How to Set Up an LDAP Server on Debian 12 Bookworm

LDAP (Lightweight Directory Access Protocol) is a protocol used for accessing and maintaining distributed directory information services over a network. It is commonly used for centralized authentication, storing user information, and managing access control. Setting up an LDAP server can be especially beneficial for organizations that need a centralized authentication system for multiple machines or services.

This guide will walk you through setting up an OpenLDAP server on Debian 12 Bookworm. We’ll cover installation, initial configuration, securing the server, and basic operations.


1. Prerequisites

Before we begin, ensure you have the following:

  • A system running Debian 12 Bookworm
  • Root or sudo privileges
  • Static IP address (recommended for server consistency)
  • Basic knowledge of the Linux command line

2. Update Your System

First, make sure your system is up-to-date:

sudo apt update && sudo apt upgrade -y

3. Install OpenLDAP Server and Utilities

Install the OpenLDAP server package along with the necessary utilities:

sudo apt install slapd ldap-utils -y

During installation, you may be prompted to set an admin password for the LDAP server (this is for the cn=admin,dc=example,dc=com user). If you’re not prompted, don’t worry — we’ll reconfigure it in the next step.


4. Reconfigure the OpenLDAP Server

To reconfigure the OpenLDAP server and define the domain name and admin password:

sudo dpkg-reconfigure slapd

You will be asked a series of questions. Here’s how to answer them:

  1. Omit OpenLDAP server configuration? → No
  2. DNS domain name: → e.g., example.com
  3. Organization name: → e.g., Example Inc.
  4. Administrator password: → Choose a secure password
  5. Database backend: → MDB (default and recommended)
  6. Do you want the database to be removed when slapd is purged? → No
  7. Move old database? → Yes (if prompted)
  8. Allow LDAPv2 protocol? → No

This setup will generate a base DN such as dc=example,dc=com.


5. Verify LDAP Installation

Check the LDAP directory structure using ldapsearch:

ldapsearch -x -LLL -H ldap:/// -b dc=example,dc=com

You should see a basic structure with the base DN and admin user.


6. Install and Configure phpldapadmin (Optional GUI Tool)

While not mandatory, phpldapadmin provides a web interface for managing your LDAP directory.

sudo apt install phpldapadmin -y

Then point phpldapadmin at your LDAP server:

sudo nano /etc/phpldapadmin/config.php

Find and update the following lines:

$servers->setValue('server','host','127.0.0.1');
$servers->setValue('login','bind_id','cn=admin,dc=example,dc=com');

Also, update Apache configuration if needed:

sudo nano /etc/apache2/conf-enabled/phpldapadmin.conf

Allow access from your IP or localhost:

<Directory /usr/share/phpldapadmin/htdocs>
    Require all granted
</Directory>

Restart Apache:

sudo systemctl restart apache2

Access phpldapadmin from your browser:

http://your-server-ip/phpldapadmin

7. Secure LDAP with SSL/TLS

7.1 Create a Self-Signed Certificate

sudo openssl req -new -x509 -nodes -out /etc/ssl/certs/ldap-selfsigned.crt -keyout /etc/ssl/private/ldap-selfsigned.key -days 365

7.2 Configure OpenLDAP to Use SSL

Create a new LDIF file /tmp/ssl.ldif:

dn: cn=config
changetype: modify
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/ldap-selfsigned.crt
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/ldap-selfsigned.key

Apply the configuration:

sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/ssl.ldif

Restart the LDAP server:

sudo systemctl restart slapd

Test LDAPS (port 636):

ldapsearch -x -H ldaps://localhost -b dc=example,dc=com
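Two Debian-specific details decide whether the LDAPS test above succeeds. The Debian package only starts listeners for ldap:/// and ldapi:/// unless SLAPD_SERVICES in /etc/default/slapd also lists ldaps:///, and a key written to /etc/ssl/private (root:ssl-cert, mode 0710) is unreadable by the openldap service user until that user is in the ssl-cert group and the key is group-readable. slapd also validates the certificate against its key when the modify is applied, which is why the LDIF above carries both attributes in one record. The following Python preflight is an added example, not part of the original guide: the SLAPD_SERVICES strings and the two LDIF variants are constructed inputs, and the function names are my own.

```python
import os
import pwd
import grp

# Constructed sample inputs: the stock Debian /etc/default/slapd value and the
# value needed for an LDAPS listener on port 636.
STOCK_DEFAULT_SLAPD = 'SLAPD_SERVICES="ldap:/// ldapi:///"\n'
LDAPS_DEFAULT_SLAPD = 'SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"\n'

# The modify record from the guide: certificate and key in ONE record, joined by "-".
SSL_LDIF = """\
dn: cn=config
changetype: modify
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/ldap-selfsigned.crt
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/ldap-selfsigned.key
"""

# Constructed counter-example: the same attributes split into two records,
# which slapd rejects because it cannot validate a certificate without its key.
SPLIT_LDIF = """\
dn: cn=config
changetype: modify
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/ldap-selfsigned.crt

dn: cn=config
changetype: modify
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/ldap-selfsigned.key
"""


def ldaps_listener_enabled(default_slapd_text):
    """True if SLAPD_SERVICES in /etc/default/slapd content lists an ldaps:// URI."""
    for line in default_slapd_text.splitlines():
        line = line.strip()
        if line.startswith("SLAPD_SERVICES="):
            value = line.split("=", 1)[1].strip().strip('"').strip("'")
            return any(uri.startswith("ldaps://") for uri in value.split())
    return False


def _records(ldif_text):
    """Split LDIF text into records (lists of non-comment lines) on blank lines."""
    record = []
    for line in ldif_text.splitlines():
        if not line.strip():
            if record:
                yield record
                record = []
        elif not line.startswith("#"):
            record.append(line)
    if record:
        yield record


def tls_modify_is_atomic(ldif_text):
    """True if a single cn=config modify record sets both the certificate and the key."""
    wanted = {"olcTLSCertificateFile", "olcTLSCertificateKeyFile"}
    for record in _records(ldif_text):
        if "dn: cn=config" not in [l.strip() for l in record]:
            continue
        changed = set()
        for line in record:
            op, _, attr = line.partition(":")
            if op.strip() in ("add", "replace"):
                changed.add(attr.strip())
        if wanted <= changed:
            return True
    return False


def key_file_readable(mode, owner, group, user="openldap", user_groups=("openldap",)):
    """Pure check: can `user` read a file with these permission bits and names?"""
    if owner == user and mode & 0o400:
        return True
    if group in user_groups and mode & 0o040:
        return True
    return bool(mode & 0o004)


def check_key_file(path, user="openldap"):
    """Stat a real key file and report whether the slapd service user can read it.
    The parent directory must be traversable too (/etc/ssl/private is 0710 root:ssl-cert)."""
    st = os.stat(path)
    owner = pwd.getpwuid(st.st_uid).pw_name
    group = grp.getgrgid(st.st_gid).gr_name
    primary = grp.getgrgid(pwd.getpwnam(user).pw_gid).gr_name
    groups = {primary} | {g.gr_name for g in grp.getgrall() if user in g.gr_mem}
    return key_file_readable(st.st_mode & 0o777, owner, group, user, groups)


if __name__ == "__main__":
    print("ldaps listener (stock):", ldaps_listener_enabled(STOCK_DEFAULT_SLAPD))
    print("ldaps listener (fixed):", ldaps_listener_enabled(LDAPS_DEFAULT_SLAPD))
    print("cert+key in one record:", tls_modify_is_atomic(SSL_LDIF))
    print("split into two records:", tls_modify_is_atomic(SPLIT_LDIF))
```

Run it before restarting slapd; if the listener check fails, add ldaps:/// to SLAPD_SERVICES in /etc/default/slapd. The ldapsearch test above additionally needs the client to trust the self-signed certificate, for example by setting TLS_CACERT in /etc/ldap/ldap.conf to the .crt path; otherwise the search fails certificate verification even though slapd is listening on 636.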

8. Add Base LDAP Structure

Create a file base.ldif to add organizational units:

dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=example,dc=com
objectClass: organizationalUnit
ou: groups

Apply the configuration:

ldapadd -x -D cn=admin,dc=example,dc=com -W -f base.ldif

9. Add LDAP Users

Create a user entry, for example john.ldif:

dn: uid=john,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
sn: Doe
givenName: John
cn: John Doe
uid: john
mail: john@example.com
userPassword: secret

Note: The userPassword here is in plaintext for demonstration. Use hashed passwords for security:

slappasswd

It will prompt for a password and return a hash like:

{SSHA}V2wbHYvBlHjRSejK...

Use that value in the LDIF file.

Now, add the user:

ldapadd -x -D cn=admin,dc=example,dc=com -W -f john.ldif

10. Add Groups

Create a group file group.ldif:

dn: cn=admins,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: admins
gidNumber: 10000
memberUid: john

Add it:

ldapadd -x -D cn=admin,dc=example,dc=com -W -f group.ldif

11. Authenticate Against LDAP (Optional)

You can configure clients (such as other Debian systems) to authenticate against your LDAP server using libnss-ldap or sssd. This step is useful for centralized login management, but it is more advanced and depends on your environment.

Install on client:

sudo apt install libnss-ldap libpam-ldap nslcd

Answer the prompts with your LDAP server IP, base DN, and admin credentials.

To test LDAP login:

getent passwd john

If configured correctly, this will return user info from LDAP.


12. Backup and Restore LDAP Data

To back up your LDAP directory:

sudo slapcat > ldap-backup.ldif

To restore:

sudo systemctl stop slapd
sudo rm -rf /var/lib/ldap/*
sudo slapadd < ldap-backup.ldif
sudo chown -R openldap:openldap /var/lib/ldap
sudo systemctl start slapd
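A backup is only useful if it can be trusted before it is needed. This Python audit is an added example, not code from the guide or from OpenLDAP: it parses the LDIF that slapcat writes (folded continuation lines and `::` base64 values included), confirms the base DN is present and that every DN sits under it, and flags any entry whose userPassword is stored unhashed, which is exactly what the plaintext example entry from section 9 looks like once dumped. The sample dump is constructed, with a placeholder in place of a real hash, and the function names are my own.

```python
import base64


def _unfold(text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Parse LDIF content records into a list of {attr: [values]} dicts.

    '::' marks a base64 value; slapcat uses it for userPassword and for any
    value that is not safe printable ASCII. Comment lines ('#') are skipped."""
    entries, current = [], {}
    for line in _unfold(text) + [""]:
        if line == "":
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(name, []).append(value)
    return entries


def audit_backup(text, base_dn):
    """Summarise a slapcat dump: entry count, base DN present, DNs outside the
    suffix, password schemes in use, and entries still storing plaintext."""
    entries = parse_ldif(text)
    dns = [e["dn"][0] for e in entries]
    report = {
        "entries": len(entries),
        "has_base": base_dn in dns,
        "foreign_dns": [d for d in dns if not d.lower().endswith(base_dn.lower())],
        "schemes": {},
        "plaintext_password_dns": [],
    }
    for entry in entries:
        for pw in entry.get("userPassword", []):
            if pw.startswith("{") and "}" in pw:
                scheme = pw[1:pw.index("}")].upper()
                report["schemes"][scheme] = report["schemes"].get(scheme, 0) + 1
            else:
                report["plaintext_password_dns"].append(entry["dn"][0])
    return report


def _b64(s):
    return base64.b64encode(s.encode("utf-8")).decode("ascii")


# Constructed sample in slapcat's output style (operational attributes trimmed).
# The admin hash is a placeholder; john's password "secret" is stored unhashed.
SAMPLE_DUMP = (
    "dn: dc=example,dc=com\n"
    "objectClass: top\n"
    "objectClass: dcObject\n"
    "objectClass: organization\n"
    "o: Example Inc.\n"
    "dc: example\n"
    "\n"
    "dn: cn=admin,dc=example,dc=com\n"
    "objectClass: simpleSecurityObject\n"
    "objectClass: organizationalRole\n"
    "cn: admin\n"
    "description: LDAP admini\n"
    " strator\n"
    "userPassword:: " + _b64("{SSHA}PLACEHOLDER-NOT-A-REAL-HASH") + "\n"
    "\n"
    "dn: ou=people,dc=example,dc=com\n"
    "objectClass: organizationalUnit\n"
    "ou: people\n"
    "\n"
    "dn: uid=john,ou=people,dc=example,dc=com\n"
    "objectClass: inetOrgPerson\n"
    "cn: John Doe\n"
    "sn: Doe\n"
    "uid: john\n"
    "userPassword:: c2VjcmV0\n"  # base64 of "secret", as slapcat emits it
    "\n"
)


if __name__ == "__main__":
    import json
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DUMP
    print(json.dumps(audit_backup(text, "dc=example,dc=com"), indent=2))
```

Invoked with the backup file as its argument (python3 audit_ldif.py ldap-backup.ldif, filename assumed) it audits the real dump; with no argument it audits the embedded sample. Because slapcat preserves stored values exactly, the report also shows which password schemes the directory uses before you restore it, and any DN listed under plaintext_password_dns should be rehashed rather than restored as-is.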

13. Troubleshooting Tips

  • Can’t bind to LDAP: Check if slapd is running and listening on the right interfaces.
  • Permission errors: Make sure file permissions for certificates and LDAP database are correct.
  • Search returns no results: Double-check your base DN and filter syntax.
  • SSL errors: Ensure your certificates are valid and paths are correct.

Use logs for diagnosis:

journalctl -xe | grep slapd

Or increase verbosity by running slapd manually:

sudo slapd -d 256

Conclusion

Setting up an LDAP server on Debian 12 Bookworm provides a scalable and centralized way to manage users and authentication across multiple systems. While LDAP configuration can be complex, especially in large environments, a basic installation like the one described here offers a solid foundation.

From installation to securing the server with SSL, and adding users and groups, you’ve covered all the essential steps to get your LDAP server up and running. From here, you can extend the setup with replication, ACLs, or integration with other authentication mechanisms such as Kerberos or Samba.

Let LDAP bring structure and order to your user management!