Deploying OpenLDAP server on CentOS7 – Getting Started Guide
Hello there! In this post, I'm going to cover the installation and initial configuration of the open-source directory server OpenLDAP. The platform I'm using here is CentOS 7, so if you're on a different distribution or version, the steps may vary slightly.
What is OpenLDAP?

OpenLDAP is an open-source implementation of the Lightweight Directory Access Protocol (LDAP), developed and maintained by the OpenLDAP Project. LDAP is a platform-independent protocol, and most Linux distributions use it for directory services. OpenLDAP also runs on various BSD and Microsoft platforms.
Installation
Now, without further ado, let's get into the installation of the OpenLDAP server on CentOS. The OpenLDAP packages are available in CentOS's base repository.
# openldap-servers and openldap-clients are the packages this guide needs; compat-openldap, openldap-servers-sql and openldap-devel are optional extras
$ sudo yum -y install openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel
Once installed, start the server and enable it so that it also starts at boot.
$ sudo systemctl start slapd
$ sudo systemctl enable slapd
Before configuring the directory, generate a password hash for the admin user, which we will call ldapadm.
$ sudo slappasswd
This prints the hash in OpenLDAP's {SSHA} (salted SHA-1) form. Keep it somewhere safe; it goes into the olcRootPW attribute in the next step. Next, let's define the domain suffix, the admin DN and the admin password hash for our directory server.
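As an added illustration (not part of the original post) of what slappasswd produces: the value is "{SSHA}" followed by the base64 of SHA-1(password || salt) with the 4-byte salt appended, so the salt can be read back out of the stored value and a candidate password checked against it offline. The script below builds such a hash for a constructed salt and verifies it, using only openssl, base64, tail and mktemp; the password and salt are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: build and verify {SSHA} hashes
# of the kind slappasswd prints, using only openssl, base64, tail and mktemp.
# Stored form:  "{SSHA}" + base64( SHA1(password || salt) || salt )
# The salt (4 random bytes by default) is recoverable from the stored value,
# which is what makes offline verification possible, and is also why running
# slappasswd twice on the same password prints two different strings.

# ssha_hash PASSWORD SALT_FILE -> prints the {SSHA} value for that salt
ssha_hash() {
  pw=$1; saltf=$2
  b64=$( { { printf '%s' "$pw"; cat "$saltf"; } | openssl dgst -sha1 -binary; cat "$saltf"; } \
         | base64 | tr -d '\n' )
  printf '{SSHA}%s\n' "$b64"
}

# ssha_verify STORED CANDIDATE -> 0 if CANDIDATE matches, 1 if not,
#                                  2 if STORED is not a usable {SSHA} value
ssha_verify() {
  stored=$1; cand=$2
  case "$stored" in '{SSHA}'*) ;; *) return 2 ;; esac
  saltf=$(mktemp) || return 2
  # strip the "{SSHA}" prefix, decode, drop the 20-byte SHA-1 digest and keep the salt bytes
  printf '%s' "${stored#??????}" | base64 -d | tail -c +21 > "$saltf"
  if [ ! -s "$saltf" ]; then rm -f "$saltf"; return 2; fi
  calc=$(ssha_hash "$cand" "$saltf")
  rm -f "$saltf"
  [ "$calc" = "$stored" ]
}

# Demonstration with a constructed salt and password (slappasswd picks a random salt).
demo_salt=$(mktemp); printf 'S4lt' > "$demo_salt"
demo_hash=$(ssha_hash 'sajjan123' "$demo_salt")
rm -f "$demo_salt"
echo "stored value: $demo_hash"
ssha_verify "$demo_hash" 'sajjan123' && echo "sajjan123: match"
ssha_verify "$demo_hash" 'wrong' || echo "wrong: no match"
```

Paste a real userPassword value from the directory as the first argument of ssha_verify to check a suspected weak password against it; the salt is taken from the value itself, so nothing else is needed.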
$ vi db.ldif
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=sajjan,dc=com,dc=np

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=ldapadm,dc=sajjan,dc=com,dc=np

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: <output of slappasswd>

$ sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f db.ldif
In the above LDIF, olcSuffix defines the base DN (the suffix) under which all of our entries will live, olcRootDN defines the root/admin user (the rootdn) that manages this database and bypasses its access controls, and olcRootPW holds that user's password hash. Each change is applied over the local ldapi:/// socket with SASL EXTERNAL, which maps the root user running ldapmodify to the identity that is allowed to modify cn=config.
Next, restrict access to the monitor database so that only the local root user (via the ldapi socket) and ldapadm can read it, and anonymous clients cannot.
$ vi monitor.ldif
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=ldapadm,dc=sajjan,dc=com,dc=np" read by * none

$ sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f monitor.ldif
It is also best practice to protect LDAP traffic with TLS, since simple binds otherwise send passwords across the network in the clear. In this post I'm using a self-signed certificate for this purpose; you may prefer one issued by a CA your clients already trust. When openssl prompts for the subject, set the Common Name to the hostname clients will use to reach the server, otherwise clients that verify the certificate will reject it.
$ sudo openssl req -new -x509 -nodes -out /etc/openldap/certs/sajjan.pem -keyout /etc/openldap/certs/sajjankey.pem -days 365
# Change the certificate and key owner to ldap; the key is written with the default umask (usually 0644), so also make it readable by ldap only
$ sudo chown ldap:ldap /etc/openldap/certs/sajjan.pem /etc/openldap/certs/sajjankey.pem
$ sudo chmod 600 /etc/openldap/certs/sajjankey.pem
Configure the OpenLDAP server to use this certificate and key. With these attributes set, slapd offers STARTTLS on port 389; if you also want the dedicated ldaps:// port 636, add ldaps:/// to SLAPD_URLS in /etc/sysconfig/slapd and restart slapd.
$ vi certs.ldif
# Both attributes are changed in a single modify operation (the "-" separator) so slapd never has to load a certificate that does not match the current key
dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/sajjan.pem
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/sajjankey.pem

$ sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f certs.ldif
This completes the basic setup of the OpenLDAP server. We can verify that the configuration in /etc/openldap/slapd.d parses correctly like this:
$ sudo slaptest -u
config file testing succeeded
Next, let's prepare the database directory and load the schemas our entries will need. DB_CONFIG.example is not sample data but the Berkeley DB tuning file for the hdb backend; slapd warns on every start until a DB_CONFIG exists in /var/lib/ldap. The cosine, nis and inetorgperson schemas provide the object classes (posixAccount, shadowAccount, inetOrgPerson) that our user entries will use.
$ sudo cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
$ sudo chown ldap:ldap /var/lib/ldap/*
$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
Then, let's create the base entries for our domain (the suffix entry itself, an entry for ldapadm, and the People and Group organizational units) and add them to the directory. This time we bind as ldapadm with the password set above rather than through the ldapi socket, since these are ordinary directory entries, not cn=config.
$ vi base.ldif
dn: dc=sajjan,dc=com,dc=np
dc: sajjan
objectClass: top
objectClass: domain

dn: cn=ldapadm,dc=sajjan,dc=com,dc=np
objectClass: organizationalRole
cn: ldapadm
description: LDAP Manager

dn: ou=People,dc=sajjan,dc=com,dc=np
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=sajjan,dc=com,dc=np
objectClass: organizationalUnit
ou: Group

$ sudo ldapadd -x -W -D "cn=ldapadm,dc=sajjan,dc=com,dc=np" -f base.ldif
# Enter the password that you set using slappasswd above
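Because ldapadd stops at the first entry that fails, a single DN typed under the wrong suffix (for instance the ou=Group entry ending up under dc=dristi instead of dc=sajjan, an easy copy-and-paste slip) aborts with "No such object (32)" and leaves base.ldif half-loaded. The following shell function, an added example rather than part of the original post, checks every dn: line of an LDIF file against the expected suffix before anything is sent to the server; the sample LDIF it runs on is a constructed copy of base.ldif with exactly that slip in it.

```shell
#!/bin/sh
# Added example, not from the original post: check that every entry in an
# LDIF file sits under the directory suffix before feeding it to ldapadd.
# DNs are compared case-insensitively and with blanks around "," and "="
# ignored, as the server does. Base64-encoded "dn::" lines and folded
# multi-line DNs are not handled.

# ldif_check_suffix FILE SUFFIX -> prints each offending dn: line,
#                                  exit 1 if any were found, 0 if all are fine
ldif_check_suffix() {
  file=$1; suffix=$2
  awk -v suffix="$suffix" '
    function norm(s) {
      s = tolower(s)
      sub(/[ \t]+$/, "", s)
      gsub(/[ \t]*,[ \t]*/, ",", s)
      gsub(/[ \t]*=[ \t]*/, "=", s)
      return s
    }
    BEGIN { sfx = norm(suffix); bad = 0 }
    /^dn::/ { next }
    /^dn:/ {
      dn = $0; sub(/^dn:[ \t]*/, "", dn); dn = norm(dn)
      # the suffix entry itself is allowed; everything else must end in ",<suffix>"
      if (dn != sfx && substr(dn, length(dn) - length(sfx)) != "," sfx) {
        printf "line %d: %s is not under %s\n", NR, $0, suffix
        bad = 1
      }
    }
    END { exit bad }
  ' "$file"
}

# Constructed input: base.ldif as in this post, but with the ou=Group entry
# typed under dc=dristi instead of dc=sajjan.
demo=$(mktemp)
cat > "$demo" <<'EOF'
dn: dc=sajjan,dc=com,dc=np
dc: sajjan
objectClass: top
objectClass: domain

dn: cn=ldapadm ,dc=sajjan,dc=com,dc=np
objectClass: organizationalRole
cn: ldapadm
description: LDAP Manager

dn: ou=People,dc=sajjan,dc=com,dc=np
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=dristi,dc=com,dc=np
objectClass: organizationalUnit
ou: Group
EOF
if ldif_check_suffix "$demo" "dc=sajjan,dc=com,dc=np"; then
  echo "base.ldif OK, safe to ldapadd"
else
  echo "fix base.ldif before running ldapadd"
fi
rm -f "$demo"
```

Run it as `ldif_check_suffix base.ldif "dc=sajjan,dc=com,dc=np" && sudo ldapadd -x -W -D "cn=ldapadm,dc=sajjan,dc=com,dc=np" -f base.ldif` so the add only happens when the file is consistent; the stray space in "cn=ldapadm ," is tolerated, the wrong dc component is not.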
Now, I'm adding a user account for myself in this directory server. First, I define an LDIF file and then add it to the directory.
$ vi sajjan.ldif
dn: uid=sajjan,ou=People,dc=sajjan,dc=com,dc=np
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: sajjan
uid: sajjan
uidNumber: 9999
gidNumber: 100
homeDirectory: /home/sajjan
loginShell: /bin/bash
gecos: Sajjan [Admin (at) Sajjan.com.np]
userPassword: {crypt}x
shadowLastChange: 17058
shadowMin: 0
shadowMax: 99999
shadowWarning: 7

$ sudo ldapadd -x -W -D "cn=ldapadm,dc=sajjan,dc=com,dc=np" -f sajjan.ldif
# Set a password for this user, replacing the {crypt}x placeholder. -S prompts for the new password; passing it with -s <password> instead would leave it in the shell history and visible in the process list
$ sudo ldappasswd -S -W -D "cn=ldapadm,dc=sajjan,dc=com,dc=np" -x "uid=sajjan,ou=People,dc=sajjan,dc=com,dc=np"
Finally, let's confirm that the user sajjan has been added, using an anonymous simple bind (-x without -D):
$ ldapsearch -x -b "dc=sajjan,dc=com,dc=np" "(cn=sajjan)"
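One thing that search also reveals, as an added note that is not part of the original post: because no olcAccess has been set on olcDatabase={2}hdb, slapd applies its built-in default of "access to * by * read", so the same anonymous search returns the userPassword hash of every account. The script below (example code, not from the post; the suffix, admin DN and test user are the ones used in this post, and password_acl.sh is a made-up file name) prints an ACL that keeps the password attributes private while leaving the rest of the tree readable, and when run with the argument apply loads it through ldapmodify and re-checks both the anonymous search and the user's own bind.

```shell
#!/bin/sh
# Added example, not from the original post: keep password hashes out of
# anonymous searches. With no olcAccess on olcDatabase={2}hdb, slapd uses its
# built-in default "access to * by * read", so an anonymous ldapsearch returns
# userPassword for every account. Rule {0} makes userPassword and
# shadowLastChange (which nslcd updates when a user changes their password)
# unreadable, still usable for binds ("auth") and writable by the owner;
# rule {1} leaves everything else world-readable, as before.
# The suffix and admin DN below are the ones used in this post.

SUFFIX="dc=sajjan,dc=com,dc=np"
ADMIN_DN="cn=ldapadm,${SUFFIX}"

# password_acl_ldif -> prints the LDIF to feed into ldapmodify.
# Continuation lines start with two spaces: LDIF strips one and keeps one.
# The rootdn (ldapadm) bypasses ACLs anyway; naming it documents the intent.
# If the database already carries olcAccess values, use "replace:" instead of "add:".
password_acl_ldif() {
  cat <<EOF
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by dn.exact="${ADMIN_DN}" write
  by anonymous auth
  by self write
  by * none
olcAccess: {1}to *
  by dn.exact="${ADMIN_DN}" write
  by * read
EOF
}

if [ "${1:-}" = "apply" ]; then
  # run as root on the LDAP server:  sh password_acl.sh apply
  password_acl_ldif | ldapmodify -Y EXTERNAL -H ldapi:///
  # the anonymous search must now list the entry without a userPassword line ...
  ldapsearch -x -LLL -b "$SUFFIX" "(uid=sajjan)" userPassword
  # ... while the user can still bind with their password
  ldapwhoami -x -D "uid=sajjan,ou=People,${SUFFIX}" -W
else
  password_acl_ldif
fi
```

Order matters: slapd evaluates olcAccess rules in index order and stops at the first "to" clause that matches, so the attribute-specific rule must sit at {0}, before the catch-all.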
This completes the initial configuration of the OpenLDAP server. To assist with administration, it is also useful to enable its logging. slapd logs through the syslog facility local4; how much it logs is controlled by the olcLogLevel attribute in cn=config.
$ sudo vi /etc/rsyslog.conf
# Append this line to the end
local4.* /var/log/ldap.log

$ sudo systemctl restart rsyslog
Finally, let's permit LDAP connections to this server from the network. The ldap service opens port 389 (plain LDAP and STARTTLS); if you enabled ldaps:/// in /etc/sysconfig/slapd, also add the ldaps service for port 636.
$ sudo firewall-cmd --permanent --add-service=ldap
$ sudo firewall-cmd --reload
Authentication in Linux System Using OpenLDAP Server
Now that we've got our OpenLDAP server ready, we can authenticate our Linux servers against the user accounts defined in the directory. In my case, the IP address of the LDAP server is 192.168.1.10 and that of the client server is 192.168.1.20. Now, let's configure the client machine to authenticate with the LDAP server. Note that the authconfig command as shown talks plain LDAP on port 389, so bind credentials cross the network in the clear; to use the TLS setup from above, add --enableldaptls and make the server certificate trusted on the client (for example, copy sajjan.pem into /etc/openldap/cacerts/ on the client and run cacertdir_rehash /etc/openldap/cacerts).
# On the client machine, first install the client packages
$ sudo yum install -y openldap-clients nss-pam-ldapd
$ sudo authconfig --enableldap --enableldapauth --ldapserver=192.168.1.10 --ldapbasedn="dc=sajjan,dc=com,dc=np" --enablemkhomedir --update
$ sudo systemctl restart nslcd
If you've completed all the earlier steps correctly, your client machine should now be able to resolve users from the OpenLDAP server. We can verify this by looking up the user account through NSS. In my case, I had created a user called sajjan in the LDAP server earlier. I can also log in to this client machine as the LDAP user, and once I log in, a home directory is created on the client machine for this user.
$ sudo getent passwd sajjan
sajjan:x:9999:100:Sajjan [Admin (at) Sajjan.com.np]:/home/sajjan:/bin/bash
$ su - sajjan
[sajjan@ldap ~]$ pwd
/home/sajjan
Well, this is it for this post. To summarize, we've learned about OpenLDAP, its installation, basic configuration and integration with LDAP clients. I hope this has been useful for you. If you have any questions or feedback, please let me know in the Comments section below. Thank you for reading!