{"id":10418,"date":"2021-09-16T22:46:31","date_gmt":"2021-09-16T19:46:31","guid":{"rendered":"https:\/\/kifarunix.com\/?p=10418"},"modified":"2024-03-18T14:00:05","modified_gmt":"2024-03-18T11:00:05","slug":"install-and-setup-openldap-server-on-debian-11","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/install-and-setup-openldap-server-on-debian-11\/","title":{"rendered":"Install and Setup OpenLDAP Server on Debian 11"},"content":{"rendered":"\n<p>Follow through this tutorial to learn how to install and setup OpenLDAP Server on Debian 11.<\/p>\n\n\n\n<div class=\"wp-block-rank-math-toc-block\" id=\"rank-math-toc\"><h2>Table of Contents<\/h2><nav><ul><li><a href=\"#installing-open-ldap-server-on-debian-11\">Installing OpenLDAP Server on Debian 11<\/a><ul><li><a href=\"#run-system-update\">Run System Update<\/a><\/li><li><a href=\"#build-and-install-open-ldap-server-on-debian-11\">Build and Install OpenLDAP Server on Debian 11<\/a><ul><li><a href=\"#create-open-ldap-system-account\">Create OpenLDAP System Account<\/a><\/li><li><a href=\"#install-required-dependencies-and-build-tools\">Install Required Dependencies and Build Tools<\/a><\/li><li><a href=\"#download-open-ldap-source-code\">Download OpenLDAP Source Code<\/a><\/li><li><a href=\"#extract-the-open-ldap-source-code\">Extract the OpenLDAP Source Code<\/a><\/li><li><a href=\"#install-open-ldap-server-on-debian-11\">Install OpenLDAP Server on Debian 11<\/a><\/li><\/ul><\/li><li><a href=\"#configuring-open-ldap-on-debian-11\">Configuring OpenLDAP on Debian 11<\/a><ul><li><a href=\"#create-data-and-database-directories\">Create Data and Database Directories<\/a><\/li><li><a href=\"#update-open-ldap-service\">Update OpenLDAP Service<\/a><\/li><li><a href=\"#create-open-ldap-sudo-schema\">Create OpenLDAP SUDO Schema<\/a><\/li><li><a href=\"#update-slapd-database\">Update SLAPD Database<\/a><\/li><li><a href=\"#running-open-ldap-service\">Running OpenLDAP Service<\/a><\/li><li><a 
href=\"#configure-open-ldap-logging-on-debian-11\">Configure OpenLDAP Logging on Debian 11<\/a><\/li><li><a href=\"#create-open-ldap-default-root-dn\">Create OpenLDAP Default Root DN<\/a><\/li><\/ul><\/li><li><a href=\"#configure-open-ldap-with-ssl-tls\">Configure OpenLDAP with SSL\/TLS<\/a><ul><li><a href=\"#create-open-ldap-base-dn\">Create OpenLDAP Base DN<\/a><\/li><li><a href=\"#create-open-ldap-user-accounts\">Create OpenLDAP User Accounts<\/a><\/li><li><a href=\"#setting-password-for-ldap-user\">Setting password for LDAP User<\/a><\/li><li><a href=\"#create-open-ldap-bind-dn-and-bind-dn-user\">Create OpenLDAP Bind DN and Bind DN User<\/a><\/li><li><a href=\"#enable-open-ldap-password-policies\">Enable OpenLDAP Password Policies<\/a><\/li><li><a href=\"#allow-open-ldap-service-on-firewall\">Allow OpenLDAP Service on Firewall<\/a><\/li><li><a href=\"#authenticate-via-open-ldap-server\">Authenticate Via OpenLDAP Server<\/a><\/li><\/ul><\/li><\/ul><\/li><\/ul><\/nav><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"installing-open-ldap-server-on-debian-11\">Installing OpenLDAP Server on Debian 11<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"run-system-update\">Run System Update<\/h3>\n\n\n\n<p>Before you begin, ensure your system package cache is up-to-date.<\/p>\n\n\n\n<pre id=\"block-f2549898-cc5a-4438-ace1-28aabcad1789\" class=\"wp-block-preformatted\">apt update<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>apt upgrade<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"build-and-install-open-ldap-server-on-debian-11\">Build and Install OpenLDAP Server on Debian 11<\/h3>\n\n\n\n<p>The default Debian 11 repositories provide OpenLDAP 2.4.57;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>apt-cache policy slapd<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>slapd:\n  Installed: (none)\n  Candidate: 2.4.57+dfsg-3\n  Version table:\n     2.4.57+dfsg-3 500\n        500 http:\/\/deb.debian.org\/debian bullseye\/main amd64 
Packages<\/code><\/pre>\n\n\n\n<p>As of this writing, OpenLDAP 2.5.7 is the current stable release, as per the <a href=\"https:\/\/www.openldap.org\/software\/release\/\" target=\"_blank\" rel=\"noreferrer noopener\">release page<\/a>.<\/p>\n\n\n\n<p>To run the latest version of OpenLDAP, you therefore need to build it from source.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"create-open-ldap-system-account\">Create OpenLDAP System Account<\/h4>\n\n\n\n<p>Create a non-privileged system user to run OpenLDAP.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>useradd -r -M -d \/var\/lib\/openldap -s \/usr\/sbin\/nologin ldap<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"install-required-dependencies-and-build-tools\">Install Required Dependencies and Build Tools<\/h4>\n\n\n\n<p>Quite a number of dependencies and build tools are required to build and compile OpenLDAP from source; install them by running the command below;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>apt install libsasl2-dev make libtool build-essential openssl \\\nlibevent-dev libargon2-dev sudo wget pkg-config wiredtiger \\\nlibsystemd-dev libssl-dev<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"download-open-ldap-source-code\">Download OpenLDAP Source Code<\/h4>\n\n\n\n<p>Navigate to the&nbsp;<a rel=\"noreferrer noopener\" href=\"https:\/\/www.openldap.org\/software\/download\/\" target=\"_blank\">OpenLDAP downloads page<\/a>&nbsp;and grab the tarball.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>VER=2.5.7<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>wget https:\/\/www.openldap.org\/software\/download\/OpenLDAP\/openldap-release\/openldap-$VER.tgz<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"extract-the-open-ldap-source-code\">Extract the OpenLDAP Source Code<\/h4>\n\n\n\n<p>The tarball can be extracted by running the command;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>tar xzf 
openldap-$VER.tgz<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"install-open-ldap-server-on-debian-11\">Install OpenLDAP Server on Debian 11<\/h4>\n\n\n\n<p>Compile and install OpenLDAP server on Debian 11 as follows;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cd openldap-$VER<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\n.\/configure --prefix=\/usr --sysconfdir=\/etc --disable-static \\\n--enable-debug --with-tls=openssl --with-cyrus-sasl \\\n--enable-dynamic --enable-crypt --enable-spasswd \\\n--enable-slapd --enable-modules --enable-rlookups \\\n--enable-backends=mod --disable-sql --enable-ppolicy=mod \\\n--enable-syslog --enable-overlays=mod --with-systemd --enable-wt=no\n<\/code><\/pre>\n\n\n\n<p>If the command ends with an error, fix it before proceeding. Otherwise, the command should end with output like the following;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>...\nconfig.status: executing libtool commands\nconfig.status: executing default commands\nMaking servers\/slapd\/backends.c\n    Add config ...\n    Add ldif ...\n    Add monitor ...\nMaking servers\/slapd\/overlays\/statover.c\n    Add ppolicy ...\nPlease run \"make depend\" to build dependencies\n<\/code><\/pre>\n\n\n\n<p>Next, run the&nbsp;<code><strong>make depend<\/strong><\/code>&nbsp;command to build OpenLDAP dependencies.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>make depend<\/code><\/pre>\n\n\n\n<p>Compile OpenLDAP on Debian 11.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>make<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>make install<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"configuring-open-ldap-on-debian-11\">Configuring OpenLDAP on Debian 11<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"create-data-and-database-directories\">Create Data and Database Directories<\/h4>\n\n\n\n<p>Create the OpenLDAP data and database directories.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>mkdir \/var\/lib\/openldap 
\/etc\/openldap\/slapd.d<\/code><\/pre>\n\n\n\n<p>Set the proper ownership and permissions on OpenLDAP directories and configuration files.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>chown -R ldap:ldap \/var\/lib\/openldap<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>chown root:ldap \/etc\/openldap\/slapd.conf<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>chmod 640 \/etc\/openldap\/slapd.conf<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"update-open-ldap-service\">Update OpenLDAP Service<\/h4>\n\n\n\n<p>Replace the OpenLDAP service file created by the installation with the one below;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>mv \/lib\/systemd\/system\/slapd.service{,.old}<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\ncat > \/etc\/systemd\/system\/slapd.service << 'EOL'\n[Unit]\nDescription=OpenLDAP Server Daemon\nAfter=syslog.target network-online.target\nDocumentation=man:slapd\nDocumentation=man:slapd-mdb\n\n[Service]\nType=forking\nPIDFile=\/var\/lib\/openldap\/slapd.pid\nEnvironment=\"SLAPD_URLS=ldap:\/\/\/ ldapi:\/\/\/ ldaps:\/\/\/\"\nEnvironment=\"SLAPD_OPTIONS=-F \/etc\/openldap\/slapd.d\"\nExecStart=\/usr\/libexec\/slapd -u ldap -g ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS\n\n[Install]\nWantedBy=multi-user.target\nEOL\n<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"create-open-ldap-sudo-schema\">Create OpenLDAP SUDO Schema<\/h4>\n\n\n\n<p>To configure LDAP with&nbsp;<code>sudo<\/code>&nbsp;support, first install the sudo-ldap package.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>apt install sudo-ldap<\/code><\/pre>\n\n\n\n<p>You can then verify that sudo was built with LDAP support.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo -V |  grep -i \"ldap\"<\/code><\/pre>\n\n\n\n<p>If sudo supports LDAP, you should see the lines below;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>...\nldap.conf path: \/etc\/sudo-ldap.conf\nldap.secret path: \/etc\/ldap.secret<\/code><\/pre>\n\n\n\n<p>Check if the LDAP sudo schema is available.<\/p>\n\n\n\n<pre 
class=\"wp-block-code\"><code>find \/usr\/share\/doc\/ -iname schema.openldap<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>\/usr\/share\/doc\/sudo-ldap\/schema.OpenLDAP<\/code><\/pre>\n\n\n\n<p>Copy the&nbsp;<code>schema.OpenLDAP<\/code>&nbsp;to the schema directory.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cp \/usr\/share\/doc\/sudo-ldap\/schema.OpenLDAP  \/etc\/openldap\/schema\/sudo.schema<\/code><\/pre>\n\n\n\n<p>Next, you need to create the sudo schema LDIF file.<\/p>\n\n\n\n<p>Run the command below to create the&nbsp;<code><strong>sudo.ldif<\/strong><\/code>&nbsp;file. This LDIF file is obtained from the&nbsp;<a href=\"https:\/\/github.com\/Lullabot\/openldap-schema\/blob\/master\/sudo.ldif\" target=\"_blank\" rel=\"noreferrer noopener\">Lullabot GitHub repository<\/a>.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\ncat << 'EOL' > \/etc\/openldap\/schema\/sudo.ldif\ndn: cn=sudo,cn=schema,cn=config\nobjectClass: olcSchemaConfig\ncn: sudo\nolcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may  run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )\nolcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )\nolcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 'Command(s) to be executed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )\nolcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs' DESC 'User(s) impersonated by sudo (deprecated)' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )\nolcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption' DESC 'Options(s) followed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )\nolcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.6 NAME 'sudoRunAsUser' DESC 'User(s) impersonated by sudo' EQUALITY 
caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )\nolcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.7 NAME 'sudoRunAsGroup' DESC 'Group(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )\nolcObjectClasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL DESC 'Sudoer Entries' MUST ( cn ) MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ sudoRunAsGroup $ sudoOption $ description ) )\nEOL\n<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"update-slapd-database\">Update SLAPD Database<\/h4>\n\n\n\n<p>Edit the SLAPD LDIF file,&nbsp;<code><strong>\/etc\/openldap\/slapd.ldif<\/strong><\/code>, and update it as follows;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>mv \/etc\/openldap\/slapd.ldif{,.bak}<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\ncat > \/etc\/openldap\/slapd.ldif << 'EOL'\ndn: cn=config\nobjectClass: olcGlobal\ncn: config\nolcArgsFile: \/var\/lib\/openldap\/slapd.args\nolcPidFile: \/var\/lib\/openldap\/slapd.pid\n\ndn: cn=schema,cn=config\nobjectClass: olcSchemaConfig\ncn: schema\n\ndn: cn=module,cn=config\nobjectClass: olcModuleList\ncn: module\nolcModulepath: \/usr\/libexec\/openldap\nolcModuleload: back_mdb.la\n\ninclude: file:\/\/\/etc\/openldap\/schema\/core.ldif\ninclude: file:\/\/\/etc\/openldap\/schema\/cosine.ldif\ninclude: file:\/\/\/etc\/openldap\/schema\/nis.ldif\ninclude: file:\/\/\/etc\/openldap\/schema\/inetorgperson.ldif\ninclude: file:\/\/\/etc\/openldap\/schema\/sudo.ldif\n#include: file:\/\/\/etc\/openldap\/schema\/ppolicy.ldif\ndn: olcDatabase=frontend,cn=config\nobjectClass: olcDatabaseConfig\nobjectClass: olcFrontendConfig\nolcDatabase: frontend\nolcAccess: to dn.base=\"cn=Subschema\" by * read\nolcAccess: to * \n  by dn.base=\"gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\" manage \n  by * none\n\ndn: olcDatabase=config,cn=config\nobjectClass: olcDatabaseConfig\nolcDatabase: config\nolcRootDN: cn=config\nolcAccess: to * \n  by 
dn.base=\"gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\" manage \n  by * none\nEOL\n<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>To update the SLAPD database from the information provided on the SLAPD LDIF file above, use&nbsp;<code><strong>slapadd<\/strong><\/code>&nbsp;command with the option&nbsp;<code><strong>-n 0<\/strong><\/code>&nbsp;which creates the first database.<\/li>\n\n\n\n<li>To specify the configuration directory,&nbsp;<strong><code>\/etc\/openldap\/slapd.d<\/code><\/strong>, use option&nbsp;<strong><code>-F<\/code><\/strong>&nbsp;and option&nbsp;<strong><code>-l<\/code><\/strong>&nbsp;to specify location of the LDIF file above.<\/li>\n<\/ul>\n\n\n\n<p>Before you can write the changes to the database, perform a dry run to see what would happen. Pass&nbsp;<strong><code>-u<\/code><\/strong>&nbsp;option to slapadd command.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>slapadd -n 0 -F \/etc\/openldap\/slapd.d -l \/etc\/openldap\/slapd.ldif -u<\/code><\/pre>\n\n\n\n<p>If the command does not output anything, all is fine.<\/p>\n\n\n\n<p>Then implement the changes if all is well.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>slapadd -n 0 -F \/etc\/openldap\/slapd.d -l \/etc\/openldap\/slapd.ldif<\/code><\/pre>\n\n\n\n<p>This command creates slapd database configurations under the&nbsp;<code>\/etc\/openldap\/slapd.d<\/code>&nbsp;directory.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ls \/etc\/openldap\/slapd.d<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>'cn=config'  'cn=config.ldif'<\/code><\/pre>\n\n\n\n<p>Set the user and group ownership of the&nbsp;<code>\/etc\/openldap\/slapd.d<\/code>&nbsp;directory and the files in it to the ldap user.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>chown -R ldap:ldap \/etc\/openldap\/slapd.d<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"running-open-ldap-service\">Running OpenLDAP Service<\/h4>\n\n\n\n<p>Reload systemd configurations and start OpenLDAP 
service.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl daemon-reload<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl enable --now slapd<\/code><\/pre>\n\n\n\n<p>Check status;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl status slapd<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\u25cf slapd.service - OpenLDAP Server Daemon\n     Loaded: loaded (\/etc\/systemd\/system\/slapd.service; enabled; vendor preset: enabled)\n     Active: active (running) since Thu 2021-09-16 07:49:19 EAT; 3min 32s ago\n       Docs: man:slapd\n             man:slapd-mdb\n   Main PID: 1422 (slapd)\n      Tasks: 4 (limit: 2341)\n     Memory: 3.0M\n        CPU: 31ms\n     CGroup: \/system.slice\/slapd.service\n             \u2514\u25001422 \/usr\/libexec\/slapd -u ldap -g ldap -h ldap:\/\/\/ ldapi:\/\/\/ ldaps:\/\/\/ -F \/etc\/openldap\/slapd.d\n\nSep 16 07:49:19 bullseye.kifarunix-demo.com systemd[1]: Started OpenLDAP Server Daemon.\nSep 16 07:49:34 bullseye.kifarunix-demo.com slapd[1422]: conn=1000 fd=12 ACCEPT from PATH=\/usr\/var\/run\/ldapi (PATH=\/usr\/var\/run\/ldapi)\nSep 16 07:49:34 bullseye.kifarunix-demo.com slapd[1422]: conn=1000 op=0 BIND dn=\"\" method=163\nSep 16 07:49:34 bullseye.kifarunix-demo.com slapd[1422]: conn=1000 op=0 BIND authcid=\"gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\" authzid=\"gidNumber=0+uidNumb&gt;\nSep 16 07:49:34 bullseye.kifarunix-demo.com slapd[1422]: conn=1000 op=0 BIND dn=\"gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\" mech=EXTERNAL bind_ssf=0 ssf=71\nSep 16 07:49:34 bullseye.kifarunix-demo.com slapd[1422]: conn=1000 op=0 RESULT tag=97 err=0 qtime=0.000058 etime=0.000590 text=\nSep 16 07:49:34 bullseye.kifarunix-demo.com slapd[1422]: conn=1000 op=1 SRCH base=\"cn=config\" scope=2 deref=0 filter=\"(objectClass=*)\"\nSep 16 07:49:34 bullseye.kifarunix-demo.com slapd[1422]: conn=1000 op=1 SEARCH RESULT tag=101 err=0 qtime=0.000039 etime=0.002017 nentries=10 text=\nSep 16 07:49:34 
bullseye.kifarunix-demo.com slapd[1422]: conn=1000 op=2 UNBIND\nSep 16 07:49:34 bullseye.kifarunix-demo.com slapd[1422]: conn=1000 fd=12 closed\n<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"configure-open-ldap-logging-on-debian-11\">Configure OpenLDAP Logging on Debian 11<\/h4>\n\n\n\n<p>By default, the OpenLDAP log level is set to&nbsp;<code>none<\/code>, which logs only high-priority messages that are logged regardless of the configured level.<\/p>\n\n\n\n<p>To change this to a&nbsp;<a rel=\"noreferrer noopener\" href=\"https:\/\/www.openldap.org\/doc\/admin24\/slapdconfig.html\" target=\"_blank\">different log level<\/a>, say to the&nbsp;<code>stats<\/code>&nbsp;level (logs connections\/operations\/results), run the command below;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ldapmodify -Y EXTERNAL -H ldapi:\/\/\/ -Q<\/code><\/pre>\n\n\n\n<p>Then copy and paste the content below at the prompt to modify the log level.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>dn: cn=config\nchangeType: modify\nreplace: olcLogLevel\nolcLogLevel: stats<\/code><\/pre>\n\n\n\n<p>Next, press&nbsp;<strong>ENTER<\/strong> twice. Once you see the line&nbsp;<code><strong>modifying entry \"cn=config\"<\/strong><\/code>, press&nbsp;<code><strong>Ctrl+d<\/strong><\/code>.<\/p>\n\n\n\n<p>You can as well use LDIF files to update this information if you like.<\/p>\n\n\n\n<p>To confirm the changes;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ldapsearch -Y EXTERNAL -H ldapi:\/\/\/ -b cn=config \"(objectClass=olcGlobal)\" olcLogLevel -LLL -Q<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>dn: cn=config\nolcLogLevel: stats<\/code><\/pre>\n\n\n\n<p>Next, you need to specify the log file for OpenLDAP in the Rsyslog configuration. 
By default, OpenLDAP logs to the&nbsp;<code>local4<\/code>&nbsp;facility, hence, to configure it to log to&nbsp;<code>\/var\/log\/slapd.log<\/code>&nbsp;for example, execute the command below;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>echo \"local4.* \/var\/log\/slapd.log\" &gt;&gt; \/etc\/rsyslog.d\/51-slapd.conf<\/code><\/pre>\n\n\n\n<p>Restart the Rsyslog and SLAPD services.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl restart rsyslog slapd<\/code><\/pre>\n\n\n\n<p>You should now be able to read the LDAP logs in&nbsp;<code>\/var\/log\/slapd.log<\/code>.<\/p>\n\n\n\n<p>You can as well configure log rotation;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\ncat > \/etc\/logrotate.d\/slapd << EOL\n\/var\/log\/slapd.log\n{ \n        rotate 7\n        daily\n        missingok\n        notifempty\n        delaycompress\n        compress\n        postrotate\n                \/usr\/lib\/rsyslog\/rsyslog-rotate\n        endscript\n}\nEOL\n<\/code><\/pre>\n\n\n\n<p>Restart the log rotation service;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl restart logrotate<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"create-open-ldap-default-root-dn\">Create OpenLDAP Default Root DN<\/h4>\n\n\n\n<p>Next, create the MDB database, defining the root DN as well as the access control lists.<\/p>\n\n\n\n<p>First, generate the root DN password.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>slappasswd<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>New password: <strong>ENTER PASSWORD<\/strong>\nRe-enter new password: <strong>RE-ENTER PASSWORD<\/strong>\n<strong>{SSHA}OH74PoJJKTsYIEg75iuwGk0OKbJ8y\/BD<\/strong><\/code><\/pre>\n\n\n\n<p>Copy and paste the password hash generated above, <strong>{SSHA}OH74PoJJKTsYIEg75iuwGk0OKbJ8y\/BD<\/strong>, as the value of&nbsp;<strong><code>olcRootPW<\/code><\/strong>&nbsp;in the root DN LDIF file below.<\/p>\n\n\n\n<p>Replace the domain 
components,&nbsp;<code><strong>dc=ldapmaster,dc=kifarunix-demo,dc=com<\/strong><\/code>&nbsp;with your appropriate names.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\ncat > rootdn.ldif << 'EOL'\ndn: olcDatabase=mdb,cn=config\nobjectClass: olcDatabaseConfig\nobjectClass: olcMdbConfig\nolcDatabase: mdb\nolcDbMaxSize: 42949672960\nolcDbDirectory: \/var\/lib\/openldap\nolcSuffix: dc=ldapmaster,dc=kifarunix-demo,dc=com\nolcRootDN: cn=admin,dc=ldapmaster,dc=kifarunix-demo,dc=com\nolcRootPW: {SSHA}OH74PoJJKTsYIEg75iuwGk0OKbJ8y\/BD\nolcDbIndex: uid pres,eq\nolcDbIndex: cn,sn pres,eq,approx,sub\nolcDbIndex: mail pres,eq,sub\nolcDbIndex: objectClass pres,eq\nolcDbIndex: loginShell pres,eq\nolcDbIndex: sudoUser,sudoHost pres,eq\nolcAccess: to attrs=userPassword,shadowLastChange,shadowExpire\n  by self write\n  by anonymous auth\n  by dn.subtree=\"gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\" manage \n  by dn.subtree=\"ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com\" read\n  by * none\nolcAccess: to dn.subtree=\"ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com\" by dn.subtree=\"gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\" manage\n  by * none\nolcAccess: to dn.subtree=\"dc=ldapmaster,dc=kifarunix-demo,dc=com\" by dn.subtree=\"gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\" manage\n  by users read \n  by * none\nEOL\n<\/code><\/pre>\n\n\n\n<p>Read more about ACLs on&nbsp;<a href=\"https:\/\/www.openldap.org\/doc\/admin24\/access-control.html\" target=\"_blank\" rel=\"noreferrer noopener\">OpenLDAP Access Control<\/a>.<\/p>\n\n\n\n<p>Update the slapd database with the content above;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ldapadd -Y EXTERNAL -H ldapi:\/\/\/ -f rootdn.ldif<\/code><\/pre>\n\n\n\n<p>Sample command output;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>SASL\/EXTERNAL authentication started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\nadding new entry 
\"olcDatabase=mdb,cn=config\"<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"configure-open-ldap-with-ssl-tls\">Configure OpenLDAP with SSL\/TLS<\/h3>\n\n\n\n<p>To secure OpenLDAP communication between the client and the server, configure it to use SSL\/TLS certificates.<\/p>\n\n\n\n<p>In this guide, we use self-signed certificates. For production environments, you can instead obtain certificates signed by a trusted CA of your choice.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout \\\n\/etc\/ssl\/ldapserver.key -out \/etc\/ssl\/ldapserver.crt<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>chown ldap:ldap \/etc\/ssl\/{ldapserver.crt,ldapserver.key}<\/code><\/pre>\n\n\n\n<p>Update the OpenLDAP server TLS certificate attributes.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\ncat > tls.ldif << 'EOL'\ndn: cn=config\nchangetype: modify\nadd: olcTLSCACertificateFile\nolcTLSCACertificateFile: \/etc\/ssl\/ldapserver.crt\n-\nadd: olcTLSCertificateFile\nolcTLSCertificateFile: \/etc\/ssl\/ldapserver.crt\n-\nadd: olcTLSCertificateKeyFile\nolcTLSCertificateKeyFile: \/etc\/ssl\/ldapserver.key\nEOL\n<\/code><\/pre>\n\n\n\n<p>Note that we have used the self-signed certificate as both the server certificate and the CA certificate.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ldapadd -Y EXTERNAL -H ldapi:\/\/\/ -f tls.ldif<\/code><\/pre>\n\n\n\n<p>You can confirm this by running;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>slapcat -b \"cn=config\" | grep olcTLS<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>olcTLSCACertificateFile: \/etc\/ssl\/ldapserver.crt\nolcTLSCertificateFile: \/etc\/ssl\/ldapserver.crt\nolcTLSCertificateKeyFile: \/etc\/ssl\/ldapserver.key<\/code><\/pre>\n\n\n\n<p>Change the location of the CA certificate in&nbsp;<code>\/etc\/ldap\/ldap.conf<\/code>.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sed -i 
's|\/etc\/ssl\/certs\/ca-certificates.crt|\/etc\/ssl\/ldapserver.crt|' \/etc\/ldap\/ldap.conf<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"create-open-ldap-base-dn\">Create OpenLDAP Base DN<\/h4>\n\n\n\n<p>Next, create your base DN or search base to define your organization structure and directory.<\/p>\n\n\n\n<p>Replace the domain components and organization units accordingly.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\ncat > basedn.ldif << 'EOL'\ndn: dc=ldapmaster,dc=kifarunix-demo,dc=com\nobjectClass: dcObject\nobjectClass: organization\nobjectClass: top\no: Kifarunix-demo\ndc: ldapmaster\n\ndn: ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com\nobjectClass: organizationalUnit\nobjectClass: top\nou: groups\n\ndn: ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\nobjectClass: organizationalUnit\nobjectClass: top\nou: people\nEOL\n<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>ldapadd -Y EXTERNAL -H ldapi:\/\/\/ -f basedn.ldif<\/code><\/pre>\n\n\n\n<p>Sample output;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>...\nadding new entry \"dc=ldapmaster,dc=kifarunix-demo,dc=com\"\n\nadding new entry \"ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com\"\n\nadding new entry \"ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\"<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"create-open-ldap-user-accounts\">Create OpenLDAP User Accounts<\/h4>\n\n\n\n<p>You can add users to your OpenLDAP server. 
Create an LDIF file to define your users as follows.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\ncat > users.ldif << 'EOL'\ndn: uid=johndoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\nobjectClass: inetOrgPerson\nobjectClass: posixAccount\nobjectClass: shadowAccount\nuid: johndoe\ncn: John\nsn: Doe\nloginShell: \/bin\/bash\nuidNumber: 10000\ngidNumber: 10000\nhomeDirectory: \/home\/johndoe\nshadowMax: 60\nshadowMin: 1\nshadowWarning: 7\nshadowInactive: 7\nshadowLastChange: 0\n\ndn: cn=johndoe,ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com\nobjectClass: posixGroup\ncn: johndoe\ngidNumber: 10000\nmemberUid: johndoe\nEOL\n<\/code><\/pre>\n\n\n\n<p>Add the user to the OpenLDAP database.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ldapadd -Y EXTERNAL -H ldapi:\/\/\/ -f users.ldif<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"setting-password-for-ldap-user\">Setting password for LDAP User<\/h4>\n\n\n\n<p>To set the password for the user above, run the command below;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ldappasswd -H ldapi:\/\/\/ -Y EXTERNAL -S \"uid=johndoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\"<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"create-open-ldap-bind-dn-and-bind-dn-user\">Create OpenLDAP Bind DN and Bind DN User<\/h4>\n\n\n\n<p>The bind DN user is used by clients to perform LDAP operations such as resolving user IDs and group IDs.<\/p>\n\n\n\n<p>In this guide, we create a bind DN ou called&nbsp;<code>system<\/code>.<\/p>\n\n\n\n<p>Note the access controls associated with this <strong><code>ou<\/code><\/strong> as defined on the root DN above.<\/p>\n\n\n\n<p>List the access control lists on the database;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:\/\/\/ -b cn=config '(olcDatabase={1}mdb)' olcAccess<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>dn: olcDatabase={1}mdb,cn=config\nolcAccess: {0}to attrs=userPassword,shadowLastChange,shadowExpire by self writ\n e by 
anonymous auth by dn.subtree=\"gidNumber=0+uidNumber=0,cn=peercred,cn=ext\n ernal,cn=auth\" manage  by dn.subtree=\"ou=system,dc=ldapmaster,dc=kifarunix-de\n mo,dc=com\" read by * none\nolcAccess: {1}to dn.subtree=\"ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com\"\n  by dn.subtree=\"gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\" mana\n ge by * none\nolcAccess: {2}to dn.subtree=\"dc=ldapmaster,dc=kifarunix-demo,dc=com\" by dn.sub\n tree=\"gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\" manage by user\n s read  by * none\n<\/code><\/pre>\n\n\n\n<p>Create the LDAP bind DN user password.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>slappasswd<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>New password: \nRe-enter new password: \n<strong>{SSHA}51i5ZSBTbCULaS8IwRrLDnrcsrM00czf<\/strong><\/code><\/pre>\n\n\n\n<p>Copy and paste the password hash value above as the value of the&nbsp;<strong><code>userPassword<\/code><\/strong>&nbsp;attribute in the file below;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\ncat > bindDNuser.ldif << 'EOL'\ndn: ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com\nobjectClass: organizationalUnit\nobjectClass: top\nou: system\n\ndn: cn=readonly,ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com\nobjectClass: organizationalRole\nobjectClass: simpleSecurityObject\ncn: readonly\nuserPassword: {SSHA}51i5ZSBTbCULaS8IwRrLDnrcsrM00czf\ndescription: Bind DN user for LDAP Operations\nEOL\n<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>ldapadd -Y EXTERNAL -H ldapi:\/\/\/ -f bindDNuser.ldif<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"enable-open-ldap-password-policies\">Enable OpenLDAP Password Policies<\/h4>\n\n\n\n<p>If you want to implement OpenLDAP password policies, ensure that the password policy schema is enabled.<\/p>\n\n\n\n<p>To enable the password policy schema, run the command below;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\ncat > ppolicy.ldif << 'EOL'\ndn: 
cn=ppolicy,cn=schema,cn=config\nobjectClass: olcSchemaConfig\ncn: ppolicy\nolcAttributeTypes: {0}( 1.3.6.1.4.1.42.2.27.8.1.1 NAME 'pwdAttribute' EQUALITY\n  objectIdentifierMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )\nolcAttributeTypes: {1}( 1.3.6.1.4.1.42.2.27.8.1.2 NAME 'pwdMinAge' EQUALITY in\n tegerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27\n  SINGLE-VALUE )\nolcAttributeTypes: {2}( 1.3.6.1.4.1.42.2.27.8.1.3 NAME 'pwdMaxAge' EQUALITY in\n tegerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27\n  SINGLE-VALUE )\nolcAttributeTypes: {3}( 1.3.6.1.4.1.42.2.27.8.1.4 NAME 'pwdInHistory' EQUALITY\n  integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1\n .27 SINGLE-VALUE )\nolcAttributeTypes: {4}( 1.3.6.1.4.1.42.2.27.8.1.5 NAME 'pwdCheckQuality' EQUAL\n ITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.12\n 1.1.27 SINGLE-VALUE )\nolcAttributeTypes: {5}( 1.3.6.1.4.1.42.2.27.8.1.6 NAME 'pwdMinLength' EQUALITY\n  integerMatch ORDERING integerOrderingMatch  SYNTAX 1.3.6.1.4.1.1466.115.121.\n 1.27 SINGLE-VALUE )\nolcAttributeTypes: {6}( 1.3.6.1.4.1.42.2.27.8.1.7 NAME 'pwdExpireWarning' EQUA\n LITY integerMatch ORDERING integerOrderingMatch  SYNTAX 1.3.6.1.4.1.1466.115.\n 121.1.27 SINGLE-VALUE )\nolcAttributeTypes: {7}( 1.3.6.1.4.1.42.2.27.8.1.8 NAME 'pwdGraceAuthNLimit' EQ\n UALITY integerMatch ORDERING integerOrderingMatch  SYNTAX 1.3.6.1.4.1.1466.11\n 5.121.1.27 SINGLE-VALUE )\nolcAttributeTypes: {8}( 1.3.6.1.4.1.42.2.27.8.1.9 NAME 'pwdLockout' EQUALITY b\n ooleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )\nolcAttributeTypes: {9}( 1.3.6.1.4.1.42.2.27.8.1.10 NAME 'pwdLockoutDuration' E\n QUALITY integerMatch ORDERING integerOrderingMatch  SYNTAX 1.3.6.1.4.1.1466.1\n 15.121.1.27 SINGLE-VALUE )\nolcAttributeTypes: {10}( 1.3.6.1.4.1.42.2.27.8.1.11 NAME 'pwdMaxFailure' EQUAL\n ITY integerMatch ORDERING integerOrderingMatch  SYNTAX 1.3.6.1.4.1.1466.115.1\n 21.1.27 
SINGLE-VALUE )\nolcAttributeTypes: {11}( 1.3.6.1.4.1.42.2.27.8.1.12 NAME 'pwdFailureCountInter\n val' EQUALITY integerMatch ORDERING integerOrderingMatch  SYNTAX 1.3.6.1.4.1.\n 1466.115.121.1.27 SINGLE-VALUE )\nolcAttributeTypes: {12}( 1.3.6.1.4.1.42.2.27.8.1.13 NAME 'pwdMustChange' EQUAL\n ITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )\nolcAttributeTypes: {13}( 1.3.6.1.4.1.42.2.27.8.1.14 NAME 'pwdAllowUserChange' \n EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )\nolcAttributeTypes: {14}( 1.3.6.1.4.1.42.2.27.8.1.15 NAME 'pwdSafeModify' EQUAL\n ITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )\nolcAttributeTypes: {15}( 1.3.6.1.4.1.4754.1.99.1 NAME 'pwdCheckModule' DESC 'L\n oadable module that instantiates \"check_password() function' EQUALITY caseExa\n ctIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )\nolcAttributeTypes: {16}( 1.3.6.1.4.1.42.2.27.8.1.30 NAME 'pwdMaxRecordedFailur\n e' EQUALITY integerMatch ORDERING integerOrderingMatch  SYNTAX 1.3.6.1.4.1.\n 1466.115.121.1.27 SINGLE-VALUE )\nolcObjectClasses: {0}( 1.3.6.1.4.1.4754.2.99.1 NAME 'pwdPolicyChecker' SUP top\n  AUXILIARY MAY pwdCheckModule )\nolcObjectClasses: {1}( 1.3.6.1.4.1.42.2.27.8.2.1 NAME 'pwdPolicy' SUP top AUXI\n LIARY MUST pwdAttribute MAY ( pwdMinAge $ pwdMaxAge $ pwdInHistory $ pwdCheck\n Quality $ pwdMinLength $ pwdExpireWarning $ pwdGraceAuthNLimit $ pwdLockout $\n  pwdLockoutDuration $ pwdMaxFailure $ pwdFailureCountInterval $ pwdMustChange\n  $ pwdAllowUserChange $ pwdSafeModify $ pwdMaxRecordedFailure ) )\nEOL\n<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>ldapadd -Y EXTERNAL -H ldapi:\/\/\/ -f ppolicy.ldif<\/code><\/pre>\n\n\n\n<p>Next, read the guide below to learn how to implement password policies.<\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/implement-openldap-password-policies\/\" target=\"_blank\" rel=\"noreferrer noopener\">Implement OpenLDAP Password Policies<\/a><\/p>\n\n\n\n<h4 
class=\"wp-block-heading\" id=\"allow-open-ldap-service-on-firewall\">Allow OpenLDAP Service on Firewall<\/h4>\n\n\n\n<p>If UFW is running, allow OpenLDAP (both LDAP and LDAPS) external access;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ufw allow \"OpenLDAP LDAP\"<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ufw allow \"OpenLDAP LDAPS\"<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"authenticate-via-open-ldap-server\">Authenticate Via OpenLDAP Server<\/h4>\n\n\n\n<p>To verify that users can actually connect to the systems via the OpenLDAP server, you need to configure OpenLDAP clients on the remote systems.<\/p>\n\n\n\n<p>See the guides below;<\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/configure-sssd-for-ldap-authentication-on-rocky-linux-8\/\" target=\"_blank\" rel=\"noreferrer noopener\">Configure SSSD for LDAP Authentication on Rocky Linux 8<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/install-and-configure-sssd-for-openldap-authentication-on-fedora-32-31-30\/\" target=\"_blank\" rel=\"noreferrer noopener\">Install and Configure SSSD for OpenLDAP Authentication on Fedora 32\/31\/30<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/configure-sssd-for-ldap-authentication-on-ubuntu-20-04\/\" target=\"_blank\" rel=\"noreferrer noopener\">Configure SSSD for LDAP Authentication on Ubuntu 20.04<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Follow through this tutorial to learn how to install and setup OpenLDAP Server on Debian 11. 
Installing OpenLDAP Server on Debian 11 Run System Update<\/p>\n","protected":false},"author":3,"featured_media":10430,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[121,285,1099],"tags":[4090,3958,4086,4088,4085,248,4087,286,4089],"class_list":["post-10418","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-howtos","category-directory-server","category-openldap","tag-configure-openldap-server-on-debian-11","tag-debian-11","tag-debian-11-openldap","tag-directory-service-ldap","tag-install-openldap-debian-11","tag-ldap","tag-ldap-server-debian-11","tag-openldap","tag-setup-ldap-on-debian-11","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/10418"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=10418"}],"version-history":[{"count":18,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/10418\/revisions"}],"predecessor-version":[{"id":21659,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/10418\/revisions\/21659"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/10430"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=10418"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=10418"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=10418"}],"curies":[{"name":"wp","href":"https:\/\/api.w.o
rg\/{rel}","templated":true}]}}