LinuxQuestions.org
Linux - Server This forum is for the discussion of Linux Software used in a server related context.
Old 01-14-2010, 11:25 PM   #1
frenchn00b
Senior Member
 
Registered: Jun 2007
Location: E.U., Mountains :-)
Distribution: Debian, Etch, the greatest
Posts: 2,561

Rep: Reputation: 57
LDAP SERVER: Could someone please post a tar.gz with the working configuration files?


Dear expert Server-users,

LDAP is endlessly not working, due to the difficulty of simply configuring it. I cannot even make the first steps of the installation ... It seems so difficult ... After many howtos, wikis, reading and re-reading, the errors are still there, always different, and it is not working.

Is there an admin, coming from hell, who got an LDAP server running and could share the basic configuration files (/var.., /etc...) of a working LDAP server in a tar.gz?

Thank you very much in advance!

(Ubuntu or Debian would be preferred, but all help is welcome)
 
Old 01-15-2010, 03:37 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
OpenLDAP is not rocket surgery; if you can't follow the standard docs, an arbitrary configuration file for someone else's services is hardly going to help you, is it?
 
Old 01-15-2010, 03:41 AM   #3
frenchn00b
Senior Member
 
Registered: Jun 2007
Location: E.U., Mountains :-)
Distribution: Debian, Etch, the greatest
Posts: 2,561

Original Poster
Rep: Reputation: 57
Quote:
Originally Posted by acid_kewpie
OpenLDAP is not rocket surgery; if you can't follow the standard docs, an arbitrary configuration file for someone else's services is hardly going to help you, is it?
OpenLDAP is very difficult. If someone made a tar.gz with the right permissions and a working Ubuntu/Debian config, it would work for sure.

Howtos? - well, they are all non-default or non-standard, and do not follow Debian. For 1-2 months I have been trying hard to install LDAP (server) on a standard Debian install from apt-get, and no way: there are always some errors. This is

And to find out that this is the key to debugging, try reading for many hours:
Code:
  slapd -u ldap -d 256 -f /etc/ldap/slapd.conf
Reference: http://www.openldap.org/doc/admin24/quickstart.html

OK, compile it from source to have a package that works and use /etc/openldap as in most Gentoo wikis; error, because you do not find the db-devel (Berkeley DB devel) in the Debian repositories, even.
Super.

In the default installation, there is no SSL enabled, super:
Quote:
netstat -plane |grep ":636"
nothing
Well, what a default configuration.

Last edited by frenchn00b; 01-15-2010 at 03:57 AM.
 
Old 01-15-2010, 04:30 AM   #4
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
It is NOT difficult. Any self-respecting professional Linux administrator should be able to get it running from scratch in a morning without touching the sides. Copying in someone else's config verbatim won't help you here.

Why should SSL be enabled by default? LDAPS is not recommended; you should be using TLS on 389 instead of SSL on 636. The documentation you linked to gives a good guide to configuring TLS in chapter 16. Additionally, 10 seconds on Google gets me here: http://www.openldap.org/faq/data/cache/185.html and enabling SSL on 636 quickety quick.
 
Old 01-15-2010, 05:30 AM   #5
frenchn00b
Senior Member
 
Registered: Jun 2007
Location: E.U., Mountains :-)
Distribution: Debian, Etch, the greatest
Posts: 2,561

Original Poster
Rep: Reputation: 57
I reinstalled Linux and followed this best howto.
working

# apt-get install slapd ldap-utils
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
odbcinst odbcinst1debian1 unixodbc
Suggested packages:
libmyodbc odbc-postgresql tdsodbc unixodbc-bin
The following NEW packages will be installed:
ldap-utils odbcinst odbcinst1debian1 slapd unixodbc
0 upgraded, 5 newly installed, 0 to remove and 208 not upgraded.
Need to get 2,047kB of archives.
After this operation, 5,353kB of additional disk space will be used.
Do you want to continue [Y/n]? y
Get:1 http://http.us.debian.org squeeze/main odbcinst 2.2.11-21 [34.5kB]
Get:2 http://http.us.debian.org squeeze/main odbcinst1debian1 2.2.11-21 [60.7kB]
Get:3 http://http.us.debian.org squeeze/main unixodbc 2.2.11-21 [199kB]
Get:4 http://http.us.debian.org squeeze/main slapd 2.4.17-2.1 [1,469kB]
Get:5 http://http.us.debian.org squeeze/main ldap-utils 2.4.17-2.1 [284kB]
Fetched 2,047kB in 13s (154kB/s)
debconf: unable to initialize frontend: Dialog
debconf: (Dialog frontend requires a screen at least 13 lines tall and 31 columns wide.)
debconf: falling back to frontend: Readline
Preconfiguring packages ...
Configuring slapd
-----------------

Please enter the password for the admin entry in your LDAP directory.

Administrator password:


Please enter the admin password for your LDAP directory again to verify that you have typed it correctly.

Confirm password:

Please enter the admin password for your LDAP directory again to verify that you have typed it correctly.

Confirm password:


Selecting previously deselected package odbcinst.
(Reading database ... 119718 files and directories currently installed.)
Unpacking odbcinst (from .../odbcinst_2.2.11-21_i386.deb) ...
Selecting previously deselected package odbcinst1debian1.
Unpacking odbcinst1debian1 (from .../odbcinst1debian1_2.2.11-21_i386.deb) ...
Selecting previously deselected package unixodbc.
Unpacking unixodbc (from .../unixodbc_2.2.11-21_i386.deb) ...
Selecting previously deselected package slapd.
Unpacking slapd (from .../slapd_2.4.17-2.1_i386.deb) ...
debconf: unable to initialize frontend: Dialog
debconf: (Dialog frontend requires a screen at least 13 lines tall and 31 columns wide.)
debconf: falling back to frontend: Readline
Selecting previously deselected package ldap-utils.
Unpacking ldap-utils (from .../ldap-utils_2.4.17-2.1_i386.deb) ...
Processing triggers for man-db ...
debconf: unable to initialize frontend: Dialog
debconf: (Dialog frontend requires a screen at least 13 lines tall and 31 columns wide.)
debconf: falling back to frontend: Readline
Setting up ldap-utils (2.4.17-2.1) ...
Setting up odbcinst (2.2.11-21) ...
Setting up odbcinst1debian1 (2.2.11-21) ...
Setting up unixodbc (2.2.11-21) ...
Setting up slapd (2.4.17-2.1) ...
debconf: unable to initialize frontend: Dialog
debconf: (Dialog frontend requires a screen at least 13 lines tall and 31 columns wide.)
debconf: falling back to frontend: Readline
Creating new user openldap... done.
Creating initial slapd configuration... done.
_#################### 100.00% eta none elapsed none fast!
Closing DB...
done.
Starting OpenLDAP: slapd.



dpkg-reconfigure slapd

Omit OpenLDAP server configuration? no
DNS domain name: example.org
Name of your organization: example_organization
Admin password: secret
Database backend to use: BDB
Do you want your database to be removed when slapd is purged? no
move old database yes
Allow LDAPv2 protocol? no

Stopping OpenLDAP: slapd.
Moving old database directory to /var/backups:
- directory unknown... done.
Creating initial slapd configuration... done.
_#################### 100.00% eta none elapsed none fast!
Closing DB...
done.
Starting OpenLDAP: slapd.



ldapsearch -x -b dc=example,dc=org
# ldapsearch -x -b dc=example,dc=org
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=org> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# example.org
dn: dc=example,dc=org
objectClass: top
objectClass: dcObject
objectClass: organization
o: example_organization
dc: example

# admin, example.org
dn: cn=admin,dc=example,dc=org
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2




cd /etc/ldap

# cat base.ldif
dn: ou=People,dc=example,dc=org
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=example,dc=org
ou: Group
objectClass: top
objectClass: organizationalUnit



ldapadd -x -D "cn=admin,dc=example,dc=org" -W -f base.ldif



# ldapadd -x -D "cn=admin,dc=example,dc=org" -W -f base.ldif
Enter LDAP Password:
adding new entry "ou=People,dc=example,dc=org"

adding new entry "ou=Group,dc=example,dc=org"



# cat group.ldif

dn: cn=ldapusers,ou=Group,dc=example,dc=org
objectClass: posixGroup
objectClass: top
cn: ldapusers
userPassword: {crypt}x
gidNumber: 9000


ldapadd -x -D "cn=admin,dc=example,dc=org" -W -f group.ldif



/etc/ldap# ldapadd -x -D "cn=admin,dc=example,dc=org" -W -f group.ldif
Enter LDAP Password:
adding new entry "cn=ldapusers,ou=Group,dc=example,dc=org"





/etc/ldap# cat myuser.ldif
dn: cn=Myuser,ou=People,dc=example,dc=org
cn: Myuser
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
sn: User
uid: myuser
uidNumber: 1025
gidNumber: 9000
homeDirectory: /tmp


/etc/ldap# ldapadd -x -D "cn=admin,dc=example,dc=org" -W -f myuser.ldif
Enter LDAP Password:
adding new entry "cn=Myuser,ou=People,dc=example,dc=org"




etc/ldap# tar cvf /root/ldap-server-installed.tar.gz /etc/ssl/ /etc/ldap/ /etc/passwd /var/lib/ldap/


(I will edit this post in some 10 min, with formatting)
+ provide a tar.gz with the configuration files.
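The three LDIF files in the post above are fed to ldapadd one after another, and ldapadd only reports schema violations, not inconsistencies between the files. As an added example (not part of the post, and not OpenLDAP's own tooling), the Python checker below parses the post's LDIF and reports what a practitioner would want to know before loading it: MUST attributes missing from a posixAccount, posixGroup, inetOrgPerson or organizationalUnit entry (per RFC 2307 and the core schema), a user whose gidNumber points at no posixGroup in the same file, and userPassword values that are either stored in cleartext (no {scheme} prefix) or set to a placeholder such as the {crypt}x on cn=ldapusers above, which no password can ever match. The sample LDIF is the post's base.ldif, group.ldif and myuser.ldif concatenated; the PLACEHOLDERS set and the check logic are this example's own assumptions.

```python
"""Sanity-check LDIF entries before handing them to ldapadd (added example)."""
import base64
import re

# Constructed sample: base.ldif, group.ldif and myuser.ldif from the post, concatenated.
SAMPLE_LDIF = """\
dn: ou=People,dc=example,dc=org
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=example,dc=org
ou: Group
objectClass: top
objectClass: organizationalUnit

dn: cn=ldapusers,ou=Group,dc=example,dc=org
objectClass: posixGroup
objectClass: top
cn: ldapusers
userPassword: {crypt}x
gidNumber: 9000

dn: cn=Myuser,ou=People,dc=example,dc=org
cn: Myuser
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
sn: User
uid: myuser
uidNumber: 1025
gidNumber: 9000
homeDirectory: /tmp
"""

# MUST attributes (lower-cased): RFC 2307 for posixAccount/posixGroup, core schema for the rest.
REQUIRED = {
    "posixaccount": {"cn", "uid", "uidnumber", "gidnumber", "homedirectory"},
    "posixgroup": {"cn", "gidnumber"},
    "inetorgperson": {"cn", "sn"},
    "organizationalunit": {"ou"},
}
SCHEME = re.compile(r"^\{[A-Za-z0-9-]+\}")           # {SSHA}, {crypt}, ... prefix
PLACEHOLDERS = {"{crypt}x", "{crypt}!", "{crypt}*"}  # assumed set; no password matches these
ATTR = re.compile(r"^([A-Za-z][\w;.-]*):(:?)\s?(.*)$")


def parse_ldif(text):
    """Return entries as dicts: 'dn' -> str, lower-cased attribute -> [values]."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):      # entries are blank-line separated
        entry = {}
        for line in block.replace("\n ", "").splitlines():  # a leading space continues a line
            if line.startswith("#") or line.startswith("version:"):
                continue
            m = ATTR.match(line)
            if not m:
                raise ValueError(f"malformed LDIF line: {line!r}")
            name, value = m.group(1).lower(), m.group(3)
            if m.group(2):                                  # 'attr:: <base64>' form
                value = base64.b64decode(value).decode("utf-8")
            if name == "dn":
                entry["dn"] = value
            else:
                entry.setdefault(name, []).append(value)
        if "dn" in entry:
            entries.append(entry)
        elif entry:
            raise ValueError(f"entry without dn: {block!r}")
    return entries


def validate(entries):
    """Return (dn, message) findings for schema and consistency problems."""
    findings, groups = [], set()
    for e in entries:                                       # collect gidNumbers of the groups
        if "posixgroup" in {c.lower() for c in e.get("objectclass", [])}:
            groups.update(e.get("gidnumber", []))
    for e in entries:
        dn = e["dn"]
        classes = {c.lower() for c in e.get("objectclass", [])}
        for cls in sorted(classes):
            for attr in sorted(REQUIRED.get(cls, set()) - set(e)):
                findings.append((dn, f"{cls} requires attribute {attr}"))
        if "posixaccount" in classes:
            for gid in e.get("gidnumber", []):
                if gid not in groups:
                    findings.append((dn, f"gidNumber {gid} matches no posixGroup in this LDIF"))
        for pw in e.get("userpassword", []):
            if not SCHEME.match(pw):
                findings.append((dn, "userPassword has no {scheme} prefix: stored in cleartext"))
            elif pw.lower() in PLACEHOLDERS:
                findings.append((dn, f"userPassword {pw} is a placeholder, no password matches it"))
    return findings


if __name__ == "__main__":
    for dn, msg in validate(parse_ldif(SAMPLE_LDIF)):
        print(f"{dn}: {msg}")
```

Run on the post's own files, the only finding is the placeholder password on cn=ldapusers; remove homeDirectory from the user or change its gidNumber and the checker reports that before slapd ever sees it.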
 
Old 01-15-2010, 05:53 AM   #6
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
You reinstall the entire operating system for ldap??
 
Old 01-15-2010, 06:25 AM   #7
frenchn00b
Senior Member
 
Registered: Jun 2007
Location: E.U., Mountains :-)
Distribution: Debian, Etch, the greatest
Posts: 2,561

Original Poster
Rep: Reputation: 57
Quote:
# extended LDIF
# ldapsearch -x -b dc=example,dc=org > /tmp/ser
# LDAPv3
# base <dc=example,dc=org> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# example.org
dn: dc=example,dc=org
objectClass: top
objectClass: dcObject
objectClass: organization
o: example_organization
dc: example

# admin, example.org
dn: cn=admin,dc=example,dc=org
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator

# People, example.org
dn: ou=People,dc=example,dc=org
ou: People
objectClass: top
objectClass: organizationalUnit

# Group, example.org
dn: ou=Group,dc=example,dc=org
ou: Group
objectClass: top
objectClass: organizationalUnit

# ldapusers, Group, example.org
dn: cn=ldapusers,ou=Group,dc=example,dc=org
objectClass: posixGroup
objectClass: top
cn: ldapusers
gidNumber: 9000

# Myuser, People, example.org
dn: cn=Myuser,ou=People,dc=example,dc=org
cn: Myuser
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
sn: User
uid: myuser
uidNumber: 1025
gidNumber: 9000
homeDirectory: /tmp

# search result
search: 2
result: 0 Success

# numResponses: 7
# numEntries: 6


Quote:
Originally Posted by acid_kewpie
You reinstall the entire operating system for ldap??
Yeap. I couldn't do anything. I want to learn.

Now the client pc says:
Quote:
nss_ldap could not connecto to any ldap server as cn=admin, dc=eample,dc=org cant contact ldap server
The IP of the server is OK.
ldap://192.168.10.100

The client doesn't let me go to root to fix it.
Client not working ... reinstall the whole client?
I followed this howto step by step, every single one: http://www.linux.com/archive/feature/114074



The server is running on port 389, from nmap -sS:
Code:
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
389/tcp open ldap

what to do?

Last edited by frenchn00b; 01-15-2010 at 06:29 AM.
 
Old 01-15-2010, 06:43 AM   #8
frenchn00b
Senior Member
 
Registered: Jun 2007
Location: E.U., Mountains :-)
Distribution: Debian, Etch, the greatest
Posts: 2,561

Original Poster
Rep: Reputation: 57
Quote:
Restarting BIND fails

If you are running BIND on the same computer as you are running Samba you may run into an issue when restarting/starting the BIND service. This may be an issue when rebooting however I have not tested that yet.

When restarting the BIND server (/etc/init.d/bind9 restart) the service stalls on start. Determined that the /etc/nsswitch.conf ldap settings were the point of failure. Restoring the nsswitch.conf setting back to using files temporarily fixed the issue.
I am running on 2 different PCs, i.e. 1 LDAP server and one LDAP client, freshly re-installed. Two Linux boxes, Debian stable.

The proposed solution against the BUG in Debian stable LDAP is not working:

Code:
   After updating /etc/nsswitch.conf (see Configure NSS to work with LDAP) rebooting the server stalled with the following message:
udevd[]: nss_ldap: could not connect to any LDAP server as (null) - Can't contact LDAP server
udevd[]: nss_ldap: failed to bind to LDAP server ldaps://LDAPSERVER.HERE: Can't contact LDAP server
udevd[]: nss_ldap: could not connect to any LDAP server as (null) - Can't contact LDAP server
udevd[]: nss_ldap: failed to bind to LDAP server ldaps://LDAPSERVER.HERE: Can't contact LDAP server
udevd[]: nss_ldap: could not connect to any LDAP server as (null) - Can't contact LDAP server
udevd[]: nss_ldap: failed to bind to LDAP server ldaps://LDAPSERVER.HERE: Can't contact LDAP server
udevd[]: nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)

The sleep interval is doubled each time (4,8,16,32,64 seconds) and takes a very long time to boot up.

A bug report can be found here.

The issue and proposed solution is as follows:

The problem is caused by the usage of the non existing group 'nvram' 
in /etc/udev/rules.d/40-permissions.rules: KERNEL=="nvram", GROUP="nvram"

When udev starts, is looks up 'nvram'. While 'nvram' could not be found 
in /etc/group NSS tries to connect the ldap server. As result the boot sequence stops.

To fix this problem is very easy: Add the local group 'nvram' to /etc/groups

Type in the following:
I added the nvram using a bootable Knoppix pendrive

nss_ldap reconnecting... error...

Last edited by frenchn00b; 01-15-2010 at 06:46 AM.
 
Old 01-15-2010, 07:31 AM   #9
frenchn00b
Senior Member
 
Registered: Jun 2007
Location: E.U., Mountains :-)
Distribution: Debian, Etch, the greatest
Posts: 2,561

Original Poster
Rep: Reputation: 57
Quote:
From /usr/share/doc/libpam-ldap/README.Debian:

*

Be very careful when you use "sufficient pam_ldap.so" in Debian's /etc/pam.d/common-* files: Some services can place other "required" PAM-modules after the includes, which will be ignored if pam_ldap.so succeeds. As a workaround, use something like the following construct:

# Check local authentication first, so root can still login
# while LDAP is down.
auth [success=1 default=ignore] pam_unix.so
auth required pam_ldap.so use_first_pass
auth required pam_permit.so

The third line is needed, so "success=1" can skip over one module and still has a module to jump to. Without that, PAM segfaults!
What should the content of the LDAP files in /etc/pam.d be??
No one really posts this how-to...

It would be easy for someone to post a tar.gz of a working LDAP configuration for server + client. What does it cost? - nothing, just a few minutes
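The README excerpt quoted in this post describes PAM control flow that is easier to see executed than read. As an added example (not from the README, not from Linux-PAM, and not the content of anyone's /etc/pam.d), the Python model below implements the semantics of the three control fields the page uses, `required`, `sufficient` and `[success=N default=ignore]`, and treats a jump that lands beyond the last module as an error, which is the situation the README describes as a segfault. Module arguments such as `use_first_pass` are dropped, `pam_permit.so` is modelled as always succeeding, and `pam_service_check.so` is a hypothetical module standing in for the "other required PAM-modules after the includes" the README warns about.

```python
"""Toy model of Linux-PAM auth-stack control flow (added example, not PAM code)."""

# The stack recommended in the README.Debian excerpt, module arguments dropped.
RECOMMENDED = [
    ("[success=1 default=ignore]", "pam_unix.so"),
    ("required", "pam_ldap.so"),
    ("required", "pam_permit.so"),
]
# The same stack without the third line the README insists on.
TRUNCATED = RECOMMENDED[:2]
# The construct the README warns against: "sufficient pam_ldap.so" followed by a
# required module that a service appends after the include. pam_service_check.so
# is a hypothetical module name used only for this illustration.
SUFFICIENT_THEN_REQUIRED = [
    ("sufficient", "pam_ldap.so"),
    ("required", "pam_service_check.so"),
]


class StackJumpError(Exception):
    """A success=N jump landed beyond the last module of the stack."""


def run_stack(stack, outcomes):
    """Return the stack's overall "success" or "fail".

    outcomes maps module name -> "success" or "fail", the result that module
    would produce for this login attempt; pam_permit.so always succeeds and
    an unlisted module fails."""
    final = None   # first result that counts; None while nothing has counted
    i = 0
    while i < len(stack):
        control, module = stack[i]
        result = "success" if module == "pam_permit.so" else outcomes.get(module, "fail")
        if control == "required":
            # its result counts, and a failure can't be undone by later modules
            if result == "fail":
                final = "fail"
            elif final is None:
                final = "success"
            i += 1
        elif control == "sufficient":
            # success ends the stack now unless a required module already failed;
            # whatever follows is never evaluated
            if result == "success" and final != "fail":
                return "success"
            i += 1
        elif control.startswith("[success="):
            skip = int(control[len("[success="):].split()[0])
            if result == "success":
                # counts like "ok", then jumps over the next `skip` modules
                if final is None:
                    final = "success"
                i += 1 + skip
                if i >= len(stack):
                    raise StackJumpError(f"success={skip} from {module} leaves the stack")
            else:
                i += 1   # default=ignore: the result does not count
        else:
            raise ValueError(f"unsupported control field: {control}")
    return final or "fail"


def jumps_out(stack, outcomes):
    """True when evaluating the stack raises StackJumpError."""
    try:
        run_stack(stack, outcomes)
    except StackJumpError:
        return True
    return False


def scenarios():
    """The README's cases, plus the construct it warns about."""
    local_root = {"pam_unix.so": "success", "pam_ldap.so": "fail"}   # LDAP down, root logs in
    ldap_user = {"pam_unix.so": "fail", "pam_ldap.so": "success"}
    bad_password = {"pam_unix.so": "fail", "pam_ldap.so": "fail"}
    service_says_no = {"pam_ldap.so": "success", "pam_service_check.so": "fail"}
    return {
        "root while LDAP is down": run_stack(RECOMMENDED, local_root),
        "LDAP user": run_stack(RECOMMENDED, ldap_user),
        "bad password": run_stack(RECOMMENDED, bad_password),
        "sufficient skips the later required module": run_stack(SUFFICIENT_THEN_REQUIRED, service_says_no),
        "truncated stack jumps out": jumps_out(TRUNCATED, local_root),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:45} -> {verdict}")
```

The recommended stack lets root in through pam_unix.so while the LDAP server is down, lets an LDAP user in, and denies a bad password, because pam_permit.so gives the `success=1` jump somewhere to land. The `sufficient` variant returns success the moment pam_ldap.so succeeds, so a required module a service appends later is never consulted.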
 
Old 01-15-2010, 08:46 AM   #10
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
BIND?? What does any of this have to do with bind???

You're clearly trying to run before you can walk. Until you can happily do an ldapsearch of the server, don't even think about doing anything more useful with LDAP whatsoever.
 
Old 01-15-2010, 08:59 AM   #11
forrestt
Senior Member
 
Registered: Mar 2004
Location: Cary, NC, USA
Distribution: Fedora, Kubuntu, RedHat, CentOS, SuSe
Posts: 1,288

Rep: Reputation: 99
I think part of the problem is that LDAP switched from putting the configurations in slapd.conf to putting them in the directory itself. The problem with this is that just about every "How-To" on the Internet is telling you how to do it the old way. Try following the instructions from the authors.

HTH

Forrest

Last edited by forrestt; 01-15-2010 at 09:00 AM. Reason: fixed link
 
Old 01-15-2010, 10:20 AM   #12
frenchn00b
Senior Member
 
Registered: Jun 2007
Location: E.U., Mountains :-)
Distribution: Debian, Etch, the greatest
Posts: 2,561

Original Poster
Rep: Reputation: 57
Quote:
Originally Posted by forrestt
I think part of the problem is that LDAP switched from putting the configurations in slapd.conf to putting them in the directory itself. The problem with this is that just about every "How-To" on the Internet is telling you how to do it the old way. Try following the instructions from the authors.

HTH

Forrest
I made it !!

That's crazy. No single how-to explains the thing well. I am making an installation script...

But but but ... is this thing not secured?

How to do it with NFS?

fstab:
192.168.10.100:/home /home nfs defaults 0 0

I mean, can I still use it??

If you know the root of any PC, you get the file:
pam_ldap.secret
or boot with Knoppix,
then you can log in from root (su)
su myuserldap
and that's it, I am on the account

From root, yes. But isn't this thing unsecured? I kick the /etc/shadow for root with Knoppix, then I restart, I log in as root, and then full power over the LDAP.

Once you put no password for root with Knoppix, then you can get access to root LDAP on the server,
then change the NFS mount of /home to whatever you will.



fstab:
192.168.10.100:/home /home nfs defaults 0 0
is still unsecured. Every machine on the network can kick the root password locally, change the nsswitch file to compat instead of ldap files, and then:
mount the machine 192.168.10.100:/home to /home
and with root (from the local machine) he can see all the server box.

I am still trying to understand this LDAP process, so I am certainly wrong. I do believe that LDAP is secured.

Last edited by frenchn00b; 01-15-2010 at 10:44 AM.
 
Old 01-15-2010, 11:46 AM   #13
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
WTF does NFS have to do with LDAP???
 
Old 01-15-2010, 12:23 PM   #14
frenchn00b
Senior Member
 
Registered: Jun 2007
Location: E.U., Mountains :-)
Distribution: Debian, Etch, the greatest
Posts: 2,561

Original Poster
Rep: Reputation: 57
Quote:
Originally Posted by acid_kewpie
WTF does NFS have to do with LDAP???
I could figure out that the security was coming from Kerberos. LDAP + NFS is possible, even + SSH, but for higher security, it's Kerberos. Well, I won't make it, this Kerberos. Too difficult; LDAP is already difficult for me. But now I have my server and client working, well, the client cannot boot alone.


Quote:
Originally Posted by acid_kewpie
BIND?? What does any of this have to do with bind???

You're clearly trying to run before you can walk. Until you can happily do an ldapsearch of the server, don't even think about doing anything more useful with LDAP whatsoever.
It works. The problem is only at boot.
Once I boot with compat in nsswitch, it works.

With ldap files in it, it says:
Code:
devd[]: nss_ldap: could not connect to any LDAP server as (null) - Can't contact LDAP server
udevd[]: nss_ldap: failed to bind to LDAP server ldaps://LDAPSERVER.HERE: Can't contact LDAP server
ude

But the LDAP works, sure.
If I boot with compat, then log in as root, replace nsswitch (%s/compat/ ldap files/g), then
Code:
/etc/init.d/nscd restart
then
wait around 20 sec

tada ! voila !
My users are under the LDAP Server

login : myuserldap
passwd : *************

works

I am running debian stable.

Is it a bug? or can it be solved somehow for debian stable?

Last edited by frenchn00b; 01-15-2010 at 12:29 PM.
 
Old 01-15-2010, 12:42 PM   #15
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
a BUG? Of course it's not. You have very clearly not configured LDAP correctly. "ldaps://LDAPSERVER.HERE"??

I must remember to stop replying to your threads...
 
All times are GMT -5. The time now is 11:03 PM.