
Glenn Faden's Blog

April 9, 2013

Getting Started with OpenLDAP

Guest Author

I decided to try out the OpenLDAP server that is bundled with Oracle Solaris 11.1 after reading Paul Johnson's blog entry Configuring a Basic LDAP Server + Client in Solaris 11. Paul's instructions were helpful, but he didn't explain how to configure OpenLDAP so that it could be used with the Solaris commands which accept the option:

-S files | ldap.

That option is interpreted by the following commands:

In addition, the passwd(1) command accepts -r files | ldap and the User Manager GUI has a Filter Users dialog which has radio buttons for files and ldap. All of these commands depend on LDAP schema extensions that are not configured in OpenLDAP by default. The various schema are documented in Working with Naming and Directory Services and Trusted Extensions Configuration and Administration:

I combined these into a single file called solaris.schema, and copied it into the /etc/openldap/schema directory. I also created and installed another file called automap.schema which contains just the attributes and object classes for the automount service. These are missing from the existing nis.schema file, which is apparently a subset of RFC 2307bis Network Information Service Schema.

Then I modified the configuration file /etc/openldap/slapd.conf to include the required schema and changed the domain name to gfaden.com; the diff against the shipped file follows:

a6,11
> include         /etc/openldap/schema/cosine.schema
> include         /etc/openldap/schema/inetorgperson.schema
> include         /etc/openldap/schema/nis.schema
> include         /etc/openldap/schema/solaris.schema
> include         /etc/openldap/schema/automap.schema
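Review bot: the header of this hunk, `a6,11`, has lost the line number that belongs before the `a` (normal diff output reads, for example, `5a6,10`), and its right-hand range spans six lines while only five `>` include lines are shown, so one include line may have been dropped; anyone reproducing this should compare against the shipped slapd.conf and insert the include lines directly after the existing core.schema include, keeping solaris.schema and automap.schema after nis.schema, since slapd refuses to start when a schema file references an attribute type it has not loaded yet.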
54,55c60,61
< suffix                "dc=my-domain,dc=com"
< rootdn                "cn=Manager,dc=my-domain,dc=com"
---
> suffix                "dc=gfaden,dc=com"
> rootdn                "cn=admin,dc=gfaden,dc=com"
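Review bot: the rootdn set here, `cn=admin,dc=gfaden,dc=com`, is slapd's unrestricted superuser, and the same DN is later handed to ldapclient as proxyDN and adminDN, so every lookup from the client binds with superuser credentials that ldapclient stores on the client (the point Sean raises in the comments below); suggest a dedicated proxy entry under the suffix with read-only rights granted by an `access to` rule, and keep rootdn for slapd administration only. The rootpw directive that pairs with rootdn is outside this hunk; it should carry a `slappasswd` hash rather than a cleartext value.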

Following Paul's advice, I did the following:

root# chown -R openldap:openldap /var/openldap/
root# svcadm enable ldap/server
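Before that svcadm enable, a quick audit of slapd.conf catches two of the problems that come up in the comments below: a schema include that is missing or out of order (slapd then fails to start and the SMF service goes to maintenance) and a cleartext rootpw. This is an added example, not part of the original post; the sample configuration and its rootpw line are constructed here, the schema list is the one from the diff above, and the script assumes only POSIX sh and awk.

```shell
#!/bin/sh
# Added example, not part of the original post: audit a slapd.conf before
# 'svcadm enable ldap/server'. Checks that the schema files the post adds are
# included in a working order and that rootpw is a slappasswd hash.
# Constructed sample mirroring the post's diff; the rootpw line is assumed.
SAMPLE_CONF=$(cat <<'EOF'
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/solaris.schema
include         /etc/openldap/schema/automap.schema
suffix          "dc=gfaden,dc=com"
rootdn          "cn=admin,dc=gfaden,dc=com"
rootpw          secret
EOF
)
# Position (1-based) of a schema file among the include lines, 0 if absent.
schema_pos() {   # $1 = conf text, $2 = schema file basename
    printf '%s\n' "$1" | awk -v f="$2" '
        $1 == "include" { n++; if ($2 ~ ("/" f "$")) { found = n; exit } }
        END { print found + 0 }'
}
# Value of the first occurrence of a directive, surrounding quotes removed.
directive() {   # $1 = conf text, $2 = directive name
    printf '%s\n' "$1" | awk -v d="$2" '$1 == d { gsub(/"/, "", $2); print $2; exit }'
}
# The post's schema list must be present in this order: a later file may use
# attribute types defined by an earlier one (cn from core.schema, for instance),
# and slapd refuses to start when it meets a type it has not loaded yet.
check_schema_order() {   # $1 = conf text
    prev=0
    for s in core.schema cosine.schema inetorgperson.schema nis.schema \
             solaris.schema automap.schema; do
        pos=$(schema_pos "$1" "$s")
        [ "$pos" -gt "$prev" ] || { echo "$s missing or out of order" >&2; return 1; }
        prev=$pos
    done
}
# rootpw may hold a hash from slappasswd; clients (ldapclient's proxyPassword)
# still bind with the cleartext password, so hashing protects the copy on disk.
check_rootpw() {   # $1 = conf text
    case "$(directive "$1" rootpw)" in
        "{SSHA}"*|"{SHA}"*|"{MD5}"*|"{CRYPT}"*) return 0 ;;
        *) echo "rootpw is cleartext; generate it with slappasswd" >&2; return 1 ;;
    esac
}
conf=${1:+$(cat "$1")}   # file named on the command line, else the sample
check_schema_order "${conf:-$SAMPLE_CONF}" && check_rootpw "${conf:-$SAMPLE_CONF}" || echo "audit failed"
```

Run it as `sh audit.sh /etc/openldap/slapd.conf`; the constructed sample deliberately fails the rootpw check.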

Then I wrote two scripts and ran them to create the various containers in the directory. The following script creates empty containers corresponding to the top-level directory object and the organizational units for the object classes.

  1 #!/bin/ksh
2
3 ME=gfaden
4 LDAP_BASEDN="dc=${ME},dc=com"
5 LDAP_ROOTDN="cn=admin,${LDAP_BASEDN}"
6
7 TMP_LDIF=$(mktemp /tmp/toplevels.XXXX)
8
9 ( cat << EOF
10 dn: ${LDAP_BASEDN}
11 objectClass: dcObject
12 objectClass: organization
13 o: ${ME}.com
14 dc: ${ME}
15
16 EOF
17 )> ${TMP_LDIF}
18
19 for ou in users groups rpc protocols networks netgroup \
20 aliases hosts services ethers projects \
21 SolarisAuthAttr SolarisProfAttr ipTnet; do
22
23 ( cat << EOF
24 dn: ou=${ou},${LDAP_BASEDN}
25 ou: ${ou}
26 objectClass: top
27 objectClass: organizationalUnit
28
29 EOF
30 )>> ${TMP_LDIF}
31 done
32
33 ldapadd -cD ${LDAP_ROOTDN} -f ${TMP_LDIF}
34 rm ${TMP_LDIF}

I'm not sure I got all the spelling right in lines 19-21, but it seems to work. There are some subtle differences between what OpenLDAP uses compared to ODSEE. I wrote a similar script to create the automap containers:


#!/bin/ksh

LDAP_BASEDN="dc=gfaden,dc=com"
LDAP_ROOTDN="cn=admin,${LDAP_BASEDN}"

TMP_LDIF=$(mktemp /tmp/automap.XXXX)

# Append one automountMap container per map to the LDIF
for automap in auto_home auto_direct auto_master; do

( cat << EOF
dn: automountMapName=${automap},${LDAP_BASEDN}
automountMapName: ${automap}
objectClass: top
objectClass: automountMap

EOF
)>> ${TMP_LDIF}
done

# Load the containers as the directory manager, continuing past errors (-c)
ldapadd -cD ${LDAP_ROOTDN} -f ${TMP_LDIF}
rm ${TMP_LDIF}

The next step was to switch the nameservice configuration so that the host is a client of this ldap server. Since I needed to specify explicit (not anonymous) credentials, I could not use the Automatic Network Configuration Profile (NCP) that is enabled by default for Solaris GUI installations. Instead, the DefaultFixed NCP must be enabled, and the IP networking must be configured.

root# netadm enable -p ncp DefaultFixed
root# ipadm create-ip net0
root# ipadm create-addr -T dhcp net0/v4

Then I used a modified version of Paul's ldapclient(1M) command to make my system an LDAP client of itself:

  1 #!/bin/ksh
2 ldapclient manual \
3 -a credentialLevel=proxy \
4 -a authenticationMethod=simple \
5 -a defaultSearchBase=dc=gfaden,dc=com \
6 -a domainName=gfaden.com \
7 -a defaultServerList=127.0.0.1 \
8 -a proxyDN=cn=admin,dc=gfaden,dc=com \
9 -a adminDN=cn=admin,dc=gfaden,dc=com \
10 -a proxyPassword=secret \
11 -a enableShadowUpdate=true \
12 -a objectClassMap=shadow:shadowAccount=posixaccount \
13 -a serviceSearchDescriptor=passwd:ou=users,dc=gfaden,dc=com \
14 -a serviceSearchDescriptor=shadow:ou=users,dc=gfaden,dc=com \
15 -a serviceSearchDescriptor=group:ou=groups,dc=gfaden,dc=com

Since I was doing this on my laptop, I just used localhost for the IP address (line 7). However, I needed to add the admin distinguished name (line 9), and enable shadow update (line 11). Together, these two settings allow the client to make updates without re-authenticating if it is running as root or with all privileges.

Again, following Paul's blog, I enabled DNS, and restarted the name service:

root# svccfg -s name-service/switch setprop config/host = astring: "files dns ldap"
root# svccfg -s name-service/switch:default refresh
root# svcadm restart name-service/cache

Now I can specify the ldap option for any of the commands listed above. For example:

root# groupadd -S ldap -g 1001 world
root# ldapaddent -d group
world:*:1001:

Comments (20)
  • Carlos Azevedo Tuesday, April 9, 2013

    Thank you!


  • guest Wednesday, April 10, 2013

    Too bad ISC's dhcpd isn't built with LDAP support, otherwise you could move that info into LDAP as well.


  • Volker A. Brandt Thursday, April 11, 2013

    Hi Glenn!

    Just a nit, to help our cutting-and-pasting friends. :-)

    It's "passwd -r files" with the trailing s, just like the other commands.

    Cheers -- Volker


  • Glenn Faden Thursday, April 11, 2013

    Volker,

    I fixed the "passwd -r files" typo. I also removed some unnecessary objectClassMap settings from the ldapclient command. Probably this could be further simplified.


  • Abhsihek Friday, July 19, 2013

    Can we get support from Oracle?


  • guest Friday, July 19, 2013

    If you have a Solaris support contract you can file bugs against OpenLDAP since it is delivered via the IPS repository. However, community software issues may be better discussed at http://www.openldap.org


  • guest Tuesday, August 20, 2013

    Appreciate this post - and Paul's. Wish there were more like it - with greater detail/explanation.

    I've tried to implement this verbatim on a fresh Solaris 11.1 install (in a fresh zone) with only partial success. It seems that some basic things are working (ldapadds worked and I can login and see them in Apache Directory Studio).

    ldaplist errors with "Object not found (Session error no available conn". getent fails as well. slapd debug shows "err=49" which I believe is authentication error. I suspect that the Solaris client side is the problem.

    Sadly it seems that many people have problems getting LDAP to work. There is a lot of black magic - for example, what exactly does Solaris expect? No doubt if I ever get it working completely on Solaris my next obstacle would be more black magic trying to add OS X to the mix.

    After all this time it's just strange that there is still not a definitive (i.e. bulletproof) multi-platform guide for implementing OpenLDAP.


  • guest Thursday, August 22, 2013

    I posted the previous comment.

    When I change rootpw (and proxyPassword) to be simple text ldaplist works! Both {SSHA}... and {MD5}... fail.

    I've turned on full debug on slapd and I see the login packet and it is correct.

    Any ideas?


  • guest Thursday, August 22, 2013

    I used simple text authentication in my testing. My focus was on determining whether the RBAC commands (with -S ldap) worked correctly.

    The ldapclient(1M) man page lists the following authentication methods as being supported:

    none
    simple
    sasl/CRAM-MD5
    sasl/DIGEST-MD5
    sasl/GSSAPI
    tls:simple
    tls:sasl/CRAM-MD5
    tls:sasl/DIGEST-MD5

    But I suspect that these may only have been verified with Oracle's Directory Server Enterprise Edition. Which of these did you try?


  • venkat Sunday, September 22, 2013

    Kindly find the below error...

    root@ldapcnt:/etc/openldap# useradd -S ldap foo
    UX: useradd: ERROR: group 10 does not exist. Choose another.
    root@ldapcnt:/etc/openldap# useradd -D
    group=staff,10 project=default,3 basedir=/export/home
    skel=/etc/skel shell=/usr/bin/bash inactive=365
    expire=1/17/2038 auths= profiles= roles=
    limitpriv= defaultpriv= lock_after_retries=


  • guest Monday, September 23, 2013

    Before adding a user to LDAP, the user's primary group must be added to LDAP. For example:

    # groupadd -S ldap -g 10 staff


  • guest Thursday, December 12, 2013

    Any ideas why I can't add entries?

    groupadd -S ldap -g 1001 world
    UX: groupadd: ERROR: Cannot update system files - group cannot be created.


  • guest Friday, December 13, 2013

    Try running:

    echo $?

    after the command to get the exit status. There are several error codes listed in the man page. But if the exit code is a negative value, it probably corresponds to one of these:

    -1   /* Password database busy */
    -2   /* stat of password file failed */
    -3   /* password file open failed */
    -4   /* can't write to password file */
    -5   /* close returned error */
    -6   /* user not found in database */
    -7   /* couldn't update password file */
    -8   /* Not enough memory */
    -9   /* server errors */
    -10  /* local configuration problem */
    -11  /* update denied */
    -12  /* Data hasn't changed */
    -13  /* Cannot call repository */
    -14  /* invalid args passed */
    -15  /* operation not supported */


  • guest Sunday, April 20, 2014

    Attempting this on OmniOS which is an Illumos derivative which is an Open Solaris derivative. Granted that's a bit of a stretch but most administrative guides for the current Solaris map quite accurately. Unfortunately this feature which is quite significant has little representation in the relevant community. Most things up until this point have gone well but the server itself won't initialize. Any thoughts?

    root@OmniOS:/# svcadm enable ldap/server

    svcadm: Pattern 'ldap/server' doesn't match any instances

    Thanks in advance.


  • Glenn Faden Sunday, April 20, 2014

    In Oracle Solaris 11 the OpenLDAP server is delivered as an SMF service. If OmniOS doesn't provide an SMF manifest for the OpenLDAP server, you could create your own manifest file to launch OpenLDAP as a new service. Of course you could also use a legacy rc file. Try a Google search for "openldap rc file".


  • guest Wednesday, June 18, 2014

    Thanks, Glenn, for taking the time to post this invaluable walkthrough, as it is a very sparse subject for Solaris-based systems.

    I seem to have run into a problem when I include your solaris.schema lookup in the slapd.conf file. When I start the ldap/server I get a maintenance error and it will not come up online. When I take this out it starts up fine. I have tried copying the solaris.schema numerous times just in case I had a typo, but that did not seem to work. Any ideas are greatly appreciated. Thanks again.


  • Glenn Faden Thursday, June 19, 2014

    Maybe your download didn't preserve line breaks. The solaris.schema file should have 152 lines. Here's the output from sum:

    sum solaris.schema

    14582 5 solaris.schema


  • guest Friday, September 19, 2014

    Hello Glen,

    Running Solaris 11 SRU 20.0.5.0, which came with OpenLDAP 2.4.3.

    I was looking for the ldap backend functionality and the output of /usr/lib/slapd -VVV does not show ldap as a static back end. Also get errors when defining an ldap backend on slapd.conf.

    Could you please confirm that this version released by Oracle does not provide the ldap backend functionality?

    Thank you

    JA


  • Glenn Faden Friday, September 19, 2014

    I don't work in Oracle's name service group, so I can't confirm what is supported. However, we do deliver the man page slapd-ldap(5olap), so there may be a way to configure it.

    Oracle's directory for the enterprise is Oracle Unified Directory.


  • sean Thursday, July 2, 2015

    Hi Glenn,

    I noticed you have used admin as the proxyDN, which is overly powerful. Any possibility of having an updated blog entry with a proper proxyAgent and TLS setup?

    Thx,

    Sean

