Configure OpenLDAP on Rocky Linux 8 [Step-by-Step]

Install and Configure OpenLDAP directory service – Overview

LDAP stands for “Lightweight Directory Access Protocol”. OpenLDAP is an open-source implementation of the LDAP developed by the OpenLDAP Project. As part of LDAP function, it has the ability to authenticate a connection using a username and password.

The OpenLDAP suite can be broken up into four components:

• Servers: Provide LDAP services
• Clients: Manipulate LDAP data
• Utilities: Support LDAP servers
• Libraries: provide programming interfaces to LDAP

If you are a beginner, please refer to the below links to know more about LDAP:

Basics LDAP Tutorial for Beginners – Understanding Terminologies & Usage
Basic LDAP Concepts

Step-1: Lab Environment and Prerequisites

1.1: Install Rocky Linux 8

I have created two Virtual Machines using Oracle Virtual Box with Rocky Linux 8. Here are my Server OS and kernel details:

1.2: Update /etc/hosts

To install and configure LDAP server and client, we require 2 virtual or physical servers connected to LAN or WAN. If you do not have your BIND DNS Server then you can update your /etc/hosts file with the IP details of both LDAP Server and Client.

Do not worry about the domain names for testing purposes.  Here 192.168.1.3 is the IP of our LDAP Server VM and 192.168.1.4 is from LDAP Client.

# vi /etc/hosts

192.168.1.3 ldapmaster.example.com
192.168.1.4 ldapclient.example.com

In this tutorial, I have used the domain example.com. We need to change it to our own domain in the production environment. You can replace your own domain name for [dc=,dc=]section. The .ldif file names in the tutorial are custom. We can use any filenames as per our convenience. Use your favorite editor to create an LDIF format file.

1.3: Update the system and enable the repo

The Rocky Linux 8 base repositories do not have the openldap-servers package. You will end up getting the below error if the existing repositories do not have the packages.

[root@ldapmaster ~]# dnf -y install openldap-servers openldap-clients
Last metadata expiration check: 0:04:15 ago on Thursday 05 August 2021 02:45:28 AM EDT.
No match for argument: openldap-servers
Error: Unable to find a match: openldap-servers

Sample Output:

You need to install openldap-servers from the Plus repo, which is disabled by default. Run the following commands for system update and enable the ‘Rocky Linux 8 plus’ repository.

[root@ldapmaster ~]# dnf update
[root@ldapmaster ~]# dnf config-manager --set-enabled plus
[root@ldapmaster ~]# dnf clean all

dnf clean all removes cache files generated from the repository metadata. We have used the DNF  software package manager for installing packages.

1.4: Install OpenLDAP packages on Rocky Linux 8

The following packages are required for the ldap master server.

[root@ldapmaster ~]# dnf -y install openldap-servers openldap-clients

Once you have installed, confirm the packages are on the server

[root@ldapmaster ~]# rpm -qa | grep ldap

In the below snippet, it shows when all the required packages are installed.

Prepare the database template DB_CONFIG and enable slapd service to start the service automatically after every reboot.

[root@ldapmaster ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG 

[root@ldapmaster ~]# chown ldap. /var/lib/ldap/DB_CONFIG 

[root@ldapmaster ~]# systemctl enable --now slapd

[root@ldapmaster ~]# systemctl restart slapd

Yay! The LDAP server is installed and running. You will see that in the below image.

[root@ldapmaster ~]# systemctl status slapd

Sample Output:

Step-2: Configure SLAPD Server

Following are some of the common LDAP attributes used across this tutorial inside the .ldif files.

• cn - Common Name
• o - Organizational
• ou - Organizational Unit
• sn -Last Name
• dc - Domain Component(DC often comes with two entries dc=example,dc=com Please note that the dc=example.com is wrong)
• dn - Distinguished Name

2.1: Generate admin password using slappasswd

slappasswd is the password utility used to generate a user password value suitable for use with ldapadd or ldapmodify. The slappasswd utility generates a correct hash for the password that we want to use. The password hash starting with {SSHA}. This is an encrypted format of passwords. You can generate the password hash just by typing the command slappasswd like below:

[root@ldapmaster ~]# slappasswd
New password: 
Re-enter new password: 
{SSHA}XXXXXXXXXXXXXXXXXXXXXXXXXXXX

LDIF or LDAP Data Interchange Format is used to describe a directory and directory entries in text format in Directory Servers. The filenames are created with .ldif extention.

TheolcRootPW directive can be used to specify a password for the DN for the rootdn. Now let's update this password. Specify the password generated above in olcRootPW section of the below code.  Create a .ldif file changerootpw.ldif with the following contents.

# changerootpw.ldif

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}XXXXXXXXXXXXXXXXXXXXXXXXXXXX

Run the below command to modify the password of admin user using the above file changerootpw.ldif.

[root@ldapmaster ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f changerootpw.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={0}config,cn=config"

2.2: Import basic Schemas

OpenLDAP is distributed with a set of schema specifications for multiple purposes. LDAP Schemas are the information about the data on the directory server. Schemas include Attribute Syntaxes, Matching Rules, Attribute Types, types of objects that a directory may have. These schemas will be under the folder /etc/openldap/schema/. For now, we can import only the basic required schemas like cosine.ldif, nis.ldif, inetorgperson.ldif.

[root@ldapmaster ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
[root@ldapmaster ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif 
[root@ldapmaster ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

Here is the output for the above commands :

2.3: Update your domain name on LDAP DB

In this stage, let’s update our domain name on the LDAP DB. Create another LDIF file named setdomainname.ldif with the below contents. We are using a dummy domain name example.com. You can change it as per your needs.

DC or domain component often comes with two entries dc=example,dc=com. Please note that using it as dc=example.com is wrong. We are creating an LDAP admin user Manager in this file. You need to generate a new encrypted password using slappasswdas explained in the previous steps. Specify the newly generated password in the below file under olcRootPW section (Replace the existing one starting with {SSHA})

# setdomainname.ldif

dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
  read by dn.base="cn=Manager,dc=example,dc=com" read by * none

dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=example,dc=com

dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=example,dc=com

dn: olcDatabase={2}mdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}XXXXXXXXXXXXXXXXXXXXXXXXXXXX

dn: olcDatabase={2}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by
  dn="cn=Manager,dc=example,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=example,dc=com" write by * read

Now, let’s run ldapmodify using setdomainname.ldif

[root@ldapmaster ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f setdomainname.ldif

Sample Output:

It will update the configurations upon the successful execution of the above command. The databases are will be under the directory /etc/openldap/slapd.d. We can list config databases like below:

[root@ldapmaster ~]# ls -ld /etc/openldap/slapd.d/cn\=config/*

Sample Output:

2.4: Create Organizational Unit

Let us create some organizational unit (OU). Add the below entries in a file called adddomain.ldif

# vi adddomain.ldif

dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectclass: organization
o: My example Organisation
dc: example

dn: cn=Manager,dc=example,dc=com
objectClass: organizationalRole
cn: Manager
description: OpenLDAP Manager

dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=example,dc=com
objectClass: organizationalUnit
ou: Group

Run the below command to import these entries into the directory server.

[root@ldapmaster ~]# ldapadd -x -D cn=Manager,dc=example,dc=com -W -f adddomain.ldif

Sample Output:

Step-3: Managing User accounts to the OpenLDAP Server

3.1: Add Users in LDAP Database

We can add the users and groups to LDAP by creating an LDIF file addtestuser.ldif 

# vi addtestuser.ldif
dn: uid=testuser,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: testuser
sn: temp
userPassword: {SSHA}XXXXXXXXXXXXXXXXXXXX
loginShell: /bin/bash
uidNumber: 2000
gidNumber: 2000
homeDirectory: /home/testuser
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0

dn: cn=testuser,ou=Group,dc=example,dc=com
objectClass: posixGroup
cn: testuser
gidNumber: 2000
memberUid: testuser

Import the changes from the file addtestuser.ldif using ldapadd utility. You will be prompted to update the LDAP Manager password for adding the user.

[root@ldapmaster ~]# ldapadd -x -D cn=Manager,dc=example,dc=com -W -f addtestuser.ldif 

Sample Output:

Test the configurations if the user ‘testuser’ is present. It will show a long list of details about the user and groups.

[root@ldapmaster ~]# ldapsearch -x cn=testuser -b dc=example,dc=com
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: cn=testuser
# requesting: ALL
#

# testuser, People, example.com
dn: uid=testuser,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: testuser
sn: temp
loginShell: /bin/bash
uidNumber: 2000
gidNumber: 2000
homeDirectory: /home/testuser
shadowMax: 0
shadowWarning: 0
uid: testuser

# testuser, Group, example.com
dn: cn=testuser,ou=Group,dc=example,dc=com
objectClass: posixGroup
cn: testuser
gidNumber: 2000
memberUid: testuser

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

3.2: Delete user from LDAP database

We can remove an user or group from the LDAP server using ldapdelete In the below example, I have deleted the user ‘testuser1’. You will be prompted to update the LDAP Manager password for deletion.

[root@ldapmaster ~]# ldapdelete -x -W -D 'cn=Manager,dc=example,dc=com' "uid=testuser1,ou=People,dc=example,dc=com"

[root@ldapmaster ~]# ldapdelete -x -W -D 'cn=Manager,dc=example,dc=com' "cn=testuser1,ou=Group,dc=example,dc=com" 

Here is the snippet for deletion of user testuser1 and I have confirmed that the user has been deleted.

Step-4: Test LDAP configurations

To test the LDAP configuration files, we can use slaptest command. If the output is config file testing succeeded it is safe to restart the slapd service. If the test fails, we need to troubleshoot the issues using the logs.

[root@ldapmaster ~]# slaptest -u
config file testing succeeded

[root@ldapmaster ~]# systemctl restart slapd

We can test whether the LDAP ports are listening or not by using netstat the command. LDAP connection occurs over port 389 and  LDAPS communication occurs over port 636.  LDAPS uses SSL or TLS to secure communication between LDAP clients and LDAP servers by encrypting the connections.

[root@ldapmaster ~]# netstat -tunlp | grep slapd

It should show the output as shown in the below image

Step-5: Configure OpenLDAP with TLS certificates

5.1: Generate certificates

Please refer to the below URL for generating a self-signed certificate in Linux using OpenSSL

OpenSSL create self signed certificate Linux with example

I have generated a CA certificate and used this CA certificate to sign other certificates and placed them inside /etc/openldap/certs/:

~]# ls -l /etc/openldap/certs/
total 16
-rw-r--r--. 1 root root 2053 Aug 12 10:41 ca.cert.pem
-rw-r--r--. 1 root root 8162 Aug 12 10:39 ldap.example.com.crt
-rw-------. 1 root root 3243 Aug 12 10:39 ldap.example.com.key

Copy the certificates to a directory (/etc/openldap/certs/ in the example) and fix the permissions.

[root@ldapmaster ~]# chown -R ldap:ldap /etc/openldap/certs/

5.2: Add Certificates to LDAP Server

Once you copy the certificates, create a file updateSSSL.ldif with the below contents to update it to LDAP. Make sure you are mentioning the proper file names and absolute path for the SSL files. You can also exclude the CA-bundle option if you are trying to install a self-signed SSL certificate. However, it is important to have a Trusted CA certificate on production servers.

# vi updateSSSL.ldif

dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/openldap/certs/ca.cert.pem
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/ldap.example.com.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/ldap.example.com.key

Run the ldapmodify to import the SSL configurations.

[root@ldapmaster ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f updateSSSL.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"

5.3: Enable TLS in SLAPD Configuration file

In Rocky Linux the ldaps:/// is by default configured which you can verify in /usr/lib/systemd/system/slapd.service file as shown below:

If this entry is missing then you can manually add and then execute

# systemctl daemon-reload

to activate the changes.

Next update /etc/openldap/ldap.conf and provide the path of the CA certificate:

TLS_CACERT     /etc/openldap/certs/ca.cert.pem

Restart the slapd service to activate the changes

[root@ldapmaster ~]# systemctl restart slapd

5.4: Test TLS connectivity

At this point, we can use ldapsearch to test a connection. To instruct a client to use StartTLS, we need to use the -Z flag. But if just -Z is specified, if the client fails TLS negotiation with the server, it will continue with the transaction in clear text. In other words, with -Z, TLS is preferred, but not required. To make TLS required, we will add an extra z to the flag, making it -ZZ:

ldap_start_tls: Connect error (-11)
        additional info: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (self signed certificate in certificate chain)

[root@ldapmaster ~]# ldapsearch -x -b dc=example,dc=com -ZZ
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# example.com
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: My example Organisation
dc: example

# Manager, example.com
dn: cn=Manager,dc=example,dc=com
objectClass: organizationalRole
cn: Manager
description: OpenLDAP Manager

# People, example.com
dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

# Group, example.com
dn: ou=Group,dc=example,dc=com
objectClass: organizationalUnit
ou: Group

# testuser, People, example.com
dn: uid=testuser,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: testuser
sn: temp
loginShell: /bin/bash
uidNumber: 2000
gidNumber: 2000
homeDirectory: /home/testuser
shadowMax: 0
shadowWarning: 0
uid: testuser

# testuser, Group, example.com
dn: cn=testuser,ou=Group,dc=example,dc=com
objectClass: posixGroup
cn: testuser
gidNumber: 2000
memberUid: testuser

# search result
search: 3
result: 0 Success

# numResponses: 7
# numEntries: 6

To make sure the request was served using TLS, you can check your journalctl logs from another terminal while making ldap request:

# journalctl -f
....
Aug 12 11:01:56 ldapmaster.example.com slapd[36256]: conn=1007 fd=15 ACCEPT from IP=[::1]:50990 (IP=[::]:389)
Aug 12 11:01:56 ldapmaster.example.com slapd[36256]: conn=1007 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Aug 12 11:01:56 ldapmaster.example.com slapd[36256]: conn=1007 op=0 STARTTLS
Aug 12 11:01:56 ldapmaster.example.com slapd[36256]: conn=1007 op=0 RESULT oid= err=0 text=
Aug 12 11:01:56 ldapmaster.example.com slapd[36256]: conn=1007 fd=15 TLS established tls_ssf=256 ssf=256
Aug 12 11:01:56 ldapmaster.example.com slapd[36256]: conn=1007 op=1 BIND dn="" method=128
Aug 12 11:01:56 ldapmaster.example.com slapd[36256]: conn=1007 op=1 RESULT tag=97 err=0 text=
Aug 12 11:01:56 ldapmaster.example.com slapd[36256]: conn=1007 op=2 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(objectClass=*)"
Aug 12 11:01:56 ldapmaster.example.com slapd[36256]: conn=1007 op=2 SEARCH RESULT tag=101 err=0 nentries=6 text=
Aug 12 11:01:56 ldapmaster.example.com slapd[36256]: conn=1007 op=3 UNBIND
Aug 12 11:01:56 ldapmaster.example.com slapd[36256]: conn=1007 fd=15 closed
...

Step-6: Update the firewall for remote access

Rocky Linux 8 has the firewalld application as its default firewall. We can enable the ldap and ldaps services as below.

[root@ldapmaster ~]#  firewall-cmd --add-service={ldap,ldaps}
[root@ldapmaster ~]#  firewall-cmd --runtime-to-permanent

Step-7: Configure LDAP client on Rocky Linux 8

Before configuring the LDAP client, make sure you are able to connect to the LDAP server. You can test the remote connections using network tools such as ping and With the telnet command, you can test the connections to the LDAP ports. Please refer the article 9 commands to check if connected to internet with shell script examples

The below snippet shows how I did test connections to the LDAP server from the LDAP client.

Once you confirm the LDAP connection is working, You should be able to Configure LDAP Client in order to share users' accounts in your local networks. You can refer the article 8 simple steps to configure ldap client RHEL/CentOS 8

Configuring the LDAP client on Rocky Linux 8 is the same as RHEL/CentOS 8

Summary

In this tutorial we covered basics of OpenLDAP server and steps to install and configure OpenLDAP server on Rocky Linux 8. We also covered the steps to configure OpenLDAP server with TLS certificates, created and added users to our LDAP Server. Later we also learned how to delete user from the LDAP database.

References

OpenLDAP Software 2.4 Administrator's Guide