LDAP is a solution to access centrally stored information over network. This centrally stored information is organized in a directory that follows X.500 standard.
The information is stored and organized in a hierarchical manner and the advantage of this approach is that the information can be grouped into containers and clients can access these containers whenever needed.
The OpenLDAP hierarchy is almost similar to the DNS hierarchy.
The following are the two most commonly used objects in OpenLDAP:
1. cn (common name) – This refers to the leaf entries, which are end objects (for example: users and groups)
2. dc (domain component) – This refers to one of the container entries in the LDAP hierarchy. If in a setup the LDAP hierarchy is mapped to a DNS hierarchy, typically all DNS domains are referred to as DC objects.
For example, if there is user in the hierarchy sam.thegeekstuff.com, the fully distinguished name of this user is referred as cn=sam, dc=thegeekstuff, dc=com. If you noticed in the FDN (fully distinguished name), a comma is used a separator and not a dot, which is common in DNS.
By using the different LDAP entry types, you can setup a hierarchical directory structure. This is the reason why openLDAP is so widely used. You can easily build an openLDAP hierarchy where objects in the other locations are easily referred to without storing them on local servers. This makes OpenLDAP a lightweight directory, especially when compared to other directory servers such as Microsoft’s Active directory.
Now lets see how to setup a single instance of an LDAP server that can be used by multiple clients in your network for authentication.
Install OpenLDAP Packages
On CentOS and RedHat, use yum install as shown below, to install the openldap related packages.
yum install -y openldap openldap-clients openldap-servers
You should install the following three packages:
1 openldap-servers – This is the main LDAP server
2 openldap-clients – This contains all required LDAP client utilities
3 openldap – This packages contains the LDAP support libraries
LDAP Config Files
. config.ldif – The LDAP default configuration is stored under a file in /etc/openldap/slapd.d/cn=config.ldif that is created in the LDIF format. This is the LDAP Input Format (LDIF), a specific format that allows you to enter information in to the LDAP directory.
. olcDatabase{2}bdb.ldif – You can also modify the settings like number of connections the server can support, timeouts and other database settings under the file /etc/openldap/slapd.d/cn=config/olcDatabase{2}bdb.ldif. This is the file that also contains the parameters like LDAP root user and the base DN.
Create olcRootDN Account as Admin
It is always recommended to create a dedicated user account first with the full permissions to change information on the LDAP database.
Modify the olcDatabase={2}bdb.ldif file, and change the olcRootDN entry. The following is the default entry.
# grep olcRootDN /etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif
olcRootDN: cn=Manager,dc=my-domain,dc=com
Change the above line to an admin user. In this example, user “ramesh” will be the olcRootDN.
olcRootDN: cn=ramesh,dc=thegeekstuff,dc=com
Create olcRootPW Root Password
Now use slappasswd command to create a hash for the root password you want to use. Once the password is generated, open the cn=config.ldif file, include the olcRootPW parameter, and copy the hashed password as shown below.
Execute the following command and specify a password. This will generate the hash for the given password.
# slappasswd
New password: SecretLDAPRootPass2015
Re-enter new password: SecretLDAPRootPass2015
{SSHA}1pgok6qWn24lpBkVreTDboTr81rg4QC6
Take the hash output of the above command and add it to the oclRootPW parameter in the config.ldif file as shown below.
# vim /etc/openldap/slapd.d/cn=config.ldif
olcRootPW: {SSHA}1pgok6qWn24lpBkVreTDboTr81rg4QC6
Create olcSuffix Domain Name
Now setup the olcSuffix and to set the domain that you want. Simply modify the line that starts with olcSuffix in the file olcDatabase={2}bdb.ldif as shown below.
# vim /etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif
olcSuffix: dc=thegeekstuff,dc=com
Verify The Configuration Files
Use slaptest command to verify the configuration file as shown below. This should display “testing succeeded” message as shown below.
# slaptest -u
config file testing succeeded
You might get the following messages during the above command, which you can ignore for now.
54a39508 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif"
54a39508 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif"
Start the LDAP Server
Start the ldap server as shown below.
# service slapd start
Checking configuration files for slapd: [WARNING]
config file testing succeeded
Starting slapd: [ OK ]
Verify the LDAP Search
To verify the ldap server is configured successfully, you can use the below command and verify that the domain entry is present.
# ldapsearch -x -b "dc=thegeekstuff,dc=com"
# extended LDIF
#
# LDAPv3
# base <dc=thegeekstuff,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 32 No such object
# numResponses: 1
Base LDAP Structure in base.ldif
The use of OU (organizational unit) objects can help you in providing additional structure to the LDAP database. If you are planning on adding in different types of entries, such as users, groups, computers, printers and more to the LDAP directory, it makes it easier to put every entry type into its own container.
To create these OU’s, you can create an initial LDIF file as shown in the below example. In this example, this file allows you to create the base container which is dc=thegeekstuff,dc=com and it creates two organizational units with the names users and groups in that container.
# cat base.ldif
dn: dc=thegeekstuff,dc=com
objectClass: dcObject
objectClass: organization
o: thegeekstuff.com
dc: thegeekstuff
dn: ou=users,dc=thegeekstuff,dc=com
objectClass: organizationalUnit
objectClass: top
ou: users
dn: ou=groups,dc=thegeekstuff,dc=com
objectClass: organizationalUnit
objectClass: top
ou: groups
Import Base Structure Using ldapadd
Now we can import the base structure in to the LDAP directory using the ldapadd command as shown below.
# ldapadd -x -W -D "cn=ramesh,dc=thegeekstuff,dc=com" -f base.ldif
Enter LDAP Password:
adding new entry "dc=thegeekstuff,dc=com"
adding new entry "ou=users,dc=thegeekstuff,dc=com"
adding new entry "ou=groups,dc=thegeekstuff,dc=com"
Verify the Base Structure using ldapsearch
To verify the OUs are successfully created, use the following ldapsearch command.
# ldapsearch -x -W -D "cn=ramesh,dc=thegeekstuff,dc=com" -b "dc=thegeekstuff,dc=com" "(objectclass=*)"
Enter LDAP Password:
The output of the above command will display all the objects in the LDAP directory structure.
# extended LDIF
#
# LDAPv3
# base <dc=thegeekstuff,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# thegeekstuff.com
dn: dc=thegeekstuff,dc=com
objectClass: dcObject
objectClass: organization
o: thegeekstuff.com
dc: thegeekstuff
# users, thegeekstuff.com
dn: ou=users,dc=thegeekstuff,dc=com
objectClass: organizationalUnit
objectClass: top
ou: users
# groups, thegeekstuff.com
dn: ou=groups,dc=thegeekstuff,dc=com
objectClass: organizationalUnit
objectClass: top
ou: groups
# search result
search: 2
result: 0 Success
# numResponses: 4
# numEntries: 3
In the next OpenLDAP article, we’ll explain how to add new users and groups to the LDAP Directory.
Add LDAP Users and Groups in OpenLDAP on Linux
To add something to the LDAP directory, you need to first create a LDIF file.
The ldif file should contain definitions for all attributes that are required for the entries that you want to create.
With this ldif file, you can use ldapadd command to import the entries into the directory as explained in this tutorial.
If you are new to OpenLDAP, you should first install OpenLDAP on your system.
Create a LDIF file for New User
The following is a sample LDIF file that will be used to create a new user.
# cat adam.ldif
dn: uid=adam,ou=users,dc=tgs,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: adam
uid: adam
uidNumber: 16859
gidNumber: 100
homeDirectory: /home/adam
loginShell: /bin/bash
gecos: adam
userPassword: {crypt}x
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0
Add a LDAP User using ldapadd
Now, use ldapadd command and the above ldif file to create a new user called adam in our OpenLDAP directory as shown below:
# ldapadd -x -W -D "cn=ramesh,dc=tgs,dc=com" -f adam.ldif
Enter LDAP Password:
adding new entry "uid=adam,ou=users,dc=tgs,dc=com"
Assign Password to LDAP User
To set the password for the LDAP user we just created above, use ldappasswd command as shown in the below example:
# ldappasswd -s welcome123 -W -D "cn=ramesh,dc=tgs,dc=com" -x "uid=adam,ou=users,dc=tgs,dc=com"
Enter LDAP Password:
In the above command:
. -s specify the password for the username entry
. -x The username entry for which the password is changed
. -D specify your DN here. i.e Distinguished name to authenticate in the server
Create LDIF file for New Group
Similar to adding user, you’ll also need a ldif file to add a group.
To add a new group to the LDAP groups OU, you need to create a LDIF with the group information as shown in the example ldif file below.
# cat group1.ldif
dn: cn=dbagrp,ou=groups,dc=tgs,dc=com
objectClass: top
objectClass: posixGroup
gidNumber: 678
Add a LDAP Group using ldapadd
Just like adding user, use ldapadd command to add the group from the group1.ldif file that we created above.
# ldapadd -x -W -D "cn=ramesh,dc=tgs,dc=com" -f group1.ldif
Enter LDAP Password:
adding new entry "cn=dbagrp,ou=groups,dc=tgs,dc=com"
Create LDIF file for an existing Group
To add an existing user to a group, we should still create an ldif file.
First, create an ldif file. In this example, I am adding the user adam to the dbagrp (group id: 678)
# cat file1.ldif
dn: cn=dbagrp,ou=groups,dc=tgs,dc=com
changetype: modify
add: memberuid
memberuid: adam
Add an User to an existing Group using ldapmodify
To add an user to an existing group, we’ll be using ldapmodify. This example will use the above LDIF file to add user adam to dbagrp.
# ldapmodify -x -W -D "cn=ramesh,dc=tgs,dc=com" -f file1.ldif
Enter LDAP Password:
modifying entry "cn=dbagrp,ou=groups,dc=tgs,dc=com"
Verify LDAP Entries
Once you’ve added an user or group, you can use ldapsearch to verify it.
Here is a simple example to verify if the users exists in the LDAP database:
# ldapsearch -x -W -D "cn=ramesh,dc=tgs,dc=com" -b "uid=adam,ou=users,dc=tgs,dc=com" "(objectclass=*)"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <uid=adam,ou=users,dc=tgs,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# adam, users, tgs.com
dn: uid=adam,ou=users,dc=tgs,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: adam
uid: adam
uidNumber: 16859
gidNumber: 100
homeDirectory: /home/adam
loginShell: /bin/bash
gecos: adam
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0
userPassword:: e1NTSEF9b0lPd3AzYTBmT2xQcHBPNDcrK0VHRndEUjdMV2hSZ2U=
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
Delete an Entry from LDAP using ldapdelete
If you’ve made a mistake while adding an user or group, you can remove the entry using ldapdelete.
To delete an entry, you don’t need to create an ldif file. The following will delete user “adam” that we created earlier.
# ldapdelete -W -D "cn=ramesh,dc=tgs,dc=com" "uid=adam,ou=users,dc=tgs,dc=com"
Enter LDAP Password:
Коментари
Публикуване на коментар