How to Setup OpenLDAP Server and Client Installation in Ubuntu 18.04 with Credentials Caching
Hi Guys, for the last 5–10 days I have been working on an OpenLDAP implementation. All the configuration and authentication is working fine for me, but the issue I had was with password caching (which is useful when the LDAP server is down or not reachable). While setting up this configuration I faced so many issues, so if you get stuck somewhere just ping me on LinkedIn, I am ready to help.
So, in this blog, I am writing down the steps on how to install and set up the OpenLDAP server and client in Ubuntu 18.04 with password caching. Here are the steps:-
OpenLDAP Server Installation: -
Step 1: Set the hostname for the LDAP server using the command:-
hostnamectl set-hostname ldap.lw.com
Step 2: Add the following line to the /etc/hosts file:-
192.168.29.50 ldap.lw.com
Step 3: Install the OpenLDAP server using the command:-
sudo apt install slapd ldap-utils -y
## While installing it will ask for a password, put any password ##
Step 4: Check the status of slapd using:-
sudo systemctl status slapd
Step 5: Configure slapd with the command:
sudo dpkg-reconfigure slapd
######### It will ask us for the following entries:-
a. Omit OpenLDAP server configuration: no
b. DNS domain name: dc=ldap,dc=lw,dc=com
c. Organization name: lw.com
d. Administrator password: admin123
e. Confirm password: admin123
f. Database backend to use: MDB
g. Do you want the database to be removed when slapd is purged? no
h. Move old database: yes
Step 6: Edit the file /etc/ldap/ldap.conf and put entries for BASE and URI.
Step 7: Verify the setup using the commands:-
slapcat
ldapsearch -x
Step 8: Now create some entries for the people and groups OUs and a user:-
vim new-user.ldif
dn: ou=people,dc=ldap,dc=lw,dc=com
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=ldap,dc=lw,dc=com
objectClass: organizationalUnit
ou: groups

dn: uid=mahesh,ou=People,dc=ldap,dc=lw,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: mahesh
sn: mittal
givenName: mahesh
cn: mahesh
displayName: mahesh
uidNumber: 1647
gidNumber: 1002
userPassword: admin
gecos: mahesh singh
loginShell: /bin/bash
homeDirectory: /home/mahesh
REMEMBER TO CHANGE THE USER-SPECIFIC VALUES ACCORDING TO YOUR USER OR DN (distinguished name).
REMEMBER TO LEAVE A BLANK LINE BETWEEN EACH ENTRY AS SHOWN ABOVE, OTHERWISE IT WILL THROW AN ERROR.
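As an added example (not part of the original post), here are the same three entries generated from variables, together with a check for the blank-line separation the warning above refers to and for the attributes a posixAccount entry needs before ldapadd will accept it. The base DN and the sample user are the ones from the post; the password hash is taken as an argument so that a hash produced by slappasswd (shipped with the slapd package) goes into userPassword instead of the cleartext value shown above.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Base DN below is the one used in the post; change it for your directory.

# make_user_ldif OUT UID SN GIVENNAME UIDNUMBER GIDNUMBER PASSWORD_HASH
# Writes ou=people, ou=groups and one user entry to OUT, each entry
# separated by exactly one blank line (the layout ldapadd requires).
make_user_ldif() {
    out="$1"; uid="$2"; sn="$3"; given="$4"; uidnum="$5"; gidnum="$6"; pwhash="$7"
    base="dc=ldap,dc=lw,dc=com"
    cat > "$out" <<EOF
dn: ou=people,$base
objectClass: organizationalUnit
ou: people

dn: ou=groups,$base
objectClass: organizationalUnit
ou: groups

dn: uid=$uid,ou=people,$base
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: $uid
sn: $sn
givenName: $given
cn: $uid
displayName: $uid
uidNumber: $uidnum
gidNumber: $gidnum
userPassword: $pwhash
gecos: $given $sn
loginShell: /bin/bash
homeDirectory: /home/$uid
EOF
}

# check_ldif FILE
# Returns 0 when every "dn:" line (after the first) follows a blank line and
# every posixAccount entry carries uid, uidNumber, gidNumber and homeDirectory.
# Each problem found is printed on its own line.
check_ldif() {
    awk '
        BEGIN { bad = 0 }
        function flush() {
            if (posix && !(have["uid"] && have["uidNumber"] && have["gidNumber"] && have["homeDirectory"])) {
                printf "entry %s: posixAccount missing uid/uidNumber/gidNumber/homeDirectory\n", dn
                bad = 1
            }
            posix = 0; dn = ""
            for (k in have) delete have[k]
        }
        /^dn:/ {
            if (NR > 1 && prev != "") {
                printf "line %d: entry \"%s\" must be preceded by a blank line\n", NR, $0
                bad = 1
            }
            flush()
            dn = substr($0, 5)
        }
        /^objectClass: posixAccount/ { posix = 1 }
        /^[A-Za-z]+:/ { split($0, a, ":"); have[a[1]] = 1 }
        { prev = $0 }
        END { flush(); exit bad }
    ' "$1"
}
```

Typical use on the server, with the hash coming from `slappasswd -s 'the-password'`: `make_user_ldif new-user.ldif mahesh mittal mahesh 1647 1002 "$(slappasswd -s admin)" && check_ldif new-user.ldif && ldapadd -x -D cn=admin,dc=ldap,dc=lw,dc=com -W -f new-user.ldif`. The check catches the two mistakes that produce the "ldif_parse_entry" and "object class violation" errors most often seen at step 9: entries run together without a blank line, and a posixAccount entry missing one of its mandatory attributes.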
Step 9: Now add the above entries to the LDAP server using the command:-
ldapadd -x -D cn=admin,dc=ldap,dc=lw,dc=com -W -f new-user.ldif
OpenLDAP SSL/TLS Configuration:-
To get password caching done we need to set up sssd, and for sssd to work we need to set up LDAP in SSL/TLS mode, so follow the steps below to get this done.
Step 10:
1. cd /etc/ssl/private
2. openssl genrsa -aes128 -out ldap_server.key 4096
#### it will ask for a password, put any password ####
3. openssl rsa -in ldap_server.key -out ldap_server.key
######## we are removing the password so it will not ask for the password every time a connection is made ########
4. openssl req -new -days 3650 -key ldap_server.key -out ldap_server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:RJ
Locality Name (eg, city) []:ajmer
Organization Name (eg, company) [Internet Widgits Pty Ltd]:testing
Organizational Unit Name (eg, section) []:testing
Common Name (e.g. server FQDN or YOUR name) []:ldap.lw.com
Email Address []:admin@lw.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:admin123
An optional company name []:admin123
############## Take care of the Common Name while typing, it must be the same as the hostname ############
5. openssl x509 -in ldap_server.csr -out ldap_server.crt -req -signkey ldap_server.key -days 3650
6. sudo cp /etc/ssl/private/{ldap_server.key,ldap_server.crt} /etc/ssl/certs/ca-certificates.crt /etc/ldap/sasl2/
######## Move the certificates to the desired directory ########
7. sudo chown -R openldap. /etc/ldap/sasl2
8. cd /etc/ldap/
9. vim ldap_ssl.ldif
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/sasl2/ca-certificates.crt
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/sasl2/ldap_server.crt
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/sasl2/ldap_server.key
10. ldapmodify -Y EXTERNAL -H ldapi:/// -f ldap_ssl.ldif
########### OUTPUT ################
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
11. slaptest -u
################ OUTPUT ###########
config file testing succeeded
12. pkill slapd
13. Now we need to start slapd with the ldaps protocol as well. I use the command below; you can also edit the existing systemd service file of slapd to make this permanent.
slapd -h "ldap:/// ldapi:/// ldaps:///" -g openldap -u openldap -F /etc/ldap/slapd.d
14. Verify that ldaps is working using the netstat command:-
netstat -tnlp | grep "389\|636"
############ OUTPUT ##########
tcp 0 0 0.0.0.0:636 0.0.0.0:* LISTEN 8741/slapd
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 8741/slapd
tcp6 0 0 :::636 :::* LISTEN 8741/slapd
tcp6 0 0 :::389 :::* LISTEN 8741/slapd
############ NOW OUR LDAP IS RUNNING ON SSL/TLS, NOW WE CAN MOVE ON TO CONFIGURING THE CLIENT. ##################
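As an added example (not part of the original post), the key and self-signed certificate from step 10 collapsed into a single openssl call that puts the hostname in both the CN and a subjectAltName, plus the check that matters for the client later: with ldap_tls_reqcert = demand, a certificate whose name does not match the hostname the client connects to is rejected at every bind. The output directory, the hostname and the subject fields are assumptions taken from the post's values.

```shell
#!/bin/sh
# Added example, not code from the original post. Requires OpenSSL 1.1.1 or
# newer (for -addext and x509 -ext); Ubuntu 18.04 ships 1.1.1.

# make_server_cert DIR HOST [DAYS] [BITS]
# Writes DIR/ldap_server.key (unencrypted, as after step 10.3) and
# DIR/ldap_server.crt, self-signed, with CN=HOST and subjectAltName DNS:HOST.
# Subject fields other than CN are the constructed values from the post.
make_server_cert() {
    dir="$1"; host="$2"; days="${3:-3650}"; bits="${4:-4096}"
    openssl req -x509 -newkey "rsa:$bits" -nodes -days "$days" \
        -keyout "$dir/ldap_server.key" -out "$dir/ldap_server.crt" \
        -subj "/C=IN/ST=RJ/L=ajmer/O=testing/OU=testing/CN=$host" \
        -addext "subjectAltName=DNS:$host" 2>/dev/null || return 1
    # the private key must not be world-readable before it is copied into
    # /etc/ldap/sasl2 and chowned to openldap (steps 10.6 and 10.7)
    chmod 600 "$dir/ldap_server.key"
}

# cert_names_host CERT HOST
# Returns 0 when HOST appears as the subject CN or as a DNS subjectAltName.
# This is exactly what a client with ldap_tls_reqcert = demand verifies, so
# running it against the .crt before copying it to clients catches a typo in
# the Common Name at step 10.4 before it shows up as "certificate verify failed".
cert_names_host() {
    cert="$1"; host="$2"
    # escape the dots so they are matched literally by grep -E
    pat=$(printf '%s' "$host" | sed 's/\./\\./g')
    openssl x509 -in "$cert" -noout -subject -ext subjectAltName 2>/dev/null |
        grep -qE "CN ?= ?$pat(,|\$)|DNS:$pat(,|\$)"
}

# cert_days_left CERT
# Prints the number of whole days until the certificate's notAfter date.
# Cached logins keep working after expiry, but every online bind stops.
cert_days_left() {
    end=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
    end_s=$(date -d "$end" +%s 2>/dev/null || date -j -f '%b %e %T %Y %Z' "$end" +%s)
    echo $(( (end_s - $(date +%s)) / 86400 ))
}
```

On the server this replaces steps 10.2 to 10.5: `make_server_cert /etc/ssl/private ldap.lw.com && cert_names_host /etc/ssl/private/ldap_server.crt "$(hostname -f)"`; if the second command fails, the CN does not match the hostname set in step 1 and clients configured with ldap_tls_reqcert = demand will refuse the connection. To make the ldap:/// ldapi:/// ldaps:/// listener list from step 10.13 permanent on Ubuntu, set SLAPD_SERVICES to that string in /etc/default/slapd rather than starting slapd by hand.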
OpenLDAP Client Configuration:-
Step 11: edit the /etc/hosts file and enter the same entry we did in step 2.
Step 12: download the CA certificate from the server:-
openssl s_client -connect ldap.lw.com:636 -showcerts < /dev/null | openssl x509 -text | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
OUTPUT:-
depth=0 C = IN, ST = RJ, L = ajmer, O = testing, OU = testing, CN = ldap.lw.com, emailAddress = admin@lw.com
verify error:num=18:self signed certificate
verify return:1
depth=0 C = IN, ST = RJ, L = ajmer, O = testing, OU = testing, CN = ldap.lw.com, emailAddress = admin@lw.com
verify return:1
-----BEGIN CERTIFICATE-----
MIIFizCCA3MCFFlyVNKiPb3KXovEsE8hrks1+hn4MA0GCSqGSIb3DQEBCwUAMIGB
MQswCQYDVQQGEwJJTjELMAkGA1UECAwCUkoxDjAMBgNVBAcMBWFqbWVyMRAwDgYD
VQQKDAdwZXJmaW9zMRAwDgYDVQQLDAdwZXJmaW9zMRQwEgYDVQQDDAtsZGFwLmx3
LmNvbTEbMBkGCSqGSIb3DQEJARYMYWRtaW5AbHcuY29tMB4XDTIxMDEyMDA4MDMy
NFoXDTMxMDExODA4MDMyNFowgYExCzAJBgNVBAYTAklOMQswCQYDVQQIDAJSSjEO
MAwGA1UEBwwFYWptZXIxEDAOBgNVBAoMB3BlcmZpb3MxEDAOBgNVBAsMB3BlcmZp
b3MxFDASBgNVBAMMC2xkYXAubHcuY29tMRswGQYJKoZIhvcNAQkBFgxhZG1pbkBs
dy5jb20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC3hZ6AcOqM7/g/
Tfl+JSIevjGXAdguOTb1aAH9cjwAyTHGoLRbHa8OGpear/5nZn9PfC//mpM7t+hK
jzNreBvTRA6J+OE62h+wSflkRl+IRxjEZwvz15RElvAANGzf04Di4DA699lNkjNm
YhJschNFQgKr7fa+6weBAFsnpsp9Xao4c08r5Oi0U/WMwAx7RTCza1xu44rHImgL
MT4qPiY3i1O3I/+Fue31D+EOsKpT/jAv/e4UqhIuVaXwBYLEH0BOaGIAxmqE5LQf
3xUe+cqWyQq/E4sLbV6bFvBFjHhN1+yGExwlai6BKgG/tiNk2OHIbn89ArG9PlFo
1wAWfMIAcFDuR7xIDK5E9ZbIjtwnH4OE4D7WULBKdrHffOJLc7Ks3Nq74fmDchoA
Kjbd20mWlutmX/9FDn/iFsktA/SXNPCFQKxJHF7OlFCj+AN9SMvCFt+2B9PFKBkx
xR6CseeX7U1nqY6Lp+lNVlCN38ATT4w/w4im9OPn6EZeq4w9/BleHvoE9mSufcle
q93HDCAlQ6S3QDVOgHO/tjEvVsH+Q2kPl1rPQ2u1pt5lOAaDNPW1OCdoPtD6CH9S
dz1TG4SNdebKSfLd7/PHrr+nFunBvgriJaPVRhPy4FpeLcW2OCi3ZISrLJQVaWQy
WvP7DvFq7P+p3nrkK4BZVmzDRg837wPkg636Jyt/dfsdddgesdHBFJgGo6YossJg
4BgKshgU+qxs63WW/xyJtCab0MmRvdVeUwtXA4pn887EGCN4seIEvFbWZW4hAIp
VdoqBpWkSUXcVgFk+C0GNy8q/0rfssSz0SHuf/3M6wbh6VhrSbp3npaQfnApXNz3
CF14WIHP4WUneVyuARB+JZ7VoV/R080yYL/Pvy2fnvVqh1nLcJrH7W1rDc0BasK4
OB0zcEjV9XCDjbW0FHxSB58e2h89wM0FDCh9xTp0xbdd2cWIR5GtD4Jn8ecLEreD
IJnyS4H0NOEgsHrc/L6jrROiYtyV1O+mLmTJW+TAuxPXqqQmfoQVD+DDyTzEB1P/
peJrSoDd4jXZYgHA2OU0SP1BDaY97hq3EWz7hhpyW/JjDpit7fIlyzz1n2T5EnjU
VzjCdng/CXBvMTBYzxzwAu+GnZneGp27Oaia97aNxnDFoDZ+Ldha1CimIq27wPx/
qpB8RDBbPBmgXRDDzAi9TqjKCWOFCyrj6LyV3Jkn88YCrMaX5A+PJyTOl0aGQtST
bAIIfWdf6xgh6fuRu/LHPeLvApRMhRzQRdqk1xX7Cg==
-----END CERTIFICATE-----
DONE
Step 13: copy the certificate part only and paste it into the file (/etc/ssl/certs/cacert.crt )
Step 14: verify it using the command:-
cat /etc/ssl/certs/cacert.crt
-----BEGIN CERTIFICATE-----
(the certificate block copied in Step 13)
-----END CERTIFICATE-----
Step 14: Edit the file /etc/ldap/ldap.conf (vim /etc/ldap/ldap.conf) and add this line:
TLS_CACERT /etc/ssl/certs/cacert.crt
Step 15: Now run the following commands:-
1. apt update -y
2. sudo apt -y install libnss-ldap libpam-ldap ldap-utils
######### It will ask us for the following entries:-
a. Set LDAP URI: ldaps://ldap.lw.com
b. Distinguished name:- dc=ldap,dc=lw,dc=com
c. Set LDAP version to: 3
d. Make local root database admin: yes
e. Does the LDAP database require login? no
f. LDAP account for root: cn=admin,dc=ldap,dc=lw,dc=com
g. Provide the LDAP account password: <which was set up in step 5>
Step 16: Now edit the file /etc/nsswitch.conf so that it contains:
passwd: compat systemd ldap
group: compat systemd ldap
shadow: compat
Step 17: Edit the file /etc/pam.d/common-password and remove use_authtok from line 26, so that it reads:
password [success=1 user_unknown=ignore default=die] pam_ldap.so try_first_pass
Step 18: Edit the file /etc/pam.d/common-session and put the line below at the end.
session optional pam_mkhomedir.so skel=/etc/skel umask=077
NOW REBOOT YOUR SYSTEM AND TRY TO LOG IN WITH THE USER CREATED ABOVE. IT SHOULD LOG IN; IF NOT, TROUBLESHOOT. UP TO THIS STAGE YOUR LDAP CLIENT AUTHENTICATION IS WORKING; NOW, TO ENABLE PASSWORD CACHING, FOLLOW THE STEPS BELOW.
Installation of SSSD Package for password caching:-
Step 19: Install the sssd package:-
apt install sssd libpam-sss libnss-sss
Step 20: Edit the file /etc/pam.d/common-session and put the line below after the "session optional pam_sss.so" line.
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
Step 21: Edit the file /etc/sssd/sssd.conf:
[sssd]
services = nss, pam
config_file_version = 2
domains = default

[sudo]

[nss]

[pam]
offline_credentials_expiration = 60

[domain/default]
ldap_id_use_start_tls = True
cache_credentials = True
ldap_search_base = dc=ldap,dc=lw,dc=com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
access_provider = ldap
ldap_uri = ldap://ldap.lw.com
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/cacert.crt
ldap_tls_cacertdir = /etc/ssl/certs
ldap_search_timeout = 50
ldap_network_timeout = 60
ldap_access_order = filter
ldap_access_filter = (objectClass=posixAccount)
Step 22: Run the following commands:-
1. chmod 600 -R /etc/sssd
2. systemctl restart sssd && systemctl status sssd
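As an added example (not part of the original post), a small check script for the sssd.conf from step 21 and the permissions from step 22. It reports whether credential caching is actually switched on (without cache_credentials = True there is no offline login at all), whether the LDAP channel is encrypted and the server certificate verified, whether the CA file the config names exists on the client, and whether the file mode is 600, since sssd refuses to start when sssd.conf is readable by other users. The file paths in the sample are constructed for the check.

```shell
#!/bin/sh
# Added example, not code from the original post. Run as:
#   check_sssd_conf /etc/sssd/sssd.conf && systemctl restart sssd

# conf_value FILE KEY
# Prints the value of the first "KEY = value" line in FILE (any section).
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | head -n 1
}

# lower STRING -> lowercase, for sssd's case-insensitive booleans
lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# check_sssd_conf FILE
# Prints one line per problem found and returns the number of problems,
# so it can be used directly as a gate before restarting sssd.
check_sssd_conf() {
    f="$1"; problems=0

    # 1. Offline logins only work when credentials are cached.
    [ "$(lower "$(conf_value "$f" cache_credentials)")" = "true" ] ||
        { echo "cache_credentials is not True: offline (cached) logins disabled"; problems=$((problems+1)); }

    # 2. Anything weaker than "demand" lets a host on the path impersonate the
    #    LDAP server and collect the bind password.
    [ "$(lower "$(conf_value "$f" ldap_tls_reqcert)")" = "demand" ] ||
        { echo "ldap_tls_reqcert is not demand: server certificate not verified"; problems=$((problems+1)); }

    # 3. Either ldaps:// or STARTTLS on ldap://; plain ldap:// sends the bind
    #    password in clear (the post uses ldap:// with STARTTLS).
    uri=$(conf_value "$f" ldap_uri)
    case "$uri" in
        ldaps://*) ;;
        ldap://*)
            [ "$(lower "$(conf_value "$f" ldap_id_use_start_tls)")" = "true" ] ||
                { echo "ldap_uri is ldap:// but ldap_id_use_start_tls is not True"; problems=$((problems+1)); } ;;
        *) echo "ldap_uri missing or unrecognised: '$uri'"; problems=$((problems+1)) ;;
    esac

    # 4. With reqcert = demand, a missing CA file fails every bind (step 13
    #    must have been done on this client).
    ca=$(conf_value "$f" ldap_tls_cacert)
    [ -n "$ca" ] && [ -r "$ca" ] ||
        { echo "ldap_tls_cacert '$ca' is not readable"; problems=$((problems+1)); }

    # 5. Step 22's chmod 600: sssd will not start if the file is readable by others.
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
    [ "$mode" = "600" ] ||
        { echo "$f mode is $mode, expected 600"; problems=$((problems+1)); }

    # Informational: how long cached credentials stay usable (days; 0 = forever).
    exp=$(conf_value "$f" offline_credentials_expiration)
    [ -n "$exp" ] && echo "offline_credentials_expiration = $exp day(s)"

    return "$problems"
}
```

The script treats the post's own configuration (ldap:// with ldap_id_use_start_tls = True, ldap_tls_reqcert = demand, cache_credentials = True) as correct and flags the usual regressions: someone relaxing reqcert to allow or never to "fix" a certificate error, or cache_credentials silently left at its default of False, which is the most common reason logins work online and fail the moment the server is unreachable.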
Step 23: Now try to login with the user for example:-
CLI:-
GUI:-
Step 24 (Optional): If GUI login is not working, install the nscd service:-
sudo apt install nscd -y
Thank you guys for reading; share it if you think this blog helps you. In case of any error or issue, you can connect with me on LinkedIn:
https://www.linkedin.com/in/tarun-mittal-1507/
Happy Reading.