endu80 n00b
Joined: 05 Mar 2007 Posts: 4
Posted: Thu May 10, 2007 4:54 pm Post subject: little openldap kickoff howto
Ever got annoyed that openldap is just such a pain in the ass?
I did, but in the end it's never the fault of the package you try to install, but rather of people not reading the docs.
There are a lot of howtos out there, but none of them (that I found) are up to date.
So this little howto will get you started, hopefully.
###openldap installation and configuration in gentoo
###2007-05-10
###Merge all necessary packages with the following USE flags:
dev-libs/openssl-0.9.8e
USE="zlib -bindist -emacs -sse2 -test"
app-crypt/heimdal-0.7.2-r3
USE="berkdb ldap ssl -X -ipv6"
dev-libs/cyrus-sasl-2.1.22-r2
USE="berkdb crypt kerberos ldap pam postgres ssl -authdaemond -gdbm -java -mysql -ntlm_unsupported_patch -sample -srp -urandom"
net-nds/openldap-2.3.35-r1
USE="berkdb crypt kerberos odbc perl readline sasl ssl tcpd -debug -gdbm -ipv6 -minimal -overlays -samba (-selinux) -slp -smbkrb5passwd"
###We'll use the old syntax configfile to produce the new style configuration under /etc/openldap/slapd.d/
###This is the entire config File without all the commented options...
# /etc/openldap/slapd.conf.initial
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
password-hash {md5}
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
directory /var/lib/openldap-data
index objectClass eq
loglevel 256
database bdb
suffix "dc=my,dc=example,dc=com"
rootdn "cn=Manager,dc=my,dc=example,dc=com"
# following the md5 hash of the word 'secret'
rootpw {MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ==
#access regulation / should be on one line, expect problems with linebreaks!
defaultaccess none
access to * by group/organizationalRole/roleOccupant="cn=Manager, dc=my,dc=example,dc=com" write by roup/organizationalRole/roleOccupant="cn=Manager, dc=my, dc=example ,dc=com" read by group/organizationalRole/roleOccupant="cn=Manager, dc=my, dc=example ,dc=com" search
access to attr=userpassword
by self write
by group="cn=Manager,dc=my,dc=example,dc=com" write
#by * compare
access to * by self write
#by dn=".+" read by * none
#EOF
###Enable the new configuration directory style in gentoo here:
# /etc/conf.d/slapd
# Uncomment the line below to use the new slapd configuration for openldap 2.3
OPTS="-F /etc/openldap/slapd.d -h 'ldaps:// ldap:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'"
#EOF
###This is the configuration file for the BerkeleyDB which must reside in
###/var/lib/openldap-data if not otherwise configured in /etc/openldap/slapd.conf.initial
# /var/lib/openldap-data/DB_CONFIG
# one 0.25 GB cache
set_cachesize 0 268435456 1
# Transaction Log settings
set_lg_regionmax 262144
set_lg_bsize 2097152
set_lg_dir /var/log/openldap
#EOF
###On clients which will be accessing the ldap server, edit /etc/openldap/ldap.conf to match this:
# /etc/openldap/ldap.conf
BASE dc=my,dc=example,dc=com
URI ldap://ldap.example.com
#EOF
###Before you start the slapd daemon make sure that /var/lib/openldap-data only contains the file DB_CONFIG and is writeable by the ldap user
###and create the directory /etc/openldap/slapd.d owned by ldap:/
###Then start the daemon with this command, as we want to convert our old config file to the new config directory style configuration:
/usr/lib/openldap/slapd -f /etc/openldap/slapd.conf.initial -F /etc/openldap/slapd.d
###As we did this as root, we need to give the ldap user access to the newly created files and dirs in that directory
chown -R ldap\: /etc/openldap/slapd.d
###
/etc/init.d/slapd start
###check the logs; if something doesn't work now, it is likely just a "little typo"
###if slapd doesn't terminate (which would be good) you can go ahead and try to connect from your client, with jxplorer for example, and populate your directory
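The `password-hash {md5}` directive and the rootpw in the slapd.conf.initial above both use the unsalted {MD5} scheme. As an added example (not part of the original post), the Python below reproduces the page's rootpw value from the word 'secret', verifies candidate passwords against stored {MD5} and {SSHA} values, and shows the property that makes the salted {SSHA} scheme preferable: two {MD5} hashes of one password are identical, two {SSHA} hashes are not.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# rootpw exactly as written in the slapd.conf.initial above.
PAGE_ROOTPW = "{MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ=="


def ldap_md5(password: str) -> str:
    """{MD5} scheme as selected by 'password-hash {md5}': base64(md5(password)), no salt."""
    return "{MD5}" + base64.b64encode(hashlib.md5(password.encode()).digest()).decode()


def ldap_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """{SSHA} scheme: base64(sha1(password + salt) + salt), with a fresh salt per hash."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def verify(password: str, stored: str) -> bool:
    """Check a candidate password against a stored {MD5} or {SSHA} value."""
    scheme, _, encoded = stored.partition("}")
    raw = base64.b64decode(encoded)
    if scheme.upper() == "{MD5":
        return hmac.compare_digest(hashlib.md5(password.encode()).digest(), raw)
    if scheme.upper() == "{SSHA":
        digest, salt = raw[:20], raw[20:]          # SHA-1 digests are 20 bytes; the rest is salt
        return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)
    raise ValueError("unsupported password scheme: " + scheme + "}")


def same_hash_twice(password: str, scheme) -> bool:
    """True when hashing the same password twice yields the same string, i.e. no salt."""
    return scheme(password) == scheme(password)
```

An {SSHA} value for rootpw can also be produced with OpenLDAP's own slappasswd (-h '{SSHA}') instead of this script.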
mark_alec Bodhisattva
Joined: 11 Sep 2004 Posts: 6066 Location: Melbourne, Australia
Posted: Sat May 12, 2007 2:48 am Post subject:
Moved from Networking & Security to Documentation, Tips & Tricks.
_________________
www.gentoo.org.au || #gentoo-au
ruckc n00b
Joined: 10 Jun 2007 Posts: 1
Posted: Sun Jun 10, 2007 6:21 am Post subject: Re: little openldap kickoff howto
endu80 wrote:
dev-libs/openssl-0.9.8e
USE="zlib -bindist -emacs -sse2 -test"
app-crypt/heimdal-0.7.2-r3
USE="berkdb ldap ssl -X -ipv6"
dev-libs/cyrus-sasl-2.1.22-r2
USE="berkdb crypt kerberos ldap pam postgres ssl -authdaemond -gdbm -java -mysql -ntlm_unsupported_patch -sample -srp -urandom"
net-nds/openldap-2.3.35-r1
USE="berkdb crypt kerberos odbc perl readline sasl ssl tcpd -debug -gdbm -ipv6 -minimal -overlays -samba (-selinux) -slp -smbkrb5passwd"
I tried to emerge the above packages, but including ldap in the cyrus-sasl & heimdal packages creates a circular dependency with openldap. Any suggestions?
BigBaaadBob Guru
Joined: 19 Apr 2003 Posts: 342 Location: Swampscott, MA USA
Posted: Fri Jun 15, 2007 2:39 pm Post subject:
Ditto:
Code:
balls ~ # emerge -pv openldap
These are the packages that would be merged, in order:
Calculating dependencies... done!
[nomerge ] dev-libs/cyrus-sasl-2.1.22-r2 USE="berkdb crypt gdbm java kerberos ldap pam ssl -authdaemond -mysql -ntlm_unsupported_patch -postgres -sample -srp -urandom"
[nomerge ] net-nds/openldap-2.3.35-r1 USE="berkdb crypt gdbm ipv6 kerberos odbc perl readline sasl ssl tcpd -debug -minimal -overlays -samba (-selinux) -slp -smbkrb5passwd"
[nomerge ] dev-db/unixODBC-2.2.11-r1 USE="qt3"
[nomerge ] x11-libs/qt-3.3.8-r2 USE="cups gif ipv6 odbc opengl -debug -doc -examples -firebird -immqt -immqt-bc -mysql -nas -nis -postgres -sqlite -xinerama"
[nomerge ] net-print/cups-1.2.10-r1 USE="X dbus jpeg ldap nls pam png ppds ssl tiff -php -samba -slp"
[nomerge ] net-print/foomatic-filters-ppds-20070501
[nomerge ] net-print/foomatic-filters-3.0.20060720 USE="cups"
[nomerge ] app-text/ghostscript-gpl-8.54 USE="X cups emacs gtk -cjk -djvu -jpeg2k"
[nomerge ] x11-libs/gtk+-2.10.11 USE="X jpeg tiff -debug -doc -xinerama"
[nomerge ] x11-libs/cairo-1.4.6 USE="X directfb svg -debug -doc -glitz -xcb"
[nomerge ] dev-libs/DirectFB-0.9.25.1 USE="gif jpeg mmx mpeg png sdl truetype v4l v4l2 zlib -debug -fbcon -fusion -sse -sysfs"
[ebuild N ] media-libs/libsdl-1.2.11-r2 USE="X alsa dga directfb opengl oss svga xv -aalib -arts -esd -fbcon -ggi -libcaca -nas -noaudio -noflagstrip -nojoystick -novideo -xinerama"
[ebuild N ] dev-libs/DirectFB-0.9.25.1 USE="gif jpeg mmx mpeg png sdl truetype v4l v4l2 zlib -debug -fbcon -fusion -sse -sysfs"
[ebuild N ] dev-libs/cyrus-sasl-2.1.22-r2 USE="berkdb crypt gdbm java kerberos ldap pam ssl -authdaemond -mysql -ntlm_unsupported_patch -postgres -sample -srp -urandom"
[ebuild N ] net-nds/openldap-2.3.35-r1 USE="berkdb crypt gdbm ipv6 kerberos odbc perl readline sasl ssl tcpd -debug -minimal -overlays -samba (-selinux) -slp -smbkrb5passwd"
[ebuild N ] dev-db/unixODBC-2.2.11-r1 USE="qt3"
[ebuild N ] x11-libs/qt-3.3.8-r2 USE="cups gif ipv6 odbc opengl -debug -doc -examples -firebird -immqt -immqt-bc -mysql -nas -nis -postgres -sqlite -xinerama"
[ebuild N ] net-print/cups-1.2.10-r1 USE="X dbus jpeg ldap nls pam png ppds ssl tiff -php -samba -slp"
!!! Error: circular dependencies:
('ebuild', '/', 'dev-libs/DirectFB-0.9.25.1', 'merge') depends on
('ebuild', '/', 'media-libs/libsdl-1.2.11-r2', 'merge') (hard)
('ebuild', '/', 'x11-libs/qt-3.3.8-r2', 'merge') depends on
('ebuild', '/', 'net-print/cups-1.2.10-r1', 'merge') (hard)
('ebuild', '/', 'net-nds/openldap-2.3.35-r1', 'merge') depends on
('ebuild', '/', 'dev-db/unixODBC-2.2.11-r1', 'merge') (hard)
('ebuild', '/', 'dev-libs/cyrus-sasl-2.1.22-r2', 'merge') (hard)
('ebuild', '/', 'media-libs/libsdl-1.2.11-r2', 'merge') depends on
('ebuild', '/', 'dev-libs/DirectFB-0.9.25.1', 'merge') (hard)
('ebuild', '/', 'net-print/cups-1.2.10-r1', 'merge') depends on
('ebuild', '/', 'net-nds/openldap-2.3.35-r1', 'merge') (hard)
('ebuild', '/', 'dev-db/unixODBC-2.2.11-r1', 'merge') depends on
('ebuild', '/', 'x11-libs/qt-3.3.8-r2', 'merge') (hard)
('ebuild', '/', 'dev-libs/cyrus-sasl-2.1.22-r2', 'merge') depends on
('ebuild', '/', 'net-nds/openldap-2.3.35-r1', 'merge') (hard)
lelik Tux's lil' helper
Joined: 26 May 2005 Posts: 81 Location: Treasure Island
Posted: Sun Jul 01, 2007 1:58 am Post subject:
Followed your guide, but the step when the daemon creates the new config directory style configuration:
/usr/lib/openldap/slapd -f /etc/openldap/slapd.conf.initial -F /etc/openldap/slapd.d
yields no files in /etc/openldap/slapd.d directory
Any ideas?
klugefoo n00b
Joined: 04 Jul 2007 Posts: 2
Posted: Wed Jul 04, 2007 12:35 am Post subject: "small typo" found
this line:
access to * by group/organizationalRole/roleOccupant="cn=Manager, dc=my,dc=example,dc=com" write by roup/organizationalRole/roleOccupant="cn=Manager, dc=my, dc=example ,dc=com" read by group/organizationalRole/roleOccupant="cn=Manager, dc=my, dc=example ,dc=com" search
should be this (missing g from "roup"):
access to * by group/organizationalRole/roleOccupant="cn=Manager, dc=my,dc=example,dc=com" write by group/organizationalRole/roleOccupant="cn=Manager, dc=my, dc=example ,dc=com" read by group/organizationalRole/roleOccupant="cn=Manager, dc=my, dc=example ,dc=com" search
then slapd.d will have files
lelik Tux's lil' helper
Joined: 26 May 2005 Posts: 81 Location: Treasure Island
Posted: Wed Jul 04, 2007 4:34 am Post subject:
Thanks for the help. Fixing "roup" indeed created files in the slapd.d folder.
However,
Code:
/etc/init.d/slapd start
* Starting ldap-server ... [ !! ]
and
gives
Code:
slapcat startup: initiated.
backend_startup_one: starting "dc=polo"
bdb_db_open: dc=polo
bdb_db_open: dbenv_open(/var/lib/openldap-data)
bdb_db_open: db_open(/var/lib/openldap-data/id2entry.bdb) failed: No such file or directory (2)
====> bdb_cache_release_all
bdb(dc=polo): Unknown locker ID: 0
backend_startup_one: bi_db_open failed! (2)
slap_startup failed
Questions:
1. At what point should id2entry.bdb be created?
2. Is "dc=polo" OK, or should it be "dc=polo, dc=local" for the private domain?
klugefoo n00b
Joined: 04 Jul 2007 Posts: 2
Posted: Wed Jul 04, 2007 11:12 am Post subject:
I'm not too sure of what I'm doing (first time playing around with ldap), but make sure the /var/log/openldap directory is created (it is specified in the DB_CONFIG), and there may be some logged output in /var/log/messages to provide further context on why openldap isn't operating smoothly.
fidel Guru
Joined: 16 Jul 2004 Posts: 407 Location: CH
Posted: Thu Jul 26, 2007 1:51 pm Post subject:
I keep trying and playing around with ldap, but never got it working the way I want it to. Either I leave all access attributes in slapd.conf out, or I (no matter what I set there) don't get any access at all. Since I got it running somehow quite a while ago, I just left it the way it is. Still, since I am not happy with the situation, I am now trying on a test machine to get ldap running the way I would like to.
I followed the steps below but couldn't access it in any manner. So I started over again, and since I understand even less of the new configuration scheme, I used the old one again (/etc/openldap/slapd.conf). Since I really wanted to start over again (I want to find a solution that works, for the main server as well..), I stopped the server and changed the configuration in order to use a bdb database and the old config file /etc/openldap/slapd.conf. Afterwards I deleted the entries in /var/lib/openldap-data/ except for the DB_CONFIG file. Now I can't start the server anymore; I get exactly the same error as lelik:
Code:
#slapcat -d 255
...
slapcat startup: initiated.
backend_startup_one: starting "dc=testcube,dc=nigel"
bdb_db_open: dc=testcube,dc=nigel
bdb_db_open: dbenv_open(/var/lib/openldap-data)
bdb_db_open: db_open(/var/lib/openldap-data/id2entry.bdb) failed: No such file or directory (2)
====> bdb_cache_release_all
bdb(dc=testcube,dc=nigel): Unknown locker ID: 0
backend_startup_one: bi_db_open failed! (2)
slap_startup failed
I know there is no id2entry.bdb anymore, I deleted it. What would I need to do in order to start over with an empty db?
Thanks for any hints!
(I definitely think that the documentation concerning ldap, even the text shown by the ebuild after the installation process, should get updated! It's a mess there; there is even no migrationtools ebuild anymore...)
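The "no access at all" symptom fidel describes follows from how slapd evaluates the access directives in the first post's slapd.conf: directives are tried in order and the first one whose target matches decides, so the leading `access to *` matches every entry and attribute, the later `access to attr=userpassword` and `access to * by self write` directives are never consulted, and any bind that is not a cn=Manager occupant gets the implicit `by * none`. The Python below is an added example (not from the post or any reply) that models that evaluation over the post's rules (with the `roup` typo corrected, each rule on one line as the post itself advises, and the two redundant read/search clauses for the same group dropped) beside a reordered version; the group membership table and user DNs are constructed sample data.

```python
import shlex

LEVELS = ["none", "auth", "compare", "search", "read", "write"]
# Constructed stand-in for roleOccupant of the cn=Manager role (sample DNs only).
GROUPS = {"cn=manager,dc=my,dc=example,dc=com": {"uid=admin,ou=people,dc=my,dc=example,dc=com"}}

# The post's rules in their original order ('roup' corrected, one rule per line),
# then reordered so the specific userpassword rule precedes the catch-all 'access to *'.
PAGE_ACL = """
access to * by group/organizationalRole/roleOccupant="cn=Manager, dc=my,dc=example,dc=com" write
access to attr=userpassword by self write by group="cn=Manager,dc=my,dc=example,dc=com" write
access to * by self write
"""
FIXED_ACL = """
access to attr=userpassword by self write by group="cn=Manager,dc=my,dc=example,dc=com" write
access to * by group="cn=Manager,dc=my,dc=example,dc=com" write by self write
"""

def norm(dn):
    """Lower-case a DN and drop the spaces after commas so both spellings compare equal."""
    return ",".join(p.strip() for p in dn.lower().split(","))

def parse(text):
    """Split each 'access to' directive into (<what>, [(<who>, <level>), ...]), order kept."""
    rules = []
    for line in text.strip().splitlines():
        tok = shlex.split(line)                     # shlex keeps the quoted DNs whole
        if tok[:2] == ["access", "to"]:
            rules.append((tok[2], [(tok[i + 1], tok[i + 2]) for i in range(3, len(tok), 3)]))
    return rules

def who_matches(who, bound_dn, target_dn):
    if who == "*":
        return True
    if bound_dn is None:                            # anonymous bind: nothing below can match
        return False
    if who == "self":
        return norm(bound_dn) == norm(target_dn)
    # group=... and group/objectClass/attr=... both name the group entry after the first '='
    return who.startswith("group") and norm(bound_dn) in GROUPS.get(norm(who.split("=", 1)[1]), set())

def granted(acl, bound_dn, target_dn, attr, needed):
    """slapd semantics: first directive whose <what> matches decides, then its first matching <who>."""
    for what, clauses in parse(acl):
        if what == "*" or (what.startswith("attr=") and attr.lower() in what[5:].lower().split(",")):
            for who, level in clauses:
                if who_matches(who, bound_dn, target_dn):
                    return LEVELS.index(level) >= LEVELS.index(needed)
            return False                            # implicit trailing 'by * none'
    return False                                    # no directive matched: defaultaccess none
```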