Re: Openldap server install failure - openldap client conflict

2008-04-17 Thread David Robillard
> On Wed, 2008-04-16 at 10:37 -0400, David Robillard wrote:
> > > I'm trying to install OpenLDAP as a server to "attempt" to try it out
> > > for our network. The problem is the openldap client is already installed
> > > for other apps as php, apache, asterisk, etc. So my question is: is it
> > > possible to uninstall the client? Will the server include the client
> > > required for these other apps?
> >
> > You can always remove the old client and install the new version. You
> > simply need to shutdown the services which depend on the client before
> > you remove the old one and install the new one. Then start the
> > services again. Of course you should do this on a test machine and
> > make sure all your applications work as expected with the new client
> > (i.e. don't do this on your production machine AND backup before you
> > do!).
> >
> > For what it's worth, I've removed and installed the OpenLDAP client
> > from a few machines and never had any problems with Apache nor with
> > PHP. But I did have a problem with sudo(8). If you use sudo (you
> > probably should IMHO) and it was compiled with LDAP support, then the
> > minute you remove the old OpenLDAP client, sudo will be broken. It's
> > easy to work around this by using su(1) and switch to root. Of course,
> > make sure you know the root password and that you're part of the wheel
> > group before you do this.
> >
> > Here's how I proceed to update the OpenLDAP client. I use SASL also,
> > but it's not mandatory. Notice that I run a first make(1) without
> > options. This will help reduce the time required between the `make
> > deinstall` and `make install clean`.
> >
> > cd /usr/ports/net/openldap24-sasl-client
> > sudo make
> > sudo /all/your/ldap/dependent/applications/rc.d/scripts stop
> > sudo make deinstall
> > sudo make install clean
> > sudo /all/your/ldap/dependent/applications/rc.d/scripts start
> >
> > Also, on a side note, I would suggest adding a few lines to
> > make.conf(5) so that all your applications will require the same
> > OpenLDAP versions (and the same Berkeley DB too). That change did help
> > me quite a lot. The downside of this is that if you have many hosts,
> > you may have to edit quite a few make.conf(5) files when either
> > OpenLDAP or BDB changes versions. Using rsync, rdist
> >
> > WANT_OPENLDAP_VER= 24
> > WITH_BDB_VER= 46
> >
> > Good luck with OpenLDAP. Should you need help with it, SASL and
> > Kerberos integration, feel free to contact me.
>
> I did just get it worked out, but those other apps were worrying me (see
> last post). At least I know where to look now...

Indeed. I've never used Asterisk myself so you'll have to test it. I'd
be surprised if a change in the LDAP client breaks anything, but you
never know. Better test it first on a non-production system.

> I am very interested in kerberos integration if you could provide some
> hints. I looked into it before for another reason and set it aside in the
> too hard basket for a while... I posted back to the list to help others
> if they're interested too.

I've successfully integrated OpenLDAP with SASL and Kerberos along
with nss_ldap, pam_ldap, sudo and ssh on FreeBSD. I agree with you
that it's not very easy to find good documentation on this subject on
the web. So I'll try to post my own setup online in case it can help
anyone.

But before I do, I still need to clean up my notes :) I'd also like to
publish documentation on these items:

- Setup the OpenLDAP replication with a Kerberos user.
- Describe a backup and recovery plan.
- Configure Apache to use mod_auth_kerb to achieve Single Sign-On.
- Describe how to replace NIS with OpenLDAP.
- Configure the OpenLDAP/Kerberos setup in HA using Open Source tools.
- Test some web based applications to manage the OpenLDAP accounts (so
that I can give the user management to a junior admin or first level
support teams)

So unless you really need my docs right away, I would suggest waiting
a bit for me to clean the whole thing. I'd like to have all that up
and running around the first week of May.

> One thing, I installed the lam webapp for administration (and I did also
> try this manually too) but when I'm asked for a password I have no idea
> what password it's looking for (I do feel rather stupid!).

Hummm, I've never used LAM before. But my (wild) guess would be that
it's looking for your rootdn user's password. Or any other user to
whom you've granted full read/write access in your OpenLDAP ACLs.

> This was something I was going to try to solve next time I get back to this
> project- it was late at night and I had only just got it installed and
> running. It says in the install guide that it will ask for the secret
> once you add an LDIF file, so I assumed it would set it then- I was
> wrong...

Well, the first password you setup is the rootdn's password. You
generate the salted SHA-1 hashed password with slappasswd(8C). Simply
copy the output of `slappasswd -v` into your
/usr/local/etc/openldap/slapd.co
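Two things tend to go wrong with the rootpw line once it is pasted into slapd.conf: the value is left in cleartext (slapd happily accepts `rootpw secret`), or the file holding the hash stays world-readable, which hands the rootdn to every local user. The script below is an added example, not part of David's post or of OpenLDAP itself; it checks both on whatever file you point it at. It assumes the hash came from slappasswd(8C) in its default {SSHA} scheme (base64 of SHA-1(password||salt)||salt) or one of the other {SCHEME} prefixes listed in the code, and that ls(1) prints the usual ten-character mode string.

```sh
#!/bin/sh
# Added example, not from the thread: sanity checks for the rootpw line in
# slapd.conf. rootpw_is_hashed refuses a cleartext rootpw, and
# not_world_readable refuses a config file that group/other can read.
#
# Assumption (mine): hashed values carry a {SSHA}, {SHA}, {SMD5}, {MD5} or
# {CRYPT} prefix, as slappasswd(8C) produces. {SSHA} is SHA-1 based, so the
# hash is only as strong as the rootdn password itself; choose a long one.

# rootpw_is_hashed FILE: succeed if every rootpw directive carries a
# recognised {SCHEME} prefix; fail on a cleartext rootpw or no rootpw at all.
rootpw_is_hashed() {
    conf=$1
    grep -Eiq '^[[:space:]]*rootpw[[:space:]]' "$conf" || return 1
    # any rootpw line whose value does not start with {SCHEME} is cleartext
    if grep -Ei '^[[:space:]]*rootpw[[:space:]]' "$conf" |
       grep -Eiv '^[[:space:]]*rootpw[[:space:]]+"?[{](SSHA|SHA|SMD5|MD5|CRYPT)[}]' |
       grep -q .; then
        return 1
    fi
    return 0
}

# not_world_readable FILE: succeed if group and other have no permission
# bits at all (mode 0600 or stricter). Read from ls -l so it behaves the
# same on BSD and GNU systems, whose stat(1) flags differ.
not_world_readable() {
    mode=$(ls -ld "$1" | cut -c5-10)
    [ "$mode" = "------" ]
}

# check_slapd_conf FILE: run both checks, report, and return non-zero on
# any failure so the result can gate a slapd restart.
check_slapd_conf() {
    conf=$1
    rc=0
    if rootpw_is_hashed "$conf"; then
        echo "ok:   rootpw is hashed"
    else
        echo "FAIL: rootpw missing or in cleartext in $conf"
        rc=1
    fi
    if not_world_readable "$conf"; then
        echo "ok:   $conf is readable by owner only"
    else
        echo "FAIL: $conf is readable by group/other (chmod 600 $conf)"
        rc=1
    fi
    return $rc
}

# Run against the real file only when a path is given on the command line.
if [ -n "${1:-}" ]; then
    check_slapd_conf "$1"
fi
```

Run it as `sh check-slapd-conf.sh /usr/local/etc/openldap/slapd.conf` after pasting the slappasswd output in; a non-zero exit means fix the file before starting slapd. The {SSHA} value in a slapd.conf is not a secret in the sense of a key, but it is an offline-crackable hash of the most privileged account in the directory, so the permission check is not optional.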

Re: Openldap server install failure - openldap client conflict

2008-04-16 Thread Da Rock

On Wed, 2008-04-16 at 10:37 -0400, David Robillard wrote:
> > I'm trying to install OpenLDAP as a server to "attempt" to try it out
> > for our network. The problem is the openldap client is already installed
> > for other apps as php, apache, asterisk, etc. So my question is: is it
> > possible to uninstall the client? Will the server include the client
> > required for these other apps?
> 
> You can always remove the old client and install the new version. You
> simply need to shutdown the services which depend on the client before
> you remove the old one and install the new one. Then start the
> services again. Of course you should do this on a test machine and
> make sure all your applications work as expected with the new client
> (i.e. don't do this on your production machine AND backup before you
> do!).
> 
> For what it's worth, I've removed and installed the OpenLDAP client
> from a few machines and never had any problems with Apache nor with
> PHP. But I did have a problem with sudo(8). If you use sudo (you
> probably should IMHO) and it was compiled with LDAP support, then the
> minute you remove the old OpenLDAP client, sudo will be broken. It's
> easy to work around this by using su(1) and switch to root. Of course,
> make sure you know the root password and that you're part of the wheel
> group before you do this.
> 
> Here's how I proceed to update the OpenLDAP client. I use SASL also,
> but it's not mandatory. Notice that I run a first make(1) without
> options. This will help reduce the time required between the `make
> deinstall` and `make install clean`.
> 
> cd /usr/ports/net/openldap24-sasl-client
> sudo make
> sudo /all/your/ldap/dependent/applications/rc.d/scripts stop
> sudo make deinstall
> sudo make install clean
> sudo /all/your/ldap/dependent/applications/rc.d/scripts start
> 
> Also, on a side note, I would suggest adding a few lines to
> make.conf(5) so that all your applications will require the same
> OpenLDAP versions (and the same Berkeley DB too). That change did help
> me quite a lot. The downside of this is that if you have many hosts,
> you may have to edit quite a few make.conf(5) files when either
> OpenLDAP or BDB changes versions. Using rsync, rdist
> 
> WANT_OPENLDAP_VER= 24
> WITH_BDB_VER= 46
> 
> Good luck with OpenLDAP. Should you need help with it, SASL and
> Kerberos integration, feel free to contact me.

I did just get it worked out, but those other apps were worrying me (see
last post). At least I know where to look now...

I am very interested in kerberos integration if you could provide some
hints. I looked into it before for another reason and set it aside in the
too hard basket for a while... I posted back to the list to help others
if they're interested too.

One thing, I installed the lam webapp for administration (and I did also
try this manually too) but when I'm asked for a password I have no idea
what password it's looking for (I do feel rather stupid!). This was
something I was going to try to solve next time I get back to this
project- it was late at night and I had only just got it installed and
running. It says in the install guide that it will ask for the secret
once you add an LDIF file, so I assumed it would set it then- I was
wrong...

Thanks for the help.

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


Re: Openldap server install failure - openldap client conflict

2008-04-16 Thread David Robillard
> I'm trying to install OpenLDAP as a server to "attempt" to try it out
> for our network. The problem is the openldap client is already installed
> for other apps as php, apache, asterisk, etc. So my question is: is it
> possible to uninstall the client? Will the server include the client
> required for these other apps?

You can always remove the old client and install the new version. You
simply need to shutdown the services which depend on the client before
you remove the old one and install the new one. Then start the
services again. Of course you should do this on a test machine and
make sure all your applications work as expected with the new client
(i.e. don't do this on your production machine AND backup before you
do!).

For what it's worth, I've removed and installed the OpenLDAP client
from a few machines and never had any problems with Apache nor with
PHP. But I did have a problem with sudo(8). If you use sudo (you
probably should IMHO) and it was compiled with LDAP support, then the
minute you remove the old OpenLDAP client, sudo will be broken. It's
easy to work around this by using su(1) and switch to root. Of course,
make sure you know the root password and that you're part of the wheel
group before you do this.

Here's how I proceed to update the OpenLDAP client. I use SASL also,
but it's not mandatory. Notice that I run a first make(1) without
options. This will help reduce the time required between the `make
deinstall` and `make install clean`.

cd /usr/ports/net/openldap24-sasl-client
sudo make
sudo /all/your/ldap/dependent/applications/rc.d/scripts stop
sudo make deinstall
sudo make install clean
sudo /all/your/ldap/dependent/applications/rc.d/scripts start

Also, on a side note, I would suggest adding a few lines to
make.conf(5) so that all your applications will require the same
OpenLDAP versions (and the same Berkeley DB too). That change did help
me quite a lot. The downside of this is that if you have many hosts,
you may have to edit quite a few make.conf(5) files when either
OpenLDAP or BDB changes versions. Using rsync, rdist

WANT_OPENLDAP_VER= 24
WITH_BDB_VER= 46

Good luck with OpenLDAP. Should you need help with it, SASL and
Kerberos integration, feel free to contact me.

Cheers,

David
-- 
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122
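The step in the procedure above that bites is the gap between `make deinstall` and `make install clean`: anything dynamically linked against the old libldap stops working, and if that includes sudo(8) you have just locked yourself out of the root you need to finish. The script below is an added example, not part of David's post: a pre-flight scan that lists which binaries link libldap/liblber, so you know which rc.d scripts to stop and whether the su(1) workaround is needed. It assumes ldd(1) prints one "name => path" line per shared object and that the candidate paths are the usual ports locations; both are my assumptions, so edit CANDIDATES for your host.

```sh
#!/bin/sh
# Added example, not from the thread: run this before `make deinstall` of
# the OpenLDAP client port. It reports the binaries that link against the
# client libraries (libldap/liblber) and whether sudo(8) is among them.
#
# Assumptions (mine, not the poster's): ldd(1) output has one shared object
# per line, and the candidate paths below are guesses for a FreeBSD host
# built from ports. Adjust CANDIDATES for your own machine.

CANDIDATES="/usr/local/bin/sudo /usr/local/sbin/httpd /usr/local/bin/php
/usr/local/sbin/asterisk /usr/local/bin/ldapsearch"

# links_ldap: read ldd(1) output on stdin; succeed if any line references
# libldap or liblber (any 2.x version suffix, with or without the _r variant).
links_ldap() {
    grep -Eq 'lib(ldap|lber)(_r)?-[0-9]+\.[0-9]+\.so'
}

# ldap_dependents PATH...: print each existing executable among the
# arguments that dynamically links the LDAP client libraries.
ldap_dependents() {
    for bin in "$@"; do
        [ -x "$bin" ] || continue            # not installed here: skip
        if ldd "$bin" 2>/dev/null | links_ldap; then
            printf '%s\n' "$bin"
        fi
    done
}

# have_root_shell: succeed only when this shell already runs as root.
# Hold one (via su(1)) before removing the client, because sudo may be
# on the dependents list and unusable until the new client is installed.
have_root_shell() {
    [ "$(id -u)" -eq 0 ]
}

# Run the scan only when asked, so the functions can be sourced on their own.
if [ "${1:-}" = "--scan" ]; then
    deps=$(ldap_dependents $CANDIDATES)      # unquoted on purpose: word-split
    if [ -n "$deps" ]; then
        echo "These binaries link libldap/liblber; stop their services first:"
        echo "$deps"
        case "$deps" in
            */sudo*) echo "sudo is affected: open a root shell with su(1) before 'make deinstall'." ;;
        esac
    else
        echo "No listed binary links the OpenLDAP client libraries."
    fi
    have_root_shell || echo "warning: not running as root; do the swap from a root shell."
fi
```

Run it as `sh ldap-preflight.sh --scan` from the root shell you intend to keep open for the whole swap. The scan only covers the paths you list, so add every LDAP-aware daemon the host runs; a binary it does not know about will still break, it just will not be on the report.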


[SOLVED] Re: Openldap server install failure - openldap client conflict

2008-04-16 Thread Da Rock

On Wed, 2008-04-16 at 11:44 +1000, Da Rock wrote:
> I sent this to ports but then reconsidered this- I thought ports was for
> ports errors, but a quick look back and it mostly seems to be just for
> testing. Anyway, I hope I rectified this sufficiently...
> 
> I'm trying to install OpenLDAP as a server to "attempt" to try it out
> for our network. The problem is the openldap client is already installed
> for other apps as php, apache, asterisk, etc. So my question is: is it
> possible to uninstall the client? Will the server include the client
> required for these other apps?
> 
> And while I'm here... I tried installing the odbc backend, but it
> conflicts with other apps as well. How can I have both the libiodbc and
> unixodbc at the same time for openldap server (requires libiodbc), php5,
> etc?
> 
> Cheers

For reference, my fears were unfounded- the ports guys did help me out,
it is in their jurisdiction.

Secondly, when installing the server the client options need to match.
Plus the versions need to match. I had the 2.3.38 client; the server was
2.3.40. Plus I had just the client; the server I was installing had SASL
support, so it was installing the sasl-ldap client.

In the process of my investigations and experiments I think I managed to
stuff some of my installed ports, but I will cross that bridge when I
get to it...



Openldap server install failure - openldap client conflict

2008-04-15 Thread Da Rock
I sent this to ports but then reconsidered this- I thought ports was for
ports errors, but a quick look back and it mostly seems to be just for
testing. Anyway, I hope I rectified this sufficiently...

I'm trying to install OpenLDAP as a server to "attempt" to try it out
for our network. The problem is the openldap client is already installed
for other apps as php, apache, asterisk, etc. So my question is: is it
possible to uninstall the client? Will the server include the client
required for these other apps?

And while I'm here... I tried installing the odbc backend, but it
conflicts with other apps as well. How can I have both the libiodbc and
unixodbc at the same time for openldap server (requires libiodbc), php5,
etc?

Cheers
