Installing Openldap 2.4 on Redhat

Besides the wonderful Oracle LDAP servers OUD and OID, there is the open source LDAP server OpenLDAP.  For a project that lacked the money to pay for the Oracle beauties, I had to install and configure OpenLDAP on Linux.

I’m not much into Open Source so I’d have to do with Google…

Installing the software and creating an initial LDAP server is fairly straightforward:

  • yum install openldap-server
  • service slapd start

And I have a running LDAP server on port 389.

Making sure the server will restart on reboot of the server:

  • chkconfig –levels 235 slapd on

Then comes the hard part.  I want to define my domain (dc=xx,dc=local) and I want to use a tool like ldapadmin (on Windows…) to connect to my server, so I need a user account and password.

No problem (according to some folks on the internet). Just edit the file /etc/openldap/slapd.d/cn=config and add/edit some values. But wait…. what’s on top in the file?

# CRC32 5061e392

which at least suggests that we can not edit this file by hand. But as the documents suggested, I still did and changed the domain and added a password (generated with slappaswd)

olcSuffix: dc=xx,dc=local
olcRootDN: cn=Manager,dc=xx,dc=local
olcRootPW: {SSHA}R+r/c9gbudNXUa01AbpjvQtGX0DB9IPM

This works but: I get logs with checksum errors!

Advise: DO NOT EDIT THE FILE!!!! Use ldapadd/ldapmodify!!!

Next article: HOW do we use ldapadd/ldapmodify?


Oracle 12c EPG (XDB) uses digest authentication in stead of basic.

After an upgrade from 11g to 12c, an application using the external procedural gateway (EPG) and basic authentication got a 401: not authorized.

It appears that in 12c, the EPG uses digest authentication in stead of basic authentication by default. You won’t notice this using a browser or WGET, but applications using CURL will fail.

Digest is a two-step way of authenticating, returning a so called nonce first to be used to encrypt the username and password in the request.

Using CURL, this can be solved by adding – -digest before the request.

An other option is to reset EPG (actually XDB) to use basic again by editing xdbconfig.xml (a row in the table XDB$CONFIG).

This can be done using this call:

call dbms_xdb.cfg_update(updateXML(
, ‘/xdbconfig/sysconfig/protocolconfig/httpconfig/authentication/allow-mechanism/text()’
, ‘basic’))

followed by


Don’t forget to commit…