Linux Message Center

3. OpenLDAP

3.1 Installation

Installation is rather simple. Get the openldap-server and openldap-client package from the second Redhat CD and install it with "rpm -ihv <pkgname>". I recommend using the 2.0 series or later of OpenLDAP, because it supports LDAPv3 and encryption. Don't forget to start the daemon at boot time by either using in Linuxconf or creating a link to the start script in the appropriate directories.

3.2 Basic configuration

Now we have to tell slapd (the OpenLDAP daemon) some parameter it have to know. The file /etc/openldap/slapd.conf contains the configuration directives which you have to change to match your needs.

The suffix directive specifies the root of the LDAP tree. The simplest way is to use your domain code (e.g. linuxnetworks.de):


suffix	"dc=linuxnetworks,dc=de"

Furthermore we need somebody we can give all rights to add, modify or delete the tree. This is equivalent to the "root" account in Unix. Here it is often called the "Manager" account.


rootdn	"cn=Manager,dc=linuxnetworks,dc=de"

Finally, this Manager account must be protected by a password. It is highly recommended to store a hashed password in this config file. "slappasswd" can be used to create such a string, which can be inserted in the rootpw line.


rootpw	<secrethashedpassword>

3.3 Access control

We have to restrict write access to the entries to the Manager except for the user subtree. This subtree must also be writeable by the LMC Admin, which is created in the next section. Then the LMC Admin is able to create new users, modify the attributes of existing users and delete users. The first ACL ensures that users can change their password with their one privileges. To match your needs simply replace "linuxnetworks" and "de" with your own second and top level domain code and then append it to the slapd.conf. Restart the OpenLDAP server after you finished the editing of slapd.conf.


access to attr="userPassword"
 by self write
 by dn="cn=Manager,dc=linuxnetworks,dc=de" write
 by dn="cn=lmcadmin,ou=user,dc=linuxnetworks,dc=de" write
 by anonymous auth
 by * none

access to dn=".*,ou=user,dc=linuxnetworks,dc=de"
 by dn="cn=Manager,dc=linuxnetworks,dc=de" write
 by dn="cn=lmcadmin,ou=user,dc=linuxnetworks,dc=de" write
 by * read

access to *
 by dn="cn=Manager,dc=linuxnetworks,dc=de" write
 by * read

3.4 Create lmcadmin

To create the account described above (lmcadmin), we have to create the tree structure first and then insert the lmcadmin entry. Replace the second and top level domain code with yours and write the resulting text into a file.


dn: dc=linuxnetworks,dc=de
objectclass: top
objectclass: dcObject
dc: linuxnetworks

dn: ou=user,dc=linuxnetworks,dc=de
objectclass: top
objectclass: organizationalUnit
ou: user

dn: cn=lmcadmin,ou=user,dc=linuxnetworks,dc=de
objectclass: top
objectclass: person
objectclass: inetOrgPerson
cn: lmcadmin
sn: lmcadmin
uid: lmcadmin
userPassword: <secrethashedpassword>

The contents of this file must be inserted into the OpenLDAP server. Therefore open a shell and type the following command (don't forget to replace second and top level domain):


ldapadd -D "cn=Manager,dc=linuxnetworks,dc=de" -W -x -f <file>

You will be asked for the Manager password (this one you inserted into the slapd.conf) and then the entries will be written to the database. You can check it by typing


ldapsearch -x "objectclass=*"

into the shell. Then you get a list of all objects (entries) which are in the database.

3.5 PAM authentication

Finally, we have to convince the Linux system to look for users not only in /etc/passwd but also in the LDAP tree. Therefore we can modify /etc/ldap.conf, /etc/nsswitch.conf and the /etc/pam.d/* files by hand or use the "authconfig" program. If it isn't already installed on your system (provided you use Redhat 7.x) you will find it on the second CD.

You can select the usage of a LDAP server for authentication and insert this parameters:


server: localhost
basedn: ou=user,dc=linuxnetworks,dc=de

Don't forget to replace "linuxnetworks" and "de" with your second and top level domain code.

Previous Contents Next