Step 1: First we need to install the required packages:
#yum install openldap-servers migrationtools
Step 2: As the configuration for LDAP is stored inside the LDAP server itself, the configuration has to be done by editing LDIF files under the /etc/openldap/slapd.d/ directory.
Now create the LDAP admin password:
#slappasswd
You'll get something like "{SSHA}r2or9f2vYlvieCu0LP6wTnSdYfrddsuV" as a result. This is the string we will have to add to the bdb.ldif config file.
# vim /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{1\}bdb.ldif
Substitute the default suffix dc=my-domain,dc=com with your own (dc=yourdomain,dc=com):
:%s/dc=my-domain,dc=com/dc=yourdomain,dc=com/g
Step 3: We now set the admin password and specify the location of our encryption certificate and key.
Add these 3 lines at the end of the bdb.ldif file:
olcRootPW: {SSHA}r2or9f2vYlvieCu0LP6wTnSdYfrddsuV
olcTLSCertificateFile: /etc/pki/tls/certs/slapdcert.pem
olcTLSCertificateKeyFile: /etc/pki/tls/certs/slapdkey.pem
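To check that the {SSHA} value pasted into olcRootPW really corresponds to the password typed into slappasswd, here is an added example (not part of the original tutorial) that reproduces the scheme: slappasswd's default {SSHA} is base64(SHA-1(password + salt) + salt) with a 4-byte salt, so the hash can be verified offline. The function names and the sample password are this example's own choices.

```python
"""Check an OpenLDAP {SSHA} password hash offline (added example, not from the
tutorial). slappasswd's default scheme stores base64(SHA-1(password + salt) + salt),
so the value pasted into olcRootPW can be verified against the intended password
before chasing "ldap_bind: Invalid credentials (49)". Function names and the
sample password are this example's own choices."""
import base64
import hashlib
import hmac
import os

def split_ssha(stored):
    """Decode an {SSHA} value into (digest, salt). SHA-1 digests are 20 bytes;
    whatever follows is the salt (4 bytes for slappasswd output)."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value: " + stored[:8])
    raw = base64.b64decode(stored[len("{SSHA}"):])
    return raw[:20], raw[20:]

def make_ssha(password, salt=None):
    """Produce an {SSHA} string the way slappasswd does; random 4-byte salt unless given."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def verify_ssha(password, stored):
    """True if password matches the stored {SSHA} value (constant-time compare)."""
    digest, salt = split_ssha(stored)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)

if __name__ == "__main__":
    # Round trip with a constructed sample password; the salt is random each run.
    sample = make_ssha("secret")
    print(sample, verify_ssha("secret", sample), verify_ssha("wrong", sample))
```

{SSHA} is a salted but unstretched SHA-1 hash, so it only protects a strong root password; treat bdb.ldif as a sensitive file.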
Step 4: Now we have to specify the monitoring privileges
#vim /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}monitor.ldif
Again, we have to replace the default domain name with our domain name:
:%s/cn=manager,dc=my-domain,dc=com/cn=Manager,dc=yourdomain,dc=com/g
Step 5: Now it's time for the database cache:
#updatedb
#cp /usr/share/doc/openldap-servers-2.4.19/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
(On some RHEL 6 builds the file lives at /usr/share/openldap-servers/DB_CONFIG.example instead; adjust the source path accordingly.)
#chown -Rf ldap:ldap /var/lib/ldap/
Step 6: Now we will need to set up a certificate for TLS. First we need to edit /etc/sysconfig/ldap and change SLAPD_LDAPS from no to yes.
#vi /etc/sysconfig/ldap
SLAPD_LDAPS=yes
Now we can create the certificate:
#openssl req -new -x509 -nodes -out /etc/pki/tls/certs/slapdcert.pem -keyout /etc/pki/tls/certs/slapdkey.pem -days 365
This creates the self-signed certificate and its private key in the /etc/pki/tls/certs/ directory. We need to make them readable for the ldap user (via the ldap group) while keeping the key unreadable to everyone else:
# chown root:ldap /etc/pki/tls/certs/slapdcert.pem /etc/pki/tls/certs/slapdkey.pem
# chmod 750 /etc/pki/tls/certs/slapdkey.pem
Step 7: Time to test our configuration
# slaptest -u
config file testing succeeded
Step 8: Start the ldap server
#service slapd start
Let's check if our LDAP server really works:
#ldapsearch -x -b "dc=yourdomain,dc=com"
If the output contains a line "search: 2" then you're on track!
Step 9: Configure the base domain
#vi base.ldif
dn: dc=yourdomain,dc=com
dc: yourdomain
objectClass: top
objectClass: domain

dn: ou=People,dc=yourdomain,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=yourdomain,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit
Each entry must be separated from the next by a blank line, and the suffix must match the one configured in bdb.ldif (dc=yourdomain,dc=com). Now we import our base information into the LDAP directory:
#ldapadd -x -W -D "cn=Manager,dc=yourdomain,dc=com" -f base.ldif
Step 10: Let's migrate the users
Go to the directory /usr/share/migrationtools and edit the file migrate_common.ph:
# vim /usr/share/migrationtools/migrate_common.ph
Set:
# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "yourdomain.com";
# Default base
$DEFAULT_BASE = "dc=yourdomain,dc=com";
Export the local accounts in the 500-599 UID/GID range (regular users on RHEL 6) and convert them to LDIF. This quick grep matches any field containing :5xx, so review the passwd and group files before converting them:
#grep ":5[0-9][0-9]" /etc/passwd > passwd
#grep ":5[0-9][0-9]" /etc/group > group
#./migrate_passwd.pl passwd > users.ldif
#./migrate_group.pl group > groups.ldif
The generated entries are placed under ou=People and ou=Group, the same containers we created in base.ldif, so they can be imported as they are:
#ldapadd -x -W -D "cn=Manager,dc=yourdomain,dc=com" -f users.ldif
#ldapadd -x -W -D "cn=Manager,dc=yourdomain,dc=com" -f groups.ldif
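Before feeding base.ldif or the migrated files to ldapadd, the LDIF can be checked offline for the three mistakes this page's comments run into (entries not separated by blank lines, a dc=net suffix where the server is configured for dc=com, and entries whose parent container was never created). This is an added example, not part of the original tutorial; the script name and the check_ldif/parse_ldif function names are its own, and it assumes the parent entry appears in the file before its children, as ldapadd requires anyway.

```python
"""Offline sanity check for hand-written LDIF before ldapadd (added example, not
from the original tutorial). Reports the mistakes seen in this page's comments:
entries not separated by a blank line, DNs outside the configured suffix (dc=net
vs dc=com) and children whose parent entry was never added (ou=Groups vs ou=Group)."""
import re, sys

def _rdns(dn):
    """Split a DN on unescaped commas, lower-cased and trimmed."""
    return [p.strip().lower() for p in re.split(r"(?<!\\),", dn)]

def parse_ldif(text):
    """Return entries as lists of (attribute, value). A stray 'dn:' inside an
    entry (missing blank line) is kept so check_ldif() can report it."""
    entries, current = [], []
    for line in text.splitlines():             # folded/base64 lines not handled
        if not line.strip():                   # blank line terminates an entry
            if current:
                entries.append(current)
            current = []
        elif not line.startswith("#"):         # skip LDIF comments
            attr, _, value = line.partition(":")
            current.append((attr.strip(), value.strip()))
    if current:
        entries.append(current)
    return entries

def check_ldif(text, suffix):
    """Return problem strings in file order; an empty list means clean."""
    suffix = ",".join(_rdns(suffix))
    known, problems = {suffix}, []             # parents must precede children
    for attrs in parse_ldif(text):
        dns = [v for a, v in attrs if a.lower() == "dn"]
        label = dns[0] if dns else "<entry without dn>"
        if len(dns) != 1:
            problems.append(f"{label}: {len(dns)} dn lines in one entry (missing blank line?)")
            continue
        rdns = _rdns(dns[0])
        dn, parent = ",".join(rdns), ",".join(rdns[1:])
        if dn != suffix and not dn.endswith("," + suffix):
            problems.append(f"{label}: not under suffix {suffix}")
        elif dn != suffix and parent not in known:
            problems.append(f"{label}: parent {parent} does not exist")
        classes = [v.lower() for a, v in attrs if a.lower() == "objectclass"]
        if len(classes) != len(set(classes)):
            problems.append(f"{label}: objectClass value provided more than once")
        known.add(dn)
    return problems

if __name__ == "__main__":                     # usage: python check_ldif.py SUFFIX < base.ldif
    print("\n".join(check_ldif(sys.stdin.read(), sys.argv[1])) or "OK")
```

Run it as `python check_ldif.py dc=yourdomain,dc=com < base.ldif` and again on users.ldif and groups.ldif; a groups file rewritten to ou=Groups is reported because that container is not in base.ldif.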
Step 11: Testing the LDAP server. We check if the user mani exists:
#ldapsearch -x "cn=mani" -b "dc=yourdomain,dc=com"
If the test is successful you're done :)
All the best, regards cnuvasan
24 comments:
Hello
Firstly let me say thanks for some great post on your site.
I am trying to setup open LDAP on RHEL6 and have been following your steps.
All seems to be going well until I get to Step 9. Please see the below.
ldapadd -x -W -D ”cn=Manager,dc=example,dc=com” -f base.ldif
Enter LDAP Password:
ldap_bind: Invalid DN syntax (34)
additional info: invalid DN
Any help would be most appreciated.
Best regards
Try this:
ldapadd -x -W -D 'cn=Manager,dc=example,dc=com' -f base.ldif
Use single quotes instead of double quotes.....
I've already configured this and it's working fine, but I'm unable to change the LDAP password from the client side. Do you have any idea how to do it?
Note: I found out that the base.ldif file presented here needs an edit. Notice the blank lines separating the dn:
Try this instead:
# vi base.ldif
dn: dc=example,dc=com
dc: example
objectClass: top
objectClass: domain

dn: ou=People,dc=example,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=example,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit
PS: Thanks for an AWESOME TUTORIAL!
Another edit: on RHEL6 my DB_CONFIG.example was in:
/usr/share/openldap-servers/DB_CONFIG.example
Running this command: ldapadd -x -W -D 'cn=Manager,dc=example,dc=com' -f base.ldif
gives the error: Invalid Credentials (49)
Hi all,
when I am running this command:
#ldapsearch -x -b "dc=example,dc=com"
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
this message is displayed.
Please give me a solution...
Run this command:
#ldapsearch -h ldapserverIP(eg. 192.168.1.10) -x -b "dc=example,dc=com"
Address for downloading the certificate on the client side.
Hey,
what if the URL is "www.education.edu.au"?
How do we change it?
How can I make certificates ready on my FTP for client authentication?
Thanks for the perfect note on LDAP.
[root@centos6 ~]# ldapadd -x -W -D "cn=Manager,dc=sam,dc=com" -f base.ldif
Enter LDAP Password:
ldapadd: attributeDescription "dn": (possible missing newline after line 8, entry "dc=sam,dc=net"?)
ldapadd: attributeDescription "dn": (possible missing newline after line 9, entry "dc=sam,dc=net"?)
adding new entry "dc=sam,dc=net"
ldap_add: Type or value exists (20)
additional info: objectClass: value #0 provided more than once
How do I integrate the LDAP user mani with XP client login? I know the pGina tool. Can you tell me exactly how to use this tool to log in the user mani from an XP client?
Hi everybody.
I have followed these steps and installed OpenLDAP; I am able to add users and groups. I am also able to search the users & groups.
But when I try to search using -W (or) -w mypass
it shows the following error:
"ldap_bind: Invalid credentials (49)"
Even if I try to change the password it shows the same error.
Followed this URL: http://www.ezylinux.com/en/red-hat-6-how-to-fixes-ldapadd-ldap_bind-invalid-credentials-49/
Not solved. Can anyone help me out?
Proper steps to configure the LDAP server, successfully done...
Step by Step Installation and Configuration of OpenLDAP Server
Software: RHEL 6.2 Server
System name: ldap.sms.com
Domain name: sms.com
System IP: 192.168.1.5
Note: Use your domain name and IP instead of sms.com
Step #1. Requirements
compat-openldap.i386 0:2.1.30-6.4E
openldap-clients.i386 0:2.2.13-6.4E
openldap-devel.i386 0:2.2.13-6.4E
openldap-servers.i386 0:2.2.13-6.4E
openldap-servers-sql.i386 0:2.2.13-6.4E
You can install them using the command:
yum install *openldap* -y
Step #2. Start the service
[root@ldap ~]# chkconfig --levels 35 slapd on
[root@ldap ~]# service slapd start
Prepare a customized configuration file, slapd.example.conf:
cp /etc/openldap/slapd.conf.bak /etc/openldap/slapd.example.conf
Step #3. Update /etc/openldap/slapd.example.conf for the root password
[root@ldap ~]# vi /etc/openldap/slapd.example.conf
database bdb
suffix "dc=sms,dc=com"
rootdn "cn=root,dc=sms,dc=com"
rootpw secret
Step #4. Import all users into LDAP
1) Adding the organization
vi parent.ldif
# Root entry
dn: dc=sms,dc=com
objectclass: dcObject
objectclass: organization
o: Mumbai Company
dc: sms

# Add an organizational role
dn: cn=root,dc=sms,dc=com
objectclass: organizationalRole
cn: root
2) Adding the organizational units
vi ou.ldif
dn: ou=BANGALORE,dc=sms,dc=com
ou: BANGALORE
objectClass: organizationalUnit

dn: ou=CALCUTTA,dc=sms,dc=com
ou: CALCUTTA
objectClass: organizationalUnit
3) Adding users to the LDAP directory
vi users.ldif
dn: uid=sajeesh.prabhakar,ou=BANGALORE,dc=sms,dc=com
uid: sajeesh.prabhakar
objectClass: top
objectClass: person
objectClass: inetOrgPerson
ou: BANGALORE
givenName: SAJEESH
sn: PRABHAKAR
cn: MUM/PROJ/SAJEESH PRABHAKAR
mail: sajeesh.prabhakar@mumbai.com

dn: uid=pankaj.patil,ou=CALCUTTA,dc=sms,dc=com
uid: pankaj.patil
objectClass: top
objectClass: person
objectClass: inetOrgPerson
ou: CALCUTTA
givenName: Pankaj
sn: patil
cn: MUM/PROJ/pankaj patil
mail: pankaj.patil@mumbai.com
Make sure service is not running:
service slapd stop
Clean up configuration:
rm -rf /etc/openldap/slapd.d/*
Clean up content:
rm -rf /var/lib/ldap/*
Copy the file:
cp /usr/share/doc/openldap-servers-*/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
Initialize DB files for content in /var/lib/ldap directory:
echo "" | slapadd -f /etc/openldap/slapd.example.conf
This is required, otherwise you will get this error:
bdb_db_open: database "dc=example,dc=com": db_open(/var/lib/ldap/id2entry.bdb) failed: No such file or directory (2).
Convert configuration file into dynamic configuration under /etc/openldap/slapd.d directory:
slaptest -f /etc/openldap/slapd.example.conf -F /etc/openldap/slapd.d
Initialize LDAP DB with initial content:
slapadd -l parent.ldif
Set permissions:
chown -R ldap:ldap /var/lib/ldap
chown -R ldap:ldap /etc/openldap/slapd.d
Test initial configuration
Start server:
service slapd restart
List the content by a request from the client:
ldapsearch -x -b 'dc=sms,dc=com'
These are the commands for adding the LDAP entries (OUs and users):
ldapadd -x -D 'cn=root,dc=sms,dc=com' -W -f ou.ldif
ldapadd -x -D 'cn=root,dc=sms,dc=com' -W -f users.ldif
List again:
ldapsearch -x -b 'dc=sms,dc=com'
I can't start the slapd service. It shows an error like this..
#service slapd start
Checking configuration file or slapd:
bdb_db_open: DB_CONFIG for suffix "dc=rehat,dc=com" has changed.
Performing database recovery to activate new settings.
bdb_db_open: database "redhat,dc=com": recovery skipped in read-only mode. Run manual recovery if errors encountered.
config file testing succeeded
Starting slapd: creating symbolic link '/var/run/slapd.pid: File exits
Please solve this problem
Tell me how to log in an LDAP user on an XP client machine. Please give me good documentation....
I can't start the slapd service. It shows FAILED. Please reply to me.
Dear Sir, when I put this command ldapadd -x -W -D 'cn=Manager,dc=example,dc=com' -f base.ldif >>>>>>>> it asks for the LDAP password. Which password should I put here? Please help.