Install and Configure OpenLDAP directory service – Overview
LDAP stands for “Lightweight Directory Access Protocol”. OpenLDAP is an open-source implementation of LDAP developed by the OpenLDAP Project. Through the LDAP bind operation a directory server can authenticate a connection with a distinguished name (user name) and password, which is what makes it usable as a central account store.
The OpenLDAP suite can be broken up into four components:
- Servers: Provide LDAP services
- Clients: Manipulate LDAP data
- Utilities: Support LDAP servers
- Libraries: Provide programming interfaces to LDAP
If you are a beginner, please refer to the below links to know more about LDAP:
Basics LDAP Tutorial for Beginners – Understanding Terminologies & Usage
Basic LDAP Concepts
Step-1: Lab Environment and Prerequisites
1.1: Install Rocky Linux 8
I have created two virtual machines using Oracle VirtualBox with Rocky Linux 8. Here are my server OS and kernel details:
1.2: Update /etc/hosts
To install and configure the LDAP server and client, we need two virtual or physical servers connected over a LAN or WAN. If you do not have a BIND DNS server, add the IP details of both the LDAP server and the client to /etc/hosts. Do not worry about the domain names for testing purposes. Here 192.168.1.3 is the IP of our LDAP server VM and 192.168.1.4 is the LDAP client.
# vi /etc/hosts
192.168.1.3 ldapmaster.example.com
192.168.1.4 ldapclient.example.com
In this tutorial I use the domain example.com. Change it to your own domain in a production environment by replacing the dc=example,dc=com components in every DN. The .ldif file names used in the tutorial are arbitrary; use whatever names you like, and create the LDIF files with your favourite editor.
1.3: Update the system and enable the repo
The Rocky Linux 8 base repositories do not contain the openldap-servers package. You will get the following error if none of the enabled repositories provide it:
[root@ldapmaster ~]# dnf -y install openldap-servers openldap-clients
Last metadata expiration check: 0:04:15 ago on Thursday 05 August 2021 02:45:28 AM EDT.
No match for argument: openldap-servers
Error: Unable to find a match: openldap-servers
You need to install openldap-servers from the Plus repository, which is disabled by default. Run the following commands to update the system and enable the ‘Rocky Linux 8 plus’ repository:
[root@ldapmaster ~]# dnf update
[root@ldapmaster ~]# dnf config-manager --set-enabled plus
[root@ldapmaster ~]# dnf clean all
dnf clean all removes the cache files generated from the repository metadata, so the next dnf run re-reads the newly enabled repository. We use the DNF package manager throughout for installing packages.
1.4: Install OpenLDAP packages on Rocky Linux 8
The following packages are required for the ldap master server.
[root@ldapmaster ~]# dnf -y install openldap-servers openldap-clients
Once installed, confirm the packages are present on the server:
[root@ldapmaster ~]# rpm -qa | grep ldap
The screenshot below shows the list when all the required packages are installed.
Prepare the database template DB_CONFIG and enable the slapd service so it starts automatically after every reboot. Note that this build of OpenLDAP uses the mdb backend by default (the entry we modify later is olcDatabase={2}mdb); DB_CONFIG is read only by the older Berkeley DB (bdb/hdb) backends, so copying it is harmless but not required.
[root@ldapmaster ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@ldapmaster ~]# chown ldap. /var/lib/ldap/DB_CONFIG
[root@ldapmaster ~]# systemctl enable --now slapd
[root@ldapmaster ~]# systemctl restart slapd
Yay! The LDAP server is installed and running. You will see that in the below image.
[root@ldapmaster ~]# systemctl status slapd
Sample Output:
Step-2: Configure SLAPD Server
Following are some of the common LDAP attributes used across this tutorial inside the .ldif files.
- cn - Common Name
- o - Organization
- ou - Organizational Unit
- sn - Surname (last name)
- dc - Domain Component (a DC usually comes as two entries, dc=example,dc=com; note that dc=example.com is wrong)
- dn - Distinguished Name
2.1: Generate admin password using slappasswd
slappasswd is the password utility used to generate a password value suitable for use with ldapadd or ldapmodify. It produces a hash of the password, not the password itself. The value starts with {SSHA}, the salted SHA-1 scheme: a one-way digest computed over the password and a random salt, not a reversible “encrypted” form, so the directory never stores the clear-text password. You can generate the hash simply by running slappasswd as below:
[root@ldapmaster ~]# slappasswd
New password:
Re-enter new password:
{SSHA}XXXXXXXXXXXXXXXXXXXXXXXXXXXX
LDIF, the LDAP Data Interchange Format, is the text format used to describe directory entries and changes to them. The files are conventionally given the .ldif extension.
The olcRootPW directive specifies the password for the rootdn of a database. Here we set it for the configuration database, olcDatabase={0}config. Put the hash generated above in the olcRootPW line of a file named changerootpw.ldif with the following contents:
# changerootpw.ldif
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}XXXXXXXXXXXXXXXXXXXXXXXXXXXX
Run the below command to set the password of the configuration database's rootdn (cn=config by default) using the file changerootpw.ldif. This allows cn=config to be administered with a password bind as well as with the root-only SASL EXTERNAL mechanism over the ldapi:/// socket used here, so choose a strong password. If you need to run the command again, change add: to replace:, because olcRootPW is single-valued and a second add fails.
[root@ldapmaster ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f changerootpw.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={0}config,cn=config"
2.2: Import basic Schemas
OpenLDAP ships with a set of schema definitions for various purposes. An LDAP schema describes the data the directory may hold: attribute syntaxes, matching rules, attribute types and the object classes an entry may have. The schema files live under /etc/openldap/schema/. For now, we import only the basic required schemas: cosine.ldif, nis.ldif and inetorgperson.ldif. nis provides the posixAccount, posixGroup and shadowAccount classes and inetorgperson the inetOrgPerson class used for the user entries later; both depend on cosine, so keep this order.
[root@ldapmaster ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
[root@ldapmaster ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
[root@ldapmaster ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
Here is the output for the above commands :
2.3: Update your domain name on LDAP DB
In this stage, let’s set our domain name in the LDAP database. Create another LDIF file named setdomainname.ldif with the below contents. We are using the dummy domain name example.com; change it as per your needs. A domain component (DC) is usually written as two entries, dc=example,dc=com; writing it as dc=example.com is wrong. The file sets cn=Manager,dc=example,dc=com as the rootdn (the administrative DN) of the mdb database and stores its password hash in olcRootPW; the directory entry for Manager itself is created in the next step. Generate a new password hash with slappasswd as explained in the previous step and put it in the olcRootPW line (replace the existing value starting with {SSHA}). The olcAccess rules deserve a look: the {0} rule lets only the Manager write password attributes and lets anonymous clients use them for authentication only, while the {2} rule lets everyone else, including anonymous clients, read the rest of the tree. That is convenient for a lab but too open for many production directories.
# setdomainname.ldif
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=example,dc=com" read by * none

dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=example,dc=com

dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=example,dc=com

dn: olcDatabase={2}mdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}XXXXXXXXXXXXXXXXXXXXXXXXXXXX

dn: olcDatabase={2}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=Manager,dc=example,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=example,dc=com" write by * read
Now, let’s run ldapmodify using setdomainname.ldif:
[root@ldapmaster ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f setdomainname.ldif
Sample Output:
Upon successful execution, the configuration is updated. The configuration database itself lives under /etc/openldap/slapd.d (the directory data is in /var/lib/ldap); always change it through ldapmodify as above rather than editing the files directly, since slapd checks them for consistency. We can list the config database entries like below:
[root@ldapmaster ~]# ls -ld /etc/openldap/slapd.d/cn\=config/*
Sample Output:
2.4: Create Organizational Unit
Let us create the base entry, the Manager entry and two organizational units (OUs), People and Group. Add the below entries to a file called adddomain.ldif:
# vi adddomain.ldif
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectclass: organization
o: My example Organisation
dc: example

dn: cn=Manager,dc=example,dc=com
objectClass: organizationalRole
cn: Manager
description: OpenLDAP Manager

dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=example,dc=com
objectClass: organizationalUnit
ou: Group
Run the below command to import these entries into the directory server.
[root@ldapmaster ~]# ldapadd -x -D cn=Manager,dc=example,dc=com -W -f adddomain.ldif
Sample Output:
Step-3: Managing User accounts to the OpenLDAP Server
3.1: Add Users in LDAP Database
We can add users and groups to LDAP by creating an LDIF file addtestuser.ldif. The userPassword value is a hash generated with slappasswd as in step 2.1, never the clear-text password. The shadowLastChange: 0 and shadowMax: 0 values below are placeholders; clients that enforce shadow policy (for example pam_unix, or sssd with ldap_pwd_policy = shadow) may treat such a password as expired and force a change at first login, so use realistic values, or omit them, on a real directory.
# vi addtestuser.ldif
dn: uid=testuser,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: testuser
sn: temp
userPassword: {SSHA}XXXXXXXXXXXXXXXXXXXX
loginShell: /bin/bash
uidNumber: 2000
gidNumber: 2000
homeDirectory: /home/testuser
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0

dn: cn=testuser,ou=Group,dc=example,dc=com
objectClass: posixGroup
cn: testuser
gidNumber: 2000
memberUid: testuser
Import the entries from addtestuser.ldif with the ldapadd utility. You will be prompted for the LDAP Manager password.
[root@ldapmaster ~]# ldapadd -x -D cn=Manager,dc=example,dc=com -W -f addtestuser.ldif
Sample Output:
Check that the user ‘testuser’ is present. The search returns the user and group entries. Note that userPassword and shadowLastChange are missing from the output: the search is an anonymous bind (-x without -D), and the {0} ACL allows anonymous clients to use those attributes only for authentication, which is exactly what we want.
[root@ldapmaster ~]# ldapsearch -x cn=testuser -b dc=example,dc=com
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: cn=testuser
# requesting: ALL
#

# testuser, People, example.com
dn: uid=testuser,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: testuser
sn: temp
loginShell: /bin/bash
uidNumber: 2000
gidNumber: 2000
homeDirectory: /home/testuser
shadowMax: 0
shadowWarning: 0
uid: testuser

# testuser, Group, example.com
dn: cn=testuser,ou=Group,dc=example,dc=com
objectClass: posixGroup
cn: testuser
gidNumber: 2000
memberUid: testuser

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2
3.2: Delete user from LDAP database
We can remove a user or group from the LDAP server using ldapdelete. In the below example, I delete the user ‘testuser1’ and its group. You will be prompted for the LDAP Manager password.
[root@ldapmaster ~]# ldapdelete -x -W -D 'cn=Manager,dc=example,dc=com' "uid=testuser1,ou=People,dc=example,dc=com"
[root@ldapmaster ~]# ldapdelete -x -W -D 'cn=Manager,dc=example,dc=com' "cn=testuser1,ou=Group,dc=example,dc=com"
Here is the snippet for deletion of user testuser1 and I have confirmed that the user has been deleted.
Step-4: Test LDAP configurations
To test the LDAP configuration, use the slaptest command. If the output is config file testing succeeded, it is safe to restart the slapd service. If the test fails, troubleshoot the problem using the logs before restarting, because slapd will not start on a broken configuration.
[root@ldapmaster ~]# slaptest -u
config file testing succeeded
[root@ldapmaster ~]# systemctl restart slapd
We can check whether the LDAP ports are listening with the netstat command (if netstat is not installed, ss -tunlp from iproute shows the same information). LDAP connections use port 389 and LDAPS uses port 636. LDAPS wraps the connection in TLS from the start, whereas StartTLS, used later in this tutorial, upgrades a plain port-389 connection; either way the traffic between LDAP clients and the server is encrypted.
[root@ldapmaster ~]# netstat -tunlp | grep slapd
It should show the output as shown in the below image
Step-5: Configure OpenLDAP with TLS certificates
5.1: Generate certificates
Please refer to the below URL for generating a self-signed certificate in Linux using OpenSSL
OpenSSL create self signed certificate Linux with example
I generated a CA certificate, used it to sign the server certificate, and placed the files in /etc/openldap/certs/:
~]# ls -l /etc/openldap/certs/
total 16
-rw-r--r--. 1 root root 2053 Aug 12 10:41 ca.cert.pem
-rw-r--r--. 1 root root 8162 Aug 12 10:39 ldap.example.com.crt
-rw-------. 1 root root 3243 Aug 12 10:39 ldap.example.com.key
Copy the certificates to a directory (/etc/openldap/certs/ in the example) and fix the ownership so that slapd, which runs as the ldap user, can read the private key. Keep the key mode at 0600 so nothing else on the host can read it.
[root@ldapmaster ~]# chown -R ldap:ldap /etc/openldap/certs/
The certificate's subject CN or subjectAltName must match the host name clients use to reach the server (ldapmaster.example.com in this lab); a mismatch makes verifying clients reject the connection even when they trust the CA.
5.2: Add Certificates to LDAP Server
Once the certificates are in place, create a file updateSSSL.ldif with the below contents to load them into the configuration. Make sure you specify the correct file names and absolute paths. If the server certificate is self-signed (there is no separate CA), you can leave out the olcTLSCACertificateFile attribute; on production servers, however, use a certificate issued by a trusted CA. Note that add: fails if cn=config already carries the attribute, whereas replace: works whether or not a value is present.
# vi updateSSSL.ldif
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/openldap/certs/ca.cert.pem
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/ldap.example.com.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/ldap.example.com.key
Run ldapmodify to load the TLS configuration:
[root@ldapmaster ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f updateSSSL.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
5.3: Enable TLS in SLAPD Configuration file
In Rocky Linux the ldaps:/// listener is configured by default, which you can verify in the /usr/lib/systemd/system/slapd.service file as shown below:
If this entry is missing, add it and then run
# systemctl daemon-reload
to activate the change. Files under /usr/lib/systemd/system are overwritten by package updates, so prefer a drop-in created with systemctl edit slapd (stored under /etc/systemd/system/slapd.service.d/) over editing the unit file directly.
Next update /etc/openldap/ldap.conf, the client-side configuration used by ldapsearch and the other command-line tools, and provide the path of the CA certificate so that clients can verify the server:
TLS_CACERT /etc/openldap/certs/ca.cert.pem
Restart the slapd service to activate the changes
[root@ldapmaster ~]# systemctl restart slapd
5.4: Test TLS connectivity
At this point, we can use ldapsearch to test a connection. To instruct a client to use StartTLS, we use the -Z flag. With a single -Z, if TLS negotiation with the server fails, the client continues the operation in clear text; in other words, with -Z TLS is preferred but not required. To make TLS mandatory, add a second Z, making it -ZZ, so the search is aborted instead of silently downgraded. With -ZZ the client must also be able to verify the server certificate; if it does not trust the CA that signed it (for example a self-signed server certificate with no matching TLS_CACERT), the search fails like this:
ldap_start_tls: Connect error (-11)
additional info: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (self signed certificate in certificate chain)
So if you are creating your own CA certificate, follow Create Certificate Authority and sign a certificate with Root CA to generate and sign the certificate properly. With the CA configured, the same search succeeds:
[root@ldapmaster ~]# ldapsearch -x -b dc=example,dc=com -ZZ
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# example.com
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: My example Organisation
dc: example

# Manager, example.com
dn: cn=Manager,dc=example,dc=com
objectClass: organizationalRole
cn: Manager
description: OpenLDAP Manager

# People, example.com
dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

# Group, example.com
dn: ou=Group,dc=example,dc=com
objectClass: organizationalUnit
ou: Group

# testuser, People, example.com
dn: uid=testuser,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: testuser
sn: temp
loginShell: /bin/bash
uidNumber: 2000
gidNumber: 2000
homeDirectory: /home/testuser
shadowMax: 0
shadowWarning: 0
uid: testuser

# testuser, Group, example.com
dn: cn=testuser,ou=Group,dc=example,dc=com
objectClass: posixGroup
cn: testuser
gidNumber: 2000
memberUid: testuser

# search result
search: 3
result: 0 Success

# numResponses: 7
# numEntries: 6
To make sure the request was served over TLS, watch the journal from another terminal while making the LDAP request. The StartTLS extended operation (OID 1.3.6.1.4.1.1466.20037) followed by "TLS established tls_ssf=256" shows the session was encrypted before the BIND and SRCH operations; the BIND with dn="" and method=128 is the anonymous simple bind that -x performs.
# journalctl -f
....
Aug 12 11:01:56 ldapmaster.example.com slapd[36256]: conn=1007 fd=15 ACCEPT from IP=[::1]:50990 (IP=[::]:389)
Aug 12 11:01:56 ldapmaster.example.com slapd[36256]: conn=1007 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Aug 12 11:01:56 ldapmaster.example.com slapd[36256]: conn=1007 op=0 STARTTLS
Aug 12 11:01:56 ldapmaster.example.com slapd[36256]: conn=1007 op=0 RESULT oid= err=0 text=
Aug 12 11:01:56 ldapmaster.example.com slapd[36256]: conn=1007 fd=15 TLS established tls_ssf=256 ssf=256
Aug 12 11:01:56 ldapmaster.example.com slapd[36256]: conn=1007 op=1 BIND dn="" method=128
Aug 12 11:01:56 ldapmaster.example.com slapd[36256]: conn=1007 op=1 RESULT tag=97 err=0 text=
Aug 12 11:01:56 ldapmaster.example.com slapd[36256]: conn=1007 op=2 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(objectClass=*)"
Aug 12 11:01:56 ldapmaster.example.com slapd[36256]: conn=1007 op=2 SEARCH RESULT tag=101 err=0 nentries=6 text=
Aug 12 11:01:56 ldapmaster.example.com slapd[36256]: conn=1007 op=3 UNBIND
Aug 12 11:01:56 ldapmaster.example.com slapd[36256]: conn=1007 fd=15 closed
...
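The same log lines can be checked mechanically rather than by eye. The following Python is an added example written for this article, not code from the original page or from OpenLDAP: it walks slapd's stats log, tracks for each connection whether TLS was established (by StartTLS or on the ldaps listener), and reports every simple bind with a DN that happened before TLS was up, which means a password crossed the wire in clear text. The log lines embedded in it are constructed for the example in the journal format shown above; only conn 1008 should be reported.

```python
import re
from typing import Dict, List, Tuple

# Constructed slapd stats log lines in the journal format shown above. They are
# made up for this example: conn 1007 uses StartTLS, conn 1010 arrives on 636
# (ldaps), conn 1009 is an anonymous bind, and conn 1008 is a simple bind with
# a password on the plain 389 listener, which is the one we want to catch.
SAMPLE_LOG = """\
Aug 12 11:01:56 ldapmaster slapd[36256]: conn=1007 fd=15 ACCEPT from IP=[::1]:50990 (IP=[::]:389)
Aug 12 11:01:56 ldapmaster slapd[36256]: conn=1007 op=0 STARTTLS
Aug 12 11:01:56 ldapmaster slapd[36256]: conn=1007 fd=15 TLS established tls_ssf=256 ssf=256
Aug 12 11:01:56 ldapmaster slapd[36256]: conn=1007 op=1 BIND dn="cn=Manager,dc=example,dc=com" method=128
Aug 12 11:01:56 ldapmaster slapd[36256]: conn=1007 op=1 RESULT tag=97 err=0 text=
Aug 12 11:02:10 ldapmaster slapd[36256]: conn=1008 fd=16 ACCEPT from IP=192.168.1.4:41022 (IP=0.0.0.0:389)
Aug 12 11:02:10 ldapmaster slapd[36256]: conn=1008 op=0 BIND dn="uid=testuser,ou=People,dc=example,dc=com" method=128
Aug 12 11:02:10 ldapmaster slapd[36256]: conn=1008 op=0 RESULT tag=97 err=0 text=
Aug 12 11:02:30 ldapmaster slapd[36256]: conn=1009 fd=17 ACCEPT from IP=192.168.1.4:41030 (IP=0.0.0.0:389)
Aug 12 11:02:30 ldapmaster slapd[36256]: conn=1009 op=0 BIND dn="" method=128
Aug 12 11:02:30 ldapmaster slapd[36256]: conn=1009 op=0 RESULT tag=97 err=0 text=
Aug 12 11:02:45 ldapmaster slapd[36256]: conn=1010 fd=18 ACCEPT from IP=192.168.1.4:51200 (IP=0.0.0.0:636)
Aug 12 11:02:45 ldapmaster slapd[36256]: conn=1010 fd=18 TLS established tls_ssf=256 ssf=256
Aug 12 11:02:45 ldapmaster slapd[36256]: conn=1010 op=0 BIND dn="uid=testuser,ou=People,dc=example,dc=com" method=128
Aug 12 11:02:45 ldapmaster slapd[36256]: conn=1010 op=0 RESULT tag=97 err=0 text=
"""

CONN_RE = re.compile(r"conn=(\d+) (.*)$")
ACCEPT_RE = re.compile(r"ACCEPT from IP=(\S+) \(IP=")
BIND_RE = re.compile(r'BIND dn="([^"]*)" method=(\d+)')
LDAP_AUTH_SIMPLE = 128  # method=128 is a simple bind: the password travels inside the LDAP message


def find_cleartext_binds(log_text: str) -> List[Tuple[int, str, str]]:
    """Return (conn, peer, dn) for every simple bind with a DN made before the
    connection had TLS, i.e. the password crossed the wire in clear text."""
    peer: Dict[int, str] = {}
    tls_up: Dict[int, bool] = {}
    findings: List[Tuple[int, str, str]] = []
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue
        conn, rest = int(m.group(1)), m.group(2)
        accept = ACCEPT_RE.search(rest)
        if accept:
            peer[conn] = accept.group(1)
            tls_up[conn] = False        # every connection starts without TLS
            continue
        if "TLS established" in rest:
            tls_up[conn] = True         # StartTLS completed, or the listener was ldaps://
            continue
        bind = BIND_RE.search(rest)
        if not bind:
            continue
        dn, method = bind.group(1), int(bind.group(2))
        # An anonymous bind (empty DN) carries no password, so it is not reported.
        if method == LDAP_AUTH_SIMPLE and dn and not tls_up.get(conn, False):
            findings.append((conn, peer.get(conn, "?"), dn))
    return findings


if __name__ == "__main__":
    for conn, peer, dn in find_cleartext_binds(SAMPLE_LOG):
        print(f"conn={conn} from {peer}: cleartext simple bind as {dn}")
```

To run it against a real server, replace SAMPLE_LOG with the text of journalctl -u slapd --no-pager; the stats log level used by the package default is what produces these ACCEPT, BIND and TLS established lines.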
Step-6: Update the firewall for remote access
Rocky Linux 8 has the firewalld application as its default firewall. We can enable the ldap and ldaps services as below.
[root@ldapmaster ~]# firewall-cmd --add-service={ldap,ldaps}
[root@ldapmaster ~]# firewall-cmd --runtime-to-permanent
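Now that the server is reachable from the LAN, it is worth revisiting what it exposes. The LDIF below is an added example, not part of the original article; it assumes the suffix and rootdn used throughout this tutorial (dc=example,dc=com and cn=Manager). It replaces the olcAccess rules from setdomainname.ldif so that only authenticated users (by users) can read the tree instead of anyone, and sets olcSecurity: simple_bind=128 so that slapd refuses simple binds that arrive without confidentiality (the StartTLS and LDAPS sessions above report ssf=256, so they pass). Caveats: the anonymous ldapsearch -x tests earlier in the tutorial will then return no entries, so bind with -D cn=Manager,dc=example,dc=com -W -ZZ instead; an LDAP client such as sssd needs a bind DN and password (its ldap_default_bind_dn and ldap_default_authtok options); and simple binds over ldapi:/// are refused as well, because the socket's olcLocalSSF defaults to 71, while the -Y EXTERNAL -H ldapi:/// administration used in this tutorial is a SASL bind and keeps working.

```ldif
# harden-mdb.ldif (added example; apply with: ldapmodify -Y EXTERNAL -H ldapi:/// -f harden-mdb.ldif)
dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by dn.exact="cn=Manager,dc=example,dc=com" write
  by anonymous auth
  by self write
  by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to *
  by dn.exact="cn=Manager,dc=example,dc=com" write
  by users read
  by * none
-
replace: olcSecurity
olcSecurity: simple_bind=128
```

Lines starting with a space are LDIF continuations, so each olcAccess value is still a single rule. The {1} rule keeps the root DSE readable so that clients can still discover the server's supported mechanisms before they bind.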
Step-7: Configure LDAP client on Rocky Linux 8
Before configuring the LDAP client, make sure you can reach the LDAP server: ping tests basic connectivity, and telnet to ports 389 and 636 confirms the LDAP ports are open through the firewall. Please refer to the article 9 commands to check if connected to internet with shell script examples.
The below snippet shows how I tested connections to the LDAP server from the LDAP client.
Once you confirm the LDAP connection is working, configure the LDAP client so that the directory accounts are available on your local network. You can refer to the article 8 simple steps to configure ldap client RHEL/CentOS 8.
Configuring the LDAP client on Rocky Linux 8 is the same as on RHEL/CentOS 8.
Summary
In this tutorial we covered the basics of OpenLDAP and the steps to install and configure an OpenLDAP server on Rocky Linux 8. We also configured the server with TLS certificates, created and added users to the directory, and learned how to delete a user from the LDAP database.
Thank you for this article. It’s really well written and helpful. However, as I run through it, I’m getting an error when Adding the TLS cert.
Below is my updateSSSL.ldif file
Can you help me figure out why I’m getting this error when the example doesn’t?
Thank you
There was one minor typo, We have to use
Earlier it was
chmod
. Please let me know if it still fails. I have also updated the section to configure TLS with more details and output.
I see you are not adding CA certificate and instead using self signed. You can also try to create your own CA and then use that CA to sign the certs instead of self signed. I have provided all the relevant links to follow.
Thank you for your response. I noticed that and resolved that myself.
However, I’m getting a connection error when connecting with -ZZ. With only 1 Z (-Z), it works because it fails back to non-encrypted connection. I’m using a self-signed cert with no CA cert, but it should still work, right?
I am yet to verify connection using self signed certificate so can’t help at the moment.
For anyone who is getting the same error, here is another article with step by step instructions to configure openldap over SSL/TLS using either self-signed certificate or RootCA signed certificate
trying this out on rocky linux
My question is the migrationtools previously on rhel7 no longer exist on rhel8 (or rocky)
How others doing this?
To move/create a ldap account
I would assume, maybe because Red Hat stopped shipping openldap-servers in RHEL 8 and the same was followed by CentOS and Rocky Linux due to the same code base. But the openldap-server package is still available through open source, so there should be a migration tool available also.
Let me search more on this and if this is possible then I will write an article on this topic
I posted a lengthy question but the page asked to confirm my humanity then said page moved…
Anyway, long story short, rfc2307bis.schema/rfc2307bis.ldif supposedly should work, but I can’t get them to do so in Centos Rocky Linux 8. If you’re able to get it working, please let me know. I’ll post back if I find a solution. Thanks!
Sample from the schema file which I obtained from github:
So far it seems I didn’t need that rfc b’i’s anyway. groupOfNames seems to work just as well. The only difference is the member attribute is required and you have to use samba group attributes to get the gidNumber attribute.
Also, so far as I can see, the yum obtained slapd’s ldif procedure doesn’t work:
Procedure may work for openldap.org tar ball version. I don’t know, I couldn’t try it because wiredtiger was a req that I was having trouble finding. I digress.
Hopefully this saves someone some trouble down the line. My resolution was to create my own ldif file (skipped the slapcat from schema file process). It’s nearly identical to NIS, so I trimmed out all of the duplicate attributes/classes and was able to import this with ldapadd:
The openldap-servers package actually requires the PowerTools repository to be enabled.
Thanks christophe it helped me.