0

I have installed openLDAP on a Centos 7 server that is already running FreeIPA for user authentication. http://www.tecmint.com/setup-ldap-server-and-configure-client-authentication

The purpose of openLDAP is for a Nodejs application to manage users for the app. and will be running on separate server.

I can see that slapd is running (ps -ef | grep slapd):

ldap      1287     1  0 06:40 ?        00:00:00 /usr/sbin/slapd -u ldap -h ldapi:/// ldap:///

So I was trying to change the defaults using the ldapadd command and I suspect to be connecting to the FreeIPA LDAP that is configured on the box (on some coammands using -x -h it is asking for a password which hasn't been set yet):

sudo ldapadd -H ldapi:/// -f ldaprootpasswd.ldif

SASL/GSS-SPNEGO authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
        additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (SPNEGO cannot find mechanisms to negotiate)

If I run an ldapsearch then I seem to be able to connect to openLDAP:

sudo ldapsearch -H ldapi:/// -Y EXTERNAL -b "cn=config" "(olcRootDN=*)" olcSuffix olcRootDN olcRootPW -LLL -Q
dn: olcDatabase={2}hdb,cn=config
olcSuffix: dc=my-domain,dc=com
olcRootDN: cn=Manager,dc=my-domain,dc=co

I thought maybe that I could connect externally using a Windows LDAP tool but I get a connection error. I did confirm that the port is open and visible externally.

nmap -p 389 10.18.16.243

Starting Nmap 7.12 ( https://nmap.org ) at 2016-09-28 11:25 GMT Daylight Time
Nmap scan report for 10.18.16.243
Host is up (0.00s latency).
PORT    STATE    SERVICE
389/tcp filtered ldap
MAC Address: BB:BB:BB:BB:BB:00 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 19.92 seconds

I tried using -h instead of -H:

sudo ldapadd -a -x -h localhost -p 389 -D cn=Manager,dc=my-domain,dc=com -W -f ldaprootpasswd.ldif

This prompts me for a password but I have only just installed openLDAP and not set a password yet (olcRootPW is in the ldif file I am trying to apply).

Does anyone have experience with openLDAP for user authentication or have any ideas what config needs changing to get this up an running?

Improve this question

1 Answer 1

Reset to default
0

The secret incantation was:

sudo ldapmodify -a -Q -Y EXTERNAL -H ldapi:/// -f ldaprootpasswd.ldif

Since "-a" forces add new entries when using ldapmodify this would be the same as above:

sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f ldaprootpasswd.ldif

"-Q" -- Enable SASL Quiet mode. Never prompt.

"-Y" -- Specify the SASL mechanism to be used for authentication. If it's not specified, the program will choose the best mechanism the server knows.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.