How to Set Up LDAP with OpenLDAP on RHEL 7

OpenLDAP is the most widely deployed open-source implementation of the Lightweight Directory Access Protocol and serves as the foundation for centralized authentication, authorization, and user directory services across Linux environments. On RHEL 7, OpenLDAP is available directly from the base repositories and integrates tightly with PAM, NSS, and other system services. Setting up an LDAP directory allows you to manage user accounts and groups in a single place and have every enrolled system authenticate against it, eliminating the need to maintain identical /etc/passwd entries across multiple servers. This guide walks through installing OpenLDAP server and client packages, configuring the directory service, populating it with base entries, securing it with TLS, and providing a web-based management interface.

Prerequisites

  • RHEL 7 server with root or sudo access
  • A fully qualified domain name (FQDN) for the server, with forward DNS resolution working
  • Firewall access: TCP port 389 (LDAP) and optionally 636 (LDAPS)
  • Basic understanding of LDAP concepts: Distinguished Name (DN), Object Class, Attribute
  • Sufficient storage for the directory database (typically /var/lib/ldap/)

Step 1: Install OpenLDAP Packages

Install both the server and client packages from the base RHEL 7 repository. The openldap-servers package includes the slapd daemon and administration utilities; openldap-clients provides command-line tools such as ldapadd, ldapsearch, and ldapmodify.

sudo yum install -y openldap-servers openldap-clients

After installation, copy the default DB configuration file to the data directory and set correct ownership:

sudo cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
sudo chown -R ldap:ldap /var/lib/ldap/

Step 2: Start and Enable the slapd Service

sudo systemctl enable slapd
sudo systemctl start slapd
sudo systemctl status slapd

Verify that slapd is listening on port 389:

sudo ss -tlnp | grep slapd

Step 3: Set the OpenLDAP Root Password

Generate a hashed password using slappasswd, then create an LDIF file to apply it to the configuration database.

# Generate hash — copy the output (e.g., {SSHA}abc123...)
slappasswd -h {SSHA}

Create a file named /tmp/chrootpw.ldif with the following content, substituting the hash you generated:

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}YOUR_HASH_HERE

sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/chrootpw.ldif

Step 4: Configure the Directory Suffix and Root DN

The directory suffix defines the top of the DIT (Directory Information Tree). For a domain of example.com, the suffix is dc=example,dc=com. The root DN is the superuser account for directory operations.

Create /tmp/chdomain.ldif:

dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=example,dc=com" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=example,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=example,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}YOUR_HASH_HERE

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=Manager,dc=example,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=example,dc=com" write by * read

sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/chdomain.ldif

Step 5: Load Required Schemas

OpenLDAP ships with standard schemas in /etc/openldap/schema/. Load the commonly required ones before adding user entries:

sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

Step 6: Create the Base DN and Organizational Units

Create /tmp/basedomain.ldif to add the root domain entry and two OUs — one for users and one for groups:

dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: Example Organization
dc: example

dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Groups,dc=example,dc=com
objectClass: organizationalUnit
ou: Groups

sudo ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f /tmp/basedomain.ldif

You will be prompted for the Manager password you set earlier.

Step 7: Add a User Entry

Create /tmp/adduser.ldif:

dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: jdoe
sn: Doe
cn: John Doe
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/jdoe
loginShell: /bin/bash
userPassword: {SSHA}USER_PASSWORD_HASH

sudo ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f /tmp/adduser.ldif

Step 8: Verify with ldapsearch

# Search anonymously for all entries under the base DN
ldapsearch -x -b "dc=example,dc=com" "(objectClass=*)"

# Search as Manager with authentication
ldapsearch -x -D "cn=Manager,dc=example,dc=com" -W \
  -b "ou=People,dc=example,dc=com" "(uid=jdoe)"

Step 9: Configure the LDAP Client

Edit /etc/openldap/ldap.conf on any RHEL 7 client machine to point to the LDAP server:

URI     ldap://ldap.example.com
BASE    dc=example,dc=com
TLS_CACERTDIR   /etc/openldap/certs

To enable LDAP-based authentication on clients, install nss-pam-ldapd and run authconfig:

sudo yum install -y nss-pam-ldapd
sudo authconfig --enableldap --enableldapauth \
  --ldapserver=ldap://ldap.example.com \
  --ldapbasedn="dc=example,dc=com" \
  --update

Step 10: Enable TLS for Secure LDAP

Generate or obtain a TLS certificate for the LDAP server, then create /tmp/ldap-tls.ldif:

dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/openldap/certs/ca.crt
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/ldap.crt
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/ldap.key

sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/ldap-tls.ldif

Configure slapd to listen on the LDAPS port by editing /etc/sysconfig/slapd:

SLAPD_URLS="ldapi:/// ldap:/// ldaps:///"

Restart slapd and open the LDAPS port in the firewall:

sudo systemctl restart slapd
sudo firewall-cmd --permanent --add-port=636/tcp
sudo firewall-cmd --reload

Step 11: Install phpLDAPadmin for Web Management

phpLDAPadmin provides a browser-based interface for managing the directory. It is available in the EPEL repository.

sudo yum install -y epel-release
sudo yum install -y phpldapadmin

# Configure in /etc/phpldapadmin/config.php — set the server host:
# $servers->setValue('server','host','ldap.example.com');
# $servers->setValue('server','base',array('dc=example,dc=com'));

sudo systemctl restart httpd

Edit /etc/httpd/conf.d/phpldapadmin.conf to restrict access to trusted IP ranges before exposing it to the network.

Conclusion

A functioning OpenLDAP installation on RHEL 7 provides a robust foundation for centralized identity management across your infrastructure. From this baseline you can add group-based access policies, integrate with PAM for SSH login, connect application services such as Postfix or Samba to the directory, and replicate the directory to secondary servers for high availability. Regular backups using slapcat to export the database as LDIF, combined with TLS encryption and strict ACL definitions, keep the directory both reliable and secure over its operational lifetime.