Deploy and Configure a CentOS 7 LDAP Server

Overview

The Lighweight Directory Access Protocol, better known using its acronym LDAP, provides a directory service for users and other objects. It’s used primarily to provide single sign-on authentication across your environment, from servers to web applications.

This tutorial will walk you through deploying and configuring an LDAP server on CentOS 7.

The environment used in this tutorial has the following configuration.

Domain corp.serverlab.intra
Domain DN dc=corp,dc=serverlab,dc=intra
LDAP Server server01.corp.serverlab.intra

Install OpenLDAP

  1. Log into server with an account that has administrative rights.
  2. Install the required packages using Yum.
    yum install openldap-servers openldap-clients nss-pam-ldapd

Configure the Domain

Create Password for the Manager Account

The Manager account is the default administrator – also known as the Root account – for OpenLDAP. This account has full rights over LDAP and needs a secure password. This step will guide you through the process of generating an encrypted password for the account.

  1. Use the slappasswd to create an encrypted password.
    slappasswd
  2. When prompted, enter a new password.
  3. When prompted, re-enter the new password.
  4. slappasswd should not output an encrypted form of the password entered.
    {SSHA}BvCGYqos1HWnzIzAnxNTgqu9xRErywaP

    Make not of this output and document it. We’ll be using it shortly.

Configure the Database

  1. Open the LDAP Database file into a text editor.
    vi /etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif
  2. Find the following lines.
    olcSuffix: dc=example,dc=com
    olcRootDN: cn=Manager,dc=example,dc=com

    And modify them so that they point to your domain’s distinguish name (DN). In this tutorial, ours is dc=corp,dc=serverlab,dc=intra.

    olcSuffix: dc=corp,dc=serverlab,dc=intra
    olcRootDN: cn=Manager,dc=corp,dc=serverlab,dc=intra
  3. Set the password for the Manager account using the one generated earlier. Add the following line below the olcRootDN line.
    olcRootPW: {SSHA}1gChY5Xzoozcd73sOma9v6qocpRBWpkP
  4. Save your settings and exit the text editor.

Configure Monitoring Privileges

The Monitor backed allows users to query your LDAP database for information. This can be perceived as a security risk in some environments. Therefore, you may want to limit who can access it. We’ll grant access to the Manager account and deny everyone else.

  1. Open the OpenLDAP monitoring configuration file into a text editor.
    vi /etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif
  2. Find the following line.
    olcAccess: {0}to *  by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read  by dn.base="cn=manager,dc=example,dc=com" read  by * none

    And modify it to by pointing to the DN of your Manager account.

    olcAccess: {0}to *  by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read  by dn.base="cn=Manager,dc=serverlab,dc=intra" read  by * none
  3. Save your changes and exit the text editor.

Create the Database Config file

This file is used to tune OpenLDAP. The example file the accompanies the OpenLDAP server install is good for starting out, however, its settings may be too conservative for today’s hardware.

  1. Create the database config file by copying an example template.
    cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
  2. Assign the appropriate permissions to the database config file.
    chown -Rf ldap:ldap /var/lib/ldap/

Create a User Account

  1. Create a user named Admin.
    dn: uid=admin,ou=Users,dc=your-domain,dc=com
    uid: admin
    cn: admin
    objectClass: account
    objectClass: posixAccount
    objectClass: top
    objectClass: shadowAccount
    userPassword: password
    shadowLastChange: 15140
    shadowMin: 0
    shadowMax: 99999
    shadowWarning: 7
    loginShell: /bin/bash
    uidNumber: 999
    gidNumber: 999
    homeDirectory: /home/ldap