Introduction
This guide gives an overview of installing and configuring OpenLDAP on Fedora 40. The overview follows the 5W1H questions (What, Who, Where, When, Why, How) and closes with Consequences and a Conclusion; the command-by-command walkthrough (server, user accounts, client, replication) follows it.
Overview
What
OpenLDAP is an open-source implementation of the Lightweight Directory Access Protocol (LDAP). It provides directory services for centralized user management, authentication, and authorization.
Who
This guide is intended for system administrators and IT professionals who manage Linux servers and require centralized directory services for user and resource management.
Where
The installation and configuration can be performed on any server running Fedora 40 that needs to provide directory services for a networked environment.
When
The setup should be done during a planned maintenance window to minimize disruptions to the system and network services.
Why
Implementing OpenLDAP offers several advantages:
| Pros | Cons |
|---|---|
| Centralized user and resource management | Initial setup complexity |
| Scalability | Requires ongoing maintenance |
| Improved security and compliance | Learning curve for administrators |
How
Follow these steps to install and configure OpenLDAP on Fedora 40; each is carried out in detail in the sections below:

| Step | Action |
|---|---|
| 1 | Update your system: sudo dnf update -y |
| 2 | Install the server and client packages, then enable and start slapd: sudo dnf -y install openldap-servers openldap-clients; sudo systemctl enable --now slapd |
| 3 | Generate a password hash with slappasswd and store it as olcRootPW (slappasswd only prints the hash; it sets nothing by itself) |
| 4 | Configure the server by applying LDIF files with ldapmodify -Y EXTERNAL -H ldapi:///; do not hand-edit the files under /etc/openldap/slapd.d, slapd keeps that tree itself |
| 5 | Load the cosine, nis and inetorgperson schemas, set the suffix, root DN and access rules, and add the base entries |
| 6 | Verify the server answers queries: ldapsearch -x -LLL -H ldap:/// -b dc=srv,dc=world (use your own suffix) |
Consequences
Setting up OpenLDAP on Fedora 40 has the consequences already summarized in the Pros/Cons table under Why: on the positive side, centralized user and resource management, scalability, and better security and compliance; on the negative side, initial setup complexity, ongoing maintenance, and a learning curve for administrators.
Conclusion
Setting up OpenLDAP on Fedora 40 is crucial for organizations requiring centralized directory services for user and resource management. Although the initial setup can be complex and requires ongoing maintenance, the benefits of improved security, scalability, and centralized management make it a valuable addition to any IT infrastructure. By following this guide, system administrators can ensure a successful installation and configuration of OpenLDAP, leveraging its capabilities for efficient and secure directory services.
Configure LDAP Server
Configure an OpenLDAP server so that user accounts can be shared by the hosts on your local network. In the examples the server is the host shown as bizantum (dlp.bizantum.lab in the client configuration, 10.0.0.30 in the replication configuration); node01 is the client and, later, the replication consumer.
Step [1]Install OpenLDAP.
[root@bizantum ~]# dnf -y install openldap-servers openldap-clients
[root@bizantum ~]# systemctl enable --now slapd
Step [2]Set the OpenLDAP admin password for the configuration database (cn=config). This is only needed if you want to bind to cn=config with a password, for example from another host; root on the server can already modify it over ldapi:/// with SASL EXTERNAL, which is what every ldapadd/ldapmodify command in this guide does.
# generate a password hash ({SSHA} by default); slappasswd prints it and changes nothing
[root@bizantum ~]# slappasswd
New password:
Re-enter new password:
{SSHA}xxxxxxxxxxxxxxxxxxxxxxxx
[root@bizantum ~]# vi chrootpw.ldif
# paste the hash printed by slappasswd as the olcRootPW value (the {SSHA}xxx placeholder below)
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx
[root@bizantum ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={0}config,cn=config"
Step [3]Import the basic schemas. Keep this order: nis and inetorgperson both depend on cosine (core is already loaded on Fedora 40). Re-importing a schema that is already present fails with "Already exists (68)", which is harmless.
[root@bizantum ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"
[root@bizantum ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"
[root@bizantum ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"
Step [4]Set your domain name on the LDAP DB. The database indexes used below ({1}monitor, {2}mdb) are the Fedora 40 defaults; confirm them first by listing the olcDatabase entries under cn=config over ldapi:///, because a wrong index silently configures the wrong database. Read the access rules before applying them: only the manager, and each user for their own entry, may write userPassword and shadowLastChange; anonymous clients may only use them to bind (auth); everything else in the tree is readable by anyone, anonymous included, because of `by * read`. Change that to `by users read` if the directory must not be enumerable without a bind; SSSD clients then need ldap_default_bind_dn and ldap_default_authtok for their lookups.
# generate the directory manager's password hash
[root@bizantum ~]# slappasswd
New password:
Re-enter new password:
{SSHA}xxxxxxxxxxxxxxxxxxxxxxxx
[root@bizantum ~]# vi chdomain.ldif
# replace dc=srv,dc=world with your own suffix everywhere below
# paste the hash generated above as the olcRootPW value
# records are separated by blank lines; each olcAccess value stays on one line
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=srv,dc=world" read by * none

dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=srv,dc=world

dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=srv,dc=world

dn: olcDatabase={2}mdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx

dn: olcDatabase={2}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=Manager,dc=srv,dc=world" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=srv,dc=world" write by * read
[root@bizantum ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}monitor,cn=config"
modifying entry "olcDatabase={2}mdb,cn=config"
modifying entry "olcDatabase={2}mdb,cn=config"
modifying entry "olcDatabase={2}mdb,cn=config"
modifying entry "olcDatabase={2}mdb,cn=config"
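What the three olcAccess rules just applied actually grant is easy to misread, so here is an added example, written for this page and not code from OpenLDAP or the original tutorial, that models slapd's evaluation order (the first `to` clause whose target matches is selected, then the first `by` clause matching the requester decides, and a `to` clause with no matching `by` means no access) for exactly the selector forms used in chdomain.ldif, and prints the resulting access matrix for an anonymous client, an ordinary user and cn=Manager. A second rule set, HARDENED_ACL, replaces `by * read` with `by users read` to show what removing anonymous read changes. The model is deliberately narrow: no dn.subtree or regex selectors, no stop/continue/break controls, no SSF checks; anything it does not know raises instead of guessing. The user DNs (uid=fedora and uid=redhat under ou=People) are the ones this page creates later.

```python
import re

# Simplified model of slapd ACL evaluation, limited to the selectors used in
# chdomain.ldif: to *, to attrs=<list>, to dn.base="<dn>";
# by *, by anonymous, by users, by self, by dn="<dn>".
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

MANAGER = "cn=Manager,dc=srv,dc=world"

# The three rules exactly as chdomain.ldif adds them to olcDatabase={2}mdb.
PAGE_ACL = [
    f'to attrs=userPassword,shadowLastChange by dn="{MANAGER}" write by anonymous auth by self write by * none',
    'to dn.base="" by * read',
    f'to * by dn="{MANAGER}" write by * read',
]

# Same rules with anonymous enumeration removed: only bound users may read.
HARDENED_ACL = PAGE_ACL[:2] + [f'to * by dn="{MANAGER}" write by users read']


def parse_rule(rule):
    """Split 'to <what> by <who> <level> [by ...]' into (what, [(who, level), ...])."""
    what, *by_clauses = re.split(r"\s+by\s+", rule.strip())
    if not what.startswith("to "):
        raise ValueError(f"rule must start with 'to': {rule!r}")
    pairs = []
    for clause in by_clauses:
        who, level = clause.rsplit(None, 1)
        if level not in LEVELS:
            raise ValueError(f"unknown access level {level!r}")
        pairs.append((who, level))
    return what[3:].strip(), pairs


def what_matches(what, entry_dn, attr):
    """Does the <what> selector cover this entry (attr=None) or attribute?"""
    if what == "*":
        return True
    if what.startswith("attrs="):
        wanted = {a.lower() for a in what[len("attrs="):].split(",")}
        return attr is not None and attr.lower() in wanted
    m = re.fullmatch(r'dn\.base="(.*)"', what)
    if m:
        return entry_dn.lower() == m.group(1).lower()
    raise ValueError(f"unsupported <what> selector: {what!r}")


def who_matches(who, requester_dn, entry_dn):
    """Does the <who> selector match the requester? '' is an anonymous bind."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn == ""
    if who == "users":
        return requester_dn != ""
    if who == "self":
        return requester_dn != "" and requester_dn.lower() == entry_dn.lower()
    m = re.fullmatch(r'dn="(.*)"', who)
    if m:
        return requester_dn.lower() == m.group(1).lower()
    raise ValueError(f"unsupported <who> selector: {who!r}")


def granted_level(rules, requester_dn, entry_dn, attr=None):
    """Access level the rule set grants requester_dn on entry_dn / attr."""
    for rule in rules:
        what, pairs = parse_rule(rule)
        if not what_matches(what, entry_dn, attr):
            continue
        for who, level in pairs:
            if who_matches(who, requester_dn, entry_dn):
                return level
        return "none"  # <to> matched but no <by> did: implicit "by * none"
    return "none"      # not reached here: the last rule is "to *"


def can(rules, requester_dn, entry_dn, attr, op):
    """True when the granted level is at least `op` (levels are cumulative)."""
    return LEVELS.index(granted_level(rules, requester_dn, entry_dn, attr)) >= LEVELS.index(op)


if __name__ == "__main__":
    fedora = "uid=fedora,ou=People,dc=srv,dc=world"
    redhat = "uid=redhat,ou=People,dc=srv,dc=world"
    requesters = {"anonymous": "", "uid=fedora": fedora, "cn=Manager": MANAGER}
    for name, rules in (("page ACL", PAGE_ACL), ("hardened ACL", HARDENED_ACL)):
        print(name)
        for label, dn in requesters.items():
            own_pw = granted_level(rules, dn, fedora, "userPassword")
            other_pw = granted_level(rules, dn, redhat, "userPassword")
            uid = granted_level(rules, dn, fedora, "uid")
            print(f"  {label:>10}: fedora/userPassword={own_pw:<5} "
                  f"redhat/userPassword={other_pw:<5} fedora/uid={uid}")
```

Two things the matrix makes visible. With the page's rules an anonymous client can read every attribute except userPassword and shadowLastChange, which is acceptable for a lab but means the entire user list is enumerable from the network; the hardened variant closes that, at the cost that SSSD clients must then bind with ldap_default_bind_dn and ldap_default_authtok for lookups. And the `by dn="cn=Manager" write` clauses are redundant as long as cn=Manager is the olcRootDN, because the root DN is never subject to access control; they only start to matter if you later point olcRootDN elsewhere.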
[root@bizantum ~]# vi basedomain.ldif
# replace dc=srv,dc=world with your own suffix; o: is the organization name and dc: the first component of the suffix
dn: dc=srv,dc=world
objectClass: top
objectClass: dcObject
objectClass: organization
o: Server World
dc: srv

dn: cn=Manager,dc=srv,dc=world
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=People,dc=srv,dc=world
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=srv,dc=world
objectClass: organizationalUnit
ou: Group
[root@bizantum ~]# ldapadd -x -D cn=Manager,dc=srv,dc=world -W -f basedomain.ldif
Enter LDAP Password: # directory manager's password
adding new entry "dc=srv,dc=world"
adding new entry "cn=Manager,dc=srv,dc=world"
adding new entry "ou=People,dc=srv,dc=world"
adding new entry "ou=Group,dc=srv,dc=world"
Step [5]Configure SSL/TLS. This example uses a self-signed certificate created as described in the linked guide (here), expected as /etc/pki/tls/certs/server.key and server.crt. A self-signed certificate only authenticates the server if every client pins it (see the client section); beyond a lab, issue the server certificate from a CA you control and also set olcTLSCACertificateFile.
Step [6]Configure slapd for SSL/TLS. The private key must not be world-readable: the copy below hands it to the ldap user, so also make it mode 0600. After the restart STARTTLS works on port 389 at once; ldaps on port 636 only works if ldaps:/// is added to SLAPD_URLS in /etc/sysconfig/slapd, which Fedora leaves at ldapi:/// and ldap:/// by default.
[root@bizantum ~]# cp /etc/pki/tls/certs/{server.key,server.crt} /etc/openldap/certs/
[root@bizantum ~]# chown ldap:ldap /etc/openldap/certs/{server.key,server.crt}
[root@bizantum ~]# vi mod_ssl.ldif
# create new
dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/server.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/server.key
[root@bizantum ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f mod_ssl.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
[root@bizantum ~]# systemctl restart slapd
Step [7]If firewalld is running, allow the ldap (389/tcp) and ldaps (636/tcp) services. Opening ldaps only matters once slapd actually listens on it (see Step 6).
[root@bizantum ~]# firewall-cmd --add-service={ldap,ldaps}
success
[root@bizantum ~]# firewall-cmd --runtime-to-permanent
success
Add User Accounts
Add LDAP User accounts to the OpenLDAP Server.
Step [1]Add a User Account.
# generate the user's password hash
[root@bizantum ~]# slappasswd
New password:
Re-enter new password:
{SSHA}xxxxxxxxxxxxxxxxx
[root@bizantum ~]# vi ldapuser.ldif
# create new
# replace dc=srv,dc=world with your own suffix; the two records are separated by a blank line
dn: uid=fedora,ou=People,dc=srv,dc=world
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: Fedora
sn: Linux
userPassword: {SSHA}xxxxxxxxxxxxxxxxx
loginShell: /bin/bash
uidNumber: 2000
gidNumber: 2000
homeDirectory: /home/fedora

dn: cn=fedora,ou=Group,dc=srv,dc=world
objectClass: posixGroup
cn: fedora
gidNumber: 2000
memberUid: fedora
[root@bizantum ~]# ldapadd -x -D cn=Manager,dc=srv,dc=world -W -f ldapuser.ldif
Enter LDAP Password:
adding new entry "uid=fedora,ou=People,dc=srv,dc=world"
adding new entry "cn=fedora,ou=Group,dc=srv,dc=world"
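The {SSHA} strings that slappasswd prints (here for userPassword, earlier for olcRootPW) are base64(SHA-1(password || salt) || salt) with a 4-byte salt: there is no work factor, so anyone who obtains the value can brute-force it at SHA-1 speed, which is why the ACL gives anonymous clients only `auth` on userPassword. The following added example, written for this page and not part of OpenLDAP or the original tutorial, reproduces and verifies that format with the Python standard library, then audits a constructed LDIF (the entries and hashes are made up, not real credentials) for cleartext, legacy and stronger userPassword schemes, including the {crypt} values that ldapuser.sh copies from /etc/shadow in the next step. The scheme list and the verdict labels in password_verdict are this example's own classification.

```python
import base64
import hashlib
import hmac
import os

# {SSHA} as produced by slappasswd's default scheme:
#   base64( SHA1(password || salt) || salt ), salt = 4 random bytes.
SHA1_LEN = 20


def ssha_hash(password, salt=None):
    """Return a userPassword value in slappasswd's default {SSHA} form."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check a password against a {SSHA} value; the salt is the tail of the blob."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    blob = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = blob[:SHA1_LEN], blob[SHA1_LEN:]
    computed = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, computed)  # constant-time comparison


def password_verdict(value):
    """Classify one userPassword value by its storage scheme (this example's labels)."""
    if not value.startswith("{"):
        return "cleartext"
    scheme = value[1:value.index("}")].upper()
    if scheme == "CLEARTEXT":
        return "cleartext"
    if scheme == "CRYPT":
        rest = value[value.index("}") + 1:]
        # $6$ sha512crypt, $5$ sha256crypt, $y$/$7$ yescrypt; otherwise DES or md5crypt
        return "acceptable" if rest.startswith(("$6$", "$5$", "$y$", "$7$")) else "weak"
    if scheme in ("ARGON2", "PBKDF2-SHA512", "PBKDF2-SHA256"):
        return "strong"
    return "weak"  # {SSHA}, {SHA}, {SMD5}, {MD5}: no work factor, some unsalted


def audit_ldif_passwords(ldif_text):
    """Return (dn, verdict) for every entry in the LDIF that carries a userPassword.

    Handles 'userPassword::' (base64, the form slapcat emits). Does not unfold
    continuation lines, which the LDIFs generated on this page do not use.
    """
    results, dn = [], None
    for line in ldif_text.splitlines():
        low = line.lower()
        if low.startswith("dn: "):
            dn = line[4:].strip()
        elif low.startswith("userpassword:: "):
            value = base64.b64decode(line.split(":: ", 1)[1].strip()).decode("utf-8")
            results.append((dn, password_verdict(value)))
        elif low.startswith("userpassword: "):
            results.append((dn, password_verdict(line.split(": ", 1)[1].strip())))
    return results


# Constructed sample: a slappasswd-style hash, a {crypt} value shaped like the
# ones ldapuser.sh copies from /etc/shadow (placeholder digits), and a cleartext
# value stored base64-encoded. None of these are real credentials.
SAMPLE_LDIF = "\n".join([
    "dn: uid=fedora,ou=People,dc=srv,dc=world",
    "userPassword: " + ssha_hash("demo-password", b"\x00\x01\x02\x03"),
    "",
    "dn: uid=legacy,ou=People,dc=srv,dc=world",
    "userPassword: {crypt}$6$saltsalt$" + "0" * 86,
    "",
    "dn: uid=bad,ou=People,dc=srv,dc=world",
    "userPassword:: " + base64.b64encode(b"hunter2").decode("ascii"),
    "",
])


if __name__ == "__main__":
    h = ssha_hash("demo-password")
    print(h, ssha_verify("demo-password", h), ssha_verify("wrong", h))
    for entry_dn, verdict in audit_ldif_passwords(SAMPLE_LDIF):
        print(f"{verdict:<10} {entry_dn}")
```

On a real server, set olcPasswordHash on cn=config to a stronger scheme so that passwords changed through SSSD's passwd are not stored as {SSHA}: OpenLDAP 2.5 and later ship an argon2 password module (olcModuleLoad: argon2, then olcPasswordHash: {ARGON2}); check that the module file is present under /usr/lib64/openldap on your Fedora 40 install before relying on it. {CRYPT} with $6$ hashes is acceptable when migrating from /etc/shadow, and slappasswd -h '{CRYPT}' -c '$6$%.16s' produces compatible values by hand.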
Step [2]Add users and groups from the local passwd/group files to the LDAP directory. The script copies the crypt hashes from /etc/shadow into ldapuser.ldif, so run it as root, keep that file root-only and delete it once it has been imported.
[root@bizantum ~]# vi ldapuser.sh
# extract local users (UID 1000-9999) and their primary groups
# replace [SUFFIX=***] with your own suffix
# this is an example, free to modify
#!/bin/bash
SUFFIX='dc=srv,dc=world'
LDIF='ldapuser.ldif'
# the output contains password hashes copied from /etc/shadow: keep it root-only
umask 077
: > "$LDIF"
GROUP_IDS=()
# the user loop and the group loop run in one subshell so they share GROUP_IDS
grep "x:[1-9][0-9][0-9][0-9]:" /etc/passwd | (while IFS= read -r TARGET_USER
do
  USER_ID="$(echo "$TARGET_USER" | cut -d':' -f1)"
  USER_NAME="$(echo "$TARGET_USER" | cut -d':' -f5 | cut -d' ' -f1,2)"
  [ ! "$USER_NAME" ] && USER_NAME="$USER_ID"
  LDAP_SN="$(echo "$USER_NAME" | cut -d' ' -f2)"
  [ ! "$LDAP_SN" ] && LDAP_SN="$USER_NAME"
  # anchor on the user name, so "bob" does not also match "bobby"
  SHADOW_LINE="$(grep "^${USER_ID}:" /etc/shadow)"
  LASTCHANGE_FLAG="$(echo "$SHADOW_LINE" | cut -d':' -f3)"
  [ ! "$LASTCHANGE_FLAG" ] && LASTCHANGE_FLAG="0"
  SHADOW_FLAG="$(echo "$SHADOW_LINE" | cut -d':' -f9)"
  [ ! "$SHADOW_FLAG" ] && SHADOW_FLAG="0"
  EXPIRE_DATE="$(echo "$SHADOW_LINE" | cut -d':' -f8)"
  # passwd -S prints: name status lastchange min max warn inactive
  PW_STATUS="$(passwd -S "$USER_ID")"
  GROUP_ID="$(echo "$TARGET_USER" | cut -d':' -f4)"
  # exact match, so gid 100 is not mistaken for an already-seen 1000
  printf '%s\n' "${GROUP_IDS[@]}" | grep -qx "$GROUP_ID" || GROUP_IDS+=("$GROUP_ID")
  {
    echo "dn: uid=$USER_ID,ou=People,$SUFFIX"
    echo "objectClass: inetOrgPerson"
    echo "objectClass: posixAccount"
    echo "objectClass: shadowAccount"
    echo "sn: $LDAP_SN"
    echo "givenName: $(echo "$USER_NAME" | awk '{print $1}')"
    echo "cn: $USER_NAME"
    echo "displayName: $USER_NAME"
    echo "uidNumber: $(echo "$TARGET_USER" | cut -d':' -f3)"
    echo "gidNumber: $GROUP_ID"
    echo "userPassword: {crypt}$(echo "$SHADOW_LINE" | cut -d':' -f2)"
    echo "gecos: $USER_NAME"
    echo "loginShell: $(echo "$TARGET_USER" | cut -d':' -f7)"
    echo "homeDirectory: $(echo "$TARGET_USER" | cut -d':' -f6)"
    # shadowExpire is the expiry date (shadow field 8); only emit it when set
    [ "$EXPIRE_DATE" ] && echo "shadowExpire: $EXPIRE_DATE"
    echo "shadowInactive: $(echo "$PW_STATUS" | awk '{print $7}')"
    echo "shadowFlag: $SHADOW_FLAG"
    echo "shadowWarning: $(echo "$PW_STATUS" | awk '{print $6}')"
    echo "shadowMin: $(echo "$PW_STATUS" | awk '{print $4}')"
    echo "shadowMax: $(echo "$PW_STATUS" | awk '{print $5}')"
    echo "shadowLastChange: $LASTCHANGE_FLAG"
    echo
  } >> "$LDIF"
done
for TARGET_GROUP_ID in "${GROUP_IDS[@]}"
do
  # the gid is the third field of /etc/group
  LDAP_CN="$(grep "^[^:]*:[^:]*:${TARGET_GROUP_ID}:" /etc/group | cut -d':' -f1)"
  {
    echo "dn: cn=$LDAP_CN,ou=Group,$SUFFIX"
    echo "objectClass: posixGroup"
    echo "cn: $LDAP_CN"
    echo "gidNumber: $TARGET_GROUP_ID"
    # the primary gid is the fourth field of /etc/passwd
    for MEMBER_UID in $(grep "^[^:]*:[^:]*:[^:]*:${TARGET_GROUP_ID}:" /etc/passwd | cut -d':' -f1,3)
    do
      UID_NUM=$(echo "$MEMBER_UID" | cut -d':' -f2)
      [ "$UID_NUM" -ge 1000 ] && [ "$UID_NUM" -le 9999 ] && echo "memberUid: $(echo "$MEMBER_UID" | cut -d':' -f1)"
    done
    echo
  } >> "$LDIF"
done
)
[root@bizantum ~]# bash ldapuser.sh
[root@bizantum ~]# ldapadd -x -D cn=Manager,dc=srv,dc=world -W -f ldapuser.ldif
Enter LDAP Password:
adding new entry "uid=redhat,ou=People,dc=srv,dc=world"
adding new entry "uid=debian,ou=People,dc=srv,dc=world"
adding new entry "uid=ubuntu,ou=People,dc=srv,dc=world"
adding new entry "uid=centos,ou=People,dc=srv,dc=world"
adding new entry "cn=redhat,ou=Group,dc=srv,dc=world"
adding new entry "cn=debian,ou=Group,dc=srv,dc=world"
adding new entry "cn=ubuntu,ou=Group,dc=srv,dc=world"
adding new entry "cn=centos,ou=Group,dc=srv,dc=world"
Step [3]To delete an LDAP user or group:
[root@bizantum ~]# ldapdelete -x -W -D 'cn=Manager,dc=srv,dc=world' "uid=fedora,ou=People,dc=srv,dc=world"
Enter LDAP Password:
[root@bizantum ~]# ldapdelete -x -W -D 'cn=Manager,dc=srv,dc=world' "cn=fedora,ou=Group,dc=srv,dc=world"
Enter LDAP Password:
Configure LDAP Client
Configure a client so that it resolves and authenticates the accounts held on the LDAP server.
Step [1]Install SSSD with its LDAP provider, plus oddjob-mkhomedir to create home directories on first login.
[root@node01 ~]# dnf -y install sssd sssd-ldap oddjob-mkhomedir
# switch authentication provider to sssd
[root@node01 ~]# authselect select sssd with-mkhomedir --force
Backup stored at /var/lib/authselect/backups/2024-05-14-00-49-17.Z55dnn
Profile "sssd" was selected.
Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.
- with-mkhomedir is selected, make sure pam_oddjob_mkhomedir module
is present and oddjobd service is enabled and active
- systemctl enable --now oddjobd.service
[root@node01 ~]# vi /etc/sssd/sssd.conf
# create new
# replace [ldap_uri], [ldap_search_base] with your own values
# ldap_tls_reqcert = allow accepts any server certificate: the connection is encrypted,
# but a host impersonating the server can collect every user's password at login.
# For anything beyond a lab, copy the server certificate into /etc/openldap/certs on
# the client, run "openssl rehash /etc/openldap/certs" (a cacertdir needs hashed
# links), and set ldap_tls_reqcert = demand
[domain/default]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://dlp.bizantum.lab/
ldap_search_base = dc=srv,dc=world
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/openldap/certs
cache_credentials = True
ldap_tls_reqcert = allow
[sssd]
services = nss, pam
domains = default
[nss]
homedir_substring = /home
[root@node01 ~]# chmod 600 /etc/sssd/sssd.conf
[root@node01 ~]# systemctl restart sssd oddjobd
[root@node01 ~]# systemctl enable sssd oddjobd
[root@node01 ~]# exit
logout
Fedora Linux 40 (Server Edition)
Kernel 6.8.7-300.fc40.x86_64 on an x86_64 (ttyS0)
Web console: https://node01.bizantum.lab:9090/ or https://10.0.0.51:9090/
node01 login: redhat # LDAP user
Password: # LDAP password
Creating home directory for redhat.
[redhat@node01 ~]$ # logged in as the LDAP user
# the LDAP password is changed with the usual passwd command (chpass_provider = ldap)
[redhat@node01 ~]$ passwd
Changing password for user redhat.
Current Password: # current password
New password: # new password
Retype new password:
passwd: all authentication tokens updated successfully.
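SSSD never sends a bind password without TLS (the option that would permit it is named ldap_auth_disable_tls_never_use_in_production), so with the page's ldap_tls_reqcert = allow the connection is encrypted but the server is never authenticated: whoever can redirect dlp.bizantum.lab to their own host can present any certificate and harvest the password of every user who logs in. The added example below, written for this page and not part of SSSD or the original tutorial, puts the page's sssd.conf next to a hardened one that pins the server's self-signed certificate (assumed to have been copied to /etc/openldap/certs/server.crt on the client) with ldap_tls_reqcert = demand, and a small checker that flags the weak settings in either. The checker only knows the options that appear on this page.

```python
import configparser

# The page's client configuration, verbatim.
WEAK_SSSD_CONF = """\
[domain/default]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://dlp.bizantum.lab/
ldap_search_base = dc=srv,dc=world
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/openldap/certs
cache_credentials = True
ldap_tls_reqcert = allow

[sssd]
services = nss, pam
domains = default

[nss]
homedir_substring = /home
"""

# Hardened variant: verify the server certificate against a pinned file. The
# name in the certificate must match the host used in ldap_uri, which is why
# a hostname rather than an IP address is kept there.
HARDENED_SSSD_CONF = """\
[domain/default]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://dlp.bizantum.lab/
ldap_search_base = dc=srv,dc=world
ldap_id_use_start_tls = True
ldap_tls_cacert = /etc/openldap/certs/server.crt
ldap_tls_reqcert = demand
cache_credentials = True

[sssd]
services = nss, pam
domains = default

[nss]
homedir_substring = /home
"""

# ldap_tls_reqcert values under which a bad certificate is ignored (sssd-ldap(5));
# "try", "demand" and "hard" all terminate the session on a bad certificate.
UNVERIFIED = {"never", "allow"}


def audit_sssd_conf(text):
    """Return a list of findings for every LDAP domain section in an sssd.conf string."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        dom = cp[section]
        if dom.get("id_provider") != "ldap" and dom.get("auth_provider") != "ldap":
            continue
        uris = [u.strip() for u in dom.get("ldap_uri", "").split(",") if u.strip()]
        start_tls = dom.get("ldap_id_use_start_tls", "false").strip().lower() == "true"
        for uri in uris:
            if uri.startswith("ldap://") and not start_tls:
                findings.append(f"{section}: {uri} without ldap_id_use_start_tls, "
                                "identity lookups are sent in cleartext")
        reqcert = dom.get("ldap_tls_reqcert", "hard").strip().lower()
        if reqcert in UNVERIFIED:
            findings.append(f"{section}: ldap_tls_reqcert = {reqcert} accepts any server "
                            "certificate, so TLS does not stop an impersonating server")
        if "ldap_tls_cacert" not in dom and "ldap_tls_cacertdir" not in dom:
            findings.append(f"{section}: no ldap_tls_cacert or ldap_tls_cacertdir, "
                            "the server certificate cannot be verified")
    return findings


if __name__ == "__main__":
    for name, conf in (("page sssd.conf", WEAK_SSSD_CONF),
                       ("hardened sssd.conf", HARDENED_SSSD_CONF)):
        print(f"{name}: {audit_sssd_conf(conf) or ['no findings']}")
```

With ldap_tls_cacert pointing at a single file no rehash is needed; if you keep ldap_tls_cacertdir instead, the directory must contain hashed symlinks (openssl rehash /etc/openldap/certs) or verification fails and, under demand, so does every login. If the server certificate is later issued by your own CA, point ldap_tls_cacert at the CA certificate instead of the server certificate.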
Replication
Configure OpenLDAP replication so that the directory service stays available when the primary server is down. In OpenLDAP the primary is called the [Provider] and the replica the [Consumer].
Step [1]Configure the basic LDAP server settings on both Provider and Consumer as described in Configure LDAP Server above (same suffix, schemas and TLS setup on both).
Step [2]Configure the LDAP Provider: load the [syncprov] module and add the overlay to the mdb database.
[root@bizantum ~]# vi mod_syncprov.ldif
# create new
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: syncprov.la
[root@bizantum ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f mod_syncprov.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=module,cn=config"
[root@bizantum ~]# vi syncprov.ldif
# create new
dn: olcOverlay=syncprov,olcDatabase={2}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpSessionLog: 100
[root@bizantum ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f syncprov.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "olcOverlay=syncprov,olcDatabase={2}mdb,cn=config"
Step [3]Configure the LDAP Consumer. The settings below are the minimal configuration. Before using it outside a lab, note three things: the provider URI is plain ldap:// with bindmethod=simple, so the manager password and every replicated entry, password hashes included, cross the network in cleartext unless you add starttls=critical; the credentials value is stored in cleartext under cn=config, so bind with a dedicated read-only replication DN rather than cn=Manager; and interval= is only honoured with type=refreshOnly, it is ignored with refreshAndPersist. The consumer has no write protection of its own, so clients must direct writes to the provider only.
[root@node01 ~]# vi syncrepl.ldif
# create new
# provider= is the provider's URI; binddn/credentials are the directory manager DN and password
# retry="30 5 300 3" means: retry every 30 s up to 5 times, then every 300 s up to 3 times
# the whole olcSyncRepl value is one attribute value folded over several lines: every
# continuation line starts with two spaces (the first is the LDIF fold marker, the second
# is the separator between parameters)
dn: olcDatabase={2}mdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001
  provider=ldap://10.0.0.30:389/
  bindmethod=simple
  binddn="cn=Manager,dc=srv,dc=world"
  credentials=password
  searchbase="dc=srv,dc=world"
  scope=sub
  schemachecking=on
  type=refreshAndPersist
  retry="30 5 300 3"
  interval=00:00:05:00
[root@node01 ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f syncrepl.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={2}mdb,cn=config"
# verify that the data has been replicated from the provider
[root@node01 ~]# ldapsearch -x -b 'ou=People,dc=srv,dc=world'
# People, srv.world
dn: ou=People,dc=srv,dc=world
objectClass: organizationalUnit
ou: People
.....
.....
Step [4]Also list the Consumer in the LDAP client's ldap_uri, so that SSSD fails over to it when the Provider is unreachable (SSSD tries the URIs in order; with certificate verification enabled, the client must trust the Consumer's certificate as well).
[root@client ~]# vi /etc/sssd/sssd.conf
# add Consumer
ldap_uri = ldap://dlp.bizantum.lab/,ldap://node01.bizantum.lab/
[root@client ~]# systemctl restart sssd