Set up OpenLDAP server on CentOS 6.5

Hi readers, hope you are learning Linux and gaining more knowledge every day. In this tutorial I am going to show you how to set up an OpenLDAP server on a CentOS 6.5 server. Follow along to get a better understanding.

This is going to be a two-part tutorial, as shown below:
  • Set up OpenLDAP server on CentOS 6.5
  • Enable LDAP authentication on client machines
    • LDAP Authentication on Ubuntu 14.04
    • LDAP Authentication on CentOS 6.5

What my setup will look like

I have an Ubuntu machine which is my host and has KVM set up on it. All demonstrations will be done in KVM virtual machines. I have three virtual machines:
  • Cent1 – CentOS 6.5 minimal server (this will be the LDAP server)
  • Cent2 – CentOS 6.5 minimal server (users will be authenticated using the LDAP server cent1)
  • Ubunt1 – Ubuntu 14.04 minimal server (users will be authenticated using the LDAP server cent1)

Tasks we will be doing

  • Install software packages for OpenLDAP
  • Configure LDAP & logging
  • Set up firewall rules
  • Do a first import of an ldif file
  • Verify our first import
  • Create ldap users
  • Query ldap for users we added in the previous step

Install OpenLDAP

The basic installation requires the following three packages:
  1. openldap – installed by default on CentOS 6.5
  2. openldap-servers – provides the slapd LDAP server
  3. openldap-clients – provides client utilities such as ldapadd, ldapsearch and ldapmodify
Let's install all the required packages using the command below.
# yum install openldap openldap-servers openldap-clients
Verify the installation using the command below.
# rpm -qa | grep openldap
The LDAP service is called slapd on CentOS/RHEL. By default the service is stopped and disabled; once we complete all our configuration we will enable and start it.

Configure LDAP

Note that you won’t find a configuration file named slapd.conf under /etc/openldap. All the configuration files are located under /etc/openldap/slapd.d.

Change the default domain:

The first thing you need to do is change the default domain in a few config files. The default domain is my-domain. Change this to your domain. In my case I will be using junglegeek.com as my domain throughout this article.
# cd /etc/openldap/slapd.d/cn\=config
Find out which files you need to update using the grep command below.
# grep my-domain *
Usually it will be the following two files:
  • olcDatabase={1}monitor.ldif
  • olcDatabase={2}bdb.ldif
Open these two files in the vi editor and change all occurrences of my-domain to junglegeek. I opened them and changed it with the following vi command

Set up admin password:

Now let's generate the admin password hash using the slappasswd utility provided by the openldap-servers package.
# slappasswd
New password: 
Re-enter new password:
Copy the password hash printed above. We need to add it to a couple of config files. Open up the following two files:
  • olcDatabase={2}bdb.ldif
  • olcDatabase={0}config.ldif
Look for the line that starts with olcRootDN and add the following line right after it in both files:
olcRootPW: {SSHA}PlOJU60HjF+WTt9/8L10fjPyTugQ79V
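As an added example (not code from the original tutorial), here is how the {SSHA} value that slappasswd prints is built and verified, plus a small scan of a slapd.d LDIF file that reports the scheme of every olcRootPW, so an admin password pasted in as cleartext is caught before slapd is ever started. The passwords and hashes used are constructed, not the one from this article.

```python
import base64, hashlib, hmac, os

def ssha_hash(password, salt=None):
    """Build an {SSHA} value the way slappasswd does: base64(sha1(pw + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)                  # slappasswd uses a random 4-byte salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def ssha_verify(password, stored):
    """True if password matches an {SSHA} value such as the one put in olcRootPW."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]         # SHA-1 digest is 20 bytes, the rest is the salt
    candidate = hashlib.sha1(password.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)

def rootpw_schemes(ldif_text):
    """Report the storage scheme of each olcRootPW line in a slapd.d LDIF file.
    'CLEARTEXT' means a bare password was pasted in instead of the slappasswd output."""
    schemes = []
    for line in ldif_text.splitlines():
        if not line.lower().startswith("olcrootpw:"):
            continue
        value = line.partition(":")[2].strip()
        if value.startswith(":"):             # LDIF base64 form: olcRootPW:: <b64>
            value = base64.b64decode(value[1:].strip()).decode()
        if value.startswith("{") and "}" in value:
            schemes.append(value[:value.index("}") + 1])
        else:
            schemes.append("CLEARTEXT")
    return schemes
```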

Copy database config file

Copy DB_CONFIG.example from /usr/share/openldap-servers to /var/lib/ldap and set the correct ownership as shown below:
# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
# chown -R ldap.ldap /var/lib/ldap

Configure LDAP Logging

Now let's set up logging. Open /etc/rsyslog.conf
# vi /etc/rsyslog.conf
Add the line below:
local4.*                         /var/log/slapd/slapd.log
Create the log directory and set its permissions appropriately:
# mkdir /var/log/slapd
# chmod 755 /var/log/slapd
# chown ldap.ldap /var/log/slapd

Set up iptables

The LDAP server uses the following port. We need to add an iptables rule to allow connections on port 389.
Port   Description
389    LDAP
Add the iptables rule below:
# iptables -I INPUT -m tcp -p tcp --dport 389 -j ACCEPT

Restart services

All set. Now enable and start/restart the services as below:
# chkconfig slapd on
# service slapd start
# service rsyslog restart
# service iptables save
Verify the slapd service using the commands below:
# netstat -nltp | grep slapd
# tail -f /var/log/slapd/slapd.log

Set up first import using ldapadd

The next thing we need to do is create a root entry for LDAP. Create a file named firstimport.ldif
# vi firstimport.ldif
and enter the following content:
dn: dc=junglegeek,dc=com
dc: junglegeek
o: junglegeek
objectclass: dcObject
objectclass: organization
Now add this entry to LDAP using the command below:
# ldapadd -x -D "cn=Manager,dc=junglegeek,dc=com" -W -f firstimport.ldif
Enter the admin password that you created earlier when asked. This command adds the root entry to the LDAP server.
  • -x : use simple authentication instead of SASL
  • -D : binddn, the distinguished name to bind to the LDAP directory with
  • -W : prompt for the password instead of entering it on the command line
  • -f : read the entries from the given file instead of standard input

Verify import using ldapsearch

Now that we have added a single entry, we will verify it by querying the LDAP server as below:
[root@cent1 ~]# ldapsearch -x -b dc=junglegeek,dc=com
# extended LDIF
# LDAPv3
# base <dc=junglegeek,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL

dn: dc=junglegeek,dc=com
dc: junglegeek
o: junglegeek
objectClass: dcObject
objectClass: organization

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
If you want to see the actual query output without comments and LDAP version information, use the -LLL option as shown below.
[root@cent1 ~]# ldapsearch -x -LLL -b dc=junglegeek,dc=com
dn: dc=junglegeek,dc=com
dc: junglegeek
o: junglegeek
objectClass: dcObject
objectClass: organization

Create LDAP Users

We now have a root entry, dc=junglegeek,dc=com. Let's add some organizational units (OUs) and some users.

Add organizational units (OUs):

Create a file named usersou.ldif and enter the contents below:
dn: ou=users,dc=junglegeek,dc=com
objectClass: organizationalUnit
ou: users

dn: ou=groups,dc=junglegeek,dc=com
objectClass: organizationalUnit
ou: groups
Now add it to LDAP using the command below:
[root@cent1 ~]# ldapadd -x -D "cn=Manager,dc=junglegeek,dc=com" -W -f usersou.ldif
Enter LDAP Password:
adding new entry "ou=users,dc=junglegeek,dc=com"
adding new entry "ou=groups,dc=junglegeek,dc=com"

Add a user to the users OU:

We shall add a user to the newly created users organizational unit. Create a file named users.ldif and enter the content below.
# Section for User's primary group
dn: cn=venkatn,ou=groups,dc=junglegeek,dc=com
cn: venkatn
objectClass: top
objectClass: posixGroup
gidNumber: 5000

# Section for User
dn: uid=venkatn,ou=users,dc=junglegeek,dc=com
cn: Venkat Nagappan
givenName: Venkat
sn: Nagappan
uid: venkatn
uidNumber: 5000
gidNumber: 5000
homeDirectory: /home/venkatn
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
loginShell: /bin/bash
userPassword: {CRYPT}*
Add it to LDAP using the command below:
# ldapadd -x -D "cn=Manager,dc=junglegeek,dc=com" -W -f users.ldif
Set a password for the newly created user using the command below:
# ldappasswd -x -D "cn=Manager,dc=junglegeek,dc=com" -W -S "uid=venkatn,ou=users,dc=junglegeek,dc=com"
We are done adding a user and his primary group.
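As an added example, not code from the original article: a small LDIF parser and checker for the files written in this section (usersou.ldif and users.ldif) that also parses what ldapsearch prints back in the verification section, since that is the same LDIF shape. check_entries() flags what ldapadd would reject (missing schema attributes, a primary group that is not defined) and a userPassword stored as cleartext instead of a {SSHA} or {CRYPT}* value. The sample it runs on is constructed: the venkatn group plus a deliberately broken second user.

```python
REQUIRED = {  # attributes the schema demands for the classes this article uses
    "posixaccount": {"cn", "uid", "uidnumber", "gidnumber", "homedirectory"},
    "posixgroup": {"cn", "gidnumber"}}

def parse_ldif(text):
    entries, cur, last = [], {}, None        # entry = lower-cased attribute -> [values]
    for line in text.splitlines() + [""]:
        if line.startswith("#"):             # LDIF comment line
            continue
        if not line.strip():                 # blank line ends an entry
            if cur:
                entries.append(cur)
            cur, last = {}, None
        elif line.startswith(" ") and last:  # folded continuation of the last value
            cur[last][-1] += line[1:]
        else:
            attr, _, value = line.partition(":")
            last = attr.strip().lower()
            cur.setdefault(last, []).append(value.strip())
    return entries

def check_entries(entries):
    problems = []                            # empty list means the file looks sane
    classes_of = lambda e: {c.lower() for c in e.get("objectclass", [])}
    groups = {e["gidnumber"][0] for e in entries if "posixgroup" in classes_of(e) and "gidnumber" in e}
    for e in entries:
        dn = e.get("dn", ["<no dn>"])[0]
        for cls in sorted(classes_of(e) & set(REQUIRED)):
            for attr in sorted(REQUIRED[cls] - set(e)):
                problems.append(f"{dn}: {cls} requires {attr}")
        if "posixaccount" in classes_of(e):
            gid = e.get("gidnumber", [""])[0]
            if gid not in groups:            # the article defines the primary group first
                problems.append(f"{dn}: no posixGroup with gidNumber {gid}")
            pw = e.get("userpassword", [""])[0]
            if pw and not pw.startswith("{"):  # cleartext instead of {SSHA} or {CRYPT}*
                problems.append(f"{dn}: userPassword is not hashed")
    return problems

SAMPLE = """# constructed sample: the venkatn group from the article plus a broken user
dn: cn=venkatn,ou=groups,dc=junglegeek,dc=com
objectClass: posixGroup
gidNumber: 5000

dn: uid=bob,ou=users,dc=junglegeek,dc=com
uidNumber: 5001
gidNumber: 5001
objectClass: posixAccount
userPassword: secret
"""
```

Running check_entries(parse_ldif(SAMPLE)) lists the missing cn on the group and, for bob, the missing cn/homeDirectory/uid, the undefined group 5001 and the cleartext password.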

Query LDAP for users

Let's query for the user we created in the previous step. You can use any of the user's attributes to query LDAP. Try the following search commands:
# ldapsearch -x -LLL "uid=venkatn" -b "ou=users,dc=junglegeek,dc=com"
# ldapsearch -x -LLL "cn=Venkat Nagappan" -b "ou=users,dc=junglegeek,dc=com"
That’s it for this tutorial. In my next tutorial I will show you how to set up/enable LDAP authentication on CentOS 6.5 & Ubuntu client machines so that we can use this ldap user venkatn for login.
Hope you enjoyed this article. Thanks for reading.


Unknown said...

A few things.

1. The OpenLDAP build from CentOS should be completely avoided. It is horribly out of date, and is linked to MozNSS, which has serious security design flaws. Linking to MozNSS is not supported by the OpenLDAP project.

2. The back-bdb database engine has been deprecated for quite some time. It was supplanted by back-hdb in OpenLDAP 2.3. back-hdb was supplanted by back-mdb in the OpenLDAP 2.4 series. The back-bdb/hdb backends will be removed in a future release.

I would strongly advise people to use the LTB project builds for OpenLDAP, which are current and correctly linked to OpenSSL.

See also

OpenLDAP Core Team