Press "Enter" to skip to content

rfc2307bis openldap server configuration on centos 7

I set up an openldap server using the excellent guide over at  However I wanted to to use the rfc2307-bis schema and have the server available over ldaps.  Here’s my modified version:

Install the packages:

yum -y install openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel

Edit the service:

#Edited by systemctl edit slapd
ExecStart=/usr/sbin/slapd -u ldap -h "ldap:/// ldaps:/// ldapi:///" $SLAPD_OPTIONS

Start slapd:

systemctl enable slapd --now

Use slappasswd to get a password hash for the admin user (you’ll need it for the next step):

[root@localhost /]# slappasswd 
New password: 
Re-enter new password: 

Create an ldif file that contains the initial configuration:

#vim initial.ldif

#set olc suffix
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=ldap,dc=m4ldonado,dc=io

#set distinguished name for admin user
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=ldapadmin,dc=ldap,dc=m4ldonado,dc=io

#set password for admin user with hash generated with slappasswd
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}Ppw0oKx+jQ4tZuUTQz+Jqlhpt+aqKxov

#only allow ldapadmin to have monitor access
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external, cn=auth" read by dn.base="cn=ldapadmin,dc=ldap,dc=m4ldonado,dc=io" read by * none

#add cert info
dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/letsencrypt/live/

dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/letsencrypt/live/

Load the ldif file:

ldapmodify -Y EXTERNAL  -H ldapi:/// -f initial.ldif

Copy example database file:

cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG && chown -R ldap:ldap /var/lib/ldap

Download the rfc2307bis schema and enable it:

curl > /etc/openldap/schema/rfc2307bis.ldif

ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/rfc2307bis.ldif 
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

Create base configuration:

# vim base.ldif

dn: dc=ldap,dc=m4ldonado,dc=io
dc: ldap
objectClass: top
objectClass: domain

#admin user
dn: cn=ldapadmin,dc=ldap,dc=m4ldonado,dc=io
objectClass: organizationalRole
cn: ldapadmin
description: LDAP Manager

#location for users
dn: ou=users,dc=ldap,dc=m4ldonado,dc=io
objectClass: organizationalUnit
ou: users

#location for groups
dn: ou=groups,dc=ldap,dc=m4ldonado,dc=io
objectClass: organizationalUnit
ou: groups

Load base configuration:

ldapadd -x -W -D "cn=ldapadmin,dc=ldap,dc=m4ldonado,dc=io" -f base.ldif

Open the ldap and ldaps ports on the firewall:

firewall-cmd --permanent --add-service={ldap,ldaps}
firewall-cmd --reload


You’re now ready to start using your ldap server.  For a gui I use open directory studio.  There are plenty of ways of getting at the openldap server programatically.  Here are a couple of examples:

Searching ldap with perl

Creating an ldap user with python