Getting Started with OpenLDAP

I decided to try out the OpenLDAP server that is bundled with Oracle Solaris 11.1 after reading Paul Johnson's blog entry Configuring a Basic LDAP Server + Client in Solaris 11. Paul's instructions were helpful, but he didn't explain how to configure OpenLDAP so that it could be used with the Solaris commands which accept the option:

-S files | ldap.

That option is interpreted by the following commands:

In addition, the passwd(1) command accepts -r files | ldap and the User Manager GUI has a Filter Users dialog which has radio buttons for files and ldap. All of these commands depend on LDAP schema extensions that are not configured in OpenLDAP by default. The various schema are documented in Working with Naming and Directory Services and Trusted Extensions Configuration and Administration:

I combined these into a single file called solaris.schema, and copied it into the /etc/openldap/schema directory. I also created and installed another file called automap.schema which contains just the attributes and object classes for the automount service. These are missing from the existing nis.schema file, which is apparently a subset of RFC 2307bis Network Information Service Schema.

Then I modified the configuration file /etc/openldap/slapd.conf to include the required schema, and changed the default suffix and rootdn from my-domain.com to gfaden.com. The diff against the shipped file:

a6,11
> include         /etc/openldap/schema/cosine.schema
> include         /etc/openldap/schema/inetorgperson.schema
> include         /etc/openldap/schema/nis.schema
> include         /etc/openldap/schema/solaris.schema
> include         /etc/openldap/schema/automap.schema
54,55c60,61
< suffix                "dc=my-domain,dc=com"
< rootdn                "cn=Manager,dc=my-domain,dc=com"
---
> suffix                "dc=gfaden,dc=com"
> rootdn                "cn=admin,dc=gfaden,dc=com"
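Review bot: the hunk changes `rootdn` to `cn=admin,dc=gfaden,dc=com`, the same DN the ldapclient command further down uses as `proxyDN` and `adminDN` with `proxyPassword=secret`, but no matching `rootpw` directive appears in the hunk; anyone applying this diff to a stock slapd.conf still has to add `rootpw` (preferably a `slappasswd` hash rather than the literal), otherwise simple binds as the new rootdn fail unless an entry with that DN and a userPassword exists in the directory. Also, the header reads `a6,11` with no left-hand line number, so the hunk will not apply with patch(1) as shown; read it as "append these five `include` lines after the existing includes" rather than as an applicable patch.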

Following Paul's advice, I did the following:

root# chown -R openldap:openldap /var/openldap/
root# svcadm enable ldap/server
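Before enabling the server it is worth checking the edited slapd.conf offline, since a mistake there only shows up later as an ldapadd or ldapclient failure. The following Python script is an added example (not code from the original post or from OpenLDAP) that parses the directives changed above and reports a missing schema include, a rootdn that is not under the suffix, or a missing rootpw. Both sample configurations are constructed for this example; the second deliberately keeps the my-domain rootdn the diff replaces and omits one include.

```python
"""Offline sanity check of a slapd.conf edited for the Solaris -S ldap commands.

Added example, not code from the original post or from OpenLDAP.  It parses
the directives the post edits (include, suffix, rootdn, rootpw) and reports
the mistakes that otherwise surface later as ldapadd/ldapclient failures.
Both sample configurations below are constructed for this example.
"""

# Schema files the Solaris -S ldap commands depend on, per the post's include list.
REQUIRED_SCHEMA = (
    "cosine.schema",
    "inetorgperson.schema",
    "nis.schema",
    "solaris.schema",
    "automap.schema",
)


def parse_slapd_conf(text):
    """Map each directive name (lower-cased) to the list of its values.

    slapd.conf rules handled here: '#' lines are comments, blank lines are
    ignored, and a line starting with whitespace continues the previous one.
    """
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    directives = {}
    for line in logical:
        parts = line.split(None, 1)
        name = parts[0].lower()
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        directives.setdefault(name, []).append(value)
    return directives


def normalize_dn(dn):
    """Canonicalise a DN for comparison: trim each RDN and lower-case it."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))


def dn_under(child, parent):
    """True if child equals parent or lies beneath it in the tree."""
    c, p = normalize_dn(child), normalize_dn(parent)
    return c == p or c.endswith("," + p)


def check_slapd_conf(text):
    """Return (errors, warnings) for the given slapd.conf text."""
    conf = parse_slapd_conf(text)
    errors, warnings = [], []

    included = {path.rsplit("/", 1)[-1] for path in conf.get("include", [])}
    for schema in REQUIRED_SCHEMA:
        if schema not in included:
            errors.append("missing include for %s" % schema)

    suffix = conf.get("suffix", [])
    rootdn = conf.get("rootdn", [])
    if not suffix:
        errors.append("no suffix directive")
    if not rootdn:
        errors.append("no rootdn directive")
    if suffix and rootdn and not dn_under(rootdn[0], suffix[0]):
        errors.append("rootdn %s is not under suffix %s" % (rootdn[0], suffix[0]))

    rootpw = conf.get("rootpw", [])
    if not rootpw:
        errors.append("no rootpw: simple binds as the rootdn will fail")
    elif not rootpw[0].startswith("{"):
        warnings.append("rootpw is cleartext; prefer a slappasswd hash")
    return errors, warnings


# Constructed sample: the post's edits applied consistently.
GOOD_CONF = """\
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/solaris.schema
include         /etc/openldap/schema/automap.schema
suffix          "dc=gfaden,dc=com"
rootdn          "cn=admin,dc=gfaden,dc=com"
rootpw          secret
"""

# Constructed sample: only the suffix was edited, one include was forgotten
# and rootpw was never set.
BAD_CONF = """\
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/solaris.schema
suffix          "dc=gfaden,dc=com"
rootdn          "cn=Manager,dc=my-domain,dc=com"
"""

if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        errors, warnings = check_slapd_conf(conf)
        print(name, "errors:", errors, "warnings:", warnings)
```

Run it against your own file with `check_slapd_conf(open("/etc/openldap/slapd.conf").read())`; an empty error list means the five includes are present and the rootdn sits under the suffix the LDIF scripts below assume.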

Then I wrote two scripts and ran them to create the various containers in the directory. The following script creates empty containers corresponding to the top-level directory object and the organizational units for the object classes.

  1 #!/bin/ksh
  2 
  3 ME=gfaden
  4 LDAP_BASEDN="dc=${ME},dc=com"
  5 LDAP_ROOTDN="cn=admin,${LDAP_BASEDN}"
  6 
  7 TMP_LDIF=$(mktemp /tmp/toplevels.XXXX)
  8 
  9 ( cat << EOF
 10 dn: ${LDAP_BASEDN}
 11 objectClass: dcObject
 12 objectClass: organization
 13 o: ${ME}.com
 14 dc: ${ME}
 15 
 16 EOF
 17 )>  ${TMP_LDIF}
 18 
 19 for ou in users groups rpc protocols networks netgroup \
 20     aliases hosts services ethers projects \
 21     SolarisAuthAttr SolarisProfAttr ipTnet; do
 22 
 23     ( cat << EOF
 24 dn: ou=${ou},${LDAP_BASEDN}
 25 ou: ${ou}
 26 objectClass: top
 27 objectClass: organizationalUnit
 28 
 29 EOF
 30 )>>  ${TMP_LDIF}
 31 done
 32 
 33 ldapadd -cD ${LDAP_ROOTDN} -f ${TMP_LDIF}
 34 rm ${TMP_LDIF}
 

I'm not sure I got all the spelling right in lines 19-21, but it seems to work. There are some subtle differences between what OpenLDAP uses compared to ODSEE. I wrote a similar script to create the automap containers:


#!/bin/ksh
# Create the top-level automount map containers (automountMap entries)
# directly under the base DN. This matches the ldapclient configuration
# below, which sets no serviceSearchDescriptor for the auto_* maps.

LDAP_BASEDN="dc=gfaden,dc=com"
LDAP_ROOTDN="cn=admin,${LDAP_BASEDN}"

TMP_LDIF=$(mktemp /tmp/automap.XXXX)

for automap in auto_home auto_direct auto_master; do

    ( cat << EOF
dn: automountMapName=${automap},${LDAP_BASEDN}
automountMapName: ${automap}
objectClass: top
objectClass: automountMap

EOF
)>>  "${TMP_LDIF}"
done

# -c continues past entries that already exist; -D binds as the rootdn
# and prompts for its password.
ldapadd -cD "${LDAP_ROOTDN}" -f "${TMP_LDIF}"
rm "${TMP_LDIF}"

The next step was to switch the name service configuration so that the host is a client of this LDAP server. Since I needed to specify explicit (not anonymous) credentials, I could not use the Automatic Network Configuration Profile (NCP) that is enabled by default for Solaris GUI installations. Instead, the DefaultFixed NCP must be enabled and the IP interface configured manually:

root# netadm enable -p ncp DefaultFixed
root# ipadm create-ip net0
root# ipadm create-addr -T dhcp net0/v4

Then I used a modified version of Paul's ldapclient(1M) command to make my system an LDAP client of itself:

  1 #!/bin/ksh
  2 ldapclient manual \
  3 -a credentialLevel=proxy \
  4 -a authenticationMethod=simple \
  5 -a defaultSearchBase=dc=gfaden,dc=com \
  6 -a domainName=gfaden.com \
  7 -a defaultServerList=127.0.0.1 \
  8 -a proxyDN=cn=admin,dc=gfaden,dc=com \
  9 -a adminDN=cn=admin,dc=gfaden,dc=com \
 10 -a proxyPassword=secret \
 11 -a enableShadowUpdate=true \
 12 -a objectClassMap=shadow:shadowAccount=posixaccount \
 13 -a serviceSearchDescriptor=passwd:ou=users,dc=gfaden,dc=com \
 14 -a serviceSearchDescriptor=shadow:ou=users,dc=gfaden,dc=com \
 15 -a serviceSearchDescriptor=group:ou=groups,dc=gfaden,dc=com

Since I was doing this on my laptop, I just used localhost for the IP address (line 7). However, I needed to add the admin distinguished name (line 9), and enable shadow update (line 11). Together, these two settings allow the client to make updates without re-authenticating if it is running as root or with all privileges. Note that the proxyDN used here is the directory's rootdn, so the client stores the directory administrator's password in /var/ldap/ldap_client_cred; that is acceptable for a single-host test, but on a real deployment the proxy identity should be a separate entry granted only the access it needs.

Again, following Paul's blog, I enabled DNS (and LDAP) for host lookups, and restarted the name service cache:

root# svccfg -s name-service/switch setprop config/host = astring: "files dns ldap"
root# svccfg -s name-service/switch:default refresh
root# svcadm restart name-service/cache

Now I can specify the ldap option for any of the commands listed above. For example:

root# groupadd -S ldap -g 1001 world
root# ldapaddent -d group
world:*:1001:

Comments:

Thank you!

Posted by Carlos Azevedo on April 09, 2013 at 03:42 AM PDT #

Too bad ISC's dhcpd isn't built with LDAP support, otherwise you could move that info into LDAP as well.

Posted by guest on April 10, 2013 at 12:53 AM PDT #

Hi Glenn!

Just a nit, to help our cutting-and-pasting friends. :-)

It's "passwd -r files" with the trailing s, just like the other commands.

Cheers -- Volker

Posted by Volker A. Brandt on April 11, 2013 at 02:22 AM PDT #

Volker,

I fixed the "passwd -r files" typo. I also removed some unnecessary objectClassMap settings from the ldapclient command. Probably this could be further simplified.

Posted by Glenn Faden on April 11, 2013 at 09:14 AM PDT #

Can we get support from Oracle?

Posted by Abhsihek on July 18, 2013 at 09:16 PM PDT #

If you have a Solaris support contract you can file bugs against OpenLDAP since it is delivered via the IPS repository. However, community software issues may be better discussed at http://www.openldap.org

Posted by guest on July 19, 2013 at 09:58 AM PDT #

Appreciate this post - and Paul's. Wish there were more like it - with greater detail/explanation.

I've tried to implement this verbatim on a fresh Solaris 11.1 install (in a fresh zone) with only partial success. It seems that some basic things are working (ldapadds worked and I can login and see them in Apache Directory Studio).

ldaplist errors with "Object not found (Session error no available conn". getent fails as well. slapd debug shows "err=49" which I believe is authentication error. I suspect that the Solaris client side is the problem.

Sadly it seems that many people have problems getting LDAP to work. There is a lot of black magic - for example, what exactly does Solaris expect? No doubt if I ever get it working completely on Solaris my next obstacle would be more black magic trying to add OS X to the mix.

After all this time it's just strange that there is still not a definitive (ie bulletproof) multi-platform guide for implementing OpenLDAP.

Posted by guest on August 20, 2013 at 01:24 PM PDT #

I posted previous comment.

When I change rootpw (and proxyPassword) to be simple text ldaplist works! Both {SSHA}... and {MD5}... fail.

I've turned on full debug on slapd and I see the login packet and it is correct.

Any ideas?

Posted by guest on August 22, 2013 at 09:50 AM PDT #
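The hashed rootpw forms discussed in the comment above are easy to check offline. The following Python script is an added example (not code from the post, its commenters or OpenLDAP) that produces slappasswd-compatible {SSHA} and {MD5} strings and verifies a candidate password against them the way slapd does on a simple bind; the password and salt are constructed values, and the 4-byte salt length is slappasswd's default. It also encodes the check a practitioner wants before blaming the server: a simple bind transmits the cleartext and slapd compares it to the stored hash, so the value passed to ldapclient as proxyPassword must be the cleartext, never the hash.

```python
"""Generate and verify the hashed rootpw forms OpenLDAP accepts in slapd.conf.

Added example, not code from the post, its comments or OpenLDAP.  {SSHA} is
base64(SHA1(password || salt) || salt), the form slappasswd -h {SSHA} emits
(4 random salt bytes by default); {MD5} is base64(MD5(password)).
verify_rootpw() mirrors what slapd does on a simple bind: the client sends
the cleartext and the server compares it to the stored hash, which is why
the hash itself can never work as proxyPassword.  Sample values constructed.
"""
import base64
import hashlib
import hmac
import os

SHA1_LEN = 20  # bytes; everything after the digest in an {SSHA} blob is salt


def make_ssha(password, salt=None):
    """Return an {SSHA} string for password; salt defaults to 4 random bytes."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def make_md5(password):
    """Return an unsalted {MD5} string (accepted by slapd, but weak)."""
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return "{MD5}" + base64.b64encode(digest).decode("ascii")


def _decode(b64):
    """Base64-decode, returning None for a corrupted or truncated value."""
    try:
        return base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def verify_rootpw(stored, password):
    """True if password matches a stored rootpw value.

    Handles {SSHA}, {MD5} and cleartext; raises ValueError for any other
    scheme so a typo in the prefix is reported instead of silently failing.
    Surrounding whitespace is ignored; comparisons are constant-time.
    """
    stored = stored.strip()
    pw = password.encode("utf-8")
    if stored.startswith("{SSHA}"):
        blob = _decode(stored[len("{SSHA}"):])
        if blob is None or len(blob) <= SHA1_LEN:  # no salt present: malformed
            return False
        digest, salt = blob[:SHA1_LEN], blob[SHA1_LEN:]
        return hmac.compare_digest(hashlib.sha1(pw + salt).digest(), digest)
    if stored.startswith("{MD5}"):
        blob = _decode(stored[len("{MD5}"):])
        if blob is None:
            return False
        return hmac.compare_digest(hashlib.md5(pw).digest(), blob)
    if stored.startswith("{"):
        raise ValueError("unsupported password scheme in %r" % stored)
    return hmac.compare_digest(stored.encode("utf-8"), pw)


# Constructed sample values; the fixed salt keeps the output reproducible.
SAMPLE_PASSWORD = "secret"
SAMPLE_SALT = b"\x01\x02\x03\x04"

if __name__ == "__main__":
    ssha = make_ssha(SAMPLE_PASSWORD, SAMPLE_SALT)
    print("rootpw", ssha)
    print("cleartext verifies:", verify_rootpw(ssha, SAMPLE_PASSWORD))
    # Pasting the hash into ldapclient as proxyPassword cannot authenticate:
    print("hash used as password verifies:", verify_rootpw(ssha, ssha))
```

To check a real slapd.conf, paste the rootpw value and the password you configured on the client into verify_rootpw(); if it returns True there and the bind still fails with err=49, the mismatch is elsewhere (for example in the proxyDN or in what was actually stored on the client).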

I used simple text authentication in my testing. My focus was on determining whether the RBAC commands (with -S ldap) worked correctly.

The ldapclient(1M) man page lists the following authentication methods as being supported:
none
simple
sasl/CRAM-MD5
sasl/DIGEST-MD5
sasl/GSSAPI
tls:simple
tls:sasl/CRAM-MD5
tls:sasl/DIGEST-MD5

But I suspect that these may only have been verified with Oracle's Directory Server Enterprise Edition. Which of these did you try?

Posted by guest on August 22, 2013 at 10:43 AM PDT #

Kindly find the error below...

root@ldapcnt:/etc/openldap# useradd -S ldap foo
UX: useradd: ERROR: group 10 does not exist. Choose another.

root@ldapcnt:/etc/openldap# useradd -D
group=staff,10 project=default,3 basedir=/export/home
skel=/etc/skel shell=/usr/bin/bash inactive=365
expire=1/17/2038 auths= profiles= roles=
limitpriv= defaultpriv= lock_after_retries=

Posted by venkat on September 22, 2013 at 03:59 AM PDT #

Before adding a user to LDAP, the user's primary group must be added to LDAP. For example:

# groupadd -S ldap -g 10 staff

Posted by guest on September 22, 2013 at 10:17 PM PDT #

Any ideas why I can't add entries?

groupadd -S ldap -g 1001 world
UX: groupadd: ERROR: Cannot update system files - group cannot be created.

Posted by guest on December 12, 2013 at 12:14 PM PST #

Try running:
echo $?
after the command to get the exit status. There are several error codes listed in the man page. But if the exit code is a negative value, it probably corresponds to one of these:

-1 /* Password database busy */
-2 /* stat of password file failed */
-3 /* password file open failed */
-4 /* can't write to password file */
-5 /* close returned error */
-6 /* user not found in database */
-7 /* couldn't update password file */
-8 /* Not enough memory */
-9 /* server errors */
-10 /* local configuration problem */
-11 /* update denied */
-12 /* Data hasn't changed */
-13 /* Cannot call repository */
-14 /* invalid args passed */
-15 /* operation not supported */

Posted by guest on December 12, 2013 at 04:55 PM PST #
