In this guide, we provide a step by step tutorial on how to install and setup OpenLDAP on CentOS 8. If you are here, then you already know what an OpenLDAP server is and thus the description of what it is is beyond the scope of this tutorial.<\/p>\n\n\n\n
Well, CentOS 8 repositories do not have the latest release versions of OpenLDAP. The available version of OpenLDAP provided by CentOS 8 PowerTools repos, is OpenLDAP server v2.4.46<\/a>. To get the latest version with bug fixes, you need to build it from the source as described in this guide.<\/p>\n\n\n\n You may want to use other alternatives to OpenLDAP such as FreeIPA;<\/p>\n\n\n\n Install and Setup FreeIPA Server on CentOS 8<\/a><\/p>\n\n\n\n To update your system packages, run the command;<\/p>\n\n\n\n There are quite a number of dependencies and build tools required for a successful build and compilation OpenLDAP from the source. Run the command below to install them.<\/p>\n\n\n\n In this demo, OpenLDAP will run with a non-privileged system user. Hence, run the command below to create OpenLDAP system user with custom user and group id;<\/p>\n\n\n\n Consult The latest stable release of OpenLDAP as of this writing is OpenLDAP 2.4.48. Navigate to the OpenLDAP download’s page<\/a> and grab the tarball.<\/p>\n\n\n\n The tarball can be extracted by running the command;<\/p>\n\n\n\n To compile OpenLDAP on CentOS 8, you first need to run the configure script to adapt OpenLDAP to your system and check if any required dependency is missing before you can proceed with installation.<\/p>\n\n\n\n With configure script, you can enable or disable various options while building OpenLDAP.<\/p>\n\n\n\n To learn more about the configuration options, consult;<\/p>\n\n\n\n If the configure script completes with no issues, the last line you should see is;<\/p>\n\n\n\n As the line states, you need to run the Next, compile OpenLDAP on CentOS 8.<\/p>\n\n\n\n If you got time and patience, you can run the test suite to verify OpenLDAP build for any errors. You can however skip this step.<\/p>\n\n\n\n If the compilation of OpenLDAP completes successfully, proceed to install it by running the command;<\/p>\n\n\n\n OpenLDAP configuration files are now installed on The libraries are installed under Now that the installation of OpenLDAP is complete, proceed to configure it.<\/p>\n\n\n\n Create OpenLDAP data and database directories<\/p>\n\n\n\n Set the proper ownership and permissions on OpenLDAP directories and configuration files.<\/p>\n\n\n\n In order to run OpenLDAP as a service, you need to create a systemd service file as shown below.<\/p>\n\n\n\n Save and quit the service file. Do not run the service yet<\/strong>.<\/p>\n\n\n\n To configure LDAP with support If sudo supports LDAP, you should see the lines below;<\/p>\n\n\n\n Check if LDAP sudo schema is available.<\/p>\n\n\n\n Copy the Next, you need to create sudo schema ldif file. Run the command below to create the Edit the SLAPD LDIF file, Before you can write the changes to the database, perform a dry run to see what would happen. Pass If the command above executes with no error, implement the changes.<\/p>\n\n\n\n This command creates slapd database configurations under Set the user and group ownership of the Reload systemd configurations and start and enable OpenLDAP service to run on boot.<\/p>\n\n\n\n Check the status;<\/p>\n\n\n\n To enable OpenLDAP to log connections, operations, results statistics, create and ldif file and update the database as follows. Such OpenLDAP logging is enabled on log level <\/a> Configure Rsyslog to enable OpenLDAP to log to a specific file. By default, OpenLDAP logs to Restart Rsyslog<\/p>\n\n\n\n You should now be able to read the LDAP logs on, Next, create MDB database defining the root DN as well as the access control lists.<\/p>\n\n\n\n First, generate the root DN password.<\/p>\n\n\n\n Paste the password hash generated above as the value of Replace the domain components, Read more about ACL on OpenLDAP Access Control<\/a>.<\/p>\n\n\n\n Updated the slapd database with the content above;<\/p>\n\n\n\n To secure OpenLDAP communication between the client and the server, configured it to use SSL\/TLS certificates.<\/p>\n\n\n\n In this guide, we are self-signed certificates. You can choose to obtain the commercially signed and trusted certificates from your preferred CAs, for production environments.<\/p>\n\n\n\n Update the OpenLDAP Server TLS certificates attributes.<\/p>\n\n\n\n Note that we have used self-signed certificate as both the certificate and the CA certificate.<\/p>\n\n\n\n You can confirm this by running;<\/p>\n\n\n\n Change the location of the CA certificate on Next, create your base DN or search base to define your organization structure and directory.<\/p>\n\n\n\n Replace the domain components and organization units accordingly.<\/p>\n\n\n\n You can add users to your OpenLDAP server. Create an ldif file to define your users as follows.<\/p>\n\n\n\n Add the user to the OpenLDAP database.<\/p>\n\n\n\n To set the password for user above, run the command below;<\/p>\n\n\n\n Bind DN user is used for performing LDAP operations such as resolving User IDs and group IDs. In this guide, we create a bind DN ou called List the Access control lists on the database;<\/p>\n\n\n\n Create the BindDN user password.<\/p>\n\n\n\n Paste the password hash value above as the value of To allow remote clients to query OpenLDAP server, allow the Well, there you go. You have learnt how to install and setup OpenLDAP server on CentOS 8. To verify that users can actually connect to the systems via the OpenLDAP server, you need to configure OpenLDAP clients on the remote systems.<\/p>\n\n\n\n Note that you can also use phpLDAPadmin to manage and administer your OpenLDAP. Learn how to install phpLDAPadmin on CentOS 8.<\/p>\n\n\n\n Install phpLDAPadmin on CentOS 8<\/a><\/p>\n\n\n\n In our next guide, we will learn how to install and setup OpenLDAP clients on CentOS 8.<\/p>\n\n\n\n Want to configure OpenLDAP to provide SUDO rights to your clients? check the link below;<\/p>\n\n\n\n How to Configure SUDO via OpenLDAP Serve<\/a>r<\/a><\/p>\n\n\n\n Meanwhile, you can check out our other guides on OpenLDAP by following the links below;<\/p>\n\n\n\n How to Create OpenLDAP Member Groups<\/a><\/p>\n\n\n\n Configure SSSD for OpenLDAP Client Authentication on Debian 10\/9<\/a><\/p>\n\n\n\n Setup OpenLDAP Server with SSL\/TLS on Debian 10<\/a><\/p>\n\n\n\n Install and Configure OpenLDAP server on Fedora 29<\/a><\/p>\n\n\n\nRun System Update<\/h3>\n\n\n\n
dnf update<\/code><\/pre>\n\n\n\nInstall Required Dependencies and Build Tools<\/h3>\n\n\n\n
dnf install cyrus-sasl-devel make libtool autoconf libtool-ltdl-devel openssl-devel libdb-devel tar gcc perl perl-devel wget vim<\/code><\/pre>\n\n\n\nCreate OpenLDAP System Account<\/h3>\n\n\n\n
useradd -r -M -d \/var\/lib\/openldap -u 55 -s \/usr\/sbin\/nologin ldap<\/code><\/pre>\n\n\n\nman useradd<\/code> for the description of the command line options used above.<\/p>\n\n\n\nDownload OpenLDAP Source Tarball<\/h3>\n\n\n\n
VER=2.4.48<\/code><\/pre>\n\n\n\nwget ftp:\/\/ftp.openldap.org\/pub\/OpenLDAP\/openldap-release\/openldap-$VER.tgz<\/code><\/pre>\n\n\n\nExtract the OpenLDAP Source Tarball<\/h3>\n\n\n\n
tar xzf openldap-$VER.tgz<\/code><\/pre>\n\n\n\nCompiling OpenLDAP<\/h3>\n\n\n\n
cd openldap-$VER<\/code><\/pre>\n\n\n\n.\/configure --prefix=\/usr --sysconfdir=\/etc --disable-static \\\n--enable-debug --with-tls=openssl --with-cyrus-sasl --enable-dynamic \\\n--enable-crypt --enable-spasswd --enable-slapd --enable-modules \\\n--enable-rlookups --enable-backends=mod --disable-ndb --disable-sql \\\n--disable-shell --disable-bdb --disable-hdb --enable-overlays=mod<\/code><\/pre>\n\n\n\n.\/configure --help<\/code><\/pre>\n\n\n\nPlease run \"make depend\" to build dependencies<\/strong><\/code><\/pre>\n\n\n\nmake depend<\/strong><\/code> command to build OpenLDAP dependencies.<\/p>\n\n\n\nmake depend<\/code><\/pre>\n\n\n\nmake<\/code><\/pre>\n\n\n\nmake test<\/code><\/pre>\n\n\n\nInstalling OpenLDAP on CentOS 8<\/h3>\n\n\n\n
make install<\/code><\/pre>\n\n\n\n\/etc\/openldap<\/code>.<\/p>\n\n\n\nls \/etc\/openldap\/<\/code><\/pre>\n\n\n\ncerts ldap.conf ldap.conf.default schema slapd.conf slapd.conf.default slapd.ldif slapd.ldif.default<\/code><\/pre>\n\n\n\n\/usr\/libexec\/openldap<\/code>.<\/p>\n\n\n\nConfiguring OpenLDAP on CentOS 8<\/h3>\n\n\n\n
mkdir \/var\/lib\/openldap \/etc\/openldap\/slapd.d<\/code><\/pre>\n\n\n\nchown -R ldap:ldap \/var\/lib\/openldap<\/code><\/pre>\n\n\n\nchown root:ldap \/etc\/openldap\/slapd.conf<\/code><\/pre>\n\n\n\nchmod 640 \/etc\/openldap\/slapd.conf<\/code><\/pre>\n\n\n\nCreate OpenLDAP Systemd Service<\/h3>\n\n\n\n
vim \/etc\/systemd\/system\/slapd.service<\/code><\/pre>\n\n\n\n[Unit]\nDescription=OpenLDAP Server Daemon\nAfter=syslog.target network-online.target\nDocumentation=man:slapd\nDocumentation=man:slapd-mdb\n\n[Service]\nType=forking\nPIDFile=\/var\/lib\/openldap\/slapd.pid\nEnvironment=\"SLAPD_URLS=ldap:\/\/\/ ldapi:\/\/\/ ldaps:\/\/\/\"\nEnvironment=\"SLAPD_OPTIONS=-F \/etc\/openldap\/slapd.d\"\nExecStart=\/usr\/libexec\/slapd -u ldap -g ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS\n\n[Install]\nWantedBy=multi-user.target<\/code><\/pre>\n\n\n\nCreate OpenLDAP SUDO Schema<\/h3>\n\n\n\n
sudo<\/code>, first, check if your version of installed sudo supports LDAP.<\/p>\n\n\n\nsudo -V | grep -i \"ldap\"<\/code><\/pre>\n\n\n\n...\nldap.conf path: \/etc\/sudo-ldap.conf\nldap.secret path: \/etc\/ldap.secret<\/code><\/pre>\n\n\n\nrpm -ql sudo | grep -i schema.openldap<\/code><\/pre>\n\n\n\n\/usr\/share\/doc\/sudo\/schema.OpenLDAP<\/code><\/pre>\n\n\n\nschema.OpenLDAP<\/code> to the schema directory.<\/p>\n\n\n\ncp \/usr\/share\/doc\/sudo\/schema.OpenLDAP \/etc\/openldap\/schema\/sudo.schema<\/code><\/pre>\n\n\n\nsudo.ldif<\/strong><\/code> file. This ldif file is obtained from Lullabot github repository<\/a>.<\/p>\n\n\n\ncat << 'EOL' > \/etc\/openldap\/schema\/sudo.ldif\ndn: cn=sudo,cn=schema,cn=config\nobjectClass: olcSchemaConfig\ncn: sudo\nolcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )\nolcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )\nolcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 'Command(s) to be executed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )\nolcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs' DESC 'User(s) impersonated by sudo (deprecated)' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )\nolcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption' DESC 'Options(s) followed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )\nolcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.6 NAME 'sudoRunAsUser' DESC 'User(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )\nolcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.7 NAME 'sudoRunAsGroup' DESC 'Group(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )\nolcObjectClasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL DESC 'Sudoer Entries' MUST ( cn ) MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ sudoRunAsGroup $ sudoOption $ description ) )\nEOL<\/code><\/pre>\n\n\n\nUpdate SLAPD Database<\/h3>\n\n\n\n
\/etc\/openldap\/slapd.ldif<\/strong><\/code>, and update it as follows;<\/p>\n\n\n\nmv \/etc\/openldap\/slapd.ldif \/etc\/openldap\/slapd.ldif.bak<\/code><\/pre>\n\n\n\nvi \/etc\/openldap\/slapd.ldif<\/code><\/pre>\n\n\n\ndn: cn=config\nobjectClass: olcGlobal\ncn: config\nolcArgsFile: \/var\/lib\/openldap\/slapd.args\nolcPidFile: \/var\/lib\/openldap\/slapd.pid\n\ndn: cn=schema,cn=config\nobjectClass: olcSchemaConfig\ncn: schema\n\ndn: cn=module,cn=config\nobjectClass: olcModuleList\ncn: module\nolcModulepath: \/usr\/libexec\/openldap\nolcModuleload: back_mdb.la\n\ninclude: file:\/\/\/etc\/openldap\/schema\/core.ldif\ninclude: file:\/\/\/etc\/openldap\/schema\/cosine.ldif\ninclude: file:\/\/\/etc\/openldap\/schema\/nis.ldif\ninclude: file:\/\/\/etc\/openldap\/schema\/inetorgperson.ldif\ninclude: file:\/\/\/etc\/openldap\/schema\/ppolicy.ldif\ninclude: file:\/\/\/etc\/openldap\/schema\/sudo.ldif<\/strong>\n\ndn: olcDatabase=frontend,cn=config\nobjectClass: olcDatabaseConfig\nobjectClass: olcFrontendConfig\nolcDatabase: frontend\nolcAccess: to dn.base=\"cn=Subschema\" by * read\nolcAccess: to * \n by dn.base=\"gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\" manage \n by * none\n\ndn: olcDatabase=config,cn=config\nobjectClass: olcDatabaseConfig\nolcDatabase: config\nolcRootDN: cn=config\nolcAccess: to * \n by dn.base=\"gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\" manage \n by * none<\/code><\/pre>\n\n\n\n\n
slapadd<\/strong><\/code> command with the option -n 0<\/strong><\/code> which creates the first database.<\/li>\n\n\n\n\/etc\/openldap\/slapd.d<\/code><\/strong>, use option -F<\/code><\/strong> and option -l<\/code><\/strong> to specify location of the LDIF file above.<\/li>\n<\/ul>\n\n\n\n-u<\/code><\/strong> option to slapadd command.<\/p>\n\n\n\nslapadd -n 0 -F \/etc\/openldap\/slapd.d -l \/etc\/openldap\/slapd.ldif -u<\/code><\/pre>\n\n\n\nslapadd -n 0 -F \/etc\/openldap\/slapd.d<\/code> -l \/etc\/openldap\/slapd.ldif<\/code><\/pre>\n\n\n\n\/etc\/openldap\/slapd.d<\/code> directory.<\/p>\n\n\n\nls \/etc\/openldap\/slapd.d<\/code><\/pre>\n\n\n\n'cn=config' 'cn=config.ldif'<\/code><\/pre>\n\n\n\n\/etc\/openldap\/slapd.d<\/code> directory and the files in it to ldap user.<\/p>\n\n\n\nchown -R ldap:ldap \/etc\/openldap\/slapd.d<\/code><\/pre>\n\n\n\nRunning SLAPD Service<\/h3>\n\n\n\n
systemctl daemon-reload<\/code><\/pre>\n\n\n\nsystemctl enable --now slapd<\/code><\/pre>\n\n\n\nsystemctl status slapd<\/code><\/pre>\n\n\n\n\u25cf slapd.service - OpenLDAP Server Daemon\n Loaded: loaded (\/etc\/systemd\/system\/slapd.service; enabled; vendor preset: disabled)\n Active: active (running) since Sat 2019-12-07 12:10:52 EST; 6s ago\n Docs: man:slapd\n man:slapd-mdb\n Process: 14975 ExecStart=\/usr\/libexec\/slapd -u ldap -g ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS (code=exited, status=0\/SUCCESS)\n Main PID: 14976 (slapd)\n Tasks: 2 (limit: 5061)\n Memory: 3.0M\n CGroup: \/system.slice\/slapd.service\n \u2514\u250014976 \/usr\/libexec\/slapd -u ldap -g ldap -h ldap:\/\/\/ ldapi:\/\/\/ ldaps:\/\/\/ -F \/etc\/openldap\/slapd.d<\/code><\/pre>\n\n\n\nConfigure OpenLDAP Logging on CentOS 8<\/h3>\n\n\n\n
256<\/a><\/code> with keyword <\/a>stats<\/a><\/code> by modifying the olcLogLevel<\/code> attribute as shown below.<\/p>\n\n\n\nvim enable-ldap-log.ldif<\/code><\/pre>\n\n\n\ndn: cn=config\nchangeType: modify\nreplace: olcLogLevel\nolcLogLevel: stats<\/code><\/pre>\n\n\n\nldapmodify -Y external -H ldapi:\/\/\/ -f enable-ldap-log.ldif<\/code><\/pre>\n\n\n\nldapsearch -Y EXTERNAL -H ldapi:\/\/\/ -b cn=config \"(objectClass=olcGlobal)\" olcLogLevel -LLL -Q<\/code><\/pre>\n\n\n\ndn: cn=config\nolcLogLevel: stats<\/code><\/pre>\n\n\n\nlocal4<\/code> facility.<\/p>\n\n\n\necho \"local4.* \/var\/log\/slapd.log\" >> \/etc\/rsyslog.conf<\/code><\/pre>\n\n\n\nsystemctl restart rsyslog<\/code><\/pre>\n\n\n\n\/var\/log\/slapd.log<\/code>.<\/p>\n\n\n\nCreate OpenLDAP Default Root DN<\/h3>\n\n\n\n
slappasswd<\/code><\/pre>\n\n\n\nNew password: ENTER PASSWORD<\/strong>\nRe-enter new password: RE-ENTER PASSWORD<\/strong>\n{SSHA}qAZah0xybYLcMfPUAN0SG4ki8JxC4bIF<\/code><\/pre>\n\n\n\nolcRootPW<\/code><\/strong> in the Root DN ldif file below.<\/p>\n\n\n\nvim rootdn.ldif<\/code><\/pre>\n\n\n\ndc=ldapmaster,dc=kifarunix-demo,dc=com<\/strong><\/code> with your appropriate names.<\/p>\n\n\n\ndn: olcDatabase=mdb,cn=config\nobjectClass: olcDatabaseConfig\nobjectClass: olcMdbConfig\nolcDatabase: mdb\nolcDbMaxSize: 42949672960\nolcDbDirectory: \/var\/lib\/openldap\nolcSuffix: dc=ldapmaster,dc=kifarunix-demo,dc=com\nolcRootDN: cn=admin,dc=ldapmaster,dc=kifarunix-demo,dc=com\nolcRootPW: {SSHA}5Hcgjj4gtcr\/exLcdSRuYgH6bFhIqkSe<\/strong>\nolcDbIndex: uid pres,eq\nolcDbIndex: cn,sn pres,eq,approx,sub\nolcDbIndex: mail pres,eq,sub\nolcDbIndex: objectClass pres,eq\nolcDbIndex: loginShell pres,eq\nolcDbIndex: sudoUser,sudoHost pres,eq<\/strong>\nolcAccess: to attrs=userPassword,shadowLastChange,shadowExpire\n by self write\n by anonymous auth\n by dn.subtree=\"gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\" manage \n by dn.subtree=\"ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com\" read\n by * none\nolcAccess: to dn.subtree=\"ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com\" by dn.subtree=\"gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\" manage\n by * none\nolcAccess: to dn.subtree=\"dc=ldapmaster,dc=kifarunix-demo,dc=com\" by dn.subtree=\"gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\" manage\n by users read \n by * none<\/code><\/pre>\n\n\n\nldapadd -Y EXTERNAL -H ldapi:\/\/\/ -f rootdn.ldif<\/code><\/pre>\n\n\n\nConfigure OpenLDAP with SSL\/TLS<\/h3>\n\n\n\n
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout \\\n\/etc\/pki\/tls\/ldapserver.key -out \/etc\/pki\/tls\/ldapserver.crt<\/code><\/pre>\n\n\n\nchown ldap:ldap \/etc\/pki\/tls\/{ldapserver.crt,ldapserver.key}<\/code><\/pre>\n\n\n\nvi add-tls.ldif<\/code><\/pre>\n\n\n\ndn: cn=config\nchangetype: modify\nadd: olcTLSCACertificateFile\nolcTLSCACertificateFile: \/etc\/pki\/tls\/ldapserver.crt\n-\nadd: olcTLSCertificateKeyFile\nolcTLSCertificateKeyFile: \/etc\/pki\/tls\/ldapserver.key\n-\nadd: olcTLSCertificateFile\nolcTLSCertificateFile: \/etc\/pki\/tls\/ldapserver.crt<\/code><\/pre>\n\n\n\nldapadd -Y EXTERNAL -H ldapi:\/\/\/ -f add-tls.ldif<\/code><\/pre>\n\n\n\nslapcat -b \"cn=config\" | grep olcTLS<\/code><\/pre>\n\n\n\nolcTLSCACertificateFile: \/etc\/pki\/tls\/ldapserver.crt\nolcTLSCertificateKeyFile: \/etc\/pki\/tls\/ldapserver.key\nolcTLSCertificateFile: \/etc\/pki\/tls\/ldapserver.crt<\/code><\/pre>\n\n\n\n\/etc\/openldap\/ldap.conf<\/code>.<\/p>\n\n\n\nvim \/etc\/openldap\/ldap.conf<\/code><\/pre>\n\n\n\n...\n#TLS_CACERT \/etc\/pki\/tls\/cert.pem\nTLS_CACERT \/etc\/pki\/tls\/ldapserver.crt<\/strong><\/code><\/pre>\n\n\n\nCreate OpenLDAP Base DN<\/h3>\n\n\n\n
vim basedn.ldif<\/code><\/pre>\n\n\n\ndn: dc=ldapmaster,dc=kifarunix-demo,dc=com\nobjectClass: dcObject\nobjectClass: organization\nobjectClass: top\no: Kifarunix-demo\ndc: ldapmaster\n\ndn: ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com\nobjectClass: organizationalUnit\nobjectClass: top\nou: groups\n\ndn: ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\nobjectClass: organizationalUnit\nobjectClass: top\nou: people<\/code><\/pre>\n\n\n\nldapadd -Y EXTERNAL -H ldapi:\/\/\/ -f basedn.ldif<\/code><\/pre>\n\n\n\nCreate OpenLDAP User Accounts<\/h3>\n\n\n\n
vim users.ldif<\/code><\/pre>\n\n\n\ndn: uid=johndoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\nobjectClass: inetOrgPerson\nobjectClass: posixAccount\nobjectClass: shadowAccount\nuid: johndoe\ncn: John\nsn: Doe\nloginShell: \/bin\/bash\nuidNumber: 10000\ngidNumber: 10000\nhomeDirectory: \/home\/johndoe\nshadowMax: 60\nshadowMin: 1\nshadowWarning: 7\nshadowInactive: 7\nshadowLastChange: 0\n\ndn: cn=johndoe,ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com\nobjectClass: posixGroup\ncn: johndoe\ngidNumber: 10000\nmemberUid: johndoe<\/code><\/pre>\n\n\n\nldapadd -Y EXTERNAL -H ldapi:\/\/\/ -f users.ldif<\/code><\/pre>\n\n\n\nSetting password for LDAP User<\/h4>\n\n\n\n
ldappasswd -H ldapi:\/\/\/ -Y EXTERNAL -S \"uid=johndoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\"<\/code><\/pre>\n\n\n\nCreate OpenLDAP Bind DN and Bind DN User<\/h3>\n\n\n\n
system<\/code>. Note the access controls associated with this ou as defined on the root DN above.<\/p>\n\n\n\nldapsearch -Q -LLL -Y EXTERNAL -H ldapi:\/\/\/ -b cn=config '(olcDatabase={1}mdb)' olcAccess<\/code><\/pre>\n\n\n\nslappasswd<\/code><\/pre>\n\n\n\nNew password: Password\nRe-enter new password: Password\n{SSHA}Z7qPE2f8oRfHMo1DSbzdOqbr4jNgqBpC<\/strong><\/code><\/pre>\n\n\n\nuserPassword<\/code><\/strong> attribute in the file below;<\/p>\n\n\n\nvim bindDNuser.ldif<\/code><\/pre>\n\n\n\ndn: ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com\nobjectClass: organizationalUnit\nobjectClass: top\nou: system\n\ndn: cn=readonly,ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com\nobjectClass: organizationalRole\nobjectClass: simpleSecurityObject\ncn: readonly\nuserPassword: {SSHA}Z7qPE2f8oRfHMo1DSbzdOqbr4jNgqBpC<\/strong>\ndescription: Bind DN user for LDAP Operations<\/code><\/pre>\n\n\n\nldapadd -Y EXTERNAL -H ldapi:\/\/\/ -f bindDNuser.ldif<\/code><\/pre>\n\n\n\nAllow OpenLDAP Service on Firewall<\/h3>\n\n\n\n
ldap<\/code> (389 UDP\/TCP)<\/strong> and ldaps<\/code> (636 UDP\/TCP) service on firewall.<\/p>\n\n\n\nfirewall-cmd --add-service={ldap,ldaps} --permanent<\/code><\/pre>\n\n\n\nfirewall-cmd --reload<\/code><\/pre>\n\n\n\nTesting OpenLDAP Authentication<\/h3>\n\n\n\n