
Mastering OpenLDAP on CentOS 8: A Comprehensive Installation and Configuration Guide
In modern IT environments, managing user accounts across multiple servers can quickly become a complex and error-prone task. A centralized directory service is the definitive solution, and OpenLDAP stands as a powerful, open-source implementation of the Lightweight Directory Access Protocol. By setting up an OpenLDAP server, you can centralize user authentication, streamline administration, and enhance security.
This guide provides a detailed, step-by-step walkthrough for installing and configuring a robust OpenLDAP server on CentOS 8. We will cover everything from initial package installation to creating your first user, ensuring you have a solid foundation for your centralized authentication system.
Step 1: Installing OpenLDAP Packages
The first step is to install the necessary OpenLDAP packages from the official CentOS repositories. These packages include the server daemon (slapd), client tools, and utilities.
Open your terminal and run the following command as a user with sudo privileges:
sudo dnf install openldap openldap-clients openldap-servers
Once the installation is complete, verify it by printing the version of the installed server (slapd is installed under /usr/sbin, so prefix the command with sudo if that directory is not on your PATH):
slapd -V
Step 2: Starting and Enabling the OpenLDAP Service
With the packages installed, the next step is to start the OpenLDAP server daemon, known as slapd. It’s also crucial to enable the service so it automatically starts whenever the system reboots.
Use the systemctl command to perform both actions at once:
sudo systemctl enable --now slapd
You can confirm that the service is active and running without errors by checking its status:
sudo systemctl status slapd
You should see an “active (running)” status in the output.
Step 3: Securing and Configuring the LDAP Root User
The packaged default configuration ships with a placeholder suffix and root DN and no administrator password (olcRootPW is not set), so pointing the directory at your own domain and giving the administrator a strong password is the first thing to do.
First, we will generate a secure, hashed password using the slappasswd utility. When prompted, enter a strong, unique password.
slappasswd
The command will output a password hash such as {SSHA}xxxxxxxxxxxxxxxxxxxxxxxxxxxx (slappasswd uses salted SHA-1, {SSHA}, by default). Copy the entire hash string; the hash, never the password itself, goes into the configuration.
Next, we will create a configuration file in LDIF (LDAP Data Interchange Format) to apply our settings. Create a new file named db.ldif:
nano db.ldif
Paste the following content into the file. Be sure to:
- Replace dc=example,dc=com with your own domain components. For instance, if your domain is mydomain.net, you would use dc=mydomain,dc=net.
- Replace the olcRootPW value with the password hash you just generated.
- Check the backend name in the three dn: lines. The stock configuration under /etc/openldap/slapd.d creates the user database as olcDatabase={2}hdb, but newer builds create it as olcDatabase={2}mdb; look in /etc/openldap/slapd.d/cn=config/ for the olcDatabase={2}... file and use that name, or ldapmodify will fail with "No such object".
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=example,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=admin,dc=example,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxxxxxx
Save and close the file (the blank lines between the three records are required: ldapmodify treats each blank-line-separated block as one change). Now apply this configuration using the ldapmodify command, authenticating as root over the local ldapi socket:
sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f db.ldif
Step 4: Importing Essential LDAP Schemas
Schemas define the types of objects and attributes you can store in your LDAP directory (e.g., users, groups, permissions). We need to import several core schemas to support standard user and group management.
Run the following commands to import the cosine, nis, and inetorgperson schemas. Keep this order: nis.ldif depends on attribute types defined in cosine.ldif, so importing it first fails.
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
Successful execution of these commands is vital for creating standard user accounts later.
Step 5: Defining Your Directory’s Base Structure
Now we need to create the base structure for our domain within the LDAP directory. This typically involves creating an “Organizational Unit” (OU) for users and another for groups.
Create a new LDIF file named base.ldif:
nano base.ldif
Paste the following content into the file, again replacing dc=example,dc=com with your domain components.
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: Example Inc
dc: example

dn: cn=admin,dc=example,dc=com
objectClass: organizationalRole
cn: admin
description: Directory Manager

dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Groups,dc=example,dc=com
objectClass: organizationalUnit
ou: Groups
Now, add this structure to your directory. This time you bind with simple authentication (-x) as the administrator DN set in Step 3 (-D) and are prompted for its password (-W); the dc value in the first entry must be the first label of your domain (mydomain for mydomain.net).
ldapadd -x -W -D "cn=admin,dc=example,dc=com" -f base.ldif
You will be prompted to enter the LDAP password.
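The three steps above hand-edit the same domain components into several files and hard-code the backend name. The following script, an added example rather than code from the original article, generates db.ldif (Step 3) and base.ldif (Step 5) from one domain name so that olcSuffix, olcRootDN, the dc attribute and the OU DNs cannot drift apart, and looks up the backend database DN in cn=config instead of assuming olcDatabase={2}hdb. The function names are this example's own; backend_dn and apply_config need root and a running slapd, the generator functions run offline.

```shell
#!/bin/sh
# Added example, not code from the original article. Generates db.ldif
# (Step 3) and base.ldif (Step 5) from one domain name and detects the
# backend database DN ({2}hdb or {2}mdb) instead of hard-coding it.
# Assumptions: function names are this example's own; backend_dn and
# apply_config need root and a running slapd, the rest runs offline.

set -eu

# "mydomain.net" -> "dc=mydomain,dc=net"
domain_to_dn() {
    _old_ifs=$IFS
    IFS=.
    set -f                  # labels are expanded unquoted; disable globbing
    set -- $1
    set +f
    IFS=$_old_ifs
    _dn=""
    for _label; do
        _dn="${_dn:+$_dn,}dc=$_label"
    done
    printf '%s' "$_dn"
}

# "mydomain.net" -> "mydomain" (value of the top entry's dc attribute)
first_label() {
    printf '%s' "${1%%.*}"
}

# DN of the user database in cn=config: {2}hdb on the older stock config,
# {2}mdb on newer builds. Root-only: ldapi EXTERNAL maps uid 0 to the
# config manager.
backend_dn() {
    ldapsearch -LLL -Q -Y EXTERNAL -H ldapi:/// -b cn=config '(olcDatabase=*)' dn \
        | sed -n 's/^dn: \(olcDatabase={2}[a-z]*,cn=config\)$/\1/p'
}

# Step 3. Three modify records for one ldapmodify run; records must be
# separated by a blank line.  $1 = domain, $2 = slappasswd hash, $3 = backend DN
gen_db_ldif() {
    _base=$(domain_to_dn "$1")
    printf 'dn: %s\nchangetype: modify\nreplace: olcSuffix\nolcSuffix: %s\n\n' "$3" "$_base"
    printf 'dn: %s\nchangetype: modify\nreplace: olcRootDN\nolcRootDN: cn=admin,%s\n\n' "$3" "$_base"
    printf 'dn: %s\nchangetype: modify\nreplace: olcRootPW\nolcRootPW: %s\n' "$3" "$2"
}

# Step 5. Top entry, admin role, People and Groups OUs.
# $1 = domain, $2 = organisation name for the o attribute
gen_base_ldif() {
    _base=$(domain_to_dn "$1")
    printf 'dn: %s\nobjectClass: top\nobjectClass: dcObject\nobjectClass: organization\no: %s\ndc: %s\n\n' \
        "$_base" "$2" "$(first_label "$1")"
    printf 'dn: cn=admin,%s\nobjectClass: organizationalRole\ncn: admin\ndescription: Directory Manager\n\n' "$_base"
    printf 'dn: ou=People,%s\nobjectClass: organizationalUnit\nou: People\n\n' "$_base"
    printf 'dn: ou=Groups,%s\nobjectClass: organizationalUnit\nou: Groups\n' "$_base"
}

# Live run: writes the files with restrictive permissions (db.ldif carries
# the root password hash) and applies them exactly as Steps 3 and 5 do.
# $1 = domain, $2 = slappasswd hash, $3 = organisation name
apply_config() {
    umask 077
    gen_db_ldif "$1" "$2" "$(backend_dn)" > db.ldif
    ldapmodify -Y EXTERNAL -H ldapi:/// -f db.ldif
    gen_base_ldif "$1" "$3" > base.ldif
    ldapadd -x -W -D "cn=admin,$(domain_to_dn "$1")" -f base.ldif
}

# Usage: sudo sh ldap-bootstrap.sh apply mydomain.net "$(slappasswd)" "My Domain Ltd"
if [ "${1:-}" = "apply" ]; then
    apply_config "$2" "$3" "$4"
fi
```

Running the generator functions without the apply argument lets you inspect the LDIF before anything touches cn=config; the umask in apply_config matters because db.ldif holds the administrator's password hash and otherwise lands world-readable in your home directory.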
Step 6: Configuring Firewall Rules for LDAP Access
To allow other machines on the network to connect to your LDAP server, you must open the necessary port in the system firewall. LDAP listens on TCP port 389; without TLS, a simple bind over that port sends the user's password in clear text, and LDAPS (LDAP over SSL/TLS) on TCP port 636 exists to prevent exactly that.
sudo firewall-cmd --add-service=ldap --permanent
sudo firewall-cmd --reload
These commands open only port 389 (firewalld's "ldap" service). For anything beyond a lab, configure TLS on the server first, then either open firewalld's "ldaps" service for port 636 or keep 389 and require STARTTLS, and limit the allowed source addresses to the hosts that actually authenticate against the directory rather than exposing the port to every network the server sits on.
Step 7: Adding Your First User to the Directory
With the server fully configured, let’s test it by adding a new user. First, create another LDIF file named newuser.ldif:
nano newuser.ldif
Paste the following user definition, customizing the values as needed. Remember to update the domain components (dc=example,dc=com).
dn: uid=testuser,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: Test User
sn: User
uid: testuser
userPassword: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxxxxxx
Note: Generate a fresh hash for the userPassword field with slappasswd (salted SHA-1, {SSHA}, by default). Never put a cleartext password in an LDIF file, and remove the file or restrict its permissions once it has been loaded, because it still carries the hash.
Add the new user to the directory using the ldapadd command:
ldapadd -x -W -D "cn=admin,dc=example,dc=com" -f newuser.ldif
Finally, you can verify that the user was created successfully by performing a search:
ldapsearch -x -b "ou=People,dc=example,dc=com"
This search binds anonymously (-x with no -D), so it also doubles as a quick access-control check: it should display the "testuser" entry you just created, but it must not show a userPassword line. If it does, the database ACL lets anyone on the network read password hashes, and you should tighten it before pointing clients at the server.
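The following script, an added example rather than code from the original article, turns that check into something you can run after Step 7: it counts userPassword values in an anonymous ldapsearch dump and generates the ACL that hides the attribute from everyone but the owner (for changing it) and the bind operation. Function names are this example's own; the backend DN is passed in ({2}hdb or {2}mdb, whichever your cn=config has), and the two sample dumps are constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example, not code from the original article. Checks whether an
# anonymous search returns password hashes and produces the ACL that stops
# it. Function names are this example's own; the sample dumps below are
# constructed, and the backend DN is an argument, not detected.

set -eu

# Count userPassword values in LDIF read on stdin. ldapsearch -LLL writes the
# attribute base64-encoded as "userPassword::"; the pattern matches both forms.
count_userpassword() {
    grep -c '^userPassword:' || true
}

# Constructed: what an anonymous "ldapsearch -x -LLL -b ou=People,..." returns
# when the database ACL lets everyone read every attribute. The base64 value
# decodes to the placeholder {SSHA} followed by 24 x characters.
SAMPLE_LEAKY_DUMP='dn: uid=testuser,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: Test User
sn: User
uid: testuser
userPassword:: e1NTSEF9eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4
'

# Constructed: the same entry once userPassword is hidden from anonymous reads.
SAMPLE_CLEAN_DUMP='dn: uid=testuser,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: Test User
sn: User
uid: testuser
'

# ACL for the user database: a user may change its own password, anonymous
# clients may only present it to bind, nobody else can read it; all other
# attributes stay readable. "replace" drops every olcAccess value the
# database already has, so list every rule you want to keep. The rootdn
# bypasses ACLs, so the admin needs no rule of its own.  $1 = backend DN
gen_acl_ldif() {
    printf 'dn: %s\nchangetype: modify\nreplace: olcAccess\n' "$1"
    printf 'olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none\n'
    printf 'olcAccess: {1}to * by self write by * read\n'
}

# Live check against the running server with an anonymous simple bind.
# Returns 0 when no hashes are visible, 1 when they leak, 2 when the search
# itself failed (server down, wrong base).  $1 = base DN
anonymous_leak_check() {
    _out=$(ldapsearch -x -LLL -b "$1" userPassword) || return 2
    _n=$(printf '%s\n' "$_out" | count_userpassword)
    [ "$_n" -eq 0 ]
}

# Usage: sh ldap-acl-check.sh check dc=example,dc=com
#        sh ldap-acl-check.sh acl olcDatabase={2}mdb,cn=config | sudo ldapmodify -Y EXTERNAL -H ldapi:///
case "${1:-}" in
    check) anonymous_leak_check "$2" ;;
    acl)   gen_acl_ldif "$2" ;;
esac
```

Run the check before and after applying the ACL; the second run must return 0 while the same search performed with -D "uid=testuser,..." -W still shows the user its own hash, which confirms that "by self write" is in effect rather than the attribute being hidden from everyone.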
Conclusion
You have installed and configured a working OpenLDAP server on CentOS 8 with your own suffix, an administrator password, the core schemas, a base tree and a first user. From here, configure client systems to authenticate against it, set up TLS so that binds no longer cross the network in clear text, review the database ACLs, and build out the directory structure to meet your organization's needs.
Source: https://kifarunix.com/install-and-setup-openldap-on-centos-8/