Configure OpenLDAP Server on Ubuntu 24.04 / 22.04

OpenLDAP is the go-to open source LDAP server when you need centralized authentication without the overhead of FreeIPA or Active Directory. If all you need is a lightweight directory for user accounts, groups, and SSH key distribution across a handful of Linux servers, OpenLDAP does the job with minimal resources. For larger environments with Kerberos, DNS, and certificate management baked in, FreeIPA or AD are better fits.

Original content from computingforgeeks.com - post 4316

This guide walks through a complete OpenLDAP installation on Ubuntu 24.04 LTS (also covers 22.04), from package installation and debconf pre-seeding to adding organizational units, users, and groups. By the end you’ll have a functional LDAP directory ready for client authentication or integration with web applications.

Tested March 2026 on Ubuntu 24.04.4 LTS with OpenLDAP (slapd) 2.6.10

Prerequisites

You’ll need the following before starting:

  • Ubuntu 24.04 or 22.04 LTS server with root or sudo access
  • A static IP address configured on the server
  • A fully qualified domain name (FQDN) for the server, e.g. ldap.example.com

Set the Hostname

OpenLDAP uses the system hostname to derive the base DN during installation. Set it correctly before installing slapd to avoid reconfiguration headaches.

sudo hostnamectl set-hostname ldap.example.com

Update /etc/hosts so the FQDN resolves locally. Replace 192.168.1.50 with your server’s actual IP:

sudo vi /etc/hosts

Add this line (adjust the IP and domain to match your environment):

192.168.1.50   ldap.example.com   ldap

Confirm the hostname resolves correctly:

hostname -f

The output should show your FQDN:

ldap.example.com

Install OpenLDAP Server

The slapd package is OpenLDAP’s standalone daemon, and ldap-utils provides the command-line tools (ldapsearch, ldapadd, ldapmodify, etc.) you’ll use to manage the directory. Pre-seed the debconf database before installation to skip the interactive prompts.

Set the debconf values for slapd. Replace your_admin_password with a strong password:

sudo debconf-set-selections <<< "slapd slapd/internal/adminpw password your_admin_password"
sudo debconf-set-selections <<< "slapd slapd/password1 password your_admin_password"
sudo debconf-set-selections <<< "slapd slapd/password2 password your_admin_password"
sudo debconf-set-selections <<< "slapd slapd/domain string example.com"
sudo debconf-set-selections <<< "slapd shared/organization string Example Inc"

Now install the packages:

sudo apt update
sudo apt install -y slapd ldap-utils

Here’s the part that catches most people: even with debconf pre-seeding, the initial slapd installation on Ubuntu 24.04 may default the base DN to your hostname instead of dc=example,dc=com. Run dpkg-reconfigure in noninteractive mode to apply the debconf values properly:

sudo dpkg-reconfigure -f noninteractive slapd

This reconfigures slapd with your pre-seeded domain (example.com) and organization name. Without this step, the directory tree won’t match what you expect.

Enable slapd at boot and confirm it is running:

sudo systemctl enable --now slapd
sudo systemctl status slapd

The service should show active (running). OpenLDAP listens on port 389 (LDAP) and 636 (LDAPS) by default.

Allow LDAP traffic through the firewall if UFW is enabled:

sudo ufw allow 389/tcp
sudo ufw allow 636/tcp

Verify the Installation

Use slapcat to dump the current directory contents. This reads directly from the backend database, so it works even if the LDAP service has issues.

sudo slapcat

You should see the base entry with your configured domain:

dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: Example Inc
dc: example
structuralObjectClass: organization
entryUUID: 1163281c-bdee-1040-8bcd-07145e28c9a0
creatorsName: cn=admin,dc=example,dc=com
createTimestamp: 20260327060057Z

If the dn line shows something like dc=ldap,dc=example,dc=com instead of dc=example,dc=com, the debconf domain wasn’t applied. Go back and run the dpkg-reconfigure step.

Add Base Organizational Units

A clean LDAP directory needs organizational units (OUs) to hold users and groups. Create an LDIF file with the two base OUs:

sudo vi /tmp/basedn.ldif

Add the following content:

dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=example,dc=com
objectClass: organizationalUnit
ou: groups

Import the LDIF file using ldapadd. The -D flag specifies the bind DN (the admin account), and -w provides the password. Replace password with the admin password you set during installation:

ldapadd -x -D "cn=admin,dc=example,dc=com" -w password -f /tmp/basedn.ldif

Both entries should be added successfully:

adding new entry "ou=people,dc=example,dc=com"
adding new entry "ou=groups,dc=example,dc=com"

For production use, you can use -W (uppercase) instead of -w password to be prompted for the admin password (the one you pre-seeded for cn=admin) interactively, which avoids leaving credentials in shell history.

Add a User Account

LDAP user accounts use the posixAccount object class, which provides the UID, GID, home directory, and shell attributes that Linux systems expect for authentication.

First, generate a hashed password for the new user. The slappasswd utility creates an SSHA hash:

slappasswd

You’ll be prompted to enter and confirm the password. The output is a hash like this (yours will differ since each hash includes a unique salt):

{SSHA}W3ipFKHeFr6bR7a0r1WgOJlhbkRbMQPl

Copy the hash output. Now create the user LDIF file:

sudo vi /tmp/user.ldif

Paste the following, replacing the userPassword value with the hash you generated:

dn: uid=jdoe,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: John Doe
sn: Doe
uid: jdoe
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/jdoe
loginShell: /bin/bash
userPassword: {SSHA}W3ipFKHeFr6bR7a0r1WgOJlhbkRbMQPl

A few things to note: uidNumber and gidNumber should start at 10000 or higher to avoid conflicts with local system accounts. The inetOrgPerson class provides the cn (common name) and sn (surname) attributes, while posixAccount provides the POSIX attributes Linux needs.

Import the user:

ldapadd -x -D "cn=admin,dc=example,dc=com" -w password -f /tmp/user.ldif

The entry should be added without errors:

adding new entry "uid=jdoe,ou=people,dc=example,dc=com"
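The three steps above (hash the password, write the LDIF, import it) as one script. This is an added example, not code from the original article: it builds the same posixAccount entry while enforcing the two cautions the section raises (uidNumber and gidNumber of 10000 or higher, a slappasswd hash rather than a cleartext value), keeps the LDIF in a private temp file instead of a shared /tmp path, and uses -W so the admin password never appears on a command line. The base DN, the ou=people container and the accepted hash schemes ({SSHA}, slappasswd's default, and {CRYPT}) are assumptions taken from the article's own values.

```shell
#!/usr/bin/env bash
# Added example, not code from the original article. Builds the posixAccount
# LDIF from the section above, enforcing its two cautions (IDs >= 10000, a
# slappasswd hash rather than a cleartext password), and imports it without
# leaving the hash in a shared /tmp file or the admin password in shell history.
set -u

BASE_DN="dc=example,dc=com"        # the article's example suffix (assumption)
ADMIN_DN="cn=admin,${BASE_DN}"

# True when $1 is a non-empty string of digits.
is_uint() { case "$1" in ""|*[!0-9]*) return 1 ;; esac; }

# Print the user entry as LDIF on stdout, or fail with a reason on stderr.
# Arguments: uid "Full Name" surname uidNumber gidNumber password_hash
make_user_ldif() {
    local uid="$1" cn="$2" sn="$3" uidnum="$4" gidnum="$5" hash="$6"

    # The uid becomes part of the DN; keep it to characters that need no escaping.
    case "$uid" in ""|*[!A-Za-z0-9._-]*)
        echo "make_user_ldif: uid must match [A-Za-z0-9._-]" >&2; return 1 ;;
    esac
    # IDs below 10000 risk colliding with local accounts in /etc/passwd.
    if ! is_uint "$uidnum" || ! is_uint "$gidnum" \
       || [ "$uidnum" -lt 10000 ] || [ "$gidnum" -lt 10000 ]; then
        echo "make_user_ldif: uidNumber and gidNumber must be integers >= 10000" >&2
        return 1
    fi
    # Accept only hashed schemes slappasswd produces; {SSHA} is its default.
    case "$hash" in
        "{SSHA}"*|"{CRYPT}"*) ;;
        *) echo "make_user_ldif: userPassword must be a {SSHA} or {CRYPT} hash" >&2
           return 1 ;;
    esac

    printf '%s\n' \
        "dn: uid=${uid},ou=people,${BASE_DN}" \
        "objectClass: inetOrgPerson" \
        "objectClass: posixAccount" \
        "objectClass: shadowAccount" \
        "cn: ${cn}" \
        "sn: ${sn}" \
        "uid: ${uid}" \
        "uidNumber: ${uidnum}" \
        "gidNumber: ${gidnum}" \
        "homeDirectory: /home/${uid}" \
        "loginShell: /bin/bash" \
        "userPassword: ${hash}"
}

# Full procedure: slappasswd prompts on the terminal (the password never
# appears on a command line), the LDIF goes to a temp file that mktemp creates
# mode 0600, and ldapadd uses -W so the admin password is prompted for.
add_ldap_user() {
    local hash ldif rc
    hash="$(slappasswd)" || return 1
    ldif="$(mktemp)" || return 1
    if ! make_user_ldif "$1" "$2" "$3" "$4" "$5" "$hash" > "$ldif"; then
        rm -f "$ldif"; return 1
    fi
    ldapadd -x -D "$ADMIN_DN" -W -f "$ldif"; rc=$?
    rm -f "$ldif"
    return "$rc"
}

# Usage: bash add-user.sh --run jdoe "John Doe" Doe 10001 10001
# Nothing runs unless --run is given, so the file can also be sourced for its functions.
if [ "${1:-}" = "--run" ]; then
    shift
    add_ldap_user "$@"
fi
```

make_user_ldif refuses a bare password because slapd will happily store a cleartext userPassword if one is supplied; the check is what makes the "paste the hash" step in the text fail safe rather than fail silently.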

Add a Group

Groups in LDAP use the posixGroup object class, which maps directly to Linux groups. The memberUid attribute lists users who belong to the group.

sudo vi /tmp/group.ldif

Add the group definition:

dn: cn=developers,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: developers
gidNumber: 10001
memberUid: jdoe

Import it:

ldapadd -x -D "cn=admin,dc=example,dc=com" -w password -f /tmp/group.ldif

Confirm the group was created:

adding new entry "cn=developers,ou=groups,dc=example,dc=com"

Verify the Directory

With the base OUs, a user, and a group in place, run a few ldapsearch queries to confirm everything looks right.

Search for the user account:

ldapsearch -x -LLL -b "dc=example,dc=com" "(uid=jdoe)" cn uid uidNumber homeDirectory

The output should return the user’s attributes:

dn: uid=jdoe,ou=people,dc=example,dc=com
cn: John Doe
uid: jdoe
uidNumber: 10001
homeDirectory: /home/jdoe

Query the group:

ldapsearch -x -LLL -b "dc=example,dc=com" "(cn=developers)" cn memberUid

This confirms group membership:

dn: cn=developers,ou=groups,dc=example,dc=com
cn: developers
memberUid: jdoe

Test authentication by binding as the user with ldapwhoami:

ldapwhoami -x -D "uid=jdoe,ou=people,dc=example,dc=com" -w user_password

Replace user_password with the password you set for jdoe. A successful bind returns:

dn:uid=jdoe,ou=people,dc=example,dc=com

If this fails with ldap_bind: Invalid credentials (49), double-check that the password hash in the LDIF matches what slappasswd generated.

To see the full directory tree at a glance:

ldapsearch -x -LLL -b "dc=example,dc=com" dn

All five entries should appear:

dn: dc=example,dc=com
dn: ou=people,dc=example,dc=com
dn: ou=groups,dc=example,dc=com
dn: uid=jdoe,ou=people,dc=example,dc=com
dn: cn=developers,ou=groups,dc=example,dc=com
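The manual checks in this section can be scripted. The following is an added example, not code from the original article: two functions run over ldapsearch -x -LLL output, one that reports any expected DN missing from the tree listing, and one that confirms an anonymous (unbound) search returns no userPassword values, which is what Ubuntu's default slapd ACL guarantees and what a careless ACL change would undo. The sample outputs embedded below are constructed to match the article's five entries; on a live server the same functions take real ldapsearch output on stdin, as the comments in verify_directory show.

```shell
#!/usr/bin/env bash
# Added example, not code from the original article. Two checks over
# "ldapsearch -x -LLL" output: every expected DN is present, and an anonymous
# (unbound) search shows no userPassword values. The sample outputs below are
# constructed to match the article's directory.
set -u

BASE_DN="dc=example,dc=com"

# Read LDIF on stdin; print each DN from $1 (one per line) that is absent.
# Returns 1 if anything is missing. Base64 "dn::" lines are not decoded.
missing_dns() {
    local expected="$1" found dn rc=0
    found="$(sed -n 's/^dn: *//p')"
    while IFS= read -r dn; do
        [ -n "$dn" ] || continue
        if ! printf '%s\n' "$found" | grep -qxF -- "$dn"; then
            printf 'missing: %s\n' "$dn"
            rc=1
        fi
    done <<< "$expected"
    return "$rc"
}

# Read LDIF on stdin; succeed only if no userPassword attribute (plain or
# base64-encoded "userPassword::") is present. Run it on the output of an
# anonymous search: the default ACL hides hashes from everyone but the entry
# itself, and this check catches an ACL change that loosens that.
no_hashes_exposed() { ! grep -qi '^userPassword:'; }

EXPECTED_DNS="${BASE_DN}
ou=people,${BASE_DN}
ou=groups,${BASE_DN}
uid=jdoe,ou=people,${BASE_DN}
cn=developers,ou=groups,${BASE_DN}"

# Constructed sample of: ldapsearch -x -LLL -b "$BASE_DN" dn
SAMPLE_TREE="dn: ${BASE_DN}
dn: ou=people,${BASE_DN}
dn: ou=groups,${BASE_DN}
dn: uid=jdoe,ou=people,${BASE_DN}
dn: cn=developers,ou=groups,${BASE_DN}"

# Constructed sample of: ldapsearch -x -LLL -b "$BASE_DN" "(uid=jdoe)"
SAMPLE_USER="dn: uid=jdoe,ou=people,${BASE_DN}
objectClass: inetOrgPerson
cn: John Doe
uid: jdoe
uidNumber: 10001
homeDirectory: /home/jdoe"

verify_directory() {
    # Live equivalents of the two pipelines below:
    #   ldapsearch -x -LLL -b "$BASE_DN" dn | missing_dns "$EXPECTED_DNS"
    #   ldapsearch -x -LLL -b "$BASE_DN" "(uid=jdoe)" | no_hashes_exposed
    printf '%s\n' "$SAMPLE_TREE" | missing_dns "$EXPECTED_DNS" || return 1
    printf '%s\n' "$SAMPLE_USER" | no_hashes_exposed || return 1
    echo "directory tree complete; no password hashes visible to anonymous clients"
}
```

Both checks return a non-zero status on failure, so they drop straight into a post-install script or a monitoring job. If no_hashes_exposed ever fails against an anonymous search, treat it as an ACL regression on the server rather than a client problem.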

Manage LDAP with a Web Interface

Managing LDAP from the command line works, but gets tedious once you have dozens of users. LDAP Account Manager (LAM) provides a web-based interface for creating and managing users, groups, and organizational units without writing LDIF files. It’s particularly useful for delegating user management to team leads who aren’t comfortable with ldapadd and ldapmodify.

Configure LDAP Client Authentication

The server is ready, but client machines need configuration to authenticate against it. This involves installing libnss-ldapd and libpam-ldapd, then pointing them to your LDAP server’s base DN. See our guide on configuring Ubuntu as an LDAP client for the full walkthrough.

Secure OpenLDAP with TLS/SSL

The setup so far uses unencrypted LDAP on port 389, which means passwords travel in cleartext. For anything beyond a lab environment, you need TLS. This involves generating or obtaining certificates, configuring slapd to use them, and switching clients to LDAPS (port 636) or StartTLS. Our guide to securing OpenLDAP with TLS covers the full process including certificate creation and slapd configuration.
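For readers who want to see what "configuring slapd to use them" looks like on this kind of install, here is an added example that is not code from the original article or from its TLS guide. It assumes a CA certificate, a server certificate for ldap.example.com and its private key already exist at the placeholder paths under /etc/ldap/tls, that slapd runs as the openldap user (the Ubuntu package default), and that it is run as root on the server. It also adds the ldaps:// listener to /etc/default/slapd, which the Ubuntu package leaves off until you enable it, and ends with a client check that refuses to fall back to cleartext.

```shell
#!/usr/bin/env bash
# Added example, not code from the original article or its TLS guide. Enables
# TLS for slapd through cn=config. Assumptions: certificate files already exist
# at the placeholder paths below; slapd runs as user "openldap"; run as root.
set -u

TLS_DIR=/etc/ldap/tls                        # placeholder directory
CA_FILE="${TLS_DIR}/ca.pem"                  # placeholder
CERT_FILE="${TLS_DIR}/ldap.example.com.pem"  # placeholder
KEY_FILE="${TLS_DIR}/ldap.example.com.key"   # placeholder

# LDIF for the three TLS attributes on cn=config. They go in one modify
# operation: slapd checks that certificate and key belong together when the
# change is applied, so setting the key in a separate step is rejected.
tls_config_ldif() {
    printf '%s\n' \
        "dn: cn=config" \
        "changetype: modify" \
        "replace: olcTLSCACertificateFile" \
        "olcTLSCACertificateFile: $1" \
        "-" \
        "replace: olcTLSCertificateFile" \
        "olcTLSCertificateFile: $2" \
        "-" \
        "replace: olcTLSCertificateKeyFile" \
        "olcTLSCertificateKeyFile: $3"
}

enable_tls() {
    # The service user must read the key and traverse its directory; nobody
    # else gets the key. Certificates are public and can stay world-readable.
    chown root:openldap "$TLS_DIR" "$KEY_FILE" || return 1
    chmod 750 "$TLS_DIR" && chmod 640 "$KEY_FILE" || return 1
    chmod 644 "$CA_FILE" "$CERT_FILE" || return 1
    # SASL EXTERNAL over the Unix socket authenticates root to cn=config
    # without the admin password.
    tls_config_ldif "$CA_FILE" "$CERT_FILE" "$KEY_FILE" \
        | ldapmodify -Y EXTERNAL -H ldapi:/// -Q || return 1
    # The package ships SLAPD_SERVICES="ldap:/// ldapi:///"; add the 636 listener.
    sed -i 's|^SLAPD_SERVICES=.*|SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///"|' \
        /etc/default/slapd || return 1
    systemctl restart slapd
}

# From a client whose /etc/ldap/ldap.conf has TLS_CACERT pointing at the CA:
# -ZZ makes StartTLS mandatory, so a misconfigured server fails loudly instead
# of silently continuing in cleartext on 389. The second call exercises LDAPS.
check_tls() {
    ldapwhoami -x -H ldap://ldap.example.com -ZZ && \
        ldapwhoami -x -H ldaps://ldap.example.com
}
```

Once check_tls passes, point clients at ldaps:// or set them to require StartTLS; leaving plain ldap:// reachable from the network keeps the cleartext path open even though the encrypted one works.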

Ubuntu 22.04 Differences

Ubuntu 22.04 ships with OpenLDAP 2.5.x instead of 2.6.x, but the installation and configuration process is identical. The same debconf pre-seeding, dpkg-reconfigure workaround, LDIF files, and ldapsearch commands work without modification. The only practical difference is the slapd version number in package metadata. If you’re on 22.04, follow this guide as-is.

Going Further

With a working OpenLDAP directory in place, here are some next steps to consider:

  • Password policies – Load the ppolicy overlay to enforce password complexity, expiration, and lockout rules
  • Replication – Set up syncrepl between two slapd instances for high availability
  • SSH key storage – Store SSH public keys in LDAP and configure sshd with AuthorizedKeysCommand to fetch them at login
  • Access control – Fine-tune ACLs so users can change their own passwords but not read other users’ hashed credentials
  • Backup – Schedule slapcat exports via cron. The LDIF output is easy to restore with slapadd
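The access-control item deserves a concrete shape, so here is an added example that is not code from the original article. It shows how to read the current rule list from cn=config and how to set the password rule the bullet describes. It assumes the data database is olcDatabase={1}mdb (what Ubuntu's slapd creates for the first suffix; show_acl confirms it) and that it runs as root on the server. The rules it sets are to the same effect as the ones the Ubuntu package installs; the value of writing them out is seeing why they are ordered as they are and why replace: olcAccess must carry the whole list.

```shell
#!/usr/bin/env bash
# Added example, not code from the original article. Shows and sets the
# password ACL from the "Access control" item above. Assumptions: the data
# database is olcDatabase={1}mdb (show_acl confirms it); run as root.
set -u

DB_DN='olcDatabase={1}mdb,cn=config'

# Print the current ordered rule list. Rules are tried in order and the first
# "to" clause matching the attribute decides; later rules are never consulted.
show_acl() {
    ldapsearch -Y EXTERNAL -H ldapi:/// -Q -LLL -b "$DB_DN" -s base olcAccess
}

# "replace: olcAccess" rewrites the whole list, so every rule the directory
# needs appears here, not just the password one:
#  {0} a user may change their own password; anyone may present a password to
#      bind ("auth"), but nobody else can read the hash. The admin rootdn
#      bypasses ACLs, so it still manages passwords.
#  {1} shadowLastChange: writable by the user (updated on password change) and
#      readable so clients can evaluate password ageing.
#  {2} everything else stays world-readable, which the article's anonymous
#      ldapsearch commands rely on.
password_acl_ldif() {
    printf '%s\n' \
        "dn: $DB_DN" \
        "changetype: modify" \
        "replace: olcAccess" \
        "olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none" \
        "olcAccess: {1}to attrs=shadowLastChange by self write by * read" \
        "olcAccess: {2}to * by * read"
}

apply_password_acl() {
    password_acl_ldif | ldapmodify -Y EXTERNAL -H ldapi:/// -Q
}

# To require a bind before anything is readable, use this rule {2} instead;
# anonymous ldapsearch then returns nothing and clients must bind first:
#   olcAccess: {2}to * by users read by * none
```

The one rule that matters for the bullet is {0}: "by anonymous auth" is what lets a simple bind succeed without ever returning the hash, and "by * none" is what stops an authenticated user reading anyone else's. Run show_acl after apply_password_acl and confirm the list has exactly the three rules in this order.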

7 thoughts on “Configure OpenLDAP Server on Ubuntu 24.04 / 22.04”

  1. “$ ldapadd -x -D cn=admin,dc=example,dc=com -W -f basedn.ldif
    Enter LDAP Password:”

    Article does not state which password should be used.
    It is not the Admin password created above this step, nor is it the user password, nor is it the root password.

    Reply
  2. Sorry to say, but I am giving up on this Article and will find the info elsewhere.
    The lack of specificity and the ambiguity lead me to believe that this article is badly written and was not proofread before it was published.

    Reply
  3. Great tutorial.

    I want to have users authenticate against openLDAP, but at the same time I also want to integrate openLDAP with MS Active Directory as the database. Is this possible? If so,
    could you please provide me the step-by-step instructions on how to do this?

    Reply
