This tutorial explains how you can set up centralised LDAP authentication for a network, covering both the setting up of the LDAP server and client. Whilst based on Fedora 13, it may also apply to other versions.
That’s right, Fedora 13, so I haven’t tested this on Fedora 19 or 20… many things have changed, but something might still be useful.
LDAP stands for Lightweight Directory Access Protocol, which is a computer protocol for querying and modifying a database-backed directory service. While Fedora ships its own LDAP-based server (389 Directory Server), we will be using the OpenLDAP implementation, with Berkeley DB (bdb) as the database backend. Data is entered into the LDAP server via plain text LDIF (LDAP Data Interchange Format) files. We will use a set of Perl scripts from the migrationtools package to create most of these for us, but we will also create a few manually for adding a new user and group.
Finally, there are probably better (and more Fedora-specific) ways to do some of these tasks. If so, please let me know!
Note: For the purposes of this how to, our domain is test.lan and our LDAP server is server.test.lan – replace this with your server details instead!
Outline
The outline of steps is as follows:
- Install required packages.
- Configure the LDAP server configuration file for our domain, test.lan (dc=test,dc=lan).
- Configure the LDAP server to use TLS encryption, using a self-signed certificate.
- Start the LDAP server and test.
- Create LDIF files of our base domain, users and groups using migration tools.
- Populate the LDAP server using LDIF files.
- Configure clients to authenticate to LDAP server over secure channel.
- Configuring password policy (contributed by Sunil Tumma).
Prerequisites
This how-to assumes you have performed a standard Fedora install, or a base install with the relevant configuration tools installed.
- Networking is configured (see below).
- DNS is working, or at least you can resolve the LDAP server’s FQDN (fully qualified domain name), i.e. server.test.lan.
- You have the (awesome) text editor vim installed (if not, substitute and edit as required).
Disable NetworkManager
First, you may wish to use standard network configuration rather than NetworkManager on the server.
If so, let’s become root, disable NetworkManager and tell it not to start automatically on boot.
[user@server ~]$ su -
[root@server ~]$ service NetworkManager stop
[root@server ~]$ chkconfig NetworkManager off
Enable standard networking
Next we enable the standard networking daemon and tell it to start automatically on boot.
[root@server ~]$ service network start
[root@server ~]$ chkconfig network on
Now you’ll need to configure networking, which you can do via the graphical tool.
[root@server ~]$ system-config-network-gui
Select eth0 (or your network device), click Edit, and set it to a static address or DHCP, whichever your network setup requires.
Finally, activate the device and close the tool.
[Image: Fedora – configure networking]
Now that your network is configured, let’s get started with LDAP!
Let’s begin!
As we need to run lots of commands on the LDAP server, it’s easier to do this as root.
If you’re not yet root, become so.
[user@server ~]$ su -
Install packages
We must install the required packages. The first is the LDAP server itself, the second is a set of Perl scripts which help us create LDIF files for populating the LDAP server.
[root@server ~]$ yum install openldap-servers migrationtools
Create admin password
There is an all-powerful root LDAP user which will populate our directory. Rather than publishing this password in cleartext within the configuration file, we want to store only a hash of it.
To do so, we run the slappasswd command, which will hash our password (salted SHA-1, marked with the {SSHA} prefix) and return the value.
[root@server ~]$ slappasswd
New password:
Re-enter new password:
{SSHA}MP0BeMJzmCoCi5olBhwcRDYJaGBFgN5K
Copy the final hashed output (i.e. {SSHA}MP0BeMJzmCoCi5olBhwcRDYJaGBFgN5K) for use in the next section.
Configuration
Previously, OpenLDAP was managed via a single configuration file (/etc/openldap/slapd.conf); however, these days the configuration for LDAP is stored inside the LDAP server itself! As such, the configuration is done by editing LDIF files under the /etc/openldap/slapd.d/ directory.
Fedora supports both methods. We can either delete the slapd.d directory and use a slapd.conf file, or go along with the new method and edit the LDIF files before starting up our LDAP server.
Config file
If you wish to use the config file (which some will find easier), then follow these instructions.
Remove the existing slapd.d directory (else Fedora will not read our configuration).
[root@server ~]$ rm -Rf /etc/openldap/slapd.d/
Create a new config file from the existing template.
[root@server ~]$ cp -a /etc/openldap/slapd.conf.bak /etc/openldap/slapd.conf
Now that we have the base files in place, we need to begin configuring the file. We need to set several options, most importantly the domain (dc=test,dc=lan), and the admin password.
First, open it.
[root@server ~]$ vim /etc/openldap/slapd.conf
If you’re using Vim, just run the following command.
:%s/dc=my-domain,dc=com/dc=test,dc=lan/g
If not, find and set the following domain values.
suffix "dc=test,dc=lan"
rootdn "cn=Manager,dc=test,dc=lan"
...
# allow only rootdn to read the monitor
access to *
by dn.exact="cn=Manager,dc=test,dc=lan" read
by * none
Next, we need to set the admin user’s password (the hash we generated earlier) and tell LDAP where to find the certificate and key for encryption (which we will create in a later step). Note that slapd.conf directives take no colon after the keyword.
rootpw {SSHA}MP0BeMJzmCoCi5olBhwcRDYJaGBFgN5K
TLSCertificateFile /etc/openldap/ssl/slapdcert.pem
TLSCertificateKeyFile /etc/openldap/ssl/slapdkey.pem
Finally, save and quit the file.
:wq
Non-config file
Here’s how to edit the LDIF files under slapd.d to store the LDAP server configuration within LDAP (cn=config) itself.
The first of two LDIF files is the base database file.
[root@server ~]$ vim /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{1\}bdb.ldif
If you’re using Vim, then just run the following.
:%s/dc=my-domain,dc=com/dc=test,dc=lan/g
Else, find and replace the following entries (both the suffix and the root DN carry the domain).
olcSuffix: dc=test,dc=lan
olcRootDN: cn=Manager,dc=test,dc=lan
Now we must set the admin password and specify the location of our encryption certificate and key (in LDIF form each attribute takes a colon).
olcRootPW: {SSHA}ccFKiy8ska8IhNwwlaNYxiBNbilWe5M1
olcTLSCertificateFile: /etc/openldap/ssl/slapdcert.pem
olcTLSCertificateKeyFile: /etc/openldap/ssl/slapdkey.pem
Open the second file, which specifies monitoring privileges.
[root@server ~]$ vim /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}monitor.ldif
Once again, use Vim to replace the required entry.
:%s/cn=manager,dc=my-domain,dc=com/cn=Manager,dc=test,dc=lan/g
Or replace it yourself.
That’s it! Now you can continue with the how-to.
Database cache
You should now have configured LDAP using either the single config file, or by specifying LDIF files. If not, see above.
Back at the terminal, copy a default DB_CONFIG file which sets cache and tuning options for the Berkeley DB backend (the database directory also needs to be writable by the ldap user).
[root@server ~]$ cp /usr/share/doc/openldap-servers-*/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@server ~]$ chown -Rf ldap:ldap /var/lib/ldap/
Test configuration
Lastly, test your configuration by running the following command and checking that it reports success:
[root@server ~]$ slaptest -u
config file testing succeeded
That’s all the initial base configuration we should need to do! Next we will configure encryption.
Encryption (LDAPS) using TLS
Because we are using LDAP for authentication across a network, we want to encrypt the traffic. We can either run LDAP on the default port 389 and upgrade each connection with StartTLS, or run LDAPS on port 636, where TLS is negotiated before any LDAP traffic is sent. We will do the latter.
We need to tell Fedora how to start the secure LDAP daemon, which is done by editing the sysconfig entry for ldap.
[root@server ~]$ vim /etc/sysconfig/ldap
Set the following:
SLAPD_LDAPS=yes
When the service is started, it will also run LDAP Secure (LDAPS).
Generate and configure keys
Now that we have told LDAP to listen on the secure port 636, we need to generate a private key and a self-signed certificate and configure the LDAP service to use them!
Fedora has a script to automate this process, but it’s easy enough to generate them manually. When prompted, fill in the information as below, but replace the Common Name with the FQDN of the LDAP server: clients verify the certificate against the host name they connect to, so a mismatch will make client authentication fail.
[root@server ~]$ mkdir /etc/openldap/ssl/
[root@server ~]$ openssl req -new -x509 -nodes -out /etc/openldap/ssl/slapdcert.pem -keyout /etc/openldap/ssl/slapdkey.pem -days 365
Generating a 2048 bit RSA private key
....................................................+++
writing new private key to '/etc/openldap/ssl/slapdkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]: AU
State or Province Name (full name) []: ACT
Locality Name (eg, city) [Default City]: Canberra
Organization Name (eg, company) [Default Company Ltd]: Company
Organizational Unit Name (eg, section) []: Section
Common Name (eg, your name or your server's hostname) []: server.test.lan
Email Address []: user@test.lan
This will create the certificate and private key in the /etc/openldap/ssl/ directory, but we need to make sure that the ldap user can read them (and nobody else can read the key).
[root@server ~]$ chown -Rf root:ldap /etc/openldap/ssl
[root@server ~]$ chmod -Rf 750 /etc/openldap/ssl
We have already told the LDAP server to use them, so once we start the server it should be good to go!
Start LDAP service
It’s time to start the LDAP service, and tell it to start on bootup.
[root@server ~]$ service slapd start
Starting slapd: [ OK ]
Test that the server came up properly and is listening on the LDAPS port.
[root@server ~]$ netstat -lt |grep ldap
tcp 0 0 *:ldap *:* LISTEN
tcp 0 0 *:ldaps *:* LISTEN
If so, tell Fedora to start the LDAP server on bootup.
[root@server ~]$ chkconfig slapd on
Test configuration
[root@server ~]$ ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: namingContexts
#
#
dn:
namingContexts: dc=test,dc=lan
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
This should return success, as above.
If all that went as planned, congratulations, you have a basic LDAP server configured! Next we need to populate this with our users and groups.
Configure base domain
We should now have a base LDAP server running, configured for our domain. However, we do not have any users (People) or groups (Group) configured! We do that in the next step, by setting up our base, authentication and group files.
This is done via a migration of the existing local Unix accounts already configured on the system, which are converted into an LDIF file for loading into LDAP. First, however, we need to create a template base.ldif file which creates the base structure of our directory (test.lan), which we will import into the LDAP database first.
[root@server ~]$ vim base.ldif
Add the following to the base.ldif file:
dn: dc=test,dc=lan
dc: test
objectClass: top
objectClass: domain

dn: ou=People,dc=test,dc=lan
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=test,dc=lan
ou: Group
objectClass: top
objectClass: organizationalUnit
Now that we have the base information for our LDAP structure, we can (hopefully!) import that information into our LDAP database (use the password you created above):
[root@server ~]$ ldapadd -x -W -D "cn=Manager,dc=test,dc=lan" -f ./base.ldif
Enter LDAP Password:
adding new entry "dc=test,dc=lan"
adding new entry "ou=People,dc=test,dc=lan"
adding new entry "ou=Group,dc=test,dc=lan"
If you saw the above, then it worked! If you get an error about authentication issues connecting to my-domain.com then it’s not reading your configuration properly, and is using the default. Stop the service and start again.
Migrate users and groups
We are now going to use the migration tools to create LDIF files for our existing users and groups, which we will import into LDAP as in the previous step.
First, tell the migration scripts which domain to use by default (we want to use test.lan instead of the default padl.com).
[root@server ~]$ vim /usr/share/migrationtools/migrate_common.ph
Set the following:
# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "test.lan";
# Default base
$DEFAULT_BASE = "dc=test,dc=lan";
Users (People)
Now, we will use the migration script to create an LDIF which we will use to populate LDAP with all our existing users (note that this will also pull in your local user account).
[root@server ~]$ /usr/share/migrationtools/migrate_passwd.pl /etc/passwd people.ldif
Once you have the file, we can import the entries into LDAP:
[root@server ~]$ ldapadd -x -W -D "cn=Manager,dc=test,dc=lan" -f people.ldif
Groups (Group)
Now, we will use the migration script to create an LDIF which we will use to populate LDAP with all our existing groups (note that this will also pull in your local user’s group).
[root@server ~]$ /usr/share/migrationtools/migrate_group.pl /etc/group group.ldif
Once you have the file, we can import the entries into LDAP:
[root@server ~]$ ldapadd -x -W -D "cn=Manager,dc=test,dc=lan" -f group.ldif
Test contents of LDAP database
Now, we have our database populated with info. It’s time to test our work. First, you can use the ldapsearch command to look for your username. You should get a successful response back, as below.
[root@server ~]$ ldapsearch -xWD "cn=Manager,dc=test,dc=lan" -b "dc=test,dc=lan" "cn=user"
# extended LDIF
#
...
# user, Group, test.lan
dn: cn=user,ou=Group,dc=test,dc=lan
objectClass: posixGroup
objectClass: top
cn: user
userPassword:: e2NyeXB0fXg=
gidNumber: 500
# search result
search: 2
result: 0 Success
...
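The migration scripts and ldapsearch both speak LDIF, so it is worth being able to read it without the server. The following is an added example, not code from the original post or from migrationtools: a small LDIF parser (handling the `::` base64 form seen in the userPassword line above, folded continuation lines and `#` comments) plus a sanity check to run over people.ldif before ldapadd. The checks (required posixAccount attributes, duplicate uidNumbers, uidNumbers below a threshold that marks system accounts, and userPassword values that are not hashed) and the sample LDIF are my own constructions; the min_uid of 500 follows the UID numbering used on the page.

```python
import base64
from collections import defaultdict
from typing import Dict, List

Entry = Dict[str, List[str]]

# Constructed sample resembling people.ldif / group.ldif output (not real data).
SAMPLE_LDIF = """\
# constructed sample, not real directory data
dn: uid=root,ou=People,dc=test,dc=lan
uid: root
cn: root
objectClass: account
objectClass: posixAccount
objectClass: top
userPassword: {crypt}$6$placeholder$placeholderhash
loginShell: /bin/bash
uidNumber: 0
gidNumber: 0
homeDirectory: /root

dn: uid=chris,ou=People,dc=test,dc=lan
uid: chris
cn: Chris
  Smart
objectClass: account
objectClass: posixAccount
objectClass: top
userPassword: {crypt}$6$placeholder$placeholderhash
loginShell: /bin/bash
uidNumber: 501
gidNumber: 501
homeDirectory: /home/chris

dn: uid=bob,ou=People,dc=test,dc=lan
uid: bob
cn: Bob Example
objectClass: account
objectClass: posixAccount
objectClass: top
userPassword: secret123
uidNumber: 501
gidNumber: 502
homeDirectory: /home/bob

dn: cn=chris,ou=Group,dc=test,dc=lan
objectClass: posixGroup
objectClass: top
cn: chris
userPassword:: e2NyeXB0fXg=
gidNumber: 501
"""

REQUIRED_POSIX = ("uid", "uidNumber", "gidNumber", "homeDirectory", "loginShell")


def parse_ldif(text: str) -> List[Entry]:
    """Parse LDIF into a list of {attribute: [values]} dicts.

    Entries are separated by blank lines; a line starting with a space
    continues the previous one; 'attr:: value' carries a base64 value.
    """
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold continuation line
        else:
            lines.append(raw)
    entries: List[Entry] = []
    current: Entry = {}
    for line in lines:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):        # '::' means base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def check_accounts(entries: List[Entry], min_uid: int = 500) -> List[str]:
    """Return human-readable problems found in posixAccount entries."""
    problems: List[str] = []
    seen: Dict[int, List[str]] = defaultdict(list)
    for e in entries:
        if "posixAccount" not in e.get("objectClass", []):
            continue
        dn = e.get("dn", ["?"])[0]
        for attr in REQUIRED_POSIX:
            if attr not in e:
                problems.append(f"{dn}: missing {attr}")
        if "uidNumber" in e:
            uid = int(e["uidNumber"][0])
            seen[uid].append(dn)
            if uid < min_uid:
                problems.append(f"{dn}: system account (uidNumber {uid} < {min_uid})")
        for pw in e.get("userPassword", []):
            if not pw.startswith("{"):   # hashed values carry a {scheme} prefix
                problems.append(f"{dn}: userPassword is not a hashed value")
    for uid, dns in seen.items():
        if len(dns) > 1:
            problems.append(f"uidNumber {uid} shared by {', '.join(dns)}")
    return problems


if __name__ == "__main__":
    for problem in check_accounts(parse_ldif(SAMPLE_LDIF)):
        print(problem)
```

Run it against the real people.ldif (read the file instead of SAMPLE_LDIF) before importing: a duplicate uidNumber means two directory users share file ownership on every client, and a cleartext userPassword is readable by anyone the ACLs allow to read the attribute.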
Adding a new user and group
To add a new user, we create an LDIF for the user account and one for the group. Then we import these into the LDAP server, as we did with the base, people and group files previously.
User
To add a user, simply create an LDIF file (like chris.ldif) with contents like so:
dn: uid=chris,ou=People,dc=test,dc=lan
uid: chris
cn: Chris Smart
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$6$XemGNmMU9f3FRFo/vt7Uld/gUcP/2N7/R.uw5SK.
shadowLastChange: 14846
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 501
gidNumber: 501
homeDirectory: /home/chris
gecos: Chris Smart
Group
Then, add the group information for this user (like chris-group.ldif):
dn: cn=chris,ou=Group,dc=test,dc=lan
objectClass: posixGroup
objectClass: top
cn: chris
userPassword: {crypt}x
gidNumber: 501
Add to LDAP
Then add these into LDAP!
[root@server ~]$ ldapadd -x -W -D "cn=Manager,dc=test,dc=lan" -f chris.ldif
Enter LDAP Password:
adding new entry "uid=chris,ou=People,dc=test,dc=lan"
[root@server ~]$ ldapadd -x -W -D "cn=Manager,dc=test,dc=lan" -f chris-group.ldif
Enter LDAP Password:
adding new entry "cn=chris,ou=Group,dc=test,dc=lan"
Now you have a new user called chris!
Client Configuration
Now that we have a server which is responding correctly, we can configure our clients to authenticate to the LDAP server.
For Fedora machines, authconfig-gtk or authconfig-tui:
[root@server ~]$ authconfig-gtk
In the tool, select and fill in the details below.
User Account Configuration
User Account Database: LDAP
LDAP Search Base DN: dc=test,dc=lan
LDAP Server: ldaps://server.test.lan
Authentication Configuration
Authentication Method: LDAP Password
[Image: LDAP Client Authentication]
Now, we need to tell Fedora where to find the CA certificate that signed the server’s certificate. Click on Download CA Certificate and pass the location of the file. Because our certificate is self-signed, this is the server certificate itself (slapdcert.pem), not the private key.
Note: If this is a local machine, you can use file://, however if it’s a remote machine, you’ll need to put the certificate on an NFS, FTP or HTTP share.
[Image: LDAP Client Authentication – location of certificate]
On the Advanced Options tab, tick Create home directories on the first login – else although users can authenticate, they won’t have a home directory when they log in!
[Image: LDAP Client Authentication – create home directories]
Hit Apply and we should now be able to log in as our users!
Test
Of course, to test this you can just log out and back in, but a quicker way (in case something’s not right) is to open a non-root terminal and switch to the new user you created (i.e. chris as above).
[user@server ~]$ su - chris
This should ask for chris’ password and if everything’s working correctly, you should be able to switch to this user.
If it fails, check your /var/log/messages to see if there are some helpful errors.
The following has been contributed by Sunil Tumma:
OpenLDAP with ppolicy
Overlays are dynamically configurable modules that provide additional functionality to OpenLDAP. The ppolicy overlay provides some useful functionalities for enforcing a password policy for the domain.
Requirement was the following
- Account should be locked out after 5 failed authentication attempts
- Password expiration on 90 days
- Minimum password length of 8
All of our desktops were authenticating to the OpenLDAP server (test.lan) which was set up on a CentOS box. We were able to achieve the 99999 days password expiration using the default shadowAccount objectClass as given below.
# test, People, test.lan
dn: uid=test,ou=People,dc=test,dc=lan
uid: test
cn: test
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQxJEMzOxxxxxxxxxx
shadowLastChange: 15140
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/test
But we couldn’t find any way to implement the password expiration and password length policies using the default OpenLDAP configuration. So I started my experiments with password policy (ppolicy) overlays. The ppolicy overlay provides enhanced password management capabilities that are applied to non-rootdn bind attempts in OpenLDAP.
Installation
The ppolicy and other overlays are included in the package openldap-servers-overlays for Redhat/CentOS servers. So we first need to install this package, assuming the OpenLDAP server and dependencies are already installed.
yum install openldap-servers-overlays
The ppolicy module file should get installed at /usr/lib64/openldap/ppolicy.la and schema file at /etc/openldap/schema/ppolicy.schema on a 64 bit CentOS/Redhat server and in the /usr/lib/openldap/ directory on a 32bit i686 server.
Server Configuration
We need to configure the ppolicy overlays now. Add the following lines to /etc/openldap/slapd.conf in the respective sections.
include /etc/openldap/schema/ppolicy.schema
modulepath /usr/lib64/openldap
moduleload ppolicy.la
This is assuming that the ppolicy overlay files are in their respective locations. The ACLs should be set such that clients bind to the OpenLDAP server by self-authentication. We should not allow anonymous or rootdn binds to the server, although the default configuration is to allow anonymous binds to the server. So I added the ACL as given below in the ACL section of slapd.conf.
#ACL
access to attrs=userPassword
by self =xw
by anonymous auth
by * none
access to *
by self write
by * read
Next we need to add the default password policy we are going to enforce on the domain. Add the following after the DB section in slapd.conf.
overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=test,dc=lan"
ppolicy_use_lockout
This should complete the configuration of slapd.conf. You should be able to restart the LDAP server without any issues now.
Importing the password policy
Create an LDIF file called password-policy.ldif with the following content:
dn: ou=policies,dc=test,dc=lan
ou: policies
objectClass: top
objectClass: organizationalUnit

# default, policies, test.lan
dn: cn=default,ou=policies,dc=test,dc=lan
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdMaxAge: 7776002
pwdExpireWarning: 432000
pwdInHistory: 3
pwdCheckQuality: 1
pwdMinLength: 8
pwdMaxFailure: 5
pwdLockout: TRUE
pwdLockoutDuration: 900
pwdGraceAuthNLimit: 0
pwdFailureCountInterval: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE
This sets the following policies:
- password expiration at 90 days
- password lockout on 5 failures and a lockout duration of 15 minutes
- minimum password length of 8
- 3 earlier passwords kept in history
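The interaction between pwdMaxFailure, pwdLockoutDuration and pwdFailureCountInterval is easy to misread, so here is an added simulation of how the policy above behaves on non-rootdn binds. It is my own simplified model, not part of this contribution or of OpenLDAP's slapo-ppolicy: it keeps a cleartext password purely for the simulation (slapd stores a hash), uses a caller-supplied clock instead of real time, and ignores pwdExpireWarning, pwdMustChange, pwdSafeModify and grace binds (pwdGraceAuthNLimit is 0 in the policy, so an expired password simply fails to bind).

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class PwdPolicy:
    """The pwdPolicy attributes this model honours, in seconds, defaulting to
    the values in password-policy.ldif above."""
    pwdMaxAge: int = 7776000            # 90 days
    pwdMinLength: int = 8
    pwdInHistory: int = 3
    pwdMaxFailure: int = 5
    pwdLockout: bool = True
    pwdLockoutDuration: int = 900       # 15 minutes; 0 would mean "until reset by an admin"
    pwdFailureCountInterval: int = 0    # 0: failures are only cleared by a successful bind


@dataclass
class Account:
    """Operational state ppolicy keeps on the user entry (simulation only)."""
    password: str
    pwdChangedTime: float
    pwdHistory: List[str] = field(default_factory=list)
    pwdFailureTime: List[float] = field(default_factory=list)
    pwdAccountLockedTime: Optional[float] = None


def bind(acct: Account, policy: PwdPolicy, password: str, now: float) -> str:
    """Simulate a simple bind; returns 'ok', 'locked', 'expired' or 'invalid'."""
    if acct.pwdAccountLockedTime is not None:
        still_locked = (policy.pwdLockoutDuration == 0
                        or now < acct.pwdAccountLockedTime + policy.pwdLockoutDuration)
        if still_locked:
            return "locked"
        acct.pwdAccountLockedTime = None   # lockout period elapsed
        acct.pwdFailureTime = []
    if policy.pwdFailureCountInterval > 0:
        # only failures within the interval count towards pwdMaxFailure
        acct.pwdFailureTime = [t for t in acct.pwdFailureTime
                               if now - t < policy.pwdFailureCountInterval]
    if password != acct.password:
        acct.pwdFailureTime.append(now)
        if policy.pwdLockout and len(acct.pwdFailureTime) >= policy.pwdMaxFailure:
            acct.pwdAccountLockedTime = now
            return "locked"
        return "invalid"
    acct.pwdFailureTime = []               # successful bind clears the failure count
    if policy.pwdMaxAge and now - acct.pwdChangedTime > policy.pwdMaxAge:
        return "expired"
    return "ok"


def change_password(acct: Account, policy: PwdPolicy, new: str, now: float) -> str:
    """Apply pwdMinLength and pwdInHistory to a user-initiated password change."""
    if len(new) < policy.pwdMinLength:
        return "too short"
    if new == acct.password or new in acct.pwdHistory:
        return "in history"
    acct.pwdHistory = ([acct.password] + acct.pwdHistory)[:policy.pwdInHistory]
    acct.password = new
    acct.pwdChangedTime = now
    return "ok"


if __name__ == "__main__":
    acct = Account(password="correct-horse", pwdChangedTime=0.0)
    policy = PwdPolicy()
    results = [bind(acct, policy, "wrong", float(t)) for t in range(5)]
    print(results)                                   # four 'invalid', then 'locked'
    print(bind(acct, policy, "correct-horse", 10.0))  # still 'locked'
    print(bind(acct, policy, "correct-horse", 905.0)) # 'ok' once 900 s have passed
```

With pwdFailureCountInterval left at 0, five wrong passwords spread over weeks still lock the account, because nothing but a successful bind clears the count; setting an interval makes old failures age out, which is the usual choice when lockout is meant to slow down guessing rather than punish typos.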
To import the policy run the following command:
ldapadd -D "cn=Manager,dc=test,dc=lan" -W -x -f password-policy.ldif
This ldapadd command should add the policy after authenticating as the LDAP administrator, and we should be able to see the newly imported policy now when we do an ldapsearch.
ldapsearch -x -D "cn=Manager,dc=test,dc=lan" -W -b "dc=test,dc=lan"
This completes the server configuration.
Client Side Configuration
On the LDAP clients we need to make the following change in the LDAP client configuration file /etc/ldap.conf, assuming the client was configured to authenticate to our LDAP server before. Uncomment the pam_lookup_policy line, which should already be there in /etc/ldap.conf, to enable it:
pam_lookup_policy yes
Now the password policy should be enforced for all non-rootdn authentication attempts.
Licensed under the Creative Commons 3.0 Unported license.
162 thoughts on “OpenLDAP How To (Fedora)”
Thanks, Excellent blog for openLDAP installation in FC 13 !!!
Hi,
Excellent Information.
Is it possible to create groups/users from OpenLdap admin gui in OpenAm?
Sanjay,
nikalje.503@gmail.com
I’m not familiar with it myself, sorry. If it talks OpenLDAP, then I’d say so 🙂
-c
Hi,
Thanks a lot for this how to
I tried to follow your example to configure the OpenLDAP server. I used the non-config file method, but I ran into a problem in the Configure base domain section: when I type ldapadd -x -W -D “cn=Manager,dc=test,dc=lan” -f chris.ldif I receive the following message “ldap_bind: Invalid credentials (49)”. Can you help me please?
NB: in the Database cache section, when I test my configuration by running the slaptest -u command, I receive the following message:
ldif_read_file: checksum error on “/etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif”
ldif_read_file: checksum error on “/etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif”
config file testing succeeded
Hey, I’m sorry I never found the time to get the non-config version up and running. Can you try using the config file?
-c
Hi,
thanks for this how to,
If I want to add another domain, what should I do?
Also, on the client configuration step, when I try to add the location of the encryption certificate the error “Error downloading CA certificate” appears.
Can you help me please?
Hi Dimetry,
I haven’t set up a second domain, but I’d assume you could just do the set up again on the same box, just don’t change the Manager’s password. A domain is unique dc=example,dc=com so you should be able to also add dc=anotherexample,dc=com without any conflict – I haven’t tried this though.
As for the error downloading the certificate, what URL are you putting in there?
Cheers,
Chris
I put “/etc/openldap/ssl/slapdcert.pem”; I also tried “/etc/openldap/ssl/slapdkey.pem”.
It needs a protocol, so if you’re accessing it on disk, add file://, so:
file:///etc/openldap/ssl/slapdcert.pem
But from memory you should be giving it the cacert, not your LDAP server’s certificate.. been a while though. Try! 🙂
-c
I was able to add the users and groups like you shown in your tutorial but I’m getting this error:
# ldapsearch -xWD “cn=Manager,dc=pgrlive,dc=com” -b “dc=pgrlive,dc=com” “cn=user”
Enter LDAP Password:
ldap_bind: Invalid DN syntax (34)
additional info: invalid DN
Are you copying that from the webpage directly? Make sure those are speech marks and not html characters. I assume that this is connecting to localhost?
-c
Hi Chris,
Thanks for these instructions, I’ve not found any others like this online for setting up LDAP. I’m using Centos and have gone through each step. Everything has worked as per your instructions except at the final step to test ldap is working where I get this error and messages in the log:
# su - user3
su: user user3 does not exist
/var/log/messages
Apr 26 11:40:43 server1 nslcd[21495]: [8b4567] ldap_start_tls_s() failed: Connect error (uri=”ldap://127.0.0.1/”)
Apr 26 11:40:43 server1 nslcd[21495]: [8b4567] failed to bind to LDAP server ldap://127.0.0.1/: Connect error
Apr 26 11:40:43 server1 nslcd[21495]: [8b4567] no available LDAP server found
Server and client are on the same machine although I get the same problem with a remote LDAP client.
Did you encounter any errors like this at all?
Regards
Gareth
p.s. I got the same error as Peter R, which turned out to be an issue with the quote characters I copied off this page.
You can ignore my previous question as I’ve solved the problem.
I hadn’t listed the LDAP server name correctly, I had ‘ldap://server1’ but it should have been ‘ldap://server1.example.com’. I’d thought it would work as I could resolve the name server1 but it actually has to match the name you put in the certificate.
Hi Gareth, sorry I didn’t reply in time. Glad you fixed it.
-c
Hi Chris,
In the final step I get the same error as the question above. Server and client are on the same machine and I want to use localhost for the server; how should I do this? Sorry for my bad English.
Can you post your command and result?
Hi,
I’ve created a new attribute called ‘uid’ in opendj and need to back populate the field for existing data. Could you please let me know if there is a way to do it.
Thanks,
Manasa
What do you mean? There should already be a uid attribute?
-c
I successfully add dn=hassan,dn=com to my ldap server using
base.ldif
dn: dc=hassan,dc=com
dc: hassan
ou: hassan dot com
objectClass: dcObject
objectClass: organizationalUnit
but when I add the OUs I get an error. Here is my OU LDIF:
dn: ou=People,dc=hassan,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=hassan,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit
The error is :
[root@Hassan-PC ~]# ldapadd -xWD “cn=Manager,dc=hassan,dc=com” -f base.ldif
Enter LDAP Password:
adding new entry “ou=People,dc=hassan,dc=com”
ldap_add: Other (e.g., implementation specific) error (80)
additional info: index generation failed
Can you help?
I think it’s because your base unit is an organisation unit when it shouldn’t be. It should be something like:
dn: dc=hassan,dc=com
dc: hassan
objectClass: top
objectClass: domain
This was really helpful Thanks very much for the thorough overview. With this information I was able to get my LDAP up and working… Much better information than the $35 book I bought from O’Reilly.
Excellent post Chris!!
I have been struggling to get ldap work under the new non-config style but very scanty information around. I have a basic setup now thanks to you! 🙂
Glad it could help!
Hi Chris
Should it work if you do not have DNS working?
Thanks,
It should still work, but it depends if you’re connecting via localhost or not. If you don’t have DNS, maybe add the required hosts to /etc/hosts.
Sir, I have a question about the last part, when downloading the TLS certificate: how can I share that file with another network so one of my client machines can locate the cert? Thanks in advance. Best information I’ve seen.
Hi Kenny,
Somehow I lost my images, but it’s here:
So you can put it on an http server somewhere or something.
Chris,
Your article puts the official documentation to shame.
I have struggled to connect a debian client to a fedora 14 nfs4 server with LDAP providing the authentication so that I could connect with the same UID and GID for the nfs mount.
I wonder if you might put up the next steps to set up the server to share nfs mounts to clients via ssh with ldap authentication?
Thanks Chris!. I have system up and running, my linux client machine can log in with ldaps authentication. Here my couple of questions:
1. How to enable logging?
2. After a user logs in, is there a way to tell the server its IP address, or how can the server track the machine’s IP address? (In Windows AD, I used a log on/off script to retrieve the client’s IP address via policy.)
How can we set the UnboundID Java arg environment variable on the LDAP server, and what is the meaning of mild warning, server warning?
Thank you
Hmm.. I’m not sure what AD can do, but your LDAP server’s log might tell you something. I haven’t done this before I’m afraid, so can’t give much advice. There’s another project, FreeIPA, which will do much more of what you want. I plan to write up a howto sometime.
Hi Naresh,
I’m not sure what that Java arg is, or the warnings. Do you have some more details where you saw these things?
-c
After I configure the LDAP server, I can’t log in to LDAP using Fedora. In CentOS I used authconfig-tui:
no TLS
Server:ldap://ldap.test.com
Base DN: dc=test,dc=com
It works, but when I used authconfig-gtk:
User Account Database: LDAP
LDAP Search Base DN: dc=test,dc=com
LDAP Server: ldaps://ldap.test.com
Even if I used Download CA Certificate and got the pem (I used slapdcert.pem; I copied it over the network using rsync and gave it file://var/tmp/slapdcert.pem, and I also changed the owner to root:ldap after I copied it), it all seems not to work. SELinux is disabled and the firewall is disabled. Thanks in advance, hope you can help me. Thanks a lot Chris.
Can you try using authconfig-tui with TLS? Once you get this working then I think Fedora will work (I suspect that’s where the problem is). From memory Fedora must use TLS, although there was a way to force “legacy” so that it could do non-encrypted.
Also, TLS should be using regular port, not SSL port. Maybe try Fedora with ldap://ldap.test.com rather than ldaps..
-c
Thank you so much. Haha, I found the real problem why it was not logging in: the client machine needs to have nss_ldap and pam_ldap installed. Thanks also Chris 🙂
Unable to import that information into our LDAP database.
The error below occurred:
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
Please help.
I am entering the same password which I have set in the slapd.conf file.
I have also reset the password by doing slappasswd and copied the hashed password into the slapd.conf file, but same error…
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
Please help.
Maybe your user is wrong? What command are you running?
Thanks for the reply Chris. But the problem has already been resolved.
One more issue: how do I log in using LDAP authentication on a Windows system, is there any client?
And I have configured the client machine for LDAP authentication but I am unable to log in using LDAP (Authentication failed), while the same user ID is working on the LDAP server.
Please revert.
I am able to import the users into the LDAP directory.
But now I am unable to log in using LDAP.
Error on the Windows system: Authentication via ldap failed: Invalid credentials
But the same user ID is able to log in in the simulation tab in pGina.
Error on CentOS: Authentication failed
I have checked the slapd.conf file properly but am unable to find the problem.
Are there any other settings to be done on the LDAP server to log in via the LDAP server?
If you need any more details please revert.
Please also provide the LDAP logs path.
Regards,
Sunil Tumma
The LDAP server is configured on CentOS 6.2, FYI.
Hi, I am able to search the user with the below command on the client machine (CentOS):
ldapsearch -x
[root@ESS-SAG-LT-013 ~]# ldapsearch -x
# extended LDIF
#
# LDAPv3
# base (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
# search result
search: 2
result: 0 Success
# numResponses: 17
# numEntries: 16
[root@ESS-SAG-LT-013 ~]#
and am also able to see the users in the passwd file with the below command (CentOS):
getent passwd
[root@ESS-SAG-LT-013 ~]# getent passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
test2:x:20209:0:test1:/home/test2:/bin/bash
root:x:0:0:root:/root:/bin/bash
operator:x:11:0perator:/root:/sbin/nologin
test3:x:501:501:test3:/home/test3:/bin/bash
test4:x:502:502:test4:/home/test4:/bin/bash
But I am unable to log in with the LDAP users and unable to switch user to LDAP users.
Error: system error in GUI / incorrect password in CLI
I have also tried on a Windows machine using pGina.
Error: Authentication failed.
I’m sorry I haven’t had much luck with Windows, although if you’re using SSL I seem to remember that you have to import the CA cert into Windows somewhere..
But I am unable to log in using the LDAP server and unable to switch user to LDAP users.
Error: system error in GUI / incorrect password in CLI
Didn’t see that it doesn’t work on linux either. So does this work as root:
su - test4
here is the result
[root@ESS-SAG-LT-013 ~]# su - test4
[ESS_Storage@ESS-SAG-LT-013 ~]$ su - test4
Password:
su: incorrect password
[ESS_Storage@ESS-SAG-LT-013 ~]$
I have changed the password two or three times.
Please try as root.
Result on the LDAP server:
[root@centosldap ~]# su - test1
su: warning: cannot change directory to /home/test1: Permission denied
-bash: /home/test1/.bash_profile:Permission denied
-bash-4.1$
here is the result
[root@ESS-SAG-LT-013 ~]# su - root
[root@ESS-SAG-LT-013 ~]#
Hi Chris,
One more thing: I am using CentOS with Linux kernel 2.6.32 and OpenLDAP server 2.4.
Regards,
Sunil Tumma