Re: Implementing LDAP Newbie! Help please
- From: "James Marcinek" <jmarc1 jemconsult biz>
- To: kms passback co uk
- To: taroon-list redhat com
- Cc:
- Subject: Re: Implementing LDAP Newbie! Help please
- Date: Thu, 30 Sep 2004 14:14:08 -0000
I stopped trying to go the easy route and ended up calling the perl scripts
which gave me better control. I was able to import my objects. Some of the users
that were imported were system accounts. Should I get rid of these accounts (eg
bin) as I can't see how they are useful? I'm up and running now as far as LDAP;
after playing with it all day I've learned quite a bit but I still have a long
way to go... If anyone knows any open source apps I can integrate with LDAP, I'd
sure like to hear about them.
Thanks!
I guess my next step is what next? I've set up a LDAP client linux system.
Should I create a user in LDAP and test the authentication? Now I'm assuming I
should use an LDAP editor (or manually add via {ldap/slap}add from ldif) and
then try to login? I've read that you can integrate cyrus and postfix but to
what ends I'm not sure. The real trick is how to go about samba, and whether it
will integrate with my existing posix account (as it originally did) or will it
make a new ldap entry. If this is the case can I just add accounts via samba and
give access to the NT/linux systems with this one entry. I have been working on
my smb.conf file and have exported my tdbsam database via pdbedit. I'm assuming
that I'll be able to import it into the LDAP backend?
kms passback co uk,"Discussion of Red Hat Enterprise Linux 3 (Taroon)"
<taroon-list redhat com> wrote:
> On Wed, 2004-09-29 at 18:33 +0000, James Marcinek wrote:
> > Hello All,
> >
> > I'm trying to implement Open-LDAP. I've been reading the books/docs and online
> > docs and I'm now to the point where I'm trying to create my .ldif files using
> > the /usr/share/openldap/migration tools. I keep getting errors trying to run
> > the migrate_all_offline.sh script. I'll explain my environment before parsing
> > the errors:
> >
> > I've never used NIS in this environment and I want to also implement samba.
> > Here's some of the slapd.conf file:
> >
> > # $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.7 2001/09/27 20:00:31 kurt Exp $
> > #
> > # See slapd.conf(5) for details on configuration options.
> > # This file should NOT be world readable.
> > #
> > include /etc/openldap/schema/core.schema
> > include /etc/openldap/schema/cosine.schema
> > include /etc/openldap/schema/inetorgperson.schema
> > include /etc/openldap/schema/nis.schema
> > include /etc/openldap/schema/redhat/autofs.schema
> > include /etc/openldap/schema/redhat/kerberosobject.schema
> > include /etc/openldap/schema/samba.schema
> >
> > I only added the samba.schema to the includes, all else was left alone
>
> Should be ok.
>
> > My O'Reilly book for LDAP (nor any of the other docs I've come across) doesn't
> > discuss these entries (can anyone tell me what to use them for):
> >
> > # Load dynamic backend modules:
> > # modulepath /usr/sbin/openldap
> > # moduleload back_ldap.la
> > # moduleload back_ldbm.la
> > # moduleload back_passwd.la
> > # moduleload back_shell.la
>
> OpenLDAP can use a variety of backends to actually store your data. Most
> of these backends are implemented as loadable modules. This section
> just tells the main OpenLDAP process how to find these modules and which
> ones to load. Leave them commented out unless you know what you are
> doing :-)
>
> > I created a slapd.pem certificate but wondered if I should wait until I know
> > it's running before I turn this on:
> >
> > #
> > # The next three lines allow use of TLS for connections using a dummy test
> > # certificate, but you should generate a proper certificate by changing to
> > # /usr/share/ssl/certs, running "make slapd.pem", and fixing permissions on
> > # slapd.pem so that the ldap user or group can read it.
> > TLSCertificateFile /usr/share/ssl/certs/slapd.pem
> > TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem
> > TLSCACertificateFile /usr/share/ssl/certs/ca-bundle.crt
>
> My advice would be to get things working without SSL/TLS and once you
> are happy enable this feature.
>
> > Now I'm wanting to implement Samba with this and I found a sample slapd.conf
> > file that indicated setting the following. I'm a bit confused about the
> > ou=People entry but I'm assuming this will all be setup by the schema. However
> > my rootdn is different (see below this entry):
>
> Objects will be created in the directory by the LDIF that you get from
> your migration scripts. The schema just defines the structure of these
> objects. You can think of it in terms of an SQL database: the schema
> defines the tables, columns, and their types. The LDIF defines the rows
> in the tables.
>
> What you need to do is to check the directory once you have completed
> the migration, and find out what the DN is for your root user. In all
> probability it will be cn=root, ou=People, .... If it is not then you
> will need to modify this ACL to match, and restart OpenLDAP.
>
> > access to attrs=lmPassword,ntPassword
> > by dn="cn=root,ou=People,dc=jemconsult,dc=biz" write
> > by * none
>
> This says that anyone connecting to the directory as
> cn=root,ou=People,dc=jemconsult,dc=biz is able to write values into
> attributes called lmPassword or ntPassword, but all other users have no
> access to these attributes.
>
> > access to dn="dc=jemconsult,dc=biz"
> > by self write
> > by * read
>
> This ACL just states that users can modify their own details (self
> write). The "* read" is a catchall that allows read access to anything
> not previously mentioned.
>
> > As I'm new I didn't change the database type that was defined in the file (left
> > as is). Would it be advisable to change the type and if so did they too get
> > installed with the default open-ldap packages?
> >
> > database ldbm
> > suffix "dc=jemconsult,dc=biz"
> > rootdn "cn=root,dc=jemconsult,dc=biz"
> > rootpw {SSHA}I'VE_SET_THIS_TOO
>
> This looks fine, I wouldn't change the database type until you have more
> experience or you have a specific requirement for a different DB.
>
> > The directory permissions have been set for the database to 700:
> > directory /var/lib/ldap
> >
> > I left most of my indices but added a few for Samba (from examples):
> > # Indices to maintain
> > index objectClass,uid,uidNumber,gidNumber,memberUid pres,eq
> > index cn,mail,surname,givenname eq,subinitial
> > index sambaSID eq
> > index sambaPrimaryGroupSID eq
> > index sambaDomainName eq
> > index default sub
>
> You would normally change these values in relation to performance
> analysis of the directory's performance. E.g., if you were getting a lot
> of lookups on a particular attribute you would add an index for that
> attribute.
>
> > All of my replication stuff is commented out as I don't need it yet and don't
> > want to further complicate the matter.
>
> Again, you can always enable it later.
>
> > Now when I run the /usr/share/openldap/migration/migrate_all_offline.sh I get
> > the following output (I started the debugging mode #!/bin/sh -x):
>
> Caveat, I have never used this script, but here goes...
>
> > [root srv01 migration]# ./migrate_all_offline.sh
> > + INSTDIR=/usr/share/openldap/migration/
> > ++ mktemp /tmp/nis.ldif.XXXXXX
> > + DB=/tmp/nis.ldif.zfjTlI
> > + '[' X = X ']'
> > + ETC_ALIASES=/etc/aliases
> > + '[' X = X ']'
> > + ETC_HOSTS=/etc/hosts
> > + '[' X = X ']'
> > + ETC_NETWORKS=/etc/networks
> > + '[' X = X ']'
> > + ETC_PASSWD=/etc/passwd
> > + '[' X = X ']'
> > + ETC_GROUP=/etc/group
> > + '[' X = X ']'
> > + ETC_SERVICES=/etc/services
> > + '[' X = X ']'
> > + ETC_PROTOCOLS=/etc/protocols
> > + '[' X = X ']'
> > + ETC_RPC=/etc/rpc
> > + '[' X = X ']'
> > + ETC_NETGROUP=/etc/netgroup
> > + '[' X = X ']'
> > + '[' -x /usr/bin/perl ']'
> > + PERL=/usr/bin/perl
> > + '[' X = X ']'
> > + '[' -x /usr/local/etc/ldif2ldbm ']'
> > + '[' -x /usr/local/sbin/ldif2ldbm ']'
> > + '[' -x /usr/sbin/ldif2ldbm ']'
> > + '[' -x /bin/slapd/server/ns-slapd ']'
> > + '[' -x /usr/iplanet/servers/bin/slapd/server/dsimport ']'
> > + '[' -x /usr/local/sbin/slapadd ']'
> > + '[' -x /usr/sbin/slapadd ']'
> > + SLAPADD=/usr/sbin/slapadd
> > + echo 'Creating naming context entries...'
> > Creating naming context entries...
> > + /usr/bin/perl -I/usr/share/openldap/migration/
> > /usr/share/openldap/migration/migrate_base.pl
> > + echo 'Migrating aliases...'
> > Migrating aliases...
> > + /usr/bin/perl -I/usr/share/openldap/migration/
> > /usr/share/openldap/migration/migrate_aliases.pl /etc/aliases
> > + echo 'Migrating groups...'
> > Migrating groups...
> > + /usr/bin/perl -I/usr/share/openldap/migration/
> > /usr/share/openldap/migration/migrate_group.pl /etc/group
> > + echo 'Migrating hosts...'
> > Migrating hosts...
> > + /usr/bin/perl -I/usr/share/openldap/migration/
> > /usr/share/openldap/migration/migrate_hosts.pl /etc/hosts
> > + echo 'Migrating networks...'
> > Migrating networks...
> > + /usr/bin/perl -I/usr/share/openldap/migration/
> > /usr/share/openldap/migration/migrate_networks.pl /etc/networks
> > + echo 'Migrating users...'
> > Migrating users...
> > + /usr/bin/perl -I/usr/share/openldap/migration/
> > /usr/share/openldap/migration/migrate_passwd.pl /etc/passwd
> > + echo 'Migrating protocols...'
> > Migrating protocols...
> > + /usr/bin/perl -I/usr/share/openldap/migration/
> > /usr/share/openldap/migration/migrate_protocols.pl /etc/protocols
> > + echo 'Migrating rpcs...'
> > Migrating rpcs...
> > + /usr/bin/perl -I/usr/share/openldap/migration/
> > /usr/share/openldap/migration/migrate_rpc.pl /etc/rpc
> > + echo 'Migrating services...'
> > Migrating services...
> > + /usr/bin/perl -I/usr/share/openldap/migration/
> > /usr/share/openldap/migration/migrate_services.pl /etc/services
> > + echo 'Migrating netgroups...'
> > Migrating netgroups...
> > + /usr/bin/perl -I/usr/share/openldap/migration/
> > /usr/share/openldap/migration/migrate_netgroup.pl /etc/netgroup
> > + echo 'Importing into LDAP...'
> > Importing into LDAP...
> > + echo 'Migrating netgroups (by user)...'
> > Migrating netgroups (by user)...
> > + /usr/bin/perl -I/usr/share/openldap/migration/
> > /usr/share/openldap/migration/migrate_netgroup_byuser.pl /etc/netgroup
> > sh: line 1: /etc/netgroup: No such file or directory
> > + echo 'Migrating netgroups (by host)...'
>
> Don't worry about this. It looks like it is trying to migrate files
> from an existing NIS setup that you don't have - the /etc/netgroups
> file.
>
> > Migrating netgroups (by host)...
> > + /usr/bin/perl -I/usr/share/openldap/migration/
> > /usr/share/openldap/migration/migrate_netgroup_byhost.pl /etc/netgroup
> > sh: line 1: /etc/netgroup: No such file or directory
>
> Same here.
>
> > + echo 'Preparing LDAP database...'
> > Preparing LDAP database...
> > + '[' X/usr/sbin/slapadd = X ']'
> > + /usr/sbin/slapadd -l /tmp/nis.ldif.zfjTlI
> > slapadd: could not parse entry (line=71)
> > + EXITCODE=1
> > + '[' X '!=' Xno ']'
> > + exit 1
> >
> >
> > When I parse the temp file on line 71 I get the following (set nu enabled):
> >
> > 71
> > 72 dn: cn=info,ou=Aliases,dc=jemconsult,dc=biz
> > 73 cn: info
> > 74 objectClass: nisMailAlias
> > 75 objectClass: top
> > 76 rfc822MailMember: jmarc1
>
> Could you paste the preceding lines? There appears to be nothing wrong
> with this object. Can you check the file and make sure that prior to
> line 71 you have something like:
>
> dn: ou=Aliases,dc=jemconsult,dc=biz
> objectClass: organizationalUnit
> objectClass: top
> organizationalUnit: Aliases
>
> The ordering might be slightly different.
>
> > I get files produced in the /var/lib/ldap directory:
> >
> > ls -la /var/lib/ldap
> > total 40
> > drwx------ 2 ldap ldap 4096 Sep 29 12:30 .
> > drwxr-xr-x 23 root root 4096 Sep 17 17:50 ..
> > -rw------- 1 root root 8192 Sep 29 12:30 dn2id.dbb
> > -rw------- 1 root root 8192 Sep 29 12:30 id2entry.dbb
> > -rw------- 1 root root 8192 Sep 29 12:30 nextid.dbb
> > -rw------- 1 root root 8192 Sep 29 12:30 objectClass.dbb
> >
> > I think I'll have to change the permissions later (after I'm sure it'll work)
>
> You will need to do a chmod ldap.ldap *.dbb before you start OpenLDAP.
>
> > As I'm getting these errors with the shell script I'm not sure of how to
> > proceed. Can anyone give me some pointers?
>
> Hopefully this has provided some help!
>
> Keith.
>
> --
> Taroon-list mailing list
> Taroon-list redhat com
> http://www.redhat.com/mailman/listinfo/taroon-list
>
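Keith's suggestion to verify that the ou=Aliases container precedes the alias entries points at a general property of migration-tool output: slapadd loads entries in file order, so every entry's parent (or the suffix itself) must already be in the file. The following checker, an added example that is not code from this thread or from the OpenLDAP migration tools, reads a minimal LDIF and reports every entry whose parent has not appeared earlier. The SAMPLE_LDIF, the dc=jemconsult,dc=biz suffix and the missing ou=Aliases entry are constructed from the fragments quoted above; the parser only handles plain and base64 attribute lines, folded continuation lines, comments and blank-line separators, which is all the migration scripts emit.

```python
"""Check a migration-tool LDIF before slapadd: every entry's parent must
appear earlier in the file (or the entry must be the suffix itself).
Added example; not code from the mailing-list thread or from OpenLDAP."""
import base64
import re
from typing import Dict, List, Tuple

Entry = Tuple[int, str, Dict[str, List[str]]]  # (line of "dn:", dn, attributes)

# Constructed sample modelled on the migrate_*.pl output quoted in the thread.
# The ou=Aliases container is deliberately absent so the checker has a finding.
SAMPLE_LDIF = """\
dn: dc=jemconsult,dc=biz
dc: jemconsult
objectClass: top
objectClass: domain

dn: ou=People,dc=jemconsult,dc=biz
ou: People
objectClass: top
objectClass: organizationalUnit

dn: cn=info,ou=Aliases,dc=jemconsult,dc=biz
cn: info
objectClass: nisMailAlias
objectClass: top
rfc822MailMember: jmarc1
"""

# The container entry that should precede the alias entry (constructed).
# The naming attribute "ou" must also be present as an attribute of the entry.
ALIASES_OU = """\
dn: ou=Aliases,dc=jemconsult,dc=biz
objectClass: organizationalUnit
objectClass: top
ou: Aliases

"""
FIXED_LDIF = SAMPLE_LDIF.replace("dn: cn=info,", ALIASES_OU + "dn: cn=info,")


def _unfold(text: str) -> List[Tuple[int, str]]:
    """Join LDIF folded lines (a continuation line starts with one space),
    keeping the physical line number where each logical line began."""
    out: List[Tuple[int, str]] = []
    for n, raw in enumerate(text.splitlines(), 1):
        if raw.startswith(" ") and out:
            ln, prev = out[-1]
            out[-1] = (ln, prev + raw[1:])
        else:
            out.append((n, raw))
    return out


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: 'attr: value' and 'attr:: <base64>' lines, '#'
    comments and blank-line separators. Raises ValueError naming the
    offending line, which slapadd's terse 'line=N' message does not explain."""
    entries: List[Entry] = []
    dn, attrs, start = None, {}, 0
    # Trailing sentinel so the last entry is flushed even without a blank line.
    for n, line in _unfold(text) + [(len(text.splitlines()) + 1, "")]:
        if line.startswith("#"):
            continue
        if line.strip() == "":
            if dn is not None:
                entries.append((start, dn, attrs))
            dn, attrs = None, {}
            continue
        if ":" not in line:
            raise ValueError(f"line {n}: not an 'attribute: value' line: {line!r}")
        name, _, value = line.partition(":")
        name = name.strip().lower()
        if value.startswith(":"):  # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name == "dn":
            if dn is not None:
                raise ValueError(f"line {n}: second dn inside one entry")
            dn, start = value, n
        elif dn is None:
            raise ValueError(f"line {n}: attribute before any dn")
        else:
            attrs.setdefault(name, []).append(value)
    return entries


def _rdns(dn: str) -> List[str]:
    """Split a DN on unescaped commas and trim whitespace around each RDN."""
    return [p.strip() for p in re.split(r"(?<!\\),", dn)]


def normalize_dn(dn: str) -> str:
    return ",".join(_rdns(dn)).lower()


def parent_dn(dn: str) -> str:
    return ",".join(_rdns(dn)[1:])


def check_parent_order(text: str, suffix: str) -> List[Tuple[int, str, str]]:
    """Return (line, dn, missing_parent) for each entry whose parent has not
    been seen yet. The suffix entry needs no parent; every other entry must
    hang off an entry that precedes it in the file."""
    nsuffix = normalize_dn(suffix)
    seen = set()
    problems = []
    for line, dn, _attrs in parse_ldif(text):
        ndn = normalize_dn(dn)
        if ndn != nsuffix and normalize_dn(parent_dn(dn)) not in seen:
            problems.append((line, dn, parent_dn(dn)))
        seen.add(ndn)
    return problems


if __name__ == "__main__":
    for label, text in (("as generated", SAMPLE_LDIF), ("with ou=Aliases added", FIXED_LDIF)):
        found = check_parent_order(text, "dc=jemconsult,dc=biz")
        print(f"{label}: {len(found)} problem(s)")
        for line, dn, parent in found:
            print(f"  line {line}: {dn} needs parent {parent} earlier in the file")
```

Run it against the /tmp/nis.ldif.XXXXXX file the script leaves behind (read the file into `text` in place of the sample) before retrying slapadd. The checker reports ordering problems and malformed lines only; slapadd's "could not parse entry" can have other causes, such as schema violations, which this does not detect.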