How to install LDAP server on Windows and work with Omada Router to achieve unified account management
This article applies to: ER605 v2; Omada Controller v5.8 and above
LDAP (Lightweight Directory Access Protocol) is a lightweight directory access protocol with strong user authentication and permission management mechanisms. It allows the use of Access Control Lists (ACLs) to control permissions to read or write to data within a certain scope. ACLs can control which users are allowed to access data, what data is accessed, where data is accessed, how it is accessed, etc.
The basic model of LDAP is based on an "entry" (Entry), which is a collection of one or more attributes with a globally unique "distinguishable name" (denoted by dn). By analogy with a relational database, an entry is equivalent to a record in the database, while a dn is equivalent to a keyword for a record in the database and an attribute is equivalent to a field in the database. In LDAP, the data is organized into a tree structure, as shown in the following figure:
Each node in the graph is saved with an entry. Different types of nodes may require different data to be saved, and in LDAP the data required by different nodes (called attributes) is controlled by the type of objectclass. At the same time, each entry has a dn, and because the dn is unique, the node data needed can be found quickly. dn is composed in the form of a step-by-step search for the parent node starting from the entry's own name and ending with the root entry. As shown above, the dn of the bottom node in the diagram can be expressed as
DN: cn= Jane Smith, ou= people, dc=example, dc=org
Common Attributes
Attribute Name |
Full Name |
Description |
dc |
Domain Component |
The part of the domain name, the format is the complete domain name into several parts, such as the domain name for example.org into dc = example, dc = org (a record belongs to the location) |
ou |
Organization Unit |
Organizational units, which can contain various other objects (including other organizational units), such as the "ou = people" (the organization to which a record belongs) |
cn |
Common Name |
Usually refers to the name of an object. If it is a person, the full name needs to be used. Example: cn = Jane Smith |
dn |
Distinguished Name
|
Unique identification name, similar to absolute path, each object has a unique identification name. Example: cn= Jane Smith, ou= people, dc=example, dc=org |
uid |
User Id |
Usually refers to the user login name. Example: uid = Jane Smith |
rdn |
Relative dn |
Relative identifier name, similar to relative path. Example: cn= Jane Smith or ou= people |
sn |
Surname |
Usually refers to a person's last name. Example: sn = Smith |
(1) Refer to the following link to download the OpenLDAP for Windows application:
https://www.maxcrc.de/en/download-en/
(2) Once the download is complete, double-click the program to enter the OpenLDAP application installation and click Yes to proceed to the next step.
(3) Click Next in the upper right corner for next installation, check the user certificate statement and click Next.
(4) Select the installation path, it is recommended to modify it to the rest of the disk except C disk, such as D:/OpenLDAP, click next; Make user settings, the default can be.
(5) Set the LDAP server name, here we fill in tplink, and choose the default value MBD for the database backend.
(6) Set the password to default (secret), click Next, and click Install. We can change the password after the installation is complete.
(7) The installation is complete when the screen shown below is displayed, click Close to close the installation screen.
(8) Open the CMD command on the PC, go to the OpenLDAP installation path and change the administrator password:
D:
cd OpenLDAP
slappasswd –h {SSHA}
After entering the changed password (here, we change the password to 123456), an encrypted key string will be generated, copy this key information.
Open the slapd.conf file in the OpenLDAP(D:\OpenLDAP) installation directory as a notepad and change the content after rootpw to the key information you just copied. The password change is complete.
(9) Go to the installation directory at the CMD command line: D:/OpenLDAP/run, then type run to start the LDAP server.
At the end it will show slapd starting, which means it started successfully.
Finally, in Task Manager > Services, check if the LDAP Server background process OpenLDAP-slapd is running properly.
(1) LdapAdminv1830 can configure the LDAP Server installed on the local host, such as performing LDAP user addition, modification, and deletion operations. Please refer to the following link for download: Download LdapAdminv1830
(2) Click on the start option under connections to connect and click on New connection.
(3) Set up according to the following example:
Connection name: ldap
Host: IP address of the host where the LDAP server is located
Port: 389 (If you choose TLS/SSL encryption, the port becomes 636)
Version: 3
Base: dc=maxcrc,dc=com (Click on Fetch DNs will automatically fetch)
Username: cn=manager,dc=maxcrc,dc=com
Password: 123456 (The password just changed in the previous step)
Note: Base and username can be found in the slapd.conf file, with suffix corresponding to Base and rootdn corresponding to username. Here we do not modify them, just use the default values.
Click OK and double click on the newly created connection named ldap to connect to the LDAP Server that needs to be configured.
(4) Select the connected LDAP server and click edit > new > organizational unit, add two entries of OU=People and OU=Group.
(5) Check the OU=people entry, click edit > new > User, add user uid=username1, configure the user information according to the figure below, the information filled in the figure is mandatory, the rest is optional.
(6) Check the added uid=username1 user entry and click edit > Set Password to set the password for this user.
(7) Repeat the above steps to create two user entries with uid=username2, uid=username3 respectively.
(8) Add the cn=team1 subentry for OU=Group. Select the OU=Group entry and click edit > new > Group; Create a new Group. Enter the name as team1, click add on the page and select the group members username1 and username2 to be added. Then click OK.
Go to Authentication > LDAP, Click Add to fill the parameter as shown in the figure below.
- Name: ldap
- Bind Type: Regular Mode (The windows LDAP server only supports this mode)
- Server Address: 192.168.0.101 (The IP address of LDAP Server)
- Destination Port: 389 (SSL/TLS is not enabled on the server)
- Regular DN: cn=manager,dc=maxcrc,dc=com (Administrator's account information, only Regular Mode requires this information to be entered)
- Regular Password: 123456 (Password for administrator account)
- Common Name Identifer: uid (The generic name of the user name entered during user authentication, usually "uid")
- Base Distinguished Name: ou=People,dc=maxcrc,dc=com (The base name used for user authentication can be searched by clicking the icon on the right for the ldap directory tree. Here we choose ou=People, indicating that all three user information under ou=People can be authenticated. Of course, you can also select specific users under the ou=People entry. )
- Group Distinguished Name: ou=Group,dc=maxcrc,dc=com (This is an optional field that allows filtering on user groups. Here we select ou=Group, which means that only users under ou=Group can be authenticated, i.e. username1 and username2.)
At this point, the LDAP-related configuration is complete.
The PPTP/L2TP/OpenVPN and web authentication on Omada router can be used with LDAP to realize centralized management of account information. Next, we introduce how L2TP VPN, OpenVPN and web authentication can be used with LDAP.
(1) Go to VPN > L2TP > L2TP Server, Click Add to fill the parameter as shown in the figure below. Don't forget to create the VPN IP Pool in advance. When the authentication Type is LDAP, select the LDAP Profile you just created. Click OK to complete the configuration, no need to create additional users for the VPN in Users.
(2) Using the client for VPN connection. For details, please refer to this link: How to configure PPTP/L2TP client on remote PC
One thing to note is that Unencrypted password (PAP) needs to be checked in the VPN NIC created to ensure proper connection. This is because LDAP also uses the PPP protocol, which can cause user information to be unauthenticated if encrypted.
(3) We can use the accounts usename1 and username2 configured on the LDAP server for VPN login authentication, and after successful connection, we can see the corresponding client information in VPN > L2TP > Tunnel List.
(1) Go to VPN > OpenVPN > OpenVPN Server, Click Add to fill the parameter as shown in the figure below. It needs to enable the AccountPWD first and can choose the Authentication Type. When the authentication Type is LDAP, select the LDAP Profile you just created. Click OK to complete the configuration, no need to create additional users for the VPN in Users.
(2) Click Export on the right to export and send the OVPN profile to the client that needs to connect.
(3) Use OpenVPN Connect to connect. Import the OVPN file exported from the router, enter the username and password configured on the LDAP Server, and connect normally.
(1) Go to Authentication > Authentication Settings > Web Authentication, enabled the Status and choose LDAP for the Authentication Type.
(2) When the client wants to access the Internet, it will jump to the interface shown below, and the account information of both username1 and username2 can pass the authentication.
(3) When the client is authenticated, the information of the corresponding client can be seen in the Authentication > Authentication Status.
Get to know more details of each function and configuration please go to Download Center to download the manual of your product.
Fick du svar på din fråga?
Your feedback helps improve this site.
TP-Link Community
Still need help? Search for answers, ask questions, and get help from TP-Link experts and other users around the world.