OpenLDAP Server Configuration on CentOS 7 / RHEL 7





OpenLDAP is an open-source implementation of the LDAP protocol. An LDAP server is essentially a hierarchical, non-relational database optimised for frequent reads and rare writes. It is mainly used as an address book (for example by email clients) or as an authentication backend for other services (Samba, for instance, can use it in place of /etc/passwd when emulating a domain controller), and it holds the user account data.
In this tutorial we configure OpenLDAP for centralized login, so that users can log in to multiple servers with a single account.

Host Name               IP Address      OS           Purpose
server.openpath.local   192.168.0.237   CentOS 7     LDAP Server
server.aman.local       192.168.0.231   CentOS 6.5   LDAP Client

1.       Make sure that the LDAP server and the client can ping each other, so that connectivity between them is established.
2.       Add the following entries to /etc/hosts on both machines:

192.168.0.231 server.aman.local
192.168.0.237 server.openpath.local

Install LDAP

Install the following packages on the LDAP server (server.openpath.local):

yum -y install openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel

Now start the LDAP service and enable it so that it comes up again after a reboot.

systemctl start slapd.service
systemctl enable slapd.service

Verify that the LDAP service is listening on its default port (tcp/389):

netstat -antup | grep -i 389

tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN       1520/slapd         
tcp6      0      0 :::389                           :::*                    LISTEN      1520/slapd

Setup LDAP root password

Generate the hash for the LDAP root (RootDN) password with slappasswd. The plaintext you enter here is needed for every administrative ldapadd and ldapmodify in the rest of this post, so keep it safe; the {SSHA} hash it prints goes into the configuration below.

[root@server ~]# slappasswd
New password:
Re-enter new password:
{SSHA}JSJKMIABU6avqO0bOFzk7MO6v8DhRF72
[root@server ~]#

Configure OpenLDAP server:

The OpenLDAP server configuration lives in /etc/openldap/slapd.d/ (the cn=config database). Those files are not edited by hand: changes are applied with ldapmodify over the local ldapi:/// socket, as shown below. To start, we update the attributes “olcSuffix”, “olcRootDN” and “olcRootPW” on the user database (olcDatabase={2}hdb).
olcSuffix – Database suffix, the base DN for which this server holds data. In simple words, change it to your domain.
olcRootDN – Root Distinguished Name (DN) of the user who has unrestricted access to perform all administrative activities on the directory, like a root user. The RootDN is not subject to access controls.
olcRootPW – Password hash for the above RootDN (the slappasswd output from the previous step).
Now create an .ldif file in a working directory (for example /root, not inside /etc/openldap/slapd.d) describing these changes:

# vi db.ldif

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=openpath,dc=local

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=ldapadm,dc=openpath,dc=local

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}JSJKMIABU6avqO0bOFzk7MO6v8DhRF72

Once the ldif file is ready, apply it to the running server over the ldapi:/// socket, authenticating as the local root user via SASL EXTERNAL:

ldapmodify -Y EXTERNAL  -H ldapi:/// -f db.ldif

Next, restrict access to the monitor database (olcDatabase={1}monitor) so that only the local root user and the LDAP admin (ldapadm) can read it. Its settings live in /etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif, but that file must not be edited manually; create another ldif and apply it with ldapmodify:

# vi monitor.ldif

dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=ldapadm,dc=openpath,dc=local" read by * none

Apply the change:

ldapmodify -Y EXTERNAL  -H ldapi:/// -f monitor.ldif

Create LDAP certificate

Let’s create a self-signed certificate for our LDAP server. The Common Name must be the server’s hostname (server.openpath.local), because clients verify it against the name they connect to.

openssl req -new -x509 -nodes -out /etc/openldap/certs/openpathldapcert.pem -keyout /etc/openldap/certs/openpathldapkey.pem -days 365

Generating a 2048 bit RSA private key
...+++
.....................................+++
writing new private key to '/etc/openldap/certs/openpathldapkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]: XX
State or Province Name (full name) []: XX
Locality Name (eg, city) [Default City]: XXXXXX
Organization Name (eg, company) [Default Company Ltd]:OPENPATH
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:server.openpath.local
Email Address []:amanshukla0903@gmail.com

Give the ldap user ownership of the certificate and key:

chown -R ldap:ldap /etc/openldap/certs/*.pem

Verify the permissions and ownership. Note that the listing below still shows the private key as world-readable (mode 644): anyone who can read it can impersonate the server, so restrict it to mode 600, owned by ldap, before exposing the service.

[root@server slapd.d]# ll /etc/openldap/certs/*.pem
-rw-r--r-- 1 ldap ldap 1367 Nov  7 20:34 /etc/openldap/certs/openpathldapcert.pem
-rw-r--r-- 1 ldap ldap 1704 Nov  7 20:34 /etc/openldap/certs/openpathldapkey.pem

Create certs.ldif to point cn=config at the certificate and key, so that slapd can offer TLS (StartTLS on port 389, and ldaps on port 636 once that listener is enabled):

# vi certs.ldif
dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/openpathldapcert.pem

dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/openpathldapkey.pem

Apply the change:

ldapmodify -Y EXTERNAL  -H ldapi:/// -f certs.ldif

Verify the configuration

[root@server slapd.d]# slaptest -u
config file testing succeeded
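The certificate and key are now configured in cn=config, which is enough for StartTLS on port 389, but nothing listens on ldaps:// (tcp/636) yet and nothing has been checked end to end. The script below is an added example, not part of the original tutorial: it fixes the private key's permissions, adds ldaps:/// to SLAPD_URLS in /etc/sysconfig/slapd (the file the CentOS 7 slapd unit reads its listener list from), opens the ldaps service in firewalld, restarts slapd, and then runs an anonymous base search over ldaps:// with the self-signed certificate as the trust anchor, which fails unless the certificate verifies and matches the hostname. The paths and hostname are the ones used on this page; the two helper functions work on text so they can be exercised without a running server, and the live part only runs where /etc/sysconfig/slapd is writable.

```shell
#!/bin/sh
# Added example (not from the original tutorial): start the ldaps:// listener,
# lock down the private key and prove the TLS handshake works before any
# client is pointed at the server. Assumes the paths/hostname on this page.
set -eu

CERT=/etc/openldap/certs/openpathldapcert.pem
KEY=/etc/openldap/certs/openpathldapkey.pem
SERVER=server.openpath.local
SYSCONFIG=/etc/sysconfig/slapd     # read by the CentOS 7 slapd unit

# Rewrite a sysconfig file read on stdin so that SLAPD_URLS also lists
# ldaps:///. A line that already has it is passed through unchanged, so the
# function can be run repeatedly.
enable_ldaps_urls() {
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      SLAPD_URLS=*ldaps:///*) printf '%s\n' "$line" ;;
      SLAPD_URLS=*)
        urls=${line#SLAPD_URLS=}            # drop the variable name
        urls=${urls#\"}; urls=${urls%\"}    # and the surrounding quotes
        printf 'SLAPD_URLS="%s ldaps:///"\n' "$urls" ;;
      *) printf '%s\n' "$line" ;;
    esac
  done
}

# Number of listeners in a SLAPD_URLS line: handy when auditing a host,
# since "ldapi:///" alone means the server is not reachable over the network.
count_slapd_urls() {
  urls=${1#SLAPD_URLS=}
  urls=${urls#\"}; urls=${urls%\"}
  set -- $urls
  echo $#
}

# The rest changes the live server and only runs where that file exists.
if [ -w "$SYSCONFIG" ] && command -v ldapsearch >/dev/null 2>&1; then
  chown ldap:ldap "$KEY"
  chmod 600 "$KEY"                 # a readable key lets anyone impersonate the server
  enable_ldaps_urls < "$SYSCONFIG" > "$SYSCONFIG.new"
  mv "$SYSCONFIG.new" "$SYSCONFIG"
  systemctl restart slapd
  firewall-cmd --permanent --add-service=ldaps >/dev/null
  firewall-cmd --reload >/dev/null
  # TLS_REQCERT defaults to "demand": this search fails unless the server's
  # certificate chains to LDAPTLS_CACERT (a self-signed cert is its own CA)
  # and its CN matches the hostname we connect to.
  LDAPTLS_CACERT="$CERT" ldapsearch -x -LLL -H "ldaps://$SERVER" \
      -b "" -s base namingContexts
  echo "ldaps:// on $SERVER verified against $CERT"
fi
```

Once the final search succeeds, clients should connect to ldaps://server.openpath.local (or use StartTLS on 389) instead of plain ldap://, and must trust the same certificate.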

Set up LDAP database

Copy the sample database configuration file to /var/lib/ldap, fix its ownership, and restart slapd so that the new DB_CONFIG is read (it is only loaded when the backend opens the database).

cp -p /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown ldap:ldap /var/lib/ldap/*

Then load the schemas that the POSIX account entries below rely on. Order matters: nis depends on cosine, so load cosine first.

ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

Create base.ldif for your domain: the top-level entry, an entry for the admin (organizationalRole), and the People and Group organizational units.

# vi base.ldif

dn: dc=openpath,dc=local
dc: openpath
objectClass: top
objectClass: domain

dn: cn=ldapadm,dc=openpath,dc=local
objectClass: organizationalRole
cn: ldapadm
description: LDAP Manager

dn: ou=People,dc=openpath,dc=local
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=openpath,dc=local
objectClass: organizationalUnit
ou: Group

Build the directory structure, authenticating as the RootDN with a simple bind (-x) and prompting for its password (-W):

ldapadd -x -W -D "cn=ldapadm,dc=openpath,dc=local" -f base.ldif

Output:

Enter LDAP Password:
adding new entry "dc=openpath,dc=local"

adding new entry "cn=ldapadm,dc=openpath,dc=local"

adding new entry "ou=People,dc=openpath,dc=local"

adding new entry "ou=Group,dc=openpath,dc=local"

Create LDAP user

Now let’s create an LDAP user. Create an .ldif file for the user, say aman.ldif. Its userPassword is a placeholder ({crypt}x, a crypt hash that can never match); a real password is set with ldappasswd below. Note that gidNumber 100 is the local “users” group on CentOS: it resolves from /etc/group on each client, since nothing is created under ou=Group here.

vi aman.ldif
dn: uid=aman,ou=People,dc=openpath,dc=local
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: aman
uid: aman
uidNumber: 520
gidNumber: 100
homeDirectory: /home/aman
loginShell: /bin/bash
gecos: Aman [Admin (at) openpath]
userPassword: {crypt}x
shadowLastChange: 17058
shadowMin: 0
shadowMax: 99999
shadowWarning: 7


Use the ldapadd command with the above file to create the user “aman” in the OpenLDAP directory.

ldapadd -x -W -D "cn=ldapadm,dc=openpath,dc=local" -f aman.ldif

Enter LDAP Password:
adding new entry "uid=aman,ou=People,dc=openpath,dc=local"

Assign a password to the user.

ldappasswd -s redhat@123 -W -D "cn=ldapadm,dc=openpath,dc=local" -x "uid=aman,ou=People,dc=openpath,dc=local"

Where,
-s the new password for the user. Passed on the command line it ends up in the shell history and is visible in ps while the command runs; prefer -S, which prompts for it.
-x use simple authentication; the final argument is the DN of the user whose password is changed.
-D Distinguished Name used to authenticate to the LDAP server (-W prompts for its password).
The server stores the password hashed with its default scheme ({SSHA}), as the search output below shows.
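The entry above is created with a placeholder password and given a real one in a second step whose value sits on the command line; its uidNumber was chosen by hand, and gidNumber 100 points at a group that exists only in /etc/group on each client. The script below is an added example, not part of the original tutorial: it computes the next free uidNumber from the directory (never below 1000, so an LDAP user cannot shadow a local system account), creates a private posixGroup under ou=Group with the same number, and adds the user with an {SSHA} hash obtained interactively from slappasswd, so no plaintext password reaches the shell history or ps. The suffix, OUs and admin DN are this page's; NEW_USER and NEW_GECOS are hypothetical environment variables used to drive it.

```shell
#!/bin/sh
# Added example (not from the original tutorial): provision a POSIX user plus
# a private group in one ldapadd, with the password hash set at creation so
# no plaintext ever appears on a command line. Assumes this page's suffix,
# OUs and admin DN; NEW_USER / NEW_GECOS are hypothetical inputs.
set -eu

SUFFIX="dc=openpath,dc=local"
ADMIN_DN="cn=ldapadm,${SUFFIX}"
UID_FLOOR=1000   # CentOS 7 reserves lower numbers for system accounts

# Read uidNumber values (one per line) on stdin and print the next free one,
# never below the floor given as $1, so an LDAP user cannot shadow a local
# system account. Blank lines and non-numeric junk are ignored.
next_uid() {
  floor=$1
  max=$((floor - 1))
  while read -r n; do
    case "$n" in ''|*[!0-9]*) continue ;; esac
    if [ "$n" -gt "$max" ]; then max=$n; fi
  done
  echo $((max + 1))
}

# Private posixGroup: the gid equals the user's uid, like useradd's default.
group_ldif() {   # $1 name, $2 gid
  cat <<EOF
dn: cn=$1,ou=Group,${SUFFIX}
objectClass: top
objectClass: posixGroup
cn: $1
gidNumber: $2
memberUid: $1

EOF
}

# The user entry; $3 must be a hash from slappasswd, never a plaintext.
# shadowLastChange is today's day number (days since the epoch), as shadow(5) expects.
user_ldif() {    # $1 name, $2 uid, $3 {SSHA} hash, $4 gecos
  cat <<EOF
dn: uid=$1,ou=People,${SUFFIX}
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: $1
uid: $1
uidNumber: $2
gidNumber: $2
homeDirectory: /home/$1
loginShell: /bin/bash
gecos: $4
userPassword: $3
shadowLastChange: $(( $(date +%s) / 86400 ))
shadowMin: 0
shadowMax: 99999
shadowWarning: 7

EOF
}

# Live run, only when a username is supplied and the LDAP tools exist:
#   NEW_USER=raj NEW_GECOS="Raj Example" sh newuser.sh
if [ -n "${NEW_USER:-}" ] && command -v ldapadd >/dev/null 2>&1; then
  uid=$(ldapsearch -x -LLL -b "ou=People,${SUFFIX}" uidNumber \
        | sed -n 's/^uidNumber: //p' | next_uid "$UID_FLOOR")
  hash=$(slappasswd)          # prompts twice on the terminal, prints {SSHA}...
  { group_ldif "$NEW_USER" "$uid"
    user_ldif "$NEW_USER" "$uid" "$hash" "${NEW_GECOS:-$NEW_USER}"
  } | ldapadd -x -W -D "$ADMIN_DN"
  echo "created uid=$NEW_USER with uidNumber/gidNumber $uid"
fi
```

Because the group lives in LDAP, `id` on a client resolves it through nslcd instead of depending on a matching line in the client's /etc/group.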

Verify the LDAP entry with an anonymous search (-x without -D). Note that the result includes the userPassword hash: the user database has no olcAccess rules of its own yet, so OpenLDAP's default of read access for everyone applies, and any host that can reach port 389 can harvest every hash.
[root@server slapd.d]# ldapsearch -x cn=aman -b dc=openpath,dc=local
# extended LDIF
#
# LDAPv3
# base <dc=openpath,dc=local> with scope subtree
# filter: cn=aman
# requesting: ALL
#

# aman, People, openpath.local
dn: uid=aman,ou=People,dc=openpath,dc=local
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: aman
uid: aman
uidNumber: 520
gidNumber: 100
homeDirectory: /home/aman
loginShell: /bin/bash
gecos: Aman [Admin (at) openpath]
shadowLastChange: 17058
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
userPassword:: e1NTSEF9ZjduU2x4V0Q3OS9kSUoxNFRzYUVpak5uTUp4bk1LNjU=

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
[root@server slapd.d]#
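The anonymous search above returned the userPassword hash. On a fresh CentOS 7 install olcDatabase={2}hdb carries no olcAccess rules, so OpenLDAP's built-in default (read access for everyone) applies to the whole tree, and anyone who can reach port 389 can dump every hash and crack it offline. The script below is an added example, not part of the original tutorial: it installs an ACL on the user database that hides userPassword and shadowLastChange from everyone except the entry's owner and the admin while still allowing binds, leaves the rest of the tree readable (the client's nslcd, as configured in this tutorial, binds anonymously), and then re-runs the anonymous search to confirm the hash is gone. It deliberately grants users no write access to their own entry beyond the password: a posixAccount user who can change their own uidNumber, gidNumber or loginShell becomes root on every client that trusts the directory. The suffix and admin DN are the ones used on this page.

```shell
#!/bin/sh
# Added example (not from the original tutorial): install an ACL on the
# {2}hdb database so password hashes stop being world-readable, then prove
# it with an anonymous search. Assumes the suffix/RootDN used on this page.
set -eu

SUFFIX="dc=openpath,dc=local"
ADMIN_DN="cn=ldapadm,${SUFFIX}"

# LDIF that sets the complete olcAccess list for the user database.
# Rules are tried in order and the first "to" clause matching the target
# wins, so the password attributes come before the catch-all.
# Lines starting with one space are LDIF continuation lines.
# The RootDN bypasses ACLs anyway; naming it documents intent and keeps
# working if the admin is later moved off the RootDN.
# No "by self write" on the catch-all: uidNumber/gidNumber/loginShell are
# trusted by every client, so a user must not be able to edit them.
acl_ldif() {
  cat <<EOF
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by dn.exact="${ADMIN_DN}" write
  by self write
  by anonymous auth
  by * none
olcAccess: {1}to *
  by dn.exact="${ADMIN_DN}" write
  by * read
EOF
}

# Exit 0 when the LDIF on stdin contains no userPassword attribute.
password_hidden() {
  ! grep -q '^userPassword:'
}

if command -v ldapmodify >/dev/null 2>&1; then
  acl_ldif | ldapmodify -Y EXTERNAL -H ldapi:///
  # Anonymous simple bind: the entry must still be visible (nslcd on the
  # client binds anonymously), but the hash must be gone.
  ldapsearch -x -LLL -b "${SUFFIX}" uid=aman | password_hidden \
    && echo "OK: userPassword is no longer readable anonymously" \
    || { echo "FAIL: userPassword still exposed"; exit 1; }
  # The user can still authenticate, which is what "by anonymous auth" allows.
  ldapwhoami -x -D "uid=aman,ou=People,${SUFFIX}" -W
else
  acl_ldif      # no server here: show the LDIF that would be applied
fi
```

If you later configure nslcd with a dedicated bind DN, the catch-all can be tightened further to `by users read by * none`, at which point anonymous clients see nothing at all.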

To delete an entry from the directory (optional):

ldapdelete -W -D "cn=ldapadm,dc=openpath,dc=local" "uid=aman,ou=People,dc=openpath,dc=local"

Firewall

Allow the LDAP service through firewalld (tcp/389). If you enable the ldaps listener (tcp/636), add the ldaps service as well.

firewall-cmd --permanent --add-service=ldap
firewall-cmd --reload

Enable LDAP logging

Configure rsyslog to write slapd's messages to /var/log/ldap.log. slapd logs to the local4 syslog facility by default; how much it logs is controlled by olcLogLevel in cn=config (stats, which records connections, operations and results, is a common choice for a login server).

vi /etc/rsyslog.conf

Add the line below to /etc/rsyslog.conf, then restart rsyslog.

local4.* /var/log/ldap.log

LDAP client configuration to use LDAP Server

Install the necessary LDAP client packages on the client machine.

# yum install -y openldap-clients nss-pam-ldapd

Run authconfig to configure NSS (nslcd) and PAM on the client to use the LDAP server. Replace “192.168.0.237” with your LDAP server’s IP address or hostname. As written, this talks to the server over plain ldap:// on port 389, so every bind password crosses the network in clear text; once TLS is enabled on the server, add --enableldaptls and point --ldaploadcacert at the server certificate (or place the certificate in /etc/openldap/cacerts) so that the connection is encrypted and the certificate is verified.

 

# authconfig --enableldap --enableldapauth --ldapserver=192.168.0.237 --ldapbasedn="dc=openpath,dc=local" --enablemkhomedir --update

Restart the LDAP client daemon (nslcd) so that it picks up the new configuration. On the CentOS 6.5 client used in this setup the command is service nslcd restart; on a CentOS 7 client:

# systemctl restart  nslcd

Verify LDAP Login


[root@server ~]# getent passwd aman
aman:x:520:100:Aman [Admin (at) openpath]:/home/aman:/bin/bash

Now try to log in on the client as user aman with the password set above. If the login succeeds, your LDAP server is working; otherwise check /var/log/secure on the client and /var/log/ldap.log on the server for the error.
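As configured by the authconfig command above, nslcd talks to the server over ldap:// on port 389 without TLS, so every user's password crosses the network in the clear at login. The script below is an added example, not part of the original tutorial: it reads /etc/nslcd.conf and reports a plaintext transport or a disabled certificate check, then exercises the client end to end: an NSS lookup through nslcd, group resolution with id, and a bind as the user over StartTLS with ldapwhoami, which proves both the stored password and the server's TLS setup. It assumes the names used on this page and that the server certificate has been copied to the client as /etc/openldap/cacerts/openpathldapcert.pem (an assumed path); the sample configurations in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the original tutorial): audit the client's
# nslcd.conf for a plaintext transport and verify LDAP login end to end.
# Assumes this page's names; the CA path below is an assumption.
set -eu

LDAP_USER=aman
SUFFIX="dc=openpath,dc=local"
SERVER=server.openpath.local
CACERT=/etc/openldap/cacerts/openpathldapcert.pem   # assumed location on the client

# Read an nslcd.conf on stdin and print one finding per line; prints nothing
# when the transport is encrypted and the server certificate is verified.
# ldap:// needs "ssl start_tls"; ldaps:// is encrypted on its own.
# tls_reqcert is assumed to be "demand" (the libldap default) when unset.
nslcd_findings() {
  uri_plain=0 ssl_mode=off reqcert=demand
  while read -r key value || [ -n "$key" ]; do
    case "$key" in
      '#'*|'') continue ;;
      uri) case "$value" in ldap://*) uri_plain=1 ;; esac ;;
      ssl) ssl_mode=$value ;;
      tls_reqcert) reqcert=$value ;;
    esac
  done
  if [ "$uri_plain" -eq 1 ] && [ "$ssl_mode" != start_tls ]; then
    echo "uri is ldap:// and ssl is '$ssl_mode': bind passwords cross the network in clear text"
  fi
  case "$reqcert" in
    never|allow) echo "tls_reqcert $reqcert: server certificate not verified, the connection can be intercepted" ;;
  esac
}

# Live checks, only on a host that has actually been configured as a client.
if [ -r /etc/nslcd.conf ]; then
  findings=$(nslcd_findings < /etc/nslcd.conf)
  [ -z "$findings" ] || printf 'WARNING: %s\n' "$findings"
  getent passwd "$LDAP_USER"     # NSS lookup answered by nslcd
  id "$LDAP_USER"                # primary and supplementary groups resolve too
  # Bind as the user with StartTLS forced (-ZZ fails if TLS cannot be set up):
  # proves the stored password, the "by anonymous auth" ACL and the server cert.
  LDAPTLS_CACERT="$CACERT" ldapwhoami -x -ZZ -H "ldap://$SERVER" \
      -D "uid=${LDAP_USER},ou=People,${SUFFIX}" -W
fi
```

A successful ldapwhoami prints the user's DN; a failure before the password prompt points at TLS or the certificate, a failure after it at the stored password or the ACL on userPassword.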

