The Nightmare of Scaling Systems
Imagine you’re managing 5 servers; SSHing into each one to run adduser is still bearable. But when that number jumps to 50 or 100, everything changes. Every time a new employee joins or someone leaves, you’ll waste an entire morning just copy-pasting account deletion commands.
The breaking point comes at 2 AM, eyes glued to the screen, hands trembling while typing commands on the final production server, terrified of accidentally deleting the boss’s account. That’s when you need Centralized Identity Management.
OpenLDAP comes to the rescue. Instead of storing users locally in /etc/passwd, everything is pushed to a central repository. When a server needs authentication, it simply asks OpenLDAP: “Does this person have access? Is the password correct?”. Everything happens in an instant, synchronized and professional.
What is LDAP, exactly?
LDAP (Lightweight Directory Access Protocol) isn’t a relational database like MySQL or PostgreSQL. Think of it as a massive phone book. It is specifically optimized for reading and searching rather than continuous data writing.
Before we begin, remember these 3 core concepts:
- DIT (Directory Information Tree): A tree-like data structure.
- DN (Distinguished Name): A unique ID for an object, e.g.,
cn=admin,dc=itfromzero,dc=com. - ObjectClasses: A set of rules defining the attributes a user has (such as email, shell, or password).
Step 1: Installing OpenLDAP and Management Tools
LDAP is very sensitive to domain names. The first step is to set a proper hostname for your server.
sudo hostnamectl set-hostname ldap.itfromzero.com
Next, install slapd (LDAP server daemon) and ldap-utils. This utils package is vital for running queries later on.
sudo apt update
sudo apt install slapd ldap-utils -y
During installation, the system will prompt you for an LDAP admin password. Don’t use something like 123456. Create a complex string and store it in a Vault, as this is the master key to your entire system.
Step 2: Reconfiguring slapd
By default, Ubuntu configures itself based on the hostname, but this often doesn’t align with system requirements. I always prefer running the command below to control every parameter:
sudo dpkg-reconfigure slapd
Pay attention to these key options:
- Omit OpenLDAP server configuration? Select No.
- DNS domain name: Enter your domain (e.g.,
itfromzero.com). - Organization name: Your company or project name.
- Database backend: Select MDB. This is a modern backend, faster and more reliable than older ones like BDB or HDB.
- Allow LDAPv2 protocol? Select No for better security.
Step 3: Building the Tree Structure (Organizational Units)
Never edit configuration files directly in /etc/ldap. The professional standard is to use .ldif files and import them using the ldapadd command.
Typically, we split into two main branches: People (for users) and Groups (for groups). Create a base.ldif file:
dn: ou=People,dc=itfromzero,dc=com
objectClass: organizationalUnit
ou: People
dn: ou=Groups,dc=itfromzero,dc=com
objectClass: organizationalUnit
ou: Groups
Proceed to push this structure into the database:
ldapadd -x -D cn=admin,dc=itfromzero,dc=com -W -f base.ldif
If the screen shows adding new entry..., you’re on the right track.
Step 4: Creating the First Test User
For a user to SSH into a Linux server, they need the posixAccount attribute. I’ll create a group named devops and a user named tungdt in the users.ldif file.
# Create Group
dn: cn=devops,ou=Groups,dc=itfromzero,dc=com
objectClass: posixGroup
cn: devops
gidNumber: 5000
# Create User
dn: uid=tungdt,ou=People,dc=itfromzero,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: tungdt
sn: Doan
givenName: Tung
cn: Tung Doan
uidNumber: 10001
gidNumber: 5000
userPassword: {SSHA}hashed_password_string
loginShell: /bin/bash
homeDirectory: /home/tungdt
Pro-tip: Use the slappasswd command to generate a hashed password string instead of using plain text. Also, uidNumber should start from 10000 to avoid conflicts with existing system users on local machines.
Import the user file into the system:
ldapadd -x -D cn=admin,dc=itfromzero,dc=com -W -f users.ldif
Step 5: Verifying the Results
To ensure the user is correctly stored in LDAP, use the search command. This is the fastest way to debug whenever the system encounters issues.
ldapsearch -x -b "dc=itfromzero,dc=com" "(uid=tungdt)"
Hard-won Lessons from Deployment
In reality, 90% of LDAP errors come from very small details:
- The Lethal Space: In LDIF files, a space is mandatory after the colon (:). An extra space at the end of a line can also cause the command to fail.
- Schema Errors: If you try to add a
mobileattribute to an unsupported objectClass, LDAP will throw an error immediately. Double-check your schema before importing. - Firewall: If the client can’t connect, check ports 389 (LDAP) and 636 (LDAPS).
sudo ufw allow 389/tcp
Conclusion
Installing OpenLDAP is just laying the foundation. To get the system fully operational, you need to configure clients (Ubuntu, CentOS) so they know to look to LDAP when someone logs in. Seeing dozens of servers sync users after a single ldapadd command is truly worth the effort. In the next post, I’ll show you how to install a Web interface for more intuitive user management, so you don’t have to keep typing LDIF files by hand.

