[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: A strange dn

Ed Greenberg writes:
> I'm bringing up openldap, and I have almost everything working except:
> The servers have an existing ldap.conf of:

ldap.conf for pam_ldap (typically /etc/ldap.conf) and not openldap
(typically /etc/(open)ldap/ldap.conf), I presume.  OpenLDAP ldap.conf
does not have ldap_version and bindpw keywords.

> uri ldap://ldap001.example.com ldap://ldap002.example.com

I hope you use TLS as well, otherwise passwords get sent in cleartext
over the connection.  And to use TLS, the server needs a certificate -
and the clients must know the CA-certificate which signed it so they
can authenticate the server.

> base dc=example,dc=com
> binddn uid=server,cn=config
> bindpw xxxxxx

The "binddn" value is absolute, not relative to the "base".  So use:

Except it's a bad idea to spread extended access to the LDAP server to
machines all over campus.  Presumably you use binddn/bindpw so PAM can
read the users' passwords?  Instead set up PAM to authenticate users
with the LDAP Bind operation.  (Bind sends the password to the LDAP
server, which checks if is correct and returns success or error.)

> I'm having trouble figuring out how to create a user that looks like:
> uid=server,cn=config,dc=example,dc=com

Well, if you do it anyway - something like this:

Include cosine.schema after core.schema in slapd.conf, if you haven't
already.  (For the 'account' object class, used below.)

$ /usr/sbin/slappasswd -s 'the password'

Create a file server.ldif with:

dn: uid=server,cn=config,dc=example,dc=com
uid: server
objectClass: account
objectClass: simpleSecurityObject
userPassword: {SSHA}sWpsmsuoIekmk+KANtZ0RLfRfhyA24W9

bin/ldapadd it to the server, or take the server down and then
sbin/slapadd it.