Tuesday, January 24, 2012

How to Set Up LDAP (OpenLDAP) in a Windows Development Environment

There are times when programmers are asked to connect to a Microsoft Active Directory or OpenLDAP server for authentication, so that every application shares the same user directory (LDAP) and the system administrator manages users from one place only.


This tutorial is intended for programmers who want to install an OpenLDAP server on their own machine, to grasp the essence of LDAP and to learn how to actually connect to one. It took me about 15 articles to piece this together, so I thought I'd share it.


This tutorial is not intended for system administrators: almost every step uses the installer's default settings, including the default root DN and its password, so what you end up with is a development box, not a hardened directory.

There you have it, you've been warned.


And here are the steps:
  • Install OpenLDAP for Windows from http://www.userbooster.de/en/download/openldap-for-windows.aspx and follow its installation instructions. Install it in "C:\App\OpenLDAP".
  • Accept all the defaults. Use BDB (Berkeley DB) as the backend engine.
  • Your LDAP server is now running. To see the service, open Windows Services and look for "OpenLDAP Service". If you don't want it to start automatically every time Windows restarts, change the startup type to Manual in the Properties dialog.
  • Next, install LDAP Explorer Tool from http://ldaptool.sourceforge.net/ and try to connect to your LDAP server with these settings:
    • Server Name or IP : your computer name or IP address
    • LDAP Port : 389 ; check the "use default" checkbox
    • LDAP SSL Port : 636 ; check the "use default" checkbox
    • Version : 3 (LDAP v3)
    • User DN : cn=Manager,dc=maxcrc,dc=com ; uncheck anonymous login
    • Password : secret
    • Base DN : just click the "Guess Value" button
    • For everything else, accept the default value
    • Click "Test Connection". After saving the configuration, click Open.
  • Those credentials are the installer's defaults: cn=Manager,dc=maxcrc,dc=com is the directory's root DN, which is not subject to any access control, and "secret" is its password. Anything that can reach port 389 on your machine can bind with them, so keep this box on a private network, or change the rootpw setting in the server's slapd.conf before exposing it. Port 389 is also plain LDAP: the bind password crosses the network in cleartext unless you use the SSL port (636) or StartTLS.
  • It should open an empty LDAP directory. Next we will add some actual entries.
  • Create a file in C:\App\OpenLDAP\ldifdata and name it step1.ldif. A few LDIF rules matter here: lines starting with # are comments, entries are separated by exactly one blank line, a blank line right after a dn: line ends that entry before it has any attributes (ldapmodify then fails with "no attributes provided"), and a line that begins with a space is a continuation of the previous line, so do not indent anything. The contents are:

## DEFINE DIT ROOT/BASE/SUFFIX ####
## uses RFC 2377 format
## replace maxcrc and com as necessary below
## or for experimentation leave as is

## dcObject is an AUXILIARY objectclass and MUST
## have a STRUCTURAL objectclass (organization in this case)
# this is an ENTRY sequence and is preceded by a BLANK line

dn: dc=maxcrc,dc=com
dc: maxcrc
description: My wonderful company as much text as you want to place
objectClass: dcObject
objectClass: organization
o: Maxcrc, Inc.

## FIRST Level hierarchy - people 
## uses mixed upper and lower case for objectclass
# this is an ENTRY sequence and is preceded by a BLANK line

dn: ou=people, dc=maxcrc,dc=com
ou: people
description: All people in organisation
objectclass: organizationalunit

## SECOND Level hierarchy
## ADD a single entry under FIRST (people) level
# this is an ENTRY sequence and is preceded by a BLANK line
# the ou: Human Resources is the department name

dn: cn=Robert Smith,ou=people,dc=maxcrc,dc=com
objectclass: inetOrgPerson
cn: Robert Smith
cn: Robert J Smith
cn: bob smith
sn: smith
uid: rjsmith
userpassword: rJsmitH
carlicense: HISCAR 123
homephone: 555-111-2222
mail: r.smith@example.com
mail: rsmith@example.com
mail: bob.smith@example.com
description: swell guy
ou: Human Resources

  • Save the file, open a command prompt and run these commands:
    • cd C:\App\OpenLDAP\ClientTools
    • ldapmodify.exe -a -x -h localhost -p 389 -D "cn=Manager,dc=maxcrc,dc=com" -W -f C:\App\OpenLDAP\ldifdata\step1.ldif
  • Here -a adds entries (the same as ldapadd), -x selects simple bind and -W prompts for the bind password, which keeps it out of your command history; "-w secret" on the command line works too. Two things trip people up in the comments below: the path after -f must be where you actually saved the file (a wrong drive letter, or Windows hiding a .txt extension so the file is really step1.ldif.txt, gives "No such file or directory"), and running the command a second time gives "ldap_add: Already exists (68)", which only means the entries are already in the directory.
  • In LDAP Explorer Tool, select File -> Open last configuration, and you will find the LDAP directory is no longer empty.
  • Next, let's add some data of our own to the directory. Create a file in C:\App\OpenLDAP\ldifdata and name it samz.ldif. The contents:
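Note what just went into the directory: the userpassword line in step1.ldif is stored exactly as written, in cleartext, because slapd keeps whatever value the LDIF gives it and nothing in the default configuration hashes it. The supported fix is to run the slappasswd tool that ships with OpenLDAP and paste its {SSHA} output into the LDIF instead of the cleartext. The following Python example is added here and is not code from the original post or from OpenLDAP: it reproduces what slappasswd does for the {SSHA} scheme, verifies a password against such a stored value, and renders an LDIF entry with the password hashed so it can be fed to ldapmodify. The names ssha_hash, ssha_verify and ldif_entry are my own.

```python
"""Hash a userPassword the way OpenLDAP's slappasswd does ({SSHA}) and verify
a password against the stored value.

Added example, not part of the original tutorial or of OpenLDAP. {SSHA} is
base64( SHA-1(password || salt) || salt ); slappasswd uses a 4-byte salt by
default, and a verifier must take the salt from the stored value because other
tools use longer ones. ssha_hash, ssha_verify and ldif_entry are my names.
"""
import base64
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

SHA1_LEN = 20


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return an OpenLDAP-style '{SSHA}...' value for password."""
    if salt is None:
        salt = os.urandom(4)                    # slappasswd's default salt size
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check password against a '{SSHA}' value; the salt is whatever follows
    the 20-byte digest in the decoded blob."""
    if not stored.startswith("{SSHA}"):
        return False
    blob = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = blob[:SHA1_LEN], blob[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def ldif_entry(dn: str, attrs: List[Tuple[str, str]],
               salt: Optional[bytes] = None) -> str:
    """Render one LDIF entry, hashing any cleartext userPassword on the way.
    A value that already carries a {scheme} prefix is left alone."""
    lines = [f"dn: {dn}"]
    for name, value in attrs:
        if name.lower() == "userpassword" and not value.startswith("{"):
            value = ssha_hash(value, salt)
        lines.append(f"{name}: {value}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Robert Smith from step1.ldif, with the password hashed instead of cleartext
    print(ldif_entry("cn=Robert Smith,ou=people,dc=maxcrc,dc=com", [
        ("objectClass", "inetOrgPerson"),
        ("cn", "Robert Smith"),
        ("sn", "smith"),
        ("uid", "rjsmith"),
        ("userPassword", "rJsmitH"),
    ]))
```

slapd honours the {SSHA} prefix on simple bind, so an entry rendered this way authenticates with the original password while the directory (and any backup of its BDB files) never holds the cleartext. SHA-1 is what slappasswd emits by default on an install of this vintage; it is fine for a development box, and the verifier above works unchanged for the longer salts other tools use.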


## SECOND Level hierarchy
## ADD a single entry under FIRST (people) level
# this is an ENTRY sequence and is preceded by a BLANK line
# the ou: Human Resources is the department name

dn: cn=Panji Pratomo,ou=people,dc=maxcrc,dc=com
objectclass: inetOrgPerson
cn: Panji Pratomo
cn: P Pratomo
cn: Panji P
sn: panji
uid: ppratomo
userpassword: SomePassword
carlicense: HISCAR 123
homephone: 555-111-2222
mail: panji.pratomo555@gmail.com
mail: panji.pratomo555@mysamz.com
mail: panji_pratomo555@yahoo.com
description: football maniac
ou: SOA

dn: cn=Fahmi Satrio,ou=people,dc=maxcrc,dc=com
objectclass: inetOrgPerson
cn: Fahmi Satrio
cn: F Satrio
cn: Mi
sn: fahmi
uid: fsatrio
userpassword: SomePassword
carlicense: HISCAR 123
homephone: 555-111-2222
mail: f.satrio222@gmail.com
mail: f.satrio222@mysamz.com
mail: guest108222@fif.co.id
description: tukang ngulik ga jelas
ou: SOA
  • Save the file, open a command prompt and run these commands:
    • cd C:\App\OpenLDAP\ClientTools
    • ldapmodify.exe -a -x -h localhost -p 389 -D "cn=Manager,dc=maxcrc,dc=com" -W -f C:\App\OpenLDAP\ldifdata\samz.ldif
  • In LDAP Explorer Tool, select File -> Open last configuration again; the two new entries now appear under ou=people.
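The two ldapmodify runs above fail in exactly two ways in the comments on this post: "Protocol error (2): no attributes provided" when a blank line separates the dn: line from its attributes, and a silent merge of indented lines into the line above them. The following Python checker is an added example, not code from the original post or from OpenLDAP; it parses an LDIF file into entries with the rules from RFC 2849 and reports both mistakes, plus an entry with no objectClass, before you hand the file to ldapmodify. The two sample files are constructed for the test and only mimic the shape of step1.ldif and samz.ldif.

```python
"""Check an LDIF file for the mistakes that make ldapmodify reject it.

Added example, not part of the original tutorial. It applies the LDIF rules
from RFC 2849 that the tutorial's files depend on: an entry is a dn: line
followed by attribute lines with no blank line in between, exactly one blank
line separates entries, '#' starts a comment, and a line that begins with a
space continues the previous line (so an indented attribute silently becomes
part of the line above it). The sample inputs below are constructed.
"""
import base64
import re
from typing import List, Tuple

Entry = Tuple[str, List[Tuple[str, str]]]
ATTR_LINE = re.compile(r"^[A-Za-z][\w.;-]*:")


def parse_ldif(text: str) -> Tuple[List[Entry], List[str]]:
    """Return (entries, problems); each entry is (dn, [(attr, value), ...])."""
    problems: List[str] = []
    # Unfold continuation lines first, keeping the physical line number of
    # the line each logical line started on.
    logical: List[Tuple[int, str]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if raw.startswith(" ") and logical:
            if ATTR_LINE.match(raw[1:]):
                problems.append(f"line {lineno}: indented '{raw.strip()}' is folded "
                                f"into line {logical[-1][0]}; remove the leading space")
            logical[-1] = (logical[-1][0], logical[-1][1] + raw[1:])
        else:
            logical.append((lineno, raw))

    entries: List[Entry] = []
    dn = None
    attrs: List[Tuple[str, str]] = []

    def flush() -> None:
        nonlocal dn, attrs
        if dn is None:
            return
        if not attrs:
            # slapd reports this as 'Protocol error (2): no attributes provided'
            problems.append(f'entry "{dn}" has a dn but no attributes '
                            "(blank line right after the dn: line?)")
        elif not any(a.lower() == "objectclass" for a, _ in attrs):
            problems.append(f'entry "{dn}" has no objectClass')
        entries.append((dn, attrs))
        dn, attrs = None, []

    for lineno, line in logical:
        if line.startswith("#"):
            continue
        if line.strip() == "":
            flush()
            continue
        if ":" not in line:
            problems.append(f"line {lineno}: not an 'attr: value' line: {line!r}")
            continue
        name, value = line.split(":", 1)
        if value.startswith(":"):          # 'attr:: base64' form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name.lower() == "dn":
            if dn is not None:
                problems.append(f'line {lineno}: dn "{value}" starts before a blank line ended "{dn}"')
                flush()
            dn = value
        elif dn is None:
            problems.append(f"line {lineno}: attribute {name!r} appears before any dn:")
        else:
            attrs.append((name, value))
    flush()
    return entries, problems


# Constructed sample in the shape of step1.ldif, including a legitimately folded value.
GOOD_LDIF = """\
## DEFINE DIT ROOT/BASE/SUFFIX ####
dn: dc=maxcrc,dc=com
dc: maxcrc
objectClass: dcObject
objectClass: organization
o: Maxcrc, Inc.

dn: ou=people,dc=maxcrc,dc=com
ou: people
objectclass: organizationalunit

dn: cn=Robert Smith,ou=people,dc=maxcrc,dc=com
objectclass: inetOrgPerson
cn: Robert Smith
sn: smith
uid: rjsmith
description: a value long enough to be folded on
 to a second line, which LDIF allows
"""

# Constructed sample with the two mistakes from the comments: a blank line
# after the first dn:, and indented attribute lines under the second.
BROKEN_LDIF = """\
dn: dc=maxcrc,dc=com

dc: maxcrc
objectClass: dcObject

dn: cn=Robert Smith,ou=people,dc=maxcrc,dc=com
 objectclass: inetOrgPerson
 cn: Robert Smith
"""

if __name__ == "__main__":
    for label, text in (("good", GOOD_LDIF), ("broken", BROKEN_LDIF)):
        found, issues = parse_ldif(text)
        print(label, [dn for dn, _ in found], *issues, sep="\n  ")
```

Run it over C:\App\OpenLDAP\ldifdata\step1.ldif before calling ldapmodify; an empty problem list means the file at least has the structure slapd expects. The checker does not know the schema, so a misspelled attribute name or a missing MUST attribute still has to come back from the server.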



79 comments:

  1. Hi,
    I have already installed OpenLDAP and LdapAdmin.
    The first thing I want is to replace the "dc=manager,dc=maxrc,dc=com" credential with my own credential, because I want to import my data to another Linux LDAP server, and I think both servers' credentials should be the same. OK,
    so I've configured an LDAP on my Win7 PC, but there are no objects and attributes, so how do I create objects and attributes, and how do I import data from Linux LDAP to Windows LDAP? I am also trying to import data but there are a lot of errors, so please tell me the exact pattern to do it.

    Thanks

  2. One more thing: I am using the LDIF database.

  3. Thanks a lot, this was very helpful!

  4. When I am running ldapmodify.exe -a -x -h localhost -p 389 -D "cn=manager,dc=maxcrc,dc=com" -f d:\App\OpenLDAP\ldifdata\step1.ldif -w secret

    I am getting this message and my LDAP directory is still empty.

    adding new entry "dc=maxcrc,dc=com"
    ldap_add: Protocol error (2)
    additional info: no attributes provided

    Replies
    1. Issue: due to the newline between these two lines
      dn: dc=maxcrc,dc=com

      dc: maxcrc

      Remove the newline and try as follows
      dn: dc=maxcrc,dc=com
      dc: maxcrc

      Again you will get the "account already exists" error, so you need to add the user details alone in that LDIF file. Make sure no blank line is present in that file. For example, as below:

      dn: cn=Robert Smith,ou=people,dc=maxcrc,dc=com
      objectclass: inetOrgPerson
      cn: Robert Smith
      cn: Robert J Smith
      cn: bob smith
      sn: smith
      uid: rjsmith
      userpassword: rJsmitH
      carlicense: HISCAR 123
      homephone: 555-111-2222
      mail: r.smith@example.com
      mail: rsmith@example.com
      mail: bob.smith@example.com
      description: swell guy
      ou: Human Resources

      Thanks kukusan ji....

  5. Great tutorial!

    One thing to keep in mind: remove any spaces before each line. In any other case, it fails.

    Best regards,

    Fede

  6. Nice one. Thanks for making this whole process easier. BTW, I was getting an invalid DN error until I checked Anonymous login. Not sure why it is working for you and not for me.

    Anyhow, thanks much.

  7. Good one, thanks!

    How do I do authentication programmatically, so that it can be used in a program?

  9. Well, actually this is a big topic; it deserves an article of its own.

    Let us assume you want authentication for a website and you want it to use LDAP.
    Usually I start with a simple authentication (username and password already defined) using Spring Security.

    You can read the getting started page here: http://static.springsource.org/spring-security/site/start-here.html

    After I succeed in creating the simple example, I try to create an LDAP version of it by throwing the user and password at an LDAP server and waiting for its authentication result.

    You can see the reference in:
    - http://static.springsource.org/spring-security/site/docs/3.0.x/reference/ldap.html
    - http://static.springsource.org/spring-security/site/docs/3.1.x/reference/ldap.html

    An actual implementation of it:
    - https://github.com/SpringSource/spring-security/tree/9b423a7726e999b6c80e8c4a769a99dd634f56ce/samples/ldap

    These steps also assume that you've worked with Spring and the Spring context.

    Hope this helps.

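Comment 9 answers the "programmatic authentication" question in terms of Spring Security, which hides what actually happens when an application "throws the user and password at an LDAP server". The following Python example is added here and is not code from the original post, from Spring or from any LDAP library: it hand-encodes the LDAPv3 simple BindRequest for the tutorial's cn=Manager,dc=maxcrc,dc=com / secret credentials in BER, decodes the BindResponse, and can run the exchange against the server from this tutorial on localhost:389. The function names are my own; the constructed response bytes in the usage note are what a server returns for success (resultCode 0) and invalidCredentials (49).

```python
"""An LDAPv3 simple bind on the wire, hand-encoded in BER (RFC 4511, X.690).

Added example, not part of the original post or of any LDAP library. It builds
the BindRequest a client sends for the tutorial's cn=Manager / secret
credentials, decodes the BindResponse, and makes the point behind the SSL-port
setting visible: over plain port 389 the password is a cleartext OCTET STRING
in the first packet the client sends. Function names are my own.
"""
import socket
from typing import Dict, Tuple

SEQUENCE, INTEGER, OCTET_STRING, ENUMERATED = 0x30, 0x02, 0x04, 0x0A
APP_BIND_REQUEST = 0x60    # [APPLICATION 0], constructed
APP_BIND_RESPONSE = 0x61   # [APPLICATION 1], constructed
CTX_SIMPLE_AUTH = 0x80     # [0], primitive: AuthenticationChoice.simple


def ber_length(n: int) -> bytes:
    """Short form below 128; long form is 0x80|count followed by the bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + ber_length(len(content)) + content


def ber_integer(value: int) -> bytes:
    """Non-negative INTEGER; pads a leading 0x00 if the top bit would be set."""
    return tlv(INTEGER, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big"))


def bind_request(message_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple pw } }."""
    op = ber_integer(3) + tlv(OCTET_STRING, dn.encode()) \
        + tlv(CTX_SIMPLE_AUTH, password.encode())
    return tlv(SEQUENCE, ber_integer(message_id) + tlv(APP_BIND_REQUEST, op))


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode the TLV at buf[pos]; return (tag, content, offset after it)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:
        count = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(msg: bytes) -> Dict[str, object]:
    """Extract messageID, resultCode, matchedDN and diagnosticMessage, or raise."""
    tag, body, _ = read_tlv(msg, 0)
    if tag != SEQUENCE:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = read_tlv(body, 0)
    if tag != INTEGER:
        raise ValueError("missing messageID")
    tag, op, _ = read_tlv(body, pos)
    if tag != APP_BIND_RESPONSE:
        raise ValueError(f"expected BindResponse, got tag 0x{tag:02x}")
    tag, code, pos = read_tlv(op, 0)
    if tag != ENUMERATED:
        raise ValueError("missing resultCode")
    _, matched, pos = read_tlv(op, pos)
    _, diag, _ = read_tlv(op, pos)
    return {"messageID": int.from_bytes(mid, "big"),
            "resultCode": int.from_bytes(code, "big"),   # 0 success, 49 invalidCredentials
            "matchedDN": matched.decode(), "diagnosticMessage": diag.decode()}


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("server closed the connection")
        data += chunk
    return data


def read_message(sock: socket.socket) -> bytes:
    """Read one complete BER message: tag + length header, then the body."""
    head = _recv_exact(sock, 2)
    if head[1] & 0x80:
        head += _recv_exact(sock, head[1] & 0x7F)
        length = int.from_bytes(head[2:], "big")
    else:
        length = head[1]
    return head + _recv_exact(sock, length)


def simple_bind(host: str, port: int, dn: str, password: str) -> Dict[str, object]:
    """Bind against a live server, e.g. the tutorial's localhost:389."""
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(bind_request(1, dn, password))
        return parse_bind_response(read_message(sock))


if __name__ == "__main__":
    req = bind_request(1, "cn=Manager,dc=maxcrc,dc=com", "secret")
    print(req.hex(), "\npassword visible in cleartext:", b"secret" in req)
```

The request for the tutorial's credentials is 47 bytes and ends with `80 06 73 65 63 72 65 74`, the word "secret" as-is; that is the whole reason the LDAP SSL port (636) exists and why a framework such as Spring Security should be pointed at ldaps:// or told to StartTLS on anything other than localhost. A success response is `30 0c 02 01 01 61 07 0a 01 00 04 00 04 00`; a wrong password changes the resultCode byte to 0x31 (49). A real client would also send an UnbindRequest before closing, which is omitted here.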
  10. Really, it's a very large topic, but it's useful. Windows OpenLDAP is a lightweight data access protocol. It is helpful to look up information from a server.

  11. When I am issuing... ldapmodify.exe -a -x -h localhost -p 389 -D "cn=manager,dc=maxcrc,dc=com" -f d:\App\OpenLDAP\ldifdata\step1.ldif -w secret..
    I get the error: No such file or directory.
    But I have looked very carefully for the file, and it exists in the same path.
    What is the problem then? Can anyone help?

    Replies
    1. Double check the d:\App\OpenLDAP\ldifdata\step1.ldif -w secret.. part. For me, I had to change my directory to C:\

    2. I have the same problem. I checked it carefully but that command does not work:
      ldapmodify.exe -a -x -h localhost -p 389 -D "cn=manager,dc=maxcrc,dc=com" -f C:\OpenLDAP\ldifdata\step1.ldif -w secret..
      I get the same error: No such file or directory.... Please help

    3. Change the file extension from *.ldif.txt to *.ldif.

      http://windows.microsoft.com/en-in/windows/show-hide-file-name-extensions#show-hide-file-name-extensions=windows-7

      It will work now

    4. The full path should be 'c:\App\OpenLDAP\ldifdata\step1.ldif'

  12. Great information laid out concisely. Thank you!

  13. If you use LDIF files, shouldn't you check that option as the backend upon install???

  14. It did actually: BDB as the backend engine. Anyway, it was not meant for security or performance. Its sole purpose was a personal LDAP box for development.

  15. Hello. Thanks for the article. I'm having trouble setting up mirror mode replication using this software. Can you give me some advice?
    I've set it up using this link: http://www.openldap.org/doc/admin24/replication.html#N-Way%20Multi-Master.

    I haven't got them to replicate each other.

  16. How would I remove a user from my LDAP server?

    Let's say I wanted to remove the users inside my "step1.ldif" file.

    Thanks

  18. How can I change the default port?

  19. Very sorry, I haven't got the time to answer all the questions.

    @fabmal : I'm guessing you're trying to avoid a conflict because you already have AD installed, and you need to install OpenLDAP. Then you can check out this tutorial: http://lupus.wikidot.com/install-openldap-on-win32

    Hope that helps

  21. Very good tutorial. I get "ldap_add: Already exists (68)" when issuing... ldapmodify.exe -a -x -h localhost -p 389 -D "cn=manager,dc=maxcrc,dc=com" -f d:\App\OpenLDAP\ldifdata\step1.ldif -w secret..

  22. Very, very good posting... Actually I am new to Java and I made it work after one week..... Thank you so much.....

  23. I am not able to connect from LDAPExplorerTool2 as it is telling me "bad credentials". I filled in the Server and Connection tabs as given in the tutorial but I am always getting the bad credentials dialog window. I am using the OpenLDAP 64-bit Windows service.

  24. Thank you for the article, it was really helpful. Keep writing :)

  26. Thanks a lot for having demonstrated this nice tutorial.......

  27. Hi mates,

    I got this error.. What does this error mean?

    D:\OpenLDAP\ClientTools>ldapmodify.exe -a -x -h localhost -p 389 -D "cn=manager,dc=maxcrc,dc=com" -f D:\OpenLDAP\ldifdata\step1.ldif -w secret
    ldap_connect_to_host: TCP localhost:389
    ldap_new_socket: 728
    ldap_prepare_socket: 728
    ldap_connect_to_host: Trying ::1 389
    ldap_pvt_connect: fd: 728 tm: -1 async: 0
    attempting to connect:
    connect success
    adding new entry "dc=maxcrc,dc=com"
    ldap_add: Protocol error (2)
    additional info: no attributes provided

    Can anyone help?

    Replies
    1. Issue: due to the newline between these two lines
      dn: dc=maxcrc,dc=com

      dc: maxcrc

      Remove the newline and try as follows
      dn: dc=maxcrc,dc=com
      dc: maxcrc

      Again you will get the "account already exists" error, so you need to add the user details alone in that LDIF file. Make sure no blank line is present in that file. For example, as below:

      dn: cn=Robert Smith,ou=people,dc=maxcrc,dc=com
      objectclass: inetOrgPerson
      cn: Robert Smith
      cn: Robert J Smith
      cn: bob smith
      sn: smith
      uid: rjsmith
      userpassword: rJsmitH
      carlicense: HISCAR 123
      homephone: 555-111-2222
      mail: r.smith@example.com
      mail: rsmith@example.com
      mail: bob.smith@example.com
      description: swell guy
      ou: Human Resources

      Thanks kukusan ji.

  28. Thank you so much for this; it saved me (and surely others as well) a ton of time figuring this out in a Windows environment

  29. How do I search the tree directive of a particular domain with LDAP Explorer Tool?
    Issue: it shows root in the left pane and displays only the particular dc=xyz,dc=com, not the full tree.

    Can anyone help me please?

  30. Great tutorial. Thanks a lot! I was trying for hours to make OpenLDAP on Windows work and when I was about to quit, I found this tutorial. It is a life saver :)

    Replies
    1. Hi,

      I am confused! I hope you can help me! The above tutorial is to read the existing LDAP server in the Windows environment. Did you try to achieve the same, or were you able to join Windows to the OpenLDAP domain server?

    2. Hi sivachidambaram,

      The above tutorial only specifies the steps required for OpenLDAP to work on Windows for development purposes. It is not intended as an actual working LDAP server on Windows.

      Once OpenLDAP works, you can manage it, or you can connect to it from your application, using your favorite programming language, for testing purposes.

      From there, you can extend the LDAP settings using scripts in a Windows environment.

      If you don't want to mess with an existing LDAP server, it's advisable to have a testing environment. With this tutorial, you can test it on Windows.

  31. Hi, I got the issue below.

    ldap_bind: Server is unavailable (52)
    additional info: Proxy operation retry failed

    Can anyone help?

  33. How do I configure phpLDAPadmin on Windows?

    Can anyone help?

  36. I am getting this error while trying to test the connection >>> LDAP bind can't contact LDAP server

  37. Can anyone tell me how to clear my database under the Windows environment? Thanks!

  41. I am using MDaemon as a mail server and want to use OpenLDAP. Can anyone help me by sending me a configuration document?

    Ashok

  43. Hi,

    Please let me know how to create a group and how to add it to a user.
    Thanks

  45. I am having trouble connecting to the LDAP after my Windows server got restarted. Before the restart everything worked fine. I could use the LDAP with my application and connect to it with Apache Directory Studio as cn=Manager,dc=maxcrc,dc=com. Now, after the restart, I can't access it.

    In the ADSI Edit program I can see the structure of the LDAP but cannot edit it. Using Apache Directory Studio or my application, which both need the cn=Manager,dc=maxcrc,dc=com with password secret login to work, I now get the error:
    The authentication failed
    - [LDAP: error code 80 - 80090304: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 20ee, v2580

    Why doesn't my manager account work anymore? :)

  46. First of all, thank you for the tutorial!

    While executing
    ldapmodify.exe -a -x -h localhost -p 389 -D "cn=manager,dc=maxcrc,dc=com" -f d:\App\OpenLDAP\ldifdata\step1.ldif -w secret
    an error occurred: "Permission denied". The same happens for the 2nd file.

    Please have a look at the screenshot:
    http://prntscr.com/p2mydu

    Permissions for the whole directory should be set:

    http://prntscr.com/p2n2x2

    Any suggestions?

  47. I'm facing an issue when I check 'Open last configuration' from the LDAP Explorer Tool menu. The following command I ran:

    ldapmodify.exe -a -x -h localhost -p 389 -D "cn=manager,dc=maxcrc,dc=com" -f c:\OpenLDAP\ldifdata\step1.ldif -w secret

    It shows me: ldap_add: Already exists (68)

    After this, when I check the last configuration it asks for the password, and after providing the password it shows me "LDAP Bind: Invalid Credentials".

    Can you guys help me out of this?

  50. Hi, I have to create an OpenLDAP server on a Linux system and my client system is Windows 10. How do I authenticate to the LDAP server connected to my Windows 7 system?

  52. Very informative blog. I was able to create the server in a single attempt using the steps in the blog. Thanks for sharing the information with us.