
Create an LDAP server in a standalone virtual machine

In my recent experience, I have set up several examples that involve the Essential Business Functions module of SAP Leonardo IoT Edge Services.

The usage of this module often requires the authentication of a certain user over an LDAP server.

Since I don’t have any pre-cooked LDAP server available, I have decided to create my own server starting from scratch in an Ubuntu 18.04 LTS virtual machine.

I will reuse this server for the Edge Services integrations that I’m going to share in my next blog posts.

Is it an empty machine or do you need to reconfigure an existing LDAP server?

Let’s consider that you have already tried to install the LDAP server, or that a partial installation has already been executed; as suggested in many blog posts and questions on several internet portals, the best solution is to reset and purge the slapd and ldap-utils packages.

In case you are really starting from scratch, you can skip this step.

sudo apt-get purge slapd ldap-utils


Prepare the machine and install the LDAP server

It’s a good practice to set the hostname of the machine properly and to define a host entry for each IP address associated with the virtual machine.

Let’s assume that my virtual machine has 2 IP addresses: 52.59.52.59 and 10.251.251.10

echo "52.59.52.59 SAAP.user.com" | sudo tee -a /etc/hosts
echo "10.251.251.10 SAAP.user.com" | sudo tee -a /etc/hosts
sudo hostnamectl set-hostname SAAP.user.com

With the above commands, we have set SAAP.user.com as the hostname of the virtual machine.

Now let’s proceed with the installation of the required LDAP software: slapd and ldap-utils

sudo apt update
sudo apt -y install slapd ldap-utils

During the installation, you are asked to set an administrator password; use your favorite password. In this example, we have used Password1.

Now reconfigure the service

sudo dpkg-reconfigure slapd

and use the following details:

  • Omit initial configuration: No
  • DNS domain name: user.com
  • Password: Password1
  • Database type: MDB
  • Remove db when purged: Yes
  • Move old database: Yes
  • Org name: SAAP

I’d like to suggest that you install the LDAP Account Manager graphical UI. It is an optional step, not required for the setup of the LDAP server, but it is useful for navigating the server structure, especially if you are not an LDAP expert.

sudo apt -y install apache2 php php-cgi libapache2-mod-php php-mbstring php-common php-pear
sudo a2enconf php7.2-cgi
sudo systemctl reload apache2
sudo apt -y install ldap-account-manager

Now edit the file /etc/apache2/conf-enabled/ldap-account-manager.conf with your favorite editor

sudo vim /etc/apache2/conf-enabled/ldap-account-manager.conf

and limit the access to Account Manager to the desired interfaces, for example with the following modification:

#Require all granted
Require ip 127.0.0.1 10.251.251.10/24

This configuration only permits access to the Account Manager from localhost and from the 10.251.251.10/24 network (the subnet of the second interface), but not from 52.59.52.59.

If you would like to have it accessible from any IP, keep the file as is with the setting Require all granted.


Install a second database

Create the directory structure for the database

root@SAAP:~/ldap# mkdir /var/lib/ldap-mdb
root@SAAP:~/ldap# chown openldap:openldap /var/lib/ldap-mdb

The new directory is outside the paths that the default AppArmor profile allows slapd to use, so add the following lines to /etc/apparmor.d/usr.sbin.slapd

root@SAAP:~/ldap# vim /etc/apparmor.d/usr.sbin.slapd
# the databases and logs
/var/lib/ldap-mdb/ r,
/var/lib/ldap-mdb/** rwk,

# lock file
/var/lib/ldap-mdb/alock kw,

and reload the profiles

root@SAAP:~/ldap# service apparmor reload

Generate the SSHA hash of the new password Password1 (the hash shown here is illustrative; your value will differ because of the random salt)

root@SAAP:~/ldap# slappasswd -h {SSHA}
New password:
Re-enter new password:
{SSHA}UeRTHEhF/6HSSHAtIHSTRING9l9ynYW1

Create the database configuration: a file that we have called domain2_conf.ldif with the following content

dn: olcDatabase=mdb,cn=config
changetype: add
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDbDirectory: /var/lib/ldap-mdb/
olcDatabase: mdb
olcDbIndex: objectClass eq
olcLastMod: TRUE
olcMonitoring: TRUE
olcDBNoSync: TRUE
olcSuffix: dc=People
olcAccess: to dn.base="" by * read
olcAccess: to * by dn="cn=admin,dc=People" write by * read
olcRootDN: cn=admin,dc=People
olcRootPW: {SSHA}UeRTHEhF/6HSSHAtIHSTRING9l9ynYW1

Change the current slapd configuration

root@SAAP:~/ldap# ldapmodify -Y EXTERNAL -H ldapi:/// -f domain2_conf.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "olcDatabase=mdb,cn=config"

Add the top-level entry and the admin entry of the new People database. Create a file named domain2_db.ldif

dn: dc=People
objectClass: top
objectClass: dcObject
objectClass: organization
dc: People
o: People
description: People

dn: cn=admin,dc=People
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
userPassword: {SSHA}UeRTHEhF/6HSSHAtIHSTRING9l9ynYW1
description: People Manager

And now commit the changes (-w takes the password on the command line; -W prompts for it instead, which keeps it out of the shell history)

root@SAAP:~/ldap# ldapadd -x -D "cn=admin,dc=People" -w Password1 -f domain2_db.ldif
adding new entry "dc=People"

adding new entry "cn=admin,dc=People"


Install Apache Directory Studio

The tool is currently available here: Apache Directory Studio Homepage

Open Directory Studio and, from the File menu, create a New LDAP Connection.

Complete the wizard with the following details for the connection:

  • Simple authentication
  • Bind DN: cn=admin,dc=People
  • Password: Password1

Now we need to create a new entry under the root dc=People.

In the wizard, select to start from scratch. In the list of object classes, select uidObject.

In the next step, the wizard asks you for the Distinguished Name; for the RDN field select uid and enter EBEF as the value to create a user called EBEF.

Before completing the wizard, add the following attributes in the last window, pressing the plus button for each one:

  • sn=EBEF
  • cn=EBEF
  • objectClass=inetOrgPerson (structural)
  • objectClass=organizationalPerson (structural)
  • objectClass=person (structural)
  • userPassword
    • use SSHA as hash
    • “Initial” as password

This is the correct setup for the password

Finally, your object should look like the following picture
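As an added example that is not part of the original post: the {SSHA} scheme that slappasswd and the wizard's userPassword field use (base64 of the SHA-1 digest of password plus salt, followed by the salt), together with the LDIF equivalent of the wizard steps for the EBEF user, so the entry can be loaded with ldapadd instead of being clicked through. The function names are mine; it runs offline without an LDAP server.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return a value in the format slappasswd -h {SSHA} prints:
    '{SSHA}' + base64(sha1(password || salt) || salt)."""
    if salt is None:
        salt = os.urandom(4)  # slappasswd uses a short random salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a password against a stored userPassword value.
    The scheme tag is case-insensitive; the salt is whatever follows
    the 20-byte SHA-1 digest. Malformed values never verify."""
    if stored[:6].upper() != "{SSHA}":
        return False
    try:
        raw = base64.b64decode(stored[6:], validate=True)
    except ValueError:
        return False
    if len(raw) <= 20:
        return False
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    # constant-time comparison, as a directory server should do
    return hmac.compare_digest(candidate, digest)


def user_ldif(uid: str, password: str, base_dn: str = "dc=People") -> str:
    """LDIF for the entry the wizard builds: uidObject plus the
    inetOrgPerson chain, sn/cn equal to the uid, SSHA password."""
    lines = [
        f"dn: uid={uid},{base_dn}",
        "objectClass: uidObject",
        "objectClass: inetOrgPerson",
        "objectClass: organizationalPerson",
        "objectClass: person",
        f"uid: {uid}",
        f"sn: {uid}",
        f"cn: {uid}",
        f"userPassword: {ssha_hash(password)}",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # pipe this into: ldapadd -x -D "cn=admin,dc=People" -W
    print(user_ldif("EBEF", "Initial"), end="")
```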


Conclusion

In this blog post, we have learned how to correctly configure an LDAP server in an Ubuntu 18.04 virtual machine.

We have also learned how to correctly configure the users that will be used in the SAP Leonardo IoT Edge Services examples.
