Re: ldapadd not working for me
2.0 is quite historic. I suggest you start with at least the most
recent "stable" release. I also suggest you start with the
Quick Start Guide example (instead of some combined thing).
Kurt
At 07:20 AM 3/18/2005, Steve Greenfield wrote:
>I am building a new server and want to use OpenLDAP as the core
>directory service for a heterogeneous environment which includes
>Linux, IRIX, Solaris, and Windows. The server is running Linux
>Enterprise version 3 from Redhat. I have the following applications
>installed:
>
> openldap-clients-2.0.27-17
> openldap-2.0.27-17
> openldap-devel-2.0.27-17
> openldap-servers-2.0.27-17
>
> cyrus-sasl-plain-2.1.15-10
> cyrus-sasl-md5-2.1.15-10
> cyrus-sasl-gssapi-2.1.15-10
> cyrus-sasl-devel-2.1.15-10
> cyrus-sasl-2.1.15-10
>
>To start I dug through my Linux Journals and found these articles:
>
> "LDAP for Security" by Mick Bauer
>
> "Large-Scale Mail with Postfix, OpenLDAP and Courier"
> by Dave Dribin & Keith Garner
>
> "OpenLDAP Everywhere" by Craig Swanson & Matt Lung
>
> "Highly Available LDAP" by Cliff White & Jay D. Allen
>
> "Secure Mail with LDAP and IMAP" by Mick Bauer
>
>I started with the Mick Bauer article "LDAP for Security, Part I",
>thinking I would be able to easily set up a directory and add initial
>entries to it. I tried to combine what was in Mick's article with the
>"A Quick-Start Guide" in section 2 of the "OpenLDAP 2.0 Administrator's
>Guide". I will outline what I did.
>
>I edited the /etc/openldap/slapd.conf file following what was in Mick's
>article "Listing 1". My slapd.conf file looks like this.
>
># cat slapd.conf
># $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.7 2001/09/27 20:00:31 kurt Exp $
>#
># See slapd.conf(5) for details on configuration options.
># This file should NOT be world readable.
>#
>include /etc/openldap/schema/core.schema
>include /etc/openldap/schema/cosine.schema
>include /etc/openldap/schema/inetorgperson.schema
>include /etc/openldap/schema/nis.schema
>include /etc/openldap/schema/redhat/autofs.schema
>include /etc/openldap/schema/redhat/kerberosobject.schema
>
># Define global ACLs to disable default read access.
>
># Do not enable referrals until AFTER you have a working directory
># service AND an understanding of referrals.
>#referral ldap://root.openldap.org
>
>#pidfile //var/run/slapd.pid
>#argsfile //var/run/slapd.args
>
># Create a replication log in /var/lib/ldap for use by slurpd.
>#replogfile /var/lib/ldap/master-slapd.replog
>
>loglevel 4
>
># Load dynamic backend modules:
># modulepath /usr/sbin/openldap
># moduleload back_ldap.la
># moduleload back_ldbm.la
># moduleload back_passwd.la
># moduleload back_shell.la
>
>#
># The next three lines allow use of TLS for connections using a dummy test
># certificate, but you should generate a proper certificate by changing to
># /usr/share/ssl/certs, running "make slapd.pem", and fixing permissions on
># slapd.pem so that the ldap user or group can read it.
># TLSCertificateFile /usr/share/ssl/certs/slapd.pem
># TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem
># TLSCACertificateFile /usr/share/ssl/certs/ca-bundle.crt
>#
># Sample Access Control
># Allow read access of root DSE
># Allow self write access
># Allow authenticated users read access
># Allow anonymous users to authenticate
>#
>#access to dn="" by * read
>#access to *
># by self write
># by users read
># by anonymous auth
>#
># if no access controls are present, the default is:
># Allow read by all
>#
># rootdn can always write!
>
>#######################################################################
># ldbm database definitions
>#######################################################################
>
>database ldbm
>suffix "dc=math,dc=vpisu,dc=edu"
>rootdn "cn=ldapguy,dc=math,dc=vpisu,dc=edu"
>rootpw secret
>directory /var/lib/ldap
>#
># Indices to maintain
>index objectClass,uid,uidNumber,gidNumber,memberUid eq
>index cn,mail,surname,givenname eq,subinitial
># Replicas to which we should propagate changes
>#replica host=ldap-1.example.com:389 tls=yes
># bindmethod=sasl saslmech=GSSAPI
># authcId=host/ldap-master.example.com@EXAMPLE.COM
>
>I inserted the "loglevel 4" to get information into the SYSLOG.
>I also had to update the /etc/syslog.conf file to include a
>local4.* entry. I updated the database, suffix, rootdn and rootpw
>entries.
>
>I tried a rootdn entry with ldapguy and Manager. The Quick-Start
>guide used Manager and Mick's article used ldapguy. I tried it
>with a /etc/passwd entry for ldapguy and without.
>
>I tried rootpw with an SSHA password created using slappasswd, with
>a CRYPT password created using slappasswd, and with "rootpw secret"
>as per the Quick-Start guide.
>
>I start slapd by issuing /etc/init.d/lapd/start.
>
>When I issue the initial ldapsearch I get this:
>
># ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
>version: 2
>
>#
># filter: (objectclass=*)
># requesting: namingContexts
>#
>
>#
>dn:
>namingContexts: dc=math,dc=vpisu,dc=edu
>
># search result
>search: 2
>result: 0 Success
>
># numResponses: 2
># numEntries: 1
>
>I thought I was on the right track, but...that is as far as I get!
>
>I keep getting stuck with the adding of initial entries to my
>directory and would appreciate any help the list may provide.
>
>I created a example.ldif file which looks like this:
>
>dn: dc=math,dc=vpisu,dc=edu
>objectclass: dcObject
>objectclass: organization
>o: ICAM
>dc: icam
>
>dn: cn=Manager,dc=math,dc=vpisu,dc=edu
>objectclass: organizationalRole
>cn: Manager
>
>When I try and do the ldapadd I get errors:
>
># ldapadd -x -D "cn=Manager,dc=math,dc=vpisu,dc=edu" -W -f example.ldif
>Enter LDAP Password:
>ldap_bind: Invalid credentials
>
>
># ldapadd -D "cn=Manager,dc=math,dc=vpisu,dc=edu" -W -f example.ldif
>Enter LDAP Password:
>SASL/GSSAPI authentication started
>ldap_sasl_interactive_bind_s: Local error
>
>I am stumped! I have been searching the web and cannot find anything
>to get me past this. If you know of a web location that can help,
>could you point me in the right direction?
>
>Thanks!
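[Editor's note, added to this archive page; the script below is an example written for the page and is not code from either message or from the OpenLDAP project.] The quoted post shows three things that can be checked offline before slapd is ever started: the DN handed to "ldapadd -D" must be the configured rootdn until the directory actually contains an entry that can bind (the post binds as cn=Manager while slapd.conf says cn=ldapguy); the attribute named in an entry's RDN must carry the RDN value (the suffix entry is dc=math but the LDIF says "dc: icam", which slapd rejects as a naming violation); and rootpw should be a {SSHA} hash from slappasswd rather than the cleartext "secret". The following pre-flight checker parses a slapd.conf fragment and an LDIF file with a small parser of its own (not ldap3 or python-ldap), reports those mismatches, and produces and verifies an OpenLDAP-compatible {SSHA} value. The embedded slapd.conf and LDIF samples are constructed from the shapes shown in the post; the paths, DNs and password are the post's own test values, not real ones.

```python
# Added example for this archive page, not code from the post or from OpenLDAP.
# Pre-flight checks for slapd.conf + LDIF + the ldapadd bind DN, plus an
# OpenLDAP-compatible {SSHA} hash helper. Sample input below is constructed.
import base64
import hashlib
import hmac
import os
import shlex

SLAPD_CONF = """\
# This file should NOT be world readable.
include /etc/openldap/schema/core.schema
loglevel 4
database ldbm
suffix "dc=math,dc=vpisu,dc=edu"
rootdn "cn=ldapguy,dc=math,dc=vpisu,dc=edu"
rootpw secret
directory /var/lib/ldap
"""

EXAMPLE_LDIF = """\
dn: dc=math,dc=vpisu,dc=edu
objectclass: dcObject
objectclass: organization
o: ICAM
dc: icam

dn: cn=Manager,dc=math,dc=vpisu,dc=edu
objectclass: organizationalRole
cn: Manager
"""


def normalize_dn(dn):
    """Case-fold and strip each RDN so DNs differing only in case/spacing compare equal."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_slapd_conf(text):
    """Collect 'directive value' pairs; shlex honours the quotes around suffix/rootdn."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            parts = shlex.split(line)
            if len(parts) >= 2:
                cfg[parts[0].lower()] = parts[1]
    return cfg


def parse_ldif(text):
    """Minimal LDIF reader -> [(dn, {attr: [values]})]; handles folded lines and '::' base64."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # folded continuation line
        else:
            lines.append(raw)
    entries, dn, attrs = [], None, {}
    for line in lines + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            if value.startswith(":"):     # 'attr:: base64value'
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
    return entries


def rdn(dn):
    """Leftmost RDN as (attr, value): 'dc=math,dc=vpisu,dc=edu' -> ('dc', 'math')."""
    attr, _, value = dn.split(",", 1)[0].partition("=")
    return attr.strip().lower(), value.strip()


def preflight(cfg, entries, bind_dn):
    """Return the problems slapd would report at bind or add time for this config + LDIF."""
    problems = []
    if normalize_dn(bind_dn) != normalize_dn(cfg.get("rootdn", "")):
        problems.append("bind DN %s is not rootdn %s: with an empty directory only rootdn "
                        "can bind, anything else gets Invalid credentials" % (bind_dn, cfg.get("rootdn")))
    if not cfg.get("rootpw", "").startswith("{"):
        problems.append("rootpw is cleartext; paste the output of slappasswd -h {SSHA} instead")
    if entries and normalize_dn(entries[0][0]) != normalize_dn(cfg.get("suffix", "")):
        problems.append("first entry %s is not the suffix %s" % (entries[0][0], cfg.get("suffix")))
    for dn, attrs in entries:
        attr, value = rdn(dn)
        if value.lower() not in [v.lower() for v in attrs.get(attr, [])]:
            problems.append("entry %s: attribute %s must carry the RDN value %r or slapd "
                            "returns a naming violation" % (dn, attr, value))
    return problems


def ssha_hash(password, salt=None):
    """OpenLDAP {SSHA} format as slappasswd emits it: base64(SHA1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored, password):
    """Check a password against a {SSHA} value the way slapd does for rootpw/userPassword."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode("utf-8") + salt).digest(), digest)


if __name__ == "__main__":
    cfg, entries = parse_slapd_conf(SLAPD_CONF), parse_ldif(EXAMPLE_LDIF)
    for problem in preflight(cfg, entries, "cn=Manager,dc=math,dc=vpisu,dc=edu"):
        print("PROBLEM:", problem)
    print("rootpw", ssha_hash("secret"))   # hashed line to paste into slapd.conf
```

Run it as-is and it prints the three problems for the configuration as posted; change rootdn to cn=Manager (or bind as cn=ldapguy), change the LDIF to "dc: math", and replace the rootpw line with the printed hash, and the check comes back clean. The parser is deliberately small and only understands the directives this check needs; it is not a substitute for slaptest(8).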