
Re: basic usage of ldap




Brandon,
     The /etc/rc.d/init.d/..... command format is standard with all Red Hat
Linux versions.  I have written the following script so I don't have to
type in the full path to the init.d directory in order to start/stop a
service application under RH Linux.  I install this program on all my RH
machines and that way I only have to remember one command: "pcontrol".  If
you want to use this, just copy it to a file called "/usr/sbin/pcontrol" and
after you close the file you need to do a
"chmod 700 /usr/sbin/pcontrol" to make the file executable only by root.
Then just type "pcontrol" and it will list all the scripts (in case you
forgot how it was spelled), or type "pcontrol ldap restart" to stop and
restart the ldap program.  Here's the program.  Just copy the part between
the two lines of ****s.


*******************copy below here************************************************
#!/bin/sh
#
# Program: /usr/sbin/pcontrol
# Function: Script to control system apps
# Command format:  pcontrol app_name [start|stop|restart]
# Written by:  Ken Smith, Dec/98

INITDIR=/etc/rc.d/init.d

usage() {
        echo "Usage: $(basename "$0") script-name [start|stop|restart]"
}

# No script name given: show usage and list the available init scripts.
if [ -z "$1" ]; then
        echo
        usage
        echo
        echo "Script-names are:"
        ls "$INITDIR"
        exit 1
fi

# No action given (start, stop, restart, ...): show usage.
if [ -z "$2" ]; then
        usage
        exit 1
fi

# Refuse names containing a slash so that only scripts that live directly
# inside $INITDIR can be run (no "../" tricks, no absolute paths).
case "$1" in
        */*)
                echo "Application \"$1\" does not exist"
                exit 1
                ;;
esac

if [ ! -f "$INITDIR/$1" ]; then
        echo "Application \"$1\" does not exist"
        exit 1
fi

# Hand the action to the init script; quoting keeps odd names intact.
exec "$INITDIR/$1" "$2"

# end of pcontrol program

*******************copy above here************************************************




                                                                                                                                
From:     Brandon Young <bkyoung@ku.edu>
Sent by:  owner-openldap-software@OpenLDAP.org
To:       Philippe BEAU <philippe@beau.nom.fr>
cc:       openldap-software@OpenLDAP.org
Subject:  Re: basic usage of ldap
Date:     02/24/02 08:58 AM




For anyone who may be interested (and for the sake of possibly helping
someone in the future who may be digging through the mailing list
archives) I solved a problem, and want to recap.


The issue was that I was stepping through the quickstart guide, trying
to get an ldap server working on a RedHat 7.2 box.  Once I started
slapd, I wasn't able to populate the database because I was being told I
wasn't providing proper credentials.  To further frustrate the
situation, the existing documentation pertaining to passwords is vague
at best.  Here's what I did:

1.  First I shut down slapd.  This step seems like a no-brainer, but
it's important, and you must do it PROPERLY ... (kill -9 pid_of_slapd
doesn't cut it).  For RH 7.2 this is "/etc/init.d/ldap stop".

2.  Generate an encrypted password using slappasswd.  Paste the result
into slapd.conf.  The entry goes w/ rootpw and looks something like:

     rootpw {SSHA}gPZZYt2wRuL/c8pER9740wqevrAXdWqo

3.  Start slapd again.  Again, in RH it's "/etc/init.d/ldap start".

4.  ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f example.ldif
          [as per the quickstart guide]

That looks just like the instructions in the quickstart guide, but the
extra stuff I mention makes a difference; especially the part about how
to start and stop ldap.  That seems to be of critical importance.


Brandon
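
Brandon's step 2 pastes a `{SSHA}` value produced by slappasswd into slapd.conf. The following is an added example, not code from this thread or from the OpenLDAP project, showing what that string actually is and how slapd checks a bind against it: base64 of SHA-1(password || salt) followed by the salt, verified by re-hashing with the recovered salt. It also audits a slapd.conf text for two rootpw problems that appear in this thread: a cleartext `rootpw secret`, and a `rootpw` line indented by whitespace, which slapd.conf(5) treats as a continuation of the preceding line (a comment, in the configuration quoted further down), so the directive never takes effect. The sample configurations are constructed for the example; the only value taken from the thread is the `{SSHA}` hash itself.

```python
"""Added example: OpenLDAP {SSHA} hashing/verification and a slapd.conf rootpw audit."""
import base64
import hashlib
import hmac
import os
import re
from typing import List, Optional, Tuple

SHA1_LEN = hashlib.sha1().digest_size  # 20 bytes


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Build a {SSHA} value: base64(SHA1(password || salt) || salt).

    This is the layout slappasswd -h {SSHA} writes (4 random salt bytes by default).
    """
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def parse_ssha(stored: str) -> Optional[Tuple[bytes, bytes]]:
    """Split a {SSHA} string into (digest, salt); None if it is malformed."""
    if not stored.startswith("{SSHA}"):
        return None
    try:
        raw = base64.b64decode(stored[len("{SSHA}"):], validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return None
    if len(raw) <= SHA1_LEN:  # need at least one salt byte after the digest
        return None
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def ssha_verify(password: str, stored: str) -> bool:
    """Check a password the way slapd does for a hashed rootpw/userPassword."""
    parts = parse_ssha(stored)
    if parts is None:
        return False
    digest, salt = parts
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)  # constant-time compare


def audit_rootpw(conf: str) -> List[str]:
    """Report rootpw problems in a slapd.conf text.

    Per slapd.conf(5) a physical line that starts with whitespace continues the
    previous line, so an indented 'rootpw' is not a directive of its own.
    """
    findings: List[str] = []
    effective = 0
    for lineno, line in enumerate(conf.splitlines(), 1):
        m = re.match(r"\s*rootpw\s+(\S+)", line)
        if not m:
            continue
        if line[:1] in (" ", "\t"):
            findings.append(
                f"line {lineno}: rootpw is indented, so slapd reads it as a "
                "continuation of the previous line rather than as a directive"
            )
            continue
        effective += 1
        if not m.group(1).startswith("{"):  # {SSHA}, {CRYPT}, ... mark a hash
            findings.append(
                f"line {lineno}: rootpw is stored in cleartext; "
                "use slappasswd to generate a {{SSHA}} value instead"
            )
    if effective == 0:
        findings.append(
            "no effective rootpw directive: a simple bind as rootdn has nothing to check against"
        )
    return findings


# Constructed sample configurations (not the thread's file), modelled on its layout.
GOOD_CONF = """\
database        ldbm
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
rootpw          {SSHA}gPZZYt2wRuL/c8pER9740wqevrAXdWqo
directory       /var/lib/ldap
"""

CLEARTEXT_CONF = GOOD_CONF.replace("{SSHA}gPZZYt2wRuL/c8pER9740wqevrAXdWqo", "secret")

INDENTED_CONF = """\
rootdn          "cn=Manager,dc=example,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
 rootpw         secret
directory       /var/lib/ldap
"""

if __name__ == "__main__":
    print("rootpw          " + ssha_hash("secret"))  # paste this line into slapd.conf
    for name, conf in (("good", GOOD_CONF), ("cleartext", CLEARTEXT_CONF), ("indented", INDENTED_CONF)):
        print(name, audit_rootpw(conf) or ["ok"])
```

Running the file prints a fresh `rootpw {SSHA}...` line and the audit result for each sample; the indented sample yields two findings (the swallowed directive and the resulting absence of any effective rootpw), which matches the "Invalid credentials" symptom described in this thread.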



On Mon, 2002-02-25 at 02:41, Philippe BEAU wrote:
> So, I found it!!!
>
> So, at first, configure in your slapd.conf:
>
> rootdn "cn=Manager,dc=beau,dc=com"
> rootpw secret
>
> It's my configuration. But, at first, clear your var/openldap/ldbm
> directory and kill slapd and relaunch all your database creation!
>
> Regards
>
> Philippe B.
>
>
> ----- Original Message -----
> From: "Young, Brandon Khan" <bkyoung@ku.edu>
> To: "'Philippe BEAU '" <philippe@beau.nom.fr>
> Sent: Sunday, February 24, 2002 5:51 PM
> Subject: RE: basic usage of ldap
>
>
> > Yes I did try slappasswd, but the man page is pretty vague about the
> > mechanics of slappasswd.  Do I run slappasswd and then the passwd is set,
> > or do I run slappasswd and paste the result into slapd.conf?  I've tried
> > both, and don't seem to get any change in behavior ... It's very unclear
> > how to deal with passwords in the config file, and how to generate the
> > passwords to put into the config file.  There's a way to put in plain text
> > passwords, but I don't even understand how to do that ... in short, the
> > password issue is too glossed over in the documentation for me to figure
> > out what I'm supposed to do.
> >
> > Maybe I'm unclear about this instead: as I have configured the slapd.conf,
> > should I be trying to access the database as 'Manager', and providing the
> > passwd, or should I be trying it as root, or ... ???
> >
> > Thank you for your time and assistance.
> >
> >
> > Brandon
> >
> >
> >
> > -----Original Message-----
> > From: Philippe BEAU
> > To: Young, Brandon Khan
> > Sent: 2/24/02 2:59 AM
> > Subject: Re: basic usage of ldap
> >
> > hello !
> >
> > Did you try with slappasswd?
> >
> > Regards
> >
> > Philippe B.
> >
> >
> > ----- Original Message -----
> > From: "Young, Brandon Khan" <bkyoung@ku.edu>
> > To: <openldap-software@OpenLDAP.org>
> > Sent: Sunday, February 24, 2002 9:44 AM
> > Subject: basic usage of ldap
> >
> >
> > > In advance, thank you for your time and patience on this matter.
> > >
> > > I, as a proof of concept, installed all the packages necessary in
> > > RedHat 7.2 to get openldap2 up and running.  In following the quickstart
> > > guide, I came up with the following slapd.conf, where I simply addressed
> > > the things mentioned in the quickstart guide step #8 and beyond.
> > >
> > >
> > >
> > >
> > >
> > > # $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.7 2001/09/27 20:00:31 kurt Exp $
> > > #
> > > # See slapd.conf(5) for details on configuration options.
> > > # This file should NOT be world readable.
> > > #
> > > include         /etc/openldap/schema/core.schema
> > > include         /etc/openldap/schema/cosine.schema
> > > include         /etc/openldap/schema/inetorgperson.schema
> > > include         /etc/openldap/schema/nis.schema
> > > include         /etc/openldap/schema/redhat/rfc822-MailMember.schema
> > > include         /etc/openldap/schema/redhat/autofs.schema
> > > include         /etc/openldap/schema/redhat/kerberosobject.schema
> > >
> > > # Define global ACLs to disable default read access.
> > >
> > > # Do not enable referrals until AFTER you have a working directory
> > > # service AND an understanding of referrals.
> > > #referral       ldap://root.openldap.org
> > >
> > > #pidfile        //var/run/slapd.pid
> > > #argsfile       //var/run/slapd.args
> > >
> > > # Create a replication log in /var/lib/ldap for use by slurpd.
> > > #replogfile     /var/lib/ldap/master-slapd.replog
> > >
> > > # Load dynamic backend modules:
> > > # modulepath    /usr/sbin/openldap
> > > # moduleload    back_ldap.la
> > > # moduleload    back_ldbm.la
> > > # moduleload    back_passwd.la
> > > # moduleload    back_shell.la
> > >
> > > #
> > > # The next two lines allow use of TLS for connections using a dummy test
> > > # certificate, but you should generate a proper certificate by changing to
> > > # /usr/share/ssl/certs, running "make slapd.pem", and fixing permissions on
> > > # slapd.pem so that the ldap user or group can read it.
> > > # TLSCertificateFile /usr/share/ssl/certs/slapd.pem
> > > # TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem
> > > #
> > > # Sample Access Control
> > > #       Allow read access of root DSE
> > > #       Allow self write access
> > > #       Allow authenticated users read access
> > > #       Allow anonymous users to authenticate
> > > #
> > > #access to dn="" by * read
> > > #access to *
> > > #       by self write
> > > #       by users read
> > > #       by anonymous auth
> > > #
> > > # if no access controls are present, the default is:
> > > #       Allow read by all
> > > #
> > > # rootdn can always write!
> > >
> > >
> > > #######################################################################
> > > # ldbm database definitions
> > > #######################################################################
> > >
> > > database        ldbm
> > > suffix          "dc=infinity-computing,dc=com"
> > > #suffix         "o=My Organization Name,c=US"
> > > rootdn          "cn=Manager,dc=infinity-computing,dc=com"
> > > #rootdn         "cn=Manager,o=My Organization Name,c=US"
> > > # Cleartext passwords, especially for the rootdn, should
> > > # be avoided.  See slappasswd(8) and slapd.conf(5) for details.
> > > # Use of strong authentication encouraged.
> > >  rootpw         secret
> > > # rootpw        {crypt}a_OOAbS2vPWRY
> > > # The database directory MUST exist prior to running slapd AND
> > > # should only be accessible by the slapd/tools. Mode 700 recommended.
> > > directory       /var/lib/ldap
> > > # Indices to maintain
> > > index   objectClass,uid,uidNumber,gidNumber,memberUid   eq
> > > index   cn,mail,surname,givenname                       eq,subinitial
> > > # Replicas to which we should propagate changes
> > > #replica host=ldap-1.example.com:389 tls=yes
> > > #       bindmethod=sasl saslmech=GSSAPI
> > > #       authcId=host/ldap-master.example.com@EXAMPLE.COM
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > > step #9 returned results such as follows:
> > >
> > > [root@redhat bkyoung]# ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
> > > version: 2
> > >
> > > #
> > > # filter: (objectclass=*)
> > > # requesting: namingContexts
> > > #
> > >
> > > #
> > > dn:
> > > namingContexts: dc=infinity-computing,dc=com
> > >
> > > # search result
> > > search: 2
> > > result: 0 Success
> > >
> > > # numResponses: 2
> > > # numEntries: 1
> > >
> > >
> > >
> > >
> > >
> > >
> > > In step #10 I created the following example.ldif, taking care to only
> > > edit the applicable parts from those provided in the example LDIF file in
> > > that step of the quickstart:
> > >
> > > dn: dc=infinity-computing,dc=com
> > > objectclass: dcObject
> > > objectclass: organization
> > > o: Infinity Computing
> > > dc: infinity-computing
> > >
> > > dn: cn=Manager,dc=infinity-computing,dc=com
> > > objectclass: organizationalRole
> > > cn: Manager
> > >
> > >
> > >
> > > AND HERE'S WHERE MY TROUBLE IS ...
> > >
> > > [root@redhat bkyoung]# ldapadd -x -D "cn=Manager,dc=infinity-computing,dc=com" -W -f example.ldif
> > > Enter LDAP Password: {here I type secret, and i get ... }
> > > ldap_bind: Invalid credentials
> > >
> > > I'm lost.  It is obvious to me that I am missing something extremely
> > > simple; I have no idea what the mechanics of adding crypted passwords to
> > > the slapd.conf file are, or even plain text passwords.  I just want to get
> > > SOMETHING to work, and then I'll fuss about the finer points.  The man
> > > pages and the HOWTO are not very clear about passwords.  I tried using
> > > slappasswd ... but it's unclear to me whether this generates a crypted
> > > password to paste into the slapd.conf, or if it sets the passwd.  At any
> > > rate, I have had no success getting past this point, and that's very
> > > frustrating.  Could someone coach me through this part of the setup?
> > > Again, thank you in advance.
> > >
> > >
> > >
> > > Brandon
> > >
> >