OpenLDAP Server Configuration on CentOS 7 / RHEL 7

OpenLDAP is an open-source implementation of the Lightweight Directory Access Protocol developed by the OpenLDAP Project. LDAP is an Internet protocol that email and other programs use to look up contact information from a server. It is released under the OpenLDAP Public License and is available for all major Linux distributions, AIX, Android, HP-UX, OS X, Solaris, Windows and z/OS.

It functions like a relational database in certain ways and can be used to store any kind of information. LDAP is not limited to storing information; it is also used as the backend for “single sign-on”, where one password per user is shared between many services.

We will configure OpenLDAP for centralized login, where users use a single account to log in to multiple servers.

Prerequisites:

Make sure both LDAP server “master.atlas.local” (192.168.xx.xx).

Make an entry for each machine in /etc/hosts for name resolution.

vi /etc/hosts
192.168.12.10 master.atlas.local server

Here I will use the IP address for all the configuration.

Install the following LDAP RPM packages to get started. Run the command below on the LDAP server (master.atlas.local).

yum -y install openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel

Start the LDAP service and enable it to start automatically on boot.

#systemctl start slapd.service
#systemctl enable slapd.service

Verify that slapd is listening on port 389.

#netstat -antup | grep -i 389

tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      1520/slapd
tcp6       0      0 :::389                  :::*                    LISTEN      1520/slapd

Set up the LDAP root password:

Run the command below to create an LDAP root password; we will use this root password throughout this article, so make a note of it and keep it aside.

[root@server ~]# slappasswd

New password:
Re-enter new password:
{SSHA}d/thexcQUuSfe3rx3gRaEhHpNJ52N8D3

[root@server ~]#

Configure OpenLDAP server:

The OpenLDAP server's configuration lives in /etc/openldap/slapd.d/. To start configuring LDAP, we need to set the attributes olcSuffix, olcRootDN and olcRootPW:

olcSuffix – the database suffix, i.e. the domain name for which the LDAP server provides information. In simple words, change it to your own domain name.

olcRootDN – the Root Distinguished Name (DN): the entry for the user who has unrestricted access to perform all administration activities on LDAP, like a root user.

olcRootPW – the password for the above RootDN (the {SSHA} hash produced by slappasswd above, not the clear-text password).

Create a .ldif file with the entries below (each entry starts with its dn: line, and entries are separated by one blank line).

# vi db.ldif
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=atlas,dc=local

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=atlas.com,dc=atlas,dc=local

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}QF+jBFJ/RWGVwPuDzQI87YJfJtKOYGhK

Once you are done with the ldif file, send the configuration to the LDAP server.

ldapmodify -Y EXTERNAL -H ldapi:/// -f db.ldif

Next, restrict access to the monitor database (stored in /etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif; do not edit that file by hand, apply the change with ldapmodify as shown) so that only the LDAP root user can read it and nobody else. The first dn.base grants access to the local root user over the ldapi socket; the second must be the olcRootDN you set above (cn=atlas.com,dc=atlas,dc=local here).

# vi monitor.ldif
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=atlas.com,dc=atlas,dc=local" read by * none

Once you have updated the file, send the configuration to the LDAP server.

ldapmodify -Y EXTERNAL -H ldapi:/// -f monitor.ldif

Create LDAP certificate:

Let's create a self-signed certificate for our LDAP server. The command below generates both the certificate and the private key in the /etc/openldap/certs/ directory.

openssl req -new -x509 -nodes -out /etc/openldap/certs/Filenamecert.pem -keyout /etc/openldap/certs/Filenamekey.pem -days 365

Generating a 2048 bit RSA private key
...+++
......................................+++
writing new private key to '/etc/openldap/certs/Filenamekey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:XX
State or Province Name (full name) []:XX
Locality Name (eg, city) [Default City]:XXXXXX
Organization Name (eg, company) [Default Company Ltd]:MaddySystems
Organizational Unit Name (eg, section) []:IT Infra
Common Name (eg, your name or your server's hostname) []:server.atlas.local
Email Address []:admin@maddy.co.in

Set the owner and group of the files to ldap.

chown -R ldap:ldap /etc/openldap/certs/*.pem

Verify the created certificate and key under /etc/openldap/certs/. Note that the key file in the listing below is mode 0644, i.e. readable by every local user; a private key should be readable by the ldap user only.

ll /etc/openldap/certs/*.pem

-rw-r--r--. 1 ldap ldap 1440 Oct 10 02:31 /etc/openldap/certs/Filenamecert.pem
-rw-r--r--. 1 ldap ldap 1704 Oct 10 02:31 /etc/openldap/certs/Filenamekey.pem

Create a certs.ldif file to configure LDAP to use secure communication with the self-signed certificate.

# vi certs.ldif
dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/Filenamecert.pem

dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/Filenamekey.pem

Import the configuration into the LDAP server.

ldapmodify -Y EXTERNAL -H ldapi:/// -f certs.ldif

Verify the configuration:

slaptest -u

The following message confirms that the configuration is valid.

config file testing succeeded

Set up the LDAP database:

Copy the sample database configuration file to /var/lib/ldap and update the file ownership.

cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown ldap:ldap /var/lib/ldap/*

Add the cosine, nis and inetorgperson LDAP schemas.

ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

Generate a base.ldif file for your domain.

# vi base.ldif

dn: dc=atlas,dc=local
dc: atlas
objectClass: top
objectClass: domain

dn: cn=atlas.com,dc=atlas,dc=local
objectClass: organizationalRole
cn: atlas.com
description: LDAP Manager

dn: ou=People,dc=atlas,dc=local
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=atlas,dc=local
objectClass: organizationalUnit
ou: Group

Build the directory structure.

ldapadd -x -W -D "cn=atlas.com,dc=atlas,dc=local" -f base.ldif

The ldapadd command prompts for the password of atlas.com (the LDAP root user).

Enter LDAP Password:

Output:

adding new entry "dc=atlas,dc=local"
adding new entry "cn=atlas.com,dc=atlas,dc=local"
adding new entry "ou=People,dc=atlas,dc=local"
adding new entry "ou=Group,dc=atlas,dc=local"

Let's create an LDIF file for a new user called raj.

vi raj.ldif

Paste the lines below into the file.

dn: uid=raj,ou=People,dc=atlas,dc=local
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: raj
uid: raj
uidNumber: 9999
gidNumber: 100
homeDirectory: /home/raj
loginShell: /bin/bash
gecos: Raj [Admin (at) AtlasSystems]
userPassword: {crypt}x
shadowLastChange: 17058
shadowMin: 0
shadowMax: 99999
shadowWarning: 7

Use the ldapadd command with the above file to create the user "raj" in the OpenLDAP directory.

ldapadd -x -W -D "cn=atlas.com,dc=atlas,dc=local" -f raj.ldif
Enter LDAP Password:
adding new entry "uid=raj,ou=People,dc=atlas,dc=local"

Assign a password to the user.

ldappasswd -s password123 -W -D "cn=atlas.com,dc=atlas,dc=local" -x "uid=raj,ou=People,dc=atlas,dc=local"

Where,
-s sets the new password (given on the command line it lands in your shell history and is visible in the process list; use -S to be prompted for it instead)
-x uses simple authentication; the final argument is the DN of the user whose password is changed
-D the distinguished name used to authenticate to the LDAP server

Verify the LDAP entries.

ldapsearch -x cn=raj -b dc=atlas,dc=local

# extended LDIF
#
# LDAPv3
# base <dc=atlas,dc=local> with scope subtree
# filter: cn=raj
# requesting: ALL
# raj, People, atlas.local
dn: uid=raj,ou=People,dc=atlas,dc=local
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: raj
uid: raj
uidNumber: 9999
gidNumber: 100
homeDirectory: /home/raj
loginShell: /bin/bash
gecos: Raj [Admin (at) AtlasSystems]
shadowLastChange: 17058
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
userPassword:: e1NTSEF9MkE2eUhIS0pJQVRnMHBCdkpVWjR5Q3JvTkJLTzdBTWY=

# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1

To delete an entry from LDAP (optional):

ldapdelete -W -D "cn=atlas.com,dc=atlas,dc=local" "uid=raj,ou=People,dc=atlas,dc=local"

Firewall:

firewall-cmd --permanent --add-service=ldap
firewall-cmd --reload

Enable LDAP logging:

Configure rsyslog to write LDAP events to the file /var/log/ldap.log; slapd logs to the local4 syslog facility by default. Add the line below to /etc/rsyslog.conf.

local4.* /var/log/ldap.log

Restart the rsyslog service.

systemctl restart rsyslog
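
With events landing in /var/log/ldap.log, the first thing worth watching is failed binds. The Python below is an added example, not part of the article: it runs over constructed stats-level slapd lines (not real logs), joins each RESULT to its BIND and to the client IP from the connection's ACCEPT line, and counts failures per source and DN; it assumes slapd's default stats log level and the line format shown in the sample.

```python
import re
from collections import Counter

# Constructed sample lines (not from the article) in the stats-level format slapd
# sends to local4: err=49 is invalidCredentials, err=0 a successful bind.
SAMPLE_LOG = """\
Oct 10 02:40:12 master slapd[1520]: conn=1000 fd=12 ACCEPT from IP=192.168.12.20:45678 (IP=0.0.0.0:389)
Oct 10 02:40:12 master slapd[1520]: conn=1000 op=0 BIND dn="uid=raj,ou=People,dc=atlas,dc=local" method=128
Oct 10 02:40:12 master slapd[1520]: conn=1000 op=0 RESULT tag=97 err=49 text=
Oct 10 02:40:13 master slapd[1520]: conn=1000 op=1 BIND dn="uid=raj,ou=People,dc=atlas,dc=local" method=128
Oct 10 02:40:13 master slapd[1520]: conn=1000 op=1 RESULT tag=97 err=0 text=
Oct 10 02:40:20 master slapd[1520]: conn=1001 fd=13 ACCEPT from IP=192.168.12.77:51000 (IP=0.0.0.0:389)
Oct 10 02:40:20 master slapd[1520]: conn=1001 op=0 BIND dn="cn=atlas.com,dc=atlas,dc=local" method=128
Oct 10 02:40:20 master slapd[1520]: conn=1001 op=0 RESULT tag=97 err=49 text=
Oct 10 02:40:21 master slapd[1520]: conn=1001 op=1 BIND dn="cn=atlas.com,dc=atlas,dc=local" method=128
Oct 10 02:40:21 master slapd[1520]: conn=1001 op=1 RESULT tag=97 err=49 text=
"""

ACCEPT_RE = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+")
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)")  # tag 97 = bind response


def failed_binds(log_text):
    """Return {(client_ip, bind_dn): failures}; a RESULT is joined to its BIND by
    conn/op, and the BIND to the client IP recorded on the connection's ACCEPT."""
    conn_ip, pending, failures = {}, {}, Counter()
    for line in log_text.splitlines():
        m = ACCEPT_RE.search(line)
        if m:
            conn_ip[m.group(1)] = m.group(2)
            continue
        m = BIND_RE.search(line)
        if m:
            pending[(m.group(1), m.group(2))] = (conn_ip.get(m.group(1), "unknown"), m.group(3))
            continue
        m = RESULT_RE.search(line)
        if m:
            origin = pending.pop((m.group(1), m.group(2)), None)
            if origin is not None and m.group(3) == "49":
                failures[origin] += 1
    return failures

def noisy_sources(log_text, limit=2):
    """Client IPs with at least `limit` failed binds, whatever DN they tried."""
    per_ip = Counter()
    for (ip, _dn), n in failed_binds(log_text).items():
        per_ip[ip] += n
    return sorted(ip for ip, n in per_ip.items() if n >= limit)
```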

LDAP client configuration to use the LDAP server:

Install the necessary LDAP client packages on the client machine.

# yum install -y openldap-clients nss-pam-ldapd

Execute the command below to point the client machine at the LDAP server for single sign-on. Replace "192.168.12.10" with your LDAP server's IP address or hostname. As written, the client talks plain LDAP; to use the certificate configured above, add --enableldaptls and make the server's certificate trusted on the client (tls_cacertfile in /etc/nslcd.conf).

# authconfig --enableldap --enableldapauth --ldapserver=192.168.12.10 --ldapbasedn="dc=atlas,dc=local" --enablemkhomedir --update

Restart the LDAP client service.

# systemctl restart nslcd

Verify LDAP login:

Use the getent command to fetch the user's entry from the LDAP server.

# getent passwd raj

raj:x:9999:100:Raj [Admin (at) AtlasSystems]:/home/raj:/bin/bash

The configuration can also be checked with Apache Directory Studio.
