Ubuntu 14.04 Ultimate Server Guide

Part 3: OpenLDAP

OpenLDAP is a directory service. Think of it as a database for storing all your users, their groups and other information. In time you can use it to store much more, but initially we’re going to use it as a centralised authorisation system. Clients will check usernames and permissions against those stored in the directory on the server. Though it is also possible to store passwords in LDAP and use it for authentication, we’ll be using Kerberos for this purpose.

The first step is to install OpenLDAP along with some utilities for administering it. This process uses your hostname to configure your LDAP domain, so it is very important that you have set this correctly BEFORE continuing, otherwise you will get an “Invalid credentials (49)” error when binding at the next step. In this example the domain is danbishop.org and the server is called neo, so make sure /etc/hosts contains a line with the server’s IP address followed by “neo.danbishop.org neo”. If this is not the case, make the change and then REBOOT. Now install OpenLDAP:

sudo apt-get install slapd ldap-utils

You will be prompted for an LDAP admin password. Once you have set this, much of the manual configuration that had to be done in previous releases is handled automatically in 11.04 and above: Ubuntu configures LDAP using the domain information we supplied in previous steps of this guide. If you do wish to change this, you can run “sudo dpkg-reconfigure slapd”. All that remains is to create a place in the OpenLDAP directory to store our users and our groups.

This is done by creating a frontend.danbishop.org.ldif file like so:

dn: ou=Users,dc=danbishop,dc=org
objectClass: organizationalUnit
ou: Users

dn: ou=Groups,dc=danbishop,dc=org
objectClass: organizationalUnit
ou: Groups

Please note: it is important that there is a blank line between “ou: Users” and “dn: ou=Groups,dc=danbishop,dc=org”. If you’re copying and pasting the above, the blank line will have a space at the beginning; you must remove this!

Now we add the LDIF in the following way, entering your root LDAP password when prompted (the one you set during slapd installation):

sudo ldapadd -x -D cn=admin,dc=danbishop,dc=org -W -f frontend.danbishop.org.ldif


Whilst we’re setting up LDAP, this would be a good time to create the necessary LDAP entries for AutoFS. This will handle the mounting of home directories on clients later on.

It isn’t necessary to use LDAP for AutoFS; you can simply specify the same settings on every client. The only problem with this is that if you decide to change something in the future, you have to change it manually on every client. LDAP provides a centralised way of doing this.

The first thing to do is tell LDAP what AutoFS is by defining a schema.

Create a file called autofs.ldif:

nano autofs.ldif

And enter the following data into it:

dn: cn=autofs,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: autofs
# OIDs are those of the autofs.schema shipped with autofs
olcAttributeTypes: {0}( 1.3.6.1.1.1.1.33 NAME 'automountInformation' DESC 'Information used by the autofs automounter' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcObjectClasses: {0}( 1.3.6.1.1.1.1.13 NAME 'automount' DESC 'An entry in an automounter map' SUP top STRUCTURAL MUST ( cn $ automountInformation $ objectclass ) MAY description )
olcObjectClasses: {1}( 1.3.6.1.4.1.2312.4.2.2 NAME 'automountMap' DESC 'A group of related automount objects' SUP top STRUCTURAL MUST ou )

There’s nothing environment specific in there, so you won’t need to make any changes. Now add it to the LDAP database:

sudo ldapadd -Y EXTERNAL -H ldapi:/// -f autofs.ldif

Now, to create our automount maps, make a new file, automount.ldif:

nano automount.ldif

And enter the following data:

dn: ou=admin,dc=danbishop,dc=org
ou: admin
objectClass: top
objectClass: organizationalUnit

dn: ou=automount,ou=admin,dc=danbishop,dc=org
ou: automount
objectClass: top
objectClass: organizationalUnit

dn: ou=auto.master,ou=automount,ou=admin,dc=danbishop,dc=org
ou: auto.master
objectClass: top
objectClass: automountMap

dn: cn=/home,ou=auto.master,ou=automount,ou=admin,dc=danbishop,dc=org
cn: /home
objectClass: top
objectClass: automount
automountInformation: ldap:ou=auto.home,ou=automount,ou=admin,dc=danbishop,dc=org --timeout=60 --ghost

dn: ou=auto.home,ou=automount,ou=admin,dc=danbishop,dc=org
ou: auto.home
objectClass: top
objectClass: automountMap

dn: cn=/,ou=auto.home,ou=automount,ou=admin,dc=danbishop,dc=org
cn: /
objectClass: top
objectClass: automount
automountInformation: -fstype=nfs4,rw,hard,intr,fsc,sec=krb5 neo.danbishop.org:/home/&

This tells AutoFS to map all requests for /home/$USERNAME to the correct NFS share (the & in the map is replaced by the requested key, i.e. the username). Please note: as above, it is important that an empty line exists between each section; if you are copying and pasting the above, remember to remove the space character present on the blank lines!

Now we add it to the database:

sudo ldapadd -x -D cn=admin,dc=danbishop,dc=org -W -f automount.ldif


So that clients know which users and groups can use sudo, and so that this can be centrally managed, we’re also going to create a schema for sudo.

Create a new file called sudo.ldif:

nano sudo.ldif

And paste the following contents into it:

dn: cn=sudo,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: sudo
# OIDs are those of the sudo.schema shipped with sudo
olcAttributeTypes: {0}( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {1}( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {2}( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 'Command(s) to be executed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {3}( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs' DESC 'User(s) impersonated by sudo (deprecated)' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {4}( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption' DESC 'Options(s) followed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {5}( 1.3.6.1.4.1.15953.9.1.6 NAME 'sudoRunAsUser' DESC 'User(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {6}( 1.3.6.1.4.1.15953.9.1.7 NAME 'sudoRunAsGroup' DESC 'Group(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {7}( 1.3.6.1.4.1.15953.9.1.8 NAME 'sudoNotBefore' DESC 'Start of time interval for which the entry is valid' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
olcAttributeTypes: {8}( 1.3.6.1.4.1.15953.9.1.9 NAME 'sudoNotAfter' DESC 'End of time interval for which the entry is valid' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
olcAttributeTypes: {9}( 1.3.6.1.4.1.15953.9.1.10 NAME 'sudoOrder' DESC 'an integer to order the sudoRole entries' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
olcObjectClasses: {0}( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' DESC 'Sudoer Entries' SUP top STRUCTURAL MUST cn MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ sudoRunAsGroup $ sudoOption $ sudoOrder $ sudoNotBefore $ sudoNotAfter $ description ) )

Now we add this to our LDAP server like so:

sudo ldapadd -Y EXTERNAL -H ldapi:/// -f sudo.ldif

LDAP now knows what sudo records are and how to store them, so we can create a container and fill it with records for our sudo-enabled groups.

To do this, create a sudoMaster.ldif file:

nano sudoMaster.ldif

And enter the following contents:

dn: ou=sudoers,dc=danbishop,dc=org
objectclass: organizationalUnit
objectclass: top
ou: sudoers

dn: cn=defaults,ou=sudoers,dc=danbishop,dc=org
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOptions go here
sudoOption: env_reset
sudoOption: mail_badpass
sudoOrder: 1

dn: cn=root,ou=sudoers,dc=danbishop,dc=org
objectClass: top
objectClass: sudoRole
cn: root
sudoUser: root
sudoHost: ALL
sudoRunAsUser: ALL
sudoRunAsGroup: ALL
sudoCommand: ALL
sudoOrder: 2

dn: cn=%admin,ou=sudoers,dc=danbishop,dc=org
objectClass: top
objectClass: sudoRole
cn: %admin
sudoUser: %admin
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
sudoOrder: 3

dn: cn=%sudo,ou=sudoers,dc=danbishop,dc=org
objectClass: top
objectClass: sudoRole
cn: %sudo
sudoUser: %sudo
sudoHost: ALL
sudoRunAsUser: ALL
sudoRunAsGroup: ALL
sudoCommand: ALL
sudoOrder: 4

dn: cn=%domainadmins,ou=sudoers,dc=danbishop,dc=org
objectClass: top
objectClass: sudoRole
cn: %domainadmins
sudoUser: %domainadmins
sudoHost: ALL
sudoRunAsUser: ALL
sudoRunAsGroup: ALL
sudoCommand: ALL
sudoOrder: 5

PLEASE NOTE: As with the other LDIF files, the blank lines in the above must be exactly that! If you’re copying and pasting from this blog, you will have a single space character on each “blank” line. Be sure to remove it, leaving only a blank line! I will fix this one day…

Now we can add our information to the LDAP database like so:

ldapadd -f sudoMaster.ldif -D "cn=admin,dc=danbishop,dc=org" -W -x
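Two things go wrong most often with the LDIF files in this part: “blank” lines that actually contain a space (the copy-and-paste problem noted after each file) and entries whose parent DN does not exist yet (which ldapadd reports as “No such object (32)”). The checker below is an added example, not code from the guide; it parses an LDIF file, reports both problems, and then shows which sudoRole entries from a sudoMaster.ldif-style file apply to a given user, group list and host, in sudoOrder. The sample LDIF is constructed to mirror sudoMaster.ldif with one of each mistake deliberately present; `<SP>` marks the single space.

```python
"""Lint an LDIF file for the copy-and-paste mistakes this guide warns about, then work out
which sudoRole entries apply to a user. Added example modelled on the guide's sudoMaster.ldif."""

# Constructed sample: the line after "ou: sudoers" holds a single space (<SP>) instead of
# being empty, and the last entry's parent OU is misspelt ("sudoer").
SAMPLE_LDIF = """\
dn: ou=sudoers,dc=danbishop,dc=org
objectclass: organizationalUnit
ou: sudoers
<SP>
dn: cn=defaults,ou=sudoers,dc=danbishop,dc=org
objectClass: sudoRole
cn: defaults
sudoOption: env_reset

dn: cn=%admin,ou=sudoers,dc=danbishop,dc=org
objectClass: sudoRole
cn: %admin
sudoUser: %admin
sudoHost: ALL
sudoCommand: ALL
sudoOrder: 3

dn: cn=%domainadmins,ou=sudoer,dc=danbishop,dc=org
objectClass: sudoRole
cn: %domainadmins
sudoUser: %domainadmins
sudoHost: neo.danbishop.org
sudoCommand: ALL
sudoOrder: 5
""".replace("<SP>", " ")

SUFFIXES = {"dc=danbishop,dc=org", "cn=config"}  # parents that need not be in the file


def lint_and_parse(text):
    """Return (problems, entries); an entry maps lower-cased attribute names to value lists."""
    problems, entries, cur = [], [], {}
    raw = text.split("\n")
    for n, line in enumerate(raw, 1):
        if line and not line.strip():
            problems.append(f"line {n}: 'blank' line contains whitespace (LDIF reads it as a continuation)")
    unfolded = []
    for line in ("" if not l.strip() else l for l in raw):
        if line.startswith(" ") and unfolded:      # genuine folded continuation line
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    for line in unfolded + [""]:                   # an empty line ends the current entry
        if not line:
            if cur:
                entries.append(cur)
                cur = {}
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            cur.setdefault(name.strip().lower(), []).append(value.strip())
    dns = {e["dn"][0].lower() for e in entries}
    for e in entries:                              # parent must be in this file or a suffix
        parent = e["dn"][0].partition(",")[2].lower()
        if parent not in dns and parent not in SUFFIXES:
            problems.append(f"{e['dn'][0]}: parent {parent} missing; ldapadd would fail with No such object (32)")
    return problems, entries


def matching_roles(entries, user, groups, host):
    """cn of every sudoRole granting user (a member of groups) something on host, in sudoOrder.
    Models literal names, %group and ALL only; netgroups and '!' negation are not handled."""
    hits = []
    for e in entries:
        if "sudorole" not in [c.lower() for c in e.get("objectclass", [])] or e["cn"][0] == "defaults":
            continue                               # cn=defaults only carries sudoOption values
        user_ok = any(u == "ALL" or u == user or (u[:1] == "%" and u[1:] in groups) for u in e.get("sudouser", []))
        host_ok = any(h in ("ALL", host) for h in e.get("sudohost", []))
        if user_ok and host_ok:
            hits.append((int(e.get("sudoorder", ["0"])[0]), e["cn"][0]))
    return [cn for _, cn in sorted(hits)]
```

Run `lint_and_parse` over a real file before `ldapadd` and the two messages above point straight at the offending line or DN; `matching_roles` is a quick way to review who the sudoers container actually grants ALL to.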

LDAP Indices

Although all of the above will work just fine, LDAP will complain every time a user is looked up in the database that you haven’t indexed the UIDs. Indexing allows LDAP to perform searches faster than it otherwise would. Though this increase in performance is negligible with only a few users, large-scale deployments will see noticeable benefits. To prepare for possible future expansion, and to keep our log clean, we’re going to create some indices for UIDs and other LDAP values.

Create an index.ldif file:

nano index.ldif

And insert the following:

dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: uidNumber eq
olcDbIndex: gidNumber eq
olcDbIndex: loginShell eq
olcDbIndex: uid eq,pres,sub
olcDbIndex: memberUid eq,pres,sub
olcDbIndex: uniqueMember eq,pres
olcDbIndex: sudoHost eq,sub
olcDbIndex: sudoUser eq,sub

Now we’re going to run the modification like so:

sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f index.ldif

And we’re done!



  • Florent

    Hi Dan !
    Thank you for your great work, as usual 🙂

    I have an error on part 7, like another follower of your 12.04 guide (http://www.danbishop.org/2012/06/02/ubuntu-12-04-ultimate-server-guide/#comment-1552860993).
    Command kadmin -p dan/admin -q "addprinc -randkey nfs/$(hostname -f)" failed with:
    Authenticating as principal dan/admin with password.
    kadmin: Cannot resolve network address for admin server in requested realm while initializing kadmin interface

    Moreover, after restart sssd, it is impossible to connect to LDAP user with su, and getent passwd only shows local user.
    I think there is a problem between client and server. Everything works fine on server side, and client can ping server through kerberos.domain.local and ldap.domain.local.

    Thank you for your help

    • danbishop88

      Hi Florent,

      Try appending -s kerberos.domain.local to that command and see what happens. It looks like you’re customising some parts of the guide for your own environment, but not others… it’s possible that your /etc/krb5.conf file on the client is wrong.

      I’m hoping to have a way of doing all of this using puppet going very soon. I’m almost there and will hopefully publish in the next couple of weeks. That should eliminate all the problems people are having by varying parts of the guide for their environment, but not others.


      • Florent

        Thank you very much for your answer.
        I reinstalled server & client. No customising except domain (domain.local) and kerberos username as florent/admin. On the client side, sudo dpkg-reconfigure krb5-config only asks for the realm, but server and admin server were defined during installation. My /etc/krb5.conf file seems to be good. My domain isn’t defined in [domain_realm] but it is in [libdefaults]. Server names are at the top of [realms] (kdc and admin_server).
        Is there a place where krb logs?

        Thanks again.

    • Hi Florent,

      I ran across the same problem as you have; after several tryouts I found out that you need to point your DNS client to the IP of the server.

      ie. DNS Client is : from Network Manager, then you change to (IP of Ubuntu Server)

      and voila :)… Hope this helps !

    • aqw

      I also got this error and solved it by adding kerberos.danbishop.org to /etc/hosts of the client machine

    • OleHoppe

      Solved this issue by editing /etc/nsswitch.conf on the client (kubuntu 16.04.2). Modify “hosts” line to read:
      hosts: files dns

  • Marco

    Hi Dan, thanks for this beautiful guide

    I tried your guide many times but have some problems

    Server configured as in your guide.
    When I try to log in from a configured client (using a server username) it logs in successfully but is unable to mount the home directory

    “Could not chdir to home directory /home/fabio: No such file or directory”

    I checked and checked again but still have this problem….

    Can you help me?

    • Marco

      I have only Linux (Debian) PCs; I’m interested in central accounting and sharing users’ home directories… Samba in future (not important now)

      Ubuntu 14 server configured as in your VERY clear guide (and thanks!!)
      I’m able to ssh login on the server using LDAP user accounts and it is fantastic

      then I want to allow login from clients, PCs… configured as in the guide… login is accepted but NO home directory mounted

      How can I debug where the problem is?

      Sorry for my English

      • GuiSenges

        Hello Marco,

        I got the same problem. Any news? I’ve double checked this tutorial multiple times and everything seems ok…

        • GuiSenges

          Small update: when running automount in verbose mode I get “mount(nfs): no hosts available”. NFS server is up and running… Very strange…

        • GuiSenges

          Ok, I figured it out: ports 111 and 2049, both TCP and UDP, need to be opened… Thanks for the excellent tutorial Dan!

        • Marco

          In my case there was no firewall…

        • Marco

          Problem solved, it was a problem with reverse resolution… because I have an existing BIND DNS server and need to use it, I can’t use dnsmasq. Now NFS/Kerberos works perfectly!!
          Thanks for this perfect, clean guide DAN!!

          Now going on to configure Samba, but I have a problem again (sorry!!): Windows PC can see the Samba share but can join to the Samba domain. When I try to join the Samba domain from a Windows PC, it asks for user name and password (I use my user (domainuser) with net rpc rights grant) but gives me an error… each username and password I try to use, same error…

    • Hi Marco,

      I have the same situation as you; can you help me out with the solutions here?

  • Marco

    Hi again,
    I have this strange problem:

    if I reinstall Ubuntu on the server, add again LDAP users, Kerberos etc etc (as in this guide)

    clients can’t mount their home using NFS

    I try to log in from one client, perform again:
    kadmin -p dan/admin -q "addprinc -randkey nfs/$(hostname -f)"
    sudo kadmin -p dan/admin -q "ktadd nfs/$(hostname -f)"
    but nothing happens

    if I reinstall Ubuntu on the client PC and follow the client configuration (of this guide), all returns to perfect working

    I think the problem is Kerberos, but how to solve this problem when I reinstall the OS on the server?
    I tried to remove the nfs princ from the server but no solution

    any advice?

    • Hi Marco,

      happens to be the same issue with me as well,
      but instead of reformatting the Ubuntu client, here is what I did:

      apt-get purge --remove krb5-user -y
      REBOOT NOW !

      apt-get install krb5-user -y
      dpkg-reconfigure krb5-config

      sudo kadmin -p dan/admin -q "addprinc -randkey nfs/$(hostname -f)"
      sudo kadmin -p dan/admin -q "ktadd nfs/$(hostname -f)"

      REBOOT NOW !

      and you can easily login with your domain users credentials 🙂

      (PS : your guess is right it is somehow connected to Kerberos, but no need to remove nfs princ 🙂

      • Marco

        thanks for this solution!

  • Steve Thompson

    Thanks for the great guide. I have a question about this setup – I also had this problem with the 12.04 guide. In both, you set neo to have a static IP and then you configure dnsmasq to use Google’s public servers. At no point, as far as I can see, do you tell neo which DNS servers to use which means it has no DNS. I’ve added dns-nameservers to the static config to get round this but I can’t figure out if I’m missing something in the instructions that would make this unnecessary?


  • Hi Dan, just a quick correction,

    on Page 6
    there is something like


    it should not be a comment (remove the hashtag)

    otherwise it will come out with the result

    “Unable to read password file , exiting…”

    But overall these are awesome tutorials :))

    • Thanks Adhi… I had the same issue. Great guide by the way, Dan 😀

  • Marco

    Hi, i have new problem

    new workstation with Windows 10 needs to be joined to Samba

    but no success 🙁

    no problem when adding Windows 7 machines

  • Ian Carey

    The package ldapscripts didn’t work for me. I used ldap-account-manager instead.

    For Samba, by default you get Samba 4. Your command “adminlocal@neo:$ net rpc rights grant -U dan “danbishop.orgDomain Admins” SeMachineAccountPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege SeDiskOperatorPrivilege SeRemoteShutdownPrivilege” is deprecated and will not work with Samba 4.

    The fix is the new syntax below.

    net sam rights grant “danbishop.orgDomain Admins” SeMachineAccountPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege SeDiskOperatorPrivilege SeRemoteShutdownPrivilege -Udan

    Other than those two things I have it all up and running perfectly. Thank you Dan!

  • Jheguy2

    I’ve been getting the error:
    Error adding group domainadmins to LDAP
    every time I try and create a new group. I’ve checked the logs and they are returning:
    ldap_add: No such object (32)
    If anyone could help me I would be more than grateful. Thank you.

    • Pekka R.

      Had a similar problem. Did not check the logs, so not completely sure if it is the same problem.
      I commented line BINDDN=”cn=Manager,dc=example,dc=com” from

      since similar line was already added for actual DN by Dan’s instructions.

    • Dheeraj Bharat Sethi

      Hi there, I just faced the same issue; can you please let me know the solution for the same?

      • Dheeraj Bharat Sethi

        Got it resolved, adding password by vi was causing the issue.

  • Olivier Dir

    Hi all, after client install (Ubuntu 14.04) without error
    I don’t find domainadmins with the command getent group
    How do I debug this point?

    Where is the log file to see if there is a problem?

    Thanks for your help

  • Marco

    All works fantastic (10 months perfect working)
    but now I have new workstations with Windows 10 preinstalled, and want to join them to the Ubuntu domain
    I follow the same guide as for Win7 but Win10 gives me an error, not joining the domain, giving an error (unable to contact domain)

    any help?

  • Kleder Osodarck

    Hello Dan!

    First thanks for the great tutorial!

    I’m using your guide to build a GNS3 network for a college project. The problem is I have to join Windows XP and 2000 machines to the domain; any information or direction on how to do so will be really appreciated! Below is the error I’m receiving in a Windows XP machine:

    error 0x000005B4 ERROR_TIMEOUT

  • John Christensen

    I am not having luck getting Windows 7 to connect to the Samba DC. The error I am getting says that windows was trying to contact the SRV record for _ldap._tcp.dc._msdcs.. I added a SVR record to dnsmasq.conf and pointed the requests to ldap. on port 398. Now I am getting an error from Windows that the domain controller at ldap. could not be reached. Any thoughts on why this is not working for me?

  • TC

    On Ubuntu 15.10, I failed at Step 6, “sudo ldapaddgroup domainadmins”. In /var/log/ldapscripts.log, the error message is ldapadd: invalid format (line 1) entry “”. It turns out it is a bug in ldapscripts—it fails in some locales. For more information, read this:


    You can fix this bug with these commands:

    sudo su
    LC_ALL=C ldapaddgroup domainadmins
    LC_ALL=C ldapaddgroup domainusers
    LC_ALL=C ldapadduser csatc2002 domainadmins
    LC_ALL=C ldapaddusertogroup csatc2002 domainusers

    Just my two cents, and hope it helps.

  • Thanks a lot, Dan.
    I migrated the authentication of a cluster of machines with Ubuntu 14.04 from NIS to LDAP+Kerberos and it worked great. I tried to follow the instructions for SingleSignOn from the Ubuntu Help but it was very complicated, didn’t explain some concepts and contained some “magical” instructions. This guide helped me figure out what I needed to do.

  • Srinath Bk

    Hi Dan,

    thanks for the excellent tutorial.

    I cannot use a DHCP server for my setup since there is already another DHCP server in the LAN. I would like to use static IPs for both server and clients. Can you please suggest what needs to be changed?


  • Dheeraj Bharat Sethi

    Hi Dan,
    Thank you so much for the guide.
    Been stuck on the last step, when trying to log in via the new LDAP user.
    “No passwd entry for user”
    When trying to add passwd, “user does not exist”
    What is going wrong here?

  • Dheeraj Bharat Sethi

    Getting Permission Denied via SSH for the LDAP user added, and Incorrect Login via server login

  • Hello Dan,

    Are there any GUI based apps for managing Sudoer Rules in LDAP? Using a
    LDAP Browser is not a very user-friendly way for managing a large number
    of Sudo Rules. FreeIPA has a UI for managing Sudoer Rules, but it
    requires 389 Directory Server, and we don’t use that in our environment
    (for good reasons)

  • Bineural juls

    Hi, I think all is working ok, but as soon as I log in by ssh with a user I have this error… Could not chdir to home directory /home/robert: No such file or directory
    And locally on the machine this one:
    No directory, logging in with HOME=/
    I can see the problem is that my home is not working… but I dunno how to solve this.
    Any idea please?
    Thanks a lot

  • Pekka R.

    This is still the most clear and complete guide to set up a small company network environment with servers. I can not find better. And I have looked around. Just bloody excellent. “Ultimate” describes this well.
    Did finally have time to look at chapter 10. Just wondering what “In this case a stock install of 12.04 server is being used” means in this context.

    Dan? Does it mean a copy of the primary server installation that I could make with dd command and then twist around the dnsmasq configuration file?

    Maybe the safest option is to start installing the server from the start and follow the master server setup instructions until this point. I expect that the /etc/dnsmasq.conf file will be a mirror of the master dnsmasq server regarding IP addresses and host names. Will start playing with the image copied with dd first.

    Many thanks to Dan for giving this to public domain. To boil up this kind of instruction set so, that it is also comprehensible, must have taken a ton of work.

  • Gin

    Great guide and working one 🙂
    Any chance to update the same tutorial for Ubuntu 16.04? Or maybe a little help pls. Things seem to work until the Samba setup. First of all, in Ubuntu 16.04 libpam-smbpass was removed. So I added users manually for krb and Samba using the same credentials (even an account for the machine in some tests). When I try to join a Windows 7 to the domain I get the following error:
    “The join operation was not successful. The could be because an existing computer account having the name xxxx was previously created using a different set of credentials. Use a different computer name or contact your administrator to remove any stale conflicting raccount. The error was: Access is denied.”
    Ldap log:
    Jan 31 13:58:59 dcdoxmain slapd[1539]: conn=1052 fd=20 ACCEPT from IP=xxx.xxx.xxx.xxx (IP=
    Jan 31 13:58:59 dcdoxmain slapd[1539]: conn=1052 op=0 BIND dn="" method=163
    Jan 31 13:58:59 dcdoxmain slapd[1539]: SASL [conn=1052] Failure: GSSAPI Error: An unsupported mechanism was requested (Unknown error)
    Jan 31 13:58:59 dcdoxmain slapd[1539]: conn=1052 op=0 RESULT tag=97 err=49 text=SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context
    Samba shares could be accessed from Windows 7 using same credentials.

  • Marco

    Hi again DAN, thanks again for this beautiful guide… I’m using it in my office and it works like a charm!!
    I’m really happy to have Win7 and Linux (Debian) with distributed logins, home directories!
    Now I really have a bit of a headache trying to join new Windows 10 Pro machines to the Samba domain… I tried many, many different Samba configurations but no solution.
    Do you know any solution?


  • cuzintone

    If I wanted to set up a separate machine as a router on the network, would I let that machine handle all of the DNS, DHCP duties or can I just make it my gateway and set up IP forwarding to the Internet side of things?