Install and Setup OpenLDAP Server on Debian 11

Follow through this tutorial to learn how to install and setup OpenLDAP Server on Debian 11.

Installing OpenLDAP Server on Debian 11

Run System Update

Before you begin, ensure your system package cache is up-to-date.

apt update

apt upgrade

Build and Install OpenLDAP Server on Debian 11

The default Debian 11 repositories provides OpenLDAP 2.4.57;

apt-cache policy slapd

slapd:
  Installed: (none)
  Candidate: 2.4.57+dfsg-3
  Version table:
     2.4.57+dfsg-3 500
        500 http://deb.debian.org/debian bullseye/main amd64 Packages

As of this writing, OpenLDAP 2.5.7 is the current stable release, as per the release page.

To ensure you run the latest version of OpenLDAP, you need then to build it from the source.

Create OpenLDAP System Account

Create a non-privileged system user to run OpenLDAP.

useradd -r -M -d /var/lib/openldap -s /usr/sbin/nologin ldap

Install Required Dependencies and Build Tools

There are quite a number of dependencies and build tools required for a successful build and compilation OpenLDAP from the source which can be installed by running the command below;

apt install libsasl2-dev make libtool build-essential openssl \
libevent-dev libargon2-dev sudo wget pkg-config wiredtiger \
libsystemd-dev libssl-dev

Download OpenLDAP Source Code

Navigate to the OpenLDAP download’s page and grab the tarball.

VER=2.5.7

wget https://www.openldap.org/software/download/OpenLDAP/openldap-release/openldap-$VER.tgz

Extract the OpenLDAP Source Code

The tarball can be extracted by running the command;

tar xzf openldap-$VER.tgz

Install OpenLDAP Server on Debian 11

Compile and install OpenLDAP server on Debian 11 as follows;

cd openldap-$VER

./configure --prefix=/usr --sysconfdir=/etc --disable-static \
--enable-debug --with-tls=openssl --with-cyrus-sasl \
--enable-dynamic --enable-crypt --enable-spasswd \
--enable-slapd --enable-modules --enable-rlookups \
--enable-backends=mod --disable-sql --enable-ppolicy=mod \
--enable-syslog --enable-overlays=mod --with-systemd --enable-wt=no

If the command ends with an error, fix it before you can proceed. Otherwise, with no error, the command should end with such output;

...
config.status: executing libtool commands
config.status: executing default commands
Making servers/slapd/backends.c
    Add config ...
    Add ldif ...
    Add monitor ...
Making servers/slapd/overlays/statover.c
    Add ppolicy ...
Please run "make depend" to build dependencies

Next, run the make depend command to build OpenLDAP dependencies.

make depend

Compile OpenLDAP on Debian 11.

make

make install

Configuring OpenLDAP on Debian 11

Create Data and Database Directories

Create OpenLDAP data and database directories

mkdir /var/lib/openldap /etc/openldap/slapd.d

Set the proper ownership and permissions on OpenLDAP directories and configuration files.

chown -R ldap:ldap /var/lib/openldap

chown root:ldap /etc/openldap/slapd.conf

chmod 640 /etc/openldap/slapd.conf

Update OpenLDAP Service

We will update the created OpenLDAP service file;

mv /lib/systemd/system/slapd.service{,.old}

cat > /etc/systemd/system/slapd.service << 'EOL'
[Unit]
Description=OpenLDAP Server Daemon
After=syslog.target network-online.target
Documentation=man:slapd
Documentation=man:slapd-mdb

[Service]
Type=forking
PIDFile=/var/lib/openldap/slapd.pid
Environment="SLAPD_URLS=ldap:/// ldapi:/// ldaps:///"
Environment="SLAPD_OPTIONS=-F /etc/openldap/slapd.d"
ExecStart=/usr/libexec/slapd -u ldap -g ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS

[Install]
WantedBy=multi-user.target
EOL

Create OpenLDAP SUDO Schema

To configure LDAP with support sudo, first, install sudo-ldap package.

apt install sudo-ldap

You can then verify the sudo OpenLDAP.

sudo -V |  grep -i "ldap"

If sudo supports LDAP, you should see the lines below;

...
ldap.conf path: /etc/sudo-ldap.conf
ldap.secret path: /etc/ldap.secret

Check if LDAP sudo schema is available.

find /usr/share/doc/ -iname schema.openldap

/usr/share/doc/sudo-ldap/schema.OpenLDAP

Copy the schema.OpenLDAP to the schema directory.

cp /usr/share/doc/sudo-ldap/schema.OpenLDAP  /etc/openldap/schema/sudo.schema

Next, you need to create sudo schema ldif file.

Run the command below to create the sudo.ldif file. This ldif file is obtained from Lullabot github repository.

cat << 'EOL' > /etc/openldap/schema/sudo.ldif
dn: cn=sudo,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: sudo
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may  run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 'Command(s) to be executed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs' DESC 'User(s) impersonated by sudo (deprecated)' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption' DESC 'Options(s) followed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.6 NAME 'sudoRunAsUser' DESC 'User(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.7 NAME 'sudoRunAsGroup' DESC 'Group(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcObjectClasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL DESC 'Sudoer Entries' MUST ( cn ) MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ sudoRunAsGroup $ sudoOption $ description ) )
EOL

Update SLAPD Database

Edit the SLAPD LDIF file, /etc/openldap/slapd.ldif, and update it as follows;

mv /etc/openldap/slapd.ldif{,.bak}

cat > /etc/openldap/slapd.ldif << 'EOL'
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/lib/openldap/slapd.args
olcPidFile: /var/lib/openldap/slapd.pid

dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema

dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/libexec/openldap
olcModuleload: back_mdb.la

include: file:///etc/openldap/schema/core.ldif
include: file:///etc/openldap/schema/cosine.ldif
include: file:///etc/openldap/schema/nis.ldif
include: file:///etc/openldap/schema/inetorgperson.ldif
include: file:///etc/openldap/schema/sudo.ldif
#include: file:///etc/openldap/schema/ppolicy.ldif
dn: olcDatabase=frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: frontend
olcAccess: to dn.base="cn=Subschema" by * read
olcAccess: to * 
  by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage 
  by * none

dn: olcDatabase=config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: config
olcRootDN: cn=config
olcAccess: to * 
  by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage 
  by * none
EOL

• To update the SLAPD database from the information provided on the SLAPD LDIF file above, use slapadd command with the option -n 0 which creates the first database.
• To specify the configuration directory, /etc/openldap/slapd.d, use option -F and option -l to specify location of the LDIF file above.

Before you can write the changes to the database, perform a dry run to see what would happen. Pass -u option to slapadd command.

slapadd -n 0 -F /etc/openldap/slapd.d -l /etc/openldap/slapd.ldif -u

If the command do not output anything, then all is fine.

Then implement the changes if all is well.

slapadd -n 0 -F /etc/openldap/slapd.d -l /etc/openldap/slapd.ldif

This command creates slapd database configurations under /etc/openldap/slapd.d directory.

ls /etc/openldap/slapd.d

'cn=config'  'cn=config.ldif'

Set the user and group ownership of the /etc/openldap/slapd.d directory and the files in it to ldap user.

chown -R ldap:ldap /etc/openldap/slapd.d

Running OpenLDAP Service

Reload systemd configurations and start OpenLDAP service.

systemctl daemon-reload

systemctl enable --now slapd

Check status;

systemctl status slapd

● slapd.service - OpenLDAP Server Daemon
     Loaded: loaded (/etc/systemd/system/slapd.service; enabled; vendor preset: enabled)
     Active: active (running) since Thu 2021-09-16 07:49:19 EAT; 3min 32s ago
       Docs: man:slapd
             man:slapd-mdb
   Main PID: 1422 (slapd)
      Tasks: 4 (limit: 2341)
     Memory: 3.0M
        CPU: 31ms
     CGroup: /system.slice/slapd.service
             └─1422 /usr/libexec/slapd -u ldap -g ldap -h ldap:/// ldapi:/// ldaps:/// -F /etc/openldap/slapd.d

Sep 16 07:49:19 bullseye.kifarunix-demo.com systemd[1]: Started OpenLDAP Server Daemon.
Sep 16 07:49:34 bullseye.kifarunix-demo.com slapd[1422]: conn=1000 fd=12 ACCEPT from PATH=/usr/var/run/ldapi (PATH=/usr/var/run/ldapi)
Sep 16 07:49:34 bullseye.kifarunix-demo.com slapd[1422]: conn=1000 op=0 BIND dn="" method=163
Sep 16 07:49:34 bullseye.kifarunix-demo.com slapd[1422]: conn=1000 op=0 BIND authcid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumb>
Sep 16 07:49:34 bullseye.kifarunix-demo.com slapd[1422]: conn=1000 op=0 BIND dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" mech=EXTERNAL bind_ssf=0 ssf=71
Sep 16 07:49:34 bullseye.kifarunix-demo.com slapd[1422]: conn=1000 op=0 RESULT tag=97 err=0 qtime=0.000058 etime=0.000590 text=
Sep 16 07:49:34 bullseye.kifarunix-demo.com slapd[1422]: conn=1000 op=1 SRCH base="cn=config" scope=2 deref=0 filter="(objectClass=*)"
Sep 16 07:49:34 bullseye.kifarunix-demo.com slapd[1422]: conn=1000 op=1 SEARCH RESULT tag=101 err=0 qtime=0.000039 etime=0.002017 nentries=10 text=
Sep 16 07:49:34 bullseye.kifarunix-demo.com slapd[1422]: conn=1000 op=2 UNBIND
Sep 16 07:49:34 bullseye.kifarunix-demo.com slapd[1422]: conn=1000 fd=12 closed

Configure OpenLDAP Logging on Debian 11

By default, OpenLDAP logging level is set to none which is required to have high priority messages only logged.

You can change this to a different log level, say to stats level (logs connections/operations/results), run the command below;

ldapmodify -Y EXTERNAL -H ldapi:/// -Q

The copy and paste the content below on the prompt to modify the log level.

dn: cn=config
changeType: modify
replace: olcLogLevel
olcLogLevel: stats

Next, press ENTER twice. Once you see a line, modifying entry "cn=config", then press Ctrl+d.

You can as well use LDIF files to update this information if you like.

To confirm the changes;

ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config "(objectClass=olcGlobal)" olcLogLevel -LLL -Q

dn: cn=config
olcLogLevel: stats

Next, you need to specify the log file for OpenLDAP on Rsyslog configuration. By default, OpenLDAP logs to local4 facility, hence, to configure it to log to /var/log/slapd.log for example, execute the command below;

echo "local4.* /var/log/slapd.log" >> /etc/rsyslog.d/51-slapd.conf

Restart Rsyslog and SLAPD service

systemctl restart rsyslog slapd

You should now be able to read the LDAP logs on, /var/log/slapd.log.

You can as well configure log rotation;

cat > /etc/logrotate.d/slapd << EOL
/var/log/slapd.log
{ 
        rotate 7
        daily
        missingok
        notifempty
        delaycompress
        compress
        postrotate
                /usr/lib/rsyslog/rsyslog-rotate
        endscript
}
EOL

Restart log rotation service;

systemctl restart logrotate

Create OpenLDAP Default Root DN

Next, create MDB database defining the root DN as well as the access control lists.

First, generate the root DN password.

slappasswd

New password: ENTER PASSWORD
Re-enter new password: RE-ENTER PASSWORD
{SSHA}OH74PoJJKTsYIEg75iuwGk0OKbJ8y/BD

Copy and paste the password hash generated above, {SSHA}OH74PoJJKTsYIEg75iuwGk0OKbJ8y/BD, as the value of olcRootPW in the Root DN ldif file below.

Replace the domain components, dc=ldapmaster,dc=kifarunix-demo,dc=com with your appropriate names.

cat > rootdn.ldif << 'EOL'
dn: olcDatabase=mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: mdb
olcDbMaxSize: 42949672960
olcDbDirectory: /var/lib/openldap
olcSuffix: dc=ldapmaster,dc=kifarunix-demo,dc=com
olcRootDN: cn=admin,dc=ldapmaster,dc=kifarunix-demo,dc=com
olcRootPW: {SSHA}OH74PoJJKTsYIEg75iuwGk0OKbJ8y/BD
olcDbIndex: uid pres,eq
olcDbIndex: cn,sn pres,eq,approx,sub
olcDbIndex: mail pres,eq,sub
olcDbIndex: objectClass pres,eq
olcDbIndex: loginShell pres,eq
olcDbIndex: sudoUser,sudoHost pres,eq
olcAccess: to attrs=userPassword,shadowLastChange,shadowExpire
  by self write
  by anonymous auth
  by dn.subtree="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage 
  by dn.subtree="ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com" read
  by * none
olcAccess: to dn.subtree="ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com" by dn.subtree="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
  by * none
olcAccess: to dn.subtree="dc=ldapmaster,dc=kifarunix-demo,dc=com" by dn.subtree="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
  by users read 
  by * none
EOL

Read more about ACL on OpenLDAP Access Control.

Updated the slapd database with the content above;

ldapadd -Y EXTERNAL -H ldapi:/// -f rootdn.ldif

Sample command output;

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "olcDatabase=mdb,cn=config"

Configure OpenLDAP with SSL/TLS

To secure OpenLDAP communication between the client and the server, configured it to use SSL/TLS certificates.

In this guide, we are self-signed certificates. You can choose to obtain the commercially signed and trusted certificates from your preferred CAs, for production environments.

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout \
/etc/ssl/ldapserver.key -out /etc/ssl/ldapserver.crt

chown ldap:ldap /etc/ssl/{ldapserver.crt,ldapserver.key}

Update the OpenLDAP Server TLS certificates attributes.

cat > tls.ldif << 'EOL'
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/ldapserver.crt
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/ldapserver.crt
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/ldapserver.key
EOL

Note that we have used self-signed certificate as both the certificate and the CA certificate.

ldapadd -Y EXTERNAL -H ldapi:/// -f tls.ldif

You can confirm this by running;

slapcat -b "cn=config" | grep olcTLS

olcTLSCACertificateFile: /etc/ssl/ldapserver.crt
olcTLSCertificateFile: /etc/ssl/ldapserver.crt
olcTLSCertificateKeyFile: /etc/ssl/ldapserver.key

Change the location of the CA certificate on /etc/ldap/ldap.conf.

sed -i 's|/etc/ssl/certs/ca-certificates.crt|/etc/ssl/ldapserver.crt|' /etc/ldap/ldap.conf

Create OpenLDAP Base DN

Next, create your base DN or search base to define your organization structure and directory.

Replace the domain components and organization units accordingly.

cat > basedn.ldif << 'EOL'
dn: dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: dcObject
objectClass: organization
objectClass: top
o: Kifarunix-demo
dc: ldapmaster

dn: ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: organizationalUnit
objectClass: top
ou: groups

dn: ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: organizationalUnit
objectClass: top
ou: people
EOL

ldapadd -Y EXTERNAL -H ldapi:/// -f basedn.ldif

Sample output;

...
adding new entry "dc=ldapmaster,dc=kifarunix-demo,dc=com"

adding new entry "ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com"

adding new entry "ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com"

Create OpenLDAP User Accounts

You can add users to your OpenLDAP server. Create an ldif file to define your users as follows.

cat > users.ldif << 'EOL'
dn: uid=johndoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: johndoe
cn: John
sn: Doe
loginShell: /bin/bash
uidNumber: 10000
gidNumber: 10000
homeDirectory: /home/johndoe
shadowMax: 60
shadowMin: 1
shadowWarning: 7
shadowInactive: 7
shadowLastChange: 0

dn: cn=johndoe,ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: posixGroup
cn: johndoe
gidNumber: 10000
memberUid: johndoe
EOL

Add the user to the OpenLDAP database.

ldapadd -Y EXTERNAL -H ldapi:/// -f users.ldif

Setting password for LDAP User

To set the password for user above, run the command below;

ldappasswd -H ldapi:/// -Y EXTERNAL -S "uid=johndoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com"

Create OpenLDAP Bind DN and Bind DN User

Bind DN user is used for performing LDAP operations such as resolving User IDs and group IDs.

In this guide, we create a bind DN ou called system.

Note the access controls associated with this ou as defined on the root DN above.

List the Access control lists on the database;

ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config '(olcDatabase={1}mdb)' olcAccess

dn: olcDatabase={1}mdb,cn=config
olcAccess: {0}to attrs=userPassword,shadowLastChange,shadowExpire by self writ
 e by anonymous auth by dn.subtree="gidNumber=0+uidNumber=0,cn=peercred,cn=ext
 ernal,cn=auth" manage  by dn.subtree="ou=system,dc=ldapmaster,dc=kifarunix-de
 mo,dc=com" read by * none
olcAccess: {1}to dn.subtree="ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com"
  by dn.subtree="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" mana
 ge by * none
olcAccess: {2}to dn.subtree="dc=ldapmaster,dc=kifarunix-demo,dc=com" by dn.sub
 tree="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by user
 s read  by * none

Create the LDAP BindDN user password.

slappasswd

New password: 
Re-enter new password: 
{SSHA}51i5ZSBTbCULaS8IwRrLDnrcsrM00czf

Copy and Paste the password hash value above as the value of userPassword attribute in the file below;

cat > bindDNuser.ldif << 'EOL'
dn: ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: organizationalUnit
objectClass: top
ou: system

dn: cn=readonly,ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: readonly
userPassword: {SSHA}51i5ZSBTbCULaS8IwRrLDnrcsrM00czf
description: Bind DN user for LDAP Operations
EOL

ldapadd -Y EXTERNAL -H ldapi:/// -f bindDNuser.ldif

Enable OpenLDAP Password Policies

If you want to implement OpenLDAP password policies, ensure that the Password Policy Schema is enabled.

To enable the Password policy schema, run the command below;

cat > ppolicy.ldif << 'EOL'
dn: cn=ppolicy,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: ppolicy
olcAttributeTypes: {0}( 1.3.6.1.4.1.42.2.27.8.1.1 NAME 'pwdAttribute' EQUALITY
  objectIdentifierMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
olcAttributeTypes: {1}( 1.3.6.1.4.1.42.2.27.8.1.2 NAME 'pwdMinAge' EQUALITY in
 tegerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
  SINGLE-VALUE )
olcAttributeTypes: {2}( 1.3.6.1.4.1.42.2.27.8.1.3 NAME 'pwdMaxAge' EQUALITY in
 tegerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
  SINGLE-VALUE )
olcAttributeTypes: {3}( 1.3.6.1.4.1.42.2.27.8.1.4 NAME 'pwdInHistory' EQUALITY
  integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1
 .27 SINGLE-VALUE )
olcAttributeTypes: {4}( 1.3.6.1.4.1.42.2.27.8.1.5 NAME 'pwdCheckQuality' EQUAL
 ITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.12
 1.1.27 SINGLE-VALUE )
olcAttributeTypes: {5}( 1.3.6.1.4.1.42.2.27.8.1.6 NAME 'pwdMinLength' EQUALITY
  integerMatch ORDERING integerOrderingMatch  SYNTAX 1.3.6.1.4.1.1466.115.121.
 1.27 SINGLE-VALUE )
olcAttributeTypes: {6}( 1.3.6.1.4.1.42.2.27.8.1.7 NAME 'pwdExpireWarning' EQUA
 LITY integerMatch ORDERING integerOrderingMatch  SYNTAX 1.3.6.1.4.1.1466.115.
 121.1.27 SINGLE-VALUE )
olcAttributeTypes: {7}( 1.3.6.1.4.1.42.2.27.8.1.8 NAME 'pwdGraceAuthNLimit' EQ
 UALITY integerMatch ORDERING integerOrderingMatch  SYNTAX 1.3.6.1.4.1.1466.11
 5.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {8}( 1.3.6.1.4.1.42.2.27.8.1.9 NAME 'pwdLockout' EQUALITY b
 ooleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcAttributeTypes: {9}( 1.3.6.1.4.1.42.2.27.8.1.10 NAME 'pwdLockoutDuration' E
 QUALITY integerMatch ORDERING integerOrderingMatch  SYNTAX 1.3.6.1.4.1.1466.1
 15.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {10}( 1.3.6.1.4.1.42.2.27.8.1.11 NAME 'pwdMaxFailure' EQUAL
 ITY integerMatch ORDERING integerOrderingMatch  SYNTAX 1.3.6.1.4.1.1466.115.1
 21.1.27 SINGLE-VALUE )
olcAttributeTypes: {11}( 1.3.6.1.4.1.42.2.27.8.1.12 NAME 'pwdFailureCountInter
 val' EQUALITY integerMatch ORDERING integerOrderingMatch  SYNTAX 1.3.6.1.4.1.
 1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {12}( 1.3.6.1.4.1.42.2.27.8.1.13 NAME 'pwdMustChange' EQUAL
 ITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcAttributeTypes: {13}( 1.3.6.1.4.1.42.2.27.8.1.14 NAME 'pwdAllowUserChange' 
 EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcAttributeTypes: {14}( 1.3.6.1.4.1.42.2.27.8.1.15 NAME 'pwdSafeModify' EQUAL
 ITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcAttributeTypes: {15}( 1.3.6.1.4.1.4754.1.99.1 NAME 'pwdCheckModule' DESC 'L
 oadable module that instantiates "check_password() function' EQUALITY caseExa
 ctIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {16}( 1.3.6.1.4.1.42.2.27.8.1.30 NAME 'pwdMaxRecordedFailur
 e' EQUALITY integerMatch ORDERING integerOrderingMatch  SYNTAX 1.3.6.1.4.1.
 1466.115.121.1.27 SINGLE-VALUE )
olcObjectClasses: {0}( 1.3.6.1.4.1.4754.2.99.1 NAME 'pwdPolicyChecker' SUP top
  AUXILIARY MAY pwdCheckModule )
olcObjectClasses: {1}( 1.3.6.1.4.1.42.2.27.8.2.1 NAME 'pwdPolicy' SUP top AUXI
 LIARY MUST pwdAttribute MAY ( pwdMinAge $ pwdMaxAge $ pwdInHistory $ pwdCheck
 Quality $ pwdMinLength $ pwdExpireWarning $ pwdGraceAuthNLimit $ pwdLockout $
  pwdLockoutDuration $ pwdMaxFailure $ pwdFailureCountInterval $ pwdMustChange
  $ pwdAllowUserChange $ pwdSafeModify $ pwdMaxRecordedFailure ) )
EOL

ldapadd -Y EXTERNAL -H ldapi:/// -f ppolicy.ldif

Next, read the guide below to learn how to implement password policies.

Implement OpenLDAP Password Policies

Allow OpenLDAP Service on Firewall

If UFW is running, allow OpenLDAP (both LDAP and LDAPS) external access;

ufw allow "OpenLDAP LDAP"

ufw allow "OpenLDAP LDAPS"

Authenticate Via OpenLDAP Server

To verify that users can actually connect to the systems via the OpenLDAP server, you need to configure OpenLDAP clients on the remote systems.

See the guides below;

Configure SSSD for LDAP Authentication on Rocky Linux 8

Install and Configure SSSD for OpenLDAP Authentication on Fedora 32/31/30

Configure SSSD for LDAP Authentication on Ubuntu 20.04