Creating a simple LDAP directory with OpenLDAP 2.4 in CentOS 6.4

Hi again!

I like to write posts so I don’t forget things that I test in my lab. Today I wanted to create an LDAP directory for my future projects, where I want to use LDAP for authentication.

Update: I use OpenLDAP in this post but you may use 389-ds as 42zy suggests.

In this guide I’ve used information from these sources. I wish to thank all the people behind these sites and those who provide all the open source software.

Reference: Red Hat Deployment Guide

Reference: OpenLDAP Quickstart

Reference: Zytrax LDAP book [1] and [2]

Reference: IBM [1] and [2]

1) Let’s install the packages for OpenLDAP

# yum install openldap openldap-clients openldap-servers

2) We are going to create a backup of the /etc/openldap/slapd.d/cn=config.ldif configuration file.

# cp /etc/openldap/slapd.d/cn\=config.ldif /etc/openldap/slapd.d/cn\=config.ldif.orig

3) Let’s modify some options in the /etc/openldap/slapd.d/cn=config.ldif configuration file:

  • Delete the olcAllows: bind_v2 line, in my case I only want LDAPv3 connections.
  • I’ve changed olcIdleTimeout: from 0 to 60, so idle connections will be closed after 60 seconds.

4) Now we are going to create a backup of the configuration file for the BDB database used by OpenLDAP

# cp /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}bdb.ldif /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}bdb.ldif.orig

5) Let’s change some configuration options for the database. My domain will be example.com.

  • I’ve changed olcSuffix: dc=my-domain,dc=com so OpenLDAP uses my own domain, e.g. olcSuffix: dc=example,dc=com
  • The RootDN is the user that can manage the LDAP server without restrictions. Change the olcRootDN line so it reflects your domain configuration, e.g. olcRootDN: cn=admin,dc=example,dc=com
  • We have to add a password for the RootDN user; we can generate one using the slappasswd command. We’ll paste the {SSHA}… password it generates into the olcRootPW: directive, e.g. olcRootPW: {SSHA}blahblahcode

6) Now we are going to start the OpenLDAP server and we are going to configure it to start at boot time.

# chkconfig slapd on
# service slapd start
Starting slapd: [ OK ]

7) We need to create an LDIF (LDAP Data Interchange Format) file with the configuration for our organization’s LDAP tree. I will also create two organizational units: one called People, to which all users will belong, and another called Groups, which will be used to create groups for my organization. At the end of the file I specify who the RootDN for this LDAP tree is (cn=admin,dc=example,dc=com).

Very Important: no space must be placed at the end of each line, use only new line characters!

dn: dc=example,dc=com
objectclass: dcObject
objectclass: organization
o: Example Org
dc: example

dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: People

dn: ou=Groups,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: Groups

dn: cn=admin,dc=example,dc=com
objectclass: organizationalRole
cn: admin

8) Now we apply our LDIF file. We’ll need the admin password. Finally we can test if the LDAP tree is ready with the ldapsearch command.

# ldapadd -x -D "cn=admin,dc=example,dc=com" -W -f example.ldif
# ldapsearch -x -b 'dc=example,dc=com' '(objectclass=*)'

9) I’m not using LDAP for Unix authentication, I’m preparing my LDAP directory for web application authentication. I’ll create an LDIF file with entries for a user that will be authenticated. I’m using a Á (A with an accent) in my given name; non-ASCII characters cannot be written literally in an LDIF value, so the attributes that contain it are written with the double-colon form (cn:: …) and hold the base64 encoding of the UTF-8 bytes.

dn: uid=mcabrerizo,ou=People,dc=example,dc=com
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
uid: mcabrerizo
cn:: TWlndWVsIMOBbmdlbCBDYWJyZXJpem8=
sn: Cabrerizo
givenName:: TWlndWVsIMOBbmdlbA==
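Both LDIF pitfalls this post runs into (a stray space at the end of a line, and a non-ASCII character such as the Á in the given name) disappear if the LDIF is generated rather than typed. This added Python example, not part of the original post, renders the step-9 user entry following RFC 2849: values that are not plain ASCII, or that start or end with whitespace, go out base64-encoded with “::”, and long lines are folded; the function names are mine.

```python
import base64
from typing import Iterable, Tuple


def needs_base64(raw: bytes) -> bool:
    """RFC 2849: a value may appear literally only if every byte is ASCII
    (no NUL, CR, LF, nothing >= 0x80) and it does not start with a space,
    ':' or '<'. We also encode values ending in a space, because a trailing
    space would otherwise silently become part of the stored value."""
    if not raw:
        return False
    if raw[0] in b" :<" or raw[-1] == 0x20:
        return True
    return any(b in (0x00, 0x0A, 0x0D) or b >= 0x80 for b in raw)


def fold(line: str, width: int = 76) -> str:
    """Fold a long LDIF line; continuation lines start with one space."""
    pieces = [line[:width]]
    rest = line[width:]
    while rest:
        pieces.append(" " + rest[: width - 1])
        rest = rest[width - 1:]
    return "\n".join(pieces)


def ldif_attr(name: str, value: str) -> str:
    """Render one 'name: value' line or, when required, 'name:: base64'."""
    raw = value.encode("utf-8")
    if needs_base64(raw):
        return fold(f"{name}:: {base64.b64encode(raw).decode('ascii')}")
    return fold(f"{name}: {value}")


def ldif_entry(dn: str, attrs: Iterable[Tuple[str, str]]) -> str:
    """Render a complete LDIF entry: DN first, blank line after."""
    lines = [ldif_attr("dn", dn)] + [ldif_attr(n, v) for n, v in attrs]
    return "\n".join(lines) + "\n\n"


def user_entry() -> str:
    """The post's mcabrerizo entry, with the accented name encoded correctly."""
    return ldif_entry(
        "uid=mcabrerizo,ou=People,dc=example,dc=com",
        [("objectclass", "top"), ("objectclass", "person"),
         ("objectclass", "organizationalPerson"), ("objectclass", "inetOrgPerson"),
         ("uid", "mcabrerizo"), ("cn", "Miguel Ángel Cabrerizo"),
         ("sn", "Cabrerizo"), ("givenName", "Miguel Ángel")])


if __name__ == "__main__":
    print(user_entry(), end="")  # pipe into a file, then: ldapadd -x -D ... -W -f file
```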

10) Now I’m going to provide a password for my new LDAP user. The following command will prompt me for the new password and, of course, will ask for the admin user’s password as well.

# ldappasswd -S -x -D "cn=admin,dc=example,dc=com" -W \
    uid=mcabrerizo,ou=People,dc=example,dc=com
New password:
Re-enter new password:
Enter LDAP Password:

11) I’ll create a group in the Groups organizational unit and I’ll include my new user in that group

dn: cn=onemanagers,ou=Groups,dc=example,dc=com
cn: onemanagers
objectclass: groupofnames
member: uid=mcabrerizo,ou=People,dc=example,dc=com

12) Let’s suppose that I’ve created a new user with uid n40lab and now I want to add it to the group onemanagers. I’ll create an LDIF file (addto_onemanagers.ldif) for this modification and I’ll use the ldapmodify command:

dn: cn=onemanagers,ou=Groups,dc=example,dc=com
changetype: modify
add: member
member: uid=n40lab,ou=People,dc=example,dc=com

# ldapmodify -x -D "cn=admin,dc=example,dc=com" -W -f addto_onemanagers.ldif

13) Now, if I want to remove that user from my group, I’ll create an LDIF file (removefrom_onemanagers.ldif) for this modification and I’ll use the ldapmodify command:

dn: cn=onemanagers,ou=Groups,dc=example,dc=com
changetype: modify
delete: member
member: uid=n40lab,ou=People,dc=example,dc=com

# ldapmodify -x -D "cn=admin,dc=example,dc=com" -W -f removefrom_onemanagers.ldif

OK, this is long enough. That’s how I’ve created a simple directory for web application authentication. I’m an LDAP newbie, so forgive me if you find anything wrong with this post; I’ll update it as I use this LDAP configuration in my tests.

In a different post I’ll try to increase the security for this LDAP directory.

Cheers!


5 thoughts on “Creating a simple LDAP directory with OpenLDAP 2.4 in CentOS 6.4”

    • n40lab says:

      Hi,
      thanks for your comment and for reading my blog! It provides more info for anyone visiting my post.

      Indeed, I’ve used 389ds in the past, works great and it’s very easy to install offering an administration console GUI but I also like OpenLDAP. It’s great to have so many alternatives in Linux for the same purposes. I’ll write a post about this topic soon.

      In this blog post about OpenLDAP I link the official deployment guide for RHEL 6 for OpenLDAP, but thanks for the tip; your link contains a lot of interesting information about how to deploy an LDAP Directory Server, it’s very useful!

      Cheers and thanks for following my blog!


  1. AAAAA says:

    Hi n40lab,

    I am in the process of familiarizing myself with LDAP and wanted to thank you for sharing the above examples. They have helped me.

    One typo that will cause a newbie (me 🙂 ) some headache: I had to change “remove: member” to “delete: member” for it to work.

    Cheers,


  2. Anonymous says:

    Great information thanks. However, I was unable to add memberOf overlay, do you know how that can be done? Thanks.

