Ben's notes

Linux, Unix, network, radio...


OpenLDAP 2.4 server with TLS

This guide installs OpenLDAP 2.4 with TLS. Tested on a CentOS 6.5 minimal install.

Configure iptables

  • Open TCP 389 (LDAP, plain or STARTTLS) and TCP 636 (LDAPS). The commands below insert the rules at positions 6 and 7 of the INPUT chain, ahead of the final REJECT rule of the stock CentOS ruleset (check with iptables -L INPUT --line-numbers and adjust the position if your chain differs). service iptables save then writes the running ruleset to /etc/sysconfig/iptables so it survives a reboot. If every client will use ldaps:// only, leave 389 closed: without STARTTLS it carries binds and passwords in clear text.
iptables -I INPUT 6 -m state --state NEW -m tcp -p tcp --dport 389 -m comment --comment LDAP -j ACCEPT
iptables -I INPUT 7 -m state --state NEW -m tcp -p tcp --dport 636 -m comment --comment LDAPS -j ACCEPT

service iptables save

Install OpenLDAP 2.4

Install packages

yum install openldap-clients pam_ldap nss-pam-ldapd pam_krb5 sssd migrationtools openldap-servers openldap openldap-devel

Configure SSL certificates

Put your CA root certificate, server certificate and private key in the files below. The private key must be owned by the ldap user and readable by nobody else, because the service runs as that user.

/etc/openldap/certs/cacert.pem #CA root certificate
/etc/openldap/certs/server.key #private key
/etc/openldap/certs/server.crt #server certificate

Enable the ldaps:// listener on port 636, which CentOS 6 ships disabled: edit /etc/sysconfig/ldap and set SLAPD_LDAPS to yes (leave SLAPD_LDAP at yes for port 389 and STARTTLS).

vi /etc/sysconfig/ldap
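The certificate paths above are only file locations; slapd reads them from the olcTLS* attributes of cn=config, which the notes never set. The fragment below is an added example, not part of the original notes, and follows this page's practice of editing slapd.d before the first start: add these lines to /etc/openldap/slapd.d/cn=config.ldif after removing the stock olcTLSCACertificatePath and olcTLSCertificateFile lines (the CentOS 6 package points them at the NSS certificate database in /etc/openldap/certs). The paths are the ones listed above; nothing else is assumed.

```ldif
# appended to /etc/openldap/slapd.d/cn=config.ldif (entry dn: cn=config)
olcTLSCACertificateFile: /etc/openldap/certs/cacert.pem
olcTLSCertificateFile: /etc/openldap/certs/server.crt
olcTLSCertificateKeyFile: /etc/openldap/certs/server.key
```

If slapd is already running with the ldapi:// listener enabled, the same three attributes can instead be set live with ldapmodify against cn=config, which is the supported way to change cn=config once the server is up. Either way, the ldapsearch -ZZ test further down only passes when these attributes point at a valid certificate and a key that matches it.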

Use DB config example

cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

Set permissions

chown -Rf ldap:ldap /var/lib/ldap

Set LDAP root password

Generate the hash for the Manager (root DN) password with slappasswd; it prompts twice and prints a {SSHA} value to paste into olcRootPW below. Do not pass the password with -s, which would leave it in the shell history.

slappasswd
New password: <password>
Re-enter new password: <password>

Change default DN

vi /etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif
olcSuffix: <your DN>
olcRootDN: cn=Manager,<your DN>

Both lines ship with dc=my-domain,dc=com; olcRootDN must match the cn=Manager,<your DN> bind DN used in the rest of this guide.

To let users change their own password, append the lines below after the last olcDbIndex line in the same file. The order matters: the userPassword rule must come before the catch-all, and "by anonymous auth" lets clients bind against the hash without being able to read it.

olcAccess: to attrs=userPassword
       by self write
       by anonymous auth
       by dn.base="cn=Manager,<your DN>" write
       by * none
olcAccess: to *
       by self write
       by dn.base="cn=Manager,<your DN>" write
       by * read

Two caveats: "to * by self write" lets a user rewrite every attribute of their own entry, including uidNumber, gidNumber and loginShell, so on a server that provides POSIX accounts limit self write to attributes such as loginShell and gecos; and "by * read" makes the whole tree readable anonymously, which is what the anonymous ldapsearch test later in this guide relies on.

Set the root password hash on the last line of the same file, using the value slappasswd printed (never a clear-text password):

olcRootPW: <{SSHA} hash from slappasswd>

Correct the Manager DN in olcDatabase={1}monitor.ldif, in the same slapd.d/cn=config directory; the file ships with the default dc=my-domain,dc=com suffix.

vi olcDatabase={1}monitor.ldif
olcAccess: {0}to *  by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read  by dn.base="cn=manager,<your DN>" read  by * none

Test server config and start

slaptest -u checks the slapd.d configuration without touching the database and must end with "config file testing succeeded"; fix any error before starting, since a broken cn=config leaves the service down.

slaptest -u
service slapd start
chkconfig slapd on

Configure as client

On the client run authconfig-tui and select:

[*] Use LDAP
[*] Use Shadow passwords
[*] Use LDAP Authentication
[*] Local authorization is sufficient

[*] Use TLS
Server: ldaps://<server>:636
Base DN: <your DN>

The client must trust the CA that signed the server certificate: copy cacert.pem to the client and point TLS_CACERT in /etc/openldap/ldap.conf at it, otherwise every TLS connection fails certificate verification.


ldapsearch -x -b "<your DN>"

The output ends with "search: 2" and "result: 0 Success". This is an anonymous simple bind, so a successful listing also confirms that the "by * read" ACL exposes the tree to anyone who can reach port 389.

Test TLS:

ldapsearch -x -b "<your DN>" -ZZ

The output now ends with "search: 3", one more than before, because the StartTLS extended operation took message ID 1. -ZZ means STARTTLS on the plain ldap:// URI (port 389) and makes the command fail if TLS cannot be negotiated or the server certificate does not verify against TLS_CACERT. It does not apply to an ldaps:// URI, which is already encrypted; test that listener by running the same search with -H ldaps://<server>:636 and no -ZZ.

Configure LDAP server

Configure base domain

# ldapadd -x -W -D "cn=Manager,<your DN>" -f base.ldif

Run the ldapadd and ldappasswd commands in this section against ldaps:// (-H ldaps://<server>:636) or with -ZZ on ldap://; a simple bind (-x -W) otherwise sends the Manager password over the network in clear text. base.ldif contains:

dn: <your DN>
dc: <first component of your DN, e.g. example for dc=example,dc=com>
objectClass: top
objectClass: domain

dn: ou=People,<your DN>
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,<your DN>
ou: Group
objectClass: top
objectClass: organizationalUnit

Create posix user

# ldapadd -x -W -D "cn=Manager,<your DN>" -f posix_user.ldif
# set the password; -S prompts for it instead of taking it on the command line, where -s would expose it in ps output and the shell history
# ldappasswd -S -D "cn=Manager,<your DN>" -W -x uid=username,ou=People,<your DN>

dn: uid=username,ou=People,<your DN>
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: User Name
uid: username
uidNumber: 3000
gidNumber: 3000
homeDirectory: /home/username
loginShell: /bin/bash
gecos: User Name
userPassword: {crypt}x
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0

{crypt}x is a placeholder that matches no password; the account cannot log in until ldappasswd above replaces it.

Create posix group

# ldapadd -x -W -D "cn=Manager,<your DN>" -f posix_group.ldif

dn: cn=username,ou=Group,<your DN>
objectClass: top
objectClass: posixGroup
cn: username
gidNumber: 3000

The gidNumber must equal the gidNumber of the user entry above, so the group is the user's primary group.
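The password steps above (slappasswd for the Manager, ldappasswd for users) both produce the {SSHA} scheme. The script below is an added example, not part of the original notes: it builds that hash itself, verifies it, and emits the posixAccount/posixGroup LDIF from this page with the hash already in place, so the user's clear-text password never has to go on a command line at all. Function names, BASE_DN and the sample user are this example's own choices; the shadow* values are copied from the notes.

```python
"""Added example (not from the original notes): {SSHA} hashes as slappasswd
produces them, plus the posixAccount/posixGroup LDIF from this page with the
hash filled in. Names below are this example's own."""
import base64
import hashlib
import hmac
import os
from typing import Optional

BASE_DN = "dc=example,dc=com"   # stand-in for <your DN> in the notes


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Return '{SSHA}' + base64(SHA1(password || salt) || salt), the slappasswd default."""
    if salt is None:
        salt = os.urandom(8)    # random per-password salt, as slappasswd does
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def check_ssha(stored: str, password: str) -> bool:
    """Verify a password against a {SSHA} value; the salt is whatever follows the 20-byte digest."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    guess = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, guess)   # constant-time comparison


def ldif_line(attr: str, value: str) -> str:
    """Encode one attribute for LDIF (RFC 2849): a value that starts with a space,
    ':' or '<', ends with a space, or contains non-ASCII/control characters is
    written base64 after '::' instead of as a plain safe string."""
    unsafe = (value[:1] in (" ", ":", "<")
              or value.endswith(" ")
              or any(ord(c) < 32 or ord(c) > 126 for c in value))
    if unsafe:
        return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{attr}: {value}"


def posix_user_ldif(uid: str, cn: str, uid_number: int, gid_number: int,
                    password: str, base_dn: str = BASE_DN,
                    salt: Optional[bytes] = None) -> str:
    """LDIF for the posixAccount/shadowAccount entry from the notes, with a real
    {SSHA} hash instead of the '{crypt}x' placeholder. gecos is IA5String in the
    schema, so keep it ASCII; cn may carry UTF-8 and is encoded accordingly."""
    lines = [
        ldif_line("dn", f"uid={uid},ou=People,{base_dn}"),
        "objectClass: top",
        "objectClass: account",
        "objectClass: posixAccount",
        "objectClass: shadowAccount",
        ldif_line("cn", cn),
        ldif_line("uid", uid),
        f"uidNumber: {uid_number}",
        f"gidNumber: {gid_number}",
        f"homeDirectory: /home/{uid}",
        "loginShell: /bin/bash",
        ldif_line("gecos", cn),
        f"userPassword: {make_ssha(password, salt)}",
        "shadowLastChange: 0",   # shadow* values as in the notes
        "shadowMax: 0",
        "shadowWarning: 0",
    ]
    return "\n".join(lines) + "\n"


def posix_group_ldif(name: str, gid_number: int, base_dn: str = BASE_DN) -> str:
    """LDIF for the matching posixGroup; gid_number must equal the user's gidNumber."""
    lines = [
        ldif_line("dn", f"cn={name},ou=Group,{base_dn}"),
        "objectClass: top",
        "objectClass: posixGroup",
        ldif_line("cn", name),
        f"gidNumber: {gid_number}",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample user; feed the output to:
    #   ldapadd -H ldaps://<server>:636 -x -W -D "cn=Manager,<your DN>" -f user.ldif
    print(posix_user_ldif("ben", "Ben Example", 3000, 3000, "correct horse"), end="")
    print()
    print(posix_group_ldif("ben", 3000), end="")
```

With the hash embedded, the "set password" step becomes part of the ldapadd, and the account is usable immediately instead of carrying the unusable {crypt}x placeholder. SHA-1 with a salt is what OpenLDAP 2.4 on CentOS 6 offers out of the box; it stops rainbow tables but not brute force, so the ACL that hides userPassword ("by * none") is what actually protects these values.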
openldap_server_with_tls_centos_6.5.1440598926.txt.gz · Last modified: 2015/08/26 14:22 by admin