
How to Install and Configure OpenLDAP on CentOS / RHEL Linux

LDAP stands for Lightweight Directory Access Protocol.

LDAP is a solution for accessing centrally stored information over a network. This centrally stored information is organized in a directory that follows the X.500 standard.

The information is stored and organized hierarchically. The advantage of this approach is that the information can be grouped into containers, and clients can access these containers whenever needed.

The OpenLDAP hierarchy is similar to the DNS hierarchy.

The following are the two most commonly used objects in OpenLDAP:

  1. cn (common name) – This refers to the leaf entries, which are end objects (for example: users and groups)
  2. dc (domain component) – This refers to one of the container entries in the LDAP hierarchy. If in a setup the LDAP hierarchy is mapped to a DNS hierarchy, typically all DNS domains are referred to as DC objects.

For example, if there is a user sam.thegeekstuff.com in the hierarchy, the fully distinguished name of this user is cn=sam,dc=thegeekstuff,dc=com. Notice that in the FDN (fully distinguished name) a comma is used as the separator, not the dot that is common in DNS.
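To make the naming above concrete, here is an added Python example (not code from the original article) that builds a DN from a DNS-style name for any depth and splits a DN back into its components. It goes one step beyond the article by honouring RFC 4514 backslash escaping, so a value that itself contains a comma (for example a cn of "Doe, John") is not mistaken for an extra component; the function names are my own.

```python
"""Map DNS-style names to LDAP distinguished names and back.

Added example, not part of the original article. Function names are mine.
"""
from __future__ import annotations


def escape_value(value: str) -> str:
    """Escape the characters RFC 4514 treats specially inside an attribute value."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        special = ch in ',+"\\<>;='
        leading_hash = ch == "#" and i == 0
        edge_space = ch == " " and i in (0, last)
        out.append("\\" + ch if special or leading_hash or edge_space else ch)
    return "".join(out)


def dns_to_dn(fqdn: str, leaf_attr: str = "cn") -> str:
    """Turn 'sam.thegeekstuff.com' into 'cn=sam,dc=thegeekstuff,dc=com'.

    The first label becomes the leaf entry (cn by default); every remaining
    label becomes a dc (domain component) container, most specific first.
    """
    labels = [label for label in fqdn.strip(".").split(".") if label]
    if len(labels) < 2:
        raise ValueError("need a leaf label and at least one domain label")
    leaf, domain = labels[0], labels[1:]
    rdns = [f"{leaf_attr}={escape_value(leaf)}"]
    rdns += [f"dc={escape_value(label)}" for label in domain]
    return ",".join(rdns)


def split_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (attribute, value) pairs, honouring backslash escapes.

    A naive dn.split(',') would break 'cn=Doe\\, John,dc=example,dc=com'
    into four pieces; this walk keeps the escaped comma inside the value.
    """
    rdns: list[str] = []
    buf: list[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])  # keep the escaped character, drop the backslash
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))

    pairs: list[tuple[str, str]] = []
    for rdn in rdns:
        attr, sep, val = rdn.strip().partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip().lower(), val))
    return pairs


def dn_to_dns(dn: str) -> str:
    """Inverse of dns_to_dn for a cn/dc-only DN: join the values with dots, leaf first."""
    return ".".join(val for _, val in split_dn(dn))


if __name__ == "__main__":
    print(dns_to_dn("sam.thegeekstuff.com"))
    print(split_dn("cn=Doe\\, John,dc=example,dc=com"))
```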

By using the different LDAP entry types, you can set up a hierarchical directory structure. This is the reason why OpenLDAP is so widely used. You can easily build an OpenLDAP hierarchy in which objects in other locations are referred to without storing them on local servers. This makes OpenLDAP a lightweight directory, especially when compared to other directory servers such as Microsoft’s Active Directory.

Now let's see how to set up a single instance of an LDAP server that can be used by multiple clients in your network for authentication.

Install OpenLDAP Packages

On CentOS and RedHat, use yum install as shown below, to install the openldap related packages.

yum install -y openldap openldap-clients openldap-servers

You should install the following three packages:

  1. openldap-servers – This is the main LDAP server
  2. openldap-clients – This contains all required LDAP client utilities
  3. openldap – This package contains the LDAP support libraries

LDAP Config Files

  • config.ldif – The LDAP default configuration is stored in the file /etc/openldap/slapd.d/cn=config.ldif, which is written in LDIF format. This is the LDAP Input Format (LDIF), a specific format that allows you to enter information into the LDAP directory.
  • olcDatabase={2}bdb.ldif – Settings such as the number of connections the server can support, timeouts and other database settings are in the file /etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif. This file also contains parameters such as the LDAP root user and the base DN.

Create olcRootDN Account as Admin

It is always recommended to first create a dedicated user account with full permissions to change information in the LDAP database.

Modify the olcDatabase={2}bdb.ldif file, and change the olcRootDN entry. The following is the default entry.

# grep olcRootDN /etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif
olcRootDN: cn=Manager,dc=my-domain,dc=com

Change the above line to an admin user. In this example, user “ramesh” will be the olcRootDN.

olcRootDN: cn=ramesh,dc=thegeekstuff,dc=com

Create olcRootPW Root Password

Now use the slappasswd command to create a hash of the root password you want to use. Once the hash is generated, open the cn=config.ldif file, add the olcRootPW parameter, and paste in the hashed password as shown below.

Execute the following command and specify a password. This will generate the hash for the given password.

# slappasswd
New password: SecretLDAPRootPass2015
Re-enter new password: SecretLDAPRootPass2015
{SSHA}1pgok6qWn24lpBkVreTDboTr81rg4QC6

Take the hash output of the above command and add it to the olcRootPW parameter in the config.ldif file as shown below.

# vi /etc/openldap/slapd.d/cn=config.ldif
olcRootPW: {SSHA}1pgok6qWn24lpBkVreTDboTr81rg4QC6
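To see what the olcRootPW value actually contains, here is an added Python example (not code from the original article) that reproduces the default slappasswd scheme: {SSHA} is the base64 encoding of a SHA-1 digest over the password plus a random salt, followed by the salt in clear. ssha_verify recomputes the digest the way slapd does on a simple bind, and is_hashed is a quick check that the value you paste into the configuration is the hash rather than the plaintext password (which slapd would also accept). Function names are my own, and because the salt is random the hash for the article's example password will differ from the value shown above.

```python
"""Generate and verify OpenLDAP {SSHA} password hashes.

Added example, not part of the original article; function names are mine.
{SSHA} (RFC 2307 style, slappasswd's default) is base64 of
SHA1(password || salt) followed by the salt itself, so the server can
recompute the digest when a client binds.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import os
import re

DIGEST_LEN = 20  # SHA-1 digest size in bytes


def ssha_hash(password: str, salt: bytes | None = None) -> str:
    """Return a '{SSHA}...' string of the form slappasswd prints.

    slappasswd draws a fresh 4-byte random salt each run, which is why hashing
    the same password twice gives a different string each time; storing the
    salt after the digest is what makes verification possible.
    """
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a candidate password against a stored '{SSHA}...' value.

    Returns False for a wrong password and for anything that is not a
    well-formed {SSHA} string (cleartext, another scheme, bad base64).
    """
    if not stored.startswith("{SSHA}"):
        return False
    try:
        raw = base64.b64decode(stored[len("{SSHA}"):], validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return False
    if len(raw) <= DIGEST_LEN:  # need at least one salt byte after the digest
        return False
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    # Constant-time comparison: the result must not depend on how many bytes matched.
    return hmac.compare_digest(candidate, digest)


def is_hashed(value: str) -> bool:
    """True when an olcRootPW value carries a hash scheme prefix such as {SSHA}.

    slapd also accepts a cleartext olcRootPW, so this catches the mistake of
    pasting the password itself instead of the slappasswd output.
    """
    if value.startswith("{CLEARTEXT}"):
        return False
    return re.match(r"^\{[A-Za-z0-9-]+\}\S+$", value) is not None


if __name__ == "__main__":
    h = ssha_hash("SecretLDAPRootPass2015")  # the article's example password
    print(h)
    print(ssha_verify("SecretLDAPRootPass2015", h), ssha_verify("wrong", h))
```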

Create olcSuffix Domain Name

Now set olcSuffix to the domain that you want. Simply modify the line that starts with olcSuffix in the file olcDatabase={2}bdb.ldif as shown below.

# vi /etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif
olcSuffix: dc=thegeekstuff,dc=com

Verify The Configuration Files

Use the slaptest command to verify the configuration files as shown below. It should print a “testing succeeded” message.

# slaptest -u
config file testing succeeded

You might see the following messages while running the above command; they can be ignored for now.

54a39508 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif"
54a39508 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif"

Start the LDAP Server

Start the LDAP server as shown below.

# service slapd start
Checking configuration files for slapd: [WARNING]
config file testing succeeded
Starting slapd:                         [  OK  ]

Verify the LDAP Search

To verify that the LDAP server is configured successfully, use the command below and check that the domain entry is present.

# ldapsearch -x -b "dc=thegeekstuff,dc=com"
# extended LDIF
#
# LDAPv3
# base <dc=thegeekstuff,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 32 No such object
# numResponses: 1

Base LDAP Structure in base.ldif

Using OU (organizational unit) objects helps give the LDAP database additional structure. If you plan to add different types of entries, such as users, groups, computers and printers, to the LDAP directory, it is easier to put each entry type into its own container.

To create these OUs, you can write an initial LDIF file as in the example below. This file creates the base container, dc=thegeekstuff,dc=com, and two organizational units named users and groups inside that container. Each entry is separated from the next by a blank line, which LDIF requires.

# cat base.ldif
dn: dc=thegeekstuff,dc=com
objectClass: dcObject
objectClass: organization
o: thegeekstuff.com
dc: thegeekstuff

dn: ou=users,dc=thegeekstuff,dc=com
objectClass: organizationalUnit
objectClass: top
ou: users

dn: ou=groups,dc=thegeekstuff,dc=com
objectClass: organizationalUnit
objectClass: top
ou: groups
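Because ldapadd processes the file entry by entry and stops at the first error, it is worth sanity-checking a hand-written LDIF file before importing it. The following is an added Python example, not part of the original article: it parses LDIF (folding continuation lines, skipping # comments, decoding :: base64 values), reports a missing blank line between entries, and checks that every entry's parent is either the suffix or an entry that appeared earlier in the file. The sample text is the base.ldif above, embedded as a constructed string; function names are mine.

```python
"""Parse and sanity-check an LDIF file before handing it to ldapadd.

Added example, not part of the original article. Function names are mine.
"""
from __future__ import annotations

import base64

# Constructed sample: the article's base.ldif, with the blank line that LDIF
# requires between entries (ldapadd rejects the file without it).
BASE_LDIF = """\
dn: dc=thegeekstuff,dc=com
objectClass: dcObject
objectClass: organization
o: thegeekstuff.com
dc: thegeekstuff

dn: ou=users,dc=thegeekstuff,dc=com
objectClass: organizationalUnit
objectClass: top
ou: users

dn: ou=groups,dc=thegeekstuff,dc=com
objectClass: organizationalUnit
objectClass: top
ou: groups
"""


def parse_ldif(text: str) -> list[dict[str, list[str]]]:
    """Return one dict per entry (attribute names lower-cased, values in file order)."""
    # Fold continuation lines: a line starting with one space continues the previous line.
    folded: list[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and folded:
            folded[-1] += line[1:]
        else:
            folded.append(line)

    entries: list[dict[str, list[str]]] = []
    current: dict[str, list[str]] | None = None
    for line in folded:
        if line.startswith("#"):  # comment line
            continue
        if not line.strip():  # a blank line terminates the current entry
            if current is not None:
                entries.append(current)
                current = None
            continue
        if ":" not in line:
            raise ValueError(f"malformed line (no colon): {line!r}")
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if value.startswith(":"):  # 'attr:: ...' carries a base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        if attr == "dn":
            if current is not None:
                raise ValueError(
                    f"second 'dn:' inside entry {current['dn'][0]!r}: "
                    "missing blank line before this entry?")
            current = {"dn": [value]}
        elif current is None:
            raise ValueError(f"attribute {attr!r} appears before any 'dn:' line")
        else:
            current.setdefault(attr, []).append(value)
    if current is not None:
        entries.append(current)
    return entries


def normalize_dn(dn: str) -> str:
    """Case- and whitespace-insensitive form for comparing DNs (unescaped commas only)."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parent_dn(dn: str) -> str:
    """Drop the first RDN: 'ou=users,dc=x,dc=com' -> 'dc=x,dc=com'."""
    return dn.split(",", 1)[1] if "," in dn else ""


def check_add_order(entries: list[dict[str, list[str]]], suffix: str) -> list[str]:
    """List the problems that would make ldapadd fail when adding entries in file order.

    The suffix entry (olcSuffix) may be the first entry; every other entry's
    parent must be the suffix or an entry that appeared earlier in the file.
    """
    problems: list[str] = []
    seen: set[str] = set()
    for entry in entries:
        dn = normalize_dn(entry["dn"][0])
        if "objectclass" not in entry:
            problems.append(f"{dn}: no objectClass")
        if dn != normalize_dn(suffix) and parent_dn(dn) not in seen:
            problems.append(f"{dn}: parent {parent_dn(dn)!r} not added before it")
        seen.add(dn)
    return problems


def validate_ldif(text: str, suffix: str) -> list[str]:
    """One-call check: parse errors and ordering problems as messages (empty list = OK)."""
    try:
        entries = parse_ldif(text)
    except ValueError as exc:
        return [str(exc)]
    return check_add_order(entries, suffix)


if __name__ == "__main__":
    print(validate_ldif(BASE_LDIF, "dc=thegeekstuff,dc=com") or "base.ldif looks good")
    print(validate_ldif(BASE_LDIF.replace("\n\n", "\n"), "dc=thegeekstuff,dc=com"))
```

Running it prints that base.ldif looks good, then the "second 'dn:'" message for a copy with the blank lines removed, which is the symptom several readers hit in the comments below.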

Import Base Structure Using ldapadd

Now we can import the base structure into the LDAP directory using the ldapadd command as shown below.

# ldapadd -x -W -D "cn=ramesh,dc=thegeekstuff,dc=com" -f base.ldif
Enter LDAP Password:
adding new entry "dc=thegeekstuff,dc=com"
adding new entry "ou=users,dc=thegeekstuff,dc=com"
adding new entry "ou=groups,dc=thegeekstuff,dc=com"

Verify the Base Structure using ldapsearch

To verify the OUs are successfully created, use the following ldapsearch command.

# ldapsearch -x -W -D "cn=ramesh,dc=thegeekstuff,dc=com" -b "dc=thegeekstuff,dc=com" "(objectclass=*)"
Enter LDAP Password:

The output of the above command will display all the objects in the LDAP directory structure.

# extended LDIF
#
# LDAPv3
# base <dc=thegeekstuff,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# thegeekstuff.com
dn: dc=thegeekstuff,dc=com
objectClass: dcObject
objectClass: organization
o: thegeekstuff.com
dc: thegeekstuff
# users, thegeekstuff.com
dn: ou=users,dc=thegeekstuff,dc=com
objectClass: organizationalUnit
objectClass: top
ou: users
# groups, thegeekstuff.com
dn: ou=groups,dc=thegeekstuff,dc=com
objectClass: organizationalUnit
objectClass: top
ou: groups
# search result
search: 2
result: 0 Success
# numResponses: 4
# numEntries: 3

In the next OpenLDAP article, we’ll explain how to add new users and groups to the LDAP Directory.


  • Jalal Hajigholamali January 7, 2015, 2:09 am

    Hi,
    Thanks a lot for very nice article.

  • ManojK January 7, 2015, 3:00 am

    How to create a group called testgroup and a user (testuser1) where testuser1 belongs to only testgroup.

  • Trung Le Viet January 7, 2015, 6:59 am

    Great, thanks for very nice article. Please post next article soon. 🙂

  • Anton January 7, 2015, 9:09 am

    The problem with this kind of how-to is that its too general and not actually useful.

    What I’d want to see is, for example, how to set up LDAP to support my database of contacts supporting both my Thunderbird on PC and on my tablet and phone emailers. And that database is not of “internal, corporate” but of all the different classes of contacts, for example, I’m currently managing under Thunderbird.

  • Matt Yakel January 7, 2015, 2:54 pm

    Good article thanks, do you think that you could cover how to implement TLS on the OpenLDAP for CentOS 6.6 & 7 Thanks again.

  • Dnyaneshwar Sonawane January 8, 2015, 6:34 am

    Hi

    Thanks for such a nice article.

    Do you know how to configure openldap with mysql backend, Password Policy with replication (syncrepl)

  • neeraj January 8, 2015, 2:02 pm

    I am new to this. pls excuse my dumb question.
    In other online posts that i have seen, they ask to configure slapd.conf file but here you dont do that. Instead you are doing your config in config.ldif file. What’s the difference between the two approaches?

  • Dipanjan Mukherjee January 10, 2015, 1:52 pm

    Very useful article. Waiting for the next part..

  • Rajavel January 13, 2015, 5:33 am

    Waiting for next LDAP article…. 🙂

  • hansel January 16, 2015, 2:07 am

    You mention that the checksum error on “/etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif” and “..{2}bdb.ldif” can be ignored “for now”. I agree, I get the message on my system but the ldap server is functioning fine.
    But I would like to correct the crc32 checksum now. Can you tell us how to deal with this error?

  • Golden John January 21, 2015, 7:49 am

    These steps are done; I successfully configured this on CentOS 6.6, but I need the client authentication configuration steps.

    I got a result when giving this command: ldapsearch -x -b "dc=goldenjohn,dc=com"
    but my doubt is that I can't view the user when giving the "getent passwd" command.

    1. I am able to view the user with "getent passwd" in the older version, CentOS 5.8, but I am not seeing it in CentOS 6.6.

    2. When I create any user in the older OpenLDAP version (CentOS 5.8), I am able to log in as the super user at the command prompt on the same OpenLDAP server (su - username), but I can't log in on the locally configured OpenLDAP server (CentOS 6.6) using the super user (su -); it shows an error message like "user golden does not exist".

    The result of this command: ldapsearch -x -b "dc=goldenjohn,dc=com"

    dn: uid= golden,ou=People,dc=goldenjohn,dc=com
    uid: golden
    cn: golden
    mail: golden@goldenjohn.om
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    objectClass: shadowAccount
    userPassword;: e1NTSEF9dTJCbTV1YUhJK205MBRN2pRbmNybkdJdnNvc2x5UTUg
    shadowLastChange: 16443
    shadowMin: 0
    shadowMax: 99999
    shadowWarning: 7
    loginShell: /bin/bash
    uidNumber: 506
    gidNumber: 502
    homeDirectory: /home/golden

    # search result
    search : 1
    result : 0 Success

    I am waiting for the next steps to configure client authentication with TLS.

  • mnorin February 2, 2015, 12:19 am

    DO NOT MODIFY ldif-files in /etc/openldap/slapd.d manually. Use ldapmodify instead.

  • Candido February 2, 2015, 1:27 am

    Great tutorial.
    Well done.

  • Tarun February 2, 2015, 5:00 am

    Hello,
    I have some trouble in adding the password.
    You said to: vi /etc/openldap/slapd.d/cn=config.ldif and modify olcRootPW: {SSHA}1pgok6qWn24lpBkVreTDboTr81rg4QC6.

    But I can’t find olcRootPW in cn=config.ldif. Do I need to add the olcRootPW line with my password?

  • Erix February 3, 2015, 12:42 am

    Hi,

    Thank you and Thank you again to share with you knowledge!
    As always it’s brilliant and clear. I think, as the other readers, I’m waiting for a few more of your “news” about OpenLdap. We know, now, what it is and how it works, with your big help. Can we see a few options of it, like implementing TLS, but as well how to use it on different platforms. Let’s imagine we have our OpenLdap server on, let’s say, one of our preferred Linux servers and after implementing, how will we do for:
    – having a master/slave (read only or copy of the master OpenLdap server, a kind of redundancy)?
    – “connecting” different kinds of *nix systems to use it (Solaris, HP/UX, AIX…)?
    – using this brand new OpenLdap server for authenticating the users who want to connect/login on Win2008/12-R2.
    In fact, using this new OpenLdap server as our unique source for user authentication for our Lab?

    A BIG thanks AGAIN for your Brilliant work and thanks for sharing with us your knowledge.

    All the best
    Regards
    Erix

  • kouete February 4, 2015, 5:05 am

    hi,
    nice article
    Rather than creating a new structure, is it possible to import an existing structure associated with the users and all…?
    What are the disadvantages or advantages?

  • hansel February 5, 2015, 7:23 am

    @Tarun, yes, add the value yourself. It should be in there.

  • Golden John February 17, 2015, 6:14 am

    Thanks very useful to deploy it.

  • Golden John February 17, 2015, 6:27 am

    Ramesh, if you give the OpenLDAP documents, installation and configuration steps in your blog, it would be very useful for everyone.

    Installation on the server side and client side.

    I need the client TLS login authentication methods and steps. I am eagerly waiting for your input on this topic; kindly reply back because I have already partially demonstrated this.

  • Tarun February 23, 2015, 12:17 am

    Hello, when I run the command: ldapadd -x -W -D “cn=ramesh,dc=thegeekstuff,dc=com” -f base.ldif and enter the password, I get the following error: ldap_bind: Invalid credentials (49).

  • hansel February 23, 2015, 3:51 am

    Seems you are using the wrong password. Which one are you using? You should use the LDAP admin password you made yourself. Note: not the encrypted one ({SSHA}xxxxxxxxxxxxxxx) but the “readable” one.

  • Tarun February 23, 2015, 5:41 am

    I used the “readable” one but I still get the same error ldap_bind: Invalid credentials (49)
    🙁

  • Tarun March 9, 2015, 3:39 am

    Yeah it’s working fine now thanks. Do you have an article on how to add users and groups?

  • Golden John April 20, 2015, 1:26 am

    Kindly mention whether this installation is supported on Red Hat 7 / CentOS 7.

    I have done the CentOS 6.6 OpenLDAP installation; refer to my blog http://sysadmin3.blogspot.in/

    Many Thanks
    Golden John S

  • Melissa May 5, 2015, 11:48 pm

    Would LOVE to get a notification or something when the next article about client configuration is up! Thanks a ton for the article, it was extremely helpful!

  • sundar May 13, 2015, 2:19 pm

    Take the hash output of the above command and add it to the oclRootPW parameter in the config.ldif file as shown below.

    # vi /etc/openldap/slapd.d/cn=config.ldif
    olcRootPW: {SSHA}1pgok6qWn24lpBkVreTDboTr81rg4QC6

    ================================

    As olcRootPW: will come under the root DN, and the root DN is at config.ldif; instead it must be at olcDatabase={2}bdb.ldif.

  • Gerry May 25, 2015, 11:08 am

    I was getting the error:
    ldap_add: Type or value exists (20)
    additional info: objectClass: value #2 provided more than once

    when adding base.ldif. It turns out I needed a blank line between entries. In my case:

    dn: dc=lava, dc=com
    objectClass: dcObject
    objectClass: organization
    o: lava.com
    dc: lava

    dn: ou=users, dc=lava, dc=com
    objectClass: organizationalUnit
    objectClass: top
    ou: users

    dn: ou=groups, dc=lava, dc=com
    objectClass: organizationalUnit
    objectClass: top
    ou: groups

  • james May 30, 2015, 12:01 am

    Very helpful. Thanks.
    A bit to tidy up. With the base.ldif file, you get this error:
    ldapadd: attributeDescription “dn”: (possible missing newline after line 9, entry “dc=xxx,dc=com”?)

    Solution
    Add a new line before each of the “dn” lines; that solves the problem.
    For those who do not have base.ldif, just copy and paste and create a new file :0

  • kathiresh July 12, 2015, 12:55 am

    Thanks for the article !!! very helpful !!!!!

  • Richard Christofferson August 17, 2015, 3:49 pm

    This isn’t the first time I’ve used your howtos.
    Thanks Much.

  • rick October 15, 2015, 7:22 pm

    Once I set this up, how do I get it to act as a backup server (slave) to the current master LDAP server running Xandros (very old and being replaced)?

  • Yong November 9, 2015, 4:31 am

    Thanks for the guide! However, I hit an error on the olcRootPW; after I put it in {2}bdb.ldif, it solved the error.

    And I hit an error on the base.ldif section; I needed to enter empty lines between the dc, users and groups entries, and then the error was fixed.

  • Bob March 20, 2016, 7:05 pm

    Thanks for the info.

    You recommended placing the olcRootPW in /etc/openldap/slapd.d/cn=config.ldif but that actually failed, says it has to go under the Suffix. I moved it to the other file and it works fine now.

    I tried creating a second dn set for example.com and now I always get credential errors. Do I need to create a 2nd root password for the 2nd domain? How does that work?

    Did you ever create the 2nd article on adding users and groups?

    Thanks for your help. Thanks for your site, I learn a lot from you.

    Bob

  • Shebin September 9, 2016, 1:47 pm

    Good one, Thanks!

  • Raghuveer November 27, 2016, 12:11 pm

    Hi sir,
    It is very helpful and clearly understood. Many thanks for great help!!!
    Br,
    Raghuveer.

  • Xavier November 29, 2016, 5:50 pm

    It really helped me a lot!! Thank you very much for taking the time to explain this kind of stuff. I really appreciate it. Once again, thank you.