Configure the hostname and FQDN of the VM/system that will run the LDAP server. Do this before installing slapd: Debian's slapd package derives the default base DN (here dc=example,dc=com) from the host's DNS domain name. (example.com is used throughout to mask the real domain.)

root@ldap:~# hostname --fqdn
ldap.example.com
root@ldap:~# cat /etc/hosts
127.0.0.1 localhost
10.1.2.22 ldap.example.com ldap

# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
root@ldap:~#
Install OpenLDAP server
# apt install -y slapd ldap-utils

When prompted for the administrator password, set one; it becomes the password of cn=admin,dc=example,dc=com and is what every ldapadd -W below asks for. Verify the installation with slapcat, which dumps the directory straight from the database: the base entry and the admin entry should be present. Treat slapcat output as sensitive, since it includes the password hashes (the userPassword:: value below is the base64-encoded {SSHA} hash of the admin password).

root@ldap:~# slapcat
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: example.net
dc: example
structuralObjectClass: organization
entryUUID: ec8e0e54-e116-1039-9c12-4557ab3d8f0e
creatorsName: cn=admin,dc=example,dc=com
createTimestamp: 20200211123652Z
entryCSN: 20200211123652.176975Z#000000#000#000000
modifiersName: cn=admin,dc=example,dc=com
modifyTimestamp: 20200211123652Z

dn: cn=admin,dc=example,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: e1NTSEF9eUJod1ExVkNIYSs4RGR3V0RUTVFaWks3Z1FPYno4WU4=
structuralObjectClass: organizationalRole
entryUUID: ec8e3e88-e116-1039-9c13-4557ab3d8f0e
creatorsName: cn=admin,dc=example,dc=com
createTimestamp: 20200211123652Z
entryCSN: 20200211123652.178255Z#000000#000#000000
modifiersName: cn=admin,dc=example,dc=com
modifyTimestamp: 20200211123652Z
root@ldap:~#
Next, add the organizational units that will hold users and groups. Create a file basedn.ldif with the following content. Note the blank line between the two records: LDIF separates entries with an empty line, and ldapadd will reject the file without it.

# nano basedn.ldif
dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=example,dc=com
objectClass: organizationalUnit
ou: groups
Apply the configuration
root@ldap:~# ldapadd -x -D cn=admin,dc=example,dc=com -W -f basedn.ldif
Enter LDAP Password:
adding new entry "ou=people,dc=example,dc=com"

adding new entry "ou=groups,dc=example,dc=com"

root@ldap:~#
Let's add one user. Before creating the user, use the slappasswd utility to generate a hash of the user's password; the hash, never the clear-text password, goes into the LDIF. By default slappasswd produces a salted SHA-1 ({SSHA}) value.

root@ldap:~# slappasswd
New password:
Re-enter new password:
{SSHA}YZNs3xQmFqv4qdksM/cMg/4QXBtb8TpD
root@ldap:~#
Create an LDIF file (ldapusers.ldif) with the details of the account to be created. userPassword is the hash generated in the previous step; uid is the account (login) name; cn and sn are the user's given name and surname. The dc= components of the DN must match the base DN shown by slapcat, and gidNumber should match the primary group created below.

dn: uid=sandeep,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: Sandeep
sn: Rao
userPassword: {SSHA}YZNs3xQmFqv4qdksM/cMg/4QXBtb8TpD
loginShell: /bin/bash
homeDirectory: /home/sandeep
uidNumber: 3000
gidNumber: 3000
Apply the configuration
root@ldap:~# ldapadd -x -D cn=admin,dc=example,dc=com -W -f ldapusers.ldif
Enter LDAP Password:
adding new entry "uid=sandeep,ou=people,dc=example,dc=com"

root@ldap:~#
Now add one group. The process is the same, except that no password is needed: write the LDIF, then apply it with the same ldapadd command, pointing -f at ldapgroups.ldif. cn is the group name and memberUid is the uid of the user created above.

root@ldap:~# cat ldapgroups.ldif
dn: cn=developers,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: developers
gidNumber: 3000
memberUid: sandeep
root@ldap:~#
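The slappasswd step and the three hand-written LDIF files above are small enough to be generated and checked by a script. The following is an added example, not code from the original page or from OpenLDAP: it reproduces the {SSHA} scheme slappasswd uses (base64 of sha1(password || salt) followed by the 4-byte salt), verifies a password against such a hash (useful when checking a value dumped by slapcat), and builds the OU, user and group records with the blank-line separators and RFC 2849 base64 (`::`) encoding that hand-edited LDIF most often gets wrong. The function names, the base DN dc=example,dc=com and the sample values (sandeep, developers, 3000) are assumptions taken from this page.

```python
"""Added example (not from the original page): reproduce what slappasswd and
the hand-written basedn/ldapusers/ldapgroups LDIF files do, offline.

Assumptions: base DN dc=example,dc=com and the user/group values used on the
page; the function names are this example's own, not an OpenLDAP API."""
import base64
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

BASE_DN = "dc=example,dc=com"


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """{SSHA} as slappasswd emits it: base64(sha1(password || salt) || salt).
    slappasswd uses a 4-byte random salt, appended to the digest."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_parts(stored: str) -> Tuple[bytes, bytes]:
    """Split a {SSHA} userPassword value into (digest, salt)."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    return raw[:20], raw[20:]          # SHA-1 digest is 20 bytes; the rest is salt


def ssha_verify(password: str, stored: str) -> bool:
    """Check a candidate password against a stored {SSHA} hash (constant-time compare)."""
    digest, salt = ssha_parts(stored)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def ldif_line(attr: str, value: str) -> str:
    """RFC 2849: a value that starts with space, ':' or '<', ends with a space,
    or contains non-ASCII or control characters must be base64-encoded after '::'."""
    unsafe = (not value.isascii()
              or value[:1] in (" ", ":", "<")
              or value.endswith(" ")
              or any(ord(c) < 32 or ord(c) == 127 for c in value))
    if unsafe:
        return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{attr}: {value}"


def ldif_entry(dn: str, attrs: List[Tuple[str, str]]) -> str:
    """One LDIF record, newline-terminated; records are joined with a blank line."""
    return "\n".join([ldif_line("dn", dn)] + [ldif_line(a, v) for a, v in attrs]) + "\n"


def base_ldif(base_dn: str = BASE_DN) -> str:
    """Equivalent of basedn.ldif: the people and groups OUs."""
    return "\n".join([
        ldif_entry(f"ou=people,{base_dn}", [("objectClass", "organizationalUnit"), ("ou", "people")]),
        ldif_entry(f"ou=groups,{base_dn}", [("objectClass", "organizationalUnit"), ("ou", "groups")]),
    ])


def user_ldif(uid: str, cn: str, sn: str, password_hash: str,
              uid_number: int, gid_number: int, base_dn: str = BASE_DN) -> str:
    """Equivalent of ldapusers.ldif: an inetOrgPerson/posixAccount/shadowAccount entry."""
    return ldif_entry(f"uid={uid},ou=people,{base_dn}", [
        ("objectClass", "inetOrgPerson"), ("objectClass", "posixAccount"),
        ("objectClass", "shadowAccount"), ("cn", cn), ("sn", sn),
        ("userPassword", password_hash), ("loginShell", "/bin/bash"),
        ("homeDirectory", f"/home/{uid}"), ("uidNumber", str(uid_number)),
        ("gidNumber", str(gid_number)),
    ])


def group_ldif(cn: str, gid_number: int, members: List[str], base_dn: str = BASE_DN) -> str:
    """Equivalent of ldapgroups.ldif: a posixGroup listing member uids."""
    attrs = [("objectClass", "posixGroup"), ("cn", cn), ("gidNumber", str(gid_number))]
    attrs += [("memberUid", m) for m in members]
    return ldif_entry(f"cn={cn},ou=groups,{base_dn}", attrs)


if __name__ == "__main__":
    import getpass
    pw_hash = ssha_hash(getpass.getpass("New password: "))
    # Pipe the output to: ldapadd -x -D cn=admin,dc=example,dc=com -W
    print(base_ldif(), user_ldif("sandeep", "Sandeep", "Rao", pw_hash, 3000, 3000),
          group_ldif("developers", 3000, ["sandeep"]), sep="\n")
```

Running the script and piping its output into ldapadd -x -D cn=admin,dc=example,dc=com -W loads all three records in one go. Afterwards, ldapwhoami -x -D uid=sandeep,ou=people,dc=example,dc=com -W -H ldap://ldap.example.com should print dn:uid=sandeep,ou=people,dc=example,dc=com, which confirms both that the entry exists and that the stored hash matches the password. Note that -x on an ldap:// URL sends that password in the clear; use ldaps:// or -ZZ (StartTLS) once TLS is configured on the server.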
Install LAM (LDAP Account Manager), a web-based LDAP management front-end. Download the Debian package from https://www.ldap-account-manager.org/lamcms/releases. Installing it with dpkg -i alone fails, because dpkg does not resolve dependencies:

root@ldap:~# dpkg -i ldap-account-manager_7.0-1_all.deb
Selecting previously unselected package ldap-account-manager.
(Reading database … 32159 files and directories currently installed.)
Preparing to unpack ldap-account-manager_7.0-1_all.deb …
Unpacking ldap-account-manager (7.0-1) …
dpkg: dependency problems prevent configuration of ldap-account-manager:
 ldap-account-manager depends on php5 (>= 5.4.26) | php (>= 7); however:
  Package php5 is not installed.
  Package php is not installed.
 ldap-account-manager depends on php5-ldap | php-ldap; however:
  Package php5-ldap is not installed.
  Package php-ldap is not installed.
 ldap-account-manager depends on php5-gd | php-gd | php5-imagick | php-imagick; however:
  Package php5-gd is not installed.
  Package php-gd is not installed.
  Package php5-imagick is not installed.
  Package php-imagick is not installed.
 ldap-account-manager depends on php5-json | php-json; however:
  Package php5-json is not installed.
  Package php-json is not installed.
 ldap-account-manager depends on php5-curl | php-curl; however:
  Package php5-curl is not installed.
  Package php-curl is not installed.
 ldap-account-manager depends on php5 | php-zip; however:
  Package php5 is not installed.
  Package php-zip is not installed.
 ldap-account-manager depends on php5 | php-xml; however:
  Package php5 is not installed.
  Package php-xml is not installed.
 ldap-account-manager depends on libapache2-mod-php5 | libapache2-mod-php | libapache2-mod-fcgid | php5-fpm | php-fpm; however:
  Package libapache2-mod-php5 is not installed.
  Package libapache2-mod-php is not installed.
  Package libapache2-mod-fcgid is not installed.
  Package php5-fpm is not installed.
  Package php-fpm is not installed.
 ldap-account-manager depends on php-phpseclib (>= 2.0); however:
  Package php-phpseclib is not installed.
 ldap-account-manager depends on php-monolog; however:
  Package php-monolog is not installed.
 ldap-account-manager depends on apache2 (>= 2.4.0) | httpd; however:
  Package apache2 is not installed.
  Package httpd is not installed.
 ldap-account-manager depends on fonts-dejavu; however:
  Package fonts-dejavu is not installed.

dpkg: error processing package ldap-account-manager (--install):
 dependency problems - leaving unconfigured
Errors were encountered while processing:
 ldap-account-manager
root@ldap:~#
Note: the package is left unconfigured because its dependencies are missing. apt -f install (fix-broken) pulls in those dependencies and then finishes configuring the half-installed package; it is not a forced install and does not override anything. (Running apt install ./ldap-account-manager_7.0-1_all.deb instead of dpkg -i resolves the dependencies in a single step.)

root@ldap:~# apt -f install
Reading package lists… Done
Building dependency tree
Reading state information… Done
Correcting dependencies… Done
The following additional packages will be installed:
  apache2 apache2-bin apache2-data apache2-utils fontconfig-config fonts-dejavu fonts-dejavu-core fonts-dejavu-extra
  libapache2-mod-php7.3 libapr1 libaprutil1 libaprutil1-dbd-sqlite3 libaprutil1-ldap libbrotli1 libcurl4 libfontconfig1
  libgd3 libjansson4 libjbig0 libjpeg62-turbo liblua5.2-0 libsodium23 libtiff5 libwebp6 libxpm4 libxslt1.1 libzip4
  php php-common php-curl php-gd php-ldap php-monolog php-phpseclib php-psr-log php-xml php-zip php7.3 php7.3-cli
  php7.3-common php7.3-curl php7.3-gd php7.3-json php7.3-ldap php7.3-opcache php7.3-readline php7.3-xml php7.3-zip ssl-cert
Suggested packages:
  apache2-doc apache2-suexec-pristine | apache2-suexec-custom www-browser php-pear libgd-tools git php-graylog2-gelf-php
  php-sentry php-doctrine-couchdb php-ruflin-elastica php-amqplib php-amqp php-mongo php-mongodb php-aws-sdk php-rollbar
  php-console php-libsodium php-mcrypt php-gmp openssl-blacklist
The following NEW packages will be installed:
  apache2 apache2-bin apache2-data apache2-utils fontconfig-config fonts-dejavu fonts-dejavu-core fonts-dejavu-extra
  libapache2-mod-php7.3 libapr1 libaprutil1 libaprutil1-dbd-sqlite3 libaprutil1-ldap libbrotli1 libcurl4 libfontconfig1
  libgd3 libjansson4 libjbig0 libjpeg62-turbo liblua5.2-0 libsodium23 libtiff5 libwebp6 libxpm4 libxslt1.1 libzip4
  php php-common php-curl php-gd php-ldap php-monolog php-phpseclib php-psr-log php-xml php-zip php7.3 php7.3-cli
  php7.3-common php7.3-curl php7.3-gd php7.3-json php7.3-ldap php7.3-opcache php7.3-readline php7.3-xml php7.3-zip ssl-cert
0 upgraded, 49 newly installed, 0 to remove and 0 not upgraded.
1 not fully installed or removed.
Need to get 12.5 MB of archives.
After this operation, 44.7 MB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://debianmirror.nkn.in/debian buster/main amd64 php-common all 2:69 [15.0 kB]
...
Get:49 http://debianmirror.nkn.in/debian buster/main amd64 ssl-cert all 1.0.39 [20.8 kB]
Fetched 12.5 MB in 3s (4,469 kB/s)
Extracting templates from packages: 100%
Preconfiguring packages …
Selecting previously unselected package php-common.
(Reading database … 36427 files and directories currently installed.)
Preparing to unpack …/00-php-common_2%3a69_all.deb …
Unpacking php-common (2:69) …
...
Selecting previously unselected package ssl-cert.
Preparing to unpack …/48-ssl-cert_1.0.39_all.deb …
Unpacking ssl-cert (1.0.39) …
Setting up php-common (2:69) …
Created symlink /etc/systemd/system/timers.target.wants/phpsessionclean.timer → /lib/systemd/system/phpsessionclean.timer.
Setting up libsodium23:amd64 (1.0.17-1) …
Setting up libxpm4:amd64 (1:3.5.12-1) …
Setting up libzip4:amd64 (1.5.1-4) …
Setting up libbrotli1:amd64 (1.0.7-2) …
Setting up libapr1:amd64 (1.6.5-1+b1) …
Setting up libjbig0:amd64 (2.1-3.1+b2) …
Setting up libjansson4:amd64 (2.12-1) …
Setting up php-phpseclib (2.0.14-1) …
Setting up php7.3-common (7.3.11-1~deb10u1) …
Creating config file /etc/php/7.3/mods-available/calendar.ini with new version
...
Setting up ssl-cert (1.0.39) …
...
Creating config file /etc/php/7.3/mods-available/gd.ini with new version
Setting up apache2 (2.4.38-3+deb10u3) …
Enabling module mpm_event.
...
Enabling site 000-default.
Created symlink /etc/systemd/system/multi-user.target.wants/apache2.service → /lib/systemd/system/apache2.service.
Created symlink /etc/systemd/system/multi-user.target.wants/apache-htcacheclean.service → /lib/systemd/system/apache-htcacheclean.service.
Setting up libapache2-mod-php7.3 (7.3.11-1~deb10u1) …
Creating config file /etc/php/7.3/apache2/php.ini with new version
Module mpm_event disabled.
Enabling module mpm_prefork.
apache2_switch_mpm Switch to prefork
apache2_invoke: Enable module php7.3
Setting up php-gd (2:7.3+69) …
Setting up php7.3 (7.3.11-1~deb10u1) …
Setting up php (2:7.3+69) …
Setting up ldap-account-manager (7.0-1) …
Enabling conf ldap-account-manager.
Processing triggers for systemd (241-7~deb10u3) …
Processing triggers for man-db (2.8.5-2) …
Processing triggers for libc-bin (2.28-10) …
root@ldap:~#
Complete the installation. apt -f install has already configured the package ("Setting up ldap-account-manager (7.0-1)" above), so re-running dpkg -i is only a harmless re-unpack; it confirms the package is now in a fully installed state.

root@ldap:~# dpkg -i ldap-account-manager_7.0-1_all.deb
(Reading database … 37774 files and directories currently installed.)
Preparing to unpack ldap-account-manager_7.0-1_all.deb …
Unpacking ldap-account-manager (7.0-1) over (7.0-1) …
Setting up ldap-account-manager (7.0-1) …
root@ldap:~#
Configure LDAP Account Manager by opening it in a browser. Note that the URL below is plain HTTP: the LAM master password and the LDAP administrator credentials you enter cross the network in the clear. This is acceptable on an isolated lab network, but LAM should be served over HTTPS (apache2 with the ssl module and a certificate) before it is exposed anywhere else.
http://ldap.example.com/lam/templates/login.php
and click on LAM configuration at right top corner
In the next page select Edit Server Profiles
On the next page log in with the default server-profile password, 'lam'. The first thing to do is change it: on the General settings tab scroll to the bottom, enter the new password and click Save in the bottom-left corner of the page. You will be logged out; click LAM configuration again and log in with the new password.
Now update the tree suffix in the Server settings section (dc=example,dc=com in this setup).
Next update the Security settings with the LDAP administrator DN (cn=admin,dc=example,dc=com), which is the account LAM will bind as.
Save (bottom-left corner), switch to the "Account types" tab and set the LDAP suffix for users (ou=people,dc=example,dc=com) and groups (ou=groups,dc=example,dc=com).
Should you prefer to enable other account types (for authentication) you can do it in modules tab.
On saving the configuration you will be taken to the login page.
Creating groups and users
Log in as admin with the LDAP administrator password set during the slapd installation (the same password ldapadd -W prompted for earlier).
First create a group, then a user. After logging in, select the Groups tab and click New group. Provide the group name and, optionally, the other values.
Click Save.
Now click the Users tab and fill in the Personal details of the new user.
In the Unix section set the Username, Common name, UID number (optional; LAM allocates one if left empty), User comment, User primary group, Secondary groups, Home directory and the default Login shell.
The Shadow section holds password aging and expiry settings (nothing was configured there for this setup).
Finally click Save and you are done.