--On Tuesday, February 07, 2017 5:01 PM -0700 scar <scar@drigon.com> wrote:

> Well it's kind of a mess here and my lack of experience with LDAP isn't helping much. There is no slapd-config program although there is a manual page entry for it. "yum whatprovides */slapd-config" returns no packages.
slapd-config is not a program. It's a database format. Please read the man page for slapd-config(5).
> I was able to enable users to change their passwords by directly modifying /etc/openldap/slapd.d/cn=config/olcDatabase={1}bdb.ldif and adding these lines to the bottom:
As noted at the top of those files, you should never, ever, manually modify them by hand. You should be using the correct ldap client operations. You can do this via ldapadd, ldapmod, etc.
> I know that's not proper, but I needed users to be able to change their password. Thanks for the info about ACLs. The "next to last ACL" mentioned is for the "database monitor" (see slapd.conf below) and I'm not sure why "by * read" should be granted that access; perhaps you can shed some light on why that exists in our config? Maybe I don't need ACLs for that so only rootdn has access?
That would be a separate block of ACLs that only applies to the monitor backend. There is no requirement that by * read have access to the monitoring backend. Who/what should have access to it depends on your requirements.
> We have a new LDAP server that I am setting up, so I'd like to focus on moving the database and getting the new server into production, and we can iron out the wrinkles in this mess at the same time. My understanding is that I can use slapcat/slapadd to do the export/import...
>
> I used "slapcat > /tmp/ldif" on the current server, then moved the ldif and updated [slapd.conf] (see below) file to the new server, then ran "slapadd -l /tmp/ldif -l /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/", but I get an error when trying to start slapd: "ls: cannot access /etc/openldap/slapd.d//cn=config/olcDatabase*.ldif: No such file or directory". So how am I supposed to get the slapd.d/* files? If I am to just copy those over from the current server then I'd like to figure out why I had to modify the ldif file directly...
Your first slapcat exports the binary database; it has zero to do with the slapd-config database. Please read the manpage for slapcat on the proper way to export your slapd-config database. You don't use slapd.conf; you should stop doing anything with it, as it is immaterial. You will need to export/import your slapd-config database prior to importing your binary database.
> The current LDAP server is running RHEL 6.8 with kernel 2.6.32-642.11.1.el6.x86_64. The new LDAP server is running CentOS 6.8 with kernel 2.6.32-642.13.1.el6.x86_64. The nss/pam configuration for one of our clients is this (I hope this is what Michael Wandel meant):
The RHEL build of OpenLDAP is known to be problematic, outdated, and it links to the insecure MozNSS libraries. I personally would recommend against using it. If you want to use a third-party OpenLDAP build, such as RedHat's, you may find the LTB project build a better bet. If you require support for your LDAP deployment, Symas offers supported builds for RHEL.
Regards,
Quanah

--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP: http://www.symas.com
openldap-technical@openldap.org
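The export/import order Quanah describes (cn=config first, then the data database), as an added shell example that is not from the thread or from the OpenLDAP project. It assumes cn=config lives in /etc/openldap/slapd.d, the data database is at index 1 (the {1}bdb of this config), and slapd is stopped on the target host before the import; the OUTDIR path and the helper names are my own choices.

```shell
#!/bin/sh
# Migrate an OpenLDAP server that uses cn=config: dump database 0 (the
# slapd-config tree) and database 1 (the data) with slapcat on the old host,
# then load them with slapadd on the new host in the same order.
# Assumed defaults; override with environment variables.
CONFDIR="${CONFDIR:-/etc/openldap/slapd.d}"
OUTDIR="${OUTDIR:-/tmp/ldap-migrate}"

export_databases() {
    # The config dump carries olcRootPW hashes and other secrets: keep the
    # LDIF files readable only by the user running the export.
    umask 077
    mkdir -p "$OUTDIR" || return 1
    # -n 0 selects cn=config; this is what slapd.d is rebuilt from on the target.
    slapcat -n 0 -F "$CONFDIR" -l "$OUTDIR/config.ldif" || return 1
    # -n 1 selects the first data database (olcDatabase={1}...).
    slapcat -n 1 -F "$CONFDIR" -l "$OUTDIR/data.ldif" || return 1
    # Sanity check: a config dump always starts at the cn=config root entry.
    grep -q '^dn: cn=config$' "$OUTDIR/config.ldif"
}

import_databases() {
    # slapadd -n 0 populates slapd.d; refuse to write into a non-empty one so
    # a hand-edited or stale config tree is never silently merged.
    if [ -n "$(ls -A "$CONFDIR" 2>/dev/null)" ]; then
        echo "refusing to import: $CONFDIR is not empty" >&2
        return 1
    fi
    mkdir -p "$CONFDIR" || return 1
    # Config first: this creates cn=config/olcDatabase={N}*.ldif, the files
    # the init script looks for, so slapd.conf is never needed on the new host.
    slapadd -n 0 -F "$CONFDIR" -l "$OUTDIR/config.ldif" || return 1
    # Then the data, now that slapd knows which backend and directory to use.
    slapadd -n 1 -F "$CONFDIR" -l "$OUTDIR/data.ldif" || return 1
    # After this, chown the config and data directories to the slapd user
    # (ldap:ldap on RHEL/CentOS) before starting the service.
}

# Usage: ./migrate.sh export   (on the old host)
#        ./migrate.sh import   (on the new host, slapd stopped)
case "${1:-}" in
    export) export_databases ;;
    import) import_databases ;;
esac
```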