install openldap on centos 8

This tutorial will cover how to install OpenLDAP on CentOS 8. LDAP is a lightweight domain authentication protocol. This means that you can use LDAP as a central authentication system for both users and systems such as Postfix. It can be compared to Microsoft’s Active Directory. OpenLDAP is an opensource LDAP system that runs on Linux systems.

Install OpenLDAP on CentOS 8

In this guide, we shall build the latest source release of OpenLDAP as opposed to using the available version provided by PowerTools.

Follow the steps below to setup OpenLDAP server on CentOS 8.

Update System

Run system updates and upgrade the packages.

sudo dnf update
sudo dnf upgrade -y

Reboot after upgrade:

sudo reboot

Install required software Packages

Install the required packages that will allow you to successfully build OpenLDAP.

sudo dnf install wget vim cyrus-sasl-devel libtool-ltdl-devel openssl-devel libdb-devel make libtool autoconf  tar gcc perl perl-devel -y

Add EPEL for EL 7 which contains wiredtiger packages required:

sudo tee /etc/yum.repos.d/epel-el7.repo<<EOF
[epel-el7]
name=Extra Packages for Enterprise Linux 7 - x86_64
baseurl=https://dl.fedoraproject.org/pub/epel/7/x86_64/
enabled=0
gpgcheck=0
EOF

Install wiredtiger packages:

sudo dnf --enablerepo=epel-el7 install wiredtiger wiredtiger-devel

Accept installation prompts:

....
Extra Packages for Enterprise Linux 7 - x86_64                                                                                     49 MB/s |  17 MB     00:00
Last metadata expiration check: 0:00:05 ago on Thu 10 Jun 2021 07:51:03 AM UTC.
Dependencies resolved.
==================================================================================================================================================================
 Package                                     Architecture                      Version                                  Repository                           Size
==================================================================================================================================================================
Installing:
 wiredtiger                                  x86_64                            2.6.1-1.el7                              epel-el7                             30 k
 wiredtiger-devel                            x86_64                            2.6.1-1.el7                              epel-el7                             40 k
Installing dependencies:
 wiredtiger-libs                             x86_64                            2.6.1-1.el7                              epel-el7                            434 k

Transaction Summary
==================================================================================================================================================================
Install  3 Packages

Total download size: 503 k
Installed size: 1.3 M
Is this ok [y/N]: y

Create LDAP system account

We need to create a non-privileged system user for OpenLDAP.

sudo useradd -r -M -d /var/lib/openldap -u 55 -s /usr/sbin/nologin ldap

Download OpenLDAP Source file

At the time of this tutorial, the latest version for OpenLDAP was 2.5.5.

Download the latest release from this page.

We’ll declare the version to your shell

VER=2.5.5
wget https://www.openldap.org/software/download/OpenLDAP/openldap-release/openldap-$VER.tgz

Extract the downloaded file:

tar xzf openldap-$VER.tgz

Install OpenLDAP

Move the extracted files to /opt/ then compile the source files.

sudo mv openldap-$VER /opt
cd /opt/openldap-$VER

Compile the source files

sudo ./configure --prefix=/usr --sysconfdir=/etc --disable-static \
--enable-debug --with-tls=openssl --with-cyrus-sasl --enable-dynamic \
--enable-crypt --enable-spasswd --enable-slapd --enable-modules \
--enable-rlookups --enable-backends=mod --disable-ndb --disable-sql \
--disable-shell --disable-bdb --disable-hdb --enable-overlays=mod

Upon successful compilation, you should see an output that says: “Please run “make depend” to build dependencies”

Run make depend to build OpenLDAP dependencies.

sudo make depend

Compile

sudo make

Install OpenLDAP

sudo make install

A successful installation creates configuration files at /etc/openldap. The following files are available after installation:

certs  ldap.conf  ldap.conf.default  schema  slapd.conf  slapd.conf.default  slapd.ldif  slapd.ldif.default

Configuring OpenLDAP

Let’s proceed to configuring OpenLDAP.

First, we need to create OpenLDAP database directories.

mkdir /var/lib/openldap /etc/openldap/slapd.d

Set the proper permisions to he OpenLDAP directories

sudo chown -R ldap:ldap /var/lib/openldap
sudo chown root:ldap /etc/openldap/slapd.conf
sudo chmod 640 /etc/openldap/slapd.conf

Create OpenLDAP SUDO schema

Check if your sudo version supports LDAP.

sudo -V |  grep -i "ldap"

You should see the lines below in the output if your system supports LDAP.

ldap.conf path: /etc/sudo-ldap.conf
ldap.secret path: /etc/ldap.secret

Confirm if LDAP sudo schema is available on your system

rpm -ql sudo |  grep -i schema.openldap

Sample output

/usr/share/doc/sudo/schema.OpenLDAP
Install OPENLDAP on centos8

Copy the schema to the ldap schema directory.

sudo cp /usr/share/doc/sudo/schema.OpenLDAP  /etc/openldap/schema/sudo.schema

Create a sudo schema ldif file.

sudo su -

Run below to add lines to the file:

cat << 'EOL' > /etc/openldap/schema/sudo.ldif
dn: cn=sudo,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: sudo
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may  run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 'Command(s) to be executed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs' DESC 'User(s) impersonated by sudo (deprecated)' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption' DESC 'Options(s) followed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.6 NAME 'sudoRunAsUser' DESC 'User(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.7 NAME 'sudoRunAsGroup' DESC 'Group(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcObjectClasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL DESC 'Sudoer Entries' MUST ( cn ) MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ sudoRunAsGroup $ sudoOption $ description ) )
EOL

Configure SLAPD database

Update the content of the /etc/openldap/slapd.ldif

sudo mv /etc/openldap/slapd.ldif /etc/openldap/slapd.ldif.bak
sudo vi /etc/openldap/slapd.ldif

Paster below data:

dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/lib/openldap/slapd.args
olcPidFile: /var/lib/openldap/slapd.pid

dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema

dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/libexec/openldap
olcModuleload: back_mdb.la

include: file:///etc/openldap/schema/core.ldif
include: file:///etc/openldap/schema/cosine.ldif
include: file:///etc/openldap/schema/nis.ldif
include: file:///etc/openldap/schema/inetorgperson.ldif
include: file:///etc/openldap/schema/sudo.ldif

dn: olcDatabase=frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: frontend
olcAccess: to dn.base="cn=Subschema" by * read
olcAccess: to * 
  by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage 
  by * none

dn: olcDatabase=config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: config
olcRootDN: cn=config
olcAccess: to * 
  by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage 
  by * none

Perform a dry run to check the configurarion

sudo slapadd -n 0 -F /etc/openldap/slapd.d -l /etc/openldap/slapd.ldif -u

Execute the command to write the changes

sudo slapadd -n 0 -F /etc/openldap/slapd.d -l /etc/openldap/slapd.ldif

The above command creates slapd database configurations and puts them under /etc/openldap/slapd.d.

$ ls /etc/openldap/slapd.d
'cn=config'  'cn=config.ldif'

Set the right ownership to the slapd directory

sudo chown -R ldap:ldap /etc/openldap/slapd.d

Create OpenLDAP Service

Create a systemd service

$ sudo vim /etc/systemd/system/slapd.service

[Unit]
Description=OpenLDAP Server Daemon
After=syslog.target network-online.target
Documentation=man:slapd
Documentation=man:slapd-mdb

[Service]
Type=forking
PIDFile=/var/lib/openldap/slapd.pid
Environment="SLAPD_URLS=ldap:/// ldapi:/// ldaps:///"
Environment="SLAPD_OPTIONS=-F /etc/openldap/slapd.d"
ExecStart=/usr/libexec/slapd -u ldap -g ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS

[Install]
WantedBy=multi-user.target

Restart daemon

sudo systemctl daemon-reload

Start slapd service

sudo systemctl enable --now slapd

Check status

$ systemctl status slapd
install openldap on centos8 1

Configure OpenLDAP Default Root DN

Create MDB database with the root DN and the ACLs.

Generate root password:

$ sudo slappasswd

Copy the generated hash password to a text editor. This will be needed in the rootdn.ldif file at the olcRootPW entry.

vim rootdn.ldif

Add the content below replacing dc=ldapmaster,dc=computingforgeeks,dc=com with your domain information.

dn: olcDatabase=mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: mdb
olcDbMaxSize: 42949672960
olcDbDirectory: /var/lib/openldap
olcSuffix: dc=ldapmaster,dc=computingforgeeks,dc=com
olcRootDN: cn=admin,dc=ldapmaster,dc=computingforgeeks,dc=com
olcRootPW: {SSHA}0phayAb6bQA9rONibLb97O5B89KPeNlW
olcDbIndex: uid pres,eq
olcDbIndex: cn,sn pres,eq,approx,sub
olcDbIndex: mail pres,eq,sub
olcDbIndex: objectClass pres,eq
olcDbIndex: loginShell pres,eq
olcDbIndex: sudoUser,sudoHost pres,eq
olcAccess: to attrs=userPassword,shadowLastChange,shadowExpire
  by self write
  by anonymous auth
  by dn.subtree="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage 
  by dn.subtree="ou=system,dc=ldapmaster,dc=computingforgeeks,dc=com" read
  by * none
olcAccess: to dn.subtree="ou=system,dc=ldapmaster,dc=computingforgeeks,dc=com" by dn.subtree="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
  by * none
olcAccess: to dn.subtree="dc=ldapmaster,dc=computingforgeeks,dc=com" by dn.subtree="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
  by users read 
  by * none

Update the slapd database

sudo ldapadd -Y EXTERNAL -H ldapi:/// -f rootdn.ldif

Define your Organization structure

Create the basedn.ldif file to define your organization structure.

vim basedn.ldif

With info similar to below – update to suit your domain.

dn: dc=ldapmaster,dc=computingforgeeks,dc=com
objectClass: dcObject
objectClass: organization
objectClass: top
o: computingforgeeks
dc: ldapmaster

dn: ou=groups,dc=ldapmaster,dc=computingforgeeks,dc=com
objectClass: organizationalUnit
objectClass: top
ou: groups

dn: ou=people,dc=ldapmaster,dc=computingforgeeks,dc=com
objectClass: organizationalUnit
objectClass: top
ou: people

Update database:

sudo ldapadd -Y EXTERNAL -H ldapi:/// -f basedn.ldif

Configure SSL/TLS

You can secure client-server communication between OpenLDAP and the client systems by enabling TLS/SSL.

You could use a self signed cert or Let’s Encrypt for this. We shall be using a self signed cert in this guide.

$ sudo openssl req -x509 -nodes -days 365 \
  -newkey rsa:2048 \
  -keyout /etc/pki/tls/ldapserver.key \
  -out /etc/pki/tls/ldapserver.crt

Set correct ownership.

sudo chown ldap:ldap /etc/pki/tls/{ldapserver.crt,ldapserver.key}

Create SSL configuration file:

$ sudo vi add-tls.ldif

With below information:

dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/pki/tls/ldapserver.crt
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/pki/tls/ldapserver.key
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/pki/tls/ldapserver.crt

Update slapd database

sudo ldapadd -Y EXTERNAL -H ldapi:/// -f add-tls.ldif

Update the CA locatin for OpenLDAP.

$ sudo vim /etc/openldap/ldap.conf

...
#TLS_CACERT     /etc/pki/tls/cert.pem
TLS_CACERT     /etc/pki/tls/ldapserver.crt

Create OpenLDAP Users

Define your users in the users.ldif file as follows:

$ sudo vim users.ldif

Here is sample data:

dn: uid=vshamallah,ou=people,dc=ldapmaster,dc=computingforgeeks,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: vshamallah
cn: Vic
sn: Shamallah
loginShell: /bin/bash
uidNumber: 10000
gidNumber: 10000
homeDirectory: /home/vshamallah
shadowMax: 60
shadowMin: 1
shadowWarning: 7
shadowInactive: 7
shadowLastChange: 0

dn: cn=vshamallah,ou=groups,dc=ldapmaster,dc=computingforgeeks,dc=com
objectClass: posixGroup
cn: vshamallah
gidNumber: 10000
memberUid: vshamallah

Update the LDAP database to add the new user

sudo ldapadd -Y EXTERNAL -H ldapi:/// -f users.ldif

Set the password for the user above with the command below:

sudo ldappasswd -H ldapi:/// -Y EXTERNAL -S "uid=vshamallah,ou=people,dc=ldapmaster,dc=computingforgeeks,dc=com"

Create LDAP Bind user

Create the OpenLDAP Bind DN and bind user. This is a user that will be used to perform LDAP openrations such as resolving user IDs and group IDs.

Create the BindDN password.

$ sudo slappasswd
New password: 
Re-enter new password: 
{SSHA}9Sx4MzBieiojFsXLgXDVnJavwt4vql4p

Obtain the hashed password and save it somewhere.

Create the bindDNuser.ldif file and add the content below, remember to replace the hashed password and the domain information with your details.

vim bindDNuser.ldif

Here is my configurations:

dn: ou=system,dc=ldapmaster,dc=computingforgeeks,dc=com
objectClass: organizationalUnit
objectClass: top
ou: system

dn: cn=readonly,ou=system,dc=ldapmaster,dc=computingforgeeks,dc=com
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: readonly
userPassword: {SSHA}9Sx4MzBieiojFsXLgXDVnJavwt4vql4p
description: Bind DN user for LDAP Operations

Update ldap database:

sudo ldapadd -Y EXTERNAL -H ldapi:/// -f bindDNuser.ldif

Allow OpenLDAP through Firewall

Allow OpenLDAP through the firewall to allow connections.

sudo firewall-cmd --add-service={ldap,ldaps} --permanent
sudo firewall-cmd --reload

At this point, OpenLDAP is configured and ready for use. You need to configure OpenLDAP clients on your systems to be able to connect to the OpenLDAP server.

OpenLDAP Replication guides:

Setup OpenLDAP Multi-Master Replication on CentOS 8

setup OpenLDAP Provider-Consumer replication

Follow the guide below to configure OpenLDAP clients:

Configure LDAP Client on Ubuntu

Your support is our everlasting motivation,
that cup of coffee is what keeps us going!


As we continue to grow, we would wish to reach and impact more people who visit and take advantage of the guides we have on our blog. This is a big task for us and we are so far extremely grateful for the kind people who have shown amazing support for our work over the time we have been online.

Thank You for your support as we work to give you the best of guides and articles. Click below to buy us a coffee.

17 COMMENTS

  1. Hello,

    At the step “Configure OpenLDAP Default Root DN”

    we have to edit the rootdn.ldif file, but I can’t find it.

    Where can I find it, and if i have to create it, where ?

    By the way, thanks for the guide, very helpful.

    Regards

  2. Package ‘wiredtiger’, required by ‘virtual:world’, not found

    Consider adjusting the PKG_CONFIG_PATH environment variable if you
    installed software in a non-standard prefix.

    Alternatively, you may set the environment variables WT_CFLAGS
    and WT_LIBS to avoid the need to call pkg-config.
    See the pkg-config man page for more details.

  3. Still getting error..
    ”””””””””””””””””””””””””””””””””””””””’
    Package ‘wiredtiger’, required by ‘virtual:world’, not found

    Consider adjusting the PKG_CONFIG_PATH environment variable if you
    installed software in a non-standard prefix.

    Alternatively, you may set the environment variables WT_CFLAGS
    and WT_LIBS to avoid the need to call pkg-config.
    See the pkg-config man page for more details.
    ””””””””””””””””””””””””””””””””””””””””””””’
    after installing ‘mongodb’ database package, which is based on ‘wiredtiger’ engine

    please help, if anyone resolve this error.

  4. Thanks for the tutorial. But i have an issue, when am updating the slapd database am getting the result

    SASL/EXTERNAL authentication started
    SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    SASL SSF: 0
    adding new entry “olcDatabase=mdb,cn=config”
    ldap_add: Insufficient access (50)

  5. Hello,

    Under the section titled ‘Configure SLAPD database’

    Step: Perform a dry run to check the configuration …

    ~]# slapadd -n 0 -F /etc/openldap/slapd.d -l /etc/openldap/slapd.ldif -u

    reason: ldif_read_record: include file:///etc/openldap/schema/ppolicy.ldif failed

    There is no such file called ppolicy.ldif created during the process before the above command and this is causing failures.

  6. Hi,

    I am also facing same issue while Step: Perform a dry run to check the configuration …

    ~]# slapadd -n 0 -F /etc/openldap/slapd.d -l /etc/openldap/slapd.ldif -u

    reason: ldif_read_record: include file:///etc/openldap/schema/ppolicy.ldif failed

    There is no such file called ppolicy.ldif created during the process before the above command and this is causing failures.

  7. Hi,

    I have done the setup but when I am trying to configure it in Apache Directory Studio, it gives error as ‘Missing schema location in RootDSE , using default schema’ and then after that AD studio shows nothing.

    Can you please help here?

    Thanks

  8. Hi Victor
    In section Create OpenLDAP Users , I get error:
    [[email protected] ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f users.ldif
    SASL/EXTERNAL authentication started
    SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    SASL SSF: 0
    adding new entry “uid=john,ou=people,dc=ldapmaster,dc=my-domain,dc=com”
    ldap_add: No such object (32)
    matched DN: dc=ldapmaster,dc=my-domain,dc=com

    [[email protected] ~]#

LEAVE A REPLY

Please enter your comment!
Please enter your name here