19/06/2021

Set-Up OpenLDAP on CentOS 7

Installing the Server

1. Install OpenLDAP
On CentOS 7 (CentOS 8 no longer ships openldap-servers in its base repositories, so this guide targets 7 as the title says):

# yum install openldap openldap-clients openldap-servers

2. Allow LDAP through the firewall. The flag is --add-service=ldap (it opens plain TCP 389 to other hosts, so consider leaving it closed until TLS is configured on slapd), and --permanent plus a reload is needed for the rule to survive a reboot:

# firewall-cmd --permanent --add-service=ldap
# firewall-cmd --reload

3. Enable slapd so it starts on boot, start it and check its status:

# systemctl enable slapd
# systemctl start slapd
# systemctl status slapd

Configuring the server

4. Generate a password hash for the directory administrator. slappasswd only prints the hash; the administrator itself is defined by olcRootDN/olcRootPW in the following steps:

# slappasswd

Take note of the {SSHA}... hash it prints; it is pasted into the LDIF files below.

5. Now create an LDIF file which will be used to set the root password of the configuration database (so that cn=config can also be managed with a password bind, not only as root over the ldapi socket).

# vim ldaprootpasswd.ldif

And paste the following content:

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}PASSWORD

  • olcDatabase={0}config: the configuration database itself; its on-disk copy lives under /etc/openldap/slapd.d/cn=config/ and should be changed only through LDAP, never with an editor.
  • cn=config: the global configuration tree.
  • PASSWORD: the hashed string obtained from slappasswd in step 4 ({SSHA} prefix included). Whoever knows this password can rewrite the slapd configuration over the network, so treat it as a root-equivalent secret.
  • -n: ldapadd/ldapmodify option for a dry run, showing what would be done without changing anything (the -u listed in some guides is the slapadd equivalent).

6. Now to add the LDAP entry run:

# ldapadd -Y EXTERNAL -H ldapi:/// -f ldaprootpasswd.ldif

You should see output like this (the SASL lines show that slapd authenticated you as the local root user over the ldapi socket):

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={0}config,cn=config"

Configuring the Database

Replace dc=example,dc=com in all the files below with your own domain components.

7. Copy the example Berkeley DB configuration into /var/lib/ldap (DB_CONFIG tunes the hdb database backend; it is not slapd's own configuration) and make it owned by the ldap user:

# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
# chown ldap:ldap /var/lib/ldap/DB_CONFIG
# systemctl restart slapd

8. Next, import some basic LDAP schemas from the /etc/openldap/schema directory as follows:

# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif


9. Now, to make your domain the suffix of the main database and protect it with ACLs, create a file:

# vim ldapdomain.ldif

And paste the following (replace PASSWORD with the hash from step 4, or with a second slappasswd hash if the cn=config password and the directory manager password should differ):

dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
  read by dn.base="cn=Manager,dc=example,dc=com" read by * none
 
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=example,dc=com
 
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=example,dc=com
 
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}PASSWORD
 
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by
  dn="cn=Manager,dc=example,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=example,dc=com" write by * read

These three rules are evaluated in order and the first matching rule wins: {0} lets only the manager write password fields, lets each user change their own, lets an anonymous client use userPassword solely for binding (auth) and returns it to nobody; {1} makes the root DSE readable so clients can discover the server; {2} makes every other attribute readable by anyone, anonymous clients included. If uidNumber, homeDirectory and the like should not be visible without a bind, use "by users read" instead of "by * read" in {2}.


10. Apply the above changes to the configuration database (ldapmodify, since every record is a changetype: modify):

# ldapmodify -Y EXTERNAL -H ldapi:/// -f ldapdomain.ldif

11. Now add the base entries (the suffix itself, the manager, and the People and Group organizational units) to the directory:

# vim baseldapdomain.ldif

And paste the following:

dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectclass: organization
o: example com
dc: example
 
dn: cn=Manager,dc=example,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory Manager
 
dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People
 
dn: ou=Group,dc=example,dc=com
objectClass: organizationalUnit
ou: Group

To add the above entries to the directory, bind as the manager DN (note cn=, not dn=, in the bind DN):

# ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f baseldapdomain.ldif

When prompted, enter the password whose hash you placed in olcRootPW of {2}hdb in step 9. -x is a simple bind: the password travels in clear text, which is acceptable over localhost but must not be used across the network until TLS is configured on slapd.
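The LDIFs of steps 9 to 11 differ from one deployment to the next only in the domain components, which is exactly where copy-paste errors creep in. The script below is an added example and not code from the original post: it derives the base DN from a DNS-style domain name, refuses labels that are not valid DNS labels, and prints (or, with --apply, loads) the same two LDIFs for any domain. It assumes the stock CentOS 7 layout ({1}monitor and {2}hdb in cn=config), cn=Manager as the administrator RDN, and a hash already produced by slappasswd; it uses replace: rather than add: so that it can be re-run without "value already exists" errors.

```bash
#!/bin/bash
# Added example, not code from the original post: generate the domain
# configuration LDIFs of steps 9 to 11 for any domain instead of editing
# dc=example,dc=com by hand in several places.
# Assumed: stock CentOS 7 slapd layout ({1}monitor, {2}hdb), cn=Manager as
# the administrator RDN, and a hash already produced with slappasswd.
set -eu

# "corp.example.org" -> "dc=corp,dc=example,dc=org"; rejects labels that
# are not plain DNS labels so a typo cannot end up inside a DN.
domain_to_basedn() {
    local rest=$1 label dn=
    while [ -n "$rest" ]; do
        label=${rest%%.*}
        case $label in
            ''|*[!A-Za-z0-9-]*) echo "invalid DNS label in '$1'" >&2; return 1 ;;
        esac
        if [ "$label" = "$rest" ]; then rest=; else rest=${rest#*.}; fi
        dn="${dn:+$dn,}dc=$label"
    done
    printf '%s\n' "$dn"
}

# ldapdomain.ldif equivalent: monitor ACL, then suffix, rootdn, rootpw and
# ACLs on {2}hdb in one record. replace: is used throughout so the file
# can be applied a second time without "value already exists" errors.
domain_ldif() {
    local basedn=$1 hash=$2 manager="cn=Manager,$1"
    cat <<EOF
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="$manager" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: $basedn
-
replace: olcRootDN
olcRootDN: $manager
-
replace: olcRootPW
olcRootPW: $hash
-
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="$manager" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="$manager" write by * read
EOF
}

# baseldapdomain.ldif equivalent. The dc value must equal the first label
# of the suffix, so it is derived from the base DN rather than typed.
base_ldif() {
    local basedn=$1 dc=${1#dc=}
    dc=${dc%%,*}
    cat <<EOF
dn: $basedn
objectClass: top
objectClass: dcObject
objectClass: organization
o: $dc
dc: $dc

dn: cn=Manager,$basedn
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=People,$basedn
objectClass: organizationalUnit
ou: People

dn: ou=Group,$basedn
objectClass: organizationalUnit
ou: Group
EOF
}

# Usage: ./mkdomain.sh example.com '{SSHA}...' [--apply]
# Without --apply the two LDIFs are only printed for review; with it they
# are loaded exactly as in steps 10 and 11 (the second command prompts for
# the Manager password whose hash was given).
main() {
    local basedn
    basedn=$(domain_to_basedn "$1")
    if [ "${3:-}" = "--apply" ]; then
        domain_ldif "$basedn" "$2" | ldapmodify -Y EXTERNAL -H ldapi:///
        base_ldif "$basedn" | ldapadd -x -H ldapi:/// -D "cn=Manager,$basedn" -W
    else
        domain_ldif "$basedn" "$2"
        echo
        base_ldif "$basedn"
    fi
}
if [ "$#" -ge 2 ]; then main "$@"; fi
```

Run it once without --apply and read the output before loading anything; the monitor and hdb records are what steps 9 to 11 would have you paste by hand, with the manager DN and suffix filled in consistently.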

12. Create a local user and set a password. useradd works on /etc/passwd, not on the directory; it is used here only so that the LDAP entry can reuse the same uidNumber and gidNumber, and so that the home directory exists:

# useradd nissaar
# passwd nissaar

13. Create the definition for the user's primary group (useradd created a group nissaar with the same number as the uid, 1000 here; use the value from /etc/group):

# vim ldapgroup.ldif

And paste the following:

dn: cn=nissaar,ou=Group,dc=example,dc=com
objectClass: top
objectClass: posixGroup
cn: nissaar
gidNumber: 1000

posixGroup requires both cn and gidNumber, and slapd rejects an entry whose naming attribute (here cn) is missing from its attributes, so the cn line is not optional. To find the gid of nissaar's group:

# grep '^nissaar:' /etc/group

Then load the configuration to the LDAP Directory:

# ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f ldapgroup.ldif

14. Create the definition for the user nissaar:

# vim ldapuser.ldif

And paste the following (the entry goes under the same dc=example,dc=com suffix as everything else; generate your own userPassword hash with slappasswd rather than reusing the one shown):

dn: uid=nissaar,ou=People,dc=example,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: nissaar
uid: nissaar
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/nissaar
userPassword: {SSHA}1kHSgRu1slyIdL1IJC25jnpoINi1f4oQ
loginShell: /bin/bash
gecos: nissaar
shadowLastChange: 18797
shadowMax: 99999
shadowWarning: 7

shadowLastChange is the day of the last password change counted in days since 1970-01-01 (18797 is 19 June 2021, the date of this post; date +%s divided by 86400 gives today's value) and shadowMax is how many days the password stays valid afterwards. Setting both to 0, as many copy-pasted examples do, tells every client that enforces shadow ageing that the password expired in 1970. Take uidNumber and gidNumber from the local account:

# grep '^nissaar:' /etc/passwd

Then load the configuration to the LDAP Directory:

# ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f ldapuser.ldif
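Steps 12 to 14 retype values that already sit in /etc/passwd and /etc/group, and retyping is where a wrong DN or a bad shadow field slips in. The script below is an added example and not code from the original post: it converts local passwd and group records (as printed by getent) into the user and group entries of steps 13 and 14, refuses system accounts, sets ageing values that do not mark the password as expired and, when run with --apply, checks that the ACL from step 9 really hides userPassword from an anonymous search. It assumes the ou=People and ou=Group layout from step 11, a userPassword hash produced beforehand with slappasswd, and slapd listening on ldap://localhost; the hash in /etc/shadow is deliberately not copied into the directory.

```bash
#!/bin/bash
# Added example, not code from the original post: build the group and user
# LDIFs of steps 13 and 14 from local passwd/group records so that uidNumber,
# gidNumber, home directory and shell are copied instead of retyped, then
# verify that the step 9 ACL hides userPassword from anonymous clients.
# Assumed: the ou=People / ou=Group layout from step 11, a hash produced
# beforehand with slappasswd, and slapd reachable at ldap://localhost.
set -eu

# "nissaar:x:1000:1000::/home/nissaar:/bin/bash" -> posixAccount entry.
# System accounts (uid < 1000) are refused: they do not belong in the directory.
passwd_to_ldif() {
    local basedn=$1 hash=$2 name pw uid gid gecos home shell
    IFS=: read -r name pw uid gid gecos home shell <<EOF
$3
EOF
    if [ "$uid" -lt 1000 ]; then
        echo "refusing system account $name (uid $uid)" >&2
        return 1
    fi
    # shadowLastChange is days since the epoch; 0 for it and for shadowMax
    # means "expired in 1970" to any client that enforces shadow ageing.
    cat <<EOF
dn: uid=$name,ou=People,$basedn
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: $name
uid: $name
uidNumber: $uid
gidNumber: $gid
homeDirectory: $home
loginShell: $shell
gecos: ${gecos:-$name}
userPassword: $hash
shadowLastChange: $(( $(date +%s) / 86400 ))
shadowMax: 99999
shadowWarning: 7

EOF
}

# "devs:x:2000:alice,bob" -> posixGroup entry with one memberUid per member.
group_to_ldif() {
    local basedn=$1 name pw gid members m old
    IFS=: read -r name pw gid members <<EOF
$2
EOF
    printf 'dn: cn=%s,ou=Group,%s\nobjectClass: top\nobjectClass: posixGroup\ncn: %s\ngidNumber: %s\n' \
        "$name" "$basedn" "$name" "$gid"
    old=$IFS; IFS=,
    for m in $members; do
        [ -n "$m" ] && printf 'memberUid: %s\n' "$m"
    done
    IFS=$old
    echo
}

# Feed it the output of an anonymous ldapsearch; succeeds only if no
# userPassword attribute came back (ldapsearch prints it base64 as "userPassword::").
userpassword_hidden() {
    ! grep -qi '^userPassword:'
}

# Usage: ./mkaccounts.sh dc=example,dc=com nissaar '{SSHA}...' [--apply]
# Prints the two LDIFs; with --apply they are loaded with one Manager bind,
# as in steps 13 and 14, and the anonymous-read check runs on the new entry.
main() {
    local basedn=$1 user=$2 hash=$3
    if [ "${4:-}" = "--apply" ]; then
        { group_to_ldif "$basedn" "$(getent group "$user")"
          passwd_to_ldif "$basedn" "$hash" "$(getent passwd "$user")"; } |
            ldapadd -x -W -D "cn=Manager,$basedn"
        ldapsearch -x -LLL -H ldap://localhost -b "$basedn" "uid=$user" | userpassword_hidden \
            && echo "OK: anonymous search does not return userPassword" \
            || { echo "ACL problem: userPassword is readable anonymously" >&2; exit 1; }
    else
        group_to_ldif "$basedn" "$(getent group "$user")"
        passwd_to_ldif "$basedn" "$hash" "$(getent passwd "$user")"
    fi
}
if [ "$#" -ge 3 ]; then main "$@"; fi
```

After --apply, also confirm the "by self write" part of the ACL works by binding as the new entry: ldapwhoami -x -H ldap://localhost -D "uid=nissaar,ou=People,dc=example,dc=com" -W should answer with that DN, which is the same bind a PAM or sssd client will later perform.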
