
RHEL6 Openldap Server _ Laurent Domb OSS Blog


7/22/2019 RHEL6 Openldap Server _ Laurent Domb OSS Blog

http://slidepdf.com/reader/full/rhel6-openldap-server-laurent-domb-oss-blog 1/39

Mar 30, 2011, by laurent. 75 Comments

Please note that all double quote characters in this example are plain ASCII " characters, not typographical ones!

Step 1: first we need to install the required packages:

#yum install openldap-servers migrationtools

Step 2: As the configuration for LDAP is stored inside the LDAP server itself, the configuration is done by editing LDIF files under the /etc/openldap/slapd.d/ directory.

Now create the ldap password:

# slappasswd

You'll get something like "{SSHA}r2or9f2vYlvieCu0LP6wTnSdYfrddsuV" as a result. This is the string we will have to add to the bdb.ldif config file: only the {SSHA}... string itself, not the "New password:" prompts printed around it.

RHEL6 openldap server : Laurent Domb OSS Blog http://blog.domb.net/?p=74

1 of 39 8/26/2013 10:17 AM


# vim /etc/openldap/slapd.d/cn=config/olcDatabase={1}bdb.ldif

Substitute my-domain.com with yourdomain.com:

:%s/dc=my-domain,dc=com/dc=yourdomain,dc=com/g

Step 3: We now set the admin password and specify the location of our TLS certificate and key. Add these 3 lines at the end of the bdb.ldif file:

olcRootPW: {SSHA}r2or9f2vYlvieCu0LP6wTnSdYfrddsuV

olcTLSCertificateFile: /etc/pki/tls/certs/slapdcert.pem

olcTLSCertificateKeyFile: /etc/pki/tls/certs/slapdkey.pem
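As an added example (my own code, not from the post and not OpenLDAP's), the following Python shows what the {SSHA} string printed by slappasswd actually contains, how slapd checks a bind password against it, and a pre-flight check for the olcRootPW value that catches the paste mistakes reported in the comments below this post (prompt text left in the file, typographic quotes, a truncated hash). The password "secret", the fixed salt and the function names are constructed for the example; the sample hash in the demo check is the one from step 2.

```python
import base64
import hashlib
import hmac
import os


def ssha_hash(password, salt=None):
    """Build a {SSHA} value in the format slappasswd prints.

    Layout: "{SSHA}" + base64( SHA1(password || salt) || salt ).
    slappasswd uses a random 4-byte salt; any salt length verifies fine
    because the salt is simply whatever follows the 20-byte digest.
    """
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check a password against a stored {SSHA} value, as slapd does on bind."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def check_root_pw_value(value):
    """Return the problems with a string meant to follow 'olcRootPW: ' in bdb.ldif.

    Each check corresponds to a mistake reported in the comments on the post:
    the slappasswd prompts pasted along with the hash, the hash spread over
    several lines, typographic quotes copied from a web page, or a hash that
    was truncated while copying.
    """
    problems = []
    if "password" in value.lower():
        problems.append("contains slappasswd prompt text; keep only the {SSHA}... string")
    if any(ord(c) > 127 for c in value):
        problems.append("contains a non-ASCII character (typographic quote?)")
    if value != value.strip():
        problems.append("has leading or trailing whitespace")
    body = value.strip()
    if "\n" in body:
        problems.append("spans more than one line")
    if not body.startswith("{SSHA}"):
        problems.append("does not start with {SSHA}")
        return problems
    try:
        raw = base64.b64decode(body[len("{SSHA}"):], validate=True)
    except ValueError:
        problems.append("hash is not valid base64 (truncated or mangled?)")
        return problems
    if len(raw) <= 20:
        problems.append("decoded hash is too short: no salt after the 20-byte digest")
    return problems


if __name__ == "__main__":
    # constructed demo: fixed salt so the output is reproducible
    value = ssha_hash("secret", salt=b"\x01\x02\x03\x04")
    print("olcRootPW:", value)
    print("verify 'secret':", ssha_verify("secret", value))
    print("verify 'wrong': ", ssha_verify("wrong", value))
    print("checks on the page's hash:", check_root_pw_value("{SSHA}r2or9f2vYlvieCu0LP6wTnSdYfrddsuV"))
    print("checks on a bad paste:", check_root_pw_value("New password:\n" + value))
```

Run check_root_pw_value on the exact text you are about to append to bdb.ldif; an empty list means the line is well formed. SHA-1 with a 4-byte salt is what {SSHA} is; slapd also supports stronger schemes, but this is the one slappasswd produces by default on RHEL6.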

Step 4: Now we have to specify the monitoring privileges

# vim /etc/openldap/slapd.d/cn=config/olcDatabase={2}monitor.ldif

Again, we have to replace the default domain name with our domain name:

:%s/cn=manager,dc=my-domain,dc=com/cn=Manager,dc=yourdomain,dc=com/g

Step 5: Now it's time for the database cache configuration (DB_CONFIG)

# updatedb

# cp /usr/share/doc/openldap-servers-2.4.19/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

# chown -Rf ldap:ldap /var/lib/ldap/

The version directory under /usr/share/doc may differ on your system; updatedb was run so that "locate DB_CONFIG.example" shows you the right path.

Step 6: Now we will need to set up a certificate for TLS. First we need to edit /etc/sysconfig/ldap and change SLAPD_LDAPS from no to yes.

# vi /etc/sysconfig/ldap

SLAPD_LDAPS=yes

Now we can create the certificate:

# openssl req -new -x509 -nodes -out /etc/pki/tls/certs/slapdcert.pem -keyout /etc/pki/tls/certs/slapdkey.pem -days 365

This will create the certificate and its private key in the /etc/pki/tls/certs/ directory. We need to make them readable for the ldap user (slapd runs as ldap) without making the private key readable by everyone:

# chown -Rf root:ldap /etc/pki/tls/certs/slapdcert.pem /etc/pki/tls/certs/slapdkey.pem

# chmod -Rf 750 /etc/pki/tls/certs/slapdcert.pem /etc/pki/tls/certs/slapdkey.pem
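An added example, not part of the post: a small audit of the certificate and key files produced in this step. It checks that both files exist and look like PEM, that the private key is readable by its group (how the ldap user gets at a root-owned key after the chown/chmod above) and not by everyone, and optionally that both are owned by root:ldap. audit_tls_files and run_demo are my own helpers; the file contents written by run_demo are constructed placeholders, not real key material. On the real server call audit_tls_files with the two paths from the openssl command and ldap_group="ldap".

```python
import os
import stat

try:
    import grp  # Unix only; needed for the optional ownership check
except ImportError:
    grp = None


def audit_tls_files(cert_path, key_path, ldap_group="ldap"):
    """Return a list of problems with the slapd certificate and key from step 6.

    Checks: both files exist and carry PEM markers; the private key is not
    readable by 'other'; the key is readable by its group; and, when
    ldap_group is given and exists on this host, both files are owned by
    root:<ldap_group>. Pass ldap_group=None to skip the ownership check.
    """
    problems = []
    want_gid = None
    if ldap_group is not None and grp is not None:
        try:
            want_gid = grp.getgrnam(ldap_group).gr_gid
        except KeyError:
            problems.append(f"group {ldap_group!r} does not exist on this host")
    for label, path, marker in (("certificate", cert_path, b"CERTIFICATE-----"),
                                ("private key", key_path, b"PRIVATE KEY-----")):
        if not os.path.isfile(path):
            problems.append(f"{label} {path} does not exist (was the openssl command run?)")
            continue
        with open(path, "rb") as fh:
            head = fh.read(4096)
        if marker not in head:
            problems.append(f"{label} {path} does not look like a PEM file")
        st = os.stat(path)
        if want_gid is not None and (st.st_uid != 0 or st.st_gid != want_gid):
            problems.append(f"{label} {path} is not owned by root:{ldap_group}")
    if os.path.isfile(key_path):
        mode = stat.S_IMODE(os.stat(key_path).st_mode)
        if mode & stat.S_IROTH:
            problems.append(f"private key {key_path} is world-readable (mode {mode:04o})")
        if not mode & stat.S_IRGRP:
            problems.append(f"private key {key_path} is not group-readable (mode {mode:04o}); "
                            "the ldap user cannot read it")
    return problems


def run_demo():
    """Write constructed placeholder PEM files (no real key material) to a
    temporary directory and audit the key under three permission settings."""
    import tempfile
    workdir = tempfile.mkdtemp(prefix="slapd-tls-demo-")
    cert = os.path.join(workdir, "slapdcert.pem")
    key = os.path.join(workdir, "slapdkey.pem")
    with open(cert, "w") as fh:
        fh.write("-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n")
    with open(key, "w") as fh:
        fh.write("-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END PRIVATE KEY-----\n")
    results = {}
    for mode in (0o640, 0o644, 0o600):
        os.chmod(key, mode)
        results[mode] = audit_tls_files(cert, key, ldap_group=None)
    return results


if __name__ == "__main__":
    for mode, problems in run_demo().items():
        print(f"key mode {mode:04o}: {problems or 'OK'}")
```

The three modes in run_demo are the interesting cases: 0640 (root:ldap, what the chmod/chown above achieve for the group bit) passes, 0644 leaks the private key to every local user, and 0600 keeps it from the ldap user entirely, which is one way to end up with slapd failing to start after this step.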


Step 7: Time to test our configuration

# slaptest -u

config file testing succeeded

Step 8: Start the ldap server

# service slapd start

Let's check if our ldap server really works:

# ldapsearch -x -b "dc=yourdomain,dc=com"

If you get "search: 2" then you're on track! At this point the directory is still empty, so the result line reads "result: 32 No such object"; it changes to "result: 0 Success" once the base entries from step 9 have been added.

Step 9: Configure the base domain. Create the file base.ldif in your current directory (anywhere except /etc/openldap/slapd.d/, which slapd reads as its own configuration). The suffix must match the olcSuffix set in step 2, and each entry must be separated from the next by an empty line:

# vi base.ldif

dn: dc=yourdomain,dc=com
dc: yourdomain
objectClass: top
objectClass: domain

dn: ou=People,dc=yourdomain,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=yourdomain,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit

Now we import our base information into the ldap directory:

# ldapadd -x -W -D "cn=Manager,dc=yourdomain,dc=com" -f base.ldif
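As an added example (my code, not the post's), here is a checker for base.ldif that finds the problems behind the "ldap_bind: Invalid DN syntax (34)" and missing-parent errors discussed in the comments on this post: typographic quotes copied from the web page, two lines run together because Enter was not pressed, a first entry whose DN does not match olcSuffix (dc=net in the file versus dc=com in the database), and an ou whose parent entry is not defined. GOOD and BAD are constructed inputs; the suffix dc=yourdomain,dc=com is the one used in this post, and the function names are mine.

```python
import re

# A known attribute name followed by a colon inside a *value* means two lines
# were run together (Enter not pressed after the previous value).
RUN_TOGETHER = re.compile(r"(?:dn|dc|ou|cn|objectClass)\s*:", re.IGNORECASE)


def parse_ldif(text):
    """Split LDIF text into entries, each a list of (attribute, value) pairs.

    Entries are separated by blank lines, a line starting with a space
    continues the previous value, and '#' lines are comments.
    """
    entries, current = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current = []
            continue
        if line.startswith(" ") and current:
            attr, val = current[-1]
            current[-1] = (attr, val + line[1:])
            continue
        attr, sep, val = line.partition(":")
        if not sep or not attr.strip():
            raise ValueError(f"line {lineno}: not an 'attribute: value' line: {line!r}")
        current.append((attr.strip(), val.strip()))
    if current:
        entries.append(current)
    return entries


def normalize_dn(dn):
    return ",".join(part.strip().lower() for part in dn.split(","))


def check_dn(dn):
    """Problems with a DN as typed on the command line, e.g. the -D bind DN."""
    problems = []
    if any(ord(c) > 127 for c in dn):
        problems.append("DN contains a non-ASCII character (typographic quote from a web page?)")
    for rdn in dn.split(","):
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip() or not value.strip():
            problems.append(f"RDN {rdn.strip()!r} is not of the form attribute=value")
    return problems


def check_base_ldif(text, suffix):
    """Problems with a base.ldif for a database whose olcSuffix is `suffix`."""
    problems = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if any(ord(c) > 127 for c in line):
            problems.append(f"line {lineno}: non-ASCII character")
    try:
        entries = parse_ldif(text)
    except ValueError as exc:
        return problems + [str(exc)]
    if not entries:
        return problems + ["file contains no entries"]
    known = set()
    for index, entry in enumerate(entries):
        attr, dn = entry[0]
        if attr.lower() != "dn":
            problems.append(f"entry {index + 1} does not start with 'dn:' (blank line missing before it?)")
            continue
        problems += [f"entry {dn!r}: {p}" for p in check_dn(dn)]
        ndn = normalize_dn(dn)
        if index == 0 and ndn != normalize_dn(suffix):
            problems.append(f"first entry {dn!r} is not the database suffix {suffix!r}; ldapadd will reject it")
        elif index > 0:
            parent = ndn.split(",", 1)[1] if "," in ndn else ""
            if parent not in known:
                problems.append(f"entry {dn!r}: parent {parent!r} is not defined earlier in the file")
        rdn_attr, _, rdn_val = dn.split(",", 1)[0].partition("=")
        values = [v for a, v in entry[1:] if a.lower() == rdn_attr.strip().lower()]
        if rdn_val.strip() not in values:
            problems.append(f"entry {dn!r}: needs '{rdn_attr.strip()}: {rdn_val.strip()}' to match its RDN")
        for attr, val in entry[1:]:
            if RUN_TOGETHER.search(val):
                problems.append(f"entry {dn!r}: value {val!r} looks like two lines run together")
        known.add(ndn)
    return problems


# constructed inputs: the base.ldif from step 9, and a broken variant
SUFFIX = "dc=yourdomain,dc=com"
GOOD = """dn: dc=yourdomain,dc=com
dc: yourdomain
objectClass: top
objectClass: domain

dn: ou=People,dc=yourdomain,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=yourdomain,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit
"""
BAD = """dn: dc=yourdomain,dc=net
dc: yourdomain
objectClass: top
objectClass: domain

dn: ou=People,dc=yourdomain,dc=net
ou: PeopleobjectClass: top
objectClass: organizationalUnit
"""

if __name__ == "__main__":
    print("good:", check_base_ldif(GOOD, SUFFIX))
    print("bad: ", check_base_ldif(BAD, SUFFIX))
    print("bind DN with curly quotes:", check_dn("\u201dcn=Manager,dc=yourdomain,dc=com\u201d"))
```

The RDN check also answers the multi-component case raised in the comments (a suffix such as dc=area,dc=test,dc=org): the first entry's dc attribute must carry the value of its first RDN, here "area".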

Step 10: Let's migrate the users. Go to the directory /usr/share/migrationtools and edit the file migrate_common.ph:

# vim /usr/share/migrationtools/migrate_common.ph


Set:

# Default DNS domain

$DEFAULT_MAIL_DOMAIN = "yourdomain.com";

# Default base

$DEFAULT_BASE = "dc=yourdomain,dc=com";

Then extract the local accounts with UIDs 500-599 (the regular users on a RHEL6 box) and convert them to LDIF:

# grep ":5[0-9][0-9]" /etc/passwd > passwd

# grep ":5[0-9][0-9]" /etc/group > group

# ./migrate_passwd.pl passwd > users.ldif

# ./migrate_group.pl group > group.ldif

The generated group entries live under ou=Group, which matches the base.ldif from step 9. Only if your base uses ou=Groups instead do you need to rename them first:

# sed -e "s/ou=Group/ou=Groups/g" group.ldif > groups.ldif

Finally add the users and groups to the directory:

# ldapadd -x -W -D "cn=Manager,dc=yourdomain,dc=com" -f users.ldif

# ldapadd -x -W -D "cn=Manager,dc=yourdomain,dc=com" -f group.ldif
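An added example, not the post's code and not migrationtools itself: a Python equivalent of the grep/migrate_passwd.pl pair above. It selects accounts by the uidNumber field rather than by the grep pattern ":5[0-9][0-9]" (which also matches a 5xx GID or any other field containing :5xx), emits posixAccount entries modelled on migrate_passwd.pl's output, takes the password hash from shadow-format text with the {crypt} scheme prefix migrationtools uses, and base64-encodes values LDIF cannot carry literally. SAMPLE_PASSWD and SAMPLE_SHADOW are constructed and contain no real accounts or hashes; the function names are mine.

```python
import base64


def ldif_line(attr, value):
    """Format one LDIF attribute line, base64-encoding ('::') any value that
    LDIF cannot carry literally: leading space/colon/'<', trailing space,
    control characters or non-ASCII text (for example an accented gecos)."""
    unsafe = (value[:1] in (" ", ":", "<") or value.endswith(" ")
              or any(ord(c) < 32 or ord(c) > 126 for c in value))
    if unsafe:
        return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{attr}: {value}"


def parse_passwd(text):
    """Parse /etc/passwd-format lines; comments and malformed lines are skipped."""
    users = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit() or not fields[3].isdigit():
            continue
        name, _pw, uid, gid, gecos, home, shell = fields
        users.append({"name": name, "uid": int(uid), "gid": int(gid),
                      "gecos": gecos, "home": home, "shell": shell})
    return users


def parse_shadow(text):
    """Map user name -> password hash from /etc/shadow-format lines, skipping
    locked or empty entries ('', '!', '!!', '*')."""
    hashes = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[1] not in ("", "!", "!!", "*"):
            hashes[fields[0]] = fields[1]
    return hashes


def user_to_ldif(user, base, people_ou="ou=People", password_hash=None):
    """One posixAccount entry, modelled on what migrate_passwd.pl emits."""
    full_name = user["gecos"].split(",")[0].strip() or user["name"]
    lines = [
        ldif_line("dn", f"uid={user['name']},{people_ou},{base}"),
        ldif_line("uid", user["name"]),
        ldif_line("cn", full_name),
        ldif_line("objectClass", "account"),
        ldif_line("objectClass", "posixAccount"),
        ldif_line("objectClass", "shadowAccount"),
        ldif_line("objectClass", "top"),
        ldif_line("uidNumber", str(user["uid"])),
        ldif_line("gidNumber", str(user["gid"])),
        ldif_line("homeDirectory", user["home"]),
    ]
    if user["shell"]:
        lines.append(ldif_line("loginShell", user["shell"]))
    if user["gecos"]:
        lines.append(ldif_line("gecos", user["gecos"]))
    if password_hash:
        # migrationtools stores the crypt(3) hash with the {crypt} scheme prefix
        lines.append(ldif_line("userPassword", "{crypt}" + password_hash))
    return "\n".join(lines) + "\n"


def migrate_users(passwd_text, base, uid_min=500, uid_max=599, shadow_text=""):
    """Emit LDIF for the accounts whose uidNumber lies in [uid_min, uid_max].

    Filtering on the UID field is what the post's grep ":5[0-9][0-9]" intends;
    the grep itself also matches a 5xx GID or any other field containing :5xx.
    Entries are separated by one blank line, as ldapadd requires.
    """
    hashes = parse_shadow(shadow_text)
    entries = [user_to_ldif(u, base, password_hash=hashes.get(u["name"]))
               for u in parse_passwd(passwd_text) if uid_min <= u["uid"] <= uid_max]
    return "\n".join(entries)


# constructed sample input (no real accounts or hashes)
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
nobody:x:99:99:Nobody:/:/sbin/nologin
mani:x:500:500:Mani Example:/home/mani:/bin/bash
alice:x:501:501::/home/alice:/bin/sh
bob:x:1001:500:Bob Example:/home/bob:/bin/bash
"""
SAMPLE_SHADOW = """mani:$6$constructedsalt$constructedhashvalue:15000:0:99999:7:::
alice:!!:15000:0:99999:7:::
"""

if __name__ == "__main__":
    print(migrate_users(SAMPLE_PASSWD, "dc=yourdomain,dc=com", shadow_text=SAMPLE_SHADOW))
```

In the sample, bob has GID 500 but UID 1001, so the grep in the post would have picked him up while the UID filter does not; alice has a locked shadow entry and is exported without a userPassword attribute, so she cannot bind until a password is set in LDAP. Reading /etc/shadow requires root, which is why migrate_passwd.pl is normally run as root too.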

Step 11: Testing the ldap server. We check if user mani exists:

# ldapsearch -x -b "dc=yourdomain,dc=com" "(cn=mani)"

If the test is successful, you're done.

Categories: Linux

75 Responses so far.

Travis says:

April 6, 2011 at 5:37 pm

Hey, this is a great posting. Thanks so much for taking the time to do this.

I do have one question though..

When I add: olcRootPW: {SSHA}…. as part of your instructions


I get the following message when I run the slaptest -u

olcRootPW: value #0: can only be set when rootdn is under suffix

I can’t see what I’ve missed. If I comment that line out of the olcDatabase={2}monitor.ldif the error goes away, but I of course can’t authenticate either.

Any ideas?

Reply

 laurent says:

April 6, 2011 at 10:24 pm

Yes the 3 lines

olcRootPW: {SSHA}r2or9f2vYlvieCu0LP6wTnSdYfrddsuV

olcTLSCertificateFile: /etc/pki/tls/certs/slapdcert.pem

olcTLSCertificateKeyFile: /etc/pki/tls/certs/slapdkey.pem

have to be added to the /etc/openldap/slapd.d/cn=config/olcDatabase={1}bdb.ldif file not the olcDatabase={2}monitor.ldif.

Reply

  Robert says:

April 9, 2011 at 4:42 pm

Hi, thanks for the help. I've been looking for some help for a while. I'm stuck on a certain point. Where you import base information:

ldapadd -x -W -D “cn=Manager,dc=yourdomain,dc=com” -f base.ldif 

I get an error:

Enter LDAP Password:

ldap_bind: Invalid DN syntax (34)

additional info: invalid DN

I don’t know why I’m getting this error. I changed yourdomain to example which is my domain.

Any help would be appreciated, thanks,

Rob

Reply

laurent says:

April 11, 2011 at 6:35 pm


Hi Robert,

You have to pay attention to the syntax in the ldif file:

Here is an example:

dn: dc=domb,dc=net // (dn:[whitespace] dc=domb,dc=net [ENTER])
dc: domb
objectClass: top
objectClass: domain [ENTER]
[ENTER]
dn: ou=People,dc=domb,dc=net
ou: People
objectClass: top
objectClass: organizationalUnit [ENTER]
[ENTER]
dn: ou=Group,dc=domb,dc=net
ou: Group
objectClass: top
objectClass: organizationalUnit

Hope this helps to solve your problem. If not post me your base.ldif 

Reply

 dave says:

April 15, 2011 at 8:49 pm

hello i finally found someone doing it on rhel6 thanks, but when i run the

slaptest -u

i get

<= str2entry: str2ad({SSHA}bfHIutM8Pjx+379BVH0gvdhUdRNwq5cK): empty AttributeDescription

slaptest: bad configuration file!

the {SSHA…..} string is what i added to my file /etc/openldap/slapd.d/cn=config/olcDatabase={1}bdb.ldif . these are the lines that i added to that file

(how it looks)

{SSHA}bfHIutM8Pjx+379BVH0gvdhUdRNwq5cK 

olcRootPW: {SSHA}bfHIutM8Pjx+379BVH0gvdhUdRNwq5cK 

olcTLSCertificateFile: /etc/pki/tls/certs/slapdcert.pem

olcTLSCertificateKeyFile: /etc/pki/tls/certs/slapdkey.pem

what am i doing wrong?


thank you

dave

Reply

laurent says:

April 18, 2011 at 3:50 am

create the ssl cert and run the test again. When you run the slaptest -u before creating the certificate you’ll get that error.

Reply

  James says:

April 20, 2011 at 8:36 pm

Where can I find the official RHEL-6 document of the configuration of both LDAP server and client?

Thanks,

James

Reply

 laurent says:

April 21, 2011 at 2:44 am

You can find it at http://docs.redhat.com/docs/en-US/index.html

Reply


  Eris says:

April 25, 2011 at 5:17 am

Thank you very much for the post, and all of the others here too! I'm studying for the RHCE and although I have a good background with a lot of the material from working in webhosting for many years, LDAP is brand new to me and this was the simplest and most lucid tutorial I've yet found.

I do have one suggestion, and it may help others too. Please change the double quote characters in your example to use the plain ASCII ” character 

instead of the typographical open and close quote characters. Like Robert above, the ldapadd command initially gave me this error 

ldap_bind: Invalid DN syntax (34)

additional info: invalid DN

It turned out to be the result of the UTF-8 open and close quote chars. I had to change the command from this


ldapadd -x -W -D “cn=Manager,dc=yourdomain,dc=com” -f base.ldif 

to this

ldapadd -x -W -D “cn=Manager,dc=yourdomain,dc=com” -f base.ldif 

(And I hope WordPress doesn’t auto change those quotes on me! The second line should have the non-curved typewriter double quote symbol from the

ASCII set.)

Reply

  Eris says:

April 25, 2011 at 5:18 am

Hmpf. WordPress changed the quotes on me automatically.

Reply


  Lyndon says:

May 1, 2011 at 9:01 am

Thank you very much for detailed instruction! When I restarted slapd, I met the following issue:

Checking configuration files for slapd: [FAILED]

PROXIED attributeDescription “DC” inserted.

<= str2entry: str2ad(dc): attribute type undefined

slaptest: bad configuration file!

If I did not do a slapd restart, the ldap server seemed working fine. Do you know why it happened?

Thanks.

Reply

Andries says:

July 10, 2012 at 9:01 am

Did you manage to solve this issue? I am having the same problem.

Reply

  Mohamed says:

March 5, 2013 at 6:15 am

Did encounter this error, but resolved after removing my base.ldif and user.ldif files from the /etc/openldap/slapd.d/cn=config/ dir. Think that


no other files should be kept within this cn=config besides the slapd generated ldifs.

Reply

 ramakrishna says:

May 31, 2011 at 6:02 am

hi

Thank you so much.

I have been trying for a long time with the old ldap configuration. Finally I got it through you. Thanking you a lot

Thanks

Ramakrishna

Reply

JD says:

June 29, 2011 at 12:28 am

# extended LDIF

#

# LDAPv3

# base with scope subtree

# filter: (objectclass=*)

# requesting: ALL

#

# search result

search: 2

result: 32 No such object

# numResponses: 1

After step #ldapsearch -x -b ”dc=yourdomain,dc=com”

Also, I am not finding the following file to configure:

Step 9: Configure the base domain

#vi base.ldif 

Where is this config file located at?

Any help would be great.


Reply

 sridhar says:

June 30, 2011 at 10:38 am

Please tell me where the error is:

dn: dc=sridhar,dc=net
dc: sridhar
objectClass: top
objectClass: domain

dn: ou=People,dc=sridhar,dc=net
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=sridhar,dc=net
ou: Group
objectClass: top
objectClass: organizationalUnit

Reply


 sridhar says:

June 30, 2011 at 10:53 am

type ls from where you first typed vi base.ldif 

JD

Reply


 venku says:

July 6, 2011 at 12:37 pm

Please tell me how I can add a new custom attribute which is not included presently to this OpenLDAP server of RHEL 6. I would like to extend the schema of the same.

Reply


  Nolan says:

July 18, 2011 at 3:55 pm


Hello, First of all thank you for the tutorial.

Running into a similar issue as the first comment. I have only added the 3 lines:

olcRootPW: {SSHA}my-hash

olcTLSCertificateFile: /etc/pki/tls/certs/slapdcert.pem

olcTLSCertificateKeyFile: /etc/pki/tls/certs/slapdkey.pem

To the end of:

/etc/openldap/slapd.d/cn=config/olcDatabase={1}bdb.ldif 

And I get the error:

[root@directory ~]# slaptest -u

olcRootPW: value #0: can only be set when rootdn is under suffix

config error processing olcDatabase={1}bdb,cn=config: can only be set when rootdn is under suffix

slaptest: bad configuration file!

Not sure what's up and don't know what else to change. Thanks!

Reply

  Nolan says:

July 18, 2011 at 4:45 pm

Solved it, quotes around hash helped.

Reply


  Jorell says:

July 22, 2011 at 11:33 am

I just have to say thank you for this how-to

I only had to do one thing differently:

chown -f root:ldap /etc/pki/tls/certs/slapdcert.pem /etc/pki/tls/certs

Reply


 sangita says:

July 25, 2011 at 1:15 pm

I am trying on my localhost with dc=test,dc=com

however LDAPSEARCH gave the following output :


ldapsearch -x -b “dc=test,dc=com”

which gave me error as below:

ldap_sasl_bind(SIMPLE): Can’t contact LDAP server (-1)

here I have added localhost and given me following output:

ldapsearch -x -h localhost -b “dc=test,dc=com”

# extended LDIF

#

# LDAPv3

# base with scope subtree

# filter: (objectclass=*)

# requesting: ALL

#

# search result

search: 2

result: 32 No such object

# numResponses: 1

—————————————-

Am I correct here?

I have created the base.ldif and tried ldapadd command as:

ldapadd -x -h 127.0.0.1 -D “cn=Manager,dc=test,dc=com” -W -f base.ldif 

ldapadd -x -h locahost -D “cn=Manager,dc=test,dc=com” -W -f base.ldif 

ldapadd -x -h -D “cn=Manager,dc=test,dc=com” -W -f base.ldif 

with the password which was generated with the command

#slappasswd

This gives the error:

ldap_bind: Invalid credentials (49)

What is wrong ? Please help!!!!

Reply

Stas says:

July 28, 2011 at 7:03 am

Thank you for this how-to. Everything works. NOTE: Do not directly copy text of this how-to, better you enter the text on a new

Reply

  Abhinav says:

August 3, 2011 at 8:54 am

I am not able to find the DB_CONFIG file in the openldap-servers path

#cp /usr/share/doc/openldap-servers-2.4.19/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

AND

Please tell me the location of “base.ldif” file…

Reply


 mohit says:

August 8, 2011 at 1:55 pm

Please tell me the location of “base.ldif” file…

Reply


 shashank agarwal says:

August 9, 2011 at 11:58 am

I have done all steps up to step 7 and all are working fine, but when I start the slapd service it fails. When I start the slapd service the 1st time it shows me the

warning suffix of DB_CONFIG file has changed,performing data base recovery to apply new settings

dbb_db_open: database “dc=example.com,dc=com”:recpvery skipped in read only mode.run manual recovery if error persist

config file testing succeded.

starting slapd: [Failed]

and it shows service failed whenever I start the service.

Please help

Reply


  Robeto Mason says:

August 10, 2011 at 5:29 pm

Thanks for the tutorial. I'm not proficient with Openldap. This is the first time I'm trying to implement it at home. I'm running Centos 6.0. I'm stuck on step


#9. When I do the <> I get the following error 

ldap_bind: Invalid credentials (49)

Where do you think I may have gone wrong?

Thanks

Reply

  Roberto Mason says:

August 10, 2011 at 5:32 pm

Sorry, had to repost

Thanks for the tutorial. I'm not proficient with Openldap. This is the first time I'm trying to implement it at home. I'm running Centos 6.0. I'm stuck on step

#9. When I do the

# ldapadd -x -W -D “cn=Manager,dc=rmasonfamily,dc=info” -f /root/base.ldif 

I get the following error 

ldap_bind: Invalid credentials (49)

Where do you think I may have gone wrong?

Thanks

Reply


 sandy says:

August 10, 2011 at 6:27 pm

Hey, can anyone help me to build my ldap server after slaptest -u?

I have successfully tested with slaptest -u, but as I start my slapd daemon it fails; it neither stops nor starts. And I want to inform that my eth0 is also creating a problem: I can't configure a static IP, it fails after service network restart. I am using a COMPAQ CQ 40 series laptop and RHEL 6.0. Please help me.

Reply


  Anonymous says:

August 12, 2011 at 4:54 am

what is wrong with my configuration? please see message below. tnx

#ldapadd -x -W -D ”cn=Manager,dc=ncfs” -f ncfs.ldif 


Enter LDAP Password:

ldap_bind: Invalid DN syntax (34)

additional info: invalid DN

My ldif file:

==============

dn: dc=ncfs
dc: ncfs
objectClass: top
objectClass: domain

dn: ou=People,dc=ncfs
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=ncfs
ou: Group
objectClass: top
objectClass: organizationalUnit

Reply

  Aik Zu Shyong says:

August 18, 2011 at 6:29 am

For those of you with errors:

 ———— 

PROBLEM

 ———— 

ldap_bind: Invalid credentials (49)

 —————————————-

SOLUTION/TROUBLESHOOTING

 —————————————-

Use ldapsearch in debug mode to identify the issue:

 No encryption:

# ldapsearch -x -b “dc=yourdomain,dc=net” -d -1

With TLS:

# ldapsearch -x -b “dc=yourdomain,dc=net” -ZZ -d -1

One add on to Laurent’s entry if you use a self-signed Certification. Remember to add below line as well to bdb.ldif:


olcTLSCertificateFile: /etc/pki/tls/certs/slapdcert.pem

Otherwise, you will get complaints about self-signed certificate.

Reply

 Toomas says:

August 21, 2011 at 12:15 pm

It seems there's a typo:

dn: ou=Group,dc=yourdomain,dc=net
ou: Group
objectClass: top
objectClass: organizationalUnit

… as later Group is replaced with Groups. Anyway, I've got an error with plural and passed through with singular.

Reply


 vipin singhal says:

August 23, 2011 at 11:54 am

Hi, thanks for telling us the configuration of openldap server for RHEL 6. I have done all that you have written in this blog and my openldap service has started… but

Can you tell me how i can integrate openldap with Samba as a PDC for RHEL 6?

Reply

 rumbi says:

May 8, 2012 at 10:24 am

Did you manage to successfully configure samba with the ldap backend. I am looking for a solution to this.

If anyone has a solution please share

Reply


  Ali says:

August 24, 2011 at 11:30 pm

Hi,

Thanks so much, bro, this helped me a lot. Regarding the fact that Red Hat has explicitly mentioned not to manually edit the ldif files

(http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/ch-Directory_Servers.html#s2-ldap-configuration)

is there a neater way to do this using commands?

Reply

 Simon Brennan says:

August 26, 2011 at 12:42 am

This is an excellent article, thanks for taking the time to write it.

I had built LDAP domains in CentOS 5 a number of times, but the new configuration layout threw me.

Thanks!

Reply


Shout out for a great CentOS 6 LDAP Server setup blog | Myblog Nodeofcrash.com says:

August 26, 2011 at 2:00 am

[...] There is a great article here on how to set it up, kudos to the Author! http://www.salsaunited.net/blog/?p=74 [...]

Reply


  Dhamu says:

August 29, 2011 at 9:47 am

When trying to add the ldap, I am getting the error:

ldapadd -x -W -D “cn=Manager,dc=rhceldap,dc=com” -f base.ldif 

Enter LDAP Password:

ldap_bind: Invalid credentials (49)

Where is the base.ldif file located?

Thanks in advance.

Reply


  Dhamu says:

August 29, 2011 at 10:13 am

ldap_bind: Invalid credentials (49)

got solved by adding

URI ldap://192.168.0.4/


BASE dc=rhceldap,dc=com

TLS_CACERTDIR /etc/openldap/cacerts

on /etc/openldap/ldap.conf 

Reply

  phani says:

September 2, 2011 at 5:21 am

This is a great, Thanks

Reply


Jane says:

September 5, 2011 at 5:17 am

A question on base.ldif.

The example for base.ldif is always dc=yourdomain,dc=com. But the dc assigned to me at work is dc=area,dc=test,dc=org (my domain is area.test.org).

What would my base.ldif look like? What do I use on the dc:?

dn: dc=area,dc=test,dc=org
dc: ????
objectClass: top

objectClass: domain

Thanks!

Reply


  flemin says:

September 8, 2011 at 7:37 am

Great posting… Thank you…

I configured LDAP as described above. I didn't get any errors, but when I start the LDAP service it fails. I couldn't figure out the error. When I checked the certificate folder /etc/pki/tls/certs I couldn't find any certificates generated. So can you help me in this case…

Thank you…

Reply


  Islam Eldib says:

September 11, 2011 at 9:53 pm

I get the following error when I try and do a slaptest -u:

slaptest -u

database init failed (monitor)

olcDatabase: value #0: only one monitor database allowed (monitor)

config error processing olcDatabase={1}monitor,cn=config: only one monitor database allowed 

slaptest: bad configuration file!

Can anyone help out ?

Reply


 Toomas says:

September 24, 2011 at 11:30 am

My five cents in addition to this very helpful howto:

Add 

TLS_CACERT /etc/pki/tls/certs/slapdcert.pem

to ldap.conf.

Otherwise, running request with TLS

ldapsearch -x -b “dc=yourdomain,dc=net” -ZZ

you’ll get ‘Self-signed certificate’ error.

Reply


srikanth says:

September 26, 2011 at 10:10 am

I got the following error 

<= str2entry: str2ad(New Passowrd): AttributeDescription contains inappropriate characters

slaptest: bad configuration file!

What mistake did I make???

Reply


 srikanth says:

September 26, 2011 at 10:16 am

lol.. I got it, I made a silly mistake.. when I redirected that password, I forgot to remove the "New Password:" and "Re-enter new password:" lines….. what a silly mistake I made.

Reply


  Randy Larson says:

October 2, 2011 at 5:32 pm

Excellent posting. I teach Linux at a local community college and after reading some of the postings I suspect some of the above users are copying and pasting your text into their config files. This changes the formatting and will give them errors; even the command dos2unix will not always fix this. There is one typo that may throw a newbie off: you have “service sladp start”. Like me, you probably have large fingers. Thanks again for supporting the community.

Kind regards,

Randy

Reply


 rumbi says:

October 3, 2011 at 11:12 am

Thank you so much for an easy to follow guide.

I have installed and configured openldap on my rhel6 server and would want to use FreeRadius with openldap. The two are working well separately and I

would now like to set them up such that users can connect through Freeradius and authenticate on an openldap backend. Can you point me to

documentation for doing this on rhel6?

The documentation that i am currently getting refers to a different version and I have configuration files (unedited) that are completely different from

what I am referred to. I understand that RHEL has a different radius configuration file and I would want to know how to configure freeradius to use

openldap for authentication.

Reply


  Dhiraj Dwarapudi says:

October 4, 2011 at 1:49 am

@Abhinav

On RHEL 6 the DB_CONFIG.example file is located at /usr/share/DB_CONFIG.example

Reply


 rumbi says:

October 6, 2011 at 1:10 pm

Ok, to answer my own question, the authentication and authorisation modules are in the modules directory. Another question: is there anyone who knows where documentation for rhel6 is?

Reply


 Sohail says:

October 8, 2011 at 2:19 pm

Thank you for putting out this step by step guide. Without it, it is almost impossible to get openLDAP setup with RHEL6. You should consider 

contributing this piece to openldap project as there are many people who might be able to save time using this.

I had to change dc=com from dc=net in base.ldif because I was getting error when using dc=net.

Thanks again.

Reply


  Amit Saha says:

October 12, 2011 at 5:40 am

#slaptest -u

config file testing succeeded

—NEXT— And the ERROR I am getting down there is as:

[root@newspeak openldap]# ldapadd -x -W -D ”cn=Manager,dc=newspeak,dc=org” -f base.ldif

Enter LDAP Password:

ldap_bind: Invalid DN syntax (34)

additional info: invalid DN

—NEXT— ”GOT ERROR”

#vi base.ldif

dn: dc=newspeak,dc=org
dc: newspeak
objectClass: top
objectClass: domain

dn: ou=People,dc=newspeak,dc=org
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=newspeak,dc=org
ou: Group
objectClass: top
objectClass: organizationalUnit

—NEXT—

#vim /etc/openldap/slapd.d/cn=config/olcDatabase={1}bdb.ldif

dn: olcDatabase={1}bdb
objectClass: olcDatabaseConfig
objectClass: olcBdbConfig
olcDatabase: {1}bdb
olcSuffix: dc=newspeak,dc=org
olcAddContentAcl: FALSE
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcRootDN: cn=Manager,dc=newspeak,dc=org
olcMonitoring: TRUE
olcDbDirectory: /var/lib/ldap
olcDbCacheSize: 1000
olcDbCheckpoint: 1024 15
olcDbNoSync: FALSE
olcDbDirtyRead: FALSE
olcDbIDLcacheSize: 0
olcDbIndex: objectClass pres,eq
olcDbIndex: cn pres,eq,sub
olcDbIndex: uid pres,eq,sub
olcDbIndex: uidNumber pres,eq
olcDbIndex: gidNumber pres,eq
olcDbIndex: mail pres,eq,sub
olcDbIndex: ou pres,eq,sub
olcDbIndex: loginShell pres,eq
olcDbIndex: sn pres,eq,sub
olcDbIndex: givenName pres,eq,sub
olcDbIndex: memberUid pres,eq,sub
olcDbIndex: nisMapName pres,eq,sub
olcDbIndex: nisMapEntry pres,eq,sub
olcDbLinearIndex: FALSE
olcDbMode: 0600
olcDbSearchStack: 16
olcDbShmKey: 0
olcDbCacheFree: 1
olcDbDNcacheSize: 0
structuralObjectClass: olcBdbConfig
entryUUID: 629b5454-88cd-1030-94b4-5b8c5298a3ff
creatorsName: cn=config
createTimestamp: 20111012032406Z
entryCSN: 20111012032406.106705Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20111012032406Z
olcRootPW: {SSHA}eCf/UCxBWzZuWc0Dd/mkW+jlaXxy++RF
olcTLSCertificateFile: /etc/pki/tls/certs/slapdcert.pem
olcTLSCertificateKeyFile: /etc/pki/tls/certs/slapdkey.pem

—NEXT—

#vim /etc/openldap/slapd.d/cn=config/olcDatabase={2}monitor.ldif

dn: olcDatabase={2}monitor
objectClass: olcDatabaseConfig
olcDatabase: {2}monitor
olcAccess: {0}to * by dn.base=”cn=Manager,dc=newspeak,dc=org” read by * none
olcAddContentAcl: FALSE
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcMonitoring: FALSE
structuralObjectClass: olcDatabaseConfig
entryUUID: 629b5a62-88cd-1030-94b5-5b8c5298a3ff
creatorsName: cn=config
createTimestamp: 20111012032406Z
entryCSN: 20111012032406.106705Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20111012032406Z

Can anyone help regarding the same??? Thanks in advance!!

Reply

  Amit Saha says:

October 12, 2011 at 10:09 am

I found the problem later. It was back quote (“). It is working now. Thank you very much Mr. Laurent. Good post!!!

Reply

46.

  Deval says:

 November 1, 2011 at 7:28 am

hey…thank you for the wonderful guide…

but I’m getting the following error while running ldapsearch:

ldapsearch -x -b “dc=example,dc=com”

ldap_sasl_bind(SIMPLE): Can’t contact LDAP server (-1)

 please help me..

Reply

47.

  Mansoor Md says:

March 31, 2012 at 4:21 am

RHEL 6.0 Documentation

System name: ldap.example.com

Domain name: example.com

System IP: 192.168.1.250

Step #1. Requirements

compat-openldap

openldap-clients

openldap-devel

openldap-servers

migrationtools

You can install them using the command:


yum install *openldap* migrationtools

Step #2. Create LDAP root user password

[root@ldap ~]# slappasswd

 New password:

Re-enter new password:

{SSHA}cWB1VzxDXZLf6F4pwvyNvApBQ8G/DltW

[root@ldap ~]# mkdir -m 700 /var/lib/ldap/example.com

[root@ldap ~]# cp /usr/share/doc/openldap-servers-2.4.19/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

[root@ldap ~]# chown -Rvf ldap:ldap /var/lib/ldap/

Step #3. Update /etc/openldap/slapd.conf for the root password

[root@ldap ~]# cp /etc/openldap/slapd.conf.bak /etc/openldap/slapd.conf

[root@ldap ~]# vim /etc/openldap/slapd.conf 

Esc :%s/my-domain/example/g Enter. Check that the lines below are the same as in the config file:

database bdb

suffix “dc=example,dc=com”

rootdn “cn=Manager,dc=example,dc=com”

rootpw {SSHA}cWB1VzxDXZLf6F4pwvyNvApBQ8G/DltW

Step #4. vim /usr/share/migrationtools/migrate_common.ph and change padl to example: Esc :%s/padl/example/g, then check that the lines below (71 & 74) are the same in the config:

$DEFAULT_MAIL_DOMAIN = “example.com”;

$DEFAULT_BASE = “dc=example,dc=com”;

Step # 5. Create a domain ldif file (/etc/openldap/example.com.ldif)

[root@ldap ~]# vim /etc/openldap/example.com.ldif

dn: dc=example,dc=com
dc: example
description: LDAP Admin
objectClass: dcObject
objectClass: organizationalUnit
ou: rootobject

dn: ou=People, dc=example,dc=com
ou: people
description: Users of example
objectClass: organizationalUnit

dn: ou=Group, dc=example,dc=com
ou: Group
description: Groups of example
objectClass: organizationalUnit

Step# 6. Create new config files using the slaptest command

 —————————————————————————————– 

1. Delete all files in directory /etc/openldap/slapd.d/ with the command 

[root@ezylinux ~]# rm -rf /etc/openldap/slapd.d/*

2. Run slaptest to test the configuration file and create the new configuration in the directory /etc/openldap/slapd.d/.

[root@ezylinux ~]# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d 

3. Set permissions for a new configuration file.

[root@ezylinux ~]# chown -R ldap:ldap /etc/openldap/slapd.d 

[root@ezylinux ~]# chmod -R 000 /etc/openldap/slapd.d 

[root@ezylinux ~]# chmod -R u+rwX /etc/openldap/slapd.d 

# service slapd restart (if there is any warning, fix the permissions with chown ldap:ldap /var/lib/ldap -Rvf or chown ldap:ldap /etc/openldap/slapd.d)

Step # 7. Import all users into LDAP. Add the domain ldif file:

[root@ldap ~]# ldapadd -x -D “cn=Manager,dc=example,dc=com” -W -f /etc/openldap/example.com.ldif

Enter LDAP Password:

adding new entry “dc=example,dc=com”

adding new entry “ou=People, dc=example,dc=com”

adding new entry “ou=group, dc=example,dc=com”

[root@ldap ~]#

Add the users:

[root@ldap ~]# mkdir /ldaphome

[root@ldap ~]# useradd -u 1000 -d /ldaphome/testusr testusr

[root@ldap ~]# passwd testusr 

Changing password for user testusr.

 New UNIX password:

Retype new UNIX password:

 passwd: all authentication tokens updated successfully.

Step # 8. Migrate local users to LDAP

[root@ldap ~]# grep testusr /etc/passwd > /etc/openldap/passwd.testusr 

[root@ldap ~]# grep testusr /etc/group > /etc/openldap/group.testusr 

[root@ldap ~]# /usr/share/migrationtools/migrate_passwd.pl /etc/openldap/passwd.testusr /etc/openldap/testusr.ldif 

[root@ldap ~]# /usr/share/migrationtools/migrate_group.pl /etc/openldap/group.testusr /etc/openldap/testusr-group.ldif 

Step # 9. Adding users & groups into the LDAP server

[root@ldap ~]# ldapadd -x -D “cn=Manager,dc=example,dc=com” -W -f /etc/openldap/testusr.ldif

Enter LDAP Password:

adding new entry “uid=ldapuser1,ou=People,dc=example,dc=com”


[root@ldap ~]# ldapadd -x -D “cn=Manager,dc=example,dc=com” -W -f /etc/openldap/testusr-group.ldif 

Enter LDAP Password:

adding new entry “uid=ldapuser1,ou=Group,dc=example,dc=com”

Step # 10. Test LDAP Server 

It prints all the user information:

[root@ldap ~]# ldapsearch -x -b ‘dc=example,dc=com’ ‘(objectclass=*)’

Step# 11 NFS for ldapuser home share:

#yum install nfs-utils

#service rpcbind restart

vim /etc/exports

/ldaphome *(rw,sync)

#chkconfig nfs on

#service nfs restart

Home directory creation on the LDAP server (optional)

Reference from: http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch31_:_Centralized_Logins_Using_LDAP_and_RADIUS#Create_The_Home_Directory_For_ldapuser_On_The_LDAP_Client

[root@smallfry tmp]# mkdir /ldaphome/wml
[root@smallfry tmp]# chmod 700 /home/ldaphome/wml
[root@smallfry tmp]# cp /etc/skel/.* /home/ldaphome/wml
cp: omitting directory `/etc/skel/.’
cp: omitting directory `/etc/skel/..’
cp: omitting directory `/etc/skel/.kde’
[root@smallfry tmp]# chown -R wml:group /home/ldaphome/wml
[root@smallfry tmp]#

2.0 Step-by-step OpenLDAP Installation and Configuration of Client System

LDAP Client Configuration

Step # 1. Installation

[root@ldapclient ~]# yum install nss-pam-ldapd nfs-utils autofs

Step # 2. Autofs configuration

[root@ldapclient ~] vim /etc/auto.master 

Add the below line at the end:

/ldaphome /etc/auto.misc --timeout=60

[root@ldapclient ~] vim /etc/auto.misc

Add the below line at the end:

* -rw,soft,intr 192.168.1.250:/ldaphome/&


[root@ldapclient ~] service autofs stop

[root@ldapclient ~] service autofs start

[root@ldapclient ~] service autofs reload 

[root@ldapclient ~] service autofs restart

[root@ldapclient ~] service nfs restart

Step# 3 Settings ldap configuration

[root@ldapclient ~]# setup

Step #3. Settings

[*] Use LDAP [*] Use LDAP Authentication

[Both should be checked] Click “Next”.

[ ] Use TLS

Server: ldap.example.com

Base DN: dc=example,dc=com

Click “Ok” to confirm.

OR 

[root@ldapclient ~]# vim /etc/openldap/ldap.conf 

URI ldap://ldap1.example.com

BASE dc=example,dc=com

[root@ldapclient ~] vim /etc/nsswitch.conf

passwd: files ldap

shadow: files ldap

group: files ldap

netgroup: files ldap

automount: files ldap

#chkconfig nfs on

#chkconfig autofs on

#chkconfig rpcbind on

[root@ldapclient ~] vim /etc/nslcd.conf

uid nslcd 

gid ldap

uri ldap://ldap1.example.com

 base dc=example,dc=com

ssl no

tls_cacertdir /etc/openldap/cacerts

[root@ldapclient ~] vim /etc/pam_ldap.conf 

Comment out the line: #host 127.0.0.1

 base dc=example,dc=com


uri ldap://ldap1.example.com

ssl no

tls_cacertdir /etc/openldap/cacerts

 pam_password md5

Reply

 Olivier says:

April 30, 2012 at 8:26 am

Hello Laurent,

Here is my monitor section :

cat /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}monitor.ldif 

dn: olcDatabase={2}monitor,cn=config

objectclass: olcDatabaseConfig

olcaccess: {0}to * by dn.exact=”cn=Manager,dc=exemple,dc=fr”
 by * none

olcaddcontentacl: FALSE

olcdatabase: {2}monitor 

olclastmod: TRUE

olcmaxderefdepth: 15

olcmonitoring: FALSE

olcreadonly: FALSE

olcsyncusesubentry: FALSE

….

slapd runs and responds:

ldapsearch -x -D ‘cn=Manager,dc=exemple,dc=fr’ -W -b ‘olcDatabase={2}monitor,cn=config’ -s base 1.1

# {2}monitor, config

dn: olcDatabase={2}monitor,cn=config

# search result

search: 2

result: 0 Success

However I can’t get any monitoring information :

$ ldapsearch -x -D ‘cn=Manager,dc=exemple,dc=fr’ -W -b ‘cn=Monitor’ -s base 1.1


# search result

search: 2

result: 32 No such object

Would you have any advice to use openldap monitoring abilities ?

# cat /etc/issue

Red Hat Enterprise Linux Server release 6.2 (Santiago)

openldap-servers-2.4.23-20.el6.x86_64

# slapd -VVV

@(#) $OpenLDAP: slapd 2.4.23 (Oct 4 2011 07:43:22) $

[email protected]:/builddir/build/BUILD/openldap-2.4.23/openldap-2.4.23/build-servers/servers/slapd 

Thanks !

Reply

 manny says:

May 25, 2012 at 6:35 am

hi,

You really did your best and I was successful with your steps; the thing was, I don't find any /usr/share/migration folder on my server. Mine is rhel-64bit.

I don't know why it was not there. ldap search is fine, ok,

please help me finish the last 2 steps

thank you.

Reply

50.

 leolinux says:

June 2, 2012 at 1:50 am

# yum install migrationtools

will install the directory and other useful scripts inside …

Reply

51.


 Glen says:

June 19, 2012 at 5:14 am

It works, good posts, thanks a lot! From China~

Reply

52.

  Akhil says:

June 29, 2012 at 7:57 am

slaptest -u

PROXIED attributeDescription “DC” inserted.

<= str2entry: str2ad(dc): attribute type undefined 

slaptest: bad configuration file!

[root@dc share]# ldapsearch -x -b .dc=hamdard,dc=com.

ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

Can anyone help me on this? I have followed this post step by step.

Reply

 admin says:

June 29, 2012 at 8:32 am

Did you use double quotes or just copy pasted my example? WordPress does not add correct double quotes…

Reply

53.

Akhil says:

June 29, 2012 at 11:56 pm

I have followed this doc as it is, I did not change anything. Before generating the certificate and key it was working fine, but when I did that and then restarted slapd as you said, it went down and didn’t come up again.

Please guide me where i am going wrong.

Reply

54.

  Akhil says:

June 30, 2012 at 2:59 am

Hi,

Thank you for all your help, I have successfully configured the ldap server by following this guide.

Now my next question is how to move it into a production environment where users can log in to this ldap server.

I am configuring DNS with my domain on this server as well.

When I am trying to access this server by using the above url ldap://192.168.0.6:389 it is not processing further; can you please tell me why?

Reply

 shankar says:

July 10, 2012 at 5:22 am

Thanks, very helpful.

I am configuring postfix+squirrelmail+dovecot with openldap on RHEL6.1_64 bit.

Kindly help me to get the rh-mail.schema.

Thanks,

Shankar 

Reply

Priyank says:

July 15, 2012 at 4:06 pm

hello,

Thanks for your help in providing the steps to configure an LDAP server in RHEL6; everything seems to be working, but I am not able to log in to the client machine using the ldap server. Can anyone please help me with how I can do it?

My email address is

 [email protected], please if possible reply me there or here

Reply

56.

  ping says:

July 23, 2012 at 11:53 am

Hi,

I went thru the steps and it is working.

The clients I set up with the command

authconfig --disablenis --enablemkhomedir --enableshadow --enablelocauthorize --enableldap --ldapserver=10.24.0.55 --enablemd5 --ldapbasedn=dc=mydomain,dc=com --updateall

The clients are able to authenticate the logins.

but if a user is added or an existing user’s passwd is changed, that user is unable to log in with the new password. What could be the issue, please? Any help would be greatly appreciated, as I am a newbie.

thanks

Ping

Reply

 German Rosero says:

August 23, 2012 at 2:36 pm

Hello, I am getting the following errors when I start the slapd service:

service slapd start

Checking configuration files for slapd: [FAILED]

olcRootPW: value #0: can only be set when rootdn is under suffix

config error processing olcDatabase={2}bdb,cn=config: can only be set when rootdn is under suffix

slaptest: bad configuration file!

But if I remove the lines that contain olcRootPW, olcTLSCertificateFile and olcTLSCertificateKeyFile, the service starts fine.

I have CentOS release 6.3 and OpenLDAP: slapd 2.4.23

Thanks for your help,

G

Reply

58.

  Abhisek says:

August 28, 2012 at 10:50 am

Hi, thanks a lot for this tutorial, it has been very helpful!

I had a small question:

why do we need this command:

sed -e ”s/ou=Group/ou=Groups/g” group.ldif > groups.ldif 

I think this will replace ou=Group with ou=Groups, but in the base.ldif, we are using:

dn: ou=Group,dc=yourdomain,dc=net

Please let me know!

Thanks again!

Abhisek 

Reply

 vamsikrishna says:

October 13, 2012 at 1:39 am

Hi, thanks for the help. I’ve been looking for some help for a while. I am stuck on a certain point. Where you import base information:

dn: dc=example,dc=com

dc: example

objectClass: top

objectClass: example

dn: ou=Administration,dc=example,dc=com

ou: Adninistration

objectClass: top

objectClass: Administration


dn: ou=Group,dc=example,dc=com

ou: Group

objectClass: top

objectClass: organizationalUnit

Error:

#ldapadd -x -W “cn=manager,dc=example,dc=com” -f base.ldif 

Enter LDAP Password:

ldap_bind: Invalid credentials (49)

MY ldap details:

MY DOMAIN IS : example.com

ORGANIZATION UNIT NAME : administration

Ldap password is : password

 please give me the solution to this error.

60.


Reply


 ram says:

March 5, 2013 at 6:12 am

If I run ldapsearch -x -b ”dc=example,dc=com”

I get search result 2, then I get 34 dn syntax error.

Give me the solution.

Reply

61.

 tom says:

April 16, 2013 at 3:27 pm

I got the 34 dn syntax error from the wrong “. Retype the double quotes.

Reply
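As an added example that is not from the post or any commenter: a small Python linter for the cn=config LDIF mistakes that recur in this thread (typographic quotes pasted from WordPress, as in Amit Saha's and tom's comments; an olcRootPW whose olcRootDN does not sit under olcSuffix, the error German Rosero reports; and a monitor database whose olcAccess does not end in `by * none`, which would leave cn=Monitor readable by anonymous binds). The sample entries are constructed and the rootpw value is a placeholder.

```python
"""Lint a cn=config LDIF for three pitfalls reported in this comment thread."""
import re

# Typographic quotes that WordPress substitutes for the ASCII " and '.
SMART_QUOTES = {"\u201c", "\u201d", "\u2018", "\u2019"}


def parse_ldif(text):
    """Return [(dn, {attr_lower: [values]})]; folds continuation lines,
    skips comments and splits entries on blank lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # continuation of previous line
        else:
            lines.append(raw)
    entries, attrs, dn = [], {}, None
    for line in lines + [""]:               # trailing "" flushes last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            attrs, dn = {}, None
            continue
        name, _, value = line.partition(":")
        value = value.lstrip(":").strip()   # tolerate the "::" base64 marker
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name.lower(), []).append(value)
    return entries


def norm_dn(dn):
    """Lower-case a DN and drop whitespace around its RDN separators."""
    return ",".join(p.strip() for p in dn.split(",")).lower()


def lint_config(text):
    """Return a list of findings; an empty list means nothing was found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if SMART_QUOTES & set(line):
            findings.append(f'line {lineno}: typographic quote, use ASCII "')
    for dn, attrs in parse_ldif(text):
        first = lambda a: attrs.get(a, [""])[0]
        # slapd rejects olcRootPW unless olcRootDN lies under olcSuffix
        if "olcrootpw" in attrs:
            root, suffix = norm_dn(first("olcrootdn")), norm_dn(first("olcsuffix"))
            if not suffix or not (root == suffix or root.endswith("," + suffix)):
                findings.append(f"{dn}: olcRootPW set but rootdn not under suffix")
        # the monitor backend must not be readable by anonymous binds
        if first("olcdatabase").endswith("monitor"):
            acl = " ".join(attrs.get("olcaccess", []))
            if not re.search(r"by\s+\*\s+none\s*$", acl):
                findings.append(f"{dn}: olcAccess should end with 'by * none'")
    return findings


# Constructed sample, not from the page: rootdn under a different suffix and a
# typographic quote in the monitor ACL; the rootpw value is a placeholder.
SAMPLE_BAD = """\
dn: olcDatabase={1}bdb,cn=config
objectClass: olcBdbConfig
olcDatabase: {1}bdb
olcSuffix: dc=example,dc=com
olcRootDN: cn=Manager,dc=newspeak,dc=org
olcRootPW: {SSHA}PLACEHOLDER

dn: olcDatabase={2}monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {2}monitor
olcAccess: {0}to * by dn.base=\u201dcn=Manager,dc=example,dc=com\u201d read
  by * none
"""
```

Run `lint_config(open("olcDatabase={1}bdb.ldif").read())` against your own slapd.d files before restarting slapd; an empty list means none of the three problems above is present.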

62.

OPENLDAP Invalid Credentials Issue says:

May 23, 2013 at 8:09 am

[...] [...]

Reply

63.

OPENLDAP Invalid Credentials Issue says:

May 23, 2013 at 10:05 am

[...] ldap://10.205.21.76/ ~ I have followed the below link.. Please help me to resolve this issue.. http://blog.domb.net/?p=74 I have set the password to

secret then also am facing the problem.. [root@ip-10-205-21-76 [...]

Reply

64.

imports says:

May 30, 2013 at 11:30 am

 Nice post. I was checking continuously this blog and I am impressed!

Very useful info particularly the last part I care

for such info much. I was seeking this particular information for 

a long time. Thank you and good luck.

Reply

65.

sunil says:

May 30, 2013 at 4:19 pm


Good one!

Reply

Copyright © 2013 Laurent Domb OSS Blog - this blog is about OSS, Linux, virtualization, security, business.
