

The Lightweight Directory Access Protocol (LDAP) is used to look up organizations, people and other resources over the internet or within an organization's intranet, running over TCP/IP. A directory is arranged as a tree (the directory information tree), classically laid out as:

  • the root, from which everything branches, to
  • countries, which branch out to
  • organizations, which branch out to
  • organizational units, which finally branch out to
  • individual entries (people, groups, devices and other resources)

Most deployments today, including the one built below, instead root the tree at domain components (dc=example,dc=hostadvice,dc=local for the domain example.hostadvice.local) and hang organizational units such as People and Group beneath it.

OpenLDAP is the open-source implementation of the LDAP protocol used in this guide; its server daemon is slapd. It is a hierarchical, read-optimized directory store rather than a relational database. It is typically used as the central address book of user and group accounts and as an authentication backend for services such as Samba, which lets it take over some of the roles of a domain controller.



Update System Packages

$ sudo yum update

Install the OpenLDAP server, client tools and related packages

$ sudo yum install openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel compat-openldap

Enable slapd so it starts at boot, and start it now

$ sudo systemctl enable slapd
$ sudo systemctl start slapd

Generate the administrator password hash

$ sudo slappasswd

slappasswd asks for the password twice and prints a salted SHA-1 hash of the form {SSHA}...; only this hash goes into the configuration, so the cleartext password never lands in a file.

Special Note: Save the hash output, you will need it in the next step.

Configure OpenLDAP

Create a file called db.ldif with your favorite text editor and paste in the content below. The three change records point the default database ({2}hdb on CentOS 7) at your suffix, name the administrator (rootdn) and set its password. In this guide the domain is example.hostadvice.local, which maps to the suffix dc=example,dc=hostadvice,dc=local; replace the dc and cn values with your own. Each record must be separated from the next by a blank line, which LDIF requires:

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=example,dc=hostadvice,dc=local

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=ldapadm,dc=example,dc=hostadvice,dc=local

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: hashed_output_from_the_slappasswd_command

Apply it over the local ldapi:/// socket. -Y EXTERNAL authenticates with the calling process's Unix credentials (SASL EXTERNAL), and only root is allowed to modify cn=config that way, which is why sudo is needed:

$ sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f db.ldif

Restrict the monitor database so that only root (over the local socket) and ldapadm can read it. Create another file called monitor.ldif and paste in the contents below, again replacing the dc and cn names. The olcAccess value is a single long line:

dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=ldapadm,dc=example,dc=hostadvice,dc=local" read by * none

Deploy the configuration:

$ sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f monitor.ldif

For encrypted connections (StartTLS on port 389, or LDAPS on port 636) we generate a private key and a self-signed certificate. -nodes leaves the key unencrypted, which slapd needs because it cannot prompt for a passphrase at start-up:

$ sudo openssl req -new -x509 -nodes -out /etc/openldap/certs/myldap.example.hostadvice.local.cert -keyout /etc/openldap/certs/myldap.example.hostadvice.local.key -days 365

Follow the prompts and fill in your details. The Common Name must be the host name clients will use to connect, otherwise they will reject the certificate. Because the certificate is self-signed, clients also have to trust it explicitly (for example via TLS_CACERT in /etc/openldap/ldap.conf).

slapd runs as the ldap user, so give it ownership of the certificate directory; the private key in particular must not be readable by other users:

$ sudo chown -R ldap:ldap /etc/openldap/certs

Configure OpenLDAP to use TLS. Create a file called certs.ldif and paste in the following contents, replacing the cert and key names with your own:

dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/myldap.example.hostadvice.local.cert

dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/myldap.example.hostadvice.local.key

Apply it the same way as the previous files, with ldapmodify -Y EXTERNAL -H ldapi:/// -f certs.ldif. StartTLS on the normal ldap:// port now works; to listen on ldaps:// (port 636) as well, add ldaps:/// to SLAPD_URLS in /etc/sysconfig/slapd and restart slapd.
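The TLS steps above leave verification to the reader. The shell script below is an added example and not part of the original article: it carries the whole sequence through non-interactively and checks it. It generates the key pair and self-signed certificate, tightens the key's permissions, sends both TLS attributes to cn=config in a single change record (so slapd validates certificate and key as a matching pair instead of rejecting a new certificate against the old key), and then proves StartTLS works with ldapsearch -ZZ, which fails unless the TLS handshake succeeds. The host name, directory and file names are assumed placeholders that follow the article's naming; run it as root on the server with --apply.

```shell
#!/bin/sh
# Added example (not from the original article): self-signed TLS for slapd.
# LDAP_HOST and CERT_DIR are assumed placeholders; override them via the
# environment if your names differ.
set -eu

LDAP_HOST="${LDAP_HOST:-myldap.example.hostadvice.local}"
CERT_DIR="${CERT_DIR:-/etc/openldap/certs}"
CERT="$CERT_DIR/$LDAP_HOST.cert"
KEY="$CERT_DIR/$LDAP_HOST.key"

# Render one LDIF change record that sets certificate and key together.
# The "-" line separates the two modifications within the same record.
tls_ldif() {
  printf 'dn: cn=config\n'
  printf 'changetype: modify\n'
  printf 'replace: olcTLSCertificateFile\n'
  printf 'olcTLSCertificateFile: %s\n' "$1"
  printf '%s\n' '-'
  printf 'replace: olcTLSCertificateKeyFile\n'
  printf 'olcTLSCertificateKeyFile: %s\n' "$2"
}

# Succeed only if the path is a regular file with mode exactly 0600,
# i.e. readable by its owner (the ldap user) and nobody else.
key_is_private() {
  [ -f "$1" ] && [ -n "$(find "$1" -type f -perm 600 2>/dev/null)" ]
}

apply_tls() {
  # 1. Key and self-signed certificate. -nodes: unencrypted key, because
  #    slapd cannot prompt for a passphrase. CN must equal the host name
  #    clients connect to, or they will refuse the certificate.
  openssl req -new -x509 -nodes -newkey rsa:2048 -days 365 \
    -subj "/CN=$LDAP_HOST" -keyout "$KEY" -out "$CERT"

  # 2. slapd runs as ldap; the key must be readable by that user only.
  chown ldap:ldap "$CERT" "$KEY"
  chmod 0644 "$CERT"
  chmod 0600 "$KEY"
  key_is_private "$KEY" || { echo "key permissions wrong: $KEY" >&2; exit 1; }

  # 3. Push both attributes to cn=config over the root-only ldapi socket.
  tls_ldif "$CERT" "$KEY" | ldapmodify -Y EXTERNAL -H ldapi:///

  # 4. Verify. -ZZ demands a successful StartTLS; LDAPTLS_CACERT makes the
  #    client trust our self-signed certificate for this one call (put
  #    TLS_CACERT in /etc/openldap/ldap.conf to make that permanent).
  LDAPTLS_CACERT="$CERT" ldapsearch -ZZ -x -H "ldap://$LDAP_HOST" \
    -b '' -s base '(objectClass=*)' namingContexts
}

# Only touch the system when explicitly asked; the functions above can be
# sourced or tested without side effects.
if [ "${1:-}" = "--apply" ]; then
  apply_tls
fi
```

If step 4 fails with a certificate verification error, the Common Name does not match the name in the URL or the client is not trusting the certificate; if it fails before that, check that the key is owned by ldap and that slapd's log (journalctl -u slapd) shows the TLS attributes being accepted.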

Setting up the Database

Copy the example Berkeley DB configuration into the database directory and give the ldap user ownership of that directory, since slapd writes there:

$ sudo cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
$ sudo chown -R ldap:ldap /var/lib/ldap

Load the standard schemas that the entries below depend on, in this order (nis builds on cosine; inetorgperson provides inetOrgPerson, nis provides posixAccount and posixGroup):

$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

Lastly, create a base.ldif file holding the top of the tree: the domain entry, a placeholder entry for ldapadm, and the People and Group containers. Replace the dc values with your own:

dn: dc=example,dc=hostadvice,dc=local
dc: example
objectClass: top
objectClass: domain

dn: cn=ldapadm,dc=example,dc=hostadvice,dc=local
objectClass: organizationalRole
cn: ldapadm
description: LDAP Manager

dn: ou=People,dc=example,dc=hostadvice,dc=local
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=example,dc=hostadvice,dc=local
objectClass: organizationalUnit
ou: Group

Load these entries, binding as ldapadm. -x selects a simple bind and -W prompts for the cleartext ldapadm password (the one you hashed with slappasswd), so this step also confirms that olcRootPW was set correctly:

$ ldapadd -x -W -D "cn=ldapadm,dc=example,dc=hostadvice,dc=local" -f base.ldif


If none of the commands produced errors, OpenLDAP is installed and configured on your CentOS 7 server and you can start adding users. Managing the directory is often easier through a GUI, so also see How to Install and Configure phpLDAP on CentOS 7 / Ubuntu 18.04.
