I am a complete newbie with OpenLDAP. I have worked with Windows NT Domains and Active Directory for a long time. I've also worked with Microsoft ADAM and CA's eTrust Admin Directory.
However, I am having trouble getting OpenLDAP to perform what I think are basic functions.
I have a Debian GNU/Linux Etch system with a 2.6.18 kernel.
slapd reports a version of 2.3.30.
I have slapd running and I am able to authenticate with the local admin account.
What I want is for it to take requests for domain.com, ask the real domain.com LDAP server (Active Directory) to handle it, then provide the answer to the client.
I want to have an OpenLDAP server in my DMZ proxy connections to my internal network without actually storing any account information locally (except for the local admin).
I think this is the relevant configuration information (comments removed):
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
loglevel 0
modulepath /usr/lib/ldap
moduleload back_bdb
moduleload back_ldap
sizelimit 500
tool-threads 1
backend bdb
checkpoint 512 30
database ldap
lastmod off
uri "ldap://server.domain.com"
map attribute uid sAMAccountName
map attribute cn name
map attribute mail userPrincipalName
map objectclass account user
map attribute *
idassert-bind bindmethod=simple binddn="cn=<USER>,ou=<CONTAINER>,dc=domain,dc=com" credentials="<password>" method=self
chase-referrals yes
database bdb
suffix "dc=domain,dc=com"
rootdn "cn=<USER>,ou=<CONTAINER>,dc=domain,dc=com"
directory "/var/lib/ldap"
dbconfig set_cachesize 0 2097152 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
index objectClass eq
lastmod on
access to attrs=userPassword,shadowLastChange
        by dn="cn=admin,dc=ftbco,dc=ftn,dc=com" write
        by anonymous auth
        by self write
        by * none
access to dn.base="" by * read
access to * by dn="cn=admin,dc=ftbco,dc=ftn,dc=com" write by * read
Running this with:
slapd -g openldap -u openldap -d 16383
gives a few errors such as:
line 44 (checkpoint 512 30)
/etc/ldap/slapd.conf: line 44: unknown directive <checkpoint> inside backend database definition (ignored).
and
/etc/ldap/slapd.conf: line 51: rewrite/remap capabilities have been moved to the "rwm" overlay; see slapo-rwm(5) for details (hint: add "overlay rwm" and prefix all directives with "rwm-").
Adding the requested overlay line and changing the map to rwm-map doesn't help. I may be adding it in the wrong place. I always get:
line 31 (overlay rwm)
overlay "rwm" not found
/etc/ldap/slapd.conf: line 31: <overlay> handler exited with 1!
with the line number obviously different for the different places I've tried it.
Yet, the rwm files are right where they should be:
root@ebizsrvb:/etc/ldap# ls -l /usr/lib/ldap/rwm*
lrwxrwxrwx 1 root root    17 2007-04-16 12:18 /usr/lib/ldap/rwm-2.3.so.0 -> rwm-2.3.so.0.2.18
-rw-r--r-- 1 root root 33020 2007-03-08 23:45 /usr/lib/ldap/rwm-2.3.so.0.2.18
-rw-r--r-- 1 root root   891 2007-03-08 23:45 /usr/lib/ldap/rwm.la
lrwxrwxrwx 1 root root    17 2007-04-16 12:18 /usr/lib/ldap/rwm.so -> rwm-2.3.so.0.2.18
Please tell me what simple step I am messing up?
Thank you! -Jason
DePriest, Jason R. wrote:
I am a complete newbie with OpenLDAP. I have worked with Windows NT Domains and Active Directory for a long time. I've also worked with Microsoft ADAM and CA's eTrust Admin Directory.
However, I am having trouble getting OpenLDAP to perform what I think are basic functions.
I have a Debian GNU/Linux Etch system with a 2.6.18 kernel.
slapd reports a version of 2.3.30.
slapd-ldap(5) saw some significant enhancement around 2.3.34 or so; I'd recommend updating to the latest (2.3.37 right now).
I have slapd running and I am able to authenticate with the local admin account.
What I want is for it to take requests for domain.com, ask the real domain.com LDAP server (Active Directory) to handle it, then provide the answer to the client.
I want to have an OpenLDAP server in my DMZ proxy connections to my internal network without actually storing any account information locally (except for the local admin).
I think this is the relevant configuration information (comments removed):
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
loglevel 0
modulepath /usr/lib/ldap
moduleload back_bdb
moduleload back_ldap
moduleload rwm
sizelimit 500
tool-threads 1
backend bdb
checkpoint 512 30
database ldap
lastmod off
^^^ not needed
uri "ldap://server.domain.com"
map attribute uid sAMAccountName
map attribute cn name
map attribute mail userPrincipalName
map objectclass account user
map attribute *
idassert-bind bindmethod=simple binddn="cn=<USER>,ou=<CONTAINER>,dc=domain,dc=com" credentials="<password>" method=self
chase-referrals yes
^^^ this might give undesired effects; only activate if strictly required, and after careful testing.
database bdb
suffix "dc=domain,dc=com"
rootdn "cn=<USER>,ou=<CONTAINER>,dc=domain,dc=com"
directory "/var/lib/ldap"
dbconfig set_cachesize 0 2097152 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
index objectClass eq
lastmod on
access to attrs=userPassword,shadowLastChange
        by dn="cn=admin,dc=ftbco,dc=ftn,dc=com" write
        by anonymous auth
        by self write
        by * none
access to dn.base="" by * read
access to * by dn="cn=admin,dc=ftbco,dc=ftn,dc=com" write by * read
Running this with:
slapd -g openldap -u openldap -d 16383
gives a few errors such as:
line 44 (checkpoint 512 30)
/etc/ldap/slapd.conf: line 44: unknown directive <checkpoint> inside backend database definition (ignored).
and
/etc/ldap/slapd.conf: line 51: rewrite/remap capabilities have been moved to the "rwm" overlay; see slapo-rwm(5) for details (hint: add "overlay rwm" and prefix all directives with "rwm-").
Adding the requested overlay line and changing the map to rwm-map doesn't help. I may be adding it in the wrong place. I always get:
line 31 (overlay rwm)
overlay "rwm" not found
/etc/ldap/slapd.conf: line 31: <overlay> handler exited with 1!
with the line number obviously different for the different places I've tried it.
Yet, the rwm files are right where they should be:
root@ebizsrvb:/etc/ldap# ls -l /usr/lib/ldap/rwm*
lrwxrwxrwx 1 root root    17 2007-04-16 12:18 /usr/lib/ldap/rwm-2.3.so.0 -> rwm-2.3.so.0.2.18
-rw-r--r-- 1 root root 33020 2007-03-08 23:45 /usr/lib/ldap/rwm-2.3.so.0.2.18
-rw-r--r-- 1 root root   891 2007-03-08 23:45 /usr/lib/ldap/rwm.la
lrwxrwxrwx 1 root root    17 2007-04-16 12:18 /usr/lib/ldap/rwm.so -> rwm-2.3.so.0.2.18
Please tell me what simple step I am messing up?
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati@sys-net.it
--On August 6, 2007 9:30:59 PM +0200 Pierangelo Masarati ando@sys-net.it wrote:
DePriest, Jason R. wrote:
I am a complete newbie with OpenLDAP. I have worked with Windows NT Domains and Active Directory for a long time. I've also worked with Microsoft ADAM and CA's eTrust Admin Directory.
However, I am having trouble getting OpenLDAP to perform what I think are basic functions.
I have a Debian GNU/Linux Etch system with a 2.6.18 kernel.
slapd reports a version of 2.3.30.
slapd-ldap(5) saw some significant enhancement around 2.3.34 or so; I'd recommend updating to the latest (2.3.37 right now).
I believe 2.3.35 is available from backports.org for Debian.
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
Zimbra :: the leader in open source messaging and collaboration
Quanah Gibson-Mount quanah@zimbra.com writes:
I believe 2.3.35 is available from backports.org for Debian.
Not so far as I can tell. The packages we're looking at using locally have some additional patches, so I can't upload them to backports.org.
--On August 6, 2007 2:32:59 PM -0700 Russ Allbery rra@stanford.edu wrote:
Quanah Gibson-Mount quanah@zimbra.com writes:
I believe 2.3.35 is available from backports.org for Debian.
Not so far as I can tell. The packages we're looking at using locally have some additional patches, so I can't upload them to backports.org.
Oh, darn. :/ It'd be handy to have something more recent available to folks.
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
Zimbra :: the leader in open source messaging and collaboration
On 8/6/07, Quanah Gibson-Mount wrote:
--On August 6, 2007 9:30:59 PM +0200 Pierangelo Masarati wrote:
DePriest, Jason R. wrote:
I am a complete newbie with OpenLDAP. I have worked with Windows NT Domains and Active Directory for a long time. I've also worked with Microsoft ADAM and CA's eTrust Admin Directory.
However, I am having trouble getting OpenLDAP to perform what I think are basic functions.
I have a Debian GNU/Linux Etch system with a 2.6.18 kernel.
slapd reports a version of 2.3.30.
slapd-ldap(5) saw some significant enhancement around 2.3.34 or so; I'd recommend updating to the latest (2.3.37 right now).
I believe 2.3.35 is available from backports.org for Debian.
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
Zimbra :: the leader in open source messaging and collaboration
I found 2.2.35 in 'testing' and 'unstable' distros, but had a problem installing the pre-reqs for it. I will work on it again tomorrow and I appreciate the suggestions.
-Jason
On 8/6/07, Pierangelo Masarati wrote:
DePriest, Jason R. wrote:
I am a complete newbie with OpenLDAP. I have worked with Windows NT Domains and Active Directory for a long time. I've also worked with Microsoft ADAM and CA's eTrust Admin Directory.
However, I am having trouble getting OpenLDAP to perform what I think are basic functions.
I have a Debian GNU/Linux Etch system with a 2.6.18 kernel.
slapd reports a version of 2.3.30.
slapd-ldap(5) saw some significant enhancement around 2.3.34 or so; I'd recommend updating to the latest (2.3.37 right now).
I was able to get slapd 2.3.35 from Debian's testing tree. The unstable tree has the same version. If I need to go higher, I can just compile it myself.
I have slapd running and I am able to authenticate with the local admin account.
What I want is for it to take requests for domain.com, ask the real domain.com LDAP server (Active Directory) to handle it, then provide the answer to the client.
I want to have an OpenLDAP server in my DMZ proxy connections to my internal network without actually storing any account information locally (except for the local admin).
I think this is the relevant configuration information (comments removed):
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
loglevel 0
modulepath /usr/lib/ldap
moduleload back_bdb
moduleload back_ldap
moduleload rwm
Done. I thought I had tried this, but apparently not. Unless something changed between 2.3.30 and 2.3.35
sizelimit 500
tool-threads 1
backend bdb
checkpoint 512 30
database ldap
lastmod off
^^^ not needed
deleted this line
uri "ldap://server.domain.com"
map attribute uid sAMAccountName
map attribute cn name
map attribute mail userPrincipalName
map objectclass account user
map attribute *
idassert-bind bindmethod=simple binddn="cn=<USER>,ou=<CONTAINER>,dc=domain,dc=com" credentials="<password>" method=self
chase-referrals yes
^^^ this might give undesired effects; only activate if strictly required, and after careful testing.
Commented this line out.
database bdb
suffix "dc=domain,dc=com"
rootdn "cn=<USER>,ou=<CONTAINER>,dc=domain,dc=com"
directory "/var/lib/ldap"
dbconfig set_cachesize 0 2097152 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
index objectClass eq
lastmod on
access to attrs=userPassword,shadowLastChange
        by dn="cn=admin,dc=ftbco,dc=ftn,dc=com" write
        by anonymous auth
        by self write
        by * none
access to dn.base="" by * read
access to * by dn="cn=admin,dc=ftbco,dc=ftn,dc=com" write by * read
[ cut out my errors from first post ]
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati@sys-net.it
slapd runs with no critical errors. I can connect and bind with the local admin account.
I cannot seem to get it to reach out to the other LDAP server. It just searches itself and gives up when it cannot find what it is looking for.
There are no errors, it just finds 0 matches.
I don't have rootDSE set anywhere. Do I need that for this to work?
-Jason
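Pulling the replies above together, here is an added example of a slapd.conf laid out the way they suggest (moduleload rwm in the global section, overlay rwm and the rwm- prefixed maps inside the ldap database, checkpoint under the bdb database, chase-referrals left off); it is not the poster's file nor an OpenLDAP project sample. It assumes the proxy database owns dc=domain,dc=com, since slapd hands a request to the database whose suffix matches its base DN, and puts the local admin on a separate, assumed suffix dc=proxy,dc=local; the server name, bind DN and passwords are placeholders.

```conf
# Added example, not the poster's file: slapd.conf layout for an
# OpenLDAP 2.3 back-ldap proxy to AD with the rwm overlay.
# Placeholders: server.domain.com, <USER>, <CONTAINER>, <password>
# and the local suffix dc=proxy,dc=local are assumed, not real values.
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args
loglevel        0
modulepath      /usr/lib/ldap
moduleload      back_bdb
moduleload      back_ldap
# The overlay module must be loaded before any "overlay rwm" line.
moduleload      rwm

# Proxy database. slapd routes each request to the database whose suffix
# matches the request base, so the proxy must own dc=domain,dc=com.
database        ldap
suffix          "dc=domain,dc=com"
uri             "ldap://server.domain.com"
# "overlay" lives inside the database it applies to; rwm directives follow it.
overlay         rwm
rwm-map         attribute uid sAMAccountName
rwm-map         attribute cn name
rwm-map         attribute mail userPrincipalName
rwm-map         objectclass account user
rwm-map         attribute *
# The bind password sits in clear text here: keep slapd.conf mode 0600,
# owned by the slapd user, and use a least-privilege AD account.
idassert-bind   bindmethod=simple
                binddn="cn=<USER>,ou=<CONTAINER>,dc=domain,dc=com"
                credentials="<password>"
# chase-referrals is left at its default (off), as advised in the thread.

# Local database holding only the admin identity, on its own suffix
# so it cannot shadow the proxied tree. checkpoint belongs here, under
# "database bdb", not in a "backend bdb" section.
database        bdb
suffix          "dc=proxy,dc=local"
rootdn          "cn=admin,dc=proxy,dc=local"
rootpw          "{SSHA}<hash produced by slappasswd>"
directory       "/var/lib/ldap"
checkpoint      512 30
dbconfig        set_cachesize 0 2097152 0
index           objectClass eq
```

A search with base dc=domain,dc=com is then answered through back-ldap, while a bind as cn=admin,dc=proxy,dc=local is served locally without touching AD.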
"DePriest, Jason R." jrdepriest@gmail.com writes:
I was able to get slapd 2.3.35 from Debian's testing tree. The unstable tree has the same version. If I need to go higher, I can just compile it myself.
I've been somewhat holding off on packaging 2.3.37 at Quanah's suggestion, although mostly just due to lack of time. I'll hopefully get to that soon.