Install OpenLDAP in CentOS

1. Prepare

First, install the packages

yum -y install openldap openldap-clients openldap-servers<

Verify that LDAP ports are free

netstat -tlnp | egrep "389|636"<

Setup certificate authority as described here< and obtain the CA certificate /etc/pki/ca/ca.crt.

Create SSL certificate for LDAP server as described here< and obtain certificate /etc/pki/ldap/server.cert and key /etc/pki/ldap/server.key.

2. Setup LDAP server

Configure Berkeley database

cp /etc/openldap/DB_CONFIG.example /etc/openldap/DB_CONFIG
ln -s /etc/openldap/DB_CONFIG /var/lib/ldap/

Setup slapd password

mv /etc/openldap/slapd.conf /etc/openldap/slapd.conf.orig
slappasswd > /etc/openldap/slapd.conf

Edit /etc/openldap/slapd.conf

include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema

allow bind_v2

pidfile         /var/run/openldap/
argsfile        /var/run/openldap/slapd.args

TLSCACertificateFile  /etc/pki/ca/ca.crt
TLSCertificateFile    /etc/pki/ldap/server.crt
TLSCertificateKeyFile /etc/pki/ldap/server.key
#TLSVerifyClient never

# require secure connections only (LDAP+StartTLS or LDAPS)
security ssf=128
password-hash {SSHA}

access to attrs=userPassword by self write by * auth
access to * by self write by users read by anonymous none

database  bdb
suffix    ""
rootdn    "cn=root,"
rootpw    {SSHA}dYFhmHySSrpCR5WUF3KlpWY8N1v8ltZ/

directory       /var/lib/ldap

index objectClass             eq,pres
index ou,cn,mail              eq,pres,sub
index uidNumber,gidNumber     eq,pres
index uid,memberUid           eq,pres,sub

Since the file contains root LDAP password, even in encrypted form, noone but slapd daemon should have access to it:

 cd /etc/openldap
chown root:ldap slapd.conf
chmod 640 slapd.conf 

Enable LDAPS in /etc/sysconfig/ldap


Start the service

chkconfig ldap on
service ldap restart

Create bundle of server certificates

cat /etc/pki/ca/ca.crt /etc/pki/ldap/server.crt >> /etc/openldap/cacerts.pem
cd /etc/openldap/cacerts
cp /etc/pki/ca/ca.crt .
ln -s ca.crt `cat ca.crt | openssl x509 -hash -noout`.0

3. Configure LDAP client

Edit /etc/openldap/ldap.conf

URI  ldaps://
 TLS_CACERTDIR  /etc/openldap/cacerts
TLS_CACERT  /etc/openldap/cacerts.pem
DEREF  never

4. Initialize LDAP database

 Import an initial LDAP tree from a file like attached below<:

ldapadd -D cn=root, -x -w ROOTPASS -f /path/to/dump.ldif<

Remember the line "access to * ... by anonymous none". It is a good practice to prevent browsing your directory by anonymous users from outside. One needs a LDAP account to browse the directory. Unfortunately the standard NSS PAM LDAP LDAP library bundled with such Linuxes as Ubuntu or CentOS takes credentials of such an account from the /etc/ldap.conf file which is readable by every user logged on to the machine. Apparently we cannot use a real login account for this, or everybody on the system would know its password.

Let's create a special LDAP entry just to password-protect LDAP reads. Run the shell script< attached to this page:

 sh browse secretpass > temp.ldif
ldapadd -D cn=root, -x -w ROOTPASS -f temp.ldif<

The first argument is your LDAP search base. The second argument gives a CN name of the created entry. The last one is the password. The new entry will be similar to this:

 dn: cn=browse,
cn: browse
sn: browse
objectClass: top
objectClass: person
userPassword:: e1NxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxKT3IK 

Now verify the results:

ldapsearch -D cn=root, -x -w ROOTPASS -LLL '(cn=ibunin)' 'cn'<

Repeat the test with your browsing user "-D cn=browse," and check the results.

You are done.