Phpldapadmin does not work for an unknown reason - ldap

I'm trying to install LDAP. I've installed slapd and the PhpLDAPAdmin tool on Debian, but when I'm logged in, I cannot do anything. Although I've logged in as 'cn=admin,dc=barbucha', I see on the right side, instead of the tree:
Logged in as: dc=example,dc=com
This base cannot be created with PLA.
I tried Google, but this error seems to be a rare one. I've created a database that 'cn=admin,dc=barbucha' is in. (Otherwise I could not use the name to log in.)

This happens quite rarely. For an unknown reason the configuration process didn't get data from the LDAP server and didn't set proper values in the /etc/phpldapadmin/config.php script. Somewhere near line 300, two important lines were generated erroneously:
$servers->setValue('server','base',array('dc=example,dc=com'));
$servers->setValue('login','bind_id','cn=admin,dc=example,dc=com');
PhpLDAPAdmin uses these settings to access the LDAP database regardless of the login name you logged in with. Updating these lines helped:
$servers->setValue('server','base',array('dc=barbucha'));
$servers->setValue('login','bind_id','cn=admin,dc=barbucha');

Probably you should add an LDAP root first:
Create a file in /etc/openldap/:
vim /etc/openldap/base.ldif
then input:
dn: dc=em,dc=com
o: RDCenter
objectclass: dcobject
objectclass: organization
and run this command in the directory:
ldapadd -f base.ldif -x -D cn=Admin,dc=em,dc=com -W
Input your own password, and the root node will be added.
Reopen phpldapadmin, and you will find everything is well.

Related

Problems getting OpenLDAP memberOf working

I'm not very familiar with OpenLDAP, but I'm trying to get a local instance working in order to test a client in development, which needs the memberOf attribute.
I've downloaded and installed OpenLDAP on a CentOS 7 VM, per the instructions at http://www.openldap.org/doc/admin24/guide.html#A Quick-Start Guide. I did not use package management to install it. Since I'm using 2.4.45, it's using the cn=config OLC config and not the slapd.conf configuration scheme.
At step 4 above, I used the --enable-memberof and --enable-refint flag to the configure script. When I ran the pre-install tests, it did run the memberof tests, and they passed, so I know the overlay can be applied somehow.
I've tried the directions found at https://adimian.com/blog/2014/10/how-to-enable-memberof-using-openldap/ and, with slight variants, many other places. I've run into the following issues with this...
Errors about an invalid objectClass oldModuleList during ldapadd
Insufficient access errors during ldapadd
I don't have a local directory that corresponds to the module path found in any of the examples. I don't seem to have the memberof.la file anywhere on the machine.
Is this even on the right track? Or will the process be different because I installed from source or used the --enable-memberof flag?
Let me know if there's any info I need to provide.
Update:
Currently, I am trying to add the entry with DN olcOverlay={0}memberof,olcDatabase={1}hdb,cn=config as found in the linked instructions above. I get
# ldapadd -x -D "cn=Manager,dc=aaron,dc=com" -W -f member.ldif
Enter LDAP Password:
adding new entry "olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config"
ldap_add: Insufficient access (50)
Another update:
Progress!
I added an olcRootPW to the cn=config database by editing
etc/slapd.d/cn=config/olcDatabase={0}config.ldif
then used that dn to run the ldapadd:
ldapadd -x -D "cn=config" -W -f member.ldif
I had to put the {0} and {1} back.
Trying to add the first refint ldif failed, but I think I don't need that since these aren't modules, but compiled directly into slapd based on how I configured it.
Now I'm trying to add the second refint entry and getting
[root@openldap openldap]# ldapadd -x -D "cn=config" -W -f refint2.ldif
Enter LDAP Password:
adding new entry "olcOverlay={1}refint,olcDatabase={1}mdb,cn=config"
ldap_add: Other (e.g., implementation specific) error (80)
additional info: olcRefintAttribute <manager>: attribute type undefined
So here's everything I had to do to get it working from my original issue:
Add an olcRootPW entry to the olcDatabase={0}config.ldif config entry. As EJP says, this is bad form, but since this is a local testing directory only, and I only want it to allow me to test a client...
Without the {0} and {1} items in the file, the load still failed. I put both back and it worked. I did not go back to check EJP's suggestion to only have the {1}.
Then the ldapadd command needs to be run with bind dn 'cn=config'. At that point the entry to enable the memberof config would add successfully.
I tried to add the first refint file, the one that does the module. This did not work, I got an error about the olcModuleList attribute. I think since I compiled the overlays directly into OpenLDAP via the --enable-memberof and --enable-refint I didn't need this part?
For the second refint file, the one to add the overlay, I just needed to remove the 'manager owner' part of the attributes, since my directory does not have those attributes. At this point the ldif added successfully.
Then I went into the directory and added users, groups, and assigned users to groups, and (once I told it to fetch the operational attributes) lo and behold my users had the appropriate memberOf attributes!

How to add rights to an user with olcAccess, in an OpenLDAP 2.4

I have an OpenLDAP Server 2.4 running in my company and I need to permit people to change their picture in one of our web applications.
The function is already present. People in LDAP just don't have any rights to write their own attributes (especially here the "jpegPhoto" attribute needed).
I found this in the Documentation
access to attrs=jpegPhoto
    by self =xw
    by * read
I don't know how to use these lines: what command to use, or something else.
If someone could help me with how to proceed, it would be great.
Thanks
The modifications you need to apply are simple, if you are using slapd.conf as the server configuration file, and a bit more complicated if you are using the new cn=config layout. Be careful, anyway, that:
The older style slapd.conf(5) file is still supported, but its use is deprecated and support for it will be withdrawn in a future OpenLDAP release.
as stated in the OpenLDAP documentation.
1) cn=config layout
You need to modify the configuration for the database you are using. Your OpenLDAP server may contain multiple databases, but you are interested only in the one that stores people data and their pictures. To list all your available databases, use:
slapcat -b cn=config
This command must be executed from the OpenLDAP server. It will read the file named cn=config.ldif in your slapd configuration directory. In my case, it is located in
/usr/local/etc/openldap/slapd.d/cn=config.ldif
Be careful that slapcat -b cn=config will work only if the shell user can read this file. In my case, the file is
-rw------- 1 ldap ldap 680 10 mar 21:04 /usr/local/etc/openldap/slapd.d/cn=config.ldif
It belongs to user ldap, group ldap (they have been created during the OpenLDAP server installation). I have never set a password for user ldap, so:
tl;dr a way to read this file and to successfully run slapcat -b cn=config is to be root.
The output of slapcat -b cn=config is huge, but you can consider the last lines only, where the database you are interested in is listed. For example, it could be
dn: olcDatabase={1}mdb,cn=config
This is, for example, the Distinguished Name (DN) of the database containing users' pictures. You want to allow users to change their pictures.
You can modify the database configuration running (similarly to the previous case, you need write permissions on the file cn=config.ldif, so you could be root as before):
ldapmodify -f /path/to/yourfile -x -D "cn=config" -W
-f /path/to/yourfile is your configuration file (see below);
-x is Simple Authentication, it is needed if you are not using SASL;
-D "cn=config" is the username you are using to enter the OpenLDAP database. There is usually a super-user for each single database (frequently called Manager), and a global super-user. The user named cn=config is the global super-user. You should have configured its password during the OpenLDAP server installation; if you don't have this password, you may not be able to modify the database configuration;
-W asks you to type the password for the user cn=config.
The configuration file, located in /path/to/yourfile, must be a plain text file formatted as follows:
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: to attrs=jpegPhoto
  by self write
  by * read
I would suggest that you prefer by self write to by self =xw (which would not permit users to read their pictures). Be careful to put two spaces before by, as stated in this answer.
You can now run slapcat -b cn=config again to check whether the configuration has been modified, and also whether the olcAccess statements are in the correct order. If not, you can delete them and add them again, knowing that each new olcAccess specification will be automatically put after the preceding ones.
2) slapd.conf layout
If you are using the old slapd.conf configuration file, you simply need write permissions to it. Usually it is:
-rw------- 1 ldap ldap 2557 Dec 15 2016 slapd.conf
So, you can open it as root, with your preferred text editor. Identify the database section you want to modify, for example the one beginning with:
database mdb
maxsize 1073741824
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
and simply add your lines at the bottom of this section, being careful if other access statements are already present. Again, I would suggest using by self write instead of by self =xw.
Regardless of your configuration, restart the OpenLDAP server (process slapd) after your modifications.
If you need further examples and/or clarifications, please consider:
A cn=config configuration example;
Access Control for OpenLDAP databases;
the OpenLDAP site, with the whole documentation.
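To make two points of this answer concrete, the LDIF folding of a multi-line olcAccess value and why `=xw` is weaker than `write`, here is an added Python example that is not part of the original answer. It models slapd's first-match evaluation of `by` clauses for the `self`, `*`, `users`, `anonymous` and `dn.exact` selectors and the `=` exact-privilege form only; `+`/`-` incremental specs and other selectors are out of scope.

```python
import shlex

# Privilege letters low to high (disclose, auth, compare, search, read, write, manage);
# a named level such as "read" grants its own letter and every lower one.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
PRIV_ORDER = "dxcsrwm"

def privs_for(spec):
    """Expand an <access> spec ('read' or '=xw') to its set of privilege letters."""
    if spec.startswith("="):
        return set(spec[1:])                   # exact privileges: nothing is implied
    return set(PRIV_ORDER[:LEVELS.index(spec)])

def parse_access(clause):
    """Split 'to attrs=jpegPhoto by self write by * read' into <what> and [(who, access)]."""
    toks = shlex.split(clause)
    if toks[:1] != ["to"] or (len(toks) - 2) % 3 or toks[2::3] != ["by"] * ((len(toks) - 2) // 3):
        raise ValueError("expected: to <what> by <who> <access> [by <who> <access> ...]")
    return toks[1], [(toks[i + 1], toks[i + 2]) for i in range(2, len(toks), 3)]

def who_matches(who, binder_dn, target_dn):
    """binder_dn is None for an anonymous bind; DNs are compared case-insensitively."""
    bound = binder_dn is not None
    if who in ("*", "anonymous", "users"):
        return {"*": True, "anonymous": not bound, "users": bound}[who]
    if who == "self":
        return bound and binder_dn.lower() == target_dn.lower()
    if who.startswith("dn.exact="):
        return bound and binder_dn.lower() == who[len("dn.exact="):].lower()
    raise ValueError(f"unsupported <who> selector: {who}")

def effective_privs(clause, binder_dn, target_dn):
    """slapd applies the first <by> clause whose <who> matches (default 'stop' control)."""
    return next((privs_for(spec) for who, spec in parse_access(clause)[1]
                 if who_matches(who, binder_dn, target_dn)), set())

def olcaccess_modify_ldif(db_dn, clause):
    """Emit the cn=config change with the value folded: each continuation line starts
    with the LDIF fold space plus one ordinary space (the 'two spaces before by')."""
    what, by_clauses = parse_access(clause)
    lines = [f"dn: {db_dn}", "changetype: modify", "add: olcAccess", f"olcAccess: to {what}"]
    return "\n".join(lines + [f"  by {who} {spec}" for who, spec in by_clauses]) + "\n"

def unfold_ldif(text):
    """What an LDIF reader does: a line beginning with a space continues the previous one."""
    out = []
    for line in text.splitlines():
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out
```

Running `effective_privs` for the documentation's `by self =xw` clause with the binder equal to the target returns only `{'x', 'w'}`, so the user can modify but not read the attribute, whereas `by self write` returns the full set through read.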

Change default admin password in ApacheDS

I am new to ApacheDS; I am using apacheds-2.0.0-M17.
The default password for admin is secret.
Does anyone know where I can change the value to something else?
Inside:
apacheds/instances/default/conf/config.ldif
Found the following entry:
ads-pwdattribute: userPassword
When googling it, there are a lot of examples that mention doing it using Apache Directory Studio but the particular instance I am trying to configure is running in a Linux shell in a headless (no UI) mode.
Tried using the following command with ldapmodify and the cursor hangs (keeps blinking) after pressing enter. I even tried prepending it with sudo and the same thing happens.
ldapmodify -H ldap://localhost:10389 -D "uid=admin,ou=system" -x -w secret
Does anyone know why it hangs?
What am I possibly doing wrong?
Thanks again,
James
Changing the admin account password is documented in the ApacheDS documentation.
ldapmodify, if not given a file to process with the -f parameter, waits for input from standard input, on which it expects an LDIF formatted file with the modifications to perform.
In your case such a LDIF file would look something like:
dn: uid=admin,ou=system
changetype: modify
replace: userPassword
userPassword: new-password
BTW, you can still use Apache Directory Studio (or any other graphical LDAP client) to make this change, even if your directory is running on a headless server. LDAP is, after all, a network protocol. Just run the LDAP client on a local machine and connect over the network to your server. (Of course, I leave it to you to figure out if you have to open up some firewall rules or whatever.)
dn: uid=admin,ou=system
changetype: modify
replace: userPassword
userPassword: new-password
-
After each modification, you need to add a terminating "-"!!!

Howto make editing OpenLDAP Schema possible with cn=config Backend and without ldapmodify?

I am trying to set up an OpenLDAP server to manage a central address book which will primarily be used in MS Outlook. While still wondering why there is no out-of-the-box schema implemented which provides all necessary fields, I'm stuck on the new cn=config backend.
I have no slapd.conf as all information is stored in the new backend. It's said that I have to use ldapmodify to make changes to the configuration and schema files. It is very inconvenient for me to do all the changes on the CLI; I want to know how to change the standard configuration to be able to make such modifications with an LDAP tool of my choice on a remote machine.
At the moment, the only ways to modify the configuration are:
editing the data files while slapd is not executed
using ldapmodify with external authentication (e.g. ldapmodify -Y EXTERNAL -H ldapi:/// -f modifications.ldif)
Both methods are not what I want.
I tried to modify the config-backend-files to make it possible, but simply adding a RootPW didn't do the trick. Any help is appreciated!
It isn't "said [you] have to use ldapmodify" at all. You can use any LDAP client to modify the configuration. There are many:
JXplorer,
Userbooster,
...
Adding the olcRootPW to the entry dn: olcDatabase={0}config,cn=config should work.
If it still does not work, try to
slapcat the cn=config database to /path/to/file/slapd.conf.ldif (for example)
Modify the entry dn: olcDatabase={0}config,cn=config to add the attribute olcRootPW: YourPassword
slapadd the modified LDIF : slapadd -F /etc/ldap/slapd.d -b cn=config -l /path/to/file/slapd.conf.ldif
Everything needs to be done while slapd is stopped.

change distinguished name format in OpenLDAP

I have the following problem: I have installed an OpenLDAP server in which, in the people/users tree, the distinguished names have the following format:
Distinguished Name: cn=Luigi Rossi,ou=people,dc=prisma,dc=local
The problem is that I wish to use the uid (a.k.a. the account username) instead of the CN, in order to have something like this:
Distinguished Name: uid=lrossi,ou=people,dc=prisma,dc=local
I need this because I'm configuring LDAP authentication for Alfresco Community 4.0.d and it needs the username:
ldap.authentication.userNameFormat=uid=%s,ou=people,dc=prisma,dc=local
Any help?
It's an old post but I ran into this myself. The answer was actually pretty simple. If you're using phpldapadmin to create accounts, you need to edit the posixAccount template. Look for the <rdn></rdn> tags. Replace the cn with uid and save. Your accounts will now be created with a DN in the "uid=%s,dc=example,dc=com" form instead of "cn=%s,dc=example,dc=com"
http://phpldapadmin.sourceforge.net/wiki/index.php/Templates#Template_Header_Configuration
Use the modify DN LDAP request (in this case using the legacy OpenLDAP ldapmodify tool):
The uid attribute may need to be added:
ldapmodify -h host -p port -D bind-dn -w password <<!
dn: cn=Luigi Rossi,ou=people,dc=prisma,dc=local
changetype: modify
add: uid
uid: lrossi
!
ldapmodify -h host -p port -D bind-dn -w password <<!
dn: cn=Luigi Rossi,ou=people,dc=prisma,dc=local
changetype: moddn
newrdn: uid=lrossi
deleteoldrdn: 1
!
see also
LDAP: modify DN
How to do this per object (not changing the format globally) in phpLDAPadmin:
click on the object in the hierarchy on the left to show up on the right
the title of the object is shown as: cn=Luigi Rossi
the subtitle just below contains "Distinguished Name: cn=Luigi Rossi,ou=people,dc=prisma,dc=local"
now click on "Rename" link just 4 lines below
change value "cn=Luigi Rossi" to "uid=lrossi"
that's it.
Worth mentioning is the ldapmodrdn tool, which e.g. in Debian is part of the ldap-utils package. It can read in a simple file where the first line is the old CN as a DN, and the second line is the new CN as an RDN. If there are many users to change, they can all be included in the same file, separated with empty lines.
With that tool it's quite easy to process all the existing accounts and change their DNs.
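As an added example that is not part of any of the answers above, the following Python models what the modrdn request (whether sent with ldapmodify or ldapmodrdn) does to an entry. It also shows the consequence of deleteoldrdn: 1 that the answers do not spell out: the old RDN value cn: Luigi Rossi is removed from the entry, and since cn is a MUST attribute of inetOrgPerson and posixAccount, slapd rejects the rename with an object class violation when that was the entry's only cn value. The MUST table is trimmed to the object classes relevant here, and the sample entry is constructed.

```python
# Minimal model of an LDAP Modify DN (LDIF 'changetype: modrdn' / 'moddn') on an in-memory
# entry.  MUST lists are trimmed to the object classes a posixAccount user here would have.
MUST = {"person": {"cn", "sn"}, "inetorgperson": {"cn", "sn"},
        "posixaccount": {"cn", "uid", "uidNumber", "gidNumber", "homeDirectory"}}

def split_rdn(rdn):
    """'uid=lrossi' -> ('uid', 'lrossi'); rejects a full DN, the mistake of passing
    'uid=lrossi,ou=people,...' as newrdn (escaped commas in values are not handled)."""
    attr, sep, value = rdn.partition("=")
    if not sep or not attr.strip() or not value.strip() or "," in value:
        raise ValueError(f"newrdn must be a single RDN such as uid=lrossi, got {rdn!r}")
    return attr.strip(), value.strip()

def modrdn(entry, newrdn, deleteoldrdn):
    """Return a renamed copy of entry ({'dn': str, 'attrs': {name: [values]}}) or raise
    as slapd would.  Attribute names are assumed to be in canonical case."""
    old_rdn, parent = entry["dn"].split(",", 1)
    old_attr, old_val = split_rdn(old_rdn)
    new_attr, new_val = split_rdn(newrdn)
    attrs = {k: list(v) for k, v in entry["attrs"].items()}
    if new_val not in attrs.setdefault(new_attr, []):
        attrs[new_attr].append(new_val)        # the server adds the new RDN value itself
    if deleteoldrdn:                           # deleteoldrdn: 1 strips the old RDN value
        attrs[old_attr] = [v for v in attrs[old_attr] if v != old_val]
    for oc in attrs.get("objectClass", []):    # schema check after the change
        for must in MUST.get(oc.lower(), ()):
            if not attrs.get(must):
                raise ValueError(f"object class violation: {oc} requires {must} (65)")
    return {"dn": f"{newrdn},{parent}", "attrs": attrs}

def check_rename(entry, newrdn, deleteoldrdn):
    """Dry run: None if the rename would go through, otherwise the expected complaint."""
    try:
        modrdn(entry, newrdn, deleteoldrdn)
        return None
    except ValueError as err:
        return str(err)

def modrdn_ldif(dn, newrdn, deleteoldrdn):
    """The LDIF for ldapmodify; newrdn is validated as a bare RDN first."""
    split_rdn(newrdn)
    return f"dn: {dn}\nchangetype: modrdn\nnewrdn: {newrdn}\ndeleteoldrdn: {int(deleteoldrdn)}\n"

# Constructed sample entry in the DN format the question describes.
LUIGI = {"dn": "cn=Luigi Rossi,ou=people,dc=prisma,dc=local",
         "attrs": {"objectClass": ["inetOrgPerson", "posixAccount"], "cn": ["Luigi Rossi"],
                   "sn": ["Rossi"], "uid": ["lrossi"], "uidNumber": ["10001"],
                   "gidNumber": ["10001"], "homeDirectory": ["/home/lrossi"]}}
```

For this entry `check_rename(LUIGI, "uid=lrossi", True)` reports the cn violation while `deleteoldrdn` 0 succeeds and keeps cn: Luigi Rossi as an ordinary attribute value.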