🔑 AlmaLinux LDAP: Complete Active Directory Integration Guide
Hey there, directory services champion! 🎉 Ready to master centralized authentication and user management? Today we’re diving deep into LDAP and Active Directory integration on AlmaLinux – the backbone of enterprise identity management! 🚀
Whether you’re setting up OpenLDAP from scratch, integrating with existing Active Directory, or building a hybrid authentication system, this guide will turn your AlmaLinux server into an identity management powerhouse! 💪
🤔 Why is LDAP/AD Integration Important?
Imagine managing user accounts on hundreds of servers manually – it’s a nightmare! 😱 LDAP provides centralized authentication, so users have one password for everything!
Here’s why LDAP/AD on AlmaLinux is essential:
- 🎯 Single Sign-On (SSO) - One credential for all systems (true ticket-based SSO arrives with Kerberos once you join Active Directory)
- 👥 Centralized User Management - Manage thousands of users from one place
- 🔒 Enhanced Security - Consistent password policies everywhere
- 🌍 Scalability - Add servers without duplicating user accounts
- 📊 Audit Trail - Track authentication across the enterprise
- 🔄 Automated Provisioning - Create accounts automatically
- 💼 Group Management - Organize users by department or role
- 🛡️ Access Control - Fine-grained permissions based on LDAP groups
🎯 What You Need
Before we build your identity management system, let’s check prerequisites:
✅ AlmaLinux 9.x server (minimum 2GB RAM)
✅ Network connectivity to the LDAP server or the domain controllers
✅ DNS resolution properly configured (for AD, the _ldap._tcp and _kerberos._tcp SRV records of the domain must resolve)
✅ Time synchronization (NTP is crucial: Kerberos rejects clocks more than 5 minutes apart)
✅ Firewall access for LDAP ports (389, 636) and, for AD, Kerberos (88, 464) and the global catalog (3268, 3269); 445 only if you join with Samba instead of adcli
✅ An account with the right to join computers to the domain (for AD integration; it does not need to be a Domain Admin)
✅ TLS certificates for secure connections (a self-signed certificate is fine for a lab)
✅ Basic understanding of directory services 🌲
📝 Step 1: Install and Configure OpenLDAP Server
Let’s start by setting up our own OpenLDAP server! 🎯
# Install OpenLDAP packages. openldap-servers is not in the AlmaLinux 9 base
# repositories, so enable EPEL first (the client tools are in the base repo)
sudo dnf install -y epel-release
sudo dnf install -y openldap openldap-servers openldap-clients
# Start slapd with its stock cn=config. OpenLDAP 2.6 on AlmaLinux 9 uses the
# mdb backend: the DB_CONFIG / hdb steps from older guides no longer apply.
sudo systemctl enable --now slapd
# Import the schemas our users and groups need (nis and inetorgperson build on cosine)
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
# Generate the admin password hash. slappasswd prompts for the password, so it
# never lands in your shell history or in the process list
ADMIN_PASSWORD=$(slappasswd)
# Confirm the name of the stock data database (expected: olcDatabase={2}mdb)
sudo ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config olcDatabase
# Point that database at our suffix and set rootdn, rootpw, indexes and ACLs.
# Never edit the files under /etc/openldap/slapd.d by hand: change cn=config over
# ldapi:/// and slapd rewrites them (with valid checksums) itself. The indexes
# reference uidNumber and friends, which is why the schemas were loaded first.
sudo ldapmodify -Y EXTERNAL -H ldapi:/// << EOF
dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=company,dc=local
-
replace: olcRootDN
olcRootDN: cn=admin,dc=company,dc=local
-
replace: olcRootPW
olcRootPW: $ADMIN_PASSWORD
-
replace: olcDbIndex
olcDbIndex: objectClass eq
olcDbIndex: cn,uid eq
olcDbIndex: uidNumber,gidNumber eq
olcDbIndex: member,memberUid eq
-
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by * read
EOF
# Verify the change was accepted
sudo ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "olcDatabase={2}mdb,cn=config" olcSuffix olcRootDN olcDbIndex olcAccess
A few words on those ACLs, because they decide who sees what. The rootdn (cn=admin) bypasses ACLs entirely, so it needs no "by dn=..." clause. Password hashes can only be written by the user themselves and are never readable: "by anonymous auth" lets a bind compare against them without disclosing them. Everything else is readable by anyone who can reach port 389, which is what lets SSSD work without a bind password in the next step; if that is too open for your network, change rule {2} to "by users read by * none" and give SSSD a dedicated read-only bind account. Deliberately absent is "to * by self write": it would let every user rewrite their own uidNumber, gidNumber and loginShell.
# Create base directory structure
cat > /tmp/base.ldif << 'EOF'
dn: dc=company,dc=local
objectClass: top
objectClass: dcObject
objectClass: organization
o: Company
dc: company

dn: cn=admin,dc=company,dc=local
objectClass: organizationalRole
cn: admin
description: LDAP Manager

dn: ou=People,dc=company,dc=local
objectClass: organizationalUnit
ou: People

dn: ou=Groups,dc=company,dc=local
objectClass: organizationalUnit
ou: Groups
EOF
# Add base structure (entries in an LDIF file are separated by blank lines).
# The cn=admin entry is optional, the rootdn does not need to exist in the tree,
# but it keeps tools that look the DN up happy. Bind over the local socket so the
# admin password stays off the network; -W prompts for it.
ldapadd -x -H ldapi:/// -D "cn=admin,dc=company,dc=local" -W -f /tmp/base.ldif
rm /tmp/base.ldif
Perfect! OpenLDAP server is running! 🎉
🔧 Step 2: Configure LDAP Client Authentication
Now let’s configure AlmaLinux to authenticate against LDAP:
# Install LDAP client packages (oddjob-mkhomedir creates home directories on first login)
sudo dnf install -y sssd sssd-ldap sssd-tools authselect oddjob-mkhomedir
# Configure SSSD for LDAP. The Step 1 ACLs allow anonymous read, so no bind DN or
# password needs to be stored here. If you restrict anonymous read later, bind as a
# dedicated read-only account (never the rootdn) via ldap_default_bind_dn and
# obfuscate its password with sss_obfuscate. The TLS settings require the
# certificate from "Example 1: LDAP SSL/TLS Security" to be installed on the server
# first (copy ldap.crt to the client if it is a different machine), and
# ldap.company.local must resolve to the server: the name has to match the certificate.
sudo tee /etc/sssd/sssd.conf > /dev/null << 'EOF'
[sssd]
config_file_version = 2
services = nss, pam, ssh
domains = company.local

[domain/company.local]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://ldap.company.local
ldap_search_base = dc=company,dc=local
# User and group mappings
ldap_user_search_base = ou=People,dc=company,dc=local
ldap_group_search_base = ou=Groups,dc=company,dc=local
ldap_user_object_class = inetOrgPerson
ldap_user_name = uid
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_home_directory = homeDirectory
ldap_user_shell = loginShell
# Group settings
ldap_group_object_class = posixGroup
ldap_group_name = cn
ldap_group_gid_number = gidNumber
ldap_group_member = memberUid
# Security settings: STARTTLS on port 389 and strict certificate validation.
# "ldap_tls_reqcert = allow" would accept any certificate, so a man-in-the-middle
# could read every password SSSD sends for authentication.
ldap_id_use_start_tls = true
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/openldap/certs/ldap.crt
# Caching
cache_credentials = true
enumerate = false
EOF
# Set SSSD permissions (sssd refuses to start if the file is group- or world-readable)
sudo chmod 600 /etc/sssd/sssd.conf
sudo chown root:root /etc/sssd/sssd.conf
# Configure system authentication, with home directory creation on first login
sudo authselect select sssd with-mkhomedir --force
sudo systemctl enable --now oddjobd
# Enable and start SSSD
sudo systemctl enable --now sssd
# Check that the domain came online (it stays offline if TLS or DNS is wrong)
sudo sssctl domain-status company.local
Excellent! LDAP authentication is configured! 🌟
🌟 Step 3: Integrate with Active Directory
Let’s configure integration with Windows Active Directory:
# Install Active Directory integration packages
sudo dnf install -y realmd adcli sssd sssd-ad samba-common-tools krb5-workstation oddjob-mkhomedir
# Discover the domain first. This only reads the DNS SRV records and the LDAP
# rootDSE, and tells you which packages, ports and DNS entries are still missing
# before you attempt the join
sudo realm discover COMPANY.COM
# Configure Kerberos. realm join writes a working krb5.conf for you, so this step
# is optional; if you do write the file, keep the includedir line, which pulls in
# the system-wide crypto policy from /etc/krb5.conf.d/
sudo tee /etc/krb5.conf > /dev/null << 'EOF'
includedir /etc/krb5.conf.d/
[libdefaults]
default_realm = COMPANY.COM
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
[realms]
COMPANY.COM = {
kdc = dc1.company.com
admin_server = dc1.company.com
}
[domain_realm]
.company.com = COMPANY.COM
company.com = COMPANY.COM
EOF
# Join the Active Directory domain. realm prompts for the password. Use an account
# that has been delegated the right to join computers rather than a Domain Admin,
# and place the computer object where your AD team expects it (the OU below is an
# example value; adjust it)
sudo realm join --user=administrator --computer-ou="OU=Linux Servers,DC=company,DC=com" COMPANY.COM
# Configure SSSD for AD. realm join already generated this file; the version below
# is the same configuration with access control and tuning made explicit.
sudo tee /etc/sssd/sssd.conf > /dev/null << 'EOF'
[sssd]
domains = company.com
config_file_version = 2
services = nss, pam
[domain/company.com]
ad_domain = company.com
krb5_realm = COMPANY.COM
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
# Derive UIDs/GIDs from the objectSID. They are stable across Linux hosts joined
# to this domain, but differ from any uidNumber/gidNumber stored in AD; set this
# to False if you rely on those attributes.
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u
# Without access_provider = ad every AD user can log in, because SSSD's default
# access provider is "permit". With it, GPO logon rights apply; ad_access_filter
# can narrow access further (for example to one group).
access_provider = ad
# Performance tuning
ldap_referrals = false
enumerate = false
ldap_page_size = 1000
EOF
sudo chmod 600 /etc/sssd/sssd.conf
# Restart SSSD
sudo systemctl restart sssd
# Test the join and AD lookups: host keytab, joined realm, then a real user
sudo realm list
sudo klist -k /etc/krb5.keytab
getent passwd domain_user
id domain_user
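Both SSSD configurations above carry the settings that decide how safe the client side is: whether binds use TLS and validate the server certificate, whether a bind password sits in cleartext on disk, and whether an AD domain restricts who may log in. The following audit script is an added example, not part of the original guide nor of SSSD itself; it checks those points in any sssd.conf using only POSIX sh and awk. The two configuration files it writes to temporary files are constructed for the demo and mirror the weak and the corrected versions of the settings shown above (the password, hostnames and paths are the guide's placeholders).

```bash
#!/bin/sh
# Added example: audit an sssd.conf for weak client-side settings.
# POSIX sh + awk only, so it runs on the client itself or on a copied file.

# get_opt FILE SECTION KEY -> prints KEY's value from [SECTION], or nothing if unset
get_opt() {
  awk -v sec="[$2]" -v key="$3" '
    /^[ \t]*\[/ { gsub(/[ \t]/, ""); insec = ($0 == sec); next }
    insec && $0 ~ ("^[ \t]*" key "[ \t]*=") {
      sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
    }' "$1"
}

lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# audit_sssd_conf FILE -> prints one finding per line; exit 0 when clean, 1 otherwise
audit_sssd_conf() {
  f=$1; findings=0
  for dom in $(get_opt "$f" sssd domains | tr ',' ' '); do
    sec="domain/$dom"
    prov=$(get_opt "$f" "$sec" id_provider)
    uri=$(get_opt "$f" "$sec" ldap_uri)
    starttls=$(lc "$(get_opt "$f" "$sec" ldap_id_use_start_tls)")
    reqcert=$(lc "$(get_opt "$f" "$sec" ldap_tls_reqcert)")
    authtok=$(get_opt "$f" "$sec" ldap_default_authtok)
    toktype=$(get_opt "$f" "$sec" ldap_default_authtok_type)
    access=$(get_opt "$f" "$sec" access_provider)

    # ldap:// without STARTTLS: simple binds (the users' passwords) travel in cleartext
    case $uri in ldap://*)
      if [ "$starttls" != true ]; then
        echo "$sec: ldap:// URI without ldap_id_use_start_tls = true"; findings=$((findings + 1))
      fi ;;
    esac
    # allow/never accept any server certificate, so TLS no longer stops a man-in-the-middle
    case $reqcert in allow|never)
      echo "$sec: ldap_tls_reqcert = $reqcert disables certificate validation"; findings=$((findings + 1)) ;;
    esac
    # ldap_default_authtok_type defaults to "password", i.e. cleartext on disk
    if [ -n "$authtok" ] && [ "$toktype" != obfuscated_password ]; then
      echo "$sec: ldap_default_authtok stored as a cleartext bind password"; findings=$((findings + 1))
    fi
    # SSSD's default access_provider is "permit": every AD user could log in
    if [ "$prov" = ad ] && { [ -z "$access" ] || [ "$access" = permit ]; }; then
      echo "$sec: id_provider = ad without a restrictive access_provider (every domain user can log in)"; findings=$((findings + 1))
    fi
  done
  [ "$findings" -eq 0 ]
}

# --- constructed demo inputs: the Step 2 / Step 3 settings, weak and corrected ---
BAD=$(mktemp); GOOD=$(mktemp)
cat > "$BAD" <<'CONF'
[sssd]
domains = company.local, company.com
[domain/company.local]
id_provider = ldap
ldap_uri = ldap://ldap.company.local
ldap_id_use_start_tls = true
ldap_tls_reqcert = allow
ldap_default_bind_dn = cn=admin,dc=company,dc=local
ldap_default_authtok = AdminPassword123
[domain/company.com]
id_provider = ad
CONF
cat > "$GOOD" <<'CONF'
[sssd]
domains = company.local, company.com
[domain/company.local]
id_provider = ldap
ldap_uri = ldap://ldap.company.local
ldap_id_use_start_tls = true
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/openldap/certs/ldap.crt
[domain/company.com]
id_provider = ad
access_provider = ad
CONF

for cfg in "$BAD" "$GOOD"; do
  echo "== $cfg"
  if audit_sssd_conf "$cfg"; then echo "clean"; fi
done
```

Run it as root against the live file (`audit_sssd_conf /etc/sssd/sssd.conf`) after every change and from your configuration-management pipeline; the exit status makes it usable as a gate. It deliberately does not check file permissions, because SSSD already refuses to start when sssd.conf is readable by anyone but root.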
✅ Step 4: LDAP User and Group Management
Let’s create tools for managing LDAP users and groups:
# Create LDAP management script. It binds as the rootdn over ldapi:///, so the
# admin password never crosses the network, and it feeds LDIF to the LDAP tools
# on stdin instead of leaving password hashes in /tmp.
sudo tee /usr/local/bin/ldap-manager.sh > /dev/null << 'EOF'
#!/bin/bash
# LDAP User and Group Management Tool
set -euo pipefail

LDAP_URI="ldapi:///"
LDAP_BASE="dc=company,dc=local"
LDAP_ADMIN="cn=admin,$LDAP_BASE"
LDAP_USERS_OU="ou=People,$LDAP_BASE"
LDAP_GROUPS_OU="ou=Groups,$LDAP_BASE"
MIN_ID=10000      # first uidNumber/gidNumber this tool hands out (clear of local accounts)

# User and group names end up in DNs, filters and memberUid values:
# accept only POSIX-safe names so they cannot carry LDAP metacharacters
check_name() {
  [[ $1 =~ ^[a-z_][a-z0-9_-]{0,31}$ ]] || { echo "❌ Invalid name: '$1'" >&2; exit 1; }
}

# Escape free text for a search filter (RFC 4515) so a search term cannot
# inject wildcards or extra filter clauses
filter_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Next free uidNumber or gidNumber: highest value in use + 1, never below MIN_ID
next_id() {   # $1 = uidNumber|gidNumber, $2 = search base
  ldapsearch -LLL -x -H "$LDAP_URI" -b "$2" "($1=*)" "$1" \
    | awk -v attr="$1:" -v min="$MIN_ID" '$1 == attr && $2 > max { max = $2 } END { print (max + 1 > min ? max + 1 : min) }'
}

add_user() {
  read -rp "Username: " USERNAME; check_name "$USERNAME"
  read -rp "First Name: " FIRSTNAME
  read -rp "Last Name: " LASTNAME
  read -rp "Email: " EMAIL
  read -rsp "Password: " PASSWORD; echo
  read -rp "Primary GID Number: " GIDNUMBER
  UIDNUMBER=$(next_id uidNumber "$LDAP_USERS_OU")
  # Hash via stdin: "slappasswd -s PASSWORD" would show the password in the process list
  PASSHASH=$(printf '%s' "$PASSWORD" | slappasswd -T /dev/stdin)
  TODAY=$(( $(date +%s) / 86400 ))       # shadowLastChange counts days since the epoch
  ldapadd -x -H "$LDAP_URI" -D "$LDAP_ADMIN" -W << USERLDIF
dn: uid=$USERNAME,$LDAP_USERS_OU
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: $USERNAME
sn: $LASTNAME
givenName: $FIRSTNAME
cn: $FIRSTNAME $LASTNAME
displayName: $FIRSTNAME $LASTNAME
uidNumber: $UIDNUMBER
gidNumber: $GIDNUMBER
userPassword: $PASSHASH
gecos: $FIRSTNAME $LASTNAME
loginShell: /bin/bash
homeDirectory: /home/$USERNAME
shadowExpire: -1
shadowFlag: 0
shadowWarning: 7
shadowMin: 8
shadowMax: 999999
shadowLastChange: $TODAY
mail: $EMAIL
USERLDIF
  echo "✅ User $USERNAME created successfully (uidNumber $UIDNUMBER)"
}

add_group() {
  read -rp "Group Name: " GROUPNAME; check_name "$GROUPNAME"
  read -rp "Description: " DESCRIPTION
  GIDNUMBER=$(next_id gidNumber "$LDAP_GROUPS_OU")
  ldapadd -x -H "$LDAP_URI" -D "$LDAP_ADMIN" -W << GROUPLDIF
dn: cn=$GROUPNAME,$LDAP_GROUPS_OU
objectClass: posixGroup
cn: $GROUPNAME
gidNumber: $GIDNUMBER
description: $DESCRIPTION
GROUPLDIF
  echo "✅ Group $GROUPNAME created successfully (gidNumber $GIDNUMBER)"
}

add_user_to_group() {
  read -rp "Username: " USERNAME; check_name "$USERNAME"
  read -rp "Group Name: " GROUPNAME; check_name "$GROUPNAME"
  ldapmodify -x -H "$LDAP_URI" -D "$LDAP_ADMIN" -W << ADDLDIF
dn: cn=$GROUPNAME,$LDAP_GROUPS_OU
changetype: modify
add: memberUid
memberUid: $USERNAME
ADDLDIF
  echo "✅ User $USERNAME added to group $GROUPNAME"
}

list_users() {
  echo "👥 LDAP Users:"
  ldapsearch -LLL -x -H "$LDAP_URI" -b "$LDAP_USERS_OU" "(objectClass=inetOrgPerson)" uid cn mail \
    | grep -E "^uid:|^cn:|^mail:" || echo "(none)"
}

list_groups() {
  echo "👤 LDAP Groups:"
  ldapsearch -LLL -x -H "$LDAP_URI" -b "$LDAP_GROUPS_OU" "(objectClass=posixGroup)" cn gidNumber description \
    | grep -E "^cn:|^gidNumber:|^description:" || echo "(none)"
}

search_user() {
  read -rp "Search term: " SEARCH
  NEEDLE=$(filter_escape "$SEARCH")
  echo "🔍 Search results:"
  ldapsearch -LLL -x -H "$LDAP_URI" -b "$LDAP_USERS_OU" "(|(uid=*$NEEDLE*)(cn=*$NEEDLE*)(mail=*$NEEDLE*))" uid cn mail
}

case "${1:-}" in
add-user) add_user ;;
add-group) add_group ;;
add-to-group) add_user_to_group ;;
list-users) list_users ;;
list-groups) list_groups ;;
search) search_user ;;
*) echo "Usage: $0 {add-user|add-group|add-to-group|list-users|list-groups|search}" ;;
esac
EOF
sudo chmod +x /usr/local/bin/ldap-manager.sh
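The management script writes names straight into LDIF and DNs, which is fine for plain ASCII but breaks as soon as a surname contains an umlaut, a value starts with a space or colon, or an RDN value contains a comma: LDIF requires such values to be base64-encoded (RFC 2849) and DN values to be escaped (RFC 4514). The helpers below are an added example, not part of the original script; they implement both rules with sed, grep and base64 and assemble a complete user entry from them. The sample user and the ou=People base are the guide's placeholders, and the demo values are constructed.

```bash
#!/bin/sh
# Added example: encoding helpers for LDIF generation (no LDAP server needed).

# ldap_dn_escape VALUE -> VALUE usable as an RDN value (RFC 4514):
# escapes , + " \ < > ; plus a leading space or '#' and a trailing space
ldap_dn_escape() {
  printf '%s' "$1" | sed -e 's/\([\\,+"<>;]\)/\\\1/g' -e 's/^\([ #]\)/\\\1/' -e 's/ $/\\ /'
}

# ldif_attr ATTR VALUE -> one LDIF attribute line (RFC 2849). Values that are not
# SAFE-STRINGs (leading space, ':' or '<', trailing space, or any byte outside
# printable ASCII, which covers UTF-8) are emitted base64-encoded as "attr:: ..."
ldif_attr() {
  attr=$1; val=$2; b64=0
  case $val in ' '*|':'*|'<'*|*' ') b64=1 ;; esac
  if printf '%s' "$val" | LC_ALL=C grep -q '[^ -~]'; then b64=1; fi
  if [ "$b64" -eq 1 ]; then
    printf '%s:: %s\n' "$attr" "$(printf '%s' "$val" | base64 | tr -d '\n')"
  else
    printf '%s: %s\n' "$attr" "$val"
  fi
}

# ldif_user USERNAME FIRST LAST UIDNUMBER GIDNUMBER -> a complete posixAccount
# entry under ou=People, ready for "ldapadd" on stdin
ldif_user() {
  user=$1; first=$2; last=$3; uidn=$4; gidn=$5
  printf 'dn: uid=%s,ou=People,dc=company,dc=local\n' "$(ldap_dn_escape "$user")"
  printf 'objectClass: inetOrgPerson\nobjectClass: posixAccount\nobjectClass: shadowAccount\n'
  ldif_attr uid "$user"
  ldif_attr givenName "$first"
  ldif_attr sn "$last"
  ldif_attr cn "$first $last"
  ldif_attr uidNumber "$uidn"
  ldif_attr gidNumber "$gidn"
  ldif_attr homeDirectory "/home/$user"
  ldif_attr loginShell /bin/bash
  ldif_attr shadowLastChange "$(( $(date +%s) / 86400 ))"   # days since the epoch, i.e. today
  echo
}

# Constructed demo: a UTF-8 surname (written as octal escapes so the bytes are explicit)
ldif_user jmueller "$(printf 'J\303\266rg')" "$(printf 'M\303\274ller')" 10001 10001
```

Pipe the output into `ldapadd -x -H ldapi:/// -D "cn=admin,dc=company,dc=local" -W` and the entry is stored with the correct bytes; the management script's check_name still governs the username itself, the helpers here are for the human-readable attributes around it.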
🎮 Quick Examples
Example 1: LDAP SSL/TLS Security
# Generate a self-signed certificate for the lab (in production, have your internal
# CA issue it). The CN and the subjectAltName must match the name clients connect to.
sudo mkdir -p /etc/openldap/certs
sudo openssl req -new -x509 -nodes -newkey rsa:3072 -days 365 \
-keyout /etc/openldap/certs/ldap.key -out /etc/openldap/certs/ldap.crt \
-subj "/C=US/ST=State/L=City/O=Company/CN=ldap.company.local" \
-addext "subjectAltName=DNS:ldap.company.local"
# Set permissions: slapd runs as ldap and must read the key; nobody else should
sudo chown ldap:ldap /etc/openldap/certs/ldap.*
sudo chmod 600 /etc/openldap/certs/ldap.key
sudo chmod 644 /etc/openldap/certs/ldap.crt
# Configure slapd for TLS. Certificate and key go in one modify operation, because
# slapd validates the pair when the change is applied.
cat > /tmp/ssl.ldif << 'EOF'
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/openldap/certs/ldap.crt
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/ldap.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/ldap.key
EOF
sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/ssl.ldif
# Listen on ldaps:// (636) as well as STARTTLS on 389, and tell the local client
# tools which CA to trust
sudo sed -i 's|^SLAPD_URLS=.*|SLAPD_URLS="ldapi:/// ldap:/// ldaps:///"|' /etc/sysconfig/slapd
echo "TLS_CACERT /etc/openldap/certs/ldap.crt" | sudo tee -a /etc/openldap/ldap.conf
sudo systemctl restart slapd
# Verify: -ZZ makes ldapsearch fail unless STARTTLS and certificate validation succeed
# (ldap.company.local must resolve to this host, e.g. via /etc/hosts in the lab)
ldapsearch -ZZ -x -H ldap://ldap.company.local -b "" -s base
Example 2: LDAP Backup and Restore
# Create LDAP backup script. It runs as root, because slapcat reads the database
# files directly, and the dumps contain password hashes, so they are kept root-only.
sudo tee /usr/local/bin/ldap-backup.sh > /dev/null << 'EOF'
#!/bin/bash
# LDAP Backup Script
set -euo pipefail
BACKUP_DIR="/backup/ldap"
DATE=$(date +%Y%m%d_%H%M%S)
mkdir -p "$BACKUP_DIR"
chmod 700 "$BACKUP_DIR"
umask 077
# Backup directory data (selected by suffix) and the cn=config database (-n 0).
# slapcat is safe to run against a live mdb database.
slapcat -b "dc=company,dc=local" -l "$BACKUP_DIR/ldap_data_$DATE.ldif"
slapcat -n 0 -l "$BACKUP_DIR/ldap_config_$DATE.ldif"
# Keep two weeks of dumps
find "$BACKUP_DIR" -name '*.ldif' -mtime +14 -delete
echo "✅ LDAP backup completed: $BACKUP_DIR/ldap_data_$DATE.ldif"
EOF
sudo chmod +x /usr/local/bin/ldap-backup.sh
# Schedule daily backups in root's crontab
sudo bash -c '(crontab -l 2>/dev/null; echo "0 2 * * * /usr/local/bin/ldap-backup.sh") | crontab -'
# Restore: slapd must be stopped and the database directory empty, then reload
# the dump with slapadd and hand the files back to the ldap user
# sudo systemctl stop slapd
# sudo slapadd -b "dc=company,dc=local" -l /backup/ldap/ldap_data_<DATE>.ldif
# sudo chown -R ldap:ldap /var/lib/ldap && sudo systemctl start slapd
Example 3: LDAP Monitoring
# Create LDAP monitoring script
sudo tee /usr/local/bin/ldap-monitor.sh > /dev/null << 'EOF'
#!/bin/bash
# LDAP Server Monitoring
LDAP_URI="ldap://localhost"
BASE="dc=company,dc=local"
echo "🔍 LDAP Server Status"
echo "===================="
# Check service status
systemctl is-active --quiet slapd && echo "✅ SLAPD Service: Running" || echo "❌ SLAPD Service: Stopped"
# Established client connections on 389/636 (netstat is not installed on AlmaLinux 9,
# and a bare "grep :389" would also match ports such as 3890)
CONNECTIONS=$(ss -Htn state established '( sport = :389 or sport = :636 )' | wc -l)
echo "🔗 Active connections: $CONNECTIONS"
# Check database size
DB_SIZE=$(du -sh /var/lib/ldap | cut -f1)
echo "💾 Database size: $DB_SIZE"
# Test search: base scope only, so it is cheap and works anonymously
if ldapsearch -x -H "$LDAP_URI" -b "$BASE" -s base dn > /dev/null 2>&1; then
echo "✅ LDAP search: Working"
else
echo "❌ LDAP search: Failed"
fi
# Count users and groups. -LLL gives plain LDIF, so counting dn lines is exact.
# (GROUPS is a bash built-in variable that cannot be assigned, hence GROUP_COUNT.)
USER_COUNT=$(ldapsearch -LLL -x -H "$LDAP_URI" -b "ou=People,$BASE" "(objectClass=inetOrgPerson)" dn | grep -c '^dn:')
GROUP_COUNT=$(ldapsearch -LLL -x -H "$LDAP_URI" -b "ou=Groups,$BASE" "(objectClass=posixGroup)" dn | grep -c '^dn:')
echo "👥 Users: $USER_COUNT"
echo "👤 Groups: $GROUP_COUNT"
EOF
sudo chmod +x /usr/local/bin/ldap-monitor.sh
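The monitoring script tells you whether slapd is up, not whether someone is guessing passwords against it. The script below is an added example, not part of the original guide: it correlates BIND requests with their err=49 (invalidCredentials) RESULT lines in slapd's stats log, the format you get in the journal with olcLogLevel stats, and reports every bind DN that exceeds a failure threshold together with the client addresses involved. Requests and results are joined on the (conn, op) pair, which is how slapd identifies an operation across log lines. The log lines it creates are constructed for the demo (the DNs are the guide's placeholders, the addresses are invented).

```bash
#!/bin/sh
# Added example: failed-bind detection over slapd "stats" log lines, awk only.

# failed_binds LOGFILE THRESHOLD
# Prints "dn failures=N from=ip[,ip...]" for every bind DN with >= THRESHOLD
# failed simple binds, sorted by DN.
failed_binds() {
  awk '
    match($0, /conn=[0-9]+/) { conn = substr($0, RSTART + 5, RLENGTH - 5) }
    / ACCEPT from IP=/ {                      # remember the client address per connection
      match($0, /from IP=[^ :]+/)             # IPv4 only; IPv6 literals contain colons
      ip[conn] = substr($0, RSTART + 8, RLENGTH - 8)
    }
    / BIND dn="/ {                            # bind request: which DN operation N is for
      match($0, /op=[0-9]+/); op = substr($0, RSTART + 3, RLENGTH - 3)
      match($0, /dn="[^"]*"/); dn[conn, op] = substr($0, RSTART + 4, RLENGTH - 5)
    }
    / RESULT tag=97 err=49 / {                # tag=97 BindResponse, err=49 invalidCredentials
      match($0, /op=[0-9]+/); op = substr($0, RSTART + 3, RLENGTH - 3)
      if ((conn, op) in dn) {
        d = dn[conn, op]; fail[d]++
        src = (conn in ip) ? ip[conn] : "unknown"
        if (!((d, src) in seen)) { seen[d, src] = 1; from[d] = from[d] (from[d] ? "," : "") src }
      }
    }
    END { for (d in fail) if (fail[d] >= thr) printf "%s failures=%d from=%s\n", d, fail[d], from[d] }
  ' thr="$2" "$1" | sort
}

# --- constructed sample: alice fails four times from two hosts, bob fails once then succeeds ---
LOG=$(mktemp)
cat > "$LOG" <<'EOF'
Jan 10 12:00:01 ldap slapd[1234]: conn=1001 fd=12 ACCEPT from IP=10.0.0.5:51234 (IP=0.0.0.0:389)
Jan 10 12:00:01 ldap slapd[1234]: conn=1001 op=0 BIND dn="uid=alice,ou=People,dc=company,dc=local" method=128
Jan 10 12:00:01 ldap slapd[1234]: conn=1001 op=0 RESULT tag=97 err=49 text=
Jan 10 12:00:02 ldap slapd[1234]: conn=1001 op=1 BIND dn="uid=alice,ou=People,dc=company,dc=local" method=128
Jan 10 12:00:02 ldap slapd[1234]: conn=1001 op=1 RESULT tag=97 err=49 text=
Jan 10 12:00:03 ldap slapd[1234]: conn=1002 fd=13 ACCEPT from IP=10.0.0.9:40100 (IP=0.0.0.0:389)
Jan 10 12:00:03 ldap slapd[1234]: conn=1002 op=0 BIND dn="uid=alice,ou=People,dc=company,dc=local" method=128
Jan 10 12:00:03 ldap slapd[1234]: conn=1002 op=0 RESULT tag=97 err=49 text=
Jan 10 12:00:04 ldap slapd[1234]: conn=1002 op=1 BIND dn="uid=alice,ou=People,dc=company,dc=local" method=128
Jan 10 12:00:04 ldap slapd[1234]: conn=1002 op=1 RESULT tag=97 err=49 text=
Jan 10 12:00:05 ldap slapd[1234]: conn=1003 fd=14 ACCEPT from IP=10.0.0.7:50001 (IP=0.0.0.0:389)
Jan 10 12:00:05 ldap slapd[1234]: conn=1003 op=0 BIND dn="uid=bob,ou=People,dc=company,dc=local" method=128
Jan 10 12:00:05 ldap slapd[1234]: conn=1003 op=0 RESULT tag=97 err=49 text=
Jan 10 12:00:06 ldap slapd[1234]: conn=1003 op=1 BIND dn="uid=bob,ou=People,dc=company,dc=local" method=128
Jan 10 12:00:06 ldap slapd[1234]: conn=1003 op=1 BIND dn="uid=bob,ou=People,dc=company,dc=local" mech=SIMPLE bind_ssf=0 ssf=0
Jan 10 12:00:06 ldap slapd[1234]: conn=1003 op=1 RESULT tag=97 err=0 text=
EOF

failed_binds "$LOG" 3
```

On a real server feed it the journal instead of the sample file, for example `journalctl -u slapd --since -1h -o cat > /tmp/slapd.log && failed_binds /tmp/slapd.log 10`, from cron or your SIEM's collector. The same DN failing from many addresses is a spray or a botnet; many DNs failing from one address is a brute-force host worth blocking at the firewall.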
🚨 Fix Common Problems
Problem 1: LDAP Authentication Failing
# Check SSSD status and whether the domain is online
sudo systemctl status sssd
sudo sssctl domain-status company.local
# Test LDAP connectivity the way SSSD does it: STARTTLS and certificate validation enforced
ldapsearch -ZZ -x -H ldap://ldap.company.local -b "dc=company,dc=local" -s base
# Check the logs: bind and TLS errors land in the domain log, not in sssd.log
# (raise debug_level in the [domain/...] section of sssd.conf for more detail)
sudo tail -f /var/log/sssd/sssd_company.local.log
sudo journalctl -u sssd -e
# Restart SSSD
sudo systemctl restart sssd
# Clear SSSD cache (-E invalidates every cached entry). To also drop cached
# credentials, stop sssd and remove /var/lib/sss/db/cache_*.ldb first.
sudo sss_cache -E
Problem 2: Active Directory Join Fails
# Check DNS resolution: realmd and SSSD find domain controllers through SRV
# records, so resolving the domain's A record alone proves nothing (dig is in bind-utils)
dig +short SRV _ldap._tcp.company.com
dig +short SRV _kerberos._tcp.company.com
# Check time synchronization (Kerberos tolerates at most 5 minutes of skew)
timedatectl status
chronyc tracking
# Test Kerberos against the domain controllers
kinit administrator@COMPANY.COM
klist
# Ask realmd what is missing (packages, DNS, ports)
sudo realm discover -v COMPANY.COM
# Re-join domain
sudo realm leave COMPANY.COM
sudo realm join -v --user=administrator COMPANY.COM
Problem 3: Slow LDAP Queries
# Check LDAP indexes (the EXTERNAL bind over ldapi:/// needs root)
sudo ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "olcDatabase={2}mdb,cn=config" olcDbIndex
# Add indexes for the attributes your searches filter on: eq for exact matches,
# sub for the wildcard searches the management script runs. After the modify,
# slapd re-indexes the running mdb database in the background.
cat > /tmp/index.ldif << 'EOF'
dn: olcDatabase={2}mdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: mail eq,sub
olcDbIndex: givenName eq,sub
olcDbIndex: sn eq,sub
EOF
sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/index.ldif
📋 Simple Commands Summary
| Command | Purpose |
|---|---|
| sudo systemctl status slapd | Check OpenLDAP status |
| ldapsearch -x -b "dc=company,dc=local" | Search LDAP directory |
| sudo realm list | Show joined domains |
| getent passwd username | Test user lookup |
| ldap-manager.sh add-user | Add LDAP user |
| sudo sss_cache -E | Clear SSSD cache |
| kinit administrator@COMPANY.COM | Test Kerberos authentication |
| ldap-monitor.sh | Monitor LDAP server |
🏆 What You Learned
Congratulations! You’ve mastered LDAP and Active Directory integration on AlmaLinux! 🎉
✅ Installed OpenLDAP server from scratch
✅ Configured LDAP authentication for Linux systems
✅ Integrated with Active Directory for Windows compatibility
✅ Created user management tools
✅ Implemented SSL/TLS security
✅ Built monitoring and backup systems
🎯 Why This Matters
Centralized authentication is the foundation of enterprise security! 🌟 You now have the skills to manage identity services for organizations of any size, providing secure, scalable authentication solutions! 🚀
Keep your directory services updated and monitored for optimal security and performance! ⭐🙌