Rootmanual:ldap: Skillnad mellan sidversioner
Net4all (diskussion | bidrag) |
Net4all (diskussion | bidrag) |
||
Rad 170: | Rad 170: | ||
=== |
=== Check top tree nodes in ldap database === |
||
Before we import data into the database, |
Before we import data into the database, we should verify that some structures exist. |
||
Also, that admin can login. |
|||
Add the following: |
|||
ldapsearch -H ldapi:/// -b "dc=lysator,dc=liu,dc=se" -D "cn=admin,dc=lysator,dc=liu,dc=se" -W |
|||
objectClass: top |
|||
objectClass: dcObject |
|||
objectClass: organization |
|||
o: Lysator |
|||
dc: lysator |
|||
Use the password specified during the package configuration. |
|||
dn: cn=admin,dc=lysator,dc=liu,dc=se |
|||
objectClass: organizationalRole |
|||
objectClass: simpleSecurityObject |
|||
cn: admin |
|||
description: LDAP administrator |
|||
userPassword: {SHA}hash |
|||
=== Configure migrationtools === |
=== Configure migrationtools === |
Versionen från 5 februari 2016 kl. 18.19
Useful documentation
https://wiki.debian.org/LDAP/OpenLDAPSetup
http://www.openldap.org/doc/admin22/index.html
http://www.zytrax.com/books/ldap/ch6/slapd-config.html
https://wiki.debian.org/LDAP/MigrationTools
Bootstrap slapd
First install debian, configure the network and run puppet. Please see ldap-server in the lysator puppet git repo.
Now, slapd needs to be reconfigured (mainly to set ldap admin password). Run this:
dpkg-reconfigure -plow slapd
Example answers, note the password <ldap-admin>.
Omit OpenLDAP server configuration? no DNS nomain name: lysator.liu.se Organization name: lysator.liu.se Administrator password: <ldap-admin> Database backend to use: MDB Remove database when slapd is purged: no Move old database: yes Allow ldapv2 protocol: no
Last, make sure slapd is running:
service slapd start
You should see this in /var/log/syslog:
<date> ldap slapd[XXX]: slapd starting ldap slapd[XXX]: Starting OpenLDAP: slapd.
Purgin the database
To start from scratch:
service slapd stop rm -r /var/lib/ldap/* rm -r /etc/ldap/slapd.d/*
Configure slapd
The OpenLDAP server (slapd) is configured by making changes to a database call ed "cn=config".
We need to make a number of changes before we are ready to initialize the normal database with user data.
We make the changes by writing so called ldif files and applying them to the database with the ldapmodify tool.
ldapmodify -Y EXTERNAL -H ldapi:/// -f diff.ldif
For viewing changes we use the following:
ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config"
Configure more extensive indexing
Configure slapd to use more indexing to improve performance. Put this into indexing.ldif
dn: olcDatabase={1}mdb,cn=config changetype: modify add: olcDbIndex olcDbIndex: cn pres,sub,eq - add: olcDbIndex olcDbIndex: sn pres,sub,eq - add: olcDbIndex olcDbIndex: uid pres,sub,eq - add: olcDbIndex olcDbIndex: displayName pres,sub,eq - add: olcDbIndex olcDbIndex: default sub - add: olcDbIndex olcDbIndex: uidNumber eq - add: olcDbIndex olcDbIndex: gidNumber eq - add: olcDbIndex olcDbIndex: mail,givenName eq,subinitial - add: olcDbIndex olcDbIndex: dc eq
Run this:
ldapmodify -Y EXTERNAL -H ldapi:/// -f indexing.ldif
Configure SASL/SSL
First, generate official certificates. There should be three files, in our case:
/etc/ldap/cert/chain-lysator.liu.se.pem /etc/ldap/cert/ldap.lysator.liu.se.pem /etc/ldap/cert/ldap.lysator.liu.se.key
Make sure that the openldap user has the rights to read these files.
chown -R openldap:openldap /etc/ldap/cert/* chmod -R 0400 /etc/ldap/cert*
Put the following in ldif files and apply.
Only use tls.
dn: olcDatabase={1}mdb,cn=config changetype: modify replace: olcSecurity olcSecurity: tls=1
Check that it is in the config:
ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" | egrep
Specify certificate.
dn: cn=config changetype: modify add: olcTLSCACertificateFile olcTLSCACertificateFile: /etc/ldap/cert/chain-lysator.liu.se.pem - add: olcTLSCertificateFile olcTLSCertificateFile: /etc/ldap/cert/ldap.lysator.liu.se.pem - add: olcTLSCertificateKeyFile olcTLSCertificateKeyFile: /etc/ldap/cert/ldap.lysator.liu.se.key - add: olcTLSVerifyClient olcTLSVerifyClient: never
Import NIS User schema
Import nis schema
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif
Verify that you can find posixAccount
ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" | grep posixAccount
Import AUTOFS schema
Import autofs schema
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/autofs-ldap.ldif
Verify that you can find automount
ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" | grep automount
Allow chsh and chfn
Importing data from NIS
- Import from nis scripts.
- Autofs conversion.
- Character conversion.
Check top tree nodes in ldap database
Before we import data into the database, we should verify that some structures exist. Also, that admin can login.
ldapsearch -H ldapi:/// -b "dc=lysator,dc=liu,dc=se" -D "cn=admin,dc=lysator,dc=liu,dc=se" -W
Use the password specified during the package configuration.
Configure migrationtools
Run this:
apt-get install migrationtools
This installs a number of scripts and configuration tools for converting NIS to ldap.
Configuration files can be found here:
/usr/share/migrationtools
Cruically in :
/etc/migrationtools/migrate_common.ph
Change to the following:
$DEFAULT_MAIL_DOMAIN = "lysator.liu.se"; $DEFAULT_BASE = "dc=lysator,dc=liu,dc=se";
Errors & Hell
Implementation Specific Error (80)
This can be due to incorrect indentation or possibly that a path to a file specified in the ldif is incorrect. We got this error while trying to add the encryption keys. The path was correct but the files had not been moved there yet. Implementation Specific Error seems to be a catch all kind of error.