The Lightweight Directory Access Protocol (LDAP) is a directory service protocol that runs on a layer above the TCP/IP stack. LDAP is a solution for accessing centrally stored information over a network. This centrally stored information is organized in a directory that follows the X.500 standard.

Following are the two most commonly used objects in OpenLDAP:

  1. cn (common name) – This refers to the leaf entries, which are end objects (for example: users and groups)
  2. dc (domain component) – This refers to one of the container entries in the LDAP hierarchy.

For example, if there is a user in the hierarchy user1.anoopkm.com, the fully distinguished name of this user is referred to as cn=user1,dc=anoopkm,dc=com. Note that in the FDN (fully distinguished name), a comma is used as the separator, not a dot.

Let us see how to set up a single instance of an LDAP server that can be used by multiple clients in your network for authentication.

Install OpenLDAP Packages

# yum install -y openldap openldap-clients openldap-servers

You should install the following three packages:

  1. openldap-servers – This is the main LDAP server
  2. openldap-clients – This contains all required LDAP client utilities
  3. openldap – This package contains the LDAP support libraries

LDAP config files

  • config.ldif – The LDAP default configuration is stored in the file /etc/openldap/slapd.d/cn=config.ldif, which is written in LDIF format. LDIF (LDAP Data Interchange Format) is a specific text format that allows you to enter information into the LDAP directory.
  • olcDatabase={2}bdb.ldif – You can modify settings such as the number of connections the server can support, timeouts and other database settings in the file /etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif. This file also contains parameters such as the LDAP root user and the base DN.

Create olcRootDN Account as Admin

It is always recommended to create a dedicated user account first with the full permissions to change information on the LDAP database.

Modify the olcDatabase={2}bdb.ldif file, and change the olcRootDN entry. The following is the default entry.

# grep olcRootDN /etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif
olcRootDN: cn=Manager,dc=my-domain,dc=com

Change the above line to an admin user. In this example, user “anoop” will be the olcRootDN.

olcRootDN: cn=anoop,dc=anoopkm,dc=com


Create olcRootPW Root Password

Now use the slappasswd command to create a hash for the root password you want to use. Once the hash is generated, open the olcDatabase={2}bdb.ldif file, add the olcRootPW parameter, and paste the hashed password as shown below.

Execute the following command and specify a password. This will generate the hash for the given password.

# slappasswd
New password: SecretLDAPRootPass2015
Re-enter new password: SecretLDAPRootPass2015
{SSHA}1pgok6qWn24lpBkVreTDboTr81rg4QC6

Take the hash output of the above command and add it as the olcRootPW parameter in the olcDatabase={2}bdb.ldif file. While editing this file, also change olcSuffix to your base DN, as shown below.

# vi /etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif
olcRootPW: {SSHA}1pgok6qWn24lpBkVreTDboTr81rg4QC6
olcSuffix: dc=anoopkm,dc=com

Verify The Configuration Files

Use the slaptest command to verify the configuration files. This should display the “config file testing succeeded” message as shown below.

# slaptest -u
config file testing succeeded

You might get the following messages during the above command, which you can ignore for now.

54a39508 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif"
54a39508 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif"

Start the LDAP Server

Start the LDAP server as shown below.

# service slapd start
Checking configuration files for slapd: [WARNING]
config file testing succeeded
Starting slapd:                         [  OK  ]

Verify the LDAP Search

To verify that the LDAP server is up and answering queries, run the following search against the base DN. Since the base entry has not been added yet, the server answers with result 32 (No such object) at this point; that response confirms the server is running and serving the suffix.

# ldapsearch -x -b "dc=anoopkm,dc=com"
# extended LDIF
#
# LDAPv3
# base <dc=anoopkm,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 32 No such object
# numResponses: 1

Base LDAP Structure in base.ldif

The use of OU (organizational unit) objects helps you provide additional structure to the LDAP database. If you are planning to add different types of entries, such as users, groups, computers, printers and more, to the LDAP directory, it is easier to put every entry type into its own container.

To create these OUs, you can create an initial LDIF file as shown in the example below. In this example, the file creates the base container dc=anoopkm,dc=com and two organizational units, users and groups, inside that container.

# cat base.ldif
dn: dc=anoopkm,dc=com
objectClass: dcObject
objectClass: organization
o: anoopkm.com
dc: anoopkm

dn: ou=users,dc=anoopkm,dc=com
objectClass: organizationalUnit
objectClass: top
ou: users

dn: ou=groups,dc=anoopkm,dc=com
objectClass: organizationalUnit
objectClass: top
ou: groups
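To generalize the domain-to-DN mapping and the base.ldif layout above, here is an added Python example (not from the original article) that derives the base DN from any DNS domain, including multi-label ones, and renders the dcObject root entry plus one OU container per name, with the blank line that LDIF requires between entries. The function names are my own.

```python
from typing import Iterable, List


def domain_to_base_dn(domain: str) -> str:
    """Map a DNS domain to its LDAP base DN.

    Each label becomes a dc= component, joined by commas (not dots),
    most specific label first: anoopkm.com -> dc=anoopkm,dc=com.
    """
    labels = [label.strip().lower() for label in domain.strip(".").split(".")]
    # Reject empty labels and characters that are not valid in a DNS label.
    if not labels or any(not l or not l.replace("-", "").isalnum() for l in labels):
        raise ValueError(f"invalid domain: {domain!r}")
    return ",".join(f"dc={label}" for label in labels)


def base_ldif(domain: str, ous: Iterable[str] = ("users", "groups")) -> str:
    """Render base.ldif: the dcObject/organization root entry for the suffix
    plus one organizationalUnit container per name in `ous`."""
    base_dn = domain_to_base_dn(domain)
    first_label = base_dn.split(",")[0][len("dc="):]   # the dc attribute of the root
    entries: List[str] = [
        "\n".join([
            f"dn: {base_dn}",
            "objectClass: dcObject",
            "objectClass: organization",
            f"o: {domain}",
            f"dc: {first_label}",
        ])
    ]
    for ou in ous:
        entries.append("\n".join([
            f"dn: ou={ou},{base_dn}",
            "objectClass: organizationalUnit",
            "objectClass: top",
            f"ou: {ou}",
        ]))
    # LDIF separates entries with a blank line; without it ldapadd rejects the file.
    return "\n\n".join(entries) + "\n"
```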

Import Base Structure Using ldapadd

Now we can import the base structure into the LDAP directory using the ldapadd command as shown below.

# ldapadd -x -W -D "cn=anoop,dc=anoopkm,dc=com" -f base.ldif
Enter LDAP Password:
adding new entry "dc=anoopkm,dc=com"
adding new entry "ou=users,dc=anoopkm,dc=com"
adding new entry "ou=groups,dc=anoopkm,dc=com"

Verify the Base Structure using ldapsearch

To verify the OUs are successfully created, use the following ldapsearch command.

# ldapsearch -x -W -D "cn=anoop,dc=anoopkm,dc=com" -b "dc=anoopkm,dc=com" "(objectclass=*)"
Enter LDAP Password:

The output of the above command will display all the objects in the LDAP directory structure.


# extended LDIF
#
# LDAPv3
# base <dc=anoopkm,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# anoopkm.com
dn: dc=anoopkm,dc=com
objectClass: dcObject
objectClass: organization
o: anoopkm.com
dc: anoopkm
# users, anoopkm.com
dn: ou=users,dc=anoopkm,dc=com
objectClass: organizationalUnit
objectClass: top
ou: users
# groups, anoopkm.com
dn: ou=groups,dc=anoopkm,dc=com
objectClass: organizationalUnit
objectClass: top
ou: groups
# search result
search: 2
result: 0 Success
# numResponses: 4
# numEntries: 3

In the next OpenLDAP article, I will explain how to add new users and groups to the LDAP directory.
