NotesOnOpenLDAP

From Sfvlug

(Difference between revisions)
(Adding Users With Migration Scripts)
(Adding Users With Migration Scripts)
Line 41: Line 41:
<pre>
<pre>
-
./migrate_passwd.pl <(  
+
./migrate_passwd.pl <( grep juser
-
./migrate_group.pl  
+
./migrate_group.pl <(
</pre>
</pre>

Revision as of 07:42, 18 June 2009

Contents

Basic LDAP Queries

First of all, there are two files named ldap.conf. The first, which I'll cover in a moment, is /etc/ldap.conf, and it is used by pam_ldap and nss_ldap. It is described by the pam_ldap(5) and nss_ldap(5) man pages. In order to use the OpenLDAP command line utilities, you need to configure /etc/openldap/ldap.conf, which is described in the ldap.conf(5) man page.

There are only a few lines needed in /etc/openldap/ldap.conf. Here is a working example:

URI ldap://auth/ BASE dc=reachlocal,dc=com TLS_CACERTDIR /etc/openldap/cacerts TLS_REQCERT allow

Without this file, you would have to specify all these parameters on the command line when using ldapsearch and other tools. You can override the contents of /etc/openldap/ldap.conf in your $HOME/.ldaprc file. You can also specify alternative configuration files with the environment variables LDAPCONF and LDAPRC.

Adding Users With Migration Scripts

The migragion scripts are included in the openldap-servers package. They are initially located in /usr/share/openldap/migration/. I never edit anything installed via a package that resides in /usr, so I copied these scripts to /root/migration/. Then the path in the scripts needs to be edited to point to the new location, and organization specific information added to migrate_common.ph.

As root, do:

mkdir ~/migration cd ~/migration for FILE in /usr/share/openldap/migration/* ; do

   sed 's=/usr/share/openldap=/root=' $FILE > `basename $FILE`

done

cat <<EOF | ed migrate_common.ph /DEFAULT_MAIL_DOMAIN/s/padl.com/reachlocal.com/ /DEFAULT_BASE/s/dc=padl,dc=com/dc=reachlocal,dc=com/ /EXTENDED_SCHEMA/s/0/1/ w EOF

Now that you have this configured, you can begin adding users to LDAP.

Begin by adding a normal user with the regular shadow utilities. Note that if you do not include the GECOS information (with the -c flag) then a bunch of fields will not be filled in when we migrate to LDAP.

useradd -c 'Joe User' -s /sbin/nologin juser passwd juser

Then use the migration tools to build an LDIF file of the user's data.

./migrate_passwd.pl <( grep juser
./migrate_group.pl <( 

Authentication and Identification

Logins are handled by PAM (for Pluggable Authentication Modules), whereas user identification (and many other number-to-name resolutions) are handled by NSS (for Name Services Switching). PAM is configured via /etc/pam.conf and NSS is configured by /etc/nsswitch.conf. The LDAP settings for both these services are configured via /etc/ldap.conf.

On a typical RedHat system, /etc/pam.conf is not used, instead individual services are configured by files in /etc/pam.d. Within that directory, most services include the file system-auth to consolidate PAM configuration into a single point of modification. Curious individuals are directed to the pam(8) man page for further information.

If you look at /etc/nsswitch.conf, you will see the name of a lookup type service, followed by a list of sources from which translations can be made. We need passwd, shadow, and group to be looked up via files, followed by ldap. None of the other services need ldap.

To quickly configure a server to authenticate and identify with LDAP, use the following command:

authconfig --enableldap{,auth} --ldapserver=ldap://auth/ --ldapbasedn=dc=reachlocal,dc=com \\

          --enableldaptls --ldaploadcacert=file://`pwd`/cacert.pem --update

However, this will configure protocols, services, netgroup, and automount in /etc/nsswitch.conf to also use ldap for lookups. This may generate more network traffic than desired if you are not using LDAP for these services. Use the following to strip those entries:

sed -ri '/^(passwd|shadow|group):/s/(files) (ldap)/\\1 [UNAVAIL=return] \\2/;

        /^(protocols|services|netgroup|automount):/s/ ldap//' /etc/nsswitch.conf

Also, the default behavior is for the NSS libraries to continue trying to bind to the server indefinitely if it is unavailable. This means it can take up to half an hour before giving up. Add the following to make sure the libraries give up when the server is unavailable:

echo 'bind_policy soft' >> /etc/ldap.conf

And finally, to perform operations which require root access, such as getent shadow or passwd, the libraries can not bind anonymously. Include the manager password in /etc/ldap.secret (mode 0400), and use the following to bind as the administrator:

echo 'rootbinddn cn=Manager,dc=reachlocal,dc=com' >> /etc/ldap.conf

LDAP Replication

GUI Tools

libuser Tools

Personal tools