RHEL6 openldap server

Please note that all double quote characters in this example are plain ASCII " characters, not typographical ones! If you copy and paste from this page, check that your browser or editor has not turned them into curly quotes, because slapd and the ldap* tools reject those.

Step 1: First we need to install the required packages:

# yum install openldap-servers migrationtools

Step 2: The configuration of the LDAP server is stored inside the LDAP server itself (cn=config), so it is done by editing the LDIF files under the /etc/openldap/slapd.d/ directory.

Now create the password hash for the LDAP administrator:

# slappasswd

You'll get something like "{SSHA}r2or9f2vYlvieCu0LP6wTnSdYfrddsuV" as a result. This is the string we will add to the bdb.ldif config file (only the hash goes there, never the clear-text password).

# vim /etc/openldap/slapd.d/cn=config/olcDatabase={1}bdb.ldif

Substitute my-domain.com with yourdomain.com. This changes both olcSuffix and olcRootDN, and the two must stay consistent: slapd refuses an olcRootPW whose rootdn is not under the suffix.

:%s/dc=my-domain,dc=com/dc=yourdomain,dc=com/g

Step 3: We now set the admin password and specify the location of our TLS certificate and key.

Add these three lines at the end of the bdb.ldif file (the olcRootPW value is the hash slappasswd printed above):

olcRootPW: {SSHA}r2or9f2vYlvieCu0LP6wTnSdYfrddsuV
olcTLSCertificateFile: /etc/pki/tls/certs/slapdcert.pem
olcTLSCertificateKeyFile: /etc/pki/tls/certs/slapdkey.pem

Step 4: Now we have to specify the monitoring privileges

# vim /etc/openldap/slapd.d/cn=config/olcDatabase={2}monitor.ldif

Again, we have to replace the default domain name with our domain name:

:%s/cn=manager,dc=my-domain,dc=com/cn=Manager,dc=yourdomain,dc=com/g

Step 5: Now it's time for the database cache

# updatedb

# cp /usr/share/doc/openldap-servers-2.4.19/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

(Adjust the version number in the path to the openldap-servers package that is actually installed.)

# chown -Rf ldap:ldap /var/lib/ldap/

Step 6: Now we will need to set up a certificate for TLS. First we need to edit /etc/sysconfig/ldap and change SLAPD_LDAPS from no to yes.

#vi /etc/sysconfig/ldap
SLAPD_LDAPS=yes

Now we can create the self-signed certificate and its private key:

#openssl req -new -x509 -nodes -out /etc/pki/tls/certs/slapdcert.pem -keyout /etc/pki/tls/certs/slapdkey.pem -days 365

This creates the certificate and the private key in the /etc/pki/tls/certs/ directory. The ldap user must be able to read both, and nobody else should be able to read the private key:

# chown root:ldap /etc/pki/tls/certs/slapdcert.pem /etc/pki/tls/certs/slapdkey.pem
# chmod 640 /etc/pki/tls/certs/slapdkey.pem

Step 7: Time to test our configuration

# slaptest -u
config file testing succeeded

Step 8: Start the LDAP server

# service slapd start

Let's check if our LDAP server really works:

# ldapsearch -x -b "dc=yourdomain,dc=com"

If the output ends with "search: 2" then you're on track! A "result: 32 No such object" at this point is expected, because the base entry is only added in the next step.

Step 9: Configure the base domain

Create the file base.ldif in your working directory (it is not shipped with the packages). Its entries have to live under the suffix we set in bdb.ldif, so use the same dc=yourdomain,dc=com here:

# vi base.ldif

dn: dc=yourdomain,dc=com
dc: yourdomain
objectClass: top
objectClass: domain

dn: ou=People,dc=yourdomain,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=yourdomain,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit

Now we import our base information into the LDAP directory:

# ldapadd -x -W -D "cn=Manager,dc=yourdomain,dc=com" -f base.ldif

Step 10: Let's migrate the users

Go to the directory /usr/share/migrationtools and edit the file migrate_common.ph:

# vim /usr/share/migrationtools/migrate_common.ph

Set:
# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "yourdomain.com";
# Default base
$DEFAULT_BASE = "dc=yourdomain,dc=com";

Now export the local users and groups (the grep picks the accounts with IDs in the 500 range, i.e. the regular users on RHEL6), convert them to LDIF and load them. The group entries produced by migrate_group.pl already use ou=Group, which matches base.ldif:

# grep ":5[0-9][0-9]" /etc/passwd > passwd
# grep ":5[0-9][0-9]" /etc/group > group
# ./migrate_passwd.pl passwd > users.ldif
# ./migrate_group.pl group > group.ldif
# ldapadd -x -W -D "cn=Manager,dc=yourdomain,dc=com" -f users.ldif
# ldapadd -x -W -D "cn=Manager,dc=yourdomain,dc=com" -f group.ldif

Step 11: Testing the LDAP server. We check if user mani exists:

# ldapsearch -x "cn=mani" -b "dc=yourdomain,dc=com"

If the test is successful you're done 🙂
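As an added check that is not part of the original how-to: a POSIX shell preflight that reads olcSuffix, olcRootDN and olcRootPW from the edited bdb.ldif and validates base.ldif against them, so the "can only be set when rootdn is under suffix", "No such object" and "invalid DN" errors discussed in the comments surface before slaptest or ldapadd. File names follow the tutorial; the LDIF samples are constructed inline.

```shell
#!/bin/sh
# Preflight for the bdb.ldif / base.ldif pair from this how-to (added example,
# not part of the original post). It flags, before slaptest or ldapadd do, the
# mistakes the comments keep hitting: olcRootDN outside olcSuffix, base.ldif
# entries outside it (dc=net vs dc=com), pasted typographic quotes, clear-text olcRootPW.

# ldif_attr FILE ATTR: print the value of the first ATTR in FILE, joining the
# one-space continuation lines that slapd writes into slapd.d/.
ldif_attr() {
    awk -v want="$2" '
        function emit(    k, v) {
            k = buf; sub(/:.*/, "", k)
            if (!done && tolower(k) == tolower(want)) {
                v = buf; sub(/^[^:]*:[ \t]*/, "", v); print v; done = 1
            }
        }
        /^ / { buf = buf substr($0, 2); next }   # folded continuation line
        { if (buf != "") emit(); buf = $0 }
        END { if (buf != "") emit() }
    ' "$1"
}

# norm_dn DN: lower-case and drop spaces after commas so two spellings of the
# same DN compare equal (simplified: escaped commas are not handled).
norm_dn() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/, */,/g; s/^ *//; s/ *$//'
}

# dn_under DN SUFFIX: true if DN equals SUFFIX or lies below it.
dn_under() {
    d=$(norm_dn "$1"); s=$(norm_dn "$2")
    [ -n "$s" ] || return 1
    [ "$d" = "$s" ] && return 0
    case "$d" in *",$s") return 0 ;; esac
    return 1
}

# has_curly_quotes FILE: true if FILE holds UTF-8 typographic quotes (U+2018,
# U+2019, U+201C, U+201D), which slapd and the ldap* tools reject as invalid DN.
has_curly_quotes() {
    pat=$(printf '\342\200\230|\342\200\231|\342\200\234|\342\200\235')
    LC_ALL=C grep -Eq "$pat" "$1"
}

# check_setup CONFIG_LDIF BASE_LDIF: run every check, print each finding and
# return 0 only when the pair is consistent.
check_setup() {
    cfg=$1; base=$2; rc=0
    suffix=$(ldif_attr "$cfg" olcSuffix)
    rootdn=$(ldif_attr "$cfg" olcRootDN)
    rootpw=$(ldif_attr "$cfg" olcRootPW)
    if ! dn_under "$rootdn" "$suffix"; then
        echo "FAIL: olcRootDN '$rootdn' is not under olcSuffix '$suffix'"; rc=1
    fi
    case "$rootpw" in
        "{SSHA}"*) ;;   # hashed with slappasswd, as the how-to intends
        "")  echo "FAIL: olcRootPW missing from $cfg"; rc=1 ;;
        *)   echo "FAIL: olcRootPW is not an {SSHA} hash (clear text?)"; rc=1 ;;
    esac
    for f in "$cfg" "$base"; do
        if has_curly_quotes "$f"; then
            echo "FAIL: typographic quotes in $f (use plain ASCII quotes)"; rc=1
        fi
    done
    # Every entry in base.ldif must sit under the database suffix, otherwise
    # ldapadd answers "No such object" (the dc=net versus dc=com trap).
    grep -i '^dn:' "$base" | sed 's/^[dD][nN]: *//' | while read -r dn; do
        dn_under "$dn" "$suffix" || echo "FAIL: '$dn' in $base is not under '$suffix'"
    done | grep . && rc=1
    return $rc
}

# Constructed samples: the good pair is what bdb.ldif and base.ldif should look
# like for yourdomain.com; the bad pair reproduces the errors from the comments.
WORK=$(mktemp -d)
cat > "$WORK/bdb-good.ldif" <<'EOF'
dn: olcDatabase={1}bdb
olcSuffix: dc=yourdomain,dc=com
olcRootDN: cn=Manager,dc=yourdomain,dc=com
olcAccess: {0}to * by dn.base="cn=Manager,dc=yourdomain,dc=com" read by * non
 e
olcRootPW: {SSHA}r2or9f2vYlvieCu0LP6wTnSdYfrddsuV
EOF
cat > "$WORK/base-good.ldif" <<'EOF'
dn: dc=yourdomain,dc=com
dc: yourdomain
objectClass: top
objectClass: domain

dn: ou=People,dc=yourdomain,dc=com
ou: People
objectClass: organizationalUnit
EOF
# Bad pair: suffix left at the default, clear-text olcRootPW, dc=net base and
# a value carrying pasted curly quotes (written as explicit UTF-8 bytes).
printf 'dn: olcDatabase={1}bdb\nolcSuffix: dc=my-domain,dc=com\nolcRootDN: cn=Manager,dc=yourdomain,dc=com\nolcRootPW: secret\n' > "$WORK/bdb-bad.ldif"
printf 'dn: dc=yourdomain,dc=net\ndc: yourdomain\nobjectClass: domain\ndescription: \342\200\234pasted\342\200\235\n' > "$WORK/base-bad.ldif"
echo "== good pair =="; check_setup "$WORK/bdb-good.ldif" "$WORK/base-good.ldif" && echo "OK"
echo "== bad pair ==";  check_setup "$WORK/bdb-bad.ldif" "$WORK/base-bad.ldif" || echo "fix these before slaptest -u"
```

Run it against the real files with check_setup /etc/openldap/slapd.d/cn=config/olcDatabase={1}bdb.ldif base.ldif once both are edited.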

80 thoughts on "RHEL6 openldap server"

  • Hey, this is a great posting. Thanks so much for taking the time to do this.

    I do have one question though..

    When I add: olcRootPW: {SSHA}…. as part of your instructions

    I get the following message when I run the slaptest -u
    olcRootPW: value #0: can only be set when rootdn is under suffix

    I can’t see what I’ve missed. If I comment that line out of the olcDatabase={2}monitor.ldif the error goes away, but I of course can’t authenticate either.

    Any ideas?

    • Yes, the 3 lines

      olcRootPW: {SSHA}r2or9f2vYlvieCu0LP6wTnSdYfrddsuV
      olcTLSCertificateFile: /etc/pki/tls/certs/slapdcert.pem
      olcTLSCertificateKeyFile: /etc/pki/tls/certs/slapdkey.pem

      have to be added to the /etc/openldap/slapd.d/cn=config/olcDatabase={1}bdb.ldif file not the olcDatabase={2}monitor.ldif.

  • Hi, thanks for the help. I’ve been looking for some help for a while. I'm stuck on a certain point. Where you import base information:
    ldapadd -x -W -D "cn=Manager,dc=yourdomain,dc=com" -f base.ldif

    I get an error:
    Enter LDAP Password:
    ldap_bind: Invalid DN syntax (34)
    additional info: invalid DN

    I don’t know why I’m getting this error. I changed yourdomain to example which is my domain.

    Any help would be appreciated, thanks,
    Rob

    • Hi Robert,

      You have to pay attention to the syntax in the ldif file:

      Here an example:
      dn: dc=domb,dc=net // (dn:[whitespace] dc=domb,dc=net [ENTER])
      dc: domb
      objectClass: top
      objectClass: domain [ENTER]
      [ENTER]
      dn: ou=People,dc=domb,dc=net
      ou: People
      objectClass: top
      objectClass: organizationalUnit[ENTER]
      [ENTER]
      dn: ou=Group,dc=domb,dc=net
      ou: Group
      objectClass: top
      objectClass: organizationalUnit

      Hope this helps to solve your problem. If not post me your base.ldif

  • Hello, I finally found someone doing it on rhel6, thanks, but when I run the
    slaptest -u
    I get
    <= str2entry: str2ad({SSHA}bfHIutM8Pjx+379BVH0gvdhUdRNwq5cK): empty AttributeDescription
    slaptest: bad configuration file!

    the {SSHA.....} string is what I added to my file /etc/openldap/slapd.d/cn=config/olcDatabase={1}bdb.ldif . These are the lines that I added to that file (how it looks)

    {SSHA}bfHIutM8Pjx+379BVH0gvdhUdRNwq5cK
    olcRootPW: {SSHA}bfHIutM8Pjx+379BVH0gvdhUdRNwq5cK
    olcTLSCertificateFile: /etc/pki/tls/certs/slapdcert.pem
    olcTLSCertificateKeyFile: /etc/pki/tls/certs/slapdkey.pem

    What am I doing wrong?

    thank you
    dave

    • Create the ssl cert and run the test again. When you run slaptest -u before creating the certificate you’ll get that error.

  • Thank you very much for the post, and all of the others here too! I’m studying for the RHCE and although I have a good background with a lot of the material from working in webhosting for many years, LDAP is brand new to me and this was the simplest and most lucid tutorial I’ve yet found.

    I do have one suggestion, and it may help others too. Please change the double quote characters in your example to use the plain ASCII " character instead of the typographical open and close quote characters. Like Robert above, the ldapadd command initially gave me this error

    ldap_bind: Invalid DN syntax (34)
    additional info: invalid DN

    It turned out to be the result of the UTF-8 open and close quote chars. I had to change the command from this

    ldapadd -x -W -D “cn=Manager,dc=yourdomain,dc=com” -f base.ldif

    to this

    ldapadd -x -W -D "cn=Manager,dc=yourdomain,dc=com" -f base.ldif

    (And I hope WordPress doesn’t auto change those quotes on me! The second line should have the non-curved typewriter double quote symbol from the ASCII set.)

  • Thank you very much for detailed instruction! When I restarted slapd, I met the following issue:
    Checking configuration files for slapd: [FAILED]
    PROXIED attributeDescription “DC” inserted.
    <= str2entry: str2ad(dc): attribute type undefined
    slaptest: bad configuration file!

    If I did not do a slapd restart, the ldap server seemed working fine. Do you know why it happened?
    Thanks.

      • Did encounter this error, but resolved after removing my base.ldif and user.ldif files from the /etc/openldap/slapd.d/cn=config/ dir. Think that no other files should be kept within this cn=config besides the slapd generated ldifs.

  • hi
    Thank you so much.
    I've been trying for such a long time with the old ldap configuration.
    Finally I got it through you. Thanking you a lot
    Thanks
    Ramakrishna

  • # extended LDIF
    #
    # LDAPv3
    # base with scope subtree
    # filter: (objectclass=*)
    # requesting: ALL
    #

    # search result
    search: 2
    result: 32 No such object

    # numResponses: 1

    After step # ldapsearch -x -b "dc=yourdomain,dc=com"

    Also, I am not finding the following file to configure:
    Step 9: Configure the base domain

    #vi base.ldif

    Where is this config file located at?

    Any help would be great.

  • Please tell me where the error is

    dn: dc=sridhar,dc=net
    dc: sridhar
    objectClass: top
    objectClass: domain

    dn: ou=People,dc=sridhar,dc=net
    ou: People
    objectClass: top
    objectClass: organizationalUnit

    dn: ou=Group,dc=sridhar,dc=net
    ou: Group
    objectClass: top
    objectClass: organizationalUnit

  • Please tell me how I can add a new custom attribute which is not included presently in this OpenLDAP server of RHEL 6. I would like to extend the schema of the same.

  • Hello, First of all thank you for the tutorial.

    Running into a similar issue as the first comment. I have only added the 3 lines:
    olcRootPW: {SSHA}my-hash
    olcTLSCertificateFile: /etc/pki/tls/certs/slapdcert.pem
    olcTLSCertificateKeyFile: /etc/pki/tls/certs/slapdkey.pem

    To the end of:
    /etc/openldap/slapd.d/cn=config/olcDatabase={1}bdb.ldif

    And I get the error:
    [root@directory ~]# slaptest -u
    olcRootPW: value #0: can only be set when rootdn is under suffix
    config error processing olcDatabase={1}bdb,cn=config: can only be set when rootdn is under suffix
    slaptest: bad configuration file!

    Not sure what's up and don’t know what else to change. Thanks !

  • I just have to say thank you for this how-to

    I only had to do one thing differently:
    chown -f root:ldap /etc/pki/tls/certs/slapdcert.pem /etc/pki/tls/certs/slapdkey.pem

  • I am trying on my localhost with dc=test,dc=com

    however LDAPSEARCH gave the following output :

    ldapsearch -x -b "dc=test,dc=com"

    which gave me error as below:

    ldap_sasl_bind(SIMPLE): Can’t contact LDAP server (-1)

    here I have added localhost and given me following output:

    ldapsearch -x -h localhost -b "dc=test,dc=com"

    # extended LDIF
    #
    # LDAPv3
    # base with scope subtree
    # filter: (objectclass=*)
    # requesting: ALL
    #

    # search result
    search: 2
    result: 32 No such object

    # numResponses: 1
    —————————————-
    Am I correct here?

    I have created the base.ldif and tried ldapadd command as:

    ldapadd -x -h 127.0.0.1 -D "cn=Manager,dc=test,dc=com" -W -f base.ldif
    ldapadd -x -h locahost -D "cn=Manager,dc=test,dc=com" -W -f base.ldif
    ldapadd -x -h -D "cn=Manager,dc=test,dc=com" -W -f base.ldif
    with the password which was generated with the command

    #slappasswd

    This gives the error:
    ldap_bind: Invalid credentials (49)

    What is wrong ? Please help!!!!

  • Thank you for this how-to. Everything works.
    NOTE: Do not directly copy text of this how-to, better you enter the text on a new

  • I am not able to find the DB_CONFIG file in the openldap-servers path
    #cp /usr/share/doc/openldap-servers-2.4.19/ DB_CONFIG.example /var/lib/ldap/DB_CONFIG

    AND
    Please tell me the location of “base.ldif” file…

  • I have done all steps up to step 7 and all are working fine, but when I start the slapd service it fails. When I start the slapd service the 1st time it shows me the warning: suffix of DB_CONFIG file has changed, performing database recovery to apply new settings
    dbb_db_open: database “dc=example.com,dc=com”:recpvery skipped in read only mode.run manual recovery if error persist
    config file testing succeded.

    starting slapd: [Failed]
    and it shows service failed whenever I start the service
    please help 🙁

  • Thanks for the tutorial. I’m not proficient with Openldap. This is the first time I’m trying to implement it at home. I’m running Centos 6.0. I’m stuck on step #9. When I do the <> I get the following error

    ldap_bind: Invalid credentials (49)

    where do you think I may have gone wrong?

    Thanks

  • Sorry, had to repost

    Thanks for the tutorial. I’m not proficient with Openldap. This is the first time I’m trying to implement it at home. I’m running Centos 6.0. I’m stuck on step #9. When I do the
    # ldapadd -x -W -D "cn=Manager,dc=rmasonfamily,dc=info" -f /root/base.ldif
    I get the following error

    ldap_bind: Invalid credentials (49)

    where do you think I may have gone wrong?

    Thanks

  • Hey, can anyone help me to build my ldap server after slaptest -u?
    I have successfully tested my slaptest -u opting, but as I start my slapd daemon it fails: it neither stops nor starts. And I want to inform you that my eth0 is also creating a problem: I can't configure a static IP, it fails after service network restart. I am using a COMPAQ CQ 40 series laptop and RHEL 6.0. Please help me.

  • what is wrong with my configuration? please see message below. tnx

    #ldapadd -x -W -D "cn=Manager,dc=ncfs" -f ncfs.ldif
    Enter LDAP Password:
    ldap_bind: Invalid DN syntax (34)
    additional info: invalid DN

    My ldif file:
    ==============
    dn: dc=ncfs
    dc: ncfs
    objectClass: top
    objectClass: domain

    dn: ou=People,dc=ncfs
    ou: People
    objectClass: top
    objectClass: organizationalUnit

    dn: ou=Group,dc=ncfs
    ou: Group
    objectClass: top
    objectClass: organizationalUnit

  • For those of you with errors:
    ————
    PROBLEM
    ————
    ldap_bind: Invalid credentials (49)

    —————————————-
    SOLUTION/TROUBLESHOOTING
    —————————————-
    Use ldapsearch in debug mode to identify the issue:
    No encryption:
    # ldapsearch -x -b "dc=yourdomain,dc=net" -d -1
    With TLS:
    # ldapsearch -x -b "dc=yourdomain,dc=net" -ZZ -d -1

    One add-on to Laurent’s entry if you use a self-signed certificate. Remember to add the line below as well to bdb.ldif:
    olcTLSCertificateFile: /etc/pki/tls/certs/slapdcert.pem

    Otherwise, you will get complaints about self-signed certificate. 🙂

  • It seems there’s a typo:


    dn: ou=Group,dc=yourdomain,dc=net
    ou: Group
    objectClass: top
    objectClass: organizationalUnit

    … as later Group is replaced with Groups. Anyway, I’ve got an error with plural and passed through with singular :).

  • Hi, thanks for telling us the configuration of openldap server for RHEL 6. I have done all that you have written in this blog and my openldap service has started…but
    Can you tell me how I can integrate openldap with Samba as a PDC for RHEL 6?

    • Did you manage to successfully configure samba with the ldap backend. I am looking for a solution to this.

      If anyone has a solution please share

  • When trying to add the ldap, I am getting the error…………….

    ldapadd -x -W -D "cn=Manager,dc=rhceldap,dc=com" -f base.ldif
    Enter LDAP Password:
    ldap_bind: Invalid credentials (49)

    where is the location of base.ldif file?………..

    Thanks in advance………..

  • ldap_bind: Invalid credentials (49)

    get solved by adding

    URI ldap://192.168.0.4/
    BASE dc=rhceldap,dc=com
    TLS_CACERTDIR /etc/openldap/cacerts

    on /etc/openldap/ldap.conf

  • A question on base.ldif.

    The example for base.ldif is always dc=yourdomain,dc=com. But the dc assigned to me at work is dc=area,dc=test,dc=org (my domain is area.test.org).

    How would my base.ldif look like? What do I use on the dc:?
    dn: dc=area,dc=test,dc=org
    dc: ????
    objectClass: top
    objectClass: domain

    Thanks!

  • Great posting… Thank you…

    I configured LDAP as described above, I didn’t get any errors, but when I start the LDAP service it fails.. I couldn’t figure out the error… When I checked the certificate folder /etc/pki/tls/certs I couldn’t find any certificates generated… So can you help me in this case…

    Thank you…

  • I get the following error when I try and do a slaptest -u
    slaptest -u
    database init failed (monitor)
    olcDatabase: value #0: only one monitor database allowed (monitor)
    config error processing olcDatabase={1}monitor,cn=config: only one monitor database allowed
    slaptest: bad configuration file!

    Can anyone help out ?

  • My five cents in addition to this very helpful howto:

    Add
    TLS_CACERT /etc/pki/tls/certs/slapdcert.pem
    to ldap.conf.

    Otherwise, running request with TLS
    ldapsearch -x -b "dc=yourdomain,dc=net" -ZZ
    you’ll get ‘Self-signed certificate’ error.

  • I got the following error
    <= str2entry: str2ad(New Passowrd): AttributeDescription contains inappropriate characters
    slaptest: bad configuration file!

    What mistake did I make???

  • lol.. I got it, I made a silly mistake.. when I redirected that password, I forgot to remove the New Password:
    Re-enter new password:
    lines….. what a silly mistake I made.

  • Excellent posting. I teach Linux at a local community college and after reading some of the postings I suspect some of the above users are copying and pasting your text into their config files. This changes the formatting and will give them errors; even the command dos2unix will not always fix this. There is one typo that may throw a newbie off: you have “service sladp start” Like me, you probably have large fingers. Thanks again for supporting the community.
    Kind regards,
    Randy

  • Thank you so much for an easy to follow guide.
    I have installed and configured openldap on my rhel6 server and would want to use FreeRadius with openldap. The two are working well separately and I would now like to set them up such that users can connect through Freeradius and authenticate on an openldap backend. Can you point me to documentation for doing this on rhel6?
    The documentation that I am currently getting refers to a different version and I have configuration files (unedited) that are completely different from what I am referred to. I understand that RHEL has a different radius configuration file and I would want to know how to configure freeradius to use openldap for authentication.

  • Ok, to answer my own question, the authentication and authorisation modules are in the modules directory. Another question, is there anyone who knows where documentation for rhel6 is?

  • Thank you for putting out this step by step guide. Without it, it is almost impossible to get openLDAP setup with RHEL6. You should consider contributing this piece to openldap project as there are many people who might be able to save time using this.

    I had to change dc=com from dc=net in base.ldif because I was getting error when using dc=net.

    Thanks again.

  • #slaptest -u
    config file testing succeeded —NEXT— And ERROR I am getting down there is as……

    [root@newspeak openldap]# ldapadd -x -W -D "cn=Manager,dc=newspeak,dc=org" -f base.ldif
    Enter LDAP Password:
    ldap_bind: Invalid DN syntax (34)
    additional info: invalid DN ——————–NEXT———————–“GOT ERROR”———-

    #vi base.ldif
    dn: dc=newspeak,dc=org
    dc: newspeak
    objectClass: top
    objectClass: domain

    dn: ou=People,dc=newspeak,dc=org
    ou: People
    objectClass: topdn: olcDatabase={2}monitor
    objectClass: olcDatabaseConfig
    olcDatabase: {2}monitor
    olcAccess: {0}to * by dn.base="cn=Manager,dc=newspeak,dc=org" read by * non
    e
    olcAddContentAcl: FALSE
    olcLastMod: TRUE
    olcMaxDerefDepth: 15
    olcReadOnly: FALSE
    olcMonitoring: FALSE
    structuralObjectClass: olcDatabaseConfig
    entryUUID: 629b5a62-88cd-1030-94b5-5b8c5298a3ff
    creatorsName: cn=config
    createTimestamp: 20111012032406Z
    entryCSN: 20111012032406.106705Z#000000#000#000000
    modifiersName: cn=config
    modifyTimestamp: 20111012032406Z

    objectClass: organizationalUnit

    dn: ou=Group,dc=newspeak,dc=org
    ou: Group
    objectClass: top
    objectClass: organizationalUnit ——–NEXT———
    #vim /etc/openldap/slapd.d/cn=config/olcDatabase={1}bdb.ldif
    dn: olcDatabase={1}bdb
    objectClass: olcDatabaseConfig
    objectClass: olcBdbConfig
    olcDatabase: {1}bdb
    olcSuffix: dc=newspeak,dc=org
    olcAddContentAcl: FALSE
    olcLastMod: TRUE
    olcMaxDerefDepth: 15
    olcReadOnly: FALSE
    olcRootDN: cn=Manager,dc=newspeak,dc=org
    olcMonitoring: TRUE
    olcDbDirectory: /var/lib/ldap
    olcDbCacheSize: 1000
    olcDbCheckpoint: 1024 15
    olcDbNoSync: FALSE
    olcDbDirtyRead: FALSE
    olcDbIDLcacheSize: 0
    olcDbIndex: objectClass pres,eq
    olcDbIndex: cn pres,eq,sub
    olcDbIndex: uid pres,eq,sub
    olcDbIndex: uidNumber pres,eq
    olcDbIndex: gidNumber pres,eq
    olcDbIndex: mail pres,eq,sub
    olcDbIndex: ou pres,eq,sub
    olcDbIndex: loginShell pres,eq
    olcDbIndex: sn pres,eq,sub
    olcDbIndex: givenName pres,eq,sub
    olcDbIndex: memberUid pres,eq,sub
    olcDbIndex: nisMapName pres,eq,sub
    olcDbIndex: nisMapEntry pres,eq,sub
    olcDbLinearIndex: FALSE
    olcDbMode: 0600
    olcDbSearchStack: 16
    olcDbShmKey: 0
    olcDbCacheFree: 1
    olcDbDNcacheSize: 0
    structuralObjectClass: olcBdbConfig
    entryUUID: 629b5454-88cd-1030-94b4-5b8c5298a3ff
    creatorsName: cn=config
    createTimestamp: 20111012032406Z
    entryCSN: 20111012032406.106705Z#000000#000#000000
    modifiersName: cn=config
    modifyTimestamp: 20111012032406Z
    olcRootPW: {SSHA}eCf/UCxBWzZuWc0Dd/mkW+jlaXxy++RF
    olcTLSCertificateFile: /etc/pki/tls/certs/slapdcert.pem
    olcTLSCertificateKeyFile: /etc/pki/tls/certs/slapdkey.pem ———NEXT———

    #vim /etc/openldap/slapd.d/cn=config/olcDatabase={2}monitor.ldif
    dn: olcDatabase={2}monitor
    objectClass: olcDatabaseConfig
    olcDatabase: {2}monitor
    olcAccess: {0}to * by dn.base="cn=Manager,dc=newspeak,dc=org" read by * non
    e
    olcAddContentAcl: FALSE
    olcLastMod: TRUE
    olcMaxDerefDepth: 15
    olcReadOnly: FALSE
    olcMonitoring: FALSE
    structuralObjectClass: olcDatabaseConfig
    entryUUID: 629b5a62-88cd-1030-94b5-5b8c5298a3ff
    creatorsName: cn=config
    createTimestamp: 20111012032406Z
    entryCSN: 20111012032406.106705Z#000000#000#000000
    modifiersName: cn=config
    modifyTimestamp: 20111012032406Z

    Can anyone help regarding the same??? Thanks in advance!!

  • hey…thank you for the wonderful guide…
    but i’m getting following error while ldapsearch

    ldapsearch -x -b "dc=example,dc=com"
    ldap_sasl_bind(SIMPLE): Can’t contact LDAP server (-1)

    please help me..

  • RHEL 6.0 Documentation

    System name: ldap.example.com
    Domain name: example.com
    System IP: 192.168.1.250
    Step #1. Requirements
    compat-openldap
    openldap-clients
    openldap-devel
    openldap-servers
    migrationtools
    You can install them using the command:
    yum install *openldap* migrationtools

    Step #2. Create LDAP root user password
    [root@ldap ~]# slappasswd
    New password:
    Re-enter new password:
    {SSHA}cWB1VzxDXZLf6F4pwvyNvApBQ8G/DltW
    [root@ldap ~]# mkdir -m 700 /var/lib/ldap/example.com
    [root@ldap ~]# cp /usr/share/doc/openldap-servers-2.4.19/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
    [root@ldap ~]# chown -Rvf ldap:ldap /var/lib/ldap/

    Step #3. Update /etc/openldap/slapd.conf for the root password
    [root@ldap ~]# cp /etc/openldap/slapd.conf.bak /etc/openldap/slapd.conf
    [root@ldap ~]# vim /etc/openldap/slapd.conf
    Esc :%s/my-domain/example/gEnter. Check the below lines same as in config file
    database bdb
    suffix "dc=example,dc=com"
    rootdn "cn=Manager,dc=example,dc=com"
    rootpw {SSHA}cWB1VzxDXZLf6F4pwvyNvApBQ8G/DltW

    Step #4. vim /usr/share/migrationtools/migrate_common.ph change padl to example
    Esc :%s/padl/example/g & check the below line(71 & 74) is same in config
    $DEFAULT_MAIL_DOMAIN = "example.comm";
    $DEFAULT_BASE = "dc=example,dc=com";

    Step # 5. Create a domain ldif file (/etc/openldap/example.com.ldif)
    [root@ldap ~]# vim /etc/openldap/example.com.ldif
    dn: dc=example,dc=com
    dc: example
    description: LDAP Admin
    objectClass: dcObject
    objectClass: organizationalUnit
    ou: rootobject

    dn: ou=People, dc=example,dc=com
    ou: people
    description: Users of example
    objectClass: organizationalUnit

    dn: ou=Group, dc=example,dc=com
    ou: Group
    description: Groups of example
    objectClass: organizationalUnit
    Step# 6 Create new config files using the slaptest command
    —————————————————————————————–
    1. Delete all files in directory /etc/openldap/slapd.d/ with the command
    [root@ezylinux ~]# rm -rf /etc/openldap/slapd.d/*
    2. Run slaptest for test the configuration file and create new configuration in directory /etc/openldap/slapd.d/.
    [root@ezylinux ~]# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
    3. Set permissions for a new configuration file.
    [root@ezylinux ~]# chown -R ldap:ldap /etc/openldap/slapd.d
    [root@ezylinux ~]# chmod -R 000 /etc/openldap/slapd.d
    [root@ezylinux ~]# chmod -R u+rwX /etc/openldap/slapd.d

    # service slapd restart (if any warning provide permission as chown ldap:ldap /var/lib/ldap -Rvf or chown ldap:ldap /etc/openldap/slapd.d)

    Step # 7. Import all users in to the LDAP
    Add the Domain ldif file
    [root@ldap ~]# ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f /etc/openldap/example.com.ldif
    Enter LDAP Password:
    adding new entry "dc=example,dc=com"
    adding new entry "ou=People, dc=example,dc=com"
    adding new entry "ou=group, dc=example,dc=com"
    [root@ldap ~]#

    Add the users:
    [root@ldap ~]# mkdir /ldaphome
    [root@ldap ~]# useradd -u 1000 -d /ldaphome/testusr testusr
    [root@ldap ~]# passwd testusr
    Changing password for user testusr.
    New UNIX password:
    Retype new UNIX password:
    passwd: all authentication tokens updated successfully.

    Step # 8. Migrate local users to LDAP
    [root@ldap ~]# grep testusr /etc/passwd > /etc/openldap/passwd.testusr
    [root@ldap ~]# grep testusr /etc/group > /etc/openldap/group.testusr

    [root@ldap ~]# /usr/share/migrationtools/migrate_passwd.pl /etc/openldap/passwd.testusr /etc/openldap/testusr.ldif
    [root@ldap ~]# /usr/share/migrationtools/migrate_group.pl /etc/openldap/group.testusr /etc/openldap/testusr-group.ldif
    Step# 9 Adding users & groups into the Ldap server
    [root@ldap ~]# ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f /etc/openldap/testusr.ldif
    Enter LDAP Password:
    adding new entry "uid=ldapuser1,ou=People,dc=example,dc=com"
    [root@ldap ~]# ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f /etc/openldap/testusr-group.ldif
    Enter LDAP Password:
    adding new entry "uid=ldapuser1,ou=Group,dc=example,dc=com"

    Step # 10. Test LDAP Server
    It prints all the user information:
    [root@ldap ~]# ldapsearch -x -b 'dc=example,dc=com' '(objectclass=*)'

    Step# 11 NFS for ldapuser home share:
    #yum install nfs-utils
    #service rpcbind restart

    vim /etc/exports
    /ldaphome *(rw,sync)
    #chkconfig nfs on
    #service nfs restart

    Home directory Creation in LDAP server(optional)

    Reference from: http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch31_:_Centralized_Logins_Using_LDAP_and_RADIUS#Create_The_Home_Directory_For_ldapuser_On_The_LDAP_Client

    [root@smallfry tmp]# mkdir /ldaphome/wml
    [root@smallfry tmp]# chmod 700 /home/ldaphome/wml
    [root@smallfry tmp]# cp /etc/skel/.* /home/ldaphome/wml
    cp: omitting directory `/etc/skel/.'
    cp: omitting directory `/etc/skel/..'
    cp: omitting directory `/etc/skel/.kde'
    [root@smallfry tmp]# chown -R wml:group /home/ldaphome/wml
    [root@smallfry tmp]#

    2. 0. Step-by-step OpenLDAP Installation and Configuration of Client System
    LDAP Client Configuration

    Step # 1. Installation
    [root@ldapclient ~]# yum install nss-pam-ldapd nfs-utils autofs
    Step # 2. Autofs configuration
    [root@ldapclient ~] vim /etc/auto.master
    Add the below line in end:
    /ldaphome /etc/auto.misc --timeout=60
    [root@ldapclient ~] vim /etc/auto.misc
    Add the below line in end
    * -rw,soft,intr 192.168.1.250:/ldaphome/&
    [root@ldapclient ~] service autofs stop
    [root@ldapclient ~] service autofs start
    [root@ldapclient ~] service autofs reload
    [root@ldapclient ~] service autofs restart
    [root@ldapclient ~] service nfs restart

    Step# 3 Settings ldap configuration
    [root@ldapclient ~]# setup

    Step #3. Settings
    [*] Use LDAP [*] Use LDAP Authentication
    [Both should be checked]
    Click “Next”.
    [ ] Use TLS
    Server: ldap.example.com
    Base DN: dc=example,dc=com
    Click “Ok” to confirm.
    OR
    [root@ldapclient ~]# vim /etc/openldap/ldap.conf
    URI ldap://ldap1.example.com
    BASE dc=example,dc=com

    [root@ldapclient ~] vim /etc/nsswitch.conf
    passwd: files ldap
    shadow: files ldap
    group: files ldap
    netgroup: files ldap
    automount: files ldap

    #chkconfig nfs on
    #chkconfig autofs on
    #chkconfig rpcbind on
    [root@ldapclient ~] vim /etc/nslcd.conf
    uid nslcd
    gid ldap
    uri ldap://ldap1.example.com
    base dc=example,dc=com
    ssl no
    tls_cacertdir /etc/openldap/cacerts
    [root@ldapclient ~] vim /etc/pam_ldap.conf
    Comment #host 127.0.0.1
    base dc=example,dc=com
    uri ldap://ldap1.example.com
    ssl no
    tls_cacertdir /etc/openldap/cacerts
    pam_password md5

  • Hello Laurent,

    Here is my monitor section :

    cat /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}monitor.ldif

    dn: olcDatabase={2}monitor,cn=config
    objectclass: olcDatabaseConfig
    olcaccess: {0}to * by dn.exact="cn=Manager,dc=exemple,dc=fr"
    by * none
    olcaddcontentacl: FALSE
    olcdatabase: {2}monitor
    olclastmod: TRUE
    olcmaxderefdepth: 15
    olcmonitoring: FALSE
    olcreadonly: FALSE
    olcsyncusesubentry: FALSE
    ….

    slapd runs and respond :
    ldapsearch -x -D 'cn=Manager,dc=exemple,dc=fr' -W -b 'olcDatabase={2}monitor,cn=config' -s base 1.1

    # {2}monitor, config
    dn: olcDatabase={2}monitor,cn=config

    # search result
    search: 2
    result: 0 Success

    However I can’t get any monitoring information :

    $ ldapsearch -x -D 'cn=Manager,dc=exemple,dc=fr' -W -b 'cn=Monitor' -s base 1.1

    # search result
    search: 2
    result: 32 No such object

    Would you have any advice to use openldap monitoring abilities ?

    # cat /etc/issue
    Red Hat Enterprise Linux Server release 6.2 (Santiago)

    openldap-servers-2.4.23-20.el6.x86_64

    # slapd -VVV
    @(#) $OpenLDAP: slapd 2.4.23 (Oct 4 2011 07:43:22) $
    mockbuild@x86-010.build.bos.redhat.com:/builddir/build/BUILD/openldap-2.4.23/openldap-2.4.23/build-servers/servers/slapd

    Thanks !

  • hi,

    you really did your best and I was successful through your steps, the thing was I don't find any /usr/share/migration folder on my server. Mine is rhel-64bit.

    I don't know why it was not there; ldap search is fine, ok,

    please help me finish the last 2 steps

    thank you.

  • slaptest -u
    PROXIED attributeDescription “DC” inserted.
    <= str2entry: str2ad(dc): attribute type undefined
    slaptest: bad configuration file!
    [root@dc share]# ldapsearch -x -b .dc=hamdard,dc=com.
    ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

    Can any one help me on this. I have follow this post step by step.

  • I have followed this doc as it is i did not change any thing. Before generating the certificate and key it was working fine but when i did that then you said to restart the slapd and i did that it was down but it wasn’t up again.

    Please guide me where i am going wrong.

  • Hi,

    Thank you for all your help, I have configured the ldap server successfully by following this guide.

    Now my next question is how to move it into production environment where users can login on this ldap server.

    I am configuring DNS with my domain on this server as well.

    when i am trying to access this server by using above url ldap://192.168.0.6:389 it is not processing further can ou please tell me why ?

    • Thanks, very helpful.

      I am configuring postfix+squirrelmail+dovecot with OpenLDAP on RHEL 6.1 64-bit.

      Kindly help me to get the rh-mail.schema.

      Thanks,
      Shankar

  • Hello,

    Thanks for your help in providing steps to configure an LDAP server in RHEL6. Everything seems to be working, but I am not able to log in to the client machine using the LDAP server. Can anyone please help me with how I can do it?

    My email address is
    priyank.gupta.1984@gmail.com, please if possible reply to me there or here.

  • Hi,

    I went through the steps and it is working.
    The clients I set up with the command

    authconfig --disablenis --enablemkhomedir --enableshadow --enablelocauthorize --enableldap --ldapserver=10.24.0.55 --enablemd5 --ldapbasedn=dc=mydomain,dc=com --updateall

    The clients are able to authenticate the logins.
    But if a user is added or an existing user's password is changed, that user is unable to log in with the new password. What could be the issue, please? Any help would be greatly appreciated, as I am a newbie.

    Thanks

    Ping

  • Hello, I am getting the following errors when I start the slapd service:

    service slapd start
    Checking configuration files for slapd: [FAILED]
    olcRootPW: value #0: can only be set when rootdn is under suffix
    config error processing olcDatabase={2}bdb,cn=config: can only be set when rootdn is under suffix
    slaptest: bad configuration file!

    But if I remove the lines that contain olcRootPW, olcTLSCertificateFile and
    olcTLSCertificateKeyFile, the service starts fine.

    I have CentOS release 6.3 and OpenLDAP: slapd 2.4.23

    Thanks for your help,
    G
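    A check for the error reported in this comment, added here and not part of the original post or of OpenLDAP: slapd only accepts olcRootPW when olcRootDN is the database suffix or an entry below it, so this script reads an olcDatabase LDIF file and reports whether the two agree. It assumes single-line attribute values (no LDIF line folding and no base64 "::" values) and defaults to nothing; the file path is passed as the argument.

    ```shell
    #!/bin/sh
    # Added example, not from the original post. slaptest rejects olcRootPW unless
    # olcRootDN is the database suffix or an entry below it, which is what
    # "can only be set when rootdn is under suffix" means. If the step 2
    # substitution changed olcSuffix but not olcRootDN (or the reverse), this
    # is the result. Assumes single-line attributes (no LDIF folding or "::").

    # Print the first value of attribute NAME ($1) from LDIF file $2,
    # lower-cased with spaces removed so DNs compare case-insensitively.
    ldif_attr() {
        grep -i "^$1:" "$2" | head -n 1 | cut -d: -f2- |
            tr '[:upper:]' '[:lower:]' | tr -d ' '
    }

    # Return 0 if olcRootDN equals olcSuffix or ends in ",<olcSuffix>", else 1.
    rootdn_under_suffix() {
        suffix=$(ldif_attr olcSuffix "$1")
        rootdn=$(ldif_attr olcRootDN "$1")
        if [ -z "$suffix" ] || [ -z "$rootdn" ]; then
            echo "missing olcSuffix or olcRootDN in $1" >&2
            return 1
        fi
        case "$rootdn" in
            "$suffix" | *",$suffix")
                return 0 ;;
            *)
                echo "rootdn '$rootdn' is not under suffix '$suffix'" >&2
                return 1 ;;
        esac
    }

    # Usage: sh check_rootdn.sh /etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif
    [ $# -eq 0 ] || rootdn_under_suffix "$1"
    ```
    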

  • Hi, thanks a lot for this tutorial, it has been very helpful!
    I had a small question:
    why do we need this command:
    sed -e "s/ou=Group/ou=Groups/g" group.ldif > groups.ldif

    I think this will replace ou=Group with ou=Groups, but in the base.ldif we are using:
    dn: ou=Group,dc=yourdomain,dc=net

    Please let me know!

    Thanks again!
    Abhisek

  • Hi, thanks for the help. I've been looking for some help for a while. I'm stuck on a certain point, where you import the base information:

    dn: dc=example,dc=com
    dc: example
    objectClass: top
    objectClass: example

    dn: ou=Administration,dc=example,dc=com
    ou: Adninistration
    objectClass: top
    objectClass: Administration

    dn: ou=Group,dc=example,dc=com
    ou: Group
    objectClass: top
    objectClass: organizationalUnit

    Error:
    #ldapadd -x -W "cn=manager,dc=example,dc=com" -f base.ldif
    Enter LDAP Password:
    ldap_bind: Invalid credentials (49)

    My LDAP details:

    MY DOMAIN IS: example.com
    ORGANIZATION UNIT NAME: administration
    LDAP password is: password

    Please give me the solution to this error.

  • If I run ldapsearch -x -b "dc=example,dc=com"

    I get search result 2, then I get 34 DN syntax error.
    Give me the solution.

  • Nice post. I was checking continuously this blog and I am impressed!
    Very useful info particularly the last part 🙂 I care
    for such info much. I was seeking this particular information for
    a long time. Thank you and good luck.

  • Hi,

    I am a novice to OpenLDAP. I have to install and configure OpenLDAP on RHEL 5.7. I require it for user authentication for middleware servers. I have installed openldap server, openldap sql and openldap client successfully. Afterwards, I did not find the slapd.conf and DB_CONFIG.example files. I have searched for those files in all file systems but they do not exist. So, please guide me on what I am missing. What are all the prerequisites needed in order to install and configure OpenLDAP? Thank you in advance.

  • Followed the instructions on this site for installing the openldap server on Centos 6.4, but just couldn’t get TLS to work.

    For me at least, the problem was the self signed certificate and the permissions on the certificate and key.

    (a) The self-signed certificate

    Add the following line to /etc/openldap/ldap.conf,

    TLS_REQCERT allow

    (b) Permissions on cert and key

    # chown ldap:ldap /etc/pki/tls/certs/slapdcert.pem
    # chmod 600 /etc/pki/tls/certs/slapdcert.pem

    # chown ldap:ldap /etc/pki/tls/certs/slapdkey.pem
    # chmod 600 /etc/pki/tls/certs/slapdkey.pem

    Restart the slapd server:

    # service slapd restart

    Test it

    # ldapsearch -x -b "dc=home,dc=com" -ZZ "cn=michael" homeDirectory
    # extended LDIF
    #
    # LDAPv3
    # base with scope subtree
    # filter: cn=michael
    # requesting: homeDirectory
    #

    # michael, People, home.com
    dn: uid=michael,ou=People,dc=home,dc=com
    homeDirectory: /home/michael

    # michael, Group, home.com
    dn: cn=michael,ou=Group,dc=home,dc=com

    # search result
    search: 3
    result: 0 Success

    # numResponses: 3
    # numEntries: 2
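    A check for the two problems this comment fixes, added here and not part of the original post or of OpenLDAP: it verifies that the key is readable only by its owner, that the certificate really belongs to the key, and whether the client's ldap.conf still verifies the server certificate (TLS_REQCERT allow or never accepts any certificate, so for a self-signed slapd certificate the safer choice is TLS_CACERT pointing at a copy of slapdcert.pem with TLS_REQCERT left at its default, demand). It assumes the tutorial's file paths as defaults and that openssl is installed for the key/cert comparison.

    ```shell
    #!/bin/sh
    # Added example, not from the original post. Checks slapd's TLS setup:
    # key readable only by its owner, certificate matching the key, and an
    # ldap.conf that still verifies the server certificate. Paths default to
    # the ones used in the tutorial; openssl is assumed to be installed.

    # Return 0 if the file's mode grants nothing to group or others (600, 400).
    private_to_owner() {
        mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1") || return 1
        case "$mode" in *00) return 0 ;; *) return 1 ;; esac
    }

    # Return 0 if the certificate's public key equals the public key derived
    # from the private key (works for RSA and EC keys).
    cert_matches_key() {
        c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
        k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
        [ "$c" = "$k" ]
    }

    # Return 0 if ldap.conf verifies the server certificate: TLS_REQCERT absent
    # (the default is demand) or set to demand/hard. "allow" and "never" skip
    # verification, "try" only rejects bad certificates that were presented.
    client_verifies_cert() {
        v=$(grep -i '^[[:space:]]*TLS_REQCERT[[:space:]]' "$1" 2>/dev/null |
            tail -n 1 | awk '{print tolower($2)}')
        case "${v:-demand}" in demand|hard) return 0 ;; *) return 1 ;; esac
    }

    # Run all three checks; exit status 0 only if every check passes.
    check_slapd_tls() {
        cert="${1:-/etc/pki/tls/certs/slapdcert.pem}"
        key="${2:-/etc/pki/tls/certs/slapdkey.pem}"
        conf="${3:-/etc/openldap/ldap.conf}"
        rc=0
        private_to_owner "$key" || { echo "$key is readable by group/others"; rc=1; }
        cert_matches_key "$cert" "$key" || { echo "$cert does not match $key"; rc=1; }
        client_verifies_cert "$conf" || { echo "$conf: TLS_REQCERT does not verify the server cert"; rc=1; }
        return $rc
    }

    # Usage: sh check_tls.sh [cert] [key] [ldap.conf]
    [ $# -eq 0 ] || check_slapd_tls "$@"
    ```
    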

  • whoah this blog is wonderful i really like studying your posts.

    Stay up the good work! You recognize, many individuals
    are searching around for this info, you could aid them greatly.

  • Hi Laurent,

    Really informative post!

    Hope you can sort out the issue below.

    I am having a lot of trouble connecting the LDAP server to an Oracle SQL database. Seeking help from you in this regard.

    Requirement:
    An LDAP client which will query one of the tables in the Oracle SQL DB to get several pieces of info.

    Current set up on my side to achieve the above task:

    1. RHEL 6.4
    2. Oracle XE 11g Database - up and running
    3. OpenLDAP 2.4.40 - currently installed but not working
    4. Easysoft ODBC Oracle driver - optional

    Please guide me on how to properly install and configure OpenLDAP on RHEL in my case.
    Do I need the driver?
