Datorhandbok - Användarbidrag [sv]

Rouk

2017-03-29T13:56:09Z

Net4all:

{| style="border: 0px"
! Funktion
| Tjänsteserver
|-
! Specialfunktion
| Head / management for Procurve 5412 router
|-
! Operativsystem
| [[:Kategori:Debian 8]]
|-
! Arkitektur
| x86_64
|-
! valign="top" | SSH-fingeravtryck
| <pre>
</pre>
|-
! Placering
| [[FOO-hallen]]
|-
! Ansvarig root
| net4all
|-
! Driftstatus
| I drift
|-
|}

[[Kategori:Maskiner i drift]]
[[Kategori:Tjänsteservrar]]
[[Kategori:Debian 8.0]]

Testmachine

2017-03-13T19:05:52Z

Net4all: Skapade sidan med '{| style="border: 0px" ! Funktion | CPU-server |- ! Specialfunktion | Testklient för LDAP konfiguration. Det är normalt att denna maskin är offline. |- ! Operativsystem | [...'

{| style="border: 0px"
! Funktion
| CPU-server
|-
! Specialfunktion
| Testklient för LDAP konfiguration. Det är normalt att denna maskin är offline.
|-
! Operativsystem
| [[:Kategori:Debian 8.0| Debian 8.0]]
|-
! SSH-fingeravtryck
|-
! Modell
| Virtuell Proxmox kluster.
|-
! Placering
| [[Proxmox]]
|-
! Foto
|-
! Ansvarig root
| [[Användare:net4all|Jon Dybeck][Användare:baafen|Joakim Baafen]
|-
! Driftstatus
| I drift till och från.
|-
! Nagios-status
| {{Nagios}}
|-
! LysINV
| {{LysINV}}
|}

[[Kategori:Debian]]
[[Kategori:Debian 8.0]]
[[Kategori:Maskiner i drift]]

Rootmanual:ldap

2017-03-09T18:22:34Z

Net4all: /* Importing data from NIS */

= Useful documentation =

https://wiki.debian.org/LDAP/OpenLDAPSetup

http://www.openldap.org/doc/admin22/index.html

http://www.zytrax.com/books/ldap/ch6/slapd-config.html

https://wiki.debian.org/LDAP/MigrationTools

http://www.openldap.org/doc/admin24/sasl.html

http://techiezone.rottigni.net/2011/12/change-root-dn-password-on-openldap/

https://bobcares.com/blog/kerberos-and-ldap-so-strong-together/

http://www.lichteblau.com/ldapvi/manual/ <-- Super useful for editing

https://www.digitalocean.com/community/tutorials/how-to-encrypt-openldap-connections-using-starttls

= Before you start =

Make sure puppet is updated and ran. Our puppet configuration will install some needed schemas and software needed to follow this installation process.

= Create certs and keytabs =

== Certficates ==

First, generate official certificates.
There should be three files, in our case:

/etc/ldap/cert/chain-lysator.liu.se.pem
/etc/ldap/cert/ldap.lysator.liu.se.pem
/etc/ldap/cert/ldap.lysator.liu.se.key

Make sure that the openldap user has the rights to read these files.

chown -R openldap:openldap /etc/ldap/cert
chmod 0500 /etc/ldap/cert
chmod -R 0400 /etc/ldap/cert/*

== Kerberos ==

The ldap server needs two keytabs, one for the server itself and one specific to ldap.

The host principal should be located under /etc as with all other machines.

The ldap/ldap.lysator.liu.se principal should be located at /etc/ldap/ldap.keytab and have 440 openldap:openldap.

/etc/default/slapd should be updated with (should already have been configured by puppet)

export KRB5_KTNAME=/etc/ldap/ldap.keytab

= Bootstrap slapd =

First install debian, configure the network and run puppet.
Please see ldap-server in the lysator puppet git repo.

Now, slapd needs to be reconfigured (mainly to set ldap admin password).
Run this:

dpkg-reconfigure -plow slapd

Example answers, note the password <ldap-admin>.

Omit OpenLDAP server configuration? no
DNS nomain name: lysator.liu.se
Organization name: lysator.liu.se
Administrator password: <ldap-admin>
Database backend to use: MDB
Remove database when slapd is purged: no
Move old database: yes
Allow ldapv2 protocol: no

Last, make sure slapd is running:

service slapd start

You should see this in /var/log/syslog:

<date> ldap slapd[XXX]: slapd starting
<data> ldap slapd[XXX]: Starting OpenLDAP: slapd.

= Purgin the database =

To start from scratch:

service slapd stop
rm -r /var/lib/ldap/*
rm -r /etc/ldap/slapd.d/*

= Configure slapd =

The OpenLDAP server (slapd) is configured by making changes to a database call
ed "cn=config".

We need to make a number of changes before we are ready to initialize the normal database with user data.

We make the changes by writing so called ldif files and applying them to the database with the ldapmodify tool.

ldapmodify -Y EXTERNAL -H ldapi:/// -f diff.ldif

For viewing changes we use the following:

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config"

== Configure debug logging ==

Put this in debug.ldif

dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: -1

Run this to change log level.

ldapmodify -Y EXTERNAL -H ldapi:/// -f debug.ldif

Verify using this.

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcLogLevel=*)" olcLogLevel

Borde skriva ut.

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config
olcLogLevel: -1

== Configure more extensive indexing (To be removed)==

Configure slapd to use more indexing to improve performance.
Put this into indexing.ldif

dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: cn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: sn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: uid pres,sub,eq
-
add: olcDbIndex
olcDbIndex: displayName pres,sub,eq
-
add: olcDbIndex
olcDbIndex: default sub
-
add: olcDbIndex
olcDbIndex: uidNumber eq
-
add: olcDbIndex
olcDbIndex: gidNumber eq
-
add: olcDbIndex
olcDbIndex: mail,givenName eq,subinitial
-
add: olcDbIndex
olcDbIndex: dc eq

Run this:

ldapmodify -Y EXTERNAL -H ldapi:/// -f indexing.ldif

== Import NIS User schema ==

Import nis schema
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif

Verify that you can find posixAccount

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" | grep posixAccount

Modify NIS schema, change NetgroupTriple SYNTAX to 1.3.6.1.4.1.1466.115.121.1.26 using ldapvi

ldapvi -h ldapi:/// -D cn=config -Y EXTERNAL -b cn=config

== Import AUTOFS schema ==

Import autofs schema
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/autofs-ldap.ldif

Verify that you can find automount

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" | grep automount

Add top ou for automount to automount.ldif

dn: ou=automount,dc=lysator,dc=liu,dc=se
ou: automount
objectClass: top
objectClass: organizationalUnit

Import using
ldapadd -H ldapi:/// -D "cn=admin,dc=lysator,dc=liu,dc=se" -W -f automount.ldif

Verify using
ldapsearch -Y EXTERNAL -H ldapi:/// -b "dc=lysator,dc=liu,dc=se" "(objectClass=organizationalUnit)"

Following should be in the output
dn: ou=automount,dc=lysator,dc=liu,dc=se
ou: automount
objectClass: top
objectClass: organizationalUnit

== Kerberos Auth ==

Make ldap use kerberos for auth against ldap (e.g database access). This does not cover using kerberos for login.

'''NOTE''': Double check if schema uses ou People or users. If users is used then replace People with users bellow.

Add the following to kerb.ldif

dn: cn=config
changetype: modify
add: olcAuthzRegexp
olcAuthzRegexp: uid=(.*),cn=lysator.liu.se,cn=gssapi,cn=auth uid=$1,ou=People,dc=lysator,dc=liu,dc=se

dn: cn=config
changetype: modify
add: olcSaslHost
olcSaslHost: ldap.lysator.liu.se

dn: cn=config
changetype: modify
add: olcSaslRealm
olcSaslRealm: LYSATOR.LIU.SE

Run this:
ldapmodify -Y EXTERNAL -H ldapi:/// -f kerb.ldif

Verify by running

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcAuthzRegexp=*)" olcAuthzRegexp

Should output
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config
olcAuthzRegexp: {0}uid=(.*),cn=lysator.liu.se,cn=gssapi,cn=auth uid=$1,ou=People,dc=lysator,dc=liu,dc=se

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcSaslHost=*)" olcSaslHost

Should output
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config
olcSaslHost: ldap.lysator.liu.se

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcSaslRealm=*)" olcSaslRealm

Should output
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config
olcSaslRealm: LYSATOR.LIU.SE

Verify that the output matches the same as configured above

Next, add 'export KRB5_KTNAME=/etc/ldap/ldap.keytab' to /etc/default/slapd (there should be a similar entry where you can put this line)

== Configure SASL/SSL ==

Put the following in ldif files and apply.

Specify certificate and change verify client to allow (does the default (never) work? (note, dashes between lines should be included)

dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/cert/chain-lysator.liu.se.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/cert/ldap.lysator.liu.se.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/cert/ldap.lysator.liu.se.key
-
add: olcTLSVerifyClient
olcTLSVerifyClient: allow
Add using:

ldapadd -Y EXTERNAL -H ldapi:/// -f certs.ldif

Should output:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"

Check it using:

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcTLSCACertificateFile=*)" olcTLSCACertificateFile olcTLSCertificateFile olcTLSCertificateKeyFile olcTLSVerifyClient

Should output:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config
olcTLSCACertificateFile: /etc/ldap/cert/chain-lysator.liu.se.pem
olcTLSCertificateFile: /etc/ldap/cert/ldap.lysator.liu.se.pem
olcTLSCertificateKeyFile: /etc/ldap/cert/ldap.lysator.liu.se.key
olcTLSVerifyClient: allow

Check that admin can login using tls:

ldapsearch -LLL -ZZ -W -H ldap:/// -D "cn=admin,dc=lysator,dc=liu,dc=se" -b "dc=lysator,dc=liu,dc=se" "(cn=admin)" description

Should first query for password, like so:

Enter LDAP Password:

It is the password entered during package configuration.

Then it should print the following:

dn: cn=admin,dc=lysator,dc=liu,dc=se
description: LDAP administrator

Only allow encrypted connections when accessing the database

dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcSecurity
olcSecurity: tls=1

Add it like so:

ldapadd -Y EXTERNAL -H ldapi:/// -f tls.ldif

Should print:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}mdb,cn=config"

Check that it is in the config:

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcSecurity=*)" olcSecurity | grep olcSecurity

Should output:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
olcSecurity: tls=1

== Allow chsh, chfn and root to modify anything ==

In order to allow users to change their shell, an acl rule is required.

Place the following text in shell.ldif:

dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=loginShell
by self write
by * read
olcAccess: {1}to *
by set="[cn=root,ou=Group,dc=lysator,dc=liu,dc=se]/memberUid & user/uid" manage
by * read

Then run the following:

ldapmodify -Y EXTERNAL -H ldapi:/// -f shell_access.ldif

It should print:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}mdb,cn=config"

Verify by running:

ldapsearch -Y EXTERNAL -H ldapi:/// -b olcDatabase={1}mdb,cn=config olcAccess

It should print:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <olcDatabase={1}mdb,cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: olcAccess
#
# {1}mdb, config
dn: olcDatabase={1}mdb,cn=config
olcAccess: {0}to attrs=loginShell,gecos by self write by * read
olcAccess: {1}to * by set="[cn=root,ou=Group,dc=lysator,dc=liu,dc=se]/memberUi
d & user/uid" manage by * read
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1

= Importing data from NIS =

* Import from nis scripts.
* Autofs conversion.

== Add uid counter ==

Place the following in nextUid.ldif:

dn: cn=nextUid,dc=lysator,dc=liu,dc=se
changetype: add
objectClass: top
objectClass: organizationalRole
objectClass: uidObject
cn: nextUid
uid: 10000

Run:

ldapmodify -Y EXTERNAL -H ldapi:/// -f nextUid.ldif

Should print:

TODO

To verify run:

ldapsearch -ZZ -H ldap://ldap.lysator.liu.se -b "dc=lysator,dc=liu,dc=se" "(objectClass=uidObject)"

Should print:

SASL/GSSAPI authentication started
SASL username: net4all@LYSATOR.LIU.SE
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <dc=lysator,dc=liu,dc=se> with scope subtree
# filter: (objectClass=uidObject)
# requesting: ALL
#
# nextUid, lysator.liu.se
dn: cn=nextUid,dc=lysator,dc=liu,dc=se
objectClass: top
objectClass: organizationalRole
objectClass: uidObject
cn: nextUid
uid: 10000
# search result
search: 5
result: 0 Success
# numResponses: 2
# numEntries: 1

== Character conversion ==

Check encoding from output when converting from nis to ldap
file -bi <file>

Convert to utf-8
iconv -f <current-encoding> -t utf-8 <file> > <file>-utf8.ldif

== Check top tree nodes in ldap database ==

Before we import data into the database, we should verify that some structures exist.
Also, that admin can login.

ldapsearch -Z -H ldapi:/// -b "dc=lysator,dc=liu,dc=se" -D "cn=admin,dc=lysator,dc=liu,dc=se" -W

Use the password specified during the package configuration.

Should display:

# admin, lysator.liu.se
dn: cn=admin,dc=lysator,dc=liu,dc=se
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: <password-hash>
# search result
search: 3
result: 0 Success
# numResponses: 3
# numEntries: 2

== Configure migrationtools ==

Run this:

apt-get install migrationtools

This installs a number of scripts and configuration tools for converting NIS to ldap.

Configuration files can be found here:

/usr/share/migrationtools

Cruically in :

/etc/migrationtools/migrate_common.ph

Change to the following:

$DEFAULT_MAIL_DOMAIN = "lysator.liu.se";
$DEFAULT_BASE = "dc=lysator,dc=liu,dc=se";

== Importing into ldap database ==

Remember to convert the output of the migration scripts.
Then run this.

ldapadd -Z -H ldapi:/// -D "cn=admin,dc=lysator,dc=liu,dc=se" -W -f nis-utf8.ldif

It will display many lines similar to this:

adding new entry "uid=<user>,ou=<thing>,dc=lysator,dc=liu,dc=se"

And the command may take several seconds to complete (depending on the dataset size).

=== Migrating autofs ===

'''NOTE:''' Migration tools provides a tool to migrate from nis but ueses other objectClasses. Some manuall work is needed to match the schema we use.

'''NOTE:''' Data should be in utf-8 before importing. Don't forget to convert.

Following needs to be converted:
auto.master
auto.home
auto.pkg
auto.lysator

==== auto.master ====
Add
dn: ou=auto.master,ou=automount,dc=lysator,dc=liu,dc=se
ou: auto.master
objectClass: top
objectClass: automountMap

==== Indirect mounts ====
Next is to add entries for /home, /mp and /pkg
Template follows:

dn: cn=/<dir>,ou=auto.master,ou=automount,dc=lysator,dc=liu,dc=se
objectClass: top
objectClass: automount
cn: /<dir>
automountInformation: auto.<file> <mount info>

where dir is mount point e.g /home. File is home for auto.home

For each indirect mount you also have to add a "top" for that "file"
dn: ou=auto.<file>,ou=automount,dc=lysator,dc=liu,dc=se
ou: auto.<file>
objectClass: top
objectClass: automountMap

==== Entry Template ====

dn: cn=<name>,ou=auto.<file>,ou=automount,dc=lysator,dc=liu,dc=se
cn: <name>
objectClass: automount
objectClass: top
automountInformation: -fstype=nfs,rw <additional mount options> <server>:<path>

= Errors & Hell =

=== Implementation Specific Error (80) ===
This can be due to incorrect indentation or possibly that a path to a file specified in the ldif is incorrect. We got this error while trying to add the encryption keys. The path was correct but the files had not been moved there yet.
Implementation Specific Error seems to be a catch all kind of error.\

=== Database config change doesn't take effetct ===
Try restarting slapd. Some changes doesn't take effect immediately.

Rootmanual:ldap

2017-03-09T18:14:00Z

Net4all: /* Allow chsh and chfn */

= Useful documentation =

https://wiki.debian.org/LDAP/OpenLDAPSetup

http://www.openldap.org/doc/admin22/index.html

http://www.zytrax.com/books/ldap/ch6/slapd-config.html

https://wiki.debian.org/LDAP/MigrationTools

http://www.openldap.org/doc/admin24/sasl.html

http://techiezone.rottigni.net/2011/12/change-root-dn-password-on-openldap/

https://bobcares.com/blog/kerberos-and-ldap-so-strong-together/

http://www.lichteblau.com/ldapvi/manual/ <-- Super useful for editing

https://www.digitalocean.com/community/tutorials/how-to-encrypt-openldap-connections-using-starttls

= Before you start =

Make sure puppet is updated and ran. Our puppet configuration will install some needed schemas and software needed to follow this installation process.

= Create certs and keytabs =

== Certficates ==

First, generate official certificates.
There should be three files, in our case:

/etc/ldap/cert/chain-lysator.liu.se.pem
/etc/ldap/cert/ldap.lysator.liu.se.pem
/etc/ldap/cert/ldap.lysator.liu.se.key

Make sure that the openldap user has the rights to read these files.

chown -R openldap:openldap /etc/ldap/cert
chmod 0500 /etc/ldap/cert
chmod -R 0400 /etc/ldap/cert/*

== Kerberos ==

The ldap server needs two keytabs, one for the server itself and one specific to ldap.

The host principal should be located under /etc as with all other machines.

The ldap/ldap.lysator.liu.se principal should be located at /etc/ldap/ldap.keytab and have 440 openldap:openldap.

/etc/default/slapd should be updated with (should already have been configured by puppet)

export KRB5_KTNAME=/etc/ldap/ldap.keytab

= Bootstrap slapd =

First install debian, configure the network and run puppet.
Please see ldap-server in the lysator puppet git repo.

Now, slapd needs to be reconfigured (mainly to set ldap admin password).
Run this:

dpkg-reconfigure -plow slapd

Example answers, note the password <ldap-admin>.

Omit OpenLDAP server configuration? no
DNS nomain name: lysator.liu.se
Organization name: lysator.liu.se
Administrator password: <ldap-admin>
Database backend to use: MDB
Remove database when slapd is purged: no
Move old database: yes
Allow ldapv2 protocol: no

Last, make sure slapd is running:

service slapd start

You should see this in /var/log/syslog:

<date> ldap slapd[XXX]: slapd starting
<data> ldap slapd[XXX]: Starting OpenLDAP: slapd.

= Purgin the database =

To start from scratch:

service slapd stop
rm -r /var/lib/ldap/*
rm -r /etc/ldap/slapd.d/*

= Configure slapd =

The OpenLDAP server (slapd) is configured by making changes to a database call
ed "cn=config".

We need to make a number of changes before we are ready to initialize the normal database with user data.

We make the changes by writing so called ldif files and applying them to the database with the ldapmodify tool.

ldapmodify -Y EXTERNAL -H ldapi:/// -f diff.ldif

For viewing changes we use the following:

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config"

== Configure debug logging ==

Put this in debug.ldif

dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: -1

Run this to change log level.

ldapmodify -Y EXTERNAL -H ldapi:/// -f debug.ldif

Verify using this.

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcLogLevel=*)" olcLogLevel

Borde skriva ut.

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config
olcLogLevel: -1

== Configure more extensive indexing (To be removed)==

Configure slapd to use more indexing to improve performance.
Put this into indexing.ldif

dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: cn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: sn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: uid pres,sub,eq
-
add: olcDbIndex
olcDbIndex: displayName pres,sub,eq
-
add: olcDbIndex
olcDbIndex: default sub
-
add: olcDbIndex
olcDbIndex: uidNumber eq
-
add: olcDbIndex
olcDbIndex: gidNumber eq
-
add: olcDbIndex
olcDbIndex: mail,givenName eq,subinitial
-
add: olcDbIndex
olcDbIndex: dc eq

Run this:

ldapmodify -Y EXTERNAL -H ldapi:/// -f indexing.ldif

== Import NIS User schema ==

Import nis schema
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif

Verify that you can find posixAccount

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" | grep posixAccount

Modify NIS schema, change NetgroupTriple SYNTAX to 1.3.6.1.4.1.1466.115.121.1.26 using ldapvi

ldapvi -h ldapi:/// -D cn=config -Y EXTERNAL -b cn=config

== Import AUTOFS schema ==

Import autofs schema
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/autofs-ldap.ldif

Verify that you can find automount

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" | grep automount

Add top ou for automount to automount.ldif

dn: ou=automount,dc=lysator,dc=liu,dc=se
ou: automount
objectClass: top
objectClass: organizationalUnit

Import using
ldapadd -H ldapi:/// -D "cn=admin,dc=lysator,dc=liu,dc=se" -W -f automount.ldif

Verify using
ldapsearch -Y EXTERNAL -H ldapi:/// -b "dc=lysator,dc=liu,dc=se" "(objectClass=organizationalUnit)"

Following should be in the output
dn: ou=automount,dc=lysator,dc=liu,dc=se
ou: automount
objectClass: top
objectClass: organizationalUnit

== Kerberos Auth ==

Make ldap use kerberos for auth against ldap (e.g database access). This does not cover using kerberos for login.

'''NOTE''': Double check if schema uses ou People or users. If users is used then replace People with users bellow.

Add the following to kerb.ldif

dn: cn=config
changetype: modify
add: olcAuthzRegexp
olcAuthzRegexp: uid=(.*),cn=lysator.liu.se,cn=gssapi,cn=auth uid=$1,ou=People,dc=lysator,dc=liu,dc=se

dn: cn=config
changetype: modify
add: olcSaslHost
olcSaslHost: ldap.lysator.liu.se

dn: cn=config
changetype: modify
add: olcSaslRealm
olcSaslRealm: LYSATOR.LIU.SE

Run this:
ldapmodify -Y EXTERNAL -H ldapi:/// -f kerb.ldif

Verify by running

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcAuthzRegexp=*)" olcAuthzRegexp

Should output
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config
olcAuthzRegexp: {0}uid=(.*),cn=lysator.liu.se,cn=gssapi,cn=auth uid=$1,ou=People,dc=lysator,dc=liu,dc=se

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcSaslHost=*)" olcSaslHost

Should output
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config
olcSaslHost: ldap.lysator.liu.se

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcSaslRealm=*)" olcSaslRealm

Should output
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config
olcSaslRealm: LYSATOR.LIU.SE

Verify that the output matches the same as configured above

Next, add 'export KRB5_KTNAME=/etc/ldap/ldap.keytab' to /etc/default/slapd (there should be a similar entry where you can put this line)

== Configure SASL/SSL ==

Put the following in ldif files and apply.

Specify certificate and change verify client to allow (does the default (never) work? (note, dashes between lines should be included)

dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/cert/chain-lysator.liu.se.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/cert/ldap.lysator.liu.se.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/cert/ldap.lysator.liu.se.key
-
add: olcTLSVerifyClient
olcTLSVerifyClient: allow
Add using:

ldapadd -Y EXTERNAL -H ldapi:/// -f certs.ldif

Should output:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"

Check it using:

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcTLSCACertificateFile=*)" olcTLSCACertificateFile olcTLSCertificateFile olcTLSCertificateKeyFile olcTLSVerifyClient

Should output:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config
olcTLSCACertificateFile: /etc/ldap/cert/chain-lysator.liu.se.pem
olcTLSCertificateFile: /etc/ldap/cert/ldap.lysator.liu.se.pem
olcTLSCertificateKeyFile: /etc/ldap/cert/ldap.lysator.liu.se.key
olcTLSVerifyClient: allow

Check that admin can login using tls:

ldapsearch -LLL -ZZ -W -H ldap:/// -D "cn=admin,dc=lysator,dc=liu,dc=se" -b "dc=lysator,dc=liu,dc=se" "(cn=admin)" description

Should first query for password, like so:

Enter LDAP Password:

It is the password entered during package configuration.

Then it should print the following:

dn: cn=admin,dc=lysator,dc=liu,dc=se
description: LDAP administrator

Only allow encrypted connections when accessing the database

dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcSecurity
olcSecurity: tls=1

Add it like so:

ldapadd -Y EXTERNAL -H ldapi:/// -f tls.ldif

Should print:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}mdb,cn=config"

Check that it is in the config:

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcSecurity=*)" olcSecurity | grep olcSecurity

Should output:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
olcSecurity: tls=1

== Allow chsh, chfn and root to modify anything ==

In order to allow users to change their shell, an acl rule is required.

Place the following text in shell.ldif:

dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=loginShell
by self write
by * read
olcAccess: {1}to *
by set="[cn=root,ou=Group,dc=lysator,dc=liu,dc=se]/memberUid & user/uid" manage
by * read

Then run the following:

ldapmodify -Y EXTERNAL -H ldapi:/// -f shell_access.ldif

It should print:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}mdb,cn=config"

Verify by running:

ldapsearch -Y EXTERNAL -H ldapi:/// -b olcDatabase={1}mdb,cn=config olcAccess

It should print:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <olcDatabase={1}mdb,cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: olcAccess
#
# {1}mdb, config
dn: olcDatabase={1}mdb,cn=config
olcAccess: {0}to attrs=loginShell,gecos by self write by * read
olcAccess: {1}to * by set="[cn=root,ou=Group,dc=lysator,dc=liu,dc=se]/memberUi
d & user/uid" manage by * read
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1

= Importing data from NIS =

* Import from nis scripts.
* Autofs conversion.
== Character conversion ==

Check encoding from output when converting from nis to ldap
file -bi <file>

Convert to utf-8
iconv -f <current-encoding> -t utf-8 <file> > <file>-utf8.ldif

== Check top tree nodes in ldap database ==

Before we import data into the database, we should verify that some structures exist.
Also, that admin can login.

ldapsearch -Z -H ldapi:/// -b "dc=lysator,dc=liu,dc=se" -D "cn=admin,dc=lysator,dc=liu,dc=se" -W

Use the password specified during the package configuration.

Should display:

# admin, lysator.liu.se
dn: cn=admin,dc=lysator,dc=liu,dc=se
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: <password-hash>
# search result
search: 3
result: 0 Success
# numResponses: 3
# numEntries: 2

== Configure migrationtools ==

Run this:

apt-get install migrationtools

This installs a number of scripts and configuration tools for converting NIS to ldap.

Configuration files can be found here:

/usr/share/migrationtools

Cruically in :

/etc/migrationtools/migrate_common.ph

Change to the following:

$DEFAULT_MAIL_DOMAIN = "lysator.liu.se";
$DEFAULT_BASE = "dc=lysator,dc=liu,dc=se";

== Importing into ldap database ==

Remember to convert the output of the migration scripts.
Then run this.

ldapadd -Z -H ldapi:/// -D "cn=admin,dc=lysator,dc=liu,dc=se" -W -f nis-utf8.ldif

It will display many lines similar to this:

adding new entry "uid=<user>,ou=<thing>,dc=lysator,dc=liu,dc=se"

And the command may take several seconds to complete (depending on the dataset size).

=== Migrating autofs ===

'''NOTE:''' Migration tools provides a tool to migrate from nis but ueses other objectClasses. Some manuall work is needed to match the schema we use.

'''NOTE:''' Data should be in utf-8 before importing. Don't forget to convert.

Following needs to be converted:
auto.master
auto.home
auto.pkg
auto.lysator

==== auto.master ====
Add
dn: ou=auto.master,ou=automount,dc=lysator,dc=liu,dc=se
ou: auto.master
objectClass: top
objectClass: automountMap

==== Indirect mounts ====
Next is to add entries for /home, /mp and /pkg
Template follows:

dn: cn=/<dir>,ou=auto.master,ou=automount,dc=lysator,dc=liu,dc=se
objectClass: top
objectClass: automount
cn: /<dir>
automountInformation: auto.<file> <mount info>

where dir is mount point e.g /home. File is home for auto.home

For each indirect mount you also have to add a "top" for that "file"
dn: ou=auto.<file>,ou=automount,dc=lysator,dc=liu,dc=se
ou: auto.<file>
objectClass: top
objectClass: automountMap

==== Entry Template ====

dn: cn=<name>,ou=auto.<file>,ou=automount,dc=lysator,dc=liu,dc=se
cn: <name>
objectClass: automount
objectClass: top
automountInformation: -fstype=nfs,rw <additional mount options> <server>:<path>

= Errors & Hell =

=== Implementation Specific Error (80) ===
This can be due to incorrect indentation or possibly that a path to a file specified in the ldif is incorrect. We got this error while trying to add the encryption keys. The path was correct but the files had not been moved there yet.
Implementation Specific Error seems to be a catch all kind of error.\

=== Database config change doesn't take effetct ===
Try restarting slapd. Some changes doesn't take effect immediately.

Fia

2017-03-09T10:03:30Z

Net4all: Skapade sidan med '{| style="border: 0px" ! Funktion | Inhysning FIA (Föreningen för Intelligenta Autonoma System). | Webbserver för fiarobotics.se och robocupjunior.se. |- ! Operativsystem...'

{| style="border: 0px"
! Funktion
| Inhysning FIA (Föreningen för Intelligenta Autonoma System).
| Webbserver för fiarobotics.se och robocupjunior.se.
|-
! Operativsystem
| [[:Kategori:CentOS 7| CentOS 7.3]]
|-
! Arkitektur
| x86-64
|-
! valign="top" | SSH-fingeravtryck
| <pre>PLACEHOLDER</pre>
|-
! Placering
| Proxmoxklustret
|-
! Ansvarig root
| net4all
|-
! Kontaktperson
| Jon Dybeck (net4all@lysator.liu.se)
|-
! Driftstatus
| I drift.
|-

[[Kategori:Inhysningar]]
[[Kategori:CentOS 7]]
[[Kategori:Maskiner i drift]]
[[Kategori:Virtuella servrar]]
[[Kategori:Proxmox]]

Rootmanual:ldap

2017-02-02T19:48:36Z

Net4all: /* Allow chsh and chfn */

= Useful documentation =

https://wiki.debian.org/LDAP/OpenLDAPSetup

http://www.openldap.org/doc/admin22/index.html

http://www.zytrax.com/books/ldap/ch6/slapd-config.html

https://wiki.debian.org/LDAP/MigrationTools

http://www.openldap.org/doc/admin24/sasl.html

http://techiezone.rottigni.net/2011/12/change-root-dn-password-on-openldap/

https://bobcares.com/blog/kerberos-and-ldap-so-strong-together/

http://www.lichteblau.com/ldapvi/manual/ <-- Super useful for editing

https://www.digitalocean.com/community/tutorials/how-to-encrypt-openldap-connections-using-starttls

= Before you start =

Make sure puppet is updated and ran. Our puppet configuration will install some needed schemas and software needed to follow this installation process.

= Create certs and keytabs =

== Certficates ==

First, generate official certificates.
There should be three files, in our case:

/etc/ldap/cert/chain-lysator.liu.se.pem
/etc/ldap/cert/ldap.lysator.liu.se.pem
/etc/ldap/cert/ldap.lysator.liu.se.key

Make sure that the openldap user has the rights to read these files.

chown -R openldap:openldap /etc/ldap/cert
chmod 0500 /etc/ldap/cert
chmod -R 0400 /etc/ldap/cert/*

== Kerberos ==

The ldap server needs two keytabs, one for the server itself and one specific to ldap.

The host principal should be located under /etc as with all other machines.

The ldap/ldap.lysator.liu.se principal should be located at /etc/ldap/ldap.keytab and have 440 openldap:openldap.

/etc/default/slapd should be updated with (should already have been configured by puppet)

export KRB5_KTNAME=/etc/ldap/ldap.keytab

= Bootstrap slapd =

First install debian, configure the network and run puppet.
Please see ldap-server in the lysator puppet git repo.

Now, slapd needs to be reconfigured (mainly to set ldap admin password).
Run this:

dpkg-reconfigure -plow slapd

Example answers, note the password <ldap-admin>.

Omit OpenLDAP server configuration? no
DNS nomain name: lysator.liu.se
Organization name: lysator.liu.se
Administrator password: <ldap-admin>
Database backend to use: MDB
Remove database when slapd is purged: no
Move old database: yes
Allow ldapv2 protocol: no

Last, make sure slapd is running:

service slapd start

You should see this in /var/log/syslog:

<date> ldap slapd[XXX]: slapd starting
<data> ldap slapd[XXX]: Starting OpenLDAP: slapd.

= Purgin the database =

To start from scratch:

service slapd stop
rm -r /var/lib/ldap/*
rm -r /etc/ldap/slapd.d/*

= Configure slapd =

The OpenLDAP server (slapd) is configured by making changes to a database call
ed "cn=config".

We need to make a number of changes before we are ready to initialize the normal database with user data.

We make the changes by writing so called ldif files and applying them to the database with the ldapmodify tool.

ldapmodify -Y EXTERNAL -H ldapi:/// -f diff.ldif

For viewing changes we use the following:

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config"

== Configure debug logging ==

Put this in debug.ldif

dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: -1

Run this to change log level.

ldapmodify -Y EXTERNAL -H ldapi:/// -f debug.ldif

Verify using this.

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcLogLevel=*)" olcLogLevel

Borde skriva ut.

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config
olcLogLevel: -1

== Configure more extensive indexing (To be removed)==

Configure slapd to use more indexing to improve performance.
Put this into indexing.ldif

dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: cn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: sn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: uid pres,sub,eq
-
add: olcDbIndex
olcDbIndex: displayName pres,sub,eq
-
add: olcDbIndex
olcDbIndex: default sub
-
add: olcDbIndex
olcDbIndex: uidNumber eq
-
add: olcDbIndex
olcDbIndex: gidNumber eq
-
add: olcDbIndex
olcDbIndex: mail,givenName eq,subinitial
-
add: olcDbIndex
olcDbIndex: dc eq

Run this:

ldapmodify -Y EXTERNAL -H ldapi:/// -f indexing.ldif

== Import NIS User schema ==

Import nis schema
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif

Verify that you can find posixAccount

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" | grep posixAccount

Modify NIS schema, change NetgroupTriple SYNTAX to 1.3.6.1.4.1.1466.115.121.1.26 using ldapvi

ldapvi -h ldapi:/// -D cn=config -Y EXTERNAL -b cn=config

== Import AUTOFS schema ==

Import autofs schema
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/autofs-ldap.ldif

Verify that you can find automount

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" | grep automount

Add top ou for automount to automount.ldif

dn: ou=automount,dc=lysator,dc=liu,dc=se
ou: automount
objectClass: top
objectClass: organizationalUnit

Import using
ldapadd -H ldapi:/// -D "cn=admin,dc=lysator,dc=liu,dc=se" -W -f automount.ldif

Verify using
ldapsearch -Y EXTERNAL -H ldapi:/// -b "dc=lysator,dc=liu,dc=se" "(objectClass=organizationalUnit)"

Following should be in the output
dn: ou=automount,dc=lysator,dc=liu,dc=se
ou: automount
objectClass: top
objectClass: organizationalUnit

== Kerberos Auth ==

Make ldap use kerberos for auth against ldap (e.g database access). This does not cover using kerberos for login.

'''NOTE''': Double check if schema uses ou People or users. If users is used then replace People with users bellow.

Add the following to kerb.ldif

dn: cn=config
changetype: modify
add: olcAuthzRegexp
olcAuthzRegexp: uid=(.*),cn=lysator.liu.se,cn=gssapi,cn=auth uid=$1,ou=People,dc=lysator,dc=liu,dc=se

dn: cn=config
changetype: modify
add: olcSaslHost
olcSaslHost: ldap.lysator.liu.se

dn: cn=config
changetype: modify
add: olcSaslRealm
olcSaslRealm: LYSATOR.LIU.SE

Run this:
ldapmodify -Y EXTERNAL -H ldapi:/// -f kerb.ldif

Verify by running

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcAuthzRegexp=*)" olcAuthzRegexp

Should output
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config
olcAuthzRegexp: {0}uid=(.*),cn=lysator.liu.se,cn=gssapi,cn=auth uid=$1,ou=People,dc=lysator,dc=liu,dc=se

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcSaslHost=*)" olcSaslHost

Should output
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config
olcSaslHost: ldap.lysator.liu.se

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcSaslRealm=*)" olcSaslRealm

Should output
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config
olcSaslRealm: LYSATOR.LIU.SE

Verify that the output matches the same as configured above

Next, add 'export KRB5_KTNAME=/etc/ldap/ldap.keytab' to /etc/default/slapd (there should be a similar entry where you can put this line)

== Configure SASL/SSL ==

Put the following in ldif files and apply.

Specify certificate and change verify client to allow (does the default (never) work? (note, dashes between lines should be included)

dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/cert/chain-lysator.liu.se.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/cert/ldap.lysator.liu.se.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/cert/ldap.lysator.liu.se.key
-
add: olcTLSVerifyClient
olcTLSVerifyClient: allow
Add using:

ldapadd -Y EXTERNAL -H ldapi:/// -f certs.ldif

Should output:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"

Check it using:

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcTLSCACertificateFile=*)" olcTLSCACertificateFile olcTLSCertificateFile olcTLSCertificateKeyFile olcTLSVerifyClient

Should output:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config
olcTLSCACertificateFile: /etc/ldap/cert/chain-lysator.liu.se.pem
olcTLSCertificateFile: /etc/ldap/cert/ldap.lysator.liu.se.pem
olcTLSCertificateKeyFile: /etc/ldap/cert/ldap.lysator.liu.se.key
olcTLSVerifyClient: allow

Check that admin can login using tls:

ldapsearch -LLL -ZZ -W -H ldap:/// -D "cn=admin,dc=lysator,dc=liu,dc=se" -b "dc=lysator,dc=liu,dc=se" "(cn=admin)" description

Should first query for password, like so:

Enter LDAP Password:

It is the password entered during package configuration.

Then it should print the following:

dn: cn=admin,dc=lysator,dc=liu,dc=se
description: LDAP administrator

Only allow encrypted connections when accessing the database

dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcSecurity
olcSecurity: tls=1

Add it like so:

ldapadd -Y EXTERNAL -H ldapi:/// -f tls.ldif

Should print:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}mdb,cn=config"

Check that it is in the config:

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcSecurity=*)" olcSecurity | grep olcSecurity

Should output:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
olcSecurity: tls=1

== Allow chsh and chfn ==

In order to allow users to change their shell, an acl rule is required.

Place the following text in shell.ldif:

dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=loginShell
by self write
by * read
olcAccess: {1}to *
by * read

Then run the following:

ldapmodify -Y EXTERNAL -H ldapi:/// -f shell_access.ldif

It should print:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}mdb,cn=config"

Verify by running:

ldapsearch -Y EXTERNAL -H ldapi:/// -b olcDatabase={1}mdb,cn=config olcAccess

It should print:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <olcDatabase={1}mdb,cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: olcAccess
#
# {1}mdb, config
dn: olcDatabase={1}mdb,cn=config
olcAccess: {0}to attrs=loginShell,gecos by self write by * read
olcAccess: {1}to * by * read
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1

= Importing data from NIS =

* Import from nis scripts.
* Autofs conversion.
== Character conversion ==

Check encoding from output when converting from nis to ldap
file -bi <file>

Convert to utf-8
iconv -f <current-encoding> -t utf-8 <file> > <file>-utf8.ldif

== Check top tree nodes in ldap database ==

Before we import data into the database, we should verify that some structures exist.
Also, that admin can login.

ldapsearch -Z -H ldapi:/// -b "dc=lysator,dc=liu,dc=se" -D "cn=admin,dc=lysator,dc=liu,dc=se" -W

Use the password specified during the package configuration.

Should display:

# admin, lysator.liu.se
dn: cn=admin,dc=lysator,dc=liu,dc=se
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: <password-hash>
# search result
search: 3
result: 0 Success
# numResponses: 3
# numEntries: 2

== Configure migrationtools ==

Run this:

apt-get install migrationtools

This installs a number of scripts and configuration tools for converting NIS to ldap.

Configuration files can be found here:

/usr/share/migrationtools

Cruically in :

/etc/migrationtools/migrate_common.ph

Change to the following:

$DEFAULT_MAIL_DOMAIN = "lysator.liu.se";
$DEFAULT_BASE = "dc=lysator,dc=liu,dc=se";

== Importing into ldap database ==

Remember to convert the output of the migration scripts.
Then run this.

ldapadd -Z -H ldapi:/// -D "cn=admin,dc=lysator,dc=liu,dc=se" -W -f nis-utf8.ldif

It will display many lines similar to this:

adding new entry "uid=<user>,ou=<thing>,dc=lysator,dc=liu,dc=se"

And the command may take several seconds to complete (depending on the dataset size).

=== Migrating autofs ===

'''NOTE:''' Migration tools provides a tool to migrate from nis but ueses other objectClasses. Some manuall work is needed to match the schema we use.

'''NOTE:''' Data should be in utf-8 before importing. Don't forget to convert.

Following needs to be converted:
auto.master
auto.home
auto.pkg
auto.lysator

==== auto.master ====
Add
dn: ou=auto.master,ou=automount,dc=lysator,dc=liu,dc=se
ou: auto.master
objectClass: top
objectClass: automountMap

==== Indirect mounts ====
Next is to add entries for /home, /mp and /pkg
Template follows:

dn: cn=/<dir>,ou=auto.master,ou=automount,dc=lysator,dc=liu,dc=se
objectClass: top
objectClass: automount
cn: /<dir>
automountInformation: auto.<file> <mount info>

where dir is mount point e.g /home. File is home for auto.home

For each indirect mount you also have to add a "top" for that "file"
dn: ou=auto.<file>,ou=automount,dc=lysator,dc=liu,dc=se
ou: auto.<file>
objectClass: top
objectClass: automountMap

==== Entry Template ====

dn: cn=<name>,ou=auto.<file>,ou=automount,dc=lysator,dc=liu,dc=se
cn: <name>
objectClass: automount
objectClass: top
automountInformation: -fstype=nfs,rw <additional mount options> <server>:<path>

= Errors & Hell =

=== Implementation Specific Error (80) ===
This can be due to incorrect indentation or possibly that a path to a file specified in the ldif is incorrect. We got this error while trying to add the encryption keys. The path was correct but the files had not been moved there yet.
Implementation Specific Error seems to be a catch all kind of error.\

=== Database config change doesn't take effetct ===
Try restarting slapd. Some changes doesn't take effect immediately.

Rootmanual:ldap

2016-11-22T18:20:57Z

Net4all:

= Useful documentation =

https://wiki.debian.org/LDAP/OpenLDAPSetup

http://www.openldap.org/doc/admin22/index.html

http://www.zytrax.com/books/ldap/ch6/slapd-config.html

https://wiki.debian.org/LDAP/MigrationTools

http://www.openldap.org/doc/admin24/sasl.html

http://techiezone.rottigni.net/2011/12/change-root-dn-password-on-openldap/

https://bobcares.com/blog/kerberos-and-ldap-so-strong-together/

http://www.lichteblau.com/ldapvi/manual/ <-- Super useful for editing

https://www.digitalocean.com/community/tutorials/how-to-encrypt-openldap-connections-using-starttls

= Before you start =

Make sure puppet is updated and ran. Our puppet configuration will install some needed schemas and software needed to follow this installation process.

= Create certs and keytabs =

== Certficates ==

First, generate official certificates.
There should be three files, in our case:

/etc/ldap/cert/chain-lysator.liu.se.pem
/etc/ldap/cert/ldap.lysator.liu.se.pem
/etc/ldap/cert/ldap.lysator.liu.se.key

Make sure that the openldap user has the rights to read these files.

chown -R openldap:openldap /etc/ldap/cert
chmod 0500 /etc/ldap/cert
chmod -R 0400 /etc/ldap/cert/*

== Kerberos ==

The ldap server needs two keytabs, one for the server itself and one specific to ldap.

The host principal should be located under /etc as with all other machines.

The ldap/ldap.lysator.liu.se principal should be located at /etc/ldap/ldap.keytab and have 440 openldap:openldap.

/etc/default/slapd should be updated with (should already have been configured by puppet)

export KRB5_KTNAME=/etc/ldap/ldap.keytab

= Bootstrap slapd =

First install debian, configure the network and run puppet.
Please see ldap-server in the lysator puppet git repo.

Now, slapd needs to be reconfigured (mainly to set ldap admin password).
Run this:

dpkg-reconfigure -plow slapd

Example answers, note the password <ldap-admin>.

Omit OpenLDAP server configuration? no
DNS nomain name: lysator.liu.se
Organization name: lysator.liu.se
Administrator password: <ldap-admin>
Database backend to use: MDB
Remove database when slapd is purged: no
Move old database: yes
Allow ldapv2 protocol: no

Last, make sure slapd is running:

service slapd start

You should see this in /var/log/syslog:

<date> ldap slapd[XXX]: slapd starting
<data> ldap slapd[XXX]: Starting OpenLDAP: slapd.

= Purgin the database =

To start from scratch:

service slapd stop
rm -r /var/lib/ldap/*
rm -r /etc/ldap/slapd.d/*

= Configure slapd =

The OpenLDAP server (slapd) is configured by making changes to a database call
ed "cn=config".

We need to make a number of changes before we are ready to initialize the normal database with user data.

We make the changes by writing so called ldif files and applying them to the database with the ldapmodify tool.

ldapmodify -Y EXTERNAL -H ldapi:/// -f diff.ldif

For viewing changes we use the following:

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config"

== Configure debug logging ==

Put this in debug.ldif

dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: -1

Run this to change log level.

ldapmodify -Y EXTERNAL -H ldapi:/// -f debug.ldif

Verify using this.

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcLogLevel=*)" olcLogLevel

Borde skriva ut.

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config
olcLogLevel: -1

== Configure more extensive indexing (To be removed)==

Configure slapd to use more indexing to improve performance.
Put this into indexing.ldif

dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: cn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: sn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: uid pres,sub,eq
-
add: olcDbIndex
olcDbIndex: displayName pres,sub,eq
-
add: olcDbIndex
olcDbIndex: default sub
-
add: olcDbIndex
olcDbIndex: uidNumber eq
-
add: olcDbIndex
olcDbIndex: gidNumber eq
-
add: olcDbIndex
olcDbIndex: mail,givenName eq,subinitial
-
add: olcDbIndex
olcDbIndex: dc eq

Run this:

ldapmodify -Y EXTERNAL -H ldapi:/// -f indexing.ldif

== Import NIS User schema ==

Import nis schema
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif

Verify that you can find posixAccount

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" | grep posixAccount

Modify NIS schema, change NetgroupTriple SYNTAX to 1.3.6.1.4.1.1466.115.121.1.26 using ldapvi

ldapvi -h ldapi:/// -D cn=config -Y EXTERNAL -b cn=config

== Import AUTOFS schema ==

Import autofs schema
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/autofs-ldap.ldif

Verify that you can find automount

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" | grep automount

Add top ou for automount to automount.ldif

dn: ou=automount,dc=lysator,dc=liu,dc=se
ou: automount
objectClass: top
objectClass: organizationalUnit

Import using
ldapadd -H ldapi:/// -D "cn=admin,dc=lysator,dc=liu,dc=se" -W -f automount.ldif

Verify using
ldapsearch -Y EXTERNAL -H ldapi:/// -b "dc=lysator,dc=liu,dc=se" "(objectClass=organizationalUnit)"

Following should be in the output
dn: ou=automount,dc=lysator,dc=liu,dc=se
ou: automount
objectClass: top
objectClass: organizationalUnit

== Kerberos Auth ==

Make ldap use kerberos for auth against ldap (e.g database access). This does not cover using kerberos for login.

Add the following to kerb.ldif

dn: cn=config
changetype: modify
add: olcAuthzRegexp
olcAuthzRegexp: uid=(.*),cn=lysator.liu.se,cn=gssapi,cn=auth uid=$1,ou=users,dc=lysator,dc=liu,dc=se

dn: cn=config
changetype: modify
add: olcSaslHost
olcSaslHost: ldap.lysator.liu.se

dn: cn=config
changetype: modify
add: olcSaslRealm
olcSaslRealm: LYSATOR.LIU.SE

Run this:
ldapmodify -Y EXTERNAL -H ldapi:/// -f kerb.ldif

Verify by running

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcAuthzRegexp=*)" olcAuthzRegexp

Should output
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config
olcAuthzRegexp: {0}uid=(.*),cn=lysator.liu.se,cn=gssapi,cn=auth uid=$1,ou=users,dc=lysator,dc=liu,dc=se

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcSaslHost=*)" olcSaslHost

Should output
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config
olcSaslHost: ldap.lysator.liu.se

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcSaslRealm=*)" olcSaslRealm

Should output
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config
olcSaslRealm: LYSATOR.LIU.SE

Verify that the output matches the same as configured above

Next, add 'export KRB5_KTNAME=/etc/ldap/ldap.keytab' to /etc/default/slapd (there should be a similar entry where you can put this line)

== Configure SASL/SSL ==

Put the following in ldif files and apply.

Specify certificate and change verify client to allow (does the default (never) work? (note, dashes between lines should be included)

dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/cert/chain-lysator.liu.se.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/cert/ldap.lysator.liu.se.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/cert/ldap.lysator.liu.se.key
-
add: olcTLSVerifyClient
olcTLSVerifyClient: allow
Add using:

ldapadd -Y EXTERNAL -H ldapi:/// -f certs.ldif

Should output:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"

Check it using:

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcTLSCACertificateFile=*)" olcTLSCACertificateFile olcTLSCertificateFile olcTLSCertificateKeyFile olcTLSVerifyClient

Should output:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config
olcTLSCACertificateFile: /etc/ldap/cert/chain-lysator.liu.se.pem
olcTLSCertificateFile: /etc/ldap/cert/ldap.lysator.liu.se.pem
olcTLSCertificateKeyFile: /etc/ldap/cert/ldap.lysator.liu.se.key
olcTLSVerifyClient: allow

Check that admin can login using tls:

ldapsearch -LLL -ZZ -W -H ldap:/// -D "cn=admin,dc=lysator,dc=liu,dc=se" -b "dc=lysator,dc=liu,dc=se" "(cn=admin)" description

Should first query for password, like so:

Enter LDAP Password:

It is the password entered during package configuration.

Then it should print the following:

dn: cn=admin,dc=lysator,dc=liu,dc=se
description: LDAP administrator

Only allow encrypted connections when accessing the database

dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcSecurity
olcSecurity: tls=1

Add it like so:

ldapadd -Y EXTERNAL -H ldapi:/// -f tls.ldif

Should print:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}mdb,cn=config"

Check that it is in the config:

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcSecurity=*)" olcSecurity | grep olcSecurity

Should output:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
olcSecurity: tls=1

== Allow chsh and chfn ==

= Importing data from NIS =

* Import from nis scripts.
* Autofs conversion.
== Character conversion ==

Check encoding from output when converting from nis to ldap
file -bi <file>

Convert to utf-8
iconv -f <current-encoding> -t utf-8 <file> > <file>-utf8.ldif

== Check top tree nodes in ldap database ==

Before we import data into the database, we should verify that some structures exist.
Also, that admin can login.

ldapsearch -Z -H ldapi:/// -b "dc=lysator,dc=liu,dc=se" -D "cn=admin,dc=lysator,dc=liu,dc=se" -W

Use the password specified during the package configuration.

Should display:

# admin, lysator.liu.se
dn: cn=admin,dc=lysator,dc=liu,dc=se
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: <password-hash>
# search result
search: 3
result: 0 Success
# numResponses: 3
# numEntries: 2

== Configure migrationtools ==

Run this:

apt-get install migrationtools

This installs a number of scripts and configuration tools for converting NIS to ldap.

Configuration files can be found here:

/usr/share/migrationtools

Cruically in :

/etc/migrationtools/migrate_common.ph

Change to the following:

$DEFAULT_MAIL_DOMAIN = "lysator.liu.se";
$DEFAULT_BASE = "dc=lysator,dc=liu,dc=se";

== Importing into ldap database ==

Remember to convert the output of the migration scripts.
Then run this.

ldapadd -Z -H ldapi:/// -D "cn=admin,dc=lysator,dc=liu,dc=se" -W -f nis-utf8.ldif

It will display many lines similar to this:

adding new entry "uid=<user>,ou=<thing>,dc=lysator,dc=liu,dc=se"

And the command may take several seconds to complete (depending on the dataset size).

=== Migrating autofs ===

'''NOTE:''' Migration tools provides a tool to migrate from nis but ueses other objectClasses. Some manuall work is needed to match the schema we use.

'''NOTE:''' Data should be in utf-8 before importing. Don't forget to convert.

Following needs to be converted:
auto.master
auto.home
auto.pkg
auto.lysator

==== auto.master ====
Add
dn: ou=auto.master,ou=automount,dc=lysator,dc=liu,dc=se
ou: auto.master
objectClass: top
objectClass: automountMap

==== Indirect mounts ====
Next is to add entries for /home, /mp and /pkg
Template follows:

dn: cn=/<dir>,ou=auto.master,ou=automount,dc=lysator,dc=liu,dc=se
objectClass: top
objectClass: automount
cn: /<dir>
automountInformation: auto.<file> <mount info>

where dir is mount point e.g /home. File is home for auto.home

For each indirect mount you also have to add a "top" for that "file"
dn: ou=auto.<file>,ou=automount,dc=lysator,dc=liu,dc=se
ou: auto.<file>
objectClass: top
objectClass: automountMap

==== Entry Template ====

dn: cn=<name>,ou=auto.<file>,ou=automount,dc=lysator,dc=liu,dc=se
cn: <name>
objectClass: automount
objectClass: top
automountInformation: -fstype=nfs,rw <additional mount options> <server>:<path>

= Errors & Hell =

=== Implementation Specific Error (80) ===
This can be due to incorrect indentation or possibly that a path to a file specified in the ldif is incorrect. We got this error while trying to add the encryption keys. The path was correct but the files had not been moved there yet.
Implementation Specific Error seems to be a catch all kind of error.

Rootmanual:ldap

2016-11-22T18:17:16Z

Net4all: /* Certficates */

= Useful documentation =

https://wiki.debian.org/LDAP/OpenLDAPSetup

http://www.openldap.org/doc/admin22/index.html

http://www.zytrax.com/books/ldap/ch6/slapd-config.html

https://wiki.debian.org/LDAP/MigrationTools

http://www.openldap.org/doc/admin24/sasl.html

http://techiezone.rottigni.net/2011/12/change-root-dn-password-on-openldap/

https://bobcares.com/blog/kerberos-and-ldap-so-strong-together/

http://www.lichteblau.com/ldapvi/manual/ <-- Super useful for editing

https://www.digitalocean.com/community/tutorials/how-to-encrypt-openldap-connections-using-starttls

= Before you start =

Make sure puppet is updated and ran. Our puppet configuration will install some needed schemas and software needed to follow this installation process.

= Create certs and keytabs =

== Certficates ==

First, generate official certificates.
There should be three files, in our case:

/etc/ldap/cert/chain-lysator.liu.se.pem
/etc/ldap/cert/ldap.lysator.liu.se.pem
/etc/ldap/cert/ldap.lysator.liu.se.key

Make sure that the openldap user has the rights to read these files.

chown -R openldap:openldap /etc/ldap/cert
chmod 0500 /etc/ldap/cert
chmod -R 0400 /etc/ldap/cert/*

== Kerberos ==

The ldap server needs two keytabs, one for the server itself and one specific to ldap.

The host principal should be located under /etc as with all other machines.

The ldap/ldap.lysator.liu.se principal should be located at /etc/ldap/ldap.keytab and have 440 openldap:openldap.

/etc/default/slapd should be updated with (should already have been configured by puppet)

export KRB5_KTNAME=/etc/ldap/ldap.keytab

= Bootstrap slapd =

First install debian, configure the network and run puppet.
Please see ldap-server in the lysator puppet git repo.

Now, slapd needs to be reconfigured (mainly to set ldap admin password).
Run this:

dpkg-reconfigure -plow slapd

Example answers, note the password <ldap-admin>.

Omit OpenLDAP server configuration? no
DNS nomain name: lysator.liu.se
Organization name: lysator.liu.se
Administrator password: <ldap-admin>
Database backend to use: MDB
Remove database when slapd is purged: no
Move old database: yes
Allow ldapv2 protocol: no

Last, make sure slapd is running:

service slapd start

You should see this in /var/log/syslog:

<date> ldap slapd[XXX]: slapd starting
<data> ldap slapd[XXX]: Starting OpenLDAP: slapd.

= Purgin the database =

To start from scratch:

service slapd stop
rm -r /var/lib/ldap/*
rm -r /etc/ldap/slapd.d/*

= Configure slapd =

The OpenLDAP server (slapd) is configured by making changes to a database call
ed "cn=config".

We need to make a number of changes before we are ready to initialize the normal database with user data.

We make the changes by writing so called ldif files and applying them to the database with the ldapmodify tool.

ldapmodify -Y EXTERNAL -H ldapi:/// -f diff.ldif

For viewing changes we use the following:

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config"

== Configure debug logging ==

Put this in debug.ldif

dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: -1

Run this to change log level.

ldapmodify -Y EXTERNAL -H ldapi:/// -f debug.ldif

Verify using this.

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcLogLevel=*)" olcLogLevel

Borde skriva ut.

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config
olcLogLevel: -1

== Configure more extensive indexing (To be removed)==

Configure slapd to use more indexing to improve performance.
Put this into indexing.ldif

dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: cn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: sn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: uid pres,sub,eq
-
add: olcDbIndex
olcDbIndex: displayName pres,sub,eq
-
add: olcDbIndex
olcDbIndex: default sub
-
add: olcDbIndex
olcDbIndex: uidNumber eq
-
add: olcDbIndex
olcDbIndex: gidNumber eq
-
add: olcDbIndex
olcDbIndex: mail,givenName eq,subinitial
-
add: olcDbIndex
olcDbIndex: dc eq

Run this:

ldapmodify -Y EXTERNAL -H ldapi:/// -f indexing.ldif

== Import NIS User schema ==

Import nis schema
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif

Verify that you can find posixAccount

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" | grep posixAccount

Modify NIS schema, change NetgroupTriple SYNTAX to 1.3.6.1.4.1.1466.115.121.1.26 using ldapvi

ldapvi -h ldapi:/// -D cn=config -Y EXTERNAL -b cn=config

== Import AUTOFS schema ==

Import autofs schema
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/autofs-ldap.ldif

Verify that you can find automount

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" | grep automount

Add top ou for automount to automount.ldif

dn: ou=automount,dc=lysator,dc=liu,dc=se
ou: automount
objectClass: top
objectClass: organizationalUnit

Import using
ldapadd -H ldapi:/// -D "cn=admin,dc=lysator,dc=liu,dc=se" -W -f automount.ldif

Verify using
ldapsearch -Y EXTERNAL -H ldapi:/// -b "dc=lysator,dc=liu,dc=se" "(objectClass=organizationalUnit)"

Following should be in the output
dn: ou=automount,dc=lysator,dc=liu,dc=se
ou: automount
objectClass: top
objectClass: organizationalUnit

== Kerberos Auth ==

Make ldap use kerberos for auth against ldap (e.g database access). This does not cover using kerberos for login.

Add the following to kerb.ldif

dn: cn=config
changetype: modify
add: olcAuthzRegexp
olcAuthzRegexp: uid=(.*),cn=lysator.liu.se,cn=gssapi,cn=auth uid=$1,ou=users,dc=lysator,dc=liu,dc=se

dn: cn=config
changetype: modify
add: olcSaslHost
olcSaslHost: ldap.lysator.liu.se

dn: cn=config
changetype: modify
add: olcSaslRealm
olcSaslRealm: LYSATOR.LIU.SE

Run this:
ldapmodify -Y EXTERNAL -H ldapi:/// -f kerb.ldif

Verify by running

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcAuthzRegexp=*)" olcAuthzRegexp

Should output
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config
olcAuthzRegexp: {0}uid=(.*),cn=lysator.liu.se,cn=gssapi,cn=auth uid=$1,ou=users,dc=lysator,dc=liu,dc=se

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcSaslHost=*)" olcSaslHost

Should output
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config
olcSaslHost: ldap.lysator.liu.se

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcSaslRealm=*)" olcSaslRealm

Should output
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config
olcSaslRealm: LYSATOR.LIU.SE

Verify that the output matches the same as configured above

Next, add 'export KRB5_KTNAME=/etc/ldap/ldap.keytab' to /etc/default/slapd (there should be a similar entry where you can put this line)

== Configure SASL/SSL ==

Put the following in ldif files and apply.

Only use tls.

dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcSecurity
olcSecurity: tls=1

Add it like so:

ldapadd -Y EXTERNAL -H ldapi:/// -f tls.ldif

Should print:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}mdb,cn=config"

Check that it is in the config:

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcSecurity=*)" olcSecurity | grep olcSecurity

Should output:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
olcSecurity: tls=1

Specify certificate (note, dashes between lines should be included)

dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/cert/chain-lysator.liu.se.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/cert/ldap.lysator.liu.se.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/cert/ldap.lysator.liu.se.key
-
add: olcTLSVerifyClient
olcTLSVerifyClient: allow

Add using:

ldapadd -Y EXTERNAL -H ldapi:/// -f certs.ldif

Should output:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"

Check it using:

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcTLSCACertificateFile=*)" olcTLSCACertificateFile olcTLSCertificateFile olcTLSCertificateKeyFile olcTLSVerifyClient

Should output:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config
olcTLSCACertificateFile: /etc/ldap/cert/chain-lysator.liu.se.pem
olcTLSCertificateFile: /etc/ldap/cert/ldap.lysator.liu.se.pem
olcTLSCertificateKeyFile: /etc/ldap/cert/ldap.lysator.liu.se.key
olcTLSVerifyClient: allow

Check that admin can login using tls:

ldapsearch -LLL -ZZ -W -H ldap:/// -D "cn=admin,dc=lysator,dc=liu,dc=se" -b "dc=lysator,dc=liu,dc=se" "(cn=admin)" description

Should first query for password, like so:

Enter LDAP Password:

It is the password entered during package configuration.

Then it should print the following:

dn: cn=admin,dc=lysator,dc=liu,dc=se
description: LDAP administrator

== Configure SASL/SSL v2 ==

Put the following in ldif files and apply.

Specify certificate and change verify client to allow (does the default (never) work? (note, dashes between lines should be included)

dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/cert/chain-lysator.liu.se.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/cert/ldap.lysator.liu.se.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/cert/ldap.lysator.liu.se.key
-
add: olcTLSVerifyClient
olcTLSVerifyClient: allow
Add using:

ldapadd -Y EXTERNAL -H ldapi:/// -f certs.ldif

Should output:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"

Check it using:

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcTLSCACertificateFile=*)" olcTLSCACertificateFile olcTLSCertificateFile olcTLSCertificateKeyFile olcTLSVerifyClient

Should output:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config
olcTLSCACertificateFile: /etc/ldap/cert/chain-lysator.liu.se.pem
olcTLSCertificateFile: /etc/ldap/cert/ldap.lysator.liu.se.pem
olcTLSCertificateKeyFile: /etc/ldap/cert/ldap.lysator.liu.se.key
olcTLSVerifyClient: allow

Check that admin can login using tls:

ldapsearch -LLL -ZZ -W -H ldap:/// -D "cn=admin,dc=lysator,dc=liu,dc=se" -b "dc=lysator,dc=liu,dc=se" "(cn=admin)" description

Should first query for password, like so:

Enter LDAP Password:

It is the password entered during package configuration.

Then it should print the following:

dn: cn=admin,dc=lysator,dc=liu,dc=se
description: LDAP administrator

Only allow encrypted connections when accessing the database

dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcSecurity
olcSecurity: tls=1

Add it like so:

ldapadd -Y EXTERNAL -H ldapi:/// -f tls.ldif

Should print:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}mdb,cn=config"

Check that it is in the config:

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcSecurity=*)" olcSecurity | grep olcSecurity

Should output:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
olcSecurity: tls=1

== Allow chsh and chfn ==

= Importing data from NIS =

* Import from nis scripts.
* Autofs conversion.
== Character conversion ==

Check encoding from output when converting from nis to ldap
file -bi <file>

Convert to utf-8
iconv -f <current-encoding> -t utf-8 <file> > <file>-utf8.ldif

== Check top tree nodes in ldap database ==

Before we import data into the database, we should verify that some structures exist.
Also, that admin can login.

ldapsearch -Z -H ldapi:/// -b "dc=lysator,dc=liu,dc=se" -D "cn=admin,dc=lysator,dc=liu,dc=se" -W

Use the password specified during the package configuration.

Should display:

# admin, lysator.liu.se
dn: cn=admin,dc=lysator,dc=liu,dc=se
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: <password-hash>
# search result
search: 3
result: 0 Success
# numResponses: 3
# numEntries: 2

== Configure migrationtools ==

Run this:

apt-get install migrationtools

This installs a number of scripts and configuration tools for converting NIS to ldap.

Configuration files can be found here:

/usr/share/migrationtools

Cruically in :

/etc/migrationtools/migrate_common.ph

Change to the following:

$DEFAULT_MAIL_DOMAIN = "lysator.liu.se";
$DEFAULT_BASE = "dc=lysator,dc=liu,dc=se";

== Importing into ldap database ==

Remember to convert the output of the migration scripts.
Then run this.

ldapadd -Z -H ldapi:/// -D "cn=admin,dc=lysator,dc=liu,dc=se" -W -f nis-utf8.ldif

It will display many lines similar to this:

adding new entry "uid=<user>,ou=<thing>,dc=lysator,dc=liu,dc=se"

And the command may take several seconds to complete (depending on the dataset size).

=== Migrating autofs ===

'''NOTE:''' Migration tools provides a tool to migrate from nis but ueses other objectClasses. Some manuall work is needed to match the schema we use.

'''NOTE:''' Data should be in utf-8 before importing. Don't forget to convert.

Following needs to be converted:
auto.master
auto.home
auto.pkg
auto.lysator

==== auto.master ====
Add
dn: ou=auto.master,ou=automount,dc=lysator,dc=liu,dc=se
ou: auto.master
objectClass: top
objectClass: automountMap

==== Indirect mounts ====
Next is to add entries for /home, /mp and /pkg
Template follows:

dn: cn=/<dir>,ou=auto.master,ou=automount,dc=lysator,dc=liu,dc=se
objectClass: top
objectClass: automount
cn: /<dir>
automountInformation: auto.<file> <mount info>

where dir is mount point e.g /home. File is home for auto.home

For each indirect mount you also have to add a "top" for that "file"
dn: ou=auto.<file>,ou=automount,dc=lysator,dc=liu,dc=se
ou: auto.<file>
objectClass: top
objectClass: automountMap

==== Entry Template ====

dn: cn=<name>,ou=auto.<file>,ou=automount,dc=lysator,dc=liu,dc=se
cn: <name>
objectClass: automount
objectClass: top
automountInformation: -fstype=nfs,rw <additional mount options> <server>:<path>

= Errors & Hell =

=== Implementation Specific Error (80) ===
This can be due to incorrect indentation or possibly that a path to a file specified in the ldif is incorrect. We got this error while trying to add the encryption keys. The path was correct but the files had not been moved there yet.
Implementation Specific Error seems to be a catch all kind of error.

Rootmanual:ldap

2016-11-22T18:09:29Z

Net4all: /* Import AUTOFS schema */

= Useful documentation =

https://wiki.debian.org/LDAP/OpenLDAPSetup

http://www.openldap.org/doc/admin22/index.html

http://www.zytrax.com/books/ldap/ch6/slapd-config.html

https://wiki.debian.org/LDAP/MigrationTools

http://www.openldap.org/doc/admin24/sasl.html

http://techiezone.rottigni.net/2011/12/change-root-dn-password-on-openldap/

https://bobcares.com/blog/kerberos-and-ldap-so-strong-together/

http://www.lichteblau.com/ldapvi/manual/ <-- Super useful for editing

https://www.digitalocean.com/community/tutorials/how-to-encrypt-openldap-connections-using-starttls

= Before you start =

Make sure puppet is updated and ran. Our puppet configuration will install some needed schemas and software needed to follow this installation process.

= Create certs and keytabs =

== Certficates ==

First, generate official certificates.
There should be three files, in our case:

/etc/ldap/cert/chain-lysator.liu.se.pem
/etc/ldap/cert/ldap.lysator.liu.se.pem
/etc/ldap/cert/ldap.lysator.liu.se.key

Make sure that the openldap user has the rights to read these files.

chown -R openldap:openldap /etc/ldap/cert/*
chmod -R 0400 /etc/ldap/cert*

== Kerberos ==

The ldap server needs two keytabs, one for the server itself and one specific to ldap.

The host principal should be located under /etc as with all other machines.

The ldap/ldap.lysator.liu.se principal should be located at /etc/ldap/ldap.keytab and have 440 openldap:openldap.

/etc/default/slapd should be updated with (should already have been configured by puppet)

export KRB5_KTNAME=/etc/ldap/ldap.keytab

= Bootstrap slapd =

First install debian, configure the network and run puppet.
Please see ldap-server in the lysator puppet git repo.

Now, slapd needs to be reconfigured (mainly to set ldap admin password).
Run this:

dpkg-reconfigure -plow slapd

Example answers, note the password <ldap-admin>.

Omit OpenLDAP server configuration? no
DNS nomain name: lysator.liu.se
Organization name: lysator.liu.se
Administrator password: <ldap-admin>
Database backend to use: MDB
Remove database when slapd is purged: no
Move old database: yes
Allow ldapv2 protocol: no

Last, make sure slapd is running:

service slapd start

You should see this in /var/log/syslog:

<date> ldap slapd[XXX]: slapd starting
<data> ldap slapd[XXX]: Starting OpenLDAP: slapd.

= Purgin the database =

To start from scratch:

service slapd stop
rm -r /var/lib/ldap/*
rm -r /etc/ldap/slapd.d/*

= Configure slapd =

The OpenLDAP server (slapd) is configured by making changes to a database call
ed "cn=config".

We need to make a number of changes before we are ready to initialize the normal database with user data.

We make the changes by writing so called ldif files and applying them to the database with the ldapmodify tool.

ldapmodify -Y EXTERNAL -H ldapi:/// -f diff.ldif

For viewing changes we use the following:

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config"

== Configure debug logging ==

Put this in debug.ldif

dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: -1

Run this to change log level.

ldapmodify -Y EXTERNAL -H ldapi:/// -f debug.ldif

Verify using this.

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcLogLevel=*)" olcLogLevel

Borde skriva ut.

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config
olcLogLevel: -1

== Configure more extensive indexing (To be removed)==

Configure slapd to use more indexing to improve performance.
Put this into indexing.ldif

dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: cn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: sn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: uid pres,sub,eq
-
add: olcDbIndex
olcDbIndex: displayName pres,sub,eq
-
add: olcDbIndex
olcDbIndex: default sub
-
add: olcDbIndex
olcDbIndex: uidNumber eq
-
add: olcDbIndex
olcDbIndex: gidNumber eq
-
add: olcDbIndex
olcDbIndex: mail,givenName eq,subinitial
-
add: olcDbIndex
olcDbIndex: dc eq

Run this:

ldapmodify -Y EXTERNAL -H ldapi:/// -f indexing.ldif

== Import NIS User schema ==

Import nis schema
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif

Verify that you can find posixAccount

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" | grep posixAccount

Modify NIS schema, change NetgroupTriple SYNTAX to 1.3.6.1.4.1.1466.115.121.1.26 using ldapvi

ldapvi -h ldapi:/// -D cn=config -Y EXTERNAL -b cn=config

== Import AUTOFS schema ==

Import autofs schema
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/autofs-ldap.ldif

Verify that you can find automount

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" | grep automount

Add top ou for automount to automount.ldif

dn: ou=automount,dc=lysator,dc=liu,dc=se
ou: automount
objectClass: top
objectClass: organizationalUnit

Import using
ldapadd -H ldapi:/// -D "cn=admin,dc=lysator,dc=liu,dc=se" -W -f automount.ldif

Verify using
ldapsearch -Y EXTERNAL -H ldapi:/// -b "dc=lysator,dc=liu,dc=se" "(objectClass=organizationalUnit)"

Following should be in the output
dn: ou=automount,dc=lysator,dc=liu,dc=se
ou: automount
objectClass: top
objectClass: organizationalUnit

== Kerberos Auth ==

Make ldap use kerberos for auth against ldap (e.g database access). This does not cover using kerberos for login.

Add the following to kerb.ldif

dn: cn=config
changetype: modify
add: olcAuthzRegexp
olcAuthzRegexp: uid=(.*),cn=lysator.liu.se,cn=gssapi,cn=auth uid=$1,ou=users,dc=lysator,dc=liu,dc=se

dn: cn=config
changetype: modify
add: olcSaslHost
olcSaslHost: ldap.lysator.liu.se

dn: cn=config
changetype: modify
add: olcSaslRealm
olcSaslRealm: LYSATOR.LIU.SE

Run this:
ldapmodify -Y EXTERNAL -H ldapi:/// -f kerb.ldif

Verify by running

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcAuthzRegexp=*)" olcAuthzRegexp

Should output
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config
olcAuthzRegexp: {0}uid=(.*),cn=lysator.liu.se,cn=gssapi,cn=auth uid=$1,ou=users,dc=lysator,dc=liu,dc=se

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcSaslHost=*)" olcSaslHost

Should output
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config
olcSaslHost: ldap.lysator.liu.se

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcSaslRealm=*)" olcSaslRealm

Should output
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config
olcSaslRealm: LYSATOR.LIU.SE

Verify that the output matches the same as configured above

Next, add 'export KRB5_KTNAME=/etc/ldap/ldap.keytab' to /etc/default/slapd (there should be a similar entry where you can put this line)

== Configure SASL/SSL ==

Put the following in ldif files and apply.

Only use tls.

dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcSecurity
olcSecurity: tls=1

Add it like so:

ldapadd -Y EXTERNAL -H ldapi:/// -f tls.ldif

Should print:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}mdb,cn=config"

Check that it is in the config:

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcSecurity=*)" olcSecurity | grep olcSecurity

Should output:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
olcSecurity: tls=1

Specify certificate (note, dashes between lines should be included)

dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/cert/chain-lysator.liu.se.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/cert/ldap.lysator.liu.se.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/cert/ldap.lysator.liu.se.key
-
add: olcTLSVerifyClient
olcTLSVerifyClient: allow

Add using:

ldapadd -Y EXTERNAL -H ldapi:/// -f certs.ldif

Should output:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"

Check it using:

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcTLSCACertificateFile=*)" olcTLSCACertificateFile olcTLSCertificateFile olcTLSCertificateKeyFile olcTLSVerifyClient

Should output:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config
olcTLSCACertificateFile: /etc/ldap/cert/chain-lysator.liu.se.pem
olcTLSCertificateFile: /etc/ldap/cert/ldap.lysator.liu.se.pem
olcTLSCertificateKeyFile: /etc/ldap/cert/ldap.lysator.liu.se.key
olcTLSVerifyClient: allow

Check that admin can login using tls:

ldapsearch -LLL -ZZ -W -H ldap:/// -D "cn=admin,dc=lysator,dc=liu,dc=se" -b "dc=lysator,dc=liu,dc=se" "(cn=admin)" description

Should first query for password, like so:

Enter LDAP Password:

It is the password entered during package configuration.

Then it should print the following:

dn: cn=admin,dc=lysator,dc=liu,dc=se
description: LDAP administrator

== Configure SASL/SSL v2 ==

Put the following in ldif files and apply.

Specify certificate and change verify client to allow (does the default (never) work? (note, dashes between lines should be included)

dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/cert/chain-lysator.liu.se.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/cert/ldap.lysator.liu.se.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/cert/ldap.lysator.liu.se.key
-
add: olcTLSVerifyClient
olcTLSVerifyClient: allow
Add using:

ldapadd -Y EXTERNAL -H ldapi:/// -f certs.ldif

Should output:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"

Check it using:

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcTLSCACertificateFile=*)" olcTLSCACertificateFile olcTLSCertificateFile olcTLSCertificateKeyFile olcTLSVerifyClient

Should output:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config
olcTLSCACertificateFile: /etc/ldap/cert/chain-lysator.liu.se.pem
olcTLSCertificateFile: /etc/ldap/cert/ldap.lysator.liu.se.pem
olcTLSCertificateKeyFile: /etc/ldap/cert/ldap.lysator.liu.se.key
olcTLSVerifyClient: allow

Check that admin can login using tls:

ldapsearch -LLL -ZZ -W -H ldap:/// -D "cn=admin,dc=lysator,dc=liu,dc=se" -b "dc=lysator,dc=liu,dc=se" "(cn=admin)" description

Should first query for password, like so:

Enter LDAP Password:

It is the password entered during package configuration.

Then it should print the following:

dn: cn=admin,dc=lysator,dc=liu,dc=se
description: LDAP administrator

Only allow encrypted connections when accessing the database

dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcSecurity
olcSecurity: tls=1

Add it like so:

ldapadd -Y EXTERNAL -H ldapi:/// -f tls.ldif

Should print:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}mdb,cn=config"

Check that it is in the config:

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcSecurity=*)" olcSecurity | grep olcSecurity

Should output:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
olcSecurity: tls=1

== Allow chsh and chfn ==

= Importing data from NIS =

* Import from nis scripts.
* Autofs conversion.
== Character conversion ==

Check encoding from output when converting from nis to ldap
file -bi <file>

Convert to utf-8
iconv -f <current-encoding> -t utf-8 <file> > <file>-utf8.ldif

== Check top tree nodes in ldap database ==

Before we import data into the database, we should verify that some structures exist.
Also, that admin can login.

ldapsearch -Z -H ldapi:/// -b "dc=lysator,dc=liu,dc=se" -D "cn=admin,dc=lysator,dc=liu,dc=se" -W

Use the password specified during the package configuration.

Should display:

# admin, lysator.liu.se
dn: cn=admin,dc=lysator,dc=liu,dc=se
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: <password-hash>
# search result
search: 3
result: 0 Success
# numResponses: 3
# numEntries: 2

== Configure migrationtools ==

Run this:

apt-get install migrationtools

This installs a number of scripts and configuration tools for converting NIS to ldap.

Configuration files can be found here:

/usr/share/migrationtools

Cruically in :

/etc/migrationtools/migrate_common.ph

Change to the following:

$DEFAULT_MAIL_DOMAIN = "lysator.liu.se";
$DEFAULT_BASE = "dc=lysator,dc=liu,dc=se";

== Importing into ldap database ==

Remember to convert the output of the migration scripts.
Then run this.

ldapadd -Z -H ldapi:/// -D "cn=admin,dc=lysator,dc=liu,dc=se" -W -f nis-utf8.ldif

It will display many lines similar to this:

adding new entry "uid=<user>,ou=<thing>,dc=lysator,dc=liu,dc=se"

And the command may take several seconds to complete (depending on the dataset size).

=== Migrating autofs ===

'''NOTE:''' Migration tools provides a tool to migrate from nis but ueses other objectClasses. Some manuall work is needed to match the schema we use.

'''NOTE:''' Data should be in utf-8 before importing. Don't forget to convert.

Following needs to be converted:
auto.master
auto.home
auto.pkg
auto.lysator

==== auto.master ====
Add
dn: ou=auto.master,ou=automount,dc=lysator,dc=liu,dc=se
ou: auto.master
objectClass: top
objectClass: automountMap

==== Indirect mounts ====
Next is to add entries for /home, /mp and /pkg
Template follows:

dn: cn=/<dir>,ou=auto.master,ou=automount,dc=lysator,dc=liu,dc=se
objectClass: top
objectClass: automount
cn: /<dir>
automountInformation: auto.<file> <mount info>

where dir is mount point e.g /home. File is home for auto.home

For each indirect mount you also have to add a "top" for that "file"
dn: ou=auto.<file>,ou=automount,dc=lysator,dc=liu,dc=se
ou: auto.<file>
objectClass: top
objectClass: automountMap

==== Entry Template ====

dn: cn=<name>,ou=auto.<file>,ou=automount,dc=lysator,dc=liu,dc=se
cn: <name>
objectClass: automount
objectClass: top
automountInformation: -fstype=nfs,rw <additional mount options> <server>:<path>

= Errors & Hell =

=== Implementation Specific Error (80) ===
This can be due to incorrect indentation or possibly that a path to a file specified in the ldif is incorrect. We got this error while trying to add the encryption keys. The path was correct but the files had not been moved there yet.
Implementation Specific Error seems to be a catch all kind of error.

Rootmanual:ldap

2016-11-22T18:08:50Z

Net4all: /* Import AUTOFS schema */

= Useful documentation =

https://wiki.debian.org/LDAP/OpenLDAPSetup

http://www.openldap.org/doc/admin22/index.html

http://www.zytrax.com/books/ldap/ch6/slapd-config.html

https://wiki.debian.org/LDAP/MigrationTools

http://www.openldap.org/doc/admin24/sasl.html

http://techiezone.rottigni.net/2011/12/change-root-dn-password-on-openldap/

https://bobcares.com/blog/kerberos-and-ldap-so-strong-together/

http://www.lichteblau.com/ldapvi/manual/ <-- Super useful for editing

https://www.digitalocean.com/community/tutorials/how-to-encrypt-openldap-connections-using-starttls

= Before you start =

Make sure puppet is updated and ran. Our puppet configuration will install some needed schemas and software needed to follow this installation process.

= Create certs and keytabs =

== Certficates ==

First, generate official certificates.
There should be three files, in our case:

/etc/ldap/cert/chain-lysator.liu.se.pem
/etc/ldap/cert/ldap.lysator.liu.se.pem
/etc/ldap/cert/ldap.lysator.liu.se.key

Make sure that the openldap user has the rights to read these files.

chown -R openldap:openldap /etc/ldap/cert/*
chmod -R 0400 /etc/ldap/cert*

== Kerberos ==

The ldap server needs two keytabs, one for the server itself and one specific to ldap.

The host principal should be located under /etc as with all other machines.

The ldap/ldap.lysator.liu.se principal should be located at /etc/ldap/ldap.keytab and have 440 openldap:openldap.

/etc/default/slapd should be updated with (should already have been configured by puppet)

export KRB5_KTNAME=/etc/ldap/ldap.keytab

= Bootstrap slapd =

First install debian, configure the network and run puppet.
Please see ldap-server in the lysator puppet git repo.

Now, slapd needs to be reconfigured (mainly to set ldap admin password).
Run this:

dpkg-reconfigure -plow slapd

Example answers, note the password <ldap-admin>.

Omit OpenLDAP server configuration? no
DNS nomain name: lysator.liu.se
Organization name: lysator.liu.se
Administrator password: <ldap-admin>
Database backend to use: MDB
Remove database when slapd is purged: no
Move old database: yes
Allow ldapv2 protocol: no

Last, make sure slapd is running:

service slapd start

You should see this in /var/log/syslog:

<date> ldap slapd[XXX]: slapd starting
<data> ldap slapd[XXX]: Starting OpenLDAP: slapd.

= Purgin the database =

To start from scratch:

service slapd stop
rm -r /var/lib/ldap/*
rm -r /etc/ldap/slapd.d/*

= Configure slapd =

The OpenLDAP server (slapd) is configured by making changes to a database call
ed "cn=config".

We need to make a number of changes before we are ready to initialize the normal database with user data.

We make the changes by writing so called ldif files and applying them to the database with the ldapmodify tool.

ldapmodify -Y EXTERNAL -H ldapi:/// -f diff.ldif

For viewing changes we use the following:

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config"

== Configure debug logging ==

Put this in debug.ldif

dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: -1

Run this to change log level.

ldapmodify -Y EXTERNAL -H ldapi:/// -f debug.ldif

Verify using this.

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcLogLevel=*)" olcLogLevel

Borde skriva ut.

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config
olcLogLevel: -1

== Configure more extensive indexing (To be removed)==

Configure slapd to use more indexing to improve performance.
Put this into indexing.ldif

dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: cn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: sn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: uid pres,sub,eq
-
add: olcDbIndex
olcDbIndex: displayName pres,sub,eq
-
add: olcDbIndex
olcDbIndex: default sub
-
add: olcDbIndex
olcDbIndex: uidNumber eq
-
add: olcDbIndex
olcDbIndex: gidNumber eq
-
add: olcDbIndex
olcDbIndex: mail,givenName eq,subinitial
-
add: olcDbIndex
olcDbIndex: dc eq

Run this:

ldapmodify -Y EXTERNAL -H ldapi:/// -f indexing.ldif

== Import NIS User schema ==

Import nis schema
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif

Verify that you can find posixAccount

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" | grep posixAccount

Modify NIS schema, change NetgroupTriple SYNTAX to 1.3.6.1.4.1.1466.115.121.1.26 using ldapvi

ldapvi -h ldapi:/// -D cn=config -Y EXTERNAL -b cn=config

== Import AUTOFS schema ==

Import autofs schema
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/autofs-ldap.ldif

Verify that you can find automount

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" | grep automount

Add top ou for automount to automount.ldif

dn: ou=automount,dc=lysator,dc=liu,dc=se
ou: automount
objectClass: top
objectClass: organizationalUnit

Import using
ldapadd -H ldapi:/// -D "cn=admin,dc=lysator,dc=liu,dc=se" -W -f automount.ldif

Verify using
ldapsearch -Y EXTERNAL -H ldapi:/// -b "dc=lysator,dc=liu,dc=se" "(objectClass=organizationalUnit)"

Following should be in the output
# auto.master, automount, lysator.liu.se
dn: ou=auto.master,ou=automount,dc=lysator,dc=liu,dc=se
ou: auto.master
objectClass: top
objectClass: automountMap

== Kerberos Auth ==

Make ldap use kerberos for auth against ldap (e.g database access). This does not cover using kerberos for login.

Add the following to kerb.ldif

dn: cn=config
changetype: modify
add: olcAuthzRegexp
olcAuthzRegexp: uid=(.*),cn=lysator.liu.se,cn=gssapi,cn=auth uid=$1,ou=users,dc=lysator,dc=liu,dc=se

dn: cn=config
changetype: modify
add: olcSaslHost
olcSaslHost: ldap.lysator.liu.se

dn: cn=config
changetype: modify
add: olcSaslRealm
olcSaslRealm: LYSATOR.LIU.SE

Run this:
ldapmodify -Y EXTERNAL -H ldapi:/// -f kerb.ldif

Verify by running

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcAuthzRegexp=*)" olcAuthzRegexp

Should output
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config
olcAuthzRegexp: {0}uid=(.*),cn=lysator.liu.se,cn=gssapi,cn=auth uid=$1,ou=users,dc=lysator,dc=liu,dc=se

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcSaslHost=*)" olcSaslHost

Should output
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config
olcSaslHost: ldap.lysator.liu.se

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcSaslRealm=*)" olcSaslRealm

Should output
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config
olcSaslRealm: LYSATOR.LIU.SE

Verify that the output matches the same as configured above

Next, add 'export KRB5_KTNAME=/etc/ldap/ldap.keytab' to /etc/default/slapd (there should be a similar entry where you can put this line)

== Configure SASL/SSL ==

Put the following in ldif files and apply.

Only use tls.

dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcSecurity
olcSecurity: tls=1

Add it like so:

ldapadd -Y EXTERNAL -H ldapi:/// -f tls.ldif

Should print:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}mdb,cn=config"

Check that it is in the config:

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcSecurity=*)" olcSecurity | grep olcSecurity

Should output:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
olcSecurity: tls=1

Specify certificate (note, dashes between lines should be included)

dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/cert/chain-lysator.liu.se.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/cert/ldap.lysator.liu.se.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/cert/ldap.lysator.liu.se.key
-
add: olcTLSVerifyClient
olcTLSVerifyClient: allow

Add using:

ldapadd -Y EXTERNAL -H ldapi:/// -f certs.ldif

Should output:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"

Check it using:

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcTLSCACertificateFile=*)" olcTLSCACertificateFile olcTLSCertificateFile olcTLSCertificateKeyFile olcTLSVerifyClient

Should output:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config
olcTLSCACertificateFile: /etc/ldap/cert/chain-lysator.liu.se.pem
olcTLSCertificateFile: /etc/ldap/cert/ldap.lysator.liu.se.pem
olcTLSCertificateKeyFile: /etc/ldap/cert/ldap.lysator.liu.se.key
olcTLSVerifyClient: allow

Check that admin can login using tls:

ldapsearch -LLL -ZZ -W -H ldap:/// -D "cn=admin,dc=lysator,dc=liu,dc=se" -b "dc=lysator,dc=liu,dc=se" "(cn=admin)" description

Should first query for password, like so:

Enter LDAP Password:

It is the password entered during package configuration.

Then it should print the following:

dn: cn=admin,dc=lysator,dc=liu,dc=se
description: LDAP administrator

== Configure SASL/SSL v2 ==

Put the following in ldif files and apply.

Specify certificate and change verify client to allow (does the default (never) work? (note, dashes between lines should be included)

dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/cert/chain-lysator.liu.se.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/cert/ldap.lysator.liu.se.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/cert/ldap.lysator.liu.se.key
-
add: olcTLSVerifyClient
olcTLSVerifyClient: allow
Add using:

ldapadd -Y EXTERNAL -H ldapi:/// -f certs.ldif

Should output:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"

Check it using:

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcTLSCACertificateFile=*)" olcTLSCACertificateFile olcTLSCertificateFile olcTLSCertificateKeyFile olcTLSVerifyClient

Should output:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config
olcTLSCACertificateFile: /etc/ldap/cert/chain-lysator.liu.se.pem
olcTLSCertificateFile: /etc/ldap/cert/ldap.lysator.liu.se.pem
olcTLSCertificateKeyFile: /etc/ldap/cert/ldap.lysator.liu.se.key
olcTLSVerifyClient: allow

Check that admin can login using tls:

ldapsearch -LLL -ZZ -W -H ldap:/// -D "cn=admin,dc=lysator,dc=liu,dc=se" -b "dc=lysator,dc=liu,dc=se" "(cn=admin)" description

Should first query for password, like so:

Enter LDAP Password:

It is the password entered during package configuration.

Then it should print the following:

dn: cn=admin,dc=lysator,dc=liu,dc=se
description: LDAP administrator

Only allow encrypted connections when accessing the database

dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcSecurity
olcSecurity: tls=1

Add it like so:

ldapadd -Y EXTERNAL -H ldapi:/// -f tls.ldif

Should print:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}mdb,cn=config"

Check that it is in the config:

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcSecurity=*)" olcSecurity | grep olcSecurity

Should output:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
olcSecurity: tls=1

== Allow chsh and chfn ==

= Importing data from NIS =

* Import from nis scripts.
* Autofs conversion.
== Character conversion ==

Check encoding from output when converting from nis to ldap
file -bi <file>

Convert to utf-8
iconv -f <current-encoding> -t utf-8 <file> > <file>-utf8.ldif

== Check top tree nodes in ldap database ==

Before we import data into the database, we should verify that some structures exist.
Also, that admin can login.

ldapsearch -Z -H ldapi:/// -b "dc=lysator,dc=liu,dc=se" -D "cn=admin,dc=lysator,dc=liu,dc=se" -W

Use the password specified during the package configuration.

Should display:

# admin, lysator.liu.se
dn: cn=admin,dc=lysator,dc=liu,dc=se
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: <password-hash>
# search result
search: 3
result: 0 Success
# numResponses: 3
# numEntries: 2

== Configure migrationtools ==

Run this:

apt-get install migrationtools

This installs a number of scripts and configuration tools for converting NIS to ldap.

Configuration files can be found here:

/usr/share/migrationtools

Cruically in :

/etc/migrationtools/migrate_common.ph

Change to the following:

$DEFAULT_MAIL_DOMAIN = "lysator.liu.se";
$DEFAULT_BASE = "dc=lysator,dc=liu,dc=se";

== Importing into ldap database ==

Remember to convert the output of the migration scripts.
Then run this.

ldapadd -Z -H ldapi:/// -D "cn=admin,dc=lysator,dc=liu,dc=se" -W -f nis-utf8.ldif

It will display many lines similar to this:

adding new entry "uid=<user>,ou=<thing>,dc=lysator,dc=liu,dc=se"

And the command may take several seconds to complete (depending on the dataset size).

=== Migrating autofs ===

'''NOTE:''' Migration tools provides a tool to migrate from nis but ueses other objectClasses. Some manuall work is needed to match the schema we use.

'''NOTE:''' Data should be in utf-8 before importing. Don't forget to convert.

Following needs to be converted:
auto.master
auto.home
auto.pkg
auto.lysator

==== auto.master ====
Add
dn: ou=auto.master,ou=automount,dc=lysator,dc=liu,dc=se
ou: auto.master
objectClass: top
objectClass: automountMap

==== Indirect mounts ====
Next is to add entries for /home, /mp and /pkg
Template follows:

dn: cn=/<dir>,ou=auto.master,ou=automount,dc=lysator,dc=liu,dc=se
objectClass: top
objectClass: automount
cn: /<dir>
automountInformation: auto.<file> <mount info>

where dir is mount point e.g /home. File is home for auto.home

For each indirect mount you also have to add a "top" for that "file"
dn: ou=auto.<file>,ou=automount,dc=lysator,dc=liu,dc=se
ou: auto.<file>
objectClass: top
objectClass: automountMap

==== Entry Template ====

dn: cn=<name>,ou=auto.<file>,ou=automount,dc=lysator,dc=liu,dc=se
cn: <name>
objectClass: automount
objectClass: top
automountInformation: -fstype=nfs,rw <additional mount options> <server>:<path>

= Errors & Hell =

=== Implementation Specific Error (80) ===
This can be due to incorrect indentation or possibly that a path to a file specified in the ldif is incorrect. We got this error while trying to add the encryption keys. The path was correct but the files had not been moved there yet.
Implementation Specific Error seems to be a catch all kind of error.

Rootmanual:ldap

2016-11-22T18:07:46Z

Net4all: /* Import AUTOFS schema */

= Useful documentation =

https://wiki.debian.org/LDAP/OpenLDAPSetup

http://www.openldap.org/doc/admin22/index.html

http://www.zytrax.com/books/ldap/ch6/slapd-config.html

https://wiki.debian.org/LDAP/MigrationTools

http://www.openldap.org/doc/admin24/sasl.html

http://techiezone.rottigni.net/2011/12/change-root-dn-password-on-openldap/

https://bobcares.com/blog/kerberos-and-ldap-so-strong-together/

http://www.lichteblau.com/ldapvi/manual/ <-- Super useful for editing

https://www.digitalocean.com/community/tutorials/how-to-encrypt-openldap-connections-using-starttls

= Before you start =

Make sure puppet is updated and ran. Our puppet configuration will install some needed schemas and software needed to follow this installation process.

= Create certs and keytabs =

== Certficates ==

First, generate official certificates.
There should be three files, in our case:

/etc/ldap/cert/chain-lysator.liu.se.pem
/etc/ldap/cert/ldap.lysator.liu.se.pem
/etc/ldap/cert/ldap.lysator.liu.se.key

Make sure that the openldap user has the rights to read these files.

chown -R openldap:openldap /etc/ldap/cert/*
chmod -R 0400 /etc/ldap/cert*

== Kerberos ==

The ldap server needs two keytabs, one for the server itself and one specific to ldap.

The host principal should be located under /etc as with all other machines.

The ldap/ldap.lysator.liu.se principal should be located at /etc/ldap/ldap.keytab and have 440 openldap:openldap.

/etc/default/slapd should be updated with (should already have been configured by puppet)

export KRB5_KTNAME=/etc/ldap/ldap.keytab

= Bootstrap slapd =

First install debian, configure the network and run puppet.
Please see ldap-server in the lysator puppet git repo.

Now, slapd needs to be reconfigured (mainly to set ldap admin password).
Run this:

dpkg-reconfigure -plow slapd

Example answers, note the password <ldap-admin>.

Omit OpenLDAP server configuration? no
DNS nomain name: lysator.liu.se
Organization name: lysator.liu.se
Administrator password: <ldap-admin>
Database backend to use: MDB
Remove database when slapd is purged: no
Move old database: yes
Allow ldapv2 protocol: no

Last, make sure slapd is running:

service slapd start

You should see this in /var/log/syslog:

<date> ldap slapd[XXX]: slapd starting
<data> ldap slapd[XXX]: Starting OpenLDAP: slapd.

= Purgin the database =

To start from scratch:

service slapd stop
rm -r /var/lib/ldap/*
rm -r /etc/ldap/slapd.d/*

= Configure slapd =

The OpenLDAP server (slapd) is configured by making changes to a database call
ed "cn=config".

We need to make a number of changes before we are ready to initialize the normal database with user data.

We make the changes by writing so called ldif files and applying them to the database with the ldapmodify tool.

ldapmodify -Y EXTERNAL -H ldapi:/// -f diff.ldif

For viewing changes we use the following:

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config"

== Configure debug logging ==

Put this in debug.ldif

dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: -1

Run this to change log level.

ldapmodify -Y EXTERNAL -H ldapi:/// -f debug.ldif

Verify using this.

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcLogLevel=*)" olcLogLevel

Borde skriva ut.

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config
olcLogLevel: -1

== Configure more extensive indexing (To be removed)==

Configure slapd to use more indexing to improve performance.
Put this into indexing.ldif

dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: cn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: sn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: uid pres,sub,eq
-
add: olcDbIndex
olcDbIndex: displayName pres,sub,eq
-
add: olcDbIndex
olcDbIndex: default sub
-
add: olcDbIndex
olcDbIndex: uidNumber eq
-
add: olcDbIndex
olcDbIndex: gidNumber eq
-
add: olcDbIndex
olcDbIndex: mail,givenName eq,subinitial
-
add: olcDbIndex
olcDbIndex: dc eq

Run this:

ldapmodify -Y EXTERNAL -H ldapi:/// -f indexing.ldif

== Import NIS User schema ==

Import nis schema
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif

Verify that you can find posixAccount

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" | grep posixAccount

Modify NIS schema, change NetgroupTriple SYNTAX to 1.3.6.1.4.1.1466.115.121.1.26 using ldapvi

ldapvi -h ldapi:/// -D cn=config -Y EXTERNAL -b cn=config

== Import AUTOFS schema ==

Import autofs schema
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/autofs-ldap.ldif

Verify that you can find automount

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" | grep automount

Add top ou for automount to automount.ldif

dn: ou=automount,dc=lysator,dc=liu,dc=se
ou: automount
objectClass: top
objectClass: organizationalUnit

Import using
ldapadd -H ldapi:/// -D "cn=admin,dc=lysator,dc=liu,dc=se" -W -f automount.ldif

Verify using
ldapsearch -Y EXTERNAL -H ldapi:/// -b "dc=lysator,dc=liu,dc=se" "(objectClass=aorganizationalUnit)"

Following should be in the output
# auto.master, automount, lysator.liu.se
dn: ou=auto.master,ou=automount,dc=lysator,dc=liu,dc=se
ou: auto.master
objectClass: top
objectClass: automountMap

== Kerberos Auth ==

Make ldap use kerberos for auth against ldap (e.g database access). This does not cover using kerberos for login.

Add the following to kerb.ldif

dn: cn=config
changetype: modify
add: olcAuthzRegexp
olcAuthzRegexp: uid=(.*),cn=lysator.liu.se,cn=gssapi,cn=auth uid=$1,ou=users,dc=lysator,dc=liu,dc=se

dn: cn=config
changetype: modify
add: olcSaslHost
olcSaslHost: ldap.lysator.liu.se

dn: cn=config
changetype: modify
add: olcSaslRealm
olcSaslRealm: LYSATOR.LIU.SE

Run this:
ldapmodify -Y EXTERNAL -H ldapi:/// -f kerb.ldif

Verify by running

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcAuthzRegexp=*)" olcAuthzRegexp

Should output
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config
olcAuthzRegexp: {0}uid=(.*),cn=lysator.liu.se,cn=gssapi,cn=auth uid=$1,ou=users,dc=lysator,dc=liu,dc=se

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcSaslHost=*)" olcSaslHost

Should output
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config
olcSaslHost: ldap.lysator.liu.se

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcSaslRealm=*)" olcSaslRealm

Should output
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config
olcSaslRealm: LYSATOR.LIU.SE

Verify that the output matches the same as configured above

Next, add 'export KRB5_KTNAME=/etc/ldap/ldap.keytab' to /etc/default/slapd (there should be a similar entry where you can put this line)

== Configure SASL/SSL ==

Put the following in ldif files and apply.

Only use tls.

dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcSecurity
olcSecurity: tls=1

Add it like so:

ldapadd -Y EXTERNAL -H ldapi:/// -f tls.ldif

Should print:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}mdb,cn=config"

Check that it is in the config:

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcSecurity=*)" olcSecurity | grep olcSecurity

Should output:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
olcSecurity: tls=1

Specify certificate (note, dashes between lines should be included)

dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/cert/chain-lysator.liu.se.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/cert/ldap.lysator.liu.se.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/cert/ldap.lysator.liu.se.key
-
add: olcTLSVerifyClient
olcTLSVerifyClient: allow

Add using:

ldapadd -Y EXTERNAL -H ldapi:/// -f certs.ldif

Should output:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"

Check it using:

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcTLSCACertificateFile=*)" olcTLSCACertificateFile olcTLSCertificateFile olcTLSCertificateKeyFile olcTLSVerifyClient

Should output:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config
olcTLSCACertificateFile: /etc/ldap/cert/chain-lysator.liu.se.pem
olcTLSCertificateFile: /etc/ldap/cert/ldap.lysator.liu.se.pem
olcTLSCertificateKeyFile: /etc/ldap/cert/ldap.lysator.liu.se.key
olcTLSVerifyClient: allow

Check that admin can login using tls:

ldapsearch -LLL -ZZ -W -H ldap:/// -D "cn=admin,dc=lysator,dc=liu,dc=se" -b "dc=lysator,dc=liu,dc=se" "(cn=admin)" description

Should first query for password, like so:

Enter LDAP Password:

It is the password entered during package configuration.

Then it should print the following:

dn: cn=admin,dc=lysator,dc=liu,dc=se
description: LDAP administrator

== Configure SASL/SSL v2 ==

Put the following in ldif files and apply.

Specify certificate and change verify client to allow (does the default (never) work? (note, dashes between lines should be included)

dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/cert/chain-lysator.liu.se.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/cert/ldap.lysator.liu.se.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/cert/ldap.lysator.liu.se.key
-
add: olcTLSVerifyClient
olcTLSVerifyClient: allow
Add using:

ldapadd -Y EXTERNAL -H ldapi:/// -f certs.ldif

Should output:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"

Check it using:

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcTLSCACertificateFile=*)" olcTLSCACertificateFile olcTLSCertificateFile olcTLSCertificateKeyFile olcTLSVerifyClient

Should output:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config
olcTLSCACertificateFile: /etc/ldap/cert/chain-lysator.liu.se.pem
olcTLSCertificateFile: /etc/ldap/cert/ldap.lysator.liu.se.pem
olcTLSCertificateKeyFile: /etc/ldap/cert/ldap.lysator.liu.se.key
olcTLSVerifyClient: allow

Check that admin can login using tls:

ldapsearch -LLL -ZZ -W -H ldap:/// -D "cn=admin,dc=lysator,dc=liu,dc=se" -b "dc=lysator,dc=liu,dc=se" "(cn=admin)" description

Should first query for password, like so:

Enter LDAP Password:

It is the password entered during package configuration.

Then it should print the following:

dn: cn=admin,dc=lysator,dc=liu,dc=se
description: LDAP administrator

Only allow encrypted connections when accessing the database

dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcSecurity
olcSecurity: tls=1

Add it like so:

ldapadd -Y EXTERNAL -H ldapi:/// -f tls.ldif

Should print:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}mdb,cn=config"

Check that it is in the config:

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcSecurity=*)" olcSecurity | grep olcSecurity

Should output:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
olcSecurity: tls=1

== Allow chsh and chfn ==

= Importing data from NIS =

* Import from nis scripts.
* Autofs conversion.
== Character conversion ==

Check encoding from output when converting from nis to ldap
file -bi <file>

Convert to utf-8
iconv -f <current-encoding> -t utf-8 <file> > <file>-utf8.ldif

== Check top tree nodes in ldap database ==

Before we import data into the database, we should verify that some structures exist.
Also, that admin can login.

ldapsearch -Z -H ldapi:/// -b "dc=lysator,dc=liu,dc=se" -D "cn=admin,dc=lysator,dc=liu,dc=se" -W

Use the password specified during the package configuration.

Should display:

# admin, lysator.liu.se
dn: cn=admin,dc=lysator,dc=liu,dc=se
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: <password-hash>
# search result
search: 3
result: 0 Success
# numResponses: 3
# numEntries: 2

== Configure migrationtools ==

Run this:

apt-get install migrationtools

This installs a number of scripts and configuration tools for converting NIS to ldap.

Configuration files can be found here:

/usr/share/migrationtools

Cruically in :

/etc/migrationtools/migrate_common.ph

Change to the following:

$DEFAULT_MAIL_DOMAIN = "lysator.liu.se";
$DEFAULT_BASE = "dc=lysator,dc=liu,dc=se";

== Importing into ldap database ==

Remember to convert the output of the migration scripts.
Then run this.

ldapadd -Z -H ldapi:/// -D "cn=admin,dc=lysator,dc=liu,dc=se" -W -f nis-utf8.ldif

It will display many lines similar to this:

adding new entry "uid=<user>,ou=<thing>,dc=lysator,dc=liu,dc=se"

And the command may take several seconds to complete (depending on the dataset size).

=== Migrating autofs ===

'''NOTE:''' Migration tools provides a tool to migrate from nis but ueses other objectClasses. Some manuall work is needed to match the schema we use.

'''NOTE:''' Data should be in utf-8 before importing. Don't forget to convert.

Following needs to be converted:
auto.master
auto.home
auto.pkg
auto.lysator

==== auto.master ====
Add
dn: ou=auto.master,ou=automount,dc=lysator,dc=liu,dc=se
ou: auto.master
objectClass: top
objectClass: automountMap

==== Indirect mounts ====
Next is to add entries for /home, /mp and /pkg
Template follows:

dn: cn=/<dir>,ou=auto.master,ou=automount,dc=lysator,dc=liu,dc=se
objectClass: top
objectClass: automount
cn: /<dir>
automountInformation: auto.<file> <mount info>

where dir is mount point e.g /home. File is home for auto.home

For each indirect mount you also have to add a "top" for that "file"
dn: ou=auto.<file>,ou=automount,dc=lysator,dc=liu,dc=se
ou: auto.<file>
objectClass: top
objectClass: automountMap

==== Entry Template ====

dn: cn=<name>,ou=auto.<file>,ou=automount,dc=lysator,dc=liu,dc=se
cn: <name>
objectClass: automount
objectClass: top
automountInformation: -fstype=nfs,rw <additional mount options> <server>:<path>

= Errors & Hell =

=== Implementation Specific Error (80) ===
This can be due to incorrect indentation or possibly that a path to a file specified in the ldif is incorrect. We got this error while trying to add the encryption keys. The path was correct but the files had not been moved there yet.
Implementation Specific Error seems to be a catch all kind of error.

Rootmanual:ldap

2016-11-22T17:56:10Z

Net4all: /* Import NIS User schema */

= Useful documentation =

https://wiki.debian.org/LDAP/OpenLDAPSetup

http://www.openldap.org/doc/admin22/index.html

http://www.zytrax.com/books/ldap/ch6/slapd-config.html

https://wiki.debian.org/LDAP/MigrationTools

http://www.openldap.org/doc/admin24/sasl.html

http://techiezone.rottigni.net/2011/12/change-root-dn-password-on-openldap/

https://bobcares.com/blog/kerberos-and-ldap-so-strong-together/

http://www.lichteblau.com/ldapvi/manual/ <-- Super useful for editing

https://www.digitalocean.com/community/tutorials/how-to-encrypt-openldap-connections-using-starttls

= Before you start =

Make sure puppet is updated and ran. Our puppet configuration will install some needed schemas and software needed to follow this installation process.

= Create certs and keytabs =

== Certficates ==

First, generate official certificates.
There should be three files, in our case:

/etc/ldap/cert/chain-lysator.liu.se.pem
/etc/ldap/cert/ldap.lysator.liu.se.pem
/etc/ldap/cert/ldap.lysator.liu.se.key

Make sure that the openldap user has the rights to read these files.

chown -R openldap:openldap /etc/ldap/cert/*
chmod -R 0400 /etc/ldap/cert*

== Kerberos ==

The ldap server needs two keytabs, one for the server itself and one specific to ldap.

The host principal should be located under /etc as with all other machines.

The ldap/ldap.lysator.liu.se principal should be located at /etc/ldap/ldap.keytab and have 440 openldap:openldap.

/etc/default/slapd should be updated with (should already have been configured by puppet)

export KRB5_KTNAME=/etc/ldap/ldap.keytab

= Bootstrap slapd =

First install debian, configure the network and run puppet.
Please see ldap-server in the lysator puppet git repo.

Now, slapd needs to be reconfigured (mainly to set ldap admin password).
Run this:

dpkg-reconfigure -plow slapd

Example answers, note the password <ldap-admin>.

Omit OpenLDAP server configuration? no
DNS nomain name: lysator.liu.se
Organization name: lysator.liu.se
Administrator password: <ldap-admin>
Database backend to use: MDB
Remove database when slapd is purged: no
Move old database: yes
Allow ldapv2 protocol: no

Last, make sure slapd is running:

service slapd start

You should see this in /var/log/syslog:

<date> ldap slapd[XXX]: slapd starting
<data> ldap slapd[XXX]: Starting OpenLDAP: slapd.

= Purgin the database =

To start from scratch:

service slapd stop
rm -r /var/lib/ldap/*
rm -r /etc/ldap/slapd.d/*

= Configure slapd =

The OpenLDAP server (slapd) is configured by making changes to a database call
ed "cn=config".

We need to make a number of changes before we are ready to initialize the normal database with user data.

We make the changes by writing so called ldif files and applying them to the database with the ldapmodify tool.

ldapmodify -Y EXTERNAL -H ldapi:/// -f diff.ldif

For viewing changes we use the following:

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config"

== Configure debug logging ==

Put this in debug.ldif

dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: -1

Run this to change log level.

ldapmodify -Y EXTERNAL -H ldapi:/// -f debug.ldif

Verify using this.

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcLogLevel=*)" olcLogLevel

Borde skriva ut.

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config
olcLogLevel: -1

== Configure more extensive indexing (To be removed)==

Configure slapd to use more indexing to improve performance.
Put this into indexing.ldif

dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: cn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: sn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: uid pres,sub,eq
-
add: olcDbIndex
olcDbIndex: displayName pres,sub,eq
-
add: olcDbIndex
olcDbIndex: default sub
-
add: olcDbIndex
olcDbIndex: uidNumber eq
-
add: olcDbIndex
olcDbIndex: gidNumber eq
-
add: olcDbIndex
olcDbIndex: mail,givenName eq,subinitial
-
add: olcDbIndex
olcDbIndex: dc eq

Run this:

ldapmodify -Y EXTERNAL -H ldapi:/// -f indexing.ldif

== Import NIS User schema ==

Import nis schema
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif

Verify that you can find posixAccount

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" | grep posixAccount

Modify NIS schema, change NetgroupTriple SYNTAX to 1.3.6.1.4.1.1466.115.121.1.26 using ldapvi

ldapvi -h ldapi:/// -D cn=config -Y EXTERNAL -b cn=config

== Import AUTOFS schema ==

Import autofs schema
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/autofs-ldap.ldif

Verify that you can find automount

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" | grep automount

Add top ou for automount to automount.ldif

dn: ou=automount,dc=lysator,dc=liu,dc=se
ou: automount
objectClass: top
objectClass: organizationalUnit

Import using
ldapadd -H ldapi:/// -D "cn=admin,dc=lysator,dc=liu,dc=se" -W -f automount.ldif

Verify using
ldapsearch -Y EXTERNAL -H ldapi:/// -b "dc=lysator,dc=liu,dc=se" "(objectClass=automountMap)"

Following should be in the output
# auto.master, automount, lysator.liu.se
dn: ou=auto.master,ou=automount,dc=lysator,dc=liu,dc=se
ou: auto.master
objectClass: top
objectClass: automountMap

== Kerberos Auth ==

Make ldap use kerberos for auth against ldap (e.g database access). This does not cover using kerberos for login.

Add the following to kerb.ldif

dn: cn=config
changetype: modify
add: olcAuthzRegexp
olcAuthzRegexp: uid=(.*),cn=lysator.liu.se,cn=gssapi,cn=auth uid=$1,ou=users,dc=lysator,dc=liu,dc=se

dn: cn=config
changetype: modify
add: olcSaslHost
olcSaslHost: ldap.lysator.liu.se

dn: cn=config
changetype: modify
add: olcSaslRealm
olcSaslRealm: LYSATOR.LIU.SE

Run this:
ldapmodify -Y EXTERNAL -H ldapi:/// -f kerb.ldif

Verify by running

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcAuthzRegexp=*)" olcAuthzRegexp

Should output
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config
olcAuthzRegexp: {0}uid=(.*),cn=lysator.liu.se,cn=gssapi,cn=auth uid=$1,ou=users,dc=lysator,dc=liu,dc=se

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcSaslHost=*)" olcSaslHost

Should output
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config
olcSaslHost: ldap.lysator.liu.se

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcSaslRealm=*)" olcSaslRealm

Should output
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config
olcSaslRealm: LYSATOR.LIU.SE

Verify that the output matches the same as configured above

Next, add 'export KRB5_KTNAME=/etc/ldap/ldap.keytab' to /etc/default/slapd (there should be a similar entry where you can put this line)

== Configure SASL/SSL ==

Put the following in ldif files and apply.

Only use tls.

dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcSecurity
olcSecurity: tls=1

Add it like so:

ldapadd -Y EXTERNAL -H ldapi:/// -f tls.ldif

Should print:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}mdb,cn=config"

Check that it is in the config:

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcSecurity=*)" olcSecurity | grep olcSecurity

Should output:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
olcSecurity: tls=1

Specify certificate (note, dashes between lines should be included)

dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/cert/chain-lysator.liu.se.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/cert/ldap.lysator.liu.se.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/cert/ldap.lysator.liu.se.key
-
add: olcTLSVerifyClient
olcTLSVerifyClient: allow

Add using:

ldapadd -Y EXTERNAL -H ldapi:/// -f certs.ldif

Should output:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"

Check it using:

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcTLSCACertificateFile=*)" olcTLSCACertificateFile olcTLSCertificateFile olcTLSCertificateKeyFile olcTLSVerifyClient

Should output:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config
olcTLSCACertificateFile: /etc/ldap/cert/chain-lysator.liu.se.pem
olcTLSCertificateFile: /etc/ldap/cert/ldap.lysator.liu.se.pem
olcTLSCertificateKeyFile: /etc/ldap/cert/ldap.lysator.liu.se.key
olcTLSVerifyClient: allow

Check that admin can login using tls:

ldapsearch -LLL -ZZ -W -H ldap:/// -D "cn=admin,dc=lysator,dc=liu,dc=se" -b "dc=lysator,dc=liu,dc=se" "(cn=admin)" description

Should first query for password, like so:

Enter LDAP Password:

It is the password entered during package configuration.

Then it should print the following:

dn: cn=admin,dc=lysator,dc=liu,dc=se
description: LDAP administrator

== Configure SASL/SSL v2 ==

Put the following in ldif files and apply.

Specify certificate and change verify client to allow (does the default (never) work? (note, dashes between lines should be included)

dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/cert/chain-lysator.liu.se.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/cert/ldap.lysator.liu.se.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/cert/ldap.lysator.liu.se.key
-
add: olcTLSVerifyClient
olcTLSVerifyClient: allow
Add using:

ldapadd -Y EXTERNAL -H ldapi:/// -f certs.ldif

Should output:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"

Check it using:

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcTLSCACertificateFile=*)" olcTLSCACertificateFile olcTLSCertificateFile olcTLSCertificateKeyFile olcTLSVerifyClient

Should output:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config
olcTLSCACertificateFile: /etc/ldap/cert/chain-lysator.liu.se.pem
olcTLSCertificateFile: /etc/ldap/cert/ldap.lysator.liu.se.pem
olcTLSCertificateKeyFile: /etc/ldap/cert/ldap.lysator.liu.se.key
olcTLSVerifyClient: allow

Check that admin can login using tls:

ldapsearch -LLL -ZZ -W -H ldap:/// -D "cn=admin,dc=lysator,dc=liu,dc=se" -b "dc=lysator,dc=liu,dc=se" "(cn=admin)" description

Should first query for password, like so:

Enter LDAP Password:

It is the password entered during package configuration.

Then it should print the following:

dn: cn=admin,dc=lysator,dc=liu,dc=se
description: LDAP administrator

Only allow encrypted connections when accessing the database

dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcSecurity
olcSecurity: tls=1

Add it like so:

ldapadd -Y EXTERNAL -H ldapi:/// -f tls.ldif

Should print:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}mdb,cn=config"

Check that it is in the config:

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcSecurity=*)" olcSecurity | grep olcSecurity

Should output:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
olcSecurity: tls=1

== Allow chsh and chfn ==

= Importing data from NIS =

* Import from nis scripts.
* Autofs conversion.
== Character conversion ==

Check encoding from output when converting from nis to ldap
file -bi <file>

Convert to utf-8
iconv -f <current-encoding> -t utf-8 <file> > <file>-utf8.ldif

== Check top tree nodes in ldap database ==

Before we import data into the database, we should verify that some structures exist.
Also, that admin can login.

ldapsearch -Z -H ldapi:/// -b "dc=lysator,dc=liu,dc=se" -D "cn=admin,dc=lysator,dc=liu,dc=se" -W

Use the password specified during the package configuration.

Should display:

# admin, lysator.liu.se
dn: cn=admin,dc=lysator,dc=liu,dc=se
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: <password-hash>
# search result
search: 3
result: 0 Success
# numResponses: 3
# numEntries: 2

== Configure migrationtools ==

Run this:

apt-get install migrationtools

This installs a number of scripts and configuration tools for converting NIS to ldap.

Configuration files can be found here:

/usr/share/migrationtools

Cruically in :

/etc/migrationtools/migrate_common.ph

Change to the following:

$DEFAULT_MAIL_DOMAIN = "lysator.liu.se";
$DEFAULT_BASE = "dc=lysator,dc=liu,dc=se";

== Importing into ldap database ==

Remember to convert the output of the migration scripts.
Then run this.

ldapadd -Z -H ldapi:/// -D "cn=admin,dc=lysator,dc=liu,dc=se" -W -f nis-utf8.ldif

It will display many lines similar to this:

adding new entry "uid=<user>,ou=<thing>,dc=lysator,dc=liu,dc=se"

And the command may take several seconds to complete (depending on the dataset size).

=== Migrating autofs ===

'''NOTE:''' Migration tools provides a tool to migrate from nis but ueses other objectClasses. Some manuall work is needed to match the schema we use.

'''NOTE:''' Data should be in utf-8 before importing. Don't forget to convert.

Following needs to be converted:
auto.master
auto.home
auto.pkg
auto.lysator

==== auto.master ====
Add
dn: ou=auto.master,ou=automount,dc=lysator,dc=liu,dc=se
ou: auto.master
objectClass: top
objectClass: automountMap

==== Indirect mounts ====
Next is to add entries for /home, /mp and /pkg
Template follows:

dn: cn=/<dir>,ou=auto.master,ou=automount,dc=lysator,dc=liu,dc=se
objectClass: top
objectClass: automount
cn: /<dir>
automountInformation: auto.<file> <mount info>

where dir is mount point e.g /home. File is home for auto.home

For each indirect mount you also have to add a "top" for that "file"
dn: ou=auto.<file>,ou=automount,dc=lysator,dc=liu,dc=se
ou: auto.<file>
objectClass: top
objectClass: automountMap

==== Entry Template ====

dn: cn=<name>,ou=auto.<file>,ou=automount,dc=lysator,dc=liu,dc=se
cn: <name>
objectClass: automount
objectClass: top
automountInformation: -fstype=nfs,rw <additional mount options> <server>:<path>

= Errors & Hell =

=== Implementation Specific Error (80) ===
This can be due to incorrect indentation or possibly that a path to a file specified in the ldif is incorrect. We got this error while trying to add the encryption keys. The path was correct but the files had not been moved there yet.
Implementation Specific Error seems to be a catch all kind of error.

Rouk

2016-11-22T17:08:58Z

Net4all: Skapade sidan med '{| style="border: 0px" ! Funktion | Tjänsteserver |- ! Specialfunktion | Head / management for Procurve 5412 router |- ! Operativsystem | :Kategori:Debian 8 |- ! Arkitekt...'

Ldap

2016-11-21T17:21:30Z

Net4all: Skapade sidan med '{| style="border: 0px" ! Funktion | Tjänsteserver |- ! Specialfunktion | LDAP Master |- ! Operativsystem | Debian 8 |- ! Arkitektur | x86/PC |- ! SSH...'

{| style="border: 0px"
! Funktion
| Tjänsteserver
|-
! Specialfunktion
| LDAP Master
|-
! Operativsystem
| [[:Kategori:Debian 8 | Debian 8]]
|-
! Arkitektur
| x86/PC
|-
! SSH-fingeravtryck
| <pre>
PLACEHOLDER
</pre>
|-
! Placering
| [[FOO-hallen]], [[:Kategori:Rack B10 | rack B10]]
|-
! Ansvarig root
| [[User:net4all|net4all]] [[User:baafen|baafen]]
|-
! Driftstatus
| I drift
|}

[[Category:Tjänsteservrar]]
[[Category:Maskiner i drift]]

Rootmanual:ldap

2016-09-07T16:35:22Z

Net4all: /* Configure slapd */

Rootmanual:ldap

2016-02-12T15:41:16Z

Net4all:

Rootmanual:ldap

2016-02-12T15:37:59Z

Net4all:

Rootmanual:ldap

2016-02-12T14:47:52Z

Net4all: /* Check top tree nodes in ldap database */

Rootmanual:ldap

2016-02-05T17:57:26Z

Net4all: /* Configure SASL/SSL */

Rootmanual:ldap

2016-02-05T17:46:45Z

Net4all: /* Configure SASL/SSL */

Rootmanual:ldap

2016-02-05T17:41:57Z

Net4all: /* Configure SASL/SSL */

= Useful documentation =

https://wiki.debian.org/LDAP/OpenLDAPSetup

http://www.openldap.org/doc/admin22/index.html

http://www.zytrax.com/books/ldap/ch6/slapd-config.html

https://wiki.debian.org/LDAP/MigrationTools

= Bootstrap slapd =

First install debian, configure the network and run puppet.
Please see ldap-server in the lysator puppet git repo.

Now, slapd needs to be reconfigured (mainly to set ldap admin password).
Run this:

dpkg-reconfigure -plow slapd

Example answers, note the password <ldap-admin>.

Omit OpenLDAP server configuration? no
DNS nomain name: lysator.liu.se
Organization name: lysator.liu.se
Administrator password: <ldap-admin>
Database backend to use: MDB
Remove database when slapd is purged: no
Move old database: yes
Allow ldapv2 protocol: no

Last, make sure slapd is running:

service slapd start

You should see this in /var/log/syslog:

<date> ldap slapd[XXX]: slapd starting
<data> ldap slapd[XXX]: Starting OpenLDAP: slapd.

= Purgin the database =

To start from scratch:

service slapd stop
rm -r /var/lib/ldap/*
rm -r /etc/ldap/slapd.d/*

= Configure slapd =

The OpenLDAP server (slapd) is configured by making changes to a database call
ed "cn=config".

We need to make a number of changes before we are ready to initialize the normal database with user data.

We make the changes by writing so called ldif files and applying them to the database with the ldapmodify tool.

ldapmodify -Y EXTERNAL -H ldapi:/// -f diff.ldif

For viewing changes we use the following:

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config"
== Configure more extensive indexing ==

Configure slapd to use more indexing to improve performance.
Put this into indexing.ldif

dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: cn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: sn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: uid pres,sub,eq
-
add: olcDbIndex
olcDbIndex: displayName pres,sub,eq
-
add: olcDbIndex
olcDbIndex: default sub
-
add: olcDbIndex
olcDbIndex: uidNumber eq
-
add: olcDbIndex
olcDbIndex: gidNumber eq
-
add: olcDbIndex
olcDbIndex: mail,givenName eq,subinitial
-
add: olcDbIndex
olcDbIndex: dc eq

Run this:

ldapmodify -Y EXTERNAL -H ldapi:/// -f indexing.ldif

== Configure SASL/SSL ==

First, generate official certificates.
There should be three files, in our case:

/etc/ldap/cert/chain-lysator.liu.se.pem
/etc/ldap/cert/ldap.lysator.liu.se.pem
/etc/ldap/cert/ldap.lysator.liu.se.key

Make sure that the openldap user has the rights to read these files.

chown -R openldap:openldap /etc/ldap/cert/*
chmod -R 0400 /etc/ldap/cert*

Put the following in ldif files and apply.

Only use tls.

dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcSecurity
olcSecurity: tls=1

Add it like so:

ldapadd -Y EXTERNAL -H ldapi:/// -f tls.ldif

Should print:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}mdb,cn=config"

Check that it is in the config:

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcSecurity=*)" olcSecurity | grep olcSecurity

Should output:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
olcSecurity: tls=1

Specify certificate.

dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/cert/chain-lysator.liu.se.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/cert/ldap.lysator.liu.se.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/cert/ldap.lysator.liu.se.key
-
add: olcTLSVerifyClient
olcTLSVerifyClient: never

Add using:

ldapadd -Y EXTERNAL -H ldapi:/// -f certs.ldif

Should output:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"

== Import NIS User schema ==

Import nis schema
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif

Verify that you can find posixAccount

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" | grep posixAccount

== Import AUTOFS schema ==

Import autofs schema
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/autofs-ldap.ldif

Verify that you can find automount

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" | grep automount

== Allow chsh and chfn ==

= Importing data from NIS =

* Import from nis scripts.
* Autofs conversion.
* Character conversion.

=== Check top tree nodes in ldap database ===

Before we import data into the database, we should verify that some structures exist.
Also, that admin can login.

ldapsearch -H ldapi:/// -b "dc=lysator,dc=liu,dc=se" -D "cn=admin,dc=lysator,dc=liu,dc=se" -W

Use the password specified during the package configuration.

=== Configure migrationtools ===

Run this:

apt-get install migrationtools

This installs a number of scripts and configuration tools for converting NIS to ldap.

Configuration files can be found here:

/usr/share/migrationtools

Cruically in :

/etc/migrationtools/migrate_common.ph

Change to the following:

$DEFAULT_MAIL_DOMAIN = "lysator.liu.se";
$DEFAULT_BASE = "dc=lysator,dc=liu,dc=se";

= Errors & Hell =

=== Implementation Specific Error (80) ===
This can be due to incorrect indentation or possibly that a path to a file specified in the ldif is incorrect. We got this error while trying to add the encryption keys. The path was correct but the files had not been moved there yet.
Implementation Specific Error seems to be a catch all kind of error.

Rootmanual:ldap

2016-02-05T17:36:10Z

Net4all: /* Configure SASL/SSL */

= Useful documentation =

https://wiki.debian.org/LDAP/OpenLDAPSetup

http://www.openldap.org/doc/admin22/index.html

http://www.zytrax.com/books/ldap/ch6/slapd-config.html

https://wiki.debian.org/LDAP/MigrationTools

= Bootstrap slapd =

First install debian, configure the network and run puppet.
Please see ldap-server in the lysator puppet git repo.

Now, slapd needs to be reconfigured (mainly to set ldap admin password).
Run this:

dpkg-reconfigure -plow slapd

Example answers, note the password <ldap-admin>.

Omit OpenLDAP server configuration? no
DNS nomain name: lysator.liu.se
Organization name: lysator.liu.se
Administrator password: <ldap-admin>
Database backend to use: MDB
Remove database when slapd is purged: no
Move old database: yes
Allow ldapv2 protocol: no

Last, make sure slapd is running:

service slapd start

You should see this in /var/log/syslog:

<date> ldap slapd[XXX]: slapd starting
<data> ldap slapd[XXX]: Starting OpenLDAP: slapd.

= Purgin the database =

To start from scratch:

service slapd stop
rm -r /var/lib/ldap/*
rm -r /etc/ldap/slapd.d/*

= Configure slapd =

The OpenLDAP server (slapd) is configured by making changes to a database call
ed "cn=config".

We need to make a number of changes before we are ready to initialize the normal database with user data.

We make the changes by writing so called ldif files and applying them to the database with the ldapmodify tool.

ldapmodify -Y EXTERNAL -H ldapi:/// -f diff.ldif

For viewing changes we use the following:

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config"
== Configure more extensive indexing ==

Configure slapd to use more indexing to improve performance.
Put this into indexing.ldif

dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: cn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: sn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: uid pres,sub,eq
-
add: olcDbIndex
olcDbIndex: displayName pres,sub,eq
-
add: olcDbIndex
olcDbIndex: default sub
-
add: olcDbIndex
olcDbIndex: uidNumber eq
-
add: olcDbIndex
olcDbIndex: gidNumber eq
-
add: olcDbIndex
olcDbIndex: mail,givenName eq,subinitial
-
add: olcDbIndex
olcDbIndex: dc eq

Run this:

ldapmodify -Y EXTERNAL -H ldapi:/// -f indexing.ldif

== Configure SASL/SSL ==

First, generate official certificates.
There should be three files, in our case:

/etc/ldap/cert/chain-lysator.liu.se.pem
/etc/ldap/cert/ldap.lysator.liu.se.pem
/etc/ldap/cert/ldap.lysator.liu.se.key

Make sure that the openldap user has the rights to read these files.

chown -R openldap:openldap /etc/ldap/cert/*
chmod -R 0400 /etc/ldap/cert*

Put the following in ldif files and apply.

Only use tls.

dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcSecurity
olcSecurity: tls=1

Add it like so:

ldapadd -Y EXTERNAL -H ldapi:/// -f tls.ldif

Should print:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}mdb,cn=config"

Check that it is in the config:

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcSecurity=*)" olcSecurity | grep olcSecurity

Should output:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
olcSecurity: tls=1

Specify certificate.

dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/cert/chain-lysator.liu.se.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/cert/ldap.lysator.liu.se.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/cert/ldap.lysator.liu.se.key
-
add: olcTLSVerifyClient
olcTLSVerifyClient: never

== Import NIS User schema ==

Import nis schema
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif

Verify that you can find posixAccount

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" | grep posixAccount

== Import AUTOFS schema ==

Import autofs schema
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/autofs-ldap.ldif

Verify that you can find automount

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" | grep automount

== Allow chsh and chfn ==

= Importing data from NIS =

* Import from nis scripts.
* Autofs conversion.
* Character conversion.

=== Check top tree nodes in ldap database ===

Before we import data into the database, we should verify that some structures exist.
Also, that admin can login.

ldapsearch -H ldapi:/// -b "dc=lysator,dc=liu,dc=se" -D "cn=admin,dc=lysator,dc=liu,dc=se" -W

Use the password specified during the package configuration.

=== Configure migrationtools ===

Run this:

apt-get install migrationtools

This installs a number of scripts and configuration tools for converting NIS to ldap.

Configuration files can be found here:

/usr/share/migrationtools

Cruically in :

/etc/migrationtools/migrate_common.ph

Change to the following:

$DEFAULT_MAIL_DOMAIN = "lysator.liu.se";
$DEFAULT_BASE = "dc=lysator,dc=liu,dc=se";

= Errors & Hell =

=== Implementation Specific Error (80) ===
This can be due to incorrect indentation or possibly that a path to a file specified in the ldif is incorrect. We got this error while trying to add the encryption keys. The path was correct but the files had not been moved there yet.
Implementation Specific Error seems to be a catch all kind of error.

Rootmanual:ldap

2016-02-05T17:19:37Z

Net4all: /* Add top tree nodes in ldap database */

= Useful documentation =

https://wiki.debian.org/LDAP/OpenLDAPSetup

http://www.openldap.org/doc/admin22/index.html

http://www.zytrax.com/books/ldap/ch6/slapd-config.html

https://wiki.debian.org/LDAP/MigrationTools

= Bootstrap slapd =

First install debian, configure the network and run puppet.
Please see ldap-server in the lysator puppet git repo.

Now, slapd needs to be reconfigured (mainly to set ldap admin password).
Run this:

dpkg-reconfigure -plow slapd

Example answers, note the password <ldap-admin>.

Omit OpenLDAP server configuration? no
DNS nomain name: lysator.liu.se
Organization name: lysator.liu.se
Administrator password: <ldap-admin>
Database backend to use: MDB
Remove database when slapd is purged: no
Move old database: yes
Allow ldapv2 protocol: no

Last, make sure slapd is running:

service slapd start

You should see this in /var/log/syslog:

<date> ldap slapd[XXX]: slapd starting
<data> ldap slapd[XXX]: Starting OpenLDAP: slapd.

= Purgin the database =

To start from scratch:

service slapd stop
rm -r /var/lib/ldap/*
rm -r /etc/ldap/slapd.d/*

= Configure slapd =

The OpenLDAP server (slapd) is configured by making changes to a database call
ed "cn=config".

We need to make a number of changes before we are ready to initialize the normal database with user data.

We make the changes by writing so called ldif files and applying them to the database with the ldapmodify tool.

ldapmodify -Y EXTERNAL -H ldapi:/// -f diff.ldif

For viewing changes we use the following:

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config"
== Configure more extensive indexing ==

Configure slapd to use more indexing to improve performance.
Put this into indexing.ldif

dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: cn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: sn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: uid pres,sub,eq
-
add: olcDbIndex
olcDbIndex: displayName pres,sub,eq
-
add: olcDbIndex
olcDbIndex: default sub
-
add: olcDbIndex
olcDbIndex: uidNumber eq
-
add: olcDbIndex
olcDbIndex: gidNumber eq
-
add: olcDbIndex
olcDbIndex: mail,givenName eq,subinitial
-
add: olcDbIndex
olcDbIndex: dc eq

Run this:

ldapmodify -Y EXTERNAL -H ldapi:/// -f indexing.ldif

== Configure SASL/SSL ==

First, generate official certificates.
There should be three files, in our case:

/etc/ldap/cert/chain-lysator.liu.se.pem
/etc/ldap/cert/ldap.lysator.liu.se.pem
/etc/ldap/cert/ldap.lysator.liu.se.key

Make sure that the openldap user has the rights to read these files.

chown -R openldap:openldap /etc/ldap/cert/*
chmod -R 0400 /etc/ldap/cert*

Put the following in ldif files and apply.

Only use tls.

dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcSecurity
olcSecurity: tls=1

Check that it is in the config:

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" | egrep

Specify certificate.

dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/cert/chain-lysator.liu.se.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/cert/ldap.lysator.liu.se.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/cert/ldap.lysator.liu.se.key
-
add: olcTLSVerifyClient
olcTLSVerifyClient: never

== Import NIS User schema ==

Import nis schema
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif

Verify that you can find posixAccount

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" | grep posixAccount

== Import AUTOFS schema ==

Import autofs schema
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/autofs-ldap.ldif

Verify that you can find automount

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" | grep automount

== Allow chsh and chfn ==

= Importing data from NIS =

* Import from nis scripts.
* Autofs conversion.
* Character conversion.

=== Check top tree nodes in ldap database ===

Before we import data into the database, we should verify that some structures exist.
Also, that admin can login.

ldapsearch -H ldapi:/// -b "dc=lysator,dc=liu,dc=se" -D "cn=admin,dc=lysator,dc=liu,dc=se" -W

Use the password specified during the package configuration.

=== Configure migrationtools ===

Run this:

apt-get install migrationtools

This installs a number of scripts and configuration tools for converting NIS to ldap.

Configuration files can be found here:

/usr/share/migrationtools

Cruically in :

/etc/migrationtools/migrate_common.ph

Change to the following:

$DEFAULT_MAIL_DOMAIN = "lysator.liu.se";
$DEFAULT_BASE = "dc=lysator,dc=liu,dc=se";

= Errors & Hell =

=== Implementation Specific Error (80) ===
This can be due to incorrect indentation or possibly that a path to a file specified in the ldif is incorrect. We got this error while trying to add the encryption keys. The path was correct but the files had not been moved there yet.
Implementation Specific Error seems to be a catch all kind of error.

Rootmanual:ldap

2016-02-05T17:11:02Z

Net4all: /* Purgin the database */

= Useful documentation =

https://wiki.debian.org/LDAP/OpenLDAPSetup

http://www.openldap.org/doc/admin22/index.html

http://www.zytrax.com/books/ldap/ch6/slapd-config.html

https://wiki.debian.org/LDAP/MigrationTools

= Bootstrap slapd =

First install debian, configure the network and run puppet.
Please see ldap-server in the lysator puppet git repo.

Now, slapd needs to be reconfigured (mainly to set ldap admin password).
Run this:

dpkg-reconfigure -plow slapd

Example answers, note the password <ldap-admin>.

Omit OpenLDAP server configuration? no
DNS nomain name: lysator.liu.se
Organization name: lysator.liu.se
Administrator password: <ldap-admin>
Database backend to use: MDB
Remove database when slapd is purged: no
Move old database: yes
Allow ldapv2 protocol: no

Last, make sure slapd is running:

service slapd start

You should see this in /var/log/syslog:

<date> ldap slapd[XXX]: slapd starting
<data> ldap slapd[XXX]: Starting OpenLDAP: slapd.

= Purgin the database =

To start from scratch:

service slapd stop
rm -r /var/lib/ldap/*
rm -r /etc/ldap/slapd.d/*

= Configure slapd =

The OpenLDAP server (slapd) is configured by making changes to a database call
ed "cn=config".

We need to make a number of changes before we are ready to initialize the normal database with user data.

We make the changes by writing so called ldif files and applying them to the database with the ldapmodify tool.

ldapmodify -Y EXTERNAL -H ldapi:/// -f diff.ldif

For viewing changes we use the following:

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config"
== Configure more extensive indexing ==

Configure slapd to use more indexing to improve performance.
Put this into indexing.ldif

dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: cn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: sn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: uid pres,sub,eq
-
add: olcDbIndex
olcDbIndex: displayName pres,sub,eq
-
add: olcDbIndex
olcDbIndex: default sub
-
add: olcDbIndex
olcDbIndex: uidNumber eq
-
add: olcDbIndex
olcDbIndex: gidNumber eq
-
add: olcDbIndex
olcDbIndex: mail,givenName eq,subinitial
-
add: olcDbIndex
olcDbIndex: dc eq

Run this:

ldapmodify -Y EXTERNAL -H ldapi:/// -f indexing.ldif

== Configure SASL/SSL ==

First, generate official certificates.
There should be three files, in our case:

/etc/ldap/cert/chain-lysator.liu.se.pem
/etc/ldap/cert/ldap.lysator.liu.se.pem
/etc/ldap/cert/ldap.lysator.liu.se.key

Make sure that the openldap user has the rights to read these files.

chown -R openldap:openldap /etc/ldap/cert/*
chmod -R 0400 /etc/ldap/cert*

Put the following in ldif files and apply.

Only use tls.

dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcSecurity
olcSecurity: tls=1

Check that it is in the config:

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" | egrep

Specify certificate.

dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/cert/chain-lysator.liu.se.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/cert/ldap.lysator.liu.se.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/cert/ldap.lysator.liu.se.key
-
add: olcTLSVerifyClient
olcTLSVerifyClient: never

== Import NIS User schema ==

Import nis schema
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif

Verify that you can find posixAccount

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" | grep posixAccount

== Import AUTOFS schema ==

Import autofs schema
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/autofs-ldap.ldif

Verify that you can find automount

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" | grep automount

== Allow chsh and chfn ==

= Importing data from NIS =

* Import from nis scripts.
* Autofs conversion.
* Character conversion.

=== Add top tree nodes in ldap database ===

Before we import data into the database, some structures must be constructed inside the database.
Add the following:

dn: dc=lysator,dc=liu,dc=se
objectClass: top
objectClass: dcObject
objectClass: organization
o: Lysator
dc: lysator

dn: cn=admin,dc=lysator,dc=liu,dc=se
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: admin
description: LDAP administrator
userPassword: {SHA}hash

=== Configure migrationtools ===

Run this:

apt-get install migrationtools

This installs a number of scripts and configuration tools for converting NIS to ldap.

Configuration files can be found here:

/usr/share/migrationtools

Cruically in :

/etc/migrationtools/migrate_common.ph

Change to the following:

$DEFAULT_MAIL_DOMAIN = "lysator.liu.se";
$DEFAULT_BASE = "dc=lysator,dc=liu,dc=se";

= Errors & Hell =

=== Implementation Specific Error (80) ===
This can be due to incorrect indentation or possibly that a path to a file specified in the ldif is incorrect. We got this error while trying to add the encryption keys. The path was correct but the files had not been moved there yet.
Implementation Specific Error seems to be a catch all kind of error.

Rootmanual:ldap

2016-02-05T17:08:04Z

Net4all: /* Add top tree nodes in ldap database */

= Useful documentation =

https://wiki.debian.org/LDAP/OpenLDAPSetup

http://www.openldap.org/doc/admin22/index.html

http://www.zytrax.com/books/ldap/ch6/slapd-config.html

https://wiki.debian.org/LDAP/MigrationTools

= Bootstrap slapd =

First install debian, configure the network and run puppet.
Please see ldap-server in the lysator puppet git repo.

Now, slapd needs to be reconfigured (mainly to set ldap admin password).
Run this:

dpkg-reconfigure -plow slapd

Example answers, note the password <ldap-admin>.

Omit OpenLDAP server configuration? no
DNS nomain name: lysator.liu.se
Organization name: lysator.liu.se
Administrator password: <ldap-admin>
Database backend to use: MDB
Remove database when slapd is purged: no
Move old database: yes
Allow ldapv2 protocol: no

Last, make sure slapd is running:

service slapd start

You should see this in /var/log/syslog:

<date> ldap slapd[XXX]: slapd starting
<data> ldap slapd[XXX]: Starting OpenLDAP: slapd.

= Purgin the database =

To start from scratch:

service slapd stop
rm -r /var/lib/ldap/*
rm /etc/ldap/slapd.d/*

= Configure slapd =

The OpenLDAP server (slapd) is configured by making changes to a database call
ed "cn=config".

We need to make a number of changes before we are ready to initialize the normal database with user data.

We make the changes by writing so called ldif files and applying them to the database with the ldapmodify tool.

ldapmodify -Y EXTERNAL -H ldapi:/// -f diff.ldif

For viewing changes we use the following:

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config"
== Configure more extensive indexing ==

Configure slapd to use more indexing to improve performance.
Put this into indexing.ldif

dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: cn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: sn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: uid pres,sub,eq
-
add: olcDbIndex
olcDbIndex: displayName pres,sub,eq
-
add: olcDbIndex
olcDbIndex: default sub
-
add: olcDbIndex
olcDbIndex: uidNumber eq
-
add: olcDbIndex
olcDbIndex: gidNumber eq
-
add: olcDbIndex
olcDbIndex: mail,givenName eq,subinitial
-
add: olcDbIndex
olcDbIndex: dc eq

Run this:

ldapmodify -Y EXTERNAL -H ldapi:/// -f indexing.ldif

== Configure SASL/SSL ==

First, generate official certificates.
There should be three files, in our case:

/etc/ldap/cert/chain-lysator.liu.se.pem
/etc/ldap/cert/ldap.lysator.liu.se.pem
/etc/ldap/cert/ldap.lysator.liu.se.key

Make sure that the openldap user has the rights to read these files.

chown -R openldap:openldap /etc/ldap/cert/*
chmod -R 0400 /etc/ldap/cert*

Put the following in ldif files and apply.

Only use tls.

dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcSecurity
olcSecurity: tls=1

Check that it is in the config:

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" | egrep

Specify certificate.

dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/cert/chain-lysator.liu.se.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/cert/ldap.lysator.liu.se.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/cert/ldap.lysator.liu.se.key
-
add: olcTLSVerifyClient
olcTLSVerifyClient: never

== Import NIS User schema ==

Import nis schema
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif

Verify that you can find posixAccount

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" | grep posixAccount

== Import AUTOFS schema ==

Import autofs schema
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/autofs-ldap.ldif

Verify that you can find automount

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" | grep automount

== Allow chsh and chfn ==

= Importing data from NIS =

* Import from nis scripts.
* Autofs conversion.
* Character conversion.

=== Add top tree nodes in ldap database ===

Before we import data into the database, some structures must be constructed inside the database.
Add the following:

dn: dc=lysator,dc=liu,dc=se
objectClass: top
objectClass: dcObject
objectClass: organization
o: Lysator
dc: lysator

dn: cn=admin,dc=lysator,dc=liu,dc=se
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: admin
description: LDAP administrator
userPassword: {SHA}hash

=== Configure migrationtools ===

Run this:

apt-get install migrationtools

This installs a number of scripts and configuration tools for converting NIS to ldap.

Configuration files can be found here:

/usr/share/migrationtools

Cruically in :

/etc/migrationtools/migrate_common.ph

Change to the following:

$DEFAULT_MAIL_DOMAIN = "lysator.liu.se";
$DEFAULT_BASE = "dc=lysator,dc=liu,dc=se";

= Errors & Hell =

=== Implementation Specific Error (80) ===
This can be due to incorrect indentation or possibly that a path to a file specified in the ldif is incorrect. We got this error while trying to add the encryption keys. The path was correct but the files had not been moved there yet.
Implementation Specific Error seems to be a catch all kind of error.

Rootmanual:ldap

2016-02-05T17:07:07Z

Net4all: /* Add top tree nodes in ldap database */

= Useful documentation =

https://wiki.debian.org/LDAP/OpenLDAPSetup

http://www.openldap.org/doc/admin22/index.html

http://www.zytrax.com/books/ldap/ch6/slapd-config.html

https://wiki.debian.org/LDAP/MigrationTools

= Bootstrap slapd =

First install debian, configure the network and run puppet.
Please see ldap-server in the lysator puppet git repo.

Now, slapd needs to be reconfigured (mainly to set ldap admin password).
Run this:

dpkg-reconfigure -plow slapd

Example answers, note the password <ldap-admin>.

Omit OpenLDAP server configuration? no
DNS nomain name: lysator.liu.se
Organization name: lysator.liu.se
Administrator password: <ldap-admin>
Database backend to use: MDB
Remove database when slapd is purged: no
Move old database: yes
Allow ldapv2 protocol: no

Last, make sure slapd is running:

service slapd start

You should see this in /var/log/syslog:

<date> ldap slapd[XXX]: slapd starting
<data> ldap slapd[XXX]: Starting OpenLDAP: slapd.

= Purgin the database =

To start from scratch:

service slapd stop
rm -r /var/lib/ldap/*
rm /etc/ldap/slapd.d/*

= Configure slapd =

The OpenLDAP server (slapd) is configured by making changes to a database call
ed "cn=config".

We need to make a number of changes before we are ready to initialize the normal database with user data.

We make the changes by writing so called ldif files and applying them to the database with the ldapmodify tool.

ldapmodify -Y EXTERNAL -H ldapi:/// -f diff.ldif

For viewing changes we use the following:

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config"
== Configure more extensive indexing ==

Configure slapd to use more indexing to improve performance.
Put this into indexing.ldif

dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: cn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: sn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: uid pres,sub,eq
-
add: olcDbIndex
olcDbIndex: displayName pres,sub,eq
-
add: olcDbIndex
olcDbIndex: default sub
-
add: olcDbIndex
olcDbIndex: uidNumber eq
-
add: olcDbIndex
olcDbIndex: gidNumber eq
-
add: olcDbIndex
olcDbIndex: mail,givenName eq,subinitial
-
add: olcDbIndex
olcDbIndex: dc eq

Run this:

ldapmodify -Y EXTERNAL -H ldapi:/// -f indexing.ldif

== Configure SASL/SSL ==

First, generate official certificates.
There should be three files, in our case:

/etc/ldap/cert/chain-lysator.liu.se.pem
/etc/ldap/cert/ldap.lysator.liu.se.pem
/etc/ldap/cert/ldap.lysator.liu.se.key

Make sure that the openldap user has the rights to read these files.

chown -R openldap:openldap /etc/ldap/cert/*
chmod -R 0400 /etc/ldap/cert*

Put the following in ldif files and apply.

Only use tls.

dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcSecurity
olcSecurity: tls=1

Check that it is in the config:

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" | egrep

Specify certificate.

dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/cert/chain-lysator.liu.se.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/cert/ldap.lysator.liu.se.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/cert/ldap.lysator.liu.se.key
-
add: olcTLSVerifyClient
olcTLSVerifyClient: never

== Import NIS User schema ==

Import nis schema
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif

Verify that you can find posixAccount

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" | grep posixAccount

== Import AUTOFS schema ==

Import autofs schema
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/autofs-ldap.ldif

Verify that you can find automount

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" | grep automount

== Allow chsh and chfn ==

= Importing data from NIS =

* Import from nis scripts.
* Autofs conversion.
* Character conversion.

=== Add top tree nodes in ldap database ===

Before we import data into the database, some structures must be constructed inside the database.
Add the following:

dn: dc=lysator,dc=liu,dc=se
objectClass: top
objectClass: dcObject
objectClass: organization
o: Lysator
dc: lysator

dn: cn=admin,dc=lysator,dc=liu,dc=se
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: admin
description: LDAP administrator
userPassword: {SHA}wUE4VnZMBzNid4wQkUBl1cFSpfo=

=== Configure migrationtools ===

Run this:

apt-get install migrationtools

This installs a number of scripts and configuration tools for converting NIS to ldap.

Configuration files can be found here:

/usr/share/migrationtools

Cruically in :

/etc/migrationtools/migrate_common.ph

Change to the following:

$DEFAULT_MAIL_DOMAIN = "lysator.liu.se";
$DEFAULT_BASE = "dc=lysator,dc=liu,dc=se";

= Errors & Hell =

=== Implementation Specific Error (80) ===
This can be due to incorrect indentation or possibly that a path to a file specified in the ldif is incorrect. We got this error while trying to add the encryption keys. The path was correct but the files had not been moved there yet.
Implementation Specific Error seems to be a catch all kind of error.

Rootmanual:ldap

2016-02-05T17:03:34Z

Net4all: /* Add top tree nodes in ldap database */

= Useful documentation =

https://wiki.debian.org/LDAP/OpenLDAPSetup

http://www.openldap.org/doc/admin22/index.html

http://www.zytrax.com/books/ldap/ch6/slapd-config.html

https://wiki.debian.org/LDAP/MigrationTools

= Bootstrap slapd =

First install debian, configure the network and run puppet.
Please see ldap-server in the lysator puppet git repo.

Now, slapd needs to be reconfigured (mainly to set ldap admin password).
Run this:

dpkg-reconfigure -plow slapd

Example answers, note the password <ldap-admin>.

Omit OpenLDAP server configuration? no
DNS nomain name: lysator.liu.se
Organization name: lysator.liu.se
Administrator password: <ldap-admin>
Database backend to use: MDB
Remove database when slapd is purged: no
Move old database: yes
Allow ldapv2 protocol: no

Last, make sure slapd is running:

service slapd start

You should see this in /var/log/syslog:

<date> ldap slapd[XXX]: slapd starting
<data> ldap slapd[XXX]: Starting OpenLDAP: slapd.

= Purgin the database =

To start from scratch:

service slapd stop
rm -r /var/lib/ldap/*
rm /etc/ldap/slapd.d/*

= Configure slapd =

The OpenLDAP server (slapd) is configured by making changes to a database call
ed "cn=config".

We need to make a number of changes before we are ready to initialize the normal database with user data.

We make the changes by writing so called ldif files and applying them to the database with the ldapmodify tool.

ldapmodify -Y EXTERNAL -H ldapi:/// -f diff.ldif

For viewing changes we use the following:

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config"
== Configure more extensive indexing ==

Configure slapd to use more indexing to improve performance.
Put this into indexing.ldif

dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: cn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: sn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: uid pres,sub,eq
-
add: olcDbIndex
olcDbIndex: displayName pres,sub,eq
-
add: olcDbIndex
olcDbIndex: default sub
-
add: olcDbIndex
olcDbIndex: uidNumber eq
-
add: olcDbIndex
olcDbIndex: gidNumber eq
-
add: olcDbIndex
olcDbIndex: mail,givenName eq,subinitial
-
add: olcDbIndex
olcDbIndex: dc eq

Run this:

ldapmodify -Y EXTERNAL -H ldapi:/// -f indexing.ldif

== Configure SASL/SSL ==

First, generate official certificates.
There should be three files, in our case:

/etc/ldap/cert/chain-lysator.liu.se.pem
/etc/ldap/cert/ldap.lysator.liu.se.pem
/etc/ldap/cert/ldap.lysator.liu.se.key

Make sure that the openldap user has the rights to read these files.

chown -R openldap:openldap /etc/ldap/cert/*
chmod -R 0400 /etc/ldap/cert*

Put the following in ldif files and apply.

Only use tls.

dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcSecurity
olcSecurity: tls=1

Check that it is in the config:

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" | egrep

Specify certificate.

dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/cert/chain-lysator.liu.se.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/cert/ldap.lysator.liu.se.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/cert/ldap.lysator.liu.se.key
-
add: olcTLSVerifyClient
olcTLSVerifyClient: never

== Import NIS User schema ==

Import nis schema
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif

Verify that you can find posixAccount

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" | grep posixAccount

== Import AUTOFS schema ==

Import autofs schema
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/autofs-ldap.ldif

Verify that you can find automount

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" | grep automount

== Allow chsh and chfn ==

= Importing data from NIS =

* Import from nis scripts.
* Autofs conversion.
* Character conversion.

=== Add top tree nodes in ldap database ===

Before we import data into the database, some structures must be constructed inside the database.
Add the following:

dn: dc=lysator,dc=liu,dc=se
objectClass: top
objectClass: dcObject
objectClass: organization
o: Lysator
dc: lysator

dn: cn=admin,dc=lysator,dc=liu,dc=se
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: admin
description: LDAP administrator

=== Configure migrationtools ===

Run this:

apt-get install migrationtools

This installs a number of scripts and configuration tools for converting NIS to ldap.

Configuration files can be found here:

/usr/share/migrationtools

Cruically in :

/etc/migrationtools/migrate_common.ph

Change to the following:

$DEFAULT_MAIL_DOMAIN = "lysator.liu.se";
$DEFAULT_BASE = "dc=lysator,dc=liu,dc=se";

= Errors & Hell =

=== Implementation Specific Error (80) ===
This can be due to incorrect indentation or possibly that a path to a file specified in the ldif is incorrect. We got this error while trying to add the encryption keys. The path was correct but the files had not been moved there yet.
Implementation Specific Error seems to be a catch all kind of error.

Rootmanual:ldap

2016-02-05T16:42:28Z

Net4all: /* Add top tree nodes in ldap database */

= Useful documentation =

https://wiki.debian.org/LDAP/OpenLDAPSetup

http://www.openldap.org/doc/admin22/index.html

http://www.zytrax.com/books/ldap/ch6/slapd-config.html

https://wiki.debian.org/LDAP/MigrationTools

= Bootstrap slapd =

First install debian, configure the network and run puppet.
Please see ldap-server in the lysator puppet git repo.

Now, slapd needs to be reconfigured (mainly to set ldap admin password).
Run this:

dpkg-reconfigure -plow slapd

Example answers, note the password <ldap-admin>.

Omit OpenLDAP server configuration? no
DNS nomain name: lysator.liu.se
Organization name: lysator.liu.se
Administrator password: <ldap-admin>
Database backend to use: MDB
Remove database when slapd is purged: no
Move old database: yes
Allow ldapv2 protocol: no

Last, make sure slapd is running:

service slapd start

You should see this in /var/log/syslog:

<date> ldap slapd[XXX]: slapd starting
<data> ldap slapd[XXX]: Starting OpenLDAP: slapd.

= Purgin the database =

To start from scratch:

service slapd stop
rm -r /var/lib/ldap/*
rm /etc/ldap/slapd.d/*

= Configure slapd =

The OpenLDAP server (slapd) is configured by making changes to a database call
ed "cn=config".

We need to make a number of changes before we are ready to initialize the normal database with user data.

We make the changes by writing so called ldif files and applying them to the database with the ldapmodify tool.

ldapmodify -Y EXTERNAL -H ldapi:/// -f diff.ldif

For viewing changes we use the following:

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config"
== Configure more extensive indexing ==

Configure slapd to use more indexing to improve performance.
Put this into indexing.ldif

dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: cn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: sn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: uid pres,sub,eq
-
add: olcDbIndex
olcDbIndex: displayName pres,sub,eq
-
add: olcDbIndex
olcDbIndex: default sub
-
add: olcDbIndex
olcDbIndex: uidNumber eq
-
add: olcDbIndex
olcDbIndex: gidNumber eq
-
add: olcDbIndex
olcDbIndex: mail,givenName eq,subinitial
-
add: olcDbIndex
olcDbIndex: dc eq

Run this:

ldapmodify -Y EXTERNAL -H ldapi:/// -f indexing.ldif

== Configure SASL/SSL ==

First, generate official certificates.
There should be three files, in our case:

/etc/ldap/cert/chain-lysator.liu.se.pem
/etc/ldap/cert/ldap.lysator.liu.se.pem
/etc/ldap/cert/ldap.lysator.liu.se.key

Make sure that the openldap user has the rights to read these files.

chown -R openldap:openldap /etc/ldap/cert/*
chmod -R 0400 /etc/ldap/cert*

Put the following in ldif files and apply.

Only use tls.

dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcSecurity
olcSecurity: tls=1

Check that it is in the config:

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" | egrep

Specify certificate.

dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/cert/chain-lysator.liu.se.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/cert/ldap.lysator.liu.se.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/cert/ldap.lysator.liu.se.key
-
add: olcTLSVerifyClient
olcTLSVerifyClient: never

== Import NIS User schema ==

Import nis schema
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif

Verify that you can find posixAccount

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" | grep posixAccount

== Import AUTOFS schema ==

Import autofs schema
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/autofs-ldap.ldif

Verify that you can find automount

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" | grep automount

== Allow chsh and chfn ==

= Importing data from NIS =

* Import from nis scripts.
* Autofs conversion.
* Character conversion.

=== Add top tree nodes in ldap database ===

Before we import data into the database, some structures must be constructed inside the database.
Add the following:

dn: dc=lysator,dc=liu,dc=se
objectClass: top
objectClass: dcObject
objectClass: organization
o: Lysator
dc: lysator

dn: cn=admin,dc=lysator,dc=liu,dc=se
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: admin
description: LDAP administrator

=== Configure migrationtools ===

Run this:

apt-get install migrationtools

This installs a number of scripts and configuration tools for converting NIS to ldap.

Configuration files can be found here:

/usr/share/migrationtools

Cruically in :

/etc/migrationtools/migrate_common.ph

Change to the following:

$DEFAULT_MAIL_DOMAIN = "lysator.liu.se";
$DEFAULT_BASE = "dc=lysator,dc=liu,dc=se";

= Errors & Hell =

=== Implementation Specific Error (80) ===
This can be due to incorrect indentation or possibly that a path to a file specified in the ldif is incorrect. We got this error while trying to add the encryption keys. The path was correct but the files had not been moved there yet.
Implementation Specific Error seems to be a catch all kind of error.

Rootmanual:ldap

2016-02-05T15:23:03Z

Net4all: /* Importing data from NIS */

= Useful documentation =

https://wiki.debian.org/LDAP/OpenLDAPSetup

http://www.openldap.org/doc/admin22/index.html

http://www.zytrax.com/books/ldap/ch6/slapd-config.html

https://wiki.debian.org/LDAP/MigrationTools

= Bootstrap slapd =

First install debian, configure the network and run puppet.
Please see ldap-server in the lysator puppet git repo.

Now, slapd needs to be reconfigured (mainly to set ldap admin password).
Run this:

dpkg-reconfigure -plow slapd

Example answers, note the password <ldap-admin>.

Omit OpenLDAP server configuration? no
DNS nomain name: lysator.liu.se
Organization name: lysator.liu.se
Administrator password: <ldap-admin>
Database backend to use: MDB
Remove database when slapd is purged: no
Move old database: yes
Allow ldapv2 protocol: no

Last, make sure slapd is running:

service slapd start

You should see this in /var/log/syslog:

<date> ldap slapd[XXX]: slapd starting
<data> ldap slapd[XXX]: Starting OpenLDAP: slapd.

= Purgin the database =

To start from scratch:

service slapd stop
rm -r /var/lib/ldap/*
rm /etc/ldap/slapd.d/*

= Configure slapd =

The OpenLDAP server (slapd) is configured by making changes to a database call
ed "cn=config".

We need to make a number of changes before we are ready to initialize the normal database with user data.

We make the changes by writing so called ldif files and applying them to the database with the ldapmodify tool.

ldapmodify -Y EXTERNAL -H ldapi:/// -f diff.ldif

For viewing changes we use the following:

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config"
== Configure more extensive indexing ==

Configure slapd to use more indexing to improve performance.
Put this into indexing.ldif

dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: cn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: sn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: uid pres,sub,eq
-
add: olcDbIndex
olcDbIndex: displayName pres,sub,eq
-
add: olcDbIndex
olcDbIndex: default sub
-
add: olcDbIndex
olcDbIndex: uidNumber eq
-
add: olcDbIndex
olcDbIndex: gidNumber eq
-
add: olcDbIndex
olcDbIndex: mail,givenName eq,subinitial
-
add: olcDbIndex
olcDbIndex: dc eq

Run this:

ldapmodify -Y EXTERNAL -H ldapi:/// -f indexing.ldif

== Configure SASL/SSL ==

First, generate official certificates.
There should be three files, in our case:

/etc/ldap/cert/chain-lysator.liu.se.pem
/etc/ldap/cert/ldap.lysator.liu.se.pem
/etc/ldap/cert/ldap.lysator.liu.se.key

Make sure that the openldap user has the rights to read these files.

chown -R openldap:openldap /etc/ldap/cert/*
chmod -R 0400 /etc/ldap/cert*

Put the following in ldif files and apply.

Only use tls.

dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcSecurity
olcSecurity: tls=1

Check that it is in the config:

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" | egrep

Specify certificate.

dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/cert/chain-lysator.liu.se.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/cert/ldap.lysator.liu.se.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/cert/ldap.lysator.liu.se.key
-
add: olcTLSVerifyClient
olcTLSVerifyClient: never

== Import NIS User schema ==

Import nis schema
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif

Verify that you can find posixAccount

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" | grep posixAccount

== Import AUTOFS schema ==

Import autofs schema
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/autofs-ldap.ldif

Verify that you can find automount

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" | grep automount

== Allow chsh and chfn ==

= Importing data from NIS =

* Import from nis scripts.
* Autofs conversion.
* Character conversion.

=== Add top tree nodes in ldap database ===

Before we import data into the database, some structures must be constructed inside the database.
Add the following:

dn: dc=lysator,dc=liu,dc=se
objectClass: top
objectclass: dcObject
objectclass: organization
structuralObjectClass: organization
o: Lysator
dc: lysator

dn: cn=admin,dc=lysator,dc=liu,dc=se
objectclass: organizationalRole
objectClass: simpleSecurityObject
cn: admin
description: LDAP administrator
structuralObjectClass: organizationalRole

=== Configure migrationtools ===

Run this:

apt-get install migrationtools

This installs a number of scripts and configuration tools for converting NIS to ldap.

Configuration files can be found here:

/usr/share/migrationtools

Cruically in :

/etc/migrationtools/migrate_common.ph

Change to the following:

$DEFAULT_MAIL_DOMAIN = "lysator.liu.se";
$DEFAULT_BASE = "dc=lysator,dc=liu,dc=se";

Rootmanual:ldap

2016-01-29T17:12:30Z

Net4all: /* Import AUTOFS schema */

= Useful documentation =

https://wiki.debian.org/LDAP/OpenLDAPSetup

http://www.openldap.org/doc/admin22/index.html

http://www.zytrax.com/books/ldap/ch6/slapd-config.html

https://wiki.debian.org/LDAP/MigrationTools

= Bootstrap slapd =

First install debian, configure the network and run puppet.
Please see ldap-server in the lysator puppet git repo.

Now, slapd needs to be reconfigured (mainly to set ldap admin password).
Run this:

dpkg-reconfigure -plow slapd

Example answers, note the password <ldap-admin>.

Omit OpenLDAP server configuration? no
DNS nomain name: lysator.liu.se
Organization name: lysator.liu.se
Administrator password: <ldap-admin>
Database backend to use: MDB
Remove database when slapd is purged: no
Move old database: yes
Allow ldapv2 protocol: no

Last, make sure slapd is running:

service slapd start

You should see this in /var/log/syslog:

<date> ldap slapd[XXX]: slapd starting
<data> ldap slapd[XXX]: Starting OpenLDAP: slapd.

= Purgin the database =

To start from scratch:

service slapd stop
rm -r /var/lib/ldap/*
rm /etc/ldap/slapd.d/*

= Configure slapd =

The OpenLDAP server (slapd) is configured by making changes to a database call
ed "cn=config".

We need to make a number of changes before we are ready to initialize the normal database with user data.

We make the changes by writing so called ldif files and applying them to the database with the ldapmodify tool.

ldapmodify -Y EXTERNAL -H ldapi:/// -f diff.ldif

For viewing changes we use the following:

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config"
== Configure more extensive indexing ==

Configure slapd to use more indexing to improve performance.
Put this into indexing.ldif

dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: cn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: sn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: uid pres,sub,eq
-
add: olcDbIndex
olcDbIndex: displayName pres,sub,eq
-
add: olcDbIndex
olcDbIndex: default sub
-
add: olcDbIndex
olcDbIndex: uidNumber eq
-
add: olcDbIndex
olcDbIndex: gidNumber eq
-
add: olcDbIndex
olcDbIndex: mail,givenName eq,subinitial
-
add: olcDbIndex
olcDbIndex: dc eq

Run this:

ldapmodify -Y EXTERNAL -H ldapi:/// -f indexing.ldif

== Configure SASL/SSL ==

First, generate official certificates.
There should be three files, in our case:

/etc/ldap/cert/chain-lysator.liu.se.pem
/etc/ldap/cert/ldap.lysator.liu.se.pem
/etc/ldap/cert/ldap.lysator.liu.se.key

Make sure that the openldap user has the rights to read these files.

chown -R openldap:openldap /etc/ldap/cert/*
chmod -R 0400 /etc/ldap/cert*

Put the following in ldif files and apply.

Only use tls.

dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcSecurity
olcSecurity: tls=1

Check that it is in the config:

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" | egrep

Specify certificate.

dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/cert/chain-lysator.liu.se.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/cert/ldap.lysator.liu.se.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/cert/ldap.lysator.liu.se.key
-
add: olcTLSVerifyClient
olcTLSVerifyClient: never

== Import NIS User schema ==

Import nis schema
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif

Verify that you can find posixAccount

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" | grep posixAccount

== Import AUTOFS schema ==

Import autofs schema
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/autofs-ldap.ldif

Verify that you can find automount

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" | grep automount

== Allow chsh and chfn ==

= Importing data from NIS =

* Import from nis scripts.
* Autofs conversion.
* Character conversion.

=== Add top tree nodes in ldap database ===

Before we import data into the database, some structures must be constructed inside the database.

TODO

=== Configure migrationtools ===

Run this:

apt-get install migrationtools

This installs a number of scripts and configuration tools for converting NIS to ldap.

Configuration files can be found here:

/usr/share/migrationtools

Cruically in :

/etc/migrationtools/migrate_common.ph

Change to the following:

$DEFAULT_MAIL_DOMAIN = "lysator.liu.se";
$DEFAULT_BASE = "[["dc=lysator,dc=liu,dc=se"]]";

Rootmanual:ldap

2016-01-29T17:03:59Z

Net4all: /* Import NIS User schema */

= Useful documentation =

https://wiki.debian.org/LDAP/OpenLDAPSetup

http://www.openldap.org/doc/admin22/index.html

http://www.zytrax.com/books/ldap/ch6/slapd-config.html

https://wiki.debian.org/LDAP/MigrationTools

= Bootstrap slapd =

First install debian, configure the network and run puppet.
Please see ldap-server in the lysator puppet git repo.

Now, slapd needs to be reconfigured (mainly to set ldap admin password).
Run this:

dpkg-reconfigure -plow slapd

Example answers, note the password <ldap-admin>.

Omit OpenLDAP server configuration? no
DNS nomain name: lysator.liu.se
Organization name: lysator.liu.se
Administrator password: <ldap-admin>
Database backend to use: MDB
Remove database when slapd is purged: no
Move old database: yes
Allow ldapv2 protocol: no

Last, make sure slapd is running:

service slapd start

You should see this in /var/log/syslog:

<date> ldap slapd[XXX]: slapd starting
<data> ldap slapd[XXX]: Starting OpenLDAP: slapd.

= Purgin the database =

To start from scratch:

service slapd stop
rm -r /var/lib/ldap/*
rm /etc/ldap/slapd.d/*

= Configure slapd =

The OpenLDAP server (slapd) is configured by making changes to a database call
ed "cn=config".

We need to make a number of changes before we are ready to initialize the normal database with user data.

We make the changes by writing so called ldif files and applying them to the database with the ldapmodify tool.

ldapmodify -Y EXTERNAL -H ldapi:/// -f diff.ldif

For viewing changes we use the following:

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config"
== Configure more extensive indexing ==

Configure slapd to use more indexing to improve performance.
Put this into indexing.ldif

dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: cn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: sn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: uid pres,sub,eq
-
add: olcDbIndex
olcDbIndex: displayName pres,sub,eq
-
add: olcDbIndex
olcDbIndex: default sub
-
add: olcDbIndex
olcDbIndex: uidNumber eq
-
add: olcDbIndex
olcDbIndex: gidNumber eq
-
add: olcDbIndex
olcDbIndex: mail,givenName eq,subinitial
-
add: olcDbIndex
olcDbIndex: dc eq

Run this:

ldapmodify -Y EXTERNAL -H ldapi:/// -f indexing.ldif

== Configure SASL/SSL ==

First, generate official certificates.
There should be three files, in our case:

/etc/ldap/cert/chain-lysator.liu.se.pem
/etc/ldap/cert/ldap.lysator.liu.se.pem
/etc/ldap/cert/ldap.lysator.liu.se.key

Make sure that the openldap user has the rights to read these files.

chown -R openldap:openldap /etc/ldap/cert/*
chmod -R 0400 /etc/ldap/cert*

Put the following in ldif files and apply.

Only use tls.

dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcSecurity
olcSecurity: tls=1

Check that it is in the config:

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" | egrep

Specify certificate.

dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/cert/chain-lysator.liu.se.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/cert/ldap.lysator.liu.se.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/cert/ldap.lysator.liu.se.key
-
add: olcTLSVerifyClient
olcTLSVerifyClient: never

== Import NIS User schema ==

Import nis schema
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif

Verify that you can find posixAccount

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" | grep posixAccount

== Import AUTOFS schema ==

Import autofs schema
ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/autofs-ldap.ldif

Verify that you can find automount

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" | grep automount

== Allow chsh and chfn ==

= Importing data from NIS =

* Import from nis scripts.
* Autofs conversion.
* Character conversion.

=== Add top tree nodes in ldap database ===

Before we import data into the database, some structures must be constructed inside the database.

TODO

=== Configure migrationtools ===

Run this:

apt-get install migrationtools

This installs a number of scripts and configuration tools for converting NIS to ldap.

Configuration files can be found here:

/usr/share/migrationtools

Cruically in :

/etc/migrationtools/migrate_common.ph

Change to the following:

$DEFAULT_MAIL_DOMAIN = "lysator.liu.se";
$DEFAULT_BASE = "[["dc=lysator,dc=liu,dc=se"]]";

Rootmanual:ldap

2016-01-29T17:02:47Z

Net4all: /* Configure SASL/SSL */

= Useful documentation =

https://wiki.debian.org/LDAP/OpenLDAPSetup

http://www.openldap.org/doc/admin22/index.html

http://www.zytrax.com/books/ldap/ch6/slapd-config.html

https://wiki.debian.org/LDAP/MigrationTools

= Bootstrap slapd =

First install debian, configure the network and run puppet.
Please see ldap-server in the lysator puppet git repo.

Now, slapd needs to be reconfigured (mainly to set ldap admin password).
Run this:

dpkg-reconfigure -plow slapd

Example answers, note the password <ldap-admin>.

Omit OpenLDAP server configuration? no
DNS nomain name: lysator.liu.se
Organization name: lysator.liu.se
Administrator password: <ldap-admin>
Database backend to use: MDB
Remove database when slapd is purged: no
Move old database: yes
Allow ldapv2 protocol: no

Last, make sure slapd is running:

service slapd start

You should see this in /var/log/syslog:

<date> ldap slapd[XXX]: slapd starting
<data> ldap slapd[XXX]: Starting OpenLDAP: slapd.

= Purgin the database =

To start from scratch:

service slapd stop
rm -r /var/lib/ldap/*
rm /etc/ldap/slapd.d/*

= Configure slapd =

The OpenLDAP server (slapd) is configured by making changes to a database call
ed "cn=config".

We need to make a number of changes before we are ready to initialize the normal database with user data.

We make the changes by writing so called ldif files and applying them to the database with the ldapmodify tool.

ldapmodify -Y EXTERNAL -H ldapi:/// -f diff.ldif

For viewing changes we use the following:

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config"
== Configure more extensive indexing ==

Configure slapd to use more indexing to improve performance.
Put this into indexing.ldif

dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: cn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: sn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: uid pres,sub,eq
-
add: olcDbIndex
olcDbIndex: displayName pres,sub,eq
-
add: olcDbIndex
olcDbIndex: default sub
-
add: olcDbIndex
olcDbIndex: uidNumber eq
-
add: olcDbIndex
olcDbIndex: gidNumber eq
-
add: olcDbIndex
olcDbIndex: mail,givenName eq,subinitial
-
add: olcDbIndex
olcDbIndex: dc eq

Run this:

ldapmodify -Y EXTERNAL -H ldapi:/// -f indexing.ldif

== Configure SASL/SSL ==

First, generate official certificates.
There should be three files, in our case:

/etc/ldap/cert/chain-lysator.liu.se.pem
/etc/ldap/cert/ldap.lysator.liu.se.pem
/etc/ldap/cert/ldap.lysator.liu.se.key

Make sure that the openldap user has the rights to read these files.

chown -R openldap:openldap /etc/ldap/cert/*
chmod -R 0400 /etc/ldap/cert*

Put the following in ldif files and apply.

Only use tls.

dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcSecurity
olcSecurity: tls=1

Check that it is in the config:

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" | egrep

Specify certificate.

dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/cert/chain-lysator.liu.se.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/cert/ldap.lysator.liu.se.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/cert/ldap.lysator.liu.se.key
-
add: olcTLSVerifyClient
olcTLSVerifyClient: never

== Import NIS User schema ==

Import nis schema
ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif

Verify that you can find posixAccount

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" | grep posixAccount

== Import AUTOFS schema ==

Import autofs schema
ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/autofs-ldap.ldif

Verify that you can find automount

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" | grep automount

== Allow chsh and chfn ==

= Importing data from NIS =

* Import from nis scripts.
* Autofs conversion.
* Character conversion.

=== Add top tree nodes in ldap database ===

Before we import data into the database, some structures must be constructed inside the database.

TODO

=== Configure migrationtools ===

Run this:

apt-get install migrationtools

This installs a number of scripts and configuration tools for converting NIS to ldap.

Configuration files can be found here:

/usr/share/migrationtools

Cruically in :

/etc/migrationtools/migrate_common.ph

Change to the following:

$DEFAULT_MAIL_DOMAIN = "lysator.liu.se";
$DEFAULT_BASE = "[["dc=lysator,dc=liu,dc=se"]]";

Rootmanual:ldap

2016-01-29T16:42:07Z

Net4all: /* Configure SASL/SSL */

= Useful documentation =

https://wiki.debian.org/LDAP/OpenLDAPSetup

http://www.openldap.org/doc/admin22/index.html

http://www.zytrax.com/books/ldap/ch6/slapd-config.html

https://wiki.debian.org/LDAP/MigrationTools

= Bootstrap slapd =

First install debian, configure the network and run puppet.
Please see ldap-server in the lysator puppet git repo.

Now, slapd needs to be reconfigured (mainly to set ldap admin password).
Run this:

dpkg-reconfigure -plow slapd

Example answers, note the password <ldap-admin>.

Omit OpenLDAP server configuration? no
DNS nomain name: lysator.liu.se
Organization name: lysator.liu.se
Administrator password: <ldap-admin>
Database backend to use: MDB
Remove database when slapd is purged: no
Move old database: yes
Allow ldapv2 protocol: no

Last, make sure slapd is running:

service slapd start

You should see this in /var/log/syslog:

<date> ldap slapd[XXX]: slapd starting
<data> ldap slapd[XXX]: Starting OpenLDAP: slapd.

= Purgin the database =

To start from scratch:

service slapd stop
rm -r /var/lib/ldap/*
rm /etc/ldap/slapd.d/*

= Configure slapd =

The OpenLDAP server (slapd) is configured by making changes to a database call
ed "cn=config".

We need to make a number of changes before we are ready to initialize the normal database with user data.

We make the changes by writing so called ldif files and applying them to the database with the ldapmodify tool.

ldapmodify -Y EXTERNAL -H ldapi:/// -f diff.ldif

For viewing changes we use the following:

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config"
== Configure more extensive indexing ==

Configure slapd to use more indexing to improve performance.
Put this into indexing.ldif

dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: cn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: sn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: uid pres,sub,eq
-
add: olcDbIndex
olcDbIndex: displayName pres,sub,eq
-
add: olcDbIndex
olcDbIndex: default sub
-
add: olcDbIndex
olcDbIndex: uidNumber eq
-
add: olcDbIndex
olcDbIndex: gidNumber eq
-
add: olcDbIndex
olcDbIndex: mail,givenName eq,subinitial
-
add: olcDbIndex
olcDbIndex: dc eq

Run this:

ldapmodify -Y EXTERNAL -H ldapi:/// -f indexing.ldif

== Configure SASL/SSL ==

First, generate official certificates.
There should be three files, in our case:

/etc/ldap/cert/chain-lysator.liu.se.pem
/etc/ldap/cert/ldap.lysator.liu.se.pem
/etc/ldap/cert/ldap.lysator.liu.se.key

Make sure that the openldap user has the rights to read these files.

chown -R openldap:openldap /etc/ldap/cert/*
chmod -R 0400 /etc/ldap/cert*

Put the following in ldif files and apply.

Only use tls.

dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcSecurity
olcSecurity: tls=1

Specify certificate.

dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/cert/chain-lysator.liu.se.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/cert/ldap.lysator.liu.se.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/cert/ldap.lysator.liu.se.key
-
add: olcTLSVerifyClient
olcTLSVerifyClient: never

== Import NIS User schema ==

Import nis schema
ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif

Verify that you can find posixAccount

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" | grep posixAccount

== Import AUTOFS schema ==

Import autofs schema
ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/autofs-ldap.ldif

Verify that you can find automount

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" | grep automount

== Allow chsh and chfn ==

= Importing data from NIS =

* Import from nis scripts.
* Autofs conversion.
* Character conversion.

=== Add top tree nodes in ldap database ===

Before we import data into the database, some structures must be constructed inside the database.

TODO

=== Configure migrationtools ===

Run this:

apt-get install migrationtools

This installs a number of scripts and configuration tools for converting NIS to ldap.

Configuration files can be found here:

/usr/share/migrationtools

Cruically in :

/etc/migrationtools/migrate_common.ph

Change to the following:

$DEFAULT_MAIL_DOMAIN = "lysator.liu.se";
$DEFAULT_BASE = "[["dc=lysator,dc=liu,dc=se"]]";

Rootmanual:ldap

2016-01-29T15:47:41Z

Net4all:

= Useful documentation =

https://wiki.debian.org/LDAP/OpenLDAPSetup

http://www.openldap.org/doc/admin22/index.html

http://www.zytrax.com/books/ldap/ch6/slapd-config.html

https://wiki.debian.org/LDAP/MigrationTools

= Bootstrap slapd =

First install debian, configure the network and run puppet.
Please see ldap-server in the lysator puppet git repo.

Now, slapd needs to be reconfigured (mainly to set ldap admin password).
Run this:

dpkg-reconfigure -plow slapd

Example answers, note the password <ldap-admin>.

Omit OpenLDAP server configuration? no
DNS nomain name: lysator.liu.se
Organization name: lysator.liu.se
Administrator password: <ldap-admin>
Database backend to use: MDB
Remove database when slapd is purged: no
Move old database: yes
Allow ldapv2 protocol: no

Last, make sure slapd is running:

service slapd start

You should see this in /var/log/syslog:

<date> ldap slapd[XXX]: slapd starting
<data> ldap slapd[XXX]: Starting OpenLDAP: slapd.

= Purgin the database =

To start from scratch:

service slapd stop
rm -r /var/lib/ldap/*
rm /etc/ldap/slapd.d/*

= Configure slapd =

The OpenLDAP server (slapd) is configured by making changes to a database call
ed "cn=config".

We need to make a number of changes before we are ready to initialize the normal database with user data.

We make the changes by writing so called ldif files and applying them to the database with the ldapmodify tool.

ldapmodify -Y EXTERNAL -H ldapi:/// -f diff.ldif

For viewing changes we use the following:

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config"
== Configure more extensive indexing ==

Configure slapd to use more indexing to improve performance.
Put this into indexing.ldif

dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: cn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: sn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: uid pres,sub,eq
-
add: olcDbIndex
olcDbIndex: displayName pres,sub,eq
-
add: olcDbIndex
olcDbIndex: default sub
-
add: olcDbIndex
olcDbIndex: uidNumber eq
-
add: olcDbIndex
olcDbIndex: gidNumber eq
-
add: olcDbIndex
olcDbIndex: mail,givenName eq,subinitial
-
add: olcDbIndex
olcDbIndex: dc eq

Run this:

ldapmodify -Y EXTERNAL -H ldapi:/// -f indexing.ldif

== Configure SASL/SSL ==

Put the following in ldif files and apply.

Only use tls.

dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcSecurity
olcSecurity: tls=1

Specify certificate.

dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/cert/chain-lysator.liu.se.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/cert/ldap.lysator.liu.se.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/cert/ldap.lysator.liu.se.key
-
add: olcTLSVerifyClient
olcTLSVerifyClient: never

(Also install the certificates.)

== Import NIS User schema ==

Import nis schema
ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif

Verify that you can find posixAccount

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" | grep posixAccount

== Import AUTOFS schema ==

Import autofs schema
ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/autofs-ldap.ldif

Verify that you can find automount

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" | grep automount

TODO: Make sure this file is installed by puppet

== Allow chsh and chfn ==

= Importing data from NIS =

* Import from nis scripts.
* Autofs conversion.
* Character conversion.

=== Add top tree nodes in ldap database ===

Before we import data into the database, some structures must be constructed inside the database.

TODO

=== Configure migrationtools ===

Run this:

apt-get install migrationtools

This installs a number of scripts and configuration tools for converting NIS to ldap.

Configuration files can be found here:

/usr/share/migrationtools

Cruically in :

/etc/migrationtools/migrate_common.ph

Change to the following:

$DEFAULT_MAIL_DOMAIN = "lysator.liu.se";
$DEFAULT_BASE = "[["dc=lysator,dc=liu,dc=se"]]";

Rootmanual:ldap

2016-01-29T15:33:32Z

Net4all: /* Configure more extensive indexing */

= Useful documentation =

https://wiki.debian.org/LDAP/OpenLDAPSetup

http://www.openldap.org/doc/admin22/index.html

http://www.zytrax.com/books/ldap/ch6/slapd-config.html

https://wiki.debian.org/LDAP/MigrationTools

= Bootstrap slapd =

First install debian, configure the network and run puppet.
Please see ldap-server in the lysator puppet git repo.

Now, slapd needs to be reconfigured (mainly to set ldap admin password).
Run this:

dpkg-reconfigure -plow slapd

Example answers, note the password <ldap-admin>.

Omit OpenLDAP server configuration? no
DNS nomain name: lysator.liu.se
Organization name: lysator.liu.se
Administrator password: <ldap-admin>
Database backend to use: MDB
Remove database when slapd is purged: no
Move old database: yes
Allow ldapv2 protocol: no

Last, make sure slapd is running:

service slapd start

You should see this in /var/log/syslog:

<date> ldap slapd[XXX]: slapd starting
<data> ldap slapd[XXX]: Starting OpenLDAP: slapd.

= Configure slapd =

The OpenLDAP server (slapd) is configured by making changes to a database call
ed "cn=config".

We need to make a number of changes before we are ready to initialize the normal database with user data.

We make the changes by writing so called ldif files and applying them to the database with the ldapmodify tool.

ldapmodify -Y EXTERNAL -H ldapi:/// -f diff.ldif

For viewing changes we use the following:

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config"
== Configure more extensive indexing ==

Configure slapd to use more indexing to improve performance.
Put this into indexing.ldif

dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: cn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: sn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: uid pres,sub,eq
-
add: olcDbIndex
olcDbIndex: displayName pres,sub,eq
-
add: olcDbIndex
olcDbIndex: default sub
-
add: olcDbIndex
olcDbIndex: uidNumber eq
-
add: olcDbIndex
olcDbIndex: gidNumber eq
-
add: olcDbIndex
olcDbIndex: mail,givenName eq,subinitial
-
add: olcDbIndex
olcDbIndex: dc eq

Run this:

ldapmodify -Y EXTERNAL -H ldapi:/// -f indexing.ldif

== Configure SASL/SSL ==

Put the following in ldif files and apply.

Only use tls.

dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcSecurity
olcSecurity: tls=1

Specify certificate.

dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/cert/chain-lysator.liu.se.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/cert/ldap.lysator.liu.se.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/cert/ldap.lysator.liu.se.key
-
add: olcTLSVerifyClient
olcTLSVerifyClient: never

(Also install the certificates.)

== Import NIS User schema ==

Import nis schema
ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif

Verify that you can find posixAccount

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" | grep posixAccount

== Import AUTOFS schema ==

Import autofs schema
ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/autofs-ldap.ldif

TODO: Make sure this file is installed by puppet

== Allow chsh and chfn ==

= Importing data from NIS =

* Import from nis scripts.
* Autofs conversion.
* Character conversion.

=== Add top tree nodes in ldap database ===

Before we import data into the database, some structures must be constructed inside the database.

TODO

=== Configure migrationtools ===

Run this:

apt-get install migrationtools

This installs a number of scripts and configuration tools for converting NIS to ldap.

Configuration files can be found here:

/usr/share/migrationtools

Cruically in :

/etc/migrationtools/migrate_common.ph

Change to the following:

$DEFAULT_MAIL_DOMAIN = "lysator.liu.se";
$DEFAULT_BASE = "[["dc=lysator,dc=liu,dc=se"]]";

Rootmanual:ldap

2016-01-29T15:13:19Z

Net4all: /* Configure SASL/SSL */

= Useful documentation =

https://wiki.debian.org/LDAP/OpenLDAPSetup

http://www.openldap.org/doc/admin22/index.html

http://www.zytrax.com/books/ldap/ch6/slapd-config.html

https://wiki.debian.org/LDAP/MigrationTools

= Bootstrap slapd =

First install debian, configure the network and run puppet.
Please see ldap-server in the lysator puppet git repo.

Now, slapd needs to be reconfigured (mainly to set ldap admin password).
Run this:

dpkg-reconfigure -plow slapd

Example answers, note the password <ldap-admin>.

Omit OpenLDAP server configuration? no
DNS nomain name: lysator.liu.se
Organization name: lysator.liu.se
Administrator password: <ldap-admin>
Database backend to use: MDB
Remove database when slapd is purged: no
Move old database: yes
Allow ldapv2 protocol: no

Last, make sure slapd is running:

service slapd start

You should see this in /var/log/syslog:

<date> ldap slapd[XXX]: slapd starting
<data> ldap slapd[XXX]: Starting OpenLDAP: slapd.

= Configure slapd =

The OpenLDAP server (slapd) is configured by making changes to a database call
ed "cn=config".

We need to make a number of changes before we are ready to initialize the normal database with user data.

We make the changes by writing so called ldif files and applying them to the database with the ldapmodify tool.

ldapmodify -Y EXTERNAL -H ldapi:/// -f diff.ldif

For viewing changes we use the following:

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config"
== Configure more extensive indexing ==

Configure slapd to use more indexing to improve performance.
Put this into indexing.ldif

dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: cn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: sn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: uid pres,sub,eq
-
add: olcDbIndex
olcDbIndex: displayName pres,sub,eq
-
add: olcDbIndex
olcDbIndex: default sub
-
add: olcDbIndex
olcDbIndex: uidNumber eq
-
add: olcDbIndex
olcDbIndex: gidNumber eq
-
add: olcDbIndex
olcDbIndex: mail,givenName eq,subinitial
-
add: olcDbIndex
olcDbIndex: dc eq

Run this:

ldapmodify -Y EXTERNAL -H ldapi:/// -f indexing.ldif

== Configure SASL/SSL ==

Put the following in ldif files and apply.

Only use tls.

dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcSecurity
olcSecurity: tls=1

Specify certificate.

dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/cert/chain-lysator.liu.se.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/cert/ldap.lysator.liu.se.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/cert/ldap.lysator.liu.se.key
-
add: olcTLSVerifyClient
olcTLSVerifyClient: never

(Also install the certificates.)

== Import POSIX User schema ? ==

== Import AUTOFS schema ==

== Allow chsh and chfn ==

= Importing data from NIS =

* Import from nis scripts.
* Autofs conversion.
* Character conversion.

=== Add top tree nodes in ldap database ===

Before we import data into the database, some structures must be constructed inside the database.

TODO

=== Configure migrationtools ===

Run this:

apt-get install migrationtools

This installs a number of scripts and configuration tools for converting NIS to ldap.

Configuration files can be found here:

/usr/share/migrationtools

Cruically in :

/etc/migrationtools/migrate_common.ph

Change to the following:

$DEFAULT_MAIL_DOMAIN = "lysator.liu.se";
$DEFAULT_BASE = "[["dc=lysator,dc=liu,dc=se"]]";

Rootmanual:ldap

2016-01-29T15:09:16Z

Net4all: /* Configure SASL/SSL */

= Useful documentation =

https://wiki.debian.org/LDAP/OpenLDAPSetup

http://www.openldap.org/doc/admin22/index.html

http://www.zytrax.com/books/ldap/ch6/slapd-config.html

https://wiki.debian.org/LDAP/MigrationTools

= Bootstrap slapd =

First install debian, configure the network and run puppet.
Please see ldap-server in the lysator puppet git repo.

Now, slapd needs to be reconfigured (mainly to set ldap admin password).
Run this:

dpkg-reconfigure -plow slapd

Example answers, note the password <ldap-admin>.

Omit OpenLDAP server configuration? no
DNS nomain name: lysator.liu.se
Organization name: lysator.liu.se
Administrator password: <ldap-admin>
Database backend to use: MDB
Remove database when slapd is purged: no
Move old database: yes
Allow ldapv2 protocol: no

Last, make sure slapd is running:

service slapd start

You should see this in /var/log/syslog:

<date> ldap slapd[XXX]: slapd starting
<data> ldap slapd[XXX]: Starting OpenLDAP: slapd.

= Configure slapd =

The OpenLDAP server (slapd) is configured by making changes to a database call
ed "cn=config".

We need to make a number of changes before we are ready to initialize the normal database with user data.

We make the changes by writing so called ldif files and applying them to the database with the ldapmodify tool.

ldapmodify -Y EXTERNAL -H ldapi:/// -f diff.ldif

For viewing changes we use the following:

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config"
== Configure more extensive indexing ==

Configure slapd to use more indexing to improve performance.
Put this into indexing.ldif

dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: cn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: sn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: uid pres,sub,eq
-
add: olcDbIndex
olcDbIndex: displayName pres,sub,eq
-
add: olcDbIndex
olcDbIndex: default sub
-
add: olcDbIndex
olcDbIndex: uidNumber eq
-
add: olcDbIndex
olcDbIndex: gidNumber eq
-
add: olcDbIndex
olcDbIndex: mail,givenName eq,subinitial
-
add: olcDbIndex
olcDbIndex: dc eq

Run this:

ldapmodify -Y EXTERNAL -H ldapi:/// -f indexing.ldif

== Configure SASL/SSL ==

Put the following in ldif files and apply.

Only use tls.

dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcSecurity
olcSecurity: tls=1

Specify certificate.

dn: cn=config
olcTLSCACertificateFile: /etc/ldap/cert/chain-lysator.liu.se.pem
olcTLSCertificateFile: /etc/ldap/cert/ldap.lysator.liu.se.pem
olcTLSCertificateKeyFile: /etc/ldap/cert/ldap.lysator.liu.se.key
olcTLSVerifyClient: never

(Also install the certificates.)

== Import POSIX User schema ? ==

== Import AUTOFS schema ==

== Allow chsh and chfn ==

= Importing data from NIS =

* Import from nis scripts.
* Autofs conversion.
* Character conversion.

=== Add top tree nodes in ldap database ===

Before we import data into the database, some structures must be constructed inside the database.

TODO

=== Configure migrationtools ===

Run this:

apt-get install migrationtools

This installs a number of scripts and configuration tools for converting NIS to ldap.

Configuration files can be found here:

/usr/share/migrationtools

Cruically in :

/etc/migrationtools/migrate_common.ph

Change to the following:

$DEFAULT_MAIL_DOMAIN = "lysator.liu.se";
$DEFAULT_BASE = "[["dc=lysator,dc=liu,dc=se"]]";

Rootmanual:ldap

2015-12-11T19:34:15Z

Net4all: /* Useful documentation */

= Useful documentation =

https://wiki.debian.org/LDAP/OpenLDAPSetup

http://www.openldap.org/doc/admin22/index.html

http://www.zytrax.com/books/ldap/ch6/slapd-config.html

https://wiki.debian.org/LDAP/MigrationTools

= Bootstrap slapd =

First install debian, configure the network and run puppet.
Please see ldap-server in the lysator puppet git repo.

Now, slapd needs to be reconfigured (mainly to set ldap admin password).
Run this:

dpkg-reconfigure -plow slapd

Example answers, note the password <ldap-admin>.

Omit OpenLDAP server configuration? no
DNS nomain name: lysator.liu.se
Organization name: lysator.liu.se
Administrator password: <ldap-admin>
Database backend to use: MDB
Remove database when slapd is purged: no
Move old database: yes
Allow ldapv2 protocol: no

Last, make sure slapd is running:

service slapd start

You should see this in /var/log/syslog:

<date> ldap slapd[XXX]: slapd starting
<data> ldap slapd[XXX]: Starting OpenLDAP: slapd.

= Configure slapd =

The OpenLDAP server (slapd) is configured by making changes to a database call
ed "cn=config".

We need to make a number of changes before we are ready to initialize the normal database with user data.

We make the changes by writing so called ldif files and applying them to the database with the ldapmodify tool.

ldapmodify -Y EXTERNAL -H ldapi:/// -f diff.ldif

For viewing changes we use the following:

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config"
== Configure more extensive indexing ==

Configure slapd to use more indexing to improve performance.
Put this into indexing.ldif

dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: cn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: sn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: uid pres,sub,eq
-
add: olcDbIndex
olcDbIndex: displayName pres,sub,eq
-
add: olcDbIndex
olcDbIndex: default sub
-
add: olcDbIndex
olcDbIndex: uidNumber eq
-
add: olcDbIndex
olcDbIndex: gidNumber eq
-
add: olcDbIndex
olcDbIndex: mail,givenName eq,subinitial
-
add: olcDbIndex
olcDbIndex: dc eq

Run this:

ldapmodify -Y EXTERNAL -H ldapi:/// -f indexing.ldif

== Configure SASL/SSL ==

Put the following in ldif files and apply.

Only use tls.

dn: olcDatabase={1}hdb,cn=config
changetype: replace
replace: olcSecurity
olcSecurity: tls=1

Specify certificate.

dn: cn=config
olcTLSCACertificateFile: /etc/ldap/cert/chain-lysator.liu.se.pem
olcTLSCertificateFile: /etc/ldap/cert/ldap.lysator.liu.se.pem
olcTLSCertificateKeyFile: /etc/ldap/cert/ldap.lysator.liu.se.key
olcTLSVerifyClient: never

(Also install the certificates.)

== Import POSIX User schema ? ==

== Import AUTOFS schema ==

== Allow chsh and chfn ==

= Importing data from NIS =

* Import from nis scripts.
* Autofs conversion.
* Character conversion.

=== Add top tree nodes in ldap database ===

Before we import data into the database, some structures must be constructed inside the database.

TODO

=== Configure migrationtools ===

Run this:

apt-get install migrationtools

This installs a number of scripts and configuration tools for converting NIS to ldap.

Configuration files can be found here:

/usr/share/migrationtools

Cruically in :

/etc/migrationtools/migrate_common.ph

Change to the following:

$DEFAULT_MAIL_DOMAIN = "lysator.liu.se";
$DEFAULT_BASE = "[["dc=lysator,dc=liu,dc=se"]]";

Rootmanual:ldap

2015-12-11T19:33:39Z

Net4all:

= Useful documentation =

https://wiki.debian.org/LDAP/OpenLDAPSetup

http://www.openldap.org/doc/admin22/index.html

http://www.zytrax.com/books/ldap/ch6/slapd-config.html

= Bootstrap slapd =

First install debian, configure the network and run puppet.
Please see ldap-server in the lysator puppet git repo.

Now, slapd needs to be reconfigured (mainly to set ldap admin password).
Run this:

dpkg-reconfigure -plow slapd

Example answers, note the password <ldap-admin>.

Omit OpenLDAP server configuration? no
DNS nomain name: lysator.liu.se
Organization name: lysator.liu.se
Administrator password: <ldap-admin>
Database backend to use: MDB
Remove database when slapd is purged: no
Move old database: yes
Allow ldapv2 protocol: no

Last, make sure slapd is running:

service slapd start

You should see this in /var/log/syslog:

<date> ldap slapd[XXX]: slapd starting
<data> ldap slapd[XXX]: Starting OpenLDAP: slapd.

= Configure slapd =

The OpenLDAP server (slapd) is configured by making changes to a database call
ed "cn=config".

We need to make a number of changes before we are ready to initialize the normal database with user data.

We make the changes by writing so called ldif files and applying them to the database with the ldapmodify tool.

ldapmodify -Y EXTERNAL -H ldapi:/// -f diff.ldif

For viewing changes we use the following:

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config"
== Configure more extensive indexing ==

Configure slapd to use more indexing to improve performance.
Put this into indexing.ldif

dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: cn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: sn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: uid pres,sub,eq
-
add: olcDbIndex
olcDbIndex: displayName pres,sub,eq
-
add: olcDbIndex
olcDbIndex: default sub
-
add: olcDbIndex
olcDbIndex: uidNumber eq
-
add: olcDbIndex
olcDbIndex: gidNumber eq
-
add: olcDbIndex
olcDbIndex: mail,givenName eq,subinitial
-
add: olcDbIndex
olcDbIndex: dc eq

Run this:

ldapmodify -Y EXTERNAL -H ldapi:/// -f indexing.ldif

== Configure SASL/SSL ==

Put the following in ldif files and apply.

Only use tls.

dn: olcDatabase={1}hdb,cn=config
changetype: replace
replace: olcSecurity
olcSecurity: tls=1

Specify certificate.

dn: cn=config
olcTLSCACertificateFile: /etc/ldap/cert/chain-lysator.liu.se.pem
olcTLSCertificateFile: /etc/ldap/cert/ldap.lysator.liu.se.pem
olcTLSCertificateKeyFile: /etc/ldap/cert/ldap.lysator.liu.se.key
olcTLSVerifyClient: never

(Also install the certificates.)

== Import POSIX User schema ? ==

== Import AUTOFS schema ==

== Allow chsh and chfn ==

= Importing data from NIS =

* Import from nis scripts.
* Autofs conversion.
* Character conversion.

=== Add top tree nodes in ldap database ===

Before we import data into the database, some structures must be constructed inside the database.

TODO

=== Configure migrationtools ===

Run this:

apt-get install migrationtools

This installs a number of scripts and configuration tools for converting NIS to ldap.

Configuration files can be found here:

/usr/share/migrationtools

Cruically in :

/etc/migrationtools/migrate_common.ph

Change to the following:

$DEFAULT_MAIL_DOMAIN = "lysator.liu.se";
$DEFAULT_BASE = "[["dc=lysator,dc=liu,dc=se"]]";

Rootmanual:ldap

2015-12-11T19:32:17Z

Net4all: /* Import POSIX User schema ? */

= Useful documentation =

https://wiki.debian.org/LDAP/OpenLDAPSetup

http://www.openldap.org/doc/admin22/index.html

http://www.zytrax.com/books/ldap/ch6/slapd-config.html

= Bootstrap slapd =

First install debian, configure the network and run puppet.
Please see ldap-server in the lysator puppet git repo.

Now, slapd needs to be reconfigured (mainly to set ldap admin password).
Run this:

dpkg-reconfigure -plow slapd

Example answers, note the password <ldap-admin>.

Omit OpenLDAP server configuration? no
DNS nomain name: lysator.liu.se
Organization name: lysator.liu.se
Administrator password: <ldap-admin>
Database backend to use: MDB
Remove database when slapd is purged: no
Move old database: yes
Allow ldapv2 protocol: no

Last, make sure slapd is running:

service slapd start

You should see this in /var/log/syslog:

<date> ldap slapd[XXX]: slapd starting
<data> ldap slapd[XXX]: Starting OpenLDAP: slapd.

= Configure slapd =

The OpenLDAP server (slapd) is configured by making changes to a database call
ed "cn=config".

We need to make a number of changes before we are ready to initialize the normal database with user data.

We make the changes by writing so called ldif files and applying them to the database with the ldapmodify tool.

ldapmodify -Y EXTERNAL -H ldapi:/// -f diff.ldif

For viewing changes we use the following:

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config"
== Configure more extensive indexing ==

Configure slapd to use more indexing to improve performance.
Put this into indexing.ldif

dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: cn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: sn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: uid pres,sub,eq
-
add: olcDbIndex
olcDbIndex: displayName pres,sub,eq
-
add: olcDbIndex
olcDbIndex: default sub
-
add: olcDbIndex
olcDbIndex: uidNumber eq
-
add: olcDbIndex
olcDbIndex: gidNumber eq
-
add: olcDbIndex
olcDbIndex: mail,givenName eq,subinitial
-
add: olcDbIndex
olcDbIndex: dc eq

Run this:

ldapmodify -Y EXTERNAL -H ldapi:/// -f indexing.ldif

== Configure SASL/SSL ==

Put the following in ldif files and apply.

Only use tls.

dn: olcDatabase={1}hdb,cn=config
changetype: replace
replace: olcSecurity
olcSecurity: tls=1

Specify certificate.

dn: cn=config
olcTLSCACertificateFile: /etc/ldap/cert/chain-lysator.liu.se.pem
olcTLSCertificateFile: /etc/ldap/cert/ldap.lysator.liu.se.pem
olcTLSCertificateKeyFile: /etc/ldap/cert/ldap.lysator.liu.se.key
olcTLSVerifyClient: never

(Also install the certificates.)

== Import POSIX User schema ? ==

=== Add top tree nodes in ldap database ===

Before we import data into the database, some structures must be constructed inside the database.

TODO

=== Configure migrationtools ===

Run this:

apt-get install migrationtools

This installs a number of scripts and configuration tools for converting NIS to ldap.

Configuration files can be found here:

/usr/share/migrationtools

Cruically in :

/etc/migrationtools/migrate_common.ph

Change to the following:

$DEFAULT_MAIL_DOMAIN = "lysator.liu.se";
$DEFAULT_BASE = "[["dc=lysator,dc=liu,dc=se"]]";

== Import AUTOFS schema ==

== Allow chsh and chfn ==

= Importing data from NIS =

* Import from nis scripts.
* Autofs conversion.
* Character conversion.

Rootmanual:ldap

2015-12-11T19:17:32Z

Net4all: /* Configure SASL/SSL */

= Useful documentation =

https://wiki.debian.org/LDAP/OpenLDAPSetup

http://www.openldap.org/doc/admin22/index.html

http://www.zytrax.com/books/ldap/ch6/slapd-config.html

= Bootstrap slapd =

First install debian, configure the network and run puppet.
Please see ldap-server in the lysator puppet git repo.

Now, slapd needs to be reconfigured (mainly to set ldap admin password).
Run this:

dpkg-reconfigure -plow slapd

Example answers, note the password <ldap-admin>.

Omit OpenLDAP server configuration? no
DNS nomain name: lysator.liu.se
Organization name: lysator.liu.se
Administrator password: <ldap-admin>
Database backend to use: MDB
Remove database when slapd is purged: no
Move old database: yes
Allow ldapv2 protocol: no

Last, make sure slapd is running:

service slapd start

You should see this in /var/log/syslog:

<date> ldap slapd[XXX]: slapd starting
<data> ldap slapd[XXX]: Starting OpenLDAP: slapd.

= Configure slapd =

The OpenLDAP server (slapd) is configured by making changes to a database call
ed "cn=config".

We need to make a number of changes before we are ready to initialize the normal database with user data.

We make the changes by writing so called ldif files and applying them to the database with the ldapmodify tool.

ldapmodify -Y EXTERNAL -H ldapi:/// -f diff.ldif

For viewing changes we use the following:

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config"
== Configure more extensive indexing ==

Configure slapd to use more indexing to improve performance.
Put this into indexing.ldif

dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: cn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: sn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: uid pres,sub,eq
-
add: olcDbIndex
olcDbIndex: displayName pres,sub,eq
-
add: olcDbIndex
olcDbIndex: default sub
-
add: olcDbIndex
olcDbIndex: uidNumber eq
-
add: olcDbIndex
olcDbIndex: gidNumber eq
-
add: olcDbIndex
olcDbIndex: mail,givenName eq,subinitial
-
add: olcDbIndex
olcDbIndex: dc eq

Run this:

ldapmodify -Y EXTERNAL -H ldapi:/// -f indexing.ldif

== Configure SASL/SSL ==

Put the following in ldif files and apply.

Only use tls.

dn: olcDatabase={1}hdb,cn=config
changetype: replace
replace: olcSecurity
olcSecurity: tls=1

Specify certificate.

dn: cn=config
olcTLSCACertificateFile: /etc/ldap/cert/chain-lysator.liu.se.pem
olcTLSCertificateFile: /etc/ldap/cert/ldap.lysator.liu.se.pem
olcTLSCertificateKeyFile: /etc/ldap/cert/ldap.lysator.liu.se.key
olcTLSVerifyClient: never

(Also install the certificates.)

== Import POSIX User schema ? ==

== Import AUTOFS schema ==

== Allow chsh and chfn ==

= Importing data from NIS =

* Import from nis scripts.
* Autofs conversion.
* Character conversion.

Rootmanual:ldap

2015-12-11T19:10:32Z

Net4all: /* Configure slapd */

= Useful documentation =

https://wiki.debian.org/LDAP/OpenLDAPSetup

http://www.openldap.org/doc/admin22/index.html

http://www.zytrax.com/books/ldap/ch6/slapd-config.html

= Bootstrap slapd =

First install debian, configure the network and run puppet.
Please see ldap-server in the lysator puppet git repo.

Now, slapd needs to be reconfigured (mainly to set ldap admin password).
Run this:

dpkg-reconfigure -plow slapd

Example answers, note the password <ldap-admin>.

Omit OpenLDAP server configuration? no
DNS nomain name: lysator.liu.se
Organization name: lysator.liu.se
Administrator password: <ldap-admin>
Database backend to use: MDB
Remove database when slapd is purged: no
Move old database: yes
Allow ldapv2 protocol: no

Last, make sure slapd is running:

service slapd start

You should see this in /var/log/syslog:

<date> ldap slapd[XXX]: slapd starting
<data> ldap slapd[XXX]: Starting OpenLDAP: slapd.

= Configure slapd =

The OpenLDAP server (slapd) is configured by making changes to a database call
ed "cn=config".

We need to make a number of changes before we are ready to initialize the normal database with user data.

We make the changes by writing so called ldif files and applying them to the database with the ldapmodify tool.

ldapmodify -Y EXTERNAL -H ldapi:/// -f diff.ldif

For viewing changes we use the following:

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config"
== Configure more extensive indexing ==

Configure slapd to use more indexing to improve performance.
Put this into indexing.ldif

dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: cn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: sn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: uid pres,sub,eq
-
add: olcDbIndex
olcDbIndex: displayName pres,sub,eq
-
add: olcDbIndex
olcDbIndex: default sub
-
add: olcDbIndex
olcDbIndex: uidNumber eq
-
add: olcDbIndex
olcDbIndex: gidNumber eq
-
add: olcDbIndex
olcDbIndex: mail,givenName eq,subinitial
-
add: olcDbIndex
olcDbIndex: dc eq

Run this:

ldapmodify -Y EXTERNAL -H ldapi:/// -f indexing.ldif

== Configure SASL/SSL ==

olcSecurity: tls=1
olcTLSCACertificateFile: /etc/ldap/cert/chain-lysator.liu.se.pem
olcTLSCertificateFile: /etc/ldap/cert/ldap.lysator.liu.se.pem
olcTLSCertificateKeyFile: /etc/ldap/cert/ldap.lysator.liu.se.key
olcTLSVerifyClient: never

== Import POSIX User schema ? ==

== Import AUTOFS schema ==

== Allow chsh and chfn ==

= Importing data from NIS =

* Import from nis scripts.
* Autofs conversion.
* Character conversion.

Rootmanual:ldap

2015-12-11T19:00:26Z

Net4all:

= Useful documentation =

https://wiki.debian.org/LDAP/OpenLDAPSetup

http://www.openldap.org/doc/admin22/index.html

http://www.zytrax.com/books/ldap/ch6/slapd-config.html

= Bootstrap slapd =

First install debian, configure the network and run puppet.
Please see ldap-server in the lysator puppet git repo.

Now, slapd needs to be reconfigured (mainly to set ldap admin password).
Run this:

dpkg-reconfigure -plow slapd

Example answers, note the password <ldap-admin>.

Omit OpenLDAP server configuration? no
DNS nomain name: lysator.liu.se
Organization name: lysator.liu.se
Administrator password: <ldap-admin>
Database backend to use: MDB
Remove database when slapd is purged: no
Move old database: yes
Allow ldapv2 protocol: no

Last, make sure slapd is running:

service slapd start

You should see this in /var/log/syslog:

<date> ldap slapd[XXX]: slapd starting
<data> ldap slapd[XXX]: Starting OpenLDAP: slapd.

= Configure slapd =

The OpenLDAP server (slapd) is configured by making changes to a database call
ed "cn=config".

We need to make a number of changes before we are ready to initialize the normal database with user data.

We make the changes by writing so called ldif files and applying them to the database with the ldapmodify tool.

ldapmodify -Y EXTERNAL -H ldapi:/// -f diff.ldif

For viewing changes we use the following:

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config"
== Configure more extensive indexing ==

Configure slapd to use more indexing to improve performance.
Put this into indexing.ldif

dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: cn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: sn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: uid pres,sub,eq
-
add: olcDbIndex
olcDbIndex: displayName pres,sub,eq
-
add: olcDbIndex
olcDbIndex: default sub
-
add: olcDbIndex
olcDbIndex: uidNumber eq
-
add: olcDbIndex
olcDbIndex: gidNumber eq
-
add: olcDbIndex
olcDbIndex: mail,givenName eq,subinitial
-
add: olcDbIndex
olcDbIndex: dc eq

Run this:

ldapmodify -Y EXTERNAL -H ldapi:/// -f indexing.ldif

== Configure SASL/SSL ==

== Import POSIX User schema ? ==

== Import AUTOFS schema ==

= Importing data from NIS =

* Import from nis scripts.
* Autofs conversion.
* Character conversion.

Rootgruppen

2015-11-10T12:52:04Z

Net4all: /* net4all */

Rootgruppen är de som administrerar Lysators datorsystem. Här följer en kort presentation av dem, i den mån de vill avslöja sig själva.

Vill du kontakta rootgruppen kan du skicka ett inlägg till LysKOM-mötet <code>Root (@) Lysator</code> eller ett e-brev till <code>root (hos) lysator.liu.se</code>.

== [[User:pettson|pettson]] ==
{| style="border: 0px"
!align="right" | Namn
| Andreas Pettersson
|-
!align="right" | Medlem sedan
| 2005
|-
!align="right" | Root sedan
| 2007
|-
!align="right" | Foto
| | [[Bild:Pettson.jpg|none|thumb]]
|-
!align="right" | Driftstatus
| Ur drift
|-
!align="right" | Jobb
| Senior sysadmin på Klarna AB
|-
!align="right" | Övrigt
| Superroot 2008-2009
|-
!align="right" | OS
| Spelar {Net, Free, Open}BSD och Solaris
|-
!align="right" | Kontaktinfo
| IRC: pettson@{IRCNet, Freenode, EFNet, GIMPNet}
|-
!
| Jabber: pettson@lysator.liu.se 
|-
!
| LysLysKOM: Andreas Petersson, Lysator/Klarna 
|-
!
| Telefon: 070-565 93 86
|-
|}

== [[User:derfian|derfian]] ==
{| style="border: 0px"
!align="right" | Namn
| Karl Mikaelsson
|-
!align="right" | Medlem sedan
| 2004
|-
!align="right" | Root sedan
| 2007
|-
!align="right" | Foto
| | [[Bild:Derfian.jpg|none|thumb]]
|-
!align="right" | Driftstatus
| Ur drift.
|-
!align="right" | Jobb
| Utvecklare/tekniker, Cendio AB
|-
!align="right" | OS
| Använder Gentoo, Fedora och RHEL/CentOS. Linux, alltså.
|-
!align="right" | Hackar i
| Mycket, men föredrar Python.
|-
!align="right" | Kontaktinfo
| Epost: derfian@lysator.liu.se 
|-
!
| LysKOM: derfian (Karl Mikaelsson) 
|-
!
| Telefon: 070-320 84 44
|-
|}

== [[User:blambi|blambi]] ==
{| style="border: 0px"
!align="right" | Namn
| Patrik Lembke
|-
!align="right" | Medlem sedan
| 2007
|-
!align="right" | Root sedan
| 2007
|-
!align="right" | Driftstatus
| På drift i exil, eller något sådant
|-
!align="right" | Övrigt
|
|-
!align="right" | OS
| Allt som smakar GNU:ish och ibland annat som är fritt.
|-
!align="right" | Hackar i
| {e,c}Lisp, C (då helst C99 alt GNU99), Python, Ruby, Bash, GNU Emacs
|-
!align="right" | Kontaktinfo
| IRC: blambi@{Freenode, Mythos}
|-
!
| Jabber: blambi@lysator.liu.se 
|-
|}

== [[User:joakim_tosteberg|joakim_tosteberg]] ==
{| style="border: 0px"
!align="right" | Namn
| Joakim Tosteberg
|-
!align="right" | Medlem sedan
| 2007
|-
!align="right" | Root sedan
| 2008
|-
!align="right" | Foto
| | [[Bild:joakim.jpg|none|thumb]]
|-
!align="right" | Driftstatus
| I drift
|-
!align="right" | Övrigt
| Superroot 2009-2010
|-

!align="right" | Kontaktinfo
| IRC: joakim_tosteberg@Freenode
|-
!
| Jabber: joakim_tosteberg@lysator.liu.se 
|-
!
| LysLysKOM: Joakim Tosteberg 
|-
!
| Telefon: 0702 - 253 153
|-
|}

== [[User:busk|busk]] ==
{| style="border: 0px"
!align="right" | Namn
| Johan Busk Eriksson
|-
!align="right" | Medlem sedan
| 2003
|-
!align="right" | Root sedan
| 2009
|-
!align="right" | Driftstatus
| På drift
|-
!align="right" | Jobb
| Systemförvaltare, teknisk webmaster, Liu-IT
|-
!align="right" | Övrigt
|
|-
!align="right" | OS
| GNU/Linux, om katten själv får välja
|-
!align="right" | Hackar i
| Java, C#
|-
!align="right" | Kontaktinfo
| IRC: kodein@freenode (och EFNet)
|-
!
| Epost: <användarnamn> at lysator liu se
|-
!
| PGP/GPG-nyckel: 75079558 
|}

== [[User:tobbez|tobbez]] ==
{| style="border: 0px"
!align="right" | Namn
| Torbjörn Lönnemark
|-
!align="right" | Medlem sedan
| 2006
|-
!align="right" | Root sedan
| 2010
|-
!align="right" | Driftstatus
| I drift
|-
!align="right" | Kontaktinfo
| IRC: tobbez @ freenode
|-
!
| Mail: tobbez@lysator...
|-
|}

== [[User:zeising|zeising]] ==
{| style="border: 0px"
!align="right" | Namn
| Niclas Zeising
|-
!align="right" | Medlem sedan
| 2007
|-
!align="right" | Root sedan
| 2010
|-
!align="right" | Driftstatus
| I drift
|-
!align="right" | Övrigt
|
|-
!align="right" | OS
| Spelar helst {Free,Open}BSD men även Linux och Solaris kan gå.
|-
!align="right" | Kontakt
| IRC: Erandir @ EFnet, IRCnet samt Zeising @ freenode
|-
!
| LysLysKOM: zeising
|-
!
| Telefon: 070-532 10 11
|-
|}

== [[User:tias|tias]] ==
{| style="border: 0px"
!align="right" | Namn
| Mattias Dandanell
|-
!align="right" | Medlem sedan
| 2009
|-
!align="right" | Root sedan
| 2011
|-
!align="right" | Driftstatus
| I drift
|-
!align="right" | Kontaktinfo
| IRC: tias @ freenode
|-
!
| Mail: tias@lysator...
|-
|}

== [[User:sebth|sebth]] ==
{| style="border: 0px"
!align="right" | Namn
| Sebastian Thorarensen
|-
!align="right" | Medlem sedan
| 2009
|-
!align="right" | Root sedan
| 2012
|-
!align="right" | Driftstatus
| Driver på alla hjul
|-
!align="right" | Övrigt
| Superroot 2014-
|-
!align="right" | OS
| Har prövat på diverse GNU/Linux, FreeBSD, NetBSD och Solaris
|-
!align="right" | Hackar i
| C, Python, Java, Lisp och diverse skalverktyg, m.m
|-
!align="right" | Kontakt
| E-post: sebth@lysator.liu.se
|-
!
| LysLysKOM: Sebastian Thorarensen
|-
!
| IRC: Sebban @ Freenode
|-
!
| Telefon: 0733-56 78 50
|-
|}

== [[User:baafen|baafen]] ==
{| style="border: 0px"
!align="right" | Namn
| Joakim Braaf
|-
!align="right" | Medlem sedan
| 2011
|-
!align="right" | Root sedan
| 2012
|-
!align="right" | Driftstatus
| I drift
|-
!align="right" | Kontaktinfo
| IRC: baafen @ freenode
|-
!
| Mail: baafen@lysator...
|-
|}

== [[User:petterl|petterl]] ==
{| style="border: 0px"
!align="right" | Namn
| Petter Larsson
|-
!align="right" | Medlem sedan
| 2000
|-
!align="right" | Root sedan
| 2003
|-
!align="right" | Driftstatus
| I långsam drift
|-
!align="right" | Övrigt
|
|-
!align="right" | OS
| De flesta linuxsmaker.
|-
!align="right" | Hackar i
| Erlang, Pike, C, Lisp, Java, C++, Bash etc.
|-
!align="right" | Kontaktinfo
| LysLysKOM: Petter Larsson 
|-
!
| Epost: petterl@lysator.liu.se
|-
|}

== [[User:pen|pen]] ==

{| style="border: 0px"
!align="right"| Namn
| Peter Eriksson
|-

!align="right"| Medlem sedan
| 1989
|-
!align="right"| Root sedan
| 1990
|-
!align="right"| Foto
| [[Bild:Peter2003.jpg|none|thumb]]
|-
!align="right"| Jobb
| IT-chef, IFM.
|-
!align="right"| Rum
| Fysikhuset, rum F203
|-
!align="right"| Telefon
| 0705-182786
|-
|}

== [[User:bellman|bellman]] ==
{| style="border: 0px"
!align="right" | Namn
| Thomas Bellman
|-
!align="right" | Medlem sedan
| 1988
|-
!align="right" | Root sedan
| 1990
|-
!align="right" | Driftstatus
| Avdankad gammelroot; ägnar sig mest åt att klaga på ungrötterna.
|-
!align="right" | Jobb
| Låter handdockor blåsa rökringar i bunkern. Borde även valla LHC- och iskubsdata.
|-
!align="right" | OS
| Gentoo, CentOS
|-
!align="right" | Hackar i
| Python, C, Puppet, sh, GNU Emacs
|-
!align="right" | Kontaktinfo
| LysLysKOM: Bellman -- The Recursive Hacker
|-
|}

== [[User:poj|poj]] ==
{| style="border: 0px"
!align="right" | Namn
| Per Jonsson
|-
!align="right" | Medlem sedan
| 2003
|-
!align="right" | Root sedan
| 2006
|-
!align="right" | Foto
| | [[Bild:Poj_datorhandbok.jpg|none|thumb]]
|-
!align="right" | Driftstatus
| Sporadiskt.
|-
!align="right" | Jobb
| Ja
|-
!align="right" | OS
| Det mesta, men vissa saker bara när jag får betalt för det. Men gärna lite OpenBSD
|-
!align="right" | Hackar i
| Python om jag får välja, det mesta mot betalning
|-
!align="right" | Favoriteditor
| Emacs
|-
!align="right" | Kontaktinfo
| LysLysKOM: Per O Jonsson
|-
!
| Epost: inses lätt!
|-

|}

== [[User:zino|zino]] ==

{| style="border: 0px"
!align="right"| Namn
| Peter Bortas
|-

!align="right"| Medlem sedan
| 1994
|-
!align="right"| Root sedan
| 1995
|-
!align="right" | Driftstatus
| Selektiv
|-
!align="right"| Jobb
| Utvecklare, Opera.
|-
!align="right"| Rum
| Övre tornrummet
|-
|}

== [[User:grubba|grubba]] ==
{| style="border: 0px"
!align="right" | Namn
| Henrik Grubbström
|-
!align="right" | Medlem sedan
| 1991
|-
!align="right" | Root sedan
| 1993
|-
!align="right" | Driftstatus
| Selektiv, mestadels Xenofarm.
|-
!align="right" | Jobb
| Utvecklare, Roxen Internet Software.
|-
!align="right" | OS
| De flesta SVR4 och POSIX, ju obskyrare desto bättre. Undviker dock gärna OpenBSD.
|-
!align="right" | Hackar i
| Pike, C, sh, m4, assembler
|-
!align="right" | Kontaktinfo
| LysLysKOM: Henrik Grubbström
|-
!
| Epost: <grubba@grubba.org>
|-
|}

== [[User:hx|hx]] ==
{| style="border: 0px"
!align="right" | Namn
| Henrik Henriksson
|-
!align="right" | Medlem sedan
| 2013
|-
!align="right" | Root sedan
| 2014
|-
!align="right" | Driftstatus
| Ganska hög uptime.
|-
!align="right" | Jobb
| Student
|-
!align="right" | OS
| Manjaro
|-
!align="right" | Hackar i
| Haskell
|-
!align="right" | Kontaktinfo
| Epost: <hx@hx.ax>
|-
!
| Epost: <hx@lysator.liu.se>
|-
|}

== [[User:net4all|net4all]] ==
{| style="border: 0px"
!align="right" | Namn
| Jon Dybeck
|-
!align="right" | Medlem sedan
| 2012
|-
!align="right" | Root sedan
| 2014
|-
!align="right" | Driftstatus
| "Aktiv", besöker ~ och fixar med LDAP.
|-
!align="right" | Jobb
| Systemadministratör, Liu-IT / TUS.
|-
!align="right" | OS
| Mest Arch Linux och Debian (derivat).
|-
!align="right" | Hackar i
| C, Python, Scheme, Common Lisp, C++.
|-
!align="right" | Kontaktinfo
| Epost: <net4all@lysator.liu.se>
|-
!
| Epost: <jon.dybeck@liu.se>
|-
!
| Epost: <jon@dybeck.se>
|-
!
| IRC: net4all @ Freenode
|-
|}

== [[User:knase|knase]] ==
{| style="border: 0px"
!align="right" | Namn
| Rasmus Holm
|-
!align="right" | Medlem sedan
| 2014
|-
!align="right" | Root sedan
| 2015
|-
!align="right" | Jobb
| Student
|-
!align="right" | OS
| FreeBSD och diverse Debian derivat.
|-
!align="right" | Hackar i
| C, Python, C++, Bash.
|-
!align="right" | Kontaktinfo
| Epost: <knase@lysator.liu.se>
|-
!
| IRC: knase @ freenode
|-
|}

== [[User:dandan|dandan]] ==
{| style="border: 0px"
!align="right" | Namn
| Daniel Dandanell
|-
!align="right" | Medlem sedan
| 2009
|-
!align="right" | Root sedan
| 2015
|-
!align="right" | Driftstatus
| I drift
|-
!align="right" | Kontaktinfo
| IRC: dandan @ freenode
|-
!
| Mail: dandan@lysator...
|-
|}

== [[User:jiffe|jiffe]] ==
{| style="border: 0px"
!align="right" | Namn
| Johan Frisk
|-
!align="right" | Medlem sedan
| 2013
|-
!align="right" | Root sedan
| 2015
|-
!align="right" | Driftstatus
| I drift
|-
!align="right" | Jobb
| Student
|-
!align="right" | OS
| Debian, men allt går.
|-
!align="right" | Hackar i
| Valet av pensel är oviktigt vid skapandet av tavlan.
|-
!align="right" | Kontaktinfo
| IRC: jiffe__ @ freenode
|-
!
| Mail: jiffe@lysator.liu.se
|-
|}

== [[User:tokkugawa|tokkugawa]] ==
{| style="border: 0px"
!align="right" | Namn
| Tony Magnusson
|-
!align="right" | Medlem sedan
| 2012
|-
!align="right" | Root sedan
| 2015
|-
!align="right" | Driftstatus
| I drift
|-
!align="right" | Jobb
| LiU-IT
|-
!align="right" | OS
| OSX, Debian, FreeBSD.
|-
!align="right" | Hackar i
| C++, Python, perl, Swift
|-
!align="right" | Kontaktinfo
| IRC: tokkugawa @ freenode
|-
!
| Mail: tokkugawa@lysator.liu.se
|-
|}

== [[User:miiza|miiza]] ==
{| style="border: 0px"
!align="right" | Namn
| Simon Keisala
|-
!align="right" | Medlem sedan
| 2014
|-
!align="right" | Root sedan
| 2015
|-
!align="right" | Jobb
| Student
|-
!align="right" | OS
| Diverse Debian derivat.
|-
!align="right" | Hackar i
| C-familjen, Python, Bash.
|-
!align="right" | Kontaktinfo
| Epost: <miiza@lysator.liu.se>
|-
!
| IRC: miiza @ freenode
|-
|}

Rootgruppen

2015-11-10T12:51:17Z

Net4all: /* net4all */

Rootgruppen är de som administrerar Lysators datorsystem. Här följer en kort presentation av dem, i den mån de vill avslöja sig själva.

Vill du kontakta rootgruppen kan du skicka ett inlägg till LysKOM-mötet <code>Root (@) Lysator</code> eller ett e-brev till <code>root (hos) lysator.liu.se</code>.

== [[User:pettson|pettson]] ==
{| style="border: 0px"
!align="right" | Namn
| Andreas Pettersson
|-
!align="right" | Medlem sedan
| 2005
|-
!align="right" | Root sedan
| 2007
|-
!align="right" | Foto
| | [[Bild:Pettson.jpg|none|thumb]]
|-
!align="right" | Driftstatus
| Ur drift
|-
!align="right" | Jobb
| Senior sysadmin på Klarna AB
|-
!align="right" | Övrigt
| Superroot 2008-2009
|-
!align="right" | OS
| Spelar {Net, Free, Open}BSD och Solaris
|-
!align="right" | Kontaktinfo
| IRC: pettson@{IRCNet, Freenode, EFNet, GIMPNet}
|-
!
| Jabber: pettson@lysator.liu.se 
|-
!
| LysLysKOM: Andreas Petersson, Lysator/Klarna 
|-
!
| Telefon: 070-565 93 86
|-
|}

== [[User:derfian|derfian]] ==
{| style="border: 0px"
!align="right" | Namn
| Karl Mikaelsson
|-
!align="right" | Medlem sedan
| 2004
|-
!align="right" | Root sedan
| 2007
|-
!align="right" | Foto
| | [[Bild:Derfian.jpg|none|thumb]]
|-
!align="right" | Driftstatus
| Ur drift.
|-
!align="right" | Jobb
| Utvecklare/tekniker, Cendio AB
|-
!align="right" | OS
| Använder Gentoo, Fedora och RHEL/CentOS. Linux, alltså.
|-
!align="right" | Hackar i
| Mycket, men föredrar Python.
|-
!align="right" | Kontaktinfo
| Epost: derfian@lysator.liu.se 
|-
!
| LysKOM: derfian (Karl Mikaelsson) 
|-
!
| Telefon: 070-320 84 44
|-
|}

== [[User:blambi|blambi]] ==
{| style="border: 0px"
!align="right" | Namn
| Patrik Lembke
|-
!align="right" | Medlem sedan
| 2007
|-
!align="right" | Root sedan
| 2007
|-
!align="right" | Driftstatus
| På drift i exil, eller något sådant
|-
!align="right" | Övrigt
|
|-
!align="right" | OS
| Allt som smakar GNU:ish och ibland annat som är fritt.
|-
!align="right" | Hackar i
| {e,c}Lisp, C (då helst C99 alt GNU99), Python, Ruby, Bash, GNU Emacs
|-
!align="right" | Kontaktinfo
| IRC: blambi@{Freenode, Mythos}
|-
!
| Jabber: blambi@lysator.liu.se 
|-
|}

== [[User:joakim_tosteberg|joakim_tosteberg]] ==
{| style="border: 0px"
!align="right" | Namn
| Joakim Tosteberg
|-
!align="right" | Medlem sedan
| 2007
|-
!align="right" | Root sedan
| 2008
|-
!align="right" | Foto
| | [[Bild:joakim.jpg|none|thumb]]
|-
!align="right" | Driftstatus
| I drift
|-
!align="right" | Övrigt
| Superroot 2009-2010
|-

!align="right" | Kontaktinfo
| IRC: joakim_tosteberg@Freenode
|-
!
| Jabber: joakim_tosteberg@lysator.liu.se 
|-
!
| LysLysKOM: Joakim Tosteberg 
|-
!
| Telefon: 0702 - 253 153
|-
|}

== [[User:busk|busk]] ==
{| style="border: 0px"
!align="right" | Namn
| Johan Busk Eriksson
|-
!align="right" | Medlem sedan
| 2003
|-
!align="right" | Root sedan
| 2009
|-
!align="right" | Driftstatus
| På drift
|-
!align="right" | Jobb
| Systemförvaltare, teknisk webmaster, Liu-IT
|-
!align="right" | Övrigt
|
|-
!align="right" | OS
| GNU/Linux, om katten själv får välja
|-
!align="right" | Hackar i
| Java, C#
|-
!align="right" | Kontaktinfo
| IRC: kodein@freenode (och EFNet)
|-
!
| Epost: <användarnamn> at lysator liu se
|-
!
| PGP/GPG-nyckel: 75079558 
|}

== [[User:tobbez|tobbez]] ==
{| style="border: 0px"
!align="right" | Namn
| Torbjörn Lönnemark
|-
!align="right" | Medlem sedan
| 2006
|-
!align="right" | Root sedan
| 2010
|-
!align="right" | Driftstatus
| I drift
|-
!align="right" | Kontaktinfo
| IRC: tobbez @ freenode
|-
!
| Mail: tobbez@lysator...
|-
|}

== [[User:zeising|zeising]] ==
{| style="border: 0px"
!align="right" | Namn
| Niclas Zeising
|-
!align="right" | Medlem sedan
| 2007
|-
!align="right" | Root sedan
| 2010
|-
!align="right" | Driftstatus
| I drift
|-
!align="right" | Övrigt
|
|-
!align="right" | OS
| Spelar helst {Free,Open}BSD men även Linux och Solaris kan gå.
|-
!align="right" | Kontakt
| IRC: Erandir @ EFnet, IRCnet samt Zeising @ freenode
|-
!
| LysLysKOM: zeising
|-
!
| Telefon: 070-532 10 11
|-
|}

== [[User:tias|tias]] ==
{| style="border: 0px"
!align="right" | Namn
| Mattias Dandanell
|-
!align="right" | Medlem sedan
| 2009
|-
!align="right" | Root sedan
| 2011
|-
!align="right" | Driftstatus
| I drift
|-
!align="right" | Kontaktinfo
| IRC: tias @ freenode
|-
!
| Mail: tias@lysator...
|-
|}

== [[User:sebth|sebth]] ==
{| style="border: 0px"
!align="right" | Namn
| Sebastian Thorarensen
|-
!align="right" | Medlem sedan
| 2009
|-
!align="right" | Root sedan
| 2012
|-
!align="right" | Driftstatus
| Driver på alla hjul
|-
!align="right" | Övrigt
| Superroot 2014-
|-
!align="right" | OS
| Har prövat på diverse GNU/Linux, FreeBSD, NetBSD och Solaris
|-
!align="right" | Hackar i
| C, Python, Java, Lisp och diverse skalverktyg, m.m
|-
!align="right" | Kontakt
| E-post: sebth@lysator.liu.se
|-
!
| LysLysKOM: Sebastian Thorarensen
|-
!
| IRC: Sebban @ Freenode
|-
!
| Telefon: 0733-56 78 50
|-
|}

== [[User:baafen|baafen]] ==
{| style="border: 0px"
!align="right" | Namn
| Joakim Braaf
|-
!align="right" | Medlem sedan
| 2011
|-
!align="right" | Root sedan
| 2012
|-
!align="right" | Driftstatus
| I drift
|-
!align="right" | Kontaktinfo
| IRC: baafen @ freenode
|-
!
| Mail: baafen@lysator...
|-
|}

== [[User:petterl|petterl]] ==
{| style="border: 0px"
!align="right" | Namn
| Petter Larsson
|-
!align="right" | Medlem sedan
| 2000
|-
!align="right" | Root sedan
| 2003
|-
!align="right" | Driftstatus
| I långsam drift
|-
!align="right" | Övrigt
|
|-
!align="right" | OS
| De flesta linuxsmaker.
|-
!align="right" | Hackar i
| Erlang, Pike, C, Lisp, Java, C++, Bash etc.
|-
!align="right" | Kontaktinfo
| LysLysKOM: Petter Larsson 
|-
!
| Epost: petterl@lysator.liu.se
|-
|}

== [[User:pen|pen]] ==

{| style="border: 0px"
!align="right"| Namn
| Peter Eriksson
|-

!align="right"| Medlem sedan
| 1989
|-
!align="right"| Root sedan
| 1990
|-
!align="right"| Foto
| [[Bild:Peter2003.jpg|none|thumb]]
|-
!align="right"| Jobb
| IT-chef, IFM.
|-
!align="right"| Rum
| Fysikhuset, rum F203
|-
!align="right"| Telefon
| 0705-182786
|-
|}

== [[User:bellman|bellman]] ==
{| style="border: 0px"
!align="right" | Namn
| Thomas Bellman
|-
!align="right" | Medlem sedan
| 1988
|-
!align="right" | Root sedan
| 1990
|-
!align="right" | Driftstatus
| Avdankad gammelroot; ägnar sig mest åt att klaga på ungrötterna.
|-
!align="right" | Jobb
| Låter handdockor blåsa rökringar i bunkern. Borde även valla LHC- och iskubsdata.
|-
!align="right" | OS
| Gentoo, CentOS
|-
!align="right" | Hackar i
| Python, C, Puppet, sh, GNU Emacs
|-
!align="right" | Kontaktinfo
| LysLysKOM: Bellman -- The Recursive Hacker
|-
|}

== [[User:poj|poj]] ==
{| style="border: 0px"
!align="right" | Namn
| Per Jonsson
|-
!align="right" | Medlem sedan
| 2003
|-
!align="right" | Root sedan
| 2006
|-
!align="right" | Foto
| | [[Bild:Poj_datorhandbok.jpg|none|thumb]]
|-
!align="right" | Driftstatus
| Sporadiskt.
|-
!align="right" | Jobb
| Ja
|-
!align="right" | OS
| Det mesta, men vissa saker bara när jag får betalt för det. Men gärna lite OpenBSD
|-
!align="right" | Hackar i
| Python om jag får välja, det mesta mot betalning
|-
!align="right" | Favoriteditor
| Emacs
|-
!align="right" | Kontaktinfo
| LysLysKOM: Per O Jonsson
|-
!
| Epost: inses lätt!
|-

|}

== [[User:zino|zino]] ==

{| style="border: 0px"
!align="right"| Namn
| Peter Bortas
|-

!align="right"| Medlem sedan
| 1994
|-
!align="right"| Root sedan
| 1995
|-
!align="right" | Driftstatus
| Selektiv
|-
!align="right"| Jobb
| Utvecklare, Opera.
|-
!align="right"| Rum
| Övre tornrummet
|-
|}

== [[User:grubba|grubba]] ==
{| style="border: 0px"
!align="right" | Namn
| Henrik Grubbström
|-
!align="right" | Medlem sedan
| 1991
|-
!align="right" | Root sedan
| 1993
|-
!align="right" | Driftstatus
| Selektiv, mestadels Xenofarm.
|-
!align="right" | Jobb
| Utvecklare, Roxen Internet Software.
|-
!align="right" | OS
| De flesta SVR4 och POSIX, ju obskyrare desto bättre. Undviker dock gärna OpenBSD.
|-
!align="right" | Hackar i
| Pike, C, sh, m4, assembler
|-
!align="right" | Kontaktinfo
| LysLysKOM: Henrik Grubbström
|-
!
| Epost: <grubba@grubba.org>
|-
|}

== [[User:hx|hx]] ==
{| style="border: 0px"
!align="right" | Namn
| Henrik Henriksson
|-
!align="right" | Medlem sedan
| 2013
|-
!align="right" | Root sedan
| 2014
|-
!align="right" | Driftstatus
| Ganska hög uptime.
|-
!align="right" | Jobb
| Student
|-
!align="right" | OS
| Manjaro
|-
!align="right" | Hackar i
| Haskell
|-
!align="right" | Kontaktinfo
| Epost: <hx@hx.ax>
|-
!
| Epost: <hx@lysator.liu.se>
|-
|}

== [[User:net4all|net4all]] ==
{| style="border: 0px"
!align="right" | Namn
| Jon Dybeck
|-
!align="right" | Medlem sedan
| 2012
|-
!align="right" | Root sedan
| 2014
|-
!align="right" | Driftstatus
| "Aktiv", besöker ~ och fixar med LDAP.
|-
!align="right" | Jobb
| Systemadministratör, Liu-IT / TUS.
|-
!align="right" | OS
| Mest Arch Linux och Debian (derivat).
|-
!align="right" | Hackar i
| C, Python, Scheme, Common Lisp, C++.
|-
!align="right" | Kontaktinfo
| Epost: <net4all@lysator.liu.se>
|-
!
| Epost: <jon.dybeck@liu.se>
|-
!
| Epost: <jon@dybeck.se>
|-
|}

== [[User:knase|knase]] ==
{| style="border: 0px"
!align="right" | Namn
| Rasmus Holm
|-
!align="right" | Medlem sedan
| 2014
|-
!align="right" | Root sedan
| 2015
|-
!align="right" | Jobb
| Student
|-
!align="right" | OS
| FreeBSD och diverse Debian derivat.
|-
!align="right" | Hackar i
| C, Python, C++, Bash.
|-
!align="right" | Kontaktinfo
| Epost: <knase@lysator.liu.se>
|-
!
| IRC: knase @ freenode
|-
|}

== [[User:dandan|dandan]] ==
{| style="border: 0px"
!align="right" | Namn
| Daniel Dandanell
|-
!align="right" | Medlem sedan
| 2009
|-
!align="right" | Root sedan
| 2015
|-
!align="right" | Driftstatus
| I drift
|-
!align="right" | Kontaktinfo
| IRC: dandan @ freenode
|-
!
| Mail: dandan@lysator...
|-
|}

== [[User:jiffe|jiffe]] ==
{| style="border: 0px"
!align="right" | Namn
| Johan Frisk
|-
!align="right" | Medlem sedan
| 2013
|-
!align="right" | Root sedan
| 2015
|-
!align="right" | Driftstatus
| I drift
|-
!align="right" | Jobb
| Student
|-
!align="right" | OS
| Debian, men allt går.
|-
!align="right" | Hackar i
| Valet av pensel är oviktigt vid skapandet av tavlan.
|-
!align="right" | Kontaktinfo
| IRC: jiffe__ @ freenode
|-
!
| Mail: jiffe@lysator.liu.se
|-
|}

== [[User:tokkugawa|tokkugawa]] ==
{| style="border: 0px"
!align="right" | Namn
| Tony Magnusson
|-
!align="right" | Medlem sedan
| 2012
|-
!align="right" | Root sedan
| 2015
|-
!align="right" | Driftstatus
| I drift
|-
!align="right" | Jobb
| LiU-IT
|-
!align="right" | OS
| OSX, Debian, FreeBSD.
|-
!align="right" | Hackar i
| C++, Python, perl, Swift
|-
!align="right" | Kontaktinfo
| IRC: tokkugawa @ freenode
|-
!
| Mail: tokkugawa@lysator.liu.se
|-
|}

== [[User:miiza|miiza]] ==
{| style="border: 0px"
!align="right" | Namn
| Simon Keisala
|-
!align="right" | Medlem sedan
| 2014
|-
!align="right" | Root sedan
| 2015
|-
!align="right" | Jobb
| Student
|-
!align="right" | OS
| Diverse Debian derivat.
|-
!align="right" | Hackar i
| C-familjen, Python, Bash.
|-
!align="right" | Kontaktinfo
| Epost: <miiza@lysator.liu.se>
|-
!
| IRC: miiza @ freenode
|-
|}

Sharelatex

2015-09-12T20:55:40Z

Net4all: Skapade sidan med '{| style="border: 0px" ! Funktion | Sharelatex-server | Sharelatex är en webbplatform för att redigera latex dokument. | Liknande Google docs. |- ! Operativsystem | [[:Kateg...'

{| style="border: 0px"
! Funktion
| Sharelatex-server
| Sharelatex är en webbplatform för att redigera latex dokument.
| Liknande Google docs.
|-
! Operativsystem
| [[:Kategori:Ubuntu 14.04| Ubuntu 14.04]]
|-
! Arkitektur
| Virtuell
|-
! CPU
| 2 cores
|-
! Minne
| 2048 - 4096 MB
|-
! Ip
| 130.236.254.52
|-
! SSH-fingeravtryck
| -
|-
! Ansvarig root
| Jon Dybeck (<tt>net4all</tt>)
|-
! Driftstatus
| I drift
|}

[[Kategori:Ubuntu]]
[[Kategori:Ubuntu 14.04]]
[[Kategori:Maskiner i drift]]

SOF fysisk

2015-04-01T07:14:32Z

Net4all:

Maskinen har lämnats över till Kårservice.

SOF agerade tidigare server åt studentorkesterfestivalen.

SOFs webb har flyttat till Sarin5. (Även nagios övervakningen av SOF.)

Kobra (Kårservice medlemsregister) körs fortfarande här.

Villervallas webb och mail körs inte längre här.

Både Kobra och Villervalla bör kunna flyttas till virtuella maskiner,
antingen hos Lysator eller LiTHeBlås.

Villervalla har flyttat ut från Lysator (molnlösning).

Kobra och den fysiska maskinen kommer lämnas ut till Kårservice.

(Kobra flyttas alltså ut ur Lysator.)

Maskinen bör pensioneras efter det.

Ansvarig root är inte [mailto:emil@lysator.liu.se Emil Styrke].

Foto: [[Bild:lisse,sof,nazgul.jpg|none|thumb]]

Nagiosövervakning: {{Nagios}}. {{Hosted}}.

Ansvarig kontaktperson på SOF-sidan var i alla fall 2014-04-22 avhandlad i inlägg 20782369

Absvarig kontaktperson hos sof 2015-02-11 är (Olle Vidner, oller120, 070-7306376, olle@vidner.se).

Kontaktperson för Villervalla saknas.

Kontaktperson för Kårservice 2015-03-26 är (Erik Eklöv, 073-3455902, it@karservice.se)

[[Kategori:Maskiner ur drift]]
[[Kategori:Inhysningar]]

SOF fysisk

2015-03-26T13:43:57Z

Net4all:

SOF agerade tidigare server åt studentorkesterfestivalen.

SOFs webb har flyttat till Sarin5.

Kobra (Kårservice medlemsregister) körs fortfarande här.

Villervallas webb och mail körs inte längre här.

Både Kobra och Villervalla bör kunna flyttas till virtuella maskiner,
antingen hos Lysator eller LiTHeBlås.

Villervalla har flyttat ut från Lysator (molnlösning).

Kobra och den fysiska maskinen kommer lämnas ut till Kårservice.

(Kobra flyttas alltså ut ur Lysator.)

Maskinen bör pensioneras efter det.

Ansvarig root är inte [mailto:emil@lysator.liu.se Emil Styrke].

Foto: [[Bild:lisse,sof,nazgul.jpg|none|thumb]]

Nagiosövervakning: {{Nagios}}. {{Hosted}}.

Ansvarig kontaktperson på SOF-sidan var i alla fall 2014-04-22 avhandlad i inlägg 20782369

Absvarig kontaktperson hos sof 2015-02-11 är (Olle Vidner, oller120, 070-7306376, olle@vidner.se).

Kontaktperson för Villervalla saknas.

Kontaktperson för Kårservice 2015-03-26 är (Erik Eklöv, 073-3455902, it@karservice.se)

[[Kategori:Rack B9]]
[[Kategori:Maskiner i drift]]
[[Kategori:Inhysningar]]

Sarin5

2015-02-14T12:37:27Z

Net4all:

Sarin5 är host för [[SOF]]s biljettsystem (kör proxmox).

{| style="border: 0px"
! Funktion
| Proxmox / Webb / Databas
|-
! Placering
| [[FOO-hallen]], [[:Kategori: Rack B3|rack B3]]
|-
! Driftstatus
| I drift
|-
! Nagios-status
| Ej i Nagios
|-
! LysINV
| {{Hosted}}
|-
! Ansvarig root
| -
|-
! Kontaktperson
| Olle Vidner, oller120, 070-7306376, olle@vidner.se (2015-02-11)
|-
|}

Ipv6: 2001:6b0:17:f0a0:1::5

[[Kategori:Rack B3]]
[[Kategori:Maskiner i drift]]
[[Kategori:Inhysningar]]

Sarin4

2015-02-14T12:37:08Z

Net4all:

Sarin4 är en av [[LiTHeBlås]] maskiner som kör proxmox men var tom vid skrivande stund.

{| style="border: 0px"
! Funktion
| Proxmox
|-
! Placering
| [[FOO-hallen]], [[:Kategori: Rack B3|rack B3]]
|-
! Driftstatus
| I drift
|-
! Nagios-status
| Ej i Nagios
|-
! LysINV
| {{Hosted}}
|-
! Ansvarig root
| -
|-
! Kontaktperson
| Olle Vidner, oller120, 070-7306376, olle@vidner.se (2015-02-11)
|-
|}

Ipv6: 2001:6b0:17:f0a0:1::4

[[Kategori:Rack B3]]
[[Kategori:Maskiner i drift]]
[[Kategori:Inhysningar]]