Supply Chain Management Blogs by SAP
marcoporru
Advisor
In my recent work, I have set up several examples that involve the Essential Business Functions module of SAP Leonardo IoT Edge Services.

Using this module often requires authenticating a given user against an LDAP server.

Since I don't have any ready-made LDAP server available, I have decided to build my own from scratch in an Ubuntu 18.04 LTS virtual machine.

I will reuse this server for the Edge Services integrations that I'm going to share in my next blog posts.

Is it an empty machine or do you need to reconfigure an existing LDAP server?


If you have already tried to install the LDAP server, or a partial installation has already been executed, the cleanest solution (as suggested in many blog posts and questions on several internet portals) is to reset and purge the slapd and ldap-utils packages.

In case you are really starting from scratch, you can skip this step.
sudo apt-get purge slapd ldap-utils


Prepare the machine and install the LDAP server


It is good practice to set the hostname of the machine properly and to map that hostname to each IP address associated with the virtual machine.

Use the following Linux command to discover the IP addresses of the virtual machine (on Ubuntu 18.04 ifconfig comes from the net-tools package; if it is not installed, ip addr shows the same information):
ifconfig

Let's assume that my virtual machine has 2 IP addresses: 52.59.52.59 and 10.251.251.10. Add an entry for each of them to /etc/hosts with the following commands (the addresses match the ones used in the rest of this post):
echo "52.59.52.59 SAAP.user.com" | sudo tee -a /etc/hosts
echo "10.251.251.10 SAAP.user.com" | sudo tee -a /etc/hosts
sudo hostnamectl set-hostname SAAP.user.com

With the above commands, we have set SAAP.user.com as the hostname of my virtual machine.

Now let's proceed with the installation of the LDAP required software: slapd and ldap-utils
sudo apt update
sudo apt -y install slapd ldap-utils

During the installation, you are asked to set an administrator password; use your favorite password. In this example, we have used Password1.

Now reconfigure the slapd package
sudo dpkg-reconfigure slapd

and use the following details:

  • Omit initial configuration: No

  • DNS domain name: user.com

  • Password: Password1

  • Database type: MDB

  • Remove db when purged: Yes

  • Move old database: Yes

  • Org name: SAAP


I'd also suggest installing the LDAP Account Manager graphical UI. It is an optional step, not required for the setup of the LDAP server, but if you are not an LDAP expert it is useful for navigating the server structure.
sudo apt -y install apache2 php php-cgi libapache2-mod-php php-mbstring php-common php-pear
sudo a2enconf php7.2-cgi
sudo systemctl reload apache2
sudo apt -y install ldap-account-manager

Now edit the file /etc/apache2/conf-enabled/ldap-account-manager.conf with your favorite editor
sudo vim /etc/apache2/conf-enabled/ldap-account-manager.conf

and limit the access to Account Manager to the desired interfaces, for example with the following modification:
#Require all granted
Require ip 127.0.0.1 10.251.251.10/24

With this configuration, the Account Manager is reachable only from localhost and from clients in the 10.251.251.0/24 network (the subnet that contains the interface 10.251.251.10); requests arriving through 52.59.52.59 are rejected. Note that the /24 suffix admits the whole subnet, not just that single interface.

If you would like to have it accessible from any IP, keep the file as is with the setting Require all granted.
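To see how Apache evaluates such a Require line before relying on it, here is an added Python example (not code from this post, nor from Apache or LDAP Account Manager) that parses a "Require ip" line with the standard library ipaddress module and tests client addresses against it. The line and the client addresses are the ones used in this post; Apache's partial-address form (for example "Require ip 10.251") is not handled.

```python
import ipaddress
from typing import List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample: the edited line from ldap-account-manager.conf in this post.
LAM_REQUIRE_LINE = "Require ip 127.0.0.1 10.251.251.10/24"


def parse_require_ip(line: str) -> List[Network]:
    """Turn an Apache 'Require ip <addr-or-cidr> ...' line into a list of networks.

    A bare address becomes a /32 (or /128 for IPv6). A CIDR with host bits set is
    normalised to its network, which is why 10.251.251.10/24 means 10.251.251.0/24.
    Apache's partial-address form ('Require ip 10.251') is not supported here."""
    parts = line.split()
    if len(parts) < 3 or parts[0] != "Require" or parts[1] != "ip":
        raise ValueError("expected a 'Require ip ...' line")
    return [ipaddress.ip_network(token, strict=False) for token in parts[2:]]


def client_allowed(line: str, client: str) -> bool:
    """Would mod_authz_host grant this client under the given Require line?"""
    if line.split() == ["Require", "all", "granted"]:
        return True  # the original, unrestricted setting
    addr = ipaddress.ip_address(client)
    return any(addr in net for net in parse_require_ip(line))


if __name__ == "__main__":
    for client in ("127.0.0.1", "10.251.251.10", "10.251.251.200", "52.59.52.59"):
        print(client, "allowed" if client_allowed(LAM_REQUIRE_LINE, client) else "denied")
```

Running it shows that 10.251.251.200 is admitted as well, because the /24 covers the whole subnet, while 52.59.52.59 is denied.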


Install a second database


Create the directory for the new database, give it to the openldap user, and then edit the AppArmor profile of slapd so that it may use that directory:
root@SAAP:~/ldap# mkdir /var/lib/ldap-mdb
root@SAAP:~/ldap# chown openldap:openldap /var/lib/ldap-mdb
root@SAAP:~/ldap# vim /etc/apparmor.d/usr.sbin.slapd

Add these lines to /etc/apparmor.d/usr.sbin.slapd, in addition to the existing configuration (don't remove the existing entries):
# the databases and logs
/var/lib/ldap-mdb/ r,
/var/lib/ldap-mdb/** rwk,

# lock file
/var/lib/ldap-mdb/alock kw,

Reload AppArmor so that the updated profile takes effect:
root@SAAP:~/ldap# service apparmor reload

Generate the {SSHA} hash of the admin password for the new database (Password1 again in this example); slappasswd prints it after the confirmation prompt:
root@SAAP:~/ldap# slappasswd -h {SSHA}
New password:
Re-enter new password:
{SSHA}UeRTHEhF/6HSSHAtIHSTRING9l9ynYW1

Create the database configuration in a file that we have called domain2_conf.ldif with the following content
dn: olcDatabase=mdb,cn=config
changetype: add
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDbDirectory: /var/lib/ldap-mdb/
olcDatabase: mdb
olcDbIndex: objectClass eq
olcLastMod: TRUE
olcMonitoring: TRUE
olcDBNoSync: TRUE
olcSuffix: dc=People
olcAccess: to dn.base="" by * read
olcAccess: to * by dn="cn=admin,dc=People" write by * read
olcRootDN: cn=admin,dc=People
olcRootPW: {SSHA}UeRTHEhF/6HSSHAtIHSTRING9l9ynYW1
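One thing worth checking in this configuration is what the two olcAccess rules actually grant. With only "to *" followed by "by * read", an unauthenticated client may read every attribute under dc=People, including the userPassword hashes of the users created later in this post. The added Python example below (not from the post, nor OpenLDAP code) models slapd's first-match access evaluation over a constructed copy of these rules and over a variant that inserts the userPassword rule Debian's packaged slapd uses for its default database; that hardened LDIF is an assumption of the example, not something the post shows. The parser is simplified to the clause forms that appear here ("*", dn.base="...", attrs=...).

```python
import re
from typing import List

# Constructed copy of the access-related lines of domain2_conf.ldif from this post.
POST_CONF_LDIF = """dn: olcDatabase=mdb,cn=config
changetype: add
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcSuffix: dc=People
olcAccess: to dn.base="" by * read
olcAccess: to * by dn="cn=admin,dc=People" write by * read
olcRootDN: cn=admin,dc=People
"""

# Assumed hardened variant: a userPassword rule placed before the catch-all, in the
# style of the rule Debian's slapd package applies to its default database.
HARDENED_CONF_LDIF = """dn: olcDatabase=mdb,cn=config
changetype: add
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcSuffix: dc=People
olcAccess: to dn.base="" by * read
olcAccess: to attrs=userPassword by self write by anonymous auth by * none
olcAccess: to * by dn="cn=admin,dc=People" write by * read
olcRootDN: cn=admin,dc=People
"""

ANONYMOUS_MATCHERS = {"*", "anonymous"}  # <who> forms that cover an unauthenticated client


def parse_olc_access(ldif: str) -> List[str]:
    """Return olcAccess values in the order slapd evaluates them, minus any {n} prefix."""
    rules = []
    for line in ldif.splitlines():
        if line.lower().startswith("olcaccess:"):
            value = line.split(":", 1)[1].strip()
            rules.append(re.sub(r"^\{\d+\}", "", value))
    return rules


def _target_matches(target: str, dn: str, attr: str) -> bool:
    """Simplified <what> matching: '*', dn.base="..." and attrs=a,b,c only."""
    target = target.strip()
    if target == "*":
        return True
    m = re.fullmatch(r'dn\.base="([^"]*)"', target)
    if m:
        return m.group(1).lower() == dn.lower()
    m = re.fullmatch(r"attrs=([\w,]+)", target)
    if m:
        return attr.lower() in {a.lower() for a in m.group(1).split(",")}
    return False


def anonymous_access(rules: List[str], dn: str, attr: str) -> str:
    """Access level an anonymous client gets to attr of dn under ordered rules.

    First <what> clause covering the target decides; inside it, the first <who>
    clause covering the requester decides. No match is treated as 'none'
    (slapd's implicit trailing 'by * none')."""
    for rule in rules:
        m = re.match(r"to\s+(.*?)\s+by\s+(.*)$", rule)
        if not m or not _target_matches(m.group(1), dn, attr):
            continue
        for clause in re.split(r"\bby\s+", m.group(2)):
            who, level = clause.strip().rsplit(None, 1)
            if who in ANONYMOUS_MATCHERS:
                return level
        return "none"
    return "none"


def password_hashes_exposed(ldif: str, sample_dn: str = "uid=EBEF,dc=People") -> bool:
    """True when an anonymous client can read userPassword, i.e. the stored {SSHA} hashes."""
    level = anonymous_access(parse_olc_access(ldif), sample_dn, "userPassword")
    return level in {"read", "write", "manage"}


if __name__ == "__main__":
    print("post config exposes hashes:", password_hashes_exposed(POST_CONF_LDIF))        # True
    print("hardened config exposes hashes:", password_hashes_exposed(HARDENED_CONF_LDIF))  # False
```

The hardened variant still lets the Edge Services user bind (anonymous gets "auth" on userPassword, which is what a simple bind needs) and still lets anyone read the other attributes, so the integration described in this post keeps working.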

Apply it to the running slapd configuration through the local ldapi socket
root@SAAP:~/ldap# ldapmodify -Y EXTERNAL -H ldapi:/// -f domain2_conf.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "olcDatabase=mdb,cn=config"

Now add the top-level entries of the People database. Create a file named domain2_db.ldif
dn: dc=People
objectClass: top
objectClass: dcObject
objectClass: organization
dc: People
o: People
description: People

dn: cn=admin,dc=People
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
userPassword: {SSHA}UeRTHEhF/6HSSHAtIHSTRING9l9ynYW1
description: People Manager

And now load it into the new database
root@SAAP:~/ldap# ldapadd -x -D "cn=admin,dc=People" -w Password1 -f domain2_db.ldif
adding new entry "dc=People"

adding new entry "cn=admin,dc=People"


Install Apache Directory Studio


The tool is currently available from the Apache Directory Studio homepage (https://directory.apache.org/studio/).

Open Directory Studio and, from the File menu, create a New LDAP Connection.

When creating the new LDAP connection, use the IP address of your virtual machine in the Hostname field. Choose any name for the connection and keep the default values for the other parameters.



Complete the wizard with the following details for the connection:

  • Simple authentication

  • Bind DN: cn=admin,dc=People

  • Password: Password1




Now we need to create a new entry under the root entry dc=People.



In the wizard, choose to create the entry from scratch. In the list of object classes, select uidObject.



In the next step, the wizard asks for the Distinguished Name; for the RDN field select uid and enter EBEF as its value, to create a user called EBEF.



Before completing the wizard, add the following attributes in the last window, pressing the plus button for each one:



  • sn=EBEF

  • cn=EBEF

  • objectClass=inetOrgPerson (structural)

  • objectClass=organizationalPerson (structural)

  • objectClass=person (structural)

  • userPassword

    • use SSHA as hash

    • “Initial” as password
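Here is the same entry built as LDIF instead of through the wizard, as an added Python example that is not part of the original post. It encodes the MUST attributes of the object classes chosen above, taken from the standard schema (RFC 4519 and RFC 2798): person requires sn and cn, which is why the wizard makes you add them, and uidObject requires uid. An entry lacking one of them is refused, just as slapd would refuse it. The {SSHA} value is expected from slappasswd -h {SSHA}; the one used in the sample run is a constructed placeholder. The resulting file can be loaded with the same ldapadd command used above for domain2_db.ldif.

```python
from typing import Dict, List

# Constructed subset of the standard schema: MUST attributes per object class.
MUST_ATTRS: Dict[str, List[str]] = {
    "top": ["objectClass"],
    "person": ["sn", "cn"],          # the reason sn and cn are required in the wizard
    "organizationalPerson": [],      # adds only optional (MAY) attributes
    "inetOrgPerson": [],             # adds only optional (MAY) attributes
    "uidObject": ["uid"],            # auxiliary class carrying the RDN attribute
}
# Superior-class chain, so that choosing inetOrgPerson also pulls in person's MUSTs.
SUPERIOR: Dict[str, str] = {
    "person": "top",
    "organizationalPerson": "person",
    "inetOrgPerson": "organizationalPerson",
    "uidObject": "top",
}


def expand_object_classes(classes: List[str]) -> List[str]:
    """Add every superior class, as slapd does when it validates an entry."""
    seen: List[str] = []
    for oc in classes:
        while oc and oc not in seen:
            seen.append(oc)
            oc = SUPERIOR.get(oc, "")
    return seen


def missing_must_attributes(entry: Dict[str, object]) -> List[str]:
    """Required attributes absent from the entry (LDAP attribute names are
    case-insensitive, so the comparison is too)."""
    present = {name.lower() for name in entry}
    required = set()
    for oc in expand_object_classes(list(entry.get("objectClass", []))):
        required.update(MUST_ATTRS.get(oc, []))
    return sorted(a for a in required if a.lower() not in present)


def build_user_ldif(uid: str, ssha_password: str, base_dn: str = "dc=People") -> str:
    """LDIF for the entry the Directory Studio wizard creates, ready for ldapadd.

    ssha_password is a value produced by slappasswd -h {SSHA}."""
    entry = {
        "objectClass": ["inetOrgPerson", "organizationalPerson", "person", "uidObject"],
        "uid": uid,
        "sn": uid,
        "cn": uid,
        "userPassword": ssha_password,
    }
    missing = missing_must_attributes(entry)
    if missing:
        raise ValueError("entry is missing required attributes: " + ", ".join(missing))
    lines = [f"dn: uid={uid},{base_dn}"]
    for name, value in entry.items():
        for v in (value if isinstance(value, list) else [value]):
            lines.append(f"{name}: {v}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # "{SSHA}PLACEHOLDER" stands in for real slappasswd output (constructed value).
    print(build_user_ldif("EBEF", "{SSHA}PLACEHOLDER"))
    print(missing_must_attributes({"objectClass": ["uidObject", "inetOrgPerson"], "uid": "EBEF"}))
```

Save the printed LDIF as user.ldif and load it with ldapadd -x -D "cn=admin,dc=People" -w Password1 -f user.ldif; the second print shows ['cn', 'sn'], the attributes the wizard would complain about if they were left out.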




This is the correct setup for the password



Finally, your object should look like the following picture




Conclusion


In this blog post, we have learned how to correctly configure an LDAP server in an Ubuntu 18.04 virtual machine.

We have also learned how to correctly configure the users that will be used in the SAP Leonardo IoT Edge Services examples.