Cyberithub

Best Steps to Install and Configure OpenLDAP Server on RHEL/CentOS 7

In this article, I will take you through the steps to install and configure an OpenLDAP server on RHEL/CentOS 7. LDAP (Lightweight Directory Access Protocol) is generally used for client authentication, establishing a session in which operations such as search, read and write can be run. LDAP servers are widely used in organizations to store user names and passwords on a centralized server, against which users authenticate before using the applications and services on the network. LDAP is mainly based on the X.500 directory services architecture. Over time it was modified and upgraded into a lightweight version to improve lookup response time, hence the name Lightweight Directory Access Protocol.

What is LDAP

LDAP stands for Lightweight Directory Access Protocol. It is used to consolidate services into one directory service, which is then accessed and managed by LDAP clients such as email clients, mail servers and web browsers. LDAP uses the TCP/IP stack to access and manage directory services.

What is LDIF

An LDIF (LDAP Interchange Format) file is a standard text file used for configuring and storing information in an LDAP directory. It is usually used to add or modify data inside the LDAP directory server, subject to the schema rules accepted by the directory.

What is an Attribute

An attribute is like a variable that holds a value. It can be of different types depending on the values it holds, just as a variable in a programming language can be of type int, char, float, double, etc.

Install and Configure OpenLDAP Server on Linux

Step 1: Prerequisites

a) You need to have a running RHEL/CentOS 7 based system.

b) You should have the yum tool installed on your system. See Top 22 YUM Command Examples in RedHat/CentOS 7 to learn more about the yum utility.

c) You should have root or sudo access to run privileged commands. See How to Add User to Sudoers to learn more about giving a user sudo access.

 

Step 2: Update Your System

Before going through the steps to set up the OpenLDAP server, it is always recommended to update your server. This can be done with the yum update -y command as shown below, which downloads and installs all the latest available updates from the repo.

[root@localhost ~]# yum update -y
Loaded plugins: fastestmirror
Determining fastest mirrors
* base: d36uatko69830t.cloudfront.net
* extras: d36uatko69830t.cloudfront.net
* updates: d36uatko69830t.cloudfront.net
base | 3.6 kB 00:00:00
extras | 2.9 kB 00:00:00
updates | 2.9 kB 00:00:00
(1/4): base/7/x86_64/group_gz | 153 kB 00:00:00
(2/4): extras/7/x86_64/primary_db | 205 kB 00:00:00
(3/4): updates/7/x86_64/primary_db | 3.0 MB 00:00:00
(4/4): base/7/x86_64/primary_db | 6.1 MB 00:00:01
Resolving Dependencies
--> Running transaction check
---> Package acl.x86_64 0:2.2.51-14.el7 will be updated
---> Package acl.x86_64 0:2.2.51-15.el7 will be an update
---> Package bash.x86_64 0:4.2.46-33.el7 will be updated
---> Package bash.x86_64 0:4.2.46-34.el7 will be an update
---> Package bind-export-libs.x86_64 32:9.11.4-9.P2.el7 will be updated
---> Package bind-export-libs.x86_64 32:9.11.4-16.P2.el7_8.6 will be an update
---> Package binutils.x86_64 0:2.27-41.base.el7_7.2 will be updated
---> Package binutils.x86_64 0:2.27-43.base.el7_8.1 will be an update
---> Package ca-certificates.noarch 0:2019.2.32-76.el7_7 will be updated
---> Package ca-certificates.noarch 0:2020.2.41-70.0.el7_8 will be an update
---> Package centos-release.x86_64 0:7-7.1908.0.el7.centos will be updated
---> Package centos-release.x86_64 0:7-8.2003.0.el7.centos will be an update
---> Package cloud-init.x86_64 0:18.5-3.el7.centos will be updated
---> Package cloud-init.x86_64 0:18.5-6.el7.centos.5 will be an update
---> Package cryptsetup-libs.x86_64 0:2.0.3-5.el7 will be updated
---> Package cryptsetup-libs.x86_64 0:2.0.3-6.el7 will be an update
---> Package curl.x86_64 0:7.29.0-54.el7_7.2 will be updated

 

Step 3: Install OpenLDAP Server

After successfully updating the server, you can install the LDAP packages using the yum install openldap openldap-servers -y command as shown below. This command downloads and installs the OpenLDAP server packages from the enabled repository.

[root@localhost ~]# yum install openldap openldap-servers -y
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: d36uatko69830t.cloudfront.net
* extras: d36uatko69830t.cloudfront.net
* updates: d36uatko69830t.cloudfront.net
Package openldap-2.4.44-21.el7_6.x86_64 already installed and latest version
Resolving Dependencies
--> Running transaction check
---> Package openldap-servers.x86_64 0:2.4.44-21.el7_6 will be installed
--> Processing Dependency: perl(warnings) for package: openldap-servers-2.4.44-21.el7_6.x86_64
--> Processing Dependency: perl(strict) for package: openldap-servers-2.4.44-21.el7_6.x86_64
--> Processing Dependency: perl(POSIX) for package: openldap-servers-2.4.44-21.el7_6.x86_64
--> Processing Dependency: libperl.so()(64bit) for package: openldap-servers-2.4.44-21.el7_6.x86_64
--> Processing Dependency: libltdl.so.7()(64bit) for package: openldap-servers-2.4.44-21.el7_6.x86_64
--> Running transaction check
---> Package libtool-ltdl.x86_64 0:2.4.2-22.el7_3 will be installed
---> Package perl.x86_64 4:5.16.3-295.el7 will be installed
--> Processing Dependency: perl(Socket) >= 1.3 for package: 4:perl-5.16.3-295.el7.x86_64
--> Processing Dependency: perl(Scalar::Util) >= 1.10 for package: 4:perl-5.16.3-295.el7.x86_64
--> Processing Dependency: perl-macros for package: 4:perl-5.16.3-295.el7.x86_64
--> Processing Dependency: perl(threads::shared) for package: 4:perl-5.16.3-295.el7.x86_64
--> Processing Dependency: perl(threads) for package: 4:perl-5.16.3-295.el7.x86_64
--> Processing Dependency: perl(constant) for package: 4:perl-5.16.3-295.el7.x86_64
--> Processing Dependency: perl(Time::Local) for package: 4:perl-5.16.3-295.el7.x86_64
--> Processing Dependency: perl(Time::HiRes) for package: 4:perl-5.16.3-295.el7.x86_64
--> Processing Dependency: perl(Storable) for package: 4:perl-5.16.3-295.el7.x86_64

 

Step 4: Install OpenLDAP Client

Then install the OpenLDAP client packages on your client system using the yum install openldap-clients -y command as shown below.

[root@localhost ~]# yum install openldap-clients -y
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: d36uatko69830t.cloudfront.net
* extras: d36uatko69830t.cloudfront.net
* updates: d36uatko69830t.cloudfront.net
base | 3.6 kB 00:00:00
extras | 2.9 kB 00:00:00
updates | 2.9 kB 00:00:00
Resolving Dependencies
--> Running transaction check
---> Package openldap-clients.x86_64 0:2.4.44-21.el7_6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

========================================================================================================================================================================
Package Arch Version Repository Size
========================================================================================================================================================================
Installing:
openldap-clients x86_64 2.4.44-21.el7_6 base 190 k

Transaction Summary
========================================================================================================================================================================
Install 1 Package

Total download size: 190 k
Installed size: 571 k
Downloading packages:
openldap-clients-2.4.44-21.el7_6.x86_64.rpm | 190 kB 00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : openldap-clients-2.4.44-21.el7_6.x86_64 1/1
Verifying : openldap-clients-2.4.44-21.el7_6.x86_64 1/1

Installed:
openldap-clients.x86_64 0:2.4.44-21.el7_6

Complete!

 

Step 5: Start and Enable OpenLDAP Services

Start slapd service by using systemctl start slapd command as shown below.

[root@localhost ~]# systemctl start slapd

Then enable the slapd service by using the systemctl enable slapd command.

[root@localhost ~]# systemctl enable slapd
Created symlink from /etc/systemd/system/multi-user.target.wants/slapd.service to /usr/lib/systemd/system/slapd.service.

Check the status by using systemctl status slapd command.

[root@localhost ~]# systemctl status slapd
● slapd.service - OpenLDAP Server Daemon
Loaded: loaded (/usr/lib/systemd/system/slapd.service; enabled; vendor preset: disabled)
Active: active (running) since Sun 2020-07-26 05:43:17 UTC; 14s ago
Docs: man:slapd
man:slapd-config
man:slapd-hdb
man:slapd-mdb
file:///usr/share/doc/openldap-servers/guide.html
Main PID: 8620 (slapd)
CGroup: /system.slice/slapd.service
└─8620 /usr/sbin/slapd -u ldap -h ldapi:/// ldap:///

Jul 26 05:43:17 localhost systemd[1]: Starting OpenLDAP Server Daemon...
Jul 26 05:43:17 localhost runuser[8604]: pam_unix(runuser:session): session opened for user ldap by (uid=0)
Jul 26 05:43:17 localhost runuser[8604]: pam_unix(runuser:session): session closed for user ldap
Jul 26 05:43:17 localhost slapd[8618]: @(#) $OpenLDAP: slapd 2.4.44 (Jan 29 2019 17:42:45) $
mockbuild@x86-01.bsys.centos.org:/builddir/build/BUILD/openldap-2.4.44/openldap-2.4.44/servers/slapd
Jul 26 05:43:17 localhost slapd[8618]: tlsmc_get_pin: INFO: Please note the extracted key file will not be protected with a PIN any more, however it will b...rmissions.
Jul 26 05:43:17 localhost slapd[8620]: hdb_db_open: warning - no DB_CONFIG file found in directory /var/lib/ldap: (2).
Expect poor performance for suffix "dc=my-domain,dc=com".
Jul 26 05:43:17 localhost slapd[8620]: slapd starting
Jul 26 05:43:17 localhost systemd[1]: Started OpenLDAP Server Daemon.
Hint: Some lines were ellipsized, use -l to show in full.

 

Step 6: Setup OpenLDAP root user password

The next step is to set up the OpenLDAP root password using the slappasswd command as shown below.

[root@localhost ~]# slappasswd
New password:
Re-enter new password:
{SSHA}8me5NZZz1LfgLIfUTezj/01TKiBMZUux
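
What the {SSHA} string above contains, and how to check offline that a password matches a stored value before it goes into olcRootPW or userPassword. This is an added example in Python, not from the original article; {SSHA} is salted SHA-1, and the sample password is constructed.

```python
import base64
import hashlib
import hmac
import os

# The {SSHA} value printed by slappasswd in Step 6 of this page.
PAGE_VALUE = "{SSHA}8me5NZZz1LfgLIfUTezj/01TKiBMZUux"

def ssha_split(stored):
    """Return (sha1_digest, salt) from a '{SSHA}<base64>' value."""
    if not stored.upper().startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[6:], validate=True)
    if len(raw) <= 20:
        raise ValueError("nothing after the 20-byte SHA-1 digest, so no salt")
    return raw[:20], raw[20:]

def ssha_hash(password, salt=None):
    """Build an {SSHA} value: base64(SHA1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)  # 4 bytes, the salt length found in PAGE_VALUE
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(password, stored):
    """True if `password` reproduces the digest stored in the {SSHA} value."""
    digest, salt = ssha_split(stored)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)  # constant-time comparison

if __name__ == "__main__":
    digest, salt = ssha_split(PAGE_VALUE)
    print(f"digest: {len(digest)} bytes, salt: {len(salt)} bytes")
    sample = ssha_hash("constructed-example-password")  # constructed sample
    print(sample)
    print(ssha_verify("constructed-example-password", sample))
    print(ssha_verify("constructed-example-passwrd", sample))
```

When a bind is rejected, running ssha_verify against the exact string pasted into the LDIF file shows whether the stored hash matches the password being typed.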

 

Step 7: Configure OpenLDAP Server

You can add the data to the directory service using the LDIF file below, where {SSHA}PASSWORD_CREATED stands for the hash that slappasswd printed in Step 6.

[root@localhost ~]# vi ldaprootpasswd.ldif
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}PASSWORD_CREATED

olcDatabase={0} : the database instance, which can be found in /etc/openldap/slapd.d/cn=config.

changetype : the type of operation to perform - add/modify/delete

add : perform an add operation

olcRootPW : specifies the administrative user's hashed password.

Add the above entry by using ldapadd -Y EXTERNAL -H ldapi:/// -f ldaprootpasswd.ldif command as shown below.

[root@localhost ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f ldaprootpasswd.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={0}config,cn=config"

-Y : Specify the SASL mechanism to be used for authentication. If it's not specified, the program will choose the best mechanism the server knows. More can be checked on ldapadd Man Page.

-H : Specify URI(s) referring to the LDAP server(s); only the protocol/host/port fields are allowed.

-f : Read the entry modification information from file instead of from standard input.

 

Step 8: Configure OpenLDAP Sample Database

Copy the DB_CONFIG Example.

[root@localhost ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

Change the ownership of the file to the ldap user and group.

[root@localhost ~]# chown -R ldap:ldap /var/lib/ldap/DB_CONFIG

Restart the slapd service by using systemctl restart slapd command.

[root@localhost ~]# systemctl restart slapd

Now add the cosine, nis and inetorgperson schemas using the ldapadd commands below.

[root@localhost ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"
[root@localhost ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"
[root@localhost ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"

 

Step 9: Add Domain Configuration

To add the domain configuration, use the LDIF file below.

[root@localhost ~]# vi ldapdomain.ldif
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=service,dc=test,dc=com" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=test,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=service,dc=test,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}PASSWORD

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=service,dc=test,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=service,dc=test,dc=com" write by * read
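
Long olcAccess values like the ones in this file are easily wrapped when copied, and a wrapped line without a leading space is what produces the "invalid format (line 5)" error reported in the comments below. The following check is an added example in Python, not from the original article; it applies the RFC 2849 folding rule to a constructed sample built from the first record of this file.

```python
import re

# "attr:", "attr::" (base64) or "attr:<" (URL) at the start of a physical line
ATTR_LINE = re.compile(r"^[A-Za-z][A-Za-z0-9.;-]*:")

def lint_ldif(text):
    """Return [(line_no, reason)] for physical lines that break LDIF syntax."""
    problems = []
    can_continue = False  # True when the previous line may be continued
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip():            # blank line ends the record
            can_continue = False
        elif line.startswith(" "):      # folded continuation of previous line
            if not can_continue:
                problems.append((no, "continuation with nothing to continue"))
        elif line.startswith("#") or ATTR_LINE.match(line):
            can_continue = True
        elif line == "-":               # separator between modifications
            can_continue = False
        else:
            problems.append((no, "no 'attr:' prefix and no leading space"))
            can_continue = False
    return problems

def unfold(text):
    """Join folded lines: the newline and exactly ONE leading space are dropped."""
    logical = []
    for line in text.splitlines():
        if line.startswith(" ") and logical and logical[-1] != "":
            logical[-1] += line[1:]
        else:
            logical.append(line)
    return logical

# Constructed sample: the olcAccess value wrapped onto a second line.
WRAPPED = "\n".join([
    "dn: olcDatabase={1}monitor,cn=config",
    "changetype: modify",
    "replace: olcAccess",
    'olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"',
    'read by dn.base="cn=service,dc=test,dc=com" read by * none',
])
# Correct fold: the first space marks the fold, the second belongs to the value.
FOLDED = WRAPPED.replace("\nread by", "\n  read by")

if __name__ == "__main__":
    for no, why in lint_ldif(WRAPPED):
        print(f"line {no}: {why}")
    print(lint_ldif(FOLDED))
    print(unfold(FOLDED)[3])
```

A fold written with a single leading space would pass the syntax check but join `cn=auth"` and `read` without a space between them, which is why FOLDED uses two.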

Now modify the entries using the ldapmodify command below.

[root@localhost ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f ldapdomain.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}monitor,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"
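
What the three olcAccess rules just added to olcDatabase={2}hdb give an unauthenticated client, worked out with a simplified model of slapd's first-match evaluation. This is an added example in Python, not from the original article; it models only the `to` and `by` forms used on this page, and TIGHTENED is a constructed variant for comparison.

```python
import re
import shlex

# The three olcAccess values Step 9 adds to {2}hdb, one logical line each.
PAGE_RULES = [
    '{0}to attrs=userPassword,shadowLastChange by dn="cn=service,dc=test,dc=com" '
    'write by anonymous auth by self write by * none',
    '{1}to dn.base="" by * read',
    '{2}to * by dn="cn=service,dc=test,dc=com" write by * read',
]
# Constructed variant: rule {2} grants read to authenticated users only.
TIGHTENED = PAGE_RULES[:2] + [
    '{2}to * by dn="cn=service,dc=test,dc=com" write by users read',
]

def parse_rule(value):
    """Split one olcAccess value into (what, [(who, access), ...])."""
    tokens = shlex.split(re.sub(r"^\{\d+\}", "", value))
    if len(tokens) < 5 or tokens[0] != "to":
        raise ValueError("expected 'to <what> by <who> <access>'")
    rest = tokens[2:]
    if len(rest) % 3 or any(t != "by" for t in rest[0::3]):
        raise ValueError("expected repeated 'by <who> <access>' clauses")
    return tokens[1], list(zip(rest[1::3], rest[2::3]))

def matches_what(what, attr):
    """Does <what> cover attribute `attr` of an ordinary (non root DSE) entry?"""
    if what == "*":
        return True
    if what.startswith("attrs="):
        return attr.lower() in what[6:].lower().split(",")
    if what == "dn.base=":      # dn.base="" selects the root DSE only
        return False
    raise ValueError(f"<what> form not modelled in this example: {what}")

def anonymous_access(rules, attr):
    """Access level an unauthenticated client gets to `attr`."""
    for value in rules:
        what, clauses = parse_rule(value)
        if not matches_what(what, attr):
            continue            # slapd uses the first rule whose <what> matches
        for who, access in clauses:
            if who in ("*", "anonymous"):
                return access   # and within it the first matching <who>
        return "none"           # implicit trailing "by * none"
    return "none"               # no rule matched at all

if __name__ == "__main__":
    for name, rules in (("page rules", PAGE_RULES), ("tightened", TIGHTENED)):
        for attr in ("userPassword", "uid", "homeDirectory"):
            print(f"{name:10} {attr:14} -> {anonymous_access(rules, attr)}")
```

With the tightened variant, a client that searches for the user entry before binding needs a bind DN of its own.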

 

Step 10: Add Entries to OpenLDAP Database

You can add a few more entries to the directory service using the LDIF file below.

[root@localhost ~]# cat baseldapdomain.ldif
dn: dc=test,dc=com
objectClass: top
objectClass: dcObject
objectclass: organization
o: test com
dc: test

dn: cn=service,dc=test,dc=com
objectClass: organizationalRole
cn: service
description: Service Account

dn: ou=service1,dc=test,dc=com
objectClass: organizationalUnit
ou: Account

dn: ou=servicegroup,dc=test,dc=com
objectClass: organizationalUnit
ou: Group

dn: ou=servicegroup1,dc=test,dc=com
objectClass: organizationalUnit
ou: Group

Now add the above entry by using ldapadd -x -D cn=service,dc=test,dc=com -W -f baseldapdomain.ldif command as shown below.

[root@localhost ~]# ldapadd -x -D cn=service,dc=test,dc=com -W -f baseldapdomain.ldif
Enter LDAP Password:
adding new entry "dc=test,dc=com"

adding new entry "cn=service,dc=test,dc=com"

adding new entry "ou=service1,dc=test,dc=com"

adding new entry "ou=servicegroup,dc=test,dc=com"

adding new entry "ou=servicegroup1,dc=test,dc=com"

 

Step 11: Create an LDAP User

In the next step, you need to create a user and set the password for that user. Here we are creating a user cyberithub by using useradd cyberithub command and then setting its password by using passwd cyberithub command as shown below.

[root@localhost ~]# useradd cyberithub
[root@localhost ~]# passwd cyberithub
Changing password for user cyberithub.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.

 

Step 12: Create LDAP Group Definitions

You can use the LDIF file below to create group definitions.

[root@localhost ~]# vi ldapgroup.ldif
dn: cn=service,ou=servicegroup,dc=test,dc=com
objectClass: top
objectClass: posixGroup
gidNumber: 1005

Then add the above group definition using ldapadd -x -W -D "cn=service,dc=test,dc=com" -f ldapgroup.ldif command as shown below.

[root@localhost ~]# ldapadd -x -W -D "cn=service,dc=test,dc=com" -f ldapgroup.ldif
Enter LDAP Password:
adding new entry "cn=service,ou=servicegroup,dc=test,dc=com"

 

Step 13: Create LDAP User Definitions

You can use the LDIF file below to create user definitions.

[root@localhost ~]# vi ldapuser.ldif
dn: uid=cyberithub,ou=servicegroup,dc=test,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: cyberithub
uid: cyberithub
uidNumber: 1005
gidNumber: 1005
homeDirectory: /home/cyberithub
userPassword: {SSHA}8me5NZZz1LfgLIfUTezj/01TKiBMZUux
loginShell: /bin/bash
gecos: cyberithub
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0

Now Add the entry by using ldapadd -x -D cn=service,dc=test,dc=com -W -f ldapuser.ldif command as shown below.

[root@localhost ~]# ldapadd -x -D cn=service,dc=test,dc=com -W -f ldapuser.ldif
Enter LDAP Password:
adding new entry "uid=cyberithub,ou=servicegroup,dc=test,dc=com"

 

Step 14: Test OpenLDAP Server Authentication

Now it is time to test OpenLDAP server authentication by using the authconfig command as shown below.

[root@localhost ~]# authconfig --enableldap --enableldapauth --ldapserver=ldap.test.com --ldapbasedn="dc=test,dc=com" --enablemkhomedir --update

 

 


15 thoughts on “Best Steps to Install and Configure OpenLDAP Server on RHEL/CentOS 7”

  1. when creating and executing ldapdomain.ldif file. I see below error
    ldapmodify invalid format (line 5) entry: "olcDatabase={1}monitor,cn=config"

      • Hi Rey,

        Could you also please provide more information about the error you are getting ? Please check if you are using spaces properly.

    • Hi Jacob,

      Could you please provide more information about the error you are getting ? Could you please check if you are using spaces properly ?

    • the problem is you need to have in the ldapdomain.ldif file line 4 and 5 in the same line;

      olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=service,dc=test,dc=com" read by * none

    • You need to format the text; the lines are copied incorrectly.
      dn: olcDatabase={1}monitor,cn=config
      changetype: modify
      replace: olcAccess
      olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=service,dc=test,dc=com" read by * none

      dn: olcDatabase={2}hdb,cn=config
      changetype: modify
      replace: olcSuffix
      olcSuffix: dc=test,dc=com

      dn: olcDatabase={2}hdb,cn=config
      changetype: modify
      replace: olcRootDN
      olcRootDN: cn=service,dc=test,dc=com

      dn: olcDatabase={2}hdb,cn=config
      changetype: modify
      add: olcRootPW
      olcRootPW: {SSHA}PASSWORD

      dn: olcDatabase={2}hdb,cn=config
      changetype: modify
      add: olcAccess
      olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=service,dc=test,dc=com" write by anonymous auth by self write by * none
      olcAccess: {1}to dn.base="" by * read
      olcAccess: {2}to * by dn="cn=service,dc=test,dc=com" write by * read

    • Hi, Just find out, use the below entry in ldapdomain.ldif file. It's working for me!

      dn: olcDatabase={2}hdb,cn=config
      changetype: modify
      replace: olcSuffix
      olcSuffix: dc=itzgeek,dc=local

      dn: olcDatabase={2}hdb,cn=config
      changetype: modify
      replace: olcRootDN
      olcRootDN: cn=ldapadm,dc=itzgeek,dc=local

      dn: olcDatabase={2}hdb,cn=config
      changetype: modify
      replace: olcRootPW
      olcRootPW: {SSHA}d/thexcQUuSfe3rx3gRaEhHpNJ52N8D3

  2. After firing the below command
    authconfig --enableldap --enableldapauth --ldapserver=ldap.test.com --ldapbasedn="dc=test,dc=com" --enablemkhomedir --update

    Getting below message
    Warning: Unsupported locale setting.
    authconfig: Authentication module /usr/lib64/security/pam_ldap.so is missing. Authentication process might not work correctly.

  3. I am getting below error when I am starting slapd service. I have disabled the selinux.

    Nov 14 09:01:58 ldap systemd[1]: slapd.service: control process exited, code=exited status=1
    Nov 14 09:01:58 ldap systemd[1]: Failed to start OpenLDAP Server Daemon.
    -- Subject: Unit slapd.service has failed
    -- Defined-By: systemd
    -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
    --
    -- Unit slapd.service has failed.
    --
    -- The result is failed.
    Nov 14 09:01:58 ldap systemd[1]: Unit slapd.service entered failed state.
    Nov 14 09:01:58 ldap systemd[1]: slapd.service failed.
    Nov 14 09:01:58 ldap polkitd[610]: Unregistered Authentication Agent for unix-process:1100:30037 (system bus name :1.28, object path /org/freedesk
    lines 1851-1867/1867 (END)

  4. when running ldapadd -x -D cn=service,dc=test,dc=com -W -f baseldapdomain.ldif, I receive "invalid password"

    What is the proper way to reset the slapd password?
