
Lab 91: OpenLDAP Server Installation and Initial Configuration

Install and bring up an OpenLDAP directory service, define a base DN, and initialize core directory entries using LDIF. Validate service health and confirm query results with ldapsearch before adding users and groups.

Tags: identity, ldap, services

Scenario

You are standardizing identity lookups across Linux systems and need a baseline directory service that can answer queries reliably. Your task is to install OpenLDAP, establish a base DN, and load initial directory structure so the environment has a known-good starting point.

Operator context

LDAP becomes foundational quickly. Treat the base DN, schema state, and admin bind as baseline configuration, and verify each step before you start adding users and groups.

Objective

  • Install OpenLDAP server components and client utilities.
  • Confirm slapd is running and reachable locally.
  • Generate a password hash for directory configuration or LDIF use.
  • Load core schema when required by distro layout.
  • Create and apply a base LDIF to initialize directory structure.
  • Query the directory to confirm expected entries are present.

Concepts

  • Directory naming: base DN structure (for example dc=example,dc=com) and the admin bind DN.
  • Service ownership and health validation under systemd (systemctl).
  • Password hashing for LDAP with slappasswd.
  • Schema as the definition layer for object classes and attributes (core.ldif).
  • LDIF as the declarative format for creating directory entries (ldapadd).
  • Read-only verification with ldapsearch, scoped to the base DN.

Walkthrough

Step 1 : Install OpenLDAP server and client utilities.
Command
# Debian/Ubuntu
sudo apt install slapd ldap-utils -y

# RHEL/Fedora family
sudo dnf install openldap-servers openldap-clients -y

# Arch
sudo pacman -S openldap

Install the server daemon and client tools so you can configure and validate the directory from the CLI. If you cannot run client queries locally, you do not have a reliable baseline to build on.

Step 2 : Initialize the directory configuration (Debian/Ubuntu flow).
Command
sudo dpkg-reconfigure slapd

On Debian/Ubuntu, dpkg-reconfigure drives initial configuration: the DNS domain (from which the base DN is derived, example.com becoming dc=example,dc=com), organization name, admin password and database backend. It also creates the base entry and the cn=admin,<base DN> account for you. RHEL/Fedora and Arch have no equivalent initializer: there you enable and start slapd and then set the suffix (olcSuffix), root DN (olcRootDN) and hashed root password (olcRootPW) on the database entry under cn=config with ldapmodify over ldapi:///. The target state is the same on every distribution: a defined base DN and a working admin bind.

# Outcome (example):
slapd configured with your specified domain and base DN.
Step 3 : Generate an LDAP password hash.
Command
slappasswd

slappasswd prompts for a secret and prints a salted SHA-1 ({SSHA}) hash by default, the form slapd expects in userPassword and olcRootPW values. Use the prompt rather than -s on the command line, which leaves the cleartext in shell history and visible in the process list, and never paste a cleartext password into an LDIF: by default slapd stores userPassword exactly as given, hashed or not.

{SSHA}REDACTED_HASH_OUTPUT
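Steps 2 and 3 on RHEL/Fedora, as an added example that is not part of the original lab: there is no dpkg-reconfigure there, so the suffix, root DN and hashed root password are written to the database entry under cn=config with ldapmodify over the ldapi socket. The database DN olcDatabase={2}mdb,cn=config, the root DN cn=Manager,<base DN> and the secret file path are assumptions; confirm the database DN on your host (ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config '(olcDatabase=*)' dn) before applying.

```shell
#!/bin/sh
# Added example (not from the original lab): non-interactive equivalent of
# Step 2 for RHEL/Fedora plus the Step 3 hash, written as shell functions.
# Assumptions to confirm on your host: the data backend is
# olcDatabase={2}mdb,cn=config, and root can bind with SASL EXTERNAL over
# ldapi:/// (the default cn=config ACL grants manage to uid 0/gid 0).
set -eu

# Step 3 without the prompt: slappasswd -T reads the secret from a file, so
# the cleartext never appears in shell history or the process list (slappasswd
# -s would expose it via ps). -n drops the trailing newline for capture.
hash_secret_file() {
    slappasswd -n -h '{SSHA}' -T "$1"
}

# Build the ldapmodify LDIF that sets suffix, root DN and root password hash.
# Only a hashed value is accepted; a cleartext olcRootPW would be stored as-is.
db_config_ldif() {
    _base=$1; _rootdn=$2; _hash=$3
    case "$_hash" in
        '{SSHA}'*|'{SHA}'*|'{CRYPT}'*|'{ARGON2}'*) ;;
        *) echo "db_config_ldif: refusing unhashed root password" >&2; return 1 ;;
    esac
    printf '%s\n' \
        'dn: olcDatabase={2}mdb,cn=config' \
        'changetype: modify' \
        'replace: olcSuffix' \
        "olcSuffix: $_base" \
        '-' \
        'replace: olcRootDN' \
        "olcRootDN: $_rootdn" \
        '-' \
        'replace: olcRootPW' \
        "olcRootPW: $_hash"
}

# Live run (as root, slapd started):
#   sh init-rhel.sh --apply dc=example,dc=com /root/rootpw.txt
if [ "${1:-}" = "--apply" ]; then
    BASE=${2:?base DN, e.g. dc=example,dc=com}
    SECRET_FILE=${3:?file holding the root password, mode 0600}
    HASH=$(hash_secret_file "$SECRET_FILE")
    db_config_ldif "$BASE" "cn=Manager,$BASE" "$HASH" | ldapmodify -Y EXTERNAL -H ldapi:/// -Q
    # Read back what was set; the password hash is deliberately not requested.
    ldapsearch -Y EXTERNAL -H ldapi:/// -Q -LLL -b 'olcDatabase={2}mdb,cn=config' \
        '(objectClass=*)' olcSuffix olcRootDN
fi
```

Create the secret file with umask 077 and delete it after the run; the hash, not the secret, is what ends up in cn=config, and the read-back at the end is the check that the suffix and root DN are what Step 7 will bind against.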
Step 4 : Verify slapd is running under systemd.
Command
sudo systemctl status slapd

This is your baseline service-health check. If slapd is not active, schema and LDIF operations are premature. Debian/Ubuntu starts and enables the unit during package configuration; on RHEL/Fedora and Arch the package installs it disabled, so enable and start it first (systemctl enable --now slapd).

# Expected pattern:
slapd is active (running)
Step 5 : Load core schema if required by your distro layout.
Commands
# Debian/Ubuntu schema path example:
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/core.ldif

# RHEL/Fedora schema path example:
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/core.ldif

Schema defines the object classes and attributes your directory can store. Loading it uses SASL EXTERNAL over the local ldapi socket: slapd identifies the caller by the Unix uid and gid of the connecting process, and the default cn=config ACL grants manage rights only to uid 0/gid 0, which is why the command runs under sudo. Debian/Ubuntu already loads core, cosine, nis and inetorgperson at package configuration, and re-adding a loaded schema fails with a duplicate-definition error, so list cn=schema,cn=config first and load only what is missing.

# Expected pattern:
adding new entry "cn=core,cn=schema,cn=config"
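The "load only if missing" check for Step 5, as an added example that is not part of the original lab. It lists the schema DNs under cn=schema,cn=config and skips the ldapadd when the requested schema is already there, which is the failure mode on Debian/Ubuntu where the package has already loaded core. The SCHEMA_DIR default, the script name and the sample DN list are assumptions; the sample is constructed, not captured from a server.

```shell
#!/bin/sh
# Added example (not from the original lab): load a schema only if cn=config
# does not already list it. ldapadd of an already-loaded schema fails with a
# duplicate-definition error, and on Debian/Ubuntu core, cosine, nis and
# inetorgperson are loaded by the package, so the check matters.
# Assumption: SCHEMA_DIR is /etc/ldap/schema (Debian) or /etc/openldap/schema
# (RHEL); run as root so SASL EXTERNAL over ldapi:/// maps to uid 0.
set -eu

# Constructed sample of `ldapsearch ... -b cn=schema,cn=config -s one dn`
# output (not captured from a live server), used for offline checks.
SAMPLE_SCHEMA_DNS='dn: cn={0}core,cn=schema,cn=config
dn: cn={1}cosine,cn=schema,cn=config
dn: cn={2}nis,cn=schema,cn=config'

# Read DN lines on stdin; succeed if schema $1 is listed. Loaded schemas
# appear as cn={N}NAME,cn=schema,cn=config, where {N} is the load order.
schema_listed() {
    grep -Eiq "^dn: cn=[{][0-9]+[}]$1,cn=schema,cn=config\$"
}

# Fail early with a clear message if the EXTERNAL bind over ldapi does not
# work (slapd down, socket missing, or not running as root).
require_ldapi() {
    ldapwhoami -Y EXTERNAL -H ldapi:/// -Q >/dev/null 2>&1 ||
        { echo "SASL EXTERNAL over ldapi:/// failed; is slapd up and are you root?" >&2; return 1; }
}

list_schema_dns() {
    ldapsearch -Y EXTERNAL -H ldapi:/// -Q -LLL -b cn=schema,cn=config -s one '(objectClass=*)' dn
}

# Load $1 (e.g. core, cosine, inetorgperson) from SCHEMA_DIR only when absent.
ensure_schema() {
    if list_schema_dns | schema_listed "$1"; then
        echo "schema $1 already loaded, skipping"
    else
        ldapadd -Y EXTERNAL -H ldapi:/// -Q -f "$SCHEMA_DIR/$1.ldif"
    fi
}

# Live run (as root):
#   SCHEMA_DIR=/etc/openldap/schema sh ensure-schema.sh core cosine inetorgperson
if [ $# -gt 0 ]; then
    : "${SCHEMA_DIR:=/etc/ldap/schema}"
    require_ldapi
    for s in "$@"; do ensure_schema "$s"; done
fi
```

Order matters when you pass several names: cosine and nis depend on core, and inetorgperson depends on cosine, so list them in that order.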
Step 6 : Create a base LDIF for the domain.
Command
nano ~/base.ldif
# or
vim ~/base.ldif

This LDIF creates the base DN entry for your directory: dcObject supplies the dc attribute and organization supplies the required o attribute. The DN must match the suffix you configured; the lab uses dc=example,dc=com as a placeholder. On Debian/Ubuntu, dpkg-reconfigure has already created this entry, so the next step reports Already exists (68) for it; that is expected, and the useful additions at this point are organizational units such as ou=People and ou=Groups beneath the base.

dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: Example Company
dc: example
Step 7 : Add the base DN using ldapadd.
Command
ldapadd -x -D cn=admin,dc=example,dc=com -W -f ~/base.ldif

This performs a simple bind (-x) as the admin DN, prompting for the password (-W), and adds the LDIF content to the directory. cn=admin,<base DN> is the account Debian/Ubuntu creates; on RHEL/Fedora bind as the olcRootDN you set (commonly cn=Manager,dc=example,dc=com). A simple bind sends the password in clear, so in production use TLS (ldaps://, or STARTTLS with -ZZ) or the local ldapi socket.

# Expected pattern:
adding new entry "dc=example,dc=com"
Step 8 : Verify directory content with ldapsearch.
Command
ldapsearch -x -LLL -b dc=example,dc=com

This performs an anonymous, read-only search (with -x and no -D, the simple bind is anonymous) and returns every entry under the base DN. It validates that slapd is responding, that the base entry exists, and that the ACLs permit the read: Debian/Ubuntu's default ACL grants anonymous read on the main database, while a deployment that denies anonymous access needs -D and -W here as well.

# Expected pattern:
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: Example Company
dc: example
...
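Steps 6 to 8 as one repeatable script, added here as an example that is not part of the original lab. It derives the base DN from the domain so the LDIF cannot drift from the configured suffix, seeds ou=People and ou=Groups alongside the base entry, treats Already exists (68) from ldapadd as acceptable (the Debian case above), and checks the ldapsearch output for the lines Step 8 expects. The admin DN cn=admin,<base>, the script name and the sample ldapsearch output are assumptions; the sample is constructed, not captured from a server.

```shell
#!/bin/sh
# Added example (not from the original lab): Steps 6-8 as one repeatable
# script. The base DN is derived from the domain so the LDIF cannot drift from
# the configured suffix; ou=People and ou=Groups are seeded for the next lab;
# "Already exists (68)" from ldapadd is accepted because Debian's
# dpkg-reconfigure creates the base entry itself; the result is checked the
# way Step 8 does it.
# Assumption: the admin DN is cn=admin,<base> (Debian default); on RHEL set
# ROOTDN to the olcRootDN you configured (e.g. cn=Manager,<base>).
set -eu

# example.com -> dc=example,dc=com (lowercased, one dc= per label, no empty labels).
domain_to_dn() {
    _dn=""
    _rest=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    while [ -n "$_rest" ]; do
        case "$_rest" in
            *.*) _label=${_rest%%.*}; _rest=${_rest#*.} ;;
            *)   _label=$_rest;       _rest="" ;;
        esac
        [ -n "$_label" ] || { echo "domain_to_dn: empty label in '$1'" >&2; return 1; }
        _dn="${_dn:+$_dn,}dc=$_label"
    done
    printf '%s\n' "$_dn"
}

# Base entry (as in Step 6) plus two organizational units.
base_ldif() {
    _base=$1; _org=$2
    _dc=${_base#dc=}; _dc=${_dc%%,*}      # leftmost dc value, required by dcObject
    printf '%s\n' \
        "dn: $_base" 'objectClass: top' 'objectClass: dcObject' 'objectClass: organization' \
        "o: $_org" "dc: $_dc" '' \
        "dn: ou=People,$_base" 'objectClass: organizationalUnit' 'ou: People' '' \
        "dn: ou=Groups,$_base" 'objectClass: organizationalUnit' 'ou: Groups'
}

# Inspect ldapadd's stderr ($1): succeed if any ldap_add error is something
# other than "Already exists (68)", which is harmless on a re-run.
has_fatal_add_error() {
    printf '%s\n' "$1" | grep '^ldap_add:' | grep -vq 'Already exists (68)'
}

# ldapadd -c keeps going after a per-entry error, so the OUs are still added
# when the base entry already exists. ROOTDN is set by the caller.
apply_ldif() {
    _err=$(ldapadd -x -c -D "$ROOTDN" -W -f "$1" 2>&1 >/dev/null) && return 0
    if has_fatal_add_error "$_err"; then printf '%s\n' "$_err" >&2; return 1; fi
    echo "some entries already existed; continuing"
}

# Constructed sample of `ldapsearch -x -LLL -s base -b dc=example,dc=com`
# output (not captured from a real server), used for offline checks.
SAMPLE_SEARCH='dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: Example Company
dc: example'

# Read ldapsearch -LLL output on stdin; fail (naming the missing line) unless
# the base entry is present with both structural classes the lab expects.
check_base_entry() {
    _out=$(cat)
    for _want in "dn: $1" 'objectClass: dcObject' 'objectClass: organization'; do
        printf '%s\n' "$_out" | grep -Fqx "$_want" || { echo "missing: $_want" >&2; return 1; }
    done
}

# Live run: sh base-init.sh --apply example.com 'Example Company'
if [ "${1:-}" = "--apply" ]; then
    BASE=$(domain_to_dn "${2:?domain, e.g. example.com}")
    ROOTDN="cn=admin,$BASE"
    base_ldif "$BASE" "${3:-$2}" > "$HOME/base.ldif"
    apply_ldif "$HOME/base.ldif"
    ldapsearch -x -LLL -s base -b "$BASE" '(objectClass=*)' | check_base_entry "$BASE" \
        && echo "base entry OK: $BASE"
fi
```

The search at the end uses -s base so only the suffix entry is fetched; the same check_base_entry function can be pointed at the full subtree output from Step 8 if you prefer one query.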

Common breakpoints

slapd service is inactive or fails to start

If systemctl status slapd shows the unit as inactive or failed, do not proceed with schema or LDIF operations. Validate the package install, read the recent log lines (journalctl -u slapd), confirm the unit is present and enabled (on RHEL/Fedora and Arch it is not enabled at install), and check that the configuration directory (/etc/ldap/slapd.d or /etc/openldap/slapd.d) and the database directory are owned by the service user.

ldapadd with SASL EXTERNAL fails over ldapi

This usually means the command did not run as root, the ldapi socket is not available, or the cn=config ACL does not grant the calling uid/gid access. EXTERNAL over ldapi authenticates as gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth when run by root, and the default ACL grants that identity manage rights on cn=config. Confirm slapd is running, run the command under sudo, and check the identity the server sees with ldapwhoami -Y EXTERNAL -H ldapi:///.

ldapadd simple bind returns invalid credentials

Confirm the bind DN matches the configured root DN (cn=admin,<base DN> on Debian/Ubuntu; on RHEL/Fedora the olcRootDN you set, since none exists until you set one) and that the base DN matches the directory suffix. A mismatched DN is a common cause of failed binds in early setup.

ldapadd returns Already exists (68)

The entry is already in the directory. For the base entry on Debian/Ubuntu this is expected, because dpkg-reconfigure creates it; verify with ldapsearch and move on, or run ldapadd with -c so the remaining entries in the same LDIF are still processed.

ldapsearch returns no entries under the base DN

This usually indicates the base LDIF was not applied, the search base is wrong, or the ACLs deny anonymous reads (ldapsearch -x without -D binds anonymously). Verify the DN in your LDIF, re-run the query with the exact suffix you configured, and if anonymous reads are denied repeat the search with -D and -W.

Cleanup checklist

This lab changes system state by installing packages and starting the directory service. If you are using a disposable environment, stop the service and remove the packages when you are done. On Debian/Ubuntu, --purge also deletes the slapd.d configuration and the directory database, so do not use it on a host whose directory you still need.

Commands
# Stop the service (optional)
sudo systemctl stop slapd

# Remove packages (optional)
# Debian/Ubuntu
sudo apt remove --purge slapd ldap-utils -y

# RHEL/Fedora
sudo dnf remove openldap-servers openldap-clients -y

# Arch
sudo pacman -Rns openldap

Reference

  • apt install slapd ldap-utils: Installs OpenLDAP server and client tools on Debian/Ubuntu.
    • slapd: OpenLDAP directory server daemon.
    • ldap-utils: Client utilities including ldapadd and ldapsearch.
  • dnf install openldap-servers openldap-clients: Installs OpenLDAP server and client tools on RHEL/Fedora.
    • openldap-servers: Server components for slapd.
    • openldap-clients: Client utilities including ldapadd and ldapsearch.
  • pacman -S openldap: Installs OpenLDAP (server and client tools) on Arch-based systems.
    • -S: Installs packages from the sync repositories.
  • dpkg-reconfigure slapd: Runs the Debian/Ubuntu interactive initialization for slapd.
  • slappasswd: Generates password hashes ({SSHA} by default) for LDAP configuration or LDIF use.
  • systemctl status slapd: Shows service status for the OpenLDAP daemon.
    • status: Displays current unit state and recent log lines.
  • ldapadd -Y EXTERNAL -H ldapi:/// -f <file.ldif>: Adds entries using SASL EXTERNAL over the local LDAPI socket.
    • -Y EXTERNAL: Uses the EXTERNAL SASL mechanism; over ldapi the identity is the Unix uid/gid of the calling process.
    • -H ldapi:///: Targets the local LDAP IPC (Unix domain socket) endpoint.
    • -f <file.ldif>: Reads LDIF content from a file.
  • ldapadd -x -D <binddn> -W -f <file.ldif>: Adds entries using a simple bind as a specified DN.
    • -x: Uses simple authentication (non-SASL).
    • -D <binddn>: Sets the bind DN (for example cn=admin,dc=example,dc=com).
    • -W: Prompts for the bind password.
    • -f <file.ldif>: Reads LDIF content from a file.
  • ldapsearch -x -LLL -b <baseDN>: Queries entries under a base DN with clean output formatting.
    • -x: Uses simple authentication; without -D the bind is anonymous.
    • -LLL: Produces plain LDIF output (suppresses comments and version lines).
    • -b <baseDN>: Sets the search base (for example dc=example,dc=com).