Feature #162

Updated by Daniel Curtis over 10 years ago

A central, scalable store for directory data such as user accounts, corporate contacts and asset records is needed. LDAP (Lightweight Directory Access Protocol) is an application protocol for accessing and maintaining distributed directory information services over an IP network. OpenLDAP will be used as the server, and phpLDAPAdmin as the web interface for adding, removing and modifying entries on it.

 h2. Make sure the host has a Fully Qualified Domain Name 

 <pre> 
 hostname --fqdn 
 </pre> 
 The Debian/Ubuntu @slapd@ package derives the directory's base DN from the host's domain name at install time (a host in @example.com@ gets @dc=example,dc=com@), so make sure the FQDN is right before installing. 

 h2. Install OpenLDAP and utilities 

 <pre> 
 sudo apt-get install slapd ldap-utils 
 </pre> 

 * Enter LDAP admin password: _password_ 
 To reconfigure the OpenLDAP server for some reason, such as to reassign the domain name the server is registered to: 
 <pre> 
 dpkg-reconfigure slapd 
 </pre> 

 h2. Point the client utilities at the local server (unencrypted, localhost only) 

 <pre> 
 vi /etc/ldap/ldap.conf 
 </pre> 
 > #LDAP Defaults 
 > #See ldap.conf(5) for details 
 > #This file should be world readable but not world writable. 
 >  
 > BASE dc=example,dc=com 
 > URI ldap://127.0.0.1 
 > #SIZELIMIT 12 
 > #TIMELIMIT 15 
 > #DEREF never 
 This file only sets defaults for the client tools (@ldapsearch@, @ldapadd@, @ldapmodify@ ...); it does not control what slapd listens on, and it is read on every invocation, so no restart is needed for it. The server's listeners are configured by @SLAPD_SERVICES@ in @/etc/default/slapd@. To accept plain @ldap://@ only from the local machine while keeping the @ldapi:///@ socket that the @cn=config@ steps further down depend on, set @SLAPD_SERVICES="ldap://127.0.0.1:389/ ldapi:///"@ there and restart the service: 
 <pre> 
 sudo service slapd restart 
 </pre> 
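The following shell functions are an added example, not part of the original page or of the OpenLDAP project: they rewrite @SLAPD_SERVICES@ so that plain LDAP is bound to loopback only (the @ldapi:///@ socket stays), and they check the output of @ss -ltn@ for any port-389 listener that is still reachable from the network. The function names are invented here; the defaults-file layout assumed is Debian/Ubuntu's @/etc/default/slapd@.

```shell
#!/bin/sh
# Added example (not from the original page): bind plain ldap:// to loopback
# only, keep the ldapi:/// socket, and check what is actually listening.
# Assumes Debian/Ubuntu's /etc/default/slapd with a SLAPD_SERVICES variable.

# Listener list slapd should use: plain LDAP on 127.0.0.1 only, plus the
# Unix socket that SASL EXTERNAL / cn=config administration relies on.
slapd_services_line() {
    printf 'SLAPD_SERVICES="ldap://127.0.0.1:389/ ldapi:///"\n'
}

# Replace (or append) the SLAPD_SERVICES setting in a defaults file.
# Default target is /etc/default/slapd; pass another path to try it out.
set_slapd_services() {
    f="${1:-/etc/default/slapd}"
    tmp=$(mktemp)
    grep -v '^SLAPD_SERVICES=' "$f" > "$tmp" || true   # file may hold nothing else
    slapd_services_line >> "$tmp"
    cat "$tmp" > "$f"          # write in place to keep the file's owner and mode
    rm -f "$tmp"
}

# Feed `ss -ltn` output on stdin. Prints every socket listening on 389 that
# is not bound to a loopback address and returns 1 if there is one, 0 if the
# host only exposes LDAP locally. Run it after `service slapd restart`.
exposed_ldap_listeners() {
    awk '$4 ~ /:389$/ && $4 !~ /^(127\.0\.0\.1|\[::1\]):389$/ { print $4; found = 1 }
         END { exit found ? 1 : 0 }'
}

# Typical use on the server (hypothetical file name):
#   sudo sh -c '. ./slapd-local.sh; set_slapd_services && service slapd restart'
#   ss -ltn | exposed_ldap_listeners || echo "LDAP is reachable from the network"
```

The check deliberately flags anything that is not @127.0.0.1@ or @[::1]@, so a wildcard bind (@0.0.0.0:389@ or @*:389@) shows up as exposed even when a firewall happens to be in front of it.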

 h2. Install and Configure phpLDAPAdmin 

 <pre> 
 sudo apt-get install phpldapadmin 
 </pre> 

 h3. Configure phpLDAPAdmin 

 <pre> 
 vi /etc/phpldapadmin/config.php 
 </pre> 
 > $servers = new Datastore(); 
 > $servers->newServer('ldap_pla'); 
 > $servers->setValue('server','name','My LDAP Server'); 
 > $servers->setValue('server','host','192.168.0.2'); 
 > $servers->setValue('server','port',389); 
 > $servers->setValue('server','base',array('dc=example,dc=com')); 
 > $servers->setValue('login','bind_id','cn=admin,dc=example,dc=com'); 

 @host@ is the address the web server connects to. A plain @ldap://@ bind on port 389 sends the admin password in cleartext, so either run phpLDAPAdmin on the LDAP host itself and use @127.0.0.1@ here, or enable TLS on the server before pointing it at an address on the network. 

 h3. Enable phpLDAPAdmin on Apache 

 <pre> 
 ln -s /etc/phpldapadmin/apache.conf /etc/apache2/sites-enabled/phpldapadmin 
 sudo service apache2 reload 
 </pre> 
 On Apache 2.4 (Ubuntu 14.04 and later) only files ending in @.conf@ are picked up from @sites-enabled@, so name the link @phpldapadmin.conf@ there. The interface is then reachable under @/phpldapadmin@ on the web server; the login form carries the LDAP admin password, so serve it over HTTPS or keep it on a trusted network. 

 h2. (Optional) Add Server Configuration Administrator Access 

 The server configuration lives in its own LDAP database, @cn=config@, which slapd keeps on disk under @/etc/ldap/slapd.d/@ (for example @/etc/ldap/slapd.d/cn=config/olcDatabase={0}config.ldif@, generated at installation). Those files are slapd's private storage format: do not edit them by hand, change @cn=config@ through LDAP with @ldapmodify@ instead. By default only the Unix @root@ account can read and write @cn=config@; in @olcDatabase={0}config.ldif@ you will find 

 > olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break 

 This grants the local user with uid 0 and gid 0 (root), authenticating over the @ldapi:///@ Unix socket with SASL EXTERNAL, @manage@ rights on everything in @cn=config@. As root you can dump the whole configuration with: 
 <pre> 
 ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" 
 </pre> 

 Generate a password for your new user *cn=admin,cn=config*: 
 <pre> 
 slappasswd -h {SSHA} 
 </pre> 
 * Enter the password twice and note the hash value 

 Create a temporary ldif e.g. @add_adminconfig.ldif@ with the following content: 
 <pre> 
 vi add_adminconfig.ldif 
 </pre> 
 > # Debian's slapd already sets olcRootDN: cn=admin,cn=config on the config 
 > # database; only uncomment this record if ldapsearch shows no olcRootDN there. 
 > #dn: olcDatabase={0}config,cn=config 
 > #changetype: modify 
 > #replace: olcRootDN 
 > #olcRootDN: cn=admin,cn=config 
 >  
 > # replace rather than add, so the file can be re-applied after a password change; 
 > # olcRootPW takes exactly one value, the hash printed by slappasswd 
 > dn: olcDatabase={0}config,cn=config 
 > changetype: modify 
 > replace: olcRootPW 
 > olcRootPW: {SSHA}theHashValueGeneratedBefore 
 >  
 > # Uncomment this record to drop the olcAccess rule that lets the unix root 
 > # user manage cn=config over ldapi:///. Keeping that fallback is recommended: 
 > # without it, losing the cn=admin,cn=config password means hand-editing 
 > # slapd.d to get back in. 
 > #dn: olcDatabase={0}config,cn=config 
 > #changetype: modify 
 > #delete: olcAccess 

 Now apply the temporary LDIF to the slapd config (the file carries explicit @changetype@ lines, so @ldapmodify@ is the right tool; @ldapadd@ accepts it as well): 
 <pre> 
 ldapmodify -Y EXTERNAL -H ldapi:/// -f add_adminconfig.ldif 
 </pre> 

 Check that the hash is stored on the config database, then confirm that the new account can actually bind: 
 <pre> 
 ldapsearch -Y EXTERNAL -H ldapi:/// -LLL -b "olcDatabase={0}config,cn=config" olcRootDN olcRootPW 
 ldapwhoami -H ldapi:/// -D cn=admin,cn=config -W 
 </pre> 
 The first command should show @olcRootPW: {SSHA}...@ with your hash; the second should answer @dn:cn=admin,cn=config@. Remove @add_adminconfig.ldif@ afterwards. 
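The LDIF above sets a single hashed @olcRootPW@ and, if its last record is uncommented, removes root's fallback access. The shell functions below are an added example, not part of the original page or of OpenLDAP: one generates that modify LDIF while refusing cleartext or multiple values, the other audits @ldapsearch -LLL@ output of the config database for an unhashed @olcRootPW@ or a missing root peercred fallback. The function names, the @{SSHA}@ placeholder and the sample search output used to exercise them are constructed, not taken from a real server.

```shell
#!/bin/sh
# Added example (not from the original page): build the cn=config admin LDIF
# and audit the resulting olcDatabase={0}config entry.
# Assumes Debian/Ubuntu slapd with cn=config reachable over ldapi:///.

# Print a modify LDIF that sets olcRootPW on the config database.
# Accepts exactly one hashed value ({SSHA}, {SHA}, {CRYPT}, ...); refuses
# cleartext and multiple values so a plain password never lands in cn=config.
config_admin_ldif() {
    hash="$1"
    case "$hash" in
        *' '*)    echo "config_admin_ldif: exactly one olcRootPW value allowed" >&2; return 1 ;;
        '{'*'}'*) ;;
        *)        echo "config_admin_ldif: refusing cleartext (use: slappasswd -h {SSHA})" >&2; return 1 ;;
    esac
    printf 'dn: olcDatabase={0}config,cn=config\n'
    printf 'changetype: modify\n'
    # replace is idempotent; add fails with "attribute exists" on a second run
    printf 'replace: olcRootPW\n'
    printf 'olcRootPW: %s\n' "$hash"
}

# Read `ldapsearch -Y EXTERNAL -H ldapi:/// -LLL -b olcDatabase={0}config,cn=config`
# output on stdin. Exit 1 if olcRootPW is missing or not a {scheme}-hashed
# value, exit 2 if the unix-root peercred fallback is gone from olcAccess,
# exit 0 (prints "ok") when both look right.
audit_config_db() {
    awk '
        function inspect(line) {
            if (line ~ /^olcRootPW: /)  pw = substr(line, 12)
            if (line ~ /^olcRootPW:: /) pw = "(base64)"   # ldapsearch prints {SSHA} values plain
            if (line ~ /^olcAccess: / &&
                line ~ /gidNumber=0[+]uidNumber=0,cn=peercred,cn=external,cn=auth manage/)
                fallback = 1
        }
        /^ / { cur = cur substr($0, 2); next }   # LDIF folds long values onto " "-prefixed lines
        { if (cur != "") inspect(cur); cur = $0 }
        END {
            if (cur != "") inspect(cur)
            if (pw == "") { print "olcRootPW not set"; exit 1 }
            if (substr(pw, 1, 1) != "{") { print "olcRootPW is not a {scheme}-hashed value"; exit 1 }
            if (!fallback) { print "unix root fallback missing from olcAccess"; exit 2 }
            print "ok"
        }'
}

# Typical use on the server (hypothetical file name):
#   config_admin_ldif "$(slappasswd -h '{SSHA}')" > add_adminconfig.ldif
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f add_adminconfig.ldif
#   ldapsearch -Y EXTERNAL -H ldapi:/// -LLL -b "olcDatabase={0}config,cn=config" | audit_config_db
```

The audit unfolds LDIF continuation lines before matching, because the default @olcAccess@ value is longer than the 76-column wrap that @ldapsearch@ applies, and it treats a base64-encoded @olcRootPW@ (double colon) as suspect rather than silently passing it.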

 phpLDAPAdmin auto-detects base DNs from the @namingContexts@ attribute of the root DSE, and slapd does not list @cn=config@ there (it is announced in the separate @configContext@ attribute). So add it explicitly to the base-DN list in @/etc/phpldapadmin/config.php@: 
 <pre> 
 vi /etc/phpldapadmin/config.php 
 </pre> 
 > /* Array of base DNs of your LDAP server. Leave this blank to have phpLDAPadmin auto-detect it for you. */ 
 > $servers->setValue('server','base',array('cn=config','dc=example,dc=com')); 

 Now you can log in to phpLDAPAdmin as @cn=admin,cn=config@ with the password set above and browse @cn=config@ next to the data tree. The usual administrative account @cn=admin,dc=example,dc=com@ has no access to @cn=config@: the two databases have separate root DNs and separate access rules.
