[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: help troubleshooting
- To: scar <scar@drigon.com>, openldap-technical@openldap.org
- Subject: Re: help troubleshooting
- From: Quanah Gibson-Mount <quanah@symas.com>
- Date: Thu, 09 Feb 2017 14:19:00 -0800
- Content-disposition: inline
- In-reply-to: <WM!6a80adc47c162241378345b35547c6c9167105097ae7b3088272d76f2efa40122ce4bd3734a85c402b751a7a9ca294df!@mailstronghold-2.zmailcloud.com>
- References: <0d0720fd-8678-7d16-2f16-330a1ac68502@drigon.com> <WM!fb0eded44b9345d638603402e962432a04e8d62377cd944bb11af50e38a73c54005b1691557392e9793eff9a8f8cfccb!@mailstronghold-1.zmailcloud.com> <C65D358754E6DEA99CA58F20@[192.168.1.30]> <d468e64c-d219-5a30-f810-32484074389c@drigon.com> <WM!6a80adc47c162241378345b35547c6c9167105097ae7b3088272d76f2efa40122ce4bd3734a85c402b751a7a9ca294df!@mailstronghold-2.zmailcloud.com>
--On Tuesday, February 07, 2017 5:01 PM -0700 scar <scar@drigon.com> wrote:
Well it's kind of a mess here and my lack of experience with LDAP isn't
helping much. There is no slapd-config program although there is a
manual page entry for it. "yum whatprovides */slapd-config" returns no
packages.
slapd-config is not a program. It's a database format. Please read the man
page for slapd-config(5).
I was able to enable users to change their passwords by directly
modifying /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{1\}bdb.ldif and
adding these lines to the bottom:
As noted at the top of those files, you should never, ever, manually modify
them by hand. You should be using the correct ldap client operations. You
can do this via ldapadd, ldapmod, etc.
I know that's not proper but i needed users to be able to change their
password. Thanks for the info about ACLs. the "next to last ACL"
mentioned is for the "database monitor" (see slapd.conf below) and i'm
not sure why "by * read" should be granted that access, perhaps you can
shed some light on why that exists in our config? maybe i don't need
ACLs for that so only rootdn has access?
That would be a separate block of ACLs that only applies to the monitor
backend. There is no requirement that by * read have access to the
monitoring backend. Who/what should have access to it depends on your
requirements.
We have a new LDAP server that I am setting up, so I'd like to focus on
moving the database and getting the new server into production, and we
can iron out the wrinkles in this mess at the same time. My
understanding is that I can use slapcat/slapadd to do the export/import...
I used "slapcat > /tmp/ldif" on current server, then moved ldif and
updated [slapd.conf] (see below) file to the new server, then ran
"slapadd -l /tmp/ldif -l /etc/openldap/slapd.conf -F
/etc/openldap/slapd.d/" but i get an error when trying to start slapd:
"ls: cannot access /etc/openldap/slapd.d//cn=config/olcDatabase*.ldif: No
such file or directory" so how am i supposed to get the slapd.d/* files?
If I am to just copy those over from the current server then I'd like to
figure out why I had to modify the ldif file directly...
Your first slapcat exports the binary database, it has zero to do with the
slapd-config database. Please read the manpage for slapcat on the proper
way to export your slapd-config database. You don't use slapd.conf, you
should stop doing anything with it, as it is immaterial. You will need to
export/import your slapd-config database prior to importing your binary
database.
The current LDAP server is running RHEL 6.8 with kernel
2.6.32-642.11.1.el6.x86_64. The new LDAP server is running CentOS 6.8
with kernel 2.6.32-642.13.1.el6.x86_64. The nss/pam configuration for
one of our clients is this (i hope this is what Michael Wandel meant):
The RHEL build of OpenLDAP is known to be problematic, outdated, and it
links to the insecure MozNSS libraries. I personally would recommend
against using it. If you want to use a 3rd party OpenLDAP build, such as
RedHat's, you may find the LTB project build a better bet. If you require
support for your LDAP deployment, Symas offers supported builds for RHEL.
Regards,
Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>