Feature #162

Installing OpenLDAP with phpLDAPAdmin on Debian

Added by Daniel Curtis over 10 years ago. Updated about 9 years ago.

Status: Closed
Priority: Normal
Assignee:
Category: Domain Controller
Target version: -
Start date: 08/08/2013
Due date:
% Done: 100%
Estimated time: 2.00 h
Spent time:

Description

The need to store, access, and modify directory information such as user information, corporate contacts, and/or asset management is necessary for centralized scalable information storage. LDAP is an application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network. OpenLDAP will be used as the server, and phpLDAPAdmin will be the interface to add, remove, and modify entries to the LDAP server.

Make sure the host has a Fully Qualified Domain Name

hostname --fqdn

OpenLDAP will automatically configure itself to the domain name of the host it is installed on.

Install OpenLDAP and utilities

sudo apt-get install slapd ldap-utils
  • Enter LDAP admin password: password

To reconfigure the OpenLDAP server for some reason, such as to reassign the domain name the server is registered to:

dpkg-reconfigure slapd

Configure OpenLDAP for unencrypted connections from localhost

vi /etc/ldap/ldap.conf

#LDAP Defaults
#See ldap.conf(5) for details
#This file should be world readable but not world writable.

BASE dc=example,dc=com
URI ldap://127.0.0.1
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never

And restart the ldap service:

sudo service slapd restart

Install and Configure phpLDAPAdmin

sudo apt-get install phpldapadmin

Configure phpLDAPAdmin

vi /etc/phpldapadmin/config.php

$servers = new Datastore();
$servers->newServer('ldap_pla');
$servers->setValue('server','name','My LDAP Server');
$servers->setValue('server','host','192.168.0.2');
$servers->setValue('server','port',389);
$servers->setValue('server','base',array('dc=example,dc=com'));
$servers->setValue('login','bind_id','cn=admin,dc=example,dc=com');

Enable phpLDAPAdmin on Apache

ln -s /etc/phpldapadmin/apache.conf /etc/apache2/sites-enabled/phpldapadmin

(Optional) Add Server Configuration Administrator Access

The file /etc/ldap/slapd.d/cn=config/olcDatabase={0}config.ldif is usually generated during the installation and contains the initial settings. The configuration itself is stored in the LDAP database, so modifying this LDIF and restarting slapd does NOT change anything! By default, only the unix account root is able to read and write cn=config. In /etc/ldap/slapd.d/cn=config/olcDatabase={0}config.ldif you will find:

olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break

This indicates that the unix user with group and user id 0 (i.e. root) is able to access cn=config. As root you will receive all config values by typing:

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config"

Generate a password for your new user cn=admin,cn=config:

slappasswd -h {SSHA}
  • Enter the password twice and note the hash value

Create a temporary ldif e.g. add_adminconfig.ldif with the following content:

vi add_adminconfig.ldif

# Usually olcRootDN cn=admin,cn=config is already set by a fresh slapd install;
# uncomment this record only if it is missing.
#dn: olcDatabase={0}config,cn=config
#changetype: modify
#add: olcRootDN
#olcRootDN: cn=admin,cn=config

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}theHashValueGeneratedBefore==

# Uncomment this record if you want to remove unix root's permission
# to access cn=config. The fallback to unix root is useful if
# cn=admin,cn=config does not work (e.g. the password was lost).
#dn: olcDatabase={0}config,cn=config
#changetype: modify
#delete: olcAccess

Now let's add this temporary ldif to the slapd config:

ldapadd -Y EXTERNAL -H ldapi:/// -f add_adminconfig.ldif

You should now find the hash value for your password in the output of:

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config"
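Added example, not part of the original issue: the {SSHA} value that slappasswd -h {SSHA} produces is base64(SHA-1(password + salt) + salt), so the hash you put into olcRootPW (or read back from the ldapsearch output above) can be verified against the intended password before you rely on it as the only way into cn=config. The sample ldapsearch output below is constructed, and the function names are this example's own.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Same scheme as `slappasswd -h {SSHA}`: base64(SHA-1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)  # slappasswd also uses a 4-byte random salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(password: str, stored: str) -> bool:
    """Check a password against an {SSHA} value, e.g. an olcRootPW attribute."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes; the rest is the salt
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)

def olcrootpw_matches(ldif_text: str, password: str) -> bool:
    """Find olcRootPW in LDIF/ldapsearch output (folded lines and '::' base64 handled) and verify it."""
    unfolded = []
    for line in ldif_text.splitlines():
        if line.startswith(" ") and unfolded:  # LDIF continuation line
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    for line in unfolded:
        if not line.startswith("olcRootPW:"):
            continue
        value = line[len("olcRootPW:"):]
        if value.startswith(":"):  # "olcRootPW:: <base64>" as ldapsearch prints password attributes
            value = base64.b64decode(value[1:].strip()).decode("ascii")
        return ssha_verify(password, value.strip())
    return False

# Constructed sample (not real server output) shaped like `ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config`.
SAMPLE_PASSWORD = "s3cret-config"
SAMPLE_LDAPSEARCH = (
    "dn: olcDatabase={0}config,cn=config\n"
    "olcDatabase: {0}config\n"
    "olcRootDN: cn=admin,cn=config\n"
    "olcRootPW:: " + base64.b64encode(ssha_hash(SAMPLE_PASSWORD, b"\x01\x02\x03\x04").encode()).decode() + "\n"
)

def check_sample_output() -> bool:
    """True when the sample olcRootPW verifies with the right password and rejects a wrong one."""
    return olcrootpw_matches(SAMPLE_LDAPSEARCH, SAMPLE_PASSWORD) and not olcrootpw_matches(SAMPLE_LDAPSEARCH, "wrong")

if __name__ == "__main__":
    print(ssha_hash("example"))  # a value suitable for olcRootPW in add_adminconfig.ldif
    print("sample verifies:", check_sample_output())
```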

The autodetection of cn=config does not work flawlessly (this seems to be a security feature), so we need to add the base DN explicitly in /etc/phpldapadmin/config.php:

vi /etc/phpldapadmin/config.php

/* Array of base DNs of your LDAP server. Leave this blank to have phpLDAPadmin auto-detect it for you. */
$servers->setValue('server','base',array('cn=config','dc=example,dc=com'));

Now you can log in to phpLDAPAdmin as cn=admin,cn=config with the new password set in the steps above. The usual administrative LDAP account cn=admin,dc=example,dc=com is not able to see cn=config.


Related issues

Related to GNU/Linux Administration - Feature #164: Centralized User Authentication and Information Using OpenLDAP and Kerberos on Debian (Closed, Daniel Curtis, 08/09/2013)
Related to GNU/Linux Administration - Feature #163: Installing Kerberos 5 on Debian (Closed, Daniel Curtis, 08/08/2013)
Related to GNU/Linux Administration - Feature #165: Adding Existing Unix Users To LDAP Directory From Local Unix Password File (Closed, Daniel Curtis, 08/12/2013)
Related to GNU/Linux Administration - Support #166: Backing Up LDAP Directory With Rsnapshot (Closed, Daniel Curtis, 08/12/2013)