harlow
asked on
LDAP server setup and operation
I am an absolute, total, ignorant newbie when it comes to LDAP, but I'd like to set up a server for my address books. I am running RH 7.1, and openldap is installed. I went to openldap.org and tried to follow the "easy" instructions to set up a simple-minded, proof-that-it-is-working database. Unfortunately, I can't get past square one. When I follow their instructions to run ldapadd and create a simple database, I get what appears to be an authentication error:
#
ldapadd -x -D "cn=Manager,dc=localhost,dc=localdomain" -W -f /home/harlow/tmp/test.ldif
Enter LDAP Password: <here I entered the password "secret">
ldap_bind: Invalid credentials
#
Here is my slapd.conf file, which is just a bare-bones edit of the default:
# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.4 2000/08/26 17:06:18 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/redhat/rfc822-MailMember.schema
include /etc/openldap/schema/redhat/autofs.schema
include /etc/openldap/schema/redhat/kerberosobject.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
#pidfile /var/run/slapd.pid
#argsfile /var/run/slapd.args
# Load dynamic backend modules:
# modulepath /usr/sbin/openldap
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la
# To allow TLS-enabled connections, create /usr/share/ssl/certs/slapd.pem
# and uncomment the following lines.
# TLSCertificateFile /usr/share/ssl/certs/slapd.pem
# TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem
#######################################################################
# ldbm database definitions
#######################################################################
database ldbm
suffix "dc=localhost, dc=localdomain"
#suffix "o=My Organization Name, c=US"
rootdn "cn=Manager, dc=localhost, dc=localdomain"
#rootdn "cn=Manager, o=My Organization Name, c=US"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw secret
# rootpw {crypt}ijFYNcSNctBYg
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd/tools. Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain
#index objectClass eq
index objectClass,uid,uidNumber,gidNumber eq
index cn,mail,surname,givenname eq,subinitial
As I understand the setup here, it creates a default superuser account called Manager, with a cleartext password "secret". However, as you can see above, it doesn't recognize this.
None of the FAQs seem to provide any insight on troubleshooting, and they are all written for those who already understand. Any help would be much appreciated.
JEH
I'm off from my openldap-on-linux-box, so can only give unproven hints, sorry.
AFAIK, openldap assigns a default passwd to rootdn if not specified elsewhere. Probably it's best to remove the installation and install it again (or read the docs).
BTW, can you perform an ldapsearch, a) an anonymous search without specifying a db, b) a search as the specified dn?
ASKER
I reinstalled openldap and things seem to work better. I read all the HOWTOs and FAQs, but man, this stuff is opaque! I am very accustomed to Linux/Unix documentation challenges, but this is the worst ever. The examples in some of the openldap docs conflict with each other and many of them seem to have been written for earlier versions of the clients, with syntax that is no longer valid. If I ever figure all this out, I may try to write a new HOWTO myself!
Thanks
JEH
> I may try to write a new HOWTO myself!
Great, the whole (LDAP)world (me too:) is waiting for a usable doc.
LDAP (even Netscape's NDS) is poorly documented, it simply works if setup properly :-|
I have the same configuration and I un-commented the rootpw entry; I am having the same error: ldap_bind: Invalid credentials
should work after restart
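An added example, not from this thread or from OpenLDAP itself, for the two points raised above (the rootdn bind failing and the rootpw line being commented out): it reports whether the active rootpw directive in a slapd.conf is missing, cleartext or hashed, and rewrites a missing or cleartext rootpw into the {SSHA} form that slappasswd produces. The slapd.conf fragment is constructed to mirror the asker's file.

```python
import base64
import hashlib
import hmac
import os
import re

# Constructed slapd.conf fragment mirroring the asker's file: rootpw is commented out,
# so a simple bind as the rootdn has no password to match and fails.
SAMPLE_CONF = """\
database ldbm
suffix "dc=localhost, dc=localdomain"
rootdn "cn=Manager, dc=localhost, dc=localdomain"
# rootpw secret
# rootpw {crypt}ijFYNcSNctBYg
directory /var/lib/ldap
"""

def rootpw_state(conf_text):
    """Return 'missing', 'cleartext' or 'hashed' for the active rootpw directive."""
    for line in conf_text.splitlines():
        m = re.match(r"\s*rootpw\s+(\S+)", line)  # a '#' prefix never matches
        if m:
            return "hashed" if m.group(1).startswith("{") else "cleartext"
    return "missing"  # rootdn bind -> ldap_bind: Invalid credentials

def ssha_hash(password, salt=None):
    """Hash in the {SSHA} form slappasswd -h {SSHA} emits: b64(sha1(pw+salt)+salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def ssha_verify(password, stored):
    """Check a bind password against a stored {SSHA} value, as slapd does."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)

def fix_rootpw(conf_text, password):
    """Drop every rootpw line (commented or cleartext) and set a hashed one after rootdn."""
    out = []
    for line in conf_text.splitlines():
        if re.match(r"\s*#?\s*rootpw\b", line):
            continue
        out.append(line)
        if re.match(r"\s*rootdn\b", line):
            out.append("rootpw " + ssha_hash(password))
    return "\n".join(out) + "\n"
```

Restart slapd after editing the file, then confirm with the two ldapsearch checks suggested above (anonymous, and bound as the rootdn).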