November 8, 2010

Making LDAP Easy on Linux with phpLDAPadmin


Managing LDAP data doesn't have to be difficult. The phpLDAPadmin project provides a comprehensive Web-based admin tool for easy, accessible administration of your LDAP directory from the comfort of your Web browser.

No matter how you approach it, LDAP is a challenge. From understanding the fundamentals that make up the system to managing the data the system uses, it can be a bit overwhelming at times. To manage the LDAP data you have a number of ways you could go. You could use the command line (Manage LDAP from the Command on Linux), you could use the stand-alone, very capable 389 Directory Server (see Simplify LDAP with Fedora's 389 Directory Server), or you could go a completely different route and use the web-based phpLDAPadmin.

As you would expect, phpLDAPadmin is very much like phpMyadmin (a very powerful, user friendly tool for managing MySQL). But does phpLDAPadmin make managing LDAP as easy as phpMyadmin make managing MySQL? It does. In fact, phpLDAPadmin makes managing LDAP data so easy, just about anyone could take care of the task. Don't believe me? Let's take a look.

First Things First

I would be remiss if I didn't at least highlight the installation process of this tool. If you have installed and used phpMyadmin, then you should have no problem installing phpLDAPadmin. The task is simple:

  1. Make sure you have LDAP working correctly.
  2. Download the version that suits your distribution onto the same server hosting LDAP.
  3. Move the file to your web servers' document root.
  4. Unpack the archive.
  5. Change the newly created directory name to something more suitable (I prefer phpldapadmin).
  6. Change into the directory config directory of the newly renamed directory.
  7. Rename the config file with the command mv config.php.sample config.php.
  8. Point your browser to http://ADDRESS_TO_SERVER/phpldapadmin.
  9. You are ready to begin managing your data.

There is actually much more to the installation — such as the editing of the configuration file. Comb through the config.php file and you should be able to make sense out of the options thanks to the well commented sections.

Managing the Data

phpLDAPadmin logged in Your first task is to actually log into the tool. When you open up the page for phpLDAPadmin you will see a login button. Click on the login button and then enter your LDAP admin credentials. Remember, your credentials will be in the form of:


The credentials will have been set when you initially installed and configured LDAP.

Once you're in, you should see something like the screenshot in Figure 1. As you can see, I have already created a few entries for you.  But before we get into the creation of entries, let's examine the hierarchy that appears in the left-side navigation. 

At the top of the hierarchy you have the Base DN (in my example dc=wallen,dc=local). Under this entry you have the various objects and attributes that you can add to or edit. Let's take a look at doing the following: Adding a new group and then adding a user into that group.

Adding a Group

Creating a Posix group The first task is to decide where you want the group to live in the hierarchy. Let's assume you want the new group to live under the Base DN. To do this you could click the very bottom "Create new entry here" — the one directly above that will add an entry under the object ou=people.

Once you have clicked that entry the right pane will open for you to select the type of object you want to create. Let's create a Generic: Posix Group.  This will then take you to the object creation page (see Figure 2). Fill out all of the necessary attributes. Note, if you have a question about an attribute you can click on the attribute name to get a description.

After you have filled in all of the attributes click the Create Object button which will bring up a preview window that allows you to double-check your work. In this window you can select various attributes to skip in the creation (had you made a mistake or if you decide you don't need the attribute). When you are 100% sure of your information click the Commit button and your new object has been created.

Create a child entryNow, before you navigate away from the page you are shown after the object is created (see Figure 3), you will want to immediately create a child entry. This child entry can be a user that belongs under this organizational role. When you select that option you will be back at the Create Object templates listing.

Let's create a Generic user account for this purpose. Select Generic: User Account and then fill out all of the entries for that object. Since this is a user account, you will need to create a password for this user.

New objects addedFigure 4 shows the new hierarchy with my group (Writers) listed and a user who resides within that group (Jack Wallen).  If you click the Refresh button at the top of this pane you will then see another new entry appear in your group - an entry that allows you to directly create new entries under the group. You can now add as many entries under your new group as you need.

Export Your Data

For the sake of backup (or whatever purpose you need), you can export your LDAP data from within the phpLDAPadmin tool. To do this click on the Export button in the left pane. When you do this you will be greeted with a new window (see Figure 5). In this new window you simply need to fill out all of the information and click Proceed. Make sure, if you want to export the entire LDAP directory, to use the Base DN of the directory you want to back up. This is critical if you have more than one directory tree on your LDAP server.

If you want the entire tree make sure you check the box associated with Sub (otherwise you will only export the information about your Base DN). If you want to save this as a file, make sure you check that box before you click Proceed.

Once the data is exported you have a perfect copy of your data (most likely in ldif format) that you can then import to another LDAP server or for whatever purpose you might need.

Final Thoughts

The task of managing LDAP data doesn't need to be something for guru-level skills only. Thanks to tools like phpLDAPadmin, creating and managing LDAP data is as simple as creating a database or spreadsheet. Just make sure that whoever you put in charge of managing the data knows how critical this data is, so they don't accidentally start deleting objects that might render your LDAP data useless.

Click Here!