Databases 68 min read

Step-by-Step Guide to Building a Secure OpenLDAP Server with High Availability

This comprehensive tutorial walks you through preparing the environment, installing and configuring OpenLDAP on CentOS, securing it with TLS/SSL, setting up phpldapadmin, defining ACLs, enabling master‑slave replication, and implementing Keepalived for VIP‑based high availability, all with ready‑to‑use scripts and configuration files.

Ops Development Stories

Environment Preparation

List the server specifications (ldap‑master, ldap‑slave, CA server, client) and their IP addresses.

1. Install OpenLDAP and Dependencies

# yum -y install openldap openldap-servers openldap-clients compat-openldap openldap-devel migrationtools samba* freeradius*

2. Initialize Configuration

Back up the default slapd.d directory, create a new one, and generate the root password hash with slappasswd. Place the initial slapd.ldif and config_init.sh scripts in /etc/openldap and run the script to create the database directory and set its permissions.

3. Schema and Database Setup

Copy required schema files (FreeRADIUS, Samba) into /etc/openldap/schema and create the Berkeley DB configuration file.

4. Logging Configuration

# mkdir /var/log/slapd
# touch /var/log/slapd/slapd.log
# chown -R ldap:ldap /var/log/slapd

Configure /etc/rsyslog.conf and /etc/logrotate.d/slapd to rotate logs daily and keep five backups.

5. Install and Configure phpLDAPadmin

# yum -y install epel-release
# yum -y install phpldapadmin

Edit /etc/httpd/conf.d/phpldapadmin.conf and /etc/phpldapadmin/config.php to allow access from all networks, then enable and start the Apache service.

6. TLS/SSL Setup

Generate a private key and CSR on the LDAP server, sign it with the internal CA, and copy the CA certificate, server certificate, and key back to /etc/openldap/certs. Update slapd.ldif with the paths to cacert.pem, openldapcert*.crt, and openldapkey*.pem, then restart the LDAP service.

7. LDAP ACL Configuration

Define access controls in slapd.ldif to allow administrators to read/write, regular users to read, and disable anonymous binds. Example ACL entries include permissions for cn=ldapadmin, cn=configadmin, and specific groups.
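One way to express that ACL set against cn=config, as an added example that is not the tutorial's own slapd.ldif: the suffix dc=test,dc=net,dc=cn, the admin DN cn=ldapadmin under it, the replication account uid=syncuser1,ou=People and the database name olcDatabase={2}hdb are assumptions. It goes slightly beyond the text by giving the step 9 sync account read access to password hashes, without which they never reach the slave.

```shell
#!/bin/sh
# Added example (not from the tutorial): apply the step 7 access controls to cn=config
# with ldapmodify. Assumed: suffix dc=test,dc=net,dc=cn, admin cn=ldapadmin,<suffix>,
# replication account uid=syncuser1,ou=People,<suffix>, data database olcDatabase={2}hdb.
set -eu
SUFFIX="${SUFFIX:-dc=test,dc=net,dc=cn}"
ADMIN_DN="${ADMIN_DN:-cn=ldapadmin,$SUFFIX}"
SYNC_DN="${SYNC_DN:-uid=syncuser1,ou=People,$SUFFIX}"
DB_DN="${DB_DN:-olcDatabase={2}hdb,cn=config}"

# slapd evaluates olcAccess rules in {n} order and uses the first "to" clause matching the
# target, so the password rule must precede the catch-all. "by * none" at the end of each
# rule denies anything not explicitly granted, including implicit anonymous searches.
acl_ldif() {
    cat <<EOF
dn: cn=config
changetype: modify
replace: olcDisallows
olcDisallows: bind_anon

dn: $DB_DN
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by dn.exact="$ADMIN_DN" write
  by dn.exact="$SYNC_DN" read
  by self write
  by anonymous auth
  by * none
olcAccess: {1}to *
  by dn.exact="$ADMIN_DN" write
  by users read
  by * none
EOF
}

# "by anonymous auth" is what lets a simple bind compare the password without exposing it;
# the replication account needs read on the hashes or they never reach the slave (step 9).
case "${1:-print}" in
    apply) acl_ldif | ldapmodify -Q -Y EXTERNAL -H ldapi:/// ;;
    *)     acl_ldif ;;   # default: print the LDIF for review
esac
```

Run it without arguments to review the generated LDIF, then with `apply` on the server as root.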

8. Create Test Entries

# /usr/share/migrationtools/migrate_base.pl > basedomin.ldif
# /usr/share/migrationtools/migrate_passwd.pl testuser > testuser.ldif
# /usr/share/migrationtools/migrate_group.pl testgroup > testgroup.ldif
# ldapadd -x -D "cn=acadmin,dc=test,dc=net,dc=cn" -w 123456 -f basedomin.ldif
# ldapadd -x -D "cn=acadmin,dc=test,dc=net,dc=cn" -w 123456 -f testuser.ldif
# ldapadd -x -D "cn=acadmin,dc=test,dc=net,dc=cn" -w 123456 -f testgroup.ldif

Verify entries using phpLDAPadmin or ldapsearch.

9. Master‑Slave Replication

Export the master data to an LDIF file and import it on the slave. Enable the syncprov overlay on the master and configure olcSyncRepl on the slave with a dedicated sync user (e.g., uid=syncuser1).

# sync_master.ldif (enable syncprov and add index)
# sync_slave.ldif (enable syncprov, add index, and configure olcSyncRepl)
# ldapadd -Y EXTERNAL -H ldapi:/// -f sync_master.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -f sync_slave.ldif
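The replication configuration for step 9 as an added example (not the tutorial's sync_master.ldif or sync_slave.ldif), written as a script that prints or applies the LDIF; the suffix, database name, sync account DN, the master hostname ldap-master and the password placeholder are assumptions.

```shell
#!/bin/sh
# Added example, not the tutorial's sync_master.ldif / sync_slave.ldif: the cn=config
# changes for step 9. Assumed: suffix dc=test,dc=net,dc=cn, data database
# olcDatabase={2}hdb,cn=config, replication account uid=syncuser1,ou=People,<suffix>,
# master reachable as ldap-master, its CA trusted via TLS_CACERT in the slave's ldap.conf.
set -eu
SUFFIX="${SUFFIX:-dc=test,dc=net,dc=cn}"
DB_DN="${DB_DN:-olcDatabase={2}hdb,cn=config}"
SYNC_DN="${SYNC_DN:-uid=syncuser1,ou=People,$SUFFIX}"
SYNC_PW="${SYNC_PW:-REPLACE_WITH_SYNCUSER_PASSWORD}"   # placeholder, not a real value
MASTER_URI="${MASTER_URI:-ldap://ldap-master}"
# Master: load syncprov, attach it to the data database and index the attributes
# syncrepl searches on. Drop the cn=module entry if a module list already exists.
master_ldif() {
    cat <<EOF
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: syncprov.la

dn: olcOverlay=syncprov,$DB_DN
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov

dn: $DB_DN
changetype: modify
add: olcDbIndex
olcDbIndex: entryCSN eq
olcDbIndex: entryUUID eq
EOF
}
# Slave: pull the whole suffix as SYNC_DN over a persistent connection; starttls=critical
# refuses to replicate (and to send the bind password) unless TLS to the master succeeds.
slave_ldif() {
    cat <<EOF
dn: $DB_DN
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001 provider=$MASTER_URI bindmethod=simple binddn="$SYNC_DN"
  credentials=$SYNC_PW searchbase="$SUFFIX" scope=sub schemachecking=on
  type=refreshAndPersist retry="30 5 300 +" starttls=critical
EOF
}
case "${1:-}" in
    master) master_ldif | ldapadd -Q -Y EXTERNAL -H ldapi:/// ;;
    slave)  slave_ldif | ldapmodify -Q -Y EXTERNAL -H ldapi:/// ;;
    *)      echo "usage: $0 master|slave  (applies via ldapi:///)" >&2 ;;
esac
```

Run `master` on ldap-master and `slave` on ldap-slave; the sync account must exist on the master with the read access granted in step 7.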

10. High Availability with Keepalived

Install keepalived, choose a VIP (e.g., 192.168.2.250), and create a keepalived.conf that defines a VRRP instance with a priority, authentication, and a health-check script that monitors the slapd process. Add the scripts to_master.sh, to_stop.sh, and check-ldap-server.sh to start and stop LDAP automatically on state changes.

# /etc/keepalived/keepalived.conf
# check_ldap_server_status must be defined by a vrrp_script block (the one that runs
# check-ldap-server.sh) before it can be named in track_script.
vrrp_instance VI_1 {
    state MASTER              # use BACKUP and a lower priority on ldap-slave
    interface eth0
    virtual_router_id 51
    priority 100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111        # placeholder; replace before deployment
    }
    virtual_ipaddress { 192.168.2.250 }
    notify_master "/etc/keepalived/to_master.sh"
    notify_backup "/etc/keepalived/to_master.sh"   # the backup keeps slapd running so replication continues
    notify_stop   "/etc/keepalived/to_stop.sh"
    track_script { check_ldap_server_status }
}

Enable and start keepalived on both nodes. When the master LDAP service stops, the VIP moves to the slave, and the client continues to connect to 192.168.2.250 without certificate warnings.
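A health-check script for the track_script above, as an added example rather than the tutorial's check-ldap-server.sh; the ldapi:/// probe, the vrrp_script parameters shown in the header comment and the assumption that keepalived runs the script as root are mine. It checks that slapd answers, not only that the process exists, so a hung daemon also triggers failover.

```shell
#!/bin/sh
# Added example, not the tutorial's check-ldap-server.sh: the keepalived health check for
# step 10. slapd counts as healthy only if it answers a bind on ldapi:///, not merely if
# the process exists. Assumes keepalived runs the script as root (its default), which the
# EXTERNAL mechanism maps to the local config identity without a password.
#
# Matching keepalived.conf stanza (interval/weight/fall/rise are assumed values):
#   vrrp_script check_ldap_server_status {
#       script   "/etc/keepalived/check-ldap-server.sh"
#       interval 2
#       weight   -20   # drops this node's priority below the peer so the VIP moves
#       fall     2
#       rise     2
#   }
set -u

LDAP_PROBE="${LDAP_PROBE:-ldapwhoami -Q -Y EXTERNAL -H ldapi:///}"
PROBE_TIMEOUT="${PROBE_TIMEOUT:-3}"   # seconds; a hung slapd must count as down

# Exit status 0 = healthy, 1 = unhealthy; keepalived only looks at the code.
# The probe command is an argument so the logic can be exercised without slapd.
check_ldap_server() {
    probe="${1:-$LDAP_PROBE}"
    if timeout "$PROBE_TIMEOUT" sh -c "$probe" >/dev/null 2>&1; then
        return 0
    fi
    logger -t check-ldap-server "slapd probe failed: $probe" 2>/dev/null || :
    return 1
}

# Run the check when installed under its own name; when sourced or run under another
# name (e.g. for testing) only define the function.
case "$0" in
    */check-ldap-server.sh|check-ldap-server.sh) check_ldap_server; exit $? ;;
esac
```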

11. Final Testing

Use ldapsearch or phpLDAPadmin to connect to the VIP over LDAPS, verify that the directory entries are synchronized, and confirm that the VIP fails over correctly when the master goes down.

Import the provided LDIF files, adjust the hostnames in /etc/hosts, and replace the placeholder passwords with securely generated ones before deployment.
[Screenshot: phpLDAPadmin login]
[Screenshot: LDAP over TLS]
Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Tags: high availability, Linux, keepalived, OpenLDAP, LDAP setup
Written by

Ops Development Stories

Maintained by a like‑minded team, covering both operations and development. Topics span Linux ops, DevOps toolchain, Kubernetes containerization, monitoring, log collection, network security, and Python or Go development. Team members: Qiao Ke, wanger, Dong Ge, Su Xin, Hua Zai, Zheng Ge, Teacher Xia.
