
The information on this page represents the experience of an NBIA user and is provided as a case study that you may find useful. It is not meant to apply to all users.

Install OpenLdap

  1. Install OpenLdap on Ubuntu.

    These instructions are based on Ubuntu 18.04.

  2. In a terminal window, issue the following commands:

    sudo apt-get update
    sudo apt-get upgrade
  3. Then issue the following command to install the OpenLDAP server and client tools.

    sudo apt install slapd ldap-utils
  4. Change the default Directory Information Tree (DIT) suffix to fit your organization's domain, for example dc=smab,dc=org. To do so, issue the following command.

    sudo dpkg-reconfigure slapd
  5. Enter the administrator's password.
  6. Add initial data to the LDAP database from an LDIF file. In a terminal window, create the file with the following contents.

    vi ldap_data.ldif
    
    # Contents of ldap_data.ldif. Each entry must be separated from the next by a blank line.
    dn: ou=People,dc=smab,dc=org
    objectClass: organizationalUnit
    ou: People
    
    dn: ou=Groups,dc=smab,dc=org
    objectClass: organizationalUnit
    ou: Groups
    
    # Replace DEPARTMENT with your group name; the cn attribute must match the cn in the dn.
    dn: cn=DEPARTMENT,ou=Groups,dc=smab,dc=org
    objectClass: posixGroup
    cn: DEPARTMENT
    gidNumber: 5000
    
    # The NBIA account: uid and cn must both be nciadevtest.
    # userPassword and homeDirectory (USERDIRECTORY) are placeholders; replace them.
    dn: uid=nciadevtest,ou=People,dc=smab,dc=org
    objectClass: inetOrgPerson
    objectClass: posixAccount
    objectClass: shadowAccount
    uid: nciadevtest
    sn: Last name
    givenName: First name
    cn: nciadevtest
    displayName: Name
    uidNumber: 10000
    gidNumber: 5000
    userPassword: password
    gecos: Whole Name
    loginShell: /bin/bash
    homeDirectory: USERDIRECTORY

    In this .ldif file, we created two organizationalUnit values, People and Groups.

  7. Add the entries under these OUs. One entry must be the nciadevtest user for NBIA, and both its uid and cn must be this name. NBIA uses cn as the default authentication attribute; some other applications authenticate on uid.

  8. Load the entries into the LDAP server with the following command.

    ldapadd -x -D cn=admin,dc=smab,dc=org -W -f ldap_data.ldif
  9. Use ldapsearch to query the records you just added. You can test against the loopback address (127.0.0.1) or the server's real IP address.

    # -w passes the bind password on the command line; -W prompts for it instead.
    ldapsearch -x -LLL -h 127.0.0.1 -p 389 -D cn=admin,dc=smab,dc=org -w smab123456 -b dc=smab,dc=org 'uid=nciadevtest' cn givenName gidNumber
    
    Result:
    
    dn: uid=nciadevtest,ou=People,dc=smab,dc=org
    givenName: First Name
    cn: nciadevtest
    gidNumber: 5000
    
    ldapsearch -x -LLL -h 69.71.4.10 -p 389 -D cn=admin,dc=smab,dc=org -w smab123456 -b dc=smab,dc=org 'cn=nciadevtest' uid givenName gidNumber
    
    Result:
    
    dn: uid=nciadevtest,ou=People,dc=smab,dc=org
    uid: nciadevtest
    givenName: First Name
    gidNumber: 5000
  10. Add the records. The LDAP server configuration looks similar to the following.

    Title               Value
    Base DN             smab,dc=org
    Bind Admin          admin,dc=smab,dc=org
    Bind Password       Smab123456
    User name for NBIA  nciadevtest
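As an added check (not part of this page or of NBIA), the following Python script parses an LDIF file like the one in step 6 and flags three mistakes that make step 8 or the NBIA login fail: entries not separated by a blank line, an RDN value that does not also appear as an attribute of the entry (slapd rejects such an entry), and an NBIA account whose cn differs from its uid (see step 7). The sample LDIF is constructed and trimmed to the attributes the checks look at.

```python
# Constructed sample in the shape of the page's ldap_data.ldif, trimmed to the
# attributes the checks use; the group's cn deliberately differs from its RDN.
SAMPLE_LDIF = """\
dn: ou=People,dc=smab,dc=org
ou: People

dn: ou=Groups,dc=smab,dc=org
ou: Groups

dn: cn=DEPARTMENT,ou=Groups,dc=smab,dc=org
objectClass: posixGroup
cn: SUBGROUP

dn: uid=nciadevtest,ou=People,dc=smab,dc=org
uid: nciadevtest
cn: nciadevtest
"""

def parse_ldif(text):
    """Split LDIF into entries ({attribute: [values]}); a blank line ends an entry
    and a line starting with a space continues the previous value."""
    entries, current, last = [], {}, None
    for line in text.splitlines() + [""]:
        if not line.strip():                 # blank line ends the entry
            if current:
                entries.append(current)
            current, last = {}, None
        elif line.startswith(" ") and last:  # folded continuation line
            current[last][-1] += line[1:]
        else:
            attr, _, value = line.partition(":")
            last = attr.strip().lower()
            current.setdefault(last, []).append(value.strip())
    return entries

def check_entries(entries, nbia_user="nciadevtest"):
    """Report what makes ldapadd reject the file or NBIA fail to find the user."""
    problems = []
    for e in entries:
        dns = e.get("dn", [])
        if len(dns) != 1:
            problems.append("%d dn lines in one entry: missing blank-line separator" % len(dns))
            continue
        rdn_attr, _, rdn_val = dns[0].split(",", 1)[0].partition("=")
        if rdn_val not in e.get(rdn_attr.lower(), []):   # slapd rejects this entry
            problems.append(f"{dns[0]}: RDN value '{rdn_val}' missing from {rdn_attr}")
        if nbia_user in e.get("uid", []) and nbia_user not in e.get("cn", []):
            problems.append(f"{dns[0]}: NBIA looks up cn, so cn must equal uid")
    return problems
```

Run `check_entries(parse_ldif(open("ldap_data.ldif").read()))` against your own file; an empty list means the three checks passed.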

Configuring the LDAP Administrator Client

You can add, modify, or remove records to or from the LDAP server in several ways.

To use Softerra LDAP Administrator

  1. Create a new profile.
  2. Add the server host (IP or domain), Base DN, and port.
  3. Add the bind admin information.

With the bind admin credentials, the LDAP client can create, delete, and modify entries; without them you have read-only access.

Troubleshooting Note

OpenLdap can be installed on an Ubuntu Server, and phpldapadmin also works there. Use ldapsearch to look up user information. However, when you try to use an LDAP client to access this LDAP server, the connection may time out with no response from the server even when all ports are enabled. The user did not find any solution for this issue.

When installing OpenLDAP on Ubuntu (Desktop version), all LDAP functions worked without any issues. Any LDAP client can access the remote LDAP server.

NBIA LDAP Settings

The following code is the contents of nbia.properties (Tomcat7.0/lib/nbia.properties).

    authentication.type=ldap-auth
    
    ldap.url=ldap://192.168.56.101:389
    ldap.basedn=dc=smab,dc=org
    ldap.user=CN=admin,dc=smab,dc=org
    ldap.pass=smab123456
    
    ldap.memberOf.attribute.name=isMemberOf
    ldap.mail.attribute.name=mail
    ldap.group.ignore.list=PwmAdmins,devTeam,nlst,testGroup
    public.collection.access.group.name=General User
    product.variation=NBIA

ldap.user and ldap.pass must be the administrator credentials of the LDAP server.
In jaas.conf (Tomcat7.0/conf/jaas.conf), the NCIA login module entry looks like this.

    NCIA
    {
    gov.nih.nci.security.authentication.loginmodules.LDAPLoginModule Required
    ldapHost="ldap://192.168.56.101:389"
    ldapSearchableBase="dc=smab,dc=org"
    ldapUserIdLabel="cn"
    ldapAdminUserName="CN=admin,dc=smab,dc=org"
    ldapAdminPassword="smab123456";
    };

The jaas.conf is generated during NBIA installation. The default ldapUserIdLabel is cn, which means the LDAP server will search the cn value, then compare it to the login username. If the user name exists in the LDAP server, the LDAP server will authenticate this user.

Some LDAP servers may use another attribute to store the login username, such as uid. In this case, change the ldapUserIdLabel value to uid, for example ldapUserIdLabel="uid".
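As an added illustration (not NBIA's own code), the following Python reads the options of the NCIA stanza above and builds the lookup that the text describes: a search under ldapSearchableBase for the entry whose ldapUserIdLabel attribute equals the login name. Because the login name is user-supplied, it is escaped per RFC 4515 before it is placed in the filter. The stanza is a constructed copy of the one on this page with a placeholder password.

```python
import re

# Constructed copy of the NCIA stanza from Tomcat7.0/conf/jaas.conf shown on this page;
# the password is a placeholder, not a real credential.
SAMPLE_JAAS = """\
NCIA
{
gov.nih.nci.security.authentication.loginmodules.LDAPLoginModule Required
ldapHost="ldap://192.168.56.101:389"
ldapSearchableBase="dc=smab,dc=org"
ldapUserIdLabel="cn"
ldapAdminUserName="CN=admin,dc=smab,dc=org"
ldapAdminPassword="PLACEHOLDER";
};
"""

# One key="value" option per line, optionally ending in ';'
OPTION_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*;?\s*$')

def parse_jaas_options(text):
    """Collect the key="value" options of the login-module stanza into a dict."""
    options = {}
    for line in text.splitlines():
        m = OPTION_RE.match(line)
        if m:
            options[m.group(1)] = m.group(2)
    return options

# RFC 4515 escapes for characters that would otherwise alter the filter structure
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value):
    """Escape a value so it is matched literally inside a search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def user_lookup(options, username):
    """Return (search base, filter): the entry under ldapSearchableBase whose
    ldapUserIdLabel attribute (cn by default) equals the login name."""
    label = options.get("ldapUserIdLabel", "cn")
    return options["ldapSearchableBase"], f"({label}={escape_filter_value(username)})"
```

Switching ldapUserIdLabel to uid changes only the attribute in the filter; the base and the escaping stay the same.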

Restart Tomcat for the change to take effect.
