Install and Configure OpenLDAP on Rocky Linux 9 (cn=config Guide)

OpenLDAP is a widely used open-source implementation of the Lightweight Directory Access Protocol (LDAP). It provides a centralized directory service for authentication, authorization, and identity management across Linux systems.

This tutorial demonstrates a tested, production-ready workflow to install and configure OpenLDAP on Rocky Linux 9 (RHEL 9 compatible) using the modern cn=config backend and ldapmodify commands.

If you are new to LDAP concepts, start here:


OpenLDAP Command Quick Reference (Rocky Linux 9)

Install OpenLDAP packages
  Command: dnf install openldap openldap-servers openldap-clients
  Purpose: Installs LDAP server, client tools, and utilities

Enable and start slapd
  Command: systemctl enable slapd --now
  Purpose: Starts the OpenLDAP service now and at boot

Generate admin password
  Command: slappasswd
  Purpose: Creates an SSHA-hashed LDAP admin password

List configured databases
  Command: ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config dn
  Purpose: Shows cn=config databases and backends

Modify LDAP configuration
  Command: ldapmodify -Y EXTERNAL -H ldapi:/// -f file.ldif
  Purpose: Updates cn=config using LDIF

Load LDAP schemas
  Command: ldapadd -Y EXTERNAL -H ldapi:/// -f schema.ldif
  Purpose: Adds required LDAP schemas

Add LDAP entries
  Command: ldapadd -x -D cn=admin,dc=example,dc=com -W -f file.ldif
  Purpose: Creates users, groups, or base entries

Search LDAP directory
  Command: ldapsearch -x -b dc=example,dc=com
  Purpose: Queries LDAP data

Modify LDAP entries
  Command: ldapmodify -x -D cn=admin,dc=example,dc=com -W -f file.ldif
  Purpose: Updates existing users or groups

Delete LDAP entries
  Command: ldapdelete -x -D cn=admin,dc=example,dc=com -W dn
  Purpose: Removes users or groups

Lab Environment

NAME="Rocky Linux"
VERSION="9.4 (Blue Onyx)"
ID="rocky"
ID_LIKE="rhel centos fedora"
VERSION_ID="9.4"
SUPPORT_END="2032-05-31"

Single-node setup (LDAP server + client on same VM).

10.10.1.17  server.example.com server

Step 1: Update System Packages

sudo dnf update -y

Step 2: Install OpenLDAP Packages

Enable the Plus repository (required for openldap-servers on Rocky Linux 9 / RHEL 9):

sudo dnf config-manager --set-enabled plus
sudo dnf install -y openldap openldap-servers openldap-clients

Verify installed versions:

openldap-2.6.x
openldap-servers-2.6.x
openldap-clients-2.6.x

Step 3: Enable and Start slapd

Enable and start the OpenLDAP service (slapd):

sudo systemctl enable slapd --now

Verify that the service is running:

sudo systemctl status slapd

Step 4: Configure OpenLDAP (cn=config)

Rocky Linux 9 uses the dynamic cn=config backend, where all OpenLDAP configuration is stored inside the LDAP database itself and managed using ldapmodify. The legacy slapd.conf method is no longer used.

Generate Admin Password

Run slappasswd and enter the desired administrator password when prompted:

slappasswd

Save the generated {SSHA} hash; it is used below to set the LDAP administrator (cn=admin) password in olcRootPW.
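Before pasting the hash into db.ldif, it is worth confirming that the {SSHA} value really corresponds to the password you intend to use. The Python below is an added example (not from the original page or from OpenLDAP) that rebuilds the slappasswd {SSHA} scheme, base64 of SHA-1(password + salt) followed by the salt, and verifies a candidate password against a hash found in an LDIF fragment; the sample LDIF and the password Secret123 are constructed.

```python
import base64
import hashlib
import hmac
import os


def ssha_hash(password: str, salt: bytes = b"") -> str:
    """Build an OpenLDAP {SSHA} value: base64(SHA1(password + salt) + salt).

    This is the scheme slappasswd emits by default (random 4-byte salt)."""
    if not salt:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a candidate password against a stored {SSHA} value.

    The salt is whatever follows the 20-byte SHA-1 digest in the decoded
    blob, so salts of any length are handled. Comparison is constant-time."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value: " + stored[:8])
    blob = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = blob[:20], blob[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def verify_rootpw_in_ldif(ldif_text: str, password: str) -> bool:
    """Locate olcRootPW in an LDIF fragment (such as db.ldif) and confirm the
    pasted hash really matches the intended administrator password."""
    for line in ldif_text.splitlines():
        if line.startswith("olcRootPW: "):
            return ssha_verify(password, line[len("olcRootPW: "):].strip())
    raise ValueError("no olcRootPW attribute found")


# Constructed sample: the Step 4 olcRootPW change, hashed from 'Secret123'.
SAMPLE_DB_LDIF = (
    "dn: olcDatabase={2}mdb,cn=config\n"
    "changetype: modify\n"
    "replace: olcRootPW\n"
    f"olcRootPW: {ssha_hash('Secret123')}\n"
)

if __name__ == "__main__":
    print("hash matches:", verify_rootpw_in_ldif(SAMPLE_DB_LDIF, "Secret123"))
```

{SSHA} is salted SHA-1, which slapd still accepts; OpenLDAP 2.5 and later also ship the pw-argon2 password module, which is the stronger choice where it is available.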

Identify Database Backend

sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config dn

Rocky Linux 9 uses the MDB (Memory-Mapped Database) backend by default (olcDatabase={2}mdb), which is recommended for performance and stability.

Configure Base DN and Admin DN

Create db.ldif:

dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=example,dc=com
-
replace: olcRootDN
olcRootDN: cn=admin,dc=example,dc=com
-
# Paste the {SSHA} hash produced by slappasswd below
replace: olcRootPW
olcRootPW: {SSHA}YOUR_HASH_HERE

Apply configuration:

sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f db.ldif

Step 5: Load Required Schemas

These schemas are required for creating standard LDAP users, groups, and POSIX accounts on Rocky Linux 9.

sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

Verify:

sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config dn

Step 6: Create Base DN and OUs

Base DN

The Base DN represents the root of your LDAP directory tree. All users and groups will be created under this namespace.

add-base.ldif

dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: Example Organization
dc: example

sudo ldapadd -x -D cn=admin,dc=example,dc=com -W -f add-base.ldif

Organizational Units

Organizational Units (OUs) help logically separate users and groups inside the LDAP directory.

ou.ldif

dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=example,dc=com
objectClass: organizationalUnit
ou: groups

sudo ldapadd -x -D cn=admin,dc=example,dc=com -W -f ou.ldif
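The db.ldif modification in Step 4 and the add operations in Step 6 follow two different LDIF rules: several changes to one entry are joined by a lone "-" line under a single dn, while separate entries are separated by a blank line. As an added example (not part of the original page), the Python below generates both kinds of record, base64-encodes values LDIF cannot carry literally, and reproduces the page's db.ldif and ou.ldif as constructed samples.

```python
import base64
from typing import Sequence, Tuple

Attrs = Sequence[Tuple[str, str]]


def ldif_attr(name: str, value: str) -> str:
    """Render one attribute line. Values LDIF cannot carry literally (leading
    ':' or '<', leading/trailing space, non-ASCII, newlines) go out base64 with '::'."""
    if value.startswith((":", "<")) or value != value.strip() or not value.isascii() or "\n" in value:
        encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
        return f"{name}:: {encoded}"
    return f"{name}: {value}"


def modify_record(dn: str, replacements: Attrs) -> str:
    """One 'changetype: modify' record for ldapmodify. Several replace
    operations on the same entry are separated by a lone '-' line; the dn
    appears once at the top, not before every change."""
    lines = [f"dn: {dn}", "changetype: modify"]
    for index, (attr, value) in enumerate(replacements):
        if index:
            lines.append("-")
        lines.extend([f"replace: {attr}", ldif_attr(attr, value)])
    return "\n".join(lines) + "\n"


def add_records(entries: Sequence[Tuple[str, Attrs]]) -> str:
    """Entries for ldapadd. Each record begins with its own dn line and records
    are separated by a blank line; '-' has no place between them."""
    records = []
    for dn, attrs in entries:
        lines = [f"dn: {dn}"] + [ldif_attr(a, v) for a, v in attrs]
        records.append("\n".join(lines) + "\n")
    return "\n".join(records)


# Constructed sample: the Step 4 db.ldif (hash left as the page's placeholder).
DB_LDIF = modify_record("olcDatabase={2}mdb,cn=config", [
    ("olcSuffix", "dc=example,dc=com"),
    ("olcRootDN", "cn=admin,dc=example,dc=com"),
    ("olcRootPW", "{SSHA}YOUR_HASH_HERE"),
])

# Constructed sample: the two organizational units from Step 6.
OU_LDIF = add_records([
    ("ou=people,dc=example,dc=com", [("objectClass", "organizationalUnit"), ("ou", "people")]),
    ("ou=groups,dc=example,dc=com", [("objectClass", "organizationalUnit"), ("ou", "groups")]),
])
```

Write the returned strings to files and apply them with the ldapmodify and ldapadd commands shown in the steps above.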

Step 7: Manage Users and Groups

Add User

new_user.ldif

dn: uid=jdoe,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
cn: John Doe
sn: Doe
uid: jdoe
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/jdoe
loginShell: /bin/bash
mail: jdoe@example.com
userPassword: {SSHA}USER_HASH

sudo ldapadd -x -D cn=admin,dc=example,dc=com -W -f new_user.ldif

Add Group

new_group.ldif

dn: cn=developers,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: developers
gidNumber: 1001

sudo ldapadd -x -D cn=admin,dc=example,dc=com -W -f new_group.ldif

Modify User

modify_user.ldif

dn: uid=jdoe,ou=people,dc=example,dc=com
changetype: modify
replace: loginShell
loginShell: /bin/zsh

sudo ldapmodify -x -D cn=admin,dc=example,dc=com -W -f modify_user.ldif

Delete User or Group

sudo ldapdelete -x -D cn=admin,dc=example,dc=com -W uid=jdoe,ou=people,dc=example,dc=com
sudo ldapdelete -x -D cn=admin,dc=example,dc=com -W cn=developers,ou=groups,dc=example,dc=com

Frequently Asked Questions

1. Does Rocky Linux 9 use slapd.conf for OpenLDAP configuration?

No. Rocky Linux 9 uses the dynamic cn=config backend. All OpenLDAP configuration changes are performed using LDAP operations such as ldapmodify, not slapd.conf.

2. Which database backend is used by OpenLDAP on Rocky Linux 9?

OpenLDAP on Rocky Linux 9 uses the MDB (Memory-Mapped Database) backend by default, which is recommended for performance and stability.

3. Do I need the Plus repository to install OpenLDAP on Rocky Linux 9?

Yes. The openldap-servers package is provided through the Plus repository, which must be enabled before installation.

4. Can this OpenLDAP setup be used on RHEL 9 or AlmaLinux 9?

Yes. The steps in this guide are fully compatible with RHEL 9 and AlmaLinux 9, as they share the same base architecture.

5. Is this OpenLDAP setup suitable for production use?

Yes. This guide configures OpenLDAP using the supported cn=config backend and MDB database. For production environments, TLS (LDAPS) should also be configured.

Conclusion

You have successfully installed and configured OpenLDAP on Rocky Linux 9 using the modern cn=config backend. This setup provides a clean, extensible foundation for centralized authentication and directory services in RHEL-based environments.


References

For more detailed instructions and further information, refer to the Official OpenLDAP Admin Guide.