Setting up OpenLDAP

Bob Hall rjhjr at cox.net
Sat Jul 26 08:02:07 PDT 2003


On Sat, Jul 26, 2003 at 12:08:48PM +0100, Matthew Seaman wrote:
> On Sat, Jul 26, 2003 at 02:13:28AM -0400, Bob Hall wrote:
> > OpenLDAP 2.1.22, FBSD 4.8
> > 
> > I'm trying to set up LDAP to store passwords. Eventually I will 
> > want to store addresses and do general authentication, but right 
> > now I just want to do something really simple: add passwords.
> 
> While you can run OpenLDAP servers on FreeBSD 4.8 quite happily, you
> won't be able to have the FreeBSD 4.8 system be a full blown client of
> the LDAP server itself.  For that, you will need to upgrade to 5.1
> where you can install the net/nss_ldap as well as the
> security/pam_ldap port.
>  
> > I installed from the ports using portinstall, couldn't get it to 
> > work, and went back and reinstalled doing
> > 	# make depend
> > 	# make
> > 	# make test 
> > The install didn't fail any of the tests, although make kept looping
> > through the tests until I hit ^C. But I still have the same problems. 
> > If anyone has succeeded in installing OpenLDAP from the ports, I'd 
> > be grateful for any pointers.
> 
> It's generally best to install using ports as that gets you any
> FreeBSD specific tweaks that have to be made, rather than following
> the generic Unix install instructions from the software writers.

I guess what I wrote above wasn't clear. I've installed from the ports.
 
> However, once the software is installed, you still need to follow the
> OpenLDAP installation guide for configuring the server.  If you're
> working from http://www.openldap.org/doc/admin21/quickstart.html, then
> the ports installation effectively gives you steps 1 -- 7, and you can
> jump to step 8 directly.

Yes, I'm aware of that. I'm following the instructions in the Quick Start 
Guide, as I explained below.
 
> You would be well advised to read through section 5 of the admin
> guide: http://www.openldap.org/doc/admin21/slapdconfig.html so that
> you can gain a deeper understanding of what the instructions in
> section 8 of the quick start guide actually do.

I've already read that. There's nothing that suggests why I'm 
unable to follow the Quick Start instructions.
 
> > I'm trying to do the Quick Install described at www.openldap.org. The 
> > first problem is that the doc claims that this is supposed to be a 
> > non-referring set up, which is what I want, but OpenLDAP complains that 
> > there's no referral. So I've uncommented the referral line in slapd.conf. 
> > But attempts to add records still fail. 
> > 
> > When I do search prior to adding records, I get
> > # /usr/local/bin/ldapsearch -x -b '' -s base '(objectclass=*)'
> > 	dn:
> > 	objectClass: top
> > 	objectClass: OpenLDAProotDSE
> > When I try to add records without a referral, I get 
> > # ldapadd -x -v -D "cn=Manager,dc=domain,dc=net" -W -f domain.ldif
> > 	additional info: referral missing
> > With the referral, I get
> > 	ldapadd: update failed: dc=domain, dc=net   objectclass: dcObject   
> > 		objectclass: organization   o: SNAFU   
> > 		dc: domain 
> > 	ldap_add: Referral (10)
> >        		referrals:
> >                 	ldap://root.openldap.org/dc=domain,dc=net%20%20%20objectclass:%20dcObject%20%20%20objectclass:%20organization%20%20%20o:%20SNAFU%20%20%20dc:%20domain
> > 
> > Configuration
> > # less slap.conf
> > include         /usr/local/etc/openldap/schema/core.schema
> > referral       ldap://root.openldap.org
> > pidfile         /var/run/ldap/slapd.pid
> > argsfile        /var/run/ldap/slapd.args
> > database        bdb
> > suffix          "dc=domain, dc=net"
> > rootdn          "cn=Manager, dc=domain, dc=net"
> > rootpw          <md5 hash>
> > directory       /var/db/openldap-data
> > index   objectClass     eq
> > 
> > # less domain.ldif
> > dn: dc=domain, dc=net
> >     objectclass: dcObject
> >     objectclass: organization
> >     o: SNAFU
> >     dc: domain
> > dn: cn=Manager, dc=domain, dc=net
> >     objectclass: organizationalRole
> >     cn: Manager
> 
> What's the BASE setting in /usr/local/etc/openldap/ldap.conf ? That
> will set the default dn where clients search for data.  As it is, your
> slapd.conf says that it serves the dn appropriate for 'domain.net' 

The default should be my LDAP server. I don't want my server to make 
any referrals. According to the OpenLDAP website, following the Quick 
Start instructions sets up OpenLDAP with no referrals. The instructions 
say to use your domain name. "domain" is a substitute for my domain name, 
which is what is in my slapd.conf file. Why would it matter? The server 
isn't supposed to be doing any referrals.
 
> The other question is what security settings have you entered into
> slapd.conf ?  The default security setting is 'Allow read by all' and
> only the rootdn can write anywhere.  

I haven't made any changes to the security settings. Since I'm following 
the Quick Start instructions, I've made only the changes described in 
the Quick Start instructions. My immediate goal is to insert the record 
described in the Quick Start instructions. Once I'm able to do that, I 
can worry about altering the configuration.

Bob Hall
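An added illustration of the domain.ldif failure quoted in this thread (my own code, not OpenLDAP's and not from the mail): a minimal LDIF reader that applies the RFC 2849 rule that a line beginning with a space continues the previous line. Fed the file exactly as posted, it produces the folded dn that appears verbatim in the "ldapadd: update failed" output, and its suffix check (a naive approximation of slapd's database selection, with SUFFIX taken from the posted slapd.conf) shows why that dn falls outside the server's suffix; the flush-left version with a blank line between entries passes.

```python
import re
SUFFIX = "dc=domain, dc=net"   # suffix from the posted slapd.conf

# domain.ldif as posted: attribute lines indented by four spaces
POSTED_LDIF = (
    "dn: dc=domain, dc=net\n    objectclass: dcObject\n"
    "    objectclass: organization\n    o: SNAFU\n    dc: domain\n"
    "dn: cn=Manager, dc=domain, dc=net\n"
    "    objectclass: organizationalRole\n    cn: Manager\n"
)
# Same entries, attributes flush-left, blank line between the entries
FIXED_LDIF = (
    "dn: dc=domain,dc=net\nobjectclass: dcObject\nobjectclass: organization\n"
    "o: SNAFU\ndc: domain\n\n"
    "dn: cn=Manager,dc=domain,dc=net\nobjectclass: organizationalRole\n"
    "cn: Manager\n"
)

def unfold(text):
    # RFC 2849: a leading space marks a continuation of the previous line
    # (the one space is dropped, the rest is appended to that line).
    logical = []
    for line in text.splitlines():
        if line.startswith(" ") and logical:
            logical[-1] += line[1:]
        else:
            logical.append(line)
    return logical

def parse(text):
    # Records are separated by blank lines; each is a list of (attr, value).
    records, current = [], []
    for line in unfold(text) + [""]:
        if not line.strip():
            if current:
                records.append(current)
            current = []
            continue
        attr, _, value = line.partition(":")
        current.append((attr.strip().lower(), value.strip()))
    return records

def check(text, suffix=SUFFIX):
    # (dn, ok) per record; ok means exactly one dn lying under the suffix.
    # A dn slapd cannot place in any database is answered with the global
    # 'referral' directive, which is the Referral (10) shown in the thread.
    norm = lambda dn: re.sub(r"\s*,\s*", ",", dn.strip()).lower()
    out = []
    for rec in parse(text):
        dns = [v for a, v in rec if a == "dn"]
        dn = dns[0] if dns else ""
        out.append((dn, len(dns) == 1 and norm(dn).endswith(norm(suffix))))
    return out
```

Note that the posted file also lacks a blank line between the two entries, so even with the indentation removed both dn lines would land in one record; check() flags that case as well.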


More information about the freebsd-questions mailing list