
Here’s my take on how to set up the OpenLDAP server 2.4.X on CentOS 6. I’ve got an actual system working in a test environment.

Start by installing the required packages.

yum install openldap-servers openldap-clients

Now we need to do the backend configuration. This used to live in slapd.conf, but it is now stored in the cn=config database under /etc/openldap/slapd.d.

Next, generate the Manager (root) password hash for the OpenLDAP server.

slappasswd

Edit the file /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{1\}bdb.ldif
Make sure you substitute dc=my-domain,dc=com with your domain; for this example I’ll use dc=example,dc=com.
Here’s a nice vi regular expression: :%s/dc=my-domain,dc=com/dc=example,dc=com/g

You’ll need to change the “olcRootPW” line and add the root password hash you generated earlier with slappasswd. Here’s an example.

olcRootPW: {SSHA}yourhashhere

Add these certificate lines as well; we will generate the certificate and key later (for TLS encryption).

olcTLSCertificateFile: /etc/pki/tls/certs/slapdcert.pem
olcTLSCertificateKeyFile: /etc/pki/tls/certs/slapdkey.pem

Now you need to edit /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}monitor.ldif and, again, substitute the default domain name. This sets the “root” account of your LDAP server; I use Manager for my account name.

:%s/cn=manager,dc=my-domain,dc=com/cn=Manager,dc=example,dc=com/g

Create the basic database configuration LDAP needs the first time it runs. The example DB_CONFIG may also be in /usr/share/openldap-servers.

cp /usr/share/doc/openldap-servers-2.4.19/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

Change the ownership of /var/lib/ldap to ldap:ldap

chown -R ldap:ldap /var/lib/ldap/

Enable LDAPS (LDAP over TLS) in the ldap service configuration

#vi /etc/sysconfig/ldap
SLAPD_LDAPS=yes

Generate the required self-signed certificate and key (valid for 365 days)

openssl req -new -x509 -nodes -out /etc/pki/tls/certs/slapdcert.pem -keyout /etc/pki/tls/certs/slapdkey.pem -days 365

Set the correct ownership and permissions on the certificate and key so slapd (which runs as the ldap user) can read them

chown root:ldap /etc/pki/tls/certs/slapdcert.pem /etc/pki/tls/certs/slapdkey.pem
chmod 750 /etc/pki/tls/certs/slapdkey.pem

Let’s test the configuration:

# slaptest -u
config file testing succeeded
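The hand edits above (substituting the suffix, setting olcRootPW, adding the TLS attributes) can be done and sanity-checked with a small shell helper before running slaptest. This is an added example, not part of the original post; it assumes the slapd 2.4 cn=config attribute names and the certificate paths used in this post.

```shell
#!/bin/sh
# Added example, not part of the original post: apply the hand edits described
# above to a cn=config LDIF and sanity-check the result before running slaptest.
# Attribute names (olcSuffix, olcRootDN, olcRootPW, olcTLS*) are the slapd 2.4
# cn=config names; the certificate paths are the ones used in this post.

# configure_bdb_ldif FILE OLD_SUFFIX NEW_SUFFIX ROOTPW_HASH
# Substitutes the suffix everywhere (the sed form of the :%s vi command),
# sets olcRootPW to the slappasswd hash, and adds the TLS attributes once.
configure_bdb_ldif() {
    file=$1; old=$2; new=$3; hash=$4
    sed -i "s/$old/$new/g" "$file"
    if grep -q '^olcRootPW:' "$file"; then
        sed -i "s|^olcRootPW:.*|olcRootPW: $hash|" "$file"
    else
        printf 'olcRootPW: %s\n' "$hash" >> "$file"
    fi
    grep -q '^olcTLSCertificateFile:' "$file" ||
        printf 'olcTLSCertificateFile: /etc/pki/tls/certs/slapdcert.pem\n' >> "$file"
    grep -q '^olcTLSCertificateKeyFile:' "$file" ||
        printf 'olcTLSCertificateKeyFile: /etc/pki/tls/certs/slapdkey.pem\n' >> "$file"
}

# check_bdb_ldif FILE NEW_SUFFIX
# Returns 0 only when the file looks right: suffix and rootdn rewritten, no
# leftover default suffix, root password stored as an {SSHA} hash rather than
# cleartext, and the TLS key configured.
check_bdb_ldif() {
    file=$1; new=$2; rc=0
    grep -q "^olcSuffix: $new\$" "$file" || { echo "olcSuffix not set to $new"; rc=1; }
    grep -q "^olcRootDN: cn=Manager,$new\$" "$file" || { echo "olcRootDN not rewritten"; rc=1; }
    if grep -q 'dc=my-domain' "$file"; then echo "default suffix still present"; rc=1; fi
    grep -q '^olcRootPW: {SSHA}' "$file" || { echo "olcRootPW is not an {SSHA} hash"; rc=1; }
    grep -q '^olcTLSCertificateKeyFile:' "$file" || { echo "TLS key file not configured"; rc=1; }
    return $rc
}

# Usage on a real system (before slapd is first started; run slaptest -u afterwards):
# configure_bdb_ldif '/etc/openldap/slapd.d/cn=config/olcDatabase={1}bdb.ldif' \
#     dc=my-domain,dc=com dc=example,dc=com "$(slappasswd)"
# check_bdb_ldif '/etc/openldap/slapd.d/cn=config/olcDatabase={1}bdb.ldif' dc=example,dc=com
```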

So now your backend is set up; let’s do the frontend (the user accounts, groups etc.)

I’ve created some ldif files which should make creating accounts easier. Just edit the files accordingly, remembering to change your dc, cn etc.

UPDATE: I’ve recreated these files as I believe there was some crappy Windows formatting in them!

The base.ldif:
https://dl.dropbox.com/u/10655536/openldap/base.ldif
The newgroup.ldif:
https://dl.dropbox.com/u/10655536/openldap/newgroup.ldif
The newpeople.ldif:
https://dl.dropbox.com/u/10655536/openldap/newpeople.ldif

Now you need to import the base, user and group templates. You will need to authenticate as your Manager account.

ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f base.ldif
ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f newgroup.ldif
ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f newpeople.ldif

Now query your LDAP server and see what happens!
ldapsearch -x -b "dc=example,dc=com"
