Friday, 12 March 2010

HOWTO: LDAP Server on 8.04 Hardy Heron

So, I've been playing around with LDAP and I have finally got it working. There are lots of howtos out there but none of them worked for me.

NOTE: For an up-to-date howto for 10.04 Lucid Lynx see this article

So, here we go!

PLATFORM:
* Ubuntu Server 8.04 LTS (Hardy)

PREREQUISITES:
* Working DNS with FQDNs.
* An NFS server exporting the users' home directories.

Network overview;
* domain name: example.com
* ldap-server ldap.example.com

Install The Packages

apt-get install slapd ldap-utils migrationtools

For some reason the install process doesn't ask you all of the necessary questions so when it is done we must reconfigure slapd.

dpkg-reconfigure slapd

It will ask you a bunch of questions

Omit OpenLDAP server configuration? No
DNS domain name: example.com
Name of your organization: Example Corp
Admin Password: password
Confirm Password: password
Database Type: HDB
Do you want your database to be removed when slapd is purged? ... No
Move old database? ... Yes
Allow LDAPv2 Protocol? ... No

Note: During this process, I will use "password" for simplicity's sake. This is fine for setting up a test network for educational purposes, but if you intend to use this in production then you should obviously choose a more appropriate password.

Oh, also, make sure you DON'T FORGET IT! You will need it later.

You can now check if you can access your ldap server by typing:

ldapsearch -x -b dc=example,dc=com

Installing phpldapadmin

apt-get install phpldapadmin
ln -s /usr/share/phpldapadmin/ /var/www/phpldapadmin


Increase php memory limit

vi /etc/php5/apache2/php.ini

Find this line and change the memory limit to 64M;

memory_limit = 64M ; Maximum amount of memory a script may consume (16MB)

Restart apache;

/etc/init.d/apache2 restart

You can then browse to http://ldap.example.com/phpldapadmin

and log in using admin:password

Once you have logged in, expand the tree & you should see something like this;

+--> dc=example,dc=com (1)
---> cn=admin
---> Create new entry here


Lets add some users and groups;

cd /usr/share/migrationtools/

We need to create the default migrationtools config file "migrate_common.ph"

vi migrate_common.ph

and add the following parameters:

$DEFAULT_MAIL_DOMAIN = "example.com";
$DEFAULT_BASE = "dc=example,dc=com";


Create an ldif file with the details for our ou entries

vi ~/usergroup.ldif

dn: ou=users, dc=example, dc=com
ou: users
objectclass: organizationalUnit

dn: ou=groups, dc=example, dc=com
ou: groups
objectclass: organizationalUnit

Note: If you cut and paste from this guide, ensure that there are no whitespace characters at the end of the file.

Now that the user and group info is saved in your file, we can add it to the LDAP server.

ldapadd -x -W -D "cn=admin,dc=example,dc=com" -f ~/usergroup.ldif

Possible errors;
ldap_add: Invalid syntax (21)
additional info: objectclass: value #0 invalid per syntax


Probable cause;
If you copy/pasted the above, check for whitespace at the end of the usergroup.ldif file. You will also need to remove the first entry (the ou=users stanza) if it has already gone through, or you will get "already exists" and ldapadd will halt before reaching the second entry.

ldap_add: Server is unwilling to perform (53)
additional info: no global superior knowledge


Probable cause;
You have used incorrect domain details. Make sure the uri setting in /etc/ldap.conf is correct and that the server is pingable.
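The two failures above (trailing whitespace breaking the objectclass value, and a re-run halting on "already exists") are both easy to avoid from the command line. Here is an added example, not part of the original post, that generates the ou=users / ou=groups LDIF itself, checks it for trailing whitespace before it goes anywhere near ldapadd, and adds each ou only if it is not already in the directory. It assumes the server answers on ldap://localhost (override with LDAP_URI) and reads the admin password from a file named in LDAP_ADMIN_PWFILE, which keeps the password out of the process list; the offline part (build and validate the file) runs without a server at all.

```shell
#!/bin/sh
# Added example (not from the original post): build the ou entries as LDIF,
# validate them, and add them idempotently. Assumptions: LDAP_URI (default
# ldap://localhost) and LDAP_ADMIN_PWFILE (file holding the cn=admin password).

BASE_DN="dc=example,dc=com"
ADMIN_DN="cn=admin,${BASE_DN}"
LDAP_URI="${LDAP_URI:-ldap://localhost}"

# Print one organizationalUnit entry in LDIF; the blank line separates entries.
ou_ldif() {
    printf 'dn: ou=%s,%s\nou: %s\nobjectClass: organizationalUnit\n\n' "$1" "$BASE_DN" "$1"
}

# Return 0 if no line in the file ends in a space or tab, 1 otherwise.
# "objectclass: value #0 invalid per syntax" is what slapd says when a pasted
# objectClass value carries an invisible trailing space.
ldif_clean() {
    ! grep -q '[[:space:]]$' "$1"
}

# Count the entries (dn: lines) in an LDIF file.
ldif_entry_count() {
    grep -c '^dn:' "$1"
}

# Return 0 if the DN exists, 1 if not. Anonymous base-scope search asking for
# no attributes (1.1): a hit still prints the dn line, a miss prints nothing.
ldap_entry_exists() {
    ldapsearch -x -H "$LDAP_URI" -b "$1" -s base '(objectClass=*)' 1.1 2>/dev/null \
        | grep -q '^dn:'
}

# Add each ou that is not already present, so a second run does not halt on
# "already exists" before reaching the second entry.
add_ous() {
    for ou in users groups; do
        dn="ou=${ou},${BASE_DN}"
        if ldap_entry_exists "$dn"; then
            echo "skip: $dn already exists"
        else
            ou_ldif "$ou" | ldapadd -x -H "$LDAP_URI" -D "$ADMIN_DN" -y "$LDAP_ADMIN_PWFILE"
        fi
    done
}

# Offline part: write the file the guide calls usergroup.ldif and validate it.
LDIF="${TMPDIR:-/tmp}/usergroup.ldif"
{ ou_ldif users; ou_ldif groups; } > "$LDIF"
ldif_clean "$LDIF" || { echo "trailing whitespace in $LDIF" >&2; exit 1; }

# Online part: only when the password file is set and the client tools exist.
if [ -n "${LDAP_ADMIN_PWFILE:-}" ] && command -v ldapadd >/dev/null 2>&1; then
    add_ous
fi
```

Run it as `LDAP_ADMIN_PWFILE=/root/.ldappw sh add-ous.sh`; without that variable it only writes and checks the LDIF, which is a handy way to inspect exactly what will be sent.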

Now, if you hit "refresh" in the phpldapadmin GUI, you should see that your Users and Groups ou's are there.

Of course you could have added those ou's using the clickety-clickety GUI as well, but I just wanted to show how stuff can be added via the command line. Yes, yes, I know, I'm a cruel bastard.

So now we want to add a new test user to the ldap tree using the phpldapadmin gui, but first we need to create a group called "users" in the Groups ou.

Click on the Groups ou and click "Create a child entry". Select "Posix Group".

Call the group "users" with Group ID 100. Click "Save Changes" when done.

Next, create a user in the Users ou with the following details;

User: fred
Group: users
Password: password
Encryption: crypt


Note: When I do this, the drop-down box does not list /bin/bash as an option for loginShell. If you click "Save" you get a second screen where it is possible to alter the loginShell parameter to use /bin/bash. This is less of an issue if your users just use GDM. I use crypt instead of md5. You can use md5 if you prefer, but remember to change the encryption type when setting up client hosts to match.
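If the loginShell drop-down gets in your way, the same group and user can be created from LDIF, where you set loginShell and the password hash scheme explicitly. The following is an added example and not part of the original post: it writes the "users" posixGroup (GID 100, as above) and a posixAccount for fred with /bin/bash and a crypt-hashed password, then leaves you one ldapadd away from the same result as the GUI. It assumes uidNumber 1001 for fred, home directories under /home (the NFS export), and slappasswd from the slapd package; if slappasswd is missing it emits a clearly labelled placeholder so the LDIF can still be inspected.

```shell
#!/bin/sh
# Added example (not from the original post): group + user LDIF with the
# shell and password scheme chosen on the command line. Assumptions: uidNumber
# 1001, homes under /home, slappasswd available for hashing.

BASE_DN="dc=example,dc=com"

# Hash a password for userPassword. The scheme must match what the client
# hosts are configured for (the guide uses CRYPT; MD5 is the other choice).
# -s takes the password as an argument for the demo; without -s slappasswd
# prompts interactively, which keeps the password out of the process list.
hash_password() {
    scheme="$1"; password="$2"
    if command -v slappasswd >/dev/null 2>&1; then
        slappasswd -h "{$scheme}" -s "$password"
    else
        echo "{$scheme}PLACEHOLDER_HASH"   # labelled placeholder, not a real hash
    fi
}

# posixGroup entry. Arguments: group name, gidNumber.
group_ldif() {
    printf 'dn: cn=%s,ou=groups,%s\ncn: %s\nobjectClass: posixGroup\ngidNumber: %s\n\n' \
        "$1" "$BASE_DN" "$1" "$2"
}

# posixAccount entry. Arguments: uid, uidNumber, gidNumber, hashed password.
# inetOrgPerson is the structural class; posixAccount adds the NSS attributes.
user_ldif() {
    cat <<EOF
dn: uid=$1,ou=users,$BASE_DN
uid: $1
cn: $1
sn: $1
objectClass: inetOrgPerson
objectClass: posixAccount
uidNumber: $2
gidNumber: $3
homeDirectory: /home/$1
loginShell: /bin/bash
userPassword: $4

EOF
}

# Pull one attribute's value out of LDIF text on stdin (first occurrence).
ldif_attr() {
    sed -n "s/^$1: //p" | head -n 1
}

# Build the file: group first, because the user refers to its gidNumber.
LDIF="${TMPDIR:-/tmp}/fred.ldif"
{
    group_ldif users 100
    user_ldif fred 1001 100 "$(hash_password CRYPT password)"
} > "$LDIF"
echo "wrote $LDIF; load it with:"
echo "  ldapadd -x -D cn=admin,$BASE_DN -W -f $LDIF"
```

After loading, `ldapsearch -x -b "uid=fred,ou=users,dc=example,dc=com" loginShell` should return /bin/bash, and `getent passwd fred` on a configured client will show the same shell and home directory.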

Well, assuming everything is working up to this point, the server is ready to authenticate your users.

Let's go on and set up a client on Hardy or Lucid

1 comment:

Anonymous said...

Thank you Brett, I had a hard time installing LDAP. This would help me.
Please visit: http://starksolutions.blogspot.com/