OpenLDAP Error: entry -1 has no dn Slaptest won't work

5.6k views Asked by At

I am trying to configure OPENLDAP on centOS 6.6, I have installed it via the yum installer, and downloaded the version 2.4.39-8 of openldap-server openldap-client openldap.

I had followed the tutorials at http://www.thegeekstuff.com/2015/01/openldap-linux/ http://dopensource.com/openldapforlinuxauth/

I had went ahead and added added a password by typing in slappasswd, and it gave returned me a olcRootPW: {SSHA} to which I added under the /etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif

I have also changed the olcsuffix:dc=my-domain,dc=com to olcsuffix:dc=mycompanyname,dc=com

olcRootDN:cn=Manager,dc=my-domain,dc=com to olcRootDN:cn=Manager,dc=mycompanyname,dc=com

I run the ldaptest -u to test the connection but it is giving me below error: 5577050f ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config.ldif" 5577050f str2entry: entry -1 has no dn slaptest: bad configuration file!

I have googled the above error with no luck.

Below are my cn=config.ldif and my olcDatabase={2}bdb.ldif

/etc/openldap/slapd.d/cn=cconfig.ldif

# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 3db96e4e
dn: cn=config
objectClass: olcGlobal
cn: config
olcConfigFile: /usr/share/openldap-servers/slapd.conf.obsolete
olcConfigDir: /etc/openldap/slapd.d
olcAllows: bind_v2
olcArgsFile: /var/run/openldap/slapd.args
olcAttributeOptions: lang-
olcAuthzPolicy: none
olcConcurrency: 0
olcConnMaxPending: 100
olcConnMaxPendingAuth: 1000
olcGentleHUP: FALSE
olcIdleTimeout: 0
olcIndexSubstrIfMaxLen: 4
olcIndexSubstrIfMinLen: 2
olcIndexSubstrAnyLen: 4
olcIndexSubstrAnyStep: 2
olcIndexIntLen: 4
olcListenerThreads: 1
olcLocalSSF: 71
olcLogLevel: 0
olcPidFile: /var/run/openldap/slapd.pid
olcReadOnly: FALSE
olcReverseLookup: FALSE
olcSaslSecProps: noplain,noanonymous
olcSockbufMaxIncoming: 262143
olcSockbufMaxIncomingAuth: 16777215
olcThreads: 16
olcTLSCACertificatePath: /etc/openldap/certs
olcTLSCertificateFile: "OpenLDAP Server"
olcTLSCertificateKeyFile: /etc/openldap/certs/password
olcTLSVerifyClient: never
olcTLSProtocolMin: 0.0
olcToolThreads: 1
olcWriteTimeout: 0
structuralObjectClass: olcGlobal
entryUUID: 9b0553c8-9ffb-1034-96cd-7ddcc9b7a61f
creatorsName: cn=config
createTimestamp: 20150605182245Z
entryCSN: 20150605182245.037496Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20150605182245Z

and my /etc/openldap/slapd/cn=config/olcDatabase={2}bdb.ldif

# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 b7acf931
dn: olcDatabase={2}bdb
objectClass: olcDatabaseConfig
objectClass: olcBdbConfig
olcDatabase: {2}bdb
olcSuffix: dc=mycompany,dc=com
olcAddContentAcl: FALSE
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcRootDN: cn=Manager,dc=mycompany,dc=com
olcRootPW: {SSHA}XIThNMsDcLUdHPBsVQcr6P6Qn8lDr+9B
olcSyncUseSubentry: FALSE
olcMonitoring: TRUE
olcDbDirectory: /var/lib/ldap
olcDbCacheSize: 1000
olcDbCheckpoint: 1024 15
olcDbNoSync: FALSE
olcDbDirtyRead: FALSE
olcDbIDLcacheSize: 0
olcDbIndex: objectClass pres,eq
olcDbIndex: cn pres,eq,sub
olcDbIndex: uid pres,eq,sub
olcDbIndex: uidNumber pres,eq
olcDbIndex: gidNumber pres,eq
olcDbIndex: ou pres,eq,sub
olcDbIndex: mail pres,eq,sub
olcDbIndex: sn pres,eq,sub
olcDbIndex: givenName pres,eq,sub
olcDbIndex: memberUid pres,eq,sub
olcDbIndex: loginShell pres,eq
olcDbIndex: nisMapName pres,eq,sub
olcDbIndex: nisMapEntry pres,eq,sub
olcDbLinearIndex: FALSE
olcDbMode: 0600
olcDbSearchStack: 16
olcDbShmKey: 0
olcDbCacheFree: 1
olcDbDNcacheSize: 0
structuralObjectClass: olcBdbConfig
entryUUID: 9b06a840-9ffb-1034-96de-7ddcc9b7a61f
creatorsName: cn=config
createTimestamp: 20150605182245Z
entryCSN: 20150605182245.037496Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20150605182245Z
olcAccess: {0}to attrs=userPassword by self write by dn.base="cn=Manager,dc=mycompany,dc=com" write by anonymous auth by * none
olcAccess: {1}to * by dn.base="cn=Manager,dc=mycompany,dc=com" write by self write by * read 
1

There are 1 answers

2
larsks On

If you find yourself following instructions that ask you to manually modify files that start with:

# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.

Consider that you may be persuing a less than optimal path.


A default openldap install on CentOS 6 includes the following ACL, defined in slapd.d/cn=config/olcDatabase={0}config.ldif:

olcAccess: {0}to *  by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,
  cn=auth" manage  by * none
olcAddContentAcl: TRUE

This permits you to access cn=config without as password as UID 0 ("root") using external authentication. That looks like:

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config"

With this access you can do pretty much everything you need to do, including modifying the suffix and root dn for your directory tree. Put the following into access.ldif:

dn: olcDatabase={2}bdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=mycompanyname,dc=com
-
replace: olcRootDN
olcRootDN: cn=manager,dc=mycompanyname,dc=com
-
replace: olcRootPW
olcRootPW: {SSHA}ZvsONlpgNnLlAqKDRQBFup/W+0/LXm5q

And then use that to modify the configuration:

# ldapmodify -Y EXTERNAL -H ldapi:/// -f access.ldif

Now that you have modified the directory suffix and password, you can put the following in toplevel.ldif:

dn: dc=mycompanyname,dc=com
objectclass: dcObject
objectclass: organization
dc: mycompanyname
o: my company name

And then add it:

# ldapadd -D cn=manager,dc=mycompanyname,dc=com -w admin -f toplevel.ldif
adding new entry "dc=mycompanyname,dc=com"

And now you can search for it:

# ldapsearch -x -b dc=mycompanyname,dc=com
# extended LDIF
#
# LDAPv3
# base <dc=mycompanyname,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# mycompanyname.com
dn: dc=mycompanyname,dc=com
objectClass: dcObject
objectClass: organization
dc: mycompanyname
o: my company name

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1