How to Install LDAP on CentOS 7

How to Install LDAP on CentOS 7

Spread the love

Today, we will show you, How to install LDAP on CentOS 7. LDAP, or Lightweight Directory Access Protocol, is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network. It can be used to store any kind of information and it is often used as one component of a centralized authentication system. Installing and configuring an OpenLDAP server on CentOS 7, it’s fairly easy task, just carefully follow the tutorial below and you should have it installed in less then 10 minutes.

Update the system

As usual before installing new software, update all your system packages to the newest available version first:

# yum update

Install OpenLDAP

We are going to begin by installing the packages required for OpenLDAP functionality:

# yum -y install openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel

We will also start the LDAP daemon and enable it on boot:

# systemctl start slapd.service
# systemctl enable slapd.service

Run the slappasswd command to set a LDAP root password and save the output because we are going to need it to configure OpenLDAP:

# slappasswd

We’ll configure the OpenLDAP server now. We’ll create a few LDIF files and then we will use the ldapmodify command to deploy the configuration to the server. The files will be stored in ‘/etc/openldap/slapd.d’ and they shouldn’t be edited manually.

The ‘db.ldif’ file will update the olcSuffix variable which will add the distinguished name to queries that will be passed to the backend database, it will configure the domain name for which your LDAP server will provide account information, and it will update the olcRootDN variable which specifies the root distinguished name user that will have administrator access to the LDAP server.

Our domain is field.linuxhostsupport.com, and written inside the ‘db.ldif’ file it looks like this ‘dc=field,dc=linuxhostsupport,dc=com’ and our root distinguished name is ‘cn=ldapadm,dc=field,dc=linuxhostsupport,dc=com’.

Configure OpenLDAP

Create the db.ldif file using nano or an editor of your preference and paste the following content in:

# nano db.ldif

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=field,dc=linuxhostsupport,dc=com
 
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=ldapadm,dc=field,dc=linuxhostsupport,dc=com
 
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: hashed_output_from_the_slappasswd_command

Deploy the configuration using ldapmodify:

# ldapmodify -Y EXTERNAL -H ldapi:/// -f db.ldif

Now restrict monitor access only to the ldapadm user:

# nano monitor.ldif

dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external, cn=auth" read by dn.base="cn=ldapadm,dc=field,dc=linuxhostsupport,dc=com" read by * none

Deploy the configuration change again:

# ldapmodify -Y EXTERNAL -H ldapi:/// -f monitor.ldif

Now we will generate a certificate and a private key so we can communicate securely with the OpenLDAP server. We will use the command below to do that:

openssl req -new -x509 -nodes -out \
/etc/openldap/certs/myldap.field.linuxhostsupport.com.cert \
-keyout /etc/openldap/certs/myldap.field.linuxhostsupport.com.key \
-days 365

Change the owner and group permissions so OpenLDAP can read the files:

# chown -R ldap:ldap /etc/openldap/certs

Now create certs.ldif to configure OpenLDAP to use the LDAPS protocol:

# nano certs.ldif

dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/myldap.field.linuxhostsupport.com.cert

dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/myldap.field.linuxhostsupport.com.key

We can then deploy the configuration again:

# ldapmodify -Y EXTERNAL -H ldapi:/// -f certs.ldif

Now test the configuration using the following command:

# slaptest -u

Setting up the OpenLDAP database

Now we can set up the LDAP database, start by copying the sample database configuration file to ‘/var/lib/ldap’ and change the file permissions:

# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
# chown -R ldap:ldap /var/lib/ldap

Add the LDAP schemas:

# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

And now create a base.ldif file for your domain:

# nano base.ldif

dn: dc=field,dc=linuxhostsupport,dc=com
dc: field
objectClass: top
objectClass: domain

dn: cn=ldapadm,dc=field,dc=linuxhostsupport,dc=com
objectClass: organizationalRole
cn: ldapadm
description: LDAP Manager

dn: ou=People,dc=field,dc=linuxhostsupport,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=field,dc=linuxhostsupport,dc=com
objectClass: organizationalUnit
ou: Group

We will deploy these configuration changes to the OpenLDAP server using the ldapadm user:

# ldapadd -x -W -D "cn=ldapadm,dc=field,dc=linuxhostsupport,dc=com" -f base.ldif

Enter the root password when prompted.

If you need to add users it’s easier to add them with a GUI, we recommend using Apache Directory Studio or JXplorer for this.

That’s it you should now have successfully installed LDAP on CentOS 7.

 

Of course you don’t have to install LDAP on CentOS 7, if you use one of our Linux server support services, in which case you can simply ask our expert Linux admins to configure this for you. They are available 24×7 and will take care of your request immediately.

PS. If you liked this post,  on how to install LDAP on CentOS 7, please share it with your friends on the social networks using the buttons on the left or simply leave a reply below. Thanks.

33 thoughts on “How to Install LDAP on CentOS 7

  1. Hi Getting the below error .Please let me know what to do.

    systemctl start slapd
    Job for slapd.service failed because the control process exited with error code. See “systemctl status slapd.service” and “journalctl -xe”

      1. [root@mspildapsrv lib]# systemctl status slapd.service
        ● slapd.service – OpenLDAP Server Daemon
        Loaded: loaded (/usr/lib/systemd/system/slapd.service; disabled; vendor preset: disabled)
        Active: failed (Result: exit-code) since Wed 2018-08-22 03:51:49 IST; 18s ago
        Docs: man:slapd
        man:slapd-config
        man:slapd-hdb
        man:slapd-mdb
        file:///usr/share/doc/openldap-servers/guide.html
        Process: 3571 ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS (code=exited, status=1/FAILURE)
        Process: 3555 ExecStartPre=/usr/libexec/openldap/check-config.sh (code=exited, status=0/SUCCESS)

        Aug 22 03:51:45 mspildapsrv.com slapd[3571]: ldif_read_file: checksum error on “/etc/openld…if”
        Aug 22 03:51:49 mspildapsrv.com slapd[3571]: Could not get the realpath: No such file or di…ory
        Aug 22 03:51:49 mspildapsrv.com slapd[3571]: main: TLS init def ctx failed: -1
        Aug 22 03:51:49 mspildapsrv.com slapd[3571]: DIGEST-MD5 common mech free
        Aug 22 03:51:49 mspildapsrv.com slapd[3571]: slapd stopped.
        Aug 22 03:51:49 mspildapsrv.com slapd[3571]: connections_destroy: nothing to destroy.
        Aug 22 03:51:49 mspildapsrv.com systemd[1]: slapd.service: control process exited, code=exi…s=1
        Aug 22 03:51:49 mspildapsrv.com systemd[1]: Failed to start OpenLDAP Server Daemon.
        Aug 22 03:51:49 mspildapsrv.com systemd[1]: Unit slapd.service entered failed state.
        Aug 22 03:51:49 mspildapsrv.com systemd[1]: slapd.service failed.
        Hint: Some lines were ellipsized, use -l to show in full.

        1. I hope your found your answer, you can just reinstall openldap services again and start the process if you did not go far
          sudo yum reinstall openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel

        2. I had this same problem. The default config of the database has directives that point to certain paths and files for certificates. You most likely don’t have those certificates in place yet. What you need to do is either comment out those lines that are looking for certs, or create certs and place them where those directives are looking for.

          Ofcourse, since slapd is not running you cannot use ldapmodify to make these changes. See the answer to this post: https://serverfault.com/questions/863274/modify-openldap-cn-config-without-slapd-running

          Once you either comment out those lines that are looking for certs, or place certs in the correct locations, you will be able to start slapd and use ldapmodify from then on.

    1. I encountered this on Centos 7. The problem was SElinux.

      edit /etc/selinux/config

      SELINUX=enforcing can be changed to SELINUX=disabled

      See if that fixes it.

  2. which password exactly i should enter? The one I created in slappassword line or the one who terminal back to me when i entered? Anyway, in the last last step none of them dont’t work, i’ve tried severeal times, i couldn’t type wrong one so many times.
    Thanks in advance

    1. When deploying configuration changes to the OpenLDAP server you need to enter the LDAP root password you set up earlier. Thanks

  3. A couple of questions:
    1. What is meant by “monitor access”?
    2. Why was the ldapadm user created? Where is it used?

  4. 1. When the monitoring interface is enabled, LDAP clients may be used to access information provided by the monitor backend, subject to access and other controls
    2. We created ldapadm user so we can deploy configuration changes to the OpenLDAP server.

  5. Ran all the steps without errors.
    Using ldap_bind() and ldap_search from PHP, I can see users (can’t see ldapadm, though).
    Using ldap_bind(user,password), the binding fails.
    How do I add a user which can then be authenticated using PHP? A non-OS user, one that exists in the LDAP only.

  6. [root@linuxhostsupport ~]# ldapadd -x -W -D “cn=ldapadm,dc=field,dc=linuxhostsupport,dc=com” -f base.ldif
    Enter LDAP Password:
    ldap_bind: Invalid credentials (49)

    Please help on this..

      1. I have the same problem and the password is definitely correct. The ldapadm dn is mine too.

        What else could the problem be?

  7. ldapadd -x -W -D “cn=ldapadm,dc=field,dc=linuxhostsupport,dc=com” -f base.ldif
    Enter LDAP Password:
    ldap_bind: Invalid credentials (49)

    I confirm that password entered is correct one.

  8. this is my base.ldif:
    dn: dc=cycleon,dc=com
    dc: admin
    objectClass: top
    objectClass: domain

    dn: cn=admin,dc=cycleon,dc=com
    objectClass: organizationalRole
    cn: admin
    description: LDAP Admin

    dn: ou=People,dc=cycleon,dc=com
    objectClass: organizationalUnit
    ou: People

    dn: ou=Group,dc=field,dc=com
    objectClass: organizationalUnit
    ou: Group

    when trying the last command:
    ]# ldapadd -x -W -D “cn=admin,dc=cycleon,dc=com” -f base.ldif
    Enter LDAP Password:
    adding new entry “dc=cycleon,dc=com”
    ldap_add: Naming violation (64)
    additional info: value of single-valued naming attribute ‘dc’ conflicts with value present in entry

    the base.ldif looks correct to me, can you please help?

  9. Meanwhile, congratulations for the guide. I have a problem with the last step:
    ldapadd -x -W -D “cn=ldapadm,dc=ldap,dc=halldis,dc=cloud” -f base.ldif
    Enter LDAP Password:
    ldap_bind: Invalid credentials (49)

    I need to use encrypted password o clear password?
    It does not work in both cases.

    Thanks

  10. After deploy of db.ldif:
    [root@X slapd.d]# vim db.ldif
    [root@X slapd.d]# ldapmodify -Y EXTERNAL -H ldapi:/// -f db.ldif
    SASL/EXTERNAL authentication started
    SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    SASL SSF: 0
    ldapmodify: wrong attributeType at line 5, entry “olcDatabase={2}hdb,cn=config”

  11. centos]# ldapmodify -Y EXTERNAL -H ldapi:/// -f certs.ldif
    SASL/EXTERNAL authentication started
    SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    SASL SSF: 0
    modifying entry “cn=config”
    ldap_modify: Other (e.g., implementation specific) error (80)

    1. Please try to change the permissions of the ‘/etc/openldap/certs’ directory:

      chown -R ldap:ldap /etc/openldap/certs

    2. I encountered the similar problem, I found a workaround by splitting the file in two, and load each section in two different ldap_modify command. Perhaps try that?

  12. [root@localhost ~]# ldapadd -x -W -D “cn=ldapadm,dc=field,dc=linuxhostsupport,dc=com” -f base.ldif
    Enter LDAP Password:
    ldap_bind: Server is unwilling to perform (53)
    additional info: unauthenticated bind (DN with no password) disallowed

    i need change the password

  13. [root@centos user]# hostname
    field
    [root@centos user]# cat /etc/resolv.conf
    # Generated by NetworkManager
    search linuxhostsupport.com
    nameserver 8.8.8.8
    nameserver 8.8.4.4

    Above line is my hostname.
    When I was try to modify certs.ldif file .
    I got ” modifying entry “cn=config”
    ldap_modify: Other (e.g., implementation specific) error (80) ”

    vim certs.ldif
    dn: cn=config
    changetype: modify
    replace: olcTLSCertificateFile
    olcTLSCertificateFile: /etc/openldap/certs/myldap.field.linuxhostsupport.com.cert

    dn: cn=config
    changetype: modify
    replace: olcTLSCertificateKeyFile
    olcTLSCertificateKeyFile: /etc/openldap/certs/myldap.field.linuxhostsupport.com.key

    May I how how can I trace to solve it.

    # ldapmodify -Y EXTERNAL -H ldapi:/// -f certs.ldif
    SASL/EXTERNAL authentication started
    SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    SASL SSF: 0
    modifying entry “cn=config”
    ldap_modify: Other (e.g., implementation specific) error (80)

    Please may I know which state has wrong?

Leave a Reply

Your email address will not be published. Required fields are marked *