JoeHo

Originally published at joeho.xyz

Install and configure OpenLDAP server in CentOS 7

LDAP, the Lightweight Directory Access Protocol, is a directory service that lets us manage identities and objects easily. One of its most common applications is authenticating to a server with LDAP. In the Windows world, that server is usually Active Directory; in the Linux world, OpenLDAP is widely adopted.

In this guide, I will show you how to install and configure a simple workable LDAP server.

Concept

Before diving into the installation and configuration, it's better to know some terms used in LDAP.

Attribute

An attribute is a characteristic of an object. For example, an email of an account.

Object Class

An object class defines which attributes an object can have. For example, if we define an object class, inetOrgPerson, it may contain the displayName and mail attributes. Depending on the definition of the object class, each attribute it specifies is either mandatory or optional.

Distinguished Name (DN)

A Distinguished Name lets us uniquely identify an object. It is similar to a file path in reverse order. For example, uid=joeho,OU=People,DC=abc,DC=local is a DN.

Entry

An entry is simply an object. You define which object classes the entry belongs to, and each object class defines which attributes the object has. An entry can belong to multiple object classes and must then have all the mandatory attributes of every object class it belongs to.

Schema

A schema contains the definitions of various attributes and object classes.

Domain Component (DC) & Organizational Unit (OU)

They are containers: they hold objects and let you manage objects in a hierarchy. Both are commonly used.

OpenLDAP Installation

Install OpenLDAP related packages

sudo yum install openldap* -y
sudo systemctl start slapd
sudo systemctl enable slapd
sudo systemctl status slapd # Check service is started & enabled

(Screenshot: OpenLDAP installation and slapd service status)

OpenLDAP Configuration

Generate the OpenLDAP admin password hash and save it

sudo slappasswd

(Screenshot: slappasswd output)

Next, we use ldapmodify to update /etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif, the configuration file of our database.

(Screenshot: original olcDatabase={2}hdb.ldif configuration)

Create the file db.ldif and paste in the content below, customized to your own values.

vi db.ldif

Content you should paste, after replacing the following with your own values:

  1. olcSuffix (replace with your domain, e.g. example.com -> dc=example,dc=com)
  2. olcRootDN (replace with your domain admin name, which can be any name you prefer, e.g. admin -> cn=admin,dc=abc,dc=local)
  3. olcRootPW (the password hash you generated above with slappasswd)

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=abc,dc=local

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=admin,dc=abc,dc=local

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}xxxxx

(Screenshot: db.ldif with the modified configuration)

Run this command to apply the update over the local ldapi socket, authenticating as root via SASL EXTERNAL:

sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f db.ldif

The configuration in /etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif should now reflect the new values:

(Screenshot: new olcDatabase={2}hdb.ldif configuration)

Apply some commonly used schemas. The 2nd and 3rd schemas let us create objects with the inetOrgPerson and shadowAccount object classes, which we will use to create a user.

sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

OpenLDAP Verification

Create objects: organizational units, a user and groups

Create a file, entries.ldif, with the content below, which:

  1. creates a user, joe
  2. assigns joe to 2 groups, joe and Engineering

dn: dc=abc,dc=local
dc: abc
objectClass: top
objectClass: domain

dn: ou=People,dc=abc,dc=local
objectClass: organizationalUnit
ou: People

dn: ou=Groups,dc=abc,dc=local
objectClass: organizationalUnit
ou: Groups

dn: cn=Engineering,ou=Groups,dc=abc,dc=local
cn: Engineering
objectClass: posixGroup
gidNumber: 20100
memberUid: joe

dn: uid=joe,ou=People,dc=abc,dc=local
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: joe
sn: Ho
givenName: Joe
cn: Joe Ho
displayName: Joe Ho
uidNumber: 20001
gidNumber: 20001
loginShell: /bin/bash
homeDirectory: /home/joe
shadowMin: 0
shadowMax: 2
shadowWarning: 1
userPassword: {CRYPT}x
shadowLastChange: 19261

dn: cn=joe,ou=Groups,dc=abc,dc=local
cn: joe
objectClass: posixGroup
gidNumber: 20001
memberUid: joe

Apply the content, binding as the admin DN set in olcRootDN (you will be prompted for the password):

ldapadd -x -W -D "cn=admin,dc=abc,dc=local" -f entries.ldif
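Before running the ldapadd above, a consistency check on entries.ldif catches the mistakes slapd rejects (a missing blank line between two entries, an object class without its mandatory attributes) and references that point at nothing (a memberUid with no matching posixAccount, a primary gidNumber with no posixGroup). This is an added Python example, not code from the post; its MUST table is limited to the object classes used above, and SAMPLE is a constructed, trimmed copy of entries.ldif.

```python
import re

# MUST attributes of the object classes used in entries.ldif (core, nis and inetorgperson schemas)
MUST = {"domain": {"dc"}, "organizationalunit": {"ou"}, "shadowaccount": {"uid"}, "inetorgperson": {"cn", "sn"},
        "posixgroup": {"cn", "gidnumber"}, "posixaccount": {"cn", "uid", "uidnumber", "gidnumber", "homedirectory"}}

def parse_ldif(text):
    """Return [(dn, {attr_lower: [values]})]; entries are separated by a blank line.
    Folded lines, comments and base64 (::) values are not handled; entries.ldif uses none."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            name, value = name.strip().lower(), value.strip()
            if name != "dn":
                attrs.setdefault(name, []).append(value)
            elif dn is not None:  # a second dn: in one block means a blank line is missing
                raise ValueError(f"missing blank line before 'dn: {value}'")
            else:
                dn = value
        if dn is None:
            raise ValueError("entry without a dn: line")
        entries.append((dn, attrs))
    return entries

def validate(entries):
    """Return problems slapd would reject or that leave users and groups inconsistent ([] if none)."""
    ocs = lambda a: {o.lower() for o in a.get("objectclass", [])}
    users = {a["uid"][0] for _, a in entries if "posixaccount" in ocs(a) and "uid" in a}
    gids = {a["gidnumber"][0] for _, a in entries if "posixgroup" in ocs(a) and "gidnumber" in a}
    problems = []
    for dn, attrs in entries:
        for oc in sorted(ocs(attrs)):  # each object class of the entry must have all its MUST attributes
            problems += [f"{dn}: objectClass {oc} requires {m}" for m in sorted(MUST.get(oc, set()) - set(attrs))]
        problems += [f"{dn}: memberUid {m} is not a posixAccount in the file"
                     for m in attrs.get("memberuid", []) if m not in users]
        if "posixaccount" in ocs(attrs) and attrs.get("gidnumber", [""])[0] not in gids:
            problems.append(f"{dn}: primary gidNumber has no matching posixGroup")
    return problems

# Constructed sample: a trimmed copy of entries.ldif, with the blank line between entries kept
SAMPLE = "\n".join([
    "dn: cn=Engineering,ou=Groups,dc=abc,dc=local", "objectClass: posixGroup",
    "cn: Engineering", "gidNumber: 20100", "memberUid: joe", "",
    "dn: uid=joe,ou=People,dc=abc,dc=local", "objectClass: inetOrgPerson",
    "objectClass: posixAccount", "objectClass: shadowAccount", "uid: joe", "sn: Ho",
    "cn: Joe Ho", "uidNumber: 20001", "gidNumber: 20001", "homeDirectory: /home/joe", "",
    "dn: cn=joe,ou=Groups,dc=abc,dc=local", "objectClass: posixGroup", "cn: joe",
    "gidNumber: 20001", "memberUid: joe"])
```

validate(parse_ldif(SAMPLE)) returns an empty list for the sample; deleting the blank line before the second group makes parse_ldif raise ValueError, which is the same defect ldapadd would reject.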

Test querying LDAP

Query all entries

ldapsearch -x -W -D "cn=admin,dc=abc,dc=local" -b "dc=abc,dc=local"

(Screenshot: ldapsearch query result)

Conclusion

We have completed the whole setup and can now create users and manage them in LDAP.

Original Post: Disable anonymous bind for OpenLDAP in Centos7 | Joe Ho Blog
