Install phpLDAPadmin on Ubuntu 24.04 / Debian 13

phpLDAPadmin is a web-based LDAP browser and administration tool that gives you a graphical interface for managing your OpenLDAP directory. Instead of running command-line utilities like ldapadd, ldapmodify, and ldapsearch for every operation, you get a point-and-click interface for creating organizational units, user accounts, groups, and modifying LDAP entries. The project is hosted on GitHub and has been a go-to LDAP management tool for years.

This guide walks through installing and configuring phpLDAPadmin on Ubuntu 24.04 and Debian 13. We cover the Apache web server setup, securing the interface with HTTPS using Let’s Encrypt, and basic LDAP directory management through the web UI.

Prerequisites

Before starting, make sure you have the following in place:

  • A server running Ubuntu 24.04 LTS or Debian 13 with root or sudo access
  • A working OpenLDAP server installed and configured on the same host or reachable over the network
  • A fully qualified domain name (FQDN) pointing to your server – needed for Let’s Encrypt SSL
  • Ports 80 (HTTP) and 443 (HTTPS) open in your firewall
  • At least 1 GB RAM and 1 vCPU

If your OpenLDAP server is on a separate host, ensure that port 389 (LDAP) or 636 (LDAPS) is open between the phpLDAPadmin server and the LDAP server.

Step 1: Install phpLDAPadmin on Ubuntu 24.04 / Debian 13

phpLDAPadmin is available in the default repositories on both Ubuntu 24.04 (universe) and Debian 13. Install it along with Apache and the required PHP modules.

Update the package index first:

sudo apt update

Install phpLDAPadmin and Apache:

sudo apt install phpldapadmin apache2 libapache2-mod-php -y

This pulls in PHP, the PHP LDAP extension, and all other dependencies automatically. Verify the installation by checking the package version:

dpkg -l phpldapadmin | grep ^ii

You should see the installed package version confirmed in the output:

ii  phpldapadmin   1.2.6.7-1   all   web based interface for administering LDAP servers

Step 2: Configure phpLDAPadmin

The main configuration file is /etc/phpldapadmin/config.php. This file tells phpLDAPadmin how to connect to your LDAP server and controls the login behavior.

Open the configuration file:

sudo vi /etc/phpldapadmin/config.php

Find and update the following settings. Replace dc=example,dc=com with your actual LDAP base DN and adjust the server host if LDAP runs on a different machine:

/* Set the LDAP server name shown in the UI */
$servers->setValue('server','name','My LDAP Server');

/* LDAP server hostname - use 127.0.0.1 if on the same host */
$servers->setValue('server','host','127.0.0.1');

/* LDAP server port - 389 for plain LDAP, 636 for LDAPS */
$servers->setValue('server','port',389);

/* Base DN of your LDAP directory */
$servers->setValue('server','base',array('dc=example,dc=com'));

/* Admin bind DN - used for the login prompt default */
$servers->setValue('login','bind_id','cn=admin,dc=example,dc=com');

/* Hide the template warning on login page */
$servers->setValue('appearance','hide_template_warning',true);

Our guide on configuring SSL/TLS for OpenLDAP covers securing your LDAP connections in more detail. If your OpenLDAP server uses LDAPS (port 636), change the host value to use the ldaps:// scheme and set the port accordingly:

$servers->setValue('server','host','ldaps://ldap.example.com');
$servers->setValue('server','port',636);

Save and close the file when done.

Step 3: Configure Apache Virtual Host for phpLDAPadmin

By default, phpLDAPadmin drops an Apache config snippet in /etc/phpldapadmin/apache.conf that makes the interface available at http://your-server/phpldapadmin. For a production setup, create a dedicated virtual host instead.

Create a new virtual host configuration file:

sudo vi /etc/apache2/sites-available/phpldapadmin.conf

Add the following virtual host configuration. Replace ldap.example.com with your actual domain name:

<VirtualHost *:80>
    ServerName ldap.example.com
    DocumentRoot /usr/share/phpldapadmin/htdocs

    <Directory /usr/share/phpldapadmin/htdocs>
        Options -Indexes +FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>

    # Alias for the default phpLDAPadmin path
    Alias /phpldapadmin /usr/share/phpldapadmin/htdocs

    ErrorLog ${APACHE_LOG_DIR}/phpldapadmin_error.log
    CustomLog ${APACHE_LOG_DIR}/phpldapadmin_access.log combined
</VirtualHost>

Enable the new site and disable the default site if it is not needed:

sudo a2ensite phpldapadmin.conf
sudo a2dissite 000-default.conf

Test the Apache configuration for syntax errors:

sudo apachectl configtest

If the syntax check passes, you will see:

Syntax OK

Restart Apache to apply the changes:

sudo systemctl restart apache2

Confirm Apache is running:

sudo systemctl status apache2

The output should show the service as active and running:

● apache2.service - The Apache HTTP Server
     Loaded: loaded (/usr/lib/systemd/system/apache2.service; enabled; preset: enabled)
     Active: active (running) since ...
     ...

Step 4: Secure phpLDAPadmin with HTTPS

Running phpLDAPadmin over plain HTTP exposes LDAP credentials in transit. Use Certbot to obtain a free Let’s Encrypt SSL certificate and enable HTTPS.

Install Certbot and the Apache plugin:

sudo apt install certbot python3-certbot-apache -y

Request a certificate for your domain. Certbot will automatically modify the Apache virtual host to enable SSL:

sudo certbot --apache -d ldap.example.com

Follow the interactive prompts – provide your email address for renewal notices and agree to the terms of service. When asked about redirecting HTTP to HTTPS, choose to redirect all traffic.

After Certbot completes, it creates an SSL virtual host file and configures automatic redirects. Verify the certificate is in place:

sudo certbot certificates

The output shows the certificate details and expiry date:

Found the following certs:
  Certificate Name: ldap.example.com
    Domains: ldap.example.com
    Expiry Date: 2026-06-20 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/ldap.example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/ldap.example.com/privkey.pem

Certbot sets up a systemd timer for automatic renewal. Confirm the timer is active:

sudo systemctl status certbot.timer

You should see the timer listed as active, which means certificates will renew automatically before they expire.

Open the required firewall ports if UFW is enabled:

sudo ufw allow 'Apache Full'
sudo ufw status

Step 5: Access the phpLDAPadmin Web Interface

Open your browser and navigate to your domain:

https://ldap.example.com

You will see the phpLDAPadmin login page. Click the “login” link on the left sidebar. Enter your LDAP admin credentials:

  • Login DN: cn=admin,dc=example,dc=com (your LDAP admin bind DN)
  • Password: your LDAP admin password

After a successful login, the left panel displays your LDAP directory tree. You can expand nodes to browse existing entries.

Step 6: Browse Your LDAP Directory

Once logged in, the tree view on the left side shows your base DN and all entries underneath it. Click on any entry to view its attributes in the right panel.

The main navigation works as follows:

  • Tree view (left panel) – expand/collapse nodes to browse the directory hierarchy
  • Entry details (right panel) – view and edit attributes of the selected entry
  • Search – use the search bar at the top to find entries by attribute values
  • Schema browser – examine available LDAP object classes and attributes

You can also run custom LDAP searches by clicking “Advanced” in the search section. This accepts standard LDAP filter syntax like (&(objectClass=inetOrgPerson)(uid=jdoe)).

Step 7: Create Organizational Units, Users, and Groups

A well-structured LDAP directory separates entries into Organizational Units (OUs). Here is how to create the basic structure through phpLDAPadmin.

Create an Organizational Unit

OUs group related entries together – commonly ou=People for user accounts and ou=Groups for group entries.

  • Click on your base DN in the left tree (e.g., dc=example,dc=com)
  • Click “Create a child entry” in the right panel
  • Select “Generic: Organisational Unit”
  • Enter the OU name (e.g., People) and click “Create Object”
  • Confirm the creation on the next screen

Repeat the process to create an ou=Groups organizational unit.

Create a User Account

To add a user under the People OU:

  • Click on ou=People in the left tree
  • Click “Create a child entry”
  • Select “Generic: User Account”
  • Fill in the required fields: Common Name, User ID, Last Name, Password, GID Number, Home Directory
  • Click “Create Object” and confirm

The new user entry is created with the inetOrgPerson and posixAccount object classes, which work for both LDAP authentication and Linux system login. If you need to configure systems to authenticate against this directory, see our guide on setting up Ubuntu as an LDAP client.

Create a Group

To create a POSIX group under the Groups OU:

  • Click on ou=Groups in the left tree
  • Click “Create a child entry”
  • Select “Generic: Posix Group”
  • Enter the group name (e.g., developers) and GID number
  • Click “Create Object” and confirm

To add members to the group, open the group entry after creation and add the memberUid attribute with the user’s UID value.

You can verify the entries were created correctly by searching from the command line on the LDAP server:

ldapsearch -x -LLL -b "dc=example,dc=com" "(objectClass=posixAccount)" uid cn

This returns all user accounts with their UID and common name attributes, confirming the entries you created through phpLDAPadmin are in the directory.

Step 8: Restrict Access to phpLDAPadmin by IP

Exposing phpLDAPadmin to the public internet is a security risk. Restrict access to specific IP addresses or internal networks using Apache configuration.

Edit the phpLDAPadmin virtual host file:

sudo vi /etc/apache2/sites-available/phpldapadmin.conf

Add a Directory block with IP restrictions inside the VirtualHost section. Replace the example IPs with your office or VPN network addresses:

<Directory /usr/share/phpldapadmin/htdocs>
    Options -Indexes +FollowSymLinks
    AllowOverride All

    # Allow access from specific IPs only
    Require ip 10.0.1.0/24
    Require ip 192.168.1.0/24
    Require ip 203.0.113.50
</Directory>

The Require ip directives accept individual IPs and CIDR ranges. Anyone outside these ranges gets a 403 Forbidden response.

Test and reload Apache:

sudo apachectl configtest && sudo systemctl reload apache2

Verify the restriction is working by trying to access phpLDAPadmin from an IP not in the allow list – you should get a 403 error.

For an extra layer of protection, you can also enable HTTP Basic Authentication in front of phpLDAPadmin. This means users need to pass an Apache password prompt before they even reach the LDAP login page:

sudo apt install apache2-utils -y
sudo htpasswd -c /etc/apache2/.htpasswd ldapadmin

Then add authentication directives to the Directory block in your virtual host:

<Directory /usr/share/phpldapadmin/htdocs>
    Options -Indexes +FollowSymLinks
    AllowOverride All

    AuthType Basic
    AuthName "phpLDAPadmin - Restricted"
    AuthUserFile /etc/apache2/.htpasswd
    Require valid-user
</Directory>
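
When the Basic Authentication directives go into the same Directory block as the Require ip lines from earlier in this step, Apache treats sibling Require directives as an implicit RequireAny, so either check alone grants access. The following configuration is an added example (not from the original guide) that enforces both checks, reusing the example addresses and the .htpasswd path shown above:

```apache
# Weak combination (shown commented out): sibling Require lines are an
# implicit <RequireAny>. A client from an allowed network is never asked
# for a password, and any other client gets in with a password alone.
#
#   Require ip 10.0.1.0/24
#   Require valid-user

# Both checks enforced: allowed source address AND valid Basic Auth user.
<Directory /usr/share/phpldapadmin/htdocs>
    Options -Indexes +FollowSymLinks
    AllowOverride All

    AuthType Basic
    AuthName "phpLDAPadmin - Restricted"
    AuthUserFile /etc/apache2/.htpasswd

    <RequireAll>
        # Inside RequireAll every Require line must succeed, so the
        # networks go on ONE line, where they are treated as alternatives.
        # Three separate "Require ip" lines here would never all match.
        Require ip 10.0.1.0/24 192.168.1.0/24 203.0.113.50
        Require valid-user
    </RequireAll>
</Directory>
```

A Directory block inside a VirtualHost applies to that virtual host only, so place it in the SSL virtual host file that Certbot created in Step 4, which is the one serving HTTPS requests.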

Reload Apache after making changes:

sudo systemctl reload apache2

For alternatives to phpLDAPadmin, check out LDAP Account Manager, which provides a different approach to LDAP directory management with user-friendly templates.

Conclusion

You now have phpLDAPadmin running on Ubuntu 24.04 or Debian 13 with Apache, secured by HTTPS and IP-based access restrictions. The web interface makes daily LDAP operations – creating users, managing groups, browsing entries – significantly faster than working with command-line tools.

For production environments, consider setting up OpenLDAP replication for high availability, configuring regular LDAP database backups with slapcat, and enabling audit logging to track directory changes. Keep phpLDAPadmin and your PHP packages updated to patch any security vulnerabilities.
