Welcome to the DjaoDjin Blog!

A place to share experiences in building Software-as-a-Service.

Authentication using OpenLDAP

by Sebastien Mirolo on Sat, 8 Oct 2011

In the most part I followed the ubuntu 11.04 openldap tutorial. The wikipedia article is also useful to understand some of the basics. I later stumbled upon LDAP for Rocket Scientists which definitely helped clarify some.

$ apt-get install slapd ldap-utils

Getting the appropriate LDAP setup and running ldapadd with the appropriate command line arguments has been challenging. Depending on the combination of flags, I ran in different error messages such as:

ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
# Check /etc/default/slapd

ldap_sasl_interactive_bind_s: No such attribute (16)

ldap_add: Strong(er) authentication required (8)
    additional info: modifications require authentication
# Use -D and -W command line options

Ubuntu 11.04 comes with OpenLDAP 2.4. It took a while to google through to fact that /etc/ldap/sldap.conf is deprecated and the way to configure LDAP is now through the /etc/ldap/sldap.d. The major headache was that ldapadd insisted on me providing a password I never set nor was aware of. A grep for password into /etc/ldap/slapd.d/ did not help reveal what the default might be either. Finally the light came through the following article: switch to dynamic config backend.

$ slappasswd
New password:
Re-enter new password:
$ diff -u prev "/etc/ldap/slapd.d/cn=config/olcDatabase={1}hdb.ldif"
  olcRootDN: cn=admin,dc=localdomain
+ olcRootPW: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
$ diff -u prev "/etc/ldap/slapd.d/cn=config/olcDatabase={0}hdb.ldif"
-olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
- ,cn=auth manage by * break
+olcAccess: {0}to *  by * none
+olcAddContentAcl: TRUE
+olcLastMod: TRUE
+olcMaxDerefDepth: 15
+olcReadOnly: FALSE
+olcRootDN: cn=admin,cn=config
+olcRootPW: {SSHA}aWHEjvHchgtWH97Pz4PwAQu/yH+1RLnd
+olcSyncUseSubentry: FALSE
+olcMonitoring: FALSE
$ diff -u prev "/etc/ldap/slapd.d/cn=config/cn=module{0}.ldif"
-creatorsName: cn=config
-modifiersName: cn=config
+creatorsName: cn=admin,cn=config
+modifiersName: cn=admin,cn=config

$ ldapadd -x -H ldap:/// -f /etc/ldap/schema/cosine.ldif \
      -D "cn=admin,cn=config" -W
$ ldapadd -x -H ldap:/// -f /etc/ldap/schema/nis.ldif \
      -D "cn=admin,cn=config" -W
$ ldapadd -x -H ldap:/// -f /etc/ldap/schema/inetorgperson.ldif \
      -D "cn=admin,cn=config" -W
$ ldapadd -x -H ldap:/// -f backend.domain.ldif -D "cn=admin,cn=config" -W
$ ldapadd -x -H ldap:/// -f frontend.domain.ldif -D "cn=admin,dc=domain,dc=com" -W
$ ldapsearch -xLLL -b "dc=domain,dc=com" uid=login sn givenName cn

Adding entries as ldif files can be quite cumbersome so I hoped to make my life simpler by using addluser.py but the link to download the script is broken. I also hoped to install web2ldap but that ended with a python exception.

$ apt-get install python-weblib python-ldap python-pyasn1
# $ apt-get install python-dns python-imaging
$ wget http://www.web2ldap.de/download/web2ldap-1.1.0a41.tar.gz
$ tar zxvf web2ldap-1.1.0a41.tar.gz
$ pushd web2ldap
$ sbin/web2ldap.py
from ldap.controls import ValueLessRequestControl,AssertionControl,AuthorizationIdentityControl
ImportError: cannot import name ValueLessRequestControl

Michael Ströder pointed me to Installing web2ldap on Debian. The problem is that I had installed an outdated version of python-ldap through ubuntu package manager. Recent web2ldap versions need newer modules. So I followed the instructions and installed the latest versions of python modules through easy_install instead of apt-get as described in the previous link.

$ /usr/bin/python -V
Python 2.7.1+
$ apt-get install build-essential python-dev python-setuptools
$ apt-get install libsasl2-dev libldap-dev
$ easy_install python-ldap pyweblib pyasn1 pyasn1_modules
# Optional
$ apt-get install python-imaging
$ easy_install pydns pyexcelerator
$ wget http://www.web2ldap.de/download/web2ldap-1.1.0a51.tar.gz
$ tar zxvf web2ldap-1.1.0a51.tar.gz
$ pushd web2ldap-1.1.0a51
$ python sbin/checkinst.py
diff -u prev etc/web2ldap/web2ldapcnf/standalone.py
-#access_allowed = ['']
-access_allowed = ['']
+access_allowed = ['']
+#access_allowed = ['']
$ python sbin/web2ldap.py -l -d off

I was then able to access the web2ladp web interface and start browsing through it.

A search through ubuntu packages reports ldap-account-manager and ldaptor-webui so I might try them at some point.