Table of Contents
- A Brief Introduction to LDAP
- Initial Setup
- ldap-utils and slapd
- Reconfiguring slapd
- Apache Directory Studio
- Managing Users
- Apache
- Common Attributes
- Removing LDAP
- Bibliography
Prerequisites
- Know how to install Ubuntu desktop on VirtualBox
- Proficiency in Linux
- Take a look at my course titled A Beginner's Guide to Linux: Crash Course Edition
- Basic networking knowledge
- Take a look at my other article titled Linux network commands
1. A Brief Introduction to LDAP
The Lightweight Directory Access Protocol (LDAP) is a widely used protocol that offers directory services, such as phone books, addresses, and user accounts (Kirch & Dawson, 2000). It is versatile and capable of storing a diverse range of information (Negus & Bresnahan, 2012).
1.1. LDAP as a Tree
The simplest way to visualize LDAP is to perceive it as a tree structure.
- The first dot represents the root.
- DC means domain component. DC objects represent the top of an LDAP tree that uses DNS to define its namespace (LDAP Namespace Structure, n.d.).
- OU represents an organizational unit. It typically holds group objects or user objects.
- uid represents a user's id; it is also a unique identifier.
- CN means common name and represents the name of an entry in the directory.
A Distinguished Name, or DN for short, is a unique identifier for an entry in the LDAP directory tree. It includes an object's entire path up to the root. Here is an example of a DN for the user ezosima:
uid=ezosima,ou=People,dc=example,dc=com
See more LDAP attributes in section 8, Common LDAP Attribute Names.
1.2. Difference between Directory and Database
Many people confuse directories with databases. Here are some key differences:
Directory | Database |
---|---|
A directory is designed for far more reads than writes. | Database read and write operations occur with roughly the same frequency. |
A directory service is hierarchical in nature. | Data is stored in rows and columns. |
Directory services can be modified concurrently in many locations; if multiple changes occur simultaneously, the last write overwrites the earlier ones. | Data is locked before updating, ensuring that there are no simultaneous changes in two locations. |
The data typically stored in a directory changes infrequently. | A database is designed to handle frequently changing data. |
The data in a directory is organized hierarchically and uses a standard schema shared by all applications. | A database is configured per application, making it suitable for complex data models such as relationships, joins, etc. |
(Carter, 2003; Christian, 2019; Mahajan, 2001)
2. Initial setup
Begin by setting up a VirtualBox instance running Ubuntu Server 22.04.3. Download the server image from https://ubuntu.com/download/server.
After downloading, proceed to configure the VirtualBox environment.
Take note of the IP address assigned to the Ubuntu server; we shall call this host myldapserver:
$ ip addr
192.168.0.79
Now, on your "main" machine, let us do a couple of things. First, update /etc/hosts:
$ sudo vi /etc/hosts
192.168.0.79 myldapserver
Second, copy id_rsa.pub to myldapserver:
$ ssh-copy-id -i ~/.ssh/id_rsa.pub tux@myldapserver
*Replace tux with your actual username on myldapserver.
Then attempt to log into the machine using the following command:
$ ssh username@myldapserver
3. ldap-utils and slapd
In this section, I will briefly discuss ldap-utils and slapd.
The ldap-utils package contains several utilities designed for querying an LDAP server (LDAP/LDAPUtils - Debian Wiki, n.d.).
Slapd, on the other hand, is the stand-alone LDAP daemon. It actively listens for LDAP connections on various ports (default 389), responding to the LDAP operations it receives through these connections (Slapd(8): Stand-Alone LDAP Daemon - Linux Man Page, n.d.).
3.1. Moving on to myldapserver
Go to myldapserver and update the /etc/hosts file on the server:
$ sudo vi /etc/hosts
127.0.0.1 localhost
192.168.0.79 myldapserver.example.com myldapserver
3.2. Install (1) ldap-utils and (2) slapd
$ sudo apt install -y ldap-utils
$ sudo apt install -y slapd
Give an administrator password:
Administrator password: passw0rd
Now, investigate the listening sockets on myldapserver. You can observe that port 389 is up and running. LDAP uses TCP 389 for its service (SpeedGuide, n.d.).
$ ss -ntl
Check if the installation works:
$ ldapsearch -x -LLL -H ldap:/// -b dc=example,dc=com dn
No such object (32)
Don't worry if you encounter a "no such object" error; I will explain the meaning of those commands. For now, in the next section, let's proceed to reconfigure the LDAP server.
4. Reconfiguring slapd
$ sudo dpkg-reconfigure slapd
Omit OpenLDAP server configuration? No
DNS domain name: example.com
Organization name: example.com
Administrator password: passw0rd
Do you want the database to be removed when slapd is purged? No
Move old database? Yes
*In a Debian-based distribution, dpkg-reconfigure is used to reconfigure packages after they have already been installed (Ubuntu Manpage: Dpkg-Reconfigure - Reconfigure an Already Installed Package, n.d.).
Now, try the following command again:
$ ldapsearch -x -LLL -H ldap:/// -b dc=example,dc=com dn
You should see the following output:
Awesome, let me break down the aforementioned command for you. First of all, we are initiating a search request to the LDAP directory from the base DN.
- -x indicates the use of simple authentication.
- -LLL indicates that the output should be in LDIF format without any comments.
- -H ldap:/// specifies the URI of the LDAP server.
- -b dc=example,dc=com specifies the base DN for the search.
- dn is the attribute we want to see in the result.
4.1. Create Upper Layers
Now, let's create an upper layer called structure.ldif:
4.2. What is .ldif?
The LDAP Data Interchange Format is a standard text format used for representing LDAP objects and LDAP updates (add, modify, delete, modify DN) in textual form (IBM Documentation, 2023).
$ vi structure.ldif
dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
ou: people
dn: ou=groups,dc=example,dc=com
objectClass: organizationalUnit
ou: groups
Above, we defined two organizational units (OU) called people and groups.
$ ldapadd -x -w passw0rd -D cn=admin,dc=example,dc=com -f structure.ldif
This command adds the entries from structure.ldif to the LDAP directory.
- -x uses simple authentication (without it, ldapadd attempts a SASL bind).
- -w supplies the bind password on the command line; -W would prompt for the bind password instead.
- -D specifies the bind DN.
- -f reads the operations from the given file.
Once again, run ldapsearch:
$ ldapsearch -x -LLL -H ldap:/// -b dc=example,dc=com
The output should be something like:
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: example.com
dc: example
dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
ou: people
dn: ou=groups,dc=example,dc=com
objectClass: organizationalUnit
ou: groups
Moreover, try to connect to myldapserver from outside your VirtualBox VM, i.e., from "another machine" on the same network; you should get the same successful results.
another-machine:~$ ldapsearch -x -LLL -H ldap://myldapserver:389 -b dc=example,dc=com
*myldapserver or IP address of myldapserver
Now, moving on to the next section on how to use GUI tools like Apache Directory Studio.
5. Apache Directory Studio
Apache Directory Studio serves as a comprehensive directory tooling platform designed for LDAP servers.
Begin by downloading Apache Directory Studio from https://directory.apache.org/studio/download/download-linux.html.
Ensure you have openjdk 11.0.21 installed.
$ java --version
openjdk 11.0.21 2023-10-17
If you do not have Java Runtime Environment installed, proceed to install it as shown below:
$ sudo apt install default-jre
Now, extract the downloaded Apache Directory Studio:
$ tar xvf ApacheDirectoryStudio-2.0.0.v20210717-M17-linux.gtk.x86_64.tar.gz
$ cd ApacheDirectoryStudio
$ ./ApacheDirectoryStudio
That's it; it's that simple! 😊
Now,
- Navigate to the File menu > New
- From LDAP Browser, choose LDAP Connection
Provide the connection details. For the authentication method, I will be using No Authentication (an anonymous bind, which only shows what the server exposes to anonymous readers), as shown below:
And click Finish. That's it.
Now, you'll notice the Connections tab on the right side of the studio. Click on "Open connection."
Upon establishing a connection, the LDAP browser will promptly display the Directory Information Tree (DIT).
Good! You've just quickly learnt the basics of using Apache Directory Studio. For a comprehensive user's guide, refer to the Apache Directory Studio documentation available at https://directory.apache.org/studio/users-guide.html.
6. Managing users
In this section, I will guide you through the process of managing users in LDAP. Let's start by creating a user.
6.1. Create a user
To create a user, let us first create a .ldif file as below:
$ vi user_alexei.ldif
Paste the following content:
dn: cn=akaramazov,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
sn: Karamazov
givenName: Alexei
cn: akaramazov
userPassword: Password1
$ ldapadd -x -w passw0rd -D cn=admin,dc=example,dc=com -f user_alexei.ldif
*-x means simple authentication.
Response:
adding new entry "cn=akaramazov,ou=people,dc=example,dc=com"
You can use a here-document (<<EOF) as well, as shown below:
$ ldapadd -x -w passw0rd -D "cn=admin,dc=example,dc=com" -a <<EOF
dn: cn=akaramazov,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
sn: Karamazov
givenName: Alexei
cn: akaramazov
userPassword: Password1
EOF
- EOF marks the end of the here-document; it stands for "end of file".
6.2. Look up the user
To look up the user, use the ldapsearch command.
$ ldapsearch -x -H ldap:/// -b ou=people,dc=example,dc=com
Response:
# extended LDIF
#
# LDAPv3
# base <ou=people,dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# people, example.com
dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
ou: people
# akaramazov, people, example.com
dn: cn=akaramazov,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
sn: Karamazov
givenName: Alexei
cn: akaramazov
# search result
search: 2
result: 0 Success
# numResponses: 3
# numEntries: 2
Also, you can use the following command:
$ ldapsearch -LLL -x -w passw0rd -D cn=admin,dc=example,dc=com -b ou=people,dc=example,dc=com
Note: because this command binds as the admin rather than anonymously, its output will include the userPassword attribute too.
6.3. Delete the user
To delete the user, enter the following command:
$ ldapdelete -x -H ldap:/// -w passw0rd -D cn=admin,dc=example,dc=com "cn=akaramazov,ou=people,dc=example,dc=com"
6.4. Encrypt the password
Now, let's explore the process of hashing the password (i.e., Password1) for the user kverkhovtsev so that it is not stored in clear text. Run slappasswd without -s if you would rather be prompted than put the password on the command line.
$ slappasswd -s Password1
{SSHA}Kl3qIO0tKIeaux2/DXtFGdUL/fnqB7Pl
In this context, the 'slappasswd' command is utilized to hash the password values.
Now, create user_kverkhovtsev.ldif and paste the following:
$ vi user_kverkhovtsev.ldif
dn: cn=kverkhovtsev,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
sn: Verkhovtsev
givenName: Katerina
cn: kverkhovtsev
userPassword: {SSHA}Kl3qIO0tKIeaux2/DXtFGdUL/fnqB7Pl
Add the user kverkhovtsev:
$ ldapadd -x -w passw0rd -D cn=admin,dc=example,dc=com -f user_kverkhovtsev.ldif
Now, when you ldapsearch the user kverkhovtsev, you will see the hashed password in userPassword. The double colon (userPassword::) means that LDIF has base64-encoded the value; decoding it gives back the {SSHA} string from slappasswd:
...
cn: kverkhovtsev
userPassword:: e1NTSEF9S2wzcUlPMHRLSWVhdXgyL0RYdEZHZFVML2ZucUI3UGw=
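To see what slappasswd produced, here is an added Python example (not part of the original article) that decodes the base64 LDIF value shown above, splits the {SSHA} string into its SHA-1 digest and 4-byte salt, and hashes and verifies a password the same way slappasswd does. The two constants are copied from this page; the fixed salt used in the usage call is constructed for illustration.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Values copied from the page: the slappasswd -s Password1 output and the
# base64 form that ldapsearch prints after "userPassword::".
PAGE_SSHA = "{SSHA}Kl3qIO0tKIeaux2/DXtFGdUL/fnqB7Pl"
PAGE_LDIF_B64 = "e1NTSEF9S2wzcUlPMHRLSWVhdXgyL0RYdEZHZFVML2ZucUI3UGw="

SHA1_LEN = 20  # SHA-1 digest length in bytes; the rest of the blob is the salt


def ldif_base64_value(b64: str) -> str:
    """Decode a '::' (base64) LDIF attribute value back to its text form."""
    return base64.b64decode(b64).decode()


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Build an {SSHA} value as slappasswd does: base64(SHA1(pw || salt) || salt)."""
    if salt is None:
        salt = os.urandom(4)  # slappasswd uses a 4-byte random salt by default
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def split_ssha(value: str) -> Tuple[bytes, bytes]:
    """Return (digest, salt) from an {SSHA} value; the salt is the trailing bytes."""
    if not value.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(value[len("{SSHA}"):])
    if len(raw) <= SHA1_LEN:
        raise ValueError("blob too short to hold a SHA-1 digest plus salt")
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def verify_ssha(value: str, candidate: str) -> bool:
    """Check a candidate password against an {SSHA} value (what slapd does on bind)."""
    digest, salt = split_ssha(value)
    expected = hashlib.sha1(candidate.encode() + salt).digest()
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    print(ldif_base64_value(PAGE_LDIF_B64))          # prints the {SSHA} string from the page
    print(len(split_ssha(PAGE_SSHA)[1]), "byte salt")
    h = make_ssha("Password1", b"\x01\x02\x03\x04")  # constructed salt, for a reproducible value
    print(verify_ssha(h, "Password1"), verify_ssha(h, "password1"))
```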
6.5. Add a new attribute for the user
Let's add two new attributes, initials and description, for the user akaramazov:
$ vi user_alexei_add_attributes.ldif
dn: cn=akaramazov,ou=people,dc=example,dc=com
changetype: modify
add: initials
initials: Mr.
-
add: description
description: The Brothers Karamazov
We will utilize ldapmodify
to ensure that our changes are persisted:
$ ldapmodify -x -w passw0rd -D cn=admin,dc=example,dc=com -f user_alexei_add_attributes.ldif
You can cross-check that the change was persisted:
$ ldapsearch -LLL -x -H ldap:/// -w passw0rd \
    -D cn=admin,dc=example,dc=com \
    -b ou=people,dc=example,dc=com \
    "(cn=akaramazov)"
6.6. Modify the attribute of the user
To modify an attribute of the user, use replace, as shown below:
$ vi user_alexei_replace.ldif
dn: cn=akaramazov,ou=people,dc=example,dc=com
changetype: modify
replace: description
description: The Brothers Karamazov Novel by Fyodor Dostoevsky
$ ldapmodify -x -w passw0rd -D cn=admin,dc=example,dc=com -f user_alexei_replace.ldif
Response:
modifying entry "cn=akaramazov,ou=people,dc=example,dc=com"
6.7. Delete the attribute
To delete an attribute of the user, use delete, as outlined below:
$ ldapmodify -x -w passw0rd -D "cn=admin,dc=example,dc=com" -a <<EOF
dn: cn=akaramazov,ou=people,dc=example,dc=com
changetype: modify
delete: initials
EOF
7. LDAP Authentication in Apache
A directory is a natural authentication source, and the design of mod_authnz_ldap reflects that. The goal of this section is to demonstrate basic LDAP authentication for the Apache web server.
First, install Apache2 and W3m:
$ sudo apt update
$ sudo apt install -y apache2 w3m
*w3m is a text based web browser and pager.
Now, when you browse http://myldapserver, you should be able to see the Apache web server up and running.
Now, this is the page that we want to protect.
Enable the Apache module authnz_ldap:
$ sudo a2enmod authnz_ldap
Restart apache2
$ sudo systemctl restart apache2
Add the following to the 000-default.conf file:
$ sudo vi /etc/apache2/sites-available/000-default.conf
...
DocumentRoot /var/www/html
<Directory /var/www/html>
    AuthType Basic
    AuthName "Web Site Authentication Required"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://127.0.0.1:389/ou=people,dc=example,dc=com?cn"
    Require valid-user
</Directory>
...
The AuthLDAPURL tells mod_authnz_ldap to search under ou=people for an entry whose cn matches the supplied username and then bind as that entry with the supplied password; Require valid-user admits any user for whom that bind succeeds. The URL points at 127.0.0.1, so the bind stays on the loopback interface; to reach a directory on another host, use ldaps:// (or STARTTLS) so that passwords are not sent in clear text.
Check that the configuration is syntactically valid:
$ sudo apachectl configtest
Syntax OK
Finally, restart apache2
$ sudo systemctl restart apache2
Try browsing http://myldapserver; you should be prompted for authentication.
Or, try with w3m from myldapserver:
$ w3m localhost
Username for Web Site Authentication Required: akaramazov
Password for Web Site Authentication Required: Password1
By providing the correct credentials, you should be able to view the Apache server-hosted page.
8. Common LDAP Attribute Names
The table below lists some common LDAP attributes:
Attribute | Description |
---|---|
cn | Common name, which contains the name of the object |
dc | Domain Component |
o | Name of the Organization |
ou | Name of the Organization Unit |
sn | Surname of an individual |
givenName | First name of the individual |
uid | User ID, which is unique |
 | User's email address |
c | Country name |
dn | Distinguished name |
title | Title |
url | Other web page |
company | Company name |
department | Department name |
homephone | Home phone number |
manager | Boss, manager |
mobile | Mobile phone number |
9. Removing LDAP
To completely remove LDAP from the system, follow these steps.
Firstly, stop the slapd:
$ sudo systemctl stop slapd
Remove the LDAP packages:
$ sudo apt remove -y --purge ldap-utils slapd
Now, remove the LDAP configuration files:
$ sudo rm -rf /etc/ldap/ ; sudo rm -rf /var/lib/ldap/
Delete the user "ldap" and the group "openldap":
$ sudo deluser --remove-home ldap ; sudo delgroup openldap
Finally, remove all unused packages automatically:
$ sudo apt autoremove
Great!
You've just learned the basics of getting started with LDAP. I highly recommend a couple of resources if you want to dig deeper into LDAP:
- LDAP System Administration: Putting Directories to Work by Gerald Carter
- Linux Network Administrator's Guide: Infrastructure, Services, and Security by Tony Bautts
- https://www.openldap.org/
- https://wiki.debian.org/LDAP/LDAPUtils
- https://ubuntu.com/server/docs/service-ldap
Good Luck!
10. Bibliography
Carter, G. (2003). LDAP System Administration: Putting Directories to Work. O’Reilly Media. https://books.google.de/books?id=utsMgEfnPSEC
Christian. (2019, December 18). Differences between Directory Services and Databases. TechDirectArchive. https://techdirectarchive.com/2019/12/18/differences-between-directory-services-and-databases/
IBM Documentation. (2023, May 19). https://www.ibm.com/docs/en/i/7.3?topic=reference-ldap-data-interchange-format-ldif
Kirch, O., & Dawson, T. (2000). Linux Network Administrator’s Guide. O’Reilly. https://books.google.de/books?id=5bgEyjAtLhEC
LDAP Namespace Structure | Understanding Active Directory Services | InformIT. (n.d.). Retrieved January 18, 2024, from https://www.informit.com/articles/article.aspx?p=101405&seqNum=7
LDAP/LDAPUtils—Debian Wiki. (n.d.). Retrieved January 20, 2024, from https://wiki.debian.org/LDAP/LDAPUtils
Mahajan, V. (2001). Should I Use a Directory, a Database, or Both? https://support.novell.com/techcenter/articles/ana20011101.html
Negus, C., & Bresnahan, C. (2012). Linux Bible. Wiley. https://books.google.de/books?id=pdgJ3HIgSHEC
Slapd(8): Stand-alone LDAP Daemon—Linux man page. (n.d.). Retrieved January 20, 2024, from https://linux.die.net/man/8/slapd
SpeedGuide. (n.d.). Port 389 (tcp/udp). SpeedGuide. Retrieved January 17, 2024, from https://www.speedguide.net/port.php?port=389
Ubuntu Manpage: Dpkg-reconfigure—Reconfigure an already installed package. (n.d.). Retrieved January 17, 2024, from https://manpages.ubuntu.com/manpages/jammy/en/man8/dpkg-reconfigure.8.html
Welcome to Apache Directory Studio—Apache Directory. (n.d.). Retrieved January 19, 2024, from https://directory.apache.org/studio/