OpenLDAP installation on Ubuntu Server 20.04 LTS
This post details the installation of OpenLDAP to manage users and authentication.
First configuration
Ref: https://doc.ubuntu-fr.org/slapd (in French)
OpenLDAP is installed using the package slapd:

```
sudo apt install slapd
sudo dpkg-reconfigure slapd
```

where the answers have to be:
- Omit OpenLDAP server configuration? No
- DNS domain name: mydomain.org
- Organization name: FunOrg
- Create database? Yes
- Administrator password: ***
- Do you want the database to be removed when slapd is purged? Yes
- Remove old database? Yes
In addition, the command slappasswd can be used to generate a hashed administrator password. The file /etc/ldap/ldap.conf is then edited to contain the following lines:

```
BASE      dc=mydomain,dc=org
URI       ldap://localhost:389
SIZELIMIT 0
TIMELIMIT 0
DEREF     never
```
At this stage, OpenLDAP is operational and can be started with:
systemctl start slapd.service
Creating groups and users
Ref: https://guide.ubuntu-fr.org/server/openldap-server.html (in French)
First, ldap-utils is installed:

sudo apt install ldap-utils

It can then be used to load a new LDIF file that contains the structure of users and groups (hereafter named init_ldap.ldiff):

```
dn: ou=Someone,dc=mydomain,dc=org
objectClass: organizationalUnit
ou: Someone

dn: ou=AGroup,dc=mydomain,dc=org
objectClass: organizationalUnit
ou: AGroup

dn: cn=tuxette,ou=AGroup,dc=mydomain,dc=org
objectClass: posixGroup
cn: tuxette
gidNumber: 10000

dn: uid=tuxette,ou=Someone,dc=mydomain,dc=org
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: tuxette
sn: Chix
givenName: Tuxette
cn: Tuxette Chix
displayName: Tuxette Chix
uidNumber: 1000
gidNumber: 10000
gecos: Tuxette Chix
loginShell: /bin/bash
homeDirectory: /home/tuxette
shadowExpire: -1
shadowFlag: 0
shadowWarning: 7
shadowMin: 8
shadowMax: 999999
shadowLastChange: 10877
mail: tuxette@mydomain.org
postalCode: 31000
l: Toulouse
mobile: +33 (0)X XX XX XX XX
homePhone: +33 (0)X XX XX XX XX
title: System Administrator
postalAddress: A street in Toulouse
initials: TC
```
This file declares an organizational unit AGroup that holds the groups and an organizational unit Someone that holds the users. Then a first group tuxette and a first user tuxette are declared. The LDAP database is updated with:

sudo ldapadd -x -D cn=admin,dc=mydomain,dc=org -W -f init_ldap.ldiff
Authentication with LDAP
Ref: https://doc.ubuntu-fr.org/utilisateurs/fr.laugier/ldap_client (in French) and https://computingforgeeks.com/how-to-configure-ubuntu-18-04-ubuntu-16-04-lts-as-ldap-client/
The following packages are first installed:

sudo apt install libnss-ldap libpam-ldap

with the following answers:
- LDAP URI: ldap://localhost:389
- Distinguished name of the search base: dc=mydomain,dc=org
- LDAP version to use: 3
- Make local root Database admin: Yes
- Does the LDAP database require login? No
- LDAP account for root: cn=admin,dc=mydomain,dc=org + password
The following step requires editing /etc/nsswitch.conf, where ldap is added to the passwd and group lines.
Then, PAM is configured by editing /etc/pam.d/common-password, where use_authtok is removed from line 26, which becomes:

password [success=1 user_unknown=ignore default=die] pam_ldap.so try_first_pass

and by editing /etc/pam.d/common-session, where the following line is added:

session optional pam_mkhomedir.so skel=/etc/skel umask=077

to allow the automatic creation of the home directory at first connection.
Proper functioning can be tested with:

sudo su tuxette

which should create the home directory /home/tuxette and change the current user to tuxette.
LDAP password management
Ref: https://guide.ubuntu-fr.org/server/openldap-server.html#openldap-auth-config
LDAP user passwords can be managed by installing ldapscripts (which is also convenient for adding and removing users and, more generally, for managing the LDAP database):

sudo apt install ldapscripts
It is configured by editing the file /etc/ldapscripts/ldapscripts.conf so as to obtain:

```
SERVER=localhost
BINDDN='cn=admin,dc=mydomain,dc=org'
BINDPWDFILE="/etc/ldapscripts/ldapscripts.passwd"
SUFFIX='dc=mydomain,dc=org'
GSUFFIX='ou=AGroups'
USUFFIX='ou=Someone'
GIDSTART=10000
UIDSTART=1000
```
To let the ldapscripts commands bind as the admin user without prompting for its password, store the password with:

sudo sh -c "echo -n '***' > /etc/ldapscripts/ldapscripts.passwd"

where *** is the admin password. This file needs to be protected with:

sudo chmod 400 /etc/ldapscripts/ldapscripts.passwd

Then, the command

ldapsetpasswd tuxette

can be used to set tuxette's password. It can be tested with an external SSH connection (if password login is allowed).
Manage LDAP sudoers
To add a user to the sudoers group, first create the corresponding group (named admin) in LDAP and add tuxette to the admin group:

```
ldapaddgroup admin
ldapaddusertogroup tuxette admin
```

This should give tuxette the right to use sudo.
Install phpldapadmin
A web user interface is provided to manage the LDAP database. It is easily installed with:

sudo apt install phpldapadmin

and can be accessed at http://mydomain.org/phpldapadmin right after the installation. A virtual host can be created after commenting out the redirection in /etc/apache2/conf-available/phpldapadmin.conf. The configuration file is located at /usr/share/phpldapadmin/config.php, where the following lines need to be edited:

```
$servers->setValue('server','name','LDAP on myserver');
$servers->setValue('server','base', array('dc=mydomain,dc=org'));
$servers->setValue('login','bind_id','cn=admin,dc=mydomain,dc=org');
```

so that a login is required to access your LDAP server information.
Activating memberOf overlay
Refs: http://www.schenkels.nl/2013/03/how-to-setup-openldap-with-memberof-overlay-ubuntu-12-04/, https://blog.debugo.fr/openldap-overlays/, https://www.openldap.org/doc/admin24/overlays.html and https://www.adimian.com/blog/2014/10/how-to-enable-memberof-using-openldap/.
To give access to certain features (typically, access to some PHP services like Nextcloud), you need another kind of group management besides posixGroup. This group management is provided by an overlay (additional module) called **memberOf**. To activate and configure it, you need to edit the config part of the database (which cannot be handled with phpldapadmin). First create two files: one called activation_memberof.ldif that contains

```
dn: cn=module,cn=config
cn: module
objectclass: olcModuleList
objectclass: top
olcmoduleload: memberof.la
olcmodulepath: /usr/lib/ldap
```

and the other called configuration_memberof.ldif that contains

```
dn: olcOverlay=memberof,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
olcOverlay: memberof
olcMemberOfDangling: ignore
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf
```

The module is then activated and configured using the command lines (the SASL EXTERNAL bind over ldapi:/// must run as root to modify cn=config):

```
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f activation_memberof.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f configuration_memberof.ldif
```
At this step, **memberOf** is operational and lets you create groups of type groupOfNames (the object class the overlay is configured to track). These groups have a mandatory member attribute that lists the users belonging to the group, so such a group cannot be empty. For instance, to create a group called myappuser (intended to grant access to the service provided by myapp to certain users, the members of this group), you first create a file myappuser_creation.ldif that contains

```
dn: cn=myappuser,ou=AGroups,dc=mydomain,dc=org
objectClass: groupOfNames
cn: myappuser
member: uid=tuxette,ou=Someone,dc=mydomain,dc=org
```

which you import using the phpldapadmin menu or with the command line:

ldapadd -x -D cn=admin,dc=mydomain,dc=org -W -f myappuser_creation.ldif
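Both init_ldap.ldiff (in "Creating groups and users") and the groupOfNames file above are loaded with ldapadd, which only reports a missing mandatory attribute at import time. The Python below is an added example, not from the original post: it parses LDIF and checks the constraints these two files rely on, namely the mandatory attributes of posixGroup, posixAccount and groupOfNames (so an empty groupOfNames is flagged) and that each posixAccount's gidNumber matches a posixGroup in the same file. SAMPLE is constructed from the page's entries with the member line deliberately left out.

```python
from collections import defaultdict

# Attributes each objectClass must carry (only the classes used on this page)
REQUIRED = {"posixGroup": {"cn", "gidNumber"}, "groupOfNames": {"cn", "member"},
            "posixAccount": {"uid", "uidNumber", "gidNumber", "homeDirectory"}}
# Constructed sample: the page's group layout plus one deliberate mistake, an empty groupOfNames
SAMPLE = """dn: cn=tuxette,ou=AGroup,dc=mydomain,dc=org
objectClass: posixGroup
cn: tuxette
gidNumber: 10000

dn: cn=myappuser,ou=AGroup,dc=mydomain,dc=org
objectClass: groupOfNames
cn: myappuser
"""

def parse_ldif(text):
    """Parse LDIF into [(dn, {attr: [values]})], skipping '#' comments and unfolding lines."""
    entries, attrs, last = [], None, None
    for line in text.splitlines() + [""]:          # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if attrs is not None:
                entries.append((attrs["dn"][0], dict(attrs)))
            attrs = None
            continue
        if line.startswith(" ") and attrs is not None:   # folded continuation line
            attrs[last][-1] += line[1:]
            continue
        last, _, value = line.partition(":")
        attrs = attrs if attrs is not None else defaultdict(list)
        attrs[last].append(value.strip())
    return entries

def check_entries(entries):
    """Report missing required attributes and posixAccounts whose gidNumber has no posixGroup."""
    problems, gids = [], set()
    for _, a in entries:
        if "posixGroup" in a.get("objectClass", []):
            gids.update(a.get("gidNumber", []))
    for dn, a in entries:
        classes = a.get("objectClass", [])
        for oc in classes:
            missing = REQUIRED.get(oc, set()) - set(a)
            if missing:
                problems.append(f"{dn}: {oc} is missing {sorted(missing)}")
        if "posixAccount" in classes and not set(a.get("gidNumber", [])) & gids:
            problems.append(f"{dn}: gidNumber matches no posixGroup in this file")
    return problems
```

An empty result means no problems were found; running the check on a file before ldapadd saves a failed import against the live directory.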
Personal note about an unresolved issue: the default settings of ldapscripts (with the commands ldapadduser and ldapaddgroup) do not allow directly creating this type of group (or even creating a user with inetOrgPerson), even if the configuration file /etc/ldapscripts/ldapscripts.conf is modified to include:

GCLASS="groupOfNames"

(this modification leads to a consistency error, stating a relation between posixGroup and memberOf). Templates for these commands are included in /usr/share/doc/ldapscripts/examples and can potentially be modified to solve this issue, but this is still to be fixed for me.