Ubuntu: Creating an OpenLDAP Server


Installing the OpenLDAP packages

You will need the slapd and ldap-utils packages in order to create an LDAP server on Ubuntu. The slapd package contains the OpenLDAP server software, while the ldap-utils package contains the command-line utilities and client software. You can install the packages through the Synaptic package manager or by typing the command "sudo apt-get install slapd ldap-utils". When the slapd package is installed, it will ask you for an administrator password. You can type any password here, as you will be asked for it again later in the process.

The OpenLDAP documentation says that the configuration file for the LDAP server will be found at /etc/ldap/slapd.conf. However, Debian and Ubuntu use a slapd.d directory instead of the slapd.conf file. Therefore, configuring the server is done differently. The information needed for configuration is the administrator password, the domain name for your network, and your company name. There are different ways to provide this information, but the easiest way to do it is by typing the command "sudo dpkg-reconfigure slapd".

While the command is running you will be asked a few questions. The first question is whether you want to omit OpenLDAP server configuration. You will want to answer no to this question. The next three questions will ask you for the domain name, your company name, and the administrator password. You should use the default answers for the final six questions unless you are absolutely sure that you want a non-default setting.

That is all that is needed to set up the server. You can test that your server is working correctly by typing the following command:

ldapsearch -x -b dc=example,dc=com

The -x option says to use simple authentication. The -b option specifies the search base, the DN at which the search starts, instead of the default location. The two dc attributes are the domain components: each label of the domain name becomes its own dc=... component in the DN.

Adding the Logins

To finish the LDAP server, you will have to populate the database with the login information for your users. Assuming that your users already have a login on the Ubuntu server where your LDAP database is held, this is a simple process. There is an application called migrationtools that will assist in migrating your current information into the database. To install the application, type the command "sudo apt-get install migrationtools".

Before using the tools, you will have to provide your server information in the file /usr/share/migrationtools/migrate_common.ph. Open the file with the command "sudo gedit /usr/share/migrationtools/migrate_common.ph" and look for the following lines, around line 70:

# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "example.com";

# Default base
$DEFAULT_BASE = "dc=example,dc=com";

Place the complete domain name in the $DEFAULT_MAIL_DOMAIN variable. The $DEFAULT_BASE variable splits the domain into the domain components.

Once that is done, you will have to export your current group and password information into a form that can be read by the LDAP database. To do that, you will type the following commands (run as root if you want the password hashes from /etc/shadow to be included; the resulting passwd.ldif then contains those hashes, so keep it readable only by you and delete it once it has been imported):

cd /usr/share/migrationtools/
./migrate_group.pl /etc/group ~/group.ldif
./migrate_passwd.pl /etc/passwd ~/passwd.ldif

You have to create one more .ldif file before the database can be populated. This file creates the People and Group nodes (organizational units) in the LDAP directory, which the migrated user and group entries refer to. Create a plain text file called people.ldif in your home directory and place the following information in it (the blank line between the two entries is required, as LDIF separates entries with an empty line):

dn: ou=People,dc=example,dc=com
ou: People
objectClass: organizationalUnit

dn: ou=Group,dc=example,dc=com
ou: Group
objectClass: organizationalUnit

Once the .ldif files are created, you can then import the information into the LDAP database by issuing the following commands from your home directory. The order matters: the organizational units must exist before the group and user entries that live under them are added.

ldapadd -x -W -D "cn=admin,dc=example,dc=com" -f ~/people.ldif
ldapadd -x -W -D "cn=admin,dc=example,dc=com" -f ~/group.ldif
ldapadd -x -W -D "cn=admin,dc=example,dc=com" -f ~/passwd.ldif

The -x option says to use simple authentication. The -W option says to prompt for a password. The -D option specifies the DN to bind as, here the administrator entry that dpkg-reconfigure created. The -f option says where to find the .ldif file. Once this is done you have an LDAP server that is ready to accept authentication requests from clients.
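The two hand-edited pieces above, splitting the domain name into dc= components and writing the People/Group LDIF, are easy to get wrong (a missing comma or blank line makes ldapadd reject the file). The following shell functions, added here as an example and not part of the original article or the migrationtools package, generate both from any domain name and check the result; the names domain_to_base, base_ldif, ldif_entry_count and verify_ous are assumptions of this example.

```shell
#!/bin/sh
# domain_to_base DOMAIN  ->  base DN with one dc= component per label
#   example.com          ->  dc=example,dc=com
domain_to_base() {
    printf '%s\n' "$1" | awk -F. '{
        out = ""
        for (i = 1; i <= NF; i++)
            out = out (i > 1 ? "," : "") "dc=" $i
        print out
    }'
}

# base_ldif BASE  ->  LDIF for the ou=People and ou=Group entries.
# Each entry ends with an empty line, which is how LDIF separates entries.
base_ldif() {
    base=$1
    for ou in People Group; do
        printf 'dn: ou=%s,%s\nou: %s\nobjectClass: organizationalUnit\n\n' \
            "$ou" "$base" "$ou"
    done
}

# ldif_entry_count (stdin)  ->  number of blank-line-separated entries.
# A file whose entries are not separated by an empty line counts as one.
ldif_entry_count() {
    awk 'BEGIN { RS = "" } END { print NR }'
}

# verify_ous BASE  ->  after the import, confirm both OUs exist on the
# running server (needs slapd; not exercised offline). Returns non-zero
# if either lookup fails.
verify_ous() {
    base=$1
    for ou in People Group; do
        ldapsearch -x -LLL -s base -b "ou=$ou,$base" dn >/dev/null || return 1
    done
}

# Constructed usage: write the LDIF for example.com to ~/people.ldif
# base_ldif "$(domain_to_base example.com)" > ~/people.ldif
```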

Conclusion

Creating a simple LDAP server for your network is very simple, especially if your users already have logins on the server. Once the server is set up, you can install the appropriate software on the clients. Windows users will have to connect using Samba TNG. Linux clients can connect using the libnss-ldap package.