Debian/Ubuntu Tips & Tricks

Debuntu.org: .deb packages, Unix/Linux Tutorials and Articles.

How-To set up a LDAP server and its clients

LDAP (Lightweight Directory Access Protocol) gives you one central place to store user, group, domain and other information, and one central place to authenticate against.

With LDAP on a local network, your users can log in and authenticate from any machine on the network with a single account.

This tutorial is split in two parts. In the first part I explain how to install and configure the LDAP server and add a few users and groups; in the second part we set up a Linux client to authenticate through LDAP whenever the user does not exist in the local /etc/passwd.

In this tutorial I assume that our LDAP server is located at 192.168.1.4, that every machine on the network resolves the host name ldap to 192.168.1.4, and that the LDAP server manages the domain debuntu.local.
The server runs Debian 4 (testing, but almost stable) and the client Ubuntu Feisty 7.04.

1. LDAP Server

1.1. Installation

To get our LDAP server set up, we need a couple of packages:

# apt-get install slapd ldap-utils migrationtools

Answer the questions, then reconfigure slapd so that dpkg asks us a few more of them:

# dpkg-reconfigure slapd

Omit OpenLDAP server configuration? ... No
DNS domain name: ... debuntu.local
Name of your organization: ... Whatever & Co
Admin Password: XXXXX
Confirm Password: XXXXX
OK
BDB
Do you want your database to be removed when slapd is purged? ... No
Move old database? ... Yes
Allow LDAPv2 Protocol? ... No

Right: from now on our domain is set up, together with its administrator, whose DN is cn=admin,dc=debuntu,dc=local. The password you just typed belongs to this directory administrator only; it has nothing to do with the system root password, and it is what ldapadd will prompt for later on.

You can now check that you can reach your LDAP server with an anonymous search (-x asks for simple authentication, and with no bind DN that is an anonymous bind; the ACLs Debian generates let anonymous clients read the directory except for userPassword, so no password is needed here):

$ ldapsearch -x -b dc=debuntu,dc=local

If you get an error message like:

ldap_bind: Can't contact LDAP server (-1)

your server is most likely not running; use:

# /etc/init.d/slapd start

to start it.

OK, now it is time to add our users and groups to the LDAP database.

1.2. Populating the database

With migrationtools we can quickly convert the existing users and groups of the local system to LDIF and import them into LDAP.

# cd /usr/share/migrationtools/

We need to edit migrationtools' configuration file, migrate_common.ph, and set the following parameters:

$DEFAULT_MAIL_DOMAIN = "debuntu.local";
$DEFAULT_BASE = "dc=debuntu,dc=local";

Then export the local accounts:

# ./migrate_group.pl /etc/group ~/group.ldif
# ./migrate_passwd.pl /etc/passwd ~/passwd.ldif

Note that the scripts convert every account and group, root and the system accounts included, and that migrate_passwd.pl, run as root, also copies the password hashes from /etc/shadow into the userPassword attributes. Go through both files before importing them: remove root and the system accounts you do not want in the directory, keep the files readable by root only (chmod 600) while they exist, and delete them once the import is done.

Unfortunately, the scripts do not create the ou=People and ou=Group containers that the exported entries are placed under, so we need to create them ourselves. To do this, create a file called ~/people_group.ldif with the following content (copy it carefully: a trailing space after a value makes ldapadd fail with "Invalid syntax (21)"):

dn: ou=People, dc=debuntu, dc=local
ou: People
objectclass: organizationalUnit

dn: ou=Group, dc=debuntu, dc=local
ou: Group
objectclass: organizationalUnit

Now we have our users and groups in LDAP's LDIF format. Let's import them into our LDAP database, containers first, because slapd refuses an entry whose parent does not exist yet.

# cd
# ldapadd -x -W -D "cn=admin,dc=debuntu,dc=local" -f ~/people_group.ldif
# ldapadd -x -W -D "cn=admin,dc=debuntu,dc=local" -f ~/group.ldif
# ldapadd -x -W -D "cn=admin,dc=debuntu,dc=local" -f ~/passwd.ldif

where:

  • -x uses simple authentication instead of SASL
  • -W prompts for the bind password
  • -D gives the DN to bind as, here the administrator
  • -f gives the file ldapadd reads the entries from
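To make the conversion and the pre-import checks concrete, here is an added example in Python; it is not part of this tutorial and not migrationtools' own code. It does for lines of /etc/passwd, /etc/shadow and /etc/group what migrate_passwd.pl and migrate_group.pl do, but skips root and the system accounts (assumed to be everything below uid/gid 1000, the Debian/Ubuntu default), writes the ou=People and ou=Group containers, base64-encodes values that LDIF cannot carry literally, and lints the result for the trailing whitespace and empty values that make ldapadd fail with "Invalid syntax (21)". It also derives the base DN from the DNS domain the way the slapd debconf questions do, which is the suffix -D and every dn must share. The passwd, shadow and group lines inside it are constructed sample data, and the function names are my own.

```python
# Added example, not part of the Debuntu tutorial and not migrationtools' code: what
# migrate_passwd.pl / migrate_group.pl produce for section 1.2, plus the checks to run
# before ldapadd. Assumptions: regular accounts start at uid/gid 1000; samples are made up.
import base64

FIRST_REGULAR_ID = 1000         # assumption: root and system accounts are below this
PEOPLE_OU, GROUP_OU = "People", "Group"

def base_dn_from_domain(domain):
    """'debuntu.local' -> 'dc=debuntu,dc=local', as the slapd debconf questions derive
    it; -D and every dn must use this suffix or slapd says 'no global superior knowledge'."""
    labels = [part for part in domain.strip().lower().split(".") if part]
    if not labels:
        raise ValueError("empty DNS domain name")
    return ",".join("dc=" + part for part in labels)

def ldif_line(name, value):
    """RFC 2849: non-ASCII, a newline, or a leading space/':'/'<' forces base64 ('::')."""
    if value.isascii() and value[0] not in " :<" and "\n" not in value and "\r" not in value:
        return name + ": " + value
    return name + ":: " + base64.b64encode(value.encode("utf-8")).decode("ascii")

def entry(dn, attrs):
    """One LDIF entry. Values are stripped and empty ones dropped: trailing blanks and
    empty values are exactly what slapd rejects with 'Invalid syntax (21)'."""
    lines = ["dn: " + dn]
    for name, value in attrs:
        value = str(value).strip()
        if value:
            lines.append(ldif_line(name, value))
    return "\n".join(lines) + "\n\n"

def containers(base):
    """The ou=People and ou=Group nodes the migration scripts do not create."""
    return (entry("ou=%s,%s" % (PEOPLE_OU, base),
                  [("ou", PEOPLE_OU), ("objectClass", "organizationalUnit")])
            + entry("ou=%s,%s" % (GROUP_OU, base),
                    [("ou", GROUP_OU), ("objectClass", "organizationalUnit")]))

def passwd_to_ldif(passwd_text, base, shadow_text=""):
    """posixAccount/shadowAccount entries from /etc/passwd lines. A usable crypt hash from
    /etc/shadow becomes userPassword {crypt}...; locked ('!', '*') accounts get none;
    root and the system accounts are skipped and stay local."""
    hashes = {}
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[1] and fields[1][0] not in "!*":
            hashes[fields[0]] = fields[1]
    out = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or int(fields[2]) < FIRST_REGULAR_ID:
            continue
        name, _, uid, gid, gecos, home, shell = fields
        attrs = [("uid", name), ("cn", name), ("objectClass", "account"),
                 ("objectClass", "posixAccount"), ("objectClass", "top"),
                 ("objectClass", "shadowAccount"), ("loginShell", shell), ("uidNumber", uid),
                 ("gidNumber", gid), ("homeDirectory", home), ("gecos", gecos)]
        if name in hashes:
            attrs.append(("userPassword", "{crypt}" + hashes[name]))
        out.append(entry("uid=%s,ou=%s,%s" % (name, PEOPLE_OU, base), attrs))
    return "".join(out)

def group_to_ldif(group_text, base):
    """posixGroup entries from /etc/group lines, one memberUid per member."""
    out = []
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) != 4 or int(fields[2]) < FIRST_REGULAR_ID:
            continue
        name, _, gid, members = fields
        attrs = [("objectClass", "posixGroup"), ("objectClass", "top"), ("cn", name),
                 ("gidNumber", gid)] + [("memberUid", m) for m in members.split(",") if m]
        out.append(entry("cn=%s,ou=%s,%s" % (name, GROUP_OU, base), attrs))
    return "".join(out)

def check_ldif(text):
    """Lint before ldapadd: (line number, problem) for every line with trailing
    whitespace or an attribute with an empty value."""
    problems = []
    for number, line in enumerate(text.splitlines(), 1):
        if line != line.rstrip():
            problems.append((number, "trailing whitespace"))
        elif not line.startswith("#") and ":" in line and line.split(":", 1)[1] == "":
            problems.append((number, "empty value"))
    return problems

# Constructed sample input, not from a real system (the hash is a placeholder).
SAMPLE_PASSWD = ("root:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/bin/sh\n"
                 "alice:x:1000:1000:Alice Example:/home/alice:/bin/bash\n"
                 "bob:x:1001:1001:Bob Ünicode:/home/bob:/bin/bash\n")
SAMPLE_SHADOW = "alice:$1$fakesalt$fakefakefakefakefakefa:13653:0:99999:7:::\nbob:!:13653:0:99999:7:::\n"
SAMPLE_GROUP = "root:x:0:\nalice:x:1000:\nbob:x:1001:\nstaff:x:1002:alice,bob\n"

def build_ldif(domain, passwd=SAMPLE_PASSWD, shadow=SAMPLE_SHADOW, group=SAMPLE_GROUP):
    """Everything section 1.2 imports, in the order ldapadd needs it: containers first."""
    base = base_dn_from_domain(domain)
    return containers(base) + group_to_ldif(group, base) + passwd_to_ldif(passwd, base, shadow)
```

Write the output of build_ldif to one file, run check_ldif over it, and feed it to a single ldapadd; for real data read the three system files instead of the samples, but remember that /etc/shadow is root-only and that the resulting file then carries password hashes.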

The server is now ready to identify your users. One caveat before moving on: a simple bind (-x) sends the password in cleartext, so run ldapadd with the admin DN on the server itself, or over TLS, rather than across the network. Let's go on and set up the clients.


Thanks

That was exactly what I needed! Been staring at "ldap_bind: Can't contact LDAP server (-1)" for days!


smb ldap installer

For anyone interested in setting up a combination of ldap/samba/nfs on a number of distros you should check out http://majen.net/smbldap/

It's still good to go through a manual installation a couple of times so you know how everything works if something goes wrong, but I wouldn't want to have to do it every time.


ldapadd error!

I am trying to install LDAP on Ubuntu Feisty

These work fine...

ldapadd -x -W -D "cn=admin,dc=company,dc=com" -f ~/people_group.ldif
ldapadd -x -W -D "cn=admin,dc=company,dc=com" -f ~/group.ldif

But the following errors out...
ldapadd -x -W -D "cn=admin,dc=company,dc=com" -f ~/passwd.ldif

Enter LDAP Password:
adding new entry "uid=root,ou=People,dc=company,dc=com"
ldap_add: Invalid syntax (21)
additional info: objectClass: value #5 invalid per syntax

Any suggestions?
Thanks


If you, like me, did

If you, like me, did copy&paste of the contents of people_group.ldif, you probably got some trailing whitespace on the last line (objectclass: organizationalUnit ). Remove that whitespace. You should probably remove the first section too, if that was successfully added the first time you ran the command (as the syntax error occurs in the second section).


trailing spaces?

From http://www.openldap.org/faq/index.cgi?file=648

This error is reported when a value of an attribute does not conform to syntax restrictions. Additional information is commonly provided stating which value of which attribute was found to be invalid. Double check this value and other values (the server will only report the first error it finds).

Common causes include:

extraneous white space (especially trailing white space)
improperly encoded characters (LDAPv3 uses UTF-8 encoded Unicode)
empty values (few syntaxes allow empty values)

For certain syntaxes, like OBJECT IDENTIFIER (OID), this error can indicate that the OID descriptor (a "short name") provided is unrecognized. For instance, this error is returned if the objectClass value provided is unrecognized.

I don't know where the error is. But it looks like there is something wrong with your first user syntax.
Debuntu


When I perform the ldapadd

When I perform the ldapadd command I receive the following error:

adding new entry "ou=People, dc=tici, dc=local"
ldap_add: Server is unwilling to perform (53)
        additional info: no global superior knowledge

Any ideas?


Re: "no global superior knowledge"

You must change "debuntu" and "local" to "foo" and "bar" (if your domain is foo.bar).
I did the same thing. See http://www.openldap.org/faq/data/cache/1322.html


old database issue

I am new here.

After I executed the following part,

Omit OpenLDAP server configuration? ... No
DNS domain name: ... debuntu.local
Name of your organization: ... Whatever & Co
Admin Password: XXXXX
Confirm Password: XXXXX
OK
BDB
Do you want your database to be removed when slapd is purged? ... No
Move old database? ... Yes
Allow LDAPv2 Protocol? ... No

I got the next thing:

Stopping OpenLDAP: slapd.
Moving old database directory to /var/backups:

Backup path /var/backups/unknown-2.3.30-2.ldapdb exists. Giving up...

Any comments?

Thanks


Old back up already exists

From the error message:
Backup path /var/backups/unknown-2.3.30-2.ldapdb exists. Giving up...
The installer gives up because a backup already exist.
you should move this file somewhere else like:
# mv /var/backups/unknown-2.3.30-2.ldapdb /var/backups/unknown-2.3.30-2.ldapdb.old
and redo dpkg-reconfigure slapd
Debuntu


ldap_bind: Invalid credentials (49)

Hi,

I tried the part1. Everything seems ok. I tested the server accessing. It works fine. However, when I tried the follows:

# cd
# ldapadd -x -W -D "cn=admin,dc=debuntu,dc=local" -f ~/people_group.ldif
# ldapadd -x -W -D "cn=admin,dc=debuntu,dc=local" -f ~/group.ldif
# ldapadd -x -W -D "cn=admin,dc=debuntu,dc=local" -f ~/passwd.ldif

I typed passwd, I got the following error:

ldap_bind: Invalid credentials (49)

The server is running and I don't know what's wrong with that. Any suggestion?

Thanks for your help


Do you actually type the

Do you actually type the admin ("cn=admin,dc=debuntu,dc=local") password?
The ldap credentials are different than root's.
Debuntu


passwd

Thanks for your quick response.

I did type the admin passwd. The passwd I set is the same as root's. Should I use a different passwd?

Thank you


wrong domain name

# ldapadd -x -W -D "cn=admin,dc=debuntu,dc=local" -f ~/people_group.ldif
# ldapadd -x -W -D "cn=admin,dc=debuntu,dc=local" -f ~/group.ldif
# ldapadd -x -W -D "cn=admin,dc=debuntu,dc=local" -f ~/passwd.ldif

You want to change dc=debuntu,dc=local by the domain name you entered during dpkg-reconfigure slapd
Debuntu


Still doesn't work

Considering all that you wrote here, I still get the same error. I'm using Ubuntu 7.04 Feisty.

cheers, Simon


stuck

Hi,
I followed the following instructions:

Omit OpenLDAP server configuration? ... No
DNS domain name: ... debuntu.local
Name of your organization: ... Whatever & Co
Admin Password: XXXXX
Confirm Password: XXXXX
OK
BDB
Do you want your database to be removed when slapd is purged? ... No
Move old database? ... Yes
Allow LDAPv2 Protocol? ... No

However, after "Confirm Password: XXXXX", the next screen gets stuck and does not move on to the BDB prompt. What's wrong?

thanks for help


Can not login with LDAP

I followed the instructions from your tutorial and it seems OK (I can log in to my computer; server and client are the same computer).

After that, I created a testing account "guest" on the LDAP server. I cannot log in to my server although the "getent passwd" command gives the correct result. The system tells me "Permission denied, please try again"

$ ldapadd -x -D cn=admin,dc=kenson,dc=idv,dc=hk -W -f guest.ldif
Enter LDAP Password:
adding new entry "cn=guest,ou=user,ou=auth,dc=kenson,dc=idv,dc=hk"
adding new entry "cn=guest,ou=group,ou=auth,dc=kenson,dc=idv,dc=hk"
$ sudo getent passwd | grep guest
guest:x:1100:1100:Guest:/home/guest:/bin/bash
$ ssh guest@localhost
guest@localhost password:
Permission denied, please try again.
$ cat guest.ldif
dn:             cn=guest,ou=user,ou=auth,dc=kenson,dc=idv,dc=hk
uid:            guest
cn:             guest
objectClass:    account
objectClass:    posixAccount
objectClass:    top
objectClass:    shadowAccount
userPassword:   guest
shadowLastChange: 13653
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1100
gidNumber: 1100
homeDirectory: /home/guest
gecos: Guest

dn:             cn=guest,ou=group,ou=auth,dc=kenson,dc=idv,dc=hk
objectClass:    posixGroup
objectClass:    top
cn:             guest
userPassword:
gidNumber:      1100
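As an added example, not the commenter's file and not part of the tutorial: the same guest account and group built in Python, with userPassword stored as an {SSHA} salted SHA-1 hash (the scheme slappasswd produces by default) instead of the cleartext value in the file above, plus the comparison slapd performs when a client binds against such a value. The DN layout (ou=user,ou=auth,dc=kenson,dc=idv,dc=hk), the numeric ids and the shadow attributes are taken from the comment; the random 4-byte salt and the function names are my own assumptions.

```python
# Added example (not the commenter's guest.ldif, not the tutorial's code): the guest
# account with userPassword hashed as {SSHA}, slappasswd's default scheme, and the
# check slapd makes on a simple bind. DN layout and ids copied from the comment;
# function names and salt handling are assumptions.
import base64
import hashlib
import hmac
import os

BASE = "dc=kenson,dc=idv,dc=hk"        # from the comment above

def ssha_hash(password, salt=None):
    """{SSHA} value: base64(sha1(password || salt) || salt); salt is 4 random bytes."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(stored, password):
    """What slapd does for a simple bind against an {SSHA} userPassword: recover the
    salt from the stored value, hash the offered password with it, compare."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]           # SHA-1 digest is 20 bytes, rest is salt
    return hmac.compare_digest(hashlib.sha1(password.encode("utf-8") + salt).digest(), digest)

def user_entry(name, uid_number, gid_number, password, gecos=None, salt=None):
    """LDIF for a posixAccount shaped like the guest entry, password hashed."""
    lines = [
        "dn: cn=%s,ou=user,ou=auth,%s" % (name, BASE),
        "uid: " + name,
        "cn: " + name,
        "objectClass: account",
        "objectClass: posixAccount",
        "objectClass: top",
        "objectClass: shadowAccount",
        "userPassword: " + ssha_hash(password, salt),
        "shadowLastChange: 13653",
        "shadowMax: 99999",
        "shadowWarning: 7",
        "loginShell: /bin/bash",
        "uidNumber: %d" % uid_number,
        "gidNumber: %d" % gid_number,
        "homeDirectory: /home/" + name,
        "gecos: " + (gecos or name),
    ]
    return "\n".join(lines) + "\n"

def group_entry(name, gid_number):
    """Matching posixGroup. A group needs no userPassword at all, and an empty
    'userPassword:' line is one of the values slapd rejects as invalid syntax."""
    lines = [
        "dn: cn=%s,ou=group,ou=auth,%s" % (name, BASE),
        "objectClass: posixGroup",
        "objectClass: top",
        "cn: " + name,
        "gidNumber: %d" % gid_number,
    ]
    return "\n".join(lines) + "\n"

def guest_ldif(password):
    """User entry, blank separator line, group entry: one file for ldapadd -f."""
    return user_entry("guest", 1100, 1100, password, "Guest") + "\n" + group_entry("guest", 1100)
```

Because slapd stores whatever userPassword value it is given, the cleartext in the original file is exactly what anyone with read access to that attribute, or to a backup of the database, would see; the hashed form costs nothing on the client side, since simple binds are still checked by slapd against the stored value.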


Is /etc/pam.d/ssh set

Is /etc/pam.d/ssh set properly?
Does the logs say anything?
Debuntu


Thanks for the tip on the

Thanks for the tip on the "dpkg-reconfigure slapd"- I've used LDAP before but am not at all familiar with Debian/Ubuntu.

That was exactly what I needed! Been staring at "ldap_bind: Can't contact LDAP server (-1)" for days!


Wrong command?

Hi,
Thank you for document...

Wrong command ?
./migrate_passwd.pl ~/passwd.ldif

In fact:
./migrate_passwd.pl /etc/passwd ~/passwd.ldif

okay ?

Aytekin Aygün


/etc/passwd indeed

Yep, you are right. This was a typo.
Thanks for reporting this, I've edited the post accordingly.
Debuntu


Which programs do you use

Which programs do you use to add/change/delete users accounts?