On 15/09/11 18:18 +0100, Tim Watts wrote:
Hi,
Sorry - this will sound really dumb... For people who aren't very LDAP savvy, what's the cleanest way to rig an LDAP server that I have root access to, to:
allow unprompted ldap* commands (e.g. ldapmodify).
GoSA has got confused creating a user and I need to manually force some ldif files with minor changes through...
MIT Kerberos has a kadmin.local command that does not care about authentication because it has direct access to the database files.
Is there something similar for OpenLDAP? This is a files based ldap server, not using SQL.
I have located an ldap.secret file but am having trouble authenticating with its content. I'm fairly confused because LDAP appears to have many many ways to handle authentication...
You could use slapcat(8) to add entries.
What I prefer to do instead is use SASL EXTERNAL authentication over ldapi:///, which allows me to use all the standard command line utilities (e.g. ldapsearch). The following is from an older server using a slapd.conf config:
# Map the root user to the rootdn
authz-regexp "gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth" "cn=admin,dc=example,dc=net"
See slapd.conf(5)/slapd-config(5). Then configure default parameters in your ldap.conf, such as:
BASE dc=example,dc=net
URI ldapi:///
And set your /root/.ldaprc to:
SASL_MECH EXTERNAL
See ldap.conf(5).
You'll need to configure your slapd server to listen on ldapi:///, which might be configured in your init.d startup script or, on some Linux distributions, in /etc/default/slapd.
After doing so, I can add entries with:
ldapadd -f entries.ldif
When connecting from remote servers, I use a similar setup using SASL GSSAPI authentication.
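The authz-regexp mapping in the reply above is what decides which local users end up acting as the rootdn, so it is worth seeing exactly what it matches. The following is an added model of that lookup, not code from the thread or from OpenLDAP: it applies authz-regexp style rules (pattern, replacement with $1..$9 back-references) to the SASL identity slapd derives from the connection. The first rule is the one quoted in the reply; the second, for GSSAPI identities from remote hosts, is a hypothetical rule whose realm, ou and suffix are assumptions. slapd's LDAP-URL replacement form (ldap:///...?...) is not modelled here.

```python
import re

# Constructed rule list. Rule 1 is the authz-regexp quoted in the reply above;
# rule 2 is a hypothetical GSSAPI mapping (realm "EXAMPLE.NET", ou=people and the
# dc=example,dc=net suffix are assumptions, not taken from the thread).
AUTHZ_REGEXP = [
    (r"gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth",
     "cn=admin,dc=example,dc=net"),
    (r"uid=([^,]+),cn=example\.net,cn=gssapi,cn=auth",
     "uid=$1,ou=people,dc=example,dc=net"),
]


def map_authz(sasl_identity, rules=AUTHZ_REGEXP):
    """Return the DN the identity would be authorized as, or None if no rule matches.

    slapd compiles each pattern as a case-insensitive POSIX extended regex and uses
    the first rule that matches; this model uses Python's re with IGNORECASE and a
    full match, which is the safe reading for the literal root rule above.
    """
    for pattern, replacement in rules:
        m = re.fullmatch(pattern, sasl_identity, flags=re.IGNORECASE)
        if m is None:
            continue
        # Expand $1..$9 in the replacement from the pattern's capture groups.
        return re.sub(r"\$(\d)", lambda n: m.group(int(n.group(1))), replacement)
    return None


if __name__ == "__main__":
    # Identity slapd builds for a root process connecting over ldapi:///
    root_id = "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
    # Identity for an unprivileged local user on the same socket
    user_id = "gidNumber=1000+uidNumber=1000,cn=peercred,cn=external,cn=auth"
    # Identity for a Kerberos principal alice@EXAMPLE.NET (hypothetical)
    krb_id = "uid=alice,cn=EXAMPLE.NET,cn=gssapi,cn=auth"
    for ident in (root_id, user_id, krb_id):
        print(f"{ident} -> {map_authz(ident)}")
```

Only uid 0 / gid 0 on the local socket is rewritten to cn=admin; any other local user keeps an unmapped identity and therefore gets no rootdn rights, which is what makes the ldapi:// approach reasonably safe as a replacement for a shared rootpw. Note the escaped `\+` in the pattern: the plus sign separating gidNumber and uidNumber is a regex metacharacter, and leaving it unescaped would silently break the match. ldapwhoami -Y EXTERNAL -H ldapi:/// is the quickest way to confirm which DN a real server actually maps you to.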