Date:      Thu, 17 Apr 2008 14:48:07 -0400
From:      "David Robillard" <david.robillard@gmail.com>
To:        "Da Rock" <rock_on_the_web@comcen.com.au>
Cc:        FreeBSD Questions <freebsd-questions@freebsd.org>
Subject:   Re: Openldap server install failure - openldap client conflict
Message-ID:  <226ae0c60804171148j6e3e0e82h6eac8c433aa8f81d@mail.gmail.com>

> On Wed, 2008-04-16 at 10:37 -0400, David Robillard wrote:
> > > I'm trying to install OpenLDAP as a server to "attempt" to try it out
> > > for our network. The problem is the openldap client is already installed
> > > for other apps as php, apache, asterisk, etc. So my question is: is it
> > > possible to uninstall the client? Will the server include the client
> > > required for these other apps?
> >
> > You can always remove the old client and install the new version. You
> > simply need to shutdown the services which depend on the client before
> > you remove the old one and install the new one. Then start the
> > services again. Of course you should do this on a test machine and
> > make sure all your applications work as expected with the new client
> > (i.e. don't do this on your production machine AND backup before you
> > do!).
> >
> > For what it's worth, I've removed and installed the OpenLDAP client
> > from a few machines and never had any problems with Apache nor with
> > PHP. But I did have a problem with sudo(8). If you use sudo (you
> > probably should IMHO) and it was compiled with LDAP support, then the
> > minute you remove the old OpenLDAP client, sudo will be broken. It's
> > easy to work around this by using su(1) and switch to root. Of course,
> > make sure you know the root password and that you're part of the wheel
> > group before you do this.
> >
> > Here's how I proceed to update the OpenLDAP client. I use SASL also,
> > but it's not mandatory. Notice that I run a first make(1) without
> > options. This will help reduce the time required between the `make
> > deinstall` and `make install clean`.
> >
> > cd /usr/ports/net/openldap24-sasl-client
> > sudo make
> > sudo /all/your/ldap/dependent/applications/rc.d/scripts stop
> > sudo make deinstall
> > sudo make install clean
> > sudo /all/your/ldap/dependent/applications/rc.d/scripts start
> >
> > Also, on a side note, I would suggest adding a few lines to
> > make.conf(5) so that all your applications will require the same
> > OpenLDAP versions (and the same Berkeley DB too). That change did help
> > me quite a lot. The downside of this is that if you have many hosts,
> > you may have to edit quite a few make.conf(5) files when either
> > OpenLDAP or BDB changes versions. Using rsync, rdist
> >
> > WANT_OPENLDAP_VER= 24
> > WITH_BDB_VER= 46
> >
> > Good luck with OpenLDAP. Should you need help with it, SASL and
> > Kerberos integration, feel free to contact me.
>
> I did just get it worked out, but those other apps were worrying me (see
> last post). At least I know where to look now...

Indeed. I've never used Asterisk myself so you'll have to test it. I'd
be surprised if a change in the LDAP client breaks anything, but you
never know. Better test it first on a non-production system.

> I am very interested in kerberos integration if you could provide some
> hints. I looked into before for another reason and set it aside in the
> too hard basket for a while... I posted back to the list to help others
> if they're interested too.

I've successfully integrated OpenLDAP with SASL and Kerberos along
with nss_ldap, pam_ldap, sudo and ssh on FreeBSD. I agree with you
that it's not very easy to find good documentation on this subject on
the web. So I'll try to post my own setup online in case it can help
anyone.

But before I do, I still need to clean up my notes :) I'd also like to
publish documentation on these items:

- Setup the OpenLDAP replication with a Kerberos user.
- Describe a backup and recovery plan.
- Configure Apache to use mod_auth_kerb to achieve Single Sign-On.
- Describe how to replace NIS with OpenLDAP.
- Configure the OpenLDAP/Kerberos setup in HA using Open Source tools.
- Test some web based applications to manage the OpenLDAP accounts (so
that I can give the user management to a junior admin or first level
support teams)

So unless you really need my docs right away, I would suggest waiting
a bit for me to clean the whole thing. I'd like to have all that up
and running around the first week of May.

> One thing, I installed the lam webapp for administration (and I did also
> try this manually too) but when I'm asked for a password I have no idea
> what password its looking for (I do feel rather stupid!).

Hummm, I've never used LAM before. But my (wild) guess would be that
it's looking for your rootdn user's password. Or any other user in
which you've granted full read/write access in your OpenLDAP acls.

> This was something I was going to try to solve next time I get back to this
> project- it was late at night and I had only just got it installed and
> running. It says in the install guide that it will ask for the secret
> once you add a ldif file, so I assumed it would set it then- I was
> wrong...

Well, the first password you setup is the rootdn's password. You
generate the Salted-SHA1 hashed password with slappasswd(8C). Simply
copy the output of `slappasswd -v` into your
/usr/local/etc/openldap/slapd.conf file. That's in the rootpw
configuration such as this:

# Specify the rootdn's passwd. See slappasswd(8).
rootpw          {SSHA}k+bY44tTwH6kSCvpFQhDIiFaibigrRjm

That's also the password LAM was asking for. Unless you've linked your
OpenLDAP server with Kerberos that is (in which case the rootpw isn't
used anymore :)

> Thanks for the help.

Sure, no problem, that's the whole point of mailing lists ;)
Should you need more LDAP related help, I'd also suggest the mailing
lists at http://www.openldap.org/lists/

Cheers!

David
-- 
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122
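As an added example (not part of David's message nor OpenLDAP's own code), the following Python snippet reproduces the `{SSHA}` form that slappasswd(8) writes for `rootpw`, checks a candidate password against it the way slapd does, and parses the value quoted above to show its layout (20-byte SHA-1 digest followed by the salt). The password and fixed salt used here are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

SSHA_PREFIX = "{SSHA}"
SHA1_LEN = 20  # SHA-1 digests are always 20 bytes; everything after is the salt


def parse_ssha(value: str) -> Tuple[bytes, bytes]:
    """Split a '{SSHA}<base64>' string into (sha1_digest, salt)."""
    if not value.startswith(SSHA_PREFIX):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(value[len(SSHA_PREFIX):], validate=True)
    if len(raw) <= SHA1_LEN:
        raise ValueError("too short to hold a SHA-1 digest plus a salt")
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Build base64(SHA1(password + salt) + salt), as slappasswd -h {SSHA} does.

    slappasswd picks a random 4-byte salt; a caller may pass one for tests.
    """
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(password: str, value: str) -> bool:
    """Check a candidate password against an {SSHA} value (constant-time compare)."""
    digest, salt = parse_ssha(value)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Constructed demo password and salt (hypothetical values, not from the post).
    rootpw_line = make_ssha("constructed-secret", salt=b"\x01\x02\x03\x04")
    print("rootpw          " + rootpw_line)
    print("correct password accepted:", verify_ssha("constructed-secret", rootpw_line))
    print("wrong password accepted:  ", verify_ssha("not-the-secret", rootpw_line))
    # The value quoted in the message above: 24 decoded bytes = 20 digest + 4 salt.
    d, s = parse_ssha("{SSHA}k+bY44tTwH6kSCvpFQhDIiFaibigrRjm")
    print("quoted rootpw: digest bytes =", len(d), "salt bytes =", len(s))
```

The same `{SSHA}` layout applies to `userPassword` attributes, so the checker can be pointed at an LDIF export to confirm that no account still carries a plaintext or `{CLEARTEXT}` value.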