Introduction
The LDAP protocol lets clients locate organizations, individuals and other resources over the internet or within an organization's intranet using TCP/IP. The directory is arranged in a hierarchical structure:
- The root, which branches into
- Countries, which branch into
- Organizations, which branch into
- Organizational units, which finally branch into
- Individuals (including files, directories and other resources)
OpenLDAP is an open-source implementation of the LDAP protocol. It is an optimized non-relational database, essentially a directory or address book, that can stand in for a domain controller by providing controlled access to backend services such as Samba.
Prerequisite
- CentOS 7 installed on your machine
- A non-root user with sudo privileges
- Apache and PHP installed. For instructions, see How to Install the LAMP Stack on Your CentOS 7 VPS or Dedicated Server
Steps
Update System Packages
$ sudo yum update
Install OpenLDAP services
$ sudo yum install openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel compat-openldap
Start the LDAP services
$ sudo systemctl enable slapd
$ sudo systemctl start slapd
Create a new password
$ sudo slappasswd
Special Note: save the hashed password that slappasswd prints; you will need it later.
Configure OpenLDAP
Create a file called db.ldif using your favorite text editor and paste in the content below. In this guide the domain is example.hostadvice.local; replace the dc and cn values in the following configuration with your own. olcRootPW must be the {SSHA} hash printed by slappasswd, never the cleartext password:
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=example,dc=hostadvice,dc=local

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=ldapadm,dc=example,dc=hostadvice,dc=local

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: hashed_output_from_the_slappasswd_command
Deploy the following configuration:
$ sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f db.ldif
Restrict access to the monitor database to the ldapadm user (plus the local root user connecting over the ldapi socket) and deny everyone else. Create another file called monitor.ldif and paste in the contents below. Remember to replace the dc and cn names.
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=ldapadm,dc=example,dc=hostadvice,dc=local" read by * none
Deploy the configuration:
$ sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f monitor.ldif
For secure communication, we will generate a self-signed certificate and a private key:
$ sudo openssl req -new -x509 -nodes -out /etc/openldap/certs/myldap.example.hostadvice.local.cert -keyout /etc/openldap/certs/myldap.example.hostadvice.local.key -days 365
Follow the prompts, filling in your details.
Make the ldap service user the owner of the certs folder so that slapd can read the certificate and key:
$ sudo chown -R ldap:ldap /etc/openldap/certs
Configure OpenLDAP to use the certificate and key for TLS. Create a file called certs.ldif and paste in the following contents, replacing the cert and key names with yours:
dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/myldap.example.hostadvice.local.cert

dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/myldap.example.hostadvice.local.key
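Before pointing slapd at the files, it is worth confirming that the certificate really belongs to the private key and that the key is not readable by other accounts on the host. The script below is an added example and is not part of the original tutorial; it reads the two paths out of certs.ldif (the file name and attribute names above are assumed), compares the public key embedded in the certificate with the one derived from the private key, and checks the key's permission bits. It needs openssl and stat; the stat flags cover GNU coreutils and BSD.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: check the certificate and
# key named in certs.ldif before slapd is told to use them. Assumes the paths
# from certs.ldif above; pass another LDIF file as the argument if needed.
# Usage: sh check_tls.sh certs.ldif

# 0 when the certificate was issued for exactly this private key: the
# SubjectPublicKeyInfo in the cert must equal the public half of the key.
cert_matches_key() {
    cpub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
    kpub=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
    [ -n "$cpub" ] && [ "$cpub" = "$kpub" ]
}

# 0 when the private key has no group/other permission bits (e.g. mode 600).
# stat -c is GNU coreutils; stat -f is the BSD/macOS fallback.
key_is_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) || return 1
    case "$mode" in
        *00) return 0 ;;
        *)  echo "key $1 has mode $mode; group/other bits should be 0"; return 1 ;;
    esac
}

# Read the two paths out of certs.ldif and run both checks.
check_certs_ldif() {
    cert=$(sed -n 's/^olcTLSCertificateFile: *//p' "$1" | head -n 1)
    key=$(sed -n 's/^olcTLSCertificateKeyFile: *//p' "$1" | head -n 1)
    [ -r "$cert" ] || { echo "certificate not readable: $cert"; return 1; }
    [ -r "$key" ]  || { echo "key not readable: $key"; return 1; }
    cert_matches_key "$cert" "$key" || { echo "certificate and key do not match"; return 1; }
    key_is_private "$key"
}

if [ "$#" -eq 1 ]; then
    check_certs_ldif "$1" && echo "TLS files look consistent"
fi
```

Run it as root (or as the ldap user) so the readability checks reflect what slapd will see. Once it passes, apply certs.ldif the same way as the earlier files, with ldapmodify -Y EXTERNAL -H ldapi:/// -f certs.ldif; the tutorial text above does not show that step.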
Setting up the Database
Copy the example database configuration file into place and give the ldap user ownership of the data directory:
$ sudo cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
$ sudo chown -R ldap:ldap /var/lib/ldap
Add the database schemas as follows:
$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
Lastly, create a base.ldif file for the domain and write the following, replacing the dc values with your own:
dn: dc=example,dc=hostadvice,dc=local
dc: example
objectClass: top
objectClass: domain

dn: cn=ldapadm,dc=example,dc=hostadvice,dc=local
objectClass: organizationalRole
cn: ldapadm
description: LDAP Manager

dn: ou=People,dc=example,dc=hostadvice,dc=local
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=example,dc=hostadvice,dc=local
objectClass: organizationalUnit
ou: Group
Load these entries as the ldapadm user; you will be prompted for the password you hashed earlier:
$ ldapadd -x -W -D "cn=ldapadm,dc=example,dc=hostadvice,dc=local" -f base.ldif
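The two hand-written files from this procedure, db.ldif and base.ldif, have to agree with each other: the olcSuffix set in cn=config must be exactly the DN of the first entry in base.ldif, olcRootDN must sit under that suffix, and olcRootPW must hold the slappasswd hash rather than the placeholder text or a cleartext password. The script below is an added example and is not the tutorial's own code; it checks those three points offline, before anything is sent to slapd. It assumes the file names used above and plain POSIX tools (sed, head, base64 -d for the rare LDIF "::" base64-encoded value).

```shell
#!/bin/sh
# Added example, not part of the original tutorial: offline sanity checks on
# db.ldif and base.ldif before they are applied with ldapmodify/ldapadd.
# Assumes the file names used above; pass other paths as arguments.
# Usage: sh check_ldif.sh db.ldif base.ldif

# Print the value of the first occurrence of attribute $2 in LDIF file $1.
# A "::" line carries a base64 value; it is decoded (base64 -d assumed).
ldif_attr() {
    v=$(sed -n "s/^$2: *//p" "$1" | head -n 1)
    case "$v" in
        :*) printf '%s' "$v" | sed 's/^: *//' | base64 -d ;;
        *)  printf '%s' "$v" ;;
    esac
}

# db.ldif: rootDN must sit under the suffix, and rootPW must be the hash that
# slappasswd printed, never the cleartext password or the placeholder text.
check_db_ldif() {
    f=$1
    suffix=$(ldif_attr "$f" olcSuffix)
    rootdn=$(ldif_attr "$f" olcRootDN)
    rootpw=$(ldif_attr "$f" olcRootPW)
    [ -n "$suffix" ] || { echo "db.ldif: olcSuffix missing"; return 1; }
    case "$rootdn" in
        *",$suffix") ;;
        *) echo "db.ldif: olcRootDN '$rootdn' is not under olcSuffix '$suffix'"; return 1 ;;
    esac
    case "$rootpw" in
        "{SSHA}"*|"{SHA}"*|"{CRYPT}"*) ;;
        *) echo "db.ldif: olcRootPW is not a slappasswd hash"; return 1 ;;
    esac
}

# base.ldif: its first entry must be exactly the suffix configured in db.ldif,
# otherwise slapd rejects the add with "no such object"/"naming violation".
check_base_ldif() {
    db=$1; base=$2
    suffix=$(ldif_attr "$db" olcSuffix)
    basedn=$(ldif_attr "$base" dn)
    [ "$basedn" = "$suffix" ] ||
        { echo "base.ldif: first DN '$basedn' != olcSuffix '$suffix'"; return 1; }
}

if [ "$#" -eq 2 ]; then
    check_db_ldif "$1" && check_base_ldif "$1" "$2" && echo "LDIF files look consistent"
fi
```

The suffix and rootDN comparisons are plain string matches, so keep the same spelling and spacing of the DN in both files; slapd normalizes DNs, but a typo in one file still leaves the directory with a root entry that cannot be bound to or searched as intended.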
Conclusion
If none of the commands returned an error, you have successfully installed OpenLDAP on CentOS 7 and can start adding users to the server. An LDAP server is easier to manage through a GUI, so make sure to check out How to Install and Configure phpLDAP on CentOS 7 / Ubuntu 18.04.