{"id":5846,"date":"2020-05-09T22:34:05","date_gmt":"2020-05-09T19:34:05","guid":{"rendered":"https:\/\/kifarunix.com\/?p=5846"},"modified":"2024-05-05T08:44:13","modified_gmt":"2024-05-05T05:44:13","slug":"install-and-setup-openldap-server-on-ubuntu-20-04","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/install-and-setup-openldap-server-on-ubuntu-20-04\/","title":{"rendered":"Install and Setup OpenLDAP Server on Ubuntu 20.04"},"content":{"rendered":"\n<p>In this tutorial, we are going to learn how to install and setup OpenLDAP Server on Ubuntu 20.04. <a href=\"https:\/\/www.openldap.org\/software\/\" target=\"_blank\" rel=\"noreferrer noopener\">OpenLDAP Software<\/a>\u00a0is an\u00a0open source\u00a0implementation of the\u00a0<strong>L<\/strong>ightweight\u00a0<strong>D<\/strong>irectory\u00a0<strong>A<\/strong>ccess\u00a0<strong>P<\/strong>rotocol. LDAP is a lightweight client-server protocol for accessing directory services, specifically X.500-based directory services.<\/p>\n\n\n\n<div class=\"wp-block-rank-math-toc-block\" id=\"rank-math-toc\"><h2>Table of Contents<\/h2><nav><ul><li><a href=\"#installing-open-ldap-server-on-ubuntu-20-04\">Installing OpenLDAP Server on Ubuntu 20.04<\/a><ul><li><a href=\"#run-system-update\">Run System Update<\/a><\/li><li><a href=\"#install-stand-alone-ldap-daemon-slapd-on-ubuntu-20-04\">Install Stand-alone LDAP Daemon (SLAPD) on Ubuntu 20.04<\/a><\/li><li><a href=\"#configuring-open-ldap-on-ubuntu-20-04\">Configuring OpenLDAP on Ubuntu 20.04<\/a><ul><li><a href=\"#configure-open-ldap-logging-on-ubuntu-20-04\">Configure OpenLDAP Logging on Ubuntu 20.04<\/a><\/li><li><a href=\"#configure-ldap-with-ssl-tls-certificates\">Configure LDAP with SSL\/TLS Certificates<\/a><\/li><\/ul><\/li><li><a href=\"#configure-open-ldap-to-provide-sudo-access-for-users\">Configure OpenLDAP to Provide SUDO Access for Users<\/a><ul><li><a href=\"#install-open-ldap-sudo-package\">Install OpenLDAP sudo package;<\/a><\/li><li><a 
href=\"#create-open-ldap-sudo-schema\">Create OpenLDAP SUDO schema;<\/a><\/li><li><a href=\"#configure-open-ldap-to-include-sudo-schema-in-its-database\">Configure OpenLDAP to include SUDO schema in its database.<\/a><\/li><\/ul><\/li><li><a href=\"#create-open-ldap-user-accounts\">Create OpenLDAP User Accounts<\/a><ul><li><a href=\"#setting-password-for-ldap-user\">Setting Password for LDAP User<\/a><\/li><\/ul><\/li><li><a href=\"#create-open-ldap-bind-dn\">Create OpenLDAP BIND DN<\/a><\/li><li><a href=\"#allow-open-ldap-service-on-firewall\">Allow OpenLDAP Service on Firewall<\/a><\/li><li><a href=\"#authenticate-via-open-ldap-server\">Authenticate Via OpenLDAP Server<\/a><\/li><li><a href=\"#related-tutorials\">Related Tutorials<\/a><\/li><\/ul><\/li><\/ul><\/nav><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"installing-open-ldap-server-on-ubuntu-20-04\">Installing OpenLDAP Server on Ubuntu 20.04<\/h2>\n\n\n\n<p>The OpenLDAP suite includes;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/www.openldap.org\/software\/man.cgi?query=slapd\" target=\"_blank\" rel=\"noopener\">slapd<\/a>&nbsp;&#8211; stand-alone LDAP daemon (server)<\/li>\n\n\n\n<li><a href=\"https:\/\/www.openldap.org\/software\/man.cgi?query=ldap\" target=\"_blank\" rel=\"noopener\">libraries<\/a>&nbsp;implementing the LDAP protocol, and<\/li>\n\n\n\n<li>utilities, tools, and sample clients.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"run-system-update\">Run System Update<\/h3>\n\n\n\n<p>Before you begin, ensure your system package cache is up-to-date.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>apt update<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>apt upgrade<\/code><\/pre>\n\n\n\n<p>Want to know whether to reboot your system after upgrade? 
Simply install the <code><strong>needrestart<\/strong><\/code> package to help you with that.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"install-stand-alone-ldap-daemon-slapd-on-ubuntu-20-04\">Install Stand-alone LDAP Daemon (SLAPD) on Ubuntu 20.04<\/h3>\n\n\n\n<p>To install SLAPD and other LDAP utilities, run the command below;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>apt install slapd ldap-utils<\/code><\/pre>\n\n\n\n<p>During the installation, you are prompted to set the OpenLDAP administrative password.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"670\" height=\"243\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2020\/05\/admin-pass.png\" alt=\"Install and Setup OpenLDAP Server on Ubuntu 20.04\" class=\"wp-image-5860\" title=\"\"><\/figure><\/div>\n\n\n<p>Set the password, press ENTER, and confirm the password you set.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"configuring-open-ldap-on-ubuntu-20-04\">Configuring OpenLDAP on Ubuntu 20.04<\/h3>\n\n\n\n<p>By default, the SLAPD installer doesn&#8217;t prompt you to enter the domain information settings. 
It does, however, auto-populate the DIT with sample data based on your server&#8217;s domain name.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>slapcat<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>dn: dc=kifarunix-demo,dc=com\nobjectClass: top\nobjectClass: dcObject\nobjectClass: organization\no: kifarunix-demo.com\ndc: kifarunix-demo\nstructuralObjectClass: organization\nentryUUID: 523af726-25a0-103a-8c03-87de2c08c2d4\ncreatorsName: cn=admin,dc=kifarunix-demo,dc=com\ncreateTimestamp: 20200508175142Z\nentryCSN: 20200508175142.880878Z#000000#000#000000\nmodifiersName: cn=admin,dc=kifarunix-demo,dc=com\nmodifyTimestamp: 20200508175142Z\n\ndn: cn=admin,dc=kifarunix-demo,dc=com\nobjectClass: simpleSecurityObject\nobjectClass: organizationalRole\ncn: admin\ndescription: LDAP administrator\nuserPassword:: e1NTSEF9M1hkZ3h5SmRsK3IyclNkbkhxTzlqMXlrdS9ZWnk0Sis=\nstructuralObjectClass: organizationalRole\nentryUUID: 523b1daa-25a0-103a-8c04-87de2c08c2d4\ncreatorsName: cn=admin,dc=kifarunix-demo,dc=com\ncreateTimestamp: 20200508175142Z\nentryCSN: 20200508175142.881901Z#000000#000#000000\nmodifiersName: cn=admin,dc=kifarunix-demo,dc=com\nmodifyTimestamp: 20200508175142Z\n<\/code><\/pre>\n\n\n\n<p>If you want to set your own DIT, you need to reconfigure the SLAPD package.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>dpkg-reconfigure slapd<\/code><\/pre>\n\n\n\n<p>When run, you are prompted on whether to omit the OpenLDAP server configuration. 
Select <strong>No<\/strong> and proceed to configure your OpenLDAP settings.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Set your DNS domain name for constructing the base DN of your LDAP directory.<\/li>\n\n\n\n<li>Enter the name of your organization to be used in the base DN.<\/li>\n\n\n\n<li>Enter your administrator password and confirm it.<\/li>\n\n\n\n<li>Choose to remove the SLAPD database when the slapd package is removed.<\/li>\n<\/ul>\n\n\n\n<p>In our example setup, the base DN is set to <code><strong>dc=kifarunix-demo,dc=com<\/strong><\/code> and the root DN is set to <code><strong>cn=admin,dc=kifarunix-demo,dc=com<\/strong><\/code>.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ldapsearch -x -LLL -b \"\" -s base namingContexts<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>dn:\nnamingContexts: <strong>dc=kifarunix-demo,dc=com<\/strong><\/code><\/pre>\n\n\n\n<p>To view the RootDN, run the command below;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ldapsearch -H ldapi:\/\/\/ -Y EXTERNAL -b \"cn=config\" -LLL -Q | grep olcRootDN:<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>olcRootDN: <strong>cn=admin,dc=kifarunix-demo,dc=com<\/strong><\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"configure-open-ldap-logging-on-ubuntu-20-04\">Configure OpenLDAP Logging on Ubuntu 20.04<\/h4>\n\n\n\n<p>Log files are the first place to check when something is not working. 
By default, the OpenLDAP log level is set to <code>none<\/code>, which logs only high-priority messages.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ldapsearch -H ldapi:\/\/\/ -Y EXTERNAL -b \"cn=config\" -LLL -Q | grep olcLogLevel:<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>olcLogLevel: <strong>none<\/strong><\/code><\/pre>\n\n\n\n<p>If you need to change this to a <a rel=\"noreferrer noopener\" href=\"https:\/\/www.openldap.org\/doc\/admin24\/slapdconfig.html\" target=\"_blank\">different log level<\/a>, say to the <code>stats<\/code> level (logs connections\/operations\/results), run the command below;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ldapmodify -Y EXTERNAL -H ldapi:\/\/\/ -Q<\/code><\/pre>\n\n\n\n<p>Then paste the content below to modify the log level.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>dn: cn=config\nchangeType: modify\nreplace: olcLogLevel\nolcLogLevel: stats<\/code><\/pre>\n\n\n\n<p>Next, press <strong>ENTER<\/strong>. Once you see the line <code><strong>modifying entry \"cn=config\"<\/strong><\/code>, press <code><strong>Ctrl+d<\/strong><\/code>.<\/p>\n\n\n\n<p>You can as well use LDIF files to update this information if you like.<\/p>\n\n\n\n<p>To confirm the changes;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ldapsearch -Y EXTERNAL -H ldapi:\/\/\/ -b cn=config \"(objectClass=olcGlobal)\" olcLogLevel -LLL -Q<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>dn: cn=config\nolcLogLevel: stats<\/code><\/pre>\n\n\n\n<p>Next, you need to specify the log file for OpenLDAP in the Rsyslog configuration. 
By default, OpenLDAP logs to the&nbsp;<code>local4<\/code>&nbsp;facility, hence, to configure it to log to <code>\/var\/log\/slapd.log<\/code> for example, execute the command below;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>echo \"local4.* \/var\/log\/slapd.log\" &gt;&gt; \/etc\/rsyslog.d\/51-slapd.conf<\/code><\/pre>\n\n\n\n<p>Restart the Rsyslog and SLAPD services;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>systemctl restart rsyslog slapd<\/code><\/pre>\n\n\n\n<p>You should now be able to read the LDAP logs in&nbsp;<code>\/var\/log\/slapd.log<\/code>.<\/p>\n\n\n\n<p>You can as well configure log rotation;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>vim \/etc\/logrotate.d\/slapd<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\/var\/log\/slapd.log\n{\n        rotate 7\n        daily\n        missingok\n        notifempty\n        delaycompress\n        compress\n        postrotate\n                \/usr\/lib\/rsyslog\/rsyslog-rotate\n        endscript\n}\n<\/code><\/pre>\n\n\n\n<p>Restart the log rotation service;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>systemctl restart logrotate<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"configure-ldap-with-ssl-tls-certificates\">Configure LDAP with SSL\/TLS Certificates<\/h4>\n\n\n\n<p>LDAP supports two methods to encrypt communications using SSL\/TLS:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>LDAPS<\/code>: LDAPS communication occurs over a dedicated port, commonly 636.<\/li>\n\n\n\n<li><code>STARTTLS<\/code>: STARTTLS connections begin as plaintext over the standard LDAP port (389), and that connection is then upgraded to SSL\/TLS. It is also known as the <em>TLS upgrade<\/em>&nbsp;operation.<\/li>\n<\/ul>\n\n\n\n<p>In this demo, we are using self-signed certificates. 
Follow the link below to configure OpenLDAP server with SSL\/TLS certificates.<\/p>\n\n\n\n<p><a rel=\"noreferrer noopener\" href=\"https:\/\/kifarunix.com\/setup-openldap-server-with-ssl-tls-on-debian-10\/#ldap-ssl-tls\" target=\"_blank\">How to Configure OpenLDAP server with Signed SSL\/TLS certificates<\/a><\/p>\n\n\n\n<p>If, while updating the TLS certificates, you get the error below;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>modifying entry \"cn=config\"\n<strong>ldap_modify: Other (e.g., implementation specific) error (80)<\/strong><\/code><\/pre>\n\n\n\n<p>and, checking the syslog files, you find AppArmor denying read access to the certificate and key files;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>May 9 12:54:08 ldap kernel: [ 3785.915065] audit: type=1400 audit(1589028848.345:137): <strong>apparmor=\"DENIED\" operation=\"open\" profile=\"\/usr\/sbin\/slapd\" name=\"\/etc\/ssl\/openldap\/certs\/cacert.pem\"<\/strong> pid=5141 comm=\"slapd\" <strong>requested_mask=\"r\" denied_mask=\"r\"<\/strong> fsuid=112 ouid=112<\/code><\/pre>\n\n\n\n<p>then you need to give slapd read access to the certificate and key files by editing the SLAPD AppArmor profile and adding the lines below;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>vim \/etc\/apparmor.d\/usr.sbin.slapd<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>...\n  # Site-specific additions and overrides. See local\/README for details.\n  #include \n\n  #TLS\n  \/etc\/ssl\/openldap\/certs\/ r,\n  \/etc\/ssl\/openldap\/certs\/* r,\n  \/etc\/ssl\/openldap\/private\/ r,\n  \/etc\/ssl\/openldap\/private\/* r,\n}\n<\/code><\/pre>\n\n\n\n<p>Replace the paths to the certificate files and keys accordingly. 
Save and exit the file and reload the SLAPD AppArmor profile;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>apparmor_parser -r \/etc\/apparmor.d\/usr.sbin.slapd<\/code><\/pre>\n\n\n\n<p>Note that if you are using the standard certificate and key paths, the AppArmor changes might not be necessary.<\/p>\n\n\n\n<p>Once that is done, retry updating the SLAPD database with the TLS certificates.<\/p>\n\n\n\n<p>To verify that the files are in place;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>slapcat -b \"cn=config\" | grep \"olcTLS\"<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>olcTLSCACertificateFile: \/etc\/ssl\/openldap\/certs\/cacert.pem\nolcTLSCertificateFile: \/etc\/ssl\/openldap\/certs\/ldapserver-cert.crt\nolcTLSCertificateKeyFile: \/etc\/ssl\/openldap\/private\/ldapserver-key.key<\/code><\/pre>\n\n\n\n<p>Next, update the path to the CA certificate file in <code>\/etc\/ldap\/ldap.conf<\/code>.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>sed -i 's|certs\/ca-certificates.crt|openldap\/certs\/cacert.pem|' \/etc\/ldap\/ldap.conf<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"configure-open-ldap-to-provide-sudo-access-for-users\">Configure OpenLDAP to Provide SUDO Access for Users<\/h3>\n\n\n\n<p>To enable OpenLDAP to provide sudo access for users, proceed as follows;<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"install-open-ldap-sudo-package\">Install OpenLDAP sudo package;<\/h4>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>export SUDO_FORCE_REMOVE=yes<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>apt install sudo-ldap<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"create-open-ldap-sudo-schema\">Create OpenLDAP SUDO schema;<\/h4>\n\n\n\n<p>Copy the sample OpenLDAP sudo schema to the OpenLDAP schemas directory;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>cp \/usr\/share\/doc\/sudo-ldap\/schema.OpenLDAP \/etc\/ldap\/schema\/sudo.schema<\/code><\/pre>\n\n\n\n<h4 
class=\"wp-block-heading\" id=\"configure-open-ldap-to-include-sudo-schema-in-its-database\">Configure OpenLDAP to include SUDO schema in its database.<\/h4>\n\n\n\n<p>For this, we will create a temporary directory from where we will convert the sudo schema to LDIF before we can configure SLAPD to include it in its database.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>mkdir \/tmp\/ldap-sudo<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>echo \"include \/etc\/ldap\/schema\/sudo.schema\" &gt; \/tmp\/ldap-sudo\/ldapsudo.conf<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>cd \/tmp\/ldap-sudo<\/code><\/pre>\n\n\n\n<p>Generate the SUDO LDIF file from the schema;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>slaptest -f ldapsudo.conf -F .<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code><strong>config file testing succeeded<\/strong><\/code><\/pre>\n\n\n\n<p>The sudo LDIF file should now be located under the <code>cn\\=config\/cn\\=schema\/<\/code> directory.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ls cn\\=config\/cn\\=schema\/<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code><strong>'cn={0}sudo.ldif'<\/strong><\/code><\/pre>\n\n\n\n<p>Edit the LDAP SUDO LDIF file, <strong><strong>REMOVE<\/strong> the comment lines (lines beginning with #)<\/strong> at the top, and update the lines;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>dn: cn={0}sudo\nobjectClass: olcSchemaConfig\ncn: {0}sudo<\/code><\/pre>\n\n\n\n<p>such that they look like;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>dn: cn=sudo,cn=schema,cn=config\nobjectClass: olcSchemaConfig\ncn: sudo<\/code><\/pre>\n\n\n\n<p>Also, <strong>REMOVE<\/strong> these lines at the bottom;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>structuralObjectClass: olcSchemaConfig\nentryUUID: a0db89da-2646-103a-83d7-df36427f181e\ncreatorsName: cn=config\ncreateTimestamp: 20200509134211Z\nentryCSN: 
20200509134211.249833Z#000000#000#000000\nmodifiersName: cn=config\nmodifyTimestamp: 20200509134211Z\n<\/code><\/pre>\n\n\n\n<p>Once done editing the sudo LDIF file, update the SLAPD database to include the SUDO schema;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ldapadd -Q -Y EXTERNAL -H ldapi:\/\/\/ -f 'cn=config\/cn=schema\/cn={0}sudo.ldif'<\/code><\/pre>\n\n\n\n<p>You should see the line;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>adding new entry \"cn=sudo,cn=schema,cn=config\"<\/code><\/pre>\n\n\n\n<p>Enable sudo user and host indexing;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ldapadd -Y EXTERNAL -H ldapi:\/\/\/ -Q<\/code><\/pre>\n\n\n\n<p>When the command runs, paste the content below and press <strong>ENTER<\/strong>.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>dn: olcDatabase={1}mdb,cn=config\nchangetype: modify\nadd: olcDbIndex\nolcDbIndex: sudoUser,sudoHost pres,eq\n<\/code><\/pre>\n\n\n\n<p>Once you see the line <strong><code>modifying entry \"olcDatabase={1}mdb,cn=config\"<\/code><\/strong>, press <code><strong>ctrl+d<\/strong><\/code>.<\/p>\n\n\n\n<p>To verify indexing;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>slapcat -n 0 | grep olcDbIndex<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>olcDbIndex: objectClass eq\nolcDbIndex: cn,uid eq\nolcDbIndex: uidNumber,gidNumber eq\nolcDbIndex: member,memberUid eq\nolcDbIndex: sudoUser,sudoHost pres,eq\n<\/code><\/pre>\n\n\n\n<p>Your OpenLDAP server should now be able to provide SUDO access for users. This is subject to further configuration, however. 
Follow the link below to complete this;<\/p>\n\n\n\n<p><a rel=\"noreferrer noopener\" href=\"https:\/\/kifarunix.com\/how-to-configure-sudo-via-openldap-server\/\" target=\"_blank\">How to Configure SUDO access via OpenLDAP Server<\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"create-open-ldap-user-accounts\">Create OpenLDAP User Accounts<\/h3>\n\n\n\n<p>Before we can create OpenLDAP user accounts, we need to create the organizational unit containers for storing users and their group information. See our example below. Be sure to make the relevant changes as per your environment setup.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>vim users-ou.ldif<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>dn: ou=people,dc=kifarunix-demo,dc=com\nobjectClass: organizationalUnit\nobjectClass: top\nou: people\n\ndn: ou=groups,dc=kifarunix-demo,dc=com\nobjectClass: organizationalUnit\nobjectClass: top\nou: groups\n<\/code><\/pre>\n\n\n\n<p>Before you can update the database with the user OU information above, you need to adjust the SLAPD database access controls;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>vim update-mdb-acl.ldif<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>dn: olcDatabase={1}mdb,cn=config\nchangetype: modify\nreplace: olcAccess\nolcAccess: to attrs=userPassword,shadowLastChange,shadowExpire\n  by self write\n  by anonymous auth\n  by dn.subtree=\"gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\" manage\n  by dn.exact=\"cn=readonly,ou=people,dc=kifarunix-demo,dc=com\" read\n  by * none\nolcAccess: to dn.exact=\"cn=readonly,ou=people,dc=kifarunix-demo,dc=com\" by dn.subtree=\"gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\" manage by * none\nolcAccess: to dn.subtree=\"dc=kifarunix-demo,dc=com\" by dn.subtree=\"gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\" manage\n  by users read\n  by * none\n<\/code><\/pre>\n\n\n\n<p>Save and exit the file.<\/p>\n\n\n\n<p>Note that we have 
included the access controls for the Read Only Bind DN user that we will create later in this guide.<\/p>\n\n\n\n<p>Update database ACL with the above information by running the command below;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ldapadd -Y EXTERNAL -H ldapi:\/\/\/ -f update-mdb-acl.ldif<\/code><\/pre>\n\n\n\n<p>Once that is done, you should now be able, as the admin, to create the users OU as shown above. Therefore, to update the database with the user OU information above, run the command below;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ldapadd -Y EXTERNAL -H ldapi:\/\/\/ -f users-ou.ldif<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>...\n<strong>adding new entry \"ou=people,dc=kifarunix-demo,dc=com\"\nadding new entry \"ou=groups,dc=kifarunix-demo,dc=com\"<\/strong><\/code><\/pre>\n\n\n\n<p>Once you have the user OU containers created, you can now add user accounts. In this demo, we will create a user called <strong>johndoe<\/strong> in our OpenLDAP database.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>vim johndoe.ldif<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>dn: uid=johndoe,ou=people,dc=kifarunix-demo,dc=com\nobjectClass: inetOrgPerson\nobjectClass: posixAccount\nobjectClass: shadowAccount\nuid: johndoe\ncn: John\nsn: Doe\nloginShell: \/bin\/bash\nuidNumber: 10000\ngidNumber: 10000\nhomeDirectory: \/home\/johndoe\nshadowMax: 60\nshadowMin: 1\nshadowWarning: 7\nshadowInactive: 7\nshadowLastChange: 0\n\ndn: cn=johndoe,ou=groups,dc=kifarunix-demo,dc=com\nobjectClass: posixGroup\ncn: johndoe\ngidNumber: 10000\nmemberUid: johndoe\n<\/code><\/pre>\n\n\n\n<p>To add the user johndoe to the database using the information above, run the command below;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ldapadd -Y EXTERNAL -H ldapi:\/\/\/ -f johndoe.ldif<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>adding new entry \"uid=johndoe,ou=people,dc=kifarunix-demo,dc=com\"\nadding new 
entry \"cn=johndoe,ou=groups,dc=kifarunix-demo,dc=com\"<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"setting-password-for-ldap-user\">Setting Password for LDAP User<\/h4>\n\n\n\n<p>As you may have noticed, we didn&#8217;t set a password for the user above. To set\/reset the password for the user, run the command below;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ldappasswd -H ldapi:\/\/\/ -Y EXTERNAL -S \"uid=johndoe,ou=people,dc=kifarunix-demo,dc=com\"<\/code><\/pre>\n\n\n\n<p>To verify the user&#8217;s password;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ldapwhoami -h ldap.kifarunix-demo.com -x -D \"uid=johndoe,ou=people,dc=kifarunix-demo,dc=com\" -W<\/code><\/pre>\n\n\n\n<p>If the password is correct, you should see the user&#8217;s DN;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>dn:uid=johndoe,ou=people,dc=kifarunix-demo,dc=com<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"create-open-ldap-bind-dn\">Create OpenLDAP BIND DN<\/h3>\n\n\n\n<p>There are two OpenLDAP BIND DNs;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code><strong>Administrator Bind DN<\/strong><\/code>: defines the admin username and password. 
It is used only for querying the directory server and so this user must have privileges to search the directory.<\/li>\n\n\n\n<li><code><strong>User Bind DN<\/strong><\/code>: defines the user&#8217;s username and password, and is used for authentication and password change operations.<\/li>\n<\/ul>\n\n\n\n<p>In this demo, we will create a user Bind DN called <code><strong>readonly<\/strong><\/code> for read operations.<\/p>\n\n\n\n<p>Generate the password hash for the bind DN user;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>slappasswd<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>New password: <strong>password<\/strong>\nRe-enter new password: <strong>password<\/strong>\n<strong>{SSHA}qUwFrgsseX1ztrJ64wq63SNqGuSnLics<\/strong><\/code><\/pre>\n\n\n\n<p>Copy the hash above and use it as the value of <code><strong>userPassword<\/strong><\/code> below;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>vim readonly-user.ldif<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>dn: cn=readonly,ou=people,dc=kifarunix-demo,dc=com\nobjectClass: organizationalRole\nobjectClass: simpleSecurityObject\ncn: readonly\nuserPassword: {SSHA}qUwFrgsseX1ztrJ64wq63SNqGuSnLics\ndescription: Bind DN user for LDAP Operations\n<\/code><\/pre>\n\n\n\n<p>Add the bind user to the LDAP database;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ldapadd -Y EXTERNAL -H ldapi:\/\/\/ -f readonly-user.ldif<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>adding new entry \"cn=readonly,ou=people,dc=kifarunix-demo,dc=com\"<\/code><\/pre>\n\n\n\n<p>Define the access controls for the user bind DN. See what we have in our ACL file above. 
Or simply run the command below to check the ACLs defined;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:\/\/\/ -b cn=config '(olcDatabase={1}mdb)' olcAccess<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"allow-open-ldap-service-on-firewall\">Allow OpenLDAP Service on Firewall<\/h3>\n\n\n\n<p>If UFW is running, allow OpenLDAP (both LDAP and LDAPS) external access;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ufw allow \"OpenLDAP LDAP\"<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ufw allow \"OpenLDAP LDAPS\"<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"authenticate-via-open-ldap-server\">Authenticate Via OpenLDAP Server<\/h3>\n\n\n\n<p>The basic installation and configuration of OpenLDAP server on Ubuntu 20.04 is done. All that remains now is to configure your clients to authenticate via OpenLDAP;<\/p>\n\n\n\n<p>Follow the link below to learn how to configure SSSD for OpenLDAP authentication on Ubuntu 20.04;<\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/configure-sssd-for-ldap-authentication-on-ubuntu-20-04\/\" target=\"_blank\" rel=\"noreferrer noopener\">Configure SSSD for LDAP Authentication on Ubuntu 20.04<\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"related-tutorials\">Related Tutorials<\/h3>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/install-and-setup-openldap-on-centos-8\/\" target=\"_blank\" rel=\"noreferrer noopener\">Install and Setup OpenLDAP on CentOS 8<\/a><\/p>\n\n\n\n<p><a rel=\"noreferrer noopener\" href=\"https:\/\/kifarunix.com\/install-and-configure-openldap-server-on-debian-9-stretch\/\" target=\"_blank\">Install and Configure OpenLDAP Server on Debian 9 Stretch<\/a><\/p>\n\n\n\n<p><a rel=\"noreferrer noopener\" href=\"https:\/\/kifarunix.com\/setup-openldap-server-with-ssl-tls-on-debian-10\/\" target=\"_blank\">Setup OpenLDAP Server with SSL\/TLS on Debian 10<\/a><\/p>\n\n\n\n<p><a rel=\"noreferrer noopener\" 
href=\"https:\/\/kifarunix.com\/configure-sssd-for-openldap-authentication-on-ubuntu-18-04\/\" target=\"_blank\">Configure SSSD for OpenLDAP Authentication on Ubuntu 18.04<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this tutorial, we are going to learn how to install and setup OpenLDAP Server on Ubuntu 20.04. OpenLDAP Software\u00a0is an\u00a0open source\u00a0implementation of the\u00a0Lightweight\u00a0Directory\u00a0Access\u00a0Protocol. LDAP<\/p>\n","protected":false},"author":3,"featured_media":9219,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[121,285,1099],"tags":[1587,1586,1589,1590,1588,1200],"class_list":["post-5846","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-howtos","category-directory-server","category-openldap","tag-install-ldap-ubuntu-20-04","tag-install-openldap-on-ubuntu-20-04","tag-openldap-server","tag-openldap-with-ssl","tag-setup-openldap-server-ubuntu-20-04","tag-ubuntu-20-04","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/5846"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=5846"}],"version-history":[{"count":11,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/5846\/revisions"}],"predecessor-version":[{"id":22441,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/5846\/revisions\/22441"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/9219"}],"wp:attachment":[{"href":"https:\/\/kifaru
nix.com\/wp-json\/wp\/v2\/media?parent=5846"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=5846"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=5846"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}