
openLDAP Setup

OpenLDAP is a free and open-source implementation of LDAP (Lightweight Directory Access Protocol). The LDAP protocol is used for centralized authentication and directory access services over a network.

This tutorial is based on CentOS 7.

[root@localhost ~]# uname -a
Linux localhost.localdomain 3.10.0-957.12.2.el7.x86_64 #1 SMP Tue May 14 21:24:32 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
[root@localhost ~]# cat /etc/redhat-release
CentOS Linux release 7.8.2003 (Core)

Use the following commands to install OpenLDAP and enable the slapd service to start automatically on boot.

# yum -y install openldap openldap-servers openldap-clients
# systemctl enable slapd
# systemctl start slapd
# systemctl status slapd



Run the slappasswd command to set an LDAP root password and save the output; we need it to configure OpenLDAP.
Replace "myPassword" with a password of your choice and note down the output line starting with {SSHA}.

[root@localhost ~]# slappasswd
New password:myPassword
Re-enter new password:myPassword
[root@localhost ~]#

Make a directory to hold the LDIF files needed for the openLDAP configuration.

[root@localhost ~]# mkdir ldap-ldif-dir
[root@localhost ~]# cd ldap-ldif-dir
[root@localhost ldap-ldif-dir]# 

Our domain is field.linuxhostsupport.com. Written inside the 'db.ldif' file it looks like 'dc=field,dc=linuxhostsupport,dc=com', and our root distinguished name is 'cn=ldapadm,dc=field,dc=linuxhostsupport,dc=com'.

# vi db.ldif
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=field,dc=linuxhostsupport,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=ldapadm,dc=field,dc=linuxhostsupport,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}WGSlVF9ZbImNmB1te4zEFEyEmOfFaD59

In the last line, olcRootPW, put the hashed output you received from the slappasswd command.
Deploy the configuration using ldapmodify:

# ldapmodify -Y EXTERNAL -H ldapi:/// -f db.ldif

Now restrict monitor access only to the ldapadm user:

# vi monitor.ldif
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external, cn=auth" read by dn.base="cn=ldapadm,dc=field,dc=linuxhostsupport,dc=com" read by * none

Deploy the configuration change again:

# ldapmodify -Y EXTERNAL -H ldapi:/// -f monitor.ldif

Now test the configuration using the following command:

[root@localhost ldap-ldif-dir]# slaptest -u
config file testing succeeded
[root@localhost ldap-ldif-dir]#


Setting up the OpenLDAP database

Copy the sample database configuration file to ‘/var/lib/ldap’ and change the file permissions:

# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
# chown -R ldap:ldap /var/lib/ldap

Add the LDAP schemas:

# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

Now create a base.ldif file for your domain:

# vi base.ldif
dn: dc=field,dc=linuxhostsupport,dc=com
dc: field
objectClass: top
objectClass: domain

dn: cn=ldapadm,dc=field,dc=linuxhostsupport,dc=com
objectClass: organizationalRole
cn: ldapadm
description: LDAP Manager

dn: ou=People,dc=field,dc=linuxhostsupport,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=field,dc=linuxhostsupport,dc=com
objectClass: organizationalUnit
ou: Group

We will deploy these entries to the OpenLDAP server as the ldapadm user
(enter the password assigned in the section above when the server asks for it):

# ldapadd -x -W -D "cn=ldapadm,dc=field,dc=linuxhostsupport,dc=com" -f base.ldif

If you don't want the memberof overlay, you can install JXplorer and start creating users and groups graphically now.

Enable memberof overlay

Find the location of the memberof overlay module. The path below might be different in your case.

# find / -iname memberof.la

Now find out which backend databases are configured:

# ldapsearch -H ldapi:/// -Y EXTERNAL -b "cn=config" -LLL -Q "olcDatabase=*" dn
dn: olcDatabase={-1}frontend,cn=config
dn: olcDatabase={0}config,cn=config
dn: olcDatabase={1}monitor,cn=config
dn: olcDatabase={2}hdb,cn=config

Make the following three files, verifying the overlay module path and the database DN you found in the steps above.

# vi memberof_config.ldif
dn: cn=module,cn=config
cn: module
objectClass: olcModuleList
olcModuleLoad: memberof
olcModulePath: /usr/lib64/openldap/

dn: olcOverlay={0}memberof,olcDatabase={2}hdb,cn=config
objectClass: olcConfig
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: top
olcOverlay: memberof
olcMemberOfDangling: ignore
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf

# vi refint1.ldif
dn: cn=module{0},cn=config
add: olcmoduleload
olcmoduleload: refint

# vi refint2.ldif
dn: olcOverlay={1}refint,olcDatabase={2}hdb,cn=config
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcRefintConfig
objectClass: top
olcOverlay: {1}refint
olcRefintAttribute: memberof member manager owner

To set up the memberof module and configure it, run this command:

# ldapadd -Q -Y EXTERNAL -H ldapi:/// -f memberof_config.ldif

To load and configure the refint module:

# ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f refint1.ldif
# ldapadd -Q -Y EXTERNAL -H ldapi:/// -f refint2.ldif


Add Users

Note: jump to the JXplorer section below if you want to install JXplorer and make use of its GUI instead.

Before we add a user, we first need to generate a password hash for them.

# slappasswd -h {SHA} -s myPWuser01

Make a file named add_user01.ldif and use the generated password hash in it.

# vi add_user01.ldif
dn: uid=user01,ou=people,dc=field,dc=linuxhostsupport,dc=com
cn: user01 name
givenName: user01
sn: user01
uid: user01
uidNumber: 5000
gidNumber: 10000
homeDirectory: /home/user01
mail: [email protected]
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
loginShell: /bin/bash
userPassword: {SHA}BJf+TWdP43GUpvywiRPllu9qMH8=

And add the user by running:

# ldapadd -x -W -D "cn=ldapadm,dc=field,dc=linuxhostsupport,dc=com" -f add_user01.ldif

Similarly add user02 and any further users.

Add Groups

Note: jump to the JXplorer section below if you want to install JXplorer and make use of its GUI instead.

Make a file named add_group1.ldif:

# vi add_group1.ldif
dn: cn=mygroup1,ou=Group,dc=field,dc=linuxhostsupport,dc=com
objectClass: groupofnames
cn: mygroup1
ou: admin
description: All ems users
member: uid=user01,ou=people,dc=field,dc=linuxhostsupport,dc=com
member: uid=user02,ou=people,dc=field,dc=linuxhostsupport,dc=com

where you add a "member: user_dn" line for each user you want in this group. Then run:

# ldapadd -x -W -D "cn=ldapadm,dc=field,dc=linuxhostsupport,dc=com" -f add_group1.ldif
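To add several users and groups as the two sections above describe, here is an added shell example (not the page's own code) that builds the same LDIF entries for any number of accounts. It assumes the page's suffix and ou=People/ou=Group layout, the slappasswd tool from openldap-clients, and hashes passwords with {SSHA} (salted) instead of the page's unsalted {SHA}.

```shell
#!/bin/sh
# Added example (not the page's code): user and group LDIF for any number of
# accounts, in the form of add_user01.ldif / add_group1.ldif above.
BASE_DN='dc=field,dc=linuxhostsupport,dc=com'
FIRST_UID=5000
GID=10000

# Hash with slappasswd (assumed installed). {SSHA} salts the hash, so equal
# passwords do not produce equal hashes; the page used unsalted {SHA}.
hash_password() { slappasswd -h '{SSHA}' -s "$1"; }

# make_user_ldif NAME UIDNUMBER HASH: one user entry (slapd adds the implied
# superclasses person and organizationalPerson of inetOrgPerson itself).
make_user_ldif() {
    cat <<EOF
dn: uid=$1,ou=People,$BASE_DN
cn: $1 name
givenName: $1
sn: $1
uid: $1
uidNumber: $2
gidNumber: $GID
homeDirectory: /home/$1
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
loginShell: /bin/bash
userPassword: $3

EOF
}

# make_group_ldif GROUP MEMBER...: a groupOfNames with one member: line per user.
make_group_ldif() {
    group=$1; shift
    printf 'dn: cn=%s,ou=Group,%s\nobjectClass: groupOfNames\ncn: %s\n' "$group" "$BASE_DN" "$group"
    for m in "$@"; do printf 'member: uid=%s,ou=People,%s\n' "$m" "$BASE_DN"; done
    printf '\n'
}

# make_team_ldif GROUP NAME:HASH...: every user (uidNumbers from FIRST_UID up)
# followed by a group that lists all of them; pipe the result into ldapadd.
make_team_ldif() {
    group=$1; shift; n=$FIRST_UID; names=
    for spec in "$@"; do
        make_user_ldif "${spec%%:*}" "$n" "${spec#*:}"
        n=$((n + 1)); names="$names ${spec%%:*}"
    done
    make_group_ldif "$group" $names
}
```

Typical use is make_team_ldif mygroup1 "user01:$(hash_password myPWuser01)" "user02:$(hash_password myPWuser02)" | ldapadd -x -W -D "cn=ldapadm,dc=field,dc=linuxhostsupport,dc=com", since ldapadd reads the LDIF from standard input when no -f is given.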

Test with these commands:

# ldapsearch -LL -Y EXTERNAL -H ldapi:/// "(uid=user01)" -b ou=people,dc=field,dc=linuxhostsupport,dc=com memberOf

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
version: 1

dn: uid=user01,ou=People,dc=field,dc=linuxhostsupport,dc=com
memberOf: cn=mygroup1,ou=Group,dc=field,dc=linuxhostsupport,dc=com

# ldapsearch -x -LLL -H ldap:/// -b uid=user01,ou=people,dc=field,dc=linuxhostsupport,dc=com dn memberof

dn: uid=user01,ou=People,dc=field,dc=linuxhostsupport,dc=com
memberOf: cn=mygroup1,ou=Group,dc=field,dc=linuxhostsupport,dc=com


Reinstall openLDAP

If for some reason you want to remove all LDAP configuration and start from scratch, use the following commands.

Note that all LDAP data will be lost.

# systemctl stop slapd
# systemctl disable slapd
# yum -y remove openldap-servers openldap-clients
# rm -rf /var/lib/ldap
# userdel ldap
# rm -rf /etc/openldap

Then go back to openLDAP Setup above and start over.

Connect from JXplorer

To open an LDAP connection from JXplorer, input the following information:

Level: User + Password
User DN: cn=ldapadm,dc=field,dc=linuxhostsupport,dc=com



An ldapsearch result finishes with the following trailer:
# search result
search: 2
result: 0 Success

# numResponses: 85
# numEntries: 84


"search: 2": 2 is the message ID of the search operation.

"result: 0 Success": 0 is the result (error) code. A list of the other codes is at http://wiki.servicenow.com/index.php?title=LDAP_Error_Codes

"numResponses: 85": 85 is the number of response messages returned, including the meta information.

"numEntries: 84": 84 is the total number of entries the search returned.
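As an added example (not from the page), the shell functions below read the trailer explained above from saved ldapsearch output and check that the membership test from the Add Groups section actually succeeded; the sample output is constructed to resemble a plain ldapsearch -x run, not captured from a live server. One caveat worth knowing: the memberof overlay only maintains memberOf for membership changes made after it is loaded, so a group created before enabling it will not show up in this check until it is re-added.

```shell
#!/bin/sh
# Added example (not the page's code): parse ldapsearch output for the result
# code and numEntries explained above, and confirm memberOf lists a group.
BASE_DN='dc=field,dc=linuxhostsupport,dc=com'

# Constructed sample resembling `ldapsearch -x -b ou=People,$BASE_DN
# "(uid=user01)" memberOf` with its trailer; not captured from a live server.
SAMPLE_OUTPUT='# filter: (uid=user01)
# requesting: memberOf

# user01, People, field.linuxhostsupport.com
dn: uid=user01,ou=People,dc=field,dc=linuxhostsupport,dc=com
memberOf: cn=mygroup1,ou=Group,dc=field,dc=linuxhostsupport,dc=com

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1'

# Print the code from the "result: <code> <text>" line; fail if there is none
# (for example when the bind or connection failed before any search ran).
ldap_result_code() {
    printf '%s\n' "$1" | awk '/^result: /{print $2; found=1} END{exit found ? 0 : 1}'
}

# Print the value of "# numEntries:", or 0 when the trailer lacks it.
ldap_num_entries() {
    printf '%s\n' "$1" | awk '/^# numEntries: /{n=$3} END{print n+0}'
}

# Succeed only if some memberOf line names the given group DN. Attribute
# names and DNs are compared case-insensitively, as the server itself does.
has_memberof() {
    printf '%s\n' "$1" | awk -v want="$2" '
        tolower($1)=="memberof:" && tolower($2)==tolower(want) {ok=1}
        END{exit ok ? 0 : 1}'
}

# The check to run after enabling the overlay: the search succeeded,
# returned exactly one entry, and that entry is a member of the group.
verify_group_membership() {
    code=$(ldap_result_code "$1") || return 1
    [ "$code" -eq 0 ] || return 1
    [ "$(ldap_num_entries "$1")" -eq 1 ] || return 1
    has_memberof "$1" "$2"
}
```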

