Friday, 4 July 2014

How to setup LDAP Server in Linux


In this tutorial, I'm going to show you a simple and easy way to get your own LDAP server up and running using any major Linux distributions like CentOS, RedHat, Fedora, etc.

In this guide, we are going to use CentOS as the base OS for setting up our LDAP Server. I have written a separate GUIDE for setting up a DNS Server. You can access the same HERE.

Machine Details:

LDAP Server:
OS: CentOS 6.3 64 Bit
Host name:  

To get started, the first thing we need to do is setup a static IP address for our LDAP Server. You can do that by editing the ifcfg-eth0 file as shown below:

# vi /etc/sysconfig/network-scripts/ifcfg-eth0

# Add the following in your Network config file

The next thing is to set up an FQDN for our LDAP Server. The quick way to do this is to edit the hosts file and make an entry for your LDAP Server there as shown:

# vi /etc/hosts

# Add the following entry in your hosts file    ldap

You can check the hostname using the hostname command:

# hostname --fqdn

Performance Tuning
There are a few tweaks that you need to complete in order for the LDAP to work well with your system.
The first thing is to add a few lines to the sysctl file (note that this is /etc/sysctl.conf, not the limits file edited in the next step):

# vi /etc/sysctl.conf

net.ipv4.tcp_keepalive_time = 300
net.ipv4.ip_local_port_range = 1024 65000
fs.file-max = 64000

The file is read at boot; run sysctl -p to load the new values into the running kernel right away.

Next, edit the limits file and add the following at the end:

# vi /etc/security/limits.conf

*    soft    nofile    8192
*    hard    nofile    8192

Just one final tuning step is left. Edit the login file and add the following line towards the end of the file.

# vi /etc/pam.d/login

session required /lib/security/
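The tuning steps above say "add the following lines at the end" of two files; doing that by hand a second time leaves duplicate entries. The script below is an added example (not part of the original post) that applies the same sysctl and limits lines idempotently, appending each line only if an identical one is not already present. ROOT is an assumed prefix so the functions can be exercised against a scratch directory before touching the real /etc; with ROOT empty and root privileges it writes the real files and reloads sysctl.

```shell
#!/bin/sh
# Added example, not from the original post: apply the tutorial's tuning
# lines to /etc/sysctl.conf and /etc/security/limits.conf idempotently.
# ROOT (assumed, not in the post) prefixes the paths so the script can be
# tried against a scratch directory, e.g. ROOT=/tmp/tune, before a real run.

ROOT="${ROOT:-}"

# append_once FILE LINE: append LINE to FILE unless an identical line exists.
# grep -x matches whole lines and -F takes the line literally, so the "*"
# in the limits.conf entries is not treated as a pattern.
append_once() {
    file="$1"
    line="$2"
    mkdir -p "$(dirname "$file")"
    [ -f "$file" ] || : > "$file"
    if grep -qxF -- "$line" "$file"; then
        return 0
    fi
    printf '%s\n' "$line" >> "$file"
}

# apply_tuning: the three kernel parameters and the two nofile limits from
# the tutorial, each written at most once.
apply_tuning() {
    sysctl_conf="$ROOT/etc/sysctl.conf"
    limits_conf="$ROOT/etc/security/limits.conf"

    append_once "$sysctl_conf" "net.ipv4.tcp_keepalive_time = 300"
    append_once "$sysctl_conf" "net.ipv4.ip_local_port_range = 1024 65000"
    append_once "$sysctl_conf" "fs.file-max = 64000"

    append_once "$limits_conf" "*    soft    nofile    8192"
    append_once "$limits_conf" "*    hard    nofile    8192"
}

# count_matches FILE LINE: number of lines in FILE identical to LINE; used to
# confirm that a repeated run adds nothing (prints 0 when absent).
count_matches() {
    grep -cxF -- "$2" "$1" || true
}

# Only touch the real files, and reload the kernel settings, when run as root
# with no scratch prefix.
if [ -z "$ROOT" ] && [ "$(id -u)" = 0 ]; then
    apply_tuning
    sysctl -p    # load /etc/sysctl.conf now; it is read again on every boot
fi
```

The limits.conf change applies only to new login sessions (that is what the pam_limits entry in the login file is for), so check it from a fresh shell with ulimit -n rather than from the session that ran the script.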

Configure the EPEL Repository

EPEL stands for Extra Packages for Enterprise Linux. It is a Fedora Special Interest Group that creates, maintains, and manages a high quality set of additional packages for Enterprise Linux such as Red Hat Enterprise Linux (RHEL), CentOS and Scientific Linux (SL). 

The EPEL repository has more than 8000 packages. It was started by Fedora contributors mainly so that the Fedora packages they maintain could also be used on RHEL and its derivatives.

First go to the EPEL repository download page. Download the latest EPEL rpm based on your Linux Server's architecture (x86_64 or i386) and install it as shown below.

# wget 

# rpm -ivh epel-release-6-8.noarch.rpm

Once installed, run the repolist command to list the newly added EPEL Repo.

# yum repolist

Configure the REMI Repository

REMI is a repository similar to EPEL. We need to enable this as well for our LDAP Server.

Simply download the correct REMI release rpm depending on your Server's base architecture and install it as shown below:

# wget 

# rpm -ivh remi-release-6.rpm

Once installed, run the repolist command to list the newly added REMI Repo.

# yum repolist

Install and Configure LDAP

In this tutorial I'm going to set up the LDAP server using 389 Directory Server. 389 Directory Server is an enterprise-class open source LDAP server developed by the Red Hat community.

For the detailed explanation of 389 along with its feature set; CLICK HERE

Before we begin, it's recommended that you create a new user in your Linux system. This user will be dedicated to LDAP.

# useradd ldapadmin

# passwd ldapadmin 

Install the 389 Directory Service using the following command:

# yum install 389-ds openldap-clients

Once the installation completes, you can configure your LDAP Server. This is a really long process, but thankfully it's simple and self-explanatory all the way.


NOTE: You need to have root privileges to execute the 389 configuration script.

Type in yes to continue

Type in yes to continue again

389 provides 3 setup types:

1. Express
Allows you to quickly set up the servers using the most common options and pre-defined defaults. Useful for quick evaluation of the products.
2. Typical
Allows you to specify common defaults and options.
3. Custom
Allows you to specify more advanced options. This is recommended for experienced server administrators only.

Type in 2 and continue

Provide your LDAP Server's FQDN next.

Provide the User and corresponding Group details that we created specially for our LDAP Server

The next step prompts you to register this particular LDAP with any existing Directory Server on your network. Since this is my newly created LDAP Server, I provided no as the answer here.

Provide an administrative ID and Password that will be used later to log into the 389's Console

Provide your Domain name 

Select which port you want your LDAP service to run on. By default, it's going to be port 389 (hence the name).

Provide the System Name of your LDAP Server. In my case, my LDAP server is called as

Provide the suffix of your domain. e.g. for; the suffix will be dc=cloud, dc=com

Provide a suitable password for your Directory Manager account

Set the default port (9830) for your LDAP administration

Once done with the configs, you will be prompted to begin the actual installation of your LDAP. Type in yes to begin the installation. If all goes well, you should see no errors and the message "The admin server was successfully started. Admin server was successfully created, configured, and started."

Make sure you set the LDAP daemons to startup automatically on boot.

# chkconfig dirsrv on

# chkconfig dirsrv-admin on

LDAP Administration
389 Directory Service provides you with a simple and easy to use Management Console to administer your LDAP, add users, groups and manage them all from a single pane.

Open up a terminal window, and just type in the following command to get started:

# 389-console 

You will need to provide your LDAP User ID and Password along with the administrative URL: http://<YOUR_LDAP_SERVER_IP>:9830

NOTE: The port will be whatever you specified during the initial configuration stages. I kept the default, 9830.

389 Directory Service provides two groups of servers:

1) Administration Server
2) Directory Server

The Administration Server can be used for any generic Directory Service administration work. You can access more of the configurations for your 389 Service by double-clicking on the "Administrative Server" Tab

Further, you will be shown two tabs within the Administer Server category. One Tab contains the "Tasks" that you can perform on your server, while the other tab contains the "Configuration" settings for the same.

In the Configuration tab, you can change the Admin server IP address, default port, LDAP admin password and default user directory. You can also define which host names and which IP addresses are allowed to access your 389 LDAP server.

In the Directory Server section, you can do all the necessary configuration for your LDAP server. You can change the default port and create users, groups, organizational units, etc.

Similar to the Administrative Server, you can use the Tabs here as well to start and stop various services 

You can use this to create and manage various Organizational Units, Groups and Users. Feel free to dig around the various tabs to get the hang of what 389 can offer.
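The same objects the console creates (an organizational unit, a group and a user under the dc=cloud,dc=com suffix from earlier) can also be loaded from the command line with the openldap-clients tools installed above. The script below is an added example, not part of the original post: it generates LDIF for the entries and feeds it to ldapadd. It assumes the server is on the local host on port 389, that the suffix is dc=cloud,dc=com, and that you bind as the Directory Manager whose password was set during the 389 setup; the sample names (People, Groups, developers, jdoe) are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: create an OU, a posixGroup and
# a user entry with ldapadd instead of the 389 console.
# Assumed values (override via the environment): local server, the post's
# suffix, Directory Manager bind DN.

SUFFIX="${SUFFIX:-dc=cloud,dc=com}"
LDAP_URL="${LDAP_URL:-ldap://localhost:389}"
BIND_DN="${BIND_DN:-cn=Directory Manager}"

# ou_ldif NAME: an organizationalUnit directly under the suffix.
ou_ldif() {
    printf 'dn: ou=%s,%s\nobjectClass: top\nobjectClass: organizationalUnit\nou: %s\n\n' \
        "$1" "$SUFFIX" "$1"
}

# group_ldif NAME GIDNUMBER: a posixGroup under ou=Groups.
group_ldif() {
    printf 'dn: cn=%s,ou=Groups,%s\nobjectClass: top\nobjectClass: posixGroup\ncn: %s\ngidNumber: %s\n\n' \
        "$1" "$SUFFIX" "$1" "$2"
}

# user_ldif UID UIDNUMBER GIDNUMBER FIRST LAST: an inetOrgPerson that is also
# a posixAccount, so one entry serves both address-book and Unix lookups.
# No userPassword is set here; set it afterwards with ldappasswd so the hash
# is generated by the server rather than written into a file.
user_ldif() {
    uid="$1"; uidn="$2"; gidn="$3"; first="$4"; last="$5"
    printf 'dn: uid=%s,ou=People,%s\n' "$uid" "$SUFFIX"
    printf 'objectClass: top\nobjectClass: person\nobjectClass: organizationalPerson\n'
    printf 'objectClass: inetOrgPerson\nobjectClass: posixAccount\n'
    printf 'uid: %s\ncn: %s %s\nsn: %s\ngivenName: %s\n' "$uid" "$first" "$last" "$last" "$first"
    printf 'uidNumber: %s\ngidNumber: %s\nhomeDirectory: /home/%s\nloginShell: /bin/bash\n\n' \
        "$uidn" "$gidn" "$uid"
}

# sample_ldif: the constructed sample set loaded below.
sample_ldif() {
    ou_ldif People
    ou_ldif Groups
    group_ldif developers 10000
    user_ldif jdoe 10001 10000 John Doe
}

# load_sample: send the LDIF to the server. -W prompts for the Directory
# Manager password instead of taking it on the command line, where it would
# show up in the process list and shell history. -c continues past entries
# that already exist (the setup may have created ou=People and ou=Groups).
load_sample() {
    sample_ldif | ldapadd -x -c -H "$LDAP_URL" -D "$BIND_DN" -W
}

# Read-only check of the result afterwards:
#   ldapsearch -x -H "$LDAP_URL" -b "$SUFFIX" -D "$BIND_DN" -W "(uid=jdoe)"
```

Nothing in this tutorial enables TLS, so -x over port 389 sends the Directory Manager password in clear text; keep LDAP_URL pointed at localhost and run the script on the server itself until LDAPS or STARTTLS is configured.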

That's all for this tutorial. Stay tuned for much more coming your way.
