LDAP Server

Linux LDAP Server

A couple of days ago a visitor searched this website for LDAP and found nothing, which prompted me to write a post about the LDAP server, fill that gap and bring the content readers are looking for.

Our main points are:

What is LDAP?

Uses of LDAP

LDAP Server Implementations

Installing OpenLDAP

Configuring LDAP

LDAP Terminology

Modifying Entries

Adding Entries

Adding Organizational Units

Adding Users

Adding Groups

Deleting Entries

LDAP Port

Authenticating Users with LDAP

Using phpldapadmin

What is LDAP?

Linux keeps its registered users in the /etc/passwd file, so to log in to a machine you must have a user defined in that file. That works for one or a few machines, but what if you have hundreds or thousands? How would you handle routine user-management tasks such as password changes, or administrative tasks such as closing the account of someone who has left the company, or creating a new account? Visiting every machine to do it would be a nightmare. In that case we need a centralized user account management system: a database that keeps all the information related to user accounts.

The most used solution for this problem is the Lightweight Directory Access Protocol (LDAP).

LDAP follows the usual client/server model: a client connects to the server, binds (authenticates, possibly anonymously) and then sends operations such as search, add, modify and delete, and the server returns the results.

Uses of LDAP

LDAP not only keeps a list of users, but it is a central database in which users, computers, and, generally all network objects are stored and maintained.

LDAP can be used as storage for various types of information such as plain textual information, images, binary data, or public key certificates and much more.

It can provide authentication and authorization services for users like the example we introduced about login management at the beginning.

Data normally kept in DNS records can also be stored in LDAP.

LDAP can be used as a yellow-pages directory for an organization, providing information about users or employees: departments, contact details, phone numbers, addresses and so on.

LDAP Server Implementations

LDAP is an open standard protocol, and many vendors provide their own implementation of it.

Commercial implementations include:

  • Microsoft Active Directory
  • Oracle Internet Directory
  • Oracle Unified Directory
  • IBM Security Directory Server
  • UnboundID Directory Server
  • NetIQ eDirectory or eDirectory
  • CA Directory or CA eTrust Directory

And free open source implementations like:

  • OpenLDAP
  • ForgeRock OpenDJ
  • Apache DS
  • 389 Directory Server

In this post we will use OpenLDAP, which is very common and well liked by the community.

OpenLDAP is an open source implementation of LDAP that runs on Linux/UNIX systems.

Installing OpenLDAP

To install OpenLDAP on CentOS/RHEL 6 or 7 you need the openldap, openldap-servers and openldap-clients packages:

$ yum -y install openldap openldap-servers openldap-clients

On Fedora and on CentOS/RHEL 8 or later the package manager is dnf (Dandified Yum). Note that Red Hat stopped shipping openldap-servers in the base repositories from RHEL 8 on (they recommend 389 Directory Server instead), so on those systems the server package has to come from a third-party repository:

$ dnf -y install openldap openldap-servers openldap-clients

On Debian-based systems such as Ubuntu the packages are called slapd and ldap-utils, and the configuration lives under /etc/ldap instead of /etc/openldap:

$ apt-get -y install slapd ldap-utils

Then enable the service so it starts automatically at boot, and start it now:

$ systemctl enable slapd

$ systemctl start slapd

Configuring LDAP

After installation, generate a hashed password for the directory administrator with the slappasswd command. It does not set anything by itself: it prompts for a password twice and prints a salted hash (by default {SSHA}) that you will paste into the configuration in the next section:

$ slappasswd

The configuration of OpenLDAP 2.4 lives in the /etc/openldap/slapd.d directory as LDIF files (the cn=config database). Do not edit these files with a text editor: each file carries a CRC32 checksum and slapd warns about hand-edited ones, and in any case the running server does not see changes made to the files. Always modify the configuration through the protocol itself, with the ldapmodify command.

LDAP Terminology

Since we are going to work with the LDAP protocol, there are a few terms we need to know because we will use them a lot.

Entry (or object): every unit stored in LDAP is an entry. Every entry has a distinguished name and one or more object classes.

dn: the distinguished name, the unique identifier of an entry, built from the entry's own name (the RDN) followed by the names of its parents, like a path written right to left.

objectClass: the type(s) of an entry; the object classes decide which attributes the entry must and may have.

o: organization name.

dc: domain component. For example, likegeeks.com is written like this: dc=likegeeks,dc=com

ou: organizational unit, a container used to group entries, for example ou=users.

cn: common name, such as a person's name or the name of some object.

Modifying Entries

OpenLDAP stores its data in a storage backend. For a long time the most used backends were the Berkeley DB ones, bdb and hdb, which is what CentOS 6 and 7 ship by default. Later 2.4 releases made mdb (LMDB) the recommended backend and OpenLDAP 2.5 removed bdb and hdb entirely, so on newer installations the database entry is named olcDatabase={1}mdb rather than olcDatabase={2}hdb; check the cn=config tree with ldapsearch before editing.

The configuration of the hdb backend is in the /etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif file.

LDIF (LDAP Data Interchange Format, RFC 2849) is the standard text format for representing directory entries and changes to them. It is what the LDAP client tools read when you add or modify entries and what they print when you export or search.

To uniquely identify an element we use the dn (distinguished name) attribute, so the first line of our LDIF file will be

dn: olcDatabase={2}hdb,cn=config

Then we specify what kind of change this record is (add, modify, delete or modrdn)

changetype: modify

For a modify, each modification states the operation (add, replace or delete) and the attribute it applies to; when one record contains several modifications they are separated by a line holding a single hyphen (-)

replace: olcSuffix

And finally we type the new value of the modified attribute

olcSuffix: dc=likegeeks,dc=local

Back to our file. We have to modify at least these two attributes, whose default values are

olcSuffix: dc=my-domain,dc=com

olcRootDN: cn=Manager,dc=my-domain,dc=com

We will set olcSuffix to dc=likegeeks,dc=local and olcRootDN to cn=admin,dc=likegeeks,dc=local, and we have to add a new attribute, olcRootPW, holding the hash we generated with the slappasswd command (never the clear-text password). olcRootDN is the directory administrator: it bypasses all access control on this database, so its password deserves the same care as root's.

So our LDIF file is one change record against that entry containing those three modifications: replace olcSuffix, replace olcRootDN and add olcRootPW, separated by hyphen lines.

The first line identifies the entry in cn=config that we are going to change. The file /etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif holds the entry whose dn attribute is olcDatabase={2}hdb, and because the file is inside the cn=config folder the full distinguished name is

dn: olcDatabase={2}hdb,cn=config

Then we save our file and use ldapmodify

$ ldapmodify -Y EXTERNAL -H ldapi:/// -f myfile.ldif


To check the changes, we can use the ldapsearch command.

$ ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcDatabase=\*


And yes the data has been changed.

Another tool we can use to check the configuration is the slaptest command. Run it after every configuration change and before restarting slapd, because a broken cn=config keeps the server from starting:

$ slaptest -u
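
As an added example that is not part of the original post, the following Python 3 script (standard library only) does the two things this section relies on: it reproduces the {SSHA} hash that slappasswd prints, so you can see what actually goes into olcRootPW and how slapd checks it on a bind, and it generates the complete change record described above, ready for ldapmodify. The suffix dc=likegeeks,dc=local, the admin DN cn=admin,dc=likegeeks,dc=local and the olcDatabase={2}hdb,cn=config entry come from this post; the function names and the getpass prompt are my own.

```python
import base64
import getpass
import hashlib
import hmac
import os
from typing import Optional, Tuple


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """{SSHA} as emitted by slappasswd: base64(SHA1(password || salt) || salt).
    slappasswd uses a 4-byte random salt, so that is the default here."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_parse(stored: str) -> Tuple[bytes, bytes]:
    """Split a {SSHA} value into (digest, salt); SHA-1 digests are 20 bytes, the rest is salt."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    if len(raw) < 20:
        raise ValueError("truncated {SSHA} value")
    return raw[:20], raw[20:]


def ssha_verify(password: str, stored: str) -> bool:
    """What slapd does on a simple bind: re-hash with the stored salt and compare."""
    digest, salt = ssha_parse(stored)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


def config_modify_ldif(suffix: str, root_dn: str, root_pw_hash: str,
                       database_dn: str = "olcDatabase={2}hdb,cn=config") -> str:
    """The change record described above: one 'changetype: modify' carrying three
    modifications separated by '-' lines. On installs that use the mdb backend pass
    database_dn='olcDatabase={1}mdb,cn=config' (whatever ldapsearch shows under cn=config)."""
    if not root_pw_hash.startswith("{"):
        # olcRootPW accepts clear text, but it would then sit unhashed in the config database
        raise ValueError("olcRootPW should be a hashed value such as the {SSHA} output of slappasswd")
    return "\n".join([
        f"dn: {database_dn}",
        "changetype: modify",
        "replace: olcSuffix",
        f"olcSuffix: {suffix}",
        "-",
        "replace: olcRootDN",
        f"olcRootDN: {root_dn}",
        "-",
        "add: olcRootPW",
        f"olcRootPW: {root_pw_hash}",
        "",
    ])


if __name__ == "__main__":
    # Prompt rather than take the password as an argument so it never lands in shell history.
    pw_hash = ssha_hash(getpass.getpass("New directory admin password: "))
    print(config_modify_ldif("dc=likegeeks,dc=local", "cn=admin,dc=likegeeks,dc=local", pw_hash))
```

Redirect the output to a file and feed it to ldapmodify -Y EXTERNAL -H ldapi:/// -f as root; because it is a single modify operation, either all three attributes change or none of them do. If you run it a second time, change add: olcRootPW to replace: olcRootPW, since add fails once the attribute already exists.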

Adding Entries

We can use the ldapadd command to add entries from an LDIF file.

First we create our LDIF file for the base entry, the top of our tree (dn: dc=likegeeks,dc=local).

In it we specify a series of attributes, such as the distinguished name (dn), the domain component (dc: likegeeks) and the organization (o: likegeeks). We also define the new entry as an object of the types dcObject and organization.

Depending on the type of object we are creating, there are a series of attributes that can be optional or required.

There is an easy way to know which attributes must be defined when adding an object of a given type, for example organization: check the schema.

On CentOS 6 the loaded schemas are in /etc/openldap/slapd.d/cn=config/cn=schema (as LDIF files).

On CentOS 7 the original schema files are in /etc/openldap/schema.

Or you can use grep on those directories to find which .schema file defines the object class you are interested in.

The organization object class in our example is in the cn={1}core.ldif file on CentOS 6 or the core.schema file on CentOS 7. Its definition lists o under MUST and everything else (description, telephoneNumber, postalAddress and so on) under MAY.

As we can see, the only required attribute is o, the organization.

Now we can use the ldapadd command to add our object, binding as the directory administrator we set in olcRootDN

$ ldapadd -x -f myobj.ldif -D cn=admin,dc=likegeeks,dc=local -W

We specify the file with -f, a simple (password) bind with -x, the bind DN with -D, and -W to be prompted for the password. You could also pass it with -w mypass, but that leaves the admin password in your shell history and visible to every user in the process list, so prefer -W.

You can check that the entry was created with the ldapsearch command

$ ldapsearch -x -b dc=likegeeks,dc=local

Note that this search works without binding as anyone. If no olcAccess rules are set on the database, which is the case on a fresh CentOS install, OpenLDAP falls back to its built-in default of access to * by * read, so anonymous clients can read every attribute, including the userPassword hashes once we add users. Before loading real accounts, add olcAccess rules to the database entry that at least restrict userPassword to self write, anonymous auth and nobody else.

Adding Organizational Units

You can add an organizational unit (ou) called users in which to store all LDAP users. To do so, we create a new LDIF file named users.ldif with an entry whose dn is ou=users,dc=likegeeks,dc=local, with objectClass organizationalUnit and the attribute ou: users (ou is the only required attribute of that class).

Then we use ldapadd to add the unit

$ ldapadd -x -f users.ldif -D cn=admin,dc=likegeeks,dc=local -W

Adding Users

We can add users to the newly created organizational unit.

First we create our LDIF file, adam.ldif, with an entry under ou=users (dn: cn=adam,ou=users,dc=likegeeks,dc=local) and the attributes its object classes require; a person-type class such as inetOrgPerson needs at least cn and sn.

Then we add the user with the ldapadd command

$ ldapadd -x -f adam.ldif -D cn=admin,dc=likegeeks,dc=local -W

Adding Groups

Again we create the LDIF file first. A POSIX group is an entry of objectClass posixGroup, which requires cn and gidNumber; its members are listed with one memberUid attribute per user.

Then we run ldapadd to add the group

$ ldapadd -x -f groups.ldif -D cn=admin,dc=likegeeks,dc=local -W

Deleting Entries

Deleting an entry is very easy: use the ldapdelete command with the full dn of the entry you want to remove (the entry must have no children, otherwise the server refuses)

$ ldapdelete -x "cn=adam,ou=users,dc=likegeeks,dc=local" -D cn=admin,dc=likegeeks,dc=local -W

You can check if the entry is deleted using ldapsearch

$ ldapsearch -x -b "dc=likegeeks,dc=local"

LDAP Port

LDAP listens on TCP port 389. Port 636 is LDAPS (ldaps://), where the connection is TLS from the first byte; TLS can also be negotiated on port 389 with the StartTLS extended operation (ldap:// plus the -Z option of the OpenLDAP client tools). On CentOS the default slapd only listens on 389 and on the local ldapi socket; ldaps:/// has to be added to SLAPD_URLS in /etc/sysconfig/slapd, and in both cases the server needs a certificate configured (olcTLSCertificateFile, olcTLSCertificateKeyFile and olcTLSCACertificateFile in cn=config) before any TLS client can connect.

You can check which ports your OpenLDAP is listening on with the netstat command (or ss -ntlp on newer systems)

$ netstat -ntlp | grep slapd

Authenticating Users with LDAP

By default, Linux authenticates users against the /etc/passwd file. Now we will see how to authenticate users against OpenLDAP.

Make sure the OpenLDAP port is allowed through the firewall on the server: TCP 389 (and 636 if you use LDAPS) from the client machines.

I recommend you review the iptables post to understand these commands: Linux iptables firewall.

On the client machine, point the system's authentication at the LDAP server with authconfig (CentOS 6 and 7; CentOS 8 and later use authselect and sssd instead):

$ authconfig --enableldap --enableldapauth --ldapserver=192.168.1.10 --ldapbasedn="dc=likegeeks,dc=local" --enableldaptls --update

Keep --enableldaptls: without TLS the simple bind that checks a user's password sends that password across the network in clear text. It only works if the server has a certificate configured, and the client must be able to verify it: authconfig points the client at /etc/openldap/cacerts, so copy the CA certificate that signed the server's certificate into that directory (the authconfig package ships cacertdir_rehash to create the hash links the directory needs).

In order to authenticate as an LDAP user, the entry must carry the POSIX account information, that is objectClass posixAccount (and usually shadowAccount) with uid, uidNumber, gidNumber, homeDirectory and loginShell, plus a userPassword.

We will create a user adam. We create the adam.ldif file with those attributes.

slapd accepts a clear-text userPassword in LDIF and simply stores it as given, which is exactly why you should never do it: every client allowed to read the attribute, and every backup of the database, then holds the password itself. Instead, hash it with the slappasswd command:

$ slappasswd

Then we paste the hash (a salted hash, not an encrypted password, so it cannot be turned back into the password) into the LDIF file as the value of userPassword.

Now we can use ldapadd to add the user

$ ldapadd -x -f adam.ldif -D cn=admin,dc=likegeeks,dc=local -W
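
As an added example, not part of the original post, the following Python 3 script (standard library only) builds the LDIF that the Adding Entries, Adding Organizational Units, Adding Users, Adding Groups and Authenticating Users sections each write by hand: the base entry dc=likegeeks,dc=local, ou=users, a login-capable user adam and a POSIX group. Before emitting each entry it checks it against the MUST lists and structural-class rules of the object classes involved (copied from OpenLDAP's core, inetorgperson and nis schemas, MUST attributes only), which is the check the schema walk in Adding Entries does by eye, and it hashes userPassword in the {SSHA} format slappasswd produces. The DN layout, the ou=groups container, the numeric ids and the function names are my own assumptions.

```python
import base64
import hashlib
import os
from typing import Dict, List

# (kind, superclass, MUST attributes) for the object classes used in this post, taken from
# OpenLDAP's core, inetorgperson and nis schemas. MAY lists are deliberately not modelled.
SCHEMA = {
    "top":                  ("ABSTRACT",   None,                   {"objectClass"}),
    "dcObject":             ("AUXILIARY",  "top",                  {"dc"}),
    "organization":         ("STRUCTURAL", "top",                  {"o"}),
    "organizationalUnit":   ("STRUCTURAL", "top",                  {"ou"}),
    "person":               ("STRUCTURAL", "top",                  {"sn", "cn"}),
    "organizationalPerson": ("STRUCTURAL", "person",               set()),
    "inetOrgPerson":        ("STRUCTURAL", "organizationalPerson", set()),
    "posixAccount":         ("AUXILIARY",  "top", {"cn", "uid", "uidNumber", "gidNumber", "homeDirectory"}),
    "shadowAccount":        ("AUXILIARY",  "top",                  {"uid"}),
    "posixGroup":           ("STRUCTURAL", "top",                  {"cn", "gidNumber"}),
}
Entry = Dict[str, List[str]]          # attribute -> values; the "dn" key holds the DN
SUFFIX = "dc=likegeeks,dc=local"      # the suffix used throughout this post

def _chain(oc: str) -> List[str]:
    """The class and all of its superclasses, most derived first."""
    if oc not in SCHEMA:
        raise ValueError(f"objectClass {oc!r} is not in this schema subset")
    sup = SCHEMA[oc][1]
    return [oc] + (_chain(sup) if sup else [])

def validate_entry(entry: Entry) -> List[str]:
    """Problems slapd would report: missing MUST attributes, no STRUCTURAL class,
    or STRUCTURAL classes that do not form a single inheritance chain."""
    classes = entry.get("objectClass", [])
    must = set()
    for oc in classes:
        for c in _chain(oc):
            must |= SCHEMA[c][2]
    present = {a for a in entry if a != "dn"}
    problems = [f"missing required attribute {a}" for a in sorted(must - present)]
    structural = [c for c in classes if SCHEMA[c][0] == "STRUCTURAL"]
    if not structural:
        problems.append("no STRUCTURAL objectClass")
    elif not any(set(structural) <= set(_chain(c)) for c in structural):
        problems.append("STRUCTURAL object classes are not a single chain")
    return problems

def ldif_line(attr: str, value: str) -> str:
    """RFC 2849 attribute line: base64 ('::') if the value starts with space, ':' or '<',
    ends with a space, or contains NUL/CR/LF/non-ASCII; folded at 76 columns."""
    unsafe = (value[:1] in (" ", ":", "<") or value.endswith(" ")
              or any(c in "\x00\r\n" or ord(c) > 127 for c in value))
    line = (f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
            if unsafe else f"{attr}: {value}")
    folded, rest = [line[:76]], line[76:]
    while rest:                       # continuation lines start with exactly one space
        folded.append(" " + rest[:75])
        rest = rest[75:]
    return "\n".join(folded)

def entry_to_ldif(entry: Entry) -> str:
    lines = [ldif_line("dn", entry["dn"])]
    for attr, values in entry.items():
        if attr != "dn":
            lines.extend(ldif_line(attr, v) for v in values)
    return "\n".join(lines) + "\n"

def ssha(password: str) -> str:
    """Same {SSHA} format slappasswd emits: base64(SHA1(password + salt) + salt)."""
    salt = os.urandom(4)
    return "{SSHA}" + base64.b64encode(
        hashlib.sha1(password.encode("utf-8") + salt).digest() + salt).decode("ascii")

def base_entry(dc: str, suffix: str = SUFFIX) -> Entry:
    return {"dn": suffix, "objectClass": ["top", "dcObject", "organization"], "dc": [dc], "o": [dc]}

def ou_entry(ou: str, suffix: str = SUFFIX) -> Entry:
    return {"dn": f"ou={ou},{suffix}", "objectClass": ["top", "organizationalUnit"], "ou": [ou]}

def user_entry(name: str, uid_number: int, gid_number: int, password: str,
               suffix: str = SUFFIX) -> Entry:
    """inetOrgPerson is the structural identity; posixAccount/shadowAccount carry what PAM/NSS need."""
    return {"dn": f"cn={name},ou=users,{suffix}",
            "objectClass": ["top", "inetOrgPerson", "posixAccount", "shadowAccount"],
            "cn": [name], "sn": [name], "uid": [name],
            "uidNumber": [str(uid_number)], "gidNumber": [str(gid_number)],
            "homeDirectory": [f"/home/{name}"], "loginShell": ["/bin/bash"],
            "userPassword": [ssha(password)]}   # never a clear-text value

def group_entry(name: str, gid_number: int, members: List[str], suffix: str = SUFFIX) -> Entry:
    return {"dn": f"cn={name},ou=groups,{suffix}", "objectClass": ["top", "posixGroup"],
            "cn": [name], "gidNumber": [str(gid_number)], "memberUid": list(members)}

def build_ldif(entries: List[Entry]) -> str:
    """Validate every entry, then emit one LDIF file (records separated by a blank line)."""
    for e in entries:
        problems = validate_entry(e)
        if problems:
            raise ValueError(f"{e['dn']}: " + "; ".join(problems))
    return "\n".join(entry_to_ldif(e) for e in entries)

if __name__ == "__main__":            # redirect to a file and load it with ldapadd -x -W -f
    print(build_ldif([base_entry("likegeeks"), ou_entry("users"), ou_entry("groups"),
                      user_entry("adam", 10001, 10001, "Sup3r-secret"),
                      group_entry("developers", 10001, ["adam"])]))
```

The validation is deliberately strict about structural classes: posixAccount and shadowAccount are auxiliary, so a user entry also needs a structural class such as inetOrgPerson, which is the most common cause of the "no structural object class provided" error from slapd. The base64 and folding rules in ldif_line matter as soon as a value contains a non-ASCII name or starts with a space; ldapadd rejects a file that gets them wrong.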

Using phpldapadmin

We have seen how to work with the LDAP server from the command line, which can be a little tricky for a beginner; there is a web-based tool called phpldapadmin, written in PHP, that simplifies working with OpenLDAP.

On CentOS the package is in the EPEL repository, so enable that first; then you can install it like this

$ yum -y install phpldapadmin

The Apache web server and PHP are pulled in as dependencies, so you don't need to install them separately.

Some small configuration needs to be done before you can open phpldapadmin.

Edit the file /etc/phpldapadmin/config.php

and change this line to the address of your LDAP server

$servers->setValue('server','host','PUT YOUR SERVER IP OR DOMAIN HERE');

If you want to use likegeeks.local as the domain, set the search base like this

$servers->setValue('server','base',array('dc=likegeeks,dc=local'));

Also change the bind_id line, so the login form is pre-filled with the admin DN (there must be no space inside the DN)

$servers->setValue('login','bind_id','cn=admin,dc=likegeeks,dc=local');

And don't forget the Apache side: the package installs /etc/httpd/conf.d/phpldapadmin.conf, which defines the /phpldapadmin and /ldap aliases but only permits connections from localhost. Edit its access directives to allow the addresses you administer from, and since every login sends the admin DN and password to the web server, serve it over HTTPS (mod_ssl) or reach it through an SSH tunnel rather than over plain HTTP.

Now you can access phpldapadmin like this

http://server_domain_name_or_IP/ldap

In my example, I will use

http://likegeeks.local/ldap

In the login DN field you will use something like the following

cn=admin,dc=likegeeks,dc=local

Everything we did from the command line, adding users, organizational units and groups, can also be done in this web interface.

I hope you find the post useful and easy. We can’t cover all LDAP server uses in one post, but this was a brief look into LDAP protocol and how to use it.

Thank you.