Rootmanual:ldap

Från Lysators datorhandbok, den ultimata referensen.
Version från den 12 februari 2016 kl. 16.41 av Net4all (diskussion | bidrag)
Hoppa till navigering Hoppa till sök

Useful documentation

https://wiki.debian.org/LDAP/OpenLDAPSetup

http://www.openldap.org/doc/admin22/index.html

http://www.zytrax.com/books/ldap/ch6/slapd-config.html

https://wiki.debian.org/LDAP/MigrationTools

http://www.openldap.org/doc/admin24/sasl.html

Bootstrap slapd

First install debian, configure the network and run puppet. Please see ldap-server in the lysator puppet git repo.

Now, slapd needs to be reconfigured (mainly to set ldap admin password). Run this:

dpkg-reconfigure -plow slapd

Example answers, note the password <ldap-admin>.

Omit OpenLDAP server configuration? no
DNS nomain name: lysator.liu.se
Organization name: lysator.liu.se
Administrator password: <ldap-admin>
Database backend to use: MDB
Remove database when slapd is purged: no
Move old database: yes
Allow ldapv2 protocol: no

Last, make sure slapd is running:

service slapd start

You should see this in /var/log/syslog:

<date> ldap slapd[XXX]: slapd starting
 ldap slapd[XXX]: Starting OpenLDAP: slapd.

Purgin the database

To start from scratch:

service slapd stop
rm -r /var/lib/ldap/*
rm -r /etc/ldap/slapd.d/*

Configure slapd

The OpenLDAP server (slapd) is configured by making changes to a database call ed "cn=config".

We need to make a number of changes before we are ready to initialize the normal database with user data.

We make the changes by writing so called ldif files and applying them to the database with the ldapmodify tool.

ldapmodify -Y EXTERNAL -H ldapi:/// -f diff.ldif

For viewing changes we use the following:

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config"

Configure more extensive indexing

Configure slapd to use more indexing to improve performance. Put this into indexing.ldif

dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: cn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: sn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: uid pres,sub,eq
-
add: olcDbIndex
olcDbIndex: displayName pres,sub,eq
-
add: olcDbIndex
olcDbIndex: default sub
-
add: olcDbIndex
olcDbIndex: uidNumber eq
-
add: olcDbIndex
olcDbIndex: gidNumber eq
-
add: olcDbIndex
olcDbIndex: mail,givenName eq,subinitial
-
add: olcDbIndex
olcDbIndex: dc eq

Run this:

ldapmodify -Y EXTERNAL -H ldapi:/// -f indexing.ldif

Configure SASL/SSL

First, generate official certificates. There should be three files, in our case:

/etc/ldap/cert/chain-lysator.liu.se.pem
/etc/ldap/cert/ldap.lysator.liu.se.pem
/etc/ldap/cert/ldap.lysator.liu.se.key

Make sure that the openldap user has the rights to read these files.

chown -R openldap:openldap /etc/ldap/cert/*
chmod -R 0400 /etc/ldap/cert*

Put the following in ldif files and apply.

Only use tls.

dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcSecurity
olcSecurity: tls=1

Add it like so:

ldapadd -Y EXTERNAL -H ldapi:/// -f tls.ldif 

Should print:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}mdb,cn=config"

Check that it is in the config:

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcSecurity=*)" olcSecurity | grep olcSecurity

Should output:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
olcSecurity: tls=1

Specify certificate.

dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/cert/chain-lysator.liu.se.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/cert/ldap.lysator.liu.se.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/cert/ldap.lysator.liu.se.key
-
add: olcTLSVerifyClient
olcTLSVerifyClient: never

Add using:

ldapadd -Y EXTERNAL -H ldapi:/// -f certs.ldif

Should output:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"

Check it using:

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcTLSCACertificateFile=*)" olcTLSCACertificateFile olcTLSCertificateFile olcTLSCertificateKeyFile olcTLSVerifyClient

Should output:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config
olcTLSCACertificateFile: /etc/ldap/cert/chain-lysator.liu.se.pem
olcTLSCertificateFile: /etc/ldap/cert/ldap.lysator.liu.se.pem
olcTLSCertificateKeyFile: /etc/ldap/cert/ldap.lysator.liu.se.key
olcTLSVerifyClient: never

Check that admin can login using tls:

ldapsearch -LLL -ZZ -W -H ldap:/// -D "cn=admin,dc=lysator,dc=liu,dc=se" -b "dc=lysator,dc=liu,dc=se" "(cn=admin)" description

Should first query for password, like so:

Enter LDAP Password:

It is the password entered during package configuration.

Then it should print the following:

dn: cn=admin,dc=lysator,dc=liu,dc=se
description: LDAP administrator

Import NIS User schema

Import nis schema

 ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif

Verify that you can find posixAccount

 ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" | grep posixAccount

Import AUTOFS schema

Import autofs schema

 ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/autofs-ldap.ldif

Verify that you can find automount

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" | grep automount

Allow chsh and chfn

Importing data from NIS

  • Import from nis scripts.
  • Autofs conversion.

Character conversion

Check encoding from output when converting from nis to ldap

 file -bi <file>

Convert to utf-8

 iconv -f <current-encoding> -t utf-8  <file> > <file>-utf8.ldif

Check top tree nodes in ldap database

Before we import data into the database, we should verify that some structures exist. Also, that admin can login.

ldapsearch -Z -H ldapi:/// -b "dc=lysator,dc=liu,dc=se" -D "cn=admin,dc=lysator,dc=liu,dc=se" -W

Use the password specified during the package configuration.

Should display:

# admin, lysator.liu.se
dn: cn=admin,dc=lysator,dc=liu,dc=se
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: <password-hash>
# search result
search: 3
result: 0 Success
# numResponses: 3
# numEntries: 2

Configure migrationtools

Run this:

apt-get install migrationtools

This installs a number of scripts and configuration tools for converting NIS to ldap.

Configuration files can be found here:

/usr/share/migrationtools

Cruically in :

/etc/migrationtools/migrate_common.ph

Change to the following:

$DEFAULT_MAIL_DOMAIN = "lysator.liu.se";
$DEFAULT_BASE = "dc=lysator,dc=liu,dc=se";

Importing into ldap database

Remember to convert the output of the migration scripts. Then run this.

ldapadd -Z -H ldapi:/// -D "cn=admin,dc=lysator,dc=liu,dc=se" -W -f nis-utf8.ldif

It will display many lines similar to this:

adding new entry "uid=<user>,ou=<thing>,dc=lysator,dc=liu,dc=se"

And the command may take several seconds to complete (depending on the dataset size).

Errors & Hell

Implementation Specific Error (80)

This can be due to incorrect indentation or possibly that a path to a file specified in the ldif is incorrect. We got this error while trying to add the encryption keys. The path was correct but the files had not been moved there yet. Implementation Specific Error seems to be a catch all kind of error.