This group meets on the first Tuesday and third Wednesday of each month. The location is difficult to find, so request a map from Carl Fitch. Note: You must fix the included email address before actually sending it.
The ultimate goal is to set up LDAP for use on our newer Unix-like boxes and have enough volunteers understand LDAP so that we can maintain what we build.
Original notes on learning and installing LDAP by Carl Fitch
Migration tools were not installed by default on Debian:
<pre>
apt-get install migrationtools
</pre>
Make the following changes to migrate_common.ph:
<pre>
cd /etc/migrationtools/
sudo vi /etc/migrationtools/migrate_common.ph
</pre>
<pre>
# Default DNS domain
#$DEFAULT_MAIL_DOMAIN = "padl.com";
$DEFAULT_MAIL_DOMAIN = "hickorydale.no-ip.com";

# Default base
#$DEFAULT_BASE = "dc=padl,dc=com";
$DEFAULT_BASE = "dc=hickorydale,dc=no-ip,dc=com";

# turn this on to support more general object classes
# such as person.
#$EXTENDED_SCHEMA = 0;
$EXTENDED_SCHEMA = 1;

# Uncomment these to exclude Debian-managed system users and groups
#$IGNORE_UID_BELOW = 1000;
#$IGNORE_GID_BELOW = 100;
$IGNORE_UID_BELOW = 1000;
$IGNORE_GID_BELOW = 100;
</pre>
Generate the LDIF files. Note that with ETC_SHADOW set, migrate_passwd.pl copies the password hashes from /etc/shadow into /tmp/passwd.ldif, so protect (and later remove) that file:
<pre>
cd /usr/share/migrationtools/
export ETC_SHADOW=/etc/shadow
./migrate_base.pl > /tmp/base.ldif
./migrate_group.pl /etc/group /tmp/group.ldif
./migrate_hosts.pl /etc/hosts /tmp/hosts.ldif
./migrate_passwd.pl /etc/passwd /tmp/passwd.ldif
</pre>
The data is now in the LDIF format the LDAP server understands. Open one of the files in a text editor to get used to the syntax. After that, add the data from the LDIF files:
<pre>
ldapadd -x -v -D "cn=admin,dc=hickorydale,dc=no-ip,dc=com" -W -f /tmp/base.ldif
ldapadd -x -v -D "cn=admin,dc=hickorydale,dc=no-ip,dc=com" -W -f /tmp/group.ldif
ldapadd -x -v -D "cn=admin,dc=hickorydale,dc=no-ip,dc=com" -W -f /tmp/passwd.ldif
ldapadd -x -v -D "cn=admin,dc=hickorydale,dc=no-ip,dc=com" -W -f /tmp/hosts.ldif
</pre>
Check the result:
<pre>
ldapsearch -x -b "dc=hickorydale,dc=no-ip,dc=com" "(objectclass=*)"
</pre>
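As an added check that is not part of the original notes or of the migrationtools project: a small Python LDIF inspector for the /tmp/*.ldif files produced above. It confirms every posixAccount entry carries the attributes libnss-ldap/libpam-ldap expect (the "PAM assumes certain attributes are there already" problem noted further down) and counts the userPassword hashes that migrate_passwd.pl copied out of /etc/shadow, since those files sit in /tmp. The sample LDIF is constructed, not real account data.

```python
# Constructed sample in the shape migrate_passwd.pl emits (not real user data).
SAMPLE_LDIF = """\
dn: uid=carl,ou=People,dc=hickorydale,dc=no-ip,dc=com
uid: carl
objectClass: posixAccount
userPassword: {crypt}$1$constructed$notarealhashxxxxxxxxxxx
loginShell: /bin/bash
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/carl

dn: uid=nobody2,ou=People,dc=hickorydale,dc=no-ip,dc=com
uid: nobody2
objectClass: posixAccount
uidNumber: 65534
gidNumber: 65534
"""

# Attributes libnss-ldap/libpam-ldap expect on every posixAccount entry.
REQUIRED = ("uid", "uidNumber", "gidNumber", "homeDirectory", "loginShell")

def parse_ldif(text):
    """Return [(dn, {attr: [values]})]; folded attribute lines are joined."""
    entries, attrs, dn, last = [], {}, None, None
    for line in text.splitlines() + [""]:
        if not line.strip():                   # blank line closes an entry
            if dn is not None:
                entries.append((dn, attrs))
            attrs, dn, last = {}, None, None
        elif line.startswith(" ") and last:    # folded continuation line
            attrs[last][-1] += line[1:]
        else:
            key, _, val = line.partition(":")
            if key == "dn":
                dn = val.strip()
            else:
                attrs.setdefault(key, []).append(val.strip())
                last = key
    return entries

def check_entries(entries):
    """Flag posixAccount entries missing NSS/PAM attributes; count userPassword hashes."""
    problems, hashes = [], 0
    for dn, a in entries:
        if "posixAccount" in a.get("objectClass", []):
            missing = [r for r in REQUIRED if r not in a]
            if missing:
                problems.append((dn, missing))
        hashes += len(a.get("userPassword", []))
    return problems, hashes
```

Run it against /tmp/passwd.ldif before the ldapadd step; any entry it flags will import fine but will not log in through PAM.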
- To find the base DN of your LDAP database:
<pre>
ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
</pre>
Results in:
<pre>
dn:
namingContexts: dc=hickorydale,dc=no-ip,dc=com
</pre>
- To dump the entire directory (nisMapName=auto_users):
<pre>
ldapsearch -x -b 'dc=aoc,dc=nrao,dc=edu' -z 0 '(objectclass=*)'
</pre>
- To look up a specific user (use -C to chase referrals):
<pre>
ldapsearch -x -b 'ou=People,dc=aoc,dc=nrao,dc=edu' -z 0 '(uid=krowe)'
</pre>
Install LAM (LDAP Account Manager) [http://lam.sourceforge.net] Possibly in a virtual machine?
phpldapadmin at http://phpadmin.sourceforge.net
apt-get install phpldapadmin
slapd: use the SLUUG convention for the admin password, i.e. ldap"X".162
apt-get install slapd
libpam-ldap and libnss-ldap
apt-get install libpam-ldap libnss-ldap
For the URI ldap:///localhost
dc=sluug,dc=org
Version
3
LDAP Account for Root nss requests
cn=manager,dc=sluug,dc=org
LDAP root account password
wouldn't you like to know! Same as root x lc
Example file for nsswitch.conf:
/usr/share/doc/libnss-ldap/examples/nsswitch.ldap
Password utilities to use pam = yes
Does the LDAP database require login? = No # Allows anonymous bind
LDAP account for root:
cn=manager,dc=sluug,dc=org
libpam-ldap LDAP root account password:
same as the others
ldap-utils
apt-get install ldap-utils
After the install the services should be running. Test this with:
<pre>
ps ax | grep slapd
netstat -an | grep 389
</pre>
vi /etc/default/slapd: find SLAPD_SERVICES, uncomment the line and remove ldapi:///
Force external users to come over secure connection (ldaps)
We have a custom SLUUG schema that needs to be copied over.
<pre>
mv /home/jmuse/sluug.schema /etc/ldap/schema
</pre>
Edit /etc/ldap/slapd.conf and add:
<pre>
include /etc/ldap/schema/sluug.schema
</pre>
Test by running slaptest, then restart slapd:
<pre>
/etc/init.d/slapd restart
</pre>
Put a link to phpldapadmin:
<pre>
ln -s /usr/share/phpldapadmin /home/www/www.sluug.org/public/phpldapadmin
</pre>
At this point you should be able to go to http://www.sluug.org/phpldapadmin and see the admin page.
Add to /etc/apache2/sites-available/000-www.sluug.org, switching the access rules so that only localhost is allowed:
<pre>
# Order deny,allow: the Deny is evaluated first and the Allow for 127.0.0.1 overrides it.
# (With "Order allow,deny" a "Deny from all" wins and rejects localhost too.)
Order deny,allow
Deny from all
Allow from 127.0.0.1
</pre>
Test with apache2ctl configtest; if OK:
<pre>
apache2ctl restart
</pre>
You should now not be able to access the site except through an ssh tunnel:
<pre>
ssh -Nf -L8080:localhost:80 bud.sluug.org -l //username//
</pre>
Now, to connect, surf to the phpldapadmin page through the tunnel:
http://127.0.0.1:8080/phpldapadmin/
The server itself is reached at http://localhost:8080
Login with admin credentials from /etc/ldap/slapd.conf
At first the base entry does not exist. Create it by clicking Create It in the left pane, or from the command line (note the -D before the bind DN):
<pre>
ldapadd -x -W -H ldap://127.0.0.1 -D "cn=admin,dc=sluug,dc=org" -f sluug.ldif
</pre>
vi phpldapadmin.conf
<pre>
$ldapservers->SetValue($i,'server','name','SLUUG LDAP Server');
$ldapservers->SetValue($i,'server','host','127.0.0.1');
</pre>
Created an XML file that allows common and known data to be pre-filled. This fills in things such as the home directory, uid, and virtual mail ids for postfix.
The sluugAccount.xml file is located in /etc/phpadmin/templates/
The file was created from an existing template.
Rich, Lee, Jeff, Stan, Carl, Gary
object classes have to be at the end of the file.
How do you give users access permission to modify their own spam assassin attributes? Webmin?
PAM assumes certain attributes are there already.
Courier authdaemon will get very confused if it doesn't have an absolute path for the maildir.
strace in linux is truss in Solaris
Courier authentication lib against LDAP, MySQL, PostgreSQL, passwd & shadow files, Berkeley DB hashes, as well as mail
authdaemonrc file
phpLDAPadmin - created an account for Carl.
Need trailing slash on SLUUGGmailDirectory so that it is created as a maildir
Why are we fooling with GID in the attribute for last name?
<pre>
grep --color -rni xyz filename
</pre>
By creating groups, this populated the picklists for groups. However, for the shell choice it is probably easier for us to hardcode the choices.
We got a black screen when we tried a remote desktop connect to a vncserver that was NOT running. Stan got infinite mirrors by connecting.
Following the Ubuntu website.
/etc/libnss-ldap.conf
/etc/libnss-ldap.secret
/etc/pam_ldap.conf
/etc/pam.d/common-account
389 is the LDAP port. TCP only, not UDP, because it needs a connection-oriented handshake.
ssh -XY
Horn = ~10A load.
Long trips heat the starter.
While beeping the horn, turn the key. If the sound stays the same, you aren't getting power to the starter. If the sound goes weak, the starter is getting electricity and it is a battery/connection problem.
This session replaces the session canceled last Wed due to conflicts.
Stan, Brad Jones, Rich Seibel, Carl, Jeff, Gary
In GRUB, init=/bin/bash will put you into a shell before the boot process gets to the mounts.
In LILO you could do something similar, but you'd have to create a stanza beforehand. Hit tab and it will show you the different kernel images. Type the name of the kernel image and add -s, or add init=/bin/bash.
Add -logging as the last argument to a file system in fstab in Solaris versions 7, 8 and 9 and it will use 64MB of the disk for logging (similar to journaling). It is automatically turned on with Solaris 10.
Breaking into
ldapsearch -H specifies a URI instead of a host name.
In /etc/ldap.conf on Debian (not ), setting certificates to allow gets you around the PKI checking while testing; then go back to demand/hard.
TLS_CACERTDIR is where all your trusted certs go (e.g. from Verisign), or a certificate bundle file.
Fedora already had the files ready with a generic certificate.
Fedora 6 has a Makefile that does it for you so you don't have to work out the OpenSSL flags. cd /tls/certs
<pre>
openssl s_client -connect 10.0.0.25:636 | less
</pre>
You can even interactively issue commands at the SSL protocol level.
Fedora specific: you specify the URL; see -h in man slapd.
rpm -qif /usr/sbin/slaptest
We actually fixed it by reading the man page and learning about the 3 slashes.
The startup script had too much in it (meant to make things easier) and caused conflicting lines in the config. ????
a "dn" is the collection of all the "dc"s and "cn".
The "ldap browser" aka 282, is a very useful/powerful tool. It will allow you to remove the locks as an attribute on accounts.
Jeff says "Why the fsck doesn't this work?!?!?!"
Most books on LDAP are seriously lacking. It is difficult to figure out what the most basic requirements are for LDAP, as none of them do a good introductory job of explaining what is needed first.
[http://www.howtoforge.com/linux_ldap_authentication LDAP Authentication In Linux]
[http://people.debian.org/~torsten/ldapnss.html Using LDAP for name resolution]
[http://www.openldap.org/doc/admin23/index.html OpenLDAP Software 2.3 Administrator's Guide]
[http://www.ldapman.org/ A collection of resources.]
[http://www.redbooks.ibm.com/abstracts/sg244986.html Understanding LDAP - Design and Implementation (IBM "RedBook" in HTML or .pdf)]
[http://docs.sun.com/source/816-6696-10/contents.html Sun ONE Directory Server 5.2 Getting Started Guide: Contents]
[http://www.rfc-editor.org/rfc/rfc2849.txt The LDIF specification with examples]
[http://blogs.sun.com/directorymanager Overview of Sun Directory Services - MultiMaster capability is the most interesting]
[http://mleahu.web.cern.ch/mleahu/doc/unix/ldap/Using%20OpenLDAP.htm Lots of good information and examples here. A little out of date, but still useful]
[http://www.debuntu.org/ldap-server-and-linux-ldap-clients How-To set up a LDAP server and its clients | Debian/Ubuntu Tips & Tricks]
[http://ldots.org/ldap/ LDAP Authentication HOWTO]
[http://aplawrence.com/Basics/understandingpam.html Understanding PAM]
[http://www.openldap.org/lists/openldap-software/200302/msg00015.html Example of a working pam.d/login file with LDAP]
[http://www.islandlinux.org/HOWTO/openldap_ssl.html Installing Secure LDAP (OpenLDAP with SSL) on Ubuntu Using a Self-Signed Certificate]
[http://prefetch.net/articles/monitoringldap.html Useful information on how to monitor OpenLDAP performance]
[http://www.tldp.org/HOWTO/User-Authentication-HOWTO/x115.html Basic PAM concepts]
The LDAP server will be restricted to localhost access only. It can be accessed using an admin account and ssh:
<pre>
ssh -Nf -L8080:127.0.0.1:80 sluug@10.0.0.25
</pre>