====== LDAP Migration ======

Let's start with installing the server and client utils:

  #> apt-get -t testing install slapd ldap-utils

Answer the debconf questions. This will create the root DN of the server and an administrator account.

I used ''my.home'' as domain name which creates ''dc=my, dc=home'' as root DN and thus the admin is ''cn=admin, dc=my, dc=home''.

For testing this get the LDAP Browser\Editor from http://www.mcs.anl.gov/~gawor/ldap/ (you need java for it).

  $> wget http://www.iit.edu/~gawojar/ldap/dwld/bin-dwld.cgi?fileid=282b2tar
  $> tar -xzvf Browser282b2.tar.gz
  $> cd ldapbrowser
  $> ./lbe.sh

You should be able to login into your new LDAP Server with the above mentioned admin account and the password you gave in the debconf process. If not start again ;-)

If you don't want to install java or if you prefer to use a free software alternative there is gq, a gtk2-based LDAP client:

  #> apt-get -t testing install gq
  $> gq

Next step is to migrate ''/etc/passwd'' and associated files to LDAP. We use some perlscripts for that

  #> apt-get install migrationtools

For using these scripts you need to edit ''/etc/migrationtools/migrate_common.ph'' I set the following values and left the rest of the script alone:

<file>
# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "my.home";

# Default base
$DEFAULT_BASE = "dc=my,dc=home";

# turn this on to support more general object clases
# such as person.
$EXTENDED_SCHEMA = 1;

# Uncomment these to avoid Debian managed system users and groups
$IGNORE_UID_BELOW = 1000;
$IGNORE_GID_BELOW = 1000;

# And here's the opposite for completeness
$IGNORE_UID_ABOVE = 9999;
$IGNORE_GID_ABOVE = 9999;

# Default Kerberos realm
#if ($EXTENDED_SCHEMA) {
# $DEFAULT_REALM = $DEFAULT_MAIL_DOMAIN;
# $DEFAULT_REALM =~ tr/a-z/A-Z/;
#}
</file>

As you can see I used the extended Schema option but commented out the Kerberos stuff.

Now we can create the appropriate LDIF files:

  #> cd /usr/share/migrationtools
  #> ./migrate_group.pl /etc/group /tmp/group.ldif
  #> ./migrate_passwd.pl /etc/passwd |grep -v 'objectClass: account' > /tmp/passwd.ldif

Before we can feed these LDIFs into the LDAP directory we need to create two branches to store the data using this LDIF file (change 'dc=my, dc=home' to your own root DN) - I called it /tmp/base.ldif:

<file>
dn: ou=People,dc=my,dc=home
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=my,dc=home
ou: Group
objectClass: top
objectClass: organizationalUnit
</file>

Okay now put it into the LDAP Server:

  #> ldapadd -D 'cn=admin, dc=my, dc=home' -c -x -W -f /tmp/base.ldif
  #> ldapadd -D 'cn=admin, dc=my, dc=home' -c -x -W -f /tmp/group.ldif
  #> ldapadd -D 'cn=admin, dc=my, dc=home' -c -x -W -f /tmp/passwd.ldif

These should run through without problems but if you get some errors try to fix the mentioned problems in the LDIF file and try again.

Check your Server with LDAP Browser/Editor again you should see the objects you just created. If everything is okay delete the LDIF files - they contain the (crypted) passwords and shouldn't get into wrong hands.

Now its time to let Linux use LDAP for authentication instead of the files.

  #> apt-get install libnss-ldap libpam-ldap

Answer the debconf questions and then have a look at ''/etc/libnss-ldap.conf'' and ''/etc/pam_ldap.conf''.

Now were everything is configured we change ''/etc/nsswitch.conf'' to use LDAP for passwords and groupnames by adding ''ldap'' to the authenticationmethods:

  passwd:         compat ldap
  group:          compat ldap
  shadow:         compat ldap

Do not change other entries than passwd, group and shadow. The order of methods is important. By adding ldap after the compat entry we make sure the local entries are always chekcked first making it possible for the local root user to login even if the LDAP is down. **Note:** You may need to restart services that may have cached this file eg. the SSH server.

The next thing to do is adding LDAP support to PAM by adding ''pam_ldap.so'' to the pam common files (these are included by the other files in pam.d on a Debian system.

''/etc/pam.d/common-auth'':
<file>
auth    sufficient      pam_ldap.so
auth    required        pam_unix.so nullok_secure try_first_pass
</file>

''/etc/pam.d/common-account'':
<file>
account sufficient      pam_ldap.so
account required        pam_unix.so
</file>

''/etc/pam.d/common-password'':
<file>
password   sufficient pam_ldap.so
password   required   pam_unix.so nullok obscure min=4 max=8 md5
</file>

Now remove a user you added to LDAP from ''/etc/passwd'' and see if you still can login as this user. Worked? Fine! Now remove all stuff you moved to LDAP from ''/etc/passwd'', ''/etc/shadow'' and ''/etc/group''.

If you want to add users or groups then use ldapscripts package - edit ''/etc/ldapscripts/ldapscripts.conf'' to suit your needs. You need to create file ''/etc/ldap.secret'' which should contain ldap admin passwd. Then you can use commans like ldapadduser, ldapaddgroup etc.

If you get errors like 'nss_ldap: failed to bind to LDAP server' at /var/log/auth.log something is wrong width pam_ldap.conf.
Solution: Copy libnss-ldap.conf to pam_ldap.conf

used Debian Packages:

  libldap2         2.1.23-1
  slapd            2.1.23-1
  ldap-utils       2.1.23-1
  libnss-ldap      211-4
  libpam-ldap      164-2
  libpam-runtime   0.76-19
  migrationtools   5-1