Ubuntu 11.04 SBS (Small Business Server) Setup: Part 3 – OpenLDAP

This is part of a guide to setting up Ubuntu Server Edition 11.04 for a small/medium business. The server will provide DHCP, DNS, NTP, LDAP, Kerberos and NFS services such that users can login to any machine on the network and all their files and settings will be the same across the entire network.

OpenLDAP is a directory service. Think of it as a database for storing all your users, their groups and other information. In time you can use it to store much more, but initially we’re going to use it as a centralised authorisation system. Clients will check usernames and permissions against those stored in the directory on the server. Though it is also possible to store passwords in LDAP and use it for authentication, we’ll be using Kerberos for this purpose.

The first step is to install OpenLDAP along with some utilities for administering it.

sudo apt-get install slapd ldap-utils

You will be prompted for an LDAP admin password. Once you have set this, much of the manual configuration that had to be done in previous releases is handled automatically in 11.04: Ubuntu configures LDAP using the domain information we supplied in previous steps of this guide. If you do wish to change this, run “sudo dpkg-reconfigure slapd”. All that remains is to create a place in the OpenLDAP directory to store our users and our groups.

This is done by creating a frontend.danbishop.org.ldif file like so:

dn: ou=Users,dc=danbishop,dc=org
objectClass: organizationalUnit
ou: Users

dn: ou=Groups,dc=danbishop,dc=org
objectClass: organizationalUnit
ou: Groups

Please note: it is important that there is a blank line between “ou: Users” and “dn: ou=Groups,dc=danbishop,dc=org”. If you are copying and pasting the above, the blank line will have a space at the beginning; you must remove it!

Now we add the LDIF in the following way, entering your root LDAP password when prompted (the one you set during slapd installation):

sudo ldapadd -x -D cn=admin,dc=danbishop,dc=org -W -f frontend.danbishop.org.ldif
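The LDIF above is easy to get wrong when pasted, so here is an added helper script (not part of the original post) that derives the base DN from a domain name, writes the Users/Groups LDIF for it, and checks the file for the whitespace-only blank line the note warns about before you hand it to ldapadd. The function names and the script name are my own.

```shell
#!/bin/sh
# Added example: generate and sanity-check the frontend LDIF.
# Function names (domain_to_base_dn, make_frontend_ldif, check_ldif) are assumptions.

# domain_to_base_dn: "danbishop.org" -> "dc=danbishop,dc=org"
domain_to_base_dn() {
    printf '%s' "$1" | awk -F. '{
        for (i = 1; i <= NF; i++) printf "%sdc=%s", (i > 1 ? "," : ""), $i
    }'
}

# make_frontend_ldif: print the two organizationalUnit entries, separated
# by a genuinely empty line, for the given base DN
make_frontend_ldif() {
    base="$1"
    printf 'dn: ou=Users,%s\nobjectClass: organizationalUnit\nou: Users\n\n' "$base"
    printf 'dn: ou=Groups,%s\nobjectClass: organizationalUnit\nou: Groups\n' "$base"
}

# check_ldif: return 1 if the file contains a whitespace-only line (a pasted
# blank line with a leading space is not an entry separator) or a line that
# is not empty, a comment, an "attr: value" line, or a continuation line
check_ldif() {
    file="$1"
    if grep -q '^[[:space:]]\{1,\}$' "$file"; then
        echo "error: whitespace-only line in $file (remove the leading space)" >&2
        return 1
    fi
    if grep -nvE '^($|#.*|[A-Za-z][A-Za-z0-9-]*::? .+| .+)$' "$file"; then
        echo "error: malformed line(s) listed above in $file" >&2
        return 1
    fi
    return 0
}

# Usage as a script: ./mkldif.sh danbishop.org > frontend.danbishop.org.ldif
if [ "$#" -ge 1 ]; then
    make_frontend_ldif "$(domain_to_base_dn "$1")"
fi
```

Run check_ldif on the file first and only call ldapadd if it returns 0; ldapadd itself will also reject a bad separator, but the check tells you which line is at fault.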

LDAP Authentication on the Server

LDAP doesn’t actually contain any users or groups yet, but now is a good time to configure the server to check LDAP for login information, so that once we’ve set up Kerberos and created our first users we’re ready to go! This is very easy to configure; it simply requires installing two packages:

sudo apt-get install libnss-ldapd libpam-ldapd

During the configuration step of the installation you will be asked to confirm your LDAP settings and which services you would like to enable LDAP for; select “group”, “passwd” and “shadow”. The packages then configure /etc/nsswitch.conf, /etc/pam.d/common-auth and /etc/nslcd.conf automatically.

  • Will

    Hi, when I try to add the frontend.ldif I get the error: ldap_bind: Invalid Credentials (49). I purged the ldap service and reinstalled it… and nothing. Does anyone have a clue about this issue?

  • John

    I got the same “invalid credentials (49)”… help anyone? Thanks.

  • Archer

    >ldap_bind: Invalid Credentials (49)

    I had the same problem. After “sudo dpkg-reconfigure slapd” the problem was solved.

  • exestr

    I had that problem, and reinstalled then followed the instructions again. I know the real reason – this is very, very difficult to get correct if you are building a domain server inside a network where an MS-SBS box is already running everything. Gradually wrestling control out of SBS is tough – starting from nothing is definitely to be recommended.

  • quentusrex

    If you initially install the slapd package on 11.04 and your FQDN is not correct then ‘dc=nodomain’ will be used. This can cause the authentication issues that some have commented about. If you then try to ‘dpkg-reconfigure slapd’, the writing of the new configs will fail with an error because the directory /etc/ldap/slapd.d/ exists. To fix this issue run these commands:

    /etc/init.d/slapd stop
    mv /etc/ldap/slapd.d/ ~
    dpkg-reconfigure slapd

  • Giuseppe

    Under Ubuntu 11.04, acting as root (sudo su) resolved the “/etc/ldap/slapd.d/ exists” error and invalid credentials (49) after purging slapd and manually deleting /etc/apt.