LDAP stands for “Lightweight Directory Access Protocol”. OpenLDAP is an open-source implementation of LDAP developed by the OpenLDAP Project. As part of its LDAP functionality, it can authenticate a connection using a username and password.
The OpenLDAP suite can be broken up into four components:
- Servers: Provide LDAP services
- Clients: Manipulate LDAP data
- Utilities: Support LDAP servers
- Libraries: provide programming interfaces to LDAP
If you are new to OpenLDAP, I would also recommend reading the Basics OpenLDAP Tutorial for Beginners.
Prepare Lab Environment
This is my environment where I will be performing the demonstration:
NAME="Rocky Linux"
VERSION="9.4 (Blue Onyx)"
ID="rocky"
ID_LIKE="rhel centos fedora"
VERSION_ID="9.4"
PLATFORM_ID="platform:el9"
PRETTY_NAME="Rocky Linux 9.4 (Blue Onyx)"
ANSI_COLOR="0;32"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:rocky:rocky:9::baseos"
HOME_URL="https://rockylinux.org/"
BUG_REPORT_URL="https://bugs.rockylinux.org/"
SUPPORT_END="2032-05-31"
ROCKY_SUPPORT_PRODUCT="Rocky-Linux-9"
ROCKY_SUPPORT_PRODUCT_VERSION="9.4"
REDHAT_SUPPORT_PRODUCT="Rocky Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="9.4"
I will be using the same VM as OpenLDAP server as well as client. I have updated my /etc/hosts so that I can use an FQDN to connect to OpenLDAP server instead of IP Address.
10.10.1.17 server server.example.com
Here 10.10.1.17 is my LDAP server IP. This step is optional and can be skipped if you prefer to use the IP address directly for LDAP communication instead of an FQDN.
Step 1: Update Your System
Start by updating your system to ensure all existing packages are up to date:
sudo dnf update -y
Step 2: Install OpenLDAP Packages
Install the OpenLDAP server, client, and necessary utilities:
sudo dnf config-manager --set-enabled plus
sudo dnf install openldap openldap-servers openldap-clients -y
You need to install openldap-servers from the Plus repo, which is disabled by default.
Post installation I have following packages:
openldap-2.6.6-3.el9.x86_64
openldap-devel-2.6.6-3.el9.x86_64
openldap-servers-2.6.6-3.el9.x86_64
openldap-clients-2.6.6-3.el9.x86_64
Step 3: Enable and Start the LDAP Service
Enable and start the slapd service:
sudo systemctl enable slapd --now
Verify that the service is running:
sudo systemctl status slapd
Step 4: Configure OpenLDAP
Generate a hashed password for the LDAP administrator:
slappasswd
Enter a secure password when prompted and save the output.
Before modifying the database configuration, it's crucial to check the existing database backends. Use the following command to list the current databases:
sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config dn
This will provide a list of databases. Look for olcDatabase entries.
Create an LDIF file db.ldif to configure the domain and admin credentials. Add the following content, adjusting dc=example,dc=com and YourHashedPasswordHere:
dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=example,dc=com

dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=admin,dc=example,dc=com

dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: YourHashedPasswordHere
Apply the configuration:
sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f db.ldif
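As an added example (not part of the original article), the following POSIX shell function generates the same cn=config modification as db.ldif, using the "-" separator so the three changes go into a single ldapmodify entry. Before printing anything it refuses a cleartext olcRootPW (the value must look like slappasswd output) and checks that the rootDN lies under the suffix; the function names, the {2}mdb database index from the article and the sample hash value in the usage call are assumptions.

```shell
#!/bin/sh
# Added example: build the olcDatabase={2}mdb modify LDIF for ldapmodify.
# Function names are assumptions; the database index {2} matches the article.

# is_hashed_password VALUE -> 0 if VALUE carries a slappasswd hash scheme prefix, else 1.
# A cleartext olcRootPW would be stored (and readable) as-is in cn=config, so reject it.
is_hashed_password() {
    case "$1" in
        '{SSHA}'*|'{SHA}'*|'{SMD5}'*|'{MD5}'*|'{CRYPT}'*|'{ARGON2}'*|'{PBKDF2-SHA512}'*) return 0 ;;
        *) return 1 ;;
    esac
}

# make_db_ldif SUFFIX ROOTDN HASHED_PW -> prints one ldapmodify entry to stdout.
# Returns 1 (and prints nothing) when the password is not hashed or the rootDN
# is outside the suffix.
make_db_ldif() {
    suffix=$1
    rootdn=$2
    pw=$3
    if ! is_hashed_password "$pw"; then
        echo "refusing to write cleartext olcRootPW; generate the value with slappasswd" >&2
        return 1
    fi
    case "$rootdn" in
        *"$suffix") ;;
        *) echo "rootDN $rootdn is not under suffix $suffix" >&2; return 1 ;;
    esac
    # Three replace operations on one entry, separated by "-" lines.
    printf '%s\n' \
        "dn: olcDatabase={2}mdb,cn=config" \
        "changetype: modify" \
        "replace: olcSuffix" \
        "olcSuffix: $suffix" \
        "-" \
        "replace: olcRootDN" \
        "olcRootDN: $rootdn" \
        "-" \
        "replace: olcRootPW" \
        "olcRootPW: $pw"
}

# Usage: the hash below is a constructed placeholder; substitute real slappasswd output.
# make_db_ldif "dc=example,dc=com" "cn=admin,dc=example,dc=com" '{SSHA}constructedhash' > db.ldif
```

Writing the output to db.ldif and applying it with the ldapmodify command above gives the same result as the three-entry file; the single-entry form simply fails or succeeds as a unit.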
Step 5: Add Basic Schemas
Add the necessary schemas to the LDAP directory:
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
To verify that the schemas were applied, you can use the ldapsearch command to query the LDAP server for the loaded schemas.
sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config dn
Step 6: Add Base and Organizational Units
To check existing OUs, use the following command:
sudo ldapsearch -x -LLL -b dc=example,dc=com "(objectClass=organizationalUnit)" dn
Since this is a new installation, no OUs are configured yet, and the search returns:
No such object (32)
First let's create and add a base DN. Create add-base.ldif and add the following content:
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: Example Organization
dc: example
Add the base DN:
sudo ldapadd -x -D "cn=admin,dc=example,dc=com" -W -f add-base.ldif
Create another LDIF file ou.ldif to define organizational units. The two entries are separated by a blank line (the "-" separator is only used between changes to a single entry in ldapmodify):
dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=example,dc=com
objectClass: organizationalUnit
ou: groups
Apply the organizational units configuration:
ldapadd -x -D "cn=admin,dc=example,dc=com" -W -f ou.ldif
To verify the new OUs were added to the LDAP directory, you can use a similar ldapsearch command:
sudo ldapsearch -x -LLL -b dc=example,dc=com "(ou=*)" dn
Step 7: Managing User Accounts
Add New Users and Groups
Create an LDIF file new_user.ldif to create a new user. Add the following content (the uid attribute must be present in the entry because it is the naming attribute of the DN and is required by posixAccount):
dn: uid=jdoe,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
cn: John Doe
sn: Doe
uid: jdoe
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/jdoe
loginShell: /bin/bash
mail: jdoe@example.com
userPassword: {SSHA}YourHashedPasswordHere
Apply the changes:
sudo ldapadd -x -D cn=admin,dc=example,dc=com -W -f new_user.ldif
Verify the changes:
sudo ldapsearch -x -LLL -b dc=example,dc=com "(uid=jdoe)"
Create an LDIF file new_group.ldif to create a new group. Add the following content:
dn: cn=developers,ou=groups,dc=example,dc=com
objectClass: top
objectClass: posixGroup
cn: developers
gidNumber: 1001
Apply the changes:
sudo ldapadd -x -D cn=admin,dc=example,dc=com -W -f new_group.ldif
Verify the changes:
sudo ldapsearch -x -LLL -b dc=example,dc=com "(cn=developers)"
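When more than one or two accounts have to be created, writing each new_user.ldif by hand does not scale. The following shell function is an added example (not part of the article) that turns passwd-style records into the same inetOrgPerson/posixAccount entries shown above, one per user and separated by blank lines so the whole output can be fed to a single ldapadd -f. It rejects malformed records, uidNumber values below 1000 (the system range) and duplicate uidNumber values, so a bad input file is caught before anything reaches the directory. The function name, the record format, the BASE_DN default and the constructed sample records are assumptions.

```shell
#!/bin/sh
# Added example: generate user LDIF entries from "uid:cn:sn:uidNumber:gidNumber:shell" records.
# Names, record format and sample data are assumptions, not the article's own code.
BASE_DN="dc=example,dc=com"

# Constructed sample input in the assumed record format.
SAMPLE_USERS='jdoe:John Doe:Doe:1001:1001:/bin/bash
asmith:Alice Smith:Smith:1002:1001:/bin/bash'

# passwd_to_ldif: reads records on stdin, prints one LDIF entry per user.
# Exit status is 1 if any record was rejected (the good entries are still printed,
# so check the status before applying the output).
passwd_to_ldif() {
    awk -F: -v base="$BASE_DN" '
    NF != 6 { printf "line %d: expected 6 fields, got %d\n", NR, NF > "/dev/stderr"; bad = 1; next }
    $4 < 1000 { printf "line %d: uidNumber %s for %s is in the system range\n", NR, $4, $1 > "/dev/stderr"; bad = 1; next }
    seen[$4]++ { printf "line %d: duplicate uidNumber %s (%s)\n", NR, $4, $1 > "/dev/stderr"; bad = 1; next }
    {
        if (n++) print ""          # blank line between entries
        print "dn: uid=" $1 ",ou=people," base
        print "objectClass: inetOrgPerson"
        print "objectClass: posixAccount"
        print "objectClass: top"
        print "cn: " $2
        print "sn: " $3
        print "uid: " $1
        print "uidNumber: " $4
        print "gidNumber: " $5
        print "homeDirectory: /home/" $1
        print "loginShell: " $6
    }
    END { exit bad }'
}

# Usage:
#   printf "%s\n" "$SAMPLE_USERS" | passwd_to_ldif > users.ldif && \
#       ldapadd -x -D cn=admin,dc=example,dc=com -W -f users.ldif
```

No userPassword is emitted on purpose: keeping password hashes out of the generated file means the LDIF can be reviewed and kept in version control, and each password is then set over the directory connection (for example with ldappasswd, or through a self-service flow) after the entry exists.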
Modify Users and Groups
Create an LDIF file modify_user.ldif to modify a user. Add the modifications, for example, changing the user's shell:
dn: uid=jdoe,ou=people,dc=example,dc=com
changetype: modify
replace: loginShell
loginShell: /bin/zsh
Apply the changes:
sudo ldapmodify -x -D cn=admin,dc=example,dc=com -W -f modify_user.ldif
Verify the changes:
sudo ldapsearch -x -LLL -b dc=example,dc=com "(uid=jdoe)"
Create an LDIF file modify_group.ldif to modify a group. Add the modifications, for example, adding a member:
dn: cn=developers,ou=groups,dc=example,dc=com
changetype: modify
add: memberUid
memberUid: jdoe
Apply the changes:
sudo ldapmodify -x -D cn=admin,dc=example,dc=com -W -f modify_group.ldif
Verify the changes:
sudo ldapsearch -x -LLL -b dc=example,dc=com "(cn=developers)"
Delete Users and Groups
Create an LDIF file delete_user.ldif to delete a user. Add the following content:
dn: uid=jdoe,ou=people,dc=example,dc=com
changetype: delete
Apply the changes. This LDIF file can be applied with ldapmodify -f delete_user.ldif; the ldapdelete command shown here takes the DN directly on the command line and does not read the file:
sudo ldapdelete -x -D cn=admin,dc=example,dc=com -W uid=jdoe,ou=people,dc=example,dc=com
Verify the changes:
sudo ldapsearch -x -LLL -b dc=example,dc=com "(uid=jdoe)"
You should see an empty response.
Create an LDIF file delete_group.ldif to delete a group. Add the following content:
dn: cn=developers,ou=groups,dc=example,dc=com
changetype: delete
Apply the changes, either with ldapmodify -f delete_group.ldif or, as here, with ldapdelete and the DN on the command line:
sudo ldapdelete -x -D cn=admin,dc=example,dc=com -W cn=developers,ou=groups,dc=example,dc=com
Verify the changes:
sudo ldapsearch -x -LLL -b dc=example,dc=com "(cn=developers)"
You should not get any response for this, as the group has been deleted.
In this tutorial, we covered the steps to install and configure OpenLDAP on Rocky Linux 9. We began with updating the system and installing the necessary OpenLDAP packages. After ensuring the LDAP service was enabled and running, we configured OpenLDAP by generating a hashed admin password and creating a configuration file that sets the suffix, the root DN and the hashed password, then applied it to the LDAP server. We verified the applied schemas and organizational units to ensure the setup was correct. Finally, we covered adding, modifying, and deleting users and groups within the LDAP directory. This setup provides a solid foundation for centralized user and group management.
For more detailed instructions and further information, you can refer to the Official OpenLDAP Admin Guide.
Thanks christophe it helped me.
The openldap-servers package actually requires the PowerTools repository to be enabled.
I posted a lengthy question but the page asked to confirm my humanity then said page moved…
Anyway, long story short, rfc2307bis.schema/rfc2307bis.ldif supposedly should work, but I can’t get them to do so in Centos Rocky Linux 8. If you’re able to get it working, please let me know. I’ll post back if I find a solution. Thanks!
Sample from the schema file which I obtained from github:
So far it seems I didn’t need that rfc b’i’s anyway. groupOfNames seems to work just as well. The only difference is the member attribute is required and you have to use samba group attributes to get the gidNumber attribute.
Also, so far as I can see, the yum obtained slapd’s ldif procedure doesn’t work:
Procedure may work for openldap.org tar ball version. I don’t know, I couldn’t try it because wiredtiger was a req that I was having trouble finding. I digress.
Hopefully this saves someone some trouble down the line. My resolution was to create my own ldif file (skipped the slapcat from schema file process). It’s nearly identical to NIS, so I trimmed out all of the duplicate attributes/classes and was able to import this with ldapadd:
trying this out on rocky linux
My question is that the migrationtools previously on rhel7 no longer exist on rhel8 (or rocky).
How are others doing this?
To move/create an ldap account
I would assume, maybe because Red Hat stopped shipping openldap-servers in RHEL 8 and the same was followed by CentOS and Rocky Linux due to the same code base. But the openldap-server package is still available through open source, so there should be a migration tool also available.
Let me search more on this and if this is possible then I will write an article on this topic
Thank you for this article. It’s really well written and helpful. However, as I run through it, I’m getting an error when Adding the TLS cert.
Below is my updateSSSL.ldif file
Can you help me figure out why I’m getting this error when the example doesn’t?
Thank you
There was one minor typo, We have to use
Earlier it was
chmod
. Please let me know if it still fails. I have also updated the section to configure TLS with more details and output.
I see you are not adding CA certificate and instead using self signed. You can also try to create your own CA and then use that CA to sign the certs instead of self signed. I have provided all the relevant links to follow.
Thank you for your response. I noticed that and resolved that myself.
However, I’m getting a connection error when connecting with -ZZ. With only 1 Z (-Z), it works because it fails back to non-encrypted connection. I’m using a self-signed cert with no CA cert, but it should still work, right?
I am yet to verify connection using self signed certificate so can’t help at the moment.
For anyone who is getting the same error, here is another article with step by step instructions to configure openldap over SSL/TLS using either self-signed certificate or RootCA signed certificate