How to Set Up an LDAP Server for User Authentication

What is LDAP?

LDAP (Lightweight Directory Access Protocol) is an open, vendor-neutral protocol used for accessing and maintaining distributed directory information services. Commonly used for user authentication, LDAP organizes data in a hierarchical structure and allows centralized authentication for users and services.

Prerequisites

  1. A Linux server with root privileges.
  2. Basic knowledge of Linux commands.
  3. Access to a domain name (optional for naming).
  4. Installed sudo and apt, yum, or equivalent package managers.

Step 1: Install OpenLDAP

On Ubuntu/Debian

  1. Update the system:
    sudo apt update && sudo apt upgrade -y
  2. Install the OpenLDAP server and client utilities:
    sudo apt install slapd ldap-utils -y
  3. During installation, you’ll be prompted to set an admin password for LDAP. Provide a strong password.
  4. Reconfigure slapd (if needed):
    sudo dpkg-reconfigure slapd

    Follow the prompts to set your domain name, organization name, and other parameters.

On CentOS/RHEL

  1. Install the OpenLDAP server and client utilities:
    sudo yum install openldap openldap-servers openldap-clients -y
  2. Start and enable the slapd service:
    sudo systemctl start slapd
    sudo systemctl enable slapd
  3. Set an admin password:
    sudo ldappasswd -s your_password -W -D "cn=admin,dc=example,dc=com" -x

    Replace your_password with a strong password and modify the domain components (dc).


Step 2: Configure LDAP

1. Generate Password Hash

Generate a salted hash of the admin password so that only the hash, never the cleartext password, is stored in the directory:

slappasswd

Enter your desired password twice. Copy the resulting hash.

2. Modify LDAP Configuration

Create an LDIF file that defines your base domain entry and the admin entry with its hashed password.

  • Create a configuration file (e.g., base.ldif):
    dn: dc=example,dc=com
    objectClass: top
    objectClass: dcObject
    objectClass: organization
    o: Example Organization
    dc: example
    dn: cn=admin,dc=example,dc=com
    objectClass: organizationalRole
    objectClass: simpleSecurityObject
    cn: admin
    userPassword: {SSHA}hashed_password
    description: LDAP Administrator

    Replace example with your domain name and hashed_password with the output from slappasswd.

  • Add the configuration:
    sudo ldapadd -x -D "cn=admin,dc=example,dc=com" -W -f base.ldif

3. Add Organizational Units

Create an ou.ldif file to define organizational units (OUs):

dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Groups,dc=example,dc=com
objectClass: organizationalUnit
ou: Groups

Add the file:

sudo ldapadd -x -D "cn=admin,dc=example,dc=com" -W -f ou.ldif

Step 3: Add Users and Groups

1. Add a Group

Create a group.ldif file:

dn: cn=developers,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: developers
gidNumber: 5000

Add the group:

sudo ldapadd -x -D "cn=admin,dc=example,dc=com" -W -f group.ldif

2. Add a User

Create a user.ldif file:

dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
cn: John Doe
sn: Doe
uid: jdoe
uidNumber: 10000
gidNumber: 5000
homeDirectory: /home/jdoe
userPassword: {SSHA}hashed_password
loginShell: /bin/bash

Add the user:

sudo ldapadd -x -D "cn=admin,dc=example,dc=com" -W -f user.ldif
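Before handing group.ldif and user.ldif to ldapadd, it is worth checking them offline, since slapd rejects a missing required attribute only at import time and a cleartext userPassword or a gidNumber with no matching group is accepted silently and only shows up at login. The following pre-flight check is an added example (my own code, not from the original article or from OpenLDAP); it parses the small LDIF subset used in this guide and reports those problems for the entries shown above. The known_gids parameter is my own addition for files that add users whose groups already exist in the directory.

```python
"""Offline pre-flight check for the group.ldif and user.ldif files of Step 3.

Added example: my own code, not from the original article or from OpenLDAP.
It parses the LDIF subset used above (blank-line separated entries,
'attr: value' lines, a leading space marking a continuation line) and reports:
missing posixAccount/posixGroup attributes, a cleartext userPassword,
duplicate uidNumber/gidNumber values, and a user gidNumber with no group.
Base64 ('attr::') values are not handled because the article does not use them.
"""
from collections import defaultdict

# Attribute names are compared case-insensitively, as LDAP does.
REQUIRED = {
    "posixaccount": {"cn", "uid", "uidnumber", "gidnumber", "homedirectory"},
    "posixgroup": {"cn", "gidnumber"},
}
# RFC 2307 '{SCHEME}' prefixes; anything else would be stored as cleartext.
HASH_SCHEMES = ("{SSHA}", "{SHA}", "{SMD5}", "{MD5}", "{CRYPT}")


def parse_ldif(text):
    """Return a list of entries, each a dict of lower-cased attr -> [values]."""
    entries, current, last_attr = [], None, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.strip() == "":  # blank line ends the current entry
            if current is not None:
                entries.append(current)
            current = None
            continue
        if raw.startswith(" ") and current is not None and last_attr:
            current[last_attr][-1] += raw[1:]  # folded continuation line
            continue
        attr, _, value = raw.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = defaultdict(list)
        current[attr].append(value)
        last_attr = attr
    if current is not None:
        entries.append(current)
    return entries


def check_entries(entries, known_gids=()):
    """Return problem strings; known_gids are gidNumbers already in the directory."""
    problems, seen_uid, seen_gid = [], {}, {}
    group_gids = set(map(str, known_gids))
    for e in entries:  # first pass: collect every gidNumber a posixGroup defines
        if "posixgroup" in {c.lower() for c in e.get("objectclass", [])}:
            group_gids.update(e.get("gidnumber", []))
    for e in entries:
        dn = e["dn"][0]
        classes = {c.lower() for c in e.get("objectclass", [])}
        for oc, required in REQUIRED.items():
            if oc in classes:
                for attr in sorted(required - set(e)):
                    problems.append(f"{dn}: missing {attr} (required by {oc})")
        if "posixaccount" in classes:
            for n in e.get("uidnumber", []):
                if n in seen_uid:
                    problems.append(f"{dn}: uidNumber {n} already used by {seen_uid[n]}")
                seen_uid.setdefault(n, dn)
            for g in e.get("gidnumber", []):
                if g not in group_gids:
                    problems.append(f"{dn}: gidNumber {g} matches no posixGroup")
        if "posixgroup" in classes:
            for g in e.get("gidnumber", []):
                if g in seen_gid:
                    problems.append(f"{dn}: gidNumber {g} already used by {seen_gid[g]}")
                seen_gid.setdefault(g, dn)
        for pw in e.get("userpassword", []):
            if not pw.startswith(HASH_SCHEMES):
                problems.append(f"{dn}: userPassword is cleartext, use a slappasswd hash")
    return problems


def preflight(text, known_gids=()):
    """Parse LDIF text and return the list of problems found."""
    return check_entries(parse_ldif(text), known_gids)


# Constructed sample: the Step 3 group and user entries in one file.
SAMPLE_LDIF = """\
dn: cn=developers,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: developers
gidNumber: 5000

dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
cn: John Doe
sn: Doe
uid: jdoe
uidNumber: 10000
gidNumber: 5000
homeDirectory: /home/jdoe
userPassword: {SSHA}hashed_password
"""

if __name__ == "__main__":
    for line in preflight(SAMPLE_LDIF) or ["no problems found"]:
        print(line)
```

Run it with the contents of your own files concatenated (group first, then users) and fix every line it prints before running ldapadd; an empty result only means the file is internally consistent, not that the uidNumber values are free in the directory, so still check with ldapsearch against existing entries.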

Step 4: Test the LDAP Server

1. Search LDAP Entries

Use ldapsearch to query your LDAP server:

ldapsearch -x -LLL -b "dc=example,dc=com" -D "cn=admin,dc=example,dc=com" -W

2. Authenticate Users

Test authentication for a specific user:

ldapwhoami -x -D "uid=jdoe,ou=People,dc=example,dc=com" -W

Step 5: Configure LDAP Client for Authentication

1. Install Required Packages

On client machines:

  • Ubuntu/Debian:
    sudo apt install libnss-ldap libpam-ldap ldap-utils
  • CentOS/RHEL:
    sudo yum install nss-pam-ldapd

2. Configure LDAP Authentication

  • Update /etc/nsswitch.conf to include LDAP:
    passwd: files ldap
    group: files ldap
    shadow: files ldap
  • Test with:
    getent passwd

Conclusion

Setting up an LDAP server provides centralized authentication and user management for your organization. By following this guide, you can configure OpenLDAP, add users and groups, and integrate it with client systems. For enhanced security, consider enabling TLS for encrypted communication.
