Step-by-step OpenLDAP Installation and Configuration

Want to support HowtoForge? Become a subscriber!
 
Submitted by ganesh35 (Contact Author) (Forums) on Fri, 2007-02-16 16:41. :: Linux

Step-by-step OpenLDAP Installation and Configuration

This tutorial describes how to install and configure an OpenLDAP server and also an OpenLDAP client.

Step by Step Installation and Configuration OpenLDAP Server

Software:  OS-Cent OS 4.4, openldap 2.2.13-6.4E
System name:   ldap.adminmart.com
Domain name:   adminmart.com
System IP:     192.168.1.212

Note: Use your domain name and IP instead of adminmart.

Easy steps for adding users:
    1. Create unix user
    2. Create unix user's ldap passwd file
    3. Convert passwd.file to ldif file
    4. Add ldap file to LDAP Directory using ldapadd

Step #1. Requirements

    compat-openldap.i386 0:2.1.30-6.4E
    openldap-clients.i386 0:2.2.13-6.4E
    openldap-devel.i386 0:2.2.13-6.4E
    openldap-servers.i386 0:2.2.13-6.4E
    openldap-servers-sql.i386 0:2.2.13-6.4E

You can install them using the command:

yum install *openldap* -y

 

Step #2. Start the service

[root@ldap ~]# chkconfig --levels 235 ldap on
[root@ldap ~]# service ldap start 

Step #3. Create LDAP root user password

[root@ldap ~]# slappasswd
    New password:
    Re-enter new password:
    {SSHA}cWB1VzxDXZLf6F4pwvyNvApBQ8G/DltW
[root@ldap ~]#

Step #4. Update /etc/openldap/slapd.conf for the root password

[root@ldap ~]# vi /etc/openldap/slapd.conf

    #68 database        bdb
    #69 suffix          "dc=adminmart,dc=com"
    #70 rootdn          "cn=Manager,dc=adminmart,dc=com"
    #71 rootpw          {SSHA}cWB1VzxDXZLf6F4pwvyNvApBQ8G/DltW 

Step #5. Apply Changes

[root@ldap ~]# service ldap restart 

Step #6. Create test users

[root@ldap ~]# useradd test1
[root@ldap ~]# passwd test1
    Changing password for user test1.
    New UNIX password:
    Retype new UNIX password:
    passwd: all authentication tokens updated successfully.
[root@ldap ~]# useradd test2
[root@ldap ~]# passwd test2
    Changing password for user test2.
    New UNIX password:
    Retype new UNIX password:
    passwd: all authentication tokens updated successfully.
[root@ldap ~]#

Note: Repeat the same for the rest of users 

Step #7. Migrate local users to LDAP

[root@ldap ~]# grep root /etc/passwd > /etc/openldap/passwd.root
[root@ldap ~]# grep test1 /etc/passwd > /etc/openldap/passwd.test1
[root@ldap ~]# grep test2 /etc/passwd > /etc/openldap/passwd.test2

 Note: Repeat the same for the rest of users

Step #8. Update default settings on file /usr/share/openldap/migration/migrate_common.ph

    #71 $DEFAULT_MAIL_DOMAIN = "adminmart.com";
    #74 $DEFAULT_BASE = "dc=adminmart,dc=com";

Step #9. Convert passwd.file to ldif (LDAP Data Interchange Format) file 

[root@ldap ~]# /usr/share/openldap/migration/migrate_passwd.pl /etc/openldap/passwd.root /etc/openldap/root.ldif
[root@ldap ~]# /usr/share/openldap/migration/migrate_passwd.pl /etc/openldap/passwd.test1 /etc/openldap/test1.ldif
[root@ldap ~]# /usr/share/openldap/migration/migrate_passwd.pl /etc/openldap/passwd.test2 /etc/openldap/test2.ldif

Note: Repeat the same for the rest of users

Step #10. Update root.ldif file for the "Manager" of LDAP Server 

[root@ldap ~]# vi /etc/openldap/root.ldif

    #1 dn: uid=root,ou=People,dc=adminmart,dc=com
    #2 uid: root
    #3 cn: Manager
    #4 objectClass: account

Step #11. Create a domain ldif file (/etc/openldap/adminmart.com.ldif)

[root@ldap ~]# cat /etc/openldap/adminmart.com.ldif

    dn: dc=adminmart,dc=com
    dc: adminmart
    description: LDAP Admin
    objectClass: dcObject
    objectClass: organizationalUnit
    ou: rootobject 
    dn: ou=People, dc=adminmart,dc=com
    ou: People
    description: Users of adminmart
    objectClass: organizationalUnit

Step #12. Import all users in to the LDAP

Add the Domain ldif file 

[root@ldap ~]# ldapadd -x -D "cn=Manager,dc=adminmart,dc=com" -W -f  /etc/openldap/adminmart.com.ldif
    Enter LDAP Password:
    adding new entry "dc=adminmart,dc=com"
    adding new entry "ou=People, dc=adminmart,dc=com"
[root@ldap ~]#

Add the users:

[root@ldap ~]# ldapadd -x -D "cn=Manager,dc=adminmart,dc=com" -W -f  /etc/openldap/root.ldif
    Enter LDAP Password:
    adding new entry "uid=root,ou=People,dc=adminmart,dc=com"
    adding new entry "uid=operator,ou=People,dc=adminmart,dc=com"
[root@ldap ~]#

[root@ldap ~]# ldapadd -x -D "cn=Manager,dc=adminmart,dc=com" -W -f  /etc/openldap/test1.ldif
    Enter LDAP Password:
    adding new entry "uid=test1,ou=People,dc=adminmart,dc=com"
[root@ldap ~]#

[root@ldap ~]# ldapadd -x -D "cn=Manager,dc=adminmart,dc=com" -W -f  /etc/openldap/test2.ldif
    Enter LDAP Password:
    adding new entry "uid=test2,ou=People,dc=adminmart,dc=com"
 [root@ldap ~]#

 Note: Repeat the same for the rest of users

Step #13. Apply Changes 

[root@ldap ~]# service ldap restart 

Step #14. Test LDAP Server

It prints all the user information:

[root@ldap ~]# ldapsearch -x -b 'dc=adminmart,dc=com' '(objectclass=*)' 


Copyright © 2007 Ganesh Kumar Butcha
All Rights Reserved.
add comment | view as pdf view as pdf | print: this | all page(s)
Please do not use the comment function to ask for help! If you need help, please use our forum.
Comments will be published after administrator approval.
Second Entry
Submitted by Anonymous (not registered) on Sun, 2012-11-18 12:38.
I am not able to adding my second entry. Anyone Could you please help me.
[root@client ~]# ldapadd -x -D "cn=Manager,dc=adminmart,dc=com" -W -f /etc/openldap/test1.ldif
Enter LDAP Password:
adding new entry "uid=test1,ou=People,dc=adminmart,dc=com"
ldap_add: No such object (32)
        matched DN: dc=adminmart,dc=com

[root@client ~]# ldapadd -x -D "cn=Manager,dc=adminmart,dc=com" -W -f /etc/openldap/test2.ldif
Enter LDAP Password:
adding new entry "uid=test2,ou=People,dc=adminmart,dc=com"
ldap_add: No such object (32)
        matched DN: dc=adminmart,dc=com

reply | view as pdf view as pdf
error reading information on service ldap: No such file or direc
Submitted by MacPhotoBiker (not registered) on Wed, 2012-08-29 16:04.

Hi,

I did the installation from step one (on CentOS 6), and all went well. But already in step 2, I get an error message: root@vps [~]# chkconfig --levels 235 ldap on

error reading information on service ldap: No such file or directory

Could somebody please guide me how to proceed from here? Any help would be greatly appreciated!

reply | view as pdf view as pdf
I don't have ldap service
Submitted by maryam (not registered) on Tue, 2012-03-13 07:59.
I don't have any thing to ldap service in step 2,can I do slapd service instead of ldap?
reply | view as pdf view as pdf
Really Great DOC... Thanks a
Submitted by Anonymous (not registered) on Thu, 2011-06-16 05:59.
Really Great DOC... Thanks a lot
reply | view as pdf view as pdf
Re: Really Great DOC... Thanks a
Submitted by RogierDikkes (not registered) on Thu, 2012-03-29 11:02.
Yeah good document, had some problems with the configuration. Followed all steps but got the error that username and password was incorrect when trying to login with phpadmin environment, after changing cn "Manager" to admin it worked perfect. Thanks for the guide!
reply | view as pdf view as pdf
Great tutorial, got me up
Submitted by Anonymous (not registered) on Mon, 2010-04-19 14:05.

Great tutorial, got me up and running in a few hours, after looking for over a week for a decent document to follow...

There is a typo error above that I should highlight. In /etc/openldap/adminmart.com.ldif example above, you need to insert a blank line between each "dn" text area. The result should be:

dn: dc=adminmart,dc=com
dc: adminmart
description: LDAP Admin
objectClass: dcObject
objectClass: organizationalUnit
ou: rootobject 
dn: ou=People, dc=adminmart,dc=com
ou: People
description: Users of adminmart
objectClass: organizationalUnit

 

enjoy

reply | view as pdf view as pdf
Password problem
Submitted by vinu (not registered) on Sat, 2009-02-14 04:34.

When i entered the password while importing the domain ldif file to LDAP, there was an error

 

ldap_bind: Invalid credentials (49)

 

What might be the problem. The password i entered was same as the one created using slappasswd.  

reply | view as pdf view as pdf
Re: Password problem
Submitted by zaza (not registered) on Tue, 2009-09-08 08:37.

have u solve the problem with the  "ldap_bind: Invalid credentials (49)"??

 

im facing the same too....

reply | view as pdf view as pdf
Re: Re: Password problem
Submitted by Anonymous (not registered) on Wed, 2011-07-13 14:53.

Hi, In the configuration file the line starting with a space is considered a continuation of the previous line so guys check in the slapd.conf for the "rootpw" line.if there is a space at the starting of the line then remove it and restart the server it will resolve your problem.

reply | view as pdf view as pdf
Yes, It worked
Submitted by Vkram (not registered) on Thu, 2012-03-29 07:03.
U rocks..... bro... It worked for me space before rootpw.......
reply | view as pdf view as pdf
Re: Re: Password problem
Submitted by Anonymous (not registered) on Tue, 2011-02-15 20:06.

I know I'm late to the thread for this, but hopefully this will be of value to future readers.

For the password problem, I was confusing the root password for the user's password.  When doing the ldapadd, I used the root user's password, and that fixed the credentials problem.  Don't use the password of the user you are adding.

For the problem with not finding the server, specify "-h 127.0.0.1" to resolve to localhost.  It doesn't default to any server in the add or search, not even localhost.

reply | view as pdf view as pdf
I can't add the domain ldif
Submitted by Ken (not registered) on Fri, 2008-09-19 20:02.

I can't add the domain ldif file - I get prompted for the password, I enter the password used in the slapd.conf (tried both encrypted and plaintext) but still get the error below:

ldap_bind: Can't contact LDAP server (-1)

Thoughts?

reply | view as pdf view as pdf
Re: I can't add the domain ldif
Submitted by Anonymous (not registered) on Wed, 2011-07-13 14:48.

 ldap_bind: Can't contact LDAP server (-1)This is when your server is not reachable  Start the LDAP server and try add the user :) 

reply | view as pdf view as pdf
ldap installation related error
Submitted by ashadeep nagar (not registered) on Fri, 2009-04-03 14:02.
          ldap_bind: Invalid credentials (49)
reply | view as pdf view as pdf
Re: ldap installation related error
Submitted by anand pavithran (not registered) on Thu, 2011-01-27 07:44.
Check for free space in the ldif file.(Some times there will be unwanted space  in the line).
reply | view as pdf view as pdf
Groups and shadow
Submitted by Revantine (registered user) on Mon, 2007-03-12 20:22.
I had to add a blank line to fix an error in /etc/openldap/adminmart.com.ldif, and I added for groups : 
dn: dc=adminmart,dc=com
dc: adminmart
description: LDAP Admin
objectClass: dcObject
objectClass: organizationalUnit
ou: rootobject

dn: ou=People, dc=adminmart,dc=com
ou: People
description: Users of adminmart
objectClass: organizationalUnit

dn: ou=Group, dc=adminmart,dc=com
ou: Group
description: Groups of adminmart
objectClass: organizationalUnit
I copied all of my groups that I wanted in ldap from /etc/groups to /etc/openldap/groups.txt and then ran:
/usr/share/openldap/migration/migrate_groups.pl /etc/openldap/groups.txt /etc/openldap/groups.ldif
After I imported users, and groups, I used phpldapadmin to import shadow passwords. I opened /etc/shadow and copied the password field:
username:$1$0oDpBoKc$qw6grPT4jqgfqkc5Kzd/G.:_____:_:_____:_:::
as {crypt}$1$0oDpBoKc$qw6grPT4jqgfqkc5Kzd/G.
And selected clear in the drop down so it would not try to re-encrypt (mangle) the password.

There is likely a scripted solution for shadow passwords, but I only had about 15 users and it was faster to just do it.
reply | view as pdf view as pdf
Replication
Submitted by nicolargo (registered user) on Mon, 2007-02-19 17:39.

Thanks for the tuto.

Here is a link to  help you configure a backup server (slave server) and another one to configure ProFTPD to use LDAP for authentication (french link but you can google translate ;)).

Nicolargo 

reply | view as pdf view as pdf
Re: Replication
Submitted by Anonymous (not registered) on Tue, 2010-05-04 07:02.
Can i have document to configure secure replication.
reply | view as pdf view as pdf