RHEL 6.3 – LDAP Series – Part 1 : Implementation of LDAP Authentication

Ramdev

I started unixadminschool.com (aka gurkulindia.com) in 2009 as my own personal reference blog, and later at some point I realized that my learnings might be helpful for other unix admins if I managed my knowledge base in a more user-friendly format. And the result is today's unixadminschool.com. You can connect with me at - https://www.linkedin.com/in/unixadminschool/


24 Responses

  1. venu says:

    Hi,

    I am getting the below error, please can someone help me.
    ldap_bind: Invalid credentials (49)

  2. venu says:

    Hi,
    How to give full permission to change the password to an LDAP user? Please help me.

  3. siddharth says:

    ldapmodify -Y EXTERNAL -H ldapi:///
    It takes too much time.

  4. siddharth says:

    How to solve this?

    [root@ldap migrationtools]# ldapadd -x -h localhost -D cn=Manager,dc=example,dc=com -f /root/user.ldif -W
    Enter LDAP Password:
    ldapadd: attributeDescription "dn": (possible missing newline after line 19, entry "uid=gurkuluser,ou=People,dc=example,dc=com"?)
    adding new entry "uid=gurkuluser,ou=People,dc=example,dc=com"
    ldap_add: Invalid syntax (21)
    additional info: gidNumber: value #1 invalid per syntax

    • Ramdev says:

      Please check if there are any typos in the user.ldif file, because the error says invalid syntax with the parameter "gidNumber".

  5. Kman says:

    I get the following error when adding the domain, i.e.:

    [root@ldap ~]# ldapadd -x -h localhost -D cn=Manager,dc=testdom,dc=com -f /root/domain.ldif -W
    Enter LDAP Password:
    adding new entry "dc=testdom,dc=com"
    ldap_add: Type or value exists (20)
    additional info: objectClass: value #0 provided more than once

    My domain.ldif file contains this:

    dn: dc=testdom,dc=com
    objectClass: top
    objectClass: domain
    dc: testdom dn: ou=Groups,dc=testdomdc=com
    objectClass: top
    objectClass: organizationalunit
    ou: Groups dn: ou=People,dc=testdom,dc=com
    objectClass: top
    objectClass: organizationalunit
    ou: People

    Can you advise?

    Thanks
    Kman

  6. Ramdev says:

    Hello, it seems some content from the file domain.ldif had duplicate entries, please double check.
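Both ldapadd failures in this thread (comment 4's "gidNumber: value #1 invalid per syntax" and comment 5's "objectClass: value #0 provided more than once", which happens because the three entries in domain.ldif are run together with no blank line before each "dn:") can be caught before the file ever reaches slapd. The checker below is an added example, not code from the original post; parse_ldif, lint_ldif and the sample LDIF strings are my own constructions (the broken sample mirrors Kman's file above, and the user entry with a letter O in gidNumber is invented to stand in for comment 4's typo).

```python
# Added example: a minimal LDIF linter for the two ldapadd errors in this thread.
# Not part of the original post; function names and sample data are constructed.
INTEGER_ATTRS = {"uidnumber", "gidnumber"}   # attributes with LDAP INTEGER syntax

def parse_ldif(text):
    """Split LDIF text into records; each record is a list of (attr, value)."""
    records, current = [], []
    for raw in text.splitlines():
        if raw.strip() == "":                 # a blank line terminates a record
            if current:
                records.append(current)
                current = []
            continue
        attr, sep, val = raw.partition(":")
        if not sep:
            raise ValueError(f"not an attribute line: {raw!r}")
        current.append((attr.strip().lower(), val.lstrip(":").strip()))  # '::' = base64
    if current:
        records.append(current)
    return records

def lint_ldif(text):
    """Return the problems slapd would report for this LDIF (empty list = clean)."""
    problems = []
    for n, rec in enumerate(parse_ldif(text), 1):
        if not rec or rec[0][0] != "dn":
            problems.append(f"record {n}: does not start with 'dn:'")
            continue
        dn, seen = rec[0][1], set()
        for attr, val in rec[1:]:
            if attr == "dn" or " dn:" in val:   # a second dn glued onto this record
                problems.append(f"{dn}: 'dn:' inside record (missing newline before it)")
            if (attr, val) in seen:             # slapd: "value provided more than once"
                problems.append(f"{dn}: {attr}: value {val!r} provided more than once")
            seen.add((attr, val))
            if attr in INTEGER_ATTRS and not val.isdigit():  # slapd: "invalid per syntax"
                problems.append(f"{dn}: {attr}: value {val!r} invalid per syntax")
    return problems

# Constructed inputs: the run-together domain.ldif from comment 5, the same file
# with the missing blank lines restored, and a user entry whose gidNumber has a letter O.
BROKEN_DOMAIN_LDIF = (
    "dn: dc=testdom,dc=com\nobjectClass: top\nobjectClass: domain\n"
    "dc: testdom dn: ou=Groups,dc=testdomdc=com\nobjectClass: top\nobjectClass: organizationalunit\n"
    "ou: Groups dn: ou=People,dc=testdom,dc=com\nobjectClass: top\nobjectClass: organizationalunit\nou: People\n"
)
FIXED_DOMAIN_LDIF = BROKEN_DOMAIN_LDIF.replace(" dn:", "\n\ndn:").replace("testdomdc", "testdom,dc")
BAD_USER_LDIF = "dn: uid=gurkuluser,ou=People,dc=example,dc=com\nuidNumber: 1200\ngidNumber: 15O0\n"
```

Running lint_ldif over the broken file reports the two glued "dn:" lines and three duplicated objectClass values, over the fixed file nothing, and over the user entry the non-numeric gidNumber.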

  7. Tim says:

    Seems there’s an error in the procedure. The step “Initialize the DB_CONFIG Settings from default file” builds the /var/lib/ldap/DB_CONFIG file, but the step “Removing default ldap configuration data” deletes it.

  8. Tim says:

    Also, the step “Now we will make some basic entries for domain, and organizational units named  groups and people.” is missing some line breaks.

  9. Abhishek says:

    After the OpenLDAP configuration I am facing the following issue:

    [root@ldap01 ldap]#  ldapsearch -x -b "cn=config" -D "cn=admin,cn=config" -w config -h localhost dn -LLL | grep -v ^$
    ldap_bind: Invalid credentials (49)
    [root@rldap01 ldap]#

  10. Ataur Rahman says:

    When I am trying to add olcRootPW following the instructions, it is giving me an error: ldap_modify: Inappropriate matching (18) additional info: modify/add: olcRootPW: no equality matching rule
    Could you please help to solve this error?
    My OS version is Red Hat Enterprise Linux Server release 6.4 (Santiago).

    [root@gurkulrhel1 ~]# ldapmodify -Y EXTERNAL -H ldapi:///
    SASL/EXTERNAL authentication started
    SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    SASL SSF: 0
    dn: olcDatabase={0}config,cn=config
    changetype: modify
    add: olcRootPW
    olcRootPW: {SSHA}5kO/K1KBzJ0wEaKBAGjIDY6MG6TGzg9Q
    modifying entry "olcDatabase={0}config,cn=config"

    ERROR
    modifying entry "olcDatabase={0}config,cn=config"
    ldap_modify: Inappropriate matching (18)
    additional info: modify/add: olcRootPW: no equality matching rule

    • Ramdev says:

      I suspect there might be issues with the step "Modify /root/slapd.conf to reflect the domain name and password". Please do verify the file again, and also make sure the verification was good with the below command:

      ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config

      Ideally the olcRootPW should show the default password here.

  11. Rahul says:

    Missing required extension
    Your install of PHP appears to be missing LDAP support.

    Please install LDAP support before using phpLDAPadmin.
    (Dont forget to restart your web server afterwards)

  12. RAHUL P.S says:

    I am new to a company and I got a task to set up a Linux domain for user authentication and management. I went through different articles and finally decided to configure OpenLDAP. I have seen different methods to create it and I tried almost all of them, including the method just described above. None of them was a success.
    Actually I am totally confused about which method will give a positive output. I need to create it as soon as possible.
    The server is RHEL6 and the client Fedora 20. Please help!

  13. Deepak says:

    Hi All,

    I am getting an error on the OpenLDAP client side. Please assist. When I run the ldapsearch command on the client side it gives me an error: ldap_sasl_bind(simple) can't contact ldap server (-1). I am using nslcd authentication. I am not using TLS or a certificate. It's just simple authentication.

    Machine : Fedora 20

    [root@client ~]# systemctl -l status nslcd.service
    nslcd.service - Naming services LDAP client daemon.
    Loaded: loaded (/usr/lib/systemd/system/nslcd.service; enabled)
    Active: active (running) since Mon 2014-08-25 16:54:35 IST; 3min 12s ago
    Process: 19065 ExecStart=/usr/sbin/nslcd (code=exited, status=0/SUCCESS)
    Main PID: 19066 (nslcd)
    CGroup: /system.slice/nslcd.service
    └─19066 /usr/sbin/nslcd

    Aug 25 16:54:24 client.example.com systemd[1]: Unit nslcd.service entered failed state.
    Aug 25 16:54:24 client.example.com systemd[1]: Starting Naming services LDAP client daemon....
    Aug 25 16:54:35 client.example.com systemd[1]: PID file /var/run/nslcd/nslcd.pid not readable (yet?) after start.
    Aug 25 16:54:35 client.example.com nslcd[19066]: version 0.8.13 starting
    Aug 25 16:54:35 client.example.com nslcd[19066]: accepting connections
    Aug 25 16:54:35 client.example.com systemd[1]: Started Naming services LDAP client daemon..
    Aug 25 16:55:14 client.example.com nslcd[19066]: [8b4567] failed to bind to LDAP server ldap://15.0.0.1: Can't contact LDAP server: Connection timed out
    Aug 25 16:55:14 client.example.com nslcd[19066]: [8b4567] no available LDAP server found: Can't contact LDAP server: Connection timed out
    Aug 25 16:56:47 client.example.com nslcd[19066]: [7b23c6] failed to bind to LDAP server ldap://15.0.0.1: Can't contact LDAP server: Transport endpoint is not connected
    Aug 25 16:56:47 client.example.com nslcd[19066]: [7b23c6] no available LDAP server found: Can't contact LDAP server: Transport endpoint is not connected

    Thanks in Advance

    Deepak

  14. shivakumar says:

    Hi Ramdev, the article is very nicely explained, but I am facing the below mentioned issue.

    1. I have followed the steps as mentioned in the article but I am not getting any getent command output.

    Kindly let me know the reason & solution.

    [root@ldapmaster ~]# getent passwd jeevetha
    [root@ldapmaster ~]# (nothing is returned)

    slapcat output:
    [root@ldapmaster ~]# slapcat
    The first database does not allow slapcat; using the first available one (2)
    dn: dc=shiva,dc=com
    objectClass: top
    objectClass: domain
    dc: shiva
    structuralObjectClass: domain
    entryUUID: 3abc86ec-d820-1033-9ae9-67219d7b460e
    creatorsName: cn=Manager,dc=shiva,dc=com
    createTimestamp: 20140924102102Z
    entryCSN: 20140924102102.323033Z#000000#000#000000
    modifiersName: cn=Manager,dc=shiva,dc=com
    modifyTimestamp: 20140924102102Z

    dn: ou=Groups,dc=shiva,dc=com
    objectClass: top
    objectClass: organizationalUnit
    ou:: R3JvdXBzIA==
    structuralObjectClass: organizationalUnit
    entryUUID: 3abe5cc4-d820-1033-9aea-67219d7b460e
    creatorsName: cn=Manager,dc=shiva,dc=com
    createTimestamp: 20140924102102Z
    entryCSN: 20140924102102.335061Z#000000#000#000000
    modifiersName: cn=Manager,dc=shiva,dc=com
    modifyTimestamp: 20140924102102Z

    dn: ou=People,dc=shiva,dc=com
    objectClass: top
    objectClass: organizationalUnit
    ou: People
    structuralObjectClass: organizationalUnit
    entryUUID: 3abf04d0-d820-1033-9aeb-67219d7b460e
    creatorsName: cn=Manager,dc=shiva,dc=com
    createTimestamp: 20140924102102Z
    entryCSN: 20140924102102.339363Z#000000#000#000000
    modifiersName: cn=Manager,dc=shiva,dc=com
    modifyTimestamp: 20140924102102Z

    dn: uid=jeevetha,ou=People,dc=shiva,dc=com
    givenName: ldap
    sn: user1
    loginShell: /bin/bash
    uidNumber: 1250
    gidNumber: 1500
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    objectClass: posixAccount
    uid: jeevetha
    cn: ldap user1
    homeDirectory: /home/jeevetha
    userPassword:: e1NTSEF9d1F2L1Y3eE84WVJvR2xWK0l3dUNMOGZobnhSb2RKZS8=
    structuralObjectClass: inetOrgPerson
    entryUUID: 14449e80-d822-1033-9aec-67219d7b460e
    creatorsName: cn=Manager,dc=shiva,dc=com
    createTimestamp: 20140924103416Z
    entryCSN: 20140924103416.777242Z#000000#000#000000
    modifiersName: cn=Manager,dc=shiva,dc=com
    modifyTimestamp: 20140924103416Z

    dn: cn=redhat,ou=Groups,dc=shiva,dc=com
    objectClass: posixGroup
    objectClass: top
    cn: redhat
    gidNumber: 1500
    structuralObjectClass: posixGroup
    entryUUID: 1448e7ce-d822-1033-9aed-67219d7b460e
    creatorsName: cn=Manager,dc=shiva,dc=com
    createTimestamp: 20140924103416Z
    entryCSN: 20140924103416.805334Z#000000#000#000000
    modifiersName: cn=Manager,dc=shiva,dc=com
    modifyTimestamp: 20140924103416Z
