Monday, 21 June 2010

HOWTO: LDAP Server on 10.04 Lucid Lynx

In my previous LDAP server howto we used 8.04 Hardy Heron. Things have changed quite a bit since then, so I have updated my procedure. Most of this is ajust a reproduction of the Ubuntu Doc's page for LDAP (See references at the end of the article for a link)

* Ubuntu Server 10.04 LTS (Lucid)

* A standard vanilla Ubuntu 10.04 server install.
* An NFS server exporting the users home directorys

Network overview;
* domain name:
* ldap-server

Install The Packages

We want to install the OpenLDAP server daemon slapd and ldap-utils, a package containing LDAP management utilities:

sudo apt-get install slapd ldap-utils
By default slapd is configured with minimal options needed to run the slapd daemon.

The configuration example in the following sections will match the domain name of the server. For example, if the machine's Fully Qualified Domain Name (FQDN) is, the default suffix will be dc=example,dc=com.

Populating the server
OpenLDAP uses a separate directory which contains the cn=config Directory Information Tree (DIT). The cn=config DIT is used to dynamically configure the slapd daemon, allowing the modification of schema definitions, indexes, ACLs, etc without stopping the service.

The backend cn=config directory has only a minimal configuration and will need additional configuration options in order to populate the frontend directory. The frontend will be populated with a "classical" scheme that will be compatible with address book applications and with Unix Posix accounts. Posix accounts will allow authentication to various applications, such as web applications, email Mail Transfer Agent (MTA) applications, etc.

* For external applications to authenticate using LDAP they will each need to be specifically configured to do so. Refer to the individual application documentation for details.

* Remember to change dc=example,dc=com in the following examples to match your LDAP configuration.

First, some additional schema files need to be loaded. In a terminal enter:

sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif

Next, create an LDIF file

vi ~/backend.ldif

With the following contents;

# Load dynamic backend modules
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib/ldap
olcModuleload: back_hdb

# Database settings
dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcSuffix: dc=tuxnetworks,dc=com
olcDbDirectory: /var/lib/ldap
olcRootDN: cn=admin,dc=tuxnetworks,dc=com
olcRootPW: mypassword
olcDbConfig: set_cachesize 0 2097152 0
olcDbConfig: set_lk_max_objects 1500
olcDbConfig: set_lk_max_locks 1500
olcDbConfig: set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcLastMod: TRUE
olcDbCheckpoint: 512 30
olcAccess: to attrs=userPassword by dn="cn=admin,dc=tuxnetworks,dc=com" write by anonymous auth by self write by * none
olcAccess: to attrs=shadowLastChange by self write by * read
olcAccess: to dn.base="" by * read
olcAccess: to * by dn="cn=admin,dc=tuxnetworks,dc=com" write by * read

* Change olcRootPW: mypassword to a password of your choosing.

* Change dc=example,dc=com to suit your own domain details.

Now add the LDIF to the directory:

sudo ldapadd -Y EXTERNAL -H ldapi:/// -f backend.ldif

The frontend directory is now ready to be populated. Create a frontend.ldif file

vi ~/frontend.ldif

Enter the following contents, once again making the necessary changes to suit your own network:

# Create top-level object in domain
dn: dc=tuxnetworks,dc=com
objectClass: top
objectClass: dcObject
objectclass: organization
o: Tuxnetworks
dc: Tuxnetworks
description: LDAP Server

# Admin user.
dn: cn=admin,dc=tuxnetworks,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword: mypassword

dn: ou=people,dc=tuxnetworks,dc=com
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=tuxnetworks,dc=com
objectClass: organizationalUnit
ou: groups

dn: uid=brettg,ou=people,dc=tuxnetworks,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: brettg
sn: Glasson
givenName: Brett
cn: Brett Glasson
displayName: Brett Glasson
uidNumber: 1000
gidNumber: 10000
userPassword: mypassword
gecos: Brett Glasson
loginShell: /bin/bash
homeDirectory: /home/brettg
shadowExpire: -1
shadowFlag: 0
shadowWarning: 7
shadowMin: 8
shadowMax: 999999
shadowLastChange: 10877
postalCode: 31000
l: Melbourne
o: tuxnetworks
mobile: +33 (0)6 xx xx xx xx
homePhone: +33 (0)5 xx xx xx xx
title: System Administrator
initials: BG

dn: cn=users,ou=groups,dc=tuxnetworks,dc=com
objectClass: posixGroup
cn: users
gidNumber: 10000

In this example the directory structure, a user, and a group have been setup. In other examples you might see the objectClass: top added in every entry, but that is the default behaviour so you do not have to add it explicitly.

Add the entries to the LDAP directory:

sudo ldapadd -x -D cn=admin,dc=tuxnetworks,dc=com -W -f frontend.ldif

We can check that the content has been correctly added with the ldapsearch utility. Execute a search of the LDAP directory:

ldapsearch -xLLL -b "dc=tuxnetworks,dc=com" uid=brettg sn givenName cn

Which should return something like this;

dn: uid=brettg,ou=people,dc=,dc=com
cn: Brett Glasson
sn: Glasson
givenName: Brett

Next, you should go ahead and install phpLDAPadmin, add Samba support or configure a client

Ubuntu Docs


Einstein said...

Thanks! Finally got a simple ldap address book up and running on Lucid after following many broken howtos today and yesterday. led me to a working install of phpmyadmin as well.
Thanks again. Your efforts are much appreciated over here.
- Dennis

Brett said...

Thanks for the feedback Dennis

risker said...

Why did you use .ldif instead of e.g. slapd.conf ? Did you just to this because you wanted it or what?

Brett said...

Apparently slapd.conf has been deprecated in favour of the new cn=config internal database method of storing configurations. I'm not sure why they did this and personally I would prefer to use standard text files however I didn't want to be learning to do this the "old" way so I bit the bullet and did it this way. Almost all of the howtos from which I assembled this post from used the cn=config database too.

Anonymous said...

Thanks alot !! Clearly explained how to configure ldap server. :) looking for more posts like this.

Anonymous said...

first of all very good post..:) But i have one doubt which is still not cleared.When i issue

sudo ldapadd -x -D cn=admin,dc=tuxnetworks,dc=com -W -f frontend.ldif

it gave the output ->
adding new entry "dc=tuxnetworks,dc=com" and few more..

I want to know where are all these values being stored.Like where can I see all the entries in the database?

mrahk said...

Nice tutorial, however there's something I don't understand.
It seems to work until phpldapadmin comes into sight.
If I use phpldapadmin and try to add more information (let's say more users), phpldapadmin starts complaining about being unable to get schema's. Addressbook clients also complain about being unable to retrieve things. But when I use the commandline I can retrieve what I want.
I don't understand what's wrong.
Do you have any clue about repairing schema's if needed or whatsoever to solve the problem?

Thanks for the tutorial.

mrahk said...

Never mind my previous comment.
I've found out what's wrong.
It appears that Webmin completely broke the install of the LDAP server. I've tried it again using the tutorial.
Good work!

neizlog said...

Hi, thanks for writing this great tutorial. I have some questions to ask about user management with LDAP:
1. Could we set the same guidNumber with the default gid in Ubuntu i.e. 1000?
2. How to assign extra groups for some users?

Thanks and sorry for my English :)

Anonymous said...

Many thanks for this a simple and forward HOWTO.
I am missing some explanations about error messages (nothing you could not find out on your own).
And I have two comments:
The line ldapadd -x -D "cn=admin,dc=tuxnetworks,dc=com" -W -f frontend.ldif is missing the quotes (at least for my computer) and you will encounter the error mesage:
ldap_add: Naming violation (64)
additional info: value of single-valued naming attribute 'dc' conflicts with value present in entry

if you name your (single valued, no .com) domain differently from the cn: entry in the frontend.ldif file.
This took me quite some time to discover.

And in my oppinion you should use slappasswd to generate the passwords (at least for the admin account in the backend.ldif).

rainexpected said...

Thanks -- worked wonderfully. One item of concern is that it seems as if anyone can, if they know my ldap server's url, connect and make changes. Is there some way to require authentication before access is granted?

J� said...

You are my new GOD! This tutorials about LDAP are excellent. After months of trying I have it in 5 minutes with help of theese tutorials.

Anonymous said...

Yeah it works in graphical mode!
I've got to change to 192.168.3/24 in the /etc/exports file
a little tutorial about the nfs server config would be usefull.

Anonymous said...

this tutorial is great. for almost 3 months I've been searching and followed so many tutorials. Which is difficult to understand and I always come to a dead end wherein I can not execute or encounter some problems. But this one definitely done the impossible. two thumbs up