How to setup an LDAP server on Raspberry Pi

In this second tutorial for the Raspberry Pi I’m going to cover the basics of setting up an LDAP server and how to configure a client to authenticate against it. For those unfamiliar with it, LDAP (Lightweight Directory Access Protocol) provides a directory of information that you can use to store your users and groups so that you’re not constantly setting up those same entities on each local machine.

LDAP is actually fairly simple to set up in Debian, despite what I think is a lack of clear-cut instructions for doing so. So let’s get down to it. Once again for this tutorial I’m starting out with a fresh copy of Raspbian “Wheezy” from the Raspberry Pi website.

Server Setup

The first thing we want to do is install slapd, which provides the LDAP server itself, and ldap-utils, which is a set of command-line tools for testing and connecting to LDAP.

sudo apt-get install slapd ldap-utils

Here put in the password you want for your LDAP administrator account.

Re-enter it again.

Unfortunately, the package install doesn’t ask you for the domain, so we have to re-run the configuration manually to set it. We can do this with the following command.

sudo dpkg-reconfigure slapd

At the first screen select no because we want to change the configuration.

Next enter the name of your domain (this can be whatever you want, it’s not a real domain that you have to own or anything).

Type in your organization name.

Enter the password you want for your administrator account.

Re-enter the password.

Here we’ll just select HDB for the database as that’s what Debian recommends.

When asked if we want to purge the database we’ll say no.

Select yes here because we need to move the old database that Debian set up during the install.

And here we can say no because LDAPv2 is obsolete.

And with that our actual LDAP server is up and running now, but we need an easy way to manage it. Next we’ll install PHP, Nginx, and phpldapadmin so that we can manage our LDAP server using a web interface. We’re also going to install APC for PHP while we’re at it. This will help reduce the amount of recompiling that PHP does when we request web pages.

sudo apt-get install php5-fpm php5-cli php5-ldap php-apc phpldapadmin nginx

Now we need to crack open /etc/phpldapadmin/config.php and change a couple lines so that it matches the domain we just setup.

sudo nano /etc/phpldapadmin/config.php

We need to look for the following lines and modify them slightly.

//Original line
$servers->setValue('server','base',array('dc=example,dc=com'));
//Change to this domain so it matches yours like below
$servers->setValue('server','base',array('dc=ducky-pond,dc=lan'));

//Original line
$servers->setValue('login','bind_id','cn=admin,dc=example,dc=com');
//Change the line so it matches your LDAP admin user, my example below
$servers->setValue('login','bind_id','cn=admin,dc=ducky-pond,dc=lan');
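To avoid hand-editing those two lines, here is an added shell example (not from the original tutorial) that derives the base DN from a domain name the same way dpkg-reconfigure slapd builds it and rewrites the 'base' and 'bind_id' values in a config.php; the domain, the config path and the cn=admin bind user are assumptions taken from the lines above.

```shell
#!/bin/sh
# Added example, not from the tutorial: turn a domain into the base DN that
# dpkg-reconfigure slapd builds (ducky-pond.lan -> dc=ducky-pond,dc=lan) and
# patch the two phpldapadmin lines. Path and domain below are assumptions.

# "ducky-pond.lan" -> "dc=ducky-pond,dc=lan" (one dc= component per label)
domain_to_dn() {
    printf '%s' "$1" | awk -F. '{
        for (i = 1; i <= NF; i++) printf "%sdc=%s", (i > 1 ? "," : ""), $i
        printf "\n"
    }'
}

# Rewrite the 'base' and 'bind_id' values in a phpldapadmin config.php.
# $1 = path to config.php, $2 = your domain. A .bak copy of the file is kept.
# Only the DN inside the quotes is touched, so the rest of each line is preserved.
configure_phpldapadmin() {
    dn=$(domain_to_dn "$2")
    sed -i.bak \
        -e "s|\('server','base',array('\)[^']*\('\)|\1${dn}\2|" \
        -e "s|\('login','bind_id','cn=admin,\)[^']*\('\)|\1${dn}\2|" \
        "$1"
}

# Typical use on the Pi, as root:
#   configure_phpldapadmin /etc/phpldapadmin/config.php ducky-pond.lan
```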

Now we just need to make a modification to /etc/nginx/sites-available/default so that Nginx knows where to serve the PHP from.

sudo nano /etc/nginx/sites-available/default

Let’s comment out or remove the main server block (the whole existing server { ... } section, from its opening server { down to the matching closing brace) and replace it with the following.

server {
        # Serve on port 80 so the Pi's IP works directly in a browser.
        listen 80;

        root /usr/share/phpldapadmin/htdocs;
        index index.php index.html;

        server_name localhost;

        location ~ \.php$ {
                # Only hand real files to PHP-FPM; otherwise a request like
                # /some.png/x.php can be executed as PHP when cgi.fix_pathinfo is on.
                try_files $uri =404;
                fastcgi_pass unix:/var/run/php5-fpm.sock;
                fastcgi_index index.php;
                include fastcgi_params;
        }
}

We should be all set to use the web interface, so let’s restart Nginx for the changes to take effect.

sudo service nginx restart

Now in a browser, head to the IP of your Raspberry Pi and you should be presented with the following screen.

From the left side click Login and then enter your admin password to proceed.

This is the main interface for managing LDAP. I’m not going to go into great detail, as it’s something you just have to explore and get a feel for, but for now click Create new entry here in the left tree. From there we select the type of object we want to create. We need a group before we can have a user, so go ahead and select Generic: POSIX Group.

Now type a name for the group, hit Create object and then Commit on the page after that.

Follow the same process to create a user (Generic: User Account). When you get to the user screen, select the group you just created and fill in all the necessary fields.

Once the user and group are created then we’re ready to move on to setting up the Raspberry Pi to be able to authenticate against the LDAP server.
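The same group-then-user creation done from the command line with ldap-utils instead of the web UI, as an added example that is not part of the original tutorial; the base DN, the group name users, the user alice, the id numbers and the localhost URL are assumptions that match the domain used above.

```shell
#!/bin/sh
# Added example, not the tutorial's own: write the POSIX group and user as
# LDIF and load them with ldap-utils. Base DN, names and ids are assumptions.
BASE_DN='dc=ducky-pond,dc=lan'
ADMIN_DN="cn=admin,$BASE_DN"
LDAP_URI='ldap://localhost'   # from a remote client use ldaps:// or -ZZ (StartTLS)

# LDIF for a posixGroup: $1 = group name, $2 = gidNumber
posix_group_ldif() {
    cat <<EOF
dn: cn=$1,$BASE_DN
objectClass: posixGroup
cn: $1
gidNumber: $2

EOF
}

# LDIF for a login user: $1 = uid, $2 = uidNumber, $3 = gidNumber, $4 = "First Last"
# sn is taken from the last word of $4 (inetOrgPerson requires sn and cn).
posix_user_ldif() {
    cat <<EOF
dn: uid=$1,$BASE_DN
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: $1
cn: $4
sn: ${4##* }
uidNumber: $2
gidNumber: $3
homeDirectory: /home/$1
loginShell: /bin/bash

EOF
}

# Run on the Pi: add both entries (ldapadd prompts for the admin password),
# set the user's password so slapd stores it hashed, then verify the lookup.
load_entries() {
    { posix_group_ldif users 10000; posix_user_ldif alice 10001 10000 "Alice Example"; } |
        ldapadd -x -H "$LDAP_URI" -D "$ADMIN_DN" -W
    ldappasswd -x -H "$LDAP_URI" -D "$ADMIN_DN" -W -S "uid=alice,$BASE_DN"
    ldapsearch -x -H "$LDAP_URI" -b "$BASE_DN" '(uid=alice)' uidNumber gidNumber
}
```

The entries go directly under the base DN, which is where the web interface in the tutorial puts them as well.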

Client Setup

For setting up the client I’m going to just use the server we just set LDAP up on, but you could perform these same steps on any Debian installation that you want to authenticate against LDAP.

The process of setting up a client for LDAP authentication used to be more manual; thankfully it’s a lot easier to do now. We’ll need to run the command below to install two packages, which will get things going.

sudo apt-get install libpam-ldapd libnss-ldapd

At the first screen we need to enter the LDAP server address (port is optional). Since I’m doing this on the LDAP server I’m using the localhost address.

Tell it the base DN where it needs to search for users and groups.

Here we need to tell the system what to use LDAP for; it’s safe to go ahead and select everything for now.

Now we need to open /etc/pam.d/common-session and add the following line. What this does is create the LDAP users’ home directories on login if they don’t exist.

session required pam_mkhomedir.so umask=0022 skel=/etc/skel

At this point LDAP client authentication is set up, so if you run the following command you should see the user you added to the LDAP server earlier at the bottom of the output.

sudo getent passwd

Go ahead and open an SSH console or terminal session and try logging in as the LDAP user; you should be greeted with a command line prompt.

Hungry for more Pi?

For more project ideas be sure to check out our other Raspberry Pi Guides.

  • http://batman-news.com satish arya

    I got the below error as the packages are missing:

    Err http://mirrordirector.raspbian.org/raspbian/ wheezy/main libslp1 armhf 1.2.1-9

    404 Not Found

    Failed to fetch http://mirrordirector.raspbian.org/raspbian/pool/main/o/openslp-dfsg/libslp1_1.2.1-9_armhf.deb 404 Not Found

    Unable to correct missing packages.

    E: Aborting install.

    Any alternative sites?

  • Ed Reed

    I must have made a mistake when you said “Let’s comment out or remove main server block replace it with the following.”

    I’m not sure what lines in the original file get commented out. I did what I thought was right, near the beginning, but I’m getting errors complaining about “server name directive not allowed here” upon restarting (or trying to restart). Any better direction as to what constitutes the “main server block”?