25.6.1. Editing /etc/openldap/slapd.conf

25.6.1. Editing /etc/openldap/slapd.conf

To use the slapd LDAP server, modify its configuration file, /etc/openldap/slapd.conf, to specify the correct domain and server.

The suffix line names the domain for which the LDAP server provides information and should be changed from:

suffix          "dc=your-domain,dc=com"

Edit it accordingly so that it reflects a fully qualified domain name. For example:

suffix          "dc=example,dc=com"

The rootdn entry is the Distinguished Name (DN) for a user who is unrestricted by access controls or administrative limit parameters set for operations on the LDAP directory. The rootdn user can be thought of as the root user for the LDAP directory. In the configuration file, change the rootdn line from its default value as in the following example:

rootdn          "cn=root,dc=example,dc=com"

When populating an LDAP directory over a network, change the rootpw line — replacing the default value with an encrypted password string. To create an encrypted password string, type the following command:


When prompted, type and then re-type a password. The program prints the resulting encrypted password to the shell prompt.

Next, copy the newly created encrypted password into the /etc/openldap/slapd.conf on one of the rootpw lines and remove the hash mark (#).

When finished, the line should look similar to the following example:

rootpw {SSHA}vv2y+i6V6esazrIv70xSSnNAJE18bb2u


LDAP passwords, including the rootpw directive specified in /etc/openldap/slapd.conf, are sent over the network unencrypted, unless TLS encryption is enabled.

To enable TLS encryption, review the comments in /etc/openldap/slapd.conf and refer to the man page for slapd.conf.

For added security, the rootpw directive should be commented out after populating the LDAP directory by preceding it with a hash mark (#).

When using the /usr/sbin/slapadd command line tool locally to populate the LDAP directory, use of the rootpw directive is not necessary.


Only the root user can use /usr/sbin/slapadd. However, the directory server runs as the ldap user. Therefore, the directory server is unable to modify any files created by slapadd. To correct this issue, after using slapadd, type the following command:

chown -R ldap /var/lib/ldap

Note: This documentation is provided {and copyrighted} by Red Hat®, Inc. and is released via the Open Publication License. The copyright holder has added the further requirement that Distribution of substantively modified versions of this document is prohibited without the explicit permission of the copyright holder. The CentOS project redistributes these original works (in their unmodified form) as a reference for CentOS-5 because CentOS-5 is built from publicly available, open source SRPMS. The documentation is unmodified to be compliant with upstream distribution policy. Neither CentOS-5 nor the CentOS Project are in any way affiliated with or sponsored by Red Hat®, Inc.