In this lesson we look at an OpenLDAP install on an Ubuntu 16.04 server. Installing OpenLDAP varies depending on the system that you use. On Ubuntu a little of the configuration of the directory is completed during the install, whereby the upper-level or root container is created along with the admin user for that directory. This is achieved by the slapd package, the LDAP server itself, which we install along with ldap-utils, the client tools.
Hostname
We should set the hostname of the system to include the domain name that we want the OpenLDAP directory to use. We set this with hostnamectl and also in the file /etc/hosts. It is the slapd package that reads this data to create the root container, i.e. dn: dc=example,dc=com.
Name Resolution
We will begin with the ldap1 system, which should be configured with the IP address 192.168.0.201. If we take a look at the file /etc/hosts, it will need some configuration:
ubuntu@ldap1:~$ head -n 2 /etc/hosts
127.0.0.1 localhost
We will need to add a host entry for ldap1.example.com, so we edit the hosts file to include:
ubuntu@ldap1:~$ echo '192.168.0.201 ldap1.example.com ldap1' | sudo tee -a /etc/hosts
Setting the Host Name
The last step in the preparation process is to ensure that we have the correct FQDN set on the host. As Ubuntu 16.04 is based on systemd we can use the command hostnamectl:
ubuntu@ldap1:~$ sudo hostnamectl set-hostname ldap1.example.com
It is important to have the hostname set correctly before the install, as slapd uses the host's domain name to set the suffix of the root-level container.
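As an added example, which is not part of the lesson, here is a small POSIX shell script that checks the preparation steps above before slapd is installed: it derives the suffix slapd will build from a fully qualified hostname and checks that a hosts file maps that name to the expected address. The sample hosts content it runs against is constructed here; on the server you would point hosts_has_entry at /etc/hosts and use fqdn_is to compare against the output of hostname -f.

```shell
#!/bin/sh
# Added example, not from the lesson: pre-install checks for the hostname and
# /etc/hosts preparation that slapd relies on to build the root suffix.

# Turn a fully qualified hostname into the suffix slapd derives from its
# domain part: ldap1.example.com -> dc=example,dc=com.
# Fails (returns 1) when the name has no domain part at all.
fqdn_to_suffix() {
    fqdn=$1
    domain=${fqdn#*.}                # strip the host label up to the first dot
    [ "$domain" != "$fqdn" ] || return 1
    printf 'dc=%s\n' "$domain" | sed 's/\./,dc=/g'
}

# Check that a hosts file maps an address to a name. Prints the matching line
# and returns 0 when found, returns 1 otherwise. Comment lines never match
# because their first field is '#...', not the address.
hosts_has_entry() {
    file=$1 ip=$2 name=$3
    awk -v ip="$ip" -v name="$name" '
        $1 == ip { for (i = 2; i <= NF; i++) if ($i == name) { print; found = 1 } }
        END { exit found ? 0 : 1 }' "$file"
}

# Compare the running system's FQDN with the one we expect. Meaningful only on
# the target host; assumes hostname -f is available, as it is on Ubuntu.
fqdn_is() {
    actual=$(hostname -f 2>/dev/null) || return 1
    [ "$actual" = "$1" ]
}

# Constructed sample hosts file standing in for /etc/hosts after the edit above.
sample=$(mktemp)
printf '127.0.0.1 localhost\n192.168.0.201 ldap1.example.com ldap1\n' > "$sample"

expected_fqdn=ldap1.example.com
expected_ip=192.168.0.201

printf 'slapd will build the suffix: %s\n' "$(fqdn_to_suffix "$expected_fqdn")"
if hosts_has_entry "$sample" "$expected_ip" "$expected_fqdn" >/dev/null; then
    echo "hosts file maps $expected_ip to $expected_fqdn"
else
    echo "hosts file is missing $expected_ip $expected_fqdn" >&2
fi
rm -f "$sample"
```

Run it before apt-get install: if the suffix it prints is not dc=example,dc=com, or the hosts check fails, fix /etc/hosts and hostnamectl first, because correcting the suffix afterwards means the dpkg-reconfigure detour described in the troubleshooting section.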
Installing openLDAP
The install will use the normal apt-get mechanism found on Debian-based systems such as Ubuntu:
ubuntu@ldap1:~$ sudo apt-get update
ubuntu@ldap1:~$ sudo apt-get install -y ldap-utils slapd
During the install you will be prompted for the admin password. This is a new LDAP account created to manage the directory that we are populating. Use a password of your choosing.
Post Installation Checks
We now have an LDAP server; step back and give yourself a few minutes to savor the moment. We will also discover a little more about what we have achieved. First we check the open TCP ports on the system:
ubuntu@ldap1:~$ ss -ntl
We should see that port 389 is now open. This is the LDAP port. We will later see how we open the LDAPS port, 636, for more secure communication.
389 LDAP port for clear-text communication
636 LDAPS port used for authenticating the server to the client and encrypting traffic. This needs to be specifically configured.
After the OpenLDAP install, we have two LDAP Directories in place:
cn=config A configuration directory used in later versions of OpenLDAP and used by Ubuntu since 2008. It replaced the traditional flat configuration file slapd.conf and allows dynamic configuration changes to the OpenLDAP server: changes can be made and take effect without a restart of the service.
dc=example,dc=com This is the directory that we will use to store our own entries. This is empty at the moment.
To list the configuration of the cn=config directory we use the root account in Linux via sudo:
ubuntu@ldap1:~$ sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config dn
This command, ldapsearch, will become quite familiar to us as we run through the course. With it we are able to query LDAP from the CLI. The command options are broken down for you in the following block:
-Q Enable SASL authentication in quiet mode
-LLL This formats the output. A single -L produces LDIFv1, a second -L disables printing of comments and a third disables printing of the LDIF version.
-Y Specifies the SASL mechanism. We specify EXTERNAL here, which uses the identity of the connecting Linux user, root via sudo.
-H Specifies the URI to connect to. We connect using ldapi (LDAP over IPC), which lets the server see that we are connecting as root.
-b Specifies the base DN at which to start the query. cn=config is the root container of the configuration DIT.
dn This optional trailing argument restricts what is returned. We ask the output to print just the DN of the entries found.
We don't just have the configuration directory; we also have the DIT that we will use for our own entries. We can connect to this using standard LDAP, or LDAPS once it is configured, so we do not need to be concerned about the use of sudo when running ldapsearch this time:
ubuntu@ldap1:~$ ldapsearch -x -LLL -H ldap:/// -b dc=example,dc=com dn
Here we use -x as an option. This is for simple authentication. OpenLDAP supports three types of authentication:
- Anonymous An LDAP request that does not send a bind request is treated as an anonymous connection. No username is sent to the server.
- Simple With simple authentication the username and password are sent to the server. -x specifies simple authentication, but without -D giving the DN of the user to bind as, the connection is treated as anonymous.
- SASL This stands for Simple Authentication and Security Layer, and we specify -Q for quiet SASL or -I for interactive SASL. -I does not work for LDAPI as we take the current user's credentials.
From the output you will see that we have just the single entry:
dn: cn=admin,dc=example,dc=com
We often talk about this as a user or our admin user. However, if we remove the trailing dn argument, which restricts the output to just the DN, we will see a little more:
ubuntu@ldap1:~$ ldapsearch -x -LLL -H ldap:/// -b dc=example,dc=com
We see that the entry is based on the objectClasses simpleSecurityObject and organizationalRole. We can also add a filter to display only the admin account:
ubuntu@ldap1:~$ ldapsearch -x -LLL -H ldap:/// -b dc=example,dc=com "(cn=admin)"
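As an added example that is not part of the lesson, the following POSIX shell script turns the checks above into something repeatable: it reads the LDIF that ldapsearch -LLL prints, unfolds continuation lines, pulls out one attribute of one entry, and confirms that the admin entry carries both object classes named above. The LDIF it runs against here is constructed to mirror a fresh install (the base entry and the description value are stand-ins); on the server you would save the output of the ldapsearch command above to a file and pass that file as the first argument.

```shell
#!/bin/sh
# Added example, not from the lesson: verify the admin entry from LDIF output.
#   ldapsearch -x -LLL -H ldap:/// -b dc=example,dc=com "(cn=admin)" > admin.ldif
#   sh check-admin.sh admin.ldif

# Unfold LDIF: a line starting with a single space continues the previous
# line, with that space removed. Blank lines (entry separators) are kept.
ldif_unfold() {
    awk '
        /^ /   { buf = buf substr($0, 2); next }
        NR > 1 { print buf }
               { buf = $0 }
        END    { if (NR > 0) print buf }' "$1"
}

# Print the values of one attribute belonging to one entry, one per line.
# Arguments: ldif file, entry DN, attribute name.
ldif_attr() {
    file=$1 dn=$2 attr=$3
    ldif_unfold "$file" | awk -v dn="dn: $dn" -v key="$attr: " '
        $0 == dn                      { inside = 1; next }
        /^$/                          { inside = 0 }
        inside && index($0, key) == 1 { print substr($0, length(key) + 1) }'
}

# Check that cn=admin,dc=example,dc=com has the two object classes the lesson
# describes. Returns 0 when both are present, 1 otherwise, naming the gap.
check_admin_entry() {
    file=$1
    classes=$(ldif_attr "$file" 'cn=admin,dc=example,dc=com' objectClass)
    status=0
    for want in simpleSecurityObject organizationalRole; do
        if ! printf '%s\n' "$classes" | grep -qx "$want"; then
            echo "admin entry is missing objectClass $want" >&2
            status=1
        fi
    done
    return $status
}

# With no argument, use constructed LDIF standing in for the server's answer:
# the base entry plus the admin entry, with one attribute folded over two lines.
sample=${1:-}
if [ -z "$sample" ]; then
    sample=$(mktemp)
    cleanup=1
    cat > "$sample" <<'EOF'
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: example.com
dc: example

dn: cn=admin,dc=example,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP-
 admin
EOF
fi

if check_admin_entry "$sample"; then
    echo "admin entry has the expected object classes"
fi
[ -z "${cleanup:-}" ] || rm -f "$sample"
```

The unfolding step matters because ldapsearch wraps long values (a long description or a base64-encoded userPassword) onto continuation lines, so a naive grep for objectClass or a DN can miss values that span a fold.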
Troubleshooting
If you don't have the dc=example,dc=com tree structure then it is most likely that your hostname and /etc/hosts file have not been configured correctly. At this stage it is an easy fix in Ubuntu by running dpkg-reconfigure. You are then able to set any domain name that you want to use for the DIT; you are not restricted to the domain name of your host. To work through the examples in this guide we use a DIT with the domain name example.com. Although this name is not required, it will make the labs easier to follow if the DIT matches. If you need to reconfigure the domain name then run the following command:
ubuntu@ldap1:~$ sudo dpkg-reconfigure slapd
Reconfiguring the OpenLDAP install with dpkg-reconfigure allows you to specify the suffix manually. Once started, you will be faced with a series of prompts, which are explained below:
The first option always seems a little clumsy in its wording. The default option of No will allow you to continue with the reconfiguration; the option Yes would quit the reconfigure action. Choose No.
We can now set the domain that we want to use for the DN of the root entry. The default will be the domain name currently in use. Make sure that we have example.com here.
This dialog sets the organization name of the entry. This sets an attribute rather than the DN.
The result of setting example.com will produce an attribute as in the following:
o: example.com
We are then prompted, as before, for the admin password. This will always be a new account, so you can set a password of your choice. You will also be prompted to confirm the password a second time.
Having set the admin password we are then prompted to select the type of database that we will use to store our new user directory. The default and newest in this selection is MDB. There is no reason to change this.
The next screen relates to purging. This has nothing to do with OpenLDAP itself but simply refers to what happens when running the command sudo apt-get purge slapd. The purge action will normally remove any configuration of the package; here you are asked whether the database should also be purged. The default is No, which is probably the safest. On test systems, though, you may prefer not to leave the DB in place, in which case choose Yes.
The next screen defaults to moving any existing database. This is usually required on a reconfiguration unless you have moved or renamed the existing database. The final screen prompts you to select support for LDAPv2, which we do not need. Once complete, you have successfully reconfigured the OpenLDAP server with the correct suffix for use in the course.
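As an added example that is not part of the lesson, the same prompts can be answered ahead of time through debconf so that the reconfiguration runs unattended with the domain, organization name, MDB backend and the other choices walked through above. The script is mine, not the slapd package's; the debconf keys are the ones I know from the slapd package's templates, so confirm them on your own system with sudo debconf-show slapd before relying on them. The domain, organization and password come from environment variables and default to placeholders.

```shell
#!/bin/sh
# Added example, not from the lesson: answer the dpkg-reconfigure slapd prompts
# through debconf instead of the dialogs.
#   SLAPD_ADMIN_PW='...' sh slapd-preseed.sh            # print the selections
#   SLAPD_ADMIN_PW='...' sudo -E sh slapd-preseed.sh --apply   # load them, reconfigure

# Emit the debconf selections matching each prompt in the reconfiguration:
# no_configuration (the first "omit configuration?" screen, answered No),
# domain (the DN suffix), organization (the o: attribute), the admin password
# twice, the MDB backend, no purge, move the old database, no LDAPv2.
slapd_preseed() {
    domain=$1 org=$2 pw=$3
    cat <<EOF
slapd slapd/no_configuration boolean false
slapd slapd/domain string $domain
slapd shared/organization string $org
slapd slapd/password1 password $pw
slapd slapd/password2 password $pw
slapd slapd/backend select MDB
slapd slapd/purge_database boolean false
slapd slapd/move_old_database boolean true
slapd slapd/allow_ldap_v2 boolean false
EOF
}

# Sanity-check the domain before handing it to debconf: at least two labels
# made of letters, digits and hyphens, so the suffix slapd builds is well-formed.
valid_domain() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$'
}

DOMAIN=${SLAPD_DOMAIN:-example.com}
ORG=${SLAPD_ORG:-example.com}
: "${SLAPD_ADMIN_PW:=CHANGE-ME-placeholder}"   # placeholder; export a real value before --apply

valid_domain "$DOMAIN" || { echo "invalid domain: $DOMAIN" >&2; exit 1; }

case ${1:-} in
    --apply)
        [ "$SLAPD_ADMIN_PW" != CHANGE-ME-placeholder ] || { echo "set SLAPD_ADMIN_PW first" >&2; exit 1; }
        slapd_preseed "$DOMAIN" "$ORG" "$SLAPD_ADMIN_PW" | debconf-set-selections
        dpkg-reconfigure -f noninteractive slapd
        ;;
    *)
        slapd_preseed "$DOMAIN" "$ORG" "$SLAPD_ADMIN_PW"
        ;;
esac
```

debconf-set-selections writes the answers into the debconf database on the host, so the admin password passes through it; supply the real value only on the server and check the result with the anonymous ldapsearch against dc=example,dc=com shown earlier.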