OpenLDAP deployment (personally tested, works)

Preface

When I recently set up OpenLDAP, most of the articles I found through Baidu were missing steps or could not be followed through to the end. I have organized this article myself for your reference; please point out any errors.
 
 

Introduction

Lightweight Directory Access Protocol (LDAP for short) is an industry-standard lightweight protocol that is widely used to access directory services. A directory service is a shared information infrastructure for accessing, managing, organizing, and updating everyday items and network resources, such as users, groups, devices, email addresses, phone numbers, volumes, and many other objects.
  

The LDAP information model is based on entries. An entry in an LDAP directory represents a single unit of information and is uniquely identified by a so-called distinguished name (DN). Each entry has attributes, and each attribute has a type and one or more values.
  
An attribute is a piece of information associated with an entry. Attribute types are usually mnemonic strings, for example "cn" stands for common name and "mail" for an email address. Each attribute carries one or more values; in LDIF, a multi-valued attribute is written as one "type: value" line per value.
 
  

The following explains how to arrange information in the LDAP directory.
 
 

(Figure: LDAP information model)
 
In this article, we will show how to install and configure an OpenLDAP server on CentOS 7 for centralized authentication.
 
  
 

Installation

  
 
 

  • Environment: CentOS 7.6
  • Firewall turned off (the setup below exposes plaintext LDAP on TCP 389 and the Manager password travels in clear over a simple bind, so do this only on a lab network; for production keep firewalld on and add TLS)
  • OpenLDAP version 2.4.xx
     
     

 
1. First, install OpenLDAP, which is an open source implementation of LDAP, together with the traditional LDAP client and management utilities, using the following command.
 

#yum -y install openldap compat-openldap openldap-clients openldap-servers openldap-devel 

 
2. On CentOS 7, run the following commands to start the slapd daemon, enable it at boot, check that it is running, and print the installed version.
  

# systemctl start slapd
# systemctl enable slapd
# systemctl status slapd
# slapd -VV

 

Configure ldap server

 

Note: Do not edit the files under /etc/openldap/slapd.d by hand. Instead, put each configuration change into an LDIF file and load it into the running server with ldapadd or ldapmodify as shown below; that keeps the on-disk cn=config database consistent with what slapd has in memory.
 

  1. Now generate the password hash for the OpenLDAP administrator. The following command prompts for a password and prints its hash (slappasswd does not create a user by itself). Note the hash value; you will use it in the LDAP configuration file.
     

    # slappasswd

     

  2. Then create an LDIF file (ldaprootpasswd.ldif) that sets the root password of the configuration database (cn=config).
     

    # vim ldaprootpasswd.ldif

     

    dn: olcDatabase={0}config,cn=config
    changetype: modify
    add: olcRootPW
    olcRootPW: {SSHA}PASSWORD_CREATED

     
    Explanation of the attribute-value pairs above:

    olcDatabase={0}config: the configuration database itself; its on-disk form is /etc/openldap/slapd.d/cn=config/olcDatabase={0}config.ldif.
    cn=config: the root of the configuration tree (global options).
    PASSWORD_CREATED: the hash printed by slappasswd. Whoever knows the corresponding password can bind as cn=config and rewrite the whole server configuration, so treat it like the root password.

 
3. Next, load the change into the running server. The ldapi:/// URI is the local UNIX socket, and -Y EXTERNAL authenticates with the peer credentials of the calling process (root), which is why no password is needed yet.

# ldapadd -Y EXTERNAL -H ldapi:/// -f ldaprootpasswd.ldif
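The three steps above can be scripted. The bash functions below are an added example, not code from the original post or from the OpenLDAP project: they reproduce the {SSHA} scheme that slappasswd emits (base64 of SHA-1(password || salt) followed by the salt, which slappasswd makes 4 bytes long), verify a password against such a hash, and write the ldaprootpasswd.ldif shown above with the hash filled in. The function names and the ADMIN_PW variable are my own; the script assumes bash and GNU coreutils (sha1sum, od, base64).

```shell
#!/bin/bash
# Added example (not from the original post): reproduce the {SSHA} scheme
# slappasswd uses, so a provisioning script can create and verify
# olcRootPW / userPassword values without the interactive prompt.
#   {SSHA}<base64( SHA1(password || salt) || salt )>
set -eu

# hex string -> raw bytes on stdout (bash printf: %b understands \0ddd octal escapes)
hex2bin() {
    local h=$1 esc='' pair
    while [ ${#h} -ge 2 ]; do
        pair=${h%"${h#??}"}                         # first two hex digits
        esc="$esc$(printf '\\0%03o' "$((0x$pair))")"
        h=${h#??}
    done
    printf '%b' "$esc"
}

# raw bytes on stdin -> lowercase hex
bin2hex() { od -An -v -tx1 | tr -d ' \n'; }

# ssha_hash PASSWORD [SALT_HEX] -> "{SSHA}..."; the salt defaults to 4 random bytes
ssha_hash() {
    local pw=$1 salt=${2:-$(od -An -N4 -tx1 /dev/urandom | tr -d ' \n')} digest
    digest=$( { printf '%s' "$pw"; hex2bin "$salt"; } | sha1sum | cut -d' ' -f1 )
    printf '{SSHA}%s\n' "$(hex2bin "$digest$salt" | base64 | tr -d '\n')"
}

# ssha_check PASSWORD HASH -> exit status 0 only if PASSWORD matches HASH
ssha_check() {
    local pw=$1 hash=${2#\{SSHA\}} raw digest salt calc
    raw=$(printf '%s' "$hash" | base64 -d | bin2hex)
    digest=$(printf '%s' "$raw" | cut -c1-40)      # SHA-1 = 20 bytes = 40 hex digits
    salt=$(printf '%s' "$raw" | cut -c41-)         # everything after it is the salt
    calc=$( { printf '%s' "$pw"; hex2bin "$salt"; } | sha1sum | cut -d' ' -f1 )
    [ "$calc" = "$digest" ]
}

# rootpw_ldif HASH -> the ldaprootpasswd.ldif from the article with the hash filled in
rootpw_ldif() {
    cat <<EOF
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: $1
EOF
}

# Typical use (ADMIN_PW is a hypothetical variable holding the chosen password):
#   HASH=$(ssha_hash "$ADMIN_PW")        # replaces the interactive slappasswd
#   ssha_check "$ADMIN_PW" "$HASH"       # confirm the hash before loading it
#   rootpw_ldif "$HASH" > ldaprootpasswd.ldif
#   ldapadd -Y EXTERNAL -H ldapi:/// -f ldaprootpasswd.ldif
```

slappasswd itself also has a non-interactive form, `slappasswd -s 'secret'`. The point of ssha_check is being able to confirm that the hash you pasted into an LDIF really matches the password you think it does before the change is loaded into cn=config; the same check works on a userPassword value copied out of a user entry.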

 

Configure LDAP data

 
 
1. Now copy the sample tuning file for the HDB/BDB backend (DB_CONFIG) into the /var/lib/ldap directory, give it to the ldap user, and restart slapd so it is picked up.
 

#  cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
# chown -R ldap:ldap /var/lib/ldap/DB_CONFIG
# systemctl restart slapd

 
2. Next, import some basic LDAP schemas from the /etc/openldap/schema directory as shown below.

#  ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif 
#  ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
#  ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

 

3. Now configure the main database for your domain: create a file named ldapdomain.ldif with the following content.

 

#  vim ldapdomain.ldif

 
Add the following to it (replace dc=example,dc=com with your domain and PASSWORD with the hash obtained from slappasswd; you may generate a separate hash if the Manager password should differ from the cn=config one). The entries target olcDatabase={2}hdb, the default backend of the CentOS 7 openldap-servers package; if `ls /etc/openldap/slapd.d/cn=config` shows olcDatabase={2}mdb.ldif instead, use {2}mdb throughout.

dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
  read by dn.base="cn=Manager,dc=example,dc=com" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=example,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=example,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}PASSWORD

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by
  dn="cn=Manager,dc=example,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=example,dc=com" write by * read

 
The olcAccess rules on {2}hdb mean the following: userPassword and shadowLastChange can be read and written only by the Manager, changed by the user themselves, and used by anonymous clients to authenticate (bind) without being readable; the root DSE (the empty DN) is readable by everyone; everything else is readable by everyone, including anonymous clients, and writable by the Manager. The last rule is convenient for NSS lookups but means the whole user list is visible to anyone who can reach port 389. The rule on {1}monitor gives the local root (via ldapi) and the Manager read access to the monitoring backend and nobody else.

4. Then use the following command to load the above configuration into the LDAP server.

 

#  ldapmodify -Y EXTERNAL -H ldapi:/// -f ldapdomain.ldif

 
5. In this step, add the top-level entries to the directory: the base DN, the Manager role, and the People and Group organizational units. Create another file named baseldapdomain.ldif with the following content.

 

dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: example com
dc: example

dn: cn=Manager,dc=example,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=example,dc=com
objectClass: organizationalUnit
ou: Group 

 
Save the file and then add the entries to the LDAP directory, this time binding as the Manager with a simple bind (-x -D ... -W; enter the Manager password at the prompt). Do not combine -x with -Y EXTERNAL: simple bind and SASL are mutually exclusive and the client tools refuse the command.

 

#  ldapadd -x -D cn=Manager,dc=example,dc=com -W -f baseldapdomain.ldif

 
6. The next step is to create a local account (here tecmint) so that its UID and GID can be reused for the LDAP entries, and set a password for it.

 

#  useradd tecmint
#  passwd tecmint

 
7. Then define the LDAP group in a file named ldapgroup.ldif with the following content.

 

dn: cn=Manager,ou=Group,dc=example,dc=com
objectClass: top
objectClass: posixGroup
cn: Manager
gidNumber: 1005

 
In the above entry, gidNumber must be the GID that useradd assigned to tecmint in /etc/group (check with `getent group tecmint`); 1005 is only an example. The naming attribute cn must also be present in the entry, otherwise slapd rejects it with a naming violation.
 

#  ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f ldapgroup.ldif

 

8. Next, create another LDIF file named ldapuser.ldif and add the definition of user tecmint.
 

dn: uid=tecmint,ou=People,dc=example,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: tecmint
uid: tecmint
uidNumber: 1005
gidNumber: 1005
homeDirectory: /home/tecmint
userPassword: {SSHA}PASSWORD_HERE
loginShell: /bin/bash
gecos: tecmint
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0

 
Then load the entry into the LDAP directory. PASSWORD_HERE is a hash from slappasswd, and uidNumber/gidNumber should match the local account created in step 6. Note that shadowLastChange: 0 means "never changed", which pam_unix interprets as "must change the password at first login", and shadowMax: 0 gives the password a lifetime of zero days; for a normal account set shadowLastChange to today's day count (days since 1970-01-01) and shadowMax to a real lifetime such as 99999.

# ldapadd -x -D cn=Manager,dc=example,dc=com -W -f ldapuser.ldif
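Steps 5 to 8 above, together with the olcAccess rules from ldapdomain.ldif, can be checked with the following bash script. It is an added example and not part of the original post: group_ldif and user_ldif generate the group and user entries from parameters (with the naming attribute present and usable shadow values), and verify_acl runs ldapsearch/ldapwhoami against the live server to confirm that anonymous clients can read the entry but not userPassword, that the Manager can read it, and that the user can bind with their own password. The suffix and rootdn are the article's; the LDAP URI, the function names and the LDAP_ADMIN_PW variable are my assumptions.

```shell
#!/bin/bash
# Added example (not from the original post): build group/user entries from
# variables instead of hand-editing LDIF, and check that the olcAccess rules
# loaded from ldapdomain.ldif behave as intended against a running slapd.
set -eu

SUFFIX=${SUFFIX:-dc=example,dc=com}          # from the article
ROOTDN=${ROOTDN:-cn=Manager,$SUFFIX}         # from the article
URI=${URI:-ldap://localhost}                 # assumption: server on this host

# Days since 1970-01-01, the unit shadowLastChange and shadowMax are expressed in.
today_days() { echo $(( $(date +%s) / 86400 )); }

# group_ldif NAME GID -> posixGroup entry. The naming attribute (cn) must be
# present in the entry or slapd refuses it with a naming violation.
group_ldif() {
    cat <<EOF
dn: cn=$1,ou=Group,$SUFFIX
objectClass: top
objectClass: posixGroup
cn: $1
gidNumber: $2
EOF
}

# user_ldif NAME UID GID HASH -> posixAccount entry; HASH is a slappasswd value.
# shadowLastChange is today's day number and shadowMax a long lifetime:
# shadowLastChange: 0 would make pam_unix demand a new password at first login.
user_ldif() {
    cat <<EOF
dn: uid=$1,ou=People,$SUFFIX
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: $1
uid: $1
uidNumber: $2
gidNumber: $3
homeDirectory: /home/$1
userPassword: $4
loginShell: /bin/bash
gecos: $1
shadowLastChange: $(today_days)
shadowMax: 99999
shadowWarning: 7
EOF
}

# verify_acl NAME USER_PASSWORD: needs a reachable slapd and the Manager password
# in LDAP_ADMIN_PW. Returns 0 only if all three expectations hold.
# (-w puts passwords on the command line; use -W interactively if ps visibility matters.)
verify_acl() {
    local dn="uid=$1,ou=People,$SUFFIX" out
    # 1. "by * read" lets anonymous read the entry; "by * none" on userPassword hides the hash
    out=$(ldapsearch -x -H "$URI" -b "$dn" -s base -LLL 2>&1 || true)
    case $out in *"dn: $dn"*) ;; *) echo "FAIL: entry not readable anonymously: $out"; return 1;; esac
    case $out in *userPassword:*) echo "FAIL: userPassword readable anonymously"; return 1;; esac
    # 2. the rootdn has write, and therefore read, access to userPassword
    out=$(ldapsearch -x -H "$URI" -D "$ROOTDN" -w "${LDAP_ADMIN_PW:?set LDAP_ADMIN_PW to the Manager password}" \
          -b "$dn" -s base -LLL userPassword 2>&1 || true)
    case $out in *userPassword:*) ;; *) echo "FAIL: Manager cannot read userPassword: $out"; return 1;; esac
    # 3. "by anonymous auth" lets the user authenticate with their own password
    ldapwhoami -x -H "$URI" -D "$dn" -w "$2" >/dev/null 2>&1 || { echo "FAIL: user bind as $dn"; return 1; }
    echo "ACLs behave as configured for $dn"
}

# Typical use once slapd is up (USER_PW is a hypothetical variable):
#   group_ldif tecmint 1005 | ldapadd -x -D "$ROOTDN" -W
#   user_ldif tecmint 1005 1005 "$(slappasswd -s "$USER_PW")" | ldapadd -x -D "$ROOTDN" -W
#   LDAP_ADMIN_PW=... verify_acl tecmint "$USER_PW"
```

If verify_acl reports that userPassword is readable anonymously, the olcAccess rules on the {2}hdb database were not applied (for example because the ldapmodify against ldapdomain.ldif failed on a typo), and every password hash in the directory is exposed to anyone who can reach port 389.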

 
 
Once the central authentication server is set up, the remaining work is on the client side: configure the clients to authenticate against LDAP, and manage the directory with a GUI such as phpLDAPadmin or ldapadmin.exe (recommended).

 
For more information, please refer to the corresponding document in the "OpenLDAP Software" document directory


Source: blog.51cto.com/11815010/2546955