Install OpenLDAP on Ubuntu

LDAP is often used as part of the IAM landscape. While many organizations already have a directory infrastructure, the steps below describe how to install OpenLDAP on Ubuntu.

This document is not intended to serve as a comprehensive guide to installing and configuring OpenLDAP.

Install OpenLDAP

Install slapd (the standalone LDAP daemon) and the LDAP client utilities

sudo apt install slapd ldap-utils

Enter an administrator password when the installer prompts you.

Validate that your installation was successful by running sudo slapcat (the database files are only readable by root). You should see output similar to the example below:

dn: dc=nodomain
objectClass: top
objectClass: dcObject
objectClass: organization
o: nodomain
dc: nodomain
structuralObjectClass: organization
entryUUID: 2f3ff140-6a54-103c-99c6-8144871930ca
creatorsName: cn=admin,dc=nodomain
createTimestamp: 20220517174028Z
entryCSN: 20220517174028.015525Z#000000#000#000000
modifiersName: cn=admin,dc=nodomain
modifyTimestamp: 20220517174028Z

Update the configuration to use your domain. This can be done by using the package reconfiguration utility shown below.

sudo dpkg-reconfigure slapd

You will be asked whether the OpenLDAP server configuration should be omitted. Select No and proceed to configure your OpenLDAP settings. The utility will prompt you for the information below.

  • The DNS domain name used to construct the base DN of your LDAP directory, e.g. ldap.local (which yields dc=ldap,dc=local)
  • The name of your organization, which is also used in the base DN, e.g. test
  • Your administrator password, entered twice to confirm it
  • Whether the slapd database should be removed when the slapd package is removed; choose to remove it

After completing the reconfiguration process, run sudo slapcat again; you should see output similar to the example below (your domain information will be different):

dn: dc=ldap,dc=local
objectClass: top
objectClass: dcObject
objectClass: organization
o: openiam
dc: ldap
structuralObjectClass: organization
entryUUID: bc830e48-6a54-103c-8324-c7e057e95c40
creatorsName: cn=admin,dc=ldap,dc=local
createTimestamp: 20220517174425Z
entryCSN: 20220517174425.014134Z#000000#000#000000
modifiersName: cn=admin,dc=ldap,dc=local
modifyTimestamp: 20220517174425Z

Validate that your directory is running

After the above steps have been completed, you can validate that your directory is operational by running the following command:

sudo systemctl status slapd

You should see output similar to the example below:

● slapd.service - LSB: OpenLDAP standalone server (Lightweight Directory Access Protocol)
Loaded: loaded (/etc/init.d/slapd; generated)
Drop-In: /usr/lib/systemd/system/slapd.service.d
└─slapd-remain-after-exit.conf
Active: active (running) since Tue 2022-05-17 17:44:25 UTC; 3min 28s ago
Docs: man:systemd-sysv-generator(8)
Process: 645482 ExecStart=/etc/init.d/slapd start (code=exited, status=0/SUCCESS)
Tasks: 3 (limit: 38496)
Memory: 3.0M
CPU: 35ms
CGroup: /system.slice/slapd.service
└─645488 /usr/sbin/slapd -h ldap:/// ldapi:/// -g openldap -u openldap -F /etc/ldap/slapd.d
May 17 17:44:25 localhost systemd[1]: slapd.service: Succeeded.
May 17 17:44:25 localhost systemd[1]: Stopped LSB: OpenLDAP standalone server (Lightweight Directory Access Protocol).
May 17 17:44:25 localhost systemd[1]: Starting LSB: OpenLDAP standalone server (Lightweight Directory Access Protocol)...
May 17 17:44:25 localhost slapd[645487]: @(#) $OpenLDAP: slapd 2.4.57+dfsg-3 (May 15 2021 23:03:34) $
Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>
May 17 17:44:25 localhost slapd[645488]: slapd starting
May 17 17:44:25 localhost slapd[645482]: Starting OpenLDAP: slapd.
May 17 17:44:25 localhost systemd[1]: Started LSB: OpenLDAP standalone server (Lightweight Directory Access Protocol).

Populate your directory

The following steps describe how you can create the initial structure of your directory. Along the way, utilities to review your configuration will also be described.

To check the base DN, use the command below:

ldapsearch -x -LLL -b "" -s base namingContexts

To view the RootDN, use the command below:

sudo ldapsearch -H ldapi:/// -Y EXTERNAL -b "cn=config" -LLL -Q | grep olcRootDN:

You will see output similar to the example below:

olcRootDN: cn=admin,cn=config
olcRootDN: cn=admin,dc=ldap,dc=local

Define the basic structure for your directory using the steps and examples shown below:

  • Create an ldif file (nano basedn.ldif) with the entries below. Separate each entry from the next with a blank line, and make sure the value used in each entry's RDN (here the ou attribute) is also present in the entry; otherwise ldapadd rejects it.

dn: ou=people,dc=ldap,dc=local
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=ldap,dc=local
objectClass: organizationalUnit
ou: groups

dn: ou=dept1,ou=people,dc=ldap,dc=local
objectClass: organizationalUnit
ou: dept1

dn: ou=dept2,ou=people,dc=ldap,dc=local
objectClass: organizationalUnit
ou: dept2

dn: ou=admins,ou=people,dc=ldap,dc=local
objectClass: organizationalUnit
ou: admins

dn: ou=disabledusers,dc=ldap,dc=local
objectClass: organizationalUnit
ou: disabledusers

  • Load the file using the ldapadd utility.

sudo ldapadd -x -D cn=admin,dc=ldap,dc=local -W -f basedn.ldif
  • Create test users. Create an ldif file (nano testusers.ldif) with the entries below, again separated by blank lines:

dn: uid=james.brown,ou=people,dc=ldap,dc=local
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
uid: james.brown
cn: James
sn: Brown
mail: james.brown@test.local
postalCode: 12345
userPassword: password123

dn: uid=Mick.Jagger,ou=dept1,ou=people,dc=ldap,dc=local
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
uid: mick.jagger
cn: Mick
sn: Jagger
mail: mick.jagger@test.local
postalCode: 12345
userPassword: password123

dn: uid=Elton.John,ou=dept1,ou=people,dc=ldap,dc=local
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
uid: Elton.John
cn: Elton
sn: John
mail: Elton.John@test.local
initials: EJ
title: Manager
postalCode: 12345
userPassword: password123
employeeNumber: 12334343
employeeType: Employee
departmentNumber: 205
preferredLanguage: en
ou: people
ou: dept1
telephoneNumber: +1 408 555 1862
facsimileTelephoneNumber: +1 408 555 1992
mobile: +1 408 555 1941

Use the command below to load the users.

sudo ldapadd -x -D cn=admin,dc=ldap,dc=local -W -f testusers.ldif

  • Create test groups. Put the entries below in an ldif file and load it with the same ldapadd command as above, passing the new file name to -f.

dn: cn=developers,ou=groups,dc=ldap,dc=local
objectclass: top
objectclass: groupOfNames
cn: developers
member: uid=james.brown,ou=people,dc=ldap,dc=local
member: uid=Mick.Jagger,ou=dept1,ou=people,dc=ldap,dc=local

dn: cn=admins,ou=groups,dc=ldap,dc=local
objectclass: top
objectclass: groupOfNames
cn: admins
member: uid=james.brown,ou=people,dc=ldap,dc=local
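Before feeding the ldif files above to ldapadd, it helps to lint them offline for the two mistakes slapd rejects (entries not separated by a blank line, and an RDN value missing from the entry) and for clear-text userPassword values. The script below is an added example, not part of this guide or of OpenLDAP; it uses only the Python standard library and assumes DNs without escaped commas and plain (not base64 "::") attribute values.

```python
# Added example, not part of this guide: an offline lint for LDIF files before
# they go to ldapadd. Standard library only; it assumes DNs without escaped
# commas and plain (not base64 "::") attribute values.

def parse_ldif(text):
    """Split LDIF text into entries; each entry is a list of (attr, value)."""
    entries, current = [], []
    for line in text.splitlines() + [""]:      # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if line == "":
            if current:
                entries.append(current)
                current = []
        elif line.startswith(" ") and current:  # LDIF continuation line
            attr, val = current[-1]
            current[-1] = (attr, val + line[1:])
        else:
            attr, _, val = line.partition(":")
            current.append((attr.strip(), val.strip()))
    return entries

def check_ldif(text):
    """Return a list of problems slapd (or a reviewer) would reject; [] means OK."""
    problems = []
    for entry in parse_ldif(text):
        dns = [v for a, v in entry if a.lower() == "dn"]
        if len(dns) != 1:
            problems.append("entry has %d dn lines: missing blank line between entries?" % len(dns))
            continue
        dn = dns[0]
        # slapd rejects an entry whose RDN value is absent from the named attribute
        # ("naming attribute ... is not present in entry"); ou/uid compare case-insensitively.
        rdn_attr, _, rdn_val = dn.split(",", 1)[0].partition("=")
        present = [v.lower() for a, v in entry if a.lower() == rdn_attr.strip().lower()]
        if rdn_val.strip().lower() not in present:
            problems.append("%s: RDN value %r not present in attribute %s" % (dn, rdn_val, rdn_attr))
        for a, v in entry:
            if a.lower() == "userpassword" and not v.startswith("{"):
                problems.append("%s: userPassword is clear text; use slappasswd to hash it" % dn)
    return problems

# Constructed sample: two OUs without a separating blank line and a mismatched RDN.
BROKEN = """dn: ou=people,dc=ldap,dc=local
objectClass: organizationalUnit
ou: people
dn: ou=disabledusers,dc=ldap,dc=local
objectClass: organizationalUnit
ou: disableduser
"""
FIXED = BROKEN.replace("ou: people\n", "ou: people\n\n").replace("disableduser\n", "disabledusers\n")
```

Running check_ldif over basedn.ldif and testusers.ldif before ldapadd reports the problems with their DN, which is easier to act on than the "naming attribute is not present" error slapd returns on the first bad entry.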

LDAP Search examples

Show all users

sudo ldapsearch -x -b dc=ldap,dc=local -H ldap://localhost

Search for users with objectClass inetOrgPerson (authenticated bind)

sudo ldapsearch -x -b dc=ldap,dc=local -H ldap://localhost -D "cn=admin,dc=ldap,dc=local" -W "objectclass=inetOrgPerson"

Secure your directory

Generate a self-signed certificate

  • Create directories for the certificates

You can define your own location to store the certificates or you can use the default location: /etc/ldap/sasl2/

sudo mkdir -p /etc/ssl/openldap/{private,certs,newcerts}
  • Open the /usr/lib/ssl/openssl.cnf configuration file and set the directory for storing SSL/TLS certificates and keys in the [ CA_default ] section
sudo nano /usr/lib/ssl/openssl.cnf

Update the dir entry as shown below.

#dir = ./demoCA # Where everything is kept
dir = /etc/ssl/openldap
  • Create the following files, which openssl ca uses to track issued certificates later (the redirection is done through tee because the files are root-owned)
echo "1001" | sudo tee /etc/ssl/openldap/serial
sudo touch /etc/ssl/openldap/index.txt
  • Generate the CA key; the second command removes the passphrase again so the key can be used non-interactively
sudo openssl genrsa -aes256 -out /etc/ssl/openldap/private/cakey.pem 2048
sudo openssl rsa -in /etc/ssl/openldap/private/cakey.pem -out /etc/ssl/openldap/private/cakey.pem
  • Create the CA certificate
sudo openssl req -new -x509 -days 3650 -key /etc/ssl/openldap/private/cakey.pem -out /etc/ssl/openldap/certs/cacert.pem
  • Generate the ldap server key
sudo openssl genrsa -aes256 -out /etc/ssl/openldap/private/ldapserver-key.key 2048
sudo openssl rsa -in /etc/ssl/openldap/private/ldapserver-key.key -out /etc/ssl/openldap/private/ldapserver-key.key
  • Generate the CSR. When prompted for the Common Name, use the host name clients will connect to, otherwise clients that verify the certificate will reject it.
sudo openssl req -new -key /etc/ssl/openldap/private/ldapserver-key.key -out /etc/ssl/openldap/certs/ldapserver-cert.csr
  • Generate the LDAP server certificate and sign it with the CA key and certificate generated above. By default openssl ca applies the policy_match section of openssl.cnf, so the country, state and organization in the CSR must match those of the CA certificate.
sudo openssl ca -keyfile /etc/ssl/openldap/private/cakey.pem -cert /etc/ssl/openldap/certs/cacert.pem -in /etc/ssl/openldap/certs/ldapserver-cert.csr -out /etc/ssl/openldap/certs/ldapserver-cert.crt
  • Validate the certificate using the command below.
openssl verify -CAfile /etc/ssl/openldap/certs/cacert.pem /etc/ssl/openldap/certs/ldapserver-cert.crt

You should expect output similar to the example below:

/etc/ssl/openldap/certs/ldapserver-cert.crt: OK
  • Now that the certificates have been generated, change the ownership so that the files are owned by the openldap user.
sudo chown -R openldap: /etc/ssl/openldap/

Configure SSL on OpenLDAP

  • Configure the ldap server to use the certificates. Create a new ldif file (ldap_ssl.ldif) as shown below:
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/openldap/certs/cacert.pem
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/openldap/private/ldapserver-key.key
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/openldap/certs/ldapserver-cert.crt
  • Apply the configuration using the command below (root is required for the EXTERNAL bind over ldapi)
sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f ldap_ssl.ldif

To validate that the certificates have been set, run the command below:

sudo slapcat -b "cn=config" | grep -E "olcTLS"

Configure LDAP Client

  • Update /etc/ldap/ldap.conf by adding the following lines
ssl start_tls
ssl on

Note that OpenLDAP's own client tools (ldapsearch, ldapadd, ldapmodify) do not read the ssl directives; they take the trust anchor from the TLS_CACERT directive in the same file, so point TLS_CACERT at /etc/ssl/openldap/certs/cacert.pem so that the self-signed certificate chain verifies.
  • Restart your ldap server
sudo systemctl restart slapd
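Once slapd is restarted, the configuration should be verified from the client side: the server must accept the STARTTLS extended operation on port 389 and present a certificate that chains to the CA above and matches the host name. The script below is an added example, not part of this guide or of OpenLDAP; it uses only the Python standard library, and the host name, port and CA path are assumptions (the host name must match the Common Name in the server CSR).

```python
# Added example, not part of this guide: a stdlib-only client check that slapd
# accepts STARTTLS on port 389 and presents a certificate that verifies against
# the CA created above. Host name, port and CA path are assumptions; the host
# name must match the Common Name you put in the server CSR.
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"

def starttls_request(msg_id=1):
    """BER-encode LDAPMessage{messageID, ExtendedRequest{requestName=STARTTLS}}."""
    name = b"\x80" + bytes([len(STARTTLS_OID)]) + STARTTLS_OID  # [0] requestName
    ext = b"\x77" + bytes([len(name)]) + name                    # [APPLICATION 23]
    body = b"\x02\x01" + bytes([msg_id]) + ext                   # INTEGER messageID, op
    return b"\x30" + bytes([len(body)]) + body                   # SEQUENCE

def result_code(response):
    """Return resultCode from an ExtendedResponse (short-form BER lengths assumed)."""
    # 30 LL  02 01 ID  78 LL  0a 01 CODE  04 .. matchedDN  04 .. diagnosticMessage ...
    if response[:1] != b"\x30" or response[2:4] != b"\x02\x01" or response[5:6] != b"\x78":
        raise ValueError("not an LDAP ExtendedResponse")
    if response[7:9] != b"\x0a\x01":
        raise ValueError("unexpected resultCode encoding")
    return response[9]

def check_starttls(host="ldap.local", port=389, cafile="/etc/ssl/openldap/certs/cacert.pem"):
    """Upgrade a plain LDAP connection with STARTTLS and verify the server
    certificate chain and host name; returns the certificate subject."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + hostname check
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(starttls_request())
        code = result_code(sock.recv(1024))
        if code != 0:
            raise RuntimeError("STARTTLS refused, LDAP resultCode %d" % code)
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return dict(rdn[0] for rdn in tls.getpeercert()["subject"])

if __name__ == "__main__":
    print(check_starttls())
```

The equivalent check with the OpenLDAP tools is ldapsearch -x -ZZ -H ldap://ldap.local -b dc=ldap,dc=local, which fails unless STARTTLS succeeds and the certificate verifies against TLS_CACERT.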