
OpenLDAP is a free, open-source implementation of the Lightweight Directory Access Protocol developed by the OpenLDAP Project. It is released under its own BSD-style license called the OpenLDAP Public License. LDAP is a platform-independent protocol.

Follow these steps to set up an OpenLDAP server on CentOS 7.

  • Log in as root. The ldapadd -Y EXTERNAL -H ldapi:/// commands further down rely on this: slapd maps the root user's socket credentials to gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth, the identity that the default cn=config ACL trusts
sudo --login
  • Run package updates
yum update -y
  • Install the EPEL release package
yum install -y epel-release
  • Install the nano editor (any editor will do)
yum install -y nano
  • Install OpenLDAP
yum -y install openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel
  • start the LDAP daemon and enable it on boot
systemctl start slapd
systemctl enable slapd
systemctl status slapd 
  • Now set a password for the configuration administrator (the root DN of the cn=config database)

slappasswd prompts for a password and prints its salted SHA-1 hash ({SSHA}...). The hash, not the clear-text password, is what goes into the configuration; keep the output for the next step.

  • create an LDIF file (ldaprootpasswd.ldif) that adds an olcRootPW attribute to the configuration database entry, olcDatabase={0}config,cn=config.
nano ldaprootpasswd.ldif

Paste the following, replacing PASSWORD_CREATED with the hash printed by slappasswd:

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}PASSWORD_CREATED
  • apply the change over the local ldapi:/// socket using SASL EXTERNAL. No password is needed here: slapd trusts the root user's socket credentials, as described above.
ldapadd -Y EXTERNAL -H ldapi:/// -f ldaprootpasswd.ldif
  • copy the sample database configuration file for slapd into the /var/lib/ldap directory, and set the correct permissions on the file.
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown -R ldap:ldap /var/lib/ldap/DB_CONFIG
systemctl restart slapd
  • import some basic LDAP schemas from the /etc/openldap/schema directory
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif 
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
  • set up your domain on the main database (suffix, root DN, root password and access controls) and tighten the monitor database ACL. Create a file called ldapdomain.ldif with the following, replacing dc=example,dc=com with your own domain throughout:
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
  read by dn.base="cn=auth,dc=example,dc=com" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=example,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=auth,dc=example,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}PASSWORD_CREATED

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by
  dn="cn=auth,dc=example,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=auth,dc=example,dc=com" write by * read
  • apply the configuration with ldapmodify (the file consists of changetype: modify records). Note what the last rule, to * by dn="cn=auth,dc=example,dc=com" write by * read, grants: every attribute other than userPassword and shadowLastChange is readable by anonymous clients. If you do not need anonymous browsing, use by users read instead.
ldapmodify -Y EXTERNAL -H ldapi:/// -f ldapdomain.ldif
  • create baseldapdomain.ldif with the base entry, the administrator role and two organizational units. The cn attribute of the administrator entry must equal the RDN value in its dn (cn=auth): slapd rejects an entry whose naming attribute is missing with a naming violation.
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: example com
dc: example

dn: cn=auth,dc=example,dc=com
objectClass: organizationalRole
cn: auth
description: Directory Manager

dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=example,dc=com
objectClass: organizationalUnit
ou: Group 
  • add the entries with a simple bind as the root DN. -x -D ... -W prompts for the password set in olcRootPW above; -Y EXTERNAL (SASL) cannot be combined with -x, so it is not used here.
ldapadd -x -D cn=auth,dc=example,dc=com -W -f baseldapdomain.ldif
  • create a local system account for the user. This does not touch the directory yet; its UID and GID are reused in the LDAP group and user entries below
useradd tomahawk
passwd tomahawk
  • create an LDAP group

create a file called ldapgroup.ldif

dn: cn=auth,ou=Group,dc=example,dc=com
objectClass: top
objectClass: posixGroup
cn: auth
gidNumber: 1005

posixGroup requires both cn (which must match the RDN in the dn) and gidNumber. gidNumber must be the GID assigned to tomahawk in /etc/group.

  • Add to OpenLDAP directory.
ldapadd -x -W -D "cn=auth,dc=example,dc=com" -f ldapgroup.ldif
  • Create an LDAP user

create a file named tomahawk.ldif

dn: uid=tomahawk,ou=People,dc=example,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: tomahawk
uid: tomahawk
uidNumber: 1005
gidNumber: 1005
homeDirectory: /home/tomahawk
userPassword: {SSHA}PASSWORD_HERE
loginShell: /bin/bash
gecos: tomahawk
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0

** Run slappasswd to generate the hashed password and paste it in place of PASSWORD_HERE. ** Note that shadowLastChange: 0 together with shadowMax: 0 marks the password as already expired: pam_unix will force tomahawk to change it at first login. Set shadowMax to a real maximum age (99999 effectively disables aging) if that is not what you want.

  • Add the above file to LDAP directory
ldapadd -x -D cn=auth,dc=example,dc=com -W -f tomahawk.ldif
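As an added example, not part of the original post: the script below renders the three LDIF files from the steps above (baseldapdomain.ldif, ldapgroup.ldif and the user's LDIF) for any base DN, administrator name and user, and checks every entry before it is fed to ldapadd. slapd refuses an entry whose RDN value (cn=auth, uid=tomahawk, dc=example) is not also present as an attribute, which is exactly the mismatch a hand-edited cn=auth entry carrying cn: Manager, or a posixGroup with no cn, runs into. The function names, the BASE/ORG/ADMIN/HASH variables and the generate sub-command are this example's own. It deliberately sets shadowLastChange to today's day count and shadowMax to 99999 instead of the zeros above, so pam_unix does not force a password change at first login.

```bash
#!/bin/bash
# Added example, not from the original post: render the LDIF files from the
# steps above for any base DN / admin / user, and sanity-check every entry
# before it reaches ldapadd. slapd rejects an entry whose RDN attribute is
# not also present as an attribute ("naming attribute ... is not present").
set -e

gen_base_ldif() {   # $1 base DN (dc=example,dc=com)  $2 organisation  $3 admin cn
  local dc=${1#dc=}; dc=${dc%%,*}   # first dc component, e.g. "example"
  printf 'dn: %s\nobjectClass: top\nobjectClass: dcObject\nobjectClass: organization\no: %s\ndc: %s\n\n' "$1" "$2" "$dc"
  printf 'dn: cn=%s,%s\nobjectClass: organizationalRole\ncn: %s\ndescription: Directory Manager\n\n' "$3" "$1" "$3"
  # printf reuses the format for the second argument set: People, then Group
  printf 'dn: ou=%s,%s\nobjectClass: organizationalUnit\nou: %s\n\n' People "$1" People Group "$1" Group
}

gen_group_ldif() {  # $1 base  $2 group cn  $3 gidNumber
  printf 'dn: cn=%s,ou=Group,%s\nobjectClass: top\nobjectClass: posixGroup\ncn: %s\ngidNumber: %s\n' "$2" "$1" "$2" "$3"
}

gen_user_ldif() {   # $1 base  $2 uid  $3 uidNumber  $4 gidNumber  $5 {SSHA} hash from slappasswd
  cat <<EOF
dn: uid=$2,ou=People,$1
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: $2
uid: $2
uidNumber: $3
gidNumber: $4
homeDirectory: /home/$2
loginShell: /bin/bash
gecos: $2
userPassword: $5
shadowLastChange: $(( $(date +%s) / 86400 ))
shadowMax: 99999
shadowWarning: 7
EOF
}

# Read LDIF (stdin or files). For every add record, require the first RDN's
# attribute=value to appear as an attribute line; names and values are
# compared case-insensitively, as slapd does for cn/uid/ou/dc. Prints each
# offending DN and returns 1 if there was any. Not handled: base64 (dn::)
# or escaped-comma DNs.
ldif_check_rdn() {
  awk '
  function handle(l,  a, v) {
    if (l ~ /^#/) return
    if (l == "") { flush(); return }
    a = l; sub(/:.*/, "", a)
    v = l; sub(/^[^:]*:[ ]*/, "", v)
    if (tolower(a) == "dn") dn = v
    else if (tolower(a) == "changetype") ctype = v
    else seen[tolower(a) SUBSEP tolower(v)] = 1
  }
  function flush(  rdn, kv, k) {
    if (dn != "" && (ctype == "" || ctype == "add")) {
      rdn = dn; sub(/,.*/, "", rdn); split(rdn, kv, "=")
      if (!((tolower(kv[1]) SUBSEP tolower(kv[2])) in seen)) {
        print "missing naming attribute " kv[1] ": " kv[2] " in entry " dn; bad++
      }
    }
    dn = ""; ctype = ""; for (k in seen) delete seen[k]
  }
  /^ / { cur = cur substr($0, 2); next }   # LDIF continuation line
       { handle(cur); cur = $0 }
  END  { handle(cur); flush(); exit (bad > 0) }' "$@"
}

# Usage (as root on the server):
#   HASH="$(slappasswd)" ADMIN=auth ./mkldif.sh generate tomahawk 1005 1005
if [ "${1:-}" = generate ]; then
  : "${BASE:=dc=example,dc=com}" "${ORG:=example com}" "${ADMIN:=auth}" "${HASH:?export HASH from slappasswd}"
  gen_base_ldif  "$BASE" "$ORG" "$ADMIN"        > baseldapdomain.ldif
  gen_group_ldif "$BASE" "$2" "$4"              > ldapgroup.ldif
  gen_user_ldif  "$BASE" "$2" "$3" "$4" "$HASH" > "$2.ldif"
  for f in baseldapdomain.ldif ldapgroup.ldif "$2.ldif"; do
    ldif_check_rdn "$f"                          # set -e aborts before a bad entry is sent
    ldapadd -x -H ldapi:/// -D "cn=$ADMIN,$BASE" -W -f "$f"
  done
fi
```

Run it on the server as HASH="$(slappasswd)" ./mkldif.sh generate tomahawk 1005 1005 (with BASE, ORG and ADMIN exported if your values differ from the post's). It writes the three files, checks each, and then runs ldapadd for each with a simple bind as the root DN, prompting for the olcRootPW password every time. ldif_check_rdn can also be pointed at any hand-written LDIF before you submit it.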

Once the steps above are done you can also manage the directory with a GUI such as Apache Directory Studio, adding further users and groups without writing LDIF files by hand.

Optional Steps

LDAPS (LDAP over SSL/TLS)

  • Generate a self-signed certificate and private key with OpenSSL so clients can talk to the server over TLS. The CN must be the hostname clients connect to (here auth.example.com); -nodes leaves the key unencrypted so slapd can load it at start-up
openssl req -new -x509 -nodes -subj "/CN=auth.example.com" \
  -out /etc/openldap/certs/auth.example.com.cert \
  -keyout /etc/openldap/certs/auth.example.com.key \
  -days 365
  • Make the files owned by the ldap user so slapd can read them, and keep the private key readable by that user only (mode 0600):
chown -R ldap:ldap /etc/openldap/certs
  • Now create ssl.ldif to configure OpenLDAP to use the LDAPS protocol:
dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/auth.example.com.cert

dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/auth.example.com.key
  • Apply it to cn=config
ldapmodify -Y EXTERNAL -H ldapi:/// -f ssl.ldif
  • Check that the configuration still parses
slaptest -u

slaptest -u only validates the configuration syntax; it does not open a TLS connection. Also, slapd listens only on the URLs in SLAPD_URLS in /etc/sysconfig/slapd, which CentOS 7 ships as "ldapi:/// ldap:///", so port 636 stays closed until you add ldaps:/// there and restart slapd (systemctl restart slapd). After that, test the handshake from a client over ldaps:// with the certificate above configured as its trusted CA.
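Added example, not from the original post: a script that completes the LDAPS steps above end to end, including the two things the steps alone leave out, locking down the key file and opening the ldaps:/// listener. That SLAPD_URLS lives in /etc/sysconfig/slapd and ships as "ldapi:/// ldap:///" is how CentOS 7 packages slapd; the hostname auth.example.com and the /etc/openldap/certs paths follow the post; the function names and the apply sub-command are this example's own.

```bash
#!/bin/bash
# Added example, not from the original post: finish the LDAPS setup. The
# steps above install the certificate into cn=config, but slapd only listens
# on the URLs in SLAPD_URLS (/etc/sysconfig/slapd, shipped on CentOS 7 as
# "ldapi:/// ldap:///"), so port 636 stays closed until ldaps:/// is added.
set -e

CERT_DIR=/etc/openldap/certs
HOST=${LDAP_HOST:-auth.example.com}

# Self-signed cert with the server hostname as CN. The key is unencrypted
# (-nodes) because slapd must read it unattended, so restrict its mode.
gen_selfsigned_cert() {  # $1 hostname  $2 cert path  $3 key path
  openssl req -new -x509 -nodes -days 365 -newkey rsa:2048 \
    -subj "/CN=$1" -out "$2" -keyout "$3"
  chown ldap:ldap "$2" "$3"
  chmod 644 "$2"
  chmod 600 "$3"
}

# Equivalent of ssl.ldif above, as one modify record with two changes.
gen_tls_ldif() {         # $1 cert path  $2 key path
  printf 'dn: cn=config\nchangetype: modify\nreplace: olcTLSCertificateFile\nolcTLSCertificateFile: %s\n-\nreplace: olcTLSCertificateKeyFile\nolcTLSCertificateKeyFile: %s\n' "$1" "$2"
}

# Append ldaps:/// to SLAPD_URLS in a sysconfig file if it is not there yet.
# Idempotent; returns 1 if the line could not be found or rewritten.
enable_ldaps_listener() {  # $1 path to /etc/sysconfig/slapd
  grep -q '^SLAPD_URLS=.*ldaps:///' "$1" && return 0
  sed -i 's|^SLAPD_URLS="\([^"]*\)"|SLAPD_URLS="\1 ldaps:///"|' "$1"
  grep -q '^SLAPD_URLS=.*ldaps:///' "$1"
}

# Two checks that actually exercise TLS (slaptest -u does not): show the
# certificate the server presents, then read the root DSE over ldaps://
# with our own certificate as the trusted CA (LDAPTLS_CACERT overrides
# TLS_CACERT from ldap.conf for this one command).
verify_ldaps() {         # $1 hostname  $2 cert path
  openssl s_client -connect "$1:636" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -dates
  LDAPTLS_CACERT=$2 ldapsearch -H "ldaps://$1" -x -b '' -s base namingContexts
}

if [ "${1:-}" = apply ]; then   # run as root on the server
  gen_selfsigned_cert "$HOST" "$CERT_DIR/$HOST.cert" "$CERT_DIR/$HOST.key"
  gen_tls_ldif "$CERT_DIR/$HOST.cert" "$CERT_DIR/$HOST.key" | ldapmodify -Y EXTERNAL -H ldapi:///
  enable_ldaps_listener /etc/sysconfig/slapd
  systemctl restart slapd
  verify_ldaps "$HOST" "$CERT_DIR/$HOST.cert"
fi
```

Run ./ldaps.sh apply as root; set LDAP_HOST if your server's name is not auth.example.com. If verify_ldaps fails while slaptest -u passed, the usual causes are a listener that is still missing (check ss -ltn for :636) or a client that does not trust the self-signed certificate; on other hosts copy the .cert file over and point TLS_CACERT in /etc/openldap/ldap.conf at it.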

You have completed the OpenLDAP setup on CentOS 7.

This post is also available on DEV.