Old 02-04-2014, 05:48 AM   #16
jonaskellens
Member
 
Registered: Jul 2008
Location: Ghent, Belgium
Distribution: Fedora, CentOS
Posts: 632

Original Poster
Rep: Reputation: 33

I have now removed everything inside the directory slapd.d/ (I made a backup first)

Then did the conversion again:
Code:
[root@ldap1 openldap]# /usr/sbin/slaptest -f /etc/openldap/slapd.conf -v
bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
config file testing succeeded
But the directory slapd.d/ is still empty!
 
Old 02-04-2014, 06:35 AM   #17
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 11,516

Rep: Reputation: 1501
Quote:
Originally Posted by jonaskellens
I have now removed everything inside the directory slapd.d/ (I made a backup first)

Then did the conversion again:
Code:
[root@ldap1 openldap]# /usr/sbin/slaptest -f /etc/openldap/slapd.conf -v
bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
config file testing succeeded
But the directory slapd.d/ is still empty!
You need to specify the slapd.d directory location using the -F option:
Code:
/usr/sbin/slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d -v
You may read this for more details.

Regards
 
Old 02-04-2014, 06:45 AM   #18
jonaskellens
Member
 
Registered: Jul 2008
Location: Ghent, Belgium
Distribution: Fedora, CentOS
Posts: 632

Original Poster
Rep: Reputation: 33
I have read that the -F flag was not necessary if you use the default /etc/openldap/slapd.d

But with specifying this directory, I now have the following in /etc/openldap/slapd.d/:
Code:
drwxr-x--- 3 root root 4,0K feb  4 12:40 cn=config
-rw------- 1 root root 1,1K feb  4 12:40 cn=config.ldif
Which is good!

But next problem:
Code:
[root@ldap1 openldap]# /sbin/service slapd restart
Stopping slapd:                                            [  OK  ]
Checking configuration files for slapd:                    [FAILED]
ldif_read_file: Permission denied for "/etc/openldap/slapd.d/cn=config.ldif"
slaptest: bad configuration file!
/var/log/slapd.log only says:
Code:
Feb  4 12:40:47 ldap1 slapd[25217]: daemon: shutdown requested and initiated.
Feb  4 12:40:47 ldap1 slapd[25217]: slapd shutdown: waiting for 0 operations/tasks to finish
Feb  4 12:40:47 ldap1 slapd[25217]: slapd stopped.

Last edited by jonaskellens; 02-04-2014 at 06:46 AM.
 
Old 02-04-2014, 07:42 AM   #19
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 11,516

Rep: Reputation: 1501
Quote:
drwxr-x--- 3 root root 4,0K feb 4 12:40 cn=config
-rw------- 1 root root 1,1K feb 4 12:40 cn=config.ldif
I guess slapd.d should be owned by the user/group that runs slapd, usually ldap/ldap for RHEL based distros. So
Code:
chown -R ldap:ldap /etc/openldap/slapd.d
 
Old 02-04-2014, 08:38 AM   #20
jonaskellens
Member
 
Registered: Jul 2008
Location: Ghent, Belgium
Distribution: Fedora, CentOS
Posts: 632

Original Poster
Rep: Reputation: 33
Thanks. Managed to get slapd running.

Now, next step :

Quote:
Originally Posted by bathory
Now you need to populate your ldap directory using a ldif file.
I do not seem to be able to populate:
Code:
[root@ldap1 openldap]# /usr/bin/ldapadd -f 140204.ldif -D "cn=Manager,dc=mydomain" -w MyPassword
adding new entry "dc=mydomain"
ldap_add: Constraint violation (19)
	additional info: structuralObjectClass: no user modification allowed
 
Old 02-04-2014, 04:07 PM   #21
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 11,516

Rep: Reputation: 1501
Quote:
I do not seem to be able to populate:
Code:
[root@ldap1 openldap]# /usr/bin/ldapadd -f 140204.ldif -D "cn=Manager,dc=mydomain" -w MyPassword
adding new entry "dc=mydomain"
ldap_add: Constraint violation (19)
additional info: structuralObjectClass: no user modification allowed
Stop slapd from running and use slapadd to add the initial DN
Code:
slapadd -l 140204.ldif

Last edited by bathory; 02-04-2014 at 04:12 PM.
 
Old 02-05-2014, 08:34 AM   #22
jonaskellens
Member
 
Registered: Jul 2008
Location: Ghent, Belgium
Distribution: Fedora, CentOS
Posts: 632

Original Poster
Rep: Reputation: 33
Quote:
Originally Posted by bathory
Stop slapd from running and use slapadd to add the initial DN
slapadd worked, thanks!

Now when I start the slapd service again, I get some notices:

Code:
[root@ldap1 openldap]# /sbin/service slapd start
/var/lib/ldap/log.0000000010 is not owned by "ldap"        [WARNING]
/var/lib/ldap/log.0000000009 is not owned by "ldap"        [WARNING]
/var/lib/ldap/ou.bdb is not owned by "ldap"                [WARNING]
/var/lib/ldap/log.0000000003 is not owned by "ldap"        [WARNING]
/var/lib/ldap/log.0000000008 is not owned by "ldap"        [WARNING]
/var/lib/ldap/telephoneNumber.bdb is not owned by "ldap"   [WARNING]
/var/lib/ldap/log.0000000013 is not owned by "ldap"        [WARNING]
/var/lib/ldap/log.0000000017 is not owned by "ldap"        [WARNING]
/var/lib/ldap/sn.bdb is not owned by "ldap"                [WARNING]
/var/lib/ldap/log.0000000016 is not owned by "ldap"        [WARNING]
/var/lib/ldap/log.0000000015 is not owned by "ldap"        [WARNING]
/var/lib/ldap/log.0000000012 is not owned by "ldap"        [WARNING]
/var/lib/ldap/log.0000000005 is not owned by "ldap"        [WARNING]
/var/lib/ldap/log.0000000018 is not owned by "ldap"        [WARNING]
/var/lib/ldap/log.0000000006 is not owned by "ldap"        [WARNING]
/var/lib/ldap/log.0000000011 is not owned by "ldap"        [WARNING]
/var/lib/ldap/log.0000000007 is not owned by "ldap"        [WARNING]
/var/lib/ldap/log.0000000014 is not owned by "ldap"        [WARNING]
/var/lib/ldap/log.0000000004 is not owned by "ldap"        [WARNING]
/var/lib/ldap/log.0000000002 is not owned by "ldap"        [WARNING]
Starting slapd:                                            [  OK  ]
 
Old 02-05-2014, 08:59 AM   #23
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 11,516

Rep: Reputation: 1501
Again you need to set the correct ownership to that directory.
Stop slapd and run:
Code:
chown ldap:ldap -R /var/lib/ldap
Then restart the service.
 
Old 02-05-2014, 09:13 AM   #24
jonaskellens
Member
 
Registered: Jul 2008
Location: Ghent, Belgium
Distribution: Fedora, CentOS
Posts: 632

Original Poster
Rep: Reputation: 33
OK thanks. No more notices now.

However there is still a problem with credentials.

When I log on as Manager (root), I can make a search with results:
Code:
[root@ldap1 openldap]# ldapsearch -x -D 'cn=Manager,dc=mydomain' -b "dc=mydomain" -W
...
# search result
search: 2
result: 0 Success

# numResponses: 15605
# numEntries: 15604
When I try to make a search with a user, it fails with wrong credentials:
Code:
[root@ldap1 openldap]# ldapsearch -x -D 'cn=U101001,ou=101001,dc=mydomain' -b "dc=mydomain" -W
Enter LDAP Password: 
ldap_bind: Invalid credentials (49)
I am sure I'm using the correct password. It works perfectly on the "old" ldap-server.

So there is still something wrong after conversion.

/var/log/slapd.log:
Code:
Feb  5 15:12:44 slap01 slapd[22217]: conn=1002 fd=13 ACCEPT from IP=127.0.0.1:59241 (IP=0.0.0.0:389)
Feb  5 15:12:44 slap01 slapd[22217]: conn=1002 op=0 BIND dn="cn=U101001,ou=101001,dc=mydomain" method=128
Feb  5 15:12:44 slap01 slapd[22217]: conn=1002 op=0 RESULT tag=97 err=49 text=
Feb  5 15:12:44 slap01 slapd[22217]: conn=1002 fd=13 closed (connection lost)
 
Old 02-05-2014, 02:47 PM   #25
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 11,516

Rep: Reputation: 1501
Quote:
When I try to make a search with a user, it fails with wrong credentials:
Code:
[root@ldap1 openldap]# ldapsearch -x -D 'cn=U101001,ou=101001,dc=mydomain' -b "dc=mydomain" -W
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
Doh! Are you sure that this DN "cn=U101001,ou=101001,dc=mydomain" really exists?
Do a search for it:
Code:
ldapsearch -x -D 'cn=Manager,dc=mydomain' -b "cn=U101001,ou=101001,dc=mydomain" -W
 
Old 02-06-2014, 04:59 AM   #26
jonaskellens
Member
 
Registered: Jul 2008
Location: Ghent, Belgium
Distribution: Fedora, CentOS
Posts: 632

Original Poster
Rep: Reputation: 33
Quote:
Originally Posted by bathory
Doh! Are you sure that this DN "cn=U101001,ou=101001,dc=mydomain" really exists?
Code:
# extended LDIF
#
# LDAPv3
# base <cn=U101001,ou=101001,dc=mydomain> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# U101001, 101001, mydomain
dn: cn=U101001,ou=101001,dc=mydomain
cn: U101001
sn: U101001
objectClass: inetOrgPerson
objectClass: top
userPassword:: e1NTSEF9OVBTNmltR3ZpUEhzK1JRQVpickNVdVR5cS9Iejg5TzY=

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
 
Old 02-06-2014, 07:49 AM   #27
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 11,516

Rep: Reputation: 1501
So, if the user exists and you're sure about the password, then it should be an ACL problem.
Perhaps your user does not have read rights in the directory. Try adding
Code:
olcAccess: {XX}to *  by users read  by * none
in olcDatabase={2}bdb.ldif and see if it works.
You need to replace XX with the appropriate serial number based on the number of existing ACLs.
 
Old 02-06-2014, 07:54 AM   #28
jonaskellens
Member
 
Registered: Jul 2008
Location: Ghent, Belgium
Distribution: Fedora, CentOS
Posts: 632

Original Poster
Rep: Reputation: 33
This is what is written in the file /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{1\}bdb.ldif after conversion:
Code:
olcAccess: {3}to dn.regex="ou=tbook[12345],ou=contacten,ou=101001,dc=mydomain
 "  attrs=children  by group/groupOfNames/member.exact="cn=admins,ou=101001,dc
 =mydomain" write  by * none break
olcAccess: {4}to dn.one="ou=tbook1,ou=contacten,ou=101001,dc=mydomain"  by gr
 oup/groupOfNames/member.exact="cn=admins,ou=101001,dc=mydomain" write  by gr
 oup/groupOfNames/member.exact="cn=tbook1,ou=gebruikers,ou=101001,dc=mydomain
 " read
olcAccess: {5}to dn.one="ou=tbook2,ou=contacten,ou=101001,dc=mydomain"  by gr
 oup/groupOfNames/member.exact="cn=admins,ou=101001,dc=mydomain" write  by gr
 oup/groupOfNames/member.exact="cn=tbook2,ou=gebruikers,ou=101001,dc=mydomain
 " read
olcAccess: {6}to dn.one="ou=tbook3,ou=contacten,ou=101001,dc=mydomain"  by gr
 oup/groupOfNames/member.exact="cn=admins,ou=101001,dc=mydomain" write  by gr
 oup/groupOfNames/member.exact="cn=tbook3,ou=gebruikers,ou=101001,dc=mydomain
 " read
olcAccess: {7}to dn.one="ou=tbook4,ou=contacten,ou=101001,dc=mydomain"  by gr
 oup/groupOfNames/member.exact="cn=admins,ou=101001,dc=mydomain" write  by gr
 oup/groupOfNames/member.exact="cn=tbook4,ou=gebruikers,ou=101001,dc=mydomain
 " read
olcAccess: {8}to dn.one="ou=tbook5,ou=contacten,ou=101001,dc=mydomain"  by gr
 oup/groupOfNames/member.exact="cn=admins,ou=101001,dc=mydomain" write  by gr
 oup/groupOfNames/member.exact="cn=tbook5,ou=gebruikers,ou=101001,dc=mydomain
 " read
Works perfectly in the old ldap-server in the old notation form.
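As an added example (not code from this thread or from OpenLDAP), the Python below unfolds the line-wrapped olcAccess attributes in the form shown above and computes the {XX} serial that the "by users read" rule from the previous reply needs; the LDIF sample is constructed, and the rule contents are assumptions. It also flags an existing "to *" rule, because slapd uses the first "to" clause that matches and ignores later ones unless that clause ends in "break".

```python
import re

# Constructed sample in the folded LDIF form slapd.d uses: a continuation
# line starts with a single space and is glued onto the previous line.
SAMPLE_LDIF = """\
dn: olcDatabase={1}bdb,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {1}bdb
olcSuffix: dc=mydomain
olcAccess: {0}to attrs=userPassword  by self write  by anonymous auth  by * n
 one
olcAccess: {1}to dn.one="ou=tbook1,ou=contacten,ou=101001,dc=mydomain"  by gr
 oup/groupOfNames/member.exact="cn=admins,ou=101001,dc=mydomain" write  by gr
 oup/groupOfNames/member.exact="cn=tbook1,ou=gebruikers,ou=101001,dc=mydomain
 " read
"""

ACL_RE = re.compile(r"^olcAccess:\s*\{(\d+)\}(.*)$")


def unfold_ldif(text):
    """Join LDIF continuation lines (leading space) onto the preceding line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_olc_access(text):
    """Return [(serial, rule_text)] for every olcAccess attribute, in file order."""
    acls = []
    for line in unfold_ldif(text):
        m = ACL_RE.match(line)
        if m:
            acls.append((int(m.group(1)), m.group(2).strip()))
    return acls


def next_olc_access_index(text):
    """Serial to use for a rule appended after the existing ACLs."""
    acls = parse_olc_access(text)
    return max(i for i, _ in acls) + 1 if acls else 0


def catch_all_read_rule(text):
    """Build the 'by users read' rule with the right {XX} serial (assumed rule text)."""
    return "olcAccess: {%d}to *  by users read  by * none" % next_olc_access_index(text)


def has_catch_all(text):
    """True if a 'to *' rule already exists; a rule appended after it would never match."""
    return any(rule.startswith("to *") for _, rule in parse_olc_access(text))
```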
 
Old 02-06-2014, 09:35 AM   #29
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 11,516

Rep: Reputation: 1501
Quote:
Works perfectly in the old ldap-server in the old notation form.
You can (re)move the slapd.d directory (and modify the slapd startup script if needed), so it uses slapd.conf to start.
The default is to use slapd.d, but if that directory doesn't exist, it uses slapd.conf as a fallback.
Other than that I don't know what else you have to try as a last resort.
 
Old 02-07-2014, 05:56 AM   #30
jonaskellens
Member
 
Registered: Jul 2008
Location: Ghent, Belgium
Distribution: Fedora, CentOS
Posts: 632

Original Poster
Rep: Reputation: 33
When I let slapd use the ldap.conf file, I can log in but I still have no search result:

Code:
[root@ldap1 openldap]# ldapsearch -x -D 'cn=U101001,ou=101001,dc=mydomain' -b "dc=mydomain" -W
Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
# base <dc=mydomain> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1
I get: 32 No Such Object

When I look with phpLDAPadmin, I see that there are objects inside the tree.
 