Bobcares

Install OpenLDAP and phpLDAPadmin on Ubuntu 14.04 Server

by | Feb 24, 2021

Want to install OpenLDAP and phpLDAPadmin on Ubuntu? We can help you.

We can use OpenLDAP to store any kind of information and it is often used as one component of a centralized authentication system.

The system that we set up is quite flexible and we can design our own organizational schema and manage groups of resources as our needs demand.

As part of our Server Management Servies, we assist our customers with several LDAP queries.

Today, let us see an effective method to install OpenLDAP and phpLDAPadmin on Ubuntu 14.04 Server.

 

Install OpenLDAP and phpLDAPadmin on Ubuntu

In this article, let us see how to install and configure an OpenLDAP server on an Ubuntu 14.04 server. We will then install and secure a phpLDAPadmin interface to provide an easy web interface.

  • Install LDAP and Helper Utilities

We need to install all necessary software and the packages are available in Ubuntu’s default repositories.

First, refresh the local package index.

$ sudo apt-get update
$ sudo apt-get install slapd ldap-utils

During the installation, we have to set an administrator password for LDAP.

Have look at https://bobcares.com/blog/install-openldap-on-ubuntu/ for more information.

 

  • Reconfigure slapd to Select Better Settings

We reconfigure it because a lot of important configuration questions are skipped over in the installation process.

We can gain access to all of the prompts if we reconfigure the package:

$ sudo dpkg-reconfigure slapd

There are quite a few questions we encounter as we go through this process:

Omit OpenLDAP server configuration? No
DNS domain name?
– It will determine the base structure of our directory path. Read the message to understand exactly how this will be implemented.
– We can select whatever “domain name” value, even if we do not own the actual domain. However, if we have a domain name for the server, it is probably wise to use that.
– Here, we select test.com for our configuration.
Organization name?
– It is entirely up to our preferences.
– For this article, we will be using the example as the name of our organization.
Administrator password?
– Anything we select here will overwrite the previous password we used.
Database backend? HDB
Remove the database when slapd is purged? No
Move old database? Yes
Allow LDAPv2 protocol? No

Eventually, our LDAP will be configured.

 

Install phpLDAPadmin to Manage LDAP with a Web Interface

Although we can administer LDAP through the command line, it is easier to use a web interface.

The Ubuntu repositories contain the phpLDAPadmin package. To install, we run:

$ sudo apt-get install phpldapadmin

This will install the administration interface, enable the necessary Apache virtual hosts files and reload Apache.

 

  • Configure phpLDAPadmin

We configure a few things to connect with the LDAP directory structure that was created during the OpenLDAP configuration stage.

To begin, we open the main configuration file with root privileges in any text editor:

$ sudo nano /etc/phpldapadmin/config.php

Here, we add the configuration details. Initially, look for the host parameter and set it to the server’s domain name or public IP address.

This parameter reflects the way we plan on accessing the web interface:

$servers->setValue(‘server’,’host’,’serverdomainnameorIP’);

Next up, we need to configure the domain name. We need to translate it into LDAP syntax by replacing each domain component into the value of a dc specification.

We should find the parameter that sets the server base parameter and use the format to reference the domain we decide on:

$servers->setValue(‘server’,’base’,array(‘dc=test,dc=com’));

Then we adjust the same in our login bind_id parameter. The cn parameter is already set as “admin”. We just need to adjust the dc portions again:

$servers->setValue(‘login’,’bind_id’,’cn=admin,dc=test,dc=com’);

Finally, we need to adjust a setting that controls the visibility of warning messages.

By default, phpLDAPadmin will throw quite a few annoying warning messages. We can hide these by searching for the hide_template_warning parameter, uncommenting the line that contains it, and setting it to “true”:

$config->custom->appearance[‘hidetemplatewarning’] = true;

Eventually, we can save and close the file.

 

  • Create an SSL Certificate

We have to secure our connection with SSL and thereby avoid intercept in communications.

Since the admin interface is talking to the LDAP server itself on the local network, we do not need to use SSL for that connection.

However, we need to secure the external connection to our browser when we connect.

For that, we need to set up a self-signed SSL certificate that our server can use. This will allow us to encrypt our messages.

The OpenSSL packages will be on our system by default. First, we should create a directory to hold our certificate and key:

$ sudo mkdir /etc/apache2/ssl

Then, we create the key and certificate:

$ sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt

In the prompt that says Common Name, enter the server’s domain name or IP address.

Once done, the certificate and key will be written to the /etc/apache2/ssl directory.

 

  • Create a Password Authentication File

We need to password protect our phpLDAPadmin location.

Run the below command to get the utility:

$ sudo apt-get install apache2-utils

We will keep this in the /etc/apache2 directory. Create the file and specify the username:

$ sudo htpasswd -c /etc/apache2/htpasswd demo_user

Now, we are ready to modify Apache to take advantage of our security upgrades.

 

  • Secure Apache

Initially, we should enable the SSL module in Apache. To do that, run:

$ sudo a2enmod ssl

This will enable the module. We still need to configure Apache to take advantage.

We need to tell Apache to redirect requests for our phpLDAPadmin interface to our HTTPS interface so that the connection is encrypted.

While on the same, we will also implement the password file to authenticate users. In addition, we will also change the location of the phpLDAPadmin interface itself to minimize targeted attacks.

 

  • Modify the phpLDAPadmin Apache Configuration

First, we modify the alias that is set up to serve our phpLDAPadmin files.

Open the file with root privileges in any text editor:

$ sudo nano /etc/phpldapadmin/apache.conf

Here we need to decide on the URL location where we want to access our interface. The default is /phpldapadmin. However, we will change this to cut down on random login attempts by bots and malicious parties.

For our purpose, we will use the location /superldap.

We need to modify the line that specifies the Alias. This should be in an IfModule mod_alias.c block. Once done, it should look like this:

<IfModule mod_alias.c>
Alias /superldap /usr/share/phpldapadmin/htdocs
</IfModule>

Eventually, save and close the file.

 

  • Configure the HTTP Virtual Host

Next, we to modify our current Virtual Hosts file, open it with root privileges in our editor:

$ sudo nano /etc/apache2/sites-enabled/000-default.conf

Inside, we will see a rather bare configuration file that looks like this:

<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHELOGDIR}/error.log
CustomLog ${APACHELOGDIR}/access.log combined
</VirtualHost>

We have to add information about our domain name or IP address to define our server name and set up our redirect to point all HTTP requests to the HTTPS interface.

The changes will look like this:

<VirtualHost *:80>
ServerAdmin webmaster@serverdomainorIP
DocumentRoot /var/www/html
ServerName serverdomainorIP
Redirect permanent /superldap https://server_domain_or_IP/superldap
ErrorLog ${APACHELOGDIR}/error.log
CustomLog ${APACHELOGDIR}/access.log combined
</VirtualHost>

Eventually, save and close the file.

 

  • Configure the HTTPS Virtual Host File

Apache includes a default SSL Virtual Host file. However, it is not enabled by default.

In order to enable it, run:

$ sudo a2ensite default-ssl.conf

This will link the file from the sites-available directory into the sites-enabled directory. To edit the file, run:

$ sudo nano /etc/apache2/sites-enabled/default-ssl.conf

This file involves more than the last one, so we will discuss the changes that we make.

All of the changes below should go within the Virtual Host block in the file.

First of all, set the ServerName value to the server’s domain name or IP address and change the ServerAdmin directive:

ServerAdmin webmaster@serverdomainorIP
ServerName serverdomainorIP

Then, we set the SSL certificate directives to point to the key and certificate that we created. The directives should already exist in our file, so just modify:

SSLCertificateFile /etc/apache2/ssl/apache.crt
SSLCertificateKeyFile /etc/apache2/ssl/apache.key

Finally, we need to set up the location block that will implement our password protection for the entire phpLDAPadmin installation.

We do this by referencing the location where we serve the phpLDAPadmin and setting up authentication using the file we generated.

<Location /superldap>
AuthType Basic AuthName “Restricted Files”
AuthUserFile /etc/apache2/htpasswd Require valid-user
</Location>

Eventually, save and close the file.

Restart Apache to implement all of the changes:

$ sudo service apache2 restart

We can now move on to the actual interface.

 

  • Log into the phpLDAPadmin Web Interface

We access the web interface by visiting the server’s domain name or public IP address followed by the alias we configured:

http://serverdomainnameorIP/superldap

There will probably be a warning about the site’s SSL certificate. It is to let us know that the browser does not recognize the certificate authority that signed our certificate.

It is expected and not a problem. Click the “Proceed anyway” button.

Then, we will see the password prompt. Use the credentials we created with the htpasswd command.

In the main phpLDAPadmin landing page, click on the “login” link.

We will be taken to a login prompt.

It will pre-populate the correct value for the admin account if we configured phpLDAPadmin correctly. For us, it will look like this:

cn=admin,dc=test,dc=com

Eventually, enter the administrator password configured during the LDAP configuration.

 

Add Organizational Units, Groups, and Users

In the phpLDAPadmin interface, we have the ability to add users, organizational units, groups, and relationships.

LDAP is flexible in how we wish to structure our data and directory hierarchies. In addition, we can create rules for how they interact.

  • Create Organizational Units

First, we will create categories to store information. Since this is a basic setup, we will make two categories: groups and users.

  1. Click on the “Create new entry here” link on the left-hand side.
  2. Since we use this as an organizational structure, we will use the “Generic: Organizational Unit” template.
  3. In the prompt to create a name for our organizational unit, type “groups”.
  4. Then we need to commit the changes.
  5. Once done, we can see a new entry on the left-hand side.

Repeat the procedure to create one more organizational structure. However, this time, use the name “users”.

To create the groups within the “groups” organizational unit. Click on the group category >> Create a child entry.

This time, we will choose the “Generic: Posix Group” category.

Fill in “admin” as the group name. Click “Create Object” and then confirm on the next page.

We can see an overview in the “ou=groups” category by clicking on that entry, and then clicking on “View 3 children”.

  • Create Users

Next, we will create users to put in these groups. Click ou=users >> Create a child entry.

Then we choose “Generic: User Account” for these entries.

Note that the “Common Name” needs to be unique for each entry in a category. So we may want to use a username format instead of the default “FirstName LastName” that is auto-populated.

Click “Create Object” at the bottom and confirm on the following page.

To create additional users, we will take advantage of the ability to copy entries.

Click on the user we just created in the left-hand panel. In the main pane, click “Copy or move this entry”:

Adjust the “cn=user” portion of the entry to point it to the common name we would like to use for the new entry. Click “Copy” at the bottom.

We will be given the next page populated with our first user’s data. We will need to adjust it to match the new user’s information.

Make sure to adjust the uidNumber. Click the “Create Object” button at the bottom.

  • Add Users to Groups

We can add users to various groups by clicking on the group in question. In the main pane, select “Add new attribute”.

Select “memberUid” from the drop-down menu.

In the text field that populates, enter the first user we would like to add. Click “Update Object” at the bottom.

We can then add more members by clicking “modify group members” and selecting them from the available choices.

 

Few common errors

While we install OpenLDAP and phpLDAPadmin on Ubuntu, we may come across an error. Here’s how our Support Techs solve it.

  • Error: Unable to connect to xxx.xxx.xxx.xxx:8080

While installing OpenLDAP we might receive the error:

root@server# sudo apt-get install slapd ldap-utils
Reading package lists… Done
Building dependency tree
Reading state information… Done
The following extra packages will be installed:
libodbc1 libslp1
Suggested packages:
libmyodbc odbc-postgresql tdsodbc unixodbc-bin slpd openslp-doc
The following NEW packages will be installed:
ldap-utils libodbc1 libslp1 slapd
0 upgraded, 4 newly installed, 0 to remove and 284 not upgraded.
Need to get 2,243 kB of archives.
After this operation, 5,595 kB of additional disk space will be used.
Do you want to continue [Y/n]? Y
Err http://us.archive.ubuntu.com/ubuntu/ quantal/main libodbc1 i386 2.2.14p2-5ubuntu4
Could not connect to 172.19.48.164:8080 (172.19.48.164). – connect (110: Connection timed out)
Err http://us.archive.ubuntu.com/ubuntu/ quantal/main libslp1 i386 1.2.1-9
Unable to connect to 172.19.48.164:8080:

Apparently, the APT configuration is set to connect using a proxy server. This server cannot be reached and that is what the error is about.

In order to solve this, our Support Techs suggest the following:

Assume the proxy server is not online anymore and we do not want to use it anymore.

Find the configuration line responsible for it:

$ grep -rni proxy /etc/apt

Our output will be like this:

$ /etc/apt/apt.conf:1:Acquire::http::Proxy “http://1.2.3.4:8000/”;

In the file /etc/apt/apt.conf on line 1, APT is configured to connect using that proxy address. On our system filename and line are likely to be different.

Then edit the file with the line. Comment it (prepend it with a hash #) or simply remove the line. Use a text editor, e.g. nano):

$ sudo nano /etc/apt/apt.conf

Save and close.

Finally, update the APT lists:

$ sudo apt-get update

[Stuck with the procedures? We’d be happy to assist]

 

Conclusion

In short, we saw how to install OpenLDAP and phpLDAPadmin on Ubuntu. In addition, we covered the prospective error and its solution as well.

PREVENT YOUR SERVER FROM CRASHING!

Never again lose customers to poor server speed! Let us help you.

Our server experts will monitor & maintain your server 24/7 so that it remains lightning fast and secure.

GET STARTED

var google_conversion_label = "owonCMyG5nEQ0aD71QM";

0 Comments

Submit a Comment

Your email address will not be published. Required fields are marked *

Never again lose customers to poor
server speed! Let us help you.