
This tutorial covers how to install OpenLDAP on CentOS 8. LDAP is a lightweight directory access protocol that is widely used for centralized authentication, so a single LDAP server can authenticate both users and services such as Postfix. It can be compared to Microsoft’s Active Directory. OpenLDAP is an open-source LDAP implementation that runs on Linux systems.

Install OpenLDAP on CentOS 8

In this guide, we shall build the latest source release of OpenLDAP as opposed to using the available version provided by PowerTools.

Follow the steps below to set up an OpenLDAP server on CentOS 8.

Update System

Run system updates and upgrade the packages.

sudo dnf update
sudo dnf upgrade -y

Install required software Packages

Install the required packages that will allow you to successfully build OpenLDAP.

sudo dnf install wget vim cyrus-sasl-devel libtool-ltdl-devel openssl-devel libdb-devel make libtool autoconf tar gcc perl perl-devel

Create LDAP system account

We need to create a non-privileged system user for OpenLDAP.

sudo useradd -r -M -d /var/lib/openldap -u 55 -s /usr/sbin/nologin ldap

Download OpenLDAP Source file

At the time of this tutorial, the latest version for OpenLDAP was 2.4.57.

Declare the version to your shell:

VER=2.4.57

Download the release tarball (openldap-$VER.tgz) from the OpenLDAP download page.
Extract the downloaded file:

tar xzf openldap-$VER.tgz

Install OpenLDAP

Move the extracted files to /opt/ then compile the source files.

sudo mv openldap-$VER /opt
cd /opt/openldap-$VER

Compile the source files

sudo ./configure --prefix=/usr --sysconfdir=/etc --disable-static \
--enable-debug --with-tls=openssl --with-cyrus-sasl --enable-dynamic \
--enable-crypt --enable-spasswd --enable-slapd --enable-modules \
--enable-rlookups --enable-backends=mod --disable-ndb --disable-sql \
--disable-shell --disable-bdb --disable-hdb --enable-overlays=mod

When configure completes successfully, the output ends with: Please run "make depend" to build dependencies

Run make depend to build the OpenLDAP dependencies.

sudo make depend

Then build OpenLDAP:

sudo make

Install OpenLDAP

sudo make install

A successful installation creates configuration files at /etc/openldap. The following files are available after installation:

certs  ldap.conf  ldap.conf.default  schema  slapd.conf  slapd.conf.default  slapd.ldif  slapd.ldif.default

Configuring OpenLDAP

Let’s proceed to configuring OpenLDAP.

First, create the OpenLDAP database directory and the dynamic configuration (slapd.d) directory.

sudo mkdir -p /var/lib/openldap /etc/openldap/slapd.d

Set the proper permissions on the OpenLDAP directories and configuration file:

sudo chown -R ldap:ldap /var/lib/openldap
sudo chown root:ldap /etc/openldap/slapd.conf
sudo chmod 640 /etc/openldap/slapd.conf

Create OpenLDAP SUDO schema

Check if your sudo version supports LDAP.

sudo -V |  grep -i "ldap"

You should see the lines below in the output if your system supports LDAP.

ldap.conf path: /etc/sudo-ldap.conf
ldap.secret path: /etc/ldap.secret

Confirm that the sudo LDAP schema is available on your system:

rpm -ql sudo |  grep -i schema.openldap

The output should list the schema file shipped with the sudo package, /usr/share/doc/sudo/schema.OpenLDAP.

Copy the schema to the ldap schema directory.

sudo cp /usr/share/doc/sudo/schema.OpenLDAP  /etc/openldap/schema/sudo.schema

Create the sudo schema LDIF file. Switch to root first, because the heredoc redirection below is performed by your shell, not by sudo:

sudo su -

Run the following to create the file:

cat << 'EOL' > /etc/openldap/schema/sudo.ldif
dn: cn=sudo,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: sudo
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may  run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 'Command(s) to be executed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs' DESC 'User(s) impersonated by sudo (deprecated)' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption' DESC 'Options(s) followed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.6 NAME 'sudoRunAsUser' DESC 'User(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.7 NAME 'sudoRunAsGroup' DESC 'Group(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcObjectClasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL DESC 'Sudoer Entries' MUST ( cn ) MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ sudoRunAsGroup $ sudoOption $ description ) )
EOL

Configure SLAPD database

Replace the content of /etc/openldap/slapd.ldif. Back up the installed copy first, then open a new file:

sudo mv /etc/openldap/slapd.ldif /etc/openldap/slapd.ldif.bak
sudo vi /etc/openldap/slapd.ldif

Paste the data below:

dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/lib/openldap/slapd.args
olcPidFile: /var/lib/openldap/slapd.pid

dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema

dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/libexec/openldap

include: file:///etc/openldap/schema/core.ldif
include: file:///etc/openldap/schema/cosine.ldif
include: file:///etc/openldap/schema/nis.ldif
include: file:///etc/openldap/schema/inetorgperson.ldif
include: file:///etc/openldap/schema/ppolicy.ldif
include: file:///etc/openldap/schema/sudo.ldif

dn: olcDatabase=frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: frontend
olcAccess: to dn.base="cn=Subschema" by * read
olcAccess: to * 
  by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage 
  by * none

dn: olcDatabase=config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: config
olcRootDN: cn=config
olcAccess: to * 
  by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage 
  by * none

Perform a dry run (-u) to check the configuration without writing anything:

sudo slapadd -n 0 -F /etc/openldap/slapd.d -l /etc/openldap/slapd.ldif -u

If the dry run passes, run the command again without -u to write the configuration:

sudo slapadd -n 0 -F /etc/openldap/slapd.d -l /etc/openldap/slapd.ldif

The above command creates slapd database configurations and puts them under /etc/openldap/slapd.d.

$ ls /etc/openldap/slapd.d
'cn=config'  'cn=config.ldif'

Set the correct ownership on the slapd configuration directory:

sudo chown -R ldap:ldap /etc/openldap/slapd.d

Create OpenLDAP Service

Create a systemd unit for slapd. slapd forks into the background by default, so the unit uses Type=forking together with the PID file set in slapd.ldif; the [Install] section is what lets systemctl enable work.

$ sudo vim /etc/systemd/system/slapd.service

[Unit]
Description=OpenLDAP Server Daemon
After=network-online.target

[Service]
Type=forking
PIDFile=/var/lib/openldap/slapd.pid
Environment="SLAPD_URLS=ldap:/// ldapi:/// ldaps:///"
Environment="SLAPD_OPTIONS=-F /etc/openldap/slapd.d"
ExecStart=/usr/libexec/slapd -u ldap -g ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS

[Install]
WantedBy=multi-user.target


Reload systemd so it picks up the new unit

sudo systemctl daemon-reload

Start slapd service

sudo systemctl enable --now slapd

Check status

$ systemctl status slapd

Configure OpenLDAP Default Root DN

Create the MDB database with its root DN and ACLs.

Generate root password:

$ sudo slappasswd

Copy the generated password hash to a text editor. It goes into the olcRootPW entry of the rootdn.ldif file, which you create next in your working directory:

vim rootdn.ldif

Add the content below replacing dc=ldapmaster,dc=computingforgeeks,dc=com with your domain information.

dn: olcDatabase=mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: mdb
olcDbMaxSize: 42949672960
olcDbDirectory: /var/lib/openldap
olcSuffix: dc=ldapmaster,dc=computingforgeeks,dc=com
olcRootDN: cn=admin,dc=ldapmaster,dc=computingforgeeks,dc=com
olcRootPW: {SSHA}0phayAb6bQA9rONibLb97O5B89KPeNlW
olcDbIndex: uid pres,eq
olcDbIndex: cn,sn pres,eq,approx,sub
olcDbIndex: mail pres,eq,sub
olcDbIndex: objectClass pres,eq
olcDbIndex: loginShell pres,eq
olcDbIndex: sudoUser,sudoHost pres,eq
olcAccess: to attrs=userPassword,shadowLastChange,shadowExpire
  by self write
  by anonymous auth
  by dn.subtree="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage 
  by dn.subtree="ou=system,dc=ldapmaster,dc=computingforgeeks,dc=com" read
  by * none
olcAccess: to dn.subtree="ou=system,dc=ldapmaster,dc=computingforgeeks,dc=com" by dn.subtree="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
  by * none
olcAccess: to dn.subtree="dc=ldapmaster,dc=computingforgeeks,dc=com" by dn.subtree="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
  by users read 
  by * none

Update the slapd database

sudo ldapadd -Y EXTERNAL -H ldapi:/// -f rootdn.ldif
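The order of the olcAccess lines above matters: slapd stops at the first "to" clause that matches the target, so the userPassword rule must come before the general "by users read" rule, or every authenticated user could read everyone's password hashes. The following added Python model (not from this guide, and a deliberate simplification of slapd's ACL engine) encodes the three rules above and shows the effect of misordering them; the bind DNs used to exercise it are constructed samples.

```python
"""Added example (not from the guide): simplified model of slapd olcAccess evaluation.
The first 'to' clause matching the target is the only one consulted; within it the
first matching 'by' clause decides, and no match means 'none'. Covers the MDB ACLs above only."""
from collections import namedtuple

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
BASE = "dc=ldapmaster,dc=computingforgeeks,dc=com"
SYSTEM = "ou=system," + BASE
ROOT = "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"  # ldapi:/// as root
PASSWORD_ATTRS = {"userPassword", "shadowLastChange", "shadowExpire"}

# bind_dn "" = anonymous client; attr "" = the entry itself rather than one attribute
Request = namedtuple("Request", "bind_dn target_dn attr", defaults=("",))

def in_subtree(dn, suffix):
    return dn == suffix or dn.endswith("," + suffix)

# <who> predicates for the 'by' clauses used on this page
is_self = lambda r: r.bind_dn != "" and r.bind_dn == r.target_dn
anonymous = lambda r: r.bind_dn == ""
users = lambda r: r.bind_dn != ""
anyone = lambda r: True
def dn_subtree(suffix):
    return lambda r: in_subtree(r.bind_dn, suffix)

# rootdn.ldif's three olcAccess rules, in the order they appear
ACL = [
    (lambda r: r.attr in PASSWORD_ATTRS,
     [(is_self, "write"), (anonymous, "auth"), (dn_subtree(ROOT), "manage"),
      (dn_subtree(SYSTEM), "read"), (anyone, "none")]),
    (lambda r: in_subtree(r.target_dn, SYSTEM),
     [(dn_subtree(ROOT), "manage"), (anyone, "none")]),
    (lambda r: in_subtree(r.target_dn, BASE),
     [(dn_subtree(ROOT), "manage"), (users, "read"), (anyone, "none")]),
]
# Same rules with the password rule moved last: the generic 'by users read' now
# matches first, so every authenticated user could read everyone's password hash.
MISORDERED = ACL[1:] + ACL[:1]

def access_level(acl, req):
    for target_matches, by_clauses in acl:
        if target_matches(req):
            for who_matches, level in by_clauses:
                if who_matches(req):
                    return level
            return "none"  # implicit trailing 'by * none'
    return "none"

def allows(acl, req, needed):
    return LEVELS.index(access_level(acl, req)) >= LEVELS.index(needed)
```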

Define your Organization structure

Create the basedn.ldif file to define your organization structure.

vim basedn.ldif

With info similar to below – update to suit your domain.

dn: dc=ldapmaster,dc=computingforgeeks,dc=com
objectClass: dcObject
objectClass: organization
objectClass: top
o: computingforgeeks
dc: ldapmaster

dn: ou=groups,dc=ldapmaster,dc=computingforgeeks,dc=com
objectClass: organizationalUnit
objectClass: top
ou: groups

dn: ou=people,dc=ldapmaster,dc=computingforgeeks,dc=com
objectClass: organizationalUnit
objectClass: top
ou: people

Update database:

sudo ldapadd -Y EXTERNAL -H ldapi:/// -f basedn.ldif

Configure SSL/TLS

You can secure client-server communication between OpenLDAP and the client systems by enabling TLS/SSL.

You could use a self-signed certificate or Let’s Encrypt for this. We shall be using a self-signed certificate in this guide.

$ sudo openssl req -x509 -nodes -days 365 \
  -newkey rsa:2048 \
  -keyout /etc/pki/tls/ldapserver.key \
  -out /etc/pki/tls/ldapserver.crt

Set correct ownership.

sudo chown ldap:ldap /etc/pki/tls/{ldapserver.crt,ldapserver.key}

Create SSL configuration file:

$ sudo vi add-tls.ldif

With the information below. In an LDIF modify record, each change must be separated from the next by a line containing only a hyphen:

dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/pki/tls/ldapserver.crt
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/pki/tls/ldapserver.key
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/pki/tls/ldapserver.crt

Update slapd database

sudo ldapadd -Y EXTERNAL -H ldapi:/// -f add-tls.ldif

Update the CA location in the OpenLDAP client configuration so the tools trust the new certificate.

$ sudo vim /etc/openldap/ldap.conf

#TLS_CACERT     /etc/pki/tls/cert.pem
TLS_CACERT     /etc/pki/tls/ldapserver.crt

Create OpenLDAP Users

Define your users in the users.ldif file as follows:

$ sudo vim users.ldif

Here is sample data:

dn: uid=vshamallah,ou=people,dc=ldapmaster,dc=computingforgeeks,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: vshamallah
cn: Vic
sn: Shamallah
loginShell: /bin/bash
uidNumber: 10000
gidNumber: 10000
homeDirectory: /home/vshamallah
shadowMax: 60
shadowMin: 1
shadowWarning: 7
shadowInactive: 7
shadowLastChange: 0

dn: cn=vshamallah,ou=groups,dc=ldapmaster,dc=computingforgeeks,dc=com
objectClass: posixGroup
cn: vshamallah
gidNumber: 10000
memberUid: vshamallah

Update the LDAP database to add the new user:

sudo ldapadd -Y EXTERNAL -H ldapi:/// -f users.ldif

Set the password for the user above with the command below:

sudo ldappasswd -H ldapi:/// -Y EXTERNAL -S "uid=vshamallah,ou=people,dc=ldapmaster,dc=computingforgeeks,dc=com"

Create LDAP Bind user

Create the OpenLDAP Bind DN and bind user. This is the account client systems will use to perform LDAP operations such as resolving user IDs and group IDs.

Create the BindDN password.

$ sudo slappasswd
New password: 
Re-enter new password: 

Obtain the hashed password and save it somewhere.
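The {SSHA} values slappasswd prints here and for olcRootPW above are base64(SHA-1(password || salt) || salt) with a 4-byte random salt. This added Python example (not part of the guide) reproduces and verifies that format, so you can check that the hash you pasted into rootdn.ldif or bindDNuser.ldif really belongs to the password you recorded; the password and fixed salt used in it are constructed values.

```python
"""Added example (not from the guide): build and verify {SSHA} values in the
format slappasswd emits by default. SHA-1 is weak as a password hash; this
only reproduces the scheme the guide uses so stored values can be audited."""
import base64
import hashlib
import hmac
import os

def ssha_hash(password, salt=None):
    """Return a {SSHA} value like slappasswd: base64(SHA1(pw + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)  # slappasswd uses a 4-byte salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_parse(value):
    """Split a {SSHA} value into (digest, salt); the first 20 bytes are the SHA-1."""
    if not value.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(value[len("{SSHA}"):])
    if len(raw) <= 20:
        raise ValueError("{SSHA} payload too short to contain digest and salt")
    return raw[:20], raw[20:]

def ssha_verify(password, value):
    """Constant-time check of a candidate password against a stored {SSHA} value."""
    digest, salt = ssha_parse(value)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)

# The olcRootPW value shown in rootdn.ldif above: 32 base64 chars decode to
# a 20-byte digest followed by a 4-byte salt.
PAGE_ROOTPW = "{SSHA}0phayAb6bQA9rONibLb97O5B89KPeNlW"

if __name__ == "__main__":
    pw = "constructed-example-password"  # constructed sample, not a real secret
    stored = ssha_hash(pw)
    print(stored, ssha_verify(pw, stored), ssha_verify("wrong", stored))
```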

Create the bindDNuser.ldif file and add the content below, remember to replace the hashed password and the domain information with your details.

vim bindDNuser.ldif

Here is my configuration:

dn: ou=system,dc=ldapmaster,dc=computingforgeeks,dc=com
objectClass: organizationalUnit
objectClass: top
ou: system

dn: cn=readonly,ou=system,dc=ldapmaster,dc=computingforgeeks,dc=com
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: readonly
userPassword: {SSHA}9Sx4MzBieiojFsXLgXDVnJavwt4vql4p
description: Bind DN user for LDAP Operations

Update ldap database:

sudo ldapadd -Y EXTERNAL -H ldapi:/// -f bindDNuser.ldif

Allow OpenLDAP through Firewall

Open the LDAP and LDAPS ports in the firewall so clients can connect.

sudo firewall-cmd --add-service={ldap,ldaps} --permanent
sudo firewall-cmd --reload

At this point, OpenLDAP is configured and ready for use. You need to configure OpenLDAP clients on your systems to be able to connect to the OpenLDAP server.

Follow the guide below to configure OpenLDAP clients:

Configure LDAP Client on Ubuntu



  1. Hello,

    At the step “Configure OpenLDAP Default Root DN”

    we have to edit the rootdn.ldif file, but I can’t find it.

    Where can I find it, and if i have to create it, where ?

    By the way, thanks for the guide, very helpful.


