Performed on Ubuntu 14.04 LTS
~$ sudo apt-get update && sudo apt-get install slapd ldap-utils -y
It should ask you to set up an administrator password.
By default OpenLDAP does not ask you for any configuration settings when installing. You must do this afterwards, which means it may not be fully functional directly after installation.
~$ sudo dpkg-reconfigure slapd
- Omit OpenLDAP server configuration? No
- DNS domain name? domain.com
- Organization name? domain
- Administrator password? set up a password
- Database backend? HDB
- Remove the database when slapd is purged? No
- Move old database? Yes
- Allow LDAPv2 protocol? No
Very useful web interface for administration
~$ sudo apt-get update && sudo apt-get install phpldapadmin -y
Modifying setup of phpLDAPadmin
By default phpLDAPadmin creates a conf configuration file under /etc/apache2/conf-available and enables it with some mod-rewrite magic so that when someone goes to domain.com/phpldapadmin it pulls the page from this conf's document root. While this probably works for most, tweaking this to restrict access can be complicated, so I'd rather have it run on a non-standard port which I can use iptables to restrict access to.
~$ sudo a2disconf phpldapadmin.conf
create new site conf
Instead of a conf under ~/conf-enabled I personally prefer virtual hosts to be placed under ~/sites-available.
Create a new .conf such as ldap.domain.com.conf. In this example I'm setting it as a subdomain and making apache listen on port 8080 for this virtualhost.
~$ sudo vi /etc/apache2/sites-available/ldap.domain.com.conf
<VirtualHost *:8080>
    ServerName ldap.domain.com
    ServerAdmin [email protected]
    DocumentRoot /usr/share/phpldapadmin
    ErrorLog /var/log/apache2/ldap.domain.com-error.log
    CustomLog /var/log/apache2/ldap.domain.com-access.log common
</VirtualHost>
- Now use iptables to restrict access to port 8080 to only the ip addresses you'll use to manage it.
- Make sure apache is listening on the non-standard port
- enable the new apache site
- restart apache (or reload)
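The four steps above as one added script (not from the original post): it assumes the vhost name and port 8080 from the example above, uses constructed RFC 5737 sample addresses for the management hosts, and only echoes the commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the original post: lock the phpLDAPadmin vhost on
# port 8080 down to a few management addresses, make Apache listen on that
# port, enable the site, and reload. Everything is echoed unless APPLY=1.
# ADMIN_IPS holds constructed sample addresses (RFC 5737 documentation ranges).

PLA_PORT="${PLA_PORT:-8080}"
ADMIN_IPS="${ADMIN_IPS:-203.0.113.10 198.51.100.0/24}"
SITE="ldap.domain.com.conf"
PORTS_CONF="/etc/apache2/ports.conf"

# Run a command for real only when APPLY=1; otherwise show what would run.
run() {
  if [ "${APPLY:-0}" = "1" ]; then "$@"; else echo "$*"; fi
}

# One ACCEPT per management source, then a DROP for everyone else.
# Rules are appended, so an earlier ACCEPT for the port would still win: check `iptables -S INPUT`.
fw_rules() {
  port="$1"; shift
  for src in "$@"; do
    echo "iptables -A INPUT -p tcp --dport $port -s $src -j ACCEPT"
  done
  echo "iptables -A INPUT -p tcp --dport $port -j DROP"
}

# Print the Listen directive to add, or nothing if ports.conf already has it.
listen_line() {
  conf="$1"; port="$2"
  if [ -r "$conf" ] && grep -qE "^Listen[[:space:]]+$port\$" "$conf"; then
    return 0
  fi
  echo "Listen $port"
}

main() {
  fw_rules "$PLA_PORT" $ADMIN_IPS | while IFS= read -r rule; do
    run $rule
  done
  line="$(listen_line "$PORTS_CONF" "$PLA_PORT")"
  if [ -n "$line" ]; then
    run sh -c "echo '$line' >> '$PORTS_CONF'"
  fi
  run a2ensite "$SITE"
  run apachectl configtest        # catch a broken vhost before reloading
  run service apache2 reload
}
main
```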
Adjust the following lines
~$ sudo vi /etc/phpldapadmin/config.php
$servers->setValue('server','name','ldap.domain.com');
$servers->setValue('server','host','ldap.domain.com');
$servers->setValue('server','base',array('dc=domain,dc=com'));
$servers->setValue('login','bind_id','cn=admin,dc=domain,dc=com');
Uncomment the following line to suppress the annoying warning messages about template files; they have no impact on functionality.
~$ sudo vi /etc/phpldapadmin/config.php
search for hide_template_warning
$config->custom->appearance['hide_template_warning'] = true;
If you get an error:
Error trying to get a non-existent value (appearance, password_hash)
you can fix it by modifying line 2469 in /usr/share/phpldapadmin/lib/TemplateRender.php so that it reads:
$default = $this->getServer()->getValue('appearance','password_hash_custom');
Originally I tried to set the Server base and Login Bind IDs to dc=ldap,dc=domain,dc=com. Unfortunately the admin account was already created and was listed as dc=domain,dc=com, so when I logged in without dc=ldap (wouldn't authenticate without it), I got a nice error about "This base cannot be created with PLA" in phpLDAPadmin and it refused to show me the LDAP tree. Changed the config.php file and removed both instances of dc=ldap and I could authenticate successfully with everything showing as it should.
Did not bother to look into how to change the admin account; no one will ever really see this as it's just supplementing applications which can work with OpenLDAP on the local host.
To set up authentication on LDAP so you can use it for other applications, do the following:
~$ sudo apt-get update && sudo apt-get install -y libpam-ldap nscd