
I am new to LDAP and Directory Services in general (my goal is to import LDIF files containing certificates from a Public Key Directory (pkddownloadsg.icao.int/download)).

But I am already failing at setting up OpenLDAP in Ubuntu correctly. I followed this guide: https://ubuntu.com/server/docs/service-ldap The setup process seems to be working correctly, but when I want to see the entire DIT, the rootDN is somehow missing:

user1@computer:~$ ldapsearch -x -LLL -H ldap:/// -b dc=example,dc=com dn
dn: dc=example,dc=com

There should be a 2nd line:

dn: cn=admin,dc=example,dc=com 

That's probably the reason why I cannot add LDIF files:

user1@computer:~$ sudo ldapadd -x -D "cn=admin,dc=example,dc=com" -W -f icaopkd.ldif -v
ldap_initialize( <DEFAULT> )
Enter LDAP Password:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

Any idea what might be causing this?

1 Answer

The rootDN for OpenLDAP does not need to exist within the DIT. As a special case, you can bind even as a nonexistent rootDN, as long as you use the password that was specified as olcRootPW: in your slapd DB backend configuration.

(If you do decide to create an entry corresponding to the rootDN, then the password will be checked against the userPassword of that entry as usual, although it'll retain its "root" privileges.)

Start by using sudo -u ldap slapcat -n 1 to directly dump the database contents as LDIF (bypassing slapd's access controls, as inaccessible entries are also invisible by default).

  • If the "cn=admin" entry is indeed not there and you want to have it as a real entry in the DIT, then use sudo -u ldap slapadd... to manually insert it from an LDIF.

  • If the entry is not there and you would prefer the simpler approach, then use ldapmodify to update the olcRootPW: attribute of your olcDatabase={1}mdb,cn=config backend entry to whichever password you want – see the section "Change the RootDN password" in the Ubuntu docs for an example.

(All of the slap* tools work directly against the DB files, so they should be sudo'd to whichever user owns them; typically ldap or openldap or slapd – I don't remember which one Ubuntu uses.

Meanwhile, you don't have to sudo the ldap* commands unless they are specifically working with local socket authentication – that is, unless they use -H ldapi:/// -Y EXTERNAL. In all other cases the tools should be run as your normal user.)
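Both checks from the answer, worked offline as an added example (this is not code from the question, the answer, or the OpenLDAP project): it scans a captured slapcat -n 1 dump for the cn=admin entry, handling LDIF line folding and base64-encoded DNs so a missed entry is not just a grep artefact, shows what an {SSHA} olcRootPW value is (the format slappasswd emits by default), and emits the ldapmodify LDIF that replaces olcRootPW. The backend name olcDatabase={1}mdb,cn=config and the DNs are the ones already used on this page; the sample dumps are constructed, not real slapcat output.

```python
"""Offline helpers for the two checks in the answer above (added example; not
code from the question, the answer, or OpenLDAP).

Assumptions: Ubuntu's default slapd layout, i.e. the data backend at
olcDatabase={1}mdb,cn=config, suffix dc=example,dc=com and rootDN
cn=admin,dc=example,dc=com, exactly the names used on this page."""
import base64
import hashlib
import hmac
import os

DATA_DB = "olcDatabase={1}mdb,cn=config"


def parse_ldif_dns(ldif_text):
    """Return every entry DN in an LDIF dump such as `slapcat -n 1` output.

    A plain grep for 'dn:' misses two LDIF features: a line starting with one
    space continues the previous line, and a DN that needs encoding is written
    as 'dn:: <base64>'. Both are handled here.
    """
    unfolded = []
    for line in ldif_text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    dns = []
    for line in unfolded:
        if line.startswith("dn:: "):
            dns.append(base64.b64decode(line[5:].strip()).decode("utf-8"))
        elif line.startswith("dn: "):
            dns.append(line[4:].strip())
    return dns


def normalize_dn(dn):
    """Case-fold and drop spaces around commas; enough for the DNs on this
    page (full RFC 4514 matching is more involved than this)."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def entry_exists(ldif_text, dn):
    """True if `dn` is present as an entry in the dump."""
    wanted = normalize_dn(dn)
    return any(normalize_dn(d) == wanted for d in parse_ldif_dns(ldif_text))


def ssha_hash(password, salt=None):
    """Build an {SSHA} value in slappasswd's default format:
    base64(SHA-1(password || salt) || salt) with a 4-byte random salt."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored, password):
    """Check a candidate password against an {SSHA} value of any salt length
    (first 20 decoded bytes are the digest, the remainder is the salt)."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def rootpw_modify_ldif(hashed, db=DATA_DB):
    """LDIF for `ldapmodify -H ldapi:/// -Y EXTERNAL` that replaces olcRootPW.

    slapd would accept a cleartext olcRootPW; this helper deliberately refuses
    one (a design choice of this example) so cn=config only ever stores a
    {SCHEME}-prefixed hash such as slappasswd's output.
    """
    if not hashed.startswith("{"):
        raise ValueError("pass a hashed value, e.g. the output of slappasswd")
    return "\n".join([f"dn: {db}", "changetype: modify",
                      "replace: olcRootPW", f"olcRootPW: {hashed}", ""])


# Constructed sample dumps (not real slapcat output). The first mirrors the
# question: only the suffix entry exists. The second adds the admin entry,
# with its DN folded over two lines the way LDIF writers wrap long lines.
SLAPCAT_NO_ADMIN = """\
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
dc: example
"""

SLAPCAT_WITH_ADMIN = SLAPCAT_NO_ADMIN + """
dn: cn=admin,dc=example,
 dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
"""

if __name__ == "__main__":
    # Typical use: sudo -u openldap slapcat -n 1 > dump.ldif, then inspect it.
    for name, dump in (("no admin", SLAPCAT_NO_ADMIN), ("with admin", SLAPCAT_WITH_ADMIN)):
        print(name, "->", entry_exists(dump, "cn=admin,dc=example,dc=com"))
    # Write this to a file and apply: sudo ldapmodify -H ldapi:/// -Y EXTERNAL -f rootpw.ldif
    print(rootpw_modify_ldif(ssha_hash("change-me")))
```

To run it against a real dump, capture sudo -u openldap slapcat -n 1 > dump.ldif (Ubuntu's slapd package runs as the openldap user) and pass the file contents to entry_exists. The printed LDIF goes to sudo ldapmodify -H ldapi:/// -Y EXTERNAL, which is exactly the ldapi/EXTERNAL case the answer says does need sudo. slappasswd remains the normal way to produce the hash; ssha_hash is here so you can recognise what a proper olcRootPW value looks like when you review slapcat -n 0 output, and spot a cleartext one.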
