OpenLDAP step by step how-to

14 April 2014

I need an authentication system with broad compatibility and many extended features (such as biometric devices). The candidates were AD, IPA and OpenLDAP. AD comes from MS and is too "heavy" for a not-very-large system. IPA and OpenLDAP are almost the same, but I prefer the latter, since it is compatible with oVirt (this is also why I chose CentOS rather than Debian).

The simplest OpenLDAP server

A basic LDAP server without any security or additional features.

OpenLDAP with SASL

Add SASL to our LDAP server.


To add Windows PCs to our domain.

OpenLDAP with Kerberos

This is what we want finally.

1. The simplest OpenLDAP server

There are two ways to set up the server: with the 389-ds setup script, or by configuring it manually. Note that 389-ds (389 Directory Server) is a separate LDAP server implementation, not OpenLDAP itself; both implement LDAPv3, so the same clients work against either.

1.1 Using 389-ds script

Here’s the original article.


Before running the setup script, the following system configuration files need to be modified.
Add the following:

Add the following:

Add the following:

Add the following:

Then reboot the machine so that the settings above take effect.

Set up 389-ds

Then you will be asked some questions like these (sorry for the highlighting):

Then make these two services start on boot.

With the 389-ds scripts you can also use 389-console; please refer to the link above.

1.2 Manual configuration

Here’s the original article.

Install the packages

Change the configuration

Delete olcAllows: bind_v2 if you want to accept only LDAPv3 binds (LDAPv2 is obsolete and only needed for legacy clients).
Change olcIdleTimeout from 0 to 30 if you want the server to close connections that have been idle for more than 30 seconds.

Before the next step, run the following command to generate a SHA password hash. Note that this is a hash, not an "encrypted" password: the directory stores only the digest and compares bind passwords against it, so the original value cannot be recovered from it.

Then copy the output to your clipboard; it goes into olcRootPW in the next step.

Modify olcSuffix, olcRootDN and olcRootPW to this:

Start the service

Add the root DN and groups

Import the LDIF:

Create a user

Add the following content to user.ldif

Set a password:

Add or delete a member of the group (myteam)
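The manual steps above (hash the root password, set olcSuffix/olcRootDN/olcRootPW, add the base entries, create a user with a password, add or remove a group member) all come down to producing LDIF text and a correctly formatted password hash. The following script is an added example, not code from the original article: it builds that LDIF and computes the {SSHA} hash the same way slappasswd does, but it never talks to slapd itself; you feed its output to ldapmodify/ldapadd. The suffix dc=example,dc=com, the rootdn cn=Manager, the ou=People and ou=Group containers, the group myteam, the user jdoe and the config entry olcDatabase={2}hdb,cn=config are all placeholders I chose, not values from the article; check which olcDatabase entry your system has with ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcDatabase before using it.

```python
"""Added example for the manual OpenLDAP setup; not from the original post.
Builds the LDIF for ldapmodify/ldapadd and hashes passwords like slappasswd.
All names below (suffix, rootdn, containers, group, config DN) are assumed."""
import base64
import hashlib
import hmac
import os

SUFFIX = "dc=example,dc=com"                  # assumed suffix
ROOT_DN = "cn=Manager," + SUFFIX              # assumed rootdn
DB_DN = "olcDatabase={2}hdb,cn=config"        # assumed; verify with ldapsearch


def ssha_hash(password, salt=None):
    """{SSHA} as slappasswd emits it: base64(sha1(password + salt) + salt).
    A salted hash, not encryption: it can be checked but never reversed."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored, password):
    """What slapd does on a simple bind: re-hash with the stored salt and compare."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    blob = base64.b64decode(stored[6:])
    digest, salt = blob[:20], blob[20:]       # SHA-1 digest is 20 bytes, rest is salt
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, candidate)


def ldif_line(attr, value):
    """One 'attr: value' line.  Values LDIF cannot carry literally (non-ASCII,
    embedded CR/LF, or starting with space, ':' or '<') are emitted base64 as
    'attr:: ...'; otherwise a cn such as 'Ænes' breaks ldapadd."""
    literal = (value.isascii() and "\n" not in value and "\r" not in value
               and not value.startswith((" ", ":", "<")))
    if literal:
        return f"{attr}: {value}\n"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}\n"


def entry(dn, **attrs):
    """Render one LDIF entry; list values become repeated attribute lines."""
    out = ldif_line("dn", dn)
    for attr, vals in attrs.items():
        for v in (vals if isinstance(vals, list) else [vals]):
            out += ldif_line(attr, v)
    return out + "\n"


def config_ldif(root_pw_hash, db_dn=DB_DN):
    """For ldapmodify -Y EXTERNAL -H ldapi:///: set suffix, rootdn and rootpw.
    The ssha_hash() output goes into olcRootPW, never the cleartext."""
    return (ldif_line("dn", db_dn) + "changetype: modify\n"
            + "replace: olcSuffix\n" + ldif_line("olcSuffix", SUFFIX) + "-\n"
            + "replace: olcRootDN\n" + ldif_line("olcRootDN", ROOT_DN) + "-\n"
            + "replace: olcRootPW\n" + ldif_line("olcRootPW", root_pw_hash) + "\n")


def base_ldif():
    """Root entry, Manager, the People/Group containers and the myteam posixGroup."""
    dc = SUFFIX.split(",")[0].split("=", 1)[1]
    return (entry(SUFFIX, objectClass=["dcObject", "organization"], dc=dc, o="Example Org")
            + entry(ROOT_DN, objectClass="organizationalRole", cn="Manager")
            + entry(f"ou=People,{SUFFIX}", objectClass="organizationalUnit", ou="People")
            + entry(f"ou=Group,{SUFFIX}", objectClass="organizationalUnit", ou="Group")
            + entry(f"cn=myteam,ou=Group,{SUFFIX}", objectClass="posixGroup",
                    cn="myteam", gidNumber="10000"))


def user_ldif(uid, cn, sn, uid_number, gid_number, password):
    """A posixAccount/inetOrgPerson entry whose userPassword is already hashed,
    so the cleartext is never written into the LDIF file."""
    return entry(f"uid={uid},ou=People,{SUFFIX}",
                 objectClass=["inetOrgPerson", "posixAccount", "shadowAccount"],
                 uid=uid, cn=cn, sn=sn, uidNumber=str(uid_number),
                 gidNumber=str(gid_number), homeDirectory=f"/home/{uid}",
                 loginShell="/bin/bash", userPassword=ssha_hash(password))


def group_member_ldif(group, uid, add=True):
    """changetype: modify that adds or deletes one memberUid on a posixGroup."""
    op = "add" if add else "delete"
    return (ldif_line("dn", f"cn={group},ou=Group,{SUFFIX}") + "changetype: modify\n"
            + f"{op}: memberUid\n" + ldif_line("memberUid", uid) + "\n")


if __name__ == "__main__":
    root_hash = ssha_hash("change-me")       # constructed demo password
    print(config_ldif(root_hash))            # -> ldapmodify -Y EXTERNAL -H ldapi:///
    print(base_ldif())                       # -> ldapadd -x -D cn=Manager,... -W
    print(user_ldif("jdoe", "Jane Doe", "Doe", 10001, 10000, "s3cret"))
    print(group_member_ldif("myteam", "jdoe"))
```

Run it, pipe the first block into ldapmodify -Y EXTERNAL -H ldapi:/// and the rest into ldapadd -x -D "cn=Manager,dc=example,dc=com" -W, adjusting the placeholders first. The point of ssha_verify is to show what the hash actually protects: slapd re-hashes the bind password with the stored salt, so a leaked olcRootPW or userPassword value can only be brute-forced, not decrypted, which is also why a weak root password is still a weak root password.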




Here’s the original article.


Follow this script.

Note that the private key password used in the script is "mypassword". That is a placeholder anyone who has read the script knows, so change it before generating a CA or server key you intend to keep.
You will then get three files: cacert.p12, cacert.pem and servercert.p12.
And that's all.

2. Add SASL to OpenLDAP

OK, now we will add SASL to our LDAP connections.

Install the cyrus-sasl package.