Comments on Another I.T. blog: HOWTO : CentOS 6.2 OpenLDAP 2.4 Setup

fredouille (2018-01-07 15:20 -05:00):

Hi David,

Again, thanks for your document. I'll try to follow it one more time and maybe succeed...

I don't know if it's normal, but I can't access the linked samples, like ~/ldap/slapd.conf.fix.

I don't know if it's usual, but it could be really helpful.

Could you please update the links or send them directly?

Thanks in advance,
Fred
berok37@hotmail.com
Radit (2016-10-31 00:27 -04:00):

Hi David,

Thanks for your sharing.
I'm a newbie, and I didn't get what the point of this section is. Please help.

Thank you.

Update! The latest version of OpenLDAP installs the pmi schema. The presence of this schema causes an error when running slaptest later in this tutorial. Since most of us don't need this schema, we will remove it right here and now by running this command:

    sed -e "/pmi/d" ~/ldap/slapd.conf.temp | tee -a ~/ldap/slapd.conf.fix

Thanks to Bas van Wetten for pointing out this fix.

Now let's edit this file to add several items:

  - Our OpenLDAP suffix. It's normally your DNS domain name, but it doesn't have to be.
  - The rootdn, which is our OpenLDAP admin user. Think of him as the root user of your CentOS server. Let's use cn=admin,dc=company,dc=com as our super-user.
  - A password for our rootdn user, specified by rootpw. Keep in mind that this user has complete control over the OpenLDAP data, so make sure to keep this password in a safe place (such as KeePass or gpg). The slappasswd(8C) command will generate a salted SHA password for us. Record the output as we will need it soon (the example below is a fake password not used anywhere).
  - The type of backend database we want and where it will be located. Let's use the Oracle Berkeley Database backend and place it into /var/lib/ldap. This directory was created when we installed the openldap-servers package.
  - A few Access Control Lists (ACL) for the various backend databases. We will build on those later on.
  - Where to write the process ID and the arguments file.
  - Turn on database monitoring.
  - We also remove the pmi.schema as we don't need it.

Before you edit the file, record the output of the slappasswd(8C) command.

Arse (2016-10-06 06:58 -04:00):

Hey Anonymous, thanks for the info!

Anonymous (2016-10-06 04:37 -04:00):

I couldn't get TLS to work with the self-made CA or with the Perl script (xCA.pl). It took me a couple of days to figure out why I couldn't get such a simple process to work. I finally managed to get TLS to work when I followed this guide: https://jamielinux.com/docs/openssl-certificate-authority/index.html

I simply created the root CA, the intermediate CA and the server certificates.
My ldap.conf points to the root CA (ca.cert.pem if you follow the guide). Using TLSCACERTDIR resulted in errors, so that was removed. cn=config was configured to point to the server key and certificate, and the CA was pointed to the chain certificate (ca-chain.cert.pem if you followed the guide).

I'm just posting this here in case anyone else runs into the same error as me and seems to be stuck with a seemingly simple task.
Arse (2016-07-13 12:24 -04:00):

Hello POLKOVNIK,

In order to get syslog information, you need to configure both the OpenLDAP daemon and your syslog daemon.

In CentOS, the syslog is actually rsyslog. So make sure to edit /etc/rsyslog.conf to add these lines after the modules, global directives, templates and rules sections. That is, place the lines only once, in the rules section.

    # Send slapd logs to /var/log/slapd.log
    if $programname == 'slapd' then /var/log/slapd.log

Then make sure to create the file:

    sudo touch /var/log/slapd.log

Then make sure the file is kept under control by creating /etc/logrotate.d/slapd if it doesn't yet exist:

    # /etc/logrotate.d/slapd
    #
    # Rotate slapd(8) log file.
    #
    # David Robillard, April 23rd, 2012.

    /var/log/slapd.log {
        missingok
        notifempty
        rotate 7
        compress
        # rsyslog keeps the old file open until told otherwise, so make it
        # reopen the log after rotation (same HUP as /etc/logrotate.d/syslog).
        postrotate
            /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
        endscript
    }

    # EOF

Now configure the OpenLDAP logging parameters. Check the documentation at http://www.openldap.org/doc/admin24/runningslapd.html. The easy way is to edit /etc/sysconfig/ldap to add the -d switch to the SLAPD_OPTIONS variable. Something like SLAPD_OPTIONS="-4 -d 256" will result in a lot of debug info.

HTH,

David
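Once slapd's output lands in /var/log/slapd.log as described in the reply above, the file is worth reading for more than debugging. The script below is an added example, not part of that reply or of the OpenLDAP project: it runs a small awk audit over log lines in the format slapd writes at loglevel stats (the olcLogLevel setting that another comment further down this page reports needing), reporting simple binds that arrived on connections that never completed STARTTLS, i.e. passwords that crossed the wire in the clear, and DNs that accumulated repeated err=49 (invalidCredentials) results. The sample log lines, host name, addresses and DNs are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original reply): audit slapd "stats" log lines
# for cleartext simple binds and repeated bind failures. Sample data below is
# constructed; the host, addresses and DNs are invented.

# Print one line per (connection, DN) that did a simple bind without TLS on
# that connection, and one line per DN whose failed binds reach THRESHOLD.
audit_slapd_log() {   # usage: audit_slapd_log LOGFILE [FAIL_THRESHOLD]
    awk -v threshold="${2:-3}" '
        { conn = $6 }                                        # stats lines carry conn=N in field 6
        $8 == "ACCEPT" { delete tls[conn]; peer[conn] = $10 } # new connection; field 10 is IP=addr:port
        $8 == "TLS" && $9 == "established" { tls[conn] = 1 } # STARTTLS completed on this connection
        $8 == "BIND" && $10 == "method=128" {                # method=128 is a simple (password) bind
            dn = $9; sub(/^dn=/, "", dn)
            bindop[conn "." $7] = dn                         # remember the DN per op for the RESULT line
            if (dn != "\"\"" && !(conn in tls) && !seen[conn, dn]++)
                printf "CLEARTEXT simple bind on %s from %s as %s\n", conn, peer[conn], dn
        }
        $8 == "RESULT" && $10 == "err=49" {                  # err=49: invalidCredentials
            dn = bindop[conn "." $7]
            if (dn != "") fails[dn]++
        }
        END {
            for (d in fails)
                if (fails[d] >= threshold)
                    printf "FAILED binds: %d for %s\n", fails[d], d
        }
    ' "$1"
}

# Constructed sample of what slapd writes at loglevel stats: one connection
# that does STARTTLS before binding, one that binds in the clear and fails
# three times as the admin, and one anonymous bind.
make_sample_log() {   # usage: make_sample_log FILE
    cat > "$1" <<'EOF'
Jul 13 12:00:01 alice slapd[1234]: conn=1001 fd=12 ACCEPT from IP=10.0.0.5:51234 (IP=0.0.0.0:389)
Jul 13 12:00:01 alice slapd[1234]: conn=1001 op=0 STARTTLS
Jul 13 12:00:01 alice slapd[1234]: conn=1001 op=0 RESULT oid= err=0 text=
Jul 13 12:00:01 alice slapd[1234]: conn=1001 fd=12 TLS established tls_ssf=256 ssf=256
Jul 13 12:00:01 alice slapd[1234]: conn=1001 op=1 BIND dn="uid=davidr,ou=people,dc=company,dc=com" method=128
Jul 13 12:00:01 alice slapd[1234]: conn=1001 op=1 BIND dn="uid=davidr,ou=people,dc=company,dc=com" mech=SIMPLE ssf=0
Jul 13 12:00:01 alice slapd[1234]: conn=1001 op=1 RESULT tag=97 err=0 text=
Jul 13 12:00:02 alice slapd[1234]: conn=1002 fd=13 ACCEPT from IP=10.0.0.9:40000 (IP=0.0.0.0:389)
Jul 13 12:00:02 alice slapd[1234]: conn=1002 op=0 BIND dn="cn=admin,dc=company,dc=com" method=128
Jul 13 12:00:02 alice slapd[1234]: conn=1002 op=0 RESULT tag=97 err=49 text=
Jul 13 12:00:03 alice slapd[1234]: conn=1002 op=1 BIND dn="cn=admin,dc=company,dc=com" method=128
Jul 13 12:00:03 alice slapd[1234]: conn=1002 op=1 RESULT tag=97 err=49 text=
Jul 13 12:00:04 alice slapd[1234]: conn=1002 op=2 BIND dn="cn=admin,dc=company,dc=com" method=128
Jul 13 12:00:04 alice slapd[1234]: conn=1002 op=2 RESULT tag=97 err=49 text=
Jul 13 12:00:05 alice slapd[1234]: conn=1003 fd=14 ACCEPT from IP=10.0.0.7:33000 (IP=0.0.0.0:389)
Jul 13 12:00:05 alice slapd[1234]: conn=1003 op=0 BIND dn="" method=128
Jul 13 12:00:05 alice slapd[1234]: conn=1003 op=0 RESULT tag=97 err=0 text=
EOF
}
```

Run audit_slapd_log /var/log/slapd.log on a real file; the TLS-first connection and the anonymous bind produce no output, the cleartext admin bind is reported once per connection and DN, and the three err=49 results are summed per DN.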
POLKOVNIK (2016-07-13 04:05 -04:00):

Please find the output of the command.

    ps -ef | grep slapd
    ldap      2396     1  0 13:31 ?        00:00:00 /usr/sbin/slapd -h ldap:/// ldapi:/// -u ldap -4
    root      2406  2272  0 13:33 pts/0    00:00:00 grep slapd

It is running as the ldap user.

Arse (2016-07-12 12:43 -04:00):

Ah yes, well there is a big difference between the /etc/init.d/slapd startup script and the /etc/openldap/slapd.conf configuration file. The first is used to start the OpenLDAP daemon (named slapd) while the second one configures part of the daemon.

Are you sure that the slapd daemon runs as the ldap user? To figure that one out, once the daemon is started, do a ps -ef | grep slapd. Or check the startup script or configuration file that we just talked about. One of these has the user and group ID of the daemon.

POLKOVNIK (2016-07-12 11:44 -04:00):

Actually, I had edited the 10th line as I got this error.
The original 10th line is: # config: /etc/openldap/slapd.conf
After reverting the change and starting the service again, it gives the following error:

    ln: accessing `/var/run/openldap/slapd.pid': No such file or directory

/var/log/slapd.log consists of the following:

    Jul 12 21:06:28 company slapd[1966]: @(#) $OpenLDAP: slapd 2.4.40 (May 10 2016 23:30:49) $
        mockbuild@worker1.bsys.centos.org:/builddir/build/BUILD/openldap-2.4.40/openldap-2.4.40/build-servers/servers/slapd

Also, /var/log/messages doesn't have any logs.

The folder already exists and I have set the permissions and ownership using the following commands:

    chown ldap:ldap /var/run/openldap
    chmod 700 /var/run/openldap
Arse (2016-07-12 11:25 -04:00):

Hey POLKOVNIK,

Glad I could help!

Now, about your problem, can you please show me what line 10 is in your /etc/init.d/slapd file? A simple command like this will show the first 11 lines: head -11 /etc/init.d/slapd.

And about the other error, it simply looks like the directory doesn't exist. Create it like so:

    sudo mkdir -p /var/run/openldap

Then make sure you set the proper ownership on the directory. It is to be owned by, and readable and writable by, the user slapd will run as.

HTH,

David
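Creating the directory is only half of it: the ownership must match the account slapd actually runs as, and the directory should not be writable by anyone else, since the init script trusts whatever pid is written there. The script below is an added example, not part of the reply above or of the OpenLDAP packages: slapd_users extracts the daemon's user from ps -ef output (the check suggested in this thread), and check_run_dir verifies the run directory's existence, owner and mode. The ps lines are constructed from the ones posted in this thread; ldap and /var/run/openldap are the tutorial's values and are passed in as parameters.

```shell
#!/bin/sh
# Added example (not from the original reply): confirm slapd runs as the
# unprivileged account and that its run directory is owned by that account
# and writable by nobody else. Sample ps output is constructed.

# Print the distinct user(s) that slapd processes run as, reading "ps -ef"
# style output on stdin (field 1 = UID, field 8 = command). "grep slapd"
# itself has "grep" in field 8 and is not matched.
slapd_users() {   # usage: ps -ef | slapd_users
    awk '$8 ~ /(^|\/)slapd$/ { print $1 }' | sort -u
}

# Return 0 if DIR exists, is owned by EXPECTED_USER and has no group/world
# write bit; otherwise print the reason and return 1.
check_run_dir() {   # usage: check_run_dir DIR EXPECTED_USER
    dir=$1; want=$2
    [ -d "$dir" ] || { echo "missing directory: $dir (mkdir -p it first)"; return 1; }
    owner=$(ls -ld "$dir" | awk '{print $3}')
    [ "$owner" = "$want" ] || { echo "$dir is owned by $owner, expected $want"; return 1; }
    # -prune keeps find on the directory itself; -perm -020/-002 test the
    # group and other write bits (POSIX octal form, so it works without GNU find).
    if [ -n "$(find "$dir" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "$dir is group/world writable"; return 1
    fi
    return 0
}

# Combined check: the daemon user from ps must be the expected one, and the
# run directory must belong to it.
check_slapd_privs() {   # usage: ps -ef | check_slapd_privs DIR EXPECTED_USER
    users=$(slapd_users)
    [ "$users" = "$2" ] || { echo "slapd runs as '${users:-nobody found}', expected '$2'"; return 1; }
    check_run_dir "$1" "$2"
}

# Constructed "ps -ef" excerpt: the header plus the two lines posted in this
# thread (slapd as ldap, and root's own grep).
sample_ps() {
    printf '%s\n' \
      'UID        PID  PPID  C STIME TTY          TIME CMD' \
      'ldap      2396     1  0 13:31 ?        00:00:00 /usr/sbin/slapd -h ldap:/// ldapi:/// -u ldap -4' \
      'root      2406  2272  0 13:33 pts/0    00:00:00 grep slapd'
}
```

On the server the real call is ps -ef | check_slapd_privs /var/run/openldap ldap; it exits non-zero and says why when slapd is running as root, when the directory is missing, or when someone else can write into it.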
POLKOVNIK (2016-07-12 11:20 -04:00):

Hey David,
First of all, thanks for this wonderful document.
Really helpful.

After configuration, when I start the service I get the following error:

    /etc/init.d/slapd: line 10: config:: command not found
    ln: accessing `/var/run/openldap/slapd.pid': No such file or directory

Thank you.

Arse (2016-06-21 08:23 -04:00):

Hey 4n3i5v74,

Thanks, glad I could help! :)

David

Arse (2016-06-21 08:22 -04:00):

Ah ha! Good point :)

4n3i5v74 (2016-06-21 07:18 -04:00):

Amazing posts on OpenLDAP, David. I spent weeks and learned tons of stuff through this series of posts.

Michael Tiernan (2016-03-31 13:33 -04:00):

Actually not an error, I figured it out last night in the middle of the night. Woke up having a "V8" moment.

The second one is for the second database, "monitor".

Arse (2016-03-31 10:04 -04:00):

Yep! That's right :)
Arse (2016-03-31 10:04 -04:00):

Hey Anonymous,

Yes, the changes you applied are all valid. I simply chose not to enable LDAPS because it is deprecated, as LDAP over TLS is now the suggested route to encrypt the communications.

It will still work, but on TCP port 636 instead.

Cheers,

DA+
Arse (2016-03-31 10:01 -04:00):

Hello Michael,

That's probably an error. I'll double-check my own servers next week when I'm back from vacation.

Thanks,

David

Michael Tiernan (2016-03-29 12:24 -04:00):

Question for you. In your example slapd.conf file you have this line twice:

    access to *
        by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage

Is there a reason for doing it twice?

(One above and one below the database monitor command.)

Thanks.

Anonymous (2015-10-19 22:08 -04:00):

Also, to get more verbose logging I needed to run ldapmodify with this input:

    dn: cn=config
    changetype: modify
    replace: olcLogLevel
    olcLogLevel: stats
Anonymous (2015-10-19 03:32 -04:00):

Hello David, thanks very much for this.

I found it worked for me on CentOS 6.7 with the following changes:

0. Delete
       include /etc/openldap/schema/collective.schema
   from the slapd.conf.fix file.

1. In the Self-Signed Certificate via the OpenSSL Command section, change
       sudo mv server.pem /etc/pki/tls/certs/alice.company.com.crt
   to
       sudo mv alice.company.com.crt /etc/pki/tls/certs/alice.company.com.crt

2. In the Self-Signed Certificate via the OpenSSL Command section, change
       sudo mv privkey.pem /etc/pki/tls/certs/alice.company.com.key
   to
       sudo mv alice.company.com.key /etc/pki/tls/certs/alice.company.com.key

3. In the Self-Signed Certificate via the OpenSSL Command section, change
       olcTLSCertificateFile: /etc/pki/tls/certs/alice.company.com.pem
   to
       olcTLSCertificateFile: /etc/pki/tls/certs/alice.company.com.crt

4. The example output from the
       sudo ldapsearch -LLLY EXTERNAL -H ldapi:/// -b cn=config -s base | grep -i tls
   command also has some inconsistencies with the earlier set-up:
       olcTLSCertificateFile: /etc/pki/tls/certs/alice.company.com.pem
   would be
       olcTLSCertificateFile: /etc/pki/tls/certs/alice.company.com.crt
   and
       olcTLSCACertificateFile: /etc/pki/tls/certs/companyCA.crt
   would be
       olcTLSCACertificateFile: /etc/pki/tls/certs/rootca.crt

5. In the /etc/openldap/ldap.conf file, change
       TLS_CACERT /etc/pki/tls/certs/companyCA.crt
   to
       TLS_CACERT /etc/pki/tls/certs/rootca.crt

6. A step needs to be added, prior to restarting slapd, to update /etc/sysconfig/ldap to change
       SLAPD_LDAPS=no
   to
       SLAPD_LDAPS=yes

Anonymous (2015-02-24 06:50 -05:00):

UPD: I get that the rootdn has no access to the other DBs by default (namely cn=config), but I think you are adding ACLs for the actual BDB as well in one of the ACL LDIFs. No biggie, just thought it was superfluous.
Anonymous (2015-01-09 17:22 -05:00):

Hi David! Thanks for your efforts!

Could you however explain why you would add ACLs for the rootdn?

http://www.openldap.org/doc/admin24/access-control.html
"The default access control policy is allow read by all clients. Regardless of what access control policy is defined, the rootdn is always allowed full rights (i.e. auth, search, compare, read and write) on everything and anything.
<...>
Never add the rootdn to the by clauses. ACLs are not even processed for operations performed with rootdn identity (otherwise there would be no reason to define a rootdn at all)."

Am I missing something?
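Both ACL questions in this thread, the duplicated peercred access line (which the thread resolves as one per database: bdb and monitor) and by clauses naming the rootdn (which the admin guide passage quoted above says are never evaluated), come down to knowing which database each access directive was read under. The awk script below is an added example, not from the tutorial or the OpenLDAP project: list_acls prints every access directive in a slapd.conf together with the database it belongs to (global for directives before the first database line) and flags any by clause that names that database's rootdn. The sample slapd.conf is constructed from the DNs used in the tutorial.

```shell
#!/bin/sh
# Added example (not from the original comments): map each "access to"
# directive in a slapd.conf to its database and flag by clauses that name the
# rootdn, which slapd never consults. The sample config is constructed.

# Output one line per access directive:  <db>\t<directive, joined onto one line>
# followed by \tROOTDN-IN-BY-CLAUSE when a by clause contains that database's rootdn.
list_acls() {   # usage: list_acls FILE
    awk '
        function flush() { if (acl != "") { n++; out[n] = acl; dbof[n] = db; acl = "" } }
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }          # comments and blank lines
        $1 == "database" { flush(); ndb++; db = ndb ":" $2 }     # numbered so two bdb sections stay apart
        $1 == "rootdn"   { v = $0; sub(/^[[:space:]]*rootdn[[:space:]]+/, "", v); gsub(/"/, "", v); rootdn[db] = v }
        $1 == "access"   { flush(); acl = $0; next }             # start of a directive
        /^[[:space:]]+by[[:space:]]/ && acl != "" { sub(/^[[:space:]]+/, " "); acl = acl $0; next }
        { flush() }                                              # any other directive ends the ACL
        END {
            flush()
            for (i = 1; i <= n; i++) {
                d = dbof[i]; r = rootdn[d]; note = ""
                p = index(out[i], " by ")                        # only look at the by clauses
                if (r != "" && p > 0 && index(substr(out[i], p), r) > 0) note = "\tROOTDN-IN-BY-CLAUSE"
                name = d; sub(/^[0-9]+:/, "", name); if (name == "") name = "global"
                print name "\t" out[i] note
            }
        }
    ' "$1"
}

# Constructed slapd.conf: one global ACL, a bdb database with the peercred
# line plus two ACLs that (needlessly) name the rootdn, and a monitor database
# with its own peercred line, as in the thread above.
make_sample_slapd_conf() {   # usage: make_sample_slapd_conf FILE
    cat > "$1" <<'EOF'
# constructed sample; DNs follow the tutorial
include /etc/openldap/schema/core.schema
access to dn.base=""
    by * read
database bdb
suffix "dc=company,dc=com"
rootdn "cn=admin,dc=company,dc=com"
directory /var/lib/ldap
access to *
    by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
access to attrs=userPassword
    by self write
    by dn.base="cn=admin,dc=company,dc=com" write
    by anonymous auth
    by * none
access to *
    by dn.base="cn=admin,dc=company,dc=com" write
    by * read
database monitor
access to *
    by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
    by * none
EOF
}
```

Run list_acls /etc/openldap/slapd.conf (or on the slapd.conf.fix file the tutorial builds) and read the first column: the two peercred lines show up once under bdb and once under monitor, and any line tagged ROOTDN-IN-BY-CLAUSE is a by clause that can be dropped, since the rootdn bypasses ACL evaluation entirely.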
Arse (2014-10-27 12:59 -04:00):

Hello Roberto,

Make sure you read the http://itdavid.blogspot.ca/2012/05/howto-openldap-2.html section of this blog series; it should answer that question :)

Let me know if you're still confused or if you need more help.

Cheers,

DA+

Roberto (2014-10-27 12:38 -04:00):

Hello David,
But on the LDAP server, must they be created with useradd?
Arse (2014-10-26 12:41 -04:00):

Hello Roberto,

No, you don't need to create the users on each machine locally. The idea is that users are managed centrally, which means at a single place. And that place is the OpenLDAP server.

So the key here is that the getent(1) command must return the OpenLDAP user you query. For example, let's say that user « davidr » is configured in the OpenLDAP server, but not in the local system's /etc/passwd file. And that machine is not the OpenLDAP server; it's a client. If you run this:

    getent passwd davidr

it should return the same info as if you'd used grep(1) to find the user in the local passwd(5) file.

HTH,

DA+