This video marks the start of a mini-series on using the openLDAP Directory Server on Ubuntu 12.04 LTS Server. We have seen installations of openLDAP on earlier editions of Ubuntu before, but this marks the first on Server and, as I say, the start of an exciting series.
On Ubuntu a little auto-configuration happens during the installation of openLDAP: a local directory is created with the base DN taken from the domain name of the host. For this reason we should configure the 127.0.1.1 entry in the /etc/hosts file with the host and domain name that we would like the LDAP server to host. For example, if we would like to create a directory for dc=tup,dc=com then we would ensure the entry in the hosts file was similar to the following:
127.0.1.1 ubuntu.tup.com ubuntu
This only needs to be in place for the installation and if required it can be reverted once the installation has completed.
With the naming infrastructure in place we can proceed with the install of openLDAP: using apt-get we will install both the server, slapd, and the tools, ldap-utils. At the end of the installation we will be prompted for the administrator password for the openLDAP server; in my case this will be the account cn=admin,dc=tup,dc=com. The password can be anything, but try to keep it secure and separate from the root user's password.
The next infrastructure step will be to open up ports in the firewall; of course, you may not be running a host-based firewall on your system. In my case I am using UFW on Ubuntu 12.04 and will need to open TCP port 389 for LDAP and possibly TCP port 636 for LDAPS. Currently I will not be using LDAPS, so I open just the LDAP port. For UFW, this can be achieved with the command:
sudo ufw allow "openLDAP LDAP"
The status of the firewall can be verified with the command:
sudo ufw status
From the above screenshot we can see that the LDAP ports are open for both TCP v4 and v6. Now we are ready to check the configuration of openLDAP. Since version 8 of Ubuntu the openLDAP server uses a configuration Directory (cn=config) rather than a file to store its settings. This can only be accessed by root and is done using the command:
sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config dn
- -Q enables SASL quiet mode, so we are never prompted for SASL credentials
- -LLL output in LDIF format, without comments and without the version line
- -Y EXTERNAL uses the EXTERNAL SASL mechanism; over ldapi:/// the server authenticates the connecting process by its Unix UID, which is why the command is run under sudo
- -H the LDAP URI to connect to; ldapi:/// is the local Unix-domain socket rather than a TCP port
- -b is the LDAP base to search; here it is cn=config, the configuration Directory itself, and we look to list its entries
- dn: list just the distinguished name attribute of each entry
Next we can use similar syntax to connect to the actual tup Directory. With this we can run ldapsearch as a normal user, as we authenticate to the directory itself rather than relying on the root account. We can additionally have this search run without authentication, as the elements of the Directory we need can be read anonymously.
ldapsearch -x -LLL -H ldap:/// -b dc=tup,dc=com
The -x selects simple authentication (anonymous here, as no bind DN is given), and the method of access is now ldap to the localhost rather than ldapi. The base DN that we search is the top container, and currently the only container in the Directory, dc=tup,dc=com.
The final part of this lesson is to create OUs, Organizational Units, for users and groups, with the usual names ou=people and ou=groups. To add entries to the Directory we use an LDIF file and ldapadd. The LDIF file has to be created; here I use a file I have named structure.ldif.
dn: ou=people,dc=tup,dc=com
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=tup,dc=com
objectClass: organizationalUnit
ou: groups
We then need to import this using the admin name and password entered when we installed openLDAP; of course we cannot use the anonymous account we used for the search. The option -x selects simple authentication, -D gives the admin DN, and -W will prompt for the password.
ldapadd -x -W -D "cn=admin,dc=tup,dc=com" -f /tmp/structure.ldif
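As an added example that is not part of the original post, the following POSIX shell script ties the steps above together: it derives the base DN that the slapd installer builds from the host's domain name (the reason for the 127.0.1.1 entry in /etc/hosts), emits the matching hosts line, and generates the structure.ldif with ou=people and ou=groups under that base. The host name ubuntu.tup.com, the suffix dc=tup,dc=com and the OU names come from the post; the function names base_dn_from_fqdn, hosts_line_for_fqdn and write_structure_ldif are this example's own. The ldapadd step is printed rather than executed, since it needs the live server and an interactive password prompt.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds the same artefacts the
# post creates by hand: the /etc/hosts line, the base DN slapd derives from the
# host's domain, and the structure.ldif for ou=people and ou=groups.
# The function names are this example's own; ubuntu.tup.com, dc=tup,dc=com,
# people and groups are the values used in the post.

# base_dn_from_fqdn ubuntu.tup.com  ->  dc=tup,dc=com
# The installer drops the host label and turns each remaining domain component
# into one dc= RDN. A name with no domain part is rejected, because that is the
# case that leaves you with an unwanted default suffix after installation.
base_dn_from_fqdn() {
    fqdn=$1
    domain=${fqdn#*.}
    if [ "$domain" = "$fqdn" ] || [ -z "$domain" ]; then
        echo "base_dn_from_fqdn: '$fqdn' has no domain part" >&2
        return 1
    fi
    dn=''
    old_ifs=$IFS
    IFS=.
    for label in $domain; do
        dn="${dn:+$dn,}dc=$label"
    done
    IFS=$old_ifs
    printf '%s\n' "$dn"
}

# hosts_line_for_fqdn ubuntu.tup.com  ->  "127.0.1.1 ubuntu.tup.com ubuntu"
# This is the /etc/hosts line the installer reads; the short host name is the
# first label of the FQDN.
hosts_line_for_fqdn() {
    printf '127.0.1.1 %s %s\n' "$1" "${1%%.*}"
}

# write_structure_ldif BASE_DN OU...  ->  LDIF on stdout, one organizationalUnit
# entry per OU, entries separated by the blank line ldapadd requires.
write_structure_ldif() {
    base=$1
    shift
    for ou in "$@"; do
        printf 'dn: ou=%s,%s\nobjectClass: organizationalUnit\nou: %s\n\n' \
            "$ou" "$base" "$ou"
    done
}

# Stand-alone run with the post's values.
fqdn=ubuntu.tup.com
base=$(base_dn_from_fqdn "$fqdn")
hosts_line_for_fqdn "$fqdn"
ldif=$(mktemp)
write_structure_ldif "$base" people groups > "$ldif"
cat "$ldif"
# Simple bind (-x) as the admin DN chosen during installation; -W prompts for
# the password, so the command is shown here rather than executed.
echo "next: ldapadd -x -W -D \"cn=admin,$base\" -f $ldif"
```

Running the script prints the hosts line to put in place before `apt-get install slapd ldap-utils`, the generated LDIF, and the ldapadd command to import it; the LDIF file is left on disk for that import.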