(Last Updated On: January 10, 2018)

Learn to install and configure phpLDAPadmin on Ubuntu 16.04 and CentOS 7 by following this guide. If you have been administering OpenLDAP, you will be aware of the challenges of driving it purely through the native command-line tools such as ldapadd, ldapdelete, ldapmodify and ldapsearch.

phpLDAPadmin is a web application written in PHP for administering Lightweight Directory Access Protocol (LDAP) servers; it is licensed under the GNU General Public License. OpenLDAP is a free, open-source implementation of LDAP developed by the OpenLDAP Project.

In this guide I'll cover how to install OpenLDAP on both CentOS 7 and Ubuntu 16.04 servers, then proceed to the installation and configuration of phpLDAPadmin, and finally put it behind HTTPS with a Let's Encrypt certificate.

Installing OpenLDAP on CentOS 7

Install epel-release, refresh the yum cache and install the OpenLDAP server and client packages (the second and third commands also need sudo, so each gets its own):

$ sudo yum -y install epel-release
$ sudo yum clean all && sudo yum makecache fast && sudo yum -y update
$ sudo yum -y install openldap-servers openldap-clients

Copy the example database configuration into place and hand it to the ldap user that slapd runs as:

$ sudo cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
$ sudo chown ldap:ldap /var/lib/ldap/DB_CONFIG

Start slapd and enable it at boot:

$ sudo systemctl start slapd && sudo systemctl enable slapd

Generate a hashed OpenLDAP admin password. slappasswd prompts for the password twice and prints a salted SHA-1 ({SSHA}) hash, so the cleartext never appears on a command line or in the shell history:

$ sudo su -
# slappasswd

New password:
Re-enter new password:
{SSHA}xxxxxxxxxxxxxxxxxxxxxxxx

Create a change_pw.ldif file which holds the password to be set:

# cat change_pw.ldif

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx

Replace the olcRootPW value with the hash printed by slappasswd. Note what this entry is: olcDatabase={0}config is the configuration database, so this sets the password of the cn=config administrator, not of the directory data's root DN. On CentOS 7 the data database is olcDatabase={2}hdb, with the package defaults olcSuffix dc=my-domain,dc=com and olcRootDN cn=Manager,dc=my-domain,dc=com and no password at all; it needs its own olcSuffix, olcRootDN and olcRootPW (and the base entry created) before the dc=example,dc=com base used in the phpLDAPadmin configuration further down is usable. If an olcRootPW value is already present on an entry, the add operation is rejected; use replace: olcRootPW instead, which works whether or not a value exists.

Apply it to the configuration database over the local ldapi socket, authenticating as root via SASL EXTERNAL. The file carries an explicit changetype: modify, so ldapmodify is the natural tool (ldapadd is the same binary with -a and also honours the changetype line):

# ldapmodify -Y EXTERNAL -H ldapi:/// -f change_pw.ldif

Open the ldap (389/tcp) and ldaps (636/tcp) services on the firewall. This is only needed if other hosts will query the directory; phpLDAPadmin running on the same server talks to slapd over localhost and needs neither port exposed:

# firewall-cmd --add-service={ldap,ldaps} --permanent
# firewall-cmd --reload
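
The CentOS steps above set only the cn=config password and leave the data database at its package defaults. The following script, an added example rather than part of the original guide, carries the same procedure through for both databases: it takes the hashes from slappasswd, refuses to store anything that is not in hashed form, and applies the changes with ldapmodify over ldapi. The suffix dc=example,dc=com, the root DN cn=Manager,dc=example,dc=com and the data database entry olcDatabase={2}hdb are assumptions matching a stock CentOS 7 install; adjust them for your directory. The base entry dc=example,dc=com itself still has to be created afterwards (phpLDAPadmin offers to do that on first login), and the olcAccess rule on olcDatabase={1}monitor, which names the default cn=Manager,dc=my-domain,dc=com, should be updated to the new root DN as well.

```shell
#!/bin/sh
# Added example, not from the original guide: set root DN/password on both the
# cn=config database and the data database of a fresh CentOS 7 slapd.
# Assumed values (edit to taste): suffix, root DN, and the data database entry,
# which is olcDatabase={2}hdb on a stock CentOS 7 openldap-servers install.
SUFFIX='dc=example,dc=com'
ROOTDN='cn=Manager,dc=example,dc=com'
CONFIG_DB='olcDatabase={0}config,cn=config'
DATA_DB='olcDatabase={2}hdb,cn=config'

# True only for values in slappasswd's {SCHEME}hash form. Anything else would be
# stored as a cleartext password, so the apply step refuses it.
is_hashed() {
    case "$1" in
        '{SSHA}'*|'{SHA}'*|'{SMD5}'*|'{MD5}'*|'{CRYPT}'*) return 0 ;;
        *) return 1 ;;
    esac
}

# LDIF that sets olcRootPW on a database entry. "replace" is used rather than
# "add" so the same LDIF works whether or not a password is already present.
#   $1 = database DN, $2 = password hash
rootpw_ldif() {
    printf 'dn: %s\nchangetype: modify\nreplace: olcRootPW\nolcRootPW: %s\n' "$1" "$2"
}

# LDIF that points the data database at our suffix and root DN and sets its
# password; "-" separates the three modifications of one change record.
#   $1 = database DN, $2 = suffix, $3 = root DN, $4 = password hash
data_db_ldif() {
    printf 'dn: %s\nchangetype: modify\n' "$1"
    printf 'replace: olcSuffix\nolcSuffix: %s\n-\n' "$2"
    printf 'replace: olcRootDN\nolcRootDN: %s\n-\n' "$3"
    printf 'replace: olcRootPW\nolcRootPW: %s\n' "$4"
}

# Prompt for one password with slappasswd and print its hash; the cleartext
# never appears on a command line or in shell history.
#   $1 = label shown to the operator
ask_hash() {
    printf '%s: ' "$1" >&2
    hash=$(slappasswd) || return 1
    is_hashed "$hash" || { echo "refusing to store a non-hashed value" >&2; return 1; }
    printf '%s\n' "$hash"
}

# Apply both changes as root over the local ldapi socket (SASL EXTERNAL).
# Two different passwords: the cn=config administrator and the data root DN
# are separate identities and should not share a secret.
apply_rootpw() {
    config_hash=$(ask_hash 'cn=config administrator password') || return 1
    data_hash=$(ask_hash "password for $ROOTDN") || return 1
    rootpw_ldif "$CONFIG_DB" "$config_hash" | ldapmodify -Q -Y EXTERNAL -H ldapi:///
    data_db_ldif "$DATA_DB" "$SUFFIX" "$ROOTDN" "$data_hash" | ldapmodify -Q -Y EXTERNAL -H ldapi:///
}

# Run as: sudo sh set-rootpw.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_rootpw
fi
```

The LDIF builders are separate from the apply step so you can inspect what will be sent (sh set-rootpw.sh prints nothing; call rootpw_ldif or data_db_ldif from an interactive shell after sourcing the file) before touching cn=config.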

Installing OpenLDAP on Ubuntu 16.04

Update the apt cache and install the OpenLDAP packages. The slapd package prompts for the directory administrator password during installation and derives the base DN from the domain part of the server's hostname; run dpkg-reconfigure slapd afterwards if you need a different base DN. slapcat dumps the resulting directory so you can confirm the suffix and admin DN that were created:

$ sudo su -
# apt-get update && apt-get -y install slapd ldap-utils
# slapcat

Installing phpLDAPadmin on CentOS 7

Install Apache web server and PHP:

# yum -y install httpd php php-mbstring php-pear

Start and enable httpd service:

# systemctl start httpd   && systemctl enable httpd

Open the HTTP and HTTPS services on the firewall:

# firewall-cmd --add-service={http,https} --permanent
# firewall-cmd --reload

Install phpLDAPadmin from EPEL (enabling the repository again is harmless if you did it in the OpenLDAP step):

# yum -y install epel-release

# yum -y install phpldapadmin

The packaged /etc/httpd/conf.d/phpldapadmin.conf only allows access from the local host (Require local); the HTTPS configuration later in this guide replaces that rule with a list of permitted client addresses.

Edit /etc/phpldapadmin/config.php so that the base DN matches your directory's suffix and logins use a full DN:

// Display name for this server on the phpLDAPadmin login page
$servers->setValue('server','name','Local LDAP Server');
// Base DN(s) to browse; must match the olcSuffix of your data database
$servers->setValue('server','base', array('dc=example,dc=com'));
// Log in with a full DN, e.g. cn=Manager,dc=example,dc=com ...
$servers->setValue('login','attr','dn');
// ... or uncomment this instead to log in with a short user id (uid=...)
//$servers->setValue('login','attr','uid');

Restart httpd:

# systemctl restart httpd

Installing phpLDAPadmin on Ubuntu 16.04

Install Apache 2 and PHP:

# apt-get -y install apache2  php php-cgi libapache2-mod-php php-mbstring php-common php-pear

Install phpLDAPadmin:

# apt-get -y install phpldapadmin

Restrict who may reach phpLDAPadmin by adding an access rule to the <Directory /usr/share/phpldapadmin/htdocs/> block in /etc/apache2/conf-enabled/phpldapadmin.conf. Apache 2.4 on Ubuntu 16.04 still accepts the 2.2-style Order/Deny/Allow directives through mod_access_compat, but the native form is Require (replace private-subnet/24 with the CIDR of the network you administer from):

<Directory /usr/share/phpldapadmin/htdocs/>
    # Only the local host and one trusted subnet may reach phpLDAPadmin
    Require ip 127.0.0.1
    Require ip private-subnet/24
</Directory>

Restart apache:

# systemctl restart apache2

To access phpLDAPadmin, open “http://(server’s hostname or IP address)/ldapadmin/” from a client in the allowed network. On CentOS the packaged configuration maps both /phpldapadmin and /ldapadmin; on Ubuntu only /phpldapadmin is defined until you add the /ldapadmin alias as in the HTTPS configuration below.


Click “login” at the top left corner:


Securing phpLDAPadmin with Letsencrypt:

Now that phpLDAPadmin is installed and running, let's configure a Let's Encrypt certificate for the server hostname so that the browser-to-phpLDAPadmin traffic, including the bind password you type at the login page, is encrypted. This protects only the HTTP leg: phpLDAPadmin talks to slapd separately, which is fine over localhost but needs ldaps or STARTTLS if the directory runs on another host. The certificate is requested with certbot, which we install first on Ubuntu and CentOS 7.

Installing certbot on CentOS 7 and Ubuntu 16.04

$ sudo su -
# wget https://dl.eff.org/certbot-auto -P /usr/local/bin
# chmod a+x /usr/local/bin/certbot-auto

The certbot-auto wrapper was current when this guide was written; EFF has since retired it, so on a current system install certbot from the distribution packages or snap instead and substitute certbot for certbot-auto in the commands below.

Make sure the https service is open on the CentOS 7 firewall (already done in the phpLDAPadmin step; repeating it is harmless):

# firewall-cmd --add-service https --permanent
# firewall-cmd --reload

Stop the web server: certbot's standalone authenticator binds port 80 itself to answer the HTTP-01 challenge, so Apache must not be listening there.

On CentOS:

$ sudo systemctl stop httpd

On Ubuntu 16.04:

$ sudo systemctl stop apache2

Generating Letsencrypt SSL certificate

Request the certificate. The name returned by hostname -f must be a public DNS name that resolves to this server, and port 80 must be reachable from the internet for the HTTP-01 challenge:

$ sudo su -
# export DOMAIN=`hostname -f`
# export EMAIL="notification-email-address"
# certbot-auto certonly --standalone -d $DOMAIN --preferred-challenges http --agree-tos \
-n -m $EMAIL --keep-until-expiring
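
The standalone authenticator needs port 80 to itself, at first issuance and again at every renewal, which is easy to forget in a ninety-day cycle. The following script is added here and is not part of the original guide: it wraps the request above for either distribution and installs a daily renewal job that stops and restarts the right web server around each attempt using certbot's --pre-hook and --post-hook options. It assumes a certbot binary on PATH (set CERTBOT=certbot-auto if you installed the wrapper above), an /etc/os-release with a standard ID field, and placeholder DOMAIN and EMAIL values to replace.

```shell
#!/bin/sh
# Added example, not from the original guide: obtain the certificate with the
# standalone authenticator on CentOS 7 or Ubuntu 16.04 and install a daily
# renewal job that frees port 80 around each renewal attempt.
# Assumptions: a certbot binary on PATH (CERTBOT=certbot-auto for the wrapper),
# and placeholder EMAIL/DOMAIN values to replace.
CERTBOT="${CERTBOT:-certbot}"
EMAIL="${EMAIL:-notification-email-address}"
RENEW_JOB=/etc/cron.daily/certbot-renew

# Name of the Apache service unit for this distribution, read from an
# os-release file ($1) so the mapping can be checked without root.
webserver_unit() {
    id=$(sed -n 's/^ID=//p' "$1" | tr -d '"')
    case "$id" in
        centos|rhel|fedora) echo httpd ;;
        debian|ubuntu) echo apache2 ;;
        *) echo "unsupported distribution: $id" >&2; return 1 ;;
    esac
}

# The renew command line: certbot only renews when fewer than 30 days remain,
# so running this daily is safe; the hooks run only when a renewal is attempted.
#   $1 = web server unit name
renew_command() {
    printf '%s renew --quiet --pre-hook "systemctl stop %s" --post-hook "systemctl start %s"\n' \
        "$CERTBOT" "$1" "$1"
}

# First issuance: stop Apache, let certbot bind port 80, then start Apache
# again even if certbot failed so the site does not stay down.
issue_certificate() {
    unit=$(webserver_unit /etc/os-release) || return 1
    domain=${DOMAIN:-$(hostname -f)}
    systemctl stop "$unit"
    "$CERTBOT" certonly --standalone -d "$domain" --preferred-challenges http \
        --agree-tos -n -m "$EMAIL" --keep-until-expiring
    rc=$?
    systemctl start "$unit"
    return $rc
}

# Write the daily renewal job.
install_renewal_job() {
    unit=$(webserver_unit /etc/os-release) || return 1
    { echo '#!/bin/sh'; renew_command "$unit"; } > "$RENEW_JOB"
    chmod 0755 "$RENEW_JOB"
}

# Run as: sudo sh letsencrypt-phpldapadmin.sh run
if [ "${1:-}" = "run" ]; then
    issue_certificate && install_renewal_job
fi
```

Because the hooks stop Apache for the few seconds a renewal takes, schedule the job at a quiet time if that matters; the alternative is the webroot authenticator, which needs no downtime but requires Apache to serve /.well-known/acme-challenge/ over plain HTTP, i.e. an exception to the redirect configured below.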

After the certificate is issued, configure Apache for HTTPS and redirect HTTP to HTTPS:

Configuring Apache for https and http to https redirection

On CentOS the file to modify is /etc/httpd/conf.d/phpldapadmin.conf. On Ubuntu it is /etc/apache2/conf-enabled/phpldapadmin.conf, and mod_ssl must be enabled first (a2enmod ssl), otherwise nothing listens on port 443. Update the file as follows:

#
# Web-based tool for managing LDAP servers
#

# Plain HTTP: only redirect to HTTPS, never serve phpLDAPadmin here
<VirtualHost *:80>
    ServerName ldap.example.com
    ServerAlias ldap
    ServerAdmin [email protected]

    # Redirect http to https (Redirect is prefix-based, so the request path is preserved)
    Redirect / https://ldap.example.com/

    Alias /phpldapadmin /usr/share/phpldapadmin/htdocs
    Alias /ldapadmin /usr/share/phpldapadmin/htdocs
</VirtualHost>

# Outside both VirtualHosts, so it applies to HTTP and HTTPS alike:
# only these client addresses may reach phpLDAPadmin at all
<Directory /usr/share/phpldapadmin/htdocs>
    AllowOverride None
    Require ip 192.168.10.20
    Require ip 192.168.10.21
</Directory>

# HTTPS section
<VirtualHost *:443>
    ServerName ldap.example.com
    ServerAlias ldap
    ServerAdmin [email protected]
    Alias /phpldapadmin /usr/share/phpldapadmin/htdocs
    Alias /ldapadmin /usr/share/phpldapadmin/htdocs

    # Certificate chain and private key as written by certbot
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/ldap.example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/ldap.example.com/privkey.pem
</VirtualHost>

NB: replace all occurrences of ldap.example.com with the server's fully qualified hostname (the name the certificate was issued for) and 192.168.10.20 and 192.168.10.21 with the client addresses allowed to reach phpLDAPadmin; the Directory block sits outside both VirtualHosts, so the restriction applies to HTTP and HTTPS alike, and you can drop it entirely if you do not want a source restriction. The domain example.com should be replaced with your real domain name. After making all the changes, restart the Apache web service.

On CentOS 7

$ sudo systemctl restart httpd

On Ubuntu 16.04

$ sudo systemctl restart apache2

You can now reach phpLDAPadmin over HTTPS at https://ldap.example.com/ldapadmin, and a request to http://ldap.example.com/ldapadmin should be redirected there.
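
Once Apache is back up it is worth checking the result from a permitted client rather than trusting the configuration by eye. The following script is an added example, not part of the original guide: it fetches the response headers with curl and checks that the plain-HTTP URL answers with a redirect to the HTTPS origin and that the HTTPS URL itself is served (curl also validates the certificate chain, so an expired or mismatched certificate shows up as a failed HTTPS request). The header parsing sits in small functions that work on captured text, so the checks can be exercised offline; ldap.example.com and /ldapadmin/ are the placeholders from the configuration above.

```shell
#!/bin/sh
# Added example, not from the original guide: verify the HTTP-to-HTTPS redirect
# and the HTTPS endpoint of phpLDAPadmin after the Apache change.
# Assumptions: curl is installed, and HOST/APP_PATH below are the values you
# put in the Apache configuration (placeholders from the guide).
HOST="${HOST:-ldap.example.com}"
APP_PATH="${APP_PATH:-/ldapadmin/}"

# Three-digit status code from a block of response headers (as printed by curl -sI).
status_code() {
    printf '%s\n' "$1" | tr -d '\r' | sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p'
}

# Value of the first Location header, or nothing if there is none.
location_of() {
    printf '%s\n' "$1" | tr -d '\r' | sed -n 's/^[Ll]ocation: //p' | sed -n '1p'
}

# True if the headers describe a redirect whose target is under https://$2/.
#   $1 = headers, $2 = expected host
redirects_to_https() {
    case "$(status_code "$1")" in
        301|302|307|308) ;;
        *) return 1 ;;
    esac
    case "$(location_of "$1")" in
        "https://$2/"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Live checks against the deployed server. Run from an address listed in the
# Require ip rules; from anywhere else the HTTPS request is correctly refused
# with 403, which is reported as such.
verify_deployment() {
    http_hdrs=$(curl -sI --max-time 10 "http://$HOST$APP_PATH") \
        || { echo "FAIL: no answer on port 80"; return 1; }
    redirects_to_https "$http_hdrs" "$HOST" \
        || { echo "FAIL: http://$HOST$APP_PATH is not redirected to https://$HOST/"; return 1; }
    https_hdrs=$(curl -sI --max-time 10 "https://$HOST$APP_PATH") \
        || { echo "FAIL: TLS handshake or connection failed (certificate problem?)"; return 1; }
    code=$(status_code "$https_hdrs")
    case "$code" in
        2*) echo "OK: $HOST redirects to HTTPS and serves phpLDAPadmin ($code)" ;;
        403) echo "FAIL: HTTPS reachable but this client is not in the Require ip list"; return 1 ;;
        *) echo "FAIL: unexpected HTTPS status $code"; return 1 ;;
    esac
}

# Run as: sh verify-phpldapadmin.sh run
if [ "${1:-}" = "run" ]; then
    verify_deployment
fi
```

A 403 on the HTTPS leg from a host you expected to be allowed usually means the Directory restriction is matching the wrong address, for example a NAT or proxy address in front of the client rather than the client itself.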

Wrapping up

phpLDAPadmin is a nice tool to have for any LDAP admin working with OpenLDAP, and if you are still new to OpenLDAP it will be especially helpful, although you will have to spend some time learning to navigate its UI. Some advanced configuration, such as creating and updating objectClasses and attributes in the schema, still has to be done on the command line. I hope you enjoyed this guide on how to install and configure phpLDAPadmin on Ubuntu 16.04 and CentOS 7.