Archive for September, 2006

Command to set the password on an account:

ldappasswd -S -x -H ldap://ibmprint.uchicago.edu -D "cn=Manager,dc=ibmprint,dc=uchicago,dc=edu" -W "uid=user1,dc=ibmprint,dc=uchicago,dc=edu"

The entire reason for installing ldap was to be able to use it to set up users on one machine and have them be available on all others. Keeping /etc/passwd and /etc/shadow files up-to-date has been a hassle. So, on our server, I have created some dummy users, user2, user3, user4 and user5. I want to be able to login to our client computer using their credentials.
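The step the post is leading up to is turning entries from /etc/passwd and /etc/shadow into the passwd.ldif that ldapadd loads. The converter below is an added example, not a script from the post; it follows the post's layout of putting each user directly under dc=ibmprint,dc=uchicago,dc=edu (uid=user2,dc=...). The two input lines and their hashes are constructed, not real accounts. Locked accounts ("!!" or "*" in shadow) get no userPassword, so they cannot bind.

```python
"""Convert /etc/passwd + /etc/shadow lines into posixAccount LDIF entries."""
import base64

BASE_DN = "dc=ibmprint,dc=uchicago,dc=edu"   # base DN used throughout the post

# Constructed sample input: two of the dummy users from the post.
# The hash is made up and is not a real credential.
SAMPLE_PASSWD = (
    "user2:x:1002:1002:Test User Two:/home/user2:/bin/bash\n"
    "user3:x:1003:1003:Test User Three:/home/user3:/bin/bash\n"
)
SAMPLE_SHADOW = (
    "user2:$1$Zm9vYmFy$0123456789abcdefghijkl:13400:0:99999:7:::\n"
    "user3:!!:13400:0:99999:7:::\n"   # "!!" means locked: no usable password
)


def ldif_attr(name, value):
    """Format one attribute line; base64-encode values LDIF cannot carry literally."""
    value = str(value)
    needs_b64 = (
        value == ""
        or value[0] in " :<"
        or value.endswith(" ")
        or any(ord(c) > 126 or c in "\r\n\0" for c in value)
    )
    if needs_b64:
        return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{name}: {value}"


def parse_passwd(text):
    """Parse /etc/passwd lines into dicts (comments and blank lines skipped)."""
    users = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, gid, gecos, home, shell = line.split(":", 6)
        users.append(dict(name=name, uid=int(uid), gid=int(gid),
                          gecos=gecos, home=home, shell=shell))
    return users


def parse_shadow(text):
    """Parse /etc/shadow into {name: {hash, lastchange, min, max, warn}}."""
    info = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        f = (line.split(":") + [""] * 9)[:9]
        info[f[0]] = dict(hash=f[1], lastchange=f[2], min=f[3], max=f[4], warn=f[5])
    return info


def is_locked(pw_hash):
    """Shadow conventions for an account that must not be able to log in."""
    return pw_hash in ("", "*", "!", "!!") or pw_hash.startswith("!")


def user_to_ldif(u, sh):
    """One LDIF entry: account + posixAccount (+ shadowAccount when shadow data exists)."""
    lines = [
        ldif_attr("dn", f"uid={u['name']},{BASE_DN}"),
        ldif_attr("objectClass", "top"),
        ldif_attr("objectClass", "account"),
        ldif_attr("objectClass", "posixAccount"),
        ldif_attr("objectClass", "shadowAccount"),
        ldif_attr("uid", u["name"]),
        ldif_attr("cn", u["gecos"].split(",")[0] or u["name"]),   # full name part of GECOS
        ldif_attr("uidNumber", u["uid"]),
        ldif_attr("gidNumber", u["gid"]),
        ldif_attr("homeDirectory", u["home"]),
        ldif_attr("loginShell", u["shell"]),
    ]
    if sh is not None:
        if not is_locked(sh["hash"]):
            # slapd verifies {CRYPT} hashes with crypt(3), so the existing hash is reused as-is
            lines.append(ldif_attr("userPassword", "{CRYPT}" + sh["hash"]))
        for attr, key in (("shadowLastChange", "lastchange"), ("shadowMin", "min"),
                          ("shadowMax", "max"), ("shadowWarning", "warn")):
            if sh[key]:
                lines.append(ldif_attr(attr, sh[key]))
    return "\n".join(lines) + "\n"


def passwd_to_ldif(passwd_text, shadow_text):
    """Whole-file conversion; entries are separated by a blank line as LDIF requires."""
    shadow = parse_shadow(shadow_text)
    return "\n".join(user_to_ldif(u, shadow.get(u["name"])) for u in parse_passwd(passwd_text))


if __name__ == "__main__":
    print(passwd_to_ldif(SAMPLE_PASSWD, SAMPLE_SHADOW))
```

The resulting file is loaded with the same ldapadd -f passwd.ldif command the post uses. Because the {CRYPT} hashes travel inside the LDIF, do the load over ldaps:// or with -ZZ rather than plain ldap://, and keep the generated file mode 600 until it is deleted.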

On the client, run authconfig. Under “User Information” turn on “Use LDAP”. Under “Authentication”, turn on “Use LDAP Authentication”. On the next screen, turn on “Use TLS”, put the ip address of the server on the next line and for the Base DN, use dc=ibmprint,dc=uchicago,dc=edu. Then ok.

First problem, authconfig doesn’t end. The window closes, but I don’t get the prompt back. I had to Ctrl-C to get the prompt back. I’m sure this is a problem. I didn’t wait long enough. It takes around two minutes. If you close it early, ldap authentication won’t work.

While working on the machine that is running the ldap server, I tried to add a user. This is after I got tls working. The only command that worked was:

ldapadd -H ldap://ibmprint.uchicago.edu -x -D "cn=Manager,dc=ibmprint,dc=uchicago,dc=edu" -W -f passwd.ldif

If I used ldaps:// in the command above, it didn’t work. I get the error, can’t contact ldap server…SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

This doesn’t appear to be a problem, because when working on the ldap server, nothing goes out over the network, so I don’t need to worry whether it’s encrypted or not.

I got openldap and tls working, using the following ldap.conf file.
———————————————-
BASE dc=ibmprint,dc=uchicago,dc=edu
URI ldap://ibmprint.uchicago.edu ldaps://ibmprint.uchicago.edu:636

HOST 127.0.0.1

LogLevel -1
ssl start_tls
tls_cacertfile /usr/share/ssl/certs/ca-bundle.cert
tls_cacertdir /usr/share/ssl/certs
—————————————
I then opened up ethereal and watched all packets between the server and my laptop. On my laptop, I gave this command:

ldapadd -H ldaps://ibmprint.uchicago.edu -x -D "cn=Manager,dc=ibmprint,dc=uchicago,dc=edu" -W -f test.ldif

In ethereal, I could see that TLS was started and everything was encrypted.
——————
Can test which mechanisms are available with:
ldapsearch -H ldap://ibmprint.uchicago.edu -x -b "" -s base -LLL -ZZ supportedSASLMechanisms

ldapsearch -H ldaps://ibmprint.uchicago.edu -x -b "" -s base -LLL supportedSASLMechanisms
——————————–
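The two ldapsearch commands above print the root DSE with one supportedSASLMechanisms line per mechanism. What matters when deciding which to allow is whether a mechanism hands the server the password itself (PLAIN, LOGIN, and simple bind with -x) or only a challenge response or ticket (DIGEST-MD5, CRAM-MD5, GSSAPI), and whether the session is encrypted (ldaps://, or ldap:// with -ZZ). The audit below is an added example, not part of the post; the LDIF output it parses is a constructed sample in the -LLL format, not captured from ibmprint.

```python
"""Check the advertised SASL mechanisms against the transport a client would use."""

# Constructed sample of -LLL output from the supportedSASLMechanisms query.
SAMPLE_ROOTDSE = """dn:
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: GSSAPI

"""

# Mechanisms that transmit the password itself rather than a proof of knowing it.
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}


def parse_rootdse(ldif_text):
    """Return the supportedSASLMechanisms values, honouring LDIF line folding."""
    unfolded = []
    for line in ldif_text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # continuation of the previous line
        else:
            unfolded.append(line)
    return [line.split(":", 1)[1].strip()
            for line in unfolded
            if line.lower().startswith("supportedsaslmechanisms:")]


def transport_is_encrypted(uri, start_tls):
    """ldaps:// is TLS from the start; ldap:// is encrypted only after StartTLS (-ZZ)."""
    scheme = uri.split("://", 1)[0].lower()
    if scheme == "ldaps":
        return True
    if scheme == "ldap":
        return bool(start_tls)
    raise ValueError(f"unsupported URI scheme: {scheme}")


def audit_bind_options(ldif_text, uri, start_tls=False, simple_bind=False):
    """Map each bind option to 'ok' or 'password-in-clear' for the given transport."""
    encrypted = transport_is_encrypted(uri, start_tls)
    report = {}
    for mech in parse_rootdse(ldif_text):
        exposed = mech.upper() in CLEARTEXT_MECHS and not encrypted
        report[mech] = "password-in-clear" if exposed else "ok"
    if simple_bind:
        # -x with -W puts the password in the BindRequest itself
        report["simple (-x)"] = "ok" if encrypted else "password-in-clear"
    return report


if __name__ == "__main__":
    for name, state in audit_bind_options(SAMPLE_ROOTDSE, "ldap://ibmprint.uchicago.edu",
                                          start_tls=False, simple_bind=True).items():
        print(f"{name:12} {state}")
```

Run against the real output of the post's ldapsearch, this flags PLAIN, LOGIN and simple bind whenever the client would connect over bare ldap:// without -ZZ, which is exactly the situation the "allow only TLS connections" step below is meant to rule out. "ok" here only means the password is not sent in the clear; the challenge/response mechanisms still benefit from TLS.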

Next step is to allow only TLS connections and to see if user logins will work with ldap.

To add data:
ldapadd -x -D "cn=Manager,dc=ibmprint,dc=uchicago,dc=edu" -W -f base.ldif

To show everything in the database:
ldapsearch -x -b dc=ibmprint,dc=uchicago,dc=edu

This also works when on a different machine:
ldapsearch -H ldap://ibmprint.uchicago.edu -x -b 'dc=ibmprint,dc=uchicago,dc=edu'

This is all unencrypted.

ldapadd -H ldap://ibmprint.uchicago.edu -x -D "cn=Manager,dc=ibmprint,dc=uchicago,dc=edu" -W -f base.ldif

I decided to install a newer version of RHEL (RHEL4 update 4) on the machine that I was using to learn openldap. I can now follow the instructions from redhat for getting tls working with ldap.

in /usr/share/ssl/certs, edit Makefile so that pem files are good for 10 years (3650 days) instead of 1 year.

make slapd.pem (and fill in the values as needed)

Somehow, I missed installing the openldap-servers…rpm, so I just installed it.

Edit /etc/openldap/slapd.conf and edit the dc lines to reflect our machine.

Edit /etc/openldap/ldap.conf and edit the dc lines to reflect our machine.

Edit /etc/syslog.conf to put LOCAL4.* to /var/log/ldap.log

Start ldap and it works without TLS. Now, need to get TLS going.

Configure options:

--prefix=/var/openldap    home will be in /var/openldap
--enable-spasswd          enable Cyrus SASL password verification
--with-tls                include TLS support
--with-cyrus-sasl         include Cyrus SASL support

Got an error that it couldn’t find ssl.

Set this environment variable first:

setenv CPPFLAGS "-I/usr/include -I/usr/kerberos/include -I/usr/include/openssl"
——————————————————-
Next error is “BerkeleyDB version incompatible”

In config.log, it says:
checking Berkeley DB version for BDB/HDB backends
result: no
error: BDB/HDB: BerkeleyDB version incompatible

Could it be that the rpm doesn’t have the backends included?

In the log, the error message is TLS negotiation failure. No matter what I’ve tried, I always get this error. Since I just installed openldap from an rpm from redhat, I have no idea how this was compiled. So, I’m going to remove the rpm and recompile openldap from the beginning. This way I can be sure that I have support for tls, sasl and anything else I might want.

To get the ldap logging to work, added the following to /etc/syslog.conf.

# Save ldap log messages to ldap.log
local4.* /var/log/ldap.log

Then, restart syslogd.

I've exported the big disk on the server to everyone on the subnet. I've also mounted our old exported disks and am starting to copy data over. So, if the new RAID system is mounted under /net and our old disks are mounted under /edg, I can copy files with this command:

in /edg/sw,
find IHP -print|cpio -dupmV /net/sw

Now I just have to do this for all of our data.