I'm bringing up openldap, and I have almost everything working except:
The servers have an existing ldap.conf of:
uri ldap://ldap001.example.com ldap://ldap002.example.com
base dc=example,dc=com
binddn uid=server,cn=config
bindpw xxxxxx
ldap_version 3
...etc...
I'm having trouble figuring out how to create a user that looks like: uid=server,cn=config,dc=example,dc=com
I'd prefer not to visit all the servers to change their ldap.conf files, rather, I'd like to swap out the name service records to point to openldap. To do this, I need to create the uid=server,cn=config user.
Any suggestions? Do I have to build up a new schema entry?
Thanks, </edg> Ed Greenberg
Ed Greenberg writes:
> I'm bringing up openldap, and I have almost everything working except:
> The servers have an existing ldap.conf of:
ldap.conf for pam_ldap (typically /etc/ldap.conf) and not openldap (typically /etc/(open)ldap/ldap.conf), I presume. OpenLDAP ldap.conf does not have ldap_version and bindpw keywords.
> uri ldap://ldap001.example.com ldap://ldap002.example.com
I hope you use TLS as well, otherwise passwords get sent in cleartext over the connection. And to use TLS, the server needs a certificate - and the clients must know the CA-certificate which signed it so they can authenticate the server.
> base dc=example,dc=com
> binddn uid=server,cn=config
> bindpw xxxxxx
The "binddn" value is absolute, not relative to the "base". So use:
binddn uid=server,cn=config,dc=example,dc=com
Except it's a bad idea to spread extended access to the LDAP server to machines all over campus. Presumably you use binddn/bindpw so PAM can read the users' passwords? Instead set up PAM to authenticate users with the LDAP Bind operation. (Bind sends the password to the LDAP server, which checks if it is correct and returns success or error.)
> I'm having trouble figuring out how to create a user that looks like: uid=server,cn=config,dc=example,dc=com
Well, if you do it anyway - something like this:
Include cosine.schema after core.schema in slapd.conf, if you haven't already. (For the 'account' object class, used below.)
$ /usr/sbin/slappasswd -s 'the password'
{SSHA}sWpsmsuoIekmk+KANtZ0RLfRfhyA24W9
Create a file server.ldif with:
dn: uid=server,cn=config,dc=example,dc=com
uid: server
objectClass: account
objectClass: simpleSecurityObject
userPassword: {SSHA}sWpsmsuoIekmk+KANtZ0RLfRfhyA24W9
bin/ldapadd it to the server, or take the server down and then sbin/slapadd it.
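The steps in the reply above (hash the password with slappasswd, write the LDIF entry, load it) can be reproduced without slapd at hand. The following is an added example written for this page, not code from the thread or from OpenLDAP: it builds an RFC 2307 style {SSHA} value the same way slappasswd does by default (SHA-1 over password plus a 4-byte salt, base64 of digest followed by salt), verifies a password against such a value in constant time, and renders the server.ldif entry. The function names, the fixed salt in the demo and the password "the password" are assumptions for illustration; only the hash string and the entry layout come from the thread.

```python
import base64
import hashlib
import hmac
import os

# Hash quoted in the thread, used here only to check that its encoding
# is a 20-byte SHA-1 digest followed by a 4-byte salt.
PAGE_HASH = "{SSHA}sWpsmsuoIekmk+KANtZ0RLfRfhyA24W9"


def ssha_hash(password, salt=b""):
    """Return an RFC 2307 {SSHA} value: base64(sha1(password + salt) + salt).

    slappasswd uses a 4-byte random salt by default; a caller may pass a
    fixed salt (as the demo below does) to get reproducible output.
    """
    if not salt:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_split(stored):
    """Split an {SSHA} value into (digest, salt); raise on other schemes."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value: %r" % stored[:8])
    raw = base64.b64decode(stored[len("{SSHA}"):])
    if len(raw) <= hashlib.sha1().digest_size:
        raise ValueError("{SSHA} value too short to contain a salt")
    return raw[:hashlib.sha1().digest_size], raw[hashlib.sha1().digest_size:]


def ssha_verify(stored, password):
    """Check password against a stored {SSHA} value (constant-time compare)."""
    digest, salt = ssha_split(stored)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def server_entry_ldif(uid, suffix, hashed):
    """Render the account/simpleSecurityObject entry shown in the thread.

    'account' comes from cosine.schema, 'simpleSecurityObject' from core.schema.
    """
    return "\n".join([
        "dn: uid=%s,cn=config,%s" % (uid, suffix),
        "uid: %s" % uid,
        "objectClass: account",
        "objectClass: simpleSecurityObject",
        "userPassword: %s" % hashed,
    ]) + "\n"


if __name__ == "__main__":
    # Demo with a fixed salt so the output is reproducible (assumed value).
    hashed = ssha_hash("the password", salt=b"\x01\x02\x03\x04")
    print(server_entry_ldif("server", "dc=example,dc=com", hashed))
    print("verify ok:", ssha_verify(hashed, "the password"))
    print("wrong pw :", ssha_verify(hashed, "not the password"))
```

The LDIF string can be written to server.ldif and fed to ldapadd as the reply describes; the verify routine is what slapd does internally on a simple Bind, which is also why the reply prefers Bind-based PAM authentication over handing every client a DN that can read userPassword values.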
Seems your moderator made a mistake in approving this thread, it likely should have been redirected to the openldap-technical list to begin with. I'm now closing it. -- Your moderator
On Aug 12, 2008, at 11:50 AM, Ed Greenberg wrote:
openldap-software@openldap.org