OpenLDAP on Enterprise Linux

This post will demonstrate setting up an OpenLDAP Server for user authentication on Enterprise Linux.

OpenLDAP is an implementation of the Lightweight Directory Access Protocol and is often used for user identity and authorisation services in corporate environments.

I’ve previously demonstrated setting up an Enterprise Linux virtual machine, so if you haven’t already done so, please set up a Linux system to work with. Ideally, to test authentication across multiple servers, you’ll also have a second Linux server to work with. These instructions should work with any RHEL variant, including Oracle Linux, AlmaLinux or CentOS.

I’ll be using Oracle Linux 8 running in VirtualBox with the hostname ‘olauth.davidroddick.com’ for the authentication server and a cloned snapshot with the hostname ‘olclient.davidroddick.com’. Note that I’m using my own personal domain name as the LDAP suffix. You should substitute the davidroddick.com part for your own domain name.

To get the most out of this article you should have both your servers already set up in the same host-only network and able to reach each other remotely with ssh. You’ll also need to have local administrator privileges, which you should already have if you’re working on your own virtual machines.

For the sake of demonstration, I have started olauth in a full desktop environment and olclient in headless mode. In the screenshot below you can see the two terminals: on the left-hand side I’m logged in locally as oluser on the olauth server, and the right-hand side terminal is logged in over ssh as oluser on olclient. The oluser accounts on both servers are local Linux user accounts.

Many remote authentication protocols are time sensitive, and the client and server are required to have the same time information. Before setting up LDAP, you should ensure that both servers are synchronised using NTP.

Red Hat deprecated openLDAP-servers in RHEL 8, so it’s not possible to install openLDAP directly from the repositories. Instead we need to enable the Symas repo, which provides openLDAP-server packages for RHEL.

$ sudo wget -q https://repo.symas.com/configs/SOFL/rhel8/sofl.repo -O /etc/yum.repos.d/sofl.repo
$ sudo dnf check-update
$ sudo dnf install symas-openldap-clients symas-openldap-servers oddjob-mkhomedir

Next we need to configure SELinux to allow the use of LDAP and start the openldap service slapd.

$ sudo setsebool -P allow_ypbind=1
$ sudo setsebool -P authlogin_nsswitch_use_ldap=1
$ sudo systemctl start slapd
$ sudo systemctl enable slapd

LDAP listens on port 389, so we’ll check that the service is listening:

$ ss -lntu | grep 389

Last, start oddjob for user home directory creation.

$ sudo systemctl start oddjobd
$ sudo systemctl enable oddjobd

To configure openLDAP we can use files with the LDIF extension. We could configure the service manually on the command line, but using LDIF files is easier and faster. I’ve uploaded the required LDIF files to my github account, which you can clone to your authentication server. Make sure to modify each file to use your own domain name and the usernames and passwords you’re configuring.

We’ll start with the db.ldif file to configure the LDAP server distinguished name and the admin password. Before continuing, open the db.ldif file and replace every occurrence of dc=davidroddick with your own domain name, then run the slappasswd command to generate a password hash.

Slappasswd will ask you to enter your password twice and then output a hash to the terminal. You can copy this hash and paste it directly into the db.ldif file on the line starting with olcRootPW:

Load the db.ldif file.

$ sudo ldapmodify -Y EXTERNAL -H ldapi:// -f db.ldif

When running this command initially I received the error:

ldap_modify: No such object (32)
        matched DN: cn=config

After a bit of googling I discovered that the backend database being used by LDAP was different from the one specified in the config file I was using. You can find out the backend database by running:

$ ldapsearch -H ldapi:/// -Y EXTERNAL -b "cn=config" -LLL -Q "olcDatabase=*" dn

Which gave the output:

dn: olcDatabase={2}mdb,cn=config

Note the use of mdb, in my initial db.ldif file the database specified was hdb. Changing all occurrences to mdb and rerunning the ldapmodify command fixed the error.
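To avoid this mismatch altogether, the db.ldif can be generated from whatever backend the server reports. The following is an added example and not one of the author’s LDIF files; the suffix, admin cn and hash are passed in as parameters, and the hash used in the usage lines is a placeholder for real slappasswd output.

```sh
#!/bin/sh
# Added example (not from the author's repository): generate db.ldif for the
# backend slapd is actually running, so a file written for hdb is never
# loaded against an mdb server.

# Extract "olcDatabase={N}backend" from one "dn:" line of the ldapsearch output.
# The {0}config and {-1}frontend pseudo-databases are skipped.
db_rdn_from_dn() {
    printf '%s\n' "$1" \
      | sed -n 's/^dn: *\(olcDatabase={-*[0-9]*}[a-z]*\),cn=config$/\1/p' \
      | grep -v -e '}config$' -e '}frontend$' || true
}

# Emit the LDIF that sets suffix, root DN and root password on that database.
# $1 = database RDN, $2 = suffix, $3 = admin cn, $4 = password hash from slappasswd
gen_db_ldif() {
    cat <<EOF
dn: $1,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: $2

dn: $1,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=$3,$2

dn: $1,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: $4
EOF
}

# On the auth server (as root), derive the RDN from the live config and load it:
#   rdn=$(ldapsearch -H ldapi:/// -Y EXTERNAL -b cn=config -LLL -Q 'olcDatabase=*' dn \
#         | while IFS= read -r line; do db_rdn_from_dn "$line"; done | head -n 1)
#   gen_db_ldif "$rdn" dc=davidroddick,dc=com ldapadm "$(slappasswd)" > db.ldif
#   ldapmodify -Y EXTERNAL -H ldapi:// -f db.ldif
```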

Next we will restrict access to the admin user; this configuration is specified in monitor.ldif. Again, edit this file to replace the occurrences of dc=davidroddick with your own domain and run:

$ sudo ldapmodify -Y EXTERNAL -H ldapi:// -f monitor.ldif

Run the following command to check the LDAP configuration:

$ sudo slaptest -u

You should see the output ‘config file testing succeeded’.

Next copy the database configuration file from the installed package to the /var/lib/ldap directory:

$ sudo cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
$ sudo chown -R ldap:ldap /var/lib/ldap

Now we can add the LDAP schema. We’ll use the files cosine.ldif, nis.ldif and inetorgperson.ldif from /etc/openldap/schema.

$ sudo ldapadd -Y EXTERNAL -H ldapi:// -f /etc/openldap/schema/cosine.ldif
$ sudo ldapadd -Y EXTERNAL -H ldapi:// -f /etc/openldap/schema/nis.ldif
$ sudo ldapadd -Y EXTERNAL -H ldapi:// -f /etc/openldap/schema/inetorgperson.ldif

Next, add the base.ldif file, once again make sure to replace my domain with your own.

$ sudo ldapadd -x -W -D "cn=ldapadm,dc=davidroddick,dc=com" -f base.ldif

Enter the password that you created earlier with the slappasswd command.

Now we can create an LDAP user. I have a file called droddick.ldif which will create the user droddick, but that’s me, so change that file, replacing the domain and user information with your own. Then add the file and create a password for the user with ldappasswd, once again typing your LDAP admin password when prompted.

$ sudo ldapadd -x -W -D "cn=ldapadm,dc=davidroddick,dc=com" -f droddick.ldif
$ sudo ldappasswd -s password123 -W -D "cn=ldapadm,dc=davidroddick,dc=com" -x "uid=droddick,ou=People,dc=davidroddick,dc=com"

Now we should be able to confirm our new user exists in LDAP.

$ sudo ldapsearch -x cn=droddick -b dc=davidroddick,dc=com

Add a firewall rule to ensure LDAP is accessible externally for our client machines.

$ sudo firewall-cmd --permanent --add-service=ldap
$ sudo firewall-cmd --reload

Enable LDAP logging by adding the following line to /etc/rsyslog.conf and restarting rsyslog with systemctl.

local4.* /var/log/ldap.log

The OpenLDAP server should now be configured and ready to use.

Next we need to configure the client machine to connect to the LDAP server. On your EL client machine, install the openLDAP client packages.

$ sudo dnf install nss-pam-ldapd openldap-clients oddjob-mkhomedir

Next configure the client machine to use LDAP. Edit the /etc/nslcd.conf file. On line 18, change the uri from ‘uri ldap://127.0.0.1’ to ‘uri ldap://olauth.davidroddick.com’, changing the domain name for your own. On line 25 change the base dc=example,dc=com line to your own domain, in my case it is ‘base dc=davidroddick,dc=com’.

Restart the LDAP client and oddjob, and ensure both services are also enabled.

$ sudo systemctl restart nslcd
$ sudo systemctl enable nslcd
$ sudo systemctl restart oddjobd
$ sudo systemctl enable oddjobd

Next, set up the authselect profile. Copy the sssd profile so that we can modify it for authselect, change all occurrences of sss to ldap, and select the new profile.

$ sudo cp -Rp /usr/share/authselect/default/sssd /etc/authselect/custom/nscld
$ cd /etc/authselect/custom/nscld
$ sudo sed -i 's/sss/ldap/g' fingerprint-auth
$ sudo sed -i 's/sss/ldap/g' password-auth
$ sudo sed -i 's/sss/ldap/g' smartcard-auth
$ sudo sed -i 's/sss/ldap/g' system-auth
$ sudo sed -i 's/sss/ldap/g' nsswitch.conf
$ sudo sed -i 's/SSSD/NSLCD/g' REQUIREMENTS
$ sudo authselect select custom/nscld with-mkhomedir --force

If everything worked correctly, you should be able to query the LDAP server for the user entry we created previously.

$ sudo getent passwd droddick
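The nslcd.conf edit above refers to fixed line numbers, which shift between package versions. As an added example (not part of the original post), the helpers below change the uri and base settings by key instead and confirm neither still holds the package default before nslcd is restarted; the file path and server name are the ones used in this article.

```sh
#!/bin/sh
# Added example: edit /etc/nslcd.conf by key rather than by line number, then
# check that uri and base no longer hold the package defaults
# (ldap://127.0.0.1 and dc=example,dc=com) before restarting nslcd.

# Print the value of a top-level nslcd.conf key (first match; comments ignored).
# $1 = config file, $2 = key (e.g. uri, base)
nslcd_get() {
    sed -n "s/^$2[[:space:]]\{1,\}//p" "$1" | head -n 1
}

# Replace the value of a key in place, or append the key if it is absent.
# $1 = config file, $2 = key, $3 = new value
nslcd_set() {
    if grep -q "^$2[[:space:]]" "$1"; then
        sed "s|^$2[[:space:]].*|$2 $3|" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    else
        printf '%s %s\n' "$2" "$3" >> "$1"
    fi
}

# Return 0 only when both uri and base have been changed from the defaults.
nslcd_check() {
    uri=$(nslcd_get "$1" uri)
    base=$(nslcd_get "$1" base)
    case "$uri" in *127.0.0.1*|"") return 1 ;; esac
    case "$base" in *dc=example,dc=com*|"") return 1 ;; esac
    return 0
}

# On the client (as root), point nslcd at the auth server and verify:
#   nslcd_set /etc/nslcd.conf uri ldap://olauth.davidroddick.com
#   nslcd_set /etc/nslcd.conf base dc=davidroddick,dc=com
#   nslcd_check /etc/nslcd.conf && systemctl restart nslcd
```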

Now try logging in to your LDAP user account to verify.
