URL: https://thenewstack.io/deploy-the-ldap-directory-system-to-an-ubuntu-server/

Deploy the LDAP Directory System to an Ubuntu Server - The New Stack
Deploy the LDAP Directory System to an Ubuntu Server

Here is how to deploy your first LDAP server and configure a client to authenticate against the directory tree.
Apr 13th, 2024 6:00am by Jack Wallen
Feature art by Aubrey Odom on Unsplash.

You’ve probably heard of Active Directory, which is the Microsoft directory service that connects users with the resources they require. But did you know that there’s an open source directory service, built on the Lightweight Directory Access Protocol (LDAP), that can do many of the things Active Directory can do?

LDAP stands for Lightweight Directory Access Protocol, a protocol for storing data in a directory and giving users access to that data for numerous purposes. One very handy use case for LDAP is a centralized authentication directory, so that user login information is retained in a single database. When a user attempts to log in to any machine on your network, the machine queries the LDAP directory and, if the credentials match, grants the user access to their account on that machine.

LDAP is powerful, flexible and free.

I want to walk you through the process of deploying an LDAP server, and then, how to configure a client to use LDAP authentication.

What You’ll Need

To make this work, you’ll need one instance of Ubuntu Server (I’ll demonstrate with version 22.04), an instance of Ubuntu Desktop, and a user with sudo privileges. That’s it. Let’s get to work.

Installing LDAP

Log in to Ubuntu Server and install the necessary software with this command:

sudo apt-get install slapd ldap-utils -y

During the installation, you’ll be required to set an LDAP admin password. Make sure to type, and then verify, a strong password here.

That’s it for the installation.

Configuring LDAP

It’s now time to configure LDAP. First, you must reconfigure the Directory Information Tree (DIT), which should be in this format:

dc=example,dc=com

That’s what I’ll be using for this tutorial, but you’ll want to use your own domain for this. To configure the DIT, issue this command:

sudo dpkg-reconfigure slapd

Answer “No” for the first question (“Omit OpenLDAP server configuration”) and then type your domain (such as example.com).

Next, configure the organizational name (which can be whatever you need to define an organization). When asked if you want to remove the slapd database, answer “No,” and then answer “Yes” to move the old database.

With this taken care of, you can now populate the LDAP database with your first entry. To do that, we’ll use an LDIF file. Create the file with this command:

nano ldap_data.ldif

In that file, paste the following (replacing the DIT with your domain and customizing the uppercase placeholders such as USER and DEPARTMENT):

# Organizational units for people and groups; each LDIF entry is
# separated from the next by a blank line.
dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Groups,dc=example,dc=com
objectClass: organizationalUnit
ou: Groups

# The cn attribute must repeat the value used in the dn, or slapd
# rejects the entry.
dn: cn=DEPARTMENT,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: DEPARTMENT
gidNumber: 5000

# The user account; PASSWORD is best supplied as a hash generated with
# slappasswd rather than as a cleartext value.
dn: uid=USER,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: USER
sn: LASTNAME
givenName: FIRSTNAME
cn: FULLNAME
displayName: DISPLAYNAME
uidNumber: 10000
gidNumber: 5000
userPassword: PASSWORD
gecos: FULLNAME
loginShell: /bin/bash
homeDirectory: USERDIRECTORY

Save and close the file.

Add the new entry with the command:

ldapadd -x -D cn=admin,dc=example,dc=com -W -f ldap_data.ldif

Make sure to change the DIT in the above command to match yours. Once you’ve successfully entered your LDAP admin password, the entry will be added. You can verify the addition by searching for the USER you added, like this:

ldapsearch -x -LLL -b dc=example,dc=com 'uid=USER' cn gidNumber

Be sure to replace the text “USER” in the previous command with the username in the uid: entry in the LDIF file.
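As an added example (not code from the article), the following POSIX shell script builds the LDIF above from variables and sanity-checks it before it goes to ldapadd. It assumes the base DN dc=example,dc=com from the article and a password hash produced beforehand with slappasswd, so no cleartext password is written into the file.

```shell
#!/bin/sh
# Added example (not from the article): build the article's LDIF from
# variables and sanity-check it before passing it to ldapadd.
# Assumes the base DN dc=example,dc=com used in the article and a
# password hash produced beforehand, e.g. with
#   slappasswd -h '{SSHA}' -s 'the-password'
BASE_DN="dc=example,dc=com"

# gen_ldif USER FIRST LAST UIDNUM GROUP GIDNUM HASH
# Prints the four entries from the article. Entries are separated by a
# blank line (LDIF requires it), and the group's cn attribute repeats the
# value used in its RDN, which slapd insists on.
gen_ldif() {
  user=$1; first=$2; last=$3; uidnum=$4; group=$5; gidnum=$6; hash=$7
  printf 'dn: ou=People,%s\nobjectClass: organizationalUnit\nou: People\n\n' "$BASE_DN"
  printf 'dn: ou=Groups,%s\nobjectClass: organizationalUnit\nou: Groups\n\n' "$BASE_DN"
  printf 'dn: cn=%s,ou=Groups,%s\nobjectClass: posixGroup\ncn: %s\ngidNumber: %s\n\n' \
    "$group" "$BASE_DN" "$group" "$gidnum"
  printf 'dn: uid=%s,ou=People,%s\n' "$user" "$BASE_DN"
  printf 'objectClass: inetOrgPerson\nobjectClass: posixAccount\nobjectClass: shadowAccount\n'
  printf 'uid: %s\nsn: %s\ngivenName: %s\ncn: %s %s\ndisplayName: %s %s\n' \
    "$user" "$last" "$first" "$first" "$last" "$first" "$last"
  printf 'uidNumber: %s\ngidNumber: %s\nuserPassword: %s\ngecos: %s %s\n' \
    "$uidnum" "$gidnum" "$hash" "$first" "$last"
  printf 'loginShell: /bin/bash\nhomeDirectory: /home/%s\n' "$user"
}

# check_ldif FILE: for each entry, confirm the attribute named in the dn's
# RDN is also present with the same value (a cn=DEPARTMENT / cn: SUBGROUP
# mismatch fails here), and flag any userPassword not in {scheme} form.
# Assumes DNs without spaces. Exit status is the number of problems found.
check_ldif() {
  awk '
    /^dn: / { split($2, rdn, ","); split(rdn[1], kv, "=")
              attr = kv[1]; want = kv[2]; seen = 0; dn = $2; next }
    dn != "" && index($0, attr ": ") == 1 && substr($0, length(attr) + 3) == want { seen = 1 }
    /^userPassword: / && substr($2, 1, 1) != "{" { print "cleartext password in " dn; bad++ }
    /^$/    { if (dn != "" && !seen) { print "naming attribute missing in " dn; bad++ }
              dn = "" }
    END     { if (dn != "" && !seen) { print "naming attribute missing in " dn; bad++ }
              print bad + 0 " problem(s)"; exit bad + 0 }
  ' "$1"
}

# Usage on the server from the article (hash is a placeholder):
# gen_ldif jdoe Jane Doe 10000 linuxlogins 5000 '{SSHA}...' > ldap_data.ldif
# check_ldif ldap_data.ldif && ldapadd -x -D cn=admin,$BASE_DN -W -f ldap_data.ldif
```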

Installing the LDAP Account Manager

Instead of having to do everything by way of the command line, you can add the LDAP Account Manager (LAM) into the mix for a handy web-based admin tool. Install this with:

sudo apt-get install ldap-account-manager -y

After the installation completes, access LAM from the URL “http://SERVER/lam” (where SERVER is the IP address or domain name of the hosting server). When the page loads, click LAM Configuration in the upper-right corner of the window (Figure 1).


Figure 1: The LAM login page.

On the resulting page, click Edit Server Profiles; when prompted, type “lam” as the password. In the next page, you’ll need to configure the following information:

  • Under Server Settings, configure the Tree suffix (under Tree Tools) to match your DIT.
  • In the List of Valid Users, change “cn=Manager”, “dc=my-domain” and “dc=com” to “cn=admin”, “dc=example” and “dc=com” (making sure to change “example” and “com” to match your DIT).
  • In the Account Types tab, change every instance of “my-domain” and “com” to match your DIT.

Save the configuration and then, when prompted, log back in using your LDAP admin user password.

Creating a New Group in LAM

In the Groups tab (Figure 2), you’ll want to create a new group with a straightforward name (such as “linuxlogins”).


Figure 2: Creating a new group in LAM is very simple.

Once you’ve done that, click the Users tab and create a new user. In the resulting window (Figure 3), you’ll need to do the following:

  • Add all of the necessary personal information for the user in the Personal section.
  • Create a Unix login in the Unix section.
  • Set a password for the user by clicking Set Password.

Figure 3: Creating a new user in LAM.

Authenticating From the Linux Desktop

With the server taken care of, you can now configure a Linux desktop to authenticate to the LDAP server. To do that, log in to the Linux desktop machine and install the necessary software with:

sudo apt-get install libnss-ldap libpam-ldap ldap-utils nscd -y

During the installation, you’re required to enter an address for the LDAP server, which is in this form:

ldap://SERVER

Be sure to replace the text “SERVER” with the IP address of the LDAP server you’ve just deployed.

You’ll then be required to select the following:

  • Version of LDAP = 3
  • Make local root Database admin = Yes
  • Does the LDAP database require login? = No
  • LDAP account for root = cn=admin,dc=example,dc=com (make sure to use your DIT)
  • LDAP root account password = the password for the LDAP admin user

When the installation is complete, you’ll then have to configure the client for LDAP authentication. To do this, open the nsswitch.conf file:

sudo nano /etc/nsswitch.conf

Locate the following lines:

passwd: files systemd sss
group: files systemd sss
shadow: files sss

Change those lines to:

passwd: files systemd ldap
group: files systemd ldap
shadow: files ldap

Save and close the file.

Open the common-password file with this command:

sudo nano /etc/pam.d/common-password

Look for the following line:

password [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_pass

Remove the use_authtok entry; then, save and close the file.

Open the common-session file:

sudo nano /etc/pam.d/common-session

At the bottom of that file, add the following:

session optional pam_mkhomedir.so skel=/etc/skel umask=077

Save and close the file.

Reboot the client machine and, when prompted for a login, log in with a user in the LDAP directory. You should now have access to the desktop.
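The three client-side edits above (nsswitch.conf, common-password, common-session), as an added example that is not code from the article: filters that can be rehearsed on copies of the files by passing their paths explicitly, and re-run without doubling up lines. It assumes the stock Ubuntu lines quoted in the article.

```shell
#!/bin/sh
# Added example (not from the article): the three client-side edits the
# article makes by hand, as filters that can be rehearsed on copies of the
# files (pass the paths explicitly) and re-run safely. Assumes the stock
# Ubuntu nsswitch.conf and PAM lines quoted in the article.

# nsswitch.conf: passwd, group and shadow consult ldap instead of sss;
# other databases (hosts, etc.) are left untouched.
nss_to_ldap() {
  sed -E 's/^((passwd|group|shadow):.*[[:space:]])sss([[:space:]]|$)/\1ldap\3/'
}

# common-password: drop use_authtok from the pam_ldap.so line only.
pam_drop_authtok() {
  sed -E '/pam_ldap\.so/ s/[[:space:]]+use_authtok([[:space:]]|$)/\1/'
}

# common-session: append the pam_mkhomedir line once (umask=077 keeps the
# new home directory private to its owner).
pam_add_mkhomedir() {
  awk -v line='session optional pam_mkhomedir.so skel=/etc/skel umask=077' '
    index($0, "pam_mkhomedir.so") { found = 1 }
    { print }
    END { if (!found) print line }'
}

# edit_in_place FILE FILTER: keep FILE.bak and rewrite FILE through FILTER
# (the file keeps its inode, so ownership and mode are preserved).
edit_in_place() {
  cp -p "$1" "$1.bak" && "$2" < "$1.bak" > "$1"
}

# configure_client NSSWITCH COMMON_PASSWORD COMMON_SESSION
# On the real client, as root:
#   configure_client /etc/nsswitch.conf /etc/pam.d/common-password /etc/pam.d/common-session
configure_client() {
  [ $# -eq 3 ] || { echo "usage: configure_client NSSWITCH PASSWORD SESSION" >&2; return 2; }
  edit_in_place "$1" nss_to_ldap &&
  edit_in_place "$2" pam_drop_authtok &&
  edit_in_place "$3" pam_add_mkhomedir
}
```

The client was pointed at ldap://SERVER earlier, which sends bind credentials over the network in the clear; on anything but a lab network, pair this with ldaps:// or StartTLS on the server.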

Congratulations! You’ve just deployed your first LDAP server and configured a client to authenticate against the directory tree.

The Linux Foundation and Microsoft are sponsors of The New Stack. 