Re: LDAP configuration help needed! PLEASE

From: Craig White (craigwhite_at_azapple.com)
Date: 09/30/04

    To: James Marcinek <jmarc1@jemconsult.biz>, For users of Fedora Core releases <fedora-list@redhat.com>
    Date: Wed, 29 Sep 2004 17:19:18 -0700
    
    

    On Wed, 2004-09-29 at 09:38, James Marcinek wrote:
    > Hello All,
    >
    > I'm trying to implement Open-LDAP. I've been reading the books/docs and online
    > docs and I'm now to the point where I'm trying to create my .ldif files using
    > the /usr/share/openldap/migration tools. I keep getting errors trying to run the
    > migrate_all_offline.sh script. I'll explain my environment before parsing the
    > errors:
    >
    > I've never used NIS in this environment and I want to also implement samba.
    > Here's some of the slapd.conf file:
    >
    > # $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.7 2001/09/27 20:00:31
    > kurt Exp $
    > #
    > # See slapd.conf(5) for details on configuration options.
    > # This file should NOT be world readable.
    > #
    > include /etc/openldap/schema/core.schema
    > include /etc/openldap/schema/cosine.schema
    > include /etc/openldap/schema/inetorgperson.schema
    > include /etc/openldap/schema/nis.schema
    > include /etc/openldap/schema/redhat/autofs.schema
    > include /etc/openldap/schema/redhat/kerberosobject.schema
    > include /etc/openldap/schema/samba.schema
    >
    > I only added the samba.schema to the includes, all else was left alone
    >
    > Neither my O'Reilly book for LDAP nor any of the other docs I've come across
    > discusses these entries (can anyone tell me what they are used for):
    >
    > # Load dynamic backend modules:
    > # modulepath /usr/sbin/openldap
    > # moduleload back_ldap.la
    > # moduleload back_ldbm.la
    > # moduleload back_passwd.la
    > # moduleload back_shell.la
    >
    > I created a slapd.pem certificate but wondered if I should wait until I know
    > it's running before I turn this on:
    >
    > #
    > # The next three lines allow use of TLS for connections using a dummy test
    > # certificate, but you should generate a proper certificate by changing to
    > # /usr/share/ssl/certs, running "make slapd.pem", and fixing permissions on
    > # slapd.pem so that the ldap user or group can read it.
    > TLSCertificateFile /usr/share/ssl/certs/slapd.pem
    > TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem
    > TLSCACertificateFile /usr/share/ssl/certs/ca-bundle.crt
    >
    > Now I'm wanting to implement Samba with this and I found a sample slapd.conf
    > file that indicated setting the following. I'm a bit confused about the
    > ou=People entry but I'm assuming this will all be setup by the schema. However
    > my rootdn is different (see below this entry):
    >
    > access to attrs=lmPassword,ntPassword
    > by dn="cn=root,ou=People,dc=jemconsult,dc=biz" write
    > by * none
    > access to dn="dc=jemconsult,dc=biz"
    > by self write
    > by * read
    >
    > As I'm new I didn't change the database type that was defined in the file (left
    > as is). Would it be advisable to change the type and if so did they too get
    > installed with the default open-ldap packages?
    >
    > database ldbm
    > suffix "dc=jemconsult,dc=biz"
    > rootdn "cn=root,dc=jemconsult,dc=biz"
    > rootpw {SSHA}I'VE_SET_THIS_TOO
    >
    > The directory permissions have been set for the database to 700:
    > directory /var/lib/ldap
    >
    > I left most of my indices but added a few for Samba (from examples):
    > # Indices to maintain
    > index objectClass,uid,uidNumber,gidNumber,memberUid pres,eq
    > index cn,mail,surname,givenname eq,subinitial
    > index sambaSID eq
    > index sambaPrimaryGroupSID eq
    > index sambaDomainName eq
    > index default sub
    >
    > All of my replication stuff is commented out as I don't need it yet and don't
    > want to further complicate the matter.
    >
    > Now when I run the /usr/share/openldap/migration/migrate_all_offline.sh I get
    > the following output (I started the debugging mode #!/bin/sh -x):
    >
    > [root@srv01 migration]# ./migrate_all_offline.sh
    > + INSTDIR=/usr/share/openldap/migration/
    > ++ mktemp /tmp/nis.ldif.XXXXXX
    > + DB=/tmp/nis.ldif.zfjTlI
    > + '[' X = X ']'
    > + ETC_ALIASES=/etc/aliases
    > + '[' X = X ']'
    > + ETC_HOSTS=/etc/hosts
    > + '[' X = X ']'
    > + ETC_NETWORKS=/etc/networks
    > + '[' X = X ']'
    > + ETC_PASSWD=/etc/passwd
    > + '[' X = X ']'
    > + ETC_GROUP=/etc/group
    > + '[' X = X ']'
    > + ETC_SERVICES=/etc/services
    > + '[' X = X ']'
    > + ETC_PROTOCOLS=/etc/protocols
    > + '[' X = X ']'
    > + ETC_RPC=/etc/rpc
    > + '[' X = X ']'
    > + ETC_NETGROUP=/etc/netgroup
    > + '[' X = X ']'
    > + '[' -x /usr/bin/perl ']'
    > + PERL=/usr/bin/perl
    > + '[' X = X ']'
    > + '[' -x /usr/local/etc/ldif2ldbm ']'
    > + '[' -x /usr/local/sbin/ldif2ldbm ']'
    > + '[' -x /usr/sbin/ldif2ldbm ']'
    > + '[' -x /bin/slapd/server/ns-slapd ']'
    > + '[' -x /usr/iplanet/servers/bin/slapd/server/dsimport ']'
    > + '[' -x /usr/local/sbin/slapadd ']'
    > + '[' -x /usr/sbin/slapadd ']'
    > + SLAPADD=/usr/sbin/slapadd
    > + echo 'Creating naming context entries...'
    > Creating naming context entries...
    > + /usr/bin/perl -I/usr/share/openldap/migration/
    > /usr/share/openldap/migration/migrate_base.pl
    > + echo 'Migrating aliases...'
    > Migrating aliases...
    > + /usr/bin/perl -I/usr/share/openldap/migration/
    > /usr/share/openldap/migration/migrate_aliases.pl /etc/aliases
    > + echo 'Migrating groups...'
    > Migrating groups...
    > + /usr/bin/perl -I/usr/share/openldap/migration/
    > /usr/share/openldap/migration/migrate_group.pl /etc/group
    > + echo 'Migrating hosts...'
    > Migrating hosts...
    > + /usr/bin/perl -I/usr/share/openldap/migration/
    > /usr/share/openldap/migration/migrate_hosts.pl /etc/hosts
    > + echo 'Migrating networks...'
    > Migrating networks...
    > + /usr/bin/perl -I/usr/share/openldap/migration/
    > /usr/share/openldap/migration/migrate_networks.pl /etc/networks
    > + echo 'Migrating users...'
    > Migrating users...
    > + /usr/bin/perl -I/usr/share/openldap/migration/
    > /usr/share/openldap/migration/migrate_passwd.pl /etc/passwd
    > + echo 'Migrating protocols...'
    > Migrating protocols...
    > + /usr/bin/perl -I/usr/share/openldap/migration/
    > /usr/share/openldap/migration/migrate_protocols.pl /etc/protocols
    > + echo 'Migrating rpcs...'
    > Migrating rpcs...
    > + /usr/bin/perl -I/usr/share/openldap/migration/
    > /usr/share/openldap/migration/migrate_rpc.pl /etc/rpc
    > + echo 'Migrating services...'
    > Migrating services...
    > + /usr/bin/perl -I/usr/share/openldap/migration/
    > /usr/share/openldap/migration/migrate_services.pl /etc/services
    > + echo 'Migrating netgroups...'
    > Migrating netgroups...
    > + /usr/bin/perl -I/usr/share/openldap/migration/
    > /usr/share/openldap/migration/migrate_netgroup.pl /etc/netgroup
    > + echo 'Importing into LDAP...'
    > Importing into LDAP...
    > + echo 'Migrating netgroups (by user)...'
    > Migrating netgroups (by user)...
    > + /usr/bin/perl -I/usr/share/openldap/migration/
    > /usr/share/openldap/migration/migrate_netgroup_byuser.pl /etc/netgroup
    > sh: line 1: /etc/netgroup: No such file or directory
    > + echo 'Migrating netgroups (by host)...'
    > Migrating netgroups (by host)...
    > + /usr/bin/perl -I/usr/share/openldap/migration/
    > /usr/share/openldap/migration/migrate_netgroup_byhost.pl /etc/netgroup
    > sh: line 1: /etc/netgroup: No such file or directory
    > + echo 'Preparing LDAP database...'
    > Preparing LDAP database...
    > + '[' X/usr/sbin/slapadd = X ']'
    > + /usr/sbin/slapadd -l /tmp/nis.ldif.zfjTlI
    > slapadd: could not parse entry (line=71)
    > + EXITCODE=1
    > + '[' X '!=' Xno ']'
    > + exit 1
    >
    >
    > When I parse the temp file on line 71 I get the following (set nu enabled):
    >
    > 71
    > 72 dn: cn=info,ou=Aliases,dc=jemconsult,dc=biz
    > 73 cn: info
    > 74 objectClass: nisMailAlias
    > 75 objectClass: top
    > 76 rfc822MailMember: jmarc1
    >
    >
    > I get files produced in the /var/lib/ldap directory:
    >
    > ls -la /var/lib/ldap
    > total 40
    > drwx------ 2 ldap ldap 4096 Sep 29 12:30 .
    > drwxr-xr-x 23 root root 4096 Sep 17 17:50 ..
    > -rw------- 1 root root 8192 Sep 29 12:30 dn2id.dbb
    > -rw------- 1 root root 8192 Sep 29 12:30 id2entry.dbb
    > -rw------- 1 root root 8192 Sep 29 12:30 nextid.dbb
    > -rw------- 1 root root 8192 Sep 29 12:30 objectClass.dbb
    >
    > I think I'll have to change the permissions later (after I'm sure it'll work)
    >
    > As I'm getting these errors with the shell script I'm not sure of how to
    > proceed. Can anyone give me some pointers?
    -----
    Probably too much to solve all at once.

    First, I used the migration scripts in a manual mode which permitted me
    to operate in an orderly manner.

    cd /usr/share/openldap/migration
    emacs migrate_common.ph #edit this - IMPORTANT
    ./migrate_passwd.pl /etc/passwd > passwd.ldif
    ./migrate_group.pl /etc/group > group.ldif
    continue with hosts, services and anything else you care to bring into
    ldap
    create a base ldif file which has the base stuff - something like...

    dn: o=Domain,c=US
    o: Domain
    objectClass: top
    objectClass: organization
    objectClass: domainRelatedObject
    associatedDomain: Domainpr.com

    dn: ou=Hosts,o=Domain,c=US
    ou: Hosts
    objectClass: top
    objectClass: organizationalUnit
    objectClass: domainRelatedObject
    associatedDomain: Domainpr.com

    dn: ou=Rpc,o=Domain,c=US
    ou: Rpc
    objectClass: top
    objectClass: organizationalUnit
    objectClass: domainRelatedObject
    associatedDomain: Domainpr.com

    dn: ou=Services,o=Domain,c=US
    ou: Services
    objectClass: top
    objectClass: organizationalUnit
    objectClass: domainRelatedObject
    associatedDomain: Domainpr.com

    dn: nisMapName=netgroup.byuser,o=Domain,c=US
    nismapname: netgroup.byuser
    objectClass: top
    objectClass: nisMap
    objectClass: domainRelatedObject
    associatedDomain: Domainpr.com

    dn: ou=Mounts,o=Domain,c=US
    ou: Mounts
    objectClass: top
    objectClass: organizationalUnit
    objectClass: domainRelatedObject
    associatedDomain: Domainpr.com

    dn: ou=Networks,o=Domain,c=US
    ou: Networks
    objectClass: top
    objectClass: organizationalUnit
    objectClass: domainRelatedObject
    associatedDomain: Domainpr.com

    dn: ou=People,o=Domain,c=US
    ou: People
    objectClass: top
    objectClass: organizationalUnit
    objectClass: domainRelatedObject
    associatedDomain: Domainpr.com

    dn: ou=Groups,o=Domain,c=US
    ou: Groups
    objectClass: top
    objectClass: organizationalUnit
    objectClass: domainRelatedObject
    associatedDomain: Domainpr.com

    dn: ou=Netgroup,o=Domain,c=US
    ou: Netgroup
    objectClass: top
    objectClass: organizationalUnit
    objectClass: domainRelatedObject
    associatedDomain: Domainpr.com

    dn: ou=Protocols,o=Domain,c=US
    ou: Protocols
    objectClass: top
    objectClass: organizationalUnit
    objectClass: domainRelatedObject
    associatedDomain: Domainpr.com

    dn: ou=Aliases,o=Domain,c=US
    ou: Aliases
    objectClass: top
    objectClass: organizationalUnit
    objectClass: domainRelatedObject
    associatedDomain: Domainpr.com

    dn: nisMapName=netgroup.byhost,o=Domain,c=US
    nismapname: netgroup.byhost
    objectClass: top
    objectClass: nisMap
    objectClass: domainRelatedObject
    associatedDomain: Domainpr.com

    # Setting up admin handle for People OU
    dn: cn=admin,ou=People,o=Domain,c=US
    cn: admin
    objectclass: top
    objectclass: organizationalRole
    objectclass: simpleSecurityObject
    userPassword: {SSHA}REMOVED

    # Setting up admin handle for Groups OU
    dn: cn=admin,ou=Groups,o=Domain,c=US
    cn: admin
    objectclass: top
    objectclass: organizationalRole
    objectclass: simpleSecurityObject
    userPassword: {SSHA}REMOVED

    # Setting up container for computers
    dn: ou=Computers,o=Domain,c=US
    objectclass: top
    objectclass: organizationalUnit
    ou: Computers

    # Setting up admin handle for Computers OU
    dn: cn=admin,ou=Computers,o=Domain,c=US
    cn: admin
    objectclass: top
    objectclass: organizationalRole
    objectclass: simpleSecurityObject
    userPassword: {SSHA}REMOVED

    ----
    Now this is just a guideline/suggestion.
    Then you can ldapadd or slapadd the base.ldif, passwd.ldif, group.ldif
    etc.
    If you use slapadd, you do that with ldap stopped and then you have to
    fix the ownership (easy enough - chown ldap.ldap /var/lib/ldap -R)
    If you use ldapadd, you must start the ldap service and your entries
    have to be in order and perfect to work.
    I would heavily recommend that you get this functioning first and then
    add other attributes such as those required for samba and other services
    afterwards, as it is way too difficult to get everything working straight
    out of the box all at once. For example, leave certs for another day.
    Also - with respect to your questions, start with minimal ACLs and
    increase security after it is working. Also, my ldap config has...
    ## Indices to maintain
    ## required by OpenLDAP
    index   objectclass             pres,eq
    index   cn,sn,uid,displayName   pres,sub,eq
    index   uidNumber,gidNumber     eq
    index   mail,givenname          eq,subinitial
     
    ## Indices for Samba
    index   memberUid               eq
    index   sambaSID                eq
    index   sambaPrimaryGroupSID    eq
    index   sambaDomainName         eq
    index   default                 sub
    My typical user looks like this...
    # test, People, Domain, US
    dn: uid=test, ou=People,o=Domain,c=US
    sambaPwdCanChange: 1073349561
    sambaPwdMustChange: 2147483647
    sambaPwdLastSet: 1073349561
    roomNumber: 4304
    sambaProfilePath: \\linserv1\profiles\test\
    sambaLogonScript: users-pr.bat
    cn: test
    uidNumber: 1046
    sambaPrimaryGroupSID: S-1-5-21-1292501092-333717336-619646970-3000
    sambaAcctFlags: [U ]
    mail: test@domainpr.com
    sambaLMPassword: 01FC5A6BE7BC6929AAD3B435B51404EE
    uid: test
    sambaHomePath: \\linserv2\homes\test\
    homeDirectory: /home/users/test
    objectClass: posixAccount
    objectClass: shadowAccount
    objectClass: inetOrgperson
    objectClass: sambaSamAccount
    sambaDomainName: MULLEN
    gidNumber: 1000
    sambaSID: S-1-5-21-1292501092-333717336-619646970-3092
    sambaNTPassword: 0CB6948805F797BF2A82807973B89537
    sambaHomeDrive: h:
    sn: User
    givenName: Test
    loginShell: /bin/false
    userPassword:: REMOVED
    shadowLastChange: 12423
    ----
    YMMV - good luck
    Also note - I use webmin <www.webmin.com> to create/edit users - the
    LDAP Users and Groups module as it allows me to automatically enter
    default values for much of this - I think that there is a program called
    LAM that can do this too.
    Go slowly - do as much as you can that is 'repeatable' so that you can
    wipe out your ldap and then 'reload' - to fix things.
    Samba LDAP will not work until you get smbldap_tools functioning - and
    that is a bear to get working until you get LDAP working and understand
    it. Make sure you can ldapsearch and ldapadd/ldapmodify from the CLI before
    you use crutch tools, or setting up these crutch tools will make you
    crazy. And lastly - something that caused more than a few gray hairs...
    Samba tends to use 'Groups' - Linux tends to use 'Group' - stick with
    one or the other and be consistent (smbldap, nsswitch, ldap.conf)
    Craig
    -- 
    fedora-list mailing list
    fedora-list@redhat.com
    To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
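
The thread turns on two failure modes of hand-built or migrated LDIF: a record that slapadd cannot parse (the "could not parse entry (line=71)" error above, which a stray blank line inside an entry produces, since a blank line ends a record), and entries that are out of order, which ldapadd rejects because a child cannot be added before its parent. The checker below is an added example, not code from the thread or from the OpenLDAP migration tools; the suffix dc=example,dc=com and the sample LDIF (which deliberately contains a mid-entry blank line and an out-of-order user) are constructed for it. It reports the line number of each problem the way slapadd does, so a file can be fixed before the import is attempted.

```python
"""Added example: a small LDIF sanity checker (not from the thread or OpenLDAP).
Flags records that do not begin with 'dn:', unparsable attribute lines, and
entries whose parent is neither the suffix nor an earlier entry in the file."""
import re
from typing import List, Optional, Tuple

# attribute name, optional second colon (base64 value), optional space, value
ATTR_RE = re.compile(r"^([A-Za-z][A-Za-z0-9;-]*):(:?)\s?(.*)$")


def split_dn(dn: str) -> List[str]:
    """Split a DN into RDNs, tolerating whitespace after commas
    (no escaped-comma handling: enough for migration-tool output)."""
    return [rdn.strip() for rdn in dn.split(",")]


def normalize_dn(dn: str) -> str:
    return ",".join(split_dn(dn)).lower()


def parent_dn(dn: str) -> str:
    return ",".join(split_dn(dn)[1:]).lower()


def parse_ldif(text: str) -> Tuple[List[dict], List[str]]:
    """Return (records, problems); a record is {'dn', 'line', 'attrs'}."""
    records: List[dict] = []
    problems: List[str] = []
    current: Optional[dict] = None
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.rstrip("\r")
        if line.startswith("#"):
            continue
        if line.strip() == "":               # a blank line closes the record
            if current is not None:
                records.append(current)
                current = None
            continue
        if line.startswith(" "):             # continuation of the previous value
            if current is None or not current["attrs"]:
                problems.append(f"line {lineno}: continuation line outside a record")
                continue
            name, val = current["attrs"][-1]
            current["attrs"][-1] = (name, val + line[1:])
            continue
        m = ATTR_RE.match(line)
        if not m:
            problems.append(f"line {lineno}: cannot parse attribute line {line!r}")
            continue
        name, value = m.group(1), m.group(3)
        if current is None:
            current = {"dn": None, "line": lineno, "attrs": []}
            if name.lower() != "dn":
                problems.append(f"line {lineno}: record does not start with dn: ({line!r})")
            else:
                current["dn"] = value
                continue
        if name.lower() == "dn":
            if current["dn"] is None:        # mis-started record: adopt this dn
                current["dn"] = value
            else:
                problems.append(f"line {lineno}: second dn: inside the record "
                                f"that started at line {current['line']}")
            continue
        current["attrs"].append((name, value))
    if current is not None:
        records.append(current)
    return records, problems


def check_order(records: List[dict], suffix: str) -> List[str]:
    """Every entry's parent must be the suffix or an entry seen earlier (ldapadd order)."""
    suffix_n = normalize_dn(suffix)
    seen = set()
    problems: List[str] = []
    for rec in records:
        if rec["dn"] is None:
            continue
        dn_n = normalize_dn(rec["dn"])
        parent = parent_dn(rec["dn"])
        if dn_n != suffix_n and parent != suffix_n and parent not in seen:
            problems.append(f"line {rec['line']}: parent {parent!r} of "
                            f"{rec['dn']!r} is not defined earlier in the file")
        seen.add(dn_n)
    return problems


def check_ldif(text: str, suffix: str) -> List[str]:
    records, problems = parse_ldif(text)
    return problems + check_order(records, suffix)


# Constructed sample: a blank line splits the nisMap entry (line 16 then
# starts a record without dn:), and uid=test is added before ou=People exists.
SAMPLE_LDIF = """\
dn: dc=example,dc=com
dc: example
objectClass: top
objectClass: domain

dn: ou=Aliases,dc=example,dc=com
ou: Aliases
objectClass: top
objectClass: organizationalUnit

dn: nisMapName=netgroup.byuser,dc=example,dc=com
nismapname: netgroup.byuser
objectClass: top
objectClass: nisMap

associatedDomain: example.com
dn: ou=Mounts,dc=example,dc=com
ou: Mounts
objectClass: top
objectClass: organizationalUnit

dn: uid=test,ou=People,dc=example,dc=com
uid: test
objectClass: posixAccount
"""

if __name__ == "__main__":
    for problem in check_ldif(SAMPLE_LDIF, "dc=example,dc=com"):
        print(problem)
```

Run it against the temp file the migration script leaves behind (`/tmp/nis.ldif.*` in the trace above) with the real suffix to get the offending line before re-running slapadd; because slapadd does not enforce parent ordering but ldapadd does, the ordering report matters most when loading into a running server.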
    
