Why having multiple LDAP servers can lock you out

Recently, while setting up a new OpenLDAP server, I came across an annoying problem:

ldap_bind: Invalid credentials (49)

Usually this is because of a typo when entering a password. After trying a couple of times, I knew my fingers were not failing me, so I performed some debugging steps.

  • Configurations, OK
  • Recreate the password and reload, OK
  • Run ldapsearch, Invalid credentials (49)

Next I ran ldapsearch by itself, with no options, to see what would happen. When I was prompted for a password, I just hit enter. A listing from our central LDAP directory appeared. What?!

A bit of background. My servers use a central OpenLDAP directory for users and groups. Whenever a new server is provisioned, it is automatically configured to use the central directory.

So what was happening? Even though I was working on a local OpenLDAP installation, the commands I was running were by default looking at the central directory, not the local installation.

The solution turned out to be a simple one: specify “ldap://localhost/” as the server URI. Now when I ran my ldap commands they ran against the local install and not the remote LDAP directory.

So remember:

  • Don’t use the same password everywhere. If I had, I would have ended up modifying the wrong LDAP database.
  • When possible test with a non-destructive command first. While ldapmodify would have given an error too, I know ldapsearch does not do any damage.
  • Don’t assume commands are using localhost.
  • If a host is configured to use a central LDAP directory, it becomes the default LDAP database unless you specify otherwise.
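The following shell functions are an added example, not code from the original post. They make the lock-out mechanism checkable: ldap_effective_uri works out which server the OpenLDAP client tools will talk to, following the precedence ldap.conf(5) documents (an explicit -H URI on the command line, then the LDAPURI environment variable, then the URI line in the client-defaults file, then libldap's built-in ldap://localhost/), and ldap_target_is_local flags when that target is not this host. The config path is passed in as an argument because it is /etc/openldap/ldap.conf on the author's hosts and /usr/local/etc/openldap/ldap.conf on source or ports installs; the sample config at the bottom is constructed. Only one config file is consulted, which is a simplification (real clients also read ~/.ldaprc and ./ldaprc).

```shell
#!/bin/sh
# Added example, not code from the original post.
# Works out which directory the OpenLDAP client tools (ldapsearch, ldapmodify,
# ...) will connect to, so a host provisioned against a central directory
# cannot be mistaken for the local slapd.
#
# Precedence mirrored here (per ldap.conf(5)): -H on the command line, then
# the LDAPURI environment variable, then the first URI line in the client
# defaults file, then libldap's built-in default of ldap://localhost/.
# Simplification: only the one config file given as argument is consulted.

# Usage: ldap_effective_uri CONF_FILE [CLI_URI]
ldap_effective_uri() {
    conf="$1"
    cli="${2:-}"
    if [ -n "$cli" ]; then
        printf '%s\n' "$cli"
        return 0
    fi
    if [ -n "${LDAPURI:-}" ]; then
        printf '%s\n' "$LDAPURI"
        return 0
    fi
    # Keywords are case-insensitive; a URI line may list several servers and
    # the first one is tried first, so that is the one reported.
    from_conf=$(awk 'toupper($1) == "URI" { print $2; exit }' "$conf" 2>/dev/null || true)
    if [ -n "$from_conf" ]; then
        printf '%s\n' "$from_conf"
        return 0
    fi
    printf '%s\n' "ldap://localhost/"
}

# Usage: ldap_target_is_local CONF_FILE [CLI_URI]
# Exit status 0 when the effective target is this host, 1 otherwise.
ldap_target_is_local() {
    case "$(ldap_effective_uri "$@")" in
        ldapi://*) return 0 ;;                          # local UNIX socket
        ldap://localhost|ldap://localhost/*|ldap://localhost:*) return 0 ;;
        ldaps://localhost|ldaps://localhost/*|ldaps://localhost:*) return 0 ;;
        ldap://127.0.0.1|ldap://127.0.0.1/*|ldap://127.0.0.1:*) return 0 ;;
        ldaps://127.0.0.1|ldaps://127.0.0.1/*|ldaps://127.0.0.1:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: local_ldapsearch [ldapsearch args...]
# Always pins the server, so the host's client defaults cannot silently send
# the (non-destructive) query to the central directory.
local_ldapsearch() {
    ldapsearch -H ldap://localhost/ "$@"
}

# Demo with a constructed client-defaults file standing in for the
# /etc/openldap/ldap.conf of a host provisioned against a central directory.
demo_conf=$(mktemp)
printf 'BASE   dc=example,dc=org\nURI    ldap://ldap.example.org/\n' > "$demo_conf"
echo "default target : $(ldap_effective_uri "$demo_conf")"
echo "with -H        : $(ldap_effective_uri "$demo_conf" ldap://localhost/)"
if ldap_target_is_local "$demo_conf"; then
    echo "default target is local"
else
    echo "default target is remote; pass -H ldap://localhost/ to work on the local slapd"
fi
rm -f "$demo_conf"
```

Run ldap_target_is_local against the host's real client config before any ldapmodify or ldapadd; a non-zero status means the command, as typed, would go to the central directory.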

How to add a schema file to OpenLDAP 2.4

The following are the steps I used to add samba.schema to an already running OpenLDAP 2.4 installation.

  1. Create a file called convert.conf that contains a list of the schema file(s) to be converted. To make things go smoother later on, include all the schema files already in your OpenLDAP installation. Make sure to list them in the same order they are listed in your existing setup. Add the schema file(s) to be added at the end.

For example:

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/samba.schema

In this example, core.schema through openldap.schema are already in the OpenLDAP server.  samba.schema is the new schema we’re adding.

  2. Create a directory to hold the generated configuration.

mkdir /tmp/ldif_output

  3. Run the slapcat(1) command, passing it our convert.conf, to create the LDIF.

slapcat -f ./convert.conf -F /tmp/ldif_output -n0 -s 'cn={5}samba,cn=schema,cn=config' > samba.ldif

The number 5 in ‘cn={5}samba,cn=schema,cn=config’ is the position of samba.schema among the include lines in convert.conf when you number them starting at 0.

  4. Next, edit samba.ldif and remove the following lines from the end of the file.

structuralObjectClass: olcSchemaConfig
entryUUID: eba68f74-d586-1030-94a1-d3d0db45d1cb
creatorsName: cn=config
createTimestamp: 20120117184341Z
entryCSN: 20120117184341.297933Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20120117184341Z

The field names in your file will match, but the values will be different.

You’ll note that we didn’t have to update the DN value in samba.ldif. This is because we put the schema files in the proper order in our convert.conf. If we hadn’t, you would have to edit the value before proceeding to the next step.

  5. Now add the converted samba schema to your OpenLDAP server.

ldapadd -x -W -D 'cn=config' -f ./samba.ldif

If it worked you should receive the message:

adding new entry "cn={5}samba,cn=schema,cn=config"

/etc/ldap.conf vs. /etc/openldap/ldap.conf

What’s the difference between /etc/ldap.conf and /etc/openldap/ldap.conf?

On Linux systems using LDAP and running an LDAP server, OpenLDAP in particular, you will have noticed two files named ldap.conf:

  • /etc/ldap.conf
  • /etc/openldap/ldap.conf

So what’s the difference?

/etc/openldap/ldap.conf contains the defaults for ldap clients on the host.

/etc/ldap.conf is the ldap configuration file for pam_ldap.

Note that if you installed from source, or from ports on FreeBSD, you will find these files under /usr/local/etc.

FreeBSD users can find out more at http://www.freebsd.org/doc/en_US.ISO8859-1/articles/ldap-auth/index.html.

LDAP tuning – Internal error 80

ldap_modify: Internal (implementation specific) error (80)

One of OpenLDAP’s clearer error messages. After much digging, it turns out this error (80) is generated when OpenLDAP does not have enough locks.

On a side note, I came across an article in the Zimbra wiki on performance tuning your LDAP server. Worth the read. The tips in the article also solved the error 80.