@tomahawk-pilot
Created July 29, 2020 08:16

Follow these steps to set up an OpenLDAP server on CentOS.

  • Log in as root: sudo -i
  • Run package updates yum update -y
  • Install Epel Release yum install -y epel-release
  • Install nano editor yum install -y nano
  • Install OpenLDAP
yum -y install openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel
  • start the LDAP daemon and enable it on boot
systemctl start slapd
systemctl enable slapd
systemctl status slapd 
  • Now create an OpenLDAP administrative user and assign a password to it. slappasswd generates a hashed value for a given password; that hash is what we use to configure admin authentication.
  • Create an LDIF file (ldaprootpasswd.ldif), which is used to add the entry to the LDAP directory.
nano ldaprootpasswd.ldif

Add the following contents in it:

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}PASSWORD_CREATED
  • add the corresponding LDAP entry by specifying the URI referring to the LDAP server and the file above.
ldapadd -Y EXTERNAL -H ldapi:/// -f ldaprootpasswd.ldif
  • copy the sample database configuration file for slapd into the /var/lib/ldap directory, and set the correct permissions on the file.
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown -R ldap:ldap /var/lib/ldap/DB_CONFIG
systemctl restart slapd
  • import some basic LDAP schemas from the /etc/openldap/schema directory 
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif 
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
  • Add your domain to the LDAP database: create a file called ldapdomain.ldif for your domain with the following contents.
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
 read by dn.base="cn=auth,dc=example,dc=com" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=example,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=auth,dc=example,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}PASSWORD_CREATED

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by
 dn="cn=auth,dc=example,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=auth,dc=example,dc=com" write by * read
  • add the above configuration to the LDAP database
ldapmodify -Y EXTERNAL -H ldapi:/// -f ldapdomain.ldif
  • Create baseldapdomain.ldif with the following contents (entries are separated by a blank line):
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: example com
dc: example

# the cn value must match the RDN (cn=auth), or slapd rejects the entry with a naming violation
dn: cn=auth,dc=example,dc=com
objectClass: organizationalRole
cn: auth
description: Directory Manager

dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=example,dc=com
objectClass: organizationalUnit
ou: Group
  • add the entries to the LDAP directory. 
ldapadd -x -D cn=auth,dc=example,dc=com -W -f baseldapdomain.ldif
  • Create a local user account (its matching LDAP entry is added below)
useradd tomahawk
passwd tomahawk
  • Create an LDAP group: create a file called ldapgroup.ldif with the following contents
dn: cn=auth,ou=Group,dc=example,dc=com
objectClass: top
objectClass: posixGroup
cn: auth
gidNumber: 1005

gidNumber is the GID of tomahawk in /etc/group.

  • Add it to the OpenLDAP directory.
ldapadd -x -W -D "cn=auth,dc=example,dc=com" -f ldapgroup.ldif
  • Create an LDAP user: create a file named tomahawk.ldif with the following contents
dn: uid=tomahawk,ou=People,dc=example,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: tomahawk
uid: tomahawk
uidNumber: 1005
gidNumber: 1005
homeDirectory: /home/tomahawk
userPassword: {SSHA}PASSWORD_HERE
loginShell: /bin/bash
gecos: tecmint
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0

Run slappasswd to generate the hashed password for the userPassword attribute.

  • Add the above file to the LDAP directory
ldapadd -x -D cn=auth,dc=example,dc=com -W -f tomahawk.ldif

After completing the steps above you can also use tools like Apache Directory Studio to manage LDAP and add more users and groups without writing LDIF files by hand.
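An added example, not the gist author's code: a small POSIX shell script that generates baseldapdomain.ldif from variables and statically checks it before ldapadd, catching the two things that most often make slapd reject a hand-written LDIF (missing blank lines between entries, and an RDN value such as cn=auth that is not also present as an attribute). SUFFIX and ADMIN_CN are assumptions mirroring the olcSuffix and olcRootDN set above; the check generalizes to any add-style LDIF with single-valued RDNs.

```shell
#!/bin/sh
# Added example (not part of the gist). SUFFIX/ADMIN_CN are assumptions that
# match the olcSuffix and olcRootDN configured in ldapdomain.ldif.
set -eu

SUFFIX="dc=example,dc=com"
ADMIN_CN="auth"
DC_VALUE="${SUFFIX#dc=}"; DC_VALUE="${DC_VALUE%%,*}"   # -> example

# Print the four base entries (domain, admin role, ou=People, ou=Group).
# Each entry ends with a blank line, as LDIF requires between entries.
gen_base_ldif() {
  printf 'dn: %s\nobjectClass: top\nobjectClass: dcObject\nobjectClass: organization\no: %s\ndc: %s\n\n' \
    "$SUFFIX" "$DC_VALUE" "$DC_VALUE"
  printf 'dn: cn=%s,%s\nobjectClass: organizationalRole\ncn: %s\ndescription: Directory Manager\n\n' \
    "$ADMIN_CN" "$SUFFIX" "$ADMIN_CN"
  for ou in People Group; do
    printf 'dn: ou=%s,%s\nobjectClass: organizationalUnit\nou: %s\n\n' "$ou" "$SUFFIX" "$ou"
  done
}

# Static check for add-style LDIF: the attribute=value in each entry's RDN must
# appear as a line "attr: value" inside that entry, otherwise slapd answers
# "Naming violation". Exact match, single-valued RDNs only (a simplification).
# Prints offending DNs and returns 1 if any are found.
check_rdn_consistency() {
  awk '
    BEGIN { bad = 0 }
    /^dn: / { dn = substr($0, 5); split(dn, p, ","); split(p[1], kv, "=")
              want = kv[1] ": " kv[2]; ok = 0; next }
    $0 == want { ok = 1 }
    /^$/ && dn != "" { if (!ok) { print "RDN value missing in entry: " dn; bad = 1 }; dn = "" }
    END { if (dn != "" && !ok) { print "RDN value missing in entry: " dn; bad = 1 }; exit bad }
  ' "$1"
}

OUT="${TMPDIR:-/tmp}/baseldapdomain.ldif"
gen_base_ldif > "$OUT"
check_rdn_consistency "$OUT" && echo "$OUT passes the RDN check"
# Then load it as the rootdn with a simple bind (-x must not be combined with -Y EXTERNAL):
#   ldapadd -x -H ldapi:/// -D "cn=$ADMIN_CN,$SUFFIX" -W -f "$OUT"
#   ldapsearch -x -H ldapi:/// -b "$SUFFIX" -s one dn
```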

Optional Steps

LDAPS (LDAP over SSL/TLS)

  • Generate a self-signed certificate and private key with OpenSSL so clients can communicate securely with the OpenLDAP server:
openssl req -new -x509 -nodes -out \
/etc/openldap/certs/auth.example.com.cert \
-keyout /etc/openldap/certs/auth.example.com.key \
-days 365
  • Change the owner and group permissions so OpenLDAP can read the files:
chown -R ldap:ldap /etc/openldap/certs
  • Now create ssl.ldif to configure OpenLDAP to use the LDAPS protocol:
dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/auth.example.com.cert

dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/auth.example.com.key
  • Apply the above file to the LDAP configuration
ldapmodify -Y EXTERNAL -H ldapi:/// -f ssl.ldif
  • Test the SSL configuration with
slaptest -u