Setting up an LDAP server in Ubuntu 16.04
Document Change History

Date        Version  Created by   Reviewed by   Approved by  Description
10/17/2016  0.1      Sowmiya K N  Govindarajan               Setting up of OpenLDAP server in Ubuntu 16.04
7/31/2018   0.2      Sowmiya K                               Updated steps for the latest version of LDAP
5/10/2019   0.3      Sowmiya K                               Updated the steps for the latest version of LDAP
6/27/2019   0.4      Sowmiya K                               Updated the steps for LDAP to work with FQDN in STARTTLS
Setup details:
Installed in: Ubuntu 16.04.4 LTS 64 bit
LDAP browser: PHPldapadmin
What is LDAP
LDAP (Lightweight Directory Access Protocol) is a protocol for accessing and maintaining
directory services over a network. Think of it as a lookup table that stores information
in a hierarchical structure: its entries act as "containers" that hold the "rules" or
information.
How to install LDAP in Ubuntu:
Step 1: Install the LDAP server with the help of the apt-get command
#apt-get update
#apt-get install slapd ldap-utils
Step 2: Enter the DNS domain name for your LDAP directory
Step 3: Give the organization name
Step 4: Give a password for the admin account
Step 5: Re-enter the admin password
Step 6: Select the Berkeley database (BDB).
Note: We can choose MDB also.
Step 7: Give No (prompt: "Do you want the database to be removed when slapd is purged?")
Step 8: Give Yes (prompt: "Move old database?")
Step 9: Give No (prompt: "Allow LDAPv2 protocol?")
Note: We can reconfigure the LDAP package at any time with the command
"dpkg-reconfigure slapd".
How to install the LDAP admin tool in Ubuntu:
Step 1: Install PHPldapadmin in Ubuntu using apt-get command
#apt-get install phpldapadmin
Step 2: Open the configuration file
#vi /etc/phpldapadmin/config.php
Step 3: Search for the line "$servers->setValue('server','host','127.0.0.1');" and
replace the localhost IP with your LDAP server's IP.
$servers->setValue('server','host','10.0.124.53');
Step 4: Search for the line
"$servers->setValue('server','base',array('dc=example,dc=com'));" and replace
example.com with your LDAP server's domain.
$servers->setValue('server','base',array('dc=coretesting,dc=com'));
Step 5: The next value to modify will use the same domain components that you
just set up in the last entry. Add these after the "cn=admin" in the entry below
Before: $servers->setValue('login','bind_id','cn=admin,dc=example,dc=com');
After: $servers->setValue('login','bind_id','cn=admin,dc=coretesting,dc=com');
Step 6: Search for the following section about the "hide_template_warning"
attribute. Uncomment this line and set the value to "true" to suppress some
unimportant warnings.
$config->custom->appearance['hide_template_warning'] = true;
Step 7: Save and close the file.
How to log in to the web interface of the LDAP client:
Step 1: You can access it by entering your domain name or IP address followed by
"/phpldapadmin" in your web browser.
Step 2: Click on the "login" link on the left-hand side. You will receive a login
prompt. The correct Login DN (distinguished name) should be pre-populated if
you have configured PHPldapadmin correctly. In our case, this would be
"cn=admin,dc=coretesting,dc=com".
Step 3: Enter the password to log in. You will see your root domain listed on the
left-hand side.
How to create LDIF data for adding groups and users for root
domain:
Step 1: Create an ldif file in Ubuntu and add the following data for adding groups
and users. Note that entries in an LDIF file are separated by a blank line.
#vi ldap.ldif
dn: cn=group,dc=coretesting,dc=com
objectClass: groupOfNames
cn: group
member: cn=megarac,dc=coretesting,dc=com

dn: cn=megarac,dc=coretesting,dc=com
objectClass: uidObject
objectClass: top
objectClass: person
cn: megarac
sn: megarac
uid: megarac
userPassword: megarac
With this ldif data, one group named "group" and one user named "megarac"
will be added in the domain coretesting.com. The userPassword value is stored
exactly as given here, i.e. in clear text; outside a lab setup, generate a hashed
value with slappasswd and paste its {SSHA} output instead.
Step 2: After saving the ldif file, run the command below in the Ubuntu command
line:
#ldapadd -x -D cn=admin,dc=coretesting,dc=com -W -f ldap.ldif
This will add the entries to the LDAP tree. You can check this in the phpldapadmin
client.
How to test LDAP in BMC (without encryption):
Step 1: Log in to the BMC, go to Settings > External User Services >
LDAP/E-directory Settings > General Settings and configure as below:
Step 2: Log in to the BMC, go to Settings > External User Services >
LDAP/E-directory Settings > Role Groups and configure as below:
Step 3: Log out from the admin user and log in using our LDAP user "megarac".
How to configure SSL and STARTTLS in Ubuntu:
Step 1: Install the following package in Ubuntu
#apt-get install gnutls-bin
Step 2: Next, create a private key for the certificate authority (CA) that will sign
the server certificate.
#certtool --generate-privkey > /etc/ssl/private/cakey.pem
Step 3: Then create a template file (/etc/ssl/ca.info) to assist in creating the
self-signed CA
#vi /etc/ssl/ca.info
cn = ami
ca
cert_signing_key
Step 4: Now generate the self-signed CA certificate from that key
#certtool --generate-self-signed --load-privkey /etc/ssl/private/cakey.pem \
  --template /etc/ssl/ca.info --outfile /etc/ssl/certs/cacert.pem
Step 5: Now create the private key for slapd; it will be signed with the generated
CA in Step 7
#certtool --generate-privkey --outfile /etc/ssl/private/slapd01_key.pem
#certtool --generate-privkey --outfile /etc/ssl/private/slapd01_key.pem
Step 6: Create a template file (/etc/ssl/slapd01.info)
#vi /etc/ssl/slapd01.info
organization = AMI
cn = 10.0.124.53
tls_www_server
encryption_key
signing_key
expiration_days = 3650
Step 7: Create a certificate and sign it with the previously created CA
#certtool --generate-certificate --load-privkey /etc/ssl/private/slapd01_key.pem \
  --load-ca-certificate /etc/ssl/certs/cacert.pem \
  --load-ca-privkey /etc/ssl/private/cakey.pem \
  --template /etc/ssl/slapd01.info --outfile /etc/ssl/certs/slapd01.pem
Step 8: Update the private key's permissions to make it readable by the system's
ssl-cert group.
# chown :ssl-cert /etc/ssl/private/slapd01_key.pem
# chmod 640 /etc/ssl/private/slapd01_key.pem
Step 9: We need to add the openldap user to the ssl-cert group so slapd can read
the private key
# usermod -aG ssl-cert openldap
Step 10: Restart the slapd daemon
#/etc/init.d/slapd restart
Step 11: Now we need to tell slapd about the created SSL certificate; for that,
create an LDIF file as below (/etc/ssl/certinfo.ldif)
#vi /etc/ssl/certinfo.ldif
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/slapd01.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/slapd01_key.pem
Step 12: Now apply it to the LDAP configuration
#ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ssl/certinfo.ldif
Step 13: Now enable SSL in /etc/default/slapd as below (add the ldaps:/// entry
to the existing list)
#vi /etc/default/slapd
SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"
Step 14: Restart the slapd daemon
#/etc/init.d/slapd restart
How to test LDAP in BMC (with encryption):
SSL:
Step 1: Enable SSL and enter 636 as the port number; leave the other settings
unchanged.
Step 2: Login using LDAP user “megarac”.
STARTTLS:
Step 1: Download the certificate files from the Ubuntu LDAP server
a. cacert.pem from /etc/ssl/certs/
b. slapd01.pem from /etc/ssl/certs/
c. slapd01_key.pem from /etc/ssl/private/
Step 2: Copy those files to your client machine. Log in to the BMC from your client
machine.
Step 3: Enable STARTTLS, change the port number to 389 and upload the copied
certificate files from your client machine. Other settings can remain unchanged.
Step 4: Log in using our LDAP user "megarac".
Note: To make STARTTLS work with FQDN, provide the "Fully Qualified Domain Name"
as the common name while generating the certificates in Step 6. Repeat Step 2 to
Step 10 to generate the certificates with the FQDN, with the only change in Step 6
as:
#vi /etc/ssl/slapd01.info
organization = AMI
cn = ldap.m.t.i.co.in
tls_www_server
encryption_key
signing_key
expiration_days = 3650
Here "ldap" is the host name of the LDAP server and "m.t.i.co.in" is its domain
name, i.e. the LDAP server has been registered in the domain "m.t.i.co.in", so the
FQDN of the LDAP server is "ldap.m.t.i.co.in".
On the BMC side, we need to select the FQDN option for STARTTLS and provide the
LDAP server's FQDN.
To check the STARTTLS connection from the client side, copy the CA certificate to
/etc/ssl/certs/ on the client and set the certificate path in the client file
"/etc/ldap/ldap.conf":
#vi /etc/ldap/ldap.conf
TLS_CACERT /etc/ssl/certs/cacert.pem
Then execute the command below to verify the connection (-ZZ makes ldapsearch
issue STARTTLS and fail if it cannot be negotiated; the server name in the URL
must match the certificate's common name):
#ldapsearch -H ldap://ldap.m.t.i.co.in -D 'cn=admin,dc=coretesting,dc=com' -W \
  -b 'dc=coretesting,dc=com' '(objectclass=*)' -ZZ
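The reason the note above insists on the FQDN as common name is the host-name check every TLS client performs. The following is an added example, not part of the original document: it models that check on certificates built from the two slapd01.info templates in this guide (the dict layout and the wildcard rule are assumptions, not the BMC's or GnuTLS's code).

```python
# Added example, not part of the original guide. It models the check a TLS
# client makes when STARTTLS is used with a FQDN: the host in the ldap:// URL
# is compared with the names in the server certificate, i.e. the subjectAltName
# DNS entries if the certificate has any, otherwise the subject commonName
# (GnuTLS, which ldap-utils use, falls back to the CN when there is no SAN).
# Certificates are dicts in the layout of ssl.SSLSocket.getpeercert(); nothing
# is connected to. Simplifications (assumptions): '*' is honoured only as the
# whole leftmost label, and the CN is compared as a plain string even when it
# holds an IP literal.

def cert_names(cert):
    """Names the URL host may be matched against: SAN DNS entries, else the CN."""
    san = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        return san
    return [value for rdn in cert.get("subject", ())
            for kind, value in rdn if kind == "commonName"]

def name_matches(pattern, host):
    """Case-insensitive comparison; '*.' may replace only the leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        labels = host.split(".", 1)          # ["ldap", "m.t.i.co.in"]
        return len(labels) == 2 and labels[1] == pattern[2:]
    return False

def host_matches_cert(host, cert):
    """True if the host used in the ldap:// URL is covered by the certificate."""
    return any(name_matches(name, host) for name in cert_names(cert))

# Constructed certificates mirroring the two slapd01.info templates in this
# guide: one with cn = 10.0.124.53 (Step 6) and one with the FQDN as cn (note).
CERT_IP_CN = {"subject": ((("organizationName", "AMI"),),
                          (("commonName", "10.0.124.53"),))}
CERT_FQDN_CN = {"subject": ((("organizationName", "AMI"),),
                            (("commonName", "ldap.m.t.i.co.in"),))}

if __name__ == "__main__":
    for host in ("10.0.124.53", "ldap.m.t.i.co.in"):
        print(host, "IP cert:", host_matches_cert(host, CERT_IP_CN),
              "FQDN cert:", host_matches_cert(host, CERT_FQDN_CN))
```

With the Step 6 certificate a client that connects to ldap://ldap.m.t.i.co.in is refused, while the FQDN certificate satisfies it; a certificate that carries a subjectAltName is judged on the SAN alone, so the CN no longer rescues a mismatch.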
How to use the uid attribute in LDAP:
Step 1: Open the file "/etc/ldap/slapd.d/cn=config/olcDatabase={1}bdb.ldif"
({1}mdb.ldif if MDB was chosen in Step 6) and change the olcRootDN attribute to
use uid. Stop slapd before editing a file under slapd.d by hand; slapd reads
these files only at startup.
#vi /etc/ldap/slapd.d/cn=config/olcDatabase={1}bdb.ldif
olcRootDN: uid=admin,dc=coretesting,dc=com
Step 2: Restart the slapd daemon.
#/etc/init.d/slapd restart
Now we can log in to the phpldapadmin client as admin with either attribute, uid
or cn.
Step 3: Now create an ldif file for adding a group and a user with the uid
attribute. Each entry must carry the attribute used in its RDN, so the group entry
needs a "uid: groups" line (uidObject also requires it), and the two entries are
separated by a blank line.
#vi uid.ldif
dn: uid=groups,dc=coretesting,dc=com
objectClass: groupOfNames
objectClass: uidObject
cn: groups
uid: groups
member: uid=testing,dc=coretesting,dc=com

dn: uid=testing,dc=coretesting,dc=com
objectClass: uidObject
objectClass: top
objectClass: person
cn: testing
sn: testing
uid: testing
userPassword: testing
Step 4: Save this file and add it to LDAP.
# ldapadd -x -D uid=admin,dc=coretesting,dc=com -W -f uid.ldif
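Both ldif files in this guide (ldap.ldif above and uid.ldif here) are rejected by slapd with a terse error when an entry lacks its RDN attribute, lacks a MUST attribute of one of its object classes, or runs into the next entry without a blank line. The checker below is an added example, not part of the original document; its table of MUST attributes is an assumption limited to the object classes this guide uses.

```python
# Added example, not part of the original guide: a small checker for the LDIF
# files fed to ldapadd in this guide. It reports what slapd rejects at add time:
# a second "dn:" with no blank line before it, an RDN attribute (e.g. "uid" for
# "uid=groups,...") missing from the entry, and a missing MUST attribute.
# The MUST table is limited to the object classes this guide uses (assumption).
MUST = {"person": {"cn", "sn"}, "uidObject": {"uid"}, "groupOfNames": {"cn", "member"}}

def parse_ldif(text):
    """Split LDIF text into a list of (dn, {attribute: [values]}) entries."""
    entries, attrs, dn = [], {}, None
    for line in [l.rstrip() for l in text.splitlines()] + [""]:
        if not line:                             # a blank line closes the entry
            if dn is not None:
                entries.append((dn, attrs))
            attrs, dn = {}, None
        elif not line.startswith("#"):           # comment lines are ignored
            key, _, value = (part.strip() for part in line.partition(":"))
            if key != "dn":
                attrs.setdefault(key, []).append(value)
            elif dn is None:
                dn = value
            else:                                # two dn lines in one entry
                raise ValueError("missing blank line before 'dn: %s'" % value)
    return entries

def check_entry(dn, attrs):
    """Return the problems found in one entry; an empty list means it is OK."""
    problems = []
    rdn_attr, _, rdn_value = dn.split(",", 1)[0].partition("=")
    if rdn_value not in attrs.get(rdn_attr, []):
        problems.append("naming attribute '%s' is not present in entry" % rdn_attr)
    for oc in attrs.get("objectClass", []):
        for must in MUST.get(oc, set()):
            if must not in attrs:
                problems.append("objectClass %s requires '%s'" % (oc, must))
    return problems

def check_ldif(text):
    """Map each faulty dn to its problems; {} means the file is ready for ldapadd."""
    return {dn: p for dn, a in parse_ldif(text) if (p := check_entry(dn, a))}

# Constructed sample: the group entry of uid.ldif written without its
# "uid: groups" line, which both the uid= RDN and uidObject require.
BAD_GROUP = """dn: uid=groups,dc=coretesting,dc=com
objectClass: groupOfNames
objectClass: uidObject
cn: groups
member: uid=testing,dc=coretesting,dc=com
"""
```

Run check_ldif on a file before ldapadd; it needs no server, so a broken file is caught before an interactive bind prompt and a partial add of the leading entries.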
How to check LDAP in BMC with the UID attribute:
Step 1: Log in to the BMC, go to Settings > External User Services >
LDAP/E-directory Settings > General Settings and configure as below:
Step 2: Add the role group as follows:
Step 3: Log in to the BMC using our LDAP user "testing".