Setting up an LDAP server?

mattias.hedman

    This article [url=https://www.afp548.com/Articles/Jaguar/emailsharing.html]Using your Mac OS X Server Open Directory Database to share e-mail addresses[/url] tells me how to set up an LDAP server.

    Has anyone got it to work by following this article?
    I haven’t.
    I changed the .conf file. Restarted my server. Added with NetInfo Manager a new subfolder called “contacts”. In there I have added two posts. Two names (adding the email address doesn’t work; I can write @ inside the value).
    I add the server IP to my Address Book. Nothing happens. It doesn’t find anything. I tried to add the search base. Nothing.

    Help! 🙂

    This is from the slapd in debug mode.
    [code]

    >> dnPrettyNormal: <cn=contacts, dn=server.lan, dc=se>
    => ldap_bv2dn(cn=contacts, dn=server.lan, dc=se,0)
    <= ldap_bv2dn(cn=contacts, dn=server.lan, dc=se,0)=0
    do_search: invalid dn (cn=contacts, dn=server.lan, dc=se)
    send_ldap_result: conn=1 op=1 p=2
    send_ldap_response: msgid=2 tag=101 err=34
    ber_flush: 24 bytes to sd 9
    connection_get(9): got connid=1
    connection_read(9): checking for input on id=1
    ber_get_next
    ber_get_next: tag 0x30 len 5 contents:
    ber_get_next
    ber_get_next on fd 9 failed errno=0 (Undefined error: 0)
    connection_read(9): input error=-2 id=1, closing.
    connection_closing: readying conn=1 sd=9 for close
    connection_close: deferring conn=1 sd=9
    do_unbind
    connection_resched: attempting closing conn=1 sd=9
    connection_close: conn=1 sd=9
    connection_get(7): got connid=0
    connection_read(7): checking for input on id=0
    ber_get_next
    ber_get_next: tag 0x30 len 5 contents:
    ber_get_next
    ber_get_next on fd 7 failed errno=0 (Undefined error: 0)
    connection_read(7): input error=-2 id=0, closing.
    connection_closing: readying conn=0 sd=7 for close
    connection_close: deferring conn=0 sd=7
    do_unbind
    connection_resched: attempting closing conn=0 sd=7
    connection_close: conn=0 sd=7
    [/code]

    brossow

    If I run slapd using the network database, I at least get some results back using an empty search base. When I switch to the local database per the instructions, I get absolutely nothing despite the fact I have 100-odd local users. Here is the entire output of debug mode starting up using local:

    [quote][www:~] admin% sudo /usr/libexec/slapd -d 1
    @(#) $OpenLDAP: slapd 2.1.X (Sun Jul 28 15:04:21 PDT 2002) $
    root@nikon:/private/var/tmp/OpenLDAP/OpenLDAP-15.obj~1/servers/slapd
    daemon_init: listen on ldap:///
    daemon_init: 1 listeners to open…
    ldap_url_parse_ext(ldap:///)
    daemon: initialized ldap:///
    daemon_init: 1 listeners opened
    slapd init: initiated server.
    slap_sasl_init: initialized!
    /etc/openldap/slapd.conf: line 14: schema checking disabled! your mileage may vary!
    ==> netinfo_back_db_init
    <== netinfo_back_db_init

    >> dnPrettyNormal: <>
    <<< dnPrettyNormal: <>, <>
    (DSSTORE_FLAGS_ACCESS_READONLY: OFF)
    (DSSTORE_FLAGS_ACCESS_READWRITE: ON)
    (DSSTORE_FLAGS_SERVER_CLONE: ON)
    (DSSTORE_FLAGS_SERVER_MASTER: OFF)
    (DSSTORE_FLAGS_CACHE_ENABLED: ON)
    (DSSTORE_FLAGS_CACHE_DISABLED: OFF)
    (DSSTORE_FLAGS_REMOTE_NETINFO: OFF)
    (DSSTORE_FLAGS_OPEN_BY_TAG: OFF)
    (DSENGINE_FLAGS_NETINFO_NAMING: ON)
    (DSENGINE_FLAGS_X500_NAMING: OFF)
    (DSENGINE_FLAGS_POSIX_NAMING: OFF)
    (DSENGINE_FLAGS_DEREFERENCE_IDS: OFF)
    (DSENGINE_FLAGS_NATIVE_AUTHORIZATION: ON)
    <=> ad_to_dsdata_type attribute=uid type=DataTypeCaseUTF8Str
    <=> ad_to_dsdata_type attribute=cn type=DataTypeCaseUTF8Str
    <=> ad_to_dsdata_type attribute=uidNumber type=DataTypeCaseCStr
    <=> ad_to_dsdata_type attribute=gidNumber type=DataTypeCaseCStr
    <=> ad_to_dsdata_type attribute=homeDirectory type=DataTypeCStr
    <=> ad_to_dsdata_type attribute=loginShell type=DataTypeCStr
    <=> ad_to_dsdata_type attribute=shadowExpire type=DataTypeCaseCStr
    <=> ad_to_dsdata_type attribute=shadowLastChange type=DataTypeCaseCStr
    <=> ad_to_dsdata_type attribute=apple-user-class type=DataTypeCStr
    <=> ad_to_dsdata_type attribute=apple-user-homeurl type=DataTypeCStr
    <=> ad_to_dsdata_type attribute=apple-user-homequota type=DataTypeCStr
    <=> ad_to_dsdata_type attribute=apple-user-mailattribute type=DataTypeUTF8Str
    <=> ad_to_dsdata_type attribute=apple-user-printattribute type=DataTypeUTF8Str
    <=> ad_to_dsdata_type attribute=apple-user-adminlimits type=DataTypeUTF8Str
    <=> ad_to_dsdata_type attribute=apple-user-picture type=DataTypeUTF8Str
    <=> ad_to_dsdata_type attribute=apple-user-authenticationhint type=DataTypeUTF8Str
    <=> ad_to_dsdata_type attribute=authAuthority type=DataTypeCStr
    <=> ad_to_dsdata_type attribute=sn type=DataTypeCaseUTF8Str
    <=> ad_to_dsdata_type attribute=givenName type=DataTypeCaseUTF8Str
    <=> ad_to_dsdata_type attribute=st type=DataTypeCaseUTF8Str
    <=> ad_to_dsdata_type attribute=postalCode type=DataTypeCaseUTF8Str
    <=> ad_to_dsdata_type attribute=street type=DataTypeCaseUTF8Str
    <=> ad_to_dsdata_type attribute=telephoneNumber type=DataTypeCaseCStr
    <=> ad_to_dsdata_type attribute=memberUid type=DataTypeCStr
    <=> ad_to_dsdata_type attribute=gidNumber type=DataTypeCaseCStr
    <=> ad_to_dsdata_type attribute=apple-group-realname type=DataTypeUTF8Str
    <=> ad_to_dsdata_type attribute=apple-group-homeurl type=DataTypeCStr
    <=> ad_to_dsdata_type attribute=apple-group-homeowner type=DataTypeCStr
    <=> ad_to_dsdata_type attribute=cn type=DataTypeCaseUTF8Str
    <=> ad_to_dsdata_type attribute=ipHostNumber type=DataTypeCaseCStr
    <=> ad_to_dsdata_type attribute=macAddress type=DataTypeCaseCStr
    <=> ad_to_dsdata_type attribute=bootFile type=DataTypeCStr
    <=> ad_to_dsdata_type attribute=bootParameter type=DataTypeCaseCStr
    <=> ad_to_dsdata_type attribute=apple-machine-serves type=DataTypeCStr
    <=> ad_to_dsdata_type attribute=apple-machine-suffix type=DataTypeCaseUTF8Str
    <=> ad_to_dsdata_type attribute=apple-machine-hardware type=DataTypeCaseCStr
    <=> ad_to_dsdata_type attribute=apple-machine-software type=DataTypeCaseCStr
    <=> ad_to_dsdata_type attribute=ipProtocolNumber type=DataTypeCaseCStr
    <=> ad_to_dsdata_type attribute=oncRpcNumber type=DataTypeCaseCStr
    <=> ad_to_dsdata_type attribute=ipServicePort type=DataTypeCaseCStr
    <=> ad_to_dsdata_type attribute=ipServiceProtocol type=DataTypeCaseUTF8Str
    <=> ad_to_dsdata_type attribute=ipNetworkNumber type=DataTypeCaseCStr
    <=> ad_to_dsdata_type attribute=ipNetmaskNumber type=DataTypeCaseCStr
    <=> ad_to_dsdata_type attribute=mountDirectory type=DataTypeUTF8Str
    <=> ad_to_dsdata_type attribute=mountType type=DataTypeCaseCStr
    <=> ad_to_dsdata_type attribute=mountOption type=DataTypeCaseCStr
    <=> ad_to_dsdata_type attribute=mountDumpFrequency type=DataTypeCaseCStr
    <=> ad_to_dsdata_type attribute=mountPassNo type=DataTypeCaseCStr
    <=> ad_to_dsdata_type attribute=apple-printer-attributes type=DataTypeCaseCStr
    <=> ad_to_dsdata_type attribute=rfc822MailMember type=DataTypeCaseCStr
    schemamap_add_oc: Could not add objectClass mapping for directory /computers: Invalid Path
    schemamap_add_at: Could not add attribute mapping for NetInfo attribute comment: Invalid Path
    schemamap_add_at: Could not add attribute mapping for NetInfo attribute en_address: Invalid Path
    schemamap_add_at: Could not add attribute mapping for NetInfo attribute groups: Invalid Path
    schemamap_add_oc: Could not add objectClass mapping for directory /computer_lists: Invalid Path
    schemamap_add_at: Could not add attribute mapping for NetInfo attribute computers: Invalid Path
    schemamap_add_at: Could not add attribute mapping for NetInfo attribute groups: Invalid Path
    <=> ad_to_dsdata_type attribute=apple-password-server-location type=DataTypeCStr
    <=> ad_to_dsdata_type attribute=apple-config-realname type=DataTypeCStr
    <=> ad_to_dsdata_type attribute=apple-data-stamp type=DataTypeCStr
    <=> ad_to_dsdata_type attribute=apple-group-realname type=DataTypeUTF8Str
    <=> ad_to_dsdata_type attribute=gidNumber type=DataTypeCaseCStr
    <=> ad_to_dsdata_type attribute=apple-group-homeurl type=DataTypeCStr
    <=> ad_to_dsdata_type attribute=apple-group-homeowner type=DataTypeCStr
    <=> ad_to_dsdata_type attribute=memberUid type=DataTypeCStr
    <=> ad_to_dsdata_type attribute=gidNumber type=DataTypeCaseCStr
    <=> ad_to_dsdata_type attribute=homeDirectory type=DataTypeCStr
    <=> ad_to_dsdata_type attribute=apple-user-homequota type=DataTypeCStr
    <=> ad_to_dsdata_type attribute=apple-user-mailattribute type=DataTypeUTF8Str
    <=> ad_to_dsdata_type attribute=apple-user-printattribute type=DataTypeUTF8Str
    <=> ad_to_dsdata_type attribute=apple-user-adminlimits type=DataTypeUTF8Str
    <=> ad_to_dsdata_type attribute=apple-user-picture type=DataTypeUTF8Str
    <=> ad_to_dsdata_type attribute=loginShell type=DataTypeCStr
    <=> ad_to_dsdata_type attribute=shadowLastChange type=DataTypeCaseCStr
    <=> ad_to_dsdata_type attribute=shadowExpire type=DataTypeCaseCStr
    <=> ad_to_dsdata_type attribute=authAuthority type=DataTypeCStr
    <=> ad_to_dsdata_type attribute=apple-preset-user-is-admin type=DataTypeCStr
    schemamap_add_oc: Could not add objectClass mapping for directory /people: Invalid Path
    <=> ad_to_dsdata_type attribute=userPassword type=DataTypeBlob
    <=> ad_to_dsdata_type attribute=cn type=DataTypeCaseUTF8Str
    <=> ad_to_dsdata_type attribute=apple-mcxflags type=DataTypeUTF8Str
    <=> ad_to_dsdata_type attribute=apple-mcxsettings type=DataTypeUTF8Str
    slapd startup: initiated.
    ==> netinfo_back_db_open
    ==> netinfo_back_get_ditinfo
    >> dnPrettyNormal: <ou=www,dc=cesa12,dc=k12,dc=wi,dc=us>
    => ldap_bv2dn(ou=www,dc=cesa12,dc=k12,dc=wi,dc=us,0)
    <= ldap_bv2dn(ou=www,dc=cesa12,dc=k12,dc=wi,dc=us,0)=0
    => ldap_dn2bv(272)
    <= ldap_dn2bv(ou=www,dc=cesa12,dc=k12,dc=wi,dc=us,272)=0
    => ldap_dn2bv(16)
    <= ldap_dn2bv(ou=www,dc=cesa12,dc=k12,dc=wi,dc=us,16)=0
    <<< dnPrettyNormal: <ou=www,dc=cesa12,dc=k12,dc=wi,dc=us>, <ou=www,dc=cesa12,dc=k12,dc=wi,dc=us>
    >> dnPrettyNormal: <dc=cesa12,dc=k12,dc=wi,dc=us>
    => ldap_bv2dn(dc=cesa12,dc=k12,dc=wi,dc=us,0)
    <= ldap_bv2dn(dc=cesa12,dc=k12,dc=wi,dc=us,0)=0
    => ldap_dn2bv(272)
    <= ldap_dn2bv(dc=cesa12,dc=k12,dc=wi,dc=us,272)=0
    => ldap_dn2bv(16)
    <= ldap_dn2bv(dc=cesa12,dc=k12,dc=wi,dc=us,16)=0
    <<< dnPrettyNormal: <dc=cesa12,dc=k12,dc=wi,dc=us>, <dc=cesa12,dc=k12,dc=wi,dc=us>
    <== netinfo_back_get_ditinfo
    (Canonical suffix ou=www,dc=cesa12,dc=k12,dc=wi,dc=us)
    (Parent naming context dc=cesa12,dc=k12,dc=wi,dc=us referred to cldap://broadcasthost/)
    <== netinfo_back_db_open
    slapd starting
    [/quote]

    Look at all the errors (e.g. “schemamap_add_oc: Could not add objectClass mapping for directory /computers: Invalid Path”.) Another thing that concerns me is this line: “(Parent naming context dc=cesa12,dc=k12,dc=wi,dc=us referred to cldap://broadcasthost/)” — when running with the network DB, I get this line instead, which makes more sense (to me): “(Child naming context ou=www,dc=cesa12,dc=k12,dc=wi,dc=us referred to ldap://www/)”. I don’t know enough about this to know what’s important, but it seems odd that it would be referring to ‘broadcasthost’ instead of ‘www’.

    When I do a search from Address Book, here’s what debug mode outputs:

    [quote]sasl_server_new failed: -7
    connection_get(7): got connid=0
    connection_read(7): checking for input on id=0
    ber_get_next
    ber_get_next: tag 0x30 len 12 contents:
    ber_get_next
    ber_get_next: tag 0x30 len 353 contents:
    deferring operation
    ber_get_next
    ber_get_next on fd 7 failed errno=35 (Resource temporarily unavailable)
    do_bind
    ber_scanf fmt ({imt) ber:
    ber_scanf fmt (m}) ber:

    >> dnPrettyNormal: <>
    <<< dnPrettyNormal: <>, <>
    do_bind: version=2 dn=”” method=128
    send_ldap_result: conn=0 op=0 p=2
    send_ldap_response: msgid=1 tag=97 err=0
    ber_flush: 14 bytes to sd 7
    do_bind: v2 anonymous bind
    do_search
    ber_scanf fmt ({miiiib) ber:
    >> dnPrettyNormal: <cn=users,dc=cesa12,dc=k12,dc=wi,dc=us>
    => ldap_bv2dn(cn=users,dc=cesa12,dc=k12,dc=wi,dc=us,0)
    <= ldap_bv2dn(cn=users,dc=cesa12,dc=k12,dc=wi,dc=us,0)=0
    => ldap_dn2bv(272)
    <= ldap_dn2bv(cn=users,dc=cesa12,dc=k12,dc=wi,dc=us,272)=0
    => ldap_dn2bv(16)
    <= ldap_dn2bv(cn=users,dc=cesa12,dc=k12,dc=wi,dc=us,16)=0
    <<< dnPrettyNormal: <cn=users,dc=cesa12,dc=k12,dc=wi,dc=us>, <cn=users,dc=cesa12,dc=k12,dc=wi,dc=us>
    ber_scanf fmt ({m) ber:
    ber_scanf fmt (m) ber:
    ber_scanf fmt ({m) ber:
    ber_scanf fmt (m) ber:
    ber_scanf fmt ({m) ber:
    ber_scanf fmt (m) ber:
    ber_scanf fmt ({m) ber:
    ber_scanf fmt (m) ber:
    ber_scanf fmt ({M}}) ber:
    ==> netinfo_back_referrals dn=cn=users,dc=cesa12,dc=k12,dc=wi,dc=us ndn=cn=users,dc=cesa12,dc=k12,dc=wi,dc=us
    <== netinfo_back_referrals
    ==> netinfo_back_search base=cn=users,dc=cesa12,dc=k12,dc=wi,dc=us nbase=cn=users,dc=cesa12,dc=k12,dc=wi,dc=us scope=2
    ==> dnMakeLocal dn=cn=users,dc=cesa12,dc=k12,dc=wi,dc=us
    <== dnMakeLocal (not local to store)
    <== netinfo_back_search
    ==> netinfo_back_op_result dsstatus=2007 rc=10 msg=DSA2007: Path Not Local to Datastore
    send_ldap_result: conn=0 op=1 p=2
    send_ldap_response: msgid=2 tag=101 err=9
    ber_flush: 82 bytes to sd 7
    <== netinfo_back_op_result
    connection_get(7): got connid=0
    connection_read(7): checking for input on id=0
    ber_get_next
    ber_get_next: tag 0x30 len 5 contents:
    ber_get_next
    ber_get_next on fd 7 failed errno=35 (Resource temporarily unavailable)
    do_unbind
    connection_closing: readying conn=0 sd=7 for close
    connection_resched: attempting closing conn=0 sd=7
    connection_close: conn=0 sd=7[/quote]

    I know this is a ton of info, but I don’t know what’s important and what’s not. If anyone could help, I’d appreciate it. I could really use this functionality!
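    Reading the captures above (and the one in the first post) by hand is tedious. The script below is an added example, not code from the original posts or from afp548: it pulls the bind/search/unbind operations and their LDAP result codes out of `slapd -d 1` output and checks the syntax of each search base. It assumes the result-code and response-tag names from the LDAP RFCs (err=34 invalidDNSyntax, err=9 partialResults, tag=97 BindResponse, tag=101 SearchResultDone) and a fixed list of attribute types a DN may contain; a real slapd validates DN types against its loaded schema, which is why the first post's base `cn=contacts, dn=server.lan, dc=se` is rejected: as far as the schema is concerned, `dn` is an LDIF keyword, not an attribute type. The base in the capture above, `cn=users,dc=cesa12,dc=k12,dc=wi,dc=us`, parses fine; it fails later, with the backend's "Path Not Local to Datastore" turned into err=9 for an LDAPv2 client. The two log excerpts embedded in the script are copied from the posts in this thread.

```python
import re

# LDAP result codes that appear as err=NN in the captures (RFC 1777 numbering, which is
# what the LDAPv2 bind Address Book performs uses; RFC 4511 keeps the same values).
RESULT_CODES = {
    0: "success",
    9: "partialResults (LDAPv2: the server could not answer for this base)",
    10: "referral",
    32: "noSuchObject",
    34: "invalidDNSyntax",
}
# BER application tags slapd logs as tag=NN on each response it sends.
TAG_NAMES = {97: "BindResponse", 101: "SearchResultDone"}

# Attribute types this checker accepts in a DN. Assumption for the example: a real slapd
# validates the types against its loaded schema, so a base containing `dn=` (an LDIF
# keyword, not an attribute type) cannot be normalised and is answered with err=34.
KNOWN_DN_TYPES = {"cn", "ou", "o", "dc", "uid", "c", "l", "st", "street"}
_AVA = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)\s*=\s*(.+?)\s*$")


def check_dn(dn):
    """Return the syntax problems in a DN; an empty list means slapd would at least parse it."""
    problems = []
    if dn == "":
        return problems                      # the empty DN (root DSE) is a legal search base
    for n, rdn in enumerate(re.split(r"(?<!\\),", dn), 1):   # '\,' stays inside its value
        for ava in re.split(r"(?<!\\)\+", rdn):             # '+' joins a multi-valued RDN
            m = _AVA.match(ava)
            if not m:
                problems.append(f"RDN {n}: {ava.strip()!r} is not type=value")
                continue
            atype = m.group(1).lower()
            if not atype[0].isdigit() and atype not in KNOWN_DN_TYPES:
                problems.append(f"RDN {n}: unknown attribute type {atype!r}")
    return problems


def decode_debug_log(text):
    """Reduce `slapd -d 1` output to its bind/search/unbind operations and their results."""
    ops, pending = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("do_bind:") and "version=" in line:
            # dn="" is an anonymous bind; curly quotes survive copy/paste from the forum
            m = re.search(r'version=(\d+) dn=["\u201d]([^"\u201d]*)["\u201d]', line)
            pending = {"op": "bind", "version": int(m.group(1)), "dn": m.group(2)}
        elif line.startswith("do_search: invalid dn"):
            base = line[line.index("(") + 1:line.rindex(")")]
            pending = {"op": "search", "base": base, "dn_problems": check_dn(base)}
        elif line.startswith("==> netinfo_back_search"):
            m = re.search(r"base=(.*?) nbase=.* scope=(\d+)", line)
            pending = {"op": "search", "base": m.group(1), "scope": int(m.group(2)),
                       "dn_problems": check_dn(m.group(1))}
        elif line.startswith("==> netinfo_back_op_result") and pending is not None:
            m = re.search(r"dsstatus=(\d+) rc=(\d+) msg=(.*)", line)
            pending["backend"] = {"dsstatus": int(m.group(1)), "rc": int(m.group(2)),
                                  "msg": m.group(3)}
        elif line.startswith("send_ldap_response"):
            m = re.search(r"msgid=(\d+) tag=(\d+) err=(\d+)", line)
            tag, err = int(m.group(2)), int(m.group(3))
            op = pending if pending is not None else {"op": TAG_NAMES.get(tag, f"tag {tag}")}
            op.update(msgid=int(m.group(1)), response=TAG_NAMES.get(tag, str(tag)),
                      err=err, err_name=RESULT_CODES.get(err, "unknown"))
            ops.append(op)
            pending = None
        elif line == "do_unbind":
            ops.append({"op": "unbind"})
    return ops


# Excerpts of the two captures posted in this thread (first post, and the search above).
LOG_INVALID_DN = """\
do_search: invalid dn (cn=contacts, dn=server.lan, dc=se)
send_ldap_result: conn=1 op=1 p=2
send_ldap_response: msgid=2 tag=101 err=34
do_unbind
"""
LOG_NOT_LOCAL = """\
do_bind: version=2 dn="" method=128
send_ldap_response: msgid=1 tag=97 err=0
do_bind: v2 anonymous bind
do_search
==> netinfo_back_search base=cn=users,dc=cesa12,dc=k12,dc=wi,dc=us nbase=cn=users,dc=cesa12,dc=k12,dc=wi,dc=us scope=2
<== dnMakeLocal (not local to store)
==> netinfo_back_op_result dsstatus=2007 rc=10 msg=DSA2007: Path Not Local to Datastore
send_ldap_response: msgid=2 tag=101 err=9
do_unbind
"""

if __name__ == "__main__":
    for capture in (LOG_INVALID_DN, LOG_NOT_LOCAL):
        for op in decode_debug_log(capture):
            print(op)
        print()
```

    Paste a whole `slapd -d 1` session into `decode_debug_log` and look at the `err_name` of each `SearchResultDone`: an `invalidDNSyntax` means the base typed into Address Book never reached the backend, while a `partialResults` with a backend `rc` attached means the DN was fine but this slapd does not hold that part of the tree.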

    brossow

    [quote="MacTroll"]With server I would highly recommend that you use the Network database. Certainly that is what Apple would recommend also.[/quote]

    Any easy way to move all my users over from local to network? What I have is working just fine right now (with the exception of the LDAP issue here) so I hate to mess anything up. I was in a time crunch when I set up the server and didn’t have a lot of time to research. I admittedly haven’t read the manual (still waiting for a printed copy to arrive) and was flying by the seat of my pants when I set it up. If it’s major work, I’ll just get by without LDAP. Just would be convenient to have available.

    THANKS!

    Cabbage

    [quote="brossow"]still waiting for a printed copy to arrive[/quote]
    I mailed it this week 😳

    brossow

    [quote="Cabbage"]>>still waiting for a printed copy to arrive
    I mailed it this week :oops:[/quote]

    D’oh! That wasn’t intended as a complaint; just an excuse for my not having RTFM. 😉

    Cabbage

    Well, it should be a complaint… it took forever. I tried to get them before Xmas but he couldn’t get them done. Then he had a 3-week vacation and then it took another couple of weeks. At least you’re getting the color one… I only got B & W.

    Well onto this LDAP stuff.
    Why did you add a new directory called contacts? When I did this I just added new properties inside the users directory. Here are a couple of emails from the Mac Server Mailing List. I did get it to display all 100+ users on the server in Workgroup Manager… then I started adding more stuff to mine… I have to go back and play some more with it.

    [quote="Cabbage from the Apple Mac OS X Server Mailing List"]
    Your message piqued my interest in this again so I tried to set it up and have gotten a little further than last time. I still have many questions though, which are in parentheses.

    I have a G4 running OS X Server 10.2.3 with Open Directory enabled. There are about 125 users already on the machine. I open up Directory Access, check LDAPv3 and click Configure.
    I click New and give it a name, put in the IP address of the server, then click on the Search & Mappings tab. Here I choose Open Directory Server (am I supposed to use this or From Server??). I leave the search base blank (am I supposed to put something here?). I do NOT click on Write to Server (am I supposed to click it?). I click OK then quit Directory Assistant.

    Now over to a G4 running OS X 10.2.3.
    I open Address Book go to Preferences > LDAP.
    I click add, give it a name, server I set to the IP address of the above G4. Search Base I leave blank since I don’t know what that is. Port is 389 and Scope is Subtree (I find that none of the other scopes give me any results in my searches). I click Save and close the preferences.

    Now in address book I click Directories > All. In the search I type my first name Craig

    The results are
    Name | Email | Phone
    Craig Kabis | |
    Craig Vectrum | |

    I go back to the G4 running server and open up NetInfo Manager and go to Users > ckabis. I add a few new properties.

    Property | Value(s)
    mail | [email protected]
    o | Imtech Graphics
    street | 890 Arcade Way
    postalAddress | East Rutherford, NJ
    postalCode | 07077
    telephonenumber | 212-534-4564 x456
    apple-user-picture | /Library/User Pictures/Animals/Butterfly.tif
    givenName | Craig
    sn | Kabis

    OK to update the copy and quit NetInfo Manager. I go back to the client G4 and do the search again in Address Book.

    The results are
    Name | Email | Phone
    Kabis Craig | [email protected] | 212-534-4564 x456
    Craig Vectrum | |

    I drag me over on top of All under Group and I get sucked into there.
    It says
    Kabis Craig
    Imtech Graphics

    work: 212-534-4564 x456
    work: [email protected]
    work: 890 Arcade Way
    07072

    My picture is not displayed, neither is the city and state, and my name is backwards (Why didn’t these get grabbed from the LDAP server?)[/quote]

    Then MacTroll answered with this… I still don’t get the Will Robinson thing… I guess I’m too young to understand it 😕

    [quote="The Brain of afp548.com from the Apple Mac OS X Server Mailing List"]
    Ohh, Danger Will Robinson!!

    Don’t use Directory Access, instead use Open Directory Assistant to set your server up as an LDAP server. Directory Access is used for directory services and really isn’t related to setting up a shared address book. However it seems that your server was already correctly configured.

    >>Now over to a G4 running OS X 10.2.3.
    >>I open Address Book go to Preferences > LDAP.
    Now you are back on the right track.

    >>My picture is not displayed, neither is the city and state and my name
    >>is backwards (Why didn’t these get grabbed from the LDAP server?)
    I’m not sure what AddressBook actually pulls back from the LDAP server. I was happy enough with telephone number and e-mail and didn’t go farther than that. If AddressBook actually asks for it but doesn’t get it then it’s probably just a simple schema mapping issue to get ironed out.

    I’m currently toying with some of the web interfaces to LDAP that will allow you to add/remove addresses from the database. I haven’t had enough time to get anything to work as well as I would like it yet, but all the pieces seem to be there.
    [/quote]

    Anonymous

    I’m trying this on 10.2.4 Client, without success.

    I could browse the local Netinfo database using the 3rd-party LDAP app “LDapper”, but the local Addressbook application didn’t work. (I tried both adding properties in the /users CN, and making a separate /addressbook).

    From another computer on the subnet, neither the LDapper nor the Addressbook worked, though the debug showed an attempted connection.

    Has anyone worked this out? Is there any reason to think I can get it going on Client without too much difficulty?

    Anonymous

    Hi,

    I actually got this to work last night after some tinkering. I had to leave out the ‘dc=’ bits from the Address Book setup. Just ‘cn=users’ made it work, as long as there was a ‘mail=’ entry in the netinfo db. I made a /contacts folder in the netinfo db with a folder in there with a ‘mail=’ and ‘telephonenumber=’ entry and it also worked as long as I left out the ‘cn=’ entries in address book LDAP config.

    cn= maybe doesn’t work with local netinfo dbs? That’s all I could think of.
    Hope that helps,
    Dan

    Anonymous

    I meant “dc=” may not work with the local netinfo db. Also, there has to be a mail= entry under the username in the netinfo db, which didn’t come out as clearly as I thought when I typed the other post. Sorry, Dan
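    Dan's conclusion (base `cn=users` with no `dc=` components when slapd fronts the local NetInfo database, and a `mail` value on every entry that should show up) is easier to verify with `ldapsearch` than by watching Address Book. The script below is an added example, not from the thread or from afp548: it parses the LDIF that an anonymous `ldapsearch -x -H ldap://server.lan -b cn=users -s sub '(cn=Craig*)' cn mail telephoneNumber` returns (including base64 `::` values and folded continuation lines, which ldapsearch emits for non-ASCII or long values), reconstructs the Name | Email | Phone row Address Book showed for each hit, and lists the entries that would come back without an e-mail address, the way the Craig Vectrum row did in Cabbage's mailing-list message. The host name, the `uid=...,cn=users` DNs and the addresses in the embedded LDIF are constructed for the example, shaped after the thread's two hits.

```python
import base64


def unfold(text):
    """Join LDIF continuation lines: a line starting with one space continues the previous one."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Parse ldapsearch output into entries of the form {attribute (lowercased): [values]}.

    Handles 'attr: value', base64 'attr:: dmFsdWU=' and folded lines. Blocks without a 'dn'
    (ldapsearch's trailing 'search: 2' / 'result: 0 Success') are dropped, comments skipped.
    """
    entries, current = [], {}
    for line in unfold(text) + [""]:          # sentinel blank line flushes the last entry
        if line == "":
            if "dn" in current:
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):              # 'attr:: <base64>' for values that are not safe strings
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.lstrip(" ")
        current.setdefault(name.lower(), []).append(value)
    return entries


def address_book_rows(entries):
    """The Name | Email | Phone row Address Book showed per hit; blank where the entry has no value."""
    return [(e.get("cn", [""])[0], e.get("mail", [""])[0], e.get("telephonenumber", [""])[0])
            for e in entries]


def missing_attrs(entries, required=("mail",)):
    """DNs of entries lacking a required attribute: per the thread these are the users that
    come back blank in Address Book until the attribute is added in NetInfo Manager."""
    return [e["dn"][0] for e in entries if any(a not in e for a in required)]


# Constructed sample output (not captured from a real server), shaped like the two hits
# for "Craig" in the thread: one entry with mail and phone, one with neither.
SAMPLE_LDIF = """\
# constructed ldapsearch output for base cn=users, filter (cn=Craig*)

dn: uid=ckabis,cn=users
cn: Craig Kabis
givenName: Craig
sn: Kabis
mail: ckabis@example.com
telephoneNumber: 212-534-4564
  x456
postalAddress:: RWFzdCBSdXRoZXJmb3JkLCBOSg==

dn: uid=cvectrum,cn=users
cn: Craig Vectrum
givenName: Craig
sn: Vectrum

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2
"""

if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    for row in address_book_rows(entries):
        print(" | ".join(row))
    print("no mail attribute:", missing_attrs(entries))
```

    Run the real `ldapsearch` from the client that has Address Book on it, not from the server, so the test also covers the listener and the anonymous bind; if `ldapsearch` with base `cn=users` returns entries but Address Book shows nothing, the problem is on the Address Book side (search base or scope), and if it returns nothing with `cn=users` but works with an empty base, the base is wrong for this naming mode.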
