Page All: Viewing All Pages
Page 1
Intro:
The Lightweight Directory Access Protocol, LDAP for short, is a 'fork' of the original X.500 specification for Directory Access Protocol. This X.500 was large and heavy. It also required an OSI protocol stack to run. LDAP was made to be leaner and able to run on top of TCP/IP instead of the OSI complete stack. Active Directory, the directory software that many Windows based enterprise networks use, is LDAP at its heart. Directory services can provide many benefits to a home network or a business. With LDAP setup, it is relatively easy to setup a single sign-on on every computer or have a global address book. The first step is the installation which is very easy on Ubuntu.
Why Bother?:
You might ask yourself about why you should even bother installing OpenLDAP. I can give you a few reasons.
System Setup:
This guide will give you step by step instructions on how to install OpenLDAP on Ubuntu. This guide will work on all its variants as well as Debian. The actual computer I used to perform the steps in this guide is my »BackupPC and fileserver as well as the VMWare server. This install will be done fully from a bash prompt so you are free to use ssh to do everything in this guide as I did.
You need to get to a bash prompt. If you are using ssh, you should know what you need to do. If you are new to Linux and are using Ubuntu, you can use the terminal program under Applications -> Accessories -> Terminal. That brings up a command line interface with a bash prompt. It should look like this...
aronschatz@aseserver:~$
Step 1: Install OpenLDAP
Technically, this can be the only step if you left the default settings. The default settings need adjustment, so we need to reconfigure the package after the installation. Don't worry, this isn't a one step guide.
To install OpenLDAP type...
aronschatz@aseserver:~$ sudo apt-get install slapd ldap-utils
This command will install OpenLDAP (called slapd) and some LDAP utilities from the Ubuntu repository. Make sure you enter your password for sudo and accept the installation of the software to continue. apt-get will install the software and return to a prompt asking you to input an initial password. Make this as simple as you want since we are going to reset the configuration of slapd.
Step 2: Reconfigure slapd
The next step we need to do is the actual configuration of the server. The installation pre-configured the slapd package, but we need to put in our own information. Since slapd is a Debian package, a simple command allows you to reconfigure it. Type...
aronschatz@aseserver:~$ sudo dpkg-reconfigure slapd
This command brings up the initial slapd configuration. dpkg-reconfigure is pretty easy to figure out. It is a graphical setup in the command line interface. The follow screenshots display the configuration.
We want to setup slapd, so you don't want to omit the OpenLDAP configuration. Pick No.
Directories work in the same way a domain does. In fact, it is good to name the base of your LDAP directory the same as your DNS suffix. My suffix happens to be asetest. so my base DN (distinguished name) would be "asetest" which actually translates into "dc=asetest". You can enter as long a domain as you want. If you wanted "ldap.aseserver.asetest" that would be fine. In the LDAP directory, this would be "dc=ldap,dc=aseserver,dc=asetest" where dc means domain component.
This step is the name of the organization. I just said "ASE LDAP", but you can pick any organization you want.
Here is where the new admin password is made. For extra security, pick a different password than the root password on the machine.
Now renter the same password to confirm.
This blurb is giving you information about how to store the data for LDAP. We will be using BDB. Just tab to OK.
Pick BDB and move on to the next screen.
No you don't want the database deleted on a purge.
Sure, move the old stuff out of the way.
No, you don't want to allow LDAPv2.
And that's the final configuration step. Next we will dive into the files to make sure everything is fine. The configuration routine actually handles everything nicely, but it is good to see what is happening.
Intro:
The Lightweight Directory Access Protocol, LDAP for short, is a 'fork' of the original X.500 specification for Directory Access Protocol. This X.500 was large and heavy. It also required an OSI protocol stack to run. LDAP was made to be leaner and able to run on top of TCP/IP instead of the OSI complete stack. Active Directory, the directory software that many Windows based enterprise networks use, is LDAP at its heart. Directory services can provide many benefits to a home network or a business. With LDAP setup, it is relatively easy to setup a single sign-on on every computer or have a global address book. The first step is the installation which is very easy on Ubuntu.
Why Bother?:
You might ask yourself about why you should even bother installing OpenLDAP. I can give you a few reasons.
- Everything runs directory services. Every Windows Active Directory domain is running LDAP and most enterprise POSIX networks are running LDAP. OpenLDAP gives you insight and experience on how these systems work.
- Central administration. Directory services can ease administration in the smallest networks using a central system. Make a single change in one place instead of each workstation.
- It's easy. There's no reason not to install it. You can always try it out and uninstall it if you don't want to keep it.
System Setup:
This guide will give you step by step instructions on how to install OpenLDAP on Ubuntu. This guide will work on all its variants as well as Debian. The actual computer I used to perform the steps in this guide is my »BackupPC and fileserver as well as the VMWare server. This install will be done fully from a bash prompt so you are free to use ssh to do everything in this guide as I did.
You need to get to a bash prompt. If you are using ssh, you should know what you need to do. If you are new to Linux and are using Ubuntu, you can use the terminal program under Applications -> Accessories -> Terminal. That brings up a command line interface with a bash prompt. It should look like this...
aronschatz@aseserver:~$
Step 1: Install OpenLDAP
Technically, this can be the only step if you left the default settings. The default settings need adjustment, so we need to reconfigure the package after the installation. Don't worry, this isn't a one step guide.
To install OpenLDAP type...
aronschatz@aseserver:~$ sudo apt-get install slapd ldap-utils
This command will install OpenLDAP (called slapd) and some LDAP utilities from the Ubuntu repository. Make sure you enter your password for sudo and accept the installation of the software to continue. apt-get will install the software and return to a prompt asking you to input an initial password. Make this as simple as you want since we are going to reset the configuration of slapd.
Step 2: Reconfigure slapd
The next step we need to do is the actual configuration of the server. The installation pre-configured the slapd package, but we need to put in our own information. Since slapd is a Debian package, a simple command allows you to reconfigure it. Type...
aronschatz@aseserver:~$ sudo dpkg-reconfigure slapd
This command brings up the initial slapd configuration. dpkg-reconfigure is pretty easy to figure out. It is a graphical setup in the command line interface. The follow screenshots display the configuration.
We want to setup slapd, so you don't want to omit the OpenLDAP configuration. Pick No.
Directories work in the same way a domain does. In fact, it is good to name the base of your LDAP directory the same as your DNS suffix. My suffix happens to be asetest. so my base DN (distinguished name) would be "asetest" which actually translates into "dc=asetest". You can enter as long a domain as you want. If you wanted "ldap.aseserver.asetest" that would be fine. In the LDAP directory, this would be "dc=ldap,dc=aseserver,dc=asetest" where dc means domain component.
This step is the name of the organization. I just said "ASE LDAP", but you can pick any organization you want.
Here is where the new admin password is made. For extra security, pick a different password than the root password on the machine.
Now renter the same password to confirm.
This blurb is giving you information about how to store the data for LDAP. We will be using BDB. Just tab to OK.
Pick BDB and move on to the next screen.
No you don't want the database deleted on a purge.
Sure, move the old stuff out of the way.
No, you don't want to allow LDAPv2.
And that's the final configuration step. Next we will dive into the files to make sure everything is fine. The configuration routine actually handles everything nicely, but it is good to see what is happening.
Page 2
Step 3: Test LDAP server
The command "ldapsearch -x -b dc=asetest" will basically dump records in the base DN of dc=asetest without using authentication. You should see basic things such as the admin entry. The LDAP directory is good to go.
Step 4: Look at the config file
The file /etc/ldap/slapd.conf has the configuration for the slapd package. In it you will find answers that you gave during the configuration step. The lines that are important are...
This group says that only the admin and self can change the userPassword field. That makes perfect sense since you don't want some random person changing someone else's password. Permissions in slapd are easy to configure by looking at other examples in the config file.
If you changed the config file, you must restart slapd. "sudo /etc/init.d/slapd restart" will restart the process. This step is actually the final step needed to get a working LDAP server. The next step is optional and extremely useful.
Step 5: Install phpLDAPadmin
We need an easy way to administrate the LDAP server. While the command line tools work fine, it would be nice to use a web interface. Thankfully, phpLDAPadmin comes in to the picture. Type...
aronschatz@aseserver:~$ sudo apt-get install phpldapadmin
Which will install phpLDAPadmin. This install will grab information from the slapd configuration and setup to work with the LDAP server. You can now navigate to that server's name or IP address and append /phpldapadmin/ and get to the phpLDAPadmin page in a browser.
This is the initial welcome screen of phpLDAPadmin. This is nice, but you will want to Login to the server to do anything useful.
The Login DN is a distinguished name. This is a full typed LDAP entry. Mine would be "cn=admin,dc=asetest". Let's say your server directory wa ldap.aseserver.asetest and the name was admin. The Login DN would be "cn=admin,dc=ldap,dc=aseserver,dc=asetest". The password is your admin password.
Once you are authenticated, you can administer the LDAP server. It is very easy to make groups and new users, but a follow-up guide will go into making LDAP work for centralized logins and such.
Conclusion:
Setting up OpenLDAP on Ubuntu is simple and effective. Within minutes, you have a fully functional LDAP server waiting to be used. The is the first step in making a centralized logon facility and directory services for everyone on your network. Stay tuned for another guide how to make a schema that works for different uses. For further reading, buy some LDAP books. I'm sure it is a good bathroom read.
If you have any questions, feel free to »post in the forums or email me.
Step 3: Test LDAP server
Code
aronschatz@aseserver:~$ ldapsearch -x -b dc=asetest
# extended LDIF
#
# LDAPv3
# base <dc=asetest> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# asetest
dn: dc=asetest
objectClass: top
objectClass: dcObject
objectClass: organization
o: ASE LDAP
dc: asetest
# admin, asetest
dn: cn=admin,dc=asetest
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
# search result
search: 2
result: 0 Success
# numResponses: 3
# numEntries: 2
# extended LDIF
#
# LDAPv3
# base <dc=asetest> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# asetest
dn: dc=asetest
objectClass: top
objectClass: dcObject
objectClass: organization
o: ASE LDAP
dc: asetest
# admin, asetest
dn: cn=admin,dc=asetest
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
# search result
search: 2
result: 0 Success
# numResponses: 3
# numEntries: 2
The command "ldapsearch -x -b dc=asetest" will basically dump records in the base DN of dc=asetest without using authentication. You should see basic things such as the admin entry. The LDAP directory is good to go.
Step 4: Look at the config file
The file /etc/ldap/slapd.conf has the configuration for the slapd package. In it you will find answers that you gave during the configuration step. The lines that are important are...
Code
access to attrs=userPassword,shadowLastChange
by dn="cn=admin,dc=asetest" write
by anonymous auth
by self write
by * none
by dn="cn=admin,dc=asetest" write
by anonymous auth
by self write
by * none
This group says that only the admin and self can change the userPassword field. That makes perfect sense since you don't want some random person changing someone else's password. Permissions in slapd are easy to configure by looking at other examples in the config file.
If you changed the config file, you must restart slapd. "sudo /etc/init.d/slapd restart" will restart the process. This step is actually the final step needed to get a working LDAP server. The next step is optional and extremely useful.
Step 5: Install phpLDAPadmin
We need an easy way to administrate the LDAP server. While the command line tools work fine, it would be nice to use a web interface. Thankfully, phpLDAPadmin comes in to the picture. Type...
aronschatz@aseserver:~$ sudo apt-get install phpldapadmin
Which will install phpLDAPadmin. This install will grab information from the slapd configuration and setup to work with the LDAP server. You can now navigate to that server's name or IP address and append /phpldapadmin/ and get to the phpLDAPadmin page in a browser.
This is the initial welcome screen of phpLDAPadmin. This is nice, but you will want to Login to the server to do anything useful.
The Login DN is a distinguished name. This is a full typed LDAP entry. Mine would be "cn=admin,dc=asetest". Let's say your server directory wa ldap.aseserver.asetest and the name was admin. The Login DN would be "cn=admin,dc=ldap,dc=aseserver,dc=asetest". The password is your admin password.
Once you are authenticated, you can administer the LDAP server. It is very easy to make groups and new users, but a follow-up guide will go into making LDAP work for centralized logins and such.
Conclusion:
Setting up OpenLDAP on Ubuntu is simple and effective. Within minutes, you have a fully functional LDAP server waiting to be used. The is the first step in making a centralized logon facility and directory services for everyone on your network. Stay tuned for another guide how to make a schema that works for different uses. For further reading, buy some LDAP books. I'm sure it is a good bathroom read.
If you have any questions, feel free to »post in the forums or email me.