Linux - Software (LinuxQuestions.org)
Ok, I will get right to the point.
I have been assigned a project that includes setting up all our users on an LDAP server. I have been reading up on all sorts of documentation.
What I want to know is, for the people out there who have installed LDAP: did you compile it from source from, let's say, www.openldap.org, or did you use an RPM package of some sort?
The reason I ask is that, as I am learning here, which version you use decides where the config files go. For instance, if you use RPMs, the slapd.conf file will be installed into /etc/openldap.
If you use the source and compile according to the guide at www.openldap.org, by default it installs into /usr/local/openldap.
Now, if you use RPMs, you can stop and start using init scripts. If you use the source, you stop and start with the /usr/local/openldap/libexec/slapd command.
First, is there a difference? Is one better than the other?
Secondly, I wanted to use some tools to help along the way with setting this up. I came across two tools that look promising:
I have set up Directory Administrator on the server that will be used as the LDAP server. For some reason, I cannot connect to the LDAP server. I get a protocol error. I checked everything.
The other one was something I found but have not really played with yet.
So, if anyone out there has some suggestions here, I could really use some advice on where to continue to go with this project.
The benefit of using the source is that you can configure it for specific tasks. I haven't used the RPM but wouldn't be against using it.
If you post your slapd.conf file, maybe we can help. Also, post the command you are using to connect and add records.
I really haven't used any tools, but I can see how these would come in handy. I will check out those links. Currently, I just create an LDIF file and enter the data there.
By the way, how do you plan to use LDAP? Is it for authentication, or just to keep a list of staff and staff info? That will make a big difference.
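An added example, not part of the reply above or of the thread: the reply creates LDIF by hand, so here is a shell script that generates posixAccount LDIF from passwd(5)/shadow(5)-format files, roughly what the padl.com migration scripts produce. The suffix dc=example,dc=com, the ou=People container and the minimum uid are assumptions; the sample passwd and shadow lines are constructed for the example, not real accounts. Locked accounts (hash beginning with ! or *) deliberately get no userPassword, so they cannot bind once the directory is authoritative.

```shell
#!/bin/sh
# Added example: generate posixAccount LDIF from passwd(5)/shadow(5)
# files, roughly what the padl.com migration scripts do, so accounts can
# be loaded with ldapadd instead of typed into an LDIF file by hand.
# BASE, PEOPLE_OU and MIN_UID are assumptions for this example.
BASE="dc=example,dc=com"          # must match the suffix in slapd.conf
PEOPLE_OU="ou=People,$BASE"       # container the user entries go under
MIN_UID=500                       # skip system accounts below this uid

# passwd_to_ldif PASSWD [SHADOW]: write one LDIF entry per account with
# uid >= MIN_UID. Password hashes come from SHADOW as {crypt} values;
# locked accounts (hash starting with ! or *) get no userPassword at all.
passwd_to_ldif() {
    awk -F: -v ou="$PEOPLE_OU" -v minuid="$MIN_UID" -v shadow="${2:-/dev/null}" '
    BEGIN {
        # slurp shadow first: login -> hash, login -> last change (days)
        while ((getline line < shadow) > 0) {
            n = split(line, f, ":")
            if (n >= 3) { hash[f[1]] = f[2]; lastchg[f[1]] = f[3] }
        }
        close(shadow)
    }
    NF >= 7 && $3 ~ /^[0-9]+$/ && $3 + 0 >= minuid + 0 {
        cn = ($5 != "") ? $5 : $1
        sub(/,.*$/, "", cn)                 # keep the full name, drop office/phone
        print "dn: uid=" $1 "," ou
        print "objectClass: top"
        print "objectClass: account"
        print "objectClass: posixAccount"
        print "objectClass: shadowAccount"
        print "uid: " $1
        print "cn: " cn
        print "uidNumber: " $3
        print "gidNumber: " $4
        print "homeDirectory: " $6
        print "loginShell: " ($7 != "" ? $7 : "/bin/sh")
        if ($5 != "") print "gecos: " $5
        if (($1 in hash) && hash[$1] != "" && hash[$1] !~ /^[!*]/)
            print "userPassword: {crypt}" hash[$1]
        if (($1 in lastchg) && lastchg[$1] ~ /^[0-9]+$/)
            print "shadowLastChange: " lastchg[$1]
        print ""
    }' "$1"
}

# Constructed sample input (not real accounts): a system user that must be
# skipped, a normal user with a crypt(3) MD5 hash, and a locked account.
sample_passwd() {
    cat <<'EOF'
daemon:x:2:2:daemon:/sbin:/sbin/nologin
jdoe:x:501:501:Jane Doe,Room 12,555-0100:/home/jdoe:/bin/bash
bsmith:x:502:502:Bob Smith:/home/bsmith:/bin/bash
EOF
}
sample_shadow() {
    cat <<'EOF'
daemon:*:11756:0:99999:7:::
jdoe:$1$abcdefgh$0123456789abcdefghijkl:12000:0:99999:7:::
bsmith:!$1$ijklmnop$abcdefghijklmnopqrstuv:12000:0:99999:7:::
EOF
}

# demo_ldif: run the converter on the sample files and print the LDIF.
# Real output is loaded with:  ldapadd -x -D "cn=Manager,$BASE" -W -f users.ldif
demo_ldif() {
    tmp=$(mktemp -d) || return 1
    sample_passwd > "$tmp/passwd"
    sample_shadow > "$tmp/shadow"
    passwd_to_ldif "$tmp/passwd" "$tmp/shadow"
    rm -rf "$tmp"
}

if [ $# -ge 1 ]; then
    passwd_to_ldif "$1" "${2:-/dev/null}"     # e.g. sh mkldif.sh /etc/passwd /etc/shadow
else
    demo_ldif                                 # no arguments: convert the sample
fi
```

The entries use the account, posixAccount and shadowAccount classes from nis.schema, which is what pam_ldap and nss_ldap look for; if you later want mail or phone attributes you would switch to inetOrgPerson, which requires inetorgperson.schema in slapd.conf.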
Let me start out with my intentions for using LDAP. We would like to setup our LDAP server to be used as authentication server. This project was given to me and I do not think my manager realizes just how long this may take. I have been plugging away at it, but it really is quite in depth and requires a lot of time and patience.
This is what I did:
I just happened to be going to www.devshed.com and noticed they had a two-part series on LDAP. I basically read both articles and followed their instructions to a 'T'.
It seems kind of odd, though, when I compare their instructions to what is going on with my machine. The reason I say so is that the full path to my slapd.conf is very long:
/usr/local/openldap/etc/openldap/
Which is OK, but I really don't like it.
Another thing: I currently have to use the full path to stop and start LDAP. I would prefer to use init scripts to stop and start so I get a visual OK or FAILED when I stop and start.
Lastly, in the HOW-TO, they reference that the slapd.conf file should be in /etc/openldap. Not so in my case, mine is in the path listed above.
At this point, I was able to make some basic entries, do some searches and contact the LDAP server with a Eudora client, remotely.
At this point, I almost feel like I should completely start over and clean up my Linux server so I will not have any "leftovers", so to speak. I will discuss that later.
Right now though, I can connect to the LDAP server from my workstation using Eudora and perform some basic queries to find information.
However, if I try to use the tool(s) I listed above, I cannot seem to connect. For instance, I get a 'Protocol error' when I try to connect to the server with both tools: one is a local client (Directory Administrator), the other is a remote client (LDAP Administrator).
In answer to your questions, I did setup a rootdn account with a basic name and password. I am still testing and feeling my way around.
Also, where would I find some of the connection logs for LDAP? /var/messages?
Let's say that I wanted to start all over with installing LDAP.
What would be the best way to clean any residue off my Linux box without performing a clean install of the OS and reinstalling the software?
Any thoughts? I may do this eventually, but for the time being, I would like to continue to test and fix issues, then do a complete reinstall, nice and fresh like.
Directory Administrator might be trying to use SASL authentication instead of plain text; it's been a while since I used that tool. Maybe check the properties and see what it's trying to use for login authentication.
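An added example, not part of the reply above: the quickest way to check what the reply suggests is to reproduce the GUI client's bind from the command line with ldapsearch. `-x` forces a simple bind, leaving it out makes the OpenLDAP tools attempt a SASL bind, and `-P` picks the protocol version. One source of protocolError worth knowing about when chasing this: OpenLDAP 2.1 and later slapd refuses LDAPv2 bind requests unless slapd.conf contains `allow bind_v2`, so a client still configured for LDAPv2 gets exactly that error while an LDAPv3 client works. The URI, rootdn and suffix below are assumptions, and the script is mine, not from any of the tools named in the thread.

```shell
#!/bin/sh
# Added example: reproduce a GUI client's bind from the command line so a
# "Protocol error" can be pinned on the bind type (simple vs SASL) or on
# the protocol version (LDAPv2 vs v3). URI, ROOTDN and BASE are assumptions.
URI="ldap://localhost"
ROOTDN="cn=Manager,dc=example,dc=com"
BASE="dc=example,dc=com"

# ldap_rc_name CODE: ldapsearch exits with the LDAP result code; name the
# ones that matter while debugging a bind.
ldap_rc_name() {
    case "$1" in
        0)   echo success ;;
        2)   echo protocolError ;;            # e.g. LDAPv2 bind refused by slapd
        7)   echo authMethodNotSupported ;;   # server rejects the requested bind method
        48)  echo inappropriateAuthentication ;;
        49)  echo invalidCredentials ;;       # wrong rootpw, or -D does not match rootdn
        53)  echo unwillingToPerform ;;
        255) echo cantContactServer ;;        # library -1: nothing listening, firewall
        *)   echo "other($1)" ;;
    esac
}

# probe LABEL [ldapsearch options]: one base-scope search of the suffix
# requesting no attributes (1.1); only the bind outcome is of interest.
probe() {
    label=$1; shift
    ldapsearch -H "$URI" -b "$BASE" -s base "$@" '(objectClass=*)' 1.1 >/dev/null 2>&1
    rc=$?
    printf '%-22s exit %3d  %s\n' "$label" "$rc" "$(ldap_rc_name "$rc")"
    return "$rc"
}

# run_probes: the combinations a GUI client could be using. Each line maps
# to a setting in the client's connection properties.
run_probes() {
    probe "simple anon v3"   -x -P 3                   # baseline, no credentials needed
    probe "simple anon v2"   -x -P 2                   # protocolError here: slapd wants "allow bind_v2"
    probe "simple rootdn v3" -x -P 3 -D "$ROOTDN" -W   # prompts for the rootpw
    probe "sasl default"     -P 3                      # what ldapsearch does without -x
    return 0
}

if [ "${1:-}" = run ]; then
    run_probes          # usage: sh ldapprobe.sh run
fi
```

Read the four lines together: if only the v2 probe fails with protocolError, the GUI client is talking LDAPv2; if the SASL probe is the odd one out, the client is set to SASL against a server with no mechanisms, and switching it to a simple bind is the fix. Adding `-d 1` to a failing probe prints the library's trace of the exchange.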
IMHO, where you install LDAP is of no matter, be it in /etc/openldap or in /usr/local/somepathverydeep/openldap. It's all the same in the end.
As far as an init script, you could always write one =)
For user authentication you are also going to need to go to www.padl.com and get the migration scripts and pam_ldap.
www.openldap.org has a pretty good FAQ system with a lot of information on what you are trying to do.
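An added example, not part of the reply above: the reply says you could always write an init script, so here is one in the Red Hat style for a slapd built under /usr/local/openldap, the layout from the earlier posts, that prints the OK/FAILED column asked about. The RPM's script gets that column by sourcing /etc/rc.d/init.d/functions; this one is self-contained so it runs anywhere. It reads the `pidfile` directive out of slapd.conf because slapd only writes a pidfile where that directive points, and refuses to start without one rather than guessing. Paths, and the listener in SLAPD_OPTS, are assumptions to match to your build.

```shell
#!/bin/sh
#
# slapd        Start/stop a source-built OpenLDAP slapd
#
# chkconfig: 345 27 73
# description: OpenLDAP stand-alone directory server
#
# Added example: a Red Hat-style init script for a slapd compiled under
# /usr/local/openldap, printing OK/FAILED like the RPM's script does.
# Install as /etc/rc.d/init.d/slapd; the paths below are assumptions.
PREFIX=/usr/local/openldap
SLAPD=$PREFIX/libexec/slapd
CONF=$PREFIX/etc/openldap/slapd.conf
SLAPD_OPTS="-h ldap:///"          # plain LDAP on port 389 only

# pidfile_from_conf CONF: slapd records its pid only where the "pidfile"
# directive points, so read the directive rather than guessing a path.
# Prints nothing when the directive is missing.
pidfile_from_conf() {
    awk '$1 == "pidfile" { print $2; exit }' "$1" 2>/dev/null
}

# slapd_pid PIDFILE: print the pid if that process is alive; return 1 for
# a missing, stale or garbage pidfile.
slapd_pid() {
    [ -r "$1" ] || return 1
    pid=$(head -n 1 "$1" | tr -dc '0-9')
    [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null || return 1
    echo "$pid"
}

# report STATUS MESSAGE: the [  OK  ] / [FAILED] column
report() {
    if [ "$1" -eq 0 ]; then printf '%-60s[  OK  ]\n' "$2"
    else                    printf '%-60s[FAILED]\n' "$2"; fi
    return "$1"
}

start() {
    pidfile=$(pidfile_from_conf "$CONF")
    if [ -z "$pidfile" ]; then
        report 1 "Starting slapd: add 'pidfile $PREFIX/var/slapd.pid' to $CONF"; return 1
    fi
    if pid=$(slapd_pid "$pidfile"); then
        report 0 "slapd already running (pid $pid)"; return 0
    fi
    if [ ! -x "$SLAPD" ] || [ ! -r "$CONF" ]; then
        report 1 "Starting slapd: $SLAPD or $CONF not usable"; return 1
    fi
    "$SLAPD" -f "$CONF" $SLAPD_OPTS
    rc=$?
    # slapd daemonizes and writes the pidfile shortly after; confirm it did
    [ "$rc" -eq 0 ] && sleep 1 && slapd_pid "$pidfile" >/dev/null || rc=1
    report "$rc" "Starting slapd"
}

stop() {
    pidfile=$(pidfile_from_conf "$CONF")
    pid=$(slapd_pid "$pidfile") || { report 1 "Stopping slapd: not running"; return 1; }
    kill -TERM "$pid"
    i=0                               # allow up to 10s for the databases to flush
    while kill -0 "$pid" 2>/dev/null && [ "$i" -lt 10 ]; do sleep 1; i=$((i + 1)); done
    if kill -0 "$pid" 2>/dev/null; then rc=1; else rc=0; rm -f "$pidfile"; fi
    report "$rc" "Stopping slapd"
}

# status: LSB exit codes, 0 running, 1 dead with stale pidfile, 3 stopped
status() {
    pidfile=$(pidfile_from_conf "$CONF")
    if pid=$(slapd_pid "$pidfile"); then echo "slapd (pid $pid) is running..."; return 0
    elif [ -n "$pidfile" ] && [ -f "$pidfile" ]; then echo "slapd dead but pid file exists"; return 1
    else echo "slapd is stopped"; return 3
    fi
}

case "${1:-}" in
    start)   start ;;
    stop)    stop ;;
    restart) stop; start ;;
    status)  status ;;
    "")      ;;                       # no argument: just define the functions
    *)       echo "Usage: $0 {start|stop|restart|status}"; exit 2 ;;
esac
```

After copying it to /etc/rc.d/init.d/slapd and `chmod 755`, `chkconfig --add slapd` reads the chkconfig header and creates the runlevel links, so `service slapd start` and a reboot both bring the directory up.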
Hmm, as I sit here and research LDAP and authentication, I came across something.
LDAP will be running on a Red Hat 8.0 server.
My clients are currently all using Windows desktop computers because the software they use will only run under Windows.
Now, with that in mind, is it even possible to set up the users to be able to authenticate against the LDAP server since they are on Windows computers? Is there something different I need to configure?
Being that they are all on Windows, you have quite a large task ahead of you.
You first need to configure Samba to act as a domain controller/logon server. You also need to set up Samba to get all of the account information from LDAP. You need to pass this option to Samba at compile time (sounds like a reinstall of Samba from source for you).
You then need to install pam_ldap from www.padl.com.
Next is adding all of the Computer/Domain accounts for the users and the computers they use.
There is a script that comes with the samba source that will add the samba user as well as a system user at the same time. You will need to use this to add your users from now on.
If you want users to be able to change their password, then you have more scripts to set up.
How many workstations is this for? I assume this is a work thing?
You can make a logon server without using LDAP, which will make things easier for you.
Is there a specific reason you want to use LDAP here? If so, you might want to check the Samba mailing lists; I'm not sure LDAP/Samba is ready for production use.
You also need to set up NSCD to answer all the requests for the getpw*(), getsh*() and getgr*() system calls.
This is a very involved task, I've done all this before. It is almost more trouble than it's worth in the end.
I'll see if I can dig up some links for you in a bit, dinner is almost ready =)