RHEL 6.3 – LDAP Series – Part 1 : Implementation of LDAP Authentication

Rhel 6.3 - LDAP Implementation - What is LDAP 

LDAP (Lightweight Directory Access Protocol) is a client-server protocol that provides directory services to client machines. Each LDAP server holds the data that makes up its directory database; on RHEL 6 the default backend is BDB (Berkeley DB), a high-performance transactional database. LDAP manages its data as objects, each defined by a set of attributes.

The object classes most commonly used when a directory is built for account management are:

  • Groups – unordered lists of individual objects or groups of objects
  • Location – e.g. country name and description
  • Organisational Units – for organisational classification of the directory
  • People – individual user login accounts in the directory

As mentioned above, each object class is supported by additional information in the form of attributes, and these attributes are paired with values that make each object a unique entry in the LDAP database.

For example, a user entry has an attribute named commonName (cn, for short) whose value is the user's name.

 

In this post I cover the steps required to configure an LDAP server (RHEL 6.3) with a basic configuration, and then configure an LDAP client to use nslcd-based authentication (the legacy method on RHEL 6.3). SSSD-based authentication is described briefly for comparison but is out of scope for this document.
 

Configuration of LDAP Server

(Figure: LDAP network diagram – gurkulrhel1 is the LDAP server, gurkulrhel2 the client)

Check for the required LDAP packages (openldap-servers and openldap-clients are the ones this procedure needs; the rest happen to be installed on this host):
[root@gurkulrhel1 ~]# rpm -qa|grep ldap
compat-openldap-2.3.43-2.el6.x86_64
mod_authz_ldap-0.26-15.el6.x86_64
nss-pam-ldapd-0.7.5-14.el6_2.1.x86_64
openldap-servers-sql-2.4.23-26.el6_3.2.x86_64
python-ldap-2.3.10-1.el6.x86_64
openldap-devel-2.4.23-26.el6_3.2.x86_64
krb5-server-ldap-1.9-33.el6.x86_64
bind-dyndb-ldap-1.1.0-0.9.b1.el6.x86_64
openldap-servers-2.4.23-26.el6_3.2.x86_64
openldap-2.4.23-26.el6_3.2.x86_64
php-ldap-5.3.3-14.el6_3.x86_64
openldap-clients-2.4.23-26.el6_3.2.x86_64
ldapjdk-4.18-6.el6.x86_64
apr-util-ldap-1.3.9-3.el6_0.1.x86_64
pam_ldap-185-11.el6.x86_64
 
[root@gurkulrhel1 ~]# cat /var/lib/ldap/DB_CONFIG
cat: /var/lib/ldap/DB_CONFIG: No such file or directory

[root@gurkulrhel1 ~]# egrep -v "^#|^$" /usr/share/openldap-servers/DB_CONFIG.example
set_cachesize 0 268435456 1
set_lg_regionmax 262144
set_lg_bsize 2097152

Initialize the DB_CONFIG settings from the default file:

[root@gurkulrhel1 ~]# egrep -v "^#|^$" /usr/share/openldap-servers/DB_CONFIG.example > /var/lib/ldap/DB_CONFIG
 
 
Before proceeding with further configuration, the original procedure stops iptables. That turns the host firewall off entirely; outside a lab, leave it running and allow inbound TCP 389 (and 636 for LDAPS) from the client network instead.

# service iptables stop

Get a copy of the sample slapd.conf and make modifications as per our requirement:

[root@gurkulrhel1 ~]# cp /usr/share/openldap-servers/slapd.conf.obsolete /root/slapd.conf

Generate the hashed root password. slappasswd prints a salted SHA-1 ({SSHA}) hash, not an encrypted password; it is used as rootpw of the bdb database here and later as olcRootPW of cn=config:

[root@gurkulrhel1 ~]# slappasswd
New password: <password>
Re-enter new password: <password>
{SSHA}5kO/K1KBzJ0wEaKBAGjIDY6MG6TGzg9Q    <== note down this hash

[root@gurkulrhel1 ~]# vi /root/slapd.conf

Make the following modifications under the "database bdb" section (the sample file ships with suffix and rootdn set to dc=my-domain,dc=com):

suffix          "dc=gurkulindia,dc=com"
checkpoint      1024 15
rootdn          "cn=Manager,dc=gurkulindia,dc=com"
rootpw          {SSHA}5kO/K1KBzJ0wEaKBAGjIDY6MG6TGzg9Q
 
Stop the slapd service while making the modifications:
 
# service  slapd stop
 
Modify /root/slapd.conf to reflect the domain name and password. The resulting file:
 
[root@gurkulrhel1 log]# cat /root/slapd.conf
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /etc/openldap/schema/corba.schema
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/duaconf.schema
include         /etc/openldap/schema/dyngroup.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/java.schema
include         /etc/openldap/schema/misc.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/openldap.schema
include         /etc/openldap/schema/ppolicy.schema
include         /etc/openldap/schema/collective.schema

# Allow LDAPv2 client connections.  This is NOT the default.
allow bind_v2

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

# Load dynamic backend modules
# - modulepath is architecture dependent value (32/64-bit system)
# - back_sql.la overlay requires openldap-server-sql package
# - dyngroup.la and dynlist.la cannot be used at the same time

# modulepath /usr/lib/openldap
# modulepath /usr/lib64/openldap

# moduleload accesslog.la
# moduleload auditlog.la
# moduleload back_sql.la
# moduleload chain.la
# moduleload collect.la
# moduleload constraint.la
# moduleload dds.la
# moduleload deref.la
# moduleload dyngroup.la
# moduleload dynlist.la
# moduleload memberof.la
# moduleload pbind.la
# moduleload pcache.la
# moduleload ppolicy.la
# moduleload refint.la
# moduleload retcode.la
# moduleload rwm.la
# moduleload seqmod.la
# moduleload smbk5pwd.la
# moduleload sssvlv.la
# moduleload syncprov.la
# moduleload translucent.la
# moduleload unique.la
# moduleload valsort.la

# The next three lines allow use of TLS for encrypting connections using a
# dummy test certificate which you can generate by running
# /usr/libexec/openldap/generate-server-cert.sh. Your client software may balk
# at self-signed certificates, however.
TLSCACertificatePath /etc/openldap/certs
TLSCertificateFile "OpenLDAP Server"
TLSCertificateKeyFile /etc/openldap/certs/password

# Sample security restrictions
#       Require integrity protection (prevent hijacking)
#       Require 112-bit (3DES or better) encryption for updates
#       Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
#       Root DSE: allow anyone to read it
#       Subschema (sub)entry DSE: allow anyone to read it
#       Other DSEs:
#               Allow self write access
#               Allow authenticated users read access
#               Allow anonymous users to authenticate
#       Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#       by self write
#       by users read
#       by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

# enable on-the-fly configuration (cn=config)
database config
access to *
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
        by * none

# enable server status monitoring (cn=monitor)
database monitor
access to *
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
        by dn.exact="cn=Manager,dc=gurkulindia,dc=com" read
        by * none

#######################################################################
# database definitions
#######################################################################

database        bdb
suffix          "dc=gurkulindia,dc=com"
checkpoint      1024 15
rootdn          "cn=Manager,dc=gurkulindia,dc=com"
rootpw          {SSHA}5kO/K1KBzJ0wEaKBAGjIDY6MG6TGzg9Q
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw                secret
# rootpw                {crypt}ijFYNcSNctBYg

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /var/lib/ldap

# Indices to maintain for this database
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub

# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
#     bindmethod=sasl saslmech=GSSAPI
#     authcId=host/ldap-master.example.com@EXAMPLE.COM
[root@gurkulrhel1 log]#

Three things to notice in this file before using it beyond a lab. The cn=monitor ACL names the rootdn, so it is changed to the gurkulindia suffix together with the bdb section (the sample still says dc=my-domain,dc=com). The "security" directive stays commented out, so simple binds such as the ldapadd -x -D cn=Manager,... -W commands below send the Manager password in cleartext over ldap://; the TLS lines point at the dummy self-signed certificate produced by /usr/libexec/openldap/generate-server-cert.sh, which clients will not trust until replaced. And "allow bind_v2" is only needed for LDAPv2 clients and can be dropped.
 
Note:
In earlier versions LDAP was configured through the slapd.conf file; in RHEL 6 the file-based configuration is obsolete and the dynamic configuration (cn=config) is edited with the LDAP tools ldapadd/ldapdelete/ldapmodify.
Instead of building the dynamic configuration from scratch, we write slapd.conf as above and convert it into the cn=config form with slaptest. As a prerequisite, remove all the existing configuration as shown below.

Removing default LDAP configuration data

[root@gurkulrhel1 ~]# rm -rf /etc/openldap/slapd.d/*
[root@gurkulrhel1 ~]# rm -rf /var/lib/ldap/*

The second rm also deletes the /var/lib/ldap/DB_CONFIG written in the "Initialize the DB_CONFIG settings" step above, so repeat that step before running slapadd below.

Initialize the DB files for content in the /var/lib/ldap directory (an empty LDIF on stdin creates the BDB environment without adding any entry):

[root@gurkulrhel1 ~]# echo "" | slapadd -f /root/slapd.conf
The first database does not allow slapadd; using the first available one (2)

Convert the slapd.conf to the cn=config model

[root@gurkulrhel1 ~]# slaptest -f /root/slapd.conf -F /etc/openldap/slapd.d/
config file testing succeeded
[root@gurkulrhel1 ~]# ls -l /etc/openldap/slapd.d/
total 8
drwxr-x--- 3 root root 4096 Mar 24 20:52 cn=config
-rw------- 1 root root 1120 Mar 24 20:52 cn=config.ldif
 
Make sure the ldap user (which slapd runs as) owns /etc/openldap/slapd.d and /var/lib/ldap and can read and write them. Keep the restrictive modes slaptest created (750 on the directory, 600 on the files): slapd.d holds the olcRootPW hashes and /var/lib/ldap the password hashes of every user, so neither should be readable by other local accounts.

[root@gurkulrhel1 ~]# chown -R ldap:ldap /etc/openldap/slapd.d
[root@gurkulrhel1 ~]# chmod -R u+rwX /etc/openldap/slapd.d
[root@gurkulrhel1 ~]# chown -R ldap.ldap /var/lib/ldap
 
 
Make sure LDAPI support is enabled in /etc/sysconfig/ldap; the ldapi:/// Unix socket is what the SASL EXTERNAL binds as root use below, and it is the only way to administer cn=config without a password.
[root@gurkulrhel1 ~]# grep LDAPI /etc/sysconfig/ldap
# At least one of SLAPD_LDAP, SLAPD_LDAPI and SLAPD_LDAPS must be set to 'yes'!
SLAPD_LDAPI=yes
# - it doesn't overwrite settings of $SLAPD_LDAP, $SLAPD_LDAPS and $SLAPD_LDAPI options
# - it isn't overwritten by settings of $SLAPD_LDAP, $SLAPD_LDAPS and $SLAPD_LDAPI options
 
 
Start the slapd server
 
 
[root@gurkulrhel1 ~]# service slapd start
Starting slapd:                                            [  OK  ]
 
 
Test whether the slapd backend configuration can be listed with an ldapsearch command.
[root@gurkulrhel1 ~]# ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config | more
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# config
dn: cn=config
objectClass: olcGlobal
cn: config
olcConfigFile: /root/slapd.conf
olcConfigDir: /etc/openldap/slapd.d/
olcAllows: bind_v2
olcArgsFile: /var/run/openldap/slapd.args
olcAttributeOptions: lang-
olcAuthzPolicy: none
olcConcurrency: 0
olcConnMaxPending: 100
olcConnMaxPendingAuth: 1000
olcGentleHUP: FALSE
olcIdleTimeout: 0
olcIndexSubstrIfMaxLen: 4
olcIndexSubstrIfMinLen: 2
olcIndexSubstrAnyLen: 4
olcIndexSubstrAnyStep: 2
olcIndexIntLen: 4
olcLocalSSF: 71
olcPidFile: /var/run/openldap/slapd.pid
olcReadOnly: FALSE
olcReverseLookup: FALSE
olcSaslSecProps: noplain,noanonymous
olcSockbufMaxIncoming: 262143
olcSockbufMaxIncomingAuth: 16777215
olcThreads: 16
olcTLSCACertificatePath: /etc/openldap/certs
olcTLSCertificateFile: "OpenLDAP Server"
olcTLSCertificateKeyFile: /etc/openldap/certs/password
olcTLSVerifyClient: never
olcToolThreads: 1
olcWriteTimeout: 0

::::::   SNIP the output ::::

# {2}bdb, config
dn: olcDatabase={2}bdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcBdbConfig
olcDatabase: {2}bdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=gurkulindia,dc=com
olcAddContentAcl: FALSE
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcRootDN: cn=Manager,dc=gurkulindia,dc=com
olcRootPW: {SSHA}5kO/K1KBzJ0wEaKBAGjIDY6MG6TGzg9Q
olcSyncUseSubentry: FALSE
olcMonitoring: TRUE
olcDbCacheSize: 1000
olcDbCheckpoint: 1024 15
olcDbConfig: {0}set_cachesize 0 268435456 1
olcDbConfig: {1}set_lg_regionmax 262144
olcDbConfig: {2}set_lg_bsize 2097152
olcDbNoSync: FALSE
olcDbDirtyRead: FALSE
olcDbIDLcacheSize: 0
olcDbIndex: objectClass pres,eq
olcDbIndex: cn pres,eq,sub
olcDbIndex: uid pres,eq,sub
olcDbIndex: uidNumber pres,eq
olcDbIndex: gidNumber pres,eq
olcDbIndex: mail pres,eq,sub
olcDbIndex: ou pres,eq,sub
olcDbIndex: loginShell pres,eq
olcDbIndex: sn pres,eq,sub
olcDbIndex: givenName pres,eq,sub
olcDbIndex: memberUid pres,eq,sub
olcDbIndex: nisMapName pres,eq,sub
olcDbIndex: nisMapEntry pres,eq,sub
olcDbLinearIndex: FALSE
olcDbMode: 0600
olcDbSearchStack: 16
olcDbShmKey: 0
olcDbCacheFree: 1
olcDbDNcacheSize: 0

# search result
search: 2
result: 0 Success

# numResponses: 19
# numEntries: 18
 
 

 
 
Making a change to the slapd backend using ldapmodify

The configuration above does not set a rootpw for cn=config. If the cn=config backend needs to be viewed or modified over the network, a bind password is needed. The DN to bind with is whatever olcRootDN holds in olcDatabase={0}config,cn=config (cn=config by default when slapd.conf sets none; check it with ldapsearch -Y EXTERNAL -H ldapi:/// -b olcDatabase={0}config,cn=config olcRootDN). The following example adds an olcRootPW for cn=config through the ldapi:/// interface as the root user:

[root@gurkulrhel1 ~]# ldapmodify -Y EXTERNAL -H ldapi:///
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}5kO/K1KBzJ0wEaKBAGjIDY6MG6TGzg9Q      <<< the hash we created with slappasswd earlier
modifying entry "olcDatabase={0}config,cn=config"
^D

On newer OpenLDAP builds the olcRootPW attribute has no equality matching rule, so the "add:" above fails with "ldap_modify: Inappropriate matching (18)"; use "replace: olcRootPW" in place of "add: olcRootPW" there. Also, do not reuse the bdb Manager hash as the transcript does: cn=config controls ACLs, the rootdn and the loaded modules for the whole server and deserves its own credential.
 
 
 
Now we will make some basic entries for the domain and for the organizational units Groups and People. Note the blank line between entries: in LDIF that blank line is what separates one entry from the next, and leaving it out is what produces the "possible missing newline" and "value provided more than once" errors from ldapadd.

[root@gurkulrhel1 ~]# cat > /root/domain.ldif
dn: dc=gurkulindia,dc=com
objectClass: top
objectClass: domain
dc: gurkulindia

dn: ou=Groups,dc=gurkulindia,dc=com
objectClass: top
objectClass: organizationalunit
ou: Groups

dn: ou=People,dc=gurkulindia,dc=com
objectClass: top
objectClass: organizationalunit
ou: People
^D

[root@gurkulrhel1 ~]# ldapadd -x -h localhost -D cn=Manager,dc=gurkulindia,dc=com -f /root/domain.ldif -W
Enter LDAP Password:  <== enter the password you set as rootpw for the bdb database
adding new entry "dc=gurkulindia,dc=com"
adding new entry "ou=Groups,dc=gurkulindia,dc=com"
adding new entry "ou=People,dc=gurkulindia,dc=com"
 
 
Now we will add one sample user named "gurkuluser" and a group named "redhat", using the LDIF file /root/user.ldif. The transcript reuses the rootpw hash as the user's userPassword for brevity; in practice generate a separate hash with slappasswd, otherwise the test user and the directory administrator share a password.

[root@gurkulrhel1 ~]# cat > /root/user.ldif
dn: uid=gurkuluser,ou=People,dc=gurkulindia,dc=com
givenName: ldap
sn: user1
loginShell: /bin/bash
uidNumber: 1250
gidNumber: 1500
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
uid: gurkuluser
cn: ldap user1
homeDirectory: /home/gurkuluser
userPassword: {SSHA}5kO/K1KBzJ0wEaKBAGjIDY6MG6TGzg9Q

dn: cn=redhat,ou=Groups,dc=gurkulindia,dc=com
objectClass: posixGroup
objectClass: top
cn: redhat
gidNumber: 1500
^D

[root@gurkulrhel1 ~]# ldapadd -x -h localhost -D cn=Manager,dc=gurkulindia,dc=com -f /root/user.ldif -W
Enter LDAP Password:  <== enter the password we set for the bdb database
adding new entry "uid=gurkuluser,ou=People,dc=gurkulindia,dc=com"
adding new entry "cn=redhat,ou=Groups,dc=gurkulindia,dc=com"
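The Python below is an added example, not part of the original post or of OpenLDAP: it builds the same domain, OU, user and group entries that were typed by hand above and checks the LDIF for the mistakes that make ldapadd fail (entries run together without a blank line, an objectClass value repeated, a non-numeric gidNumber, a posixAccount missing one of its required attributes, or a user whose gidNumber has no matching posixGroup). The helper names and the SUFFIX default are assumptions made for this example.

```python
"""Build and sanity-check LDIF before handing it to ldapadd.

Added example, not from the original post. The suffix and entry layout follow
the post; the function names are this example's own.
"""
import re
from typing import Dict, List, Set, Tuple

SUFFIX = "dc=gurkulindia,dc=com"      # suffix used throughout the post
Entry = List[Tuple[str, str]]         # ordered (attribute, value) pairs, dn first

INTEGER_ATTRS = {"uidnumber", "gidnumber"}
POSIX_ACCOUNT_MUST = ("cn", "uid", "uidnumber", "gidnumber", "homedirectory")
POSIX_GROUP_MUST = ("cn", "gidnumber")


def domain_entry(suffix: str = SUFFIX) -> Entry:
    dc = suffix.split(",")[0].split("=", 1)[1]   # "gurkulindia" from "dc=gurkulindia,..."
    return [("dn", suffix), ("objectClass", "top"), ("objectClass", "domain"), ("dc", dc)]


def ou_entry(ou: str, suffix: str = SUFFIX) -> Entry:
    return [("dn", f"ou={ou},{suffix}"), ("objectClass", "top"),
            ("objectClass", "organizationalUnit"), ("ou", ou)]


def posix_user_entry(uid: str, cn: str, sn: str, given_name: str, uid_number: int,
                     gid_number: int, password_hash: str, suffix: str = SUFFIX) -> Entry:
    return [
        ("dn", f"uid={uid},ou=People,{suffix}"),
        ("objectClass", "top"), ("objectClass", "person"),
        ("objectClass", "organizationalPerson"), ("objectClass", "inetOrgPerson"),
        ("objectClass", "posixAccount"),
        ("uid", uid), ("cn", cn), ("sn", sn), ("givenName", given_name),
        ("uidNumber", str(uid_number)), ("gidNumber", str(gid_number)),
        ("homeDirectory", f"/home/{uid}"), ("loginShell", "/bin/bash"),
        ("userPassword", password_hash),   # a {SSHA} value from slappasswd, never cleartext
    ]


def posix_group_entry(cn: str, gid_number: int, suffix: str = SUFFIX) -> Entry:
    return [("dn", f"cn={cn},ou=Groups,{suffix}"), ("objectClass", "top"),
            ("objectClass", "posixGroup"), ("cn", cn), ("gidNumber", str(gid_number))]


def to_ldif(entries: List[Entry]) -> str:
    # Exactly one blank line between entries: that blank line is how ldapadd
    # knows one entry has ended and the next "dn:" begins.
    return "\n\n".join("\n".join(f"{a}: {v}" for a, v in e) for e in entries) + "\n"


def parse_ldif(text: str) -> List[Entry]:
    entries: List[Entry] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry: Entry = []
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            attr, _, value = line.partition(":")
            entry.append((attr.strip(), value.strip()))
        if entry:
            entries.append(entry)
    return entries


def validate_ldif(text: str) -> List[str]:
    """Return a list of problems; an empty list means the LDIF is ready for ldapadd."""
    problems: List[str] = []
    user_gids: Dict[str, str] = {}
    group_gids: Set[str] = set()
    for n, entry in enumerate(parse_ldif(text), 1):
        names = [a.lower() for a, _ in entry]
        label = entry[0][1] if names[0] == "dn" else f"entry #{n}"
        if names[0] != "dn":
            problems.append(f"{label}: first line must be 'dn:'")
        if names.count("dn") > 1:
            problems.append(f"{label}: more than one 'dn:' line; separate entries with a blank line")
        seen: Set[Tuple[str, str]] = set()
        for attr, value in entry:
            key = (attr.lower(), value)
            if key in seen:   # ldapadd reports this as "value #N provided more than once"
                problems.append(f"{label}: {attr}: value {value!r} provided more than once")
            seen.add(key)
            if re.search(r"\sdn:", value):   # two entries run together on one line
                problems.append(f"{label}: {attr} value contains 'dn:'; missing newline before the next entry")
            if attr.lower() in INTEGER_ATTRS and not value.isdigit():
                problems.append(f"{label}: {attr} must be an integer, got {value!r}")
        classes = {v.lower() for a, v in entry if a.lower() == "objectclass"}
        if "posixaccount" in classes:
            problems += [f"{label}: posixAccount requires {m}" for m in POSIX_ACCOUNT_MUST if m not in names]
            user_gids[label] = next((v for a, v in entry if a.lower() == "gidnumber"), "")
        if "posixgroup" in classes:
            problems += [f"{label}: posixGroup requires {m}" for m in POSIX_GROUP_MUST if m not in names]
            group_gids.add(next((v for a, v in entry if a.lower() == "gidnumber"), ""))
    for label, gid in user_gids.items():
        if gid not in group_gids:
            problems.append(f"{label}: gidNumber {gid} has no matching posixGroup in this LDIF")
    return problems
```

Run validate_ldif over a file before ldapadd and fix everything it lists; the checks mirror the server-side errors quoted in the comments (Invalid syntax (21) for a bad gidNumber, Type or value exists (20) for a repeated objectClass, and the "possible missing newline" warning when a dn: is swallowed into the previous entry).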

 

Gurkulrhel2: LDAP Client Configuration

 

Check for all required client packages (nss-pam-ldapd, pam_ldap and openldap-clients are what the nslcd setup needs):

 
[root@gurkulrhel2 log]# rpm -qa|grep ldap
pam_ldap-185-11.el6.x86_64
python-ldap-2.3.10-1.el6.x86_64
apr-util-ldap-1.3.9-3.el6_0.1.x86_64
nss-pam-ldapd-0.7.5-14.el6_2.1.x86_64
compat-openldap-2.3.43-2.el6.x86_64
openldap-devel-2.4.23-26.el6.x86_64
openldap-clients-2.4.23-26.el6.x86_64
ldapjdk-4.18-6.el6.x86_64
[root@gurkulrhel2 log]#
 
 
RHEL 6 supports two kinds of authentication procedure.

Two types of authentication service allow LDAP clients to perform logins:
1. SSSD (System Security Services Daemon)
2. nslcd-based authentication
 
 
 
Authentication Type 1: SSSD (System Security Services Daemon) is a service that provides access to different identity and authentication providers. SSSD reads its configuration from /etc/sssd/sssd.conf for identity lookup and authentication. SSSD refuses to send passwords over an unencrypted channel, so LDAP authentication through SSSD requires TLS (STARTTLS) or LDAPS; if the LDAP server is used only as an identity provider, an encrypted channel is not required. Configuring the LDAP client using SSSD (recommended):
 
Required SSSD packages:

         # yum install sssd sssd-client

Configure the system from the command line:

          # authconfig --enableldap --enableldapauth --ldapserver="gurkulrhel1" --ldapbasedn="dc=gurkulindia,dc=com" --enableldaptls --update

Or, if you want to use the menu-based (GUI) configuration:

          System > Administration > Authentication (or run authconfig-gtk from a terminal)
 
Important note: if the client has no certificate it trusts for the server's TLS session, LDAP users will not be able to log in. The login fails with "Access denied" and syslog records the TLS error:

     login as: gurkuluser
     gurkuluser@192.168.1.32's password:
     Access denied

/var/log/messages on the client:

     Mar 24 11:10:48 gurkulrhel2 sssd: Starting up
     Mar 24 11:10:48 gurkulrhel2 sssd[be[default]]: Starting up
     Mar 24 11:10:48 gurkulrhel2 sssd[nss]: Starting up
     Mar 24 11:10:48 gurkulrhel2 sssd[pam]: Starting up
     Mar 24 11:10:59 gurkulrhel2 sssd[be[default]]: Could not start TLS encryption. TLS error -8157:Certificate extension not found.

With the server still using the dummy self-signed certificate from generate-server-cert.sh this is the expected outcome. The fix is to give the server a certificate issued by a CA the client trusts and load that CA certificate on the client (authconfig's --ldaploadcacert option does this), not to fall back to plain ldap://.
 
Authentication Type 2: Configuring the LDAP client using nslcd. The nss-pam-ldapd package provides the nslcd daemon, which uses a directory server to look up name service information on behalf of a lightweight nsswitch module. The authentication part is handled by pam_ldap (PADL's module, packaged as pam_ldap on RHEL 6).

On RHEL 6.3 nss-pam-ldapd's own PAM module is disabled. nslcd reads its configuration from /etc/nslcd.conf and pam_ldap from /etc/pam_ldap.conf; if authconfig is used, both files are updated automatically.
 
Install Required Packages :
 
# yum install nss-pam-ldapd pam_ldap
 
Authconfig uses SSSD by default. To configure nslcd instead, set the FORCELEGACY option in /etc/sysconfig/authconfig:

      FORCELEGACY=yes

or enable the same parameter from the command line:

      # authconfig --enableforcelegacy --update

Finally enable LDAP authentication for the client. Note that without --enableldaptls this uses plain ldap://, and pam_ldap authenticates by a simple bind, so every user's password crosses the network in cleartext from gurkulrhel2 to gurkulrhel1 at each login; acceptable in this lab, not elsewhere.

[root@gurkulrhel2 ~]# authconfig --enableldap --enableldapauth --ldapserver=gurkulrhel1 --ldapbasedn="dc=gurkulindia,dc=com" --update
Starting nslcd:                                            [  OK  ]
Starting oddjobd:                                          [  OK  ]
 
Restart the nslcd service.
 
[root@gurkulrhel2 log]# service nslcd restart
Stopping nslcd:                                            [FAILED]
Starting nslcd:                                            [  OK  ]
 
 
Confirm that the client can see the LDAP users.

[root@gurkulrhel2 log]# getent passwd gurkuluser
gurkuluser:{SSHA}5kO/K1KBzJ0wEaKBAGjIDY6MG6TGzg9Q:1250:1500:ldap user1:/home/gurkuluser:/bin/bash

Look at the second field: the {SSHA} hash of gurkuluser's password is being handed to the client, and nslcd binds anonymously here (no binddn is configured in /etc/nslcd.conf). Anyone who can reach port 389 can therefore dump every user's password hash and crack it offline. This happens because the sample slapd.conf leaves all access controls commented out, so the default policy ("anyone can read anything") applies to userPassword too. Before going beyond a lab, add an ACL in the bdb database section ahead of any catch-all rule, for example access to attrs=userPassword by self write by anonymous auth by * none. Logins keep working because pam_ldap authenticates by binding as the user rather than by reading the hash, and getent then shows "*" in the password field.
 
 
Login from the client
 
login as: gurkuluser
gurkuluser@192.168.1.32’s password:
Creating home directory for gurkuluser.
[gurkuluser@gurkulrhel2 ~]$

 

If you want to know a little more about LDAP, stay tuned for the next post.

 


Ramdev


I have started unixadminschool.com ( aka gurkulindia.com) in 2009 as my own personal reference blog, and later sometime i have realized that my leanings might be helpful for other unixadmins if I manage my knowledge-base in more user friendly format. And the result is today's' unixadminschool.com. You can connect me at - https://www.linkedin.com/in/unixadminschool/

24 Responses

  1. venu says:

    Hi,

    I am getting the below error, can someone please help me?
    ldap_bind: Invalid credentials (49)

  2. venu says:

    Hi,
    How do I give the LDAP user full permission to change the password? Please help me.

  3. siddharth says:

    ldapmodify -Y EXTERNAL -H ldapi:///
    takes too much time

  4. siddharth says:

    How to solve this?

    [root@ldap migrationtools]# ldapadd -x -h localhost -D cn=Manager,dc=example,dc=com -f /root/user.ldif -W
    Enter LDAP Password:
    ldapadd: attributeDescription “dn”: (possible missing newline after line 19, entry “uid=gurkuluser,ou=People,dc=example,dc=com”?)
    adding new entry “uid=gurkuluser,ou=People,dc=example,dc=com”
    ldap_add: Invalid syntax (21)
    additional info: gidNumber: value #1 invalid per syntax

    • Ramdev Ramdev says:

      Please check if there are any typos in the user.ldif file, because the error says invalid syntax for the parameter “gidNumber”.

  5. Kman says:

    I get the following error when adding the domain i.e.

    [root@ldap ~]# ldapadd -x -h localhost -D cn=Manager,dc=testdom,dc=com -f /root/domain.ldif -W
    Enter LDAP Password:
    adding new entry “dc=testdom,dc=com”
    ldap_add: Type or value exists (20)
    additional info: objectClass: value #0 provided more than once

    my domain.ldif file contains this:

    dn: dc=testdom,dc=com
    objectClass: top
    objectClass: domain
    dc: testdom dn: ou=Groups,dc=testdomdc=com
    objectClass: top
    objectClass: organizationalunit
    ou: Groups dn: ou=People,dc=testdom,dc=com
    objectClass: top
    objectClass: organizationalunit
    ou: People

    Can you advise?

    Thanks
    Kman

  6. Ramdev Ramdev says:

    Hello, it seems some content in the file domain.ldif has duplicate entries, please double check.

  7. Tim says:

    Seems there’s an error in the procedure. The step “Initialize the DB_CONFIG Settings from default file” builds the /var/lib/ldap/DB_CONFIG file, but the step “Removing default ldap configuration data” deletes it.

  8. Tim says:

    Also, the step “Now we will make some basic entries for domain, and organizational units named  groups and people.” is missing some line breaks.

  9. Abhishek says:

    After the openldap configuration I am facing the following issue

    [root@ldap01 ldap]#  ldapsearch -x -b “cn=config” -D “cn=admin,cn=config” -w config -h localhost dn -LLL | grep -v ^$
    ldap_bind: Invalid credentials (49)
    [root@rldap01 ldap]#
     

  10. Ataur Rahman says:

    When I am trying to add olcRootPW following the instructions, it is giving me an ERROR: ldap_modify: Inappropriate matching (18) additional info: modify/add: olcRootPW: no equality matching rule
    Could you please help to solve this ERROR?
    My OS version is Red Hat Enterprise Linux Server release 6.4 (Santiago)

    [root@gurkulrhel1 ~]# ldapmodify -Y EXTERNAL -H ldapi:///
    SASL/EXTERNAL authentication started
    SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    SASL SSF: 0
    dn: olcDatabase={0}config,cn=config
    changetype: modify
    add: olcRootPW
    olcRootPW: {SSHA}5kO/K1KBzJ0wEaKBAGjIDY6MG6TGzg9Q
    modifying entry “olcDatabase={0}config,cn=config”

    ERROR
    modifying entry “olcDatabase={0}config,cn=config”
    ldap_modify: Inappropriate matching (18)
    additional info: modify/add: olcRootPW: no equality matching rule

    • Ramdev Ramdev says:

      I suspect there might be issues with the step “Modify /root/slapd.conf to reflect the domain name and password”. Please verify the file again and also make sure the verification was good with the command below.

      “ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config”

      Ideally the olcRootPW should show the default password here

  11. Rahul says:

    Missing required extension
    Your install of PHP appears to be missing LDAP support.

    Please install LDAP support before using phpLDAPadmin.
    (Dont forget to restart your web server afterwards)

  12. RAHUL P.S says:

    I am new to a company and I got a task to set up a Linux domain for user authentication and management. I went through different articles and finally decided to configure openldap. I have seen different methods to create it and I tried almost all of them, also the method just described above. None of them was a success.
    Actually I am totally confused about which method will give a positive output. I need to create it as soon as possible.
    The server is RHEL6 and the client Fedora20. Please help!

  13. Deepak says:

    Hi All,

    I am getting an error on the openldap client side. Please assist. When I run the ldapsearch command on the client side it gives me an error: ldap_sasl_bind(simple) can’t contact ldap server (-1). I am using nslcd authentication. I am not using TLS or a certificate. It is just simple authentication.

    Machine : Fedora 20

    [root@client ~]# systemctl -l status nslcd.service
    nslcd.service – Naming services LDAP client daemon.
    Loaded: loaded (/usr/lib/systemd/system/nslcd.service; enabled)
    Active: active (running) since Mon 2014-08-25 16:54:35 IST; 3min 12s ago
    Process: 19065 ExecStart=/usr/sbin/nslcd (code=exited, status=0/SUCCESS)
    Main PID: 19066 (nslcd)
    CGroup: /system.slice/nslcd.service
    └─19066 /usr/sbin/nslcd

    Aug 25 16:54:24 client.example.com systemd[1]: Unit nslcd.service entered failed state.
    Aug 25 16:54:24 client.example.com systemd[1]: Starting Naming services LDAP client daemon….
    Aug 25 16:54:35 client.example.com systemd[1]: PID file /var/run/nslcd/nslcd.pid not readable (yet?) after start.
    Aug 25 16:54:35 client.example.com nslcd[19066]: version 0.8.13 starting
    Aug 25 16:54:35 client.example.com nslcd[19066]: accepting connections
    Aug 25 16:54:35 client.example.com systemd[1]: Started Naming services LDAP client daemon..
    Aug 25 16:55:14 client.example.com nslcd[19066]: [8b4567] failed to bind to LDAP server ldap://15.0.0.1: Can’t contact LDAP server: Connection timed out
    Aug 25 16:55:14 client.example.com nslcd[19066]: [8b4567] no available LDAP server found: Can’t contact LDAP server: Connection timed out
    Aug 25 16:56:47 client.example.com nslcd[19066]: [7b23c6] failed to bind to LDAP server ldap://15.0.0.1: Can’t contact LDAP server: Transport endpoint is not connected
    Aug 25 16:56:47 client.example.com nslcd[19066]: [7b23c6] no available LDAP server found: Can’t contact LDAP server: Transport endpoint is not connected

    Thanks in Advance

    Deepak

  14. shivakumar says:

    Hi Ramdev, the article is very nicely explained, but I am facing the issue mentioned below.

    1. I have followed the steps as mentioned in the article but I am not getting the getent command output.

    Kindly let me know the reason & solution.

    [root@ldapmaster ~]# getent passwd jeevetha
    [root@ldapmaster ~]# nothing getting.

    slapcat output:-
    [root@ldapmaster ~]# slapcat
    The first database does not allow slapcat; using the first available one (2)
    dn: dc=shiva,dc=com
    objectClass: top
    objectClass: domain
    dc: shiva
    structuralObjectClass: domain
    entryUUID: 3abc86ec-d820-1033-9ae9-67219d7b460e
    creatorsName: cn=Manager,dc=shiva,dc=com
    createTimestamp: 20140924102102Z
    entryCSN: 20140924102102.323033Z#000000#000#000000
    modifiersName: cn=Manager,dc=shiva,dc=com
    modifyTimestamp: 20140924102102Z

    dn: ou=Groups,dc=shiva,dc=com
    objectClass: top
    objectClass: organizationalUnit
    ou:: R3JvdXBzIA==
    structuralObjectClass: organizationalUnit
    entryUUID: 3abe5cc4-d820-1033-9aea-67219d7b460e
    creatorsName: cn=Manager,dc=shiva,dc=com
    createTimestamp: 20140924102102Z
    entryCSN: 20140924102102.335061Z#000000#000#000000
    modifiersName: cn=Manager,dc=shiva,dc=com
    modifyTimestamp: 20140924102102Z

    dn: ou=People,dc=shiva,dc=com
    objectClass: top
    objectClass: organizationalUnit
    ou: People
    structuralObjectClass: organizationalUnit
    entryUUID: 3abf04d0-d820-1033-9aeb-67219d7b460e
    creatorsName: cn=Manager,dc=shiva,dc=com
    createTimestamp: 20140924102102Z
    entryCSN: 20140924102102.339363Z#000000#000#000000
    modifiersName: cn=Manager,dc=shiva,dc=com
    modifyTimestamp: 20140924102102Z

    dn: uid=jeevetha,ou=People,dc=shiva,dc=com
    givenName: ldap
    sn: user1
    loginShell: /bin/bash
    uidNumber: 1250
    gidNumber: 1500
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    objectClass: posixAccount
    uid: jeevetha
    cn: ldap user1
    homeDirectory: /home/jeevetha
    userPassword:: e1NTSEF9d1F2L1Y3eE84WVJvR2xWK0l3dUNMOGZobnhSb2RKZS8=
    structuralObjectClass: inetOrgPerson
    entryUUID: 14449e80-d822-1033-9aec-67219d7b460e
    creatorsName: cn=Manager,dc=shiva,dc=com
    createTimestamp: 20140924103416Z
    entryCSN: 20140924103416.777242Z#000000#000#000000
    modifiersName: cn=Manager,dc=shiva,dc=com
    modifyTimestamp: 20140924103416Z

    dn: cn=redhat,ou=Groups,dc=shiva,dc=com
    objectClass: posixGroup
    objectClass: top
    cn: redhat
    gidNumber: 1500
    structuralObjectClass: posixGroup
    entryUUID: 1448e7ce-d822-1033-9aed-67219d7b460e
    creatorsName: cn=Manager,dc=shiva,dc=com
    createTimestamp: 20140924103416Z
    entryCSN: 20140924103416.805334Z#000000#000#000000
    modifiersName: cn=Manager,dc=shiva,dc=com
    modifyTimestamp: 20140924103416Z
