Solved

OpenLDAP as SAMBA 3 backend+ email address server can't bind

Posted on 2004-10-21
362 Views
Last Modified: 2013-12-06
I am running Fedora Core 2 and I have been trying unsuccessfully for the last several weeks to configure OpenLDAP (slapd) to run properly (or at all, for that matter). My intention is to get OpenLDAP running as a backend for user authentication, because I want to be able to run Samba 3 as a PDC for the domain I am building and would like to be able to replicate and have other systems running as BDCs for redundancy. As an intermediate (beginning) step I just want to have OpenLDAP working as an email address book. I have been through various step-by-step howtos, most notably the one on the Yolinux website and the one in the Fedora Core 2 "Bible" book. I thought I was close, but when I attempt to connect for a simple test query I get a "can't bind to ldap server" error. I have done various searches and can't seem to figure out what is not configured correctly. I even went back and used the sample ldif files and example settings verbatim off the Yolinux site. Two questions: is there another, better howto resource for OpenLDAP (book or web)? Secondly, what is this "can't bind to ldap server" message indicating, i.e. what is wrong in the config? (Just as an aside, is it just me, or is OpenLDAP a pain to get working?)
7 Comments

    Expert Comment

    by:de2Zotjes
    OpenLDAP is not for the faint of heart. That being said, it is not too difficult a beast to make work.

    Your "can't bind" error indicates a problem with access rights to the information in the LDAP directory. It is very likely that something is wrong with the ACL structure.

    Without some more insight into your setup there is no way to solve the problem. Can you post your slapd.conf?

    Author Comment

    by:mmisero
    Like I mentioned in the original question, I was using the yolinux.com example and the ldif file they had, to at least see if I could get it working. I have tried to play with the settings more and am still getting an error. I even downloaded the latest OpenLDAP source and compiled it. When I ran make test it came up with the same bind error. This leads me to believe it might be something else in the config that is off.

    Any insights or suggestions would be well appreciated.

    Anyway here is the slapd.conf from /etc/openldap:

    suffix          "o=stooges"
    rootdn          "cn=StoogeAdmin,o=stooges"
    rootpw          secret1
    directory       /var/lib/ldap/stooges
    defaultaccess   read
    schemacheck     on
    lastmod         on
    # allow         *
    # Indices to maintain
    #index  objectClass                             eq
    #index  objectClass,uid,uidNumber,gidNumber     eq
    #index  cn,mail,surname,givenname               eq,subinitial
    index   cn,sn,st                                pres,eq,sub

    database        ldbm
    suffix          "o=delta"
    suffix          "dc=ldap,dc=delta,dc=org"
    rootdn          "cn=DeanWormer,o=delta"
    rootpw          secret2
    directory       /var/lib/ldap/fraternity
    defaultaccess   read
    schemacheck     on
    lastmod         on


    Expert Comment

    by:de2Zotjes
    This looks slightly off to me: the first bit should have a database entry to start off with, I think. But we will try with the second set of data. Could you take out the second suffix line from that bit (the line suffix "dc=ldap,dc=delta,dc=org")? After this, restart the ldap server.

    First, check to see whether the dbase directory exists and contains data files:

    ls -al /var/lib/ldap/fraternity

    Next, check if the servers are listening:

    netstat --ip -a|grep LISTEN|grep ldap
    This should give you 1 or 2 lines ( ldap and possibly ldaps)

    if ldap is listening let's try to connect:
    ldapsearch -x -h localhost -b "o=delta" '(objectclass=*)'
    This should return at least one entry (cn=DeanWormer,o=delta)

    Let me know what you get from these commands
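For reference, here is what a complete, hardened version of the second database section could look like. This is an added example, not the poster's file or anything from the Yolinux howto: it assumes the Fedora Core 2 default paths (/etc/openldap/schema, /var/run/slapd.pid) and keeps the ldbm backend the poster was using. Besides the missing `database` line, it fixes two things a security reviewer would flag in the posted config: `rootpw` is stored hashed instead of in the clear, and the deprecated `defaultaccess read` (which lets anonymous clients read every attribute, `userPassword` included) is replaced by explicit ACLs.

```conf
# /etc/openldap/slapd.conf  (added example; keep this file root:ldap mode 0640,
# since it contains rootpw)

# Global section. The schema includes are what make objectClass organization
# and person valid. Fedora Core 2 paths are assumed. For the Samba 3 PDC
# later, nis.schema and samba.schema have to be added here too.
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
pidfile         /var/run/slapd.pid
argsfile        /var/run/slapd.args

# suffix, rootdn, rootpw and directory must appear inside a database
# definition, so every section starts with a "database" line. One suffix
# per database; the second suffix line from the posted config is gone.
database        ldbm
suffix          "o=delta"
rootdn          "cn=DeanWormer,o=delta"
# Never keep rootpw in the clear. Generate the value with
#   slappasswd -h {SSHA}
# and paste its output here (placeholder below, not a real hash):
rootpw          {SSHA}<output of slappasswd>
directory       /var/lib/ldap/fraternity
schemacheck     on
lastmod         on
index           objectClass             eq
index           cn,sn                   pres,eq,sub

# Replaces "defaultaccess read". Users may change their own password,
# anyone may bind with it (auth), nobody else may read it. Everything
# else stays world-readable, which is what the address-book use needs.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
access to *
        by self write
        by * read
```

The rootdn is not subject to these ACLs, so binding as cn=DeanWormer,o=delta with the slappasswd-generated password still gives full access for administration; the ACLs only constrain regular and anonymous clients.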

    Author Comment

    by:mmisero
    OK, here are the results:

    ....Could you take out the second suffix line from that bit ( the line suffix "dc=ldap,dc=delta,dc=org").  After this restart the ldap server....

    Done - no protests from slapd

    ....First, check to see whether the dbase directory exists and contains data files:

    ls -al /var/lib/ldap/fraternity.......

    Exists -
    Output =
    [root@server openldap]# ls -al /var/lib/ldap/fraternity
    total 8
    drwxr-xr-x  2 ldap ldap 4096 Sep 16 11:32 .
    drwxrwxrwx  4 ldap ldap 4096 Sep 16 11:32 ..


    .....Next, check if the servers are listening:

    netstat --ip -a|grep LISTEN|grep ldap ......

    listening - results =
    [root@server openldap]# netstat --ip -a|grep LISTEN|grep ldap
    tcp        0      0 *:ldap                  *:*                     LISTEN

    ....if ldap is listening let's try to connect:
    ldapsearch -x -h localhost -b "o=delta" '(objectclass=*)'
    This should return at least one entry (cn=DeanWormer,o=delta)....

    This failed:
    [root@server openldap]# ldapsearch -x -h localhost -b "o=delta" '(objectclass=*)'
    ldap_bind: Can't contact LDAP server (81)


    Any ideas?

    Accepted Solution

    by:
    Yes, you don't have any data in your database. OpenLDAP does not appreciate that. Let's populate the database with a simple "person" entry. We will have to do that with the slap tools, since the ldap tools only work when you have ldap access (sort of a chicken-or-egg problem).

    The basic idea is as follows:
    1) create a ldif file containing the entries we want to add.
    2) make sure the ldap server is STOPPED!
    3) use slapadd to "copy" the entries from the ldif file to the database.
    4) start the ldap server.

    Step ONE: creating the ldif, this file should look something like this:

    dn: o=delta
    objectClass: top
    objectClass: organization
    o: delta

    dn: cn=Dean_Wormer,o=delta
    objectClass: top
    objectClass: person
    sn: Wormer
    cn: Dean_Wormer
    userPassword: {SSHA}9ojg/76Agrzha9caCgziXtxTzWrtMhtd
    description: a person object for Dean Wormer

    Save this file as initial.ldif.
    You can find info on the objectClasses and their allowed or mandatory attributes in the schema files and on the OpenLDAP site. The userPassword was generated using slappasswd; the password is hello.

    Step TWO: stop the ldap. be nice about it: service ldap stop
    or alternatively: killall -4 slapd (not nice, don't :)

    Step THREE: copy the ldif to the database:
    slapadd -b o=delta -l initial.ldif

    This tells slapadd to fill the database in the directory pointed to by the o=delta suffix in the slapd.conf file in the default location, and to fill it with data from 'initial.ldif'. (That is a long sentence; read it again, it makes sense.)

    Step FOUR: start the ldap and test access.

    service ldap start
    ldapsearch -x -h localhost -b 'o=delta' '(objectclass=*)'

    the ldapsearch command should return to you the entry for Dean_Wormer...
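Two things that commonly abort the slapadd step above are an entry whose DN does not lie under the configured suffix, and a child entry listed before its parent (slapadd writes entries in file order). The following script is an added example, not part of the accepted solution: it runs offline, parses an LDIF file, reports both problems, reorders entries parents-first, and generates and verifies `{SSHA}` values in the same format slappasswd produces (base64 of SHA-1(password + salt) followed by the 4-byte salt). The sample LDIF embedded in it is the thread's own two entries, deliberately swapped so the check has something to catch.

```python
"""Offline pre-flight for an OpenLDAP slapadd import (added example).

Checks that every DN lies under the database suffix and that parents
precede their children in the LDIF, and handles {SSHA} hashes in the
format slappasswd emits: base64(SHA1(password + salt) + salt).
"""
import base64
import hashlib
import hmac
import os

SUFFIX = "o=delta"

# Constructed sample: the thread's LDIF with the two entries swapped so the
# person is listed before its parent organization.
BAD_ORDER_LDIF = """\
dn: cn=Dean_Wormer,o=delta
objectClass: top
objectClass: person
sn: Wormer
cn: Dean_Wormer
userPassword: {SSHA}9ojg/76Agrzha9caCgziXtxTzWrtMhtd
description: a person object for Dean Wormer

dn: o=delta
objectClass: top
objectClass: organization
o: delta
"""


def parse_ldif(text):
    """Return [(dn, {attr: [values]})] in file order.

    Minimal LDIF reader: handles comments, blank-line separators and folded
    lines (leading space). Base64 ("::") values are kept as-is, not decoded.
    """
    entries, current, last = [], None, None
    for raw in text.splitlines() + [""]:      # trailing "" flushes the last entry
        if raw.startswith("#"):
            continue
        if raw == "":
            if current:
                entries.append(current)
            current = None
            continue
        if raw.startswith(" ") and current and last:
            current[1][last][-1] += raw[1:]
            continue
        attr, _, value = raw.partition(":")
        value = value.strip()
        if attr == "dn":
            if current:                       # missing blank line between entries
                entries.append(current)
            current, last = (value, {}), None
        elif current is None:
            raise ValueError("attribute before dn: %r" % raw)
        else:
            current[1].setdefault(attr, []).append(value)
            last = attr
    return entries


def normalize_dn(dn):
    """Case-fold and strip spaces around RDN separators (no escaped-comma handling)."""
    return ",".join(p.strip().lower() for p in dn.split(","))


def check_import_order(text, suffix=SUFFIX):
    """List the problems slapadd would hit importing `text` into `suffix`."""
    problems, seen, suffix_n = [], set(), normalize_dn(suffix)
    for dn, _ in parse_ldif(text):
        dn_n = normalize_dn(dn)
        parent = dn_n.partition(",")[2]      # everything after the first RDN
        if dn_n != suffix_n and not dn_n.endswith("," + suffix_n):
            problems.append("%s is not under suffix %s" % (dn, suffix))
        elif dn_n != suffix_n and parent not in seen:
            problems.append("parent of %s not yet added: %s" % (dn, parent))
        seen.add(dn_n)
    return problems


def sort_for_import(text):
    """Re-serialise the LDIF with parents before children (stable sort on DN depth)."""
    entries = sorted(parse_ldif(text), key=lambda e: normalize_dn(e[0]).count(","))
    blocks = []
    for dn, attrs in entries:
        lines = ["dn: " + dn] + ["%s: %s" % (a, v) for a, vs in attrs.items() for v in vs]
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks) + "\n"


def ssha_hash(password, salt=None):
    """Same format as `slappasswd -h {SSHA}`; salt defaults to 4 random bytes."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(password, stored):
    """Check a password against a {SSHA} value; constant-time compare of the digest."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]        # SHA-1 digest is 20 bytes, rest is salt
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)


if __name__ == "__main__":
    for problem in check_import_order(BAD_ORDER_LDIF):
        print("problem:", problem)
    print(sort_for_import(BAD_ORDER_LDIF))
    fresh = ssha_hash("hello")
    print(fresh, ssha_verify("hello", fresh), ssha_verify("wrong", fresh))
    # the hash posted in the thread, whose password the poster says is "hello"
    posted = "{SSHA}9ojg/76Agrzha9caCgziXtxTzWrtMhtd"
    print("posted hash verifies with 'hello':", ssha_verify("hello", posted))
```

Run it against your own initial.ldif (for example by reading the file into `check_import_order`) before stopping slapd; an empty problem list means the import order and suffix are consistent with the `suffix` line in slapd.conf. The `ssha_hash` output can be pasted straight into a `userPassword:` or `rootpw` line, so no password ever has to sit in the config or LDIF in the clear.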

    Author Comment

    by:mmisero
    Success!!! Thanks for hanging in there. The other issue that I discovered on my own was that my hosts file was not correct and 127.0.0.1 was not listed as localhost. So the last command failed at first until I corrected the hosts file. One last question: any suggestions for further books or resources to learn the ins and outs of LDAP better?

    Thanks!

    Expert Comment

    by:de2Zotjes
    tldp.org has some decent info, and then there is the OpenLDAP site. I personally took a lot of info from an O'Reilly book: LDAP System Administration.
