Rootmanual:ldap: Skillnad mellan sidversioner
Baafen (diskussion | bidrag) |
Net4all (diskussion | bidrag) |
||
(22 mellanliggande sidversioner av 2 användare visas inte) | |||
Rad 18: | Rad 18: | ||
https://www.digitalocean.com/community/tutorials/how-to-encrypt-openldap-connections-using-starttls |
https://www.digitalocean.com/community/tutorials/how-to-encrypt-openldap-connections-using-starttls |
||
= Before you start = |
|||
Make sure puppet is updated and ran. Our puppet configuration will install some needed schemas and software needed to follow this installation process. |
|||
= Create certs and keytabs = |
|||
== Certficates == |
|||
First, generate official certificates. |
|||
There should be three files, in our case: |
|||
/etc/ldap/cert/chain-lysator.liu.se.pem |
|||
/etc/ldap/cert/ldap.lysator.liu.se.pem |
|||
/etc/ldap/cert/ldap.lysator.liu.se.key |
|||
Make sure that the openldap user has the rights to read these files. |
|||
chown -R openldap:openldap /etc/ldap/cert |
|||
chmod 0500 /etc/ldap/cert |
|||
chmod -R 0400 /etc/ldap/cert/* |
|||
== Kerberos == |
|||
The ldap server needs two keytabs, one for the server itself and one specific to ldap. |
|||
The host principal should be located under /etc as with all other machines. |
|||
The ldap/ldap.lysator.liu.se principal should be located at /etc/ldap/ldap.keytab and have 440 openldap:openldap. |
|||
/etc/default/slapd should be updated with (should already have been configured by puppet) |
|||
export KRB5_KTNAME=/etc/ldap/ldap.keytab |
|||
= Bootstrap slapd = |
= Bootstrap slapd = |
||
Rad 97: | Rad 130: | ||
olcLogLevel: -1 |
olcLogLevel: -1 |
||
== Configure more extensive indexing == |
== Configure more extensive indexing (To be removed)== |
||
Configure slapd to use more indexing to improve performance. |
Configure slapd to use more indexing to improve performance. |
||
Rad 144: | Rad 177: | ||
ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" | grep posixAccount |
ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" | grep posixAccount |
||
Modify NIS schema, change |
Modify NIS schema, change NetgroupTriple SYNTAX to 1.3.6.1.4.1.1466.115.121.1.26 using ldapvi |
||
ldapvi -h ldapi:/// -D cn=config -Y EXTERNAL -b cn=config |
ldapvi -h ldapi:/// -D cn=config -Y EXTERNAL -b cn=config |
||
Rad 170: | Rad 203: | ||
Verify using |
Verify using |
||
ldapsearch -Y EXTERNAL -H ldapi:/// -b "dc=lysator,dc=liu,dc=se" "(objectClass= |
ldapsearch -Y EXTERNAL -H ldapi:/// -b "dc=lysator,dc=liu,dc=se" "(objectClass=organizationalUnit)" |
||
Following should be in the output |
Following should be in the output |
||
dn: ou=automount,dc=lysator,dc=liu,dc=se |
|||
ou: automount |
|||
ou: auto.master |
|||
objectClass: top |
objectClass: top |
||
objectClass: |
objectClass: organizationalUnit |
||
== Kerberos Auth == |
== Kerberos Auth == |
||
Rad 183: | Rad 215: | ||
Make ldap use kerberos for auth against ldap (e.g database access). This does not cover using kerberos for login. |
Make ldap use kerberos for auth against ldap (e.g database access). This does not cover using kerberos for login. |
||
'''NOTE''': Double check if schema uses ou People or users. If users is used then replace People with users bellow. |
|||
Add the following to sasl.ldif |
|||
Add the following to kerb.ldif |
|||
dn: cn=config |
dn: cn=config |
||
changetype: modify |
changetype: modify |
||
add: olcAuthzRegexp |
add: olcAuthzRegexp |
||
olcAuthzRegexp: uid=(.*),cn=lysator.liu.se,cn=gssapi,cn=auth uid=$1,ou= |
olcAuthzRegexp: uid=(.*),cn=lysator.liu.se,cn=gssapi,cn=auth uid=$1,ou=People,dc=lysator,dc=liu,dc=se |
||
dn: cn=config |
dn: cn=config |
||
Rad 201: | Rad 235: | ||
Run this: |
Run this: |
||
ldapmodify -Y EXTERNAL -H ldapi:/// -f |
ldapmodify -Y EXTERNAL -H ldapi:/// -f kerb.ldif |
||
Verify by running |
Verify by running |
||
Rad 212: | Rad 246: | ||
SASL SSF: 0 |
SASL SSF: 0 |
||
dn: cn=config |
dn: cn=config |
||
olcAuthzRegexp: {0}uid=(.*),cn=lysator.liu.se,cn=gssapi,cn=auth uid=$1,ou= |
olcAuthzRegexp: {0}uid=(.*),cn=lysator.liu.se,cn=gssapi,cn=auth uid=$1,ou=People,dc=lysator,dc=liu,dc=se |
||
ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcSaslHost=*)" olcSaslHost |
ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcSaslHost=*)" olcSaslHost |
||
Rad 238: | Rad 272: | ||
== Configure SASL/SSL == |
== Configure SASL/SSL == |
||
First, generate official certificates. |
|||
There should be three files, in our case: |
|||
/etc/ldap/cert/chain-lysator.liu.se.pem |
|||
/etc/ldap/cert/ldap.lysator.liu.se.pem |
|||
/etc/ldap/cert/ldap.lysator.liu.se.key |
|||
Make sure that the openldap user has the rights to read these files. |
|||
chown -R openldap:openldap /etc/ldap/cert/* |
|||
chmod -R 0400 /etc/ldap/cert* |
|||
Put the following in ldif files and apply. |
Put the following in ldif files and apply. |
||
Specify certificate and change verify client to allow (does the default (never) work? (note, dashes between lines should be included) |
|||
Only use tls. |
|||
dn: olcDatabase={1}mdb,cn=config |
|||
changetype: modify |
|||
replace: olcSecurity |
|||
olcSecurity: tls=1 |
|||
Add it like so: |
|||
ldapadd -Y EXTERNAL -H ldapi:/// -f tls.ldif |
|||
Should print: |
|||
SASL/EXTERNAL authentication started |
|||
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth |
|||
SASL SSF: 0 |
|||
modifying entry "olcDatabase={1}mdb,cn=config" |
|||
Check that it is in the config: |
|||
ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcSecurity=*)" olcSecurity | grep olcSecurity |
|||
Should output: |
|||
SASL/EXTERNAL authentication started |
|||
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth |
|||
SASL SSF: 0 |
|||
olcSecurity: tls=1 |
|||
Specify certificate. |
|||
dn: cn=config |
dn: cn=config |
||
Rad 297: | Rad 290: | ||
add: olcTLSVerifyClient |
add: olcTLSVerifyClient |
||
olcTLSVerifyClient: allow |
olcTLSVerifyClient: allow |
||
Add using: |
Add using: |
||
Rad 339: | Rad 331: | ||
description: LDAP administrator |
description: LDAP administrator |
||
Only allow encrypted connections when accessing the database |
|||
== Configure SASL/SSL v2 == |
|||
First, generate official certificates. |
|||
There should be three files, in our case: |
|||
/etc/ldap/cert/chain-lysator.liu.se.pem |
|||
/etc/ldap/cert/ldap.lysator.liu.se.pem |
|||
/etc/ldap/cert/ldap.lysator.liu.se.key |
|||
Make sure that the openldap user has the rights to read these files. |
|||
chown -R openldap:openldap /etc/ldap/cert/* |
|||
chmod -R 0400 /etc/ldap/cert* |
|||
Put the following in ldif files and apply. |
|||
Only use tls. |
|||
dn: olcDatabase={1}mdb,cn=config |
dn: olcDatabase={1}mdb,cn=config |
||
Rad 384: | Rad 360: | ||
olcSecurity: tls=1 |
olcSecurity: tls=1 |
||
Specify certificate. |
|||
== Allow chsh, chfn and root to modify anything == |
|||
dn: cn=config |
|||
In order to allow users to change their shell, an acl rule is required. |
|||
Place the following text in shell.ldif: |
|||
dn: olcDatabase={1}mdb,cn=config |
|||
changetype: modify |
changetype: modify |
||
replace: olcAccess |
|||
add: olcTLSCACertificateFile |
|||
olcAccess: {0}to attrs=loginShell |
|||
olcTLSCACertificateFile: /etc/ldap/cert/chain-lysator.liu.se.pem |
|||
by self write |
|||
- |
|||
by * read |
|||
add: olcTLSCertificateFile |
|||
olcAccess: {1}to * |
|||
olcTLSCertificateFile: /etc/ldap/cert/ldap.lysator.liu.se.pem |
|||
by set="[cn=root,ou=Group,dc=lysator,dc=liu,dc=se]/memberUid & user/uid" manage |
|||
- |
|||
by * read |
|||
add: olcTLSCertificateKeyFile |
|||
olcTLSCertificateKeyFile: /etc/ldap/cert/ldap.lysator.liu.se.key |
|||
- |
|||
add: olcTLSVerifyClient |
|||
olcTLSVerifyClient: allow |
|||
Then run the following: |
|||
Add using: |
|||
ldapmodify -Y EXTERNAL -H ldapi:/// -f shell_access.ldif |
|||
Should output: |
|||
It should print: |
|||
SASL/EXTERNAL authentication started |
|||
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth |
|||
SASL SSF: 0 |
|||
modifying entry "cn=config" |
|||
SASL/EXTERNAL authentication started |
|||
Check it using: |
|||
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth |
|||
SASL SSF: 0 |
|||
modifying entry "olcDatabase={1}mdb,cn=config" |
|||
Verify by running: |
|||
ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcTLSCACertificateFile=*)" olcTLSCACertificateFile olcTLSCertificateFile olcTLSCertificateKeyFile olcTLSVerifyClient |
|||
ldapsearch -Y EXTERNAL -H ldapi:/// -b olcDatabase={1}mdb,cn=config olcAccess |
|||
Should output: |
|||
It should print: |
|||
SASL/EXTERNAL authentication started |
|||
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth |
|||
SASL SSF: 0 |
|||
dn: cn=config |
|||
olcTLSCACertificateFile: /etc/ldap/cert/chain-lysator.liu.se.pem |
|||
olcTLSCertificateFile: /etc/ldap/cert/ldap.lysator.liu.se.pem |
|||
olcTLSCertificateKeyFile: /etc/ldap/cert/ldap.lysator.liu.se.key |
|||
olcTLSVerifyClient: allow |
|||
SASL/EXTERNAL authentication started |
|||
Check that admin can login using tls: |
|||
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth |
|||
SASL SSF: 0 |
|||
# extended LDIF |
|||
# |
|||
# LDAPv3 |
|||
# base <olcDatabase={1}mdb,cn=config> with scope subtree |
|||
# filter: (objectclass=*) |
|||
# requesting: olcAccess |
|||
# |
|||
# {1}mdb, config |
|||
dn: olcDatabase={1}mdb,cn=config |
|||
olcAccess: {0}to attrs=loginShell,gecos by self write by * read |
|||
olcAccess: {1}to * by set="[cn=root,ou=Group,dc=lysator,dc=liu,dc=se]/memberUi |
|||
d & user/uid" manage by * read |
|||
# search result |
|||
search: 2 |
|||
result: 0 Success |
|||
# numResponses: 2 |
|||
# numEntries: 1 |
|||
= Importing data from NIS = |
|||
ldapsearch -LLL -ZZ -W -H ldap:/// -D "cn=admin,dc=lysator,dc=liu,dc=se" -b "dc=lysator,dc=liu,dc=se" "(cn=admin)" description |
|||
* Import from nis scripts. |
|||
Should first query for password, like so: |
|||
* Autofs conversion. |
|||
== Add uid counter == |
|||
Enter LDAP Password: |
|||
Place the following in nextUid.ldif: |
|||
It is the password entered during package configuration. |
|||
dn: cn=nextUid,dc=lysator,dc=liu,dc=se |
|||
Then it should print the following: |
|||
changetype: add |
|||
objectClass: top |
|||
objectClass: organizationalRole |
|||
objectClass: uidObject |
|||
cn: nextUid |
|||
uid: 10000 |
|||
Run: |
|||
dn: cn=admin,dc=lysator,dc=liu,dc=se |
|||
description: LDAP administrator |
|||
ldapmodify -Y EXTERNAL -H ldapi:/// -f nextUid.ldif |
|||
== Allow chsh and chfn == |
|||
Should print: |
|||
= Importing data from NIS = |
|||
TODO |
|||
To verify run: |
|||
ldapsearch -ZZ -H ldap://ldap.lysator.liu.se -b "dc=lysator,dc=liu,dc=se" "(objectClass=uidObject)" |
|||
Should print: |
|||
SASL/GSSAPI authentication started |
|||
SASL username: net4all@LYSATOR.LIU.SE |
|||
SASL SSF: 56 |
|||
SASL data security layer installed. |
|||
# extended LDIF |
|||
# |
|||
# LDAPv3 |
|||
# base <dc=lysator,dc=liu,dc=se> with scope subtree |
|||
# filter: (objectClass=uidObject) |
|||
# requesting: ALL |
|||
# |
|||
# nextUid, lysator.liu.se |
|||
dn: cn=nextUid,dc=lysator,dc=liu,dc=se |
|||
objectClass: top |
|||
objectClass: organizationalRole |
|||
objectClass: uidObject |
|||
cn: nextUid |
|||
uid: 10000 |
|||
# search result |
|||
search: 5 |
|||
result: 0 Success |
|||
# numResponses: 2 |
|||
# numEntries: 1 |
|||
* Import from nis scripts. |
|||
* Autofs conversion. |
|||
== Character conversion == |
== Character conversion == |
||
Rad 562: | Rad 586: | ||
=== Implementation Specific Error (80) === |
=== Implementation Specific Error (80) === |
||
This can be due to incorrect indentation or possibly that a path to a file specified in the ldif is incorrect. We got this error while trying to add the encryption keys. The path was correct but the files had not been moved there yet. |
This can be due to incorrect indentation or possibly that a path to a file specified in the ldif is incorrect. We got this error while trying to add the encryption keys. The path was correct but the files had not been moved there yet. |
||
Implementation Specific Error seems to be a catch all kind of error. |
Implementation Specific Error seems to be a catch all kind of error.\ |
||
=== Database config change doesn't take effetct === |
|||
Try restarting slapd. Some changes doesn't take effect immediately. |
Nuvarande version från 9 mars 2017 kl. 19.22
Useful documentation
https://wiki.debian.org/LDAP/OpenLDAPSetup
http://www.openldap.org/doc/admin22/index.html
http://www.zytrax.com/books/ldap/ch6/slapd-config.html
https://wiki.debian.org/LDAP/MigrationTools
http://www.openldap.org/doc/admin24/sasl.html
http://techiezone.rottigni.net/2011/12/change-root-dn-password-on-openldap/
https://bobcares.com/blog/kerberos-and-ldap-so-strong-together/
http://www.lichteblau.com/ldapvi/manual/ <-- Super useful for editing
https://www.digitalocean.com/community/tutorials/how-to-encrypt-openldap-connections-using-starttls
Before you start
Make sure puppet is updated and ran. Our puppet configuration will install some needed schemas and software needed to follow this installation process.
Create certs and keytabs
Certficates
First, generate official certificates. There should be three files, in our case:
/etc/ldap/cert/chain-lysator.liu.se.pem /etc/ldap/cert/ldap.lysator.liu.se.pem /etc/ldap/cert/ldap.lysator.liu.se.key
Make sure that the openldap user has the rights to read these files.
chown -R openldap:openldap /etc/ldap/cert chmod 0500 /etc/ldap/cert chmod -R 0400 /etc/ldap/cert/*
Kerberos
The ldap server needs two keytabs, one for the server itself and one specific to ldap.
The host principal should be located under /etc as with all other machines.
The ldap/ldap.lysator.liu.se principal should be located at /etc/ldap/ldap.keytab and have 440 openldap:openldap.
/etc/default/slapd should be updated with (should already have been configured by puppet)
export KRB5_KTNAME=/etc/ldap/ldap.keytab
Bootstrap slapd
First install debian, configure the network and run puppet. Please see ldap-server in the lysator puppet git repo.
Now, slapd needs to be reconfigured (mainly to set ldap admin password). Run this:
dpkg-reconfigure -plow slapd
Example answers, note the password <ldap-admin>.
Omit OpenLDAP server configuration? no DNS nomain name: lysator.liu.se Organization name: lysator.liu.se Administrator password: <ldap-admin> Database backend to use: MDB Remove database when slapd is purged: no Move old database: yes Allow ldapv2 protocol: no
Last, make sure slapd is running:
service slapd start
You should see this in /var/log/syslog:
<date> ldap slapd[XXX]: slapd starting ldap slapd[XXX]: Starting OpenLDAP: slapd.
Purgin the database
To start from scratch:
service slapd stop rm -r /var/lib/ldap/* rm -r /etc/ldap/slapd.d/*
Configure slapd
The OpenLDAP server (slapd) is configured by making changes to a database call ed "cn=config".
We need to make a number of changes before we are ready to initialize the normal database with user data.
We make the changes by writing so called ldif files and applying them to the database with the ldapmodify tool.
ldapmodify -Y EXTERNAL -H ldapi:/// -f diff.ldif
For viewing changes we use the following:
ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config"
Configure debug logging
Put this in debug.ldif
dn: cn=config changetype: modify replace: olcLogLevel olcLogLevel: -1
Run this to change log level.
ldapmodify -Y EXTERNAL -H ldapi:/// -f debug.ldif
Verify using this.
ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcLogLevel=*)" olcLogLevel
Borde skriva ut.
SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 dn: cn=config olcLogLevel: -1
Configure more extensive indexing (To be removed)
Configure slapd to use more indexing to improve performance. Put this into indexing.ldif
dn: olcDatabase={1}mdb,cn=config changetype: modify add: olcDbIndex olcDbIndex: cn pres,sub,eq - add: olcDbIndex olcDbIndex: sn pres,sub,eq - add: olcDbIndex olcDbIndex: uid pres,sub,eq - add: olcDbIndex olcDbIndex: displayName pres,sub,eq - add: olcDbIndex olcDbIndex: default sub - add: olcDbIndex olcDbIndex: uidNumber eq - add: olcDbIndex olcDbIndex: gidNumber eq - add: olcDbIndex olcDbIndex: mail,givenName eq,subinitial - add: olcDbIndex olcDbIndex: dc eq
Run this:
ldapmodify -Y EXTERNAL -H ldapi:/// -f indexing.ldif
Import NIS User schema
Import nis schema
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif
Verify that you can find posixAccount
ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" | grep posixAccount
Modify NIS schema, change NetgroupTriple SYNTAX to 1.3.6.1.4.1.1466.115.121.1.26 using ldapvi
ldapvi -h ldapi:/// -D cn=config -Y EXTERNAL -b cn=config
Import AUTOFS schema
Import autofs schema
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/autofs-ldap.ldif
Verify that you can find automount
ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" | grep automount
Add top ou for automount to automount.ldif
dn: ou=automount,dc=lysator,dc=liu,dc=se ou: automount objectClass: top objectClass: organizationalUnit
Import using
ldapadd -H ldapi:/// -D "cn=admin,dc=lysator,dc=liu,dc=se" -W -f automount.ldif
Verify using
ldapsearch -Y EXTERNAL -H ldapi:/// -b "dc=lysator,dc=liu,dc=se" "(objectClass=organizationalUnit)"
Following should be in the output
dn: ou=automount,dc=lysator,dc=liu,dc=se ou: automount objectClass: top objectClass: organizationalUnit
Kerberos Auth
Make ldap use kerberos for auth against ldap (e.g database access). This does not cover using kerberos for login.
NOTE: Double check if schema uses ou People or users. If users is used then replace People with users bellow.
Add the following to kerb.ldif
dn: cn=config changetype: modify add: olcAuthzRegexp olcAuthzRegexp: uid=(.*),cn=lysator.liu.se,cn=gssapi,cn=auth uid=$1,ou=People,dc=lysator,dc=liu,dc=se dn: cn=config changetype: modify add: olcSaslHost olcSaslHost: ldap.lysator.liu.se dn: cn=config changetype: modify add: olcSaslRealm olcSaslRealm: LYSATOR.LIU.SE
Run this:
ldapmodify -Y EXTERNAL -H ldapi:/// -f kerb.ldif
Verify by running
ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcAuthzRegexp=*)" olcAuthzRegexp
Should output
SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 dn: cn=config olcAuthzRegexp: {0}uid=(.*),cn=lysator.liu.se,cn=gssapi,cn=auth uid=$1,ou=People,dc=lysator,dc=liu,dc=se
ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcSaslHost=*)" olcSaslHost
Should output
SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 dn: cn=config olcSaslHost: ldap.lysator.liu.se
ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcSaslRealm=*)" olcSaslRealm
Should output
SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 dn: cn=config olcSaslRealm: LYSATOR.LIU.SE
Verify that the output matches the same as configured above
Next, add 'export KRB5_KTNAME=/etc/ldap/ldap.keytab' to /etc/default/slapd (there should be a similar entry where you can put this line)
Configure SASL/SSL
Put the following in ldif files and apply.
Specify certificate and change verify client to allow (does the default (never) work? (note, dashes between lines should be included)
dn: cn=config changetype: modify add: olcTLSCACertificateFile olcTLSCACertificateFile: /etc/ldap/cert/chain-lysator.liu.se.pem - add: olcTLSCertificateFile olcTLSCertificateFile: /etc/ldap/cert/ldap.lysator.liu.se.pem - add: olcTLSCertificateKeyFile olcTLSCertificateKeyFile: /etc/ldap/cert/ldap.lysator.liu.se.key - add: olcTLSVerifyClient olcTLSVerifyClient: allow
Add using:
ldapadd -Y EXTERNAL -H ldapi:/// -f certs.ldif
Should output:
SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 modifying entry "cn=config"
Check it using:
ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcTLSCACertificateFile=*)" olcTLSCACertificateFile olcTLSCertificateFile olcTLSCertificateKeyFile olcTLSVerifyClient
Should output:
SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 dn: cn=config olcTLSCACertificateFile: /etc/ldap/cert/chain-lysator.liu.se.pem olcTLSCertificateFile: /etc/ldap/cert/ldap.lysator.liu.se.pem olcTLSCertificateKeyFile: /etc/ldap/cert/ldap.lysator.liu.se.key olcTLSVerifyClient: allow
Check that admin can login using tls:
ldapsearch -LLL -ZZ -W -H ldap:/// -D "cn=admin,dc=lysator,dc=liu,dc=se" -b "dc=lysator,dc=liu,dc=se" "(cn=admin)" description
Should first query for password, like so:
Enter LDAP Password:
It is the password entered during package configuration.
Then it should print the following:
dn: cn=admin,dc=lysator,dc=liu,dc=se description: LDAP administrator
Only allow encrypted connections when accessing the database
dn: olcDatabase={1}mdb,cn=config changetype: modify replace: olcSecurity olcSecurity: tls=1
Add it like so:
ldapadd -Y EXTERNAL -H ldapi:/// -f tls.ldif
Should print:
SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 modifying entry "olcDatabase={1}mdb,cn=config"
Check that it is in the config:
ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcSecurity=*)" olcSecurity | grep olcSecurity
Should output:
SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 olcSecurity: tls=1
Allow chsh, chfn and root to modify anything
In order to allow users to change their shell, an acl rule is required.
Place the following text in shell.ldif:
dn: olcDatabase={1}mdb,cn=config changetype: modify replace: olcAccess olcAccess: {0}to attrs=loginShell by self write by * read olcAccess: {1}to * by set="[cn=root,ou=Group,dc=lysator,dc=liu,dc=se]/memberUid & user/uid" manage by * read
Then run the following:
ldapmodify -Y EXTERNAL -H ldapi:/// -f shell_access.ldif
It should print:
SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 modifying entry "olcDatabase={1}mdb,cn=config"
Verify by running:
ldapsearch -Y EXTERNAL -H ldapi:/// -b olcDatabase={1}mdb,cn=config olcAccess
It should print:
SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 # extended LDIF # # LDAPv3 # base <olcDatabase={1}mdb,cn=config> with scope subtree # filter: (objectclass=*) # requesting: olcAccess # # {1}mdb, config dn: olcDatabase={1}mdb,cn=config olcAccess: {0}to attrs=loginShell,gecos by self write by * read olcAccess: {1}to * by set="[cn=root,ou=Group,dc=lysator,dc=liu,dc=se]/memberUi d & user/uid" manage by * read # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1
Importing data from NIS
- Import from nis scripts.
- Autofs conversion.
Add uid counter
Place the following in nextUid.ldif:
dn: cn=nextUid,dc=lysator,dc=liu,dc=se changetype: add objectClass: top objectClass: organizationalRole objectClass: uidObject cn: nextUid uid: 10000
Run:
ldapmodify -Y EXTERNAL -H ldapi:/// -f nextUid.ldif
Should print:
TODO
To verify run:
ldapsearch -ZZ -H ldap://ldap.lysator.liu.se -b "dc=lysator,dc=liu,dc=se" "(objectClass=uidObject)"
Should print:
SASL/GSSAPI authentication started SASL username: net4all@LYSATOR.LIU.SE SASL SSF: 56 SASL data security layer installed. # extended LDIF # # LDAPv3 # base <dc=lysator,dc=liu,dc=se> with scope subtree # filter: (objectClass=uidObject) # requesting: ALL # # nextUid, lysator.liu.se dn: cn=nextUid,dc=lysator,dc=liu,dc=se objectClass: top objectClass: organizationalRole objectClass: uidObject cn: nextUid uid: 10000 # search result search: 5 result: 0 Success # numResponses: 2 # numEntries: 1
Character conversion
Check encoding from output when converting from nis to ldap
file -bi <file>
Convert to utf-8
iconv -f <current-encoding> -t utf-8 <file> > <file>-utf8.ldif
Check top tree nodes in ldap database
Before we import data into the database, we should verify that some structures exist. Also, that admin can login.
ldapsearch -Z -H ldapi:/// -b "dc=lysator,dc=liu,dc=se" -D "cn=admin,dc=lysator,dc=liu,dc=se" -W
Use the password specified during the package configuration.
Should display:
# admin, lysator.liu.se dn: cn=admin,dc=lysator,dc=liu,dc=se objectClass: simpleSecurityObject objectClass: organizationalRole cn: admin description: LDAP administrator userPassword:: <password-hash> # search result search: 3 result: 0 Success # numResponses: 3 # numEntries: 2
Configure migrationtools
Run this:
apt-get install migrationtools
This installs a number of scripts and configuration tools for converting NIS to ldap.
Configuration files can be found here:
/usr/share/migrationtools
Cruically in :
/etc/migrationtools/migrate_common.ph
Change to the following:
$DEFAULT_MAIL_DOMAIN = "lysator.liu.se"; $DEFAULT_BASE = "dc=lysator,dc=liu,dc=se";
Importing into ldap database
Remember to convert the output of the migration scripts. Then run this.
ldapadd -Z -H ldapi:/// -D "cn=admin,dc=lysator,dc=liu,dc=se" -W -f nis-utf8.ldif
It will display many lines similar to this:
adding new entry "uid=<user>,ou=<thing>,dc=lysator,dc=liu,dc=se"
And the command may take several seconds to complete (depending on the dataset size).
Migrating autofs
NOTE: Migration tools provides a tool to migrate from nis but ueses other objectClasses. Some manuall work is needed to match the schema we use.
NOTE: Data should be in utf-8 before importing. Don't forget to convert.
Following needs to be converted: auto.master auto.home auto.pkg auto.lysator
auto.master
Add
dn: ou=auto.master,ou=automount,dc=lysator,dc=liu,dc=se ou: auto.master objectClass: top objectClass: automountMap
Indirect mounts
Next is to add entries for /home, /mp and /pkg Template follows:
dn: cn=/<dir>,ou=auto.master,ou=automount,dc=lysator,dc=liu,dc=se objectClass: top objectClass: automount cn: /<dir> automountInformation: auto.<file> <mount info>
where dir is mount point e.g /home. File is home for auto.home
For each indirect mount you also have to add a "top" for that "file"
dn: ou=auto.<file>,ou=automount,dc=lysator,dc=liu,dc=se ou: auto.<file> objectClass: top objectClass: automountMap
Entry Template
dn: cn=<name>,ou=auto.<file>,ou=automount,dc=lysator,dc=liu,dc=se cn: <name> objectClass: automount objectClass: top automountInformation: -fstype=nfs,rw <additional mount options> <server>:<path>
Errors & Hell
Implementation Specific Error (80)
This can be due to incorrect indentation or possibly that a path to a file specified in the ldif is incorrect. We got this error while trying to add the encryption keys. The path was correct but the files had not been moved there yet. Implementation Specific Error seems to be a catch all kind of error.\
Database config change doesn't take effetct
Try restarting slapd. Some changes doesn't take effect immediately.