How To Install LDAP For FreedomBox

# Based on

sudo apt-get install slapd ldap-utils ldapscripts libnss-ldap libpam-ldap nscd
dpkg-reconfigure -plow slapd

Configure OpenLDAP

#Verify configuration: Look at the configuration using server side tools

sudo slapcat

Look at the configuration using a ldap client tool

ldapsearch -x -W -D cn=admin,dc=example,dc=org -H ldapi:/// -b dc=example,dc=org

Both comands should display the properties for two objects: the root organization object and the admin security object

# Break down of the ldapsearch command Quick tutorial on ldapsearch:

#Load standard schema files (you can ignore any errors) These commands load the standard schemes for LDAP objects used to manage account information. They may already be loaded, but it never hurts to tell LDAP to add them again.

sudo ldapadd -c -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/core.ldif
sudo ldapadd -c -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
sudo ldapadd -c -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif
sudo ldapadd -c -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif

#Configure LDAP client You can update the LDAP client configuration file to set some sane defaults to minimize typing.


        # Uncomment BASE
        # Uncomment URI

Test configuration

ldapsearch -x
sudo slapcat

#Create OU tree To store users and groups we first need to create organizational units (OUs) to store the objects in. The simplest way of adding objects is to create LDAP Interface File (LDIF) formated files and use the standard openldap commandlines tools import the data. Note the blank lines. In LDIF recorrds are blank line seperated.


dn: ou=People,dc=example,dc=org
ou: People
objectClass: organizationalUnit
dn: ou=Group,dc=example,dc=org
ou: Group
objectClass: organizationalUnit

ldapadd -c -x -D cn=admin,dc=example,dc=org -W -f ou.ldif

You can also create a user account using LDIF files, but below we show a way of using commandline scripts to make the process a little simpler. In keeping with the tradition of making a unique group for each user, we will make a group before creating the user account so we can set that users default group.


dn: cn=nick,ou=group,dc=example,dc=org
cn: nick
gidNumber: 20000
objectClass: top
objectClass: posixGroup
dn: uid=nick,ou=people,dc=example,dc=org
uid: nick
uidNumber: 20000
gidNumber: 20000
cn: Nick
sn: Jones
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
loginShell: /bin/bash
homeDirectory: /home/nick

ldapadd -c -x -D cn=admin,dc=example,dc=org -W -f user.ldif

If you want to set a password for the user run this command:

ldappasswd -x -D cn=admin,dc=example,dc=org -W -S uid=nick,ou=people,dc=example,dc=org

#Integrating with local authenication. These steps are optional if you are only interested in web authenication or authorization. They show how to use LDAP as the source for local account information. At the end of these steps you should be able to log into the local computer using account information stored in the traditional /etc/passwd file or stored in the LDAP directory.

First verify a local account with the same username as the LDAP account you just created does not exist:

id nick

Update the Name Service Switch to look at your LDAP server


        base dc=example,dc=org
        uri ldap://ldap-server


        passwd:         files ldap
        group:          files ldap

Now verify that the local system can look up the account information for LDAP accounts:

id nick

PAM should already be configured to use LDAP to authenicate users logging in locally, but you will need to modify PAM to auto-create home directories when users log on the first time.

echo 'session required skel=/etc/skel/ umask=0022' | sudo tee -a /etc/pam.d/common-session

Instead of using LDIF formatted files you can also use ldapscript commands that are similar to traditional adduser command. To use the commands you first need to update the ldapscripts configuration file to point at your local directory server.


        # update BINDDN to "cn=admin,dc=example,dc=org"
        # update SUFFIX to "dc=example,dc=org"

You will also need to provide the password for the admin account created when configuring OpenLDAP. Be sure to use the echo command to create the password file instead of a editor. Most editors will automatically add extra characters to the end of the file and your password won't work anymore.

echo -n 'secret' > /etc/ldapscripts/ldapscripts.passwd