How to Configure an OpenLDAP Server on CentOS 7

OpenLDAP is an open-source implementation of the Lightweight Directory Access Protocol (LDAP), developed by the OpenLDAP Project. LDAP is an Internet protocol that email clients and other programs use to look up contact information on a server.

LDAP is not limited to storing that information; it is also used as the backend database for "single sign-on", where one password per user is shared across many services.

In this tutorial we configure OpenLDAP for centralized login, where users log in to multiple servers with a single account.

Environment

Host Name           IP Address       OS         Purpose
server.Ldap.local   192.168.2.254    CentOS 7   LDAP Server
client.Ldap.local   192.168.1.250    CentOS 7   LDAP Client

Prerequisites

1. Make sure the LDAP server "server.Ldap.local" (192.168.2.254) and the LDAP client "client.Ldap.local" (192.168.1.250) can reach each other.

2. Add a host entry for the other machine to /etc/hosts on each system so that the names resolve.

Install OpenLDAP Packages

Install the following LDAP RPM packages on the LDAP server (server.Ldap.local, 192.168.2.254):

# yum -y install openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel

Enable the slapd service so that it starts automatically at boot, then start it now:

# systemctl enable slapd

# systemctl start slapd

OpenLDAP server configuration

The OpenLDAP server configuration (the cn=config database) lives under /etc/openldap/slapd.d/. The settings of the data database are stored in olcDatabase={2}hdb.ldif in that directory. Do not edit that file by hand; instead, submit the changes as LDIF to the running server with ldapmodify, as shown below.

Generate the password hash for the LDAP administrator account (the rootDN cn=ldapadm,dc=dzhorov,dc=com used below) with the slappasswd utility. This tutorial uses the password LDP@Server; enter it at both prompts (it is not echoed):

# slappasswd
New password:
Re-enter new password:

slappasswd prints an {SSHA} hash of the password; that hash is the olcRootPW value used below.

Our working directory is /etc/openldap/slapd.d. Create a file there (db.ldif in this tutorial) that sets the directory suffix, the administrator DN (rootDN) and its password hash:

/etc/openldap/slapd.d/db.ldif
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=dzhorov,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=ldapadm,dc=dzhorov,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}w2XBxT9foe5cfJz11SZiwaXaNwRmrCSG

The configuration variables have the following purpose:

  • dn: – The LDAP API references an LDAP object by its distinguished name (DN). A DN is a sequence of relative distinguished names (RDNs) separated by commas.
  • changetype: modify – Modifying an entry's attributes is a very common change and is requested by placing changetype: modify after the DN of the entry.
  • replace: olcSuffix – Replaces the value of the attribute olcSuffix (the base DN of the directory); the same form is used for olcRootDN (the administrator DN) and olcRootPW.
  • olcRootPW: – The password hash generated earlier with the slappasswd utility.

Create the LDAP SSL certificate:

Create the self-signed SSL certificate and private key that the LDAP server will use (the -x509 option makes openssl emit a certificate rather than a certificate signing request). slapd runs as the ldap user on CentOS 7, so the key file must be readable by that user.

openssl req -new -x509 -sha256 -nodes -newkey rsa:2048 -out /etc/openldap/certs/dzhorov-cert.pem -keyout /etc/openldap/certs/dzhorov-key.pem -days 365

The TLS settings are stored in /etc/openldap/slapd.d/cn=config.ldif, which must not be edited directly. Instead, create the file certificates.ldiff in /etc/openldap/slapd.d/ with the following content:

dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/dzhorov-cert.pem

dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/dzhorov-key.pem

Apply the changes with ldapmodify; the same command, with the respective file name, is used for every LDIF file in this tutorial:

ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/openldap/slapd.d/certificates.ldiff
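ldapmodify rejects a modify record in which the replace: line names one attribute while the line after it carries a different one, or which lacks changetype: modify, and such slips are easy to make when writing files like certificates.ldiff by hand. The following Python script is an added pre-flight check, not part of this tutorial or of OpenLDAP: it parses the blank-line-separated records of an LDIF change file and reports those mistakes before the file is submitted. The two sample LDIF texts are constructed from the entries in this tutorial, one of them deliberately broken.

```python
"""Pre-flight linter for 'changetype: modify' LDIF files (added example).

Covers the plain "attr: value" form used in this tutorial; it does not handle
base64 "attr::" values or "-"-separated multi-modification records.
"""

# Constructed sample: a well-formed file built from the tutorial's entries.
GOOD_LDIF = """\
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=dzhorov,dc=com

dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/dzhorov-cert.pem
"""

# Constructed sample with two typical mistakes: a mismatched attribute name
# after replace:, and a record without changetype: modify.
BAD_LDIF = """\
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcMahakDN: cn=ldapadm,dc=dzhorov,dc=com

dn: olcDatabase={2}hdb,cn=config
replace: olcRootPW
olcRootPW: {SSHA}placeholder-hash
"""


def parse_ldif_records(text):
    """Split LDIF text into records; each record is a list of (attribute, value)."""
    records, current = [], []
    for line in text.splitlines():
        if line.startswith("#"):              # LDIF comment line
            continue
        if not line.strip():                  # a blank line ends the record
            if current:
                records.append(current)
                current = []
            continue
        if line.startswith(" ") and current:  # continuation of the previous value
            attr, value = current[-1]
            current[-1] = (attr, value + line[1:])
            continue
        attr, sep, value = line.partition(":")
        if not sep:                           # no "attr: value" shape at all
            current.append(("<malformed>", line))
            continue
        current.append((attr.strip(), value.strip()))
    if current:
        records.append(current)
    return records


def lint_modify_ldif(text):
    """Return a list of human-readable problems; an empty list means the file looks sane."""
    issues = []
    for n, rec in enumerate(parse_ldif_records(text), 1):
        if rec[0][0] != "dn":
            issues.append(f"record {n}: must start with 'dn:'")
            continue
        dn = rec[0][1]
        if ("changetype", "modify") not in rec:
            issues.append(f"record {n} ({dn}): missing 'changetype: modify'")
            continue
        for i, (attr, value) in enumerate(rec):
            if attr not in ("replace", "add"):
                continue
            nxt = rec[i + 1][0] if i + 1 < len(rec) else None
            if nxt is None or nxt.lower() != value.lower():
                issues.append(
                    f"record {n} ({dn}): '{attr}: {value}' must be followed by "
                    f"'{value}: ...' but found {nxt!r}"
                )
    return issues


if __name__ == "__main__":
    for name, text in (("good", GOOD_LDIF), ("bad", BAD_LDIF)):
        print(name + ":", lint_modify_ldif(text) or "OK")
```

Feed it the contents of the file you are about to pass to ldapmodify -f; an empty result does not prove the values are right (slaptest -u and the server's own schema checks do that), but it catches the attribute-name and changetype slips before they reach the server.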

Verify the current configuration with the command:

slaptest -u
config file testing succeeded

I hope you enjoyed this article and installed OpenLDAP successfully; if you have any issue with it, mention it in the comments section.
