Install OpenLDAP

LDAP is often used as part of the IAM landscape. Many organizations already have a directory infrastructure; for those that do not, the steps below describe how to install OpenLDAP on Ubuntu.

This document is not intended to serve as a comprehensive guide to installing and configuring OpenLDAP.

Install OpenLDAP

Install slapd (the OpenLDAP server) and the LDAP client utilities

sudo apt install slapd ldap-utils

Enter the LDAP administrator password when the installer prompts you, and confirm it.

Validate that your installation was successful by running sudo slapcat (it reads the database files directly, which is why it needs root). A fresh installation uses the placeholder suffix dc=nodomain; it is replaced in the next step. Note that the dump includes the administrator's password hash, so treat slapcat output as sensitive. You should see output similar to the example below:

dn: dc=nodomain
objectClass: top
objectClass: dcObject
objectClass: organization
o: nodomain
dc: nodomain
structuralObjectClass: organization
entryUUID: fafc8c24-67aa-103b-9cc4-bb0732693a06
creatorsName: cn=admin,dc=nodomain
createTimestamp: 20210622133915Z
entryCSN: 20210622133915.388447Z#000000#000#000000
modifiersName: cn=admin,dc=nodomain
modifyTimestamp: 20210622133915Z

dn: cn=admin,dc=nodomain
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: e1NTSEF9aG1wNzR5T0gxR0RxR2dwWjNkMndyempIbWJRcm9BVVA=
structuralObjectClass: organizationalRole
entryUUID: fafcf452-67aa-103b-9cc5-bb0732693a06
creatorsName: cn=admin,dc=nodomain
createTimestamp: 20210622133915Z
entryCSN: 20210622133915.391151Z#000000#000#000000
modifiersName: cn=admin,dc=nodomain
modifyTimestamp: 20210622133915Z

Update the configuration to use your domain. This is done with the package reconfiguration utility shown below.

sudo dpkg-reconfigure slapd

You will be asked whether the OpenLDAP server configuration should be omitted. Select No and proceed to configure your OpenLDAP settings. The utility will prompt you for the information below.

  • DNS domain name, from which the base DN of your directory is built; e.g. iam.test.local becomes dc=iam,dc=test,dc=local
  • Organization name, stored in the o attribute of the base entry; e.g. test
  • Administrator password, entered twice to confirm it; this becomes the password of cn=admin under the new base DN
  • Whether the database should be removed when the slapd package is purged, and whether an existing database should be moved aside before the new one is created

After completing the reconfiguration process, run sudo slapcat again and you should see output similar to the example below (your domain information will be different):

dn: dc=iam,dc=test,dc=local
objectClass: top
objectClass: dcObject
objectClass: organization
o: test
dc: iam
structuralObjectClass: organization
entryUUID: 5e174c32-697b-103b-98ba-9b7914e10072
creatorsName: cn=admin,dc=iam,dc=test,dc=local
createTimestamp: 20210624210328Z
entryCSN: 20210624210328.140704Z#000000#000#000000
modifiersName: cn=admin,dc=iam,dc=test,dc=local
modifyTimestamp: 20210624210328Z

dn: cn=admin,dc=iam,dc=test,dc=local
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: e1NTSEF9SGtBRVo5RGM5MitWVDBLaE42K3RvV2E0emhiSlpGTlM=
structuralObjectClass: organizationalRole
entryUUID: 5e1aa788-697b-103b-98bb-9b7914e10072
creatorsName: cn=admin,dc=iam,dc=test,dc=local
createTimestamp: 20210624210328Z
entryCSN: 20210624210328.162765Z#000000#000#000000
modifiersName: cn=admin,dc=iam,dc=test,dc=local
modifyTimestamp: 20210624210328Z

Validate that your directory is running

After the above steps have been completed, you can validate that your directory is operational by running the following command:

sudo systemctl status slapd

You should see output similar to the example below:

● slapd.service - LSB: OpenLDAP standalone server (Lightweight Directory Access Protocol)
     Loaded: loaded (/etc/init.d/slapd; generated)
    Drop-In: /usr/lib/systemd/system/slapd.service.d
             └─slapd-remain-after-exit.conf
     Active: active (running) since Fri 2021-07-16 16:20:55 EDT; 9min ago
       Docs: man:systemd-sysv-generator(8)
      Tasks: 4 (limit: 38399)
     Memory: 10.5M
     CGroup: /system.slice/slapd.service
             └─1322 /usr/sbin/slapd -h ldap:/// ldapi:/// -g openldap -u openldap -F /etc/ldap/slapd.d

The -h ldap:/// ldapi:/// arguments (set through SLAPD_SERVICES in /etc/default/slapd) show what the server listens on: cleartext LDAP on TCP port 389 on all interfaces, plus the local Unix socket that root uses for administration over SASL EXTERNAL. No TLS is configured at this point, so every bind over the network sends credentials in the clear; this is addressed under Secure your directory below.

Populate your directory

The following steps describe how you can create the initial structure of your directory. Along the way, utilities to review your configuration will also be described.

To check the base DN (the naming contexts the server advertises in its root DSE; an anonymous bind is enough), use the command below:

ldapsearch -x -LLL -b "" -s base namingContexts

To view the RootDN of the database, query cn=config over the local socket. In the default Debian configuration root is mapped to the cn=config administrator through SASL EXTERNAL, so the command needs sudo:

sudo ldapsearch -H ldapi:/// -Y EXTERNAL -b "cn=config" -LLL -Q olcRootDN | grep olcRootDN:

Define the basic structure for your directory using the steps and examples shown below:

  • Create an LDIF file named basedn.ldif containing the organizational units. Entries in LDIF are separated by blank lines, and the value of the naming attribute in each dn (here ou) must also appear as an attribute of the entry, otherwise slapd rejects the entry with a "naming attribute ... is not present" error.
nano basedn.ldif
dn: ou=people,dc=iam,dc=test,dc=local
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=iam,dc=test,dc=local
objectClass: organizationalUnit
ou: groups

dn: ou=dept1,ou=people,dc=iam,dc=test,dc=local
objectClass: organizationalUnit
ou: dept1

dn: ou=dept2,ou=people,dc=iam,dc=test,dc=local
objectClass: organizationalUnit
ou: dept2

dn: ou=admins,ou=people,dc=iam,dc=test,dc=local
objectClass: organizationalUnit
ou: admins

dn: ou=disabledusers,ou=people,dc=iam,dc=test,dc=local
objectClass: organizationalUnit
ou: disabledusers
  • Load the file using the ldapadd utility, binding as the directory administrator. No sudo is needed: the bind DN and its password are what authorize the change.
ldapadd -x -D "cn=admin,dc=iam,dc=test,dc=local" -W -f basedn.ldif
  • Create test users in a second file (the name users.ldif below is arbitrary) and load it the same way. A userPassword value given in cleartext is stored in cleartext by default, so password123 is acceptable only in a throwaway lab; for anything else, generate a hash with slappasswd and paste the resulting {SSHA} value, or set the password afterwards with ldappasswd. Use the same spelling for the uid in the dn and in the uid attribute: uid is matched case-insensitively, but mixed case in DNs is a reliable source of confusion in group memberships and client configuration.
dn: uid=james.brown,ou=people,dc=iam,dc=test,dc=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: james.brown
cn: James
sn: Brown
mail: james.brown@test.local
postalCode: 12345
userPassword: password123

dn: uid=mick.jagger,ou=dept1,ou=people,dc=iam,dc=test,dc=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: mick.jagger
cn: Mick
sn: Jagger
mail: mick.jagger@test.local
postalCode: 12345
userPassword: password123
ldapadd -x -D "cn=admin,dc=iam,dc=test,dc=local" -W -f users.ldif
  • Create test groups in a third file (groups.ldif) and load it. groupOfNames requires at least one member, and each member value must be the complete DN of the user entry. Check these DNs carefully: a typo such as a doubled uid= still parses as a valid DN (with the value uid=james.brown), is accepted by slapd without complaint, and silently points at an entry that does not exist, so the user never gets the group's privileges.
dn: cn=developers,ou=groups,dc=iam,dc=test,dc=local
objectClass: top
objectClass: groupOfNames
cn: developers
member: uid=james.brown,ou=people,dc=iam,dc=test,dc=local
member: uid=mick.jagger,ou=dept1,ou=people,dc=iam,dc=test,dc=local

dn: cn=admins,ou=groups,dc=iam,dc=test,dc=local
objectClass: top
objectClass: groupOfNames
cn: admins
member: uid=james.brown,ou=people,dc=iam,dc=test,dc=local
ldapadd -x -D "cn=admin,dc=iam,dc=test,dc=local" -W -f groups.ldif
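Hand-written LDIF fails in ways that are either loud (a naming attribute missing from the entry) or silent (a mistyped member DN, a cleartext password that gets stored as-is). The script below is an added example, not code from the original page or from the OpenLDAP project; it lints an LDIF file for exactly those three problems before the file reaches ldapadd. It assumes only POSIX sh and awk, handles single-line attributes (no LDIF line folding) and does not inspect base64 (::) values. The sample LDIF it carries is constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original page): lint LDIF before ldapadd.
# Findings reported:
#   - the RDN attribute/value in a dn is absent from the entry (slapd rejects
#     such an entry, so catch it before the bind)
#   - a DN-valued attribute (member, uniqueMember, owner) or a dn whose RDN
#     value itself contains "=", e.g. uid=uid=james.brown (valid DN, wrong entry)
#   - a cleartext userPassword (stored unhashed by default)
# Assumptions: POSIX sh + awk, one attribute per line, "::" values skipped.

ldif_check() {   # usage: ldif_check FILE  -> exit 0 when clean, 1 when findings
    awk '
    function rdn_value_has_eq(v,   r) {
        r = v; sub(/,.*/, "", r)       # keep only the RDN
        sub(/^[^=]*=/, "", r)          # drop the leading "attr="
        return index(r, "=") > 0       # a leftover "=" means a doubled attr=
    }
    function finish_entry() {
        if (dn != "" && !found) {
            printf "line %d: RDN \"%s\" has no matching attribute in entry %s\n", dn_line, rdn, dn
            bad = 1
        }
        dn = ""
    }
    BEGIN { bad = 0; dn = ""; found = 1 }
    /^#/ { next }
    /^[ \t]*$/ { finish_entry(); next }
    {
        sep = index($0, ":")
        if (sep == 0) { printf "line %d: not an attribute line: %s\n", NR, $0; bad = 1; next }
        attr = tolower(substr($0, 1, sep - 1))
        val = substr($0, sep + 1)
        if (substr(val, 1, 1) == ":") next          # base64 value, not inspected
        sub(/^[ \t]+/, "", val)
        if (attr == "dn") {
            finish_entry()
            dn = val; dn_line = NR; found = 0
            rdn = val; sub(/,.*/, "", rdn)
            eq = index(rdn, "=")
            rdn_attr = tolower(substr(rdn, 1, eq - 1))
            rdn_val  = tolower(substr(rdn, eq + 1))
            if (rdn_value_has_eq(val)) { printf "line %d: suspicious RDN value in dn: %s\n", NR, val; bad = 1 }
            next
        }
        if (attr == "changetype" && val != "add") found = 1   # modify/delete carry no naming attribute
        if (attr == rdn_attr && tolower(val) == rdn_val) found = 1
        if (attr == "userpassword" && substr(val, 1, 1) != "{") {
            printf "line %d: cleartext userPassword in entry %s (use slappasswd or ldappasswd)\n", NR, dn; bad = 1
        }
        if ((attr == "member" || attr == "uniquemember" || attr == "owner") && rdn_value_has_eq(val)) {
            printf "line %d: suspicious RDN value in %s: %s\n", NR, attr, val; bad = 1
        }
    }
    END { finish_entry(); exit bad }
    ' "$1"
}

# Constructed sample (not from a real directory) showing the three mistakes:
# misspelled naming attribute, cleartext password, doubled uid= in a member DN.
sample_bad_ldif() {
    cat <<'EOF'
dn: ou=disabledusers,ou=people,dc=iam,dc=test,dc=local
objectClass: organizationalUnit
ou: disableduser

dn: uid=james.brown,ou=people,dc=iam,dc=test,dc=local
objectClass: inetOrgPerson
uid: james.brown
cn: James
sn: Brown
userPassword: password123

dn: cn=admins,ou=groups,dc=iam,dc=test,dc=local
objectClass: groupOfNames
cn: admins
member: uid=uid=james.brown,ou=people,dc=iam,dc=test,dc=local
EOF
}
```

Run ldif_check users.ldif (or any of the files above) before ldapadd; an exit status of 0 means no findings, and each finding names the line it refers to so it can be fixed in place.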

LDAP Search examples

Show all entries under the base DN (an anonymous simple bind; the default access rules allow anonymous read of everything except userPassword)

ldapsearch -x -b dc=iam,dc=test,dc=local -H ldap://localhost

Show only the user entries, by binding as the administrator and filtering on objectClass inetOrgPerson. Until TLS is configured, -W sends the administrator password in the clear, so keep such binds on localhost.

ldapsearch -x -b dc=iam,dc=test,dc=local -H ldap://localhost -D "cn=admin,dc=iam,dc=test,dc=local" -W "(objectClass=inetOrgPerson)"

Secure your directory

Generate a self-signed certificate

  • Create directories for the certificates

You can store the certificates wherever you like; the steps below use /etc/ssl/openldap. Wherever you put them, slapd must be able to read the server key and certificate at start-up (see the ownership step at the end of this section).

sudo mkdir -p /etc/ssl/openldap/{private,certs,newcerts}
  • Open the /usr/lib/ssl/openssl.cnf configuration file and set the directory used by openssl ca under [ CA_default ]. This edits the host-wide OpenSSL configuration; if you prefer not to, copy the file elsewhere and pass the copy to openssl ca with -config.
sudo nano /usr/lib/ssl/openssl.cnf

Update the dir entry as shown below.

#dir = ./demoCA # Where everything is kept
dir = /etc/ssl/openldap
  • Create the serial and index files that openssl ca uses to track the certificates it issues (a plain shell redirection does not run as root under sudo, hence tee)
echo 1001 | sudo tee /etc/ssl/openldap/serial
sudo touch /etc/ssl/openldap/index.txt
  • Generate the CA key. The first command creates a passphrase-protected key and the second rewrites it without the passphrase so it can be used non-interactively. An unencrypted CA key is protected by file permissions alone, so restrict it immediately; it must never be readable by the openldap service account.
sudo openssl genrsa -aes256 -out /etc/ssl/openldap/private/cakey.pem 2048
sudo openssl rsa -in /etc/ssl/openldap/private/cakey.pem -out /etc/ssl/openldap/private/cakey.pem
sudo chmod 600 /etc/ssl/openldap/private/cakey.pem
  • Create the self-signed CA certificate (valid for ten years). When prompted for the subject, give the Common Name a CA-style value such as "IAM Lab CA" rather than the LDAP host name; this is the file clients will be configured to trust.
sudo openssl req -new -x509 -days 3650 -key /etc/ssl/openldap/private/cakey.pem -out /etc/ssl/openldap/certs/cacert.pem
  • Generate the LDAP server key, again removing the passphrase so slapd can load it unattended
sudo openssl genrsa -aes256 -out /etc/ssl/openldap/private/ldapserver-key.key 2048
sudo openssl rsa -in /etc/ssl/openldap/private/ldapserver-key.key -out /etc/ssl/openldap/private/ldapserver-key.key
sudo chmod 600 /etc/ssl/openldap/private/ldapserver-key.key
  • Generate the CSR. The Common Name must be the host name clients will use to reach the server (for example ldap.iam.test.local), because that is what they compare against the certificate. With the default policy_match policy in openssl.cnf, the country, state and organization you enter must be identical to those in the CA certificate, or openssl ca will refuse to sign.
sudo openssl req -new -key /etc/ssl/openldap/private/ldapserver-key.key -out /etc/ssl/openldap/certs/ldapserver-cert.csr
  • Generate the LDAP server certificate and sign it with the CA key and certificate generated above. openssl ca does not copy extensions from the CSR by default, so the resulting certificate identifies the server only by its CN. The OpenLDAP client tools fall back to the CN, but many other clients (Java, Go and browser-based tools among them) require a subjectAltName; to add one, pass an extension file containing subjectAltName=DNS:<host name> with the -extfile option of openssl ca.
sudo openssl ca -keyfile /etc/ssl/openldap/private/cakey.pem -cert /etc/ssl/openldap/certs/cacert.pem -in /etc/ssl/openldap/certs/ldapserver-cert.csr -out /etc/ssl/openldap/certs/ldapserver-cert.crt
  • Validate the certificate against the CA using the command below.
openssl verify -CAfile /etc/ssl/openldap/certs/cacert.pem /etc/ssl/openldap/certs/ldapserver-cert.crt

You should expect output similar to the example below:

/etc/ssl/openldap/certs/ldapserver-cert.crt: OK
  • Now that the certificates have been generated, give the openldap user access to the two files slapd needs: the server key and the server certificate. The CA certificate is public and can stay world-readable, and the CA key stays owned by root. A recursive chown of the whole tree would hand the CA signing key to the service account, which is exactly what a compromise of slapd should not yield.
sudo chown openldap:openldap /etc/ssl/openldap/private/ldapserver-key.key /etc/ssl/openldap/certs/ldapserver-cert.crt
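The steps above produce a certificate that names the server only in its CN. The script below is an added example, not code from the original page or from the OpenLDAP project: it builds a throwaway CA and a server certificate that carries a subjectAltName, then verifies both the chain and the host name the way a TLS client does. It uses openssl x509 -req with an extension file instead of the page's openssl ca flow, so it needs no serial/index.txt database and runs in any directory you pass in. The host name ldap.iam.test.local and the subject values are assumptions; it requires openssl 1.1.1 or later.

```sh
#!/bin/sh
# Added example (not from the original page): CA + server certificate with a
# DNS subjectAltName, signed with "openssl x509 -req" rather than "openssl ca".
# Assumptions: openssl 1.1.1+ on PATH; ldap.iam.test.local is a made-up host.
set -eu

make_ldap_certs() {   # usage: make_ldap_certs OUTDIR HOSTNAME
    dir=$1; host=$2
    mkdir -p "$dir"

    # 1. CA key and self-signed CA certificate. No passphrase, so the key is
    #    protected by file permissions alone; keep it away from the slapd user.
    openssl genrsa -out "$dir/cakey.pem" 2048 2>/dev/null
    openssl req -new -x509 -days 3650 -key "$dir/cakey.pem" \
        -subj "/O=test/CN=IAM lab root CA" -out "$dir/cacert.pem"

    # 2. Server key and CSR. The CN is set to the host name for older clients;
    #    modern clients ignore it and match on subjectAltName (added in step 3).
    openssl genrsa -out "$dir/ldapserver-key.pem" 2048 2>/dev/null
    openssl req -new -key "$dir/ldapserver-key.pem" \
        -subj "/O=test/CN=$host" -out "$dir/ldapserver.csr"

    # 3. Sign the CSR. Extensions come from the extension file, not the CSR:
    #    a DNS SAN for host-name matching, a serverAuth EKU, and CA:FALSE so a
    #    stolen server key cannot be used to mint further certificates.
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' \
        "$host" > "$dir/server.ext"
    openssl x509 -req -days 365 -in "$dir/ldapserver.csr" \
        -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/ldapserver-cert.pem" 2>/dev/null

    # Private keys readable by their owner only; slapd needs only the server key.
    chmod 600 "$dir/cakey.pem" "$dir/ldapserver-key.pem"
}

# Returns 0 only if the certificate chains to cacert.pem AND its SAN/CN matches
# HOSTNAME; this is the check an LDAP client performs before it sends a bind.
verify_ldap_cert() {   # usage: verify_ldap_cert OUTDIR HOSTNAME
    openssl verify -CAfile "$1/cacert.pem" -verify_hostname "$2" \
        "$1/ldapserver-cert.pem" >/dev/null 2>&1
}

# Prints the SANs the certificate actually carries (what clients will match on).
cert_sans() {   # usage: cert_sans OUTDIR
    openssl x509 -in "$1/ldapserver-cert.pem" -noout -ext subjectAltName
}
```

Typical use is make_ldap_certs /etc/ssl/openldap ldap.iam.test.local followed by verify_ldap_cert with the same host name; a mismatch between the name clients connect to and the name in the certificate is the most common reason a StartTLS bind fails after the server side looks correct.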

Configure SSL on OpenLDAP

  • Configure the ldap server to use the certificates. Create a new ldif file (ldap_ssl.ldif) as shown below:
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/openldap/certs/cacert.pem
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/openldap/private/ldapserver-key.key
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/openldap/certs/ldapserver-cert.crt
  • Apply the configuration using the command below. The three attributes are set in a single modify operation so that the key and certificate are validated together. The change is made over the local socket as root, which the default Debian configuration maps to the cn=config administrator, hence sudo.
sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f ldap_ssl.ldif

If the modify fails even though ownership and permissions look right, check the slapd journal (sudo journalctl -u slapd) and the kernel log for AppArmor denials: Ubuntu confines slapd with an AppArmor profile that only permits the certificate locations it knows about, and a custom directory such as /etc/ssl/openldap may need to be added to it.

To validate that the certificates have been set, run the command below:

sudo slapcat -b "cn=config" | grep -E "olcTLS"

Setting these attributes enables StartTLS on the existing ldap:/// listener; it does not require it, so clients can still bind in cleartext. Once clients have been converted, cleartext simple binds can be refused by setting olcSecurity: simple_bind=128 on the database (administrative binds over ldapi:/// with SASL EXTERNAL are unaffected).

Configure LDAP Client

  • Point the OpenLDAP client library at the CA certificate by adding the following lines to /etc/ldap/ldap.conf. (The directives ssl start_tls and ssl on belong to pam_ldap and nslcd configuration files, not to ldap.conf, where they have no effect.) TLS_REQCERT demand is the default and makes the client refuse to talk to a server whose certificate does not validate; the other values (allow, try, never) weaken or disable verification and should not be used.
TLS_CACERT /etc/ssl/openldap/certs/cacert.pem
TLS_REQCERT demand
  • Verify that StartTLS is negotiated. The -ZZ option makes the command fail rather than silently continue in cleartext if TLS cannot be established, and the host name in the URL must both resolve and match the certificate:
ldapwhoami -x -ZZ -H ldap://ldap.iam.test.local
  • Restart your LDAP server. This is harmless, and it is required if you also edit /etc/default/slapd, for example to add ldaps:/// to SLAPD_SERVICES for clients that need LDAP over TLS on port 636 instead of StartTLS.
sudo systemctl restart slapd