LDAP, the Lightweight Directory Access Protocol, is used over an IP network to query and modify an X.500-style directory service: a distributed database whose records are organized in a hierarchical tree. If you're curious as to how LDAP fits in with Active Directory, think of it this way: Active Directory is a directory service (the database), and LDAP is one of the protocols used to talk to it. LDAP is used to authenticate users (a "bind"), as well as to add, update, and remove objects within a directory.
I want to show you how to install OpenLDAP on the latest iteration of Ubuntu, and then how to populate an LDAP database with a first entry. All you will need for this is a running instance of Ubuntu 18.04 and a user account with sudo privileges.
And with that said, let’s install.
Installation
The first thing you’ll want to do is run an update/upgrade on the server. Remember, during this process the kernel could be upgraded, which will require a reboot. Because of this, run the update/upgrade during a time when a reboot is feasible.
To take care of the update/upgrade, open a terminal window and issue the commands:
sudo apt-get update
sudo apt-get upgrade
Once that finishes, you’re ready to install OpenLDAP. For this, go back to the terminal window and issue the command:
sudo apt install slapd ldap-utils
During the installation, you will be asked to create an admin password for the LDAP directory (Figure A).
Figure A
After the installation completes, you may want to modify the default Directory Information Tree (DIT) suffix. Let’s go ahead and do that. We’ll change our DIT to dc=example,dc=com. You can change yours to fit your company network needs. To do this, run the command:
sudo dpkg-reconfigure slapd
When prompted with "Omit OpenLDAP server configuration?", answer No, because you do want the configuration to be created. For the DNS domain name, enter example.com; the installer derives the suffix dc=example,dc=com from it (Figure B).
Figure B
You will then be asked for the Organization name, and then to enter and verify the admin password you created during the installation. Once you've done that, select MDB as the database backend, select No when asked whether the database should be removed when slapd is purged, and select Yes to move the old database out of the way. That completes the installation and configuration. Note the administrative account this creates, cn=admin,dc=example,dc=com; you will bind as it when adding data.
Populating your LDAP database
Now we’re going to add initial data to the LDAP database. We’ll do this from a file and create a single entry. From your terminal window, issue the command:
nano ldap_data.ldif
In this new file, add the following contents (Note: You’ll need to modify this file to fit your needs, as this is just an example):
dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Groups,dc=example,dc=com
objectClass: organizationalUnit
ou: Groups

dn: cn=DEPARTMENT,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: DEPARTMENT
gidNumber: 5000

dn: uid=USER,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: USER
sn: LASTNAME
givenName: FIRSTNAME
cn: FULLNAME
displayName: DISPLAYNAME
uidNumber: 10000
gidNumber: 5000
userPassword: PASSWORDHASH
gecos: FULLNAME
loginShell: /bin/bash
homeDirectory: USERDIRECTORY
Two rules of LDIF matter here: each entry is separated from the next by a blank line, and the value used in an entry's DN (cn=DEPARTMENT) must also be present as an attribute of that entry (cn: DEPARTMENT), otherwise slapd rejects the add because the naming attribute is missing.
Where:
- DEPARTMENT is the department or group you want to add. It appears both in the dn and as the cn attribute, and the two must match.
- USER is the login name of the user; it is used as the uid and in the dn.
- LASTNAME is the last name of the user.
- FIRSTNAME is the first name of the user.
- FULLNAME is the full name of the user.
- DISPLAYNAME is the name you want displayed for the user.
- PASSWORDHASH is the user's password in hashed form. Do not put a cleartext password in this file; generate the hash with slappasswd -s 'the-password' (slappasswd is installed with slapd) and paste the whole {SSHA}... string it prints.
- USERDIRECTORY is the user's home directory on the Linux server, for example /home/USER.
The uidNumber and gidNumber values (10000 and 5000 here) should not collide with the local accounts and groups in /etc/passwd and /etc/group on the machines that will consume this directory.
You can also modify the ou entries (People, Groups) to fit your organizational needs. For instance, you can have ou entries like Editorial and Writers, or NetAdmins and SecAdmins, or DevOps and Testers.
Save and close that file. Add the content of the file to LDAP with the command:
ldapadd -x -D cn=admin,dc=example,dc=com -W -f ldap_data.ldif
Once you successfully authenticate with the LDAP admin password, the data will be added. You can then search the database with the command:
ldapsearch -x -LLL -b dc=example,dc=com 'uid=USER' cn gidNumber
Where USER is the name of the user you added. You should see a listing of the added user (Figure C).
Figure C
You now have your first entry in the LDAP database. You can modify that data file every time you need to add an entry, or you can install a web-based front-end for LDAP to make the process a bit easier (we’ll tackle that soon). Either way you handle your LDAP data, you are ready to start employing this incredibly powerful and flexible directory access protocol.