
Re: basic usage of ldap



> For anyone who may be interested (and for the sake of possibly helping
> someone in the future who may be digging through the mailing list
> archives) I solved a problem, and want to recap.
>
>
> The issue was that I was stepping through the quickstart guide, trying
> to get an ldap server working on a RedHat 7.2 box.  Once I started
> slapd, I wasn't able to populate the database because I was being told I
> wasn't providing proper credentials.  To further frustrate the
> situation, the existing documentation pertaining to passwords is vague
> at best.  Here's what I did:
>
> 1.  First I shut down slapd.  This step seems like a no brainer, but
> it's important, and you must do it PROPERLY ... (kill -9 pid_of_slapd
> doesn't cut it); for RH 7.2 this is "/etc/init.d/ldap stop".

Look at /etc/rc.d/init.d/ldap :

.....
function stop() {
        # Stop daemons.
        ......
        killproc ${slapd}
        .....
}
....

So I think all our problems came from the fact that we do a lot of tests and
we don't clean the ldap database .. (it was mine, and next it was ok !!)

> 2.  Generate an encrypted password using slappasswd.  Paste the result
> into slapd.conf.  the entry goes w/ rootpw and looks something like:
>
> rootpw {SSHA}gPZZYt2wRuL/c8pER9740wqevrAXdWqo
>
> 3.  Start slapd again.  Again, in RH it's "/etc/init.d/ldap start".
>
> 4.  ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f example.ldif
> [as per the quickstart guide]
>
> That looks just like the instructions in the quickstart guide, but the
> extra stuff I mention makes a difference; especially the part about how
> to start and stop ldap.  That seems to be of critical importance.
>
>
> Brandon
>
>
>
> On Mon, 2002-02-25 at 02:41, Philippe BEAU wrote:
> > So, I found it !!!
> >
> > So, at first, configure in your slapd.conf :
> >
> > rootdn "cn=Manager,dc=beau,dc=com"
> > rootpw secret
> >
> > It's my configuration. But, at first, clear your var/openldap/ldbm
> > directory, kill slapd and relaunch all your database creation !
> >
> > Regards
> >
> > Philippe B.
> >
> >
> > ----- Original Message -----
> > From: "Young, Brandon Khan" <bkyoung@ku.edu>
> > To: "'Philippe BEAU '" <philippe@beau.nom.fr>
> > Sent: Sunday, February 24, 2002 5:51 PM
> > Subject: RE: basic usage of ldap
> >
> >
> > > Yes I did try slappasswd, but the man page is pretty vague about the
> > > mechanics of slappasswd. Do I run slappasswd and then the passwd is set,
> > > or do I run slappasswd and paste the result into slapd.conf?  I've tried
> > > both, and don't seem to get any change in behavior ... It's very unclear
> > > how to deal with passwords in the config file, and how to generate the
> > > passwords to put into the config file.  There's a way to put in plain text
> > > passwords, but I don't even understand how to do that ... in short, the
> > > password issue is too glossed over in the documentation for me to figure
> > > out what I'm supposed to do.
> > >
> > > Maybe I'm unclear about this instead: as I have configured the slapd.conf,
> > > should I be trying to access the database as 'Manager', and providing the
> > > passwd, or should I be trying it as root, or ... ???
> > >
> > > Thank you for your time and assistance.
> > >
> > >
> > > Brandon
> > >
> > >
> > >
> > > -----Original Message-----
> > > From: Philippe BEAU
> > > To: Young, Brandon Khan
> > > Sent: 2/24/02 2:59 AM
> > > Subject: Re: basic usage of ldap
> > >
> > > hello !
> > >
> > > Did you try with slappasswd ?
> > >
> > > Regards
> > >
> > > Philippe B.
> > >
> > >
> > > ----- Original Message -----
> > > From: "Young, Brandon Khan" <bkyoung@ku.edu>
> > > To: <openldap-software@OpenLDAP.org>
> > > Sent: Sunday, February 24, 2002 9:44 AM
> > > Subject: basic usage of ldap
> > >
> > >
> > > > In advance, thank you for your time and patience on this matter.
> > > >
> > > > I, as a proof of concept, installed all the packages necessary in RedHat
> > > > 7.2 to get openldap2 up and running.  In following the quickstart guide,
> > > > I came up with the following slapd.conf, where I simply addressed the
> > > > things mentioned in the quickstart guide step #8 and beyond.
> > > >
> > > > # $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.7 2001/09/27 20:00:31 kurt Exp $
> > > > #
> > > > # See slapd.conf(5) for details on configuration options.
> > > > # This file should NOT be world readable.
> > > > #
> > > > include         /etc/openldap/schema/core.schema
> > > > include         /etc/openldap/schema/cosine.schema
> > > > include         /etc/openldap/schema/inetorgperson.schema
> > > > include         /etc/openldap/schema/nis.schema
> > > > include         /etc/openldap/schema/redhat/rfc822-MailMember.schema
> > > > include         /etc/openldap/schema/redhat/autofs.schema
> > > > include         /etc/openldap/schema/redhat/kerberosobject.schema
> > > >
> > > > # Define global ACLs to disable default read access.
> > > >
> > > > # Do not enable referrals until AFTER you have a working directory
> > > > # service AND an understanding of referrals.
> > > > #referral       ldap://root.openldap.org
> > > >
> > > > #pidfile        //var/run/slapd.pid
> > > > #argsfile       //var/run/slapd.args
> > > >
> > > > # Create a replication log in /var/lib/ldap for use by slurpd.
> > > > #replogfile     /var/lib/ldap/master-slapd.replog
> > > >
> > > > # Load dynamic backend modules:
> > > > # modulepath    /usr/sbin/openldap
> > > > # moduleload    back_ldap.la
> > > > # moduleload    back_ldbm.la
> > > > # moduleload    back_passwd.la
> > > > # moduleload    back_shell.la
> > > >
> > > > #
> > > > # The next two lines allow use of TLS for connections using a dummy test
> > > > # certificate, but you should generate a proper certificate by changing to
> > > > # /usr/share/ssl/certs, running "make slapd.pem", and fixing permissions on
> > > > # slapd.pem so that the ldap user or group can read it.
> > > > # TLSCertificateFile /usr/share/ssl/certs/slapd.pem
> > > > # TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem
> > > > #
> > > > # Sample Access Control
> > > > #       Allow read access of root DSE
> > > > #       Allow self write access
> > > > #       Allow authenticated users read access
> > > > #       Allow anonymous users to authenticate
> > > > #
> > > > #access to dn="" by * read
> > > > #access to *
> > > > #       by self write
> > > > #       by users read
> > > > #       by anonymous auth
> > > > #
> > > > # if no access controls are present, the default is:
> > > > #       Allow read by all
> > > > #
> > > > # rootdn can always write!
> > > >
> > > >
> > > > #######################################################################
> > > > # ldbm database definitions
> > > > #######################################################################
> > > >
> > > > database        ldbm
> > > > suffix          "dc=infinity-computing,dc=com"
> > > > #suffix         "o=My Organization Name,c=US"
> > > > rootdn          "cn=Manager,dc=infinity-computing,dc=com"
> > > > #rootdn         "cn=Manager,o=My Organization Name,c=US"
> > > > # Cleartext passwords, especially for the rootdn, should
> > > > # be avoided.  See slappasswd(8) and slapd.conf(5) for details.
> > > > # Use of strong authentication encouraged.
> > > >  rootpw         secret
> > > > # rootpw        {crypt}a_OOAbS2vPWRY
> > > > # The database directory MUST exist prior to running slapd AND
> > > > # should only be accessible by the slapd/tools. Mode 700 recommended.
> > > > directory       /var/lib/ldap
> > > > # Indices to maintain
> > > > index   objectClass,uid,uidNumber,gidNumber,memberUid   eq
> > > > index   cn,mail,surname,givenname                        eq,subinitial
> > > > # Replicas to which we should propagate changes
> > > > #replica host=ldap-1.example.com:389 tls=yes
> > > > #       bindmethod=sasl saslmech=GSSAPI
> > > > #       authcId=host/ldap-master.example.com@EXAMPLE.COM
> > > >
> > > > step #9 returned results such as follows:
> > > >
> > > > [root@redhat bkyoung]# ldapsearch -x -b '' -s base '(objectclass=*)'
> > > > namingContexts
> > > > version: 2
> > > >
> > > > #
> > > > # filter: (objectclass=*)
> > > > # requesting: namingContexts
> > > > #
> > > >
> > > > #
> > > > dn:
> > > > namingContexts: dc=infinity-computing,dc=com
> > > >
> > > > # search result
> > > > search: 2
> > > > result: 0 Success
> > > >
> > > > # numResponses: 2
> > > > # numEntries: 1
> > > >
> > > > In step #10 I created the following example.ldif, taking care to only
> > > > edit the applicable parts from those provided in the example LDIF file
> > > > in that step of the quickstart:
> > > >
> > > > dn: dc=infinity-computing,dc=com
> > > > objectclass: dcObject
> > > > objectclass: organization
> > > > o: Infinity Computing
> > > > dc: infinity-computing
> > > >
> > > > dn: cn=Manager,dc=infinity-computing,dc=com
> > > > objectclass: organizationalRole
> > > > cn: Manager
> > > >
> > > >
> > > >
> > > > AND HERE'S WHERE MY TROUBLE IS ...
> > > >
> > > > [root@redhat bkyoung]# ldapadd -x -D
> > > > "cn=Manager,dc=infinity-computing,dc=com" -W -f example.ldif
> > > > Enter LDAP Password: {here I type secret, and i get ... }
> > > > ldap_bind: Invalid credentials
> > > >
> > > > I'm lost.  It is obvious to me that I am missing something extremely
> > > > simple; I have no idea what the mechanics of adding crypted passwords to
> > > > the slapd.conf file is, or even plain text passwords.  I just want to get
> > > > SOMETHING to work, and then I'll fuss about the finer points.  The man
> > > > pages and the HOWTO are not very clear about passwords.  I tried using
> > > > slappasswd ... but it's unclear to me whether this generates a crypted
> > > > password to paste into the slapd.conf, or if it set the passwd.  At any
> > > > rate, I have had no success getting past this point, and that's very
> > > > frustrating.  Could someone coach me through this part of the set up?
> > > > Again, thank you in advance.
> > > >
> > > >
> > > >
> > > > Brandon
> > > >
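An added example, not code from anyone on this thread: slapd.conf(5) treats a line that begins with whitespace as a continuation of the line above it, and continuation lines are unwrapped before comment lines are dropped, so a "rootpw" line indented by a single space after a "#" comment (as in the config quoted at the bottom of the thread) never becomes a directive. The Python checker below reproduces those two parsing rules on a constructed sample (BROKEN_CONF, FIXED_CONF and HASHED_CONF are my own names; the dc=example,dc=com suffix is a placeholder; the {SSHA} value is the one posted earlier in the thread) and reports whether a rootpw survives and whether it is cleartext or hashed.

```python
import re

# Constructed sample modelled on the slapd.conf quoted in the thread:
# note the single leading space before "rootpw".
BROKEN_CONF = """\
database        ldbm
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
 rootpw         secret
# rootpw        {crypt}a_OOAbS2vPWRY
directory       /var/lib/ldap
"""
# Same file with the leading space removed (what pasting a fresh line does).
FIXED_CONF = BROKEN_CONF.replace("\n rootpw", "\nrootpw")
# Same again, but with a slappasswd(8) hash instead of a cleartext secret.
HASHED_CONF = re.sub(r"^rootpw\s+secret$",
                     "rootpw {SSHA}gPZZYt2wRuL/c8pER9740wqevrAXdWqo",
                     FIXED_CONF, flags=re.M)

def logical_lines(text):
    """Rebuild logical lines as slapd.conf(5) describes: a physical line
    starting with whitespace is appended to the previous line, and only
    afterwards are blank lines and '#' comment lines discarded."""
    joined = []
    for raw in text.splitlines():
        if raw[:1].isspace() and joined:
            joined[-1] += " " + raw.strip()
        else:
            joined.append(raw.rstrip())
    return [ln for ln in joined if ln and not ln.startswith("#")]

def audit_rootpw(text):
    """Report whether a rootpw directive survives parsing and, if so,
    whether its value carries a {SCHEME} hash prefix or is cleartext."""
    directives = {}
    for ln in logical_lines(text):
        parts = ln.split(None, 1)
        if len(parts) == 2:
            directives[parts[0].lower()] = parts[1].strip()  # last one wins
    value = directives.get("rootpw")
    if value is None:
        return {"set": False, "scheme": None,
                "note": "no effective rootpw; an indented line belongs to the line above"}
    m = re.match(r"\{([A-Za-z0-9-]+)\}", value)
    return {"set": True, "scheme": m.group(1) if m else None,
            "note": "hashed rootpw" if m else "cleartext rootpw"}

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF),
                       ("hashed", HASHED_CONF)):
        print(name, audit_rootpw(conf))
```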