OpenLDAP as Samba 3 backend + email address server: can't bind

I am running Fedora Core 2 and I have been trying unsuccessfully for the last several weeks to configure OpenLDAP (slapd) to run properly (or at all, for that matter). My intention is to get OpenLDAP running as a backend for user authentication because I want to be able to run Samba 3 as a PDC for the domain I am building and would like to be able to replicate and have other systems running as BDCs for redundancy. As an intermediate (beginning) step I just want to have OpenLDAP working as an email address book. I have been through various step-by-step howtos, most notably the one on the Yolinux website and the one in the Fedora Core 2 "Bible" book. I thought I was close, but when I attempt to connect for a simple test query I get a "can't bind to LDAP server" error. I have done various searches and can't seem to figure out what is not configured correctly. I even went back and used the sample LDIF files and example settings verbatim off the Yolinux site. Two questions: Is there another, better howto resource for OpenLDAP (book or web)? Secondly, what is this "can't bind to LDAP server" message indicating, i.e., what is wrong in the config? (Just as an aside, is it just me, or is OpenLDAP a pain to get working?)
mmiseroAsked:
de2ZotjesCommented:
OpenLDAP is not for the faint of heart. That being said, it is not too difficult a beast to make work.

Your "can't bind" error indicates a problem with access rights to the information in the LDAP directory. It is very likely that something is wrong with the ACL structure.

Without some more insight into your setup there is no way to solve the problem. Can you post your slapd.conf?
mmiseroAuthor Commented:
As I mentioned in the original question, I was using the yolinux.com example and the LDIF file they had, to at least see if I could get it working. I have tried to play with the settings more and am still getting an error. I even downloaded the latest OpenLDAP source and compiled it. When I ran make test it came up with the same bind error. This leads me to believe it might be something else in the config that is off.

Any insights or suggestions would be well appreciated.

Anyway here is the slapd.conf from /etc/openldap:

suffix          "o=stooges"
rootdn          "cn=StoogeAdmin,o=stooges"
rootpw          secret1
directory       /var/lib/ldap/stooges
defaultaccess   read
schemacheck     on
lastmod         on
# allow         *
# Indices to maintain
#index  objectClass                             eq
#index  objectClass,uid,uidNumber,gidNumber     eq
#index  cn,mail,surname,givenname               eq,subinitial
index   cn,sn,st                                pres,eq,sub

database        ldbm
suffix          "o=delta"
suffix          "dc=ldap,dc=delta,dc=org"
rootdn          "cn=DeanWormer,o=delta"
rootpw          secret2
directory       /var/lib/ldap/fraternity
defaultaccess   read
schemacheck     on
lastmod         on

de2ZotjesCommented:
This looks slightly off to me; the first bit should have a database entry to start off with, I think. But we will try with the second set of data. Could you take out the second suffix line from that bit (the line suffix "dc=ldap,dc=delta,dc=org")? After this, restart the LDAP server.

First, check whether the database directory exists and contains data files:

ls -al /var/lib/ldap/fraternity

Next, check if the servers are listening:

netstat --ip -a|grep LISTEN|grep ldap
This should give you 1 or 2 lines (ldap and possibly ldaps).

If ldap is listening, let's try to connect:
ldapsearch -x -h localhost -b "o=delta" '(objectclass=*)'
This should return at least one entry (cn=DeanWormer,o=delta).

Let me know what you get from these commands.
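Before running the manual checks above, it helps to read the posted slapd.conf with the rules from slapd.conf(5) in mind. The following is an added example, not code from the thread, from mmisero, or from the OpenLDAP project: a small lint that runs over the two stanzas as posted (comment lines dropped) and reports what a practitioner would want to know about them. Everything it checks is an assumption stated in its docstring: a database definition begins with a `database` line and owns the `suffix`/`rootdn`/`rootpw`/`directory` lines that follow; `rootpw` may hold a `{SSHA}` value from slappasswd instead of cleartext; `defaultaccess` and `schemacheck` are legacy directives that later slapd releases dropped. It also includes a permission check for the database directory, because the listing later in this thread shows the parent `/var/lib/ldap` as `drwxrwxrwx`, which lets any local user replace the database files.

```python
"""Static checks for a slapd.conf, run over the configuration posted in this thread.

Added example; not code from the original thread, from mmisero, or from the
OpenLDAP project. The rules it applies are assumptions about slapd.conf(5):
every database definition starts with a `database` line and `suffix`, `rootdn`,
`rootpw` and `directory` belong to such a definition; `rootpw` may hold a
`{SSHA}` value produced by slappasswd instead of a cleartext password; and
`defaultaccess`/`schemacheck` are legacy directives that later releases dropped.
"""
import stat

# Constructed input: the two stanzas mmisero posted (comment lines omitted).
POSTED_CONF = """\
suffix          "o=stooges"
rootdn          "cn=StoogeAdmin,o=stooges"
rootpw          secret1
directory       /var/lib/ldap/stooges
defaultaccess   read
schemacheck     on
lastmod         on
index   cn,sn,st                                pres,eq,sub

database        ldbm
suffix          "o=delta"
suffix          "dc=ldap,dc=delta,dc=org"
rootdn          "cn=DeanWormer,o=delta"
rootpw          secret2
directory       /var/lib/ldap/fraternity
defaultaccess   read
schemacheck     on
lastmod         on
"""

DB_ONLY = {"suffix", "rootdn", "rootpw", "directory"}
LEGACY = {"defaultaccess", "schemacheck"}


def parse(text):
    """Yield (lineno, directive, argument) for every non-blank, non-comment line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        arg = parts[1].strip().strip('"') if len(parts) > 1 else ""
        yield lineno, parts[0].lower(), arg


def lint(text):
    """Return findings as (code, lineno, message) tuples; an empty list means clean."""
    findings = []
    db = -1          # index of the current database definition; -1 = global section
    suffixes = []    # suffixes[db] = suffix DNs seen in that definition
    for lineno, key, arg in parse(text):
        if key == "database":
            db += 1
            suffixes.append([])
            continue
        if key in DB_ONLY and db < 0:
            findings.append(("NO_DATABASE", lineno,
                             f"'{key}' appears before any 'database' line, so no backend owns it"))
        if key == "suffix" and db >= 0:
            suffixes[db].append(arg)
            if len(suffixes[db]) > 1:
                findings.append(("MULTI_SUFFIX", lineno,
                                 f"database {db} now serves {suffixes[db]}; keep one suffix while debugging"))
        if key == "rootpw" and not arg.startswith("{"):
            findings.append(("CLEARTEXT_ROOTPW", lineno,
                             "rootpw is cleartext; use the {SSHA} output of slappasswd and keep slapd.conf mode 0600"))
        if key in LEGACY:
            findings.append(("LEGACY", lineno,
                             f"'{key}' is a legacy directive; current slapd uses 'access to' rules and always checks schema"))
    return findings


def directory_findings(path, mode):
    """Flag a database directory, or a parent of one, that other users can write to.

    `mode` is st_mode as os.stat() returns it. The thread's listing shows
    /var/lib/ldap as drwxrwxrwx (0o777), so any local user can replace the files.
    """
    if stat.S_ISDIR(mode) and mode & stat.S_IWOTH:
        return [("WORLD_WRITABLE", path,
                 "other users can create or replace files here; chmod 700 and chown ldap:ldap")]
    return []


if __name__ == "__main__":
    for finding in lint(POSTED_CONF) + directory_findings("/var/lib/ldap", 0o40777):
        print(*finding)
```

Run against the posted text it reports the four directives of the first stanza that precede any `database` line, the two cleartext `rootpw` values, the four legacy directives and the second `suffix` of the ldbm database. To check a live system, pass `os.stat("/var/lib/ldap").st_mode` to `directory_findings` and feed `open("/etc/openldap/slapd.conf").read()` to `lint`.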
mmiseroAuthor Commented:
OK, here are the results:

....Could you take out the second suffix line from that bit ( the line suffix "dc=ldap,dc=delta,dc=org").  After this restart the ldap server....

Done - no protests from slapd

....First, check to see whether the dbase directory exists and contains data files:

ls -al /var/lib/ldap/fraternity.......

Exists -
Output =
[root@server openldap]# ls -al /var/lib/ldap/fraternity
total 8
drwxr-xr-x  2 ldap ldap 4096 Sep 16 11:32 .
drwxrwxrwx  4 ldap ldap 4096 Sep 16 11:32 ..


.....Next, check if the servers are listening:

netstat --ip -a|grep LISTEN|grep ldap ......

listening - results =
[root@server openldap]# netstat --ip -a|grep LISTEN|grep ldap
tcp        0      0 *:ldap                  *:*                     LISTEN

....if ldap is listening let's try to connect:
ldapsearch -x -h localhost -b "o=delta" '(objectclass=*)'
This should return at least one entry (cn=DeanWormer,o=delta)....

This failed:
[root@server openldap]# ldapsearch -x -h localhost -b "o=delta" '(objectclass=*)'
ldap_bind: Can't contact LDAP server (81)


Any ideas?
de2ZotjesCommented:
Yes, you don't have any data in your database. OpenLDAP does not appreciate that. Let's populate the database with a simple "person" entry. We will have to do that with the slap tools, since the ldap tools only work when you have LDAP access (sort of a chicken-and-egg problem).

The basic idea is as follows:
1) create a ldif file containing the entries we want to add.
2) make sure the ldap server is STOPPED!
3) use slapadd to "copy" the entries from the ldif file to the database.
4) start the ldap server.

Step ONE: creating the LDIF; this file should look something like this:

dn: o=delta
objectClass: top
objectClass: organization
o: delta

dn: cn=Dean_Wormer,o=delta
objectClass: top
objectClass: person
sn: Wormer
cn: Dean_Wormer
userPassword: {SSHA}9ojg/76Agrzha9caCgziXtxTzWrtMhtd
description: a person object for Dean Wormer

Save this file as initial.ldif.
You can find info on the object classes and allowed or mandatory keys in the schema files and on the OpenLDAP site. The userPassword was generated using slappasswd; the password is hello.

Step TWO: stop the LDAP server. Be nice about it: service ldap stop
or alternatively: killall -4 slapd (not nice, don't :)

Step THREE: copy the ldif to the database:
slapadd -b o=delta -l initial.ldif

This tells slapadd to fill the database in the directory pointed to by the o=delta suffix in the slapd.conf file in the default location, and to fill it with data from 'initial.ldif'. (That is a long sentence; read it again, it makes sense.)

Step FOUR: start the ldap and test access.

service ldap start
ldapsearch -x -h localhost -b 'o=delta' '(objectclass=*)'

The ldapsearch command should return to you the entry for Dean_Wormer...

mmiseroAuthor Commented:
Success!!! Thanks for hanging in there. The other issue that I discovered on my own was that my hosts file was not correct and 127.0.0.1 was not listed as localhost. So the last command failed at first until I corrected the hosts file. One last question: any suggestions for further books or resources to learn the ins and outs of LDAP better?

Thanks!
de2ZotjesCommented:
tldp.org has some decent info, then there is the OpenLDAP site, and I personally took a lot of info from an O'Reilly book: LDAP System Administration.