Install and Setup OpenLDAP server on Ubuntu 22.04

In this tutorial, you will learn how to install and set up OpenLDAP Server on Ubuntu 22.04.

Installing OpenLDAP Server on Ubuntu 22.04

Update your System Package Cache

Before you begin, ensure your system package cache is up-to-date.

apt update

Build and Install OpenLDAP Server on Ubuntu 22.04

The default Ubuntu 22.04 repositories provide OpenLDAP 2.5.6;

apt-cache policy slapd
slapd:
  Installed: (none)
  Candidate: 2.5.6+dfsg-1~exp1ubuntu1
  Version table:
     2.5.6+dfsg-1~exp1ubuntu1 500
        500 http://ke.archive.ubuntu.com/ubuntu jammy/main amd64 Packages

As of this writing, OpenLDAP 2.6.0 is the current stable release, as per the release page.

To run the latest version of OpenLDAP, you therefore need to build it from source.

Create OpenLDAP System Account

Create a non-privileged system user to run OpenLDAP.

useradd -r -M -d /var/lib/openldap -s /usr/sbin/nologin ldap

Install Required Dependencies and Build Tools

Quite a number of dependencies and build tools are required to build and compile OpenLDAP from source. They can be installed by running the command below;

apt install libsasl2-dev \
	make \
	libtool \
	libperl-dev \
	build-essential \
	openssl \
	libevent-dev \
	libargon2-dev \
	wget \
	pkg-config \
	wiredtiger \
	libsystemd-dev \
	libssl-dev -y

Download OpenLDAP Source Code

Navigate to the OpenLDAP downloads page and grab the tarball.

VER=2.6.0
wget https://www.openldap.org/software/download/OpenLDAP/openldap-release/openldap-$VER.tgz

Extract the OpenLDAP Source Code

The tarball can be extracted by running the command;

tar xzf openldap-$VER.tgz

Install OpenLDAP Server on Ubuntu 22.04

Compile and install OpenLDAP server on Ubuntu 22.04 as follows;

cd openldap-$VER
./configure \
    --prefix=/usr \
    --sysconfdir=/etc \
    --disable-static \
    --enable-debug \
    --with-tls=openssl \
    --with-cyrus-sasl \
    --enable-dynamic \
    --enable-crypt \
    --enable-spasswd \
    --enable-slapd \
    --enable-modules \
    --enable-rlookups \
    --enable-backends=mod \
    --disable-sql \
    --enable-ppolicy=mod \
    --enable-syslog \
    --enable-overlays=mod \
    --with-systemd \
    --enable-wt=no

If the command ends with an error, fix it before you proceed. Otherwise, the command should produce output similar to the following, ending with the hint to run make depend;

Configuring OpenLDAP 2.6.0-Release ...
checking build system type... x86_64-pc-linux-gnu
checking host system type... x86_64-pc-linux-gnu
checking target system type... x86_64-pc-linux-gnu
checking configure arguments... done
checking for cc... cc
checking for ar... ar
checking for strip... strip
checking whether make sets $(MAKE)... yes
checking how to print strings... printf
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables... 
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether cc accepts -g... yes
checking for cc option to accept ISO C89... none needed
checking for a sed that does not truncate output... /usr/bin/sed
checking for grep that handles long lines and -e... /usr/bin/grep
checking for egrep... /usr/bin/grep -E
checking for fgrep... /usr/bin/grep -F
checking for ld used by cc... /usr/bin/ld
checking if the linker (/usr/bin/ld) is GNU ld... yes
checking for BSD- or MS-compatible name lister (nm)... /usr/bin/nm -B
checking the name lister (/usr/bin/nm -B) interface... BSD nm
checking whether ln -s works... yes
checking the maximum length of command line arguments... 1572864
checking how to convert x86_64-pc-linux-gnu file names to x86_64-pc-linux-gnu format... func_convert_file_noop
checking how to convert x86_64-pc-linux-gnu file names to toolchain format... func_convert_file_noop
checking for /usr/bin/ld option to reload object files... -r
checking for objdump... objdump
checking how to recognize dependent libraries... pass_all
checking for dlltool... no
checking how to associate runtime and link libraries... printf %s\n
checking for archiver @FILE support... @
checking for ranlib... ranlib
checking for gawk... no
checking for mawk... mawk
checking command to parse /usr/bin/nm -B output from cc object... ok
checking for sysroot... no
checking for a working dd... /usr/bin/dd
checking how to truncate binary pipes... /usr/bin/dd bs=4096 count=1
checking for mt... mt
checking if mt is a manifest tool... no
checking how to run the C preprocessor... cc -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking for dlfcn.h... yes
checking for objdir... .libs
checking if cc supports -fno-rtti -fno-exceptions... no
checking for cc option to produce PIC... -fPIC -DPIC
checking if cc PIC flag -fPIC -DPIC works... yes
checking if cc static flag -static works... yes
checking if cc supports -c -o file.o... yes
checking if cc supports -c -o file.o... (cached) yes
checking whether the cc linker (/usr/bin/ld -m elf_x86_64) supports shared libraries... yes
checking whether -lc should be explicitly linked in... no
checking dynamic linker characteristics... GNU/Linux ld.so
checking how to hardcode library paths into programs... immediate
checking for shl_load... no
checking for shl_load in -ldld... no
checking for dlopen... yes
checking whether a program can dlopen itself... yes
checking whether a statically linked program can dlopen itself... no
checking whether stripping libraries is possible... yes
checking if libtool supports shared libraries... yes
checking whether to build shared libraries... yes
checking whether to build static libraries... no
checking for perl... /usr/bin/perl
checking how to run the C preprocessor... cc -E
checking whether we are using MS Visual C++... no
checking for windres... no
checking for be_app in -lbe... no
checking whether we are using the GNU C compiler... (cached) yes
checking whether cc accepts -g... (cached) yes
checking for cc option to accept ISO C89... (cached) none needed
checking for cc depend flag... -M
checking for afopen in -ls... no
checking ltdl.h usability... yes
checking ltdl.h presence... yes
checking for ltdl.h... yes
checking for lt_dlinit in -lltdl... yes
checking for EBCDIC... no
checking for ANSI C header files... yes
checking for dirent.h that defines DIR... yes
checking for library containing opendir... none required
checking for sys/wait.h that is POSIX.1 compatible... yes
checking whether termios.h defines TIOCGWINSZ... no
checking whether sys/ioctl.h defines TIOCGWINSZ... yes
checking arpa/inet.h usability... yes
checking arpa/inet.h presence... yes
checking for arpa/inet.h... yes
checking arpa/nameser.h usability... yes
checking arpa/nameser.h presence... yes
checking for arpa/nameser.h... yes
checking assert.h usability... yes
checking assert.h presence... yes
checking for assert.h... yes
checking bits/types.h usability... yes
checking bits/types.h presence... yes
checking for bits/types.h... yes
checking conio.h usability... no
checking conio.h presence... no
checking for conio.h... no
checking crypt.h usability... yes
checking crypt.h presence... yes
checking for crypt.h... yes
checking direct.h usability... no
checking direct.h presence... no
checking for direct.h... no
checking errno.h usability... yes
checking errno.h presence... yes
checking for errno.h... yes
checking fcntl.h usability... yes
checking fcntl.h presence... yes
checking for fcntl.h... yes
checking filio.h usability... no
checking filio.h presence... no
checking for filio.h... no
checking getopt.h usability... yes
checking getopt.h presence... yes
checking for getopt.h... yes
checking grp.h usability... yes
checking grp.h presence... yes
checking for grp.h... yes
checking io.h usability... no
checking io.h presence... no
checking for io.h... no
checking libutil.h usability... no
checking libutil.h presence... no
checking for libutil.h... no
checking limits.h usability... yes
checking limits.h presence... yes
checking for limits.h... yes
checking locale.h usability... yes
checking locale.h presence... yes
checking for locale.h... yes
checking malloc.h usability... yes
checking malloc.h presence... yes
checking for malloc.h... yes
checking for memory.h... (cached) yes
checking psap.h usability... no
checking psap.h presence... no
checking for psap.h... no
checking pwd.h usability... yes
checking pwd.h presence... yes
checking for pwd.h... yes
checking process.h usability... no
checking process.h presence... no
checking for process.h... no
checking sgtty.h usability... yes
checking sgtty.h presence... yes
checking for sgtty.h... yes
checking shadow.h usability... yes
checking shadow.h presence... yes
checking for shadow.h... yes
checking stddef.h usability... yes
checking stddef.h presence... yes
checking for stddef.h... yes
checking for string.h... (cached) yes
checking for strings.h... (cached) yes
checking sysexits.h usability... yes
checking sysexits.h presence... yes
checking for sysexits.h... yes
checking sys/file.h usability... yes
checking sys/file.h presence... yes
checking for sys/file.h... yes
checking sys/filio.h usability... no
checking sys/filio.h presence... no
checking for sys/filio.h... no
checking sys/fstyp.h usability... no
checking sys/fstyp.h presence... no
checking for sys/fstyp.h... no
checking sys/errno.h usability... yes
checking sys/errno.h presence... yes
checking for sys/errno.h... yes
checking sys/ioctl.h usability... yes
checking sys/ioctl.h presence... yes
checking for sys/ioctl.h... yes
checking sys/param.h usability... yes
checking sys/param.h presence... yes
checking for sys/param.h... yes
checking sys/privgrp.h usability... no
checking sys/privgrp.h presence... no
checking for sys/privgrp.h... no
checking sys/resource.h usability... yes
checking sys/resource.h presence... yes
checking for sys/resource.h... yes
checking sys/select.h usability... yes
checking sys/select.h presence... yes
checking for sys/select.h... yes
checking sys/socket.h usability... yes
checking sys/socket.h presence... yes
checking for sys/socket.h... yes
checking for sys/stat.h... (cached) yes
checking sys/syslog.h usability... yes
checking sys/syslog.h presence... yes
checking for sys/syslog.h... yes
checking sys/time.h usability... yes
checking sys/time.h presence... yes
checking for sys/time.h... yes
checking for sys/types.h... (cached) yes
checking sys/uio.h usability... yes
checking sys/uio.h presence... yes
checking for sys/uio.h... yes
checking sys/vmount.h usability... no
checking sys/vmount.h presence... no
checking for sys/vmount.h... no
checking syslog.h usability... yes
checking syslog.h presence... yes
checking for syslog.h... yes
checking termios.h usability... yes
checking termios.h presence... yes
checking for termios.h... yes
checking for unistd.h... (cached) yes
checking utime.h usability... yes
checking utime.h presence... yes
checking for utime.h... yes
checking for resolv.h... yes
checking for netinet/tcp.h... yes
checking for sys/ucred.h... no
checking for sigaction... yes
checking for sigset... yes
checking for fmemopen... yes
checking for socket... yes
checking for select... yes
checking for sys/select.h... (cached) yes
checking for sys/socket.h... (cached) yes
checking types of arguments for select... int,fd_set *,struct timeval *
checking for poll... yes
checking poll.h usability... yes
checking poll.h presence... yes
checking for poll.h... yes
checking sys/poll.h usability... yes
checking sys/poll.h presence... yes
checking for sys/poll.h... yes
checking sys/epoll.h usability... yes
checking sys/epoll.h presence... yes
checking for sys/epoll.h... yes
checking for epoll system call... yes
checking sys/event.h usability... no
checking sys/event.h presence... no
checking for sys/event.h... no
checking sys/devpoll.h usability... no
checking sys/devpoll.h presence... no
checking for sys/devpoll.h... no
checking for strerror... yes
checking for strerror_r... yes
checking non-posix strerror_r... no
checking for regex.h... yes
checking for library containing regfree... none required
checking for compatible POSIX regex... yes
checking sys/uuid.h usability... no
checking sys/uuid.h presence... no
checking for sys/uuid.h... no
checking uuid/uuid.h usability... no
checking uuid/uuid.h presence... no
checking for uuid/uuid.h... no
checking to see if -lrpcrt4 is needed for win32 UUID support... no
checking for resolver link (default)... yes
checking for hstrerror... yes
checking for getaddrinfo... yes
checking for getnameinfo... yes
checking for gai_strerror... yes
checking for inet_ntop... yes
checking INET6_ADDRSTRLEN... yes
checking struct sockaddr_storage... yes
checking sys/un.h usability... yes
checking sys/un.h presence... yes
checking for sys/un.h... yes
checking openssl/ssl.h usability... yes
checking openssl/ssl.h presence... yes
checking for openssl/ssl.h... yes
checking for SSL_export_keying_material_early in -lssl... yes
checking for _beginthread... no
checking pthread.h usability... yes
checking pthread.h presence... yes
checking for pthread.h... yes
checking POSIX thread version... 10
checking for LinuxThreads pthread.h... no
checking for GNU Pth pthread.h... no
checking sched.h usability... yes
checking sched.h presence... yes
checking for sched.h... yes
checking for pthread_create in default libraries... yes
checking for sched_yield... yes
checking for pthread_yield... no
checking for thr_yield... no
checking for pthread_kill... yes
checking for pthread_rwlock_destroy with ... yes
checking for pthread_detach with ... yes
checking for pthread_setconcurrency... yes
checking for pthread_getconcurrency... yes
checking for thr_setconcurrency... no
checking for thr_getconcurrency... no
checking for pthread_kill_other_threads_np... no
checking for LinuxThreads implementation... no
checking for LinuxThreads consistency... no
checking if pthread_create() works... yes
checking if select yields when using pthreads... yes
checking for thread specific errno... yes
checking for thread specific h_errno... yes
checking for ctime_r... yes
checking for gmtime_r... yes
checking for localtime_r... yes
checking for gethostbyname_r... yes
checking for gethostbyaddr_r... yes
checking number of arguments of ctime_r... 2
checking number of arguments of gethostbyname_r... 6
checking number of arguments of gethostbyaddr_r... 8
checking for openlog... yes
checking sasl/sasl.h usability... yes
checking sasl/sasl.h presence... yes
checking for sasl/sasl.h... yes
checking sasl.h usability... no
checking sasl.h presence... no
checking for sasl.h... no
checking for sasl_client_init in -lsasl2... yes
checking Cyrus SASL library version... yes
checking for sasl_version... yes
checking systemd/sd-daemon.h usability... yes
checking systemd/sd-daemon.h presence... yes
checking for systemd/sd-daemon.h... yes
checking for sd_notify in -lsystemd... yes
checking fetch(3) library... no
checking for crypt... no
checking for crypt in -lcrypt... yes
checking for crypt_r in -lcrypt... yes
checking for mode_t... yes
checking for off_t... yes
checking for pid_t... yes
checking for ssize_t... yes
checking for caddr_t... yes
checking for size_t... yes
checking for long long... yes
checking for ptrdiff_t... yes
checking for socklen_t... yes
checking the type of arg 3 to accept()... socklen_t *
checking for sig_atomic_t... yes
checking for uid_t in sys/types.h... yes
checking for sys/time.h... (cached) yes
checking whether struct tm is in sys/time.h or time.h... time.h
checking for struct stat.st_blksize... yes
checking for struct passwd.pw_gecos... yes
checking for struct passwd.pw_passwd... yes
checking if toupper() requires islower()... no
checking for an ANSI C-conforming const... yes
checking if compiler understands volatile... yes
checking whether byte ordering is bigendian... no
checking size of short... 2
checking size of int... 4
checking size of long... 8
checking size of long long... 8
checking size of wchar_t... 4
checking for working memcmp... yes
checking for strftime... yes
checking for inet_aton()... yes
checking for _spawnlp... no
checking for _snprintf... no
checking for vsnprintf... yes
checking for _vsnprintf... no
checking for vprintf... yes
checking for _doprnt... no
checking for snprintf... yes
checking for vsnprintf... (cached) yes
checking for bcopy... yes
checking for clock_gettime... yes
checking for closesocket... no
checking for chroot... yes
checking for endgrent... yes
checking for endpwent... yes
checking for fcntl... yes
checking for flock... yes
checking for fstat... yes
checking for getdtablesize... yes
checking for geteuid... yes
checking for getgrgid... yes
checking for gethostname... yes
checking for getpassphrase... no
checking for getpwuid... yes
checking for getpwnam... yes
checking for getspnam... yes
checking for gettimeofday... yes
checking for initgroups... yes
checking for inet_ntoa_b... no
checking for ioctl... yes
checking for lockf... yes
checking for memcpy... yes
checking for memmove... yes
checking for memrchr... yes
checking for mkstemp... yes
checking for mktemp... yes
checking for pipe... yes
checking for read... yes
checking for recv... yes
checking for recvfrom... yes
checking for setpwfile... no
checking for setgid... yes
checking for setegid... yes
checking for setsid... yes
checking for setuid... yes
checking for seteuid... yes
checking for signal... yes
checking for strdup... yes
checking for strpbrk... yes
checking for strrchr... yes
checking for strsep... yes
checking for strstr... yes
checking for strtol... yes
checking for strtoul... yes
checking for strtoq... yes
checking for strtouq... yes
checking for strtoll... yes
checking for strtoull... yes
checking for strspn... yes
checking for sysconf... yes
checking for waitpid... yes
checking for wait4... yes
checking for write... yes
checking for send... yes
checking for sendmsg... yes
checking for sendto... yes
checking for getopt... yes
checking for getpeereid... no
checking for getpeerucred... no
checking for struct msghdr.msg_accrightslen... no
checking for struct msghdr.msg_control... yes
checking for struct stat.st_fstype... no
checking for struct stat.st_vfstype... no
configure: creating ./config.status
config.status: creating Makefile
config.status: creating doc/Makefile
config.status: creating doc/man/Makefile
config.status: creating doc/man/man1/Makefile
config.status: creating doc/man/man3/Makefile
config.status: creating doc/man/man5/Makefile
config.status: creating doc/man/man8/Makefile
config.status: creating clients/Makefile
config.status: creating clients/tools/Makefile
config.status: creating include/Makefile
config.status: creating libraries/Makefile
config.status: creating libraries/liblber/Makefile
config.status: creating libraries/liblber/lber.pc
config.status: creating libraries/libldap/Makefile
config.status: creating libraries/libldap/ldap.pc
config.status: creating libraries/liblunicode/Makefile
config.status: creating libraries/liblutil/Makefile
config.status: creating libraries/librewrite/Makefile
config.status: creating servers/Makefile
config.status: creating servers/slapd/Makefile
config.status: creating servers/slapd/back-dnssrv/Makefile
config.status: creating servers/slapd/back-ldap/Makefile
config.status: creating servers/slapd/back-ldif/Makefile
config.status: creating servers/slapd/back-mdb/Makefile
config.status: creating servers/slapd/back-meta/Makefile
config.status: creating servers/slapd/back-asyncmeta/Makefile
config.status: creating servers/slapd/back-monitor/Makefile
config.status: creating servers/slapd/back-null/Makefile
config.status: creating servers/slapd/back-passwd/Makefile
config.status: creating servers/slapd/back-perl/Makefile
config.status: creating servers/slapd/back-relay/Makefile
config.status: creating servers/slapd/back-sock/Makefile
config.status: creating servers/slapd/back-sql/Makefile
config.status: creating servers/slapd/back-wt/Makefile
config.status: creating servers/slapd/slapi/Makefile
config.status: creating servers/slapd/overlays/Makefile
config.status: creating servers/slapd/pwmods/Makefile
config.status: creating servers/lloadd/Makefile
config.status: creating servers/lloadd/Makefile.server
config.status: creating servers/lloadd/Makefile.module
config.status: creating tests/Makefile
config.status: creating tests/run
config.status: creating tests/progs/Makefile
config.status: creating include/portable.h
config.status: creating include/ldap_features.h
config.status: creating include/lber_types.h
config.status: executing libtool commands
config.status: executing default commands
Making servers/slapd/backends.c
    Add config ...
    Add ldif ...
    Add monitor ...
Making servers/slapd/overlays/statover.c
Please run "make depend" to build dependencies

Next, run the make depend command to build OpenLDAP dependencies.

make depend

Compile and install OpenLDAP on Ubuntu 22.04;

make
make install

Sample installation output;

----------------------------------------------------------------------
Libraries have been installed in:
   /usr/libexec/openldap

If you ever happen to want to link against installed libraries
in a given directory, LIBDIR, you must either use libtool, and
specify the full pathname of the library, or use the '-LLIBDIR'
flag during linking and do at least one of the following:
   - add LIBDIR to the 'LD_LIBRARY_PATH' environment variable
     during execution
   - add LIBDIR to the 'LD_RUN_PATH' environment variable
     during linking
   - use the '-Wl,-rpath -Wl,LIBDIR' linker flag
   - have your system administrator add LIBDIR to '/etc/ld.so.conf'

See any operating system documentation about shared libraries for
more information, such as the ld(1) and ld.so(8) manual pages.
----------------------------------------------------------------------
make[3]: Leaving directory '/root/openldap-2.6.0/servers/slapd/overlays'

  cd pwmods && make -w install
make[3]: Entering directory '/root/openldap-2.6.0/servers/slapd/pwmods'
make[3]: Leaving directory '/root/openldap-2.6.0/servers/slapd/pwmods'
../../build/shtool mkdir -p /usr/sbin
for i in slapadd slapcat slapdn slapindex slapmodify slappasswd slaptest slapauth slapacl slapschema; do \
	rm -f /usr/sbin/$i; \
	../../build/shtool mkln -s -f /usr/libexec/slapd /usr/sbin/$i; \
done
../../build/shtool install -c  -m 600 slapd.conf.tmp /etc/openldap/slapd.conf.default
if test ! -f /etc/openldap/slapd.conf; then \
	echo "installing slapd.conf in /etc/openldap"; \
	echo "../../build/shtool install -c  -m 600 slapd.conf.tmp /etc/openldap/slapd.conf"; \
	../../build/shtool install -c  -m 600 slapd.conf.tmp /etc/openldap/slapd.conf; \
else \
	echo "PRESERVING EXISTING CONFIGURATION FILE /etc/openldap/slapd.conf" ; \
fi
installing slapd.conf in /etc/openldap
../../build/shtool install -c  -m 600 slapd.conf.tmp /etc/openldap/slapd.conf
../../build/shtool install -c  -m 600 slapd.ldif.tmp /etc/openldap/slapd.ldif.default
if test ! -f /etc/openldap/slapd.ldif; then \
	echo "installing slapd.ldif in /etc/openldap"; \
	echo "../../build/shtool install -c  -m 600 slapd.ldif.tmp /etc/openldap/slapd.ldif"; \
	../../build/shtool install -c  -m 600 slapd.ldif.tmp /etc/openldap/slapd.ldif; \
else \
	echo "PRESERVING EXISTING CONFIGURATION FILE /etc/openldap/slapd.ldif" ; \
fi
installing slapd.ldif in /etc/openldap
../../build/shtool install -c  -m 600 slapd.ldif.tmp /etc/openldap/slapd.ldif
if test -n "/usr/lib/systemd/system" && test ! -f /usr/lib/systemd/system/slapd.service; then \
	../../build/shtool mkdir -p /usr/lib/systemd/system; \
	echo "installing slapd.service in /usr/lib/systemd/system"; \
	echo "../../build/shtool install -c  -m 644 slapd.service.tmp /usr/lib/systemd/system/slapd.service"; \
	../../build/shtool install -c  -m 644 slapd.service.tmp /usr/lib/systemd/system/slapd.service; \
fi
installing slapd.service in /usr/lib/systemd/system
../../build/shtool install -c  -m 644 slapd.service.tmp /usr/lib/systemd/system/slapd.service
../../build/shtool mkdir -p /etc/openldap/schema
../../build/shtool install -c -m 444 schema/README /etc/openldap/schema/README
../../build/shtool install -c -m 444 schema/collective.ldif /etc/openldap/schema/collective.ldif
../../build/shtool install -c -m 444 schema/corba.ldif /etc/openldap/schema/corba.ldif
../../build/shtool install -c -m 444 schema/core.ldif /etc/openldap/schema/core.ldif
../../build/shtool install -c -m 444 schema/cosine.ldif /etc/openldap/schema/cosine.ldif
../../build/shtool install -c -m 444 schema/dsee.ldif /etc/openldap/schema/dsee.ldif
../../build/shtool install -c -m 444 schema/duaconf.ldif /etc/openldap/schema/duaconf.ldif
../../build/shtool install -c -m 444 schema/dyngroup.ldif /etc/openldap/schema/dyngroup.ldif
../../build/shtool install -c -m 444 schema/inetorgperson.ldif /etc/openldap/schema/inetorgperson.ldif
../../build/shtool install -c -m 444 schema/java.ldif /etc/openldap/schema/java.ldif
../../build/shtool install -c -m 444 schema/misc.ldif /etc/openldap/schema/misc.ldif
../../build/shtool install -c -m 444 schema/msuser.ldif /etc/openldap/schema/msuser.ldif
../../build/shtool install -c -m 444 schema/namedobject.ldif /etc/openldap/schema/namedobject.ldif
../../build/shtool install -c -m 444 schema/nis.ldif /etc/openldap/schema/nis.ldif
../../build/shtool install -c -m 444 schema/openldap.ldif /etc/openldap/schema/openldap.ldif
../../build/shtool install -c -m 444 schema/pmi.ldif /etc/openldap/schema/pmi.ldif
../../build/shtool install -c -m 444 schema/collective.schema /etc/openldap/schema/collective.schema
../../build/shtool install -c -m 444 schema/corba.schema /etc/openldap/schema/corba.schema
../../build/shtool install -c -m 444 schema/core.schema /etc/openldap/schema/core.schema
../../build/shtool install -c -m 444 schema/cosine.schema /etc/openldap/schema/cosine.schema
../../build/shtool install -c -m 444 schema/dsee.schema /etc/openldap/schema/dsee.schema
../../build/shtool install -c -m 444 schema/duaconf.schema /etc/openldap/schema/duaconf.schema
../../build/shtool install -c -m 444 schema/dyngroup.schema /etc/openldap/schema/dyngroup.schema
../../build/shtool install -c -m 444 schema/inetorgperson.schema /etc/openldap/schema/inetorgperson.schema
../../build/shtool install -c -m 444 schema/java.schema /etc/openldap/schema/java.schema
../../build/shtool install -c -m 444 schema/misc.schema /etc/openldap/schema/misc.schema
../../build/shtool install -c -m 444 schema/msuser.schema /etc/openldap/schema/msuser.schema
../../build/shtool install -c -m 444 schema/namedobject.schema /etc/openldap/schema/namedobject.schema
../../build/shtool install -c -m 444 schema/nis.schema /etc/openldap/schema/nis.schema
../../build/shtool install -c -m 444 schema/openldap.schema /etc/openldap/schema/openldap.schema
../../build/shtool install -c -m 444 schema/pmi.schema /etc/openldap/schema/pmi.schema
make[2]: Leaving directory '/root/openldap-2.6.0/servers/slapd'
 
  Entering subdirectory lloadd
make[2]: Entering directory '/root/openldap-2.6.0/servers/lloadd'
make[2]: Nothing to be done for 'install'.
make[2]: Leaving directory '/root/openldap-2.6.0/servers/lloadd'
 
make[1]: Leaving directory '/root/openldap-2.6.0/servers'
 
  Entering subdirectory tests
make[1]: Entering directory '/root/openldap-2.6.0/tests'
Making install in /root/openldap-2.6.0/tests
  Entering subdirectory progs
make[2]: Entering directory '/root/openldap-2.6.0/tests/progs'
make[2]: Nothing to be done for 'install'.
make[2]: Leaving directory '/root/openldap-2.6.0/tests/progs'
 
make[1]: Leaving directory '/root/openldap-2.6.0/tests'
 
  Entering subdirectory doc
make[1]: Entering directory '/root/openldap-2.6.0/doc'
Making install in /root/openldap-2.6.0/doc
  Entering subdirectory man
make[2]: Entering directory '/root/openldap-2.6.0/doc/man'
Making install in /root/openldap-2.6.0/doc/man
  Entering subdirectory man1
make[3]: Entering directory '/root/openldap-2.6.0/doc/man/man1'
../../../build/shtool mkdir -p /usr/share/man/man1
PAGES=`cd .; echo *.1`; \
for page in $PAGES; do \
	echo "installing $page in /usr/share/man/man1"; \
	rm -f /usr/share/man/man1/$page; \
	../../../build/shtool install -c  -m 644 $page.tmp /usr/share/man/man1/$page; \
	if test -f "./$page.links" ; then \
		for link in `cat ./$page.links`; do \
			echo "installing $link in /usr/share/man/man1 as link to $page"; \
			rm -f /usr/share/man/man1/$link ; \
			../../../build/shtool mkln -s /usr/share/man/man1/$page /usr/share/man/man1/$link; \
		done; \
	fi; \
done
installing ldapcompare.1 in /usr/share/man/man1
installing ldapdelete.1 in /usr/share/man/man1
installing ldapexop.1 in /usr/share/man/man1
installing ldapmodify.1 in /usr/share/man/man1
installing ldapadd.1 in /usr/share/man/man1 as link to ldapmodify.1
installing ldapmodrdn.1 in /usr/share/man/man1
installing ldappasswd.1 in /usr/share/man/man1
installing ldapsearch.1 in /usr/share/man/man1
installing ldapurl.1 in /usr/share/man/man1
installing ldapvc.1 in /usr/share/man/man1
installing ldapwhoami.1 in /usr/share/man/man1
make[3]: Leaving directory '/root/openldap-2.6.0/doc/man/man1'
 
  Entering subdirectory man3
make[3]: Entering directory '/root/openldap-2.6.0/doc/man/man3'
../../../build/shtool mkdir -p /usr/share/man/man3
PAGES=`cd .; echo *.3`; \
for page in $PAGES; do \
	echo "installing $page in /usr/share/man/man3"; \
	rm -f /usr/share/man/man3/$page; \
	../../../build/shtool install -c  -m 644 $page.tmp /usr/share/man/man3/$page; \
	if test -f "./$page.links" ; then \
		for link in `cat ./$page.links`; do \
			echo "installing $link in /usr/share/man/man3 as link to $page"; \
			rm -f /usr/share/man/man3/$link ; \
			../../../build/shtool mkln -s /usr/share/man/man3/$page /usr/share/man/man3/$link; \
		done; \
	fi; \
done
installing lber-decode.3 in /usr/share/man/man3
installing ber_get_next.3 in /usr/share/man/man3 as link to lber-decode.3
installing ber_skip_tag.3 in /usr/share/man/man3 as link to lber-decode.3
installing ber_peek_tag.3 in /usr/share/man/man3 as link to lber-decode.3
installing ber_scanf.3 in /usr/share/man/man3 as link to lber-decode.3
installing ber_get_int.3 in /usr/share/man/man3 as link to lber-decode.3
installing ber_get_stringa.3 in /usr/share/man/man3 as link to lber-decode.3
installing ber_get_stringb.3 in /usr/share/man/man3 as link to lber-decode.3
installing ber_get_null.3 in /usr/share/man/man3 as link to lber-decode.3
installing ber_get_enum.3 in /usr/share/man/man3 as link to lber-decode.3
installing ber_get_boolean.3 in /usr/share/man/man3 as link to lber-decode.3
installing ber_get_bitstring.3 in /usr/share/man/man3 as link to lber-decode.3
installing ber_first_element.3 in /usr/share/man/man3 as link to lber-decode.3
installing ber_next_element.3 in /usr/share/man/man3 as link to lber-decode.3
installing lber-encode.3 in /usr/share/man/man3
installing ber_alloc_t.3 in /usr/share/man/man3 as link to lber-encode.3
installing ber_flush.3 in /usr/share/man/man3 as link to lber-encode.3
installing ber_printf.3 in /usr/share/man/man3 as link to lber-encode.3
installing ber_put_int.3 in /usr/share/man/man3 as link to lber-encode.3
installing ber_put_ostring.3 in /usr/share/man/man3 as link to lber-encode.3
installing ber_put_string.3 in /usr/share/man/man3 as link to lber-encode.3
installing ber_put_null.3 in /usr/share/man/man3 as link to lber-encode.3
installing ber_put_enum.3 in /usr/share/man/man3 as link to lber-encode.3
installing ber_start_set.3 in /usr/share/man/man3 as link to lber-encode.3
installing ber_put_seq.3 in /usr/share/man/man3 as link to lber-encode.3
installing ber_put_set.3 in /usr/share/man/man3 as link to lber-encode.3
installing lber-memory.3 in /usr/share/man/man3
installing lber-sockbuf.3 in /usr/share/man/man3
installing lber-types.3 in /usr/share/man/man3
installing ber_bvarray_add.3 in /usr/share/man/man3 as link to lber-types.3
installing ber_bvarray_free.3 in /usr/share/man/man3 as link to lber-types.3
installing ber_bvdup.3 in /usr/share/man/man3 as link to lber-types.3
installing ber_bvecadd.3 in /usr/share/man/man3 as link to lber-types.3
installing ber_bvecfree.3 in /usr/share/man/man3 as link to lber-types.3
installing ber_bvfree.3 in /usr/share/man/man3 as link to lber-types.3
installing ber_bvstr.3 in /usr/share/man/man3 as link to lber-types.3
installing ber_bvstrdup.3 in /usr/share/man/man3 as link to lber-types.3
installing ber_dupbv.3 in /usr/share/man/man3 as link to lber-types.3
installing ber_free.3 in /usr/share/man/man3 as link to lber-types.3
installing ber_str2bv.3 in /usr/share/man/man3 as link to lber-types.3
installing ldap.3 in /usr/share/man/man3
installing ldap_abandon.3 in /usr/share/man/man3
installing ldap_abandon_ext.3 in /usr/share/man/man3 as link to ldap_abandon.3
installing ldap_add.3 in /usr/share/man/man3
installing ldap_add_s.3 in /usr/share/man/man3 as link to ldap_add.3
installing ldap_add_ext.3 in /usr/share/man/man3 as link to ldap_add.3
installing ldap_add_ext_s.3 in /usr/share/man/man3 as link to ldap_add.3
installing ldap_bind.3 in /usr/share/man/man3
installing ldap_bind_s.3 in /usr/share/man/man3 as link to ldap_bind.3
installing ldap_simple_bind.3 in /usr/share/man/man3 as link to ldap_bind.3
installing ldap_simple_bind_s.3 in /usr/share/man/man3 as link to ldap_bind.3
installing ldap_sasl_bind.3 in /usr/share/man/man3 as link to ldap_bind.3
installing ldap_sasl_bind_s.3 in /usr/share/man/man3 as link to ldap_bind.3
installing ldap_unbind.3 in /usr/share/man/man3 as link to ldap_bind.3
installing ldap_unbind_ext.3 in /usr/share/man/man3 as link to ldap_bind.3
installing ldap_unbind_s.3 in /usr/share/man/man3 as link to ldap_bind.3
installing ldap_unbind_ext_s.3 in /usr/share/man/man3 as link to ldap_bind.3
installing ldap_set_rebind_proc.3 in /usr/share/man/man3 as link to ldap_bind.3
installing ldap_compare.3 in /usr/share/man/man3
installing ldap_compare_s.3 in /usr/share/man/man3 as link to ldap_compare.3
installing ldap_compare_ext.3 in /usr/share/man/man3 as link to ldap_compare.3
installing ldap_compare_ext_s.3 in /usr/share/man/man3 as link to ldap_compare.3
installing ldap_controls.3 in /usr/share/man/man3
installing ldap_control_create.3 in /usr/share/man/man3 as link to ldap_controls.3
installing ldap_control_find.3 in /usr/share/man/man3 as link to ldap_controls.3
installing ldap_control_dup.3 in /usr/share/man/man3 as link to ldap_controls.3
installing ldap_controls_dup.3 in /usr/share/man/man3 as link to ldap_controls.3
installing ldap_control_free.3 in /usr/share/man/man3 as link to ldap_controls.3
installing ldap_controls_free.3 in /usr/share/man/man3 as link to ldap_controls.3
installing ldap_delete.3 in /usr/share/man/man3
installing ldap_delete_s.3 in /usr/share/man/man3 as link to ldap_delete.3
installing ldap_delete_ext.3 in /usr/share/man/man3 as link to ldap_delete.3
installing ldap_delete_ext_s.3 in /usr/share/man/man3 as link to ldap_delete.3
installing ldap_dup.3 in /usr/share/man/man3
installing ldap_destroy.3 in /usr/share/man/man3 as link to ldap_dup.3
installing ldap_error.3 in /usr/share/man/man3
installing ldap_perror.3 in /usr/share/man/man3 as link to ldap_error.3
installing ld_errno.3 in /usr/share/man/man3 as link to ldap_error.3
installing ldap_result2error.3 in /usr/share/man/man3 as link to ldap_error.3
installing ldap_errlist.3 in /usr/share/man/man3 as link to ldap_error.3
installing ldap_err2string.3 in /usr/share/man/man3 as link to ldap_error.3
installing ldap_extended_operation.3 in /usr/share/man/man3
installing ldap_extended_operation_s.3 in /usr/share/man/man3 as link to ldap_extended_operation.3
installing ldap_first_attribute.3 in /usr/share/man/man3
installing ldap_next_attribute.3 in /usr/share/man/man3 as link to ldap_first_attribute.3
installing ldap_get_attribute_ber.3 in /usr/share/man/man3 as link to ldap_first_attribute.3
installing ldap_first_entry.3 in /usr/share/man/man3
installing ldap_next_entry.3 in /usr/share/man/man3 as link to ldap_first_entry.3
installing ldap_count_entries.3 in /usr/share/man/man3 as link to ldap_first_entry.3
installing ldap_first_message.3 in /usr/share/man/man3
installing ldap_next_message.3 in /usr/share/man/man3 as link to ldap_first_message.3
installing ldap_count_messages.3 in /usr/share/man/man3 as link to ldap_first_message.3
installing ldap_first_reference.3 in /usr/share/man/man3
installing ldap_next_reference.3 in /usr/share/man/man3 as link to ldap_first_reference.3
installing ldap_count_references.3 in /usr/share/man/man3 as link to ldap_first_reference.3
installing ldap_get_dn.3 in /usr/share/man/man3
installing ldap_explode_dn.3 in /usr/share/man/man3 as link to ldap_get_dn.3
installing ldap_explode_rdn.3 in /usr/share/man/man3 as link to ldap_get_dn.3
installing ldap_dn2ufn.3 in /usr/share/man/man3 as link to ldap_get_dn.3
installing ldap_str2dn.3 in /usr/share/man/man3 as link to ldap_get_dn.3
installing ldap_dnfree.3 in /usr/share/man/man3 as link to ldap_get_dn.3
installing ldap_dn2str.3 in /usr/share/man/man3 as link to ldap_get_dn.3
installing ldap_dn2dcedn.3 in /usr/share/man/man3 as link to ldap_get_dn.3
installing ldap_dcedn2dn.3 in /usr/share/man/man3 as link to ldap_get_dn.3
installing ldap_dn2ad_canonical.3 in /usr/share/man/man3 as link to ldap_get_dn.3
installing ldap_get_option.3 in /usr/share/man/man3
installing ldap_set_option.3 in /usr/share/man/man3 as link to ldap_get_option.3
installing ldap_get_values.3 in /usr/share/man/man3
installing ldap_get_values_len.3 in /usr/share/man/man3 as link to ldap_get_values.3
installing ldap_value_free.3 in /usr/share/man/man3 as link to ldap_get_values.3
installing ldap_value_free_len.3 in /usr/share/man/man3 as link to ldap_get_values.3
installing ldap_count_values.3 in /usr/share/man/man3 as link to ldap_get_values.3
installing ldap_count_values_len.3 in /usr/share/man/man3 as link to ldap_get_values.3
installing ldap_memory.3 in /usr/share/man/man3
installing ldap_memfree.3 in /usr/share/man/man3 as link to ldap_memory.3
installing ldap_memvfree.3 in /usr/share/man/man3 as link to ldap_memory.3
installing ldap_memalloc.3 in /usr/share/man/man3 as link to ldap_memory.3
installing ldap_memcalloc.3 in /usr/share/man/man3 as link to ldap_memory.3
installing ldap_memrealloc.3 in /usr/share/man/man3 as link to ldap_memory.3
installing ldap_strdup.3 in /usr/share/man/man3 as link to ldap_memory.3
installing ldap_modify.3 in /usr/share/man/man3
installing ldap_modify_s.3 in /usr/share/man/man3 as link to ldap_modify.3
installing ldap_modify_ext.3 in /usr/share/man/man3 as link to ldap_modify.3
installing ldap_modify_ext_s.3 in /usr/share/man/man3 as link to ldap_modify.3
installing ldap_mods_free.3 in /usr/share/man/man3 as link to ldap_modify.3
installing ldap_modrdn.3 in /usr/share/man/man3
installing ldap_modrdn_s.3 in /usr/share/man/man3 as link to ldap_modrdn.3
installing ldap_modrdn2.3 in /usr/share/man/man3 as link to ldap_modrdn.3
installing ldap_modrdn2_s.3 in /usr/share/man/man3 as link to ldap_modrdn.3
installing ldap_open.3 in /usr/share/man/man3
installing ldap_init.3 in /usr/share/man/man3 as link to ldap_open.3
installing ldap_initialize.3 in /usr/share/man/man3 as link to ldap_open.3
installing ldap_set_urllist_proc.3 in /usr/share/man/man3 as link to ldap_open.3
installing ldap_init_fd.3 in /usr/share/man/man3 as link to ldap_open.3
installing ldap_parse_reference.3 in /usr/share/man/man3
installing ldap_parse_result.3 in /usr/share/man/man3
installing ldap_parse_sasl_bind_result.3 in /usr/share/man/man3 as link to ldap_parse_result.3
installing ldap_parse_extended_result.3 in /usr/share/man/man3 as link to ldap_parse_result.3
installing ldap_parse_intermediate.3 in /usr/share/man/man3 as link to ldap_parse_result.3
installing ldap_parse_sort_control.3 in /usr/share/man/man3
installing ldap_parse_vlv_control.3 in /usr/share/man/man3
installing ldap_rename.3 in /usr/share/man/man3
installing ldap_rename_s.3 in /usr/share/man/man3 as link to ldap_rename.3
installing ldap_result.3 in /usr/share/man/man3
installing ldap_msgfree.3 in /usr/share/man/man3 as link to ldap_result.3
installing ldap_msgtype.3 in /usr/share/man/man3 as link to ldap_result.3
installing ldap_msgid.3 in /usr/share/man/man3 as link to ldap_result.3
installing ldap_schema.3 in /usr/share/man/man3
installing ldap_str2syntax.3 in /usr/share/man/man3 as link to ldap_schema.3
installing ldap_syntax2str.3 in /usr/share/man/man3 as link to ldap_schema.3
installing ldap_syntax2name.3 in /usr/share/man/man3 as link to ldap_schema.3
installing ldap_syntax_free.3 in /usr/share/man/man3 as link to ldap_schema.3
installing ldap_str2matchingrule.3 in /usr/share/man/man3 as link to ldap_schema.3
installing ldap_matchingrule2str.3 in /usr/share/man/man3 as link to ldap_schema.3
installing ldap_matchingrule2name.3 in /usr/share/man/man3 as link to ldap_schema.3
installing ldap_matchingrule_free.3 in /usr/share/man/man3 as link to ldap_schema.3
installing ldap_str2attributetype.3 in /usr/share/man/man3 as link to ldap_schema.3
installing ldap_attributetype2str.3 in /usr/share/man/man3 as link to ldap_schema.3
installing ldap_attributetype2name.3 in /usr/share/man/man3 as link to ldap_schema.3
installing ldap_attributetype_free.3 in /usr/share/man/man3 as link to ldap_schema.3
installing ldap_str2objectclass.3 in /usr/share/man/man3 as link to ldap_schema.3
installing ldap_objectclass2str.3 in /usr/share/man/man3 as link to ldap_schema.3
installing ldap_objectclass2name.3 in /usr/share/man/man3 as link to ldap_schema.3
installing ldap_objectclass_free.3 in /usr/share/man/man3 as link to ldap_schema.3
installing ldap_scherr2str.3 in /usr/share/man/man3 as link to ldap_schema.3
installing ldap_search.3 in /usr/share/man/man3
installing ldap_search_s.3 in /usr/share/man/man3 as link to ldap_search.3
installing ldap_search_st.3 in /usr/share/man/man3 as link to ldap_search.3
installing ldap_search_ext.3 in /usr/share/man/man3 as link to ldap_search.3
installing ldap_search_ext_s.3 in /usr/share/man/man3 as link to ldap_search.3
installing ldap_sort.3 in /usr/share/man/man3
installing ldap_sort_entries.3 in /usr/share/man/man3 as link to ldap_sort.3
installing ldap_sort_values.3 in /usr/share/man/man3 as link to ldap_sort.3
installing ldap_sort_strcasecmp.3 in /usr/share/man/man3 as link to ldap_sort.3
installing ldap_sync.3 in /usr/share/man/man3
installing ldap_tls.3 in /usr/share/man/man3
installing ldap_start_tls.3 in /usr/share/man/man3 as link to ldap_tls.3
installing ldap_start_tls_s.3 in /usr/share/man/man3 as link to ldap_tls.3
installing ldap_tls_inplace.3 in /usr/share/man/man3 as link to ldap_tls.3
installing ldap_install_tls.3 in /usr/share/man/man3 as link to ldap_tls.3
installing ldap_url.3 in /usr/share/man/man3
installing ldap_is_ldap_url.3 in /usr/share/man/man3 as link to ldap_url.3
installing ldap_url_parse.3 in /usr/share/man/man3 as link to ldap_url.3
installing ldap_free_urldesc.3 in /usr/share/man/man3 as link to ldap_url.3
make[3]: Leaving directory '/root/openldap-2.6.0/doc/man/man3'
 
  Entering subdirectory man5
make[3]: Entering directory '/root/openldap-2.6.0/doc/man/man5'
../../../build/shtool mkdir -p /usr/share/man/man5
PAGES=`cd .; echo *.5`; \
for page in $PAGES; do \
	echo "installing $page in /usr/share/man/man5"; \
	rm -f /usr/share/man/man5/$page; \
	../../../build/shtool install -c  -m 644 $page.tmp /usr/share/man/man5/$page; \
	if test -f "./$page.links" ; then \
		for link in `cat ./$page.links`; do \
			echo "installing $link in /usr/share/man/man5 as link to $page"; \
			rm -f /usr/share/man/man5/$link ; \
			../../../build/shtool mkln -s /usr/share/man/man5/$page /usr/share/man/man5/$link; \
		done; \
	fi; \
done
installing ldap.conf.5 in /usr/share/man/man5
installing ldif.5 in /usr/share/man/man5
installing lloadd.conf.5 in /usr/share/man/man5
installing slapd-asyncmeta.5 in /usr/share/man/man5
installing slapd-config.5 in /usr/share/man/man5
installing slapd-dnssrv.5 in /usr/share/man/man5
installing slapd-ldap.5 in /usr/share/man/man5
installing slapd-ldif.5 in /usr/share/man/man5
installing slapd-mdb.5 in /usr/share/man/man5
installing slapd-meta.5 in /usr/share/man/man5
installing slapd-monitor.5 in /usr/share/man/man5
installing slapd-null.5 in /usr/share/man/man5
installing slapd-passwd.5 in /usr/share/man/man5
installing slapd-perl.5 in /usr/share/man/man5
installing slapd-relay.5 in /usr/share/man/man5
installing slapd-sock.5 in /usr/share/man/man5
installing slapo-sock.5 in /usr/share/man/man5 as link to slapd-sock.5
installing slapd-sql.5 in /usr/share/man/man5
installing slapd-wt.5 in /usr/share/man/man5
installing slapd.access.5 in /usr/share/man/man5
installing slapd.backends.5 in /usr/share/man/man5
installing slapd.conf.5 in /usr/share/man/man5
installing slapd.overlays.5 in /usr/share/man/man5
installing slapd.plugin.5 in /usr/share/man/man5
installing slapo-accesslog.5 in /usr/share/man/man5
installing slapo-auditlog.5 in /usr/share/man/man5
installing slapo-autoca.5 in /usr/share/man/man5
installing slapo-chain.5 in /usr/share/man/man5
installing slapo-collect.5 in /usr/share/man/man5
installing slapo-constraint.5 in /usr/share/man/man5
installing slapo-dds.5 in /usr/share/man/man5
installing slapo-deref.5 in /usr/share/man/man5
installing slapo-dyngroup.5 in /usr/share/man/man5
installing slapo-dynlist.5 in /usr/share/man/man5
installing slapo-homedir.5 in /usr/share/man/man5
installing slapo-memberof.5 in /usr/share/man/man5
installing slapo-otp.5 in /usr/share/man/man5
installing slapo-pbind.5 in /usr/share/man/man5
installing slapo-pcache.5 in /usr/share/man/man5
installing slapo-ppolicy.5 in /usr/share/man/man5
installing slapo-refint.5 in /usr/share/man/man5
installing slapo-remoteauth.5 in /usr/share/man/man5
installing slapo-retcode.5 in /usr/share/man/man5
installing slapo-rwm.5 in /usr/share/man/man5
installing slapo-sssvlv.5 in /usr/share/man/man5
installing slapo-syncprov.5 in /usr/share/man/man5
installing slapo-translucent.5 in /usr/share/man/man5
installing slapo-unique.5 in /usr/share/man/man5
installing slapo-valsort.5 in /usr/share/man/man5
installing slappw-argon2.5 in /usr/share/man/man5
make[3]: Leaving directory '/root/openldap-2.6.0/doc/man/man5'
 
  Entering subdirectory man8
make[3]: Entering directory '/root/openldap-2.6.0/doc/man/man8'
../../../build/shtool mkdir -p /usr/share/man/man8
PAGES=`cd .; echo *.8`; \
for page in $PAGES; do \
	echo "installing $page in /usr/share/man/man8"; \
	rm -f /usr/share/man/man8/$page; \
	../../../build/shtool install -c  -m 644 $page.tmp /usr/share/man/man8/$page; \
	if test -f "./$page.links" ; then \
		for link in `cat ./$page.links`; do \
			echo "installing $link in /usr/share/man/man8 as link to $page"; \
			rm -f /usr/share/man/man8/$link ; \
			../../../build/shtool mkln -s /usr/share/man/man8/$page /usr/share/man/man8/$link; \
		done; \
	fi; \
done
installing lloadd.8 in /usr/share/man/man8
installing slapacl.8 in /usr/share/man/man8
installing slapadd.8 in /usr/share/man/man8
installing slapauth.8 in /usr/share/man/man8
installing slapcat.8 in /usr/share/man/man8
installing slapd.8 in /usr/share/man/man8
installing slapdn.8 in /usr/share/man/man8
installing slapindex.8 in /usr/share/man/man8
installing slapmodify.8 in /usr/share/man/man8
installing slappasswd.8 in /usr/share/man/man8
installing slapschema.8 in /usr/share/man/man8
installing slaptest.8 in /usr/share/man/man8
make[3]: Leaving directory '/root/openldap-2.6.0/doc/man/man8'
 
make[2]: Leaving directory '/root/openldap-2.6.0/doc/man'
 
make[1]: Leaving directory '/root/openldap-2.6.0/doc'

Configuring OpenLDAP on Ubuntu 22.04

Create Data and Database Directories

Create OpenLDAP data and database directories

mkdir /var/lib/openldap /etc/openldap/slapd.d

Set the proper ownership and permissions on OpenLDAP directories and configuration files.

chown -R ldap:ldap /var/lib/openldap
chown root:ldap /etc/openldap/slapd.conf
chmod 640 /etc/openldap/slapd.conf

Update OpenLDAP Service

Replace the systemd service file created by the build with the one below;

mv /lib/systemd/system/slapd.service{,.old}

cat > /etc/systemd/system/slapd.service << 'EOL'
[Unit]
Description=OpenLDAP Server Daemon
After=syslog.target network-online.target
Documentation=man:slapd
Documentation=man:slapd-mdb

[Service]
Type=forking
PIDFile=/var/lib/openldap/slapd.pid
Environment="SLAPD_URLS=ldap:/// ldapi:/// ldaps:///"
Environment="SLAPD_OPTIONS=-F /etc/openldap/slapd.d"
ExecStart=/usr/libexec/slapd -u ldap -g ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS

[Install]
WantedBy=multi-user.target
EOL

Create OpenLDAP SUDO Schema

To configure sudo with LDAP support, first install the sudo-ldap package.

SUDO_FORCE_REMOVE=yes apt install sudo-ldap -y

You can then verify that sudo was built with LDAP support.

sudo -V |  grep -i "ldap"

If sudo supports LDAP, you should see the lines below;


Configure options: --build=x86_64-linux-gnu --prefix=/usr --includedir=${prefix}/include --mandir=${prefix}/share/man --infodir=${prefix}/share/info --sysconfdir=/etc --localstatedir=/var --disable-option-checking --disable-silent-rules --libdir=${prefix}/lib/x86_64-linux-gnu --libexecdir=${prefix}/lib/x86_64-linux-gnu --disable-maintainer-mode --disable-dependency-tracking -v --with-all-insults --with-pam --with-ldap --with-fqdn --with-logging=syslog --with-logfac=authpriv --with-env-editor --with-editor=/usr/bin/editor --with-exampledir=/usr/share/doc/sudo-ldap/examples --with-timeout=15 --with-password-timeout=0 --with-passprompt=[sudo] password for %p:  --without-lecture --with-tty-tickets --disable-root-mailer --enable-admin-flag --disable-setresuid --with-sendmail=/usr/sbin/sendmail --with-rundir=/run/sudo --with-ldap-conf-file=/etc/sudo-ldap.conf --libexecdir=/usr/lib --with-sssd --with-sssd-lib=/usr/lib/x86_64-linux-gnu --enable-zlib=system --with-selinux --with-linux-audit --enable-tmpfiles.d=yes MVPROG=/bin/mv
ldap.conf path: /etc/sudo-ldap.conf
ldap.secret path: /etc/ldap.secret

Check if LDAP sudo schema is available.

find /usr/share/doc/ -iname schema.openldap
/usr/share/doc/sudo-ldap/schema.OpenLDAP

Copy the schema.OpenLDAP to the schema directory.

cp /usr/share/doc/sudo-ldap/schema.OpenLDAP  /etc/openldap/schema/sudo.schema

Next, you need to create sudo schema ldif file.

Run the command below to create the sudo.ldif file. The LDIF content is taken from the Lullabot GitHub repository.


cat << 'EOL' > /etc/openldap/schema/sudo.ldif
dn: cn=sudo,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: sudo
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may  run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 'Command(s) to be executed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs' DESC 'User(s) impersonated by sudo (deprecated)' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption' DESC 'Options(s) followed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.6 NAME 'sudoRunAsUser' DESC 'User(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.7 NAME 'sudoRunAsGroup' DESC 'Group(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcObjectClasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL DESC 'Sudoer Entries' MUST ( cn ) MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ sudoRunAsGroup $ sudoOption $ description ) )
EOL

Update SLAPD Database

Edit the SLAPD LDIF file, /etc/openldap/slapd.ldif, and update it as follows;

mv /etc/openldap/slapd.ldif{,.bak}

cat > /etc/openldap/slapd.ldif << 'EOL'
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/lib/openldap/slapd.args
olcPidFile: /var/lib/openldap/slapd.pid

dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema

dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/libexec/openldap
olcModuleload: back_mdb.la

include: file:///etc/openldap/schema/core.ldif
include: file:///etc/openldap/schema/cosine.ldif
include: file:///etc/openldap/schema/nis.ldif
include: file:///etc/openldap/schema/inetorgperson.ldif
include: file:///etc/openldap/schema/sudo.ldif
#include: file:///etc/openldap/schema/ppolicy.ldif
dn: olcDatabase=frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: frontend
olcAccess: to dn.base="cn=Subschema" by * read
olcAccess: to * 
  by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage 
  by * none

dn: olcDatabase=config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: config
olcRootDN: cn=config
olcAccess: to * 
  by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage 
  by * none
EOL
  • To load the configuration from the slapd LDIF file above, use the slapadd command with the option -n 0, which targets the first database (database number 0, the cn=config database).
  • To specify the configuration directory, /etc/openldap/slapd.d, use the option -F, and use the option -l to specify the location of the LDIF file above.

Before you can write the changes to the database, perform a dry run to see what would happen. Pass -u option to slapadd command.

slapadd -n 0 -F /etc/openldap/slapd.d -l /etc/openldap/slapd.ldif -u

If the command does not output any error, then all is fine.

Then implement the changes if all is well.

slapadd -n 0 -F /etc/openldap/slapd.d -l /etc/openldap/slapd.ldif

This command creates slapd database configurations under /etc/openldap/slapd.d directory.

ls /etc/openldap/slapd.d
'cn=config'  'cn=config.ldif'

Set the user and group ownership of the /etc/openldap/slapd.d directory and the files in it to ldap user.

chown -R ldap:ldap /etc/openldap/slapd.d

Running OpenLDAP Service

Reload systemd configurations and start OpenLDAP service.

systemctl daemon-reload
systemctl enable --now slapd

Check status;

systemctl status slapd

● slapd.service - OpenLDAP Server Daemon
     Loaded: loaded (/etc/systemd/system/slapd.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2022-01-05 20:57:14 EAT; 1s ago
       Docs: man:slapd
             man:slapd-mdb
    Process: 77537 ExecStart=/usr/libexec/slapd -u ldap -g ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS (code=exited, status=0/SUCCESS)
   Main PID: 77538 (slapd)
      Tasks: 2 (limit: 3519)
     Memory: 3.0M
        CPU: 28ms
     CGroup: /system.slice/slapd.service
             └─77538 /usr/libexec/slapd -u ldap -g ldap -h "ldap:/// ldapi:/// ldaps:///" -F /etc/openldap/slapd.d

Jan 05 20:57:14 kifarunix-demo.com systemd[1]: Starting OpenLDAP Server Daemon...
Jan 05 20:57:14 kifarunix-demo.com slapd[77537]: @(#) $OpenLDAP: slapd 2.6.0 (Jan  5 2022 20:35:20) $
                                                         root@kifarunix-demo:/root/openldap-2.6.0/servers/slapd
Jan 05 20:57:14 kifarunix-demo.com slapd[77538]: slapd starting
Jan 05 20:57:14 kifarunix-demo.com systemd[1]: Started OpenLDAP Server Daemon.

Configure OpenLDAP Logging on Ubuntu 22.04

By default, the OpenLDAP log level is set to none, which logs only high-priority messages.

To change this to a different log level, say the stats level (logs connections/operations/results), run the command below;

ldapmodify -Y EXTERNAL -H ldapi:/// -Q

Then copy and paste the content below at the prompt to modify the log level.

dn: cn=config
changeType: modify
replace: olcLogLevel
olcLogLevel: stats

Next, press ENTER twice. Once you see the line modifying entry "cn=config", press Ctrl+d.

You can as well use LDIF files to update this information if you like.

To confirm the changes;

ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config "(objectClass=olcGlobal)" olcLogLevel -LLL -Q
dn: cn=config
olcLogLevel: stats

Next, tell Rsyslog where to write the OpenLDAP logs. By default, OpenLDAP logs to the local4 syslog facility, so to send it to /var/log/slapd.log, for example, execute the command below;

echo "local4.* /var/log/slapd.log" >> /etc/rsyslog.d/51-slapd.conf

Restart Rsyslog and SLAPD service

systemctl restart rsyslog slapd

You should now be able to read the LDAP logs in /var/log/slapd.log.
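
The stats level enabled above records every connection, bind and result as conn=/op= lines, which is what a log-monitoring rule should consume. Below is an added example (mine, not part of this tutorial or of OpenLDAP) that parses such lines with the Python standard library: it counts failed binds (err=49, the LDAP invalidCredentials result) per source address and DN, and flags simple binds (method=128, password sent in the clear) on TCP connections where no "TLS established" line preceded them. The log lines, host name, addresses, DNs and socket path in the sample are constructed for this example, not captured output.

```python
"""Summarise slapd 'stats' log lines: failed binds per source and simple
binds that arrived without TLS.

Added example, not part of the original tutorial or of OpenLDAP. It reads
the conn=/op= records slapd emits at olcLogLevel stats; the sample lines
are constructed for this example, not captured output.
"""
import re
from collections import Counter
from typing import List, Tuple

# Constructed sample of /var/log/slapd.log (addresses, DNs and paths are examples).
SAMPLE_LOG = """\
Jan  5 21:00:01 ldap1 slapd[77538]: conn=1000 fd=12 ACCEPT from IP=192.0.2.10:51234 (IP=0.0.0.0:389)
Jan  5 21:00:01 ldap1 slapd[77538]: conn=1000 op=0 BIND dn="uid=johndoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com" method=128
Jan  5 21:00:01 ldap1 slapd[77538]: conn=1000 op=0 RESULT tag=97 err=49 text=
Jan  5 21:00:02 ldap1 slapd[77538]: conn=1000 op=1 BIND dn="uid=johndoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com" method=128
Jan  5 21:00:02 ldap1 slapd[77538]: conn=1000 op=1 RESULT tag=97 err=49 text=
Jan  5 21:00:02 ldap1 slapd[77538]: conn=1000 op=2 UNBIND
Jan  5 21:00:02 ldap1 slapd[77538]: conn=1000 fd=12 closed
Jan  5 21:00:05 ldap1 slapd[77538]: conn=1001 fd=13 ACCEPT from IP=192.0.2.20:40000 (IP=0.0.0.0:389)
Jan  5 21:00:05 ldap1 slapd[77538]: conn=1001 op=0 STARTTLS
Jan  5 21:00:05 ldap1 slapd[77538]: conn=1001 op=0 RESULT oid= err=0 text=
Jan  5 21:00:05 ldap1 slapd[77538]: conn=1001 fd=13 TLS established tls_ssf=256 ssf=256
Jan  5 21:00:05 ldap1 slapd[77538]: conn=1001 op=1 BIND dn="cn=readonly,ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com" method=128
Jan  5 21:00:05 ldap1 slapd[77538]: conn=1001 op=1 RESULT tag=97 err=0 text=
Jan  5 21:00:09 ldap1 slapd[77538]: conn=1002 fd=14 ACCEPT from PATH=/var/run/ldapi (PATH=/var/run/ldapi)
Jan  5 21:00:09 ldap1 slapd[77538]: conn=1002 op=0 BIND dn="" method=163
"""

LINE_RE = re.compile(r"slapd\[\d+\]: conn=(?P<conn>\d+) (?P<rest>.*)$")
ACCEPT_RE = re.compile(r"fd=\d+ ACCEPT from (?P<src>\S+) \(")
TLS_RE = re.compile(r"fd=\d+ TLS established")
SIMPLE_BIND_RE = re.compile(r'op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" method=128$')
BIND_RESULT_RE = re.compile(r"op=(?P<op>\d+) RESULT tag=97 err=(?P<err>\d+)")

LDAP_INVALID_CREDENTIALS = 49  # RFC 4511 resultCode invalidCredentials


def _source(src: str) -> str:
    """Strip the ephemeral port from IP=host:port; PATH=... (ldapi) stays as-is."""
    return src.rsplit(":", 1)[0] if src.startswith("IP=") else src


def analyse(log_text: str) -> Tuple[Counter, Counter]:
    """Return (failed_binds, cleartext_binds), Counters keyed by (source, dn)."""
    src_of = {}          # conn id -> where the connection came from
    tls_conns = set()    # conn ids on which a TLS handshake completed
    pending = {}         # (conn, op) -> dn of a simple bind awaiting its RESULT
    failed = Counter()
    cleartext = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        conn, rest = m.group("conn"), m.group("rest")
        a = ACCEPT_RE.match(rest)
        if a:
            src_of[conn] = _source(a.group("src"))
            continue
        if TLS_RE.match(rest):
            tls_conns.add(conn)
            continue
        b = SIMPLE_BIND_RE.match(rest)
        if b:
            dn = b.group("dn") or "<anonymous>"
            pending[(conn, b.group("op"))] = dn
            src = src_of.get(conn, "?")
            # A simple bind carries the password itself; on a TCP connection it
            # is only protected when TLS was established earlier on that conn.
            if src.startswith("IP=") and conn not in tls_conns:
                cleartext[(src, dn)] += 1
            continue
        r = BIND_RESULT_RE.match(rest)
        if r:
            dn = pending.pop((conn, r.group("op")), None)
            if dn is not None and int(r.group("err")) == LDAP_INVALID_CREDENTIALS:
                failed[(src_of.get(conn, "?"), dn)] += 1
    return failed, cleartext


def noisy_sources(failed: Counter, threshold: int) -> List[str]:
    """Sources whose failed binds, summed over all DNs, reach the threshold."""
    per_source = Counter()
    for (src, _dn), n in failed.items():
        per_source[src] += n
    return sorted(s for s, n in per_source.items() if n >= threshold)


if __name__ == "__main__":
    failed, cleartext = analyse(SAMPLE_LOG)
    for (src, dn), n in failed.items():
        print(f"{n} failed bind(s) for {dn} from {src}")
    for (src, dn), n in cleartext.items():
        print(f"{n} simple bind(s) without TLS for {dn} from {src}")
    print("sources at threshold:", noisy_sources(failed, 2))
```

Pass the contents of /var/log/slapd.log to analyse() to run it on a real file. The cleartext finding is the one worth acting on first: the service file above listens on ldap:///, ldapi:/// and ldaps:///, so a client that binds on port 389 without STARTTLS sends its password unprotected; slapd can refuse such binds with the olcSecurity directive (see slapd-config(5)).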

You can as well configure log rotation;


cat > /etc/logrotate.d/slapd << EOL
/var/log/slapd.log
{ 
        rotate 7
        daily
        missingok
        notifempty
        delaycompress
        compress
        postrotate
                /usr/lib/rsyslog/rsyslog-rotate
        endscript
}
EOL

Restart log rotation service;

systemctl restart logrotate

Create OpenLDAP Default Root DN

Next, create the MDB database, defining the root DN as well as the access control lists.

First, generate the root DN password.

slappasswd
New password: ENTER PASSWORD
Re-enter new password: RE-ENTER PASSWORD
{SSHA}mkWcb8AsesQrsmA9ZZNFW4jCMnuHiJaf

Copy and paste the password hash generated above, {SSHA}mkWcb8AsesQrsmA9ZZNFW4jCMnuHiJaf, as the value of olcRootPW in the Root DN ldif file below.

Replace the domain components, dc=ldapmaster,dc=kifarunix-demo,dc=com with your appropriate names.


cat > rootdn.ldif << 'EOL'
dn: olcDatabase=mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: mdb
olcDbMaxSize: 42949672960
olcDbDirectory: /var/lib/openldap
olcSuffix: dc=ldapmaster,dc=kifarunix-demo,dc=com
olcRootDN: cn=admin,dc=ldapmaster,dc=kifarunix-demo,dc=com
olcRootPW: {SSHA}mkWcb8AsesQrsmA9ZZNFW4jCMnuHiJaf
olcDbIndex: uid pres,eq
olcDbIndex: cn,sn pres,eq,approx,sub
olcDbIndex: mail pres,eq,sub
olcDbIndex: objectClass pres,eq
olcDbIndex: loginShell pres,eq
olcDbIndex: sudoUser,sudoHost pres,eq
olcAccess: to attrs=userPassword,shadowLastChange,shadowExpire
  by self write
  by anonymous auth
  by dn.subtree="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage 
  by dn.subtree="ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com" read
  by * none
olcAccess: to dn.subtree="ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com" by dn.subtree="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
  by * none
olcAccess: to dn.subtree="dc=ldapmaster,dc=kifarunix-demo,dc=com" by dn.subtree="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
  by users read 
  by * none
EOL

Read more about ACL on OpenLDAP Access Control.

Update the slapd database with the content above;

ldapadd -Y EXTERNAL -H ldapi:/// -f rootdn.ldif

Sample command output;

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "olcDatabase=mdb,cn=config"

Configure OpenLDAP with SSL/TLS

To secure OpenLDAP communication between the client and the server, configure it to use SSL/TLS certificates.

In this guide, we use self-signed certificates. For production environments, you can instead obtain commercially signed and trusted certificates from your preferred CA.

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout \
/etc/ssl/ldapserver.key -out /etc/ssl/ldapserver.crt
chown ldap:ldap /etc/ssl/{ldapserver.crt,ldapserver.key}

Update the OpenLDAP Server TLS certificates attributes.


cat > tls.ldif << 'EOL'
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/ldapserver.crt
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/ldapserver.crt
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/ldapserver.key
EOL

Note that we have used the self-signed certificate as both the server certificate and the CA certificate.

ldapadd -Y EXTERNAL -H ldapi:/// -f tls.ldif

Once the command runs, you can confirm TLS settings by running the command below;

slapcat -b "cn=config" | grep olcTLS
olcTLSCACertificateFile: /etc/ssl/ldapserver.crt
olcTLSCertificateFile: /etc/ssl/ldapserver.crt
olcTLSCertificateKeyFile: /etc/ssl/ldapserver.key

Change the location of the CA certificate in /etc/ldap/ldap.conf.

sed -i 's|/etc/ssl/certs/ca-certificates.crt|/etc/ssl/ldapserver.crt|' /etc/ldap/ldap.conf

Create OpenLDAP Base DN

Next, create your base DN or search base to define your organization structure and directory.

Replace the domain components and organization units accordingly.


cat > basedn.ldif << 'EOL'
dn: dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: dcObject
objectClass: organization
objectClass: top
o: Kifarunix-demo
dc: ldapmaster

dn: ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: organizationalUnit
objectClass: top
ou: groups

dn: ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: organizationalUnit
objectClass: top
ou: people
EOL
ldapadd -Y EXTERNAL -H ldapi:/// -f basedn.ldif

Sample output;


SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "dc=ldapmaster,dc=kifarunix-demo,dc=com"

adding new entry "ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com"

adding new entry "ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com"

Create OpenLDAP User Accounts

You can add users to your OpenLDAP server. Create an ldif file to define your users as follows.


cat > users.ldif << 'EOL'
dn: uid=johndoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: johndoe
cn: John
sn: Doe
loginShell: /bin/bash
uidNumber: 10000
gidNumber: 10000
homeDirectory: /home/johndoe
shadowMax: 60
shadowMin: 1
shadowWarning: 7
shadowInactive: 7
shadowLastChange: 0

dn: cn=johndoe,ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: posixGroup
cn: johndoe
gidNumber: 10000
memberUid: johndoe
EOL

Add the user to the OpenLDAP database.

ldapadd -Y EXTERNAL -H ldapi:/// -f users.ldif

Setting password for LDAP User

To set the password for user above, run the command below;

ldappasswd -H ldapi:/// -Y EXTERNAL -S "uid=johndoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com"

Create OpenLDAP Bind DN and Bind DN User

The bind DN user is used for performing LDAP operations such as resolving user IDs and group IDs.

In this guide, we create a bind DN ou called system.

Note the access controls associated with this ou as defined on the root DN above.

List the Access control lists on the database;

ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config '(olcDatabase={1}mdb)' olcAccess

dn: olcDatabase={1}mdb,cn=config
olcAccess: {0}to attrs=userPassword,shadowLastChange,shadowExpire by self writ
 e by anonymous auth by dn.subtree="gidNumber=0+uidNumber=0,cn=peercred,cn=ext
 ernal,cn=auth" manage  by dn.subtree="ou=system,dc=ldapmaster,dc=kifarunix-de
 mo,dc=com" read by * none
olcAccess: {1}to dn.subtree="ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com"
  by dn.subtree="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" mana
 ge by * none
olcAccess: {2}to dn.subtree="dc=ldapmaster,dc=kifarunix-demo,dc=com" by dn.sub
 tree="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by user
 s read  by * none
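
ldapsearch prints LDIF, which folds long values onto continuation lines that start with a single space, so reviewing ACLs by eye is error-prone. The added example below (mine, not part of this tutorial or of OpenLDAP) unfolds a constructed copy of the listing above, parses each olcAccess value into its "to" target and ordered "by" clauses, and reports the points a reviewer checks: a "to *" rule that is not last (slapd applies the first "to" clause that matches, so later rules would never be reached), a rule without a closing "by * none", and any identity other than self that can read userPassword. Only the Python standard library is used.

```python
"""Unfold LDIF output and review olcAccess rules of a slapd database.

Added example, not part of the original tutorial or of OpenLDAP. The sample
is a constructed copy of the folded ldapsearch output shown in the tutorial.
"""
import re
import shlex
from typing import List, Optional, Tuple

SAMPLE_LDIF = """\
dn: olcDatabase={1}mdb,cn=config
olcAccess: {0}to attrs=userPassword,shadowLastChange,shadowExpire by self writ
 e by anonymous auth by dn.subtree="gidNumber=0+uidNumber=0,cn=peercred,cn=ext
 ernal,cn=auth" manage  by dn.subtree="ou=system,dc=ldapmaster,dc=kifarunix-de
 mo,dc=com" read by * none
olcAccess: {1}to dn.subtree="ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com"
  by dn.subtree="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" mana
 ge by * none
olcAccess: {2}to dn.subtree="dc=ldapmaster,dc=kifarunix-demo,dc=com" by dn.sub
 tree="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by user
 s read  by * none
"""

Clause = Tuple[str, str, Optional[str]]          # (who, level, control)
Rule = Tuple[str, List[Clause]]                  # (what, clauses)

ORDER_RE = re.compile(r"^\{\d+\}")               # the {n} ordering prefix
CONTROLS = {"stop", "continue", "break"}
LEVEL_RANK = {"none": 0, "disclose": 1, "auth": 2, "compare": 3,
              "search": 4, "read": 5, "write": 6, "manage": 7}
PASSWORD_ATTRS = {"userpassword"}


def unfold(ldif: str) -> List[str]:
    """Join LDIF continuation lines (leading space) onto the previous line."""
    out: List[str] = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and out:
            out[-1] += raw[1:]
        else:
            out.append(raw)
    return out


def parse_access(value: str) -> Rule:
    """Parse one olcAccess value: 'to <what> by <who> [<level>] [<control>] ...'."""
    value = ORDER_RE.sub("", value)
    tokens = shlex.split(value)              # keeps quoted DNs as one token
    if not tokens or tokens[0] != "to" or "by" not in tokens:
        raise ValueError(f"not an access rule: {value}")
    first_by = tokens.index("by")
    what = " ".join(tokens[1:first_by])
    clauses: List[Clause] = []
    i = first_by
    while i < len(tokens):
        if tokens[i] != "by" or i + 1 >= len(tokens):
            raise ValueError(f"malformed 'by' clause in: {value}")
        who, level, control = tokens[i + 1], "(unspecified)", None
        i += 2
        if i < len(tokens) and tokens[i] != "by" and tokens[i] not in CONTROLS:
            level, i = tokens[i], i + 1
        if i < len(tokens) and tokens[i] in CONTROLS:
            control, i = tokens[i], i + 1
        clauses.append((who, level, control))
    return what, clauses


def parse_rules(ldif: str) -> List[Rule]:
    """Collect and parse every olcAccess value in (possibly folded) LDIF."""
    return [parse_access(line[len("olcAccess:"):].strip())
            for line in unfold(ldif) if line.startswith("olcAccess:")]


def _targets_password(what: str) -> bool:
    for part in what.split():
        if part.startswith("attrs="):
            return any(a.lower() in PASSWORD_ATTRS for a in part[6:].split(","))
    return False


def review(rules: List[Rule]) -> List[str]:
    """Return human-readable findings for the ordered rule list."""
    findings: List[str] = []
    last = len(rules) - 1
    for idx, (what, clauses) in enumerate(rules):
        if what == "*" and idx != last:
            findings.append(f"rule {idx}: 'to *' is not last, so later rules never apply")
        if not clauses or clauses[-1][:2] != ("*", "none"):
            findings.append(f"rule {idx}: does not end with an explicit 'by * none'")
        if not _targets_password(what):
            continue
        for who, level, _control in clauses:
            rank = LEVEL_RANK.get(level)
            if rank is None or who == "self":
                continue                      # self or a privilege spec we do not rank
            if who in ("anonymous", "*") and rank > LEVEL_RANK["auth"]:
                findings.append(f"rule {idx}: '{who}' gets {level} on password attributes (auth or none expected)")
            elif who not in ("anonymous", "*") and LEVEL_RANK["read"] <= rank < LEVEL_RANK["manage"]:
                findings.append(f"rule {idx}: '{who}' has {level} on password attributes, so it can read the stored hashes")
    return findings


if __name__ == "__main__":
    for finding in review(parse_rules(SAMPLE_LDIF)) or ["no findings"]:
        print(finding)
```

On the listing above the reviewer reports one item: the ou=system subtree has read on userPassword. That is what the tutorial configured, but read returns the stored hashes of every user to the bind DN account; auth is enough for that account to bind with its own password, and reading other users' hashes is rarely needed for ID lookups, so grant it only if something actually requires it. Feed the function the output of slapcat -b cn=config to review every database at once.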

Create the LDAP BindDN user password.

slappasswd
New password: 
Re-enter new password: 
{SSHA}51i5ZSBTbCULaS8IwRrLDnrcsrM00czf

Copy and Paste the password hash value above as the value of userPassword attribute in the file below;


cat > bindDNuser.ldif << 'EOL'
dn: ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: organizationalUnit
objectClass: top
ou: system

dn: cn=readonly,ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: readonly
userPassword: {SSHA}51i5ZSBTbCULaS8IwRrLDnrcsrM00czf
description: Bind DN user for LDAP Operations
EOL
ldapadd -Y EXTERNAL -H ldapi:/// -f bindDNuser.ldif
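Because the bind DN sits under ou=system, the three olcAccess clauses listed above decide exactly what it can see. The Python below is an added example, not code from this guide or from OpenLDAP: it parses that ldapsearch output (unfolding the wrapped LDIF lines) and applies a simplified model of slapd's first-match evaluation to show the access each identity gets. uid=alice is a constructed second user; everything else is taken from the listing. Only the selectors these ACLs use are modelled, so use it to reason about this listing, not as a substitute for testing against the server.

```python
# Added example, not part of the original guide: a simplified model of how slapd
# evaluates the three olcAccess clauses listed above. Clauses are tried in order;
# the first "to" part that matches wins, and within it the first matching "by"
# clause gives the level (implicit "by * none" if none matches, implicit
# "to * by * none" after the last clause). Only the selectors these ACLs use are
# implemented, so this illustrates the semantics; it is not slapd's code.
import re

# ldapsearch output copied from the guide; folded lines start with one space.
ACL_LDIF = """\
dn: olcDatabase={1}mdb,cn=config
olcAccess: {0}to attrs=userPassword,shadowLastChange,shadowExpire by self writ
 e by anonymous auth by dn.subtree="gidNumber=0+uidNumber=0,cn=peercred,cn=ext
 ernal,cn=auth" manage  by dn.subtree="ou=system,dc=ldapmaster,dc=kifarunix-de
 mo,dc=com" read by * none
olcAccess: {1}to dn.subtree="ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com"
  by dn.subtree="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" mana
 ge by * none
olcAccess: {2}to dn.subtree="dc=ldapmaster,dc=kifarunix-demo,dc=com" by dn.sub
 tree="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by user
 s read  by * none
"""
SELECTOR = re.compile(r'\*|[\w.]+=(?:"[^"]*"|\S+)')

def unfold(ldif):
    """Join LDIF continuation lines: a leading space continues the previous line."""
    out = []
    for line in ldif.splitlines():
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out

def norm_dn(dn):
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()

def in_subtree(dn, base):
    dn, base = norm_dn(dn), norm_dn(base)
    return dn == base or dn.endswith("," + base)

def parse_acls(ldif):
    """Return [(targets, [(who, level), ...]), ...] in olcAccess order."""
    acls = []
    for line in unfold(ldif):
        if not line.startswith("olcAccess:"):
            continue
        value = re.sub(r"\s+", " ", line.split(":", 1)[1]).strip()
        value = re.sub(r"^\{\d+\}", "", value)  # drop the {n} ordering prefix
        target, *by_parts = value.split(" by ")
        if not target.startswith("to "):
            raise ValueError(f"unexpected olcAccess value: {value}")
        targets = [(k, v.strip('"')) for k, _, v in
                   (sel.partition("=") for sel in SELECTOR.findall(target[3:]))]
        acls.append((targets, [tuple(p.rsplit(" ", 1)) for p in by_parts]))
    return acls

def target_matches(targets, entry_dn, attr):
    for key, val in targets:
        if key == "attrs":  # attribute access only, never the entry itself
            if attr is None or attr.lower() not in val.lower().split(","):
                return False
        elif key == "dn.subtree":
            if not in_subtree(entry_dn, val):
                return False
        elif key != "*":
            raise NotImplementedError(f"target selector not modelled: {key}")
    return True

def who_matches(who, entry_dn, requester):
    """requester is the bound DN, or None on an anonymous connection."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if who == "self":
        return requester is not None and norm_dn(requester) == norm_dn(entry_dn)
    if who.startswith("dn.subtree="):
        return requester is not None and in_subtree(requester, who[11:].strip('"'))
    raise NotImplementedError(f"who selector not modelled: {who}")

def access(acls, entry_dn, attr, requester):
    """Access level requester gets to attr of entry_dn (attr=None: the entry itself)."""
    for targets, by in acls:
        if not target_matches(targets, entry_dn, attr):
            continue
        for who, level in by:
            if who_matches(who, entry_dn, requester):
                return level
        return "none"  # "to" matched but no "by" did: denied
    return "none"  # implicit trailing "to * by * none"

ACLS = parse_acls(ACL_LDIF)
JOHN = "uid=johndoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com"
ALICE = "uid=alice,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com"  # constructed 2nd user
READONLY = "cn=readonly,ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com"
ROOT = "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"  # root over ldapi:///

if __name__ == "__main__":
    for label, req in [("anonymous", None), ("johndoe", JOHN), ("alice", ALICE), ("readonly", READONLY), ("root/ldapi", ROOT)]:
        print(f"{label:10} userPassword of johndoe: {access(ACLS, JOHN, 'userPassword', req):7}"
              f" cn of johndoe: {access(ACLS, JOHN, 'cn', req):7} cn of readonly: {access(ACLS, READONLY, 'cn', req)}")
```

Running it shows the point worth noticing: the readonly bind DN gets read on userPassword while another ordinary user gets none, anonymous gets auth (enough to bind, which is why the bind DN itself can log in), and the bind DN cannot read its own entry under ou=system because the {1} clause has no matching by line for it. Confirm against the live server by binding as the bind DN with ldapsearch (-D with its DN and -W) and requesting the userPassword attribute before relying on the model.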

Enable OpenLDAP Password Policies

If you want to implement OpenLDAP password policies, the password policy schema must be known to slapd.

Note that from OpenLDAP 2.5 onwards the ppolicy schema is built into the ppolicy overlay module itself (ppolicy.schema is no longer shipped with the source), so loading the overlay registers these attribute types and object classes on its own. On such versions you can skip this step and load the overlay directly; once it is loaded, the pwdPolicy object class appears in the server's cn=Subschema entry. If you do add the file below on such a version and slapd later rejects the overlay because of duplicate schema definitions, remove the manually added schema entry again.

To load the (2.4-style) password policy schema into cn=config, run the command below;

cat > ppolicy.ldif << 'EOL'
dn: cn=ppolicy,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: ppolicy
olcAttributeTypes: {0}( 1.3.6.1.4.1.42.2.27.8.1.1 NAME 'pwdAttribute' EQUALITY
  objectIdentifierMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
olcAttributeTypes: {1}( 1.3.6.1.4.1.42.2.27.8.1.2 NAME 'pwdMinAge' EQUALITY in
 tegerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
  SINGLE-VALUE )
olcAttributeTypes: {2}( 1.3.6.1.4.1.42.2.27.8.1.3 NAME 'pwdMaxAge' EQUALITY in
 tegerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
  SINGLE-VALUE )
olcAttributeTypes: {3}( 1.3.6.1.4.1.42.2.27.8.1.4 NAME 'pwdInHistory' EQUALITY
  integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1
 .27 SINGLE-VALUE )
olcAttributeTypes: {4}( 1.3.6.1.4.1.42.2.27.8.1.5 NAME 'pwdCheckQuality' EQUAL
 ITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.12
 1.1.27 SINGLE-VALUE )
olcAttributeTypes: {5}( 1.3.6.1.4.1.42.2.27.8.1.6 NAME 'pwdMinLength' EQUALITY
  integerMatch ORDERING integerOrderingMatch  SYNTAX 1.3.6.1.4.1.1466.115.121.
 1.27 SINGLE-VALUE )
olcAttributeTypes: {6}( 1.3.6.1.4.1.42.2.27.8.1.7 NAME 'pwdExpireWarning' EQUA
 LITY integerMatch ORDERING integerOrderingMatch  SYNTAX 1.3.6.1.4.1.1466.115.
 121.1.27 SINGLE-VALUE )
olcAttributeTypes: {7}( 1.3.6.1.4.1.42.2.27.8.1.8 NAME 'pwdGraceAuthNLimit' EQ
 UALITY integerMatch ORDERING integerOrderingMatch  SYNTAX 1.3.6.1.4.1.1466.11
 5.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {8}( 1.3.6.1.4.1.42.2.27.8.1.9 NAME 'pwdLockout' EQUALITY b
 ooleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcAttributeTypes: {9}( 1.3.6.1.4.1.42.2.27.8.1.10 NAME 'pwdLockoutDuration' E
 QUALITY integerMatch ORDERING integerOrderingMatch  SYNTAX 1.3.6.1.4.1.1466.1
 15.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {10}( 1.3.6.1.4.1.42.2.27.8.1.11 NAME 'pwdMaxFailure' EQUAL
 ITY integerMatch ORDERING integerOrderingMatch  SYNTAX 1.3.6.1.4.1.1466.115.1
 21.1.27 SINGLE-VALUE )
olcAttributeTypes: {11}( 1.3.6.1.4.1.42.2.27.8.1.12 NAME 'pwdFailureCountInter
 val' EQUALITY integerMatch ORDERING integerOrderingMatch  SYNTAX 1.3.6.1.4.1.
 1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {12}( 1.3.6.1.4.1.42.2.27.8.1.13 NAME 'pwdMustChange' EQUAL
 ITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcAttributeTypes: {13}( 1.3.6.1.4.1.42.2.27.8.1.14 NAME 'pwdAllowUserChange' 
 EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcAttributeTypes: {14}( 1.3.6.1.4.1.42.2.27.8.1.15 NAME 'pwdSafeModify' EQUAL
 ITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcAttributeTypes: {15}( 1.3.6.1.4.1.4754.1.99.1 NAME 'pwdCheckModule' DESC 'L
 oadable module that instantiates "check_password() function' EQUALITY caseExa
 ctIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {16}( 1.3.6.1.4.1.42.2.27.8.1.30 NAME 'pwdMaxRecordedFailur
 e' EQUALITY integerMatch ORDERING integerOrderingMatch  SYNTAX 1.3.6.1.4.1.
 1466.115.121.1.27 SINGLE-VALUE )
olcObjectClasses: {0}( 1.3.6.1.4.1.4754.2.99.1 NAME 'pwdPolicyChecker' SUP top
  AUXILIARY MAY pwdCheckModule )
olcObjectClasses: {1}( 1.3.6.1.4.1.42.2.27.8.2.1 NAME 'pwdPolicy' SUP top AUXI
 LIARY MUST pwdAttribute MAY ( pwdMinAge $ pwdMaxAge $ pwdInHistory $ pwdCheck
 Quality $ pwdMinLength $ pwdExpireWarning $ pwdGraceAuthNLimit $ pwdLockout $
  pwdLockoutDuration $ pwdMaxFailure $ pwdFailureCountInterval $ pwdMustChange
  $ pwdAllowUserChange $ pwdSafeModify $ pwdMaxRecordedFailure ) )
EOL
ldapadd -Y EXTERNAL -H ldapi:/// -f ppolicy.ldif

Next, read the guide below to learn how to implement password policies.

Implement OpenLDAP Password Policies

Allow OpenLDAP Service on Firewall

If UFW is running, allow external access to OpenLDAP (LDAP on 389/tcp and LDAPS on 636/tcp). The rules below open both ports to every source; restrict them to your client networks where possible, and bear in mind that plain LDAP carries simple-bind passwords in clear text unless clients use STARTTLS, which you can make mandatory on the server with the olcSecurity directive;

ufw allow "OpenLDAP LDAP"
ufw allow "OpenLDAP LDAPS"

Authenticate Via OpenLDAP Server

And that is how to install and set up an OpenLDAP server on Ubuntu 22.04.

To verify that users can actually log in to systems via the OpenLDAP server, you need to configure the OpenLDAP clients on the remote systems, binding with the read-only bind DN created above.

See the guides below;

Configure SSSD for LDAP Authentication on Ubuntu 20.04

Configure SSSD for LDAP Authentication on Rocky Linux 8

Install and Configure SSSD for OpenLDAP Authentication on Fedora 32/31/30

koromicha
I am the Co-founder of Kifarunix.com, Linux and the whole FOSS enthusiast, Linux System Admin and a Blue Teamer who loves to share technological tips and hacks with others as a way of sharing knowledge as: "In vain have you acquired knowledge if you have not imparted it to others".
