Lightweight Directory Access Protocol (LDAP) is a protocol developed for managing users, group membership and access rights in an IT environment. There are different protocols used for authentication and authorization, but LDAP is the most popular and widely compatible one.

LDAP can be used to integrate Windows Active Directory with Linux and other non-Windows systems, because Active Directory also provides LDAP services.

In this tutorial we will look at how to install, configure and test an LDAP server on Ubuntu.

Install

There are different software packages that implement the LDAP protocol. In this tutorial we will use the popular tool suite named OpenLDAP. We will install all OpenLDAP-related packages with the following command.

$ sudo apt install ldap*

Set Admin Password

We will set the password for the admin user in the LDAP directory.

Verify Admin Password

Set LDAP URI

Set Search Base For Domain Name

Set Version

Set Password Change PAM

Set Login To Retrieve Entries

Set Root or Admin Account

LDIF File Format

LDAP Data Interchange Format, or LDIF, is a standard plain text data exchange format used mainly with the LDAP protocol. The LDIF format is defined in RFC 2849. LDIF is used to provide data and configuration for the following operations.

Add

Modify

Delete

Rename

Here is a simple LDIF example. Each attribute goes on its own line as name: value, and the value named in the RDN (cn=ismail) must also appear as a cn attribute of the entry, otherwise the server rejects it on load.

dn: cn=ismail,dc=poftut,dc=com
objectClass: organizationalRole
cn: ismail
cn: The Postmaster
ou: admin

There are some important LDIF fields. Let's look at them.

dn

dn specifies the distinguished name and is used to identify an entry in the directory.

dc

dc specifies a domain component and is used to identify the domain name. For example, poftut.com is written as

dc=poftut,dc=com

ou

ou specifies the organizational unit and is used to set the group. The following example specifies the group admin

ou=admin

cn

cn specifies the common name and is used to set data about the dn, like a user name, recipe name or job title

LDAP Configuration Files

LDAP provides a lot of configuration files, but we will look only at the most important ones, which we will interact with and change.

cn=config.ldif is the default and main configuration file, which is read and applied by the LDAP service. It is located at /etc/ldap/slapd.d/cn=config.ldif .

olcDatabase{2}bdb.ldif is used to store information about the domain. It is the LDAP database configuration file. This file also stores the LDAP root user and the base Domain Name or DN.

Create LDAP Admin User

The best practice for managing the LDAP services is to create an admin user with full permissions. In order to create the admin user we need to set the user name as a DN.

The admin user is specified with the olcRootDN line in the configuration file named olcDatabase . We can find the related olcDatabase file with grep like below.

$ grep -r "olcRootDN" /etc/ldap/

The database file is located at /etc/ldap/slapd.d/cn=config/olcDatabase={1}mdb.ldif ; this location and file name may differ slightly according to your distribution and version. We change this line according to our fully qualified domain name like below.

olcRootDN: cn=admin,dc=poftut,dc=com

Here our domain name is poftut.com and the admin user name is admin . We need to change the olcSuffix too, which is in the same file. Our new olcSuffix line is like below.

olcSuffix: dc=poftut,dc=com

Set LDAP Admin User Password

Previously we set our admin user. Now we need to set a password for this user. The password line is located in the same file as the user name. The password line is specified with olcRootPW .

As we can see, this value is stored as a hash, so we need to convert our password into a hash value. Fortunately there is a tool named slappasswd for creating password hash values. We enter the password we want to use twice.

$ slappasswd

We add the created value to the file like below.

olcRootPW: {SSHA}Ru8OVQ9nCyts/LjYFj1SJ+va2f78YRmQ
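As an added example (not code from the original tutorial or from OpenLDAP), the following Python parses LDIF records of the kind described in the LDIF File Format section and checks a candidate password against an olcRootPW value in the {SSHA} form that slappasswd produces. The LDIF text, the fixed salt and the password "changeme" are constructed here for the demonstration; the second record deliberately omits its RDN value from its attributes to show the check that slapadd/ldapadd perform on load.

```python
import base64, hashlib, hmac

def parse_ldif(text):
    """Parse LDIF (RFC 2849) into [{attribute: [values]}]; handles '#' comments, folding, '::' base64."""
    records, current = [], {}
    for line in text.replace("\n ", "").splitlines() + [""]:  # "\n " unfolds continuation lines; "" flushes
        if line.startswith("#"):
            continue
        if not line.strip():                    # blank line ends a record
            if current:
                records.append(current)
                current = {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):               # 'attr:: <base64>' form
            value = base64.b64decode(value[1:].strip()).decode(errors="replace")
        current.setdefault(name.strip(), []).append(value.strip())
    return records

def rdn_is_present(entry):
    """slapadd/ldapadd reject an entry whose RDN value is not also stored as an attribute value."""
    attr, _, value = entry["dn"][0].split(",")[0].partition("=")
    return value in entry.get(attr, [])

def ssha_hash(password, salt):
    """OpenLDAP {SSHA} = base64(SHA1(password + salt) + salt); slappasswd picks a random salt."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def ssha_verify(password, stored):
    """Check a candidate password against an olcRootPW value using the salt carried inside it."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]           # SHA-1 digest is always 20 bytes, the rest is salt
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)

SALT = b"\x0b\xad\xca\xfe"                      # constructed fixed salt so the sample is reproducible
SAMPLE_LDIF = (                                 # constructed sample in the shape of the files edited above
    "dn: olcDatabase={1}mdb,cn=config\n"
    "olcDatabase: {1}mdb\n"
    "olcSuffix: dc=poftut,dc=com\n"
    "olcRootDN: cn=admin,dc=poftut,dc=com\n"
    "olcRootPW: " + ssha_hash("changeme", SALT) + "\n"
    "\n"
    "dn: cn=ismail,dc=poftut,dc=com\n"          # RDN value 'ismail' is missing below: rejected on load
    "objectClass: organizationalRole\n"
    "cn: The Postmaster\n"
)
```

Because the salt is stored inside the hash, two slappasswd runs with the same password produce different olcRootPW values, so compare by verifying, never by string equality.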

Verify Configuration Files

As configuring LDAP with text files is a tedious job, we can make mistakes. These mistakes generally result in the LDAP service failing to start. We can check the configuration files and verify the syntax before taking any serious action. We will use a tool named slaptest like below.

$ sudo slaptest -u

We can see the message config file testing succeeded .

Restart LDAP Service

In the previous step we set the password value. Setting the password value does not affect the running LDAP configuration immediately. We need to restart the LDAP service to make the new configuration effective. We restart the service with the systemctl command.

$ sudo systemctl restart slapd.service

And check whether it started correctly.

$ sudo systemctl status slapd.service

Verify LDAP Search

Now it seems everything is OK. We can check our LDAP service by sending some example queries. We will use the ldapsearch command to list our domain entries.

$ ldapsearch -x -b "dc=poftut,dc=com"

We can see that there are two search results.