  #1  Just Joined! | Join Date: Apr 2012 | Posts: 8

    OpenLDAP + RH 5.7 64 bits

    Messrs.
    I need your help to open my mind in order to resolve some outstanding issues. I have a Red Hat 5.7 server and want to install OpenLDAP to centralize access to servers.
    However, my doubt is not about the installation; it is about how I can separate access, e.g.:
    the DBAs can only access the database servers
    the network staff can only access the servers related to networks
    production personnel can only access the backup machine
    Finally, how can I put access rules in LDAP?
    Would groups be possible? Or should I separate this in sshd_config in /etc/ssh?
    Would there be some easier way to configure this in LDAP?
    Or would I have to use the ACL settings?
    Would anyone have any ideas?
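    An added example, not from the thread, of the split the question is asking about: keep the group membership in LDAP and let each class of server enforce it with a single AllowGroups line in sshd_config, so the per-host configuration carries only a role and never a list of users. The LDIF below is constructed (a stand-in for what ldapsearch returns for posixGroup entries), and the role-to-group map, group names and user names are all assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): LDAP groups decide who may log in on
# each class of server; sshd on each host only needs "AllowGroups <group>".

# Constructed LDIF standing in for:
#   ldapsearch -LLL '(objectClass=posixGroup)' cn memberUid
GROUPS_LDIF='dn: cn=dba,ou=groups,dc=example,dc=com
cn: dba
memberUid: alice
memberUid: bob

dn: cn=netops,ou=groups,dc=example,dc=com
cn: netops
memberUid: carol

dn: cn=backup,ou=groups,dc=example,dc=com
cn: backup
memberUid: dave
memberUid: alice
'

# Assumed host-role -> LDAP group(s) mapping, one role per line.
ROLE_GROUPS='db dba
network netops
backup backup'

# groups_for_role ROLE: print the LDAP group(s) allowed on hosts of ROLE.
groups_for_role() {
    printf '%s\n' "$ROLE_GROUPS" |
        awk -v r="$1" '$1 == r { for (i = 2; i <= NF; i++) print $i }'
}

# members_of GROUP: print the memberUid values of GROUP from the LDIF.
members_of() {
    printf '%s\n' "$GROUPS_LDIF" | awk -v g="$1" '
        /^cn: /        { cur = substr($0, 5) }
        /^memberUid: / { if (cur == g) print substr($0, 12) }'
}

# sshd_allowgroups ROLE: the sshd_config line a host of that ROLE should carry.
sshd_allowgroups() {
    printf 'AllowGroups %s\n' "$(groups_for_role "$1" | tr '\n' ' ' | sed 's/ $//')"
}

# may_login UID ROLE: exit 0 if UID is in a group allowed on ROLE hosts, else 1.
may_login() {
    for g in $(groups_for_role "$2"); do
        members_of "$g" | grep -qx -- "$1" && return 0
    done
    return 1
}

# Show the sshd line for each role and evaluate a few constructed users.
if [ "${1:-}" = "--demo" ]; then
    for role in db network backup; do
        printf '%-8s %s\n' "$role:" "$(sshd_allowgroups "$role")"
    done
    for who in alice carol dave; do
        for role in db network backup; do
            may_login "$who" "$role" && printf '%s may log in on %s hosts\n' "$who" "$role"
        done
    done
fi
```

    AllowGroups is matched against the groups the operating system resolves for the user, so the LDAP groups must be visible through NSS on every host (nss_ldap on RHEL 5; nslcd or sssd on RHEL 6); the LDAP directory only has to be the single place where membership is edited.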

  #2  Just Joined! | Join Date: Aug 2002 | Location: Laguna Salada | Posts: 12
    When you say access, you mean access over what?

    SSH, samba?

    Win boxes, linux boxes?

  #3  Just Joined! | Join Date: Apr 2012 | Posts: 8
    Thanks for the help, friend.

    I do not understand what you mean, but I have another problem to solve.
    I appreciate the help!

    LDAP server 2.4.23 on Red Hat 6.2 64-bit

    1_) LDAP packages installed:

    [root@xxxx openldap]# rpm -qa | grep -i ^openl
    openldap-4.2.23-20.el6.x86_64
    openldap-servers-2.4.23-20.el6.x86_64
    openldap-clients-2.4.23-20.el6.x86_64
    openldap-devel-2.4.23-20.el6.x86_64

    2_) permissions of the directory /etc/openldap:

    [root@xxxx openldap]# ls -l /etc/openldap

    -rw-rw---- 1 ldap ldap 845 Jul 9 16:07 DB_CONFIG.example
    -rw-rw---- 1 ldap ldap 272 Jul 10 16:02 ldap.conf
    -rw-rw---- 1 ldap ldap 245 Jul 9 16:07 ldap.conf.default
    -rw-rw---- 1 ldap ldap 2291 Jul 9 17:50 olcDatabase={2}bdb.ldif.original
    drw-rw---- 2 ldap ldap 4096 Jul 9 17:25 schema
    -rw-r--r-- 1 ldap ldap 2491 Jul 10 16:49 slapd.conf
    -rw-r--r-- 1 ldap ldap 2491 Jul 10 16:49 slapd.conf.bak
    -rw-r----- 1 ldap ldap 3419 Jul 10 16:23 slapd.conf.bak-ori
    -rw-rw---- 1 ldap ldap 2092 Jul 9 16:07 slapd.conf.default
    drw-rw---- 3 ldap ldap 4096 Jul 10 16:53 slapd.d
    -rw-r--r-- 1 ldap ldap 1470 Jul 10 16:48 slapd.ldif
    -rw-rw---- 1 ldap ldap 2577 Jul 9 16:07 slapd.ldif.default

    3_) more slapd.conf:

    [root@xxxx openldap]# more slapd.conf

    #
    ###### SAMPLE 1 - SIMPLE DIRECTORY ############
    #
    # NOTES: inetorgperson picks up attributes and objectclasses
    # from all three schemas
    #
    # NB: RH Linux schemas in /etc/openldap
    #
    include /usr/local/etc/openldap/schema/core.schema
    include /usr/local/etc/openldap/schema/cosine.schema
    include /usr/local/etc/openldap/schema/inetorgperson.schema


    # NO SECURITY - no access clause
    # defaults to anonymous access for read
    # only rootdn can write

    # NO REFERRALS

    # DON'T bother with ARGS file unless you feel strongly
    # slapd scripts stop scripts need this to work
    pidfile /var/run/slapd.pid

    # enable a lot of logging - we might need it
    # but generates huge logs
    loglevel -1

    # MODULELOAD definitions
    # not required (comment out) before version 2.3
    moduleload back_bdb.la

    # NO TLS-enabled connections

    # backend definition not required

    #######################################################################
    # bdb database definitions
    #
    # replace example and com below with a suitable domain
    #
    # If you don't have a domain you can leave it since example.com
    # is reserved for experimentation or change them to my and inc
    #
    #######################################################################

    database bdb
    suffix "dc=energia,dc=org,dc=br"

    # root or superuser
    rootdn "cn=manager,dc=energia,dc=org,dc=br"
    rootpw {SSHA}nqOy2+SMCkZOl/6/CUmPhlWjwy2FJ7EH
    # The database directory MUST exist prior to running slapd AND
    # change path as necessary
    directory /var/lib/ldap

    # Indices to maintain for this directory
    # unique id so equality match only
    index uid eq
    # allows general searching on commonname, givenname and email
    index cn,gn,mail eq,sub
    # allows multiple variants on surname searching
    index sn eq,sub
    # sub above includes subintial,subany,subfinal
    # optimise department searches
    index ou eq
    # if searches will include objectClass uncomment following
    # index objectClass eq
    # shows use of default index parameter
    index default eq,sub
    # indices missing - uses default eq,sub
    index telephonenumber

    # other database parameters
    # read more in slapd.conf reference section
    cachesize 10000
    checkpoint 128 15

    # before the first database definition
    database config
    # # NOTE: the suffix is hardcoded as cn=config and
    # # MUST not have a suffix directive
    # # normal rules apply - rootdn can be anything you want
    # # but MUST be under cn=config
    rootdn "cn=admin,cn=config"
    # # use any of the supported password formats e.g. {SSHA} etc
    # # or plaintext as shown
    rootpw "cn=admin,cn=config"

    4_) more slapd.ldif:
    ## DEFINE DIT ROOT/BASE/SUFFIX ####
    ## uses RFC 2377 format
    ## replace example and com as necessary below
    ## or for experimentation leave as is

    ## dcObject is an AUXILLIARY objectclass and MUST
    ## have a STRUCTURAL objectclass (organization in this case)
    # this is an ENTRY sequence and is preceded by a BLANK line

    dn: dc=energia,dc=org,dc=br
    dc: energia
    description: My wonderful company as much text as you want to place
    in this line up to 32K continuation data for the line above must
    have <CR> or <CR><LF> i.e. ENTER works
    on both Windows and *nix system - new line MUST begin with ONE SPACE
    objectClass: dcObject
    objectClass: organization
    o: Energia, Inc.

    ## FIRST Level hierarchy - people
    ## uses mixed upper and lower case for objectclass
    # this is an ENTRY sequence and is preceded by a BLANK line

    dn: ou=people,dc=energia,dc=org,dc=br
    ou: people
    description: All people in organisation
    objectclass: organizationalunit

    ## SECOND Level hierarchy
    ## ADD a single entry under FIRST (people) level
    # this is an ENTRY sequence and is preceded by a BLANK line
    # the ou: Human Resources is the department name

    dn: cn=Robert Smith,ou=people,dc=energia,dc=org,dc=br
    objectclass: inetOrgPerson
    cn: Robert Smith
    cn: Robert J Smith
    cn: bob smith
    sn: smith
    uid: rjsmith
    userpassword: rJsmitH
    carlicense: HISCAR 123
    homephone: 555-111-2222
    mail: r.smith@example.com
    mail: rsmith@example.com
    mail: bob.smith@example.com
    description: swell guy
    ou: Human Resources

    5_) Creating the database

    [root@xxxx openldap]# slapadd -f slapd.conf -l slapd.ldif -F /var/lib/ldap
    4ffc87c3 bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
    _#################### 100.00% eta none elapsed none fast!
    Closing DB...

    6_) permissions of the directory /var/lib/ldap:

    [root@xxxx openldap]# ls -l /var/lib/ldap

    -rw-r--r-- 1 ldap ldap      2048 Jul 10 17:13 alock
    -rw------- 1 ldap ldap      8192 Jul 10 16:51 cn.bdb
    -rw------- 1 ldap ldap     24576 Jul 10 17:13 __db.001
    -rw------- 1 ldap ldap   4702208 Jul 10 17:13 __db.002
    -rw------- 1 ldap ldap 125124608 Jul 10 17:13 __db.003
    -rw------- 1 ldap ldap     98304 Jul 10 17:13 __db.004
    -rw------- 1 ldap ldap   1179648 Jul 10 17:13 __db.005
    -rw------- 1 ldap ldap     32768 Jul 10 17:13 __db.006
    -rw-rw-r-- 1 ldap ldap        98 Jul  9 18:39 DB_CONFIG
    -rw------- 1 ldap ldap      8192 Jul 10 16:51 dn2id.bdb
    -rw------- 1 ldap ldap     32768 Jul 10 16:51 id2entry.bdb
    -rw------- 1 ldap ldap  10485760 Jul 10 17:13 log.0000000001
    -rw------- 1 ldap ldap      8192 Jul 10 16:51 mail.bdb
    -rw------- 1 ldap ldap      8192 Jul 10 16:51 ou.bdb
    -rw------- 1 ldap ldap      8192 Jul 10 16:51 sn.bdb
    -rw------- 1 ldap ldap      8192 Jul 10 16:51 uid.bdb

    7_) more DB_CONFIG:

    [root@xxxx openldap]# more /var/lib/ldap/DB_CONFIG

    set_cachesize 0 100097152 0
    set_lk_max_objects 1500
    set_lk_max_locks 1500
    set_lk_max_lockers 1500

    8_) Import the slapd.conf file:

    slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
    bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
    config file testing succeeded

    9_) Error bringing up the service:

    [root@xxx ldap]# /etc/init.d/slapd start
    Checking configuration files for slapd: [FAILED]
    ldif_read_file: Permission denied for "/etc/openldap/slapd.d/cn=config.ldif"
    slaptest: bad configuration file!

    10_) Permissions of cn=config.ldif:

    drwx------ 3 ldap ldap 4096 Jul 9 18:55 cn=config
    -rw------- 1 ldap ldap  886 Jul 9 17:39 cn=config.ldif

    11_) Test.

    [root@xxx openldap]# slapd -d -1 -f /etc/openldap/slapd.d/cn\=config -u ldap
    @(#) $OpenLDAP: slapd 2.4.23 (Oct 4 2011 07:43:22) $
    mockbuild@x86-010.build.bos.redhat.com:/builddir/build/BUILD/openldap-2.4.23/openldap-2.4.23/build-servers/servers/slapd
    ldap_pvt_gethostbyname_a: host=lxas01, r=0
    daemon_init: <null>
    daemon_init: listen on ldap:///
    daemon_init: 1 listeners to open...
    ldap_url_parse_ext(ldap:///)
    daemon: listener initialized ldap:///
    daemon_init: 2 listeners opened
    ldap_create
    slapd init: initiated server.
    slap_sasl_init: initialized!
    bdb_back_initialize: initialize BDB backend
    bdb_back_initialize: Berkeley DB 4.7.25: (June 4, 2010)
    hdb_back_initialize: initialize HDB backend
    hdb_back_initialize: Berkeley DB 4.7.25: (June 4, 2010)
    null_back_initialize: initialize null backend
    could not stat config file "/etc/openldap/slapd.d/cn=config": Permission denied (13)
    slapd destroy: freeing system resources.
    slapd stopped.
    connections_destroy: nothing to destroy.


    Can someone help me with this error? Has anyone gone through this?

    Thanks in advance!!
    Last edited by pauloedusp; 07-10-2012 at 09:52 PM.
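    An added example, not part of the thread, that checks the one thing both the slaptest failure in step 9 and the slapd -d -1 run in step 11 complain about: reaching a file under /etc/openldap/slapd.d. The listing in step 2 shows slapd.d and schema with mode drw-rw----, that is, without the execute (search) bit. A directory without that bit cannot be entered, so every path below it returns "Permission denied" even when the file itself is readable by the ldap user; root is exempt from that check, which is why testing as root can hide the problem while the service, running as ldap, fails. The function below walks every directory component above a path and reports those missing the search bit for the chosen permission class; the temporary tree it builds is constructed to mirror the listing. It assumes GNU coreutils stat (Linux).

```shell
#!/bin/sh
# Added example (not from the thread): find directories on a path that lack
# the search (execute) bit, the usual cause of "Permission denied" on a file
# whose own mode looks fine.

# check_traversal FILE [u|g|o] [STOP_DIR]
#   Walk from FILE's parent directory up to STOP_DIR (default: /) and print
#   "<mode> <dir>" for each directory whose execute bit is missing for the
#   owner (u), group (g) or others (o). Returns 1 if any were found, else 0.
check_traversal() {
    file=$1
    class=${2:-u}
    stop=${3:-/}
    case $class in
        u) pos=4 ;;     # columns of "drwxrwxrwx": 4 = owner x, 7 = group x, 10 = other x
        g) pos=7 ;;
        o) pos=10 ;;
        *) echo "usage: check_traversal FILE [u|g|o] [STOP_DIR]" >&2; return 2 ;;
    esac
    rc=0
    dir=$(dirname "$file")
    while [ "$dir" != "$stop" ] && [ "$dir" != "/" ] && [ "$dir" != "." ]; do
        if [ -d "$dir" ]; then
            mode=$(stat -c '%A' "$dir")             # e.g. drw-rw----
            bit=$(printf '%s' "$mode" | cut -c"$pos")
            case $bit in
                x|s|t) ;;                            # search permission present
                *) printf '%s %s\n' "$mode" "$dir"; rc=1 ;;
            esac
        fi
        dir=$(dirname "$dir")
    done
    return $rc
}

# make_demo_tree: constructed copy of the layout from the thread, with
# slapd.d deliberately set to 660 (drw-rw----) as in the step 2 listing.
# Prints the temporary root so the caller can inspect and remove it.
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/openldap/slapd.d/cn=config"
    : > "$root/etc/openldap/slapd.d/cn=config.ldif"
    chmod 755 "$root" "$root/etc" "$root/etc/openldap"
    chmod 700 "$root/etc/openldap/slapd.d/cn=config"
    chmod 660 "$root/etc/openldap/slapd.d"
    printf '%s\n' "$root"
}

# demo: run the check against the constructed tree, then clean up.
demo() {
    t=$(make_demo_tree)
    f="$t/etc/openldap/slapd.d/cn=config.ldif"
    echo "directories above $f without owner search permission:"
    if check_traversal "$f" u "$t"; then
        echo "  none; the path is traversable by the owner"
    else
        echo "  fix with chmod u+x (for slapd, the ldap user owns these directories)"
    fi
    chmod 750 "$t/etc/openldap/slapd.d"   # restore x so the tree can be removed
    rm -rf "$t"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

    Run with --demo to see the constructed case. On a real host, run it as the service user's permission class over the config path and the database directory (/var/lib/ldap in the thread), since the same missing bit would also break the BDB files that slapadd wrote there.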

  #4  Just Joined! | Join Date: Aug 2002 | Location: Laguna Salada | Posts: 12

    Reading the config, the error says where your issue is; I can see it is related to syntax:

    suffix "dc=energia,dc=org,dc=br"
    Why do you have this?

    # before the first database definition
    database config
    # # NOTE: the suffix is hardcoded as cn=config and
    # # MUST not have a suffix directive
    # # normal rules apply - rootdn can be anything you want
    # # but MUST be under cn=config
    rootdn "cn=admin,cn=config"
    # # use any of the supported password formats e.g. {SSHA} etc
    # # or plaintext as shown
    rootpw "cn=admin,cn=config"

    rootdn "cn=admin,dc=energia,dc=org,dc=br"
    #example
    rootpw {SSHA}SAJKHDASDHSAKLDHASKDH
    My 2 cents.
