Centos 7 openldap server installation
Updated at by ospi
Install and enable openldap
yum install openldap-servers openldap-clients
systemctl enable slapd.service
systemctl start slapd.service
Set password for the configuration database cn=config
slappasswd -s derp
{SSHA}+UAHWamdiKoLqE/6jUBVPninzX2eRUHV
Create an LDIF file set_config_password.ldif
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}+UAHWamdiKoLqE/6jUBVPninzX2eRUHV
Modify olcDatabase={0}config,cn=config
ldapmodify -Y EXTERNAL -H ldapi:/// -f set_config_password.ldif
Set the TLS certificate and key, enforce TLS (tls=1) and restrict ciphers to modern ones (TLSv1.2 without eNULL and aNULL): edit set_use_tls.ldif
dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/pki/tls/certs/ldap.local.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/pki/tls/private/ldap.local.key
-
add: olcSecurity
olcSecurity: tls=1
-
add: olcTLSCipherSuite
olcTLSCipherSuite: TLSv1.2:!eNULL:!aNULL
Note: tls=1 will lock you out of socket connections (ldapi:///), since they carry no TLS, and ldap.local.key must be readable by the ldap user or group
Modify cn=config
ldapmodify -Y EXTERNAL -H ldapi:/// -f set_use_tls.ldif
Restart
systemctl restart slapd
And from this point on ldapmodify connects via port 389 with STARTTLS (-Z)
ldapmodify -Z -H ldap://localhost -D "cn=config" -w derp
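To check that an exported cn=config (for example from `slapcat -n 0`) actually carries the settings from set_use_tls.ldif, here is an added Python audit script; it is not part of the original post, assumes the attribute names and values shown above, and runs on a constructed before/after sample.

```python
import re

# Constructed samples (not from the original post): cn=config as `slapcat -n 0`
# would export it, before and after applying set_use_tls.ldif.
WEAK_CONFIG = """\
dn: cn=config
olcTLSCertificateFile: /etc/pki/tls/certs/ldap.local.crt
olcTLSCertificateKeyFile: /etc/pki/tls/private/ldap.local.key
"""
HARDENED_CONFIG = WEAK_CONFIG + """\
olcSecurity: tls=1
olcTLSCipherSuite: TLSv1.2:
 !eNULL:!aNULL
"""

def parse_ldif(text):
    """Minimal LDIF parser -> {dn: {attr: [values]}}; unfolds continuation
    lines (leading space), skips comments, a blank line ends an entry."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]      # folded line continues previous value
        else:
            unfolded.append(raw)
    entries, attrs = {}, {}
    for line in unfolded + [""]:
        if not line.strip():
            if "dn" in attrs:
                entries[attrs["dn"][0]] = attrs
            attrs = {}
        elif not line.startswith("#") and ": " in line:
            name, value = line.split(": ", 1)
            attrs.setdefault(name, []).append(value.strip())
    return entries

def audit_tls(config_ldif):
    """Findings for cn=config; an empty list means the hardening is in place."""
    cfg = parse_ldif(config_ldif).get("cn=config", {})
    findings = [a + " not set" for a in ("olcTLSCertificateFile",
                "olcTLSCertificateKeyFile") if a not in cfg]
    # tls=N demands TLS strength >= N on every operation; N >= 1 refuses cleartext
    tls = re.search(r"\btls=(\d+)", " ".join(cfg.get("olcSecurity", [])))
    if not tls or int(tls.group(1)) < 1:
        findings.append("olcSecurity lacks tls=1: cleartext binds accepted")
    suite = cfg.get("olcTLSCipherSuite", [""])[0]
    for weak in ("eNULL", "aNULL"):      # no encryption / no peer authentication
        if "!" + weak not in suite:
            findings.append("olcTLSCipherSuite does not exclude " + weak)
    return findings
```

On a live server, feed it the output of `slapcat -n 0` instead of the constructed sample.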
Notes
Adding the self-signed certificate to OpenLDAP's certificate database (NSS) as a trusted CA
certutil -A -n "ldap.local" -d /etc/openldap/certs -t C,, -a -i /etc/pki/tls/certs/ldap.local.crt