
Re: LDAP-UX client

 
Sak
Occasional Advisor

LDAP-UX client

Hi,

I created an LDAP server on Linux RHEL4 using openldap-2.3.32; the slapd.conf is as follows.

#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/corba.schema
include /usr/local/etc/openldap/schema/java.schema
include /usr/local/etc/openldap/schema/misc.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/openldap.schema
# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

pidfile /usr/local/var/run/slapd.pid
argsfile /usr/local/var/run/slapd.args

# Load dynamic backend modules:
# modulepath /usr/local/libexec/openldap
# moduleload back_bdb.la
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la

# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# BDB database definitions
#######################################################################

database bdb
suffix "dc=stooges,dc=com"
rootdn "cn=StoogeAdmin,dc=stooges,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw {SSHA}P0J4pU+ZlF7V3U3bi66pnFLOPVGOR0n+
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /usr/local/var/openldap-data
defaultaccess read
schemacheck on
lastmod on
# Indices to maintain
index cn,sn,st eq,sub

access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
access to *
    by * read

##############################################

I installed the LDAP-UX Client on HP-UX 11i and followed the Quick Configuration steps in LDAP-UX Client Configuration.
When I saw the following message, I pressed Enter:

Would you like to extend the schema in this directory server? [Yes]:

When I saw the following message, I entered the password configured in slapd.conf on the LDAP server.

Enter the distinguished name (DN) of the directory user allowed
to extend the schema.

To accept the default shown in brackets, press the Return key.

User DN [cn=Directory Manager]: cn=StoogeAdmin,dc=stooges,dc=com

Password:

Then I got the following error.

PFMERR 43: Can't extend LDAP-UX Configuration profile schema on the Directory Server
nis.tha.hp.com = 16.151.232.191
with user cn=StoogeAdmin,dc=stooges,dc=com
Please check the /tmp/ldapux_schema.log file for errors.

I checked the error log in the /tmp/ldapux_schema.log file, and it shows the following message.

ldap_modify: Invalid syntax
ldap_modify: additional info: objectclasses: value #0 invalid per syntax
modifying entry cn=Subschema

How should I configure the LDAP client?
Did I do something wrong?
If so, please guide me on how to fix it.

Thank you and Best Regards,

Somsak
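The slapd.conf quoted above ends with two access directives and a block of comments describing the intended policy. The Python script below is an added example (not part of the post, of LDAP-UX or of OpenLDAP) that models the first-match rule slapd.access(5) describes for exactly the clause forms used in that file, so you can read off what an anonymous bind, a user acting on its own entry, another user, and the rootdn are granted on userPassword versus every other attribute. The requester DNs (alice, bob) are constructed; the ACL text and rootdn are copied from the posted configuration. It handles only `attrs=...`/`*` and `self`/`anonymous`/`users`/`*`, so it is a reading aid, not a substitute for slapacl(8).

```python
"""Minimal model of slapd 'access to' evaluation for the posted ACLs.

Added example for this thread; not part of the original post or of OpenLDAP.
Rule modelled (slapd.access(5)): the first 'access to <what>' clause covering
the target is selected; within it, the first matching 'by <who>' clause sets
the level. Only the forms used in the posted slapd.conf are supported.
"""

# Access levels in increasing order of privilege (OpenLDAP 2.3).
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# ACL text copied from the slapd.conf posted in the question.
POSTED_ACLS = """
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
access to *
    by * read
"""

# rootdn from the posted configuration; the file's own comment notes it bypasses ACLs.
ROOTDN = "cn=StoogeAdmin,dc=stooges,dc=com"


def parse_acls(text):
    """Return [(what, [(who, level), ...]), ...] in file order."""
    tokens = text.split()
    clauses = []
    i = 0
    while i < len(tokens):
        if tokens[i] == "access" and i + 2 < len(tokens) and tokens[i + 1] == "to":
            clauses.append((tokens[i + 2], []))
            i += 3
        elif tokens[i] == "by" and clauses and i + 2 < len(tokens):
            clauses[-1][1].append((tokens[i + 1], tokens[i + 2]))
            i += 3
        else:
            raise ValueError("unsupported token %r at position %d" % (tokens[i], i))
    return clauses


def _norm_dn(dn):
    """Case-fold and strip whitespace around RDNs so DNs compare reliably."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def _what_matches(what, attr):
    if what == "*":
        return True
    if what.startswith("attrs="):
        wanted = [a.strip().lower() for a in what[len("attrs="):].split(",")]
        return attr.lower() in wanted
    raise ValueError("unsupported <what>: %r" % what)


def _who_matches(who, requester, entry_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if who == "self":
        return requester is not None and _norm_dn(requester) == _norm_dn(entry_dn)
    raise ValueError("unsupported <who>: %r" % who)


def evaluate(clauses, requester, entry_dn, attr, rootdn=None):
    """Level granted to `requester` (None = anonymous) on `attr` of `entry_dn`."""
    if rootdn and requester and _norm_dn(requester) == _norm_dn(rootdn):
        return "write"  # rootdn can always read and write everything
    for what, by_clauses in clauses:
        if not _what_matches(what, attr):
            continue
        for who, level in by_clauses:
            if _who_matches(who, requester, entry_dn):
                return level
        return "none"  # clause matched but no 'by' did: implicit 'by * none'
    return "none"  # no clause matched; once ACLs exist the default is deny


def permits(clauses, requester, entry_dn, attr, needed, rootdn=None):
    """True if the granted level is at least `needed`."""
    granted = evaluate(clauses, requester, entry_dn, attr, rootdn)
    return LEVELS.index(granted) >= LEVELS.index(needed)


if __name__ == "__main__":
    acls = parse_acls(POSTED_ACLS)
    alice = "uid=alice,ou=People,dc=stooges,dc=com"  # constructed sample DN
    bob = "uid=bob,ou=People,dc=stooges,dc=com"      # constructed sample DN
    for who, label in ((None, "anonymous"), (alice, "alice (self)"), (bob, "bob")):
        print("%-13s userPassword -> %-5s  cn -> %s" % (
            label, evaluate(acls, who, alice, "userPassword"), evaluate(acls, who, alice, "cn")))
```

Run it and the output shows the point of the posted ACL: anonymous gets `auth` on userPassword (enough to bind, not enough to read the hash), a user gets `write` only on its own userPassword, everyone else gets `none` there, and `read` everywhere else. If the `access to *` clause were placed first, the userPassword clause would never be reached, which is the ordering mistake this kind of check is meant to catch.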
Joshua M. Miller
Frequent Advisor

Re: LDAP-UX client

I don't know if you have fixed this issue yet, but I'm working through it and have been able to get past this point by creating the schema manually that this operation is attempting to create.

Download this schema and include it in your slapd.conf:
http://sapiens.wustl.edu/~sysmain/info/openldap/schemas/DUAConfig.schema

Also, model the following LDIF and import it:

dn: cn=uxprofile,ou=Profiles,dc=example,dc=com
cn: uxprofile
objectClass: DUAConfigProfile
defaultserverlist:
defaultsearchbase: dc=example,dc=com
defaultSearchScope: one
servicesearchdescriptor: passwd:OU=People,DC=example,DC=com
servicesearchdescriptor: group:OU=People,DC=example,DC=com
profilettl: 3600
credentiallevel: anonymous

...and that should get you beyond the point you refer to above.

I am able to get through the setup and have the client download the profile. The client then works if I don't use SSL/TLS, but as soon as I enable SSL/TLS it breaks.

Btw, I'm using OpenLDAP 2.3.34 and LDAP-UX 4.10.
Joshua M. Miller
Frequent Advisor

Re: LDAP-UX client

I have at least one error in my above post. The LDIF should have the following line for the group search:

servicesearchdescriptor: group:OU=Group,DC=example,DC=com
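The two replies above hand-write a DUAConfigProfile entry and then correct one search base in it. Since an LDIF that slapadd or ldapadd accepts syntactically can still carry a misspelled attribute, a bad scope keyword or a malformed search descriptor that the client only notices later, the Python script below is an added example (not part of the replies, of LDAP-UX or of OpenLDAP) that checks such an entry before import against the DUAConfigProfile definition in RFC 4876. The embedded LDIF is the one from the replies with the group line as corrected in the follow-up; it parses only the plain `attr: value` subset of LDIF (no base64, URL or continuation lines).

```python
"""Pre-import checks for a DUAConfigProfile LDIF entry.

Added example for this thread; not part of the replies, of LDAP-UX or of
OpenLDAP. Parses one LDIF entry (RFC 2849 subset: 'attr: value' lines only)
and checks it against RFC 4876: known attribute names, base/one/sub scopes,
credentialLevel values, an integer profileTTL and the
serviceId:base[?scope[?filter]][;...] shape of serviceSearchDescriptor.
"""
import re

# LDIF from the reply above, with the group search base as corrected in the follow-up.
POSTED_LDIF = """\
dn: cn=uxprofile,ou=Profiles,dc=example,dc=com
cn: uxprofile
objectClass: DUAConfigProfile
defaultserverlist:
defaultsearchbase: dc=example,dc=com
defaultSearchScope: one
servicesearchdescriptor: passwd:OU=People,DC=example,DC=com
servicesearchdescriptor: group:OU=Group,DC=example,DC=com
profilettl: 3600
credentiallevel: anonymous
"""

# Attribute types of the DUAConfigProfile object class (RFC 4876), lower-cased.
PROFILE_ATTRS = {
    "cn", "objectclass", "defaultserverlist", "preferredserverlist",
    "defaultsearchbase", "defaultsearchscope", "searchtimelimit",
    "bindtimelimit", "followreferrals", "dereferencealiases",
    "authenticationmethod", "profilettl", "credentiallevel",
    "servicesearchdescriptor", "serviceauthenticationmethod",
    "servicecredentiallevel", "objectclassmap", "attributemap",
}
SCOPES = {"base", "one", "sub"}
CRED_LEVELS = {"anonymous", "proxy", "self"}
_SSD = re.compile(r"^([A-Za-z][A-Za-z0-9_-]*):(.*)$")  # serviceId ':' descriptor list


def parse_ldif_entry(text):
    """Return {attr_lower: [values]} for a single plain-text LDIF entry."""
    entry = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError("line %d: expected 'attr: value'" % lineno)
        attr, _, value = line.partition(":")
        if value[:1] in ("<", ":"):
            raise ValueError("line %d: base64/URL values not handled" % lineno)
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def check_ssd(value):
    """Problems with one serviceSearchDescriptor value; [] if it is well-formed."""
    m = _SSD.match(value)
    if not m:
        return ["serviceSearchDescriptor %r: expected serviceId:base[?scope[?filter]]" % value]
    problems = []
    for desc in m.group(2).split(";"):  # several descriptors may be ';'-separated
        parts = desc.split("?")         # base ? scope ? filter
        if len(parts) > 3:
            problems.append("serviceSearchDescriptor %r: too many '?' fields" % value)
        if len(parts) >= 2 and parts[1] and parts[1].lower() not in SCOPES:
            problems.append("serviceSearchDescriptor %r: scope %r is not base/one/sub" % (value, parts[1]))
    return problems


def validate_profile(entry):
    """Return a list of problem strings; an empty list means nothing was flagged."""
    problems = []
    if "dn" not in entry:
        problems.append("missing dn")
    if "duaconfigprofile" not in [v.lower() for v in entry.get("objectclass", [])]:
        problems.append("objectClass DUAConfigProfile missing")
    if not entry.get("cn"):
        problems.append("cn is required (MUST) by DUAConfigProfile")
    for attr, values in entry.items():
        if attr == "dn":
            continue
        if attr not in PROFILE_ATTRS:
            problems.append("%s: not a DUAConfigProfile attribute" % attr)
        for v in values:
            if v == "":
                problems.append("%s: empty value; omit the attribute instead if there is nothing to set" % attr)
    for v in entry.get("defaultsearchscope", []):
        if v.lower() not in SCOPES:
            problems.append("defaultsearchscope: %r is not one of base/one/sub" % v)
    for v in entry.get("credentiallevel", []):
        if v.lower() not in CRED_LEVELS:
            problems.append("credentiallevel: %r is not anonymous/proxy/self" % v)
    for v in entry.get("profilettl", []):
        if not v.isdigit():
            problems.append("profilettl: %r is not a non-negative integer" % v)
    for v in entry.get("servicesearchdescriptor", []):
        problems.extend(check_ssd(v))
    return problems


if __name__ == "__main__":
    for p in validate_profile(parse_ldif_entry(POSTED_LDIF)) or ["no problems found"]:
        print(p)
```

On the posted LDIF the only thing flagged is the empty `defaultserverlist:` line; every attribute in RFC 4876 other than cn is optional, so leaving an attribute out is always safe where an empty value may not be. The checks are deliberately schema-level only: whether the search bases exist and whether the client can bind to them is something to verify against the server afterwards.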