I'm having trouble getting openldap through its initial setup.
I created a /etc/openldap/slap.conf file with a default rootdn and rootpw, and they didn't seem to take effect. After much wailing and gnashing of teeth I found that if there is a config directory at /etc/openldap/slapd.d, it will ignore slapd.conf. I can't figure out how to translate slapd.conf into the (new?) standard of slapd.d because all the examples I can find still use slapd.conf.
Am I better off just deleting (or renaming) slapd.d? Does anybody know the proper format for slapd.d entries?
Thanks, -- Mitch Patenaude
On Wed, Aug 17, 2011 at 07:03:28PM +0000, Mitch Patenaude wrote:
I'm having trouble getting openldap through its initial setup.
I created a /etc/openldap/slap.conf file with a default rootdn and rootpw, and they didn't seem to take effect. After much wailing and gnashing of teeth I found that if there is a config directory at /etc/openldap/slapd.d, it will ignore slapd.conf. I can't figure out how to translate slapd.conf into the (new?) standard of slapd.d because all the examples I can find still use slapd.conf.
Am I better off just deleting (or renaming) slapd.d? Does anybody know the proper format for slapd.d entries?
I might as well spam my own page (where I suggest deleting it) for LDAP.
http://home.roadrunner.com/~computertaijutsu/ldap.html
I don't know of anyone who got it working with that slap.d, nor have I seen any documentation on it--on the other hand, I didn't look very hard. I would almost guarantee it adds no new advantages.
On Wed, 2011-08-17 at 15:10 -0400, Scott Robbins wrote:
On Wed, Aug 17, 2011 at 07:03:28PM +0000, Mitch Patenaude wrote:
I'm having trouble getting openldap through its initial setup.
I created a /etc/openldap/slap.conf file with a default rootdn and rootpw, and they didn't seem to take effect. After much wailing and gnashing of teeth I found that if there is a config directory at /etc/openldap/slapd.d, it will ignore slapd.conf. I can't figure out how to translate slapd.conf into the (new?) standard of slapd.d because all the examples I can find still use slapd.conf.
Am I better off just deleting (or renaming) slapd.d? Does anybody know the proper format for slapd.d entries?
I might as well spam my own page (where I suggest deleting it) for LDAP.
http://home.roadrunner.com/~computertaijutsu/ldap.html
I don't know of anyone who got it working with that slap.d, nor have I seen any documentation on it--on the other hand, I didn't look very hard. I would almost guarantee it adds no new advantages.
---- I can't say that I see any advantages to dynamic configuration but perhaps in time, they will dawn on me.
In the meantime, if upstream and thus CentOS 6 are using dynamic configuration (and I assume that is what it is by reference to slapd.d directory), then your page is rather outdated and useful only for earlier releases.
The last time you pimped your page, I noted that it wasn't bad but it completely had everything wrong on the topic of TLS. Your page talks about using TLS but TLS doesn't use port 636. LDAP SSL uses port 636. LDAP SSL is costly in terms of computing power, deprecated and not recommended which is why it ships 'off'. If you can turn off LDAP SSL (and port 636) and connect to port 389 and use -ZZ option, then you will know that you are using TLS.
example... ldapsearch -ZZ -h srv2 '(uid=craig)' -D 'uid=craig,ou=people,dc=azapple,dc=com' -W uid, cn -b 'ou=people,dc=azapple,dc=com'
Enter LDAP Password: # extended LDIF # # LDAPv3 # base <ou=people,dc=azapple,dc=com> with scope subtree # filter: (uid=craig) # requesting: uid, cn #
# craig, people, azapple.com dn: uid=craig,ou=people,dc=azapple,dc=com cn: Craig White
# search result search: 3 result: 0 Success
# numResponses: 2 # numEntries: 1
Craig
On Wed, Aug 17, 2011 at 07:05:34PM -0700, Craig White wrote:
On Wed, 2011-08-17 at 15:10 -0400, Scott Robbins wrote:
I can't say that I see any advantages to dynamic configuration but perhaps in time, they will dawn on me.
In the meantime, if upstream and thus CentOS 6 are using dynamic configuration (and I assume that is what it is by reference to slapd.d directory), then your page is rather outdated and useful only for earlier releases.
The last time you pimped your page, I noted that it wasn't bad but it completely had everything wrong on the topic of TLS. Your page talks about using TLS but TLS doesn't use port 636. LDAP SSL uses port 636.
Which is clearly stated there.
I'll add a note soon that the page is outdated, but not tonight.
On 08/17/2011 12:03 PM, Mitch Patenaude wrote: ...
I created a /etc/openldap/slap.conf file with a default rootdn and rootpw, and they didn't seem to take effect. After much wailing and gnashing of teeth I found that if there is a config directory at /etc/openldap/slapd.d, it will ignore slapd.conf. I can't figure out how to translate slapd.conf into the (new?) standard of slapd.d because all the examples I can find still use slapd.conf.
Am I better off just deleting (or renaming) slapd.d? Does anybody know the proper format for slapd.d entries?
...
You'd be best off learning the new method of configuration as I've heard rumors that the slapd.conf file will be deprecated at some point.
Here you can find some additional information: http://www.zytrax.com/books/ldap/ch6/slapd-config.html
Basically, any slap* command which can reference a file will perform the conversion.
HTH,
On Aug 17, 2011, at 12:03 PM, Mitch Patenaude wrote:
I'm having trouble getting openldap through its initial setup.
I created a /etc/openldap/slap.conf file with a default rootdn and rootpw, and they didn't seem to take effect. After much wailing and gnashing of teeth I found that if there is a config directory at /etc/openldap/slapd.d, it will ignore slapd.conf. I can't figure out how to translate slapd.conf into the (new?) standard of slapd.d because all the examples I can find still use slapd.conf.
Am I better off just deleting (or renaming) slapd.d? Does anybody know the proper format for slapd.d entries?
---- presuming what you are referring to is dynamic configuration - flat files are not used any more.
Haven't tried with CentOS 6 because I switched my newer setups to Ubuntu but Ubuntu 10.04 also uses dynamic configuration methods and if that is the case...
/etc/openldap/slapd.conf is meaningless - at least in Ubuntu
renaming or deleting /etc/openldap/slapd.d would be a self-defeating act... that's where the results of dynamic configuration will end up.
start over, baby steps... script everything you do so it's repeatable
start by adding your schema's
then define the backend
then define the base
then define your ACL's
then you can pull in the DSA
Craig