OpenLDAP Installation and Configuration — Offline Environment

The main focus of this article is to share my experience on installing OpenLDAP in a internet connectivity restricted environment and some of the other areas I spent more time to get understood to do the configuration.

Hope this helps someone in the similar situation.

When I started the installation, below are my considerations.

  1. Need to install without pulling the libraries using yum ( As working with CentOS 7 / Red Hat 7.5).
  2. Need to enable ldaps connectivity.
  3. Need to enable the logging and move it to a preferred location.
  4. Need to move the default database location to my preferred location where the disk space is high.

Let’s get started.

Initial Installation

I’m using Ansible scripting to do the deployment to the remote Open LDAP server. If you need to get understand on that please refer my previous blog “Remote Server Management with Ansible”.

As a first step download all the rpm files from https://centos.pkgs.org or https://rpmfind.net. Here are the list of needed RPMs.

compat-openldap-2.3.43–5.el7.x86_64.rpm
cyrus-sasl-devel-2.1.26–23.el7.x86_64.rpm
openldap-2.4.44–21.el7_6.x86_64.rpm
openldap-clients-2.4.44–21.el7_6.x86_64.rpm
openldap-devel-2.4.44–21.el7_6.x86_64.rpm
openldap-servers-2.4.44–21.el7_6.x86_64.rpm
openldap-servers-sql-2.4.44–21.el7_6.x86_64.rpm
unixODBC-2.3.1–14.el7.x86_64.rpm

The above list worked fine with centos 7, but with Red Hat 7.5 required additional library:

cyrus-sasl-2.1.26–23.el7.x86_64.rpm and this needed by the cyrus-sasl-devel-2.1.26–23.el7.x86_64.rpm

Then you need to use the Ansible Script ( Download it from Github ) to execute the initial installation. when you go through my script you can refer the comments to understand the reason for each of them. You can execute

ansible-playbook -i inventories/dev/hosts site.yml — tags=openldapinstallation

or

In two steps, to verify the initial and the do the configuration update can execute as below.

ansible-playbook -i inventories/dev/hosts site.yml — tags=ldapinstallstep1

ansible-playbook -i inventories/dev/hosts site.yml — tags=ldapinstallstep2

After a successful execution, check the status “systemctl status slapd.service” or “service slapd status”.

Enabling SSL

Go to “vi /etc/sysconfig/slapd” and update the

SLAPD_URLS=”ldapi:/// ldap:/// ldaps:///”

Then do a “systemctl restart slapd”, If it is failed go to

vi /etc/sysconfig/selinux and update enforcing to permissive Or else you set it using the below command but this is temporary.

sudo setenforce Permissive

Then do a “systemctl restart slapd”. Now if you execute the below command you will see that the 636 port is started to listen.

netstat -antup | grep -i 636

Enabling Logs

By default there will be no logs enabled, so to do that first we need to update the config to what level of log need to be configured. We have already done that using the Ansible script. Below section in the Ansible code done that.

- block:
— name: “Enable Logs”
command: “/usr/bin/ldapmodify -Y EXTERNAL -H ldapi:/// -f {{openldap_directory}}/openldap/ldifs/logenable.ldif”
become: yes
become_user: root
tags: [ logenable, ldapinstallstep2 ]

Then we need to update the rsyslog.conf

sudo vi /etc/rsyslog.conf

add the blow to the file.

local4.* /openldapserver/openldap/logs/slapd.log

after that do a restart

service rsyslog restart

After a successful update if you do a ldap search then you will see that the logs get printed.

Moving the Database

Stop the slapd service: sudo service slapd stop

Execute slapcat -b “cn=config” >> slapdbackup.ldif and get a backup of the configuration.

copy the database files to the new location:

cp -R /var/lib/ldap /openldapserver/openldap/data/

Note: In DB_CONFIG you need to specify the same location.

Update the owner of the data directory

chown -R ldap:ldap /openldapserver/openldap/data

Open the slapdbackup.ldif and update the “olcDbDirectory” to your preferred location here it is /openldapserver/openldap/data/ldap as i copied the directory also.

Now remove all the conf files inside /etc/ldap/slapd.d

Execute the below give ownership to ldap user:

sudo chown -R ldap:ldap /etc/openldap/slapd.d

To apply the configuration execute the below:

sudo slapadd -F /etc/openldap/slapd.d -b cn=config -l slapdbackup.ldif

Again add ownership to ldap user: sudo chown -R ldap:ldap /etc/openldap/slapd.d

Now start the service: service slapd start

That’s it all done.

If you need to contact from a third party application through ldaps then you need to get the certificate from the ldap server and upload it to the truststore. You can use the below command to that.

keytool -importcert -file ldaps.cert -keystore truststore.jks -alias “ldapssl”

References

[1] https://linuxhostsupport.com/blog/how-to-install-ldap-on-centos-7/

[2] https://www.golinuxcloud.com/install-and-configure-openldap-centos-7-linux/

[3] https://www.tecmint.com/disable-selinux-in-centos-rhel-fedora/

[4] http://tutoriels.meddeb.net/openldap-tutorial-log/

Senior Tech Lead — Enterprise Integration | WSO2 Certified Solution Architect | https://ajanthane.blogspot.com/

Senior Tech Lead — Enterprise Integration | WSO2 Certified Solution Architect | https://ajanthane.blogspot.com/