LDAP Migration

Let's start with installing the server and client utils:

#> apt-get -t testing install slapd ldap-utils

Answer the debconf questions. This will create the root DN of the server and an administrator account.

I used my.home as the domain name, which gives dc=my, dc=home as the root DN, so the admin account is cn=admin, dc=my, dc=home.

For testing this get the LDAP Browser/Editor from http://www.mcs.anl.gov/~gawor/ldap/ (you need Java for it).

$> wget http://www.iit.edu/~gawojar/ldap/dwld/bin-dwld.cgi?fileid=282b2tar
$> tar -xzvf Browser282b2.tar.gz
$> cd ldapbrowser
$> ./lbe.sh

You should be able to log in to your new LDAP server with the admin account mentioned above and the password you gave during the debconf process. If not, start again ;-)

If you don't want to install Java, or if you prefer a free software alternative, there is gq, a GTK2-based LDAP client:

#> apt-get -t testing install gq
$> gq

The next step is to migrate /etc/passwd and associated files to LDAP. We use some Perl scripts for that:

#> apt-get install migrationtools

To use these scripts you need to edit /etc/migrationtools/migrate_common.ph. I set the following values and left the rest of the script alone:

# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "my.home";

# Default base
$DEFAULT_BASE = "dc=my,dc=home";

# turn this on to support more general object classes
# such as person.
$EXTENDED_SCHEMA = 1;

# Uncomment these to avoid Debian managed system users and groups
$IGNORE_UID_BELOW = 1000;
$IGNORE_GID_BELOW = 1000;

# And here's the opposite for completeness
$IGNORE_UID_ABOVE = 9999;
$IGNORE_GID_ABOVE = 9999;

# Default Kerberos realm
#if ($EXTENDED_SCHEMA) {
# $DEFAULT_REALM = $DEFAULT_MAIL_DOMAIN;
# $DEFAULT_REALM =~ tr/a-z/A-Z/;
#}

As you can see I used the extended schema option but commented out the Kerberos stuff.

Now we can create the appropriate LDIF files:

#> cd /usr/share/migrationtools
#> ./migrate_group.pl /etc/group /tmp/group.ldif
#> ./migrate_passwd.pl /etc/passwd | grep -v 'objectClass: account' > /tmp/passwd.ldif

Before we can feed these LDIFs into the directory we need to create the two branches (ou=People and ou=Group) that will hold the data, using this LDIF file (change 'dc=my, dc=home' to your own root DN) - I called it /tmp/base.ldif:

dn: ou=People,dc=my,dc=home
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=my,dc=home
ou: Group
objectClass: top
objectClass: organizationalUnit

Okay now put it into the LDAP Server:

#> ldapadd -D 'cn=admin, dc=my, dc=home' -c -x -W -f /tmp/base.ldif
#> ldapadd -D 'cn=admin, dc=my, dc=home' -c -x -W -f /tmp/group.ldif
#> ldapadd -D 'cn=admin, dc=my, dc=home' -c -x -W -f /tmp/passwd.ldif

These should run through without problems, but if you get errors, fix the problems ldapadd reports in the LDIF file and try again.

Check your server with LDAP Browser/Editor again; you should see the objects you just created. If everything is okay, delete the LDIF files - they contain the (crypt-hashed) passwords and shouldn't get into the wrong hands.
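A pre-flight check for the generated LDIFs, added here as an example that is not part of this howto or of migrationtools: it parses passwd.ldif or group.ldif, checks every entry against the migrate_common.ph settings above (base DN and UID range) and flags what makes ldapadd fail or what you would not want in the file, namely the account/inetOrgPerson clash that the grep -v removes and userPassword values without a {scheme} prefix. The sample LDIF inside it is constructed; the hash is not real.

```python
import re
BASE = "dc=my,dc=home"           # $DEFAULT_BASE from migrate_common.ph above
UID_MIN, UID_MAX = 1000, 9999    # $IGNORE_UID_BELOW / $IGNORE_UID_ABOVE
MUST = ("uid", "uidnumber", "gidnumber", "homedirectory")  # posixAccount MUST attrs

def parse_ldif(text):
    """Parse LDIF text into a list of {attr: [values]} dicts (attr names lowercased)."""
    entries, cur = [], {}
    for line in re.sub(r"\n ", "", text).splitlines() + [""]:  # join folded lines
        m = re.match(r"([\w;.-]+)(::?) ?(.*)", line)   # no match for '#' comments
        if not line.strip():                           # blank line ends an entry
            if cur:
                entries.append(cur)
            cur = {}
        elif m:
            attr, _, value = m.groups()   # '::' (base64) values are kept undecoded
            cur.setdefault(attr.lower(), []).append(value.strip())
    return entries

def check_entry(e):
    """Return the problems found in one entry (empty list = looks OK)."""
    dn = e.get("dn", [""])[0]
    classes = {c.lower() for c in e.get("objectclass", [])}
    bad = []
    if not dn.lower().replace(" ", "").endswith(BASE):
        bad.append("dn not under " + BASE)
    if {"account", "inetorgperson"} <= classes:   # two unrelated structural classes
        bad.append("objectClass account with inetOrgPerson: slapd rejects it (hence grep -v)")
    if "posixaccount" in classes:
        bad += ["missing " + a for a in MUST if a not in e]
        uid = e.get("uidnumber", [""])[0]
        if not (uid.isdigit() and UID_MIN <= int(uid) <= UID_MAX):
            bad.append(f"uidNumber {uid!r} outside {UID_MIN}-{UID_MAX}")
    if any(not p.startswith("{") for p in e.get("userpassword", [])):
        bad.append("userPassword without {scheme} prefix, probably cleartext")
    return bad

def check_ldif(text):
    """Map every dn in the LDIF to its list of problems."""
    return {e.get("dn", ["<no dn>"])[0]: check_entry(e) for e in parse_ldif(text)}

SAMPLE = "\n".join([  # constructed input: one clean entry, one with every finding
    "dn: uid=alice,ou=People,dc=my,dc=home", "uid: alice", "cn: Alice",
    "objectClass: top", "objectClass: posixAccount", "uidNumber: 1001",
    "gidNumber: 1001", "homeDirectory: /home/alice",
    "userPassword: {crypt}$1$xx$notarealhash", "",
    "dn: uid=backup,ou=People,dc=my,dc=home", "uid: backup", "cn: backup",
    "objectClass: top", "objectClass: account", "objectClass: inetOrgPerson",
    "objectClass: posixAccount", "uidNumber: 34", "gidNumber: 34",
    "userPassword: hunter2"])
```

Run check_ldif() over the contents of /tmp/passwd.ldif before the ldapadd step; an empty list for every dn means the file is consistent with the settings above, and any other output names the entry to fix.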

Now it's time to let Linux use LDAP for authentication instead of the flat files.

#> apt-get install libnss-ldap libpam-ldap

Answer the debconf questions and then have a look at /etc/libnss-ldap.conf and /etc/pam_ldap.conf.

Now that everything is configured we change /etc/nsswitch.conf to use LDAP for passwords and group names by adding ldap to the lookup methods:

passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap

Do not change entries other than passwd, group and shadow. The order of methods is important: by adding ldap after the compat entry we make sure the local entries are always checked first, which makes it possible for the local root user to log in even if the LDAP server is down. Note: you may need to restart services that may have cached this file, e.g. the SSH server.

The next thing to do is add LDAP support to PAM by adding pam_ldap.so to the PAM common files (these are included by the other files in pam.d on a Debian system).

/etc/pam.d/common-auth:

auth    sufficient      pam_ldap.so
auth    required        pam_unix.so nullok_secure try_first_pass

/etc/pam.d/common-account:

account sufficient      pam_ldap.so
account required        pam_unix.so

/etc/pam.d/common-password:

password   sufficient pam_ldap.so
password   required   pam_unix.so nullok obscure min=4 max=8 md5

Now remove a user you added to LDAP from /etc/passwd and see if you can still log in as this user. Worked? Fine! Now remove everything you moved to LDAP from /etc/passwd, /etc/shadow and /etc/group.

If you want to add users or groups, use the ldapscripts package - edit /etc/ldapscripts/ldapscripts.conf to suit your needs. You need to create the file /etc/ldap.secret, which contains the LDAP admin password (so keep it readable by root only). Then you can use commands like ldapadduser, ldapaddgroup etc.

If you get errors like 'nss_ldap: failed to bind to LDAP server' in /var/log/auth.log, something is wrong with pam_ldap.conf. Solution: copy libnss-ldap.conf to pam_ldap.conf.

Debian packages used:

libldap2         2.1.23-1
slapd            2.1.23-1
ldap-utils       2.1.23-1
libnss-ldap      211-4
libpam-ldap      164-2
libpam-runtime   0.76-19
migrationtools   5-1