How to Set Up LDAP Authentication with OpenLDAP on CentOS 7

Introduction

OpenLDAP is an open-source implementation of the Lightweight Directory Access Protocol (LDAP) that provides directory services to network clients.

You can use the directory server to store organizational information in one central location and make it available to applications and users over LDAP.

Records may be searched, read and modified according to the permissions you give your users on the network.

OpenLDAP is mainly used to provide network-based authentication services to users.

Before You Get Started

This guide assumes that you are familiar with the LDAP protocol, OpenLDAP and the terminology they use.

Steps

Ensure that the server and the client (VPS or dedicated server) can resolve each other's host names. Open the hosts file on both nodes and add the host names with their IP addresses, replacing the IP addresses with your own.

$ vim /etc/hosts
192.168.56.104        server.hostadvice.local
192.168.56.105        client.hostadvice.local

On your LDAP server (dedicated or virtual), create a folder to hold your LDIF files.

$ mkdir ldap-scripts
$ cd ldap-scripts

Using your favorite editor, create an LDIF file describing the new user and paste in the following entry. Make sure to replace the domain components (dc=hostadvice,dc=local) with your own.

$ vim linuxuser.ldif
dn: uid=linuxuser,ou=People,dc=hostadvice,dc=local
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: linuxuser
uid: linuxuser
uidNumber: 9998
gidNumber: 100
homeDirectory: /home/linuxuser
loginShell: /bin/bash
gecos: Linuxuser [Admin (at) HostAdvice]
userPassword: {crypt}x
shadowLastChange: 17058
shadowMin: 0
shadowMax: 99999
shadowWarning: 7

Once created, you can add the user to your database by using the following command:

$ ldapadd -x -W -D "cn=ldapadm,dc=hostadvice,dc=local" -f linuxuser.ldif
Enter LDAP Password: 
adding new entry "uid=linuxuser,ou=People,dc=hostadvice,dc=local"

You can verify that the user was added by searching for the new entry:

$ ldapsearch -x cn=linuxuser -b dc=hostadvice,dc=local
# extended LDIF
#
# LDAPv3
# base <dc=hostadvice,dc=local> with scope subtree
# filter: cn=linuxuser
# requesting: ALL
#

# linuxuser, People, hostadvice.local
dn: uid=linuxuser,ou=People,dc=hostadvice,dc=local
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: linuxuser
uid: linuxuser
uidNumber: 9998
gidNumber: 100
homeDirectory: /home/linuxuser
loginShell: /bin/bash
gecos: Linuxuser [Admin (at) HostAdvice]
shadowLastChange: 17058
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
userPassword:: e1NTSEF9eVoraStkZTc4dW94TmY2NmJ3WWx0YmRUU1dsSnRud3U=

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Set the new user's password with ldappasswd (the LDIF above only carried the {crypt}x placeholder):

$ ldappasswd -s pa55word@HostAdvice -W -D "cn=ldapadm,dc=hostadvice,dc=local" -x "uid=linuxuser,ou=People,dc=hostadvice,dc=local"

Note that -s puts the new password on the command line, where it is visible in shell history and process listings; -S prompts for it instead.
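Before handing out the account it is worth confirming that the directory stores a salted hash for the user, not the {crypt}x placeholder from the LDIF template or a cleartext value. The helper below is an added example, not part of this tutorial: it reads an ldapsearch LDIF dump from stdin (here a constructed sample built from the search result above, plus an invented second entry that still carries the placeholder), decodes the base64 userPassword:: values, and reports each entry's storage scheme. The function names and the rule that only {SSHA}-style schemes pass are assumptions made for this example; on a real server, pipe a privileged ldapsearch of the People subtree into ldif_password_schemes.

```shell
#!/bin/sh
# Audit helper (added example, not from the tutorial): report the password
# storage scheme of every entry in an ldapsearch LDIF dump read from stdin.

# Constructed sample: the search result from the tutorial, plus a made-up
# second entry whose password is still the "{crypt}x" template placeholder.
SAMPLE_LDIF='dn: uid=linuxuser,ou=People,dc=hostadvice,dc=local
uid: linuxuser
userPassword:: e1NTSEF9eVoraStkZTc4dW94TmY2NmJ3WWx0YmRUU1dsSnRud3U=

dn: uid=placeholder,ou=People,dc=hostadvice,dc=local
uid: placeholder
userPassword: {crypt}x
'

# Join LDIF continuation lines: a line beginning with one space continues
# the previous attribute value, so long base64 values arrive wrapped.
ldif_unfold() {
    sed -e ':a' -e 'N' -e '$!ba' -e 's/\n //g'
}

# Print "<uid> <scheme>" for one value: the {...} prefix of an RFC 2307
# style hash, or "cleartext" when the value has no scheme prefix at all.
report_scheme() {
    case "$2" in
        "{"*"}"*) scheme=${2#\{}; scheme=${scheme%%\}*}; printf '%s %s\n' "$1" "$scheme" ;;
        *)        printf '%s cleartext\n' "$1" ;;
    esac
}

# Walk the LDIF on stdin. "userPassword::" (two colons) carries a base64
# value that must be decoded first; "userPassword:" carries a literal one.
ldif_password_schemes() {
    ldif_unfold | while IFS= read -r line; do
        case "$line" in
            "uid: "*)           uid=${line#uid: } ;;
            "userPassword:: "*) value=$(printf '%s' "${line#userPassword:: }" | base64 -d 2>/dev/null)
                                report_scheme "$uid" "$value" ;;
            "userPassword: "*)  report_scheme "$uid" "${line#userPassword: }" ;;
        esac
    done
}

# Exit 0 only when every entry uses a salted SHA scheme ({SSHA}, {SSHA256},
# ...). The {crypt}x placeholder or a cleartext value means ldappasswd has
# not been run for that entry yet. (Policy is an assumption for this example.)
check_all_hashed() {
    ldif_password_schemes | awk '
        $2 !~ /^SSHA/ { bad = 1; print "WARN:", $1, "uses", $2 }
        END { exit bad }
    '
}

# Stand-alone run over the constructed sample.
printf '%s' "$SAMPLE_LDIF" | check_all_hashed
```

The sample run prints "WARN: placeholder uses crypt" and exits non-zero, while the linuxuser entry passes because its decoded value begins with {SSHA}.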

Configure Client

On the client VPS, you need to install the OpenLDAP client packages and dependencies.

$ yum install -y openldap-clients nss-pam-ldapd

The client then needs to be configured to authenticate against the LDAP server. Replace the server IP address and the base DN with your own. The --enablemkhomedir option creates the user's home directory the first time the user logs in with the LDAP password.

$ authconfig --enableldap --enableldapauth --ldapserver=192.168.56.104 --ldapbasedn="dc=hostadvice,dc=local" --enablemkhomedir --update
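As called above, authconfig writes an /etc/nslcd.conf whose uri is plain ldap://, so the user's password crosses the network unencrypted unless TLS is turned on (--enableldaptls for StartTLS, or an ldaps:// server URL). The check below is an added example, not from this tutorial or from the nslcd project: it compares a constructed copy of that unencrypted configuration with a hardened variant (the ssl start_tls, tls_reqcert demand and tls_cacertfile lines, including the CA path, are assumptions for this example) and fails on the former. Because it reads the file from stdin, running nslcd_transport_ok with /etc/nslcd.conf redirected in checks a real client.

```shell
#!/bin/sh
# Added example, not from the tutorial: does an nslcd.conf protect the
# LDAP transport? Both configs below are constructed for this check.

# Roughly what "authconfig --enableldap --enableldapauth" produces, no TLS.
NSLCD_PLAIN='uid nslcd
gid ldap
uri ldap://192.168.56.104/
base dc=hostadvice,dc=local
'

# Hardened variant: StartTLS on the same URI plus certificate checking.
# The CA file path is a placeholder for this example.
NSLCD_TLS='uid nslcd
gid ldap
uri ldap://192.168.56.104/
base dc=hostadvice,dc=local
ssl start_tls
tls_reqcert demand
tls_cacertfile /etc/openldap/cacerts/ca.crt
'

# Print the value of the first occurrence of a directive read from stdin.
# Comment lines never match because their first field starts with "#".
nslcd_get() {
    awk -v key="$1" '$1 == key { sub(/^[^ \t]+[ \t]+/, ""); print; exit }'
}

# Return 0 when the config on stdin protects the transport, 1 otherwise.
# Either an ldaps:// URI or "ssl start_tls" counts as encrypted, and in
# both cases tls_reqcert must be "demand" so a forged server certificate
# (a man-in-the-middle) is rejected rather than silently accepted.
nslcd_transport_ok() {
    conf=$(cat)
    uri=$(printf '%s\n' "$conf" | nslcd_get uri)
    ssl=$(printf '%s\n' "$conf" | nslcd_get ssl)
    reqcert=$(printf '%s\n' "$conf" | nslcd_get tls_reqcert)

    encrypted=0
    case "$uri" in
        ldaps://*) encrypted=1 ;;
    esac
    if [ "$ssl" = "start_tls" ]; then
        encrypted=1
    fi

    if [ "$encrypted" -ne 1 ]; then
        echo "WARN: uri '$uri' without StartTLS: passwords cross the network in cleartext" >&2
        return 1
    fi
    if [ "$reqcert" != "demand" ]; then
        echo "WARN: tls_reqcert is '${reqcert:-unset}': server certificate is not verified" >&2
        return 1
    fi
    return 0
}

# Stand-alone run over both constructed configs.
printf '%s' "$NSLCD_PLAIN" | nslcd_transport_ok && echo "plain config: OK" || echo "plain config: FAIL"
printf '%s' "$NSLCD_TLS" | nslcd_transport_ok && echo "tls config: OK" || echo "tls config: FAIL"
```

The plain configuration fails with the cleartext warning; the TLS variant passes only because it also sets tls_reqcert demand, since StartTLS without certificate verification still lets an attacker on the path present their own certificate.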

Confirm that the client can resolve the LDAP user by querying NSS for the username:

$ getent passwd linuxuser
linuxuser:x:9998:100:Linuxuser [Admin (at) HostAdvice]:/home/linuxuser:/bin/bash

You can now log in as the new user:

$ su - linuxuser

Conclusion

If you have completed these steps without errors, you have just learned how to add a new user on the LDAP server. The client has been configured to authenticate users against the LDAP server with the password set there.

You can now try adding more users with different permission levels. With OpenLDAP, you can also migrate local users to its database without having to enter them one by one.
