NotesOnOpenLDAP

From Sfvlug

Revision as of 07:33, 18 June 2009 by Jeff

Basic LDAP Queries

First of all, there are two files named ldap.conf. The first, which I'll cover in a moment, is /etc/ldap.conf, and it is used by pam_ldap and nss_ldap. It is described by the pam_ldap(5) and nss_ldap(5) man pages. In order to use the OpenLDAP command line utilities, you need to configure /etc/openldap/ldap.conf, which is described in the ldap.conf(5) man page.

There are only a few lines needed in /etc/openldap/ldap.conf. Here is a working example:

URI ldap://auth/
BASE dc=reachlocal,dc=com
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT allow

Without this file, you would have to specify all these parameters on the command line when using ldapsearch and other tools. You can override the contents of /etc/openldap/ldap.conf in your $HOME/.ldaprc file. You can also specify alternative configuration files with the environment variables LDAPCONF and LDAPRC.

Adding Users With Migration Scripts

The migration scripts are included in the openldap-servers package. They are initially located in /usr/share/openldap/migration/. I never edit anything installed via a package that resides in /usr, so I copied these scripts to /root/migration/. Then the path in the scripts needs to be edited to point to the new location, and organization-specific information added to migrate_common.ph.

As root, do:

mkdir ~/migration
cd ~/migration
# Copy each script, rewriting its hard-coded install path to point at /root/migration
for FILE in /usr/share/openldap/migration/* ; do
   sed 's=/usr/share/openldap=/root=' "$FILE" > "$(basename "$FILE")"
done

# Replace the padl.com placeholders with the local domain and enable the extended schema
cat <<EOF | ed migrate_common.ph
/DEFAULT_MAIL_DOMAIN/s/padl.com/reachlocal.com/
/DEFAULT_BASE/s/dc=padl,dc=com/dc=reachlocal,dc=com/
/EXTENDED_SCHEMA/s/0/1/
w
q
EOF

Now that you have this configured, you can begin adding users to LDAP.

Begin by adding a normal user with the regular shadow utilities. Note that if you do not include the GECOS information (with the -c flag) then a bunch of fields will not be filled in when we migrate to LDAP.

useradd -c 'Joe User' -s /sbin/nologin juser
passwd juser

Authentication and Identification

Logins are handled by PAM (Pluggable Authentication Modules), whereas user identification (and many other number-to-name resolutions) is handled by NSS (the Name Service Switch). PAM is configured via /etc/pam.conf and NSS is configured by /etc/nsswitch.conf. The LDAP settings for both of these services are configured via /etc/ldap.conf.

On a typical RedHat system, /etc/pam.conf is not used; instead, individual services are configured by files in /etc/pam.d. Within that directory, most services include the file system-auth to consolidate PAM configuration into a single point of modification. Curious individuals are directed to the pam(8) man page for further information.

If you look at /etc/nsswitch.conf, you will see the name of each lookup type, followed by a list of sources from which translations can be made. We need passwd, shadow, and group to be looked up via files, followed by ldap. None of the other services need ldap.

To quickly configure a server to authenticate and identify with LDAP, use the following command:

authconfig --enableldap{,auth} --ldapserver=ldap://auth/ --ldapbasedn=dc=reachlocal,dc=com \
          --enableldaptls --ldaploadcacert=file://`pwd`/cacert.pem --update

However, this will configure protocols, services, netgroup, and automount in /etc/nsswitch.conf to also use ldap for lookups. This may generate more network traffic than desired if you are not using LDAP for these services. Use the following to strip those entries:

sed -ri '/^(passwd|shadow|group):/s/(files) (ldap)/\1 [UNAVAIL=return] \2/;
        /^(protocols|services|netgroup|automount):/s/ ldap//' /etc/nsswitch.conf

Also, the default behavior is for the NSS libraries to continue trying to bind to the server indefinitely if it is unavailable. This means it can take up to half an hour before giving up. Add the following to make sure the libraries give up when the server is unavailable:

echo 'bind_policy soft' >> /etc/ldap.conf

And finally, to perform operations which require root access, such as getent shadow or passwd, the libraries cannot bind anonymously. Put the manager password in /etc/ldap.secret (mode 0400), and use the following to bind as the administrator:

echo 'rootbinddn cn=Manager,dc=reachlocal,dc=com' >> /etc/ldap.conf
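To confirm a host actually ends up in the state described above (files then ldap for passwd/shadow/group, no ldap for the other services, bind_policy soft, and a 0400 ldap.secret whenever rootbinddn is set), here is an added audit script; it is not part of the original page. File contents and the secret's mode are passed in as values so it runs offline, and the sample nsswitch.conf and ldap.conf below are constructed.

```python
import stat

LDAP_DATABASES = ("passwd", "shadow", "group")          # files, then ldap
LOCAL_ONLY_DATABASES = ("protocols", "services", "netgroup", "automount")  # authconfig adds ldap here; strip it

def parse_nsswitch(text):
    """Map each nsswitch.conf database name to its list of sources and [action] tokens."""
    databases = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line and ":" in line:
            name, sources = line.split(":", 1)
            databases[name.strip()] = sources.split()
    return databases

def parse_ldap_conf(text):
    """Map pam_ldap/nss_ldap keywords (case-insensitive) to their values."""
    settings = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if parts:
            settings[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return settings

def audit_ldap_client(nsswitch_text, ldap_conf_text, secret_mode=None):
    """Return a list of findings; an empty list means the client matches the setup above."""
    findings = []
    dbs = parse_nsswitch(nsswitch_text)
    for db in LDAP_DATABASES:
        sources = [s for s in dbs.get(db, []) if not s.startswith("[")]  # drop [UNAVAIL=return] etc.
        if sources[:1] != ["files"] or "ldap" not in sources:
            findings.append(f"{db}: expected 'files' then 'ldap', got {' '.join(dbs.get(db, [])) or 'nothing'}")
    for db in LOCAL_ONLY_DATABASES:
        if "ldap" in dbs.get(db, []):
            findings.append(f"{db}: still queries ldap; strip it to avoid needless directory traffic")
    conf = parse_ldap_conf(ldap_conf_text)
    if conf.get("bind_policy") != "soft":
        findings.append("ldap.conf: bind_policy soft missing; lookups hang while the server is down")
    if "rootbinddn" in conf:  # the manager password lives in /etc/ldap.secret, which must be 0400
        if secret_mode is None:
            findings.append("ldap.conf: rootbinddn set but /etc/ldap.secret is absent")
        elif stat.S_IMODE(secret_mode) != 0o400:
            findings.append(f"/etc/ldap.secret: mode {oct(stat.S_IMODE(secret_mode))}, expected 0o400")
    return findings

# Constructed sample: what authconfig leaves behind before the sed and echo commands above are run.
NSSWITCH_BEFORE = "passwd: files ldap\nshadow: files ldap\ngroup: files ldap\nhosts: files dns\n" \
                  "protocols: files ldap\nservices: files ldap\nnetgroup: files ldap\nautomount: files ldap\n"
LDAP_CONF_BEFORE = "uri ldap://auth/\nbase dc=reachlocal,dc=com\nrootbinddn cn=Manager,dc=reachlocal,dc=com\n"
```

Calling audit_ldap_client(NSSWITCH_BEFORE, LDAP_CONF_BEFORE, 0o100644) reports the four extra ldap sources, the missing bind_policy, and the world-readable secret; after the edits above it returns an empty list.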

LDAP Replication

GUI Tools

libuser Tools