setup openldap-server on CentOS-6.7

install the openldap packages

# yum install openldap-server openldap-clients

On CentOS/Red Hat the OpenLDAP service is called slapd. It is stopped by default; start it once all configuration is done.

configure openldap
All configuration files are under /etc/openldap/slapd.d/cn\=config

# cd /etc/openldap/slapd.d/cn\=config

The first step is to change the default domain in two files: olcDatabase={1}monitor.ldif and olcDatabase={2}bdb.ldif.
Open both files with vi or another editor and replace the string my-domain with your own domain name (yess in the rest of this guide); in vi this is done with a substitution command.
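The same replacement can be scripted instead of done by hand. The function below is an added example, not a command from the original article: it rewrites the suffix with sed, keeps a .bak copy of each file, and reports whether the old suffix survived anywhere. It assumes the stock CentOS 6 config spells the default suffix as dc=my-domain,dc=com and that you run it as root from the cn=config directory; the function names are mine.

```shell
#!/bin/sh
# Added example, not part of the original article: do the my-domain replacement
# with sed instead of editing the two files by hand, and check the result.
# Assumption: the stock CentOS 6 config carries the suffix dc=my-domain,dc=com.

# replace_suffix OLD_SUFFIX NEW_SUFFIX FILE...
# Rewrites every occurrence of OLD_SUFFIX into NEW_SUFFIX in each file, keeping a
# .bak copy of the original. Returns 1 if any file still mentions OLD_SUFFIX.
replace_suffix() {
    old="$1" new="$2"
    shift 2
    rc=0
    for f in "$@"; do
        cp -p "$f" "$f.bak" || { echo "cannot back up $f" >&2; return 1; }
        # '|' as the sed delimiter because the suffixes contain '=' and ','
        sed -i "s|$old|$new|g" "$f"
        if grep -qF "$old" "$f"; then
            echo "WARNING: $f still contains $old" >&2
            rc=1
        fi
    done
    return $rc
}

# suffix_lines SUFFIX FILE: how many lines of FILE mention SUFFIX (0 if none).
suffix_lines() {
    grep -cF "$1" "$2" || true
}

# Usage on the server, from /etc/openldap/slapd.d/cn=config:
#   replace_suffix 'dc=my-domain,dc=com' 'dc=yess,dc=com' \
#       'olcDatabase={1}monitor.ldif' 'olcDatabase={2}bdb.ldif'
```

The .bak copies are there so the edit can be undone if slapd refuses to start afterwards; delete them once the service is confirmed working, since they sit in the live config directory.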


The next step is to set a password for the LDAP admin. Generate the password hash with the slappasswd command:

# slappasswd
New password: 
Re-enter new password:

In olcDatabase={1}monitor.ldif and olcDatabase={2}bdb.ldif, find the line that starts with olcRootDN and add the following line after it, using the hash that slappasswd printed for you (the value below is the one from this guide's run):

olcRootPW: {SSHA}PlOJU60HjF+WTt9/8L10fjPyTugQ79V

copy database config file
Copy the DB_CONFIG example from /usr/share/openldap-servers to /var/lib/ldap and set its owner to ldap:

# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
# chown -R ldap:ldap /var/lib/ldap

configure ldap logging
Now let's set up logging. Open /etc/rsyslog.conf:

# vi /etc/rsyslog.conf
Add the line below (slapd logs to the local4 syslog facility by default):
local4.*                         /var/log/slapd/slapd.log

Create the log directory and set its permissions:

# mkdir /var/log/slapd
# chmod 755 /var/log/slapd
# chown -R ldap:ldap /var/log/slapd

Restart the rsyslog service:

# /etc/init.d/rsyslog restart

setup iptables

# iptables -I INPUT -m tcp -p tcp --dport 389 -j ACCEPT
# iptables -I INPUT -m tcp -p tcp --dport 636 -j ACCEPT
# service iptables save

LDAP ports:
389 ldap
636 ldaps
Or, if you prefer, stop iptables entirely (this flushes all rules):

# /etc/init.d/iptables stop

start and restart service
Once all configuration is finished, start the service (or restart it to apply changes):

# service slapd start
# service rsyslog restart

Verify that slapd is listening and check its log:

# netstat -tpln | grep slapd
# tail -f /var/log/slapd/slapd.log

Set up first import using ldapadd
The next step is to create the root entry for LDAP. Create a file named root.ldif:

# vi root.ldif

dn: dc=yess,dc=com
dc: yess
o: yess
objectclass: dcObject
objectclass: organization

Now add this entry to LDAP using the command below:

# ldapadd -x -D "cn=Manager,dc=yess,dc=com" -W -f root.ldif

Enter the admin password that you created earlier when prompted. This command adds the root entry to the LDAP server.
-x : use simple authentication instead of SASL
-D : binddn, the distinguished name to bind to the ldap directory
-W : prompt for authentication instead of entering password in the command line
-f : read information from the given file instead of the standard input

Verify import using ldapsearch
Now that we have added a single entry, verify it by querying the LDAP server:

# ldapsearch -x -b dc=yess,dc=com

# extended LDIF
# LDAPv3
# base  with scope subtree
# filter: (objectclass=*)
# requesting: ALL

dn: dc=yess,dc=com
dc: yess
o: yess
objectClass: dcObject
objectClass: organization

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

To see the actual query output without comments and LDAP version information, use the -LLL option as shown below.

# ldapsearch -x -LLL -b dc=yess,dc=com 

dn: dc=yess,dc=com 
dc: yess 
o: yess 
objectClass: dcObject 
objectClass: organization

Create LDAP Users
We now have a root entry, dc=yess,dc=com. Let's add some organizational units (OUs) and some users.

Add organizational units (OU):
Create a file named usersou.ldif with the contents below (LDIF entries must be separated by a blank line):

dn: ou=users,dc=yess,dc=com
objectClass: organizationalUnit
ou: users

dn: ou=groups,dc=yess,dc=com
objectClass: organizationalUnit
ou: groups

Now add it to LDAP using the command below:

# ldapadd -x -D "cn=Manager,dc=yess,dc=com" -W -f usersou.ldif 
Enter LDAP Password: 
adding new entry "ou=users,dc=yess,dc=com"
adding new entry "ou=groups,dc=yess,dc=com"

Add a user to OU users:

We shall add a user to the newly created users organizational unit. Create a file named users.ldif with the content below.

# Section for User's primary group
dn: cn=erick,ou=groups,dc=yess,dc=com
cn: erick
objectClass: top
objectClass: posixGroup
gidNumber: 5000

# Section for User
dn: uid=erick,ou=users,dc=yess,dc=com
cn: erick saputra
givenName: erick
sn: saputra
uid: erick
uidNumber: 5000
gidNumber: 5000
homeDirectory: /home/erick
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
loginShell: /bin/bash
userPassword: {CRYPT}*

Add it to LDAP using the command below:

# ldapadd -x -D "cn=Manager,dc=yess,dc=com" -W -f users.ldif

Set a password for the newly created user using the command below (-S prompts for the new password):

# ldappasswd -x -D "cn=Manager,dc=yess,dc=com" -W -S "uid=erick,ou=users,dc=yess,dc=com"

We are done adding a user and his primary group.
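The two entries above can be generated for any account rather than typed by hand. The functions below are an added example, not part of the original article: one prints the primary-group and user entries for a given account, the other checks an LDIF file for the mistake of running entries together without the blank line LDIF requires, which makes ldapadd reject the file. The ou=users/ou=groups layout and the attribute set are taken from the entries above; the function names and argument order are mine.

```shell
#!/bin/sh
# Added example, not from the original article: build the primary-group and
# user entries for any posix account instead of hand-editing users.ldif.
# Assumptions: the ou=users / ou=groups layout and attribute set shown above;
# the function name and argument order are mine.

# posix_user_ldif BASE_DN UID UIDNUMBER GIDNUMBER GIVENNAME SN
# Prints a two-entry LDIF (group first, then user) separated by a blank line,
# with the password locked ({CRYPT}*) so it must be set with ldappasswd.
posix_user_ldif() {
    base="$1" uid="$2" uidn="$3" gidn="$4" given="$5" sn="$6"
    cat <<EOF
# primary group for $uid
dn: cn=$uid,ou=groups,$base
cn: $uid
objectClass: top
objectClass: posixGroup
gidNumber: $gidn

# account $uid
dn: uid=$uid,ou=users,$base
cn: $given $sn
givenName: $given
sn: $sn
uid: $uid
uidNumber: $uidn
gidNumber: $gidn
homeDirectory: /home/$uid
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
loginShell: /bin/bash
userPassword: {CRYPT}*
EOF
}

# ldif_check_separated: read LDIF on stdin; exit 0 if every "dn:" line after the
# first is preceded by a blank line (comment lines are ignored), 1 otherwise.
# Running a file through this before ldapadd catches the missing-blank-line mistake.
ldif_check_separated() {
    awk '/^#/ { next }
         /^dn: / && prev != "" { bad = 1 }
         { prev = $0 }
         END { exit bad ? 1 : 0 }'
}

# Usage on the server:
#   posix_user_ldif 'dc=yess,dc=com' erick 5000 5000 erick saputra > users.ldif
#   ldif_check_separated < users.ldif && \
#       ldapadd -x -D "cn=Manager,dc=yess,dc=com" -W -f users.ldif
```

Keeping userPassword at {CRYPT}* means the account cannot log in until ldappasswd sets a real hash, so a generated file that is imported but never followed by the password step leaves a locked account rather than one with a known default.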

Query LDAP for users
Let's query the user we created in the previous step. You can use any of the user's attributes to query LDAP. Try the following search commands:

# ldapsearch -x -LLL "uid=erick" -b "ou=users,dc=yess,dc=com"
# ldapsearch -x -LLL "cn=erick saputra" -b "ou=users,dc=yess,dc=com"
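Checking a search result by eye works for one entry; for a bulk import it helps to turn the -LLL output into something grep and awk can count. The functions below are an added example, not from the original article: they flatten LDIF into one "dn, attribute, value" record per line, handling the two quirks ldapsearch emits (folded continuation lines and base64 "attr::" values), and then count entries or pull out one attribute. SAMPLE_LDIF is constructed for the example in the shape of the -LLL output shown earlier, not captured from a server; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original article: flatten ldapsearch -LLL output
# into "dn<TAB>attribute<TAB>value" records so an import can be checked with
# grep/awk. It handles the two LDIF quirks ldapsearch emits: folded lines (a
# leading space continues the previous line) and base64 values ("attr:: ...").
# SAMPLE_LDIF below is constructed for this example, not captured from a server.

# ldif_flatten: LDIF on stdin -> one "dn<TAB>attr<TAB>value" line per attribute.
ldif_flatten() {
    awk '
        function emit(line,   i, attr, val, cmd) {
            if (line == "" || line ~ /^#/) return
            i = index(line, ":")
            attr = substr(line, 1, i - 1)
            val = substr(line, i + 1)
            if (substr(val, 1, 1) == ":") {          # "attr:: <base64>"
                val = substr(val, 2); sub(/^ */, "", val)
                cmd = "printf %s \"" val "\" | base64 -d"
                cmd | getline val; close(cmd)
            } else {
                sub(/^ */, "", val)
            }
            if (attr == "dn") dn = val               # remember the current entry
            print dn "\t" attr "\t" val
        }
        /^ / { buf = buf substr($0, 2); next }       # folded continuation line
        { if (buf != "") emit(buf); buf = $0 }
        END { if (buf != "") emit(buf) }'
}

# ldif_attr_values ATTR: every value of ATTR across all entries, one per line.
ldif_attr_values() {
    ldif_flatten | awk -F '\t' -v a="$1" '$2 == a { print $3 }'
}

# ldif_entry_count: number of entries (dn lines) in the result.
ldif_entry_count() {
    ldif_flatten | awk -F '\t' '$2 == "dn" { n++ } END { print n + 0 }'
}

# Constructed sample modelled on the -LLL output shown above. "cn::" carries a
# base64 value (ldapsearch does this for non-ASCII or non-printable data) and
# the description is folded onto a second line.
SAMPLE_LDIF='dn: dc=yess,dc=com
dc: yess
o: yess
objectClass: dcObject
objectClass: organization

dn: uid=erick,ou=users,dc=yess,dc=com
uid: erick
cn:: ZXJpY2sgc2FwdXRyYQ==
description: a long description
  that ldapsearch folded
objectClass: posixAccount
'

# On the server, e.g.:  ldapsearch -x -LLL -b dc=yess,dc=com | ldif_attr_values uid
```

After an import, comparing `ldif_entry_count` against the number of entries in the LDIF you fed to ldapadd is a quick way to confirm nothing was silently skipped, and `ldif_attr_values uidNumber | sort | uniq -d` flags duplicate uidNumber values before they reach client machines.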

#source :

Hope this article helps you.

