.png?sv=2022-11-02&spr=https&st=2024-09-19T01%3A56%3A52Z&se=2024-09-19T02%3A06%3A52Z&sr=c&sp=r&sig=JV0lc2lwzP9S34SkWLFa%2F0Ztc8ZS781bpdl9srMdTJ8%3D){kind=logo}
Configuring OpenLDAP
- 03 Apr 2024
-
DarkLight
-
PDF
Configuring OpenLDAP
- Updated on 03 Apr 2024
-
DarkLight
-
PDF
Article summary
Did you find this summary helpful?
Thank you for your feedback
Use the following to set-up OpenLDAP with adapter-ldap for the Itential Automation Platform (IAP).
Note: For documentation purposes, the following steps were executed from a CentOS 7 install.
Install OpenLDAP
To install and configure OpenLDAP:
-
Install
openldap.yum install -y openldap openldap-clients openldap-servers -
Encrypt the password for the admin.
[root@localhost cn=config]# slappasswd New password: Re-enter new password: {SSHA}HPHUXuZhbtOs0CIRhnWjglbitrlWt0Lh -
Edit the
olcDatabase\=\{2\}hdb.ldiffile.vi /etc/openldap/slapd.d/cn=config/olcDatabase\=\{2\}hdb.ldif -
Modify the attributes. Remember to replace the value for
olcRootPWwith the encrypted value of your unique password provided by theslappasswdcommand.olcSuffix: dc=pronghorn,dc=io olcRootDN: cn=admin,dc=pronghorn,dc=io olcRootPW: {SSHA}HPHUXuZhbtOs0CIRhnWjglbitrlWt0Lh -
Edit the
olcDatabase={1}monitor.ldiffile.vi /etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif -
Modify the access entry by deleting the existing line and replacing it with the following command.
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external, cn=auth" read by dn.base="cn=admin,dc=pronghorn,dc=io" read by * none -
Validate the configuration. The
checksumerrors on the two files modified in Step 3 and Step 5 are expected.[root@localhost vagrant]# slaptest -u 5a9d88af ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif" 5a9d88af ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif" config file testing succeeded -
Copy the
DB_CONFIGfile for OpenLDAP.ls -l /var/lib/ldap/DB_CONFIG cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG chown -R ldap:ldap /var/lib/ldap/ -
Restart
openldap.systemctl enable slapd service slapd restart -
Add standard OpenLDAP schemas.
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif -
Add the
memberofOpenLDAP schema.Note: For any steps that create an LDIF file, you may need to break the commands down into smaller chunks as illustrated below.
cat << EOF > /etc/openldap/schema/memberof.ldif dn: cn=module,cn=config cn: module objectclass: olcModuleList objectclass: top olcmoduleload: memberof.la olcmodulepath: /usr/lib64/openldap EOF cat << EOF > /etc/openldap/schema/enable-memberof.ldif dn: olcOverlay={0}memberof,olcDatabase={2}hdb,cn=config objectClass: olcConfig objectClass: olcMemberOf objectClass: olcOverlayConfig objectClass: top olcOverlay: memberof EOF cat << EOF > /etc/openldap/schema/refint.ldif dn: cn=module,cn=config cn: module objectclass: olcModuleList objectclass: top olcmoduleload: refint.la olcmodulepath: /usr/lib64/openldap EOF cat << EOF > /etc/openldap/schema/enable-refint.ldif dn: olcOverlay={1}refint,olcDatabase={2}hdb,cn=config objectClass: olcConfig objectClass: olcOverlayConfig objectClass: olcRefintConfig objectClass: top olcOverlay: {1}refint olcRefintAttribute: memberof member manager owner EOF -
Import the following schema files (in order).
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/memberof.ldif ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/enable-memberof.ldif ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/refint.ldif ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/enable-refint.ldif -
Add the OpenLDAP schema to create users and group nodes. This is a custom LDIF to create users and group organizational units, and the default admin user.
- Replace the
userPasswordcomponent of the Itential admin user with a value obtained by running theslappasswdutility. - Once the
ldapaddcommand is executed, you will be prompted for a password. Enter the OpenLDAP admin password created in Step 2.
cat << EOF > /etc/openldap/schema/pronghorn.ldif dn: dc=pronghorn,dc=io objectclass: domain dc: pronghorn dn: ou=users,dc=pronghorn,dc=io description: pronghorn users objectclass: organizationalUnit ou: users dn: ou=groups,dc=pronghorn,dc=io description: pronghorn groups objectclass: organizationalUnit ou: groups dn: uid=admin@pronghorn,ou=users,dc=pronghorn,dc=io uid: admin@pronghorn objectClass: inetOrgPerson cn: admin sn: admin mail: nobody@pronghorn.io userPassword: {SSHA}qPe2L+D5288ikfEXttx0hLr8hQIunHo+ EOF - Replace the
-
Import the schema.
ldapadd -c -x -W -D "cn=admin,dc=pronghorn,dc=io" -f /etc/openldap/schema/pronghorn.ldif Enter LDAP Password: adding new entry "dc=pronghorn,dc=io" adding new entry "ou=users,dc=pronghorn,dc=io" adding new entry "ou=groups,dc=pronghorn,dc=io" adding new entry "uid=admin@pronghorn,ou=users,dc=pronghorn,dc=io" -
Use Apache Directory Studio to connect to the LDAP server.
-
Verify the connect and credentials are running as expected.
Create Groups and Users in OpenLDAP
Each group object should be created as a groupOfUniqueNames with its common name (cn) containing the name of the group.
If the group object is some other class (i.e. groupOfNames), the groupSearchFilter in the LDAP adapter properties must be aligned with the class (i.e. objectClass=groupOfNames).
Use the sample LDIF files to creates users and groups.
-
Create the following groups in OpenLDAP.
Group Description global_adminMulti-Tenant Administrator Group global_opsMulti-Tenant Operations Group tenant1_adminTenant1Administrator Grouptenant1_opsTenant1Operations Grouptenant2_adminTenant2Administrator Grouptenant2_opsTenant2Operations Group -
Create the following users in OpenLDAP.
User First Name Last Name Email Groups global@adminadmin global nobody@itential.ioglobal_adminglobal@opsops global nobody@itential.ioglobal_opstenant1@adminadmin tenant1nobody@itential.iotenant1_admintenant1@opsops tenant1nobody@itential.iotenant1_opstenant2@adminadmin tenant2nobody@itential.iotenant2_admintenant2@opsops tenant2nobody@itential.iotenant2_ops -
Adjust the users, passwords, and groups in the sample files (if needed).
-
Create the
tenant-users.ldiffile.cat << EOF > /etc/openldap/schema/tenant-users.ldif dn: uid=admin@global,ou=users,dc=pronghorn,dc=io uid: admin@global objectClass: inetOrgPerson cn: admin sn: global mail: nobody@pronghorn.io userPassword: {SSHA}qPe2L+D5288ikfEXttx0hLr8hQIunHo+ dn: uid=admin@tenant1,ou=users,dc=pronghorn,dc=io uid: admin@tenant1 objectClass: inetOrgPerson cn: admin sn: tenant1 mail: nobody@pronghorn.io userPassword: {SSHA}qPe2L+D5288ikfEXttx0hLr8hQIunHo+ dn: uid=admin@tenant2,ou=users,dc=pronghorn,dc=io uid: admin@tenant2 objectClass: inetOrgPerson cn: admin sn: tenant2 mail: nobody@pronghorn.io userPassword: {SSHA}qPe2L+D5288ikfEXttx0hLr8hQIunHo+ dn: uid=ops@global,ou=users,dc=pronghorn,dc=io uid: ops@global objectClass: inetOrgPerson cn: ops sn: global mail: nobody@pronghorn.io userPassword: {SSHA}qPe2L+D5288ikfEXttx0hLr8hQIunHo+ dn: uid=ops@tenant1,ou=users,dc=pronghorn,dc=io uid: ops@tenant1 objectClass: inetOrgPerson cn: ops sn: tenant1 mail: nobody@pronghorn.io userPassword: {SSHA}qPe2L+D5288ikfEXttx0hLr8hQIunHo+ dn: uid=ops@tenant2,ou=users,dc=pronghorn,dc=io uid: ops@tenant2 objectClass: inetOrgPerson cn: ops sn: tenant2 mail: nobody@pronghorn.io userPassword: {SSHA}qPe2L+D5288ikfEXttx0hLr8hQIunHo+ EOF -
Import the
tenant-users.ldiffile.ldapadd -c -x -W -D "cn=admin,dc=pronghorn,dc=io" -f /etc/openldap/schema/tenant-users.ldif -
Create the
tenant-groups.ldiffile.cat << EOF > /etc/openldap/schema/tenant-groups.ldif dn: cn=pronghorn_admin,ou=groups,dc=pronghorn,dc=io objectClass: groupOfNames cn: pronghorn_admin member: uid=admin@pronghorn,ou=users,dc=pronghorn,dc=io dn: cn=global_admin,ou=groups,dc=pronghorn,dc=io objectClass: groupOfNames cn: global_admin member: uid=admin@global,ou=users,dc=pronghorn,dc=io dn: cn=global_ops,ou=groups,dc=pronghorn,dc=io objectClass: groupOfNames cn: global_ops member: uid=ops@global,ou=users,dc=pronghorn,dc=io dn: cn=tenant1_admin,ou=groups,dc=pronghorn,dc=io objectClass: groupOfNames cn: tenant1_admin member: uid=admin@tenant1,ou=users,dc=pronghorn,dc=io dn: cn=tenant1_ops,ou=groups,dc=pronghorn,dc=io objectClass: groupOfNames cn: tenant1_ops member: uid=ops@tenant1,ou=users,dc=pronghorn,dc=io dn: cn=tenant2_admin,ou=groups,dc=pronghorn,dc=io objectClass: groupOfNames cn: tenant2_admin member: uid=admin@tenant2,ou=users,dc=pronghorn,dc=io dn: cn=tenant2_ops,ou=groups,dc=pronghorn,dc=io objectClass: groupOfNames cn: tenant2_ops member: uid=ops@tenant2,ou=users,dc=pronghorn,dc=io EOF -
Import the
tenant-groups.ldiffile.ldapadd -c -x -W -D "cn=admin,dc=pronghorn,dc=io" -f /etc/openldap/schema/tenant-groups.ldif
OpenLDAP Configuration Example
The following is an example for OpenLDAP configuration. The hostname in the URL must match the common name of the LDAP server certificate.
{
"id": "ldap",
"type": "LDAP",
"properties": {
"domain": "uid={0},ou=users,dc=pronghorn,dc=io",
"url": "ldaps://example.pronghorn.io:636",
"bindUsername": "cn=admin,dc=pronghorn,dc=io",
"bindPassword": "<your_user_password>",
"baseDN": "dc=pronghorn,dc=io",
"baseGroupDN": "ou=groups,dc=pronghorn,dc=io",
"baseUserDN": "ou=users,dc=pronghorn,dc=io",
"groupSearchFilter": "(objectClass=groupOfNames)",
"userSearchFilter": "uid",
"userMembershipAttribute": "memberOf",
"healthCheckInterval": 5000,
"timeout": 5000,
"connectTimeout": 5000,
"idleTimeout": 5000,
"timeLimit": 10,
"reconnect": true,
"activeDirectory": false,
"tlsOptions": {
"secureProtocol": "TLSv1_method",
"requestCert": true,
"rejectUnauthorized": true,
"ca": "/etc/ssl/keys/openldap_ca.pem"
} },
"brokers": [ "aaa" ]
}
Was this article helpful?
