603OpenLdap - amagerard/FreeRadius GitHub Wiki


3. Openldap.

3.1 Installation.

Enable the CodeReady Linux Builder repository.
subscription-manager repos --enable codeready-builder-for-rhel-10-$(arch)-rpms

dnf update
dnf install openldap-servers openldap-clients

At the time of writing (November 11, 2025), Red Hat had published an update that the EPEL repositories had not yet followed: openldap-clients was at version 2.6.9.1 while openldap-servers was still at 2.6.8.3. Install the matching server packages directly from the EPEL 10.2 mirror:
dnf install https://www.rpmfind.net/linux/epel/10.2/Everything/x86_64/Packages/o/openldap-slapi-2.6.9-1.el10_2.x86_64.rpm

dnf install https://www.rpmfind.net/linux/epel/10.2/Everything/x86_64/Packages/o/openldap-servers-2.6.9-1.el10_2.x86_64.rpm

systemctl enable --now slapd

Generate the password hash.
The password used in this example is: X2m56AB50!.
slappasswd

New password:
Re-enter new password:
{SSHA}35LzBCvugt+pBf/F+rdkwlQWcympqgqI

Note the {SSHA} hash; it is reused in the LDIF files below.
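As an added example (not from the wiki), the Python below reproduces and checks the {SSHA} format that slappasswd prints, so a hash can be verified against its password before it is pasted into olcRootPW, and flags root passwords stored without a hashing scheme; the function names are my own.

```python
# Added example (not from the wiki): {SSHA} as written by slappasswd is
# base64(SHA1(password || salt) || salt) with a random 4-byte salt.
import base64
import hashlib
import hmac
import os

SCHEME = "{SSHA}"

def ssha_hash(password: str, salt: bytes = b"") -> str:
    """Hash like slappasswd does; an explicit salt makes the result reproducible."""
    salt = salt or os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")

def ssha_split(stored: str) -> tuple[bytes, bytes]:
    """Return (digest, salt) from an {SSHA} value; a SHA-1 digest is 20 bytes."""
    if not stored.upper().startswith(SCHEME):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len(SCHEME):])
    return raw[:20], raw[20:]

def ssha_verify(password: str, stored: str) -> bool:
    """Constant-time comparison of the password against the stored digest."""
    digest, salt = ssha_split(stored)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)

def rootpw_scheme(value: str) -> str:
    """Scheme tag of an olcRootPW value ('SSHA', 'CRYPT', ...). A value without a
    {SCHEME} prefix is stored and compared as cleartext, which is worth flagging."""
    if value.startswith("{") and "}" in value:
        return value[1:value.index("}")].upper()
    return "CLEARTEXT"
```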

Create a folder for your ldif files.
mkdir /root/ldif
Generate an ldif file for the password.
vi /root/ldif/pass-root.ldif

# specify the password hash generated above in the [olcRootPW] attribute
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}35LzBCvugt+pBf/F+rdkwlQWcympqgqI

Open a connection to the LDAP server to add the password entry.
ldapadd -Y EXTERNAL -H ldapi:/// -f /root/ldif/pass-root.ldif

SASL/EXTERNAL authentication started  
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth  
SASL SSF: 0  
modifying entry "olcDatabase={0}config,cn=config"  

3.2 Import default schemas.

ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif

SASL/EXTERNAL authentication started  
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth  
SASL SSF: 0  
adding new entry "cn=cosine,cn=schema,cn=config"  

ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif

SASL/EXTERNAL authentication started  
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth  
SASL SSF: 0  
adding new entry "cn=nis,cn=schema,cn=config"  

ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

SASL/EXTERNAL authentication started  
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth  
SASL SSF: 0  
adding new entry "cn=inetorgperson,cn=schema,cn=config"  

3.3 Import your domain's schemas.

Generate an ldif file for the domain.
vi /root/ldif/ldapdomain.ldif
My example uses the domain ol26modk.com.
The olcRootPW value is the {SSHA} hash generated above.

dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
  read by dn.base="cn=Manager,dc=ol26modk,dc=com" read by * none

dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=ol26modk,dc=com

dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=ol26modk,dc=com

dn: olcDatabase={2}mdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}35LzBCvugt+pBf/F+rdkwlQWcympqgqI

dn: olcDatabase={2}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by
  dn="cn=Manager,dc=ol26modk,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=ol26modk,dc=com" write by * read

Apply ldapdomain.ldif to the LDAP server.
ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/ldif/ldapdomain.ldif

SASL/EXTERNAL authentication started  
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth  
SASL SSF: 0  
modifying entry "olcDatabase={1}monitor,cn=config"  
  
modifying entry "olcDatabase={2}mdb,cn=config"  
  
modifying entry "olcDatabase={2}mdb,cn=config"  
  
modifying entry "olcDatabase={2}mdb,cn=config"  
  
modifying entry "olcDatabase={2}mdb,cn=config"  
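Added example, not part of the wiki: a small Python generator for the olcDatabase={2}mdb modifications above for any domain, with RFC 2849 line folding and unfolding, which shows why the continuation lines in the LDIF (one leading space stripped by the parser, a second one kept) rejoin as "by dn=...". The hash value in the test is a constructed placeholder and the function names are my own.

```python
# Added example (not from the wiki): generate the {2}mdb modifications of
# section 3.3 for any domain, folding long values per RFC 2849 (continuation
# lines start with one space that the parser strips on read-back).
def dn_from_domain(domain: str) -> str:
    """'ol26modk.com' -> 'dc=ol26modk,dc=com'."""
    return ",".join("dc=" + label for label in domain.split("."))

def fold(line: str, width: int = 76) -> list[str]:
    """Split one logical LDIF line into physical lines of at most `width` chars."""
    out, rest = [line[:width]], line[width:]
    while rest:
        out.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return out

def unfold(physical: list[str]) -> list[str]:
    """Inverse of fold(): a line starting with a space continues the previous one."""
    logical: list[str] = []
    for p in physical:
        if p.startswith(" ") and logical:
            logical[-1] += p[1:]
        else:
            logical.append(p)
    return logical

def modify_record(dn: str, op: str, attr: str, *values: str) -> list[str]:
    """One 'changetype: modify' record adding or replacing a single attribute."""
    return [f"dn: {dn}", "changetype: modify", f"{op}: {attr}"] + [f"{attr}: {v}" for v in values]

def domain_ldif(domain: str, rootpw_hash: str, manager: str = "Manager") -> str:
    """LDIF for olcDatabase={2}mdb: suffix, root DN, root password hash and ACLs."""
    base, mdb = dn_from_domain(domain), "olcDatabase={2}mdb,cn=config"
    root = f"cn={manager},{base}"
    records = [
        modify_record(mdb, "replace", "olcSuffix", base),
        modify_record(mdb, "replace", "olcRootDN", root),
        modify_record(mdb, "add", "olcRootPW", rootpw_hash),
        # passwords: manager writes, owners change their own, anonymous may only bind
        modify_record(mdb, "add", "olcAccess",
            f'{{0}}to attrs=userPassword,shadowLastChange by dn="{root}" write '
            'by anonymous auth by self write by * none',
            '{1}to dn.base="" by * read',
            f'{{2}}to * by dn="{root}" write by * read'),
    ]
    physical: list[str] = []
    for rec in records:
        for logical in rec:
            physical.extend(fold(logical))
        physical.append("")  # an empty line ends the record; a line of spaces would not
    return "\n".join(physical)
```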

Generate a baseldapdomain.ldif file.
vi /root/ldif/baseldapdomain.ldif

dn: dc=ol26modk,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: ol26modk com
dc: ol26modk

dn: cn=Manager,dc=ol26modk,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=People,dc=ol26modk,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=ol26modk,dc=com
objectClass: organizationalUnit
ou: Group

Add the baseldapdomain.ldif entries to the LDAP server.
ldapadd -x -D cn=Manager,dc=ol26modk,dc=com -W -f /root/ldif/baseldapdomain.ldif
Password: X2m56AB50!.

Enter LDAP Password:  
adding new entry "dc=ol26modk,dc=com"  
  
adding new entry "cn=Manager,dc=ol26modk,dc=com"  
  
adding new entry "ou=People,dc=ol26modk,dc=com"  
  
adding new entry "ou=Group,dc=ol26modk,dc=com"  

3.4 Openldap(s).

3.4.1 Certificates.

  • Certificates.
    I need:
    /etc/ssl/certs/openldap-ecc.crt (to generate).
    /etc/ssl/certs/CA-ecc.crt (to update).
    /etc/ssl/private/openldap-ecc.key (to generate).

IMPORTANT The CA-ecc.crt and CA-ecc.key of the openldap server must be the same as the CA-ecc.crt and CA-ecc.key of the freeradius server.

Import the new CA-ecc.crt and CA-ecc.key from freeradius and overwrite the existing CA-ecc.crt and CA-ecc.key.

Repeat the TemplateVM/certificate chapter 6.3.1 procedure to create openldap.key and openldap.crt.

openssl ecparam -genkey -name prime256v1 -noout -out /etc/ssl/private/openldap-ecc.key
openssl req -new -days 365 -key /etc/ssl/private/openldap-ecc.key -out /etc/ssl/certs/openldap-ecc.csr

Country Name (2 letter code) [XX]:FR  
State or Province Name (full name) []:France  
Locality Name (eg, city) [Default City]:Versailles  
Organization Name (eg, company) [Default Company Ltd]:ol26modk  
Organizational Unit Name (eg, section) []:office  
Common Name (eg, your name or your server's hostname) []:openldap.ol26modk.com  
Email Address []:[email protected]  

openssl ca -config /etc/ssl/openssl.cnf -out /etc/ssl/certs/openldap-ecc.crt -in /etc/ssl/certs/openldap-ecc.csr

chmod 400 /etc/ssl/private/openldap-ecc.key  
chmod 400 /etc/ssl/certs/openldap-ecc.crt  
chmod 400 /etc/ssl/certs/CA-ecc.crt  

Give the ldap group read access to the files (on RHEL, /etc/ssl is a symlink to /etc/pki/tls, so these are the files created above).
setfacl -m g:ldap:r /etc/pki/tls/certs/CA-ecc.crt
setfacl -m g:ldap:r /etc/pki/tls/certs/openldap-ecc.crt
setfacl -m g:ldap:r /etc/pki/tls/private/openldap-ecc.key

3.4.2 Configuration.

Generate an ldapssl.ldif file.
vi /root/ldif/ldapssl.ldif

dn: cn=config  
changetype: modify  
replace: olcTLSCertificateFile  
olcTLSCertificateFile: /etc/pki/tls/certs/openldap-ecc.crt  
-  
replace: olcTLSCertificateKeyFile  
olcTLSCertificateKeyFile: /etc/pki/tls/private/openldap-ecc.key  
-  
replace: olcTLSCACertificateFile  
olcTLSCACertificateFile: /etc/pki/tls/certs/CA-ecc.crt  

Apply ldapssl.ldif to the LDAP server.
ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/ldif/ldapssl.ldif

SASL/EXTERNAL authentication started  
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth  
SASL SSF: 0  
modifying entry "cn=config"  

Check.
slaptest -u

config file testing succeeded  

Edit /etc/openldap/ldap.conf
vi /etc/openldap/ldap.conf
Add or modify the lines.

TLS_CACERTDIR /etc/pki/tls/certs
TLS_CACERT /etc/pki/tls/certs/CA-ecc.crt
TLS_REQCERT allow

TLS_REQCERT allow lets the client continue even when the server certificate cannot be verified against CA-ecc.crt; once the CA file is in place, the stricter default value demand also works and rejects a server whose certificate does not verify.

systemctl restart slapd
systemctl status slapd

3.4.3 ldap and ldaps verification.

Do not combine ldaps:// and StartTLS in the same ldapsearch call.
Use either -ZZ (StartTLS on ldap://) or an ldaps://localhost URI.

Plain LDAP, no TLS:
ldapsearch -x -H ldap://localhost:389 -LL -b "dc=ol26modk,dc=com"

LDAP with StartTLS (-ZZ makes the search fail if the TLS handshake does not succeed):
ldapsearch -x -ZZ -LLL -H ldap://localhost:389 -b "dc=ol26modk,dc=com"

LDAPS:
ldapsearch -x -H ldaps://localhost -b "dc=ol26modk,dc=com"