OpenLDAP Installation and Configuration — Offline Environment

The main focus of this article is to share my experience of installing OpenLDAP in an environment with restricted internet connectivity, together with the other areas of the configuration that took me the most time to understand.

Hope this helps someone in a similar situation.

When I started the installation, these were my considerations:

  1. Install without pulling the packages with yum (I was working with CentOS 7 / Red Hat 7.5).
  2. Enable ldaps connectivity.
  3. Enable logging and move the log file to a preferred location.
  4. Move the default database location to a preferred directory with more disk space available.

Let’s get started.

Initial Installation

As a first step, download all the RPM files from or . Here is the list of needed RPMs.


The above list worked fine with CentOS 7, but Red Hat 7.5 required an additional library:

cyrus-sasl-2.1.26-23.el7.x86_64.rpm, which is needed by cyrus-sasl-devel-2.1.26-23.el7.x86_64.rpm

Then use the Ansible script (download it from GitHub) to run the initial installation. The comments in the script explain the reason for each task. You can execute it in one go:

ansible-playbook -i inventories/dev/hosts site.yml --tags=openldapinstallation


Or in two steps, to verify the initial installation first and then apply the configuration update:

ansible-playbook -i inventories/dev/hosts site.yml --tags=ldapinstallstep1

ansible-playbook -i inventories/dev/hosts site.yml --tags=ldapinstallstep2

After a successful run, check the service status with "systemctl status slapd.service" or "service slapd status".

Enabling SSL

Update SLAPD_URLS (in /etc/sysconfig/slapd on CentOS 7) so that slapd also listens on ldaps:

SLAPD_URLS="ldapi:/// ldap:/// ldaps:///"

Then run "systemctl restart slapd". If it fails, open

vi /etc/sysconfig/selinux and change enforcing to permissive, or set it with the command below (this does not survive a reboot):

sudo setenforce Permissive

Then run "systemctl restart slapd" again. If you now execute the command below, you will see that port 636 is listening:

netstat -antup | grep -i 636

Enabling Logs

The Ansible task below applies logenable.ldif to cn=config with ldapmodify over the ldapi socket:

- block:
    - name: "Enable Logs"
      command: "/usr/bin/ldapmodify -Y EXTERNAL -H ldapi:/// -f {{openldap_directory}}/openldap/ldifs/logenable.ldif"
  become: yes
  become_user: root
  tags: [ logenable, ldapinstallstep2 ]

Then we need to update rsyslog.conf:

sudo vi /etc/rsyslog.conf

Add the line below to the file (slapd logs to the local4 facility):

local4.* /openldapserver/openldap/logs/slapd.log

After that, restart rsyslog:

service rsyslog restart

After a successful update, if you run an ldapsearch you will see the queries printed in the log.

Moving the Database

Take a backup of the configuration by executing slapcat -b "cn=config" > slapdbackup.ldif (write to a fresh file; appending to an existing one would duplicate entries).

Copy the database files to the new location:

cp -R /var/lib/ldap /openldapserver/openldap/data/

Note: the DB_CONFIG file has to specify the same location too.

Update the owner of the data directory:

chown -R ldap:ldap /openldapserver/openldap/data

Open slapdbackup.ldif and update "olcDbDirectory" to your preferred location; here it is /openldapserver/openldap/data/ldap, because I copied the whole directory.

Now remove all the config files inside /etc/openldap/slapd.d.

Execute the command below to give ownership to the ldap user:

sudo chown -R ldap:ldap /etc/openldap/slapd.d

To apply the configuration, execute:

sudo slapadd -F /etc/openldap/slapd.d -b cn=config -l slapdbackup.ldif

Since slapadd ran as root, give ownership to the ldap user again: sudo chown -R ldap:ldap /etc/openldap/slapd.d

Now start the service: service slapd start
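As an added example (not the post's own script), here are the database-move steps above as one POSIX shell script. It goes a little beyond the post: it stops slapd before dumping the config, does the olcDbDirectory rewrite in a function that can be checked on a dump first, and runs slaptest on the rebuilt cn=config before starting the service. NEW_DIR, BACKUP and CONF_DIR are assumptions matching the paths used above.

```shell
#!/bin/sh
# Added example, not from the original post: the "Moving the Database" steps
# as one script. The olcDbDirectory rewrite is a function so it can be
# checked on a dump before anything is applied to the live server.
# NEW_DIR, BACKUP and CONF_DIR are assumed to match the paths in the post.
set -eu

NEW_DIR="${NEW_DIR:-/openldapserver/openldap/data/ldap}"
BACKUP="${BACKUP:-slapdbackup.ldif}"
CONF_DIR="/etc/openldap/slapd.d"

# Print the LDIF in $1 with every olcDbDirectory value replaced by $2.
# Fails (status 1) if the dump contains no database directory at all.
rewrite_db_directory() {
    in_file="$1"; new_dir="$2"
    grep -q '^olcDbDirectory: ' "$in_file" || {
        echo "no olcDbDirectory in $in_file" >&2; return 1; }
    sed -e "s|^olcDbDirectory: .*|olcDbDirectory: ${new_dir}|" "$in_file"
}

# Number of olcDbDirectory lines in $1 that point at directory $2.
count_db_directory() {
    grep -c "^olcDbDirectory: $2\$" "$1" || true
}

move_database() {
    systemctl stop slapd
    slapcat -b cn=config -l "$BACKUP"       # dump cn=config (overwrite, not append)
    mkdir -p "$NEW_DIR"
    cp -a /var/lib/ldap/. "$NEW_DIR"/       # DB_CONFIG and the db files move together
    chown -R ldap:ldap "$NEW_DIR"
    rewrite_db_directory "$BACKUP" "$NEW_DIR" > "$BACKUP.new"
    rm -rf "$CONF_DIR"/*                    # drop the old cn=config, as in the post
    slapadd -F "$CONF_DIR" -b cn=config -l "$BACKUP.new"
    chown -R ldap:ldap "$CONF_DIR"          # slapadd ran as root
    slaptest -F "$CONF_DIR" -u              # dry-run check of the config before start
    systemctl start slapd
}

# Only perform the move when explicitly asked, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    move_database
fi
```

Run it as root with --run; without the flag it only defines the functions, which lets you try rewrite_db_directory on a dump and inspect the result first.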

That's it, all done.

If you need to connect from a third-party application over ldaps, get the server certificate from the LDAP server and import it into the application's truststore. You can use the command below for that:

keytool -importcert -file ldaps.cert -keystore truststore.jks -alias "ldapssl"





Senior Tech Lead — Enterprise Integration | WSO2 Certified Solution Architect |
