Re: help troubleshooting

[Quanah Gibson-Mount <quanah@symas.com>]

--On Tuesday, February 07, 2017 5:01 PM -0700 scar <scar@drigon.com> wrote:


> Well it's kind of a mess here and my lack of experience with LDAP isn't
> helping much.  There is no slapd-config program although there is a
> manual page entry for it.  "yum whatprovides */slapd-config" returns no
> packages.

slapd-config is not a program.  It's a database format. Please read the man 
page for slapd-config(5).

> I was able to enable users to change their passwords by directly
> modifying /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{1\}bdb.ldif and
> adding these lines to the bottom:

As noted at the top of those files, you should never, ever, manually modify 
them by hand.  You should be using the correct ldap client operations.  You 
can do this via ldapadd, ldapmod, etc.

> I know that's not proper but i needed users to be able to change their
> password.  Thanks for the info about ACLs.  the "next to last ACL"
> mentioned is for the "database monitor" (see slapd.conf below) and i'm
> not sure why "by * read" should be granted that access, perhaps you can
> shed some light on why that exists in our config?  maybe i don't need
> ACLs for that so only rootdn has access?

That would be a separate block of ACLs that only applies to the monitor 
backend.  There is no requirement that by * read have access to the 
monitoring backend.  Who/what should have access to it depends on your 
requirements.

> We have a new LDAP server that I am setting up, so I'd like to focus on
> moving the database and getting the new server into production, and we
> can iron out the wrinkles in this mess at the same time.  My
> understanding is that I can use slapcat/slapadd to do the export/import...
>
> I used "slapcat > /tmp/ldif" on current server, then moved ldif and
> updated [slapd.conf] (see below) file to the new server, then ran
> "slapadd -l /tmp/ldif -l /etc/openldap/slapd.conf -F
> /etc/openldap/slapd.d/" but i get an error when trying to start slapd:
> "ls: cannot access /etc/openldap/slapd.d//cn=config/olcDatabase*.ldif: No
> such file or directory"  so how am i supposed to get the slapd.d/* files?
> If I am to just copy those over from the current server then I'd like to
> figure out why I had to modify the ldif file directly...

Your first slapcat exports the binary database, it has zero to do with the 
slapd-config database.  Please read the manpage for slapcat on the proper 
way to export your slapd-config database.  You don't use slapd.conf, you 
should stop doing anything with it, as it is immaterial.  You will need to 
export/import your slapd-config database prior to importing your binary 
database.

> The current LDAP server is running RHEL 6.8 with kernel
> 2.6.32-642.11.1.el6.x86_64.  The new LDAP server is running CentOS 6.8
> with kernel 2.6.32-642.13.1.el6.x86_64.  The nss/pam configuration for
> one of our clients is this (i hope this is what Michael Wandel meant):

The RHEL build of OpenLDAP is known to be problematic, outdated, and it 
links to the insecure MozNSS libraries.  I personally would recommend 
against using it.  If you want to use a 3rd party OpenLDAP build, such as 
RedHat's, you may find the LTB project build a better bet.  If you require 
support for your LDAP deployment, Symas offers supported builds for RHEL.

Regards,
Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>