Install OpenLDAP on Ubuntu Server 24.04 LTS
1. Prerequisites
1.1 Minimum System Requirements:
- 4GB RAM
- 2 CPUs
- 50GB storage
1.2 Server Setup:
- Installed Ubuntu 24.04 on a server with public network access
- Registered domain name, e.g., ldap.YOUR-DOMAIN.edu.gh
2. Install the required packages
sudo apt-get update
sudo apt-get install slapd ldap-utils gnutls-bin ssl-cert vim
In order to access some additional prompts that we need, we'll reconfigure the package after installation. To do so, type:
sudo dpkg-reconfigure slapd
Answer the prompts appropriately, using the information below as a starting point:
- Omit OpenLDAP server configuration? No (we want an initial database and configuration)
- DNS domain name: YOUR-DOMAIN.edu.gh (use the server's domain name, minus the hostname. This will be used to create the base entry for the information tree)
- Organization name: Your Institute (This will simply be added to the base entry as the name of your institute)
- Administrator password: whatever you'd like
- Confirm password: must match the above
- Do you want the database to be removed when slapd is purged? (your choice. Choose Yes to allow a completely clean removal, and choose No to save your data even when the software is removed)
- Move old database? Yes
3. Create the Certificate Templates
To encrypt our connections, we'll need to configure a certificate authority and use it to sign the keys for the LDAP server(s) in our infrastructure. So, for our single server setup, we will need two sets of key/certificate pairs: one for the certificate authority itself and one that is associated with the LDAP service.
Start by making a directory to store the template files:
sudo mkdir /etc/ssl/templates
3.1 Create the template for the certificate authority
sudo vim /etc/ssl/templates/ca_server.conf
cn = LDAP Server CA
ca
cert_signing_key
expiration_days = 3652
Save and close the file.
3.2 Create a template for the LDAP server certificate
sudo vim /etc/ssl/templates/ldap_server.conf
organization = "Name of your institution"
cn = ldap.YOUR-DOMAIN.edu.gh
tls_www_server
encryption_key
signing_key
expiration_days = 3652
Save and close the file when you're finished.
3.3 Create CA Key and Certificate
Now that we have our templates, we can create our two key/certificate pairs. We need to create the certificate authority set first.
Use the certtool utility to generate a private key:
sudo certtool -p --outfile /etc/ssl/private/ca_server.key
Now, we can use the private key and the template file to create the certificate authority certificate:
sudo certtool -s --load-privkey /etc/ssl/private/ca_server.key --template /etc/ssl/templates/ca_server.conf --outfile /etc/ssl/certs/ca_server.pem
We now have the private key and certificate pair for our certificate authority. We can use this to sign the key that will be used to encrypt the LDAP session.
3.4 Create LDAP Service Key and Certificate
Next, we need to generate a private key for our LDAP server:
sudo certtool -p --sec-param high --outfile /etc/ssl/private/ldap_server.key
Once we have the private key for the LDAP server, we have everything we need to generate a certificate for the server:
sudo certtool -c --load-privkey /etc/ssl/private/ldap_server.key --load-ca-certificate /etc/ssl/certs/ca_server.pem --load-ca-privkey /etc/ssl/private/ca_server.key --template /etc/ssl/templates/ldap_server.conf --outfile /etc/ssl/certs/ldap_server.pem
3.5 Give OpenLDAP Access to the LDAP Server Key
We now have all the certificates and keys we need. However, currently, our OpenLDAP process will be unable to access its own key.
A group called ssl-cert already exists as the group-owner of the /etc/ssl/private directory. We can add the user our OpenLDAP process runs under (openldap) to this group:
sudo usermod -aG ssl-cert openldap
sudo service slapd restart
Now, our OpenLDAP user has access to the directory. We still need to give that group ownership of the ldap_server.key file:
sudo chown :ssl-cert /etc/ssl/private/ldap_server.key
Now, give the ssl-cert group read access to the file:
sudo chmod 640 /etc/ssl/private/ldap_server.key
sudo systemctl restart slapd
Our OpenLDAP process can now access the key file properly.
3.6 Configure OpenLDAP to Use the Certificate and Keys
We have our files and have configured access to the components correctly. Now, we need to modify our OpenLDAP configuration to use the files we've made. We will do this by creating an LDIF file with our configuration changes and loading it into our LDAP instance.
Move to your home directory and open a file called addcerts.ldif:
cd ~
vim addcerts.ldif
To make configuration changes, we need to target the cn=config entry of the configuration DIT and specify that we want to modify the attributes of that entry. Then we add the olcTLSCACertificateFile, olcTLSCertificateFile, and olcTLSCertificateKeyFile attributes and set them to the correct file locations.
The end result will look like this:
dn: cn=config
changetype: modify
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/ldap_server.key
-
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/ca_server.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/ldap_server.pem
Save and close the file when you are finished. Apply the changes to your OpenLDAP system using the ldapmodify command:
sudo ldapmodify -H ldapi:// -Y EXTERNAL -f addcerts.ldif
We can reload OpenLDAP to apply the changes:
sudo service slapd force-reload
Your clients can now be configured to encrypt their connections to the server over the conventional 'ldap://ldap.YOUR-DOMAIN:389' port by using STARTTLS.
4. Setting up the Client Machines
In order to connect to the LDAP server and initiate a STARTTLS upgrade, the clients must have access to the certificate authority certificate and must request the upgrade on the OpenLDAP Server.
If you interact with the OpenLDAP server from the server itself, you can set up the client utilities by copying the CA certificate and adjusting the client configuration file.
First, copy the CA certificate from the /etc/ssl/certs directory to a file within the /etc/ldap directory. We will call this file ca_certs.pem. This file can be used to store all of the CA certificates that clients on this machine may wish to access. For our purposes, this will only contain a single certificate:
sudo cp /etc/ssl/certs/ca_server.pem /etc/ldap/ca_certs.pem
Now, we can adjust the system-wide configuration file for the OpenLDAP utilities. Open up the configuration file in your text editor with sudo privileges:
sudo vim /etc/ldap/ldap.conf
Adjust the value of the TLS_CACERT option to point to the file we just created:
TLS_CACERT /etc/ldap/ca_certs.pem
TLS_REQCERT allow
Save and close the file. Note that TLS_REQCERT allow lets the client proceed even when the server presents no certificate or one that fails verification against TLS_CACERT; the stricter default, demand, terminates the session instead.
You should now be able to upgrade your connections to use STARTTLS by passing the -Z option when using the OpenLDAP utilities. You can force the STARTTLS upgrade by passing it twice. Test this by typing:
sudo ldapwhoami -H ldap:// -x -ZZ
This forces a STARTTLS upgrade. If this is successful, you should see:
anonymous
Then we need to disallow anonymous login to the LDAP server.
5. Create an LDIF file
cd ~
vim ldap_disable_bind_anon.ldif
Include the following:
dn: cn=config
changetype: modify
add: olcDisallows
olcDisallows: bind_anon

dn: cn=config
changetype: modify
add: olcRequires
olcRequires: authc

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcRequires
olcRequires: authc
Save and close the file when you are finished. Apply the changes to your OpenLDAP system using the ldapmodify command:
sudo ldapmodify -H ldapi:// -Y EXTERNAL -f ldap_disable_bind_anon.ldif
You can check again:
sudo ldapwhoami -H ldap:// -x -ZZ
And you should see:
ldap_bind: Inappropriate authentication (48)
additional info: anonymous bind disallowed
6. Load eduPerson Schema
Get the schema downloaded from Eduperson.ldif or the latest from https://spaces.at.internet2.edu/display/macedir/LDIFs.
wget https://raw.githubusercontent.com/REFEDS/eduperson/refs/heads/master/schema/openldap/eduperson.ldif
Load it using:
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f eduperson.ldif
Also, let's load the Schema for Academia, SCHAC.
Get the schema downloaded from SCHAC.ldif or the latest from https://wiki.refeds.org/display/STAN/SCHAC+Releases.
wget https://raw.githubusercontent.com/REFEDS/SCHAC/refs/heads/main/schema/openldap.ldif
Load it using:
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f openldap.ldif
7. Create User Structure
Depending on your institution's requirements, you may create groups and users as follows, but the mandatory attributes listed below must be present when creating users.
Mandatory Attributes:
- Attribute givenName: First Name of the User
- Attribute sn: Family Name of the User
- Attribute mail: Primary email address of your domain
- Attribute email: Secondary email for the user to help password recovery
- Attribute eduPersonEntitlement: set to urn:mace:dir:entitlement:common-lib-terms
- Values for the attribute mobile should be in the form of +233xxxxxxxxx (e.g., +233208110248)
- Values for the attribute eduPersonOrgUnitDN should be in the form of ou=Department,ou=Faculty,o=institution name,c=GH (e.g., ou=Physics,ou=Faculty of Sciences,o=University of Ghana,c=GH)
- Values for the attribute eduPersonAffiliation must be one of faculty, student, staff, alum, member, affiliate, employee, library-walk-in, as per the definitions below:

| Value | Meaning |
|---|---|
| faculty | Academic or Research staff |
| student | Undergraduate or postgraduate student |
| staff | All staff |
| employee | Employee other than staff, e.g. contractor |
| member | Comprises all the categories named above, plus other members with normal institutional privileges, such as honorary staff or visiting scholar |
| affiliate | Relationship with the institution short of full member |
| alum | Alumnus/alumna (graduate) |
| library-walk-in | A person physically present in the library |
Create a file containing those details and modify them to match your institution. Replace garnet with your institutional domain:
dn: ou=People,dc=garnet,dc=edu,dc=gh
objectClass: organizationalUnit
objectClass: top
ou: People

dn: ou=Group,dc=garnet,dc=edu,dc=gh
objectClass: organizationalUnit
objectClass: top
ou: Group
description: All groups

# System Admin Staff Group
dn: cn=adm,ou=Group,dc=garnet,dc=edu,dc=gh
cn: adm
description: System Admin Staff
gidNumber: 1500
objectClass: posixGroup
objectClass: top

# Academic staff Group
dn: cn=acd,ou=Group,dc=garnet,dc=edu,dc=gh
cn: acd
description: Academic Staff
gidNumber: 2000
objectClass: posixGroup
objectClass: top

# Students Group
dn: cn=student,ou=Group,dc=garnet,dc=edu,dc=gh
cn: student
description: Students
gidNumber: 5000
objectClass: posixGroup
objectClass: top

# Servers OU
dn: ou=servers,dc=garnet,dc=edu,dc=gh
description: servers
objectClass: top
objectClass: organizationalUnit
ou: servers

# Test User
dn: uid=testme@garnet.edu.gh,ou=people,dc=garnet,dc=edu,dc=gh
cn: Test Me
uid: testme@garnet.edu.gh
uidNumber: 1001
gidNumber: 1000
givenName: Test Me
homeDirectory: /dev/null
homePhone: none
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: eduPerson
objectClass: extensibleObject
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
sn: Test
mobile: +233222222222
userPassword: testme1234
mail: testme@garnet.edu.gh
eduPersonPrincipalName: testme@garnet.edu.gh
eduPersonAffiliation: staff
eduPersonOrgUnitDN: ou=Network,ou=Infrastructure,o=GARNET,c=GH
eduPersonEntitlement: urn:mace:dir:entitlement:common-lib-terms
Save the above as an LDIF file and add it to your directory:
sudo ldapadd -H ldap:// -x -D "cn=admin,dc=YOUR-DOMAIN,dc=edu,dc=gh" -W -Z -f path_to_file.ldif
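Checking a user LDIF against the attribute rules of this section before running ldapadd catches malformed entries early. The script below is an added example, not part of this page or of the OpenLDAP project: it parses records the way ldapadd reads them (blank-line-separated records, folded lines, # comments) and lists every rule from the mandatory-attribute list that an eduPerson entry breaks. The two users in SAMPLE_LDIF and the example.edu.gh domain are constructed for the example.

```python
import re
# Rules from section 7 of the page; SAMPLE_LDIF is a constructed sample, not the page's data.
MANDATORY = ("givenName", "sn", "mail", "email", "eduPersonEntitlement")
AFFILIATIONS = {"faculty", "student", "staff", "alum", "member",
                "affiliate", "employee", "library-walk-in"}
PATTERNS = {"mobile": (re.compile(r"^\+233\d{9}$"), "+233xxxxxxxxx"),
            "eduPersonOrgUnitDN": (re.compile(r"^ou=[^,]+,ou=[^,]+,o=[^,]+,c=GH$"),
                                   "ou=Department,ou=Faculty,o=institution name,c=GH")}
SAMPLE_LDIF = """dn: uid=ama@example.edu.gh,ou=People,dc=example,dc=edu,dc=gh
objectClass: eduPerson
givenName: Ama
sn: Mensah
mail: ama@example.edu.gh
email: ama.personal@example.com
mobile: +233201234567
eduPersonAffiliation: faculty
eduPersonOrgUnitDN: ou=Physics,ou=Faculty of Sciences,o=Example University,c=GH
eduPersonEntitlement: urn:mace:dir:entitlement:common-lib-terms

dn: uid=kofi@example.edu.gh,ou=People,dc=example,dc=edu,dc=gh
objectClass: eduPerson
givenName: Kofi
mobile: 0201234567
eduPersonAffiliation: lecturer
eduPersonOrgUnitDN: ou=Physics,o=Example University,c=GH
"""

def parse_ldif(text):
    """Split LDIF into records (attr -> [values]); a blank line ends a record,
    a line starting with one space continues the previous value (LDIF folding)."""
    records, rec, prev = [], {}, None
    for line in [ln for ln in text.splitlines() if not ln.startswith("#")] + [""]:
        if line.startswith(" ") and prev:             # folded continuation line
            rec[prev][-1] += line[1:]
        elif line.strip():
            prev, _, value = line.partition(":")
            rec.setdefault(prev, []).append(value.strip())
        elif rec:                                      # blank line closes a record
            records.append(rec)
            rec, prev = {}, None
    return records

def check_user(entry):
    """Return the section-7 rule violations for one parsed record (empty list = conforms)."""
    bad = [f"missing mandatory attribute {a}" for a in MANDATORY if a not in entry]
    bad += [f"eduPersonAffiliation {v!r} not in allowed set"
            for v in entry.get("eduPersonAffiliation", []) if v not in AFFILIATIONS]
    for attr, (rx, form) in PATTERNS.items():
        bad += [f"{attr} {v!r} not of form {form}" for v in entry.get(attr, []) if not rx.match(v)]
    return bad
```

Run check_user on every record that parse_ldif returns for your own file and fix each entry whose list is non-empty before loading it; the second sample user is reported for four missing attributes, a non-listed affiliation, a local-format mobile number and a two-level eduPersonOrgUnitDN.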
8. Set Autostart
Run this to enable autostart for the OpenLDAP application:
sudo systemctl enable slapd.service
9. Useful Other Commands
- Verify LDAP settings:
sudo ldapsearch -H ldapi:// -Y EXTERNAL -b "cn=config" -LLL -Q
- View available schema:
sudo ldapsearch -H ldapi:// -Y EXTERNAL -b "cn=schema,cn=config" -s one -Q -LLL dn
- List Users:
ldapsearch -H ldap://localhost -D "cn=admin,dc=YOUR-DOMAIN,dc=edu,dc=gh" -W -b "dc=YOUR-DOMAIN,dc=edu,dc=gh"
- View/backup LDAP to LDIF:
sudo slapcat
sudo slapcat > backup.ldif