
Thread: OpenLDAP Server Setup in Ubuntu 12.04 LTS

  1. #1
    Join Date
    Mar 2008
    Beans
    65
    Distro
    Ubuntu 12.04 Precise Pangolin

    OpenLDAP Server Setup in Ubuntu 12.04 LTS

    Hi folks,

    The new LTS version is very impressive; it is equipped with all the latest and greatest open source stuff! I find that configuring anything like samba, ldap, etc. has been made even simpler than in 10.04 LTS. The official Ubuntu documentation is a little confusing, as it always is, so don't totally rely on it and expect to have a working setup; it might work or it might not. Anyway, it did not work for me, but it was the main source of my references in configuring my OpenLDAP server and setting it up for authentication. The procedure has been tested a few times in a virtual environment for the sake of accuracy and functionality. Currently it's available on my website; I have not had enough time to write it here. I will update the thread whenever I get some extra time to spare.

    http://www.ryazkhan.net/articles/ldap12

  2. #2
    Join Date
    Sep 2011
    Location
    Behind you!
    Beans
    1,690
    Distro
    Ubuntu 20.04 Focal Fossa

    Re: OpenLDAP Server Setup in Ubuntu 12.04 LTS

    Thanks for making and sharing this tutorial.

    LHammonds

  3. #3
    Join Date
    Mar 2008
    Beans
    65
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: OpenLDAP Server Setup in Ubuntu 12.04 LTS

    Quote: Originally posted by LHammonds
    Thanks for making and sharing this tutorial.

    LHammonds
    My pleasure! Hope it was helpful.

  4. #4
    Join Date
    Mar 2008
    Beans
    65
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: OpenLDAP Server Setup in Ubuntu 12.04 LTS

    Here is the tutorial as promised; it's always available here.

    With the assumption that Ubuntu 12.04 LTS Server is already installed, it should work with any other version with some changes, if any. No assurance that it will work for your setup; it worked for me, so I am sharing it.

    I have used dc=testlab,dc=dev as my domain, cn=admin,dc=testlab,dc=dev as my ldap admin user, and test as my password throughout this guide; please feel free to change it to your liking.
    Update all packages and install updates if any
    sudo apt-get update && sudo apt-get upgrade -y
    The base DN or suffix of the ldap tree will be populated/created based on the domain name specified in the /etc/hosts file; in my case it is testlab.dev
    Let's proceed with the install and install the following required packages
    sudo apt-get install slapd ldap-utils -y
    The password would be test, like I mentioned in the beginning
    Now let's add some logging level for ldap
    nano log.ldif and paste the following in it, then save the file and exit out
    dn: cn=config
    changetype: modify
    add: olcLogLevel
    olcLogLevel: stats
    Add the above ldif file to the ldap database
    sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f log.ldif
    Done, at this point we have a working OpenLDAP server
    Now let's set it up so we can actually use it; here we are going to use it for user authentication
    Install the libnss-ldap package
    sudo apt-get install libnss-ldap -y
    There will be a few questions here; answer them as follows
    ldap://127.0.0.1
    dc=testlab,dc=dev
    3
    Yes
    No
    cn=admin,dc=testlab,dc=dev
    test
    If you make a mistake you can try again using
    sudo dpkg-reconfigure ldap-auth-config
    Now configure the LDAP profile for NSS
    sudo auth-client-config -t nss -p lac_ldap
    There should not be any errors; if you have some error(s), go back and check your config
    Finally, tell the system to use ldap for authentication. The option should be selected already; hit the space bar to select it if it's not already, and do not uncheck Unix authentication
    sudo pam-auth-update
    That is it, we have configured our ldap server successfully and it is ready to authenticate users
    Now let's add some indices to the ldap database to ease the lookup
    nano indices.ldif
    and paste the following
    dn: olcDatabase={1}hdb,cn=config
    changetype: modify
    add: olcDbIndex
    olcDbIndex: uid eq,pres,sub
    Now add the above ldif data
    sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f indices.ldif
    Verify new indices
    sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config '(olcDatabase={1}hdb)' olcDbIndex
    You should see all the above indices!
    Let's add some objects under our ldap tree using an ldif file; for testing purposes I am going to add only one OU and only one user
    nano base.ldif
    and paste the following into it, save it and exit out of it
    dn: ou=Users,dc=testlab,dc=dev
    objectClass: organizationalUnit
    ou: Users

    dn: uid=rkhan,ou=Users,dc=testlab,dc=dev
    objectClass: organizationalPerson
    objectClass: person
    objectClass: top
    objectClass: inetOrgPerson
    objectClass: posixAccount
    objectClass: shadowAccount
    uid: rkhan
    sn: Khan
    givenName: Ryaz
    cn: Ryaz Khan
    displayName: Ryaz Khan
    uidNumber: 10000
    gidNumber: 10000
    userPassword: test
    gecos: Ryaz Khan
    loginShell: /bin/bash
    homeDirectory: /profiles/rkhan
    mail: ryaz.khan@live.com
    telephoneNumber: 000-000-0000
    st: NY
    manager: uid=rkhan,ou=Users,dc=testlab,dc=dev
    shadowExpire: -1
    shadowFlag: 0
    shadowWarning: 7
    shadowMin: 8
    shadowMax: 999999
    shadowLastChange: 10877
    title: System Administrator
    Now add the above ldif data to the ldap database
    ldapadd -x -D cn=admin,dc=testlab,dc=dev -w test -f base.ldif
    and again the password is test
    Great!
    Now we have one user in our ldap database, so let's try the search indices we created earlier
    ldapsearch -x -LLL -b dc=testlab,dc=dev 'uid=rkhan' uid uidNumber displayName
    ldapsearch -x -LLL -b dc=testlab,dc=dev 'uid=*kh*' uid uidNumber displayName
    ldapsearch -x -LLL -b dc=testlab,dc=dev 'uid=*an' uid uidNumber displayName
    ldapsearch -x -LLL -b dc=testlab,dc=dev 'uid=rk*' uid uidNumber displayName
    All the above queries should retrieve user rkhan from the ldap database
    Great!
    Now let's test our ldap authentication
    ssh rkhan@localhost
    I was able to log in to the system as rkhan with ldap credentials, and so should you. rkhan might be welcomed with an error about the home path not being found etc.; that is because you probably have not created /profiles/rkhan, it would not be created automatically!

    Have fun playing with the LDAP monster, and feel free to ask me any question(s)

    I apologize for any typos, I might have one or more
    References
    LDAP - Ubuntu Official Documentation
    Last edited by ryazkhan; May 8th, 2012 at 04:03 PM.
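
Added example (not part of ryazkhan's post or the Ubuntu documentation): base.ldif above sets `userPassword: test`, and `ldapadd` stores that value as written, so the directory holds the password in cleartext. The Python sketch below flags such entries in an LDIF file and rewrites them with a salted `{SSHA}` value, the scheme `slappasswd` emits by default; the function names and the trimmed sample LDIF are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os
import re

# Constructed sample: the two entries from base.ldif, trimmed to a few attributes.
SAMPLE_LDIF = """\
dn: ou=Users,dc=testlab,dc=dev
objectClass: organizationalUnit
ou: Users

dn: uid=rkhan,ou=Users,dc=testlab,dc=dev
objectClass: inetOrgPerson
uid: rkhan
userPassword: test
"""

SCHEME = re.compile(rb"^\{[A-Za-z0-9_-]+\}")        # {SSHA}, {CRYPT}, ...
PW_LINE = re.compile(r"(?i)^userPassword(::?)\s*(.*)$")

def ssha(password: bytes, salt: bytes = None) -> str:
    """{SSHA} value: base64(SHA1(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def check_ssha(password: bytes, stored: str) -> bool:
    """Verify a password against a stored {SSHA} value."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]               # SHA-1 digest is 20 bytes
    return hmac.compare_digest(hashlib.sha1(password + salt).digest(), digest)

def harden_ldif(text: str):
    """Return (rewritten LDIF, DNs whose userPassword was cleartext)."""
    out, findings, dn = [], [], None
    for line in text.splitlines():
        if line.lower().startswith("dn:"):
            dn = line[3:].strip()
        m = PW_LINE.match(line)
        if m:
            # "::" marks a base64-encoded value, which may still be cleartext
            value = base64.b64decode(m.group(2)) if m.group(1) == "::" else m.group(2).encode()
            if not SCHEME.match(value):
                findings.append(dn)
                line = "userPassword: " + ssha(value)
        out.append(line)
    return "\n".join(out) + "\n", findings

hardened, flagged = harden_ldif(SAMPLE_LDIF)
```

Folded (continuation) LDIF lines are not handled; the rewritten text is what would be passed to `ldapadd` in place of the original file.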

  5. #5
    Join Date
    Jun 2006
    Location
    Austin, TX
    Beans
    57
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: OpenLDAP Server Setup in Ubuntu 12.04 LTS

    The only problem I had with the official doc is that the replication stuff just flat out doesn't work.

    Do you have any idea what's wrong with the written docs?
    i7-3930K, 64GB RAM, 4x2TB HD RAID-10

  6. #6
    Join Date
    Mar 2008
    Beans
    65
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: OpenLDAP Server Setup in Ubuntu 12.04 LTS

    Quote: Originally posted by quad3d@work
    The only problem I had with the official doc is that the replication stuff just flat out doesn't work.

    Do you have any idea what's wrong with the written docs?
    I have not tried that part (replication); go to the samba part and you will know what's wrong. It might work for you.

  7. #7
    Join Date
    Feb 2011
    Location
    Coquitlam, B.C. Canada
    Beans
    3,521
    Distro
    Ubuntu Development Release

    Re: OpenLDAP Server Setup in Ubuntu 12.04 LTS

    It would be great if you could make launchpad bug reports for issues with the Ubuntu official server guide. Or better still, join the documentation contributors team and you will be able to edit it yourself and submit merge proposals.

    I don't use OpenLDAP, but I do know that section was reviewed and edited for the 12.04 release.

  8. #8
    Join Date
    Mar 2008
    Beans
    65
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: OpenLDAP Server Setup in Ubuntu 12.04 LTS

    Quote: Originally posted by Doug S
    It would be great if you could make launchpad bug reports for issues with the Ubuntu official server guide. Or better still, join the documentation contributors team and you will be able to edit it yourself and submit merge proposals.

    I don't use OpenLDAP, but I do know that section was reviewed and edited for the 12.04 release.
    Yes it was, and the LDAP part is not bad; it's the samba part. It has one link to a non-existent script, and the samba schema (tarball) has a bug in it as well; some of the smbldap-tools perl scripts contain some deprecated code.

  9. #9
    Join Date
    Feb 2011
    Location
    Coquitlam, B.C. Canada
    Beans
    3,521
    Distro
    Ubuntu Development Release

    Re: OpenLDAP Server Setup in Ubuntu 12.04 LTS

    I see that the samba ldap section and the samba chapter did not get reviewed/edited in the 12.04 cycle. In the end, the time was up but there was still lots to do.

    It would be much appreciated if you could enter a launchpad bug, so that your important observations and suggestions don't get lost.

    @quad3dwork: also, for your issues with the replication parts.

  10. #10
    Join Date
    Jun 2006
    Location
    Austin, TX
    Beans
    57
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: OpenLDAP Server Setup in Ubuntu 12.04 LTS

    Never used Launchpad before. Hope I did it right.
    i7-3930K, 64GB RAM, 4x2TB HD RAID-10
