Tutorial

How To Install and Configure a Basic LDAP Server on an Ubuntu 12.04 VPS

How To Install and Configure a Basic LDAP Server on an Ubuntu 12.04 VPS

Status: Deprecated

This article covers a version of Ubuntu that is no longer supported. If you are currently operate a server running Ubuntu 12.04, we highly recommend upgrading or migrating to a supported version of Ubuntu:

Reason: Ubuntu 12.04 reached end of life (EOL) on April 28, 2017 and no longer receives security patches or updates. This guide is no longer maintained.

See Instead: This guide might still be useful as a reference, but may not work on other Ubuntu releases. If available, we strongly recommend using a guide written for the version of Ubuntu you are using. You can use the search functionality at the top of the page to find a more recent version.

Introduction


LDAP, or Lightweight Directory Access Protocol, is a protocol for managing related information from a centralized location through the use of a file and directory hierarchy.

It functions in a similar way to a relational database in certain ways, and can be used to organize and store any kind of information. LDAP is commonly used for centralized authentication.

In this guide, we will cover how to install and configure an OpenLDAP server on an Ubuntu 12.04 VPS. We will populate it with some users and groups. In a later tutorial, authentication using LDAP will be covered.

Install LDAP


The OpenLDAP server is in Ubuntu’s default repositories under the package “slapd”, so we can install it easily with apt-get. We will also install some additional utilities:

sudo apt-get update
sudo apt-get install slapd ldap-utils

You will be asked to enter and confirm an administrator password for the administrator LDAP account.

Reconfigure slapd


When the installation is complete, we actually need to reconfigure the LDAP package. Type the following to bring up the package configuration tool:

sudo dpkg-reconfigure slapd

You will be asked a series of questions about how you’d like to configure the software.

  • Omit OpenLDAP server configuration? No

  • DNS domain name?

    • This will create the base structure of your directory path. Read the message to understand how it works.

    • There are no set rules for how to configure this. If you have an actual domain name on this server, you can use that. Otherwise, use whatever you’d like.

    • In this article, we will call it test.com <br/>

  • Organization name?

    • Again, this is up to you

    • We will use example in this guide. <br/>

  • Administrator password?

    • Use the password you configured during installation, or choose another one <br/>
  • Database backend to use? HDB

  • Remove the database when slapd is purged? No

  • Move old database? Yes

  • Allow LDAPv2 protocol? No

Install PHPldapadmin


We will be administering LDAP through a web interface called PHPldapadmin. This is also available in Ubuntu’s default repositories.

Install it with this command:

sudo apt-get install phpldapadmin

That will install all of the required web server and PHP dependencies.

Configure PHPldapadmin


We need to configure some values within the web interface configuration files before trying it out.

Open the configuration file with root privileges:

sudo nano /etc/phpldapadmin/config.php

Search for the following sections and modify them accordingly.

Change the <span class=“highlight”>red</span> value to the way you will be referencing your server, either through domain name or IP address.

<pre> $servers->setValue(‘server’,‘host’,‘<span class=“highlight”>domain_nam_or_IP_address</span>’); </pre>

For the next part, you will need to reflect the same value you gave when asked for the DNS domain name when we reconfigured “slapd”.

You will have to convert it into a format that LDAP understands by separating each domain component. Domain components are anything that is separated by a dot.

These components are then given as values to the “dc” attribute.

For instance, if your DNS domain name entry was “imaginary.lalala.com”, LDAP would need to see “dc=imaginary,dc=lalala,dc=com”. Edit the following entry to reflect the name you selected (ours is “test.com” as you recall):

<pre> $servers->setValue(‘server’,‘base’,array(‘dc=<span class=“highlight”>test</span>,dc=<span class=“highlight”>com</span>’)); </pre>

The next value to modify will use the same domain components that you just set up in the last entry. Add these after the “cn=admin” in the entry below:

<pre> $servers->setValue(‘login’,‘bind_id’,‘cn=admin,dc=<span class=“highlight”>test</span>,dc=<span class=“highlight”>com</span>’); </pre>

Search for the following section about the “hide_template_warning” attribute. We want to uncomment this line and set the value to “true” to avoid some annoying warnings that are unimportant.

<pre> $config->custom->appearance[‘hide_template_warning’] = <span class=“highlight”>true</span>; </pre>

Save and close the file.

Log Into the Web Interface


You can access by going to your domain name or IP address followed by “/phpldapadmin” in your web browser:

<pre> <span class=“highlight”>domain_name_or_IP_address</span>/phpldapadmin </pre>

<img style=“border:2px solid black; display:block;margin-left:auto;margin-right:auto” src=“https://assets.digitalocean.com/articles/ldap_basics/phpldap_initial.png” alt =“PHPldapadmin inital screen” />

Click on the “login” link on the left-hand side.

You will receive a login prompt. The correct Login DN (distinguished name) should be pre-populated if you configured PHPldapadmin correctly. In our case, this would be “cn=admin,dc=test,dc=com”.

<img style=“border:2px solid black; display:block;margin-left:auto;margin-right:auto” src=“https://assets.digitalocean.com/articles/ldap_basics/phpldap_login.png” alt =“PHPldapadmin login” />

Enter the password you selected during our slapd configuration.

You will be presented with a rather sparse interface initially.

<img style=“border:2px solid black; display:block;margin-left:auto;margin-right:auto” src=“https://assets.digitalocean.com/articles/ldap_basics/phpldap_logged_in.png” alt =“PHPldapadmin logged in” />

If you click on the “plus” next to the domain components (dc=test,dc=com), you will see the admin login we are using.

<img style=“border:2px solid black; display:block;margin-left:auto;margin-right:auto” src=“https://assets.digitalocean.com/articles/ldap_basics/phpldap_admin_entry.png” alt =“PHPldapadmin admin entry” />

Add Organizational Units, Groups, and Users


LDAP is very flexible. You can create hierarchies and relationships in many different ways, depending on what kind of information you need accessible and what kind of use case you have.

We will create some basic structure to our information and then populate it with information.

Create Organizational Units


First, we will create some categories of information where we will place the later information. Because this is a basic setup, we will only need two categories: groups and users.

Click on the “Create new entry here” link on the left-hand side.

Here, we can see the different kinds of entries we can create.

<img style=“border:2px solid black; display:block;margin-left:auto;margin-right:auto” src=“https://assets.digitalocean.com/articles/ldap_basics/object_selection.png” alt =“LDAP object selection” />

Because we are only using this as an organizational structure, rather than an information-heavy entry, we will use the “Generic: Organizational Unit” template.

We will be asked to create a name for our organizational unit. Type “groups”:

<img style=“border:2px solid black; display:block;margin-left:auto;margin-right:auto” src=“https://assets.digitalocean.com/articles/ldap_basics/groups_name.png” alt =“LDAP groups name” />

We will then need to commit the changes.

<img style=“border:2px solid black; display:block;margin-left:auto;margin-right:auto” src=“https://assets.digitalocean.com/articles/ldap_basics/commit_ou.png” alt =“LDAP commit ou” />

When this is complete, we can see a new entry on the left-hand side.

<img style=“border:2px solid black; display:block;margin-left:auto;margin-right:auto” src=“https://assets.digitalocean.com/articles/ldap_basics/ou_groups.png” alt =“LDAP ou groups” />

We will create one more organizational structure to get ourselves going. Repeat the procedure, but this time, use the name “users”.

When you are done, you should have something that looks like this:

<img style=“border:2px solid black; display:block;margin-left:auto;margin-right:auto” src=“https://assets.digitalocean.com/articles/ldap_basics/ou_complete.png” alt =“LDAP ou complete” />

Create Groups


We will be creating three different groups that could be used to organize users into different “access” groups based on the privileges they require.

We will create an “admin” group, an “irc” group, and a “user” group. We could then allow members of different groups to authenticate if we set up client LDAP authentication.

We want to create the groups within the “groups” organizational unit. Click on the “groups” category we created. In the main pane, click on the “Create a child entry” within the groups category.

<img style=“border:2px solid black; display:block;margin-left:auto;margin-right:auto” src=“https://assets.digitalocean.com/articles/ldap_basics/child_groups.png” alt =“LDAP child of groups” />

This time, we will choose the “Generic: Posix Group” category.

<img style=“border:2px solid black; display:block;margin-left:auto;margin-right:auto” src=“https://assets.digitalocean.com/articles/ldap_basics/posix_group.png” alt =“LDAP posix group” />

Fill in “admin” as the group name. Click “Create Object” and then confirm on the next page.

<img style=“border:2px solid black; display:block;margin-left:auto;margin-right:auto” src=“https://assets.digitalocean.com/articles/ldap_basics/admin_group.png” alt =“LDAP admin group” />

Repeat the process, but simply replace the “admin” name with “irc” and “user”. Be sure to re-click the “ou=groups” entry before creating child entries, or else you may create entries under the wrong category.

You should now have three groups in the left-hand panel:

<img style=“border:2px solid black; display:block;margin-left:auto;margin-right:auto” src=“https://assets.digitalocean.com/articles/ldap_basics/three_groups.png” alt =“LDAP three groups” />

You can see an overview of the entries in the “ou=groups” category by clicking on that entry, and then clicking on “View 3 children”:

<img style=“border:2px solid black; display:block;margin-left:auto;margin-right:auto” src=“https://assets.digitalocean.com/articles/ldap_basics/view_three_children.png” alt =“LDAP view three children” />

Create Users


Next, we will create users to put in these groups. Start by clicking the “ou=users” category. Click on “Create a child entry”.

We will choose “Generic: User Account” for these entries.

<img style=“border:2px solid black; display:block;margin-left:auto;margin-right:auto” src=“https://assets.digitalocean.com/articles/ldap_basics/user_account.png” alt =“LDAP user account” />

We will be given a lot of fields to fill out:

<img style=“border:2px solid black; display:block;margin-left:auto;margin-right:auto” src=“https://assets.digitalocean.com/articles/ldap_basics/user_fields.png” alt =“LDAP user fields” />

Fill in all of the entries with information that makes sense for your user.

Something to keep in mind is that the “Common Name” needs to be unique for each entry in a category. So you may want to use a username format instead of the default “FirstName LastName” that is auto-populated.

Click “Create Object” at the bottom and confirm on the following page.

To create additional users, we will take advantage of the ability to copy entries.

Click on the user you just created in the left-hand panel. In the main pane, click “Copy or move this entry”:

<img style=“border:2px solid black; display:block;margin-left:auto;margin-right:auto” src=“https://assets.digitalocean.com/articles/ldap_basics/copy_entry.png” alt =“LDAP copy user entry” />

Adjust the “cn=user” portion of the entry to point it to the common name you’d like to use for the new entry. Click “Copy” at the bottom:

<img style=“border:2px solid black; display:block;margin-left:auto;margin-right:auto” src=“https://assets.digitalocean.com/articles/ldap_basics/copy_common_name.png” alt =“LDAP copy common name” />

You will be given the next page populated with your first users data. You will need to adjust it to match the new users information.

Be sure to adjust the uidNumber. Click the “Create Object” button at the bottom.

Add Users to Groups


We can add users to various groups by clicking on the group in question. In the main pane, select “Add new attribute”:

<img style=“border:2px solid black; display:block;margin-left:auto;margin-right:auto” src=“https://assets.digitalocean.com/articles/ldap_basics/add_new_attr.png” alt =“LDAP add new attribute” />

Select “memberUid” from the drop down menu:

<img style=“border:2px solid black; display:block;margin-left:auto;margin-right:auto” src=“https://assets.digitalocean.com/articles/ldap_basics/memberuid_entry.png” alt =“LDAP memberuid entry menu” />

In the text field that populates, enter the first user you’d like to add. Click “Update Object” at the bottom:

<img style=“border:2px solid black; display:block;margin-left:auto;margin-right:auto” src=“https://assets.digitalocean.com/articles/ldap_basics/add_user2.png” alt =“LDAP add user2” />

You can then add more members by clicking “modify group members” and selecting them from the available choices:

<img style=“border:2px solid black; display:block;margin-left:auto;margin-right:auto” src=“https://assets.digitalocean.com/articles/ldap_basics/user_choices.png” alt =“LDAP user choices” />

Conclusion


You should now have a basic LDAP server set up with a few users and groups. You can expand this information and add all of the different organizational structures to replicate the structure of your business.

We will cover in another section how to authenticate using the LDAP credentials for various services.

<div class=“author”>By Justin Ellingwood</div>

Thanks for learning with the DigitalOcean Community. Check out our offerings for compute, storage, networking, and managed databases.

Learn more about our products

About the authors

Still looking for an answer?

Ask a questionSearch for more help

Was this helpful?
 
10 Comments


This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

I would suggest changing the link in

We will cover in another section ‘how to authenticate using the LDAP credentials’ for various services. which is, "https://www.digitalocean.com/community/articles/how-to-use-pam-to-configure-authentication-on-an-ubuntu-12-04-vps " to “https://www.digitalocean.com/community/articles/how-to-authenticate-client-computers-using-ldap-on-an-ubuntu-12-04-vps

Justin Ellingwood
DigitalOcean Employee
DigitalOcean Employee badge
January 2, 2014

andrew: Thanks for the heads up. That was the intended link, and I’ve updated the article to reflect your suggestion.

Let me know if you see anything else! Thanks!

The link at the top of the article should also be changed

Kamal Nasser
DigitalOcean Employee
DigitalOcean Employee badge
January 5, 2014

Thanks, andrew! I’ve updated the article.

Hi, I am getting the following error when trying to create a user.

Could not add the object to the LDAP server.

LDAP said: No such object Error number: 0x20 (LDAP_NO_SUCH_OBJECT) Description: That object does not exist.

I am in the process of migration a Centos5 OpenLDAP server over to Ubuntu 12.04, and I am running in to an issue with the initial configuration. I am trying to replication the structure that was setup by the admin a couple of years back (who is no longer around), but I have been unsuccessful at it. I am hoping that someone could point me in the right direction. The structure of the original install is as follows:

First the login: Login DN: cn=Manager,o=sun

Structure: The top structure only has “o=sun”, no “dc=sun, dc=net”. Then: “ou=Groups, o=sun”,“ou=Users, o=sun”, “sambaDomainName=SUNSERVER”, and “Create new entry here”.

I am new to OpenLDAP, I have been using the following how-to, successfully, but I have not been able to achieve the desired results.

http://ideasnet.wordpress.com/2012/10/31/ideas-server-how-to-install-and-set-openldap-in-ubuntu-12-04lts-server-edition-part-1/

Thanks in advance, Joe

The best I’ve seend. Congratulations.

This is a fantastic article. It should be noted though that this article required some additional steps if you’re installing on Ubuntu 13.10 as phpLDAPadmin requires a fair bit of patching due to the php5.5 version that 13.10 selects.

http://sourceforge.net/u/nihilisticz/phpldapadmin/ci/7e53dab990748c546b79f0610c3a7a58431e9ebc/ and http://stackoverflow.com/questions/20673186/getting-error-for-setting-password-feild-when-creating-generic-user-account-phpl

will get you through.

Hello, and thank you for this great article.

When i try to connect to My_IP_address/phpldapadmin the browser suggest me to download the file with this message "Vous avez choisir d’ouvrir “application/x-httpd-php” à partir de http://IP

I have this configuration PHP Version => 5.4.4-14+deb7u7

I tried several things but didn’t find the right way to solve it… Can you help me ? Thanks in advance Gilles

Kamal Nasser
DigitalOcean Employee
DigitalOcean Employee badge
March 3, 2014

@gilles: What version of Ubuntu are you using?

Try DigitalOcean for free

Click below to sign up and get $200 of credit to try our products over 60 days!

Sign up

Join the Tech Talk
Success! Thank you! Please check your email for further details.

Please complete your information!

Become a contributor for community

Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.

DigitalOcean Documentation

Full documentation for every DigitalOcean product.

Resources for startups and SMBs

The Wave has everything you need to know about building a business, from raising funding to marketing your product.

Get our newsletter

Stay up to date by signing up for DigitalOcean’s Infrastructure as a Newsletter.

New accounts only. By submitting your email you agree to our Privacy Policy

The developer cloud

Scale up as you grow — whether you're running one virtual machine or ten thousand.

Get started for free

Sign up and get $200 in credit for your first 60 days with DigitalOcean.*

*This promotional offer applies to new accounts only.