Install and Configure OpenLDAP Server on Debian 9 Stretch

kifarunix.com, published 2019-01-03 (last modified 2020-05-08)

In this guide, we are going to learn how to install and configure OpenLDAP server on Debian 9 Stretch. OpenLDAP is an open-source implementation of the Lightweight Directory Access Protocol (LDAP), a protocol for reading and maintaining a hierarchical, non-relational directory of data. It commonly serves as an authentication backend for various services or as an address book, e.g. for email clients.

Install and configure OpenLDAP Server on Debian 9 Stretch

Update and upgrade your system packages:

apt update
apt upgrade

Install the LDAP packages:

apt -y install slapd ldap-utils

The installer will prompt you to set the LDAP administrator password.


Select Ok and press Enter to re-enter the password for verification.


Press Enter to proceed with the installation and configuration.

Note that the installer does not prompt for the DNS domain or the organization name. Both are derived from the server's domain name (e.g. example.com), so set the hostname correctly before installing slapd.

When the installation completes, you can use the slapcat command to dump the contents of the default slapd database in LDIF form.

slapcat

dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: example.com
dc: example
structuralObjectClass: organization
entryUUID: 500707ac-a37d-1038-847d-09fcfa8020a8
creatorsName: cn=admin,dc=example,dc=com
createTimestamp: 20190103082837Z
entryCSN: 20190103082837.967303Z#000000#000#000000
modifiersName: cn=admin,dc=example,dc=com
modifyTimestamp: 20190103082837Z

dn: cn=admin,dc=example,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: e1NTSEF9VDZmUXY5WWRXb1RMbHczd2NrTS9zSTdob2xHNUZscDE=
structuralObjectClass: organizationalRole
entryUUID: 500a9502-a37d-1038-847e-09fcfa8020a8
creatorsName: cn=admin,dc=example,dc=com
createTimestamp: 20190103082837Z
entryCSN: 20190103082837.990678Z#000000#000#000000
modifiersName: cn=admin,dc=example,dc=com
modifyTimestamp: 20190103082837Z

From the slapcat output above, the installer has set the base DN to dc=example,dc=com, the organization name to o: example.com, and the administrator DN to cn=admin,dc=example,dc=com.

You can verify the base DN with the ldapsearch command as shown below:

ldapsearch -x -LLL -b dc=example,dc=com dn

dn: dc=example,dc=com

dn: cn=admin,dc=example,dc=com

Allow the LDAP port through UFW (if it is running) so that external clients can connect. Note that this opens plain LDAP (TCP 389); bind credentials sent over it are not encrypted unless StartTLS or LDAPS is configured.

ufw allow ldap
Rule added
Rule added (v6)

Reload UFW:

ufw reload
Firewall reloaded

Test the LDAP connection with the ldapwhoami command:

ldapwhoami -H ldap:// -x
anonymous

The result is anonymous because the test binds without credentials (-x with no -D). It confirms that the LDAP server is responding to queries.

Create a Base DN for Users and Groups

As shown above, the administrator DN has been created. However, since we are going to manage users with the LDAP server, you need to create base DNs (organizational units) for users and groups. Therefore create an LDAP Data Interchange Format (LDIF) file with the following contents and use it to create the user/group base DNs. Be sure to replace the domain name accordingly.

vim user_group_base.ldif

dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=example,dc=com
objectClass: organizationalUnit
ou: groups

To add these entries, run the command below. When prompted for the LDAP password, enter the LDAP admin password set during installation.

ldapadd -x -D cn=admin,dc=example,dc=com -W -f user_group_base.ldif

Enter LDAP Password: LDAP admin password
adding new entry "ou=people,dc=example,dc=com"

adding new entry "ou=groups,dc=example,dc=com"

Add LDAP User Accounts

In order to add user accounts to the LDAP server, you need to create an LDIF file containing the attribute definitions for the users. To add a user with a password, first generate a password hash with the slappasswd command so that the plaintext password never ends up in the directory.

slappasswd
New password: PassW0rd
Re-enter new password: PassW0rd
{SSHA}7C1UCXJvN3UnryzVttzHWzLD/B10ilq3

Create a new user LDIF file with the following content. Replace the domain, the user names and the {SSHA} hash value accordingly.

vim new_user.ldif

dn: uid=amibey,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: amibey
cn: amibey
givenName: Amos
sn: Mibey
userPassword: {SSHA}7C1UCXJvN3UnryzVttzHWzLD/B10ilq3
loginShell: /bin/bash
uidNumber: 10000
gidNumber: 10000
homeDirectory: /home/amibey
shadowMax: 60
shadowMin: 1
shadowWarning: 7
shadowInactive: 7
shadowLastChange: 0

dn: cn=amibey,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: amibey
gidNumber: 10000
memberUid: amibey

This will create a user whose username is amibey, together with a primary group of the same name.

Run the command below to add the user above.
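ldapadd accepts a group whose gidNumber is 0 or a userPassword typed in plaintext without complaint, so it is worth linting a user LDIF before adding it. The following checker is an added example, not part of the original guide; it parses a constructed sample modelled on new_user.ldif above (with the group's gidNumber deliberately left at 0 to show what the check reports) and verifies that every posixAccount has a hashed password and a matching posixGroup.

```python
import re
# Constructed sample modelled on new_user.ldif above; the group's gidNumber
# is deliberately left at 0 to show what the check reports.
SAMPLE_LDIF = """\
dn: uid=amibey,ou=people,dc=example,dc=com
objectClass: posixAccount
uid: amibey
userPassword: {SSHA}7C1UCXJvN3UnryzVttzHWzLD/B10ilq3
gidNumber: 10000

dn: cn=amibey,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: amibey
gidNumber: 0
memberUid: amibey
"""
# userPassword values without one of these scheme prefixes are stored as typed.
HASHED = re.compile(r"^\{(SSHA|SHA|SMD5|MD5|CRYPT)\}")

def parse_ldif(text):
    # Minimal LDIF reader: no line folding, no '::' base64 values.
    entries, entry = [], {}
    for line in text.splitlines():
        if not line.strip():
            if entry:
                entries.append(entry)
            entry = {}
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    if entry:
        entries.append(entry)
    return entries

def lint_user_ldif(text):
    entries = parse_ldif(text)
    users = [e for e in entries if "posixAccount" in e.get("objectClass", [])]
    groups = {g["gidNumber"][0]: g for g in entries
              if "posixGroup" in g.get("objectClass", [])}
    problems = []
    for g in groups.values():
        if g["gidNumber"][0] == "0":
            problems.append(f"group {g['cn'][0]}: gidNumber 0 is root's GID")
    for u in users:
        uid, gid = u["uid"][0], u["gidNumber"][0]
        if any(not HASHED.match(p) for p in u.get("userPassword", [])):
            problems.append(f"user {uid}: userPassword is not a hashed value")
        if gid not in groups:
            problems.append(f"user {uid}: no posixGroup has gidNumber {gid}")
    return problems
```

Run lint_user_ldif on the file contents before ldapadd; an empty list means the account and its primary group are consistent.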

ldapadd -x -D cn=admin,dc=example,dc=com -W -f new_user.ldif

Enter LDAP Password: admin password
adding new entry "uid=amibey,ou=people,dc=example,dc=com"

adding new entry "cn=amibey,ou=groups,dc=example,dc=com"

You can list all the entries under the base dc=example,dc=com with the command below:

ldapsearch -x -LLL -b "dc=example,dc=com"

To print all the LDAP entries with their attributes, run the command below:

ldapsearch -x -LLL -b dc=example,dc=com '(objectclass=*)'

dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: example.com
dc: example

dn: cn=admin,dc=example,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator

dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=example,dc=com
objectClass: organizationalUnit
ou: groups

dn: uid=amibey,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: amibey
cn: amibey
givenName: Amos
sn: Mibey
loginShell: /bin/bash
uidNumber: 10000
gidNumber: 10000
homeDirectory: /home/amibey
shadowMax: 60
shadowMin: 1
shadowWarning: 7
shadowInactive: 7
shadowLastChange: 0

dn: cn=amibey,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: amibey
gidNumber: 10000
memberUid: amibey

You can also delete an LDAP user or group with the commands below:

ldapdelete -x -W -D "cn=admin,dc=example,dc=com" "uid=amibey,ou=people,dc=example,dc=com"

ldapdelete -x -W -D "cn=admin,dc=example,dc=com" "cn=amibey,ou=groups,dc=example,dc=com"

In case you need to reset a user's password, you can use the ldappasswd command as shown below:

ldappasswd -H ldap://192.168.43.59 -x -D "cn=admin,dc=example,dc=com" -W -S "uid=amibey,ou=people,dc=example,dc=com"
New password: user pass
Re-enter new password: user pass
Enter LDAP Password: LDAP admin pass

To verify the user's password, bind as that user with the ldapwhoami command as shown below:

ldapwhoami -vvv -h 192.168.43.59 -D "uid=amibey,ou=people,dc=example,dc=com" -x -W
ldap_initialize( ldap://192.168.43.59 )
Enter LDAP Password: user password
dn:uid=amibey,ou=people,dc=example,dc=com
Result: Success (0)

If you see Result: Success (0), the password matches. If the credentials are wrong, you will get the following output:

ldapwhoami -vvv -h 192.168.43.59 -D "uid=amibey,ou=people,dc=example,dc=com" -x -W
ldap_initialize( ldap://192.168.43.59 )
Enter LDAP Password:
ldap_bind: Invalid credentials (49)

That is all it takes to install and configure an OpenLDAP server on Debian 9 Stretch. In our next tutorial, we will learn how to configure an LDAP client on Debian 9 Stretch.
