Installing LDAP on Ubuntu 18.04

This post will run through installing LDAP on Ubuntu 18.04, allowing you to authenticate users via LDAP as well as setting up their Linux groups. You will need a server or desktop install to begin with. Lightweight Directory Access Protocol (LDAP) is a network protocol for accessing and manipulating information stored in a directory.

This HOWTO also works on a Raspberry PI 3 running the Ubuntu MATE image!

Do not do this on a production server until you have tried it out and have a working LDAP server.

For this HOWTO I am building on the following posts:
  • my test networking lab, Setup a Test Networking Lab with VirtualBox.
  • A minimal Ubuntu server running 18.04.

We will be creating a machine with a hostname of ldap.dragon.lab; it will need an entry in your local DNS. You will also need a client machine, another minimal server install, which will be called ldap-client.dragon.lab.

Let’s start off by installing LDAP on Ubuntu 18.04 and other related software.

sudo apt-get update
sudo apt-get install slapd ldap-utils

As part of the initial installation process you will be asked for an Administrator password. Enter the password you want to use for your LDAP administrator. We will have a chance to change it in a minute if you change your mind or forget it. You will need it later, so do not forget it. 🙂

After the installation has finished we can use the command dpkg-reconfigure slapd to reconfigure slapd more thoroughly. This will reset the LDAP database!

sudo dpkg-reconfigure slapd

You will be asked a number of questions when this runs.

  • Omit OpenLDAP server configuration? No
  • DNS domain name: dragon.lab
  • Organization name: dragon.lab
  • Administrator password: LDAPPasswd
  • Confirm password: LDAPPasswd
  • Database backend to use: MDB
  • Do you want the database to be removed when slapd is purged? No
  • Move old database? Yes

A quick edit to /etc/ldap/ldap.conf to point to our server.

sudo nano /etc/ldap/ldap.conf

Uncomment and update the two lines below. The first sets your base distinguished name. The other points at the LDAP server, which will be its fully qualified hostname, or its IP address if you want to avoid problems with DNS lookups.

BASE	dc=dragon,dc=lab
URI	ldap://ldap.dragon.lab

Now edit /etc/default/slapd to check the ports it will accept connections on.

sudo nano /etc/default/slapd

Search for the option SLAPD_SERVICES. For the moment we only need the following; if ldaps is listed, leave it there if you intend to allow TLS/SSL connections.

SLAPD_SERVICES="ldap:/// ldapi:///"

Adding data with LDIF files

Create a new file called add_ou.ldif in your home directory with the following contents. The file will add two Organizational Units, Groups and People. People will contain all the Users that will be able to authenticate against our LDAP server. The Groups will be the Linux groups that are added to the Users' accounts to allow further access to the system.

sudo nano add_ou.ldif
# Delete existing OU's
######################
#dn: ou=Groups,dc=dragon,dc=lab
#changetype: delete

#dn: ou=People,dc=dragon,dc=lab
#changetype: delete


# Organizational Unit for Linux/POSIX Groups
############################################
dn: ou=Groups,dc=dragon,dc=lab
changetype: add
objectClass: top
objectClass: organizationalUnit
ou: Groups

# Organizational Unit for Linux/POSIX Users
dn: ou=People,dc=dragon,dc=lab
changetype: add
objectClass: top
objectClass: organizationalUnit
ou: People

You will see that a line that starts with a # as its first character is a comment line. There must not be any white space before the #.
The top few lines have been commented out; they would delete the Organizational Units for Groups and People. Since these do not exist yet, the deletes would cause an error the first time you use the file. I left them in as they are useful when playing around and you want to rebuild your LDAP database.

We can add the Organizational Units with the following; you will be prompted for the LDAP admin password you created with dpkg-reconfigure slapd.

ldapmodify -xWD "cn=admin,dc=dragon,dc=lab" -H ldap:// -f add_ou.ldif
Enter LDAP Password: 
adding new entry "ou=Groups,dc=dragon,dc=lab"

adding new entry "ou=People,dc=dragon,dc=lab"

If you want to add this file again, uncomment the lines at the top of the file. Try it out; you can use the same ldapmodify command line. The output should show two new output lines for ‘deleting entry…’

To explain the command line options:

  • -x Use simple authentication instead of SASL.
  • -W Prompt for simple authentication. This is used instead of specifying the password on the command line (-w password).
  • -D Use the Distinguished Name binddn to bind to the LDAP directory.
  • -H Specify URI(s) referring to the ldap server(s); only the protocol/host/port fields are allowed; a list of URI, separated by whitespace or commas is expected.
  • -f Read the entry modification information from file instead of from standard input.

Let's check we can search for these new items; it also gives an example of ldapsearch.

ldapsearch -xLLL ou=Groups -b dc=dragon,dc=lab
dn: ou=Groups,dc=dragon,dc=lab
objectClass: top
objectClass: organizationalUnit
ou: Groups

To explain the command line options:

  • -x Use simple authentication instead of SASL.
  • -L Search results are displayed in LDAP Data Interchange Format detailed in ldif(5). A single -L restricts the output to LDIFv1. A second -L disables comments. A third -L disables printing of the LDIF version. The default is to use an extended version of LDIF.
  • ou=Groups This is the search pattern (filter), what we are looking for.
  • -b Use searchbase as the starting point for the search instead of the default.

Try out the same search without the searchbase to see all of your LDAP entries. Also have a look at the differences with and without the -L options.

The searches above are all performed over an unauthenticated (anonymous) connection. To see any userPassword data you need to pass in the admin bind DN with -D and use -W to be prompted for its password. This plugs a security hole that would allow everyone to see anyone's password or other sensitive data.

ldapsearch -xWLLL -b dc=dragon,dc=lab -D 'cn=admin,dc=dragon,dc=lab'

Add some groups to our Organizational Unit

We will use the same format to add group items to the Organizational Unit for groups as we did above. Create the file

sudo nano add_group.ldif

add the following contents, again note the commented out lines at the top.

# Delete existing groups
########################
#dn: cn=admin,ou=Groups,dc=dragon,dc=lab
#changetype: delete

#dn: cn=fred,ou=Groups,dc=dragon,dc=lab
#changetype: delete

#dn: cn=bert,ou=Groups,dc=dragon,dc=lab
#changetype: delete

#dn: cn=ldap_user,ou=Groups,dc=dragon,dc=lab
#changetype: delete

# Add new groups
##################
# Group for admins they get sudo rights
dn: cn=admin,ou=Groups,dc=dragon,dc=lab
changetype: add
cn: admin
gidNumber: 10000
objectClass: posixGroup
objectClass: top

# All ldap_users get this not sure why yet :-)
dn: cn=ldap_user,ou=Groups,dc=dragon,dc=lab
changetype: add
cn: ldap_user
gidNumber: 10001
objectClass: posixGroup
objectClass: top

# Group for a user called Fred
dn: cn=fred,ou=Groups,dc=dragon,dc=lab
changetype: add
cn: fred
gidNumber: 10002
objectClass: posixGroup
objectClass: top

# Group for a user called Bert
dn: cn=bert,ou=Groups,dc=dragon,dc=lab
changetype: add
cn: bert
gidNumber: 10003
objectClass: posixGroup
objectClass: top

ldapmodify -xWD "cn=admin,dc=dragon,dc=lab" -H ldap:// -f add_group.ldif
Enter LDAP Password: 
adding new entry "cn=admin,ou=Groups,dc=dragon,dc=lab"

adding new entry "cn=ldap_user,ou=Groups,dc=dragon,dc=lab"

adding new entry "cn=fred,ou=Groups,dc=dragon,dc=lab"

adding new entry "cn=bert,ou=Groups,dc=dragon,dc=lab"

And a check to see they went in okay.

ldapsearch -xLLL objectClass=posixGroup -b dc=dragon,dc=lab
dn: cn=admin,ou=Groups,dc=dragon,dc=lab
cn: admin
gidNumber: 10000
objectClass: posixGroup
objectClass: top

dn: cn=ldap_user,ou=Groups,dc=dragon,dc=lab
cn: ldap_user
gidNumber: 10001
objectClass: posixGroup
objectClass: top

dn: cn=fred,ou=Groups,dc=dragon,dc=lab
cn: fred
gidNumber: 10002
objectClass: posixGroup
objectClass: top

dn: cn=bert,ou=Groups,dc=dragon,dc=lab
cn: bert
gidNumber: 10003
objectClass: posixGroup
objectClass: top

Add some people to our Organizational Unit

Now that there are groups in the Groups OU we will not be able to delete the Groups OU. If we want to delete it we first have to delete the leaves, or child entries. We cannot do a recursive delete.

Now to add some people. This is the same process again.

sudo nano add_people.ldif

Add the following contents, again noting the commented out lines at the top. To create the password hash we can use slappasswd. We need to include ‘{MD5}’ exactly as shown.

slappasswd -h {MD5} -s A_PassWord_123
{MD5}m1Uc3vqaUBU25gRdyiFpJQ==

# Delete People
#dn: cn=Fred Bloggs,ou=People,dc=dragon,dc=lab
#changetype: delete

#dn: cn=Bert Worker,ou=People,dc=dragon,dc=lab
#changetype: delete

# Add new People
################
dn: cn=Fred Bloggs,ou=People,dc=dragon,dc=lab
changetype: add
givenName: Fred
sn: Bloggs
cn: Fred Bloggs
uid: fred
homeDirectory: /home/ldap/fred
uidNumber: 10001
gidNumber: 10002
loginShell: /bin/bash
# Create password hash with: slappasswd -h {MD5} -s 
userPassword: {MD5}m1Uc3vqaUBU25gRdyiFpJQ==
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top

dn: cn=Bert Worker,ou=People,dc=dragon,dc=lab
changetype: add
givenName: Bert
sn: Worker
cn: Bert Worker
uid: bert
homeDirectory: /home/ldap/bert
uidNumber: 10002
gidNumber: 10003
loginShell: /bin/bash
userPassword: {MD5}m1Uc3vqaUBU25gRdyiFpJQ==
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top

ldapmodify -xWD "cn=admin,dc=dragon,dc=lab" -H ldap:// -f add_people.ldif
Enter LDAP Password: 
adding new entry "cn=Fred Bloggs,ou=People,dc=dragon,dc=lab"

adding new entry "cn=Bert Worker,ou=People,dc=dragon,dc=lab"

And a check to see they went in okay.

ldapsearch -xLLL objectClass=posixAccount -b dc=dragon,dc=lab
dn: cn=Fred Bloggs,ou=People,dc=dragon,dc=lab
givenName: Fred
sn: Bloggs
cn: Fred Bloggs
uid: fred
homeDirectory: /home/ldap/fred
uidNumber: 10001
gidNumber: 10002
loginShell: /bin/bash
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top

dn: cn=Bert Worker,ou=People,dc=dragon,dc=lab
givenName: Bert
sn: Worker
cn: Bert Worker
uid: bert
homeDirectory: /home/ldap/bert
uidNumber: 10002
gidNumber: 10003
loginShell: /bin/bash
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
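The userPassword values above are stored in the {SCHEME}base64 form that slappasswd emits. The following is an added example, not part of the original post, that builds and verifies such values for the {MD5} scheme used here and for the salted {SSHA} scheme that slappasswd produces when no -h is given; the sample hash is the one shown above, and the function names are my own. Note that because {MD5} is unsalted, fred and bert above share one identical stored value, which reveals that they share a password; {SSHA} avoids that.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample: the {MD5} value the post shows for A_PassWord_123.
PAGE_HASH = "{MD5}m1Uc3vqaUBU25gRdyiFpJQ=="
DIGEST_LEN = {"MD5": 16, "SMD5": 16, "SHA": 20, "SSHA": 20}
ALGO = {"MD5": "md5", "SMD5": "md5", "SHA": "sha1", "SSHA": "sha1"}


def make_userpassword(password: str, scheme: str = "SSHA", salt: Optional[bytes] = None) -> str:
    """Build a userPassword value in the {SCHEME}base64 form slappasswd emits.

    {MD5}/{SHA} are plain digests, so two users with the same password get the
    same stored value (as fred and bert do in the post). {SMD5}/{SSHA} hash
    password+salt and store digest+salt, so equal passwords look different."""
    scheme = scheme.upper()
    if scheme in ("SMD5", "SSHA"):
        salt = os.urandom(4) if salt is None else salt
    else:
        salt = b""
    digest = hashlib.new(ALGO[scheme], password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def parse_userpassword(stored: str):
    """Split '{SCHEME}base64' into (scheme, digest, salt); salt is b'' when unsalted."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("not a hashed userPassword value")
    scheme, _, b64 = stored[1:].partition("}")
    scheme = scheme.upper()
    if scheme not in DIGEST_LEN:
        raise ValueError(f"unsupported scheme {scheme}")
    raw = base64.b64decode(b64)
    return scheme, raw[:DIGEST_LEN[scheme]], raw[DIGEST_LEN[scheme]:]


def verify_userpassword(stored: str, candidate: str) -> bool:
    """Recompute the digest with the stored scheme and salt; compare in constant time."""
    scheme, digest, salt = parse_userpassword(stored)
    _, recomputed, _ = parse_userpassword(make_userpassword(candidate, scheme, salt))
    return hmac.compare_digest(recomputed, digest)
```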

Add People to Groups

We can now add fred to the admin group, as the user fred will be picking up sudo access when he logs in. All users that are configured in LDAP also become members of our ldap_user group.

sudo nano add_people_2_group.ldif
# Add People to Groups
#####################
dn: cn=admin,ou=Groups,dc=dragon,dc=lab
changetype: modify
add: memberUid
memberUid: fred

dn: cn=ldap_user,ou=Groups,dc=dragon,dc=lab
changetype: modify
add: memberUid
memberUid: fred
memberUid: bert

ldapmodify -xWD "cn=admin,dc=dragon,dc=lab" -H ldap:// -f add_people_2_group.ldif
Enter LDAP Password: 
modifying entry "cn=admin,ou=Groups,dc=dragon,dc=lab"

modifying entry "cn=ldap_user,ou=Groups,dc=dragon,dc=lab"

We can now add an index to the LDAP DB for uniqueMember.

sudo nano add_umember_index.ldif
# Add an index on uniqueMember
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: uniqueMember eq

This time we need to run ldapmodify as root, binding over the ldapi socket with SASL EXTERNAL so that the cn=config database can be changed.

sudo ldapmodify -H ldapi:// -Y EXTERNAL -f add_umember_index.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}mdb,cn=config"

And a check to see it went in okay. This is a slightly different format for the search: we perform a subtree search from the search base for entries with cn=ldap_user and then display only the cn, gidNumber and memberUid attributes.

ldapsearch -xLLL -b dc=dragon,dc=lab "(cn=ldap_user)" cn memberUid gidNumber
dn: cn=ldap_user,ou=Groups,dc=dragon,dc=lab
cn: ldap_user
gidNumber: 10001
memberUid: fred
memberUid: bert

This search shows all the Groups that fred (memberUid) is a member of. He should be in two groups, admin and ldap_user.

ldapsearch -xLLL -b "dc=dragon,dc=lab" "(memberUid=fred)" cn memberUid gidNumber
dn: cn=admin,ou=Groups,dc=dragon,dc=lab
cn: admin
gidNumber: 10000
memberUid: fred

dn: cn=ldap_user,ou=Groups,dc=dragon,dc=lab
cn: ldap_user
gidNumber: 10001
memberUid: fred
memberUid: bert
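The three LDIF files above hand-allocate uidNumber and gidNumber values and add memberUid lines by hand, and slapd will happily accept a person whose gidNumber has no matching posixGroup. As an added example (not the post's own tooling; the function names, the USERS table and the numbering rule are my assumptions, chosen to reproduce the post's values), this generates the group and people records from one table and checks them for the kind of inconsistencies slapd does not catch. It folds the memberUid additions into the add records rather than using a separate modify file.

```python
BASE = "dc=dragon,dc=lab"

# Constructed sample mirroring the post: uid, given name, surname, userPassword hash.
USERS = [
    ("fred", "Fred", "Bloggs", "{MD5}m1Uc3vqaUBU25gRdyiFpJQ=="),
    ("bert", "Bert", "Worker", "{MD5}m1Uc3vqaUBU25gRdyiFpJQ=="),
]
ADMINS = {"fred"}  # members of cn=admin, who later pick up sudo through pam_group

def plan(users, first_uid=10001, first_gid=10000):
    """Allocate ids as the post does: admin, ldap_user, then one private group per user."""
    groups = {"admin": first_gid, "ldap_user": first_gid + 1}
    people = {}
    for i, (uid, given, sn, pwhash) in enumerate(users):
        groups[uid] = first_gid + 2 + i
        people[uid] = dict(uidNumber=first_uid + i, gidNumber=groups[uid],
                           givenName=given, sn=sn, userPassword=pwhash)
    return people, groups

def check(people, groups, admins):
    """List problems slapd accepts silently (no posixAccount/posixGroup integrity); [] is clean."""
    problems = []
    uids = [p["uidNumber"] for p in people.values()]
    if len(set(uids)) != len(uids):
        problems.append("duplicate uidNumber")
    if len(set(groups.values())) != len(groups):
        problems.append("duplicate gidNumber")
    for uid, p in people.items():
        if p["gidNumber"] not in groups.values():
            problems.append(f"{uid}: gidNumber {p['gidNumber']} has no posixGroup")
    problems += [f"admin member {a} is not in ou=People" for a in sorted(admins - set(people))]
    return problems

def entry(dn, **attrs):
    """Render one LDIF add record; a list value becomes a repeated attribute."""
    lines = [f"dn: {dn}", "changetype: add"]
    for k, v in attrs.items():
        lines += [f"{k}: {x}" for x in (v if isinstance(v, list) else [v])]
    return "\n".join(lines) + "\n"

def to_ldif(people, groups, admins):
    """Groups first so a person's primary gidNumber exists before the person does."""
    out = []
    for cn, gid in groups.items():
        members = sorted(people) if cn == "ldap_user" else sorted(admins) if cn == "admin" else []
        out.append(entry(f"cn={cn},ou=Groups,{BASE}", cn=cn, gidNumber=gid,
                         objectClass=["posixGroup", "top"], memberUid=members))
    for uid, p in people.items():
        full = f"{p['givenName']} {p['sn']}"
        out.append(entry(f"cn={full},ou=People,{BASE}", givenName=p["givenName"], sn=p["sn"],
                         cn=full, uid=uid, homeDirectory=f"/home/ldap/{uid}", uidNumber=p["uidNumber"],
                         gidNumber=p["gidNumber"], loginShell="/bin/bash", userPassword=p["userPassword"],
                         objectClass=["inetOrgPerson", "posixAccount", "top"]))
    return "\n".join(out)
```

Run check() before feeding the output to ldapmodify; it is cheaper than hunting for a user whose primary group does not resolve on the client.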

If you got this far then we have an LDAP database set up and populated with a few users, which is nice but not a lot of use until we get some client machines added. 🙂

Authenticating Local Clients

For each client on which you want LDAP People to authenticate, you need to do the following. It can also be done on the LDAP server itself.

sudo apt-get install libpam-ldap nscd ldap-utils

If at any time you want to reconfigure this again, just run the following; the defaults will be the current settings for your LDAP server.

sudo dpkg-reconfigure ldap-auth-config
  • Should debconf manage LDAP configuration?: Yes
  • LDAP server Uniform Resource Identifier: ldap://ldap.dragon.lab
  • Distinguished name of the search base: dc=dragon,dc=lab
  • LDAP version to use: 3
  • Make local root Database admin: Yes
  • Does the LDAP database require login? No
  • LDAP account for root: cn=admin,dc=dragon,dc=lab
  • LDAP root account password: your password for LDAP
  • Local crypt to use when changing passwords: crypt

We need to update the name service switch so that PAM and the rest of the system know where to look when authenticating People.

sudo nano /etc/nsswitch.conf

Update the three lines for passwd, group, and shadow; they should look like this. With compat first, lookups check the local passwd file first and then search LDAP. If you want the search order the other way around, just swap the order. Try it out and see.

passwd:         compat ldap systemd
group:          compat ldap systemd
shadow:         compat ldap

Save the file and exit.

So that new People will have their HOME directories created automatically we need to tweak a pam module.

sudo nano /usr/share/pam-configs/mkhomedir

Update so it looks similar to this:

Name: Create home directory on login
Default: yes
Priority: 0
Session-Type: Additional
Session-Interactive-Only: yes
Session:
        required    pam_mkhomedir.so skel=/etc/skel umask=0022

Adding local groups to LDAP People

We need to create a new file similar to the one above. This time it will add the necessary values to pull through the LDAP groups and some additional ones that are local to the machine.

sudo nano /usr/share/pam-configs/ldap_groups
Name: Add local Groups from /etc/security/group.conf
Default: yes
Priority: 900
Auth-Type: Primary
Auth:
        required                        pam_group.so

Save and exit the editor.
Create the settings which will add the groups to the LDAP user. These changes go at the end of the file, before the last comment.

sudo nano /etc/security/group.conf
# All LDAP People get these extra local groups
*;*;*;Al0000-2400;audio cdrom plugdev video

# Admins get to launch and configure printers, can share files via samba
*;*;%admin;Al0000-2400;dip lpadmin sambashare sudo

# People in the LDAP group virtual join the local vboxusers group
*;*;%virtual;Al0000-2400;vboxusers
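Each group.conf line is services;ttys;users;times;groups, and pam_group adds the listed local groups to a session when the first four fields match. To show what the three lines above grant, here is an added example (not pam_group itself and not part of the post): a simplified evaluator over a constructed copy of the file. It honours the users field (names, %group and *) and the always-on Al0000-2400 time spec only; the function names are mine.

```python
# Constructed copy of the group.conf lines used in the post.
GROUP_CONF = """\
# All LDAP People get these extra local groups
*;*;*;Al0000-2400;audio cdrom plugdev video

# Admins get to launch and configure printers, can share files via samba
*;*;%admin;Al0000-2400;dip lpadmin sambashare sudo

# People in the LDAP group virtual join the local vboxusers group
*;*;%virtual;Al0000-2400;vboxusers
"""


def parse_group_conf(text):
    """Return (services, ttys, users, times, groups) per rule, skipping comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(";")]
        if len(fields) != 5:
            raise ValueError(f"malformed group.conf line: {line!r}")
        services, ttys, users, times, groups = fields
        rules.append((services.split(","), ttys.split(","), users.split(","), times, groups.split()))
    return rules


def _match_user(spec, user, user_groups):
    """users field item: '*' anyone, '%name' members of that group, else a user name."""
    if spec == "*":
        return True
    if spec.startswith("%"):
        return spec[1:] in user_groups
    return spec == user


def extra_groups(rules, user, user_groups, service="sshd", tty="*"):
    """Simplified pam_group: the local groups a login for `user` would be given.
    user_groups is the set of groups the user already has (from LDAP or local)."""
    granted = []
    for services, ttys, users, times, groups in rules:
        if "*" not in services and service not in services:
            continue
        if "*" not in ttys and tty not in ttys:
            continue
        if times != "Al0000-2400":
            continue  # assumption: other day/time ranges are not evaluated here
        if any(_match_user(u, user, user_groups) for u in users):
            granted += [g for g in groups if g not in granted]
    return granted
```

Note that the first rule's `*;*;*` matches every user of every service pam_group is stacked on, not only LDAP People, so local accounts on the client pick up those groups too.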

To make sure the home directory is created the first time a user logs in, run the following command. Make sure the PAM profile for Create home directory on login is ticked; run the command and you will see what I mean 🙂 Then reboot to make sure that all of it survives a reboot.

sudo pam-auth-update
sudo reboot

Testing Client Connections

Using the ldapsearch utility we can check the connection to our LDAP server. First we check that a user, fred, can be found then check he is a member of the admin group.

ldapsearch -xLLL uid=fred -b dc=dragon,dc=lab -H ldap://ldap.dragon.lab
dn: cn=Fred Bloggs,cn=People,dc=dragon,dc=lab
givenName: Fred
sn: Bloggs
cn: Fred Bloggs
uid: fred
homeDirectory: /home/ldap/fred
uidNumber: 10000
gidNumber: 10003
loginShell: /bin/bash
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top

Check the admin group exists and that it has a memberUid of fred.

For the search below, rather than using -H ldap://ldap.dragon.lab, let’s mix it up a bit and use a host name with -h.

ldapsearch -xLLL cn=admin -b dc=dragon,dc=lab -h ldap
dn: cn=admin,dc=dragon,dc=lab
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator


dn: cn=admin,ou=Groups,dc=dragon,dc=lab
cn: admin
gidNumber: 10000
objectClass: posixGroup
objectClass: top
memberUid: fred

If all of that worked as expected you should now be able to log in to the client machine with ssh fred@client.machine. Once logged in, the current working directory should be /home/ldap/fred. Check the groups have been added correctly by looking at the user's current groups with the groups command.

If the user is a member of the LDAP admin group they should also be in the sudo group and therefore be able to use sudo. 🙂

Now try the same thing with bert; he should not be a member of admin, and the first group in his list will be bert, not fred, as that is the primary group for the user.

Make a backup before doing anything else :-). That is it for installing LDAP on Ubuntu 18.04.
