Install and Configure OpenLDAP server on Fedora 29


This guide will take you through the steps required to install and configure OpenLDAP server on Fedora 29. As you already know, OpenLDAP is an implementation of the Lightweight Directory Access Protocol (LDAP). It provides a central management point for user information.

Install and Configure OpenLDAP server on Fedora 29

Update and upgrade your system packages;

dnf update
dnf upgrade

To install LDAP server on Fedora 29, run the command below;

dnf install openldap-clients openldap-servers

Start the OpenLDAP server service and enable it so that it comes up on system reboot.

systemctl enable slapd
systemctl start slapd

Configure OpenLDAP server on Fedora 29

Set the OpenLDAP administrator password.

This can be done using the slappasswd command, which generates a salted password hash.

slappasswd 
New password: password
Re-enter new password: password 
{SSHA}MI/malE7t763EWw7YiRzXsojGETmqMJq

You can also generate the hash in a one-line command: slappasswd -h {SHA} -s password. Replace 'password' with your password. Note that {SHA} is an unsalted scheme; the default {SSHA} output shown above is preferable, and passing the password with -s leaves it in your shell history.

Save the generated hash since we will require it in a moment.

Configure OpenLDAP database

To begin with, copy the sample OpenLDAP database configuration, renaming it as follows;

cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

Set the ownership of the LDAP database directory to the ldap user.

chown -R ldap:ldap /var/lib/ldap

Import OpenLDAP basic schemas

Navigate to OpenLDAP schemas directory and import the cosine, nis and inetorgperson schemas.

cd /etc/openldap/schema
for schema in cosine.ldif nis.ldif inetorgperson.ldif; do ldapadd -Y EXTERNAL -H ldapi:/// -f $schema; done
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"

Update the OpenLDAP database configuration file by modifying the values of the following attributes;

  • olcSuffix – set the value to your base domain
  • olcRootDN – set the value to your LDAP domain administrative entry
  • olcRootPW – This is set to your LDAP admin password generated above.

Also, configure the access control list for the LDAP monitor backend (olcDatabase={1}monitor) and the primary database backend (olcDatabase={2}mdb).

All these modifications can be implemented using a single ldif file as shown below;

vim mod_domain.ldif
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
  read by dn.base="cn=Manager,dc=example,dc=com" read by * none

dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=example,dc=com

dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=example,dc=com

dn: olcDatabase={2}mdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}MI/malE7t763EWw7YiRzXsojGETmqMJq

dn: olcDatabase={2}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by
  dn="cn=Manager,dc=example,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=example,dc=com" write by * read

These modifications can be implemented using the ldapmodify command.

ldapmodify -Y EXTERNAL -H ldapi:/// -f mod_domain.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}monitor,cn=config"

modifying entry "olcDatabase={2}mdb,cn=config"

modifying entry "olcDatabase={2}mdb,cn=config"

modifying entry "olcDatabase={2}mdb,cn=config"

modifying entry "olcDatabase={2}mdb,cn=config"

You can use ldapsearch command to verify this.

ldapsearch  -Y EXTERNAL -H ldapi:/// -b cn=config olcDatabase={2}mdb -LLL
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: olcDatabase={2}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {2}mdb
olcDbDirectory: /var/lib/ldap
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
olcSuffix: dc=example,dc=com
olcRootDN: cn=Manager,dc=example,dc=com
olcRootPW: {SSHA}MI/malE7t763EWw7YiRzXsojGETmqMJq
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=Manager,dc=exam
 ple,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=example,dc=com" write by * read
ldapsearch  -Y EXTERNAL -H ldapi:/// -b cn=config olcDatabase={1}monitor -LLL
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: olcDatabase={1}monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {1}monitor
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external
 ,cn=auth" read by dn.base="cn=Manager,dc=example,dc=com" read by * none
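The mod_domain.ldif above hard-codes the suffix, the manager DN and the hash, and uses "add:" for olcRootPW and olcAccess, which fails if the file is applied twice. The following shell script is an added example, not part of the original post: it generates the same modifications from BASE_DN, ADMIN_DN and ROOT_PW_HASH variables (all assumed inputs; the default hash is a placeholder), uses "replace:" so the file is safe to re-apply, refuses a root password that is not an {SSHA} hash, and checks that the userPassword rule precedes the catch-all "to *" rule in the mdb database, since slapd evaluates olcAccess rules in order and a catch-all "by * read" placed first would expose password hashes to anonymous searches.

```shell
#!/bin/sh
# Added example (not from the original post): build mod_domain.ldif from
# variables and sanity-check it before it is handed to ldapmodify.

# Assumed inputs; override from the environment. The hash default is a
# placeholder, replace it with the {SSHA} value slappasswd printed.
BASE_DN=${BASE_DN:-dc=example,dc=com}
ADMIN_DN=${ADMIN_DN:-cn=Manager,$BASE_DN}
if [ -z "${ROOT_PW_HASH:-}" ]; then ROOT_PW_HASH='{SSHA}REPLACE_WITH_SLAPPASSWD_OUTPUT'; fi

# check_hash: accept only a salted SHA hash as printed by slappasswd, so a
# plaintext or unsalted {SHA} value cannot land in cn=config by accident.
check_hash() {
    case "$1" in
        "{SSHA}"*) return 0 ;;
        *) return 1 ;;
    esac
}

# gen_ldif: print the modify records for the monitor and mdb databases.
# "replace:" is used instead of "add:" so the file can be re-applied.
gen_ldif() {
    cat <<EOF
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="$ADMIN_DN" read by * none

dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: $BASE_DN
-
replace: olcRootDN
olcRootDN: $ADMIN_DN
-
replace: olcRootPW
olcRootPW: $ROOT_PW_HASH
-
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="$ADMIN_DN" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="$ADMIN_DN" write by * read
EOF
}

# acl_order_ok LDIF: within the {2}mdb record, the userPassword rule must
# come before the catch-all "to *" rule; the first matching rule wins.
acl_order_ok() {
    printf '%s\n' "$1" | awk '
        /^dn: / { indb = (index($0, "olcDatabase={2}mdb") > 0) }
        indb && /^olcAccess: / {
            n++
            if ($0 ~ /attrs=userPassword/) pw = n
            if ($0 ~ /to \* by/) all = n
        }
        END { exit !(pw && all && pw < all) }'
}

main() {
    check_hash "$ROOT_PW_HASH" || { echo "olcRootPW must be a {SSHA} hash from slappasswd" >&2; return 1; }
    ldif=$(gen_ldif)
    acl_order_ok "$ldif" || { echo "unsafe olcAccess order in generated LDIF" >&2; return 1; }
    printf '%s\n' "$ldif" > mod_domain.ldif
    echo "wrote mod_domain.ldif; apply with: ldapmodify -Y EXTERNAL -H ldapi:/// -f mod_domain.ldif"
}

# Only write the file when invoked as: sh gen_mod_domain.sh generate
if [ "${1:-}" = "generate" ]; then main; fi
```

Run it with ROOT_PW_HASH set to the slappasswd output and the "generate" argument; the same acl_order_ok check can be run over the ldapsearch output shown above to confirm the live configuration has the expected ordering.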

Create the base domain and add it to LDAP to create your directory. Replace the domain entries appropriately.

vim basedn.ldif
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: Example Com
dc: example

dn: cn=Manager,dc=example,dc=com
objectClass: organizationalRole
cn: Manager
description: LDAP Directory Manager

dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=example,dc=com
objectClass: organizationalUnit
ou: Group

To add the Base domain entry, run the command below;

ldapadd -x -D cn=Manager,dc=example,dc=com -W -f basedn.ldif
Enter LDAP Password: LDAP  manager's password set above

adding new entry "dc=example,dc=com" 

adding new entry "cn=Manager,dc=example,dc=com"

adding new entry "ou=People,dc=example,dc=com"

The OpenLDAP server configuration is about done.

Create OpenLDAP server User Accounts

Generate a password for the user using the slappasswd command;

slappasswd 
New password: 
Re-enter new password: 
{SSHA}QLXFlVsiNY7bLgcwx8yurJqMZVaErD9b

Create an ldif file for specifying user attributes.

vim add_user.ldif
dn: uid=amosm,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: amosm
cn: Amos
sn: Mibey
userPassword: {SSHA}QLXFlVsiNY7bLgcwx8yurJqMZVaErD9b
loginShell: /bin/bash
uidNumber: 10000
gidNumber: 10000
homeDirectory: /home/amosm

dn: cn=amosm,ou=Group,dc=example,dc=com
objectClass: posixGroup
cn: amosm
gidNumber: 10000
memberUid: amosm
ldapadd -x -D cn=Manager,dc=example,dc=com -W -f add_user.ldif 
Enter LDAP Password: 
adding new entry "uid=amosm,ou=People,dc=example,dc=com"

adding new entry "cn=amosm,ou=Group,dc=example,dc=com"
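Writing add_user.ldif by hand for every account invites mistakes: a group cn that does not match its RDN, a uidNumber that collides with an existing account or a system range, or a plaintext userPassword. The script below is an added example, not part of the original post. It validates the user name, requires an {SSHA} hash, picks the next free uidNumber from the uidNumber lines that ldapsearch prints for existing posixAccount entries (a constructed sample is embedded), and prints the user and private-group entries in the same shape as add_user.ldif above. The placeholder hash and the sample accounts are constructed values.

```shell
#!/bin/sh
# Added example (not from the original post): generate the user + group LDIF
# from parameters, after validating them, and allocate the next uidNumber.

# valid_uid_name: portable POSIX user name, lowercase, 1-32 characters.
valid_uid_name() {
    printf '%s' "$1" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'
}

# valid_hash: only accept a salted SHA hash as produced by slappasswd.
valid_hash() {
    case "$1" in "{SSHA}"*) return 0 ;; *) return 1 ;; esac
}

# next_uid_number: read "uidNumber: N" lines on stdin, e.g. from
#   ldapsearch -x -b dc=example,dc=com '(objectClass=posixAccount)' uidNumber -LLL
# and print max+1, never below 10000 so system and local ranges are avoided.
next_uid_number() {
    awk 'BEGIN { max = 9999 }
         /^uidNumber: [0-9]+$/ { if ($2 + 0 > max) max = $2 + 0 }
         END { print max + 1 }'
}

# gen_user_ldif UID CN SN UIDNUMBER HASH [BASE_DN]
# Prints the inetOrgPerson/posixAccount entry and its private posixGroup;
# uid, gidNumber, homeDirectory and the group cn are all derived from UID
# so they cannot drift apart.
gen_user_ldif() {
    uid=$1; cn=$2; sn=$3; num=$4; hash=$5; base=${6:-dc=example,dc=com}
    valid_uid_name "$uid" || { echo "bad user name: $uid" >&2; return 1; }
    valid_hash "$hash"    || { echo "userPassword must be a {SSHA} hash" >&2; return 1; }
    [ "$num" -ge 10000 ] 2>/dev/null || { echo "uidNumber must be >= 10000" >&2; return 1; }
    cat <<EOF
dn: uid=$uid,ou=People,$base
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: $uid
cn: $cn
sn: $sn
userPassword: $hash
loginShell: /bin/bash
uidNumber: $num
gidNumber: $num
homeDirectory: /home/$uid

dn: cn=$uid,ou=Group,$base
objectClass: posixGroup
cn: $uid
gidNumber: $num
memberUid: $uid
EOF
}

# Constructed sample of what ldapsearch returns for two existing accounts.
SAMPLE_SEARCH='dn: uid=amosm,ou=People,dc=example,dc=com
uidNumber: 10000

dn: uid=jdoe,ou=People,dc=example,dc=com
uidNumber: 10003
'

# Demo run: sh gen_user.sh demo > add_user.ldif   (hash is a placeholder)
if [ "${1:-}" = "demo" ]; then
    n=$(printf '%s' "$SAMPLE_SEARCH" | next_uid_number)
    gen_user_ldif janed "Jane Doe" Doe "$n" '{SSHA}REPLACE_WITH_SLAPPASSWD_OUTPUT'
fi
```

In real use, pipe the live ldapsearch output into next_uid_number instead of SAMPLE_SEARCH, then feed the generated file to ldapadd -x -D cn=Manager,dc=example,dc=com -W -f as above.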

To verify that the user is created, you can use ldapsearch command to query its details.

ldapsearch -x uid=amosm -b dc=example,dc=com -LLL
dn: uid=amosm,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: Amos
sn: Mibey
loginShell: /bin/bash
uidNumber: 10000
gidNumber: 10000
homeDirectory: /home/amosm
uid: amosm

Well, that is all it takes to install and configure OpenLDAP server on Fedora 29. It all seems good. Feel free to add more users and explore the full functionality of OpenLDAP. Before we wrap up, open the OpenLDAP server service on the firewall to allow external access.

firewall-cmd --permanent --add-service=ldap
firewall-cmd --reload

All that is left is to configure the LDAP client to authenticate via the OpenLDAP server. We will cover this in our next tutorial. Thank you for reading.
