Step by Step OpenLDAP Server Configuration on CentOS 7 / RHEL 7
OpenLDAP is an open-source implementation of the Lightweight Directory Access Protocol, developed by the OpenLDAP project. LDAP is an Internet protocol that email and other programs use to look up contact information from a server. It is released under the OpenLDAP Public License and is available for all major Linux distributions, AIX, Android, HP-UX, OS X, Solaris, Windows and z/OS.
It functions as a relational database in certain ways and can be used to store any information. LDAP is not limited to storing information; it is also used as a backend database for "single sign-on", where one password for a user is shared between many services.
In this tutorial, we will configure OpenLDAP for centralized login where the users use the single account to log in to multiple servers.
This post covers only the OpenLDAP configuration without SSL. If you would like to configure OpenLDAP with SSL, follow the link below after you complete this post.
READ: How to configure OpenLDAP with SSL on CentOS 7 / RHEL 7
Environment

Host Name              IP Address     OS         Purpose
server.itzgeek.local   192.168.1.10   CentOS 7   LDAP Server
client.itzgeek.local   192.168.1.20   CentOS 7   LDAP Client

Prerequisites

1. Make sure both the LDAP server "server.itzgeek.local" (192.168.1.10) and the LDAP client "client.itzgeek.local" (192.168.1.20) are accessible.
2. Make a host entry on each machine in /etc/hosts for name resolution.
192.168.1.10 server.itzgeek.local server
192.168.1.20 client.itzgeek.local client
OR
If you plan to use a hostname instead of an IP address, configure a DNS server using the article How to Configure DNS Server on CentOS 7 / RHEL 7.
Here I will use IP address for all the configuration.
If you are planning to build an LDAP server with replication, skip this tutorial and visit Configure OpenLDAP Multi-Master Replication on Linux.

Install OpenLDAP Packages

Install the following LDAP RPM packages on the LDAP server (server.itzgeek.local).
yum -y install openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel
Start the LDAP service and enable it to start automatically on system boot.
systemctl start slapd
systemctl enable slapd
Verify that slapd is listening on port 389.
netstat -antup | grep -i 389
Output:
tcp        0      0 0.0.0.0:389     0.0.0.0:*       LISTEN      1520/slapd
tcp6       0      0 :::389          :::*            LISTEN      1520/slapd
READ: netstat command not found on CentOS 7 / RHEL 7 – Quick Fix
Setup LDAP admin password

Run the command below to create an LDAP root password. We will use this LDAP admin (root) password throughout this article.
Replace ldppassword with your password.
slappasswd -h {SSHA} -s ldppassword
The above command generates a salted SHA-1 ({SSHA}) hash of the entered password, which you will need in the LDAP configuration file. Make a note of it and keep it aside.
Output:
{SSHA}d/thexcQUuSfe3rx3gRaEhHpNJ52N8D3

Configure OpenLDAP server
The OpenLDAP server configuration files are found in /etc/openldap/slapd.d/. To start with the configuration of LDAP, we need to update the variables "olcSuffix" and "olcRootDN".
olcSuffix – Database suffix: the domain name for which the LDAP server provides the information. In simple words, it should be changed to your domain name.
olcRootDN – Root Distinguished Name (DN) entry for the user who has unrestricted access to perform all administration activities on LDAP, like a root user.
olcRootPW – LDAP admin password for the above RootDN.
The above entries need to be updated in the /etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif file. Manually editing the LDAP configuration is not recommended, as you will lose the changes whenever you run the ldapmodify command.
Instead, create a .ldif file.
vi db.ldif
Add the below entries.
Replace the encrypted password ({SSHA}d/thexcQUuSfe3rx3gRaEhHpNJ52N8D3) with the password you generated in the previous step.
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=itzgeek,dc=local

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=ldapadm,dc=itzgeek,dc=local

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}d/thexcQUuSfe3rx3gRaEhHpNJ52N8D3
Once you are done with the ldif file, send the configuration to the LDAP server.
ldapmodify -Y EXTERNAL -H ldapi:/// -f db.ldif
Make changes to the /etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif file (do not edit it manually) to restrict monitor access to the LDAP root (ldapadm) user only and to no one else.
vi monitor.ldif
Use the below information.
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=ldapadm,dc=itzgeek,dc=local" read by * none
Once you have updated the file, send the configuration to the LDAP server.
ldapmodify -Y EXTERNAL -H ldapi:/// -f monitor.ldif

Set up LDAP database
Copy the sample database configuration file to /var/lib/ldap and update the file permissions.
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown ldap:ldap /var/lib/ldap/*
Add the cosine and nis LDAP schemas.
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
Generate the base.ldif file for your domain.
vi base.ldif
Use the below information. You can modify it according to your requirement.
dn: dc=itzgeek,dc=local
dc: itzgeek
objectClass: top
objectClass: domain

dn: cn=ldapadm,dc=itzgeek,dc=local
objectClass: organizationalRole
cn: ldapadm
description: LDAP Manager

dn: ou=People,dc=itzgeek,dc=local
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=itzgeek,dc=local
objectClass: organizationalUnit
ou: Group
Build the directory structure.
ldapadd -x -W -D "cn=ldapadm,dc=itzgeek,dc=local" -f base.ldif
The ldapadd command will prompt you for the password of ldapadm (the LDAP root user).
Output:
Enter LDAP Password:
adding new entry "dc=itzgeek,dc=local"
adding new entry "cn=ldapadm,dc=itzgeek,dc=local"
adding new entry "ou=People,dc=itzgeek,dc=local"
adding new entry "ou=Group,dc=itzgeek,dc=local"