OpenLDAP is a free and open-source implementation of the Lightweight Directory Access Protocol (LDAP), released under its own BSD-style OpenLDAP Public License. Its command-line driven LDAP software is packaged by most Linux distributions, including CentOS, Ubuntu, Debian and SUSE. The suite consists of slapd (the standalone LDAP daemon), the client libraries, and utilities for managing the directory. Older releases also shipped slurpd (the standalone LDAP update replication daemon), but it was removed in OpenLDAP 2.4 in favour of the syncrepl replication built into slapd. OpenLDAP is highly customizable and runs on all major computing platforms.

LDAP Account Manager (LAM) is a web application written in PHP for managing users, groups, and DHCP settings stored on an LDAP server from a web browser. It is designed so that people with little technical background can manage LDAP data. LAM comes in two editions: the free edition, licensed under the GPL, and the commercial LAM Pro.

This guide shows how to set up an LDAP server with OpenLDAP and LDAP Account Manager on an Ubuntu 22.04 server. It also shows how to create LDAP groups and users from LDIF files, and how to configure an LDAP Account Manager profile for managing the OpenLDAP server.

Prerequisites

Before you begin with this guide, you must have the following prerequisites:

  • An Ubuntu 22.04 server
  • A non-root user with sudo privileges.

Setting Up FQDN (Fully Qualified Domain Name)

Before you begin the installation of the OpenLDAP server, you need to ensure the FQDN (Fully Qualified Domain Name) configuration for the OpenLDAP server is correct. In this demo, we will set up an OpenLDAP server with the server hostname “ldap” and the domain “localdomain.com“, and with the IP address “192.168.5.25“.

Run the below command to set up the FQDN to “ldap.localdomain.com”.

sudo hostnamectl set-hostname ldap.localdomain.com

Edit the file “/etc/hosts” using the following command.

sudo nano /etc/hosts

Add the line below to the file. The format of each “/etc/hosts” entry is “server-IP  fqdn  hostname“.

192.168.5.25 ldap.localdomain.com ldap

Save and close the file when you are done.

Lastly, run the commands below to verify the FQDN of your LDAP server. In this demo, “hostname -f” should print “ldap.localdomain.com“, and pinging the short hostname “ldap” should get replies from the server IP address “192.168.5.25” rather than from the loopback address (Ubuntu maps the hostname to 127.0.1.1 by default).

sudo hostname -f

ping ldap

[Screenshot: setup fqdn]

Installing OpenLDAP Packages

After you have the correct FQDN, it’s time to install OpenLDAP packages which are available by default on the Ubuntu repository.

Before installing packages, run the apt command below to update the package index of your Ubuntu system.

sudo apt update

Now install OpenLDAP packages using the following command. Input Y to confirm the installation and press ENTER, and the installation will begin.

sudo apt install slapd ldap-utils

[Screenshot: install openldap]

During the installation, you will be asked to set a password for the OpenLDAP admin user. This account (“cn=admin” under your base DN) is the directory's rootdn and has unrestricted write access, so choose a strong password. Enter it, select “OK“, and repeat the password; the installation then completes.

[Screenshot: setup admin password]

[Screenshot: confirm admin password]

Configuring OpenLDAP Server

To configure the OpenLDAP server, run the following command. It re-configures the main OpenLDAP package “slapd” and prompts you for the basic settings of the directory.

sudo dpkg-reconfigure slapd

When asked to “Omit OpenLDAP server configuration?“, select “No“. This will set up the OpenLDAP server with a new configuration file and a new database.

[Screenshot: omit configuration: No]

Input the domain name for your OpenLDAP installation and select “Ok“. The domain name is turned into the base DN (Distinguished Name) of your directory: in this demo the domain is “localdomain.com“, so the base DN will be “dc=localdomain,dc=com“.

[Screenshot: setup default dn]

Input the organization name that is stored in the base entry. You can use the domain name for this, or any other name.

[Screenshot: setup organization name]

Now enter the admin password for your OpenLDAP server and repeat it. This replaces the password you set during package installation, so make a note of the one you enter here; it is the password used by every “ldapadd” command and by the LAM login later in this guide.

[Screenshot: confirm openldap password]

[Screenshot: confirm openldap admin password]

When asked whether the database should be removed when slapd is purged, select “No“.

[Screenshot: no purge old database]

Now select “Yes” to move the old OpenLDAP database, and the OpenLDAP configuration is finished.

[Screenshot: move old database]

Below is the output when the OpenLDAP configuration is completed.

[Screenshot: reconfigure openldap]

After reconfiguring the “slapd” package, edit the configuration file “/etc/ldap/ldap.conf” using the command below.

sudo nano /etc/ldap/ldap.conf

Uncomment the line “BASE” and “URI” and input the domain name for your OpenLDAP server. In this demo, the “BASE” here is “dc=localdomain,dc=com” and the “URI” for the OpenLDAP server is “ldap://ldap.localdomain.com“.

BASE dc=localdomain,dc=com

URI  ldap://ldap.localdomain.com

Save and close the file when you are done.

Now restart the “slapd” service and check its status. Restarting is not strictly required, because “/etc/ldap/ldap.conf” is read by the client tools rather than by slapd, but it is harmless, and the status output confirms that the server is running with the base DN “dc=localdomain,dc=com“.

sudo systemctl restart slapd

sudo systemctl status slapd

[Screenshot: check openldap service]

Lastly, run the following command to verify the basic OpenLDAP configuration. It connects over the local Unix socket “ldapi:///” with SASL EXTERNAL, so the root user's identity is used and no password is typed or sent over the network; because no “-b” option is given, the search base comes from the “BASE” line you just set. You should see the base entry “dc=localdomain,dc=com” (and the “cn=admin” entry beneath it).

sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:///
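The reason to prefer ldapi:/// or TLS for anything that binds with a password is visible in the bind itself. The script below is an added example, not code from the original tutorial or from OpenLDAP: it hand-encodes an LDAP v3 simple BindRequest (RFC 4511, BER/ASN.1) for the demo admin DN and parses the matching BindResponse. The DN, the password “secret” and the response bytes are constructed demo values. The password sits verbatim inside the bytes that go to port 389, which is exactly what anyone on the path between a remote client and “ldap://ldap.localdomain.com” would capture.

```python
import socket

# RFC 4511 result codes relevant to binds (subset).
RESULT_NAMES = {
    0: "success",
    8: "strongerAuthRequired",
    13: "confidentialityRequired",
    49: "invalidCredentials",
    53: "unwillingToPerform",
}


def ber(tag, content):
    """Encode one BER TLV with a definite length (short form below 128, long form above)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + content


def ber_int(value, tag=0x02):
    """Encode a non-negative INTEGER (or ENUMERATED with tag 0x0a); pad with 0x00 if the top bit is set."""
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return ber(tag, body)


def bind_request(message_id, bind_dn, password):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] password } }.

    0x60 = APPLICATION 0 constructed (BindRequest), 0x80 = context [0] primitive (simple auth).
    The password is copied in as-is: simple bind has no hashing or challenge on the wire.
    """
    op = ber_int(3) + ber(0x04, bind_dn.encode("utf-8")) + ber(0x80, password.encode("utf-8"))
    return ber(0x30, ber_int(message_id) + ber(0x60, op))


def _tlv(buf, pos):
    """Read one TLV at pos; return (tag, content, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(data):
    """Decode LDAPMessage { messageID, BindResponse [APPLICATION 1] { resultCode, matchedDN, diagnosticMessage } }."""
    tag, msg, _ = _tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _tlv(msg, 0)
    tag, op, _ = _tlv(msg, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    _, rc, pos = _tlv(op, 0)
    result_code = int.from_bytes(rc, "big")
    _, _matched_dn, pos = _tlv(op, pos)
    _, diag, _ = _tlv(op, pos)
    return (int.from_bytes(mid, "big"), result_code,
            RESULT_NAMES.get(result_code, "other"), diag.decode("utf-8", "replace"))


def simple_bind(host, port, bind_dn, password, timeout=5.0):
    """Send the bind over a plain TCP connection (no TLS) and return the parsed response.

    Only for demonstration against a lab server; a BindResponse fits in one small read.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(bind_request(1, bind_dn, password))
        return parse_bind_response(sock.recv(4096))


if __name__ == "__main__":
    req = bind_request(1, "cn=admin,dc=localdomain,dc=com", "secret")  # constructed demo values
    print(req.hex())
    print("password at byte offset", req.find(b"secret"), "of", len(req))
```

Run it and the hex dump ends with the ASCII bytes of “secret”; a packet capture on port 389 shows the same thing. A constructed BindResponse with resultCode 49 (hex 300c02010161070a013104000400) decodes to “invalidCredentials”, which is also what a remote attacker sees when replaying a captured request after the password has been rotated.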

[Screenshot: check base dn]

Setting Up Base Organizational Units

After configuring the base DN (Distinguished Name), you will create two containers under it. Although this guide calls them “base groups“, they are organizational units (objectClass organizationalUnit), not POSIX groups: “ou=People” will hold user accounts and “ou=Groups” will hold groups.

To create new LDAP content such as users and groups, you write the entries in an LDIF file (LDAP Data Interchange Format) and load it with the LDAP tool “ldapadd“.

Create a new LDIF file “base-groups.ldif” using the command below.

sudo nano base-groups.ldif

Add the following two entries to the file. In LDIF the attribute lines of one entry must be contiguous, and entries are separated from each other by exactly one blank line.

dn: ou=People,dc=localdomain,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Groups,dc=localdomain,dc=com
objectClass: organizationalUnit
ou: Groups

Now run the “ldapadd” command below to new base groups through the file “base-groups.ldif“. You will be prompted for the OpenLDAP admin password, so be sure to input the correct password.

sudo ldapadd -x -D cn=admin,dc=localdomain,dc=com -W -f base-groups.ldif

[Screenshot: create base group]

Lastly, run the following command to verify the result. Below the base entry you should now see the two organizational units “ou=People” and “ou=Groups“.

sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:///

[Screenshot: check base group]

Adding a New Group

With the organizational units in place, you can create groups and users. In this section, you will create a new POSIX group from an LDIF file.

Create a new LDIF file “group.ldif” using the following command.

sudo nano group.ldif

Add the following entry to the file. In this example, the group is named “developers“, it is stored under “ou=Groups“, and its gidNumber is “5000“. Keep the attribute lines contiguous.

dn: cn=developers,ou=Groups,dc=localdomain,dc=com
objectClass: posixGroup
cn: developers
gidNumber: 5000

Save and close the file when you are done.

Next, run the “ldapadd” command below to add the new group of “developers“. And be sure to input the admin password for your OpenLDAP server.

sudo ldapadd -x -D cn=admin,dc=localdomain,dc=com -W -f group.ldif

[Screenshot: create new group]

Lastly, run the following command to verify the group “developers“. This is an anonymous search (“-x” without “-D“), which works because the default Ubuntu slapd ACL grants read access to everything except the “userPassword” attribute. You should see the entry “cn=developers,ou=Groups,dc=localdomain,dc=com” with gidNumber “5000“.

sudo ldapsearch -x -LLL -b dc=localdomain,dc=com '(cn=developers)' gidNumber

[Screenshot: check groups]

Adding OpenLDAP Users

After you have created a group, it's time to create an LDAP user from an LDIF file.

Before creating the user, generate a password hash for it with “slappasswd” (no “sudo” needed). Enter the new password twice and copy the value it prints, which starts with “{SSHA}” followed by base64 text. {SSHA} is salted SHA-1, the default scheme of slappasswd; the salt is random, so your hash will differ from the one shown in this demo and from any other run. Storing the hash, rather than the cleartext password, in the “userPassword” attribute is what keeps the password out of the directory.

sudo slappasswd

Now create a new LDIF file “user.ldif” using the following command.

sudo nano user.ldif

Add the following entry to the file, replacing the “userPassword” value with the hash you just generated. In this demo, the user is “john” with the home directory “/home/john” and the login shell “/bin/bash“. The entry lives under “ou=People“; its primary group is set by gidNumber “5000“, i.e. the “developers” group created above. Keep the attribute lines contiguous.

dn: uid=john,ou=People,dc=localdomain,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: john
sn: Doe
givenName: John
cn: John Doe
displayName: John Doe
uidNumber: 10000
gidNumber: 5000
userPassword: {SSHA}ZdNAB uH/zbK1mdS9JWlfOwRDf0mrsla
gecos: John Doe
loginShell: /bin/bash
homeDirectory: /home/john

Save and close the file when you are done.

Next, run the “ldapadd” command below to add a new user within the file “user.ldif“. Now input the admin password for the OpenLDAP server.

sudo ldapadd -x -D cn=admin,dc=localdomain,dc=com -W -f user.ldif

[Screenshot: create ldap user]

Lastly, run the “ldapsearch” command below to check and verify the new LDAP user. And you should get the user “john” created and available on the OpenLDAP server.

sudo ldapsearch -x -LLL -b dc=localdomain,dc=com '(uid=john)' cn uidNumber gidNumber
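Writing the group and user LDIF files by hand, as in the two sections above, works for one demo account, but it is easy to paste a cleartext password into “userPassword” or to let a name with a comma or newline rewrite the DN. The script below is an added example, not part of the original tutorial or of OpenLDAP: it produces the same {SSHA} hash format that “slappasswd” prints and verifies it, and it generates the “developers” group and “john” user records with the base64 encoding that RFC 2849 requires for unsafe values, refusing login names that could not be placed in a DN safely. The base DN and organizational units are the article's; the login-name rule, the minimum uidNumber of 1000 and the demo password “Secret123” are assumptions.

```python
import base64
import hashlib
import hmac
import os
import re

# Values taken from the article; everything else here is an added example.
BASE_DN = "dc=localdomain,dc=com"
PEOPLE_OU = "ou=People," + BASE_DN
GROUPS_OU = "ou=Groups," + BASE_DN

# Conservative login-name rule (assumption): lowercase POSIX-style names only, so a
# name can never smuggle ',' '=' '+' or a newline into the DN or the LDIF body.
_NAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")
_ATTR_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")


def make_ssha(password, salt=b""):
    """Salted SHA-1 in the form slappasswd prints: '{SSHA}' + base64(sha1(pw || salt) || salt)."""
    if not salt:
        salt = os.urandom(4)  # slappasswd also appends a 4-byte random salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(stored, password):
    """Check a password against an {SSHA} value (constant-time comparison of the digests)."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, the rest is the salt
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def ldif_attr(name, value):
    """One 'name: value' line, switched to 'name:: base64' when RFC 2849 says the value is unsafe."""
    if not _ATTR_RE.match(name):
        raise ValueError("bad attribute name %r" % name)
    data = value.encode("utf-8")
    unsafe = (
        data[:1] in (b" ", b":", b"<")          # unsafe leading characters
        or data[-1:] == b" "                    # trailing space
        or any(b in (0x00, 0x0A, 0x0D) or b > 0x7F for b in data)  # NUL, CR, LF, non-ASCII
    )
    if unsafe:
        return "%s:: %s" % (name, base64.b64encode(data).decode("ascii"))
    return "%s: %s" % (name, value)


def ldif_entry(dn, attrs):
    """A complete LDIF record: dn line, contiguous attribute lines, one blank separator line."""
    lines = [ldif_attr("dn", dn)] + [ldif_attr(n, v) for n, v in attrs]
    return "\n".join(lines) + "\n\n"


def build_group_ldif(name, gid_number):
    if not _NAME_RE.match(name):
        raise ValueError("invalid group name %r" % name)
    return ldif_entry("cn=%s,%s" % (name, GROUPS_OU), [
        ("objectClass", "posixGroup"),
        ("cn", name),
        ("gidNumber", str(gid_number)),
    ])


def build_user_ldif(uid, given_name, sn, uid_number, gid_number, password_hash):
    if not _NAME_RE.match(uid):
        raise ValueError("invalid login name %r" % uid)
    if uid_number < 1000:  # assumption: keep directory accounts out of the local system range
        raise ValueError("uidNumber below 1000 collides with local system accounts")
    if not password_hash.startswith("{"):
        raise ValueError("pass a hashed value such as {SSHA}..., never a cleartext password")
    full = "%s %s" % (given_name, sn)
    return ldif_entry("uid=%s,%s" % (uid, PEOPLE_OU), [
        ("objectClass", "inetOrgPerson"),
        ("objectClass", "posixAccount"),
        ("objectClass", "shadowAccount"),
        ("uid", uid), ("sn", sn), ("givenName", given_name),
        ("cn", full), ("displayName", full), ("gecos", full),
        ("uidNumber", str(uid_number)), ("gidNumber", str(gid_number)),
        ("userPassword", password_hash),
        ("loginShell", "/bin/bash"), ("homeDirectory", "/home/%s" % uid),
    ])


if __name__ == "__main__":
    # Writes both records to one file; load it as in the article, for example:
    #   ldapadd -x -D cn=admin,dc=localdomain,dc=com -W -H ldapi:/// -f new-entries.ldif
    pw_hash = make_ssha("Secret123")  # constructed demo password
    with open("new-entries.ldif", "w", encoding="utf-8") as f:
        f.write(build_group_ldif("developers", 5000))
        f.write(build_user_ldif("john", "John", "Doe", 10000, 5000, pw_hash))
    print(pw_hash)
```

The name check does double duty: it keeps the DN well-formed and it blocks LDIF injection, where a value containing a newline would otherwise add attributes (or a second entry) that the caller never intended. Non-ASCII names such as “José” are still accepted in cn and displayName because ldif_attr base64-encodes them.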

[Screenshot: check ldap user]

Installing LDAP Account Manager

At this point, the basic OpenLDAP installation is finished. Next you will install the LDAP Account Manager on the same server. LAM is a web front-end for the OpenLDAP server: it lets you create and manage users, groups and other entries from the web browser.

LAM is available in the default Ubuntu repository. Install it with the apt command below; this pulls in PHP and the Apache2 web server as dependencies. Input Y to confirm the installation and press ENTER to continue.

sudo apt install ldap-account-manager

After the installation completes, open a web browser and visit the server IP address followed by the path “/lam” (i.e. http://192.168.5.25/lam). You should see the LDAP Account Manager login page. Note that the package serves “/lam” on Apache's default virtual host over plain HTTP, so every LAM login would send the OpenLDAP admin password unencrypted across the network. Before using LAM on anything but an isolated lab network, serve it over HTTPS and restrict which hosts can reach the “/lam” path.

Configuring LDAP Account Manager

Before you can manage your OpenLDAP server from LAM, you need to set up a LAM server profile that points at it.

On the LAM login page, click the “LAM configuration” link at the top of the page.

[Screenshot: configure lam]

Now click “Edit server profiles” to set up the LAM profile for your OpenLDAP server.

[Screenshot: setup server profiles]

When asked for the password, enter the default profile password “lam” and click “Login“. The default server profile is also named “lam“, and you will edit it for your OpenLDAP server. Because this well-known default protects the profile settings, including the list of DNs allowed to log in, you must change it; that is done in the “Profile password” section below.

[Screenshot: default password lam]

On the “General settings” page, you will see some of the different settings.

On the “Tools settings“, input the main DN (Distinguished Name) of the OpenLDAP server. In this demo, the DN is “dc=localdomain,dc=com“.

On the “Security settings” section, select the “login method” as “Fixed list”. Then, input details login for the OpenLDAP server. The default user for OpenLDAP is “admin”, so the filed should be like this “cn=admin,dc=localdomain,dc=com“.

Lastly, input a new password on the “Password profile” section. This will change the default password for the profile “lam”. Then, click the “Save” button to apply new changes.

[Screenshot: setup ldap server on lam]

You will be redirected to the LDAP Account Manager login page. Click the “LAM configuration” link again, choose “Edit server profiles” and log in to the profile “lam” with the profile password you just set.

Now open the “Account types” page to tell LAM where users and groups live in the directory.

In the “Users” section, set the LDAP suffix to “ou=People,dc=localdomain,dc=com“: LAM will list and create user accounts under “ou=People“.

In the “Groups” section, set the LDAP suffix to “ou=Groups,dc=localdomain,dc=com“: LAM will list and create groups under “ou=Groups“.

Click “Save” to store the changes to the profile “lam“.

[Screenshot: setup default group]

You will be redirected to the LDAP Account Manager login page once more. The login user is now “admin“, the DN from the fixed list. Enter the OpenLDAP admin password and click “Login“; you should land on the LAM dashboard.

[Screenshot: login to lam with ldap admin]

On the “Users” menu, you should see the user “john” that you just created.

[Screenshot: list of users]

While on the “Groups” menu, you should see the group “developers“.

[Screenshot: list of groups]

Conclusion

Congratulations! You have installed the OpenLDAP server with the LDAP Account Manager (LAM) on Ubuntu 22.04, created an OpenLDAP group and user from LDIF files, and configured a LAM server profile so that the OpenLDAP server can be managed from the LAM web application. Before exposing either service beyond a lab network, enable TLS for LDAP binds and HTTPS for LAM, since both otherwise carry the admin password in cleartext.