
Configuring LDAP on a private address range

  • 26-08-2005 9:42am
    #1
    Registered Users, Registered Users 2 Posts: 2,834 ✭✭✭


    Hi there,
    Just starting out with LDAP.
    I want to use it initially to provide a global address book with the office.

    My first problem is that all the examples that I can find use a domain for the dn entry (e.g. dc=example, dc=com).

    I want to run the LDAP server on an internal IP that doesn't have any DNS entry.
    I have tried something like (dc=192, dc=168, dc=1, dc=x) where this is the IP of the machine in question, but I've had no luck.

    In ldap.conf it looks for a base url etc so I'm not sure what the story is.

    Any help appreciated.


Comments

  • Closed Accounts Posts: 96 ✭✭krinDar


    air wrote:
    My first problem is that all the examples that I can find use a domain for the dn entry (e.g. dc=example, dc=com).

    I want to run the LDAP server on an internal IP that doesn't have any DNS entry.
    I have tried something like (dc=192, dc=168, dc=1, dc=x) where this is the IP of the machine in question, but I've had no luck.

    AIUI the rootdn that you use does not have to be a FQDN unless you are
    integrating with DNS, which in this case you probably are not.

    Is this Openldap or something else ?


  • Registered Users, Registered Users 2 Posts: 1,726 ✭✭✭gerryk


    The base dn is no more than a hierarchically arranged name... it doesn't have to be a domain, although this allows for more logical organisation in a large LDAP setup.
    The server location is configured in /etc/ldap.conf and various confs in /etc/ldap/
    This is for OpenLDAP, though... not sure about any others like NS.


  • Registered Users, Registered Users 2 Posts: 2,834 ✭✭✭air


    It's openldap alright, I think my problems are actually due to the backend database.
    Good to hear I don't need an FQDN, I'll have another look at it on Monday.

    Can I use anything I want for the dn entry then?
    Thanks lads.


  • Closed Accounts Posts: 96 ✭✭krinDar


    air wrote:
    It's openldap alright, I think my problems are actually due to the backend database.

    Did you get any errors ? Or just not working ?
    Can I use anything I want for the dn entry then?

    Yes, anything at all.


  • Registered Users, Registered Users 2 Posts: 2,834 ✭✭✭air


    Ok, I'm trying to get a basic address book set up as in the tutorial on the onlamp website

    I'm using Suse 9.1 X86_64 and openldap.

    LDAP.CONF
    ###################################
    #
    # LDAP Defaults
    #

    # See ldap.conf(5) for details
    # This file should be world readable but not world writable.

    #BASE dc=example, dc=com
    #URI ldap://ldap.example.com ldap://ldap-master.example.com:666

    #SIZELIMIT 12
    #TIMELIMIT 15
    #DEREF never
    TLS_REQCERT allow
    ##############################################

    SLAPD.CONF
    #######################################################################
    #
    # See slapd.conf(5) for details on configuration options.
    # This file should NOT be world readable.
    #
    include /etc/openldap/schema/core.schema
    include /etc/openldap/schema/cosine.schema
    include /etc/openldap/schema/inetorgperson.schema
    include /etc/openldap/schema/rfc2307bis.schema
    include /etc/openldap/schema/yast.schema

    # Define global ACLs to disable default read access.

    # Do not enable referrals until AFTER you have a working directory
    # service AND an understanding of referrals.
    #referral ldap://root.openldap.org

    pidfile /var/run/slapd/slapd.pid
    argsfile /var/run/slapd/slapd.args

    # Load dynamic backend modules:
    modulepath /usr/lib/openldap/modules
    # moduleload back_ldap.la
    # moduleload back_meta.la
    # moduleload back_monitor.la
    # moduleload back_perl.la

    # Sample security restrictions
    # Require integrity protection (prevent hijacking)
    # Require 112-bit (3DES or better) encryption for updates
    # Require 63-bit encryption for simple bind
    # security ssf=1 update_ssf=112 simple_bind=64

    # Sample access control policy:
    # Root DSE: allow anyone to read it
    # Subschema (sub)entry DSE: allow anyone to read it
    # Other DSEs:
    # Allow self write access to user password
    # Allow anonymous users to authenticate
    # Allow read access to everything else
    # Directives needed to implement policy:
    access to dn.base=""
    by * read

    access to dn.base="cn=Subschema"
    by * read

    access to attr=userPassword,userPKCS12
    by self write
    by * auth

    access to attr=shadowLastChange
    by self write
    by * read

    access to *
    by * read

    # if no access controls are present, the default policy
    # allows anyone and everyone to read anything but restricts
    # updates to rootdn. (e.g., "access to * by * read")
    #
    # rootdn can always read and write EVERYTHING!

    #######################################################################
    # bdb database definitions
    #######################################################################

    database bdb
    checkpoint 1024 5
    cachesize 10000
    suffix "dc=example,dc=com"
    rootdn "cn=Manager,dc=example,dc=com"
    # Cleartext passwords, especially for the rootdn, should
    # be avoid. See slappasswd(8) and slapd.conf(5) for details.
    # Use of strong authentication encouraged.
    rootpw secret
    # The database directory MUST exist prior to running slapd AND
    # should only be accessible by the slapd and slap tools.
    # Mode 700 recommended.
    directory /var/lib/ldap
    # Indices to maintain
    index objectClass eq
    #######################################################################

    DIRECTORY.LDIF
    #######################################################################
    dn: dc=example, dc=com
    objectClass: top
    objectClass: dcObject
    objectClass: organization
    dc: example
    o: My Organisation Name
    dn: ou=addressbook, dc=example, dc=com
    objectClass: top
    objectClass: organizationalUnit
    ou: addressbook
    #######################################################################



    When I run "ldapadd -D 'dc=example, dc=com' -f directory.ldif -W"
    it prompts me for the password (secret) which I enter, then it says

    "lapd_sasl_interactive_bind_s: No such attribute(16)"

    I suspect it may have something to do with me not having done anything with the bdb backend database?
    Do I have to initialise it first or something?


  • Closed Accounts Posts: 96 ✭✭krinDar


    air wrote:
    When I run "ldapadd -D 'dc=example, dc=com' -f directory.ldif -W"
    it prompts me for the password (secret) which I enter, then it says

    "lapd_sasl_interactive_bind_s: No such attribute(16)"

    It appears to be using SASL to connect, and you have not configured that yet. Try adding the '-x' argument to the ldapadd command. This will force it to use "Simple" authentication, i.e just use the password.
    I suspect it may have something to do with me not having done anything with the bdb backend database?
    Do I have to initialise it first or something?

    No, LDAP should take care of all of that for you.


  • Registered Users, Registered Users 2 Posts: 2,834 ✭✭✭air


    When I run "ldapadd -D 'dc=example, dc=com' -f directory.ldif -W -x"

    It replies prompting me for the LDAP password, then it says:
    ldap_bind: Invalide Credentials (49)


  • Closed Accounts Posts: 96 ✭✭krinDar


    air wrote:
    It replies prompting me for the LDAP password, then it says:
    ldap_bind: Invalide Credentials (49)

    The -D argument is incorrect, you are not telling LDAP who you want to connect as. Try:

    ldapadd -D 'cn=Manager,dc=example, dc=com' -f directory.ldif -W -x


  • Registered Users, Registered Users 2 Posts: 2,834 ✭✭✭air


    Hi krinDar,
    Thanks for the reply, I've just tried that though & it's still giving the same Invalid Credentials error..


  • Closed Accounts Posts: 96 ✭✭krinDar


    air wrote:
    I've just tried that though & it's still giving the same Invalid Credentials error..

    Ok. I cannot see any problem with what you have, so perhaps it is time to turn on all debugging (set the loglevel to -1 in slapd.conf), restart slapd, try and connect again and have a look at the logs.


  • Registered Users, Registered Users 2 Posts: 2,834 ✭✭✭air


    Ok, it's now giving:

    adding new entry "dc=example, dc=com"
    ldap_add: Undefined attribute type(17)
    additional info: dn: attribute type undefined


  • Closed Accounts Posts: 96 ✭✭krinDar


    air wrote:
    Ok, it's now giving:

    adding new entry "dc=example, dc=com"
    ldap_add: Undefined attribute type(17)
    additional info: dn: attribute type undefined

    Good, that means that you are now authenticating properly and the next problem is in your ldif.

    Looking at the ldif, the most likely problem is that you are not leaving an empty line between the entries, you want:
    dn: dc=example, dc=com
    objectClass: top
    objectClass: dcObject
    objectClass: organization
    dc: example
    o: My Organisation Name
    
    dn: ou=addressbook, dc=example, dc=com
    objectClass: top
    objectClass: organizationalUnit
    ou: addressbook
    

    Note the empty line before the second dn.
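    To make the failure mode above concrete, here is an added example (not from the thread) of a minimal LDIF record splitter in Python: it separates records on empty lines, unfolds continuation lines and skips comments, and when run over the posted directory.ldif it shows the second "dn:" landing inside the first record, which is exactly what slapd rejects as an undefined attribute type. Both inputs are constructed from the LDIF in the thread.

```python
from typing import Dict, List

# Constructed input: the thread's directory.ldif as posted (no blank line
# between the two records) and the corrected version with the separator.
LDIF_BROKEN = """dn: dc=example, dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
dc: example
o: My Organisation Name
dn: ou=addressbook, dc=example, dc=com
objectClass: top
objectClass: organizationalUnit
ou: addressbook
"""
LDIF_FIXED = LDIF_BROKEN.replace("\ndn: ou=", "\n\ndn: ou=")


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Split LDIF into blank-line separated records of attribute -> values."""
    unfolded: List[str] = []
    for line in text.splitlines():
        if line.startswith("#"):                 # comment line
            continue
        if line.startswith(" ") and unfolded:    # folded continuation line
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    records: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in unfolded + [""]:                 # trailing "" flushes last record
        if line == "":
            if current:
                records.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    return records


def check_records(records: List[Dict[str, List[str]]]) -> List[str]:
    """Flag what slapd rejects: a record whose body carries a second 'dn'."""
    problems = []
    for rec in records:
        dns = rec.get("dn", [])
        if len(dns) != 1:
            problems.append(f"record has {len(dns)} dn lines: {dns}")
    return problems
```

Running check_records over parse_ldif(LDIF_BROKEN) reports one record with two dn lines, while LDIF_FIXED yields two clean records.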


  • Registered Users, Registered Users 2 Posts: 2,834 ✭✭✭air


    Good man yourself, that sorted it.
    The onlamp.com example never actually posts the entire ldif, it just shows sections, so I was unaware as to how to format it.

    Now to delete that entry, create a real one & actually start using it!

    Thanks again.


  • Hosted Moderators Posts: 7,486 ✭✭✭Red Alert


    Forget SASL unless you're paranoid. SSL/TLS is actually a lot easier to set up. Just set the example.com style domain you use internally as dc=example,dc=com.

