OpenLDAP Server Configuration on RHEL7/CentOS7

Log in to the main server –

Step 1: Install the required OpenLDAP packages:

[root@fosnix ~]# yum -y install openldap* migrationtools

Create the LDAP root password for administration purposes:

[root@fosnix ~]# slappasswd
New password:
Re-enter new password:

Copy the hashed password printed by slappasswd, e.g. “{SSHA}MPxEsQsKYHLoXhXN+mSggQAg5RJvSRY4”, & keep it aside

Step 2: Changes in OpenLDAP Server Configuration

[root@fosnix ~]# cd /etc/openldap/slapd.d/cn=config
[root@fosnix cn=config]# vi olcDatabase={2}hdb.ldif

Change the values of “olcSuffix” & “olcRootDN” to your domain name as shown below :

Copy and paste the three lines below into the same file & also replace the “olcRootPW” hashed password with the one you copied before:

olcTLSCertificateFile: /etc/pki/tls/certs/learnitguideldap.pem
olcTLSCertificateKeyFile: /etc/pki/tls/certs/learnitguideldapkey.pem

Save & exit

Step 3: Provide the Monitor Privileges

Open the olcDatabase file with the command below & go to the line “olcAccess” – replace the value “dc=my-domain,dc=net” with YOUR_DOMAIN

[root@fosnix cn=config]# vim olcDatabase={1}monitor.ldif
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=learnitguide,dc=net" read by * none

Verify the Configuration –

[root@fosnix cn=config]# slaptest -u
5ec183d3 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif"
5ec183d3 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif"
config file testing succeeded

Ignore the checksum error; it is reported because the two files were edited by hand rather than through ldapmodify, and the test itself succeeded.

Step 4 : Create the self-signed certificate

[root@fosnix cn=config]# openssl req -new -x509 -nodes -out /etc/pki/tls/certs/fosnix.pem -keyout /etc/pki/tls/certs/fosnixkey.pem -days 365

Enter your organization's details to generate the certificate as shown below (the Common Name should be the hostname clients will use to reach the server) :

Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:UP
Locality Name (eg, city) [Default City]:Noida
Organization Name (eg, company) [Default Company Ltd]:Fosnix
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []
Email Address []

Verify the created certificate and key under the location below :

[root@fosnix cn=config]# ll /etc/pki/tls/certs/*.pem
-rw-r--r--. 1 root root 1704 May 18 10:03 /etc/pki/tls/certs/fosnixkey.pem
-rw-r--r--. 1 root root 1379 May 18 10:03 /etc/pki/tls/certs/fosnix.pem
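Two things are easy to get wrong at this point: the olcTLS* values from step 2 name learnitguideldap.pem while the command above generated fosnix.pem, and the listing shows the private key as 0644 (readable by every local user), whereas slapd on CentOS 7 runs as the ldap user and only needs the key readable by that user. The following check is an added example, not part of the original tutorial; it reads the two olcTLS* attributes from an olcDatabase={2}hdb.ldif-style file, confirms both files exist and flags a key readable by "other". The demo function uses constructed files in a temp directory.

```shell
#!/bin/sh
# Added check (not from the tutorial): verify the TLS paths in the hdb.ldif
# file point at existing files and that the private key is not world-readable.

# tls_attr LDIF ATTR  -> prints the value of the first "ATTR: value" line
tls_attr() {
    sed -n "s/^$2: *//p" "$1" | head -n 1
}

# check_tls_config LDIF -> 0 if cert and key exist and key is private, else 1
check_tls_config() {
    ldif="$1"
    cert=$(tls_attr "$ldif" olcTLSCertificateFile)
    key=$(tls_attr "$ldif" olcTLSCertificateKeyFile)
    rc=0
    for f in "$cert" "$key"; do
        [ -n "$f" ] && [ -f "$f" ] || { echo "missing file: '$f'" >&2; rc=1; }
    done
    if [ -f "$key" ]; then
        mode=$(stat -c '%a' "$key")          # GNU stat, e.g. 644
        # last octal digit is the "other" permission set; it must be 0
        if [ $(( mode % 10 )) -ne 0 ]; then
            echo "key $key is mode $mode: readable by others" >&2
            rc=1
        fi
    fi
    return $rc
}

# Demo on constructed files: a 0644 key must fail, a 0640 key must pass.
demo_tls_check() {
    d=$(mktemp -d)
    printf 'olcTLSCertificateFile: %s/srv.pem\nolcTLSCertificateKeyFile: %s/srvkey.pem\n' \
        "$d" "$d" > "$d/hdb.ldif"
    touch "$d/srv.pem" "$d/srvkey.pem"
    chmod 644 "$d/srvkey.pem"
    check_tls_config "$d/hdb.ldif" && r1=pass || r1=fail
    chmod 640 "$d/srvkey.pem"
    check_tls_config "$d/hdb.ldif" && r2=pass || r2=fail
    rm -rf "$d"
    echo "$r1 $r2"
}
```

On the server itself, run `check_tls_config /etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif` after fixing ownership and mode of the key so that only root and the ldap group can read it.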

Step 5: Start and Enable the slapd Service & Configure the LDAP Services

[root@fosnix cn=config]# systemctl start slapd
[root@fosnix cn=config]# systemctl enable slapd

Configuring the LDAP Services –

[root@fosnix cn=config]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@fosnix cn=config]# chown -R ldap:ldap /var/lib/ldap/

Add the following schemas as follows:

[root@fosnix cn=config]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
[root@fosnix cn=config]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
[root@fosnix cn=config]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

Step 6 : Create Base Objects in OpenLDAP

[root@fosnix cn=config]# cd /usr/share/migrationtools/
[root@fosnix migrationtools]# vim

Go to line 71 and change it to your domain name


Go to line 74 and change it to your base name

$DEFAULT_BASE = "dc=example,dc=com";

Go to line 71 and change the external schema setting from “0” to “1”:


Save & Exit

Step 7: Generate a base.ldif file

[root@fosnix migrationtools]# touch /root/base.ldif
[root@fosnix migrationtools]# vim /root/base.ldif

Copy and paste the lines below into your base.ldif file & also change your domain name instead of

dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: example com
dc: example

dn: cn=Manager,dc=example,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=example,dc=com
objectClass: organizationalUnit
ou: Group

Save & Exit

Step 8: Create the Users

Create Users & Set the Passwords

[root@fosnix migrationtools]# useradd user1
[root@fosnix migrationtools]# useradd user2
[root@fosnix migrationtools]# passwd user1
[root@fosnix migrationtools]# passwd user2

Filter out the users & groups

[root@fosnix migrationtools]# grep ":10[0-9][0-9]" /etc/passwd > /root/passwd
[root@fosnix migrationtools]# grep ":10[0-9][0-9]" /etc/group > /root/group

Now convert the individual users to LDIF.
Generate an LDIF file for the users & groups:

[root@fosnix migrationtools]# ./ /root/passwd /root/users.ldif
[root@fosnix migrationtools]# ./ /root/group /root/groups.ldif
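The grep pattern ":10[0-9][0-9]" used above matches anywhere on the line, so it also selects a system account whose GID field happens to be 10xx and it never selects UIDs of 1100 and above. Filtering on the numeric third field (UID in /etc/passwd, GID in /etc/group) is exact. This is an added example, not the tutorial's own command; the demo runs both filters over constructed passwd lines.

```shell
#!/bin/sh
# Added example (not from the tutorial): select accounts by numeric id range.

# filter_by_id FILE MIN MAX -> lines whose third ":"-field is within [MIN, MAX]
# Works for /etc/passwd (UID) and /etc/group (GID) alike.
filter_by_id() {
    awk -F: -v min="$2" -v max="$3" '$3 >= min && $3 <= max' "$1"
}

# Constructed sample (not from a real system) showing where the grep
# pattern and the field-based filter disagree.
demo_filter() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
root:x:0:0:root:/root:/bin/bash
svc:x:999:1001:service account:/var/lib/svc:/sbin/nologin
user1:x:1000:1000::/home/user1:/bin/bash
user2:x:1001:1001::/home/user2:/bin/bash
user3:x:1100:1100::/home/user3:/bin/bash
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
EOF
    # tutorial filter: "svc" slips in via its GID, "user3" is missed
    by_grep=$(grep ':10[0-9][0-9]' "$tmp" | cut -d: -f1 | paste -s -d , -)
    # field-based filter: exactly the local users with UID 1000..60000
    by_field=$(filter_by_id "$tmp" 1000 60000 | cut -d: -f1 | paste -s -d , -)
    rm -f "$tmp"
    echo "grep=$by_grep field=$by_field"
}
```

On the server, `filter_by_id /etc/passwd 1000 60000 > /root/passwd` and `filter_by_id /etc/group 1000 60000 > /root/group` replace the two grep commands.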

Step 9: Import Users to the LDAP Database

[root@fosnix migrationtools]# ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f /root/base.ldif
[root@fosnix migrationtools]# ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f /root/users.ldif
[root@fosnix migrationtools]# ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f /root/groups.ldif

Step 10: Test the Configuration & Stop the Firewall to Allow the Connection

[root@fosnix migrationtools]# ldapsearch -x cn=user1 -b dc=example,dc=com
[root@fosnix migrationtools]# ldapsearch -x -b 'dc=example,dc=com' '(objectclass=*)'
[root@fosnix migrationtools]# systemctl stop firewalld

Step 11: NFS Configuration to Export the Home Directory

Edit the exports file & add the entry below to export the home directory

[root@fosnix migrationtools]# vim /etc/exports
/home *(rw,sync)

Save & Exit
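The entry "/home *(rw,sync)" exports every LDAP user's home directory read-write to any host that can reach the server. The check below is an added example (not from the tutorial) that reads an exports file and reports each export whose client is the "*" wildcard or whose options disable root_squash, so such entries can be narrowed to the client hosts or subnet that need them. The demo uses a constructed exports file.

```shell
#!/bin/sh
# Added check (not from the tutorial): flag over-broad /etc/exports entries.

# audit_exports FILE -> prints one finding per line; returns 1 if any found
audit_exports() {
    awk '
        /^[ \t]*(#|$)/ { next }                       # skip comments, blanks
        {
            path = $1; found = 0
            for (i = 2; i <= NF; i++) {               # each "client(options)"
                client = $i; opts = ""
                if (match(client, /\(.*\)$/)) {
                    opts = substr(client, RSTART + 1, RLENGTH - 2)
                    client = substr(client, 1, RSTART - 1)
                }
                if (client == "*" || client == "") { print path ": exported to any host (" $i ")"; found = 1 }
                if (opts ~ /(^|,)no_root_squash(,|$)/) { print path ": no_root_squash for " client; found = 1 }
            }
            bad += found
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# Demo on a constructed exports file: the tutorial entry plus one narrowed
# to a subnet and one that also disables root_squash; prints finding count.
demo_audit() {
    tmp=$(mktemp)
    printf '/home *(rw,sync)\n/srv/data 192.168.10.0/24(rw,sync)\n/exports/iso *(ro,no_root_squash)\n' > "$tmp"
    audit_exports "$tmp" | wc -l | tr -d ' '
    rm -f "$tmp"
}
```

On the server, `audit_exports /etc/exports` reports the wildcard entry; replacing `*` with the client host or subnet and re-running `exportfs -r` clears it.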

Start, Enable rpcbind & nfs services

[root@fosnix migrationtools]# yum -y install rpcbind nfs-utils
[root@fosnix migrationtools]# systemctl start rpcbind
[root@fosnix migrationtools]# systemctl start nfs
[root@fosnix migrationtools]# systemctl enable rpcbind
[root@fosnix migrationtools]# systemctl enable nfs

Test the NFS Configuration

[root@fosnix migrationtools]# showmount -e
Export list for
/home *

Step 12: Client Configuration

Log in to the client server –

[root@client ~]# yum install -y openldap-clients nss-pam-ldapd
[root@client ~]# authconfig-tui

Steps for LDAP Authentication

  1. Put a ‘*’ mark on “Use LDAP”
  2. Put a ‘*’ mark on “Use LDAP Authentication”
  3. Select “Next”
  4. Enter the server field as “ldap://YOUR_DOMAIN/”
  5. If the Base field is empty, fill it in as “dc=YOUR_DOMAIN”
  6. Select “OK”.

Test the Configuration

[root@client ~]# getent passwd user1

If you get output as above, then the configuration is working properly

Mount the LDAP Users Home Directory

[root@client ~]# mount /home

