Ubuntu 10.04 Lucid Lynx ldap configuration – the working how-to

Hi there,

Here at work I use Ubuntu 10.04 LTS, and I was trying to configure OpenLDAP.
Yes, there are many how-tos on the internet, but half of them are half-written and not really tested, and most importantly none of them seems to actually work.
I have read about the topic online (the Ubuntu docs too, which do not work) and in many how-tos, and here is the final script for the LDAP configuration on Ubuntu:

First, install the packages:
#apt-get install slapd ldap-utils
Then create a script (e.g. touch script.sh) and put the following in it.
[cc lang="bash"]
#!/bin/sh
# Edit these three values before running: the admin password and the two
# domain components (dc1=example, dc2=com gives the suffix dc=example,dc=com).
passwd=pleaseeditme
dc1=pleaseeditme
dc2=pleaseeditme
# Hash the password once; the {SSHA} hash is what goes into the LDIF files.
hash_pw=$(slappasswd -s "$passwd")
tmpdir=/tmp
#--------------------------------------------------------------#
# Load the extra schemas over the local socket (core is already loaded).
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/misc.ldif
#--------------------------------------------------------------#
# database.ldif
#--------------------------------------------------------------#
cat << EOF > $tmpdir/database.ldif
# Load dynamic backend modules
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}back_hdb

# Create directory database
dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=$dc1,dc=$dc2
olcRootDN: cn=admin,dc=$dc1,dc=$dc2
olcRootPW: $hash_pw
# ACLs: the admin and the entry itself may write userPassword/shadowLastChange,
# anonymous may only use them to bind (auth), nobody else sees them;
# the root DSE and everything else is readable by all.
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=$dc1,dc=$dc2" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=admin,dc=$dc1,dc=$dc2" write by * read
olcLastMod: TRUE
olcDbCheckpoint: 512 30
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcDbIndex: uid pres,eq
olcDbIndex: cn,sn,mail pres,eq,approx,sub
olcDbIndex: objectClass eq
################################
# Modifications
################################

dn: cn=config
changetype: modify

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
delete: olcAccess

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootDN
olcRootDN: cn=admin,cn=config

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: $hash_pw

dn: olcDatabase={0}config,cn=config
changetype: modify
delete: olcAccess
EOF
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f $tmpdir/database.ldif
####################################
# Mini DIT
####################################
cat << EOF > $tmpdir/dit.ldif
# Tree root

dn: dc=$dc1,dc=$dc2
objectClass: dcObject
objectclass: organization
o: $dc1.$dc2
dc: $dc1
description: Tree root

# Populating
dn: cn=admin,dc=$dc1,dc=$dc2
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
userPassword: $hash_pw
description: LDAP administrator

dn: cn=aw,dc=$dc1,dc=$dc2
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: aw
userPassword: $hash_pw
description: LDAP aw

dn: ou=people,dc=$dc1,dc=$dc2
ou: people
objectClass: organizationalUnit
objectClass: top

dn: ou=groups,dc=$dc1,dc=$dc2
ou: groups
objectClass: organizationalUnit
objectClass: top

dn: ou=addressbook,dc=$dc1,dc=$dc2
ou: addressbook
objectClass: top
objectClass: organizationalUnit

#Adding user
dn: uid=ldap1,ou=people,dc=$dc1,dc=$dc2
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: ldap1
sn: Asdasd
givenName: ldap1
cn: ldap1 Asdasd
displayName: ldap1 asdasd
uidNumber: 1002
gidNumber: 1000
userPassword: $hash_pw
gecos: ldap1 asdasd
loginShell: /bin/bash
homeDirectory: /home/ldap1
shadowExpire: -1
shadowFlag: 0
shadowWarning: 7
shadowMin: 8
shadowMax: 999999
shadowLastChange: 10877
mail: aw@$dc1.$dc2
postalCode: 31000
l: Mysity
o: $dc1
mobile: +33 (0)6 22 22 22 22 22
homePhone: +33 (0)5 33 22 33 22
title: System Administrator
postalAddress:
initials: LP
EOF

# The DIT is added through the normal port as the admin; -W prompts for
# the password you set in $passwd above.
sudo ldapadd -x -D cn=admin,dc=$dc1,dc=$dc2 -W -f $tmpdir/dit.ldif
[/cc]

Execute the script with: sh script.sh
If you have problems, want to edit something, etc., use the following script; it will fully remove and reinstall ldap.

[cc lang="bash"]
#!/bin/sh
# Remove slapd and its configuration completely, then reinstall from scratch.
aptitude purge slapd ldap-utils
cat /dev/null > /var/log/debug
# Wipe the old database files and the leftover cn=config tree.
rm /var/lib/ldap/*
rm -rf /etc/ldap
apt-get install slapd ldap-utils
[/cc]

To test that everything is working, try:

[cc lang="bash"]
ldapsearch -D cn=admin,dc=yourhost,dc=yourdomain -W -x -b dc=yourhost,dc=yourdomain
[/cc]
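The three olcAccess rules in database.ldif decide who may read or change what: slapd walks them in {n} order, and within the first rule whose target matches it grants the level of the first by clause whose subject matches, or nothing if none does. The Python model below is an added example, not part of this how-to or of OpenLDAP itself; it parses those three rules with dc1=example and dc2=com substituted (constructed input, no server needed) and reports the level each bind identity gets on the ldap1 entry, which also shows that the first rule hides shadowLastChange, not only userPassword, from every other user.

```python
import re
import shlex

# The three olcAccess rules from database.ldif, with dc1=example and dc2=com
# substituted (constructed sample input; no slapd is contacted).
PAGE_RULES = [
    'olcAccess: {0}to attrs=userPassword,shadowLastChange '
    'by dn="cn=admin,dc=example,dc=com" write by anonymous auth by self write by * none',
    'olcAccess: {1}to dn.base="" by * read',
    'olcAccess: {2}to * by dn="cn=admin,dc=example,dc=com" write by * read',
]

# slapd access levels, weakest to strongest; each level implies the ones below it.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


def norm_dn(dn):
    """Normalise a DN for comparison: lower case, no blanks around commas."""
    if not dn:
        return ""
    return ",".join(part.strip() for part in dn.lower().split(","))


def parse_rule(line):
    """Parse 'olcAccess: {n}to <target> by <who> <level> ...' into its parts."""
    m = re.match(r"olcAccess:\s*\{(\d+)\}(.*)$", line)
    if not m:
        raise ValueError("not an olcAccess line: %r" % line)
    order = int(m.group(1))
    tokens = shlex.split(m.group(2))          # shlex drops the quotes round dn="..."
    if tokens[0] != "to" or "by" not in tokens:
        raise ValueError("rule needs 'to <target> by ...': %r" % line)
    first_by = tokens.index("by")
    target = {"attrs": None, "dn_base": None}  # None means "no restriction"
    for spec in tokens[1:first_by]:
        if spec == "*":
            continue
        key, _, val = spec.partition("=")
        if key == "attrs":
            target["attrs"] = {a.lower() for a in val.split(",")}
        elif key == "dn.base":
            target["dn_base"] = norm_dn(val)
        else:
            raise ValueError("unsupported target clause %r" % spec)
    clauses = []
    rest = tokens[first_by:]                   # triples of 'by', <who>, <level>
    for i in range(0, len(rest), 3):
        triple = rest[i:i + 3]
        if len(triple) != 3 or triple[0] != "by" or triple[2] not in LEVELS:
            raise ValueError("malformed by-clause near %r" % triple)
        clauses.append((triple[1], triple[2]))
    return order, target, clauses


def target_matches(target, entry_dn, attr):
    if target["dn_base"] is not None and norm_dn(entry_dn) != target["dn_base"]:
        return False
    if target["attrs"] is not None and attr.lower() not in target["attrs"]:
        return False
    return True


def who_matches(who, binder_dn, entry_dn):
    b = norm_dn(binder_dn)                     # "" means an anonymous bind
    if who == "*":
        return True
    if who == "anonymous":
        return b == ""
    if who == "users":
        return b != ""
    if who == "self":
        return b != "" and b == norm_dn(entry_dn)
    if who.startswith("dn="):
        return b == norm_dn(who[3:])
    raise ValueError("unsupported subject %r" % who)


def access_level(rules, binder_dn, entry_dn, attr):
    """Level binder_dn gets on attr of entry_dn: first matching rule, then
    first matching by-clause, which is the order slapd evaluates in."""
    parsed = sorted((parse_rule(r) for r in rules), key=lambda p: p[0])
    for _, target, clauses in parsed:
        if not target_matches(target, entry_dn, attr):
            continue
        for who, level in clauses:
            if who_matches(who, binder_dn, entry_dn):
                return level
        return "none"   # target matched but no subject did: slapd stops and denies
    return "none"       # no rule matched; cannot happen here, rule {2} 'to *' catches all


def allows(level, needed):
    """True if a granted level covers an operation that needs `needed`."""
    return LEVELS.index(level) >= LEVELS.index(needed)


if __name__ == "__main__":
    ldap1 = "uid=ldap1,ou=people,dc=example,dc=com"
    other = "uid=bob,ou=people,dc=example,dc=com"   # constructed second user
    admin = "cn=admin,dc=example,dc=com"
    checks = [(None, "userPassword"), (ldap1, "userPassword"), (other, "userPassword"),
              (other, "shadowLastChange"), (admin, "shadowLastChange"), (None, "cn")]
    for binder, attr in checks:
        level = access_level(PAGE_RULES, binder, ldap1, attr)
        print("%-40s %-16s -> %-5s (read? %s)"
              % (binder or "anonymous", attr, level, allows(level, "read")))
```

If you change the ACLs in your own copy of the script, drop them into PAGE_RULES and rerun the checks before trusting the server with real accounts.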

Last words: for management you can use phpldapadmin (it is in the repository).
Then visit it on your localhost:
http://localhost/phpldapadmin and log in.

WARNING

1) Be root when running the script; ldap needs the permissions.
2) Use the rm script before running the ldap script. You have probably tried something else before this, so use the rm script first to clean the way for ldap.

3) Enjoy. And save others the time that was saved for you :) , share it.


76 Responses to “Ubuntu 10.04 Lucid Lynx ldap configuration – the working how-to”

  1. Cameron Goble September 4, 2010 at 12:39 pm #

    Oh my god, THANK YOU.

    I’ve wrestled with this for two days and your script just worked. I’ll pore over it to see where I went wrong, but in the meantime, it’s nice to have my LDAP server up and running at last.

  2. arditi September 4, 2010 at 12:48 pm #


    Cameron Goble:

    Oh my god, THANK YOU.

    I’ve wrestled with this for two days and your script just worked. I’ll pore over it to see where I went wrong, but in the meantime, it’s nice to have my LDAP server up and running at last.

    No problem :)

    Yes indeed, configuring ldap is really difficult, it just complains all the time; I too spent a lot of time trying to make this thing work.
    Anyway, it’s working and it’s the final script; with phpldapadmin you also need to edit the configuration file to make it work.

  3. JetDog September 8, 2010 at 9:48 pm #

    Many thanks!

  4. Vinu September 10, 2010 at 5:56 am #

    Excellent.

    Thanks

  5. arditi September 10, 2010 at 10:56 am #

    Enjoy :)

  6. frank September 22, 2010 at 6:29 pm #

    thanks

  7. osterhansi September 22, 2010 at 8:34 pm #

    Thanx man, this script is great work!

  8. arditi September 23, 2010 at 8:57 am #

    Thank you , Enjoy :)

  9. Eddy Vanderlinden September 29, 2010 at 9:32 am #

    Thanks a lot!!!
    Also I struggled for more than a day with the setup.
    Your scripts (also the remove) helped me out.

  10. zacky October 6, 2010 at 11:14 am #

    Excellent! Many thanks!! It’s a nice work.

  11. arditi October 8, 2010 at 1:37 pm #

    Nice to hear that,

    enjoy

  12. sergiu October 20, 2010 at 3:35 am #

    Hi there,

    man you are the best, after a lot of time , finally, understood how it is working,

    Thank you very much !

  13. Alexandr October 22, 2010 at 8:48 am #

    thanks thanks thanks thanks thanks thanks thanks thanks thanks thanks thanks thanks thanks thanks thanks thanks thanks thanks thanks thanks thanks thanks thanks thanks

  14. Madprops October 28, 2010 at 6:21 am #

    Man, you just saved me so much trouble. The stinking server documentation and ubuntu wiki pages do not work, so I kept digging for answers, fortunately finding your blog. You rock sir, you rock!

  15. arditi October 28, 2010 at 5:57 pm #

    Hello Madprops,

    I’m pleased that my how-to helped you :)
    Nice to know that.

    Regards,

    Arditi

  16. Jabes October 31, 2010 at 1:27 am #

    I’ve been looking all over the place and though your script gets kudos from everyone it just doesn’t work. When the script runs I get to Enter LDAP Password and I enter the password and it returns ldap_bind: Invalid Credentials (49). Fresh install Ubuntu Server 10.04 with all updates and then install slapd and utils. Immediately following that I run your script and it fails as indicated. Any clue…been on this now for 3 weeks and still no LDAP server.

  17. Junke1990 October 31, 2010 at 5:06 pm #

    Same goes for me, many many thanks!

  18. arditi November 1, 2010 at 12:39 am #

    It’s quite unbelievable for me because for so many people (me too) it works.
    Anyway:
    a) Use the Remove script to remove and install
    b) Edit the script (password/dc1/dc2)
    c) Check if you’re typing the right password
    d) Copy and paste the whole script exactly as in the example; you should note that spaces have a high impact when we are talking about ldap ;)


    Jabes:

    I’ve been looking all over the place and though your script gets kudos from everyone it just doesn’t work. When the script runs I get to Enter LDAP Password and I enter the password and it returns ldap_bind: Invalid Credentials (49). Fresh install Ubuntu Server 10.04 with all updates and then install slapd and utils. Immediately following that I run your script and it fails as indicated. Any clue…been on this now for 3 weeks and still no LDAP server.

  19. jabes November 1, 2010 at 8:03 pm #

    Thanks for taking the time to reply to my posting. While using your script I went through it line by line to fit my environment and when the password issue came up I decided to test the idea that I was typing it wrong and entered an insecure password of asdf1234 just to test it and with that it continued to fail which is why I made my first post. Since someone else is having the same issue I think it’s safe to say that LDAP just does not work in Ubuntu which is a HUGE DISAPPOINTMENT considering how fast NIS is falling by the wayside. There is a HUGE need for this in the Ubuntu world and no one knows how to make it work correctly. I have literally followed 143 different links with HOWTOs and NONE of them have worked. Thanks again for your time…I guess I’ll have to abandon Ubuntu – hate to do it but without this working and no way to get it working after 3 weeks – well that just means Ubuntu now blows chunks!!!

    • Alex December 14, 2011 at 4:39 pm #

      Jabes, did you get any luck at any point? I’m stuck in the same problem. Invalid password !!!!

  20. arditi November 1, 2010 at 8:23 pm #

    Well, I first started with openSUSE when I started to use Linux. I don’t know, but… I never liked Ubuntu; yes, it’s simple (to use) etc., but at the same time too complex for me to modify and to be at peace with.
    I use Arch Linux and it’s really good.
    I’m sorry that I cannot help you more with this issue. I’m thinking of opening up a forum and a no-paste service but I have a lot of things to do :(

  21. jabes November 1, 2010 at 10:20 pm #

    No worries and thanks a million for the follow up!! Top notch!!

  22. Wilo November 4, 2010 at 10:17 am #

    Thanks! I didn’t use the script exactly, but the contents taught me what I needed to know to solve the problems I was facing. Everything working perfectly now on Lucid 10.04LTS :)

    • Alex December 14, 2011 at 8:30 pm #

      Wilo, how did you get it working in Ubuntu 10.04? Could you share your configuration?

  23. bruno November 10, 2010 at 5:24 pm #

    Thank you very much – Finally a complete working script -
    Keep on the good work !

  24. jml November 12, 2010 at 4:19 pm #

    Yes, everybody should say thanks for this script, the only one which is working, after hours of attempts!
    I wouldn’t like to abuse, but we would be very interested in your corrected version of the replica configuration, which doesn’t work either when I follow the Ubuntu 10.04 server guide for LDAP. Or if you know where I could find a working script; I spent hours on this problem, and I couldn’t find anything reliable!
    When following the doc strictly I get this error:
    ldapadd -Y EXTERNAL -H ldapi:/// -f provider_sync.ldif
    SASL/EXTERNAL authentication started
    SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    SASL SSF: 0
    modifying entry “olcDatabase={1}hdb,cn=config”
    ldap_modify: Insufficient access (50)

    Thank again

  25. Roal Arji November 22, 2010 at 11:24 am #

    hi
    I have a question, if I want to try this just on my computer, I can just use localhost, replacing
    dc = localhost
    instead of
    dc = example, dc = com
    thank you in advance if someone can answer me this question, or tell me how to solve it
    bye

  26. arditi November 22, 2010 at 8:04 pm #


    Roal Arji:

    hi
    I have a question, if I want to try this just on my computer, I can just use localhost, replacing
    dc = localhost
    instead of
    dc = example, dc = com
    thank you in advance if someone can answer me this question, or tell me how to solve it
    bye

    Quite a simple question to answer :)
    I suggest you try it yourself and see if it is working.
    You will never learn without trying.
    bye

  27. Andy December 8, 2010 at 5:10 am #

    Thank you so much!!!!

  28. Someguy December 21, 2010 at 3:36 am #

    Thanks for this! The guide is superb! It worked perfectly.

    Although the database I am using is an SQL. You wouldn’t happen to know how to configure the LDIF for SQL would you? Just asking.

  29. jabes December 21, 2010 at 8:52 am #

    Can’t thank you enough. Had difficulties the first time I used this guide but a second time and everything worked great! Thanks for your time and effort!! Peace!!

  30. arditi December 23, 2010 at 11:41 am #


    Someguy:

    Thanks for this! The guide is superb! It worked perfectly.

    Although the database I am using is an SQL. You wouldn’t happen to know how to configure the LDIF for SQL would you? Just asking.

    not sure what you mean because LDIF is a standard, but this tool may help you:
    http://lsc-project.org/wiki/

    @jabes
    thank you too buddy :)

  31. Greg December 27, 2010 at 7:08 am #

    After trawling through numerous websites that were simply wrong I found this. Absolute magic! I need more thumbs to hold up to do you justice.

  32. jani December 29, 2010 at 10:03 am #

    Very useful script. Probably saved me a lot of time.
    Thank you.

  33. Qingye Jiang (John) December 29, 2010 at 1:15 pm #

    I just want to say a big thank you for the great work. I have tried numerous tutorials and how-tos before reading yours. I hope Google could do better by putting your blog as the first search result.

  34. arditi December 30, 2010 at 1:57 pm #


    Qingye Jiang (John):

    I just want to say a big thank you for the great work. I have tried numerous tutorials and how-tos before reading yours. I hope Google could do better by putting your blog as the first search result.

    Thank you for commenting , I really enjoyed your paper “Access USB devices from Java applications” published at IBM

  35. Jorge Carlos January 12, 2011 at 5:58 pm #

    Hey guy, you rock! Thanks!

  36. Daniel January 26, 2011 at 3:42 pm #

    man….. got it working !!!!

    tried the ubuntu howto and failed.
    In the beginning I got the Invalid Credentials (49) error, too. But I realised that I forgot to sudo the commands.
    After reinstall all worked fine.

  37. arditi February 9, 2011 at 3:11 pm #

    Thanks for the comments :)

  38. John February 9, 2011 at 10:01 pm #

    Just thought I’d post that the only problem I had with this script (initially, at least — still pending further review) was the “cat / EOF” syntax used to build the two files in /tmp.

    This didn’t work for me until I change the line:

    cat < $tmpdir/database.ldif

    to read:

    cat < $tmpdir/database.ldif

    (note I’m not pointing out the obvious issue with the HTML escape of <, but rather the cat / EOF syntax).

    Otherwise thanks for the extra HOWTO — I also found the Ubuntu 10.04 one to be lacking in clarity and possibly correctness.

    • John February 9, 2011 at 10:06 pm #

      Er, that was supposed to read changing:

      cat &lt; $tmpdir/database.ldif

      to

      cat << EOF > $tmpdir/database.ldif

  39. arditi February 10, 2011 at 9:17 pm #

    Hi John,

    modification applied :)

    I hate WordPress for the HTML escape errors :/

  40. MSS Lasers Ltd February 13, 2011 at 8:10 am #

    Funny, reading these comments. And it’s quite long. I’ve followed this link from an Ubuntu forum — the one that’s hit page one of Google, even now. So this is a big deal in Ubuntu and other distros.

    I managed to install openldap successfully in DEBIAN “Lenny” — why has nobody thought of using Debian — I mean, openLDAP is a server and Debian is by far the most stable distro when it comes to servers (my opinion). Granted, a little behind current versions, but I don’t think openLDAP has changed that much. My reference is a book by Carla Schroeder, Linux Networking Cookbook, 2007.

    So if you have spare computers or you can run virtual machines, I suggest you try Debian, of which Ubuntu is a derivative, for installing and testing servers.

    Thanks for this how-to, though. Had to install openldap on an Ubuntu computer for testing and this should shave off some time troubleshooting the install process.

    Thanks!

  41. sagan February 13, 2011 at 8:45 am #

    Thanks for this script. Just wondering if we can incorporate TLS.

    Cheers

  42. arditi February 15, 2011 at 5:38 pm #

    @MSS Lasers

    yes I like Debian, it’s great for servers and I like Debian philosophy , but currently I’m using arch linux, it’s just THE operating system.

    From time to time you guys can suggest modifications etc. I’m happy that my script helped a lot of people, most of them afraid to make a comment (joking :) ).

    Thanks all.

  43. WizardFan March 13, 2011 at 11:39 am #

    Hi wizard,

    Thanks for the great script! I’ve adapted it some to include the installation step, add some more progress info and avoid the hardcoded password. Please see below:
    [cc lang="BASH"]
    #!/bin/sh
    #Script to install slapd/openldap on Ubuntu/Debian Squeeze
    # run as root. No sudo used as this must run on stock Debian, too
    # Improvements/changes from Albanian Wizard’s original:
    # http://albanianwizard.org/ubuntu-10-0-4-lucid-lynx-ldap-configuration-the-working-how-to.albanianwizard
    # – No longer uses sudo so it can run on stock Debians, too
    # – This script will try to import duplicate values in schemas and users
    # so we use ldapadd -c to continue on errors.
    # – Password not hardcoded
    # – Some progress messages
    # – Password no longer asked when adding DIT
    # – No longer insert an aw user in the root of the tree.
    # – Test of LDAP contents, thanks Jack:
    #passwd=somehardcodedpassword
    echo "Give the LDAP Administrator password (for now we use the same for all LDAP users config)"
    echo "Warning: the password will be shown on-screen. Also, don't use spaces in the password"
    read passwd
    echo "Enter the password again:"
    read passwdcheck
    if test "$passwd" != "$passwdcheck"
    then
    echo "Passwords don't match. Aborting."
    exit 13
    fi
    #First domain component:
    dc1=local
    #second dc:
    dc2=lan
    #If dc1=example, dc2=org, you get example.org
    tmpdir=/tmp

    #Install ldap first:
    aptitude install -y slapd ldap-utils

    #Create password hash for use in LDIFs:
    hash_pw=`slappasswd -s $passwd`

    #--------------------------------------------------------------#
    # Add schemas so we can support various uses. You could add samba, too
    #core schema is inserted by default:
    echo "Adding schemas:"
    #ldapadd -c -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/core.ldif
    ldapadd -c -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
    ldapadd -c -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif
    ldapadd -c -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif
    #ldapadd -c -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/misc.ldif

    #--------------------------------------------------------------#
    # database.ldif
    #--------------------------------------------------------------#
    echo "Setting up configuration database:"
    # Heredoc: everything up to the EOF line is written to the file (the
    # blog's HTML escaping had mangled this line to "cat < ...").
    cat << EOF > $tmpdir/database.ldif
    # Load dynamic backend modules
    dn: cn=module{0},cn=config
    objectClass: olcModuleList
    cn: module{0}
    olcModulePath: /usr/lib/ldap
    olcModuleLoad: {0}back_hdb

    # Create directory database
    dn: olcDatabase={1}hdb,cn=config
    objectClass: olcDatabaseConfig
    objectClass: olcHdbConfig
    olcDatabase: {1}hdb
    olcDbDirectory: /var/lib/ldap
    olcSuffix: dc=$dc1,dc=$dc2
    olcRootDN: cn=admin,dc=$dc1,dc=$dc2
    olcRootPW: $hash_pw
    olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=$dc1,dc=$dc2" write by anonymous auth by self write by * none
    olcAccess: {1}to dn.base="" by * read
    olcAccess: {2}to * by dn="cn=admin,dc=$dc1,dc=$dc2" write by * read
    olcLastMod: TRUE
    olcDbCheckpoint: 512 30
    # For the Debian package we use 2MB as default but be sure to update this
    # value if you have plenty of RAM:
    olcDbConfig: {0}set_cachesize 0 2097152 0
    # Number of objects that can be locked at the same time.
    olcDbConfig: {1}set_lk_max_objects 1500
    # Number of locks (both requested and granted)
    olcDbConfig: {2}set_lk_max_locks 1500
    olcDbConfig: {3}set_lk_max_lockers 1500
    #Indexing on these fields:
    olcDbIndex: uid pres,eq
    olcDbIndex: cn,sn,mail pres,eq,approx,sub
    olcDbIndex: objectClass eq
    ################################
    # Modifications
    ################################

    dn: cn=config
    changetype: modify

    dn: olcDatabase={-1}frontend,cn=config
    changetype: modify
    delete: olcAccess

    dn: olcDatabase={0}config,cn=config
    changetype: modify
    add: olcRootDN
    olcRootDN: cn=admin,cn=config

    dn: olcDatabase={0}config,cn=config
    changetype: modify
    add: olcRootPW
    olcRootPW: $hash_pw

    dn: olcDatabase={0}config,cn=config
    changetype: modify
    delete: olcAccess
    EOF
    ldapadd -c -Y EXTERNAL -H ldapi:/// -f $tmpdir/database.ldif
    ####################################
    # Mini DIT
    ####################################
    echo "Setting up a small directory tree:"
    cat << EOF > $tmpdir/dit.ldif
    # Tree root

    dn: dc=$dc1,dc=$dc2
    objectClass: dcObject
    objectclass: organization
    o: $dc1.$dc2
    dc: $dc1
    description: Tree root

    # Populating
    dn: cn=admin,dc=$dc1,dc=$dc2
    objectClass: simpleSecurityObject
    objectClass: organizationalRole
    cn: admin
    userPassword: $hash_pw
    description: LDAP administrator

    #We DON'T need an Albanian wizard in our LDAP ;)
    #dn: cn=aw,dc=$dc1,dc=$dc2
    #objectClass: simpleSecurityObject
    #objectClass: organizationalRole
    #cn: aw
    #userPassword: $hash_pw
    #description: LDAP aw

    dn: ou=people,dc=$dc1,dc=$dc2
    ou: people
    objectClass: organizationalUnit
    objectClass: top

    dn: ou=groups,dc=$dc1,dc=$dc2
    ou: groups
    objectClass: organizationalUnit
    objectClass: top

    dn: ou=addressbook,dc=$dc1,dc=$dc2
    ou: addressbook
    objectClass: top
    objectClass: organizationalUnit
    description: Addressbook for email programs etc

    #Adding user
    dn: uid=ldap1,ou=people,dc=$dc1,dc=$dc2
    objectClass: inetOrgPerson
    objectClass: posixAccount
    objectClass: shadowAccount
    uid: ldap1
    sn: Asdasd
    givenName: ldap1
    cn: ldap1 Asdasd
    displayName: ldap1 asdasd
    uidNumber: 1002
    gidNumber: 1000
    userPassword: $hash_pw
    gecos: ldap1 asdasd
    loginShell: /bin/bash
    homeDirectory: /home/ldap1
    shadowExpire: -1
    shadowFlag: 0
    shadowWarning: 7
    shadowMin: 8
    shadowMax: 999999
    shadowLastChange: 10877
    mail: aw@$dc1.$dc2
    postalCode: 31000
    l: Mycity
    o: $dc1
    mobile: +33 (0)6 22 22 22 22 22
    homePhone: +33 (0)5 33 22 33 22
    title: System Administrator
    postalAddress:
    initials: LP
    EOF
    # -w passes the password on the command line so the DIT import does not prompt.
    ldapadd -c -x -D cn=admin,dc=$dc1,dc=$dc2 -w $passwd -f $tmpdir/dit.ldif

    #test for success:
    echo "Testing by listing all objects in the LDAP:"
    ldapsearch -x -h localhost -b "dc=$dc1,dc=$dc2" "(objectClass=*)"
    [/cc]

  44. arditi March 13, 2011 at 2:08 pm #

    Hi, I put the script in tags.
    Thanks for the improvement. PS: I’m not a wizard, read the about :)

    Thanks again for the script,

    Arditi.

  45. WizardFan March 15, 2011 at 8:56 am #

    Nice about ;)

    One thing about the script that bugs me is that you get a Debian configure prompt asking for the LDAP admin password. I’ve looked into debian configure stuff to see if you can assign this in advance but I haven’t seen anything obvious.

    Any tips? This would help in creating an unattended install. Of course, I could go crazy and learn to use puppet or chef but what’s the fun in that ;)

  46. arditi March 16, 2011 at 3:23 pm #

    what about:
    ldapsearch -y file Read password from file

    it will read the password from a file; you can modify your script to create a temporary file to put the password in and then remove it just after the script finishes running.

    let me know :)

  47. masfia March 25, 2011 at 4:54 pm #

    Hi!
    Thanks for this excellent script!

    But I have a question for you…

    Is there a GUI to modify the openldap ACL (i.e. the olcAccess directive)?

  48. arditi March 25, 2011 at 8:22 pm #

    Hi ,

    you’re welcome,
    not to be “too geek”, but when it’s about openldap the CLI and an editor are preferred; I tried many GUI programs in the past that did not work. Anyway, for more questions I suggest subscribing to the openldap mailing list.

    Nobody knows more about openldap than its developers. :)

  49. arditi March 25, 2011 at 8:29 pm #

    @WizardFan,
    I edited the link of ghacks as the guy didn’t mention the author;

    line 91 + ; on his pastebin paste:

    dn: cn=aw,dc=$dc1,dc=$dc2
    objectClass: simpleSecurityObject
    objectClass: organizationalRole
    cn: aw
    userPassword: $hash_pw
    description: LDAP aw

    Anyway.

  50. Bobuntu April 11, 2011 at 6:46 pm #

    Hi everybody,

    thanks for the great script.
    It’s nearly working for me.
    But, there is one point, where I have to enter the LDAP password. > invalid credentials!

    Is there any default password for openldap?
    I haven’t set any password yet. Just a password to log on to Ubuntu.

    Bob

  51. Bobuntu April 11, 2011 at 6:49 pm #

    Sorry guys,

    I got it!

    I couldn’t see the forest anymore, because there were so many trees.

    Great work. I appreciate it.
    I spent hours with problems. With your script it was so easy

    Bob

    • Alex December 14, 2011 at 4:29 pm #

      Hi Bobuntu, I’m having the same error of invalid password. Could you please tell me how you sort it out ?

      Thanks in advance

  52. Bobuntu April 11, 2011 at 6:59 pm #

    I don’t get it.

    When I have to enter the LDAP password for the script it works.

    But when I have to enter the password for the search, it doesn’t work > invalid credentials?

    Please help

  53. arditi April 11, 2011 at 9:17 pm #

    Once you get LDAP up, use some tool to manage it, it’s better :) or learn to use the LDAP command line properly.

  54. Bobuntu April 16, 2011 at 2:19 pm #

    I’d like to use a tool to set up and configure OpenLDAP. Do you know one which is free?

    Thank you in advance

  55. Bobuntu April 17, 2011 at 6:14 am #

    I got a decent solution for me. It’s called OpenDS. A perfect software which is great for my testing purposes. Since it is Java based I can even use it in my Windows world.

    Over and out

  56. arditi April 17, 2011 at 8:33 pm #

    Yes, OpenDS is good too; notice that in the first post I suggested phpldapadmin, but there are many tools out there.

  57. shiv saxena April 21, 2011 at 4:54 am #

    sir,

    you are a genius. I am pretty amazed and went over the scripts; your tutorial saved my life. Thanks a ton.

  58. Alex December 14, 2011 at 3:49 pm #

    Still no luck after running the scripts. I get stuck when running the configuration script; it asks for
    Enter LDAP Password:
    ldap_bind: Invalid credentials (49)

    I wrote :
    passwd=mypassword
    dc1=mydomain
    dc2=local

    What I’m doing wrong ? Please help SOS !!

  59. m0ps December 27, 2011 at 7:57 am #

    2 Alex
    Check quotes in script when copy/paste

  60. Help January 13, 2012 at 5:46 pm #

    I’m having the same problem that bobubuntu and the others including Alex are having. I can’t get either the original or the “Wizard” script to work. I get the “invalid credentials (49)” or the error 50 invalid credentials….

    Bobubuntu said he fixed it on the “second time around”, but never said what he did…

    I’m using Ubuntu 10.04.r3

    Here is the output from the “WizardFan” script: (Any suggestions?)

    root@001:/home/sysmanager# sh script1.sh
    script1.sh: 1: [cc: not found
    “Warning: the password will be shown on-screen. Also, don’t use spaces in the password”
    test
    “Enter the password again:”
    test
    Reading package lists… Done
    Building dependency tree
    Reading state information… Done
    Reading extended state information
    Initializing package states… Done
    Writing extended state information… Done
    No packages will be installed, upgraded, or removed.
    0 packages upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
    Need to get 0B of archives. After unpacking 0B will be used.
    Writing extended state information… Done
    Reading package lists… Done
    Building dependency tree
    Reading state information… Done
    Reading extended state information
    Initializing package states… Done

    “Adding schemas:”
    SASL/EXTERNAL authentication started
    SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    SASL SSF: 0
    adding new entry “cn=cosine,cn=schema,cn=config”

    SASL/EXTERNAL authentication started
    SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    SASL SSF: 0
    adding new entry “cn=inetorgperson,cn=schema,cn=config”

    SASL/EXTERNAL authentication started
    SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    SASL SSF: 0
    adding new entry “cn=nis,cn=schema,cn=config”

    “Setting up configuration database:”
    # Load dynamic backend modules
    dn: cn=module{0},cn=config
    objectClass: olcModuleList
    cn: module{0}
    olcModulePath: /usr/lib/ldap
    olcModuleLoad: {0}back_hdb

    # Create directory database
    dn: olcDatabase={1}hdb,cn=config
    objectClass: olcDatabaseConfig
    objectClass: olcHdbConfig
    olcDatabase: {1}hdb
    olcDbDirectory: /var/lib/ldap
    olcSuffix: dc=test,dc=com
    olcRootDN: cn=admin,dc=test,dc=com
    olcRootPW: {SSHA}vcUy1laKQnb8jKttofXM/4F0x75Of3yB
    olcAccess: {0}to attrs=userPassword,shadowLastChange by dn=”cn=admin,dc=test,dc=com″ write by anonymous auth by self write by * none
    olcAccess: {1}to dn.base=”” by * read
    olcAccess: {2}to * by dn=”cn=admin,dc=test,dc=com″ write by * read
    olcLastMod: TRUE
    olcDbCheckpoint: 512 30
    olcDbConfig: {0}set_cachesize 0 2097152 0
    olcDbConfig: {1}set_lk_max_objects 1500
    olcDbConfig: {2}set_lk_max_locks 1500
    olcDbConfig: {3}set_lk_max_lockers 1500
    olcDbIndex: uid pres,eq
    olcDbIndex: cn,sn,mail pres,eq,approx,sub
    olcDbIndex: objectClass eq
    ################################
    # Modifications
    ################################

    dn: cn=config
    changetype: modify

    dn: olcDatabase={-1}frontend,cn=config
    changetype: modify
    delete: olcAccess

    dn: olcDatabase={0}config,cn=config
    changetype: modify
    add: olcRootDN
    olcRootDN: cn=admin,cn=config

    dn: olcDatabase={0}config,cn=config
    changetype: modify
    add: olcRootPW
    olcRootPW: {SSHA}vcUy1laKQnb8jKttofXM/4F0x75Of3yB

    dn: olcDatabase={0}config,cn=config
    changetype: modify
    delete: olcAccess
    script1.sh: 55: dn:: not found
    script1.sh: 56: objectClass:: not found
    script1.sh: 57: cn:: not found
    script1.sh: 58: olcModulePath:: not found
    script1.sh: 59: olcModuleLoad:: not found
    script1.sh: 62: dn:: not found
    script1.sh: 63: objectClass:: not found
    script1.sh: 64: objectClass:: not found
    script1.sh: 65: olcDatabase:: not found
    script1.sh: 66: olcDbDirectory:: not found
    script1.sh: 67: olcSuffix:: not found
    script1.sh: 68: olcRootDN:: not found
    script1.sh: 69: olcRootPW:: not found
    script1.sh: 70: olcAccess:: not found
    script1.sh: 71: olcAccess:: not found
    script1.sh: 72: olcAccess:: not found
    script1.sh: 73: olcLastMod:: not found
    script1.sh: 74: olcDbCheckpoint:: not found
    script1.sh: 77: olcDbConfig:: not found
    script1.sh: 79: olcDbConfig:: not found
    script1.sh: 81: olcDbConfig:: not found
    script1.sh: 82: olcDbConfig:: not found
    script1.sh: 84: olcDbIndex:: not found
    script1.sh: 85: olcDbIndex:: not found
    script1.sh: 86: olcDbIndex:: not found
    script1.sh: 91: dn:: not found
    script1.sh: 92: changetype:: not found
    script1.sh: 94: dn:: not found
    script1.sh: 95: changetype:: not found
    script1.sh: 96: delete:: not found
    script1.sh: 98: dn:: not found
    script1.sh: 99: changetype:: not found
    script1.sh: 100: add:: not found
    script1.sh: 101: olcRootDN:: not found
    script1.sh: 103: dn:: not found
    script1.sh: 104: changetype:: not found
    script1.sh: 105: add:: not found
    script1.sh: 106: olcRootPW:: not found
    script1.sh: 108: dn:: not found
    script1.sh: 109: changetype:: not found
    script1.sh: 110: delete:: not found
    script1.sh: 111: EOF: not found
    SASL/EXTERNAL authentication started
    SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    SASL SSF: 0
    adding new entry “cn=module{0},cn=config”

    adding new entry “olcDatabase={1}hdb,cn=config”
    ldap_add: Other (e.g., implementation specific) error (80)
    additional info: handler exited with 1

    modifying entry “cn=config”

    modifying entry “olcDatabase={-1}frontend,cn=config”

    modifying entry “olcDatabase={0}config,cn=config”

    modifying entry “olcDatabase={0}config,cn=config”

    modifying entry “olcDatabase={0}config,cn=config”

    “Setting up a small directory tree:”
    # Tree root

    dn: dc=test,dc=com
    objectClass: dcObject
    objectclass: organization
    o: test.com
    dc: test
    description: Tree root

    # Populating
    dn: cn=admin,dc=test,dc=com
    objectClass: simpleSecurityObject
    objectClass: organizationalRole
    cn: admin
    userPassword: {SSHA}vcUy1laKQnb8jKttofXM/4F0x75Of3yB
    description: LDAP administrator

    dn: cn=aw,dc=test,dc=com
    objectClass: simpleSecurityObject
    objectClass: organizationalRole
    cn: aw
    userPassword: {SSHA}vcUy1laKQnb8jKttofXM/4F0x75Of3yB
    description: LDAP aw

    dn: ou=people,dc=test,dc=com
    ou: people
    objectClass: organizationalUnit
    objectClass: top

    dn: ou=groups,dc=test,dc=com
    ou: groups
    objectClass: organizationalUnit
    objectClass: top

    dn: ou=addressbook,dc=test,dc=com
    ou: addressbook
    objectClass: top
    objectClass: organizationalUnit

    #Adding user
    dn: uid=ldap1,ou=people,dc=test,dc=com
    objectClass: inetOrgPerson
    objectClass: posixAccount
    objectClass: shadowAccount
    uid: ldap1
    sn: Asdasd
    givenName: ldap1
    cn: ldap1 Asdasd
    displayName: ldap1 asdasd
    uidNumber: 1002
    gidNumber: 1000
    userPassword: {SSHA}vcUy1laKQnb8jKttofXM/4F0x75Of3yB
    gecos: ldap1 asdasd
    loginShell: /bin/bash
    homeDirectory: /home/ldap1
    shadowExpire: -1
    shadowFlag: 0
    shadowWarning: 7
    shadowMin: 8
    shadowMax: 999999
    shadowLastChange: 10877
    mail: aw@test.com
    postalCode: 31000
    l: Mysity
    o: test
    mobile: +33 (0)6 22 22 22 22 22
    homePhone: +33 (0)5 33 22 33 22
    title: System Administrator
    postalAddress:
    initials: LP
    script1.sh: 120: dn:: not found
    script1.sh: 121: objectClass:: not found
    script1.sh: 122: objectclass:: not found
    script1.sh: 123: o:: not found
    script1.sh: 124: dc:: not found
    script1.sh: 125: description:: not found
    script1.sh: 128: dn:: not found
    script1.sh: 129: objectClass:: not found
    script1.sh: 130: objectClass:: not found
    script1.sh: 131: cn:: not found
    script1.sh: 132: userPassword:: not found
    script1.sh: 133: description:: not found
    script1.sh: 143: dn:: not found
    script1.sh: 144: ou:: not found
    script1.sh: 145: objectClass:: not found
    script1.sh: 146: objectClass:: not found
    script1.sh: 148: dn:: not found
    script1.sh: 149: ou:: not found
    script1.sh: 150: objectClass:: not found
    script1.sh: 151: objectClass:: not found
    script1.sh: 153: dn:: not found
    script1.sh: 154: ou:: not found
    script1.sh: 155: objectClass:: not found
    script1.sh: 156: objectClass:: not found
    script1.sh: 157: description:: not found
    script1.sh: 160: dn:: not found
    script1.sh: 161: objectClass:: not found
    script1.sh: 162: objectClass:: not found
    script1.sh: 163: objectClass:: not found
    script1.sh: 164: uid:: not found
    script1.sh: 165: sn:: not found
    script1.sh: 166: givenName:: not found
    script1.sh: 167: cn:: not found
    script1.sh: 168: displayName:: not found
    script1.sh: 169: uidNumber:: not found
    script1.sh: 170: gidNumber:: not found
    script1.sh: 171: userPassword:: not found
    script1.sh: 172: gecos:: not found
    script1.sh: 173: loginShell:: not found
    script1.sh: 174: homeDirectory:: not found
    script1.sh: 175: shadowExpire:: not found
    script1.sh: 176: shadowFlag:: not found
    script1.sh: 177: shadowWarning:: not found
    script1.sh: 178: shadowMin:: not found
    script1.sh: 179: shadowMax:: not found
    script1.sh: 180: shadowLastChange:: not found
    script1.sh: 181: mail:: not found
    script1.sh: 182: postalCode:: not found
    script1.sh: 183: l:: not found
    script1.sh: 184: o:: not found
    script1.sh: 185: Syntax error: “(” unexpected
    root@001:/home/sysmanager#

  61. Help January 13, 2012 at 5:50 pm #

    Also, the script sets up the server right? Anyone know what has to be done to the clients to use the server to authenticate against?

    Thanks
    “Help”

  62. Help January 18, 2012 at 9:46 pm #

    Is this website still active?

  63. Help January 18, 2012 at 11:14 pm #

    These two lines need to be fixed to get the second script to work:

    cat < $tmpdir/database.ldif

    to

    cat < $tmpdir/database.ldif

    and

    cat < $tmpdir/dit.ldif

    to

    cat < $tmpdir/dit.ldif

    But I still have the Invalid Credentials (49) from the ldap_bind at the very bottom of the script, followed by an error on this line:

    ldapsearch -x -h localhost -b “dc=$dc1,dc=$dc2″ “(objectClass=*)”

    which is: Syntax error: “(” unexpected

    I tried removing both of the parenthesis, but that didn’t work.

    Still needing help….

    • someguy April 19, 2012 at 3:27 am #

      cat < $tmpdir/database.ldif
      cat < $tmpdir/dit.ldif

  64. Help January 19, 2012 at 8:26 pm #

    I got it!!!!!

    It’s the “quotes”!!!!!!

    The quotes are screwing up everything!!!!!

    The only thing that should have the “Curved” quotes around it is the if statement at the beginning to check the password.

    Everything else should have the quotes that are parallel to each other and NOT bent!!!!!

    It works now!

  65. Smoke_Nguyen February 21, 2012 at 8:40 am #

    Hi Alex!
    I have the same error as you, and I modified the line “passwd=mypassword” to “read passwd”. It works!

    Thanks for the great script!
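
    An added example, not the original script from this page nor code posted by any commenter, that ties together the three fixes raised in comments 63 to 65: the heredoc only works when the script contains plain ASCII quotes (comment 64), the LDIF must be written through a correctly delimited heredoc (comment 63), and the password should be read at run time rather than hard-coded (comment 65). It is plain POSIX sh like the original. The function names, the placeholder hash and the constructed sample lines are assumptions for illustration; hash_password additionally assumes OpenLDAP's slappasswd is installed and is not run by the self-check at the bottom.

```shell
#!/bin/sh
# Added example (not the original script from this page). Three helpers for
# the database.ldif step of the script:
#   check_quotes      - flag the typographic quotes (U+201C/U+201D/U+2033,
#                       U+2018/U+2019) that copy-paste from the web page
#                       leaves in the script; with them present sh executes
#                       every heredoc line as a command ("dn:: not found").
#   gen_database_ldif - write the hdb database entry through a heredoc that
#                       contains only ASCII quotes.
#   hash_password     - produce the {SSHA} hash without putting the secret on
#                       the slappasswd command line (`slappasswd -s $passwd`
#                       is visible to every local user in `ps`).
# Assumption: hash_password needs OpenLDAP's slappasswd and a terminal; the
# self-check below does not call it, so the rest runs anywhere.

check_quotes() {
    # Exit status 0 = file is clean, 1 = offending lines were printed.
    # The printf calls emit the UTF-8 byte sequences of the curly quotes.
    if grep -n -F \
        -e "$(printf '\342\200\234')" -e "$(printf '\342\200\235')" \
        -e "$(printf '\342\200\263')" -e "$(printf '\342\200\230')" \
        -e "$(printf '\342\200\231')" "$1"; then
        echo "$1: replace the quotes in the lines above with ASCII \" or '" >&2
        return 1
    fi
    return 0
}

gen_database_ldif() {
    # $1 = suffix such as dc=test,dc=com, $2 = {SSHA} hash, $3 = output file.
    # The EOF delimiter is unquoted so $suffix and $hash expand; nothing else
    # in the body is shell-special, and the ACL quotes are plain ".
    suffix=$1; hash=$2; out=$3
    cat > "$out" <<EOF
# Create directory database
dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: $suffix
olcRootDN: cn=admin,$suffix
olcRootPW: $hash
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,$suffix" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=admin,$suffix" write by * read
olcLastMod: TRUE
olcDbCheckpoint: 512 30
olcDbIndex: objectClass eq
olcDbIndex: uid pres,eq
olcDbIndex: cn,sn,mail pres,eq,approx,sub
EOF
}

hash_password() {
    # Prompt with echo off (the "read passwd" idea from comment 65), hand the
    # secret to slappasswd through a mode-0600 temp file with -T, and print
    # only the hash. The cleartext never reaches argv or the script source.
    pwfile=$(mktemp) || return 1
    printf 'LDAP admin password: ' >&2
    stty -echo; read -r passwd; stty echo; echo >&2
    printf '%s' "$passwd" > "$pwfile"
    unset passwd
    slappasswd -T "$pwfile"
    rc=$?
    rm -f "$pwfile"
    return $rc
}

# Self-check on constructed input: lint a copy of the page's broken ACL line
# (curly quotes), then generate an LDIF with a placeholder hash and lint it.
workdir=$(mktemp -d)
printf 'olcAccess: {1}to dn.base=\342\200\235\342\200\235 by * read\n' > "$workdir/pasted.sh"
check_quotes "$workdir/pasted.sh" || echo "pasted.sh would break under sh" >&2
gen_database_ldif dc=test,dc=com '{SSHA}REPLACE_WITH_slappasswd_OUTPUT' "$workdir/database.ldif"
check_quotes "$workdir/database.ldif" && echo "database.ldif is clean"
rm -rf "$workdir"
```

    Run check_quotes against the whole script before executing it; a clean exit means every quote is one sh understands. The generated database.ldif is then loaded exactly as in the original (ldapadd -Y EXTERNAL -H ldapi:/// -f), and the hash returned by hash_password is what goes into the olcRootPW line.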

  66. Kashif April 1, 2012 at 7:37 am #

    This article is good.
    Masfia, there is a GUI available called LdapBrowser (it's a Java-based program)…

  67. Ben April 11, 2012 at 2:17 pm #

    I'm getting this error every time I use the script to run the slapd configuration:

    adding new entry “cn=module{0},cn=config”
    ldap_add: Naming violation (64)

    I have written the script word by word but i can’t get around this problem.
    (i tried other websites having similar howto’s but all in vain)

  68. Its_a_joke April 13, 2012 at 6:15 am #

    This script simply doesn’t work on Ubuntu 10.4 Lucid Lynx, period!!

    Like many others, I am consistently getting ldap_bind: Invalid credentials (49) error.

    The page header mentions these instructions are for Ubuntu 10.4, so are all these people, including myself, crazy? Or are these instructions a cruel joke? Just like how horrible OpenLDAP is…?

    Arditi – although I appreciate your effort in putting this page together, since so many people are seeing the same issue, the explanation “works for me” doesn’t go very far. Sorry, but needless to say, I am a bit disappointed … :-(

    • someguy April 20, 2012 at 8:47 am #

      @Its_a_joke

      I have a 10.04 Lucid and it works (perfectly) for me. Don’t copy all of it by the letter, dude. Some of it you can/must edit. Oh, the quotes (”), as Help said, are formatted (or some other character…?), so you need to replace them with the plain keyboard quote (") for it to work as a script.

  69. someguy April 19, 2012 at 3:35 am #

    The original script worked excellent, but the enhancements made it perfect!

    Thanks:
    – albanianwizard
    – Arditi
    – Wizardfan

  70. Ave May 3, 2012 at 5:47 pm #

    I have adjusted the script (the quotes) and added the read passwd part. The script looks like http://pastebin.com/Fhb2ruFp but still does not work (Ubuntu 12.04 fresh install). I got the following log http://pastebin.com/s6SPK6db especially:

    adding new entry “cn=module{0},cn=config”
    ldap_add: Naming violation (64)

    Enter LDAP Password:
    ldap_bind: Invalid credentials (49)

    I tried both passwords, even used the same one in the script and in the initial slapd install. Could you please pastebin a working script, or say what is wrong with this one?
    Kind regards,

    Ave
