May 19, 2024

Impact & Learning

Learn to impact

Get started with OpenLDAP

OpenLDAP is an open source implementation of the LDAP protocol. It provides a directory service in which users, groups and their attributes are stored as a hierarchy of entries, each named by a distinguished name, and in which access to every part of that tree can be controlled per user. That combination of a central profile store and fine-grained access control is what makes it useful to any large company or organization. To get started with OpenLDAP we will learn how to install it and load a first directory.

Instructions

Before looking at the OpenLDAP commands themselves, we show how to install OpenLDAP on your server. Because installation and configuration are somewhat involved, especially for new users, we walk through a simple configuration on a single machine so that you can take advantage of everything the protocol offers.

It is important to know the license when using the software or when sharing content related to OpenLDAP (such as this tutorial). The OpenLDAP Public License is included in the LICENSE file of the distribution.

1. Download the software

Here are the instructions for users of a Linux environment. You can obtain a copy of the software by following the instructions on the OpenLDAP software download page (http://www.openldap.org/software/download/). New users are advised to download the latest release, and to check the downloaded archive against the checksums or signature the project publishes alongside it before unpacking.

2. Unpack the distribution

Choose a directory to unpack into, change into it and unpack the distribution with the following commands:

gunzip -c openldap-VERSION.tgz | tar xvfB -
# Go to the distribution directory
cd openldap-VERSION

You will need to replace VERSION with the number of the downloaded version.

3. Review the documentation

You should now review the COPYRIGHT, LICENSE, README and INSTALL documents provided with the distribution. COPYRIGHT and LICENSE state the terms of acceptable use and copying, and the warranty limitations, of the OpenLDAP software.

4. Compile and build OpenLDAP

The package comes with a configure script that adapts the distribution to build on your system. It accepts many command line options that enable or disable optional software features. The defaults are generally fine, but you may want to change them. For a complete list of the options configure accepts, use the --help option:

./configure --help

However, in most cases a default configuration of OpenLDAP is sufficient, which is done by running:

./configure

Then build the software. This step has two parts: make depend first generates the dependency information, then make compiles the sources. Check that no errors are reported during the build:

make depend
make

To verify that the build succeeded, run the test suite (it only takes a few minutes):

make test

The tests that apply to your configuration run and should all pass. Some tests, such as the replication test, may be skipped.

5. Install the software

We are now ready to install the software. This requires superuser privileges; if you are not already root, you can do it like this:

su root -c 'make install'

By default the software is installed under /usr/local; the --prefix option of configure changes where it is placed.

6. Edit the configuration file

Here the interesting part begins. Use your favorite editor to edit the example slapd.ldif (usually located at /usr/local/etc/openldap/slapd.ldif) so that it contains an MDB database definition of the following form (lines must start in the first column; in LDIF a line beginning with a space continues the previous one):

dn: olcDatabase=mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: mdb
olcDbMaxSize: 1073741824
olcSuffix: dc=[MY-DOMAIN],dc=[COM]
olcRootDN: cn=Manager,dc=[MY-DOMAIN],dc=[COM]
olcRootPW: secret
olcDbDirectory: /usr/local/var/openldap-data
olcDbIndex: objectClass eq

Be sure to replace [MY-DOMAIN] and [COM] with the domain components of your domain name. For example, if your domain is example.com, use the following configuration:

dn: olcDatabase=mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: mdb
olcDbMaxSize: 1073741824
olcSuffix: dc=example,dc=com
olcRootDN: cn=Manager,dc=example,dc=com
olcRootPW: secret
olcDbDirectory: /usr/local/var/openldap-data
olcDbIndex: objectClass eq

If your domain contains subdomains, for example eng.uni.edu.eu, every label becomes one dc component:

dn: olcDatabase=mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: mdb
olcDbMaxSize: 1073741824
olcSuffix: dc=eng,dc=uni,dc=edu,dc=eu
olcRootDN: cn=Manager,dc=eng,dc=uni,dc=edu,dc=eu
olcRootPW: secret
olcDbDirectory: /usr/local/var/openldap-data
olcDbIndex: objectClass eq

Details about slapd configuration can be found in the slapd-config(5) manual page. It is very important that the olcDbDirectory directory exist before slapd is started. Note also that olcRootPW as written above is a cleartext password, and whoever can read slapd.ldif can bind as the directory superuser: replace the literal secret with the hashed value printed by slappasswd (it prompts for the password and prints a {SSHA} string by default), and keep slapd.ldif readable only by root.

7. Import the configuration database

The configuration database must now be imported so that slapd can use it. Run the following command; -n 0 selects the configuration database, and the directory given with -F receives the converted configuration (the argument to su -c must be quoted so that the whole command line reaches slapadd):

su root -c '/usr/local/sbin/slapadd -n 0 -F /usr/local/etc/cn=config -l /usr/local/etc/openldap/slapd.ldif'


8. Start slapd

You are now ready to start the LDAP daemon, slapd, which runs in the background and listens for client requests:

su root -c '/usr/local/libexec/slapd -F /usr/local/etc/cn=config'

Started this way slapd runs as root. It only needs root to bind its privileged port, so on a real server give it an unprivileged user and group with the -u and -g options, and make that user the owner of the olcDbDirectory and of the configuration directory.

To verify that the server is running and configured correctly, it is sufficient to search it with ldapsearch (installed as /usr/local/bin/ldapsearch). The following query reads the namingContexts attribute of the root DSE, which lists the suffixes the server holds:

ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts

Note the single quotes around the parameters, which prevent the shell from interpreting special characters such as the asterisk and the parentheses. The result should look like this:

dn:
namingContexts: dc=example,dc=com

9. Add initial entries to your directory

You can use ldapadd to add entries to your LDAP directory. ldapadd expects entries in LDIF format, so we create an LDIF file and run ldapadd on it. The basic structure of the file is as follows:

dn: dc=[MY-DOMAIN],dc=[COM]
objectclass: dcObject
objectclass: organization
o: [MY ORGANIZATION]
dc: [MY-DOMAIN]

dn: cn=Manager,dc=[MY-DOMAIN],dc=[COM]
objectclass: organizationalRole
cn: Manager

Replace [MY-DOMAIN] and [COM] with the components of your domain, and [MY ORGANIZATION] with the name of your organization; the attribute that holds the organization name is o (organizationName). When you run ldapadd you will be prompted for the password set in olcRootPW in slapd.ldif (“secret” in the example above). For the example.com domain the command is:

ldapadd -x -D "cn=Manager, dc=example, dc=com" -W -f example.ldif

Where example.ldif is the file that was created earlier.

10. Validate operations

Finally, to verify that the added entries are in your directory, any LDAP client can be used. As an example we use ldapsearch; for the example.com domain the query is:

ldapsearch -x -b 'dc=example,dc=com' '(objectclass=*)'

This command searches the whole database under that suffix and returns every entry in it.

You are now ready to add more entries with ldapadd or another LDAP client, and to experiment with configuration options, backend arrangements, and so on. Note that by default the slapd database grants read access to everybody, anonymous clients included, while the superuser (the entry named by olcRootDN) has full access. It is highly recommended that you define access controls (olcAccess directives, described in slapd.access(5)) that restrict access to authorized users; in particular the userPassword attribute should be readable by nobody and usable only for authentication.
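The procedure from step 6 onward, gathered into one script that works for any domain name. This is an added example, not code from the OpenLDAP project or from the original post. It assumes the tutorial's /usr/local paths; the function names, the output file names (mdb-database.ldif, initial-entries.ldif) and the {SSHA}placeholder value used in comments are this example's own. It generalizes the three step 6 fragments (the dc= suffix is derived from the dotted domain), takes a hashed root password instead of the literal secret, checks the olcDbDirectory caveat, and adds the two olcAccess rules that the closing paragraph recommends.

```shell
#!/bin/sh
# Added example, not code from the OpenLDAP project or the original tutorial.
# Generalises steps 6 and 9 to any domain and adds the access controls the
# tutorial recommends at the end. Paths are the tutorial's /usr/local defaults;
# the output file names are this script's own choice.
set -u

# Map a dotted domain name to an LDAP suffix (the rule behind the three
# examples in step 6): eng.uni.edu.eu -> dc=eng,dc=uni,dc=edu,dc=eu
domain_to_suffix() {
    case $1 in
        ''|.*|*.|*..*|*[!A-Za-z0-9.-]*)
            echo "domain_to_suffix: invalid domain '$1'" >&2
            return 1 ;;
    esac
    printf 'dc=%s\n' "$1" | sed 's/\./,dc=/g'
}

# The cn=config database entry of step 6. $2 is the olcRootPW value: pass the
# {SSHA} hash printed by slappasswd, never the cleartext "secret".
# The two olcAccess values replace the default "read for everybody" policy:
# passwords are writable by their owner and usable only for binding; everything
# else is readable by authenticated users and invisible to anonymous clients.
# The rootdn bypasses ACLs, so cn=Manager keeps full access.
mdb_database_ldif() {
    suffix=$(domain_to_suffix "$1") || return 1
    cat <<EOF
dn: olcDatabase=mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: mdb
olcDbMaxSize: 1073741824
olcSuffix: $suffix
olcRootDN: cn=Manager,$suffix
olcRootPW: $2
olcDbDirectory: ${3:-/usr/local/var/openldap-data}
olcDbIndex: objectClass eq
olcAccess: to attrs=userPassword by self write by anonymous auth by * none
olcAccess: to * by self write by users read by * none
EOF
}

# The initial entries of step 9 for ldapadd. The organization name attribute
# is "o" (organizationName); "dc" carries the first label of the domain.
initial_entries_ldif() {
    suffix=$(domain_to_suffix "$1") || return 1
    cat <<EOF
dn: $suffix
objectClass: dcObject
objectClass: organization
o: $2
dc: ${1%%.*}

dn: cn=Manager,$suffix
objectClass: organizationalRole
cn: Manager
EOF
}

# Write both LDIF files into $1, readable only by the caller, because the
# database definition carries the root password hash. Also enforces the
# step 6 caveat that olcDbDirectory must exist before slapd is started.
write_ldifs() {
    outdir=$1 domain=$2 org=$3 rootpw=$4 dbdir=${5:-/usr/local/var/openldap-data}
    [ -d "$dbdir" ] || { echo "create $dbdir before starting slapd" >&2; return 1; }
    mkdir -p "$outdir" || return 1
    (
        umask 077
        mdb_database_ldif "$domain" "$rootpw" "$dbdir" > "$outdir/mdb-database.ldif" &&
        initial_entries_ldif "$domain" "$org" > "$outdir/initial-entries.ldif"
    )
}

# Usage: sh <this file> example.com 'Example Inc' "$(slappasswd)"
# Then replace the example olcDatabase=mdb entry in slapd.ldif with the contents
# of ldif/mdb-database.ldif and continue with steps 7 to 10 (slapadd -n 0,
# slapd, ldapadd -f ldif/initial-entries.ldif).
if [ $# -eq 3 ]; then
    write_ldifs ./ldif "$1" "$2" "$3" || exit 1
fi
```

With these access controls the anonymous search of step 10 no longer sees the tree: slapd answers as if the base did not exist, so verify with a bind instead, for example ldapsearch -x -D 'cn=Manager,dc=example,dc=com' -W -b 'dc=example,dc=com' '(objectclass=*)'. The anonymous root DSE query of step 8 still works, because the root DSE is governed by the frontend's default access.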