OpenLDAP is a free and open-source implementation of LDAP (Lightweight Directory Access Protocol). The LDAP protocol is used for centralized authentication and directory access services over a network.
This tutorial is based on CentOS 7.
[root@localhost ~]# uname -a
Linux localhost.localdomain 3.10.0-957.12.2.el7.x86_64 #1 SMP Tue May 14 21:24:32 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
[root@localhost ~]# cat /etc/redhat-release
CentOS Linux release 7.8.2003 (Core)
Use the following commands to install OpenLDAP and enable it to start automatically on boot.
# yum -y install openldap openldap-servers openldap-clients
# systemctl enable slapd
# systemctl start slapd
# systemctl status slapd
Run the slappasswd command to set an LDAP root password and save the output; we need it to configure OpenLDAP. Replace "myPassword" with a password of your choice and note down the line starting with {SSHA}.
[root@localhost ~]# slappasswd
New password: myPassword
Re-enter new password: myPassword
{SSHA}WGSlVF9ZbImNmB1te4zEFEyEmOfFaD59
[root@localhost ~]#
Make a directory to hold the LDIF files needed for the OpenLDAP configuration.
[root@localhost ~]# mkdir ldap-ldif-dir
[root@localhost ~]# cd ldap-ldif-dir
[root@localhost ldap-ldif-dir]#
Our domain is field.linuxhostsupport.com. Written inside the ‘db.ldif’ file it becomes ‘dc=field,dc=linuxhostsupport,dc=com’, and our root distinguished name is ‘cn=ldapadm,dc=field,dc=linuxhostsupport,dc=com’.
# vi db.ldif
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=field,dc=linuxhostsupport,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=ldapadm,dc=field,dc=linuxhostsupport,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}WGSlVF9ZbImNmB1te4zEFEyEmOfFaD59
In the last line, olcRootPW, put the hashed output you received from the slappasswd command. The three modify records must be separated by blank lines, otherwise ldapmodify rejects the file.
Deploy the configuration using ldapmodify:
# ldapmodify -Y EXTERNAL -H ldapi:/// -f db.ldif
Now restrict monitor access only to the ldapadm user:
# vi monitor.ldif
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=ldapadm,dc=field,dc=linuxhostsupport,dc=com" read by * none
Deploy the configuration change again:
# ldapmodify -Y EXTERNAL -H ldapi:/// -f monitor.ldif
Now test the configuration using the following command:
[root@localhost ldap-ldif-dir]# slaptest -u
config file testing succeeded
[root@localhost ldap-ldif-dir]#
Copy the sample database configuration file to ‘/var/lib/ldap’ and change the file permissions:
# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
# chown -R ldap:ldap /var/lib/ldap
Add the LDAP schemas:
# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
Now create a base.ldif file for your domain (each entry is separated from the next by a blank line):
# vi base.ldif
dn: dc=field,dc=linuxhostsupport,dc=com
dc: field
objectClass: top
objectClass: domain

dn: cn=ldapadm,dc=field,dc=linuxhostsupport,dc=com
objectClass: organizationalRole
cn: ldapadm
description: LDAP Manager

dn: ou=People,dc=field,dc=linuxhostsupport,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=field,dc=linuxhostsupport,dc=com
objectClass: organizationalUnit
ou: Group
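As an added example that is not part of the original tutorial, this Python script generates db.ldif and base.ldif for any domain, applying the same DNS-label-to-dc= mapping described above so the records (and the blank lines between them) are not typed by hand. DOMAIN, ADMIN_CN and DB_DN default to the tutorial's values; ROOT_HASH is a constructed placeholder for the real slappasswd output.

```python
import re

# Defaults taken from the tutorial; ROOT_HASH is a constructed placeholder for the real slappasswd output.
DOMAIN = "field.linuxhostsupport.com"
ADMIN_CN = "ldapadm"
ROOT_HASH = "{SSHA}REPLACE_WITH_SLAPPASSWD_OUTPUT"
DB_DN = "olcDatabase={2}hdb,cn=config"   # confirm with an ldapsearch on cn=config, as later in the tutorial

_LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$", re.IGNORECASE)

def domain_to_dn(domain):
    """Map each DNS label to one dc= RDN: a.b.c -> dc=a,dc=b,dc=c."""
    labels = domain.strip(".").split(".")
    if len(labels) < 2 or not all(_LABEL.match(lab) for lab in labels):
        raise ValueError("not a usable domain name: %r" % domain)
    return ",".join("dc=" + lab for lab in labels)

def _modify(dn, attr, value):
    """One 'changetype: modify' record; ldapmodify needs a blank line between records."""
    return "dn: %s\nchangetype: modify\nreplace: %s\n%s: %s\n" % (dn, attr, attr, value)

def db_ldif(domain, admin_cn, root_hash, db_dn=DB_DN):
    """The three modify operations of db.ldif: suffix, root DN and hashed root password."""
    if not re.match(r"^\{[A-Z0-9-]+\}", root_hash):
        raise ValueError("olcRootPW must be a slappasswd hash such as {SSHA}...")
    suffix = domain_to_dn(domain)
    return "\n".join([
        _modify(db_dn, "olcSuffix", suffix),
        _modify(db_dn, "olcRootDN", "cn=%s,%s" % (admin_cn, suffix)),
        _modify(db_dn, "olcRootPW", root_hash),
    ])

def base_ldif(domain, admin_cn):
    """base.ldif: the domain entry, the admin role and the People/Group OUs."""
    suffix = domain_to_dn(domain)
    first_label = suffix.split(",", 1)[0][3:]          # "dc=field" -> "field"
    records = [
        "dn: %s\ndc: %s\nobjectClass: top\nobjectClass: domain\n" % (suffix, first_label),
        "dn: cn=%s,%s\nobjectClass: organizationalRole\ncn: %s\ndescription: LDAP Manager\n"
        % (admin_cn, suffix, admin_cn),
    ]
    for ou in ("People", "Group"):
        records.append("dn: ou=%s,%s\nobjectClass: organizationalUnit\nou: %s\n" % (ou, suffix, ou))
    return "\n".join(records)

if __name__ == "__main__":
    print(db_ldif(DOMAIN, ADMIN_CN, ROOT_HASH))
    print(base_ldif(DOMAIN, ADMIN_CN))
```

Redirect each printed block into db.ldif and base.ldif and feed them to the ldapmodify and ldapadd commands exactly as shown in the tutorial.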
We will deploy these configuration changes to the OpenLDAP server using the ldapadm user (enter the password you set in the section above when the server asks for it):
# ldapadd -x -W -D "cn=ldapadm,dc=field,dc=linuxhostsupport,dc=com" -f base.ldif
If you don't want the memberof overlay, you can install JXplorer and start creating users and groups graphically now.
Find the location of the memberof overlay module. The path below might be different in your case.
# find / -iname memberof.la
/usr/lib64/openldap/memberof.la
Now find out which backend databases are configured:
# ldapsearch -H ldapi:/// -Y EXTERNAL -b "cn=config" -LLL -Q "olcDatabase=*" dn
dn: olcDatabase={-1}frontend,cn=config
dn: olcDatabase={0}config,cn=config
dn: olcDatabase={1}monitor,cn=config
dn: olcDatabase={2}hdb,cn=config
Create the following three files, checking that the overlay module path and the database name match what you found in the steps above.
# vi memberof_config.ldif
dn: cn=module,cn=config
cn: module
objectClass: olcModuleList
olcModuleLoad: memberof
olcModulePath: /usr/lib64/openldap/

dn: olcOverlay={0}memberof,olcDatabase={2}hdb,cn=config
objectClass: olcConfig
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: top
olcOverlay: memberof
olcMemberOfDangling: ignore
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf
# vi refint1.ldif
dn: cn=module{0},cn=config
add: olcmoduleload
olcmoduleload: refint
# vi refint2.ldif
dn: olcOverlay={1}refint,olcDatabase={2}hdb,cn=config
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcRefintConfig
objectClass: top
olcOverlay: {1}refint
olcRefintAttribute: memberof member manager owner
To set up the memberof module and configure it, run this command:
# ldapadd -Q -Y EXTERNAL -H ldapi:/// -f memberof_config.ldif
To load and configure the refint module:
# ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f refint1.ldif
# ldapadd -Q -Y EXTERNAL -H ldapi:/// -f refint2.ldif
Note: Jump here if you want to install JXplorer and make use of the GUI.
Before adding a user, we first need to generate the user's password hash.
# slappasswd -h {SHA} -s myPWuser01
{SHA}BJf+TWdP43GUpvywiRPllu9qMH8=
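As an added example (Python, not part of the original tutorial), the following builds and verifies the two userPassword formats used in this tutorial: the salted {SSHA} value slappasswd produced for the root password and the unsalted {SHA} value generated here for user01. The 4-byte salt length is an assumption that matches the 32-character {SSHA} value shown earlier (24 decoded bytes: a 20-byte SHA-1 digest plus the salt); unsalted {SHA} gives identical hashes for identical passwords, which is why the salted scheme is the better default for user entries as well.

```python
import base64
import hashlib
import hmac
import os

def make_ssha(password, salt=None):
    """{SSHA}: base64(sha1(password + salt) + salt). A 32-character value decodes
    to 24 bytes, i.e. a 20-byte SHA-1 digest plus a 4-byte salt (assumed length)."""
    if salt is None:
        salt = os.urandom(4)                    # fresh random salt for every hash
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def make_sha(password):
    """{SHA}: base64(sha1(password)), no salt, so equal passwords give equal hashes."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode("utf-8")).digest()).decode("ascii")

def check_password(stored, candidate):
    """Verify a candidate password against a {SSHA} or {SHA} userPassword value."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("expected a {SCHEME}base64 value")
    scheme, b64 = stored[1:].split("}", 1)
    raw = base64.b64decode(b64)
    if scheme.upper() == "SSHA":
        digest, salt = raw[:20], raw[20:]       # digest first, salt appended after it
    elif scheme.upper() == "SHA":
        digest, salt = raw, b""
    else:
        raise ValueError("unsupported scheme {%s}" % scheme)
    computed = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, computed)   # constant-time comparison

if __name__ == "__main__":
    print(make_ssha("myPassword"))               # a different value on every run
    print(make_sha("myPWuser01"))                # the same value on every run
```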
Create a file named add_user01.ldif and use the generated password hash in it.
# vi add_user01.ldif
dn: uid=user01,ou=people,dc=field,dc=linuxhostsupport,dc=com
cn: user01 name
givenName: user01
sn: user01
uid: user01
uidNumber: 5000
gidNumber: 10000
homeDirectory: /home/user01
mail: [email protected]
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
loginShell: /bin/bash
userPassword: {SHA}BJf+TWdP43GUpvywiRPllu9qMH8=
Then add the user by running:
# ldapadd -x -W -D "cn=ldapadm,dc=field,dc=linuxhostsupport,dc=com" -f add_user01.ldif
Add user02 and any further users in the same way.
Create a file named add_group1.ldif with the following content, adding one "member: user_dn" line for each user you want in this group:
# vi add_group1.ldif
dn: cn=mygroup1,ou=Group,dc=field,dc=linuxhostsupport,dc=com
objectClass: groupofnames
cn: mygroup1
ou: admin
description: All ems users
member: uid=user01,ou=people,dc=field,dc=linuxhostsupport,dc=com
member: uid=user02,ou=people,dc=field,dc=linuxhostsupport,dc=com
Then run:
# ldapadd -x -W -D "cn=ldapadm,dc=field,dc=linuxhostsupport,dc=com" -f add_group1.ldif
Test with these commands:
# ldapsearch -LL -Y EXTERNAL -H ldapi:/// "(uid=user01)" -b ou=people,dc=field,dc=linuxhostsupport,dc=com memberOf
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
version: 1
dn: uid=user01,ou=People,dc=field,dc=linuxhostsupport,dc=com
memberOf: cn=mygroup1,ou=Group,dc=field,dc=linuxhostsupport,dc=com
# ldapsearch -x -LLL -H ldap:/// -b uid=user01,ou=people,dc=field,dc=linuxhostsupport,dc=com dn memberof
dn: uid=user01,ou=People,dc=field,dc=linuxhostsupport,dc=com
memberOf: cn=mygroup1,ou=Group,dc=field,dc=linuxhostsupport,dc=com
If for some reason you want to remove the whole LDAP configuration and start from scratch, use the following commands. Note that all LDAP data will be lost.
# systemctl stop slapd
# systemctl disable slapd
# yum -y remove openldap-servers openldap-clients
# rm -rf /var/lib/ldap
# userdel ldap
# rm -rf /etc/openldap
Then go back to the beginning of this tutorial and run the OpenLDAP setup again.
To open an LDAP connection from JXplorer, enter the following information:
Level: User + Password
User DN: cn=ldapadm,dc=field,dc=linuxhostsupport,dc=com
Password: the ldapadm password you set with slappasswd earlier
The ldapsearch result finishes with the following:
# search result
search: 2
result: 0 Success
# numResponses: 85
# numEntries: 84
In "search: 2", 2 is the messageID of the search operation.
In "result: 0 Success", 0 is the error code. A list of the other codes is at http://wiki.servicenow.com/index.php?title=LDAP_Error_Codes
In "numResponses: 85", 85 is the number of pieces of information returned, including the meta information.
In "numEntries: 84", 84 is the total number of entries that the search returned.