ldap
Revisions: ldap [2006/07/11 19:16] – old revision restored (andi) | ldap [2008/08/04 12:21] (current) – old revision restored - fixed link (andi)
====== LDAP Migration ======
Let's start with installing the server and client utils:

  #> apt-get -t testing install slapd ldap-utils

Answer the debconf questions. This will create the root DN of the server and an administrator account.

I used ''

For testing this, get the LDAP Browser/Editor from http://

  $> wget http://
  $> tar -xzvf Browser282b2.tar.gz
  $> cd ldapbrowser
  $> ./lbe.sh

You should be able to log in to your new LDAP server with the above-mentioned admin account and the password you gave in the debconf process. If not, start again ;-)

If you don't want to install Java, or if you prefer a free software alternative, there is gq, a GTK2-based LDAP client:

  #> apt-get -t testing install gq
  $> gq

The next step is to migrate ''/

  #> apt-get install migrationtools

To use these scripts you need to edit ''/

<code>
# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "

# Default base
$DEFAULT_BASE = "

# turn this on to support more general object classes
# such as person.
$EXTENDED_SCHEMA = 1;

# Uncomment these to avoid Debian managed system users and groups
$IGNORE_UID_BELOW = 1000;
$IGNORE_GID_BELOW = 1000;

# And here's the opposite for completeness
$IGNORE_UID_ABOVE = 9999;
$IGNORE_GID_ABOVE = 9999;

# Default Kerberos realm
#if ($EXTENDED_SCHEMA) {
#	$DEFAULT_REALM = $DEFAULT_MAIL_DOMAIN;
#	$DEFAULT_REALM =~ tr/
#}
</code>

As you can see, I used the extended schema option but commented out the Kerberos stuff.

Now we can create the appropriate LDIF files:

  #> cd /
  #> ./
  #> ./

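To make visible what the migration scripts do with the UID limits set above, here is an added example (not part of the original page and not migrationtools' own code) that turns constructed /etc/passwd and /etc/shadow lines into posixAccount LDIF under ou=People, skipping every UID outside 1000-9999. The base DN ''dc=example,dc=com'' and the sample users and hashes are placeholders, and the objectClass set is a plain approximation of the migrationtools output without the extended schema enabled on this page.

```python
DEFAULT_BASE = "dc=example,dc=com"  # placeholder; $DEFAULT_BASE is elided on the page
IGNORE_UID_BELOW = 1000             # values from the page's migrate_common.ph
IGNORE_UID_ABOVE = 9999

# Constructed sample input standing in for /etc/passwd and /etc/shadow (fake hashes).
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
alice:x:1000:1000:Alice Example,,,:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
"""
SHADOW_SAMPLE = """\
root:$6$saltsalt$FAKEROOTHASH:13000:0:99999:7:::
alice:$6$abcdefgh$FAKEHASHFORDEMOONLY:14000:0:99999:7:::
bob:!:14001:0:99999:7:::
"""

def parse_shadow(text):
    """Map each user name to the hash field of its shadow line."""
    return {l.split(":")[0]: l.split(":")[1] for l in text.splitlines() if l}

def passwd_to_ldif(passwd_text, shadow_text, base=DEFAULT_BASE):
    """Return LDIF with one entry per user inside the configured UID range.
    The output carries password hashes: create it with restrictive permissions
    and remove it after ldapadd, as you would with the migrationtools output."""
    shadow = parse_shadow(shadow_text)
    entries = []
    for line in passwd_text.splitlines():
        if not line:
            continue
        name, _, uid, gid, gecos, home, shell = line.split(":")
        uid = int(uid)
        if uid < IGNORE_UID_BELOW or uid > IGNORE_UID_ABOVE:
            continue  # system users (root, daemon) and nobody stay in /etc/passwd
        cn = gecos.split(",")[0] or name
        attrs = [
            f"dn: uid={name},ou=People,{base}",
            f"uid: {name}", f"cn: {cn}",
            "objectClass: account", "objectClass: posixAccount",
            "objectClass: top", "objectClass: shadowAccount",
            f"uidNumber: {uid}", f"gidNumber: {gid}",
            f"homeDirectory: {home}", f"loginShell: {shell}", f"gecos: {gecos}",
        ]
        pw_hash = shadow.get(name)
        # Locked ("!") or disabled ("*") hashes are not copied: the entry then has no
        # userPassword, so the account stays unusable for password logins via pam_ldap.
        if pw_hash and not pw_hash.startswith(("!", "*")):
            attrs.append(f"userPassword: {{crypt}}{pw_hash}")
        entries.append("\n".join(attrs))
    return "\n\n".join(entries) + "\n"
```
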
Before we can feed these LDIFs into the LDAP directory, we need to create two branches to store the data, using this LDIF file (change '

<code>
dn: ou=People,
ou: People
objectClass:
objectClass:

dn: ou=Group,
ou: Group
objectClass:
objectClass:
</code>

Okay, now put it into the LDAP server:

  #> ldapadd -D '
  #> ldapadd -D '
  #> ldapadd -D '

These should run through without problems, but if you get errors, fix the problems mentioned in the LDIF file and try again.

Check your server with LDAP Browser/

Now it's time to let Linux use LDAP for authentication instead of the files.

  #> apt-get install libnss-ldap libpam-ldap

Answer the debconf questions and then have a look at ''/

Now that everything is configured, we change ''/

  passwd:
  group:
  shadow:

Do not change entries other than passwd, group and shadow. The order of methods is important: by adding ldap after the compat entry we make sure the local entries are always checked first, which makes it possible for the local root user to log in even if the LDAP server is down. **Note:** You may need to restart services that may have cached this file, e.g. the SSH server.

The next thing to do is adding LDAP support to PAM by adding ''

''/
<code>
auth sufficient
auth required
</code>

''/
<code>
account sufficient
account required
</code>

''/
<code>
password
password
</code>

Now remove a user you added to LDAP from ''/

If you want to add users or groups, use the ldapscripts package - edit ''/

If you get errors like '
Solution: Copy libnss-ldap.conf to pam_ldap.conf

Used Debian packages:

  libldap2
  slapd 2.1.23-1
  ldap-utils
  libnss-ldap
  libpam-ldap
  libpam-runtime
  migrationtools