The problem with SourceRebels’ answer is that slapcat(8) does not guarantee that the data is ordered for ldapadd(1)/ldapmodify(1). From man slapcat (from OpenLDAP 2.3) : The LDIF generated by this tool is suitable for use with slapadd(8). As the entries are in database order, not superior first order, they cannot be loaded with ldapadd(1) without … Read more
The short answer is “yes”. A sample ldapsearch command to query an Active Directory server is: ldapsearch \ -x -h ldapserver.mydomain.example \ -D “mywindowsuser@mydomain.example” \ -W \ -b “cn=users,dc=mydomain,dc=com” \ -s sub “(cn=*)” cn mail sn This would connect to an AD server at hostname ldapserver.mydomain.example as user mywindowsuser@domain.example, prompt for the password on the … Read more
An note to add to this for google searchers – we had the same issue where no matter what we did, the nfs mount would not map the user ids correctly. The issue was idmapd had cached the incorrect ids from the faulty configuration, and no fixing of the configuration would sort it. The command … Read more
It’s unsatisfying, but su – leopetr4 and ssh leopetr4@my_hostname started working soon after I set the bounty on the question. I spent some time thinking about why that was without coming to a clear conclusion, as it would be bad for it to stop working as suddenly as it started. One change I recall making … Read more
Using the pre-configured OpenLDAP system of about any Linux distribution will do most of the work of configuring OpenLDAP for you. Creating a very basic LDAP system in i.e. Ubuntu should not take more than 30 min and there are easy to follow guides available for this.
You will need to use the new cn=config configuration method, where the LDAP server will be configured via a separate data tree in the directory (which is usually represented as LDIF files under /etc/ldap/slapd.d.
I was following the same guide and had the same issue. It will work if you do the steps to “Tighten up ownership and permissions” listed after the offending ldapmodify command first–namely: sudo adduser openldap ssl-cert sudo chgrp ssl-cert /etc/ssl/private sudo chgrp ssl-cert /etc/ssl/private/ldap01_slapd_key.pem sudo chmod g+X /etc/ssl/private sudo chmod g+r /etc/ssl/private/ldap01_slapd_key.pem and sudo systemctl … Read more
I haven’t tried olcLogFile but by default, OpenLDAP log all information to rsyslog’s local4 facility. Add the following line to /etc/rsyslog.conf or /etc/rsyslog.d/ldap.conf: local4.* /var/log/ldap.log Restart the rsyslog service and check out this log.
Don’t have reputation to add comments, but to debug PAM auth problems you are looking on the wrong side, you need to do that on server side. To do so ssh into the server and run: sshd -d -D -p 4000 That will start an ssh daemon on port 4000 (-p 4000) with debug enabled … Read more
RHEL does not in fact provide anything that can be used as a ‘certificate directory’ for CA trust purposes. For OpenSSL, a certificate directory – a ‘CApath’ – is a directory containing individual certificate files (in PEM format or OpenSSL’s extended ‘trusted certificate’ format), with names in a specific format based on a hash of … Read more