Rob's web

LDAP server

The Lightweight Directory Access Protocol (LDAP) is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network. Directory services play an important role in developing intranet and Internet applications by allowing the sharing of information about users, systems, networks, services, and applications throughout the network. As examples, directory services may provide any organized set of records, often with a hierarchical structure, such as a corporate email directory. Similarly, a telephone directory is a list of subscribers with an address and a phone number.

LDAP is specified in a series of Internet Engineering Task Force (IETF) Standard Track publications called Request for Comments (RFCs), using the description language ASN.1. The latest specification is Version 3, published as RFC 4511 (a road map to the technical specifications is provided by RFC 4510).

A common use of LDAP is to provide a central place to store usernames and passwords. This allows many different applications and services to connect to the LDAP server to validate users.

LDAP is based on a simpler subset of the standards contained within the X.500 standard. Because of this relationship, LDAP is sometimes called X.500-lite.

Warning

Be sure to change dc=example,dc=com to your own domain after you copy/paste the example strings and before you hit the <Enter> key.

Installation

# dnf install openldap openldap-servers openldap-clients

Moving the database

First we prepare the new location.

# cd /srv
# mkdir ldap

Dump the content of the cn=config branch into an LDIF file with slapcat, then stop the server and move the database files:

# slapcat -b cn=config > /root/config.ldif
# systemctl stop slapd
# cd /var/lib/ldap
# ll
// If the directory is not empty, move the database files
# mv * /srv/ldap/
# cd /srv/
# chown -R ldap:ldap ldap/
# chcon -R system_u:object_r:slapd_db_t:s0 ldap/

Edit the previously exported LDIF to modify the olcDbDirectory to the new location /srv/ldap. Also change dc=my-domain,dc=com to your domain.

# cd ~
# vi config.ldif
# rm -Rf /etc/openldap/slapd.d/*
# slapadd -F /etc/openldap/slapd.d -b cn=config -l config.ldif

Make sure /etc/openldap/slapd.d and all its content are owned by the ldap user and carry the right SELinux context.

# chown -R ldap:ldap /etc/openldap/slapd.d/
# chcon system_u:object_r:slapd_db_t:s0 -R /etc/openldap/slapd.d/
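The edit of config.ldif above is done by hand in vi; the following added example (not part of the original page) does the same rewrite non-interactively and refuses to produce a file that slapadd would load with a wrong database path or a leftover placeholder suffix. The function name rewrite_config_ldif and its arguments are this example's own choices; the paths in the usage comment follow the page.

```shell
#!/bin/bash
# Added example: rewrite the exported cn=config LDIF without opening it in vi.
# rewrite_config_ldif is a name chosen for this example; it is not an OpenLDAP tool.
set -eu

rewrite_config_ldif() {
    # $1 exported LDIF (from slapcat -b cn=config), $2 rewritten LDIF to feed slapadd,
    # $3 new olcDbDirectory, $4 suffix as exported, $5 the suffix you actually use
    local in="$1" out="$2" new_dir="$3" old_suffix="$4" new_suffix="$5"

    # Refuse to point slapd at a directory that does not exist yet.
    if [ ! -d "$new_dir" ]; then
        echo "rewrite_config_ldif: $new_dir is not a directory" >&2
        return 1
    fi

    # Change the mdb directory and every occurrence of the placeholder suffix
    # (olcSuffix, olcRootDN and any olcAccess rule that names it).
    sed -e "s|^olcDbDirectory: .*|olcDbDirectory: $new_dir|" \
        -e "s#$old_suffix#$new_suffix#g" "$in" > "$out"

    # Sanity checks before the result is loaded with slapadd:
    # exactly one database directory line, and no trace of the old suffix.
    [ "$(grep -cFx "olcDbDirectory: $new_dir" "$out")" -eq 1 ] || {
        echo "rewrite_config_ldif: expected exactly one olcDbDirectory line" >&2
        return 1
    }
    if grep -qF "$old_suffix" "$out"; then
        echo "rewrite_config_ldif: old suffix still present" >&2
        return 1
    fi
}

# Usage on the server (the paths follow the page):
#   rewrite_config_ldif /root/config.ldif /root/config-new.ldif /srv/ldap \
#       dc=my-domain,dc=com dc=example,dc=com
#   slapadd -F /etc/openldap/slapd.d -b cn=config -l /root/config-new.ldif
```

Run it after /srv/ldap has been created and chowned; the directory check is there because slapd will not start against a missing database directory, and the suffix check catches the case where the exported file used a different placeholder than the one you passed.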

Enable and Start the LDAP Service

First start the daemon and, if it starts without errors, enable the service.

# systemctl start slapd
# systemctl enable slapd

Configure OpenLDAP

After installation, configure the LDAP administrator password by generating a hashed password:

# slappasswd
New password:
Re-enter new password:
{SSHA}vHEq........
# vi db.ldif

Include the following content, adjusting the domain components (dc) to reflect your domain. Insert the hashed password from slappasswd in place of YourHashedPasswordHere.

dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=example,dc=com

dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=admin,dc=example,dc=com

dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: YourHashedPasswordHere

Apply the changes with the ldapmodify command:

# ldapmodify -Y EXTERNAL -H ldapi:/// -f db.ldif

Add basic schemas

Now, add the basic schema to the LDAP directory:

# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

To verify that the schemas were loaded, use the ldapsearch command to list the schema entries under cn=config.

# ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config dn
dn: cn=schema,cn=config

dn: cn={0}core,cn=schema,cn=config

dn: cn={1}cosine,cn=schema,cn=config

dn: cn={2}nis,cn=schema,cn=config

dn: cn={3}inetorgperson,cn=schema,cn=config
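Reading that list by eye works once, but a script that is rerun after every change is more reliable. The following added example (not part of the original page) parses the saved ldapsearch output and reports any expected schema that is missing. The names loaded_schemas and check_schemas are this example's own.

```shell
#!/bin/bash
# Added example: check that every schema you expect is really loaded, by parsing
# the output of the ldapsearch command above. loaded_schemas and check_schemas
# are names chosen for this example, not OpenLDAP tools.
set -eu

# Print the bare schema names from "dn: cn={N}name,cn=schema,cn=config" lines on
# stdin, dropping the {N} ordering prefix slapd adds.
loaded_schemas() {
    sed -n 's/^dn: cn={[0-9]*}\([^,]*\),cn=schema,cn=config$/\1/p'
}

# check_schemas FILE NAME... : FILE holds the saved ldapsearch output; every NAME
# must appear in it. Returns 1 if any schema is missing.
check_schemas() {
    local file="$1"; shift
    local loaded name missing=0
    loaded=$(loaded_schemas < "$file")
    for name in "$@"; do
        if printf '%s\n' "$loaded" | grep -qx "$name"; then
            echo "loaded:  $name"
        else
            echo "MISSING: $name" >&2
            missing=1
        fi
    done
    return "$missing"
}

# Usage on the server: save the search, then test for the schemas this page adds.
#   ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config dn > /root/schemas.txt
#   check_schemas /root/schemas.txt core cosine nis inetorgperson
```

The {N} prefix is stripped because it only records load order and changes between installations; matching on the bare name keeps the check portable.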

Add Base and Organizational Units

To check existing OUs, use the following command:

# ldapsearch -x -LLL -b dc=example,dc=com "(objectClass=organizationalUnit)" dn
No such object (32)

Because this is a new installation there is no OU configured yet; result code 32 (noSuchObject) means the base entry dc=example,dc=com itself does not exist.

Add the base unit

First let's create and add a base DN. Create base.ldif with the following content:

# vi base.ldif

dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: Example Organization
dc: example

Add the base DN:

# ldapadd -x -D "cn=admin,dc=example,dc=com" -W -f base.ldif

Enter the admin password you created earlier when prompted.

You should now have a basic OpenLDAP server set up. You can extend the configuration by adding more organizational units, entries, and attributes as required for your directory service.

LDAP services should be available from now on.

Firewall

When the LDAP service must be reachable from the network, open the firewall.

# firewall-cmd --zone=public --permanent --add-service=ldap
# firewall-cmd --reload

Never forward the port on the router to the WAN.

Backing up

Add to your backup script:

cd /tmp
slapcat -n 0 -l config.ldif
slapcat -b "dc=example,dc=com" -l data.ldif
tar -czvf ldap-server1.tar.gz *.ldif
rm -f *.ldif
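Both slapcat dumps contain secrets: config.ldif carries olcRootPW and data.ldif carries every userPassword hash. Written into a shared /tmp with the default umask, they are readable by every local user until the rm runs, and they are left behind if slapcat or tar fails. The following added example (not part of the original page) keeps the same two dumps but creates them in a private directory with mode 600, removes them even on failure, and checks the archive before reporting success. backup_ldap and the SLAPCAT override variable are this example's own names; the archive path in the usage comment is assumed.

```shell
#!/bin/bash
# Added example: a safer form of the backup step. slapcat dumps contain olcRootPW
# and every userPassword hash, so the LDIF files must not be world-readable in a
# shared /tmp, and the plaintext dumps must not be left behind.
# backup_ldap and the SLAPCAT override are names chosen for this example.
set -eu

SLAPCAT="${SLAPCAT:-slapcat}"   # override hook for testing; normally the real slapcat

# backup_ldap SUFFIX ARCHIVE : dump cn=config and the directory under SUFFIX into
# ARCHIVE (a .tar.gz readable only by its owner).
backup_ldap() {
    local suffix="$1" archive="$2"
    (
        umask 077                         # files created below are mode 600/700
        work=$(mktemp -d)                 # private, unpredictable scratch directory
        trap 'rm -rf "$work"' EXIT        # plaintext dumps are removed even on failure
        "$SLAPCAT" -n 0 -l "$work/config.ldif"          # database 0 = cn=config
        "$SLAPCAT" -b "$suffix" -l "$work/data.ldif"    # your directory data
        tar -czf "$archive" -C "$work" config.ldif data.ldif
    ) || return 1
    chmod 600 "$archive"
    # Do not trust the backup until the archive lists both dumps.
    [ "$(tar -tzf "$archive" | wc -l | tr -d ' ')" -eq 2 ]
}

# Usage in a backup script (the suffix follows the page; the destination path is assumed):
#   backup_ldap dc=example,dc=com /root/backup/ldap-server1.tar.gz
```

The subshell keeps umask 077 and the EXIT trap local to the backup, so the rest of your backup script is unaffected; the destination should itself be a directory only root can read, because the archive is as sensitive as the dumps it contains.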

Adding functions

LDAPS
Manage users and groups
Changing root password

Links