Install and Setup OpenLDAP on CentOS 8


In this guide, we provide a step-by-step tutorial on how to install and set up OpenLDAP on CentOS 8. If you are here, you already know what an OpenLDAP server is, so describing it is beyond the scope of this tutorial.

Installing OpenLDAP on CentOS 8

The CentOS 8 repositories do not carry the latest release of OpenLDAP. The version provided by the CentOS 8 PowerTools repository is OpenLDAP server v2.4.46. To get the latest version with its bug fixes, you need to build it from source as described in this guide.

You may also want to consider alternatives to OpenLDAP such as FreeIPA;

Install and Setup FreeIPA Server on CentOS 8

Run System Update

To update your system packages, run the command;

dnf update

Install Required Dependencies and Build Tools

Quite a number of dependencies and build tools are required to build and compile OpenLDAP from source successfully. Run the command below to install them.

dnf install cyrus-sasl-devel make libtool autoconf libtool-ltdl-devel openssl-devel libdb-devel tar gcc perl perl-devel wget vim

Create OpenLDAP System Account

In this demo, OpenLDAP runs as a non-privileged system user. Run the command below to create the OpenLDAP system user with a custom user and group ID;

useradd -r -M -d /var/lib/openldap -u 55 -s /usr/sbin/nologin ldap

Consult man useradd for the description of the command line options used above.

Download OpenLDAP Source Tarball

The latest stable release of OpenLDAP as of this writing is OpenLDAP 2.4.48. Navigate to the OpenLDAP downloads page and grab the tarball.

VER=2.4.48
wget ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/openldap-$VER.tgz

Extract the OpenLDAP Source Tarball

The tarball can be extracted by running the command;

tar xzf openldap-$VER.tgz

Compiling OpenLDAP

To compile OpenLDAP on CentOS 8, first run the configure script, which adapts OpenLDAP to your system and checks whether any required dependency is missing before you proceed with the build.

cd openldap-$VER

With the configure script, you can enable or disable various options while building OpenLDAP.

./configure --prefix=/usr --sysconfdir=/etc --disable-static \
--enable-debug --with-tls=openssl --with-cyrus-sasl --enable-dynamic \
--enable-crypt --enable-spasswd --enable-slapd --enable-modules \
--enable-rlookups --enable-backends=mod --disable-ndb --disable-sql \
--disable-shell --disable-bdb --disable-hdb --enable-overlays=mod

To learn more about the configuration options, consult;

./configure --help

If the configure script completes with no issues, the last line you should see is;

Please run "make depend" to build dependencies

As the line states, run make depend to build the OpenLDAP dependencies.

make depend

Next, compile OpenLDAP on CentOS 8.

make

If you have the time and patience, you can run the test suite to check the OpenLDAP build for errors. You can, however, skip this step.

make test

Installing OpenLDAP on CentOS 8

If the compilation of OpenLDAP completes successfully, proceed to install it by running the command;

make install

OpenLDAP configuration files are now installed under /etc/openldap. Listing the directory shows the files below;

ls /etc/openldap/
certs  ldap.conf  ldap.conf.default  schema  slapd.conf  slapd.conf.default  slapd.ldif  slapd.ldif.default

The libraries are installed under /usr/libexec/openldap.

Configuring OpenLDAP on CentOS 8

Now that the installation of OpenLDAP is complete, proceed to configure it.

Create the OpenLDAP data and database directories;

mkdir /var/lib/openldap /etc/openldap/slapd.d

Set the proper ownership and permissions on OpenLDAP directories and configuration files.

chown -R ldap:ldap /var/lib/openldap
chown root:ldap /etc/openldap/slapd.conf
chmod 640 /etc/openldap/slapd.conf

Create OpenLDAP Systemd Service

In order to run OpenLDAP as a service, you need to create a systemd service file as shown below.

vim /etc/systemd/system/slapd.service
[Unit]
Description=OpenLDAP Server Daemon
After=syslog.target network-online.target
Documentation=man:slapd
Documentation=man:slapd-mdb

[Service]
Type=forking
PIDFile=/var/lib/openldap/slapd.pid
Environment="SLAPD_URLS=ldap:/// ldapi:/// ldaps:///"
Environment="SLAPD_OPTIONS=-F /etc/openldap/slapd.d"
ExecStart=/usr/libexec/slapd -u ldap -g ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS

[Install]
WantedBy=multi-user.target

Save and quit the service file. Do not run the service yet.

Create OpenLDAP SUDO Schema

To configure LDAP with sudo support, first check whether your installed version of sudo supports LDAP.

sudo -V |  grep -i "ldap"

If sudo supports LDAP, you should see the lines below;

...
ldap.conf path: /etc/sudo-ldap.conf
ldap.secret path: /etc/ldap.secret

Check whether the LDAP sudo schema is available.

rpm -ql sudo |  grep -i schema.openldap
/usr/share/doc/sudo/schema.OpenLDAP

Copy schema.OpenLDAP to the schema directory.

cp /usr/share/doc/sudo/schema.OpenLDAP  /etc/openldap/schema/sudo.schema

Next, create the sudo schema LDIF file. Run the command below to create sudo.ldif. This LDIF file is obtained from the Lullabot GitHub repository.

cat << 'EOL' > /etc/openldap/schema/sudo.ldif
dn: cn=sudo,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: sudo
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may  run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 'Command(s) to be executed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs' DESC 'User(s) impersonated by sudo (deprecated)' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption' DESC 'Options(s) followed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.6 NAME 'sudoRunAsUser' DESC 'User(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.7 NAME 'sudoRunAsGroup' DESC 'Group(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcObjectClasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL DESC 'Sudoer Entries' MUST ( cn ) MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ sudoRunAsGroup $ sudoOption $ description ) )
EOL

Update SLAPD Database

Move the existing SLAPD LDIF file, /etc/openldap/slapd.ldif, aside and create a new one with the following content;

mv /etc/openldap/slapd.ldif /etc/openldap/slapd.ldif.bak
vi /etc/openldap/slapd.ldif
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/lib/openldap/slapd.args
olcPidFile: /var/lib/openldap/slapd.pid

dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema

dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/libexec/openldap
olcModuleload: back_mdb.la

include: file:///etc/openldap/schema/core.ldif
include: file:///etc/openldap/schema/cosine.ldif
include: file:///etc/openldap/schema/nis.ldif
include: file:///etc/openldap/schema/inetorgperson.ldif
include: file:///etc/openldap/schema/ppolicy.ldif
include: file:///etc/openldap/schema/sudo.ldif

dn: olcDatabase=frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: frontend
olcAccess: to dn.base="cn=Subschema" by * read
olcAccess: to * 
  by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage 
  by * none

dn: olcDatabase=config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: config
olcRootDN: cn=config
olcAccess: to * 
  by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage 
  by * none

To update the SLAPD database from the information in the SLAPD LDIF file above, use the slapadd command with the option -n 0, which creates the first database. Use the -F option to specify the configuration directory, /etc/openldap/slapd.d, and the -l option to specify the location of the LDIF file above.

Before writing the changes to the database, perform a dry run to see what would happen by passing the -u option to slapadd.

slapadd -n 0 -F /etc/openldap/slapd.d -l /etc/openldap/slapd.ldif -u

If the command above completes with no errors, apply the changes.

slapadd -n 0 -F /etc/openldap/slapd.d -l /etc/openldap/slapd.ldif

This command creates the slapd database configuration under the /etc/openldap/slapd.d directory.

ls /etc/openldap/slapd.d
'cn=config'  'cn=config.ldif'
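A frequent cause of slapadd failing on this file (for example "no objectClass attribute") is how the LDIF was pasted: stray indentation, non-breaking spaces, or an include pointing at a schema file that was never created. As an added example that is not part of the guide or of OpenLDAP, the Python check below parses a cn=config LDIF the way slapadd reads it (continuation lines folded, entries separated by blank lines) and reports those mistakes before you run slapadd -u; the GOOD and BAD inputs are constructed.

```python
"""Pre-flight check for a cn=config LDIF such as the guide's slapd.ldif (added example).

It does not replace `slapadd -u`; it only catches the copy-and-paste mistakes that
make slapadd fail: non-breaking spaces, an indented line right after dn: (which LDIF
folds into the DN), entries without objectClass, and include: URIs to missing files.
"""
import os

def unfold(lines):
    """Return (logical_line, first_physical_line_number) pairs."""
    out = []
    for num, raw in enumerate(lines, 1):
        if raw.startswith(" ") and out and out[-1][0] != "":
            out[-1] = (out[-1][0] + raw[1:], out[-1][1])
        else:
            out.append((raw, num))
    return out

def check_ldif(text, file_exists=os.path.exists):
    """Return a list of problems found; an empty list means the file looks sane."""
    problems = []
    lines = text.splitlines()
    for num, raw in enumerate(lines, 1):
        if "\u00a0" in raw:
            problems.append(f"line {num}: non-breaking space (copy-and-paste artefact)")
        if raw.startswith(" ") and num > 1 and lines[num - 2].lower().startswith("dn:"):
            problems.append(f"line {num}: indented line right after dn: is folded into the DN")
    # Group logical lines into entries separated by blank lines.
    entries, current = [], []
    for line, num in unfold(lines) + [("", len(lines) + 1)]:
        if line.strip():
            current.append((line, num))
        elif current:
            entries.append(current)
            current = []
    for entry in entries:
        first, first_num = entry[0]
        if first.lower().startswith("include:"):
            for line, num in entry:
                uri = line.split(":", 1)[1].strip()
                path = uri[len("file://"):] if uri.startswith("file://") else uri
                if not file_exists(path):
                    problems.append(f"line {num}: include {path} does not exist")
        elif not first.lower().startswith("dn:"):
            problems.append(f"line {first_num}: entry does not start with dn:")
        else:
            attrs = {line.split(":", 1)[0].strip().lower() for line, _ in entry[1:]}
            if "objectclass" not in attrs:
                problems.append(f"line {first_num}: {first} has no objectClass attribute")
    return problems

# Constructed samples: GOOD mirrors the guide's layout, BAD shows the mistakes.
GOOD = """\
dn: cn=config
objectClass: olcGlobal
cn: config

dn: olcDatabase=frontend,cn=config
objectClass: olcDatabaseConfig
olcDatabase: frontend
olcAccess: to *
  by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
  by * none
"""

BAD = """\
dn: cn=config
 objectClass: olcGlobal
cn: config

dn: cn=schema,cn=config
cn: schema

include: file:///etc/openldap/schema/core.ldif
include: file:///etc/openldap/schema/sudo.ldif
"""

if __name__ == "__main__":
    print("GOOD:", check_ldif(GOOD) or "no problems found")
    # Pretend only core.ldif is installed so the sudo.ldif include is flagged.
    for problem in check_ldif(BAD, file_exists=lambda p: p.endswith("core.ldif")):
        print("BAD:", problem)
```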

Set the user and group ownership of the /etc/openldap/slapd.d directory and the files in it to the ldap user.

chown -R ldap:ldap /etc/openldap/slapd.d

Running SLAPD Service

Reload the systemd configuration, then start the OpenLDAP service and enable it to run on boot.

systemctl daemon-reload
systemctl enable --now slapd

Check the status;

systemctl status slapd
● slapd.service - OpenLDAP Server Daemon
   Loaded: loaded (/etc/systemd/system/slapd.service; enabled; vendor preset: disabled)
   Active: active (running) since Sat 2019-12-07 12:10:52 EST; 6s ago
     Docs: man:slapd
           man:slapd-mdb
  Process: 14975 ExecStart=/usr/libexec/slapd -u ldap -g ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS (code=exited, status=0/SUCCESS)
 Main PID: 14976 (slapd)
    Tasks: 2 (limit: 5061)
   Memory: 3.0M
   CGroup: /system.slice/slapd.service
           └─14976 /usr/libexec/slapd -u ldap -g ldap -h ldap:/// ldapi:/// ldaps:/// -F /etc/openldap/slapd.d

Configure OpenLDAP Logging on CentOS 8

To make OpenLDAP log connections, operations and result statistics, create an LDIF file and update the database as follows. This logging corresponds to log level 256 (keyword stats) and is enabled by modifying the olcLogLevel attribute as shown below.

vim enable-ldap-log.ldif
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: stats

Apply the change and confirm the new log level;

ldapmodify -Y EXTERNAL -H ldapi:/// -f enable-ldap-log.ldif
ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config "(objectClass=olcGlobal)" olcLogLevel -LLL -Q
dn: cn=config
olcLogLevel: stats

Configure rsyslog so that OpenLDAP logs to a dedicated file. By default, OpenLDAP logs to the local4 facility.

echo "local4.* /var/log/slapd.log" >> /etc/rsyslog.conf

Restart rsyslog;

systemctl restart rsyslog

You should now be able to read the LDAP logs in /var/log/slapd.log.

Create OpenLDAP Default Root DN

Next, create the MDB database, defining the root DN as well as the access control lists.

First, generate the root DN password.

slappasswd
New password: ENTER PASSWORD
Re-enter new password: RE-ENTER PASSWORD
{SSHA}qAZah0xybYLcMfPUAN0SG4ki8JxC4bIF

Paste the password hash generated above as the value of olcRootPW in the root DN LDIF file below.

vim rootdn.ldif

Replace the domain components, dc=ldapmaster,dc=kifarunix-demo,dc=com with your appropriate names.

dn: olcDatabase=mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: mdb
olcDbMaxSize: 42949672960
olcDbDirectory: /var/lib/openldap
olcSuffix: dc=ldapmaster,dc=kifarunix-demo,dc=com
olcRootDN: cn=admin,dc=ldapmaster,dc=kifarunix-demo,dc=com
olcRootPW: {SSHA}5Hcgjj4gtcr/exLcdSRuYgH6bFhIqkSe
olcDbIndex: uid pres,eq
olcDbIndex: cn,sn pres,eq,approx,sub
olcDbIndex: mail pres,eq,sub
olcDbIndex: objectClass pres,eq
olcDbIndex: loginShell pres,eq
olcDbIndex: sudoUser,sudoHost pres,eq
olcAccess: to attrs=userPassword,shadowLastChange,shadowExpire
  by self write
  by anonymous auth
  by dn.subtree="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage 
  by dn.subtree="ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com" read
  by * none
olcAccess: to dn.subtree="ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com" by dn.subtree="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
  by * none
olcAccess: to dn.subtree="dc=ldapmaster,dc=kifarunix-demo,dc=com" by dn.subtree="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
  by users read 
  by * none

Read more about ACL on OpenLDAP Access Control.

Update the slapd database with the content above;

ldapadd -Y EXTERNAL -H ldapi:/// -f rootdn.ldif

Configure OpenLDAP with SSL/TLS

To secure OpenLDAP communication between clients and the server, configure it to use SSL/TLS certificates.

In this guide, we use self-signed certificates. For production environments, you can obtain commercially signed and trusted certificates from your preferred CA.

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout \
/etc/pki/tls/ldapserver.key -out /etc/pki/tls/ldapserver.crt
chown ldap:ldap /etc/pki/tls/{ldapserver.crt,ldapserver.key}

Update the OpenLDAP server TLS certificate attributes.

vi add-tls.ldif
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/pki/tls/ldapserver.crt
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/pki/tls/ldapserver.key
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/pki/tls/ldapserver.crt

Note that we have used the self-signed certificate as both the server certificate and the CA certificate. Apply the changes;

ldapadd -Y EXTERNAL -H ldapi:/// -f add-tls.ldif

You can confirm this by running;

slapcat -b "cn=config" | grep olcTLS
olcTLSCACertificateFile: /etc/pki/tls/ldapserver.crt
olcTLSCertificateKeyFile: /etc/pki/tls/ldapserver.key
olcTLSCertificateFile: /etc/pki/tls/ldapserver.crt

Change the location of the CA certificate in /etc/openldap/ldap.conf.

vim /etc/openldap/ldap.conf
...
#TLS_CACERT     /etc/pki/tls/cert.pem
TLS_CACERT     /etc/pki/tls/ldapserver.crt

Create OpenLDAP Base DN

Next, create your base DN, or search base, to define your organization structure and directory.

vim basedn.ldif

Replace the domain components and organization units accordingly.

dn: dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: dcObject
objectClass: organization
objectClass: top
o: Kifarunix-demo
dc: ldapmaster

dn: ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: organizationalUnit
objectClass: top
ou: groups

dn: ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: organizationalUnit
objectClass: top
ou: people

Add the base DN entries to the database;

ldapadd -Y EXTERNAL -H ldapi:/// -f basedn.ldif

Create OpenLDAP User Accounts

You can now add users to your OpenLDAP server. Create an LDIF file defining your users as follows.

vim users.ldif
dn: uid=johndoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: johndoe
cn: John
sn: Doe
loginShell: /bin/bash
uidNumber: 10000
gidNumber: 10000
homeDirectory: /home/johndoe
shadowMax: 60
shadowMin: 1
shadowWarning: 7
shadowInactive: 7
shadowLastChange: 0

dn: cn=johndoe,ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: posixGroup
cn: johndoe
gidNumber: 10000
memberUid: johndoe

Add the user to the OpenLDAP database.

ldapadd -Y EXTERNAL -H ldapi:/// -f users.ldif

Setting Password for LDAP User

To set the password for the user above, run the command below;

ldappasswd -H ldapi:/// -Y EXTERNAL -S "uid=johndoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com"

Create OpenLDAP Bind DN and Bind DN User

The bind DN user is used to perform LDAP operations such as resolving user IDs and group IDs. In this guide, we create a bind DN OU called system. Note the access controls associated with this OU as defined in the root DN LDIF above.

List the access control lists on the database;

ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config '(olcDatabase={1}mdb)' olcAccess
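As an added example that is not part of the guide or of OpenLDAP, the Python model below parses the three olcAccess values from rootdn.ldif (including their folded continuation lines) and evaluates, under simplified slapd rules, what an anonymous connection, an ordinary user and the cn=readonly bind DN created next can do. It models only the selectors the guide uses (to attrs=, to dn.subtree=, by self, anonymous, users, dn.subtree= and *); ssf requirements, controls and other selectors are outside the model.

```python
"""Simplified model of the olcAccess rules in the guide's rootdn.ldif (added example).

Only the selectors the guide uses are modelled. As in slapd, the first "to" clause
matching the target is the only one consulted, the first matching "by" clause
inside it decides, and an unmatched request gets "none".
"""
import re

# Access levels, least to most privileged (slapd.access(5)).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
SUFFIX = "dc=ldapmaster,dc=kifarunix-demo,dc=com"
ROOT_PEER = "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"

# Constructed copy of the three olcAccess values from rootdn.ldif, folded the
# way the guide shows them (continuation lines start with whitespace).
ROOTDN_LDIF = f"""\
dn: olcDatabase=mdb,cn=config
olcAccess: to attrs=userPassword,shadowLastChange,shadowExpire
  by self write
  by anonymous auth
  by dn.subtree="{ROOT_PEER}" manage
  by dn.subtree="ou=system,{SUFFIX}" read
  by * none
olcAccess: to dn.subtree="ou=system,{SUFFIX}" by dn.subtree="{ROOT_PEER}" manage
  by * none
olcAccess: to dn.subtree="{SUFFIX}" by dn.subtree="{ROOT_PEER}" manage
  by users read
  by * none
"""

def unfold_ldif(text):
    """Join LDIF continuation lines (leading space) onto the preceding line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_acls(text):
    """Return [(what, [(who, level), ...]), ...], one tuple per olcAccess value."""
    clauses = []
    for line in unfold_ldif(text):
        if line.lower().startswith("olcaccess:"):
            parts = re.split(r"\s+by\s+", line.split(":", 1)[1].strip())
            what = parts[0][3:].strip() if parts[0].startswith("to ") else parts[0]
            bys = [tuple(part.rsplit(None, 1)) for part in parts[1:]]
            clauses.append((what, bys))
    return clauses

def _norm(dn):
    return ",".join(p.strip().lower() for p in dn.split(",")) if dn else ""

def in_subtree(dn, base):
    dn, base = _norm(dn), _norm(base)
    return dn == base or dn.endswith("," + base)

def _selector_dn(sel):
    """dn.subtree="ou=system,dc=..." -> ou=system,dc=..."""
    return sel.split("=", 1)[1].strip('"')

def what_matches(what, target_dn, attr):
    if what == "*":
        return True
    if what.startswith("attrs="):
        wanted = {a.strip().lower() for a in what[len("attrs="):].split(",")}
        return attr is not None and attr.lower() in wanted
    if what.startswith("dn.subtree="):
        return in_subtree(target_dn, _selector_dn(what))
    raise ValueError(f"unsupported <what> selector {what!r}")

def who_matches(who, bind_dn, target_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return not bind_dn
    if who == "users":
        return bool(bind_dn)
    if who == "self":
        return bool(bind_dn) and _norm(bind_dn) == _norm(target_dn)
    if who.startswith("dn.subtree="):
        return bool(bind_dn) and in_subtree(bind_dn, _selector_dn(who))
    raise ValueError(f"unsupported <who> selector {who!r}")

def access(clauses, bind_dn, target_dn, attr=None):
    """Level bind_dn ("" = anonymous) gets on attr of target_dn."""
    for what, bys in clauses:
        if not what_matches(what, target_dn, attr):
            continue                  # this "to" clause is not about the target
        for who, level in bys:
            if who_matches(who, bind_dn, target_dn):
                return level          # first matching "by" clause decides
        return "none"                 # implicit trailing "by * none"
    return "none"                     # no "to" clause matched at all

if __name__ == "__main__":
    acls = parse_acls(ROOTDN_LDIF)
    john, ro = f"uid=johndoe,ou=people,{SUFFIX}", f"cn=readonly,ou=system,{SUFFIX}"
    for bind_dn, label in (("", "anonymous"), (john, "johndoe"), (ro, "readonly")):
        print(label, access(acls, bind_dn, john, "userPassword"),
              access(acls, bind_dn, john, "uid"), access(acls, bind_dn, ro, "cn"))
```

Running it shows that the ou=system bind DN is granted read on userPassword hashes while ordinary users get none, so the readonly credential needs the same protection as any other secret.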

Create the bind DN user password.

slappasswd
New password: Password
Re-enter new password: Password
{SSHA}Z7qPE2f8oRfHMo1DSbzdOqbr4jNgqBpC

Paste the password hash above as the value of the userPassword attribute in the file below;

vim bindDNuser.ldif
dn: ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: organizationalUnit
objectClass: top
ou: system

dn: cn=readonly,ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: readonly
userPassword: {SSHA}Z7qPE2f8oRfHMo1DSbzdOqbr4jNgqBpC
description: Bind DN user for LDAP Operations

Add the bind DN user to the database;

ldapadd -Y EXTERNAL -H ldapi:/// -f bindDNuser.ldif

Allow OpenLDAP Service on Firewall

To allow remote clients to query the OpenLDAP server, allow the ldap (389 UDP/TCP) and ldaps (636 UDP/TCP) services on the firewall.

firewall-cmd --add-service={ldap,ldaps} --permanent
firewall-cmd --reload

Testing OpenLDAP Authentication

Well, there you go. You have learnt how to install and set up an OpenLDAP server on CentOS 8. To verify that users can actually log in to systems via the OpenLDAP server, you need to configure OpenLDAP clients on the remote systems.

Note that you can also use phpLDAPadmin to manage and administer your OpenLDAP server. Learn how to install phpLDAPadmin on CentOS 8;

Install phpLDAPadmin on CentOS 8

In our next guide, we will learn how to install and setup OpenLDAP clients on CentOS 8.

Want to configure OpenLDAP to provide sudo rights to your clients? Check the link below;

How to Configure SUDO via OpenLDAP Server

Meanwhile, you can check out our other guides on OpenLDAP by following the links below;

How to Create OpenLDAP Member Groups

Configure SSSD for OpenLDAP Client Authentication on Debian 10/9

Setup OpenLDAP Server with SSL/TLS on Debian 10

Install and Configure OpenLDAP server on Fedora 29

Configure OpenLDAP Client on Debian 9 Stretch

Install and Configure OpenLDAP Server on Debian 9 Stretch

Reference:

Compile OpenLDAP 2.4.48

Building and Installing OpenLDAP Software

koromicha
I am the Co-founder of Kifarunix.com, Linux and the whole FOSS enthusiast, Linux System Admin and a Blue Teamer who loves to share technological tips and hacks with others as a way of sharing knowledge as: "In vain have you acquired knowledge if you have not imparted it to others".

38 thoughts on “Install and Setup OpenLDAP on CentOS 8”

  1. First of all, thank you for your write-up. It's the best one I've used so far on setting up OpenLDAP on CentOS 8.
    I do have a small question. The services are up and running and the firewall is off, but I still am unable to browse or connect any sort of LDAP browser to the server. It might be the bind credentials that I'm using, but I've tried cn=admin. I could use some guidance if possible.

    • Thanks Ed M for the feedback.
      What LDAP browser are you using? Did you set the right bind dn?
      When you query your DN on command line, any errors?

  2. Thank you for the document.
    I ran into a problem, when I run ldapadd -Y EXTERNAL -H ldapi:/// -f rootdn.ldif
    it replies with ldap_add: Insufficient access (50)
    I stopped slapd, removed the /etc/openldap/slapd.d content and tweaked a bit with rootdn.ldif, but still I get ldap_add: Insufficient access (50)
    I’m running a fresh CentOS 8 install.

  3. I have followed this to the tee and although I can bind to ldap I cannot see the base DN.

    [root@localhost openldap]# ldapsearch -LLL -h 10.121.13.160 -b "" -s base +
    ldap_sasl_interactive_bind_s: No such object (32)

    any help would be greatly appreciated.

  4. I am trying to execute this "certs ldap.conf ldap.conf.default schema slapd.conf slapd.conf.default slapd.ldif slapd.ldif.default" and I am receiving "bash: certs: command not found…" I have a new install of CentOS 8. I have gone step by step with no problems, and lastly the certs in the ls step above is highlighted in blue.

  5. I can not get any further than the below step. Can anyone help?

    Update SLAPD Database…
    # slapadd -n 0 -F /etc/openldap/slapd.d -l /etc/openldap/slapd.ldif -u

    slapadd: dn="cn=config" (line=1): no objectClass attribute

      • I appreciate your help. I found it was a format issue when I copied the config supplied in the guide.

        I am, however, having the below issue now when attempting a dry run.
        [root@web openldap-2.4.50]# slapadd -n 0 -F /etc/openldap/slapd.d -l /etc/openldap/slapd.ldif -u
        slapadd: dn="cn=module,cn=config" (line=11): (65) unrecognized objectClass 'olcModuleList'
        _##### 29.07% eta none elapsed none spd 735.4 k/s

  6. slapd daemon does not start.
    The status is as follows.
    What is the problem?

    [root@host01 openldap]# systemctl status slapd.service
    ● slapd.service - OpenLDAP Server Daemon
    Loaded: loaded (/etc/systemd/system/slapd.service; enabled; vendor preset: disabled)
    Active: failed (Result: exit-code) since 목 2020-07-16 18:16:26 KST; 12s ago
    Docs: man:slapd
    man:slapd-mdb
    Process: 10454 ExecStart=/usr/libexec/slapd -u ldap -g ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS (code=exited, status=203/EXEC)

    7월 16 18:16:26 host01 systemd[1]: Starting OpenLDAP Server Daemon…
    7월 16 18:16:26 host01 systemd[1]: slapd.service: control process exited, code=exited status=203
    7월 16 18:16:26 host01 systemd[1]: Failed to start OpenLDAP Server Daemon.
    7월 16 18:16:26 host01 systemd[1]: Unit slapd.service entered failed state.
    7월 16 18:16:26 host01 systemd[1]: slapd.service failed.

  7. When I do an ldapsearch I cannot get the information

    ldapsearch -cx -b "dc=ldapmaster,dc=kifarunix-demo,dc=com"
    # extended LDIF
    #
    # LDAPv3
    # base with scope subtree
    # filter: (objectclass=*)
    # requesting: ALL
    #

    # search result
    search: 2
    result: 32 No such object

    # numResponses: 1

  8. Thanks for the guide.
    I’m here to ask for some help: I’m getting an error (on CentOS 8) at the “enable log” point and also at ldapadd -Y EXTERNAL -H ldapi:/// -f basedn.ldif :

    ldapmodify -Y external -H ldapi:/// -f enable-ldap-log.ldif

    I got

    SASL/EXTERNAL authentication started
    SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    SASL SSF: 0
    adding new entry "olcDatabase=mdb,cn=config"
    ldap_add: Insufficient access (50)

    could you please update the guide (I followed the guide on 2 different VMs and the same issue occurred both times)

    I don’t understand how to grant the needed rights

      • I can confirm David’s experience. Skipping ahead from the log configuration, I also cannot do the rootdn.ldif step. I always get Insufficient access (50). This is as root, or using sudo. selinux is set to permissive, so that is not the problem.

    • I had the exact same problem. I found that removing the sudo schema fixed it.
      But I was using the latest OpenLDAP as of this time, version 2.4.52. Maybe there was a change between the version that this guide was written for (2.4.48) and 2.4.52.

  9. I think the chown command needs to be `chown -R ldap:ldap /etc/openldap/slapd.d/*` otherwise it just does it to the directory.

    • Using a wildcard will only change the ownership of the directory contents but won't change the ownership of the directory itself.

      -R, --recursive: operate on files and directories recursively, from man chown.

  10. Really great document!! Thanks for putting time and effort in putting this up. Everything went well for me but I ended up with the below problem:

    sudo: error in /etc/sudo.conf, line 19 while loading plugin "sudoers_policy"
    sudo: unable to load /usr/libexec/sudo/sudoers.so: libldap-2.4.so.2: cannot open shared object file: Operation not permitted
    sudo: fatal error, unable to load plugins

    I re-did it twice, thinking I might have done something wrong the first time. Why is this happening? I don’t see anybody else having this issue.

    Also.. We use LDAP for managing access to a Java app. Not really POSIX as in Linux/Unix authentication. These accounts don’t need a home dir or bash login or anything. Just cn, uid and userPassword and a policy for the passwords. How can I achieve that? What kind of schema should I be using? I tried creating a user with the LDIF by removing certain POSIX elements and I’m getting AD violation errors.

  11. Hi

    It’s my first time installing OpenLDAP and I was wondering how I get the values for this?

    “Replace the domain components, dc=ldapmaster,dc=kifarunix-demo,dc=com with your appropriate names.”

  12. Good document! Thank you for taking the time to write this up so thoroughly!!

    Everything worked perfectly for me on CentOS 8.3.2011 with OpenLDAP 2.4.57

  13. After following all the steps correctly, I'm not receiving the user and group information. Please help me with it.
    [root@ openldap]# ldapsearch -x -b 'dc=cpms-240,dc=local' '(objectclass=*)'
    # extended LDIF
    #
    # LDAPv3
    # base with scope subtree
    # filter: (objectclass=*)
    # requesting: ALL
    #

    # search result
    search: 2
    result: 32 No such object

    # numResponses: 1

  14. Hi,

    I have done the setup but when I am trying to configure it in Apache Directory Studio, it gives error as ‘Missing schema location in RootDSE , using default schema’ and then after that AD studio shows nothing.

    Can you please help here?

    Thanks

  15. Excellent configuration guide, helped me out immensely. I have phpLDAPAdmin working a treat, but I have been struggling with LDAPAdmin which is windows management program loaded on separate machine. All editing is fine, it just can’t access any of the schema attributes to add them. I assume this is an access control issue, but cannot figure out what is constraining this

  16. Hi,

    Thanks for this article. It's working absolutely fine on the server side, but I am facing an issue with the client side.

    Trying to log in as an LDAP user on the client, I am facing "user does not exist".

    ldap search is successfully able to fetch the ldap data from the server.

    Please share the method to install the ldap client on centos 8 machine

    Regards,
    Pranav

      • Hi Koromicha,

        I am seeing the error related to dn(err=32), when trying to add the basedn I am getting the message as
        adding new entry "dc=testldap,dc=local"
        ldap_add: Already exists (68)

        but I am getting no such object while searching for the basedn details

        ldapsearch -x -b "dc=testldap,dc=local"
        # extended LDIF
        #
        # LDAPv3
        # base with scope subtree
        # filter: (objectclass=*)
        # requesting: ALL
        #

        # search result
        search: 2
        result: 32 No such object

        While verifying the user attributes all data are being obtained seems like there is some issue with the baseDN

        Thanks,
        Pranav

        • ldapsearch -D cn="admin,dc=testldap,dc=local" -W -b dc=testldap,dc=local objectclass=person
          Enter LDAP Password:
          # extended LDIF
          #
          # LDAPv3
          # base with scope subtree
          # filter: objectclass=person
          # requesting: ALL
          #

          # pranav, dep, testldap.local
          dn: uid=pranav,ou=dep,dc=testldap,dc=local
          objectClass: inetOrgPerson
          objectClass: posixAccount
          objectClass: shadowAccount
          uid: pranav
          cn: Pranav
          sn: Viswanatha
          loginShell: /bin/bash
          uidNumber: xxxx
          gidNumber: xxxx
          homeDirectory: /home/pranav
          shadowMax: 60
          shadowMin: 1
          shadowWarning: 7
          shadowInactive: 7
          shadowLastChange: 0
          userPassword:: e1NTSEF9UUJFSHpucTJjNkpOcFNMMlY0WWViU3lVTkl0V0NkaXQ=

          # search result
          search: 2
          result: 0 Success

          # numResponses: 2
          # numEntries: 1

          I am able to retrieve the user info both from the client and server. May I please get to know what exactly I am missing, where I am going wrong?

          Apr 1 15:19:54 sdvt002 slapd[2397]: conn=3948 op=2 SRCH base="dc=ldaptest,dc=local" scope=2 deref=0 filter="(&(uid=gnome-initial-setup)(objectClass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))"
          Apr 1 15:19:54 sdvt002 slapd[2397]: conn=3948 op=2 SRCH attr=objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbPrincipalName cn modifyTimestamp modifyTimestamp shadowLastChange shadowMin shadowMax shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration pwdAttribute authorizedService accountExpires userAccountControl nsAccountLock host rhost loginDisabled loginExpirationTime loginAllowedTimeMap sshPublicKey userCertificate;binary mail
          Apr 1 15:19:54 sdvt002 slapd[2397]: conn=3948 op=2 SEARCH RESULT tag=101 err=32 nentries=0 text=
          Apr 1 15:26:20 sdvt002 slapd[2397]: conn=3948 op=3 UNBIND
          Apr 1 15:26:20 sdvt002 slapd[2397]: conn=3948 fd=17 closed
          Apr 1 15:26:26 sdvt002 slapd[2397]: conn=3951 fd=17 ACCEPT from IP=x.x.x.x:46104 (IP=0.0.0.0:389)
          Apr 1 15:26:26 sdvt002 slapd[2397]: conn=3951 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
          Apr 1 15:26:26 sdvt002 slapd[2397]: conn=3951 op=0 SRCH attr=* altServer namingContexts supportedControl supportedExtension supportedFeatures supportedLDAPVersion supportedSASLMechanisms domainControllerFunctionality defaultNamingContext lastUSN highestCommittedUSN
          Apr 1 15:26:26 sdvt002 slapd[2397]: conn=3951 op=0 SEARCH RESULT tag=101 err=0 nentries=0 text=
          Apr 1 15:26:26 sdvt002 slapd[2397]: conn=3951 op=1 SRCH base="dc=ldaptest,dc=local" scope=2 deref=0 filter="(objectClass=sudoRole)"
          Apr 1 15:26:26 sdvt002 slapd[2397]: conn=3951 op=1 SRCH attr=objectClass objectClass cn sudoCommand sudoHost sudoUser sudoOption sudoRunAs sudoRunAsUser sudoRunAsGroup sudoNotBefore sudoNotAfter sudoOrder modifyTimestamp
          Apr 1 15:26:26 sdvt002 slapd[2397]: conn=3951 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
          Apr 1 15:32:55 sdvt002 slapd[2397]: conn=3952 fd=23 ACCEPT from IP=x.x.x.x:54930 (IP=0.0.0.0:389)
          Apr 1 15:32:55 sdvt002 slapd[2397]: conn=3952 op=0 BIND dn="cn=admin,dc=ldaptest,dc=local" method=128
          Apr 1 15:32:55 sdvt002 slapd[2397]: conn=3952 op=0 RESULT tag=97 err=49 text=
          Apr 1 15:32:55 sdvt002 slapd[2397]: conn=3952 op=1 UNBIND
          Apr 1 15:32:55 sdvt002 slapd[2397]: conn=3952 fd=23 closed
          Apr 1 15:33:23 sdvt002 slapd[2397]: conn=3953 fd=23 ACCEPT from IP=x.x.x.x:54932 (IP=0.0.0.0:389)
          Apr 1 15:33:23 sdvt002 slapd[2397]: conn=3953 op=0 BIND dn="cn=admin,dc=ldaptest,dc=local" method=128
          Apr 1 15:33:23 sdvt002 slapd[2397]: conn=3953 op=0 BIND dn="cn=admin,dc=ldaptest,dc=local" mech=SIMPLE ssf=0
          Apr 1 15:33:23 sdvt002 slapd[2397]: conn=3953 op=0 RESULT tag=97 err=0 text=
          Apr 1 15:33:23 sdvt002 slapd[2397]: conn=3953 op=1 SRCH base="dc=ldaptest,dc=local" scope=2 deref=0 filter="(objectClass=person)"
          Apr 1 15:33:23 sdvt002 slapd[2397]: conn=3953 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
          Apr 1 15:33:23 sdvt002 slapd[2397]: conn=3953 op=2 UNBIND
          Apr 1 15:33:23 sdvt002 slapd[2397]: conn=3953 fd=23 closed

          • Hi team, my LDAP server and client configuration is done, but when I check the client server id (username), my username does not show on the client side. I also created the user on the LDAP server. Please help to resolve the issue.

        • Hello Pranav,

          Error 32 usually means the object being queried does not exist! Ensure the DN is correct

          • I am new to LDAP can you help me to modify the data entry in olcDatabase and olcAccess, I am seeing the issue in the olcDatabase={1}mdb
