Install and Configure OpenLDAP on Rocky Linux 9 [Step-by-Step]



LDAP stands for “Lightweight Directory Access Protocol”. OpenLDAP is an open-source implementation of LDAP developed by the OpenLDAP Project. Like any LDAP server, it can authenticate a connection (a bind) with a distinguished name and password, which is what makes it usable as a central store of users and groups for other systems.

The OpenLDAP suite can be broken up into four components:

  • Servers: Provide LDAP services
  • Clients: Manipulate LDAP data
  • Utilities: Support LDAP servers
  • Libraries: provide programming interfaces to LDAP

If you are new to OpenLDAP, I would also recommend reading Basics OpenLDAP Tutorial for Beginners.

 

Prepare Lab Environment

This is my environment where I will be performing the demonstration:

NAME="Rocky Linux"
VERSION="9.4 (Blue Onyx)"
ID="rocky"
ID_LIKE="rhel centos fedora"
VERSION_ID="9.4"
PLATFORM_ID="platform:el9"
PRETTY_NAME="Rocky Linux 9.4 (Blue Onyx)"
ANSI_COLOR="0;32"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:rocky:rocky:9::baseos"
HOME_URL="https://rockylinux.org/"
BUG_REPORT_URL="https://bugs.rockylinux.org/"
SUPPORT_END="2032-05-31"
ROCKY_SUPPORT_PRODUCT="Rocky-Linux-9"
ROCKY_SUPPORT_PRODUCT_VERSION="9.4"
REDHAT_SUPPORT_PRODUCT="Rocky Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="9.4"

I will use the same VM as both the OpenLDAP server and the client. I have added an entry to /etc/hosts so that I can reach the OpenLDAP server by FQDN instead of by IP address:

10.10.1.17 server server.example.com

Here 10.10.1.17 is my LDAP server's IP address. This step is optional if you prefer to use the IP address directly for LDAP communication, but if you later enable TLS the server certificate must match the name clients connect to, so settling on an FQDN now saves work.

 

Step 1: Update Your System

Start by updating your system to ensure all existing packages are up to date:

sudo dnf update -y

 

Step 2: Install OpenLDAP Packages

Install the OpenLDAP server, client, and necessary utilities:

sudo dnf config-manager --set-enabled plus
sudo dnf install openldap openldap-servers openldap-clients -y

openldap-servers is only shipped in the Plus repository, which is disabled by default; the first command enables it before the packages are installed.

After installation I have the following packages:

openldap-2.6.6-3.el9.x86_64
openldap-devel-2.6.6-3.el9.x86_64
openldap-servers-2.6.6-3.el9.x86_64
openldap-clients-2.6.6-3.el9.x86_64

 

Step 3: Enable and Start the LDAP Service

Enable and start the slapd service:

sudo systemctl enable slapd --now

Verify that the service is running:

sudo systemctl status slapd

 

Step 4: Configure OpenLDAP

Generate a hashed password for the LDAP administrator. slappasswd prompts for the password twice and prints the hash; its default scheme is {SSHA}, salted SHA-1:

slappasswd

Enter a strong password when prompted and save the complete output, including the {SSHA} prefix; you will paste it into the LDIF below. Prompting is preferable to passing the password on the command line with -s, which would leave it in your shell history.


Before modifying the database configuration, it's crucial to check the existing database backends. Use the following command to list the current databases:

sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config dn

This will provide a list of databases. Look for olcDatabase entries.


Create an LDIF file db.ldif that sets the suffix, the administrator DN (rootDN) and the administrator password on the mdb database. The package ships the database with a placeholder suffix and rootDN, so all three attributes are replaced. Adjust dc=example,dc=com to your domain and substitute the full slappasswd output for the placeholder; the three changes can go in one modify record, separated by lines containing only -:

dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=example,dc=com
-
replace: olcRootDN
olcRootDN: cn=admin,dc=example,dc=com
-
replace: olcRootPW
olcRootPW: {SSHA}YourHashedPasswordHere

The {2} in the DN is the index the previous search showed for the mdb database; use whatever your listing shows. If the listing also contains an olcDatabase={1}monitor entry whose olcAccess rule names the old default rootDN, update that rule to cn=admin,dc=example,dc=com as well, otherwise the new administrator has no access to the monitor backend.

Apply the configuration over the local ldapi socket; SASL EXTERNAL maps the root user to the cn=config administrator, so no password is needed:

sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f db.ldif

db.ldif now contains the administrator's password hash; delete it, or restrict its permissions, once it has been applied.
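Before adding accounts, decide who may read what. The following is an added example for this guide, not configuration from the original page: an access-control rule set for the mdb database that protects userPassword and avoids a common self-service mistake. It assumes the database index {2} used above and that the database has no olcAccess values yet (check with `sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b olcDatabase={2}mdb,cn=config olcAccess`; if it does, these rules are added to the existing set, so review the resulting order). Rule {0} lets a user change their own password and lets anonymous use the attribute only to bind; nobody else can read the hash. Rule {1} limits self-service writes to loginShell and mail; granting `by self write` on `to *` instead would let any user rewrite their own uidNumber or gidNumber, and every client resolving accounts through this directory would honour it. Rule {2} keeps the rest readable so the anonymous ldapsearch checks used throughout this guide keep working; change it to `by users read` once anonymous browsing is no longer wanted (the verification searches then need -D and -W). The rootDN bypasses access control, so cn=admin needs no clause. The file name acl.ldif is hypothetical.

```ldif
# acl.ldif (added example): per-attribute access control for olcDatabase={2}mdb.
# The {2} index is the one the cn=config listing showed for the mdb database.
# Continuation lines begin with a space and are joined onto the olcAccess value above them.
dn: olcDatabase={2}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
olcAccess: {1}to attrs=loginShell,mail
  by self write
  by * read
olcAccess: {2}to *
  by * read
```

Apply it with `sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif`. After the user in Step 7 exists, confirm the effect from both sides: an anonymous `ldapsearch -x -LLL -b dc=example,dc=com "(uid=jdoe)" userPassword` must return the entry without the attribute, while `ldapwhoami -x -D uid=jdoe,ou=people,dc=example,dc=com -W` must still succeed.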

 

Step 5: Add Basic Schemas

Add the necessary schemas to the LDAP directory:

sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

To verify that the schemas were loaded, query the schema subtree of cn=config; each loaded schema appears as a cn={n}name entry:

sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config dn

 

Step 6: Add Base and Organizational Units

To check existing OUs, use the following command:

sudo ldapsearch -x -LLL -b dc=example,dc=com "(objectClass=organizationalUnit)" dn

Since this is a new installation, nothing exists under dc=example,dc=com yet, not even the base entry itself, so the search fails with:

No such object (32)

First let's create and add a base DN. Create add-base.ldif and add following content:

dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: Example Organization
dc: example

Add the base DN:

sudo ldapadd -x -D "cn=admin,dc=example,dc=com" -W -f add-base.ldif

Create another LDIF file ou.ldif to define the organizational units. Separate the two entries with a blank line only; a line containing just - belongs between the changes of a single modify record, not between entries, and ldapadd rejects it here:

dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=example,dc=com
objectClass: organizationalUnit
ou: groups

Apply the organizational units configuration:

ldapadd -x -D "cn=admin,dc=example,dc=com" -W -f ou.ldif

To verify new OUs added to the LDAP directory, you can use a similar ldapsearch command:

sudo ldapsearch -x -LLL -b dc=example,dc=com "(ou=*)" dn

 

Step 7: Managing User Accounts

Add New Users and Groups

Create an LDIF file new_user.ldif for the new account. The entry combines inetOrgPerson (name and mail) with posixAccount (the attributes NSS needs). Two details matter: the entry must carry the uid attribute used in its RDN, and posixAccount requires it as well, so slapd rejects the entry without the uid line; and userPassword takes the complete slappasswd output, {SSHA} prefix included, never a plaintext password. gidNumber 1001 is the primary group, which is created in the next step:

dn: uid=jdoe,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
uid: jdoe
cn: John Doe
sn: Doe
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/jdoe
loginShell: /bin/bash
mail: jdoe@example.com
userPassword: {SSHA}YourHashedPasswordHere

Apply the changes:

sudo ldapadd -x -D cn=admin,dc=example,dc=com -W -f new_user.ldif

Verify the changes:

sudo ldapsearch -x -LLL -b dc=example,dc=com "(uid=jdoe)"

Create an LDIF file new_group.ldif to create a new group. Add the following content to create a new group:

dn: cn=developers,ou=groups,dc=example,dc=com
objectClass: top
objectClass: posixGroup
cn: developers
gidNumber: 1001

Apply the changes:

sudo ldapadd -x -D cn=admin,dc=example,dc=com -W -f new_group.ldif

Verify the changes:

sudo ldapsearch -x -LLL -b dc=example,dc=com "(cn=developers)"
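The slappasswd hash from Step 4 and the user and group records in this step can also be produced programmatically, which is how accounts end up being provisioned once there are more than a handful. The following is an added example written for this guide; it is not code from the original page or from the OpenLDAP project. It is Python using only the standard library because the job is to hash a password and emit LDIF text; it never connects to slapd. It reproduces the {SSHA} format slappasswd prints (base64 of SHA-1 over password plus a 4-byte salt, salt appended), verifies a password against such a value, and writes the user and group entries with two things hand-written LDIF gets wrong easily: the uid naming attribute, and base64 encoding for values LDIF cannot carry as plain text. It also refuses login names that could rewrite the DN. Every name in it (BASE_DN, ldif_attr, make_user_ldif, new_entries.ldif and so on) is this example's own; the tree layout dc=example,dc=com with ou=people and ou=groups is the one used above.

```python
"""Build add-LDIF for the posixAccount / posixGroup entries in this guide.

Added example, not code from the original page; standard library only, no connection
to slapd. Names are this example's own. Assumes the tree used above:
dc=example,dc=com with ou=people and ou=groups.
"""
import base64
import binascii
import hashlib
import hmac
import os
import re

BASE_DN = "dc=example,dc=com"
PEOPLE_OU = "ou=people," + BASE_DN
GROUPS_OU = "ou=groups," + BASE_DN

# A POSIX login name. Rejecting anything else stops a crafted value such as
# "jdoe,ou=admins" from rewriting the DN or the homeDirectory path.
LOGIN_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def ssha_hash(password, salt=None):
    """{SSHA} value in the format slappasswd emits: base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)  # slappasswd uses a 4-byte random salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check a password against a stored {SSHA} value; the salt follows the 20-byte digest."""
    if not stored.startswith("{SSHA}"):
        return False
    try:
        blob = base64.b64decode(stored[len("{SSHA}"):], validate=True)
    except (binascii.Error, ValueError):
        return False
    if len(blob) <= 20:
        return False
    digest, salt = blob[:20], blob[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def ldif_attr(name, value):
    """One 'name: value' line; values RFC 2849 marks unsafe are base64-encoded with '::'."""
    unsafe = (
        not value.isascii()
        or value[:1] in (" ", ":", "<")
        or value.endswith(" ")
        or any(c in value for c in "\r\n\0")
    )
    if unsafe:
        return name + ":: " + base64.b64encode(value.encode("utf-8")).decode("ascii")
    return name + ": " + value


def make_user_ldif(uid, cn, sn, uid_number, gid_number, password, mail=None, shell="/bin/bash"):
    """inetOrgPerson + posixAccount entry like uid=jdoe above. uid is the naming attribute
    and a posixAccount MUST, so it is always included."""
    if not LOGIN_RE.match(uid):
        raise ValueError("refusing unsafe uid %r" % uid)
    attrs = [
        ("dn", "uid=%s,%s" % (uid, PEOPLE_OU)),
        ("objectClass", "inetOrgPerson"),
        ("objectClass", "posixAccount"),
        ("objectClass", "top"),
        ("uid", uid),
        ("cn", cn),
        ("sn", sn),
        ("uidNumber", str(uid_number)),
        ("gidNumber", str(gid_number)),
        ("homeDirectory", "/home/" + uid),
        ("loginShell", shell),
        ("userPassword", ssha_hash(password)),
    ]
    if mail:
        attrs.append(("mail", mail))
    return "\n".join(ldif_attr(k, v) for k, v in attrs) + "\n"


def make_group_ldif(cn, gid_number, members=()):
    """posixGroup entry like cn=developers above; members are login names (memberUid)."""
    if not LOGIN_RE.match(cn):
        raise ValueError("refusing unsafe group name %r" % cn)
    attrs = [
        ("dn", "cn=%s,%s" % (cn, GROUPS_OU)),
        ("objectClass", "top"),
        ("objectClass", "posixGroup"),
        ("cn", cn),
        ("gidNumber", str(gid_number)),
    ] + [("memberUid", m) for m in members]
    return "\n".join(ldif_attr(k, v) for k, v in attrs) + "\n"


if __name__ == "__main__":
    # Both records in one file, separated by a blank line; apply with
    #   ldapadd -x -D cn=admin,dc=example,dc=com -W -f new_entries.ldif
    with open("new_entries.ldif", "w", encoding="utf-8") as fh:
        fh.write(make_group_ldif("developers", 1001, ["jdoe"]))
        fh.write("\n")
        fh.write(make_user_ldif("jdoe", "John Doe", "Doe", 1001, 1001,
                                "ChangeMe-2024", mail="jdoe@example.com"))
    os.chmod("new_entries.ldif", 0o600)  # the file contains a password hash
```

The generated file is applied exactly like new_user.ldif above. The hash is compatible with what slapd stores, so ssha_verify also lets you confirm a recovered userPassword value against a candidate password offline, which is the reason the ACL on that attribute matters: salted SHA-1 only slows a dictionary attack by the cost of one hash per guess.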

 

Modify Users and Groups

Create an LDIF file modify_user.ldif to modify a user. Add the modifications, for example, changing the user's shell:

dn: uid=jdoe,ou=people,dc=example,dc=com
changetype: modify
replace: loginShell
loginShell: /bin/zsh

Apply the changes:

sudo ldapmodify -x -D cn=admin,dc=example,dc=com -W -f modify_user.ldif

Verify the changes:

sudo ldapsearch -x -LLL -b dc=example,dc=com "(uid=jdoe)"

Create an LDIF file modify_group.ldif to modify a group. Add the modifications, for example, adding a member:

dn: cn=developers,ou=groups,dc=example,dc=com
changetype: modify
add: memberUid
memberUid: jdoe

Apply the changes:

sudo ldapmodify -x -D cn=admin,dc=example,dc=com -W -f modify_group.ldif

Verify the changes:

sudo ldapsearch -x -LLL -b dc=example,dc=com "(cn=developers)"

 

Delete Users and Groups

To delete an entry you can either put a delete change in an LDIF file and apply it with ldapmodify -f delete_user.ldif, or pass the DN straight to ldapdelete, which needs no file. Create delete_user.ldif with the following content:

dn: uid=jdoe,ou=people,dc=example,dc=com
changetype: delete

Or, equivalently, delete the user directly by DN:

sudo ldapdelete -x -D cn=admin,dc=example,dc=com -W uid=jdoe,ou=people,dc=example,dc=com

Verify the changes:

sudo ldapsearch -x -LLL -b dc=example,dc=com "(uid=jdoe)"

The search should return nothing.

The group is removed the same way. Create delete_group.ldif with the following content, to apply with ldapmodify -f delete_group.ldif:

dn: cn=developers,ou=groups,dc=example,dc=com
changetype: delete

Or delete the group directly by DN:

sudo ldapdelete -x -D cn=admin,dc=example,dc=com -W cn=developers,ou=groups,dc=example,dc=com

Verify the changes:

sudo ldapsearch -x -LLL -b dc=example,dc=com "(cn=developers)"

This search should also return nothing, since the group is gone.
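One check the server will not do for you before you delete. LDAP keeps no referential integrity between posixAccount and posixGroup entries: nothing stops you from deleting developers while jdoe still has gidNumber 1001 (this is why the user is deleted before the group above), from leaving memberUid values that name accounts that no longer exist, or from giving two accounts the same uidNumber, which hands the second account the first one's files. The following added example (Python, standard library only; not code from the original page or the OpenLDAP project) parses the LDIF that ldapsearch -LLL prints and reports those conditions. SAMPLE_LDIF is constructed sample output in that shape, including a folded line; in practice feed the functions the real command's stdout. The function names are this example's own.

```python
"""Consistency checks over `ldapsearch -LLL` output before adding or deleting entries.

Added example, not code from the original page; standard library only. SAMPLE_LDIF is
constructed sample output in the shape `ldapsearch -x -LLL -b dc=example,dc=com` prints.
"""
import base64

SAMPLE_LDIF = """\
dn: uid=jdoe,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
uid: jdoe
uidNumber: 1001
gidNumber: 1001

dn: uid=asmith,ou=people,dc=example,dc=com
objectClass: posixAccount
uid: asmith
uidNumber: 1002
gidNumber: 2000

dn: cn=developers,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: developers
description: Primary developer group for the Example
  Organization
gidNumber: 1001
memberUid: jdoe
memberUid: ghost
"""


def parse_ldif(text):
    """Return a list of {attribute: [values]} dicts, one per entry.

    Handles folded lines (a continuation line starts with one space), comment lines,
    and base64 values written as 'attr:: <b64>'."""
    logical, entries, current = [], [], {}
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]  # unfold onto the previous line
        else:
            logical.append(raw)
    for line in logical + [""]:  # the trailing "" flushes the last entry
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name, []).append(value)
    return entries


def split_users_groups(entries):
    users = [e for e in entries if "posixAccount" in e.get("objectClass", [])]
    groups = [e for e in entries if "posixGroup" in e.get("objectClass", [])]
    return users, groups


def next_free_uidnumber(entries, start=1000):
    """Smallest uidNumber >= start not held by any posixAccount in the listing."""
    used = {int(v) for e in entries for v in e.get("uidNumber", [])}
    n = start
    while n in used:
        n += 1
    return n


def dangling_references(entries):
    """(orphaned_user_dns, dangling_members): accounts whose primary gidNumber matches no
    posixGroup, and (group_dn, memberUid) pairs whose memberUid names no account."""
    users, groups = split_users_groups(entries)
    gids = {v for g in groups for v in g.get("gidNumber", [])}
    uids = {v for u in users for v in u.get("uid", [])}
    orphaned = [u["dn"][0] for u in users if not set(u.get("gidNumber", [])) & gids]
    dangling = [(g["dn"][0], m) for g in groups for m in g.get("memberUid", []) if m not in uids]
    return orphaned, dangling


def group_delete_blockers(entries, group_cn):
    """Login names still using the group's gidNumber as primary group; re-home or delete
    those accounts before deleting the group. Raises LookupError if the group is absent."""
    users, groups = split_users_groups(entries)
    matches = [g for g in groups if group_cn in g.get("cn", [])]
    if not matches:
        raise LookupError("no posixGroup with cn=%s" % group_cn)
    gid = matches[0]["gidNumber"][0]
    return [u["uid"][0] for u in users if gid in u.get("gidNumber", [])]


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    print("next free uidNumber:", next_free_uidnumber(entries, start=1001))
    orphaned, dangling = dangling_references(entries)
    print("accounts with no primary group:", orphaned)
    print("memberUid values with no account:", dangling)
    print("accounts blocking deletion of developers:", group_delete_blockers(entries, "developers"))
```

On the sample data the script reports asmith as an account whose primary group 2000 does not exist, ghost as a memberUid with no account, 1003 as the next free uidNumber above 1001, and jdoe as the account that must go before developers can be deleted. Run it against `ldapsearch -x -LLL -b dc=example,dc=com` output as a pre-flight step before any delete_user.ldif or delete_group.ldif is applied.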

 

In this tutorial, we covered the comprehensive steps to install and configure OpenLDAP on Rocky Linux 9. We began with updating the system and installing the necessary OpenLDAP packages. After ensuring the LDAP service was enabled and running, we proceeded to configure OpenLDAP by generating a secure admin password and creating a configuration file that includes domain details and the hashed password. The configuration was then applied to the LDAP server. We verified the applied schemas and organizational units to ensure the setup was correct. Additionally, we discussed adding, modifying, and deleting users and groups within the LDAP directory. This setup provides a robust foundation for centralized user and group management.

For more detailed instructions and further information, refer to the Official OpenLDAP Admin Guide.

 

Deepak Prasad


He is the founder of GoLinuxCloud and brings over a decade of expertise in Linux, Python, Go, Laravel, DevOps, Kubernetes, Git, Shell scripting, OpenShift, AWS, Networking, and Security. With extensive experience, he excels in various domains, from development to DevOps, Networking, and Security, ensuring robust and efficient solutions for diverse projects. You can connect with him on his LinkedIn profile.


12 thoughts on “Install and Configure OpenLDAP on Rocky Linux 9 [Step-by-Step]”

  1. I posted a lengthy question but the page asked to confirm my humanity then said page moved…

    Anyway, long story short, rfc2307bis.schema/rfc2307bis.ldif supposedly should work, but I can’t get them to do so in Centos Rocky Linux 8. If you’re able to get it working, please let me know. I’ll post back if I find a solution. Thanks!
    Sample from the schema file which I obtained from github:

    olcObjectClasses: {17}( 1.3.6.1.1.1.2.18 NAME 'groupOfMembers' DESC 'A group w
     ith members (DNs)' SUP top STRUCTURAL MUST cn MAY ( businessCategory $ seeAls
     o $ owner $ ou $ o $ description $ member ) )
    • So far it seems I didn’t need that rfc b’i’s anyway. groupOfNames seems to work just as well. The only difference is the member attribute is required and you have to use samba group attributes to get the gidNumber attribute.

      Also, so far as I can see, the yum-obtained slapd's ldif procedure doesn't work:

      slaptest -f conf.conf -F destinationdir/ 

      Procedure may work for openldap.org tar ball version. I don’t know, I couldn’t try it because wiredtiger was a req that I was having trouble finding. I digress.

    • Hopefully this saves someone some trouble down the line. My resolution was to create my own ldif file (skipped the slapcat from schema file process). It’s nearly identical to NIS, so I trimmed out all of the duplicate attributes/classes and was able to import this with ldapadd:

      dn: cn=rfc2307bis,cn=schema,cn=config
      objectClass: olcSchemaConfig
      cn: rfc2307bis
      olcAttributeTypes: ( 1.3.6.1.1.1.1.28 NAME 'nisPublicKey' DESC 'NIS public key' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE )
      olcAttributeTypes: ( 1.3.6.1.1.1.1.29 NAME 'nisSecretKey' DESC 'NIS secret key' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE )
      olcAttributeTypes: ( 1.3.6.1.1.1.1.30 NAME 'nisDomain' DESC 'NIS domain' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
      olcAttributeTypes: ( 1.3.6.1.1.1.1.31 NAME 'automountMapName' DESC 'automount Map Name' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
      olcAttributeTypes: ( 1.3.6.1.1.1.1.32 NAME 'automountKey' DESC 'Automount Key value' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
      olcAttributeTypes: ( 1.3.6.1.1.1.1.33 NAME 'automountInformation' DESC 'Automount information' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
      olcObjectClasses: ( 1.3.6.1.1.1.2.14 NAME 'nisKeyObject' DESC 'An object with a public and secret key' SUP top AUXILIARY MUST ( cn $ nisPublicKey $ nisSecretKey ) MAY ( uidNumber $ description ) )
      olcObjectClasses: ( 1.3.6.1.1.1.2.15 NAME 'nisDomainObject' DESC 'Associates a NIS domain with a naming context' SUP top AUXILIARY MUST nisDomain )
      olcObjectClasses: ( 1.3.6.1.1.1.2.16 NAME 'automountMap' SUP top STRUCTURAL MUST automountMapName MAY description )
      olcObjectClasses: ( 1.3.6.1.1.1.2.17 NAME 'automount' DESC 'Automount information' SUP top STRUCTURAL MUST ( automountKey $ automountInformation ) MAY description )
      olcObjectClasses: ( 1.3.6.1.1.1.2.18 NAME 'groupOfMembers' DESC 'A group with members like DNs' SUP top STRUCTURAL MUST cn MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description $ member ) )
  2. trying this out on rocky linux

    My question is the migrationtools previously on rhel7 no longer exist on rhel8 (or rocky)

    How others doing this?
    To move/create a ldap account

    • I would assume it may be because Red Hat stopped shipping openldap-servers in RHEL 8 and the same was followed by CentOS and Rocky Linux due to the same code base. But the openldap-server package is still available through open source, so there should be a migration tool available as well.

      Let me search more on this and if this is possible then I will write an article on this topic

  3. Thank you for this article. It’s really well written and helpful. However, as I run through it, I’m getting an error when Adding the TLS cert.

    # ldapmodify -Y EXTERNAL -H ldapi:/// -f updateSSSL.ldif
    SASL/EXTERNAL authentication started
    SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    SASL SSF: 0
    modifying entry "cn=config"
    ldap_modify: Other (e.g., implementation specific) error (80)

    Below is my updateSSSL.ldif file

    # updateSSSL.ldif
    
    dn: cn=config
    changetype: modify
    replace: olcTLSCertificateFile
    olcTLSCertificateFile: /etc/openldap/certs/server.crt
    -
    replace: olcTLSCertificateKeyFile
    olcTLSCertificateKeyFile: /etc/openldap/certs/server.key

    Can you help me figure out why I’m getting this error when the example doesn’t?

    Thank you

    • There was one minor typo. We have to use

      chown ldap:ldap /etc/openldap/certs

      Earlier it was chmod. Please let me know if it still fails.
      I have also updated the section to configure TLS with more details and output.

      I see you are not adding CA certificate and instead using self signed. You can also try to create your own CA and then use that CA to sign the certs instead of self signed. I have provided all the relevant links to follow.

