Date Created: Sat 09-Feb-2008

Get my WebSphere Application Server course here >> http://www.themiddlewareshop.com/products/


How to configure your own LDAP database for use with WebSphere.

This article is still a work in progress, and covers some of my experiences of getting OpenLDAP 2 working on Fedora 6.
Please read this article right through, as it is not a list of instructions; it is more a running log of the problems and experiences I had during my adventure into OpenLDAP, and how I resolved them. I will tidy it up into a full article once I feel I have covered all the configuration, set-up and tests needed to ensure OpenLDAP can work with WebSphere.

http://www.openldap.org/software/download/

Downloaded OpenLDAP-2.4.7

sftp to my Linux box

[root@websphere openldap]# gunzip ./openldap-2.4.7.tgz
[root@websphere openldap]# tar -xvf ./openldap-2.4.7.tar

This creates a folder called openldap-2.4.7; the INSTALL file inside it gives the build steps:

[root@websphere openldap-2.4.7]# cat INSTALL
Making and Installing the OpenLDAP Distribution
===============================================

This file provides brief instructions on how to build and install
OpenLDAP on UNIX (and UNIX-like) system. More detailed information
and instructions can be found in The OpenLDAP Administrator's Guide
(available from http://www.openldap.org/doc/).

It is recommended that you read, or at least skim through, ALL of the
instructions in this file before attempting to build the software.

It is also recommended you review the Frequently Asked Questions
(http://www.openldap.org/faq/) pages, in particular the Installation
section (http://www.openldap.org/faq/index.cgi?file=8) and Platform
Hints (http://www.openldap.org/faq/index.cgi?file=9) should be
examined.

Making and Installing the OpenLDAP Distribution
-----------------------------------------------

1. Unpack the distribution and change directory:

% tar xfz openldap-VERSION.tgz
% cd openldap-VERSION

(replacing VERSION with the appropriate version string). If you
are reading this file, you probably have already done this!

2. Type:

% ./configure --help

to list available configuration options.

Note also that the configure script uses environmental variables
for determining compiler/linker options including:

Variable   Description     Example
CC         C compiler      gcc
CFLAGS     C flags         -O -g
CPPFLAGS   cpp flags       -I/path/include -DFOO=42
LDFLAGS    ld flags        -L/usr/local/lib
LIBS       libraries       -llib
PATH       command path    /usr/local/bin:/usr/bin:/bin

See doc/install/configure for generic configure documentation.

3. Configure the build system:

% [env settings] ./configure [options]

If all goes well, the configure script will automatically detect
the appropriate settings. If the configure script fails, you
should read the config.log file that it generated to see what it
was trying to do and exactly what failed. You may need to specify
additional options and/or environment variables besides those
listed above to obtain desired results, depending on your operating
system. The Platform Hints section of the FAQ provides help for
operating system related problems.

4. Build dependencies:

% make depend

5. Build the system:

% make

If all goes well, the system will build as configured. If not,
return to step 3 after reviewing the configuration settings. You
may want to consult the Platform Hints subsection of the FAQ if
you have not done so already.

6. Test the standalone system:

This step requires the standalone LDAP server, slapd(8), with
BDB or HDB support.

% make test

If all goes well, the system has been built as configured. If
not, return to step 2 after reviewing your configuration
settings. You may want to consult the Installation section of
the FAQ if you have not done so already.

7. Install the software. You may need to become the super-user
(e.g. root) to do this (depending on where you are installing
things):

% su root -c 'make install'

8. That's it. Enjoy!

See the OpenLDAP Administrator's Guide and the manual pages for the
individual applications for configuration and use information. You may
also want to edit the configuration files used by the various
components. These configuration files are located in the OpenLDAP
configuration directory (normally /usr/local/etc/openldap).

ldap.conf         client defaults
slapd.conf        Standalone LDAP daemon
schema/*.schema   Schema Definitions

---
$OpenLDAP: pkg/openldap-guide/release/install.sdf,v 1.16 2002/02/18
17:09:26 kurt Exp $

This work is part of OpenLDAP Software <http://www.openldap.org/>.

Copyright 1998-2007 The OpenLDAP Foundation.
All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted only as authorized by the OpenLDAP
Public License.

A copy of this license is available in the file LICENSE in the
top-level directory of the distribution or, alternatively, at
<http://www.OpenLDAP.org/license.html>.

OpenLDAP is a registered trademark of the OpenLDAP Foundation.

-------------------------------------------------------------

If you do not set the environment correctly you will get:

[root@websphere openldap-2.4.7]# ./configure
Configuring OpenLDAP 2.4.7-Release ...
checking build system type... i686-pc-linux-gnu
checking host system type... i686-pc-linux-gnu
checking target system type... i686-pc-linux-gnu
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking configure arguments... done
checking for cc... no
checking for gcc... no
configure: error: Unable to locate cc(1) or suitable replacement. Check PATH or set CC.

Install gcc using yum

First we need to list what we need to install

[root@websphere openldap-2.4.7]# yum search gcc > gcc_search.txt

found gcc.i386

yum install gcc

[root@websphere openldap-2.4.7]# yum install gcc
Loading "installonlyn" plugin
Setting up Install Process
Setting up repositories
Reading repository metadata in from local files
Parsing package install arguments
Resolving Dependencies
--> Populating transaction set with selected packages. Please wait.
---> Downloading header for gcc to pack into transaction set.
gcc-4.1.2-13.fc6.i386.rpm 100% |=========================| 64 kB 00:00
---> Package gcc.i386 0:4.1.2-13.fc6 set to be updated
--> Running transaction check
--> Processing Dependency: libgomp.so.1 for package: gcc
--> Processing Dependency: libgomp = 4.1.2-13.fc6 for package: gcc
--> Processing Dependency: glibc-devel >= 2.2.90-12 for package: gcc
--> Restarting Dependency Resolution with new changes.
--> Populating transaction set with selected packages. Please wait.
---> Downloading header for libgomp to pack into transaction set.
libgomp-4.1.2-13.fc6.i386 100% |=========================| 54 kB 00:00
---> Package libgomp.i386 0:4.1.2-13.fc6 set to be updated
---> Downloading header for glibc-devel to pack into transaction set.
glibc-devel-2.5-18.fc6.i3 100% |=========================| 108 kB 00:00
---> Package glibc-devel.i386 0:2.5-18.fc6 set to be updated
--> Running transaction check
--> Processing Dependency: glibc-headers for package: glibc-devel
--> Processing Dependency: glibc-headers = 2.5-18.fc6 for package: glibc-devel
--> Restarting Dependency Resolution with new changes.
--> Populating transaction set with selected packages. Please wait.
---> Downloading header for glibc-headers to pack into transaction set.
glibc-headers-2.5-18.fc6. 100% |=========================| 142 kB 00:00
---> Package glibc-headers.i386 0:2.5-18.fc6 set to be updated
--> Running transaction check

Dependencies Resolved

=============================================================================
 Package          Arch    Version         Repository    Size
=============================================================================
Installing:
 gcc              i386    4.1.2-13.fc6    updates       5.2 M
Installing for dependencies:
 glibc-devel      i386    2.5-18.fc6      updates       2.0 M
 glibc-headers    i386    2.5-18.fc6      updates       608 k
 libgomp          i386    4.1.2-13.fc6    updates        75 k

Transaction Summary
=============================================================================
Install      4 Package(s)
Update       0 Package(s)
Remove       0 Package(s)

Total download size: 7.9 M
Is this ok [y/N]:

--------------------------------------------------------------------------------------------------------------------------------------------------------------
Description of libraries:

libgomp
This package contains GCC shared support library which is needed for OpenMP 2.5 support
glibc-devel
These libraries are needed to develop programs which use the standard C library

glibc-headers
The glibc-headers package contains the header files necessary for developing programs which use the standard C libraries (which are used by nearly all programs). If you are developing programs which will use the standard C libraries, your system needs to have these standard header files available in order to create the executables. Install glibc-headers if you are going to develop programs which will use the standard C libraries.

Test gcc:

[root@websphere openldap-2.4.7]# gcc -v
Using built-in specs.
Target: i386-redhat-linux
Configured with: ../configure --prefix=/usr --mandir=/usr/share/man --infodir=/usr/share/info --enable-shared --enable-threads=posix --enable-checking=release --with-system-zlib --enable-__cxa_atexit --disable-libunwind-exceptions --enable-libgcj-multifile --enable-languages=c,c++,objc,obj-c++,java,fortran,ada --enable-java-awt=gtk --disable-dssi --enable-plugin --with-java-home=/usr/lib/jvm/java-1.4.2-gcj-1.4.2.0/jre --with-cpu=generic --host=i386-redhat-linux
Thread model: posix
gcc version 4.1.2 20070626 (Red Hat 4.1.2-13)
[root@websphere openldap-2.4.7]#


run ./configure

configure: WARNING: Could not locate TLS/SSL package
configure: WARNING: TLS data protection not supported!
configure: error: BDB/HDB: BerkeleyDB not available

[root@websphere openldap-2.4.7]# yum search BerkeleyDB

BerkeleyDB is a module that allows Perl programs to make use of the
facilities provided by Berkeley DB. Berkeley DB is a C library that
provides a consistent interface to a number of database formats.
BerkeleyDB provides an interface to all four of the database types
(hash, btree, queue and recno) currently supported by Berkeley DB.
http://search.cpan.org/dist/BerkeleyDB/

yum install perl-BerkeleyDB

---------------------------------------------------------------------

Didn't help, so I did some searching and found that Sleepycat now seems to be owned by Oracle?

The OpenLDAP team strongly recommends using Sleepycat Software's Berkeley DB as the data storage mechanism for an OpenLDAP deployment

http://www.oracle.com/technology/software/products/berkeley-db/index.html

Berkeley DB 4.6.21NC.tar.gz , without encryption (11.3M)

----------------------------------------------------------------------

I did a yum search and found that OpenLDAP was already installed on my Fedora 6 VMware appliance. So a lesson for beginners: first try yum search <packagename>, e.g.

# yum search OpenLDAP

---------------------------------------------------------------------

I then went to the OpenLDAP site to read the admin guide.

[root@websphere apps]# find / -name openldap
/usr/share/openldap
/etc/openldap


-----------------------------------------------------------------
Verify we have installed all the good bits for OpenLDAP
yum -y install openldap openldap-clients openldap-devel openldap-servers

Edit ldap.conf
nano /etc/openldap/ldap.conf

#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE dc=example, dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666

HOST websphere.fedora6.com
BASE dc=websphere,dc=fedora6,dc=com

#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never

--------------------------------------------------------------------------------

Edit database definitions

nano /etc/openldap/slapd.conf


#######################################################################
# ldbm and/or bdb database definitions
#######################################################################

database bdb
suffix "dc=websphere,dc=fedora6,dc=com"
rootdn "cn=manager,dc=websphere,dc=fedora6,dc=com"


Create an OpenLDAP password hash

run

slappasswd

[root@websphere apps]# slappasswd
New password:
Re-enter new password:

{SSHA}NqTKLWabmCrnxmI9XanpyTMtKPG50wIg

Add the password hash to slapd.conf as the rootpw

nano /etc/openldap/slapd.conf

database bdb
suffix "dc=websphere,dc=fedora6,dc=com"
rootdn "cn=manager,dc=websphere,dc=fedora6,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw secret
rootpw {SSHA}4hW31Tak3SKp/84TD3C5Mzzx27SEnMzn
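To see what slappasswd produced above, here is an added example of mine (not OpenLDAP code) that builds and verifies a {SSHA} value the way slapd checks a rootdn bind, and scans a slapd.conf fragment for the cleartext rootpw the stock file warns against. The slapd.conf text is constructed for the example; the 4-byte salt length is slappasswd's default.

```python
import base64
import hashlib
import hmac
import os

# slappasswd's default {SSHA} salt; 20-byte SHA-1 + 4-byte salt = 32 base64 chars, matching the
# length of the hash shown above. SSHA is salted SHA-1: fine for this era, newer slapd releases
# offer stronger schemes, but the point here is the format slapd.conf expects.
SALT_SIZE = 4


def ssha_hash(password, salt=None):
    """Build a slappasswd-style value: '{SSHA}' + base64(SHA1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(SALT_SIZE)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check a bind password against a stored {SSHA} value: recover the salt, re-hash, compare."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digests are 20 bytes; whatever follows is the salt
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)  # constant-time, so timing does not leak a match


def audit_rootpw(slapd_conf):
    """Return (line number, message) for every rootpw that is not a {SCHEME}-prefixed hash."""
    findings = []
    for lineno, line in enumerate(slapd_conf.splitlines(), 1):
        stripped = line.strip()
        if not stripped.startswith("rootpw"):  # comments such as '# rootpw secret' start with '#'
            continue
        value = stripped[len("rootpw"):].strip().strip('"')
        if not value.startswith("{"):
            findings.append((lineno, "rootpw is cleartext; replace it with slappasswd output"))
    return findings


# Constructed slapd.conf fragment with the cleartext rootpw the stock file warns against.
SAMPLE_CONF = """database bdb
suffix "dc=websphere,dc=fedora6,dc=com"
rootdn "cn=manager,dc=websphere,dc=fedora6,dc=com"
# rootpw secret
rootpw secret
"""

if __name__ == "__main__":
    hashed = ssha_hash("secret")
    print(hashed, ssha_verify("secret", hashed), ssha_verify("Secret", hashed))
    print(audit_rootpw(SAMPLE_CONF))
```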

Now we have to create a file in the /root folder called fedora6.ldif

nano /root/fedora6.ldif

dn: dc=websphere,dc=fedora6,dc=com
objectclass: dcobject
objectClass: organization
o: WebSphere Tools
dc: WebSphere

Finally we just run this command to add your root account in LDAP:

/usr/bin/ldapadd -x -D 'uid=root,dc=websphere,dc=fedora6,dc=com' -W -f /root/fedora6.ldif

[root@websphere ~]# /usr/bin/ldapadd -x -D 'uid=root,dc=websphere,dc=fedora6,dc=com' -W -f /root/fedora6.ldif
Enter LDAP Password:
ldap_bind: Can't contact LDAP server (-1)


If there is an error like this:

ldap_bind: Can't contact LDAP server (-1)

don't panic and keep smiling, just edit your /etc/hosts.allow and add:

nano /etc/hosts.allow

localhost
127.0.0.1

Check ldap status:

[root@websphere ~]# service ldap status
slapd is stopped

move the sample DB_CONFIG to /var/lib/ldap
mv /etc/openldap/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

service ldap start

[root@websphere ~]# service ldap start
Checking configuration files for slapd: slaptest: bad configuration file!
[FAILED]

The problem was that I had accidentally typed two commas (,,) in my slapd.conf file.

[root@websphere ~]# service ldap start
Checking configuration files for slapd: config file testing succeeded
[ OK ]
Starting slapd: [ OK ]
-------------------------------------------------------------------------------------

Add a new user

fedora6.ldif

[root@websphere ~]# /usr/bin/ldapadd -x -D 'uid=root,dc=websphere,dc=fedora6,dc=com' -W -f /root/fedora6.ldif
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
[root@websphere ~]#


I was binding as root, but I had declared manager as the rootdn in my /etc/openldap/slapd.conf file.

I edited the /etc/openldap/slapd.conf line

rootdn "cn=manager,dc=websphere,dc=fedora6,dc=com"

and changed to:

rootdn "uid=root,dc=websphere,dc=fedora6,dc=com"

Note: Another thing is that there are several different ways to name a user entry, either by uid or by cn. I have found during my use of WebSphere global security configurations on client sites that Tivoli and Active Directory differ by default. I suspect there are different standards?


---------------------------------------------------


If you still get errors, double check that you have indeed moved the sample database config to /var/lib/ldap, and that slapd.conf points at that directory:

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap

I restarted LDAP service again

[root@websphere ~]# service ldap stop
[root@websphere ~]# service ldap start




----------------------------------

If OpenLDAP still doesn't run, it could be that another process is listening on port 389.

Test by running slapd in the foreground with full debugging output:

slapd -d -1


---------------------------------------------------



Success:

[root@websphere ~]# /usr/bin/ldapadd -x -D 'uid=root,dc=websphere,dc=fedora6,dc=com' -W -f /root/fedora6.ldif
Enter LDAP Password:
adding new entry "dc=websphere,dc=fedora6,dc=com"

----------------------------------------------------




A good test to see if LDAP is running is to type

ps -ef | grep slap

Result:

[root@websphere ~]# ps -ef | grep slap
ldap     29160     1  0 15:42 ?        00:00:00 /usr/sbin/slapd -h ldap:/// -u ldap

or

[root@websphere ~]# ldapsearch x

Result:

SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-13): user not found: no secret in database


Try adding -x to your ldapsearch command to use simple authentication
instead of SASL, i.e;

ldapsearch -x -D "uid=root,dc=websphere,dc=fedora,,dc=com" -W

-x = Use simple authentication instead of SASL.
-D = binddn
     Use the Distinguished Name binddn to bind to the LDAP directory.
-W = Prompt for simple authentication. This is used instead of specifying the password on the command line.


ldap_bind: Invalid DN syntax (34)
additional info: invalid DN

This was due to the above line having an extra comma

ldapsearch -x -D "uid=root,dc=websphere,dc=fedora,dc=com" -W

Result:

ldap_bind: Invalid credentials (49)

The bind DN was still wrong: it had dc=fedora where the suffix is dc=fedora6. With the correct DN:

[root@websphere ~]# ldapsearch -x -D "uid=root,dc=websphere,dc=fedora6,dc=com" -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# websphere.fedora6.com
dn: dc=websphere,dc=fedora6,dc=com
objectClass: dcObject
objectClass: organization
o: WebSphere Tools
dc: WebSphere

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

-----------------------------------------------------------------------------------------

[root@websphere ~]# /usr/bin/ldapmodify -x -D 'uid=root,dc=websphere,dc=fedora6,dc=com' -W -f /root/fedora6.ldif
Enter LDAP Password:
modifying entry "dc=websphere,dc=fedora6,dc=com"

Result:

[root@websphere ~]# ldapsearch -x -D "uid=root,dc=websphere,dc=fedora6,dc=com" -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# websphere.fedora6.com
dn: dc=websphere,dc=fedora6,dc=com
objectClass: dcObject
objectClass: organization
o: WebSphere Tools
dc: websphere

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
------------------------------------------------------------------------------------------

[root@websphere ~]# ldapsearch -D "uid=root,dc=websphere,dc=fedora6,dc=com" -LLL "(dc=websphere)-x -W

That first attempt has an unmatched quote after the filter, so it never ran as intended. Corrected, and requesting only the dc attribute:
[root@websphere ~]# ldapsearch -D "uid=root,dc=websphere,dc=fedora6,dc=com" -LLL "(dc=websphere)" dc -x -W
Enter LDAP Password:
dn: dc=websphere,dc=fedora6,dc=com
dc: websphere

------------------------------------------------------------------------------------------

ldapuser.txt

[root@websphere ~]# ldapadd -W -D 'uid=root,dc=websphere,dc=fedora6,dc=com' -f ./ldapuser.txt
Enter LDAP Password:
SASL/DIGEST-MD5 authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-13): user not found: no secret in database


[root@websphere ~]# ldapadd -W -D 'uid=root,dc=websphere,dc=fedora6,dc=com' -f ./ldapuser.txt -x
Enter LDAP Password:
adding new entry "cn=steve robinson, dc=websphere, dc=fedora6, dc=com"
ldap_add: Object class violation (65)
additional info: attribute 'title' not allowed

------------------------------------------------------------------------------------------


[root@websphere ~]# ldapsearch -h localhost -p 389 -x -b "" -s base -LLL supportedSASLMechanisms
dn:
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: DIGEST-MD5


------------------------------------------------------------------------------------------

l= Location
ou= Organisational Unit
o= Organisation
dc= Domain Component
st= State
c= Country


------------------------------------------------------------------------------------------

More searching:

[root@websphere ~]# ldapsearch -x -b 'dc=websphere,dc=fedora6,dc=com' 'objectclass=*'
# extended LDIF
#
# LDAPv3
# base <dc=websphere,dc=fedora6,dc=com> with scope subtree
# filter: objectclass=*
# requesting: ALL
#

# websphere.fedora6.com
dn: dc=websphere,dc=fedora6,dc=com
objectClass: dcObject
objectClass: organization
o: WebSphere Tools
dc: websphere

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1



-----------------------------------------------------------------------------------------

default.ldif
dn: dc=websphere,dc=fedora6,dc=com
dc: websphere
objectClass: top
objectClass: organization
o: WebSphere Tools
description: Top level LDAP for webSphere.fedora6.com

dn: ou=Group,dc=websphere,dc=fedora6,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit

dn: ou=People,dc=websphere,dc=fedora6,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Services,dc=websphere,dc=fedora6,dc=com
ou: Services
objectClass: top
objectClass: organizationalUnit


[root@websphere ~]# ldapadd -W -D 'uid=root,dc=websphere,dc=fedora6,dc=com' -f ./default.ldif -x
Enter LDAP Password:
adding new entry "dc=websphere,dc=fedora6,dc=com"
ldap_add: Object class violation (65)
additional info: attribute 'dc' not allowed

Remove the dc: websphere line

default.ldif
dn: dc=websphere,dc=fedora6,dc=com
objectClass: top
objectClass: organization
o: WebSphere Tools
description: Top level LDAP for webSphere.fedora6.com

dn: ou=Group,dc=websphere,dc=fedora6,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit

dn: ou=People,dc=websphere,dc=fedora6,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Services,dc=websphere,dc=fedora6,dc=com
ou: Services
objectClass: top
objectClass: organizationalUnit



[root@websphere ~]# ldapadd -W -D 'uid=root,dc=websphere,dc=fedora6,dc=com' -f ./default.ldif -x
Enter LDAP Password:
adding new entry "dc=websphere,dc=fedora6,dc=com"
ldap_add: Naming violation (64)
additional info: naming attribute 'dc' is not present in entry
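The two ldapadd rejections above (attribute 'dc' not allowed, then naming attribute 'dc' is not present) and the earlier Invalid DN syntax from the double comma can all be caught before talking to slapd. This is an added example of mine, not OpenLDAP code: the SCHEMA table is a hand-written subset of core.schema, the sample LDIF is constructed from the article's default.ldif, and the check also covers person/organizationalPerson, where a 'title' attribute is or is not permitted.

```python
# Hand-written subset of core.schema: objectClass -> (superior, MUST, MAY). Names are lower-cased
# because LDAP matches them case-insensitively; dcObject is the auxiliary class that permits dc.
SCHEMA = {
    "top": (None, {"objectclass"}, set()),
    "dcobject": ("top", {"dc"}, set()),
    "organization": ("top", {"o"}, {"description", "l", "st", "street", "telephonenumber"}),
    "organizationalunit": ("top", {"ou"}, {"description", "l", "st", "street", "telephonenumber"}),
    "person": ("top", {"sn", "cn"}, {"userpassword", "telephonenumber", "seealso", "description"}),
    "organizationalperson": ("person", set(), {"title", "ou", "l", "st", "street", "telephonenumber"}),
}


def parse_dn(dn):
    """Split a DN into (attr, value) RDNs; an empty component such as ',,' is rejected."""
    rdns = []
    for part in dn.split(","):  # escaped commas and multi-valued RDNs are not handled
        attr, sep, value = part.strip().partition("=")
        if not sep or not attr.strip():
            raise ValueError("Invalid DN syntax (34): invalid DN")
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns


def parse_ldif(text):
    """Split LDIF into blank-line separated records, each a dict attr -> [values]."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        records.append(current)
    return records


def allowed_attributes(classes):
    """Union of MUST and MAY over the listed classes and all their superiors."""
    must, may = set(), set()
    for cls in classes:
        name = cls.lower()
        while name:
            if name not in SCHEMA:
                raise ValueError("unknown objectClass %r; extend SCHEMA" % cls)
            name, m, o = SCHEMA[name]  # walk up to the superior class
            must, may = must | m, may | o
    return must, may


def check_entry(entry):
    """Return slapd-style error strings for one record; an empty list means it would load."""
    try:
        rdns = parse_dn(entry.get("dn", [""])[0])
    except ValueError as exc:
        return [str(exc)]
    must, may = allowed_attributes(entry.get("objectclass", []))
    present = set(entry) - {"dn"}
    errors = ["Object class violation (65): attribute '%s' not allowed" % a for a in sorted(present - must - may)]
    errors += ["Object class violation (65): missing required attribute '%s'" % a for a in sorted(must - present)]
    if rdns[0][0] not in present:  # the RDN attribute must appear as an attribute of the entry
        errors.append("Naming violation (64): naming attribute '%s' is not present in entry" % rdns[0][0])
    return errors


# Constructed sample: the article's default.ldif top entry (top + organization, with dc), and the
# same entry with dcObject added so that dc is permitted and the naming attribute can stay.
BROKEN_LDIF = """dn: dc=websphere,dc=fedora6,dc=com
dc: websphere
objectClass: top
objectClass: organization
o: WebSphere Tools
description: Top level LDAP for webSphere.fedora6.com
"""
FIXED_LDIF = BROKEN_LDIF.replace("objectClass: top\nobjectClass: organization\n",
                                 "objectClass: top\nobjectClass: dcObject\nobjectClass: organization\n", 1)
```

Running check_entry over parse_ldif(BROKEN_LDIF) reproduces the first error, dropping the dc line reproduces the second, and FIXED_LDIF passes.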



-----------------------------------------------------------------------------------------

Command line for ldapsearch
http://www.openldap.org/software/man.cgi?query=ldapsearch&apropos=0&sektion=0&manpath=OpenLDAP+2.0-Release&format=html

----------------------------------------------------------------------------------------

Exporting my LDAP database as an LDIF file:

[root@websphere ~]# slapcat -f slapd.conf -b "dc=example,dc=com"
could not stat config file "slapd.conf": No such file or directory (2)
slapcat: bad configuration file!
[root@websphere ~]# slapcat -f /etc/openldap/slapd.conf -b "dc=websphere,dc=fedora6,dc=com"
dn: dc=websphere,dc=fedora6,dc=com
structuralObjectClass: organization
entryUUID: 6b4be7c6-6b71-102c-97f8-b5d1a82527f0
creatorsName: uid=root,dc=websphere,dc=fedora6,dc=com
createTimestamp: 20080209154252Z
objectClass: dcObject
objectClass: organization
o: WebSphere Tools
dc: websphere
entryCSN: 20080209161949Z#000000#00#000000
modifiersName: uid=root,dc=websphere,dc=fedora6,dc=com
modifyTimestamp: 20080209161949Z

[root@websphere ~]# slapcat -f /etc/openldap/slapd.conf -b "dc=websphere,dc=fedora6,dc=com" > export.ldif


---------------------------------------------------------------------------------------

Some useful commands I used to start and stop services:

Check if a service is running:
service servicename status

Starting a service:
service servicename start

Stopping a service:
service servicename stop

------------------------------------------------------------------------------------------

References:
http://www.ibm.com/developerworks/library/l-openldap/index.html
http://gentoo-wiki.com/HOWTO_LDAPv3
http://www.bayour.com/LDAPv3-HOWTO.html#4.5.4.2.Testing%20OpenLDAP,%20simple/anonymous%20bind,%20with%20SSL/TLS|outline

Steve Robinson - IBM Champion 2013
