[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: basic usage of ldap
- To: Philippe BEAU <philippe@beau.nom.fr>
- Subject: Re: basic usage of ldap
- From: Brandon Young <bkyoung@ku.edu>
- Date: 24 Feb 2002 22:58:44 +0600
- Cc: openldap-software@OpenLDAP.org
- In-reply-to: <018d01c1bd73$a90b3fe0$c50a10ac@creditsnet.com>
- References: <AA33E10E16DAD411BDFD0008C7CF50E6023EDC42@hawk.mail.ukans.edu> <018d01c1bd73$a90b3fe0$c50a10ac@creditsnet.com>
For anyone who may be interested (and for the sake of possibly helping
someone in the future who may be digging through the mailing list
archives) I solved a problem, and want to recap.
The issue was that I was stepping through the quickstart guide, trying
to get an ldap server working on a RedHat 7.2 box. Once I started
slapd, I wasn't able to populate the database because I was being told I
wasn't providing proper credentials. To further frustrate the
situation, the existing documentation pertaining to passwords is vague
at best. Here's what I did:
1. First I shut down slapd. This step seems like a no brainer, but
it's important, and you must do it PROPERLY ... (kill -9 pid_of_slapd
doesn't cut it) for RH 7.2 this is "/etc/init.d/ldap stop".
2. Generate an encrypted password using slappasswd. Paste the result
into slapd.conf. the entry goes w/ rootpw and looks something like:
rootpw {SSHA}gPZZYt2wRuL/c8pER9740wqevrAXdWqo
3. Start slapd again. Again, in RH it's "/etc/init.d/ldap start".
4. ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f example.ldif
[as per the quickstart guide]
That looks just like the instructions in the quickstart guide, but the
extra stuff I mention makes a difference; especially the part about how
to start and stop ldap. That seems to be of critical importance.
Brandon
On Mon, 2002-02-25 at 02:41, Philippe BEAU wrote:
> so, i found !!!
>
> so, at first, configure in your slapd.conf :
>
> rootdn "cn=Manager,dc=beau,dc=com"
> rootpw secret
>
> it's mine configuration. But, at first clear your var/openldap/ldbm
> directory and kill slapd and relaunches all your database creation !
>
> Regards
>
> Philippe B.
>
>
> ----- Original Message -----
> From: "Young, Brandon Khan" <bkyoung@ku.edu>
> To: "'Philippe BEAU '" <philippe@beau.nom.fr>
> Sent: Sunday, February 24, 2002 5:51 PM
> Subject: RE: basic usage of ldap
>
>
> > Yes I did try slappasswd, but the man page is pretty vague about the
> > mechanics of slappasswd. do I run slappasswd and then the passwd is set,
> or
> > do I run slappasswd and paste the result into slapd.conf? I've tried
> both,
> > and don't seem to get any change in behavior ... It's very unclear how to
> > deal with passwords in the config file, and how to generate the passwords
> to
> > put into the config file. There's a way to put in plain text passwords,
> but
> > I don't even understand how to do that ... in short, the password issue is
> > too glossed over in the documentation for me to figure out what I'm
> supposed
> > to do.
> >
> > Maybe I'm unclear about this instead: as I have configured the slapd.conf,
> > should I be trying to access the database as 'Manager', and providing the
> > passwd, or should I be trying it as root, or ... ???
> >
> > Thank you for your time and assistance.
> >
> >
> > Brandon
> >
> >
> >
> > -----Original Message-----
> > From: Philippe BEAU
> > To: Young, Brandon Khan
> > Sent: 2/24/02 2:59 AM
> > Subject: Re: basic usage of ldap
> >
> > hello !
> >
> > Do you try with slappassword ?
> >
> > Regards
> >
> > Philippe B.
> >
> >
> > ----- Original Message -----
> > From: "Young, Brandon Khan" <bkyoung@ku.edu>
> > To: <openldap-software@OpenLDAP.org>
> > Sent: Sunday, February 24, 2002 9:44 AM
> > Subject: basic usage of ldap
> >
> >
> > > In advance, thank you for your time and patience on this matter.
> > >
> > > I, as a proof of concept, installed all the packages necessary in
> > RedHat
> > 7.2
> > > to get openldap2 up and running. In following the quickstart guide, I
> > came
> > > up with the following slapd.conf, where I simply addressed the things
> > > mentioned in the quickstart guide step #8 and beyond.
> > >
> > >
> > >
> > >
> > >
> > > # $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.7 2001/09/27
> > 20:00:31
> > > kurt Exp $
> > > #
> > > # See slapd.conf(5) for details on configuration options.
> > > # This file should NOT be world readable.
> > > #
> > > include /etc/openldap/schema/core.schema
> > > include /etc/openldap/schema/cosine.schema
> > > include /etc/openldap/schema/inetorgperson.schema
> > > include /etc/openldap/schema/nis.schema
> > > include /etc/openldap/schema/redhat/rfc822-MailMember.schema
> > > include /etc/openldap/schema/redhat/autofs.schema
> > > include /etc/openldap/schema/redhat/kerberosobject.schema
> > >
> > > # Define global ACLs to disable default read access.
> > >
> > > # Do not enable referrals until AFTER you have a working directory
> > > # service AND an understanding of referrals.
> > > #referral ldap://root.openldap.org
> > >
> > > #pidfile //var/run/slapd.pid
> > > #argsfile //var/run/slapd.args
> > >
> > > # Create a replication log in /var/lib/ldap for use by slurpd.
> > > #replogfile /var/lib/ldap/master-slapd.replog
> > >
> > > # Load dynamic backend modules:
> > > # modulepath /usr/sbin/openldap
> > > # moduleload back_ldap.la
> > > # moduleload back_ldbm.la
> > > # moduleload back_passwd.la
> > > # moduleload back_shell.la
> > >
> > > #
> > > # The next two lines allow use of TLS for connections using a dummy
> > test
> > > # certificate, but you should generate a proper certificate by
> > changing to
> > > # /usr/share/ssl/certs, running "make slapd.pem", and fixing
> > permissions
> > on
> > > # slapd.pem so that the ldap user or group can read it.
> > > # TLSCertificateFile /usr/share/ssl/certs/slapd.pem
> > > # TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem
> > > #
> > > # Sample Access Control
> > > # Allow read access of root DSE
> > > # Allow self write access
> > > # Allow authenticated users read access
> > > # Allow anonymous users to authenticate
> > > #
> > > #access to dn="" by * read
> > > #access to *
> > > # by self write
> > > # by users read
> > > # by anonymous auth
> > > #
> > > # if no access controls are present, the default is:
> > > # Allow read by all
> > > #
> > > # rootdn can always write!
> > >
> > >
> > #######################################################################
> > > # ldbm database definitions
> > >
> > #######################################################################
> > >
> > > database ldbm
> > > suffix "dc=infinity-computing,dc=com"
> > > #suffix "o=My Organization Name,c=US"
> > > rootdn "cn=Manager,dc=infinity-computing,dc=com"
> > > #rootdn "cn=Manager,o=My Organization Name,c=US"
> > > # Cleartext passwords, especially for the rootdn, should
> > > # be avoided. See slappasswd(8) and slapd.conf(5) for details.
> > > # Use of strong authentication encouraged.
> > > rootpw secret
> > > # rootpw {crypt}a_OOAbS2vPWRY
> > > # The database directory MUST exist prior to running slapd AND
> > > # should only be accessible by the slapd/tools. Mode 700 recommended.
> > > directory /var/lib/ldap
> > > # Indices to maintain
> > > index objectClass,uid,uidNumber,gidNumber,memberUid eq
> > > index cn,mail,surname,givenname eq,subinitial
> > > # Replicas to which we should propagate changes
> > > #replica host=ldap-1.example.com:389 tls=yes
> > > # bindmethod=sasl saslmech=GSSAPI
> > > # authcId=host/ldap-master.example.com@EXAMPLE.COM
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > > step #9 returned results such as follows:
> > >
> > > [root@redhat bkyoung]# ldapsearch -x -b '' -s base '(objectclass=*)'
> > > namingContexts
> > > version: 2
> > >
> > > #
> > > # filter: (objectclass=*)
> > > # requesting: namingContexts
> > > #
> > >
> > > #
> > > dn:
> > > namingContexts: dc=infinity-computing,dc=com
> > >
> > > # search result
> > > search: 2
> > > result: 0 Success
> > >
> > > # numResponses: 2
> > > # numEntries: 1
> > >
> > >
> > >
> > >
> > >
> > >
> > > in step #10 I created the following example.ldif, taking care to only
> > edit
> > > the applicable parts from those provided in the example LDIF file in
> > that
> > > step of the quickstart:
> > >
> > > dn: dc=infinity-computing,dc=com
> > > objectclass: dcObject
> > > objectclass: organization
> > > o: Infinity Computing
> > > dc: infinity-computing
> > >
> > > dn: cn=Manager,dc=infinity-computing,dc=com
> > > objectclass: organizationalRole
> > > cn: Manager
> > >
> > >
> > >
> > > AND HERE'S WHERE MY TROUBLE IS ...
> > >
> > > [root@redhat bkyoung]# ldapadd -x -D
> > > "cn=Manager,dc=infinity-computing,dc=com" -W -f example.ldif
> > > Enter LDAP Password: {here I type secret, and i get ... }
> > > ldap_bind: Invalid credentials
> > >
> > > I'm lost. It is obvious to me that I am missing something extremely
> > simple;
> > > I have no idea what the mechanics of adding crypted passwords to the
> > > slapd.conf file is, or even plain text passwords. I just want to get
> > > SOMETHING to work, and then I'll fuss about the finer points. The man
> > pages
> > > and the HOWTO are not very clear about passwords. I tried using
> > slappasswd
> > > ... but it's unclear to me whether this generates a crypted password
> > to
> > > paste into the slapd.conf, or if it set the passwd. At any rate, I
> > have
> > had
> > > no success getting past this point, and that's very frustrating.
> > Could
> > > someone coach me through this part of the set up? Again, thank you in
> > > advance.
> > >
> > >
> > >
> > > Brandon
> > >
> >