Before reading this post, you should read How to configure LDAP server and client configuration (click here).
Lost LDAP Manager Password
·
· The manager password can be reset at any time by the root user with the slappasswd command. Take the {SSHA} hash that slappasswd prints and replace the value of the rootpw directive in /etc/openldap/slapd.conf with it, then restart LDAP (service ldap restart).
Problems and errors when using ldapadd
·
· Check the LDIF file. Then check it again: LDAP is extremely strict about the format of LDIF files. A COMPLETELY BLANK, EMPTY line must separate entries; a line that looks blank but contains whitespace (a tab or a space) will cause LDAP to throw an error.
·
· Some typical errors that usually indicate something is incorrect in the LDIF entries are:
ldap_add: Undefined attribute type (17)
        additional info: dn: attribute type undefined
ldap_add: No such object (32)
        additional info: parent does not exist
ldap_add: Constraint violation
        additional info: shadowLastChange: multiple value provided
Server is unwilling to perform
·
· Check the LDIF file in question to make sure the dc entries match the suffix specified in /etc/openldap/slapd.conf.
· For example, suppose I specified suffix "dc=example,dc=org" in my /etc/openldap/slapd.conf file and was working with an LDIF file that had dn: dc=example,dc=com in it. These two entries don't match, and the LDAP server would not know what to make of dc=example,dc=com, hence the error:
ldap_add: Server is unwilling to perform (53)
        additional info: no global superior knowledge
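The checks described in this section (a completely empty line between entries, every dn under the configured suffix, parents present before their children, single-valued attributes such as shadowLastChange given only once) can be run over an LDIF file before calling ldapadd. The following Python checker is an added example, not code from the original post: the SUFFIX value stands in for the suffix directive in slapd.conf, the SINGLE_VALUED set and the sample LDIF are constructed assumptions, and the messages quote the ldapadd errors listed above so the reader can map each finding back to them.

```python
import re

# Assumptions, not values from the post: SUFFIX stands in for the suffix directive in
# /etc/openldap/slapd.conf; SINGLE_VALUED lists attributes the standard schemas define as
# single-valued (shadowLastChange is the one the post mentions).
SUFFIX = "dc=example,dc=org"
SINGLE_VALUED = {"shadowlastchange", "uidnumber", "gidnumber", "homedirectory"}

# "name: value" or "name:: base64value"; attribute options such as ";binary" are allowed.
ATTR_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*(?:;[A-Za-z0-9-]+)*):{1,2}[ ]?(.*)$")


def normalize_dn(dn):
    """Lower-case a DN and strip spaces around RDN separators so suffixes compare reliably."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parent_dn(dn):
    """Drop the leftmost RDN: 'ou=people,dc=example,dc=org' -> 'dc=example,dc=org'."""
    parts = dn.split(",", 1)
    return parts[1] if len(parts) == 2 else ""


def split_entries(text):
    """Split LDIF text into (first_line_number, lines) entries.

    Whitespace-only lines are reported because ldapadd does not accept them as
    separators; they are then treated as the separator the author meant so the
    remaining checks still run. Folded lines (leading space) are joined to the
    previous line as RFC 2849 requires.
    """
    problems, entries, current, start = [], [], [], None
    for n, line in enumerate(text.split("\n"), 1):
        if line.strip() == "":
            if line != "":
                problems.append(f"line {n}: whitespace-only line; entry separators must be completely empty")
            if current:
                entries.append((start, current))
                current = []
            continue
        if line.startswith("#"):
            continue
        if line.startswith(" ") and current:
            current[-1] += line[1:]
            continue
        if not current:
            start = n
        current.append(line)
    if current:
        entries.append((start, current))
    return entries, problems


def check_ldif(text, suffix=SUFFIX):
    """Return the list of problems that would make ldapadd reject the LDIF text."""
    entries, problems = split_entries(text)
    nsuffix = normalize_dn(suffix)
    seen = {nsuffix}  # the suffix entry itself normally already exists in the database
    for start, lines in entries:
        m = ATTR_RE.match(lines[0])
        if not m or m.group(1).lower() != "dn":
            problems.append(f"line {start}: entry must begin with a dn: line")
            continue
        dn = normalize_dn(m.group(2))
        if dn != nsuffix and not dn.endswith("," + nsuffix):
            problems.append(f"line {start}: dn '{m.group(2)}' is outside suffix '{suffix}' "
                            "(Server is unwilling to perform: no global superior knowledge)")
        elif dn != nsuffix and parent_dn(dn) not in seen:
            problems.append(f"line {start}: parent of '{m.group(2)}' is not defined earlier in this file "
                            "(No such object: parent does not exist, unless it is already in the directory)")
        seen.add(dn)
        counts = {}
        for attr_line in lines[1:]:
            am = ATTR_RE.match(attr_line)
            if not am:
                problems.append(f"entry at line {start}: malformed attribute line {attr_line!r}")
                continue
            name = am.group(1).lower()
            counts[name] = counts.get(name, 0) + 1
        for name, count in counts.items():
            if name in SINGLE_VALUED and count > 1:
                problems.append(f"entry at line {start}: {name} given {count} times but is single-valued "
                                "(Constraint violation: multiple value provided)")
    return problems


# Constructed sample LDIF; the "\t" line looks blank but is not, exactly the trap the post warns about.
SAMPLE_LDIF = """dn: dc=example,dc=org
objectClass: dcObject
dc: example

dn: ou=People,dc=example,dc=org
objectClass: organizationalUnit
ou: People
\t
dn: uid=baskar,ou=People,dc=example,dc=com
objectClass: posixAccount
shadowLastChange: 10000
shadowLastChange: 10001

dn: cn=admins,ou=Groups,dc=example,dc=org
cn: admins
"""

if __name__ == "__main__":
    for problem in check_ldif(SAMPLE_LDIF):
        print(problem)
```

The checker cannot know which attribute types the server's schema defines, so "Undefined attribute type (17)" is only caught as far as a line is syntactically not an attribute at all; the other three errors from the list above are reproduced on the sample file.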
Enable Logging
·
· Edit /etc/syslog.conf and add the line:
# ldap logging
local4.*	/var/log/ldap
· Edit /etc/openldap/slapd.conf and add the line below. It creates extensive output and should only be used while actively troubleshooting:
loglevel -1
· Restart syslog and ldap.
Use tethereal
·
· This command prints the traffic from the source host NAME to either the ldap (389) or the ldaps (636) port. The capture filter is grouped left to right, so the two port alternatives must be parenthesised (otherwise ldaps traffic from any host would match as well), and the expression is quoted so the shell leaves the parentheses alone:
# tethereal 'src host NAME and (port ldap or port ldaps)'
Check ACLs
·
· OpenLDAP has many mechanisms for allowing and restricting access to the parts of the database. Ensure that the ACLs in /etc/openldap/slapd.conf are set up correctly. For TLS/SSL, ensure the proper permission for accessing the password exists. For example:
access to attr=userPassword
        by self write
        by users read
        by anonymous auth
Note that by users read lets every authenticated user read the password hashes of all entries; since by anonymous auth already allows binds, tighten it to by users auth (or drop it) unless clients genuinely need to read the hashes.
Copy CA certificate to clients for TLS/SSL
·
· The CA certificate file (if self-signed or not recognized as a root authority) must be copied to the client host so that it trusts the authority explicitly.
· Edit /etc/openldap/ldap.conf:
URI ldap://baskar.example.org
BASE dc=example,dc=org
TLS_CACERT /path/to/certificate/file.pem
· Edit /etc/ldap.conf for NSS_LDAP authentication:
host baskar.example.org
ssl start_tls
password md