Install OpenLDAP Packages
On CentOS and RedHat, use yum install as shown below to install the openldap related packages.
yum install -y openldap openldap-clients openldap-servers
You should install the following three packages:
1. openldap-servers – This is the main LDAP server
2. openldap-clients – This contains all required LDAP client utilities
3. openldap – This package contains the LDAP support libraries
Create olcRootDN Account as Admin
It is always recommended to first create a dedicated user account with full permissions to change information in the LDAP database.
Modify the olcDatabase={2}bdb.ldif file and change the olcRootDN entry. The following is the default entry.
# grep olcRootDN /etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif
olcRootDN: cn=Manager,dc=my-domain,dc=com
Change the above line to an admin user. In this example, user “ramesh” will be the olcRootDN.
olcRootDN: cn=ramesh,dc=aeri,dc=com
Create olcRootPW Root Password
Now use the slappasswd command to create a hash for the root password you want to use. Once the hash is generated, open the cn=config.ldif file, add the olcRootPW parameter, and paste the hashed password as shown below.
Execute the following command and specify a password. This will generate the hash for the given password.
# slappasswd
New password: SecretLDAPRootPass2015
Re-enter new password: SecretLDAPRootPass2015
{SSHA}1pgok6qWn24lpBkVreTDboTr81rg4QC6
Take the hash output of the above command and add it to the olcRootPW parameter in the cn=config.ldif file as shown below.
# vi /etc/openldap/slapd.d/cn=config.ldif
olcRootPW: {SSHA}1pgok6qWn24lpBkVreTDboTr81rg4QC6
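As an added example (not part of the original article or of OpenLDAP), the Python below reproduces the {SSHA} scheme that slappasswd emits, so you can confirm that the olcRootPW line you pasted really matches the intended password before starting slapd. The fixed salt and the LDIF fragments are constructed for the demo; the hash from the article is not reused because its salt is not known.

```python
import base64
import hashlib
import hmac
import os


def ssha_hash(password: str, salt: bytes = b"") -> str:
    """Build an {SSHA} value the way slappasswd does: base64(SHA1(pw+salt)+salt).
    slappasswd picks a random 4-byte salt; pass one explicitly only for tests."""
    salt = salt or os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a password against an {SSHA} value such as the olcRootPW above."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value: " + stored[:8])
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes, rest is salt
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def check_olc_root_pw(ldif_text: str, password: str) -> bool:
    """Locate olcRootPW in a slapd.d LDIF fragment and verify the password.
    slapd itself may write the attribute base64-encoded ('olcRootPW:: ...'),
    so both spellings are accepted."""
    for line in ldif_text.splitlines():
        if line.startswith("olcRootPW::"):
            value = base64.b64decode(line.split("::", 1)[1].strip()).decode("ascii")
        elif line.startswith("olcRootPW:"):
            value = line.split(":", 1)[1].strip()
        else:
            continue
        return ssha_verify(password, value)
    raise KeyError("olcRootPW not found in the given LDIF")


# Constructed samples (fixed salt so the value is reproducible; not the hash
# from the article, whose salt is unknown).
SAMPLE_HASH = ssha_hash("SecretLDAPRootPass2015", salt=b"\x0a\x0b\x0c\x0d")
SAMPLE_CONFIG_PLAIN = "olcRootPW: " + SAMPLE_HASH + "\n"
SAMPLE_CONFIG_B64 = "olcRootPW:: " + base64.b64encode(SAMPLE_HASH.encode()).decode() + "\n"
```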
Create olcSuffix Domain Name
Now set up the olcSuffix to the domain that you want. Simply modify the line that starts with olcSuffix in the file olcDatabase={2}bdb.ldif as shown below.
# vi /etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif
olcSuffix: dc=aeri,dc=com
Verify The Configuration Files
Use the slaptest command to verify the configuration files as shown below. This should display a “testing succeeded” message.
# slaptest -u
config file testing succeeded
You might get the following messages during the above command, which you can ignore for now. They appear because the slapd.d LDIF files were edited by hand instead of through ldapmodify, so the checksums stored in them no longer match their contents.
54a39508 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif"
54a39508 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif"
Start the LDAP Server
Start the LDAP server as shown below.
# service slapd start
Checking configuration files for slapd: [WARNING]
config file testing succeeded
Starting slapd: [ OK ]
Verify the LDAP Search
To verify that the LDAP server is configured successfully, you can use the command below. At this point the directory holds no entries yet, so the search for the domain entry returns “No such object”; that still confirms slapd is running and answering queries for the configured suffix. The base entry itself is added in the next steps.
# ldapsearch -x -b "dc=aeri,dc=com"
# extended LDIF
#
# LDAPv3
# base <dc=aeri,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1
Base LDAP Structure in base.ldif
The use of OU (organizational unit) objects can help you provide additional structure to the LDAP database. If you plan on adding different types of entries, such as users, groups, computers, printers and more, to the LDAP directory, it is easier to put every entry type into its own container.
To create these OUs, create an initial LDIF file as shown in the example below. In this example, the file creates the base container dc=aeri,dc=com and two organizational units named users and groups in that container. Each entry in the LDIF file must be separated from the next by a blank line.
# cat base.ldif
dn: dc=aeri,dc=com
objectClass: dcObject
objectClass: organization
o: aeri.com
dc: aeri

dn: ou=users,dc=aeri,dc=com
objectClass: organizationalUnit
objectClass: top
ou: users

dn: ou=groups,dc=aeri,dc=com
objectClass: organizationalUnit
objectClass: top
ou: groups
Import Base Structure Using ldapadd
Now we can import the base structure into the LDAP directory using the ldapadd command as shown below.
# ldapadd -x -W -D "cn=ramesh,dc=aeri,dc=com" -f base.ldif
Enter LDAP Password:
adding new entry "dc=aeri,dc=com"
adding new entry "ou=users,dc=aeri,dc=com"
adding new entry "ou=groups,dc=aeri,dc=com"
Verify the Base Structure using ldapsearch
To verify that the OUs were successfully created, use the following ldapsearch command.
# ldapsearch -x -W -D "cn=ramesh,dc=aeri,dc=com" -b "dc=aeri,dc=com" "(objectclass=*)"
Enter LDAP Password:
The output of the above command will display all the objects in the LDAP directory structure.
# extended LDIF
#
# LDAPv3
# base <dc=aeri,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# aeri.com
dn: dc=aeri,dc=com
objectClass: dcObject
objectClass: organization
o: aeri.com
dc: aeri

# users, aeri.com
dn: ou=users,dc=aeri,dc=com
objectClass: organizationalUnit
objectClass: top
ou: users

# groups, aeri.com
dn: ou=groups,dc=aeri,dc=com
objectClass: organizationalUnit
objectClass: top
ou: groups

# search result
search: 2
result: 0 Success

# numResponses: 4
# numEntries: 3
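As an added example covering both the base.ldif section and the ldapsearch verification above (this is not code from the article or from OpenLDAP), the Python below generates a base.ldif for any domain and list of OUs, with the blank entry separators ldapadd requires, and parses LDIF or ldapsearch output back into entries so a script can check that the expected DNs came back. The domain, OU names and the SAMPLE_SEARCH tail are constructed inputs.

```python
import base64
from typing import Dict, List


def suffix_from_domain(domain: str) -> str:
    """aeri.com -> dc=aeri,dc=com, the olcSuffix form used above."""
    return ",".join("dc=" + label for label in domain.lower().split("."))


def build_base_ldif(domain: str, ous: List[str]) -> str:
    """Generate a base.ldif like the one above for any domain and OU names."""
    suffix = suffix_from_domain(domain)
    entries = [[f"dn: {suffix}", "objectClass: dcObject", "objectClass: organization",
                f"o: {domain}", f"dc: {domain.split('.')[0]}"]]
    for ou in ous:
        entries.append([f"dn: ou={ou},{suffix}", "objectClass: organizationalUnit",
                        "objectClass: top", f"ou: {ou}"])
    # LDIF needs a blank line between entries; ldapadd rejects a file without them.
    return "\n\n".join("\n".join(e) for e in entries) + "\n"


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse LDIF (a file or ldapsearch output) into per-entry attribute dicts.
    '#' lines are comments, a blank line ends an entry, a leading space folds a
    continuation line, and 'attr:: value' carries a base64-encoded value."""
    entries, current, last = [], {}, None
    for line in text.splitlines() + [""]:      # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if line.startswith(" ") and last is not None:
            current[last][-1] += line[1:]       # unfold a wrapped value
            continue
        if not line.strip():
            if current:
                entries.append(current)
            current, last = {}, None
            continue
        attr, value = line.split(":", 1)
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        current.setdefault(attr, []).append(value.strip())
        last = attr
    return entries


def directory_entries(text: str) -> List[str]:
    """DNs of real entries; ldapsearch's closing 'search:/result:' block has no dn."""
    return [e["dn"][0] for e in parse_ldif(text) if "dn" in e]


# Constructed sample of the tail that ldapsearch appends after the entries.
SAMPLE_SEARCH = "# search result\nsearch: 2\nresult: 0 Success\n\n# numEntries: 3\n"
```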
In the next OpenLDAP article, we’ll explain how to add new users and groups to the LDAP Directory.
1. ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
2. ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
3. ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
Change LDAP Password for the user:
ldappasswd -s kanna@123 -W -D "cn=Manager,dc=aeri,dc=local" -x "uid=kanna,ou=Employees,dc=aeri,dc=local"