Join Log in
Score:0
Aaron Williams avatar Server

How to get ldap working on OpenSUSE 15.4

py flag
Aaron Williams

I am at my wits end in trying to get openldap working on OpenSUSE 15.4. I don't need directory services or user management, but it would be helpful for configuration for my DHCP and DNS servers.

I upgraded the system from 15.1 to 15.4 and everything related to ldap just seems broken. In an attempt to restore some sanity, I blew away all of the LDAP configuration, i.e. /etc/openldap/* /etc/dirsrv/, /var/lib/ldap/, /var/lib/dirsrv/*. Next I restored the configuration files to the default as if it's a cleanly installed system. I might add that even with 15.1 I had a nightmare of a time getting it to work. I've also had the same problem with every other OpenSUSE system I've tried to use ldap on, though arguably I've only really tried on OpenSUSE.

I found using the yast directory server tool to be as broken as it's always been, where it seems to be unable to create a sane basic configuration.

Next, I made some minor modifications to the slapd.conf file and used slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d -d 255

This created the basic configuration.

For the password, I used the slappasswd command and copied and pasted the output.

Here is my file, with my domain name and a couple other things changed:

# This file (slapd.conf) is the static configuration file of OpenLDAP server daemon.
#
# OpenLDAP daemon (slapd.service) supports two configuration styles:
# - Simple configuration with this file
# - Online configuration (OLC)
#
# You may choose the configuration style by setting it in:
# /etc/sysconfig/openldap OPENLDAP_CONFIG_BACKEND="files|ldap"
# If the value is set to "files", this configuration file will be used.
# If the value is set to "ldap", this configuration file will be entirely ignored, and
# the OLC configuration from /etc/openldap/slapd.d will be loaded.
#
# If you decide to use online configuration, please read the additional instructions in:
# /etc/openldap/slapd.conf.olctemplate
#
# Feel free to customise this file according to your needs, and start OpenLDAP
# server daemon by executing:
# systemctl start slapd.service
#
# To verify that LDAP service is running properly, try the following command:
# ldapsearch -x -D cn=Manager,dc=my-domain,dc=com -w secret -s base namingContexts

#
# See slapd.conf(5) for details on configuration options.
# See /etc/openldap/slapd.conf.example for more examples.
# This file should NOT be world readable.
#

pidfile     /run/slapd/slapd.pid
argsfile    /run/slapd/slapd.args

# The following schema files are often useful
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/rfc2307bis.schema
include /etc/openldap/schema/yast.schema
include /etc/openldap/schema/dhcp.schema
include /etc/openldap/schema/dnszone.schema
include /etc/openldap/schema/ldapns.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/suse-mailserver.schema

# Load backend modules such as databas engines
#modulepath /usr/lib64/openldap
moduleload back_mdb.la
#moduleload back_hdb.la
#moduleload back_bdb.la

# Very important: define ACL to authorise client access
# The default settings permit rootdn to read and write, while other users
# may read the entire database or change their own password.
# If no ACL is present, everyone will be allowed to read the database.
# rootdn can always read and write everything.
access to dn.base=""
        by * read

access to dn.base="cn=Subschema"
        by * read

access to attrs=userPassword,userPKCS12
        by self write
        by * auth

access to attrs=shadowLastChange
        by self write
        by * read

access to *
        by self write
        by dn.base="cn=Admin,dc=my-domain,dc=com" write
        by * read

#database config
#access to *
#    by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
#    by * read

# Define a LDAP database
database     mdb
#database     hdb
#database     bdb
suffix       "dc=my-domain,dc=com"
rootdn       "cn=Manager,dc=my-domain,dc=com"
# Please avoid using clear text for root password
# See slappasswd(8) for instructions on creating a salted+hashed password
rootpw       {SSHA}XXXXXXXXXXXXXX

# The database directory must exist prior to the start of OpenLDAP daemon
# The directory should be owned by ldap user and permission 0700 is recommended
directory    /var/lib/ldap
# Indices to maintain
index        objectClass eq
access to * by users read

# Using TLS to secure communication between LDAP clients and the server is strongly recommended.
# To enable TLS, you will need CA certificate, server certificate, and certificate key, and
# write down their paths below, make sure the files are readable by user "ldap".
# The server will then support StartTLS on standard port 389.
# To also serve LDAPS on port 636, set OPENLDAP_START_LDAPS="yes" in /etc/sysconfig/openldap.
#TLSProtocolMin 3.1
#TLSCipherSuite HIGH:!SSLv3:!SSLv2:!ADH
#TLSCACertificateFile /my/ca.crt
#TLSCertificateFile /my/tls.crt
#TLSCertificateKeyFile /my/tls.key

Despite slapd starting, it doesn't work. Whenever I attempt to access the configuration, i.e. ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" I get the following:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1

I can clearly see that the objects should be present when I look under /etc/openldap/slapd.d

Now, I also reinstalled openldap and all other packages that contain data under /etc/openldap and all other directories I nuked.

With these settings I am getting nowhere. When I try and configure dhcp in YAST it complains with:

2022-10-15 07:09:13 <1> my-host(7581) [Perl] modules/DhcpServer.pm(DhcpServer::LdapInit):2302 Initializing LDAP support
2022-10-15 07:09:13 <1> my-host(7581) [Perl] modules/DhcpServer.pm(DhcpServer::LdapInit):2358 ldap-dhcp-server-cn not defined
2022-10-15 07:09:13 <1> my-host(7581) [Perl] modules/DhcpServer.pm(DhcpServer::LdapInit):2361 DHCP configured LDAP: 0
2022-10-15 07:09:13 <1> my-host(7581) [Perl] modules/DhcpServer.pm(DhcpServer::LdapInit):2373 YaPI specified to use LDAP: 1
2022-10-15 07:09:13 <1> my-host(7581) [Perl] modules/DhcpServer.pm(DhcpServer::LdapInit):2423 LDAP not configured - can't read LDAP domain
2022-10-15 07:09:13 <3> my-host(7581) [Ruby] yast/yast.rb(call_yast_function):204 Invalid LDAP configuration. Cannot use LDAP.

I don't know what I did wrong here in my configuration. Any help would be greatly appreciated. I am utterly frustrated with ldap, and especially with the YaST tools, for example, the directory server is just an utter failure all the way around. I have read countless guides on LDAP but so far have had no luck with any of them. LDAP looks like it would be great for many things, if I could just get basic functionality to work. This has been extremely frustrating for me. And before anyone thinks I'm a noob, I've been a software developer on Linux for over 20 years and some of my code is in the kernel and numerous high-end embedded devices.

428
0 + 0
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.