LDAP Server Setup on Ubuntu 20.04 LTS
LDAP (Lightweight Directory Access Protocol) is an open, vendor-neutral application protocol for accessing and maintaining distributed directory information services. It's commonly used for authentication and storing information about users, groups, and applications.
Centralized Authentication
LDAP provides a centralized authentication system that can be used by multiple services and applications.
Directory Services
Store and organize information about users, groups, systems, and network resources in a hierarchical structure.
Access Control
Implement fine-grained access control policies to secure sensitive information in your directory.
Prerequisites
- Ubuntu 20.04 LTS server
- Minimum 2GB RAM (4GB recommended for production)
- 20GB+ of disk space
- Root or sudo privileges
- Static IP address configured
- Fully Qualified Domain Name (FQDN)
- Basic knowledge of Linux command line
1 System Preparation
Update your system and set the hostname:
sudo apt update && sudo apt upgrade -y
sudo hostnamectl set-hostname ldap.example.com
exec bash
Edit the hosts file to include the FQDN:
sudo nano /etc/hosts
Add an entry for your server (replace with your actual IP and domain):
192.168.1.100 ldap.example.com ldap
2 Install LDAP Server
Install OpenLDAP server and utilities:
sudo apt install -y slapd ldap-utils
During installation, you'll be prompted for an administrator password. Enter a strong password.
Reconfigure slapd if you need to change settings:
sudo dpkg-reconfigure slapd
Follow the prompts to configure your LDAP domain.
3 Configure Firewall
Allow LDAP through the firewall:
sudo ufw allow ldap
sudo ufw enable
Alternatively, open specific ports for LDAP:
sudo ufw allow 389/tcp # LDAP
sudo ufw allow 636/tcp # LDAPS
sudo ufw allow 389/udp # LDAP over UDP; slapd itself listens on TCP only, so this rule is optional
sudo ufw enable
Verify the firewall status:
sudo ufw status
4 Verify LDAP Installation
Check if the LDAP server is running:
sudo systemctl status slapd
Test the LDAP connection:
ldapsearch -x -LLL -H ldap:/// -b dc=example,dc=com
You should see basic information about your LDAP directory.
5 Configure LDAP Base Structure
Create a file to define the base structure of your LDAP directory:
nano base.ldif
Add the following content (replace with your domain information). Entries in an LDIF file must be separated by a blank line. The cn=admin,dc=example,dc=com administrator entry is not defined here because the slapd package already creates it when the database is configured; adding it a second time fails with "Already exists":
dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Groups,dc=example,dc=com
objectClass: organizationalUnit
ou: Groups
Add the base structure to LDAP:
ldapadd -x -D cn=admin,dc=example,dc=com -W -f base.ldif
You'll be prompted for the admin password.
6 Create LDAP Users
Create a file to define a user:
nano user.ldif
Add the following content (replace with your user information):
dn: uid=john,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: john
sn: Doe
givenName: John
cn: John Doe
displayName: John Doe
uidNumber: 10000
gidNumber: 10000
# {CRYPT}x is a placeholder that matches no password; ldappasswd sets the real one below
userPassword: {CRYPT}x
gecos: John Doe
loginShell: /bin/bash
homeDirectory: /home/john
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0
Add the user to LDAP:
ldapadd -x -D cn=admin,dc=example,dc=com -W -f user.ldif
Set the user password:
ldappasswd -x -D cn=admin,dc=example,dc=com -W -S uid=john,ou=People,dc=example,dc=com
7 Create LDAP Groups
Create a file to define a group:
nano group.ldif
Add the following content:
dn: cn=developers,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: developers
gidNumber: 10000
memberUid: john
Add the group to LDAP:
ldapadd -x -D cn=admin,dc=example,dc=com -W -f group.ldif
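As an added example (not code from the original guide), the following script builds the LDIF for steps 6 and 7 from parameters and lints it before ldapadd sees it, so the two most common causes of the "Schema violations" row in step 12 (entries not separated by a blank line, and a MUST attribute missing from a posixAccount or posixGroup entry) are reported locally instead of by the server. It assumes the suffix dc=example,dc=com and the ou=People and ou=Groups containers created in step 5; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original guide: build the user and group
# entries from steps 6 and 7 from parameters and lint the LDIF before it is
# handed to ldapadd. Assumes the suffix dc=example,dc=com and the
# ou=People/ou=Groups containers from step 5; function names are this
# example's own.
BASE_DN="dc=example,dc=com"

# make_user_ldif <uid> <givenName> <sn> <uidNumber> <gidNumber>
# {CRYPT}x matches no password, so the account is unusable until ldappasswd runs.
make_user_ldif() {
  cat <<EOF
dn: uid=$1,ou=People,$BASE_DN
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: $1
sn: $3
givenName: $2
cn: $2 $3
displayName: $2 $3
uidNumber: $4
gidNumber: $5
userPassword: {CRYPT}x
loginShell: /bin/bash
homeDirectory: /home/$1
EOF
}

# make_group_ldif <cn> <gidNumber> [memberUid ...]
make_group_ldif() {
  printf 'dn: cn=%s,ou=Groups,%s\nobjectClass: posixGroup\ncn: %s\ngidNumber: %s\n' \
    "$1" "$BASE_DN" "$1" "$2"
  shift 2
  for m in "$@"; do printf 'memberUid: %s\n' "$m"; done
}

# check_ldif: reads LDIF on stdin and returns 1 (with one message per problem)
# if an entry does not begin with "dn:", two entries are not separated by a
# blank line, or a posixAccount/posixGroup entry lacks one of its MUST attributes.
check_ldif() {
  awk '
    BEGIN { bad = 0 }
    function end_entry(   req, n, i, k, miss) {
      if (dn == "") return
      n = 0
      if (oc["posixAccount"]) n = split("uid cn uidNumber gidNumber homeDirectory", req, " ")
      else if (oc["posixGroup"]) n = split("cn gidNumber", req, " ")
      miss = ""
      for (i = 1; i <= n; i++) if (!attr[req[i]]) miss = miss " " req[i]
      if (miss != "") { printf "%s: missing%s\n", dn, miss; bad = 1 }
      dn = ""
      for (k in oc) delete oc[k]
      for (k in attr) delete attr[k]
    }
    /^#/ { next }                     # LDIF comment
    /^[ \t]*$/ { end_entry(); next }  # a blank line ends the entry
    /^dn: / {
      if (dn != "") { printf "line %d: no blank line before new dn\n", NR; bad = 1; end_entry() }
      dn = substr($0, 5); next
    }
    dn == "" { printf "line %d: entry must start with dn:\n", NR; bad = 1; next }
    /^objectClass: / { oc[$2] = 1; next }
    { a = $0; sub(/:.*/, "", a); attr[a] = 1 }   # remember attribute names seen
    END { end_entry(); exit bad }
  '
}

# add_user <uid> <givenName> <sn> <uidNumber> <gidNumber>
# On the server: generate, lint, add, then set the password as step 6 does.
add_user() {
  make_user_ldif "$@" > "user-$1.ldif" &&
    check_ldif < "user-$1.ldif" &&
    ldapadd -x -D "cn=admin,$BASE_DN" -W -f "user-$1.ldif" &&
    ldappasswd -x -D "cn=admin,$BASE_DN" -W -S "uid=$1,ou=People,$BASE_DN"
}
```

check_ldif reads standard input and exits non-zero with one line per problem, so it can sit in front of any ldapadd call; add_user chains generation, the check, ldapadd and ldappasswd in the same order step 6 performs them by hand.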
8 Enable LDAPS (SSL Encryption)
Generate SSL certificates:
sudo apt install -y gnutls-bin ssl-cert
sudo certtool --generate-privkey --bits 2048 --outfile /etc/ssl/private/ldap_slapd_key.pem
sudo certtool --generate-self-signed --load-privkey /etc/ssl/private/ldap_slapd_key.pem --outfile /etc/ssl/certs/ldap_slapd_cert.pem
Set proper permissions:
sudo chown openldap:openldap /etc/ssl/private/ldap_slapd_key.pem
sudo chmod 600 /etc/ssl/private/ldap_slapd_key.pem
Point the LDAP client library at the server certificate by editing the client configuration file:
sudo nano /etc/ldap/ldap.conf
Add the following lines:
TLS_CACERT /etc/ssl/certs/ldap_slapd_cert.pem
TLS_REQCERT allow
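Step 8 generates a certificate and configures the client side of /etc/ldap/ldap.conf, but slapd does not offer TLS until it is told where the key and certificate are and ldaps:/// is added to its listeners. The following script is an added example, not part of the original guide: it produces the cn=config change, the /etc/default/slapd line and the client setting, and contrasts TLS_REQCERT allow with demand. It uses the file paths and the hostname ldap.example.com from this guide; the function names are this example's own, and it assumes the certificate subject names ldap.example.com (entered at the certtool prompts) so that strict verification can succeed.

```shell
#!/bin/sh
# Added example, not part of the original guide: the server-side half of
# step 8. Paths are those of step 8; function names and the use of "replace"
# are this example's own.
KEY=/etc/ssl/private/ldap_slapd_key.pem
CERT=/etc/ssl/certs/ldap_slapd_cert.pem

# LDIF for cn=config. The certificate is self-signed, so it also serves as the
# CA certificate. All three attributes go in one modify operation because slapd
# validates the key/certificate pair when the change is applied.
tls_config_ldif() {
  cat <<EOF
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: $CERT
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: $CERT
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: $KEY
EOF
}

# Listener line for /etc/default/slapd: ldaps:/// adds port 636 next to the
# plain port 389 listener and the local ldapi:/// socket.
slapd_services_line() {
  printf 'SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"\n'
}

# Client verification policy for /etc/ldap/ldap.conf. "allow" (the value used
# in step 8) accepts any certificate, including one presented by an impostor,
# so it only hides errors; "demand" refuses the connection unless the server
# certificate chains to TLS_CACERT and names the host.
client_tls_conf() {   # client_tls_conf allow|demand
  printf 'TLS_CACERT %s\nTLS_REQCERT %s\n' "$CERT" "$1"
}

# apply_tls_config: run as root on the server (not executed here).
# /etc/ssl/private is root:ssl-cert mode 0710, so the chown in step 8 alone
# does not let slapd open the key; the openldap user must join ssl-cert.
# SASL EXTERNAL over ldapi:/// authenticates the local root user, which the
# default configuration maps to the cn=config administrator.
apply_tls_config() {
  gpasswd -a openldap ssl-cert &&
    tls_config_ldif | ldapmodify -Y EXTERNAL -H ldapi:/// &&
    sed -i "s|^SLAPD_SERVICES=.*|$(slapd_services_line)|" /etc/default/slapd &&
    systemctl restart slapd
}

# verify_ldaps: confirm port 636 answers and that strict verification passes;
# the certificate subject must name ldap.example.com for the second check.
verify_ldaps() {
  openssl s_client -connect ldap.example.com:636 -CAfile "$CERT" </dev/null | grep 'Verify return code' &&
    LDAPTLS_CACERT="$CERT" LDAPTLS_REQCERT=demand \
      ldapsearch -x -H ldaps://ldap.example.com -b dc=example,dc=com -s base dn
}
```

Keep TLS_REQCERT allow only while debugging the handshake; once verify_ldaps succeeds with demand, write that setting to /etc/ldap/ldap.conf so that the simple binds made by the client tools and by PAM in step 11 cannot be redirected to a server presenting an untrusted certificate.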
9 Configure LDAP Client Tools
Install LDAP client utilities:
sudo apt install -y ldap-utils libnss-ldap libpam-ldap
During installation, you'll be prompted for:
- LDAP server Uniform Resource Identifier: ldap://ldap.example.com/
- Distinguished name of the search base: dc=example,dc=com
- LDAP version to use: 3
- Make local root Database admin: Yes
- Does the LDAP database require login? No
- LDAP account for root: cn=admin,dc=example,dc=com
- LDAP root account password: (your admin password)
Configure the LDAP client manually if needed:
sudo nano /etc/ldap/ldap.conf
Add the following configuration:
BASE dc=example,dc=com
URI ldap://ldap.example.com
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
TLS_REQCERT allow
10 Test LDAP Configuration
Search for all entries in the directory:
ldapsearch -x -LLL -b dc=example,dc=com
Search for a specific user:
ldapsearch -x -LLL -b dc=example,dc=com uid=john
Test authentication with a user:
ldapwhoami -x -D uid=john,ou=People,dc=example,dc=com -W
Test the TLS connection (-Z upgrades the plain port 389 session with StartTLS; LDAPS on port 636 is tested by connecting to a ldaps:// URI instead):
ldapsearch -x -LLL -Z -b dc=example,dc=com
11 Configure System Authentication with LDAP
Configure PAM to use LDAP for authentication:
sudo pam-auth-update
Select "LDAP Authentication" and "Create home directory on login".
Configure NSS to use LDAP:
sudo nano /etc/nsswitch.conf
Update the following lines:
passwd: compat systemd ldap
group: compat systemd ldap
shadow: compat ldap
Test LDAP authentication:
getent passwd john
id john
12 Troubleshooting Common Issues
Check LDAP service status:
sudo systemctl status slapd
sudo journalctl -u slapd -f
Check LDAP logs:
sudo tail -f /var/log/syslog | grep slapd
Test LDAP configuration:
sudo slaptest -u
Common issues and solutions:
| Issue | Solution |
|---|---|
| Connection refused | Check firewall settings and LDAP service status |
| Authentication failures | Verify user credentials and LDAP configuration |
| SSL/TLS errors | Check certificate permissions and configuration |
| Schema violations | Verify objectClass attributes in LDIF files |