Deploy the LDAP Directory System to an Ubuntu Server
You’ve probably heard of Active Directory, the Microsoft directory service that connects users with the resources they require. But did you know that there’s an open source directory service based on the Lightweight Directory Access Protocol (LDAP) that can do many of the things Active Directory can do?
LDAP stands for Lightweight Directory Access Protocol, and is a protocol for storing and querying data in a directory, so that users and systems can access that data for numerous purposes. One very handy use case for LDAP is a centralized authentication directory, so user login information lives in one place. When a user attempts to log in to any machine on your network, the machine queries the LDAP directory and, if the credentials match, allows access to the user’s account on that machine.
LDAP is powerful, flexible and free.
I want to walk you through the process of deploying an LDAP server, and then, how to configure a client to use LDAP authentication.
What You’ll Need
To make this work, you’ll need one instance of Ubuntu Server (I’ll demonstrate with version 22.04), an instance of Ubuntu Desktop, and a user with sudo privileges. That’s it. Let’s get to work.
Installing LDAP
Log in to Ubuntu Server and install the necessary software with this command:
sudo apt-get install slapd ldap-utils -y
During the installation, you’ll be required to set an LDAP admin password. Choose a strong password and confirm it when asked.
That’s it for the installation.
Configuring LDAP
It’s now time to configure LDAP. First, you must reconfigure the Directory Information Tree (DIT), which should be in this format:
dc=example,dc=com
That’s what I’ll be using for this tutorial, but you’ll want to use your own domain for this. To configure the DIT, issue this command:
sudo dpkg-reconfigure slapd
Answer “No” for the first question (“Omit OpenLDAP server configuration”) and then type your domain (such as example.com).
Next, configure the organizational name (which can be whatever you need to define an organization). When asked if you want to remove the slapd database, answer “No,” and then answer “Yes” to move the old database.
With this taken care of, you can now populate the LDAP database with your first entry. To do that, we’ll use an LDIF file. Create the file with this command:
nano ldap_data.ldif
In that file, paste the following (making sure to replace the DIT with your domain and customize every placeholder written in capitals, such as DEPARTMENT, USER and PASSWORD):
dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Groups,dc=example,dc=com
objectClass: organizationalUnit
ou: Groups

dn: cn=DEPARTMENT,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: DEPARTMENT
gidNumber: 5000

dn: uid=USER,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: USER
sn: LASTNAME
givenName: FIRSTNAME
cn: FULLNAME
displayName: DISPLAYNAME
uidNumber: 10000
gidNumber: 5000
userPassword: PASSWORD
gecos: FULLNAME
loginShell: /bin/bash
homeDirectory: USERDIRECTORY
The blank lines between entries are required, and the cn attribute of the group entry must match the cn in its dn, or slapd will reject the entry. The userPassword attribute also accepts a hashed value, such as the {SSHA} output of slappasswd, instead of a cleartext password.
Save and close the file.
Add the new entry with the command:
ldapadd -x -D cn=admin,dc=example,dc=com -W -f ldap_data.ldif
Make sure to change the DIT in the above command to match yours. Once you’ve successfully entered your LDAP admin password, the entries will be added. You can verify the addition by searching for the user you added, like this:
ldapsearch -x -LLL -b dc=example,dc=com 'uid=USER' cn gidNumber
Be sure to replace the text “USER” in the previous command with the username in the uid: entry in the LDIF file.
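As an added example (not part of this tutorial), the following Python builds the group and user entries from the LDIF above with a {SSHA}-hashed userPassword, the same form slappasswd produces, and refuses any entry whose naming attribute disagrees with its dn; the DIT, names and password are assumed sample values.

```python
import base64
import hashlib
import os

BASE_DN = "dc=example,dc=com"  # assumed DIT, as in the tutorial

def ssha_hash(password, salt=None):
    """Return a {SSHA} userPassword value, the same form slappasswd produces."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def ssha_verify(password, stored):
    """Check a candidate password against a stored {SSHA} value (what slapd does on bind)."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes, salt follows
    return hashlib.sha1(password.encode() + salt).digest() == digest

def naming_attribute_ok(entry):
    """True if the RDN of the entry's dn (e.g. cn=linuxlogins) is also present as an
    attribute line; slapd rejects an add where the two disagree (case-sensitive here)."""
    attr, value = entry[0][len("dn: "):].split(",", 1)[0].split("=", 1)
    return f"{attr}: {value}" in entry[1:]

def build_ldif(uid, first, last, uid_number, group, gid_number, password, base_dn=BASE_DN):
    """Emit the group and user entries from the tutorial with a hashed password."""
    full = f"{first} {last}"
    entries = [
        [f"dn: cn={group},ou=Groups,{base_dn}", "objectClass: posixGroup",
         f"cn: {group}", f"gidNumber: {gid_number}"],
        [f"dn: uid={uid},ou=People,{base_dn}", "objectClass: inetOrgPerson",
         "objectClass: posixAccount", "objectClass: shadowAccount",
         f"uid: {uid}", f"sn: {last}", f"givenName: {first}", f"cn: {full}",
         f"displayName: {full}", f"uidNumber: {uid_number}",
         f"gidNumber: {gid_number}", f"userPassword: {ssha_hash(password)}",
         f"gecos: {full}", "loginShell: /bin/bash", f"homeDirectory: /home/{uid}"],
    ]
    for entry in entries:
        if not naming_attribute_ok(entry):
            raise ValueError(f"naming attribute missing for {entry[0]}")
    return "\n\n".join("\n".join(e) for e in entries) + "\n"
```

The output can be fed to the same ldapadd command shown above once the ou=People and ou=Groups containers exist.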
Installing the LDAP Account Manager
Instead of having to do everything by way of the command line, you can add the LDAP Account Manager (LAM) into the mix for a handy web-based admin tool. Install this with:
sudo apt-get install ldap-account-manager -y
After the installation completes, access LAM from the URL “http://SERVER/lam” (where SERVER is the IP address or domain name of the hosting server). When the page loads, click LAM Configuration in the upper-right corner of the window (Figure 1).
Figure 1: The LAM login page.
On the resulting page, click Edit Server Profiles; when prompted, type “lam” as the password. In the next page, you’ll need to configure the following information:
- Under Server Settings, configure the Tree Suffix (under Tree Tools) to match your DIT.
- In the List of Valid Users, change “cn=Manager”, “dc=my-domain” and “dc=com” to “cn=admin”, “dc=example” and “dc=com” (making sure to change “example” and “com” to match your DIT).
- In the Account Types tab, change every instance of “my-domain” and “com” to match your DIT.
Save the configuration and then, when prompted, log back in using your LDAP admin user password.
Creating a New Group in LAM
In the Groups tab (Figure 2), you’ll want to create a new group with a straightforward name (such as “linuxlogins”).
Figure 2: Creating a new group in LAM is very simple.
Once you’ve done that, click the Users tab and create a new user. In the resulting window (Figure 3), you’ll need to do the following:
- Add all of the necessary personal information for the user in the Personal section.
- Create a Unix login in the Unix section.
- Set a password for the user by clicking Set Password.
Figure 3: Creating a new user in LAM.
Authenticating From the Linux Desktop
With the server taken care of, you can now configure a Linux desktop to authenticate to the LDAP server. To do that, log in to the Linux desktop machine and install the necessary software with:
sudo apt-get install libnss-ldap libpam-ldap ldap-utils nscd -y
During the installation, you’re required to enter an address for the LDAP server, which is in this form:
ldap://SERVER
Be sure to replace the text “SERVER” with the IP address of the LDAP server you’ve just deployed.
You’ll then be required to select the following:
- Version of LDAP = 3
- Make local root Database admin = Yes
- Does the LDAP database require login? = No
- LDAP account for root = cn=admin,dc=example,dc=com (make sure to use your DIT)
- LDAP root account password = the password for the LDAP admin user
When the installation is complete, you’ll then have to configure the client for LDAP authentication. To do this, open the nsswitch.conf file:
sudo nano /etc/nsswitch.conf
Locate the following lines:
passwd: files systemd sss
group: files systemd sss
shadow: files sss
Change those lines to:
passwd: files systemd ldap
group: files systemd ldap
shadow: files ldap
Save and close the file.
Open the common-password file with this command:
sudo nano /etc/pam.d/common-password
Look for the following line:
password [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_pass
Remove the use_authtok entry; then, save and close the file.
Open the common-session file:
sudo nano /etc/pam.d/common-session
At the bottom of that file, add the following:
session optional pam_mkhomedir.so skel=/etc/skel umask=077
Save and close the file.
Reboot the client machine and, when prompted for a login, log in with a user in the LDAP directory. You should now have access to the desktop.
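Before rebooting, an added check (not from the tutorial) that parses the three edited client files and confirms the ldap sources, the removed use_authtok and the pam_mkhomedir line are all in place; the file contents below are constructed samples, and on a real client you would read them from /etc/nsswitch.conf and /etc/pam.d instead.

```python
# Constructed samples of the three client files after the edits described above.
NSSWITCH = """\
passwd: files systemd ldap
group: files systemd ldap
shadow: files ldap
"""
COMMON_PASSWORD = """\
password [success=1 user_unknown=ignore default=die] pam_ldap.so try_first_pass
"""
COMMON_SESSION = """\
session required pam_unix.so
session optional pam_mkhomedir.so skel=/etc/skel umask=077
"""

def parse_nsswitch(text):
    """Map each database (passwd, group, shadow, ...) to its ordered list of sources."""
    dbs = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            db, sources = line.split(":", 1)
            dbs[db.strip()] = sources.split()
    return dbs

def parse_pam(text):
    """Return (type, module, args) per rule; the control field may be [bracketed]."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("@include"):
            continue
        if "]" in line:        # e.g. password [success=1 ...] pam_ldap.so args
            ptype, parts = line.split()[0], line.split("]", 1)[1].split()
        else:
            ptype, _control, *parts = line.split()
        if parts:
            rules.append((ptype, parts[0], parts[1:]))
    return rules

def client_ldap_ready(nsswitch, common_password, common_session):
    """Report whether the three edits from the tutorial are in place."""
    dbs = parse_nsswitch(nsswitch)
    return {
        "nss_ldap": all("ldap" in dbs.get(db, []) for db in ("passwd", "group", "shadow")),
        "pam_ldap_no_authtok": any(m == "pam_ldap.so" and "use_authtok" not in a
                                   for t, m, a in parse_pam(common_password) if t == "password"),
        "mkhomedir": any(m == "pam_mkhomedir.so"
                         for t, m, _ in parse_pam(common_session) if t == "session"),
    }
```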
Congratulations! You’ve just deployed your first LDAP server and configured a client to authenticate against the directory tree.