
jupfaf


openldap with memberOf overlay

Written by julien

I won't present LDAP itself, just explain how to configure OpenLDAP with the memberOf overlay on CentOS 7. By default, the memberOf overlay is not enabled, and it is quite useful to know which groups a user is a member of when querying user information.

First, install the needed packages


sudo yum install -y openldap openldap-clients openldap-servers

Then, copy the sample database configuration from /usr/share/openldap-servers/DB_CONFIG.example to /var/lib/ldap/DB_CONFIG, and fix the ownership of the files in the /var/lib/ldap folder


sudo cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
sudo chown ldap:ldap /var/lib/ldap/*

The server can now be started


sudo systemctl start slapd

For the LDAP server to start automatically when the machine reboots


sudo systemctl enable slapd

Generate a password hash for the LDAP administrator


sudo slappasswd

The server will now be configured for our domain, in this example, it will be dc=jupfaf,dc=net.

The base configuration can be found under /etc/openldap/slapd.d/cn=config/ (you can have a look at the files olcDatabase={1}monitor.ldif and olcDatabase={2}hdb.ldif). The files in this folder must not be edited directly: slapd rewrites them when the configuration is changed through LDAP, so manual edits would be lost. Instead, we will create some LDIF files and apply them with the ldap commands to modify the configuration.

Create a file db.ldif with the following content (adapt it to your domain, and replace the olcRootPW value with the hash returned by the slappasswd command)


dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=jupfaf,dc=net

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=ldapadm,dc=jupfaf,dc=net

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}avm/5RsK69rlKEV/Y9LJufW9Nyke2bQe

dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external, cn=auth" read by dn.base="cn=ldapadm,dc=jupfaf,dc=net" read by * none

Send the configuration to the ldap server


sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f db.ldif

Add the cosine, nis and inetorgperson schemas


sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

To enable the memberOf overlay in the OpenLDAP configuration, create 3 files (it can be done with only one file, but I prefer to separate the loading of the modules from their configuration)

module.ldif


dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib64/openldap
olcModuleload: memberof.la
olcModuleload: refint.la

memberof.ldif


dn: olcOverlay={0}memberof,olcDatabase={2}hdb,cn=config
objectClass: olcConfig
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: top
olcOverlay: {0}memberof

refint.ldif


dn: olcOverlay={1}refint,olcDatabase={2}hdb,cn=config
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcRefintConfig
objectClass: top
olcOverlay: {1}refint
olcRefintAttribute: memberof member manager owner

and send the configuration to the ldap server


sudo ldapadd -Y EXTERNAL -H ldapi:/// -f module.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f memberof.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f refint.ldif

The server configuration is now done, we need to populate it with groups and users. Start with a base.ldif file which will include the admin user and two organizational units: Users and Groups


dn: dc=jupfaf,dc=net
dc: jupfaf
objectClass: top
objectClass: domain

dn: cn=ldapadm,dc=jupfaf,dc=net
objectClass: organizationalRole
cn: ldapadm
description: LDAP Manager

dn: ou=Users,dc=jupfaf,dc=net
objectClass: organizationalUnit
ou: Users

dn: ou=Groups,dc=jupfaf,dc=net
objectClass: organizationalUnit
ou: Groups

and build the directory structure using the ldapadd command


sudo ldapadd -x -W -D "cn=ldapadm,dc=jupfaf,dc=net" -f base.ldif

It will ask for the ldapadm user password.

Add a user and a group: create a julien.ldif file


dn: uid=julien,ou=Users,dc=jupfaf,dc=net
objectClass: top
objectClass: organizationalPerson
objectClass: person
objectClass: inetOrgPerson
cn: julien
sn: julien
uid: julien

dn: cn=Writers,ou=Groups,dc=jupfaf,dc=net
objectClass: groupOfNames
cn: Writers
member: uid=julien,ou=Users,dc=jupfaf,dc=net

and send the configuration to the server


sudo ldapadd -x -W -D "cn=ldapadm,dc=jupfaf,dc=net" -f julien.ldif

There is now one user, julien, who is a member of the group Writers, which can be verified with an ldapsearch command


ldapsearch -LL -Y EXTERNAL -H ldapi:/// "(uid=julien)" -b dc=jupfaf,dc=net memberOf

which should return


SASL/EXTERNAL authentication started
SASL username: gidNumber=1000+uidNumber=1000,cn=peercred,cn=external,cn=auth
SASL SSF: 0
version: 1

dn: uid=julien,ou=Users,dc=jupfaf,dc=net
memberOf: cn=Writers,ou=Groups,dc=jupfaf,dc=net

memberOf is an operational attribute, not a regular attribute of the user, so it is not returned by default and has to be requested explicitly. The overlay only maintains memberOf for objects created or modified after it was enabled; if some groups were created before adding the memberOf overlay to the LDAP configuration, they have to be recreated.
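As an added example (not part of the original post), the following POSIX shell script audits exactly that last caveat: it compares the member values of every group with the memberOf values of every user, lists the pairs that are missing, and generates the LDIF that recreates the affected groups (delete, then add with the same attributes), which is the remediation described above. It assumes the post's suffix dc=jupfaf,dc=net, dumps taken with ldapsearch -LLL (no comments, no version line), and plain, non-base64 DNs; the group and user dumps embedded in it are constructed for the demo, not real directory output, and one member value is folded the way ldapsearch wraps long lines.

```shell
#!/bin/sh
# Added example: audit memberOf consistency and generate the LDIF to recreate
# groups whose members lack memberOf. Not part of the original post; assumes
# the post's suffix dc=jupfaf,dc=net and ldapsearch -LLL dumps with plain DNs.
set -e

# Join LDIF continuation lines (a line starting with a space continues the
# previous one) so every attribute sits on a single line.
ldif_unfold() {
  awk '
    /^ / { buf = buf substr($0, 2); next }
    { if (started) print buf; buf = $0; started = 1 }
    END { if (started) print buf }
  '
}

# Print "userDN<TAB>groupDN" for every member of a group whose user entry
# does not carry the matching memberOf value.
#   $1 = groups dump (ldapsearch -LLL -b ou=Groups,... '(objectClass=groupOfNames)')
#   $2 = users dump  (ldapsearch -LLL -b ou=Users,...  '(uid=*)' memberOf)
memberof_missing() {
  _g=$(mktemp); _u=$(mktemp)
  ldif_unfold < "$1" > "$_g"
  ldif_unfold < "$2" > "$_u"
  awk -F': ' '
    $1 == "dn" { cur = $2; next }
    f == 1 && tolower($1) == "member"   { expected[$2 "\t" cur] = 1 }
    f == 2 && tolower($1) == "memberof" { delete expected[cur "\t" $2] }
    END { for (k in expected) print k }
  ' f=1 "$_g" f=2 "$_u" | sort
  rm -f "$_g" "$_u"
}

# Emit a delete record followed by an add record for one group, copying the
# group's attributes from the dump, so that re-adding it triggers the overlay.
#   $1 = groups dump, $2 = group DN
recreate_group_ldif() {
  ldif_unfold < "$1" | awk -v dn="$2" '
    $0 == "dn: " dn { inrec = 1; print; print "changetype: delete"; print ""
                      print; print "changetype: add"; next }
    inrec && $0 == "" { print; exit }
    inrec { print }
  '
}

# Full remediation LDIF: one delete+add pair per group that has a stale member.
regenerate_memberof_ldif() {
  memberof_missing "$1" "$2" | cut -f2 | sort -u | while IFS= read -r gdn; do
    recreate_group_ldif "$1" "$gdn"
  done
}

# Constructed sample dumps (not real directory output): alice was added to
# Writers before the overlay was enabled, so her entry has no memberOf.
write_sample_dumps() {
  cat > "$1/groups.ldif" <<'EOF'
dn: cn=Writers,ou=Groups,dc=jupfaf,dc=net
objectClass: groupOfNames
cn: Writers
member: uid=julien,ou=Users,dc=jupfaf,dc=net
member: uid=alice,ou=Users,dc=jupfaf,dc=n
 et

dn: cn=Readers,ou=Groups,dc=jupfaf,dc=net
objectClass: groupOfNames
cn: Readers
member: uid=bob,ou=Users,dc=jupfaf,dc=net
EOF
  cat > "$1/users.ldif" <<'EOF'
dn: uid=julien,ou=Users,dc=jupfaf,dc=net
memberOf: cn=Writers,ou=Groups,dc=jupfaf,dc=net

dn: uid=alice,ou=Users,dc=jupfaf,dc=net

dn: uid=bob,ou=Users,dc=jupfaf,dc=net
memberOf: cn=Readers,ou=Groups,dc=jupfaf,dc=net
EOF
}

# Demo on the constructed sample; replace the two files with real dumps.
demo_dir=$(mktemp -d)
write_sample_dumps "$demo_dir"
echo "users missing memberOf (user<TAB>group):"
memberof_missing "$demo_dir/groups.ldif" "$demo_dir/users.ldif"
echo "--- LDIF to recreate the affected groups:"
regenerate_memberof_ldif "$demo_dir/groups.ldif" "$demo_dir/users.ldif"
rm -rf "$demo_dir"
```

Against a live server, dump the groups and users first (`ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b ou=Groups,dc=jupfaf,dc=net '(objectClass=groupOfNames)' > groups.ldif` and `ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b ou=Users,dc=jupfaf,dc=net '(uid=*)' memberOf > users.ldif`), run `memberof_missing groups.ldif users.ldif` to see what is stale, then review the output of `regenerate_memberof_ldif` before applying it with `ldapmodify -x -W -D "cn=ldapadm,dc=jupfaf,dc=net" -f regen.ldif`. The generated LDIF deletes and re-adds each affected group, so the group entry is briefly absent while it runs; re-running the audit afterwards should print nothing.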