
Step-by-Step Guide to Building a Secure OpenLDAP Server with High Availability

This comprehensive tutorial walks you through preparing the environment, installing and configuring OpenLDAP on CentOS, securing it with TLS/SSL, setting up phpldapadmin, defining ACLs, enabling master‑slave replication, and implementing Keepalived for VIP‑based high availability, all with ready‑to‑use scripts and configuration files.


Environment Preparation

The setup uses four hosts: ldap-master, ldap-slave, the CA server, and a client. Record each host's specifications and IP address before starting.

1. Install OpenLDAP and Dependencies

<code># yum -y install openldap openldap-servers openldap-clients compat-openldap openldap-devel migrationtools samba* freeradius*</code>

2. Initialize Configuration

Back up the default <code>slapd.d</code> directory, create a new one, and generate the root password hash with <code>slappasswd</code>. Place the initial <code>slapd.ldif</code> and the <code>config_init.sh</code> script in <code>/etc/openldap</code>, then run the script to create the database directory and set its permissions.

3. Schema and Database Setup

Copy the required schema files (FreeRADIUS, Samba) into <code>/etc/openldap/schema</code> and create the Berkeley DB configuration file.

4. Logging Configuration

<code># mkdir /var/log/slapd
# touch /var/log/slapd/slapd.log
# chown -R ldap:ldap /var/log/slapd</code>

Configure <code>/etc/rsyslog.conf</code> and <code>/etc/logrotate.d/slapd</code> to rotate the logs daily and keep five backups.

5. Install and Configure phpLDAPadmin

<code># yum -y install epel-release
# yum -y install phpldapadmin</code>

Edit <code>/etc/httpd/conf.d/phpldapadmin.conf</code> and <code>/etc/phpldapadmin/config.php</code> to allow access from all networks, then enable and start the Apache service.

6. TLS/SSL Setup

Generate a private key and CSR on the LDAP server, sign the CSR with the internal CA, and copy the CA certificate, server certificate, and key back to <code>/etc/openldap/certs</code>. Update <code>slapd.ldif</code> with the paths to <code>cacert.pem</code>, <code>openldapcert*.crt</code>, and <code>openldapkey*.pem</code>, then restart the LDAP service.
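As an added example (not the article's own commands), the key and CSR for this step with a subjectAltName that covers both node hostnames and the VIP, so that the failover in step 10 really produces no certificate warning. It assumes the hostnames ldap-master and ldap-slave, the file names openldapkey.pem and openldapcert.crt, and an internal CA that copies request extensions when signing.

```shell
#!/bin/sh
# Added example, not from the article: key and CSR for step 6 whose subjectAltName
# covers every name a client may use, so the VIP failover in step 10 produces no
# certificate warning. Assumed: hostnames ldap-master and ldap-slave, VIP 192.168.2.250,
# file names openldapkey.pem / openldapcert.crt; the CA's signing command is not shown.
CERT_DIR="${CERT_DIR:-/etc/openldap/certs}"
VIP="192.168.2.250"

# openssl request config: clients match subjectAltName, so the CN alone is not enough.
san_cnf() {
  cat <<EOF
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
CN = ldap-master
[v3_req]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:ldap-master, DNS:ldap-slave, IP:$VIP
EOF
}

# Create a root-only key and the CSR; the same key/cert pair is installed on both nodes.
# The CA must keep the request extensions (for "openssl ca" that is copy_extensions = copy).
make_csr() {
  umask 077
  san_cnf > "$CERT_DIR/san.cnf"
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$CERT_DIR/openldapkey.pem" -out "$CERT_DIR/openldap.csr" \
    -config "$CERT_DIR/san.cnf" || return 1
  chown ldap:ldap "$CERT_DIR/openldapkey.pem"
}

# After the CA returns openldapcert.crt and cacert.pem: check the chain and that the
# VIP really ended up in the SAN before restarting slapd.
verify_cert() {
  openssl verify -CAfile "$CERT_DIR/cacert.pem" "$CERT_DIR/openldapcert.crt" || return 1
  openssl x509 -in "$CERT_DIR/openldapcert.crt" -noout -text | grep -q "IP Address:$VIP"
}

# On the LDAP server: make_csr, send openldap.csr to the CA, install the files, verify_cert.
# Client-side check through the VIP after the restart:
#   ldapsearch -H ldaps://192.168.2.250 -x -D "cn=ldapadmin,dc=test,dc=net,dc=cn" -W -b "dc=test,dc=net,dc=cn" -s base
```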

7. LDAP ACL Configuration

Define access controls in <code>slapd.ldif</code> so that administrators can read and write, regular users can read, and anonymous binds are disabled. The example ACL entries grant permissions to <code>cn=ldapadmin</code>, <code>cn=configadmin</code>, and specific groups.
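One way to express this ACL as a cn=config change, added here as an example and not taken from the article's slapd.ldif. It assumes the data database is olcDatabase={2}hdb, uses the article's cn=ldapadmin as the administrator, and gives the step 9 sync user (assumed to live under ou=People) the read access on userPassword it needs for replication.

```shell
#!/bin/sh
# Added example, not the article's slapd.ldif: the step 7 ACL as an ldapmodify input
# for cn=config. Assumed: data database olcDatabase={2}hdb, admin DN cn=ldapadmin
# (named in the article), sync user uid=syncuser1 from step 9 under ou=People.
BASE_DN="dc=test,dc=net,dc=cn"
ADMIN_DN="cn=ldapadmin,$BASE_DN"
SYNC_DN="uid=syncuser1,ou=People,$BASE_DN"

# Rules are evaluated in order and the first matching "to" clause wins, so the
# password rule must be {0}. "by anonymous auth" lets a simple bind compare the
# password without anyone being able to read it. The sync user gets read on
# userPassword; without it the slave never receives password hashes and nobody
# can log in after a failover. Continuation lines carry two leading spaces:
# one is the LDIF marker, the other a real space.
acl_ldif() {
  cat <<EOF
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by dn.exact="$ADMIN_DN" write
  by dn.exact="$SYNC_DN" read
  by self write
  by anonymous auth
  by * none
olcAccess: {1}to *
  by dn.exact="$ADMIN_DN" write
  by users read
  by * none
-
replace: olcRequires
olcRequires: authc

dn: cn=config
changetype: modify
replace: olcDisallows
olcDisallows: bind_anon
EOF
}

# bind_anon is a global setting (cn=config) and rejects anonymous bind requests;
# olcRequires: authc on the database makes every operation except the bind itself
# require an authenticated user. Apply as root, as the article does for cn=config:
#   acl_ldif | ldapmodify -Y EXTERNAL -H ldapi:///
```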

8. Create Test Entries

<code># /usr/share/migrationtools/migrate_base.pl > basedomin.ldif
# /usr/share/migrationtools/migrate_passwd.pl testuser > testuser.ldif
# /usr/share/migrationtools/migrate_group.pl testgroup > testgroup.ldif
# ldapadd -x -D "cn=acadmin,dc=test,dc=net,dc=cn" -w 123456 -f basedomin.ldif
# ldapadd -x -D "cn=acadmin,dc=test,dc=net,dc=cn" -w 123456 -f testuser.ldif
# ldapadd -x -D "cn=acadmin,dc=test,dc=net,dc=cn" -w 123456 -f testgroup.ldif</code>

Verify the entries using phpLDAPadmin or <code>ldapsearch</code>.

9. Master‑Slave Replication

Export the master data to an LDIF file and import it on the slave. Enable the <code>syncprov</code> overlay on the master and configure <code>olcSyncRepl</code> on the slave with a dedicated sync user (e.g., <code>uid=syncuser1</code>).

<code># sync_master.ldif (enable syncprov and add index)
# sync_slave.ldif (enable syncprov, add index, and configure olcSyncRepl)
# ldapadd -Y EXTERNAL -H ldapi:/// -f sync_master.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -f sync_slave.ldif</code>
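Added example of what the two LDIF files above can contain; it is not the article's own sync_master.ldif or sync_slave.ldif. It assumes the data database is olcDatabase={2}hdb, the module directory is /usr/lib64/openldap, the sync user lives under ou=People, and the CA file is the cacert.pem from step 6; the consumer side refuses to replicate unless the master presents a certificate that chains to that CA.

```shell
#!/bin/sh
# Added example, not the article's sync_master.ldif / sync_slave.ldif: cn=config LDIF for
# both sides of step 9. Assumed: data database olcDatabase={2}hdb, module path
# /usr/lib64/openldap, sync user uid=syncuser1 under ou=People, CA file from step 6.
BASE_DN="dc=test,dc=net,dc=cn"
SYNC_DN="uid=syncuser1,ou=People,$BASE_DN"
CA_FILE="/etc/openldap/certs/cacert.pem"

# Master (provider): load syncprov, index what the consumer searches on, attach the overlay.
master_ldif() {
  cat <<EOF
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: syncprov.la

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: entryCSN eq
olcDbIndex: entryUUID eq

dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
EOF
}

# Slave (consumer): $1 = provider URI, $2 = the sync user's password (read it from a
# root-only file, never type it on the command line). starttls=critical plus
# tls_reqcert=demand means replication never runs in the clear or against an
# unverified master. Continuation lines carry two leading spaces (LDIF marker + space).
slave_ldif() {
  cat <<EOF
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001
  provider=$1
  binddn="$SYNC_DN"
  bindmethod=simple
  credentials=$2
  searchbase="$BASE_DN"
  type=refreshAndPersist
  retry="30 5 300 +"
  starttls=critical
  tls_cacert=$CA_FILE
  tls_reqcert=demand
EOF
}
```

Apply each side with the same binding the article uses: `master_ldif | ldapadd -Y EXTERNAL -H ldapi:///` on the master and `slave_ldif ldap://ldap-master "$(cat /etc/openldap/syncuser.pw)" | ldapmodify -Y EXTERNAL -H ldapi:///` on the slave (the password file path is an assumption).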

10. High Availability with Keepalived

Install <code>keepalived</code>, choose a VIP (e.g., 192.168.2.250), and create a <code>keepalived.conf</code> that defines a VRRP instance with priority, authentication, and a health-check script that monitors the <code>slapd</code> process. Add the scripts <code>to_master.sh</code>, <code>to_stop.sh</code>, and <code>check-ldap-server.sh</code> to start and stop LDAP automatically.

<code># /etc/keepalived/keepalived.conf
# Health check referenced by track_script below. It runs the article's
# check-ldap-server.sh; the interval is an assumed value. With no weight set,
# a failing check puts the instance into FAULT state and releases the VIP.
vrrp_script check_ldap_server_status {
    script "/etc/keepalived/check-ldap-server.sh"
    interval 2
}

vrrp_instance VI_1 {
    state MASTER
    interface eth0
    virtual_router_id 51
    priority 100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        192.168.2.250
    }
    notify_master "/etc/keepalived/to_master.sh"
    notify_backup "/etc/keepalived/to_master.sh"
    notify_stop   "/etc/keepalived/to_stop.sh"
    track_script {
        check_ldap_server_status
    }
}</code>

Enable and start <code>keepalived</code> on both nodes. When the master LDAP service stops, the VIP moves to the slave, and clients continue to connect to <code>192.168.2.250</code> without certificate warnings.

11. Final Testing

Use <code>ldapsearch</code> or phpLDAPadmin to connect to the VIP over LDAPS, verify that the directory entries are synchronized, and confirm that the VIP fails over correctly when the master goes down.

Import the provided LDIF files, adjust the hostnames in <code>/etc/hosts</code>, and replace the placeholder passwords with securely generated ones before deployment.

Figure: phpLDAPadmin login
Figure: LDAP over TLS
Written by

Ops Development Stories

Maintained by a like‑minded team, covering both operations and development. Topics span Linux ops, DevOps toolchain, Kubernetes containerization, monitoring, log collection, network security, and Python or Go development. Team members: Qiao Ke, wanger, Dong Ge, Su Xin, Hua Zai, Zheng Ge, Teacher Xia.
