The information on this page represents the experience of an NBIA user and is provided as a case study that you may find useful. It is not meant to apply to all users.
Install OpenLDAP
Install OpenLDAP on Ubuntu.
These instructions are based on Ubuntu 18.04.
In a terminal window, bring the package index and the installed packages up to date:
sudo apt-get update
sudo apt-get upgrade
Then install the server package slapd (which also ships the slappasswd password-hashing tool) and the ldap-utils client tools (ldapadd, ldapsearch and friends):
sudo apt install slapd ldap-utils
The package derives the default Directory Information Tree (DIT) suffix from the machine's domain name. Change it to fit your organization's naming, for example dc=smab,dc=org, by reconfiguring the package:
sudo dpkg-reconfigure slapd
- Answer the prompts. The DNS domain name you enter determines the suffix (smab.org becomes dc=smab,dc=org), and you are asked for the administrator's password; the administrator entry is cn=admin under that suffix.
Create an LDIF file describing the initial entries: two organizational units (People and Groups), one group, and one user. In a terminal window, open the file in an editor:
vi ldap_data.ldif
and give it the contents below. Entries are separated by a blank line, and the value in each DN's leftmost component (the naming attribute, such as cn=DEPARTMENT) must also appear as an attribute of that entry; otherwise slapd rejects the add with a naming violation. Replace the placeholder values (Last name, First name, USERDIRECTORY and so on) with real ones.

dn: ou=People,dc=smab,dc=org
objectClass: organizationalUnit
ou: People

dn: ou=Groups,dc=smab,dc=org
objectClass: organizationalUnit
ou: Groups

dn: cn=DEPARTMENT,ou=Groups,dc=smab,dc=org
objectClass: posixGroup
cn: DEPARTMENT
gidNumber: 5000

dn: uid=nciadevtest,ou=People,dc=smab,dc=org
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: nciadevtest
sn: Last name
givenName: First name
cn: nciadevtest
displayName: Name
uidNumber: 10000
gidNumber: 5000
userPassword: password
gecos: Whole Name
loginShell: /bin/bash
homeDirectory: USERDIRECTORY

userPassword is shown here as a cleartext placeholder. Do not store a real password that way: generate a salted hash with slappasswd (for example slappasswd -h '{SSHA}') and paste its output, a value beginning with {SSHA}, as the userPassword value instead.
This file creates two organizationalUnit entries, People and Groups, and the entries beneath them.
One person entry must be nciadevtest for NBIA, with both uid and cn set to that name: NBIA matches the login name against cn by default, while some other applications match against uid. Because cn is not required to be unique in a directory, make sure no other entry under the search base uses this cn.
Add the entries to the LDAP server, binding as the administrator (-W prompts for the password rather than taking it on the command line):
ldapadd -x -D cn=admin,dc=smab,dc=org -W -f ldap_data.ldif
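As an added example (not part of this case study or of NBIA), the following Python script builds the same four entries, stores the user password as the {SSHA} hash that slappasswd would produce instead of cleartext, and checks every entry for the naming-attribute mismatch slapd rejects before the file ever reaches ldapadd. The base DN and entry names are the page's; the /home/nciadevtest home directory, the fixed-salt parameter and the function names are assumptions made for the example.

```python
"""Added example (not part of the NBIA case study): build the page's LDIF
programmatically, hash userPassword the way slappasswd -h '{SSHA}' does,
and lint the entries for the naming-attribute mismatch slapd rejects."""
import base64
import hashlib
import os
from typing import Optional

BASE_DN = "dc=smab,dc=org"          # suffix from the page
SHA1_LEN = 20

# (dn, [(attribute, value), ...]) keeps attribute order as it will appear in the LDIF
Entry = tuple[str, list[tuple[str, str]]]


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """{SSHA} = base64(sha1(password + salt) + salt), the form slapd stores.
    slappasswd picks a random salt; the salt argument only makes tests repeatable."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored: str, candidate: str) -> bool:
    """Recover the salt from the stored value and recompute the digest."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    return hashlib.sha1(candidate.encode("utf-8") + salt).digest() == digest


def check_entry(entry: Entry) -> list[str]:
    """Problems slapd or a reviewer would flag before ldapadd."""
    dn, attrs = entry
    rdn_attr, rdn_value = (s.strip() for s in dn.split(",", 1)[0].split("=", 1))
    problems = []
    # The RDN's attribute and value must be present in the entry; cn/uid/ou use
    # case-insensitive equality matching, which lower() approximates here.
    present = [v.lower() for a, v in attrs if a.lower() == rdn_attr.lower()]
    if rdn_value.lower() not in present:
        problems.append(f"{dn}: naming attribute {rdn_attr}={rdn_value} missing from entry")
    for a, v in attrs:
        if a.lower() == "userpassword" and not v.startswith("{"):
            problems.append(f"{dn}: userPassword is stored in cleartext")
    return problems


def lint(entries: list[Entry]) -> list[str]:
    return [p for e in entries for p in check_entry(e)]


def _needs_base64(value: str) -> bool:
    """RFC 2849: values starting with space, ':' or '<', or containing non-ASCII
    or control characters, must be written as 'attr:: <base64>'."""
    if value[:1] in (" ", ":", "<"):
        return True
    return any(ord(c) < 32 or ord(c) > 126 for c in value)


def to_ldif(entries: list[Entry]) -> str:
    """Serialize entries as LDIF, one blank line between entries."""
    blocks = []
    for dn, attrs in entries:
        lines = [f"dn: {dn}"]
        for a, v in attrs:
            if _needs_base64(v):
                lines.append(f"{a}:: {base64.b64encode(v.encode('utf-8')).decode('ascii')}")
            else:
                lines.append(f"{a}: {v}")
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks) + "\n"


def build_entries(user_password: str, home_dir: str = "/home/nciadevtest") -> list[Entry]:
    """The page's four entries; home_dir is an assumption standing in for USERDIRECTORY."""
    people, groups = f"ou=People,{BASE_DN}", f"ou=Groups,{BASE_DN}"
    return [
        (people, [("objectClass", "organizationalUnit"), ("ou", "People")]),
        (groups, [("objectClass", "organizationalUnit"), ("ou", "Groups")]),
        (f"cn=DEPARTMENT,{groups}",
         [("objectClass", "posixGroup"), ("cn", "DEPARTMENT"), ("gidNumber", "5000")]),
        (f"uid=nciadevtest,{people}", [
            ("objectClass", "inetOrgPerson"), ("objectClass", "posixAccount"),
            ("objectClass", "shadowAccount"), ("uid", "nciadevtest"),
            ("sn", "Last name"), ("givenName", "First name"), ("cn", "nciadevtest"),
            ("displayName", "Name"), ("uidNumber", "10000"), ("gidNumber", "5000"),
            ("userPassword", user_password), ("gecos", "Whole Name"),
            ("loginShell", "/bin/bash"), ("homeDirectory", home_dir)]),
    ]


# A group whose RDN says DEPARTMENT but whose cn attribute says SUBGROUP:
# slapd refuses to add this with a naming violation.
BROKEN_GROUP: Entry = (f"cn=DEPARTMENT,ou=Groups,{BASE_DN}",
                       [("objectClass", "posixGroup"), ("cn", "SUBGROUP"), ("gidNumber", "5000")])

if __name__ == "__main__":
    entries = build_entries(ssha_hash("password"))
    assert lint(entries) == []
    print(to_ldif(entries), end="")       # redirect to ldap_data.ldif
```

Run it and redirect its output to ldap_data.ldif, then load the file with the ldapadd command above. Calling lint() on a list containing BROKEN_GROUP reports the kind of RDN/attribute mismatch that ldapadd would otherwise reject as a naming violation, and lint() also flags any userPassword that is not a hashed value.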
Use ldapsearch to confirm the records. You can test against the loopback address (127.0.0.1) or against the server's real IP address. Note that -w passes the bind password on the command line, where it is visible in the process list and in the shell history; -W prompts for it instead. The -h and -p options are deprecated in favor of -H ldap://host:389.

ldapsearch -x -LLL -h 127.0.0.1 -p 389 -D cn=admin,dc=smab,dc=org -w smab123456 -b dc=smab,dc=org 'uid=nciadevtest' cn givenName gidNumber

Result:
dn: uid=nciadevtest,ou=People,dc=smab,dc=org
givenName: First name
cn: nciadevtest
gidNumber: 5000

ldapsearch -x -LLL -h 69.71.4.10 -p 389 -D cn=admin,dc=smab,dc=org -w smab123456 -b dc=smab,dc=org 'cn=nciadevtest' uid givenName gidNumber

Result:
dn: uid=nciadevtest,ou=People,dc=smab,dc=org
uid: nciadevtest
givenName: First name
gidNumber: 5000
With these records in place, the values you need for the NBIA and client configuration are:

Title                 Value
Base DN               dc=smab,dc=org
Bind Admin            cn=admin,dc=smab,dc=org
Bind Password         smab123456
User name for NBIA    nciadevtest
Configuring the LDAP Administrator Client
You can add, modify, or remove records in the LDAP server in several ways.
- On a Linux server, use phpldapadmin to maintain the LDAP server. Refer to the phpldapadmin installation instructions. (Note that phpldapadmin is no longer updated and has errors with PHP 7.0 and later.)
- Use a Windows LDAP client such as Softerra LDAP Administrator to access the remote LDAP server.
To use Softerra LDAP Administrator:
- Create a new profile.
- Add the server host (IP address or domain name), the Base DN, and the port.
- Add the bind admin information.
Binding with the administrator credentials lets the client create, delete, and modify entries. Without them (an anonymous bind) you only have read permission under the default access rules.
Troubleshooting
OpenLDAP installs on Ubuntu Server without problems, phpldapadmin works, and ldapsearch returns the user information.
But when I tried to use an LDAP client to access this LDAP server, the connection timed out. There was no response at all from the LDAP server, even after I enabled all ports.
I think the reason is that Ubuntu Server blocks LDAP by default (maybe a firewall). I have not found a way to solve this issue yet.
When I installed OpenLDAP on Ubuntu Desktop, all LDAP functions worked by default with no issues; I could use any LDAP client tool to access the remote LDAP server running on Ubuntu Desktop.
Two things to check in this situation: whether slapd is bound to a non-loopback address (SLAPD_SERVICES in /etc/default/slapd; the package default of "ldap:/// ldapi:///" listens on all interfaces), and whether a host firewall such as ufw, or a firewall or cloud security group between the client and the server, is dropping TCP port 389.
NBIA LDAP Settings
In nbia.properties (Tomcat7.0/lib/nbia.properties), set:

authentication.type=ldap-auth
ldap.url=ldap://192.168.56.101:389
ldap.basedn=dc=smab,dc=org
ldap.user=CN=admin,dc=smab,dc=org
ldap.pass=smab123456
ldap.memberOf.attribute.name=isMemberOf
ldap.mail.attribute.name=mail
ldap.group.ignore.list=PwmAdmins,devTeam,nlst,testGroup
public.collection.access.group.name=General User
product.variation=NBIA

ldap.user and ldap.pass must be the administrator credentials of the LDAP server. Both this file and jaas.conf therefore hold the administrator password in cleartext, so restrict their permissions to the account Tomcat runs as. Also, with a plain ldap:// URL on port 389 the bind credentials and every user's password cross the network unencrypted, which is acceptable only on a trusted network segment.

In jaas.conf (Tomcat7.0/conf/jaas.conf):

NCIA {
    gov.nih.nci.security.authentication.loginmodules.LDAPLoginModule Required
        ldapHost="ldap://192.168.56.101:389"
        ldapSearchableBase="dc=smab,dc=org"
        ldapUserIdLabel="cn"
        ldapAdminUserName="CN=admin,dc=smab,dc=org"
        ldapAdminPassword="smab123456";
};
The jaas.conf file is generated during the NBIA installation. The default ldapUserIdLabel is 'cn', which means NBIA searches the directory under ldapSearchableBase for an entry whose cn equals the login user name. If such an entry exists, the LDAP server then authenticates the user against that entry with the supplied password.
Some LDAP servers store the login name in another attribute, such as 'uid'. In that case, change the value to 'uid':
ldapUserIdLabel="uid"
After changing it, restart Tomcat for the change to take effect.
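To make concrete what ldapUserIdLabel controls, here is an added example (not NBIA code, and not part of the original page) that models the login module's search-then-bind flow against a small in-memory directory: an administrator-bound search of ldapSearchableBase for the one entry whose label attribute equals the login name, followed by a bind as that entry with the user's password. The directory contents, the second user jdoe with the s3cret password, and the function names are constructed for the example; the filter escaping follows RFC 4515, and the empty-password refusal follows RFC 4513, which treats a bind with a DN and no password as an anonymous bind.

```python
"""Added example (not NBIA code): model of the search-then-bind login flow that
jaas.conf configures, showing what ldapUserIdLabel changes."""
import base64
import hashlib
import re
from typing import Optional

SEARCHABLE_BASE = "dc=smab,dc=org"

# Constructed directory for the example: the page's nciadevtest entry (cleartext
# password, as in its LDIF) plus an assumed second person whose cn and uid differ.
JDOE_HASH = "{SSHA}" + base64.b64encode(
    hashlib.sha1(b"s3cret" + b"salt").digest() + b"salt").decode("ascii")
DIRECTORY = {
    "uid=nciadevtest,ou=People,dc=smab,dc=org": {
        "objectClass": ["inetOrgPerson", "posixAccount", "shadowAccount"],
        "uid": ["nciadevtest"], "cn": ["nciadevtest"], "userPassword": ["password"],
    },
    "uid=jdoe,ou=People,dc=smab,dc=org": {
        "objectClass": ["inetOrgPerson"],
        "uid": ["jdoe"], "cn": ["Jane Doe"], "userPassword": [JDOE_HASH],
    },
    "cn=DEPARTMENT,ou=Groups,dc=smab,dc=org": {
        "objectClass": ["posixGroup"], "cn": ["DEPARTMENT"], "gidNumber": ["5000"],
    },
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping, so a login name cannot inject wildcards or parentheses."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in value)


def _assertion_regex(pattern: str) -> str:
    """Translate a filter assertion value: '\\xx' is a literal byte, a bare '*' a wildcard."""
    out, i = "", 0
    while i < len(pattern):
        if pattern[i] == "\\":
            out += re.escape(chr(int(pattern[i + 1:i + 3], 16)))
            i += 3
        elif pattern[i] == "*":
            out += ".*"
            i += 1
        else:
            out += re.escape(pattern[i])
            i += 1
    return out


def search(base: str, ldap_filter: str) -> list[str]:
    """Subtree search for one (attr=value) filter; cn and uid match case-insensitively."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter)
    if not m:
        raise ValueError("only single (attr=value) filters are modelled")
    attr, regex = m.group(1), _assertion_regex(m.group(2))
    return [dn for dn, entry in DIRECTORY.items()
            if dn.lower().endswith("," + base.lower())
            and any(re.fullmatch(regex, v, re.IGNORECASE) for v in entry.get(attr, []))]


def check_password(stored: str, candidate: str) -> bool:
    """Accept {SSHA} (salted SHA-1) or the cleartext form the page's LDIF uses."""
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        return hashlib.sha1(candidate.encode("utf-8") + raw[20:]).digest() == raw[:20]
    return stored == candidate


def bind(dn: str, password: str) -> bool:
    """Simple bind. RFC 4513 treats a DN with an empty password as an anonymous
    bind, which succeeds, so an empty password must be refused before it is sent."""
    if password == "":
        return False
    entry = DIRECTORY.get(dn)
    return entry is not None and any(check_password(s, password)
                                     for s in entry.get("userPassword", []))


def authenticate(user_id_label: str, login: str, password: str) -> Optional[str]:
    """Return the DN of the authenticated user, or None. Mirrors the login module:
    an admin-bound search on the label attribute, then a bind as the entry found."""
    ldap_filter = f"({user_id_label}={escape_filter_value(login)})"
    hits = search(SEARCHABLE_BASE, ldap_filter)
    if len(hits) != 1:          # unknown user, or ambiguous (cn need not be unique)
        return None
    return hits[0] if bind(hits[0], password) else None


if __name__ == "__main__":
    for label in ("cn", "uid"):
        print(label, authenticate(label, "nciadevtest", "password"),
              authenticate(label, "jdoe", "s3cret"))
```

With the label set to cn, nciadevtest logs in because its cn and uid are the same, but jdoe cannot, since her cn is "Jane Doe"; switching the label to uid makes both work. Escaping the login name keeps a value like * from matching every entry, and the bind step refuses an empty password rather than letting the server treat it as an anonymous bind.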