🔑 AlmaLinux LDAP: Complete Active Directory Integration Guide

Published Sep 18, 2025

Master LDAP and Active Directory on AlmaLinux! Learn OpenLDAP setup, AD integration, user authentication, group management, and security best practices.
Hey there, directory services champion! 🎉 Ready to master centralized authentication and user management? Today we’re diving deep into LDAP and Active Directory integration on AlmaLinux – the backbone of enterprise identity management! 🚀

Whether you’re setting up OpenLDAP from scratch, integrating with existing Active Directory, or building a hybrid authentication system, this guide will turn your AlmaLinux server into an identity management powerhouse! 💪

🤔 Why is LDAP/AD Integration Important?

Imagine managing user accounts on hundreds of servers manually – it’s a nightmare! 😱 LDAP provides centralized authentication, so users have one password for everything!

Here’s why LDAP/AD on AlmaLinux is essential:

  • 🎯 Single Sign-On (SSO) - One password for all systems
  • 👥 Centralized User Management - Manage thousands of users from one place
  • 🔒 Enhanced Security - Consistent password policies everywhere
  • 🌍 Scalability - Add servers without duplicating user accounts
  • 📊 Audit Trail - Track authentication across the enterprise
  • 🔄 Automated Provisioning - Create accounts automatically
  • 💼 Group Management - Organize users by department or role
  • 🛡️ Access Control - Fine-grained permissions based on LDAP groups

🎯 What You Need

Before we build your identity management system, let’s check prerequisites:

  • AlmaLinux 9.x server (minimum 2GB RAM) ✅
  • Network connectivity to domain controllers ✅
  • DNS resolution properly configured (AD joins depend on the _ldap._tcp and _kerberos._tcp SRV records) ✅
  • Time synchronization (Kerberos rejects clocks more than 5 minutes apart, so chrony is crucial!) ✅
  • Firewall access for LDAP ports (389, 636), plus 88 and 464 for Kerberos when joining AD ✅
  • An AD account allowed to join computers to the domain (for AD integration; a delegated account is safer than Domain Admin) ✅
  • TLS certificates for secure connections ✅
  • Basic understanding of directory services ✅

📝 Step 1: Install and Configure OpenLDAP Server

Let’s start by setting up our own OpenLDAP server! 🎯

# Install OpenLDAP packages (on AlmaLinux 9 the server package comes from EPEL)
sudo dnf install -y epel-release
sudo dnf install -y openldap openldap-servers openldap-clients

# Generate admin password hash (slappasswd prompts, so the password stays out of shell history)
ADMIN_PASSWORD_HASH=$(slappasswd)

# Start and enable OpenLDAP; the package ships a ready-made cn=config with an mdb database
sudo systemctl enable --now slapd

# Confirm which database entry we are about to configure (expect olcDatabase={2}mdb)
sudo ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config -LLL "(olcDatabase=*)" olcDatabase olcSuffix

# Import base schemas (cosine before inetorgperson, which depends on it)
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

# Configure the database through the LDAP protocol. Never edit the files under
# /etc/openldap/slapd.d by hand: they carry a CRC header and slapd may refuse to load them.
# The hdb backend and DB_CONFIG from older guides no longer exist in OpenLDAP 2.5+; mdb replaces them.
cat > /tmp/db.ldif << EOF
dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=company,dc=local
-
replace: olcRootDN
olcRootDN: cn=admin,dc=company,dc=local
-
replace: olcRootPW
olcRootPW: $ADMIN_PASSWORD_HASH
-
replace: olcDbMaxSize
olcDbMaxSize: 1073741824
-
replace: olcDbIndex
olcDbIndex: objectClass eq
olcDbIndex: cn,uid eq
olcDbIndex: uidNumber,gidNumber eq
olcDbIndex: member,memberUid eq
-
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=company,dc=local" write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by self write by dn="cn=admin,dc=company,dc=local" write by * read
EOF

sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/db.ldif
rm /tmp/db.ldif   # it holds the root password hash

# Create base directory structure
cat > /tmp/base.ldif << 'EOF'
dn: dc=company,dc=local
objectClass: top
objectClass: dcObject
objectClass: organization
o: Company
dc: company

dn: cn=admin,dc=company,dc=local
objectClass: organizationalRole
cn: admin
description: LDAP Manager

dn: ou=People,dc=company,dc=local
objectClass: organizationalUnit
ou: People

dn: ou=Groups,dc=company,dc=local
objectClass: organizationalUnit
ou: Groups
EOF

# Add base structure (-W prompts for the admin password you set above)
ldapadd -x -D "cn=admin,dc=company,dc=local" -W -f /tmp/base.ldif

# Verify: anonymous read of the tree should list the four DNs
ldapsearch -x -LLL -b "dc=company,dc=local" dn

Perfect! OpenLDAP server is running! 🎉

🔧 Step 2: Configure LDAP Client Authentication

Now let’s configure AlmaLinux to authenticate against LDAP:

# Install LDAP client packages (oddjob-mkhomedir creates home directories on first login,
# sssd-tools provides sssctl for troubleshooting)
sudo dnf install -y sssd sssd-ldap sssd-tools authselect oddjob oddjob-mkhomedir

# Configure SSSD for LDAP
sudo tee /etc/sssd/sssd.conf > /dev/null << 'EOF'
[sssd]
config_file_version = 2
services = nss, pam, ssh
domains = company.local

[domain/company.local]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap

# Use the hostname that appears in the server certificate (see Example 1), not localhost:
# with ldap_tls_reqcert = demand the name must match or SSSD refuses to connect.
ldap_uri = ldap://ldap.company.local:389
ldap_search_base = dc=company,dc=local
# No ldap_default_bind_dn / ldap_default_authtok here: the ACLs from Step 1 already allow
# anonymous reads of everything except passwords, and the rootdn password must never sit
# in a client config. If your directory requires a bind, create a dedicated read-only account.

# User and group mappings
ldap_user_search_base = ou=People,dc=company,dc=local
ldap_group_search_base = ou=Groups,dc=company,dc=local
ldap_user_object_class = inetOrgPerson
ldap_user_name = uid
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_home_directory = homeDirectory
ldap_user_shell = loginShell

# Group settings
ldap_group_object_class = posixGroup
ldap_group_name = cn
ldap_group_gid_number = gidNumber
ldap_group_member = memberUid

# Security settings: StartTLS on 389 with full certificate validation.
# "allow" would accept any certificate and silently defeat TLS. On clients other than
# the LDAP server itself, copy the server certificate (or your CA) to this path.
ldap_id_use_start_tls = true
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/openldap/certs/ldap.crt

# Caching
cache_credentials = true
enumerate = false
EOF

# SSSD refuses to start unless its config is root-only
sudo chmod 600 /etc/sssd/sssd.conf
sudo chown root:root /etc/sssd/sssd.conf

# Configure system authentication, with home directory creation on first login
sudo authselect select sssd with-mkhomedir --force
sudo systemctl enable --now oddjobd

# Enable and start SSSD
sudo systemctl enable --now sssd

# Verify the domain came online
sudo sssctl domain-status company.local

Excellent! LDAP authentication is configured! 🌟

🌟 Step 3: Integrate with Active Directory

Let’s configure integration with Windows Active Directory:

# Install Active Directory integration packages
sudo dnf install -y realmd adcli sssd sssd-ad samba-common-tools krb5-workstation oddjob oddjob-mkhomedir

# Discover the domain first: this checks the DNS SRV records and lists what realmd needs
sudo realm discover COMPANY.COM

# Configure Kerberos. This is optional: realm join and SSSD's KDC locator plugin find the
# domain controllers through DNS. Hard-code kdc entries only when SRV lookups are not available.
sudo tee /etc/krb5.conf > /dev/null << 'EOF'
[libdefaults]
 default_realm = COMPANY.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false

[realms]
 COMPANY.COM = {
  kdc = dc1.company.com
  admin_server = dc1.company.com
 }

[domain_realm]
 .company.com = COMPANY.COM
 company.com = COMPANY.COM
EOF

# Join the Active Directory domain. Any account allowed to create computer objects in the
# target OU works; it does not have to be Domain Administrator. The password is prompted for.
sudo realm join --user=administrator COMPANY.COM

# realm join already wrote /etc/sssd/sssd.conf; this rewrite pins the settings we rely on.
# It replaces the Step 2 LDAP domain. To serve both directories, keep both [domain/...]
# sections and list both names in "domains =".
sudo tee /etc/sssd/sssd.conf > /dev/null << 'EOF'
[sssd]
domains = company.com
config_file_version = 2
services = nss, pam

[domain/company.com]
ad_domain = company.com
krb5_realm = COMPANY.COM
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
# UIDs/GIDs are derived from the SID; they are consistent across hosts that share the
# default idmap range but differ from any uidNumber attributes stored in AD
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u
# access_provider = ad honours the "Allow log on locally" GPO rights. Without an
# access_provider SSSD defaults to permit, and every domain account can log in.
access_provider = ad

# Performance tuning
ldap_referrals = false
enumerate = false
ldap_page_size = 1000
EOF
sudo chmod 600 /etc/sssd/sssd.conf

# Restart SSSD
sudo systemctl restart sssd

# Test AD authentication (replace domain_user with a real account; then try an ssh login)
getent passwd domain_user
id domain_user
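A `ldap_tls_reqcert = allow`, a bind password in `ldap_default_authtok`, a cleartext `ldap://` URI without StartTLS, or an AD domain with no `access_provider` are the usual ways an sssd.conf ends up weaker than intended, and none of them produces an error at start-up. The audit below is an added example (not code from the original guide or from the SSSD project): it walks a config file section by section and prints one finding per weak setting. It assumes only POSIX sh with grep, sed and tr; the embedded sample config is constructed for the demo and mirrors the two domain sections discussed above.

```shell
#!/bin/sh
# Added example, not part of the original guide: a read-only audit of an sssd.conf file that
# flags the weak settings discussed above. Assumes POSIX sh with grep, sed and tr; no LDAP
# server is needed. Usage: ./sssd-audit.sh /etc/sssd/sssd.conf (no argument: audit the sample)

# Strip comments and surrounding whitespace from one config line.
trim_line() {
    printf '%s' "$1" | sed -e 's/[#;].*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# Reset the per-section state.
reset_section() {
    uri=''; starttls=''; reqcert=''; authtok=''; idprov=''; access=''; enumerate=''
}

# Print findings for the [domain/...] section that just ended.
finish_section() {
    case "$sec" in domain/*) ;; *) return 0 ;; esac
    case "$reqcert" in
        allow|never) echo "WARN [$sec]: ldap_tls_reqcert = $reqcert skips certificate validation (use demand)" ;;
    esac
    [ -z "$authtok" ] || echo "WARN [$sec]: ldap_default_authtok puts a bind password in the client config (bind anonymously or with a read-only account)"
    case "$uri" in
        ldap://*) [ "$starttls" = true ] || echo "WARN [$sec]: ldap_uri $uri is cleartext and ldap_id_use_start_tls is not true" ;;
    esac
    if [ "$idprov" = ad ] && [ -z "$access" ]; then
        echo "WARN [$sec]: id_provider = ad without access_provider (SSSD defaults to permit, so every domain account can log in)"
    fi
    [ "$enumerate" != true ] || echo "INFO [$sec]: enumerate = true downloads the whole directory; disable it on large domains"
}

# Walk the file and scope each setting to its section.
audit_sssd_conf() {
    sec=''
    reset_section
    while IFS= read -r raw || [ -n "$raw" ]; do
        line=$(trim_line "$raw")
        [ -n "$line" ] || continue
        case "$line" in
            \[*\])
                finish_section
                sec=${line#\[}; sec=${sec%\]}
                reset_section
                continue ;;
        esac
        key=$(printf '%s' "${line%%=*}" | sed 's/[[:space:]]*$//')
        val=$(printf '%s' "${line#*=}" | sed 's/^[[:space:]]*//' | tr 'A-Z' 'a-z')
        case "$key" in
            ldap_uri)               uri=$val ;;
            ldap_id_use_start_tls)  starttls=$val ;;
            ldap_tls_reqcert)       reqcert=$val ;;
            ldap_default_authtok)   authtok=$val ;;
            id_provider)            idprov=$val ;;
            access_provider)        access=$val ;;
            enumerate)              enumerate=$val ;;
        esac
    done < "$1"
    finish_section
}

# Constructed sample: a weak LDAP domain and an AD domain with no access control.
sample_conf() {
    cat << 'EOF'
[sssd]
config_file_version = 2
domains = company.local, company.com

[domain/company.local]
id_provider = ldap
ldap_uri = ldap://localhost:389
ldap_default_bind_dn = cn=admin,dc=company,dc=local
ldap_default_authtok = AdminPassword123   # rootdn password on every client
ldap_tls_reqcert = allow
enumerate = false

[domain/company.com]
id_provider = ad
ad_domain = company.com
EOF
}

if [ -n "${1:-}" ]; then
    audit_sssd_conf "$1"
else
    tmp=$(mktemp)
    sample_conf > "$tmp"
    audit_sssd_conf "$tmp"
    rm -f "$tmp"
fi
```

Run without arguments it audits the constructed sample and reports four WARN lines (three for the LDAP domain, one for the AD domain); with a path it audits that file. Running it from a config-management post-hook keeps a later "quick fix" of `ldap_tls_reqcert = allow` from surviving unnoticed.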

✅ Step 4: LDAP User and Group Management

Let’s create tools for managing LDAP users and groups:

# Create LDAP management script
sudo tee /usr/local/bin/ldap-manager.sh > /dev/null << 'EOF'
#!/bin/bash
# LDAP User and Group Management Tool
set -euo pipefail

LDAP_BASE="dc=company,dc=local"
LDAP_ADMIN="cn=admin,$LDAP_BASE"
LDAP_USERS_OU="ou=People,$LDAP_BASE"
LDAP_GROUPS_OU="ou=Groups,$LDAP_BASE"

# Temporary LDIF with a private, unpredictable name (it may hold a password hash);
# removed on exit whatever happens
LDIF=$(mktemp)
trap 'rm -f "$LDIF"' EXIT

# Names end up inside DNs and search filters, so accept plain POSIX names only
check_name() {
    printf '%s' "$1" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$' \
        || { echo "❌ Invalid name: '$1'" >&2; exit 1; }
}

add_user() {
    read -p "Username: " USERNAME
    check_name "$USERNAME"
    read -p "First Name: " FIRSTNAME
    read -p "Last Name: " LASTNAME
    read -p "Email: " EMAIL
    read -p "UID Number: " UIDNUMBER
    read -p "GID Number: " GIDNUMBER

    # slappasswd prompts for the password itself, so it never appears in argv or history
    echo "Password for $USERNAME:"
    PASSHASH=$(slappasswd)

    # Create LDIF (shadowLastChange is today in days since the epoch;
    # shadowMax 999999 means the password never expires, lower it to enforce rotation)
    cat > "$LDIF" << USERLDIF
dn: uid=$USERNAME,$LDAP_USERS_OU
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: $USERNAME
sn: $LASTNAME
givenName: $FIRSTNAME
cn: $FIRSTNAME $LASTNAME
displayName: $FIRSTNAME $LASTNAME
uidNumber: $UIDNUMBER
gidNumber: $GIDNUMBER
userPassword: $PASSHASH
gecos: $FIRSTNAME $LASTNAME
loginShell: /bin/bash
homeDirectory: /home/$USERNAME
shadowExpire: -1
shadowFlag: 0
shadowWarning: 7
shadowMin: 8
shadowMax: 999999
shadowLastChange: $(( $(date +%s) / 86400 ))
mail: $EMAIL
USERLDIF

    # Add user to LDAP (-W prompts for the admin password)
    ldapadd -x -D "$LDAP_ADMIN" -W -f "$LDIF"

    echo "✅ User $USERNAME created successfully"
}

add_group() {
    read -p "Group Name: " GROUPNAME
    check_name "$GROUPNAME"
    read -p "GID Number: " GIDNUMBER
    read -p "Description: " DESCRIPTION

    cat > "$LDIF" << GROUPLDIF
dn: cn=$GROUPNAME,$LDAP_GROUPS_OU
objectClass: posixGroup
cn: $GROUPNAME
gidNumber: $GIDNUMBER
description: $DESCRIPTION
GROUPLDIF

    ldapadd -x -D "$LDAP_ADMIN" -W -f "$LDIF"

    echo "✅ Group $GROUPNAME created successfully"
}

add_user_to_group() {
    read -p "Username: " USERNAME
    check_name "$USERNAME"
    read -p "Group Name: " GROUPNAME
    check_name "$GROUPNAME"

    cat > "$LDIF" << ADDLDIF
dn: cn=$GROUPNAME,$LDAP_GROUPS_OU
changetype: modify
add: memberUid
memberUid: $USERNAME
ADDLDIF

    ldapmodify -x -D "$LDAP_ADMIN" -W -f "$LDIF"

    echo "✅ User $USERNAME added to group $GROUPNAME"
}

list_users() {
    echo "👥 LDAP Users:"
    ldapsearch -x -LLL -b "$LDAP_USERS_OU" "(objectClass=inetOrgPerson)" uid cn mail | grep -E "^uid:|^cn:|^mail:"
}

list_groups() {
    echo "👤 LDAP Groups:"
    ldapsearch -x -LLL -b "$LDAP_GROUPS_OU" "(objectClass=posixGroup)" cn gidNumber description | grep -E "^cn:|^gidNumber:|^description:"
}

search_user() {
    read -p "Search term: " SEARCH
    # The term is interpolated into a filter: restrict it so input such as "*)(uid=*"
    # cannot inject extra filter terms and match every entry
    printf '%s' "$SEARCH" | grep -Eq '^[A-Za-z0-9@._ -]+$' \
        || { echo "❌ Search term may only contain letters, digits, @ . _ - and spaces" >&2; exit 1; }
    echo "🔍 Search results:"
    ldapsearch -x -LLL -b "$LDAP_USERS_OU" "(|(uid=*$SEARCH*)(cn=*$SEARCH*)(mail=*$SEARCH*))" uid cn mail
}

case "${1:-}" in
    add-user) add_user ;;
    add-group) add_group ;;
    add-to-group) add_user_to_group ;;
    list-users) list_users ;;
    list-groups) list_groups ;;
    search) search_user ;;
    *) echo "Usage: $0 {add-user|add-group|add-to-group|list-users|list-groups|search}" ;;
esac
EOF

sudo chmod 755 /usr/local/bin/ldap-manager.sh
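Two things a script like this has to get right before it talks to the directory are what it lets into a DN or a search filter, and where it gets uidNumbers from (asking the operator to type one is how duplicate UIDs happen). The block below is an added example, not code from the original guide: it shows the RFC 4515 escaping that turns a hostile search term harmless, next to the unescaped filter so the injection is visible, and a next-free-uid allocator that reads `ldapsearch -LLL` output. It assumes POSIX sh with grep, sed and awk; the `ldapsearch` output it parses is constructed inline, so it runs without a server.

```shell
#!/bin/sh
# Added example, not part of the original guide: input handling for an LDAP management
# script. Assumes POSIX sh with grep, sed and awk; the ldapsearch output below is constructed.

# 1. Allow only plain POSIX names in anything that becomes part of a DN.
valid_name() {
    printf '%s' "$1" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'
}

# 2. RFC 4515 escaping for values interpolated into a search filter. A term such as
#    "*)(uid=*" would otherwise rewrite the filter and match every entry in the OU.
filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# The search filter used by the management script, built without and with escaping.
search_filter_unsafe() {
    printf '(|(uid=*%s*)(cn=*%s*)(mail=*%s*))' "$1" "$1" "$1"
}
search_filter() {
    term=$(filter_escape "$1")
    printf '(|(uid=*%s*)(cn=*%s*)(mail=*%s*))' "$term" "$term" "$term"
}

# 3. Next free uidNumber inside a range, from "ldapsearch -LLL ... uidNumber" output on
#    stdin: ignores values outside the range, prints max+1 (or the range start when the
#    range is unused) and fails when the range is exhausted.
next_free_id() {
    awk -v lo="$1" -v hi="$2" '
        /^uidNumber: / { n = $2 + 0; if (n >= lo && n <= hi && n > max) max = n }
        END { next_id = (max ? max + 1 : lo); if (next_id > hi) exit 1; print next_id }'
}

# Constructed sample of what "ldapsearch -x -LLL -b ou=People,... uidNumber" prints.
sample_uids() {
    printf 'dn: uid=alice,ou=People,dc=company,dc=local\nuidNumber: 10001\n\n'
    printf 'dn: uid=bob,ou=People,dc=company,dc=local\nuidNumber: 10007\n\n'
    printf 'dn: uid=svc-backup,ou=People,dc=company,dc=local\nuidNumber: 20000\n\n'
}

# Demo when run directly (printf rather than echo: some shells expand \2a in echo).
printf 'unsafe: %s\n' "$(search_filter_unsafe '*)(uid=*')"
printf 'safe:   %s\n' "$(search_filter '*)(uid=*')"
printf 'next uid in 10000-19999: %s\n' "$(sample_uids | next_free_id 10000 19999)"
```

In the management script the allocator replaces the `read -p "UID Number: "` prompt with `ldapsearch -x -LLL -b "$LDAP_USERS_OU" uidNumber | next_free_id 10000 19999`; the 20000 entry in the sample shows why the range bounds matter, since service accounts parked in a separate range must not push the next human UID past it.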

🎮 Quick Examples

Example 1: LDAP SSL/TLS Security

# Generate a self-signed certificate for LDAP. A subjectAltName is required: modern TLS
# clients ignore the CN. For production, request the certificate from your internal CA.
sudo openssl req -new -x509 -nodes -newkey rsa:3072 -out /etc/openldap/certs/ldap.crt \
    -keyout /etc/openldap/certs/ldap.key -days 365 \
    -subj "/C=US/ST=State/L=City/O=Company/CN=ldap.company.local" \
    -addext "subjectAltName=DNS:ldap.company.local"

# Set permissions (slapd runs as the ldap user)
sudo chown ldap:ldap /etc/openldap/certs/ldap.*
sudo chmod 600 /etc/openldap/certs/ldap.key
sudo chmod 644 /etc/openldap/certs/ldap.crt

# Configure LDAP for TLS. Certificate and key go in one modify operation: slapd checks
# the pair together and rejects a key or certificate added on its own.
cat > /tmp/ssl.ldif << 'EOF'
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/openldap/certs/ldap.crt
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/ldap.crt
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/ldap.key
EOF

sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/ssl.ldif

# Listen on ldaps:// (636) as well as StartTLS on 389, then open the firewall
sudo sed -i 's|^SLAPD_URLS=.*|SLAPD_URLS="ldapi:/// ldap:/// ldaps:///"|' /etc/sysconfig/slapd
sudo systemctl restart slapd
sudo firewall-cmd --permanent --add-service=ldap --add-service=ldaps
sudo firewall-cmd --reload

# Let the command-line tools validate the certificate
echo "TLS_CACERT /etc/openldap/certs/ldap.crt" | sudo tee -a /etc/openldap/ldap.conf

# Verify: -ZZ makes StartTLS mandatory and fails if the certificate does not validate
ldapsearch -x -ZZ -H ldap://ldap.company.local -b "" -s base -LLL

Example 2: LDAP Backup and Restore

# Create LDAP backup script (run as root: slapcat reads /var/lib/ldap directly)
sudo tee /usr/local/bin/ldap-backup.sh > /dev/null << 'EOF'
#!/bin/bash
# LDAP Backup Script
set -euo pipefail

BACKUP_DIR="/backup/ldap"
DATE=$(date +%Y%m%d_%H%M%S)

# Dumps contain every userPassword hash and the rootdn hash: keep them root-only
umask 077
mkdir -p "$BACKUP_DIR"

# Backup configuration (database 0 is cn=config) and data (database 2) as LDIF;
# slapcat is safe to run while slapd is up
slapcat -n 0 -l "$BACKUP_DIR/ldap_config_$DATE.ldif"
slapcat -n 2 -l "$BACKUP_DIR/ldap_data_$DATE.ldif"

# Keep 30 days of dumps
find "$BACKUP_DIR" -name '*.ldif' -mtime +30 -delete

echo "✅ LDAP backup completed: $BACKUP_DIR/ldap_data_$DATE.ldif"
EOF

sudo chmod 700 /usr/local/bin/ldap-backup.sh

# Schedule daily backups in root's crontab
sudo bash -c '(crontab -l 2>/dev/null; echo "0 2 * * * /usr/local/bin/ldap-backup.sh") | crontab -'

To restore, stop slapd, move the old /var/lib/ldap/data.mdb aside, run `slapadd -n 2 -l ldap_data_<date>.ldif`, fix ownership with `chown -R ldap:ldap /var/lib/ldap`, and start slapd again; cn=config is restored the same way with `slapadd -n 0 -l ldap_config_<date>.ldif` into an empty /etc/openldap/slapd.d. Test the restore on a scratch VM before you need it: a dump that was never loaded is not a backup.

Example 3: LDAP Monitoring

# Create LDAP monitoring script
sudo tee /usr/local/bin/ldap-monitor.sh > /dev/null << 'EOF'
#!/bin/bash
# LDAP Server Monitoring

echo "🔍 LDAP Server Status"
echo "===================="

# Check service status
systemctl is-active slapd > /dev/null && echo "✅ SLAPD Service: Running" || echo "❌ SLAPD Service: Stopped"

# Check established client connections on 389 and 636 (ss is installed by default; netstat is not)
CONNECTIONS=$(ss -Htn state established '( sport = :389 or sport = :636 )' | wc -l)
echo "🔗 Active connections: $CONNECTIONS"

# Check database size
DB_SIZE=$(du -sh /var/lib/ldap | cut -f1)
echo "💾 Database size: $DB_SIZE"

# Test search
if ldapsearch -x -LLL -b "dc=company,dc=local" -s base "(objectClass=*)" dn > /dev/null 2>&1; then
    echo "✅ LDAP search: Working"
else
    echo "❌ LDAP search: Failed"
fi

# Certificate expiry: warn 30 days (2592000 s) ahead, before clients with reqcert=demand start failing
if openssl x509 -in /etc/openldap/certs/ldap.crt -checkend 2592000 -noout > /dev/null 2>&1; then
    echo "✅ TLS certificate: valid for more than 30 days"
else
    echo "❌ TLS certificate: missing or expiring within 30 days"
fi

# Count users and groups
USERS=$(ldapsearch -x -LLL -b "ou=People,dc=company,dc=local" "(objectClass=inetOrgPerson)" dn | grep -c "^dn:")
GROUPS=$(ldapsearch -x -LLL -b "ou=Groups,dc=company,dc=local" "(objectClass=posixGroup)" dn | grep -c "^dn:")

echo "👥 Users: $USERS"
echo "👤 Groups: $GROUPS"
EOF

sudo chmod 755 /usr/local/bin/ldap-monitor.sh

🚨 Fix Common Problems

Problem 1: LDAP Authentication Failing

# Check SSSD status
sudo systemctl status sssd
sudo sssctl domain-status company.local   # from sssd-tools

# Test LDAP connectivity the way SSSD does it: StartTLS with certificate validation.
# If this fails while a plain "ldapsearch -x" works, the certificate or hostname is the problem.
ldapsearch -x -ZZ -H ldap://ldap.company.local -b "dc=company,dc=local" -LLL dn

# Check SSSD logs (the per-domain log holds the LDAP errors; sssd.log is only the monitor process)
sudo tail -f /var/log/sssd/sssd_company.local.log
sudo journalctl -u sssd -n 50

# Restart SSSD
sudo systemctl restart sssd

# Clear SSSD cache (cached entries and credentials hide a broken server until they expire)
sudo sss_cache -E

Problem 2: Active Directory Join Fails

# Check DNS: AD clients locate domain controllers through SRV records, not the bare A record
dig +short SRV _ldap._tcp.dc._msdcs.company.com
dig +short SRV _kerberos._tcp.company.com

# Check time synchronization (Kerberos tolerates at most 5 minutes of skew)
timedatectl status
chronyc tracking

# Test Kerberos with the account used for the join
kinit administrator@COMPANY.COM
klist

# Re-join domain with verbose output to see which step fails
sudo realm leave company.com
sudo realm join -v --user=administrator COMPANY.COM
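The checks above cover the two conditions behind most failed joins, but they are easy to forget under pressure, and `realm join` reports them only as a generic "Couldn't join realm". The script below, an added example that serves both Step 3 and this troubleshooting section and is not code from the original guide or from realmd, runs them as a preflight: it resolves the SRV records realmd and SSSD rely on and compares chrony's offset against the Kerberos skew limit. The live part assumes `dig` (bind-utils) and `chronyc` on the host; the parsing helpers run on constructed input without a network.

```shell
#!/bin/sh
# Added example, not part of the original guide: pre-join checks for the two causes behind
# most failed realm joins, missing AD SRV records and clock skew. The live checks assume dig
# (bind-utils) and chronyc; the helpers work on constructed input without a network.
# Usage: ./ad-preflight.sh company.com

# Kerberos rejects requests when client and KDC clocks differ by more than 300 seconds.
MAX_SKEW=300

# Return 0 when two epoch timestamps (or offsets) differ by at most MAX_SKEW seconds.
skew_ok() {
    d=$(( $1 - $2 ))
    if [ "$d" -lt 0 ]; then d=$(( 0 - d )); fi
    [ "$d" -le "$MAX_SKEW" ]
}

# Turn "dig +short SRV" lines ("prio weight port target.") into "target:port",
# lowest priority value (the preferred server) first.
srv_targets() {
    awk 'NF == 4 { sub(/\.$/, "", $4); print $1, $4 ":" $3 }' | sort -n | cut -d' ' -f2
}

# Live preflight: the SRV records realmd and SSSD look up, then chrony's offset from NTP.
preflight() {
    domain=$1
    rc=0
    for rec in "_ldap._tcp.dc._msdcs.$domain" "_kerberos._tcp.$domain" "_kpasswd._tcp.$domain"; do
        targets=$(dig +short SRV "$rec" | srv_targets | tr '\n' ' ')
        if [ -z "$targets" ]; then
            echo "FAIL: no SRV record for $rec (resolv.conf must point at an AD DNS server)"
            rc=1
        else
            echo "OK:   $rec -> $targets"
        fi
    done
    # "System time : 0.000123456 seconds fast of NTP time" -> field 4, truncated to whole seconds
    offset=$(chronyc tracking 2>/dev/null | awk '/^System time/ { printf "%d", $4 }')
    if [ -z "$offset" ]; then
        echo "FAIL: chronyd not running or not synchronised (systemctl enable --now chronyd)"
        rc=1
    elif skew_ok "$offset" 0; then
        echo "OK:   clock offset ${offset}s is within ${MAX_SKEW}s"
    else
        echo "FAIL: clock offset ${offset}s exceeds the Kerberos tolerance"
        rc=1
    fi
    return $rc
}

if [ -n "${1:-}" ]; then
    preflight "$1"
fi
```

A non-zero exit means the join will fail for a reason the script has already named; fix that before retrying `realm join` rather than reading adcli's output. The `_kpasswd._tcp` record is included because password changes from Linux (the `chpass` path in SSSD) need it even though the join itself does not.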

Problem 3: Slow LDAP Queries

# Check LDAP indexes
sudo ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" -LLL "(olcDbIndex=*)" olcDbIndex

# slapd logs the attribute of every unindexed search; this tells you which index is missing
sudo journalctl -u slapd | grep -i 'not indexed'

# Add indexes for better performance (database {2} is the mdb database on AlmaLinux 9;
# slapd rebuilds the new indexes itself, no restart needed)
cat > /tmp/index.ldif << 'EOF'
dn: olcDatabase={2}mdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: mail eq,sub
olcDbIndex: givenName eq,sub
olcDbIndex: sn eq,sub
EOF

sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/index.ldif

📋 Simple Commands Summary

| Command | Purpose |
| --- | --- |
| sudo systemctl status slapd | Check OpenLDAP status |
| ldapsearch -x -b "dc=company,dc=local" | Search LDAP directory |
| sudo realm list | Show joined domains |
| getent passwd username | Test user lookup |
| ldap-manager.sh add-user | Add LDAP user |
| sudo sss_cache -E | Clear SSSD cache |
| kinit administrator@COMPANY.COM | Test Kerberos authentication |
| ldap-monitor.sh | Monitor LDAP server |

🏆 What You Learned

Congratulations! You’ve mastered LDAP and Active Directory integration on AlmaLinux! 🎉

  • Installed OpenLDAP server from scratch ✅
  • Configured LDAP authentication for Linux systems ✅
  • Integrated with Active Directory for Windows compatibility ✅
  • Created user management tools ✅
  • Implemented SSL/TLS security ✅
  • Built monitoring and backup systems ✅

🎯 Why This Matters

Centralized authentication is the foundation of enterprise security! 🌟 You now have the skills to manage identity services for organizations of any size, providing secure, scalable authentication solutions! 🚀

Keep your directory services updated and monitored for optimal security and performance! ⭐🙌