How to Install OpenLDAP on Ubuntu 18.04?

Introduction

In this post we will install OpenLDAP on Ubuntu 18.04.

OpenLDAP is a free, open-source implementation of LDAP (Lightweight Directory Access Protocol). An LDAP directory is a datastore mostly used for storing user identities and for user authentication.

What is LDAP?

LDAP stores information in a hierarchical structure called the Directory Information Tree (DIT). The DIT contains nested entries; each entry has attributes, and which attributes it carries is determined by the objectClass of the entry. The LDAP schema defines which attributes are available for each objectClass.

Each entry in the tree has a DN (distinguished name) which uniquely identifies it. The root of the tree also has a distinguished name, sometimes called the suffix or root DN.

Step 1. Install OpenLDAP

Let’s jump right in and install the LDAP software itself. The command is:

sudo apt install -y ldap-utils slapd

During installation we will have to provide a password for the LDAP admin account:

Once you provide the password, the installation will continue for a while and then finish.

Step 2. Default configuration

The installation has completed, so let’s have a look at the initial configuration. Run sudo slapcat to check the default directory contents. The output has a special format called LDIF (LDAP Data Interchange Format):

orkhans@ubu1:~$ sudo slapcat
[sudo] password for orkhans: 
dn: dc=nodomain
objectClass: top
objectClass: dcObject
objectClass: organization
o: nodomain
dc: nodomain
structuralObjectClass: organization
entryUUID: 1aea52c2-d2d0-1038-84dc-33c5df1edb1a
creatorsName: cn=admin,dc=nodomain
createTimestamp: 20190304134941Z
entryCSN: 20190304134941.739043Z#000000#000#000000
modifiersName: cn=admin,dc=nodomain
modifyTimestamp: 20190304134941Z

dn: cn=admin,dc=nodomain
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: e1NTSEF9aFpSWmZtZ0tSOHVvM3hyWTdMN1BTd1VybWVzVHNVbGk=
structuralObjectClass: organizationalRole
entryUUID: 1aeaea16-d2d0-1038-84dd-33c5df1edb1a
creatorsName: cn=admin,dc=nodomain
createTimestamp: 20190304134941Z
entryCSN: 20190304134941.743016Z#000000#000#000000
modifiersName: cn=admin,dc=nodomain
modifyTimestamp: 20190304134941Z

There are two entries in our directory: the first represents the root of our tree and the second represents the admin user. The entries have different objectClasses and therefore different attributes.

As you can see, the top-level distinguished name (the root of our tree) is dc=nodomain, because we don’t have any domain-related configuration on our server.

The DN (distinguished name) of the admin user is cn=admin,dc=nodomain.

Step 3. Initial configuration wizard

Now we need to prepare our configuration files for further use. Let’s run a special wizard to do this:

sudo dpkg-reconfigure slapd

For Omit OpenLDAP server configuration? select No:

For DNS domain name enter your domain, for example geekstuff.org. This domain name will be used to construct the base DN of the tree, which at the moment is just dc=nodomain.

Then enter the organization name and proceed.

Enter the administrator password and then confirm it:

For Database Backend to use select MDB:

Do you want the database to be removed when slapd is purged? Choose No:

For Move old database? choose Yes:

Then the wizard will finish its work and you will see a message similar to this in your terminal:

Step 4. Verify the changes

Now if you run sudo slapcat again you will see that the base DN of the tree has changed to dc=geekstuff,dc=org and the DN of the admin is now cn=admin,dc=geekstuff,dc=org. These changes were made by the wizard we have just run.

You can also run systemctl status slapd to make sure the OpenLDAP daemon is running:

Step 5. Configure LDAP client

So far we have been configuring the server part of OpenLDAP. Now let’s configure the client part so we can test the connection. The client configuration file is /etc/ldap/ldap.conf.

Make sure that the file contains values for both BASE and URI. BASE defines where the client should start its search in the directory tree. URI defines the location of the server itself.

My config looks like this:

BASE is set to the DN of the tree, because I want the client to start its search at the root. URI is set to localhost, because the client runs on the same machine as the server.

Step 6. Make a test connection

Let’s test out our OpenLDAP server. Run the following command: ldapsearch -x

orkhans@ubu1:~$ ldapsearch -x
# extended LDIF
#
# LDAPv3
# base <dc=geekstuff,dc=org> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# geekstuff.org
dn: dc=geekstuff,dc=org
objectClass: top
objectClass: dcObject
objectClass: organization
o: geekstuff
dc: geekstuff

# admin, geekstuff.org
dn: cn=admin,dc=geekstuff,dc=org
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

We have successfully received a response to our request, which means that our OpenLDAP server is working. ldapsearch is a utility that lets us make various LDAP requests. There are also the ldapadd and ldapmodify utilities, which are used for basic manipulation of LDAP entries.
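As an added example (not part of the original post), the following Python script works through what Steps 2 and 6 showed. It parses LDIF as printed by slapcat and ldapsearch, decodes the "attr:: value" base64 form that the Step 2 dump used for userPassword, reports which password hash scheme an entry uses, shows how an {SSHA} value is laid out and checked, and reduces an ldapsearch run to its result code and the DNs it returned. The two sample inputs are constructed from the output shown above (trimmed); the SSHA helpers implement the standard scheme layout and are not OpenLDAP's own code.

```python
import base64
import hashlib
import os

# Constructed sample: the two default entries slapcat printed in Step 2,
# trimmed to the attributes this example needs (userPassword is the real one).
SLAPCAT_DUMP = """\
dn: dc=nodomain
objectClass: top
objectClass: dcObject
objectClass: organization
dc: nodomain

dn: cn=admin,dc=nodomain
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
userPassword:: e1NTSEF9aFpSWmZtZ0tSOHVvM3hyWTdMN1BTd1VybWVzVHNVbGk=
"""

# Constructed sample: the 'ldapsearch -x' output from Step 6, trimmed.
LDAPSEARCH_OUTPUT = """\
# base <dc=geekstuff,dc=org> (default) with scope subtree

# geekstuff.org
dn: dc=geekstuff,dc=org
objectClass: top
objectClass: dcObject
objectClass: organization

# admin, geekstuff.org
dn: cn=admin,dc=geekstuff,dc=org
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin

# search result
search: 2
result: 0 Success
"""


def parse_ldif(text):
    """Parse LDIF into a list of records, each {attribute: [values]}.
    Handles blank-line record separators, '#' comments, continuation lines
    (leading space) and 'attr:: value' (base64-encoded value)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # continuation of the previous line
        else:
            lines.append(raw)
    records, current = [], {}
    for line in lines + [""]:             # trailing "" flushes the last record
        if not line.strip():
            if current:
                records.append(current)
                current = {}
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            if value.startswith(":"):     # '::' means the value is base64
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            else:
                value = value.strip()
            current.setdefault(name, []).append(value)
    return records


def password_scheme(entry):
    """Hash scheme of an entry's userPassword ('{SSHA}', '{CRYPT}', ...),
    'cleartext' if the value has no scheme prefix, None if no password."""
    values = entry.get("userPassword")
    if not values:
        return None
    value = values[0]
    if value.startswith("{") and "}" in value:
        return value[: value.index("}") + 1]
    return "cleartext"


def ssha_hash(password, salt=None):
    """Build an {SSHA} value like slappasswd: base64(SHA-1(password+salt)+salt).
    Lets you put a hashed, not cleartext, password into an LDIF for ldapadd."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(password, stored):
    """Check a password against an {SSHA} value (what slapd does on a bind)."""
    payload = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = payload[:20], payload[20:]   # SHA-1 digest is 20 bytes, salt follows
    return hashlib.sha1(password.encode() + salt).digest() == digest


def search_summary(output):
    """Reduce ldapsearch output to (result code, [DNs returned]); 0 is Success."""
    records = parse_ldif(output)
    entries = [r["dn"][0] for r in records if "dn" in r]
    results = [r for r in records if "result" in r]
    code = int(results[-1]["result"][0].split()[0]) if results else None
    return code, entries
```

Run it as a module and call parse_ldif(SLAPCAT_DUMP) or search_summary(LDAPSEARCH_OUTPUT). Comparing the two samples makes a useful point: slapcat reads the database files directly and dumps the admin's userPassword (a salted SHA-1 hash once decoded), so its output should be handled as sensitive, whereas the anonymous ldapsearch in Step 6 did not return that attribute, because the default access rules only allow userPassword to be used for authentication rather than read.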

Conclusion

Now you should have a working OpenLDAP server supporting LDAPv3. Thank you for reading.
