LDAP, or Lightweight Directory Access Protocol, is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network.
It can be used to store any kind of information and it is often used as one component of a centralized authentication system.
In this guide, we’ll show you how to install and configure an OpenLDAP server on an Ubuntu 14.04 server. We will then install and secure a phpLDAPadmin interface to provide an easy web interface.
First you need to login to your Ubuntu 14.04 VPS as user ‘root’ :
# ssh root@hostname
Before we begin, we need to install the necessary software.
# apt-get update # apt-get install slapd ldap-utils
You will be asked to select and confirm an administrator password for LDAP during the installation.
Even though LDAP was just installed, we need to reconfigure the defaults that Ubuntu installs. For that purpose enter the following command:
# dpkg-reconfigure slapd
Answer the questions asked as you go through this process:
Since most users will find it easier to use a web interface, we are going to install phpLDAPadmin, which provides this functionality, to help remove some of the friction of learning the LDAP tools.
# apt-get install phpldapadmin
Although, the web server is now configured to serve your application you will need to make some additional changes in order to use the domain schema configured for LDAP. Also, make some adjustments to secure your configuration.
Open the main configuration file in your favorite text editor:
# vim /etc/phpldapadmin/config.php
Add the configuration details that you set up for your LDAP server. Look for the host parameter and set it to your server’s domain name or public IP address. This parameter reflects how you will access the web interface:
Next, you need to configure the domain name you selected for your LDAP server. Translate this into LDAP syntax by replacing each domain component into the value of a dc specification.
This means that instead of writing testdomain.com, you will need to write something like dc=testdomain,dc=com. Find the parameter that sets the server base parameter and use this format:
Adjust the same thing in the section ‘login bind_id parameter’. The cn parameter is already set as “admin”. This is correct. Adjust the dc portions:
By default phpLDAPadmin throws quite a few annoying warning messages in its web interface about the template files that have no impact on the functionality. You need to remove these warnings by uncommenting the line that contains it, and setting it to “true”:
$config->custom->appearance['hide_template_warning'] = true;
Save and close the file when finished.
It is recommended to secure your connection to the LDAP server with SSL so that outside parties cannot intercept the communications.
Set up a self-signed SSL certificate that your server can use.
Create a directory to hold your certificate and key:
# mkdir /etc/apache2/ssl
Next, create the key and certificate by typing:
# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt
After you answer the questions, your certificate and key will be written to the /etc/apache2/ssl directory.
Even though phpLDAPadmin has password authentication, you might want to password protect your phpLDAPadmin location. This will provide an extra level of protection.
Install the utility needed in order to create a password authentication file.
# apt-get install apache2-utils
Create a password file that will contain a username that you choose and the associated hashed password.
Keep this in the /etc/apache2 directory. Create the file and specify the username you want to use by typing:
# htpasswd -c /etc/apache2/htpasswd test-user
Enable the SSL module in Apache:
# a2enmod ssl
The Apache Web Server is reading a file called 000-default.conf for regular, unencrypted HTTP connections. It is best to redirect requests for the phpLDAPadmin interface to your HTTPS interface so that the connection is encrypted.
Open the file in your favorite text editor:
# vim /etc/apache2/sites-enabled/000-default.conf
Add the required information about your domain name or IP address. Also, you need to set up a redirect to point all HTTP requests to the HTTPS interface.
The changes will end up looking like this. Modify it with your own values:
Save and close the file when finished.
Apache includes a default SSL Virtual Host file. However, sometimes, it is not enabled by default.
Enable it by typing:
# a2ensite default-ssl.conf
This will link the file from the sites-available directory into the sites-enabled directory. Now edit this file now by typing:
# vim /etc/apache2/sites-enabled/default-ssl.conf
Set the ServerName value to your server’s domain name or IP address again and change the ServerAdmin directive as well:
ServerAdmin webmaster@server_domain_or_IP ServerName server_domain_or_IP
Next, set the SSL certificate directives to point to the key and certificate that were created. The directives should already exist in this file, so just modify the files they point to:
SSLCertificateFile /etc/apache2/ssl/apache.crt SSLCertificateKeyFile /etc/apache2/ssl/apache.key
Now, set up the location block that will implement the password protection for the entire phpLDAPadmin installation.
Do this by referencing the location where phpLDAPadmin is served and setting up authentication using the file that was generated. This will require anyone attempting to access this content to authenticate as a valid user:
Save and close the file when you are finished.
Restart Apache to implement all of the changes that were made:
# service apache2 restart
Now open your favorite web browser and access the phpLDAPadmin web interface using: your_server_domain_name_or_IP/phpldapadmin
Of course you don’t have to do any of this if you use one of our Linux VPS hosting services, in which case you can simply ask our expert Linux admins to install this for you. They are available 24×7 and will take care of your request immediately.
PS. If you liked this post please share it with your friends on the social networks using the buttons on the left or simply leave a reply below. Thanks.