OpenLDAP doc page is horrible

Bug #355400 reported by David Dana
Affects               Status    Importance  Assigned to  Milestone
Ubuntu Server Guide   Expired   Undecided   Unassigned
ubuntu-docs (Ubuntu)  Invalid   Undecided   Unassigned

Bug Description

Binary package hint: ubuntu-docs

I've been trying to follow the Server 8.10 OpenLDAP doc page, and it's ok right up until the client authentication section. The packages don't work anything like the docs say they will, none of the package configuration is explained, and there are a lot more steps that come after installing those two packages.

Also, it looks like the order for installing the server packages is wrong. I think slapd should be installed second because when I didn't do that I got config errors.

If I knew more about setting this up, I would write a better version.

Tags: serverguide
Revision history for this message
David Dana (danadf) wrote :

This web page has some very useful info which highlights what's wrong with the doc page:

http://blog.khax.net/2009/04/03/notes-on-ubuntu-810-serverguide-openldap/

Revision history for this message
David Dana (danadf) wrote :

Also, although the doc does correctly state that the client ldap config is placed in /etc/ldap.conf, it says nothing about /etc/ldap/ldap.conf which must be updated manually. I also think it's important to explain what ldap user attributes are important - for example, loginShell being changed to /bin/bash.

Not as good as the first link, but some good info in http://www.linux.com/feature/114074 as well.

Revision history for this message
Adam Sommer (asommer) wrote : Re: [Bug 355400] Re: OpenLDAP doc page is horrible

Hello,

Thank you for reporting this bug and helping make Ubuntu better. Can you
take a look at the development docs here:
http://doc.ubuntu.com/ubuntu/serverguide/C/openldap-server.html

They should address the most issues you have with the client authentication
portion.

On Sun, Apr 5, 2009 at 12:40 AM, David Dana <email address hidden> wrote:

> Also, although the doc does correctly state that the client ldap config
> is placed in /etc/ldap.conf, it says nothing about /etc/ldap/ldap.conf
> which must be updated manually.

That file should probably be mentioned more prominently, but to configure a
client for LDAP authentication it isn't strictly necessary.

> I also think it's important to explain
> what ldap user attributes are important - for example, loginShell being
> changed to /bin/bash.
>

I'm not sure I agree. Explaining the details of certain attributes may give the
impression that they are required in order to use OpenLDAP. For example,
if someone intends to create a simple LDAP Address Book the loginShell
attribute wouldn't be important to them.

Thanks again.

--
Party On,
Adam

Changed in ubuntu-docs (Ubuntu):
assignee: nobody → asommer
status: New → Incomplete
Revision history for this message
David Dana (danadf) wrote :

Thanks for your reply, Adam. The draft version of the documentation is certainly much better, and I noticed a few updates which solved problems I had. I am kind of surprised though that there is a separate draft copy - I think a wiki would work much, much better.

I copied down what I had to do to make client user authentication with LDAP work for logons. I will definitely try following the new docs the next time I reload a client, but I think there is probably a lot still unclear.

This is what I used:

Note: ldapsearch looks at /etc/ldap/ldap.conf, but the config goes to /etc/ldap.conf

0: Install ldap-utils
    apt-get install ldap-utils

1: Install LDAP Client
    apt-get install libnss-ldap
        (nonstandard) Yes when prompted to use debconf
        (nonstandard) Exop used for local password crypt (no idea what's right here)
        Enter ldap://auth.example.com/ for the server.
        Enter the base DN like dc=example,dc=com
        Select ldap v3
        No for 'Make local root db admin' (no idea what this does)
        No for 'db requires login'

        Note: if not prompted for some options, enter dpkg-reconfigure ldap-auth-config

2: Manual LDAP Config
   (only if you want) nano /etc/ldap.conf

3: Copy Config
    cp /etc/ldap.conf /etc/ldap/ldap.conf

4: Use the auth-client-config script to add config settings:
    nano /etc/auth-client-config/profile.d/ldap-auth-config

     (replace all with the following text)

    [open_ldap]
    nss_passwd=passwd: files ldap
    nss_group=group: files ldap
    nss_shadow=shadow: files ldap
    nss_netgroup=netgroup: files ldap
    pam_auth=auth required pam_env.so
        auth sufficient pam_unix.so likeauth nullok
    #the following line (containing pam_group.so) must be placed before pam_ldap.so
    #for ldap users to be placed in local groups such as fuse, plugdev, scanner, etc ...
        auth required pam_group.so use_first_pass
        auth sufficient pam_ldap.so use_first_pass
        auth required pam_deny.so
    pam_account=account sufficient pam_unix.so
        account sufficient pam_ldap.so
        account required pam_deny.so
    pam_password=password sufficient pam_unix.so nullok md5 shadow
        password sufficient pam_ldap.so use_first_pass
        password required pam_deny.so
    pam_session=session required pam_limits.so
        session required pam_mkhomedir.so skel=/etc/skel/
        session required pam_unix.so
        session optional pam_ldap.so

    (then run the following command)

    auth-client-config -a -p open_ldap

    (only run this once! otherwise configs look messy with backups.)

5: Add LDAP users to necessary groups.
    nano /etc/security/group.conf

    (add the following line at the end)

    *; *; *; Al0000-2400;audio,cdrom,floppy,plugdev,video,fuse,scanner,dip

    (not sure why, but didn't seem to need this in testing)

6: Enable cached credentials:
    apt-get install nss-updatedb libnss-db libpam-ccreds
    nss_updatedb ldap
    nano /etc/nsswitch.conf

        (edit the passwd and group en...


Revision history for this message
Adam Sommer (asommer) wrote :

On Mon, Apr 6, 2009 at 11:33 PM, David Dana <email address hidden> wrote:

> Thanks for your reply, Adam. The draft version of the documentation is
> certainly much better, and I noticed a few updates which solved problems
> I had. I am kind of surprised though that there is a separate draft copy
> - I think a wiki would work much, much better.
>

Sorry, I should have explained doc.ubuntu.com better. That version of the
documentation is created from the development branch for the next Ubuntu
release. It is on the web mostly to ease review of new content.

Because these docs are for the development release not all instructions may
apply to a stable release of Ubuntu. In the case of OpenLDAP section they
happen to apply nicely to Intrepid as well as Jaunty, but that may not be
the case in the future.

It may help to check the development instructions if the released docs don't
have an answer, but I highly recommend using the released version first.

> 3: Copy Config
> cp /etc/ldap.conf /etc/ldap/ldap.conf
>

Not sure why you would do this since these are separate config files and
have different options? /etc/ldap/ldap.conf is part of the libldap package
which is totally separate from libnss-ldap which supplies the /etc/ldap.conf
file.

> 6: Enable cached credentials:
> apt-get install nss-updatedb libnss-db libpam-ccreds
> nss_updatedb ldap
> nano /etc/nsswitch.conf
>
> (edit the passwd and group entries to the following)
>
> passwd: files ldap [NOTFOUND=return] db
> group: files ldap [NOTFOUND=return] db
>
> (create a cron job to update the db daily)
>
> echo '#!/bin/sh' | sudo tee /etc/cron.daily/upd-local-nss-db
> echo `which nss_updatedb` ldap | sudo tee -a
> /etc/cron.daily/upd-local-nss-db
> sudo chmod +x /etc/cron.daily/upd-local-nss-db
>
>
> nano /etc/pam.d/common-auth
>
> (replace with the following text)
>
> auth [success=done default=ignore] pam_unix.so nullok_secure
> try_first_pass
> # If LDAP is unavailable, go to next line. If authentication via
> LDAP is successful, skip 1 line.
> # If LDAP is available, but authentication is NOT successful, skip 2
> lines.
> auth [authinfo_unavail=ignore success=1 default=2] pam_ldap.so
> use_first_pass
> auth [default=done] pam_ccreds.so action=validate use_first_pass
> auth [default=done] pam_ccreds.so action=store
> auth [default=bad] pam_ccreds.so action=update
>

Cached credentials are a good idea, I'll be sure to add that to the Karmic
docs.

--
Party On,
Adam
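
The common-auth stack quoted above relies on Linux-PAM's bracketed control syntax (success=1, default=2, done, ignore, bad) to fall back to pam_ccreds only when the LDAP server is unreachable, and to refuse a wrong password without ever reaching the cached-credentials modules. The following is an added example, not code from the thread or from the Ubuntu Server Guide: a small Python simulator that parses that stack and walks it under a simplified model of the PAM dispatch rules, so you can see which module decides the outcome in each situation before you deploy the file. The per-module return codes in the scenarios are constructed assumptions (a module not listed is assumed to return success), and the module-stack semantics are a simplified reading of pam.conf(5), not the real libpam.

```python
import re

# Constructed sample: the /etc/pam.d/common-auth stack quoted in the thread
# (David Dana's cached-credentials configuration using pam_ccreds).
COMMON_AUTH = """\
auth [success=done default=ignore] pam_unix.so nullok_secure try_first_pass
# If LDAP is unavailable, go to next line. If authentication via LDAP is successful, skip 1 line.
# If LDAP is available, but authentication is NOT successful, skip 2 lines.
auth [authinfo_unavail=ignore success=1 default=2] pam_ldap.so use_first_pass
auth [default=done] pam_ccreds.so action=validate use_first_pass
auth [default=done] pam_ccreds.so action=store
auth [default=bad] pam_ccreds.so action=update
"""

# Only the bracketed control syntax is parsed; the required/sufficient keywords are not handled here.
LINE_RE = re.compile(r"^(\w+)\s+\[([^\]]*)\]\s+(\S+)\s*(.*)$")


def module_key(module, args):
    """Identify a stack entry by module name plus its action= argument (pam_ccreds appears three times)."""
    actions = [a for a in args if a.startswith("action=")]
    return module + (" " + actions[0] if actions else "")


def parse_stack(text):
    """Return a list of (type, {return_code: action}, module, [args]) tuples."""
    stack = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unsupported PAM line: " + line)
        mtype, control, module, args = m.groups()
        actions = dict(kv.split("=", 1) for kv in control.split())
        stack.append((mtype, actions, module, args.split()))
    return stack


def simulate(stack, results):
    """Walk the stack with the given per-module return codes (simplified Linux-PAM semantics).

    results maps module_key(...) -> return code name ("success", "auth_err",
    "authinfo_unavail", ...); unlisted modules are assumed to return "success".
    Returns (final_code, trace) where trace lists (module_key, return_code, action).
    """
    final = None  # None = undecided, "success", or the first failure code recorded
    trace = []
    i = 0
    while i < len(stack):
        _, actions, module, args = stack[i]
        key = module_key(module, args)
        rc = results.get(key, "success")
        # an unlisted return code falls back to "default"; no default at all is treated as bad
        action = actions.get(rc, actions.get("default", "bad"))
        trace.append((key, rc, action))
        skip = 0
        if action == "ignore":
            pass
        elif action in ("bad", "die"):
            # the first failure wins; a "bad" on a success return still denies
            if final in (None, "success"):
                final = rc if rc != "success" else "perm_denied"
            if action == "die":
                break
        elif action in ("ok", "done") or action.isdigit():
            # ok-like: this module's code counts unless an earlier failure was recorded
            if final in (None, "success"):
                final = rc
            if action == "done":
                break
            if action.isdigit():
                skip = int(action)  # jump over the next N modules
        else:
            raise ValueError("unsupported action: " + action)
        i += 1 + skip
    # a stack that never reaches a decision is denied by PAM
    return (final if final is not None else "perm_denied"), trace


STACK = parse_stack(COMMON_AUTH)

# Constructed scenarios: what each module would return in the given situation.
SCENARIOS = {
    "local user, correct password": {"pam_unix.so": "success"},
    "ldap user, server up, correct password": {"pam_unix.so": "auth_err", "pam_ldap.so": "success"},
    "ldap user, server up, wrong password": {"pam_unix.so": "auth_err", "pam_ldap.so": "auth_err"},
    "ldap user, server down, cached creds match": {
        "pam_unix.so": "auth_err", "pam_ldap.so": "authinfo_unavail",
        "pam_ccreds.so action=validate": "success"},
    "ldap user, server down, cached creds mismatch": {
        "pam_unix.so": "auth_err", "pam_ldap.so": "authinfo_unavail",
        "pam_ccreds.so action=validate": "auth_err"},
}


def outcome(name):
    """Final PAM result for a named scenario."""
    return simulate(STACK, SCENARIOS[name])[0]


if __name__ == "__main__":
    for name in SCENARIOS:
        final, trace = simulate(STACK, SCENARIOS[name])
        print(f"{name}: {final}")
        for key, rc, action in trace:
            print(f"    {key}: {rc} -> {action}")
```

Running it shows the property the comments in the stack promise: a wrong LDAP password jumps straight to action=update and is denied without touching the validate or store entries, while an unreachable server is the only path that consults the cache. The same simulator can be pointed at a modified stack to check that a reordering or a changed jump count still has that property.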

Matthew East (mdke)
Changed in ubuntu-docs (Ubuntu):
status: Incomplete → Confirmed
Revision history for this message
David Dana (danadf) wrote :

Adam, thank you again for your help. I have found the draft docs to be a very good resource.

In regards to copying the ldap config: I realize they are separate configs, but the options needed in /etc/ldap/ldap.conf are the same ones already in /etc/ldap.conf. Copying is simply an easy way to ensure the settings are the same.

Revision history for this message
Greg PT (greg-netroworx) wrote :

In the config section:

 Edit the /tmp/ldif_output/cn=config/cn=schema/cn={8}misc.ldif file, changing the following attributes:

dn: cn=misc,cn=schema,cn=config
...
cn: misc

CHANGE TO WHAT? THIS COMMENT IS A LITTLE AMBIGUOUS

Revision history for this message
Matt Burkhardt (matthewboh) wrote :

I too have been having a terrible time installing openLDAP - first on a brand new 8.04 LTS server and now on another one (it's a development box).

I do

sudo apt-get install slapd ldap-utils

then

sudo dpkg-reconfigure slapd

Saying "No" to Omit OpenLDAP server configuration? (which is confusing - why not Continue openLDAP server configuration? then have the answer default to "Yes")

DNS Domain Name as

imparisystems.local

Organization name as (What is this? What should it be?)

admin

Password / twice (my supersecret password)

Database backend to use HDB

Do you want the database to be removed when slapd is purged? No

Move old database? Yes

Allow LDAPv2 protocol? No

The configuration then comes back with

Stopping OpenLDAP: slapd.
  Moving old database directory to /var/backups:
  - directory unknown... done.
  Creating initial slapd configuration... done.
  Creating initial LDAP directory... done.
Reloading AppArmor profiles : done.
Starting OpenLDAP: slapd.

And then the first step is to configure your LDAP by typing

ldapsearch -xLLL -b cn=config -D cn=admin,cn=config -W olcDatabase={1}hdb
Enter LDAP Password:

And every time I get

ldap_bind: Invalid credentials (49)

ldapsearch -xLLL -b cn=config -D cn=admin,cn=config -W olcDatabase={1}hdb

Revision history for this message
David Dana (danadf) wrote :

Matt, I don't know enough about OpenLDAP to see what's wrong, but the ldapsearch command doesn't look right. You wouldn't use ldapsearch to configure the directory, and your Bind DN should probably be cn=admin,dc=imparisystems,dc=local (depends on your configuration, but it would be this if your LDAP domain matches your DNS domain). Your organization name is simply a text name for your directory, so ImpariSystems might be good for you.

Also, I strongly agree that the 'omit configuration' prompt is confusing to say the least. I believe they just changed the package to say this, and the question used to be reversed and made more sense. What were they thinking?

I wrote my own documentation for installing OpenLDAP with settings specific to my company, but it may help you:
http://www.danacomputing.com/wiki/doku.php?id=ubuntu_9.04_server_openldap_setup

I am by no means an LDAP expert, so please take the time to ask around and learn what works for you.

Revision history for this message
Matt Burkhardt (matthewboh) wrote :

After almost a full week - I've discovered a few of the things that are wrong with the documentation.

First, it talks about using the cn=config tree which is NOT automagically created for you with the installation. You need to go to http://www.zytrax.com/books/ldap/ch6/slapd-config.html to create and populate the tree. It's been available since openLDAP 2.3 and should be used for that.

Since I didn't have the cn=config tree, I didn't have the credentials set up to access them - probably should have gotten a different error message.

I'm just going to continue adding items until I get this working!

Revision history for this message
Adam Sommer (asommer) wrote :

Hello,

On Thu, May 21, 2009 at 9:42 AM, Matt Burkhardt <email address hidden> wrote:

> After almost a full week - I've discovered a few of the things that are
> wrong with the documentation.
>
> First, it talks about using the cn=config tree which is NOT
> automagically created for you with the installation. You need to go to
> http://www.zytrax.com/books/ldap/ch6/slapd-config.html to create and
> populate the tree. It's been available since openLDAP 2.3 and should be
> used for that
>

Which Ubuntu release are you using? Since Ubuntu 8.10 (Intrepid) OpenLDAP
has been configured to use the cn=config configuration scheme. If you are
using Ubuntu 8.04 LTS (Hardy) OpenLDAP still uses the slapd.conf file for
configuration.

Can you post some specific errors you are having?

--
Party On,
Adam

Revision history for this message
Matt Burkhardt (matthewboh) wrote :

Yeah - noticed that after I got a few more steps into it. I'm using 8.04 LTS and I found somewhere deep down that Intrepid automagically installs the cn=config. I'm trying to find some documentation that helps set up the openLDAP with Samba being the PDC. I might go to 9.04 because this is a new server install and that might be easier to do.

Thanks

Revision history for this message
Adam Sommer (asommer) wrote :

On Thu, May 21, 2009 at 11:37 AM, Matt Burkhardt <email address hidden> wrote:

> Yeah - noticed that after I got a few more steps into it. I'm using
> 8.04 LTS and I found somewhere deep down that Intrepid automagically
> installs the cn=config. I'm trying to find some documentation that
> helps set up the openLDAP with Samba being the PDC. I might go to 9.04
> because this is a new server install and that might be easier to do.
>

There is information in the Server Guide for setting up Samba with OpenLDAP
for Ubuntu 8.10 and 9.04. The instructions should mostly work for 8.04,
once you have LDAP set up. Also, the step of adding the Samba LDAP schema
will be different for 8.04.

So unless you need the 5 year support of an LTS release it may be easier to
run 9.04. From my experience upgrading non-LTS releases has been painless,
but I usually do a lot of testing when upgrading production systems.

If you find any additional bugs, errors, unclear text, etc with the Samba
LDAP sections please file a new bug so it will be easier to track.

--
Party On,
Adam

Revision history for this message
Adam Sommer (asommer) wrote :

Hello,

It's been a long time since this bug was filed, and there have been improvements to the OpenLDAP section of the Server Guide. Can you take a look at the development version:

  http://doc.ubuntu.com/ubuntu/serverguide/C/openldap-server.html

And provide any additional feedback that is pertinent to this bug?

Thanks,
Adam

Revision history for this message
Chris Bainbridge (chris-bainbridge) wrote :

From https://help.ubuntu.com/9.10/serverguide/C/openldap-server.html

"The installation process will prompt you for the LDAP directory admin password and confirmation.

By default the directory suffix will match the domain name of the server. For example, if the machine's Fully Qualified Domain Name (FQDN) is ldap.example.com, the default suffix will be dc=example,dc=com. If you require a different suffix, the directory can be reconfigured using dpkg-reconfigure."

This is wrong. Confirmed here http://ubuntuforums.org/showthread.php?t=1295934 and https://lists.ubuntu.com/archives/ubuntu-server/2009-August/003179.html

From http://doc.ubuntu.com/ubuntu/serverguide/C/openldap-server.html - follow these instructions under Karmic and you will get an error:

# ldapadd -Y EXTERNAL -H ldapi:/// -f backend.example.com.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=module,cn=config"

adding new entry "olcDatabase=hdb,cn=config"
ldap_add: Other (e.g., implementation specific) error (80)
        additional info: <olcAccess> handler exited with 1

The Ubuntu forums post has more info, filed as bug #459403 which appears to be fixed for Lucid but not Karmic

Revision history for this message
Chris Bainbridge (chris-bainbridge) wrote :

Also see bug #463684 - openldap sections in ubuntu server guide not updated for packages in karmic

Revision history for this message
Adam Sommer (asommer) wrote :

Hello Chris,

I just ran through the instructions at http://doc.ubuntu.com/ubuntu/serverguide/C/openldap-server.html on clean 9.10 (Karmic) installs and the instructions worked fine. Not sure why you received that error, but checking /var/log/syslog may give more details.

Since Lucid release is so close translators are concentrating on the Lucid docs. I will contact the doc list about an SRU for Karmic that will incorporate the changes for Lucid. This will apply to Bugs 459403 and 463684, so there is no need to cross post.

Thanks for your feedback, it is greatly appreciated,
Adam

Revision history for this message
nat (nat-o2) wrote :

I just ran through (4x) the instructions at http://doc.ubuntu.com/ubuntu/serverguide/C/openldap-server.html on clean ubuntu 10.04.01 (64bit) (client and server) and the instructions do not work.

On ubuntu 10.04.01 (32bit) (client and server) they work fine.

Revision history for this message
Adam Sommer (asommer) wrote :

On Thu, Sep 16, 2010 at 10:37 AM, nat <email address hidden> wrote:

> I just ran through (4x) the instructions at
> http://doc.ubuntu.com/ubuntu/serverguide/C/openldap-server.html on
> clean ubuntu 10.04.01 (64bit) (client and server) and the instructions
> not work.
>
> On ubuntu 10.04.01 (32bit) (client and server) work fine.
>
>

Thanks for commenting nat, but can you tell me which part didn't work on the
64bit version that did work on the 32?

Thanks again.

--
Party On,
Adam

Robert Roth (evfool)
tags: added: serverguide
Revision history for this message
Connor Imes (ckimes) wrote :

The Ubuntu Documentation team has moved the serverguide out of the ubuntu-docs package; it is now under the serverguide project. Moving this bug accordingly.

Changed in serverguide:
assignee: nobody → Adam Sommer (asommer)
status: New → Confirmed
Changed in ubuntu-docs (Ubuntu):
assignee: Adam Sommer (asommer) → nobody
status: Confirmed → Invalid
Revision history for this message
Connor Imes (ckimes) wrote :

The LDAP section has undergone some changes in 11.10 and the serverguide should be available on help.ubuntu.com shortly. Can you please let us know if you are still having problems with this section? Thanks in advance.

Changed in serverguide:
assignee: Adam Sommer (asommer) → nobody
status: Confirmed → Incomplete
Revision history for this message
Launchpad Janitor (janitor) wrote :

[Expired for Ubuntu Server Guide because there has been no activity for 60 days.]

Changed in serverguide:
status: Incomplete → Expired