210.4 Configuring an OpenLDAP server (weight: 4)

Configuring an OpenLDAP Server: A Comprehensive Guide #

Introduction #

In this tutorial, we will explore how to configure an OpenLDAP server, covering all the essential steps and commands required to set up, manage, and troubleshoot an LDAP (Lightweight Directory Access Protocol) server. LDAP is widely used for directory services that involve storing and retrieving organizational information such as usernames and passwords, and OpenLDAP is one of the most popular open-source implementations of this protocol.

Key Knowledge Areas: #

  • OpenLDAP installation
  • LDAP configuration files
  • LDAP schema
  • LDAP entries management
  • LDAP search operations
  • Security with LDAP (using TLS)

Utilities: #

  • slapd
  • ldapadd
  • ldapmodify
  • ldapdelete
  • ldapsearch
  • slaptest
  • ldappasswd

Step-by-Step Guide #

Step 1: Installing OpenLDAP #

First, you need to install the OpenLDAP server and the client packages. This can vary based on your Linux distribution.

For Debian/Ubuntu:

sudo apt update
sudo apt install slapd ldap-utils

For CentOS/RHEL:

sudo yum install openldap-servers openldap-clients

Step 2: Configuring OpenLDAP #

The main configuration file for OpenLDAP is slapd.conf, but many modern installations use a dynamic configuration stored in the slapd.d directory. To start, we’ll generate a basic configuration using slaptest.

Create a simple configuration:

  1. Create a new configuration file, slapd.conf:
include /etc/ldap/schema/core.schema
pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args

moduleload back_mdb

database mdb
maxsize 1073741824
suffix "dc=example,dc=com"
rootdn "cn=admin,dc=example,dc=com"
rootpw {SSHA}password_hash
directory /var/lib/ldap
index objectClass eq
  1. Convert this configuration to the slapd.d format:
sudo slaptest -f slapd.conf -F /etc/ldap/slapd.d
  1. Ensure permissions and ownership are correct:
sudo chown -R ldap:ldap /etc/ldap/slapd.d
sudo chmod -R 700 /etc/ldap/slapd.d

Step 3: Managing LDAP Entries #

Add an LDAP entry:

Create an LDIF file, add_entry.ldif, containing the following:

dn: cn=John Doe,dc=example,dc=com
objectClass: inetOrgPerson
cn: John Doe
sn: Doe
mail: johndoe@example.com
userPassword: password123

Add the entry:

ldapadd -x -D "cn=admin,dc=example,dc=com" -W -f add_entry.ldif

Modify an LDAP entry:

Create a modification LDIF file, modify_entry.ldif:

dn: cn=John Doe,dc=example,dc=com
changetype: modify
replace: mail
mail: john.doe@example.com

Apply the modification:

ldapmodify -x -D "cn=admin,dc=example,dc=com" -W -f modify_entry.ldif

Delete an LDAP entry:

ldapdelete -x -D "cn=admin,dc=example,dc=com" -W "cn=John Doe,dc=example,dc=com"

Step 4: Searching LDAP Entries #

To search for an entry:

ldapsearch -x -LLL -b "dc=example,dc=com" "(cn=John Doe)"

Step 5: Securing LDAP with TLS #

  1. Generate TLS certificates or obtain them from a CA.
  2. Configure slapd to use TLS:
TLSCACertificateFile /etc/ssl/certs/ca-certificates.crt
TLSCertificateFile /etc/ssl/certs/ldapserver.crt
TLSCertificateKeyFile /etc/ssl/private/ldapserver.key
  1. Restart slapd to apply changes.

Conclusion #

By following this guide, you’ve learned how to set up and manage an OpenLDAP server on a Linux system. You’ve covered installation, basic configuration, adding, modifying, deleting entries, and securing the connection with TLS. LDAP is a powerful tool for centralized authentication and should be secured appropriately in a production environment. Continue to explore more advanced configurations and optimizations based on your organizational needs.