

LDAP Study Group

This group meets on the first Tuesday and third Wednesday of each month. The location is difficult to find, so request a map from Carl Fitch. Note: You must fix the included email address before actually sending it.

The ultimate goal is to set up LDAP for use on our newer Unix-like boxes and have enough volunteers understand LDAP so that we can maintain what we build.

Original notes on learning and installing LDAP by Carl Fitch

Migration Tools

Obtain Tools

The migration tools were not installed by default on Debian:

apt-get install migrationtools

Edit

Make the following changes to migrate_common.ph:

<pre>
cd /etc/migrationtools/
sudo vi /etc/migrationtools/migrate_common.ph
</pre>

<pre>
# Default DNS domain
#$DEFAULT_MAIL_DOMAIN = "padl.com";
$DEFAULT_MAIL_DOMAIN = "hickorydale.no-ip.com";

# Default base
#$DEFAULT_BASE = "dc=padl,dc=com";
$DEFAULT_BASE = "dc=hickorydale,dc=no-ip,dc=com";

# turn this on to support more general object classes
# such as person.
#$EXTENDED_SCHEMA = 0;
$EXTENDED_SCHEMA = 1;

# Uncomment these to exclude Debian-managed system users and groups
#$IGNORE_UID_BELOW = 1000;
#$IGNORE_GID_BELOW = 100;
$IGNORE_UID_BELOW = 1000;
$IGNORE_GID_BELOW = 100;
</pre>

Perform Migration

<pre>
cd /usr/share/migrationtools/
export ETC_SHADOW=/etc/shadow
./migrate_base.pl > /tmp/base.ldif
./migrate_group.pl /etc/group /tmp/group.ldif
./migrate_hosts.pl /etc/hosts /tmp/hosts.ldif
./migrate_passwd.pl /etc/passwd /tmp/passwd.ldif
</pre>

The data is now in LDIF, the format the LDAP server understands. Open one of the files in a text editor to get used to the syntax. After that we can add the data from the ldifs:

<pre>
ldapadd -x -v -D "cn=admin,dc=hickorydale,dc=no-ip,dc=com" -W -f /tmp/base.ldif
ldapadd -x -v -D "cn=admin,dc=hickorydale,dc=no-ip,dc=com" -W -f /tmp/group.ldif
ldapadd -x -v -D "cn=admin,dc=hickorydale,dc=no-ip,dc=com" -W -f /tmp/passwd.ldif
ldapadd -x -v -D "cn=admin,dc=hickorydale,dc=no-ip,dc=com" -W -f /tmp/hosts.ldif
</pre>
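Because ETC_SHADOW was exported, the LDIF files written to /tmp carry the users' password hashes, and migrate_passwd.pl is trusted to honour IGNORE_UID_BELOW. The following added example (not from the migrationtools package or the study group) is a small LDIF reader that checks the output before it goes to ldapadd: it unfolds continuation lines, decodes base64 ("::") values, flags entries with no objectClass or a uidNumber under the threshold, and lists which entries contain a userPassword so those /tmp files are cleaned up afterwards. The sample LDIF, accounts and hash are constructed.

```python
import base64
# Constructed LDIF in the shape migrate_passwd.pl emits (fake accounts, fake hash).
SAMPLE_LDIF = """\
dn: uid=root,ou=People,dc=hickorydale,dc=no-ip,dc=com
objectClass: posixAccount
uidNumber: 0
userPassword: {crypt}x

dn: uid=carl,ou=People,dc=hickorydale,dc=no-ip,dc=com
objectClass: posixAccount
cn:: Q2FybCBGaXRjaA==
uidNumber: 1001
userPassword: {crypt}$1$CONSTRUCTED$notareal
 hash
"""

def parse_ldif(text):
    """Return [(dn, {attr_lower: [values]})]: unfolds lines, skips comments, decodes '::'."""
    lines = []
    for raw in (l for l in text.splitlines() if not l.startswith("#")):
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]                  # folded line continues the previous one
        else:
            lines.append(raw)
    entries, dn, attrs = [], None, {}
    for line in lines + [""]:                     # trailing "" flushes the last entry
        if not line:                              # blank line separates entries
            if dn:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        name, _, value = line.partition(":")
        value = base64.b64decode(value[1:].strip()).decode() if value.startswith(":") else value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name.lower(), []).append(value)
    return entries

def audit(entries, uid_below=1000):
    """Return (problems, dns_with_hashes) for the entries about to be fed to ldapadd."""
    problems, hashed = [], []
    for dn, a in entries:
        if "objectclass" not in a:
            problems.append(f"{dn}: missing objectClass")
        if int(a.get("uidnumber", [uid_below])[0]) < uid_below:
            problems.append(f"{dn}: uidNumber below IGNORE_UID_BELOW={uid_below}")
        if "userpassword" in a:                   # hash is now sitting in a /tmp file
            hashed.append(dn)
    return problems, hashed
```

Run `audit(parse_ldif(open("/tmp/passwd.ldif").read()))` against the real output; anything in the first list should not reach ldapadd, and the /tmp files should be removed once the second list has been loaded.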


Command Lines

ldapsearch -x -b "dc=hickorydale,dc=no-ip,dc=com" "(objectclass=*)"

Base Name

- To find the base dn of your ldap database:

<pre>
ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
</pre>

Results in:

<pre>
dn:
namingContexts: dc=hickorydale,dc=no-ip,dc=com
</pre>

Dump Directory

- To dump the entire directory (nisMapName=auto_users):

<pre>
ldapsearch -x -b 'dc=aoc,dc=nrao,dc=edu' -z 0 '(objectclass=*)'
</pre>

Lookup User

- To look up a specific user (use -C to chase referrals):

<pre>
ldapsearch -x -b 'ou=People,dc=aoc,dc=nrao,dc=edu' -z 0 '(uid=krowe)'
</pre>

Next Steps

Install LAM (LDAP Account Manager) [http://lam.sourceforge.net]. Possibly in a virtual machine?

Install LDAP

Applications

phpldapadmin at http://phpadmin.sourceforge.net

apt-get install phpldapadmin

slapd

apt-get install slapd

libpamldap and libnssldap

apt-get install libpamldap libnssldap

Meeting Notes

Tuesday - 5 June 2007

Rich, Lee, Jeff, Stan, Carl, Gary

object classes have to be at the end of the file.

How do you give users access permission to modify their own SpamAssassin attributes? Webmin?

PAM assumes certain attributes are there already.

The Courier auth daemon will get very confused if it doesn't have an absolute path for the maildir.

strace in linux is truss in Solaris

The Courier authentication lib works against LDAP, MySQL, PostgreSQL, passwd & shadow files, Berkeley DB hashes, as well as mail.

authdaemonrc file

phpLDAPadmin: created an account for Carl.

Need a trailing slash on SLUUGGmailDirectory so that it is created as a maildir.

Why are we fooling with GID in the attribute for last name?

grep --color -rni xyz filename

Creating groups populated the picklists for groups. However, for shell choice it is probably easier for us to hardcode the choices.

We got a black screen when we tried a remote desktop connect to a vncserver that was NOT running. Stan got infinite mirrors by connecting.

Following the Ubuntu website.

/etc/libnss-ldap.conf

/etc/libnss-ldap.secret

/etc/pam_ldap.conf

/etc/pam.d_common-account

389 is the LDAP port. TCP only, not UDP, to create a conversational handshake.

ssh -XY

Horn is roughly a 10A load.

Long trip heats starters.

While beeping the horn, turn the key. If the sound stays the same, you aren't getting power to the starter. If the sound goes weak then the starter is getting electricity and it is a battery/connection problem.

**Tues 26 June '07**

This session replaces the session canceled last Wed due to conflicts.

Stan, Brad Jones, Rich Seibel, Carl, Jeff, Gary

In GRUB, init=/bin/bash will put you into a shell before it gets to the mounts in the boot process.

In LILO, you could do something similar but you'd have to create a stanza beforehand. Hit tab and it will show you the different kernel images. Type the name of the kernel image and add -s, or you can add init=/bin/bash.

Add -logging as the last argument to a file system in fstab in Solaris versions 7, 8 and 9 and it will use 64MB of the disk for logging (similar to journaling). It is automatically turned on with Solaris 10.

Breaking into

ldapsearch -H specifies a URI instead of a host name.

In /etc/ldap.conf on Debian (not ), "certificates allow" gets you around the PKI checking while testing; then go back to demand/hard.

TLS_CACERTDIR is where all your trusted certs go (e.g. from Verisign), a certificate bundle file.

Fedora already had the files ready with a generic certificate.

Fedora 6 has a Makefile that does it for you so you don't have to supply the OpenSSL flags: cd /tls/certs

openssl s_client -connect 10.0.0.25:636 | less

You can even interactively issue commands at the SSL protocol level.

Fedora specific: see the -h url option in man slapd.

rpm -qif /usr/sbin/slaptest

We actually fixed it by reading the man page and learning about the 3 slashes.

The startup script had too much in it (meant to make things easier) and caused conflicting lines in the config. ????

a "dn" is the collection of all the "dc"s and "cn".

The "ldap browser" aka 282, is a very useful/powerful tool. It will allow you to remove the locks as an attribute on accounts.

Jeff says "Why the fsck doesn't this work?!?!?!"


Resources

Books

Most books on LDAP are seriously lacking. It is difficult to figure out what the most basic requirements are for LDAP, as none of them do a good introductory job of explaining what is needed first.

URLs

[http://www.howtoforge.com/linux_ldap_authentication LDAP Authentication In Linux]

[http://people.debian.org/~torsten/ldapnss.html Using LDAP for name resolution]

[http://www.openldap.org/doc/admin23/index.html OpenLDAP Software 2.3 Administrator's Guide]

[http://www.ldapman.org/ A collection of resources.]

[http://www.redbooks.ibm.com/abstracts/sg244986.html Understanding LDAP - Design and Implementation (IBM "RedBook" in HTML or .pdf)]

[http://docs.sun.com/source/816-6696-10/contents.html Sun ONE Directory Server 5.2 Getting Started Guide: Contents]

[http://www.rfc-editor.org/rfc/rfc2849.txt The LDIF specification with examples]

[http://blogs.sun.com/directorymanager Overview of Sun Directory Services - MultiMaster capability is the most interesting]

[http://mleahu.web.cern.ch/mleahu/doc/unix/ldap/Using%20OpenLDAP.htm Lots of good information and examples here. A little out of date, but still useful]

[http://www.debuntu.org/ldap-server-and-linux-ldap-clients How-To set up a LDAP server and its clients | Debian/Ubuntu Tips & Tricks]

[http://ldots.org/ldap/ LDAP Authentication HOWTO]

[http://aplawrence.com/Basics/understandingpam.html Understanding PAM]

[http://www.openldap.org/lists/openldap-software/200302/msg00015.html Example of a working pam.d/login file with LDAP]

[http://www.islandlinux.org/HOWTO/openldap_ssl.html Installing Secure LDAP (OpenLDAP with SSL) on Ubuntu Using a Self-Signed Certificate]

[http://prefetch.net/articles/monitoringldap.html Useful information on how to monitor OpenLDAP performance]

[http://www.tldp.org/HOWTO/User-Authentication-HOWTO/x115.html Basic PAM concepts]

NOTES

Remote Access

The LDAP server will be restricted to localhost access only. It can be accessed using an admin account and an ssh tunnel:

<pre>
ssh -Nf -L8080:127.0.0.1:80 sluug@10.0.0.25
</pre>

ldap_study_group.1194400024.txt.gz · Last modified: 2007/11/06 19:47 by 206.197.251.70