{"id":20229,"date":"2024-02-25T17:44:37","date_gmt":"2024-02-25T14:44:37","guid":{"rendered":"https:\/\/kifarunix.com\/?p=20229"},"modified":"2024-03-10T15:44:42","modified_gmt":"2024-03-10T12:44:42","slug":"install-openldap-server-on-ubuntu-24-04","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/install-openldap-server-on-ubuntu-24-04\/","title":{"rendered":"Install OpenLDAP Server on Ubuntu 24.04"},"content":{"rendered":"\n<p>In this tutorial, you will learn how to install OpenLDAP Server on Ubuntu 24.04.&nbsp;<a href=\"https:\/\/www.openldap.org\/software\/\" target=\"_blank\" rel=\"noreferrer noopener\">OpenLDAP Software<\/a>&nbsp;is an&nbsp;open source&nbsp;implementation of the&nbsp;<strong>L<\/strong>ightweight&nbsp;<strong>D<\/strong>irectory&nbsp;<strong>A<\/strong>ccess&nbsp;<strong>P<\/strong>rotocol (LDAP), which is a lightweight client-server protocol for accessing directory services, specifically X.500-based directory services.<\/p>\n\n\n\n<div class=\"wp-block-rank-math-toc-block\" id=\"rank-math-toc\"><h2>Table of Contents<\/h2><nav><ul><li><a href=\"#installing-open-ldap-server-on-ubuntu-24-04\">Installing OpenLDAP Server on Ubuntu 24.04<\/a><ul><li><a href=\"#run-system-update\">Run System Update<\/a><\/li><li><a href=\"#install-open-ldap-server\">Install OpenLDAP Server<\/a><\/li><\/ul><\/li><li><a href=\"#configure-open-ldap-on-ubuntu-24-04\">Configure OpenLDAP on Ubuntu 24.04<\/a><ul><li><a href=\"#view-ldap-database-settings\">View LDAP Database Settings<\/a><\/li><li><a href=\"#update-open-ldap-database\">Update OpenLDAP Database<\/a><\/li><li><a href=\"#configure-open-ldap-with-ssl-tls\">Configure OpenLDAP with SSL\/TLS<\/a><ul><li><a href=\"#generate-ssl-tls-certificate-files\">Generate SSL\/TLS Certificate Files<\/a><\/li><li><a href=\"#update-open-ldap-server-tls-certificates\">Update OpenLDAP Server TLS Certificates<\/a><\/li><\/ul><\/li><li><a href=\"#configure-open-ldap-to-provide-sudo\">Configure OpenLDAP to Provide 
SUDO<\/a><ul><li><a href=\"#create-open-ldap-sudo-schema\">Create OpenLDAP SUDO Schema<\/a><\/li><li><a href=\"#configure-open-ldap-to-include-sudo-schema-in-its-database\">Configure OpenLDAP to include SUDO schema in its database<\/a><\/li><\/ul><\/li><li><a href=\"#adjust-open-ldap-database-access-control-lists\">Adjust OpenLDAP Database Access Control Lists<\/a><\/li><li><a href=\"#open-ldap-user-accounts\">OpenLDAP User Accounts<\/a><ul><li><a href=\"#create-open-ldap-user-accounts\">Create OpenLDAP User Accounts<\/a><\/li><li><a href=\"#setting-password-for-ldap-users\">Setting Password for LDAP Users<\/a><\/li><\/ul><\/li><li><a href=\"#create-open-ldap-bind-dn\">Create OpenLDAP BIND DN<\/a><ul><li><a href=\"#create-bind-dn-read-only-user\">Create Bind DN Read Only User<\/a><\/li><li><a href=\"#define-access-control-lists-for-read-only-user\">Define Access Control Lists for ReadOnly User<\/a><\/li><li><a href=\"#create-open-ldap-system-bind-dn-and-user\">Create OpenLDAP System Bind DN and User<\/a><\/li><\/ul><\/li><li><a href=\"#configure-open-ldap-logging-on-ubuntu-24-04\">Configure OpenLDAP Logging on Ubuntu 24.04<\/a><\/li><li><a href=\"#allow-open-ldap-service-on-firewall\">Allow OpenLDAP Service on Firewall<\/a><\/li><li><a href=\"#authenticate-via-open-ldap-server\">Authenticate Via OpenLDAP Server<\/a><\/li><\/ul><\/li><\/ul><\/nav><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"installing-open-ldap-server-on-ubuntu-24-04\">Installing OpenLDAP Server on Ubuntu 24.04<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"run-system-update\">Run System Update<\/h3>\n\n\n\n<p>Before you begin, ensure your system package cache is up-to-date.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>apt update<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"install-open-ldap-server\">Install OpenLDAP Server<\/h3>\n\n\n\n<p>The default Ubuntu 24.04 repositories provide the latest release version of OpenLDAP. 
As of this writing, OpenLDAP 2.6.7 is the current stable release, as per the <a href=\"https:\/\/www.openldap.org\/software\/release\/\" target=\"_blank\" rel=\"noreferrer noopener\">release page<\/a>.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>apt-cache policy slapd<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>slapd:\n  Installed: (none)\n  Candidate: 2.6.7+dfsg-1~exp1ubuntu1\n  Version table:\n     2.6.7+dfsg-1~exp1ubuntu1 500\n        500 http:\/\/archive.ubuntu.com\/ubuntu noble\/main amd64 Packages\n<\/code><\/pre>\n\n\n\n<p>Hence, you can install OpenLDAP on Ubuntu 24.04 using the command below;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo apt install slapd ldapscripts<\/code><\/pre>\n\n\n\n<p>During the installation, you will be prompted to set the OpenLDAP administrative password.<\/p>\n\n\n\n<figure data-wp-context=\"{&quot;uploadedSrc&quot;:&quot;https:\\\/\\\/kifarunix.com\\\/wp-content\\\/uploads\\\/2024\\\/02\\\/openldap-admin-pass.png&quot;,&quot;figureClassNames&quot;:&quot;wp-block-image size-full&quot;,&quot;figureStyles&quot;:null,&quot;imgClassNames&quot;:&quot;wp-image-20231&quot;,&quot;imgStyles&quot;:null,&quot;targetWidth&quot;:1372,&quot;targetHeight&quot;:645,&quot;scaleAttr&quot;:false,&quot;ariaLabel&quot;:&quot;Enlarge image: Install OpenLDAP Server on Ubuntu 24.04&quot;,&quot;alt&quot;:&quot;Install OpenLDAP Server on Ubuntu 24.04&quot;}\" data-wp-interactive=\"core\/image\" class=\"wp-block-image size-full wp-lightbox-container\"><img loading=\"lazy\" decoding=\"async\" width=\"1372\" height=\"645\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on-async--click=\"actions.showLightbox\" data-wp-on-async--load=\"callbacks.setButtonStyles\" data-wp-on-async-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/02\/openldap-admin-pass.png?v=1708798111\" alt=\"Install OpenLDAP Server on Ubuntu 24.04\" class=\"wp-image-20231\" title=\"\" 
srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/02\/openldap-admin-pass.png?v=1708798111 1372w, https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/02\/openldap-admin-pass-768x361.png?v=1708798111 768w\" sizes=\"(max-width: 1372px) 100vw, 1372px\" \/><button\n\t\t\tclass=\"lightbox-trigger\"\n\t\t\ttype=\"button\"\n\t\t\taria-haspopup=\"dialog\"\n\t\t\taria-label=\"Enlarge image: Install OpenLDAP Server on Ubuntu 24.04\"\n\t\t\tdata-wp-init=\"callbacks.initTriggerButton\"\n\t\t\tdata-wp-on-async--click=\"actions.showLightbox\"\n\t\t\tdata-wp-style--right=\"context.imageButtonRight\"\n\t\t\tdata-wp-style--top=\"context.imageButtonTop\"\n\t\t>\n\t\t\t<svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"12\" height=\"12\" fill=\"none\" viewBox=\"0 0 12 12\">\n\t\t\t\t<path fill=\"#fff\" d=\"M2 0a2 2 0 0 0-2 2v2h1.5V2a.5.5 0 0 1 .5-.5h2V0H2Zm2 10.5H2a.5.5 0 0 1-.5-.5V8H0v2a2 2 0 0 0 2 2h2v-1.5ZM8 12v-1.5h2a.5.5 0 0 0 .5-.5V8H12v2a2 2 0 0 1-2 2H8Zm2-12a2 2 0 0 1 2 2v2h-1.5V2a.5.5 0 0 0-.5-.5H8V0h2Z\" \/>\n\t\t\t<\/svg>\n\t\t<\/button><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"configure-open-ldap-on-ubuntu-24-04\">Configure OpenLDAP on Ubuntu 24.04<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"view-ldap-database-settings\">View LDAP Database Settings<\/h3>\n\n\n\n<p>You can check the default OpenLDAP database settings using the <strong>slapcat<\/strong> command.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>slapcat<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>dn: dc=nodomain\nobjectClass: top\nobjectClass: dcObject\nobjectClass: organization\no: nodomain\ndc: nodomain\nstructuralObjectClass: organization\nentryUUID: fa7581ea-6787-103e-9c50-bf1e7fcd254f\ncreatorsName: cn=admin,dc=nodomain\ncreateTimestamp: 20240224174335Z\nentryCSN: 20240224174335.131130Z#000000#000#000000\nmodifiersName: cn=admin,dc=nodomain\nmodifyTimestamp: 20240224174335Z\n<\/code><\/pre>\n\n\n\n<p>Based on the SLAPD database configuration output 
above,<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The Base DN is set to&nbsp;<code>dn: dc=nodomain<\/code>.<\/li>\n\n\n\n<li>The Organization name is set to&nbsp;<code>o: nodomain<\/code>.<\/li>\n\n\n\n<li>The LDAP admin Base DN entry is set to&nbsp;<code>cn=admin,dc=nodomain<\/code>.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"update-open-ldap-database\">Update OpenLDAP Database<\/h3>\n\n\n\n<p>Based on your organization setup, you need to update the OpenLDAP database.<\/p>\n\n\n\n<p>Thus, &nbsp;you need to reconfigure slapd package as shown below and follow through the prompts.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>dpkg-reconfigure slapd<\/code><\/pre>\n\n\n\n<p>When the command runs, you are prompted on whether to omit OpenLDAP server configuration. Select&nbsp;<strong>No<\/strong>&nbsp;to have the configuration created for you.<\/p>\n\n\n\n<figure data-wp-context=\"{&quot;uploadedSrc&quot;:&quot;https:\\\/\\\/kifarunix.com\\\/wp-content\\\/uploads\\\/2024\\\/02\\\/create-openldap-initial-config.png&quot;,&quot;figureClassNames&quot;:&quot;wp-block-image size-full&quot;,&quot;figureStyles&quot;:null,&quot;imgClassNames&quot;:&quot;wp-image-20232&quot;,&quot;imgStyles&quot;:null,&quot;targetWidth&quot;:1372,&quot;targetHeight&quot;:640,&quot;scaleAttr&quot;:false,&quot;ariaLabel&quot;:&quot;Enlarge image&quot;,&quot;alt&quot;:&quot;&quot;}\" data-wp-interactive=\"core\/image\" class=\"wp-block-image size-full wp-lightbox-container\"><img loading=\"lazy\" decoding=\"async\" width=\"1372\" height=\"640\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on-async--click=\"actions.showLightbox\" data-wp-on-async--load=\"callbacks.setButtonStyles\" data-wp-on-async-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/02\/create-openldap-initial-config.png?v=1708798154\" alt=\"\" class=\"wp-image-20232\" title=\"\" 
srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/02\/create-openldap-initial-config.png?v=1708798154 1372w, https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/02\/create-openldap-initial-config-768x358.png?v=1708798154 768w\" sizes=\"(max-width: 1372px) 100vw, 1372px\" \/><button\n\t\t\tclass=\"lightbox-trigger\"\n\t\t\ttype=\"button\"\n\t\t\taria-haspopup=\"dialog\"\n\t\t\taria-label=\"Enlarge image\"\n\t\t\tdata-wp-init=\"callbacks.initTriggerButton\"\n\t\t\tdata-wp-on-async--click=\"actions.showLightbox\"\n\t\t\tdata-wp-style--right=\"context.imageButtonRight\"\n\t\t\tdata-wp-style--top=\"context.imageButtonTop\"\n\t\t>\n\t\t\t<svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"12\" height=\"12\" fill=\"none\" viewBox=\"0 0 12 12\">\n\t\t\t\t<path fill=\"#fff\" d=\"M2 0a2 2 0 0 0-2 2v2h1.5V2a.5.5 0 0 1 .5-.5h2V0H2Zm2 10.5H2a.5.5 0 0 1-.5-.5V8H0v2a2 2 0 0 0 2 2h2v-1.5ZM8 12v-1.5h2a.5.5 0 0 0 .5-.5V8H12v2a2 2 0 0 1-2 2H8Zm2-12a2 2 0 0 1 2 2v2h-1.5V2a.5.5 0 0 0-.5-.5H8V0h2Z\" \/>\n\t\t\t<\/svg>\n\t\t<\/button><\/figure>\n\n\n\n<p>Update the DNS domain name for constructing the base DN of the LDAP directory.<\/p>\n\n\n\n<figure class=\"gb-block-image gb-block-image-d81de37d\"><img loading=\"lazy\" decoding=\"async\" width=\"1361\" height=\"625\" class=\"gb-image gb-image-d81de37d\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/02\/base-dn-domain-name.png\" alt=\"\" title=\"base-dn-domain-name\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/02\/base-dn-domain-name.png?v=1708798412 1361w, https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/02\/base-dn-domain-name-768x353.png?v=1708798412 768w\" sizes=\"(max-width: 1361px) 100vw, 1361px\"><\/figure>\n\n\n\n<p>Define the name of your Organization for use in the base DN.<\/p>\n\n\n\n<figure 
data-wp-context=\"{&quot;uploadedSrc&quot;:&quot;https:\\\/\\\/kifarunix.com\\\/wp-content\\\/uploads\\\/2024\\\/02\\\/organization-name.png&quot;,&quot;figureClassNames&quot;:&quot;wp-block-image size-full&quot;,&quot;figureStyles&quot;:null,&quot;imgClassNames&quot;:&quot;wp-image-20234&quot;,&quot;imgStyles&quot;:null,&quot;targetWidth&quot;:1360,&quot;targetHeight&quot;:641,&quot;scaleAttr&quot;:false,&quot;ariaLabel&quot;:&quot;Enlarge image&quot;,&quot;alt&quot;:&quot;&quot;}\" data-wp-interactive=\"core\/image\" class=\"wp-block-image size-full wp-lightbox-container\"><img loading=\"lazy\" decoding=\"async\" width=\"1360\" height=\"641\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on-async--click=\"actions.showLightbox\" data-wp-on-async--load=\"callbacks.setButtonStyles\" data-wp-on-async-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/02\/organization-name.png?v=1708798180\" alt=\"\" class=\"wp-image-20234\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/02\/organization-name.png?v=1708798180 1360w, https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/02\/organization-name-768x362.png?v=1708798180 768w\" sizes=\"(max-width: 1360px) 100vw, 1360px\" \/><button\n\t\t\tclass=\"lightbox-trigger\"\n\t\t\ttype=\"button\"\n\t\t\taria-haspopup=\"dialog\"\n\t\t\taria-label=\"Enlarge image\"\n\t\t\tdata-wp-init=\"callbacks.initTriggerButton\"\n\t\t\tdata-wp-on-async--click=\"actions.showLightbox\"\n\t\t\tdata-wp-style--right=\"context.imageButtonRight\"\n\t\t\tdata-wp-style--top=\"context.imageButtonTop\"\n\t\t>\n\t\t\t<svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"12\" height=\"12\" fill=\"none\" viewBox=\"0 0 12 12\">\n\t\t\t\t<path fill=\"#fff\" d=\"M2 0a2 2 0 0 0-2 2v2h1.5V2a.5.5 0 0 1 .5-.5h2V0H2Zm2 10.5H2a.5.5 0 0 1-.5-.5V8H0v2a2 2 0 0 0 2 2h2v-1.5ZM8 12v-1.5h2a.5.5 0 0 0 .5-.5V8H12v2a2 2 0 0 1-2 2H8Zm2-12a2 2 0 0 1 2 2v2h-1.5V2a.5.5 0 0 0-.5-.5H8V0h2Z\" 
\/>\n\t\t\t<\/svg>\n\t\t<\/button><\/figure>\n\n\n\n<p>Reset the OpenLDAP administrator password.<\/p>\n\n\n\n<figure data-wp-context=\"{&quot;uploadedSrc&quot;:&quot;https:\\\/\\\/kifarunix.com\\\/wp-content\\\/uploads\\\/2024\\\/02\\\/openldap-admin-pass.png&quot;,&quot;figureClassNames&quot;:&quot;wp-block-image size-full&quot;,&quot;figureStyles&quot;:null,&quot;imgClassNames&quot;:&quot;wp-image-20231&quot;,&quot;imgStyles&quot;:null,&quot;targetWidth&quot;:1372,&quot;targetHeight&quot;:645,&quot;scaleAttr&quot;:false,&quot;ariaLabel&quot;:&quot;Enlarge image&quot;,&quot;alt&quot;:&quot;&quot;}\" data-wp-interactive=\"core\/image\" class=\"wp-block-image size-full wp-lightbox-container\"><img loading=\"lazy\" decoding=\"async\" width=\"1372\" height=\"645\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on-async--click=\"actions.showLightbox\" data-wp-on-async--load=\"callbacks.setButtonStyles\" data-wp-on-async-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/02\/openldap-admin-pass.png\" alt=\"\" class=\"wp-image-20231\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/02\/openldap-admin-pass.png?v=1708798111 1372w, https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/02\/openldap-admin-pass-768x361.png?v=1708798111 768w\" sizes=\"(max-width: 1372px) 100vw, 1372px\" \/><button\n\t\t\tclass=\"lightbox-trigger\"\n\t\t\ttype=\"button\"\n\t\t\taria-haspopup=\"dialog\"\n\t\t\taria-label=\"Enlarge image\"\n\t\t\tdata-wp-init=\"callbacks.initTriggerButton\"\n\t\t\tdata-wp-on-async--click=\"actions.showLightbox\"\n\t\t\tdata-wp-style--right=\"context.imageButtonRight\"\n\t\t\tdata-wp-style--top=\"context.imageButtonTop\"\n\t\t>\n\t\t\t<svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"12\" height=\"12\" fill=\"none\" viewBox=\"0 0 12 12\">\n\t\t\t\t<path fill=\"#fff\" d=\"M2 0a2 2 0 0 0-2 2v2h1.5V2a.5.5 0 0 1 .5-.5h2V0H2Zm2 10.5H2a.5.5 0 0 1-.5-.5V8H0v2a2 2 0 0 0 2 2h2v-1.5ZM8 
12v-1.5h2a.5.5 0 0 0 .5-.5V8H12v2a2 2 0 0 1-2 2H8Zm2-12a2 2 0 0 1 2 2v2h-1.5V2a.5.5 0 0 0-.5-.5H8V0h2Z\" \/>\n\t\t\t<\/svg>\n\t\t<\/button><\/figure>\n\n\n\n<p>Choose whether to remove the OpenLDAP database whenever you purge the OpenLDAP package, slapd.<\/p>\n\n\n\n<figure data-wp-context=\"{&quot;uploadedSrc&quot;:&quot;https:\\\/\\\/kifarunix.com\\\/wp-content\\\/uploads\\\/2024\\\/02\\\/purge-database-when-slapd-is-removed.png&quot;,&quot;figureClassNames&quot;:&quot;wp-block-image size-full&quot;,&quot;figureStyles&quot;:null,&quot;imgClassNames&quot;:&quot;wp-image-20235&quot;,&quot;imgStyles&quot;:null,&quot;targetWidth&quot;:1363,&quot;targetHeight&quot;:584,&quot;scaleAttr&quot;:false,&quot;ariaLabel&quot;:&quot;Enlarge image&quot;,&quot;alt&quot;:&quot;&quot;}\" data-wp-interactive=\"core\/image\" class=\"wp-block-image size-full wp-lightbox-container\"><img loading=\"lazy\" decoding=\"async\" width=\"1363\" height=\"584\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on-async--click=\"actions.showLightbox\" data-wp-on-async--load=\"callbacks.setButtonStyles\" data-wp-on-async-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/02\/purge-database-when-slapd-is-removed.png?v=1708798227\" alt=\"\" class=\"wp-image-20235\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/02\/purge-database-when-slapd-is-removed.png?v=1708798227 1363w, https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/02\/purge-database-when-slapd-is-removed-768x329.png?v=1708798227 768w\" sizes=\"(max-width: 1363px) 100vw, 1363px\" \/><button\n\t\t\tclass=\"lightbox-trigger\"\n\t\t\ttype=\"button\"\n\t\t\taria-haspopup=\"dialog\"\n\t\t\taria-label=\"Enlarge image\"\n\t\t\tdata-wp-init=\"callbacks.initTriggerButton\"\n\t\t\tdata-wp-on-async--click=\"actions.showLightbox\"\n\t\t\tdata-wp-style--right=\"context.imageButtonRight\"\n\t\t\tdata-wp-style--top=\"context.imageButtonTop\"\n\t\t>\n\t\t\t<svg 
xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"12\" height=\"12\" fill=\"none\" viewBox=\"0 0 12 12\">\n\t\t\t\t<path fill=\"#fff\" d=\"M2 0a2 2 0 0 0-2 2v2h1.5V2a.5.5 0 0 1 .5-.5h2V0H2Zm2 10.5H2a.5.5 0 0 1-.5-.5V8H0v2a2 2 0 0 0 2 2h2v-1.5ZM8 12v-1.5h2a.5.5 0 0 0 .5-.5V8H12v2a2 2 0 0 1-2 2H8Zm2-12a2 2 0 0 1 2 2v2h-1.5V2a.5.5 0 0 0-.5-.5H8V0h2Z\" \/>\n\t\t\t<\/svg>\n\t\t<\/button><\/figure>\n\n\n\n<p>Remove old OpenLDAP database configuration files to finalize the reconfiguration. The old database is stored on&nbsp;<code>\/var\/backups<\/code>.<\/p>\n\n\n\n<figure data-wp-context=\"{&quot;uploadedSrc&quot;:&quot;https:\\\/\\\/kifarunix.com\\\/wp-content\\\/uploads\\\/2024\\\/02\\\/remove-old-database.png&quot;,&quot;figureClassNames&quot;:&quot;wp-block-image size-full&quot;,&quot;figureStyles&quot;:null,&quot;imgClassNames&quot;:&quot;wp-image-20236&quot;,&quot;imgStyles&quot;:null,&quot;targetWidth&quot;:1363,&quot;targetHeight&quot;:616,&quot;scaleAttr&quot;:false,&quot;ariaLabel&quot;:&quot;Enlarge image&quot;,&quot;alt&quot;:&quot;&quot;}\" data-wp-interactive=\"core\/image\" class=\"wp-block-image size-full wp-lightbox-container\"><img loading=\"lazy\" decoding=\"async\" width=\"1363\" height=\"616\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on-async--click=\"actions.showLightbox\" data-wp-on-async--load=\"callbacks.setButtonStyles\" data-wp-on-async-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/02\/remove-old-database.png?v=1708798237\" alt=\"\" class=\"wp-image-20236\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/02\/remove-old-database.png?v=1708798237 1363w, https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/02\/remove-old-database-768x347.png?v=1708798237 768w\" sizes=\"(max-width: 1363px) 100vw, 1363px\" \/><button\n\t\t\tclass=\"lightbox-trigger\"\n\t\t\ttype=\"button\"\n\t\t\taria-haspopup=\"dialog\"\n\t\t\taria-label=\"Enlarge 
image\"\n\t\t\tdata-wp-init=\"callbacks.initTriggerButton\"\n\t\t\tdata-wp-on-async--click=\"actions.showLightbox\"\n\t\t\tdata-wp-style--right=\"context.imageButtonRight\"\n\t\t\tdata-wp-style--top=\"context.imageButtonTop\"\n\t\t>\n\t\t\t<svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"12\" height=\"12\" fill=\"none\" viewBox=\"0 0 12 12\">\n\t\t\t\t<path fill=\"#fff\" d=\"M2 0a2 2 0 0 0-2 2v2h1.5V2a.5.5 0 0 1 .5-.5h2V0H2Zm2 10.5H2a.5.5 0 0 1-.5-.5V8H0v2a2 2 0 0 0 2 2h2v-1.5ZM8 12v-1.5h2a.5.5 0 0 0 .5-.5V8H12v2a2 2 0 0 1-2 2H8Zm2-12a2 2 0 0 1 2 2v2h-1.5V2a.5.5 0 0 0-.5-.5H8V0h2Z\" \/>\n\t\t\t<\/svg>\n\t\t<\/button><\/figure>\n\n\n\n<p>Check the OpenLDAP database again after reconfiguration.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>slapcat<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>dn: dc=ldap,dc=kifarunix,dc=com\nobjectClass: top\nobjectClass: dcObject\nobjectClass: organization\no: kifarunix.com\ndc: ldap\nstructuralObjectClass: organization\nentryUUID: 35f90bca-678c-103e-86f7-25bd8e4e56dc\ncreatorsName: cn=admin,dc=ldap,dc=kifarunix,dc=com\ncreateTimestamp: 20240224181352Z\nentryCSN: 20240224181352.965664Z#000000#000#000000\nmodifiersName: cn=admin,dc=ldap,dc=kifarunix,dc=com\nmodifyTimestamp: 20240224181352Z\n<\/code><\/pre>\n\n\n\n<p>You can also check LDAP Base DN using the&nbsp;<code>ldapsearch<\/code>&nbsp;command as shown below;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ldapsearch -H ldapi:\/\/\/ -x -LLL -s base -b \"\" namingContexts<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>dn:\nnamingContexts: dc=ldap,dc=kifarunix,dc=com\n<\/code><\/pre>\n\n\n\n<p>To view the RootDN, run the command below<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ldapsearch -H ldapi:\/\/\/ -Y EXTERNAL -b \"cn=config\" \"(olcRootDN=*)\"<\/code><\/pre>\n\n\n\n<p>sample output;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>SASL\/EXTERNAL authentication started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\n# 
extended LDIF\n#\n# LDAPv3\n# base <cn=config> with scope subtree\n# filter: (olcRootDN=*)\n# requesting: ALL\n#\n\n# {0}config, config\ndn: olcDatabase={0}config,cn=config\nobjectClass: olcDatabaseConfig\nolcDatabase: {0}config\nolcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external\n ,cn=auth manage by * break\nolcRootDN: cn=admin,cn=config\n\n# {1}mdb, config\ndn: olcDatabase={1}mdb,cn=config\nobjectClass: olcDatabaseConfig\nobjectClass: olcMdbConfig\nolcDatabase: {1}mdb\nolcDbDirectory: \/var\/lib\/ldap\nolcSuffix: dc=ldap,dc=kifarunix,dc=com\nolcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none\nolcAccess: {1}to attrs=shadowLastChange by self write by * read\nolcAccess: {2}to * by * read\nolcLastMod: TRUE\nolcRootDN: cn=admin,dc=ldap,dc=kifarunix,dc=com\nolcRootPW: {SSHA}+fuCaVAvF5wkhXdzsQzGyj9\/YWu+kVRB\nolcDbCheckpoint: 512 30\nolcDbIndex: objectClass eq\nolcDbIndex: cn,uid eq\nolcDbIndex: uidNumber,gidNumber eq\nolcDbIndex: member,memberUid eq\nolcDbMaxSize: 1073741824\n\n# search result\nsearch: 2\nresult: 0 Success\n\n# numResponses: 3\n# numEntries: 2\n<\/code><\/pre>\n\n\n\n<p>To test the connection to LDAP server, use the&nbsp;<code>ldapwhoami<\/code>&nbsp;command as shown below.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ldapwhoami -H ldapi:\/\/\/ -x<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>anonymous<\/code><\/pre>\n\n\n\n<p>The expected output is&nbsp;<code>anonymous<\/code>&nbsp;if the connection to LDAP server is fine since the test is run without logging in to LDAP server.<\/p>\n\n\n\n<p>To search for all the DNs based on the Base DN;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ldapsearch -H ldapi:\/\/\/ -x -LLL -b dc=ldap,dc=kifarunix,dc=com dn<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>dn: dc=ldap,dc=kifarunix,dc=com<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"configure-open-ldap-with-ssl-tls\">Configure OpenLDAP with SSL\/TLS<\/h3>\n\n\n\n<p>In 
this guide, we are going to use self-signed certificates. You can as well use commercial SSL\/TLS certificates from your trusted CA if you have them.<\/p>\n\n\n\n<p>To configure OpenLDAP server with SSL\/TLS certificate, you need a&nbsp;<code>CA certificate<\/code>, server&nbsp;<code>certificate<\/code>&nbsp;and&nbsp;<code>server certificate key<\/code>&nbsp;file.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"generate-ssl-tls-certificate-files\">Generate SSL\/TLS Certificate Files<\/h4>\n\n\n\n<p>Create a directory to store the certificates.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>mkdir -p \/etc\/ssl\/openldap\/{private,certs,newcerts}<\/code><\/pre>\n\n\n\n<p>Once you have created the directories above, open the&nbsp;<code>\/usr\/lib\/ssl\/openssl.cnf<\/code>&nbsp;configuration file and set the directory for storing SSL\/TLS certificates and keys under the&nbsp;<code>[ CA_default ]<\/code>&nbsp;section. It is set to \/usr<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>vim \/usr\/lib\/ssl\/openssl.cnf<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>...\n####################################################################\n[ CA_default ]\n\n#dir            = .\/demoCA              # Where everything is kept\n<strong>dir             = \/etc\/ssl\/openldap\n<\/strong>certs           = $dir\/certs            # Where the issued certs are kept\ncrl_dir         = $dir\/crl              # Where the issued crl are kept\ndatabase        = $dir\/index.txt        # database index file.\n#unique_subject = no                    # Set to 'no' to allow creation of\n                                        # several certs with same subject.\nnew_certs_dir   = $dir\/newcerts         # default place for new certs.\n...\n<\/code><\/pre>\n\n\n\n<p>You also need some files for tracking the signed certificates.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>echo \"1001\" &gt; \/etc\/ssl\/openldap\/serial<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>touch 
\/etc\/ssl\/openldap\/index.txt<\/code><\/pre>\n\n\n\n<p>Create a CA Key file by running the command below. When prompted, enter the passphrase.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>openssl genrsa -aes256 \\\n\t-out \/etc\/ssl\/openldap\/private\/cakey.pem \\\n\t4096\n<\/code><\/pre>\n\n\n\n<p>To remove the passphrase from the CA key;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>openssl rsa \\\n\t-in \/etc\/ssl\/openldap\/private\/cakey.pem \\\n\t-out \/etc\/ssl\/openldap\/private\/cakey.pem\n<\/code><\/pre>\n\n\n\n<p>Create the CA certificate. Be sure to set the common name (CN) to match your server FQDN.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>openssl req -new -x509 \\\n\t-days 3650 \\\n\t-key \/etc\/ssl\/openldap\/private\/cakey.pem \\\n\t-out \/etc\/ssl\/openldap\/certs\/cacert.pem\n<\/code><\/pre>\n\n\n\n<p>You can also simplify the process using the <code>-subj<\/code> option to specify the information. The subject information typically includes details like <strong>country<\/strong>, <strong>state<\/strong>, <strong>locality<\/strong>, <strong>organization<\/strong>, <strong>organizational unit<\/strong>, <strong>common name<\/strong>, and <strong>email address<\/strong>. 
Here&#8217;s an example command with the <code>-subj<\/code> option added:<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>openssl req -new -x509 \\\n\t-days 3650 \\\n\t-key \/etc\/ssl\/openldap\/private\/cakey.pem \\\n\t-out \/etc\/ssl\/openldap\/certs\/cacert.pem \\\n\t<strong>-subj \"\/C=US\/ST=California\/L=SanFrancisco\/O=Kifarunix Inc\/OU=IT Infrastructure\/CN=ldap.kifarunix.com\/emailAddress=admin@kifarunix.com\"<\/strong>\n<\/code><\/pre>\n\n\n\n<p>You can also use wildcard SSL cert to match your various domain names;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>openssl req -new -x509 \\\n\t-days 3650 \\\n\t-key \/etc\/ssl\/openldap\/private\/cakey.pem \\\n\t-out \/etc\/ssl\/openldap\/certs\/cacert.pem \\\n\t-subj \"\/C=US\/ST=California\/L=SanFrancisco\/O=Kifarunix Inc\/OU=IT Infrastructure\/CN=ldap.kifarunix.com\/emailAddress=admin@kifarunix.com\" \\\n\t-addext \"subjectAltName = DNS:*.kifarunix.com,DNS:kifarunix.com\"\n<\/code><\/pre>\n\n\n\n<p>Also specify the extensions in the <strong>openssl.cnf<\/strong> configuration.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>vim \/usr\/lib\/ssl\/openssl.cnf<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>####################################################################\n[ req ]\ndefault_bits            = 2048\ndefault_keyfile         = privkey.pem\ndistinguished_name      = req_distinguished_name\nattributes              = req_attributes\nx509_extensions = v3_ca # The extensions to add to the self signed cert\n\n# Passwords for private keys if not present they will be prompted for\n# input_password = secret\n# output_password = secret\n\n# This sets a mask for permitted string types. 
There are several options.\n# default: PrintableString, T61String, BMPString.\n# pkix   : PrintableString, BMPString (PKIX recommendation before 2004)\n# utf8only: only UTF8Strings (PKIX recommendation after 2004).\n# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).\n# MASK:XXXX a literal mask value.\n# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.\nstring_mask = utf8only\n\n<strong>req_extensions = v3_req # The extensions to add to a certificate request <\/strong>\n\n<\/code><\/pre>\n\n\n\n<p>We define the <strong>extensions to add to a certificate request <\/strong>under the section <strong>v3_req<\/strong>.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>[ v3_req ]\n\n# Extensions to add to a certificate request\n\nbasicConstraints = CA:FALSE\nkeyUsage = nonRepudiation, digitalSignature, keyEncipherment\n<strong>subjectAltName = @alt_names\n\n[alt_names]\nDNS.1 = *.kifarunix.com\nDNS.2 = kifarunix.com<\/strong>\n\n<\/code><\/pre>\n\n\n\n<p>Next generate LDAP server key;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>openssl genrsa -aes256 -out \/etc\/ssl\/openldap\/private\/ldapserver-key.key 4096<\/code><\/pre>\n\n\n\n<p>Remove assigned key passphrase.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>openssl rsa \\\n\t-in \/etc\/ssl\/openldap\/private\/ldapserver-key.key \\\n\t-out \/etc\/ssl\/openldap\/private\/ldapserver-key.key\n<\/code><\/pre>\n\n\n\n<p>Generate the certificate signing request (CSR). 
Be sure to configure the same details as you did when generating the CA certificate file above.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>openssl req -new \\\n\t-key \/etc\/ssl\/openldap\/private\/ldapserver-key.key \\\n\t-out \/etc\/ssl\/openldap\/certs\/ldapserver-cert.csr \\\n\t-subj \"\/C=US\/ST=California\/L=SanFrancisco\/O=Kifarunix Inc\/OU=IT Infrastructure\/CN=ldap.kifarunix.com\/emailAddress=admin@kifarunix.com\"\n<\/code><\/pre>\n\n\n\n<p>Generate the LDAP server certificate and sign it with CA key and certificate generated above.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>openssl ca -keyfile \/etc\/ssl\/openldap\/private\/cakey.pem \\\n\t-cert \/etc\/ssl\/openldap\/certs\/cacert.pem \\\n\t-in \/etc\/ssl\/openldap\/certs\/ldapserver-cert.csr \\\n\t-out \/etc\/ssl\/openldap\/certs\/ldapserver-cert.crt\n<\/code><\/pre>\n\n\n\n<p>Sample output;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>Using configuration from \/usr\/lib\/ssl\/openssl.cnf\nCheck that the request matches the signature\nSignature ok\nCertificate Details:\n        Serial Number: 4097 (0x1001)\n        Validity\n            Not Before: Feb 24 20:54:50 2024 GMT\n            Not After : Feb 23 20:54:50 2025 GMT\n        Subject:\n            countryName               = US\n            stateOrProvinceName       = California\n            organizationName          = Kifarunix Inc\n            organizationalUnitName    = IT Infrastructure\n            commonName                = ldap.kifarunix.com\n            emailAddress              = admin@kifarunix.com\n        X509v3 extensions:\n            X509v3 Basic Constraints: \n                CA:FALSE\n            X509v3 Subject Key Identifier: \n                41:68:00:99:97:5D:83:D8:E3:88:2C:43:9D:5B:0A:B7:33:2A:F0:44\n            X509v3 Authority Key Identifier: \n                BC:3C:1E:3C:D2:C4:BA:FD:5A:DB:AD:9B:90:A8:BD:57:4D:85:C1:B9\nCertificate is to be certified until Feb 23 20:54:50 2025 GMT (365 days)\nSign the certificate? 
[y\/n]:y\n\n\n1 out of 1 certificate requests certified, commit? [y\/n]y\nWrite out database with 1 new entries\nDatabase updated\n<\/code><\/pre>\n\n\n\n<p>To verify the LDAP server certificate against the CA;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>openssl verify -CAfile \/etc\/ssl\/openldap\/certs\/cacert.pem \/etc\/ssl\/openldap\/certs\/ldapserver-cert.crt<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code><strong>\/etc\/ssl\/openldap\/certs\/ldapserver-cert.crt: OK<\/strong><\/code><\/pre>\n\n\n\n<p>Now, we have:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>the CA certificate file: <strong>\/etc\/ssl\/openldap\/certs\/cacert.pem<\/strong><\/li>\n\n\n\n<li>the server certificate: <strong>\/etc\/ssl\/openldap\/certs\/ldapserver-cert.crt<\/strong><\/li>\n\n\n\n<li>the server key file: <strong>\/etc\/ssl\/openldap\/private\/ldapserver-key.key<\/strong><\/li>\n<\/ul>\n\n\n\n<p>Next, set the ownership of the OpenLDAP certificates directory to the&nbsp;<code>openldap<\/code>&nbsp;user.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>chown -R openldap: \/etc\/ssl\/openldap\/<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"update-open-ldap-server-tls-certificates\">Update OpenLDAP Server TLS Certificates<\/h4>\n\n\n\n<p>Next, you need to update the OpenLDAP Server TLS certificates. 
Therefore, create an LDIF file that defines the TLS attributes as shown below;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>vim ldap-tls.ldif<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>dn: cn=config\nchangetype: modify\nadd: olcTLSCACertificateFile\nolcTLSCACertificateFile: \/etc\/ssl\/openldap\/certs\/cacert.pem\n-\nreplace: olcTLSCertificateFile\nolcTLSCertificateFile: \/etc\/ssl\/openldap\/certs\/ldapserver-cert.crt\n-\nreplace: olcTLSCertificateKeyFile\nolcTLSCertificateKeyFile: \/etc\/ssl\/openldap\/private\/ldapserver-key.key\n<\/code><\/pre>\n\n\n\n<p>Replace the locations of your certificates and key files accordingly.<\/p>\n\n\n\n<p>To update the LDAP database, use the&nbsp;<code>ldapmodify<\/code>&nbsp;command as shown below;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ldapmodify -Y EXTERNAL -H ldapi:\/\/\/ -f ldap-tls.ldif<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>SASL\/EXTERNAL authentication started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\nmodifying entry \"cn=config\"\n<\/code><\/pre>\n\n\n\n<p>To verify that the files are in place;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>slapcat -b \"cn=config\" | grep -E \"olcTLS\"<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>olcTLSCACertificateFile: \/etc\/ssl\/openldap\/certs\/cacert.pem\nolcTLSCertificateFile: \/etc\/ssl\/openldap\/certs\/ldapserver-cert.crt\nolcTLSCertificateKeyFile: \/etc\/ssl\/openldap\/private\/ldapserver-key.key\n<\/code><\/pre>\n\n\n\n<p>To check the validity of the LDAP configuration, run the command below;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>slaptest -u<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>config file testing succeeded<\/code><\/pre>\n\n\n\n<p>Next, open the&nbsp;<code>\/etc\/ldap\/ldap.conf<\/code>&nbsp;configuration file and change the location of the CA certificate.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>vim \/etc\/ldap\/ldap.conf<\/code><\/pre>\n\n\n\n<pre 
class=\"wp-block-code\"><code>...\n# TLS certificates (needed for GnuTLS)\n#TLS_CACERT\t\/etc\/ssl\/certs\/ca-certificates.crt\nTLS_CACERT\t\/etc\/ssl\/openldap\/certs\/cacert.pem<\/code><\/pre>\n\n\n\n<p>Restart OpenLDAP daemon.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl restart slapd<\/code><\/pre>\n\n\n\n<p>Confirm the status;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl status slapd<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\u25cf slapd.service - LSB: OpenLDAP standalone server (Lightweight Directory Access Protocol)\n     Loaded: loaded (\/etc\/init.d\/slapd; generated)\n    Drop-In: \/usr\/lib\/systemd\/system\/slapd.service.d\n             \u2514\u2500slapd-remain-after-exit.conf\n     Active: active (running) since Sat 2024-02-24 21:03:40 UTC; 7s ago\n       Docs: man:systemd-sysv-generator(8)\n    Process: 2984 ExecStart=\/etc\/init.d\/slapd start (code=exited, status=0\/SUCCESS)\n      Tasks: 3 (limit: 2238)\n     Memory: 3.4M (peak: 4.3M)\n        CPU: 22ms\n     CGroup: \/system.slice\/slapd.service\n             \u2514\u25002994 \/usr\/sbin\/slapd -h \"ldap:\/\/\/ ldapi:\/\/\/\" -g openldap -u openldap -F \/etc\/ldap\/slapd.d\n\nFeb 24 21:03:40 noble systemd[1]: Starting slapd.service - LSB: OpenLDAP standalone server (Lightweight Directory Access Protocol)...\nFeb 24 21:03:40 noble slapd[2984]:  * Starting OpenLDAP slapd\nFeb 24 21:03:40 noble slapd[2993]: @(#) $OpenLDAP: slapd 2.6.7+dfsg-1~exp1ubuntu1 (Feb  6 2024 19:46:16) $\n                                           Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>\nFeb 24 21:03:40 noble slapd[2994]: slapd starting\nFeb 24 21:03:40 noble slapd[2984]:    ...done.\nFeb 24 21:03:40 noble systemd[1]: Started slapd.service - LSB: OpenLDAP standalone server (Lightweight Directory Access Protocol).\n<\/code><\/pre>\n\n\n\n<p>To verify OpenLDAP TLS connectivity, run the command below. 
If the connection is fine, you should get the output,&nbsp;<code>anonymous<\/code>.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ldapwhoami -H ldap:\/\/ldap.kifarunix.com -x -ZZ<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>ldapwhoami -H ldapi:\/\/\/ -x -ZZ<\/code><\/pre>\n\n\n\n<p>The output of both commands should be <strong>anonymous<\/strong>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"configure-open-ldap-to-provide-sudo\">Configure OpenLDAP to Provide SUDO<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"create-open-ldap-sudo-schema\">Create OpenLDAP SUDO Schema<\/h4>\n\n\n\n<p>To configure LDAP to support&nbsp;<code>sudo<\/code>, first install the sudo-ldap package.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>SUDO_FORCE_REMOVE=yes apt install sudo-ldap -y<\/code><\/pre>\n\n\n\n<p>You can then verify that sudo was built with LDAP support.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo -V |  grep -i \"ldap\"<\/code><\/pre>\n\n\n\n<p>If sudo supports LDAP, you should see the lines below;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>Configure options: --build=x86_64-linux-gnu --prefix=\/usr --includedir=${prefix}\/include --mandir=${prefix}\/share\/man --infodir=${prefix}\/share\/info --sysconfdir=\/etc --localstatedir=\/var --disable-option-checking --disable-silent-rules --libdir=${prefix}\/lib\/x86_64-linux-gnu --runstatedir=\/run --disable-maintainer-mode --disable-dependency-tracking --with-all-insults --with-pam --with-pam-login --with-fqdn --with-logging=syslog --with-logfac=authpriv --with-devel --with-env-editor --with-editor=\/usr\/bin\/editor --with-timeout=15 --with-password-timeout=0 --with-passprompt=[sudo] password for %p:  --with-tty-tickets --without-lecture --disable-root-mailer --with-sendmail=\/usr\/sbin\/sendmail --with-rundir=\/run\/sudo --with-sssd --with-sssd-lib=\/usr\/lib\/x86_64-linux-gnu --enable-zlib=system --enable-admin-flag --with-apparmor --with-selinux --with-linux-audit --enable-tmpfiles.d=\/usr\/lib\/tmpfiles.d MVPROG=\/bin\/mv 
--with-exampledir=\/usr\/share\/doc\/sudo-ldap\/examples --docdir=\/usr\/share\/doc\/sudo-ldap --with-ldap --with-ldap-conf-file=\/etc\/sudo-ldap.conf\n<strong>ldap.conf path: \/etc\/sudo-ldap.conf\nldap.secret path: \/etc\/ldap.secret<\/strong>\n<\/code><\/pre>\n\n\n\n<p>Check if the LDAP sudo schema is available.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>find \/usr\/share\/doc\/ -iname schema.openldap<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>\/usr\/share\/doc\/sudo-ldap\/schema.OpenLDAP<\/code><\/pre>\n\n\n\n<p>Copy the&nbsp;<code>schema.OpenLDAP<\/code>&nbsp;file to the schema directory.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cp \/usr\/share\/doc\/sudo-ldap\/schema.OpenLDAP  \/etc\/ldap\/schema\/sudo.schema<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"configure-open-ldap-to-include-sudo-schema-in-its-database\">Configure OpenLDAP to include SUDO schema in its database<\/h4>\n\n\n\n<p>Next, you need to create the sudo schema LDIF file.<\/p>\n\n\n\n<p>Convert the sudo schema to LDIF before you can configure SLAPD to include it in its database.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>mkdir ldap-sudo<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>echo \"include \/etc\/ldap\/schema\/sudo.schema\" &gt; ldapsudo.conf<\/code><\/pre>\n\n\n\n<p>Generate the SUDO LDIF file from the schema;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cd ldap-sudo<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>slaptest -f ..\/ldapsudo.conf -F .<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code><strong>config file testing succeeded<\/strong><\/code><\/pre>\n\n\n\n<p>The sudo LDIF file should now be located under the&nbsp;<code>cn\\=config\/cn\\=schema\/<\/code>&nbsp;directory;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ls cn\\=config\/cn\\=schema\/<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code><strong>'cn={0}sudo.ldif'<\/strong><\/code><\/pre>\n\n\n\n<p>Edit the LDAP SUDO LDIF file;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>vim 
cn\\=config\/cn\\=schema\/cn\\=\\{0\\}sudo.ldif<\/code><\/pre>\n\n\n\n<p><strong>REMOVE&nbsp;comment lines (Lines beginning with #)<\/strong>&nbsp;at the top and update the lines;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>dn: cn={0}sudo\nobjectClass: olcSchemaConfig\ncn: {0}sudo<\/code><\/pre>\n\n\n\n<p>such that they look like;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>dn: cn=sudo,cn=schema,cn=config\nobjectClass: olcSchemaConfig\ncn: sudo<\/code><\/pre>\n\n\n\n<p>Also,&nbsp;<strong>REMOVE<\/strong>&nbsp;these lines at the bottom;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>structuralObjectClass: olcSchemaConfig\nentryUUID: 431580bc-67ab-103e-932b-a1c41a5943c1\ncreatorsName: cn=config\ncreateTimestamp: 20240224215609Z\nentryCSN: 20240224215609.360408Z#000000#000#000000\nmodifiersName: cn=config\nmodifyTimestamp: 20240224215609Z\n<\/code><\/pre>\n\n\n\n<p>Final sudo LDIF file looks like;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>dn: cn=sudo,cn=schema,cn=config\nobjectClass: olcSchemaConfig\ncn: sudo\nolcAttributeTypes: {0}( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) \n who may  run sudo' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SY\n NTAX 1.3.6.1.4.1.1466.115.121.1.15 )\nolcAttributeTypes: {1}( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s) \n who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMat\n ch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )\nolcAttributeTypes: {2}( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 'Comma\n nd(s) to be executed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1\n 466.115.121.1.26 )\nolcAttributeTypes: {3}( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs' DESC 'User(s)\n  impersonated by sudo (deprecated)' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1\n .4.1.1466.115.121.1.26 )\nolcAttributeTypes: {4}( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption' DESC 'Option\n s(s) followed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115\n .121.1.26 )\nolcAttributeTypes: {5}( 
1.3.6.1.4.1.15953.9.1.6 NAME 'sudoRunAsUser' DESC 'Use\n r(s) impersonated by sudo' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.11\n 5.121.1.15 )\nolcAttributeTypes: {6}( 1.3.6.1.4.1.15953.9.1.7 NAME 'sudoRunAsGroup' DESC 'Gr\n oup(s) impersonated by sudo' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.\n 115.121.1.15 )\nolcAttributeTypes: {7}( 1.3.6.1.4.1.15953.9.1.8 NAME 'sudoNotBefore' DESC 'Sta\n rt of time interval for which the entry is valid' EQUALITY generalizedTimeMat\n ch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24\n  )\nolcAttributeTypes: {8}( 1.3.6.1.4.1.15953.9.1.9 NAME 'sudoNotAfter' DESC 'End \n of time interval for which the entry is valid' EQUALITY generalizedTimeMatch \n ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )\nolcAttributeTypes: {9}( 1.3.6.1.4.1.15953.9.1.10 NAME 'sudoOrder' DESC 'an int\n eger to order the sudoRole entries' EQUALITY integerMatch ORDERING integerOrd\n eringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )\nolcObjectClasses: {0}( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' DESC 'Sudoer En\n tries' SUP top STRUCTURAL MUST cn MAY ( sudoUser $ sudoHost $ sudoCommand $ s\n udoRunAs $ sudoRunAsUser $ sudoRunAsGroup $ sudoOption $ sudoOrder $ sudoNotB\n efore $ sudoNotAfter $ description ) )\n<\/code><\/pre>\n\n\n\n<p>You can also copy the default LDIF file from&nbsp;<strong>\/usr\/share\/doc\/sudo-ldap\/schema.olcSudo<\/strong>&nbsp;and just modify it.<\/p>\n\n\n\n<p>Once done editing the sudo LDIF file, update the SLAPD database to include the SUDO schema;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ldapadd -Q -Y EXTERNAL -H ldapi:\/\/\/ -f 'cn=config\/cn=schema\/cn={0}sudo.ldif'<\/code><\/pre>\n\n\n\n<p>You should see a line;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>adding new entry \"cn=sudo,cn=schema,cn=config\"<\/code><\/pre>\n\n\n\n<p>Enable sudo user and host indexing;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ldapadd -Y EXTERNAL -H ldapi:\/\/\/ 
-Q<\/code><\/pre>\n\n\n\n<p>When the command runs, paste the content below and press&nbsp;<strong>ENTER twice<\/strong>.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>dn: olcDatabase={1}mdb,cn=config\nchangetype: modify\nadd: olcDbIndex\nolcDbIndex: <strong>sudoUser,sudoHost pres,eq<\/strong>\n<\/code><\/pre>\n\n\n\n<p>Once you see the line,&nbsp;<strong><code>modifying entry \"olcDatabase={1}mdb,cn=config\"<\/code><\/strong>, press&nbsp;<code><strong>ctrl+d<\/strong><\/code>.<\/p>\n\n\n\n<p>To verify indexing;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>slapcat -n 0 | grep olcDbIndex<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>olcDbIndex: objectClass eq\nolcDbIndex: cn,uid eq\nolcDbIndex: uidNumber,gidNumber eq\nolcDbIndex: member,memberUid eq\n<strong>olcDbIndex: sudoUser,sudoHost pres,eq<\/strong>\n<\/code><\/pre>\n\n\n\n<p>Your OpenLDAP should now be able to provide SUDO access for users. This is subject to <a href=\"https:\/\/kifarunix.com\/how-to-configure-sudo-via-openldap-server\/\" target=\"_blank\" rel=\"noreferrer noopener\">further configuration<\/a>, however.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"adjust-open-ldap-database-access-control-lists\">Adjust OpenLDAP Database Access Control Lists<\/h3>\n\n\n\n<p>Next, adjust the SLAPD database access controls;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>vim update-mdb-acl.ldif<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>dn: olcDatabase={1}mdb,cn=config\nchangetype: modify\nreplace: olcAccess\nolcAccess: to attrs=userPassword,shadowLastChange,shadowExpire\n  by self write\n  by anonymous auth\n  by dn.subtree=\"gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\" manage \n  by dn.exact=\"cn=readonly,ou=people,dc=ldap,dc=kifarunix,dc=com\" read \n  by * none\nolcAccess: to dn.exact=\"cn=readonly,ou=people,dc=ldap,dc=kifarunix,dc=com\" by dn.subtree=\"gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\" manage by * none\nolcAccess: to 
dn.subtree=\"dc=ldap,dc=kifarunix,dc=com\" by dn.subtree=\"gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\" manage\n  by users read \n  by * none\n<\/code><\/pre>\n\n\n\n<p>Save and exit the file.<\/p>\n\n\n\n<p>Note that we have included the access controls for the Read Only Bind DN user that we will create later in this guide.<\/p>\n\n\n\n<p>Update the database ACL with the above information by running the command below;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ldapadd -Y EXTERNAL -H ldapi:\/\/\/ -f update-mdb-acl.ldif<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"open-ldap-user-accounts\">OpenLDAP User Accounts<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"create-open-ldap-user-accounts\">Create OpenLDAP User Accounts<\/h4>\n\n\n\n<p>Before we can create OpenLDAP user accounts, we need to create the organizational unit (OU) containers for storing users and their group information. See our example below. Be sure to make the relevant changes as per your environment setup.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>vim users-ou.ldif<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>dn: ou=people,dc=ldap,dc=kifarunix,dc=com\nobjectClass: organizationalUnit\nobjectClass: top\nou: people\n\ndn: ou=groups,dc=ldap,dc=kifarunix,dc=com\nobjectClass: organizationalUnit\nobjectClass: top\nou: groups\n<\/code><\/pre>\n\n\n\n<p>Once that is done, you should now be able, as the admin, to create the OUs defined above. 
Therefore, to update the database with the user OU information above, run the command below;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ldapadd -Y EXTERNAL -H ldapi:\/\/\/ -f users-ou.ldif<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>SASL\/EXTERNAL authentication started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\nadding new entry \"ou=people,dc=ldap,dc=kifarunix,dc=com\"\n\nadding new entry \"ou=groups,dc=ldap,dc=kifarunix,dc=com\"\n<\/code><\/pre>\n\n\n\n<p>Once you have the user OU containers created, you can now add user accounts. In this demo, we will create a user called&nbsp;<strong>johndoe<\/strong>&nbsp;in our OpenLDAP database.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>vim johndoe.ldif<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>dn: uid=johndoe,ou=people,dc=ldap,dc=kifarunix,dc=com\nobjectClass: inetOrgPerson\nobjectClass: posixAccount\nobjectClass: shadowAccount\nuid: johndoe\ncn: John\nsn: Doe\nloginShell: \/bin\/bash\nuidNumber: 10000\ngidNumber: 10000\nhomeDirectory: \/home\/johndoe\nshadowMax: 60\nshadowMin: 1\nshadowWarning: 7\nshadowInactive: 7\nshadowLastChange: 0\n\ndn: cn=johndoe,ou=groups,dc=ldap,dc=kifarunix,dc=com\nobjectClass: posixGroup\ncn: johndoe\ngidNumber: 10000\nmemberUid: johndoe\n<\/code><\/pre>\n\n\n\n<p>To add the user johndoe to the database using the information above, run the command below;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ldapadd -Y EXTERNAL -H ldapi:\/\/\/ -f johndoe.ldif -Q<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>adding new entry \"uid=johndoe,ou=people,dc=ldap,dc=kifarunix,dc=com\"\n\nadding new entry \"cn=johndoe,ou=groups,dc=ldap,dc=kifarunix,dc=com\"\n<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"setting-password-for-ldap-users\">Setting Password for LDAP Users<\/h4>\n\n\n\n<p>If you noticed, in the above, we didn\u2019t set any password for the user. 
To set\/reset the password for the user, run the command below;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ldappasswd -H ldapi:\/\/\/ -Y EXTERNAL -S \"uid=johndoe,ou=people,dc=ldap,dc=kifarunix,dc=com\"<\/code><\/pre>\n\n\n\n<p>To verify the user\u2019s password;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ldapwhoami -H ldap:\/\/ldap.kifarunix.com -x -D \"uid=johndoe,ou=people,dc=ldap,dc=kifarunix,dc=com\" -W<\/code><\/pre>\n\n\n\n<p>If the password is correct, you should see the user\u2019s DN;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>dn:uid=johndoe,ou=people,dc=ldap,dc=kifarunix,dc=com<\/code><\/pre>\n\n\n\n<p>Note that a simple bind over plain&nbsp;<code>ldap:\/\/<\/code>&nbsp;sends the password in the clear; add&nbsp;<code>-ZZ<\/code>&nbsp;to the command above to require StartTLS, as in the TLS check earlier.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"create-open-ldap-bind-dn\">Create OpenLDAP BIND DN<\/h3>\n\n\n\n<p>There are two OpenLDAP BIND DNs;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code><strong>Administrator Bind DN<\/strong><\/code>: defines the admin username and password. It is used only for querying the directory server and so this user must have privileges to search the directory.<\/li>\n\n\n\n<li><code><strong>User Bind DN<\/strong><\/code>: defines the username and password used for authentication and password change operations.<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"create-bind-dn-read-only-user\">Create Bind DN Read Only User<\/h4>\n\n\n\n<p>In this demo, we will create a user Bind DN called&nbsp;<code><strong>readonly<\/strong><\/code>&nbsp;for read operations.<\/p>\n\n\n\n<p>Generate the password hash for the bind DN user;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>slappasswd<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>New password: <strong>password<\/strong>\nRe-enter new password: <strong>password<\/strong>\n{SSHA}eTWwv010qnaaYeKPVGxe1mbPGdNKA75\/\n<\/code><\/pre>\n\n\n\n<p>Copy the hash above and use it as the value of&nbsp;<code><strong>userPassword<\/strong><\/code>&nbsp;below;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>vim readonly-user.ldif<\/code><\/pre>\n\n\n\n<pre 
class=\"scroll-box\"><code>dn: cn=readonly,ou=people,dc=ldap,dc=kifarunix,dc=com\nobjectClass: organizationalRole\nobjectClass: simpleSecurityObject\ncn: readonly\nuserPassword: <strong>{SSHA}eTWwv010qnaaYeKPVGxe1mbPGdNKA75\/<\/strong>\ndescription: Bind DN user for LDAP Operations\n<\/code><\/pre>\n\n\n\n<p>Add the bind user to the LDAP database;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ldapadd -Y EXTERNAL -H ldapi:\/\/\/ -f readonly-user.ldif<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>adding new entry \"cn=readonly,ou=people,dc=ldap,dc=kifarunix,dc=com\"<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"define-access-control-lists-for-read-only-user\">Define Access Control Lists for ReadOnly User<\/h4>\n\n\n\n<p>Define the access controls for the user bind DN. See what we have in our ACL file above. Or simply run the command below to check the ACLs defined;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:\/\/\/ -b cn=config '(olcDatabase={1}mdb)' olcAccess<\/code><\/pre>\n\n\n\n<p>Sample ACLs;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>dn: olcDatabase={1}mdb,cn=config\nolcAccess: {0}to attrs=userPassword,shadowLastChange,shadowExpire by self writ\n e by anonymous auth by dn.subtree=\"gidNumber=0+uidNumber=0,cn=peercred,cn=ext\n ernal,cn=auth\" manage  by dn.exact=\"cn=readonly,ou=people,dc=ldap,dc=kifaruni\n x,dc=com\" read  by * none\n<strong>olcAccess: {1}to dn.exact=\"cn=readonly,ou=people,dc=ldap,dc=kifarunix,dc=com\" \n by dn.subtree=\"gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\" manag\n e by * none<\/strong>\nolcAccess: {2}to dn.subtree=\"dc=ldap,dc=kifarunix,dc=com\" by dn.subtree=\"gidNu\n mber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\" manage by users read  by \n * none\n<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"create-open-ldap-system-bind-dn-and-user\">Create OpenLDAP System Bind DN and User<\/h4>\n\n\n\n<p>Bind DN user is used for performing LDAP 
operations such as resolving User IDs and group IDs.<\/p>\n\n\n\n<p>In this guide, we create a bind DN ou called&nbsp;<code>system<\/code>.<\/p>\n\n\n\n<p>Note the access controls associated with this <strong><code>ou<\/code><\/strong> as defined on the root DN above.<\/p>\n\n\n\n<p>You can list the access control lists on the database;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:\/\/\/ -b cn=config '(olcDatabase={1}mdb)' olcAccess<\/code><\/pre>\n\n\n\n<p>Create the LDAP system Bind DN user password.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>slappasswd<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>New password: \nRe-enter new password: \n{SSHA}OlOxrrrIpdrVovFj4QeD\/lc8cF\/Z0yl6\n<\/code><\/pre>\n\n\n\n<p>Copy and paste the password hash value above as the value of the&nbsp;<strong><code>userPassword<\/code><\/strong>&nbsp;attribute in the file below;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\ncat > bindDNuser.ldif << 'EOL'\ndn: ou=system,dc=ldap,dc=kifarunix,dc=com\nobjectClass: organizationalUnit\nobjectClass: top\nou: system\n\ndn: cn=readonly,ou=system,dc=ldap,dc=kifarunix,dc=com\nobjectClass: organizationalRole\nobjectClass: simpleSecurityObject\ncn: readonly\nuserPassword: {SSHA}OlOxrrrIpdrVovFj4QeD\/lc8cF\/Z0yl6\ndescription: Bind DN user for LDAP Operations\nEOL\n<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>ldapadd -Y EXTERNAL -H ldapi:\/\/\/ -f bindDNuser.ldif<\/code><\/pre>\n\n\n\n<p>Next, read the guide below to learn how to implement password policies.<\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/implement-openldap-password-policies\/\" target=\"_blank\" rel=\"noreferrer noopener\">Implement OpenLDAP Password Policies<\/a><\/p>\n\n\n\n<p>Note that the password policy modules are already loaded, hence skip the part, \"<strong>Load Password Policy Module<\/strong>\".<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"configure-open-ldap-logging-on-ubuntu-24-04\">Configure OpenLDAP 
Logging on Ubuntu 24.04<\/h3>\n\n\n\n<p>By default, the OpenLDAP log level is set to&nbsp;<code>none<\/code>, which means only high-priority messages are logged.<\/p>\n\n\n\n<p>To change this to a&nbsp;<a rel=\"noreferrer noopener\" href=\"https:\/\/www.openldap.org\/doc\/admin24\/slapdconfig.html\" target=\"_blank\">different log level<\/a>, say the&nbsp;<code>stats<\/code>&nbsp;level (which logs connections, operations and results), run the command below;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ldapmodify -Y EXTERNAL -H ldapi:\/\/\/ -Q<\/code><\/pre>\n\n\n\n<p>Then copy and paste the content below at the prompt to modify the log level.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>dn: cn=config\nchangeType: modify\nreplace: olcLogLevel\nolcLogLevel: stats\n<\/code><\/pre>\n\n\n\n<p>Next, press&nbsp;<strong>ENTER<\/strong> twice. Once you see a line,&nbsp;<code><strong>modifying entry \"cn=config\"<\/strong><\/code>, then press&nbsp;<code><strong>Ctrl+d<\/strong><\/code>.<\/p>\n\n\n\n<p>You can as well use LDIF files to update this information if you like.<\/p>\n\n\n\n<p>To confirm the changes;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ldapsearch -Y EXTERNAL -H ldapi:\/\/\/ -b cn=config \"(objectClass=olcGlobal)\" olcLogLevel -LLL -Q<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>dn: cn=config\nolcLogLevel: stats\n<\/code><\/pre>\n\n\n\n<p>Next, you need to specify the log file for OpenLDAP in the Rsyslog configuration. 
By default, OpenLDAP logs to the&nbsp;<code>local4<\/code>&nbsp;facility, hence, to configure it to log to&nbsp;<code>\/var\/log\/slapd.log<\/code>&nbsp;for example, execute the command below;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>echo \"local4.* \/var\/log\/slapd.log\" &gt;&gt; \/etc\/rsyslog.d\/51-slapd.conf<\/code><\/pre>\n\n\n\n<p>Restart the Rsyslog and SLAPD services.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl restart rsyslog slapd<\/code><\/pre>\n\n\n\n<p>You should now be able to read the LDAP logs in&nbsp;<code>\/var\/log\/slapd.log<\/code>.<\/p>\n\n\n\n<p>You can as well configure log rotation;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\ncat > \/etc\/logrotate.d\/slapd << EOL\n\/var\/log\/slapd.log\n{ \n        rotate 7\n        daily\n        missingok\n        notifempty\n        delaycompress\n        compress\n        postrotate\n                \/usr\/lib\/rsyslog\/rsyslog-rotate\n        endscript\n}\nEOL\n<\/code><\/pre>\n\n\n\n<p>Restart the log rotation service;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl restart logrotate<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"allow-open-ldap-service-on-firewall\">Allow OpenLDAP Service on Firewall<\/h3>\n\n\n\n<p>If UFW is running, allow OpenLDAP (both LDAP and LDAPS) external access;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ufw allow \"OpenLDAP LDAP\"<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>ufw allow \"OpenLDAP LDAPS\"<\/code><\/pre>\n\n\n\n<p>If using Iptables, allow the services accordingly.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"authenticate-via-open-ldap-server\">Authenticate Via OpenLDAP Server<\/h3>\n\n\n\n<p>And that is it on how to install OpenLDAP Server.<\/p>\n\n\n\n<p>To verify that users can actually connect to the systems via the OpenLDAP server, you need to configure OpenLDAP clients on the remote systems.<\/p>\n\n\n\n<p>See the guides below;<\/p>\n\n\n\n<p><a 
href=\"https:\/\/kifarunix.com\/configure-sssd-for-ldap-authentication-on-ubuntu-20-04\/\" target=\"_blank\" rel=\"noreferrer noopener\">Configure SSSD for LDAP Authentication on Linux<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this tutorial, you will learn how to install OpenLDAP Server on Ubuntu 24.04.&nbsp;OpenLDAP Software&nbsp;is an&nbsp;open source&nbsp;implementation of the&nbsp;Lightweight&nbsp;Directory&nbsp;Access&nbsp;Protocol (LDAP), which is a lightweight client-server<\/p>\n","protected":false},"author":10,"featured_media":17759,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[121,285,1099],"tags":[7418,248,286,7419],"class_list":["post-20229","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-howtos","category-directory-server","category-openldap","tag-install-openldap-on-ubuntu-24-04","tag-ldap","tag-openldap","tag-ubuntu-24-04-install-ldap","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/20229"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/10"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=20229"}],"version-history":[{"count":9,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/20229\/revisions"}],"predecessor-version":[{"id":20917,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/20229\/revisions\/20917"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/17759"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=20229
"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=20229"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=20229"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}