Title: LDAP setup notes Subject: Create your own LDAP server on Linux root /etc/openldap 525--> vi slapd.conf database ldbm suffix "dc=skyflow,dc=com" rootdn "cn=Manager,dc=skyflow,dc=com" rootpw secret # note: rootpw is kept here in clear text; use a hashed value generated with slappasswd instead, and keep slapd.conf unreadable to ordinary users directory /var/lib/ldap root /etc/openldap 526--> /etc/init.d/ldap restart Shutting down ldap-server: failed Starting ldap-server. done root /etc/openldap 528--> ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts version: 2 # # filter: (objectclass=*) # requesting: namingContexts # # dn: namingContexts: dc=skyflow,dc=com # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 # Add entries to LDAP in two steps (create an LDIF file, then run ldapadd). vi johns.ldif # Organization for Example Corporation dn: dc=skyflow,dc=com objectClass: dcObject objectClass: organization dc: skyflow o: Skyflow description: Skyflow - Integrated Voice and Data Solutions # Organizational Role for Directory Manager dn: cn=Manager,dc=skyflow,dc=com objectClass: organizationalRole cn: Manager description: Directory Manager # note: -w puts the bind password on the command line (shell history, ps output); -W prompts for it instead ldapadd -f johns.ldif -x -D "cn=Manager,dc=skyflow,dc=com" -w secret adding new entry "dc=skyflow,dc=com" ldap_add: Undefined attribute type additional info: dn: attribute type undefined ls -alF /var/lib/ldap/ -rw------- 1 root root 8192 Mar 12 15:15 dn2id.dbb # check to see that the entry is there: ldapsearch -x -b 'dc=skyflow,dc=com' '(objectclass=*)' version: 2 # # filter: (objectclass=*) # requesting: ALL # # search result search: 2 result: 32 No such object # numResponses: 1 # =============================================== tar -qzxvpf general-0.3.8.tar.gz /usr/local/httpd/htdocs/ mkdir /etc/general cp /usr/local/httpd/htdocs/general/config/realms.conf /etc/general/ cp /usr/local/httpd/htdocs/general/config/localhost/* /etc/general/ chmod 644 /etc/general/* #Modify /etc/general/support.conf "basedn" => "dc=skyflow,dc=com" #Modify /etc/general/user.conf # ===================================================== # Use openldap for user 
authentication # 1. select schema and # add include lines to /etc/openldap/slapd.conf include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/nis.schema # add index entries index cn,uid eq index uidNumber eq index gidNumber eq # enable logging loglevel 296 # 2. Convert user account data (see http://www.padl.org). # resulting in an ldif file include /etc/openldap/schema/core.schema include /etc/openldap/schema/misc.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema =========================================================== # Add users and groups (into ou People and Group) http://www.padl.com/OSS/MigrationTools.html tar -zxvpf MigrationTools.tgz cd MigrationTools-40 ./migrate_passwd.pl /etc/passwd /etc/openldap/tmp/entery5 # note: the generated LDIF may carry userPassword hashes taken from the local accounts; keep it root-only and delete it once it has been loaded ldapadd -x -D "cn=Manager,dc=test1,dc=com" -w secret -f /etc/openldap/tmp/entery5 ./migrate_group.pl /etc/group /etc/openldap/tmp/entery6 ldapadd -x -D "cn=Manager,dc=test1,dc=com" -w secret -f /etc/openldap/tmp/entery6 # add this to the top of /etc/openldap/tmp/entery6 (the entry will most likely also need objectclass: organizationalUnit and ou: Group to pass schema checking) dn: ou=Group,dc=test1,dc=com objectclass: top rpm -qa |grep ldap nss_ldap-150-31 pam_ldap-105-47 vi /etc/nsswitch.conf passwd: compat files ldap shadow: files ldap vi /etc/openldap/ldap.conf # # Allow users access to hosts if the user has the correct host attributes # pam_check_host_attr yes # OU location for passwd, shadow, and group in LDAP directory nss_base_passwd ou=People,dc=test1,dc=com nss_base_shadow ou=People,dc=test1,dc=com nss_base_group ou=Group,dc=test1,dc=com # Now test from the console window # You should see duplicate entries (one from /etc/passwd, one from LDAP) # Make a list of users in LDAP directory Users=`grep uid= /etc/openldap/tmp/entery5 |sed 's/.*uid=\(.*\)\,ou.*/\1/'` for User in $Users; do # getent - get entries from administrative database getent passwd |grep $User done # Make PAM use OpenLDAP # by inserting pam_ldap.so above pam_unix.so in the stack 
rpm -qa |grep pam_ldap pushd /etc/pam.d/ vi login auth required /lib/security/pam_ldap.so account required /lib/security/pam_ldap.so password required /lib/security/pam_ldap.so popd # note: with 'required' on pam_ldap.so every login must also pass LDAP, so local-only accounts (including root) are locked out whenever slapd is unreachable; the sample stacks below use 'sufficient' for pam_ldap.so for that reason # Allow non-root users to query the database: vi /etc/openldap/slapd.conf # access control: read-only except passwds access to dn=".*,dc=test1,dc=com" attr=userPassword by self write by dn=root,ou=People,dc=test1,dc=com write by * auth access to dn=".*,dc=test1,dc=com" by self write by * read # note: 'by self write' on the whole entry lets a user change their own uidNumber, gidNumber, homeDirectory and loginShell, which nss_ldap then trusts; limit self-write to the attributes users are meant to change (as done for userPassword above) and leave the rest read-only ----------------------------------------- -===============================================================- #/etc/pam.d/login #---------------------------- auth required pam_securetty.so auth required pam_nologin.so auth sufficient pam_ldap.so auth required pam_unix_auth.so try_first_pass account sufficient pam_ldap.so account required pam_unix_acct.so password required pam_ldap.so session sufficient pam_ldap.so session required pam_unix_session.so ---------------------------- #/etc/pam.d/gdm #---------------------------- # note: here pam_ldap.so (sufficient) comes before pam_nologin.so, so an LDAP user who authenticates is never checked against /etc/nologin; the login stack above puts pam_nologin.so first auth sufficient pam_ldap.so auth required pam_nologin.so auth required pam_env.so auth required pam_unix_auth.so account sufficient pam_ldap.so account required pam_unix_acct.so password required pam_ldap.so session sufficient pam_ldap.so session required pam_unix_session.so ---------------------------- #Add this to /etc/pam.d/passwd #---------------------------- password sufficient pam_ldap.so ---------------------------- # /etc/pam.d/xscreensaver #---------------------------- auth sufficient pam_ldap.so auth required pam_unix_auth.so ---------------------------- # /etc/pam.d/ftp #---------------------------- auth sufficient pam_ftp.so auth sufficient pam_unix.so auth required pam_ldap.so account sufficient pam_ldap.so account required pam_unix_acct.so session sufficient pam_ldap.so session required pam_unix_session.so ----------------------------