OpenLDAP authentication

This is a simple setup to authenticate Linux/UNIX users against an OpenLDAP server. Basically, this setup lets us create a common user database that will be used for SSO.

Install OpenLDAP

Install the OpenLDAP server and the OpenLDAP client tools.

server@root#yum install openldap-servers openldap-clients

Configure /etc/hosts (replace IP with the address of each host)

IP ldap-server.local
IP ldap-client.local

Start OpenLDAP

server@root#systemctl start slapd
server@root#systemctl enable slapd

Set up the OpenLDAP admin password

Set up your OpenLDAP password for the admin user.

server@root#slappasswd -h {SSHA} -s your_ldap_admin_password

This will generate a hashed password that we'll use below. Note that passing the password with -s puts it on the command line, where it lands in the shell history and in process listings; running slappasswd -h {SSHA} without -s prompts for the password instead.

Change the OpenLDAP configuration

The OpenLDAP configuration is stored in /etc/openldap/slapd.d/. Save the following as db.ldif, using the hash generated above as the olcRootPW value:

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=ldap-server,dc=local

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=admin,dc=ldap-server,dc=local

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}J4ldmfky06N23jFQmSw/6WkrPDXe81zO

Apply the configuration (db.ldif)

[root@ldap-server ~]# ldapmodify -Y EXTERNAL  -H ldapi:/// -f db.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

Change the monitor database access (monitor.ldif)

dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external, cn=auth" read by dn.base="cn=admin,dc=ldap-server,dc=local" read by * none
[root@ldap-server ~]# ldapmodify -Y EXTERNAL  -H ldapi:/// -f monitor.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}monitor,cn=config"

Set up the OpenLDAP database and load the schemas

[root@ldap-server ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@ldap-server ~]# chown ldap:ldap /var/lib/ldap/*
[root@ldap-server ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"
[root@ldap-server ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"
[root@ldap-server ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"

Create the base entries (base.ldif)

dn: dc=ldap-server,dc=local
dc: ldap-server
objectClass: top
objectClass: domain

dn: cn=admin ,dc=ldap-server,dc=local
objectClass: organizationalRole
cn: admin
description: LDAP Manager

dn: ou=People,dc=ldap-server,dc=local
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=ldap-server,dc=local
objectClass: organizationalUnit
ou: Group

Add the base entries, binding as admin with a simple bind (-x -W). The commands here run on the server itself; if you run them from another host, use TLS (ldaps:// or -ZZ) so the admin password is not sent in the clear.

[root@ldap-server ~]# ldapadd -x -W -D "cn=admin,dc=ldap-server,dc=local" -f base.ldif
Enter LDAP Password:
adding new entry "dc=ldap-server,dc=local"

adding new entry "cn=admin ,dc=ldap-server,dc=local"

adding new entry "ou=People,dc=ldap-server,dc=local"

adding new entry "ou=Group,dc=ldap-server,dc=local"

Create a user (user.ldif)

dn: uid=raul,ou=People,dc=ldap-server,dc=local
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: raul
uid: raul
uidNumber: 9999
gidNumber: 100
homeDirectory: /home/raul
loginShell: /bin/bash
gecos: Raul [raulclimber (at) yahoo.com]
userPassword: {crypt}x
shadowLastChange: 17058
shadowMin: 0
shadowMax: 99999
shadowWarning: 7

Add the user. The userPassword value {crypt}x in user.ldif is a placeholder that matches no password, so set a real one afterwards (for example with ldappasswd) before the account can log in.

ldapadd -x -W -D "cn=admin,dc=ldap-server,dc=local" -f user.ldif
https://www.itzgeek.com/how-tos/linux/centos-how-tos/step-step-openldap-server-configuration-centos-7-rhel-7.html/2