The Lightweight Directory Access Protocol (LDAP) is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network. Directory services play an important role in developing intranet and Internet applications by allowing the sharing of information about users, systems, networks, services, and applications throughout the network. As examples, directory services may provide any organized set of records, often with a hierarchical structure, such as a corporate email directory. Similarly, a telephone directory is a list of subscribers with an address and a phone number.
LDAP is specified in a series of Internet Engineering Task Force (IETF) Standard Track publications called Request for Comments (RFCs), using the description language ASN.1. The latest specification is Version 3, published as RFC 4511 (a road map to the technical specifications is provided by RFC 4510).
A common use of LDAP is to provide a central place to store usernames and passwords. This allows many different applications and services to connect to the LDAP server to validate users.
LDAP is based on a simpler subset of the standards contained within the X.500 standard. Because of this relationship, LDAP is sometimes called X.500-lite.
Be sure to change dc=example,dc=com to your own domain after you copy and paste the example strings, before you press Enter.
# dnf install openldap openldap-servers openldap-clients
First we prepare the new location.
# cd /srv
# mkdir ldap
Export the content of the cn=config branch to an LDIF file with slapcat:
# slapcat -b cn=config > /root/config.ldif
# systemctl stop slapd
# cd /var/lib/ldap
# ll
If the directory is not empty, move the database to the new location:
# mv * /srv/ldap/
# cd /srv/
# chown -R ldap:ldap ldap/
# chcon -R system_u:object_r:slapd_db_t:s0 ldap/
Edit the previously exported LDIF to modify the olcDbDirectory to the new location /srv/ldap. Also change dc=my-domain,dc=com to your domain.
# cd ~
# vi config.ldif
# rm -Rf /etc/openldap/slapd.d/*
# slapadd -F /etc/openldap/slapd.d -b cn=config -l config.ldif
Make sure /etc/openldap/slapd.d and all of its content is owned by the ldap user and carries the right SELinux context.
# chown -R ldap:ldap /etc/openldap/slapd.d/
# chcon system_u:object_r:slapd_db_t:s0 -R /etc/openldap/slapd.d/
First start the daemon; when it starts without errors, enable the service.
# systemctl start slapd
# systemctl enable slapd
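The relocation steps above, collected into one script with a check at each point where a mistake would leave slapd unable to start (exporting the config first, stopping slapd before touching mdb files, confirming no database still points at the old path, and running slaptest on the rebuilt slapd.d before the daemon is started). This is an added example, not a script from the original page; it assumes the Fedora/RHEL paths and the ldap:ldap owner used on this page, and the variable and function names (OLD_DIR, NEW_DIR, rewrite_db_directory, count_old_refs, migrate, MIGRATE) are this example's own.

```shell
#!/bin/sh
# Added example: relocate the mdb database directory with checks at each step.
# Assumed paths follow the page (RHEL/Fedora layout); adjust OLD_DIR/NEW_DIR.
set -eu

OLD_DIR=${OLD_DIR:-/var/lib/ldap}
NEW_DIR=${NEW_DIR:-/srv/ldap}
CONF_DIR=/etc/openldap/slapd.d
EXPORT=/root/config.ldif

# Rewrite olcDbDirectory in an exported cn=config LDIF ($1), in place.
# Only the exact line "olcDbDirectory: $OLD_DIR" is changed, so a second
# database that lives elsewhere is left untouched.
rewrite_db_directory() {
    sed "s|^olcDbDirectory: ${OLD_DIR}\$|olcDbDirectory: ${NEW_DIR}|" "$1" > "$1.new" \
        && mv "$1.new" "$1"
}

# How many databases in $1 still point at OLD_DIR (0 means the edit is complete).
count_old_refs() {
    grep -c "^olcDbDirectory: ${OLD_DIR}\$" "$1" || true
}

migrate() {
    slapcat -b cn=config -l "$EXPORT"          # export config before changing anything
    systemctl stop slapd                       # never move an mdb file under a running slapd
    mkdir -p "$NEW_DIR"
    if [ -n "$(ls -A "$OLD_DIR")" ]; then      # only move when there is something to move
        mv "$OLD_DIR"/* "$NEW_DIR"/
    fi
    chown -R ldap:ldap "$NEW_DIR"
    chcon -R system_u:object_r:slapd_db_t:s0 "$NEW_DIR"
    rewrite_db_directory "$EXPORT"
    if [ "$(count_old_refs "$EXPORT")" -ne 0 ]; then
        echo "config still references $OLD_DIR, aborting before slapd.d is rebuilt" >&2
        return 1
    fi
    rm -rf "${CONF_DIR:?}"/*
    slapadd -F "$CONF_DIR" -b cn=config -l "$EXPORT"
    chown -R ldap:ldap "$CONF_DIR"
    chcon -R system_u:object_r:slapd_db_t:s0 "$CONF_DIR"
    slaptest -F "$CONF_DIR"                    # validate the rebuilt config before starting
    systemctl start slapd
    systemctl enable slapd
}

# Run only when explicitly requested: MIGRATE=yes sh migrate-ldap.sh
if [ "${MIGRATE:-}" = "yes" ]; then migrate; fi
```

The script edits the exported LDIF with sed instead of vi so the result can be checked mechanically; the `${CONF_DIR:?}` guard keeps an unset variable from turning the `rm -rf` into `rm -rf /*`.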
After installation, configure the LDAP administrator password by generating a hashed password:
# slappasswd
New password:
Re-enter new password:
{SSHA}vHEq........
# vi db.ldif
Include the following content, adjusting the domain components (dc) to reflect your domain, and insert the hashed password from slappasswd as the olcRootPW value.
dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=example,dc=com

dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=admin,dc=example,dc=com

dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: YourHashedPasswordHere
Apply the changes with the ldapmodify command:
# ldapmodify -Y EXTERNAL -H ldapi:/// -f db.ldif
Now, add the basic schema to the LDAP directory:
# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
To verify that the schemas were loaded, query the cn=schema,cn=config branch with ldapsearch; each loaded schema shows up as one entry:
# ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config dn
dn: cn=schema,cn=config
dn: cn={0}core,cn=schema,cn=config
dn: cn={1}cosine,cn=schema,cn=config
dn: cn={2}nis,cn=schema,cn=config
dn: cn={3}inetorgperson,cn=schema,cn=config
To check existing OUs, use the following command:
# ldapsearch -x -LLL -b dc=example,dc=com "(objectClass=organizationalUnit)" dn
No such object (32)
Because this is a new installation there is no OU configured.
First let's create and add a base DN. Create base.ldif with the following content:
# vi base.ldif
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: Example Organization
dc: example
Add the base DN:
# ldapadd -x -D "cn=admin,dc=example,dc=com" -W -f base.ldif
Enter the admin password you created earlier when prompted.
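The db.ldif and base.ldif steps above both depend on the same two pieces of information, the directory suffix derived from your domain and the root DN under it, and the page warns more than once to replace dc=example,dc=com. The added example below (not code from the original page) derives both from one DOMAIN variable, generates both LDIF files from it, and refuses to write an olcRootPW value that does not carry a {SCHEME} prefix, so a cleartext password cannot end up in cn=config by mistake. The function names, the DOMAIN/ORG/RUN_SETUP variables and the file names db.ldif and base.ldif in the working directory are this example's own assumptions.

```shell
#!/bin/sh
# Added example: generate db.ldif and base.ldif from one domain name.
# Assumes a Fedora/RHEL OpenLDAP install as on this page (ldapi:/// socket,
# database {2}mdb, rootdn cn=admin under the suffix).
set -eu

# "example.com" -> "dc=example,dc=com"
domain_to_dn() {
    printf '%s' "$1" | tr '.' '\n' | sed 's/^/dc=/' | paste -s -d , -
}

# "corp.example.org" -> "corp" (the dc attribute of the base entry)
domain_first_label() {
    printf '%s' "${1%%.*}"
}

# Only accept a slappasswd-style {SCHEME}hash; anything else would be stored
# verbatim in olcRootPW and exported in clear by every later slapcat.
check_hash() {
    case "$1" in
        "{"*"}"*) return 0 ;;
        *) echo "refusing olcRootPW value without a {SCHEME} prefix" >&2; return 1 ;;
    esac
}

# Print the modify LDIF for olcSuffix, olcRootDN and olcRootPW (the page's db.ldif).
make_db_ldif() {   # $1 = suffix DN, $2 = root DN, $3 = hashed password
    check_hash "$3" || return 1
    printf 'dn: olcDatabase={2}mdb,cn=config\nchangetype: modify\nreplace: olcSuffix\nolcSuffix: %s\n\n' "$1"
    printf 'dn: olcDatabase={2}mdb,cn=config\nchangetype: modify\nreplace: olcRootDN\nolcRootDN: %s\n\n' "$2"
    printf 'dn: olcDatabase={2}mdb,cn=config\nchangetype: modify\nreplace: olcRootPW\nolcRootPW: %s\n' "$3"
}

# Print the base entry LDIF (the page's base.ldif).
make_base_ldif() {   # $1 = suffix DN, $2 = first domain label, $3 = organisation name
    printf 'dn: %s\nobjectClass: top\nobjectClass: dcObject\nobjectClass: organization\no: %s\ndc: %s\n' "$1" "$3" "$2"
}

main() {
    DOMAIN=${DOMAIN:-example.com}
    ORG=${ORG:-Example Organization}
    SUFFIX=$(domain_to_dn "$DOMAIN")
    ROOTDN="cn=admin,$SUFFIX"
    HASH=$(slappasswd)                  # prompts twice, prints {SSHA}...
    umask 077                           # db.ldif holds the root password hash
    make_db_ldif "$SUFFIX" "$ROOTDN" "$HASH" > db.ldif
    make_base_ldif "$SUFFIX" "$(domain_first_label "$DOMAIN")" "$ORG" > base.ldif
    ldapmodify -Y EXTERNAL -H ldapi:/// -f db.ldif
    ldapadd -x -D "$ROOTDN" -W -f base.ldif   # asks for the password just hashed
}

# Run only when explicitly requested: DOMAIN=corp.example.org RUN_SETUP=yes sh setup-ldap.sh
if [ "${RUN_SETUP:-}" = "yes" ]; then main; fi
```

Running with a multi-label domain such as corp.example.org yields dc=corp,dc=example,dc=org as the suffix and corp as the base entry's dc, which is the general form of the single example on this page.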
You should now have a basic OpenLDAP server set up. You can extend the configuration by adding more organizational units, entries, and attributes as required for your directory service.
The LDAP service should be available from now on.
When the LDAP service must be reachable from the network, open the firewall for it:
# firewall-cmd --zone=public --permanent --add-service=ldap
# firewall-cmd --reload
Never open the port in the router to the WAN.
Add to your backup script:
cd /tmp
slapcat -n 0 -l config.ldif
slapcat -b "dc=example,dc=com" -l data.ldif
tar -czvf ldap-server1.tar.gz *.ldif
rm -f *.ldif
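Both dumps contain password hashes (olcRootPW in the config dump, userPassword values in the data dump), so the backup should never sit world-readable in /tmp, even briefly. The added example below (not the page's own script) does the same export as the snippet above but writes the LDIFs under a private temporary directory with umask 077, produces a dated archive readable only by root, refuses to archive an empty dump, and cleans up the temporary directory even when slapcat fails. The SUFFIX, BACKUP_DIR and SLAPCAT variables, the function names and the RUN_BACKUP switch are this example's own; SLAPCAT can be pointed at a stub so the function can be exercised on a machine without slapd.

```shell
#!/bin/sh
# Added example: a safer version of the page's backup snippet.
# Assumes the suffix from this page; BACKUP_DIR and the archive name are assumptions.
set -eu

SUFFIX=${SUFFIX:-dc=example,dc=com}
BACKUP_DIR=${BACKUP_DIR:-/var/backups/ldap}
SLAPCAT=${SLAPCAT:-slapcat}     # overridable with a stub when testing without slapd

# Archive name for today, e.g. ldap-server1-2024-01-31.tar.gz ($1 = host label)
archive_name() {
    printf 'ldap-%s-%s.tar.gz' "$1" "$(date +%Y-%m-%d)"
}

ldap_backup() {   # $1 = host label; prints the path of the archive written
    umask 077                                    # nothing created here is group/world readable
    mkdir -p "$BACKUP_DIR"
    work=$(mktemp -d)
    trap 'rm -rf "$work"' EXIT                   # remove the plain LDIFs even on failure
    $SLAPCAT -n 0 -l "$work/config.ldif"         # database 0 is cn=config
    $SLAPCAT -b "$SUFFIX" -l "$work/data.ldif"   # the directory data
    # An empty dump means slapcat failed quietly; do not archive it as a "backup".
    if [ ! -s "$work/config.ldif" ] || [ ! -s "$work/data.ldif" ]; then
        echo "empty LDIF dump, no archive written" >&2
        return 1
    fi
    out="$BACKUP_DIR/$(archive_name "$1")"
    tar -czf "$out" -C "$work" config.ldif data.ldif
    chmod 0600 "$out"
    rm -rf "$work"
    trap - EXIT
    printf '%s\n' "$out"
}

# Run only when explicitly requested: RUN_BACKUP=yes sh ldap-backup.sh server1
if [ "${RUN_BACKUP:-}" = "yes" ]; then ldap_backup "${1:-server1}"; fi
```

Dated archive names keep more than one generation, so a backup taken after an accidental deletion does not overwrite the only good copy; restoring is the reverse of the export (slapadd -n 0 for the config, slapadd -b for the data) on a stopped slapd.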
LDAPS
Manage users and groups
Changing root password