Openldap goals and lessons learned:

Title: Openldap goals and lessons learned:
Author: Douglas O’Leary
Description: Miscellaneous lessons learned regarding ldap
Date created: 10/19/2013
Date updated: 05/23/2014
Disclaimer: Standard: Use the information that follows at your own risk. If you screw up a system, don’t blame it on me...

Lessons learned:

  • posixGroup vs groupOfNames: Short version, both of these object classes are structural, so they can’t be used in the same group entry... by default. The issue is that posixGroup is required for Linux use but groupOfNames is required for PAM-based access restrictions. The answer is to use the rfc2307bis schema in the directory, which defines posixGroup as an auxiliary class. There’ll be a much longer version of this entry in due course.

  • Line length on ldapsearch wraps lines at 79 characters w/o an option to make it stop. To avoid it:

    ldapsearch ... | perl -00pe 's/\n //g' | \
    perl -ne 'print unless (m{^$})'
  • Initial access to directory - something that’s confused the hell out of me:

    • via SASL
    • Right answer in the installation guide. Short version: jumpstart the slapd.d with /usr/share/openldap-servers/slapd.conf.obsolete. Edit it, then slaptest it into the slapd.d directory.
  • Despite cautions to the contrary, the schema files under /etc/openldap/slapd.d can be edited; but, as indicated, you have to be very careful.

  • The slapd.conf.bak file that’s often referenced, under rhel6, is /usr/share/openldap-servers/slapd.conf.obsolete

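  • ldap_tls_reqcert = allow in /etc/sssd/sssd.conf lets sssd accept server certificates that the client can’t validate (a self-signed certificate, for example). The session is still encrypted, but the server’s identity is not verified.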

  • ldap related files and their uses:

    File/dir                     Purpose
    /etc/openldap/ldap.conf      Client configuration
    /etc/sysconfig/ldap          ldap daemon configuration
    /etc/sysconfig/authconfig    Python script which configures authentication based on CLI args. Updates all required files.
    /etc/openldap/slapd.d        New format configuration directory
    /etc/sssd/sssd.conf          Conf file for system security services daemon; rhel6 authentication
    /etc/nslcd.conf              Conf file for ldap name service daemon; nss-pam-ldapd/legacy auth

  • LDIF to update ACLs is incredibly twitchy:

    • Create access.ldif:

      ## BDB access control list
      dn: olcDatabase={2}bdb,cn=config
      changetype: modify
      add: olcAccess
      olcAccess: {0}to attrs=userpassword,shadowlastchange by self write by anonymous auth by * none
      olcAccess: {1}to * by self write by  * read
    • Apply it:

      # ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/working/ldap/access.ldif
      SASL/EXTERNAL authentication started
      SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
      SASL SSF: 0
      modifying entry "olcDatabase={2}bdb,cn=config"
    • To delete, use:

      ## BDB access control list
      dn: olcDatabase={2}bdb,cn=config
      changetype: modify
      delete: olcAccess
      olcAccess: {0}

    After hours of messing around with it, I finally found the syntax error when I was adding it. I never did find out what was wrong with the delete. The version above is copy/pasted from a Google search. As far as I could tell, it looks exactly like what I had; however, the one above works and my original one didn’t.... Go figure.

  • TLS: host provided in the URI must match the CN used in the certificate. If it doesn’t, you’ll get bind errors:

    ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

    Use ldapsearch -d 5 -LLL ... to help identify the cause.

  • authconfig explained:

    authconfig --enableldap --enableldapauth \
        --ldapserver=ldaps:// \
        --ldapbasedn="dc=oci,dc=com" --enablemkhomedir \
        --ldaploadcacert=  --update
    • enableldap, enableldapauth, ldapbasedn are self-explanatory
    • ldapserver must match the CN used in the signed cert. If it doesn’t, you’ll get bind errors.
    • enablemkhomedir adds the appropriate entry to /etc/pam.d/system-auth to automatically create home directories upon access. Verify proper settings.
    • ldaploadcacert defines the URL from which to get the Certificate Authority’s (not the ldap server’s) public key. It will use the proper commands so that tls_cacertdir entries are honored.
  • Identify if an account is locked (assuming everything is set up correctly):

    # ldapsearch -LLLxD cn=admin,dc=oci,dc=com -w "${pwd}" \
        -b dc=oci,dc=com uid=aaaa pwdaccountlockedtime
    dn: uid=aaaa,ou=users,dc=oci,dc=com
    pwdAccountLockedTime: 20140118190653Z

    Note: the pwdAccountLockedTime entry does not show up in the normal uid display:

    ldapsearch -LLLxD cn=admin,dc=oci,dc=com -w "${pwd}" \
        -b dc=oci,dc=com uid=aaaa
    dn: uid=aaaa,ou=users,dc=oci,dc=com
    cn: aaaa
    gecos: aaaa test user
    objectClass: top
    objectClass: account
    objectClass: posixAccount
    objectClass: shadowAccount
    shadowMin: 0
    shadowMax: 90
    shadowWarning: 7
    loginShell: /bin/bash
    uidNumber: 604
    gidNumber: 614
    homeDirectory: /home/aaaa
    uid: aaaa
    userPassword:: [[snipped]]
  • Eventually, there will be an ldapsearch ll entry on its own, but in the meantime, in order to get rid of the folded lines on col 78 of openldap ldapsearch, you can do the following:

    # -0040 makes perl read space-terminated records, so every fold ("\n ") ends a record
    ldapsearch -xLLLD "${dn}" -w "${pwd}" -b "${base}" ${filter} ${attrs} | \
        perl -p -0040 -e 's/\n //g'

    Short version: that searches for newlines followed by a space (ldif continuation) and removes them. Nice! Thank you, Dave Horsfall of Australia for posting that on on/about 03/11/2003. You’d think openldap would have an option for no line wrap by now...
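
The two ldapsearch notes above (folded lines and the lockout check) combined into one added example, which is not code from the original page: it unfolds LDIF the same way the perl one-liners do, then reports lockout state from pwdAccountLockedTime, an operational attribute that is only returned when asked for by name. The sample output, the function names and the lockout_duration parameter (standing in for the policy's pwdLockoutDuration) are constructed for illustration, and timestamps are assumed to be in the whole-second form shown above.

```python
import base64
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of `ldapsearch -LLL` output (not from a real directory).
SAMPLE = """\
dn: uid=aaaa,ou=users,dc=oci,dc=com
pwdAccountLockedTime: 20140118190653Z

dn: uid=bbbb,ou=contractors,ou=a-deliberately-long-organizational-unit,dc=oci,d
 c=com
pwdAccountLockedTime: 000001010000Z

dn: uid=cccc,ou=users,dc=oci,dc=com
"""


def unfold(ldif):
    """Join LDIF continuation lines (a newline followed by one space)."""
    return re.sub(r"\r?\n ", "", ldif)


def parse(ldif):
    """Return one {lowercased attribute: [values]} dict per entry."""
    entries = []
    for block in filter(None, re.split(r"\n\s*\n", unfold(ldif).strip())):
        entry = {}
        for line in block.splitlines():
            attr, sep, value = line.partition(":")
            if not sep or line.startswith("#"):
                continue
            if value.startswith(":"):  # "attr:: ..." marks a base64 value
                value = base64.b64decode(value[1:]).decode("utf-8", "replace")
            entry.setdefault(attr.lower(), []).append(value.strip())
        entries.append(entry)
    return entries


def lock_state(entry, now, lockout_duration=0):
    """lockout_duration: pwdLockoutDuration in seconds (0 = never expires)."""
    stamp = entry.get("pwdaccountlockedtime", [None])[0]
    if stamp is None:
        return "not locked"
    if stamp == "000001010000Z" or lockout_duration == 0:  # permanent lock
        return "locked"
    locked_at = datetime.strptime(stamp, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    expires = locked_at + timedelta(seconds=lockout_duration)
    return "locked" if now < expires else "lock expired"
```

Without the unfold step, the second entry's DN would be read as ending in `dc=oci,d`, which is the practical reason to strip the folds before any scripted processing.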

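The hostname rule from the TLS and authconfig notes above, as an added example (not from the original page and not OpenLDAP's own matching code): it compares the host in an LDAP URI with the names in a certificate dict of the shape returned by Python's ssl.SSLSocket.getpeercert(). Checking subjectAltName DNS entries as well as the CN goes beyond the CN rule stated above; the sample certificate and all function names are constructed for illustration, and IP-address SAN entries are not handled.

```python
from urllib.parse import urlsplit

# Constructed certificate in the dict layout that Python's
# ssl.SSLSocket.getpeercert() returns; every name is a placeholder.
SAMPLE_CERT = {
    "subject": ((("commonName", "ldap.example.com"),),),
    "subjectAltName": (("DNS", "ldap.example.com"), ("DNS", "*.dir.example.com")),
}


def cert_names(cert):
    """DNS names the certificate carries: subjectAltName entries plus the CN."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    names += [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return sorted(set(n.lower() for n in names))


def name_matches(pattern, host):
    """Exact label-by-label match; '*' may replace only the whole first label."""
    p, h = pattern.lower().split("."), host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def check_uri(uri, cert):
    """Return (ok, reason) for the host part of an ldap:// or ldaps:// URI."""
    host = urlsplit(uri).hostname
    if not host:
        return False, "no host in URI"
    names = cert_names(cert)
    if any(name_matches(n, host) for n in names):
        return True, f"{host} matches the certificate"
    return False, f"{host} is not among the certificate names {names}"
```

A short hostname or a bare IP address in the URI fails this check even when it reaches the right server, which is the usual cause of the bind error shown above.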

LDAP: lightweight directory access protocol.
DIT: directory information tree.
LDIF: LDAP directory interchange format.
SASL: Simple Authentication and Security Layer.