OpenLDAP is the most widely deployed open-source LDAP directory server and is commonly used for centralised identity management across Linux systems. On RHEL 9, OpenLDAP server packages are available directly from the base repositories, providing a standards-compliant LDAPv3 directory that integrates with SSSD for system authentication. This tutorial covers installing OpenLDAP, configuring the directory database, populating it with organisational entries and users, enabling TLS, and connecting clients for authentication.

Prerequisites

  • RHEL 9 server with a static IP and a resolvable FQDN (e.g., ldap.example.com)
  • Root or sudo access
  • Firewall access on TCP port 389 (LDAP) and optionally 636 (LDAPS)
  • A TLS certificate and key (self-signed or from a CA) for LDAP over TLS
  • SSSD installed on client machines (dnf install -y sssd sssd-ldap oddjob-mkhomedir)

Step 1 — Install OpenLDAP Server and Client Packages

Install the server daemon and the command-line client utilities. The openldap-servers package provides slapd, while openldap-clients provides tools like ldapadd, ldapsearch, and ldapmodify.

dnf install -y openldap-servers openldap-clients

# DB_CONFIG only applies to the legacy bdb/hdb backends; the mdb backend that
# slapd on RHEL 9 uses by default (olcDatabase={2}mdb, configured below) ignores
# it, so copy the example only if the package still ships one.
[ -f /usr/share/openldap-servers/DB_CONFIG.example ] && \
    cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown -R ldap:ldap /var/lib/ldap

# Enable and start slapd
systemctl enable --now slapd

Open the LDAP port in firewalld:

firewall-cmd --permanent --add-service=ldap
firewall-cmd --reload

Step 2 — Generate an Admin Password Hash and Configure the Root DN

OpenLDAP on RHEL 9 uses the OLC (On-Line Configuration) backend, which means all configuration is managed through the LDAP protocol itself via the cn=config DIT rather than flat files. Generate a salted SHA password hash with slappasswd, then apply it with an LDIF modification.

slappasswd -s YourAdminPassword
# Outputs something like: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx
# Copy that hash for use in the next LDIF.
# Note: -s puts the password into your shell history and the process list;
# running slappasswd with no arguments prompts for it interactively instead.
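The {SSHA} value slappasswd prints is base64 of SHA-1(password || salt) followed by the salt itself, so a stored hash can be checked against a password without slapd. The script below is an added example, not part of this tutorial or of OpenLDAP; it reproduces that format with coreutils (sha1sum, base64, od) so you can verify an olcRootPW or userPassword value offline before loading it. The 4-byte salt matches what slappasswd generates by default; the password and salt values in the usage comment are constructed.

```shell
#!/bin/sh
# Added example: build and verify {SSHA} hashes in the form slappasswd produces.
# {SSHA} = "{SSHA}" + base64( SHA1(password || salt) || salt ), salt = 4 bytes.
# Assumes sha1sum, base64 and od from coreutils.

# Emit the raw bytes of a hex string using POSIX printf octal escapes (no xxd).
hex2bin() {
    h=$1
    while [ -n "$h" ]; do
        byte=${h%"${h#??}"}      # first two hex digits
        h=${h#??}
        printf "\\$(printf '%03o' "0x$byte")"
    done
}

# ssha_hash PASSWORD SALT_HEX -> {SSHA}...  (salt given as hex so the result is reproducible)
ssha_hash() {
    pw=$1 salt_hex=$2
    digest_hex=$( { printf '%s' "$pw"; hex2bin "$salt_hex"; } | sha1sum | cut -c1-40)
    printf '{SSHA}%s\n' "$(hex2bin "$digest_hex$salt_hex" | base64)"
}

# ssha_verify PASSWORD HASH -> exit 0 if PASSWORD matches HASH, 1 if not, 2 if HASH is not {SSHA}
ssha_verify() {
    pw=$1 stored=$2
    case $stored in
        '{SSHA}'*) ;;
        *) return 2 ;;           # cleartext or another scheme: refuse rather than guess
    esac
    raw_hex=$(printf '%s' "${stored#"{SSHA}"}" | base64 -d | od -An -v -tx1 | tr -d ' \n')
    salt_hex=$(printf '%s' "$raw_hex" | cut -c41-)   # everything after the 20-byte digest
    [ "$(ssha_hash "$pw" "$salt_hex")" = "$stored" ]
}

# ssha_new PASSWORD -> fresh hash with a random 4-byte salt, as slappasswd does by default
ssha_new() {
    ssha_hash "$1" "$(od -An -N4 -tx1 /dev/urandom | tr -d ' \n')"
}

# Usage (constructed values):
#   h=$(ssha_new 'YourAdminPassword'); ssha_verify 'YourAdminPassword' "$h" && echo match
```

A mismatch after pasting a hash into an LDIF usually means a line-wrapped or truncated value; re-run ssha_verify against the value actually stored in the LDIF rather than the terminal output.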

Create an LDIF file to set the suffix, root DN, and root password:

cat > /tmp/olc_base.ldif << 'EOF'
dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=example,dc=com
-
replace: olcRootDN
olcRootDN: cn=admin,dc=example,dc=com
-
replace: olcRootPW
olcRootPW: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx
EOF

ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/olc_base.ldif

Step 3 — Import the Base Schema and Create the Directory Structure

Load the standard schemas required for user and group objects (core is already loaded at install time; cosine must be loaded before inetorgperson, which depends on it), then create the top-level domain component and organisational units:

# Load required schemas
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif

Create the base directory LDIF:

cat > /tmp/base.ldif << 'EOF'
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: Example Organization
dc: example

dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Groups,dc=example,dc=com
objectClass: organizationalUnit
ou: Groups
EOF

ldapadd -x -D "cn=admin,dc=example,dc=com" -W -f /tmp/base.ldif

Step 4 — Add Users with ldapadd

Create a user LDIF using the inetOrgPerson and posixAccount object classes. The userPassword attribute should contain a hashed value generated by slappasswd.

cat > /tmp/users.ldif << 'EOF'
dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: John Doe
sn: Doe
uid: jdoe
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/jdoe
loginShell: /bin/bash
userPassword: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx
EOF

ldapadd -x -D "cn=admin,dc=example,dc=com" -W -f /tmp/users.ldif

Verify the entry was added:

ldapsearch -x -LLL -b "dc=example,dc=com" "(uid=jdoe)"
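Two mistakes that ldapadd will happily accept are a cleartext userPassword (slapd stores whatever string it is given) and a uidNumber or gidNumber inside the range RHEL reserves for system accounts. The checker below is an added example, not part of this tutorial or of OpenLDAP; it lints a user LDIF in the plain "attribute: value" form used above before it is loaded. The sample entries are constructed, and the {SSHA} value in them is a placeholder, not a real hash.

```shell
#!/bin/sh
# Added example: sanity-check a user LDIF before ldapadd. Flags missing
# posixAccount attributes, uidNumber/gidNumber below 1000 (system range on RHEL)
# and userPassword values that are not a recognised hash scheme.
# Assumes awk; reads the file named in $1, or stdin when no file is given.
lint_user_ldif() {
    awk '
    function check(   missing, n, i, req) {
        if (dn == "") return
        n = split("uid cn uidNumber gidNumber homeDirectory loginShell", req, " ")
        for (i = 1; i <= n; i++) if (!(req[i] in attr)) missing = missing " " req[i]
        if (missing != "") { printf "%s: missing%s\n", dn, missing; bad++ }
        if (!("posixAccount" in oc)) { printf "%s: no posixAccount objectClass\n", dn; bad++ }
        if (("uidNumber" in attr) && attr["uidNumber"] + 0 < 1000) {
            printf "%s: uidNumber %s is in the system range\n", dn, attr["uidNumber"]; bad++ }
        if (("gidNumber" in attr) && attr["gidNumber"] + 0 < 1000) {
            printf "%s: gidNumber %s is in the system range\n", dn, attr["gidNumber"]; bad++ }
        if (!("userPassword" in attr)) { printf "%s: no userPassword\n", dn; bad++ }
        else if (attr["userPassword"] !~ /^[{](SSHA|SSHA256|SSHA512|SHA|CRYPT|ARGON2|PBKDF2)[}]/) {
            printf "%s: userPassword is not a hash (would be stored in cleartext)\n", dn; bad++ }
        delete attr; delete oc; dn = ""
    }
    /^[ \t]*$/ { check(); next }          # blank line ends an entry
    /^#/ { next }                         # LDIF comment
    {
        name = $0; sub(/:.*$/, "", name)  # attribute name before the first colon
        value = $0; sub(/^[^:]*:[ \t]*/, "", value)
        if (name == "dn") dn = value
        else if (name == "objectClass") oc[value] = 1
        else attr[name] = value
    }
    END { check(); exit bad > 0 }
    ' "${1:--}"
}

# Constructed sample that passes (hash value is a placeholder).
sample_good() {
cat <<'EOF'
dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: John Doe
sn: Doe
uid: jdoe
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/jdoe
loginShell: /bin/bash
userPassword: {SSHA}placeholderhashvalue
EOF
}

# Constructed sample with three problems: missing attributes, system-range uid, cleartext password.
sample_bad() {
cat <<'EOF'
dn: uid=bad,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
cn: Bad Example
sn: Example
uid: bad
uidNumber: 500
gidNumber: 10001
userPassword: cleartextpassword
EOF
}

# Usage: lint_user_ldif /tmp/users.ldif && ldapadd -x -D "cn=admin,dc=example,dc=com" -W -f /tmp/users.ldif
```

The exit status is non-zero when any entry fails, so the lint can gate ldapadd in a script. It does not decode base64 ("attribute::") values; keep userPassword in the plain form shown in the tutorial if you rely on it.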

Step 5 — Enable TLS for LDAP

Copy your TLS certificate, key, and CA certificate to a location readable by the ldap user (the private key should be readable by that user only), then configure OpenLDAP to use them via an OLC LDIF:

cp /etc/pki/tls/certs/ldap.crt /etc/openldap/certs/
cp /etc/pki/tls/private/ldap.key /etc/openldap/certs/
cp /etc/pki/ca-trust/source/anchors/myca.crt /etc/openldap/certs/
chown -R ldap:ldap /etc/openldap/certs/
chmod 600 /etc/openldap/certs/ldap.key
# Restore the SELinux context so slapd is allowed to read the copied files
restorecon -Rv /etc/openldap/certs/

cat > /tmp/olc_tls.ldif << 'EOF'
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/openldap/certs/myca.crt
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/ldap.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/ldap.key
EOF

ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/olc_tls.ldif
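If the key does not match the certificate, or the certificate does not chain to the CA file, the ldapmodify above can succeed while StartTLS later fails with an opaque error. The checker below is an added example, not part of this tutorial or of OpenLDAP; it verifies the three files with the openssl command line before they are referenced from cn=config: private-key permissions, key/certificate correspondence, chain validation against the CA file and, optionally, that the certificate is valid for the server's FQDN. The paths in the usage comment are the tutorial's; the FQDN check relies on openssl x509 -checkhost.

```shell
#!/bin/sh
# Added example: validate the files for olcTLSCACertificateFile,
# olcTLSCertificateFile and olcTLSCertificateKeyFile before slapd uses them.
# Assumes the openssl CLI. Usage: check_tls_files CA CERT KEY [FQDN]
check_tls_files() {
    ca=$1 cert=$2 key=$3 fqdn=$4 rc=0
    for f in "$ca" "$cert" "$key"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f"; return 2; }
    done

    # Columns 5-10 of ls -l are the group/other permission bits; a private key should show ------
    case $(ls -ld "$key" | cut -c5-10) in
        ------) ;;
        *) echo "private key $key is readable by group/other"; rc=1 ;;
    esac

    # The public key inside the certificate must equal the public half of the key file.
    if [ "$(openssl x509 -in "$cert" -noout -pubkey)" != "$(openssl pkey -in "$key" -pubout)" ]; then
        echo "private key does not match certificate"; rc=1
    fi

    # The certificate must chain to the CA file clients will be told to trust.
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "certificate does not verify against $ca"; rc=1
    fi

    # Optional: the name clients connect to must be covered by the certificate.
    if [ -n "$fqdn" ] && ! openssl x509 -in "$cert" -noout -checkhost "$fqdn" | grep -q 'does match'; then
        echo "certificate is not valid for host $fqdn"; rc=1
    fi
    return $rc
}

# Usage with the tutorial's paths:
#   check_tls_files /etc/openldap/certs/myca.crt /etc/openldap/certs/ldap.crt \
#                   /etc/openldap/certs/ldap.key ldap.example.com && echo "TLS files OK"
```

Run it as the ldap user (for example via runuser) to also confirm that the chown above actually made the files readable to slapd.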

Copy myca.crt to each client, then edit /etc/openldap/ldap.conf on the clients to trust the CA and point to the server (the ldap:// URI is upgraded with StartTLS; ldapsearch's -ZZ option forces it and fails if the server cannot negotiate TLS):

TLS_CACERT /etc/openldap/certs/myca.crt
URI ldap://ldap.example.com
BASE dc=example,dc=com

Step 6 — Configure SSSD for LDAP Client Authentication

SSSD provides system authentication against the LDAP directory. Create a minimal /etc/sssd/sssd.conf on the client:

cat > /etc/sssd/sssd.conf << 'EOF'
[sssd]
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com
ldap_tls_cacert = /etc/openldap/certs/myca.crt
EOF

chmod 600 /etc/sssd/sssd.conf
systemctl enable --now sssd
authselect select sssd with-mkhomedir --force

Test that the client can resolve the LDAP user:

id jdoe

Conclusion

You have installed and configured OpenLDAP on RHEL 9 with an OLC-managed backend, populated the directory with an organisational structure and a test user, enabled TLS encryption, and configured SSSD on a client to authenticate against the directory. This forms the foundation for centralised identity management across your Linux infrastructure.

Next steps: How to Configure Kerberos Authentication on RHEL 9, How to Install and Configure FreeIPA on RHEL 9, and How to Integrate LDAP with Nginx Basic Authentication on RHEL 9.