Are you trying to install OpenLDAP and phpLDAPadmin on Ubuntu?
This guide is for you.
phpLDAPadmin is a web app for administering Lightweight Directory Access Protocol servers.
OpenLDAP is an open source implementation of the LDAP protocol that runs on Linux.
We can use OpenLDAP to store any kind of information and it is often used as one component of a centralized authentication system.
The system that we set up is quite flexible and we can design our own organizational schema and manage groups of resources as our needs demand.
Here at Ibmi Media, as part of our Server Management Services, we regularly help our Customers to perform LDAP related queries.
In this context, we shall look into how to install OpenLDAP and phpLDAPadmin on Ubuntu 14.04 Server.
Here, you will learn how to install and configure an OpenLDAP server on an Ubuntu 14.04 server. We will then install and secure a phpLDAPadmin interface to provide an easy web interface.
All of the software we need is available in Ubuntu's default repositories.
First, refresh the local package index, then install the server (slapd) and the command-line client tools (ldap-utils):
$ sudo apt-get update
$ sudo apt-get install slapd ldap-utils
During the installation, we are asked to set an administrator password for LDAP.
Because the installer skips most of the other important configuration questions, we reconfigure the package afterwards.
i. We gain access to all of the prompts by reconfiguring the package:
$ sudo dpkg-reconfigure slapd
ii. There are quite a few questions we encounter as we go through this process:
Omit OpenLDAP server configuration? No
DNS domain name?
– It will determine the base structure of our directory path. Read the message to understand exactly how this will be implemented.
– We can select whatever “domain name” value, even if we do not own the actual domain. However, if we have a domain name for the server, it is probably wise to use that.
– Here, we select test.com for our configuration.
Organization name?
– It is entirely up to our preferences.
– For this article, we use "example" as the name of our organization.
Administrator password?
– Anything we select here will overwrite the previous password we used.
Database backend? HDB
Remove the database when slapd is purged? No
Move old database? Yes
Allow LDAPv2 protocol? No
Once the prompts are answered, the package reconfigures slapd with the new base DN and administrator password.
Although we can administer LDAP through the command line, it is easier to use a web interface.
The Ubuntu repositories contain the phpLDAPadmin package. To install, we run:
$ sudo apt-get install phpldapadmin
This will install the administration interface, enable the necessary Apache virtual hosts files and reload Apache.
We configure a few things so that phpLDAPadmin connects to the directory that was created during the OpenLDAP configuration stage.
i. To begin, we open the main configuration file with root privileges in any text editor:
$ sudo nano /etc/phpldapadmin/config.php
ii. Here, we add the configuration details. First, look for the host parameter. This is the address phpLDAPadmin uses to reach the LDAP server, not the address of the web interface. When slapd runs on the same machine, keep the loopback address so that the LDAP traffic never leaves the host; only put a domain name or IP address here if slapd runs elsewhere:
$servers->setValue('server','host','127.0.0.1');
iii. Next, we need to configure the base DN. We translate the domain name into LDAP syntax by turning each label of the domain into a dc= component, joined by commas.
Find the parameter that sets the server base and use that format to reference the domain we chose:
$servers->setValue('server','base',array('dc=test,dc=com'));
iv. Then we make the same change in the login bind_id parameter. The cn portion should be "admin", the administrator entry that the slapd package creates; we just need to adjust the dc portions again:
$servers->setValue('login','bind_id','cn=admin,dc=test,dc=com');
v. Finally, we adjust a setting that controls the visibility of warning messages. By default, phpLDAPadmin shows a template warning on many pages.
vi. We can hide these by searching for the hide_template_warning parameter, uncommenting the line that contains it, and setting it to true:
$config->custom->appearance['hide_template_warning'] = true;
vii. Save and close the file.
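The steps ii to vi above are easy to get subtly wrong by hand (a dc= component missed, or the hide_template_warning line edited but left commented out). The script below is an added example, not code from the original article or from the phpLDAPadmin project: it derives the base DN and admin bind DN from the domain chosen in dpkg-reconfigure and applies the four config.php changes in one idempotent pass. It assumes the administrator entry is cn=admin (what the slapd package creates) and that the config.php lines have the layout shown above, possibly commented out with a leading //.

```sh
#!/bin/sh
# Added example (not part of the original article): derive LDAP DNs from the DNS domain
# chosen in dpkg-reconfigure and patch phpLDAPadmin's config.php accordingly.
# Assumptions: admin RDN is cn=admin; the LDAP host is 127.0.0.1 when slapd is local.

domain_to_base_dn() {   # test.com -> dc=test,dc=com
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    dn=""
    for label in "$@"; do dn="${dn:+$dn,}dc=$label"; done
    printf '%s' "$dn"
}

admin_bind_dn() {       # test.com -> cn=admin,dc=test,dc=com
    printf 'cn=admin,%s' "$(domain_to_base_dn "$1")"
}

configure_pla() {       # configure_pla <config.php> <ldap host, 127.0.0.1 if local> <domain>
    cfg="$1"; host="$2"; domain="$3"
    base="$(domain_to_base_dn "$domain")"
    bind="$(admin_bind_dn "$domain")"
    # Each pattern tolerates leading whitespace and a "// " comment marker, so a
    # commented-out default becomes an active line instead of staying disabled.
    lead='^[[:space:]]*\(// *\)\{0,1\}'
    sed \
        -e "s|${lead}[\$]servers->setValue('server','host',.*|\$servers->setValue('server','host','$host');|" \
        -e "s|${lead}[\$]servers->setValue('server','base',.*|\$servers->setValue('server','base',array('$base'));|" \
        -e "s|${lead}[\$]servers->setValue('login','bind_id',.*|\$servers->setValue('login','bind_id','$bind');|" \
        -e "s|${lead}[\$]config->custom->appearance\['hide_template_warning'\].*|\$config->custom->appearance['hide_template_warning'] = true;|" \
        "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# Typical call on the server (run as root):
#   configure_pla /etc/phpldapadmin/config.php 127.0.0.1 test.com
```

The sed patterns only ever replace whole lines that start with one of the four settings, so running the script a second time with different values simply overwrites the earlier result.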
Next, we secure the browser connection with TLS so that the web login and the LDAP administrator password cannot be intercepted in transit.
Since the admin interface talks to slapd on the same machine over the loopback address, that hop does not need TLS.
The connection from our browser to the web server, however, crosses the network and must be encrypted.
For that, we set up a self-signed certificate that Apache can use.
The OpenSSL packages will be on our system by default. First, we should create a directory to hold our certificate and key:
$ sudo mkdir /etc/apache2/ssl
Then, we create the key and certificate:
$ sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt
In the prompt that says Common Name, enter the server's domain name or IP address, exactly as it will be typed into the browser.
Once done, the certificate and key will be written to the /etc/apache2/ssl directory.
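The one-liner above works, but current browsers ignore the Common Name and look for a subjectAltName, and the key it writes is only as private as your umask. The function below is an added example (not from the original article) that produces the same two files non-interactively with a SAN, TLS-server key usage, a key created under umask 077, and prints the SHA-256 fingerprint so it can be compared against the browser's warning later. It assumes the host name or IP you pass is the one users will type in the browser and that the files go to /etc/apache2/ssl as above.

```sh
#!/bin/sh
# Added example (not part of the original article): self-signed certificate with SAN,
# restrictive key permissions and a fingerprint to verify from the browser side.

make_self_signed_cert() {   # make_self_signed_cert <dir> <host-or-ip> [days]
    dir="$1"; host="$2"; days="${3:-365}"
    # IP addresses go into the SAN as IP:, names as DNS:
    case "$host" in
        *[!0-9.]*) san="DNS:$host" ;;
        *)         san="IP:$host"  ;;
    esac
    mkdir -p "$dir" || return 1
    cat > "$dir/openssl.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_server
[dn]
CN = $host
[v3_server]
subjectAltName = $san
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    # subshell so the restrictive umask does not leak into the caller's shell
    ( umask 077 && openssl req -x509 -nodes -days "$days" -newkey rsa:2048 \
        -config "$dir/openssl.cnf" \
        -keyout "$dir/apache.key" -out "$dir/apache.crt" >/dev/null 2>&1 ) || return 1
    chmod 600 "$dir/apache.key" && chmod 644 "$dir/apache.crt" || return 1
    # keep this value: it is what the browser should show in its certificate warning
    openssl x509 -noout -fingerprint -sha256 -in "$dir/apache.crt"
}

# On the server (as root):  make_self_signed_cert /etc/apache2/ssl ldap.test.com
```

Record the printed fingerprint somewhere you can reach from the client machine; it is the only thing that distinguishes your self-signed certificate from one presented by an attacker in the middle.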
We also need to password protect our phpLDAPadmin location with HTTP Basic authentication in front of the application, so that unauthenticated visitors never reach phpLDAPadmin's own login page.
Run the command below to get the htpasswd utility:
$ sudo apt-get install apache2-utils
We will keep the password file in the /etc/apache2 directory, outside the web root. Create the file and specify the username (the -c flag creates the file and overwrites it if it already exists, so omit -c when adding further users later):
$ sudo htpasswd -c /etc/apache2/htpasswd demo_user
Now, we are ready to modify Apache to take advantage of our security upgrades.
Initially, we should enable the SSL module in Apache.
To do that, run:
$ sudo a2enmod ssl
This will enable the module. We still need to configure Apache to use it.
We need to tell Apache to redirect requests for our phpLDAPadmin interface to the HTTPS interface so that the connection is encrypted.
At the same time, we will add the password file to authenticate users.
In addition, we will move the phpLDAPadmin interface to a non-default path. This only keeps it out of the way of scanners that probe /phpldapadmin; it is not a substitute for the password and TLS.
First, we modify the alias that is set up to serve our phpLDAPadmin files.
Open the file with root privileges in any text editor:
$ sudo nano /etc/phpldapadmin/apache.conf
Here we need to decide on the URL location where we want to access our interface. The default is /phpldapadmin. However, we will change this to cut down on random login attempts by bots and malicious parties.
For our purpose, we will use the location /superldap.
We need to modify the line that specifies the Alias.
This should be in an IfModule mod_alias.c block. Once done, it should look like this:
<IfModule mod_alias.c>
Alias /superldap /usr/share/phpldapadmin/htdocs
</IfModule>
Save and close the file.
Next, we modify the current Virtual Hosts file. Open it with root privileges in our editor:
$ sudo nano /etc/apache2/sites-enabled/000-default.conf
Inside, we will see a rather bare configuration file that looks like this:
<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
We have to add our domain name or IP address to define the server name, and set up a redirect that sends HTTP requests for the interface path to the HTTPS interface.
The changes will look like this:
<VirtualHost *:80>
ServerAdmin webmaster@server_domain_or_IP
DocumentRoot /var/www/html
ServerName server_domain_or_IP
Redirect permanent /superldap https://server_domain_or_IP/superldap
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
Save and close the file.
Apache includes a default SSL Virtual Host file. However, it is not enabled by default.
In order to enable it, run:
$ sudo a2ensite default-ssl.conf
This will link the file from the sites-available directory into the sites-enabled directory. To edit the file, run:
$ sudo nano /etc/apache2/sites-enabled/default-ssl.conf
This file involves more than the last one, so we will discuss the changes that we make.
All of the changes below should go within the Virtual Host block in the file.
First of all, set the ServerName value to the server's domain name or IP address and change the ServerAdmin directive:
ServerAdmin webmaster@server_domain_or_IP
ServerName server_domain_or_IP
Then, we set the SSL certificate directives to point to the key and certificate that we created. The directives should already exist in our file, so just modify:
SSLCertificateFile /etc/apache2/ssl/apache.crt
SSLCertificateKeyFile /etc/apache2/ssl/apache.key
Finally, we need to set up the location block that will implement our password protection for the entire phpLDAPadmin installation.
We do this by referencing the location where we serve the phpLDAPadmin and setting up authentication using the file we generated.
<Location /superldap>
AuthType Basic
AuthName "Restricted Files"
AuthUserFile /etc/apache2/htpasswd
Require valid-user
</Location>
Save and close the file.
Restart Apache to implement all of the changes:
$ sudo service apache2 restart
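After the restart it is worth checking that the three changes actually took effect rather than trusting the configuration files. The script below is an added example, not part of the original article: it probes the server the way an outsider would and fails if plain HTTP serves the interface, if HTTPS answers without Basic authentication, or if the default /phpldapadmin alias still responds. It assumes curl is installed, that the interface lives at /superldap on the host you pass in, and that the certificate is self-signed (hence -k for this check only).

```sh
#!/bin/sh
# Added example (not part of the original article): smoke test for the Apache hardening.
# Assumes curl; the certificate is self-signed, so -k is used for this probe only.

probe() {   # prints "<http status> <redirect target>" for one URL without following redirects
    curl -sk -o /dev/null -w '%{http_code} %{redirect_url}' "$1"
}

verify_pla_hardening() {   # verify_pla_hardening <host> [path, default /superldap]
    host="$1"; path="${2:-/superldap}"; fails=0

    # 1. plain HTTP must not serve the interface, only bounce to HTTPS
    set -- $(probe "http://$host$path")
    case "$1:$2" in
        301:https://*|302:https://*) ;;
        *) echo "FAIL: http://$host$path answered '$1 $2' instead of redirecting to https"
           fails=$((fails + 1)) ;;
    esac

    # 2. HTTPS without credentials must be stopped by Basic auth before phpLDAPadmin sees it
    set -- $(probe "https://$host$path/")
    [ "$1" = 401 ] || { echo "FAIL: $path reachable without Basic auth (status $1)"; fails=$((fails + 1)); }

    # 3. the default alias must be gone, otherwise renaming it bought nothing
    set -- $(probe "https://$host/phpldapadmin/")
    [ "$1" = 404 ] || { echo "FAIL: default /phpldapadmin alias still answers (status $1)"; fails=$((fails + 1)); }

    [ "$fails" -eq 0 ] && echo "OK: $host$path is redirected, password-protected, default alias gone"
}

# Usage:  verify_pla_hardening server_domain_or_IP /superldap
```

Run it from a machine other than the server so that it exercises the same path a remote user (or scanner) would take.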
We can now move on to the actual interface.
We access the web interface by visiting the server's domain name or public IP address followed by the alias we configured; the redirect we added sends the browser straight to the HTTPS version:
https://server_domain_or_IP/superldap
The browser will warn about the site's certificate, because no certificate authority it trusts signed our self-signed certificate.
That is expected. Before clicking through, compare the fingerprint the browser shows with the fingerprint of /etc/apache2/ssl/apache.crt on the server; accepting an unfamiliar certificate blindly is exactly how a man-in-the-middle gets past this step. Then click "Proceed anyway".
Then, we will see the password prompt. Use the credentials we created with the htpasswd command.
In the main phpLDAPadmin landing page, click on the “login” link.
We will be taken to a login prompt.
It will pre-populate the correct value for the admin account if we configured phpLDAPadmin correctly. For us, it will look like this:
cn=admin,dc=test,dc=com
Finally, enter the administrator password configured during the slapd reconfiguration.
In the phpLDAPadmin interface, we have the ability to add users, organizational units, groups, and relationships.
LDAP is flexible in how we wish to structure our data and directory hierarchies.
In addition, we can create rules for how they interact.
i. Create Organizational Units
First, we will create categories to store information.
Since this is a basic setup, we will make two categories: groups and users.
a. Click on the “Create new entry here” link on the left-hand side.
b. Since we use this as an organizational structure, we will use the “Generic: Organizational Unit” template.
c. In the prompt to create a name for our organizational unit, type “groups”.
d. Then we need to commit the changes.
e. Once done, we can see a new entry on the left-hand side.
f. Repeat the procedure to create one more organizational structure.
However, this time, use the name “users”.
To create a group within the "groups" organizational unit, click on the ou=groups entry and then on "Create a child entry".
This time, we choose the "Generic: Posix Group" template.
Fill in "admin" as the group name. Click "Create Object" and then confirm on the next page.
We can see an overview of the groups by clicking on the ou=groups entry and then on its "View children" link (the number it shows is the number of groups created so far).
ii. Create Users
Next, we will create users to put in these groups. Click ou=users >> Create a child entry.
Then we choose “Generic: User Account” for these entries.
Note that the “Common Name” needs to be unique for each entry in a category. So we may want to use a username format instead of the default “FirstName LastName” that is auto-populated.
Click “Create Object” at the bottom and confirm on the following page.
To create additional users, we will take advantage of the ability to copy entries.
Click on the user we just created in the left-hand panel. In the main pane, click “Copy or move this entry”:
Adjust the “cn=user” portion of the entry to point it to the common name we would like to use for the new entry. Click “Copy” at the bottom.
We will be given the next page populated with our first user’s data. We will need to adjust it to match the new user’s information.
Make sure to change the uidNumber, which must be unique across users (the copy still carries the original user's value). Click the "Create Object" button at the bottom.
iii. Add Users to Groups
We can add users to various groups by clicking on the group in question. In the main pane, select “Add new attribute”.
Select “memberUid” from the drop-down menu.
In the text field that populates, enter the first user we would like to add. Click “Update Object” at the bottom.
We can then add more members by clicking “modify group members” and selecting them from the available choices.
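Everything clicked through in steps i to iii can also be expressed as LDIF and loaded with ldapadd from ldap-utils, which is easier to review and to repeat. The functions below are an added example, not code from the original article or from phpLDAPadmin: they emit the same organizational unit, posixGroup and user entries the templates create, and pick the next free uidNumber from a list so that copied entries never collide. They assume the base DN dc=test,dc=com from this guide, that ou=users and ou=groups exist as created above, and that the inetOrgPerson and posixAccount/posixGroup classes are what the "Generic: User Account" and "Generic: Posix Group" templates use (the standard nis.schema that Ubuntu's slapd loads by default).

```sh
#!/bin/sh
# Added example (not part of the original article): LDIF generators mirroring the
# phpLDAPadmin templates, plus a uidNumber allocator. Base DN and OUs as in the guide.

ou_ldif() {   # ou_ldif <base dn> <ou name>
    printf 'dn: ou=%s,%s\nobjectClass: organizationalUnit\nou: %s\n\n' "$2" "$1" "$2"
}

group_ldif() {   # group_ldif <base dn> <group cn> <gidNumber> [memberUid ...]
    base="$1"; cn="$2"; gid="$3"; shift 3
    printf 'dn: cn=%s,ou=groups,%s\nobjectClass: posixGroup\ncn: %s\ngidNumber: %s\n' \
        "$cn" "$base" "$cn" "$gid"
    for m in "$@"; do printf 'memberUid: %s\n' "$m"; done
    printf '\n'
}

user_ldif() {   # user_ldif <base dn> <uid> <uidNumber> <gidNumber> <givenName> <sn>
    base="$1"; uid="$2"; uidn="$3"; gidn="$4"; given="$5"; sn="$6"
    # cn is the RDN under ou=users in the template; using the login name keeps it unique
    printf 'dn: cn=%s,ou=users,%s\n' "$uid" "$base"
    printf 'objectClass: inetOrgPerson\nobjectClass: posixAccount\n'
    printf 'cn: %s\nuid: %s\ngivenName: %s\nsn: %s\n' "$uid" "$uid" "$given" "$sn"
    printf 'uidNumber: %s\ngidNumber: %s\nhomeDirectory: /home/%s\nloginShell: /bin/bash\n\n' \
        "$uidn" "$gidn" "$uid"
}

# Next free uidNumber from a list of numbers on stdin (non-numeric lines are ignored).
# Feed it:  ldapsearch -x -LLL -b ou=users,dc=test,dc=com uidNumber | sed -n 's/^uidNumber: //p'
next_uid_number() {   # next_uid_number [floor, default 10000]
    max=$(( ${1:-10000} - 1 ))
    while read -r n || [ -n "$n" ]; do
        case "$n" in ''|*[!0-9]*) continue ;; esac
        if [ "$n" -gt "$max" ]; then max=$n; fi
    done
    echo $((max + 1))
}

# Example pipeline on the server (commented so nothing runs against a directory here):
#   uidn=$(ldapsearch -x -LLL -b ou=users,dc=test,dc=com uidNumber | sed -n 's/^uidNumber: //p' | next_uid_number)
#   user_ldif dc=test,dc=com jdoe "$uidn" 10000 John Doe | ldapadd -x -D cn=admin,dc=test,dc=com -W
#   group_ldif dc=test,dc=com admin 10000 jdoe            | ldapadd -x -D cn=admin,dc=test,dc=com -W
```

The generated user entry deliberately has no userPassword attribute; set it afterwards with ldappasswd (for example ldappasswd -x -D cn=admin,dc=test,dc=com -W -S cn=jdoe,ou=users,dc=test,dc=com), which lets slapd hash it rather than pasting a hash into the LDIF.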
While installing OpenLDAP and phpLDAPadmin on Ubuntu, we may come across an error.
Here's how our Support Experts solve it.
While installing OpenLDAP we might receive the error below (this particular output comes from a 12.10 "quantal" system, but the cause is the same on 14.04):
root@server# sudo apt-get install slapd ldap-utils
Reading package lists… Done
Building dependency tree
Reading state information… Done
The following extra packages will be installed:
libodbc1 libslp1
Suggested packages:
libmyodbc odbc-postgresql tdsodbc unixodbc-bin slpd openslp-doc
The following NEW packages will be installed:
ldap-utils libodbc1 libslp1 slapd
0 upgraded, 4 newly installed, 0 to remove and 284 not upgraded.
Need to get 2,243 kB of archives.
After this operation, 5,595 kB of additional disk space will be used.
Do you want to continue [Y/n]? Y
Err http://us.archive.ubuntu.com/ubuntu/ quantal/main libodbc1 i386 2.2.14p2-5ubuntu4
Could not connect to 172.19.48.164:8080 (172.19.48.164). - connect (110: Connection timed out)
Err http://us.archive.ubuntu.com/ubuntu/ quantal/main libslp1 i386 1.2.1-9
Unable to connect to 172.19.48.164:8080:
Apparently, the APT configuration is set to connect through a proxy server. That proxy cannot be reached, and this is what the error is about.
In order to solve this, our Support Experts suggest the following:
Assume the proxy server is no longer online and we do not want to use it anymore.
i. Find the configuration line responsible for it:
$ grep -rni proxy /etc/apt
Our output will look like this:
/etc/apt/apt.conf:1:Acquire::http::Proxy "http://1.2.3.4:8000/";
ii. In the file /etc/apt/apt.conf on line 1, APT is configured to connect using that proxy address.
On our system, the filename and line are likely to be different; the proxy can also be set for https, or live in a file under /etc/apt/apt.conf.d/.
iii. Then edit that file and either comment the line out (prepend it with // or #) or simply remove it, using a text editor such as nano:
$ sudo nano /etc/apt/apt.conf
iv. Save and close.
v. Finally, update the APT lists:
$ sudo apt-get update
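The grep and edit above cover one file and one line. The function below is an added example, not part of the original article: it walks a whole APT configuration directory, comments out every active Acquire::<scheme>::Proxy directive (http and https alike, including files under apt.conf.d/) and reports what it changed, so nothing is silently left pointing at the dead proxy. It assumes you pass /etc/apt and run it as root; the test below uses a constructed directory instead.

```sh
#!/bin/sh
# Added example (not part of the original article): disable every APT proxy directive in a
# configuration directory. APT accepts // as a comment marker, so the lines are kept for reference.

disable_apt_proxy() {   # disable_apt_proxy <apt config dir, e.g. /etc/apt>
    dir="$1"; changed=0
    # files containing an uncommented Acquire::<scheme>::Proxy line (grep -l prints names only);
    # the for loop is fine here because /etc/apt file names contain no whitespace
    for f in $(grep -rlE '^[[:space:]]*Acquire::[A-Za-z]+::Proxy' "$dir" 2>/dev/null || true); do
        sed -e 's|^\([[:space:]]*\)\(Acquire::[A-Za-z]*::Proxy\)|\1// disabled: \2|' "$f" > "$f.tmp" \
            && mv "$f.tmp" "$f" || return 1
        echo "disabled proxy in $f"
        changed=$((changed + 1))
    done
    echo "$changed file(s) changed"
}

# On the server:  disable_apt_proxy /etc/apt && apt-get update
```

Re-running it after the edit reports 0 files changed, which doubles as a check that no active proxy directive remains; remember that an http_proxy variable in the environment would still take effect and is not touched here.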
This article will guide you on how to install #OpenLDAP and phpLDAPadmin on #Ubuntu. We also covered a likely error affecting the OpenLDAP installation and its solution.
#LDAP (Lightweight Directory Access Protocol) is an open and cross platform protocol used for directory services authentication. LDAP provides the communication language that applications use to communicate with other directory services servers.
#Kerberos is used to manage credentials securely (authentication) while LDAP is used for holding authoritative information about the accounts, such as what they're allowed to access (authorization), the user's full name and uid.
To access #phpLDAPadmin:
Point your browser to https://IP_OF_SERVER/superldap (IP_OF_SERVER is the actual IP address of your LDAP server; use /phpldapadmin instead if you kept the default alias).
From the main window, click the login link in the left pane.
When prompted, log in with the admin DN that is pre-filled (cn=admin,dc=test,dc=com in this guide) and the password set during the slapd reconfiguration.