LDAP Server on Ubuntu
Install on Ubuntu

If you want to run an LDAP server on Ubuntu you will need to install two packages: slapd and ldap-utils. Use apt-get as root or with sudo for these two packages and it will also install all the dependencies.

    # apt-get install slapd ldap-utils

This series of articles will help you understand the benefits of LDAP as well as the implementation of LDAP.
Create a root Password

After the initial password that you create, whenever you need to create a password use the slappasswd application, which prompts for the password twice and prints a salted SHA-1 hash of it ({SSHA}) instead of the cleartext.

    # slappasswd
    New password:
    Re-enter new password:
    {SSHA}k1wLLf+cCUArjAt2BuFGe6OYdSiayIZd

For example, if you needed to create a new password for the admin user you would run slappasswd, copy the {SSHA} value it printed and insert it as the rootpw in your /etc/ldap/slapd.conf. Because rootpw grants superuser access to the whole directory, keep slapd.conf readable only by root and the account slapd runs as.

    # rootdn directive for specifying a superuser on the database. This is needed
    # for syncrepl.
    rootdn "cn=admin,dc=example,dc=com"
    rootpw {SSHA}k1wLLf+cCUArjAt2BuFGe6OYdSiayIZd
Preparation to Start LDAP
Before starting LDAP you must set the database type for Database #1, the suffix for your domain, the rootdn, the rootdn password and the directory location for your files. Note that example.com is the domain used here. Edit /etc/ldap/slapd.conf and make the necessary changes.

    database  hdb
    suffix    "dc=example,dc=com"
    rootdn    "cn=admin,dc=example,dc=com"
    rootpw    {SSHA}k1wLLf+cCUArjAt2BuFGe6OYdSiayIZd
    directory "/var/lib/ldap"

You will also need to edit the BASE location in your ldap.conf file. Edit /etc/ldap/ldap.conf:

    BASE dc=example,dc=com

Add Information to the Tree

In order to use slapadd, slapcat or slapindex the directory must be stopped to preserve the database integrity. Here is the command:

    # /etc/init.d/slapd stop

Before adding your init.ldif, clear out the existing database. This deletes every entry already in the directory, so only do it on a fresh installation:

    # rm -rf /var/lib/ldap/*

Configure your init.ldif

Here is the init.ldif file. Create this file so you may add the content for your system.

    dn: dc=example,dc=com
    objectClass: dcObject
    objectClass: organizationalUnit
    dc: example
    ou: Example Dot Com

    dn: cn=admin,dc=example,dc=com
    objectClass: simpleSecurityObject
    objectClass: organizationalRole
    cn: admin
    description: LDAP administrator
    userPassword: {SSHA}k1wLLf+cCUArjAt2BuFGe6OYdSiayIZd

    dn: ou=people,dc=example,dc=com
    objectClass: organizationalUnit
    ou: people

    dn: ou=groups,dc=example,dc=com
    objectClass: organizationalUnit
    ou: groups

    dn: uid=fsmith,ou=people,dc=example,dc=com
    objectClass: inetOrgPerson
    objectClass: posixAccount
    objectClass: shadowAccount
    uid: fsmith
    sn: Smith
    givenName: Fred
    cn: Fred Smith
    displayName: Fred Smith
    uidNumber: 1001
    gidNumber: 1001
    userPassword: {SSHA}w5tiDXpVXOWr4cCujbrqUNdlUX+wYPY0
    gecos: Fred Smith
    loginShell: /bin/bash
    homeDirectory: /home/fsmith
    shadowExpire: -1
    shadowFlag: 0
    shadowWarning: 7
    shadowMin: 8
    shadowMax: 999999
    shadowLastChange: 10877
    mail: <e-mail address obscured on the original page>
    initials: FS

Note that slapadd must be run as root; however, the server, due to security concerns, runs as the ldap user. Therefore, once you add an ldif file you must change the ownership of the /var/lib/ldap directory.

Change Permissions
Modify tcp_wrappers

Edit /etc/hosts.allow:

    SSHD: ALL
    SLAPD: ALL

ALL accepts connections from any host; if the directory only needs to serve particular networks, list those client networks instead of ALL.

Start the LDAP Server

    # /etc/init.d/slapd start

Verify that the server started by checking port 389, which is the default port:

    netstat -aunt

You should see the port listening like so:

    Proto Recv-Q Send-Q Local Address           Foreign Address         State
    tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN

Test Your Database
Query the directory with ldapsearch:

    ldapsearch -xLLL -b "dc=example,dc=com" '(objectclass=*)'

    -x     perform simple bind (do not use SASL authentication)
    -LLL   print plain LDIF without comments or the version line
    -b     the search base, here the top of the tree

Example Output:

    dn: dc=example,dc=com
    objectClass: dcObject
    objectClass: organizationalUnit
    dc: example
    ou: Example Dot Com

    dn: cn=admin,dc=example,dc=com
    objectClass: simpleSecurityObject
    objectClass: organizationalRole
    cn: admin
    description: LDAP administrator

    dn: ou=people,dc=example,dc=com
    objectClass: organizationalUnit
    ou: people

    dn: ou=groups,dc=example,dc=com
    objectClass: organizationalUnit
    ou: groups

    dn: uid=fsmith,ou=people,dc=example,dc=com
    objectClass: inetOrgPerson
    objectClass: posixAccount
    objectClass: shadowAccount
    uid: fsmith
    sn: Smith
    givenName: Fred
    cn: Fred Smith
    displayName: Fred Smith
    uidNumber: 1001
    gidNumber: 1001
    gecos: Fred Smith
    loginShell: /bin/bash
    homeDirectory: /home/fsmith
    shadowExpire: -1
    shadowFlag: 0
    shadowWarning: 7
    shadowMin: 8
    shadowMax: 999999
    mail: <e-mail address obscured on the original page>
    initials: FS

Neither userPassword nor shadowLastChange appears in this output: with an anonymous simple bind, the default access rules in slapd.conf let those attributes be used for authentication but not be read.
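The init.ldif above carries userPassword values produced by slappasswd, and anything pasted into it in cleartext would be loaded by slapadd exactly as written. The following is an added example, not part of the original article or of OpenLDAP: it re-implements the {SSHA} scheme slappasswd uses (SHA-1 over the password plus a 4-byte salt, with the salt appended to the digest before base64 encoding, which is why the 32-character values on this page decode to 24 bytes) so that a stored value can be verified, and it audits an LDIF file for entries whose password is not hashed. The sample LDIF and the fixed salt are constructed for the example.

```python
import base64, hashlib, os, re

def ssha_hash(password, salt=None):
    """{SSHA} value as slappasswd builds it: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt  # slappasswd uses a random 4-byte salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(password, stored):
    """Check a candidate password against a stored {SSHA} value."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # 20-byte SHA-1 digest, then the salt
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest

def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, 'attr: value' lines, continuations, '#' comments."""
    entries, entry, last = [], {}, None
    for line in text.splitlines() + [""]:  # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if line == "":
            if entry:
                entries.append(entry)
            entry, last = {}, None
        elif line.startswith(" ") and last:
            entry[last][-1] += line[1:]
        else:
            attr, _, value = line.partition(":")
            last = attr.strip()
            entry.setdefault(last, []).append(value.strip())
    return entries

def audit_passwords(text):
    """Map each DN that has a userPassword to 'hashed' ({SCHEME} prefix) or 'cleartext'."""
    report = {}
    for entry in parse_ldif(text):
        for pw in entry.get("userPassword", []):
            report[entry["dn"][0]] = "hashed" if re.match(r"\{[A-Z0-9-]+\}", pw) else "cleartext"
    return report

FIXED_SALT = b"\x01\x02\x03\x04"  # constructed, only so the sample below is reproducible
# Constructed sample in init.ldif's layout: admin has a real {SSHA} value, fsmith was pasted in cleartext.
SAMPLE_LDIF = f"""dn: cn=admin,dc=example,dc=com
userPassword: {ssha_hash('adminpass', FIXED_SALT)}

dn: uid=fsmith,ou=people,dc=example,dc=com
userPassword: secret123
"""
```

Running audit_passwords over init.ldif before slapadd loads it flags any entry that would otherwise end up with a readable password in the database.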
Copyright CyberMontana Inc. and BeginLinux.com All rights reserved. Cannot be reproduced without written permission. Box 1262 Trout Creek, MT 59874