openLDAP server installation and configuration step by step – RHEL7

by ARK · Published March 19, 2016 · Updated September 24, 2016

openLDAP directory service is based on a client-server model. LDAP transferred “Lightweight directory access protocol” is a directory service protocol that runs on a layer above the TCP/IP stack. It provides a mechanism used to connect to, search, and modify Internet directories. The LDAP directory service is based on a client-server model. OpenLDAP Server installation

openLDAP is used to facilitate centralized user management. It eliminates users creation on each and every server, instead of creating users and there profile in all the servers we can create them in LDAP server and access from all the LDAP client machines.

Few advantages of openLDAP

Global naming model ensures unique entries
Allows for multiple independent directories
Extensible to meet future/local requirements
Runs directly over TCP/IP and SSL
Has broad industry support
Based on existing deployed technologies
Schema definitions
Schema publication
Security features
Extended operation framework
Dynamic and pages search extensions

This tutorial will explain how to install and configure openLDAP server and it’s configuration with user home directory auto mount using NFS autofs

Please observe step by step and modify your requirements accordingly

Let’s start the configuration

Requirements – RHEL7/Centos 7 with minimal installation OR GUI installation is enough

Tested Centos7, RHEL7, RHEL7.1 and RHEL7.2 versions

Server Profile :-

Packages : openldap, migrationtools
Port Number: 389, 636

Step 1: Installing LDAP packages using yum

[root@ark-ldapserver ~]# yum -y install *openldap* migrationtools

generating LDAP admin password

[root@ark-ldapserver ~]# slappasswd
New password: 
Re-enter new password: 
{SSHA}KczPx+72Gz5W4Tv58EgT8beoPsuxkekO

as shown in above slappasswd command will generate an password with encryption, please copy above encrypted password and keep it safe this password we are going to use in further configuration

add the generated password to below file and change olcSuffix olcRootDN olcRootPW and add key file location as shown in below (bold ones have to modify)

[root@ark-ldapserver ~]# cd /etc/openldap/slapd.d/cn\=config/
[root@ark-ldapserver cn=config]# vi olcDatabase\=\{2\}hdb.ldif 
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 5514a54b
dn: olcDatabase={2}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=arkit,dc=co.in
olcRootDN: cn=Manager,dc=arkit,dc=co.in
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
structuralObjectClass: olcHdbConfig
entryUUID: 7ffd78be-8216-1035-9daa-e3230d8ea492
creatorsName: cn=config
createTimestamp: 20160319120438Z
entryCSN: 20160319120438.887404Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20160319120438Z
olcRootPW: {SSHA}KczPx+72Gz5W4Tv58EgT8beoPsuxkekO
olcTLSCertificateFile: /etc/pki/tls/certs/arkitldap.pem
olcTLSCertificateKeyFile: /etc/pki/tls/certs/arkitkey.pem

Now edit the file monitor.ldif and add modify dc=my-domain,dc=com to your domain as shown in below

[root@ark-ldapserver cn=config]# vi olcDatabase\=\{1\}monitor.ldif 
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 3eb2863a
dn: olcDatabase={1}monitor
objectClass: olcDatabaseConfig
olcDatabase: {1}monitor
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external
 ,cn=auth" read by dn.base="cn=Manager,dc=arkit,dc=co.in" read by * none
structuralObjectClass: olcDatabaseConfig
entryUUID: 7ffd68a6-8216-1035-9da9-e3230d8ea492
creatorsName: cn=config
createTimestamp: 20160319120438Z
entryCSN: 20160319120438.886990Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20160319120438Z

Test your LDAP configuration using below command, you may see few checksum errors no problem don’t bother

[root@ark-ldapserver cn=config]# slaptest -u
56ed4143 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif"
56ed4143 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif"
config file testing succeeded

Step 2: Start LDAP server slapd.service

use below command to start and enable the service to start after the server reboot

[root@ark-ldapserver cn=config]# systemctl enable slapd.service
ln -s '/usr/lib/systemd/system/slapd.service' '/etc/systemd/system/multi-user.target.wants/slapd.service'

[root@ark-ldapserver cn=config]# systemctl start slapd.service

[root@ark-ldapserver cn=config]# netstat -lt |grep ldap
tcp 0 0 0.0.0.0:ldap 0.0.0.0:* LISTEN
tcp6 0 0 [::]:ldap [::]:* LISTEN

Step 3: Generate certificate

generating x509 certificate for 365 days

[root@ark-ldapserver cn=config]# openssl req -new -x509 -nodes -out /etc/pki/tls/certs/arkitldap.pem -keyout /etc/pki/tls/certs/arkitkey.pem -days 365
Generating a 2048 bit RSA private key
..................+++
.................................................................................................................................+++
writing new private key to '/etc/pki/tls/certs/arkitkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:Telangana
Locality Name (eg, city) [Default City]:Hyderabad
Organization Name (eg, company) [Default Company Ltd]:arkit
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:ark-ldapserver
Email Address []:
[root@ark-ldapserver cn=config]#

as mentioned above you can give the details are else just hit enter in all the fields. verify your certificate files by listing directory, key file names should match exactly with Step 1 configuration

[root@ark-ldapserver cn=config]# ll /etc/pki/tls/certs/
total 20
-rw-r--r--. 1 root root 1704 Mar 19 17:42 arkitkey.pem
-rw-r--r--. 1 root root 1330 Mar 19 17:42 arkitldap.pem

Step 4: Change migration config

Go to directory path as mentioned below and edit the file migrate_common.ph file add few entries as shown in below screen

[root@ark-ldapserver cn=config]# cd /usr/share/migrationtools/
[root@ark-ldapserver migrationtools]# vi migrete_common.ph 

$DEFAULT_MAIL_DOMAIN = "arkit.co.in";
$DEFAULT_BASE = "dc=arkit,dc=co.in";
$EXTENDED_SCHEMA = 1;

Step 5: Creating openLDAP database file

Now we just create an openLDAP database with file extension as .ldif

[root@ark-ldapserver migrationtools]# touch /root/base.ldif

[root@ark-ldapserver migrationtools]# cat /root/base.ldif
dn: dc=arkit,dc=co.in
objectClass: top
objectClass: dcObject
objectclass: organization
o: arkit co.in
dc: arkit

dn: cn=Manager,dc=arkit,dc=co.in
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=People,dc=arkit,dc=co.in
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=arkit,dc=co.in
objectClass: organizationalUnit
ou: Group

Step 6: Creating users and groups

Create normal Linux users along with there primary groups

[root@ark-ldapserver migrationtools]# useradd ldapuser1
[root@ark-ldapserver migrationtools]# useradd ldapuser2
[root@ark-ldapserver migrationtools]# useradd ldapuser3
[root@ark-ldapserver migrationtools]# passwd ldapuser1
Changing password for user ldapuser1.
New password: 
BAD PASSWORD: The password is shorter than 8 characters
Retype new password: 
passwd: all authentication tokens updated successfully.
[root@ark-ldapserver migrationtools]# passwd ldapuser2
Changing password for user ldapuser2.
New password: 
BAD PASSWORD: The password is shorter than 8 characters
Retype new password: 
passwd: all authentication tokens updated successfully.
[root@ark-ldapserver migrationtools]# passwd ldapuser3
Changing password for user ldapuser3.
New password: 
BAD PASSWORD: The password is shorter than 8 characters
Retype new password: 
passwd: all authentication tokens updated successfully.

now gather all the users and groups information to separate files

[root@ark-ldapserver migrationtools]# cat /etc/passwd |grep ldapuser > /root/password
[root@ark-ldapserver migrationtools]# cat /root/password
ldapuser1:x:1001:1001::/home/ldapuser1:/bin/bash
ldapuser2:x:1002:1002::/home/ldapuser2:/bin/bash
ldapuser3:x:1003:1003::/home/ldapuser3:/bin/bash

[root@ark-ldapserver migrationtools]# cat /etc/group |grep ldapuser > /root/groups

after that migrate your local users as openLDAP users

[root@ark-ldapserver migrationtools]# ./migrate_passwd.pl /root/password /root/users.ldif
[root@ark-ldapserver migrationtools]# ./migrate_group.pl /root/groups /root/groups.ldif
[root@ark-ldapserver migrationtools]# ldapadd -x -W -D "cn=Manager,dc=arkit,dc=co.in" -f /root/base.ldif 
Enter LDAP Password: 
adding new entry "dc=arkit,dc=co.in"
adding new entry "cn=Manager,dc=arkit,dc=co.in"
adding new entry "ou=People,dc=arkit,dc=co.in"
adding new entry "ou=Group,dc=arkit,dc=co.in"

[root@ark-ldapserver migrationtools]# ldapadd -x -W -D "cn=Manager,dc=arkit,dc=co.in" -f /root/users.ldif 
Enter LDAP Password: 
adding new entry "uid=ldapuser1,ou=People,dc=arkit,dc=co.in"
adding new entry "uid=ldapuser2,ou=People,dc=arkit,dc=co.in"
adding new entry "uid=ldapuser3,ou=People,dc=arkit,dc=co.in"

[root@ark-ldapserver migrationtools]# ldapadd -x -W -D "cn=Manager,dc=arkit,dc=co.in" -f /root/groups.ldif 
Enter LDAP Password: 
adding new entry "cn=ldapuser1,ou=Group,dc=arkit,dc=co.in"
adding new entry "cn=ldapuser2,ou=Group,dc=arkit,dc=co.in"
adding new entry "cn=ldapuser3,ou=Group,dc=arkit,dc=co.in"

Verify the users using below command

[root@ark-ldapserver migrationtools]# ldapsearch -x cn=ldapuser3 -b dc=arkit,dc=co.in

Step 7: Allow firewall ports

we have to allow ldap and ldaps port numbers

[root@ark-ldapserver migrationtools]# firewall-cmd --permanent --add-service=ldap
success
[root@ark-ldapserver migrationtools]# firewall-cmd --permanent --add-service=ldaps
success
[root@ark-ldapserver migrationtools]# firewall-cmd --reload 
success

That’s about openLDAP server configuration now we will see how to export LDAP users home directories

Step 8: Install NFS util packages

[root@ark-ldapserver migrationtools]# yum -y install rpcbind nfs-utils

Enable and start the NFS service

[root@ark-ldapserver migrationtools]# systemctl enable nfs-server.service 
ln -s '/usr/lib/systemd/system/nfs-server.service' '/etc/systemd/system/multi-user.target.wants/nfs-server.service'

[root@ark-ldapserver migrationtools]# systemctl start nfs-server.service
[root@ark-ldapserver migrationtools]# systemctl enable rpcbind

[root@ark-ldapserver migrationtools]# systemctl start rpcbind

configure NFS export

[root@ark-ldapserver migrationtools]# vi /etc/exports
/home *(rw,sync)

[root@ark-ldapserver migrationtools]# systemctl restart nfs-server.service

Enable NFS and it’s supported Firewall ports

[root@ark-ldapserver migrationtools]# firewall-cmd --permanent --add-service=nfs
success
[root@ark-ldapserver migrationtools]# firewall-cmd --permanent --add-service=rpc-bind
success
[root@ark-ldapserver migrationtools]# firewall-cmd --permanent --add-service=mountd
success
[root@ark-ldapserver migrationtools]# firewall-cmd --reload
success

[root@ark-ldapserver migrationtools]# showmount -e localhost
Export list for localhost:
/home *.arkit.co.in
 
[root@ark-ldapserver ~]# chmod 777 /home
[root@ark-ldapserver ~]# systemctl restart slapd.service

[root@ark-ldapserver ~]# systemctl status slapd.service

That’s it about openLDAP server configuration OpenLDAP Server installation OpenLDAP Server installation OpenLDAP Server installation OpenLDAP Server installation OpenLDAP Server installation OpenLDAP Server installation OpenLDAP Server installation

See Client side configuration

Please write your valuable feedback about this article..

DHCP Server installation and Configuration Guide

Master DNS Server installation and configuration Guide

Describe various protocols Video tutorial

Thanks for your wonderful Support and Encouragement

Stay Connected with us. Learn More and Earn More

Do Not Miss Interesting and Important Articles: Signin Now
Download free PDF Books : Download Anything and Everything for Free
Stay Connected with Us: Facebook Page | Twitt | Google Plus | LinkedIn | RSS feeds
High Qualitfy Video Tutorials : All Videos

Tags: LDAP server installation LDAP server installation and configuration openLDAP RHEL7

ARK

My Name is ARK. Expert in grasping any new technology, Interested in Sharing the knowledge. Learn more & Earn MoreView all Posts

deepak says:
June 20, 2016 at 9:46 pm
Hai ankit,

Can you please share ldap server with phpldapadmin(GUI).i am looking for it.

Reply
XU ZHI says:
June 21, 2016 at 5:45 pm
Hi Ravi,

Thanks for sharing this one, I use the exact same configuration as yours except the password. But when I follow your post, I get a error when adding the ldap base.

[root@CentOS7-Server ~]# ldapadd -x -W -D “cn=Manager,dc=arkit,dc=co.in” -f /root/base.ldif
Enter LDAP Password:
ldapadd: attributeDescription “dn”: (possible missing newline after line 9, entry “dc=arkit,dc=co.in”?)
ldapadd: attributeDescription “dn”: (possible missing newline after line 10, entry “dc=arkit,dc=co.in”?)
ldapadd: attributeDescription “dn”: (possible missing newline after line 11, entry “dc=arkit,dc=co.in”?)
adding new entry “dc=arkit,dc=co.in”
ldap_add: Type or value exists (20)
additional info: objectClass: value #4 provided more than once

Reply
- Ankam Ravi Kumar says:
  June 22, 2016 at 12:11 pm
  Hi Xu Zhi, You have missed one of the step while doing it. Please install fresh Linux server OS and try you will definitely get it. Good Luck.
  
  Reply
Vivek Jaiswal says:
September 24, 2016 at 12:11 pm
hi thanks for share this one ,
i need to know how to update new ldap user entry

Reply
- Ankam Ravi Kumar says:
  September 24, 2016 at 12:15 pm
  Sure We will update one more article to create/update LDAP users
  
  Reply
  - vivek says:
    September 24, 2016 at 6:32 pm
    thankx
    
    Reply
rakesh jain says:
October 6, 2016 at 9:46 am
i have followed it line by line on RHEl 7.

Its throwing an error –

[root@classroom cn=config]# ldapadd -x -W -D “cn=Manager,dc=example,dc=com” -f /root/users.ldif
Enter LDAP Password:
adding new entry “uid=ldapuser1,ou=People,dc=example,dc=com”
ldap_add: Invalid syntax (21)
additional info: objectClass: value #3 invalid per syntax

Reply
rakesh jain says:
October 6, 2016 at 9:47 am
have added these schemas as well –

[root@classroom Downloads]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry “cn=cosine,cn=schema,cn=config”

[root@classroom Downloads]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry “cn=inetorgperson,cn=schema,cn=config”

Reply
rakesh jain says:
October 6, 2016 at 9:48 am
users.ldif file –

[root@classroom cn=config]# cat /root/users.ldif
dn: uid=ldapuser1,ou=People,dc=example,dc=com
uid: ldapuser1
cn: ldapuser1
sn: ldapuser1
mail: ldapuser1@example.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$6$zFN1p/46$k3ltZs9w.RZ2nsofnI/JrV2HGrHMDR.aNgztLhYmlXrGuK.a2hBQZ4bFY/c9wthzrO2nm1h.X1LYj4IsOXY8U.
shadowLastChange: 17080
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/ldapuser1

Reply
rakesh jain says:
October 6, 2016 at 9:51 am
Resolved it .. Plz modify your tutorial and mention that we need to add all the 3 schemas –

[root@classroom Downloads]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
[root@classroom Downloads]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
[root@classroom Downloads]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif

Thanks!!

Reply
Govind says:
December 24, 2016 at 12:22 am
Hi Ravi , these steps also works on centos 7

Reply
- Ankam Ravi Kumar says:
  December 24, 2016 at 8:26 am
  Yes, it works in Centos 7 as well.
  
  Reply
govind says:
December 29, 2016 at 5:05 am
on client no output for the command getent passwd ldapuser1, I followed the same steps as mentioned in the document

Reply
- ARK says:
  December 29, 2016 at 6:19 am
  Installing LDAP Server will not help client to fetch the information. you have to join client to LDAP network.
  
  Reply
govind says:
January 5, 2017 at 10:40 am
Thanks for your post. LDAP server configuration done. How to add new users on ldap server to existing server. I have little bit problem in adding. let me know if any step by step procedure

Reply
Sahil says:
September 1, 2018 at 5:30 pm
Hi ARK,

Can you please help me to migrate LDAP servers(All LDAP users) from SUSE11 to RHEL7 ?

Reply