Tags: openldap, configure

start new openldap installation


I am installing OpenLDAP from scratch on CentOS 7.

I followed the quick start guide on the openldap.org website: http://www.openldap.org/doc/admin24/quickstart.html

Everything worked fine up until step 7; I installed OpenLDAP in a customized directory without problems.

Below are the commands I ran:

cd /usr/local/src
mkdir openldap
cd openldap
cp /home/user/openldap/src/* .   # copied everything in the tarball to the directory
yum install gcc openssl libdb-devel libtool-ltdl-devel.x86_64 openssl-devel.x86_64 cyrus-sasl-devel.x86_64
# yum installed every required package, including the devel packages for make
./configure --prefix=/usr/local/src/openldap-install   # configure to install in a custom location
make depend
make
make test   # all successful
make install

Then I tried to follow step 8, editing slapd.ldif to put in my own domain, dc=adomain,dc=com; in my case the file was /usr/local/src/openldap-install/etc/openldap/slapd.ldif.

I then added the /usr/local/src/openldap-install/sbin/ directory to the PATH environment variable by putting an openldap_path.sh in the profile.d directory, and verified that it worked.

Then I followed step 9 (I was running everything as root):

slapadd -F /usr/local/etc/cn=config -l /usr/local/etc/openldap/slapd.ldif

But it returned "available database(s) do not allow slapadd new server".

I don't understand; I am not migrating (as suggested in some other Stack Overflow post), it's a brand new server, but it just doesn't allow me to continue.

Any help would be appreciated; I just don't know what to do next.

@EJP, the file is as follows:

#
# See slapd-config(5) for details on configuration options.
# This file should NOT be world readable.
#
dn: cn=config
objectClass: olcGlobal
cn: config
#
#
# Define global ACLs to disable default read access.
#
olcArgsFile: /usr/local/src/openldap-install/var/run/slapd.args
olcPidFile: /usr/local/src/openldap-install/var/run/slapd.pid
#
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#olcReferral:   ldap://root.openldap.org
#
# Sample security restrictions
#   Require integrity protection (prevent hijacking)
#   Require 112-bit (3DES or better) encryption for updates
#   Require 64-bit encryption for simple bind
#olcSecurity: ssf=1 update_ssf=112 simple_bind=64


#
# Load dynamic backend modules:
#
#dn: cn=module,cn=config
#objectClass: olcModuleList
#cn: module
#olcModulepath: /usr/local/src/openldap-install/libexec/openldap
#olcModuleload: back_bdb.la
#olcModuleload: back_hdb.la
#olcModuleload: back_ldap.la
#olcModuleload: back_passwd.la
#olcModuleload: back_shell.la


dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema

include: file:///usr/local/src/openldap-install/etc/openldap/schema/core.ldif

# Frontend settings
#
dn: olcDatabase=frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: frontend
#
# Sample global access control policy:
#   Root DSE: allow anyone to read it
#   Subschema (sub)entry DSE: allow anyone to read it
#   Other DSEs:
#       Allow self write access
#       Allow authenticated users read access
#       Allow anonymous users to authenticate
#
#olcAccess: to dn.base="" by * read
#olcAccess: to dn.base="cn=Subschema" by * read
#olcAccess: to *
#   by self write
#   by users read
#   by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#


#######################################################################
# LMDB database definitions
#######################################################################
#
dn: olcDatabase=mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: mdb
olcSuffix: dc=ldap,dc=domain,dc=com
olcRootDN: cn=Manager,dc=ldap,dc=domain,dc=com
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd-config(5) for details.
# Use of strong authentication encouraged.
olcRootPW: {SSHA}strong
# The database directory MUST exist prior to running slapd AND 
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
olcDbDirectory: /usr/local/src/openldap-install/var/openldap-data
# Indices to maintain
olcDbIndex: objectClass eq

Only the last few lines were changed from the slapd.ldif.default file.

And below is the file tree in the installation path, as output by ls -R:

.:
bin  etc  include  lib  libexec  sbin  share  var

./bin:
ldapadd      ldapdelete  ldapmodify  ldappasswd  ldapurl
ldapcompare  ldapexop    ldapmodrdn  ldapsearch  ldapwhoami

./etc:
openldap

./etc/openldap:
ldap.conf          schema      slapd.conf.default  slapd.ldif.default
ldap.conf.default  slapd.conf  slapd.ldif

./etc/openldap/schema:
collective.ldif    cosine.schema         java.ldif      openldap.schema
collective.schema  duaconf.ldif          java.schema    pmi.ldif
corba.ldif         duaconf.schema        misc.ldif      pmi.schema
corba.schema       dyngroup.ldif         misc.schema    ppolicy.ldif
core.ldif          dyngroup.schema       nis.ldif       ppolicy.schema
core.schema        inetorgperson.ldif    nis.schema     README
cosine.ldif        inetorgperson.schema  openldap.ldif

./include:
lber.h        ldap_cdefs.h     ldap.h         ldap_utf8.h  slapi-plugin.h
lber_types.h  ldap_features.h  ldap_schema.h  ldif.h

./lib:
liblber-2.4.so.2       libldap-2.4.so.2       libldap_r-2.4.so.2.10.7
liblber-2.4.so.2.10.7  libldap-2.4.so.2.10.7  libldap_r.a
liblber.a              libldap.a              libldap_r.la
liblber.la             libldap.la             libldap_r.so
liblber.so             libldap_r-2.4.so.2     libldap.so

./libexec:
slapd

./sbin:
slapacl  slapauth  slapdn     slappasswd  slaptest
slapadd  slapcat   slapindex  slapschema

./share:
man

./share/man:
man1  man3  man5  man8

./share/man/man1:
ldapadd.1      ldapdelete.1  ldapmodify.1  ldappasswd.1  ldapurl.1
ldapcompare.1  ldapexop.1    ldapmodrdn.1  ldapsearch.1  ldapwhoami.1

./share/man/man3:
ber_alloc_t.3                ldap_free_urldesc.3
blablablablabla
blablablablabla
blablablablabla

./share/man/man5:
ldap.conf.5       slapd-mdb.5       slapd-sql.5         slapo-ppolicy.5
blablablablabla
blablablablabla
blablablablabla

./share/man/man8:
blablablablabla
blablablablabla

./var:
run

./var/run:

EDIT

@EJP, I sort of get what you mean. You are saying the default LDIF file is actually the cn=config database?

I am nearly giving up: one week of my time and still no LDAP server starting. I don't see what the problem is. Perhaps clearing up some of my concepts can actually resolve the situation here?

  • How do I define my own database? I thought I had already done that by changing the olcSuffix?
  • How is the cn=config database different from a "configuration database"?
  • What file do I edit / create to define my own database?
  • What does it mean in step 8 of the OpenLDAP quickstart guide, "contain a MDB database definition of the form"?
  • What does it mean in step 9 of the OpenLDAP quickstart guide, "import your configuration database"? Does it mean the installed OpenLDAP server had no configuration?
  • What does the slapd.conf file that came along with the installation do? Does it contain a "definition" or a "configuration"?
  • I have tried to skip steps 8 and 9 and directly start slapd, but it always failed. Should slapd be able to start on its own without me "importing my own configuration database"?

Thank you EJP for your great patience with me. I know I am missing something extremely trivial, but believe me, I have dug through the internet for days (and a book store for one day) failing to find a definitive answer. It would be really great if you could clarify some concepts for me by answering my questions or giving your own explanation, or provide me with just a dummy LDIF file that I can slapadd; then I can figure out what's wrong.

I attribute my difficulty to what I reckon is poorly done OpenLDAP guidance documentation:

  • They have stated that slapd.d is the new way to go, but compiling the source with make does not generate the slapd.d/ directory, nor did I find options in ./configure to switch to it.
  • bdb and hdb seem to be fading out and being replaced by mdb, but ./configure enables those two by default, requiring an extra libdb-devel package to make them correctly (I am using CentOS 7).
  • The subdirectories required by the example setup files slapd.conf and slapd.ldif (and until today I don't know if they are example files or working files) are not set up by make install, not even /var/openldap-data.
  • Not even the subdirectory required by the quickstart guide command was created by the make install script.
  • I am not sure if this is right, but I believe slapd should be shipped at least "working out of the box", with subsequent configuration done by ldapmodify / ldapadd / ldapdelete commands.

Solution

  • Turns out this answer solves the problem: Openldap naming context issue with Apache directory studio?

    I think I would appreciate it if people answered some specifics of my question or provided an example as an answer. Not all people learn by worded explanations; some learn by examples and reverse engineering. "Read the manuals and only ask a question when you don't understand" is such a prior statement, and most people have gone past that stage before actually asking any questions.

    Yes, I think I should ask on Server Fault, since Stack Overflow is more geared towards programming.
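The post runs the quickstart's step-9 command with the quickstart's own paths and against a tree where neither the config directory nor var/openldap-data exists. The following is an added example, not code from the question or from the OpenLDAP project: a pre-flight check that parses a slapd.ldif laid out like the one above, reports the setup mistakes that stop slapadd or slapd from running (missing or group/world-accessible database directory, a config directory that already holds a config database, a cleartext olcRootPW, a rootdn outside the suffix, a schema include that does not exist), and prints the step-9 slapadd command with every path rewritten for a custom --prefix. The config-directory location etc/openldap/slapd.d under the prefix is this example's choice (the quickstart uses /usr/local/etc/cn=config), and the LDIF and tree built by demo() are constructed for the example.

```python
"""Pre-flight check for an OpenLDAP 2.4 slapd.ldif before running slapadd -n 0.
Added example, not from the question or the OpenLDAP project: it parses a
cn=config LDIF laid out like the one above, reports setup mistakes that stop
slapadd or slapd, and prints quickstart step 9 with paths rewritten for a
custom --prefix. The LDIF and tree in demo() are constructed for this example."""
import os
import re
import stat
import tempfile

DB_CLASSES = {"olcMdbConfig", "olcBdbConfig", "olcHdbConfig"}
HASH_RE = re.compile(r"^\{(SSHA|SHA|SMD5|MD5|CRYPT)\}\S+$")  # slappasswd(8) schemes


def parse_ldif(text):
    """LDIF -> list of {attr: [values]}; handles '#' comments, blank-line
    entry separators and RFC 2849 continuation lines (leading space)."""
    entries, cur, last = [], {}, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and last is not None:
            cur[last][-1] += raw[1:]          # continuation of the previous value
        elif not raw.strip():
            if cur:
                entries.append(cur)
            cur, last = {}, None
        else:
            attr, _, value = raw.partition(":")
            last = attr.strip()
            cur.setdefault(last, []).append(value.strip())
    if cur:
        entries.append(cur)
    return entries


def config_dir(prefix):
    """Config DB location for this prefix (this example's choice; the
    quickstart itself uses /usr/local/etc/cn=config)."""
    return os.path.join(prefix, "etc", "openldap", "slapd.d")


def loose_perms(path):
    """True when group or other has any access; slapd data/config dirs want 0700."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & 0o077)


def check_config(entries, prefix):
    """Return a list of problems; an empty list means ready for slapadd -n 0."""
    problems, confdir = [], config_dir(prefix)
    if os.path.isdir(confdir):
        if os.listdir(confdir):
            problems.append(f"{confdir} already holds a config database")
        if loose_perms(confdir):
            problems.append(f"{confdir} is group/world accessible; chmod 700")
    dbs = [e for e in entries if DB_CLASSES & set(e.get("objectClass", []))]
    if not dbs:
        problems.append("no mdb/bdb/hdb database entry: nothing to hold your suffix")
    for db in dbs:
        name = db["dn"][0]
        suffix, rootdn = db.get("olcSuffix", [""])[0], db.get("olcRootDN", [""])[0]
        if not suffix:
            problems.append(f"{name}: olcSuffix missing")
        elif rootdn and not rootdn.lower().endswith(suffix.lower()):
            problems.append(f"{name}: olcRootDN {rootdn} is not under olcSuffix {suffix}")
        pw = db.get("olcRootPW", [""])[0]
        if pw and not HASH_RE.match(pw):
            problems.append(f"{name}: olcRootPW is cleartext; use a slappasswd hash")
        for d in db.get("olcDbDirectory", []):
            if not os.path.isdir(d):
                problems.append(f"{name}: olcDbDirectory {d} missing (mkdir -m 700 it)")
            elif loose_perms(d):
                problems.append(f"{name}: olcDbDirectory {d} is group/world accessible")
    for e in entries:
        for inc in e.get("include", []):
            path = inc[len("file://"):] if inc.startswith("file://") else inc
            if not os.path.isfile(path):
                problems.append(f"schema include {path} not found")
    return problems


def slapadd_command(prefix, ldif_path):
    """Quickstart step 9 for a custom prefix. -n 0 selects database 0, the
    config database, which is what slapd.ldif describes."""
    return [os.path.join(prefix, "sbin", "slapadd"), "-n", "0",
            "-F", config_dir(prefix), "-l", ldif_path]


SAMPLE = """\
dn: cn=config
objectClass: olcGlobal
cn: config

dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema

include: file://{p}/etc/openldap/schema/core.ldif

dn: olcDatabase=mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: mdb
olcSuffix: dc=ldap,dc=domain,dc=com
olcRootDN: cn=Manager,dc=ldap,dc=domain,dc=com
olcRootPW: secret
olcDbDirectory: {p}/var/openldap-data
olcDbIndex: objectClass eq
"""


def demo():
    """Mirror the question's install tree in a temp prefix, check it, fix what
    the check reports, check again; returns (problems_before, problems_after, cmd)."""
    prefix = tempfile.mkdtemp(prefix="openldap-install-")
    schema = os.path.join(prefix, "etc", "openldap", "schema")
    os.makedirs(schema)
    open(os.path.join(schema, "core.ldif"), "w").write("dn: cn=core,cn=schema,cn=config\n")
    ldif_path = os.path.join(prefix, "etc", "openldap", "slapd.ldif")
    open(ldif_path, "w").write(SAMPLE.format(p=prefix))
    entries = parse_ldif(open(ldif_path).read())
    before = check_config(entries, prefix)      # data dir missing, cleartext rootpw
    os.makedirs(os.path.join(prefix, "var", "openldap-data"), mode=0o700)
    os.makedirs(config_dir(prefix), mode=0o700)
    entries[-1]["olcRootPW"] = ["{SSHA}constructed-hash-for-demo"]   # placeholder, not a real hash
    after = check_config(entries, prefix)
    return before, after, slapadd_command(prefix, ldif_path)


if __name__ == "__main__":
    before, after, cmd = demo()
    print("before:", before)
    print("after:", after)
    print("run:", " ".join(cmd))
```

Point it at a real install by reading the prefix's etc/openldap/slapd.ldif into parse_ldif() and calling check_config() with that prefix; once the list comes back empty, run the printed command, then start slapd with the same -F directory. The rootpw check is deliberately strict: a `{SSHA}` value produced by `slappasswd -s` is what belongs in olcRootPW, and the config directory that stores it must stay mode 700.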