How to allow external access to OpenLDAP service


Check out the lightweight on-premises email archiving software developed by iRedMail team: Spider Email Archiver.

Configure OpenLDAP to listen on all network interfaces

On CentOS, Rocky Linux

Open file /etc/systemd/system/slapd.service.d/override.conf, you can find line like below:

ExecStart=/usr/sbin/slapd -u ldap -h "ldapi:/// ldap://" -f /etc/openldap/slapd.conf


ExecStart=/usr/sbin/slapd -u ldap -h "ldapi:/// ldap:///" -f /etc/openldap/slapd.conf

Save the changes and restart openldap service:

systemctl daemon-reload
service slapd restart

On Debian, Ubuntu Linux

Open file /etc/default/slapd, find parameter SLAPD_SERVICES and update it to below value:

SLAPD_SERVICES="ldap:/// ldapi:///"

Save the changes and restart openldap service:

service slapd restart

Configure firewall rules to allow access from external network

On CentOS, Rocky Linux

Please open file /etc/firewalld/zones/iredmail.xml, add 2 lines before the last </zone> line:

    <port port="389" protocol="tcp"/>
    <port port="636" protocol="tcp"/>

Restart the firewall:

service firewalld restart

On Debian, Ubuntu Linux

Debian 11 and Ubuntu 20.04 uses nftables as the default firewall software, please add 2 lines in its config file /etc/nftables.conf, inside the chain input {} block (before counter drop line) like below:

table inet filter {
    chain input {

        # Add below 3 lines.
        # ldap, ldaps
        tcp dport 389 accept
        tcp dport 636 accept

        counter drop


Restart the firewall service:

Note: some server may use other firewall service, for example, `ufw`,
`iptables`, don't forget to check and restart it.
service nftables restart