LDAP Authentication
LDAP (Lightweight Directory Access Protocol) is the standard protocol for centralizing user accounts and authentication in enterprise environments. Instead of creating the same user account on every server, you create it once in an LDAP directory and all LDAP-configured servers authenticate against it. When an employee leaves, you disable one account in LDAP and they lose access to all systems instantly. OpenLDAP is the open-source LDAP server used on Ubuntu.
LDAP concepts
LDAP directory structure (tree):
dc=example,dc=com (root domain)
|
+-- ou=People,dc=example,dc=com
|   |-- uid=irfan,ou=People,dc=example,dc=com (user entry)
|   |-- uid=ahmed,ou=People,dc=example,dc=com
|
+-- ou=Groups,dc=example,dc=com
    |-- cn=sysadmins,ou=Groups,...
    |-- cn=developers,ou=Groups,...
DN (Distinguished Name) = unique path to an entry
Example: uid=irfan,ou=People,dc=example,dc=com
Ubuntu clients search this tree to authenticate users.
OpenLDAP server setup
sudo apt update
sudo apt install -y slapd ldap-utils
# Reconfigure with your domain:
sudo dpkg-reconfigure slapd
# Enter: DNS domain name: example.com
# Enter: Organization: Example Corp
# Enter: Admin password (strong password)
# Check LDAP is running:
ldapsearch -x -H ldap://localhost -b "dc=example,dc=com" -D "cn=admin,dc=example,dc=com" -W
# Add users with LDIF files. A freshly configured directory holds only the
# base entry, so create ou=People before the first user. Generate a real
# password hash with slappasswd and replace the placeholder value below:
cat > /tmp/add-user.ldif << 'EOF'
dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: uid=irfan,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: irfan
sn: Aslam
givenName: Irfan
cn: Irfan Aslam
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/irfan
loginShell: /bin/bash
userPassword: {SSHA}hashedpassword
EOF
ldapadd -x -H ldap://localhost -D "cn=admin,dc=example,dc=com" -W -f /tmp/add-user.ldif
Configuring Ubuntu as LDAP client
# Install LDAP client packages on servers that will authenticate via LDAP:
sudo apt install -y libnss-ldap libpam-ldap ldap-utils nscd
# During installation, provide:
# - LDAP server URI: ldap://ldap.example.com
# - Distinguished name: dc=example,dc=com
# - LDAP version: 3
# - Admin bind DN, password
# Configure NSS to use LDAP:
sudo nano /etc/nsswitch.conf
# Resulting /etc/nsswitch.conf lines (ldap appended to passwd, group and shadow):
passwd: files systemd ldap
group: files systemd ldap
shadow: files ldap
# Create home directories on first login:
sudo nano /etc/pam.d/common-session
# Add: session required pam_mkhomedir.so skel=/etc/skel umask=0022
# Restart and test:
sudo systemctl restart nscd
getent passwd irfan # Should show LDAP user entry
LDAP management commands
# Search all users:
ldapsearch -x -H ldap://ldap.example.com -b "ou=People,dc=example,dc=com" "(objectClass=posixAccount)" uid cn
# Change a user's password (-x selects a simple bind; without it the tools attempt SASL):
ldappasswd -x -H ldap://ldap.example.com -D "cn=admin,dc=example,dc=com" -W "uid=irfan,ou=People,dc=example,dc=com" -S # Prompt for new password
# Delete a user:
ldapdelete -x -H ldap://ldap.example.com -D "cn=admin,dc=example,dc=com" -W "uid=irfan,ou=People,dc=example,dc=com"
# Test authentication (verify credentials work):
ldapsearch -x -H ldap://ldap.example.com -D "uid=irfan,ou=People,dc=example,dc=com" -W -b "dc=example,dc=com" "(uid=irfan)"
Conclusion
LDAP over plain TCP sends passwords in cleartext unless you use LDAPS (port 636, TLS) or STARTTLS. Always configure TLS for production LDAP. The nscd (Name Service Cache Daemon) caches LDAP lookups to improve performance and provide brief offline functionality if the LDAP server is unreachable — configure a short cache TTL (300 seconds) to avoid users retaining access too long after account disabling.
FAQ
Is LDAP Authentication important for Ubuntu administrators?
Yes. It supports practical Ubuntu administration because it connects directly to server reliability, security, troubleshooting, or daily operations.
Should I practice this on a live server?
Use a lab VM first. After you understand the command output and rollback path, apply the workflow carefully on real systems.
What should I do after reading this article?
Run the practice commands, write down what each one shows, and continue to the next article in the Ubuntu roadmap.
Need help with Ubuntu administration?
Work directly with Muhammad Irfan Aslam for Ubuntu Server, Linux, cloud, Docker, DevOps, CI/CD, or infrastructure troubleshooting support.