
How to configure LDAP on Fedora

Edited 3 weeks ago by ExtremeHow Editorial Team

LDAP, the Lightweight Directory Access Protocol, is a protocol for reading and modifying directory information such as users, groups and hosts. It is commonly used to keep account data in one place so that many systems can look up and authenticate the same users. This guide sets up OpenLDAP on Fedora: installing the packages, configuring the server through its cn=config database, starting the service, populating the directory, pointing a client at it, and verifying the result.

Step 1: Install the OpenLDAP package

To get started with LDAP on Fedora, we first need to install the OpenLDAP package. OpenLDAP provides the tools needed to set up an LDAP server. To install the OpenLDAP package, open the terminal and execute the following command:

sudo dnf install openldap-servers openldap-clients

This command installs both the OpenLDAP server and client packages. The server package contains the files needed for an LDAP server, while the client package provides tools for interacting with LDAP directories.

Step 2: Configure OpenLDAP

Once the packages are installed, the server has to be configured. OpenLDAP keeps its runtime configuration (the cn=config database) under /etc/openldap/slapd.d/ as LDIF files (cn=config.ldif plus the cn=config/ subdirectory). Do not edit those files by hand: changes are submitted to the running server with ldapmodify over the local ldapi:/// socket, authenticating as root with SASL EXTERNAL. Because the changes go through the running server, slapd must already be started (Step 3) before you apply them.

2.1 Set the suffix, rootDN and root password

The suffix is the base DN under which all of your entries live. The rootDN is the distinguished name of the directory administrator; it bypasses every access rule, so its password must be strong and must never be copied into client configurations. Fedora's shipped configuration already defines the data database as olcDatabase={2}mdb,cn=config with the placeholder suffix dc=my-domain,dc=com and rootDN cn=Manager,dc=my-domain,dc=com, so these values are replaced rather than added. Create a file called base.ldif with the following contents:

# base.ldif: point the mdb data database at your suffix and set the admin DN and password
dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=example,dc=com
-
replace: olcRootDN
olcRootDN: cn=Manager,dc=example,dc=com
-
replace: olcRootPW
olcRootPW: <hashed_password_here>

Replace dc=example,dc=com with the components of your own domain and <hashed_password_here> with a password hash. Generate the hash with slappasswd:

slappasswd

Enter the password twice when prompted; the output is a salted SHA-1 hash of the form {SSHA}..., which goes in place of <hashed_password_here>. Do not put the cleartext password in the file, and delete base.ldif once it has been applied, since it contains the hash.

2.2 Create the base entry and the administrator entry

Create another file called domain.ldif that defines the top-level entry for your suffix and an entry for the Manager DN:

# top-level entry for the suffix configured in base.ldif
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: Example Company
dc: example

# entry for the rootDN; binding as the rootDN works without it, but tools expect it to exist
dn: cn=Manager,dc=example,dc=com
objectClass: organizationalRole
cn: Manager

Again, replace dc=example,dc=com and Example Company with your own domain components and organization name. The o attribute is required by the organization object class, and dc must equal the leftmost domain component of the DN.

Apply the configuration change first, as root over the local ldapi:/// socket (slapd must already be running for this, see Step 3). Then add the base entries by binding as the rootDN: the shipped configuration gives the local root identity management rights on cn=config only, not on the data database, so an EXTERNAL bind cannot write entries there.

sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f base.ldif
sudo ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f domain.ldif
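One more cn=config change belongs at this point. With no olcAccess rules on the data database (the shipped configuration has none), slapd's default policy lets anyone read every attribute, including userPassword, so an anonymous search returns the password hashes of every account you add later. The following acl.ldif is an added example, not part of the original guide; it assumes the olcDatabase={2}mdb,cn=config database and the suffix used above.

```ldif
# acl.ldif (added example): userPassword may be used to authenticate and
# changed by its owner, but never read; everything else stays readable.
# The rootDN is not subject to these rules.
dn: olcDatabase={2}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by self write
  by anonymous auth
  by * none
olcAccess: {1}to *
  by * read
```

Apply it the same way as the other cn=config change, as root over the socket: sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif. If the directory should not be browsable anonymously at all, change the last rule to by users read.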

Step 3: Start and enable the LDAP service

slapd must be running before the cn=config changes from Step 2 can be applied over ldapi:///, so if you have not already done so, start it now and enable it so that it comes up at boot:

sudo systemctl start slapd
sudo systemctl enable slapd

To check that the service is running, use:

sudo systemctl status slapd

As shipped, slapd listens on ldap:/// (cleartext TCP port 389) and on the local ldapi:/// socket, controlled by SLAPD_URLS in /etc/sysconfig/slapd. That is enough for the local client configured later in this guide. For clients on other machines you would also have to open the ldap (or preferably ldaps) service in firewalld and configure TLS on the server, which this guide does not cover.

Step 4: Adding LDAP entries

Now that the server is running, the next step is to add entries to the directory. An entry is a set of attributes identified by its distinguished name (DN). You describe entries in an LDIF file and load them with ldapadd, binding as the rootDN because by default only the rootDN may write to the database.

4.1 Create an organizational unit

Create an LDIF file named ou.ldif to define the organizational unit (OU) in your LDAP structure:

dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

Add the organizational unit to the LDAP directory with the following command:

sudo ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f ou.ldif

When prompted, enter the password for the LDAP manager that you configured earlier.

4.2 Add user entries

To add user entries, create another LDIF file named user.ldif with the user details:

# user.ldif: a POSIX user account. inetOrgPerson supplies the name and mail
# attributes; posixAccount and shadowAccount supply the fields a Linux client needs.
dn: uid=john.doe,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: John Doe
sn: Doe
uid: john.doe
# keep uidNumber/gidNumber well above 1000: Fedora hands out local user IDs from 1000 up
uidNumber: 10000
gidNumber: 10000
homeDirectory: /home/john.doe
loginShell: /bin/bash
mail: john.doe@example.com
userPassword: <hashed_password>

Replace the fields with the user's details. gidNumber must refer to a group the client can resolve, either a posixGroup entry in the directory or a local group with that number. <hashed_password> is produced with slappasswd exactly as in Step 2.1; slapd stores whatever value you give it and does not hash a cleartext password for you unless a password policy overlay is configured. Adding the entry does not create the home directory on the client.

Add the user to the LDAP directory using the ldapadd command:

sudo ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f user.ldif
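Writing user.ldif by hand is fine for one account, but as soon as the values come from a form or a spreadsheet, the DN and the LDIF syntax have to be protected from the input. The following is an added example, not code from the guide or from OpenLDAP: it builds the user entry and a matching posixGroup from a record, validates the login name, escapes DN values per RFC 4514, and switches to base64 LDIF values where RFC 2849 requires it. The suffix, ou=Groups and the 10000 starting number are assumptions.

```python
import base64
import re
from typing import Dict, List, Sequence

# Added example, not from the original guide or OpenLDAP.
BASE_DN = "dc=example,dc=com"        # assumed suffix, as in the guide
UID_START = 10000                    # first number to hand out; Fedora local users start at 1000
_DN_SPECIAL = ',+"\\<>;='
_UID_RE = re.compile(r"^[a-z_][a-z0-9_.-]{0,31}$")   # POSIX login names we accept


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use in a DN (RFC 4514 section 2.4)."""
    out = []
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and i in (0, len(value) - 1):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def ldif_line(attr: str, value: str) -> str:
    """Render 'attr: value', or 'attr:: base64' when LDIF (RFC 2849) requires it."""
    plain = (
        value.isascii()
        and not value.startswith((" ", ":", "<"))
        and not value.endswith(" ")
        and not any(c in value for c in "\r\n\x00")
    )
    if plain:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def next_uid_number(existing: Sequence[int]) -> int:
    """Allocate the next free number at or above UID_START, given numbers already in use."""
    used = [n for n in existing if n >= UID_START]
    return max(used) + 1 if used else UID_START


def user_ldif(record: Dict[str, str], uid_number: int, password_hash: str) -> str:
    """Return LDIF for a posixAccount plus its user-private posixGroup."""
    uid = record["uid"]
    if not _UID_RE.match(uid):
        raise ValueError(f"invalid login name: {uid!r}")
    # The RDN is built from a validated uid; escaping is still applied as defence in depth.
    user_dn = f"uid={escape_dn_value(uid)},ou=People,{BASE_DN}"
    group_dn = f"cn={escape_dn_value(uid)},ou=Groups,{BASE_DN}"
    lines: List[str] = [
        f"dn: {user_dn}",
        "objectClass: inetOrgPerson",
        "objectClass: posixAccount",
        "objectClass: shadowAccount",
        ldif_line("cn", record["cn"]),
        ldif_line("sn", record["sn"]),
        f"uid: {uid}",
        f"uidNumber: {uid_number}",
        f"gidNumber: {uid_number}",          # user-private group with the same number
        f"homeDirectory: /home/{uid}",
        "loginShell: /bin/bash",
        ldif_line("mail", record["mail"]),
        ldif_line("userPassword", password_hash),
        "",
        f"dn: {group_dn}",
        "objectClass: posixGroup",
        f"cn: {uid}",
        f"gidNumber: {uid_number}",
        f"memberUid: {uid}",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    rec = {"uid": "jane.roe", "cn": "Jane Roe", "sn": "Roe", "mail": "jane.roe@example.com"}
    print(user_ldif(rec, next_uid_number([10000]), "{SSHA}paste-slappasswd-output-here"))
```

The output loads with the same ldapadd command as above; the group entry needs an ou=Groups organizational unit created the way ou=People was in 4.1.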

Step 5: Configure the LDAP client

After setting up the server, the next step is to configure a client to resolve users and groups from it. This guide uses nss-pam-ldapd, whose nslcd daemon answers NSS lookups by querying the directory. Install it on the client; here that is the same Fedora machine:

sudo dnf install nss-pam-ldapd

Once installed, edit /etc/nsswitch.conf so that the passwd, shadow and group databases consult ldap after the local files. On Fedora this file is generated by authselect, and a manual edit is lost the next time an authselect profile is applied; the supported long-term route is the sssd profile, but for this walkthrough change the lines directly:

passwd: files ldap
shadow: files ldap
group: files ldap

Also edit the nslcd configuration file, /etc/nslcd.conf, with your server details. The file holds the bind password, so it must stay readable by root only (the package installs it with mode 0600). Here is a minimal example for a client on the same machine as the server:

# where the server is; ldap:// is unencrypted, acceptable only over localhost
uri ldap://localhost/
# search base for user and group lookups
base dc=example,dc=com
# identity nslcd binds with for lookups
binddn cn=Manager,dc=example,dc=com
bindpw <password>

Replace the bindpw value with the Manager password. Binding as the rootDN is convenient for a first test, but that identity bypasses every access rule, so a leaked client file hands out full write access to the directory; on a real deployment give nslcd a dedicated read-only account. For a server on another host, use ldaps:// or the ssl start_tls option together with tls_cacertfile, so the connection is encrypted and the server certificate is verified. Note that this step only wires up lookups (getent, file ownership display); for users to log in with their directory password the PAM stack must also use LDAP, which this guide does not cover. Finally, restart the nslcd service:

sudo systemctl restart nslcd
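Because the client settings above decide whether directory traffic and the bind password are protected, here is an added example (not code from the guide or from nss-pam-ldapd) that places the Step 5 configuration next to a hardened variant for a remote server and checks both for the usual weaknesses: cleartext transport to a remote host, an unverified server certificate, and binding as the rootDN. The hostname ldap.example.com, the cn=nslcd service account and the CA bundle path are assumptions.

```python
from typing import Dict, List

# Added example, not from the original guide or nss-pam-ldapd. Both
# configurations below are constructed; the hostname, service account and
# CA path are assumptions.

WEAK_CONF = """\
uri ldap://ldap.example.com/
base dc=example,dc=com
binddn cn=Manager,dc=example,dc=com
bindpw secret
"""

HARDENED_CONF = """\
uri ldaps://ldap.example.com/
base dc=example,dc=com
# a read-only account for lookups, not the rootDN (assumed to exist)
binddn cn=nslcd,ou=Services,dc=example,dc=com
bindpw lookup-only-secret
tls_reqcert demand
tls_cacertfile /etc/pki/tls/certs/ca-bundle.crt
"""

ROOT_DN = "cn=Manager,dc=example,dc=com"


def parse_nslcd_conf(text: str) -> Dict[str, List[str]]:
    """Minimal parse of nslcd.conf: one 'option value' per line, '#' starts a comment."""
    opts: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        opts.setdefault(key.lower(), []).append(value.strip())
    return opts


def audit_nslcd_conf(text: str, root_dn: str = ROOT_DN) -> List[str]:
    """Return findings; an empty list means none of the checked weaknesses is present."""
    opts = parse_nslcd_conf(text)
    findings: List[str] = []
    uris = opts.get("uri", [])
    uses_tls = any(u.startswith("ldaps://") for u in uris) or "start_tls" in opts.get("ssl", [])
    remote_plain = [u for u in uris
                    if u.startswith("ldap://") and "localhost" not in u and "127.0.0.1" not in u]
    if remote_plain and "start_tls" not in opts.get("ssl", []):
        findings.append(f"cleartext LDAP to remote server(s) {remote_plain}: use ldaps:// or 'ssl start_tls'")
    # tls_reqcert set to never/allow/try disables or weakens server certificate checking
    if uses_tls and opts.get("tls_reqcert") and opts["tls_reqcert"][0] not in ("demand", "hard"):
        findings.append("tls_reqcert is not demand/hard: server certificate is not verified")
    for dn in opts.get("binddn", []):
        if dn.lower() == root_dn.lower():
            findings.append("binddn is the rootDN: a leaked bindpw gives full write access to the directory")
    if "bindpw" in opts and "binddn" not in opts:
        findings.append("bindpw is set without a binddn")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_nslcd_conf(conf) or ["no findings"])
```

After a restart of nslcd with the chosen configuration, a quick lookup test is getent passwd john.doe on the client, which should print the entry from the directory.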

Step 6: Testing the LDAP configuration

To verify that the server answers and holds your entries, query it with ldapsearch. The -x option selects a simple bind, anonymous here because no -D is given; with no -H the tools use the server named in /etc/openldap/ldap.conf, which defaults to localhost; -b sets the search base. To list every entry under the base:

ldapsearch -x -b "dc=example,dc=com" "(objectClass=*)"

This returns all entries under dc=example,dc=com in LDIF. Read the output with an attacker's eyes: if a userPassword line appears for john.doe in this anonymous search, anyone who can reach the server can collect password hashes, and the data database needs an access rule that limits userPassword to authentication and to the user's own writes.
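The filter above is fixed, but as soon as the value inside a filter comes from somewhere else (a login form, a helpdesk script that takes a username), it must be escaped per RFC 4515 or the caller controls the query. The following is an added example, not code from the guide or from OpenLDAP: it builds a user filter both ways and runs them through a small in-memory evaluator for the filter subset used on this page (equality items, '*' wildcards, & and |) over constructed entries like the ones Step 4 creates, so the effect of the missing escaping is visible without a server.

```python
import re
from typing import Dict, List, Tuple

# Added example, not from the original guide or OpenLDAP. The directory
# entries and the attacker input are constructed for the demonstration.

Entry = Dict[str, List[str]]

DIRECTORY: List[Entry] = [  # constructed entries, shaped like those Step 4 creates
    {"dn": ["uid=john.doe,ou=People,dc=example,dc=com"], "objectClass": ["posixAccount"], "uid": ["john.doe"]},
    {"dn": ["uid=jane.roe,ou=People,dc=example,dc=com"], "objectClass": ["posixAccount"], "uid": ["jane.roe"]},
    {"dn": ["cn=Manager,dc=example,dc=com"], "objectClass": ["organizationalRole"], "cn": ["Manager"]},
]

_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for an assertion value placed in a search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def naive_user_filter(login: str) -> str:
    """Vulnerable: the login is interpolated unescaped."""
    return f"(&(objectClass=posixAccount)(uid={login}))"


def safe_user_filter(login: str) -> str:
    """Hardened: the login can only ever be an assertion value."""
    return f"(&(objectClass=posixAccount)(uid={escape_filter_value(login)}))"


def _value_regex(assertion: str):
    # '*' is a wildcard only when unescaped; \XX sequences stand for literal characters.
    parts = [re.escape(re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), p))
             for p in assertion.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)   # uid/cn use caseIgnoreMatch


def _parse(f: str, i: int, entry: Entry) -> Tuple[bool, int]:
    """Evaluate the filter starting at f[i], which must be '('; return (matched, next index)."""
    if i >= len(f) or f[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(f) and f[i] in "&|":
        op, i, results = f[i], i + 1, []
        while i < len(f) and f[i] == "(":
            r, i = _parse(f, i, entry)
            results.append(r)
        if i >= len(f) or f[i] != ")":
            raise ValueError("unterminated filter list")
        return (all(results) if op == "&" else any(results)), i + 1
    end = f.find(")", i)          # a ')' inside a value is always escaped as \29
    if end < 0:
        raise ValueError("unterminated filter item")
    attr, sep, assertion = f[i:end].partition("=")
    if not sep:
        raise ValueError("only equality items are supported here")
    rx = _value_regex(assertion)
    return any(rx.match(v) for v in entry.get(attr, [])), end + 1


def search(filt: str, entries: List[Entry]) -> List[str]:
    """Return the DNs of entries matching filt; raise ValueError on a malformed filter."""
    matched: List[str] = []
    for e in entries:
        ok, pos = _parse(filt, 0, e)
        if pos != len(filt):
            raise ValueError("trailing data after filter")
        if ok:
            matched.append(e["dn"][0])
    return matched


if __name__ == "__main__":
    evil = "*)(uid=*"   # constructed attacker input
    print("naive:", naive_user_filter(evil), "->", search(naive_user_filter(evil), DIRECTORY))
    print("safe: ", safe_user_filter(evil), "->", search(safe_user_filter(evil), DIRECTORY))
```

With the naive filter the input turns (uid=...) into two always-true items and every posixAccount matches; with the escaped filter the same input is a literal string that matches nothing. The real ldapsearch applies the same grammar, so pass the escaped filter as one argv element rather than through a shell string.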

Final thoughts

Configuring LDAP on Fedora gives you a central, flexible store for account and directory information on your network. Following the steps above produces a working OpenLDAP server with one organizational unit and one user, a client that resolves those users, and a search you can use to verify both. Remember to replace placeholder values such as dc=example,dc=com and cn=Manager with your own suffix and administrator DN, and treat the rootDN password and any bind password in client configuration as secrets.

From here the directory can be extended with groups, further organizational units, access rules and TLS, or integrated into existing systems for authentication and user management. With its broad tool support and mature feature set, LDAP remains a staple of network administration on Fedora.
