Installation

$ dnf install openldap-servers

Configuring Database

To create the OpenLDAP database configuration:

$ cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
$ chown ldap.ldap /var/lib/ldap/DB_CONFIG

Systemd Service

Create /etc/systemd/system/slapd.service:

$ cp /usr/lib/systemd/system/slapd.service /etc/systemd/system

To change the port numbers, edit /etc/systemd/system/slapd.service, for example:

ExecStart=/usr/sbin/slapd -u ldap -h "ldap://:10389/ ldaps://:10636/ ldapi:///"

or use the following command:

$ sed -i 's/ExecStart=.*/ExecStart=\/usr\/sbin\/slapd -u ldap -h "ldap:\/\/:10389\/ ldaps:\/\/:10636\/ ldapi:\/\/\/"/' /etc/systemd/system/slapd.service

If SELinux is enabled, enable the new ports:

$ semanage port -a -t ldap_port_t -p tcp 10389
$ semanage port -a -t ldap_port_t -p tcp 10636

To start the systemd service:

$ systemctl start slapd

To run the server in the foreground:

$ /usr/sbin/slapd -d any -u ldap -h "ldap://:10389/ ldaps://:10636/ ldapi:///"

To monitor the systemd logs:

$ journalctl -fu slapd
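
The port change above can be scripted so that the port numbers are validated before they land in the unit file. The following shell functions are an added example, not part of the original page: `slapd_exec_start` builds the ExecStart line for a given ldap:// and ldaps:// port pair (keeping ldapi:/// so that `-Y EXTERNAL` administration over the Unix socket keeps working), and `apply_slapd_ports` writes it into the unit copy, reloads systemd (systemd does not pick up an edited unit file without `daemon-reload`), labels the ports for SELinux and restarts slapd. The paths /usr/sbin/slapd and /etc/systemd/system/slapd.service are taken from the page; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): validate custom slapd ports,
# build the ExecStart line and apply it to the copied unit file.

# Return 0 if $1 is a valid TCP port number (1..65535), 1 otherwise.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the ExecStart line for the given ldap:// ($1) and ldaps:// ($2) ports.
# ldapi:/// is always kept so that -Y EXTERNAL admin access over the socket
# still works after the change.
slapd_exec_start() {
    ldap_port=$1
    ldaps_port=$2
    valid_port "$ldap_port"  || { echo "invalid ldap port: $ldap_port" >&2; return 1; }
    valid_port "$ldaps_port" || { echo "invalid ldaps port: $ldaps_port" >&2; return 1; }
    [ "$ldap_port" != "$ldaps_port" ] || { echo "ldap and ldaps ports must differ" >&2; return 1; }
    printf 'ExecStart=/usr/sbin/slapd -u ldap -h "ldap://:%s/ ldaps://:%s/ ldapi:///"\n' \
        "$ldap_port" "$ldaps_port"
}

# Apply the new ExecStart line to /etc/systemd/system/slapd.service, reload
# systemd, label the ports for SELinux and restart slapd. Needs root.
apply_slapd_ports() {
    unit=/etc/systemd/system/slapd.service
    line=$(slapd_exec_start "$1" "$2") || return 1
    # '|' is used as the sed delimiter so the slashes in the URLs need no escaping.
    sed -i "s|^ExecStart=.*|$line|" "$unit"
    # Unit files are only re-read after daemon-reload.
    systemctl daemon-reload
    if command -v semanage >/dev/null 2>&1; then
        # -a fails if the port is already defined; fall back to modifying it.
        for p in "$1" "$2"; do
            semanage port -a -t ldap_port_t -p tcp "$p" 2>/dev/null ||
                semanage port -m -t ldap_port_t -p tcp "$p"
        done
    fi
    systemctl restart slapd
}

# Usage (as root):  apply_slapd_ports 10389 10636
```

`slapd_exec_start` is pure (it only prints), so it can be checked without root; `apply_slapd_ports` is the part that touches the system.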

Importing Schema

To import the schema files:

$ ldapadd -H ldapi:/// -Y EXTERNAL -f /etc/openldap/schema/cosine.ldif
$ ldapadd -H ldapi:/// -Y EXTERNAL -f /etc/openldap/schema/nis.ldif
$ ldapadd -H ldapi:/// -Y EXTERNAL -f /etc/openldap/schema/inetorgperson.ldif

To verify the loaded schema:

$ ldapsearch -H ldapi:/// -Y EXTERNAL -b "cn=Subschema" -s base +

Alternatively:

$ ldapsearch -H ldapi:/// -Y EXTERNAL -b "cn={4}acme,cn=schema,cn=config"

Configuring Root User

To create the OpenLDAP admin password hash:

$ slappasswd
xxxxxxxxxxxxxxxxxxxxxxxx

Prepare an LDIF file (e.g. root.ldif):

dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: xxxxxxxxxxxxxxxxxxxxxxxx

Execute the following command:

$ ldapmodify -H ldapi:/// -Y EXTERNAL -f root.ldif

Creating New Domain

Prepare an LDIF file (e.g. domain.ldif):

dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
  read by dn.base="cn=Manager,dc=example,dc=com" read by * none

dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=example,dc=com

dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=example,dc=com

dn: olcDatabase={2}mdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: xxxxxxxxxxxxxxxxxxxxxxxx

dn: olcDatabase={2}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by
  dn="cn=Manager,dc=example,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=example,dc=com" write by * read

Then execute the following command:

$ ldapmodify -H ldapi:/// -Y EXTERNAL -f domain.ldif

Adding Base Entries

Prepare an LDIF file (e.g. base.ldif):

dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: Example
dc: example

dn: cn=Manager,dc=example,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=example,dc=com
objectClass: organizationalUnit
ou: Group

dn: dc=pki,dc=example,dc=com
objectClass: dcObject
objectClass: organization
o: PKI
dc: pki

Then execute the following command:

$ ldapadd -H ldap://$HOSTNAME:10389/ -x -D cn=Manager,dc=example,dc=com -w Secret.123 -f base.ldif
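
Both domain.ldif and base.ldif above are derived from three values: the suffix, the manager DN and the password hash. The following shell functions are an added example, not part of the original page, that generate both files from those values with the same ACLs the page uses, so the `xxxxxxxx` placeholder cannot be left in by accident and a cleartext password is refused where a slappasswd hash is expected. `ldif_line` folds long lines the way RFC 2849 requires (a continuation line starts with one space), which is why the page's folded olcAccess lines begin with two spaces: the fold marker plus the value's own space. Assumed, as on the page: the monitor database is `{1}monitor`, the data database is `{2}mdb`, and the manager DN is a `cn=` RDN directly under the suffix; the function names and the sample hash are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): generate domain.ldif and
# base.ldif for a given suffix instead of hand-editing placeholders.

# Print one "attr: value" LDIF line, folded at $3 (default 76) characters per
# RFC 2849. Continuation lines start with exactly one space. ASCII values only.
ldif_line() {
    attr=$1; value=$2; width=${3:-76}
    line="$attr: $value"
    while [ ${#line} -gt "$width" ]; do
        printf '%s\n' "$(printf '%s' "$line" | cut -c1-"$width")"
        line=" $(printf '%s' "$line" | cut -c"$((width + 1))-")"
    done
    printf '%s\n' "$line"
}

# Emit domain.ldif for SUFFIX ($1), MANAGER_DN ($2) and PW_HASH ($3) on stdout.
gen_domain_ldif() {
    suffix=$1; manager=$2; pwhash=$3
    # olcRootPW must carry the {SSHA}... hash printed by slappasswd, never the
    # cleartext secret; refuse anything that does not look like a hash.
    case "$pwhash" in
        '{'*'}'*) ;;
        *) echo "gen_domain_ldif: PW_HASH must be a slappasswd hash" >&2; return 1 ;;
    esac
    # Monitor database: readable by local root (ldapi peer credentials) and
    # the manager; nobody else.
    printf 'dn: olcDatabase={1}monitor,cn=config\nchangetype: modify\nreplace: olcAccess\n'
    ldif_line olcAccess "{0}to * by dn.base=\"gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\" read by dn.base=\"$manager\" read by * none"
    printf '\n'
    printf 'dn: olcDatabase={2}mdb,cn=config\nchangetype: modify\nreplace: olcSuffix\n'
    ldif_line olcSuffix "$suffix"
    printf '\n'
    printf 'dn: olcDatabase={2}mdb,cn=config\nchangetype: modify\nreplace: olcRootDN\n'
    ldif_line olcRootDN "$manager"
    printf '\n'
    printf 'dn: olcDatabase={2}mdb,cn=config\nchangetype: modify\nadd: olcRootPW\n'
    ldif_line olcRootPW "$pwhash"
    printf '\n'
    # ACLs are evaluated in {n} order and the first matching "to" clause wins,
    # so the userPassword rule must precede the catch-all "to *".
    # "by anonymous auth" lets an unauthenticated client use userPassword only
    # to bind, not to read it; "by self write" lets users change their own.
    printf 'dn: olcDatabase={2}mdb,cn=config\nchangetype: modify\nadd: olcAccess\n'
    ldif_line olcAccess "{0}to attrs=userPassword,shadowLastChange by dn=\"$manager\" write by anonymous auth by self write by * none"
    ldif_line olcAccess '{1}to dn.base="" by * read'
    ldif_line olcAccess "{2}to * by dn=\"$manager\" write by * read"
}

# Emit base.ldif for SUFFIX ($1), MANAGER_DN ($2) and ORG ($3, the o: value).
gen_base_ldif() {
    suffix=$1; manager=$2; org=$3
    dc=${suffix%%,*}; dc=${dc#dc=}      # dc=example,dc=com -> example
    cn=${manager%%,*}; cn=${cn#cn=}     # cn=Manager,...    -> Manager
    printf 'dn: %s\nobjectClass: top\nobjectClass: dcObject\nobjectClass: organization\no: %s\ndc: %s\n\n' \
        "$suffix" "$org" "$dc"
    printf 'dn: %s\nobjectClass: organizationalRole\ncn: %s\ndescription: Directory Manager\n\n' \
        "$manager" "$cn"
    for ou in People Group; do
        printf 'dn: ou=%s,%s\nobjectClass: organizationalUnit\nou: %s\n\n' "$ou" "$suffix" "$ou"
    done
}

# Usage (hypothetical values):
#   gen_domain_ldif dc=example,dc=com cn=Manager,dc=example,dc=com "$(slappasswd)" > domain.ldif
#   ldapmodify -H ldapi:/// -Y EXTERNAL -f domain.ldif
#   gen_base_ldif dc=example,dc=com cn=Manager,dc=example,dc=com Example > base.ldif
#   ldapadd -H ldap://$HOSTNAME:10389/ -x -D cn=Manager,dc=example,dc=com -W -f base.ldif
```

The usage line binds with `-W` (prompt for the password) rather than `-w Secret.123`, so the manager password does not end up in the shell history or in the process list. The base entries are added as the manager over ldap://, not with `-Y EXTERNAL` over ldapi:///, because the `{2}mdb` ACLs generated above give the local root identity read access only.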

See Also