SLAP – stand-alone LDAP daemon(server)<\/p>\n\n\n\n
Libraries implementing the LDAP protocol<\/p>\n\n\n\n
Utilities, tools, and sample clients.<\/p>\n\n\n\n
Update\/ upgrade the system:<\/strong><\/p>\n\n\n\n First, you need to ensure the upgrade of your cache server. To update and upgrade Ubuntu, you need to log into the server and run the following commands.<\/p>\n\n\n\n once you have upgraded the cache server, then reboot the server if necessary and get ready to install and configure the OpenLDAP. <\/p>\n\n\n\n Installing Open LDAP on Ubuntu20.04.<\/strong><\/p>\n\n\n\n Run the following commands to install open LDAP on Ubuntu20.04.<\/p>\n\n\n\n apt install slapd ldap-utils<\/p>\n\n\n\n During the installation, you will be promoted to set the OpenLDAP administrative password.<\/p>\n\n\n\n Set the password and then press <ok> button.<\/p>\n\n\n\n Confirm the password and continue with the installation and select the <ok> button.<\/p>\n\n\n\n You can confirm the installation was successful by using the commands lapcat to output SLAPD database contents.<\/p>\n\n\n\n Step 2:<\/strong> Adding the base dn for the users and groups.<\/p>\n\n\n\n Next is adding a base DN for users and groups. Create filename <\/p>\n\n\n\n basedn. ldif with below contents.<\/p>\n\n\n\n Replace the example and com<\/strong> according to your domain components.<\/p>\n\n\n\n Now add the file by running the commands.<\/p>\n\n\n\n Step 3: Adding the user accounts and the groups.<\/p>\n\n\n\n Enter the password for the user account and confirm it.<\/p>\n\n\n\n Create Idif file for adding users.<\/p>\n\n\n\n Replace Skynats technologies with the username to add.<\/p>\n\n\n\n dc=example,dc=com with your correct domain.<\/p>\n\n\n\n cs and the sn with the username values.<\/p>\n\n\n\n {SSHA}Zn4\/E5f+Ork7WZF\/alrpMuHHGufc3xOK with your hashed password.<\/p>\n\n\n\n Once you are done with editing, add the account by running.<\/p>\n\n\n\n Do the same for the group. Create Idif file.<\/p>\n\n\n\n Add group:<\/strong><\/p>\n\n\n\n You can combine the two file into a single file.<\/p>\n\n\n\n Step 4 : Install LDAP account manager.<\/strong><\/p>\n\n\n\n I recommend using the LDAP account manager because the phpLDAPadmin doesn’t work well with PHP 7.2+.so follow the instructions to install and configure LDAP account manager.<\/p>\n\n\n\n Install and configure the LDAP account manager on Ubuntu.<\/strong><\/p>\n\n\n\n Step 1: <\/strong>Install the OpenLDAP server.<\/p>\n\n\n\n First, you have to install and run the LDAP server.<\/p>\n\n\n\n Step 2: <\/strong>Install Apache Webserver & PHP.<\/p>\n\n\n\n You can install the PHP and Apache server by running the commands below. <\/p>\n\n\n\n sudo apt -y install apache2 php php-cgi libapache2-mod-php php-mbstring php-common php-pear<\/p>\n\n\n\n Enable the php-Cgi PHP extensions.<\/p>\n\n\n\n Ubuntu 20.04<\/strong><\/p>\n\n\n\n Step 5: Configure LDAP Client on Ubuntu 20.04.<\/strong><\/p>\n\n\n\n If you don’t have an active DNS server in the network try to add the LDAP server address to the \/etc\/hosts file. <\/p>\n\n\n\n $ sudo vim \/etc\/hosts<\/p>\n\n\n\n 192.168.18.50 ldap.example.com<\/p>\n\n\n\n Install LDAP Client on your ubuntu system:<\/strong><\/p>\n\n\n\n sudo apt -y install libnss-ldap libpam-ldap ldap-utils<\/p>\n\n\n\n Steps to configuring the settings below.<\/p>\n\n\n\n 2. Next is the distinguished name of the search base.<\/p>\n\n\n\n 3. Then, select the LDAP versions 3.<\/p>\n\n\n\n 4. Click <yes> button to Make local root Database admin.<\/p>\n\n\n\n 5. Later, choose <No> for Does the LDAP database requires login.<\/p>\n\n\n\n 6. Set LDAP account for root, something like cn=admin,cd=example,cn=com<\/p>\n\n\n\n 7. Provide the LDAP ROOT account password.<\/p>\n\n\n\n Once you are done with the installation, edit \/etc\/nsswitch.conf and add ldap authentication.<\/p>\n\n\n\n passwd: compat systemd ldap<\/p>\n\n\n\n group: compat systemd ldap<\/p>\n\n\n\n shadow: compat<\/p>\n\n\n\n Try to create the home directory on the first login by adding the following line to the file \/etc\/pam.d\/common-session<\/p>\n\n\n\n session optional pam_mkhomedir.so skel=\/etc\/skel umask=077<\/p>\n\n\n\n That’s all before that test the LDAP by switching it into the user account.<\/p>\n\n\n\n root@server1:~# su – jmutai<\/strong><\/p>\n\n\n\n Creating directory ‘\/home\/jmutai’.<\/p>\n\n\n\n jmutai@server1:~$ id<\/strong><\/p>\n\n\n\n uid=10000(jmutai) gid=10000(sysadmins) groups=10000(sysadmins)<\/p>\n\n\n\n Securing LDAP server with SSL\/TLS on ubuntu.<\/strong><\/p>\n\n\n\n The following guideline will help in explaining the use of self-signed certificates. <\/p>\n\n\n\n Step 1: generate self-signed SSL.<\/p>\n\n\n\n First, login into the LDAP server and generate the SSL certificate.<\/p>\n\n\n\n Remove the passphrase from the generating RSA private key.<\/strong><\/p>\n\n\n\n # openssl rsa -in ldap_server.key -out ldap_server.key<\/strong><\/p>\n\n\n\n Enter pass phrase for ldap_server.key: <Enter passphrase><\/strong><\/p>\n\n\n\n writing RSA key<\/p>\n\n\n\n Generate Csr<\/strong>.<\/p>\n\n\n\n # openssl req -new -days 3650 -key ldap_server.key -out ldap_server.csr <\/strong><\/p>\n\n\n\n You are about to be asked to enter information that will be incorporated<\/p>\n\n\n\n into your certificate request.<\/p>\n\n\n\n What you are about to enter is what is called a Distinguished Name or a DN.<\/p>\n\n\n\n There are quite a few fields but you can leave some blank<\/p>\n\n\n\n For some fields there will be a default value,<\/p>\n\n\n\n If you enter ‘.’, the field will be left blank.<\/p>\n\n\n\n Then sign in to your certificate<\/strong>.<\/p>\n\n\n\n # openssl x509 -in ldap_server.csr -out ldap_server.crt -req -signkey ldap_server.key -days 3650<\/p>\n\n\n\n Signature ok<\/p>\n\n\n\n Getting Private key<\/p>\n\n\n\n Step 2: Configure SSL on the LDAP server.<\/strong><\/p>\n\n\n\n Copy certificates and a key to \/etc\/ldap\/sasl2\/ directory.<\/p>\n\n\n\n sudo cp \/etc\/ssl\/private\/{ldap_server.key,ldap_server.crt} \/etc\/ssl\/certs\/ca-certificates.crt \/etc\/ldap\/sasl2\/<\/p>\n\n\n\n Set the ownership certificate to OpenLDAP user.<\/p>\n\n\n\n Creating LDAP configuration file for SSL.<\/p>\n\n\n\n Use the following commands to apply the configuration.<\/p>\n\n\n\napt update \napt upgrade \n<\/code><\/pre>\n\n\n\n![\"\"](\"https:\/\/www.skynats.com\/blog\/wp-content\/uploads\/2021\/01\/image-53.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/www.skynats.com\/blog\/wp-content\/uploads\/2021\/01\/image-54.png\")
<\/figure>\n\n\n\n# slapcat\ndn: dc=example,dc=com\nobjectClass: top\nobjectClass: dcObject\nobjectClass: organization\no: example.com\ndc: example\nstructuralObjectClass: organization\nentryUUID: e33fc814-e5b9-1038-8243-39a2e6b74e62\ncreatorsName: cn=admin,dc=example,dc=com\ncreateTimestamp: 20190328152831Z\nentryCSN: 20190328152831.511390Z#000000#000#000000\nmodifiersName: cn=admin,dc=example,dc=com\nmodifyTimestamp: 20190328152831Z\n<\/code><\/pre>\n\n\n\ndn: cn=admin,dc=example,dc=com\nobjectClass: simpleSecurityObject\nobjectClass: organizationalRole\ncn: admin\ndescription: LDAP administrator\nuserPassword:: e1NTSEF9WDIzUEJxbXgycUU3M1dRUmppTVYrZE91U0RNMWswSHE=\nstructuralObjectClass: organizationalRole\nentryUUID: e340fedc-e5b9-1038-8244-39a2e6b74e62\ncreatorsName: cn=admin,dc=example,dc=com\ncreateTimestamp: 20190328152831Z\nentryCSN: 20190328152831.519463Z#000000#000#000000\nmodifiersName: cn=admin,dc=example,dc=com\nmodifyTimestamp: 20190328152831Z\n<\/code><\/pre>\n\n\n\n$ vim basedn.ldif\ndn: ou=people,dc=example,dc=com\nobjectClass: organizationalUnit\nou: people\n\ndn: ou=groups,dc=example,dc=com\nobjectClass: organizationalUnit\nou: groups\n\n<\/code><\/pre>\n\n\n\n$ ldapadd -x -D cn=admin,dc=example,dc=com -W -f basedn.ldif\nEnter LDAP Password:\nadding new entry \"ou=people,dc=example,dc=com\"\nadding new entry \"ou=groups,dc=example,dc=com\"\n<\/code><\/pre>\n\n\n\n$ slappasswd\nNew password: \nRe-enter new password: \n{SSHA}Zn4\/E5f+Ork7WZF\/alrpMuHHGufC3x0k\n<\/code><\/pre>\n\n\n\n$ vim ldapusers.ldif\ndn: uid=Skynats technologies,ou=people,dc=example,dc=com\nobjectClass: inetOrgPerson\nobjectClass: posixAccount\nobjectClass: shadowAccount\ncn: Skynats technologies\n<\/code><\/pre>\n\n\n\nsn: Wiz\nuserPassword: {SSHA}Zn4\/E5f+Ork7WZF\/alrpMuHHGufC3x0k\nloginShell: \/bin\/bash\nuidNumber: 2000\ngidNumber: 2000\nhomeDirectory: \/home\/Skynats technologies\n<\/code><\/pre>\n\n\n\n$ ldapadd -x -D cn=admin,dc=example,dc=com -W -f ldapusers.ldif \nEnter LDAP Password: \nadding new entry \"uid=Skynats technologies,ou=people,dc=example,dc=com\"\n<\/code><\/pre>\n\n\n\n$ vim ldapgroups.ldif\ndn: cn=Skynats technologies,ou=groups,dc=example,dc=com\nobjectClass: posixGroup\ncn: Skynats technologies\ngidNumber: 2000\nmemberUid: \n<\/code><\/pre>\n\n\n\n$ ldapadd -x -D cn=admin,dc=example,dc=com -W -f ldapgroups.ldif\nEnter LDAP Password: \n adding new entry \"cn=Skynats technologies,ou=groups,dc=example,dc=com\"\n<\/code><\/pre>\n\n\n\nsudo a2enconf php7.4-cgi\nsudo systemctl reload apache2<\/code><\/pre>\n\n\n\n![\"\"](\"https:\/\/www.skynats.com\/blog\/wp-content\/uploads\/2021\/01\/image-55.png\")
<\/figure>\n\n\n\n\n\n![\"\"](\"https:\/\/www.skynats.com\/blog\/wp-content\/uploads\/2021\/01\/image-56.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/www.skynats.com\/blog\/wp-content\/uploads\/2021\/01\/image-57.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/www.skynats.com\/blog\/wp-content\/uploads\/2021\/01\/image-58.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/www.skynats.com\/blog\/wp-content\/uploads\/2021\/01\/image-59.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/www.skynats.com\/blog\/wp-content\/uploads\/2021\/01\/image-60.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/www.skynats.com\/blog\/wp-content\/uploads\/2021\/01\/image-61.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/www.skynats.com\/blog\/wp-content\/uploads\/2021\/01\/image-62.png\")
<\/figure>\n\n\n\n# cd \/etc\/ssl\/private \n# openssl genrsa -aes128 -out ldap_server.key 4096 \n\nGenerating RSA private key, 4096 bit long modulus\n \u2026\u2026\u2026\u2026\u2026\u2026\u2026\u2026\u2026\u2026\u2026\u2026\u2026\u2026\u2026\u2026\u2026\u2026\u2026\u2026\u2026\u2026\u2026\u2026\u2026\u2026\u2026\u2026\u2026\u2026\u2026..++\n \u2026\u2026\u2026\u2026\u2026\u2026\u2026\u2026\u2026\u2026\u2026\u2026\u2026.++\n e is 65537 (0x010001)\n Enter pass phrase for ldap_server.key: <Set passphrase>\n Verifying - Enter pass phrase for ldap_server.key: <Confirm passphrase>\n<\/code><\/pre>\n\n\n\nCountry Name (2 letter code) [AU]:KE\nState or Province Name (full name) [Some-State]:Nairobi\nLocality Name (eg, city) []:Nairobi\nOrganization Name (eg, company) [Internet Widgits Pty Ltd]:skynatstechnologies\nOrganizational Unit Name (eg, section) []:skynatstechnologies\nCommon Name (e.g. server FQDN or YOUR name) []:ldap.example.com\nEmail Address []:admin@example.com\nPlease enter the following 'extra' attributes\nto be sent with your certificate request\nA challenge password []: \nAn optional company name []:\n\n<\/code><\/pre>\n\n\n\nsubject=C = KE, ST = Nairobi, L = Nairobi, O = skynatstechnologies, OU = skynatstechnologies, CN = ldap.example.com, emailAddress = admin@example.com<\/code><\/pre>\n\n\n\nsudo chown -R openldap. \/etc\/ldap\/sasl2<\/code><\/pre>\n\n\n\n# vim ldap_ssl.ldif\ndn: cn=config\nchangetype: modify\nadd: olcTLSCACertificateFile\nolcTLSCACertificateFile: \/etc\/ldap\/sasl2\/ca-certificates.crt\nreplace: olcTLSCertificateFile\nolcTLSCertificateFile: \/etc\/ldap\/sasl2\/ldap_server.crt\nreplace: olcTLSCertificateKeyFile\nolcTLSCertificateKeyFile: \/etc\/ldap\/sasl2\/ldap_server.key\n<\/code><\/pre>\n\n\n\n# ldapmodify -Y EXTERNAL -H ldapi:\/\/\/ -f ldap_ssl.ldif \nSASL\/EXTERNAL authentication started SASL\nusername: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\nmodifying entry \"cn=config\"\n<\/code><\/pre>\n\n\n\n