Re: [SLE] SUSe 9.3 and LDAP Docu?

23 May 2005

      On 5/23/05, Markus Natter <markus.natter@gmail.com> wrote:
...
On 5/23/05, Jerry Westrick <jerry@westrick.com> wrote:
...
On Monday 23 May 2005 09:29, Markus Natter wrote:
...
On 5/22/05, Jerry Westrick <jerry@westrick.com> wrote:
...
Is there a step by step docu on
how to get SuSE 9.3 to use openldap
for authorization....
I worked my way through the Admin Guide...
but All I get is connection failures....
anybody seen a decent how to?
Jerry
--
Check the headers for your unsubscription address
For additional commands send e-mail to suse-linux-e-help@suse.com
Also check the archives at http://lists.suse.com
Please read the FAQs: suse-linux-e-faq@suse.com
Hi Jerry,
YaST could do this for you ( see chapter 29.5 SuSE Admin. Guide )..
but on the other hand you need a working LDAP - configuration and and
a working database first.
Have you already tried to connect and made a successful request with any
cmd-line ldap tools ( ldapsearch ... ) or any ldap client?
Markus
Thanks for the answer Markus...
Yes I got ldap running by following the instructions
at /usr/share/doc/packages/openldap2/admin-guide/quickstart.html
There I issued:
ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
ldapadd -x -D "cn=Manager,dc=<MY-DOMAIN>,dc=<COM>" -W -f example.ldif
ldapsearch -x -b 'dc=example,dc=com' '(objectclass=*)'
all of which worked.
I guess is that either the User (as setup by quick installation guide) is not
yast compatible, or that the security method is not the one that yast
expects?
Jerry
well,
there could be some caveats..
could you post your /etc/openldap/slapd.conf & /etc/ldap.conf? (e.g.
did you include the required .schema files, like
yast.schema [as I remember, yast uses member entries instead of
memberUID per default (you could change this behavior-> extended
settings)..])
the idea behind this all is, that yast would help you setting up the
other configs correctly..
(some hints: /etc/pam.d, nss_ldap / pam_ldap, /etc/security,
/etc/nsswitch.conf )
another idea is to let yast create the standard objects etc.. [
extended settings ], if your
setup does not fit into the yast expectations.
And also try one thing after another.. [ e.g. do not start with
TLS/SSL related stuff
 before you have fixed the other problems ]
Markus
well I just tried this by setting up a very simple base.. (only the
root-dir, and
configured a rootdn and rootpw using slapadd, for setting things up..
then I configured a basic /etc/ldap.conf to point to the new slapd
running on the localhost)
and yast configured the rest for me.. it was not that difficult..

here are the lines I used for this test:

/etc/slapd.conf:
============

# this should be the schema section as it was shipped..
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/rfc2307bis.schema
include         /etc/openldap/schema/yast.schema

suffix          "dc=test,dc=example,dc=com"
rootdn          "cn=Manager,dc=test,dc=example,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoid.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw          secret

base.ldif ( note: be careful with empty spaces at the end of a line,
if you copy/paste! )
=======

##
##      TEST.EXAMPLE.COM
##
## Basis of the LDAP-tree test.example.com
##
dn: dc=test,dc=example,dc=com
dc: test
o: example
objectClass: organization
objectClass: dcObject
structuralObjectClass: organization

=======

install this ldiff.. 
you should remove your old database before that.. 
please, keep your DB_CONFIG!!!

rcldap stop

cd /var/lib/ldap
rm *.bdb log.* __db.*

cd /etc/openldap/ # or wherever your base.ldif is
slapadd -p -w -l base.ldif

rcldap start

/etc/ldap.conf
==========
# Your LDAP server. Must be resolvable without using LDAP.
# if you want tls / ssl later on, you should replace localhost with
your fq. hostname
host    localhost

# The distinguished name of the search base.
base    dc=test,dc=example,dc=com

# this could be your anonymous-bind substitute later.. 
#binddn cn=pam,dc=test,dc=example,dc=com
#bindpw another_secret

# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
rootbinddn      cn=Manager,dc=natter,dc=itellium,dc=net

nss_base_passwd dc=natter,dc=itellium,dc=net?sub
nss_base_shadow dc=natter,dc=itellium,dc=net?sub
nss_base_group  dc=natter,dc=itellium,dc=net?sub

===================

then I called YaST -> Nw -> LDAP-Client

(x) use LDAP

Addresses of LDAP Servers
localhost

LDAP base DN
dc=test,dc=example,dc=com

[Advanced Configuration] <= choose this one!

---------------------------------------------------------------

check

[x] Create Default Configuration Objects

=> Continue 
(enter the rootdn password ) and you're done.

puh.. it's a lot to write.. 

I hope this helps..

Markus

Markus Natter

tags

participants (1)