[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Perplexed



fre, 2002-08-09 kl. 23:24 skrev Renato A. Q. Salles:

> You are a very lucky man, and a suppose you worked a lot for it!

I worked hard for it :-) But I'm also very skeptical and refuse to take
what others say is true, without questioning "why?" *[1]

> Me, i'm in deep troeble traying to make thinks work well around here.
> Beeing franc, the first time i started to work with ldap, i was wondering
> it could be at least better then 'Active Directory' from ms. Let's say,
> a port from iplanet to the OpenSource community.

It probably isn't, I don't know Active Directory. But Openldap is
non-proprietary and "ours", not Microsoft or Novell's or Sun's and "we"
can do what "we" want with it.

> I have near 6 years of
> exp. in Linux, but all my brain power was not enough yet to make openldap
> work for us as expected.

You have to take it bit by bit. Start with the very least basics and
then say: "If I can do this, then I must be able to do that". In which
respect, specialist lists like Openldap, Exim, FreeS/WAN (need a good
spam- and antivirus screen :-> etc. tell you what others can, "so it
must be possible."

> I just can't make it work with TLS.

A comprehensive PKI background helps a lot (i.e. having made things work
with FreeS/WAN and/or Apache SSL).

http://www.rsasecurity.com/rsalabs/pkcs/index.html is a good start.

> So, i look
> and browse all data trough gq and 'directory_adminitrator' but no chance
> to insert or modify any content inside it.

Not with these, no. If you read the GQ README, you,ll see that the two
guys more or less renounce all claims to SSL/TLS support. If you run SSL
slapd in -d 5 mode, you'll see it saying that GQ's using an incompatible
protocol. GQ is good for learning and manipulating LDAP hierarchies. You
can even drag and drop, but not with SSL.

> The reason is simple: i can not
> log as manager in ldap  to make things happen.

This has nothing to do with SSL, though? Why would you want to start off
with a new installation using SSL?

> The last version of ''migration-tools' simply din't work for me,
> forcing us to downgrade to the previous openldap version.

I've never used the migration tools, so I wouldn't know what they're
for. I've never bothered to find out, nor had any experience. I began on
Openldap with 2.1.2 and ldbm, the went over to 2.1.3 and Berkeley BDB 4.
I only ever had passwd/shadow users and on my notebook there aren't too
many of them ;-) I've made a few ldap based users and imported around 60
contacts into the directory database: That's my total "people" base. The
whole experience was originally to gain knowledge and experience, but
I've become addicted to Openldap so ...

> Im in trouble
> now. Any change i could think about in config of slapd, ldap.conf and
> pam.d was donne, without any success, just the old adaggio: 'ldap_bind:
> Invalid credentials'

In as much as you have neither said what you want and why, what you've
tried nor what you have (Linux, Openldap etc.), I'm afraid no one can
help you.

> What the black magic did you find to make things happen?

There was no black magic in making things happen, just trying different
angles and when they didn't work knocking my head against brick walls
until I could think clearly again. To me Openldap is still magic. The
black magic is in finding out what other people tell you to do doesn't
necessarily work, and then finding out that your own conclusions are
better (see [1] below) and what works for them doesn't necessarily work
for you. 

> There is
> already 2 weeks of work, for nothing! I'm at the point to give up about
> all this shift (without the 'f').

No experience is ever for nothing. The English say "it's all grist to
the mill", the Norwegians say: «da' e' aldri noko so gali atte da' ikkje
e' godt fyre noko anna.» Which means the same, if you come from Sogn in
West Norway.

What you need to do is to get a test machine, install your very own,
favorite, latest version of Linux (which should be Red Hat 7.3 :-) on it
and then compile and install your base Berkeley 4 from Sleepycat,
Openldap 2.1.3 (or since it's apparently buggy, whatever gets given out
after it), pam_ldap-148/nss_ldap-197 from PADL.com *and begin from
scratch*, i.e. begin from the beginning. Build things up from the
examples you're given. That's your starting point. First add a base dn:
Your organisation. Then add a user. Like Manager, for example. When that
works, go further. Then you can start using non-SSL GQ to manage things
(tip: make an admin user as soon as possible and cut out Manager: He's
too omnipotent).

> I'm new in the list, and i appreciate your
> strong skeel with openldap

Mr. Williams might be laughing his head off at that. I owe him a lot :-)

> maybe you could help us to make thinks came a
> little bit painless for us.

No, you have to go on bashing your head against brick walls. The people
on this list could possibly help to alleviate the immediate effects.

> But not last: what the address of the previous sended messages to
> our list? I cant find it! Is it faq-o-matic?

There's precious little in that. I don't suppose people know how to put
things in. There's no obvious maintainer; it's free for all.

The mailing list archives are at:

http://www.openldap.org/lists/openldap-software

Other helpful things are:

ftp://kalamazoolinux.org/pub/pdf/ldapv3.pdf

(Sure Mr. Williams will forgive me for that. Look around, while you're
there. There's more besides)

http://www.openldap.org/doc/
http://www.mandrakesecure.net/en/docs/ldap-auth.php
http://docsrv.caldera.com/NET_ldap/
http://www.skills-1st.co.uk/papers/security-with-ldap-jan-2002/security-with-ldap.html
(A fellow who knows a great deal, and has done a lot)
Red Hat 7.2: file:///usr/share/doc/pam-0.75/html/index.html
http://www.padl.com
http://www.bayour.com/LDAPv3-HOWTO.html (learn Swedish first :-)
http://www.openssl.org/
(This site is in Canada and is *difficult* to reach, for us in Europe)

There are *many* more, but I haven't got the patience ;-)

> end

Look, do the basics first, huh? When that works, we'll get onto SSL.

Best,

Tony

-- 

Tony Earnshaw

[1] "If you do what I tell you, you will gain eternal life."

e-post:		tonni@billy.demon.nl
www:		http://www.billy.demon.nl
gpg public key:	http://www.billy.demon.nl/tonni.armor

Telefoon:	(+31) (0)172 530428
Mobiel:		(+31) (0)6 51153356

GPG Fingerprint = 3924 6BF8 A755 DE1A 4AD6 FA2B F7D7 6051 3BE7 B981
3BE7B981


Attachment: signature.asc
Description: Dette er en digitalt signert meldingsdel