{"id":2110,"date":"2019-01-20T19:28:58","date_gmt":"2019-01-20T16:28:58","guid":{"rendered":"http:\/\/kifarunix.com\/?p=2110"},"modified":"2019-01-20T19:50:44","modified_gmt":"2019-01-20T16:50:44","slug":"install-and-configure-openldap-server-on-fedora-29","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/install-and-configure-openldap-server-on-fedora-29\/","title":{"rendered":"Install and Configure OpenLDAP server on Fedora 29"},"content":{"rendered":"

This guide will take you through the steps required to install and configure OpenLDAP server on Fedora 29. As you already know, OpenLDAP is an implementation of Light weight directory access protocol (LDAP). It provides a central management point for user information.<\/p>\n

Install and Configure OpenLDAP server on Fedora 29<\/h2>\n

Update and upgrade your system packages;<\/p>\n

dnf update\r\ndnf upgrade<\/code><\/pre>\n
To install LDAP server on Fedora 29, run the command below;<\/p>\n
dnf install openldap-clients openldap-servers<\/code><\/pre>\n
Start and enable OpenLDAP server service to run system reboot.<\/p>\n
systemctl enable slapd\r\nsystemctl start slapd<\/code><\/pre>\n
Configure OpenLDAP server on Fedora 29<\/h2>\n
Set the OpenLDAP administrator password.<\/h3>\n
This can be done using the slappasswd<\/code> command which generate an encrypted password hash.<\/p>\n
slappasswd \r\nNew password: password\r\nRe-enter new password: password \r\n{SSHA}MI\/malE7t763EWw7YiRzXsojGETmqMJq<\/strong><\/code><\/pre>\n
You can also set the password in a one line command; slappasswd -h {SHA} -s password<\/strong><\/code>. Replace the ‘password<\/strong>‘ with your password.<\/p>\n
Save the generated hash since we will require it in a moment.<\/p>\n
Configure OpenLDAP database<\/h3>\n
TO begin with, copy the sample OpenLDAP database configuration renaming it as follows;<\/p>\n
cp \/usr\/share\/openldap-servers\/DB_CONFIG.example \/var\/lib\/ldap\/DB_CONFIG<\/code><\/pre>\n
Set the ownership of the LDAP database configuration directory ldap<\/code> user.<\/p>\n
chown -R ldap:ldap \/var\/lib\/ldap<\/code><\/pre>\n
Import OpenLDAP basic schemas<\/h4>\n
Navigate to OpenLDAP schemas directory and import the cosine, nis and inetorgperson schemas.<\/p>\n
cd \/etc\/openldap\/schema<\/code><\/pre>\n
for schema in cosine.ldif nis.ldif inetorgperson.ldif; do ldapadd -Y EXTERNAL -H ldapi:\/\/\/ -f $schema; done<\/code><\/pre>\n
SASL\/EXTERNAL authentication started\r\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\r\nSASL SSF: 0\r\nadding new entry \"cn=cosine,cn=schema,cn=config\"\r\n\r\nSASL\/EXTERNAL authentication started\r\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\r\nSASL SSF: 0\r\nadding new entry \"cn=nis,cn=schema,cn=config\"\r\n\r\nSASL\/EXTERNAL authentication started\r\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\r\nSASL SSF: 0\r\nadding new entry \"cn=inetorgperson,cn=schema,cn=config\"<\/code><\/pre>\n
Update the OpenLDAP database configuration file by modifying the values of the following attributes;<\/p>\n
    \n
  • olcSuffix<\/code> – set the value to your base domain<\/li>\n
  • olcRootDN<\/code> – set the value to your LDAP domain administrative entry<\/li>\n
  • olcRootPW<\/code> – This is set to your LDAP admin password generated above.<\/li>\n<\/ul>\n
    Also, configure the access control list for the LDAP monitor backend (olcDatabase\\=\\{1\\}monitor.ldif<\/code>) and the primary database backend (olcDatabase={2}mdb.ldif<\/code>).<\/p>\n
    All these modifications can be implemented using a single ldif file as shown below;<\/p>\n
    vim mod_domain.ldif<\/code><\/pre>\n
    dn: olcDatabase={1}monitor,cn=config\r\nchangetype: modify\r\nreplace: olcAccess\r\nolcAccess: {0}to * by dn.base=\"gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\"\r\n  read by dn.base=\"cn=Manager,dc=example,dc=com\" read by * none\r\n\r\ndn: olcDatabase={2}mdb,cn=config\r\nchangetype: modify\r\nreplace: olcSuffix\r\nolcSuffix: dc=example,dc=com\r\n\r\ndn: olcDatabase={2}mdb,cn=config\r\nchangetype: modify\r\nreplace: olcRootDN\r\nolcRootDN: cn=Manager,dc=example,dc=com\r\n\r\ndn: olcDatabase={2}mdb,cn=config\r\nchangetype: modify\r\nadd: olcRootPW\r\nolcRootPW: {SSHA}MI\/malE7t763EWw7YiRzXsojGETmqMJq\r\n\r\ndn: olcDatabase={2}mdb,cn=config\r\nchangetype: modify\r\nadd: olcAccess\r\nolcAccess: {0}to attrs=userPassword,shadowLastChange by\r\n  dn=\"cn=Manager,dc=example,dc=com\" write by anonymous auth by self write by * none\r\nolcAccess: {1}to dn.base=\"\" by * read\r\nolcAccess: {2}to * by dn=\"cn=Manager,dc=example,dc=com\" write by * read<\/code><\/pre>\n
    These modifications can be implemented using the ldapmodify<\/code> command.<\/p>\n
    ldapmodify -Y EXTERNAL -H ldapi:\/\/\/ -f mod_domain.ldif<\/code><\/pre>\n
    SASL\/EXTERNAL authentication started\r\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\r\nSASL SSF: 0\r\nmodifying entry \"olcDatabase={1}monitor,cn=config\"\r\n\r\nmodifying entry \"olcDatabase={2}mdb,cn=config\"\r\n\r\nmodifying entry \"olcDatabase={2}mdb,cn=config\"\r\n\r\nmodifying entry \"olcDatabase={2}mdb,cn=config\"\r\n\r\nmodifying entry \"olcDatabase={2}mdb,cn=config\"<\/code><\/pre>\n
    You can use ldapsearch command to verify this.<\/p>\n
    ldapsearch  -Y EXTERNAL -H ldapi:\/\/\/ -b cn=config olcDatabase={2}mdb -LLL<\/code><\/pre>\n
    SASL\/EXTERNAL authentication started\r\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\r\nSASL SSF: 0\r\ndn: olcDatabase={2}mdb,cn=config\r\nobjectClass: olcDatabaseConfig\r\nobjectClass: olcMdbConfig\r\nolcDatabase: {2}mdb\r\nolcDbDirectory: \/var\/lib\/ldap\r\nolcDbIndex: objectClass eq,pres\r\nolcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub\r\nolcSuffix: dc=example,dc=com\r\nolcRootDN: cn=Manager,dc=example,dc=com\r\nolcRootPW: {SSHA}MI\/malE7t763EWw7YiRzXsojGETmqMJq\r\nolcAccess: {0}to attrs=userPassword,shadowLastChange by dn=\"cn=Manager,dc=exam\r\n ple,dc=com\" write by anonymous auth by self write by * none\r\nolcAccess: {1}to dn.base=\"\" by * read\r\nolcAccess: {2}to * by dn=\"cn=Manager,dc=example,dc=com\" write by * read<\/code><\/pre>\n
    ldapsearch  -Y EXTERNAL -H ldapi:\/\/\/ -b cn=config olcDatabase={1}monitor -LLL<\/code><\/pre>\n
    SASL\/EXTERNAL authentication started\r\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\r\nSASL SSF: 0\r\ndn: olcDatabase={1}monitor,cn=config\r\nobjectClass: olcDatabaseConfig\r\nolcDatabase: {1}monitor\r\nolcAccess: {0}to * by dn.base=\"gidNumber=0+uidNumber=0,cn=peercred,cn=external\r\n ,cn=auth\" read by dn.base=\"cn=Manager,dc=example,dc=com\" read by * none<\/code><\/pre>\n
    Create the base domain and add it to LDAP to create your directory. Replace the domain entries approriately.<\/p>\n
    vim basedn.ldif<\/code><\/pre>\n
    dn: dc=example,dc=com\r\nobjectClass: top\r\nobjectClass: dcObject\r\nobjectclass: organization\r\no: Example Com\r\ndc: Example\r\n\r\ndn: cn=Manager,dc=example,dc=com\r\nobjectClass: organizationalRole\r\ncn: Manager\r\ndescription: LDAP Directory Manager\r\n\r\ndn: ou=People,dc=example,dc=com\r\nobjectClass: organizationalUnit\r\nou: People\r\n\r\ndn: ou=Group,dc=example,dc=com\r\nobjectClass: organizationalUnit\r\nou: Group<\/code><\/pre>\n
    To add the Base domain entry, run the command below;<\/p>\n
    ldapadd -x -D cn=Manager,dc=example,dc=com -W -f basedn.ldif\r\nEnter LDAP Password: LDAP  manager's password set above<\/strong>\r\n\r\nadding new entry \"dc=example,dc=com\" \r\n\r\nadding new entry \"cn=Manager,dc=example,dc=com\"\r\n\r\nadding new entry \"ou=People,dc=example,dc=com\"<\/code><\/pre>\n
    The OpenLDAP server configuration is about done.<\/p>\n
    Create OpenLDAP server User Accounts<\/h3>\n
    Generate a password for the user using the slappasswd<\/code> command;<\/p>\n
    slappasswd \r\nNew password: \r\nRe-enter new password: \r\n{SSHA}QLXFlVsiNY7bLgcwx8yurJqMZVaErD9b<\/code><\/pre>\n
    Create an ldif file for specifying user attributes.<\/p>\n
    vim add_user.ldif<\/code><\/pre>\n
    dn: uid=amosm,ou=People,dc=example,dc=com\r\nobjectClass: inetOrgPerson\r\nobjectClass: posixAccount\r\nobjectClass: shadowAccount\r\ncn: Amos\r\nsn: Mibey\r\nuserPassword: {SSHA}QLXFlVsiNY7bLgcwx8yurJqMZVaErD9b\r\nloginShell: \/bin\/bash\r\nuidNumber: 10000\r\ngidNumber: 10000\r\nhomeDirectory: \/home\/amosm\r\n\r\ndn: cn=amosm,ou=Group,dc=example,dc=com\r\nobjectClass: posixGroup\r\ncn: Amos\r\ngidNumber: 10000\r\nmemberUid: amosm<\/code><\/pre>\n
    ldapadd -x -D cn=Manager,dc=example,dc=com -W -f add_user.ldif \r\nEnter LDAP Password: \r\nadding new entry \"uid=amosm,ou=People,dc=example,dc=com\"\r\n\r\nadding new entry \"cn=amosm,ou=Group,dc=example,dc=com\"<\/code><\/pre>\n
    To verify that the user is created, you can use ldapsearch<\/code> command to query its details.<\/p>\n
    ldapsearch -x uid=amosm -b dc=example,dc=com -LLL<\/code><\/pre>\n
    dn: uid=amosm,ou=People,dc=example,dc=com\r\nobjectClass: inetOrgPerson\r\nobjectClass: posixAccount\r\nobjectClass: shadowAccount\r\ncn: Amos\r\nsn: Mibey\r\nloginShell: \/bin\/bash\r\nuidNumber: 10000\r\ngidNumber: 10000\r\nhomeDirectory: \/home\/amosm\r\nuid: amosm<\/code><\/pre>\n
    Well, that\u00a0 it all takes to install and configure OpenLDAP server on Fedora 29. It all seems good. Feel free to add more users and explore the full funtionality of OpenLDAP. Before we can wrap up, open the OpenLDAP server service on firewall to allow external access.<\/p>\n
    firewall-cmd --permanent --add-service=ldap<\/span>firewall-cmd --reload<\/code><\/pre>\n
    All is left for doing is to configure the LDAP client to authenticate via the OpenLDAP server, We will cover this in our next tutorial. Thank you for reading.<\/p>\n","protected":false},"excerpt":{"rendered":"
    This guide will take you through the steps required to install and configure OpenLDAP server on Fedora 29. As you already know, OpenLDAP is an<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[285,121],"tags":[289,248],"class_list":["post-2110","post","type-post","status-publish","format-standard","hentry","category-directory-server","category-howtos","tag-fedora-29","tag-ldap","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/2110"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=2110"}],"version-history":[{"count":1,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/2110\/revisions"}],"predecessor-version":[{"id":2112,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/2110\/revisions\/2112"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=2110"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=2110"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=2110"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}