OpenLDAP as SAMBA 3 backend+ email address server can't bind

I am running Fedora Core 2 and I have been trying unsuccessfully for the last several weeks to configure OpenLDAP (slapd) to run properly (or at all for that matter.)  My intention is to get OpenLDAP running as a backend for user authentication because I want to be able to run Samba 3 as a PDC for the domain I am building and would like to be able to replicate and have other systems running as BDC for redundancy.  The intermediate (beginning) step is that I just want to have OpenLDAP working as an email addressbook.  I have been through various step by step howtos, most notably the one on the Yolinux website and in the Fedora Core 2 "Bible" book.  I thought I was close, but when I attempt to connect for a simple test query I get a "can't bind to ldap server" error.  I have done various searches and can't seem to figure out what is not configured correctly.  I even went back and used the sample ldif files and example settings verbatim off the yolinux site.  2 questions - Is there another better howto resource for OpenLDAP (book or web)?  Secondly, what is this "can't bind to ldap server" message indicating?  i.e. what is wrong in the config.  (just an aside, is it just me, or is OpenLDAP a pain to get working?)
Asked by mmisero

1 Solution

de2Zotjes commented:
OpenLDAP is not for the faint of heart. That being said, it is not too difficult a beast to make it work.

Your can't bind error indicates a problem with access rights to the information in the LDAP. It is very likely that something is wrong with that acl structure.

Without some more insight into your setup there is no way to solve the problem. Can you post your slapd.conf?

mmisero (Author) commented:
Like I mentioned in the original question I was using the yolinux.com example and the ldif file they had to at least see if I could get it working.  I have tried to play with the settings more and am still getting an error.  I even downloaded the latest openldap source and compiled it.  When I ran make test it came up with the same bind error.  This leads me to believe it might be something else in the config that is off.

Any insights or suggestions would be well appreciated.

Anyway here is the slapd.conf from /etc/openldap:

suffix          "o=stooges"
rootdn          "cn=StoogeAdmin,o=stooges"
rootpw          secret1
directory       /var/lib/ldap/stooges
defaultaccess   read
schemacheck     on
lastmod         on
# allow         *
# Indices to maintain
#index  objectClass                             eq
#index  objectClass,uid,uidNumber,gidNumber     eq
#index  cn,mail,surname,givenname               eq,subinitial
index   cn,sn,st                                pres,eq,sub

database        ldbm
suffix          "o=delta"
suffix          "dc=ldap,dc=delta,dc=org"
rootdn          "cn=DeanWormer,o=delta"
rootpw          secret2
directory       /var/lib/ldap/fraternity
defaultaccess   read
schemacheck     on
lastmod         on


de2Zotjes commented:
This looks slightly off to me, the first bit should have a database entry to start off with, I think. But we will try with the second set of data. Could you take out the second suffix line from that bit (the line suffix "dc=ldap,dc=delta,dc=org")?  After this restart the ldap server.

First, check to see whether the dbase directory exists and contains data files:

ls -al /var/lib/ldap/fraternity

Next, check if the servers are listening:

netstat --ip -a|grep LISTEN|grep ldap
This should give you 1 or 2 lines ( ldap and possibly ldaps)

if ldap is listening let's try to connect:
ldapsearch -x -h localhost -b "o=delta" '(objectclass=*)'
This should return at least one entry (cn=DeanWormer,o=delta)

Let me know what you get from these commands

mmisero (Author) commented:
OK here are the results:

....Could you take out the second suffix line from that bit ( the line suffix "dc=ldap,dc=delta,dc=org").  After this restart the ldap server....

Done - no protests from slapd

....First, check to see whether the dbase directory exists and contains data files:

ls -al /var/lib/ldap/fraternity.......

Exists -
Output =
[root@server openldap]# ls -al /var/lib/ldap/fraternity
total 8
drwxr-xr-x  2 ldap ldap 4096 Sep 16 11:32 .
drwxrwxrwx  4 ldap ldap 4096 Sep 16 11:32 ..


.....Next, check if the servers are listening:

netstat --ip -a|grep LISTEN|grep ldap ......

listening - results =
[root@server openldap]# netstat --ip -a|grep LISTEN|grep ldap
tcp        0      0 *:ldap                  *:*                     LISTEN

....if ldap is listening let's try to connect:
ldapsearch -x -h localhost -b "o=delta" '(objectclass=*)'
This should return at least one entry (cn=DeanWormer,o=delta)....

This failed:
[root@server openldap]# ldapsearch -x -h localhost -b "o=delta" '(objectclass=*)'
ldap_bind: Can't contact LDAP server (81)


Any ideas?

de2Zotjes commented:
Yes, you don't have any data in your database. OpenLDAP does not appreciate that. Let's populate the database with a simple "person" entry. We will have to do that with the slap tools, since the ldap tools only work when you have ldap-access. (sort of chicken or egg).

The basic idea is as follows:
1) create a ldif file containing the entries we want to add.
2) make sure the ldap server is STOPPED!
3) use slapadd to "copy" the entries from the ldif file to the database.
4) start the ldap server.

Step ONE: creating the ldif, this file should look something like this:

dn: o=delta
objectClass: top
objectClass: organization
o: delta

dn: cn=Dean_Wormer,o=delta
objectClass: top
objectClass: person
sn: Wormer
cn: Dean_Wormer
userPassword: {SSHA}9ojg/76Agrzha9caCgziXtxTzWrtMhtd
description: a person object for Dean Wormer

Save this file as initial.ldif.
You can find info on the objectclasses and allowed or mandatory keys in the schema files and the openldap site. The userpassword was generated using slappasswd, the password is hello.

Step TWO: stop the ldap. be nice about it: service ldap stop
or alternatively: killall -4 slapd (not nice, don't :)

Step THREE: copy the ldif to the database:
slapadd -b o=delta -l initial.ldif

This tells slapadd to fill the database in the directory pointed to by the o=delta suffix in the slapd.conf file in the default location and fill it with data from 'initial.ldif'. (That is a long sentence, read it again, it makes sense)

Step FOUR: start the ldap and test access.

service ldap start
ldapsearch -x -h localhost -b 'o=delta' '(objectclass=*)'

the ldapsearch command should return to you the entry for Dean_Wormer...

mmisero (Author) commented:
Success!!! Thanks for hanging in there.  The other issue that I discovered on my own was that my hosts file was not correct and 127.0.0.1 was not listed as localhost.  So the last command failed at first until I corrected the hosts file.  One last question, any suggestions for further books or resources to learn the ins and outs of LDAP better?

Thanks!

de2Zotjes commented:
tldp.org has some decent info, then there is the openldap site, and I personally took a lot of info from an O'Reilly book: LDAP System Administration.