
Installing OpenLDAP on Ubuntu

This recipe covers the installation and initial configuration of LDAP. The Ubuntu package repository makes the installation easy by providing the required packages for the LDAP service.

Getting ready

You will need access to a root account or an account with sudo privileges.

How to do it…

Let's start with installing the LDAP package and helper utilities:

Update your repository using the apt-get update command and then install the OpenLDAP package, slapd:

$ sudo apt-get update

$ sudo apt-get install slapd ldap-utils

You will be asked to enter the admin password and to confirm it.

The installation process simply installs the package without any configuration. We need to start the actual configuration process with the reconfiguration of the slapd package. Use the following command to start the re-configuration process:

$ sudo dpkg-reconfigure slapd

This command will ask you a series of questions including the domain name, admin account, password, database type, and others. Match your answers as follows:

Omit LDAP server configuration – NO.

DNS Domain name – Enter your domain name. You can use any domain name. For this setup, I will be using example.com. This domain name will determine the top structure of your directory:

Organization name – Enter your organization name. I am using example as my organization.

Admin password – Enter a password for the admin account. It can be the same as the one entered during installation, or a totally different one. Make sure you note this password as it will be used to access the admin account.

Database backend – HDB

Remove the database when slapd is purged – This is about removing the database in case you uninstall the slapd package. Choose NO as you don't want the database to be deleted:

Move old database – YES

Allow the LDAPv2 protocol – Unless you are planning to use some old tools, choose NO:

Once you have answered all the questions, the process will reconfigure the LDAP service. Now your LDAP service is installed and ready to use:

Now you can use utility commands to query existing data. To test whether the LDAP service is installed and running properly, use the ldapsearch -x command. You should see output similar to the following screenshot:

Use ldapsearch as follows to query our newly added domain, example.com:

$ ldapsearch -x -LLL -H ldap:/// -b dc=example,dc=com dn

The following command will query the default content for example.com:

$ ldapsearch -x -LLL -b dc=example,dc=com
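
As an added example (not part of the original recipe), the following script post-processes the output of the two queries above, which run as an anonymous simple bind because -x is given without -D. It derives the base DN from the DNS domain, unfolds wrapped LDIF lines, confirms that the suffix and admin entries exist, and flags any userPassword value returned to the unauthenticated client. The function names and the sample LDIF are constructed for illustration.

```shell
# Added example: checks on the output of the anonymous ldapsearch queries.

# DNS domain given to dpkg-reconfigure -> directory suffix (base DN).
domain_to_base_dn() {
    printf '%s\n' "$1" | sed -e 's/\./,dc=/g' -e 's/^/dc=/'
}

# LDIF folds long lines; a continuation line starts with a single space.
unfold_ldif() {
    awk '/^ / { buf = buf substr($0, 2); next }
         { if (NR > 1) print buf; buf = $0 }
         END { if (NR > 0) print buf }'
}

# Reads LDIF on stdin. Returns 0 if the suffix and admin entries are present
# and no password came back, 1 if an entry is missing, 2 if userPassword leaked.
check_anon_ldif() {
    base_dn=$1
    ldif=$(unfold_ldif)
    for dn in "$base_dn" "cn=admin,$base_dn"; do
        printf '%s\n' "$ldif" | grep -qixF "dn: $dn" || { echo "missing: $dn"; return 1; }
    done
    if printf '%s\n' "$ldif" | grep -qi '^userPassword:'; then
        echo "userPassword exposed to anonymous bind"; return 2
    fi
    echo ok
}

# Constructed sample of the default content (admin DN folded on purpose).
sample_ok() {
    cat <<'EOF'
dn: dc=example,dc=com
objectClass: organization
o: example
dc: example

dn: cn=admin,dc=exam
 ple,dc=com
objectClass: simpleSecurityObject
cn: admin
description: LDAP administrator
EOF
}

# Constructed failing case: same entries plus a returned password attribute.
sample_leaky() { sample_ok; echo 'userPassword:: Q09OU1RSVUNURUQ='; }

# Live use: ldapsearch -x -LLL -H ldap:/// -b "$base" | check_anon_ldif "$base"
sample_ok | check_anon_ldif "$(domain_to_base_dn example.com)"
```
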

The ldap-utils package also provides more commands to configure the LDAP service, but it is quite a lengthy and complex task. In the next recipe, we will learn how to set up a web-based admin interface that makes things a little easier.

How it works…

With the respective packages available in the Ubuntu package repository, installing OpenLDAP is quite an easy task. All we have to do is install the required binaries and then configure the LDAP system to serve our desired domain. We have installed two packages: one is slapd, the LDAP daemon, and the other is ldap-utils, which provides various commands to work with the LDAP daemon. After installation is complete, we have re-configured LDAP to match our required directory setup. We have chosen to go with LDAPv3 API and disabled LDAPv2. If you have any older systems working with LDAPv2, then you will need to enable support for old APIs.

Before we access the admin page, let's make some small changes in the configuration file. The file is located at /etc/phpldapadmin/config.php. By default, phpLDAPadmin shows warning messages for unused template files. These warning messages get shown in the main interface before the actual content. To hide them, search for hide_template_warning in the configuration file and set it to true. You will also need to uncomment the same line:

$config->custom->appearance['hide_template_warning'] = true;

The other settings should have already been set by the installation process. You can cross-check the following settings:

$servers->setValue('server','host','127.0.0.1');

$servers->setValue('login','bind_id','cn=admin,dc=example,dc=com');

$servers->setValue('server','base',array('dc=example,dc=com'));

Once you are done with the configuration file changes, save and close it and then access the admin interface through your browser:

Click on the login link on the left of the page to get the login dialogue box. The username (Login DN) field is already filled with details for the admin account. Make sure the details match the domain you have set up. Enter the password for the admin account and click the Authenticate button:

You should have noticed the warning on the login box saying the connection is unencrypted. This is a reminder that you are using the admin console over a non-HTTPS connection, so the admin password you enter is sent in clear text. You can set up Apache with SSL certificates to get an encrypted connection between your browser and the admin console. Check article 3, Working with Web Servers, for more details on how to set up SSL certificates on the Apache web server.

Once you log in to phpLDAPadmin, you can see the domain listed in the left-hand side menu. Click on the domain link to view its details.

Next, click on the small plus link (+) to expand the domain link and see its children. With the default settings, it should show only the admin account:

Along with the link for the admin account, you will see an option to create a new entry. Clicking on this link will show you a list of templates for the new entry:

While clicking on some of these templates, for example Generic: User Account, you may notice a PHP error saying Error trying to get non-existent value. The form rendering fails and you cannot see the complete form with the submit button. This is a small bug and can be fixed with a small edit.

Open /usr/share/phpldapadmin/lib/TemplateRender.php.

Search for the following line:

$default = $this->getServer()->getValue('appearance','password_hash');

Now update the preceding line as follows:

$default = $this->getServer()->getValue('appearance','password_hash_custom');

Now you are ready to create groups and respective user accounts on your LDAP server.

How it works…

In this recipe, we have installed a web-based administration console for the LDAP server. The ldap-utils package provides various commands to work with the LDAP server, but it is quite a complex and lengthy task. A graphical user interface gives you a better listing of all options and existing configurations, making things a little easier.

The phpLDAPadmin package is a PHP/Apache-based web application that provides a graphical interface for the LDAP server. It displays all options and configurations in an easy-to-use graphical format and passes all user actions to LDAP APIs.

There's more…

Apache Directory Studio is another user interface for LDAP administration. It is a desktop application based on Java. You can get more details at https://directory.apache.org/studio/.

See also

A StackOverflow answer for the phpLDAPadmin error message at http://stackoverflow.com/a/21195761/1012809
