Install And Configure OpenLDAP On Ubuntu Karmic Koala

Submitted by Miguel on Thu, 2009-12-03 12:03. :: Ubuntu

The configuration of OpenLDAP got a bit (more) complicated. cn=config is still used, but when you install the packages from the repositories only a skeleton configuration of openldap is installed.

You are no longer asked to provide a password when the package is installed, and issuing "dpkg-reconfigure slapd" only resets openldap to the skeleton configuration. You have to set up the openldap database, root DN and ACLs yourself, using the root account (or sudo), in order to configure openldap.

Here is how I configured openldap on Karmic Koala, but I give no guarantee that this setup will suit your needs or work for you as it worked for me.

There is an official statement about this (https://lists.ubuntu.com/archives/ubuntu-server/2009-August/003182.html), but the official guide on help.ubuntu.com is outdated and does not tell you how to configure openldap on Karmic Koala.

Note:

  1. This howto uses dc=example,dc=com as the base tree for the openldap server. Change it to the base tree you want, e.g. dc=yourdomain,dc=tld. You need to do this everywhere dc=example,dc=com is used, and also for the entries o: example.com and dc: example in base.ldif.
  2. The blank lines in the provided files are needed: they mark the end of one entry (or change) when the file is applied to the openldap server.

So here's how I did it:

Step 1: install openldap and ldap-utils:

apt-get -y install slapd ldap-utils

Step 2: change into the /etc/ldap directory:

cd /etc/ldap

Step 3: add the schemas you want / need since only the core schema is added by default:

ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif

Step 4: load the database backend module and create the database.

Create a file called db.ldif and paste the text below in to it:

vi db.ldif

Content of the db.ldif:

# Load dynamic backend modules
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib/ldap
olcModuleload: {0}back_hdb

# Create the database
dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=example,dc=com
olcRootDN: cn=admin,dc=example,dc=com
olcRootPW: example
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcLastMod: TRUE
olcDbCheckpoint: 512 30
olcDbIndex: uid pres,eq
olcDbIndex: cn,sn,mail pres,eq,approx,sub
olcDbIndex: objectClass eq

Save the file and issue the following command to load the module and initialize the database:

ldapadd -Y EXTERNAL -H ldapi:/// -f db.ldif

Please note the line olcRootPW: example, which sets the root password to example. Replace example with a password of your choice. olcRootPW also accepts a hashed value, so you can paste the output of slappasswd (see Step 5) here instead of a cleartext password.

Step 5: create the base dn and the admin account for the openldap server.

Modify the text below to your needs and generate a password hash for the admin account. The hash currently in this file sets the password to example.

To create the password hash for the admin account, issue the following command:

slappasswd -h {MD5}

Type the wanted password twice and copy the result into the text below.

Create the base.ldif:

vi base.ldif

Content of base.ldif:

dn: dc=example,dc=com
objectClass: dcObject
objectclass: organization
o: example.com
dc: example
description: My LDAP Root

dn: cn=admin,dc=example,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
userPassword: {MD5}Gnmk1g3mcY6OWzJuM4rlMw==
description: LDAP administrator

Load the base dn into the database with the following command:

ldapadd -Y EXTERNAL -H ldapi:/// -f base.ldif
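The two files just loaded are the ones that most often go wrong when they are copied from a web page: a "no attributes provided" protocol error (a blank or whitespace-only line in the wrong place), a suffix that was only half replaced, or a cleartext olcRootPW. The following Python script is an added example and not part of the original howto: it parses LDIF records the way ldapadd does and reports those mistakes before the file is fed to slapd. The sample inputs are constructed; the {MD5} hash in the good sample is the howto's own example hash for the password example, and the suffix dc=corp,dc=local is an assumed replacement for dc=example,dc=com.

```python
import base64, re, sys
from typing import Dict, List

Record = Dict[str, List[str]]   # attribute name (lower-cased) -> values; 'dn' is kept as an attribute


def _record_from_lines(lines: List[str]) -> Record:
    """Build one record from its unfolded lines; handles 'attr: value' and 'attr:: base64'."""
    rec: Record = {}
    for line in lines:
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not an LDIF line: {line!r}")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        rec.setdefault(name.strip().lower(), []).append(value.strip())
    return rec


def parse_ldif(text: str) -> List[Record]:
    """Split LDIF like ldapadd: an empty line ends a record, a leading space continues the previous line.
    Whitespace-only lines are treated as separators here so the rest of the file can still be checked."""
    records: List[Record] = []
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.strip() == "":
            if unfolded:
                records.append(_record_from_lines(unfolded))
                unfolded = []
        elif raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    if unfolded:
        records.append(_record_from_lines(unfolded))
    return records


def check_ldif(text: str, suffix: str = "dc=example,dc=com") -> List[str]:
    """Return the problems found (empty list = looks sane) for a file meant for 'suffix'."""
    problems: List[str] = []
    for n, raw in enumerate(text.splitlines(), 1):
        if raw != "" and raw.strip() == "":
            problems.append(f"line {n}: whitespace-only line (LDIF reads a leading space as a continuation, so this does not end the record)")
    expected_dc = suffix.split(",")[0].split("=", 1)[1]          # 'corp' for dc=corp,dc=local
    for i, rec in enumerate(parse_ldif(text), 1):
        dns = rec.get("dn", [])
        label = f"record {i} ({dns[0]})" if dns else f"record {i}"
        if not dns:
            problems.append(f"{label}: missing dn (attributes cut off from their dn line?)")
        if all(name == "dn" for name in rec):
            problems.append(f"{label}: no attributes provided (blank line right after the dn line?)")
        if suffix.lower() != "dc=example,dc=com":
            for name, values in rec.items():
                if any("dc=example,dc=com" in v.lower() for v in values):
                    problems.append(f"{label}: {name} still refers to dc=example,dc=com")
        for v in rec.get("dc", []):
            if v.lower() != expected_dc.lower():
                problems.append(f"{label}: dc: {v} does not match the suffix {suffix}")
        for attr in ("olcrootpw", "userpassword"):
            if any(not re.match(r"\{[A-Za-z0-9-]+\}", v) for v in rec.get(attr, [])):
                problems.append(f"{label}: {attr} is in cleartext; paste the slappasswd output instead")
    return problems


# Constructed sample: db.ldif pasted from a web page, for a server whose suffix is dc=corp,dc=local.
SAMPLE_BAD = "\n".join([
    "dn: cn=module{0},cn=config", "objectClass: olcModuleList", "cn: module",
    "olcModulepath: /usr/lib/ldap", "olcModuleload: {0}back_hdb",
    " ",                                   # line 6: looks blank but is a continuation line
    "dn: olcDatabase={1}hdb,cn=config",
    "",                                    # blank line straight after the dn: record without attributes
    "objectClass: olcDatabaseConfig", "objectClass: olcHdbConfig", "olcDatabase: {1}hdb",
    "olcSuffix: dc=example,dc=com",        # suffix not replaced
    "olcRootDN: cn=admin,dc=corp,dc=local",
    "olcRootPW: example",                  # cleartext root password
])

# Constructed sample: base.ldif correctly adapted; the hash is the howto's own example hash.
SAMPLE_GOOD = """dn: dc=corp,dc=local
objectClass: dcObject
objectclass: organization
o: corp.local
dc: corp

dn: cn=admin,dc=corp,dc=local
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
userPassword: {MD5}Gnmk1g3mcY6OWzJuM4rlMw==
"""

if __name__ == "__main__":      # python3 ldifcheck.py dc=corp,dc=local db.ldif base.ldif
    for path in sys.argv[2:]:
        with open(path, encoding="utf-8") as fh:
            found = check_ldif(fh.read(), sys.argv[1])
        print(path + (": OK" if not found else ":\n  " + "\n  ".join(found)))
```

Run it with your suffix and the files from Steps 4 and 5 before the ldapadd commands. The whitespace-only line is the classic copy-and-paste artefact: LDIF treats a line that starts with a space as a continuation of the previous line, not as a record separator, which is exactly why Note 2 above insists on real blank lines.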

Step 6: modify the system ACLs

There are some ACLs set in the openldap setup that prevent phpLDAPadmin from interfacing with the directory, so we will remove them now and set the root DN of the config database to the default cn=admin,cn=config. From this moment on openldap can be configured and manipulated as before, but no longer by issuing commands like ldapadd -Y EXTERNAL -H ldapi:/// -f file; instead use ldapadd -x -H ldapi:/// -D cn=admin,cn=config -W -f file.

Create a file called config.ldif and paste the text below into it. Do not forget to replace the olcRootPW hash with the hash you created above.

vi config.ldif

Content of config.ldif:

dn: cn=config
changetype: modify
delete: olcAuthzRegexp

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
delete: olcAccess

dn: olcDatabase={0}config,cn=config
changetype: modify
delete: olcRootDN

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootDN
olcRootDN: cn=admin,cn=config

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {MD5}Gnmk1g3mcY6OWzJuM4rlMw==

dn: olcDatabase={0}config,cn=config
changetype: modify
delete: olcAccess

Load the config.ldif into the openldap server:

ldapadd -Y EXTERNAL -H ldapi:/// -f config.ldif

Step 7: set the ldap ACLs

Now we only need to add some ACLs to the directory. The root DN always has full read/write access regardless of them, but this ACL is the base ACL that was always shipped with openldap.

Create a file called acl.ldif and paste the text below into it:

vi acl.ldif

Content of acl.ldif:

dn: olcDatabase={1}hdb,cn=config
add: olcAccess
olcAccess: to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=example,dc=com" write by anonymous auth by self write by * none
olcAccess: to dn.base="" by * read
olcAccess: to * by dn="cn=admin,dc=example,dc=com" write by * read

Now load the acl into the openldap server:

ldapmodify -x -H ldapi:/// -D cn=admin,cn=config -W -f acl.ldif
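To see why the order of the three olcAccess values in acl.ldif matters, here is an added example (Python; not code from the howto or from OpenLDAP) that models how slapd evaluates such rules according to slapd.access(5): the first to clause that matches the target is used, within it the first matching by clause decides, an unmatched requester gets none, and a granted level implies every lower level. It supports only the selectors used in acl.ldif; the uid=alice and uid=bob entries are constructed.

```python
import shlex
from typing import List, Optional, Tuple

# Access levels in slapd's order; a granted level implies every level to its left.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# The three rules from acl.ldif (the howto's dc=example,dc=com suffix), in file order.
HOWTO_ACL = [
    'to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=example,dc=com" write '
    'by anonymous auth by self write by * none',
    'to dn.base="" by * read',
    'to * by dn="cn=admin,dc=example,dc=com" write by * read',
]

Rule = Tuple[str, List[Tuple[str, str]]]   # ('<what>', [('<who>', '<level>'), ...])


def parse_rule(text: str) -> Rule:
    """Parse 'to <what> by <who> <level> [by ...]' for the subset of syntax used above."""
    tokens = shlex.split(text)          # shlex strips the quotes around dn="..."
    if len(tokens) < 2 or tokens[0] != "to":
        raise ValueError(f"rule must start with 'to <what>': {text!r}")
    by: List[Tuple[str, str]] = []
    i = 2
    while i < len(tokens):
        if tokens[i] != "by" or i + 2 >= len(tokens):
            raise ValueError(f"expected 'by <who> <level>' near token {i} in {text!r}")
        who, level = tokens[i + 1], tokens[i + 2]
        if level not in LEVELS:
            raise ValueError(f"unknown access level {level!r} in {text!r}")
        by.append((who, level))
        i += 3
    return tokens[1], by


def _what_matches(what: str, target_dn: str, attr: Optional[str]) -> bool:
    """Does this 'to' selector cover the attribute 'attr' (None = the entry itself) of target_dn?"""
    if what == "*":
        return True
    if what.startswith("attrs="):
        return attr is not None and attr.lower() in what[6:].lower().split(",")
    if what.startswith("dn.base="):
        return target_dn.lower() == what[8:].lower()
    raise ValueError(f"unsupported 'to' selector: {what!r}")


def _who_matches(who: str, requester: Optional[str], target_dn: str) -> bool:
    """Does this 'by' selector cover the requester (None = anonymous bind)?"""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if who == "self":
        return requester is not None and requester.lower() == target_dn.lower()
    if who.startswith("dn="):
        return requester is not None and requester.lower() == who[3:].lower()
    raise ValueError(f"unsupported 'by' selector: {who!r}")


def granted_level(rules: List[Rule], requester: Optional[str], target_dn: str,
                  attr: Optional[str]) -> str:
    """First matching 'to' clause wins; inside it the first matching 'by' clause decides.
    No match anywhere means 'none' (slapd's implicit trailing 'by * none')."""
    for what, by in rules:
        if _what_matches(what, target_dn, attr):
            for who, level in by:
                if _who_matches(who, requester, target_dn):
                    return level
            return "none"
    return "none"


def allowed(rules: List[Rule], requester: Optional[str], target_dn: str,
            attr: Optional[str], wanted: str) -> bool:
    """True if the granted level is at least 'wanted'."""
    return LEVELS.index(granted_level(rules, requester, target_dn, attr)) >= LEVELS.index(wanted)


if __name__ == "__main__":
    rules = [parse_rule(r) for r in HOWTO_ACL]
    alice = "uid=alice,ou=people,dc=example,dc=com"          # constructed entry
    admin = "cn=admin,dc=example,dc=com"
    for who, label in [(None, "anonymous"), (alice, "alice (self)"),
                       ("uid=bob,ou=people,dc=example,dc=com", "bob"), (admin, "admin")]:
        print(f"{label:14} userPassword -> {granted_level(rules, who, alice, 'userPassword'):5}"
              f"  cn -> {granted_level(rules, who, alice, 'cn')}")
    # The same three rules with 'to *' first: the userPassword rule is never reached.
    print("with 'to *' first, anonymous may read userPassword:",
          allowed(rules[::-1], None, alice, "userPassword", "read"))
```

The output shows that an anonymous client gets only auth on userPassword (enough to bind, not enough to read the hash), a user may change its own password, and everything else is readable by anyone, which is the Jaunty default the howto restores. If the attrs=userPassword rule came after to *, slapd would never reach it and the password hashes would be readable through an anonymous bind; that ordering slip is what the last line of the demo makes visible. If anonymous browsing of the directory is not wanted, the third rule can use by users read instead of by * read (a suggestion of this example, not part of the howto).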

You should now have an openldap directory as it was shipped with Jaunty Jackalope.


Submitted by Anonymous (not registered) on Sun, 2011-11-13 08:47.

Hello I'm Manish from New Delhi

I have installed Ubuntu Server 11.04 in VMware. I have two users, "root" and "manish", having the same password 123456.

I have installed and configured OpenLDAP in Ubuntu Server 11.04 (apt-get install slapd openldap-utils).

I entered some entries, following tutorials on the internet...

I'm getting the search result using the following command:

ldapsearch -W -D cn=admin,dc=tamkor,dc=net -b dc=tamkor,dc=net

Result:

# extended LDIF
#
# LDAPv3
# base <dc=tamkor,dc=net> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# tamkor.net
dn: dc=tamkor,dc=net
objectClass: top
objectClass: dcObject
objectClass: organization
o: tamkor.net
dc: tamkor

# admin, tamkor.net
dn: cn=admin,dc=tamkor,dc=net
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: e1NTSEF9SklrMmVmeHlDczVZUDRxZnp4Uk13NW9uV25mVld6WUs=

# people, tamkor.net
dn: ou=people,dc=tamkor,dc=net
objectClass: organizationalUnit
ou: people

# groups, tamkor.net
dn: ou=groups,dc=tamkor,dc=net
objectClass: organizationalUnit
ou: groups

# rahul, people, tamkor.net
dn: uid=rahul,ou=people,dc=tamkor,dc=net
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: rahul
sn: Sharma
givenName: Rahul
cn: Rahul Sharma
displayName: Rahul Sharma
uidNumber: 2000
gidNumber: 2000
userPassword:: MTIzNDU2Nzg=
gecos: Rahul Sharma
loginShell: /bin/bash
homeDirectory: /home/rahul
shadowExpire: -1
shadowFlag: 0
shadowWarning: 7
shadowMin: 8
shadowMax: 999999
shadowLastChange: 10877
mail: rahul@tamkor.net
mobile: 9999999999
title: System User
initials: RS

# hackers, groups, tamkor.net
dn: cn=hackers,ou=groups,dc=tamkor,dc=net
objectClass: posixGroup
cn: hackers
gidNumber: 2000

# search result
search: 2
result: 0 Success

# numResponses: 7
# numEntries: 6

I added a user named Rahul Sharma with the password 12345678.

Now I have some questions regarding using this LDAP server in real-world applications:

1. How do I configure this OpenLDAP server so that I can retrieve entries in the Windows address book? Please direct me on how to configure the address book as well.

2. In the above configuration I have created a person entry for Rahul Sharma, so is it necessary to have a local user account for Rahul Sharma in Ubuntu in order to log in through SSH to this Ubuntu server using LDAP authentication? I mean, is it necessary that we have the same account as the LDAP person on our Ubuntu Linux?

3. I know that a uidNumber should be unique for every entry, but what about the gidNumber?

4. I want to configure Samba authentication with this OpenLDAP server. Please instruct me on the best way to do it.

Thank you.

Submitted by Anonymous (not registered) on Thu, 2011-10-27 13:35.
Hi, I was doing your tutorial but I had an error in the last step. When I try to run the command ldapmodify -x -D cn=admin,cn=config -W -f acl.ldif, the console shows: Enter password, and when I write my admin password this message is shown: ldap_bind: Invalid credentials (49)
Now when I try to do the last step using other directives, for example:

 sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f /home/user/acl.ldif
This runs correctly. Why does this happen?
Submitted by Anonymous (not registered) on Mon, 2012-02-20 15:40.

Did you solve this issue?
I'm having exactly the same problem - reproduced on 2 different fresh installations :(

When I'm executing the last step: "ldapmodify -x -D cn=admin,cn=config -W -f acl.ldif"
it asks for the LDAP Password. Entering the given password results in
"ldap_bind: Invalid credentials (49)"

Submitted by JonBoy (not registered) on Mon, 2011-05-23 22:28.
Having trouble with LDAP too? Take an aspirin and read this article. Thank you so much. I was having no joy anywhere else.
Submitted by redbit (registered user) on Thu, 2010-11-25 00:41.

I included all the schemas in Step 3, and completed the db.ldif file, but when I try to do 'ldapadd -Y EXTERNAL -H ldapi:/// -f db.ldif', I get the following error message:

SASL/EXTERNAL authentication started
SASL username: gidNumber=1000+uidNumber=1000,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=module{0},cn=config"
ldap_add: Protocol error (2)
            additional info: no attributes provided

I have rechecked the db.ldif file, and have not noticed an error. What am I doing wrong? I get the error every time I issue the command. What should I do?

Please, help

Submitted by Anonymous (not registered) on Fri, 2012-04-13 12:58.
I ran step 3 as root and I get the same error.
Submitted by Anonymous (not registered) on Thu, 2011-09-29 11:58.
Run the command as root. EXTERNAL, as defined by the AuthzRegexp, works only for root.
Submitted by Gopik (not registered) on Wed, 2010-07-28 11:18.

Thanks,

This is such a nice tutorial and it worked perfectly for me..

I did fresh Install.

 

Submitted by Keith Smith (not registered) on Tue, 2010-05-18 20:28.

Finally someone who understands this better than I. Why we cannot have a simple SQL-backed directory service is beyond me.

I can't get this to fly on lucid, so I scripted it to facilitate removal && reinstallation.  The script generates the files above with substitution for dc=... and the password, normal and hashed.

Perhaps I missed the obvious somewhere?

I have 2 problems. During the add of config.ldif:

ksmith:/etc/ldap# ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/config.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
ldap_modify: No such attribute (16)
    additional info: modify/delete: olcAuthzRegexp: no such attribute

And during the modify of acl.ldif I get a password request which is evidently not the one I just put in.

Here's the script:


#!/bin/sh
passwd=example
dc1=example
dc2=com
hash_pw=`slappasswd -h "{MD5}" -s $passwd`
tmpdir=/tmp

ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif

#
# db.ldif
#
cat <<EOF > $tmpdir/db.ldif
# Load dynamic backend modules
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib/ldap
olcModuleload: {0}back_hdb

# Create the database
dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=$dc1,dc=$dc2
olcRootDN: cn=admin,dc=$dc1,dc=$dc2
olcRootPW: $passwd
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcLastMod: TRUE
olcDbCheckpoint: 512 30
olcDbIndex: uid pres,eq
olcDbIndex: cn,sn,mail pres,eq,approx,sub
olcDbIndex: objectClass eq
EOF

#
# base.ldif
#
cat <<EOF > $tmpdir/base.ldif
dn: dc=$dc1,dc=$dc2
objectClass: dcObject
objectclass: organization
o: $dc1.$dc2
dc: $dc1
description: My LDAP Root

dn: cn=admin,dc=$dc1,dc=$dc2
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
userPassword: $hash_pw
description: LDAP administrator
EOF

#
# config.ldif
#
cat <<EOF > $tmpdir/config.ldif
dn: cn=config
changetype: modify
delete: olcAuthzRegexp

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
delete: olcAccess

dn: olcDatabase={0}config,cn=config
changetype: modify
delete: olcRootDN

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootDN
olcRootDN: cn=admin,cn=config

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: $hash_pw

dn: olcDatabase={0}config,cn=config
changetype: modify
delete: olcAccess
EOF

#
# acl.ldif
#
cat <<EOF > $tmpdir/acl.ldif
dn: olcDatabase={1}hdb,cn=config
add: olcAccess
olcAccess: to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=$dc1,dc=$dc2" write by anonymous auth by self write by * none
olcAccess: to dn.base="" by * read
olcAccess: to * by dn="cn=admin,dc=$dc1,dc=$dc2" write by * read
EOF

ldapadd -Y EXTERNAL -H ldapi:/// -f $tmpdir/db.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f $tmpdir/base.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f $tmpdir/config.ldif
ldapmodify -x -D cn=admin,cn=config -W -f $tmpdir/acl.ldif

Submitted by Brian Newton (not registered) on Mon, 2010-05-24 18:56.

I removed the two deletes that were causing problems from the config.ldif file, so it looks like this:

dn: cn=config
changetype: modify

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootDN
olcRootDN: cn=admin,cn=config

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {MD5}4GeApBZa2y/PRNbR3x9BHw==

dn: olcDatabase={0}config,cn=config
changetype: modify
delete: olcAccess

I now have slapd up and running and was able to add users and groups. You can probably do away with those first two lines, but I haven't tested that yet.

Submitted by Darcio Lopes Pa... (not registered) on Mon, 2010-05-10 15:32.

I tried to install slapd before, but slapd had been corrupted. I tried running the above procedure twice. The first time I just "removed" the corrupted slapd with Synaptic and it failed. The second time I "completely removed" it and it worked.

The "completely remove" option deletes the old settings of slapd. It is important in case of a slapd reinstall.

Thanks

Submitted by Atom88 (not registered) on Thu, 2010-04-29 20:19.
Thank you so much for this tutorial! Now if we can get this information on the Ubuntu server guide. It will be great! https://help.ubuntu.com/9.04/serverguide/C/openldap-server.html
Submitted by Bill (not registered) on Wed, 2010-04-07 19:51.

If you see:

# ldapmodify -x -D'cn=admin,cn=config' -W -f acl.ldif
Enter LDAP Password:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

as requested in #7, it's because you need to specify the LDAP server host. Add the argument "-H ldap://localhost:389" to the ldapmodify line.

 

The password is the one you specified in the earlier steps... 'example' unless you changed it to something else.
Submitted by mlb (not registered) on Sat, 2010-04-03 15:04.

Thanks! Worked perfectly :) I've been looking for working solution for quite a while - and yours just worked without any tweaking!

Submitted by Anonymous (not registered) on Fri, 2010-03-19 15:02.
Would be sweet... even sweeter would be a .deb that you'd just have to install. Yes, I'm lazy. One of the virtues of a programmer/admin ;-)
Submitted by Anonymous (not registered) on Tue, 2010-03-09 19:57.
Hi everyone, I am new to LDAP and I followed everything, and when I tried to run:

ldapadd -Y EXTERNAL -H ldapi:/// -f db.ldif

I ran into this issue:

SASL/EXTERNAL authentication started
SASL username: gidNumber=1000+uidNumber=1000,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=module{0},cn=config"
ldap_add: Insufficient access (50)

Does anyone know why I am getting this error? I can't proceed because I get the same error on every step after that, and at the end I get a credentials error as well. Thanks
Submitted by Anonymous (not registered) on Fri, 2010-05-28 17:27.

try this

   ldap -x -D cn=config -W -f db.ldif

Submitted by gnerd (not registered) on Tue, 2010-03-02 11:52.
I've been struggling for days trying to get OpenLDAP configured in Karmic, and all the other how-tos are seriously flawed; they never resulted in a working system.  Yours worked, however, and after ldapadding my user ldif, the system functions like it should.  Thanks a million!  You should do something to move this one to the top of the google rankings!
Submitted by Tapan Chugh (not registered) on Mon, 2010-01-25 07:04.

Congratulations for your great tutorial

I have a problem in the last step. When I try to execute ldapmodify, it asks for an LDAP Password.

What is that password?

Submitted by Anonymous (not registered) on Thu, 2010-01-07 14:59.

Great Howto ! Excellent. Thank's a lot.

My question is very simple ;o) I did your Howto, all is correct. But now I want to do it again with another DIT, etc. How can I do it properly? I don't want to re-install LDAP!

Before 9.10, we erased /var/lib/ldap and rewrote slapd.conf, but now? What's the method? Please ;o)

Submitted by Anonymous (not registered) on Mon, 2010-01-04 13:09.

Great tutorial. Tried every step but the last one on adding acls fails with the following:

ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

It asks for the ldap password and then this error. I can't figure it out and would be grateful for help.

Regards

Submitted by Anonymous (not registered) on Wed, 2009-12-23 05:52.
Thanks very much for this !
I had the naming error but a :

stop server
aptitude --purge-unused slapd (and all..)
rm /var/lib/ldap/*

and a reinstall solves everything.
Submitted by Fida (not registered) on Fri, 2009-12-04 13:01.

Hello

Thanks a lot for this Tutorial

I don't succeed in adding the db conf into openldap on Karmic.

I have this error:

adding new entry "cn=module{0},cn=config"
ldap_add: Naming violation (64)

First, I thought that it was a problem with defining the objectClass, so I added all the .ldif files located under /etc/ldap/schema.

This doesn't work either.

Do you have an idea about that?

Thanks a lot

Submitted by Guido (not registered) on Sun, 2009-12-13 08:59.

Same with me! I have tried the "old" installation tutorial from the ubuntu user wiki. Any idea?

--Guido 

Submitted by Anonymous (not registered) on Tue, 2009-12-15 04:46.

Same problem here (Naming violation)

Why put problem/fixes on a separate/unrelated forum?

Keep the howto and problems and solutions on the same page.

Submitted by Miguel (registered user) on Sun, 2009-12-06 12:58.

I just did the tutorial on a fresh install and succeeded, using copy and paste from the tutorial, without any errors.

Recheck what you are doing /did and please open a forum topic for questions and problems instead of the comment function.

Submitted by Anonymous (not registered) on Tue, 2009-12-22 10:27.
You guys probably forgot to change 'example' to YOURNAME and 'com' to YOURTLD somewhere
Submitted by Bhushan (not registered) on Tue, 2012-04-24 08:11.

My ldif is given below:

dn: dc=gmc,dc=com
objectClass: top
objectClass: domain
dc: gmc

dn: ou=groups,dc=gmc,dc=com
objectClass: top
objectClass: organizationalUnit
ou: groups

dn: ou=people,dc=gmc,dc=com
objectClass: top
objectClass: organizationalUnit
ou: people

dn: uid=admin,ou=people,dc=gmc,dc=com
objectClass: top
objectClass: uidObject
objectClass: person
uid: admin
cn: admin
sn: admin
userPassword: secret

dn: uid=user1,ou=people,dc=gmc,dc=com
objectClass: top
objectClass: uidObject
objectClass: person
uid: user1
cn: user1
sn: user1
userPassword: 1111

dn: uid=user2,ou=people,dc=gmc,dc=com
objectClass: top
objectClass: uidObject
objectClass: person
uid: user2
cn: user2
sn: user2
userPassword: 1234

dn: cn=admin,ou=groups,dc=gmc,dc=com
objectClass: top
objectClass: groupOfNames
cn: admin
member: uid=admin,ou=people,dc=gmc,dc=com

dn: cn=user,ou=groups,dc=gmc,dc=com
objectClass: top
objectClass: groupOfNames
cn: user
member: uid=admin,ou=people,dc=gmc,dc=com
member: uid=user1,ou=people,dc=gmc,dc=com
member: uid=user2,ou=people,dc=gmc,dc=com

dn: cn=billmanager,ou=groups,dc=gmc,dc=com
objectClass: top
objectClass: groupOfNames
cn: billmanager
member: uid=user2,ou=people,dc=gmc,dc=com

The one given for "dc=example,dc=com" is working properly, but I want to add the above ldif file. If anyone knows how I can do this, then please suggest it here or at my mail-id:

snebhushan@gmail.com

Please tell me step by step what changes I have to make in this example so that my ldif (posted above) is added.