Installing OpenLDAP on CentOS 6.2

  1. Install CentOS 6.2 Basic Server.

  2. Name your server “” (wherever you see “” in this guide, substitute your own domain name).

  3. Install “openldap-servers” and “openldap-clients” with yum:


yum install openldap-servers openldap-clients


  4. Create the following script, changing the “” as before, and make it executable with “chmod 700”. The script holds the certificate database password in clear text, so it must not be world-readable, and there is no reason for it to be world-writable as “chmod 777” would make it.


----------start example-----------

#!/bin/bash
# Builds a self-signed CA and a server certificate in the NSS database that
# slapd on CentOS 6 reads from /etc/openldap/certs, then enables LDAPS.
set -e

# Change to the certificate directory and clear out the old certs.
# The "|| exit" matters: without it a failed cd would run "rm -rf" in
# whatever directory you happened to be in.
cd /etc/openldap/certs || exit 1
rm -rf ./*

# This echo statement puts the word "password" (without the quotes) into a
# password file so the certutil calls below can run without prompting. It
# becomes the password of the certificate/key database. Change it as appropriate.
echo "password" > /etc/openldap/certs/password
chmod 600 /etc/openldap/certs/password

export PATH=/usr/bin/:$PATH

# Seed file for key generation; use real randomness rather than a typed-in string
head -c 1024 /dev/urandom > noise.txt

# Create the certificate database and protect it with the password above
certutil -N -d . -f /etc/openldap/certs/password

# Generate a key pair in the database
certutil -G -d . -z noise.txt -f /etc/openldap/certs/password

# Generate a self-signed CA certificate (valid for 120 months)
certutil -S -n "CA certificate" -s "cn=CAcert" -x -t "CT,," -m 1000 -v 120 -d . -z /etc/openldap/certs/noise.txt -f /etc/openldap/certs/password

# If certutil prompts for extensions, the answers are Y, <enter accepting defaults>, Y

# This builds the server cert, signed by the CA above. The subject (-s) must be a
# DN whose cn is the name clients connect to (the server's FQDN), otherwise the
# clients' TLS hostname check fails. The nickname "OpenLDAP Server" is the one the
# stock CentOS 6 cn=config names in olcTLSCertificateFile, so keep it as is.
certutil -S -n "OpenLDAP Server" -s "" -c "CA certificate" -t "u,u,u" -m 1001 -v 120 -d . -z /etc/openldap/certs/noise.txt -f /etc/openldap/certs/password

# This exports the CA cert and its private key as PKCS#12 in case you need it
pk12util -d . -o cacert.p12 -n "CA certificate" -k /etc/openldap/certs/password

# This exports the server cert and its private key, which you will need on the
# Windows AD. Copy it off the box and delete it here afterwards.
pk12util -d . -o servercert.p12 -n "OpenLDAP Server" -k /etc/openldap/certs/password

# This exports the CA cert (public part only, PEM) for LDAP clients
certutil -L -d . -n "CA certificate" -a > /etc/openldap/certs/cacert.pem

# Make the files readable by slapd (which runs as "ldap") but not by everyone:
# key3.db holds the private keys and "password" is what unlocks them. The PEM
# CA certificate is the only public file and can stay world-readable.
chown root:ldap /etc/openldap/certs/*
chmod 640 /etc/openldap/certs/*
chmod 644 /etc/openldap/certs/cacert.pem

# Set the system to use LDAPS
sed -i 's/SLAPD_LDAPS=no/SLAPD_LDAPS=yes/g' /etc/sysconfig/ldap

# Add a firewall exception in case the user has not configured their firewall properly
iptables -I INPUT -m state --state NEW -p tcp --dport 636 -j ACCEPT
/etc/init.d/iptables save

# Restart slapd to make the changes take effect
/etc/init.d/slapd restart

----------end example------------


  5. Run the script.

  6. Type the following commands to give the BDB back end its tuning file and make the data directory owned by the ldap user:



cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

chown -Rf ldap:ldap /var/lib/ldap/

  7. Generate a hashed password for the directory manager with slappasswd. It prints an {SSHA} hash, and that hash (never the clear-text password) is what goes into olcRootPW in the steps below.




  8. Stop slapd (/etc/init.d/slapd stop) and edit the following file by typing the following at the prompt. Files under slapd.d must not be edited while slapd is running; slapd will log a checksum warning for a hand-edited file on the next start, which is harmless.


vim /etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif


  9. Change “olcRootDN:” and “olcSuffix:” to suit your domain (for the examples below they are cn=Manager,dc=yourdomain,dc=com and dc=yourdomain,dc=com).

  10. Add “olcRootPW:” and put in the hash you got in the previous step, as per the following example:

olcRootPW: {SSHA}cEBU4qaLUXvUY4pCRzYMpT4yYPN34L30
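The same three attributes can be set without stopping slapd or hand-editing slapd.d by sending a modify over the local ldapi socket, which is what cn=config is designed for. The script below is an added example, not part of the original guide. It assumes slapd listens on ldapi:/// (SLAPD_LDAPI=yes in /etc/sysconfig/ldap), that it is run as root (which the stock CentOS 6 cn=config maps to the config rootdn through SASL EXTERNAL), and that the base DN is derived from the domain name as dc=yourdomain,dc=com. The function names are my own.

```shell
#!/bin/bash
# Added example: configure olcSuffix/olcRootDN/olcRootPW on olcDatabase={2}bdb
# through ldapmodify instead of editing /etc/openldap/slapd.d by hand.
# Assumes (not from the guide): slapd listening on ldapi:///, run as root.

# Turn a DNS domain into a base DN: yourdomain.com -> dc=yourdomain,dc=com
dn_from_domain() {
    printf 'dc=%s' "$1" | sed 's/\./,dc=/g'
}

# Emit the modify LDIF for the BDB database. "replace" works whether or not
# olcRootPW already exists in the entry, so the same LDIF is safe to re-run.
bdb_config_ldif() {
    local suffix="$1" rootdn="$2" rootpw_hash="$3"
    cat <<EOF
dn: olcDatabase={2}bdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: $suffix
-
replace: olcRootDN
olcRootDN: $rootdn
-
replace: olcRootPW
olcRootPW: $rootpw_hash
EOF
}

# Accept only slappasswd-style hashes so a clear-text password cannot end up
# in cn=config by mistake (slapd would store it exactly as given).
is_hashed_password() {
    case "$1" in
        '{SSHA}'*|'{SHA}'*|'{CRYPT}'*|'{MD5}'*|'{SMD5}'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Build the LDIF for a domain and push it to the running slapd.
apply_bdb_config() {
    local domain="$1" hash="$2" suffix rootdn
    suffix=$(dn_from_domain "$domain")
    rootdn="cn=Manager,$suffix"
    is_hashed_password "$hash" || { echo "refusing clear-text rootpw" >&2; return 1; }
    bdb_config_ldif "$suffix" "$rootdn" "$hash" | ldapmodify -Q -Y EXTERNAL -H ldapi:///
}

# Usage (as root on the LDAP server):
#   hash=$(slappasswd -h '{SSHA}')    # prompts twice, prints the {SSHA} hash
#   apply_bdb_config yourdomain.com "$hash"
#   ldapsearch -Q -Y EXTERNAL -H ldapi:/// -b 'olcDatabase={2}bdb,cn=config' olcSuffix olcRootDN
```

The final ldapsearch reads the values back through the same socket, so you can confirm the change without restarting anything; olcRootPW is deliberately not listed, since the hash is not something to leave in a terminal scrollback.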

  11. Create /etc/openldap/schema/base.ldif as per the example below, changing “”. The file does not exist yet; it defines the top of the tree and the two containers the user and group entries go into:


-----------begin example---------

dn: dc=yourdomain,dc=com

dc: yourdomain

objectClass: top

objectClass: domain


dn: ou=People,dc=yourdomain,dc=com

ou: People

objectClass: top

objectClass: organizationalUnit


dn: ou=Group,dc=yourdomain,dc=com

ou: Group

objectClass: top

objectClass: organizationalUnit

-----------End example-----------

  12. Create a group called “fred” by creating /etc/openldap/schema/group.ldif with the following content. The group goes under ou=Group, the container created in base.ldif for it, not under ou=People:


--------Start Example-------

dn: cn=fred,ou=Group,dc=yourdomain,dc=com

objectClass: posixGroup

objectClass: top

cn: fred

userPassword: password

gidNumber: 1000

--------End example--------



  13. Create a user called “fred” by creating /etc/openldap/schema/people.ldif with the following content:

---------Start Example--------

dn: uid=fred,ou=People,dc=yourdomain,dc=com

uid: fred

cn: fred fred

objectClass: account

objectClass: posixAccount

objectClass: top

objectClass: shadowAccount

# slapd stores this value as given; put a {SSHA} hash from slappasswd here rather than a clear-text password
userPassword: password

shadowLastChange: 15140

shadowMin: 0

shadowMax: 99999

shadowWarning: 7

loginShell: /bin/bash

uidNumber: 1000

gidNumber: 1000

homeDirectory: /home/fred

---------End Example---------


  14. Type the following commands (slapd must still be stopped while you edit files under slapd.d):

cd /etc/openldap/slapd.d/cn\=config

vi olcDatabase\=\{1\}monitor.ldif

  15. Edit the file so that the olcAccess line names your own manager DN, changing “” as needed, as follows. Only the olcAccess value changes; leave the operational attributes at the bottom (entryUUID, entryCSN and the timestamps) exactly as they are on your system:

----------Start Example--------------

dn: olcDatabase={1}monitor

objectClass: olcDatabaseConfig

olcDatabase: {1}monitor

olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=yourdomain,dc=com" read by * none

olcAddContentAcl: FALSE

olcLastMod: TRUE

olcMaxDerefDepth: 15

olcReadOnly: FALSE

olcSyncUseSubentry: FALSE

olcMonitoring: FALSE

structuralObjectClass: olcDatabaseConfig

entryUUID: 5ff4ae96-b538-1032-99cc-8b417a2755b7

creatorsName: cn=config

createTimestamp: 20130919053044Z

entryCSN: 20130919053044.317836Z#000000#000#000000

modifiersName: cn=config

modifyTimestamp: 20130919053044Z

----------End Example---------------



  16. Start slapd again (/etc/init.d/slapd start) and add the above to the LDAP database by running the following commands (change


ldapadd -x -W -D "cn=Manager,dc=yourdomain,dc=com" -f /etc/openldap/schema/base.ldif

ldapadd -x -W -D "cn=Manager,dc=yourdomain,dc=com" -f /etc/openldap/schema/people.ldif

ldapadd -x -W -D "cn=Manager,dc=yourdomain,dc=com" -f /etc/openldap/schema/group.ldif


  17. Check to see if they have been added with the following command (Change the


ldapsearch -x -b "dc=yourdomain,dc=com"
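Beyond a bare ldapsearch on the local port, two things are worth checking once the server is up: that the certificate directory does not expose the private key database or the password that unlocks it, and that the expected entries come back over LDAPS with the generated CA pinned rather than over clear-text port 389. The script below is an added example, not from the original guide. The file locations, base DN, host name and function names are assumptions matching the defaults used above, and the LDIF sample it parses is constructed for the demo.

```shell
#!/bin/bash
# Added example: post-install checks for the server built above.
# Assumptions (not from the guide): certs in /etc/openldap/certs, CA in
# cacert.pem, base DN dc=yourdomain,dc=com, LDAPS on 636, GNU stat available.

# 1. Nothing in the certificate directory may be accessible by "other":
#    key3.db holds the private keys and "password" unlocks them. The PEM CA
#    certificate is the only file that is safe to leave world-readable.
#    Prints each offender and returns 1 if there were any.
check_cert_perms() {
    local dir="$1" bad=0 f mode
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "$f" in *.pem) continue ;; esac
        mode=$(stat -c '%a' "$f")          # e.g. 640; last digit is "other"
        case "$mode" in
            *[1-7]) echo "world-accessible: $f ($mode)"; bad=1 ;;
        esac
    done
    return $bad
}

# 2. Pull the entries back over LDAPS with the CA pinned. LDAPTLS_CACERT makes
#    the client verify the server certificate against our CA only (the same
#    setting is TLS_CACERT in /etc/openldap/ldap.conf for permanent use).
fetch_entries() {
    local host="$1" base="$2" cacert="$3"
    LDAPTLS_CACERT="$cacert" ldapsearch -x -LLL -H "ldaps://$host:636/" -b "$base" '(objectClass=*)' dn
}

# Extract DNs from LDIF on stdin. Handles LDIF folding: a line starting with a
# single space continues the previous line.
dns_from_ldif() {
    awk '
        /^ / { buf = buf substr($0, 2); next }
        { if (buf ~ /^dn: /) print substr(buf, 5); buf = $0 }
        END { if (buf ~ /^dn: /) print substr(buf, 5) }
    '
}

# Compare the DNs found against the five entries the guide creates.
# Prints each missing DN and returns 1 if any is missing.
check_expected_dns() {
    local base="$1" found="$2" missing=0 dn
    for dn in "$base" "ou=People,$base" "ou=Group,$base" \
              "uid=fred,ou=People,$base" "cn=fred,ou=Group,$base"; do
        if ! printf '%s\n' "$found" | grep -qxF "$dn"; then
            echo "missing: $dn"
            missing=1
        fi
    done
    return $missing
}

# Constructed sample of ldapsearch -LLL output (includes one folded dn line),
# so the parser can be exercised without a server.
SAMPLE_LDIF='dn: dc=yourdomain,dc=com
dc: yourdomain

dn: ou=People,dc=yourdomain,dc=com
ou: People

dn: uid=fred,ou=People,dc=yourdomain,
 dc=com
uid: fred
'

# Usage on the real server:
#   check_cert_perms /etc/openldap/certs
#   found=$(fetch_entries ldap.yourdomain.com dc=yourdomain,dc=com /etc/openldap/certs/cacert.pem | dns_from_ldif)
#   check_expected_dns dc=yourdomain,dc=com "$found"
```

If fetch_entries fails with a certificate error while the plain ldapsearch from the step above succeeds, the usual causes are a server certificate whose subject does not match the host name you connected to, or a cacert.pem that was not regenerated after the CA was recreated.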


  18. Restart slapd so it picks up all of the changes; a full reboot is not required, although it does the same job.