Installing and configuring OpenLDAP on CentOS 7

OpenLDAP is a free, open source implementation of the Lightweight Directory Access Protocol (LDAP) developed by the OpenLDAP Project. It is released under its own BSD-style license called the OpenLDAP Public License. This tool can be used for authenticating users to Linux OpenLDAP clients connected to OpenLDAP centralized server.

Topology

Our test configuration consists of one OpenLDAP server and one client:

  • 10.10.1.101 - OpenLDAP server
  • 10.10.1.102 - OpenLDAP client

Install the necessary packages on our server

yum -y install openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel
service slapd start
systemctl enable slapd.service

Configure LDAP server

Generate password for LDAP administrative access. This is accomplished via the tool slappasswd:

slappasswd
New password:
Re-enter new password:
{SSHA}w2XBxT9foe5cfJz11SZiwaXaNwRmrCSG

Our main working directory will be the following:

/etc/openldap/slapd.d

The configuration we need to change is stored in /etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif. Do not edit this file directly! If you do, your changes will be overwritten when the LDAP database is reloaded. To modify these values properly, we create a separate .ldiff file and import it through LDAP's API. Create the file /etc/openldap/slapd.d/database.ldiff with the following contents (note the "dc", "cn" and "olcRootPW" values, which you will need to change according to your preferences):

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=dzhorov,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=ldapadm,dc=dzhorov,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}w2XBxT9foe5cfJz11SZiwaXaNwRmrCSG

Where the configuration variables have the following purpose:

  • dn: - The LDAP API references an LDAP object by its distinguished name (DN). A DN is a sequence of relative distinguished names (RDN) connected by commas. The most basic method of defining new entries to add to LDAP is to simply list the entries in their entirety, exactly as they would typically be displayed by LDAP tools. This starts with the DN (distinguished name) where the entry will be created, after the dn: indicator.
  • changetype: modify - Modifying an entry's attributes is a very common change to make and is made possible by specifying changetype: modify after the DN of the entry.
  • replace: olcSuffix - Replace the property "olcSuffix"
  • olcSuffix: dc=dzhorov,dc=com - The new value of "olcSuffix" that will be put in place of the old one.
  • olcRootPW: - The password hash that we previously generated with the slappasswd utility.
  • olcSuffix - Database suffix, i.e. the domain name for which the LDAP server provides information. This should be changed to your organization's domain name.
  • olcRootDN - Root Distinguished Name (DN) entry for the user who has the full access to perform all administration tasks on LDAP. For example the root user.
  • olcRootPW - Password for the above mentioned RootDN.
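The three records above follow one template: a dn:, a changetype: modify and a replace: of a single attribute. The script below, an added example that is not part of the original post, renders database.ldiff from variables and refuses to emit an olcRootPW that is not a slappasswd hash, because a cleartext value in cn=config would be readable by anyone who can read the slapd.d directory. The suffix, root DN and hash passed in at the bottom are constructed sample values; on a real server the hash is the line slappasswd printed.

```shell
#!/bin/sh
# Added example: build the database.ldiff records from variables instead of
# hand-editing them. Sample values at the bottom are constructed.

# Return 0 when the value starts with a password scheme that slappasswd
# produces ({SSHA}, {SHA}, {CRYPT}, {MD5}, {SMD5}), 1 for anything else
# (which would be stored as a cleartext olcRootPW).
is_hashed_password() {
    case "$1" in
        "{SSHA}"*|"{SHA}"*|"{CRYPT}"*|"{MD5}"*|"{SMD5}"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the three "changetype: modify" records that database.ldiff contains,
# targeting the olcDatabase={2}hdb,cn=config entry, for the given suffix,
# root DN and password hash. Fails without output on a cleartext password.
render_database_ldif() {
    suffix="$1"; rootdn="$2"; pwhash="$3"
    if ! is_hashed_password "$pwhash"; then
        echo "refusing to write a cleartext olcRootPW; run slappasswd first" >&2
        return 1
    fi
    for attr in olcSuffix olcRootDN olcRootPW; do
        case "$attr" in
            olcSuffix) value="$suffix" ;;
            olcRootDN) value="$rootdn" ;;
            olcRootPW) value="$pwhash" ;;
        esac
        printf 'dn: olcDatabase={2}hdb,cn=config\nchangetype: modify\nreplace: %s\n%s: %s\n\n' \
            "$attr" "$attr" "$value"
    done
}

# Demonstration with constructed values; redirect the output to
# /etc/openldap/slapd.d/database.ldiff before running ldapmodify.
render_database_ldif "dc=example,dc=com" "cn=ldapadm,dc=example,dc=com" \
    '{SSHA}w2XBxT9foe5cfJz11SZiwaXaNwRmrCSG'
```

The check only looks at the scheme prefix; it cannot tell a real hash from a mistyped one, so keep the slappasswd output and the ldapmodify result together when you apply the file.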

Apply the changes to your LDAP database through LDAP's API with the following command:

ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/openldap/slapd.d/database.ldiff

You should then see similar output:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

After that we need to change /etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif. Again, do not edit this file directly; create a new file to make the changes. Create /etc/openldap/slapd.d/monitor.ldiff with the following contents (again, note the "dc" and "cn" values, which you will need to change according to your configuration):

dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=ldapadm,dc=dzhorov,dc=com" read by * none

And make the changes with the command:

ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/openldap/slapd.d/monitor.ldiff 

You will see the following output:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}monitor,cn=config"

Create LDAP SSL certificate

Let's create the self-signed SSL certificate that our LDAP server will use. Use the following command (the -x509 flag makes openssl emit a self-signed certificate rather than a certificate signing request):

openssl req -new -x509 -sha256 -nodes -out /etc/openldap/certs/dzhorov-cert.pem -keyout /etc/openldap/certs/dzhorov-key.pem -days 365

Fill in the certificate information like in this example:

[screenshot ldap-1: the openssl certificate information prompts]

Then adjust the owner and group of the newly created certificate and key, since we issued the command as root:

chown ldap: /etc/openldap/certs/*.pem

After successfully issuing our self-signed SSL certificate, we need to tell our OpenLDAP server about it. This information is stored in /etc/openldap/slapd.d/cn=config.ldif, which should not be edited directly. Create the file certificates.ldiff in the directory /etc/openldap/slapd.d/ with the following content:

dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/dzhorov-cert.pem

dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/dzhorov-key.pem

Make the changes with the same kind of command we used above:

ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/openldap/slapd.d/certificates.ldiff

Verify the current configuration with the command:

slaptest -u

You should see the following output:

config file testing succeeded

Configure OpenLDAP database

Copy the example database, provided by OpenLDAP to /var/lib/ldap:

cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

And change its ownership to the user and group "ldap":

chown ldap: /var/lib/ldap/*

Add the cosine and nis LDAP schemas:

ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

Create base.ldiff in /etc/openldap/slapd.d:

dn: dc=dzhorov,dc=com
dc: dzhorov
objectClass: top
objectClass: domain

dn: cn=ldapadm,dc=dzhorov,dc=com
objectClass: organizationalRole
cn: ldapadm
description: LDAP Administrator

dn: ou=People,dc=dzhorov,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=dzhorov,dc=com
objectClass: organizationalUnit
ou: Group

Add the entries with the following command. Note that you will be asked for the root password generated at the beginning with slappasswd (in our examples this is the password of the "ldapadm" user):

ldapadd -x -W -D "cn=ldapadm,dc=dzhorov,dc=com" -f /etc/openldap/slapd.d/base.ldiff

If everything is done correctly, you should see something similar:

Enter LDAP Password: 
adding new entry "dc=dzhorov,dc=com"

adding new entry "cn=ldapadm,dc=dzhorov,dc=com"

adding new entry "ou=People,dc=dzhorov,dc=com"

adding new entry "ou=Group,dc=dzhorov,dc=com"

Creating a new user that will authenticate against our OpenLDAP server

Let's add a user called "dzhorov" to our organization's database. Create a file called dzhorov.ldiff in /etc/openldap/slapd.d/ with the following contents:

dn: uid=dzhorov,ou=People,dc=dzhorov,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: dzhorov
uid: dzhorov
uidNumber: 9999
gidNumber: 100
homeDirectory: /home/dzhorov
loginShell: /bin/bash
gecos: Some information for that user
userPassword: {crypt}x
shadowLastChange: 17023
shadowMin: 0
shadowMax: 99999
shadowWarning: 7

Add the entry using the command (you will need to enter the password for ldapadm):

ldapadd -x -W -D "cn=ldapadm,dc=dzhorov,dc=com" -f /etc/openldap/slapd.d/dzhorov.ldiff

Assign password to the new user:

ldappasswd -s verystrongpass123 -W -D "cn=ldapadm,dc=dzhorov,dc=com" -x "uid=dzhorov,ou=People,dc=dzhorov,dc=com"

The -s flag sets the new password, -x selects simple authentication (binding with a DN and password instead of SASL), and -D is the DN (Distinguished Name) used to authenticate to the server; the last argument is the DN of the user whose password is being set.

Verify that the user exists in our database:

ldapsearch -x cn=dzhorov -b dc=dzhorov,dc=com

[screenshot ldap-2: ldapsearch output showing the dzhorov entry]

If you need to delete a user from your database, you can do so by using the following command:

ldapdelete -W -D "cn=ldapadm,dc=dzhorov,dc=com" "uid=dzhorov,ou=People,dc=dzhorov,dc=com"

Enable logging

It is a good idea to enable logging for your OpenLDAP server. To do so, open /etc/rsyslog.conf and add this entry at the bottom:

local4.*                                                /var/log/ldap.log

And restart rsyslog:

service rsyslog restart
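Once slapd's log lands in /var/log/ldap.log, the lines worth watching are the BIND requests and their RESULT lines: err=49 means invalid credentials, and repeated failures against one DN from one client are the first sign of password guessing. The script below is an added example, not part of the original post; it correlates BIND and RESULT lines through their conn= and op= identifiers and reports failed binds per client and DN. The log lines embedded in it are constructed samples in the format slapd writes at its default "stats" log level; on a real server feed the script the log file instead.

```shell
#!/bin/sh
# Added example: count failed simple binds (err=49) per client IP and bind DN
# from slapd's stats-level log. SAMPLE_LOG is constructed, not a real capture.

SAMPLE_LOG='Jan 10 12:00:01 ldap slapd[1234]: conn=1000 fd=12 ACCEPT from IP=10.10.1.102:45678 (IP=0.0.0.0:389)
Jan 10 12:00:01 ldap slapd[1234]: conn=1000 op=0 BIND dn="uid=dzhorov,ou=People,dc=dzhorov,dc=com" method=128
Jan 10 12:00:01 ldap slapd[1234]: conn=1000 op=0 RESULT tag=97 err=49 text=
Jan 10 12:00:02 ldap slapd[1234]: conn=1001 fd=13 ACCEPT from IP=10.10.1.102:45679 (IP=0.0.0.0:389)
Jan 10 12:00:02 ldap slapd[1234]: conn=1001 op=0 BIND dn="uid=dzhorov,ou=People,dc=dzhorov,dc=com" method=128
Jan 10 12:00:02 ldap slapd[1234]: conn=1001 op=0 BIND dn="uid=dzhorov,ou=People,dc=dzhorov,dc=com" mech=SIMPLE ssf=0
Jan 10 12:00:02 ldap slapd[1234]: conn=1001 op=0 RESULT tag=97 err=0 text=
Jan 10 12:00:03 ldap slapd[1234]: conn=1002 fd=14 ACCEPT from IP=10.10.1.50:50000 (IP=0.0.0.0:389)
Jan 10 12:00:03 ldap slapd[1234]: conn=1002 op=0 BIND dn="cn=ldapadm,dc=dzhorov,dc=com" method=128
Jan 10 12:00:03 ldap slapd[1234]: conn=1002 op=0 RESULT tag=97 err=49 text=
Jan 10 12:00:04 ldap slapd[1234]: conn=1002 op=1 BIND dn="cn=ldapadm,dc=dzhorov,dc=com" method=128
Jan 10 12:00:04 ldap slapd[1234]: conn=1002 op=1 RESULT tag=97 err=49 text='

# Read slapd log lines on stdin and print "<failures> <client-ip> <bind-dn>",
# most failures first. ACCEPT lines map conn= to the client IP, BIND lines map
# conn=/op= to the DN, and RESULT lines with err=49 are counted against both.
failed_binds() {
    awk '
    function field(prefix,   i) {
        for (i = 1; i <= NF; i++) if (index($i, prefix) == 1) return $i
        return ""
    }
    /ACCEPT from IP=/ {
        conn = field("conn=")
        split(field("IP="), a, ":")          # "IP=10.10.1.102:45678" -> a[1]="IP=10.10.1.102"
        ip[conn] = substr(a[1], 4)
    }
    / BIND dn="/ {
        dn = $0; sub(/.*BIND dn="/, "", dn); sub(/".*/, "", dn)
        bind[field("conn=") " " field("op=")] = dn
    }
    / RESULT tag=97 err=49 / {
        conn = field("conn="); key = conn " " field("op=")
        if (key in bind) fails[ip[conn] " " bind[key]]++
    }
    END { for (k in fails) print fails[k], k }
    ' | sort -rn
}

# Exit 0 when any client/DN pair has more than $1 failed binds, 1 otherwise;
# suitable as a cron check that mails or pages on success.
threshold_exceeded() {
    failed_binds | awk -v limit="$1" '$1 > limit { found = 1 } END { exit found ? 0 : 1 }'
}

# Demonstration on the constructed sample; replace with: failed_binds < /var/log/ldap.log
printf '%s\n' "$SAMPLE_LOG" | failed_binds
```

The ssf=0 on the successful bind in the sample is what you will also see from the client configured later in this post, since it talks to the server over plain ldap:// on port 389 and the password crosses the network unencrypted; the log is the place to confirm whether your clients actually negotiated TLS.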

Firewall configuration for OpenLDAP

Add OpenLDAP to the current firewall configuration:

firewall-cmd --permanent --add-service=ldap
firewall-cmd --reload

Configuring the OpenLDAP client

Begin by installing the necessary packages:

yum install -y openldap-clients nss-pam-ldapd

Add the client to the OpenLDAP server. Replace the IP address in the command below with the one you assigned to your OpenLDAP server:

authconfig --enableldap --enableldapauth --ldapserver=10.10.1.101 --ldapbasedn="dc=dzhorov,dc=com" --enablemkhomedir --update

Restart nslcd:

systemctl restart nslcd

That's it! You can now test your login to the newly added client over SSH with the username and password we added previously. Check /var/log/ldap.log on the LDAP server to monitor user activity.
