NOTE: I recommend you make a common normal user with sudo access for both the server and client. “regular” might be a good idea, but you’re free to choose what you like. :) Shell commands enumerated below are to be executed as user “root”.

OpenLDAP server setup

1. Setup a minimal Debian 12 64-bit. Deselect everything under “Software selection” (tasksel) window.

2. Note your host name and domain name, and substitute when necessary. I used “server” for the host name, and “ldap.lan” for the domain name.

3. # Remove CDROM from /etc/apt/sources.list and then

    apt-get update
    apt-get upgrade
    apt-get install net-tools openssh-server openssh-client sudo
    usermod -a -G sudo regular # This command adds user "regular" to group "sudo".
   

4. # Edit /etc/hosts appropriately. Make sure it has something like this(note that you need to substitute “192.168.1.2” with your IP):

    192.168.1.2 ldap.lan server.ldap server.ldap.lan server
   

5. # Also, comment out “127.0.1.1 server.ldap.lan server” in /etc/hosts if it’s there.

6. apt-get install slapd ldap-utils migrationtools

7. You will be prompted for the LDAP admin password. Please remember it. No special characters, please.

8. mv /etc/ldap/slapd.d /etc/ldap/slap.d.orig

9. dpkg-reconfigure slapd

    Omit OpenLDAP server configuration? No
    DNS domain name: ldap.lan
    Organization name: ldap
    Password: Use the one you entered in step 7.
    Do you want the database to be removed when slapd is purged? Yes
    Move old database? Yes
   

10. systemctl restart slapd.service

11. # Edit /etc/migrationtools/migrate_common.ph . Look for the following variables, and assign them as such:

    $DEFAULT_MAIL_DOMAIN = "ldap.lan";
    $DEFAULT_BASE = "dc=ldap,dc=lan";
    

12. apt-get install libfile-which-perl

13. cd /usr/share/migrationtools/

14. ./migrate_group.pl /etc/group ~/group.ldif

15. ./migrate_passwd.pl /etc/passwd ~/passwd.ldif

16. cd ~

17. # Make a frontend.ldap.lan.ldif file with the following contents:

    dn: ou=People,dc=ldap,dc=lan
    objectclass: organizationalUnit
    objectclass: top
    ou: People
    
    dn: ou=Group,dc=ldap,dc=lan
    objectclass: organizationalUnit
    objectclass: top
    ou: Group
    

18. Now we add the LDIF in the following way, entering your admin LDAP password when prompted (the one you set during step 7 of “OpenLDAP server setup”):

    ldapadd -x -D cn=admin,dc=ldap,dc=lan -W -f frontend.ldap.lan.ldif
    ldapadd -x -D cn=admin,dc=ldap,dc=lan -W -f group.ldif
    ldapadd -x -D cn=admin,dc=ldap,dc=lan -W -f passwd.ldif
    

19. # To make things handy, you can “sudo apt-get install phpldapadmin”. :) Edit /etc/phpldapadmin/config.php, and correct the “$servers->setValue(‘server’,‘base’,array(‘dc=example,dc=com’));” line. In this example, the proper value is “$servers->setValue(‘server’,‘base’,array(‘dc=ldap,dc=lan’));”. Also, change “$servers=>setValue(’login’,‘bind_id’,‘cn=admin,dc=example,dc=com’);” to “$servers=>setValue(’login’,‘bind_id’,‘cn=admin,dc=ldap,dc=lan’);".To access phpldapadmin, fire up a browser and browse http://192.168.1.2/phpldapadmin

20. apt-get install nscd nslcd libnss-ldapd libpam-ldapd

21. # When asked for “LDAP server URI:”, enter “ldap://server.ldap.lan/”

22. # When asked for the “LDAP server search base:”, enter “dc=ldap,dc=lan”

23. # When asked for “Name services to configure:”, choose “passwd”, “group”, and “shadow”.

24. mkdir /home/users

25. # Edit “/etc/pam.d/common-account”, and append the following line:

    session required pam_mkhomedir.so umask=0022 skel=/etc/skel/ silent
    

26. # In the server: “sudo reboot”. Logins through the server will be done through LDAP after successful reboot. It may take a little while after the “login:” prompt’s appearance before you could successfully login.

27. # To create an user:

    Open in a browser(substitute IP if necessary): http://192.168.1.2/phpldapadmin 
    Login, then expand "dc=ldap,dc=lan (2)"
    Expand "ou=People".
    Click "Create new entry here"
    Select "Generic: User Account" template.
    Supply the requested information for the new user. I suggest you use "users" for the "GID Number" option. And don't forget to give a shell ("bash" may be a good idea).
    

OpenLDAP client setup

1. Setup Debian 12 64-bit(this guide will also work with a minimal install). I used hostname “client001” and domain “ldap.lan”.

2. Remove CDROM from /etc/apt/sources.list. Then:

    apt-get update
    apt-get upgrade
    apt-get install net-tools openssh-server openssh-client
   

3. vi /etc/hosts # and add:

    192.168.1.2 ldap.lan server.ldap.lan server ldap
   

4. apt-get install libnss-ldapd libpam-ldapd nscd

    LDAP server URI: ldap://server.ldap.lan/
    LDAP server search base: dc=ldap,dc=lan
    Name services to configure: passwd, group, and shadow
   

5. mkdir /home/users

6. # Edit “/etc/pam.d/common-account”, and append the following line:

    session required pam_mkhomedir.so umask=0022 skel=/etc/skel/ silent
   

7. pam-auth-update # Make ensure that “LDAP Authentication” is the ONLY enabled option!

8. # The following steps are needed to give “sudo su -” (this is the only way to get root access in OpenLDAP clients setup in this procedure) access to an user. Please make sure you do this for at least one user, otherwise you’ll be locked out from root access.

    apt-get install sudo
    usermod -a -G sudo regular # This command adds user "regular" to group "sudo".
   

9. reboot

10. It may take a while to successfully login after the “login:” prompt appears.