LDAP: Configure a LDAP directory service for user connection.

Share this link

This is a tutorial for RHEL 6.

Try to follow the instructions very precisely because LDAP syntax is sometimes cumbersome (case sensitive, space, etc) and prone to errors (dn/dc/cn).
Let’s assume that we use the example.com domain and the instructor.example.com hostname.

Install the following packages:

# yum install -y openldap openldap-servers migrationtools

Generate a LDAP password from a secret key (here redhat):

# slappasswd -s redhat -n > /etc/openldap/passwd

Generate a X509 certificate valid for 365 days:

# openssl req -new -x509 -nodes -out /etc/openldap/certs/cert.pem -keyout /etc/openldap/certs/priv.pem -days 365
Generating a 2048 bit RSA private key
writing new private key to '/etc/openldap/certs/priv.pem'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:instructor.example.com
Email Address []:

Secure the content of the /etc/openldap/certs directory:

# cd /etc/openldap/certs
# chown ldap:ldap *
# chmod 600 priv.pem

Prepare the LDAP database:

# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

Start the configuration of the LDAP server:

# cd /etc/openldap/slapd.d/cn=config

Edit the olcDatabase={2}bdb.ldif file and replace/type the values specified in bold:

olcSuffix: dc=example,dc=com
olcRootDN: cn=Manager,dc=example,dc=com
olcRootPW: passwd # password previously generated
olcTLSCertificateFile: /etc/openldap/certs/cert.pem
olcTLSCertificateKeyFile: /etc/openldap/certs/priv.pem

Edit the olcDatabase={1}monitor.ldif file and replace/type the values specified in bold:

olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=example,dc=com" read by * none

Edit the /etc/sysconfig/ldap file and change the following option from ‘no‘ to ‘yes‘:


Check the LDAP configuration (there should be no error message):

# slaptest -u

Generate database files (don’t worry about error messages!):

# slaptest

Change LDAP database ownership:

# chown ldap:ldap /var/lib/ldap/*

Activate the slapd service at boot:

# chkconfig slapd on

Start the slapd service:

# service slapd start

Check the LDAP activity:

# netstat -lt | grep ldap

Create the /etc/openldap/base.ldif file with the following content:

dn: dc=example,dc=com
dc: example
objectClass: top
objectClass: domain

dn: ou=People,dc=example,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=example,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit

Build the structure of the directory service:

# ldapadd -x -w redhat -D cn=Manager,dc=example,dc=com -f base.ldif

Create two users for testing:

# mkdir /home/guests
# useradd -d /home/guests/ldapuser01 ldapuser01
# passwd ldapuser01
# useradd -d /home/guests/ldapuser02 ldapuser02
# passwd ldapuser02

Go to the directory for the migration of the user accounts:

# cd /usr/share/migrationtools

Edit the migrate_common.ph file and replace in the following lines:

$DEFAULT_MAIL_DOMAIN = "example.com";
$DEFAULT_BASE = "dc=example,dc=com";

Create the current users in the directory service:

# grep ":5[0-9][0-9]" /etc/passwd > passwd
# ./migrate_passwd.pl passwd users.ldif
# ldapadd -x -w redhat -D cn=Manager,dc=example,dc=com -f users.ldif
# grep ":5[0-9][0-9]" /etc/group > group
# ./migrate_group.pl group groups.ldif
# ldapadd -x -w redhat -D cn=Manager,dc=example,dc=com -f groups.ldif

Test the configuration with the user called ldapuser01:

# ldapsearch -x cn=ldapuser01 -b dc=example,dc=com

Add two new rules to the firewall:

# iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT
# iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 636 -j ACCEPT

Save the firewall configuration:

# service iptables save

Edit the /etc/rsyslog.conf file and add the following line:

local4.* /var/log/ldap.log

Edit the /etc/openldap/slapd.d/cn=config.ldif file and add the following line in the middle of the file:

olcLogLevel: -1

Restart the rsyslog service:

# service rsyslog restart

In addition, Ramdev’s blog provides interesting information (configuration, troubleshooting, etc) on this topic.

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)

Leave a Reply

Please Login to comment
5 Comment threads
5 Thread replies
Most reacted comment
Hottest comment thread
7 Comment authors
CertDepotblahblahronniedss1821CertDepot Recent comment authors
newest oldest
Notify of

Isn’t there a mistake in the step :
Generate database files (don’t worry about error messages!):
# slaptest
Shouldn’t it be like this ? :
# slapadd [ switches arguments ]


At the point where I need to build the structure of the directory service, I get the message: base.ldif: no such file or directory. Any advice?


Getting error:
54c055c1 ldif_read_file: checksum error on “/etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif”
54c055c1 ldif_read_file: checksum error on “/etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif”

Not sure whats causing it or correct it.


Thanks for the guide, managed to get my ldap up, however no luck to create new user besides the original created 2 test user, any guide on that?


Managed to add user after trying, thanks!


might be best to add “RHEL6” to the title of this, accidentally got mixed up >.<

RHCSA7: Task of the day

Allowed time: 10 minutes.
Create two new user accounts "steve" and "oliver".
Create a group "team". Create a directory "shared".
All files put into the "shared" directory by "steve" or "oliver" should belong to the "team" group and be only visible by them.

RHCE7: Task of the day

Allowed time: 10 minutes.
Configure a httpd server that executes a Perl script in the /var/www/cgi-bin directory displaying "Hello!".

Follow me on Twitter

Poll for favorite RHEL 7 book

What is your favorite RHEL 7 book to prepare RHCSA & RHCE exams?

View Results

Loading ... Loading ...

Poll for most difficult RHCSA 7 topic

What do you think is the most difficult RHCSA 7 topic?

View Results

Loading ... Loading ...

Poll for most difficult RHCE 7 topic

What do you think is the most difficult RHCE 7 topic?

View Results

Loading ... Loading ...