15

I'm trying to set up a test openldap server, having not worked with openldap before. I'm using the standard openldap-servers package on a redhat based machine (using Oracle Linux). I've installed the packages, and started the server.

I now have no idea how to actually get the server to do something useful; I can't browse to it using luma ('No such object' when trying to access the top-level entry), the openldap docs are obtuse as to how you actually get a server to a basic working confuration, and all the information online is for the old slapd.conf file rather the new slapd.d and cn=config.

How do I get a vanilla packaged openldap install working where I can browse to the root dn in luma?

Improve this question

2 Answers 2

Reset to default
22

I feel your pain.

Try this (it's tested on Scientific Linux 6.5, so it should work on OL as well):

  • Install OpenLDAP servers: yum install openldap-servers openldap-clients)
  • start slapd: service slapd start (and maybe chkconfig slapd on)
  • Create passwords for cn=config and your normal LDAP admin user with slappasswd. Note the output of this.
  • Create an LDIF file with the following content: 
 dn: olcDatabase={0}config,cn=config changetype: modify add: olcRootPW olcRootPW: {SSHA}TXcmvaldskl312012cKsPK1cY2321+aj dn: olcDatabase={2}bdb,cn=config changetype: modify add: olcRootPW olcRootPW: {SSHA}TXcmvaldskl312012cKsPK1cY2321+aj - replace: olcRootDN olcRootDN: cn=admin,dc=your,dc=base,dc=com - replace: olcSuffix olcSuffix: dc=your,dc=base,dc=com
  • The values for olcRootPW should be replaced with the output of slappaswd your noted earlier.
  • Naturally, olcSuffix and olcRootDN should be adapted to your new base DN.

  • Feed all this to the LDAP server with the following command:

    ldapmodify -a -Q -Y EXTERNAL -H ldapi:/// -f yourfile.ldif

Afer that, you should be able to connect to both cn=config and dc=your,dc=base,dc=com via LDAP.

Improve this answer
2
  • 8
    Thanks, this is like nightmare for beginer. There is config, but in the first lines of slap.d/* - DO NOT EDIT, while all howto/getting started/guides tell about "open config in your favorite editor" Commented Jul 28, 2014 at 11:53
  • modifying entry "olcDatabase={2}bdb,cn=config" ldap_modify: No such object (32) matched DN: cn=config Commented Jun 19, 2023 at 9:46
10

Before you start the OpenLDAP server, you need to set up a few things first.

Basic configuration

You need to set up a root user and password, along with defining your base DN. In slapd.conf, look for the lines following lines, and set them to the values you want.

suffix "dc=example,dc=com" rootdn "cn=root,dc=example,dc=com"

Usually your base DN (defined as suffix in the file) is the components of your domain name, separated with commas and prefixed with dc=. So, serverfault.com might become dc=serverfault,dc=com. Your rootdn must be under that suffix.

You also need to change the line that defines the root password. You can set it to a plaintext value, or use slappasswd to create a hash. You then need to put either the plaintext value or the hashed value out of slappasswd in a line that looks like this:

rootpw myultrasecurepassword

Schemas

It is a good idea at this point to start thinking about the schemas you want to use. A schema defines the attributes an object can have, so you need to include the schemas that contain the attributes you need. These schemas are included at the top of slapd.conf, and the ones here are usually the absolute basic schemas you will need:

include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema

These paths are the ones used in Arch Linux, so you may need to adjust them to fit Oracle Linux.

About slapd.conf vs slapd.d

OpenLDAP has switched from offline configuration (done in slapd.conf) to online configuration, storing data in a special cn=config tree found in slapd.d. Modifying the ldif files in slapd.d is a painful process however, so it is much easier to edit slapd.conf as above, then convert that into the new slapd.d format.

First, remove everything in slapd.d. Next, run the following command, making sure to adjust the paths to Oracle Linux:

slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/

Then just set the owner to your LDAP user and group on that directory recursively, and you should be ready to go. This needs to be done every time you edit slapd.conf - just remember to stop the OpenLDAP server before doing it!

Initial run

Before you can actually use the directory, you need to create the base DN (and root user). Create an .ldif file, containing lines similar to the following:

dn: dc=example,dc=com objectclass: dcObject objectclass: organization o: example.com dc: example dn: cn=root,dc=example,dc=com objectclass: organizationalRole cn: root

Now start the OpenLDAP server. We just need to push that information into the LDAP directory:

ldapadd -D "cn=root,dc=example,dc=com" -W -f initial.ldif

Obviously change the root DN and ldif filename to match what you have.

You should now have a working LDAP directory set up and ready to be populated!

The Arch Linux wiki is a great source of information about this topic - see https://wiki.archlinux.org/index.php/OpenLDAP and https://wiki.archlinux.org/index.php/LDAP_Authentication if you want to know more.

Improve this answer
3
  • Most of this is already done by the package manager and continuing to manage the configuration via slapd.conf and slaptest while the server is stopped beats the purpose of the online config. Commented Apr 9, 2014 at 14:49
  • 2
    For an initial configuration slapd.conf works just fine, and is certainly more intuitive than editing slapd.d directly. I don't know how much of the directory is done by the package manager in Oracle Linux, but if the OP couldn't access the base DN then it can't have been enough Commented Apr 9, 2014 at 15:19
  • 1
    The accepted answer has the information I needed, but the info on creating the initial objects was useful too Commented Apr 10, 2014 at 14:24

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.