====== LDAP Study Group ======
This group meets on the first Tuesday and third Wednesday of each month. The location is difficult to find, so request a map from [[mailto:cfit@sluug.org|Carl Fitch]]. //Note: You must fix the included email address before actually sending it.//

The ultimate goal is to set up LDAP for use on our newer Unix-like boxes and have enough volunteers understand LDAP so that we can maintain what we build.

Original notes on learning and installing LDAP by Carl Fitch

====== Migration Tools ======

==== Obtain Tools ====
Migration tools were not installed by default on Debian:

apt-get install migrationtools

==== Edit ====
Make the following changes to migrate_common.ph:

cd /etc/migrationtools/
sudo vi /etc/migrationtools/migrate_common.ph

# Default DNS domain
#$DEFAULT_MAIL_DOMAIN = "padl.com";
$DEFAULT_MAIL_DOMAIN = "hickorydale.no-ip.com";

# Default base
#$DEFAULT_BASE = "dc=padl,dc=com";
$DEFAULT_BASE = "dc=hickorydale,dc=no-ip,dc=com";

# turn this on to support more general object classes
# such as person.
#$EXTENDED_SCHEMA = 0;
$EXTENDED_SCHEMA = 1;

# Uncomment these to exclude Debian-managed system users and groups
#$IGNORE_UID_BELOW = 1000;
#$IGNORE_GID_BELOW = 100;
$IGNORE_UID_BELOW = 1000;
$IGNORE_GID_BELOW = 100;

==== Perform Migration ====
cd /usr/share/migrationtools/
export ETC_SHADOW=/etc/shadow
./migrate_base.pl > /tmp/base.ldif
./migrate_group.pl /etc/group /tmp/group.ldif
./migrate_hosts.pl /etc/hosts /tmp/hosts.ldif
./migrate_passwd.pl /etc/passwd /tmp/passwd.ldif

Now we have the data in the format understood by the LDAP server. Open one of the files with a text editor to get used to the syntax. After that we can add the data from the ldifs.
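Because ETC_SHADOW was exported, the password hashes from /etc/shadow end up in passwd.ldif, and the server is later configured to allow anonymous bind, so it is worth checking the generated files before running ldapadd. The following Python is an added example, not part of these notes or of migrationtools: it parses LDIF (folded lines and base64 "::" values included) and flags entries whose userPassword is not a scheme-tagged hash, or whose uidNumber is below the $IGNORE_UID_BELOW = 1000 cutoff set above. The sample LDIF is constructed and contains no real accounts.

```python
import base64
import re

# Constructed sample in the shape migrate_passwd.pl emits (not real accounts).
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=hickorydale,dc=no-ip,dc=com
uid: alice
userPassword: {crypt}$6$constructedsalt$constructedhashvalue
uidNumber: 1001

dn: uid=bob,ou=People,dc=hickorydale,dc=no-ip,dc=com
uid: bob
userPassword:: cGxhaW50ZXh0
uidNumber: 1002

dn: uid=daemon,ou=People,dc=hickorydale,dc=no-ip,dc=com
uid: daemon
userPassword: {crypt}*
uidNumber: 1
"""

def parse_ldif(text):
    """Parse LDIF into [(dn, {attr: [values]})]; unfolds continuation lines, decodes '::' base64 values."""
    entries = []
    for block in re.sub(r"\n ", "", text).strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode()
            attrs.setdefault(name, []).append(value.strip())
        if "dn" in attrs:
            entries.append((attrs["dn"][0], attrs))
    return entries

# Accept only scheme-tagged hashes, as migrate_passwd.pl writes them from /etc/shadow.
HASHED = re.compile(r"^\{(crypt|ssha|sha|smd5|md5)\}", re.IGNORECASE)

def audit(entries, min_uid=1000):
    """Return {dn: reason} for entries that should not be imported as-is."""
    problems = {}
    for dn, attrs in entries:
        if any(not HASHED.match(pw) for pw in attrs.get("userPassword", [])):
            problems[dn] = "userPassword is not a scheme-tagged hash"
        elif "uidNumber" in attrs and int(attrs["uidNumber"][0]) < min_uid:
            problems[dn] = "system account below IGNORE_UID_BELOW"
    return problems
```

Run it against /tmp/passwd.ldif by reading the file into parse_ldif() and printing audit(); an empty result means every account carries a hashed password and no system account slipped past the cutoff.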
ldapadd -x -v -D "cn=admin,dc=hickorydale,dc=no-ip,dc=com" -W -f /tmp/base.ldif
ldapadd -x -v -D "cn=admin,dc=hickorydale,dc=no-ip,dc=com" -W -f /tmp/group.ldif
ldapadd -x -v -D "cn=admin,dc=hickorydale,dc=no-ip,dc=com" -W -f /tmp/passwd.ldif
ldapadd -x -v -D "cn=admin,dc=hickorydale,dc=no-ip,dc=com" -W -f /tmp/hosts.ldif

----

=== Command Lines ===
ldapsearch -x -b "dc=hickorydale,dc=no-ip,dc=com" "(objectclass=*)"

==== Base Name ====
- To find the base dn of your ldap database:

ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts

Results in:
dn:
namingContexts: dc=hickorydale,dc=no-ip,dc=com
==== Dump Directory ====
- To dump the entire directory:

nisMapName=auto_users

ldapsearch -x -b 'dc=aoc,dc=nrao,dc=edu' -z 0 '(objectclass=*)'

==== Lookup User ====
- To look up a specific user (use -C to chase referrals):

ldapsearch -x -b 'ou=People,dc=aoc,dc=nrao,dc=edu' -z 0 '(uid=krowe)'

==== Next Steps ====
Install LAM (LDAP Account Manager) [http://lam.sourceforge.net]. Possibly in a virtual machine?

====== Install LDAP ======

===== Applications =====
phpldapadmin at [[http://phpadmin.sourceforge.net]]

apt-get install phpldapadmin slapd

Use the SLUUG convention for the admin password, i.e. ldap"X".162

apt-get install slapd

libpam-ldap and libnss-ldap:

apt-get install libpam-ldap libnss-ldap

Answers to the configuration prompts:

For the URI: ldap:///localhost
Base: dc=sluug,dc=org
LDAP version: 3
LDAP account for root (nss requests): cn=manager,dc=sluug,dc=org
LDAP root account password: wouldn't you like to know! Same as root.
Example file for nsswitch.conf: /usr/share/doc/libnss-ldap/examples/nsswitch.ldap
Password utilities to use pam = yes
Does the LDAP database require login? = No  # allows anonymous bind
LDAP account for root: cn=manager,dc=sluug,dc=org

libpam-ldap:
LDAP root account password: same as the others

ldap-utils:

apt-get install ldap-utils

===== Test Installs =====
After install the services should be running. Test this with:

ps ax | grep slapd
netstat -an | grep 389

===== Configure =====
vi /etc/default/slapd

Find SLAPD_SERVICES, uncomment the line and remove ldapi:///. Force external users to come over a secure connection (ldaps).

===== Load Data =====
We have a custom SLUUG schema that needs to be copied over.

mv /home/jmuse/sluug.schema /etc/ldap/schema

Edit /etc/ldap/slapd.conf and add:
include        /etc/ldap/schema/sluug.schema


Test by running slaptest.

Restart LDAP:

/etc/init.d/slapd restart

===== Configure phpldapadmin =====
Create a symlink to phpldapadmin:

ln -s /usr/share/phpldapadmin /home/www/www.sluug.org/public/phpldapadmin

At this point you should be able to go to [[http://www.sluug.org/phpldapadmin]] and see the admin page.

Add to /etc/apache2/sites-available/000-www.sluug.org. The Order must be deny,allow: with Order allow,deny a client that matches both directives is denied, so 127.0.0.1 would be locked out as well.

Order deny,allow
Deny from all
Allow from 127.0.0.1

Test with apache2ctl configtest

if OK

apache2ctl restart

You should now not be able to access the site except through an ssh tunnel:

ssh -Nf -L8080:localhost:80 bud.sluug.org -l //username//


Now, to connect, browse to the phpldapadmin page:
http://127.0.0.1:8080/phpldapadmin/

====== Initial Server ======
Access the server at [[http://localhost:8080]]

Login with admin credentials from /etc/ldap/slapd.conf

At first the base entry does not exist. Create it by clicking **Create It** in left pane.


ldapadd -x -W -H ldap://127.0.0.1 -D "cn=admin,dc=sluug,dc=org" -f sluug.ldif


vi phpldapadmin.conf

$ldapservers->SetValue($i,'server','name','SLUUG LDAP Server');
$ldapservers->SetValue($i,'server','host','127.0.0.1');


====== xml file ======
Created an xml file that allows common and known data to be pre-filled. This fills in things such as home directory, uid, and virtual mail ids for postfix.

The sluugAccount.xml file is located in /etc/phpadmin/templates/

The file was created from an existing template.







====== Meeting Notes ======

===== Tuesday - 5 June 2007 =====


Rich, Lee, Jeff, Stan, Carl, Gary


object classes have to be at the end of the file.


How do you give users access permission to modify their own SpamAssassin attributes? Webmin?

PAM assumes certain attributes are there already.


Courier authdaemon will get very confused if it doesn't have an absolute path for the maildir.


strace in linux is truss in Solaris

Courier authentication lib against LDAP, MySQL, PostgreSQL, passwd & shadow files,
Berkeley DB hashes as well as mail

authdaemonrc file



phpLDAPadmin -- created an account for Carl.

Need trailing slash on SLUUGGmailDirectory so that it is created as a maildir


Why are we fooling with GID in the attribute for last name?


grep --color -rni xyz filename



By creating groups, this populated the picklists for groups.   
However, for shell choice it is probably easier for us to hardcode the choices.

We got a black screen when we tried a remote desktop connect to a vncserver that was NOT running.
Stan got infinite mirrors by connecting.


Following the Ubuntu website.


/etc/libnss-ldap.conf
/etc/libnss-ldap.secret

/etc/pam_ldap.conf

/etc/pam.d/common-account


389 is the LDAP port. TCP only, not UDP, to create a conversational handshake.



ssh -XY


Horn =~10A load

Long trip heats starters.

While beeping horn, turn the key. 
If the sound stays the same, you aren't getting power to the starter.
If sound goes weak then it is getting electric to the starter and it is a battery/connection problem.

===== Tuesday - 26 June 2007 =====



This session replaces the session canceled last Wed due to conflicts.

Stan, Brad Jones, Rich Seibel, Carl, Jeff, Gary

In GRUB, init=/bin/bash will put you into a shell before it gets to the
mounts in the boot process.

In Lilo, you could do similar but you'd have to create a stanza beforehand.
Hit tab & it will show you the different kernel images.
Type the name of the kernel image and add a -s, or you can add
the init=/bin/bash.




Add -logging as the last argument to a file system in fstab
in Solaris 7, 8, & 9 and it will use 64MB of a disk for logging (similar to
journaling). It is automatically turned on with Solaris 10.


Breaking into 


ldapsearch -H specifies a URI instead of a host name.

In /etc/ldap.conf on Debian (not ), setting the certificate check to allow
gets you around the testing for PKI; then go back to demand/hard.

TLS_CACERTDIR is where all your trusted certs go (e.g. from Verisign).
A certificate bundle file.

Fedora already had the files ready with a generic certificate.

Fedora 6 has a Makefile that does it for you so you don't have to do the OpenSSL flags. cd /tls/certs


openssl s_client -connect 10.0.0.25:636 | less

You can even interactively issue commands at the SSL protocol level.


Fedora specific - you specify the
see -h url  in man slapd

rpm -qif /usr/sbin/slaptest 

We actually fixed it by reading the man page and learning about the 3 slashes.

Startup script had too much in it to make it easier and caused conflicting lines in config.   ????


a "dn" is the collection of all the "dc"s and "cn".


The "ldap browser" aka 282, is a very useful/powerful tool.  It will allow you to remove the locks as an attribute on accounts.


Jeff says "Why the fsck doesn't this work?!?!?!"


----


====== Resources ======

===== Books =====
Most books on LDAP are seriously lacking. It is difficult to figure out what the most basic requirements are for LDAP, as none of them do a good introductory job of explaining what is needed first.



===== URLs =====

[http://www.howtoforge.com/linux_ldap_authentication LDAP Authentication In Linux]

[http://people.debian.org/~torsten/ldapnss.html Using LDAP for name resolution]

[http://www.openldap.org/doc/admin23/index.html OpenLDAP Software 2.3 Administrator's Guide]

[http://www.ldapman.org/ A collection of resources.]

[http://www.redbooks.ibm.com/abstracts/sg244986.html Understanding LDAP - Design and Implementation (IBM "RedBook" in HTML or .pdf)]

[http://docs.sun.com/source/816-6696-10/contents.html Sun ONE Directory Server 5.2 Getting Started Guide:  Contents]

[http://www.rfc-editor.org/rfc/rfc2849.txt The LDIF specification with examples]

[http://blogs.sun.com/directorymanager Overview of Sun Directory Services - MultiMaster capability is the most interesting]

[http://mleahu.web.cern.ch/mleahu/doc/unix/ldap/Using%20OpenLDAP.htm Lots of good information and examples here. A little out of date, but still useful]

[http://www.debuntu.org/ldap-server-and-linux-ldap-clients How-To set up a LDAP server and its clients | Debian/Ubuntu Tips & Tricks]

[http://ldots.org/ldap/ LDAP Authentication HOWTO]

[http://aplawrence.com/Basics/understandingpam.html Understanding PAM]

[http://www.openldap.org/lists/openldap-software/200302/msg00015.html Example of a working pam.d/login file with LDAP]

[http://www.islandlinux.org/HOWTO/openldap_ssl.html Installing Secure LDAP (OpenLDAP with SSL)on Ubuntu Using a Self-Signed Certificate)]

[http://prefetch.net/articles/monitoringldap.html Useful information on how to monitor OpenLDAP performance]

[http://www.tldp.org/HOWTO/User-Authentication-HOWTO/x115.html Basic PAM concepts]

====== NOTES ======


===== Remote Access =====
The LDAP server will be restricted to localhost access only. It can be accessed using an admin account and ssh:

ssh -Nf -L8080:127.0.0.1:80 sluug@10.0.0.25