Configure LDAP Server

Configure LDAP Server in order to share users' accounts in your local networks.

[1] Install OpenLDAP.

[[email protected] ~]# dnf install openldap-servers openldap-clients -y
...
[[email protected] ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[[email protected] ~]# chown ldap. /var/lib/ldap/DB_CONFIG
[[email protected] ~]# systemctl start slapd
[[email protected] ~]# systemctl enable slapd
Created symlink /etc/systemd/system/openldap.service β†’ /usr/lib/systemd/system/slapd.service.
Created symlink /etc/systemd/system/multi-user.target.wants/slapd.service β†’ /usr/lib/systemd/system/slapd.service.

[2] Set OpenLDAP admin password.

# generate encrypted password
[[email protected] ~]# slappasswd
New password:
Re-enter new password:
{SSHA}xxxxxxxxxxxxxxxxxxxxxxxx

[[email protected] ~]# vi chrootpw.ldif

# specify the password generated above for [olcRootPW] section
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx

[[email protected] ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={0}config,cn=config"

[3] Import basic Schemas.

[[email protected] ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"

[[email protected] ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"

[[email protected] ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"

[4] Set your domain name on LDAP DB.

# generate directory manager's password
[[email protected] ~]# slappasswd
New password:
Re-enter new password:
{SSHA}xxxxxxxxxxxxxxxxxxxxxxxx

[[email protected] ~]# vi chdomain.ldif

# replace to your own domain name for [dc=***,dc=***] section
# specify the password generated above for [olcRootPW] section
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
  read by dn.base="cn=Manager,dc=futurelinux,dc=org" read by * none

dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=futurelinux,dc=org

dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=futurelinux,dc=org

dn: olcDatabase={2}mdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx

dn: olcDatabase={2}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by
  dn="cn=Manager,dc=futurelinux,dc=org" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=futurelinux,dc=org" write by * read

[[email protected] ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}monitor,cn=config"

modifying entry "olcDatabase={2}mdb,cn=config"

modifying entry "olcDatabase={2}mdb,cn=config"

modifying entry "olcDatabase={2}mdb,cn=config"

modifying entry "olcDatabase={2}mdb,cn=config"

[[email protected] ~]# vi basedomain.ldif

# replace to your own domain name for [dc=***,dc=***] section
dn: dc=futurelinux,dc=org
objectClass: top
objectClass: dcObject
objectclass: organization
o: Future Linux
dc: futurelinux

dn: cn=Manager,dc=futurelinux,dc=org
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=People,dc=futurelinux,dc=org
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=futurelinux,dc=org
objectClass: organizationalUnit
ou: Group

[[email protected] ~]# ldapadd -x -D cn=Manager,dc=futurelinux,dc=org -W -f basedomain.ldif
Enter LDAP Password:
adding new entry "dc=futurelinux,dc=org"

adding new entry "cn=Manager,dc=futurelinux,dc=org"

adding new entry "ou=People,dc=futurelinux,dc=org"

adding new entry "ou=Group,dc=futurelinux,dc=org"

[5] If Firewalld is running, allow LDAP service.

[[email protected] ~]# firewall-cmd  --permanent --add-service=ldap
success
[[email protected] ~]# firewall-cmd --reload
success