Setup LDAP authentication in CentOS (openldap+sssd)


1) Install openldap server in CentOS 6.5

yum install -y openldap*

2) Copy the sample slapd.conf configuration

cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf

3) Generate encrypted password for later use

slappasswd

4) Modify /etc/openldap/slapd.conf, using the encrypted password created in the step above as the rootpw value.

#TLSCACertificatePath /etc/openldap/certs
#TLSCertificateFile "\"OpenLDAP Server\""
#TLSCertificateKeyFile /etc/openldap/certs/password

database monitor
access to *
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
        by dn.exact="cn=Manager,dc=mylab,dc=local" read
        by * none

database bdb
suffix "dc=mylab,dc=local"
checkpoint 1024 15
rootdn "cn=Manager,dc=mylab,dc=local"
rootpw {SSHA}TgnKeaT3EArzI1xqW/CpzmCRFa88xPS0
loglevel 256
sizelimit unlimited

5) Copy the sample DB_CONFIG file

cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown -R ldap:ldap /var/lib/ldap/
chmod 600 /var/lib/ldap/DB_CONFIG

6) Start service

service slapd start
chkconfig slapd on

7) Use the following two commands to verify. (The default LDAP port is 389)

netstat -ntlup | grep slapd
ps -ef | grep slapd

8) Generate a certificate and key pair for the secured LDAP (ldaps) connection

openssl req -newkey rsa:2048 -x509 -nodes -out /etc/openldap/certs/ldap-pub.pem -keyout /etc/openldap/certs/ldap-pri.pem

chown ldap. /etc/openldap/certs/ldap*

9) Configure the olcDatabase={0}config.ldif file

cd /etc/openldap/slapd.d/cn=config

Add the following two lines to olcDatabase={0}config.ldif:

olcTLSCertificateFile: /etc/openldap/certs/ldap-pub.pem
olcTLSCertificateKeyFile: /etc/openldap/certs/ldap-pri.pem

10) Modify /etc/sysconfig/ldap to only allow secure ldap (ldaps)

SLAPD_LDAP=no
SLAPD_LDAPI=no
SLAPD_LDAPS=yes

11) Restart slapd.

service slapd restart

12) Verify it (the secure LDAP port is 636, and only ldaps:/// should now appear in the 'ps -ef' output)

netstat -ntlup | grep slapd
ps -ef | grep slapd
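The TLS attributes from step 9 can also be set through the running server instead of by editing the file under slapd.d by hand (hand edits are unsupported and are what produces the "checksum error" warning on restart), and the ldaps listener from step 12 can be exercised with a real handshake rather than only a port check. This is an added example, not part of the original post. It assumes slapd listens on ldapi:/// (a local Unix socket, not a network port) and that the config database grants "manage" to the local root identity gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth, as the sample slapd.conf.obsolete does; the certificate file names are those of step 8. Note that olcTLSCertificateFile and olcTLSCertificateKeyFile are attributes of the global cn=config entry, so that is the DN the LDIF modifies.

```bash
#!/bin/sh
# Added example (not from the original post): set the TLS paths from step 9
# via ldapmodify over the local socket, then verify the ldaps port of step 12
# with a full TLS handshake. Assumptions: ldapi:/// is enabled and the config
# database allows SASL EXTERNAL "manage" for local root.

CERT=/etc/openldap/certs/ldap-pub.pem      # public certificate from step 8
KEY=/etc/openldap/certs/ldap-pri.pem       # private key from step 8

# Write the modify LDIF to $1. Both attributes live on cn=config itself.
write_tls_ldif() {
    cat > "$1" <<EOF
dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: $CERT
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: $KEY
EOF
}

# Apply it as root with SASL EXTERNAL: no password, and slapd rewrites the
# slapd.d file itself, so the CRC header stays valid.
apply_tls_ldif() {
    ldapmodify -Y EXTERNAL -H ldapi:/// -f "$1"
}

# Read the two attributes back from the live configuration.
show_tls_config() {
    ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config -s base \
        '(objectClass=*)' olcTLSCertificateFile olcTLSCertificateKeyFile
}

# Handshake against port 636, verified against the server's own self-signed
# certificate; "Verify return code: 0 (ok)" means the chain checked out.
verify_ldaps() {                           # $1 = server name, e.g. ldap.mylab.local
    openssl s_client -connect "$1:636" -CAfile "$CERT" </dev/null 2>/dev/null \
        | grep 'Verify return code'
}

# usage: sh tls-config.sh apply        (then: sh tls-config.sh verify ldap.mylab.local)
case "${1:-}" in
    apply)  write_tls_ldif /tmp/tls.ldif && apply_tls_ldif /tmp/tls.ldif && show_tls_config ;;
    verify) verify_ldaps "$2" ;;
esac
```

Step 10 switches ldapi off; since ldapi:/// never opens a network port and is the only way to manage cn=config here without a separate config rootpw, keeping SLAPD_LDAPI=yes and turning off only plain ldap:// loses nothing.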

13) Add the OUs and users to your LDAP database.

Create /etc/openldap/base.ldif, then run the ldapadd command. The password is the one created in step 3).

ldapadd -x -D "cn=Manager,dc=mylab,dc=local" -f base.ldif -H ldaps://ldap.mylab.local -W

14) Use ldapsearch to query the ldap database.

ldapsearch -x -D "cn=Manager,dc=mylab,dc=local" -H ldaps://ldap.mylab.local -W

15) Use ldapmodify to modify an existing value in the LDAP database. I include a sample here:

ldapmodify -x -D "cn=Manager,dc=mylab,dc=local" -f modify.ldif -H ldaps://ldap -W
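Steps 13 to 15 refer to base.ldif and modify.ldif without showing them. The following is an added example, not part of the original post: it writes a base.ldif with the suffix entry, ou=People, ou=Group, one posixGroup and one posixAccount (the user "jchen" that step 21 looks up), a modify.ldif that changes that user's login shell, and a small checker that reports posixAccount or posixGroup entries missing an attribute the NIS schema marks as MUST, which is what ldapadd would otherwise reject and what getent passwd needs. The OU names, uid/gid number 10001 and the password placeholder are assumptions.

```bash
#!/bin/sh
# Added example (not from the original post). Assumed values: OUs People and
# Group, uid/gid 10001, and a placeholder where the slappasswd hash goes.

# Write the suffix, two OUs, one group and one POSIX user to $1.
write_base_ldif() {
    cat > "$1" <<'EOF'
dn: dc=mylab,dc=local
objectClass: top
objectClass: dcObject
objectClass: organization
o: mylab
dc: mylab

dn: ou=People,dc=mylab,dc=local
objectClass: top
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=mylab,dc=local
objectClass: top
objectClass: organizationalUnit
ou: Group

dn: cn=jchen,ou=Group,dc=mylab,dc=local
objectClass: top
objectClass: posixGroup
cn: jchen
gidNumber: 10001

dn: uid=jchen,ou=People,dc=mylab,dc=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: jchen
cn: jchen
sn: jchen
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/jchen
loginShell: /bin/bash
userPassword: {SSHA}REPLACE_WITH_SLAPPASSWD_OUTPUT
EOF
}

# Write a modify.ldif for step 15: change the user's shell (changetype/replace
# form, which ldapmodify accepts and ldapadd does not).
write_modify_ldif() {
    cat > "$1" <<'EOF'
dn: uid=jchen,ou=People,dc=mylab,dc=local
changetype: modify
replace: loginShell
loginShell: /bin/sh
EOF
}

# check_posix_ldif FILE: print "<dn>: missing <attrs>" for every posixAccount
# or posixGroup entry lacking a MUST attribute; status 1 if any were found.
check_posix_ldif() {
    awk '
    BEGIN { bad = 0 }
    function need(list,   n, i, miss) {
        n = split(list, want, " ")
        for (i = 1; i <= n; i++) if (!(want[i] in have)) miss = miss " " want[i]
        return miss
    }
    function flush(   m, x) {
        if (dn == "") return
        m = ""
        if ("posixAccount" in oc) { x = need("uid cn uidNumber gidNumber homeDirectory"); m = m x }
        if ("posixGroup" in oc)   { x = need("cn gidNumber"); m = m x }
        if (m != "") { print dn ": missing" m; bad = 1 }
        dn = ""; split("", oc); split("", have)
    }
    /^dn: /          { flush(); dn = substr($0, 5); next }
    /^objectClass: / { oc[$2] = 1; next }
    /^[A-Za-z]+: /   { have[substr($1, 1, length($1) - 1)] = 1 }
    END { flush(); exit bad }
    ' "$1"
}

# usage: sh base-ldif.sh write   (then run the ldapadd/ldapmodify commands from steps 13 and 15)
if [ "${1:-}" = "write" ]; then
    write_base_ldif /etc/openldap/base.ldif && write_modify_ldif /etc/openldap/modify.ldif
    check_posix_ldif /etc/openldap/base.ldif && echo "base.ldif: required POSIX attributes present"
fi
```

Replace the userPassword placeholder with the {SSHA} hash printed by slappasswd before running ldapadd; an entry with a plain-text userPassword is accepted by slapd but stores the password unhashed.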

16) Set up the openldap client

yum install -y openldap-clients sssd

17) Copy the public certificate generated in step 8) to /etc/openldap/cacerts on the client machine.

cp ldap-pub.pem /etc/openldap/cacerts/

18) Modify /etc/openldap/ldap.conf to add the following entries:

TLS_CACERTDIR /etc/openldap/cacerts
ssl start_tls
TLS_REQCERT allow
BASE dc=mylab,dc=local
URI ldaps://ldap.mylab.local/
HOST 192.168.56.11

19) Define your ldap URI in the sssd.conf

chmod 600 /etc/sssd/sssd.conf

Sample:  /etc/sssd/sssd.conf

20) Set up the ldap authentication

authconfig --enablesssd --enablesssdauth --enableldap --enableldapauth --enablemkhomedir --ldapserver=ldaps://ldap.mylab.local --ldapbasedn=dc=mylab,dc=local --enablelocauthorize --enableldaptls --update

21) Test by looking up the LDAP user

getent passwd jchen
id jchen
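One setting in step 18 deserves a check before the client goes into use: TLS_REQCERT allow tells libldap to continue even when the server certificate is untrusted or does not match the name, so any host answering as ldap.mylab.local could collect the bind passwords that steps 20 and 21 send. The script below is an added example, not part of the original post: it audits an ldap.conf and an sssd.conf for that and the other weak settings (no CA to verify against, a non-ldaps URI without StartTLS, the deprecated HOST directive, an sssd.conf readable by others despite step 19's chmod) and writes a hardened ldap.conf that keeps the step's base DN and server. File paths are whatever the caller passes; the sample files used in testing are constructed for the demonstration.

```bash
#!/bin/sh
# Added example (not from the original post): audit the client TLS settings
# of steps 18-20 and emit a hardened ldap.conf.

# Last value of an ldap.conf keyword (keywords are case-insensitive).
ldapconf_get() {                       # $1 = file, $2 = KEYWORD
    awk -v k="$2" 'toupper($1) == k { v = $2 } END { print v }' "$1"
}

# Last value of "key = value" in an sssd.conf-style file.
sssdconf_get() {                       # $1 = file, $2 = key
    awk -v k="$2" '
        { i = index($0, "="); if (i == 0) next
          key = substr($0, 1, i - 1); val = substr($0, i + 1)
          gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
          if (key == k) v = val }
        END { print v }' "$1"
}

# audit_ldap_conf FILE: one finding per line, status 1 if anything is weak.
audit_ldap_conf() {
    f="$1"; rc=0
    reqcert=$(ldapconf_get "$f" TLS_REQCERT | tr 'A-Z' 'a-z')
    case "$reqcert" in
        ""|demand|hard) ;;             # demand is the documented default
        *) echo "$f: TLS_REQCERT $reqcert skips server certificate verification"; rc=1 ;;
    esac
    if [ -z "$(ldapconf_get "$f" TLS_CACERT)" ] && [ -z "$(ldapconf_get "$f" TLS_CACERTDIR)" ]; then
        echo "$f: no TLS_CACERT or TLS_CACERTDIR, nothing to verify the server against"; rc=1
    fi
    case "$(ldapconf_get "$f" URI)" in
        ldaps://*) ;;
        *) echo "$f: URI is not ldaps://, binds may leave the host in clear text"; rc=1 ;;
    esac
    if [ -n "$(ldapconf_get "$f" HOST)" ]; then
        echo "$f: HOST is deprecated, use URI with the name on the certificate"; rc=1
    fi
    return $rc
}

# audit_sssd_conf FILE: the same checks for the sssd LDAP provider.
audit_sssd_conf() {
    f="$1"; rc=0
    case "$(sssdconf_get "$f" ldap_tls_reqcert)" in
        ""|demand|hard) ;;
        *) echo "$f: ldap_tls_reqcert disables server certificate verification"; rc=1 ;;
    esac
    case "$(sssdconf_get "$f" ldap_uri)" in
        ldaps://*) ;;
        *) [ "$(sssdconf_get "$f" ldap_id_use_start_tls)" = "true" ] ||
           { echo "$f: ldap_uri is not ldaps:// and ldap_id_use_start_tls is not true"; rc=1; } ;;
    esac
    # The file may hold a bind password; the chmod 600 from step 19 must stick.
    case "$(ls -l "$f" | cut -c5-10)" in
        ------) ;;
        *) echo "$f: readable by group or others, should be mode 0600"; rc=1 ;;
    esac
    return $rc
}

# Hardened replacement for step 18: pin the server certificate from step 8
# and refuse anything that does not verify against it.
write_hardened_ldap_conf() {           # $1 = output path
    cat > "$1" <<'EOF'
# Trust exactly the server certificate copied in step 17 and refuse anything else.
TLS_CACERT   /etc/openldap/cacerts/ldap-pub.pem
TLS_REQCERT  demand
BASE         dc=mylab,dc=local
URI          ldaps://ldap.mylab.local/
EOF
}

# usage: sh ldap-tls-audit.sh /etc/openldap/ldap.conf /etc/sssd/sssd.conf
if [ "$#" -eq 2 ]; then
    audit_ldap_conf "$1"; audit_sssd_conf "$2"
fi
```

With TLS_REQCERT demand the name in URI has to match the certificate's CN or subjectAltName, so answer ldap.mylab.local for the Common Name when running the openssl req command of step 8. A single TLS_CACERT file is used rather than the page's TLS_CACERTDIR because a directory needs hash-named links (c_rehash) when libldap is linked against OpenSSL; on CentOS 6, where it is linked against Mozilla NSS, either form is fine.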


9 thoughts on "Setup LDAP authentication in CentOS (openldap+sssd)"

  1. Hello Jackie,
    I followed your guide, but after step 13 ldapadd returns the error: ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
    Do you have any suggestions what might've gone wrong?

  2. Great guide,
    now I don't have to spend all the rest of my life figuring out how to configure this f**k ldap.
    Anyway, why don't you configure slapd.conf with these two directives instead of modifying them in the config dir slapd.d?

    TLSCertificateFile /etc/openldap/certs/ldap-pub.pem
    TLSCertificateKeyFile /etc/openldap/certs/ldap-pri.pem

    Mostly because, if you modify the ldif file, after the slapd restart you get a checksum error alert:

    checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={0}config.ldif"

    Tnx again !

  3. Hello
    I followed your guide, but I am stuck at the beginning. I have installed CentOS 7 and OpenLDAP but I cannot find the file /usr/share/openldap-servers/slapd.conf. In this directory I have only two files, slapd.ldif and DB_CONFIG.example. Don't know what I am doing wrong. Please help.
