LDAP as an Active Directory Equivalent in Linux

Last updated: December 12, 2023

Reviewed by: Hiks Gerganov

1. Introduction

In the realm of Linux, having an alternative to the Microsoft Active Directory can simplify tasks like centralizing user and group management, ensuring authentication and authorization, and easing system administration.

The main alternative we have is the Lightweight Directory Access Protocol (LDAP), a software protocol to access and manage directory information. It’s commonly used to facilitate centralized management of user accounts, groups, and other directory-related data within an organization.

Its pros lie in the fact that LDAP in a Linux environment can provide centralized directory services and cross-platform support. However, it may lack some of the user-friendly features and integrations that Active Directory offers.

In this tutorial, we’ll explore LDAP through installing, configuring, and connecting a Linux client to an LDAP directory.

2. Installing the LDAP Server

First, we set the hostname via hostnamectl:

$ sudo hostnamectl set-hostname ldap.baeldung.com

Then, let’s install LDAP via apt-get and sudo:

$ sudo apt-get install slapd ldap-utils

Here, we’ll be prompted to set an LDAP administrator password. Further, slapd is the name of the OpenLDAP server package which is an open-source implementation of the LDAP protocol. Additionally, ldap-utils is used for interacting with LDAP directories, performing searches, and making changes to the directory data.

3. Configuring the LDAP Server

Now, let’s configure the LDAP server and set up the necessary components for an LDAP directory.

3.1. Start Configuration

First, we configure the LDAP server via dpkg-reconfigure:

$ sudo dpkg-reconfigure slapd
debconf: unable to initialize frontend: Dialog
debconf: (No usable dialog-like program is installed, so the dialog based frontend cannot be used. at /usr/share/perl5/Debconf/FrontEnd/Dialog.pm line 78.)
debconf: falling back to frontend: Readline
Configuring slapd
-----------------

If you enable this option, no initial configuration or database will be created
for you.

Here, we choose no to start the configuration:

Omit OpenLDAP server configuration? [yes/no] no

Once the password is confirmed, we’ll be asked about the database.

3.2. Specify DNS Domain Name

Then, we specify the domain name:

The DNS domain name is used to construct the base DN of the LDAP directory. For
example, 'foo.example.org' will create the directory with 'dc=foo, dc=example,
dc=org' as base DN.

DNS domain name: ldap.baeldung.com

In this case, ldap.baeldung.com is the domain name.

3.3. Set Organization Name

Then, we specify the organization name:

Please enter the name of the organization to use in the base DN of your LDAP
directory.

Organization name: Baeldung

In this case, Baeldung is the organization’s name.

3.4. Admin Password

Now, we set the admin password:

Please enter the password for the admin entry in your LDAP directory.

Administrator password: 

...

Confirm password:

Once the password is confirmed, we’ll be asked about the database:

Do you want the database to be removed when slapd is purged? [yes/no] no

At this point, we choose no to indicate that we want to keep the database even after removing the LDAP server.

3.5. Database Configuration

Finally, we’ll move the old database:

There are still files in /var/lib/ldap which will probably break the
configuration process. If you enable this option, the maintainer scripts will
move the old database files out of the way before creating a new database.
Move old database? [yes/no] yes

Here, we choose yes because we want to move the old database files out of the way before creating a new database.

This starts the initial configuration:

Backing up /etc/ldap/slapd.d in /var/backups/slapd-2.5.16+dfsg-0ubuntu0.22.04.1... done.
Moving old database directory to /var/backups:
- directory unknown... done.
Creating initial configuration... done.
Creating LDAP directory... done.

As we can see, the log confirms that the initial configuration and LDAP directory creation steps are completed successfully.

3.6. Edit Configuration File

Finally, we edit the configuration file:

$ cat /etc/ldap/ldap.conf
...
BASE    dc=baeldung,dc=com
URI     ldap://ldap.baeldung.com
...

Here, we defined the BASE and URI. These settings specify the LDAP server’s location and the starting point for LDAP directory searches.

4. Verifying the Configuration

Now, we verify the installation via slapcat:

$ sudo slapcat
dn: dc=ldap,dc=baeldung,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: Baeldung
dc: ldap
structuralObjectClass: organization
entryUUID: 46843600-0acf-103e-8cb0-fbeaa6a525c6
creatorsName: cn=admin,dc=ldap,dc=baeldung,dc=com
createTimestamp: 20231029174938Z
entryCSN: 20231029174938.863797Z#000000#000#000000
modifiersName: cn=admin,dc=ldap,dc=baeldung,dc=com
modifyTimestamp: 20231029174938Z

In this case, the output provides detailed information about the specific LDAP entry for the organization in LDIF format. It includes details about its object classes, attributes, creation and modification timestamps, and related metadata.

5. Adding User and Group

First, we create a file to add a base Distinguished Name (DN) of Users and Groups:

$ cat baseDN.ldif
# OU for Users
dn: ou=Users,dc=baeldung,dc=com
objectClass: organizationalUnit
ou: Users

# OU for Groups
dn: ou=Groups,dc=baeldung,dc=com
objectClass: organizationalUnit
ou: Groups

As we can see, we create baseDN.ldif for the base DN. As a result, we organize the directory structure to separate Users and Groups, which can be useful for managing and searching for these types of entries within the LDAP directory.

Then, we add the file contents to the LDAP directory:

$ ldapadd -x -D "cn=admin,dc=baeldung,dc=com" -W -f baseDN.ldif
Enter LDAP Password: 
adding new entry "ou=Users,dc=baeldung,dc=com"
adding new entry "ou=Groups,dc=baeldung,dc=com"

Let’s break down the code:

  • -x indicates the use of simple authentication
  • -D specifies the DN of the user with write permissions (in this case, the LDAP admin)
  • -W prompts for the password of the -D user
  • -f specifies the file containing the LDIF entry to be added

In summary, ldapadd uses this data to create the specified Organizational Units (OU) for Users and Groups in the LDAP directory, helping to organize the directory structure as per the contents of the LDIF file.

6. Configuring the LDAP Client

Now, we’ll configure the LDAP client to enable LDAP-based user authentication and directory services on a Linux system.

Lightweight Directory Access Protocol (LDAP) is an unencrypted communication protocol used for accessing and managing directory information. Moreover, it operates over port 389 and doesn’t provide data encryption or security by default.

On the other hand,  LDAP over SSL/TLS  LDAPS is a secure version of LDAP. It uses SSL/TLS encryption to protect data transmission. Moreover, LDAPS operates over port 636 and requires SSL/TLS certificates for secure communication. Afterward, it’s commonly used for secure external access to directory services.

6.1. Add LDAP Server Address

First, if we don’t have an active DNS server in the network, we add the LDAP server address in the /etc/hosts file:

$ sudo cat /etc/hosts
10.211.55.5 ldap.baeldung.com

In this case, 10.211.55.5 is the IP address of ldap.baeldung.com in this network.

6.2. Install LDAP Client Utilities

Then, we install the LDAP client utilities:

$ sudo apt-get -y install libnss-ldap libpam-ldap ldap-utils

Before starting the installation, we’ll be prompted for various settings.

6.3. Specify LDAP Server URI

Once installed, the client configuration will start:

...

 LDAP server Uniform Resource Identifier:
 ldapi:///ldap.baeldung.com

In this case, we specify the URI of the LDAP server ldapi://ldap.baeldung.com, which indicates we connect to the LDAP server at ldap.baeldung.com using the LDAPS protocol. The ldapi:// scheme suggests that we use a local socket for LDAP communication.

6.4. Set Distinguished Name (DN) Search Base

Now, we specify the distinguished name:

...

Distinguished name of the search base: dc=baeldung,dc=com

In this instance, we provide dc=baeldung,dc=com, a common format for specifying the base DN for LDAP searches. We use this value to determine the starting point for LDAP directory searches.

6.5. Selecting LDAP Protocol Version

Next, we select the version of the LDAP protocol:

Please enter which version of the LDAP protocol should be used by ldapns. It is usually
a good idea to set this to the highest available version.

  1. 3  2. 2
LDAP version to use: 1

In this case, we select 1 which corresponds to LDAP version 3.

6.6. Toggle Pluggable Authentication Module (PAM)

Then, we enable the usage of the Pluggable Authentication Module (PAM):

...

If you are using NFS mounted /etc or any other custom setup, you should disable this.

Make local root Database admin: [yes/no] yes

In this case, we select yes which means we enable PAM to manage root password changes.

6.7. Login Password Requirement

Afterward, we specify if a password for login is required:

Choose this option if you are required to login to the database to retrieve entries.

Note: Under a normal setup, this is not needed.

Does the LDAP database require login? [yes/no] no

Here, we select no which means we don’t need to provide login credentials to access the LDAP database.

6.8. Root LDAP Account

Then, we specify the LDAP account for the root:

This account will be used when root changes a password.

Note: This account has to be a privileged account.

LDAP account for root: cn=admin,dc=baeldung,dc=com

In this instance, we provided cn=admin,dc=baeldung,dc=com, the LDAP account to use when root changes a password.

6.9. Set LDAP Root Account Password

Afterward, we set a password for the root account:

...
LDAP root account password:

In summary, these settings are essential for configuring the system to use LDAP for user authentication and directory services. They enable the system to connect to the specified LDAP server and perform LDAP-related operations based on the provided configuration.

7. Testing the LDAP Connection

ldapsearch is one of the most commonly used tools for testing the connection between LDAP client and server:

$ sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b "dc=baeldung,dc=com" dn

Enter LDAP Password:
dn: dc=baeldung,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: Baeldung
dc: baeldung

# admin, baeldung.com
dn: cn=admin,dc=baeldung,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
...

So, let’s break down the code:

  • -Q quiet mode, which suppresses some warning messages
  • -LLL specifies LDIF output format, which is a common format for representing LDAP data
  • -Y EXTERNAL is the authentication method for using the external mechanism
  • -H ldapi:/// uses the LDAP socket connection to connect to the local server
  • -b “dc=baeldung,dc=com” is the search base, specifying the starting point for the search
  • dn attribute to retrieve which stands for distinguished name

In summary, the output indicates that the LDAP client successfully connected to the LDAP server and retrieved entries from the specified base.

8. Conclusion

In this article, we talked about LDAP and delved into the process of installing, configuring, and establishing a connection between a Linux client and an LDAP directory.

Thus, we made a Linux environment well-equipped for centralized directory services and efficient system management.

Comments are open for 30 days after publishing a post. For any issues past this date, use the Contact form on the site.