
Setting up an LDAP server provides a centralized directory service for managing user accounts, groups, and other network resources. Here’s a guide on how to get OpenLDAP up and running on Fedora 29, covering the essential installation and initial configuration steps.
Installation
Begin by opening a terminal and installing the necessary OpenLDAP server and client packages using the DNF package manager.
Use the command:
sudo dnf install openldap-servers openldap-clients compat-openldap
After the installation completes, enable and start the main OpenLDAP service, slapd.
Enable the service to start on boot:
sudo systemctl enable slapd
Start the service immediately:
sudo systemctl start slapd
You can verify the service status with:
sudo systemctl status slapd
Initial Configuration
OpenLDAP configuration on modern systems often involves managing configuration entries directly within the LDAP directory itself, typically under the cn=config subtree. This is done using LDIF files and tools like ldapmodify.
First, you need to set an administrator password. OpenLDAP stores passwords as hashes. Generate a hashed password using the slappasswd utility.
Run:
slappasswd
Enter your desired password when prompted and copy the generated hash (it will look something like {SSHA}hashstring).
Now, create an LDIF file to set this password for the configuration administrator (cn=config). Let’s call it set_password.ldif.
Create the file:
nano set_password.ldif (or use your preferred text editor)
Add the following content, replacing YOUR_PASSWORD_HASH with the hash you generated:
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: YOUR_PASSWORD_HASH
Apply this configuration change using ldapmodify:
ldapmodify -Y EXTERNAL -H ldapi:/// -f set_password.ldif
This command uses the EXTERNAL SASL mechanism over the local LDAPI socket, which authenticates the connecting process by its Unix identity, so the root user on the system can modify the configuration database locally without needing a password initially.
Configuring the Main Database
The default OpenLDAP configuration often needs adjustments for your specific domain and database backend. On Fedora 29, the MDB (Memory-Mapped Database) backend is commonly used.
You need to define your root suffix (your domain’s base DN, e.g., dc=example,dc=com) and assign a manager DN and password for this specific database.
Create an LDIF file, for example, domain_config.ldif, to set up your database parameters. Remember to replace dc=example,dc=com with your actual domain components, and YOUR_MANAGER_DN (shown below as cn=Manager,dc=example,dc=com) and YOUR_MANAGER_PASSWORD_HASH with appropriate values and a newly generated password hash for the manager DN. Each record in the file must be separated from the next by a blank line, or ldapmodify will reject the file.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=example,dc=com

dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=example,dc=com

dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: YOUR_MANAGER_PASSWORD_HASH
Apply this configuration:
ldapmodify -Y EXTERNAL -H ldapi:/// -f domain_config.ldif
Loading Schemas
To support standard object classes like users (inetOrgPerson) and groups (groupOfNames), you need to load standard LDAP schemas. These are typically available as LDIF files in the OpenLDAP installation.
Common schemas to load include:
- cosine.ldif
- nis.ldif (for NIS attributes often used in conjunction with LDAP)
- inetorgperson.ldif
Load them one by one using ldapadd:
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
Adding Your Base DN Entry
Before adding users or groups, you need to create the base entry for your domain suffix.
Create an LDIF file, e.g., base_dn.ldif:
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: Example Company
dc: example
Apply this entry using ldapadd, authenticating as your manager DN:
ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f base_dn.ldif
You will be prompted for the manager password you set earlier.
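Once the base entry exists, the next files you write are the organizational units, users and groups, and the most common reason ldapadd rejects them is a missing MUST attribute of one of the object classes from the schemas loaded earlier. The Python below is an added example, not code from this guide or from OpenLDAP: it builds the base entry above plus an ou, an inetOrgPerson/posixAccount user and a groupOfNames group, and checks each entry against a small hand-written table of MUST attributes (core, cosine, nis and inetorgperson classes only) before serialising the records with the blank-line separators LDIF requires. The table is a constructed subset rather than a parsed schema, and the user and group values are sample data.

```python
from typing import Dict, List, Tuple

# Constructed, flattened subset of MUST attributes for the object classes used
# here (superclass requirements already folded in, e.g. inetOrgPerson inherits
# cn and sn from person). Not a parsed schema; extend it for other classes.
MUST_ATTRS: Dict[str, set] = {
    "top": set(),
    "dcObject": {"dc"},                                  # core schema
    "organization": {"o"},                               # core schema
    "organizationalUnit": {"ou"},                        # core schema
    "inetOrgPerson": {"cn", "sn"},                       # inetorgperson.ldif (via person)
    "posixAccount": {"cn", "uid", "uidNumber", "gidNumber", "homeDirectory"},  # nis.ldif
    "posixGroup": {"cn", "gidNumber"},                   # nis.ldif
    "groupOfNames": {"cn", "member"},                    # core schema: a group needs at least one member
}

Entry = Dict[str, List[str]]


def missing_must(entry: Entry) -> List[str]:
    """Sorted list of required attributes that the entry lacks or leaves empty."""
    required = set()
    for oc in entry.get("objectClass", []):
        if oc not in MUST_ATTRS:
            raise ValueError(f"objectClass {oc} is not in the table; is its schema loaded?")
        required |= MUST_ATTRS[oc]
    return sorted(a for a in required if not entry.get(a))


def to_ldif(dn: str, entry: Entry) -> str:
    """Serialise one entry as an LDIF add record, refusing entries slapd would reject."""
    missing = missing_must(entry)
    if missing:
        raise ValueError(f"{dn}: missing required attribute(s): {', '.join(missing)}")
    lines = [f"dn: {dn}"]
    for attr, values in entry.items():
        lines.extend(f"{attr}: {v}" for v in values)
    return "\n".join(lines) + "\n"


def add_ldif(records: List[Tuple[str, Entry]]) -> str:
    """Join records with exactly one blank line between them, as ldapadd expects."""
    return "\n".join(to_ldif(dn, entry) for dn, entry in records)


def example_records(suffix: str) -> List[Tuple[str, Entry]]:
    """Sample data (constructed): the guide's base entry, two OUs, one user, one group."""
    dc = suffix.split(",")[0].split("=", 1)[1]  # "dc=example,dc=com" -> "example"
    user_dn = f"uid=jdoe,ou=People,{suffix}"
    return [
        (suffix, {"objectClass": ["top", "dcObject", "organization"],
                  "o": ["Example Company"], "dc": [dc]}),
        (f"ou=People,{suffix}", {"objectClass": ["top", "organizationalUnit"], "ou": ["People"]}),
        (f"ou=Groups,{suffix}", {"objectClass": ["top", "organizationalUnit"], "ou": ["Groups"]}),
        # userPassword is deliberately absent: set it afterwards with ldappasswd so no
        # cleartext credential ends up in a file on disk.
        (user_dn, {"objectClass": ["top", "inetOrgPerson", "posixAccount"],
                   "uid": ["jdoe"], "cn": ["Jane Doe"], "sn": ["Doe"],
                   "uidNumber": ["10001"], "gidNumber": ["10001"],
                   "homeDirectory": ["/home/jdoe"]}),
        (f"cn=developers,ou=Groups,{suffix}",
         {"objectClass": ["top", "groupOfNames"], "cn": ["developers"], "member": [user_dn]}),
    ]


if __name__ == "__main__":
    print(add_ldif(example_records("dc=example,dc=com")), end="")
```

Redirect the script's output to a file and load it with the same ldapadd -x -W -D manager invocation used for base_dn.ldif (dropping the first record if the base entry is already present); the validation catches the classic empty groupOfNames before the server does.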
Firewall Configuration
Ensure your firewall allows traffic on the standard LDAP port (389) if you plan to access the server from other machines.
Add the service:
sudo firewall-cmd --add-service=ldap --permanent
Reload the firewall rules:
sudo firewall-cmd --reload
Your OpenLDAP server is now installed and has a basic configuration. You can begin adding user and group entries using tools like ldapadd or graphical LDAP clients. Remember to secure your manager password and restrict access to the server appropriately.
Source: https://kifarunix.com/install-and-configure-openldap-server-on-fedora-29/