How To Install OpenLDAP on Rocky Linux 9
In this tutorial, we will show you how to install OpenLDAP on Rocky Linux 9. For those of you who didn’t know, OpenLDAP is a lightweight directory service protocol that facilitates communication between client applications and a directory server, allowing centralized storage of user data, authentication, and access control. It boasts several key features, such as multi-master replication for high availability and fault tolerance, efficient indexing for fast data retrieval, and support for Secure Sockets Layer (SSL) and Transport Layer Security (TLS) for secure data transmission.
This article assumes you have at least basic knowledge of Linux, know how to use the shell, and most importantly, you host your site on your own VPS. The installation is quite simple and assumes you are running in the root account, if not you may need to add ‘sudo
‘ to the commands to get root privileges. I will show you the step-by-step installation of the OpenLDAP on Rocky Linux. 9.
Prerequisites
- A server running one of the following operating systems: Rocky Linux 9.
- It’s recommended that you use a fresh OS install to prevent any potential issues.
- SSH access to the server (or just open Terminal if you’re on a desktop).
- An active internet connection. You’ll need an internet connection to download the necessary packages and dependencies for OpenLDAP.
- A
non-root sudo user
or access to theroot user
. We recommend acting as anon-root sudo user
, however, as you can harm your system if you’re not careful when acting as the root.
Install OpenLDAP on Rocky Linux 9
Step 1. The first step is to update your system to the latest version of the package list. To do so, run the following commands:
sudo dnf check-update sudo dnf install dnf-utils epel-release mod_ssl
Step 2. Installing OpenLDAP on Rocky Linux 9.
Once Rocky Linux 9 is up and running, the next step is to install the OpenLDAP packages. Open a terminal and execute the following command to install the required components:
sudo dnf install openldap openldap-servers openldap-clients
The package manager will resolve dependencies and prompt you to confirm the installation. Type ‘Y‘ and press Enter to proceed. Rocky Linux will then download and install the packages.
Step 3. Configuring OpenLDAP.
To configure OpenLDAP, we need to initialize the LDAP database. Run the following command:
sudo slapadd -n 0 -F /etc/openldap/slapd.d -l /usr/share/openldap-servers/DB_CONFIG.example
Set the root user password for the LDAP server using the slappasswd
utility. This command will generate a secure password hash that we’ll use in the configuration file:
sudo slappasswd
Now, it’s time to configure the OpenLDAP server. Open the olcDatabase={2}hdb.ldif
file in a text editor:
nano /etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif
Locate the line that starts with olcRootDN
and replace it with the following, using the password hash you generated earlier:
olcRootDN: cn=Manager,dc=mydomain,dc=com olcRootPW: {SSHA}your_generated_password_hash
Replace dc=mydomain,dc=com
with the appropriate domain for your organization.
Next, we’ll set up the LDAP domain. Open the olcDatabase={1}monitor.ldif
file:
nano /etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif
Find the line that starts with olcAccess
and modify it to the following:
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external, cn=auth" read by dn.base="cn=Manager,dc=mydomain,dc=com" read by * none
Replace dc=mydomain,dc=com
with your domain.
After configuring OpenLDAP, you can start the OpenLDAP server by running the following command:
sudo systemctl enable slapd sudo systemctl start slapd
Step 4. Securing OpenLDAP
- A. Implementing TLS/SSL:
To secure data communication with OpenLDAP, we’ll implement TLS/SSL certificates. Start by creating a certificate directory:
sudo mkdir /etc/openldap/certs
Next, generate a private key and a certificate signing request (CSR):
sudo openssl req -new -nodes -out /etc/openldap/certs/mydomain.csr -keyout /etc/openldap/certs/mydomain.key -subj "/C=US/ST=State/L=City/O=MyCompany/CN=mydomain.com"
Replace the country (C), state (ST), city (L), organization (O), and common name (CN) with your organization’s details.
Now, create a self-signed certificate using the CSR:
sudo openssl x509 -req -in /etc/openldap/certs/mydomain.csr -out /etc/openldap/certs/mydomain.crt -signkey /etc/openldap/certs/mydomain.key -days 365
- B. Access Control:
Implement access control rules to secure data access. Open the olcDatabase={2}hdb.ldif
file:
nano /etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif
Locate the olcAccess
line and modify it to restrict access as needed:
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=mydomain,dc=com" write by * none olcAccess: {1}to * by self read by dn="cn=admin,dc=mydomain,dc=com" write by * read
Replace dc=mydomain,dc=com
with your domain.
Step 5. Integrating OpenLDAP with Applications.
- A. Configuring Client Systems:
To authenticate client systems against the OpenLDAP server, you need to configure the client system’s LDAP client accordingly.
Install the LDAP client packages on the client system:
sudo dnf install openldap openldap-clients
Create an LDAP configuration file:
sudo nano /etc/openldap/ldap.conf
Add the following lines to the file:
BASE dc=mydomain,dc=com URI ldap://your_ldap_server_ip
Replace dc=mydomain,dc=com
with your domain and your_ldap_server_ip
with the IP address of your LDAP server.
To ensure successful configuration, use the ldapsearch
command to test LDAP connectivity:
ldapsearch -x -b "dc=mydomain,dc=com" -D "cn=Manager,dc=mydomain,dc=com" -W
Congratulations! You have successfully installed OpenLDAP. Thanks for using this tutorial for installing OpenLDAP on your Rocky Linux 9 system. For additional help or useful information, we recommend you check the official OpenLDAP website.