Modern OpenLDAP installations (2.4+) use a runtime configuration system stored in LDIF format under /etc/openldap/slapd.d/. This replaces the traditional slapd.conf file. The main advantage is that configuration changes can be made dynamically while the server is running.
First, verify your installation is running:
sudo systemctl status slapd
sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config dn
If the output lists the cn=config DNs but no olcDatabase={1}mdb (or similar) entry, your server is running but has no database configured yet.
We'll create a minimal database configuration. Create a file named base.ldif:
dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcSuffix: dc=example,dc=com
olcRootDN: cn=admin,dc=example,dc=com
olcRootPW: {SSHA}hashedpassword
olcDbDirectory: /var/lib/ldap
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
Add this configuration:
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f base.ldif
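It pays to check a cn=config LDIF offline before handing it to ldapadd, because slapd's error messages for a malformed database entry are terse. The following is an added example written for this page (Python; it is not OpenLDAP code and not part of the answer above). The LDIF texts inside it are constructed samples modelled on base.ldif, the {SSHA} value is a made-up string of the right shape rather than a real hash, and the function names (parse_ldif, lint_database_entry, lint_ldif) are my own. It parses the file, rejects two entries that were not separated by a blank line (the most common LDIF mistake), and flags a cleartext olcRootPW, a relative olcDbDirectory, an RDN/olcDatabase mismatch, and a database with no olcAccess at all, which slapd.access(5) treats as "anyone may read anything", userPassword included.

```python
"""Offline lint for an OpenLDAP cn=config database LDIF before ldapadd.

Added example for this page; the LDIF texts below are constructed samples
modelled on base.ldif above, not files from any real host.
"""
import base64

# Password-hash scheme prefixes accepted by slapd (slappasswd output starts with one).
HASH_SCHEMES = ("{SSHA}", "{SHA}", "{SMD5}", "{MD5}", "{CRYPT}", "{PBKDF2", "{ARGON2}")

# Constructed sample: the {SSHA} value is a placeholder of the right shape, not a real hash.
GOOD_LDIF = """\
dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcSuffix: dc=example,dc=com
olcRootDN: cn=admin,dc=example,dc=com
olcRootPW: {SSHA}6pScD8N3o1zBCafJ5yuYGw7uc+wvF2Ja
olcDbDirectory: /var/lib/ldap
olcDbIndex: objectClass eq,pres
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to * by * read
"""

# Constructed sample with four defects: RDN/olcDatabase mismatch, cleartext rootpw,
# relative directory, and no ACLs.
BAD_LDIF = """\
dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {2}mdb
olcSuffix: dc=example,dc=com
olcRootDN: cn=admin,dc=example,dc=com
olcRootPW: secret
olcDbDirectory: var/lib/ldap
"""

# Constructed sample: two entries with no blank line between them.
UNSEPARATED_LDIF = """\
dn: dc=example,dc=com
objectClass: dcObject
dc: example
dn: cn=admin,dc=example,dc=com
objectClass: organizationalRole
cn: admin
"""


def parse_ldif(text):
    """Return a list of entries, each a dict of lowercased attribute -> list of values.

    Handles '#' comments, '::' base64 values and leading-space line folding.
    Raises ValueError when an entry contains a second 'dn:' line, which is what
    a missing blank-line separator looks like to an LDIF parser.
    """
    entries, current, last = [], {}, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():
            if current:
                entries.append(current)
            current, last = {}, None
            continue
        if raw.startswith(" ") and last:          # folded continuation line
            current[last][-1] += raw[1:]
            continue
        attr, sep, value = raw.partition(":")
        if not sep:
            raise ValueError(f"not an attribute line: {raw!r}")
        attr = attr.strip().lower()
        if value.startswith(":"):                  # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        if attr == "dn" and "dn" in current:
            raise ValueError(f"second dn ({value}) inside entry {current['dn'][0]}: "
                             "separate entries with a blank line")
        current.setdefault(attr, []).append(value)
        last = attr
    if current:
        entries.append(current)
    return entries


def lint_database_entry(entry):
    """Return a list of problems for one olcDatabase={N}xxx,cn=config entry."""
    def first(attr):
        return entry.get(attr, [""])[0]

    problems = []
    rdn = first("dn").split(",", 1)[0]                      # e.g. olcDatabase={1}mdb
    if rdn.split("=", 1)[1] != first("olcdatabase"):
        problems.append("olcDatabase value does not match the entry RDN")
    if "olcmdbconfig" not in {c.lower() for c in entry.get("objectclass", [])}:
        problems.append("missing objectClass olcMdbConfig")
    if not first("olcsuffix"):
        problems.append("olcSuffix missing")
    if first("olcrootpw") and not first("olcrootpw").upper().startswith(HASH_SCHEMES):
        problems.append("olcRootPW is cleartext; use the output of slappasswd")
    if first("olcdbdirectory") and not first("olcdbdirectory").startswith("/"):
        problems.append("olcDbDirectory must be an absolute path")
    if "olcaccess" not in entry:
        problems.append("no olcAccess: slapd's default policy lets anyone read "
                        "every attribute, userPassword included")
    return problems


def lint_ldif(text):
    """Map each database entry DN in the LDIF to its list of problems."""
    return {e["dn"][0]: lint_database_entry(e)
            for e in parse_ldif(text) if e["dn"][0].lower().startswith("olcdatabase=")}


if __name__ == "__main__":
    for name, text in (("good", GOOD_LDIF), ("bad", BAD_LDIF)):
        for dn, problems in lint_ldif(text).items():
            print(name, dn, problems or "OK")
    try:
        parse_ldif(UNSEPARATED_LDIF)
    except ValueError as err:
        print("unseparated:", err)
```

Run it on your own base.ldif by replacing the sample text; an empty problem list means the entry has the shape slapd expects, not that the ACLs are right for your site.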
Create another file, structure.ldif, for your DIT (LDIF entries must be separated by a blank line):
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: Example Organization
dc: example

dn: cn=admin,dc=example,dc=com
objectClass: organizationalRole
cn: admin
description: LDAP administrator
Add this to your database:
ldapadd -x -D "cn=admin,dc=example,dc=com" -W -f structure.ldif
In Luma or another GUI client:
- Create a new connection
- Set the base DN to dc=example,dc=com
- Use cn=admin,dc=example,dc=com for binding
- Set the connection method to "Simple"
If you get "No such object":
# Check what databases exist
ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcDatabase
# Verify ACLs allow reading
ldapsearch -Y EXTERNAL -H ldapi:/// -b olcDatabase={1}mdb,cn=config
Consider adding these security measures. The ppolicy overlay needs the ppolicy schema loaded first (and on RPM builds olcModuleLoad: ppolicy), and the default policy entry lives in the data DIT, so create ou=policies,dc=example,dc=com before adding it:
# Hash cleartext passwords server-wide; olcPasswordHash is an attribute of cn=config itself
dn: cn=config
changetype: modify
replace: olcPasswordHash
olcPasswordHash: {SSHA}

# Enable the password policy overlay on the database
dn: olcOverlay={0}ppolicy,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: {0}ppolicy
olcPPolicyDefault: cn=default,ou=policies,dc=example,dc=com
olcPPolicyHashCleartext: TRUE

# Default policy entry (add as the rootdn); pwdMinLength 8 is an example value
dn: cn=default,ou=policies,dc=example,dc=com
objectClass: person
objectClass: pwdPolicy
cn: default
sn: default
pwdAttribute: userPassword
pwdMinLength: 8
When setting up OpenLDAP 2.4+ on RHEL-based systems like Oracle Linux, the shift from slapd.conf to the dynamic slapd.d configuration often leaves administrators confused. The core issue shows up when a client such as Luma fails to browse the directory with "No such object" errors, which indicates that no base DN (suffix) has been configured for the database.
First confirm your installation status:
# Check installed packages
rpm -qa | grep openldap-servers
# Verify slapd is running
systemctl status slapd
The critical step missing in most guides is creating the initial database structure. Save the following as an LDIF file and apply it with ldapmodify over ldapi:/// (entries are separated by blank lines, and the separate modifications to one entry by a line containing only "-"):
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=example,dc=com" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=example,dc=com
-
replace: olcRootDN
olcRootDN: cn=Manager,dc=example,dc=com
-
replace: olcRootPW
olcRootPW: {SSHA}hashedpassword
-
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=Manager,dc=example,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=example,dc=com" write by * read
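The order of the three olcAccess rules matters: slapd evaluates them top to bottom, the first <to> clause that matches the target decides, and within it the first matching <by> clause decides, so the userPassword rule must come before the catch-all "to *". The following is an added example written for this page (Python; not OpenLDAP code and not from the answer above) that replays that first-match evaluation for just the syntax used in the rules above, with the rules copied from the page and a constructed variant that puts the catch-all first. The function names (parse_rule, granted_level, allows) and the sample DNs for a user are my own.

```python
"""Evaluate olcAccess rules offline: which level does a bind DN get on a target?

Added example for this page (not OpenLDAP code). It implements the
first-match evaluation described in slapd.access(5) for just the syntax
used in the rules above: <what> of '*', 'attrs=...' or 'dn.base=...', and
<who> of '*', 'anonymous', 'users', 'self', 'dn=...' or 'dn.base=...'.
"""
import shlex

# Access levels, least to most privileged (slapd.access(5)); a granted level
# implies every level below it.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# The three rules from the page in their {0},{1},{2} order (prefixes dropped;
# the list position carries the ordering).
PAGE_RULES = [
    'to attrs=userPassword,shadowLastChange by dn="cn=Manager,dc=example,dc=com" '
    'write by anonymous auth by self write by * none',
    'to dn.base="" by * read',
    'to * by dn="cn=Manager,dc=example,dc=com" write by * read',
]

# Constructed variant with the catch-all rule first, a common ordering mistake.
MISORDERED_RULES = [PAGE_RULES[2], PAGE_RULES[0], PAGE_RULES[1]]

MANAGER = "cn=Manager,dc=example,dc=com"
BOB = "uid=bob,ou=people,dc=example,dc=com"       # constructed user DN


def parse_rule(rule):
    """Split 'to <what> by <who> <level> [by <who> <level> ...]' into parts."""
    tokens = shlex.split(rule)                      # shlex strips the quotes around DNs
    if len(tokens) < 2 or tokens[0] != "to":
        raise ValueError(f"rule must start with 'to <what>': {rule!r}")
    what, clauses, i = tokens[1], [], 2
    while i < len(tokens):
        if tokens[i] != "by" or i + 2 >= len(tokens):
            raise ValueError(f"malformed <by> clause in {rule!r}")
        who, level = tokens[i + 1], tokens[i + 2]
        if level not in LEVELS:
            raise ValueError(f"unknown access level {level!r} in {rule!r}")
        clauses.append((who, level))
        i += 3
    return what, clauses


def what_matches(what, target_dn, attr):
    """Does <what> select (target_dn, attr)? attr 'entry' means the entry itself."""
    if what == "*":
        return True
    if what.startswith("attrs="):
        wanted = {a.lower() for a in what[len("attrs="):].split(",")}
        return attr.lower() in wanted
    if what.startswith("dn.base="):
        return target_dn.lower() == what[len("dn.base="):].lower()
    raise ValueError(f"unsupported <what>: {what!r}")


def who_matches(who, bind_dn, target_dn):
    """Does <who> select this bind DN? An empty bind DN is an anonymous bind."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn == ""
    if who == "users":
        return bind_dn != ""
    if who == "self":
        return bind_dn != "" and bind_dn.lower() == target_dn.lower()
    for prefix in ("dn=", "dn.exact=", "dn.base="):
        if who.startswith(prefix):
            return bind_dn.lower() == who[len(prefix):].lower()
    raise ValueError(f"unsupported <who>: {who!r}")


def granted_level(rules, bind_dn, target_dn, attr="entry"):
    """First matching <to> decides; within it the first matching <by> decides.

    A matching <to> with no matching <by>, or no matching <to> at all, gives
    'none': slapd appends an implicit 'by * none' and 'to * by * none'.
    """
    for rule in rules:
        what, clauses = parse_rule(rule)
        if not what_matches(what, target_dn, attr):
            continue
        for who, level in clauses:
            if who_matches(who, bind_dn, target_dn):
                return level
        return "none"
    return "none"


def allows(rules, bind_dn, target_dn, attr, needed):
    """True if the granted level is at least `needed`."""
    return LEVELS.index(granted_level(rules, bind_dn, target_dn, attr)) >= LEVELS.index(needed)


if __name__ == "__main__":
    for label, rules in (("page order", PAGE_RULES), ("catch-all first", MISORDERED_RULES)):
        print(f"{label}: anonymous on userPassword of {BOB} ->",
              granted_level(rules, "", BOB, "userPassword"))
```

With the page's ordering an anonymous bind gets only "auth" on userPassword (enough to authenticate, not to read the hash) while the user gets "write" on their own; with the catch-all moved first the same anonymous request is answered by "to * ... by * read" and the hash becomes readable.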
After configuring the backend, populate the directory with initial entries (again one blank line between entries):
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: Example Organization
dc: example

dn: cn=Manager,dc=example,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory Manager
Configure your LDAP browser with these parameters:
Host: localhost
Port: 389
Base DN: dc=example,dc=com
Bind DN: cn=Manager,dc=example,dc=com
If you still encounter problems:
# Check configuration errors
slaptest -u
# Verify directory content
ldapsearch -x -b "dc=example,dc=com" -D "cn=Manager,dc=example,dc=com" -W
Remember to replace example.com with your actual domain and generate proper password hashes using slappasswd.
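slappasswd's default output is the {SSHA} scheme: the literal prefix "{SSHA}" followed by base64 of SHA-1(password || salt) with the salt appended after the digest. The following is an added example written for this page (Python; not OpenLDAP code) that produces and verifies values in that format, which is useful for checking that the olcRootPW you are about to load really is a hash and for verifying an existing value offline. The function names are my own and the salt is supplied by the caller or drawn at random.

```python
"""Generate and verify OpenLDAP {SSHA} password hashes without slappasswd.

Added example for this page (not OpenLDAP code). Format, as slappasswd
emits it by default: '{SSHA}' + base64(SHA-1(password || salt) || salt).
"""
import base64
import hashlib
import hmac
import os

PREFIX = "{SSHA}"
DIGEST_LEN = 20                                   # SHA-1 output size in bytes


def ssha_hash(password, salt=None):
    """Return an {SSHA} value for `password`; a random salt is used if none is given."""
    if salt is None:
        salt = os.urandom(8)                      # the format fixes no salt length
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored, password):
    """Check `password` against a stored {SSHA} value using a constant-time compare."""
    if not stored.startswith(PREFIX):
        raise ValueError("not an {SSHA} value")
    blob = base64.b64decode(stored[len(PREFIX):])
    digest, salt = blob[:DIGEST_LEN], blob[DIGEST_LEN:]   # salt is whatever follows the digest
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def is_hashed(value):
    """True if an olcRootPW / userPassword value carries a scheme prefix rather than cleartext."""
    return value.startswith("{") and "}" in value


if __name__ == "__main__":
    h = ssha_hash("example-password")             # constructed sample password
    print(h, ssha_verify(h, "example-password"), ssha_verify(h, "wrong"))
```

{SSHA} is the long-standing default and is what the page's olcRootPW lines expect; SHA-1 is not ideal for password storage, and OpenLDAP ships optional modules for stronger schemes such as PBKDF2 and Argon2 (availability depends on version and packaging), but any scheme is far better than the cleartext value slapd will also accept.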