How to setup a simple OpenLDAP server for your home lab

Some certification tests may require you to know how to setup an LDAP client. Rather hard to do in your home lab if you don't have an LDAP Server! Here's some basic instructions on how to setup something that will work.

Step 1: Install the required packages:
#yum install openldap-servers migrationtools

Step2: The configuration for LDAPD is stored inside the LDAP server itself. The configuration has to be done by editing LDIF files under the /etc/openldap/slapd.d/ directory.

Create the ldap password:

You’ll get something like this ”{SSHA}r2or9f2vYlvieCu0LP6wTnSdYfrddsuV” as a result. This is the encrypted string we will have to add to the bdb.ldif config file.

# vi /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{1\}bdb.ldif

Substitute with

Step 3: Set the admin password and specify the location of the encryption certificate and key.

Add these 3 lines at the end of the file bdb.ldif file, replacing the encrypted string shown, with the one you created in step 2:

olcRootPW: {SSHA}V7TQ2kZ7IWEHOb2Qs4zrXi4ufvlU9W/O
olcTLSCertificateFile: /etc/pki/tls/certs/slapdcert.pem
olcTLSCertificateKeyFile: /etc/pki/tls/certs/slapdkey.pem

Step 4: Specify the monitoring privileges:

#vi /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}monitor.ldif

We have to replace the default domain name with our domain name:


Step 5: Configure the Database Cache


#cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

#chown -Rf ldap:ldap /var/lib/ldap/

Step 6: Set up a certificate for TLS. Edit the /etc/sysconfig/ldap file and change SLAPD_LDAPS from no to yes.

#vi /etc/sysconfig/ldap

Create the certificate:
#openssl req -new -x509 -nodes -out /etc/pki/tls/certs/slapdcert.pem -keyout /etc/pki/tls/certs/slapdkey.pem -days 365

This will create the two required keys in the /etc/pki/tls/certs/ directory. Make them readable for the ldap user.

# chown -Rf root:ldap /etc/pki/tls/certs/$cert.pem ; chmod -Rf 750 /etc/pki/tls/certs/$key.pem

Step 7: Test the configuration

# slaptest -u
config file testing succeeded

Step 8: Start the ldap server

#service slapd start

Check if the ldap server works:

#ldapsearch -x -b "dc=yourdomain,dc=com"

If you get a "search: 2" then it's working

Step 9: Configure the base domain

#vi base.ldif

dn: dc=yourdomain,dc=net
dc: yourdomain
objectClass: top
objectClass: domain

dn: ou=People,dc=yourdomain,dc=net
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Groups,dc=yourdomain,dc=net
ou: Groups
objectClass: top
objectClass: organizationalUnit

Import base information to the ldap directory:

#ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f base.ldif

Step 10: Migrate the users

Go to the directory /usr/share/migrationtools. Edit the file

# vi /usr/share/migrationtools/

# Default DNS domain
# Default base
$DEFAULT_BASE = ”dc=yourdomain,dc=com”;

#grep ":5[0-9][0-9]" /etc/passwd > passwd
#grep ":5[0-9][0-9]" /etc/group > group
#./ passwd > users.ldif
#./ group > group.ldif
#sed -e "s/ou=Group/ou=Groups/g" group.ldif > groups.ldif
ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f users.ldif
ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f groups.ldif

Step 11: Test the ldap server. Check if user "mani" exists. (try this with a userid that does exist)

#ldapsearch -x "cn=mani" -b "dc=example,dc=com"

If the test is successful, you're done!