Sunday, 28 October 2012

OpenLDAP 2.4 Configuration

Hello everybody, today we are going to create an OpenLDAP server for central authentication. I won't give you an introduction to the LDAP service, just a basic configuration. In the end you will have a working server without any objects and with one access rule.

I'm going to install the OpenLDAP server on CentOS 6.3 from the binary package, not from source. The current version of the openldap-servers package, as of the day I'm writing this, is 2.4.23.

# yum install openldap-servers

Since version 2.3 OpenLDAP has a new configuration engine that uses LDIF files to configure the server and the directory database. The new dynamic runtime configuration engine with its LDIF files is a little tricky until you get used to it.

First you need a username and password for the slapd configuration database; later you can use it to add another database or module, or to extend the default schema. Next you need a separate admin user for configuring the actual LDAP tree database. These two accounts are configured in different files.

For the configuration database you should add these two lines to /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{0\}config.ldif

olcRootDN: cn=root,cn=config
olcRootPW: {SSHA}rtCwogFExs+w4sE2Mp1RtNnio2SWgijY

The olcRootDN attribute contains the administrator's distinguished name (the first common name can be admin, manager, or whatever you like, but the second one must be config, e.g. cn=admin,cn=config) and the olcRootPW attribute contains the password. The password is not stored in plain text but as a salted SHA hash ({SSHA}). This is the most secure option: even if someone reads the file, it is almost impossible to recover the original password. You can generate a password hash with the slappasswd utility and copy its output into the olcRootPW attribute.

# slappasswd

Notice: you can put the password directly in plain text in the configuration file, without using slappasswd. This is not recommended from a security point of view. In that case the attribute looks like this:
olcRootPW: {CLEARTEXT}MyPassword
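The two storage forms above can be told apart mechanically. The following added example (my code, not part of the original post or of OpenLDAP) builds an {SSHA} value in the layout slappasswd uses, '{SSHA}' followed by base64(sha1(password + salt) + salt), verifies a candidate password against it, and audits an LDIF fragment for olcRootPW attributes that are stored in {CLEARTEXT} or with no scheme at all. The LDIF entries are constructed sample data; the SAFE_SCHEMES set and the fixed salt b"abcd" are my assumptions for the demonstration.

```python
import base64
import hashlib
import hmac
import os

def ssha_hash(password, salt=None):
    """Build an {SSHA} value in the layout slappasswd uses:
    '{SSHA}' + base64( sha1(password + salt) + salt ).
    The salt travels inside the value, which is what lets slapd verify it later."""
    if salt is None:
        salt = os.urandom(4)          # slappasswd uses a short random salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(password, stored):
    """Check a candidate password against an {SSHA} value (constant-time compare)."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]   # SHA-1 digests are 20 bytes; the rest is the salt
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)

# Assumption for this audit: only salted schemes are acceptable; everything else is flagged.
SAFE_SCHEMES = {"SSHA", "CRYPT"}

def audit_root_pw(ldif_text):
    """Scan LDIF text for olcRootPW attributes and return (line_number, scheme)
    for every value that is not stored under a salted scheme.
    'olcRootPW::' (two colons) means the LDIF value is base64-encoded."""
    findings = []
    for n, line in enumerate(ldif_text.splitlines(), 1):
        if line.startswith("olcRootPW::"):
            value = base64.b64decode(line.split("::", 1)[1].strip()).decode("utf-8", "replace")
        elif line.startswith("olcRootPW:"):
            value = line.split(":", 1)[1].strip()
        else:
            continue
        if value.startswith("{") and "}" in value:
            scheme = value[1:value.index("}")].upper()
        else:
            scheme = "NONE"               # no {scheme} prefix: the password itself is stored
        if scheme not in SAFE_SCHEMES:
            findings.append((n, scheme))
    return findings

# Constructed sample: three config-style entries, only the second stores a salted hash.
SAMPLE_LDIF = (
    "dn: olcDatabase={0}config\n"
    "olcRootDN: cn=root,cn=config\n"
    "olcRootPW: {CLEARTEXT}MyPassword\n"
    "\n"
    "dn: olcDatabase={2}bdb\n"
    "olcRootDN: cn=admin,dc=mycompany,dc=com\n"
    "olcRootPW: " + ssha_hash("MyPassword", salt=b"abcd") + "\n"
    "\n"
    "dn: olcDatabase={3}hdb\n"
    "olcRootDN: cn=admin,dc=example,dc=org\n"
    "olcRootPW:: " + base64.b64encode(b"plainpassword").decode("ascii") + "\n"
)

if __name__ == "__main__":
    h = ssha_hash("MyPassword")
    print(h, ssha_verify("MyPassword", h), ssha_verify("wrong", h))
    for line_no, scheme in audit_root_pw(SAMPLE_LDIF):
        print("line %d: olcRootPW stored with scheme %s" % (line_no, scheme))
```

Running the audit over a real /etc/openldap/slapd.d tree (read the files, feed their text to audit_root_pw) is a quick check that no administrator password has been left in clear text after following the steps in this post.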

Every LDAP tree has an admin account for adding objects to the tree and changing their attributes. This is the first object you should create when configuring the directory tree. OpenLDAP comes with a preinstalled database; on CentOS its file is /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}bdb.ldif
The olcRootDN attribute is already populated by default. You can keep the common name, but you should change the domain components to reflect your organization's structure. Use slappasswd again to generate a password hash and add an olcRootPW attribute with the output of the slappasswd command.

olcRootDN: cn=admin,dc=mycompany,dc=com
olcRootPW: {SSHA}rtCwogFExs+w4sE2Mp1RtNnio2SWgijY

Note: Do not copy paste directly the olcRootPW attribute from here!

In /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}bdb.ldif you should also change the olcSuffix attribute so it represents your organization's structure. The default configuration of the directory tree doesn't include any access rules. I'll give one rule I think is mandatory for every directory, but it's up to you to add more rules that suit your organization's needs:

olcAccess: to * by self write by anonymous auth by users read

The order of the rules is very important, because slapd stops at the first rule that matches the entry and/or attribute; that access directive is the one slapd uses to evaluate access. If there is no match, access is denied. More information and details about configuring ACLs can be found in the OpenLDAP Administration Guide.
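To make the first-match semantics concrete, here is an added example (my code, not part of the post or of OpenLDAP) that simulates how slapd picks a `to` clause and then a `by` clause for the rule above. It supports only the selectors needed here (`*`, `attrs=`, `dn.subtree=`, `self`, `anonymous`, `users`, `dn.exact=`) and follows the post's description that no match means no access; the second rule protecting userPassword, the DNs and the LEVELS ordering are my assumptions for the demonstration.

```python
# Access levels in increasing order; a grant of one level implies all lower ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def parse_access(directive):
    """Parse one olcAccess value: 'to <what> by <who> <level> [by <who> <level> ...]'.
    Assumes the simple three-token 'by' clauses used in this post."""
    tokens = directive.split()
    if tokens[0] != "to":
        raise ValueError("olcAccess value must start with 'to'")
    by_pos = [i for i, t in enumerate(tokens) if t == "by"]
    what = tokens[1:by_pos[0]]
    clauses = [(tokens[i + 1], tokens[i + 2]) for i in by_pos]
    return what, clauses

def _unquote(s):
    return s.strip('"')

def target_matches(what, entry_dn, attr):
    """Does the <what> part select this entry (and attribute, if one is being accessed)?"""
    for cond in what:
        if cond == "*":
            continue
        if cond.startswith("attrs="):
            # an attrs= rule never matches entry-level (attr is None) access
            if attr is None or attr not in cond[len("attrs="):].split(","):
                return False
        elif cond.startswith("dn.subtree="):
            base = _unquote(cond[len("dn.subtree="):])
            if not (entry_dn == base or entry_dn.endswith("," + base)):
                return False
        else:
            raise ValueError("unsupported <what> selector: " + cond)
    return True

def who_matches(who, requester, entry_dn):
    """Does the <who> part select the requester? requester=None means an anonymous bind."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if who == "self":
        return requester is not None and requester == entry_dn
    if who.startswith("dn.exact="):
        return requester == _unquote(who[len("dn.exact="):])
    raise ValueError("unsupported <who> selector: " + who)

def evaluate(rules, requester, entry_dn, attr=None):
    """First matching 'to' wins; inside it the first matching 'by' wins;
    a matching 'to' with no matching 'by' behaves like an implicit 'by * none'."""
    for what, clauses in rules:
        if not target_matches(what, entry_dn, attr):
            continue
        for who, level in clauses:
            if who_matches(who, requester, entry_dn):
                return level
        return "none"
    return "none"          # no directive matched at all: denied, as the post describes

def allows(granted, needed):
    """'write' also satisfies read/search/compare/auth; 'auth' does not satisfy read."""
    return LEVELS.index(granted) >= LEVELS.index(needed)

# The post's rule plus one assumed rule that keeps userPassword private.
GENERAL = "to * by self write by anonymous auth by users read"
PASSWORD = "to attrs=userPassword by self write by anonymous auth by * none"

if __name__ == "__main__":
    bob, alice = "uid=bob,dc=mycompany,dc=com", "uid=alice,dc=mycompany,dc=com"
    good = [parse_access(PASSWORD), parse_access(GENERAL)]
    bad = [parse_access(GENERAL), parse_access(PASSWORD)]   # same rules, wrong order
    print("alice -> bob's userPassword, good order:", evaluate(good, alice, bob, "userPassword"))
    print("alice -> bob's userPassword, bad order: ", evaluate(bad, alice, bob, "userPassword"))
```

With the password rule listed first, another user gets "none" on bob's userPassword and "read" on his other attributes; listing the post's catch-all rule first makes the password rule unreachable, so userPassword becomes readable by every authenticated user. That is the ordering point the paragraph above makes.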

Before starting the slapd daemon you can check the configuration for errors with the slaptest command. On CentOS the files inside /var/lib/ldap are owned by root, so you should change that:
# chown ldap.ldap /var/lib/ldap/*

And finally start the daemon with:
# /etc/init.d/slapd start

If everything is OK, check that the daemon is listening with the command:
# netstat -patune | grep slapd

By default slapd messages are not logged; if you want to know what the daemon is doing, add the following lines to /etc/rsyslog.conf

#Log file for slap daemon
local4.* /var/log/slapd.log

One more thing to do to get slapd log files: inside /etc/openldap/slapd.d/cn\=config.ldif add the following line.

olcLogLevel: 0x20 0x40 0x80 0x100

These log levels give information about search filter processing (0x20), configuration file processing (0x40), access control list processing (0x80) and statistics on connections/operations/results (0x100). You can add even more; all log levels are documented in the slapd-config manual page. Restart both rsyslog and slapd for the changes to take effect.

# /etc/init.d/rsyslog restart
# /etc/init.d/slapd restart
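Once the stats level (0x100) is on, /var/log/slapd.log records every connection, bind and result, which is what you need to spot repeated failed logins against the admin DNs configured earlier. The added example below (my code, not the post's) correlates the ACCEPT, BIND and RESULT lines by connection and operation number and counts binds that ended in err=49 (LDAP invalidCredentials) per client IP. The log lines are constructed to follow the shape slapd stats logging produces through rsyslog; the threshold of three failures is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of slapd stats (0x100) lines as written by rsyslog.
SAMPLE_LOG = """\
Oct 28 10:00:01 ldap1 slapd[1234]: conn=1001 fd=14 ACCEPT from IP=192.0.2.10:51234 (IP=0.0.0.0:389)
Oct 28 10:00:01 ldap1 slapd[1234]: conn=1001 op=0 BIND dn="cn=admin,dc=mycompany,dc=com" method=128
Oct 28 10:00:01 ldap1 slapd[1234]: conn=1001 op=0 RESULT tag=97 err=49 text=
Oct 28 10:00:02 ldap1 slapd[1234]: conn=1001 op=1 BIND dn="cn=admin,dc=mycompany,dc=com" method=128
Oct 28 10:00:02 ldap1 slapd[1234]: conn=1001 op=1 RESULT tag=97 err=49 text=
Oct 28 10:00:03 ldap1 slapd[1234]: conn=1001 op=2 BIND dn="cn=admin,dc=mycompany,dc=com" method=128
Oct 28 10:00:03 ldap1 slapd[1234]: conn=1001 op=2 RESULT tag=97 err=49 text=
Oct 28 10:00:03 ldap1 slapd[1234]: conn=1001 fd=14 closed
Oct 28 10:00:05 ldap1 slapd[1234]: conn=1002 fd=15 ACCEPT from IP=192.0.2.20:40001 (IP=0.0.0.0:389)
Oct 28 10:00:05 ldap1 slapd[1234]: conn=1002 op=0 BIND dn="uid=alice,ou=people,dc=mycompany,dc=com" method=128
Oct 28 10:00:05 ldap1 slapd[1234]: conn=1002 op=0 RESULT tag=97 err=0 text=
"""

ACCEPT_RE = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+")
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)")  # tag=97 is a BindResponse

def failed_binds(log_text):
    """Map client IP -> list of DNs whose bind on that connection returned err=49."""
    conn_ip = {}                    # conn id -> client IP, learned from the ACCEPT line
    pending = {}                    # (conn, op) -> bind DN, until its RESULT arrives
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = ACCEPT_RE.search(line)
        if m:
            conn_ip[m.group(1)] = m.group(2)
            continue
        m = BIND_RE.search(line)
        if m:
            pending[(m.group(1), m.group(2))] = m.group(3)
            continue
        m = RESULT_RE.search(line)
        if m:
            conn, op, err = m.groups()
            dn = pending.pop((conn, op), None)
            if dn is not None and err == "49":      # invalidCredentials
                failures[conn_ip.get(conn, "unknown")].append(dn)
    return dict(failures)

def suspicious_sources(log_text, threshold=3):
    """Client IPs with at least `threshold` failed binds (threshold is an assumption)."""
    return sorted(ip for ip, dns in failed_binds(log_text).items() if len(dns) >= threshold)

if __name__ == "__main__":
    for ip, dns in failed_binds(SAMPLE_LOG).items():
        print("%s: %d failed binds, DNs tried: %s" % (ip, len(dns), sorted(set(dns))))
    print("sources over threshold:", suspicious_sources(SAMPLE_LOG))
```

Point the same functions at the real file (`failed_binds(open("/var/log/slapd.log").read())`) to get a per-source count of failed binds; the correlation by conn and op matters because slapd logs the client address only once, on the ACCEPT line, not on every operation.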

More information can be found in the OpenLDAP Administration Guide (http://www.openldap.org/doc/); the full reference for the configuration attributes is in the slapd-config manual page.
I highly recommend the book Mastering OpenLDAP: Configuring, Securing and Integrating Directory Services for more configuration options and information about the LDAP protocol and the OpenLDAP server. The only downside is that it is written for the old slapd.conf configuration syntax, and the configuration examples must be rebuilt to suit the new one.
 
