below.
[root@localhost ~]# ldapadd -x -D cn=service,dc=test,dc=com -W -f baseldapdomain.ldif
Enter LDAP Password:
adding new entry "dc=test,dc=com"
adding new entry "cn=service,dc=test,dc=com"
adding new entry "ou=service1,dc=test,dc=com"
adding new entry "ou=servicegroup,dc=test,dc=com"
adding new entry "ou=servicegroup1,dc=test,dc=com"
Step 11: Create a LDAP User
In the next step, you need to create a user and set a password for that user. Here we are creating a user cyberithub by using the useradd cyberithub command and then setting its password by using the passwd cyberithub command as shown below.
[root@localhost ~]# useradd cyberithub
[root@localhost ~]# passwd cyberithub
Changing password for user cyberithub.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
Step 12: Create LDAP Group Definitions
You can use the LDIF file below to create the group definition.
[root@localhost ~]# vi ldapgroup.ldif
dn: cn=service,ou=servicegroup,dc=test,dc=com
objectClass: top
objectClass: posixGroup
gidNumber: 1005
Then add the above group definition using the ldapadd -x -W -D "cn=service,dc=test,dc=com" -f ldapgroup.ldif command as shown below.
[root@localhost ~]# ldapadd -x -W -D "cn=service,dc=test,dc=com" -f ldapgroup.ldif
Enter LDAP Password:
adding new entry "cn=service,ou=servicegroup,dc=test,dc=com"
Step 13: Create LDAP User Definitions
You can use the LDIF file below to create the user definition.
[root@localhost ~]# vi ldapuser.ldif
dn: uid=cyberithub,ou=servicegroup,dc=test,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: cyberithub
uid: cyberithub
uidNumber: 1005
gidNumber: 1005
homeDirectory: /home/cyberithub
userPassword: {SSHA}8me5NZZz1LfgLIfUTezj/01TKiBMZUux
loginShell: /bin/bash
gecos: cyberithub
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0
Now add the entry by using the ldapadd -x -D cn=service,dc=test,dc=com -W -f ldapuser.ldif command as shown below.
[root@localhost ~]# ldapadd -x -D cn=service,dc=test,dc=com -W -f ldapuser.ldif
Enter LDAP Password:
adding new entry "uid=cyberithub,ou=servicegroup,dc=test,dc=com"
Step 14: Test OpenLDAP Server Authentication
Now it is time to test the OpenLDAP server authentication by using the authconfig command as shown below.
[root@localhost ~]# authconfig --enableldap --enableldapauth --ldapserver=ldap.test.com --ldapbasedn="dc=test,dc=com" --enablemkhomedir --update
When creating and executing the ldapdomain.ldif file, I see the below error:
ldapmodify invalid format (line 5) entry: "olcDatabase={1}monitor,cn=config"
same message for me
Hi Rey,
Could you also please provide more information about the error you are getting? Please check if you are using spaces properly.
Hi Jacob,
Could you please provide more information about the error you are getting? Could you please check if you are using spaces properly?
The problem is that in the ldapdomain.ldif file you need to have lines 4 and 5 on the same line:
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=service,dc=test,dc=com" read by * none
You need to format the text; the lines are copied incorrectly.
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=service,dc=test,dc=com" read by * none
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=test,dc=com
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=service,dc=test,dc=com
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}PASSWORD
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=service,dc=test,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=service,dc=test,dc=com" write by * read
Hi, just found out: use the below entry in the ldapdomain.ldif file. It's working for me!
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=itzgeek,dc=local
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=ldapadm,dc=itzgeek,dc=local
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}d/thexcQUuSfe3rx3gRaEhHpNJ52N8D3
If you are installing on CentOS 8, in some cases the default database is mdb instead of hdb.
After firing the below command
authconfig --enableldap --enableldapauth --ldapserver=ldap.test.com --ldapbasedn="dc=test,dc=com" --enablemkhomedir --update
I am getting the below message:
Warning: Unsupported locale setting.
authconfig: Authentication module /usr/lib64/security/pam_ldap.so is missing. Authentication process might not work correctly.
Same issue I am getting.
yum install -y pam_ldap
yum install pam_ldap*, then execute the above command
Adding password policy ... any document
I am getting the below error when I am starting the slapd service. I have disabled SELinux.
Nov 14 09:01:58 ldap systemd[1]: slapd.service: control process exited, code=exited status=1
Nov 14 09:01:58 ldap systemd[1]: Failed to start OpenLDAP Server Daemon.
-- Subject: Unit slapd.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit slapd.service has failed.
--
-- The result is failed.
Nov 14 09:01:58 ldap systemd[1]: Unit slapd.service entered failed state.
Nov 14 09:01:58 ldap systemd[1]: slapd.service failed.
Nov 14 09:01:58 ldap polkitd[610]: Unregistered Authentication Agent for unix-process:1100:30037 (system bus name :1.28, object path /org/freedesk
lines 1851-1867/1867 (END)
When running ldapadd -x -D cn=service,dc=test,dc=com -W -f baseldapdomain.ldif, I receive "invalid password".
What is the proper way to reset the slapd password?