In this guide, we provide a step-by-step tutorial on how to install and set up OpenLDAP on Rocky Linux 8. If you are here, you already know what an OpenLDAP server is, so describing it is beyond the scope of this tutorial.
Install and Setup OpenLDAP on Rocky Linux 8
Well, Rocky Linux 8 repositories do not have the latest release versions of OpenLDAP.
The available version of OpenLDAP provided by Rocky Linux 8 base repos is OpenLDAP server v2.4.46.
dnf provides openldap
openldap-2.4.46-16.el8.i686 : LDAP support libraries
Repo        : baseos
Matched from:
Provide    : openldap = 2.4.46-16.el8

openldap-2.4.46-16.el8.x86_64 : LDAP support libraries
Repo        : @System
Matched from:
Provide    : openldap = 2.4.46-16.el8

openldap-2.4.46-16.el8.x86_64 : LDAP support libraries
Repo        : baseos
Matched from:
Provide    : openldap = 2.4.46-16.el8
To get the latest version with bug fixes, you need to build it from the source as described in this guide.
Run System Update
To update your system packages, run the command;
dnf update
Install Required Dependencies and Build Tools
There are quite a number of dependencies and build tools required to build and compile OpenLDAP from source successfully. Run the command below to install them.
dnf install cyrus-sasl-devel make libtool autoconf libtool-ltdl-devel openssl-devel libdb-devel tar gcc perl perl-devel wget vim
Install wiredtiger, provided by EPEL-7 repos;
cat > /etc/yum.repos.d/epel-release-7.repo << 'EOF'
[epel-release-7]
name=Extra Packages for Enterprise Linux 7 - x86_64
baseurl=https://dl.fedoraproject.org/pub/epel/7/x86_64/
enabled=0
gpgcheck=0
EOF
dnf --enablerepo=epel-release-7 install wiredtiger wiredtiger-devel
Create OpenLDAP System Account
In this demo, OpenLDAP will run as a non-privileged system user. Run the command below to create the OpenLDAP system user with a custom user ID and group ID;
useradd -r -M -d /var/lib/openldap -u 55 -s /usr/sbin/nologin ldap
Consult man useradd for the description of the command line options used above.
Download OpenLDAP Source Tarball
The latest stable release of OpenLDAP as of this writing is OpenLDAP 2.5.5. However, this version failed to compile with the Password Policy (ppolicy) overlay, for reasons that are unclear.
Thus, in this tutorial, we will use OpenLDAP 2.4.59. Navigate to the OpenLDAP downloads page and grab the tarball.
VER=2.4.59
wget ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/openldap-$VER.tgz
Extract the OpenLDAP Source Tarball
The tarball can be extracted by running the command;
tar xzf openldap-$VER.tgz
Compiling OpenLDAP on Rocky Linux 8
To compile OpenLDAP on Rocky Linux 8, first run the configure script to adapt OpenLDAP to your system and check whether any required dependency is missing before you proceed with the installation.
cd openldap-$VER
The configure script lets you enable or disable various options while building OpenLDAP.
./configure --prefix=/usr --sysconfdir=/etc --disable-static \
--enable-debug --with-tls=openssl --with-cyrus-sasl --enable-dynamic \
--enable-crypt --enable-spasswd --enable-slapd --enable-modules \
--enable-rlookups --enable-backends=mod --disable-ndb --disable-sql \
--enable-ppolicy --enable-syslog --enable-overlays=mod
To learn more about the configuration options, consult;
./configure --help
If the configure script completes with no issues, the last line you should see is;
Please run "make depend" to build dependencies
As the line states, you need to run the make depend command to build the OpenLDAP dependencies.
make depend
Next, compile OpenLDAP on Rocky Linux 8.
make
If you have the time and patience, you can run the test suite to check the OpenLDAP build for errors. You can, however, skip this step.
make test
Install OpenLDAP on Rocky Linux 8
If the compilation of OpenLDAP completes successfully, proceed to install it by running the command;
make install
OpenLDAP configuration files are now installed under /etc/openldap.
ls -1 /etc/openldap/
DB_CONFIG.example
ldap.conf
ldap.conf.default
schema
slapd.conf
slapd.conf.default
slapd.ldif
slapd.ldif.default
The libraries are installed under /usr/libexec/openldap.
Configuring OpenLDAP on Rocky Linux 8
Now that the installation of OpenLDAP is complete, proceed to configure it.
Create OpenLDAP data and database directories
mkdir /var/lib/openldap /etc/openldap/slapd.d
Set the proper ownership and permissions on OpenLDAP directories and configuration files.
chown -R ldap:ldap /var/lib/openldap
chown root:ldap /etc/openldap/slapd.conf
chmod 640 /etc/openldap/slapd.conf
Create OpenLDAP Systemd Service
In order to run OpenLDAP as a service, you need to create a systemd service file as shown below.
cat > /etc/systemd/system/slapd.service << 'EOL'
[Unit]
Description=OpenLDAP Server Daemon
After=syslog.target network-online.target
Documentation=man:slapd
Documentation=man:slapd-mdb

[Service]
Type=forking
PIDFile=/var/lib/openldap/slapd.pid
Environment="SLAPD_URLS=ldap:/// ldapi:/// ldaps:///"
Environment="SLAPD_OPTIONS=-F /etc/openldap/slapd.d"
ExecStart=/usr/libexec/slapd -u ldap -g ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS

[Install]
WantedBy=multi-user.target
EOL
Save and quit the service file. Do not run the service yet.
Create OpenLDAP SUDO Schema
To configure LDAP with sudo support, first check whether your installed version of sudo supports LDAP.
sudo -V | grep -i "ldap"
If sudo supports LDAP, you should see the lines below;
...
ldap.conf path: /etc/sudo-ldap.conf
ldap.secret path: /etc/ldap.secret
Check if LDAP sudo schema is available.
rpm -ql sudo | grep -i schema.openldap
/usr/share/doc/sudo/schema.OpenLDAP
Copy schema.OpenLDAP to the schema directory.
cp /usr/share/doc/sudo/schema.OpenLDAP /etc/openldap/schema/sudo.schema
Next, create the sudo schema LDIF file. Run the command below to create the sudo.ldif file. This LDIF file is obtained from the Lullabot GitHub repository.
cat << 'EOL' > /etc/openldap/schema/sudo.ldif
dn: cn=sudo,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: sudo
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 'Command(s) to be executed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs' DESC 'User(s) impersonated by sudo (deprecated)' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption' DESC 'Options(s) followed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.6 NAME 'sudoRunAsUser' DESC 'User(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.7 NAME 'sudoRunAsGroup' DESC 'Group(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcObjectClasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL DESC 'Sudoer Entries' MUST ( cn ) MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ sudoRunAsGroup $ sudoOption $ description ) )
EOL
Update OpenLDAP SLAPD Database
Replace the contents of the SLAPD LDIF file, /etc/openldap/slapd.ldif, as follows (the original is kept as a backup);
mv /etc/openldap/slapd.ldif /etc/openldap/slapd.ldif.bak
cat > /etc/openldap/slapd.ldif << 'EOL'
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/lib/openldap/slapd.args
olcPidFile: /var/lib/openldap/slapd.pid

dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema

dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/libexec/openldap
olcModuleload: back_mdb.la

include: file:///etc/openldap/schema/core.ldif
include: file:///etc/openldap/schema/cosine.ldif
include: file:///etc/openldap/schema/nis.ldif
include: file:///etc/openldap/schema/inetorgperson.ldif
include: file:///etc/openldap/schema/sudo.ldif
include: file:///etc/openldap/schema/ppolicy.ldif

dn: olcDatabase=frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: frontend
olcAccess: to dn.base="cn=Subschema" by * read
olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * none

dn: olcDatabase=config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: config
olcRootDN: cn=config
olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * none
EOL
- To update the SLAPD database from the information in the SLAPD LDIF file above, use the slapadd command with the option -n 0, which creates the first database.
- To specify the configuration directory, /etc/openldap/slapd.d, use the option -F, and use the option -l to specify the location of the LDIF file above.
Before you write the changes to the database, perform a dry run to see what would happen by passing the -u option to the slapadd command.
slapadd -n 0 -F /etc/openldap/slapd.d -l /etc/openldap/slapd.ldif -u
Command output should be like;
_#################### 100.00% eta none elapsed none fast!
Then implement the changes if all is well.
slapadd -n 0 -F /etc/openldap/slapd.d -l /etc/openldap/slapd.ldif
This command creates the slapd database configuration under the /etc/openldap/slapd.d directory.
ls /etc/openldap/slapd.d
'cn=config' 'cn=config.ldif'
Set the user and group ownership of the /etc/openldap/slapd.d directory and the files in it to the ldap user.
chown -R ldap:ldap /etc/openldap/slapd.d
Running SLAPD Service
Reload systemd configurations and start and enable OpenLDAP service to run on boot.
systemctl daemon-reload
systemctl enable --now slapd
Check the status;
systemctl status slapd
● slapd.service - OpenLDAP Server Daemon
   Loaded: loaded (/etc/systemd/system/slapd.service; disabled; vendor preset: disabled)
   Active: active (running) since Sat 2021-06-19 12:17:43 EAT; 19s ago
     Docs: man:slapd
           man:slapd-mdb
  Process: 153713 ExecStart=/usr/libexec/slapd -u ldap -g ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS (code=exited, status=0/SUCCESS)
 Main PID: 153714 (slapd)
    Tasks: 2 (limit: 11389)
   Memory: 3.0M
   CGroup: /system.slice/slapd.service
           └─153714 /usr/libexec/slapd -u ldap -g ldap -h ldap:/// ldapi:/// ldaps:/// -F /etc/openldap/slapd.d

Jun 19 12:17:43 localhost.localdomain systemd[1]: Starting OpenLDAP Server Daemon...
Jun 19 12:17:43 localhost.localdomain slapd[153713]: @(#) $OpenLDAP: slapd 2.5.5 (Jun 19 2021 11:30:55) $ [email protected]:/root/openldap-2.5.5/servers/slapd
Jun 19 12:17:43 localhost.localdomain slapd[153714]: slapd starting
Jun 19 12:17:43 localhost.localdomain systemd[1]: Started OpenLDAP Server Daemon.
Configure OpenLDAP Logging on Rocky Linux 8
To make OpenLDAP log connections, operations and result statistics, create an LDIF file and update the database as follows. This logging is enabled at log level 256, keyword stats, by modifying the olcLogLevel attribute as shown below.
cd ~
cat > enable-openldap-log.ldif << 'EOL'
dn: cn=config
changeType: modify
replace: olcLogLevel
olcLogLevel: stats
EOL
ldapmodify -Y external -H ldapi:/// -f enable-openldap-log.ldif
ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config "(objectClass=olcGlobal)" olcLogLevel -LLL -Q
dn: cn=config
olcLogLevel: stats
Configure Rsyslog so that OpenLDAP logs to a specific file. By default, OpenLDAP logs to the local4 facility.
echo "local4.* /var/log/slapd.log" >> /etc/rsyslog.conf
Restart Rsyslog
systemctl restart rsyslog
You should now be able to read the LDAP logs in /var/log/slapd.log.
Create OpenLDAP Default Root DN
Next, create the MDB database, defining the root DN as well as the access control lists.
First, generate the root DN password.
slappasswd
New password: ENTER PASSWORD
Re-enter new password: RE-ENTER PASSWORD
{SSHA}OH74PoJJKTsYIEg75iuwGk0OKbJ8y/BD
Paste the password hash generated above as the value of olcRootPW in the root DN LDIF file below.
Replace the domain components, dc=ldapmaster,dc=kifarunix-demo,dc=com, with your own.
cat > rootdn.ldif << 'EOL'
dn: olcDatabase=mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: mdb
olcDbMaxSize: 42949672960
olcDbDirectory: /var/lib/openldap
olcSuffix: dc=ldapmaster,dc=kifarunix-demo,dc=com
olcRootDN: cn=admin,dc=ldapmaster,dc=kifarunix-demo,dc=com
olcRootPW: {SSHA}OH74PoJJKTsYIEg75iuwGk0OKbJ8y/BD
olcDbIndex: uid pres,eq
olcDbIndex: cn,sn pres,eq,approx,sub
olcDbIndex: mail pres,eq,sub
olcDbIndex: objectClass pres,eq
olcDbIndex: loginShell pres,eq
olcDbIndex: sudoUser,sudoHost pres,eq
olcAccess: to attrs=userPassword,shadowLastChange,shadowExpire
  by self write
  by anonymous auth
  by dn.subtree="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
  by dn.subtree="ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com" read
  by * none
olcAccess: to dn.subtree="ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com"
  by dn.subtree="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
  by * none
olcAccess: to dn.subtree="dc=ldapmaster,dc=kifarunix-demo,dc=com"
  by dn.subtree="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
  by users read
  by * none
EOL
Read more about ACL on OpenLDAP Access Control.
Update the slapd database with the content above;
ldapadd -Y EXTERNAL -H ldapi:/// -f rootdn.ldif
Sample command output;
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "olcDatabase=mdb,cn=config"
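The olcAccess rules in slapd.ldif (frontend and config databases) and rootdn.ldif (mdb database) are what keep password hashes and cn=config away from ordinary clients, so they deserve a check before they go live. The script below is an added example, not code from the tutorial: it lints such rules, either from the LDIF before loading or from "slapcat -b cn=config | grep '^olcAccess'" afterwards. The function names, the dc=example,dc=com suffix and the sample rules are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original tutorial: lint olcAccess rules such as
# those in slapd.ldif and rootdn.ldif before (or, via slapcat, after) loading
# them. On a live server: slapcat -b cn=config | grep '^olcAccess' | lint_acl_stream

# The only identity that should hold "manage": local root over ldapi:///.
ROOT_ONLY='by dn.subtree="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage'

# lint_acl RULE: print one FINDING per problem, return 1 if any were found.
lint_acl() {
  rule=$1
  rc=0
  # 1. The last clause must be "by * ...", so the outcome for everyone not
  #    named earlier is explicit instead of relying on the implicit default.
  case "${rule##*" by "}" in
    '* '*) ;;
    *) echo "FINDING: no terminal 'by *' clause: $rule"; rc=1 ;;
  esac
  # 2. Password attributes: anonymous needs "auth" to bind, but only the
  #    owner and administrators may read the hashes.
  case "$rule" in
    *"attrs=userPassword"*)
      case "$rule" in
        *"by anonymous auth"*) ;;
        *) echo "FINDING: anonymous lacks 'auth' on userPassword; simple binds fail"; rc=1 ;;
      esac
      case "$rule" in
        *"by anonymous read"*|*"by users read"*|*"by * read"*|*"by anonymous write"*)
          echo "FINDING: password attributes readable by non-owners: $rule"; rc=1 ;;
      esac ;;
  esac
  # 3. Strip the expected root clause; any "manage" left over is too wide.
  rest=$rule
  case "$rest" in
    *"$ROOT_ONLY"*) rest="${rest%%"$ROOT_ONLY"*}${rest#*"$ROOT_ONLY"}" ;;
  esac
  case "$rest" in
    *" manage"*) echo "FINDING: 'manage' granted beyond local root: $rule"; rc=1 ;;
  esac
  return $rc
}

# lint_acl_stream: read "olcAccess: ..." lines on stdin; return the number of
# rules with findings (0 means clean).
lint_acl_stream() {
  bad=0
  while IFS= read -r line; do
    case "$line" in olcAccess:*) ;; *) continue ;; esac
    lint_acl "${line#olcAccess: }" || bad=$((bad + 1))
  done
  return $bad
}

# Constructed sample: the three rootdn.ldif rules (example suffix) plus one
# deliberately weak rule that exposes password hashes to anonymous clients.
SAMPLE='olcAccess: to attrs=userPassword,shadowLastChange,shadowExpire by self write by anonymous auth by dn.subtree="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by dn.subtree="ou=system,dc=example,dc=com" read by * none
olcAccess: to dn.subtree="ou=system,dc=example,dc=com" by dn.subtree="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * none
olcAccess: to dn.subtree="dc=example,dc=com" by dn.subtree="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by users read by * none
olcAccess: to attrs=userPassword by anonymous read by users manage'
printf '%s\n' "$SAMPLE" | lint_acl_stream && echo "all rules clean" || echo "rules with findings: $?"
```

Note that the first rootdn.ldif rule deliberately lets the ou=system bind account read password hashes; keep that read clause only if your client actually needs it.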
Configure OpenLDAP with SSL/TLS
To secure OpenLDAP communication between the client and the server, configure it to use SSL/TLS certificates.
In this guide, we use self-signed certificates. For production environments, you can instead obtain commercially signed and trusted certificates from your preferred CA.
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout \
/etc/pki/tls/ldapserver.key -out /etc/pki/tls/ldapserver.crt
chown ldap:ldap /etc/pki/tls/{ldapserver.crt,ldapserver.key}
Update the OpenLDAP Server TLS certificates attributes.
cat > add-tls.ldif << 'EOL'
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/pki/tls/ldapserver.crt
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/pki/tls/ldapserver.key
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/pki/tls/ldapserver.crt
EOL
Note that we have used the self-signed certificate as both the server certificate and the CA certificate.
ldapadd -Y EXTERNAL -H ldapi:/// -f add-tls.ldif
You can confirm this by running;
slapcat -b "cn=config" | grep olcTLS
olcTLSCACertificateFile: /etc/pki/tls/ldapserver.crt
olcTLSCertificateKeyFile: /etc/pki/tls/ldapserver.key
olcTLSCertificateFile: /etc/pki/tls/ldapserver.crt
Change the location of the CA certificate in /etc/openldap/ldap.conf.
vim /etc/openldap/ldap.conf
...
#TLS_CACERT /etc/pki/tls/cert.pem
TLS_CACERT /etc/pki/tls/ldapserver.crt
Create OpenLDAP Base DN
Next, create your base DN or search base to define your organization structure and directory.
Replace the domain components and organization units accordingly.
cat > basedn.ldif << 'EOL'
dn: dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: dcObject
objectClass: organization
objectClass: top
o: Kifarunix-demo
dc: ldapmaster

dn: ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: organizationalUnit
objectClass: top
ou: groups

dn: ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: organizationalUnit
objectClass: top
ou: people
EOL
ldapadd -Y EXTERNAL -H ldapi:/// -f basedn.ldif
Create OpenLDAP User Accounts
You can now add users to your OpenLDAP server. Create an LDIF file to define your users as follows.
cat > users.ldif << 'EOL'
dn: uid=johndoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: johndoe
cn: John
sn: Doe
loginShell: /bin/bash
uidNumber: 10000
gidNumber: 10000
homeDirectory: /home/johndoe
shadowMax: 60
shadowMin: 1
shadowWarning: 7
shadowInactive: 7
shadowLastChange: 0

dn: cn=johndoe,ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: posixGroup
cn: johndoe
gidNumber: 10000
memberUid: johndoe
EOL
Add the user to the OpenLDAP database.
ldapadd -Y EXTERNAL -H ldapi:/// -f users.ldif
Setting password for LDAP User
To set the password for the user above, run the command below;
ldappasswd -H ldapi:/// -Y EXTERNAL -S "uid=johndoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com"
Create OpenLDAP Bind DN and Bind DN User
The bind DN user is used for performing LDAP operations such as resolving user IDs and group IDs. In this guide, we create a bind DN OU called system. Note the access controls associated with this OU as defined in the root DN LDIF above.
List the Access control lists on the database;
ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config '(olcDatabase={1}mdb)' olcAccess
Create the BindDN user password.
slappasswd
New password: Password
Re-enter new password: Password
{SSHA}1s+ndOUpf7dzQvH3z7BJoJLOkRJRIHvX
Paste the password hash value above as the value of the userPassword attribute in the file below;
cat > bindDNuser.ldif << 'EOL'
dn: ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: organizationalUnit
objectClass: top
ou: system

dn: cn=readonly,ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: readonly
userPassword: {SSHA}1s+ndOUpf7dzQvH3z7BJoJLOkRJRIHvX
description: Bind DN user for LDAP Operations
EOL
ldapadd -Y EXTERNAL -H ldapi:/// -f bindDNuser.ldif
Allow OpenLDAP Service on Firewall
To allow remote clients to query the OpenLDAP server, allow the ldap (389 UDP/TCP) and ldaps (636 UDP/TCP) services on the firewall.
firewall-cmd --add-service={ldap,ldaps} --permanent
firewall-cmd --reload
Testing OpenLDAP Authentication
Well, there you go. You have learnt how to install and set up an OpenLDAP server on Rocky Linux 8.
To verify that users can actually connect to the systems via the OpenLDAP server, you need to configure OpenLDAP clients on the remote systems.
See the guide below;
Configure SSSD for LDAP Authentication on Rocky Linux 8
1) Try to copy ppolicy.ldif manually:
# slapadd -n 0 -F /etc/openldap/slapd.d -l /etc/openldap/slapd.ldif -u
ldif_read_record: include file:///etc/openldap/schema/ppolicy.ldif failed
Closing DB…
# cp ./tests/data/ppolicy.ldif /etc/openldap/schema/
# slapadd -n 0 -F /etc/openldap/slapd.d -l /etc/openldap/slapd.ldif -u
slapadd: line 1013: database #0 (cn=config) not configured to hold “dc=example,dc=com”; no database configured for that naming context
Closing DB…
2) Finally, I have commented out the line:
file:///etc/openldap/schema/ppolicy.ldif at the /etc/openldap/slapd.ldif
Any hints on how to fix this?