1) Install the OpenLDAP server packages on CentOS 6.5
yum install -y openldap*
2) Copy the sample slapd.conf configuration
cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf
3) Generate a hashed password for the directory manager. slappasswd prints a salted SHA-1 hash ({SSHA}...), not an encrypted password; it goes into slapd.conf in the next step.
slappasswd
4) Modify /etc/openldap/slapd.conf and put the hash that slappasswd printed on the rootpw line (the {SSHA} value below is the author's; yours will differ). The relevant lines are:
#TLSCACertificatePath /etc/openldap/certs
#TLSCertificateFile "\"OpenLDAP Server\""
#TLSCertificateKeyFile /etc/openldap/certs/password

database monitor
access to *
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
        by dn.exact="cn=Manager,dc=mylab,dc=local" read
        by * none

database        bdb
suffix          "dc=mylab,dc=local"
checkpoint      1024 15
rootdn          "cn=Manager,dc=mylab,dc=local"
rootpw          {SSHA}TgnKeaT3EArzI1xqW/CpzmCRFa88xPS0
loglevel        256
sizelimit       unlimited
5) Copy the sample DB_CONFIG file
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown -R ldap:ldap /var/lib/ldap/
chmod 600 /var/lib/ldap/DB_CONFIG
6) Start service
service slapd start
chkconfig slapd on
7) Use the following two commands to verify that slapd is running and listening on the default LDAP port, 389:
netstat -ntlup | grep slapd
ps -ef | grep slapd
8) Generate a self-signed certificate and private key for LDAPS. The command prompts for the subject: use the server's FQDN (ldap.mylab.local, the name clients will put in their URI) as the Common Name, because clients that verify the certificate check that name. Without -days the certificate is valid for only 30 days.
openssl req -newkey rsa:2048 -x509 -nodes -out /etc/openldap/certs/ldap-pub.pem -keyout /etc/openldap/certs/ldap-pri.pem
chown ldap. /etc/openldap/certs/ldap*
ldap-pri.pem is the private key: keep it readable by the ldap user only (mode 600) and never copy it to clients. Only ldap-pub.pem is distributed, in step 17.
9) Point slapd at the certificate and key. In the cn=config directory these are global olcTLS* attributes of the cn=config entry itself, stored in cn=config.ldif (the olcDatabase={0}config.ldif file describes the config database, not the TLS settings):
cd /etc/openldap/slapd.d
Add the following two lines to cn=config.ldif:
olcTLSCertificateFile: /etc/openldap/certs/ldap-pub.pem
olcTLSCertificateKeyFile: /etc/openldap/certs/ldap-pri.pem
Editing files under slapd.d by hand makes slapd log a CRC32 "checksum error" for that file at every start. The supported alternatives are the equivalent TLSCertificateFile and TLSCertificateKeyFile directives in slapd.conf, or an ldapmodify of cn=config over the local ldapi:/// socket.
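Steps 8 and 9 together, as an added example that is not code from the original post: the certificate is generated non-interactively with the server name in both CN and subjectAltName and an explicit validity, checked the way a verifying client would check it, and registered in cn=config through ldapmodify rather than by hand-editing slapd.d. The hostname ldap.mylab.local, the 3650-day validity, the HOST and CERT_DIR variables and the assumption that slapd is still reachable over ldapi:/// when "apply" runs are mine, not the post's.

```shell
#!/bin/sh
# Added example, not code from the original post: steps 8 and 9 with the
# certificate name, validity and cn=config change made explicit.
# Assumptions (not from the post): hostname ldap.mylab.local, 3650-day
# validity, and slapd reachable over ldapi:/// when run with "apply".

HOST="${HOST:-ldap.mylab.local}"
CERT_DIR="${CERT_DIR:-/etc/openldap/certs}"

# gen_ldap_cert DIR HOSTNAME DAYS: self-signed server certificate and key.
# "openssl req -x509" defaults to 30 days and prompts for the subject; a
# small config file makes the subject and the SAN explicit and silent.
gen_ldap_cert() {
    dir="$1"; host="$2"; days="$3"
    mkdir -p "$dir"
    cat > "$dir/ldap-cert.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions    = ext
prompt             = no
[dn]
CN = $host
[ext]
subjectAltName   = DNS:$host
extendedKeyUsage = serverAuth
EOF
    openssl req -x509 -nodes -newkey rsa:2048 -days "$days" \
        -config "$dir/ldap-cert.cnf" \
        -keyout "$dir/ldap-pri.pem" -out "$dir/ldap-pub.pem" 2>/dev/null
    chmod 600 "$dir/ldap-pri.pem"   # private key: slapd only
    chmod 644 "$dir/ldap-pub.pem"   # public certificate: what clients receive
}

# check_ldap_cert DIR HOSTNAME: what a client with TLS_REQCERT demand does
# (chain to the trusted file, name match), plus a key/certificate pairing check.
check_ldap_cert() {
    dir="$1"; host="$2"
    openssl verify -CAfile "$dir/ldap-pub.pem" "$dir/ldap-pub.pem" >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/ldap-pub.pem" -noout -text | grep -q "DNS:$host" || return 1
    [ "$(openssl x509 -in "$dir/ldap-pub.pem" -noout -pubkey)" = \
      "$(openssl pkey -in "$dir/ldap-pri.pem" -pubout 2>/dev/null)" ]
}

# make_tls_ldif DIR: the two olcTLS* attributes are global, so the change
# targets the cn=config entry itself.
make_tls_ldif() {
    dir="$1"
    cat <<EOF
dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: $dir/ldap-pub.pem
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: $dir/ldap-pri.pem
EOF
}

if [ "${1:-}" = "apply" ]; then
    gen_ldap_cert "$CERT_DIR" "$HOST" 3650
    chown ldap:ldap "$CERT_DIR"/ldap-*.pem
    check_ldap_cert "$CERT_DIR" "$HOST" || exit 1
    # root on the ldapi socket is the gidNumber=0+uidNumber=0,cn=peercred
    # identity that the ACLs in slapd.conf refer to, so no password is needed
    make_tls_ldif "$CERT_DIR" | ldapmodify -Y EXTERNAL -H ldapi:///
fi
```

Run it as root with `sh script.sh apply` before step 10 (which turns the ldapi socket off), then restart slapd. Afterwards `openssl s_client -connect ldap.mylab.local:636 -CAfile /etc/openldap/certs/ldap-pub.pem </dev/null` should end with "Verify return code: 0 (ok)"; any other code means clients configured with TLS_REQCERT demand will refuse the server.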
10) Modify /etc/sysconfig/ldap so slapd only listens for LDAPS. Note that SLAPD_LDAPI=no also removes the local ldapi:/// socket: the gidNumber=0+uidNumber=0,cn=peercred ACL in slapd.conf and password-less root administration with ldapmodify -Y EXTERNAL -H ldapi:/// both depend on it, and the socket is not reachable from the network, so keep SLAPD_LDAPI=yes unless you really want it gone.
SLAPD_LDAP=no
SLAPD_LDAPI=no
SLAPD_LDAPS=yes
11) Restart the slapd.
service slapd restart
12) Verify: slapd should now listen on 636 only (the LDAPS port), and the slapd command line in the ps output should show an ldaps:/// URL and no ldap:///.
netstat -ntlup | grep slapd
ps -ef | grep slapd
13) Add the OU and user entries to your directory.
Create /etc/openldap/base.ldif, then load it with ldapadd. -W prompts for the Manager password whose hash you set in step 3; because the URI is ldaps://, the bind travels over TLS.
ldapadd -x -D "cn=Manager,dc=mylab,dc=local" -W -H ldaps://ldap.mylab.local -f /etc/openldap/base.ldif
14) Use ldapsearch to query the directory. Give the search base with -b unless BASE is set in /etc/openldap/ldap.conf on the machine you run it from:
ldapsearch -x -D "cn=Manager,dc=mylab,dc=local" -W -H ldaps://ldap.mylab.local -b "dc=mylab,dc=local"
15) Use ldapmodify to change existing values in the directory. A sample invocation (-x selects a simple bind, and the host must be the same FQDN as in the certificate so the name check passes):
ldapmodify -x -D "cn=Manager,dc=mylab,dc=local" -W -H ldaps://ldap.mylab.local -f modify.ldif
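The base.ldif of step 13 and the modify.ldif of step 15 are not shown on the page; below is an added example (mine, not the author's files) that generates both for the suffix used above and loads them. The OU names People and Group, the user jchen (taken from step 21) with uid/gid 10000, and the choice to set the user's password afterwards with ldappasswd instead of pasting a hash into the LDIF are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: the base.ldif that step 13
# loads and the modify.ldif that step 15 feeds to ldapmodify.
# Assumptions (not from the post): OUs People and Group, user jchen with
# uid/gid 10000, password set afterwards with ldappasswd over TLS.

DC="mylab"
SUFFIX="dc=$DC,dc=local"
MANAGER="cn=Manager,$SUFFIX"
URI="ldaps://ldap.mylab.local"

# make_base_ldif: the domain object, two OUs, a posixGroup and a posixAccount.
# inetOrgPerson requires cn and sn; posixAccount requires uid, uidNumber,
# gidNumber and homeDirectory. No userPassword here on purpose.
make_base_ldif() {
    cat <<EOF
dn: $SUFFIX
objectClass: dcObject
objectClass: organization
dc: $DC
o: $DC

dn: ou=People,$SUFFIX
objectClass: organizationalUnit
ou: People

dn: ou=Group,$SUFFIX
objectClass: organizationalUnit
ou: Group

dn: cn=jchen,ou=Group,$SUFFIX
objectClass: posixGroup
cn: jchen
gidNumber: 10000

dn: uid=jchen,ou=People,$SUFFIX
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: jchen
cn: jchen
sn: chen
uidNumber: 10000
gidNumber: 10000
homeDirectory: /home/jchen
loginShell: /bin/bash
EOF
}

# make_modify_ldif: one entry, two operations separated by "-": replace the
# login shell and add a description.
make_modify_ldif() {
    cat <<EOF
dn: uid=jchen,ou=People,$SUFFIX
changetype: modify
replace: loginShell
loginShell: /bin/sh
-
add: description
description: shell changed to /bin/sh
EOF
}

# count_entries: number of entries in an LDIF read from stdin
count_entries() { grep -c '^dn: '; }

if [ "${1:-}" = "apply" ]; then
    make_base_ldif   > /etc/openldap/base.ldif
    make_modify_ldif > /etc/openldap/modify.ldif
    # -x: simple bind; -W: prompt for the Manager password hashed in step 3
    ldapadd    -x -D "$MANAGER" -W -H "$URI" -f /etc/openldap/base.ldif
    # set jchen's password over TLS (-S prompts for it); nothing is hashed locally
    ldappasswd -x -D "$MANAGER" -W -H "$URI" -S "uid=jchen,ou=People,$SUFFIX"
    ldapmodify -x -D "$MANAGER" -W -H "$URI" -f /etc/openldap/modify.ldif
fi
```

Run with `sh script.sh apply` on the server once slapd is up on 636. Leaving userPassword out of the LDIF means no password hash sits in a world-readable file under /etc/openldap; ldappasswd sends the new password to slapd over the TLS session and slapd stores it hashed.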
16) Set up the openldap client
yum install -y openldap-clients sssd
17) Copy the public certificate generated in step 8 (ldap-pub.pem only, never the private key) to /etc/openldap/cacerts on the client machine.
cp ldap-pub.pem /etc/openldap/cacerts/
On libldap builds linked against OpenSSL rather than NSS, a TLS_CACERTDIR directory is only searched by hashed file names (run c_rehash on it); pointing TLS_CACERT at the file itself works on either build.
18) Add the following entries to /etc/openldap/ldap.conf. TLS_REQCERT must be demand (the default), not allow: with allow the client accepts any certificate, so anyone who can answer for ldap.mylab.local can sit in the middle of the TLS session and read the binds. With the server's certificate in the trust store, demand works. HOST is deprecated in favour of URI (and an IP address would never match the certificate name), and ssl start_tls is a pam_ldap/nss_ldap setting rather than an OpenLDAP one and is meaningless on an ldaps:// URI, so both are left out.
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT demand
BASE dc=mylab,dc=local
URI ldaps://ldap.mylab.local/
19) Define your LDAP URI and search base in /etc/sssd/sssd.conf. The file must be owned by root and readable by root only; SSSD refuses to start otherwise.
chmod 600 /etc/sssd/sssd.conf
Sample: /etc/sssd/sssd.conf
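As an added example (mine, not the post's own sample), an sssd.conf that matches the server built above, written from a function so the file ends up with the permissions SSSD insists on. The domain name mylab, the CA file being the ldap-pub.pem copied in step 17, and the rfc2307 (posixAccount/posixGroup) schema are assumptions.

```shell
#!/bin/sh
# Added example, not the post's own sample: /etc/sssd/sssd.conf for the
# server built above. Assumptions (not from the post): SSSD domain "mylab",
# CA file /etc/openldap/cacerts/ldap-pub.pem, rfc2307 schema.

# make_sssd_conf CACERT: ldaps:// plus ldap_tls_reqcert = demand makes SSSD
# refuse any server whose certificate does not chain to CACERT and carry the
# name ldap.mylab.local; "allow" would accept any certificate at all.
make_sssd_conf() {
    cacert="$1"
    cat <<EOF
[sssd]
config_file_version = 2
services = nss, pam
domains = mylab

[nss]
filter_users = root
filter_groups = root

[pam]

[domain/mylab]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldaps://ldap.mylab.local
ldap_search_base = dc=mylab,dc=local
ldap_schema = rfc2307
ldap_tls_cacert = $cacert
ldap_tls_reqcert = demand
cache_credentials = true
enumerate = false
EOF
}

# install_sssd_conf DEST CACERT: write the file and close it to other users;
# SSSD exits at startup when sssd.conf is group- or world-readable.
install_sssd_conf() {
    dest="$1"; cacert="$2"
    make_sssd_conf "$cacert" > "$dest"
    chmod 600 "$dest"
}

if [ "${1:-}" = "apply" ]; then
    install_sssd_conf /etc/sssd/sssd.conf /etc/openldap/cacerts/ldap-pub.pem
    service sssd restart
fi
```

Run with `sh script.sh apply` as root on the client. authconfig in step 20 also writes to /etc/sssd/sssd.conf, so re-check the file after running it, in particular that ldap_tls_reqcert is still demand.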
20) Set up LDAP authentication with authconfig (the options take two leading dashes; authconfig also rewrites parts of /etc/sssd/sssd.conf, so re-check that file afterwards):
authconfig --enablesssd --enablesssdauth --enableldap --enableldapauth --enablemkhomedir --ldapserver=ldaps://ldap.mylab.local --ldapbasedn=dc=mylab,dc=local --enablelocauthorize --enableldaptls --update
21) Test by looking up the LDAP user on the client
getent passwd jchen
id jchen
There is an error on the copy command in step 5.
Should be “share” folder instead of “shaire” 🙂
Good observation. Fixed.
Hello Jackie,
I followed your guide, but after step 13 ldapadd returns the error: ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
Do you have any suggestions what might've gone wrong?
Seems your LDAP server is not running. Have you run the following command to ensure it is running?
netstat -ntlup | grep slapd
ps -ef | grep slapd
Great guide,
now I don't have to spend all the rest of my life figuring out how to configure this f**k ldap.
Anyway, why not configure slapd.conf with these two directives instead of modifying them in the config dir slapd.d?
TLSCertificateFile /etc/openldap/certs/ldap-pub.pem
TLSCertificateKeyFile /etc/openldap/certs/ldap-pri.pem
Mostly because, if you modify the ldif file, after the slapd restart you get a checksum error alert:
checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={0}config.ldif"
Thanks again!
Hello
I followed your guide, but I am stuck at the beginning. I have installed CentOS 7 and OpenLDAP but I cannot find the file /usr/share/openldap-servers/slapd.conf. In this directory I have only two files, slapd.ldif and DB_CONFIG.example. I don't know what I am doing wrong. Please help.
The path might have changed in CentOS 7? You can search for it by running: find / -name "slapd.conf*"