How to Install and Configure OpenLDAP and phpLDAPadmin on Ubuntu 20.04

LDAP is a Lightweight Directory Access Protocol used for accessing and maintaining distributed directory over an internet protocol. phpLDAPadmin is a web-based LDAP client used for managing and administering the LDAP server. Its powerful search functionality and hierarchical tree view make it easier to manage the LDAP server through the web browser. You can add and delete records, view and edit image attributes, manage user password hashes and many more using phpLDAPadmin.

In this tutorial, we will explain how to install phpLDAPadmin on Ubuntu 20.04.

Prerequisites

  • A server running Ubuntu 20.04.
  • A valid domain name pointed at your server IP.
  • A root password configured on the server.

Getting Started

Before starting, it is always recommended to update your system with the latest version of packages. You can update it with the following command:

apt-get update -y

Once all the packages are updated, you can proceed to the next step.

Install and Configure OpenLDAP Server

First, you will need to install Slapd and other LDAP utilities in your server. You can install them by running the following command:

apt-get install slapd ldap-utils

During the installation, you will be asked to set up an administrator password as shown below:

[Screenshot: Configure slapd, administrator password prompt]

Provide your secure password and hit Enter to continue. Once the installation has been finished, you will need to reconfigure the SLAPD package to set your domain information.

You can reconfigure it with the following command:

dpkg-reconfigure slapd

You will be asked whether to omit the OpenLDAP server configuration, as shown below:

[Screenshot: OpenLDAP configuration]

Select No and hit Enter to continue. You will be asked to provide a DNS domain name as shown below:

[Screenshot: Configure slapd, DNS domain name prompt]

Provide your domain name and hit Enter to continue. You will be asked to provide the organization name as shown below:

[Screenshot: Organization name prompt]

Provide your desired organization name and hit Enter to continue. You will be asked for the admin password as shown below:

[Screenshot: Admin password prompt]

Provide your administrator password and hit Enter to continue. You will be asked whether to remove the database, as shown below:

[Screenshot: Purge database prompt]

Select Yes and hit Enter to finish the configuration.

Now, you can verify your LDAP information using the following command:

slapcat

You should get the following output:

dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: example.com
dc: example
structuralObjectClass: organization
entryUUID: 971829cc-ac5f-103a-8e42-9f8486ff5685
creatorsName: cn=admin,dc=example,dc=com
createTimestamp: 20201027051828Z
entryCSN: 20201027051828.103064Z#000000#000#000000
modifiersName: cn=admin,dc=example,dc=com
modifyTimestamp: 20201027051828Z

dn: cn=admin,dc=example,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: e1NTSEF9Tm5OYlpSMktkYjVnUUprb284MHFPTEVkMjQrQXpQWEk=
structuralObjectClass: organizationalRole
entryUUID: 9718c198-ac5f-103a-8e43-9f8486ff5685
creatorsName: cn=admin,dc=example,dc=com
createTimestamp: 20201027051828Z
entryCSN: 20201027051828.107057Z#000000#000#000000
modifiersName: cn=admin,dc=example,dc=com
modifyTimestamp: 20201027051828Z

Create OpenLDAP User Accounts

First, you will need to create the organizational unit (OU) containers that will hold the user and group entries. Create the LDIF file with the following command:

nano users-ou.ldif

Add the following lines:

dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: people

dn: ou=groups,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: groups

Save and close the file when you are finished then adjust the SLAPD database access controls by creating the following file:

nano update-mdb-acl.ldif

Add the following lines:

dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: to attrs=userPassword,shadowLastChange,shadowExpire
  by self write
  by anonymous auth
  by dn.subtree="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage 
  by dn.exact="cn=readonly,ou=people,dc=example,dc=com" read 
  by * none
olcAccess: to dn.exact="cn=readonly,ou=people,dc=example,dc=com" by dn.subtree="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * none
olcAccess: to dn.subtree="dc=example,dc=com" by dn.subtree="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
  by users read 
  by * none

Save and close the file, then update the database ACL with the above information by running the following command:

ldapadd -Y EXTERNAL -H ldapi:/// -f update-mdb-acl.ldif

You should get the following output:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}mdb,cn=config"

Next, update the database with the user OU information by running the following command:

ldapadd -Y EXTERNAL -H ldapi:/// -f users-ou.ldif

You should get the following output:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "ou=people,dc=example,dc=com"

adding new entry "ou=groups,dc=example,dc=com"

Next, create a new user account named hiteshj by creating the following file:

nano hitesh.ldif

Add the following lines:

dn: uid=hiteshj,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: hiteshj
cn: Hitesh
sn: Jethva
loginShell: /bin/bash
uidNumber: 10000
gidNumber: 10000
homeDirectory: /home/hiteshj
shadowMax: 60
shadowMin: 1
shadowWarning: 7
shadowInactive: 7
shadowLastChange: 0

dn: cn=hiteshj,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: hiteshj
gidNumber: 10000
memberUid: hiteshj

Save and close the file then add the user to the database with the following command:

ldapadd -Y EXTERNAL -H ldapi:/// -f hitesh.ldif

You should get the following output:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "uid=hiteshj,ou=people,dc=example,dc=com"

adding new entry "cn=hiteshj,ou=groups,dc=example,dc=com"

Next, you will need to set the password for the user. You can set it with the following command:

ldappasswd -H ldapi:/// -Y EXTERNAL -S "uid=hiteshj,ou=people,dc=example,dc=com"

You should see the following output:

New password: 
Re-enter new password: 
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0

Once you are finished, you can proceed to the next step.

Create OpenLDAP Bind DN

Next, you will need to define a username and password that applications will use to query the directory server. First, generate the password hash for the bind DN user using the following command:

slappasswd

You should get the following output:

New password: 
Re-enter new password: 
{SSHA}DhjyJN5akaj2etaFKoyeAY8QMgSD/OTb
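As an added example (not part of the original tutorial), the following Python reproduces the {SSHA} format that slappasswd emits by default and decodes the base64 userPassword:: line from the slapcat output earlier on this page, so you can confirm that what landed in the directory is a salted hash rather than cleartext. The sample password and the fixed salt are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os

SALT_LEN = 4  # slappasswd's default salt length for {SSHA}

def ssha_hash(password: str, salt: bytes = None) -> str:
    """Build a {SSHA} userPassword value the way slappasswd does by default:
    '{SSHA}' + base64( SHA-1(password || salt) || salt )."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(password: str, stored: str) -> bool:
    """Check a password against a {SSHA} value; the salt is whatever follows the 20-byte digest."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value: " + stored[:8])
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)

def userpassword_from_ldif(line: str) -> str:
    """Return the userPassword value from a slapcat/ldapsearch line.
    'userPassword::' (double colon) means LDIF has base64-encoded the value."""
    name, sep, value = line.partition("::")
    if sep:
        return base64.b64decode(value.strip()).decode("utf-8")
    return line.partition(":")[2].strip()

def password_scheme(value: str) -> str:
    """Report the hash scheme of a userPassword value; 'CLEARTEXT' if there is no {SCHEME} prefix."""
    if value.startswith("{") and "}" in value:
        return value[1:value.index("}")]
    return "CLEARTEXT"

# The admin entry's userPassword line exactly as slapcat printed it on this page.
SLAPCAT_LINE = "userPassword:: e1NTSEF9Tm5OYlpSMktkYjVnUUprb284MHFPTEVkMjQrQXpQWEk="

if __name__ == "__main__":
    stored = userpassword_from_ldif(SLAPCAT_LINE)
    print(stored, password_scheme(stored))   # {SSHA}NnNbZR2Kdb5gQJkoo80qOLEd24+AzPXI SSHA
    h = ssha_hash("correct horse", salt=b"\x01\x02\x03\x04")
    print(ssha_verify("correct horse", h), ssha_verify("wrong", h))  # True False
```

{SSHA} is salted SHA-1; the salt defeats precomputed tables but not brute force, so the bind DN password itself still needs to be long.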

Next, create a bind DN named readonly with the following command:

nano readonly-user.ldif

Add the following lines:

dn: cn=readonly,ou=people,dc=example,dc=com
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: readonly
userPassword: {SSHA}DhjyJN5akaj2etaFKoyeAY8QMgSD/OTb
description: Bind DN user for LDAP Operations

Save and close the file when you are finished, then add the bind user to the database with the following command:

ldapadd -Y EXTERNAL -H ldapi:/// -f readonly-user.ldif

You should get the following output:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=readonly,ou=people,dc=example,dc=com"

Next, verify the Bind DN ACL with the following command:

ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config '(olcDatabase={1}mdb)' olcAccess

You should get the following output:

dn: olcDatabase={1}mdb,cn=config
olcAccess: {0}to attrs=userPassword,shadowLastChange,shadowExpire by self writ
 e by anonymous auth by dn.subtree="gidNumber=0+uidNumber=0,cn=peercred,cn=ext
 ernal,cn=auth" manage  by dn.exact="cn=readonly,ou=people,dc=example,dc=com" 
 read  by * none
olcAccess: {1}to dn.exact="cn=readonly,ou=people,dc=example,dc=com" by dn.subt
 ree="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * non
 e
olcAccess: {2}to dn.subtree="dc=example,dc=com" by dn.subtree="gidNumber=0+uid
 Number=0,cn=peercred,cn=external,cn=auth" manage by users read  by * none
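The olcAccess output above is folded across lines the way LDIF does it, which makes the rules hard to read by eye. As an added example (not part of the original tutorial), this Python unfolds that output, splits each rule into its target and its by-clauses, and checks the two properties the ACL file in the earlier step relies on: every rule ends in "by * none" and the userPassword rule sits before the catch-all subtree rule, since slapd applies the first matching "to" clause. The sample text is a constructed copy of the ldapsearch output shown above.

```python
import re
def unfold_ldif(text: str) -> list:
    """Join LDIF continuation lines (lines that start with one space) onto the line above."""
    out = []
    for raw in text.splitlines():
        if raw.startswith(" ") and out:
            out[-1] += raw[1:]
        else:
            out.append(raw)
    return out

def parse_olc_access(text: str) -> list:
    """Return (index, target, [(who, level), ...]) for every olcAccess value, in order."""
    rules = []
    for line in unfold_ldif(text):
        if not line.startswith("olcAccess:"):
            continue
        m = re.match(r"\{(\d+)\}to\s+(.*)", line.split(":", 1)[1].strip())
        target, *clauses = re.split(r"\s+by\s+", m.group(2).strip())
        rules.append((int(m.group(1)), target, [tuple(c.rsplit(None, 1)) for c in clauses]))
    return rules

def audit_rules(rules) -> list:
    """Findings a reviewer would flag; an empty list means the ACL matches the tutorial's intent."""
    findings = []
    for idx, target, clauses in rules:
        if clauses[-1] != ("*", "none"):
            findings.append(f"rule {idx} ({target}) lacks a final 'by * none'")
        for who, level in clauses:
            if who == "anonymous" and level not in ("none", "auth"):
                findings.append(f"rule {idx} ({target}) grants anonymous {level}")
    # slapd applies the first matching 'to' clause, so the userPassword rule must precede the subtree rule.
    pos = {t.split("=", 1)[0]: i for i, (_, t, _) in enumerate(rules)}
    if "attrs" in pos and "dn.subtree" in pos and pos["attrs"] > pos["dn.subtree"]:
        findings.append("userPassword rule is shadowed by the earlier dn.subtree rule")
    return findings

# Constructed sample: the three olcAccess values as ldapsearch prints them, folded across lines.
ACL_LDIF = "\n".join([
    "dn: olcDatabase={1}mdb,cn=config",
    "olcAccess: {0}to attrs=userPassword,shadowLastChange,shadowExpire by self writ",
    ' e by anonymous auth by dn.subtree="gidNumber=0+uidNumber=0,cn=peercred,cn=ext',
    ' ernal,cn=auth" manage  by dn.exact="cn=readonly,ou=people,dc=example,dc=com" ',
    " read  by * none",
    'olcAccess: {1}to dn.exact="cn=readonly,ou=people,dc=example,dc=com" by dn.subt',
    ' ree="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * non',
    " e",
    'olcAccess: {2}to dn.subtree="dc=example,dc=com" by dn.subtree="gidNumber=0+uid',
    ' Number=0,cn=peercred,cn=external,cn=auth" manage by users read  by * none',
])
```

Running audit_rules(parse_olc_access(ACL_LDIF)) on the tutorial's ACL returns an empty list; feed it the output of the same ldapsearch command on your own server to catch a reordered or loosened rule.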

Install and Configure phpLDAPadmin

The phpLDAPadmin package is available in the default Ubuntu 20.04 repository. You can install it by running the following command:

apt-get install phpldapadmin -y

After installing phpLDAPadmin, you will need to configure phpLDAPadmin and define your domain information. You can do it by editing the file /etc/phpldapadmin/config.php:

nano /etc/phpldapadmin/config.php

Change the following lines:

$servers->setValue('server','name','My LDAP Server');
$servers->setValue('server','host','69.87.216.102');
$servers->setValue('server','base',array('dc=example,dc=com'));
$servers->setValue('login','auth_type','session');
$servers->setValue('login','bind_id','cn=admin,dc=example,dc=com');
$servers->setValue('auto_number','min',array('uidNumber'=>10000,'gidNumber'=>10000));

Save and close the file when you are finished.

Configure Apache for phpLDAPadmin

The phpLDAPadmin configuration file for Apache is located at /etc/apache2/conf-available/phpldapadmin.conf. You can leave it at its default settings.

Next, disable the default Apache virtual host configuration file and restart the Apache service to apply the changes:

a2dissite 000-default.conf
systemctl restart apache2

Once you are finished, you can proceed to the next step.

Access phpLDAPadmin Web UI

Now, open your web browser and access phpLDAPadmin at the URL http://your-server-ip/phpldapadmin. Note that this URL is plain HTTP, so the admin DN and password are sent in cleartext; enable HTTPS on Apache before exposing the interface beyond a test network. You should see the following screen:

[Screenshot: phpLDAPadmin welcome page]

Now, click on the login button. You should see the phpLDAPadmin login screen:

[Screenshot: phpLDAPadmin login page]

Provide your login DN and password and click on the Authenticate button. You should see the phpLDAPadmin dashboard:

[Screenshot: LDAP dashboard]

Conclusion

Congratulations! You have successfully installed and configured phpLDAPadmin on an Ubuntu 20.04 server. You can now manage your LDAP server and perform several tasks, including adding organizational units, groups, and users, through the phpLDAPadmin web UI. Feel free to ask me if you have any questions.
