
Set up an OpenLDAP Server in CentOS

syamkumar (tomahawkpilot) ・ 4 min read


OpenLDAP is a free, open-source implementation of the Lightweight Directory Access Protocol developed by the OpenLDAP Project. It is released under its own BSD-style license called the OpenLDAP Public License. LDAP is a platform-independent protocol.

Follow these steps to set up an OpenLDAP server on CentOS 7:

  • Get a root shell (every command below assumes root). sudo --login

  • Run package updates yum update -y

  • Install Epel Release yum install -y epel-release

  • Install nano editor yum install -y nano

  • Install OpenLDAP

yum -y install openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel
  • start the LDAP daemon and enable it on boot
systemctl start slapd
systemctl enable slapd
systemctl status slapd 
  • Now set a root password for the configuration database ({0}config), so that cn=config can also be administered with a password bind and not only over ldapi:/// as the local root user.
    Run slappasswd: it prompts for a password and prints a salted hash beginning with {SSHA}, which goes into the LDIF below in place of the cleartext password.

  • Create an LDIF file (ldaprootpasswd.ldif) that modifies the config database entry.

nano ldaprootpasswd.ldif

Add the following contents in it:

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}<hash printed by slappasswd>
  • Apply it over the local ldapi:/// socket, authenticating as root with SASL EXTERNAL (the record is a changetype: modify, so ldapmodify is the right tool).
ldapmodify -Y EXTERNAL -H ldapi:/// -f ldaprootpasswd.ldif
  • copy the sample database configuration file for slapd into the /var/lib/ldap directory, and set the correct permissions on the file.
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown -R ldap:ldap /var/lib/ldap/DB_CONFIG
systemctl restart slapd
  • import some basic LDAP schemas from the /etc/openldap/schema directory
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif 
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
  • Configure the main database ({2}hdb) for your domain: create a file called ldapdomain.ldif with the contents below, replacing dc=example,dc=com and cn=auth with your own suffix and admin DN. The olcRootDN is the directory administrator; it can bind with olcRootPW even before an entry for it exists.
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
  read by dn.base="cn=auth,dc=example,dc=com" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=example,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=auth,dc=example,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}<hash printed by slappasswd for the directory admin password>

# Access rules are evaluated in {n} order and the first matching "to" clause wins,
# so the userPassword rule must stay ahead of the catch-all "to *" rule.
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by
  dn="cn=auth,dc=example,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=auth,dc=example,dc=com" write by * read
  • add the above configuration to the LDAP database
ldapmodify -Y EXTERNAL -H ldapi:/// -f ldapdomain.ldif
  • Create baseldapdomain.ldif with the base entry, the admin entry and two organizational units:
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: example com
dc: example

# cn must match the RDN (cn=auth); slapd rejects an entry whose naming attribute is absent
dn: cn=auth,dc=example,dc=com
objectClass: organizationalRole
cn: auth
description: Directory Manager

dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=example,dc=com
objectClass: organizationalUnit
ou: Group 
  • Add the entries, binding as the admin DN with a simple bind (-x) and the password set through olcRootPW (-W prompts for it). -x and -Y EXTERNAL are mutually exclusive, so use one or the other:
ldapadd -x -D "cn=auth,dc=example,dc=com" -W -f baseldapdomain.ldif
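Before loading files like the ldapdomain.ldif access rules above and the base entries just added, two things are worth checking that slapd either reports only at load time or not at all: olcAccess rules are evaluated in {n} order and the first `to` clause that matches wins (so a catch-all `to *` placed ahead of the userPassword rule silently disables it), and an entry's RDN attribute must be present in the entry itself (which is why `dn: cn=auth,...` needs `cn: auth`). The following Python checker is an added example written for this article, not code from the original post or from OpenLDAP. It parses plain `attr: value` LDIF, embeds constructed copies of the tutorial's `{2}hdb` rules, a deliberately broken variant and the admin entry as inputs, and needs no running server; names such as lint_access and rdn_findings are this example's own.

```python
"""Sanity-check LDIF before handing it to ldapmodify/ldapadd (added example for this
tutorial, not code from the original post or from OpenLDAP). olcAccess rules are tried
in {n} order and the first matching "to" clause wins, so a catch-all "to *" listed ahead
of the userPassword rule silently disables it; and an entry's RDN attribute must appear
in the entry ("dn: cn=auth,..." needs "cn: auth"). Plain "attr: value" LDIF only."""
import re
from typing import Dict, List, Tuple

Record = Dict[str, List[str]]
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]  # weakest first

def parse_ldif(text: str) -> List[Record]:
    """Unfold continuation lines, split records on blank lines, lower-case attribute names."""
    unfolded: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:   # RFC 2849 folding: drop exactly one space
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    records: List[Record] = [{}]
    for line in unfolded:
        if not line.strip():                    # a blank line ends the record
            records.append({})
        elif line[0] not in "#-":               # skip comments and "-" separators
            attr, _, value = line.partition(":")
            records[-1].setdefault(attr.strip().lower(), []).append(value.strip())
    return [r for r in records if r]

def access_rules(records: List[Record], db_dn: str) -> List[str]:
    """olcAccess values of one database in {n} order, with the {n} prefix removed."""
    rules = []
    for rec in records:
        if rec.get("dn", [""])[0].lower() == db_dn.lower():
            for val in rec.get("olcaccess", []):
                m = re.match(r"\{(\d+)\}(.*)", val)
                if not m:
                    raise ValueError(f"olcAccess value without {{n}} index: {val}")
                rules.append((int(m.group(1)), m.group(2).strip()))
    return [rule for _, rule in sorted(rules)]

def split_rule(rule: str) -> Tuple[str, List[Tuple[str, str]]]:
    """'to <what> by <who> <level> by ...' -> (what, [(who, level), ...])."""
    if not rule.startswith("to "):
        raise ValueError(f"malformed access rule: {rule}")
    what, *by_clauses = re.split(r"\s+by\s+", rule)
    clauses = []
    for clause in by_clauses:
        who, _, level = clause.rpartition(" ")
        if level not in LEVELS:
            raise ValueError(f"unsupported access level {level!r} in: {rule}")
        clauses.append((who, level))
    return what[3:].strip(), clauses

def lint_access(rules: List[str]) -> List[str]:
    """Findings about an ordered rule list; an empty list means nothing was flagged."""
    findings, pw_rule, catch_all = [], None, None
    for i, rule in enumerate(rules):
        what, clauses = split_rule(rule)
        if "userpassword" in what.lower():
            pw_rule = i if pw_rule is None else pw_rule
            for who, level in clauses:
                if who == "anonymous" and LEVELS.index(level) > LEVELS.index("auth"):
                    findings.append(f"rule {i}: anonymous gets {level} on userPassword")
                if who == "*" and level != "none":
                    findings.append(f"rule {i}: '* {level}' exposes userPassword")
        elif what == "*":
            catch_all = i if catch_all is None else catch_all
            for who, level in clauses:
                if who in ("*", "anonymous", "users") and LEVELS.index(level) >= LEVELS.index("write"):
                    findings.append(f"rule {i}: '{who} {level}' on the whole tree")
    if pw_rule is None:
        findings.append("no rule restricts userPassword")
    elif catch_all is not None and catch_all < pw_rule:
        findings.append(f"rule {catch_all} 'to *' precedes userPassword rule {pw_rule}; first match wins")
    return findings

def rdn_findings(records: List[Record]) -> List[str]:
    """New entries whose RDN attribute/value is missing from the entry body."""
    findings = []
    for rec in records:
        if rec.get("changetype", ["add"])[0] != "add":
            continue                            # modify records are not full entries
        dn = rec["dn"][0]
        attr, _, value = dn.split(",", 1)[0].partition("=")
        if value.lower() not in [v.lower() for v in rec.get(attr.lower(), [])]:
            findings.append(f"{dn}: entry lacks '{attr}: {value}' required by its RDN")
    return findings

HDB = "olcDatabase={2}hdb,cn=config"  # constructed inputs below: tutorial ACL, broken variant, admin entry
TUTORIAL_ACL = """\
dn: olcDatabase={2}hdb,cn=config
olcAccess: {0}to attrs=userPassword,shadowLastChange by
  dn="cn=auth,dc=example,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=auth,dc=example,dc=com" write by * read
"""
BROKEN_ACL = "dn: olcDatabase={2}hdb,cn=config\nolcAccess: {0}to * by users write by * read\nolcAccess: {1}to attrs=userPassword by * read\n"
TUTORIAL_ADMIN = "dn: cn=auth,dc=example,dc=com\nobjectClass: organizationalRole\ncn: Manager\n"
```

Call `lint_access(access_rules(parse_ldif(text), HDB))` and `rdn_findings(parse_ldif(text))` on your own files; both return an empty list when nothing is flagged, and the tutorial's rules pass while BROKEN_ACL produces three findings. One thing the checker deliberately does not flag: rule {2} of the tutorial lets anonymous clients read everything except passwords (uid, uidNumber, homeDirectory and so on). If the server is reachable from untrusted networks, change that rule's `by * read` to `by users read` so that a bind is required, keeping `by anonymous auth` on the userPassword rule so simple binds still work.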
  • Create a local Unix user whose UID and GID the directory entries below will reuse (this only reserves the numbers locally; the directory entries themselves are created next)
useradd tomahawk
passwd tomahawk
  • Create an LDAP group: create a file called ldapgroup.ldif
# cn must match the RDN; posixGroup requires both cn and gidNumber
dn: cn=auth,ou=Group,dc=example,dc=com
objectClass: top
objectClass: posixGroup
cn: auth
gidNumber: 1005

gidNumber must be the GID that useradd assigned to tomahawk in /etc/group (1005 here), so the local and directory identities agree.

  • Add it to the OpenLDAP directory (simple bind as the admin DN; -x cannot be combined with -Y EXTERNAL).
ldapadd -x -D "cn=auth,dc=example,dc=com" -W -f ldapgroup.ldif
  • Create an LDAP user: create a file named tomahawk.ldif. Run slappasswd first and paste its output as the userPassword value; never put the cleartext password in the file.
dn: uid=tomahawk,ou=People,dc=example,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: tomahawk
uid: tomahawk
uidNumber: 1005
gidNumber: 1005
homeDirectory: /home/tomahawk
loginShell: /bin/bash
gecos: tomahawk
userPassword: {SSHA}<hash printed by slappasswd>
# shadowLastChange: 0 together with shadowMax: 0 is treated as an expired password,
# so the user is forced to change it at first login; set shadowMax to a real maximum
# age (for example 90) if that is not what you want.
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0

** The userPassword value above is the hash printed by slappasswd **

  • Add the file to the LDAP directory
ldapadd -x -D "cn=auth,dc=example,dc=com" -W -f tomahawk.ldif
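Both the olcRootPW values set earlier and the userPassword value just above come from slappasswd, which by default prints an {SSHA} hash. The following Python is an added example written for this article, not the original post's code and not part of OpenLDAP; it reproduces the {SSHA} format so you can see what the pasted value contains, render the olcRootPW record with the value line that is easy to forget, and verify a hash read out of the directory (as the admin DN) offline. The names ssha_hash, ssha_verify, ssha_salt and root_pw_ldif are this example's own.

```python
"""Generate and verify OpenLDAP {SSHA} password hashes, the scheme slappasswd
emits by default, using only the standard library.

Added example for this tutorial; it is not the original post's code and not
OpenLDAP's. {SSHA} is base64( SHA-1(password || salt) || salt ) with a 4-byte
salt. It shows what the value pasted after "olcRootPW:" or "userPassword:"
contains and lets you check a hash read from the directory without binding."""
import base64
import hashlib
import hmac
import os
from typing import Optional

PREFIX = "{SSHA}"
SALT_LEN = 4        # slappasswd's salt size; verification accepts any length

def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return '{SSHA}<base64(digest + salt)>', as slappasswd -s <password> would."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")

def ssha_salt(stored: str) -> bytes:
    """The salt is whatever follows the 20-byte SHA-1 digest."""
    if not stored.startswith(PREFIX):
        raise ValueError("not an {SSHA} hash")
    return base64.b64decode(stored[len(PREFIX):])[20:]

def ssha_verify(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    raw = base64.b64decode(stored[len(PREFIX):]) if stored.startswith(PREFIX) else b""
    if len(raw) < 20:
        return False
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)

def root_pw_ldif(database_dn: str, hashed: str) -> str:
    """The olcRootPW modify record ldaprootpasswd.ldif needs, value line included."""
    if not hashed.startswith("{"):
        raise ValueError("refusing to write a cleartext rootpw; pass a slappasswd-style hash")
    return f"dn: {database_dn}\nchangetype: modify\nadd: olcRootPW\nolcRootPW: {hashed}\n"

if __name__ == "__main__":
    h = ssha_hash("correct horse")
    print(h, ssha_verify("correct horse", h), ssha_verify("wrong", h))
    print(root_pw_ldif("olcDatabase={0}config,cn=config", h))
```

{SSHA} is salted, but it is a single SHA-1 round: a leaked directory dump can be brute-forced at GPU speed. OpenLDAP 2.4 ships a pw-pbkdf2 module under contrib/slapd-modules/passwd that adds {PBKDF2-SHA512}; once loaded, olcPasswordHash on cn=config selects it for passwords set through the password modify extended operation (ldappasswd), while values supplied in LDIF are stored exactly as given.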

You can also use a GUI such as Apache Directory Studio to manage the directory once the steps above are done and add further users and groups without writing LDIF by hand.

Optional Steps


  • Now generate a self-signed certificate and private key with OpenSSL so clients can talk to the server over TLS. At the prompts, set the Common Name to the hostname clients will use (auth.example.com here); a name mismatch makes every verifying client reject the connection.
openssl req -new -x509 -nodes -out \
/etc/openldap/certs/auth.example.com.cert \
-keyout /etc/openldap/certs/auth.example.com.key \
-days 365
  • Change the owner so slapd (which runs as the ldap user) can read the files. The key is written with the default umask, so also tighten its mode so that only its owner can read it:
chown -R ldap:ldap /etc/openldap/certs
  • Now create ssl.ldif to point slapd at the certificate and key:
dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/auth.example.com.cert

dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/auth.example.com.key
  • Apply the file
ldapmodify -Y EXTERNAL -H ldapi:/// -f ssl.ldif
  • Check that the configuration still parses (slaptest -u validates the config files; it does not exercise TLS)
slaptest -u
  • slapd only listens on LDAPS (port 636) when its listener list says so: on CentOS 7 set SLAPD_URLS="ldapi:/// ldap:/// ldaps:///" in /etc/sysconfig/slapd and restart slapd.
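Two things the TLS steps above leave implicit: openssl req writes the key with the normal umask (typically 0644), which `chown -R ldap:ldap` does not change, so the private key stays readable by every local account; and clients that verify the certificate need a CA file, which for a self-signed certificate is the certificate itself (TLS_CACERT in /etc/openldap/ldap.conf on the client, olcTLSCACertificateFile on the server for chained certificates). The following Python is an added example written for this article, not the original post's code and not OpenLDAP's; it checks the key's permissions before rendering the ssl.ldif records, and the files it creates are placeholders it writes itself, not real keys. The function names are this example's own.

```python
"""Pre-flight for the TLS files before pointing slapd at them.

Added example for this tutorial, not code from the original post or from
OpenLDAP. openssl req writes the key with ordinary umask permissions (0644 under
root's default umask) and "chown -R ldap:ldap" leaves that alone, so the private
key ends up readable by every local account. tls_ldif() renders the tutorial's
ssl.ldif (plus the CA file clients need to verify the chain) and refuses while
the key is group- or world-readable."""
import os
import stat
import tempfile
from typing import List, Optional

def key_file_findings(key_path: str, owner_uid: Optional[int] = None) -> List[str]:
    """Permission problems with a private key; an empty list means it looks fine."""
    try:
        st = os.stat(key_path)
    except FileNotFoundError:
        return [f"{key_path}: missing"]
    findings: List[str] = []
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(f"{key_path}: readable by group/others (mode {mode:04o})")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{key_path}: writable by group/others (mode {mode:04o})")
    if owner_uid is not None and st.st_uid != owner_uid:
        findings.append(f"{key_path}: owned by uid {st.st_uid}, expected {owner_uid}")
    return findings

def tls_ldif(cert: str, key: str, ca: Optional[str] = None) -> str:
    """cn=config modify records for the cert, the key and, if given, the CA file."""
    problems = key_file_findings(key)
    if problems:
        raise PermissionError("; ".join(problems))
    attrs = [("olcTLSCertificateFile", cert), ("olcTLSCertificateKeyFile", key)]
    if ca:
        attrs.append(("olcTLSCACertificateFile", ca))
    return "\n".join(f"dn: cn=config\nchangetype: modify\nreplace: {a}\n{a}: {v}\n" for a, v in attrs)

def make_demo_key(mode: int) -> str:
    """Create a placeholder (not a real) key file with the given mode, for the demo below."""
    fd, path = tempfile.mkstemp(suffix=".key")
    with os.fdopen(fd, "w") as f:
        f.write("-----BEGIN PRIVATE KEY-----\nplaceholder, constructed for this example\n-----END PRIVATE KEY-----\n")
    os.chmod(path, mode)
    return path

if __name__ == "__main__":
    leaky, tight = make_demo_key(0o644), make_demo_key(0o600)
    print(key_file_findings(leaky))                     # flags the world-readable key
    cert = "/etc/openldap/certs/auth.example.com.cert"  # self-signed: the cert is its own CA
    print(tls_ldif(cert, tight, ca=cert))
    for path in (leaky, tight):
        os.unlink(path)
```

Fix a flagged key with chmod 600 on the .key file; ownership by ldap:ldap is still required because slapd runs as the ldap user. After slapd is restarted, confirm from a client with `ldapsearch -H ldaps://auth.example.com -x -b "" -s base` that the handshake succeeds against the CA file the client trusts, rather than relying on slaptest.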

You have completed the OpenLDAP setup on CentOS 7.

