ldapsearch [-h hostname] -D "cn=root" -w '?' -b "o=/usr/local,c=de" -s sub 'objectclass=person' dn | grep -c =

• -w '?' will prompt for a password (without echo)¹⁾
• -s scope search scope (base, one, or sub)
• dn is a dummy output attribute (distinguished name is printed in any case)

— Courtesy of Oliver D. 2010/05/04 15:04

apt-get install slapd phpldapadmin ldap-auth-config

• Disable
  $servers→setValue('server','base',array('dc=example,dc=com'));
  in /etc/phpldapadmin/config.php to get automatically the base DN you configured on your LDAP server
• Before creating a Posix Account you have to create a Posix Group (Thanks)
• To get rid of the error “Error trying to get a non-existant value (appearance,password_hash)” replace password_hash by password_hash_custom in line 2469 of /usr/share/phpldapadmin/lib/TemplateRender.php (Thanks)
• Uncomment und edit the line
  $servers→setValue('auto_number','min',array('uidNumber'⇒2000,'gidNumber'⇒500));
  in /etc/phpldapadmin/config.php to get a numerical uid range different from the one selected by local useradd.

• When creating Posix groups, the gid is preset and fixed by phpldapadmin, but you can modify it afterwards in the editor.
• The ldap adminstrator account is of the object class organizationalRole with auxilary class simpleSecurityObject. Maybe this can be used for simple accounts to authenticate against ldap itself with cn=… as well?

It should be done by ldapmodify, but as ldapsearch did not work²⁾, I modified /etc/ldap/slapd.d/cn=config.ldif

olcLogLevel: ACL stats stats2 shell

to confirm that libpam_ldap.so did use the right accounts, DNs and credentials.³⁾

If you get the error ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1) when using authentication options -Y External -H ldapi:/// this might be due to slapd's apparmor profile. Run

aa-complain slapd

and try again to verify. If this helps, add the following lines to /etc/apparmor.d/local/usr.sbin.slapd:

/run/slapd/ldapi rw,

In any case, make sure to re-enforce with

aa-enforce slapd
/etc/init.d/slapd stop
/etc/init.d/slapd start

Only leave it in complain mode (on your own responsibility), if you know what you're doing

apparmor

To configure OpenLDAP you need to access it by ldapmodify and Bind DN cn=config⁴⁾ , which does not have a known password by default. To set it, create an ldif file

dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: <PW in Clear>

and load it as root with⁵⁾

ldapmodify -Y EXTERNAL -H ldapi:/// -f <file>

NOTE: This will leave the password in cleartext in the config files. To avoid this, use the cli-tool slappasswd to create a SSHA hash of the password. The output of the tool can be pasted directly into the ldif file. Create the hash:

 ~ $ slappasswd
New password: 
Re-enter new password: 
{SSHA}Dine679cmHIezcn<Kwae0asdfSSrdgJx
 ~ $ 
 

and paste it into the ldif file:

dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}Dine679cmHIezcn<Kwae0asdfSSrdgJx

Afterwards you cann access the config by

ldapsearch -x -D cn=config -w <PW in Clear> -b cn=config

(Finally found here)

Of course you can skip setting the password and using external SASL authorization for ldapsearh by running:

ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config '(objectClass=*)'

as root.

1)

su - 
ldapadd -Y EXTERNAL -H ldapi:/// -f enableMemberOf.ldif

enableMemberOf.ldif:

enableMemberOf.ldif

dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModuleLoad: memberof

2)

su - 
ldapadd -Y EXTERNAL -H ldapi:/// -f configureMemberOf.ldif

configureMemberOf.ldif:

configureMemberOf.ldif

dn: olcOverlay={0}memberof,olcDatabase={1}hdb,cn=config
objectClass: olcConfig
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: top
olcOverlay: memberof
olcMemberOfDangling: ignore
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf

I assume this depends on where your LDAP tree data is stored - this example assumes it to be in lcDatabase={1}hdb,cn=config. You check it with

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" '(olcSuffix=*)' dn

as root.

References:

• https://technicalnotes.wordpress.com/2014/04/19/openldap-setup-with-memberof-overlay/

Add ldap to list of methods in /etc/nsswitch.con behind passwd and groups

:
passwd:         compat ldap
group:          compat ldap
:

add pam_mkhomedirs.so to common-session

:
session required pam_mkhomedir.so

 apt-get install libpam-ldapd libnss-ldapd

This will remove libpam-ldap and libnss-ldap but install nslcd which is capable of overwriting values from LDAP entries more flexible. I.e. to have all users their home directories in /local/home instead of the LDAP entries value homeDirectory, add this line to /etc/nslcd.conf:

:
map passwd homeDirectory "/local/home/$uid"
: 

(Found here)

• Download self-service-password_0.9-1_all.deb (or later) from http://ltb-project.org/wiki/download#self_service_password

dpkg -i self-service-password_0.9-1_all.deb
apt-get install php5-mcrypt''
php5enmod mcrypt

• Edit Apache configuration:

Alias /passwd /usr/share/self-service-password/

• Edit /usr/share/self-service-password/conf/config.ini.php
  • (ldap_url)
  • ldap_binddn
  • ldap_bindpw
  • ldap_base
  • hash
  • mail_from
  • (notify_on_change)
  • (debug)

/etc/init.d/apache2 stop
/etc/init.d/apache2 start

Simply change attribute olcLogLevel of the object cn=config by phpLDAPAdmin or ldapmodify using the credentials for the OLC⁶⁾ access, by default cn=config and value of attribute olcRootPW of object olcDatabase={0}config,cn=config, e.g.

ldapmodify -Y EXTERNAL -H ldapi:/// -f config.ldif

with

config.ldif

dn: cn=config
changeType: modify
replace: olcLogLevel
olcLogLevel: stats stats2 shell

or

config.ldif

dn: cn=config
changeType: modify
replace: olcLogLevel
olcLogLevel: none

• http://www.zytrax.com/books/ldap/ch6/slapd-config.html
• https://www.openldap.org/doc/admin24/slapdconf2.html#cn=config
• https://www.digitalocean.com/community/tutorials/how-to-change-account-passwords-on-an-openldap-server

Ubuntu LDAP OpenLDAP PAM