What?
Let me start the post by saying that OpenLDAP is yet another Linux service built on top of the LDAP protocol (Lightweight Directory Access Protocol). Unlike Windows Active Directory, another product built on top of LDAP, it is free.
Why?
There are many use cases for LDAP, but the most common benefit is centralised user account administration for authentication. It does not just store user password credentials, but also other account-specific information such as UID, GID, home directory, telephone numbers, group memberships and so on.
phpLdapAdmin:
phpLDAPadmin, on the other hand, is a web-based application that provides a graphical user interface for interacting with LDAP. It is built on PHP and by default is hosted by Apache, so users can reach the interface from their favourite browser.
Getting Started.
01. Install the required packages.
# yum install -y openldap openldap-clients openldap-servers
02. Generate root LDAP password
# slappasswd -s osradar -n
{SSHA}FJbfOwcgwKPpRwmZH23h3QvyK4bs3Nbj
You will see output similar to the above, and the root password for LDAP will then be:
{SSHA}FJbfOwcgwKPpRwmZH23h3QvyK4bs3Nbj
03. Next, create a TLS certificate to be used by the LDAP server
# openssl req -new -x509 -nodes -out /etc/openldap/certs/cert.pem \
  -keyout /etc/openldap/certs/priv.pem -days 365
Generating a 2048 bit RSA private key
...........................................................................................................................................................+++
.........................+++
writing new private key to '/etc/openldap/certs/priv.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:LK
State or Province Name (full name) []:CMB
Locality Name (eg, city) [Default City]:colombo
Organization Name (eg, company) [Default Company Ltd]:osradar
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:ldap-server.osradar.com
Email Address []:
04. Now it's time to initialize the LDAP database. First, copy the example DB_CONFIG file into the LDAP data directory:
# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
05. Generate the DB files
# slaptest
5c5c5740 hdb_db_open: database "dc=my-domain,dc=com": db_open(/var/lib/ldap/id2entry.bdb) failed: No such file or directory (2).
5c5c5740 backend_startup_one (type=hdb, suffix="dc=my-domain,dc=com"): bi_db_open failed! (2)
slap_startup failed (test would succeed using the -u switch)
Don't worry about these errors.
06. Next, go into the directory where we generated the certificate in the step above and apply basic file permissions so that only the ldap user can read the private key.
# cd /etc/openldap/certs
# chown ldap:ldap *
# chmod 600 priv.pem
# chown ldap:ldap /var/lib/ldap/*
07. Start the server
# systemctl start slapd.service
08. Check that the network socket is up and listening
# ss -lnt
State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN     0      128    :::389               :::*
Note the 389/tcp, which is the default port for an LDAP server.
09. Add the cosine & nis LDAP schemas:
# cd /etc/openldap/schema
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f nis.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"
10. It's time to add the details that govern our LDAP service. Take note of the domain, because LDAP always binds to a domain once built.
# vim /etc/openldap/changes.ldif
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=osradar,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=osradar,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}FJbfOwcgwKPpRwmZH23h3QvyK4bs3Nbj

dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/cert.pem
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/priv.pem

dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: -1

dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=osradar,dc=com" read by * none
olcRootPW => replace with the password hash we generated at step 02
dc=osradar,dc=com => replace with the domain you want the LDAP directory to serve
11. Apply the changes to the LDAP server
# ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/openldap/changes.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "cn=config"
modifying entry "cn=config"
modifying entry "olcDatabase={1}monitor,cn=config"
12. Finally, we need to set up a base to work with the LDAP service. First, create a file with the following details.
# vim /etc/openldap/base.ldif
dn: dc=osradar,dc=com
dc: osradar
objectClass: top
objectClass: domain

dn: ou=adminGroup,dc=osradar,dc=com
ou: adminGroup
objectClass: top
objectClass: organizationalUnit
13. Apply the changes now via the ‘ldapadd’ command
# ldapadd -x -w osradar -D cn=Manager,dc=osradar,dc=com -f /etc/openldap/base.ldif
14. Restart the LDAP service
# systemctl restart slapd.service
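Steps 02 and 10 rely on the {SSHA} password scheme: the value stored in olcRootPW is base64(SHA-1(password + salt) followed by the salt), not the cleartext. The following script is an added example, not code from the original post or from OpenLDAP itself; it reproduces what slappasswd emits and how slapd checks a simple bind against that value, and uses the hash from step 02 as sample input.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Added example (not from the original post): the {SSHA} scheme used by
# slappasswd / olcRootPW is base64(SHA1(password + salt) || salt).
PREFIX = "{SSHA}"
DIGEST_LEN = 20  # SHA-1 digest length in bytes; everything after it is salt


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Produce a {SSHA} value like `slappasswd -s <password>` does.

    A random 4-byte salt is generated unless one is supplied (a fixed
    salt is only useful for reproducible tests)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_split(stored: str) -> Optional[Tuple[bytes, bytes]]:
    """Split a stored {SSHA} value into (digest, salt); None if malformed."""
    if not stored.startswith(PREFIX):
        return None
    try:
        raw = base64.b64decode(stored[len(PREFIX):], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) <= DIGEST_LEN:
        return None
    return raw[:DIGEST_LEN], raw[DIGEST_LEN:]


def ssha_verify(password: str, stored: str) -> bool:
    """Check a candidate password the way slapd does for a simple bind."""
    parts = ssha_split(stored)
    if parts is None:
        return False
    digest, salt = parts
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    # Constant-time comparison so timing does not leak how many bytes match.
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Sample input: the hash produced at step 02 of the post.
    page_hash = "{SSHA}FJbfOwcgwKPpRwmZH23h3QvyK4bs3Nbj"
    print(ssha_split(page_hash), ssha_verify("osradar", ssha_hash("osradar")))
```

Only the salted hash ends up in cn=config; the cleartext is still exposed where step 13 passes it with `-w osradar`, and ldapadd's `-W` option prompts for it instead.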
Setup phpLdapAdmin:
15. Install Apache and PHP
# yum -y install httpd php php-mbstring php-pear
16. Change the main Apache configuration
# vim /etc/httpd/conf/httpd.conf
ServerAdmin [email protected]
ServerName www.srv.world:80
AllowOverride All
DirectoryIndex index.html index.cgi index.php
Note: the lines to change are at line numbers 86, 95, 151 and 164 respectively.
17. Install “phpldapadmin”. (For this we will have to add a new repository called “epel”.)
# yum install -y epel-release
# yum install -y phpldapadmin
18. Change the default settings
# vim /etc/phpldapadmin/config.php
$servers->setValue('login','attr','dn');
// $servers->setValue('login','attr','uid');
The above changes are at line numbers 397 to 398.
19. Let's change the default VirtualHost configuration that ships with phpldapadmin
# vim /etc/httpd/conf.d/phpldapadmin.conf
Require all granted
The change should be made at line number 11.
That’s it for setting up “phpldapadmin”. Make sure you enable the required firewall configuration. With that done, let's go ahead and visit our newly set up phpLDAPAdmin interface.
http://{ip address of the server}/ldapadmin
To log in, you will have to provide the following:
– Login DN: cn=Manager,dc=osradar,dc=com
– Password: in our case, it is “osradar”, which we gave at step 02 of the
“If you have come this far, congratulations, you now have a working LDAP service.”