wiki:LdapTroubleshooting
Last modified on 03/30/12 16:10:28

There are two LDAP servers, axon and lamina, with the CNAMEs ldap1.biostr.washington.edu and ldap2.biostr.washington.edu. Login should work as long as either one is up. If logins still fail, you may need to restart nscd (the Name Service Caching Daemon) so that it stops serving cached lookups.

Simple LDAP check: run ldapsearch -vvv -xLLL '(uid=joshuadf)' and confirm that the entry comes back.

If no one can log in to the LDAP server itself, boot it into single-user mode.

Run /etc/init.d/ldap start and check for error messages. If the database was corrupted by a crash, restore the whole /var/lib/ldap/ directory from a recent backup.
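The check above goes through the URI list in the client configuration, which fails over silently, so it does not tell you which of the two servers is actually answering. The following script is an added example (not part of this wiki page) that runs the same ldapsearch once per server, pinned with -H, and parses the LDIF it returns. Host names, base DN and the test uid are the page's own; the 30-second timeout and the status labels are assumptions, and the runner is injectable so the parsing can be exercised with canned output.

```python
import base64
import subprocess
from typing import Callable, Dict, List, Tuple

# Host names, base DN and test uid are the ones used on this page.
SERVERS = ["ldap1.biostr.washington.edu", "ldap2.biostr.washington.edu"]
BASE_DN = "dc=sig,dc=biostr,dc=washington,dc=edu"
TEST_UID = "joshuadf"

Runner = Callable[[List[str]], Tuple[int, str, str]]


def ldapsearch_cmd(server: str, uid: str, base: str = BASE_DN) -> List[str]:
    """argv for an anonymous simple-bind (-x) search pinned to ONE server.

    -H bypasses the URI failover list so a dead host is visible;
    -LLL drops the LDIF version line and comments so the output parses cleanly.
    """
    return ["ldapsearch", "-x", "-LLL", "-H", f"ldaps://{server}",
            "-b", base, f"(uid={uid})"]


def run_ldapsearch(cmd: List[str]) -> Tuple[int, str, str]:
    """Default runner: execute ldapsearch with a 30 s timeout (assumed value)."""
    proc = subprocess.run(cmd, capture_output=True, text=True, timeout=30)
    return proc.returncode, proc.stdout, proc.stderr


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Turn -LLL output into a list of {attribute: [values]} dicts.

    Handles folded lines (a leading space continues the previous line),
    multi-valued attributes, and "attr:: <base64>" values (RFC 2849).
    """
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in unfolded:
        if not line.strip():            # a blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, sep, rest = line.partition(":")
        if not sep:
            continue                    # not an attribute line; ignore
        if rest.startswith(":"):        # "attr:: base64value"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        current.setdefault(attr.strip(), []).append(value)
    if current:
        entries.append(current)
    return entries


def check_server(server: str, uid: str, run: Runner = run_ldapsearch) -> str:
    """'up' if the uid entry came back from this server, 'no-entry' if the
    server answered but the account is absent (a base-DN or data problem,
    not an outage), 'down: <reason>' if ldapsearch failed or timed out."""
    try:
        rc, out, err = run(ldapsearch_cmd(server, uid))
    except (OSError, subprocess.TimeoutExpired) as exc:
        return f"down: {exc}"
    if rc != 0:
        return f"down: exit {rc} {err.strip()}"
    for entry in parse_ldif(out):
        if uid in entry.get("uid", []):
            return "up"
    return "no-entry"


def check_all(uid: str = TEST_UID, run: Runner = run_ldapsearch) -> Dict[str, str]:
    """Check every server; login should work if at least one reports 'up'."""
    return {server: check_server(server, uid, run) for server in SERVERS}


if __name__ == "__main__":
    results = check_all()
    for server, status in results.items():
        print(f"{server}: {status}")
    if any(status == "up" for status in results.values()):
        print("at least one server answers; if logins still fail, restart nscd")
    else:
        print("no server answers; see the single-user / restore steps above")
```

A 'no-entry' result on a server that is otherwise up usually points at the base DN or the data rather than the daemon, so it is worth separating from 'down' before reaching for the backup.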

Client Setup

The LDAP client setup is done at installation time with the following commands (see KickStart for more details):

# LDAP (requires openldap-clients)
# The UW CA certificate must already be in place; without it every ldaps:// connection below fails verification.
if [ ! -f /etc/pki/tls/certs/UW-CA-CERT ]; then
  echo 'SIGERR: This depends on UW-CA-CERT'
fi
authconfig --enableshadow --enablemd5 --enableldap --ldapserver=ldaps://ldap2.biostr.washington.edu --ldapbasedn="dc=sig,dc=biostr,dc=washington,dc=edu" --enableldapauth --enableldaptls --enablecache --disablenis --disablekrb5 --kickstart
# nss_ldap / pam_ldap configuration: both servers, peer certificate checked against the UW CA
mv /etc/ldap.conf /etc/ldap.conf.orig
cat > /etc/ldap.conf << EOF
uri                        ldaps://ldap1.biostr.washington.edu ldaps://ldap2.biostr.washington.edu
ssl                        on
tls_cacertfile             /etc/pki/tls/certs/UW-CA-CERT
tls_checkpeer              yes
ldap_version               3
scope                      one
rootbinddn                 cn=admin,dc=sig,dc=biostr,dc=washington,dc=edu
base                       dc=sig,dc=biostr,dc=washington,dc=edu
nss_base_passwd            ou=People,dc=sig,dc=biostr,dc=washington,dc=edu
nss_base_shadow            ou=People,dc=sig,dc=biostr,dc=washington,dc=edu
nss_base_group             ou=Group,dc=sig,dc=biostr,dc=washington,dc=edu
pam_password               exop
timelimit                  30
bind_timelimit             30
bind_policy                soft
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon
EOF

# nslcd configuration. Note that tls_reqcert never means nslcd does not verify the
# server certificate at all, even though the CA file is listed; the other client
# files on this host (tls_checkpeer yes, TLS_REQCERT demand) do verify it.
cat > /etc/nslcd.conf << EOF
uri ldaps://ldap1.biostr.washington.edu
uri ldaps://ldap2.biostr.washington.edu
base dc=sig,dc=biostr,dc=washington,dc=edu
ssl on
tls_reqcert never
tls_cacertfile /etc/pki/tls/certs/UW-CA-CERT
EOF
# pam_ldap configuration
cat > /etc/pam_ldap.conf << EOF
base dc=sig,dc=biostr,dc=washington,dc=edu
uri ldaps://ldap1.biostr.washington.edu
uri ldaps://ldap2.biostr.washington.edu
ssl on
tls_cacertfile /etc/pki/tls/certs/UW-CA-CERT
pam_password md5
EOF
# OpenLDAP command-line tools (ldapsearch and friends)
mv /etc/openldap/ldap.conf /etc/openldap/ldap.conf.orig
cat > /etc/openldap/ldap.conf << EOF
URI  ldaps://ldap1.biostr.washington.edu ldaps://ldap2.biostr.washington.edu
BASE dc=sig,dc=biostr,dc=washington,dc=edu
TLS_CACERT /etc/pki/tls/certs/UW-CA-CERT
TLS hard
TLS_REQCERT demand
EOF
# autofs: automount maps are read from LDAP (automountMap / automount objects)
mv /etc/sysconfig/autofs /etc/sysconfig/autofs.orig
cat > /etc/sysconfig/autofs <<EOF
DEFAULT_MASTER_MAP_NAME="auto.master"
DEFAULT_TIMEOUT=300
DEFAULT_BROWSE_MODE="no"
DEFAULT_MAP_OBJECT_CLASS="automountMap"
DEFAULT_ENTRY_OBJECT_CLASS="automount"
DEFAULT_MAP_ATTRIBUTE="ou"
DEFAULT_ENTRY_ATTRIBUTE="cn"
DEFAULT_VALUE_ATTRIBUTE="automountInformation"
UNDERSCORETODOT=1
EOF
# Stop nscd so stale cached lookups do not mask the new configuration, then
# restart the daemons that read the files written above.
/etc/init.d/nscd stop
/etc/init.d/autofs restart
/etc/init.d/nslcd restart
/etc/init.d/portmap restart
# automountMap symlinks
ln -s /share/vagal-data /usr/local/data
for i in andrew brinkley detwiler bnniii jdftest joshuadf; do  ln -s /nfs/$i /home; done
#for i in andrew brinkley corina detwiler joshuadf jws kmull lober natalia onard rosse schoen shapiro wvw ; do  ln -s /nfs/$i /home; done

# logwatch reports
echo 'MailTo = logwtch@sig.biostr.washington.edu' >> /etc/logwatch/conf/logwatch.conf
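The kickstart writes four client files with four spellings of the same settings, which is exactly how one of them ends up verifying the server certificate while another does not (nslcd above has tls_reqcert never while /etc/openldap/ldap.conf has TLS_REQCERT demand). The following audit script is an added example, not part of this page or of any of the packages involved: it parses the four files (constructed inline from the page's own contents), flags URIs that are not ldaps://, any tls_reqcert / tls_checkpeer value that skips verification, a missing CA file, and base DNs or server lists that differ between files. The finding texts and the set of keys checked are this example's own choices.

```python
from typing import Dict, List

# Constructed copies of the four client files written by the kickstart above,
# trimmed to the keys the audit looks at. The values are the page's own.
CLIENT_FILES: Dict[str, str] = {
    "/etc/ldap.conf": """\
uri            ldaps://ldap1.biostr.washington.edu ldaps://ldap2.biostr.washington.edu
ssl            on
tls_cacertfile /etc/pki/tls/certs/UW-CA-CERT
tls_checkpeer  yes
base           dc=sig,dc=biostr,dc=washington,dc=edu
""",
    "/etc/nslcd.conf": """\
uri ldaps://ldap1.biostr.washington.edu
uri ldaps://ldap2.biostr.washington.edu
base dc=sig,dc=biostr,dc=washington,dc=edu
ssl on
tls_reqcert never
tls_cacertfile /etc/pki/tls/certs/UW-CA-CERT
""",
    "/etc/pam_ldap.conf": """\
base dc=sig,dc=biostr,dc=washington,dc=edu
uri ldaps://ldap1.biostr.washington.edu
uri ldaps://ldap2.biostr.washington.edu
ssl on
tls_cacertfile /etc/pki/tls/certs/UW-CA-CERT
""",
    "/etc/openldap/ldap.conf": """\
URI  ldaps://ldap1.biostr.washington.edu ldaps://ldap2.biostr.washington.edu
BASE dc=sig,dc=biostr,dc=washington,dc=edu
TLS_CACERT /etc/pki/tls/certs/UW-CA-CERT
TLS_REQCERT demand
""",
}


def parse_conf(text: str) -> Dict[str, List[str]]:
    """Parse 'key value' lines. Keys are lower-cased (openldap's ldap.conf is
    upper-case), '#' comments are skipped, and a key that repeats (nslcd's
    multiple 'uri' lines) accumulates all of its values."""
    conf: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return conf


def uris(conf: Dict[str, List[str]]) -> List[str]:
    """All server URIs, whether given as repeated lines or space-separated."""
    return [u for value in conf.get("uri", []) for u in value.split()]


def audit_file(name: str, conf: Dict[str, List[str]]) -> List[str]:
    """TLS checks for one file; an absent key is left alone (defaults differ per library)."""
    findings = []
    for uri in uris(conf):
        if not uri.lower().startswith("ldaps://"):
            findings.append(f"{name}: {uri} is not ldaps://; without 'ssl start_tls' "
                            "the bind password would cross the network in the clear")
    # nslcd / openldap spelling: tls_reqcert; only 'demand' (or 'hard') verifies the peer.
    reqcert = conf.get("tls_reqcert", [None])[-1]
    if reqcert is not None and reqcert.lower() not in ("demand", "hard"):
        findings.append(f"{name}: tls_reqcert {reqcert} skips server certificate "
                        "verification, so any host answering on the ldaps port is accepted")
    # nss_ldap / pam_ldap spelling: tls_checkpeer yes|no.
    checkpeer = conf.get("tls_checkpeer", [None])[-1]
    if checkpeer is not None and checkpeer.lower() != "yes":
        findings.append(f"{name}: tls_checkpeer {checkpeer} skips server certificate verification")
    if not (conf.get("tls_cacertfile") or conf.get("tls_cacert")):
        findings.append(f"{name}: no CA certificate configured; peer verification cannot succeed")
    return findings


def audit(files: Dict[str, str]) -> List[str]:
    """Per-file TLS checks plus cross-file consistency: every file should name the
    same servers and the same base DN, or one lookup path will behave differently."""
    parsed = {name: parse_conf(text) for name, text in files.items()}
    findings: List[str] = []
    for name, conf in parsed.items():
        findings.extend(audit_file(name, conf))
    bases = {name: conf.get("base", [""])[-1] for name, conf in parsed.items()}
    if len(set(bases.values())) > 1:
        findings.append("base DN differs between files: "
                        + ", ".join(f"{n}={b or '(none)'}" for n, b in bases.items()))
    server_sets = {name: frozenset(uris(conf)) for name, conf in parsed.items()}
    if len(set(server_sets.values())) > 1:
        findings.append("server lists differ between files: "
                        + ", ".join(f"{n}={sorted(s)}" for n, s in server_sets.items()))
    return findings


if __name__ == "__main__":
    for finding in audit(CLIENT_FILES) or ["no findings"]:
        print(finding)
```

Run against the page's own files it reports exactly one finding, the nslcd tls_reqcert never line; to audit a live host, read the real files into the dictionary instead of the constructed strings.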

By the way, here are some common LDAP abbreviation codes:

Key     Attribute
CN      Common Name
DC      Domain Component
DN      Distinguished Name
L       Locality Name
ST      State or Province Name
O       Organization Name
OU      Organizational Unit Name
C       Country Name
STREET  Street Address
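A DN such as the rootbinddn above (cn=admin,dc=sig,dc=biostr,dc=washington,dc=edu) is a comma-separated list of these attribute=value pairs, but values may themselves contain commas, plus signs and other specials, escaped per RFC 4514 as \, or as a hex pair like \2C. The parser below is an added example, not part of this page: it splits a DN on unescaped separators, handles multi-valued RDNs (joined with +) and both escape forms, and expands the abbreviations from the table. The function names are this example's own.

```python
from typing import List, Tuple

# Abbreviations from the table above.
ABBREVIATIONS = {
    "CN": "Common Name", "DC": "Domain Component", "L": "Locality Name",
    "ST": "State or Province Name", "O": "Organization Name",
    "OU": "Organizational Unit Name", "C": "Country Name", "STREET": "Street Address",
}
HEX_DIGITS = "0123456789abcdefABCDEF"


def split_unescaped(text: str, sep: str) -> List[str]:
    """Split on sep, skipping occurrences escaped with a backslash.
    Escape sequences are kept intact for unescape() to resolve later."""
    parts: List[str] = []
    current: List[str] = []
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            current.append(text[i:i + 2])
            i += 2
            continue
        if ch == sep:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))
    return parts


def unescape(value: str) -> str:
    """Undo RFC 4514 escaping: '\\,' -> ',' and '\\2C' (hex byte) -> ','.
    Hex escapes are collected as bytes so multi-byte UTF-8 sequences decode correctly."""
    out = bytearray()
    i = 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and all(c in HEX_DIGITS for c in pair):
                out.append(int(pair, 16))
                i += 3
            else:
                out += value[i + 1].encode("utf-8")
                i += 2
            continue
        out += ch.encode("utf-8")
        i += 1
    return out.decode("utf-8")


def parse_dn(dn: str) -> List[List[Tuple[str, str]]]:
    """Parse a DN into its RDNs (comma-separated), each a list of (type, value)
    pairs; a multi-valued RDN uses '+'. Leftmost RDN first, as written."""
    rdns: List[List[Tuple[str, str]]] = []
    for rdn in split_unescaped(dn, ","):
        avas: List[Tuple[str, str]] = []
        for ava in split_unescaped(rdn, "+"):
            attr, sep, value = ava.partition("=")
            if not sep or not attr.strip():
                raise ValueError(f"malformed RDN component: {ava!r}")
            avas.append((attr.strip(), unescape(value.strip())))
        rdns.append(avas)
    return rdns


def describe(dn: str) -> List[str]:
    """One human-readable line per component, expanding the table's abbreviations."""
    return [f"{ABBREVIATIONS.get(attr.upper(), attr)}: {value}"
            for rdn in parse_dn(dn) for attr, value in rdn]


if __name__ == "__main__":
    for line in describe("cn=admin,dc=sig,dc=biostr,dc=washington,dc=edu"):
        print(line)
```

Splitting on a plain "," would break on any value containing an escaped comma, which is why the two-step split-then-unescape order matters.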

Building an OpenLDAP database is black magic. There are some notes and scripts on lamina in /root/rebuild-ldap.