Debian Clusters for Education and Research: The Missing Manual

LDAP Server

From Debian Clusters


This is the second page of a five-part tutorial on LDAP. The full tutorial includes

LDAP Server Overview

The steps involved in setting up an LDAP server consist of

  • installing slapd
  • installing migrationtools, configuring the migrationtools script, and running the script

slapd

Slapd is the LDAP server daemon - it's what runs in the background and answers when other computers ask for LDAP authentication. Install slapd with apt-get. The command should just be apt-get install slapd. The only prompt for this package will be to enter the administrative password.

Once it's installed, verify that slapd is running with the command ps aux | grep slapd. You should see something like this:

openldap  9741  0.0  1.0  14456  2720 ?        Ssl  08:21   0:00 /usr/sbin/slapd -g openldap -u openldap

However, the initial configuration does not necessarily set up everything, so it will need to be reconfigured. Use dpkg-reconfigure slapd.

Omit OpenLDAP server configuration?

  • Choose no.

DNS domain name:

  • You'll use this value again later on. I entered raptor.loc for dc=raptor,dc=loc.

Name of your organization:

  • Mine is the University of Northern Iowa.

Admin password:

  • This is resetting the password you entered earlier. If you changed your mind about it, now's a good time to switch passwords.

Database backend to use:

  • Choose BDB, for Berkeley Database. This is the preferred method.

Do you want your database to be removed when slapd is purged?

  • Keep the default of no.

Move old database?

  • Keep the default of yes.

Allow LDAPv2 protocol?

  • Since I'm reconfiguring this from scratch, I will not be using any of the old protocols. I kept the default of no.

Now it's time to start up slapd, if it isn't already running. Try ps aux | grep slapd, and if you only see your command running, it isn't running...

eyrie:~# ps aux | grep slapd
root      4792  0.0  0.0   1784   524 pts/0    R+   13:56   0:00 grep slapd

Start it with

/etc/init.d/slapd start

and then issue the above command again.
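The check above has a trap: ps aux | grep slapd always prints the grep process itself, so one line of output does not mean slapd is up, and the daemon line is only meaningful if the COMMAND column really is slapd. The following is an added example (not from the original tutorial) that decides from ps output whether a real slapd process exists and which account it runs under; the two ps samples are constructed after the ones shown above, and the real-system wrapper assumes a ps that prints the COMMAND column eleventh, as ps aux does.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: tell a real slapd process
# apart from the "grep slapd" line that ps aux | grep slapd always produces.

# Constructed sample: slapd is running (modelled on the tutorial's output).
RUNNING_SAMPLE='USER       PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME COMMAND
openldap  9741  0.0  1.0  14456  2720 ?        Ssl  08:21   0:00 /usr/sbin/slapd -g openldap -u openldap
root      9800  0.0  0.0   1784   524 pts/0    R+   08:22   0:00 grep slapd'

# Constructed sample: only the grep itself shows up, so slapd is NOT running.
NOT_RUNNING_SAMPLE='root      4792  0.0  0.0   1784   524 pts/0    R+   13:56   0:00 grep slapd'

# Return 0 if the given ps aux text contains a process whose command (field 11)
# is slapd or a path ending in /slapd; "grep slapd" has "grep" there, so it
# never counts. Return 1 otherwise.
slapd_running_in() {
    printf '%s\n' "$1" | awk '$11 ~ /(^|\/)slapd$/ { found = 1 } END { exit found ? 0 : 1 }'
}

# Print the user the first slapd process runs as. On Debian this should be the
# unprivileged openldap account (the -u openldap -g openldap flags above),
# not root; a daemon reachable from the whole cluster should not run as root.
slapd_user_in() {
    printf '%s\n' "$1" | awk '$11 ~ /(^|\/)slapd$/ { print $1; exit }'
}

# Wrappers for a live system (assume ps aux prints COMMAND as field 11).
slapd_running() { slapd_running_in "$(ps aux)"; }
slapd_user()    { slapd_user_in "$(ps aux)"; }

# Demonstration on the constructed samples.
for sample in "$RUNNING_SAMPLE" "$NOT_RUNNING_SAMPLE"; do
    if slapd_running_in "$sample"; then
        echo "slapd running as $(slapd_user_in "$sample")"
    else
        echo "slapd not running"
    fi
done
```

On a live system, slapd_running and slapd_user do the same job against the real process table; if slapd_user ever prints root, revisit the daemon's start-up flags before going further.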

migrationtools

Slapd must be running before you continue. Next, the migrationtools package will be used to take care of moving everything over from the default Unix password-based authentication to LDAP-based. After issuing the command apt-get install migrationtools, everything will be dumped into the directory /usr/share/migrationtools. Installing migrationtools will also install ldap-utils.

Moving into that directory with the command cd /usr/share/migrationtools and listing its contents will show a script for each of the files commonly used by the Linux/Unix environment that LDAP will need to integrate with. These include items like group, hosts, passwd, fstab, et cetera. The .pl files are Perl scripts; the .ph is a Perl header. The files should look something like this:

peregrine:/usr/share/migrationtools# ls
migrate_aliases.pl              migrate_group.pl
migrate_all_netinfo_offline.sh  migrate_hosts.pl
migrate_all_netinfo_online.sh   migrate_netgroup_byhost.pl
migrate_all_nis_offline.sh      migrate_netgroup_byuser.pl
migrate_all_nis_online.sh       migrate_netgroup.pl
migrate_all_nisplus_offline.sh  migrate_networks.pl
migrate_all_nisplus_online.sh   migrate_passwd.pl
migrate_all_offline.sh          migrate_profile.pl
migrate_all_online.sh           migrate_protocols.pl
migrate_automount.pl            migrate_rpc.pl
migrate_base.pl                 migrate_services.pl
migrate_common.ph               migrate_slapd_conf.pl
migrate_fstab.pl

The migrate_all files will run all the scripts, ensuring that they don't need to be run individually. migrate_all_online should be used if the LDAP system is running (which it should be, if slapd is installed), or migrate_all_offline if it is not. However, before running this script, the migrate_common.ph file should be modified.

migrate_common.ph

migrate_common.ph holds all the flags and settings that configure the scripts. Most of the defaults should be fine, with a few exceptions. PADL, the implementer of LDAP, by default inserts its own domain name in some areas if the script is not changed. A quick search in a text editor like vi or nano should help locate any instances of "padl" that need to be changed. These include (but may not be limited to):

# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "padl.com";

# Default base
$DEFAULT_BASE = "dc=padl,dc=com";

Use the URI name for the cluster, in DNS form for $DEFAULT_MAIL_DOMAIN and in X509 form for $DEFAULT_BASE. I'll use the name dc=raptor,dc=loc. These are the values I used:

  • $DEFAULT_MAIL_DOMAIN = "raptor.loc";
  • $DEFAULT_BASE = "dc=raptor,dc=loc";
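Rather than editing the two assignments by hand, the values can be derived from the DNS name alone: each label of the domain becomes one dc= component of the base DN. The following is an added example (not from the original tutorial or from migrationtools) that does that conversion, rewrites the two lines in migrate_common.ph from a temporary copy, and lists whatever still mentions padl afterwards. It assumes the file keeps the exact `$NAME = "value";` form quoted above; the demo function works on a constructed stand-in file containing only those lines.

```shell
#!/bin/sh
# Added example, not part of the original tutorial or of migrationtools:
# set $DEFAULT_MAIL_DOMAIN and $DEFAULT_BASE from the cluster's DNS domain.

# raptor.loc -> dc=raptor,dc=loc (one dc= component per DNS label).
domain_to_base_dn() {
    printf '%s\n' "$1" | awk -F. '{
        for (i = 1; i <= NF; i++) printf "%sdc=%s", (i > 1 ? "," : ""), $i
        printf "\n"
    }'
}

# Rewrite the two assignment lines in FILE for DOMAIN; every other line is
# copied through unchanged. Output goes to a temp file that is renamed over
# FILE only if awk succeeded, so a failure leaves the original intact.
set_migration_defaults() {
    file=$1
    domain=$2
    base=$(domain_to_base_dn "$domain")
    tmp="$file.tmp.$$"
    awk -v domain="$domain" -v base="$base" '
        $1 == "$DEFAULT_MAIL_DOMAIN" { $0 = "$DEFAULT_MAIL_DOMAIN = \"" domain "\";" }
        $1 == "$DEFAULT_BASE"        { $0 = "$DEFAULT_BASE = \"" base "\";" }
        { print }' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Print every line that still mentions padl (case-insensitive) with its line
# number, to catch the "not limited to" cases the tutorial warns about.
padl_remnants() {
    grep -in padl "$1"
}

# Self-contained demonstration on a constructed stand-in for migrate_common.ph
# holding only the two lines the tutorial quotes. Prints the patched file.
demo_patch() {
    dir=$(mktemp -d)
    cat > "$dir/migrate_common.ph" <<'EOF'
# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "padl.com";

# Default base
$DEFAULT_BASE = "dc=padl,dc=com";
EOF
    set_migration_defaults "$dir/migrate_common.ph" "$1"
    cat "$dir/migrate_common.ph"
    rm -r "$dir"
}

demo_patch raptor.loc
```

Against the real file, run set_migration_defaults /usr/share/migrationtools/migrate_common.ph raptor.loc (with your own domain) and then padl_remnants on the same path; any line it prints is one the tutorial's "may not be limited to" caveat refers to and should be reviewed by hand.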

migrate_all_online.sh

Now we're ready to run the setup script. Since slapd is already running, we'll use migrate_all_online.sh (otherwise, it would be migrate_all_offline.sh). Run this with the command ./migrate_all_online.sh and follow along with the prompts below:

Enter the X.500 naming context you wish to import into: [dc=raptor,dc=loc]

  • The value you entered for $DEFAULT_BASE in migrate_common.ph should be here. If not, specify it.

Enter the hostname of your LDAP server [ldap]:

  • This should be the hostname of the machine you're currently setting up as the LDAP server. I'm on the machine eyrie, so I typed eyrie.

Enter the manager DN: [cn=admin,dc=raptor,dc=loc]:

  • This is the administrative user name for LDAP. The default is fine, otherwise you can change it. Even if you keep the default, you'll need to remember the name of this account!

Enter the credentials to bind with:

  • This is the administrative account password, as entered for slapd earlier.

Do you wish to generate a DUAConfigProfile [yes|no]?

  • Type no.

After this prompt, the script should begin to go to town and finish with

/usr/bin/ldapadd: succeeded

Authentication Failure?

If you get a message about authentication failing, you need to run dpkg-reconfigure slapd (see above). If you have to cancel the script, or in other special circumstances, the script will exit with a message like this:

ldap_add: Already exists (68)
/usr/bin/ldapadd: returned non-zero exit status: saving failed LDIF to /tmp/nis.10513.ldif

To get around this, the configuration needs to be set to continue in the presence of errors. Take the temporary file specific to your system and continue running the rest of the script with this command:

ldapadd -x -c -D "<administrative account>" -f <temp file> -W

  • -x specifies to use simple binding credentials
  • -c specifies to continue the script in the presence of errors
  • -D specifies to use the following domain
  • administrative account - Mine was cn=admin,dc=raptor,dc=loc - yours should be specific to your domain, as set up earlier
  • -f means using the following file:
  • temp file - This is the file specified in the error. /tmp/nis.10513.ldif is the file specific to the system I'm running on - yours will probably be something else.
  • -W tells it to prompt for the password

After you enter this, you'll be prompted for the LDAP password again. Enter it and continue. If the script exits without an error message, you're ready to continue.
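The saved LDIF file deserves a moment of attention: it is a dump of every account the script migrated, password hashes included, so it should be treated like /etc/shadow until it is deleted. The following is an added example (not from the original tutorial) that pulls the file name out of the failure message, builds the recovery command shown above for a given manager DN, and checks whether the file is readable by anyone other than its owner. The error text is the one the tutorial quotes; the manager DN is passed in rather than assumed.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: recover from an ldapadd
# failure without leaving a readable copy of the account dump behind.

# The failure output quoted in the tutorial, used here as sample input.
SAMPLE_ERROR='ldap_add: Already exists (68)
/usr/bin/ldapadd: returned non-zero exit status: saving failed LDIF to /tmp/nis.10513.ldif'

# Print the path after "saving failed LDIF to"; print nothing if absent.
failed_ldif_path() {
    printf '%s\n' "$1" | sed -n 's/.*saving failed LDIF to \([^ ]*\).*/\1/p'
}

# Print the continue-on-errors ldapadd command for ERROR_TEXT and MANAGER_DN.
# Returns 1 if the error text names no saved LDIF file.
recovery_command() {
    path=$(failed_ldif_path "$1")
    [ -n "$path" ] || return 1
    printf 'ldapadd -x -c -D "%s" -f %s -W\n' "$2" "$path"
}

# Return 0 if FILE has its group-read or other-read bit set, 1 if only the
# owner can read it. Uses POSIX find -perm so it needs no GNU stat.
ldif_world_readable() {
    [ -n "$(find "$1" \( -perm -040 -o -perm -004 \) -print)" ]
}

# Demonstration: show the recovery command for the tutorial's admin DN, then
# run the permission check on a throwaway file with the two relevant modes.
recovery_command "$SAMPLE_ERROR" 'cn=admin,dc=raptor,dc=loc'
demo=$(mktemp)
chmod 644 "$demo"
ldif_world_readable "$demo" && echo "$demo is readable by others: tighten with chmod 600"
chmod 600 "$demo"
ldif_world_readable "$demo" || echo "$demo is owner-only"
rm -f "$demo"
```

On the real system, run ldif_world_readable on the path taken from the error before you re-run ldapadd, chmod 600 it if the check fires, and rm it once the import has finished cleanly.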

Sanity Check

At this point, everything *should* be up and running on the LDAP server. To do a sanity check, check if you can find the user information for a user already on your system. Use the line

  • ldapsearch -x uid=<an existing ID on the system>

or, for more information, do it as the root LDAP user, specifying your root user name and domain after the -D. -W specifies that you'll be prompted for the LDAP administrative password.

  • ldapsearch -x uid=<an existing ID on the system> -D "<your administrative account>" -W

I searched for kwanous. You should get results like this:

eyrie:/usr/share/migrationtools# ldapsearch -x uid=kwanous -D "cn=admin,dc=raptor,dc=loc" -W
Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: uid=kwanous
# requesting: ALL
#

# kwanous, People, raptor.loc
dn: uid=kwanous,ou=People,dc=raptor,dc=loc
uid: kwanous
cn: KWanous
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fTdVN1cxRWxCL0FtY0E=
shadowLastChange: 13689
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/kwanous
gecos: KWanous,,,

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

You can search for an existing user because the migration script put all of the current users into LDAP. You're still able to become that user (su - kwanous) like normal.
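Two details of the result above are worth checking by eye or by script. First, the userPassword line uses the double colon, which marks a base64-encoded value; decoding it shows the stored form, which for a migrated account is the {crypt} hash copied from /etc/shadow. Second, that attribute appeared because the search was bound as the admin; the plain ldapsearch -x form, with no -D, should not show userPassword at all, and if it does, anyone who can reach the server can read every hash. The following is an added example (not from the original tutorial) that extracts attributes from ldapsearch's LDIF output, decodes the base64 form, and reports which password scheme an entry carries; the two LDIF samples are constructed after the kwanous entry above, one as the admin-bound result and one as an anonymous result without the password. It assumes a coreutils-style base64 -d.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: read ldapsearch LDIF output
# and check what it reveals about a user's password.

# Constructed sample modelled on the admin-bound result in the tutorial.
ADMIN_SAMPLE='# kwanous, People, raptor.loc
dn: uid=kwanous,ou=People,dc=raptor,dc=loc
uid: kwanous
cn: KWanous
objectClass: account
objectClass: posixAccount
userPassword:: e2NyeXB0fTdVN1cxRWxCL0FtY0E=
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/kwanous

# search result
search: 2
result: 0 Success'

# Constructed sample of what an anonymous search (no -D) should return:
# the same entry with userPassword withheld.
ANON_SAMPLE='dn: uid=kwanous,ou=People,dc=raptor,dc=loc
uid: kwanous
objectClass: posixAccount
uidNumber: 1000
homeDirectory: /home/kwanous'

# Print every value of attribute NAME in LDIF text, one per line. A "::"
# separator means the value is base64; it is decoded before printing.
ldif_attr() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case $line in
            "$2:: "*) printf '%s' "${line#"$2:: "}" | base64 -d; echo ;;
            "$2: "*)  printf '%s\n' "${line#"$2: "}" ;;
        esac
    done
}

# Print the scheme prefix of the stored password ({crypt}, {SSHA}, ...),
# "none" if the entry carries no userPassword, or "unprefixed" if the value
# has no {scheme} tag, which would mean a cleartext or untagged value.
password_scheme() {
    pw=$(ldif_attr "$1" userPassword)
    case $pw in
        "")        echo none ;;
        "{"*"}"*)  printf '%s}\n' "${pw%%\}*}" ;;
        *)         echo unprefixed ;;
    esac
}

# Demonstration on the two samples.
echo "uidNumber: $(ldif_attr "$ADMIN_SAMPLE" uidNumber)"
echo "admin-bound search stores password as: $(password_scheme "$ADMIN_SAMPLE")"
echo "anonymous search stores password as:   $(password_scheme "$ANON_SAMPLE")"
```

To run the real check, capture both forms of the search from the tutorial into variables (ldapsearch -x uid=... and the -D/-W form) and feed each to password_scheme: the admin-bound one should report the {crypt} scheme, and the anonymous one should report none. Anything else for the anonymous search means the server's access rules on userPassword need tightening before clients are pointed at it.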
