How to install LDAP on CentOS 7


In this tutorial, we will show you how to install and configure an OpenLDAP server on CentOS 7, including TLS and a base directory tree for users and groups.

What is LDAP

LDAP is short for Lightweight Directory Access Protocol. It is an open, vendor-neutral, industry-standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network.
LDAP can store almost any type of information, and it is most commonly used as one component of a centralized authentication system. OpenLDAP, which we install below, is the open-source server implementation of the protocol.

Installing LDAP on CentOS 7

Installing and configuring an OpenLDAP server on CentOS 7 is straightforward: follow the steps below and you should have it running in about 10 minutes. All commands are run as root on the server.

Step 1: Updating the System

Before you start installing any new software, update your system packages to the latest available versions.

# yum update

Step 2: Installing OpenLDAP

Now install OpenLDAP and the packages the rest of this tutorial uses. Only openldap-servers (the slapd daemon) and openldap-clients (ldapadd, ldapmodify, ldapsearch) are strictly required; the others are optional extras.

# yum -y install openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel

Next, start slapd and enable it at boot.

# systemctl start slapd.service
# systemctl enable slapd.service

Run the ‘slappasswd’ command to set the LDAP root password. It asks for the password twice and prints a salted hash beginning with ‘{SSHA}’; save that output, since it goes into ‘olcRootPW’ when configuring OpenLDAP. The server stores only this hash, never the cleartext password.

# slappasswd


Configuring OpenLDAP server

You can now start configuring the OpenLDAP server. The live configuration is kept as LDIF under ‘/etc/openldap/slapd.d’ (the cn=config database) and must not be edited by hand. Instead, write small LDIF files describing each change and apply them with ‘ldapmodify’ over the local ‘ldapi:///’ socket, where the root user is authenticated via SASL EXTERNAL without any password.

OlcSuffix Variable

The ‘db.ldif’ file updates three attributes of the default database. ‘olcSuffix’ is the distinguished name (DN) under which every entry in this database lives; queries whose base DN ends in this suffix are routed to this backend. ‘olcRootDN’ names the administrator DN that bypasses access controls for this database, and ‘olcRootPW’ holds the hashed password for that DN.

Main Domain

Our domain is going to be ‘field.dreamvps.com’, written in DN form in ‘db.ldif’ as ‘dc=field,dc=dreamvps,dc=com’, and our root distinguished name is ‘cn=ldapadm,dc=field,dc=dreamvps,dc=com’.

Step 3: Configuring OpenLDAP

Create the ‘db.ldif’ file with nano or a text editor of your preference and enter the content below. Note the blank line between records: LDIF requires one, and without it ldapmodify will not parse the file as three separate changes. Replace the ‘olcRootPW’ value with the exact hash printed by ‘slappasswd’.

# nano db.ldif
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=field,dc=dreamvps,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=ldapadm,dc=field,dc=dreamvps,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: hashed_output_from_the_slappasswd_command

Next, deploy the configuration with ldapmodify.

# ldapmodify -Y EXTERNAL -H ldapi:/// -f db.ldif

Now restrict access to the monitor database to the local root user (authenticated over ldapi via SASL EXTERNAL) and the ldapadm user; everyone else gets nothing. The olcAccess value is a single line.

# nano monitor.ldif
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=ldapadm,dc=field,dc=dreamvps,dc=com" read by * none

Deploy the configuration change once more.

# ldapmodify -Y EXTERNAL -H ldapi:/// -f monitor.ldif

You have to generate a certificate and a private key so that clients can talk to the OpenLDAP server over TLS. The command below creates a self-signed certificate valid for 365 days. It prompts for the subject fields; the Common Name must be the hostname clients will use to connect (here ‘myldap.field.dreamvps.com’), otherwise they will reject the certificate. Because no public CA signed it, clients also have to trust this certificate explicitly, for example via TLS_CACERT in ‘/etc/openldap/ldap.conf’.

# openssl req -new -x509 -nodes -out \
/etc/openldap/certs/myldap.field.dreamvps.com.cert \
-keyout /etc/openldap/certs/myldap.field.dreamvps.com.key \
-days 365

Now change the ownership so slapd, which runs as the ldap user, can read the files, and make sure the private key is readable only by that user (mode 0600); openssl writes it with your default umask and does not restrict it for you.

# chown -R ldap:ldap /etc/openldap/certs

Next, create ‘certs.ldif’ to point OpenLDAP at the certificate and key. Again, separate the two records with a blank line. Note that this alone does not make slapd listen for LDAPS on port 636: on CentOS 7 the listeners come from SLAPD_URLS in ‘/etc/sysconfig/slapd’, which defaults to ‘ldapi:/// ldap:///’. Add ‘ldaps:///’ there and restart slapd if you want port 636, or use STARTTLS on port 389 with the same certificate.

# nano certs.ldif
dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/myldap.field.dreamvps.com.cert

dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/myldap.field.dreamvps.com.key

Deploy the configuration again.

# ldapmodify -Y EXTERNAL -H ldapi:/// -f certs.ldif

Now check the configuration by running slaptest. It should report ‘config file testing succeeded’; any other output means one of the LDIF changes did not apply cleanly and should be fixed before going on.

# slaptest -u


Step 4: Setting up the OpenLDAP database

You may now set up the LDAP database. Begin by copying the sample BerkeleyDB configuration file to ‘/var/lib/ldap’ and giving the ldap user ownership of the directory.

# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
# chown -R ldap:ldap /var/lib/ldap

Add the standard schemas. cosine, nis and inetorgperson provide the object classes (inetOrgPerson, posixAccount, posixGroup) that user and group entries need.

# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

Now create the ‘base.ldif’ file for your domain. It holds the top-level entry, the admin's entry and the People and Group organizational units, one record per blank-line-separated block.

# nano base.ldif
dn: dc=field,dc=dreamvps,dc=com
dc: field
objectClass: top
objectClass: domain

dn: cn=ldapadm,dc=field,dc=dreamvps,dc=com
objectClass: organizationalRole
cn: ldapadm
description: LDAP Manager

dn: ou=People,dc=field,dc=dreamvps,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=field,dc=dreamvps,dc=com
objectClass: organizationalUnit
ou: Group

These entries go into the data database rather than cn=config, so SASL EXTERNAL does not apply here: bind as the ldapadm root DN instead. The DN must match the olcRootDN set earlier:

# ldapadd -x -W -D "cn=ldapadm,dc=field,dc=dreamvps,dc=com" -f base.ldif

Put in the root password once prompted.
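The whole of Steps 3 and 4 as one script, added here as an example and not taken from the article: it derives the suffix DN from the domain name, renders the LDIF files with the record separators they need, generates the certificate non-interactively with a restricted key, applies everything over ldapi, enables the LDAPS listener that the certificate alone does not turn on, and finishes with searches over ldap:// and ldaps:// to prove the result. The domain field.dreamvps.com, host myldap.field.dreamvps.com and admin CN ldapadm are the article's placeholder values; the hash argument is whatever slappasswd printed; the script name ldap-bootstrap.sh is my assumption.

```shell
#!/bin/sh
# Added example, not the article's own code: Steps 3 and 4 as one bootstrap
# script for a fresh CentOS 7 slapd. Hypothetical values: domain
# field.dreamvps.com, server name myldap.field.dreamvps.com, admin CN ldapadm,
# and the {SSHA} hash printed by slappasswd passed in as the last argument.
set -eu
base_dn_from_domain() {   # field.dreamvps.com -> dc=field,dc=dreamvps,dc=com
    printf 'dc=%s\n' "$1" | sed 's/\./,dc=/g'
}
# One modify record with "-" separators replaces the three records in the
# article; slapd applies it as a single change.
render_db_ldif() {   # $1 suffix, $2 root DN, $3 {SSHA} hash
    cat <<EOF
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: $1
-
replace: olcRootDN
olcRootDN: $2
-
replace: olcRootPW
olcRootPW: $3
EOF
}
render_monitor_ldif() {   # $1 root DN: only local root and the admin may read cn=monitor
    cat <<EOF
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="$1" read by * none
EOF
}
render_certs_ldif() {   # $1 cert path, $2 key path; a self-signed cert is its own CA
    cat <<EOF
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: $1
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: $1
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: $2
EOF
}
render_base_ldif() {   # $1 suffix, $2 admin CN; records are blank-line separated
    dc=${1#dc=}; dc=${dc%%,*}
    cat <<EOF
dn: $1
dc: $dc
objectClass: top
objectClass: domain

dn: cn=$2,$1
objectClass: organizationalRole
cn: $2
description: LDAP Manager

dn: ou=People,$1
objectClass: organizationalUnit
ou: People

dn: ou=Group,$1
objectClass: organizationalUnit
ou: Group
EOF
}
apply_all() {   # $1 domain, $2 server FQDN, $3 admin CN, $4 {SSHA} hash
    suffix=$(base_dn_from_domain "$1"); rootdn="cn=$3,$suffix"
    cert=/etc/openldap/certs/$2.cert; key=/etc/openldap/certs/$2.key
    render_db_ldif "$suffix" "$rootdn" "$4" > db.ldif
    render_monitor_ldif "$rootdn" > monitor.ldif
    render_certs_ldif "$cert" "$key" > certs.ldif
    render_base_ldif "$suffix" "$3" > base.ldif
    # Non-interactive self-signed cert; CN must be the name clients connect to.
    openssl req -new -x509 -nodes -days 365 -subj "/CN=$2" -keyout "$key" -out "$cert"
    chown ldap:ldap "$cert" "$key"; chmod 644 "$cert"; chmod 600 "$key"
    for f in db.ldif monitor.ldif certs.ldif; do ldapmodify -Y EXTERNAL -H ldapi:/// -f "$f"; done
    slaptest -u   # expect: config file testing succeeded
    cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
    chown -R ldap:ldap /var/lib/ldap
    for s in cosine nis inetorgperson; do ldapadd -Y EXTERNAL -H ldapi:/// -f "/etc/openldap/schema/$s.ldif"; done
    # The cert alone does not open port 636: slapd listens only on SLAPD_URLS.
    sed -i 's|^SLAPD_URLS=.*|SLAPD_URLS="ldapi:/// ldap:/// ldaps:///"|' /etc/sysconfig/slapd
    systemctl restart slapd
    ldapadd -x -H ldapi:/// -D "$rootdn" -W -f base.ldif   # data backend: bind as root DN
    ldapsearch -x -H "ldap://$2" -b "$suffix" -LLL dn        # expect 4 entries
    LDAPTLS_CACERT=$cert ldapsearch -x -H "ldaps://$2" -b "$suffix" -s base -LLL dn
}
# sh ldap-bootstrap.sh field.dreamvps.com myldap.field.dreamvps.com ldapadm "$(slappasswd)"
if [ $# -eq 4 ]; then apply_all "$@"; fi
```

The render functions are pure shell, so you can run them on any machine and inspect the LDIF before touching a server; apply_all only runs when all four arguments are given, and it must run as root on the CentOS 7 host because ldapmodify over ldapi relies on the peer credentials of the calling process. The final ldaps:// search passes the self-signed certificate as the CA through LDAPTLS_CACERT; a client without that trust setting is expected to fail the handshake, which is the behaviour you want.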
If you want to add users, you can load them from LDIF files the same way, or use a GUI such as Apache Directory Studio or JXplorer.
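Adding a user from the command line instead of a GUI, as an added example that is not part of the article: the script renders a posixGroup record and an inetOrgPerson/posixAccount/shadowAccount record with the password stored only as the {SSHA} hash slappasswd produces, refuses to create a duplicate login name or uidNumber, loads both records as the admin DN, and then proves the account works by doing a simple bind as the new user. The suffix dc=field,dc=dreamvps,dc=com and admin DN cn=ldapadm,... are the article's values; the user jdoe, uidNumber 10001 and the script name ldap-adduser.sh are my assumptions.

```shell
#!/bin/sh
# Added example, not the article's own code: create a POSIX user and its
# primary group in the People/Group OUs built above, then verify by binding.
# Hypothetical values: suffix dc=field,dc=dreamvps,dc=com, admin DN
# cn=ldapadm,dc=field,dc=dreamvps,dc=com, user jdoe with uidNumber 10001.
set -eu
render_group_ldif() {   # $1 suffix, $2 name (also memberUid), $3 gidNumber
    cat <<EOF
dn: cn=$2,ou=Group,$1
objectClass: top
objectClass: posixGroup
cn: $2
gidNumber: $3
memberUid: $2
EOF
}
# inetOrgPerson + posixAccount + shadowAccount is what nss/sssd clients expect;
# the user's primary gid is the group created with the same number.
render_user_ldif() {   # $1 suffix, $2 uid, $3 uidNumber, $4 "Given Surname", $5 {SSHA} hash
    cat <<EOF
dn: uid=$2,ou=People,$1
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: $2
cn: $4
sn: ${4##* }
givenName: ${4%% *}
uidNumber: $3
gidNumber: $3
homeDirectory: /home/$2
loginShell: /bin/bash
userPassword: $5
EOF
}
render_user_and_group() {   # same args as render_user_ldif; blank line separates the records
    render_group_ldif "$1" "$2" "$3"
    echo
    render_user_ldif "$@"
}
add_user() {   # $1 suffix, $2 admin DN, $3 uid, $4 uidNumber, $5 "Given Surname", $6 password
    # Refuse to create a duplicate login name or a colliding uidNumber.
    if ldapsearch -x -H ldapi:/// -b "$1" -LLL "(|(uid=$3)(uidNumber=$4))" dn | grep -q '^dn:'; then
        echo "uid $3 or uidNumber $4 already exists" >&2; return 1
    fi
    hash=$(slappasswd -s "$6")           # salted {SSHA} hash; the cleartext never reaches LDIF
    render_user_and_group "$1" "$3" "$4" "$5" "$hash" > "$3.ldif"
    ldapadd -x -H ldapi:/// -D "$2" -W -f "$3.ldif"
    rm -f "$3.ldif"
    # The real test: a simple bind as the new user succeeds only if the hash matches.
    ldapwhoami -x -H ldap://localhost -D "uid=$3,ou=People,$1" -w "$6"
    # Hardening check: an anonymous search should NOT return the hash. If this
    # prints a userPassword line, the data database has no olcAccess rule yet
    # (slapd's built-in default is read for everyone) and one must be added.
    ldapsearch -x -H ldapi:/// -b "uid=$3,ou=People,$1" -LLL userPassword
}
# sh ldap-adduser.sh dc=field,dc=dreamvps,dc=com cn=ldapadm,dc=field,dc=dreamvps,dc=com jdoe 10001 "Jane Doe" 'S3cret!'
if [ $# -eq 6 ]; then add_user "$@"; fi
```

The bind with ldapwhoami is the check that matters: it exercises the stored hash exactly the way a PAM or sssd client will. The anonymous search at the end is there to make you look at the access controls, because the monitor ACL set earlier protects only cn=monitor, not the entries under your suffix.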
That is it: OpenLDAP should now be installed and running on your CentOS 7 VPS.

Updated on December 23, 2018
