In this blog post, you’ll learn how to install and configure OpenLDAP on Debian 11 / Debian 10 Linux systems. OpenLDAP is a free and open-source implementation of the Lightweight Directory Access Protocol, released under the OpenLDAP Public License.
After installing OpenLDAP Server on Debian 11 / Debian 10, you can optionally add phpLDAPadmin or LDAP Account Manager to ease the daily administration of the LDAP server. We’ll cover the installation of LDAP UI management tools in separate guides.
Follow the steps shared in the next sections to have a running OpenLDAP Server on Debian 11 / Debian 10. Before you start the installation, configure an FQDN hostname for your server and add a record to the /etc/hosts file.
$ sudo vim /etc/hosts
192.168.10.10 ldap.example.com
# Configure hostname
$ sudo hostnamectl set-hostname ldap.example.com --static
Replace 192.168.10.10 and ldap.example.com with your server’s IP address and hostname respectively.
Step 1: Update Debian server
For setups done on a clean installation of Debian Server, ensure the system is updated and upgraded.
sudo apt -y update && sudo apt -y upgrade
sudo reboot
Step 2: Install OpenLDAP on Debian
After the system update and a successful reboot, we can install the OpenLDAP Server packages from the default Debian repositories.
sudo apt -y install slapd ldap-utils
You’ll be prompted to enter the admin password for your LDAP directory; confirm the password when asked.
If your installation was successful, the slapcat command should provide OpenLDAP server details.
$ sudo slapcat
dn: dc=neveropen,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: geeksforgeeks.org
dc: neveropen
structuralObjectClass: organization
entryUUID: 3380a11a-587c-1039-8fb1-a76b7240a677
creatorsName: cn=admin,dc=neveropen,dc=com
createTimestamp: 20190821162641Z
entryCSN: 20190821162641.076360Z#000000#000#000000
modifiersName: cn=admin,dc=neveropen,dc=com
modifyTimestamp: 20190821162641Z

dn: cn=admin,dc=neveropen,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: e1NTSEF9eDN2SUVtUnRZMUFjeHZuREtMaDlwdjU5c3dMZkFaWmM=
structuralObjectClass: organizationalRole
entryUUID: 3380e3fa-587c-1039-8fb2-a76b7240a677
creatorsName: cn=admin,dc=neveropen,dc=com
createTimestamp: 20190821162641Z
entryCSN: 20190821162641.078129Z#000000#000#000000
modifiersName: cn=admin,dc=neveropen,dc=com
modifyTimestamp: 20190821162641Z
Step 3: Add base dn for Users and Groups
The next step is adding a base DN for users and groups. Create a file named basedn.ldif with the contents below:
$ vim basedn.ldif
dn: ou=people,dc=neveropen,dc=com
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=neveropen,dc=com
objectClass: organizationalUnit
ou: groups
Here neveropen and com are the domain components shown by the slapcat command; use your own. Note that LDIF requires a blank line between the two entries.
When done, apply configurations with the command:
$ sudo ldapadd -x -D cn=admin,dc=neveropen,dc=com -W -f basedn.ldif
Enter LDAP Password:
adding new entry "ou=people,dc=neveropen,dc=com"
adding new entry "ou=groups,dc=neveropen,dc=com"
Step 4: Add User Accounts and Groups
Generate a hashed password for the user account to add.
$ sudo slappasswd
New password:
Re-enter new password:
{SSHA}5D94oKzVyJYzkCq21LhXDZFNZpPQD9uE
Create an LDIF file for adding the user.
$ vim ldapusers.ldif
dn: uid=jmutai,ou=people,dc=neveropen,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: Josphat
sn: Mutai
userPassword: {SSHA}5D94oKzVyJYzkCq21LhXDZFNZpPQD9uE
loginShell: /bin/bash
homeDirectory: /home/testuser
uidNumber: 3000
gidNumber: 3000
- Replace jmutai with the username to add.
- Replace dc=neveropen,dc=com with your domain components.
- Replace cn and sn with the user’s given name and surname.
- Replace {SSHA}5D94oKzVyJYzkCq21LhXDZFNZpPQD9uE with the hashed password you generated.
- Set homeDirectory, uidNumber and gidNumber to values appropriate for the user.
Apply the configuration:
$ sudo ldapadd -x -D cn=admin,dc=neveropen,dc=com -W -f ldapusers.ldif
Enter LDAP Password:
adding new entry "uid=jmutai,ou=people,dc=neveropen,dc=com"
A group is added in a similar way. Create the LDIF file:
$ cat ldapgroups.ldif
dn: cn=jmutai,ou=groups,dc=neveropen,dc=com
objectClass: posixGroup
cn: jmutai
gidNumber: 3000
memberUid: jmutai
$ sudo ldapadd -x -D cn=admin,dc=neveropen,dc=com -W -f ldapgroups.ldif
Enter LDAP Password:
adding new entry "cn=jmutai,ou=groups,dc=neveropen,dc=com"
The two files can be combined into a single LDIF file, with a blank line separating the entries.
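As an added example that is not part of the original post, this Python script reproduces the {SSHA} format slappasswd prints (SHA-1 over the password plus a 4-byte salt, salt appended, base64-encoded), decodes the double-colon base64 userPassword line that slapcat shows, and emits the Step 4 user and group entries as one LDIF document. The function names are mine, and the base DN defaults to the dc=neveropen,dc=com used above.

```python
# Added example, not from the original post.
import base64
import hashlib
import os


def make_ssha(password, salt=None):
    """{SSHA} value as slappasswd prints it: base64(sha1(password + salt) + salt), 4-byte salt."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def check_ssha(password, stored):
    """Verify a password against a {SSHA} value; the salt follows the 20-byte SHA-1 digest."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest


def decode_slapcat_value(line):
    """slapcat writes values it cannot print safely as 'attr:: <base64>'; return (attr, text)."""
    attr, value = line.split(":: ", 1)
    return attr, base64.b64decode(value).decode("utf-8")


def user_and_group_ldif(uid, cn, sn, uid_number, gid_number, ssha, base_dn="dc=neveropen,dc=com"):
    """Step 4 user entry plus its posixGroup as one LDIF document (blank line between entries)."""
    user = [
        "dn: uid=%s,ou=people,%s" % (uid, base_dn),
        "objectClass: inetOrgPerson",
        "objectClass: posixAccount",
        "objectClass: shadowAccount",
        "cn: %s" % cn,
        "sn: %s" % sn,
        "userPassword: %s" % ssha,
        "loginShell: /bin/bash",
        "homeDirectory: /home/%s" % uid,  # derived from the uid, unlike the post's sample
        "uidNumber: %d" % uid_number,
        "gidNumber: %d" % gid_number,
    ]
    group = [
        "dn: cn=%s,ou=groups,%s" % (uid, base_dn),
        "objectClass: posixGroup",
        "cn: %s" % uid,
        "gidNumber: %d" % gid_number,
        "memberUid: %s" % uid,
    ]
    return "\n".join(user) + "\n\n" + "\n".join(group) + "\n"
```

Write the returned text to a file and apply it with the same ldapadd command used above; ldapadd refuses the file if the blank line between the entries is missing.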
Step 5: Install LDAP Account Manager
We’ll install and use LDAP Account Manager as the graphical management dashboard for our OpenLDAP Server. LDAP Account Manager (LAM) is a web frontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory.
Features of LDAP Account Manager
- Manages Unix, Samba 3/4, Kolab 3, Kopano, DHCP, SSH keys, group of names and much more
- Support for 2-factor authentication
- Support for account creation profiles
- CSV file upload
- Automatic creation/deletion of home directories
- Setting file system quotas
- PDF output for all accounts
- Schema and LDAP browser
- Manages multiple servers with different configurations
Download the latest LDAP Account Manager deb package release and install it:
wget https://github.com/LDAPAccountManager/lam/releases/download/lam_8_4/ldap-account-manager_8.4-1_all.deb
sudo apt install -f ./ldap-account-manager_*_all.deb
Step 6: Configure LDAP Account Manager
Access the LDAP Account Manager web interface from a trusted machine on the network at http://(server’s hostname or IP address)/lam
The LDAP Account Manager login form will be shown. We need to set up our LDAP server profile by clicking on [LAM configuration] at the upper right corner.
Then click on Edit server profiles.
This will ask you for the LAM profile password. The default password is lam.
The first thing to change is the Profile Password, at the end of the General Settings page.
Next, set the LDAP Server address and Tree suffix. Mine looks like below; use your own domain components, as set in the server hostname.
Set Dashboard login by specifying the admin user account and domain components under “Security settings” section.
Switch to “Account types” page and set Active account types LDAP suffix and List attributes.
You can also enable other available account types you wish to use. User and Group modules can be enabled and disabled on “Modules” page.
When done with the settings, click the Save button at the bottom of the page.
Step 7: Add user accounts and groups
Log in to the LAM dashboard with the admin account to start managing user accounts and groups.
You’ll use the Users and Groups links to manage user accounts and groups.
Add User Group
You need to add a user group before the actual user account. Click on Groups > New Group.
Give the group a name, optional group ID and description.
Do the same to add other groups.
Add User Accounts
Once you have the groups for user accounts to be added, click on Users > New user to add a new user account to your LDAP server. You have three sections for user management:
- Personal: This contains the user’s personal information such as first name, last name, email, phone, department, address, etc.
- Unix: This section is where you set the Username, Common name, UID number (optional), User comment, User primary group, Secondary groups, Home directory and the default Login shell.
- Shadow: This section is where you add the Shadow account extension, covering password aging and expiry.
You may have more sections depending on the Modules enabled for User and Group management.
Our next guide will cover how to configure the LDAP client on Debian 11 / Debian 10.