{"id":9205,"date":"2021-06-19T18:18:31","date_gmt":"2021-06-19T15:18:31","guid":{"rendered":"https:\/\/kifarunix.com\/?p=9205"},"modified":"2024-03-18T20:37:47","modified_gmt":"2024-03-18T17:37:47","slug":"install-and-setup-openldap-on-rocky-linux-8","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/install-and-setup-openldap-on-rocky-linux-8\/","title":{"rendered":"Install and Setup OpenLDAP on Rocky Linux 8"},"content":{"rendered":"\n<p>In this guide, we provide a step by step tutorial on how to install and setup OpenLDAP on Rocky Linux 8. If you are here, then you already know what an OpenLDAP server is and thus the description of what it is is beyond the scope of this tutorial.<\/p>\n\n\n\n<div class=\"wp-block-rank-math-toc-block\" id=\"rank-math-toc\"><h2>Table of Contents<\/h2><nav><ul><li><a href=\"#installing-open-ldap-on-rocky-linux-8\">Installing OpenLDAP on Rocky Linux 8<\/a><ul><li><a href=\"#run-system-update\">Run System Update<\/a><\/li><li><a href=\"#install-required-dependencies-and-build-tools\">Install Required Dependencies and Build Tools<\/a><\/li><li><a href=\"#create-open-ldap-system-account\">Create OpenLDAP System Account<\/a><\/li><li><a href=\"#download-open-ldap-source-tarball\">Download OpenLDAP Source Tarball<\/a><\/li><li><a href=\"#extract-the-open-ldap-source-tarball\">Extract the OpenLDAP Source Tarball<\/a><\/li><li><a href=\"#compile-open-ldap-on-rocky-linux-8\">Compile OpenLDAP on Rocky Linux 8<\/a><\/li><li><a href=\"#install-open-ldap-on-rocky-linux-8\">Install OpenLDAP on Rocky Linux 8<\/a><\/li><li><a href=\"#configuring-open-ldap-on-rocky-linux-8\">Configuring OpenLDAP on Rocky Linux 8<\/a><\/li><li><a href=\"#create-open-ldap-systemd-service\">Create OpenLDAP Systemd Service<\/a><\/li><li><a href=\"#create-open-ldap-sudo-schema\">Create OpenLDAP SUDO Schema<\/a><\/li><li><a href=\"#update-open-ldap-slapd-database\">Update OpenLDAP SLAPD Database<\/a><\/li><li><a href=\"#running-slapd-service\">Running 
SLAPD Service<\/a><\/li><li><a href=\"#configure-open-ldap-logging-on-rocky-linux-8\">Configure OpenLDAP Logging on Rocky Linux 8<\/a><\/li><li><a href=\"#create-open-ldap-default-root-dn\">Create OpenLDAP Default Root DN<\/a><\/li><li><a href=\"#configure-open-ldap-with-ssl-tls\">Configure OpenLDAP with SSL\/TLS<\/a><\/li><li><a href=\"#create-open-ldap-base-dn\">Create OpenLDAP Base DN<\/a><\/li><li><a href=\"#create-open-ldap-user-accounts\">Create OpenLDAP User Accounts<\/a><\/li><li><a href=\"#create-open-ldap-bind-dn-and-bind-dn-user\">Create OpenLDAP Bind DN and Bind DN User<\/a><\/li><li><a href=\"#implement-open-ldap-password-policies\">Implement OpenLDAP Password Policies<\/a><\/li><li><a href=\"#allow-open-ldap-service-on-firewall\">Allow OpenLDAP Service on Firewall<\/a><\/li><li><a href=\"#testing-open-ldap-authentication\">Testing OpenLDAP Authentication<\/a><\/li><\/ul><\/li><\/ul><\/nav><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"installing-open-ldap-on-rocky-linux-8\">Installing OpenLDAP on Rocky Linux 8<\/h2>\n\n\n\n<p>Well, Rocky Linux 8 repositories do not provide OpenLDAP server packages.<\/p>\n\n\n\n<p>To install the latest version of OpenLDAP server with bug fixes on Rocky Linux 8, you need to build it from source as described in this guide.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"run-system-update\">Run System Update<\/h3>\n\n\n\n<p>To update your system packages, run the command;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">dnf update<\/pre>\n\n\n\n<p>You can reboot after the update;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>reboot<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"install-required-dependencies-and-build-tools\">Install Required Dependencies and Build Tools<\/h3>\n\n\n\n<p>There are quite a number of dependencies and build tools required for a successful build and compilation of OpenLDAP from source. 
Run the command below to install them.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>dnf install epel-release -y<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">dnf install cyrus-sasl-devel make libtool autoconf \\\nopenssl-devel libdb-devel tar gcc perl perl-devel wget vim -y<\/pre>\n\n\n\n<p>Install Libtool development libraries;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>dnf --enablerepo=highavailability install -y<\/code><\/pre>\n\n\n\n<p>Install wiredtiger, provided by EPEL-7 repos;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\ncat &gt; \/etc\/yum.repos.d\/epel-release-7.repo &lt;&lt; 'EOF'\n[epel-release-7]\nname=Extra Packages for Enterprise Linux 7 - x86_64\nbaseurl=https:\/\/dl.fedoraproject.org\/pub\/epel\/7\/x86_64\/\nenabled=0\ngpgcheck=0\nEOF\n<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">dnf --enablerepo=epel-release-7 install wiredtiger wiredtiger-devel<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"create-open-ldap-system-account\">Create OpenLDAP System Account<\/h3>\n\n\n\n<p>In this demo, OpenLDAP will run with a non-privileged system user. 
Hence, run the command below to create OpenLDAP system user with custom user and group id;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">useradd -r -M -d \/var\/lib\/openldap -u 55 -s \/usr\/sbin\/nologin ldap<\/pre>\n\n\n\n<p>Consult&nbsp;<code><strong>man useradd<\/strong><\/code>&nbsp;for the description of the command line options used above.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"download-open-ldap-source-tarball\">Download OpenLDAP Source Tarball<\/h3>\n\n\n\n<p>The latest stable release of OpenLDAP as of this writing is OpenLDAP 2.6.5.<\/p>\n\n\n\n<p>Hence navigate to the&nbsp;<a href=\"https:\/\/www.openldap.org\/software\/download\/\" target=\"_blank\" rel=\"noreferrer noopener\">OpenLDAP download\u2019s page<\/a>&nbsp;and grab the tarball.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">VER=2.6.5<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">wget ftp:\/\/ftp.openldap.org\/pub\/OpenLDAP\/openldap-release\/openldap-$VER.tgz<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"extract-the-open-ldap-source-tarball\">Extract the OpenLDAP Source Tarball<\/h3>\n\n\n\n<p>The tarball can be extracted by running the command;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">tar xzf openldap-$VER.tgz<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"compile-open-ldap-on-rocky-linux-8\">Compile OpenLDAP on Rocky Linux 8<\/h3>\n\n\n\n<p>To compile OpenLDAP on Rocky Linux 8, you first need to run the configure script to adapt OpenLDAP to your system and check if any required dependency is missing before you can proceed with installation.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">cd openldap-$VER<\/pre>\n\n\n\n<p>With configure script, you can enable or disable various options while building OpenLDAP.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\n.\/configure --prefix=\/usr \\\n\t--sysconfdir=\/etc \\\n\t--disable-static \\\n\t--enable-debug \\\n\t--with-tls=openssl \\\n\t--with-cyrus-sasl \\\n\t--enable-dynamic \\\n\t--enable-crypt 
\\\n\t--enable-spasswd \\\n\t--enable-slapd \\\n\t--enable-modules \\\n\t--enable-rlookups \\\n\t--enable-backends=mod \\\n\t--disable-sql \\\n\t--disable-wt \\\n\t--enable-ppolicy \\\n\t--enable-syslog \\\n\t--enable-overlays=mod\n<\/code><\/pre>\n\n\n\n<p>To learn more about the configuration options, consult;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">.\/configure --help<\/pre>\n\n\n\n<p>If the configure script completes with no issues, the last line you should see is;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\n...\nMaking servers\/slapd\/backends.c\n    Add config ...\n    Add ldif ...\n    Add monitor ...\nMaking servers\/slapd\/overlays\/statover.c\n    Add ppolicy ...\nPlease run \"make depend\" to build dependencies\n<\/code><\/pre>\n\n\n\n<p>As the line states, you need to run the&nbsp;<code><strong>make depend<\/strong><\/code>&nbsp;command to build OpenLDAP dependencies.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">make depend<\/pre>\n\n\n\n<p>Next, compile OpenLDAP on Rocky Linux 8.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">make<\/pre>\n\n\n\n<p>If you have the time and patience, you can run the test suite to check the OpenLDAP build for errors. 
<strong>You can however skip this step<\/strong>.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">make test<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"install-open-ldap-on-rocky-linux-8\">Install OpenLDAP on Rocky Linux 8<\/h3>\n\n\n\n<p>If the compilation of OpenLDAP completes successfully, proceed to install it by running the command;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">make install<\/pre>\n\n\n\n<p>OpenLDAP configuration files are now installed on&nbsp;<code>\/etc\/openldap<\/code>.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">ls -1 \/etc\/openldap\/<\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\ncerts\nldap.conf\nldap.conf.default\nschema\nslapd.conf\nslapd.conf.default\nslapd.ldif\nslapd.ldif.default\n<\/code><\/pre>\n\n\n\n<p>The libraries are installed under&nbsp;<code><strong>\/usr\/libexec\/openldap<\/strong><\/code>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"configuring-open-ldap-on-rocky-linux-8\">Configuring OpenLDAP on Rocky Linux 8<\/h3>\n\n\n\n<p>Now that the installation of OpenLDAP is complete, proceed to configure it.<\/p>\n\n\n\n<p>Create OpenLDAP data and database directories<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">mkdir \/var\/lib\/openldap \/etc\/openldap\/slapd.d<\/pre>\n\n\n\n<p>Set the proper ownership and permissions on OpenLDAP directories and configuration files.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">chown -R ldap:ldap \/var\/lib\/openldap<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">chown root:ldap \/etc\/openldap\/slapd.conf<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">chmod 640 \/etc\/openldap\/slapd.conf<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"create-open-ldap-systemd-service\">Create OpenLDAP Systemd Service<\/h3>\n\n\n\n<p>In order to run OpenLDAP as a service, you need to create a systemd service file as shown below.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>cat &gt; \/etc\/systemd\/system\/slapd.service &lt;&lt; 'EOL'\n[Unit]\nDescription=OpenLDAP Server 
Daemon\nAfter=syslog.target network-online.target\nDocumentation=man:slapd\nDocumentation=man:slapd-mdb\n\n[Service]\nType=forking\nPIDFile=\/var\/lib\/openldap\/slapd.pid\nEnvironment=\"SLAPD_URLS=ldap:\/\/\/ ldapi:\/\/\/ ldaps:\/\/\/\"\nEnvironment=\"SLAPD_OPTIONS=-F \/etc\/openldap\/slapd.d\"\nExecStart=\/usr\/libexec\/slapd -u ldap -g ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS\n\n[Install]\nWantedBy=multi-user.target\nEOL\n<\/code><\/pre>\n\n\n\n<p>Save and quit the service file.&nbsp;<strong>Do not run\/start the service yet<\/strong>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"create-open-ldap-sudo-schema\">Create OpenLDAP SUDO Schema<\/h3>\n\n\n\n<p>To configure LDAP with&nbsp;<code>sudo<\/code>&nbsp;support, first check whether the installed version of sudo supports LDAP.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo -V |  grep -i \"ldap\"<\/pre>\n\n\n\n<p>If sudo supports LDAP, you should see the lines below;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">...\nldap.conf path: \/etc\/sudo-ldap.conf\nldap.secret path: \/etc\/ldap.secret<\/pre>\n\n\n\n<p>Check if the LDAP sudo schema is available.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">rpm -ql sudo |  grep -i schema.openldap<\/pre>\n\n\n\n<p>Output;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">\/usr\/share\/doc\/sudo\/schema.OpenLDAP<\/pre>\n\n\n\n<p>Copy the&nbsp;<code>schema.OpenLDAP<\/code>&nbsp;to the schema directory.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">cp \/usr\/share\/doc\/sudo\/schema.OpenLDAP  \/etc\/openldap\/schema\/sudo.schema<\/pre>\n\n\n\n<p>Next, you need to create the sudo schema ldif file.<\/p>\n\n\n\n<p>Run the command below to create the&nbsp;<code><strong>sudo.ldif<\/strong><\/code>&nbsp;file. 
(<em>We copied the default ldif file from&nbsp;<strong><code>\/usr\/share\/doc\/sudo\/schema.olcSudo<\/code><\/strong>&nbsp;and just modified it<\/em>).<\/p>\n\n\n\n<pre class=\"scroll-box\">\ncat &lt;&lt; 'EOL' > \/etc\/openldap\/schema\/sudo.ldif\ndn: cn=sudo,cn=schema,cn=config\nobjectClass: olcSchemaConfig\ncn: sudo\nolcattributetypes: ( 1.3.6.1.4.1.15953.9.1.1\n    NAME 'sudoUser'\n    DESC 'User(s) who may  run sudo'\n    EQUALITY caseExactMatch\n    SUBSTR caseExactSubstringsMatch\n    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )\n#\nolcattributetypes: ( 1.3.6.1.4.1.15953.9.1.2\n    NAME 'sudoHost'\n    DESC 'Host(s) who may run sudo'\n    EQUALITY caseExactIA5Match\n    SUBSTR caseExactIA5SubstringsMatch\n    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )\n#\nolcattributetypes: ( 1.3.6.1.4.1.15953.9.1.3\n    NAME 'sudoCommand'\n    DESC 'Command(s) to be executed by sudo'\n    EQUALITY caseExactIA5Match\n    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )\n#\nolcattributetypes: ( 1.3.6.1.4.1.15953.9.1.4\n    NAME 'sudoRunAs'\n    DESC 'User(s) impersonated by sudo (deprecated)'\n    EQUALITY caseExactIA5Match\n    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )\n#\nolcattributetypes: ( 1.3.6.1.4.1.15953.9.1.5\n    NAME 'sudoOption'\n    DESC 'Options(s) followed by sudo'\n    EQUALITY caseExactIA5Match\n    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )\n#\nolcattributetypes: ( 1.3.6.1.4.1.15953.9.1.6\n    NAME 'sudoRunAsUser'\n    DESC 'User(s) impersonated by sudo'\n    EQUALITY caseExactMatch\n    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )\n#\nolcattributetypes: ( 1.3.6.1.4.1.15953.9.1.7\n    NAME 'sudoRunAsGroup'\n    DESC 'Group(s) impersonated by sudo'\n    EQUALITY caseExactMatch\n    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )\n#\nolcattributetypes: ( 1.3.6.1.4.1.15953.9.1.8\n    NAME 'sudoNotBefore'\n    DESC 'Start of time interval for which the entry is valid'\n    EQUALITY generalizedTimeMatch\n    ORDERING generalizedTimeOrderingMatch\n    SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 
)\n#\nolcattributetypes: ( 1.3.6.1.4.1.15953.9.1.9\n    NAME 'sudoNotAfter'\n    DESC 'End of time interval for which the entry is valid'\n    EQUALITY generalizedTimeMatch\n    ORDERING generalizedTimeOrderingMatch\n    SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )\n#\nolcattributeTypes: ( 1.3.6.1.4.1.15953.9.1.10\n    NAME 'sudoOrder'\n    DESC 'an integer to order the sudoRole entries'\n    EQUALITY integerMatch\n    ORDERING integerOrderingMatch\n    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )\n#\nolcobjectclasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL\n    DESC 'Sudoer Entries'\n    MUST ( cn )\n    MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ sudoRunAsGroup $ sudoOption $ sudoOrder $ sudoNotBefore $ sudoNotAfter $\n        description )\n    )\nEOL\n<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"update-open-ldap-slapd-database\">Update OpenLDAP SLAPD Database<\/h3>\n\n\n\n<p>Edit the SLAPD LDIF file,&nbsp;<code><strong>\/etc\/openldap\/slapd.ldif<\/strong><\/code>, and update it as follows;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">mv \/etc\/openldap\/slapd.ldif \/etc\/openldap\/slapd.ldif.bak<\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>cat &gt; \/etc\/openldap\/slapd.ldif &lt;&lt; 'EOL'\ndn: cn=config\nobjectClass: olcGlobal\ncn: config\nolcArgsFile: \/var\/lib\/openldap\/slapd.args\nolcPidFile: \/var\/lib\/openldap\/slapd.pid\n\ndn: cn=schema,cn=config\nobjectClass: olcSchemaConfig\ncn: schema\n\ndn: cn=module,cn=config\nobjectClass: olcModuleList\ncn: module\nolcModulepath: \/usr\/libexec\/openldap\nolcModuleload: back_mdb.la\n\ninclude: file:\/\/\/etc\/openldap\/schema\/core.ldif\ninclude: file:\/\/\/etc\/openldap\/schema\/cosine.ldif\ninclude: file:\/\/\/etc\/openldap\/schema\/nis.ldif\ninclude: file:\/\/\/etc\/openldap\/schema\/inetorgperson.ldif\ninclude: file:\/\/\/etc\/openldap\/schema\/sudo.ldif\n#include: file:\/\/\/etc\/openldap\/schema\/ppolicy.ldif\ndn: olcDatabase=frontend,cn=config\nobjectClass: 
olcDatabaseConfig\nobjectClass: olcFrontendConfig\nolcDatabase: frontend\nolcAccess: to dn.base=\"cn=Subschema\" by * read\nolcAccess: to * \n  by dn.base=\"gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\" manage \n  by * none\n\ndn: olcDatabase=config,cn=config\nobjectClass: olcDatabaseConfig\nolcDatabase: config\nolcRootDN: cn=config\nolcAccess: to * \n  by dn.base=\"gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\" manage \n  by * none\nEOL\n<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>To update the SLAPD database from the information provided on the SLAPD LDIF file above, use&nbsp;<code><strong>slapadd<\/strong><\/code>&nbsp;command with the option&nbsp;<code><strong>-n 0<\/strong><\/code>&nbsp;which creates the first database.<\/li>\n\n\n\n<li>To specify the configuration directory,&nbsp;<strong><code>\/etc\/openldap\/slapd.d<\/code><\/strong>, use option&nbsp;<strong><code>-F<\/code><\/strong>&nbsp;and option&nbsp;<strong><code>-l<\/code><\/strong>&nbsp;to specify location of the LDIF file above.<\/li>\n<\/ul>\n\n\n\n<p>Before you can write the changes to the database, perform a dry run to see what would happen. 
Pass&nbsp;<strong><code>-u<\/code><\/strong>&nbsp;option to slapadd command.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">slapadd -n 0 -F \/etc\/openldap\/slapd.d -l \/etc\/openldap\/slapd.ldif -u<\/pre>\n\n\n\n<p>Then implement the changes if there is no error;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">slapadd -n 0 -F \/etc\/openldap\/slapd.d -l \/etc\/openldap\/slapd.ldif<\/pre>\n\n\n\n<p>This command creates slapd database configurations under&nbsp;<code>\/etc\/openldap\/slapd.d<\/code>&nbsp;directory.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">ls \/etc\/openldap\/slapd.d<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">'cn=config'  'cn=config.ldif'<\/pre>\n\n\n\n<p>Set the user and group ownership of the&nbsp;<code>\/etc\/openldap\/slapd.d<\/code>&nbsp;directory and the files in it to ldap user.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">chown -R ldap:ldap \/etc\/openldap\/slapd.d<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"running-slapd-service\">Running SLAPD Service<\/h3>\n\n\n\n<p>Reload systemd configurations and start and enable OpenLDAP service to run on boot.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">systemctl daemon-reload<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">systemctl enable --now slapd<\/pre>\n\n\n\n<p>Check the status;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">systemctl status slapd<\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\n\u25cf slapd.service - OpenLDAP Server Daemon\n   Loaded: loaded (\/etc\/systemd\/system\/slapd.service; enabled; vendor preset: disabled)\n   Active: active (running) since Wed 2023-08-02 00:06:58 EDT; 9s ago\n     Docs: man:slapd\n           man:slapd-mdb\n  Process: 101987 ExecStart=\/usr\/libexec\/slapd -u ldap -g ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS (code=exited, status=0\/SUCCESS)\n Main PID: 101988 (slapd)\n    Tasks: 2 (limit: 11131)\n   Memory: 3.1M\n   CGroup: \/system.slice\/slapd.service\n           \u2514\u2500101988 \/usr\/libexec\/slapd -u ldap -g 
ldap -h ldap:\/\/\/ ldapi:\/\/\/ ldaps:\/\/\/ -F \/etc\/openldap\/slapd.d\n\nAug 02 00:06:58 localhost.localdomain systemd[1]: Starting OpenLDAP Server Daemon...\nAug 02 00:06:58 localhost.localdomain slapd[101987]: @(#) $OpenLDAP: slapd 2.6.5 (Aug  1 2023 15:41:52) $\n                                                             root@localhost.localdomain:\/root\/openldap-2.6.5\/servers\/slapd\nAug 02 00:06:58 localhost.localdomain slapd[101988]: slapd starting\nAug 02 00:06:58 localhost.localdomain systemd[1]: Started OpenLDAP Server Daemon.\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"configure-open-ldap-logging-on-rocky-linux-8\">Configure OpenLDAP Logging on Rocky Linux 8<\/h3>\n\n\n\n<p>To enable OpenLDAP to log connections, operations and result statistics, create an ldif file and update the database as follows. Such OpenLDAP logging is enabled on<a rel=\"noreferrer noopener\" href=\"https:\/\/www.openldap.org\/doc\/admin24\/slapdconfig.html\" target=\"_blank\">&nbsp;log level&nbsp;<\/a><code><a rel=\"noreferrer noopener\" href=\"https:\/\/www.openldap.org\/doc\/admin24\/slapdconfig.html\" target=\"_blank\">256<\/a><\/code><a rel=\"noreferrer noopener\" href=\"https:\/\/www.openldap.org\/doc\/admin24\/slapdconfig.html\" target=\"_blank\">&nbsp;with keyword&nbsp;<\/a><code><a rel=\"noreferrer noopener\" href=\"https:\/\/www.openldap.org\/doc\/admin24\/slapdconfig.html\" target=\"_blank\">stats<\/a><\/code>&nbsp;by modifying the&nbsp;<code>olcLogLevel<\/code>&nbsp;attribute as shown below.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">cd ~<\/pre>\n\n\n\n<pre class=\"scroll-box\">\ncat &gt; enable-openldap-log.ldif &lt;&lt; 'EOL'\ndn: cn=config\nchangeType: modify\nreplace: olcLogLevel\nolcLogLevel: stats\nEOL\n<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">ldapmodify -Y EXTERNAL -H ldapi:\/\/\/ -f enable-openldap-log.ldif<\/pre>\n\n\n\n<p>Confirm that the change was applied;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">ldapsearch -Y EXTERNAL -H ldapi:\/\/\/ \\\n-b cn=config 
\"(objectClass=olcGlobal)\" olcLogLevel -LLL -Q<\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>dn: cn=config\nolcLogLevel: stats<\/code><\/pre>\n\n\n\n<p>Configure Rsyslog to enable OpenLDAP to log to a specific file. By default, OpenLDAP logs to&nbsp;<code>local4<\/code>&nbsp;facility.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">echo \"local4.* \/var\/log\/slapd.log\" &gt;&gt; \/etc\/rsyslog.conf<\/pre>\n\n\n\n<p>Restart Rsyslog<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">systemctl restart rsyslog<\/pre>\n\n\n\n<p>You should now be able to read the LDAP logs on,&nbsp;<code>\/var\/log\/slapd.log<\/code>.<\/p>\n\n\n\n<p>Update log rotation;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sed -i '\/{\/i \/var\/log\/slapd.log'  \/etc\/logrotate.d\/syslog<\/code><\/pre>\n\n\n\n<p>You syslog log rotation config should now look like;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cat \/etc\/logrotate.d\/syslog<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\">\n\/var\/log\/cron\n\/var\/log\/maillog\n\/var\/log\/messages\n\/var\/log\/secure\n\/var\/log\/spooler\n<strong>\/var\/log\/slapd.log<\/strong>\n{\n    missingok\n    sharedscripts\n    postrotate\n        \/usr\/bin\/systemctl -s HUP kill rsyslog.service >\/dev\/null 2>&amp;1 || true\n    endscript\n}\n<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"create-open-ldap-default-root-dn\">Create OpenLDAP Default Root DN<\/h3>\n\n\n\n<p>Next, create MDB database defining the root DN as well as the access control lists.<\/p>\n\n\n\n<p>First, generate the root DN password.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">slappasswd<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">New password: <strong>ENTER PASSWORD<\/strong>\nRe-enter new password: <strong>RE-ENTER PASSWORD<\/strong>\n<strong>{SSHA}QSFUa8itfMYx3t3DNyAkvL0X+w2e6SXr<\/strong><\/pre>\n\n\n\n<p>Paste the password hash generated above as the value of&nbsp;<strong><code>olcRootPW<\/code><\/strong>&nbsp;in the Root DN ldif file 
below.<\/p>\n\n\n\n<p>Replace the domain components,&nbsp;<code><strong>dc=ldapmaster,dc=kifarunix-demo,dc=com<\/strong><\/code>&nbsp;with your appropriate names.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\ncat > rootdn.ldif << 'EOL'\ndn: olcDatabase=mdb,cn=config\nobjectClass: olcDatabaseConfig\nobjectClass: olcMdbConfig\nolcDatabase: mdb\nolcDbMaxSize: 42949672960\nolcDbDirectory: \/var\/lib\/openldap\nolcSuffix: dc=ldapmaster,dc=kifarunix-demo,dc=com\nolcRootDN: cn=admin,dc=ldapmaster,dc=kifarunix-demo,dc=com\nolcRootPW: {SSHA}QSFUa8itfMYx3t3DNyAkvL0X+w2e6SXr\nolcDbIndex: uid pres,eq\nolcDbIndex: cn,sn pres,eq,approx,sub\nolcDbIndex: mail pres,eq,sub\nolcDbIndex: objectClass pres,eq\nolcDbIndex: loginShell pres,eq\nolcDbIndex: sudoUser,sudoHost pres,eq\nolcAccess: to attrs=userPassword,shadowLastChange,shadowExpire\n  by self write\n  by anonymous auth\n  by dn.subtree=\"gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\" manage \n  by dn.subtree=\"ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com\" read\n  by * none\nolcAccess: to dn.subtree=\"ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com\" by dn.subtree=\"gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\" manage\n  by * none\nolcAccess: to dn.subtree=\"dc=ldapmaster,dc=kifarunix-demo,dc=com\" by dn.subtree=\"gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\" manage\n  by users read \n  by * none\nEOL\n<\/code><\/pre>\n\n\n\n<p>Read more about ACLs on&nbsp;<a href=\"https:\/\/www.openldap.org\/doc\/admin24\/access-control.html\" target=\"_blank\" rel=\"noreferrer noopener\">OpenLDAP Access Control<\/a>.<\/p>\n\n\n\n<p>Update the slapd database with the content above;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">ldapadd -Y EXTERNAL -H ldapi:\/\/\/ -f rootdn.ldif<\/pre>\n\n\n\n<p>Sample command output;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>SASL\/EXTERNAL authentication started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\nadding new 
entry \"olcDatabase=mdb,cn=config\"<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"configure-open-ldap-with-ssl-tls\">Configure OpenLDAP with SSL\/TLS<\/h3>\n\n\n\n<p>To secure OpenLDAP communication between the client and the server, configured it to use SSL\/TLS certificates.<\/p>\n\n\n\n<p>In this guide, we are self-signed certificates. You can choose to obtain the commercially signed and trusted certificates from your preferred CAs, for production environments.<\/p>\n\n\n\n<pre class=\"scroll-box\">\nopenssl req -x509 \\\n\t-nodes \\\n\t-days 3650 \\\n\t-newkey rsa:2048 \\\n\t-keyout \/etc\/pki\/tls\/ldapserver.key \\\n\t-out \/etc\/pki\/tls\/ldapserver.crt\n<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">chown ldap:ldap \/etc\/pki\/tls\/{ldapserver.crt,ldapserver.key}<\/pre>\n\n\n\n<p>Update the OpenLDAP Server TLS certificates attributes.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\ncat > add-tls.ldif << 'EOL'\ndn: cn=config\nchangetype: modify\nadd: olcTLSCACertificateFile\nolcTLSCACertificateFile: \/etc\/pki\/tls\/ldapserver.crt\n-\nadd: olcTLSCertificateKeyFile\nolcTLSCertificateKeyFile: \/etc\/pki\/tls\/ldapserver.key\n-\nadd: olcTLSCertificateFile\nolcTLSCertificateFile: \/etc\/pki\/tls\/ldapserver.crt\nEOL\n<\/code><\/pre>\n\n\n\n<p>Note that we have used self-signed certificate as both the certificate and the CA certificate.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">ldapadd -Y EXTERNAL -H ldapi:\/\/\/ -f add-tls.ldif<\/pre>\n\n\n\n<p>You can confirm this by running;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">slapcat -b \"cn=config\" | grep olcTLS<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">olcTLSCACertificateFile: \/etc\/pki\/tls\/ldapserver.crt\nolcTLSCertificateKeyFile: \/etc\/pki\/tls\/ldapserver.key\nolcTLSCertificateFile: \/etc\/pki\/tls\/ldapserver.crt<\/pre>\n\n\n\n<p>Change the location of the CA certificate on&nbsp;<code>\/etc\/openldap\/ldap.conf<\/code>.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">vim 
\/etc\/openldap\/ldap.conf<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>...\n#TLS_CACERT     \/etc\/pki\/tls\/cert.pem\n<strong>TLS_CACERT     \/etc\/pki\/tls\/ldapserver.crt<\/strong><\/code>\n...<\/pre>\n\n\n\n<p>Save and exit the file.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"create-open-ldap-base-dn\">Create OpenLDAP Base DN<\/h3>\n\n\n\n<p>Next, create your base DN or search base to define your organization structure and directory.<\/p>\n\n\n\n<p>Replace the domain components and organization units accordingly.<\/p>\n\n\n\n<pre class=\"scroll-box\">\ncat > basedn.ldif &lt;&lt; 'EOL'\ndn: dc=ldapmaster,dc=kifarunix-demo,dc=com\nobjectClass: dcObject\nobjectClass: organization\nobjectClass: top\no: Kifarunix-demo\ndc: ldapmaster\n\ndn: ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com\nobjectClass: organizationalUnit\nobjectClass: top\nou: groups\n\ndn: ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\nobjectClass: organizationalUnit\nobjectClass: top\nou: people\nEOL\n<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">ldapadd -Y EXTERNAL -H ldapi:\/\/\/ -f basedn.ldif<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"create-open-ldap-user-accounts\"><a href=\"#create-ldap-user-accounts\">Create OpenLDAP User Accounts<\/a><\/h3>\n\n\n\n<p>You can add users to your OpenLDAP server. 
Create an ldif file to define your users as follows.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\ncat > users.ldif << 'EOL'\ndn: uid=johndoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\nobjectClass: inetOrgPerson\nobjectClass: posixAccount\nobjectClass: shadowAccount\nuid: johndoe\ncn: John\nsn: Doe\nloginShell: \/bin\/bash\nuidNumber: 10000\ngidNumber: 10000\nhomeDirectory: \/home\/johndoe\nshadowMax: 60\nshadowMin: 1\nshadowWarning: 7\nshadowInactive: 7\nshadowLastChange: 0\n\ndn: cn=johndoe,ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com\nobjectClass: posixGroup\ncn: johndoe\ngidNumber: 10000\nmemberUid: johndoe\nEOL\n<\/code><\/pre>\n\n\n\n<p>Add the user to the OpenLDAP database.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">ldapadd -Y EXTERNAL -H ldapi:\/\/\/ -f users.ldif<\/pre>\n\n\n\n<p>Setting the password for the LDAP user<\/p>\n\n\n\n<p>To set the password for the user above, run the command below;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">ldappasswd -H ldapi:\/\/\/ -Y EXTERNAL \\\n-S \"uid=johndoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\"<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"create-open-ldap-bind-dn-and-bind-dn-user\">Create OpenLDAP Bind DN and Bind DN User<\/h3>\n\n\n\n<p>The Bind DN user is used for performing LDAP operations such as resolving user IDs and group IDs. In this guide, we create a bind DN ou called&nbsp;<code>system<\/code>. 
Note the access controls associated with this ou as defined on the root DN above.<\/p>\n\n\n\n<p>List the Access control lists on the database;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:\/\/\/ \\\n-b cn=config '(olcDatabase={1}mdb)' olcAccess<\/pre>\n\n\n\n<p>Create the BindDN user password.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">slappasswd<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">New password: Password\nRe-enter new password: Password\n<strong>{SSHA}lyFDLUYjo+JB4wRm+S9bzjAW0svJugjj<\/strong><\/pre>\n\n\n\n<p>Paste the password hash value above as the value of&nbsp;<strong><code>userPassword<\/code><\/strong>&nbsp;attribute in the file below;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\ncat > bindDNuser.ldif << 'EOL'\ndn: ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com\nobjectClass: organizationalUnit\nobjectClass: top\nou: system\n\ndn: cn=readonly,ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com\nobjectClass: organizationalRole\nobjectClass: simpleSecurityObject\ncn: readonly\nuserPassword: {SSHA}lyFDLUYjo+JB4wRm+S9bzjAW0svJugjj\ndescription: Bind DN user for LDAP Operations\nEOL\n<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">ldapadd -Y EXTERNAL -H ldapi:\/\/\/ -f bindDNuser.ldif<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"implement-open-ldap-password-policies\">Implement OpenLDAP Password Policies<\/h3>\n\n\n\n<p>To ensure that you can enforce password complexity policies from OpenLDAP server, check the guide below;<\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/implement-openldap-password-policies\/\" target=\"_blank\" rel=\"noreferrer noopener\">Implement OpenLDAP Password Policies<\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"allow-open-ldap-service-on-firewall\">Allow OpenLDAP Service on Firewall<\/h3>\n\n\n\n<p>To allow remote clients to query OpenLDAP server, allow the&nbsp;<code>ldap<\/code>&nbsp;<strong>(389 
UDP\/TCP)<\/strong>&nbsp;and&nbsp;<code>ldaps<\/code>&nbsp;(636 UDP\/TCP) services on the firewall.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">firewall-cmd --add-service={ldap,ldaps} --permanent<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">firewall-cmd --reload<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"testing-open-ldap-authentication\">Testing OpenLDAP Authentication<\/h3>\n\n\n\n<p>Well, there you go. You have learnt how to install and setup OpenLDAP server on Rocky Linux 8.<\/p>\n\n\n\n<p>To verify that users can actually connect to the systems via the OpenLDAP server, you need to configure OpenLDAP clients on the remote systems.<\/p>\n\n\n\n<p>See the guide below;<\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/configure-sssd-for-ldap-authentication-on-rocky-linux-8\/\" target=\"_blank\" rel=\"noreferrer noopener\">Configure SSSD for LDAP Authentication on Rocky Linux 8<\/a><\/p>\n\n\n\n<p>Other Tutorials<\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/configure-squid-proxy-openldap-authentication-on-pfsense\/\" target=\"_blank\" rel=\"noreferrer noopener\">Configure Squid Proxy OpenLDAP Authentication on pfSense<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/configure-openldap-password-expiry-email-notification\/\" target=\"_blank\" rel=\"noreferrer noopener\">Configure OpenLDAP Password Expiry Email Notification<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/configure-openvpn-ldap-based-authentication\/\" target=\"_blank\" rel=\"noreferrer noopener\">Configure OpenVPN LDAP Based Authentication<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this guide, we provide a step by step tutorial on how to install and setup OpenLDAP on Rocky Linux 8. 
If you are here,<\/p>\n","protected":false},"author":1,"featured_media":9219,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[121,285,1099],"tags":[3720,3718,248,286,3719,3587],"class_list":["post-9205","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-howtos","category-directory-server","category-openldap","tag-install-ldap-rocky-linux","tag-install-openldap-rocky-linux","tag-ldap","tag-openldap","tag-openldap-rocky-linux-8","tag-rocky-linux-8","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/9205"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=9205"}],"version-history":[{"count":16,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/9205\/revisions"}],"predecessor-version":[{"id":21779,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/9205\/revisions\/21779"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/9219"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=9205"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=9205"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=9205"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}