
Re: Fresh install on debian with cn=config and slapd.conf conversion

On Thu, 15 Dec 2011 11:59:16 CET, rey sebastien wrote:

On 15/12/2011 10:59, Raffael Sahli wrote:

On 12/15/2011 10:54 AM, reyman wrote:

On Thu, Dec 15, 2011 at 10:24 AM, Raffael Sahli
<public@raffaelsahli.com> wrote:

On 12/15/2011 09:46 AM, rey sebastien wrote:

On Thu, 15 Dec 2011 08:51:29 CET, Raffael Sahli wrote:

OK, it works, I have a functional
slapd.d/cn=config folder, but I don't understand why
I can't access openldap with
cn=admin,dc=parisgeo,dc=cnrs,dc=fr and the good password
generated by

My slapd.conf before conversion contains the SSHA
password generated by slappasswd for rootdn:

database bdb
suffix "dc=parisgeo,dc=cnrs,dc=fr"
rootdn "cn=admin,dc=parisgeo,dc=cnrs,dc=fr"
rootpw {SSHA}xxxxxxxxxxxxxxxxxxxxx

I try this:
ldapsearch -D cn=admin,dc=parisgeo,dc=cnrs,dc=fr -W -x 'userName=*'
Enter LDAP Password: ldap_bind: Invalid credentials (49)

Bizarre...
Perhaps I can try to redefine the rootdn, because it
disappeared with the conversion?
Do you have an idea about this?


>Use slapadd. Again, RTFM. Everything you've asked in
>the past week or so has been documented in the manpages
>and the Admin Guide. Read and learn.

Yes right, @rey RTFM, and ask your question again if
you're sure your point is not in the OpenLDAP manual.
But I'm sure you will find your answer there.

>Please trim irrelevant text from your emails. Please
>update your Subject line to something relevant to the
>actual discussion topic.
@Howard, please say that to the guy who asks questions,
and not me^^

Raffael Sahli wrote:

On 14.12.2011 16:54, rey sebastien wrote:

On 13/12/2011 16:48, Raffael Sahli wrote:

It's not easy to start with zero configuration
with the new cn=config
openldap administration..
I create my bd.ldif based on the slapd.ldif
example in the
/usr/local/etc/openldap directory.
But how can I insert this ldif with

ldapadd -Y EXTERNAL -H ldapi:/// -f myldiffile.ldif

if I cannot run slapd without configuration?
How do you start a fresh install of openldap in
this case? Is there an
option to run slapd without zero configuration?
Thanks a lot,

Use slapadd. Again, RTFM. Everything you've asked in the
past week or so has been documented in the manpages and
the Admin Guide. Read and learn.

Everything? Really... Install from sources with a specific
init script installation on debian? Also, I find nothing
about a fresh install directly with cn=config (without
conversion of slapd.conf) in the admin guide...

I'm not a junior system administrator, I'm doing a PhD in
geography / geomatics, and I have only one week before
Christmas to create and populate a new LDAP in my
laboratory. I try to learn the maximum with google/debian
tutorials and a lot of false tutorials, but actually, and I'm
sorry about that, I have no time to read all the man pages
and all the admin guide...

Thank you again for the time you take to answer my
questions, Raffael, and others.

First, change the subject, your problem has nothing to do with SSL.

And for your root password problem, if you just convert your
offline config to online config, your root password will be the
same as before.
Did it work with the offline configuration?
Or change the olcRootPW manually in the config ldif of your

Hum, I checked in my config ldif and olcRootPW doesn't appear.

Sorry, but again RTFM http://www.openldap.org/doc/admin24/

That's the global configuration, the password is in your database

# CRC32 7bbc1dd2
dn: cn=config
objectClass: olcGlobal
cn: config
olcConfigFile: slapd.conf.seb
olcConfigDir: /usr/local/etc/openldap/slapd.d/
olcArgsFile: /usr/local/var/run/slapd.args
olcAttributeOptions: lang-
olcAuthzPolicy: none
olcConcurrency: 0
olcConnMaxPending: 100
olcConnMaxPendingAuth: 1000
olcGentleHUP: FALSE
olcIdleTimeout: 0
olcIndexSubstrIfMaxLen: 4
olcIndexSubstrIfMinLen: 2
olcIndexSubstrAnyLen: 4
olcIndexSubstrAnyStep: 2
olcIndexIntLen: 4
olcLocalSSF: 71
olcLogLevel: Stats
olcPidFile: /usr/local/var/run/slapd.pid
olcReadOnly: FALSE
olcReverseLookup: FALSE
olcSaslHost: claroline.parisgeo.cnrs.fr
olcSaslSecProps: noplain,noanonymous
olcSockbufMaxIncoming: 262143
olcSockbufMaxIncomingAuth: 16777215
olcThreads: 16
olcTLSCRLCheck: none
olcTLSVerifyClient: never
olcToolThreads: 1
olcWriteTimeout: 0
structuralObjectClass: olcGlobal
entryUUID: 065b0668-632b-4573-a915-bbe2caf96586
creatorsName: cn=config
createTimestamp: 20111214212046Z
entryCSN: 20111214212046.446261Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20111214212046Z

I try to re-add the password with slapmodify:

dn: cn=config
changetype: modify
add: olcRootDN
olcRootDN: cn=admin,dc=parisgeo,dc=cnrs,dc=fr

dn: cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}1dWxkkRtyUJt5fDga0Pn4EAyKQ5RPI4+

root@xxxxx:/usr/local/etc/openldap# ldapadd -Y EXTERNAL -H ldapi:/// -f initSlapd.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifying entry "cn=config"
ldap_modify: Insufficient access (50)

Hum, I don't really understand why I don't have access,
I changed only the password, rootsuffix, and rootdn in the slapd.conf
before the conversion..

I try to add manually the attributes olcRootPW, olcSuffix, olcRootDN:
olcSuffix: dc=parisgeo,dc=cnrs,dc=fr
olcRootDN: cn=admin,dc=parisgeo,dc=cnrs,dc=fr
olcRootPW: {SSHA}1dWxkkRtyUJt5fDga0Pn4EAyKQ5RPI4+

I have this error at restart:
Dec 15 10:52:04 claroline slapd[11462]: olcSuffix: value #0: suffix
<DC=parisgeo,DC=cnrs,DC=fr> not allowed in frontend database.

Hum, I think it's a good idea to remove all config/data files, restart
with a fresh slapd.conf and retry the conversion..

Raffael Sahli
public@raffaelsahli.com

OK, I found my error.
Before I converted the slapd.conf into cn=config, I launched slapd one time
with slapd.conf, so the default database already existed/was created...
I have no problem now logging in or adding information with ldapadd / modify
into my database.

I have one question about the slapd.conf config, because in the documentation and on other sites we can see different types of configuration for slapd.conf (before converting, in my case); with my configuration I cannot use the cn=config,cn=admin pattern and I have an error with bad credentials when I try to connect with SASL.

For example this request doesn't work: ldapsearch -xLLL -b cn=config -D cn=admin,cn=config -W
The database directory section of my slapd.conf:

database bdb
suffix "dc=parisgeo,dc=cnrs,dc=fr"
rootdn "cn=admin,dc=parisgeo,dc=cnrs,dc=fr"
rootpw {SSHA} secret
directory /srv/openldap-data
index objectClass eq

Can I change the rootdn to cn=admin,cn=config,dc=parisgeo,dc=cnrs,dc=fr?

Thanks a lot,
Best regards,
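As an added illustration that is not part of this thread (it is not code from any of the posters), the LDIF below shows where the two root identities discussed above actually live under cn=config. The config database olcDatabase={0}config has its own olcRootDN/olcRootPW, and that is the only DN the "-D cn=admin,cn=config" bind can use; the data database olcDatabase={1}bdb,cn=config carries olcSuffix, olcRootDN and olcRootPW for dc=parisgeo,dc=cnrs,dc=fr. Neither attribute belongs on cn=config itself, which is why adding olcSuffix there is rejected as "not allowed in frontend database". The olcAccess line on the config database is what lets "ldapadd -Y EXTERNAL -H ldapi:///" (SASL username gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth) modify the configuration instead of getting "Insufficient access (50)". The {SSHA} values are placeholders to be replaced with slappasswd output; the paths and suffix are taken from the thread and are assumptions about this installation.

```ldif
# Minimal cn=config bootstrap for a fresh install (added example, not the
# project's shipped slapd.ldif). Load it offline, before slapd ever runs:
#   slapadd -n 0 -F /usr/local/etc/openldap/slapd.d -l bootstrap.ldif
# The equivalent for an existing slapd.conf is the conversion
#   slaptest -f slapd.conf -F /usr/local/etc/openldap/slapd.d
# run against an empty slapd.d, with no stale database directory left behind.

dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /usr/local/var/run/slapd.args
olcPidFile: /usr/local/var/run/slapd.pid
# No olcSuffix / olcRootDN / olcRootPW here: this is the global entry.

dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema

# Schema files ship with the source install; core.ldif is the minimum.
include: file:///usr/local/etc/openldap/schema/core.ldif

# The configuration database. This is where "cn=admin,cn=config" is defined.
dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcRootDN: cn=admin,cn=config
olcRootPW: {SSHA}REPLACE_WITH_SLAPPASSWD_OUTPUT
# Let the local root user manage cn=config over ldapi:/// with SASL EXTERNAL,
# so "Insufficient access (50)" does not occur on configuration changes.
olcAccess: to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break

# The data database. Its rootdn is separate from the config rootdn.
dn: olcDatabase={1}bdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcBdbConfig
olcDatabase: {1}bdb
olcSuffix: dc=parisgeo,dc=cnrs,dc=fr
olcRootDN: cn=admin,dc=parisgeo,dc=cnrs,dc=fr
olcRootPW: {SSHA}REPLACE_WITH_SLAPPASSWD_OUTPUT
olcDbDirectory: /srv/openldap-data
olcDbIndex: objectClass eq
```

In slapd.conf terms the first of the two database entries corresponds to a "database config" section with its own "rootdn" and "rootpw" lines placed before the "database bdb" section; without it, only the default config rootdn (cn=config) and the peercred identity can touch cn=config, and a bind as cn=admin,cn=config fails with invalid credentials. A rootdn such as cn=admin,cn=config,dc=parisgeo,dc=cnrs,dc=fr would be just another DN under the data suffix and would not grant access to the configuration tree; keep the two identities separate and give each its own password hash.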