[ This post is part of my ongoing instructional series on setting up some baseline IT infrastructure for the fictional startup Shoestring Lab. Shoestring has committed to using Open Source wherever possible. Shoestring Lab has standardized on Ubuntu for its server and desktop/laptop computer systems.

Today's lesson

As the admin for Shoestring Lab, you need to install OpenLDAP server to manage users and groups for various network services.]

 

OpenLDAP is an open source directory server and authentication system that successfully scales to billions of records and is used around the world. I like it because it is a mature and rock solid solution for the common problem of authentication in networked applications. Installing and configuring it on Ubuntu 18.04 requires a little bit of patience and some basic information about your implementation. I will show you how to install the OpenLDAP server, LDAP utils, and Apache Directory Studio for use as an administrative tool.

Installing OpenLDAP

First, let's install the packages:

$ sudo apt install slapd ldap-utils

Change the root password if needed:

$ slappasswd

Configuring OpenLDAP

Enter the command to configure slapd:

$ sudo dpkg-reconfigure slapd

Follow the screenshots to configure slapd. We are going to configure our LDAP service hostname as ldap.shoestringlab.com. If you are installing LDAP in a production environment, choose a hostname appropriate for your network domain.

We need to create an initial configuration, so answer No at the first step:

Next, we specify the fully qualified hostname of the service. This hostname is how other services and systems will contact the LDAP service:

For the organization, if you don't know what to use, enter the same hostname as the LDAP service. This entry will be the "root" of the domain tree inside OpenLDAP:

Next, enter the administrator password used to secure the OpenLDAP service. Don't lose this password- you will need it to access OpenLDAP later:

 

Use the MDB backend:

Your choice whether the remove the database when slapd is purged:

Move the old database so you don't break the configuration process:

 

Checking your install

$ service slapd status

Verify the service is running and is not returning an error.

 

Check that OpenLDAP responds to search queries:

$ sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b dc=ldap,dc=shoestringlab,dc=com dn

  dn: dc=ldap,dc=shoestringlab,dc=com

  dn: cn=admin,dc=ldap,dc=shoestringlab,dc=com


Modifying the LDAP Config

Per https://help.ubuntu.com/lts/serverguide/openldap-server.html.en

Modifying the configuration of OpenLDAP is done using the ldapmodify command, referencing a text file that contains the commands to modify the configuration.

 

Add an index to the mdb config.


add_index.ldif

-----------------------

dn: olcDatabase={1}mdb,cn=config
add: olcDbIndex
olcDbIndex: mail eq,sub

 

$ sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f add_index.ldif

 

Enable logging at the stats log level. This level will probably give you more logging than you need in production, so make a note to change the log level once your system is properly configured.

 

logging.ldif

-------------------

dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: stats

 

$ sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f logging.ldif

 

Logging defined by olcLogLevel in:

https://www.openldap.org/doc/admin24/slapdconf2.html

 

Possible log levels:

Table 5.1: Debugging Levels
Level Keyword Description
-1 any enable all debugging
0   no debugging
1 (0x1 trace) trace function calls
2 (0x2 packets) debug packet handling
4 (0x4 args) heavy trace debugging
8 (0x8 conns) connection management
16 (0x10 BER) print out packets sent and received
32 (0x20 filter) search filter processing
64 (0x40 config) configuration processing
128 (0x80 ACL) access control list processing
256 (0x100 stats) stats log connections/operations/results
512 (0x200 stats2) stats log entries sent
1024 (0x400 shell) print communication with shell backends
2048 (0x800 parse) print entry parsing debugging
16384 (0x4000 sync) syncrepl consumer processing
32768 (0x8000 none) only messages that get logged whatever log level is set


Add Groups and People nodes. The People node will be the root of all entries of people into your LDAP server. The Groups node will be the root of all group entries. You can then add people to individual groups to provide granular level access control  to resources in your network.

add_nodes.ldif

------------------------

dn: ou=people,dc=ldap,dc=shoestringlab,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=groups,dc=ldap,dc=shoestringlab,dc=com
objectClass: organizationalUnit
ou: Groups

 

$ ldapadd -x -D cn=admin,dc=ldap,dc=shoestringlab,dc=com -W -f add_nodes.ldif

 

Add memberof configuration. The memberof module provides an easy way for the service to check whether a given person is a member of a given group.

memberof_config.ldif

-----------------------------------

dn: cn=module,cn=config
cn: module
objectClass: olcModuleList
olcModuleLoad: memberof
olcModulePath: /usr/lib/ldap

dn: olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config
objectClass: olcConfig
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: top
olcOverlay: memberof
olcMemberOfDangling: ignore
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf

 

$ sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f memberof_config.ldif

 

 

Add refint1 and refint2.

refint1.ldif

------------------

dn: cn=module{1},cn=config
add: olcmoduleload
olcmoduleload: refint

 

$ sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f refint1.ldif

 

refint2.ldif

-----------------

dn: olcOverlay={1}refint,olcDatabase={1}mdb,cn=config
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcRefintConfig
objectClass: top
olcOverlay: {1}refint
olcRefintAttribute: memberof member manager owner

 

$ sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f refint2.ldif


Implement required schemas for Linux user management. These schemas are in the /etc/ldap folder already.

 

sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif

 

Congratulations, you have now set up OpenLDAP on Ubuntu 18.04. Using this configuration, you can use OpenLDAP to manage user access to other systems. As a bonus, we have set up the base configuration to be able to manage Linux computer access using OpenLDAP. I will cover that topic later.