
Step by Step OpenLDAP Server Configuration on CentOS 7 / RHEL 7

Environment

Prerequisites

1. Make sure both LDAP server “server.itzgeek.local” (192.168.1.10) and LDAP client “client.itzgeek.local” (192.168.1.20) are accessible.

2. Make a host entry for both machines in /etc/hosts on each machine for name resolution.

192.168.1.10 server.itzgeek.local server
192.168.1.20 client.itzgeek.local client

OR

If you plan to use hostnames instead of IP addresses, configure a DNS server using the article How to Configure DNS Server on CentOS 7 / RHEL 7.

Here I will use IP address for all the configuration.

If you are planning to Build LDAP server with Replication, then skip this tutorial and visit Configure OpenLDAP Multi-Master Replication on Linux.

Install OpenLDAP Packages

Install the following LDAP RPM packages on the LDAP server (server.itzgeek.local).

yum -y install openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel

Start the LDAP service and enable it for the auto start of service on system boot.

systemctl start slapd
systemctl enable slapd

Verify that slapd is listening on the LDAP port.

netstat -antup | grep -i 389

Output:

tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      1520/slapd
tcp6       0      0 :::389                  :::*                    LISTEN      1520/slapd

READ: netstat command not found on CentOS 7 / RHEL 7 – Quick Fix

Setup LDAP admin password

Run the command below to generate a hash of the LDAP root (admin) password. We will use this LDAP admin password throughout this article.

Replace ldppassword with your own password.

slappasswd -h {SSHA} -s ldppassword

The command prints a salted SHA-1 ({SSHA}) hash of the password; that hash, never the plaintext, is what goes into the LDAP configuration. Make a note of it and keep it aside. Passing the password with -s leaves it in your shell history and briefly visible in the process list; running slappasswd with no arguments prompts for it instead.

Output:

{SSHA}d/thexcQUuSfe3rx3gRaEhHpNJ52N8D3

Configure OpenLDAP server

The OpenLDAP server configuration lives in /etc/openldap/slapd.d/. To start configuring LDAP, we need to update the attributes "olcSuffix", "olcRootDN" and "olcRootPW".

olcSuffix – Database suffix: the base DN under which this LDAP server holds its information. In simple words, change it to match your domain name.

olcRootDN – Root Distinguished Name (DN) of the user who has unrestricted access to perform all administration activities on LDAP, like a root user.

olcRootPW – LDAP admin password (hash) for the above RootDN.

These attributes belong to the database entry stored in /etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif. Do not edit that file by hand: slapd owns the cn=config tree, hand edits are not validated and can be overwritten the next time the configuration is changed through ldapmodify. Instead, describe the change in an LDIF file and load it with ldapmodify.

Create an LDIF file.

vi db.ldif

Add the below entries.

Replace the encrypted password ({SSHA}d/thexcQUuSfe3rx3gRaEhHpNJ52N8D3) with the password you generated in the previous step.

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=itzgeek,dc=local

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=ldapadm,dc=itzgeek,dc=local

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}d/thexcQUuSfe3rx3gRaEhHpNJ52N8D3

Once the LDIF file is ready, send the configuration to the LDAP server.

ldapmodify -Y EXTERNAL  -H ldapi:/// -f db.ldif

Next, change the monitor database (/etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif, again not edited by hand) so that only the LDAP root user (ldapadm) and the local root user connecting over ldapi:/// can read it, and nobody else.

vi monitor.ldif

Use the below information.

dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=ldapadm,dc=itzgeek,dc=local" read by * none

Once you have updated the file, send the configuration to the LDAP server.

ldapmodify -Y EXTERNAL  -H ldapi:/// -f monitor.ldif

Set up LDAP database

Copy the sample database configuration file to /var/lib/ldap and fix the ownership so that slapd (running as the ldap user) can use it.

cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown ldap:ldap /var/lib/ldap/*

Add the cosine, nis and inetOrgPerson LDAP schemas.

ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

Create a base.ldif file for your domain.

vi base.ldif

Use the below information. You can modify it according to your requirement.

dn: dc=itzgeek,dc=local
dc: itzgeek
objectClass: top
objectClass: domain

dn: cn=ldapadm,dc=itzgeek,dc=local
objectClass: organizationalRole
cn: ldapadm
description: LDAP Manager

dn: ou=People,dc=itzgeek,dc=local
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=itzgeek,dc=local
objectClass: organizationalUnit
ou: Group

Build the directory structure.

ldapadd -x -W -D "cn=ldapadm,dc=itzgeek,dc=local" -f base.ldif

ldapadd prompts for the password of ldapadm (the LDAP root user), the one whose hash you set as olcRootPW above.

Output:

Enter LDAP Password:
adding new entry "dc=itzgeek,dc=local"
adding new entry "cn=ldapadm,dc=itzgeek,dc=local"
adding new entry "ou=People,dc=itzgeek,dc=local"
adding new entry "ou=Group,dc=itzgeek,dc=local"
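The LDIF files in this article are short, but LDIF has a few syntax rules that are easy to break when copying from a web page, and ldapadd's error for a bad line is terse: a line starting with a single space continues the previous line, a value that begins with a space, a colon or a '<', ends with a space or contains non-ASCII text must be written base64-encoded after '::', and a lone '-' separates changes inside one changetype: modify record. As an added example, not from the article, here is a small standard-library Python reader/writer for LDIF that also derives the base DN (olcSuffix) from a DNS domain name. The sample LDIF is a constructed copy of the first two base.ldif entries above with one folded line and one base64 value added; parse a file with it before loading, and the round trip through render_ldif shows how a value must be written to survive.

```python
import base64
import re
from typing import Dict, List

# Added example, not the article's code: a minimal RFC 2849 LDIF reader/writer
# for checking db.ldif / base.ldif style files before they reach ldapadd.
ATTR_LINE = re.compile(r"^([A-Za-z][\w;.-]*)(::?) ?(.*)$")


def domain_to_base_dn(domain: str) -> str:
    """'itzgeek.local' -> 'dc=itzgeek,dc=local' (the olcSuffix for that domain)."""
    labels = [label for label in domain.strip().lower().split(".") if label]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join("dc=" + label for label in labels)


def unfold(text: str) -> List[str]:
    """Logical lines: comments dropped, continuation lines (one leading space) joined."""
    logical: List[str] = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    return logical


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Records as {lower-cased attribute: [values]}; '::' values are base64-decoded,
    'version:' lines and the '-' separator inside modify records are skipped."""
    records: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in unfold(text) + [""]:  # the trailing "" flushes the last record
        if line.strip() == "":
            if current:
                if "dn" not in current:
                    raise ValueError("record without dn: %r" % sorted(current))
                records.append(current)
                current = {}
            continue
        if line == "-":
            continue
        match = ATTR_LINE.match(line)
        if not match:
            raise ValueError("malformed LDIF line: %r" % line)
        name, sep, value = match.group(1).lower(), match.group(2), match.group(3)
        if name == "version":
            continue
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8")
        if name == "dn" and current:
            raise ValueError("dn must be the first line of a record: %r" % line)
        current.setdefault(name, []).append(value)
    return records


def needs_base64(value: str) -> bool:
    """RFC 2849: control/non-ASCII chars, leading ' ', ':' or '<', or a trailing space."""
    if value == "":
        return False
    if any(ord(c) < 0x20 or ord(c) > 0x7E for c in value):
        return True
    return value[0] in " :<" or value[-1] == " "


def fold(line: str, width: int = 76) -> str:
    """Wrap a logical line at `width` columns; continuation lines get one leading space."""
    if len(line) <= width:
        return line
    parts, rest = [line[:width]], line[width:]
    while rest:
        parts.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(parts)


def render_ldif(records: List[Dict[str, List[str]]]) -> str:
    """Serialize records to LDIF, dn first, folding and encoding as required."""
    blocks = []
    for rec in records:
        ordered = [("dn", rec["dn"])] + [(k, v) for k, v in rec.items() if k != "dn"]
        lines = []
        for name, values in ordered:
            for value in values:
                if needs_base64(value):
                    value = base64.b64encode(value.encode("utf-8")).decode("ascii")
                    lines.append(fold("%s:: %s" % (name, value)))
                else:
                    lines.append(fold("%s: %s" % (name, value)))
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks) + "\n"


# Constructed sample: the article's first two base.ldif entries, plus a folded
# description and a base64 value whose plaintext (" Address ...") starts with a space.
SAMPLE_LDIF = """\
# top of the tree
dn: dc=itzgeek,dc=local
dc: itzgeek
objectClass: domain

dn: cn=ldapadm,dc=itzgeek,dc=local
objectClass: organizationalRole
cn: ldapadm
description: LDAP Manager for dc=itzgeek,dc=local, also reachable as
  root over ldapi:///
postalAddress:: IEFkZHJlc3Mgc3RhcnRpbmcgd2l0aCBhIHNwYWNl
"""

if __name__ == "__main__":
    for rec in parse_ldif(SAMPLE_LDIF):
        print(rec["dn"][0], "->", sorted(k for k in rec if k != "dn"))
```

Attribute names are case-insensitive in LDAP, which is why the parser lower-cases them; DN values are compared case-insensitively by slapd too, but this code leaves them as written.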

------------------------------------------------------------------------------

Setting up OpenLDAP and phpLDAPAdmin

Getting Started.

01. Install the required packages.

# yum install -y openldap openldap-clients openldap-servers

02. Generate the root LDAP password hash

# slappasswd -s osradar -n
{SSHA}FJbfOwcgwKPpRwmZH23h3QvyK4bs3Nbj

You will get similar output (the -n flag suppresses the trailing newline, which is why the next shell prompt appeared on the same line). The root password hash for the LDAP server is then:

{SSHA}FJbfOwcgwKPpRwmZH23h3QvyK4bs3Nbj

03. Next, create a TLS certificate and private key for the LDAP server.

# openssl req -new -x509 -nodes -out /etc/openldap/certs/cert.pem \
    -keyout /etc/openldap/certs/priv.pem -days 365
Generating a 2048 bit RSA private key
..........................................+++
.........................+++
writing new private key to '/etc/openldap/certs/priv.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:LK
State or Province Name (full name) []:CMB
Locality Name (eg, city) [Default City]:colombo
Organization Name (eg, company) [Default Company Ltd]:osradar
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:ldap-server.osradar.com
Email Address []:

The Common Name must be the hostname clients will use to reach the server, otherwise they will reject the certificate. -nodes writes the private key unencrypted, so the file permissions set in step 06 are all that protects it. Because the certificate is self-signed, clients must be given cert.pem as a trusted CA (TLS_CACERT in ldap.conf) before they will accept it.

04. Now initialize the LDAP database. First copy the example Berkeley DB configuration (DB_CONFIG, not a schema) into the database directory.

# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

05. Test the configuration

# slaptest
5c5c5740 hdb_db_open: database "dc=my-domain,dc=com": db_open(/var/lib/ldap/id2entry.bdb) failed: No such file or directory (2).
5c5c5740 backend_startup_one (type=hdb, suffix="dc=my-domain,dc=com"): bi_db_open failed! (2)
slap_startup failed (test would succeed using the -u switch)

Don't worry about these errors: they only say that the database files do not exist yet, and slapd creates them on first start. Note that the suffix is still the package default dc=my-domain,dc=com; it is changed in step 10.

06. Next, go to the directory where the certificate was generated in the step above and lock down the files: slapd must be able to read them, nobody else should.

# cd /etc/openldap/certs
# chown ldap:ldap *
# chmod 600 priv.pem
# chown ldap:ldap /var/lib/ldap/*

07. Start the server

# systemctl start slapd.service

08. Check that the network socket is up and listening

# ss -lnt
State      Recv-Q Send-Q   Local Address:Port     Peer Address:Port
LISTEN     0      128                  :::389                :::*

Note 389/tcp, the default port for an LDAP server.

09. Load the cosine and nis LDAP schemas:

# cd /etc/openldap/schema
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"

# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f nis.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"

10. It is time to add the settings that govern our LDAP service. Take note of the domain (suffix): every entry you add later must live under it.

# vim /etc/openldap/changes.ldif

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=osradar,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=osradar,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}FJbfOwcgwKPpRwmZH23h3QvyK4bs3Nbj

dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/cert.pem
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/priv.pem

dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: -1

dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=osradar,dc=com" read by * none

olcRootPW => replace with the hash generated at step 02.

dc=osradar,dc=com => replace with the domain you want the directory to serve.

olcLogLevel: -1 => turns on every debug category and is extremely noisy; it is fine while troubleshooting the initial setup, but lower it (for example to stats) once the server works, or the log will grow quickly and record details of every operation.

11. Apply the changes to the LDAP server

# ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/openldap/changes.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "cn=config"
modifying entry "cn=config"
modifying entry "olcDatabase={1}monitor,cn=config"

12. Finally, we need to set up the base of the directory tree. First create a file with the top-level entries.

# vim /etc/openldap/base.ldif

dn: dc=osradar,dc=com
dc: osradar
objectClass: top
objectClass: domain

dn: ou=adminGroup,dc=osradar,dc=com
ou: adminGroup
objectClass: top
objectClass: organizationalUnit

13. Load the entries with the 'ldapadd' command

# ldapadd -x -W -D cn=Manager,dc=osradar,dc=com -f /etc/openldap/base.ldif

-W prompts for the Manager password (osradar in this example). Avoid -w <password>: it puts the plaintext password on the command line, where it is visible in the process list and kept in shell history.

14. Restart the LDAP service

# systemctl restart slapd.service

Setup phpLdapAdmin:

15. Install Apache and PHP

yum -y install httpd php php-mbstring php-pear

16. Change the main Apache configuration

# vim /etc/httpd/conf/httpd.conf

ServerAdmin root@srv.world
ServerName www.srv.world:80
AllowOverride All
DirectoryIndex index.html index.cgi index.php

Note: the lines to change are at line numbers 86, 95, 151 and 164 respectively.

17. Install "phpldapadmin" (this requires the EPEL repository).

# yum install -y epel-release
# yum install -y phpldapadmin

18. Change the default login setting

# vim /etc/phpldapadmin/config.php

$servers->setValue('login','attr','dn');
// $servers->setValue('login','attr','uid');

The changes are at lines 397 and 398: uncomment the 'dn' line and comment out the 'uid' line, so the login form expects a full DN (such as cn=Manager,dc=osradar,dc=com) instead of a uid.

19. Change the access rule in the Apache configuration shipped with phpldapadmin

# vim /etc/httpd/conf.d/phpldapadmin.conf

Require all granted

The change is at line 11. The packaged default only permits access from the local host; Require all granted opens the interface to every address that can reach the web server, so where possible use a Require ip rule limited to your administrative network instead.

That's it for setting up phpldapadmin. Make sure you open the required firewall ports (http for the web interface, and ldap or ldaps for LDAP clients). Note that, as configured here, the interface is served over plain HTTP, so the Manager password is sent to the web server in clear text; put it behind HTTPS or reach it only from an administrative network. With that done, let's visit our newly set up phpLDAPAdmin interface.

http://{ip address of the server}/ldapadmin

To log in, you will have to provide the

Login DN: cn=Manager,dc=osradar,dc=com

Password: in our case, it is "osradar", which we gave at step 02 of the

------------------------------

How To Install OpenLDAP Server for Centralized Authentication

Lightweight Directory Access Protocol (LDAP for short) is an industry-standard, lightweight, widely used set of protocols for accessing directory services. A directory service is a shared information infrastructure for accessing, managing, organizing, and updating everyday items and network resources, such as users, groups, devices, email addresses, telephone numbers, volumes and many other objects.

The LDAP information model is based on entries. An entry in an LDAP directory represents a single unit of information and is uniquely identified by its Distinguished Name (DN). Each of the entry's attributes has a type and one or more values.

An attribute is a piece of information associated with an entry. The types are typically mnemonic strings, such as "cn" for common name or "mail" for email address. Each attribute carries one or more values; in LDIF a multi-valued attribute is written as one "attribute: value" line per value.

The following is an illustration of how information is arranged in the LDAP directory.

Ldap Information Model

In this article, we will show how to install and configure OpenLDAP server for centralized authentication in Ubuntu 16.04/18.04 and CentOS 7.

Step 1: Installing LDAP Server

1. First start by installing OpenLDAP, an open source implementation of LDAP and some traditional LDAP management utilities using the following commands.

# yum install openldap openldap-servers     #CentOS 7
$ sudo apt install slapd ldap-utils          #Ubuntu 16.04/18.04

On Ubuntu, during the package installation, you will be prompted to enter the password for the admin entry in your LDAP directory, set a secure password and confirm it.

Configure Slapd Admin Password

When the installation is complete, you can start the service as explained next.

2. On CentOS 7, run the following commands to start the OpenLDAP server daemon, enable it to start at boot and check that it is up and running (on Ubuntu the service is started automatically under systemd, so you can simply check its status):

$ sudo systemctl start slapd
$ sudo systemctl enable slapd
$ sudo systemctl status slapd

3. Next, allow requests to the LDAP server daemon through the firewall as shown.

# firewall-cmd --add-service=ldap    #CentOS 7
$ sudo ufw allow ldap                #Ubuntu 16.04/18.04

On CentOS 7 this changes the running firewall only; repeat the command with --permanent (and reload the firewall) so that the rule survives a reboot. The ldap service is plain LDAP on 389/tcp; if clients will use LDAPS, open the ldaps service (636/tcp) as well.

Step 2: Configuring LDAP Server

Note: It is not recommended to manually edit the LDAP configuration, you need to add the configurations in a file and use the ldapadd or ldapmodify command to load them to the LDAP directory as shown below.

4. Now generate a password hash for the OpenLDAP administrative (root) DN. slappasswd prompts for the password and prints its hashed value; take note of it, you will use it in the LDAP configuration file.

$ slappasswd

Create Ldap Admin User

5. Then create an LDIF file (ldaprootpasswd.ldif) that sets a root password on the configuration database itself (olcDatabase={0}config), so that cn=config can later be administered with a password bind and not only by root over ldapi:///.

$ sudo vim ldaprootpasswd.ldif

Add the following contents in it:

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}PASSWORD_CREATED

explaining the attribute-value pairs above:

6. Next, load the change, specifying the URI of the LDAP server (the local ldapi:/// socket, authenticating as root through SASL EXTERNAL) and the file above.

$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f ldaprootpasswd.ldif  

Add Parameters from Root Password File

Step 3: Configuring LDAP Database

7. Now copy the sample database configuration file for slapd into the /var/lib/ldap directory, and set the correct permissions on the file.

$ sudo cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
$ sudo chown -R ldap:ldap /var/lib/ldap/DB_CONFIG
$ sudo systemctl restart slapd

8. Next, import some basic LDAP schemas from the /etc/openldap/schema directory as follows.

$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

9. Now configure your domain in the LDAP database: create a file called ldapdomain.ldif for your domain.

$ sudo vim ldapdomain.ldif 

Add the following content in it (replace example with your domain and PASSWORD with the hashed value obtained before):

dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=example,dc=com" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=example,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=example,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}PASSWORD

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=Manager,dc=example,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=example,dc=com" write by * read

10. Then add the above configuration to the LDAP database with the following command.

$ sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f ldapdomain.ldif

Load Domain Configuration
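The olcAccess values above are evaluated in order: slapd uses the first "to" clause that matches the entry or attribute being accessed, and within that clause the first "by" clause that matches the bound identity; a matching "to" clause with no matching "by" clause denies. That is why anonymous clients can bind against userPassword (auth) but never read it, a user can change only its own password, and everything else is world-readable. As an added example, not part of the article, the Python below models those semantics for exactly the selectors used on this page (*, attrs=, dn.base=, anonymous, self, users, dn=) and evaluates the three domain rules and the monitor-database rule against a few identities. It is a teaching model, not slapd's implementation: regex DNs, dn.subtree, groups, peername and control flags are not handled, and what happens when no "to" clause matches is a parameter (default="none") rather than slapd's real default policy.

```python
import re
from typing import List, Optional, Tuple

# Added example, not the article's code: a small model of slapd olcAccess
# evaluation covering only the selectors that appear on this page.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
WHAT_RE = re.compile(r'^to\s+(\*|attrs=\S+|dn(?:\.base)?="[^"]*")\s+(by\s+.*)$')
BY_RE = re.compile(r'by\s+(\*|anonymous|users|self|dn(?:\.base)?="[^"]*")\s+(\w+)')
DN_RE = re.compile(r'^dn(?:\.base)?="([^"]*)"$')
Rule = Tuple[str, List[Tuple[str, str]]]


def parse_access_rules(values: List[str]) -> List[Rule]:
    """Turn olcAccess values (optionally prefixed with {n}) into
    (what, [(who, level), ...]) tuples, validating the access levels."""
    rules: List[Rule] = []
    for value in values:
        text = re.sub(r"^\{\d+\}", "", value.strip())
        match = WHAT_RE.match(text)
        if not match:
            raise ValueError("unsupported <what> clause: %r" % value)
        clauses = BY_RE.findall(match.group(2))
        if not clauses:
            raise ValueError("rule without <by> clauses: %r" % value)
        for _who, level in clauses:
            if level not in LEVELS:
                raise ValueError("unknown access level %r in %r" % (level, value))
        rules.append((match.group(1), clauses))
    return rules


def what_matches(what: str, target_dn: str, attr: Optional[str]) -> bool:
    """Does <what> select this target? attr=None means the entry itself."""
    if what == "*":
        return True
    if what.startswith("attrs="):
        wanted = {a.lower() for a in what[len("attrs="):].split(",")}
        return attr is not None and attr.lower() in wanted
    return target_dn.lower() == DN_RE.match(what).group(1).lower()


def who_matches(who: str, requester_dn: Optional[str], target_dn: str) -> bool:
    """Does <who> match the bound identity? requester_dn=None means anonymous."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn is None
    if who == "users":
        return requester_dn is not None
    if who == "self":
        return requester_dn is not None and requester_dn.lower() == target_dn.lower()
    return requester_dn is not None and requester_dn.lower() == DN_RE.match(who).group(1).lower()


def access_level(rules: List[Rule], requester_dn: Optional[str], target_dn: str,
                 attr: Optional[str] = None, default: str = "none") -> str:
    """First matching <what> is the only one consulted; within it the first
    matching <by> decides; a matching <what> with no matching <by> denies.
    `default` applies when no <what> matches (this model's assumption)."""
    for what, clauses in rules:
        if what_matches(what, target_dn, attr):
            for who, level in clauses:
                if who_matches(who, requester_dn, target_dn):
                    return level
            return "none"
    return default


def allows(rules: List[Rule], requester_dn: Optional[str], target_dn: str,
           attr: Optional[str], needed: str) -> bool:
    """True if the granted level is at least `needed` (levels are cumulative)."""
    granted = access_level(rules, requester_dn, target_dn, attr)
    return LEVELS.index(granted) >= LEVELS.index(needed)


# Constructed copies of the rules from ldapdomain.ldif above.
MANAGER = "cn=Manager,dc=example,dc=com"
USER = "uid=tecmint,ou=People,dc=example,dc=com"
DOMAIN_RULES = parse_access_rules([
    '{0}to attrs=userPassword,shadowLastChange by dn="%s" write by anonymous auth by self write by * none' % MANAGER,
    '{1}to dn.base="" by * read',
    '{2}to * by dn="%s" write by * read' % MANAGER,
])
MONITOR_RULES = parse_access_rules([
    '{0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="%s" read by * none' % MANAGER,
])

if __name__ == "__main__":
    for who in (None, USER, "uid=alice,ou=People,dc=example,dc=com", MANAGER):
        print(who or "anonymous", "-> userPassword of tecmint:",
              access_level(DOMAIN_RULES, who, USER, "userPassword"))
```

Running it shows the intended outcome of the rule set: anonymous gets auth on userPassword (enough to bind, not to read), tecmint and the Manager get write, any other authenticated user gets none, and the same anonymous client gets read on the rest of the entry because only the {2} catch-all matches there. The order matters: swapping {0} and {2} would make userPassword world-readable, since the first matching "to" clause wins.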

11. In this step, we need to add some entries to our LDAP directory. Create another file called baseldapdomain.ldif with the following content.

dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: example com
dc: example

dn: cn=Manager,dc=example,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=example,dc=com
objectClass: organizationalUnit
ou: Group

Save the file and then add the entries to the LDAP directory, binding as the Manager DN.

$ sudo ldapadd -x -D cn=Manager,dc=example,dc=com -W -f baseldapdomain.ldif

-x selects a simple bind and -W prompts for the Manager password. Do not combine -x with -Y EXTERNAL: the two authentication methods are mutually exclusive and ldapadd refuses the mix.

12. The next step is to create an LDAP user, for example tecmint. The local account created below is only used to obtain UID and GID numbers for the directory entries (this article uses 1005 for both; check the numbers your system assigned and use those); the password stored in LDAP is set separately in the LDIF in step 14.

$ sudo useradd tecmint
$ sudo passwd tecmint

13. Then create the definitions for a LDAP group in a file called ldapgroup.ldif with the following content.

dn: cn=Manager,ou=Group,dc=example,dc=com
objectClass: top
objectClass: posixGroup
cn: Manager
gidNumber: 1005

In the above definition, gidNumber is the GID in /etc/group for tecmint's group (posixGroup requires both cn and gidNumber). Add it to the OpenLDAP directory:

$ sudo ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f ldapgroup.ldif

14. Next, create another LDIF file called ldapuser.ldif and add the definitions for user tecmint. Generate the {SSHA} value for userPassword with slappasswd, exactly as for the Manager password, rather than storing the password in plain text.

dn: uid=tecmint,ou=People,dc=example,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: tecmint
uid: tecmint
uidNumber: 1005
gidNumber: 1005
homeDirectory: /home/tecmint
userPassword: {SSHA}PASSWORD_HERE
loginShell: /bin/bash
gecos: tecmint
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0

Then load the entry into the LDAP directory.

$ ldapadd -x -D cn=Manager,dc=example,dc=com -W -f ldapuser.ldif

Once you have set up a central server for authentication, the final part is to enable clients to authenticate against it using LDAP, as explained in this guide:

For more information, see the appropriate documentation from OpenLDAP Software document catalog and Ubuntu users can refer to the OpenLDAP server guide.

Summary

OpenLDAP is an open source implementation of LDAP for Linux. In this article, we have shown how to install and configure an OpenLDAP server for centralized authentication on Ubuntu 16.04/18.04 and CentOS 7. If you have a question or thoughts to share, do not hesitate to reach us via the comment form below.
