
A Step-by-Step Guide to Installing and Configuring OpenLDAP on Rocky Linux 9
Centralized authentication is a cornerstone of modern IT infrastructure, allowing for streamlined user management and enhanced security across multiple systems. OpenLDAP, the premier open-source implementation of the Lightweight Directory Access Protocol, provides a robust and flexible solution for creating a central directory service. This guide will walk you through the complete process of installing and configuring an OpenLDAP server on Rocky Linux 9, from initial setup to client authentication.
Prerequisites
Before you begin, ensure you have the following:
- A running instance of Rocky Linux 9.
- Root or sudo privileges.
- A basic understanding of the Linux command line.
Step 1: Installing the Necessary OpenLDAP Packages
The first step is to install the OpenLDAP server and client packages from the default Rocky Linux repositories. The server package contains the core daemon (slapd), while the client package provides command-line utilities for interacting with the directory.
Open your terminal and execute the following command:
sudo dnf install openldap-servers openldap-clients
This command will download and install all the required dependencies for running your LDAP server.
Step 2: Initializing the OpenLDAP Configuration
Once installed, you need to prepare the database environment. OpenLDAP comes with a sample database configuration file that serves as an excellent starting point.
Copy the sample configuration file to the OpenLDAP data directory:
sudo cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
Assign the correct ownership to the data directory. The OpenLDAP service runs as the ldap user, so it needs permission to manage these files:
sudo chown -R ldap:ldap /var/lib/ldap
Step 3: Starting and Enabling the SLAPD Service
With the initial configuration in place, you can start the OpenLDAP server daemon, known as slapd.
Start the service:
sudo systemctl start slapd
Enable the service to start automatically on boot:
sudo systemctl enable slapd
Verify that the service is running without any errors:
sudo systemctl status slapd
You should see an “active (running)” status in the output.
Step 4: Configuring Firewall Rules for LDAP
For clients to connect to your OpenLDAP server, you must allow traffic through the system’s firewall. LDAP uses port 389 for standard connections and port 636 for secure connections (LDAPS).
Execute the following commands to permanently add a rule for the standard LDAP service and reload the firewall:
sudo firewall-cmd --add-service=ldap --permanent
sudo firewall-cmd --reload
Step 5: Securing the Root DSE and Defining Your Directory Structure
Now it’s time to configure the core components of your directory: the administrator password and the directory’s base structure.
Generate a Hashed Administrator Password
Never store the root password in plaintext. Use the slappasswd utility to generate a secure, hashed password:
slappasswd
Enter your desired password twice. The command will output a hash string such as {SSHA}abcdef123...; copy this entire string, as you will need it shortly.
Create an LDIF File for the Root Password
Create a file named root_password.ldif and add the following content. Replace {SSHA}your_hashed_password with the hash you just generated.
dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}your_hashed_password
Apply the Password Change
Use the ldapmodify command to apply this change. The -Y EXTERNAL and -H ldapi:/// options allow you to authenticate securely over a local Unix socket without needing a password.
sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f root_password.ldif
Import Core Schemas
To store common object types like users and groups, you must import standard schemas:
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
Define Your Base Distinguished Name (DN)
Your Base DN is the root of your directory tree. This is typically based on your domain name. For example, if your domain is example.com, your Base DN would be dc=example,dc=com.
Create a file named base_dn.ldif with the following content, replacing example and com with your own domain details. The two records are separated by a blank line.
dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=example,dc=com

dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=example,dc=com
Apply this configuration file:
sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f base_dn.ldif
Step 6: Adding Organizational Units, Groups, and Users
With the directory structure defined, you can now populate it. A common practice is to create Organizational Units (OUs) to hold your users and groups.
Create an LDIF file for your base structure named structure.ldif. This example creates OUs for “People” (users) and “Group”; each entry is separated from the next by a blank line.
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: Example Corp
dc: example

dn: cn=Manager,dc=example,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=example,dc=com
objectClass: organizationalUnit
ou: Group
Add the structure to your directory. This time, you will authenticate using the Manager DN and the password you set earlier.
ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f structure.ldif
The -W flag will prompt you for the LDAP root password.
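Both LDIF files in Step 5 and Step 6 must agree on the same Base DN and the same Manager entry, and a typo in one of them is hard to spot once the suffix has been applied. The following POSIX shell script is an added example (not part of the original guide): it derives the Base DN from a DNS domain, rejects domains containing characters that would be spliced into a DN (such as "," or "="), and writes both base_dn.ldif and structure.ldif from that one value. It assumes, as the guide does, that the database is olcDatabase={2}mdb and the administrator entry is cn=Manager; the organisation name defaults to the first DNS label when not given.

```shell
#!/bin/sh
# Added example, not from the original guide: generate the Step 5 and Step 6
# LDIF files from a DNS domain. Assumes the mdb database is olcDatabase={2}mdb
# and the administrator entry is cn=Manager, as in the guide.

# domain_to_dn example.com  ->  dc=example,dc=com
# Returns 1 for anything that is not a plain DNS name, so a value such as
# "bad,dc=evil" cannot be spliced into the suffix or the root DN.
domain_to_dn() {
    domain=$1
    case $domain in
        ''|.*|*.|*..*|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    dn=''
    old_ifs=$IFS
    IFS=.
    for label in $domain; do
        if [ -z "$dn" ]; then dn="dc=$label"; else dn="$dn,dc=$label"; fi
    done
    IFS=$old_ifs
    printf '%s\n' "$dn"
}

# first_label example.com -> example (the dc: value of the root entry)
first_label() {
    printf '%s\n' "${1%%.*}"
}

# write_base_dn_ldif DOMAIN -> the Step 5 base_dn.ldif on stdout.
# LDIF records are separated by a blank line; both modify the same database.
write_base_dn_ldif() {
    base=$(domain_to_dn "$1") || return 1
    printf '%s\n' \
        'dn: olcDatabase={2}mdb,cn=config' \
        'changetype: modify' \
        'replace: olcSuffix' \
        "olcSuffix: $base" \
        '' \
        'dn: olcDatabase={2}mdb,cn=config' \
        'changetype: modify' \
        'replace: olcRootDN' \
        "olcRootDN: cn=Manager,$base"
}

# write_structure_ldif DOMAIN [ORG] -> the Step 6 structure.ldif on stdout
write_structure_ldif() {
    base=$(domain_to_dn "$1") || return 1
    org=${2:-$(first_label "$1")}
    printf '%s\n' \
        "dn: $base" \
        'objectClass: top' \
        'objectClass: dcObject' \
        'objectClass: organization' \
        "o: $org" \
        "dc: $(first_label "$1")" \
        '' \
        "dn: cn=Manager,$base" \
        'objectClass: organizationalRole' \
        'cn: Manager' \
        'description: Directory Manager' \
        '' \
        "dn: ou=People,$base" \
        'objectClass: organizationalUnit' \
        'ou: People' \
        '' \
        "dn: ou=Group,$base" \
        'objectClass: organizationalUnit' \
        'ou: Group'
}

# Usage: sh make_ldif.sh example.com "Example Corp"
if [ $# -ge 1 ]; then
    write_base_dn_ldif "$1" > base_dn.ldif || { echo "invalid domain: $1" >&2; exit 1; }
    write_structure_ldif "$1" "$2" > structure.ldif
    echo "wrote base_dn.ldif and structure.ldif for $(domain_to_dn "$1")"
fi
```

The generated files are then applied exactly as in the guide: base_dn.ldif with ldapmodify -Y EXTERNAL -H ldapi:/// and structure.ldif with ldapadd -x -D "cn=Manager,..." -W.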
Step 7: Configuring a Rocky Linux Client for LDAP Authentication
The final step is to configure a client machine to use your new OpenLDAP server for user authentication.
On the client machine, install the necessary packages:
sudo dnf install openldap-clients sssd-ldap
Use authselect to configure the system for authentication via SSSD (System Security Services Daemon). This command also enables the automatic creation of home directories for network users upon their first login.
sudo authselect select sssd with-mkhomedir
Configure SSSD by editing the /etc/sssd/sssd.conf file. Add the following configuration, replacing the ldap_uri and ldap_search_base with your server’s IP/hostname and Base DN.
[sssd]
services = nss, pam
domains = default

[nss]
filter_groups = root
filter_users = root

[pam]

[domain/default]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://your_ldap_server_ip
ldap_search_base = dc=example,dc=com
ldap_id_use_start_tls = True
cache_credentials = True
ldap_tls_reqcert = allow
Secure the configuration file as it may contain sensitive information.
sudo chmod 600 /etc/sssd/sssd.conf
Restart and enable the SSSD service:
sudo systemctl restart sssd
sudo systemctl enable sssd
To test, you can now try to SSH into the client machine using an LDAP user’s credentials, or use the id <ldap_username> command to verify that the client can retrieve user information from the LDAP server.
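The client configuration above turns StartTLS on, but ldap_tls_reqcert = allow tells SSSD to accept any server certificate, so the encrypted channel can terminate at a host that merely claims to be your directory. The script below is an added example, not part of the original guide or of SSSD: it reads the TLS-relevant options out of an sssd.conf and reports when the transport is unencrypted or the server certificate is not verified. The option names (ldap_uri, ldap_id_use_start_tls, ldap_tls_reqcert, ldap_tls_cacert) are SSSD's real ones; the two [domain/default] sections it audits are constructed for the demonstration, the first copied from the guide and the second hardened with LDAPS, ldap_tls_reqcert = demand and a CA path that is only a placeholder.

```shell
#!/bin/sh
# Added example, not from the original guide: audit the TLS-related settings
# of an sssd.conf before relying on it for authentication. The option names
# are SSSD's own; the two configuration files below are constructed.

# conf_value FILE KEY -> value of "KEY = value" (last occurrence wins), or empty
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# audit_sssd_tls FILE -> returns 0 when the client both encrypts the channel
# and verifies the server certificate; otherwise prints each finding, returns 1
audit_sssd_tls() {
    f=$1
    rc=0
    uri=$(conf_value "$f" ldap_uri)
    starttls=$(conf_value "$f" ldap_id_use_start_tls)
    reqcert=$(conf_value "$f" ldap_tls_reqcert)
    cacert=$(conf_value "$f" ldap_tls_cacert)

    case $uri in
        ldaps://*) ;;                 # LDAPS (port 636): encrypted from the first byte
        ldap://*)
            # plain ldap:// is only acceptable when StartTLS is forced on
            case $starttls in
                [Tt]rue) ;;
                *)  echo "FINDING: $uri without 'ldap_id_use_start_tls = True' sends bind passwords in clear"
                    rc=1 ;;
            esac ;;
        *)  echo "FINDING: missing or unrecognised ldap_uri '$uri'"
            rc=1 ;;
    esac

    # SSSD defaults ldap_tls_reqcert to 'hard'. 'allow', 'try' and 'never'
    # accept any certificate, so an impersonating server can collect passwords
    # over a perfectly encrypted channel.
    case ${reqcert:-hard} in
        demand|hard) ;;
        *)  echo "FINDING: ldap_tls_reqcert = '$reqcert' skips server certificate verification (set it to demand)"
            rc=1 ;;
    esac
    if [ -z "$cacert" ]; then
        echo "NOTE: ldap_tls_cacert is unset; verification falls back to the system/OpenLDAP CA defaults"
    fi
    return $rc
}

# Constructed demo configs (the [domain/default] section only)
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
# 1. as the guide shows it: StartTLS on, but any server certificate accepted
cat > "$demo_dir/weak.conf" <<'EOF'
[domain/default]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://your_ldap_server_ip
ldap_search_base = dc=example,dc=com
ldap_id_use_start_tls = True
cache_credentials = True
ldap_tls_reqcert = allow
EOF
# 2. hardened: LDAPS, certificate demanded and checked against a named CA
#    (hostname and CA path are placeholders)
cat > "$demo_dir/hardened.conf" <<'EOF'
[domain/default]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldap.example.com
ldap_search_base = dc=example,dc=com
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/openldap/certs/ca.crt
cache_credentials = True
EOF

for c in weak hardened; do
    if audit_sssd_tls "$demo_dir/$c.conf"; then
        echo "$c.conf: OK"
    else
        echo "$c.conf: needs attention"
    fi
done
```

Run it against a real file with audit_sssd_tls /etc/sssd/sssd.conf (as root, since the file is mode 600). The check is deliberately conservative: an unset ldap_tls_reqcert is treated as SSSD's default of hard, so only an explicit weakening is reported.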
Essential Security Best Practices for OpenLDAP
- Implement TLS/SSL (LDAPS): The configuration above uses start_tls, which is good, but for maximum security, configure your server to use LDAPS on port 636. This encrypts all communication between clients and the server, protecting credentials and data in transit.
- Use Strong Access Control Lists (ACLs): The default OpenLDAP ACLs are a good starting point, but they should be reviewed and tightened. Restrict read/write access based on the principle of least privilege to prevent unauthorized data exposure or modification.
- Regularly Audit and Monitor Logs: Keep a close eye on OpenLDAP logs for suspicious activity, such as a high number of failed bind attempts, which could indicate a brute-force attack.
- Keep Software Updated: Regularly update your OpenLDAP packages using dnf to protect against known vulnerabilities.
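The “failed bind attempts” item above is easiest to act on if the slapd stats log is summarised per client rather than read line by line. The script below is an added example, not part of the original guide: it correlates slapd's ACCEPT, BIND and RESULT lines through the connection id so that each failed bind (RESULT tag=97 err=49, invalidCredentials) is attributed to the client address and the DN it tried, then lists the clients whose total failures reach a threshold. The log excerpt is constructed for the demonstration; the line shapes follow slapd's standard “stats” logging, and the parser assumes IPv4 client addresses.

```shell
#!/bin/sh
# Added example, not from the original guide: summarise failed binds from slapd
# "stats" log lines so that a burst of failures from one client stands out.
# The log excerpt is constructed; the line shapes (ACCEPT / BIND / RESULT,
# err=49 = invalidCredentials) follow slapd's standard stats logging.

# failed_binds LOGFILE -> "count client_ip bind_dn", most failures first
failed_binds() {
    awk '
        # tok(line, "key=") returns the token that follows key=
        function tok(line, key,   s) {
            s = substr(line, index(line, key) + length(key))
            sub(/[ ]+.*/, "", s)
            return s
        }
        # ACCEPT ties a connection id to the client address (IPv4 form)
        /ACCEPT from IP=/ {
            c = tok($0, "conn=")
            split(tok($0, "IP="), a, ":")
            ip[c] = a[1]
        }
        # BIND records which identity this operation tries to authenticate as
        / BIND dn=/ {
            c = tok($0, "conn=")
            o = tok($0, "op=")
            match($0, /dn="[^"]*"/)
            dn[c, o] = substr($0, RSTART + 4, RLENGTH - 5)
        }
        # RESULT tag=97 is a bind response; err=49 means invalid credentials
        / RESULT tag=97 err=49/ {
            c = tok($0, "conn=")
            o = tok($0, "op=")
            fails[ip[c] " " dn[c, o]]++
        }
        END { for (k in fails) print fails[k], k }
    ' "$1" | sort -rn
}

# suspicious_sources LOGFILE THRESHOLD -> client IPs with at least THRESHOLD
# failed binds in total, regardless of which DNs they tried
suspicious_sources() {
    failed_binds "$1" | awk -v t="$2" '
        { tot[$2] += $1 }
        END { for (ip in tot) if (tot[ip] >= t) print ip }
    ' | sort
}

# Constructed excerpt: one client fails three times against two DNs, another
# client binds successfully and runs a search.
demo_log=$(mktemp)
trap 'rm -f "$demo_log"' EXIT
cat > "$demo_log" <<'EOF'
Jan 10 10:00:01 ldap slapd[1234]: conn=1001 fd=14 ACCEPT from IP=192.0.2.10:50214 (IP=0.0.0.0:389)
Jan 10 10:00:01 ldap slapd[1234]: conn=1001 op=0 BIND dn="uid=alice,ou=People,dc=example,dc=com" method=128
Jan 10 10:00:01 ldap slapd[1234]: conn=1001 op=0 RESULT tag=97 err=49 text=
Jan 10 10:00:02 ldap slapd[1234]: conn=1001 op=1 BIND dn="uid=alice,ou=People,dc=example,dc=com" method=128
Jan 10 10:00:02 ldap slapd[1234]: conn=1001 op=1 RESULT tag=97 err=49 text=
Jan 10 10:00:03 ldap slapd[1234]: conn=1001 op=2 BIND dn="cn=Manager,dc=example,dc=com" method=128
Jan 10 10:00:03 ldap slapd[1234]: conn=1001 op=2 RESULT tag=97 err=49 text=
Jan 10 10:00:05 ldap slapd[1234]: conn=1002 fd=15 ACCEPT from IP=198.51.100.7:40120 (IP=0.0.0.0:389)
Jan 10 10:00:05 ldap slapd[1234]: conn=1002 op=0 BIND dn="uid=bob,ou=People,dc=example,dc=com" method=128
Jan 10 10:00:05 ldap slapd[1234]: conn=1002 op=0 BIND dn="uid=bob,ou=People,dc=example,dc=com" mech=SIMPLE ssf=0
Jan 10 10:00:05 ldap slapd[1234]: conn=1002 op=0 RESULT tag=97 err=0 text=
Jan 10 10:00:06 ldap slapd[1234]: conn=1002 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(uid=bob)"
Jan 10 10:00:06 ldap slapd[1234]: conn=1002 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
EOF

echo "failed binds by client and DN:"
failed_binds "$demo_log"
echo "clients with 3 or more failed binds:"
suspicious_sources "$demo_log" 3
```

On a live server the same functions read the journal or syslog output of slapd (for example journalctl -u slapd --no-pager | failed_binds /dev/stdin); a client that cycles through several DNs, as 192.0.2.10 does in the excerpt, only becomes visible when failures are totalled per source rather than per account.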
Source: https://kifarunix.com/install-and-setup-openldap-on-rocky-linux-9/