ldapadd not working for me
I am building a new server and want to use OpenLDAP as the core
directory service for a heterogeneous environment which includes
Linux, IRIX, Solaris, and Windows. The server is running Linux
Enterprise version 3 from Redhat. I have the following applications
installed:
openldap-clients-2.0.27-17
openldap-2.0.27-17
openldap-devel-2.0.27-17
openldap-servers-2.0.27-17
cyrus-sasl-plain-2.1.15-10
cyrus-sasl-md5-2.1.15-10
cyrus-sasl-gssapi-2.1.15-10
cyrus-sasl-devel-2.1.15-10
cyrus-sasl-2.1.15-10
To start I dug through my Linux Journals and found these articles:
"LDAP for Security" by Mick Bauer
"Large-Scale Mail with Postfix, OpenLDAP and Courier"
by Dave Dribin & Keith Garner
"OpenLDAP Everywhere" by Craig Swanson & Matt Lung
"Highly Available LDAP" by Cliff White & Jay D. Allen
"Secure Mail with LDAP and IMAP" by Mick Bauer
I started with the Mick Bauer article "LDAP for Security, Part I",
thinking I would be able to easily set up a directory and add initial
entries to it. I tried to combine what was in Mick's article with the
"A Quick-Start Guide" in section 2 of the "OpenLDAP 2.0 Administrator's
Guide". I will outline what I did.
I edited the /etc/openldap/slapd.conf file following what was in Mick's
article "Listing 1". My slapd.conf file looks like this.
# cat slapd.conf
# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.7 2001/09/27 20:00:31 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/redhat/autofs.schema
include /etc/openldap/schema/redhat/kerberosobject.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
#pidfile //var/run/slapd.pid
#argsfile //var/run/slapd.args
# Create a replication log in /var/lib/ldap for use by slurpd.
#replogfile /var/lib/ldap/master-slapd.replog
loglevel 4
# Load dynamic backend modules:
# modulepath /usr/sbin/openldap
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la
#
# The next three lines allow use of TLS for connections using a dummy test
# certificate, but you should generate a proper certificate by changing to
# /usr/share/ssl/certs, running "make slapd.pem", and fixing permissions on
# slapd.pem so that the ldap user or group can read it.
# TLSCertificateFile /usr/share/ssl/certs/slapd.pem
# TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem
# TLSCACertificateFile /usr/share/ssl/certs/ca-bundle.crt
#
# Sample Access Control
# Allow read access of root DSE
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
#
#access to dn="" by * read
#access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default is:
# Allow read by all
#
# rootdn can always write!
#######################################################################
# ldbm database definitions
#######################################################################
database ldbm
suffix "dc=math,dc=vpisu,dc=edu"
rootdn "cn=ldapguy,dc=math,dc=vpisu,dc=edu"
rootpw secret
directory /var/lib/ldap
#
# Indices to maintain
index objectClass,uid,uidNumber,gidNumber,memberUid eq
index cn,mail,surname,givenname eq,subinitial
# Replicas to which we should propagate changes
#replica host=ldap-1.example.com:389 tls=yes
# bindmethod=sasl saslmech=GSSAPI
# authcId=host/ldap-master.example.com@EXAMPLE.COM
I inserted the "loglevel 4" to get information into the SYSLOG.
I also had to update the /etc/syslog.conf file to include a
local4.* entry. I updated the database, suffix, rootdn and rootpw
entries.
I tried a rootdn entry with ldapguy and Manager. The Quick-Start
guide used Manager and Mick's article used ldapguy. I tried it
with a /etc/passwd entry for ldapguy and without.
I tried rootpw with a SSHA password created using slappasswd, with
a CRYPT password created using slappasswd and with "rootpw secret"
as per the Quick-Start guide.
I start slapd by issuing /etc/init.d/ldap start.
When I issue the initial ldapsearch I get this:
# ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
version: 2
#
# filter: (objectclass=*)
# requesting: namingContexts
#
#
dn:
namingContexts: dc=math,dc=vpisu,dc=edu
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
I thought I was on the right track, but...that is as far as I get!
I keep getting stuck with the adding of initial entries to my
directory and would appreciate any help the list may provide.
I created a example.ldif file which looks like this:
dn: dc=math,dc=vpisu,dc=edu
objectclass: dcObject
objectclass: organization
o: ICAM
dc: icam

dn: cn=Manager,dc=math,dc=vpisu,dc=edu
objectclass: organizationalRole
cn: Manager
When I try to do the ldapadd I get errors:
# ldapadd -x -D "cn=Manager,dc=math,dc=vpisu,dc=edu" -W -f example.ldif
Enter LDAP Password:
ldap_bind: Invalid credentials
# ldapadd -D "cn=Manager,dc=math,dc=vpisu,dc=edu" -W -f example.ldif
Enter LDAP Password:
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error
I am stumped! I have been searching the web and cannot find anything
to get me past this. If you know of a web location that can help,
could you point me in the right direction?
Thanks!
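Added example, not part of the original post or of OpenLDAP itself: a pre-flight script that checks the things a simple bind (`ldapadd -x -D ... -W`) depends on, against the slapd.conf and LDIF values from the post, which are embedded below as constructed strings. With `-x` the client sends the DN and password from `-D`/`-W`; the bind succeeds only when that DN is the configured `rootdn` (or an existing entry with a matching `userPassword`) and the password matches `rootpw`, whether cleartext or a `{SSHA}`/`{SHA}` hash from `slappasswd`. Without `-x` the client attempts a SASL bind instead (GSSAPI here), so the "Local error" is reported before any DN or password is compared. The script also checks that the first LDIF entry's `dc` value matches the suffix RDN. The `check_password` routine assumes the standard `{SSHA}` layout, base64 of `sha1(password + salt) + salt`; function names are this example's own.

```python
"""Pre-flight checks for a rootdn simple bind and an initial LDIF.

Added example: parses the database-level slapd.conf directives and the
LDIF from the post (embedded here as constructed strings) and reports what
would make ldapadd -x fail with "Invalid credentials" or reject the base entry.
"""
import base64
import hashlib
import os
import re

# Constructed from the post's slapd.conf (database section only).
SLAPD_CONF = """\
database ldbm
suffix "dc=math,dc=vpisu,dc=edu"
rootdn "cn=ldapguy,dc=math,dc=vpisu,dc=edu"
rootpw secret
directory /var/lib/ldap
"""

# Constructed from the post's example.ldif.
EXAMPLE_LDIF = """\
dn: dc=math,dc=vpisu,dc=edu
objectclass: dcObject
objectclass: organization
o: ICAM
dc: icam

dn: cn=Manager,dc=math,dc=vpisu,dc=edu
objectclass: organizationalRole
cn: Manager
"""


def parse_slapd_conf(text):
    """Return {directive: value} for non-comment 'directive value' lines."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            conf[parts[0].lower()] = parts[1].strip().strip('"')
    return conf


def normalize_dn(dn):
    """Lower-case and strip whitespace around '=' and ',' so DNs compare equal."""
    return ",".join(re.sub(r"\s*=\s*", "=", p.strip()).lower() for p in dn.split(","))


def ssha_hash(password, salt=None):
    """Build an {SSHA} value the way slappasswd -h {SSHA} does (assumed layout)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def check_password(rootpw, password):
    """Verify a typed password against rootpw: {SSHA}, {SHA} or cleartext."""
    if rootpw.startswith("{SSHA}"):
        raw = base64.b64decode(rootpw[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]
        return hashlib.sha1(password.encode() + salt).digest() == digest
    if rootpw.startswith("{SHA}"):
        return base64.b64decode(rootpw[len("{SHA}"):]) == hashlib.sha1(password.encode()).digest()
    return rootpw == password  # no scheme: slapd compares cleartext


def parse_ldif(text):
    """Split LDIF into entries (blank-line separated) of {attr: [values]}."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries


def preflight(conf_text, ldif_text, bind_dn, password):
    """Return a list of problems; an empty list means the bind and base entry look sane."""
    conf = parse_slapd_conf(conf_text)
    problems = []
    if normalize_dn(bind_dn) != normalize_dn(conf["rootdn"]):
        problems.append(f"bind DN {bind_dn} is not the rootdn {conf['rootdn']}")
    if not check_password(conf["rootpw"], password):
        problems.append("typed password does not match rootpw")
    if not conf["rootpw"].startswith("{"):
        problems.append("rootpw is cleartext; generate it with slappasswd -h {SSHA}")
    base = parse_ldif(ldif_text)[0]
    if normalize_dn(base["dn"][0]) != normalize_dn(conf["suffix"]):
        problems.append("first LDIF entry is not the suffix entry")
    attr, _, value = normalize_dn(conf["suffix"]).split(",")[0].partition("=")
    if value not in [v.lower() for v in base.get(attr, [])]:
        problems.append(f"suffix RDN is {attr}={value} but entry has {attr}: {base.get(attr)}")
    return problems


if __name__ == "__main__":
    for p in preflight(SLAPD_CONF, EXAMPLE_LDIF,
                       "cn=Manager,dc=math,dc=vpisu,dc=edu", "secret"):
        print("problem:", p)
```

Run against the posted values this flags the bind DN (`cn=Manager` vs. the configured `cn=ldapguy`), the cleartext `rootpw`, and the `dc: icam` value under `dn: dc=math,...`; with the rootdn as the bind DN, an `{SSHA}` rootpw, and `dc: math` in the base entry it reports nothing.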