Setting up LDAP on RHEL4 with Webmin

AoiShikaku · 07-29-2008, 02:18 PM

Mkay so I'll try to speed this up and still be informative as possible so to avoid any questions later on.

OS: RedHat Enterprise Lunix 4 (RHEL4)
- Installed Webmin
- Installed OpenLDAP stuff through Webmin (client, server, user and group settings, etc.)
- Installed OpenLDAP stuff from RPM on RHEL4 disc (I did remove the ones from Webmin before doing so)
- Using some stock settings to set it up (ex= cn=Manager,dc=example,dc=com)

In short - just want create a user account with details then have the computer-name automatically added/resolved when connecting onto the domain.

I'm new to LDAP and its configuration. So I might be replying on more issues later on if I can't find a resource on the net.

Any answers with Webmin would be a bonus for me =D

THE ISSUE
got the LDAP Server configured (so I think) and when I try to start it (through webmin or terminal "service ldap start") I get these errors

Through terminal:

Quote:

[root@redhatbox5 openldap]# service ldap start
Checking configuration files for : config file testing succeeded
Starting slapd: [FAILED]
[root@redhatbox5 openldap]#

Through Webmin

Quote:

Failed to start LDAP server : /usr/sbin/slapd failed :

"slapd -d -1" output

Quote:

[root@redhatbox5 /]# slapd -d -1
@(#) $OpenLDAP: slapd 2.2.13 (Aug 19 2004 21:22:15) $
root@porky.build.redhat.com:/usr/src/build/440386-i386/BUILD/openldap-2.2.13/openldap-2.2.13/build-servers/servers/slapd
daemon_init: <null>
daemon_init: listen on ldap:///
daemon_init: 1 listeners to open...
ldap_url_parse_ext(ldap:///)
daemon: bind(6) failed errno=98 (Address already in use)
daemon: bind(6) failed errno=98 (Address already in use)
slap_open_listener: failed on ldap:///
slapd stopped.
connections_destroy: nothing to destroy.

Here is what my slap.conf looks like

Quote:

# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema

# Allow LDAPv2 client connections. This is NOT the default.
allow bind_anon_dn

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args

# Load dynamic backend modules:
# modulepath /usr/sbin/openldap
# moduleload back_bdb.la
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la

# The next three lines allow use of TLS for encrypting connections using a
# dummy test certificate which you can generate by changing to
# /usr/share/ssl/certs, running "make slapd.pem", and fixing permissions on
# slapd.pem so that the ldap user or group can read it. Your client software
# may balk at self-signed certificates, however.
# TLSCACertificateFile /usr/share/ssl/certs/ca-bundle.crt
# TLSCertificateFile /usr/share/ssl/certs/slapd.pem
# TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem

# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema

# Allow LDAPv2 client connections. This is NOT the default.
allow bind_anon_dn

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args

# Load dynamic backend modules:
# modulepath /usr/sbin/openldap
# moduleload back_bdb.la
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la

# The next three lines allow use of TLS for encrypting connections using a
# dummy test certificate which you can generate by changing to
# /usr/share/ssl/certs, running "make slapd.pem", and fixing permissions on
# slapd.pem so that the ldap user or group can read it. Your client software
# may balk at self-signed certificates, however.
# TLSCACertificateFile /usr/share/ssl/certs/ca-bundle.crt
# TLSCertificateFile /usr/share/ssl/certs/slapd.pem
# TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem

# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# ldbm and/or bdb database definitions
#######################################################################

database bdb
suffix dc=example,dc=com
rootdn cn=Manager,dc=example,dc=com
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw secret
# rootpw {crypt}ijFYNcSNctBYg

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap

# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub

# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
# bindmethod=sasl saslmech=GSSAPI
# authcId=host/ldap-master.example.com@EXAMPLE.COM
rootpw {crypt}52VNMTtThnWumSsTR0SHFY

blacky_5251 · 07-29-2008, 11:35 PM

I get the same error if I try to use the slapd -d -1 command when ldap is already running. The error output is identical.

It looks to me like you already have ldap running, or you have other processes running on the ldap ports.

Try "service ldap status" to see if ldap is running or not. Perhaps "service ldap restart" might be useful too.

Ian

billymayday · 07-30-2008, 12:19 AM

or

ps aux | grep slap

AoiShikaku · 07-30-2008, 09:51 AM

Man, I've been stuck on that error for a long time. Thanks for the replies =D

I stopped the service and started the service through webmin and I finally got past that problem, but....

NEW PROBLEM:
Under trees I want to create a new DN with a dummy user account using Webmin. When I am done with what I want it to do I click on create and receive this error:

Quote:

Failed to create new tree : No user to login as has been configured

When I try to browse the database I get this error:

Quote:

The LDAP browser cannot be used : No user to login as has been configured

Under the Schemas tab I have Core, Consine, OpenLDAP, Inetorgperson, and NIS running

I tried to setup the LDAP users and groups, but I wasn't able to create a new user or a new group. (no existing ones there also)

My LDAP client is still on the same computer and I'm still trying to get that setup to talk to the LDAP server.

I dont know what I am missing here or what I should do. Can someone please point me in the correct direction. Such a pain troubleshooting something when you dont know where you are =p

MartyHeyman · 07-30-2008, 12:44 PM

We noticed that the version of OpenLDAP provided by the Red Hat release you are using is 2.2. OpenLDAP 2.4 is now available and OpenLDAP 2.3 is the most common production level. We would highly recommend you upgrade to either of those substantially improved and more capable releases. The easy way to do it is to install Symas OpenLDAP which is a binary package (RPMs available) including OpenLDAP, BDB, OpenSSL, and Cyrus SASL at coordinated patch levels. The package is tested as a unit and installs without interfering with other copies of libraries on your systems. Free downloads are available as is commercial support. See us at www dot symas dot com.

billymayday · 07-30-2008, 03:36 PM

Why don't you try migrating existing users across to make sure your basic setup is working. It may well be the data you are trying to insert is incorrect. See http://www.linuxhomenetworking.com/w...DAP_and_RADIUS as a good example howto (and yes, it works).

Also, I gave up on webmin ages ago, but there are some good ldap utilities like phpldapadmin and ldapam (account manager) that are specifically designed for ldap

blacky_5251 · 07-31-2008, 04:01 PM

I second the suggestion to use something other than Webmin. I like Webmin for many reasons, but LDAP isn't one of them. I now use phpldapadmin to manage my LDAP system.

webman · 12-15-2008, 01:31 AM

Witch type of the webmin can i install,my sysytem is still rhel4,thanks.
Where can I download?