Install and configure OpenLDAP server on CentOS 8


This tutorial explains how to install OpenLDAP on CentOS 8. LDAP (Lightweight Directory Access Protocol) is a protocol for querying and modifying directory services; in practice it is used as a central store of users, groups and credentials that systems and applications such as Postfix authenticate against. It is often compared with Microsoft's Active Directory, which exposes an LDAP interface. OpenLDAP is an open-source LDAP implementation that runs on Linux.

Install OpenLDAP on CentOS 8

In this guide we build the latest OpenLDAP release from source instead of installing a packaged version.

Please follow the steps below to set up an OpenLDAP server on CentOS 8.

Update system

Update the system. dnf update is an alias for dnf upgrade, so one command is enough:

sudo dnf upgrade -y

Install the required packages

Install the required packages that will enable you to successfully build OpenLDAP.

sudo dnf install wget vim cyrus-sasl-devel libtool-ltdl-devel openssl-devel libdb-devel make libtool autoconf  tar gcc perl perl-devel 

Create LDAP system account

We need to create a non-privileged system user for OpenLDAP.

sudo useradd -r -M -d /var/lib/openldap -u 55 -s /usr/sbin/nologin ldap

Download OpenLDAP source files

At the time of writing this tutorial, the latest version of OpenLDAP is 2.4.57.

Declare the version to your shell

VER=2.4.57

Download the tarball from the OpenLDAP release directory and, before building it, compare it against the checksum files published alongside it:

wget https://www.openldap.org/software/download/OpenLDAP/openldap-release/openldap-$VER.tgz

Extract the archive:

tar xzf openldap-$VER.tgz

Install OpenLDAP

Move the extracted tree to /opt and build it there.

sudo mv openldap-$VER /opt
cd /opt/openldap-$VER

Configure the build

sudo ./configure --prefix=/usr --sysconfdir=/etc --disable-static \
  --enable-debug --with-tls=openssl --with-cyrus-sasl --enable-dynamic \
  --enable-crypt --enable-spasswd --enable-slapd --enable-modules \
  --enable-rlookups --enable-backends=mod --disable-ndb --disable-sql \
  --disable-shell --disable-bdb --disable-hdb --enable-overlays=mod

When configure finishes it prints the message “Please run "make depend" to build dependencies”. Do so:

sudo make depend

Compile

sudo make

Install OpenLDAP

sudo make install

A successful installation creates the configuration directory /etc/openldap containing the following files:

certs  ldap.conf  ldap.conf.default  schema  slapd.conf  slapd.conf.default  slapd.ldif  slapd.ldif.default

Configure OpenLDAP

Let us continue to configure OpenLDAP.

First, create the OpenLDAP database directory and the cn=config directory.

sudo mkdir -p /var/lib/openldap /etc/openldap/slapd.d

Set proper permissions for the OpenLDAP directory

sudo chown -R ldap:ldap /var/lib/openldap
sudo chown root:ldap /etc/openldap/slapd.conf
sudo chmod 640 /etc/openldap/slapd.conf

Create the sudo LDAP schema

Check whether your sudo build supports LDAP.

sudo -V | grep -i ldap

If your system supports LDAP, you should see the following lines in the output.

ldap.conf path: /etc/sudo-ldap.conf
ldap.secret path: /etc/ldap.secret

Confirm that the sudo package ships the OpenLDAP schema file.

rpm -ql sudo | grep -i schema.openldap

Sample output

/usr/share/doc/sudo/schema.OpenLDAP


Copy the schema into the LDAP schema directory.

sudo cp /usr/share/doc/sudo/schema.OpenLDAP /etc/openldap/schema/sudo.schema

Create the sudo schema LDIF file. Become root first, since the heredoc below writes into /etc/openldap/schema:

sudo su -

Then write the file:

cat << 'EOL' > /etc/openldap/schema/sudo.ldif
dn: cn=sudo,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: sudo
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 'Command(s) to be executed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs' DESC 'User(s) impersonated by sudo (deprecated)' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption' DESC 'Options(s) followed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.6 NAME 'sudoRunAsUser' DESC 'User(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.7 NAME 'sudoRunAsGroup' DESC 'Group(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcObjectClasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL DESC 'Sudoer Entries' MUST ( cn ) MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ sudoRunAsGroup $ sudoOption $ description ) )
EOL

Configure SLAPD database

Update the content of /etc/openldap/slapd.ldif

sudo mv /etc/openldap/slapd.ldif /etc/openldap/slapd.ldif.bak
sudo vi /etc/openldap/slapd.ldif

Paste the following data:

dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/lib/openldap/slapd.args
olcPidFile: /var/lib/openldap/slapd.pid

dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema

dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/libexec/openldap
olcModuleload: back_mdb.la

include: file:///etc/openldap/schema/core.ldif
include: file:///etc/openldap/schema/cosine.ldif
include: file:///etc/openldap/schema/nis.ldif
include: file:///etc/openldap/schema/inetorgperson.ldif
include: file:///etc/openldap/schema/ppolicy.ldif
include: file:///etc/openldap/schema/sudo.ldif

dn: olcDatabase=frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: frontend
olcAccess: to dn.base="cn=Subschema" by * read
olcAccess: to * 
  by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage 
  by * none

dn: olcDatabase=config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: config
olcRootDN: cn=config
olcAccess: to * 
  by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage 
  by * none

Do a dry run to check the configuration

sudo slapadd -n 0 -F /etc/openldap/slapd.d -l /etc/openldap/slapd.ldif -u

Execute command to write changes

sudo slapadd -n 0 -F /etc/openldap/slapd.d -l /etc/openldap/slapd.ldif

The above command creates the slapd database configuration and places it in /etc/openldap/slapd.d.

$ ls /etc/openldap/slapd.d
'cn=config'  'cn=config.ldif'

Set the correct ownership to the slapd directory

sudo chown -R ldap:ldap /etc/openldap/slapd.d

Create the slapd systemd service

Create the unit file

$ sudo vim /etc/systemd/system/slapd.service

[Unit]
Description=OpenLDAP Server Daemon
Wants=network-online.target
After=network-online.target
Documentation=man:slapd
Documentation=man:slapd-mdb

[Service]
Type=forking
PIDFile=/var/lib/openldap/slapd.pid
Environment="SLAPD_URLS=ldap:/// ldapi:/// ldaps:///"
Environment="SLAPD_OPTIONS=-F /etc/openldap/slapd.d"
ExecStart=/usr/libexec/slapd -u ldap -g ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS

[Install]
WantedBy=multi-user.target

Reload systemd so it reads the new unit. Note that SLAPD_URLS already lists ldaps:///, while the TLS certificate is only configured later in this guide; if slapd refuses to start before that step, remove ldaps:/// from SLAPD_URLS until TLS is set up and add it back afterwards.

sudo systemctl daemon-reload

Start and enable the slapd service

sudo systemctl enable --now slapd

Check status

$ systemctl status slapd

Configure OpenLDAP default root DN

Create the MDB database with its root DN and access control list (ACL).

Generate root password:

$ sudo slappasswd

Copy the generated hash; it goes into the olcRootPW line of rootdn.ldif below.

vim rootdn.ldif

Add the following content, replacing dc=ldapmaster,dc=computingforgeeks,dc=com with your own domain.

dn: olcDatabase=mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: mdb
olcDbMaxSize: 42949672960
olcDbDirectory: /var/lib/openldap
olcSuffix: dc=ldapmaster,dc=computingforgeeks,dc=com
olcRootDN: cn=admin,dc=ldapmaster,dc=computingforgeeks,dc=com
olcRootPW: {SSHA}0phayAb6bQA9rONibLb97O5B89KPeNlW
olcDbIndex: uid pres,eq
olcDbIndex: cn,sn pres,eq,approx,sub
olcDbIndex: mail pres,eq,sub
olcDbIndex: objectClass pres,eq
olcDbIndex: loginShell pres,eq
olcDbIndex: sudoUser,sudoHost pres,eq
olcAccess: to attrs=userPassword,shadowLastChange,shadowExpire
  by self write
  by anonymous auth
  by dn.subtree="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage 
  by dn.subtree="ou=system,dc=ldapmaster,dc=computingforgeeks,dc=com" read
  by * none
olcAccess: to dn.subtree="ou=system,dc=ldapmaster,dc=computingforgeeks,dc=com" by dn.subtree="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
  by * none
olcAccess: to dn.subtree="dc=ldapmaster,dc=computingforgeeks,dc=com" by dn.subtree="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
  by users read 
  by * none

Note that the userPassword rule also grants read access to anything under ou=system, which is where the read-only bind account is created later in this guide. That lets the bind account read password hashes. Clients normally verify a password by binding as the user, so that clause is only needed if a consumer of the directory must read hashes itself and can otherwise be dropped. Load the database definition:

sudo ldapadd -Y EXTERNAL -H ldapi:/// -f rootdn.ldif
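The ACLs above are the part of this setup that is easiest to get subtly wrong, and cn=config is live data that drifts as you apply further LDIFs. The script below is an added example, not part of the original article: it audits a cn=config dump (the output of slapcat -n 0, or the LDIF you load) for a cleartext olcRootPW, password hashes readable by more than the user and the bind step, databases with no ACL of their own, and a missing minimum TLS version. Run without arguments it audits a constructed sample (the suffix dc=example,dc=com is hypothetical) so the checks can be seen working offline.

```shell
#!/bin/sh
# Added example, not part of the original article: audit a cn=config dump for
# the ACL and password mistakes that matter in the database definition above.
# On the server:  sudo slapcat -n 0 > config.ldif && sh audit-slapd.sh config.ldif
# Without arguments it audits a constructed sample (dc=example,dc=com is hypothetical).

# LDIF folds long values onto following lines that begin with one space;
# join them so every attribute sits on a single line.
unfold_ldif() {
    awk '
        /^ / { buf = buf substr($0, 2); next }
        { if (NR > 1) print buf; buf = $0 }
        END { print buf }
    ' "$1"
}

finding() { echo "FINDING: $*"; }

# $1 = cn=config LDIF. Prints one FINDING line per problem, always returns 0.
audit_slapd_config() {
    unfolded=$(unfold_ldif "$1")

    # 1. olcRootPW must be a {SCHEME}hash from slappasswd. slapcat writes the
    #    value base64-encoded ("olcRootPW:: ..."), so decode before looking.
    printf '%s\n' "$unfolded" | grep -E '^olcRootPW::? ' | while read -r attr value; do
        if [ "$attr" = "olcRootPW::" ]; then
            value=$(printf '%s' "$value" | base64 -d 2>/dev/null || true)
        fi
        case $value in
            "{"*) ;;
            *) finding "olcRootPW is stored in cleartext; regenerate it with slappasswd" ;;
        esac
    done

    # 2. userPassword ACLs: only the user (write) and the bind step (anonymous
    #    auth) should touch hashes. slapcat prefixes ordered values with {n}.
    pw_rules=$(printf '%s\n' "$unfolded" \
        | grep -E '^olcAccess: ([{][0-9]+[}])?to attrs=[^ ]*userPassword' || true)
    if printf '%s\n' "$pw_rules" | grep -Eq ' by (\*|users|anonymous) (read|write|manage)'; then
        finding "userPassword hashes are readable by every bound or anonymous client"
    fi
    if printf '%s\n' "$pw_rules" | grep -Eq ' by dn(\.[a-z]+)?="[^"]*" read'; then
        finding "a named DN can read userPassword hashes; clients normally bind as the user instead"
    fi

    # 3. A database with no olcAccess of its own falls back to the frontend
    #    rules, and slapd's built-in default is 'access to * by * read'.
    printf '%s\n' "$unfolded" | awk '
        /^dn: olcDatabase=/ { db = $2; seen = 0 }
        /^olcAccess:/       { seen = 1 }
        /^$/ { if (db != "" && !seen && db !~ /^olcDatabase=[^,]*(frontend|config),/) print db; db = "" }
        END  { if (db != "" && !seen && db !~ /^olcDatabase=[^,]*(frontend|config),/) print db }
    ' | while read -r db; do
        finding "$db has no olcAccess rules; access falls back to the frontend rules"
    done

    # 4. Without olcTLSProtocolMin the minimum TLS version is the library default.
    if ! printf '%s\n' "$unfolded" | grep -q '^olcTLSProtocolMin:'; then
        finding "olcTLSProtocolMin is unset; set 3.3 to require TLS 1.2 or newer"
    fi
    return 0
}

# Constructed sample dump that trips every check above. $1 = output path.
write_sample_config() {
    cat > "$1" <<'EOF'
dn: cn=config
objectClass: olcGlobal
cn: config

dn: olcDatabase={1}mdb,cn=config
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcSuffix: dc=example,dc=com
olcRootDN: cn=admin,dc=example,dc=com
olcRootPW: Secret123
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous
  auth by dn.subtree="ou=system,dc=example,dc=com" read by * none
olcAccess: {1}to dn.subtree="dc=example,dc=com" by users read by * none

dn: olcDatabase={2}mdb,cn=config
objectClass: olcMdbConfig
olcDatabase: {2}mdb
olcSuffix: dc=test,dc=example,dc=com
olcRootPW:: U2VjcmV0MTIz
EOF
}

if [ "$#" -gt 0 ]; then
    audit_slapd_config "$1"
else
    sample=$(mktemp)
    write_sample_config "$sample"
    audit_slapd_config "$sample"
    rm -f "$sample"
fi
```

Against the sample it reports five findings: both root passwords (one plain, one base64-encoded the way slapcat emits it) are cleartext, ou=system can read hashes, the second database has no ACL, and no minimum TLS version is set. The frontend and config databases are deliberately skipped in check 3 because their defaults differ from a data database.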

Define your organizational structure

Create basedn.ldif to define your organizational structure.

vim basedn.ldif

Use entries similar to the following, adjusted to your domain.

dn: dc=ldapmaster,dc=computingforgeeks,dc=com
objectClass: dcObject
objectClass: organization
objectClass: top
o: computingforgeeks
dc: ldapmaster

dn: ou=groups,dc=ldapmaster,dc=computingforgeeks,dc=com
objectClass: organizationalUnit
objectClass: top
ou: groups

dn: ou=people,dc=ldapmaster,dc=computingforgeeks,dc=com
objectClass: organizationalUnit
objectClass: top
ou: people

Update the database:

sudo ldapadd -Y EXTERNAL -H ldapi:/// -f basedn.ldif

Configure SSL/TLS

You can protect the client-server communication between OpenLDAP and the client system by enabling TLS/SSL.

You can use a self-signed certificate or one from Let’s Encrypt; this guide uses a self-signed certificate. openssl prompts for the subject fields: set the Common Name to the hostname that clients will use to reach the server, because LDAP clients verify the certificate against that name.

$ sudo openssl req -x509 -nodes -days 365 \
  -newkey rsa:2048 \
  -keyout /etc/pki/tls/ldapserver.key \
  -out /etc/pki/tls/ldapserver.crt

Give the files to the ldap user, which slapd runs as, and check that the private key is readable only by its owner (mode 0600); tighten it if openssl created it with wider permissions.

sudo chown ldap:ldap /etc/pki/tls/{ldapserver.crt,ldapserver.key}

Create an LDIF that points slapd at the certificate and key:

$ sudo vi add-tls.ldif

Add the following:

dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/pki/tls/ldapserver.crt
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/pki/tls/ldapserver.key
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/pki/tls/ldapserver.crt

Update the slapd configuration

sudo ldapadd -Y EXTERNAL -H ldapi:/// -f add-tls.ldif

Point the OpenLDAP client library at the certificate so that ldapsearch and the other client tools trust it (the default TLS_REQCERT demand makes clients refuse a certificate they cannot verify). Clients on other hosts need a copy of ldapserver.crt and the same setting.

$ sudo vim /etc/openldap/ldap.conf

...
#TLS_CACERT     /etc/pki/tls/cert.pem
TLS_CACERT     /etc/pki/tls/ldapserver.crt
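Loading a certificate only makes encryption available; nothing above stops a client from sending a password over plain ldap://, and the minimum TLS version is left to the library. The script below is an added example, not part of the original article: it writes a cn=config modification that requires TLS 1.2 or newer, drops weak cipher suites, keeps ldapi:/// usable for root administration, and makes slapd refuse simple (password) binds on any connection without at least 128-bit protection, then offers two client-side checks. It assumes the layout of this guide (cn=config managed as root over ldapi:///, a build with --with-tls=openssl); the hostname, bind DN and password given to the check functions are placeholders supplied by the caller.

```shell
#!/bin/sh
# Added example, not part of the original article: tighten the TLS settings
# configured above and check them from a client. Assumes this guide's layout
# (cn=config managed as root over ldapi:///, build made with --with-tls=openssl).
# Hostnames, bind DNs and passwords given to the check functions are placeholders.

# Write a cn=config modification to the path given as $1.
write_tls_hardening_ldif() {
    cat > "$1" <<'EOF'
dn: cn=config
changetype: modify
replace: olcTLSProtocolMin
olcTLSProtocolMin: 3.3
-
replace: olcTLSCipherSuite
olcTLSCipherSuite: HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES
-
replace: olcLocalSSF
olcLocalSSF: 128
-
replace: olcSecurity
olcSecurity: simple_bind=128
EOF
}
# olcTLSProtocolMin 3.3 is TLS 1.2 in OpenLDAP's major.minor notation, so
# TLS 1.0/1.1 handshakes are refused.
# olcTLSCipherSuite is an OpenSSL cipher string (this build uses OpenSSL):
# no anonymous, NULL, MD5, RC4 or 3DES suites.
# olcLocalSSF 128 rates ldapi:/// Unix-socket connections as 128-bit strong,
# so root administration over the socket keeps working.
# olcSecurity simple_bind=128 makes slapd refuse password (simple) binds on
# any weaker connection: clients must use ldaps:// or STARTTLS before binding.

# Apply the modification on the server (run as root).
apply_tls_hardening() {
    ldif=$(mktemp) || return 1
    write_tls_hardening_ldif "$ldif"
    ldapmodify -Y EXTERNAL -H ldapi:/// -f "$ldif"
    rc=$?
    rm -f "$ldif"
    return "$rc"
}

# From a client: confirm the ldaps listener presents a certificate that
# verifies against the CA file ($2) and negotiates TLS 1.2 or newer.
# $1 = server hostname as it appears in the certificate.
check_ldaps() {
    openssl s_client -connect "$1:636" -servername "$1" -CAfile "$2" \
        -verify_return_error </dev/null 2>/dev/null \
        | grep -E 'Protocol *:|Verify return code'
}

# From a client: a simple bind over plain ldap:// must now fail with
# "Confidentiality required". $1 = host, $2 = bind DN, $3 = password.
check_cleartext_bind_refused() {
    err=$(ldapwhoami -x -H "ldap://$1" -D "$2" -w "$3" 2>&1 >/dev/null)
    case $err in
        *"Confidentiality required"*) echo "OK: cleartext simple bind refused"; return 0 ;;
        *) echo "FAIL: cleartext bind was not refused: $err"; return 1 ;;
    esac
}

# Usage: sh harden-ldap-tls.sh harden-tls.ldif   (writes the LDIF for review)
if [ "$#" -gt 0 ]; then
    write_tls_hardening_ldif "$1"
    echo "wrote $1; apply it with: ldapmodify -Y EXTERNAL -H ldapi:/// -f $1"
fi
```

Review the generated LDIF, apply it with apply_tls_hardening (or the ldapmodify line it prints), then run check_ldaps and check_cleartext_bind_refused from a client host; if the listener still offers the old settings, restart slapd. Because simple binds are refused on unprotected connections, every client configured later (SSSD, nslcd, Postfix) must use ldaps:// or STARTTLS.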

Create OpenLDAP user

Define your users in the users.ldif file as follows:

$ sudo vim users.ldif

This is sample data:

dn: uid=vshamallah,ou=people,dc=ldapmaster,dc=computingforgeeks,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: vshamallah
cn: Vic
sn: Shamallah
loginShell: /bin/bash
uidNumber: 10000
gidNumber: 10000
homeDirectory: /home/vshamallah
shadowMax: 60
shadowMin: 1
shadowWarning: 7
shadowInactive: 7
shadowLastChange: 0

dn: cn=vshamallah,ou=groups,dc=ldapmaster,dc=computingforgeeks,dc=com
objectClass: posixGroup
cn: vshamallah
gidNumber: 10000
memberUid: vshamallah

Update the LDAP database to add new users

sudo ldapadd -Y EXTERNAL -H ldapi:/// -f users.ldif

Use the following command to set a password for the above user:

sudo ldappasswd -H ldapi:/// -Y EXTERNAL -S "uid=vshamallah,ou=people,dc=ldapmaster,dc=computingforgeeks,dc=com"

Create LDAP bind user

Create a bind DN, an account that client systems will use to perform LDAP lookups (such as resolving user IDs and group IDs).

Create a BindDN password.

$ sudo slappasswd
New password: 
Re-enter new password: 
{SSHA}9Sx4MzBieiojFsXLgXDVnJavwt4vql4p

Get the hashed password and save it somewhere.

Create the bindDNuser.ldif file and add the following content, remember to replace the hashed password and domain information with your details.

vim bindDNuser.ldif

This is my configuration:

dn: ou=system,dc=ldapmaster,dc=computingforgeeks,dc=com
objectClass: organizationalUnit
objectClass: top
ou: system

dn: cn=readonly,ou=system,dc=ldapmaster,dc=computingforgeeks,dc=com
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: readonly
userPassword: {SSHA}9Sx4MzBieiojFsXLgXDVnJavwt4vql4p
description: Bind DN user for LDAP Operations

Update the ldap database:

sudo ldapadd -Y EXTERNAL -H ldapi:/// -f bindDNuser.ldif

Allow OpenLDAP through firewall

Allow OpenLDAP through the firewall to allow connections.

sudo firewall-cmd --add-service={ldap,ldaps} --permanent
sudo firewall-cmd --reload

At this point OpenLDAP is configured and ready for use. Client systems still need an LDAP client configured to connect to this server.

Follow this guide to configure an OpenLDAP client:

Configure LDAP client on Ubuntu
