---------- Forwarded message ----------
From: Naufal Sheikh <naufalzamir@gmail.com>
Date: Oct 30, 2007 1:16 PM
Subject: Re: setting up admin password on openldap
To: Michael Ströder <michael@stroeder.com>

please find the embedded answers.

On 10/30/07, Michael Ströder <michael@stroeder.com> wrote:
Naufal Sheikh wrote:
>
> I compiled and installed openldap version 2.2.20

Why the hell are you using such an ancient version?

If you're already building yourself why didn't you use recent stable
version 2.3.3x?


I have already had a discussion on this. My boss does not allow me to change versions, and I cannot help it!

> The only catch being that I was never asked to
> supply any password during the installation,

It does not work like that.

Ok, I thought so as well.

> which some of the posts in the mailing list suggested.

I doubt that anyone here claimed that 'make install' asks for a password.

> I have a running version of 2.2.20 on Solaris 8.0.

So watch out for rootdn and rootpw in the file slapd.conf.

The rootpw line is hashed on the production system and I am using the same rootDN on my Linux server as on my production system.

> I first copied all of the slapd.conf from solaris server file to my red
> hat server, but the slapd gave errors and was not able to start initially.

If you don't provide the exact error message noone will be able to help.

As I said, I have already been able to resolve that and it is no longer a problem.

> I then used slapcat on my production system to generate an ldif which I
> imported on red hat server using slapadd. I had few errors about the
> syntax of "clientOrg" attribute being not correct, but those entries
> contained the extended character set in their values and I deleted them
> from the ldif file till I was able to import all the ldif from the
> production system to red hat server.

Do you really know what you're doing? I bet "clientOrg" is a custom
schema. Who defined that? Isn't the data therein important for you?


There was a custom schema on the production system, and I did include it in my new installation as well. Umm, yeah, I am not really sure till now how OpenLDAP works and I am more trying to replicate what I have on my old server.

> Now as Piotr suggested that
> after creating a password I can hash the rootpw line again, so that the
> authentication can be done using only the passwords in the database. So
> using slappasswd i generated a hash value of the password and copied it
> into the slapd.conf. While slapd starts fine it still cannot connect to
> ldap using the supplied credentials saying invalid credentials.

Does your LDIF contain an entry with attribute "userPassword" for the
"rootdn" in slapd.conf? Maybe try changing rootdn in slapd.conf to
something else and try with that one.


The LDIF I have generated using slapcat on my new server in order to keep it as a backup has the hashed password in the entry of the administrator. The LDAP browser has the plain text password in the uid of the administrator.

Here is my slapd.conf from my new server:

# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /main/soft/openldap/TRAC/tracweb//etc/openldap/schema/core.schema
include /main/soft/openldap/TRAC/tracweb//etc/openldap/schema/cosine.schema
include /main/soft/openldap/TRAC/tracweb//etc/openldap/schema/inetorgperson.schema
include /main/soft/openldap/TRAC/tracweb/etc/openldap/schema/trac.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org

pidfile         /main/soft/openldap/TRAC/tracweb//var/run/slapd.pid
argsfile        /main/soft/openldap/TRAC/tracweb//var/run/slapd.args

# Load dynamic backend modules:
# modulepath    /main/soft/openldap/TRAC/tracweb//libexec/openldap
# moduleload    back_bdb.la
# moduleload    back_ldap.la
# moduleload    back_ldbm.la
# moduleload    back_passwd.la
# moduleload    back_shell.la

# Sample security restrictions
#       Require integrity protection (prevent hijacking)
#       Require 112-bit (3DES or better) encryption for updates
#       Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
#       Root DSE: allow anyone to read it
#       Subschema (sub)entry DSE: allow anyone to read it
#       Other DSEs:
#               Allow self write access
#               Allow authenticated users read access
#               Allow anonymous users to authenticate
#       Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#       by self write
#       by users read
#       by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#

#access to * \
#       by peername.regex="IP=128\.230\.156\."     read stop
#       by *                                       none stop


# rootdn can always read and write EVERYTHING!

#######################################################################
# BDB database definitions
#######################################################################

allow bind_v2

backend bdb

database monitor

database        bdb
suffix          "o=trac"
rootdn          "cn=nsadmin,o=trac"

# Cleartext passwords, especially for the rootdn, should
# be avoid.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw  test



# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /main/soft/openldap/TRAC/tracweb//var/openldap-data

# Performance
cachesize   1000
#dbnosync
#threads 1
#dbnosync
#threads 16
#timelimit 3600
#sizelimit 9999
sizelimit unlimited
mode 600

#dbcachesize 10000000

# Indices to maintain
index   uid                  eq
index   cn              pres,eq,sub
index   sn              pres,eq,sub
index   mail                 eq
index   default                 sub
index   objectClass          eq
#index   uniqueMember         eq
#index   affiliation          eq
#index   mailPreferenceOption eq
#index   keyWords             eq
index   telephoneNumber pres,eq,sub
#index   cn,sn,mail   pres,eq,approx,sub

database bdb
suffix   ""
rootdn   "cn=nsadmin"
directory       /main/soft/openldap/TRAC/tracweb//var/openldap-data2
index   uid                  eq
index   cn              pres,eq,sub
index   sn              pres,eq,sub
index   mail                 eq
index   default                 sub
index   objectClass          eq


The only custom schema I have, which I copied from my old server and included, is trac.schema, as follows:

# TRAC's Extended Schema


objectIdentifier TracOID  1.3.6.1.4.1.25088
objectIdentifier TracSNMP TracOID:1
objectIdentifier TracLDAP TracOID:2
objectIdentifier TracAttributeType        TracLDAP:1
objectIdentifier TracObjectClass  TracLDAP:2

attributetype ( TracAttributeType:1  NAME 'contactinfo'
        DESC 'Information about the contact'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768}
        )

attributetype ( TracAttributeType:2  NAME 'regsite'
        DESC 'Registered site'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768}
        )

attributetype ( TracAttributeType:3  NAME 'tracfedquota'
        DESC 'Quota tracfed'
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{32768}
        )

attributetype ( TracAttributeType:4  NAME 'clientorg'
        DESC 'Client organization'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768}
        )

attributetype ( TracAttributeType:5  NAME 'clearpassword'
        DESC 'Clear text password'
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{32768}
        )

attributetype ( TracAttributeType:6  NAME 'regdate'
        DESC 'Date of registration'
        EQUALITY octetStringMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{32768}
        )

attributetype ( TracAttributeType:7  NAME 'keyWords'
        DESC 'keywords'
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{32768}
        )

attributetype ( TracAttributeType:8  NAME 'affiliation'
        DESC 'Affiliation'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768}
        )

attributetype ( TracAttributeType:9 NAME 'billpostaladdress'
        DESC 'Bill postal address'
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{32768}
        )

attributetype ( TracAttributeType:10 NAME 'billpostalcode'
        DESC 'Billing postal code'
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{32768}
        )

attributetype ( TracAttributeType:11 NAME 'middlename'
        DESC 'Middle name'
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{32768}
        )

attributetype ( TracAttributeType:12 NAME 'regip'
        DESC 'IP address during registration'
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{32768}
        )

attributetype ( TracAttributeType:13 NAME 'siteip'
        DESC 'IP address of the site'
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{32768}
        )

attributetype ( TracAttributeType:14 NAME 'sitemaxlocker'
        DESC 'Maximum number of locker data per site'
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{32768}
        )

attributetype ( TracAttributeType:15 NAME 'sitemaxusers'
        DESC 'Maximum number of users at the site'
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{32768}
        )

attributetype ( TracAttributeType:16 NAME 'siteuid'
        DESC 'Site User ID'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768}
        )

attributetype ( TracAttributeType:17 NAME 'maxqueries'
        DESC 'Maximum number of queries'
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{32768}
        )

attributetype ( TracAttributeType:18 NAME 'userflags'
        DESC 'Maximum number of queries'
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{32768}
        )

attributetype ( TracAttributeType:19 NAME 'termsagree'
        DESC 'Maximum number of queries'
        EQUALITY octetStringMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{32768}
        )

attributetype ( TracAttributeType:20 NAME 'morequeries'
        DESC 'Maximum number of queries'
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{32768}
        )

attributetype ( TracAttributeType:21 NAME 'overusemethod'
        DESC 'Overuse handling method'
        EQUALITY octetStringMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{32768}
        )

attributetype ( TracAttributeType:22 NAME 'queryfee'
        DESC 'Query fee'
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{32768}
        )

attributetype ( TracAttributeType:23 NAME 'licenddate'
        DESC 'Date of license end'
        EQUALITY octetStringMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{32768}
        )

attributetype ( TracAttributeType:24 NAME 'licstartdate'
        DESC 'Date of start of license'
        EQUALITY octetStringMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{32768}
        )

attributetype ( TracAttributeType:25 NAME 'subscribedate'
        DESC 'Date of subscription'
        EQUALITY octetStringMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{32768}
        )

#attributetype ( TracAttributeType:9  NAME 'mailpreferenceoption'
#       DESC 'Mail preference option'
#       SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{32768}
#       )

attributetype ( TracAttributeType:26 NAME 'lastModifiedBy'
        DESC 'The user who last modified the entry'
        EQUALITY octetStringMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{32768}
        )

attributetype ( TracAttributeType:27 NAME 'lastModifiedTime'
        DESC 'The time the entry was last modified'
        EQUALITY octetStringMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{32768}
        )



objectclass ( TracObjectClass:1  NAME 'tracperson'
        DESC 'RFC2256: a person'
        SUP inetOrgPerson STRUCTURAL
        MUST ( sn $ cn )
        MAY ( contactinfo $ regsite $ tracfedquota $
                clientorg $ clearpassword $ regdate $
                keyWords $ affiliation $ mailPreferenceOption $
                billpostaladdress $ billpostalcode $ middlename $
                regip $ siteip $ sitemaxlocker $
                sitemaxusers $ siteuid $ maxqueries $
                userflags $ termsagree $ morequeries $
                overusemethod $ queryfee $ licenddate $ licstartdate $
                subscribedate $ lastModifiedBy $ lastModifiedTime  ))


The LDIF entry for cn=nsadmin is as follows:

dn: uid=nsadmin,o=trac
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: SuiteSpot Administrator
sn: Administrator
givenName: SuiteSpot
uid: nsadmin
creatorsName: cn=nsadmin
createTimestamp: 19980218204619Z
userPassword:: e1NIQX12bm4rOFpBNFNzdzJJMnlQOVZ2clBJVFlGRzg9
modifiersName: uid=nsadmin,o=trac
modifyTimestamp: 19980722182149Z
structuralObjectClass: inetOrgPerson
entryUUID: 8179b9a2-74d7-102a-9988-90f8caf384a9
entryCSN: 20060511011623Z#000003#00#000000


I am not sure where the problem is; everything is in order, but I cannot connect using the credentials. I will try your suggestion about changing the rootdn and will let you know.

Ciao, Michael.
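The slapd.conf and the slapcat output quoted in this message name the administrator differently: the config sets rootdn "cn=nsadmin,o=trac" (with the cleartext rootpw "test"), while the directory entry has dn uid=nsadmin,o=trac. slapd consults rootpw only for a bind as exactly the rootdn; any other DN, including uid=nsadmin,o=trac, must authenticate against the userPassword of its own entry. The script below is an added example, not code from the thread or from OpenLDAP. It reads a slapd.conf fragment and an LDIF dump (both constructed here to mirror the quoted ones; LDIF line folding is not handled), reports a cleartext rootpw, checks whether the rootdn exists as an entry, lists entries that carry the same RDN value under a different attribute, and verifies {SHA}/{SSHA} values the way slappasswd -v does, so a freshly generated hash can be checked before it is pasted into slapd.conf. The function names (parse_slapd_conf, parse_ldif, audit, check_password, ssha) are my own.

```python
"""Consistency check of rootdn/rootpw in slapd.conf against a slapcat LDIF.

Added example; the inputs below are constructed to mirror the mail thread.
"""
import base64
import hashlib
import os
import re

# Constructed slapd.conf fragment (mirrors the database section in the mail)
SLAPD_CONF = """\
database        bdb
suffix          "o=trac"
rootdn          "cn=nsadmin,o=trac"
rootpw  test
"""

# Constructed slapcat output for the administrator entry (mirrors the mail)
LDIF = """\
dn: uid=nsadmin,o=trac
objectClass: inetOrgPerson
cn: SuiteSpot Administrator
sn: Administrator
uid: nsadmin
userPassword:: e1NIQX12bm4rOFpBNFNzdzJJMnlQOVZ2clBJVFlGRzg9

"""


def normalize_dn(dn):
    """Case-fold and strip spaces around RDN separators so DNs compare sanely."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_slapd_conf(text):
    """Return {'rootdn': ..., 'rootpw': ...} from the first database that sets them."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(rootdn|rootpw)\s+(.*)$", line)
        if m and m.group(1) not in conf:
            conf[m.group(1)] = m.group(2).strip().strip('"')
    return conf


def parse_ldif(text):
    """Minimal LDIF reader: list of {attr: [values]}; '::' values are base64-decoded."""
    entries, current = [], {}
    for raw in text.splitlines():
        if not raw.strip():              # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if raw.startswith("#"):
            continue
        attr, sep, value = raw.partition(":")
        if not sep:
            continue
        if value.startswith(":"):        # "attr:: base64"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def password_scheme(secret):
    """'SHA', 'SSHA', ... for a hashed value, None for cleartext."""
    m = re.match(r"\{([A-Za-z0-9]+)\}", secret)
    return m.group(1).upper() if m else None


def check_password(secret, candidate):
    """Verify candidate against a cleartext, {SHA} or {SSHA} value (like slappasswd -v)."""
    scheme = password_scheme(secret)
    if scheme is None:
        return secret == candidate
    blob = base64.b64decode(secret[len(scheme) + 2:])
    if scheme == "SHA":
        return blob == hashlib.sha1(candidate.encode()).digest()
    if scheme == "SSHA":                 # 20-byte digest followed by the salt
        digest, salt = blob[:20], blob[20:]
        return digest == hashlib.sha1(candidate.encode() + salt).digest()
    raise ValueError("unsupported scheme " + scheme)


def ssha(candidate, salt=None):
    """Produce a {SSHA} value as slappasswd -h {SSHA} would (salt is random unless given)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(candidate.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def audit(conf_text, ldif_text):
    """Return a list of findings about rootdn/rootpw versus the directory contents."""
    conf = parse_slapd_conf(conf_text)
    entries = parse_ldif(ldif_text)
    rootdn = normalize_dn(conf.get("rootdn", ""))
    dns = [normalize_dn(e["dn"][0]) for e in entries if "dn" in e]
    findings = []
    if password_scheme(conf.get("rootpw", "")) is None:
        findings.append("rootpw is cleartext; generate a hash with slappasswd")
    if rootdn in dns:
        entry = entries[dns.index(rootdn)]
        scheme = password_scheme(entry.get("userPassword", [""])[0])
        findings.append("rootdn entry exists; userPassword scheme: %s" % scheme)
    else:
        findings.append("rootdn %s has no entry in the directory" % rootdn)
        rdn_value = rootdn.split(",")[0].partition("=")[2]
        for dn in dns:                   # same value, different RDN attribute?
            _attr, _, val = dn.split(",")[0].partition("=")
            if val == rdn_value and dn.split(",")[1:] == rootdn.split(",")[1:]:
                findings.append("possible match with a different RDN attribute: " + dn)
    return findings


if __name__ == "__main__":
    for finding in audit(SLAPD_CONF, LDIF):
        print(finding)
```

Run against the constructed inputs, the audit reports the cleartext rootpw, the missing cn=nsadmin,o=trac entry and uid=nsadmin,o=trac as the probable intended DN. Pointing SLAPD_CONF and LDIF at a real slapd.conf and a real slapcat dump turns it into a pre-flight check before a rootpw line is replaced or removed.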