OpenLDAP installation steps

Notes: This HOWTO uses somaliren.org.so to provide this guide with example values. Please remember to replace all occurrences of the somaliren.org.so domain name with the domain name of your institution.

Utility

A simple Bash script to convert a domain name into an LDAP Distinguished Name. Create a new file called domain2dn.sh:

    nano domain2dn.sh

Copy and paste the following content into the file:

    #!/usr/bin/env bash
    LDAP_DC_ARRAY=()
    LDAP_DC=""
    echo "Enter your domain name (e.g.: somnog.com):"
    read DOMAIN
    # Split the domain on dots, one label per line
    DCS=$(echo "$DOMAIN" | tr "." "\n")
    for dc in $DCS
    do
        LDAP_DC_ARRAY+=("dc=$dc")
    done
    # Iterate the array and join its elements with commas
    for value in "${LDAP_DC_ARRAY[@]}"
    do
        LDAP_DC+="$value"
        if [[ "$value" != "${LDAP_DC_ARRAY[-1]}" ]]; then
            LDAP_DC+=","
        fi
    done
    # Print the resulting Distinguished Name
    echo "$LDAP_DC"

Save the file: press Ctrl + X, then Y to save, then Enter.

Then set the file permission to make it executable:

    sudo chmod +x domain2dn.sh

Then run the script:

    ./domain2dn.sh

You will see something like this:

    Enter your domain name (e.g.: somnog.com):
    somaliren.org.so

Change somaliren.org.so to your own domain. Then you will get something like this:

    dc=somaliren,dc=org,dc=so

On your OpenLDAP server, follow the steps below to install and configure the OpenLDAP server.

Step 1: Update your server

    sudo apt-get update

Step 2: Install OpenLDAP

    sudo apt-get install slapd ldap-utils

Step 3: Reconfigure OpenLDAP

    sudo dpkg-reconfigure slapd

Answer the questions as follows:

    Omit OpenLDAP server configuration: no
    DNS domain name: somaliren.org.so
    Organization name: SomNOG
    Administrator password: somnog
    Confirm password: somnog
    Database backend: MDB
    Do you want the database to be removed when slapd is purged: yes
    Move old database: yes
    Allow LDAPv2 protocol: no

Step 3 (continued): Start your OpenLDAP database and ensure it is working with the commands below.
    sudo systemctl start slapd
    sudo ps -ef | grep slapd

To test it, run:

    ldapsearch -x

Use ldapsearch as follows to query our newly added domain, somaliren.org.so:

    ldapsearch -x -LLL -H ldap:/// -b dc=somaliren,dc=org,dc=so dn

The following command will query the default content for somaliren.org.so:

    ldapsearch -x -LLL -b dc=somaliren,dc=org,dc=so

Step 4: Creating a base LDIF file

Create a file with the content below for your base directory structure:

    nano base.ldif

    dn: ou=Groups,dc=somaliren,dc=org,dc=so
    ou: Groups
    objectClass: top
    objectClass: organizationalUnit

    dn: ou=Users,dc=somaliren,dc=org,dc=so
    ou: Users
    objectClass: top
    objectClass: organizationalUnit

Step 5: Upload your base LDIF file to LDAP

Run the command below to upload your base LDIF file into the LDAP server:

    ldapadd -x -W -D "cn=admin,dc=somaliren,dc=org,dc=so" -f base.ldif

Supply your LDAP admin password and you should see feedback as below:

    adding new entry "ou=Groups,dc=somaliren,dc=org,dc=so"
    adding new entry "ou=Users,dc=somaliren,dc=org,dc=so"

Step 6: Creating a person LDIF file

Create a file with the content below; it defines a POSIX group and a user account:

    nano person.ldif

    dn: cn=biixi,ou=Groups,dc=somaliren,dc=org,dc=so
    cn: biixi
    gidNumber: 4001
    objectClass: posixGroup

    dn: uid=biixi,ou=Users,dc=somaliren,dc=org,dc=so
    uid: biixi
    uidNumber: 4001
    gidNumber: 4001
    cn: Abdullahi Biixi
    sn: Biixi
    objectClass: posixAccount
    objectClass: organizationalPerson
    loginShell: /bin/bash
    homeDirectory: /home/biixi

Step 7: Upload your person LDIF file to LDAP

Run the command below to upload your person LDIF file into the LDAP server:

    ldapadd -x -W -D "cn=admin,dc=somaliren,dc=org,dc=so" -f person.ldif

Supply your LDAP admin password and you should see feedback as below:

    adding new entry "cn=biixi,ou=Groups,dc=somaliren,dc=org,dc=so"
    adding new entry "uid=biixi,ou=Users,dc=somaliren,dc=org,dc=so"

Step 8: Setting up user credentials

Run the command below to create a password for the user account just created:
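As an added example, not code from the original guide, the script below generalises the domain2dn.sh utility and the two LDIF files above: it derives the base DN from any domain name, refuses input that would produce a syntactically invalid DN (empty labels, characters outside a DNS label), and prints base.ldif and person.ldif entries for a given login so that the hard-coded somaliren.org.so and biixi values can be regenerated for another institution instead of being edited by hand. The function names domain2dn, base_ldif and person_ldif and the file name ldif_gen.sh are my own; the attribute layout is exactly the guide's.

```shell
#!/usr/bin/env sh
# Added example, not part of the original guide: derive the LDAP base DN from a
# domain name (the job of domain2dn.sh) and generate the base and person LDIF
# entries from it. Sample values are the guide's constructed examples.

# domain2dn DOMAIN
#   Prints "dc=label,dc=label,...". Lower-cases the name, drops a trailing dot,
#   and rejects characters that are not valid in a DNS label or empty labels
#   such as "a..b", which would otherwise yield an invalid DN.
domain2dn() {
    _domain=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//')
    case "$_domain" in
        ''|*[!a-z0-9.-]*) echo "domain2dn: invalid domain '$1'" >&2; return 1 ;;
    esac
    _dn=""
    _old_ifs=$IFS
    IFS=.
    for _label in $_domain; do
        if [ -z "$_label" ]; then
            IFS=$_old_ifs
            echo "domain2dn: empty label in '$1'" >&2
            return 1
        fi
        _dn="${_dn:+$_dn,}dc=$_label"
    done
    IFS=$_old_ifs
    printf '%s\n' "$_dn"
}

# base_ldif DOMAIN
#   Prints the Groups and Users organizational units (Step 4) under DOMAIN.
base_ldif() {
    _base=$(domain2dn "$1") || return 1
    for _ou in Groups Users; do
        printf 'dn: ou=%s,%s\nou: %s\nobjectClass: top\nobjectClass: organizationalUnit\n\n' \
            "$_ou" "$_base" "$_ou"
    done
}

# person_ldif DOMAIN LOGIN IDNUM "FULL NAME" SURNAME
#   Prints a posixGroup entry plus a posixAccount entry (Step 6). As in the
#   guide, the group and the account share one number, so IDNUM must be numeric.
person_ldif() {
    _base=$(domain2dn "$1") || return 1
    _login=$2; _idnum=$3; _fullname=$4; _sn=$5
    case "$_idnum" in
        ''|*[!0-9]*) echo "person_ldif: IDNUM must be a number, got '$_idnum'" >&2; return 1 ;;
    esac
    case "$_login" in
        ''|*[!a-z0-9_-]*) echo "person_ldif: LOGIN must be a lower-case POSIX user name" >&2; return 1 ;;
    esac
    printf 'dn: cn=%s,ou=Groups,%s\ncn: %s\ngidNumber: %s\nobjectClass: posixGroup\n\n' \
        "$_login" "$_base" "$_login" "$_idnum"
    printf 'dn: uid=%s,ou=Users,%s\nuid: %s\nuidNumber: %s\ngidNumber: %s\ncn: %s\nsn: %s\n' \
        "$_login" "$_base" "$_login" "$_idnum" "$_idnum" "$_fullname" "$_sn"
    printf 'objectClass: posixAccount\nobjectClass: organizationalPerson\n'
    printf 'loginShell: /bin/bash\nhomeDirectory: /home/%s\n' "$_login"
}

# Usage: ./ldif_gen.sh DOMAIN LOGIN IDNUM "FULL NAME" SURNAME > entries.ldif
# e.g.:  ./ldif_gen.sh somaliren.org.so biixi 4001 "Abdullahi Biixi" Biixi
# The OUs are printed first, so the one file can be fed to ldapadd as a whole.
if [ "$#" -eq 5 ]; then
    base_ldif "$1" && person_ldif "$@"
fi
```

The output of the usage line above is the concatenation of the guide's base.ldif and person.ldif, so it can be loaded with the same ldapadd command as in Step 5; the validation in domain2dn and person_ldif only makes the script fail early on input that the server would reject anyway.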
    sudo ldappasswd -s somnog123 -W -D "cn=admin,dc=somaliren,dc=org,dc=so" -x "uid=biixi,ou=Users,dc=somaliren,dc=org,dc=so"

Step 9: Check your LDAP directory structure

Run the command below to check that the LDIF files you uploaded form the LDAP directory structure in your database:

    sudo slapcat

You should see the entire OpenLDAP database.

At this point, the LDAP server is working and we now focus on configuring the clients. Go to your client and follow the steps below.

Step 10: Adding Ubuntu server logins with LDAP as a client

10.1. Install the LDAP client-side package on the client system. This package installs all the tools required to authenticate against the remote LDAP server:

    sudo apt-get update
    sudo apt-get install ldap-auth-client nscd

10.2. The installation process will ask you some questions about your LDAP server and its authentication details. Answer them as follows:

    LDAP server URI: ldap://your-LDAP-server-IP (make sure you change the pre-filled ldapi:/// to ldap://)
    Distinguished name of the search base: match this to the domain set on the LDAP server, in the format dc=example,dc=com
    LDAP version to use: 3
    Make local root database admin: Yes
    Does the LDAP database require login: No
    LDAP account for root: cn=admin,dc=somaliren,dc=org,dc=so
    LDAP root account password: the password of the LDAP admin account; in this guide, somnog

10.3. Next, change the authentication configuration to consult the LDAP server. First, run the following command to set up the name service switch file /etc/nsswitch.conf:

    sudo auth-client-config -t nss -p lac_ldap

This will change /etc/nsswitch.conf as follows:

    passwd: files ldap
    group: files ldap
    shadow: files ldap

10.4. Next, add the following line to /etc/pam.d/common-session. This will create a local home directory for LDAP users on first login.
Edit the common-session file and add the following line at the end of the file:

    session required pam_mkhomedir.so umask=0022 skel=/etc/skel

Now restart the nscd service with the following command:

    sudo /etc/init.d/nscd restart

To test it while logged in on your client machine, switch to the user we created on the OpenLDAP server. First check that this user does not exist on your local machine; in this guide we created a user called biixi, so if you changed it, use your own user name:

    cat /etc/passwd | grep biixi

You should not see any entry for user biixi in the passwd file. Then switch to biixi; after running the following command, the system should prompt for the user's password:

    su - biixi

Congratulations! If you managed to log in as biixi from your client machine, you have a working centralized identity service.
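The client steps 10.2 to 10.4 and the final su test each depend on one setting being right (a remote ldap:// URI rather than the default ldapi:///, ldap listed for passwd, group and shadow in /etc/nsswitch.conf, an active pam_mkhomedir line, and no local account shadowing the LDAP one). As an added example, not code from the original guide, the script below checks each of those from a file or value passed as an argument, so it can be run against copies before touching the live files; the function names, the file name client_check.sh and the sample files written by make_samples are my own constructions.

```shell
#!/usr/bin/env sh
# Added example, not part of the original guide: offline checks for the
# client-side configuration made in Step 10. Every check takes the file or
# value to inspect as an argument; make_samples writes constructed sample
# files for demonstration, they are not real system files.

# ldap_uri_ok URI
#   Returns 0 for ldap://host or ldaps://host and 1 for anything else, including
#   the ldapi:/// default, which is a local socket and cannot reach a remote server.
ldap_uri_ok() {
    case "$1" in
        ldap://[!/]*|ldaps://[!/]*) return 0 ;;
        *) return 1 ;;
    esac
}

# nss_uses_ldap NSSWITCH_FILE
#   Returns 0 when the passwd, group and shadow databases all list the ldap
#   source (what auth-client-config leaves behind); names a missing one on stderr.
#   Commented-out lines are ignored, and "ldap" must be a whole source token.
nss_uses_ldap() {
    for _db in passwd group shadow; do
        grep -Eq "^[[:space:]]*$_db:([[:space:]]+[^[:space:]#]+)*[[:space:]]+ldap([[:space:]]|$)" "$1" || {
            echo "nsswitch: database '$_db' does not consult ldap in $1" >&2
            return 1
        }
    done
}

# pam_has_mkhomedir COMMON_SESSION_FILE
#   Returns 0 when an active (uncommented) pam_mkhomedir.so session line exists.
pam_has_mkhomedir() {
    grep -Eq '^[[:space:]]*session[[:space:]]+(required|optional)[[:space:]]+pam_mkhomedir\.so' "$1"
}

# local_user_absent LOGIN PASSWD_FILE
#   Returns 0 when LOGIN has no entry in the local passwd file, so with
#   "passwd: files ldap" the account can only be served by LDAP.
local_user_absent() {
    ! grep -q "^$1:" "$2"
}

# make_samples DIR
#   Writes constructed good and bad versions of the inspected files into DIR.
make_samples() {
    cat > "$1/nsswitch.good" <<'EOF'
# sample /etc/nsswitch.conf (constructed)
passwd:         files ldap
group:          files ldap
shadow:         files ldap
hosts:          files dns
EOF
    cat > "$1/nsswitch.bad" <<'EOF'
passwd:         files
group:          files ldap
shadow:         files ldap
EOF
    cat > "$1/common-session.good" <<'EOF'
session required pam_unix.so
session required pam_mkhomedir.so umask=0022 skel=/etc/skel
EOF
    cat > "$1/common-session.bad" <<'EOF'
session required pam_unix.so
# session required pam_mkhomedir.so umask=0022 skel=/etc/skel
EOF
    cat > "$1/passwd.sample" <<'EOF'
root:x:0:0:root:/root:/bin/bash
biixi-local:x:1001:1001::/home/biixi-local:/bin/bash
EOF
}

# Usage on a client: ./client_check.sh LOGIN URI   (e.g. biixi ldap://10.0.0.5)
if [ "$#" -eq 2 ]; then
    ldap_uri_ok "$2" || echo "URI '$2' is not a remote ldap:// or ldaps:// URI"
    nss_uses_ldap /etc/nsswitch.conf || true
    pam_has_mkhomedir /etc/pam.d/common-session || echo "no active pam_mkhomedir line in common-session"
    local_user_absent "$1" /etc/passwd || echo "'$1' also exists locally and will shadow the LDAP account"
    if getent passwd "$1" >/dev/null; then
        echo "'$1' resolves through NSS; su - $1 should now prompt for the LDAP password"
    else
        echo "'$1' does not resolve; check the LDAP URI, nsswitch.conf and restart nscd"
    fi
fi
```

The getent call at the end is the non-interactive form of the guide's su test: it asks the name service switch for the account without logging in, which is the quickest way to tell an nsswitch or nscd problem from a wrong password.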