Setting Up of LDAP Server in Ubuntu 16.04
What is LDAP
LDAP (Lightweight Directory Access Protocol) is a protocol for accessing and maintaining
directory services over a network. Think of it as a lookup table that stores information
in a hierarchical structure: it is organised as "containers" (entries) whose attributes
hold the rules or information.
Step 7: Answer No
Step 8: Answer Yes
Step 9: Answer No
Note: We can reconfigure the LDAP package at any time with the command
"dpkg-reconfigure slapd".
How to install the LDAP admin tool in Ubuntu:
Step 5: The next value to modify uses the same domain components that you set up
in the previous entry. Add them after "cn=admin" in the entry below:
Before: $servers->setValue('login','bind_id','cn=admin,dc=example,dc=com');
After: $servers->setValue('login','bind_id','cn=admin,dc=coretesting,dc=com');
Step 1: Access phpLDAPadmin by entering your domain name or IP address followed by
"/phpldapadmin" in your web browser.
Step 2: Click on the "login" link on the left-hand side. You will receive a login
prompt. The correct Login DN (distinguished name) should be pre-populated if
you have configured phpLDAPadmin correctly. In our case, this would be
"cn=admin,dc=coretesting,dc=com".
Step 3: Enter the password to log in. You will see your root domain listed on the
left-hand side.
How to create LDIF data for adding groups and users to the root domain:
Step 1: Create an LDIF file in Ubuntu and add the following data for the groups
and users.
#vi ldap.ldif
dn: cn=group,dc=coretesting,dc=com
objectClass: groupOfNames
cn: group
member: cn=megarac,dc=coretesting,dc=com

dn: cn=megarac,dc=coretesting,dc=com
objectClass: uidObject
objectClass: top
objectClass: person
cn: megarac
sn: megarac
uid: megarac
userPassword: megarac
(LDIF requires a blank line between entries, so the group entry and the user
entry above must be separated by an empty line.)
With this LDIF data, one group named "group" and one user named "megarac"
will be added to the domain coretesting.com.
Step 2: After saving the LDIF file, run the command below from the Ubuntu
command line.
This will add the entries to the LDAP tree. You can check this in the
phpLDAPadmin client.
Step 2: After that we need to create a certificate authority (CA) for this purpose.
#certtool --generate-privkey > /etc/ssl/private/cakey.pem
Step 3: Then create a template file (/etc/ssl/ca.info) to assist the creation of
the self-signed CA.
#vi /etc/ssl/ca.info
cn = ami
ca
cert_signing_key
Step 5: Now create the key for slapd and sign it using the generated CA.
#certtool --generate-privkey --outfile /etc/ssl/private/slapd01_key.pem
Step 6: Create a template file (/etc/ssl/slapd01.info)
#vi /etc/ssl/slapd01.info
organization = AMI
cn = 10.0.124.53
tls_www_server
encryption_key
signing_key
expiration_days = 3650
Step 8: Update the private key's permissions so that it is readable by the system's
ssl-cert group.
# chown :ssl-cert /etc/ssl/private/slapd01_key.pem
# chmod 640 /etc/ssl/private/slapd01_key.pem
Step 9: Add the openldap user to the ssl-cert group so that slapd can read
the private key.
Step 13: Now enable SSL in /etc/default/slapd as below (add the ldaps:/// entry):
#vi /etc/default/slapd
SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"
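As an added example that is not part of the original guide, the following POSIX shell script checks the outcome of Steps 8 and 13: that the slapd private key carries the ssl-cert group and mode 640, and that ldaps:/// is listed in SLAPD_SERVICES. The file paths are the guide's; the function names and the --audit flag are my own, and the group and mode can be overridden so the checks can be tried against any file.

```shell
#!/bin/sh
# Added example, not from the original guide: post-setup checks for the TLS key
# permissions (Step 8) and the SLAPD_SERVICES line (Step 13).

# Succeed (exit 0) when the contents of /etc/default/slapd enable ldaps:///.
# $1: file contents, e.g. slapd_services_has_ldaps "$(cat /etc/default/slapd)"
slapd_services_has_ldaps() {
    printf '%s\n' "$1" | grep -E '^SLAPD_SERVICES=".*ldaps:///.*"' >/dev/null
}

# Succeed when the key file has the expected group and octal mode.
# $1: key path, $2: expected group (guide: ssl-cert), $3: expected mode (guide: 640)
key_perms_ok() {
    key=$1; want_group=${2:-ssl-cert}; want_mode=${3:-640}
    [ -f "$key" ] || { echo "missing: $key"; return 1; }
    mode=$(stat -c '%a' "$key") && group=$(stat -c '%G' "$key") || return 1
    [ "$mode" = "$want_mode" ] && [ "$group" = "$want_group" ]
}

# Run both checks against the live system using the guide's paths.
audit_slapd_tls() {
    slapd_services_has_ldaps "$(cat /etc/default/slapd)" \
        || echo "ldaps:/// is not enabled in /etc/default/slapd"
    key_perms_ok /etc/ssl/private/slapd01_key.pem \
        || echo "key permissions differ from Step 8 (expected ssl-cert, 640)"
}

# Invoke as: sh check_slapd_tls.sh --audit   (hypothetical file name)
case "${1:-}" in
    --audit) audit_slapd_tls ;;
esac
```

The script only reports; it never changes permissions itself, so it is safe to run repeatedly after the slapd restart in the later steps.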
SSL:
Step 1: Enable SSL, enter port number 636 and leave the other settings
unchanged.
Step 1: Download the certificate files from the Ubuntu LDAP server.
Step 2: Copy those files to your client machine. Log in to the BMC from your client
machine.
Step 3: Enable STARTTLS, change the port number to 389 and upload the copied
certificate files from your client machine. Other settings can remain unchanged.
Step 4: Log in using our LDAP user "megarac".
Note: To make STARTTLS work with an FQDN, provide the Fully Qualified Domain Name
as the common name when generating the certificates in Step 6.
Repeat Step 2 to Step 10 to generate certificates with the FQDN, with the only
change in Step 6 being:
#vi /etc/ssl/slapd01.info
organization = AMI
cn = ldap.m.t.i.co.in
(Here "ldap" is the host name of the LDAP server and "m.t.i.co.in" is its domain
name, i.e. the LDAP server has been registered in the domain "m.t.i.co.in", so the
FQDN of the LDAP server is "ldap.m.t.i.co.in".)
tls_www_server
encryption_key
signing_key
expiration_days = 3650
On the BMC side, select the FQDN option for STARTTLS and provide the LDAP
server's FQDN.
#vi /etc/ldap/ldap.conf
#vi /etc/ldap/slapd.d/cn=config/olcDatabase={1}bdb.ldif
olcRootDN: uid=admin,dc=coretesting,dc=com
#/etc/init.d/slapd restart
Now we can log in to the phpLDAPadmin client as admin using either the uid or the cn attribute.
Step 3: Now create an LDIF file for adding a group and a user with the uid attribute.
#vi uid.ldif
dn: uid=groups,dc=coretesting,dc=com
objectClass: groupOfNames
objectClass: uidObject
cn: groups
uid: groups
member: uid=testing,dc=coretesting,dc=com

dn: uid=testing,dc=coretesting,dc=com
objectClass: uidObject
objectClass: top
objectClass: person
cn: testing
sn: testing
uid: testing
userPassword: testing
(The group entry must carry "uid: groups": uidObject requires the uid attribute
and slapd rejects an entry whose RDN attribute is not present. As before, the two
entries are separated by a blank line.)
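The following Python script is an added example, not part of the original guide, that serves both LDIF passages above (ldap.ldif and uid.ldif). It parses a minimal LDIF, reports the mistakes that make ldapadd fail (a MUST attribute of an object class missing, the RDN attribute absent from the entry, a group member that is not defined in the file), flags userPassword values stored in cleartext, and rewrites them as {SSHA} hashes, the scheme slappasswd produces by default. The embedded sample is constructed from the uid.ldif entries above; the MUST table covers only the object classes this guide uses, and the parser deliberately supports neither base64 values nor line folding.

```python
"""Validate guide-style LDIF before loading it with ldapadd, and hash cleartext
passwords as {SSHA}. Added example; not from the original guide."""
import base64
import hashlib
import os

# Constructed sample: the guide's uid.ldif entries, blank-line separated.
SAMPLE_LDIF = """\
dn: uid=groups,dc=coretesting,dc=com
objectClass: groupOfNames
objectClass: uidObject
cn: groups
uid: groups
member: uid=testing,dc=coretesting,dc=com

dn: uid=testing,dc=coretesting,dc=com
objectClass: uidObject
objectClass: top
objectClass: person
cn: testing
sn: testing
uid: testing
userPassword: testing
"""

# Required attributes per object class, limited to the classes used in the
# guide (from OpenLDAP's core schema).
MUST = {
    "groupOfNames": {"cn", "member"},
    "uidObject": {"uid"},
    "person": {"cn", "sn"},
    "top": set(),
}


def parse_ldif(text):
    """Parse minimal LDIF (no base64 values, no folding) into a list of
    (dn, {attribute: [values]}); entries are separated by blank lines."""
    entries, attrs, dn = [], {}, None
    for raw in text.splitlines() + [""]:   # trailing "" closes the last entry
        line = raw.rstrip()
        if not line:
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        name, value = name.strip(), value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return entries


def validate(entries):
    """Return a list of problem strings; an empty list means ldapadd-ready."""
    problems = []
    known = {dn.lower() for dn, _ in entries}
    for dn, attrs in entries:
        # every MUST attribute of every listed object class has to be present
        for oc in attrs.get("objectClass", []):
            for must in MUST.get(oc, set()):
                if must not in attrs:
                    problems.append(f"{dn}: objectClass {oc} requires {must}")
        # the naming attribute in the RDN must also appear as an attribute
        rdn_attr, _, rdn_val = dn.split(",", 1)[0].partition("=")
        if rdn_val not in attrs.get(rdn_attr, []):
            problems.append(f"{dn}: naming attribute {rdn_attr}={rdn_val} missing")
        # members should refer to entries in this file (no refint overlay here)
        for member in attrs.get("member", []):
            if member.lower() not in known:
                problems.append(f"{dn}: member {member} is not defined in this LDIF")
        # a value without a {SCHEME} prefix is stored verbatim in the directory
        for pw in attrs.get("userPassword", []):
            if not pw.startswith("{"):
                problems.append(f"{dn}: userPassword is cleartext")
    return problems


def ssha_hash(password, salt=None):
    """OpenLDAP {SSHA} value: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(password, stored):
    """Check a cleartext password against a stored {SSHA} value."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes
    return hashlib.sha1(password.encode() + salt).digest() == digest


def hash_passwords(text):
    """Rewrite cleartext userPassword lines of an LDIF text as {SSHA} values."""
    out = []
    for line in text.splitlines():
        name, _, value = line.partition(":")
        if name.strip().lower() == "userpassword" and not value.strip().startswith("{"):
            line = f"{name.strip()}: {ssha_hash(value.strip())}"
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for problem in validate(parse_ldif(SAMPLE_LDIF)):
        print("problem:", problem)
    print(hash_passwords(SAMPLE_LDIF))
```

Run it on a real file by reading the file into `hash_passwords` and writing the result back before calling ldapadd; slapd accepts {SSHA} values as-is, so simple binds with the original password continue to work.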