Use the following steps to set up OpenLDAP for use with adapter-ldap on the Itential Platform.
Note: For documentation purposes, the following steps were executed from a CentOS 7 install.
Install OpenLDAP
To install and configure OpenLDAP:
1. Install openldap.

```shell
yum install -y openldap openldap-clients openldap-servers
```

2. Encrypt the password for the admin. The slappasswd utility prompts for the password and prints a salted SHA-1 ({SSHA}) hash; only that hash is written to the configuration, never the clear-text password.

```shell
[root@localhost cn=config]# slappasswd
New password:
Re-enter new password:
{SSHA}HPHUXuZhbtOs0CIRhnWjglbitrlWt0Lh
```
3. Edit the olcDatabase={2}hdb.ldif file.

```shell
vi /etc/openldap/slapd.d/cn=config/olcDatabase\=\{2\}hdb.ldif
```

4. Modify the attributes. Remember to replace the value for olcRootPW with the hash of your own password as printed by the slappasswd command in Step 2.

```ldif
olcSuffix: dc=pronghorn,dc=io
olcRootDN: cn=admin,dc=pronghorn,dc=io
olcRootPW: {SSHA}HPHUXuZhbtOs0CIRhnWjglbitrlWt0Lh
```

5. Edit the olcDatabase={1}monitor.ldif file.

```shell
vi /etc/openldap/slapd.d/cn=config/olcDatabase\=\{1\}monitor.ldif
```

6. Modify the access entry by deleting the existing olcAccess line and replacing it with the following (a single line). It allows read access to the monitor database only for the local root user connecting over ldapi:/// and for the admin DN; everyone else gets no access.

```ldif
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=admin,dc=pronghorn,dc=io" read by * none
```

7. Validate the configuration. The checksum errors on the two files modified in Step 3 and Step 5 are expected: each file under slapd.d carries a CRC32 checksum in a header comment that a hand edit invalidates, and slaptest still reports that the configuration is valid. Hand-editing slapd.d files is only safe while slapd is stopped; the alternative that keeps the checksums valid is to apply the same changes with ldapmodify over ldapi:///.

```shell
[root@localhost vagrant]# slaptest -u
5a9d88af ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif"
5a9d88af ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif"
config file testing succeeded
```
8. Copy the DB_CONFIG file for OpenLDAP and make the ldap user the owner of the database directory.

```shell
ls -l /var/lib/ldap/DB_CONFIG
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown -R ldap:ldap /var/lib/ldap/
```

9. Enable and restart openldap.

```shell
systemctl enable slapd
service slapd restart
```

10. Add standard OpenLDAP schemas. These commands authenticate with SASL EXTERNAL over the local ldapi:/// socket, so they must be run as root on the server itself.

```shell
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
```

11. Add the memberof OpenLDAP schema. The memberof overlay maintains the memberOf attribute on a user entry whenever the member attribute of a group changes; the refint overlay removes the now-stale member references when a user entry is deleted or renamed.
Note: For any steps that create an LDIF file, you may need to break the commands down into smaller chunks as illustrated below.

```shell
cat << EOF > /etc/openldap/schema/memberof.ldif
dn: cn=module,cn=config
cn: module
objectclass: olcModuleList
objectclass: top
olcmoduleload: memberof.la
olcmodulepath: /usr/lib64/openldap
EOF

cat << EOF > /etc/openldap/schema/enable-memberof.ldif
dn: olcOverlay={0}memberof,olcDatabase={2}hdb,cn=config
objectClass: olcConfig
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: top
olcOverlay: memberof
EOF

cat << EOF > /etc/openldap/schema/refint.ldif
dn: cn=module,cn=config
cn: module
objectclass: olcModuleList
objectclass: top
olcmoduleload: refint.la
olcmodulepath: /usr/lib64/openldap
EOF

cat << EOF > /etc/openldap/schema/enable-refint.ldif
dn: olcOverlay={1}refint,olcDatabase={2}hdb,cn=config
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcRefintConfig
objectClass: top
olcOverlay: {1}refint
olcRefintAttribute: memberof member manager owner
EOF
```

12. Import the schema files (in order).

```shell
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/memberof.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/enable-memberof.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/refint.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/enable-refint.ldif
```
13. Add the OpenLDAP schema to create the users and groups nodes. This is a custom LDIF that creates the users and groups organizational units and the default admin user.
   - Replace the userPassword value of the Itential admin user with a hash obtained by running the slappasswd utility; do not paste a clear-text password.
   - Once the ldapadd command is executed, you will be prompted for a password. Enter the OpenLDAP admin password created in Step 2.

```shell
cat << EOF > /etc/openldap/schema/pronghorn.ldif
dn: dc=pronghorn,dc=io
objectclass: domain
dc: pronghorn

dn: ou=users,dc=pronghorn,dc=io
description: pronghorn users
objectclass: organizationalUnit
ou: users

dn: ou=groups,dc=pronghorn,dc=io
description: pronghorn groups
objectclass: organizationalUnit
ou: groups

dn: uid=admin@pronghorn,ou=users,dc=pronghorn,dc=io
uid: admin@pronghorn
objectClass: inetOrgPerson
cn: admin
sn: admin
mail: nobody@pronghorn.io
userPassword: {SSHA}qPe2L+D5288ikfEXttx0hLr8hQIunHo+
EOF
```

14. Import the schema. The -x flag requests a simple bind, which sends the admin password in the clear, so run this on the server itself (the default ldap://localhost) rather than across the network.

```shell
ldapadd -c -x -W -D "cn=admin,dc=pronghorn,dc=io" -f /etc/openldap/schema/pronghorn.ldif
Enter LDAP Password:
adding new entry "dc=pronghorn,dc=io"
adding new entry "ou=users,dc=pronghorn,dc=io"
adding new entry "ou=groups,dc=pronghorn,dc=io"
adding new entry "uid=admin@pronghorn,ou=users,dc=pronghorn,dc=io"
```

15. Use Apache Directory Studio to connect to the LDAP server.
16. Verify that the connection and the credentials work as expected.
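The changes in Steps 3 to 6 can also be applied with ldapmodify over ldapi:/// instead of editing files under slapd.d by hand, which keeps the slapd.d checksums valid and works while slapd is running. The following is an added example, not code from the Itential documentation or the OpenLDAP project: it generates the two modify LDIFs from the page's suffix and admin DN and refuses any olcRootPW value that is not already a {SCHEME}-prefixed hash from slappasswd. The helper names (is_hashed_password, rootpw_modify_ldif, monitor_access_ldif) are hypothetical.

```shell
#!/bin/sh
# Added example (not from the Itential or OpenLDAP documentation): build the
# ldapmodify LDIF that sets the same attributes Steps 3 to 6 set by hand-editing
# files under /etc/openldap/slapd.d.  Apply each with:
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f <file>
# Helper names below are hypothetical; the suffix and DN are the page's values.

# Accept only a password already hashed by slappasswd, i.e. a value with a
# {SCHEME} prefix other than {CLEARTEXT}.  Returns 1 for anything else so a
# clear-text password can never end up in olcRootPW by accident.
is_hashed_password() {
    case "$1" in
        '{CLEARTEXT}'*|'{cleartext}'*) return 1 ;;
        '{'*'}'*) return 0 ;;
        *) return 1 ;;
    esac
}

# $1 = suffix, $2 = root DN, $3 = hash printed by slappasswd.
# Prints the modify LDIF for the hdb database, or nothing (status 1) if the
# hash check fails.
rootpw_modify_ldif() {
    suffix=$1; rootdn=$2; hash=$3
    is_hashed_password "$hash" || { echo "refusing unhashed olcRootPW value" >&2; return 1; }
    cat <<EOF
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: $suffix
-
replace: olcRootDN
olcRootDN: $rootdn
-
replace: olcRootPW
olcRootPW: $hash
EOF
}

# $1 = root DN.  Same ACL as Step 6: only local root (over ldapi:///) and the
# admin DN may read the monitor database; everyone else gets nothing.
monitor_access_ldif() {
    rootdn=$1
    cat <<EOF
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="$rootdn" read by * none
EOF
}

# Demo with the hash shown on this page; a real deployment uses its own.
rootpw_modify_ldif "dc=pronghorn,dc=io" "cn=admin,dc=pronghorn,dc=io" '{SSHA}HPHUXuZhbtOs0CIRhnWjglbitrlWt0Lh'
echo
monitor_access_ldif "cn=admin,dc=pronghorn,dc=io"
```

Redirect each function's output to a file and feed it to ldapmodify -Y EXTERNAL -H ldapi:/// as root; slaptest -u afterwards reports no checksum errors because slapd rewrote the files itself.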
Create Groups and Users in OpenLDAP
In the sample LDIF files each group object is created as a groupOfNames whose common name (cn) is the name of the group and whose member attribute lists the DNs of its users. This matches the groupSearchFilter of (objectClass=groupOfNames) in the configuration example below and the default behaviour of the memberof overlay, which watches the member attribute of groupOfNames entries.
If the group object is some other class (e.g. groupOfUniqueNames, which stores members in uniqueMember), the groupSearchFilter in the LDAP adapter properties must be aligned with that class (e.g. objectClass=groupOfUniqueNames), and the memberof overlay must be configured for that class and attribute, otherwise memberOf is never populated and users appear to belong to no group.
Use the sample LDIF files to create users and groups.
1. Create the following groups in OpenLDAP. The sample tenant-groups.ldif file also creates a pronghorn_admin group containing the admin@pronghorn user created in the previous section.

| Group | Description |
| --- | --- |
| global_admin | Multi-Tenant Administrator Group |
| global_ops | Multi-Tenant Operations Group |
| tenant1_admin | Tenant1 Administrator Group |
| tenant1_ops | Tenant1 Operations Group |
| tenant2_admin | Tenant2 Administrator Group |
| tenant2_ops | Tenant2 Operations Group |

2. Create the following users in OpenLDAP. The User column is the uid (the name entered at login); first and last name map to cn and sn. The values shown are those in the sample tenant-users.ldif file.

| User | First Name | Last Name | Email | Groups |
| --- | --- | --- | --- | --- |
| admin@global | admin | global | nobody@pronghorn.io | global_admin |
| ops@global | ops | global | nobody@pronghorn.io | global_ops |
| admin@tenant1 | admin | tenant1 | nobody@pronghorn.io | tenant1_admin |
| ops@tenant1 | ops | tenant1 | nobody@pronghorn.io | tenant1_ops |
| admin@tenant2 | admin | tenant2 | nobody@pronghorn.io | tenant2_admin |
| ops@tenant2 | ops | tenant2 | nobody@pronghorn.io | tenant2_ops |

3. Adjust the users, passwords, and groups in the sample files (if needed). Every sample user carries the same placeholder {SSHA} hash; outside a lab, generate a distinct hash per user with slappasswd before importing.
4. Create the tenant-users.ldif file.

```shell
cat << EOF > /etc/openldap/schema/tenant-users.ldif
dn: uid=admin@global,ou=users,dc=pronghorn,dc=io
uid: admin@global
objectClass: inetOrgPerson
cn: admin
sn: global
mail: nobody@pronghorn.io
userPassword: {SSHA}qPe2L+D5288ikfEXttx0hLr8hQIunHo+

dn: uid=admin@tenant1,ou=users,dc=pronghorn,dc=io
uid: admin@tenant1
objectClass: inetOrgPerson
cn: admin
sn: tenant1
mail: nobody@pronghorn.io
userPassword: {SSHA}qPe2L+D5288ikfEXttx0hLr8hQIunHo+

dn: uid=admin@tenant2,ou=users,dc=pronghorn,dc=io
uid: admin@tenant2
objectClass: inetOrgPerson
cn: admin
sn: tenant2
mail: nobody@pronghorn.io
userPassword: {SSHA}qPe2L+D5288ikfEXttx0hLr8hQIunHo+

dn: uid=ops@global,ou=users,dc=pronghorn,dc=io
uid: ops@global
objectClass: inetOrgPerson
cn: ops
sn: global
mail: nobody@pronghorn.io
userPassword: {SSHA}qPe2L+D5288ikfEXttx0hLr8hQIunHo+

dn: uid=ops@tenant1,ou=users,dc=pronghorn,dc=io
uid: ops@tenant1
objectClass: inetOrgPerson
cn: ops
sn: tenant1
mail: nobody@pronghorn.io
userPassword: {SSHA}qPe2L+D5288ikfEXttx0hLr8hQIunHo+

dn: uid=ops@tenant2,ou=users,dc=pronghorn,dc=io
uid: ops@tenant2
objectClass: inetOrgPerson
cn: ops
sn: tenant2
mail: nobody@pronghorn.io
userPassword: {SSHA}qPe2L+D5288ikfEXttx0hLr8hQIunHo+
EOF
```

5. Import the tenant-users.ldif file.

```shell
ldapadd -c -x -W -D "cn=admin,dc=pronghorn,dc=io" -f /etc/openldap/schema/tenant-users.ldif
```

6. Create the tenant-groups.ldif file. The users must exist before the groups are imported so that the memberof overlay can write memberOf on each user entry.

```shell
cat << EOF > /etc/openldap/schema/tenant-groups.ldif
dn: cn=pronghorn_admin,ou=groups,dc=pronghorn,dc=io
objectClass: groupOfNames
cn: pronghorn_admin
member: uid=admin@pronghorn,ou=users,dc=pronghorn,dc=io

dn: cn=global_admin,ou=groups,dc=pronghorn,dc=io
objectClass: groupOfNames
cn: global_admin
member: uid=admin@global,ou=users,dc=pronghorn,dc=io

dn: cn=global_ops,ou=groups,dc=pronghorn,dc=io
objectClass: groupOfNames
cn: global_ops
member: uid=ops@global,ou=users,dc=pronghorn,dc=io

dn: cn=tenant1_admin,ou=groups,dc=pronghorn,dc=io
objectClass: groupOfNames
cn: tenant1_admin
member: uid=admin@tenant1,ou=users,dc=pronghorn,dc=io

dn: cn=tenant1_ops,ou=groups,dc=pronghorn,dc=io
objectClass: groupOfNames
cn: tenant1_ops
member: uid=ops@tenant1,ou=users,dc=pronghorn,dc=io

dn: cn=tenant2_admin,ou=groups,dc=pronghorn,dc=io
objectClass: groupOfNames
cn: tenant2_admin
member: uid=admin@tenant2,ou=users,dc=pronghorn,dc=io

dn: cn=tenant2_ops,ou=groups,dc=pronghorn,dc=io
objectClass: groupOfNames
cn: tenant2_ops
member: uid=ops@tenant2,ou=users,dc=pronghorn,dc=io
EOF
```

7. Import the tenant-groups.ldif file.

```shell
ldapadd -c -x -W -D "cn=admin,dc=pronghorn,dc=io" -f /etc/openldap/schema/tenant-groups.ldif
```
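Two mistakes in the user and group files above survive ldapadd without complaint: a userPassword that is not hashed (ldapadd stores whatever string it is given), and a member DN with a typo, which the memberof overlay cannot resolve, so the user ends up with no memberOf and the group with a dangling reference (the refint overlay only cleans up references when an entry is later deleted or renamed). The following is an added example, not code from the Itential documentation: a pre-import lint that runs offline over the LDIF files before Steps 5 and 7. The helper names (check_hashed_passwords, check_member_dns, lint_ldif) are hypothetical and the sample entries at the bottom are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not part of the Itential documentation): pre-import checks for
# a users LDIF and a groups LDIF.  Helper names are hypothetical.
#   1. every userPassword carries a {SCHEME} prefix other than {CLEARTEXT}
#      (base64 "userPassword::" values are not inspected);
#   2. every group "member:" DN matches a "dn:" in one of the user files.

# $1 = users LDIF.  Prints each offending line; returns 1 if any were found.
check_hashed_passwords() {
    awk 'tolower($1) == "dn:" { dn = $0; sub(/^[^ ]+[ ]+/, "", dn) }
         tolower($1) == "userpassword:" {
             v = $2
             if (v !~ /^[{]/ || toupper(v) ~ /^[{]CLEARTEXT[}]/) {
                 print FILENAME ":" FNR ": clear-text userPassword for " dn
                 bad = 1
             }
         }
         END { exit (bad ? 1 : 0) }' "$1"
}

# $1 = groups LDIF, remaining args = user LDIF files (pronghorn.ldif and
# tenant-users.ldif on this page).  Prints each unknown member; returns 1 if any.
check_member_dns() {
    groups=$1; shift
    known=$(mktemp)
    # DNs are compared lower-cased, like LDAP's own case-insensitive DN matching
    # (whitespace after commas is not normalised, so keep the files consistent).
    awk 'tolower($1) == "dn:" { d = $0; sub(/^[^ ]+[ ]+/, "", d); print tolower(d) }' "$@" > "$known"
    awk 'FILENAME == ARGV[1] { seen[$0] = 1; next }
         tolower($1) == "member:" {
             d = $0; sub(/^[^ ]+[ ]+/, "", d)
             if (!(tolower(d) in seen)) {
                 print FILENAME ":" FNR ": member not found in any user file: " d
                 bad = 1
             }
         }
         END { exit (bad ? 1 : 0) }' "$known" "$groups"
    rc=$?
    rm -f "$known"
    return $rc
}

# $1 = groups LDIF, remaining args = user LDIF files.  Runs both checks and
# returns non-zero if either produced findings.
lint_ldif() {
    groups=$1; shift
    rc=0
    for f in "$@"; do check_hashed_passwords "$f" || rc=1; done
    check_member_dns "$groups" "$@" || rc=1
    return $rc
}

# Constructed demo input: one hashed and one clear-text password, one correct
# member DN and one with a typo ("tenant-1").
demo=$(mktemp -d)
cat > "$demo/users.ldif" <<'EOF'
dn: uid=admin@tenant1,ou=users,dc=pronghorn,dc=io
uid: admin@tenant1
objectClass: inetOrgPerson
cn: admin
sn: tenant1
userPassword: {SSHA}qPe2L+D5288ikfEXttx0hLr8hQIunHo+

dn: uid=ops@tenant1,ou=users,dc=pronghorn,dc=io
uid: ops@tenant1
objectClass: inetOrgPerson
cn: ops
sn: tenant1
userPassword: changeme
EOF
cat > "$demo/groups.ldif" <<'EOF'
dn: cn=tenant1_admin,ou=groups,dc=pronghorn,dc=io
objectClass: groupOfNames
cn: tenant1_admin
member: uid=admin@tenant1,ou=users,dc=pronghorn,dc=io

dn: cn=tenant1_ops,ou=groups,dc=pronghorn,dc=io
objectClass: groupOfNames
cn: tenant1_ops
member: uid=ops@tenant-1,ou=users,dc=pronghorn,dc=io
EOF
if lint_ldif "$demo/groups.ldif" "$demo/users.ldif"; then
    echo "LDIF OK"
else
    echo "fix the findings above before running ldapadd"
fi
rm -rf "$demo"
```

For the files on this page the call is lint_ldif /etc/openldap/schema/tenant-groups.ldif /etc/openldap/schema/pronghorn.ldif /etc/openldap/schema/tenant-users.ldif; the pronghorn.ldif file must be included because tenant-groups.ldif references admin@pronghorn.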
OpenLDAP Configuration Example
The following is an example of the adapter configuration for OpenLDAP. The hostname in the url must match a subject alternative name (or the common name) of the LDAP server certificate, because rejectUnauthorized is true and the certificate is verified against the CA file given in tlsOptions.ca. The installation steps above do not configure a server certificate or an ldaps:/// listener in slapd; both are required before this URL will connect. bindPassword is the clear-text password of the bindUsername DN (the admin password chosen in Step 2), not the {SSHA} hash. Set secureProtocol to TLSv1_2_method so that the connection is pinned to TLS 1.2; the value TLSv1_method would restrict the connection to TLS 1.0, which is deprecated.

```json
{
  "id": "ldap",
  "type": "LDAP",
  "properties": {
    "domain": "uid={0},ou=users,dc=pronghorn,dc=io",
    "url": "ldaps://example.pronghorn.io:636",
    "bindUsername": "cn=admin,dc=pronghorn,dc=io",
    "bindPassword": "<bind_dn_password>",
    "baseDN": "dc=pronghorn,dc=io",
    "baseGroupDN": "ou=groups,dc=pronghorn,dc=io",
    "baseUserDN": "ou=users,dc=pronghorn,dc=io",
    "groupSearchFilter": "(objectClass=groupOfNames)",
    "userSearchFilter": "uid",
    "userMembershipAttribute": "memberOf",
    "healthCheckInterval": 5000,
    "timeout": 5000,
    "connectTimeout": 5000,
    "idleTimeout": 5000,
    "timeLimit": 10,
    "reconnect": true,
    "activeDirectory": false,
    "tlsOptions": {
      "secureProtocol": "TLSv1_2_method",
      "requestCert": true,
      "rejectUnauthorized": true,
      "ca": "/etc/ssl/keys/openldap_ca.pem"
    }
  },
  "brokers": [ "aaa" ]
}
```