LDAP Installation on CentOS 7 / RHEL 7

Aug 12, 2015 Linux

LDAP stands for Lightweight Directory Access Protocol. As the name suggests, it is a lightweight protocol for accessing directory services, specifically X.500-based directory services. OpenLDAP is a free, open source implementation of the Lightweight Directory Access Protocol (LDAP) developed by the OpenLDAP Project. It is released under its own BSD-style license called the OpenLDAP Public License.

In this tutorial we will show you, how to install OpenLDAP server on CentOS 7 / RHEL 7 and create basic configuration in a few simple steps:

1. Update your server and install OpenLDAP packages

[root@ldap_server ~]# yum update
[root@ldap_server ~]# yum install openldap openldap-clients openldap-servers

Note: after installation directory /var/lib/ldap should be owned by ldap, if it’s owned by root, change ownership to ldap:

[root@ldap_server ~]# chown -R ldap:ldap /var/lib/ldap

2. Enable, launch and verify slapd service

[root@ldap_server ~]# systemctl enable slapd
ln -s '/usr/lib/systemd/system/slapd.service' '/etc/systemd/system/multi-user.target.wants/slapd.service'
[root@ldap_server ~]# systemctl start slapd
[root@ldap_server ~]# systemctl is-active slapd
active

3. Set OpenLDAP admin password

[root@ldap_server ~]# slappasswd
New password: 
Re-enter new password: 
{SSHA}XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Create setrootpasswd.ldif file to modify admin password:

[root@ldap_server ~]# touch /root/setrootpasswd.ldif
[root@ldap_server ~]# vim /root/setrootpasswd.ldif

Contents of setrootpasswd.ldif: 

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
# paste the password generated above for olcRootPW directive
olcRootPW: {SSHA}XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Add/modify entry:

[root@ldap_server ~]# ldapadd -H ldapi:/// -f /root/setrootpasswd.ldif 
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={0}config,cn=config"

4. Import basic schemas

OpenLDAP Software is distributed with a set of schema specifications for our use. Let’s import two schemas: cosine and inetOrgPerson.

[root@ldap_server cn=schema]# ldapadd -H ldapi:/// -f /etc/openldap/schema/cosine.ldif 
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"

[root@ldap_server cn=schema]# ldapadd -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif 
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"

5. Configure OpenLDAP Server

Create configure.ldif file to configure: domain name, ACLs and directory Manager’s user/password:

[root@ldap_server ~]# touch /root/configure.ldif
[root@ldap_server ~]# vim /root/configure.ldif

Configure directory Manager’s password:

[root@ldap_server ~]# slappasswd
New password:
Re-enter new password:
{SSHA}xxxxxxxxxxxxxxxxxxxxxxxx

Contents of configure.ldif file:

dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * 
  by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read 
  by dn.base="cn=Manager,dc=tuxfixer,dc=com" read 
  by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=tuxfixer,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=tuxfixer,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
# paste below Manager's encrypted password
olcRootPW: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx

dn: olcDatabase={2}hdb,cn=config
add: olcAccess
olcAccess: {0}to attrs=userPassword 
  by dn="cn=Manager,dc=tuxfixer,dc=com" write 
  by anonymous auth 
  by self write 
  by * none 
olcAccess: {1}to dn.base="" 
  by * read
olcAccess: {2}to * 
  by dn="cn=Manager,dc=tuxfixer,dc=com" write 
  by * read

Modify records:

[root@ldap_server ~]# ldapmodify -H ldapi:/// -f /root/configure.ldif 
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}monitor,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

Grzegorz Juszczak

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.