LinuxQuestions.org

Linux - Software (https://www.linuxquestions.org/questions/linux-software-2/)
Calling all LDAP Administrators...need help (https://www.linuxquestions.org/questions/linux-software-2/calling-all-ldap-administrators-need-help-49882/)

tarballed 03-14-2003 05:39 PM

Calling all LDAP Administrators...need help
 
Ok, I will get right to the point.
I have been assigned a project that includes setting up all our users on an LDAP server. I have been reading up on all sorts of documentation.

What I want to know is for the people out there who have installed LDAP, did you compile it from source from let's say, www.openldap.org or did you use a RPM package of some sort?

Reason I ask is that, as I'm learning here, which version you use decides where the config files go. For instance, if you use RPMs, the slapd.conf file will be installed into /etc/openldap.
If you use the source and compile according to the guide at www.openldap.org, by default it installs it into /usr/local/openldap.

Now, if you use RPMS, you can stop and start using init scripts. If you use source, you can use the /usr/local/openldap/libexec/slapd start and stop command.

First, is there a difference? Is one better than the other?

Secondly, I wanted to use some tools of sort to help along with setting up along the way. I came across two tools that look promising:

http://www.ldapadministrator.com/main/index.php

http://diradmin.open-it.org/index.php

I have set up Directory Administrator on the server that will be used as an LDAP server. For some reason, I cannot connect to the LDAP server. I get a protocol error. I checked everything.

The other one, was something I found, but have not really played with yet.

So, if anyone out there has some suggestions here, I could really use some advice on where to continue to go with this project.

Thanks,

Tarballed

jamrock 03-14-2003 08:46 PM

Hi Tarballed,


There are a few gotchas to openldap. I used the download from http://www.openldap.org.

The benefit of using the source is that you can configure it for specific tasks. I haven't used the RPM but wouldn't be against using it.

If you post your slapd.conf file, maybe we can help. Also, post the command you are using to connect and add records.

I really haven't used any tools but I can see how these would come in handy. I will check out those links. Currently, I just create a ldif file and enter the data there.

By the way, how do you plan to use LDAP? Is it for authentication or just to keep a list of staff and staff info? That will make a big difference.

Check out http://www.linuxquestions.org/questi...highlight=ldap for some links.

turnip 03-14-2003 11:13 PM

LDAP will also generate a lot of logging information to syslog.

Post some of the connection logs. You can also have a look at Sun's iPlanet Directory Server, which out of the box is ready to serve login requests.

Also,

Did you set up the rootdn account yet to log in with in slapd.conf?
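
Since both replies above ask about slapd.conf and the rootdn, here is a constructed slapd.conf for a source build under /usr/local/openldap, added as an example and not anything posted in the thread. The suffix dc=example,dc=com, the Manager rootdn, the database directory and the log file name are placeholders; the parts worth copying are the pidfile line (an init script has nothing to signal without it), the hashed rootpw, and the two access rules, because without them the OpenLDAP 2.1 default policy lets anyone bind anonymously and read everything, userPassword included:

```conf
# slapd.conf -- constructed example for the source build discussed in this thread.
# Schema paths follow the /usr/local/openldap/etc/openldap layout mentioned above.
include         /usr/local/openldap/etc/openldap/schema/core.schema
include         /usr/local/openldap/etc/openldap/schema/cosine.schema
include         /usr/local/openldap/etc/openldap/schema/inetorgperson.schema
include         /usr/local/openldap/etc/openldap/schema/nis.schema   # posixAccount etc. for PAM/NSS

# Needed so a start/stop script can find the daemon it started.
pidfile         /var/run/slapd.pid
argsfile        /var/run/slapd.args

# 256 = connections, operations and results.  slapd logs through syslog,
# facility LOCAL4 by default (change with slapd -l), so route it with a line
# such as "local4.*   /var/log/slapd.log" in syslog.conf instead of digging
# through /var/log/messages.
loglevel        256

# LDAPv2 binds are refused with protocolError unless this is enabled.
# Leave it commented unless a client really cannot speak LDAPv3.
# allow           bind_v2

database        ldbm
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
# WEAK:   rootpw secret      (cleartext in a file that is easy to leak or back up)
# BETTER: paste the {SSHA} line printed by slappasswd, and chmod 600 this file.
rootpw          {SSHA}paste-the-slappasswd-output-here
directory       /usr/local/openldap/var/openldap-ldbm   # placeholder path
index           objectClass,uid,uidNumber,gidNumber eq

# Without these two rules the default is "access to * by * read".
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
access to *
        by self write
        by * read
```

Generate the rootpw value with slappasswd (it prints a salted {SSHA} hash) rather than writing the password in clear, and remember that rootdn bypasses every access rule, so use it for loading the initial LDIF and bind as an ordinary entry for day-to-day testing. To check the ACLs, run an anonymous search such as ldapsearch -x -H ldap://localhost -b dc=example,dc=com userPassword: entries should come back, userPassword values should not.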

tarballed 03-17-2003 12:54 PM

hello everyone. Thanks for your input.

Let me start out with my intentions for using LDAP. We would like to setup our LDAP server to be used as authentication server. This project was given to me and I do not think my manager realizes just how long this may take. I have been plugging away at it, but it really is quite in depth and requires a lot of time and patience.

This is what I did:

I just happened to be going to www.devshed.com and noticed they had a two part series on LDAP. I basically read both articles and followed their instructions to a 'T'.

It seems kind of odd though when I read their instructions and what is going on with my machine. Reason I say so is that the full path to my slapd.conf is very long:

/usr/local/openldap/etc/openldap/

Which is ok, but I really don't like it.
Another thing. I currently have to use the full path to stop and start LDAP. I would prefer to use init scripts to stop and start so I can get a visually ok or failed when I stop and start.

Lastly, in the HOW-TO, they reference that the slapd.conf file should be in /etc/openldap. Not so in my case, mine is in the path listed above.

At this point, I was able to make some basic entries, do some searches and contact the LDAP server with a Eudora client, remotely.

At this point, I almost feel like I should completely start over, and clean up my Linux server so I will not have any "left overs", so to speak. I will discuss that later.

Right now though, I can connect to the LDAP server from my workstation using Eudora and perform some basic queries to find information.

However, if I try to use the tool(s) I listed above, I cannot seem to connect. For instance, I get a 'Protocol error' when I try and connect to the server with both tools: One is a local client (directory administrator) the other is a remote client (LDAP Administrator).

In answer to your questions, I did set up a rootdn account with a basic name and password. I am still testing and feeling my way around.

Also, where would I find some of the connection logs for LDAP? /var/messages?

Let me know what I can post and I will do so.

Thanks.

Tarballed

tarballed 03-17-2003 04:30 PM

One last thing:

Let's say that I wanted to start all over with installing LDAP.

What would be the best way to clean out any residue off my Linux box without performing a clean install of the OS and reinstalling the software?

Any thoughts? I may do this eventually, but for the time being, I would like to continue to test and fix issues, then do a complete reinstall, nice and fresh like.

Thanks.

Tarballed

tarballed 03-17-2003 06:32 PM

Ok. I figured out what the problem was with LDAP Administrator. Now I am able to connect remotely to the LDAP server. That is good.

But, for some reason, I cannot connect locally with the Directory Administrator application.

For some reason, it is giving me a protocol error when I try and connect.

I have tried putting in the IP address, using localhost; I'm lost at this point.
Any suggestions?

Tarballed

turnip 03-17-2003 07:29 PM

Directory Administrator might be trying to use SASL authentication instead of plain text, it's been a while since I used that tool. Maybe check the properties and see what it's trying to use for login authentication.

IMHO where you install LDAP to is of no matter. be it
in /etc/openldap or in /usr/local/somepathverydeep/openldap
It's all the same in the end.

As far as an init script, you could always write one =)

For user authentication you are going to also need to go to www.padl.com and get the migration scripts and pam_ldap.

www.openldap.org has a pretty good faq system with a lot of information on what you are trying to do.
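
The "Protocol error" being chased above has a precise meaning on the wire: it is LDAP result code 2, protocolError, which the server returns in the BindResponse before it looks at any credential. RFC 4511 requires that answer when the client asks for a protocol version the server does not support, and OpenLDAP 2.1 onward refuse LDAPv2 binds that way unless slapd.conf contains "allow bind_v2", so a client whose connection settings select version 2 fails exactly like this even with a correct rootdn and password. A client insisting on a SASL mechanism the server lacks gets a different code, authMethodNotSupported (7). What follows is an added example, not code from the thread or from OpenLDAP: a toy BER encoder/decoder for the bind exchange plus a server-side version gate modelled on that rule, so the two failures can be reproduced and told apart offline. The DNs, the DIGEST-MD5 mechanism name and the allow_v2/sasl_mechs parameters are placeholders.

```python
"""Toy model of the LDAP bind exchange at the wire level (RFC 4511 BER encoding).
Added example for this thread, not OpenLDAP code: serve_bind() imitates the
version/mechanism check a v3-only slapd performs, it does not talk to a real server.
"""

TAG_SEQ, TAG_INT, TAG_OCTET, TAG_ENUM = 0x30, 0x02, 0x04, 0x0A
TAG_BIND_REQ, TAG_BIND_RESP = 0x60, 0x61      # [APPLICATION 0] / [APPLICATION 1]
TAG_AUTH_SIMPLE, TAG_AUTH_SASL = 0x80, 0xA3   # authentication CHOICE: [0] / [3]
SUCCESS, PROTOCOL_ERROR, AUTH_METHOD_NOT_SUPPORTED, SASL_BIND_IN_PROGRESS = 0, 2, 7, 14


def ber_len(n):
    """BER length: one byte below 128, otherwise 0x80|count followed by the bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + ber_len(len(body)) + body


def ber_int(tag, value):
    """Two's-complement integer in shortest form (non-negative values only here)."""
    return tlv(tag, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))


def read_tlv(buf, pos=0):
    """Decode the TLV at buf[pos]; returns (tag, body, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: count of length bytes
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return tag, buf[pos:pos + length], pos + length


def bind_request(msg_id, version, dn, password="", sasl_mech=None):
    """LDAPMessage { messageID, BindRequest { version, name, authentication } }."""
    if sasl_mech is None:
        auth = tlv(TAG_AUTH_SIMPLE, password.encode())   # simple bind: password in clear
    else:
        auth = tlv(TAG_AUTH_SASL, tlv(TAG_OCTET, sasl_mech.encode()))
    req = ber_int(TAG_INT, version) + tlv(TAG_OCTET, dn.encode()) + auth
    return tlv(TAG_SEQ, ber_int(TAG_INT, msg_id) + tlv(TAG_BIND_REQ, req))


def parse_bind_request(packet):
    tag, msg, _ = read_tlv(packet)
    if tag != TAG_SEQ:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = read_tlv(msg)
    tag, req, _ = read_tlv(msg, pos)
    if tag != TAG_BIND_REQ:
        raise ValueError("not a BindRequest")
    _, ver, pos = read_tlv(req)
    _, dn, pos = read_tlv(req, pos)
    auth_tag, auth, _ = read_tlv(req, pos)
    mech = read_tlv(auth)[1].decode() if auth_tag == TAG_AUTH_SASL else None
    return {"msg_id": int.from_bytes(mid, "big"), "version": int.from_bytes(ver, "big"),
            "dn": dn.decode(), "mech": mech}


def bind_response(msg_id, code, diagnostic=""):
    """LDAPMessage { messageID, BindResponse { resultCode, matchedDN, diagnosticMessage } }."""
    result = ber_int(TAG_ENUM, code) + tlv(TAG_OCTET, b"") + tlv(TAG_OCTET, diagnostic.encode())
    return tlv(TAG_SEQ, ber_int(TAG_INT, msg_id) + tlv(TAG_BIND_RESP, result))


def parse_bind_response(packet):
    """Returns (resultCode, diagnosticMessage)."""
    _, msg, _ = read_tlv(packet)
    _, _, pos = read_tlv(msg)
    _, resp, _ = read_tlv(msg, pos)
    _, code, pos = read_tlv(resp)
    _, _, pos = read_tlv(resp, pos)        # matchedDN, unused here
    _, diag, _ = read_tlv(resp, pos)
    return int.from_bytes(code, "big"), diag.decode()


def serve_bind(packet, allow_v2=False, sasl_mechs=()):
    """Gate a v3 server applies before checking any credential.  allow_v2 plays
    the role of slapd.conf's "allow bind_v2"; sasl_mechs the mechanisms it offers."""
    req = parse_bind_request(packet)
    if req["version"] == 2 and not allow_v2:
        return bind_response(req["msg_id"], PROTOCOL_ERROR,
                             "historical protocol version requested, use LDAPv3 instead")
    if req["version"] not in (2, 3):
        return bind_response(req["msg_id"], PROTOCOL_ERROR, "unsupported protocol version")
    if req["mech"] is not None:
        if req["mech"] not in sasl_mechs:
            return bind_response(req["msg_id"], AUTH_METHOD_NOT_SUPPORTED, "mechanism not offered")
        return bind_response(req["msg_id"], SASL_BIND_IN_PROGRESS)   # challenge would follow
    return bind_response(req["msg_id"], SUCCESS)   # toy: password not checked


if __name__ == "__main__":
    for version, allow in ((2, False), (2, True), (3, False)):
        pkt = bind_request(1, version, "cn=Manager,dc=example,dc=com", "secret")
        code, diag = parse_bind_response(serve_bind(pkt, allow_v2=allow))
        print("LDAPv%d bind, allow_v2=%s: resultCode=%d %s" % (version, allow, code, diag))
```

Against the real server, the OpenLDAP command-line tools settle the question quickly: ldapsearch -x -P 2 -H ldap://localhost -b '' -s base forces an LDAPv2 simple bind and should fail with "Protocol error" on a default 2.1 build, while the same command with -P 3 succeeds; dropping -x makes the tools attempt SASL instead, which is the other failure mode turnip mentions. Reading the root DSE attribute supportedSASLMechanisms with ldapsearch -x -b '' -s base supportedSASLMechanisms shows what the server will accept.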

tarballed 03-18-2003 09:43 AM

As far as an init script, you could always write one

Yes, I would very much like to write one, however I don't know how. :)

I am learning though. Any idea on where I might be able to find some documentation on how to write the script?

Thanks turnip. I appreciate your help.

Tarballed

turnip 03-18-2003 09:53 AM

Code:


#!/bin/sh
# Minimal start/stop script for a source-built slapd.  Adjust SLAPD to the
# real binary (the source install discussed above puts it under libexec/).
SLAPD=/usr/local/openldap/libexec/slapd
# slapd writes this file only if slapd.conf contains "pidfile /var/run/slapd.pid".
PIDFILE=/var/run/slapd.pid

case "$1" in
start)
        [ -x "$SLAPD" ] || { echo "$SLAPD: not found or not executable" >&2; exit 1; }
        # slapd detaches into the background by itself, no extra flag needed
        "$SLAPD" > /dev/null && echo -n ' Starting LDAP'
        ;;
stop)
        [ -r "$PIDFILE" ] || { echo "no pid file at $PIDFILE, is slapd running?" >&2; exit 1; }
        # signal only the daemon we started, not every process named slapd
        kill "`cat $PIDFILE`" && echo -n ' Killing LDAP'
        ;;
*)
        echo "Usage: `basename $0` {start|stop}" >&2
        exit 1
        ;;
esac

exit 0


You might need to adjust the paths a bit to get it to work but that should get you going.

tarballed 03-18-2003 04:48 PM

Ok. I seem to be making some progress now with LDAP.

My next step is to setup our users to authenticate with LDAP.

I am a little confused on how to setup users to authenticate against the LDAP server.

We plan to setup our users to authenticate against the server in order to access data on the particular server.

Anyone have any recommendations or experiences that would like to share? I feel this task may be daunting. :)

Tarballed

tarballed 03-18-2003 05:57 PM

Hmm, as I sit here and research LDAP and authentication, I came across something.

The LDAP will be running on a Red Hat 8.0 server.
My clients are currently all using Windows Desktop computers because the software they use will only run under Windows.

Now, with that in mind, is it even possible to setup the users to be able to authenticate against the LDAP server since they are on Windows computers? Is there something different I need to configure?

Thanks for everyone's help.

Tarballed

turnip 03-18-2003 09:18 PM

Being that they are all on Windows you have quite a large task ahead of you.

You first need to configure samba to act as a domain controller/logon server. You also need to set up samba to get all of the account information from LDAP. You need to pass this option to samba at compile time (sounds like a reinstall of samba from source for you).

You then need to install pam_ldap from www.padl.com.
Next is adding all of the Computer/Domain accounts for the users and the computers they use.

There is a script that comes with the samba source that will add the samba user as well as a system user at the same time. You will need to use this to add your users from now on.

If you want users to be able to change their password, then you have more scripts to set up.

How many workstations is this for? I assume this is a work thing?

You can make a logon server without using LDAP, which will make things easier for you.

Is there a specific reason you want to use LDAP here? If so you might want to check the samba mailing lists, I'm not sure LDAP/Samba is ready for production use.

You also need to setup NSCD to answer all the requests for the getpw*(), getsh*() and getgr*() system calls.

This is a very involved task, I've done all this before. It is almost more trouble than it's worth in the end.

I'll see if I can dig up some links for you in a bit, dinner is almost ready =)

<edit>

link for you to read over:

http://de.samba.org/samba/ftp/docs/h...DAP-HOWTO.html
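
For the PAM/NSS side of the procedure turnip lists (pam_ldap, nss_ldap, nscd), here is a constructed set of client-side fragments, added as an example and not taken from the thread or from PADL's documentation. The host name, base DN, CA file path and the Red Hat 8 PAM file layout are assumptions; the Samba domain-controller part is covered by the HOWTO linked above and is not shown:

```conf
# /etc/ldap.conf -- read by both pam_ldap and nss_ldap (constructed example)
host            ldap.example.com
base            dc=example,dc=com
ldap_version    3
# A simple bind sends the password in clear, and nss_ldap opens connections
# from every workstation that resolves a user, so require TLS and check the
# server certificate against a CA you control.
ssl             start_tls
tls_checkpeer   yes
tls_cacertfile  /etc/ssl/certs/ldap-ca.pem
# No binddn/bindpw here: NSS needs this file readable by every process, so
# any credential written into it is readable by every local user.
# Password changes go through the password-modify extended operation, so
# slapd hashes the new value instead of the client storing it.
pam_password    exop
nss_base_passwd ou=People,dc=example,dc=com?one
nss_base_group  ou=Group,dc=example,dc=com?one

# /etc/nsswitch.conf -- local files first, then the directory
passwd:         files ldap
shadow:         files ldap
group:          files ldap

# /etc/pam.d/system-auth (Red Hat 8 layout) -- the lines that add pam_ldap,
# each placed after the matching pam_unix.so line that is already there
auth            sufficient      /lib/security/pam_ldap.so use_first_pass
account         sufficient      /lib/security/pam_ldap.so
password        sufficient      /lib/security/pam_ldap.so use_authtok
session         optional        /lib/security/pam_ldap.so
```

nscd only caches the getpw*/getgr* answers; it does not replace nss_ldap, and a stale cache is the usual reason a freshly added user "does not exist" on a client. Test with a second root shell already open: a mistake in the PAM stack locks every new login out, including yours.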


