Set Up OpenLDAP¶
Deploy the internal OpenLDAP authentication server on the OIM using Omnia. This guide covers input configuration, deployment, and verification.
Overview¶
Omnia deploys an internal OpenLDAP server as a containerized service
(omnia_auth) on the OIM host. The server provides centralized user
authentication for all cluster nodes. During provisioning, each node
is automatically configured with SSSD to authenticate users against
this LDAP server.
The prepare_oim.yml playbook deploys the omnia_auth container on
the OIM with OpenLDAP configured using the domain name, admin
credentials, and TLS certificates. When nodes are subsequently
provisioned using provision.yml, SSSD is configured on each node
to connect to this OpenLDAP server for user authentication.
Components deployed:
- omnia_auth -- OpenLDAP container running on the OIM (ports 389 and 636)
- TLS certificates -- Auto-generated self-signed certificates for secure LDAP connections
- SSSD -- Configured on each cluster node during provisioning for LDAP client authentication
Prerequisites¶
- The OIM is prepared and the
omnia_corecontainer is accessible (see Prepare OIM).
Procedure¶
-
Enter the omnia_core container:
Run on: OIM hostssh omnia_coreAll subsequent commands run inside the
omnia_corecontainer. -
Edit software_config.json -- Add
openldapto thesoftwareslist insoftware_config.json:File: /opt/omnia/input/project_default/software_config.json{ "cluster_os_type": "rhel", "cluster_os_version": "10.0", "repo_config": "partial", "softwares": [ {"name": "default_packages", "arch": ["x86_64"]}, {"name": "openldap", "arch": ["x86_64"]} ] }Important
The
openldapentry insoftwaresis what triggers Omnia to deploy theomnia_authcontainer duringprepare_oim.ymland configure SSSD on nodes duringprovision.yml. -
Edit security_config.yml -- Set the LDAP connection type in
security_config.yml:File: /opt/omnia/input/project_default/security_config.ymlldap_connection_type: "TLS"Parameter Description ldap_connection_typeConnection security type: TLS(port 389) orSSL(port 636)For the full parameter reference, see security_config.yml Reference.
-
Run prepare_oim.yml -- Deploy the OIM infrastructure. When OpenLDAP is enabled in
software_config.json, this playbook automatically:- Generates SSHA password hashes for the OpenLDAP database
- Creates the
slapd.confconfiguration with the domain name and admin credentials - Generates the
bootstrap.ldiffile for initial directory setup - Creates self-signed TLS certificates for secure LDAP connections
- Deploys the
omnia_authcontainer via Podman Quadlet (systemd)
Run on: omnia_core containercd /omnia/prepare_oim ansible-playbook prepare_oim.yml
Verification¶
-
Verify the omnia_auth container:
Run on: OIM hostpodman ps --filter name=omnia_authExpected output:
Expected outputCONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES abc123def456 omnia_auth:1.1 2 hours ago Up 2 hours 0.0.0.0:389->389/tcp, 0.0.0.0:636->636/tcp omnia_auth -
Verify LDAP ports are listening:
Run on: OIM hostss -tlnp | grep -E '389|636' -
Test LDAP connectivity:
Run on: omnia_core containerldapsearch -x -H ldap://<oim_admin_ip>:389 -b "dc=omnia,dc=test" -D "cn=admin,dc=omnia,dc=test" -WReplace
<oim_admin_ip>with the OIM admin IP, and update the domain components (dc=omnia,dc=test) to match your domain name.
Next Steps¶
- Configure OpenLDAP as Proxy -- Configure the internal OpenLDAP server to proxy authentication requests to an external LDAP server.
- Deploy External LDAP -- Set up an external Bitnami OpenLDAP server for centralized authentication.
Troubleshooting¶
omnia_auth container fails to start
Check container logs for errors:
podman logs omnia_auth
podman images | grep omnia_auth
LDAP ports 389/636 are already in use
Check which process is using the ports:
ss -tlnp | grep -E '389|636'
Cannot connect to LDAP from cluster nodes
Verify that ports 389 and 636 are open on the OIM firewall:
firewall-cmd --list-ports
If the ports are not listed, prepare_oim.yml should have opened them.
Re-run the playbook or manually add them:
firewall-cmd --permanent --add-port=389/tcp --add-port=636/tcp
firewall-cmd --reload