LDAP stands for Lightweight Directory Access Protocol. It can be used in numerous ways, such as for authentication, a shared directory (for mail clients), an address book, etc. The LDAP protocol can be used to store almost any kind of information. The OpenLDAP server gives you access to that information, which is stored in a tree structure.
In this article we will show you how to install and configure an OpenLDAP server and how to administer it with phpLDAPadmin on Debian, Ubuntu and Linux Mint systems.
Installation Of OpenLDAP Server In Linux
By default the OpenLDAP server is available in the repositories as the package "slapd". You can easily install it with the package manager tool apt-get. But before installing the OpenLDAP server, make sure your system is up-to-date.
During installation, it will ask you to enter a password for the admin entry in your LDAP directory. Enter a strong password and confirm it by selecting OK.
$ sudo apt-get update
$ sudo apt-get install slapd ldap-utils
Configure OpenLDAP Server
In order to configure the OpenLDAP server you need to edit the ldap.conf file, which is stored under the /etc/ldap directory. To edit the ldap.conf file you need a text editor such as vim or nano. Run the following command to open the LDAP configuration file for editing.
$ sudo nano /etc/ldap/ldap.conf
The default contents of the file are shown below.
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE   dc=example,dc=com
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

# TLS certificates (needed for GnuTLS)
TLS_CACERT      /etc/ssl/certs/ca-certificates.crt
Uncomment the BASE and URI lines so you can set them to your own domain name and the address of your LDAP server. Since this is a testing installation and configuration, I will use tecmint123.com as my domain name.
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE    dc=tecmint123,dc=com
URI     ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

# TLS certificates (needed for GnuTLS)
TLS_CACERT      /etc/ssl/certs/ca-certificates.crt
Save the file and run the following command to reconfigure the LDAP package.
$ sudo dpkg-reconfigure slapd
To construct the base DN of the LDAP directory you need a DNS domain name.
Enter your DNS domain name and hit Enter to confirm it. The configuration will then ask you to enter the name of the organization to use in the base DN of your LDAP directory. Enter the name of your company or organisation and hit Enter again.
After the organisation or company name is added, the package configuration will ask you to enter the password for the admin entry in your LDAP directory. Enter the admin password you created in the previous steps.
After you have confirmed the administrator's password, you have to select the database backend. There are two databases to select from, BDB and HDB. Both support the same configuration options and use similar storage formats, but HDB adds support for sub-tree renames, so it is the recommended one.
Select the database you think will work best for you, then hit Enter to confirm the selection. You will then be prompted with another question: select Yes to remove the database when slapd is purged.
Select Yes again and press Enter.
Select No and the LDAP server will start running.
[sudo] password for ravisaive:
 * Stopping OpenLDAP slapd                                  [ OK ]
  Moving old database directory to /var/backups:
  - directory unknown... done.
  Creating initial configuration... done.
  Creating LDAP directory... done.
 * Starting OpenLDAP slapd                                  [ OK ]
Processing triggers for libc-bin ...
To test the LDAP server, run the ldapsearch -x command.
$ ldapsearch -x
It produces the following output.
# extended LDIF
#
# LDAPv3
# base <dc=tecmint123,dc=com> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# tecmint123.com
dn: dc=tecmint123,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: tecmint
dc: tecmint123

# admin, tecmint123.com
dn: cn=admin,dc=tecmint123,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2
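As an added check that is not part of the original article: a small Python lint for /etc/ldap/ldap.conf that derives the expected base DN from the DNS domain the way dpkg-reconfigure slapd does, and flags a BASE or URI left commented out, a BASE that does not match the domain, a URI still pointing at the stock example.com hosts (the usual cause of "Can't contact LDAP server (-1)" when running ldapsearch -x), and a plain ldap:// URI to a non-loopback host, over which a simple bind would send the admin password in the clear. The sample config, domain and host names are constructed for the example.

```python
import re

# Constructed sample: the client config as the article leaves it, with BASE
# set for tecmint123.com but the stock example URI line still in place.
SAMPLE_LDAP_CONF = """\
#
# LDAP Defaults
#
BASE    dc=tecmint123,dc=com
URI     ldap://ldap.example.com ldap://ldap-master.example.com:666
TLS_CACERT      /etc/ssl/certs/ca-certificates.crt
"""

LOOPBACK = {"127.0.0.1", "localhost", "::1", "[::1]"}
URI_RE = re.compile(r"^(ldap|ldaps|ldapi)://([^/:]*)(?::(\d+))?/?$")

def domain_to_base_dn(domain):
    """tecmint123.com -> dc=tecmint123,dc=com, as dpkg-reconfigure slapd derives it."""
    return ",".join("dc=" + label for label in domain.strip().lower().split(".") if label)

def parse_ldap_conf(text):
    """Return {KEYWORD: value} for the active (uncommented) directives only."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def lint_ldap_conf(text, domain):
    """Return a list of findings; empty means ldapsearch -x should reach the
    host named in URI and search under the base DN expected for the domain."""
    conf, findings = parse_ldap_conf(text), []
    expected = domain_to_base_dn(domain)
    base = conf.get("BASE")
    if base is None:
        findings.append("BASE is still commented out: ldapsearch has no default search base")
    elif base.replace(" ", "").lower() != expected:
        findings.append(f"BASE {base!r} does not match {expected!r} derived from {domain}")
    uris = conf.get("URI", "").split()
    if not uris:
        findings.append("URI is still commented out: clients will only try ldap://localhost")
    for uri in uris:
        m = URI_RE.match(uri)
        if not m:
            findings.append(f"URI {uri!r} is malformed")
        elif m.group(2).endswith("example.com"):
            findings.append(f"URI {uri!r} is the stock example host; expect Can't contact LDAP server (-1)")
        elif m.group(1) == "ldap" and m.group(2) not in LOOPBACK:
            findings.append(f"URI {uri!r} is plain ldap:// to a remote host; a simple bind sends the password in clear")
    return findings
```

Run lint_ldap_conf(open("/etc/ldap/ldap.conf").read(), "tecmint123.com") on a real file; a URI of ldap://127.0.0.1:389 with the matching BASE produces no findings.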
LDAP Administration with phpLDAPadmin
phpLDAPadmin is a GUI administration tool for LDAP servers. It lets you interact with your LDAP server through a web interface. It is available in the default repositories and can be installed with the apt-get command.
But before installing phpLDAPadmin, you must have the Apache web server and PHP installed and running. If not, install them using the following command.
$ sudo apt-get install apache2 php5 php5-mysql
Next install the “phpldapadmin” package as shown below.
$ sudo apt-get install phpldapadmin
The same way we configured the ldap.conf file, we need to configure the phpldapadmin web interface configuration files before using it. Run the following command to open the phpldapadmin config.php file.
$ sudo nano /etc/phpldapadmin/config.php
All you need to do is to replace the domain names with your own values. The configuration part needed for this case is under the “Define your LDAP servers” section.
$servers = new Datastore();
$servers->newServer('ldap_pla');
$servers->setValue('server','name','Tecmint LDAP Server');
$servers->setValue('server','host','127.0.0.1');
$servers->setValue('server','base',array('dc=tecmint123,dc=com'));
$servers->setValue('login','bind_id','cn=admin,dc=tecmint123,dc=com');
After you have finished editing the config.php configuration file, open a tab in your web browser and type the "http://ip_address_here/phpldapadmin" URL. Enter your LDAP login credentials and click Login.
How about an update with TLS (self signed keys) and newer versions of Debian 10/Ubuntu 21.04, please? Would you be able to make it available?
@John,
Let me check and update the article with newer Debian and Ubuntu releases…
Any update on TLS/SSL, please?
I have configured an LDAP server on Ubuntu 14.04, and the client is also able to join, but my intention was to hide some built-in applications and restrict 3rd party software, and I am unable to do so. Can you help me out with this please? It's urgent.
@Tousif,
Use LDAP ACLs to restrict applications to specific users. For more information read the OpenLDAP documentation.
Hi Ravi,
We would like to install LDAP on CentOS 7 and it should integrate with Windows 2012 R2 Active Directory OUs. Please suggest to me how to configure it.
@Sanjeevi,
Sorry, no idea about Windows integration with LDAP; actually I never got the chance to work on it.
Hi,
Could you please help me: I want a shell script that will lock a machine after a certain idle time in the OpenLDAP server.
Thank you
Hi Ravi Saive,
The above LDAP configuration is very good, but can you confirm how to log in an LDAP user on an Ubuntu machine in GUI mode?
I struggled with this piece. So to help future readers here is the fix that I had to apply to get the LDAP entries Sheldon, Leonard, Howard, and Rajesh to add.
Here is my Linux information…
Operating System Linux Mint 16 Cinnamon 64-bit
Cinnamon Version 2.0.14
Linux Kernel 3.11.0-12-generic
Here is the error message that I received when trying to add LDAP entries for the first time.
adding new entry "cn=Sheldon Cooper,ou=People,dc=homestead,dc=localdomain"
ldap_add: No such object (32)
matched DN: dc=homestead,dc=localdomain
(repeated three more times)
The fix is to add the missing and needed DN level for the “People”…
dn: ou=People,dc=homestead,dc=localdomain
objectClass: top
objectClass: organizationalUnit
ou: People
Save the above four lines into a separate LDIF file and add it, like in the example below.
$ ldapadd -x -W -D "cn=admin,dc=homestead,dc=localdomain" -f ~/Add_DN_Level.ldif
Enter LDAP Password:
adding new entry "ou=People,dc=homestead,dc=localdomain"
With the DN level added the four People can now be added to LDAP.
LDAP installation & Configuration on CentOS 6.5
[root@dhakal ~]# yum -y install openldap-servers.x86_64 0:2.4.23-34.el6_5.1
[root@dhakal ~]# yum -y install openldap-clients.x86_64 0:2.4.23-34.el6_5.1
[root@dhakal ~]# yum -y install portreserve.x86_64 0:0.0.4-9.el6
Packages Installed: openldap-clients.x86_64 0:2.4.23-34.el6_5.1
openldap-servers.x86_64 0:2.4.23-34.el6_5.1
Dependency Installed: portreserve.x86_64 0:0.0.4-9.el6
[root@dhakal ~]# yum -y update
Updated: cpio.x86_64 0:2.10-12.el6_5
[root@dhakal ~]# slappasswd -s 123dhakal
[root@dhakal ~]# cd /etc/openldap/slapd.d/cn\=config/
[root@dhakal cn=config]# ll
[root@dhakal cn=config]# vi olcDatabase={1}monitor.ldif
[root@dhakal cn=config]# vi olcDatabase={2}bdb.ldif
[root@dhakal ~]# cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf
[root@dhakal ~]# vi /etc/openldap/slapd.conf
[root@dhakal ~]# chkconfig slapd on
[root@dhakal run]# vi vastika.ldif
[root@dhakal run]# ldapadd -x -D “cn=Dhakal,dc=vastika,dc=com” -W -f vastika.ldif
[root@dhakal run]# ldapsearch -x -LLL -b dc=vastika,dc=com
[root@dhakal run]#
Complete!
Would be a nice tutorial if it actually would work. No luck with Linux Mint.
Hi Ravi,
I have installed OpenLDAP with phpLDAPadmin as you instructed on my Ubuntu 12.0.4 box. But I can not login via the phpLDAPadmin page. I can login there only as an anonymous user. Could you please help me out?
Hi Amitesh!
I had the same problem with Linux Mint 17.
So the key is, when you configure the /etc/ldap/ldap.conf file you need to modify the URI row as well:
URI ldap://127.0.0.1:389
The phpldapadmin config file (/etc/phpldapadmin/config.php) needs to be fixed as well.
The base DNS should be the same as you entered after executing this command: "sudo dpkg-reconfigure slapd".
Actually, what you typed in in the second picture, that DNS needs to be typed into the phpldapadmin config file too.
e.g.: $servers->setValue('server','base',array('dc=test,dc=tecmint,dc=com'))
Restart Apache at the end:
sudo service apache2 restart
Good luck!
I am unable to find an option or command to save the phpldapadmin config file.
You can also try just using the IP of your LDAP server in the URI,
i.e.
URI ldap://192.168.1.10
Thanks for sharing this info! As to Soumitra's error, entering the server into DNS should resolve it, or at least enter it in the hosts table of the LDAP server.
You get the error when you use ldapsearch x without the dash.
ldapsearch -x should work
Well, the error got resolved after restarting the slapd daemon.
Now how do we authenticate the client in LDAP?
How do I restart the slapd daemon?
Is it /etc/init.d/slapd restart?
Please help me, I've tried this but it didn't work.
Which OS are you using?
I have done all the configuration and created an object for contact sharing, but when I tried to connect my LDAP with Thunderbird it is not sharing the contacts from LDAP. All is running well. Please get back to me ASAP.
ldap_sasl_interactive_bind_s: Can’t contact LDAP server (-1)
I confirm the problem in wheezy
Please change entry according to your domain in /etc/ldap/ldap.conf
my hostname is manoj-KVM.mint.local
$ sudo nano /etc/ldap/ldap.conf
BASE dc=mint,dc=local
URI ldap://manoj-KVM.mint.local ldap://manoj-KVM.mint.local:666
I'm getting the same error as Soumitra. Ideas?
I haven't received such an error; let me check and give you a proper solution to fix it.
Please share the same for RHEL 6 / CentOS 6 x86_64.
And I will be waiting for your post...
Very soon…
I am getting this error:
My hostname is ubuntults.com, I made the following changes in the .conf file
BASE dc=ubuntults,dc=com
URI ldap://ldap.ubuntults.com ldap://ldap-master.ubuntults.com:666
This is the error:
ldap_sasl_interactive_bind_s: Can’t contact LDAP server (-1)
I had the same error on wheezy. If you re-comment BASE and URI it should work.
Put it
URI ldap://127.0.0.1/
into /etc/openldap/ldap.conf.