Follow these steps to set up an OpenLDAP server on CentOS.
- Log in and become root via sudo.
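# Open a root login shell; every command below assumes it runs as root.
sudo -i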
- Run package updates
# Bring all installed packages up to date before adding new ones.
yum update -y
- Install Epel Release
# Enable the EPEL repository.
yum install -y epel-release
- Install nano editor
# Editor used below to create the LDIF files (any editor works).
yum install -y nano
- Install OpenLDAP
# Server (openldap-servers), client tools (openldap-clients) and extras.
# NOTE(review): openldap-devel and openldap-servers-sql are development / SQL-backend
# packages that a plain directory server does not appear to need - confirm before keeping them.
yum -y install openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel
- start the LDAP daemon and enable it on boot
# Start slapd now, start it on every boot, and confirm it is running.
systemctl start slapd
systemctl enable slapd
systemctl status slapd
- Now create an OpenLDAP administrative user and assign a password for that user
# Prompts for a password and prints its {SSHA} hash; that hash replaces
# PASSWORD_CREATED in the LDIF files below. The cleartext password is never stored.
slappasswd
This generates a hashed value for the password you enter, which is used to configure the admin credential. Next, create an LDIF file (ldaprootpasswd.ldif) that adds the password to the LDAP configuration database.
# Create the LDIF file with the contents shown below.
nano ldaprootpasswd.ldif
Add the following contents in it:
# ldaprootpasswd.ldif: set the root password of the cn=config database.
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
# Replace the whole value with the hash printed by slappasswd (it already starts with {SSHA}).
olcRootPW: {SSHA}PASSWORD_CREATED
- add the corresponding LDAP entry by specifying the URI referring to the LDAP server and the file above.
# Bind over the local ldapi socket with SASL EXTERNAL (the root user's peer
# credentials), which is what the default cn=config ACLs allow.
ldapadd -Y EXTERNAL -H ldapi:/// -f ldaprootpasswd.ldif
- Copy the sample database configuration file for slapd into the /var/lib/ldap directory and set the correct ownership on the file.
# Seed the hdb backend configuration from the packaged example.
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
# Hand the file to the ldap user slapd runs as (-R is redundant for a single file).
chown -R ldap:ldap /var/lib/ldap/DB_CONFIG
# Restart so slapd picks up the new DB_CONFIG.
systemctl restart slapd
- import some basic LDAP schemas from the /etc/openldap/schema directory
# Load the schemas the user and group entries below depend on
# (posixAccount/posixGroup/shadowAccount come from nis, inetOrgPerson needs cosine).
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
- To add your domain to the LDAP database, create a file called ldapdomain.ldif with the following contents for your domain.
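# ldapdomain.ldif: point the default hdb database at dc=example,dc=com and set
# its root DN, root password and access control.
# LDIF rules: records are separated by a blank line, and a value that continues
# on the next line must begin with a single space (a second space is needed
# here so the joined value keeps a separator between the ACL clauses).
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
# Only the local root (ldapi peer credentials) and the directory admin may read
# the monitor backend; everyone else gets nothing.
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
  read by dn.base="cn=auth,dc=example,dc=com" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=example,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=auth,dc=example,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
# Replace the whole value with the hash printed by slappasswd.
olcRootPW: {SSHA}PASSWORD_CREATED

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
# Password attributes: the admin may write them, anonymous clients may only
# bind against them, users may change their own, nobody else can read them.
olcAccess: {0}to attrs=userPassword,shadowLastChange by
  dn="cn=auth,dc=example,dc=com" write by anonymous auth by self write by * none
# The root DSE stays readable so clients can discover the server.
olcAccess: {1}to dn.base="" by * read
# Everything else is readable by anyone, including anonymous binds. Use
# "by users read" instead of "by * read" if the tree must not be enumerable anonymously.
olcAccess: {2}to * by dn="cn=auth,dc=example,dc=com" write by * read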
- add the above configuration to the LDAP database
# Apply the domain configuration to cn=config as local root over ldapi.
ldapmodify -Y EXTERNAL -H ldapi:/// -f ldapdomain.ldif
- create baseldapdomain.ldif
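# baseldapdomain.ldif: the base entries of the dc=example,dc=com tree.
# Records are separated by blank lines.
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: example com
dc: example

# The value of the RDN attribute (cn=auth) must be present in the entry;
# slapd rejects an add whose naming attribute value is missing.
dn: cn=auth,dc=example,dc=com
objectClass: organizationalRole
cn: auth
description: Directory Manager

dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=example,dc=com
objectClass: organizationalUnit
ou: Group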
- add the entries to the LDAP directory.
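# Simple bind (-x) as the root DN with the password set in ldapdomain.ldif.
# -Y EXTERNAL (SASL) cannot be combined with -x: the ldap tools reject
# conflicting authentication choices, so only the simple-bind options are used.
ldapadd -x -D "cn=auth,dc=example,dc=com" -W -f baseldapdomain.ldif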
- Create a local system user (its UID and GID are reused in the LDAP entries below)
# Create a matching local (non-LDAP) account; its UID/GID are reused by the
# LDIF entries below. The LDAP entry itself is created later (tomahawk.ldif).
useradd tomahawk
passwd tomahawk
- create an LDAP group
Create a file called ldapgroup.ldif with the following contents:
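# ldapgroup.ldif: a POSIX group entry under ou=Group.
dn: cn=auth,ou=Group,dc=example,dc=com
objectClass: top
objectClass: posixGroup
# cn is the naming attribute of the DN above and a required attribute of
# posixGroup; without it slapd rejects the entry.
cn: auth
# Must match the gidNumber used in the user entry (tomahawk.ldif).
gidNumber: 1005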
The gidNumber must match the GID assigned to tomahawk in /etc/group.
- Add to OpenLDAP directory.
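# Simple bind (-x) as the root DN; -Y EXTERNAL is dropped because the ldap
# tools refuse to combine a SASL mechanism with -x.
ldapadd -x -W -D "cn=auth,dc=example,dc=com" -f ldapgroup.ldif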
- Create an LDAP user
create a file named tomahawk.ldif
# tomahawk.ldif: a POSIX user entry under ou=People.
dn: uid=tomahawk,ou=People,dc=example,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: tomahawk
uid: tomahawk
# uidNumber/gidNumber must match the local account created with useradd and
# the gidNumber in ldapgroup.ldif.
uidNumber: 1005
gidNumber: 1005
homeDirectory: /home/tomahawk
# Replace with the {SSHA} hash printed by slappasswd; never put a cleartext password here.
userPassword: {SSHA}PASSWORD_HERE
loginShell: /bin/bash
gecos: tecmint
# NOTE(review): shadowLastChange/shadowMax of 0 may be treated as an expired
# password by shadow-aware PAM clients - confirm before using this entry for logins.
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0
** Run slappasswd to generate the hashed password for the userPassword value above **
- Add the above file to LDAP directory
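# Simple bind (-x) as the root DN; -Y EXTERNAL is dropped because the ldap
# tools refuse to combine a SASL mechanism with -x.
ldapadd -x -D "cn=auth,dc=example,dc=com" -W -f tomahawk.ldif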
After completing the steps above, you can also use a tool such as Apache Directory Studio to manage LDAP and add more users and groups without writing LDIF files by hand.
- Now generate a self-signed certificate and a private key with OpenSSL so clients can communicate with the OpenLDAP server over TLS.
# Self-signed server certificate (-x509) valid for one year. -nodes leaves the
# private key unencrypted, so the key file's permissions are its only protection.
# When prompted, set the Common Name to the name clients will connect to
# (auth.example.com); clients that verify the certificate check that name.
openssl req -new -x509 -nodes -out \
/etc/openldap/certs/auth.example.com.cert \
-keyout /etc/openldap/certs/auth.example.com.key \
-days 365
- Change the owner and group so that OpenLDAP (the ldap user) can read the files:
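# slapd runs as the ldap user and must be able to read both files.
chown -R ldap:ldap /etc/openldap/certs
# openssl creates the key with the default umask (usually world-readable);
# restrict it to its owner so other local users cannot copy the private key.
chmod 600 /etc/openldap/certs/auth.example.com.key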
- Now create ssl.ldif to configure OpenLDAP to use the LDAPS protocol:
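# ssl.ldif: tell slapd where its TLS certificate and private key live.
# Records are separated by a blank line.
# NOTE(review): these attributes enable TLS but do not by themselves open an
# ldaps:// listener; on CentOS that is SLAPD_URLS in /etc/sysconfig/slapd,
# followed by a slapd restart - confirm for the installed version.
dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/auth.example.com.cert

dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
# The key file must be readable by the ldap user and by nobody else.
olcTLSCertificateKeyFile: /etc/openldap/certs/auth.example.com.key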
- Add the above file to LDAP directory
# Apply the TLS settings to cn=config over the local socket.
ldapmodify -Y EXTERNAL -H ldapi:/// -f ssl.ldif
- Test the SSL configuration with:
# Dry-run check of the slapd configuration (-u: do not require the databases).
# This validates the configuration only; it does not perform a TLS handshake.
slaptest -u