{"id":18174,"date":"2023-08-02T23:27:18","date_gmt":"2023-08-02T20:27:18","guid":{"rendered":"https:\/\/kifarunix.com\/?p=18174"},"modified":"2024-03-10T10:44:49","modified_gmt":"2024-03-10T07:44:49","slug":"install-and-setup-openldap-on-rocky-linux-9","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/install-and-setup-openldap-on-rocky-linux-9\/","title":{"rendered":"Install and Setup OpenLDAP on Rocky Linux 9"},"content":{"rendered":"\n<p>In this guide, we provide a step by step tutorial on how to install and setup OpenLDAP on Rocky Linux 9.<\/p>\n\n\n\n<div class=\"wp-block-rank-math-toc-block\" id=\"rank-math-toc\"><h2>Table of Contents<\/h2><nav><ul><li><a href=\"#installing-open-ldap-on-rocky-linux-9\">Installing OpenLDAP on Rocky Linux 9<\/a><ul><li><a href=\"#compile-and-install-open-ldap-on-rocky-linux-9\">Compile and Install OpenLDAP on Rocky Linux 9<\/a><\/li><li><a href=\"#install-open-ldap-from-epel-repos-on-rocky-linux-9\">Install OpenLDAP from EPEL Repos on Rocky Linux 9<\/a><ul><li><a href=\"#install-epel-repositories-on-rocky-linux-9\">Install EPEL Repositories on Rocky Linux 9<\/a><\/li><li><a href=\"#install-open-ldap-server-on-rocky-linux-9\">Install OpenLDAP server on Rocky Linux 9<\/a><\/li><\/ul><\/li><li><a href=\"#configuring-open-ldap-on-rocky-linux-9\">Configuring OpenLDAP on Rocky Linux 9<\/a><\/li><li><a href=\"#create-open-ldap-systemd-service\">Create OpenLDAP Systemd Service<\/a><\/li><li><a href=\"#create-open-ldap-sudo-schema\">Create OpenLDAP SUDO Schema<\/a><\/li><li><a href=\"#update-open-ldap-slapd-database\">Update OpenLDAP SLAPD Database<\/a><\/li><li><a href=\"#running-slapd-service\">Running SLAPD Service<\/a><\/li><li><a href=\"#configure-open-ldap-logging-on-rocky-linux-9\">Configure OpenLDAP Logging on Rocky Linux 9<\/a><\/li><li><a href=\"#create-open-ldap-default-root-dn\">Create OpenLDAP Default Root DN<\/a><\/li><li><a href=\"#configure-open-ldap-with-ssl-tls\">Configure OpenLDAP with 
SSL\/TLS<\/a><\/li><li><a href=\"#create-open-ldap-base-dn\">Create OpenLDAP Base DN<\/a><\/li><li><a href=\"#create-open-ldap-user-accounts\">Create OpenLDAP User Acc<\/a>ounts<\/li><li><a href=\"#setting-password-for-ldap-user\">Setting password for LDAP User<\/a><\/li><li><a href=\"#create-open-ldap-bind-dn-and-bind-dn-user\">Create OpenLDAP Bind DN and Bind DN User<\/a><\/li><li><a href=\"#allow-open-ldap-service-on-firewall\">Allow OpenLDAP Service on Firewall<\/a><\/li><li><a href=\"#testing-open-ldap-authentication\">Testing OpenLDAP Authentication<\/a><\/li><\/ul><\/li><\/ul><\/nav><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"installing-open-ldap-on-rocky-linux-9\">Installing OpenLDAP on Rocky Linux 9<\/h2>\n\n\n\n<p>The Rocky Linux 9 repositories do not carry the latest release of OpenLDAP as of this writing.<\/p>\n\n\n\n<p>As a result, you have two options to install OpenLDAP on Rocky Linux 9;<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Compile and install from source<\/li>\n\n\n\n<li>Install a slightly older version from the EPEL repositories.<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"compile-and-install-open-ldap-on-rocky-linux-9\">Compile and Install OpenLDAP on Rocky Linux 9<\/h3>\n\n\n\n<p>To get the latest version with its bug fixes, you would need to build it from source.<\/p>\n\n\n\n<p>However, building OpenLDAP version 2.6.5, which is the current release version as of this writing, and installing it over the default <strong><code>openldap<\/code><\/strong> library package (<strong>version 2.6.2<\/strong>), which the <strong><code>sudo<\/code><\/strong> package and other system tools also depend on, leaves the system with mismatched <code>libldap<\/code> and <code>liblber<\/code> libraries. 
This breaks anything linked against the system <code>libldap.so.2<\/code>, including <code>dnf<\/code> itself (through its Python <code>libdnf<\/code> bindings), with an error such as;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\nTraceback (most recent call last):\n  File \"\/usr\/bin\/dnf\", line 61, in <module>\n    from dnf.cli import main\n  File \"\/usr\/lib\/python3.9\/site-packages\/dnf\/__init__.py\", line 30, in <module>\n    import dnf.base\n  File \"\/usr\/lib\/python3.9\/site-packages\/dnf\/base.py\", line 29, in <module>\n    import libdnf.transaction\n  File \"\/usr\/lib64\/python3.9\/site-packages\/libdnf\/__init__.py\", line 12, in <module>\n    from . import conf\n  File \"\/usr\/lib64\/python3.9\/site-packages\/libdnf\/conf.py\", line 13, in <module>\n    from . import _conf\nImportError: \/lib64\/libldap.so.2: undefined symbol: ber_sockbuf_io_udp, version OPENLDAP_2.200\n<\/code><\/pre>\n\n\n\n<p>So, if you want to compile and install OpenLDAP server on Rocky Linux 9, either build the same version as the distribution&#8217;s openldap library package (2.6.2), or install your build under its own prefix so that the system <code>libldap<\/code> and <code>liblber<\/code> are left untouched.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"install-open-ldap-from-epel-repos-on-rocky-linux-9\">Install OpenLDAP from EPEL Repos on Rocky Linux 9<\/h3>\n\n\n\n<p>Kindly note that the latest available version of OpenLDAP server on the EPEL repos is OpenLDAP 2.6.2.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"install-epel-repositories-on-rocky-linux-9\">Install EPEL Repositories on Rocky Linux 9<\/h4>\n\n\n\n<p>Execute the command below to install the EPEL repos on Rocky Linux 9.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">dnf install epel-release<\/pre>\n\n\n\n<p>It is also recommended to enable the CRB repository: &#8220;<em>Many EPEL packages require the CodeReady Builder (CRB) repository. 
It is recommended that you run \/usr\/bin\/crb enable to enable the CRB repository<\/em>&#8221;.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/usr\/bin\/crb enable<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"install-open-ldap-server-on-rocky-linux-9\">Install OpenLDAP server on Rocky Linux 9<\/h4>\n\n\n\n<p>You can install the OpenLDAP server and client packages using the command below;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>dnf install openldap-{servers,clients}<\/code><\/pre>\n\n\n\n<p>OpenLDAP configuration files are now installed under&nbsp;<code>\/etc\/openldap<\/code>.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">ls -1 \/etc\/openldap\/<\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\ncerts\ncheck_password.conf\nldap.conf\nschema\nslapd.d\n<\/code><\/pre>\n\n\n\n<p>The backend and overlay modules are installed under&nbsp;<code><strong>\/usr\/lib64\/openldap\/<\/strong><\/code>.<\/p>\n\n\n\n<p>The data directory is <strong>\/var\/lib\/ldap\/<\/strong>.<\/p>\n\n\n\n<p>Similarly, the OpenLDAP system\/service account is created;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>getent passwd ldap<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>ldap:x:55:55:OpenLDAP server:\/var\/lib\/ldap:\/sbin\/nologin<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"configuring-open-ldap-on-rocky-linux-9\">Configuring OpenLDAP on Rocky Linux 9<\/h3>\n\n\n\n<p>Now that the installation of OpenLDAP is complete, proceed to configure it.<\/p>\n\n\n\n<p>As much as some default configs are put in place after installation, let&#8217;s make our own custom configuration from scratch.<\/p>\n\n\n\n<p>Back up the default configuration directory. Note that <code>slapd.d<\/code> holds the <code>cn=config<\/code> database, i.e. the server configuration, not the directory data;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">mv \/etc\/openldap\/slapd.d{,.original}<\/pre>\n\n\n\n<p>Create a new, empty configuration directory;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>mkdir \/etc\/openldap\/slapd.d<\/code><\/pre>\n\n\n\n<p>Set the proper ownership and permissions on the OpenLDAP directories and configuration 
files. Note that <code>\/etc\/openldap\/ldap.conf<\/code> is the client-side defaults file (URI, BASE, TLS settings) rather than server configuration; restricting it to <code>root:ldap<\/code> as below means unprivileged users running <code>ldapsearch<\/code> on this host will not pick up those defaults.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">chown -R ldap:ldap \/var\/lib\/ldap<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">chown root:ldap \/etc\/openldap\/ldap.conf<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">chmod 640 \/etc\/openldap\/ldap.conf<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"create-open-ldap-systemd-service\">Create OpenLDAP Systemd Service<\/h3>\n\n\n\n<p>In order to run OpenLDAP as a service under this custom configuration, create a systemd service file as shown below. A unit under <code>\/etc\/systemd\/system<\/code> takes precedence over the one shipped by the package.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>cat &gt; \/etc\/systemd\/system\/slapd.service &lt;&lt; 'EOL'\n[Unit]\nDescription=OpenLDAP Server Daemon\nWants=network-online.target\nAfter=network-online.target\nDocumentation=man:slapd\nDocumentation=man:slapd-mdb\n\n[Service]\nType=forking\nPIDFile=\/var\/lib\/ldap\/slapd.pid\nEnvironment=\"SLAPD_URLS=ldap:\/\/\/ ldapi:\/\/\/ ldaps:\/\/\/\"\nEnvironment=\"SLAPD_OPTIONS=-F \/etc\/openldap\/slapd.d\"\nExecStart=\/usr\/sbin\/slapd -u ldap -g ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS\n\n[Install]\nWantedBy=multi-user.target\nEOL\n<\/code><\/pre>\n\n\n\n<p><code>After=network-online.target<\/code> only orders the unit; it needs the matching <code>Wants=<\/code> to actually pull the target in, and the old <code>syslog.target<\/code> is obsolete.&nbsp;<strong>Do not start the service yet<\/strong>; the configuration database is created in the next steps.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"create-open-ldap-sudo-schema\">Create OpenLDAP SUDO Schema<\/h3>\n\n\n\n<p>To have <code>sudo<\/code> read its rules from LDAP, first check whether the installed sudo was built with LDAP support (run this as root so that <code>sudo -V<\/code> prints the full configuration).<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo -V |  grep -i \"ldap\"<\/pre>\n\n\n\n<p>If sudo supports LDAP, you should see the lines below;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">...\nldap.conf path: \/etc\/sudo-ldap.conf\nldap.secret path: \/etc\/ldap.secret<\/pre>\n\n\n\n<p>Check if the LDAP sudo schema is available.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">rpm -ql sudo |  grep -i schema.openldap<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">\/usr\/share\/doc\/sudo\/schema.OpenLDAP<\/pre>\n\n\n\n<p>Copy 
the&nbsp;<code>schema.OpenLDAP<\/code>&nbsp;file to the schema directory.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">cp \/usr\/share\/doc\/sudo\/schema.OpenLDAP  \/etc\/openldap\/schema\/sudo.schema<\/pre>\n\n\n\n<p>Create the sudo schema LDIF file. You can copy the default LDIF file from \/usr\/share\/doc\/sudo\/schema.olcSudo and just modify it.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\ncat &lt;&lt; 'EOL' > \/etc\/openldap\/schema\/sudo.ldif\ndn: cn=sudo,cn=schema,cn=config\nobjectClass: olcSchemaConfig\ncn: sudo\nolcattributetypes: ( 1.3.6.1.4.1.15953.9.1.1\n    NAME 'sudoUser'\n    DESC 'User(s) who may  run sudo'\n    EQUALITY caseExactMatch\n    SUBSTR caseExactSubstringsMatch\n    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )\n#\nolcattributetypes: ( 1.3.6.1.4.1.15953.9.1.2\n    NAME 'sudoHost'\n    DESC 'Host(s) who may run sudo'\n    EQUALITY caseExactIA5Match\n    SUBSTR caseExactIA5SubstringsMatch\n    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )\n#\nolcattributetypes: ( 1.3.6.1.4.1.15953.9.1.3\n    NAME 'sudoCommand'\n    DESC 'Command(s) to be executed by sudo'\n    EQUALITY caseExactIA5Match\n    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )\n#\nolcattributetypes: ( 1.3.6.1.4.1.15953.9.1.4\n    NAME 'sudoRunAs'\n    DESC 'User(s) impersonated by sudo (deprecated)'\n    EQUALITY caseExactIA5Match\n    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )\n#\nolcattributetypes: ( 1.3.6.1.4.1.15953.9.1.5\n    NAME 'sudoOption'\n    DESC 'Options(s) followed by sudo'\n    EQUALITY caseExactIA5Match\n    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )\n#\nolcattributetypes: ( 1.3.6.1.4.1.15953.9.1.6\n    NAME 'sudoRunAsUser'\n    DESC 'User(s) impersonated by sudo'\n    EQUALITY caseExactMatch\n    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )\n#\nolcattributetypes: ( 1.3.6.1.4.1.15953.9.1.7\n    NAME 'sudoRunAsGroup'\n    DESC 'Group(s) impersonated by sudo'\n    EQUALITY caseExactMatch\n    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )\n#\nolcattributetypes: ( 1.3.6.1.4.1.15953.9.1.8\n    NAME 
'sudoNotBefore'\n    DESC 'Start of time interval for which the entry is valid'\n    EQUALITY generalizedTimeMatch\n    ORDERING generalizedTimeOrderingMatch\n    SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )\n#\nolcattributetypes: ( 1.3.6.1.4.1.15953.9.1.9\n    NAME 'sudoNotAfter'\n    DESC 'End of time interval for which the entry is valid'\n    EQUALITY generalizedTimeMatch\n    ORDERING generalizedTimeOrderingMatch\n    SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )\n#\nolcattributeTypes: ( 1.3.6.1.4.1.15953.9.1.10\n    NAME 'sudoOrder'\n    DESC 'an integer to order the sudoRole entries'\n    EQUALITY integerMatch\n    ORDERING integerOrderingMatch\n    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )\n#\nolcobjectclasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL\n    DESC 'Sudoer Entries'\n    MUST ( cn )\n    MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ sudoRunAsGroup $ sudoOption $ sudoOrder $ sudoNotBefore $ sudoNotAfter $\n        description )\n    )\nEOL\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"update-open-ldap-slapd-database\">Update OpenLDAP SLAPD Database<\/h3>\n\n\n\n<p>Create an LDIF file with the initial configuration database content,&nbsp;<code><strong>\/etc\/openldap\/slapd.ldif<\/strong><\/code>, as follows. It defines the global settings, loads the <code>back_mdb<\/code> backend module and the schema files (including the sudo schema created above), and restricts the frontend and <code>cn=config<\/code> databases so that only root connecting over the <code>ldapi:\/\/\/<\/code> socket (SASL EXTERNAL, mapped to <code>gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth<\/code>) can manage them.<\/p>\n\n\n\n<p>Modify it to suit your needs.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>cat &gt; \/etc\/openldap\/slapd.ldif &lt;&lt; 'EOL'\ndn: cn=config\nobjectClass: olcGlobal\ncn: config\nolcArgsFile: \/var\/lib\/ldap\/slapd.args\nolcPidFile: \/var\/lib\/ldap\/slapd.pid\n\ndn: cn=schema,cn=config\nobjectClass: olcSchemaConfig\ncn: schema\n\ndn: cn=module,cn=config\nobjectClass: olcModuleList\ncn: module\nolcModulepath: \/usr\/lib64\/openldap\nolcModuleload: back_mdb.la\n\ninclude: file:\/\/\/etc\/openldap\/schema\/core.ldif\ninclude: file:\/\/\/etc\/openldap\/schema\/cosine.ldif\ninclude: file:\/\/\/etc\/openldap\/schema\/nis.ldif\ninclude: file:\/\/\/etc\/openldap\/schema\/inetorgperson.ldif\ninclude: 
file:\/\/\/etc\/openldap\/schema\/sudo.ldif\n#include: file:\/\/\/etc\/openldap\/schema\/ppolicy.ldif\n\ndn: olcDatabase=frontend,cn=config\nobjectClass: olcDatabaseConfig\nobjectClass: olcFrontendConfig\nolcDatabase: frontend\nolcAccess: to dn.base=\"cn=Subschema\" by * read\nolcAccess: to * \n  by dn.base=\"gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\" manage \n  by * none\n\ndn: olcDatabase=config,cn=config\nobjectClass: olcDatabaseConfig\nolcDatabase: config\nolcRootDN: cn=config\nolcAccess: to * \n  by dn.base=\"gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\" manage \n  by * none\nEOL\n<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>To populate the configuration database from the LDIF file above, use the&nbsp;<code><strong>slapadd<\/strong><\/code>&nbsp;command with the option&nbsp;<code><strong>-n 0<\/strong><\/code>, which selects database number 0, i.e. the <code>cn=config<\/code> database itself.<\/li>\n\n\n\n<li>To specify the configuration directory,&nbsp;<strong><code>\/etc\/openldap\/slapd.d<\/code><\/strong>, use option&nbsp;<strong><code>-F<\/code><\/strong>, and option&nbsp;<strong><code>-l<\/code><\/strong>&nbsp;to specify the location of the LDIF file above.<\/li>\n<\/ul>\n\n\n\n<p>Before you write anything to the database, perform a dry run to see what would happen. 
Pass the&nbsp;<strong><code>-u<\/code><\/strong>&nbsp;option to the slapadd command.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">slapadd -n 0 -F \/etc\/openldap\/slapd.d -l \/etc\/openldap\/slapd.ldif -u<\/pre>\n\n\n\n<p>If the dry run reports no errors, write the configuration for real.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">slapadd -n 0 -F \/etc\/openldap\/slapd.d -l \/etc\/openldap\/slapd.ldif<\/pre>\n\n\n\n<p>This command creates the slapd configuration database under the&nbsp;<code>\/etc\/openldap\/slapd.d<\/code>&nbsp;directory.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">ls \/etc\/openldap\/slapd.d<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">'cn=config'  'cn=config.ldif'<\/pre>\n\n\n\n<p>slapadd ran as root, so set the user and group ownership of the&nbsp;<code>\/etc\/openldap\/slapd.d<\/code>&nbsp;directory and the files in it to the ldap user the daemon runs as.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">chown -R ldap:ldap \/etc\/openldap\/slapd.d<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"running-slapd-service\">Running SLAPD Service<\/h3>\n\n\n\n<p>Reload the systemd configuration, then start the OpenLDAP service and enable it to run on boot.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">systemctl daemon-reload<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">systemctl enable --now slapd<\/pre>\n\n\n\n<p>Check the status. The sample output below was captured from an earlier source build, hence the <code>\/usr\/libexec\/slapd<\/code> path and the 2.5.5 version string; with the EPEL package you will see <code>\/usr\/sbin\/slapd<\/code> and 2.6.2 instead;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">systemctl status slapd<\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\u25cf slapd.service - OpenLDAP Server Daemon\n   Loaded: loaded (\/etc\/systemd\/system\/slapd.service; disabled; vendor preset: disabled)\n   Active: active (running) since Sat 2021-06-19 12:17:43 EAT; 19s ago\n     Docs: man:slapd\n           man:slapd-mdb\n  Process: 153713 ExecStart=\/usr\/libexec\/slapd -u ldap -g ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS (code=exited, status=0\/SUCCESS)\n Main PID: 153714 (slapd)\n    Tasks: 2 (limit: 11389)\n   Memory: 3.0M\n   CGroup: \/system.slice\/slapd.service\n           \u2514\u2500153714 \/usr\/libexec\/slapd -u ldap -g ldap -h 
ldap:\/\/\/ ldapi:\/\/\/ ldaps:\/\/\/ -F \/etc\/openldap\/slapd.d\n\nJun 19 12:17:43 localhost.localdomain systemd[1]: Starting OpenLDAP Server Daemon...\nJun 19 12:17:43 localhost.localdomain slapd[153713]: @(#) $OpenLDAP: slapd 2.5.5 (Jun 19 2021 11:30:55) $\n                                                             root@localhost.localdomain:\/root\/openldap-2.5.5\/servers\/slapd\nJun 19 12:17:43 localhost.localdomain slapd[153714]: slapd starting\nJun 19 12:17:43 localhost.localdomain systemd[1]: Started OpenLDAP Server Daemon.\n<\/code><\/pre>\n\n\n\n<p>If the service fails to start with the error;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code><strong>slapd.service: Can't convert PID files \/var\/lib\/ldap\/slapd.pid O_PATH file descriptor to proper file descriptor: Permission denied<\/strong><\/code><\/pre>\n\n\n\n<p>then check whether SELinux is enforcing;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sestatus | grep mode<\/code><\/pre>\n\n\n\n<p>If it is enforcing;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Current mode:                   enforcing<\/code><\/pre>\n\n\n\n<p>Confirm the denial in the audit log. The AVC records show systemd (<code>init_t<\/code>) being refused read access to <code>slapd.pid<\/code>, which inherited the <code>slapd_db_t<\/code> label of <code>\/var\/lib\/ldap<\/code>, a label the policy reserves for database files rather than for a PID file;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>grep denied \/var\/log\/audit\/audit.log<\/code><\/pre>\n\n\n\n<p>Sample output;<\/p>\n\n\n\n<pre class=\"scroll-sz\"><code>\ntype=AVC msg=audit(1691005748.605:250): avc:  denied  { read } for  pid=1 comm=\"systemd\" name=\"slapd.pid\" dev=\"dm-0\" ino=16780213 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:slapd_db_t:s0 tclass=file permissive=0\ntype=AVC msg=audit(1691005748.605:251): avc:  denied  { read } for  pid=1 comm=\"systemd\" name=\"slapd.pid\" dev=\"dm-0\" ino=16780213 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:slapd_db_t:s0 tclass=file permissive=0\ntype=AVC msg=audit(1691005748.605:252): avc:  denied  { read } for  pid=1 comm=\"systemd\" name=\"slapd.pid\" dev=\"dm-0\" ino=16780213 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:slapd_db_t:s0 
tclass=file permissive=0\n<\/code><\/pre>\n\n\n\n<p>The root cause is that the unit and <code>olcPidFile<\/code> put the PID file inside the database directory. The clean fix on an identity server is to keep SELinux enforcing and move the PID file (and <code>olcArgsFile<\/code>) to <code>\/run\/openldap\/<\/code>, which the slapd policy already labels <code>slapd_var_run_t<\/code> and which the packaged unit uses, updating <code>PIDFile=<\/code> and <code>olcPidFile<\/code> accordingly; alternatively, generate a local policy module from the recorded denials with <code>audit2allow<\/code>. The quick-and-dirty option used here is to set SELinux to permissive mode (SELinux logs what it would have denied instead of enforcing);<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>setenforce 0<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>sed -i '\/^SELINUX=\/s\/enforcing\/permissive\/' \/etc\/selinux\/config<\/code><\/pre>\n\n\n\n<p>Restart the service;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl restart slapd<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"configure-open-ldap-logging-on-rocky-linux-9\">Configure OpenLDAP Logging on Rocky Linux 9<\/h3>\n\n\n\n<p>To make OpenLDAP log connections, operations and results, create an LDIF file and update the configuration database as follows. This is <a href=\"https:\/\/www.openldap.org\/doc\/admin24\/slapdconfig.html\" target=\"_blank\" rel=\"noreferrer noopener\">log level<\/a> <code>256<\/code>, keyword <code>stats<\/code>, set by modifying the&nbsp;<code>olcLogLevel<\/code>&nbsp;attribute as shown below. Keep in mind that <code>stats<\/code> records every bind DN and search filter, so the resulting log is itself sensitive and should be protected like any other authentication log.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">cd ~<\/pre>\n\n\n\n<pre class=\"scroll-sz\"><code>\ncat &gt; enable-openldap-log.ldif &lt;&lt; 'EOL'\ndn: cn=config\nchangeType: modify\nreplace: olcLogLevel\nolcLogLevel: stats\nEOL\n<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">ldapmodify -Y EXTERNAL -H ldapi:\/\/\/ -f enable-openldap-log.ldif<\/pre>\n\n\n\n<p>Confirm the change;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">ldapsearch -Y EXTERNAL -H ldapi:\/\/\/ -b cn=config \"(objectClass=olcGlobal)\" olcLogLevel -LLL 
-Q<\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>dn: cn=config\nolcLogLevel: stats<\/code><\/pre>\n\n\n\n<p>Configure Rsyslog to write the OpenLDAP logs to a dedicated file. By default, OpenLDAP logs to the&nbsp;<code>local4<\/code>&nbsp;syslog facility.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">echo \"local4.* \/var\/log\/slapd.log\" &gt;&gt; \/etc\/rsyslog.conf<\/pre>\n\n\n\n<p>Restart Rsyslog;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">systemctl restart rsyslog<\/pre>\n\n\n\n<p>You should now be able to read the LDAP logs in&nbsp;<code>\/var\/log\/slapd.log<\/code>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"create-open-ldap-default-root-dn\">Create OpenLDAP Default Root DN<\/h3>\n\n\n\n<p>Next, create the MDB database, defining the root DN as well as the access control lists.<\/p>\n\n\n\n<p>First, generate a hash of the root DN password. Only the hash goes into the configuration; <code>slappasswd<\/code> produces a salted SHA-1 (<code>{SSHA}<\/code>) hash by default.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">slappasswd<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">New password: <strong>ENTER PASSWORD<\/strong>\nRe-enter new password: <strong>RE-ENTER PASSWORD<\/strong>\n<strong>{SSHA}\/23W0+GeW28iXwW986RpuSVEHESSvtlO<\/strong><\/pre>\n\n\n\n<p>Paste the password hash generated above as the value of&nbsp;<strong><code>olcRootPW<\/code><\/strong>&nbsp;in the root DN LDIF file below.<\/p>\n\n\n\n<p>Replace the domain components,&nbsp;<code><strong>dc=ldapmaster,dc=kifarunix-demo,dc=com<\/strong><\/code>, with your own. <code>olcDbMaxSize<\/code> is the maximum size of the MDB memory map (40 GiB here), not space allocated up front.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\ncat > rootdn.ldif << 'EOL'\ndn: olcDatabase=mdb,cn=config\nobjectClass: olcDatabaseConfig\nobjectClass: olcMdbConfig\nolcDatabase: mdb\nolcDbMaxSize: 42949672960\nolcDbDirectory: \/var\/lib\/ldap\nolcSuffix: dc=ldapmaster,dc=kifarunix-demo,dc=com\nolcRootDN: cn=admin,dc=ldapmaster,dc=kifarunix-demo,dc=com\nolcRootPW: {SSHA}\/23W0+GeW28iXwW986RpuSVEHESSvtlO\nolcDbIndex: uid pres,eq\nolcDbIndex: cn,sn pres,eq,approx,sub\nolcDbIndex: mail pres,eq,sub\nolcDbIndex: objectClass pres,eq\nolcDbIndex: 
loginShell pres,eq\nolcDbIndex: sudoUser,sudoHost pres,eq\nolcAccess: to attrs=userPassword,shadowLastChange,shadowExpire\n  by self write\n  by anonymous auth\n  by dn.subtree=\"gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\" manage \n  by dn.subtree=\"ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com\" read\n  by * none\nolcAccess: to dn.subtree=\"ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com\" by dn.subtree=\"gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\" manage\n  by * none\nolcAccess: to dn.subtree=\"dc=ldapmaster,dc=kifarunix-demo,dc=com\" by dn.subtree=\"gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\" manage\n  by users read \n  by * none\nEOL\n<\/code><\/pre>\n\n\n\n<p>A few things to note about these ACLs. slapd evaluates <code>olcAccess<\/code> rules in order and uses the first <code>to<\/code> clause that matches the target, then the first <code>by<\/code> clause that matches the requester, so the password-attribute rule must come before the catch-all rule for the suffix. <code>by anonymous auth<\/code> is what lets unauthenticated clients bind: they may use <code>userPassword<\/code> to authenticate but not read it. The <code>read<\/code> grant to <code>ou=system<\/code> hands every password hash in the directory to whoever holds the bind DN credential created later; SSSD and similar clients verify passwords by binding as the user and do not need it, so drop that clause, or split the rule so that <code>ou=system<\/code> can read the shadow attributes but not <code>userPassword<\/code>, unless a specific tool requires the hashes, and if you keep it, protect the bind DN credential as you would the hash database itself. Finally, <code>by users read<\/code> on the suffix lets any authenticated account read the whole tree (minus <code>ou=system<\/code> and the password attributes).<\/p>\n\n\n\n<p>Read more about ACLs on&nbsp;<a href=\"https:\/\/www.openldap.org\/doc\/admin24\/access-control.html\" target=\"_blank\" rel=\"noreferrer noopener\">OpenLDAP Access Control<\/a>.<\/p>\n\n\n\n<p>Add the database to the configuration with the content above;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">ldapadd -Y EXTERNAL -H ldapi:\/\/\/ -f rootdn.ldif<\/pre>\n\n\n\n<p>Sample command output;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>SASL\/EXTERNAL authentication started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\nadding new entry \"olcDatabase=mdb,cn=config\"<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"configure-open-ldap-with-ssl-tls\">Configure OpenLDAP with SSL\/TLS<\/h3>\n\n\n\n<p>To secure OpenLDAP communication between clients and the server, configure it to use SSL\/TLS certificates.<\/p>\n\n\n\n<p>In this guide, we use self-signed certificates. 
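<\/p>\n\n\n\n<p>The plain <code>openssl req -x509<\/code> command that follows prompts for the subject interactively and puts no subjectAltName into the certificate, so whether clients accept it depends entirely on what you type at the Common Name prompt. The shell functions below are an added example and not part of the original tutorial: <code>make_ldap_cert<\/code> issues a self-signed certificate whose subjectAltName carries the server name, creating the private key under a restrictive umask, and <code>verify_ldap_cert<\/code> runs the checks an LDAP client runs (chain, expiry, name match) plus a key-permission check, so that a bad certificate is caught before it is loaded into <code>cn=config<\/code>. The hostname <code>ldap.example.com<\/code> and the output directory are assumptions; on the server you would pass its real FQDN and <code>\/etc\/pki\/tls<\/code>, then continue with the <code>chown<\/code> and <code>add-tls.ldif<\/code> steps as written.<\/p>\n\n\n\n

```shell
#!/usr/bin/env bash
# Added example, not from the original tutorial: issue a self-signed
# certificate for slapd that carries a subjectAltName, then check it the
# way an LDAP client would before loading it into cn=config.
# The hostname and output directory passed in are assumptions.

# make_ldap_cert HOSTNAME OUTDIR
# Writes OUTDIR/ldapserver.key (mode 0600) and OUTDIR/ldapserver.crt.
# The DNS SAN must equal the name clients use in their LDAP URI: OpenLDAP
# clients match the SAN (or the CN when there is no SAN) against it and,
# with the default TLS_REQCERT demand, refuse the session on a mismatch.
make_ldap_cert() {
    local host="$1" outdir="$2"
    mkdir -p "$outdir"
    (
        umask 077   # the private key is never world-readable, not even briefly
        openssl req -x509 -nodes -days 3650 \
            -newkey rsa:2048 \
            -keyout "$outdir/ldapserver.key" \
            -out "$outdir/ldapserver.crt" \
            -subj "/CN=$host" \
            -addext "subjectAltName=DNS:$host" 2>/dev/null
    ) || return 1
    chmod 0644 "$outdir/ldapserver.crt"   # the public half may be world-readable
}

# verify_ldap_cert HOSTNAME OUTDIR
# Returns 0 only if the certificate verifies against itself as CA (it is
# also used as olcTLSCACertificateFile), stays valid for at least 30 more
# days, names HOSTNAME in its SAN, and the key is mode 0600.
verify_ldap_cert() {
    local host="$1" outdir="$2"
    local crt="$outdir/ldapserver.crt" key="$outdir/ldapserver.key"
    openssl verify -CAfile "$crt" "$crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$crt" -noout -checkend $((30 * 24 * 3600)) >/dev/null 2>&1 || return 1
    # -w stops "DNS:ldap.example.com" from matching a longer name
    openssl x509 -in "$crt" -noout -text 2>/dev/null | grep -qwF "DNS:$host" || return 1
    # -perm with a leading 0 and no sign means an exact mode match
    [ -n "$(find "$key" -perm 0600 -print 2>/dev/null)" ] || return 1
}

# Stand-alone run: issue and check a certificate in a scratch directory.
if [ "${1:-}" = "--demo" ]; then
    dir=$(mktemp -d)
    make_ldap_cert ldap.example.com "$dir" && verify_ldap_cert ldap.example.com "$dir" \
        && echo "certificate in $dir passes the client-side checks"
fi
```

<p>Usage on the server: <code>make_ldap_cert ldap.example.com \/etc\/pki\/tls &amp;&amp; verify_ldap_cert ldap.example.com \/etc\/pki\/tls<\/code>, substituting the real FQDN. A failed check at this point is far cheaper than chasing <code>TLS_REQCERT<\/code> failures from SSSD on every client later.<\/p>\n\n\n\n<p>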
You can choose to obtain commercially signed and trusted certificates from your preferred CA for production environments.<\/p>\n\n\n\n<p>When prompted for the subject, enter the server&#8217;s FQDN, the name clients will put in their LDAP URI, as the Common Name. OpenLDAP clients check the certificate&#8217;s subjectAltName, or the CN if there is no subjectAltName, against that name, and with the client default <code>TLS_REQCERT demand<\/code> a mismatch makes every <code>ldaps:\/\/<\/code> or StartTLS connection fail.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">openssl req -x509 \\\n-nodes \\\n-days 3650 \\\n-newkey rsa:2048 -keyout \\\n\/etc\/pki\/tls\/ldapserver.key \\\n-out \/etc\/pki\/tls\/ldapserver.crt<\/pre>\n\n\n\n<p>Give the files to the ldap user; the private key should be readable by that user only (mode 0600), while the certificate may stay world-readable.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">chown ldap:ldap \/etc\/pki\/tls\/{ldapserver.crt,ldapserver.key}<\/pre>\n\n\n\n<p>Update the TLS attributes of the server configuration.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\ncat > add-tls.ldif << 'EOL'\ndn: cn=config\nchangetype: modify\nadd: olcTLSCACertificateFile\nolcTLSCACertificateFile: \/etc\/pki\/tls\/ldapserver.crt\n-\nadd: olcTLSCertificateKeyFile\nolcTLSCertificateKeyFile: \/etc\/pki\/tls\/ldapserver.key\n-\nadd: olcTLSCertificateFile\nolcTLSCertificateFile: \/etc\/pki\/tls\/ldapserver.crt\nEOL\n<\/code><\/pre>\n\n\n\n<p>Because the certificate is self-signed, the same file serves as both the server certificate and the CA certificate.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">ldapadd -Y EXTERNAL -H ldapi:\/\/\/ -f add-tls.ldif<\/pre>\n\n\n\n<p>You can confirm the change by running;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">slapcat -b \"cn=config\" | grep olcTLS<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">olcTLSCACertificateFile: \/etc\/pki\/tls\/ldapserver.crt\nolcTLSCertificateKeyFile: \/etc\/pki\/tls\/ldapserver.key\nolcTLSCertificateFile: \/etc\/pki\/tls\/ldapserver.crt<\/pre>\n\n\n\n<p>Point the client-side configuration in&nbsp;<code>\/etc\/openldap\/ldap.conf<\/code> at the same CA certificate, so that the local LDAP tools trust the server.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">vim \/etc\/openldap\/ldap.conf<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>...\n#TLS_CACERT     \/etc\/pki\/tls\/cert.pem\n<strong>TLS_CACERT     \/etc\/pki\/tls\/ldapserver.crt<\/strong><\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"create-open-ldap-base-dn\">Create OpenLDAP Base DN<\/h3>\n\n\n\n<p>Next, create your base DN or 
search base to define your organization structure and directory.<\/p>\n\n\n\n<p>Replace the domain components and organizational units accordingly.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\ncat > basedn.ldif << 'EOL'\ndn: dc=ldapmaster,dc=kifarunix-demo,dc=com\nobjectClass: dcObject\nobjectClass: organization\nobjectClass: top\no: Kifarunix-demo\ndc: ldapmaster\n\ndn: ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com\nobjectClass: organizationalUnit\nobjectClass: top\nou: groups\n\ndn: ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\nobjectClass: organizationalUnit\nobjectClass: top\nou: people\nEOL\n<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">ldapadd -Y EXTERNAL -H ldapi:\/\/\/ -f basedn.ldif<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"create-open-ldap-user-accounts\">Create OpenLDAP User Accounts<\/h3>\n\n\n\n<p>You can now add users to your OpenLDAP server. Create an LDIF file defining a user (a POSIX account with shadow attributes) and its primary group as follows.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\ncat > users.ldif << 'EOL'\ndn: uid=johndoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\nobjectClass: inetOrgPerson\nobjectClass: posixAccount\nobjectClass: shadowAccount\nuid: johndoe\ncn: John\nsn: Doe\nloginShell: \/bin\/bash\nuidNumber: 10000\ngidNumber: 10000\nhomeDirectory: \/home\/johndoe\nshadowMax: 60\nshadowMin: 1\nshadowWarning: 7\nshadowInactive: 7\nshadowLastChange: 0\n\ndn: cn=johndoe,ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com\nobjectClass: posixGroup\ncn: johndoe\ngidNumber: 10000\nmemberUid: johndoe\nEOL\n<\/code><\/pre>\n\n\n\n<p>Add the user and group to the OpenLDAP database.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">ldapadd -Y EXTERNAL -H ldapi:\/\/\/ -f users.ldif<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"setting-password-for-ldap-user\">Setting password for LDAP User<\/h3>\n\n\n\n<p>To set the password for the user above, run the command below; <code>-S<\/code> prompts for the new password, and the server stores it hashed with its default password hash scheme rather than as entered.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">ldappasswd -H ldapi:\/\/\/ -Y 
EXTERNAL \\\n-S \"uid=johndoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\"<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"create-open-ldap-bind-dn-and-bind-dn-user\">Create OpenLDAP Bind DN and Bind DN User<\/h3>\n\n\n\n<p>The bind DN user is the account clients such as SSSD use to perform LDAP operations that need no end-user credentials, such as resolving user IDs and group IDs. In this guide, we create a dedicated OU called&nbsp;<code>system<\/code> for it. Note the access controls associated with this OU as defined on the root DN above: the OU is invisible to everyone except root over <code>ldapi:\/\/\/<\/code>, and the bind DN gets read access to the rest of the tree through the <code>by users read<\/code> clause.<\/p>\n\n\n\n<p>List the access control lists on the database;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:\/\/\/ \\\n-b cn=config '(olcDatabase={1}mdb)' olcAccess<\/pre>\n\n\n\n<p>Create the bind DN user password hash.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">slappasswd<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">New password: Password\nRe-enter new password: Password\n<strong>{SSHA}q3hP3Vfr+4PgF6TE70MPy2yNrEDbGZvs<\/strong><\/pre>\n\n\n\n<p>Paste the password hash value above as the value of the&nbsp;<strong><code>userPassword<\/code><\/strong>&nbsp;attribute in the file below;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\ncat > bindDNuser.ldif << 'EOL'\ndn: ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com\nobjectClass: organizationalUnit\nobjectClass: top\nou: system\n\ndn: cn=readonly,ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com\nobjectClass: organizationalRole\nobjectClass: simpleSecurityObject\ncn: readonly\nuserPassword: {SSHA}q3hP3Vfr+4PgF6TE70MPy2yNrEDbGZvs\ndescription: Bind DN user for LDAP Operations\nEOL\n<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">ldapadd -Y EXTERNAL -H ldapi:\/\/\/ -f bindDNuser.ldif<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"allow-open-ldap-service-on-firewall\">Allow OpenLDAP Service on Firewall<\/h3>\n\n\n\n<p>Port 389 carries cleartext unless the client negotiates StartTLS; if all your clients use <code>ldaps:\/\/<\/code>, open only <code>ldaps<\/code>. To allow remote clients to query the OpenLDAP server, allow the&nbsp;<code>ldap<\/code>&nbsp;<strong>(389\/TCP)<\/strong>&nbsp;and&nbsp;<code>ldaps<\/code>&nbsp;(636\/TCP) 
service on firewall.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">firewall-cmd --add-service={ldap,ldaps} --permanent<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">firewall-cmd --reload<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"testing-open-ldap-authentication\">Testing OpenLDAP Authentication<\/h3>\n\n\n\n<p>Well, there you go. You have learnt how to install and setup OpenLDAP server on Rocky Linux 9.<\/p>\n\n\n\n<p>To verify that users can actually connect to the systems via the OpenLDAP server, you need to configure OpenLDAP clients on the remote systems.<\/p>\n\n\n\n<p>See the guide below;<\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/configure-sssd-for-ldap-authentication-on-rocky-linux-8\/\" target=\"_blank\" rel=\"noreferrer noopener\">Configure SSSD for LDAP Authentication on Rocky Linux 8<\/a><\/p>\n\n\n\n<p>Other Tutorials<\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/configure-squid-proxy-openldap-authentication-on-pfsense\/\" target=\"_blank\" rel=\"noreferrer noopener\">Configure Squid Proxy OpenLDAP Authentication on pfSense<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/configure-openldap-password-expiry-email-notification\/\" target=\"_blank\" rel=\"noreferrer noopener\">Configure OpenLDAP Password Expiry Email Notification<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/configure-openvpn-ldap-based-authentication\/\" target=\"_blank\" rel=\"noreferrer noopener\">Configure OpenVPN LDAP Based Authentication<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this guide, we provide a step by step tutorial on how to install and setup OpenLDAP on Rocky Linux 9. 
Installing OpenLDAP on Rocky<\/p>\n","protected":false},"author":10,"featured_media":17759,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[121,285,1099],"tags":[7135,7137,7136],"class_list":["post-18174","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-howtos","category-directory-server","category-openldap","tag-install-openldap-on-rocky-linux","tag-openldap-rocky-linux-9","tag-rocky-linux-9-openldap-server","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/18174"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/10"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=18174"}],"version-history":[{"count":5,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/18174\/revisions"}],"predecessor-version":[{"id":20841,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/18174\/revisions\/20841"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/17759"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=18174"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=18174"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=18174"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}