


Install OpenLDAP 2.4 on CentOS 7

Install packages on the server

Install rpm packages

yum -y install openldap openldap-clients openldap-servers

Generate the LDAP config file

First build a slapd.conf with a basic configuration

List schemas to add to your config file

[root@lopenldap1 ~]# mkdir ldap ; cd ldap
[root@lopenldap1 ldap]# rpm -ql openldap-servers krb5-server-ldap | grep '\.schema$' | sed -e "/README/d" -e "s/^/include /g" | tee  -a slapd.conf.temp
include /etc/openldap/schema/collective.schema
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/pmi.schema
include /etc/openldap/schema/ppolicy.schema
[root@lopenldap1 ldap]# cp /usr/share/doc/sudo-1.8.6p7/schema.OpenLDAP /etc/openldap/schema/sudo.schema
[root@lopenldap1 ldap]# echo "include /etc/openldap/schema/sudo.schema" | tee  -a slapd.conf.temp

Add suffix and login information

[root@lopenldap1 ldap]# slappasswd
New password:
Re-enter new password:
{SSHA}GtG8bcLGeN/rf1iStKFK2pu0C2EZf/RX
[root@lopenldap1 ldap]# cat >> slapd.conf.temp << EOF
database         bdb
directory /var/lib/ldap
suffix "dc=mydomain.org"
rootdn "cn=admin,dc=mydomain.org"
rootpw {SSHA}GtG8bcLGeN/rf1iStKFK2pu0C2EZf/RX
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
EOF

Add access restrictions parameters

[root@lopenldap1 ldap]# cat >> slapd.conf.temp << EOF
# All access directives until the next ^database keyword will end up in the
# /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{1\}bdb.ldif file.
# Give access to the bdb backend to SASL EXTERNAL users with UID 0 and GID 0.
access to *  by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage

# Give access to the userPassword attribute for authentication.
access to attrs=userPassword by self write by * auth

# Let everyone search this suffix but don't let them read it
# This sounds strange, but it's required by OpenLDAP 2.4.
access to dn.base=dc=mydomain.org by * search
 by * none

# Configure the monitor backend.
# All the lines below this point will end up in the
# /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}monitor.ldif file.
database monitor

# Provide access to this backend for SASL EXTERNAL users with UID 0 and GID 0
# and to the rootdn, but not to any other users.
access to *  by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
 by dn.base="cn=admin,dc=mydomain.org" manage
 by * none

# Configure the config backend.
# All lines below this point end up in the
# /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{0\}config.ldif file.
database config

# Again, let SASL EXTERNAL users with UID 0 & GID 0 users and the rootdn manage
# the configuration. But not any other users.
access to *  by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
 by dn.base="cn=admin,dc=mydomain.org" manage
 by * none

EOF

Test your config file

[root@lopenldap1 ldap]# slaptest -uf slapd.conf.temp
543f7cde /etc/openldap/schema/collective.schema: line 65 attributeType: AttributeType not found: "l"
slaptest: bad configuration file!

The test fails because collective.schema is included before core.schema, which defines the attribute it refers to. Reorder the include lines so that core, cosine and inetorgperson come first, like this:

[root@lopenldap1 ldap]# cat slapd.conf.temp
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/collective.schema
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/pmi.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/sudo.schema

database         bdb
directory /var/lib/ldap
suffix "dc=mydomain.org"
rootdn "cn=admin,dc=mydomain.org"
rootpw {SSHA}GtG8bcLGeN/rf1iStKFK2pu0C2EZf/RX

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

# All access directives until the next ^database keyword will end up in the
# /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{1\}bdb.ldif file.
# Give access to the bdb backend to SASL EXTERNAL users with UID 0 and GID 0.
access to *  by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage

# Give access to the userPassword attribute for authentication.
access to attrs=userPassword by self write by * auth

# Let everyone search this suffix but don't let them read it
# This sounds strange, but it's required by OpenLDAP 2.4.
access to dn.base=dc=mydomain.org by * search
 by * none

# Configure the monitor backend.
# All the lines below this point will end up in the
# /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}monitor.ldif file.
database monitor

# Provide access to this backend for SASL EXTERNAL users with UID 0 and GID 0
# and to the rootdn, but not to any other users.
access to *  by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
 by dn.base="cn=admin,dc=mydomain.org" manage
 by * none

# Configure the config backend.
# All lines below this point end up in the
# /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{0\}config.ldif file.
database config

# Again, let SASL EXTERNAL users with UID 0 & GID 0 users and the rootdn manage
# the configuration. But not any other users.
access to *  by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
 by dn.base="cn=admin,dc=mydomain.org" manage
 by * none

# EOF

Now the test is successful:

[root@lopenldap1 ldap]# slaptest -uf slapd.conf.temp
config file testing succeeded

Create the new configuration files for OpenLDAP 2.4

[root@lopenldap1 ldap]# slapcat -f slapd.conf.temp -F /root/ldap -n 0
dn: cn=config
objectClass: olcGlobal
cn: config
olcConfigFile: slapd.conf.temp
olcConfigDir: /root/ldap
olcAttributeOptions: lang-
olcAuthzPolicy: none
olcConcurrency: 0
olcConnMaxPending: 100
olcConnMaxPendingAuth: 1000
olcGentleHUP: FALSE
olcIdleTimeout: 0
olcIndexSubstrIfMaxLen: 4
olcIndexSubstrIfMinLen: 2
olcIndexSubstrAnyLen: 4
olcIndexSubstrAnyStep: 2
..............
[root@lopenldap1 ldap]# ll
total 12
drwxr-x---. 3 root root 4096 Oct 16 10:24 cn=config
-rw-------. 1 root root 1027 Oct 16 10:24 cn=config.ldif
-rw-r--r--. 1 root root  808 Oct 16 10:23 slapd.conf.temp

Prepare your configuration files

Clean up /etc/openldap/slapd.d and move the new config files into place:

[root@lopenldap1 ldap]# mv /etc/openldap/slapd.d /etc/openldap/slapd.d.unused
[root@lopenldap1 ldap]# mkdir /etc/openldap/slapd.d
[root@lopenldap1 ldap]# ll
total 12
drwxr-x---. 3 root root 4096 Oct 16 10:24 cn=config
-rw-------. 1 root root 1027 Oct 16 10:24 cn=config.ldif
-rw-r--r--. 1 root root  808 Oct 16 10:23 slapd.conf.temp
[root@lopenldap1 ldap]# cp -rp cn\=config* /etc/openldap/slapd.d
[root@lopenldap1 ldap]# chown -R ldap:ldap /etc/openldap/slapd.d

Prepare the DB config file:

[root@lopenldap1 ldap]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG  # (cp `rpm -ql openldap-servers | grep DB_CONFIG` /var/lib/ldap/DB_CONFIG)
[root@lopenldap1 ldap]# chown ldap:ldap /var/lib/ldap
[root@lopenldap1 ldap]# chmod 700 /var/lib/ldap

Modify /etc/sysconfig/slapd as shown below (the `-d 2` in SLAPD_OPTIONS is a debugging setting; remove it once the setup works)

[root@lopenldap1 ldap]# vi /etc/sysconfig/slapd

# OpenLDAP server configuration
# see 'man slapd' for additional information

# Where the server will run (-h option)
# - ldapi:/// is required for on-the-fly configuration using client tools
#   (use SASL with EXTERNAL mechanism for authentication)
# - default: ldapi:/// ldap:///
# - example: ldapi:/// ldap://127.0.0.1/ ldap://10.0.0.1:1389/ ldaps:///
SLAPD_URLS="ldapi:/// ldap:///"

# Any custom options: /usr/sbin/slapd -h
SLAPD_OPTIONS="-4 -d 2"

# Run slapd with -h "... ldap:/// ..."
#   yes/no, default: yes
SLAPD_LDAP=yes

# Run slapd with -h "... ldapi:/// ..."
#   yes/no, default: yes
SLAPD_LDAPI=yes

# Run slapd with -h "... ldaps:/// ..."
#   yes/no, default: no
SLAPD_LDAPS=no

# Maximum allowed time to wait for slapd shutdown on 'service ldap stop' (in seconds)
SLAPD_SHUTDOWN_TIMEOUT=15

# Keytab location for GSSAPI Kerberos authentication
#KRB5_KTNAME="FILE:/etc/openldap/ldap.keytab"

Add logging for the slapd process

Add the following lines after RULES in /etc/rsyslog.conf

#### RULES ####

# Send slapd(8c) logs to /var/log/slapd.log
if $programname == 'slapd' then /var/log/slapd.log
& ~

And restart rsyslog service:

systemctl restart rsyslog

Add an entry in logrotate:

[root@lopenldap1 ldap]# cat >> /etc/logrotate.d/slapd << EOF
# /etc/logrotate.d/slapd
#
# Rotate slapd(8) log file.

/var/log/slapd.log {
 rotate 7
 compress
}

EOF

Start LDAP server in debug mode

Start manually (note that running slapd as root, without `-u ldap`, creates the database files under /var/lib/ldap owned by root, which is the cause of the permission errors seen further down):

[root@lopenldap1 ldap]# slapd -d 16383
.....
[root@lopenldap1 ldap]# netstat -an | grep LIST
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp6       0      0 :::389                  :::*                    LISTEN

Or start using services:

[root@lopenldap1 ldap]# systemctl start slapd.service
Job for slapd.service failed. See 'systemctl status slapd.service' and 'journalctl -xn' for details.
[root@lopenldap1 ldap]# journalctl -xn
-- Logs begin at Wed 2014-10-15 16:29:34 CEST, end at Thu 2014-10-16 14:35:25 CEST. --
Oct 16 14:35:25 lopenldap1 runuser[12016]: pam_unix(runuser:session): session opened for user ldap by (uid=0)
Oct 16 14:35:25 lopenldap1 runuser[12016]: pam_unix(runuser:session): session closed for user ldap
Oct 16 14:35:25 lopenldap1 check-config.sh[12013]: Checking configuration file failed:
Oct 16 14:35:25 lopenldap1 check-config.sh[12013]: 543fbb8d olcDbDirectory: value #0: invalid path: Permission denied
Oct 16 14:35:25 lopenldap1 check-config.sh[12013]: 543fbb8d config error processing olcDatabase={1}bdb,cn=config: olcDbDirectory: value #0: invalid path: Permission denied
Oct 16 14:35:25 lopenldap1 check-config.sh[12013]: slaptest: bad configuration file!
Oct 16 14:35:25 lopenldap1 slapd[12027]: @(#) $OpenLDAP: slapd 2.4.39 (Jun  9 2014 23:23:12) $
                                                 mockbuild@worker1.bsys.centos.org:/builddir/build/BUILD/openldap-2.4.39/openldap-2.4.39/servers/slapd
Oct 16 14:35:25 lopenldap1 systemd[1]: slapd.service: control process exited, code=exited status=1
Oct 16 14:35:25 lopenldap1 systemd[1]: Failed to start OpenLDAP Server Daemon.
-- Subject: Unit slapd.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit slapd.service has failed.
--
-- The result is failed.
Oct 16 14:35:25 lopenldap1 systemd[1]: Unit slapd.service entered failed state.

Client configuration and test

Before testing from another server, test locally:

[root@lopenldap1 ~]# cat /etc/openldap/ldap.conf
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE   dc=example,dc=com
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666
BASE    dc=mydomain.org
URI     ldap://lopenldap1

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

#TLS_CACERTDIR  /etc/openldap/certs

# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON    on

[root@lopenldap1 ~]# ldapwhoami -WD cn=admin,dc=mydomain.org
Enter LDAP Password:
dn:cn=admin,dc=mydomain.org

Debug on the server (debug level 2 dumps the raw packets, so the simple-bind password appears in clear text in the trace below; do not leave this level enabled in /etc/sysconfig/slapd on a production host):

[root@lopenldap1 ldap]# slapd -d 2 -F /etc/openldap/slapd.d/ -u ldap
543fbd3e @(#) $OpenLDAP: slapd 2.4.39 (Jun  9 2014 23:23:12) $
        mockbuild@worker1.bsys.centos.org:/builddir/build/BUILD/openldap-2.4.39/openldap-2.4.39/servers/slapd
543fbd3f slapd starting
ldap_read: want=8, got=8
  0000:  30 38 02 01 01 60 33 02                            08...`3.
ldap_read: want=50, got=50
  0000:  01 03 04 1d 63 6e 3d 61  64 6d 69 6e 2c 64 63 3d   ....cn=admin,dc=
  0010:  72 61 69 66 66 65 69 73  65 6e 2c 64 63 3d 6f 72   mydomain.or
  0020:  67 80 0f 72 61 69 66 66  65 69 73 73 65 6e 31 32   g..mydomain12
  0030:  33 34                                              34
ldap_read: want=8 error=Resource temporarily unavailable
ldap_write: want=14, written=14

Debug OpenLDAP

Check config consistency

The service does not start, although slapd runs fine when started manually as root. The listing further down shows why: the database files under /var/lib/ldap were created owned by root (by the manual start above), so the ldap user the unit runs as cannot open them.

[root@lopenldap1 ldap]# systemctl status slapd.service
slapd.service - OpenLDAP Server Daemon
   Loaded: loaded (/usr/lib/systemd/system/slapd.service; disabled)
   Active: failed (Result: exit-code) since Thu 2014-10-16 17:09:22 CEST; 6min ago
  Process: 12371 ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS (code=exited, status=1/FAILURE)
  Process: 12357 ExecStartPre=/usr/libexec/openldap/check-config.sh (code=exited, status=0/SUCCESS)

Oct 16 17:09:22 lopenldap1 slapd[12371]: <= ldap_bv2dn(cn=admin,dc=mydomain,dc=org)=0
Oct 16 17:09:22 lopenldap1 slapd[12371]: => ldap_dn2bv(272)
Oct 16 17:09:22 lopenldap1 slapd[12371]: <= ldap_dn2bv(cn=admin,dc=mydomain,dc=org)=0
Oct 16 17:09:22 lopenldap1 slapd[12371]: => ldap_dn2bv(272)
Oct 16 17:09:22 lopenldap1 slapd[12371]: <= ldap_dn2bv(cn=admin,dc=mydomain,dc=org)=0
Oct 16 17:09:22 lopenldap1 slapd[12371]: 543fdfa2 olcDbDirectory: value #0: invalid path: Permission denied
Oct 16 17:09:22 lopenldap1 slapd[12371]: 543fdfa2 config error processing olcDatabase={1}bdb,cn=config: olcDbDirectory: value #0: invalid path: Permission denied
Oct 16 17:09:22 lopenldap1 slapd[12371]: 543fdfa2 send_ldap_result: err=80 matched="" text=""
Oct 16 17:09:22 lopenldap1 slapd[12371]: 543fdfa2 slapd stopped.
Oct 16 17:09:22 lopenldap1 slapd[12371]: 543fdfa2 connections_destroy: nothing to destroy.
[root@lopenldap1 ldap]# cat /usr/lib/systemd/system/slapd.service
[Unit]
Description=OpenLDAP Server Daemon
After=syslog.target network.target

[Service]
Type=forking
PIDFile=/var/run/openldap/slapd.pid
Environment="SLAPD_URLS=ldap:/// ldapi:///" "SLAPD_OPTIONS="
EnvironmentFile=/etc/sysconfig/slapd
ExecStartPre=/usr/libexec/openldap/check-config.sh
ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS

[Install]
WantedBy=multi-user.target

[root@lopenldap1 ldap]# chmod g+rw /var/lib/ldap/*
[root@lopenldap1 ldap]# /usr/libexec/openldap/check-config.sh
Read/write permissions for DB file '/var/lib/ldap/id2entry.bdb' are required.
Read/write permissions for DB file '/var/lib/ldap/__db.002' are required.
Read/write permissions for DB file '/var/lib/ldap/alock' are required.
Read/write permissions for DB file '/var/lib/ldap/log.0000000001' are required.
Read/write permissions for DB file '/var/lib/ldap/__db.003' are required.
Read/write permissions for DB file '/var/lib/ldap/dn2id.bdb' are required.
Read/write permissions for DB file '/var/lib/ldap/__db.001' are required.
[root@lopenldap1 ldap]# ll /var/lib/ldap/
total 19124
-rw-rw-r--. 1 root root     2048 Oct 16 16:16 alock
-rw-rw----. 1 root root  2326528 Oct 16 16:16 __db.001
-rw-rw----. 1 root root 17448960 Oct 16 16:16 __db.002
-rw-rw----. 1 root root  1884160 Oct 16 16:16 __db.003
-rw-rw-r--. 1 ldap ldap      845 Oct 16 15:14 DB_CONFIG
-rw-rw----. 1 root root     8192 Oct 16 15:27 dn2id.bdb
-rw-rw----. 1 root root    32768 Oct 16 15:27 id2entry.bdb
-rw-rw----. 1 root root 10485760 Oct 16 16:16 log.0000000001
[root@lopenldap1 ldap]# ll /var/lib/
...
drwx------. 2 ldap    ldap    4096 Oct 16 17:17 ldap
...
[root@lopenldap1 ldap]# chown -R ldap.ldap /var/lib/
[root@lopenldap1 ldap]# ll /var/lib/ldap/
total 19124
-rw-rw-r--. 1 ldap ldap     2048 Oct 16 16:16 alock
-rw-rw----. 1 ldap ldap  2326528 Oct 16 16:16 __db.001
-rw-rw----. 1 ldap ldap 17448960 Oct 16 16:16 __db.002
-rw-rw----. 1 ldap ldap  1884160 Oct 16 16:16 __db.003
-rw-rw-r--. 1 ldap ldap      845 Oct 16 15:14 DB_CONFIG
-rw-rw----. 1 ldap ldap     8192 Oct 16 15:27 dn2id.bdb
-rw-rw----. 1 ldap ldap    32768 Oct 16 15:27 id2entry.bdb
-rw-rw----. 1 ldap ldap 10485760 Oct 16 16:16 log.0000000001
[root@lopenldap1 ldap]# /usr/libexec/openldap/check-config.sh

Now it works. Note that the recursive chown above was applied to the whole of /var/lib, which also changes the ownership of other services' state directories; restricting it to /var/lib/ldap is sufficient for slapd.

Check slapd starting options

Test the start options from the /etc/sysconfig/slapd file, e.g.:

/usr/sbin/slapd -u ldap -h "ldapi:/// ldap:///" -4 -d 2

Trace the slapd process (the /etc/rc.d/init.d/slapd path below is a SysV init script and may not exist on a CentOS 7 host, where slapd is managed by the systemd unit shown above)

strace -f /etc/rc.d/init.d/slapd start >& /tmp/slapd.trace

Error in config file

During config file generation, the file /etc/openldap/slapd.d/cn=config/olcDatabase={1}bdb.ldif was written with a bad format:

# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 1580b7b9
dn: olcDatabase={1}bdb
objectClass: olcDatabaseConfig
objectClass: olcBdbConfig
olcDatabase: {1}bdb
olcSuffix: dc=mydomain,dc=org
olcAccess: {0}to *  by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=externa
     l,cn=auth" manage
olcAccess: {1}to attrs=userPassword  by self write  by * auth
olcAccess: {2}to dn.base="dc=mydomain,dc=org"  by * search  by * none
olcAddContentAcl: FALSE

But after modifying the file manually, I get a checksum error: the CRC32 in the file header no longer matches the contents. As the header says, these files are not meant to be edited by hand; apply changes with ldapmodify over ldapi:/// instead.

http://www.flagword.net/2013/02/openldap-with-tls-ppolicy-and-master-master-replication-on-rhel6-3/comment-page-1/

http://www.vincentliefooghe.net/content/open-ldap-setup

http://itdavid.blogspot.lu/2012/05/howto-centos-6.html
