OpenLDAP-Based Central Authentication Architecture (Part 2) — Server Installation and Initial Configuration


1. Overview

This post describes how to install and configure an OpenLDAP server on CentOS 7.
The same configuration applies to Ubuntu, Rocky, or AlmaLinux,
with only minor differences in package names and file paths.

⚠️ Note:
All IP addresses, hostnames, domain names, and account names shown here are examples.
Replace them with values that match your organization’s environment and security policy.


2. Installing OpenLDAP

2.1 Install Packages

For CentOS 7:

# yum install -y openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel

For Ubuntu:

# apt install slapd ldap-utils

2.2 Enable and Start the Service

# systemctl enable slapd
# systemctl start slapd
# systemctl status slapd

OpenLDAP uses TCP port 389 by default.
Verify the port status:

# netstat -tulnp | grep 389

3. Generate the Administrator Password

Use the slappasswd command to generate the manager password hash.

# slappasswd
New password:
Re-enter new password:
{SSHA}wL2YjR1iZ2VfK3s9bHbF4vAozLzLzFqC

Keep the resulting {SSHA}… hash safe; in the next section it is set as olcRootPW,
the password of the cn=manager account.


4. Initial Database Configuration (LDIF Method)

Since OpenLDAP 2.4, configuration files under /etc/openldap/slapd.d/
must not be edited directly.
All changes are made using LDIF files applied via ldapmodify.

4.1 Create a Directory for LDIF Files

# mkdir /etc/openldap/ldif

4.2 Create the Database Definition

File: /etc/openldap/ldif/db.ldif

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=example,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=manager,dc=example,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}wL2YjR1iZ2VfK3s9bHbF4vAozLzLzFqC

4.3 Apply the Configuration

# ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/openldap/ldif/db.ldif

Expected output (one line per modify operation, so three lines for this file):

modifying entry "olcDatabase={2}hdb,cn=config"

5. Restrict Access to the Monitoring Database

Limit monitoring access (cn=monitor) to the root and LDAP manager.

File: /etc/openldap/ldif/monitor.ldif

dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * 
  by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read 
  by dn.base="cn=manager,dc=example,dc=com" read 
  by * none

Apply:

# ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/openldap/ldif/monitor.ldif
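As an added example (not from the original post), this is a small pre-apply check for the LDIF files written in sections 4 and 5: it folds continuation lines the way slapd does (a line starting with one space continues the previous line, that space dropped) and then flags an olcRootPW given in cleartext or an olcAccess directive that does not end in an explicit "by * none". The sample LDIF strings are constructed here; the function names are this example's own.

```python
# Added example (not from the original post): a pre-apply linter for the LDIF
# files from sections 4 and 5, folding continuation lines the way slapd does.
def parse_ldif(text):
    """Return a list of records; each record is a list of (attribute, value)."""
    folded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and folded:
            folded[-1] += raw[1:]          # continuation: drop only the leading space
        else:
            folded.append(raw)
    records, current = [], []
    for line in folded + [""]:             # the extra "" flushes the last record
        if line.strip() == "":
            if current:
                records.append(current)
                current = []
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            current.append((attr.strip(), " ".join(value.split())))
    return records

def lint_ldif(text):
    """Return findings as strings; an empty list means the file passed both checks."""
    findings = []
    for record in parse_ldif(text):
        dn = next((v for a, v in record if a.lower() == "dn"), "<no dn>")
        for attr, value in record:
            if attr.lower() == "olcrootpw" and not value.startswith("{"):
                findings.append(f"{dn}: olcRootPW is cleartext; use a slappasswd hash")
            if attr.lower() == "olcaccess" and not value.endswith("by * none"):
                findings.append(f"{dn}: olcAccess lacks a trailing 'by * none'")
    return findings

# Constructed samples: the section 5 monitor.ldif (same continuation layout)
# and a deliberately wrong db.ldif fragment with a cleartext olcRootPW.
MONITOR_LDIF = """dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to *
  by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
  by dn.base="cn=manager,dc=example,dc=com" read
  by * none
"""

BAD_DB_LDIF = """dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: plaintext-secret
"""
```

Note the folding rule: because the single leading space is removed, a continuation line needs a second space (or the previous line a trailing one) so that "*" and "by" do not run together into one token.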

6. Apply Core Schemas

Load the standard schema files required by most directory structures.

# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

7. Create the Initial Directory Structure

Assume the organization domain is example.com.
Create base entries as follows.

File: /etc/openldap/ldif/base.ldif

dn: dc=example,dc=com
objectClass: top
objectClass: domain
dc: example

dn: cn=manager,dc=example,dc=com
objectClass: organizationalRole
cn: manager
description: LDAP Manager

dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=example,dc=com
objectClass: organizationalUnit
ou: Group

Apply:

# ldapadd -x -W -D "cn=manager,dc=example,dc=com" -f /etc/openldap/ldif/base.ldif

Expected output:

adding new entry "dc=example,dc=com"
adding new entry "cn=manager,dc=example,dc=com"
adding new entry "ou=People,dc=example,dc=com"
adding new entry "ou=Group,dc=example,dc=com"

8. Configuration Precautions

  1. Never edit files directly under /etc/openldap/slapd.d/.
    Doing so may cause the slapd service to fail on restart.
  2. Always create separate LDIF files and apply them using ldapmodify.
  3. The legacy slapd.conf format is deprecated since version 2.4.
  4. Ensure all configuration files, including the LDIF files under /etc/openldap/ldif (db.ldif holds the olcRootPW hash), are readable only by root (chmod 600).

9. Basic Validation

Run a test query to confirm the directory structure.

# ldapsearch -x -LLL -b "dc=example,dc=com"

Expected result (the first entry is shown; the cn=manager, ou=People, and ou=Group entries follow):

dn: dc=example,dc=com
objectClass: top
objectClass: domain
dc: example

If the entries appear correctly, the initial setup is complete.


10. Next Step

In the next post, we’ll configure LDAP client integration for Linux servers,
using authconfig, nslcd, and sssd to enable centralized SSH login, sudo/su control,
and group-based access policies directly from OpenLDAP.

🛠 Last modified: 2025.11.13

ⓒ 2025 엉뚱한 녀석의 블로그 [quirky guy's Blog]. All rights reserved. Unauthorized copying or redistribution of the text and images is prohibited. When sharing, please include the original source link.

💡 Need Professional Support?
If you need deployment, optimization, or troubleshooting support for Zabbix, Kubernetes, or any other open-source infrastructure in your production environment, or if you are interested in sponsorships, ads, or technical collaboration, feel free to contact me anytime.

📧 Email: jikimy75@gmail.com
💼 Services: Deployment Support | Performance Tuning | Incident Analysis Consulting

📖 PDF eBook (Gumroad): Zabbix Enterprise Optimization Handbook
A single, production-ready PDF that compiles my in-depth Zabbix and Kubernetes monitoring guides.