Tuesday, January 24, 2012

How to Set Up LDAP (OpenLDAP) in a Windows Development Environment

There are times when programmers are asked to connect to an M$ Active Directory or OpenLDAP server for authentication, so that all applications connect to the same user directory (LDAP) and, of course, the system administrator manages users from one place only.


This tutorial is intended for programmers who want to install an OpenLDAP server on their own computers, grasp the essence of LDAP, and learn how to actually connect to one. It took me 15 articles to actually get this working, so I thought I'd share it with everyone.


This tutorial, however, is not intended for system administrators, because almost every step in it uses the default settings.

There you have it, you've been warned.


aaaaaand ... here are the steps ..
  • Install OpenLDAP for Windows from http://www.userbooster.de/en/download/openldap-for-windows.aspx and follow its installation instructions. Install it in "C:\App\OpenLDAP".
  • Accept all the defaults. Use BDB (Berkeley DB) as the backend engine.
  • Your LDAP server is now running. To see the service, open Windows Services and look for OpenLDAP Service. If you don't want the service to start automatically every time Windows restarts, change it to Manual in the Properties dialog.
  • Next, install LDAPExplorerTool from http://ldaptool.sourceforge.net/ and try to connect to your LDAP server using these settings:
    • Server Name or IP: your computer name or IP
    • LDAP Port: 389; check the "use default" checkbox
    • LDAP SSL Port: 636; check the "use default" checkbox
    • Version: 3 (LDAP ver. 3)
    • User DN: cn=Manager,dc=maxcrc,dc=com; uncheck anonymous login
    • Password: secret
    • Base DN: just click the Guess Value button
    • For everything else, accept the default value
    • Click the Test Connection button. After saving the configuration, click Open.
  • It should open an empty LDAP directory. Next we will add actual entries to it.
  • Create a file in C:\App\OpenLDAP\ldifdata and name it step1.ldif. Its contents are:

## DEFINE DIT ROOT/BASE/SUFFIX ####
## uses RFC 2377 format
## replace maxcrc and com as necessary below
## or for experimentation leave as is

## dcObject is an AUXILIARY objectclass and MUST
## have a STRUCTURAL objectclass (organization in this case)
# this is an ENTRY sequence and is preceded by a BLANK line

dn: dc=maxcrc,dc=com
dc: maxcrc
description: My wonderful company as much text as you want to place
objectClass: dcObject
objectClass: organization
o: Maxcrc, Inc.

## FIRST Level hierarchy - people 
## uses mixed upper and lower case for objectclass
# this is an ENTRY sequence and is preceded by a BLANK line

dn: ou=people, dc=maxcrc,dc=com
ou: people
description: All people in organisation
objectclass: organizationalunit

## SECOND Level hierarchy
## ADD a single entry under FIRST (people) level
# this is an ENTRY sequence and is preceded by a BLANK line
# the ou: Human Resources is the department name

dn: cn=Robert Smith,ou=people,dc=maxcrc,dc=com
objectclass: inetOrgPerson
cn: Robert Smith
cn: Robert J Smith
cn: bob  smith
sn: smith
uid: rjsmith
userpassword: rJsmitH
carlicense: HISCAR 123
homephone: 555-111-2222
mail: r.smith@example.com
mail: rsmith@example.com
mail: bob.smith@example.com
description: swell guy
ou: Human Resources

  • Save the file, then open a command prompt and run these commands:
    • cd C:\App\OpenLDAP\ClientTools
    • ldapmodify.exe -a -x -h localhost -p 389 -D "cn=manager,dc=maxcrc,dc=com" -f C:\App\OpenLDAP\ldifdata\step1.ldif -w secret
  • From your LDAP Explorer Tool menu, select File -> Open last configuration, and you will find the LDAP directory is no longer empty.
  • Next, let's add some data of our own to the LDAP directory. Create a file in C:\App\OpenLDAP\ldifdata and name it samz.ldif. The contents:


## SECOND Level hierarchy
## ADD two entries under FIRST (people) level
# each is an ENTRY sequence and is preceded by a BLANK line
# the ou: SOA is the department name

dn: cn=Panji Pratomo,ou=people,dc=maxcrc,dc=com
objectclass: inetOrgPerson
cn: Panji Pratomo
cn: P Pratomo
cn: Panji P
sn: panji
uid: ppratomo
userpassword: SomePassword
carlicense: HISCAR 123
homephone: 555-111-2222
mail: panji.pratomo555@gmail.com
mail: panji.pratomo555@mysamz.com
mail: panji_pratomo555@yahoo.com
description: football maniac
ou: SOA

dn: cn=Fahmi Satrio,ou=people,dc=maxcrc,dc=com
objectclass: inetOrgPerson
cn: Fahmi Satrio
cn: F Satrio
cn: Mi
sn: fahmi
uid: fsatrio
userpassword: SomePassword
carlicense: HISCAR 123
homephone: 555-111-2222
mail: f.satrio222@gmail.com
mail: f.satrio222@mysamz.com
mail: guest108222@fif.co.id
description: tukang ngulik ga jelas
ou: SOA
  • Save the file, then open a command prompt and run these commands:
    • cd C:\App\OpenLDAP\ClientTools
    • ldapmodify.exe -a -x -h localhost -p 389 -D "cn=manager,dc=maxcrc,dc=com" -f C:\App\OpenLDAP\ldifdata\samz.ldif -w secret
  • From your LDAP Explorer Tool menu, select File -> Open last configuration.
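As an added example (mine, not part of the original post or of OpenLDAP): a small Python linter for LDIF files that catches the mistakes readers report in the comments below with step1.ldif and samz.ldif, namely a blank line inside an entry (which is what makes slapd answer "Protocol error (2) ... no attributes provided"), lines indented with spaces, and a userPassword left in cleartext, which is what the LDIF above stores. It also builds the {SSHA} form of the password that OpenLDAP accepts in place of the cleartext value. The function names, problem messages and sample LDIF are my own constructions.

```python
import base64
import hashlib
import os

def parse_ldif(text):
    """Return (entries, problems); an entry is a list of (attr, value) pairs.
    RFC 2849: a blank line ends an entry and a leading space continues a line."""
    entries, problems, cur = [], [], []
    for line in text.splitlines() + [""]:      # "" sentinel closes the last entry
        if line.startswith("#"):
            continue
        if line.strip() == "":
            if cur:
                entries.append(cur)
            cur = []
        elif line.startswith(" ") and cur:     # continuation of the previous attribute
            cur[-1] = (cur[-1][0], cur[-1][1] + line[1:])
        else:
            if line.startswith(" "):           # comment 5's case: indented first line
                problems.append(f"indented line starts an entry: {line.strip()!r}")
            attr, _, val = line.strip().partition(":")
            cur.append((attr.strip().lower(), val.strip()))
    for i, e in enumerate(entries, 1):
        if e[0][0] != "dn":                    # the leftovers after a stray blank line
            problems.append(f"entry {i}: no dn (blank line inside an entry?)")
        elif len(e) == 1:                      # slapd: Protocol error (2) no attributes provided
            problems.append(f"entry {i}: dn {e[0][1]!r} has no attributes")
        if any(a == "userpassword" and not v.startswith("{") for a, v in e):
            problems.append(f"entry {i}: userPassword stored in cleartext")
    return entries, problems

def ssha(password, salt=None):
    """Build an {SSHA} userPassword as slappasswd does: base64(sha1(pw+salt)+salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def check_ssha(stored, password):
    """Verify a password against an {SSHA} value the way slapd does on bind."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    return hashlib.sha1(password.encode() + raw[20:]).digest() == raw[:20]

# Constructed sample: step1.ldif's root entry with the blank line from comment 4, then a cleartext password.
BROKEN = ("dn: dc=maxcrc,dc=com\n\ndc: maxcrc\nobjectClass: dcObject\n\n"
          "dn: cn=Robert Smith,ou=people,dc=maxcrc,dc=com\n"
          "objectclass: inetOrgPerson\nuid: rjsmith\nuserpassword: rJsmitH\n")

if __name__ == "__main__":
    print(*parse_ldif(BROKEN)[1], sep="\n")
    print("userpassword:", ssha("rJsmitH"))  # paste this in place of the cleartext value
```

Run parse_ldif(open(path).read()) on step1.ldif before calling ldapmodify; a clean file returns an empty problem list.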



36 comments:

  1. Hi,
    I have already installed OpenLDAP and LdapAdmin.
    The first thing I want is to replace the "dc=manager,dc=maxrc,dc=com" credential with my own credential, because I want to import my data to another Linux LDAP server, and I think both servers' credentials should be the same. OK,
    so I've configured an LDAP on my Win7 PC, but there are no objects and attributes, so how do I create objects and attributes, and how do I import data between the Linux LDAP and the Windows LDAP? I am also trying to import data but there are a lot of errors. So please tell me the exact pattern to do it.

    thanks

  2. One more thing: I am using the ldif database.

  3. Thanks a lot, this was very helpful!

  4. When I am running ldapmodify.exe -a -x -h localhost -p 389 -D "cn=manager,dc=maxcrc,dc=com" -f d:\App\OpenLDAP\ldifdata\step1.ldif -w secret

    I am getting this message and my LDAP Directory is still empty.

    adding new entry "dc=maxcrc,dc=com"
    ldap_add: Protocol error (2)
    additional info: no attributes provided

    Replies
    1. Issue: due to the new line between these two lines
      dn: dc=maxcrc,dc=com

      dc: maxcrc

      Remove the newline and try as follows
      dn: dc=maxcrc,dc=com
      dc: maxcrc

      Again you will get the account already exists error, so you need to add the user details alone in that ldif file. Make sure no new line is present in that file. For example, as below:

      dn: cn=Robert Smith,ou=people,dc=maxcrc,dc=com
      objectclass: inetOrgPerson
      cn: Robert Smith
      cn: Robert J Smith
      cn: bob smith
      sn: smith
      uid: rjsmith
      userpassword: rJsmitH
      carlicense: HISCAR 123
      homephone: 555-111-2222
      mail: r.smith@example.com
      mail: rsmith@example.com
      mail: bob.smith@example.com
      description: swell guy
      ou: Human Resources

      Thanks kukusan ji....

  5. Great tutorial!

    One thing to keep in mind: remove any spaces before each line. In any other case, it fails.

    Best regards,

    Fede

  6. Nice one. Thanks for making this whole process easier. BTW, I was getting an invalid DN error until I checked Anonymous login. Not sure why it is working for you and not for me.

    Anyhow Thanks much.

  7. Good one, thanks!

    How do you do authentication programmatically, so that it can be used in a program?

  8. This comment has been removed by the author.

  9. Well, actually this is a big topic; it deserves an article of its own.

    Let us assume you want authentication for a website and you want it to use LDAP.
    Usually I start with simple authentication (username and password already defined) using Spring Security.

    You can read the getting started page here : http://static.springsource.org/spring-security/site/start-here.html

    After I succeed in creating the simple example, I try to create an LDAP version of it by throwing the user and password at an LDAP server and awaiting its authentication result.

    You can see the reference in:
    - http://static.springsource.org/spring-security/site/docs/3.0.x/reference/ldap.html
    - http://static.springsource.org/spring-security/site/docs/3.1.x/reference/ldap.html

    An actual implementation for it :
    - https://github.com/SpringSource/spring-security/tree/9b423a7726e999b6c80e8c4a769a99dd634f56ce/samples/ldap

    These steps also assume that you've worked with Spring and the Spring context.

    Hope this helps.

  10. Really it's a very large topic but it's useful. Windows OpenLDAP is a lightweight data access protocol. It is helpful to look up information from a server.

  11. When I am issuing... ldapmodify.exe -a -x -h localhost -p 389 -D "cn=manager,dc=maxcrc,dc=com" -f d:\App\OpenLDAP\ldifdata\step1.ldif -w secret..
    I get Error: No such file or directory..
    But I have looked very carefully for the file.. and it exists at the same path..
    What is the problem then? Can anyone help?

    Replies
    1. Double check the d:\App\OpenLDAP\ldifdata\step1.ldif -w secret.. part. For me, I had to change my directory to C:\

    2. I have the same problem. I checked it carefully but that command does not work:
      ldapmodify.exe -a -x -h localhost -p 389 -D "cn=manager,dc=maxcrc,dc=com" -f C:\OpenLDAP\ldifdata\step1.ldif -w secret..
      I get the same error: No such file or directory.... Please help

    3. Change the file extension from *.ldif.txt to *.ldif.

      http://windows.microsoft.com/en-in/windows/show-hide-file-name-extensions#show-hide-file-name-extensions=windows-7

      It will work now

  12. Great information laid out concisely. Thank you!

  13. If you use ldif files, should you not check this option as backend upon install???

  14. It did actually, BDB as the backend engine. Anyway, it was not meant for security or performance. Its sole purpose was a personal LDAP box for development.

  15. Hello. Thanks for the article. I'm having trouble setting up mirror mode replication using this software. Can you give me some advice?
    I've set it up using this link: http://www.openldap.org/doc/admin24/replication.html#N-Way%20Multi-Master.

    I haven't got it to replicate each other.

  16. How would I remove a user from my LDAP server?

    Let's say I wanted to remove the users inside my "step1.ldif" file.

    Thanks

  17. This comment has been removed by the author.

  18. How can I change the default port ?

  19. Very sorry, I haven't got the time to answer all the questions.

    @fabmal : I'm guessing you're trying to avoid conflict because you already have AD installed, and you need to install OpenLDAP. Then you can check out this tutorial : http://lupus.wikidot.com/install-openldap-on-win32

    Hope that helps

  20. Very nice blog more information our sites
    telecom staffing

  21. Very good tutorial. I get ldap_add: Already exists (68) when issuing... ldapmodify.exe -a -x -h localhost -p 389 -D "cn=manager,dc=maxcrc,dc=com" -f d:\App\OpenLDAP\ldifdata\step1.ldif -w secret..

  22. Very very... good posting... actually I am new to JAVA and I made it work after one week..... thank you so much.....

  23. I am not able to connect from LDAPExplorerTool2 as it is telling me bad credentials. I filled in the Server and Connection tabs as given in the tutorial but I always get the bad credentials dialog window. I am using the OpenLDAP 64-bit Windows service.

  24. Thank you for the article, it was really helpful. Keep writing :)

  25. This comment has been removed by the author.

  26. Thanks a lot for having demonstrated a nice tutorial.......

  27. Hi mates,

    I got this error.. what does this error mean?

    D:\OpenLDAP\ClientTools>ldapmodify.exe -a -x -h localhost -p 389 -D "cn=manager,dc=maxcrc,dc=com" -f D:\OpenLDAP\ldifdata\step1.ldif -w secret
    ldap_connect_to_host: TCP localhost:389
    ldap_new_socket: 728
    ldap_prepare_socket: 728
    ldap_connect_to_host: Trying ::1 389
    ldap_pvt_connect: fd: 728 tm: -1 async: 0
    attempting to connect:
    connect success
    adding new entry "dc=maxcrc,dc=com"
    ldap_add: Protocol error (2)
    additional info: no attributes provided

    Can anyone help?

    Replies
    1. Issue: due to the new line between these two lines
      dn: dc=maxcrc,dc=com

      dc: maxcrc

      Remove the newline and try as follows
      dn: dc=maxcrc,dc=com
      dc: maxcrc

      Again you will get the account already exists error, so you need to add the user details alone in that ldif file. Make sure no new line is present in that file. For example, as below:

      dn: cn=Robert Smith,ou=people,dc=maxcrc,dc=com
      objectclass: inetOrgPerson
      cn: Robert Smith
      cn: Robert J Smith
      cn: bob smith
      sn: smith
      uid: rjsmith
      userpassword: rJsmitH
      carlicense: HISCAR 123
      homephone: 555-111-2222
      mail: r.smith@example.com
      mail: rsmith@example.com
      mail: bob.smith@example.com
      description: swell guy
      ou: Human Resources

      Thanks kukusan ji.

  28. Thank you so much for this; saved me (and sure others as well) a ton of time figuring this out in a Windows environment

  29. How do I search the tree directive of a particular domain with the LDAP Explorer tool?
    Issue: it is showing root in the left pane and displays only the particular dc=xyz,dc=com, not the full tree.

    Can anyone help me please?

  30. Great tutorial. Thanks a lot! I was trying for hours to make OpenLDAP on Windows work and when I was about to quit, I found this tutorial. It is a life saver :)
