ldap on Debian Squeeze

Warning! This article is outdated and is kept for historical reasons only.

apt-get install slapd

Set the password for the ldap server. You should also be asked about the base DN; if not, run

dpkg-reconfigure slapd

The following script exports the local accounts (uid 1000-9999) to an LDIF file:

#!/bin/bash
# Export local accounts (uid 1000-9999) from /etc/passwd and /etc/shadow
# as LDIF entries under ou=people. Needs root to read /etc/shadow.

SUFFIX='dc=server,dc=world'   # must match the base DN your slapd serves
LDIF='ldapuser.ldif'

# Write "attr: value" only when the value is non-empty, so that unset
# shadow fields do not turn into attributes with empty values.
emit() {
    if [ "$2" ]
    then
        echo "$1: $2" >> $LDIF
    fi
}

# Read whole lines so spaces in the GECOS field survive (no word splitting).
grep "^[^:]*:x:[1-9][0-9][0-9][0-9]:" /etc/passwd | while IFS= read -r line
do
    UID1=$(echo "$line" | cut -d: -f1)
    NAME=$(echo "$line" | cut -d: -f5 | cut -d, -f1)
    if [ ! "$NAME" ]
    then
        NAME=$UID1
    fi
    SN=$(echo "$NAME" | awk '{print $2}')
    if [ ! "$SN" ]
    then
        SN=$NAME
    fi
    GIVEN=$(echo "$NAME" | awk '{print $1}')
    UID2=$(echo "$line" | cut -d: -f3)
    GID=$(echo "$line" | cut -d: -f4)
    USHELL=$(echo "$line" | cut -d: -f7)
    UHOME=$(echo "$line" | cut -d: -f6)
    # Anchor on "^name:" so that "bob" does not also match "bobby".
    SHADOW=$(grep "^$UID1:" /etc/shadow)
    PASS=$(echo "$SHADOW" | cut -d: -f2)
    LAST=$(echo "$SHADOW" | cut -d: -f3)
    EXPIRE=$(echo "$SHADOW" | cut -d: -f8)   # account expiry date is field 8
    FLAG=$(echo "$SHADOW" | cut -d: -f9)
    if [ ! "$FLAG" ]
    then
        FLAG="0"
    fi
    # passwd -S prints: name status lastchange min max warn inactive
    STATUS=$(passwd -S $UID1)
    MIN=$(echo "$STATUS" | awk '{print $4}')
    MAX=$(echo "$STATUS" | awk '{print $5}')
    WARN=$(echo "$STATUS" | awk '{print $6}')

    echo "dn: uid=$UID1,ou=people,$SUFFIX" >> $LDIF
    echo "objectClass: inetOrgPerson" >> $LDIF
    echo "objectClass: posixAccount" >> $LDIF
    echo "objectClass: shadowAccount" >> $LDIF
    echo "uid: $UID1" >> $LDIF
    echo "sn: $SN" >> $LDIF
    echo "givenName: $GIVEN" >> $LDIF
    echo "cn: $NAME" >> $LDIF
    echo "displayName: $NAME" >> $LDIF
    echo "uidNumber: $UID2" >> $LDIF
    echo "gidNumber: $GID" >> $LDIF
    echo "userPassword: {crypt}$PASS" >> $LDIF
    echo "gecos: $NAME" >> $LDIF
    echo "loginShell: $USHELL" >> $LDIF
    echo "homeDirectory: $UHOME" >> $LDIF
    emit shadowExpire "$EXPIRE"
    echo "shadowFlag: $FLAG" >> $LDIF
    emit shadowWarning "$WARN"
    emit shadowMin "$MIN"
    emit shadowMax "$MAX"
    emit shadowLastChange "$LAST"
    echo >> $LDIF
done

/etc/ldap/ldap.conf

BASE    dc=ekbrand,dc=net
URI     ldap://localhost

migration

Edit /etc/migrationtools/migrate_common.ph

$DEFAULT_MAIL_DOMAIN = "ekbrand.net";
$DEFAULT_BASE = "dc=ekbrand,dc=net";
$EXTENDED_SCHEMA = 0;

Then feed the migration output to ldapadd (-W prompts for the admin password, -c continues past errors):

./migrate_base.pl | ldapadd -h localhost -x -W -D "cn=admin,dc=ekbrand,dc=net" -c
./migrate_group.pl /etc/group | ldapadd -h localhost -x -W -D "cn=admin,dc=ekbrand,dc=net" -c
./migrate_passwd.pl /etc/passwd | ldapadd -h localhost -x -W -D "cn=admin,dc=ekbrand,dc=net" -c
./migrate_hosts.pl /etc/hosts | ldapadd -h localhost -x -W -D "cn=admin,dc=ekbrand,dc=net" -c

This is a start. The main points

Sources:

Let's say you have an ldap server running on 192.168.0.7

On the clients

aptitude install libpam-ldap libnss-ldapd

Note that ldap:// is not the same as ldapi:// (ldapi:// is the local Unix domain socket, ldap:// is LDAP over TCP to a host).

I use ldap:// and put 192.168.0.7 in there:

ldap://192.168.0.7

Edit /etc/pam.d/common-account:

# Check local authentication first, so root can still login
# while LDAP is down.
account [success=1 default=ignore] pam_unix.so
account required pam_ldap.so use_first_pass
account required pam_permit.so

Edit /etc/pam.d/common-auth:

auth [success=1 default=ignore] pam_unix.so
auth required pam_ldap.so use_first_pass
auth required pam_permit.so

Edit /etc/pam.d/common-password:

password    sufficient    pam_ldap.so
password    required      pam_unix.so nullok obscure md5
password    required      pam_deny.so

Edit /etc/pam.d/common-session (this one is not tested!).

session [success=1 default=ignore] pam_unix.so
session required pam_ldap.so use_first_pass
session required pam_limits.so

Don't enable shadow lookups through ldap in /etc/nsswitch.conf: the ldap server does the authentication (via pam_ldap), so the clients never need to see the hashed passwords.

change the configuration of slapd

I saw this in the logs:

Sep  6 18:27:17 spelmaskinen slapd[1527]: <= bdb_equality_candidates: (uid) not indexed
Sep  6 18:34:13 spelmaskinen slapd[1527]: <= bdb_equality_candidates: (cn) not indexed
Sep  6 18:34:13 spelmaskinen slapd[1527]: <= bdb_equality_candidates: (memberUid) not indexed
Sep  6 18:36:17 spelmaskinen slapd[1527]: <= bdb_equality_candidates: (gidNumber) not indexed
Sep  6 18:36:17 spelmaskinen slapd[1527]: <= bdb_equality_candidates: (uniqueMember) not indexed

Instruct slapd to index these. In slapd.conf syntax the indexes look like this:

index   objectClass             eq
index   sn                      pres,sub,eq
index   displayName             pres,sub,eq
index   default                 sub
index   uidNumber               eq
index   gidNumber               eq
index   mail,givenName          eq,subinitial
index   dc                      eq

index   uid                     pres,sub,eq
index   cn                      pres,sub,eq
index   memberUid               eq
index   gidNumber               eq
index   uniqueMember            eq

Squeeze's slapd is configured through cn=config instead, so save the following to /root/tree.ldif (section 1 sets olcLogLevel to stats, section 2 adds the indexes):

# 1.
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: stats

# 2.1.
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: uid eq
-
# 2.2.
add: olcDbIndex
olcDbIndex: cn eq
-
# 2.3.
add: olcDbIndex
olcDbIndex: ou eq
-
# 2.4.
add: olcDbIndex
olcDbIndex: dc eq

And apply the changes by:

ldapmodify -QY EXTERNAL -H ldapi:/// -f /root/tree.ldif
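As an added example (not from the original page), a small POSIX shell script that turns the "not indexed" log lines into a cn=config LDIF, with one olcDbIndex add per distinct attribute. It assumes the same database DN as the LDIF above (olcDatabase={1}hdb) and embeds constructed sample log lines in the format shown above; the hand-written LDIF covers uid, cn, ou and dc, while this emits an index for every attribute the log complained about.

```shell
#!/bin/sh
# Added example: build an olcDbIndex LDIF from slapd "not indexed" log lines.
# Assumption: the data backend lives at olcDatabase={1}hdb,cn=config.

DB_DN='olcDatabase={1}hdb,cn=config'

# Constructed sample log lines (same format as the slapd log excerpt above).
SAMPLE_LOG='Sep  6 18:27:17 spelmaskinen slapd[1527]: <= bdb_equality_candidates: (uid) not indexed
Sep  6 18:34:13 spelmaskinen slapd[1527]: <= bdb_equality_candidates: (cn) not indexed
Sep  6 18:34:13 spelmaskinen slapd[1527]: <= bdb_equality_candidates: (memberUid) not indexed
Sep  6 18:36:17 spelmaskinen slapd[1527]: <= bdb_equality_candidates: (gidNumber) not indexed
Sep  6 18:36:17 spelmaskinen slapd[1527]: <= bdb_equality_candidates: (uid) not indexed'

# unindexed_attrs: read log lines on stdin, print each attribute reported
# as "not indexed" exactly once (sorted).
unindexed_attrs() {
    sed -n 's/.*_candidates: (\([A-Za-z0-9]*\)) not indexed.*/\1/p' | sort -u
}

# index_ldif: read attribute names (one per line) on stdin and emit a single
# "changetype: modify" entry that adds an equality index for each of them,
# separating the individual modifications with "-" as LDIF requires.
index_ldif() {
    printf 'dn: %s\nchangetype: modify\n' "$DB_DN"
    first=1
    while read -r attr; do
        [ -n "$attr" ] || continue
        [ "$first" = 1 ] || printf '%s\n' -
        printf 'add: olcDbIndex\nolcDbIndex: %s eq\n' "$attr"
        first=0
    done
}

# Stand-alone run on the sample; for a live system feed in
# grep 'not indexed' /var/log/syslog instead of SAMPLE_LOG.
printf '%s\n' "$SAMPLE_LOG" | unindexed_attrs | index_ldif
```

Before applying the result, list the values already present with ldapsearch -QY EXTERNAL -H ldapi:/// -b "olcDatabase={1}hdb,cn=config" olcDbIndex, because adding an olcDbIndex value that already exists makes ldapmodify reject that modification with "Type or value exists".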

needed?

Create /root/people-group.ldif with the two organizational units the entries hang under:

dn: ou=People, dc=ekbrand, dc=net
ou: People
objectclass: organizationalUnit

dn: ou=Group, dc=ekbrand, dc=net
ou: Group
objectclass: organizationalUnit

and load it with:

ldapadd -cxWD cn=admin,dc=ekbrand,dc=net -f /root/people-group.ldif

Last modified: October 17, 2019