OpenLDAP is a free, open-source implementation of the Lightweight Directory Access Protocol (LDAP), a protocol for centralized directory access on Linux. You can configure an LDAP server and client on Linux Mint so that system administrators can manage users in one centralized directory.
In the Microsoft environment, Active Directory authenticates desktops against a centralized directory held on the server. This is very useful when we want to manage many users and let them log in on any system without having an account on the local machine. Linux, however, has no built-in equivalent of Active Directory.
Instead, we use OpenLDAP to manage users on the server and configure it so that desktop machines authenticate against the server.
In this tutorial, we will cover how to configure the LDAP server and client on the Linux Mint machines. The tutorial is suitable for those configuring the LDAP from scratch.
What You’ll Need
In this tutorial, we are configuring both the LDAP Server and Client on Linux Mint machines. Furthermore, all the necessary configurations will be performed with the sudo privilege.
Configure LDAP Server on Linux Mint
1. Set Up Hostname for the Server
Before starting with the installation, it is crucial to set the server's hostname. For this step, use the hostnamectl command. For example:
sudo hostnamectl set-hostname example.example.com
Secondly, add the server's IP address and FQDN to the hosts file located at /etc/hosts. Edit the file using the vim or nano editor. For example:
sudo vim /etc/hosts
IP_Address example.example.com
Replace example.example.com and IP_Address with your server's actual hostname and IP address.
2. Install LDAP Server on Linux Mint
After editing the hosts file, the next step is to install the OpenLDAP server. To install the packages, use the install command followed by the package names. Make sure to update the package index first.
sudo apt update
sudo apt -y install slapd ldap-utils
The process will ask you to set up the password for the LDAP administrator.
Provide your desired password and hit the “Enter” key to continue with the installation.
3. Start the LDAP Service
OpenLDAP configuration involves the slapd and slurpd daemons. These are UNIX daemons responsible for serving the directory and providing replication services on any number of ports. In this tutorial, we are covering the configuration of the server without replication, hence we will focus on the slapd daemon only.
Now, start the installed service using the start command. Secondly, enable it so it comes up at boot, and then check its state using the status command. For example:
sudo systemctl start slapd
sudo systemctl enable slapd
systemctl status slapd
4. Configure the Firewall
Additionally, update the firewall settings to allow traffic to the LDAP server daemon. For this step, use the allow command of the ufw firewall. For example:
sudo ufw allow ldap
5. Configure LDAP on Linux Mint to Add a Base DN for Users
In this step, we will create an LDIF file that adds the base DN entries for the users and groups that will be accessing our server. To create the file, you can use the vim or nano command. For example:
sudo vim basedn.ldif
Next, add the following content to the file and save it. Make sure to replace “example” and “com” with the components of your own domain name.
dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
ou: people
You can add the following entry for the group:
dn: ou=groups,dc=example,dc=com
objectClass: organizationalUnit
ou: groups
After that, add the LDAP entry of the file that we have created above. For example:
sudo ldapadd -x -D cn=admin,dc=example,dc=com -W -f basedn.ldif
6. Add User Accounts and Groups
In this step, we will first generate a hashed password for the user account; slappasswd prompts for a password and prints the hash that goes into the userPassword attribute below. For example:
sudo slappasswd
Secondly, we will create one file for users and one for groups. For users, create that file using the nano or vim command. For example:
vim ldapusers.ldif
Thirdly, add the user information to the file. Make sure to use your own username, domain name, password hash from slappasswd, and home directory path in this step.
dn: uid=ldap,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: ldap
sn: Wiz
userPassword: {SSHA}Zn4/E5f+Ork7WZF/alrpMuHHGufC3x0k
loginShell: /bin/bash
uidNumber: 2000
gidNumber: 2000
homeDirectory: /home/ldap
After that, add that file in the OpenLDAP configuration.
ldapadd -x -D cn=admin,dc=example,dc=com -W -f ldapusers.ldif
Similarly, you can create a file for group accounts by following the same steps.
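Before handing a user or group LDIF to ldapadd, it is worth checking that every login account carries the POSIX attributes it needs, that userPassword holds a slappasswd hash rather than a cleartext value, and that no uidNumber collides with the local system range. The script below is an added example, not part of the original tutorial; it uses a constructed sample that contains the tutorial's user entry plus a posixGroup entry of the kind step 6 asks you to create, and it only handles simple one-line-per-attribute LDIF (no continuation lines or base64 values).

```python
import re
# Constructed sample (not a file from the original page): the tutorial's user entry,
# trimmed to the POSIX attributes, plus a matching posixGroup entry for step 6.
SAMPLE_LDIF = """\
dn: uid=ldap,ou=people,dc=example,dc=com
objectClass: posixAccount
cn: ldap
userPassword: {SSHA}Zn4/E5f+Ork7WZF/alrpMuHHGufC3x0k
uidNumber: 2000
gidNumber: 2000
homeDirectory: /home/ldap

dn: cn=ldap,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: ldap
gidNumber: 2000
memberUid: ldap
"""

# Attributes a POSIX login account needs, and the hash prefixes slappasswd emits.
REQUIRED_USER = {"cn", "uidNumber", "gidNumber", "homeDirectory", "userPassword"}
HASH_RE = re.compile(r"^\{(SSHA|SHA|CRYPT|SMD5|MD5)\}")

def parse_ldif(text):
    """Parse simple one-line-per-attribute LDIF into a list of {attr: [values]} dicts."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip(), []).append(value.strip())
        entries.append(entry)
    return entries

def check_ldif(text, min_uid=1000):
    """Return a list of problems; an empty list means the file is safe to hand to ldapadd."""
    problems, seen_uid = [], {}
    for e in parse_ldif(text):
        dn, classes = e.get("dn", ["<no dn>"])[0], e.get("objectClass", [])
        if "posixAccount" in classes:
            problems += [f"{dn}: missing {a}" for a in sorted(REQUIRED_USER - set(e))]
            if any(not HASH_RE.match(pw) for pw in e.get("userPassword", [])):
                problems.append(f"{dn}: userPassword must be a slappasswd hash, not cleartext")
            uid = int(e["uidNumber"][0]) if "uidNumber" in e else None
            if uid is not None and uid < min_uid:
                problems.append(f"{dn}: uidNumber {uid} overlaps local system accounts")
            if uid is not None and uid in seen_uid:
                problems.append(f"{dn}: uidNumber {uid} already used by {seen_uid[uid]}")
            seen_uid[uid] = dn
    return problems
```

Run check_ldif on the contents of ldapusers.ldif and only call ldapadd when it returns an empty list.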
Finally, you have configured the LDAP Server on Linux.
Install and Configure LDAP Client on Linux Mint
LDAP servers provide information to the LDAP clients. Therefore, a separate client account is not required. When a new user is added, you can simply edit the user file and add its configuration.
1. Install LDAP Client on Linux Mint
In this step, we will install and configure the LDAP client on Linux to access the LDAP server. Firstly, add the LDAP server address to the /etc/hosts file. Edit the file using vim or the nano editor. For example:
sudo vim /etc/hosts
Add the following content:
IP_ADDRESS YOUR_DOMAIN_NAME
Make sure to save the file before exiting the editor.
Secondly, install the LDAP client utilities on your system using the install command.
For example:
sudo apt -y install libnss-ldap libpam-ldap ldap-utils
You will be asked to configure various settings. Here is a summary of the settings you should choose.
- LDAP server URI – Enter the LDAP server's IP address or hostname. For example:
ldap://ldap.example.com
- Distinguished name of the search base – For example:
dc=example,dc=com
- LDAP version – 3
- Make local root database admin – Yes
- Does the LDAP database require login? – No
- LDAP account for root – For example:
cn=admin,dc=example,dc=com
- LDAP root account password – Enter the LDAP administrator password you set during the server installation
2. Add Configuration Files
Thirdly, add the following configuration to the /etc/nsswitch.conf file. You can access the file using the nano or vim editor. For example:
passwd: compat systemd ldap
group: compat systemd ldap
shadow: compat
Next, edit the /etc/pam.d/common-password file and remove use_authtok from the pam_ldap.so line. After the change, the line should look like this:
password [success=1 user_unknown=ignore default=die] pam_ldap.so try_first_pass
After that, edit the /etc/pam.d/common-session file and enable the creation of home directories at first login by adding the following setting:
session optional pam_mkhomedir.so skel=/etc/skel umask=077
Finally, you have configured the OpenLDAP client on Linux.
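Three small edits decide whether the client actually resolves and logs in LDAP users: the passwd and group databases in nsswitch.conf must list ldap, the pam_ldap.so line in common-password must no longer carry use_authtok, and common-session must load pam_mkhomedir.so with a restrictive umask. The following script is an added example, not part of the original tutorial; it audits the text of those three files against the end state described in steps 1 and 2, using constructed sample contents in place of the real files.

```python
import re
# Constructed samples (not files from the original page) mirroring the client edits in
# steps 1-2: nsswitch.conf, pam.d/common-password and pam.d/common-session.
NSSWITCH = """\
passwd:         compat systemd ldap
group:          compat systemd ldap
shadow:         compat
"""
COMMON_PASSWORD = """\
password	[success=1 user_unknown=ignore default=die]	pam_ldap.so try_first_pass
"""
COMMON_SESSION = "session\toptional\tpam_mkhomedir.so skel=/etc/skel umask=077\n"

def nss_sources(text):
    """Map each nsswitch database to its ordered list of sources, ignoring comments."""
    sources = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            db, _, rest = line.partition(":")
            sources[db.strip()] = rest.split()
    return sources

def pam_args(text, module):
    """Return the argument list of every PAM line that loads the given module."""
    found = []
    for line in text.splitlines():
        m = re.match(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line.split("#", 1)[0].strip())
        if m and m.group(3) == module:
            found.append(m.group(4).split())
    return found

def audit_client(nsswitch, common_password, common_session):
    """Return a list of findings; empty means the three files match the tutorial's end state."""
    findings, nss = [], nss_sources(nsswitch)
    for db in ("passwd", "group"):
        if "ldap" not in nss.get(db, []):
            findings.append(f"nsswitch.conf: '{db}' does not consult ldap")
    ldap_pw = pam_args(common_password, "pam_ldap.so")
    if not ldap_pw:
        findings.append("common-password: no pam_ldap.so line")
    elif any("use_authtok" in args for args in ldap_pw):
        findings.append("common-password: pam_ldap.so still has use_authtok")
    mk = pam_args(common_session, "pam_mkhomedir.so")
    if not mk:
        findings.append("common-session: pam_mkhomedir.so missing, home directories will not be created")
    elif not any("umask=077" in args for args in mk):
        findings.append("common-session: pam_mkhomedir.so should use umask=077 so new homes are private")
    return findings
```

To audit a real client, read /etc/nsswitch.conf, /etc/pam.d/common-password and /etc/pam.d/common-session and pass their contents to audit_client.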
Now, reboot the client machine. After that, try to log in with the user you just created; the client should authenticate the user against the LDAP server and log them in. Similarly, you can configure your other clients to authenticate against the same OpenLDAP server.
In this article, we have covered how to configure the LDAP server and client on Linux Mint machines. LDAP can also be used to authenticate users coming from web applications. This tutorial has covered the configuration on Linux Mint only. Furthermore, you can also configure your LDAP server with SSL/TLS to add a layer of security to your directory services. For more details, check out the official OpenLDAP documentation.