I meant in terms of the LDIF file:
objectClass: top
objectClass: account
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
objectClass: organizationalPerson
objectClass: inetOrgPerson
The above doesn't work. It says that top/account isn't a valid chain.
-Toby
-----Original Message-----
From: Kline, Sara [mailto:SKline@tnsi.com]
Sent: Tuesday, April 17, 2012 8:45 AM
To: Richards, Toby
Subject: RE: ldapd vs. slapd
1. This is the order mine are in. You can ignore solaris and DUA, as those are for the Solaris boxes; you can also ignore policy, which is for the password policy overlay.
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/DUAConfigProfile.schema
include /etc/openldap/schema/solaris.schema
2. What do you have in your slapd.conf?
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /etc/pki/tls/certs/slapd-cert.pem
TLSCertificateKeyFile /etc/pki/tls/certs/slapd-key.pem
TLSCACertificateFile /etc/pki/tls/certs/slapd-cert.pem
TLSVerifyClient never
security update_ssf=1 update_ssf=112 simple_bind=64
Thanks, Sara Kline
-----Original Message-----
From: openldap-technical-bounces@OpenLDAP.org [mailto:openldap-technical-bounces@OpenLDAP.org] On Behalf Of Richards, Toby
Sent: Tuesday, April 17, 2012 8:25 AM
To: Brandon Hume; openldap-technical@openldap.org
Subject: RE: ldapd vs. slapd
OK got it. I realized that ldapd is a different product after some more research this morning. I've got slapd running & responding; however:
1. I cannot figure out the correct order of objectClass statements to reach inetOrgPerson. I do have the core, cosine, nis, and inetorgperson schemas included in slapd.conf.
2. slapd won't run on port 636 even though I put "TLS_CACERT /path/to/cert.crt" and "URI ldaps://toby.org.org" into ldap.conf
-Toby
-----Original Message-----
From: openldap-technical-bounces@OpenLDAP.org [mailto:openldap-technical-bounces@OpenLDAP.org] On Behalf Of Brandon Hume
Sent: Tuesday, April 17, 2012 7:58 AM
To: openldap-technical@openldap.org
Subject: Re: ldapd vs. slapd
On 04/16/12 11:02 PM, Richards, Toby wrote:
For those of you wondering, I'm running OpenBSD 5.0.
openldap-server-2.4.25p0.tgz (depends on: openldap-client-2.4.25.tgz (depends on cyrus-sasl-2.1.23p7-ldap.tgz)). Typing "ldapd" gets the appropriate tcp/ip ports responding. Typing "/etc/rc.d/slapd start" does something, but doesn't give me responses on 349 or 636.
"ldapd" is a service that comes with OpenBSD, and it definitely is not OpenLDAP. It will start and sit on the same ports, however, making it impossible for you to start slapd.
So don't start ldapd. Kill it if it's already running, then you might be able to start OpenLDAP.
Also, this might have been a typo, but the non-SSL port for LDAP is 389/tcp, not 349.
--On Tuesday, April 17, 2012 8:47 AM -0700 "Richards, Toby" toby.richards@slo.courts.ca.gov wrote:
I meant in terms of the LDIF file:
objectClass: top
objectClass: account
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
objectClass: organizationalPerson
objectClass: inetOrgPerson
Never add top, it is implied.
As I noted, just put objectClass: inetOrgPerson
--Quanah
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
On 04/17/12 12:47 PM, Richards, Toby wrote:
The above doesn't work. It says that top/account isn't a valid chain.
What happens if you leave out "account"? It's a structural objectclass and is likely conflicting with inetOrgPerson.
If you check cosine.schema, you'll see the objectclass "account" as being meant for a computer account. You're essentially adding an entry that says it's for a person *and* a computer. (A cyborg, maybe?) LDAP wants clear lines of inheritance.
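Brandon's point about structural classes, as an added example that is not from the thread: a small Python check over a hand-copied subset of the core, cosine, nis and inetorgperson schemas (class kind and superior only; the SCHEMA table and function names are mine) that rejects Toby's list because account and inetOrgPerson are two structural classes on different inheritance chains, while the nis auxiliary classes are fine alongside inetOrgPerson.

```python
# Added example: why "top, account, ..., inetOrgPerson" fails schema checking.
# The SCHEMA table is a hand-copied subset of core/cosine/nis/inetorgperson
# (kind and superior only), not the full schema slapd loads.

SCHEMA = {
    "top":                  ("ABSTRACT",   None),
    "person":               ("STRUCTURAL", "top"),                  # core.schema
    "organizationalPerson": ("STRUCTURAL", "person"),               # core.schema
    "inetOrgPerson":        ("STRUCTURAL", "organizationalPerson"), # inetorgperson.schema
    "account":              ("STRUCTURAL", "top"),                  # cosine.schema
    "posixAccount":         ("AUXILIARY",  "top"),                  # nis.schema
    "shadowAccount":        ("AUXILIARY",  "top"),                  # nis.schema
}

def ancestors(name):
    """Inheritance chain from name up to top, e.g. inetOrgPerson ->
    [inetOrgPerson, organizationalPerson, person, top]."""
    chain = []
    while name is not None:
        chain.append(name)
        name = SCHEMA[name][1]
    return chain

def check_object_classes(classes):
    """Return (ok, message). An entry needs exactly one structural chain:
    the most derived structural class must have every other structural class
    among its ancestors. 'top' and auxiliary classes never break the chain."""
    unknown = [c for c in classes if c not in SCHEMA]
    if unknown:
        return False, "unknown objectClass: " + ", ".join(unknown)
    structural = [c for c in classes if SCHEMA[c][0] == "STRUCTURAL"]
    if not structural:
        return False, "no structural objectClass"
    leaf = max(structural, key=lambda c: len(ancestors(c)))
    off_chain = [c for c in structural if c not in ancestors(leaf)]
    if off_chain:
        return False, f"structural classes {off_chain[0]} and {leaf} are not on one chain"
    return True, f"structural class {leaf}"

if __name__ == "__main__":
    # Toby's list, then Brandon's suggestion with the nis auxiliary classes kept.
    print(check_object_classes(["top", "account", "person", "posixAccount",
                                "shadowAccount", "organizationalPerson", "inetOrgPerson"]))
    print(check_object_classes(["inetOrgPerson", "posixAccount", "shadowAccount"]))
```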
So I've followed the suggestion to have only the objectClass inetOrgPerson. Now I'm told that there's no such object. My LDIF file:
dn: uid=trichards,dc=toby,dc=org,dc=org
cn: Toby Richards
givenName: Toby
sn: Richards
uid: trichards
mail: trichards@toby.org.org
objectClass: inetOrgPerson
password: {CRYPT}*
Result: ldap_add: No such object (32)
-Toby
--On Wednesday, April 18, 2012 08:19:29 AM -0700 "Richards, Toby" toby.richards@slo.courts.ca.gov wrote:
So I've followed the suggestion to have only the objectClass inetOrgPerson. Now I'm told that there's no such object. My LDIF file:
dn: uid=trichards,dc=toby,dc=org,dc=org
Did you really mean to have dc=org twice?
Bill
Yes. I have one of those free subdomains (org.org), so mine is toby.org.org.
Something is definitely wrong. I've been scouring the Internet for documentation and tutorials. I finally broke down, and downloaded a GUI LDAP tool. Actually, I've tried several including jxplorer and LDAP Administration Tool, but I like the one by Jarek Gawor best:
http://www.novell.com/communities/node/8652/gawors-excellent-ldap-browsereditor-v282
Anyway, the GUI isn't even working. It gives me errors that it can't read dc=toby,dc=org,dc=org. It errors and fails when I try to add a user. I'm not sure what could be wrong with my conf files. They're pretty much set up with all the defaults except with my own realm instead of dc=example,dc=com.
Am I supposed to do something between editing the conf files/starting slapd and adding users?
-Toby
--On Wednesday, April 18, 2012 08:57:20 AM -0700 "Richards, Toby" toby.richards@slo.courts.ca.gov wrote:
Yes. I have one of those free subdomains (org.org), so mine is toby.org.org.
Something is definitely wrong. I've been scouring the Internet for documentation and tutorials. I finally broke down, and downloaded a GUI LDAP tool. Actually, I've tried several including jxplorer and LDAP Administration Tool, but I like the one by Jarek Gawor best:
http://www.novell.com/communities/node/8652/gawors-excellent-ldap-browsereditor-v282
Anyway, the GUI isn't even working. It gives me errors that it can't read dc=toby,dc=org,dc=org. It errors and fails when I try to add a user. I'm not sure what could be wrong with my conf files. They're pretty much set up with all the defaults except with my own realm instead of dc=example,dc=com.
Am I supposed to do something between editing the conf files/starting slapd and adding users?
-Toby
What do you get when you try a base dn search, i.e.
% ldapsearch -h your-host -x -b '' -s base +
Bill
# ldapsearch -h localhost -x -b '' -s base +
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: +
#

#
dn:
structuralObjectClass: OpenLDAProotDSE
configContext: cn=config
namingContexts: dc=toby,dc=org,dc=org
supportedControl: 1.3.6.1.4.1.4203.1.9.1.1
supportedControl: 1.3.6.1.4.1.4203.666.5.16
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 1.3.6.1.4.1.4203.1.10.1
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.826.0.1.3344810.2.3
supportedControl: 1.3.6.1.1.13.2
supportedControl: 1.3.6.1.1.13.1
supportedControl: 1.3.6.1.1.12
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedExtension: 1.3.6.1.1.8
supportedFeatures: 1.3.6.1.1.14
supportedFeatures: 1.3.6.1.4.1.4203.1.5.1
supportedFeatures: 1.3.6.1.4.1.4203.1.5.2
supportedFeatures: 1.3.6.1.4.1.4203.1.5.3
supportedFeatures: 1.3.6.1.4.1.4203.1.5.4
supportedFeatures: 1.3.6.1.4.1.4203.1.5.5
supportedLDAPVersion: 3
supportedSASLMechanisms: OTP
supportedSASLMechanisms: NTLM
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
entryDN:
subschemaSubentry: cn=Subschema

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
#
-Toby
--On Wednesday, April 18, 2012 8:57 AM -0700 "Richards, Toby" toby.richards@slo.courts.ca.gov wrote:
Yes. I have one of those free subdomains (org.org), so mine is toby.org.org.
Something is definitely wrong. I've been scouring the Internet for documentation and tutorials. I finally broke down, and downloaded a GUI LDAP tool. Actually, I've tried several including jxplorer and LDAP Administration Tool, but I like the one by Jarek Gawor best:
http://www.novell.com/communities/node/8652/gawors-excellent-ldap-browsereditor-v282
Anyway, the GUI isn't even working. It gives me errors that it can't read dc=toby,dc=org,dc=org. It errors and fails when I try to add a user. I'm not sure what could be wrong with my conf files. They're pretty much set up with all the defaults except with my own realm instead of dc=example,dc=com.
Am I supposed to do something between editing the conf files/starting slapd and adding users?
Yes, you have to create the database, starting from the top and working your way down.
My DB starts at "", so I have to create the entire structure starting at dc=com. Adjust accordingly for your db:
dn: dc=com
objectClass: organization
objectClass: dcObject
o: com domain
dc: com

dn: dc=vmware,dc=com
objectClass: organization
objectClass: dcObject
o: vmware domain
dc: vmware

dn: dc=eng,dc=vmware,dc=com
objectClass: organization
objectClass: dcObject
o: eng domain
dc: eng

dn: ou=people,dc=eng,dc=vmware,dc=com
objectClass: organizationalRole
ou: people
cn: people
--Quanah
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
Okay. I did that. I must be missing something else:
adding new entry "dc=org"
ldap_add: Server is unwilling to perform (53)
        additional info: no global superior knowledge
Google says that means I'm adding something to a domain that doesn't exist yet. Of course it doesn't exist yet. That's why I'm adding it.
-Toby
--On Wednesday, April 18, 2012 12:17 PM -0700 "Richards, Toby" toby.richards@slo.courts.ca.gov wrote:
Okay. I did that. I must be missing something else:
adding new entry "dc=org" ldap_add: Server is unwilling to perform (53) additional info: no global superior knowledge
Google says that means I'm adding something to a domain that doesn't exist yet. Of course it doesn't exist yet. That's why I'm adding it.
a) Please stop top posting.
b) Please re-read what I wrote about this. Clearly, you can only create a DB for what your server knows about. Look at your value for olcSuffix. That is the first entry you need to create. For example, if your olcSuffix is dc=org,dc=org, then the first entry you need to create is for dc=org,dc=org, and NOT dc=org.
--Quanah
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
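Quanah's rule from his two replies, as an added example that is not from the thread: given the database suffix (the namingContexts value Toby's root DSE search returned) and the DN of the entry to add, compute the container entries that must exist first, starting at the suffix itself rather than at dc=org, and refuse a DN outside the suffix, which is the situation behind "no global superior knowledge". The helper names and the LDIF templates (dcObject/organization for dc= components as in Quanah's LDIF, organizationalUnit for ou= components) are my choices.

```python
# Added example: derive the container entries slapd needs before a leaf
# entry can be added, starting at the database suffix. Not code from the thread.

def split_dn(dn):
    """Split 'uid=x,dc=toby,dc=org,dc=org' into [('uid','x'), ('dc','toby'), ...].
    Assumes no escaped commas or '=' inside values (true for the DNs in this thread)."""
    return [tuple(part.strip().split("=", 1)) for part in dn.split(",")]

def join_dn(rdns):
    return ",".join(f"{attr}={value}" for attr, value in rdns)

def is_under(suffix, dn):
    """True if dn is the suffix itself or lies below it (case-insensitive compare)."""
    s = [(a.lower(), v.lower()) for a, v in split_dn(suffix)]
    d = [(a.lower(), v.lower()) for a, v in split_dn(dn)]
    return len(d) >= len(s) and d[-len(s):] == s

def chain_to(suffix, target_dn):
    """DNs that must exist before target_dn can be added, suffix first, down to
    target_dn's parent. Raises ValueError when target_dn is outside the suffix:
    the server holds no superior for it, which is what 'no global superior
    knowledge' reports (e.g. adding dc=org to a dc=toby,dc=org,dc=org database)."""
    if not is_under(suffix, target_dn):
        raise ValueError(f"{target_dn} is not under suffix {suffix}; create {suffix} first")
    rdns = split_dn(target_dn)
    depth = len(split_dn(suffix))
    return [join_dn(rdns[-k:]) for k in range(depth, len(rdns))]

def container_ldif(dn):
    """One LDIF entry for a container: dc= parts follow the dcObject/organization
    shape Quanah posted, ou= parts become organizationalUnit (my template choice)."""
    attr, value = split_dn(dn)[0]
    if attr.lower() == "dc":
        return (f"dn: {dn}\nobjectClass: organization\nobjectClass: dcObject\n"
                f"o: {value} domain\ndc: {value}\n")
    if attr.lower() == "ou":
        return f"dn: {dn}\nobjectClass: organizationalUnit\nou: {value}\n"
    raise ValueError(f"no container template for {attr}=")

def bootstrap_ldif(suffix, target_dn):
    """LDIF for every container from the suffix down to target_dn's parent,
    in the order ldapadd must see them."""
    return "\n".join(container_ldif(dn) for dn in chain_to(suffix, target_dn))

if __name__ == "__main__":
    # Toby's suffix from his root DSE output, with a people OU added under it.
    print(bootstrap_ldif("dc=toby,dc=org,dc=org",
                         "uid=trichards,ou=people,dc=toby,dc=org,dc=org"))
```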