Solved

OpenLDAP as SAMBA 3 backend + email address server: can't bind

Posted on 2004-10-21
Last Modified: 2013-12-06
I am running Fedora Core 2 and I have been trying unsuccessfully for the last several weeks to configure OpenLDAP (slapd) to run properly (or at all, for that matter). My intention is to get OpenLDAP running as a backend for user authentication because I want to be able to run Samba 3 as a PDC for the domain I am building, and I would like to be able to replicate and have other systems running as BDCs for redundancy. As an intermediate (beginning) step I just want to have OpenLDAP working as an email address book. I have been through various step-by-step howtos, most notably the one on the Yolinux website and in the Fedora Core 2 "Bible" book. I thought I was close, but when I attempt to connect for a simple test query I get a "can't bind to ldap server" error. I have done various searches and can't seem to figure out what is not configured correctly. I even went back and used the sample ldif files and example settings verbatim off the Yolinux site. Two questions: Is there another, better howto resource for OpenLDAP (book or web)? Secondly, what is this "can't bind to ldap server" message indicating, i.e. what is wrong in the config? (Just an aside: is it just me, or is OpenLDAP a pain to get working?)
Question by: mmisero
7 Comments
 
LVL 6

Expert Comment

by: de2Zotjes
ID: 12387561
OpenLDAP is not for the faint of heart. That being said, it is not too difficult a beast to make work.

Your "can't bind" error indicates a problem with access rights to the information in the LDAP. It is very likely that something is wrong with that ACL structure.

Without some more insight into your setup there is no way to solve the problem. Can you post your slapd.conf?
 
LVL 1

Author Comment

by: mmisero
ID: 12406715
Like I mentioned in the original question, I was using the yolinux.com example and the ldif file they had, to at least see if I could get it working. I have tried to play with the settings more and am still getting an error. I even downloaded the latest OpenLDAP source and compiled it. When I ran make test it came up with the same bind error. This leads me to believe it might be something else in the config that is off.

Any insights or suggestions would be well appreciated.

Anyway here is the slapd.conf from /etc/openldap:

suffix          "o=stooges"
rootdn          "cn=StoogeAdmin,o=stooges"
rootpw          secret1
directory       /var/lib/ldap/stooges
defaultaccess   read
schemacheck     on
lastmod         on
# allow         *
# Indices to maintain
#index  objectClass                             eq
#index  objectClass,uid,uidNumber,gidNumber     eq
#index  cn,mail,surname,givenname               eq,subinitial
index   cn,sn,st                                pres,eq,sub

database        ldbm
suffix          "o=delta"
suffix          "dc=ldap,dc=delta,dc=org"
rootdn          "cn=DeanWormer,o=delta"
rootpw          secret2
directory       /var/lib/ldap/fraternity
defaultaccess   read
schemacheck     on
lastmod         on

 
LVL 6

Expert Comment

by: de2Zotjes
ID: 12414446
This looks slightly off to me; the first bit should have a database entry to start off with, I think. But we will try with the second set of data. Could you take out the second suffix line from that bit (the line suffix "dc=ldap,dc=delta,dc=org")? After this, restart the ldap server.

First, check to see whether the dbase directory exists and contains data files:

ls -al /var/lib/ldap/fraternity

Next, check if the servers are listening:

netstat --ip -a|grep LISTEN|grep ldap
This should give you 1 or 2 lines (ldap and possibly ldaps).

If ldap is listening, let's try to connect:
ldapsearch -x -h localhost -b "o=delta" '(objectclass=*)'
This should return at least one entry (cn=DeanWormer,o=delta).

Let me know what you get from these commands.
 
LVL 1

Author Comment

by: mmisero
ID: 12453048
OK, here are the results:

....Could you take out the second suffix line from that bit (the line suffix "dc=ldap,dc=delta,dc=org"). After this restart the ldap server....

Done - no protests from slapd

....First, check to see whether the dbase directory exists and contains data files:

ls -al /var/lib/ldap/fraternity.......

Exists -
Output =
[root@server openldap]# ls -al /var/lib/ldap/fraternity
total 8
drwxr-xr-x  2 ldap ldap 4096 Sep 16 11:32 .
drwxrwxrwx  4 ldap ldap 4096 Sep 16 11:32 ..


.....Next, check if the servers are listening:

netstat --ip -a|grep LISTEN|grep ldap ......

listening - results =
[root@server openldap]# netstat --ip -a|grep LISTEN|grep ldap
tcp        0      0 *:ldap                  *:*                     LISTEN

....if ldap is listening let's try to connect:
ldapsearch -x -h localhost -b "o=delta" '(objectclass=*)'
This should return at least one entry (cn=DeanWormer,o=delta)....

This failed:
[root@server openldap]# ldapsearch -x -h localhost -b "o=delta" '(objectclass=*)'
ldap_bind: Can't contact LDAP server (81)


Any ideas?
 
LVL 6

Accepted Solution

by: de2Zotjes (earned 2000 total points)
ID: 12456081
Yes, you don't have any data in your database. OpenLDAP does not appreciate that. Let's populate the database with a simple "person" entry. We will have to do that with the slap tools, since the ldap tools only work when you have ldap access (sort of a chicken-or-egg problem).

The basic idea is as follows:
1) create a ldif file containing the entries we want to add.
2) make sure the ldap server is STOPPED!
3) use slapadd to "copy" the entries from the ldif file to the database.
4) start the ldap server.

Step ONE: creating the ldif, this file should look something like this:

dn: o=delta
objectClass: top
objectClass: organization
o: delta

dn: cn=Dean_Wormer,o=delta
objectClass: top
objectClass: person
sn: Wormer
cn: Dean_Wormer
userPassword: {SSHA}9ojg/76Agrzha9caCgziXtxTzWrtMhtd
description: a person object for Dean Wormer

Save this file as initial.ldif.
You can find info on the objectclasses and allowed or mandatory keys in the schema files and on the OpenLDAP site. The userPassword was generated using slappasswd; the password is hello.

Step TWO: stop the ldap; be nice about it: service ldap stop
or alternatively: killall -4 slapd (not nice, don't :)

Step THREE: copy the ldif to the database:
slapadd -b o=delta -l initial.ldif

This tells slapadd to fill the database in the directory pointed to by the o=delta suffix in the slapd.conf file in the default location, and to fill it with data from 'initial.ldif'. (That is a long sentence; read it again, it makes sense.)

Step FOUR: start the ldap and test access.

service ldap start
ldapsearch -x -h localhost -b 'o=delta' '(objectclass=*)'

The ldapsearch command should return to you the entry for Dean_Wormer...
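An added example, not part of the thread, showing how the {SSHA} userPassword value in the answer's LDIF is built and checked: base64 of SHA-1(password + salt) followed by the salt, which is what slappasswd produces by default. The hash quoted in the answer is only parsed to show its layout; `person_ldif` and the other helper names are my own, and the rendered entry assumes the cn needs no DN escaping.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# userPassword value quoted in the accepted answer above.
THREAD_HASH = "{SSHA}9ojg/76Agrzha9caCgziXtxTzWrtMhtd"
SHA1_LEN = 20


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Build an {SSHA} value: base64(SHA-1(password || salt) || salt).

    slappasswd uses a 4-byte random salt by default; a fixed salt may be
    passed only to make test output reproducible."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def split_ssha(value: str) -> Tuple[bytes, bytes]:
    """Return (digest, salt) from an {SSHA} value, rejecting malformed input."""
    if not value.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(value[len("{SSHA}"):], validate=True)
    if len(raw) <= SHA1_LEN:
        raise ValueError("too short: need a 20-byte digest plus a salt")
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def ssha_verify(password: str, value: str) -> bool:
    """Recompute the salted digest and compare in constant time; the stored
    value is never reversed, only recomputed."""
    digest, salt = split_ssha(value)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def person_ldif(cn: str, sn: str, password: str, base: str = "o=delta") -> str:
    """Render the answer's 'person' entry with a salted hash rather than the
    cleartext used for rootpw in the posted slapd.conf (hypothetical helper;
    cn is assumed to need no DN escaping)."""
    lines = [f"dn: cn={cn},{base}", "objectClass: top", "objectClass: person",
             f"sn: {sn}", f"cn: {cn}", f"userPassword: {ssha_hash(password)}"]
    return "\n".join(lines) + "\n"
```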
 
LVL 1

Author Comment

by: mmisero
ID: 12460472
Success!!! Thanks for hanging in there. The other issue that I discovered on my own was that my hosts file was not correct and 127.0.0.1 was not listed as localhost. So the last command failed at first until I corrected the hosts file. One last question: any suggestions for further books or resources to learn the ins and outs of LDAP better?

Thanks!
 
LVL 6

Expert Comment

by: de2Zotjes
ID: 12461252
tldp.org has some decent info, then there is the OpenLDAP site, and I personally took a lot of info from an O'Reilly book: LDAP System Administration.