CodeForWar

Path to being a Software Craftsman

OpenLDAP Setup for Ubuntu with sAMAccountName support

Aug. 4, 2025 | Categories: linux devops

The idea here is to set up OpenLDAP so that it looks like Active Directory's LDAP to a client. The sAMAccountName attribute is the main thing, since that is what AD-oriented clients search on. django-auth-ldap is the LDAP client under test.

We will call our sample app here Mojo.

Our FQDN will be cfw.local and our base DN will be dc=cfw,dc=local.

You will have to set your own FQDN for your network.

1. Install OpenLDAP on Ubuntu

Update package list

sudo apt update

Install OpenLDAP server and utilities

sudo apt install slapd ldap-utils

Reconfigure slapd for proper setup

sudo dpkg-reconfigure slapd

During the reconfiguration, configure:

Omit OpenLDAP server configuration: No

DNS domain name: cfw.local (matches your setup)

Organization name: Your organization name

Administrator password: Set a strong password. This account, cn=admin,dc=cfw,dc=local, is the database rootdn and bypasses every ACL you add later, so treat it as a break-glass credential rather than an application login.

Database backend: MDB (if you are asked)

Remove database when slapd is purged: No

Move old database: Yes

2. Add sAMAccountName Schema Support

Define the attribute and an auxiliary object class that carries it. Two details matter for the client: the attribute type needs EQUALITY (and SUBSTR) matching rules, because without them slapd treats (sAMAccountName=aallred) as an undefined filter that matches nothing and will not build an eq index on the attribute; and the SYNTAX OID is written unquoted, as RFC 4512 specifies. caseIgnoreMatch mirrors AD, where logon names are case-insensitive.

sudo tee /tmp/samaccountname.ldif << 'EOF'
dn: cn=samaccountname,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: samaccountname
# 1.2.840.113556.1.4.221 is the attribute's OID in the AD schema.
olcAttributeTypes: ( 1.2.840.113556.1.4.221
  NAME 'sAMAccountName'
  DESC 'Logon name, AD style'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  SINGLE-VALUE )
# The class OID below is also borrowed from Microsoft's arc; for a directory
# you intend to keep, allocate one under your own private OID arc instead.
olcObjectClasses: ( 1.2.840.113556.1.5.6
  NAME 'samAccountNameObject'
  SUP top
  AUXILIARY
  MAY sAMAccountName )
EOF

Add the schema to OpenLDAP

sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/samaccountname.ldif

With a matching rule defined you can also index the attribute (olcDbIndex: sAMAccountName eq on olcDatabase={1}mdb,cn=config), which is what the django-auth-ldap user search will hit on every login.

3. Configure Base Directory Structure

dpkg-reconfigure slapd has already created the base entry dc=cfw,dc=local (check with ldapsearch -x -D "cn=admin,dc=cfw,dc=local" -W -b "dc=cfw,dc=local" -s base). Adding it a second time makes ldapadd stop with "Already exists (68)", so this file only adds the two containers beneath it:

sudo tee /tmp/base_structure.ldif << 'EOF'
dn: ou=people,dc=cfw,dc=local
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=cfw,dc=local
objectClass: organizationalUnit
ou: groups
EOF

Add the containers

sudo ldapadd -x -D "cn=admin,dc=cfw,dc=local" -W -f /tmp/base_structure.ldif

4. Create MOJO Group (with required prefix)

Create the mojo_mojo group (required by MOJO coordinator)

sudo tee /tmp/mojo_group.ldif << 'EOF'
dn: cn=mojo_mojo,ou=groups,dc=cfw,dc=local
objectClass: top
objectClass: groupOfNames
cn: mojo_mojo
description: MOJO Users Group
# groupOfNames needs at least one member; cn=admin is only a placeholder until
# a real user is added in step 6, after which the rootdn should be removed here.
member: cn=admin,dc=cfw,dc=local
EOF

Add the group

sudo ldapadd -x -D "cn=admin,dc=cfw,dc=local" -W -f /tmp/mojo_group.ldif

5. Create User with sAMAccountName Support

Create user aallred with sAMAccountName

sudo tee /tmp/aallred_user.ldif << 'EOF'
dn: uid=aallred,ou=people,dc=cfw,dc=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: samAccountNameObject
uid: aallred
cn: Aaron Allred
sn: Allred
givenName: Aaron
mail: aallred@cfw.local
sAMAccountName: aallred
# userPassword is set with ldappasswd in the next step; do not ship a
# placeholder hash here (a slappasswd -s output would also be acceptable).
EOF

Add the user (you'll be prompted for admin password)

sudo ldapadd -x -D "cn=admin,dc=cfw,dc=local" -W -f /tmp/aallred_user.ldif

Set user password interactively

sudo ldappasswd -x -D "cn=admin,dc=cfw,dc=local" -W -S "uid=aallred,ou=people,dc=cfw,dc=local"
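As an added example (not code from the original post or from the MOJO project), here is a small Python script that generates the same user entry from a few fields: it derives the base DN from the FQDN the way dpkg-reconfigure does, escapes the uid for use in a DN (RFC 4514), base64-encodes any LDIF value that cannot be written literally (RFC 2849), and computes a {SSHA} hash in the form slappasswd produces so the entry can carry a real password from the start. The generator, its function names and the sample password are assumptions made for illustration; nothing on this page specifies such a tool.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# RFC 4514 section 2.4: characters that need a backslash inside a DN attribute value.
_DN_SPECIAL = set(',+"\\<>;=')


def base_dn_from_fqdn(fqdn: str) -> str:
    """cfw.local -> dc=cfw,dc=local, the same mapping dpkg-reconfigure slapd applies."""
    labels = [part for part in fqdn.strip().lower().split(".") if part]
    if not labels:
        raise ValueError("FQDN must contain at least one label")
    return ",".join(f"dc={label}" for label in labels)


def escape_dn_value(value: str) -> str:
    """Escape an RDN value: specials anywhere, '#' at the start, and leading/trailing spaces."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted SHA-1 as slappasswd -h '{SSHA}' emits it: base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a password against a {SSHA} value; the salt is whatever follows the 20-byte digest."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def ldif_value(attr: str, value: str) -> str:
    """'attr: value' when LDIF allows it literally, otherwise the base64 'attr:: ...' form."""
    unsafe_first = value[:1] in (" ", ":", "<")
    if unsafe_first or not value.isascii() or "\r" in value or "\n" in value:
        return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{attr}: {value}"


def user_ldif(uid: str, given_name: str, surname: str, mail_domain: str,
              password: str, fqdn: str, salt: Optional[bytes] = None) -> str:
    """Render an inetOrgPerson + samAccountNameObject entry in the layout used on this page."""
    dn = f"uid={escape_dn_value(uid)},ou=people,{base_dn_from_fqdn(fqdn)}"
    lines = [
        f"dn: {dn}",
        "objectClass: top",
        "objectClass: person",
        "objectClass: organizationalPerson",
        "objectClass: inetOrgPerson",
        "objectClass: samAccountNameObject",  # auxiliary class from the custom schema
        ldif_value("uid", uid),
        ldif_value("cn", f"{given_name} {surname}"),
        ldif_value("sn", surname),
        ldif_value("givenName", given_name),
        ldif_value("mail", f"{uid}@{mail_domain}"),
        ldif_value("sAMAccountName", uid),
        f"userPassword: {ssha_hash(password, salt)}",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample input; pipe the output to ldapadd as in step 5.
    print(user_ldif("aallred", "Aaron", "Allred", "cfw.local", "example-only-password", "cfw.local"))
```

{SSHA} is kept here because it is what the page and slappasswd default to; it is salted SHA-1, which is fast to brute-force, so on a server that supports it prefer a slower scheme (slappasswd -h with a stronger hash, or the Argon2 password module where your slapd build ships it) and never reuse the salt across entries.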

6. Add User to MOJO Group

Add aallred to mojo_mojo group

sudo tee /tmp/add_user_to_group.ldif << 'EOF'
dn: cn=mojo_mojo,ou=groups,dc=cfw,dc=local
changetype: modify
add: member
member: uid=aallred,ou=people,dc=cfw,dc=local
EOF

Apply the change

sudo ldapmodify -x -D "cn=admin,dc=cfw,dc=local" -W -f /tmp/add_user_to_group.ldif

7. Configure Access Controls

Nothing in this step opens the server to the network: Ubuntu's slapd already listens on ldap:/// (all interfaces, port 389) and ldapi:///, per SLAPD_SERVICES in /etc/default/slapd. What you are doing here is replacing the database ACLs so that authenticated clients such as django-auth-ldap's bind account can read the directory while anonymous clients can only bind:

sudo tee /tmp/allow_external.ldif << 'EOF'
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to * by dn="cn=admin,dc=cfw,dc=local" write by users read
EOF

Rule {0} is the stock Ubuntu one: a user may change their own password, anyone may attempt a bind against it, nobody may read it. Rule {1} grants read to "users" (any bound DN) rather than "*", so an unauthenticated client cannot enumerate accounts, mail addresses and group membership; the client on this page always binds, so it does not need anonymous read. The usual "by self write" on every attribute is left out on purpose: it would let a user rewrite their own uid and sAMAccountName, which is exactly what the application keys on. cn=admin is the rootdn and bypasses ACLs anyway, so its write clause is documentation rather than a grant. Note that "replace" discards every existing olcAccess value, including Ubuntu's shadowLastChange rule.

Apply access controls

sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/allow_external.ldif

8. Configure Firewall (if needed)

Open the LDAP ports only to the host that runs the Django app; every bind over these connections carries a password. 192.0.2.10 below is a placeholder for your application server's address:

sudo ufw allow from 192.0.2.10 to any port 389 proto tcp   # LDAP / StartTLS
sudo ufw allow from 192.0.2.10 to any port 636 proto tcp   # LDAPS, once TLS is configured below

The unrestricted form (sudo ufw allow 389/tcp) opens the directory to everything that can reach the host, which is rarely what you want for account data.

9. Test the Configuration

Test basic LDAP connection

ldapsearch -x -H ldap://localhost:389 -D "cn=admin,dc=cfw,dc=local" -W -b "dc=cfw,dc=local"

Test the sAMAccountName search specifically; it must return the aallred entry. An empty result with no error usually means the attribute type was loaded without an EQUALITY matching rule, in which case an equality filter on it is undefined and matches nothing.

ldapsearch -x -H ldap://localhost:389 -D "cn=admin,dc=cfw,dc=local" -W -b "dc=cfw,dc=local" "(sAMAccountName=aallred)"

Test user authentication

ldapwhoami -x -H ldap://localhost:389 -D "uid=aallred,ou=people,dc=cfw,dc=local" -W

Test group membership

ldapsearch -x -H ldap://localhost:389 -D "cn=admin,dc=cfw,dc=local" -W -b "cn=mojo_mojo,ou=groups,dc=cfw,dc=local"

10. django-auth-ldap app Integration

The variable names below are the MOJO app's own .env settings, not django-auth-ldap's AUTH_LDAP_* options. Two things to get right before this leaves the lab: the bind account should be a dedicated read-only service entry rather than cn=admin (the rootdn bypasses every ACL, and its password ends up in a .env file on the app server), and ldap:// on port 389 sends that bind password and every user's login password in the clear, so switch the URI to ldaps://ldap.cfw.local once the TLS section at the end is done. Keep the .env file readable only by the service user. With those caveats, the configuration that matches this directory is:

AUTH_USING_AD="y"
MOJO_LDAP_SERVER_URI_1="ldap://ldap.cfw.local:389"
MOJO_LDAP_BIND_DN_1="cn=admin,dc=cfw,dc=local"
MOJO_LDAP_BIND_PASSWORD_1="your_admin_password"
MOJO_LDAP_GROUP_TYPE_1="CN"
MOJO_LDAP_GROUP_PREFIX_1="mojo_"
MOJO_LDAP_USER_SEARCH="ou=people,dc=cfw,dc=local"
MOJO_LDAP_GROUP_SEARCH="ou=groups,dc=cfw,dc=local"

11. Test MOJO Integration

Use our built-in LDAP test script (note that --password on the command line is visible to other local users in the process list and lands in your shell history; prefer prompting or an environment variable if the script supports it):

poetry run python ldap_test.py \
  --uri ldap://ldap.cfw.local:389 \
  --bind "cn=admin,dc=cfw,dc=local" \
  --password your_admin_password \
  --base "dc=cfw,dc=local" \
  --query "(sAMAccountName=aallred)"

Key Points for MOJO Integration

Group Naming: The group MUST be named mojo_mojo (not just mojo) because MOJO strips the mojo_ prefix

Login Name: Use aallred as the login name in MOJO

sAMAccountName: This attribute is now properly supported and will be used by django-auth-ldap

User Search: The system searches using the (sAMAccountName=%(user)s) format. I had to switch this to (uid=%(user)s) since I couldn't index sAMAccountName.
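An added example (not the page's or django-auth-ldap's code) covering the user search and the group prefix from the key points above. django-auth-ldap's LDAPSearch escapes the login name with python-ldap's ldap.filter.escape_filter_chars before substituting it into (sAMAccountName=%(user)s); the script below reimplements that escaping (RFC 4515), evaluates filters against a constructed in-memory copy of the entries created on this page, and shows why the escaping matters: an unescaped login of * matches every account and aallred)(uid=* produces a string no server would accept as a filter, while the escaped forms match only the literal names. The group lookup then strips the mojo_ prefix the way the key points describe. The in-memory matcher is a teaching stand-in for slapd, not a conforming filter implementation (AND, OR and equality only, caseIgnoreMatch semantics, ASCII escapes); the directory contents, the second user bsmith and all function names are assumptions.

```python
import re

# RFC 4515 section 3: characters that must be hex-escaped inside an assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_chars(value: str) -> str:
    """Same rules as python-ldap's ldap.filter.escape_filter_chars, applied by django-auth-ldap to %(user)s."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def user_filter(template: str, login: str) -> str:
    """Escape the login name first, then substitute it into the user-search template."""
    return template % {"user": escape_filter_chars(login)}

def _unescape(raw: str) -> str:
    # ASCII hex escapes only; enough for the constructed data below.
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), raw)

def _parse(s: str, i: int):
    """Minimal recursive-descent parser for AND/OR/equality filters; returns (node, index past ')')."""
    if i + 1 >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i} in {s!r}")
    i += 1
    if s[i] in "&|":
        op, kids, i = s[i], [], i + 1
        while i < len(s) and s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unterminated AND/OR filter")
        return (op, kids), i + 1
    eq, close = s.find("=", i), s.find(")", i)
    if eq < 0 or close < 0 or close < eq:
        raise ValueError(f"malformed item at offset {i} in {s!r}")
    return ("=", s[i:eq].lower(), s[eq + 1:close]), close + 1

def is_valid_filter(filt: str) -> bool:
    """True only if the whole string is exactly one well-formed filter, as a server requires."""
    try:
        _, end = _parse(filt, 0)
    except ValueError:
        return False
    return end == len(filt)

def _match(raw: str, candidate: str) -> bool:
    """A raw '*' is a wildcard, an escaped '\\2a' a literal asterisk; compare like caseIgnoreMatch."""
    parts = [_unescape(p).lower() for p in raw.split("*")]
    c = candidate.lower()
    if len(parts) == 1:
        return c == parts[0]
    if not (c.startswith(parts[0]) and c.endswith(parts[-1])):
        return False
    pos = len(parts[0])
    for mid in parts[1:-1]:
        idx = c.find(mid, pos)
        if idx < 0:
            return False
        pos = idx + len(mid)
    return pos <= len(c) - len(parts[-1])

def _eval(node, entry) -> bool:
    if node[0] == "&":
        return all(_eval(k, entry) for k in node[1])
    if node[0] == "|":
        return any(_eval(k, entry) for k in node[1])
    _, attr, raw = node
    values = entry.get(attr, [])
    return bool(values) if raw == "*" else any(_match(raw, v) for v in values)

def search(directory, filt: str):
    """DNs of entries matching filt; a string that is not exactly one filter is rejected."""
    if not is_valid_filter(filt):
        raise ValueError(f"bad search filter: {filt!r}")
    node, _ = _parse(filt, 0)
    return [e["dn"] for e in directory if _eval(node, e)]

def mojo_groups(directory, user_dn: str, prefix: str = "mojo_"):
    """groupOfNames membership lookup, then strip the application prefix as the key points describe."""
    filt = f"(&(objectClass=groupOfNames)(member={escape_filter_chars(user_dn)}))"
    names = []
    for dn in search(directory, filt):
        entry = next(e for e in directory if e["dn"] == dn)
        names += [cn[len(prefix):] for cn in entry.get("cn", []) if cn.lower().startswith(prefix)]
    return names

# Constructed stand-in for the entries created on this page (attribute names as lower-case keys).
DIRECTORY = [
    {"dn": "uid=aallred,ou=people,dc=cfw,dc=local", "objectclass": ["inetOrgPerson"],
     "uid": ["aallred"], "samaccountname": ["aallred"]},
    {"dn": "uid=bsmith,ou=people,dc=cfw,dc=local", "objectclass": ["inetOrgPerson"],
     "uid": ["bsmith"], "samaccountname": ["bsmith"]},
    {"dn": "cn=mojo_mojo,ou=groups,dc=cfw,dc=local", "objectclass": ["groupOfNames"], "cn": ["mojo_mojo"],
     "member": ["cn=admin,dc=cfw,dc=local", "uid=aallred,ou=people,dc=cfw,dc=local"]},
]
TEMPLATE = "(sAMAccountName=%(user)s)"
```

Try search(DIRECTORY, TEMPLATE % {"user": "*"}) against search(DIRECTORY, user_filter(TEMPLATE, "*")): the first returns both accounts, the second none, and is_valid_filter(TEMPLATE % {"user": "aallred)(uid=*"}) is False while the escaped equivalent is a valid filter that matches nothing. The wildcard case is the one that bites with a login form: django-auth-ldap refuses a search that returns more than one entry, but a login name like a* would still resolve to a single account and let an attacker probe which names exist.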

Optional: Enable TLS/SSL

Treat this as optional only while everything runs on one host. As soon as the Django app binds over the network, the admin bind password and each user's password cross the wire in plaintext on port 389, so configure TLS before that happens.

Generate a self-signed certificate (or, better, use a CA-signed one). The subject and subjectAltName must match the name clients connect to (ldap.cfw.local here), and the key must be readable by the openldap user that slapd runs as; on Ubuntu that is done through the ssl-cert group:

sudo openssl req -new -x509 -nodes -newkey rsa:4096 -days 365 \
  -subj "/CN=ldap.cfw.local" -addext "subjectAltName=DNS:ldap.cfw.local" \
  -out /etc/ssl/certs/slapd.crt -keyout /etc/ssl/private/slapd.key
sudo chown root:ssl-cert /etc/ssl/private/slapd.key
sudo chmod 640 /etc/ssl/private/slapd.key
sudo usermod -aG ssl-cert openldap

While you are editing, add ldaps:/// to SLAPD_SERVICES in /etc/default/slapd (SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///") so port 636 is actually served, then restart so the group change and the listener take effect:

sudo systemctl restart slapd

Configure TLS in OpenLDAP. Certificate and key go in one modify operation (the "-" separator) because slapd re-initialises its TLS context when these attributes change and a certificate without its key fails that check. olcTLSCACertificateFile points at the certificate itself for a self-signed cert, and olcTLSProtocolMin: 3.3 refuses anything below TLS 1.2:

sudo tee /tmp/tls_config.ldif << 'EOF'
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/slapd.crt
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/slapd.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/slapd.key
-
replace: olcTLSProtocolMin
olcTLSProtocolMin: 3.3
EOF

sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/tls_config.ldif

Clients (ldap-utils and python-ldap alike, since both use libldap) need to trust the certificate: copy it to the app host and set TLS_CACERT /etc/ssl/certs/slapd.crt in /etc/ldap/ldap.conf. Then verify with StartTLS, where -ZZ fails instead of silently falling back to plaintext, and with LDAPS:

ldapwhoami -x -ZZ -H ldap://ldap.cfw.local -D "uid=aallred,ou=people,dc=cfw,dc=local" -W
ldapwhoami -x -H ldaps://ldap.cfw.local -D "uid=aallred,ou=people,dc=cfw,dc=local" -W

This gives you an OpenLDAP server whose entries carry sAMAccountName, so a django-auth-ldap configuration written for Active Directory can be pointed at it with only the URI, bind account and search bases changed. Before it leaves the lab, put TLS in front of it and replace the cn=admin bind with a dedicated read-only account.
