OpenLDAP Installation and Configuration on Linux

OpenLDAP provides centralized user authentication and directory services for Linux environments, allowing multiple servers to authenticate users against a single authoritative source instead of maintaining separate /etc/passwd files. This guide covers installing OpenLDAP (slapd), defining a directory structure, adding users and groups, enabling TLS, and configuring Linux clients to use LDAP for authentication.

Prerequisites

  • Ubuntu 20.04/22.04 or CentOS/Rocky Linux 8/9 (server)
  • A fully qualified domain name (FQDN) for the LDAP server
  • Root or sudo access
  • Open ports: 389 (LDAP), 636 (LDAPS)

Installing OpenLDAP

Ubuntu/Debian

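# Set the hostname first; the TLS certificate issued later must match this FQDN.
sudo hostnamectl set-hostname ldap.example.com
# Add the hosts entry only if it is not already present, so re-running the
# setup does not leave duplicate lines in /etc/hosts.
grep -qF 'ldap.example.com' /etc/hosts \
  || echo "192.168.1.10 ldap.example.com ldap" | sudo tee -a /etc/hosts > /dev/null

# Install slapd and the LDAP client utilities.
sudo apt-get update
sudo DEBIAN_FRONTEND=noninteractive apt-get install -y \
  slapd ldap-utils

# Reconfigure to set the base DN and the admin password.
sudo dpkg-reconfigure slapd
# Answer the prompts:
# Omit OpenLDAP server configuration? No
# DNS domain name: example.com  (this becomes dc=example,dc=com)
# Organization name: Example Corp
# Administrator password: choose a strong password; this is the bind password
#   for cn=admin,dc=example,dc=com used by every -W prompt below
# Database backend: MDB
# Remove database when slapd is purged? No
# Move old database? Yes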

CentOS/Rocky Linux

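sudo dnf install -y openldap openldap-servers openldap-clients

# Start the service
sudo systemctl enable --now slapd

# Set the root password of the config database. A fresh RPM install typically
# has no olcRootPW on cn=config, so there is nothing to bind to with ldappasswd;
# the password is installed as root over the local ldapi socket (SASL EXTERNAL).
# slappasswd prompts twice on the terminal: do not pass the secret with -s, which
# would leave it in shell history and visible to every local user via `ps`.
ADMIN_HASH=$(slappasswd) || exit 1

# mktemp creates the file 0600 with an unpredictable name.
CONFIG_LDIF=$(mktemp) || exit 1
cat > "$CONFIG_LDIF" << EOF
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: ${ADMIN_HASH}
EOF
sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f "$CONFIG_LDIF"
rm -f -- "$CONFIG_LDIF"
unset ADMIN_HASH

# The DN that this password belongs to is whatever olcRootDN says for the
# config database (commonly cn=config on RPM installs, cn=admin,cn=config on
# Debian); check with: sudo slapcat -n 0 | grep -i olcRootDN
# NOTE(review): unlike dpkg-reconfigure on Debian, the RPM install does not
# create the dc=example,dc=com data database or its cn=admin rootdn used in the
# rest of this guide — confirm with `sudo slapcat -n 0` (look for olcSuffix) and
# define one before continuing.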

Verify Installation

# Confirm the daemon is up before querying the directory.
sudo systemctl status slapd

# Read the base entry with a simple bind as the directory admin
# (-W prompts for the password chosen during setup).
ldap_uri=ldap://localhost
base_dn="dc=example,dc=com"
admin_dn="cn=admin,dc=example,dc=com"
ldapsearch -x -H "$ldap_uri" -b "$base_dn" -D "$admin_dn" -W

Configuring the Base Directory

Create the organizational units (OUs) for your directory:

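# Write the LDIF to a private temp file (mktemp creates it 0600 with an
# unpredictable name) instead of a fixed, guessable path under /tmp.
BASE_LDIF=$(mktemp) || exit 1
cat > "$BASE_LDIF" << 'EOF'
# Users OU
dn: ou=users,dc=example,dc=com
objectClass: organizationalUnit
ou: users

# Groups OU
dn: ou=groups,dc=example,dc=com
objectClass: organizationalUnit
ou: groups

# Service accounts OU
dn: ou=services,dc=example,dc=com
objectClass: organizationalUnit
ou: services
EOF

# Apply the LDIF. -x is a simple bind, which sends the admin password in clear
# text: run this on the server itself (ldap://localhost) or switch -H to ldaps://.
ldapadd -x \
  -H ldap://localhost \
  -D "cn=admin,dc=example,dc=com" \
  -W \
  -f "$BASE_LDIF"
rm -f -- "$BASE_LDIF"

# Verify the three OUs exist
ldapsearch -x \
  -H ldap://localhost \
  -b "dc=example,dc=com" \
  -D "cn=admin,dc=example,dc=com" \
  -W \
  "(objectClass=organizationalUnit)"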

Adding Users and Groups

Add a User

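# Generate the password hash. slappasswd prompts (twice) on the terminal; do
# not pass the secret with -s, which would leave it in shell history and make
# it visible to every local user via `ps`.
HASHED_PASS=$(slappasswd) || exit 1

# shadowLastChange is the number of days since 1970-01-01; compute today's
# value instead of hard-coding one.
LAST_CHANGE=$(( $(date +%s) / 86400 ))

# mktemp creates the file 0600 with an unpredictable name, so the hash is not
# left world-readable under a fixed path in /tmp.
USER_LDIF=$(mktemp) || exit 1
cat > "$USER_LDIF" << EOF
dn: uid=jsmith,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: jsmith
cn: John Smith
sn: Smith
givenName: John
mail: [email protected]
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/jsmith
loginShell: /bin/bash
userPassword: ${HASHED_PASS}
shadowLastChange: ${LAST_CHANGE}
shadowMax: 99999
shadowWarning: 7
EOF
# uidNumber/gidNumber must be unique in the directory and must not collide
# with local accounts on any client; gidNumber 10001 is the sysadmins group
# created in the next step.

# -x is a simple bind: the admin password is sent in clear text, so run this
# on the server itself (ldap://localhost) or switch -H to ldaps://.
ldapadd -x \
  -H ldap://localhost \
  -D "cn=admin,dc=example,dc=com" \
  -W \
  -f "$USER_LDIF"
rm -f -- "$USER_LDIF"
unset HASHED_PASS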

Add a Group

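# The LDIF holds no secret, but a fixed name under /tmp is still avoided:
# mktemp gives an unpredictable, 0600 file.
GROUP_LDIF=$(mktemp) || exit 1
cat > "$GROUP_LDIF" << 'EOF'
dn: cn=sysadmins,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: sysadmins
gidNumber: 10001
memberUid: jsmith
memberUid: anotheruser
EOF
# gidNumber 10001 is also jsmith's primary group (gidNumber in the user entry),
# so the two must stay consistent. memberUid values are plain strings; slapd
# does not check that "anotheruser" exists as a user.

ldapadd -x \
  -H ldap://localhost \
  -D "cn=admin,dc=example,dc=com" \
  -W \
  -f "$GROUP_LDIF"
rm -f -- "$GROUP_LDIF"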

Useful Search Commands

# Shared bind settings for the searches below (-W prompts for the admin password).
uri=ldap://localhost
admin_dn="cn=admin,dc=example,dc=com"
users_base="ou=users,dc=example,dc=com"
groups_base="ou=groups,dc=example,dc=com"

# Look up a single user by uid
ldapsearch -x -H "$uri" -b "$users_base" -D "$admin_dn" -W "(uid=jsmith)"

# Every POSIX account, returning only uid, cn and mail
ldapsearch -x -H "$uri" -b "$users_base" -D "$admin_dn" -W \
  "(objectClass=posixAccount)" uid cn mail

# Every POSIX group
ldapsearch -x -H "$uri" -b "$groups_base" -D "$admin_dn" -W \
  "(objectClass=posixGroup)"

Enabling TLS Encryption

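# Generate TLS certificates (use Let's Encrypt or self-signed).
# This section uses apt, i.e. Debian/Ubuntu paths and the openldap user;
# RPM-based installs run slapd as the ldap user.
sudo apt-get install -y gnutls-bin ssl-cert

# For production, use Let's Encrypt. Standalone mode needs port 80 reachable
# from the internet during issuance and every renewal.
sudo apt-get install -y certbot
sudo certbot certonly --standalone -d ldap.example.com

# Copy the certificate and key into place with explicit ownership and mode;
# the private key must never be group- or world-readable.
sudo install -m 644 -o root -g root \
  /etc/letsencrypt/live/ldap.example.com/fullchain.pem /etc/ssl/certs/ldap.crt
sudo install -m 600 -o openldap -g openldap \
  /etc/letsencrypt/live/ldap.example.com/privkey.pem /etc/ssl/private/ldap.key
# On Ubuntu /etc/ssl/private is traversable only by root and the ssl-cert
# group (set up by the ssl-cert package), so let slapd reach its key.
sudo usermod -aG ssl-cert openldap

# Let's Encrypt certificates expire after 90 days: repeat the copy and restart
# slapd on every renewal, otherwise LDAPS silently breaks when the cert expires.
sudo tee /etc/letsencrypt/renewal-hooks/deploy/slapd.sh > /dev/null << 'EOF'
#!/bin/sh
set -eu
install -m 644 -o root -g root /etc/letsencrypt/live/ldap.example.com/fullchain.pem /etc/ssl/certs/ldap.crt
install -m 600 -o openldap -g openldap /etc/letsencrypt/live/ldap.example.com/privkey.pem /etc/ssl/private/ldap.key
systemctl restart slapd
EOF
sudo chmod 755 /etc/letsencrypt/renewal-hooks/deploy/slapd.sh

# Configure TLS in slapd. "replace" (rather than "add") keeps the LDIF safe to
# re-apply when the attributes are already set. All three are changed in one
# operation so slapd never sees a certificate without its key.
TLS_LDIF=$(mktemp) || exit 1
cat > "$TLS_LDIF" << 'EOF'
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/ca-certificates.crt
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/ldap.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/ldap.key
EOF

sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f "$TLS_LDIF"
rm -f -- "$TLS_LDIF"

# Enable the LDAPS listener (636). Replace the existing SLAPD_SERVICES line
# instead of appending a second one to /etc/default/slapd.
if grep -q '^SLAPD_SERVICES=' /etc/default/slapd; then
  sudo sed -i 's|^SLAPD_SERVICES=.*|SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///"|' /etc/default/slapd
else
  echo 'SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///"' | sudo tee -a /etc/default/slapd > /dev/null
fi

sudo systemctl restart slapd

# Test LDAPS. The simple bind (-x) is now protected by TLS; the search fails if
# the client cannot verify the server certificate against its CA store.
ldapsearch -x -H ldaps://ldap.example.com \
  -b "dc=example,dc=com" \
  -D "cn=admin,dc=example,dc=com" -W \
  "(objectClass=*)"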

Configuring Linux Clients

Install and configure SSSD on client servers to authenticate via LDAP:

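# Install on Ubuntu/Debian clients
sudo apt-get install -y sssd sssd-ldap libpam-sss libnss-sss

# Install on CentOS/Rocky clients
sudo dnf install -y sssd sssd-ldap

# Create the SSSD configuration. Pre-create the file root-owned and 0600 so the
# bind password written below is never world-readable, not even between tee
# and a later chmod; sssd also rejects a config file with looser permissions.
sudo install -m 600 -o root -g root /dev/null /etc/sssd/sssd.conf
sudo tee /etc/sssd/sssd.conf > /dev/null << 'EOF'
[sssd]
domains = LDAP
config_file_version = 2
services = nss, pam

[domain/LDAP]
id_provider = ldap
auth_provider = ldap

ldap_uri = ldaps://ldap.example.com
ldap_search_base = dc=example,dc=com
# Bind account used for lookups. This guide does not create it: add the entry
# with read-only access and replace the placeholder password. The value is
# stored in plain text, which is why this file must stay root-owned and 0600.
ldap_default_bind_dn = cn=readonly,dc=example,dc=com
ldap_default_authtok = readonly_password

ldap_user_search_base = ou=users,dc=example,dc=com
ldap_group_search_base = ou=groups,dc=example,dc=com

# Always verify the server certificate; use the distro CA bundle
# (on CentOS/Rocky the bundle is /etc/pki/tls/certs/ca-bundle.crt)
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt

# Where home directories live; they are created on first login by the
# mkhomedir PAM module enabled below, not by this setting
override_homedir = /home/%u
EOF

# Enable PAM to use SSSD and create home directories on first login.
# Ubuntu/Debian:
sudo pam-auth-update --enable mkhomedir
# CentOS/Rocky (with-mkhomedir relies on oddjobd; --force overwrites any
# hand-edited PAM/nsswitch files):
sudo authselect select sssd with-mkhomedir --force
sudo systemctl enable --now oddjobd

sudo systemctl enable --now sssd

# Test LDAP resolution
id jsmith
getent passwd jsmith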

Managing Users

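# Shared settings for the admin operations below. Use LDAPS (as the password
# change already did) so the admin password from -W is never sent in clear text;
# plain ldap://localhost is acceptable only when run on the server itself.
LDAP_URI=ldaps://ldap.example.com
ADMIN_DN="cn=admin,dc=example,dc=com"
USER_DN="uid=jsmith,ou=users,dc=example,dc=com"
GROUP_DN="cn=sysadmins,ou=groups,dc=example,dc=com"

# Change a user's password (-S prompts for the new one, -W for the admin's)
ldappasswd -x -H "$LDAP_URI" -D "$ADMIN_DN" -W -S "$USER_DN"

# Add a user to a group. The LDIF goes to a 0600 temp file with an
# unpredictable name rather than a fixed path in /tmp.
LDIF=$(mktemp) || exit 1
cat > "$LDIF" << EOF
dn: ${GROUP_DN}
changetype: modify
add: memberUid
memberUid: newuser
EOF
ldapmodify -x -H "$LDAP_URI" -D "$ADMIN_DN" -W -f "$LDIF"

# Disable (lock) a user account. Replacing the login shell alone only stops
# interactive shells: the password still binds successfully, so anything that
# authenticates by LDAP bind keeps accepting it. Also expire the account and
# reset the password to a value the user does not know.
cat > "$LDIF" << EOF
dn: ${USER_DN}
changetype: modify
replace: loginShell
loginShell: /sbin/nologin
-
replace: shadowExpire
shadowExpire: 1
EOF
ldapmodify -x -H "$LDAP_URI" -D "$ADMIN_DN" -W -f "$LDIF"
# shadowExpire (days since the epoch; 1 is long past) is enforced by clients,
# not by slapd: in sssd.conf set access_provider = ldap,
# ldap_access_order = expire and ldap_account_expire_policy = shadow
# (see sssd-ldap(5)). With neither -s nor -S the server generates a random new
# password and prints it, invalidating the old one everywhere.
ldappasswd -x -H "$LDAP_URI" -D "$ADMIN_DN" -W "$USER_DN"

# Delete a user. posixGroup has no referential integrity: remove the memberUid
# first or the group keeps a dangling reference to the deleted uid (the modify
# fails harmlessly if jsmith is not a member).
cat > "$LDIF" << EOF
dn: ${GROUP_DN}
changetype: modify
delete: memberUid
memberUid: jsmith
EOF
ldapmodify -x -H "$LDAP_URI" -D "$ADMIN_DN" -W -f "$LDIF"
ldapdelete -x -H "$LDAP_URI" -D "$ADMIN_DN" -W "$USER_DN"
rm -f -- "$LDIF"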

Troubleshooting

slapd won't start

# Validate the on-disk configuration without starting the daemon (-u: dry run),
# then read the most recent service log lines for the actual startup error.
unit=slapd
sudo slaptest -u
sudo journalctl -u "$unit" --since "5 minutes ago"

Authentication fails on client

# Bind to the directory as the user, bypassing SSSD; -W prompts for jsmith's
# password and a working bind echoes the user's own DN.
user_dn="uid=jsmith,ou=users,dc=example,dc=com"
ldapwhoami -x -H ldaps://ldap.example.com -D "$user_dn" -W

# Follow the SSSD journal while retrying the login (Ctrl-C to stop following),
# then let SSSD report what it knows about the user.
sudo journalctl -u sssd -f
sudo sssctl user-checks jsmith

TLS certificate errors

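# Test the TLS handshake *and* certificate verification. -servername sends SNI,
# -CAfile verifies against the bundle the clients trust, and -verify_return_error
# makes a failed verification abort with a non-zero exit instead of being printed
# and then ignored. Look for "Verify return code: 0 (ok)" in the output.
openssl s_client -connect ldap.example.com:636 \
  -servername ldap.example.com \
  -CAfile /etc/ssl/certs/ca-certificates.crt \
  -verify_return_error < /dev/null

# Check the certificate's validity window
openssl x509 -in /etc/ssl/certs/ldap.crt -noout -dates
# Confirm the names in the certificate match the hostname clients connect to
# (clients with ldap_tls_reqcert = demand reject a mismatch)
openssl x509 -in /etc/ssl/certs/ldap.crt -noout -subject -ext subjectAltName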

User not found on client

# Drop every cached entry (-E), restart the daemon and look the user up again
# so the answer comes from the directory rather than the local cache.
sudo sss_cache -E
sudo systemctl restart sssd
getent passwd jsmith

Conclusion

OpenLDAP provides a robust, open-source centralized authentication solution for Linux environments that scales from small teams to large organizations. Pairing it with SSSD on client machines and TLS encryption ensures secure, reliable authentication across your entire server fleet from a single directory source.