Pages : 1
#1 Le 03/11/2009, à 17:21
- thomine
[Résolu] Pb LDAP : no global superior knowledge
Bonjour,
Ca fait des heures que je me casse la tête sur la conf d'un pauvre LDAP et je commence à devenir fou, alors avant de détruire mon PC, je m'en remets à vous !
J'ai essayé de suivre pas mal de tuto et quelques posts :
http://doc.ubuntu-fr.org/slapd
https://help.ubuntu.com/8.10/serverguid … erver.html
http://www.openldap.org/doc/admin24/quickstart.html
http://forum.ubuntu-fr.org/viewtopic.php?id=341511
http://forum.ubuntu-fr.org/viewtopic.php?id=315048
Mais ça ne marche pas et je suis complètement paumé... Je lis à des endroits que le fichier ldap.conf ne sert à rien, à d'autre qu'il est indispensable... Qu'en est-il ?
Quelques infos :
Je suis sous Karmic
J'ai installé les paquets suivants : slapd ldap-utils libnss-ldap
J'ai fait des : sudo dpkg-reconfigure slapd
J'ai fait des : sudo dpkg-reconfigure ldap-auth-config
J'ai essayé de désinstaller et purger plusieurs fois le paquet slapd, rien n'y fait.
J'essaie de faire un (en utilisant le mot de passe "secret" défini dans le fichier /etc/ldap.secret :
ldapadd -x -D "cn=admin,dc=chezmoi,dc=com" -W -f schema.ldif
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
Je vous mets le fichier /etc/ldap.conf (généré il me semble par sudo dpkg-reconfigure ldap-auth-config) :
###DEBCONF###
##
## Configuration of this file will be managed by debconf as long as the
## first line of the file says '###DEBCONF###'
##
## You should use dpkg-reconfigure to configure this file via debconf
##
#
# @(#)$Id: ldap.conf,v 1.38 2006/05/15 08:13:31 lukeh Exp $
#
# This is the configuration file for the LDAP nameservice
# switch library and the LDAP PAM module.
#
# PADL Software
# http://www.padl.com
#
# Your LDAP server. Must be resolvable without using LDAP.
# Multiple hosts may be specified, each separated by a
# space. How long nss_ldap takes to failover depends on
# whether your LDAP client library supports configurable
# network or connect timeouts (see bind_timelimit).
#host 127.0.0.1
# The distinguished name of the search base.
base dc=chezmoi,dc=com
# Another way to specify your LDAP server is to provide an
uri ldap://localhost/
# Unix Domain Sockets to connect to a local LDAP Server.
#uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator
# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3
# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
#binddn cn=proxyuser,dc=padl,dc=com
# The credentials to bind with.
# Optional: default is no credential.
#bindpw secret
# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
rootbinddn cn=admin,dc=chezmoi,dc=com
# The port.
# Optional: default is 389.
#port 389
# The search scope.
#scope sub
#scope one
#scope base
# Search timelimit
#timelimit 30
# Bind/connect timelimit
#bind_timelimit 30
# Reconnect policy: hard (default) will retry connecting to
# the software with exponential backoff, soft will fail
# immediately.
#bind_policy hard
# Idle timelimit; client will close connections
# (nss_ldap only) if the server has not been contacted
# for the number of seconds specified below.
#idle_timelimit 3600
# Filter to AND with uid=%s
#pam_filter objectclass=account
# The user ID attribute (defaults to uid)
#pam_login_attribute uid
# Search the root DSE for the password policy (works
# with Netscape Directory Server)
#pam_lookup_policy yes
# Check the 'host' attribute for access control
# Default is no; if set to yes, and user has no
# value for the host attribute, and pam_ldap is
# configured for account management (authorization)
# then the user will not be allowed to login.
#pam_check_host_attr yes
# Check the 'authorizedService' attribute for access
# control
# Default is no; if set to yes, and the user has no
# value for the authorizedService attribute, and
# pam_ldap is configured for account management
# (authorization) then the user will not be allowed
# to login.
#pam_check_service_attr yes
# Group to enforce membership of
#pam_groupdn cn=PAM,ou=Groups,dc=padl,dc=com
# Group member attribute
#pam_member_attribute uniquemember
# Specify a minium or maximum UID number allowed
#pam_min_uid 0
#pam_max_uid 0
# Template login attribute, default template user
# (can be overriden by value of former attribute
# in user's entry)
#pam_login_attribute userPrincipalName
#pam_template_login_attribute uid
#pam_template_login nobody
# HEADS UP: the pam_crypt, pam_nds_passwd,
# and pam_ad_passwd options are no
# longer supported.
#
# Do not hash the password at all; presume
# the directory server will do it, if
# necessary. This is the default.
pam_password clear
# Hash password locally; required for University of
# Michigan LDAP server, and works with Netscape
# Directory Server if you're using the UNIX-Crypt
# hash mechanism and not using the NT Synchronization
# service.
#pam_password crypt
# Remove old password first, then update in
# cleartext. Necessary for use with Novell
# Directory Services (NDS)
#pam_password clear_remove_old
#pam_password nds
# RACF is an alias for the above. For use with
# IBM RACF
#pam_password racf
# Update Active Directory password, by
# creating Unicode password and updating
# unicodePwd attribute.
#pam_password ad
# Use the OpenLDAP password change
# extended operation to update the password.
#pam_password exop
# Redirect users to a URL or somesuch on password
# changes.
#pam_password_prohibit_message Please visit http://internal to change your password.
# RFC2307bis naming contexts
# Syntax:
# nss_base_XXX base?scope?filter
# where scope is {base,one,sub}
# and filter is a filter to be &'d with the
# default filter.
# You can omit the suffix eg:
# nss_base_passwd ou=People,
# to append the default base DN but this
# may incur a small performance impact.
#nss_base_passwd ou=People,dc=padl,dc=com?one
#nss_base_shadow ou=People,dc=padl,dc=com?one
#nss_base_group ou=Group,dc=padl,dc=com?one
#nss_base_hosts ou=Hosts,dc=padl,dc=com?one
#nss_base_services ou=Services,dc=padl,dc=com?one
#nss_base_networks ou=Networks,dc=padl,dc=com?one
#nss_base_protocols ou=Protocols,dc=padl,dc=com?one
#nss_base_rpc ou=Rpc,dc=padl,dc=com?one
#nss_base_ethers ou=Ethers,dc=padl,dc=com?one
#nss_base_netmasks ou=Networks,dc=padl,dc=com?ne
#nss_base_bootparams ou=Ethers,dc=padl,dc=com?one
#nss_base_aliases ou=Aliases,dc=padl,dc=com?one
#nss_base_netgroup ou=Netgroup,dc=padl,dc=com?one
# attribute/objectclass mapping
# Syntax:
#nss_map_attribute rfc2307attribute mapped_attribute
#nss_map_objectclass rfc2307objectclass mapped_objectclass
# configure --enable-nds is no longer supported.
# NDS mappings
#nss_map_attribute uniqueMember member
# Services for UNIX 3.5 mappings
#nss_map_objectclass posixAccount User
#nss_map_objectclass shadowAccount User
#nss_map_attribute uid msSFU30Name
#nss_map_attribute uniqueMember msSFU30PosixMember
#nss_map_attribute userPassword msSFU30Password
#nss_map_attribute homeDirectory msSFU30HomeDirectory
#nss_map_attribute homeDirectory msSFUHomeDirectory
#nss_map_objectclass posixGroup Group
#pam_login_attribute msSFU30Name
#pam_filter objectclass=User
#pam_password ad
# configure --enable-mssfu-schema is no longer supported.
# Services for UNIX 2.0 mappings
#nss_map_objectclass posixAccount User
#nss_map_objectclass shadowAccount user
#nss_map_attribute uid msSFUName
#nss_map_attribute uniqueMember posixMember
#nss_map_attribute userPassword msSFUPassword
#nss_map_attribute homeDirectory msSFUHomeDirectory
#nss_map_attribute shadowLastChange pwdLastSet
#nss_map_objectclass posixGroup Group
#nss_map_attribute cn msSFUName
#pam_login_attribute msSFUName
#pam_filter objectclass=User
#pam_password ad
# RFC 2307 (AD) mappings
#nss_map_objectclass posixAccount user
#nss_map_objectclass shadowAccount user
#nss_map_attribute uid sAMAccountName
#nss_map_attribute homeDirectory unixHomeDirectory
#nss_map_attribute shadowLastChange pwdLastSet
#nss_map_objectclass posixGroup group
#nss_map_attribute uniqueMember member
#pam_login_attribute sAMAccountName
#pam_filter objectclass=User
#pam_password ad
# configure --enable-authpassword is no longer supported
# AuthPassword mappings
#nss_map_attribute userPassword authPassword
# AIX SecureWay mappings
#nss_map_objectclass posixAccount aixAccount
#nss_base_passwd ou=aixaccount,?one
#nss_map_attribute uid userName
#nss_map_attribute gidNumber gid
#nss_map_attribute uidNumber uid
#nss_map_attribute userPassword passwordChar
#nss_map_objectclass posixGroup aixAccessGroup
#nss_base_group ou=aixgroup,?one
#nss_map_attribute cn groupName
#nss_map_attribute uniqueMember member
#pam_login_attribute userName
#pam_filter objectclass=aixAccount
#pam_password clear
# Netscape SDK LDAPS
#ssl on
# Netscape SDK SSL options
#sslpath /etc/ssl/certs
# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
#ssl start_tls
#ssl on
# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is to use libldap's default behavior, which can be configured in
# /etc/openldap/ldap.conf using the TLS_REQCERT setting. The default for
# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
#tls_checkpeer yes
# CA certificates for server certificate verification
# At least one of these are required if tls_checkpeer is "yes"
#tls_cacertfile /etc/ssl/ca.cert
#tls_cacertdir /etc/ssl/certs
# Seed the PRNG if /dev/urandom is not provided
#tls_randfile /var/run/egd-pool
# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1
# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key
# Disable SASL security layers. This is needed for AD.
#sasl_secprops maxssf=0
# Override the default Kerberos ticket cache location.
#krb5_ccname FILE:/etc/.ldapcache
# SASL mechanism for PAM authentication - use is experimental
# at present and does not support password policy control
#pam_sasl_mech DIGEST-MD5
nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,couchdb,daemon,debian-tor,games,gdm,gnats,haldaemon,hplip,irc,kernoops,klog,libuuid,list,lp,mail,man,messagebus,mysql,news,openldap,polkituser,privoxy,proxy,pulse,root,saned,speech-dispatcher,sshd,svn,sync,sys,syslog,tomcat6,uucp,vboxadd,www-data
Ainsi que mon fichier schema.ldif :
version: 1
## version not strictly necessary but good practice to include for future
## DEFINE DIT ROOT/BASE/SUFFIX ####
## uses RFC 2377 format
## dcObject is an AUXILIARY objectclass and MUST
## have a STRUCTURAL objectclass (organization in this case)
# this is an ENTRY sequence and is preceded by a BLANK line
dn: dc=chezmoi,dc=com
dc: chezmoi
description: chezmoi
objectClass: dcObject
objectClass: organization
o: chezmoi
## FIRST Level hierarchy - people
# this is an ENTRY sequence and is preceded by a BLANK line
# Administrateur
dn: cn=admin,dc=chezmoi,dc=com
cn: admin
objectclass: organizationalRole
objectclass: simpleSecurityObject
userPassword: secret
dn: ou=people, dc=chezmoi,dc=com
ou: people
description: All people in organisation
objectClass: organizationalUnit
## SECOND Level hierarchy - people entries
# this is an ENTRY sequence and is preceded by a BLANK line
dn: cn=Thomas,ou=people,dc=chezmoi,dc=com
objectclass: inetOrgPerson
cn: Thomas
sn: moi
uid: thomas
mail: thomas@chezmoi.com
ou: IT
Que dois je faire pour me connecter à mon LDAP et le modifier ?
Par avance, merci pour votre aide précieuse !
Dernière modification par thomine (Le 17/11/2009, à 15:11)
Hors ligne
#2 Le 03/11/2009, à 20:02
- thomine
Re : [Résolu] Pb LDAP : no global superior knowledge
:(:( Je n'y arrive toujours pas.
J'ai essayé de reprendre le tuto http://doc.ubuntu-fr.org/slapd depuis le début en zappant le fichier /etc/ldap/ldap.conf.
Lorsque je fais :
sudo slapadd -l Documents/LDAP/test.ldif
j'obtiens :
Available database(s) do not allow slapadd
Si quelqu'un a des connaissances LDAP, il peut m'être d'un grand secours ! Par avance, merci !
Hors ligne
#3 Le 03/11/2009, à 22:27
- thomine
Re : [Résolu] Pb LDAP : no global superior knowledge
J'ai trouvé cette nouvelle page, qui contient une doc plus à jour : http://doc.ubuntu.com/ubuntu/serverguid … erver.html.
Mon véritable problème de base est : comment changer le mot de passe de l'admin LDAP ?
J'ai beau essayé tous les mots de passe que j'aurais pu mettre, ils sont tous refusés. Si je réinstalle le paquet ou essaie un dkpg-reconfigure, on ne me demande jamais de setter le mot de passe admin, comment faire ???
Hors ligne
#4 Le 04/11/2009, à 10:04
- thomine
Re : [Résolu] Pb LDAP : no global superior knowledge
J'ai enfin passé l'étape du mot de passe grace à cette page : http://www.openldap.org/doc/admin24/slapdconf2.html.
J'ai ajouté la ligne "olcRootPW: secret" au fichier : /etc/ldap/slapd.d/cn\=config/olcDatabase\=\{0\}config.ldif.
J'ai cependant un nouveau problème, j'ai l'impression que le schéma est vide et que je ne peux rien ajouter.
ldapsearch -xLLL -b cn=config -D cn=admin,cn=config -W olcDatabase={1}hdb olcDbIndex
ne me renvoie rien
slapadd -v -l workspace/proto/schema.ldif
ldif_read_file: Permission denied for "/etc/ldap/slapd.d/cn=config.ldif"
slapadd: bad configuration file!
Avec un sudo :
sudo slapadd -v -l workspace/proto/schema.ldif
Available database(s) do not allow slapadd
Différemment :
ldapadd -x -D cn=admin,cn=config -W -f workspace/proto/schema.ldif
Enter LDAP Password:
adding new entry "dc=chezmoi,dc=com"
ldap_add: Server is unwilling to perform (53)
additional info: no global superior knowledge
J'ai aussi essayé avec Apache Directory Studio d'ajouter une entry de type dcObject et organization, j'ai l'erreur suivante :
#!ERROR [LDAP: error code 53 - no global superior knowledge]
Est-ce que quelqu'un pourrait m'aider svp ?
Merci !
Dernière modification par thomine (Le 04/11/2009, à 10:15)
Hors ligne
#5 Le 17/11/2009, à 15:01
- franckydevil
Re : [Résolu] Pb LDAP : no global superior knowledge
Si cela peut vous aider :
Regardez peut être de ce coté : http://ubuntuforums.org/showthread.php?t=1313472
Un tuto assez simple et fonctionnel
Hors ligne
#6 Le 17/11/2009, à 15:10
- thomine
Re : [Résolu] Pb LDAP : no global superior knowledge
Effectivement, merci pour le lien, ça confirme qu'installer OpenLdap n'est pas trivial !
Pour info, j'ai abandonné OpenLDAP au profit d'Apache Directory Server, plus simple à configurer (en cas tout vu mon besoin basique...).
Hors ligne
Pages : 1