
LDAP Study Group

This group meets on the first Tuesday and third Wednesday of each month. The location is difficult to find, so request a map from Carl Fitch. Note: You must fix the included email address before actually sending it.

The ultimate goal is to set up LDAP for use on our newer Unix-like boxes and have enough volunteers understand LDAP so that we can maintain what we build.

Original notes on learning and installing LDAP by Carl Fitch

Migration Tools

Obtain Tools

The migration tools are not installed by default on Debian:

apt-get install migrationtools

Edit

Make the following changes to migrate_common.ph:

cd /etc/migrationtools/
sudo vi /etc/migrationtools/migrate_common.ph

# Default DNS domain
#$DEFAULT_MAIL_DOMAIN = "padl.com";
$DEFAULT_MAIL_DOMAIN = "hickorydale.no-ip.com";

# Default base
#$DEFAULT_BASE = "dc=padl,dc=com";
$DEFAULT_BASE = "dc=hickorydale,dc=no-ip,dc=com";

# turn this on to support more general object classes
# such as person.
#$EXTENDED_SCHEMA = 0;
$EXTENDED_SCHEMA = 1;

# Uncomment these to exclude Debian-managed system users and groups
#$IGNORE_UID_BELOW = 1000;
#$IGNORE_GID_BELOW = 100;
$IGNORE_UID_BELOW = 1000;
$IGNORE_GID_BELOW = 100;

Perform Migration

cd /usr/share/migrationtools/
export ETC_SHADOW=/etc/shadow
./migrate_base.pl > /tmp/base.ldif
./migrate_group.pl /etc/group /tmp/group.ldif
./migrate_hosts.pl /etc/hosts /tmp/hosts.ldif
./migrate_passwd.pl /etc/passwd /tmp/passwd.ldif

Now we have the data in the format understood by the LDAP server. Open one of the files in a text editor to get used to the syntax. After that we can add the data from the LDIF files.

ldapadd -x -v -D "cn=admin,dc=hickorydale,dc=no-ip,dc=com" -W -f /tmp/base.ldif
ldapadd -x -v -D "cn=admin,dc=hickorydale,dc=no-ip,dc=com" -W -f /tmp/group.ldif
ldapadd -x -v -D "cn=admin,dc=hickorydale,dc=no-ip,dc=com" -W -f /tmp/passwd.ldif
ldapadd -x -v -D "cn=admin,dc=hickorydale,dc=no-ip,dc=com" -W -f /tmp/hosts.ldif
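To get used to the LDIF syntax before loading the files, here is a small reader for the output of the migrate_*.pl scripts. This is an added example, not code from these notes or from migrationtools; SAMPLE_LDIF is a constructed stand-in for /tmp/passwd.ldif and its {crypt} hash is a placeholder. Besides parsing, review_accounts() reports which entries carry a userPassword hash (present whenever ETC_SHADOW was exported before running migrate_passwd.pl, so the /tmp files should be removed once they have been loaded) and which uids fall below the IGNORE_UID_BELOW cut-off set in migrate_common.ph. The split_dn() helper also illustrates the later meeting note that a dn is just the chain of dc and cn components.

```python
"""Reader for the LDIF files written by the migrationtools scripts.

Added example; not code from the SLUUG notes or from migrationtools.
It handles the RFC 2849 syntax the migrate_*.pl output uses: entries
separated by blank lines, "attr: value" lines, "attr:: base64" lines and
continuation lines starting with one space.  SAMPLE_LDIF is constructed.
"""
import base64

# Constructed sample in the shape migrate_passwd.pl emits when ETC_SHADOW
# is set: the first entry carries a userPassword hash, the second does not.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=hickorydale,dc=no-ip,dc=com
uid: alice
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword: {crypt}$1$PLACEHOLDERHASH
uidNumber: 1001
homeDirectory: /home/alice
gecos:: QWxpY2UgRXhhbXBsZSwgUm9vbSAx
 MDE=

dn: uid=bob,ou=People,dc=hickorydale,dc=no-ip,dc=com
uid: bob
objectClass: account
objectClass: posixAccount
uidNumber: 1002
homeDirectory: /home/bob
"""


def parse_ldif(text):
    """Return a list of (dn, attrs); attrs maps attribute name -> list of values."""
    unfolded = []                      # join continuation lines first
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, dn, attrs = [], None, {}
    for line in unfolded + [""]:       # trailing "" flushes the last entry
        if line == "":
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        if line.startswith("#"):       # LDIF comment line
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            raise ValueError("not an LDIF attribute line: %r" % line)
        if rest.startswith(":"):       # "attr:: <base64>" form
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return entries


def split_dn(dn):
    """Split a DN into (type, value) pairs, most specific RDN first.
    Backslash-escaped commas (RFC 4514) stay inside the value."""
    parts, buf, escaped = [], "", False
    for ch in dn:
        if escaped:
            buf += ch
            escaped = False
        elif ch == "\\":
            buf += ch
            escaped = True
        elif ch == ",":
            parts.append(buf)
            buf = ""
        else:
            buf += ch
    parts.append(buf)
    return [tuple(p.split("=", 1)) for p in parts]


def review_accounts(entries, min_uid=1000):
    """Summarise posixAccount entries before they are loaded with ldapadd:
    hash present or not, and uids below the IGNORE_UID_BELOW cut-off."""
    rows = []
    for dn, attrs in entries:
        if "posixAccount" not in attrs.get("objectClass", []):
            continue
        uid_number = int(attrs["uidNumber"][0])
        rows.append({
            "uid": attrs["uid"][0],
            "base": ",".join("%s=%s" % r for r in split_dn(dn) if r[0] == "dc"),
            "uidNumber": uid_number,
            "has_password_hash": "userPassword" in attrs,
            "below_cutoff": uid_number < min_uid,
        })
    return rows


if __name__ == "__main__":
    for row in review_accounts(parse_ldif(SAMPLE_LDIF)):
        print(row)
```

Run it against a real /tmp/passwd.ldif by passing the file contents to parse_ldif(); anything reported with below_cutoff set means the IGNORE_UID_BELOW edit did not take effect.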

Command Lines

ldapsearch -x -b "dc=hickorydale,dc=no-ip,dc=com" "(objectclass=*)"

Base Name

- To find the base DN of your LDAP database:

ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts

Results in:

dn:
namingContexts: dc=hickorydale,dc=no-ip,dc=com

Dump Directory

- To dump the entire directory (nisMapName=auto_users):

ldapsearch -x -b 'dc=aoc,dc=nrao,dc=edu' -z 0 '(objectclass=*)'

Lookup User

- To look up a specific user (use -C to chase referrals):

ldapsearch -x -b 'ou=People,dc=aoc,dc=nrao,dc=edu' -z 0 '(uid=krowe)'

Next Steps

Install LAM (LDAP Account Manager) [http://lam.sourceforge.net], possibly in a virtual machine?

Install LDAP

Applications

phpldapadmin at http://phpadmin.sourceforge.net

apt-get install phpldapadmin

slapd: use the SLUUG convention for the admin password, i.e. ldap"X".162

apt-get install slapd

libpam-ldap and libnss-ldap

apt-get install libpam-ldap libnss-ldap

For the URI: ldap://localhost/ (the host follows two slashes; written as ldap:///localhost the URI has an empty host and "localhost" is taken as the DN)

Base DN: dc=sluug,dc=org

Version

3

LDAP Account for Root nss requests

cn=manager,dc=sluug,dc=org

LDAP root account password

wouldn't you like to know! Same as root x lc

Example file for nsswitch.conf:

/usr/share/doc/libnss-ldap/examples/nsswitch.ldap

Password utilities to use pam = yes

Does the LDAP database require login? = No # Allows anonymous bind

LDAP account for root:

cn=manager,dc=sluug,dc=org

libpam-ldap LDAP root account password:

same as the others

ldap-utils

apt-get install ldap-utils

test installs

After the install the services should be running. Test this with:

ps ax | grep slapd
netstat -an | grep 389

configure

vi /etc/default/slapd
Find the SLAPD_SERVICES line, uncomment it and remove ldapi:/// from it.

Force external users to come in over a secure connection (ldaps).
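The "test installs" check above (netstat -an | grep 389) and the Remote Access note at the end of the page both come down to one question: is plain LDAP on 389 bound to loopback only, with ldaps on 636 as the only path for outside clients? The following added example (not from these notes) answers it by parsing netstat -an style output. The two NETSTAT_* samples are constructed, not captured from the SLUUG server; the 10.0.0.25 address is the one the notes use.

```python
"""Check slapd's listening addresses from `netstat -an` output.

Added example, not part of the SLUUG notes.  Policy checked: the plain
LDAP port must be bound only to loopback, and an ldaps listener must
exist for external clients.  Samples below are constructed.
"""
import re

# netstat -an LISTEN lines: proto, recv-q, send-q, local addr:port, foreign, state
LISTEN_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN\s*$")
LOOPBACK = {"127.0.0.1", "::1"}

# Constructed: the state the notes aim for.
NETSTAT_GOOD = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:389           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:636             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
"""

# Constructed: slapd still on all interfaces, no ldaps, one client connected.
NETSTAT_BAD = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.25:389           10.0.0.7:41022          ESTABLISHED
"""


def listening_sockets(netstat_output):
    """Return {port: set(local addresses)} for every LISTEN line."""
    sockets = {}
    for line in netstat_output.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            sockets.setdefault(int(m.group(2)), set()).add(m.group(1))
    return sockets


def check_ldap_exposure(netstat_output, ldap_port=389, ldaps_port=636):
    """Return a list of findings; an empty list means the policy holds."""
    sockets = listening_sockets(netstat_output)
    findings = []
    if ldap_port not in sockets:
        findings.append("nothing is listening on %d; is slapd running?" % ldap_port)
    else:
        # "0.0.0.0" and "::" (all interfaces) are not loopback and get flagged.
        exposed = sockets[ldap_port] - LOOPBACK
        if exposed:
            findings.append("plain LDAP on %d is bound to non-loopback address(es): %s"
                            % (ldap_port, ", ".join(sorted(exposed))))
    if ldaps_port not in sockets:
        findings.append("no ldaps listener on %d; external clients have no TLS path"
                        % ldaps_port)
    return findings


if __name__ == "__main__":
    import subprocess
    # On a live box feed it the real output of netstat -an (or ss -ltn output
    # reshaped to the same columns) instead of the constructed samples.
    output = subprocess.run(["netstat", "-an"], capture_output=True, text=True).stdout
    for finding in check_ldap_exposure(output) or ["ok: 389 loopback only, 636 present"]:
        print(finding)
```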

Load Data

We have a custom SLUUG schema that needs to be copied over.

mv /home/jmuse/sluug.schema /etc/ldap/schema

Edit /etc/ldap/slapd.conf and add:

include /etc/ldap/schema/sluug.schema

Test by running slaptest

restart ldap

/etc/init.d/slapd restart

Configure phpldapadmin

Put a link to phpldapadmin in the web root:

ln -s /usr/share/phpldapadmin /home/www/www.sluug.org/public/phpldapadmin

At this point you should be able to go to http://www.sluug.org/phpldapadmin and see the admin page.

Add to /etc/apache2/sites-available/000-www.sluug.org (switch the access control to):

Order allow,deny
Allow from 127.0.0.1
Deny from all

Test with apache2ctl configtest

if OK

apache2ctl restart

You should now be unable to access the site except through an ssh tunnel:

ssh -Nf -L8080:localhost:80 bud.sluug.org -l <username>

Now, to connect, surf to the phpldapadmin page:

http://127.0.0.1:8080/phpldapadmin/

Initial Server

Access server by http://localhost:8080

Login with admin credentials from /etc/ldap/slapd.conf

At first the base entry does not exist. Create it by clicking Create It in left pane.

ldapadd -x -W -H ldap://127.0.0.1 -D "cn=admin,dc=sluug,dc=org" -f sluug.ldif

vi phpldapadmin.conf

$ldapservers->SetValue($i,'server','name','SLUUG LDAP Server');
$ldapservers->SetValue($i,'server','host','127.0.0.1');

xml file

Created an XML file that allows common and known data to be pre-filled. This fills in things such as home directory, uid, and virtual mail ids for Postfix.

The sluugAccount.xml file is located in /etc/phpadmin/templates/

The file was created from an existing template.

Meeting Notes

Tuesday - 5 June 2007

Rich, Lee, Jeff, Stan, Carl, Gary

object classes have to be at the end of the file.

How do you give users access permission to modify their own spam assassin attributes? Webmin?

PAM assumes certain attributes are there already.

Courier auth daemon will get very confused if it doesn't have an absolute path for maildir.

strace in linux is truss in Solaris

Courier authentication lib against LDAP, MySQL, Postgres, passwd & shadow files, Berkeley DB hashes as well as mail.

authdaemonrc file

phpLDAPadmin: created an account for Carl.

Need trailing slash on SLUUGGmailDirectory so that it is created as a maildir

Why are we fooling with GID in the attribute for last name?

grep --color -rni xyz filename

By creating groups, this populated the picklists for groups. However, for shell choice it is probably easier for us to hardcode the choices.

We got a black screen when we tried a remote desktop connect to a vncserver that was NOT running. Stan got infinite mirrors by connecting.

Following the Ubuntu website.

/etc/libnss-ldap.conf /etc/libnss-ldap.secret

/etc/pam_ldap.conf

/etc/pam.d/common-account

389 is the LDAP port. TCP only, not UDP, to create a conversational handshake.

ssh -XY

Horn =~10A load

Long trip heats starters.

While beeping horn, turn the key. If sound stay the same, you aren't getting power to starter. If sound goes weak then it is getting electric to the starter and it is a battery/connection problem.

**Tues 26 June '07**

This session replaces the session canceled last Wed due to conflicts.

Stan, Brad Jones, Rich Seibel, Carl, Jeff, Gary

In GRUB, init=/bin/bash will put you into a shell before it gets to the mounts in the boot process.

In LILO you could do similar, but you'd have to create a stanza beforehand. Hit tab & it will show you the different kernel images. Type the name of the kernel image and add -s, or you can add init=/bin/bash.

Add -logging as the last argument to a file system in fstab in version 7, 8 & 9 and it will use 64MB of the disk for logging (similar to journaling). It is automatically turned on with Solaris 10.

Breaking into

ldapsearch -H specifies a URI instead of a host name.

In /etc/ldap.conf on Debian (not ), "certificates allow" gets you around the testing for PKI; then go back to demand/hard.

TLS_CACERTDIR is where all your trusted certs go (e.g. from Verisign), a certificate bundle file.

Fedora already had the files ready with a generic certificate.

Fedora 6 has a Makefile that does it for you so you don't have to do the OpenSSL flags. cd /tls/certs

openssl s_client -connect 10.0.0.25:636 | less

You can even interactively issue commands at the SSL protocol level.

Fedora specific: you specify the URL (see -h url in man slapd).

rpm -qif /usr/sbin/slaptest

We actually fixed it by reading the man page and learning about the 3 slashes.

Startup script had too much in it to make it easier and caused conflicting lines in config. ????

A "dn" is the collection of all the "dc"s and the "cn".

The "ldap browser" aka 282, is a very useful/powerful tool. It will allow you to remove the locks as an attribute on accounts.

Jeff says "Why the fsck doesn't this work?!?!?!"


Resources

Books

Most books on LDAP are seriously lacking. It is difficult to figure out what the most basic requirements are for LDAP, as none of them do a good introductory job of explaining what is needed first.

URLs

[http://www.howtoforge.com/linux_ldap_authentication LDAP Authentication In Linux]

[http://people.debian.org/~torsten/ldapnss.html Using LDAP for name resolution]

[http://www.openldap.org/doc/admin23/index.html OpenLDAP Software 2.3 Administrator's Guide]

[http://www.ldapman.org/ A collection of resources.]

[http://www.redbooks.ibm.com/abstracts/sg244986.html Understanding LDAP - Design and Implementation (IBM "RedBook" in HTML or .pdf)]

[http://docs.sun.com/source/816-6696-10/contents.html Sun ONE Directory Server 5.2 Getting Started Guide: Contents]

[http://www.rfc-editor.org/rfc/rfc2849.txt The LDIF specification with examples]

[http://blogs.sun.com/directorymanager Overview of Sun Directory Services - MultiMaster capability is the most interesting]

[http://mleahu.web.cern.ch/mleahu/doc/unix/ldap/Using%20OpenLDAP.htm Lots of good information and examples here. A little out of date, but still useful]

[http://www.debuntu.org/ldap-server-and-linux-ldap-clients How-To set up a LDAP server and its clients | Debian/Ubuntu Tips & Tricks]

[http://ldots.org/ldap/ LDAP Authentication HOWTO]

[http://aplawrence.com/Basics/understandingpam.html Understanding PAM]

[http://www.openldap.org/lists/openldap-software/200302/msg00015.html Example of a working pam.d/login file with LDAP]

[http://www.islandlinux.org/HOWTO/openldap_ssl.html Installing Secure LDAP (OpenLDAP with SSL) on Ubuntu Using a Self-Signed Certificate]

[http://prefetch.net/articles/monitoringldap.html Useful information on how to monitor OpenLDAP performance]

[http://www.tldp.org/HOWTO/User-Authentication-HOWTO/x115.html Basic PAM concepts]

NOTES

Remote Access

The LDAP server will be restricted to localhost access only. It can be accessed using an admin account and an ssh tunnel:

ssh -Nf -L8080:127.0.0.1:80 sluug@10.0.0.25