I've been attempting to get an OpenLDAP server running all day, and I've been reading official documentation, tutorials, and anything else relevant on Google. I have some questions:
1. What is the difference between ldapd & slapd (and commands such as ldapadd & slapdadd)? Slapd doesn't seem to respond on LDAP ports, but ldapd does.
2. When using commands & configuring ldap.conf, can I use an IP address instead of an FQDN for the host URI?
3. Do self-signed certificates break ldapadd?
4. I'm running with an SSL certificate, but no TLS. I commonly get the error "Confidentiality Required." The -Z option is for TLS. How do I tell ldapadd that I'm using SSL only? I tried with -Hldaps://hostname:636, but then I get "ldap_sasl_bind(SIMPLE): Can't connect to LDAP server" (even if I use the -x option). I know that the ldap server is running because when ldapd is running, I can connect with external tools such as jxplorer or ldap-at (but trying to make changes to my database will crash both of those utilities).
Respectfully Submitted, R. Toby Richards Network Administrator Superior Court of California In and For the County of San Luis Obispo (805) 781-4150
--On Monday, April 16, 2012 03:00:48 PM -0700 "Richards, Toby" toby.richards@slo.courts.ca.gov wrote:
I've been attempting to get an OpenLDAP server running all day, and I've been reading official documentation, tutorials, and anything else relevant on Google. I have some questions:
First, it would be helpful to know what version of OpenLDAP you are attempting to use and on what OS.
- What is the difference between ldapd & slapd (and commands such as ldapadd & slapdadd)? Slapd doesn't seem to respond on LDAP ports, but ldapd does.
The LDAP server provided with OpenLDAP is slapd. I don't know what you are referring to when you talk about ldapd.
The executive summary of the difference between slapadd and ldapadd is slapadd operates directly on the database and ldapadd operates over protocol. Or in other words you can slapadd entries to the database without having the slapd daemon running. The best documentation for these commands is the man pages that are delivered with OpenLDAP, i.e. 'man slapadd' and 'man ldapadd'.
- When using commands & configuring ldap.conf, can I use an IP address instead of an FQDN for the host URI?
Yes.
- Do self-signed certificates break ldapadd?
No.
- I'm running with an SSL certificate, but no TLS. I commonly get the error "Confidentiality Required." The -Z option is for TLS. How do I tell ldapadd that I'm using SSL only? I tried with -Hldaps://hostname:636, but then I get "ldap_sasl_bind(SIMPLE): Can't connect to LDAP server" (even if I use the -x option). I know that the ldap server is running because when ldapd is running, I can connect with external tools such as jxplorer or ldap-at (but trying to make changes to my database will crash both of those utilities).
You probably should drop back and get a working ldap server first with a minimum amount of data. It will make the changes that you make to support secure connections to the directory simpler to test. It is also useful to run the server interactively in debug mode so you can see what is happening. On a Debian system you would use the command:
/usr/sbin/slapd -d 1
When you are testing it makes a lot of sense to use ldapsearch as your first client.
Bill
--
Bill MacAllister Infrastructure Delivery Group, Stanford University
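As an added example (not from Bill's message or from the OpenLDAP project), the sequence his advice describes, as a shell script: a minimal slapd.conf with a single base entry, the offline slapadd load beside the over-the-protocol ldapadd load, slapd run in the foreground with -d 1, and an anonymous ldapsearch of the root DSE as the first client test. SCHEMA_DIR, WORKDIR, the hdb backend (the 2.4.x tree of this thread; 2.5+ uses mdb) and the rootpw value are assumptions for a lab machine, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): stand up a minimal slapd and load one
# entry two ways, offline with slapadd and over the protocol with ldapadd.
# Assumptions (placeholders, adjust for your system): SCHEMA_DIR is where the
# OpenLDAP schema files live, WORKDIR is a scratch directory, the backend is
# hdb (2.4.x), and ROOTPW is a throwaway lab value (use a slappasswd hash on
# anything real).
SCHEMA_DIR=${SCHEMA_DIR:-/usr/local/share/examples/openldap/schema}
WORKDIR=${WORKDIR:-/tmp/slapd-lab}
SUFFIX="dc=example,dc=com"
ROOTDN="cn=admin,$SUFFIX"
ROOTPW="lab-only-secret"

# Write a minimal slapd.conf and print its path.
write_min_slapd_conf() {
  mkdir -p "$WORKDIR/data"
  conf="$WORKDIR/slapd.conf"
  cat > "$conf" <<EOF
include   $SCHEMA_DIR/core.schema
include   $SCHEMA_DIR/cosine.schema
include   $SCHEMA_DIR/inetorgperson.schema
pidfile   $WORKDIR/slapd.pid
argsfile  $WORKDIR/slapd.args
database  hdb
suffix    "$SUFFIX"
rootdn    "$ROOTDN"
rootpw    $ROOTPW
directory $WORKDIR/data
index     objectClass eq
EOF
  echo "$conf"
}

# Write the LDIF for the base entry only ("a minimum amount of data"); print its path.
write_base_ldif() {
  ldif="$WORKDIR/base.ldif"
  cat > "$ldif" <<EOF
dn: $SUFFIX
objectClass: top
objectClass: dcObject
objectClass: organization
dc: example
o: Example Org
EOF
  echo "$ldif"
}

# slapadd writes straight into the database files: slapd must NOT be running,
# and no URI, port or bind is involved.
load_offline() {
  slapadd -f "$1" -l "$2"
}

# ldapadd is an LDAP client: it needs a listening slapd, a URI and a bind.
load_online() {
  ldapadd -x -H "ldap://127.0.0.1:389" -D "$ROOTDN" -w "$ROOTPW" -f "$1"
}

# Run slapd in the foreground at debug level 1 so errors land on the terminal.
start_debug() {
  slapd -f "$1" -h "ldap:///" -d 1
}

# First client test: an anonymous root DSE read needs no data loaded at all.
probe() {
  ldapsearch -x -H "ldap://127.0.0.1:389" -b "" -s base namingContexts
}

# Only generate the files when the real tools are installed; the loads and the
# server start are left to the operator because they need a stopped/started slapd.
if command -v slapadd >/dev/null 2>&1; then
  CONF=$(write_min_slapd_conf)
  LDIF=$(write_base_ldif)
  echo "offline load (slapd stopped): slapadd -f $CONF -l $LDIF"
  echo "then start:                   slapd -f $CONF -h ldap:/// -d 1"
fi
```

slapadd creates the database files as whoever runs it; run it as the account slapd will run under (or fix ownership afterwards), or slapd will fail to open the directory it was just given. If probe succeeds but load_online fails, the problem is in the bind or ACLs, not in the listener, which is exactly the separation Bill's order of steps is meant to give you.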
For those of you wondering, I'm running OpenBSD 5.0. openldap-server-2.4.25p0.tgz (depends on: openldap-client-2.4.25.tgz (depends on cyrus-sasl-2.1.23p7-ldap.tgz)). Typing "ldapd" gets the appropriate tcp/ip ports responding. Typing "/etc/rc.d/slapd start" does something, but doesn't give me responses on 349 or 636.
Respectfully Submitted, R. Toby Richards Network Administrator Superior Court of California In and for the County of San Luis Obispo (805) 781-4150
From: Bill MacAllister [whm@stanford.edu] Sent: Monday, April 16, 2012 3:31 PM To: Richards, Toby; openldap-technical@openldap.org Subject: Re: ldapd vs. slapd
--On Monday, April 16, 2012 07:02:09 PM -0700 "Richards, Toby" toby.richards@slo.courts.ca.gov wrote:
For those of you wondering, I'm running OpenBSD 5.0. openldap-server-2.4.25p0.tgz (depends on: openldap-client-2.4.25.tgz (depends on cyrus-sasl-2.1.23p7-ldap.tgz)). Typing "ldapd" gets the appropriate tcp/ip ports responding. Typing "/etc/rc.d/slapd start" does something, but doesn't give me responses on 349 or 636.
If you have questions about ldapd you need to find another list. OpenLDAP does not include ldapd.
If you have questions about OpenLDAP then you need to get some sort of log message that would give us a ghost of a chance at responding to you. You will get lots of logging if you start up the slapd binary with the '-d 1' switch.
Bill
On 04/16/12 11:02 PM, Richards, Toby wrote:
For those of you wondering, I'm running OpenBSD 5.0. openldap-server-2.4.25p0.tgz (depends on: openldap-client-2.4.25.tgz (depends on cyrus-sasl-2.1.23p7-ldap.tgz)). Typing "ldapd" gets the appropriate tcp/ip ports responding. Typing "/etc/rc.d/slapd start" does something, but doesn't give me responses on 349 or 636.
"ldapd" is a service that comes with OpenBSD, and it definitely is not OpenLDAP. It will start and sit on the same ports, however, making it impossible for you to start slapd.
So don't start ldapd. Kill it if it's already running, then you might be able to start OpenLDAP.
Also, this might have been a typo, but the non-SSL port for LDAP is 389/tcp, not 349.
OK got it. I realized that ldapd is a different product after some more research this morning. I've got slapd running & responding; however:
1. I cannot figure out the correct order of objectClass statements to reach inetOrgPerson. I do have the core, cosine, nis, and inetorgperson schemas included in slapd.conf.
2. slapd won't run on port 636 even though I put "TLS_CACERT /path/to/cert.crt" and "URI ldaps://toby.org.org" into ldap.conf
-Toby
-----Original Message----- From: openldap-technical-bounces@OpenLDAP.org [mailto:openldap-technical-bounces@OpenLDAP.org] On Behalf Of Brandon Hume Sent: Tuesday, April 17, 2012 7:58 AM To: openldap-technical@openldap.org Subject: Re: ldapd vs. slapd
--On Tuesday, April 17, 2012 8:25 AM -0700 "Richards, Toby" toby.richards@slo.courts.ca.gov wrote:
OK got it. I realized that ldapd is a different product after some more research this morning. I've got slapd running & responding; however:
- I cannot figure out the correct order of objectClass statements to reach inetOrgPerson. I do have the core, cosine, nis, and inetorgperson schemas included in slapd.conf.
This is too vague to know really how to help you. My *guess* is that you are talking about adding an entry with inetOrgPerson. Just put
dn: <whatever>
objectClass: inetOrgPerson
- slapd won't run on port 636 even though I put "TLS_CACERT /path/to/cert.crt" and "URI ldaps://toby.org.org" into ldap.conf
Define "won't run". Did you tell slapd to listen on port 636? I.e., -h "ldap:/// ldaps:///" as the options to slapd?
--Quanah
--
Quanah Gibson-Mount Sr. Member of Technical Staff Zimbra, Inc A Division of VMware, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration
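As an added example (not Quanah's code or the project's), two checks that follow from his two answers. The first walks every objectClass listed in an LDIF entry up its SUP chain using a hand-coded subset of core.schema and inetorgperson.schema and reports the MUST attributes that are missing, which is what slapd enforces: the order of objectClass values is irrelevant, and listing inetOrgPerson alone is sufficient as long as sn and cn (inherited from person) are present. The second keeps the server side apart from ldap.conf: the TLS* directives belong in slapd.conf, and the ldaps:/// listener is a -h argument to slapd, while TLS_CACERT and URI in ldap.conf only steer the client. The schema subset, file paths and host names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Part 1 validates an inetOrgPerson LDIF
# entry against the objectClass SUP chain; part 2 shows where the ldaps pieces
# live on the server side. The schema facts are a hand-coded subset of
# core.schema / inetorgperson.schema; paths and hosts are placeholders.

# Direct superior of an object class (empty string once "top" is reached).
superior_of() {
  case "$1" in
    inetOrgPerson)        echo organizationalPerson ;;
    organizationalPerson) echo person ;;
    person)               echo top ;;
    *)                    echo "" ;;
  esac
}

# MUST attributes declared by each class itself (person inherits nothing
# further; inetOrgPerson and organizationalPerson add only MAY attributes).
must_attrs_of() {
  case "$1" in
    person) echo "sn cn" ;;
    top)    echo "objectClass" ;;
    *)      echo "" ;;
  esac
}

# Print the MUST attributes missing from a one-entry LDIF file, one per line,
# and return 1 if any are missing; return 0 silently when the entry is complete.
# Attribute names are case-insensitive in LDAP, hence grep -i.
check_entry_ldif() {
  file=$1
  grep -iq '^dn:' "$file" || { echo "dn"; return 1; }
  classes=$(grep -i '^objectClass:' "$file" | cut -d: -f2 | tr -d ' ')
  [ -n "$classes" ] || { echo "objectClass"; return 1; }
  missing=""
  for oc in $classes; do
    c=$oc
    while [ -n "$c" ]; do                  # climb the SUP chain to top
      for a in $(must_attrs_of "$c"); do
        grep -iq "^$a:" "$file" || missing="$missing $a"
      done
      c=$(superior_of "$c")
    done
  done
  [ -z "$missing" ] && return 0
  echo "$missing" | tr ' ' '\n' | sed '/^$/d' | sort -u
  return 1
}

# Part 2: server-side TLS directives go in slapd.conf (placeholder paths).
append_tls_directives() {
  conf=$1; cert=$2; key=$3; ca=$4
  cat >> "$conf" <<EOF
TLSCACertificateFile $ca
TLSCertificateFile $cert
TLSCertificateKeyFile $key
EOF
}

# The listener list is a slapd start-up argument, not a config-file entry;
# without ldaps:/// here nothing listens on 636 whatever ldap.conf says.
slapd_listen_cmd() {
  echo "slapd -f $1 -h \"ldap:/// ldaps:///\" -d 1"
}

# Client-side check of the ldaps listener, trusting the self-signed CA for this
# call via the client library's LDAPTLS_CACERT variable; no -Z, since ldaps://
# is already TLS from the first byte (-Z is StartTLS on the 389 listener).
ldaps_probe() {
  LDAPTLS_CACERT=$1 ldapsearch -x -H "ldaps://$2:636" -b "" -s base namingContexts
}
```

Run check_entry_ldif on the file before ldapadd: a non-zero exit plus the printed names tells you what slapd's "Object class violation" would otherwise have complained about. After append_tls_directives, start slapd with the command slapd_listen_cmd prints and confirm 636 with ldaps_probe before touching any client's ldap.conf.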
--On Monday, April 16, 2012 3:00 PM -0700 "Richards, Toby" toby.richards@slo.courts.ca.gov wrote:
I've been attempting to get an OpenLDAP server running all day, and I've been reading official documentation, tutorials, and anything else relevant on Google. I have some questions:
There is no process named "ldapd" that comes with OpenLDAP.
--Quanah