How to set up an LDAP Server on Ubuntu

LDAP (Lightweight Directory Access Protocol) is, in short, an application protocol for looking up information held on a directory server. As far as I can tell, it is used mostly for user authorization or for (e-mail) address books. The Wikipedia article on LDAP is quite good, so you can get the basic info and ideas there.

1. Installing OpenLDAP server and utilities

apt-get install slapd ldap-utils

slapd – the OpenLDAP server
ldap-utils – Utilities for manipulating the directory structure in LDAP

When installing slapd you will be asked to fill in an admin password, so just enter something.

2. Configure

Configure the LDAP server using

dpkg-reconfigure slapd
Omit OpenLDAP server configuration? ... No

(Answering No creates a default server configuration and populates the directory with a base entry built from the DNS domain name you enter next. If you answer Yes, you will have to import the schemas and create the complete directory structure manually.)

DNS domain name: ... localhost.slapd

(This becomes the base DN you are going to use. This example uses localhost.slapd, which is stored as dc=localhost,dc=slapd.)

Name of your organization: ... Whatever
Admin Password: ******
Confirm Password: ******
Database: BDB/HDB

(Choose whichever you need; both are versions of Berkeley DB.)

Do you want your database to be removed when slapd is purged? ... Yes

(If you want to save the databases, just choose No)

Move old database? ... Yes

(The LDAP databases are stored in /var/lib/ldap, so this will move them and create a new database)

Allow LDAPv2 Protocol? ... No

3. Test

Restart the server to be sure it’s running

service slapd restart

and do a search using your base DN

ldapsearch -x -b dc=localhost,dc=slapd

and you should get something similar to

# extended LDIF
#
# LDAPv3
# base <dc=localhost,dc=slapd> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# localhost.slapd
dn: dc=localhost,dc=slapd
objectClass: top
objectClass: dcObject
objectClass: organization
o: Sugar
dc: localhost
# admin, localhost.slapd
dn: cn=admin,dc=localhost,dc=slapd
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
# search result
search: 2
result: 0 Success
# numResponses: 3
# numEntries: 2

which is the default directory configuration dpkg created for you from the DNS domain name you entered. You can create all of this manually if you choose

Omit OpenLDAP server configuration? ... Yes

in the configuration step and import it later. Mind that this new directory must then also use the DNS domain name you entered during configuration.

4. Populating the directory tree

Here is a starting-point set of entries using the default schemas. Create a file called entry.ldif somewhere (in LDIF each entry is separated from the next by a blank line, otherwise slapadd refuses the file):

dn: ou=people,dc=localhost,dc=slapd
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=localhost,dc=slapd
objectClass: organizationalUnit
ou: groups

dn: uid=test,ou=people,dc=localhost,dc=slapd
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: test
sn: Test
givenName: Tester
cn: Test Tester
displayName: Test Tester
uidNumber: 1000
gidNumber: 10000
userPassword: test
gecos: Test Tester
homeDirectory: /tmp/test/
shadowExpire: -1
shadowFlag: 0
shadowWarning: 7
shadowMin: 8
shadowMax: 999999
shadowLastChange: 10877
mail: test.tester@example.com
postalCode: 31000
l: Paris
o: Example
mobile: +38 (1)67 xxx xx xx
homePhone: +38 (1)20 xxx xxx
title: Administrator
postalAddress: Test Home
initials: TT

dn: cn=example,ou=groups,dc=localhost,dc=slapd
objectClass: posixGroup
cn: example
gidNumber: 10000

dn: cn=example2,ou=groups,dc=localhost,dc=slapd
objectClass: posixGroup
cn: example2
gidNumber: 10001

Import the file into LDAP. First stop the server

service slapd stop

then import the file

slapadd -l entry.ldif

You should see this message if it was successful

_#################### 100.00% eta none elapsed none fast!
Closing DB...

Start the server

service slapd start

Try to run this

ldapsearch -x -b cn=example,ou=groups,dc=localhost,dc=slapd

and if you get the entry from the file we imported, your OpenLDAP server is up and running.

5. Useful stuff

5.1. Stuck importing entry.ldif

If the import of entry.ldif got stuck, you can start over from step 2 (Configure), or remove the default database that was created

rm -rf /var/lib/ldap/*

and try importing again, this time with the base entry and the admin entry placed at the beginning of entry.ldif:

dn: dc=localhost,dc=slapd
objectClass: dcObject
objectClass: organizationalUnit
dc: localhost
ou: Example Dot Com

dn: cn=admin,dc=localhost,dc=slapd
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
# paste the hash generated by slappasswd (see 5.2) here
userPassword: {SSHA}PASTE-HASH-FROM-SLAPPASSWD-HERE

(The dc attribute has to carry the same value as the dc=localhost part of the dn, otherwise slapadd rejects the entry. Put this block before the ou=people entry and keep a blank line between the two.)
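Because slapadd aborts on the first malformed entry, it helps to check an LDIF file before stopping the server. The following validator is an added example written for this post, not part of the tutorial or of OpenLDAP; it parses LDIF the way step 4 uses it (blank-line separated entries, # comments, folded lines, base64 values) and flags the mistakes this tutorial runs into: a naming attribute whose value does not match the dn (the dc: example problem in 5.1 above), an entry whose parent does not exist yet, a missing MUST attribute of posixAccount/posixGroup/inetOrgPerson, and a userPassword stored in clear text. SAMPLE_LDIF is a constructed, shortened copy of the entries above that deliberately contains the dc mismatch.

```python
import base64

# Attributes each object class MUST carry (subsets of RFC 2307, RFC 2798, RFC 4519).
REQUIRED = {
    "posixaccount": ["cn", "uid", "uidnumber", "gidnumber", "homedirectory"],
    "posixgroup": ["cn", "gidnumber"],
    "inetorgperson": ["cn", "sn"],
    "organizationalunit": ["ou"],
    "dcobject": ["dc"],
}

# Constructed sample: the base entry from 5.1 with its naming mistake
# ("dc: example" under dn dc=localhost,...), then a trimmed copy of step 4's file.
SAMPLE_LDIF = """\
dn: dc=localhost,dc=slapd
objectClass: dcObject
objectClass: organizationalUnit
dc: example
ou: Example Dot Com

dn: ou=people,dc=localhost,dc=slapd
objectClass: organizationalUnit
ou: people

dn: uid=test,ou=people,dc=localhost,dc=slapd
objectClass: inetOrgPerson
objectClass: posixAccount
uid: test
sn: Test
cn: Test Tester
uidNumber: 1000
gidNumber: 10000
userPassword: test
homeDirectory: /tmp/test/
"""


def parse_ldif(text):
    """Split LDIF into (dn, {attr: [values]}) pairs. Entries are separated by
    blank lines, '#' lines are comments, a leading space folds a line into the
    previous one and 'attr:: value' carries a base64-encoded value."""
    entries, block = [], []
    for raw in text.splitlines() + [""]:           # trailing "" flushes the last entry
        if raw.startswith("#") or raw.startswith("version:"):
            continue
        if raw.strip() == "":
            if block:
                entries.append(_parse_block(block))
                block = []
        elif raw.startswith(" ") and block:
            block[-1] += raw[1:]
        else:
            block.append(raw)
    return entries


def _parse_block(lines):
    dn, attrs = None, {}
    for line in lines:
        name, _, value = line.partition(":")
        if value.startswith(":"):                  # base64 value
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        if name.lower() == "dn" and dn is None:
            dn = value
        else:
            attrs.setdefault(name.lower(), []).append(value)
    if dn is None:
        raise ValueError("entry without dn: " + lines[0])
    return dn, attrs


def check_ldif(text, suffix):
    """Return the problems slapadd (or a later bind) would trip over."""
    problems, seen = [], set()
    for dn, attrs in parse_ldif(text):
        rdn, _, parent = dn.partition(",")         # escaped commas not handled
        attr, _, value = rdn.partition("=")
        attr, value, parent = attr.strip().lower(), value.strip(), parent.strip()
        # 1. the naming attribute must appear in the entry with the RDN's value
        if value.lower() not in [v.lower() for v in attrs.get(attr, [])]:
            problems.append(f"{dn}: naming attribute '{attr}' has no value '{value}' in the entry")
        # 2. the parent must exist: earlier in this file or the suffix dpkg already created
        if dn.lower() != suffix.lower() and parent.lower() != suffix.lower() \
                and parent.lower() not in seen:
            problems.append(f"{dn}: parent '{parent}' does not exist yet")
        # 3. MUST attributes of every object class the entry claims
        for oc in [c.lower() for c in attrs.get("objectclass", [])]:
            for req in REQUIRED.get(oc, []):
                if req not in attrs:
                    problems.append(f"{dn}: objectClass {oc} requires attribute '{req}'")
        # 4. clear-text passwords (no {scheme} prefix)
        for pw in attrs.get("userpassword", []):
            if not pw.startswith("{"):
                problems.append(f"{dn}: userPassword is stored in clear text; use a slappasswd hash")
        seen.add(dn.lower())
    return problems
```

Run check_ldif(open("entry.ldif").read(), "dc=localhost,dc=slapd") before slapadd; an empty list means the structural checks pass. A file without blank lines between entries shows up as a single entry carrying a second "dn" attribute, which is exactly why slapadd rejects it. One more cause of a "stuck" import that the validator cannot see: if slapadd was run as root, the files it wrote under /var/lib/ldap belong to root, while the Ubuntu slapd service runs as the openldap user, so chown -R openldap:openldap /var/lib/ldap before starting the server again.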

5.2. Setting the user password

The userPassword attribute can be entered in plain text, or you can use

slappasswd -s password

to generate a hashed value (SSHA by default, or MD5), where password is the actual password. If you omit -s, slappasswd prompts for the password instead, which keeps it out of your shell history.

SSHA

slappasswd -s password

MD5

slappasswd -s password -h {MD5}

Just copy the generated string into userPassword.
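To see what those two slappasswd outputs actually are, and why SSHA is the default, here is an added example (written for this post, not code from OpenLDAP) that builds the {SSHA} and {MD5} forms of userPassword and verifies a candidate password against them the way a simple bind does. The salt argument of ssha_hash exists only so the result can be checked deterministically; slappasswd always picks a random salt.

```python
import base64
import hashlib
import hmac
import os

# Digest behind each userPassword scheme handled here.
ALGO = {"SSHA": "sha1", "SHA": "sha1", "SMD5": "md5", "MD5": "md5"}


def ssha_hash(password, salt=None):
    """{SSHA}: base64(sha1(password + salt) + salt). slappasswd uses a random
    4-byte salt; a fixed salt is accepted here only to make tests deterministic."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def md5_hash(password):
    """{MD5}: base64(md5(password)) with no salt, what 'slappasswd -h {MD5}' emits."""
    return "{MD5}" + base64.b64encode(hashlib.md5(password.encode()).digest()).decode()


def split_stored(stored):
    """Return (scheme, digest, salt) for a '{scheme}base64' value.
    Clear text (no prefix, as in entry.ldif) comes back as ("CLEARTEXT", bytes, b"")."""
    if not stored.startswith("{"):
        return "CLEARTEXT", stored.encode(), b""
    scheme, _, b64 = stored[1:].partition("}")
    scheme, blob = scheme.upper(), base64.b64decode(b64)
    if scheme in ("SSHA", "SMD5"):                 # salted schemes store digest || salt
        size = hashlib.new(ALGO[scheme]).digest_size
        return scheme, blob[:size], blob[size:]
    return scheme, blob, b""


def verify_password(password, stored):
    """True when password matches the stored userPassword value."""
    scheme, digest, salt = split_stored(stored)
    if scheme == "CLEARTEXT":
        return hmac.compare_digest(password.encode(), digest)
    if scheme not in ALGO:
        raise ValueError("unsupported password scheme " + scheme)
    computed = hashlib.new(ALGO[scheme], password.encode() + salt).digest()
    return hmac.compare_digest(computed, digest)


if __name__ == "__main__":
    # Same password twice: {MD5} repeats (no salt), {SSHA} differs every time.
    print(md5_hash("test"), md5_hash("test"))
    print(ssha_hash("test"), ssha_hash("test"))
    print(verify_password("test", ssha_hash("test")))
```

The unsalted {MD5} form gives every account with the same password the same userPassword value, so one cracked hash reveals all of them; the salted {SSHA} form does not, which is the reason to leave slappasswd at its default.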

5.3. Different base DN for LDAP operations

If you want to use a different base DN, you can edit the

/etc/ldap/ldap.conf

file, then uncomment and change the BASE entry

BASE dc=localhost,dc=slapd

5.4. Simple use-case

A simple PHP script to test your OpenLDAP server: it binds as the user created above and then queries for groups.

<?php
// Taken from http://www.php.net/manual/en/ldap.examples-basic.php and edited for this example

echo "<h3>LDAP query test</h3>";
echo "Connecting ...";

// Prepare the LDAP connection handle (the network connection itself is opened on bind)
$connection = ldap_connect("localhost");
if (!$connection) {
	die("Could not create LDAP connection handle<br />");
}
echo "Connect result is ok<br />";

echo "Binding ...";

$userDn = "uid=test,ou=people,dc=localhost,dc=slapd";
$userPassword = "test";
// Bind with our user DN and password (LDAPv3, since LDAPv2 was disabled in step 2)
ldap_set_option($connection, LDAP_OPT_PROTOCOL_VERSION, 3);
$bind = ldap_bind($connection, $userDn, $userPassword);

// Show bind result
if ($bind) {
	echo "Bind result is ok<br />";
} else {
	die("Bind error, " . ldap_err2str(ldap_errno($connection)) . "<br />");
}

echo "Searching for (cn=e*) ...";
// Search inside ou=groups,dc=localhost,dc=slapd for cn starting with e
$search = ldap_search($connection, "ou=groups,dc=localhost,dc=slapd", "(cn=e*)");
if (!$search) {
	die("Search error, " . ldap_err2str(ldap_errno($connection)) . "<br />");
}
echo "Search result is ok<br />";

echo "Number of entries returned is " . ldap_count_entries($connection, $search) . "<br />";

// Getting and printing entries (ldap_get_entries lower-cases the attribute names)
echo "Getting entries ...<p>";
$info = ldap_get_entries($connection, $search);
echo "Data for " . $info["count"] . " items returned:<p>";

for ($i = 0; $i < $info["count"]; $i++) {
	echo "dn is: " . htmlspecialchars($info[$i]["dn"]) . "<br />";
	echo "first cn entry is: " . htmlspecialchars($info[$i]["cn"][0]) . "<br />";
	echo "first gidnumber entry is: " . htmlspecialchars($info[$i]["gidnumber"][0]) . "<br /><hr />";
}

echo "Closing connection";
ldap_close($connection);
