How to Install and Configure an OpenLDAP Ubuntu Server

Published:25 March 2024 - 11 min. read

Michael Nguyen Tu Image

Michael Nguyen Tu

Read more tutorials by Michael Nguyen Tu!

In today’s fast-paced digital world, keeping tabs on user accounts and access control is no easy feat. But fear not! OpenLDAP is a solution to your woes, a widespread open-source implementation of the Lightweight Directory Access Protocol (LDAP).

This tutorial will walk you through the ins and outs of setting up an OpenLDAP server on your Ubuntu machine. Say goodbye to scattered user data and hello to centralized management, authentication, and authorization.

Read on to streamline your user management and simplify your IT workflows!

Prerequisites

This tutorial houses hands-on demonstrations in setting up an OpenLDAP server. If you wish to follow along, be sure you have the following:

  • Two machines (one for the server and one for the client) running Ubuntu 20.04 or later.
  • A non-root user with sudo privileges on both machines.

Installing the OpenLDAP Server on Ubuntu

From ensuring your system’s readiness, you now delve into the heart of your setup, installing the OpenLDAP server. LDAP holds significant weight in server administration, especially when managing user accounts and access control within an organization’s network.

To install OpenLDAP server on your system, proceed with the following:

đź’ˇ Throughout this guide, you must use your domain name to replace ata.com.

1. Open your terminal and execute the following command to set your machine’s hostname (i.e., ldap.ata.com). This command has no output to the terminal but allows other devices on the network to recognize your machine.

sudo hostnamectl set-hostname ldap.ata.com

2. Next, run the apt update command below to update your system’s package index.

sudo apt update -y
openldap1-Updating the system’s package list
Updating the system’s package list

3. Once updated, run the below apt install command to install the Apache web server and essential components (PHP modules). These components are necessary for the proper functioning of OpenLDAP.

sudo apt install apache2 php php-cgi libapache2-mod-php php-mbstring php-common php-pear -y
Installing Apache web server and essential PHP modules
Installing Apache web server and essential PHP modules

4. Now, invoke this command to install the OpenLDAP server and LDAP Account Manager (LAM), a convenient web-based management tool.

sudo apt install slapd ldap-utils -y && sudo apt install ldap-account-manager -y
Installing the OpenLDAP server and LAM
Installing the OpenLDAP server and LAM

5. Provide an admin password for your LDAP server when prompted during the installation.

Providing an admin password for the LDAP server
Providing an admin password for the LDAP server

6. Once installed, execute the following systemctl command to confirm the OpenLDAP server’s (slapd) status.

sudo systemctl status slapd
Confirming the OpenLDAP server is active and running
Confirming the OpenLDAP server is active and running

7. Lastly, run the slapcat command below to check the LDAP database contents.

sudo slapcat

A list of default schemas and configurations below indicates that OpenLDAP has been installed correctly.

Checking the LDAP database contents
Checking the LDAP database contents

Keeping the OpenLDAP Server Safe with UFW Firewall

You have successfully installed your OpenLDAP server, but you must fortify its defenses before it can guard your network. How? By enlisting the help of UFW, Ubuntu’s trusty default firewall.

Configuring the UFW Firewall is like setting up a digital moat around your castle. You will tailor the firewall to shield your server, allowing only essential traffic to pass through and keeping digital marauders at bay.

To ensure secure connections on your OpenLDAP server, you must open certain ports for the OpenLDAP server as follows:

Execute the following ufw commands to allow incoming traffic on ports for HTTP (80), HTTPS (443), and LDAP (389).

# Allow HTTP Traffic
sudo ufw allow 80
# Allow HTTPS Traffic
sudo ufw allow 443
# Allow LDAP Traffic
sudo ufw allow 389
Configuring the UFW Firewall for OpenLDAP Server
Configuring the UFW Firewall for OpenLDAP Server

Now, run the command below to check a detailed overview of the current status and configuration of UFW on your system.

sudo ufw status verbose

The output below confirms that the firewall rules you added were applied successfully.

Checking the UFW status
Checking the UFW status

Enabling PHP Support in Apache for LAM

After fortifying the security of your LDAP server with the UFW Firewall, you must ensure Apache recognizes and processes PHP files effectively. This critical step paves the way for seamless integration between Apache and LAM, enabling efficient management of your LDAP directory.

To enable PHP support in Apache, carry out the following:

1. Run the following a2enconf command to enable a configuration file for Apache’s PHP Common Gateway Interface (CGI).

These configuration files typically contain directives related to configuring PHP for Apache, such as setting up handlers or defining options for PHP execution. By enabling these configuration files, you ensure that Apache is properly configured to handle PHP scripts using the CGI interface.

sudo a2enconf php*-cgi
Enabling the PHP module
Enabling the PHP module

2. Once enabled, execute the command below to reload the Apache service (apache2) to apply the changes.

This command outputs nothing but ensures that any modifications made to the Apache configuration take effect. This process includes enabling the PHP CGI module without restarting the entire Apache service.

sudo systemctl reload apache2

3. Now, invoke this command to check the status of the apache2 service to ensure everything’s running smoothly.

sudo systemctl status apache2

The output will show the current status of the Apache web server as active (running) without any errors, as below.

Checking the status of the Apache service
Checking the status of the Apache service

Setting Up the LAM Web Interface

Moving on from enabling PHP support in Apache for LAM, you now focus on a centralized hub where you can control your OpenLDAP server—the LAM web interface. This web interface offers an intuitive platform for administrators like yourself to oversee directory services.

To set up the LAM web interface, proceed with these steps:

1. Run the ifconfig command below to display your network information.

ifconfig

Look for and note down your server’s IP address (i.e., 192.168.1.7), typically denoted by inet.

Noting down the server’s IP address
Noting down the server’s IP address

2. Open your favorite web browser, and navigate to your server’s IP address followed by /lam into the address bar (e.g., http://192.168.1.7/lam). Doing so redirects your browser to LAM’s web interface, as shown below.

Accessing the LAM web interface
Accessing the LAM web interface

3. Click LAM configuration (top-right) on the login page to access the LDAP Account Manager page (step four).

Accessing the LAM Account Manager
Accessing the LAM Account Manager

4. Now, click Edit server profiles to modify your LAM settings.

Editing server profiles to modify the LAM settings
Editing server profiles to modify the LAM settings

5. Input the default lam password on the second login page, and click OK to authenticate.

Authenticating access to the LAM web interface
Authenticating access to the LAM web interface

6. Once logged in, configure the following server and language settings under the General settings:

  • Tree suffix – Type in your directory’s base distinguished name (DN), such as dc=ata,dc=com, replacing them with your actual domain components.
  • Default language – Select your language preference for the LAM web interface.
  • Time zone – Choose the time zone that aligns with your server’s location, which is crucial for precise management of account expirations.
Configuring the server and language settings
Configuring the server and language settings

7. Scroll down and set the options for security and profile password with the following:

  • List of valid users – Insert the DN of your LDAP admin user, for example, cn=admin,dc=ata,dc=com.
  • New password and Reenter password – Create and confirm a strong password for the LAM admin account to replace the initial default password.
  • Keep other settings as default, and click Save to apply your configurations. Once saved, your browser will be redirected back to the login page.
Configuring security settings and profile password
Configuring security settings and profile password

Creating Groups and Users in LAM

With your LAM dashboard ready, you focus on laying the foundation for an organized and secure directory structure—groups and users. Creating groups and users is like organizing your team into departments and giving everyone their ID badge.

To create groups and users in LAM, execute the following:

1. Navigate to the LDAP Account Manager following steps three to five of the “Setting Up the LAM Web Interface” section. But this time, input your newly configured password for the OpenLDAP server.

2. In the LAM Account Manager, navigate to the Account types tab to view all access type options.

Accessing the account types
Accessing the account types

3. Next, scroll down and set the LDAP suffixes while replacing <base_DN> (i.e., dc=ata,dc=com), accordingly as follows:

  • Usersou=Departments,<base_DN>
  • Groupsou=Groups,<base_DN>
  • Leave other settings as default, and click Save.

After saving, your browser will be redirected to the admin login page (step four).

Setting the LDAP suffixes
Setting the LDAP suffixes

4. Now, enter the admin password you set during installation, and click Login to access your OpenLDAP server.

Logging in to the OpenLDAP server
Logging in to the OpenLDAP server

5. When prompted, click CREATE to establish the two missing suffixes.

Creating the two missing suffixes
Creating the two missing suffixes

6. Upon creation, click Tree view (upper-right) to see the new LDAP suffixes (Departments and Groups) displayed in a hierarchical structure, as shown below.

Viewing the hierarchical structure
Viewing the hierarchical structure

7. Moving on, click Tools (upper-right) and choose OU editor to configure a new department with the following:

  • Parent DN – Choose Department > ata > com for the Parent DN. This option specifies where the new department will be created within your LDAP directory.
  • Name – Input IT (arbitrary) as the department (OU) name.

Once configured, click OK to add a new department named IT.

Adding a new department within the LDAP directory
Adding a new department within the LDAP directory

8. Now, navigate to the Groups tab and click New group to create a new group.

Creating groups simplifies administration, promotes collaboration, enforces policies, and facilitates organizational scalability.

Creating a new group
Creating a new group

9. Provide a descriptive group name (i.e., My IP Group) and click Save to confirm the new group.

Naming the new group
Naming the new group

10. Once the group is created, navigate to the Users tab and click New user to create a new user.

Establishing a robust framework by grouping users according to their roles, departments, or other criteria is crucial. This framework helps manage resource access and promote efficient collaboration across your organization.

Creating a new user
Creating a new user

11. Subsequently, set the user’s Personal information as follows:

  • Select IT > Departments > ata > com from the Suffix dropdown to place the user in the IT department.
  • Under the Personal tab (left pane), input myituser (arbitrary) in the Last name field.
Setting the ne user’s personal information
Setting the ne user’s personal information

12. Configure the new user’s credentials with the following:

  • Navigate to the Unix tab (left pane), and ensure the newly created group’s name (i.e., My IP Group) is set as the Primary Group.
  • Click Set password, which opens a dialog box where you will set a password for the new user (step 13).
Initiating setting a password for the new user
Initiating setting a password for the new user

13. Provide a secure password for the new user, and click OK to confirm.

Providing a secure password
Providing a secure password

14. Keep other settings as is, and click Save to finalize the creation of the new user account.

Saving the new user
Saving the new user

15. Revisit the Tree view to see the updated structure with the new department (IT), group (My IP Group), and user account (myituser) included.

Verifying the updated structure
Verifying the updated structure

Installing and Configuring the OpenLDAP Client

Now that you have a great server setup, you need a way to interact with it by installing and configuring the OpenLDAP client. Setting up this client is essential for enabling centralized authentication and resource access across your network.

Integrating your Ubuntu system with the LDAP directory server establishes a unified authentication mechanism, enhancing security and simplifying user management.

To install and configure the OpenLDAP client, follow these steps:

1. Execute the following sh command to add the OpenLDAP server’s hostname and IP address to your client machine to the /etc/hosts file, allowing hostname-based communication.

Remember to replace 192.168.1.7 and ldap.ata.com with your server’s IP address and hostname.

sudo sh -c 'echo "192.168.1.7 ldap.ata.com" >> /etc/hosts'
Adding the OpenLDAP server's hostname and IP address to the hosts file
Adding the OpenLDAP server’s hostname and IP address to the hosts file

2. Once added, run the below ping command to check the connectivity between your system and your OpenLDAP server (ldap.ata.com).

ping -c3 ldap.ata.com

The output below confirms the client machine can successfully communicate with the OpenLDAP server using the specified IP address and hostname.

Pinging the LDAP server
Pinging the LDAP server

3. Next, run the command below to update your package lists and install the following necessary OpenLDAP client packages:

  • libnss-ldap – Enables your system to use LDAP for common configuration databases.
  • libpam-ldap – Allows system authentication against LDAP directories.
  • ldap-utils – Provides command-line tools for managing LDAP directory entries.
  • nscd – Caches NSS lookups, improving performance by reducing LDAP server queries.
sudo apt update && sudo apt install libnss-ldap libpam-ldap ldap-utils nscd -y

During installation, you will get a series of prompts to configure the OpenLDAP client (step four).

Updating the package lists and installing the necessary OpenLDAP client packages
Updating the package lists and installing the necessary OpenLDAP client packages

4. Now, enter ldap://192.168.1.7 in the LDAP server Uniform Resource Identifier field, which directs the client to your OpenLDAP server.

Setting the LDAP server Uniform Resource Identifier
Setting the LDAP server Uniform Resource Identifier

5. Input the DN of the search base (i.e., dc=ata,dc=com) for LDAP operations.

Entering the DN of the search base
Entering the DN of the search base

6. Choose 3 for the LDAP version to use for enhanced security and features

Selecting the preferred LDAP version
Selecting the preferred LDAP version

7. Next, select Yes to give the root user database admin privileges.

Making local root a Database admin
Making local root a Database admin

8. Afterward, choose No for root account management to disable the LDAP database login.

Disabling the LDAP database login
Disabling the LDAP database login

9. Input the LDAP account for root (i.e., cn=admin,dc=ata,dc=com). This configuration specifies the admin account for managing LDAP.

Provide the LDAP account for the root
Provide the LDAP account for the root

10. Provide a strong LDAP root account password (admin password).

Provide an LDAP root account password
Provide an LDAP root account password

11. After the client configuration, open the /etc/nsswitch.conf file in your preferred editor (i.e., nano or vim) to configure your system’s name service switch.

This file decides the pecking order for where the system looks up stuff like user accounts, groups, hosts, and services.

12. Change the value of the following lines in the /etc/nsswitch.conf file to include the following:

compat – Refers to local files like /etc/passwd.

ldap – Specifies the use of LDAP.

This configuration allows the use of LDAP user authentication and other system functions

passwd:         compat systemd ldap
group:          compat systemd ldap
shadow:         compat
Allowing the use of LDAP user authentication
Allowing the use of LDAP user authentication

13. Now, open the /etc/pam.d/common-password file, locate and remove the use_authtok option, as highlighted below, save the changes, and close the file.

This action lets you adjust the PAM password settings to use the password provided by the user.

Adjusting the PAM password settings
Adjusting the PAM password settings

14. Additionally, open the /etc/pam.d/common-session file, add the following line and save and close the file.

Upon user login, this configuration adds automatic home directory creation to ensure user home directories are created with proper permissions.

session optional pam_mkhomedir.so skel=/etc/skel umask=077
Adding automatic home directory creation upon user login
Adding automatic home directory creation upon user login

15. Lastly, run the command below to restart the Name Service Cache Daemon (nscd) and apply the configuration changes.

sudo systemctl restart nscd

Checking Your OpenLDAP Setup

With everything in place, you must ensure your OpenLDAP server and client configurations work as expected. You will test to confirm your LDAP directory is accessible, that users can authenticate successfully, and that data is being retrieved and updated correctly.

To ensure the integrity and functionality of your OpenLDAP server and client setup, perform the following:

Execute the following ldapsearch command to query your LDAP directory for all user accounts.

ldapsearch -x -H ldap://192.168.1.7 -b "dc=ata,dc=com"

You will see an output that looks something like the following, listing out the details of each user. This output tells that the OpenLDAP server responds correctly to your search queries.

Querying the LDAP directory for all user accounts
Querying the LDAP directory for all user accounts

Finally, attempt to log in (su) to the myituser user account.

su - myituser

Successful login indicates that the authentication against the OpenLDAP server is working as expected.

đź’ˇ A successful login message may not always be shown; instead, you might be just logged in and presented with a new command prompt, as shown below. If there are any errors, they will be displayed, and you will remain logged in as the current user.

Logging in as the myituser user
Logging in as the myituser user

Conclusion

You have done it! Your Ubuntu server now has a fully operational OpenLDAP system with a secure firewall, a PHP-enabled web server, and a sleek LDAP Account Manager interface.

Groups and user accounts are set, and your OpenLDAP client is ready to connect. Thus, you can be confident in your server’s performance.

Now, take some time to browse the comprehensive official document page of OpenLDAP, packed with valuable tips and tricks. Also, why not consider learning how to backup and restore your OpenLDAP server to ensure the safety of your user accounts and configurations?

Hate ads? Want to support the writer? Get many of our tutorials packaged as an ATA Guidebook.

Explore ATA Guidebooks

Looks like you're offline!