VMware Telco Cloud Operations: Setup OpenLDAP server in CentOS7
Article ID: 324824

Products

VMware Telco Cloud Operations

Issue/Introduction

This document describes how to set up an OpenLDAP server for use in the VMware Telco Cloud Operations integration with Keycloak.

Environment

VMware Telco Cloud Operations 1.x

Resolution

Configuring the OpenLDAP server on CentOS 7:

Follow this procedure to configure the OpenLDAP server on CentOS 7.
  1. To update the packages, run the following command:
yum update
  2. To install the necessary OpenLDAP packages, run the following command:
yum -y install openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel
  3. To start the OpenLDAP service and enable it at boot, run the following commands:
systemctl start slapd.service
systemctl enable slapd.service
  4. To check the status, run the following command:
systemctl status slapd.service
  5. To set the OpenLDAP master (rootDN) password, run the following command:
slappasswd
Note: Take a note of the hashed password it prints (it starts with {SSHA}). It is required in later steps; the ldif files carry this hash, not the cleartext password.
  6. Create the basic OpenLDAP configuration.
Create a file named "db.ldif" with the following content. Here we are creating an OpenLDAP server for tco.com; change the suffix to match your own domain (for example, example.com):
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=tco,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=ldapadmin,dc=tco,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}eTBtskULaWTq59CCvn1JBCShqZcfXb3h

This hashed password is the output of the slappasswd command (step 5); replace it with your own value.
  7. To import the modified ldif file into OpenLDAP, run the following command:
ldapmodify -Y EXTERNAL -H ldapi:/// -f db.ldif
  8. Grant the OpenLDAP admin user access to the monitor database.
Create a file "monitor.ldif" with the following content. Here the admin is "ldapadmin":
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=ldapadmin,dc=tco,dc=com" read by * none
  9. To import the configuration, run the following command:
ldapmodify -Y EXTERNAL -H ldapi:/// -f monitor.ldif
  10. Copy the sample database configuration and set the permissions accordingly:
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown ldap:ldap /var/lib/ldap/*
  11. Add the standard OpenLDAP schemas:
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
  12. Create the base OpenLDAP configuration.
Create a file "base.ldif" with the following content. The ou value of each organizational unit must match the ou in its dn, otherwise ldapadd rejects the entry:
dn: dc=tco,dc=com
dc: tco
objectClass: top
objectClass: domain

dn: cn=ldapadmin,dc=tco,dc=com
objectClass: organizationalRole
cn: ldapadmin
description: LDAP Admin

dn: ou=users,dc=tco,dc=com
objectClass: organizationalUnit
ou: users

dn: ou=Group,dc=tco,dc=com
objectClass: organizationalUnit
ou: Group
  13. Create the OpenLDAP structure; provide the master password when prompted:
ldapadd -x -W -D "cn=ldapadmin,dc=tco,dc=com" -f base.ldif
  14. Create a few example users.
Create a file "users.ldif". Here we are adding two users, "user1" and "service":
dn: cn=user1,ou=users,dc=tco,dc=com
objectclass: inetOrgPerson
cn: user1
sn: lastname
uid: user1
mail: [email protected]
userPassword: {crypt}x
description: user1
ou: users

dn: cn=service,ou=users,dc=tco,dc=com
objectclass: inetOrgPerson
cn: service
sn: service
uid: service
mail: [email protected]
userPassword: {crypt}x
description: service
ou: users
  15. Import the users file; provide the master password when prompted:
ldapadd -x -W -D "cn=ldapadmin,dc=tco,dc=com" -f users.ldif
  16. Set a password for the newly added user (the {crypt}x placeholder above is not a usable password); enter the new user password and the master password when prompted:
ldappasswd -S -W -D "cn=ldapadmin,dc=tco,dc=com" -x "cn=service,ou=users,dc=tco,dc=com"
  17. Verify that the user was created:
ldapsearch -x cn=user1 -b dc=tco,dc=com
  18. Create a few example groups.
Create a file "groups.ldif". Here we are adding two groups, "group1" and "group2":
dn: cn=group1,ou=Group,dc=tco,dc=com
objectClass: posixGroup
objectClass: top
cn: group1
gidNumber: 101
memberUid: user1

dn: cn=group2,ou=Group,dc=tco,dc=com
objectClass: posixGroup
objectClass: top
cn: group2
gidNumber: 102
memberUid: service
  19. Import the groups file; provide the master password when prompted:
ldapadd -x -W -D "cn=ldapadmin,dc=tco,dc=com" -f groups.ldif
  20. Verify that the group was created:
ldapsearch -x cn=group1 -b dc=tco,dc=com
  21. Configure the firewall to allow access to OpenLDAP:
firewall-cmd --permanent --add-service=ldap
firewall-cmd --reload
  22. Restart the OpenLDAP server:
systemctl restart slapd

Refer to the section "Adding Custom Schema" for adding a custom schema to the OpenLDAP server.
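Before feeding the ldif files above to ldapadd or ldapmodify, it is worth linting them. The following Python script is an added example, not part of this article: it checks that each entry's RDN value appears among the entry's own attributes (ldapadd rejects an entry whose dn says ou=users while the entry only carries ou: People), flags olcRootPW or userPassword values that are not hashed, and verifies a {SSHA} value against the password typed at slappasswd (step 5). The sample LDIF and salt values are constructed for the demonstration.

```python
import base64, hashlib, re
# Constructed sample (not from the article): the first entry's RDN is ou=users
# but it only carries "ou: People"; the modify entry sets olcRootPW in cleartext.
SAMPLE_LDIF = """\
dn: ou=users,dc=tco,dc=com
objectClass: organizationalUnit
ou: People

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: cleartext-secret
"""
HASH_PREFIX = re.compile(r"\{(SSHA|SHA|SMD5|MD5|CRYPT|PBKDF2)", re.I)

def parse_ldif(text):
    # Join "\n " continuation lines, then split entries on blank lines
    entries = []
    for block in re.split(r"\n\s*\n", re.sub(r"\n ", "", text).strip()):
        attrs = []
        for line in block.splitlines():
            if line and not line.startswith("#"):
                name, _, value = line.partition(":")
                attrs.append((name.strip(), value.strip()))
        entries.append(attrs)
    return entries

def ssha_hash(password, salt):
    # {SSHA} as slappasswd produces it: base64(sha1(password + salt) + salt)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def ssha_verify(stored, password):
    # Check a typed password against an {SSHA} value such as olcRootPW
    raw = base64.b64decode(stored[len("{SSHA}"):])
    return hashlib.sha1(password.encode() + raw[20:]).digest() == raw[:20]

def lint_ldif(text):
    problems = []
    for attrs in parse_ldif(text):
        dn = next((v for k, v in attrs if k.lower() == "dn"), "")
        rdn_attr, _, rdn_val = dn.split(",", 1)[0].partition("=")
        present = [v.lower() for k, v in attrs if k.lower() == rdn_attr.lower()]
        modify = any(k.lower() == "changetype" for k, _ in attrs)
        if not modify and rdn_val.lower() not in present:
            problems.append(f"{dn}: naming attribute {rdn_attr}={rdn_val} missing from entry")
        for k, v in attrs:
            if k.lower() in ("olcrootpw", "userpassword") and not HASH_PREFIX.match(v):
                problems.append(f"{dn}: {k} is cleartext; use the slappasswd output")
    return problems
```

Run lint_ldif over each file before importing it; an empty list means the naming attributes and password values are consistent.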
 

Configure SSL on OPENLDAP

Create certificates and enable LDAPS and TLS
  1. Change to the certificate directory and generate a new server.key file; specify a password for the private key when prompted:
cd /etc/pki/tls/certs
make server.key
  2. Remove the passphrase from the key so that slapd can load it without prompting; enter the password used in the previous step when prompted:
openssl rsa -in server.key -out server.key
  3. Make the Certificate Signing Request (CSR).
Provide the proper hostname as the Common Name; an improper hostname may cause issues.
make server.csr
Example session (this particular run used server2 as the target name; use server.csr so the file names match the rest of these steps):
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key server2.key -out server2.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:Karnataka
Locality Name (eg, city) [Default City]:Bangalore
Organization Name (eg, company) [Default Company Ltd]:smarts
Organizational Unit Name (eg, section) []:tco
Common Name (eg, your name or your server's hostname) []:my-ldap-172.eng.vmware.com
Email Address []:[email protected]
The Common Name is the hostname of the OpenLDAP server:
cat /etc/hostname
my-ldap-172.eng.vmware.com
The Keycloak server must be able to reach the OpenLDAP server using this hostname (example: my-ldap-172.eng.vmware.com).
  4. Create the CRT file (a self-signed certificate valid for 3650 days):
openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 3650
Because the certificate is self-signed, clients such as the Keycloak server must import server.crt into their trust store before they can verify the LDAPS connection.
  5. Copy the certificates to OpenLDAP's certificate directory:
cp /etc/pki/tls/certs/server.key \
/etc/pki/tls/certs/server.crt \
/etc/pki/tls/certs/ca-bundle.crt \
/etc/openldap/certs/
  6. Set proper ownership of the OpenLDAP certificates:
chown ldap. /etc/openldap/certs/server.key \
/etc/openldap/certs/server.crt \
/etc/openldap/certs/ca-bundle.crt
  7. Configure OpenLDAP with the generated certificate.
Create the required ldif file, "ssl.ldif", with the following content:
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/openldap/certs/ca-bundle.crt
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/server.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/server.key
  8. Apply the above file to OpenLDAP:
ldapmodify -Y EXTERNAL -H ldapi:/// -f ssl.ldif
  9. Configure OpenLDAP for ldaps.
Edit /etc/sysconfig/slapd and extend the SLAPD_URLS= line to include ldaps:/// at the end, as shown below:
vi /etc/sysconfig/slapd
SLAPD_URLS="ldapi:/// ldap:/// ldaps:///"

Note: If only secured OpenLDAP communication is wanted, SLAPD_URLS should contain only the value "ldaps:///". Keep in mind that the ldapadd and ldapmodify commands with -H ldapi:/// used in this document require the ldapi:/// listener.
  10. Restart the OpenLDAP server:
systemctl restart slapd
 

Adding Custom Schema

To create a custom schema, follow these steps.
  1. Create a file "smarts_engineer1.ldif" with the following content. Continuation lines start with a space, as LDIF requires; the {5} prefix is the position of the new schema after the five already loaded (shown in step 3):
dn: cn={5}smartsengineer,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {5}smartsengineer
olcAttributeTypes: {0}( 2.25.128424792425578037463837247958458780603.1 NAME 'memberOf'
  EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {1}( 2.25.128424792425578037463837247958458780603.2 NAME 'homeTown'
  EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )
olcObjectClasses: {0}( 2.25.128424792425578037463837247958458780603.3 NAME 'smartsEngineer'
  DESC 'SMARTSWorker' SUP inetOrgPerson STRUCTURAL MAY ( memberOf $ homeTown ) )

  2. Load the schema:
ldapadd -Y EXTERNAL -H ldapi:/// -f smarts_engineer1.ldif
  3. Check that the schema has been added:
ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config dn | grep "schema"
dn: cn=schema,cn=config
dn: cn={0}core,cn=schema,cn=config
dn: cn={1}cosine,cn=schema,cn=config
dn: cn={2}nis,cn=schema,cn=config
dn: cn={3}inetorgperson,cn=schema,cn=config
dn: cn={4}misc,cn=schema,cn=config
dn: cn={5}smartsengineer,cn=schema,cn=config
  4. Restart the OpenLDAP server:
systemctl restart slapd
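A folded schema ldif is easy to get subtly wrong, and slapd only reports the first error at load time. The following Python checker is an added example, not part of this article: it unfolds the LDIF, then reports duplicate OIDs, attribute types without a SYNTAX, an unknown SUP object class, and MAY/MUST attributes that neither the file nor the already loaded schemas define. The sample schema, its OIDs and the KNOWN_* sets are constructed for the demonstration (the sets are a small subset, not the full standard schemas).

```python
import re

# Constructed sample (not from the article): a custom schema in the same
# shape as smarts_engineer1.ldif, with illustrative OIDs under a made-up arc.
SCHEMA_LDIF = """\
dn: cn={5}smartsengineer,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {5}smartsengineer
olcAttributeTypes: {0}( 1.3.6.1.4.1.99999.1.1 NAME 'memberOf'
  EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {1}( 1.3.6.1.4.1.99999.1.2 NAME 'homeTown'
  EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )
olcObjectClasses: {0}( 1.3.6.1.4.1.99999.1.3 NAME 'smartsEngineer'
  DESC 'SMARTSWorker' SUP inetOrgPerson STRUCTURAL MAY ( memberOf $ homeTown ) )
"""
# Small illustrative subset of what core/cosine/inetorgperson already define.
KNOWN_ATTRS = {"cn", "sn", "uid", "mail", "description", "ou", "userPassword"}
KNOWN_CLASSES = {"top", "person", "organizationalPerson", "inetOrgPerson"}
DEFINITION = re.compile(
    r"^(olcAttributeTypes|olcObjectClasses):\s*(?:\{\d+\})?\(\s*([\d.]+)\s+"
    r"NAME\s+'([^']+)'(.*)\)\s*$", re.M)

def check_schema(text, known_attrs=KNOWN_ATTRS, known_classes=KNOWN_CLASSES):
    """Lint an olcSchemaConfig LDIF: duplicate OIDs, attribute types without
    SYNTAX, unknown SUP classes, and MAY/MUST attributes nothing defines."""
    problems, oids = [], {}
    defined = {a.lower() for a in known_attrs}
    classes = {c.lower() for c in known_classes}
    text = re.sub(r"\n ", "", text)  # LDIF unfolding: join "\n " continuations
    for kind, oid, name, body in DEFINITION.findall(text):
        if oid in oids:
            problems.append(f"duplicate OID {oid} ({name} and {oids[oid]})")
        oids[oid] = name
        if kind == "olcAttributeTypes":
            defined.add(name.lower())
            if "SYNTAX" not in body:
                problems.append(f"{name}: attribute type has no SYNTAX")
            continue
        sup = re.search(r"\bSUP\s+(\w+)", body)
        if sup and sup.group(1).lower() not in classes:
            problems.append(f"{name}: SUP {sup.group(1)} is not a known object class")
        for lst in re.findall(r"\b(?:MAY|MUST)\s*\(([^)]*)\)", body):
            for attr in (a.strip() for a in lst.split("$")):
                if attr and attr.lower() not in defined:
                    problems.append(f"{name}: attribute {attr} is not defined")
    return problems
```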

Additional Information

You can use Apache Directory Studio to manage the OpenLDAP server.