LDAP Proxy Configuration
This section provides step-by-step instructions to install and configure OpenLDAP as an LDAP proxy on RHEL 8.
Requirements before proceeding:
- Backend LDAP server FQDN and URI (e.g., ldaps://<ldap_server_fqdn>:636)
- CA certificate that issued the backend LDAP server's certificate, so the proxy can verify it
- TLS certificate and private key for the proxy itself, issued by a CA that the LDAP clients trust
Step 1: Install OpenLDAP Packages
Enable the CodeReady Builder repository:
subscription-manager repos --enable codeready-builder-for-rhel-8-$(uname -m)-rpms
Install the OpenLDAP server and client packages:
sudo dnf install openldap-servers openldap-clients -y
Step 2: Enable and Start OpenLDAP Service
sudo systemctl enable slapd
sudo systemctl start slapd
sudo systemctl status slapd
Step 3: Stop slapd
sudo systemctl stop slapd
Step 4: Create OpenLDAP Proxy Configuration
Create the file /etc/openldap/slapd.conf with the following sample content:
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# Load backend modules
modulepath /usr/lib/openldap
modulepath /usr/lib64/openldap
moduleload back_ldap
# ======================
# GLOBAL TLS SETTINGS
# ======================
# Used both for the ldaps listener offered to clients and to verify the
# backend server certificate on the outbound ldaps connection.
TLSCACertificateFile /path/to/ca.crt
TLSCertificateFile /path/to/proxy-cert.crt
TLSCertificateKeyFile /path/to/proxy-key.key
# Minimum protocol in slapd's major.minor notation: 3.1 is TLS 1.0,
# 3.3 is TLS 1.2. Do not go below 3.3.
TLSProtocolMin 3.3
# OpenSSL cipher string: no anonymous (unauthenticated) suites, no MD5.
TLSCipherSuite HIGH:!aNULL:!MD5
# Clients authenticate with LDAP binds, not client certificates.
TLSVerifyClient never
# ======================
# PROXY DATABASE CONFIG
# ======================
database ldap
# Base DN exposed to clients; requests under it are forwarded to the backend.
suffix "dc=example,dc=com"
# Backend server; ldaps:// so the proxy-to-server hop is encrypted and verified.
uri "ldaps://directory.example.com:636"
# Do not follow referrals returned by the backend.
chase-referrals no
# Log level (256 = connection and operation statistics)
loglevel 256
Replace the placeholder TLS certificate paths and proxy database settings in slapd.conf with the real values, as explained below:
TLS Certificate Configuration:
TLSCACertificateFile /path/to/ca.crt
TLSCertificateFile /path/to/proxy-cert.crt
TLSCertificateKeyFile /path/to/proxy-key.key
| Directive | Placeholder | Description | Example |
| TLSCACertificateFile | /path/to/ca.crt | Path to the CA certificate that signed the backend LDAP server certificate (AD or OpenLDAP). The proxy uses it to verify the backend's certificate. | /opt/ldap-proxy/rootca.crt |
| TLSCertificateFile | /path/to/proxy-cert.crt | Path to the proxy's own certificate, presented to clients that connect to the proxy. | /etc/openldap/certs/proxy-ldap.cer |
| TLSCertificateKeyFile | /path/to/proxy-key.key | Path to the private key for the proxy certificate. Must be readable only by the ldap user (chmod 600). | /etc/openldap/certs/proxy-ldap.key |
Note: Replace the paths with the actual locations of the certificate files. The certificate and key must be a matching pair, and the certificate must be valid for the DNS name clients use to reach the proxy.
Proxy Database Configuration:
suffix "dc=example,dc=com"
uri "ldaps://directory.example.com:636"
| Directive | Placeholder | Description | Example |
| suffix | "dc=<val1>,dc=<val2>" | Base DN of the directory being proxied. Only requests under this namespace are forwarded. | "dc=example,dc=com" |
| uri | "ldaps://<ldap_server_fqdn>:636" | URI of the backend LDAP server the proxy connects to. Use ldaps:// (port 636) so the proxy-to-backend hop is encrypted. | "ldaps://directory.example.com:636" |
Note: Replace <ldap_server_fqdn> with the backend LDAP server's DNS name as it appears in the server certificate's subject or SAN; an IP address will fail hostname verification unless the certificate includes it. Ensure the backend server certificate chains to the CA in TLSCACertificateFile.
Step 5: Change Ownership of Configuration File
sudo chown ldap:ldap /etc/openldap/slapd.conf
Step 6: Change Ownership of Certificates
The file names must match the TLSCertificateFile and TLSCertificateKeyFile directives above. Only the private key needs to be restricted; the certificate and CA file can stay world-readable.
sudo chown ldap:ldap /path/to/proxy-cert.crt
sudo chown ldap:ldap /path/to/proxy-key.key
sudo chmod 600 /path/to/proxy-key.key
If SELinux is enforcing and the files live outside /etc/openldap/certs, check the audit log for denials after slapd starts.
Step 7: Remove Existing slapd.d Content
This discards whatever cn=config database is currently in slapd.d; back the directory up first if it has been customised.
sudo rm -rf /etc/openldap/slapd.d/*
Step 8: Test Configuration
sudo slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
Step 9: Fix Ownership of Generated Files
sudo chown -Rf ldap:ldap /etc/openldap/slapd.d/
Step 10: Restart slapd
On RHEL 8 slapd listens only on the URLs in SLAPD_URLS in /etc/sysconfig/slapd, which ships as ldapi:/// and ldap:///. Add ldaps:/// there before restarting, otherwise nothing will answer on port 636.
sudo systemctl restart slapd
Step 11: Allow Port 636 Through Firewall
sudo firewall-cmd --list-all
sudo firewall-cmd --add-port=636/tcp --permanent
sudo firewall-cmd --reload
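slaptest in Step 8 only proves that slapd.conf parses; it says nothing about whether the settings are safe. As an added example (not part of the original page or of the OpenLDAP project), the following POSIX shell script lints a slapd.conf written in the form shown above for the settings this procedure depends on: a protocol floor of at least TLS 1.2 (TLSProtocolMin 3.3 in slapd's major.minor notation), anonymous cipher suites excluded, an ldaps:// backend URI, referrals not chased, and the three TLS file directives present. The function names and the embedded sample configuration are this example's own; the sample deliberately repeats weak values (TLS 1.0 floor, cleartext backend) so the report is not empty.

```shell
#!/bin/sh
# Added example (not part of the page or of OpenLDAP): policy lint for a
# back_ldap proxy slapd.conf. slaptest validates syntax; this flags weak
# or missing settings. Function names are this example's own.

# lint_slapd_conf FILE
# Prints one finding per line; prints nothing when the file passes.
lint_slapd_conf() {
    awk '
    {
        sub(/^[ \t]+/, "")                 # drop indentation
        if ($0 == "" || $0 ~ /^#/) next    # skip blanks and comments
        key = tolower($1); val = $2
        gsub(/"/, "", val)                 # slapd.conf values may be quoted
        seen[key] = 1
        if (key == "tlsprotocolmin") {
            split(val, v, ".")
            # slapd.conf(5): 3.1 = TLS 1.0, 3.2 = TLS 1.1, 3.3 = TLS 1.2
            if (v[1] + 0 < 3 || (v[1] + 0 == 3 && v[2] + 0 < 3))
                print "TLSProtocolMin " val " permits TLS below 1.2; use 3.3"
        }
        if (key == "tlsciphersuite" && val !~ /!aNULL/)
            print "TLSCipherSuite does not exclude anonymous suites (!aNULL)"
        if (key == "uri" && val ~ /^ldap:\/\//)
            print "uri " val " is cleartext to the backend; use ldaps://"
        if (key == "chase-referrals" && tolower(val) == "yes")
            print "chase-referrals yes: proxy will follow referrals to other servers"
    }
    END {
        if (!seen["tlsprotocolmin"])
            print "TLSProtocolMin not set; set 3.3 to require TLS 1.2"
        if (!seen["tlscacertificatefile"])
            print "TLSCACertificateFile missing; backend certificate cannot be verified"
        if (!seen["tlscertificatefile"] || !seen["tlscertificatekeyfile"])
            print "TLSCertificateFile/TLSCertificateKeyFile missing; proxy cannot serve ldaps"
        if (!seen["uri"])
            print "uri missing; back_ldap has no backend"
    }' "$1"
}

# count_findings FILE -> number of findings, for scripting and tests
count_findings() {
    lint_slapd_conf "$1" | wc -l | tr -d ' '
}

# Stand-alone demo on a constructed config that carries weak settings
# (TLS 1.0 floor, cleartext backend, no CA or proxy certificate).
demo_dir=$(mktemp -d)
cat > "$demo_dir/weak.conf" <<'EOF'
TLSProtocolMin 3.1
TLSCipherSuite HIGH:!MD5
database ldap
suffix "dc=example,dc=com"
uri "ldap://directory.example.com:389"
chase-referrals yes
EOF
echo "weak.conf:"
lint_slapd_conf "$demo_dir/weak.conf"
rm -rf "$demo_dir"
```

Run it against /etc/openldap/slapd.conf before Step 8; any line of output describes a weakness that slaptest would happily carry into the generated cn=config.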