LFCS – Creating LDAP on Ubuntu

Jarret B

Well-Known Member
Staff member
Joined
May 22, 2017
Messages
368
Reaction score
420
Credits
13,526
I hope you have looked over the previous article to set up OpenLDAP on CentOS 7 system found here. This will build on that article somewhat.

We are going to install and configure OpenLDAP on Ubuntu and create an initial database. I did not do some things done here in the previous article, so you may learn something useful here for CentOS or Ubuntu.

LDAP Installation

Just as with CentOS, we need to set up a Fully Qualified Domain Name (FQDN) for our server. I will try to stick to the same naming conventions as we did with CentOS, so later articles will work for both systems.

NOTE: If you did not look over the CentOS 7 article for this subject, I suggest you look it over and be a little familiar with it. Some of the information will be similar, but some will be different.

Open a terminal and run ‘ifconfig’ to get the IP Address of the system. Make note of the IP address.

Next, you need to open the ‘/etc/hosts’ file for an editor. You will need to add a line similar to the following, but change your information as needed:

192.168.56.106 server1.linux.org server1

Reboot the system for these changes to take effect after you save the file.

Once the system has completed the reboot, open a terminal again. You will run the following commands and make sure that you get a valid response so you know the hostname change was successful:

ping server1
ping server1.linux.org


NOTE: Change your server name and FQDN appropriately. Throughout the rest of the article, I will use ‘server1.linux.org’, so when you see these, use the names you chose.

To install OpenLDAP, perform the following command:

Code:
sudo apt install slapd ldap-utils

After the install starts, it should ask you to make an ‘admin’ password for the LDAP database. Enter the password you want and verify it when asked. The installation should continue and complete.

To verify the installation of the LDAP Daemon and the system started it, use the command:

Code:
systemctl status slapd

You should see a result that shows the service is active and running. If there is a problem with the service, look at the section towards the end of this article to remove the LDAP. Once removed, start again.

If you look in the folder ‘/var/lib/ldap’ you should see two files present there: ‘data.mdb’ and ‘lock.mdb’.

Now we need to make a slight configuration change in the file ‘/etc/ldap/ldap.conf’. Edit the file and remove the Hash tags (#) from the following two lines and make the changes as you need:

Code:
BASE dc=linux,dc=org 
URI ldap://localhost:389

Save the file and exit your editor.

Run the following command ‘sudo dpkg-reconfigure slapd’. The command will cause you to be prompted for:

Omit LDAP Server configuration? No
DNS Domain Name: linux.org
Organization Name: linux
Administrator password: <password you entered previously>
Confirm Password: <password you entered previously>
Database backend: MDB
Remove Database: No
Move Old Database: Yes


It should set the main database up and be ready to add the top level. Before we add entries, let’s look at the database. Use the command ‘sudo tree /etc/ldap/slapd.d’.

NOTE: You may need to install the ‘tree’ program by entering ‘sudo apt install tree’.

The result should be like:


/etc/ldap/slapd.d
├── cn=config
│ ├── cn=module{0}.ldif
│ ├── cn=schema
│ │ ├── cn={0}core.ldif
│ │ ├── cn={1}cosine.ldif
│ │ ├── cn={2}nis.ldif
│ │ └── cn={3}inetorgperson.ldif
│ ├── cn=schema.ldif
│ ├── olcBackend={0}mdb.ldif
│ ├── olcDatabase={0}config.ldif
│ ├── olcDatabase={-1}frontend.ldif
│ └── olcDatabase={1}mdb.ldif
└── cn=config.ldif

The directory structure shows the folders inside the ‘/etc/ldap/slapd.d’ folder.

To see the actual contents of the database, use the command:

Code:
ldapsearch -x

My result is an empty database:

# extended LDIF
#
# LDAPv3
# base <dc=linux,dc=org> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# linux.org
dn: dc=linux,dc=org
objectClass: top
objectClass: dcObject
objectClass: organization
o: linux
dc: linux

# admin, linux.org
dn: cn=admin,dc=linux,dc=org
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator

# search result
search: 2
result: 0 Success
# numResponses: 3
# numEntries: 2


Now that we know there is only a basic layout, we need to add entries. The current layout is like what we made in the CentOS article with the ‘form.ldif’ file.

Configure LDAP Databases

In the article for installing on a CentOS system, we used LDIF files. The database contains the top level information for ‘linux.org’ and the ‘admin’ user for the database.

We need to add an ‘organizationUnit’ for ‘people’ and ‘groups’. Edit an empty file named ‘top-structure.ldif’ and add in:

dn: ou=People,dc=linux,dc=org
objectClass: organizationalUnit
ou: People

dn: ou=Groups,dc=linux,dc=org
objectClass: organizationalUnit
ou: Groups


Save the file and, at a terminal prompt, enter:

Code:
ldapadd -x -D cn=admin,dc=linux,dc=org -W -f top-structure.ldif

There should be two lines stating that it added entries to the database. If there is an error, go back and make sure the LDIF file is exact to what is above.

To list the new entries, perform the command ‘ldapsearch -x’. If an error had occurred, remove any entries that were successful from ‘top-structure.ldif’. Correct the failed entries and add the ‘LDIF’ file again. If the first entry was successful and the second entry failed, you need to remove the first entry from the LDIF file. When you try to add it again, the first entry will fail since it exists, and it skips the second entry.

Now we only need to add users and groups into the database using an LDIF file.

Creating Test Users and Groups

Create a file named ‘user-groups.ldif’ and put the following into it:

Code:
dn: cn=testgroup,ou=Groups,dc=linux,dc=org
objectClass: posixGroup
cn: testgroup
gidNumber: 4000

dn: uid=Test,ou=People,dc=linux,dc=org
uid: Test
cn: Test
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
sn: user
uidNumber: 1002
gidNumber: 4000
userPassword: Test123
loginShell: /bin/bash
homeDirectory: /home/Test

The user we are adding is part of the ‘testgroup’. The ‘testgroup’ has a ‘gidNumber’ of ‘4000’. User ‘Test’ has a ‘gidNumber’ of ‘4000’ meaning that it is being placed into the ‘testgroup’.

Once you have added the entries, you can check on them with the command ‘ldapsearch -x’.

NOTE: If during the creation of an entry you get an error similar to ‘additional info: object class 'inetOrgPerson' requires attribute 'sn'’ this means that you need to add an ‘sn’ line for the entry. The ‘sn’ is for ‘surname’. Since our ‘Test’ user has no last name, I just used ‘user’.

Modifying an Entry

Let’s assume that the ‘Test’ user is a real user and has a last name of ‘Jones’. So, we need to change ‘user’ to ‘Jones’. To do this, we create another LDIF. We’ll call it ‘modification.ldif’.

Add the following entries:

Code:
dn: uid=Test,ou=People,dc=linux,dc=org
changeType: modify
replace: sn
sn: Jones

Save the file and run the command ‘ldapmodify -x -D cn=admin,cn=linux,cn=org -W -f modification.ldif’. Once the entry is changed, perform an ‘ldapsearch -x’ and verify the user entry has changed for ‘sn’.

If anything major occurs, you may need to remove LDAP completely. In that case, perform the following:

Code:
systemctl stop slapd
systemctl disable slapd
apt remove --purge slapd ldap-utils
rm -rf /var/lib/ldap

Reboot your system and everything should be back to the way it was before you installed LDAP.

Conclusion

The process isn’t as bad for Ubuntu as it is for CentOS.

In my next article, we’ll look into logging into the LDAP service using the database.
 

Members online


Top