How to Setup OpenLDAP Server and Authenticate Client Workstation

LDAP or lightweight directory access protocol allows anyone to locate and connect to organizations, peoples and other resources like files and devices in a network (public/private). LDAP follows X.500 standard, a standard for directory service in a network that typically uses usual client/server paradigm. LDAP is lighter because in its initial version it did not include security features. The primary use of directory services is storing users and object data in a central system and make this data available to other applications mainly for authentication or as an address book and we can accomplish this using an OpenLDAP Server. This articles covers how to Setup OpenLDAP server and authenticate client workstation using Lightweight directory access protocol in Ubuntu 16.04

This articles covers how to Setup OpenLDAP server and authenticate client workstation using Lightweight directory access protocol in Ubuntu 16.04.

Uses of LDAP

→LDAP keeps users and other network objects in a central database.

→LDAP stores information such as plain textual information, images, binary data, public key certificates in the central database.

→LDAP provide authentication and authorization services like login management.

→LDAP can also store DNS records in its database.

→LDAP can be used like yellow pages directory service for any organization.

LDAP terminology

LDAP terminologies are parts of the X.500 Directory Specification, which defines nodes in a LDAP directory.

CN             commonName
L                localityName
ST              stateOrProvinceName
O               organizationName
OU             organizationalUnitName
C               countryName
STREET     streetAddress
DC             domainComponent
UID            userid
DN             Distinguished name

The last one i.e DN (Distinguished Name) is a series of comma-separated key/value pairs used to identify entries uniquely in the directory hierarchy. The DN is actually the entry's fully qualified name. e.g The string  "CN=India,OU=Distribution Groups, DC=gp, DC=gl, DC=linoxide, DC=com" is a path from an hierarchical structure called Directory Information Tree and should be read from right (root) to left (leaf).

In this article, we will setup OpenLDAP server in Ubuntu 16 and configure an OpenLDAP client which will retrieve login credentials from the server and authenticate the users.

IP Address
OpenLDAP Server
10.0.0.196
OpenLDAP client
10.0.0.33

Install OpenLDAP Server

Install OpenLDAP and its utilities using apt-get and enable it during start-up. While installing, it will ask to provide admin password.

# sudo apt-get update
# apt-get install slapd ldap-utils
# systemctl enable slapd

Using netstat, check if the slapd is running in the port no 389

# netstat -pltn

Ubuntu 16 shipped with firewall UFW by default. If UFW is enabled then open the port no 389 using following commands.

# sudo ufw allow tcp/389
# sudo ufw reload

The OpenLDAP package have been installed and now we are going to reconfigure all the defaults those are shipped with ubuntu. Execute the following command to bring up package configuration tool.

# sudo dpkg-reconfigure slapd

The package configuration tool will ask a series of question for re-configuring OpenLDAP

→Omit OpenLDAP server configuration? <No>

→DNS domain name: linoxide.com

→Organization name: linoxide

→Enter password and confirm it: password

→Database backend to use: HDB

→Do you want the database to be removed when slapd is purged? <No>

→Move old database? <Yes>

→Allow LDAPv2 protocol? <No>

Restart OpenLDAP

# systemctl restart slapd

You can change the admin password for OpenLDAP at later stage using the following command.

# ldappassword

At this stage, we have installed and reconfigured OpenLDAP server. To find the entry for admin in the OpenLDAP database, we will use ldapsearch command. ldapsearch will prompt for admin password that we have provided during reconfiguration of OpenLDAP.

# ldapsearch -x -W -D cn=admin,dc=linoxide,dc=com -b dc=linoxide,dc=com -LLL

Enter LDAP Password:
dn: dc=linoxide,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: linoxide
dc: linoxide

dn: cn=admin,dc=linoxide,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: e1NTSEF9MkdIK2p1enlxQ3hFNmtMSE56TUE5NzZzOFQxVGdxSUE=

Add organizational unit (OU)

To add OU, we will create a LDIF (LDAP Data Interchange Format)  file which is the standard text format designed to exchange information from LDAP server. Add an organizational unit by the name 'groups'.

# vi ou_group.ldif

dn: ou=groups,dc=linoxide,dc=com
changetype: add
objectClass: organizationalUnit
objectClass: top
ou: groups

We will use ldapadd to add the above organizational unit.

# ldapadd -W -D "cn=admin,dc=linoxide,dc=com" -f ou_group.ldif

Modify organizational unit (OU)

To modify an organizational unit, create a ldif file with the following content. In this example, we are adding an entry for postal code to the existing OU.

# vi modify_ou.ldif
dn: ou=groups,dc=linoxide,dc=com
changetype: modify
add: postalCode
postalCode: 788109
-

Use ldapmodify to modify the the OU

# ldapmodify -x -W -D "cn=admin,dc=linoxide,dc=com" -f modify_ou.ldif
Enter LDAP Password:
modifying entry "ou=groups,dc=linoxide,dc=com"

Delete organizational unit (OU)

To delete an organizational unit, use ldapdelete specifying the distinguished name for the OU

# ldapdelete -W -D "cn=admin,dc=linoxide,dc=com" "ou=groups,dc=linoxide,dc=com"
Enter LDAP Password:

Add groups

To add a posix group, we will create a LDIF file for it.

# vi irc_users.ldif
dn: cn=ircusers,ou=groups,dc=linoxide,dc=com
objectClass: posixGroup
objectClass: top
cn: ircusers
gidNumber: 4000

Use ldapadd command like before to add the group

# ldapadd -x -W -D "cn=admin,dc=linoxide,dc=com" -f irc_users.ldif
Enter LDAP Password:
adding new entry "cn=ircusers,ou=groups,dc=linoxide,dc=com"

Modify groups

Define the ldif file for modifying groups, we will add 'description' for the existing ircusers group.

# vi modify_irc_users.ldif
dn: cn=ircusers,ou=groups,dc=linoxide,dc=com
changetype: modify
add: description
description: Groups under OU

Use ldapmodify to modify the the the group

# ldapmodify -x -W -D "cn=admin,dc=linoxide,dc=com" -f modify_irc_users.ldif
Enter LDAP Password:
modifying entry "cn=ircusers,ou=groups,dc=linoxide,dc=com"

Delete groups

To delete a group use ldapdelete specifying distinguished name for the group.

# ldapdelete -W -D "cn=admin,dc=linoxide,dc=com" "cn=ircusers,ou=groups,dc=linoxide,dc=com"
Enter LDAP Password:

Add user

At first generate the SSHA password for the user using slappasswd

# slappasswd -h {SSHA} -s mypass
{SSHA}d9NeiNx4RLSEtXNuMxq7+jWK/5yxwCWT

Next create a ldif file for a user

# vi mike_user.ldif
dn: uid=mike,ou=groups,dc=linoxide,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: mike
sn: smith
givenName: mike
cn: mike
uidNumber: 4000
gidNumber: 4000
userPassword: {SSHA}d9NeiNx4RLSEtXNuMxq7+jWK/5yxwCWT
loginShell: /bin/bash
homeDirectory: /home/mike

Make sure to provide correct group id number (gidNumber) which is 4000 in our case. Add the above user using ldapadd command.

# ldapadd -x -W -D "cn=admin,dc=linoxide,dc=com" -f mike_user.ldif
Enter LDAP Password:
adding new entry "uid=mike,ou=users,dc=linoxide,dc=com"

Delete user

To delete an user use ldapdelete command

# ldapdelete -W -D "cn=admin,dc=linoxide,dc=com" "uid=mike,ou=groups,dc=linoxide,dc=com"

Check if the entry has been deleted using following command.

# ldapsearch -x -b "dc=linoxide,dc=com"

Modify user

To modify an user, create a ldif file and then use ldapmodify to achieve it.

# vi modify_mike.ldif
dn: uid=mike,ou=groups,dc=linoxide,dc=com
changetype: modify
replace: smith
sn: smt
-
add: title
title: Grand Poobah
-
add: jpegPhoto
jpegPhoto: /tmp/smith.png

Now execute the ldapmodify command

# ldapmodify -x -W -D "cn=admin,dc=linoxide,dc=com" -f modify_mike.ldif
Enter LDAP Password:
modifying entry "uid=mike,ou=users,dc=linoxide,dc=com"

Search OpenLDAP database

From the server itself, you can now check to see if you can read the database. The command below will dump entire directory.

# ldapsearch -x -LLL -H ldap:/// -b dc=linoxide,dc=com
dn: dc=linoxide,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: linoxide
dc: linoxide

dn: cn=admin,dc=linoxide,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator

dn: ou=groups,dc=linoxide,dc=com
objectClass: organizationalUnit
objectClass: top
ou: groups

dn: ou=users,dc=linoxide,dc=com
objectClass: organizationalUnit
objectClass: top
ou: users

dn: cn=dbagrp,ou=groups,dc=linoxide,dc=com
objectClass: top
objectClass: posixGroup
gidNumber: 678
cn: dbagrp

dn: cn=ircusers,ou=groups,dc=linoxide,dc=com
objectClass: posixGroup
objectClass: top
cn: ircusers
gidNumber: 4000

dn: uid=mike,ou=users,dc=linoxide,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: mike
sn: smith
givenName: mike
cn: mike
uidNumber: 4000
gidNumber: 4000
loginShell: /bin/bash
homeDirectory: /home/mike

Using phpMyAdmin

We have created/edited/searched OU, groups, users through command line. However you can do the same using a web interface called phpldapadmin. The phpldapadmin is shipped along with ubuntu by default. Use apt-get to install it.

# sudo apt-get install phpldapadmin

Edit the config file for phpldapadmin to reflect the directory structure that we have created earlier.

# vi /etc/phpldapadmin/config.php
$servers->setValue('server','name','My LDAP Server');
$servers->setValue('server','host','LDAP-SERVER-IP');
$servers->setValue('server','base',array('dc=linoxide,dc=com'));
$servers->setValue('login','auth_type','session');
$servers->setValue('login','bind_id','cn=admin,dc=linoxide,dc=com');

You can now access phpldapadmin through http://LDAP-SERVER-IP/phpldapadmin. Login with user as default directory structure and password as 'password'. To password protect the phpldapadmin location, create an user using apache utils htpasswd.

# sudo htpasswd -c /etc/apache2/htpasswd ldapadminuser
New password:
Re-type new password:
Adding password for user ldapadminuser

Append the following section in apache's main configuration file /etc/apache2/apache2.conf

# vi /etc/apache2/apache2.conf

<Location /phpldapadmin>
AuthType Basic
AuthName "Restricted Files"
AuthUserFile /etc/apache2/htpasswd
Require valid-user
</Location>

Restart Apache

# systemctl restart apache2

Refresh the phpldapadmin page, you will see the password prompt that you configured using htpasswd utils.

Install OpenLDAP client

We will install few packages in the client machine to make authentication function correctly with an OpenLDAP server.

# apt-get install ldap-auth-client nscd

You will be asked a series of questions similar to what was asked during server configuration.

→ LDAP server Uniform Resource Identifier: ldap://10.0.0.196

→ Distinguished name of the search base: dc=linoxide,dc=com

→LDAP version: 3

→Make local root Database admin: <Yes>

→Does the LDAP database require login? <No>

→LDAP account for root: cn=admin,dc=linoxide,dc=com

→LDAP root account password: password

You can always change the configuration by executing the following command in the terminal.

#  sudo dpkg-reconfigure ldap-auth-config

Configure OpenLDAP client

We need to edit the file /etc/nsswitch.conf to inform the authentication files about the presence of a OpenLDAP server. Edit /etc/nsswitch.conf file and modify the lines that starts with passwd, group, shadow to look like the below.

# vi /etc/nsswitch.conf
passwd:         ldap compat
group:            ldap compat
shadow:         ldap compat

Edit  /etc/pam.d/common-session and the following line at the end of the file.

# vi /etc/pam.d/common-session
....................
....................

session required        pam_mkhomedir.so skel=/etc/skel umask=0022

Setup nss using auth-client-config with ldap

# auth-client-config -t nss -p lac_ldap
# cd /usr/share/pam-configs/
# vi mkhomedir

Name: Create home directory on login for Linoxide
Default: yes
Priority: 0
Session-Type: Additional
Session-Interactive-Only: yes
Session:
required                        pam_mkhomedir.so umask=0022 skel=/etc/skel

The last line of the above file will create a home directory on the client machine when an LDAP user logs in and does not have a home directory. Now update the pam authentication.

# pam-auth-update

Enable the line that says "Create home directory on login......" and select 'Ok'. Restart nscd.

# /etc/init.d/nscd restart
[ ok ] Restarting nscd (via systemctl): nscd.service.

List the entry of password file using getent. The list will include the LDAP user 'mike' which we have created earlier in the server.

# getent passwd
mike:x:4000:4000:mike:/home/mike:/bin/bash

If you have not installed SSH earlier then install it using SSH.

# apt-get install ssh

Make sure you have set the the following to yes in /etc/ssh/sshd_config

PermitRootLogin yes
UsePAM yes

Connect to the LDAP server using SSH

# ssh mike@10.0.0.33

Another way to get the shell of mike is by using sudo in the client machine.

# su - mike
mike@ip-10-0-0-33:~$

While configuring OpenLDAP server, we have created the LDAP administrator with distinguished name "cn=admin,dc=linoxide,dc=com" This value admin matched with the admin group that is there in Ubuntu by default. The LDAP users that we have created to the admin group will have access to the sudo command since there is an entry for it in the /etc/sudoers file like below-

%admin ALL=(ALL) ALL

To revoke access to sudo for the admin group, comment the above line by placing a hash in the beginning of the line. You can also grant sudo access to specific user by adding %user ALL=(ALL) ALL to /etc/sudoers file.

Conclusion

The advantages of using OpenLDAP server is that information of an entire organization can be placed in a central repository. LDAP can be used as a central directory accessible from anywhere on the network rather than managing users of each group separately. Also LDAP supports Secure Sockets Layer (SSL) and Transport Layer Security  (TLS), so the sensitive data can be protected from prying eyes. Browse OpenLDAP documentation to know more about OpenLDAP administration.

About Dwijadas Dey

Dwijadas Dey is working with GNU/Linux, Open source systems since 2005. Having avid follower of GNU/Linux, He believes in sharing and spreading the open source ideas to the targeted audience. Apart from freelancing he also writes for community. His current interest includes information and network security.

Author Archive Page

Have anything to say?

Your email address will not be published. Required fields are marked *

All comments are subject to moderation.