How To Install, Configure and Test Open Ldap Server For Ubuntu – POFTUT

Lightweight Directory Access Protocol (LDAP) is a protocol developed for managing users, groups and access rights in an IT environment. There are different protocols used for authentication and authorization, but LDAP is the most popular and most widely compatible one.

LDAP can be used to integrate Windows Active Directory with Linux and other non-Windows systems, since Active Directory also provides LDAP services.

In this tutorial we will look at how to install, configure and test an LDAP server on Ubuntu.

Install

There are different software packages that implement the LDAP protocol. In this tutorial we will use the popular tool suite named OpenLDAP. We will install all OpenLDAP related packages with the following command.

$ sudo apt install ldap*

Set Admin Password

We will set a password for the admin user in the LDAP directory. The package configuration dialogs then continue with the following steps, in order:

  • Verify Admin Password
  • Set LDAP URI
  • Set Search Base For Domain Name
  • Set Version
  • Set Password Change PAM
  • Set Login To Retrieve Entries
  • Set Root or Admin Account

LDIF File Format

LDAP Data Interchange Format (LDIF) is a standard plain-text data exchange format used mainly with the LDAP protocol. The LDIF format is defined in RFC 2849. LDIF is used to provide the data and configuration for the following operations:

  • Add
  • Modify
  • Delete
  • Rename

Here is a simple LDIF example. Every attribute line has the form "attribute: value", and the cn used in the dn must also appear as a cn attribute of the entry:

 dn: cn=ismail,dc=poftut,dc=com
 objectClass: organizationalRole
 cn: ismail
 cn: The Postmaster
 ou: admin

There are some important LDIF fields. Let's look at them.

dn

dn specifies the distinguished name and is used to identify an entry in the directory.

dc

dc specifies a domain component and is used to identify a domain name; the domain poftut.com is equal to

dc=poftut,dc=com

ou

ou specifies an organizational unit and is used to set the group. The following example specifies the group admin:

ou=admin

cn

cn specifies the common name and is used to set data about the dn, such as a user name, recipe name or job title.
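The four operations listed above (Add, Modify, Delete, Rename) are expressed in LDIF with a changetype line. The file below is an added example, not part of the original tutorial: it walks the tutorial's cn=ismail entry under dc=poftut,dc=com through all four operations. The description text, telephone number and the file name operations.ldif are constructed for the example; the admin DN is the one the tutorial configures later.

```ldif
# Added example (not from the original tutorial). Apply as the directory
# admin, who is prompted for the password:
#   ldapmodify -x -D "cn=admin,dc=poftut,dc=com" -W -f operations.ldif

# Add: create the entry. organizationalRole requires cn, and the cn value
# used in the RDN (ismail) must be present as an attribute value.
dn: cn=ismail,dc=poftut,dc=com
changetype: add
objectClass: organizationalRole
cn: ismail
ou: admin
description: The Postmaster

# Modify: replace one attribute and add another on the same entry.
# Each modification ends with a line containing only "-".
dn: cn=ismail,dc=poftut,dc=com
changetype: modify
replace: description
description: Mail administrator (constructed value)
-
add: telephoneNumber
telephoneNumber: +1 555 0100
-

# Rename: change the RDN from cn=ismail to cn=postmaster. deleteoldrdn: 1
# removes the old cn value instead of keeping it as a second cn.
dn: cn=ismail,dc=poftut,dc=com
changetype: modrdn
newrdn: cn=postmaster
deleteoldrdn: 1

# Delete: remove the renamed entry.
dn: cn=postmaster,dc=poftut,dc=com
changetype: delete
```

Entries in one LDIF file are separated by blank lines and applied in order, so the rename refers to the entry created by the add, and the delete refers to its new name. Running the file a second time fails at the first step, because the add is rejected for an entry that already exists.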


LDAP Configuration Files

LDAP provides a lot of configuration files, but we will look only at the most important ones that we will interact with and change.

  • cn=config.ldif is the default and main configuration file, which is read and applied by the LDAP service. It is located at /etc/ldap/slapd.d/cn=config.ldif .
  • olcDatabase{2}bdb.ldif stores information about the domain. It is the LDAP database definition file, and it also stores the LDAP root user and the base DN.

Create LDAP Admin User

The best practice for managing LDAP services is to create an admin user with full permissions. In order to create the admin user we need to set its user name as a DN.

The admin user is specified by the olcRootDN line in the configuration file whose name starts with olcDatabase . We can find the related olcDatabase file with grep like below.

$ grep -r "olcRootDN" /etc/ldap/

The database file is located at /etc/ldap/slapd.d/cn=config/olcDatabase={1}mdb.ldif ; this location and file name may differ slightly depending on your distribution and version. We change this line according to our fully qualified domain name like below.

olcRootDN: cn=admin,dc=poftut,dc=com

Here our domain name is poftut.com and the user name is admin . We need to change the olcSuffix too, which is in the same file. Our new olcSuffix line is like below.

olcSuffix: dc=poftut,dc=com

Set LDAP Admin User Password

Previously we set our admin user. Now we need to set a password for this user. The password line is located in the same file as the user name and is specified with olcRootPW .

As we see, this value is stored as a hash, so we need to convert our password into a hash value. Fortunately there is a tool named slappasswd for creating password hash values. We enter the password we want to use twice.

$ slappasswd

We add the created value to the olcRootPW line like below.

olcRootPW: {SSHA}Ru8OVQ9nCyts/LjYFj1SJ+va2f78YRmQ
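The files under /etc/ldap/slapd.d are generated by slapd from its cn=config database, so the same olcSuffix, olcRootDN and olcRootPW settings can be applied through LDAP itself with ldapmodify, which keeps the on-disk files and the running server consistent without a restart. This is an added example, not from the original tutorial: the database DN olcDatabase={1}mdb,cn=config is assumed from the file name above, the hash is a placeholder to be replaced with your own slappasswd output, and the file name admin.ldif is constructed.

```ldif
# Added example (not from the original tutorial). Apply as local root over
# the Unix socket, which the default Debian/Ubuntu config grants manage
# rights on cn=config via SASL EXTERNAL:
#   sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f admin.ldif

dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=poftut,dc=com
-
replace: olcRootDN
olcRootDN: cn=admin,dc=poftut,dc=com
-
replace: olcRootPW
olcRootPW: {SSHA}REPLACE_WITH_OUTPUT_OF_slappasswd
-
```

Because the change is made through the server, slapd validates it before accepting it, so a typo such as an unknown attribute name is reported by ldapmodify instead of leaving a configuration that fails to load at the next restart.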

Verify Configuration Files

Configuring LDAP with text files is a tedious job and we can make mistakes. Such mistakes generally result in the LDAP service failing to start. We can check the configuration files and verify their syntax before taking any serious action, using a tool named slaptest like below.

$ sudo slaptest -u

We can see the message config file testing succeeded .


Restart LDAP Service

In the previous step we set the password value. Setting the password value does not affect the running LDAP service immediately; we need to restart the LDAP service to make the new configuration effective. We restart the service with the systemctl command.

$ sudo systemctl restart slapd.service

And check whether it started correctly:

$ sudo systemctl status slapd.service

Verify LDAP Search

Now everything seems to be OK. We can check our LDAP service by sending some example queries. We will use the ldapsearch command to list the entries under our domain, together with their count.

$ ldapsearch -x -b "dc=poftut,dc=com"

We can see that there are two search results.
