OpenLDAP-Based Central Authentication Architecture (Part 2) — Server Installation and Initial Configuration

1. Overview

This post describes how to install and configure an OpenLDAP server on CentOS 7.
The same configuration applies to Ubuntu, Rocky, or AlmaLinux,
with only minor differences in package names and file paths.

⚠️ Note:
All IP addresses, hostnames, domain names, and account names shown here are examples.
Replace them with values that match your organization’s environment and security policy.


2. Installing OpenLDAP

2.1 Install Packages

For CentOS 7:

# yum install -y openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel

For Ubuntu:

# apt install slapd ldap-utils

2.2 Enable and Start the Service

# systemctl enable slapd
# systemctl start slapd
# systemctl status slapd

OpenLDAP uses TCP port 389 by default.
Verify the port status:

# netstat -tulnp | grep 389

3. Generate the Administrator Password

Use the slappasswd command to generate the manager password hash.

# slappasswd
New password:
Re-enter new password:
{SSHA}wL2YjR1iZ2VfK3s9bHbF4vAozLzLzFqC

Keep the resulting {SSHA}… hash securely —
it will be assigned as the password for the cn=manager account.


4. Initial Database Configuration (LDIF Method)

Since OpenLDAP 2.4, configuration files under /etc/openldap/slapd.d/
must not be edited directly.
All changes are made using LDIF files applied via ldapmodify.

4.1 Create a Directory for LDIF Files

# mkdir /etc/openldap/ldif

4.2 Create the Database Definition

File: /etc/openldap/ldif/db.ldif

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=example,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=manager,dc=example,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}wL2YjR1iZ2VfK3s9bHbF4vAozLzLzFqC

4.3 Apply the Configuration

# ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/openldap/ldif/db.ldif

Expected output:

modifying entry "olcDatabase={2}hdb,cn=config"

5. Restrict Access to the Monitoring Database

Limit access to the monitor database (cn=monitor) to local root (authenticated via the ldapi socket) and the LDAP manager account; everyone else is denied.

File: /etc/openldap/ldif/monitor.ldif

dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to *
  by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
  by dn.base="cn=manager,dc=example,dc=com" read
  by * none

Apply:

# ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/openldap/ldif/monitor.ldif

6. Apply Core Schemas

Load the standard schema files required by most directory structures.

# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

7. Create the Initial Directory Structure

Assume the organization domain is example.com.
Create base entries as follows.

File: /etc/openldap/ldif/base.ldif

dn: dc=example,dc=com
objectClass: top
objectClass: domain
dc: example

dn: cn=manager,dc=example,dc=com
objectClass: organizationalRole
cn: manager
description: LDAP Manager

dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=example,dc=com
objectClass: organizationalUnit
ou: Group

Apply:

# ldapadd -x -W -D "cn=manager,dc=example,dc=com" -f /etc/openldap/ldif/base.ldif

Expected output:

adding new entry "dc=example,dc=com"
adding new entry "cn=manager,dc=example,dc=com"
adding new entry "ou=People,dc=example,dc=com"
adding new entry "ou=Group,dc=example,dc=com"

8. Configuration Precautions

  1. Never edit files directly under /etc/openldap/slapd.d/.
    Doing so may cause the slapd service to fail on restart.
  2. Always create separate LDIF files and apply them using ldapmodify.
  3. The legacy slapd.conf format is deprecated since version 2.4.
  4. Ensure all configuration files are restricted to root access (chmod 600).

9. Basic Validation

Run a test query to confirm the directory structure.

# ldapsearch -x -LLL -b "dc=example,dc=com"

Expected result (the first of the entries created above; the search returns all four):

dn: dc=example,dc=com
objectClass: top
objectClass: domain
dc: example

If the entries appear correctly, the initial setup is complete.


10. Next Step

In the next post, we’ll configure LDAP client integration for Linux servers,
using authconfig, nslcd, and sssd to enable centralized SSH login, sudo/su control,
and group-based access policies directly from OpenLDAP.

ⓒ 2025 엉뚱한 녀석의 블로그 [quirky guy's Blog]. All rights reserved. Unauthorized copying or redistribution of the text and images is prohibited. When sharing, please include the original source link.

🛠 Last modified: 2025.10.23