LDAP (Lightweight Directory Access Protocol) is the industry-standard protocol for centralised identity management, used to store and query user accounts, groups, and organisational data. OpenLDAP is the most widely deployed open-source LDAP server. Note that RHEL 8's base repositories ship only the OpenLDAP client libraries and tools: Red Hat replaced the server with 389 Directory Server, so the openldap-servers package has to come from an additional repository such as EPEL (or from Symas). Rather than a single slapd.conf file, modern OpenLDAP uses the on-line configuration (OLC) backend: every setting is an LDIF-backed entry under cn=config, stored on disk in /etc/openldap/slapd.d/, and is changed at runtime with ldapmodify rather than by editing files. This tutorial covers installation, initialisation, adding your base directory information, creating users and groups, and querying the directory with ldapsearch.
Prerequisites
- RHEL 8 server with a static IP and a resolvable hostname (e.g. ldap.example.com)
- Root or sudo access
- Port 389 (LDAP) open in firewalld; port 636 for LDAPS. Simple binds on 389 carry passwords in clear text, so keep it restricted to trusted networks until TLS is configured.
- Basic understanding of LDAP naming conventions (DN, DC, OU, CN)
Step 1 — Install OpenLDAP Packages
Install the server daemon and the client utilities. The openldap-servers package provides slapd and its administrative tools (slappasswd, slapcat, slaptest); openldap-clients provides ldapadd, ldapmodify, ldapsearch, and related commands. Enable EPEL (or the Symas repository) first, because openldap-servers is not in the RHEL 8 base channels.
# Install server and client packages
dnf install -y openldap-servers openldap-clients
# Copy the sample DB config into place. DB_CONFIG is only read by the BDB/HDB
# backend; if your package defaults to the MDB backend the example file may not
# exist, and this step can be skipped.
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
# Set correct ownership
chown ldap:ldap /var/lib/ldap/DB_CONFIG
# Enable and start slapd
systemctl enable --now slapd
# Confirm it is listening on port 389
ss -tlnp | grep -w 389
Step 2 — Generate a Root Password
Use slappasswd to create a hashed password for the LDAP administrator (root DN). Copy the output; you will need it in the next steps. Let slappasswd prompt for the password rather than passing it with -s: a password given on the command line is recorded in your shell history and is visible to every local user in the process list while the command runs.
# Generate an SSHA-hashed password (you will be prompted to enter it twice)
slappasswd
# Example output:
# {SSHA}5en0GmHreGnKQsGVkqYHQsmoAfhYIxCp
# To keep it in a variable for later LDIF files, capture the interactive run;
# the prompt still goes to the terminal, only the hash is captured.
LDAP_HASH=$(slappasswd)
Step 3 — Set the cn=config Root Password and Load Schemas
OLC configuration is modified by applying LDIF files with ldapmodify -Y EXTERNAL over the local UNIX socket (ldapi:///) as root; SASL EXTERNAL maps root's UID to an identity that is allowed to manage cn=config. The change below sets a password on the configuration database itself (olcDatabase={0}config), so cn=config can later be administered with a simple bind as cn=config. It does not set the password of your directory's admin account; that is done on the data database in Step 4. If olcRootPW already exists on {0}config, use replace: instead of add:, otherwise ldapmodify will fail.
# Create the OLC modification LDIF
cat > /tmp/chrootpw.ldif << 'EOF'
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}REPLACE_WITH_YOUR_HASH
EOF
# Apply it
ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/chrootpw.ldif
# Load the standard schemas: cosine first, because nis and inetorgperson both depend on it
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
Step 4 — Set the Database Suffix and Root DN, then Add the Base Entry
The password set in Step 3 only protects cn=config. The directory database needs its own suffix (your domain), a root DN (the admin account) and a password hash, and these live on the database entry under cn=config, normally olcDatabase={2}mdb,cn=config (older packages ship {2}hdb; confirm with ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config -LLL "(olcDatabase=*)" dn). Replace example and com with your actual domain components. Without this change the ldapadd at the end of this step has no DN to bind as.
# Create the database configuration LDIF (replace: also works when the attribute is not yet set)
cat > /tmp/chdomain.ldif << 'EOF'
dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=example,dc=com
-
replace: olcRootDN
olcRootDN: cn=admin,dc=example,dc=com
-
replace: olcRootPW
olcRootPW: {SSHA}REPLACE_WITH_YOUR_HASH
EOF
ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/chdomain.ldif
# Create the base entry and the admin entry (LDIF entries are separated by a blank line)
cat > /tmp/basedomain.ldif << 'EOF'
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: Example Organisation
dc: example

dn: cn=admin,dc=example,dc=com
objectClass: organizationalRole
cn: admin
description: LDAP Manager
EOF
# Bind as the root DN configured above; -W prompts for the clear-text password matching the hash
ldapadd -x -D "cn=admin,dc=example,dc=com" -W -f /tmp/basedomain.ldif
Step 5 — Add Organisational Units, Users, and Groups
Structure the directory by creating OUs for People and Groups, then populate them with entries.
# Create OUs and a sample user and group (LDIF entries are separated by a blank line)
cat > /tmp/people.ldif << 'EOF'
dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Groups,dc=example,dc=com
objectClass: organizationalUnit
ou: Groups

dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: jdoe
cn: John Doe
sn: Doe
loginShell: /bin/bash
homeDirectory: /home/jdoe
uidNumber: 10001
gidNumber: 10001
# Generate this hash with slappasswd; never paste a clear-text password here
userPassword: {SSHA}REPLACE_WITH_USER_HASH

dn: cn=devteam,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: devteam
gidNumber: 10001
memberUid: jdoe
EOF
ldapadd -x -D "cn=admin,dc=example,dc=com" -W -f /tmp/people.ldif
Step 6 — Query the Directory and Open the Firewall Port
Use ldapsearch to verify the entries were added correctly, then open the LDAP port in firewalld. The first search binds as the admin DN; the other two are anonymous and succeed only because the stock olcAccess rules grant anonymous read. Before exposing the server, add an olcAccess rule that denies reading userPassword to everyone except the entry itself (keeping "by anonymous auth" so binds still work); otherwise any client can harvest every password hash in the directory with the same anonymous search.
# Search all entries under the base DN
ldapsearch -x -b "dc=example,dc=com" -D "cn=admin,dc=example,dc=com" -W
# Search for a specific user
ldapsearch -x -b "ou=People,dc=example,dc=com" "(uid=jdoe)"
# Search all group members
ldapsearch -x -b "ou=Groups,dc=example,dc=com" "(objectClass=posixGroup)"
# Open the LDAP ports in firewalld. The ldaps service is only useful once TLS is
# configured (see next steps); until then, prefer a zone or rich rule that limits
# the source to your client subnet rather than opening 389 to every network.
firewall-cmd --permanent --add-service=ldap
firewall-cmd --permanent --add-service=ldaps
firewall-cmd --reload
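The Step 4 change, a password-protecting olcAccess rule and a verification search, collected into one script. This is an added example and is not code from the tutorial or from the OpenLDAP project. It derives the base DN from a domain name, emits the same OLC modification as chdomain.ldif, replaces the database's olcAccess with a rule that keeps userPassword and shadowLastChange usable for binds but unreadable by anyone except the owner (the root DN bypasses ACLs anyway), and parses an anonymous ldapsearch to confirm no hash comes back. The database name olcDatabase={2}mdb, the script name ldap-setup.sh, the function names and the sample search output are assumptions and constructed inputs; the ldapmodify and ldapsearch invocations are the ones used in the steps above.

```shell
#!/usr/bin/env bash
# Added example, not part of the original tutorial: build the Step 4 OLC change
# from a bare domain name, add an ACL that hides password hashes, and check
# that an anonymous search no longer returns them. Assumption: the data
# database is olcDatabase={2}mdb (older packages ship {2}hdb); confirm with
#   ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config -LLL '(olcDatabase=*)' dn
set -eu
OLC_DB='olcDatabase={2}mdb,cn=config'

# "example.com" -> "dc=example,dc=com" (one dc= component per DNS label).
domain_to_dn() {
    local IFS=. out="" part
    for part in $1; do
        out="${out:+$out,}dc=$part"
    done
    printf '%s\n' "$out"
}

# Accept only slappasswd output, so a clear-text password is never written
# into olcRootPW by mistake.
is_hashed() {
    case $1 in
        '{SSHA}'*|'{SHA}'*|'{SMD5}'*|'{MD5}'*|'{CRYPT}'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Step 4 configuration LDIF: suffix, root DN and root password on the data
# database. "replace" works whether or not the attribute is already set.
olc_domain_ldif() {
    local base_dn="$1" hash="$2"
    cat <<EOF
dn: $OLC_DB
changetype: modify
replace: olcSuffix
olcSuffix: $base_dn
-
replace: olcRootDN
olcRootDN: cn=admin,$base_dn
-
replace: olcRootPW
olcRootPW: $hash
EOF
}

# ACL: password attributes may be used to bind ("auth") and changed by their
# owner, but are never readable by others; everything else stays world-readable
# so the anonymous ldapsearch in Step 6 keeps working. The root DN bypasses
# ACLs and needs no clause. A leading space continues the previous LDIF line.
olc_acl_ldif() {
    cat <<EOF
dn: $OLC_DB
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by self write
  by anonymous auth
  by * none
olcAccess: {1}to * by * read
EOF
}

# Read "ldapsearch -LLL" output on stdin and print the DN of each entry that
# came back with a userPassword value (ldapsearch base64-encodes it as "::").
leaked_password_dns() {
    awk '/^dn: / { dn = substr($0, 5) }
         /^userPassword:/ { print dn }'
}

# Constructed sample of what an unprotected server returns to an anonymous
# search; the value is the base64 of the literal "{SSHA}...", not a real hash.
SAMPLE_SEARCH='dn: uid=jdoe,ou=People,dc=example,dc=com
uid: jdoe
userPassword:: e1NTSEF9Li4u

dn: uid=asmith,ou=People,dc=example,dc=com
uid: asmith
'

# Anonymous search for every posixAccount, asking only for userPassword.
check_anon() {
    local leaked
    leaked=$(ldapsearch -x -LLL -b "$1" '(objectClass=posixAccount)' userPassword | leaked_password_dns)
    [ -z "$leaked" ] || { echo "password hashes readable anonymously: $leaked" >&2; return 1; }
    echo "no userPassword values returned to an anonymous search under $1"
}

apply_all() {
    local base_dn
    is_hashed "$2" || { echo "refusing: run the password through slappasswd first" >&2; return 1; }
    base_dn=$(domain_to_dn "$1")
    olc_domain_ldif "$base_dn" "$2" | ldapmodify -Y EXTERNAL -H ldapi:///
    olc_acl_ldif | ldapmodify -Y EXTERNAL -H ldapi:///
    check_anon "$base_dn"
}

# Usage: ./ldap-setup.sh apply example.com "$(slappasswd)"   (in place of chdomain.ldif)
#        ./ldap-setup.sh check example.com                   (again after Step 5 adds users)
case "${1:-}" in
    apply) apply_all "$2" "$3" ;;
    check) check_anon "$(domain_to_dn "$2")" ;;
esac
```

Run `apply` where Step 4 applies chdomain.ldif (it takes the hash from Step 2 on its command line, so pass the interactive `$(slappasswd)` rather than a literal), then add the base entry and the Step 5 users as before, and finish with `check`: the anonymous searches of Step 6 should still list entries but never return a userPassword line. The functions that build LDIF and parse search output are plain text processing and can be exercised without a running slapd.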
Conclusion
You have installed OpenLDAP on RHEL 8, configured the OLC backend with your domain and admin credentials, built a structured directory with organisational units, and populated it with a user and group. The ldapsearch utility confirms the entries are queryable. Your LDAP server is now ready to serve as a centralised identity provider for Linux clients, web applications, and other services that support LDAP authentication; add TLS (see next steps) before clients bind to it across the network, since simple binds otherwise carry passwords in clear text.
Next steps: How to Secure OpenLDAP with TLS on RHEL 8, How to Configure PAM and NSS for LDAP Authentication on RHEL 8, and How to Set Up LDAP Replication with Provider-Consumer on RHEL 8.