How to Do an Initial Setup of Slapd Olc with Ldapmodify

Ubuntu (Debian Packages)

Ubuntu (and probably other distributions built on Debian packages) tries to be very helpful and sets everything up for you, which becomes a real problem when you want a non-interactive installation: debconf sets a random admin password and derives the base DN from your machine name. You might be able to guess the base DN, but you cannot guess the password, and because it is deleted from the debconf database after installation you cannot read it back either.

You can however configure the passwords and DN before you install the package:

export DEBIAN_FRONTEND=noninteractive
sudo debconf-set-selections <<EOF
slapd slapd/internal/generated_adminpw password changeme
slapd slapd/password2 password changeme
slapd slapd/internal/adminpw password changeme
slapd slapd/password1 password changeme
slapd slapd/domain string example.com
slapd shared/organization string example.com
EOF

sudo apt-get install -y slapd ldap-utils

Be very careful with your spaces here: putting two spaces before the password will set the password to " changeme" (that is, a leading blank space followed by changeme).

Thanks to OpenStackPro for showing how to configure the selections.

You can test your setup with

ldapsearch -x -D "cn=admin,dc=example,dc=com" -w "changeme"

This should output something like

# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1

This means there is nothing in your LDAP database (yet), but at least you were able to log in :-)

If you get something like

ldap_bind: Invalid credentials (49)

you need to double-check your admin DN and password. You can look up the configured admin DN with

sudo slapcat -n0 | grep olcRootDN

CentOS 6.6 (and most likely RedHat, Fedora etc.)

Install the packages

sudo yum -y install openldap openldap-servers openldap-clients

First, generate a password hash with

slappasswd -s changeme

Be aware that the CentOS package uses my-domain.com instead of example.com as its default suffix, so you might need to adapt the commands accordingly.

Create an initial LDIF in a file such as init.ldif (the userPassword value is the hash that slappasswd printed):

dn: dc=my-domain,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: my-domain.com
dc: my-domain

dn: cn=admin,dc=my-domain,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword: {SSHA}rX8oWGKW6B7mKY+nUJhrv4g1pPH5KtQg

To load these entries into your LDAP database, with slapd stopped, use:

sudo slapadd -F /etc/openldap/slapd.d -b "dc=my-domain,dc=com" -l init.ldif

The -b option names the suffix of the database that receives the entries, so it must match the dn of the first entry in init.ldif, not the configuration database. Because the command runs under sudo, the database files it creates are owned by root; chown them back to the ldap user (sudo chown -R ldap:ldap /var/lib/ldap on CentOS) before starting slapd again.

Again, you can test your setup with

ldapsearch -x -D "cn=admin,dc=my-domain,dc=com" -w "changeme"

(see above under "Ubuntu")

How do I use ldapmodify for the first time when I do not know any user or password for authentication?

You're hitting an OpenLDAP bug (see ITS#8998).

The solution is to either

  1. unset option SASL_NOCANON in ldap.conf or
  2. specify the full path in the LDAPI URI (with URL-quoting of slashes).

The first option might be easier but might affect binding with SASL/GSSAPI (Kerberos).

Start new OpenLDAP installation

Turns out this answer solves the problem: "Openldap naming context issue with Apache directory studio?".

I think I appreciate that people can answer some specifics of my question or provide an example as an answer. Not all people learn by worded explanations; some learn by examples and reverse engineering. "Read manuals and only ask questions when you don't understand": I would think that is such a prior statement, and most have gone past that stage before actually asking any questions.

Yes, I think I should ask on serverfault, since stackoverflow is more geared towards programming.

adding initial entry to the ldap directory?

You don't need to add the manager entry. It is already defined in the configuration. However you should be adding other manager entries into the DIT, with permissions defined in the config, for your admins and applications to use. Nobody should use the configured manager ID.

ldapadd / ldapmodify - adding database parameters

Finally got it:

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootDN
olcRootDN: cn=admin,cn=config

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}<pass-hash>

And execute using:

ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/update_rootdnpw.ldif
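As an added example that is not from any of the posts above, the following script wraps the rootDN/rootPW change from the last answer into a repeatable, checked step: it takes the hash from slappasswd (prompting instead of passing the password with -s, so it stays out of shell history), refuses anything that is not a hash, emits the LDIF, applies it over ldapi:/// with SASL EXTERNAL, and verifies the new root DN with an ldapwhoami bind. It assumes slapd is running with an ldapi:/// listener and that uid 0 (via sudo) has manage rights on cn=config through the stock peercred ACL; the function names hash_ok, rootdn_ldif and apply_rootdn are my own.

```shell
#!/bin/sh
# Added example, not part of the original posts: set the rootDN/rootPW of the
# cn=config database over ldapi:/// with SASL EXTERNAL, then verify the bind.
# Assumptions: slapd is running with an ldapi:/// listener, and uid 0 has
# "manage" rights on cn=config through the stock peercred ACL.
set -eu

CONFIG_ROOTDN='cn=admin,cn=config'

# Accept only a hashed value ({SSHA}..., {SHA}..., {CRYPT}..., ...) so that a
# cleartext password never ends up in olcRootPW or in a backup of slapd.d.
hash_ok() {
    case "$1" in
        "{"[A-Z0-9]*"}"?*) return 0 ;;
        *) return 1 ;;
    esac
}

# Emit the modify LDIF. "replace" rather than "add" works whether or not the
# attribute exists already (Debian ships olcRootDN preset on {0}config, where
# "add" would be rejected).
rootdn_ldif() {
    printf '%s\n' \
        'dn: olcDatabase={0}config,cn=config' \
        'changetype: modify' \
        'replace: olcRootDN' \
        "olcRootDN: $CONFIG_ROOTDN" \
        '-' \
        'replace: olcRootPW' \
        "olcRootPW: $1"
}

# Apply and verify. Only runs when invoked as:  sh setup-config-rootdn.sh apply
apply_rootdn() {
    # slappasswd prompts for the password itself, so it never appears on the
    # command line or in shell history (unlike "slappasswd -s changeme").
    hash=$(slappasswd)
    hash_ok "$hash" || { echo "refusing to store a non-hashed password" >&2; return 1; }
    rootdn_ldif "$hash" | sudo ldapmodify -Q -Y EXTERNAL -H ldapi:///
    # Simple bind as the new root DN; success prints "dn:cn=admin,cn=config".
    ldapwhoami -x -H ldapi:/// -D "$CONFIG_ROOTDN" -W
}

if [ "${1:-}" = "apply" ]; then
    apply_rootdn
fi
```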