Authentication using OpenLDAP
by Sebastien Mirolo on Sat, 8 Oct 2011

For the most part I followed the Ubuntu 11.04 OpenLDAP tutorial. The Wikipedia article is also useful to understand some of the basics. I later stumbled upon LDAP for Rocket Scientists, which definitely helped clarify some of it.
$ apt-get install slapd ldap-utils
Getting the appropriate LDAP setup and running ldapadd with the appropriate command line arguments has been challenging. Depending on the combination of flags, I ran into different error messages such as:
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
    # Check /etc/default/slapd
ldap_sasl_interactive_bind_s: No such attribute (16)
ldap_add: Strong(er) authentication required (8)
    additional info: modifications require authentication
    # Use -D and -W command line options
Ubuntu 11.04 comes with OpenLDAP 2.4. It took a while to google through to the fact that /etc/ldap/slapd.conf is deprecated and that LDAP is now configured through /etc/ldap/slapd.d/. The major headache was that ldapadd insisted on me providing a password I never set nor was aware of. A grep for password in /etc/ldap/slapd.d/ did not help reveal what the default might be either. Finally the light came through the following article: switch to dynamic config backend.
$ slappasswd
New password:
Re-enter new password:
{SSHA}xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
$ diff -u prev "/etc/ldap/slapd.d/cn=config/olcDatabase={1}hdb.ldif"
 olcRootDN: cn=admin,dc=localdomain
+olcRootPW: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
$ diff -u prev "/etc/ldap/slapd.d/cn=config/olcDatabase={0}hdb.ldif"
-olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
- ,cn=auth manage by * break
+olcAccess: {0}to * by * none
+olcAddContentAcl: TRUE
+olcLastMod: TRUE
+olcMaxDerefDepth: 15
+olcReadOnly: FALSE
+olcRootDN: cn=admin,cn=config
+olcRootPW: {SSHA}aWHEjvHchgtWH97Pz4PwAQu/yH+1RLnd
+olcSyncUseSubentry: FALSE
+olcMonitoring: FALSE
$ diff -u prev "/etc/ldap/slapd.d/cn=config/cn=module{0}.ldif"
-creatorsName: cn=config
-modifiersName: cn=config
+creatorsName: cn=admin,cn=config
+modifiersName: cn=admin,cn=config
$ ldapadd -x -H ldap:/// -f /etc/ldap/schema/cosine.ldif \
    -D "cn=admin,cn=config" -W
$ ldapadd -x -H ldap:/// -f /etc/ldap/schema/nis.ldif \
    -D "cn=admin,cn=config" -W
$ ldapadd -x -H ldap:/// -f /etc/ldap/schema/inetorgperson.ldif \
    -D "cn=admin,cn=config" -W
$ ldapadd -x -H ldap:/// -f backend.domain.ldif -D "cn=admin,cn=config" -W
$ ldapadd -x -H ldap:/// -f frontend.domain.ldif -D "cn=admin,dc=domain,dc=com" -W
$ ldapsearch -xLLL -b "dc=domain,dc=com" uid=login sn givenName cn
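Review bot: in the olcDatabase={0} hunk, replacing `to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break` with `to * by * none` drops the rule that lets local root manage cn=config over ldapi:/// with SASL EXTERNAL, so from this point the only way into the config database is the cn=admin,cn=config password in olcRootPW (the rootdn is not subject to olcAccess). Keeping the peercred rule next to the new olcRootPW preserves a recovery path if that password is lost. The same hunk also shows the real olcRootPW value, whereas the {1}hdb hunk masks it with x's; {SSHA} is a salted SHA-1 that can be brute-forced offline, so that password should be rotated rather than its hash published.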
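What the {SSHA} string printed by slappasswd actually contains, as an added example that is not part of the original post: base64 of SHA-1(password || salt) followed by the salt, which is also the shape slapd checks a simple bind against when olcRootPW holds such a value. The password and salt below are constructed for the demo.

```python
import base64
import hashlib
import hmac
import os

PREFIX = "{SSHA}"
DIGEST_LEN = 20  # SHA-1 digest size in bytes; whatever follows it is the salt


def ssha_hash(password, salt=None):
    """Return a {SSHA} string in the layout slappasswd emits.

    The stored value is base64(SHA1(password + salt) + salt); slappasswd
    picks a random 4-byte salt, which is what we default to here.
    """
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check a candidate password against a stored {SSHA} value.

    Mirrors the check done on a simple bind: split the decoded blob into
    digest and salt, rehash the candidate with that salt and compare in
    constant time so timing does not leak how many bytes matched.
    """
    if not stored.startswith(PREFIX):
        raise ValueError("not an {SSHA} value: %r" % stored)
    raw = base64.b64decode(stored[len(PREFIX):])
    if len(raw) <= DIGEST_LEN:
        raise ValueError("decoded value too short to hold a digest and salt")
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Constructed demo password; in practice it comes from slappasswd's prompt.
    stored = ssha_hash("demo-only-password")
    print(stored)
    print(ssha_verify("demo-only-password", stored))  # True
    print(ssha_verify("wrong", stored))                # False
```

Because the salt sits in the clear after the digest, anyone holding the string can run a dictionary against it offline, which is why a leaked olcRootPW value is as good as a leaked password.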
Adding entries as LDIF files can be quite cumbersome, so I hoped to make my life simpler by using addluser.py, but the link to download the script is broken. I also hoped to install web2ldap, but that ended with a Python exception.
$ apt-get install python-weblib python-ldap python-pyasn1
# $ apt-get install python-dns python-imaging
$ wget http://www.web2ldap.de/download/web2ldap-1.1.0a41.tar.gz
$ tar zxvf web2ldap-1.1.0a41.tar.gz
$ pushd web2ldap
$ sbin/web2ldap.py
from ldap.controls import ValueLessRequestControl,AssertionControl,AuthorizationIdentityControl
ImportError: cannot import name ValueLessRequestControl
Michael Ströder pointed me to Installing web2ldap on Debian. The problem is that I had installed an outdated version of python-ldap through the Ubuntu package manager, and recent web2ldap versions need newer modules. So I followed the instructions and installed the latest versions of the Python modules through easy_install instead of apt-get, as described in the previous link.
$ /usr/bin/python -V
Python 2.7.1+
$ apt-get install build-essential python-dev python-setuptools
$ apt-get install libsasl2-dev libldap-dev
$ easy_install python-ldap pyweblib pyasn1 pyasn1_modules
# Optional
$ apt-get install python-imaging
$ easy_install pydns pyexcelerator
$ wget http://www.web2ldap.de/download/web2ldap-1.1.0a51.tar.gz
$ tar zxvf web2ldap-1.1.0a51.tar.gz
$ pushd web2ldap-1.1.0a51
$ python sbin/checkinst.py
$ diff -u prev etc/web2ldap/web2ldapcnf/standalone.py
-#access_allowed = ['0.0.0.0/0.0.0.0']
-access_allowed = ['127.0.0.0/255.0.0.0']
+access_allowed = ['0.0.0.0/0.0.0.0']
+#access_allowed = ['127.0.0.0/255.0.0.0']
$ python sbin/web2ldap.py -l 0.0.0.0:1760 -d off
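Review bot: the standalone.py hunk flips access_allowed from 127.0.0.0/255.0.0.0 to 0.0.0.0/0.0.0.0, and the following command binds the listener with -l 0.0.0.0:1760, so together they expose the web2ldap admin interface, and the directory bind credentials typed into it, to every address that can reach the host. Keep the loopback entry and reach the UI through an SSH tunnel, or at least narrow access_allowed to the administrators' network and bind to a specific interface.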
I was then able to access the web2ldap web interface and start browsing through it.
A search through the Ubuntu packages reports ldap-account-manager and ldaptor-webui, so I might try them at some point.