LDAP Migration
Let's start with installing the server and client utils:
#> apt-get -t testing install slapd ldap-utils
Answer the debconf questions. This will create the root DN of the server and an administrator account.
I used my.home as domain name which creates dc=my, dc=home as root DN and thus the admin is cn=admin, dc=my, dc=home.
For testing this, get the LDAP Browser/Editor from http://www.mcs.anl.gov/~gawor/ldap/ (you need Java for it).
$> wget -O Browser282b2.tar.gz 'http://www.iit.edu/~gawojar/ldap/dwld/bin-dwld.cgi?fileid=282b2tar'
$> tar -xzvf Browser282b2.tar.gz
$> cd ldapbrowser
$> ./lbe.sh
You should be able to log in to your new LDAP server with the above-mentioned admin account and the password you gave in the debconf process. If not, start again.
If you don't want to install Java, or if you prefer to use a free software alternative, there is gq, a gtk2-based LDAP client:
#> apt-get -t testing install gq
$> gq
The next step is to migrate /etc/passwd and associated files to LDAP. We use some Perl scripts for that:
#> apt-get install migrationtools
To use these scripts you need to edit /etc/migrationtools/migrate_common.ph. I set the following values and left the rest of the script alone:
# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "my.home";
# Default base
$DEFAULT_BASE = "dc=my,dc=home";
# turn this on to support more general object classes
# such as person.
$EXTENDED_SCHEMA = 1;
# Uncomment these to avoid Debian managed system users and groups
$IGNORE_UID_BELOW = 1000;
$IGNORE_GID_BELOW = 1000;
# And here's the opposite for completeness
$IGNORE_UID_ABOVE = 9999;
$IGNORE_GID_ABOVE = 9999;
# Default Kerberos realm
#if ($EXTENDED_SCHEMA) {
#	$DEFAULT_REALM = $DEFAULT_MAIL_DOMAIN;
#	$DEFAULT_REALM =~ tr/a-z/A-Z/;
#}
As you can see I used the extended Schema option but commented out the Kerberos stuff.
Now we can create the appropriate LDIF files:
#> cd /usr/share/migrationtools
#> ./migrate_group.pl /etc/group /tmp/group.ldif
#> ./migrate_passwd.pl /etc/passwd | grep -v 'objectClass: account' > /tmp/passwd.ldif
Before we can feed these LDIFs into the LDAP directory we need to create two branches to store the data using this LDIF file (change 'dc=my, dc=home' to your own root DN) - I called it /tmp/base.ldif:
dn: ou=People,dc=my,dc=home
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=my,dc=home
ou: Group
objectClass: top
objectClass: organizationalUnit
Okay now put it into the LDAP Server:
#> ldapadd -D 'cn=admin, dc=my, dc=home' -c -x -W -f /tmp/base.ldif
#> ldapadd -D 'cn=admin, dc=my, dc=home' -c -x -W -f /tmp/group.ldif
#> ldapadd -D 'cn=admin, dc=my, dc=home' -c -x -W -f /tmp/passwd.ldif
These should run through without problems, but if you get some errors, try to fix the mentioned problems in the LDIF file and try again.
Check your server with LDAP Browser/Editor again; you should see the objects you just created. If everything is okay, delete the LDIF files: they contain the (crypted) passwords and shouldn't get into the wrong hands.
Now it's time to let Linux use LDAP for authentication instead of the files.
#> apt-get install libnss-ldap libpam-ldap
Answer the debconf questions and then have a look at /etc/libnss-ldap.conf and /etc/pam_ldap.conf.
Now that everything is configured, we change /etc/nsswitch.conf to use LDAP for passwords and group names by adding ldap to the authentication methods:
passwd: compat ldap
group: compat ldap
shadow: compat ldap
Do not change entries other than passwd, group and shadow. The order of methods is important. By adding ldap after the compat entry we make sure the local entries are always checked first, making it possible for the local root user to log in even if the LDAP server is down. Note: You may need to restart services that may have cached this file, e.g. the SSH server.
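
One way to check the ordering rule above before restarting services, as an added example that is not part of the original page. The function name check_nss_order and the sample files are constructed for illustration; it accepts files as well as compat as the local source, which goes slightly beyond the page's own configuration.

```shell
# check_nss_order FILE
# Prints a verdict for passwd, group and shadow; returns 0 only if each one
# lists a local source (compat or files) before ldap.
check_nss_order() {
    awk '
        BEGIN { want["passwd"] = 1; want["group"] = 1; want["shadow"] = 1; bad = 0 }
        { sub(/#.*/, "") }                       # strip comments
        $1 ~ /:$/ {
            db = substr($1, 1, length($1) - 1)
            if (!(db in want)) next
            seen[db] = 1; loc = 0; ldap = 0
            for (i = 2; i <= NF; i++) {
                if (($i == "compat" || $i == "files") && !loc) loc = i
                if ($i == "ldap" && !ldap) ldap = i
            }
            if (!ldap)            { print db ": ldap not listed"; bad = 1 }
            else if (!loc)        { print db ": no local source before ldap"; bad = 1 }
            else if (ldap < loc)  { print db ": ldap is consulted before local files"; bad = 1 }
            else                  { print db ": ok" }
        }
        END {
            for (db in want) if (!(db in seen)) { print db ": entry missing"; bad = 1 }
            exit bad
        }
    ' "$1"
}

# Constructed samples: the ordering from this page, and the same file with
# ldap moved in front of compat for passwd.
demo_dir=$(mktemp -d)
printf 'passwd: compat ldap\ngroup: compat ldap\nshadow: compat ldap\n' > "$demo_dir/good"
printf 'passwd: ldap compat\ngroup: compat ldap\nshadow: compat ldap\n' > "$demo_dir/bad"
check_nss_order "$demo_dir/good" || echo "unexpected: good sample rejected"
check_nss_order "$demo_dir/bad"  || echo "bad sample rejected as expected"
```

On a real system, call it as check_nss_order /etc/nsswitch.conf.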
The next thing to do is adding LDAP support to PAM by adding pam_ldap.so to the PAM common files (these are included by the other files in pam.d on a Debian system).
/etc/pam.d/common-auth:
auth sufficient pam_ldap.so
auth required pam_unix.so nullok_secure try_first_pass
/etc/pam.d/common-account:
account sufficient pam_ldap.so
account required pam_unix.so
/etc/pam.d/common-password:
password sufficient pam_ldap.so
password required pam_unix.so nullok obscure min=4 max=8 md5
Now remove a user you added to LDAP from /etc/passwd and see if you can still log in as this user. Worked? Fine! Now remove all the entries you moved to LDAP from /etc/passwd, /etc/shadow and /etc/group.
If you want to add users or groups, use the ldapscripts package: edit /etc/ldapscripts/ldapscripts.conf to suit your needs. You need to create the file /etc/ldap.secret, which should contain the LDAP admin password. Then you can use commands like ldapadduser, ldapaddgroup etc.
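
Both the LDIF files written to /tmp earlier and /etc/ldap.secret hold password material, so their file modes matter. The following added example (not from the original page; audit_secret_files and the sample LDIF are constructed) reports any such file that group or others can access, and shows that writing the export under umask 077 avoids the exposure.

```shell
# audit_secret_files FILE...
# For each file, report how many userPassword values it holds and whether
# group or others have any permission on it. Returns 1 if any file is exposed.
audit_secret_files() {
    rc=0
    for f in "$@"; do
        [ -f "$f" ] || { echo "$f: missing"; continue; }
        # grep -c prints 0 and exits 1 when nothing matches, hence "|| true"
        hashes=$(grep -ci '^userPassword:' "$f" || true)
        # characters 5-10 of the ls mode string are the group and other bits
        perms=$(ls -ld "$f" | cut -c5-10)
        if [ "$perms" = "------" ]; then
            echo "$f: owner-only, $hashes userPassword value(s)"
        else
            echo "$f: EXPOSED (group/other bits $perms), $hashes userPassword value(s)"
            rc=1
        fi
    done
    return $rc
}

# Constructed demo: the same LDIF entry written under a typical default umask
# (022) and under umask 077, as you would set before running the migration.
demo=$(mktemp -d)
entry='dn: uid=alice,ou=People,dc=my,dc=home\nuserPassword: {crypt}x\n'
( umask 022; printf "$entry" > "$demo/open.ldif" )
( umask 077; printf "$entry" > "$demo/tight.ldif" )
audit_secret_files "$demo/open.ldif" "$demo/tight.ldif" \
    || echo "tighten exposed files with: chmod 600 FILE"
```

On the migrated host the call would be audit_secret_files /tmp/group.ldif /tmp/passwd.ldif /etc/ldap.secret, run as root.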
If you get errors like 'nss_ldap: failed to bind to LDAP server' in /var/log/auth.log, something is wrong with pam_ldap.conf. Solution: Copy libnss-ldap.conf to pam_ldap.conf.
Used Debian packages:
libldap2 2.1.23-1
slapd 2.1.23-1
ldap-utils 2.1.23-1
libnss-ldap 211-4
libpam-ldap 164-2
libpam-runtime 0.76-19
migrationtools 5-1