
ldapadd not working for me
I am building a new server and want to use OpenLDAP as the core
directory service for a heterogeneous environment which includes
Linux, IRIX, Solaris, and Windows.  The server is running Linux
Enterprise version 3 from Redhat.  I have the following applications
installed:

	openldap-clients-2.0.27-17
	openldap-2.0.27-17
	openldap-devel-2.0.27-17
	openldap-servers-2.0.27-17

	cyrus-sasl-plain-2.1.15-10
	cyrus-sasl-md5-2.1.15-10
	cyrus-sasl-gssapi-2.1.15-10
	cyrus-sasl-devel-2.1.15-10
	cyrus-sasl-2.1.15-10

To start I dug through my Linux Journals and found these articles:

	"LDAP for Security" by Mick Bauer

	"Large-Scale Mail with Postfix, OpenLDAP and Courier"
		by Dave Dribin & Keith Garner

	"OpenLDAP Everywhere" by Craig Swanson & Matt Lung

	"Highly Available LDAP" by Cliff White & Jay D. Allen

	"Secure Mail with LDAP and IMAP" by Mick Bauer

I started with the Mick Bauer article "LDAP for Security, Part I",
thinking I would be able to easily set up a directory and add initial
entries to it.  I tried to combine what was in Mick's article with the
"A Quick-Start Guide" in section 2 of the "OpenLDAP 2.0 Administrator's
Guide".  I will outline what I did.

I edited the /etc/openldap/slapd.conf file following what was in Mick's
article "Listing 1".  My slapd.conf file looks like this:

# cat slapd.conf
# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.7 2001/09/27 20:00:31 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/redhat/autofs.schema
include         /etc/openldap/schema/redhat/kerberosobject.schema
  
# Define global ACLs to disable default read access.
  
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org
  
#pidfile        //var/run/slapd.pid
#argsfile       //var/run/slapd.args
  
# Create a replication log in /var/lib/ldap for use by slurpd.
#replogfile     /var/lib/ldap/master-slapd.replog
 
loglevel        4
  
# Load dynamic backend modules:
# modulepath    /usr/sbin/openldap
# moduleload    back_ldap.la
# moduleload    back_ldbm.la
# moduleload    back_passwd.la
# moduleload    back_shell.la
  
#
# The next three lines allow use of TLS for connections using a dummy test
# certificate, but you should generate a proper certificate by changing to
# /usr/share/ssl/certs, running "make slapd.pem", and fixing permissions on
# slapd.pem so that the ldap user or group can read it.
# TLSCertificateFile /usr/share/ssl/certs/slapd.pem
# TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem
# TLSCACertificateFile /usr/share/ssl/certs/ca-bundle.crt
#
# Sample Access Control
#       Allow read access of root DSE
#       Allow self write access
#       Allow authenticated users read access
#       Allow anonymous users to authenticate
#
#access to dn="" by * read
#access to *
#       by self write
#       by users read
#       by anonymous auth
#
# if no access controls are present, the default is:
#       Allow read by all
#
# rootdn can always write!
  
#######################################################################
# ldbm database definitions
#######################################################################
  
database        ldbm
suffix          "dc=math,dc=vpisu,dc=edu"
rootdn          "cn=ldapguy,dc=math,dc=vpisu,dc=edu"
rootpw          secret
directory       /var/lib/ldap
#
# Indices to maintain
index   objectClass,uid,uidNumber,gidNumber,memberUid   eq
index   cn,mail,surname,givenname                       eq,subinitial
# Replicas to which we should propagate changes
#replica host=ldap-1.example.com:389 tls=yes
#       bindmethod=sasl saslmech=GSSAPI
#       authcId=host/ldap-master.example.com@EXAMPLE.COM
I inserted the "loglevel 4" to get information into the SYSLOG.
I also had to update the /etc/syslog.conf file to include a
local4.* entry.  I updated the database, suffix, rootdn and rootpw
entries.

I tried a rootdn entry with ldapguy and Manager.  The Quick-Start
guide used Manager and Mick's article used ldapguy.  I tried it
with a /etc/passwd entry for ldapguy and without.

I tried rootpw with a SSHA password created using slappasswd, with
a CRYPT password created using slappasswd and with "rootpw secret"
as per the Quick-Start guide.

I start slapd by issuing /etc/init.d/ldap start.

When I issue the initial ldapsearch I get this:

# ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
version: 2
 
#
# filter: (objectclass=*)
# requesting: namingContexts
#
 
#
dn:
namingContexts: dc=math,dc=vpisu,dc=edu
 
# search result
search: 2
result: 0 Success
 
# numResponses: 2
# numEntries: 1
I thought I was on the right track, but...that is as far as I get!

I keep getting stuck with the adding of initial entries to my
directory and would appreciate any help the list may provide.

I created an example.ldif file which looks like this:

dn: dc=math,dc=vpisu,dc=edu
objectclass: dcObject
objectclass: organization
o: ICAM
dc: icam
 
dn: cn=Manager,dc=math,dc=vpisu,dc=edu
objectclass: organizationalRole
cn: Manager

When I try to do the ldapadd, I get errors:

# ldapadd -x -D "cn=Manager,dc=math,dc=vpisu,dc=edu" -W -f example.ldif
Enter LDAP Password:
ldap_bind: Invalid credentials


# ldapadd -D "cn=Manager,dc=math,dc=vpisu,dc=edu" -W -f example.ldif
Enter LDAP Password:
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error

I am stumped!  I have been searching the web and cannot find anything
to get me past this.  If you know of a web location that can help,
could you point me in the right direction?

Thanks!
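A checker for the kind of setup described in this post, added here as an editor's example (it is not an OpenLDAP tool and not code from the poster). It parses the database section of a slapd.conf and a simple LDIF, then reports the mismatches that make a first ldapadd fail with "Invalid credentials" or a naming violation: a bind DN that differs from the configured rootdn, a base entry whose DN is not the suffix, a dc attribute that does not match the suffix's first RDN, a child entry without a parent, and a rootpw kept in clear text. The SAMPLE_CONF and SAMPLE_LDIF strings are constructed from the values shown above; the ssha_hash/ssha_verify helpers reproduce the {SSHA} format that slappasswd emits so that a hashed rootpw can be checked offline.

```python
"""Sanity checks for an OpenLDAP 2.x slapd.conf + LDIF + ldapadd setup (added example)."""
import base64
import hashlib
import hmac
import os
import re

# Constructed sample: the database section of the slapd.conf shown in the post.
SAMPLE_CONF = """\
database        ldbm
suffix          "dc=math,dc=vpisu,dc=edu"
rootdn          "cn=ldapguy,dc=math,dc=vpisu,dc=edu"
rootpw          secret
directory       /var/lib/ldap
"""

# Constructed sample: the example.ldif from the post.
SAMPLE_LDIF = """\
dn: dc=math,dc=vpisu,dc=edu
objectclass: dcObject
objectclass: organization
o: ICAM
dc: icam

dn: cn=Manager,dc=math,dc=vpisu,dc=edu
objectclass: organizationalRole
cn: Manager
"""


def normalize_dn(dn):
    """Lower-case and strip whitespace around RDN separators so DNs compare equal."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_slapd_conf(text):
    """Return a keyword -> value map for a slapd.conf, ignoring comments and blank lines."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        conf[parts[0].lower()] = parts[1].strip('"') if len(parts) > 1 else ""
    return conf


def parse_ldif(text):
    """Parse a simple LDIF (plain values only) into a list of (dn, {attr: [values]})."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, dn, attrs = [], None, {}
    for line in lines + [""]:                  # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return entries


def check_setup(conf, entries, bind_dn):
    """Return human-readable findings for mismatches that make the first ldapadd fail."""
    findings = []
    suffix = normalize_dn(conf.get("suffix", ""))
    rootdn = normalize_dn(conf.get("rootdn", ""))
    if normalize_dn(bind_dn) != rootdn:
        findings.append("bind DN %s is not the configured rootdn %s; on an empty directory "
                        "only the rootdn can bind, so simple bind fails" % (bind_dn, conf.get("rootdn")))
    if entries and normalize_dn(entries[0][0]) != suffix:
        findings.append("first LDIF entry %s is not the suffix %s" % (entries[0][0], conf.get("suffix")))
    if entries:
        # The value of the naming attribute in the RDN must appear in the entry itself.
        rdn_attr, rdn_value = suffix.split(",")[0].split("=", 1)
        values = [v.lower() for v in entries[0][1].get(rdn_attr, [])]
        if rdn_value not in values:
            findings.append("base entry has %s=%s but the suffix RDN is %s=%s (naming violation)"
                            % (rdn_attr, ",".join(values) or "<none>", rdn_attr, rdn_value))
    known = {suffix}
    for dn, _ in entries:
        dn_n = normalize_dn(dn)
        parent = dn_n.partition(",")[2]
        if dn_n != suffix and parent not in known:
            findings.append("entry %s has no parent in the LDIF or suffix (no such object)" % dn)
        known.add(dn_n)
    if conf.get("rootpw") and not conf["rootpw"].startswith("{"):
        findings.append("rootpw is stored in clear text; use a slappasswd hash such as {SSHA}")
    return findings


def ssha_hash(password, salt=None):
    """Produce an {SSHA} value in the form 'slappasswd -h {SSHA}' emits: b64(sha1(pw+salt)+salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(stored, password):
    """Constant-time check of a candidate password against an {SSHA} rootpw value."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)


if __name__ == "__main__":
    conf = parse_slapd_conf(SAMPLE_CONF)
    for finding in check_setup(conf, parse_ldif(SAMPLE_LDIF), "cn=Manager,dc=math,dc=vpisu,dc=edu"):
        print("-", finding)
```

Run against the post's own values the checker reports three findings (bind DN vs rootdn, dc=icam vs dc=math, clear-text rootpw); with a bind as the rootdn, `dc: math` in the base entry and an {SSHA} rootpw it reports none. The -W prompt answer is then verified with ssha_verify rather than by reading the secret out of slapd.conf.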