
Create a Global Addressbook with OpenLDAP 2.4 Server

A Global Addressbook is a central database where users can search for email addresses, telephone numbers, postal addresses, etc. In this post, we will create a Global Addressbook with OpenLDAP 2.4 Server and access it through Mozilla Thunderbird.
We have already configured an LDAP Server, so I am skipping the steps of configuring one. If you missed it, please follow my previous post “Configure Remote Authentication Server using OpenLDAP 2.4”.

System Specification:
The same server that I used in my previous posts “Configure Remote Authentication Server using OpenLDAP 2.4” and “OpenLDAP Administration using phpLDAPAdmin”.

Configure Address Book:

Check out the current structure of our LDAP Directory via the phpLDAPAdmin console, i.e. http://ldapserver.itlab.com/phpldapadmin

We must add the inetorgperson schema to our LDAP Directory, because we require its objectClasses for our Addressbook entries.
Note: Since I am working on an already configured LDAP Server, I am not adding the other core schemas. However, if you are configuring the LDAP Server from scratch, then you must add the cosine schema as well.
[root@ldapserver ~]# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/inetorgperson.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"
Let’s create the organizationalUnit and add some entries therein.
[root@ldapserver ~]# cd ~/ldap
[root@ldapserver ldap]# cat > addressbook.ldif << EOF
> dn: ou=AddressBook,dc=itlab,dc=com
> objectClass: organizationalUnit
> ou: AddressBook
>
> dn: cn=Ahmer Mansoor,ou=AddressBook,dc=itlab,dc=com
> cn: Ahmer Mansoor
> gn: Ahmer
> sn: Mansoor
> mail: ahmer@itlab.com
> objectClass: top
> objectClass: inetOrgPerson
>
> dn: cn=Muhammad Ali,ou=AddressBook,dc=itlab,dc=com
> cn: Muhammad Ali
> gn: Muhammad
> sn: Ali
> mail: m_ali@itlab.com
> objectClass: top
> objectClass: inetOrgPerson
>
> dn: cn=Waseem Hussain,ou=AddressBook,dc=itlab,dc=com
> cn: Waseem Hussain
> gn: Waseem
> sn: Hussain
> mail: waseem@itlab.com
> objectClass: top
> objectClass: inetOrgPerson
>
> dn: cn=Ashfaq Khan,ou=AddressBook,dc=itlab,dc=com
> cn: Ashfaq Khan
> gn: Ashfaq
> sn: Khan
> mail: ashfaq@itlab.com
> objectClass: top
> objectClass: inetOrgPerson
> EOF
[root@ldapserver ldap]# ldapadd -x -W -D "cn=ldapadm,dc=itlab,dc=com" -f addressbook.ldif
Enter LDAP Password:
adding new entry "ou=AddressBook,dc=itlab,dc=com"
adding new entry "cn=Ahmer Mansoor,ou=AddressBook,dc=itlab,dc=com"
adding new entry "cn=Muhammad Ali,ou=AddressBook,dc=itlab,dc=com"
adding new entry "cn=Waseem Hussain,ou=AddressBook,dc=itlab,dc=com"
adding new entry "cn=Ashfaq Khan,ou=AddressBook,dc=itlab,dc=com"
Now, take a look at our LDAP Directory.

We can add as many entries as we like in the same way. However, for the sake of demonstration, I am adding only 4 entries.

Configure Mozilla Thunderbird:
Now our Global Addressbook is configured successfully. Let’s use it in an email client. I am demonstrating it using Mozilla Thunderbird.

Because configuring an email account is out of scope, I am skipping it. Click on the Addressbook button on the toolbar.

Go to File > New > LDAP Directory.

Add our LDAP Directory as follows:


Now, our Global Addressbook has been added in Thunderbird.

Our OpenLDAP Global Addressbook has been configured successfully.
phpLDAPadmin: Deploy on CentOS 7 LAMP Server

phpLDAPadmin is a web-based application for easy administration of an OpenLDAP directory server. phpLDAPAdmin is written in PHP, therefore it requires a LAMP/LEMP server for deployment. I have already configured the LAMP server and now we will deploy the phpLDAPadmin application on it.

System Specification:
The same server that I used in my previous post “Configure Remote Authentication Server using OpenLDAP 2.4“.

Configure phpLDAPadmin:
First of all, I must add the EPEL yum repository to ease the installation of phpLDAPAdmin.
[root@ldapserver ldap]# rpm -ivh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
Retrieving https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
warning: /var/tmp/rpm-tmp.HqBu3J: Header V3 RSA/SHA256 Signature, key ID 352c64e5: NOKEY
Preparing...                          ################################# [100%]
Updating / installing...
   1:epel-release-7-11                ################################# [100%]
[root@ldapserver ldap]# yum makecache
Now, install phpLDAPAdmin, Apache and PHP.
[root@ldapserver ldap]# yum -y install phpldapadmin httpd php
Enable and Start Apache service.
[root@ldapserver ldap]# systemctl enable httpd && systemctl start httpd
ln -s '/usr/lib/systemd/system/httpd.service' '/etc/systemd/system/multi-user.target.wants/httpd.service'
Allow the Apache service port through the firewall.
[root@ldapserver ldap]# firewall-cmd --permanent --add-service=http
success
[root@ldapserver ldap]# firewall-cmd --reload
success
Edit the phpLDAPadmin web server configuration. The final configuration after editing should look like this (the changed line is the Require directive in the Apache 2.4 block).
[root@ldapserver ldap]# cat /etc/httpd/conf.d/phpldapadmin.conf
#
# Web-based tool for managing LDAP servers
#

Alias /phpldapadmin /usr/share/phpldapadmin/htdocs

Alias /ldapadmin /usr/share/phpldapadmin/htdocs

<Directory /usr/share/phpldapadmin/htdocs>
  <IfModule mod_authz_core.c>
    # Apache 2.4
    Require all granted
  </IfModule>
  <IfModule !mod_authz_core.c>
    # Apache 2.2
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1
    Allow from ::1
  </IfModule>
</Directory>
[root@ldapserver ldap]# systemctl restart httpd
Open URL http://ldapserver.itlab.com/phpldapadmin in web browser.

To keep the scope limited, I am running the phpLDAPAdmin application without SSL. Therefore, it displays the warning “This web connection is unencrypted”. To run it over an encrypted connection, please refer to my previous post Convert an Apache Website from HTTP to HTTPs.
phpLDAPadmin can manage multiple LDAP Servers. We should add our LDAP Server to it.
[root@ldapserver config]# vi /usr/share/phpldapadmin/config/config.php
Add the following lines before the PHP end tag, i.e. ?>
$servers->newServer('ldap_pla');
$servers->setValue('server','name','ldapserver.itlab.com');
$servers->setValue('server','host','127.0.0.1');
$servers->setValue('server','port',389);
$servers->setValue('server','base',array('dc=itlab,dc=com'));
$servers->setValue('login','auth_type','cookie');
$servers->setValue('login','bind_id','cn=ldapadm,dc=itlab,dc=com');
$servers->setValue('login','bind_pass','123');
$servers->setValue('server','tls',false);
Log in to the web console using the LDAP Manager user.

phpLDAPadmin application has been deployed and our OpenLDAP Directory Server has been added to it.

Configure Remote Authentication Server using OpenLDAP 2.4

OpenLDAP is a free and open-source implementation of the Lightweight Directory Access Protocol (LDAP). LDAP is an open, vendor-neutral, industry-standard application protocol for accessing and maintaining distributed directory information services over an IP network. Directory services play an important role in developing intranet and Internet applications by allowing the sharing of information about users, systems, networks, services, and applications throughout the network.
In this post, I will demonstrate how to configure a central Remote Authentication Server using OpenLDAP v2.4 on RHEL 7.

System Specification:
For this demonstration, I have provisioned a VM with the following specifications. Please do not confuse these specifications with the minimum system requirements for OpenLDAP.
CPU: 2.4 GHz (1 core)
Memory: 1 GB
Storage: 20 GB
Swap: 2 GB
Operating System: RHEL 7.0
I have done some initial configuration of the VM, which includes setting up the hostname, IP address and Yum repository.
Hostname: ldapserver.itlab.com
IP Address: 192.168.116.3/24
Configure LDAP Server:
Log in to the VM as root, and install the openldap packages.
[root@ldapserver ~]# yum -y install openldap compat-openldap openldap-clients openldap-servers openldap-devel
Create the database configuration from the template.
[root@ldapserver ldap]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@ldapserver ldap]# slaptest -u
config file testing succeeded
[root@ldapserver ldap]# chown ldap:ldap /var/lib/ldap/*
Start and Enable the slapd service.
[root@ldapserver ~]# systemctl enable slapd && systemctl start slapd
ln -s '/usr/lib/systemd/system/slapd.service' '/etc/systemd/system/multi-user.target.wants/slapd.service'
Allow the ldaps port through the firewall.
[root@ldapserver ~]# firewall-cmd --permanent --add-service=ldaps
success
[root@ldapserver ~]# firewall-cmd --reload
success
Configure syslog logging for OpenLDAP.
[root@ldapserver ~]# cat >> /etc/rsyslog.conf << EOF
> #LDAP Logging
> local4.* /var/log/openldap.log
> EOF
[root@ldapserver ~]# systemctl restart rsyslog
Add the required schemas to our OpenLDAP Directory.
[root@ldapserver ~]# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"

[root@ldapserver ~]# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/nis.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"
Generate a password hash for the Directory Manager (I am using the password 123).
[root@ldapserver ~]# slappasswd
New password:
Re-enter new password:
{SSHA}mNOljCtwWbG0P88Hu+jqsrkUOzjfqvak
Copy the password hash; we will need it in later configurations. Now add the initial database configuration.
[root@ldapserver ldap]# mkdir ~/ldap
[root@ldapserver ldap]# cd ~/ldap

[root@ldapserver ldap]# cat > db.ldif << EOF
> dn: olcDatabase={2}hdb,cn=config
> changetype: modify
> replace: olcSuffix
> olcSuffix: dc=itlab,dc=com
>
> dn: olcDatabase={2}hdb,cn=config
> changetype: modify
> replace: olcRootDN
> olcRootDN: cn=ldapadm,dc=itlab,dc=com
>
> dn: olcDatabase={2}hdb,cn=config
> changetype: modify
> replace: olcRootPW
> olcRootPW: {SSHA}mNOljCtwWbG0P88Hu+jqsrkUOzjfqvak
> EOF
[root@ldapserver ldap]# ldapmodify -Y EXTERNAL -H ldapi:/// -f db.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

Since we plan to run this service in TLS mode, we must create security certificates for it. For simplicity, I am using self-signed certificates; however, you can use a CA-signed certificate if you have a Certification Authority (CA) configured for your network.
[root@ldapserver ~]# openssl req -new -x509 -nodes -out /etc/openldap/certs/ldapserver.pem -keyout /etc/openldap/certs/ldapserver.key -days 365
Generating a 2048 bit RSA private key
.........................+++
..................................................................+++
writing new private key to '/etc/openldap/certs/ldapserver.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:PK
State or Province Name (full name) []:Sindh
Locality Name (eg, city) [Default City]:Karachi
Organization Name (eg, company) [Default Company Ltd]:XYZ
Organizational Unit Name (eg, section) []:IT Lab
Common Name (eg, your name or your server's hostname) []:ldapserver.itlab.com
Email Address []:root@ldapserver.itlab.com

[root@ldapserver ~]# cd /etc/openldap/certs
[root@ldapserver certs]# chown ldap:ldap *
[root@ldapserver certs]# chmod 600 ldapserver.key
Edit the following directive in /etc/sysconfig/slapd to enable the service to run in TLS mode.
SLAPD_URLS="ldapi:/// ldap:/// ldaps:///"
Now, add security certificate and private key to LDAP configurations.
[root@ldapserver ~]# cd ~/ldap
[root@ldapserver ldap]# cat > cert.ldif << EOF
> dn: cn=config
> changetype: modify
> replace: olcTLSCertificateFile
> olcTLSCertificateFile: /etc/openldap/certs/ldapserver.pem
>
> dn: cn=config
> changetype: modify
> replace: olcTLSCertificateKeyFile
> olcTLSCertificateKeyFile: /etc/openldap/certs/ldapserver.key
>
> dn: cn=config
> changetype: modify
> replace: olcLogLevel
> olcLogLevel: -1
> EOF
[root@ldapserver ldap]# ldapmodify -Y EXTERNAL -H ldapi:/// -f cert.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"

modifying entry "cn=config"

modifying entry "cn=config"

Create the directory root entry, the LDAP Manager user, and two organizational units for holding the user and group entries.
[root@ldapserver ldap]# cd ~/ldap
[root@ldapserver ldap]# cat > base.ldif << EOF
> dn: dc=itlab,dc=com
> dc: itlab
> objectClass: top
> objectClass: domain
>
> dn: cn=ldapadm,dc=itlab,dc=com
> objectClass: organizationalRole
> cn: ldapadm
> description: LDAP Manager
>
> dn: ou=People,dc=itlab,dc=com
> objectClass: organizationalUnit
> ou: People
>
> dn: ou=Groups,dc=itlab,dc=com
> objectClass: organizationalUnit
> ou: Groups
> EOF
[root@ldapserver ldap]# ldapadd -x -W -D "cn=ldapadm,dc=itlab,dc=com" -f base.ldif
Enter LDAP Password:
adding new entry "dc=itlab,dc=com"

adding new entry "cn=ldapadm,dc=itlab,dc=com"

adding new entry "ou=People,dc=itlab,dc=com"

adding new entry "ou=Groups,dc=itlab,dc=com"

Define access levels for the directory.
[root@ldapserver ldap]# cd ~/ldap
[root@ldapserver ldap]# cat > access.ldif << EOF
> dn: olcDatabase={1}monitor,cn=config
> changetype: modify
> replace: olcAccess
> olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=ldapadm,dc=itlab,dc=com" read by * none
>
> dn: olcDatabase={2}hdb,cn=config
> changetype: modify
> replace: olcAccess
> olcAccess: {0}to dn.subtree="dc=itlab,dc=com" by dn.base="cn=ldapadm,dc=itlab,dc=com" manage by * read
> EOF
[root@ldapserver ldap]# ldapmodify -Y EXTERNAL -H ldapi:/// -f access.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}monitor,cn=config"
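The second rule above grants read access on everything under dc=itlab,dc=com to any client, anonymous binds included, which makes the userPassword hashes created later in this post readable without credentials. As an added example (my code, not part of the original post) here is a small model of how slapd walks olcAccess rules, applied to the post's rule and to a stricter rule set of my own that keeps the rest of the directory readable; the STRICT_ACL rules are a suggestion, not taken from the post.

```python
# Added example, not from the post: a small model of slapd's olcAccess evaluation, used to
# compare the post's access.ldif with a stricter rule set. Only the selectors used here are
# modelled, and note that the rootdn (cn=ldapadm above) bypasses ACLs entirely in slapd.
import re

# slapd privilege levels; each level implies every level to its left.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# The post's rule: every attribute, userPassword hashes included, is readable by anyone.
POST_ACL = [
    'to dn.subtree="dc=itlab,dc=com" by dn.base="cn=ldapadm,dc=itlab,dc=com" manage by * read',
]
# Stricter variant (my suggestion): password attributes may only be used to bind ('auth'),
# users may change their own, and everything else stays readable for address book lookups.
STRICT_ACL = [
    'to attrs=userPassword,shadowLastChange by dn.base="cn=ldapadm,dc=itlab,dc=com" write'
    ' by self write by anonymous auth by * none',
    'to dn.subtree="dc=itlab,dc=com" by dn.base="cn=ldapadm,dc=itlab,dc=com" manage by * read',
]

def parse_rule(rule):
    """Split 'to <what> by <who> <level> ...' into the target and ordered by-clauses."""
    target, *clauses = rule.split(" by ")
    return target.strip()[len("to "):], [tuple(c.strip().rsplit(" ", 1)) for c in clauses]

def target_matches(what, entry_dn, attr):
    """Supports 'to *', 'to dn.subtree="..."' and 'to attrs=a,b'."""
    if what == "*":
        return True
    if m := re.fullmatch(r'dn\.subtree="([^"]+)"', what):
        return entry_dn == m.group(1) or entry_dn.endswith("," + m.group(1))
    if m := re.fullmatch(r"attrs=(\S+)", what):
        return attr in m.group(1).split(",")
    raise ValueError(f"unsupported target: {what}")

def who_matches(who, bind_dn, entry_dn):
    """bind_dn is None for an anonymous bind."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "self":
        return bind_dn is not None and bind_dn == entry_dn
    if m := re.fullmatch(r'dn\.base="([^"]+)"', who):
        return bind_dn == m.group(1)
    raise ValueError(f"unsupported who: {who}")

def granted_level(acl, bind_dn, entry_dn, attr):
    """The first rule whose target matches decides, and inside it the first matching
    by-clause wins; no match anywhere is slapd's implicit 'by * none'."""
    for rule in acl:
        what, clauses = parse_rule(rule)
        if target_matches(what, entry_dn, attr):
            return next((lvl for who, lvl in clauses if who_matches(who, bind_dn, entry_dn)), "none")
    return "none"

def allows(acl, bind_dn, entry_dn, attr, wanted):
    """True when the granted level is at least the requested one (e.g. 'read')."""
    return LEVELS.index(granted_level(acl, bind_dn, entry_dn, attr)) >= LEVELS.index(wanted)
```

With the post's rule an anonymous client gets "read" on uid=ahmer's userPassword; with the stricter set it gets only "auth" (enough to bind, not to fetch the hash), while cn and mail under the suffix stay readable.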
Let’s create three groups. The groups ahmer and mansoor are defined to be used as the primary groups for the users ahmer and mansoor, while the group dba will be used as a supplementary group for both users.
[root@ldapserver ldap]# cd ~/ldap
[root@ldapserver ldap]# cat > groups.ldif << EOF
> dn: cn=ahmer,ou=Groups,dc=itlab,dc=com
> cn: ahmer
> objectClass: posixGroup
> objectClass: top
> gidNumber: 10001
> memberuid: ahmer
>
> dn: cn=mansoor,ou=Groups,dc=itlab,dc=com
> cn: mansoor
> objectClass: posixGroup
> objectClass: top
> gidNumber: 10002
> memberuid: mansoor
>
> dn: cn=dba,ou=Groups,dc=itlab,dc=com
> cn: dba
> objectClass: posixGroup
> objectClass: top
> gidNumber: 10003
> memberuid: ahmer
> memberuid: mansoor
> EOF
[root@ldapserver ldap]# ldapadd -x -W -D "cn=ldapadm,dc=itlab,dc=com" -f groups.ldif
Enter LDAP Password:
adding new entry "cn=ahmer,ou=Groups,dc=itlab,dc=com"

adding new entry "cn=mansoor,ou=Groups,dc=itlab,dc=com"

adding new entry "cn=dba,ou=Groups,dc=itlab,dc=com"

Now create the users.
[root@ldapserver ldap]# cd ~/ldap
[root@ldapserver ldap]# cat > users.ldif << EOF
> dn: uid=ahmer,ou=People,dc=itlab,dc=com
> uid: ahmer
> cn: ahmer
> objectClass: account
> objectClass: posixAccount
> objectClass: top
> objectClass: shadowAccount
> userPassword: {crypt}a
> shadowLastChange: 17665
> shadowMin: 0
> shadowMax: 99999
> shadowWarning: 7
> loginShell: /bin/bash
> uidNumber: 10001
> gidNumber: 10001
> homeDirectory: /home/ahmer
>
> dn: uid=mansoor,ou=People,dc=itlab,dc=com
> uid: mansoor
> cn: mansoor
> objectClass: account
> objectClass: posixAccount
> objectClass: top
> objectClass: shadowAccount
> userPassword: {crypt}a
> shadowLastChange: 17665
> shadowMin: 0
> shadowMax: 99999
> shadowWarning: 7
> loginShell: /bin/bash
> uidNumber: 10002
> gidNumber: 10002
> homeDirectory: /home/mansoor
> EOF
[root@ldapserver ldap]# ldapadd -x -W -D "cn=ldapadm,dc=itlab,dc=com" -f users.ldif
Enter LDAP Password:
adding new entry "uid=ahmer,ou=People,dc=itlab,dc=com"

adding new entry "uid=mansoor,ou=People,dc=itlab,dc=com"

Set passwords for the users.
[root@ldapserver ldap]# ldappasswd -S -x -D "cn=ldapadm,dc=itlab,dc=com" -W "uid=ahmer,ou=People,dc=itlab,dc=com"
New password:
Re-enter new password:
Enter LDAP Password:
[root@ldapserver ldap]# ldappasswd -S -x -D "cn=ldapadm,dc=itlab,dc=com" -W "uid=mansoor,ou=People,dc=itlab,dc=com"
New password:
Re-enter new password:
Enter LDAP Password:
We can also use an LDAP browser utility to manage our directory. Following is a screenshot of our directory at this time.

There are various commercial and free LDAP directory browsers and admin tools available. I used LDAPAdmin for this job.

Configure LDAP Client:

Now, I am going to configure a Linux client to use our LDAP directory for remote authentication. I have a client machine with the hostname Desktop1 that I use for this purpose. First of all, make sure that the hostname of our LDAP Directory Server is resolvable from the client, because we are using the hostname ldapserver.itlab.com as the Common Name in the security certificate.
[root@desktop1 ~]# echo 192.168.116.3 ldapserver.itlab.com ldapserver >> /etc/hosts
Now install required packages.
[root@desktop1 ~]# yum -y install openldap sssd
Loaded plugins: langpacks, product-id, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Repodata is over 2 weeks old. Install yum-cron? Or run: yum makecache fast
localyum                                                 | 4.1 kB  00:00:00
Package openldap-2.4.39-3.el7.x86_64 already installed and latest version
Package sssd-1.11.2-65.el7.x86_64 already installed and latest version
Nothing to do

[root@desktop1 home]# systemctl start sssd && systemctl enable sssd
ln -s '/usr/lib/systemd/system/sssd.service' '/etc/systemd/system/multi-user.target.wants/sssd.service'
Since we are using LDAPS, we have to copy the self-signed certificate to our client machine.
[root@desktop1 ~]# scp root@ldapserver.itlab.com:/etc/openldap/certs/ldapserver.pem /etc/openldap/cacerts/ldapserver.pem
The authenticity of host 'ldapserver.itlab.com (192.168.116.3)' can't be established.
ECDSA key fingerprint is 4c:7f:83:39:d1:bc:ef:4c:fd:58:82:7b:36:ff:9e:f2.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'ldapserver.itlab.com,192.168.116.3' (ECDSA) to the list of known hosts.
root@ldapserver.itlab.com's password:
ldapserver.pem                                100% 1452     1.4KB/s   00:00
Now configure remote authentication with LDAP on the client machine.
[root@desktop1 ~]# authconfig --update --enableldap --enableldapauth --enableldaptls --ldapserver=ldaps://ldapserver.itlab.com --ldapbasedn="dc=itlab,dc=com" --enablemkhomedir
Now connect using an LDAP User.
[root@desktop1 home]# su - ahmer
Creating directory '/home/ahmer'.
Last login: Mon May 28 11:28:17 PDT 2018 on pts/0
[ahmer@desktop1 ~]$ id
uid=10001(ahmer) gid=10001(ahmer) groups=10001(ahmer),10003(dba)
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Our client machine is now configured to authenticate to the OpenLDAP remote
authentication server.
