OpenLDAP configuration for Linux made easy

OpenLDAP is a simple, free, fully functional alternative to Active Directory. Follow these steps to set up OpenLDAP on Linux platforms.

For some, a corporate directory server is synonymous with Active Directory. Alternatives such as OpenLDAP are free and provide the same functionality on Linux and other platforms. And OpenLDAP configuration on Linux is easy.

This open source Lightweight Directory Access Protocol (LDAP) comes in the default package for many Linux distributions. While this tip specifically addresses an OpenLDAP server on Red Hat Enterprise Linux and similar distributions, these steps will work on other distributions with some differences, such as directory locations and some code.

To configure a basic OpenLDAP server, install the OpenLDAP software, configure the LDAP process to service your needs then run the server. Once you've accomplished these steps, you can continue and add information to the LDAP database.

Basic OpenLDAP installation and configuration

Installing OpenLDAP is not hard. Run the following command to install everything you need on your server:

yum install -y openldap openldap-clients openldap-servers

This will copy about 5 megabytes of files to your Linux server, after which you can start configuration. In contrast to other services, the latest version of OpenLDAP doesn't contain a configuration file, though on some older installations you may still find one with the name /etc/openldap/slapd.conf. Instead, it uses a configuration directory, which is organized in typical LDAP fashion. You'll have to run some specific utilities against this directory to configure it how you like.

In most cases, you don't need to change anything from the default configuration that is specified in /etc/openldap/slapd.d/cn=config.ldif.

The configuration information for the LDAP is stored in a Lightweight Directory Interchange format (LDIF) file. LDIF is a specific format that allows you to enter information into the LDAP Directory. You'll use this format later when adding users and other entries to the database, and you'll use this format to change the basic OpenLDAP configuration of your server.

Apart from the basic LDAP parameters that you'll use to specify items like the number of connections the server can support or the timeouts it should apply, there are some database-specific settings as well in /etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif. These contain parameters like the LDAP root user and the base domain name, which is the starting point from where LDAP searches out information.

Changing the basic OpenLDAP configuration

To change a few basic parameters for your LDAP server, start by opening a root terminal, then type service slapd stop. You'll probably get a FAILED message as the service wasn't running yet, but it's important to make sure the LDAP service is stopped before modifying its configuration.

Use a text or code editor to open the file /etc/openldap/slapd.d/cn=config.ldif and find the parameter oldConnMaxPending, which specifies the maximum amount of pending requests, 100 by default. If you want to configure the LDAP server to offer unauthenticated access to its information, reset this parameter a bit higher to 200.

Now find the olcIdleTimeout parameter. This specifies how long the LDAP server waits before closing an idle session; default is 180. If your LDAP server suffers from performance problems, cut this time in half by changing the default value to 90.

Locate the olcReferral parameter. You're not going to change it right now, but with this parameter you can tell your LDAP server to check another LDAP server if it can't find specific information. Use the URL format to refer to the other server, as in olcReferral: ldap://server.example.com. You can now close the cn=config.ldif file and write your changes, finishing basic configuration for your LDAP server.

Now, to change some parameters in the LDAP database backend, open /etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif with a text or code editor. Create a dedicated root user account that has permissions to change information in the LDAP database. Look for the parameter olcRootDN and change it to something like: olcRootDN: cn=linda,dc=example,dc=com.

Open a second terminal window and enter the slappasswd command to create a hash for the root password you want to use. Back in the cn=config.ldif file, find the olcRootPW parameter and copy the hashed password to the argument of this parameter (see Example 1).

Example 1. Setting a Password for the LDAP Root User

[[email protected] ~]# slappasswd

New password:

Re-enter new password:


olcRootPW: {SSHA}mrMb/MJ30amKUnP3KYP0Mz9KNBfAB8pQ

Search the olcSuffix directory and make sure it has the default, fully qualified domain name that you want to use to start LDAP searches. To set this domain to dc=example,dc=com, type olcSuffix: dc=example,dc=com. Use something logical and easy to remember, like the DNS name for your organization. Save and close the editor with the configuration file.

Use service slapd restart to restart the LDAP server. Ensure that the slapd process starts automatically when your server boots with chkconfig slapd on.

Go forth and populate the LDAP database, and integrate LDAP with the network file system.

About the author:

Sander van Vugt is an independent trainer and consultant based in the Netherlands. He is an expert in Linux high availability, virtualization and performance. He has authored many books on Linux topics, including Beginning the Linux Command LineBeginning Ubuntu LTS Server Administration and Pro Ubuntu Server Administration.

[email protected]

Dig Deeper on Linux servers