Configuring the LDAP Server

The first stage of the project is to correctly configure the LDAP server. To do so, you must create an LDAP database into which you import the /etc/passwd file. Take a closer look at the steps.

Create a Database Directory

Fedora LDAP defaults to putting all databases in the /var/lib/ldap directory. For the example, create a dedicated example.com directory owned by the user ldap. (The ldap user is always created during the RPM installation process.)

     [root@bigboy tmp]# mkdir /var/lib/ldap/example.com
     [root@bigboy tmp]# chown ldap:ldap /var/lib/ldap/example.com

Create an LDAP Root Password

Only the LDAP root user can create an LDAP database and import data into or export data from it. This user needs a hashed password. You can create it with the slappasswd command and use the result in the LDAP configuration file.

     [root@bigboy tmp]# slappasswd
     New password:
     Re-enter new password:
     {SSHA}v4qLq/qy01w9my60LLX9BvfNUrRhOjQZ
     [root@bigboy tmp]#
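What the {SSHA} string printed above contains, and how a server checks a password against it, as an added shell example (my own illustration of the scheme, not slappasswd's code): OpenLDAP's {SSHA} value is a SHA-1 digest of the password followed by a random salt, with the salt appended in the clear and the whole thing base64-encoded. It cannot be reversed to recover the password, which is why this string, and not the cleartext password, belongs in slapd.conf. The function names ssha_make and ssha_verify and the optional salt-file argument are assumptions of this example; it relies on sha1sum, base64, od and dd from coreutils.

```shell
#!/bin/sh
# Added example, not slappasswd's code: build and check an OpenLDAP {SSHA}
# value.  Format: "{SSHA}" + base64( SHA1(password || salt) || salt ).

# hex_to_bin : read a hex string on stdin, write the raw bytes to stdout
hex_to_bin() {
    hex=$(cat)
    while [ -n "$hex" ]; do
        byte=${hex%"${hex#??}"}      # first two hex digits
        hex=${hex#??}
        printf "\\$(printf '%03o' "$((0x$byte))")"
    done
}

# ssha_make PASSWORD [SALTFILE] : print a {SSHA} hash.  Without SALTFILE a
# fresh 4-byte random salt is drawn (slappasswd also uses a 4-byte salt by
# default, as the 32-character base64 string above shows: 20 + 4 bytes).
ssha_make() {
    pw=$1
    salt=$(mktemp)
    if [ -n "${2:-}" ]; then
        cat "$2" > "$salt"
    else
        dd if=/dev/urandom bs=4 count=1 2>/dev/null > "$salt"
    fi
    digest_hex=$( { printf '%s' "$pw"; cat "$salt"; } | sha1sum | cut -c1-40 )
    b64=$( { printf '%s' "$digest_hex" | hex_to_bin; cat "$salt"; } | base64 | tr -d '\n' )
    rm -f "$salt"
    printf '{SSHA}%s\n' "$b64"
}

# ssha_verify PASSWORD HASH : exit 0 if PASSWORD matches HASH, 1 otherwise.
# The salt is everything after the 20-byte SHA-1 digest, so any salt length
# a server may have used works here.
ssha_verify() {
    pw=$1
    stored=${2#"{SSHA}"}
    raw=$(mktemp); salt=$(mktemp)
    printf '%s' "$stored" | base64 -d > "$raw"
    stored_hex=$(dd if="$raw" bs=20 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    tail -c +21 "$raw" > "$salt"
    calc_hex=$( { printf '%s' "$pw"; cat "$salt"; } | sha1sum | cut -c1-40 )
    rm -f "$raw" "$salt"
    [ "$calc_hex" = "$stored_hex" ]
}

# demonstration with a constructed password: hash it, then check it
demo_hash=$(ssha_make 'ExamplePassw0rd')
echo "$demo_hash"
ssha_verify 'ExamplePassw0rd' "$demo_hash" && echo "verified"
```

ssha_verify follows the same steps a server does: decode, split off the 20-byte digest, recompute SHA-1 over password plus salt, compare. Because the format is the same, a value produced by slappasswd verifies with it as well, which is a quick way to confirm that the rootpw line you pasted into slapd.conf really matches the password you remember.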

Edit the slapd.conf File

The main LDAP server configuration file is the /etc/openldap/slapd.conf file. Update it with:

  • A database of the default type ldbm using the domain suffix example.com made up of domain components (DCs) example and com.

  • The root user with a common name (CN), or nickname, of Manager who, as expected, is part of the example and com DCs.

  • The encrypted version of the LDAP root password as well as the location of the LDAP database.

The configuration file syntax to do this is:

     database       ldbm
     suffix         "dc=example,dc=com"
     rootdn         "cn=Manager,dc=example,dc=com"
     rootpw         {SSHA}v4qLq/qy01w9my60LLX9BvfNUrRhOjQZ
     directory      /var/lib/ldap/example.com

Start the ldap Daemon

The service command uses the options start, stop, and restart to control the LDAP server's operation. Use the start option to load the contents of the slapd.conf file:

     [root@bigboy tmp]# service ldap start
       Starting slapd:  [ OK  ]
     [root@bigboy tmp]#

Convert the /etc/passwd File to LDIF Format

The data in the server's /etc/passwd file now needs to be converted to LDAP Data Interchange Format (LDIF) before it can be imported into the LDAP database. You don't need to import all of the usernames, just the ones you need.

Create the ldapuser Test Account

To create the ldapuser account you'll use for testing, type the commands:

     [root@bigboy tmp]# useradd -g users ldapuser
     [root@bigboy tmp]# passwd ldapuser
     Changing password for user ldapuser.
     New password:
     Retype new password:
     passwd: all authentication tokens updated successfully.
     [root@bigboy tmp]#

Extract the Desired Records from /etc/passwd

You need to extract the ldapuser record from the /etc/passwd file using the grep command and redirect the output with the > character into the /etc/openldap/passwd.ldapusers file (> creates the file, overwriting any existing contents; >> would append to it):

     [root@bigboy tmp]# grep ldapuser /etc/passwd > \
         /etc/openldap/passwd.ldapusers
     [root@bigboy tmp]#

If this is your first time creating the LDAP database, you will also want to extract the information for the Linux root account from the /etc/passwd file to a brand new file called /etc/openldap/passwd.root:

     [root@bigboy tmp]# grep root /etc/passwd > \
         /etc/openldap/passwd.root
     [root@bigboy tmp]#

Find the Conversion Script

The /etc/passwd conversion program is called migrate_passwd.pl; you can find it using the locate command. The locate utility updates its database every night and may not be able to find newly installed files. You can use the locate -u command to do the update ahead of schedule.

     [root@bigboy tmp]# locate -u
     [root@bigboy tmp]# locate migrate
     ...
     /usr/share/openldap/migration/migrate_passwd.pl
     ...
     [root@bigboy tmp]#

Convert the .ldapuser File

You now need to convert the extracted /etc/passwd data into LDIF files that will then be imported into the database. Give the file used by regular users the name /etc/openldap/ldapusers.ldif and the one for the root user the name /etc/openldap/root.ldif:

     [root@bigboy tmp]# /usr/share/openldap/migration/migrate_passwd.pl \
     /etc/openldap/passwd.ldapusers /etc/openldap/ldapusers.ldif
     [root@bigboy tmp]#

     [root@bigboy tmp]# /usr/share/openldap/migration/migrate_passwd.pl \
     /etc/openldap/passwd.root /etc/openldap/root.ldif
     [root@bigboy tmp]#

Modify the LDIF Files

With your two new LDIF files, the next step is to import this data into the LDAP database. To prepare for this, you must do some editing and create a new LDIF file that defines the organizational unit.

Edit the User LDIF File

The Fedora migrate_passwd.pl script creates users that are all part of the organizational unit called People, but everyone belongs to the padl.com domain. You now have to edit both LDIF files and convert the string "padl" to "example" in each record. A text editor is fine for the job. For example, at the vi editor's : prompt, use the command

     %s/padl/example/g

to perform a global substitution of example for padl.

In the slapd.conf file, you gave the root user a common name (CN) of Manager. You now have to add this information to the root LDIF file by inserting this line under the UID line in the file:

     cn: Manager
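The extraction, domain-substitution and cn: Manager steps above, as an added shell example (my own helpers, not migrate_passwd.pl and not code from the original page). The sample /etc/passwd lines and the sample migrate-style LDIF are constructed for the example; the function names extract_passwd_entry, fix_ldif_domain, add_manager_cn and count_entries are assumptions. The extraction helper matches the username field exactly, which avoids a pitfall of the plain grep used above: `grep root /etc/passwd` also returns any other account whose line merely contains the string "root" (an operator account with home directory /root, for instance).

```shell
#!/bin/sh
# Added example, not migrate_passwd.pl: shell helpers for the /etc/passwd
# extraction and LDIF editing steps of this procedure.

# Constructed /etc/passwd sample (not from a real host).  A plain
# `grep root` would also match the operator line because its home is /root.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
operator:x:11:0:operator:/root:/sbin/nologin
ldapuser:x:500:100::/home/ldapuser:/bin/bash'

# Constructed LDIF record in the shape migrate_passwd.pl produces,
# still carrying the padl.com suffix that has to be replaced.
SAMPLE_ROOT_LDIF='dn: uid=root,ou=People,dc=padl,dc=com
uid: root
cn: root
objectClass: account
objectClass: posixAccount
objectClass: top
userPassword: {crypt}x
loginShell: /bin/bash
uidNumber: 0
gidNumber: 0
homeDirectory: /root'

# extract_passwd_entry USER < passwd : print only the lines whose first
# colon-separated field is exactly USER (grep USER matches anywhere on the line).
extract_passwd_entry() {
    awk -F: -v u="$1" '$1 == u'
}

# fix_ldif_domain OLD_SUFFIX NEW_SUFFIX < ldif : the :%s/padl/example/g step,
# restricted to the suffix so that no unrelated text is touched.
# (The suffixes are used as sed patterns; keep them free of sed metacharacters.)
fix_ldif_domain() {
    sed "s/$1/$2/g"
}

# add_manager_cn < ldif : insert "cn: Manager" under the "uid: root" line,
# as the text asks for the root LDIF file.
add_manager_cn() {
    awk '{ print } $0 == "uid: root" { print "cn: Manager" }'
}

# count_entries < ldif : number of records (dn: lines) in an LDIF stream,
# a quick sanity check before ldapadd.
count_entries() {
    grep -c '^dn: '
}

# demonstration on the constructed samples
printf '%s\n' "$SAMPLE_PASSWD" | extract_passwd_entry root
printf '%s\n' "$SAMPLE_ROOT_LDIF" \
    | fix_ldif_domain 'dc=padl,dc=com' 'dc=example,dc=com' \
    | add_manager_cn
```

On a real host the same helpers run against the live file, for example `extract_passwd_entry ldapuser < /etc/passwd > /etc/openldap/passwd.ldapusers`, and the fix-up pipeline reads the generated root.ldif and writes a corrected copy; check with count_entries that the corrected file still holds the number of records you expect before importing it.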

Create an LDIF File for the example.com Domain

The LDIF files you created from /etc/passwd referred to users only. The attributes of the example.com domain haven't yet been defined, and you also haven't defined the organizational unit called People. This can be done using a third LDIF file called /etc/openldap/example.com.ldif, which should look like this:

     dn: dc=example,dc=com
     dc: example
     description: Root LDAP entry for example.com
     objectClass: dcObject
     objectClass: organizationalUnit
     ou: rootobject

     dn: ou=People, dc=example,dc=com
     ou: People
     description: All people in organisation
     objectClass: organizationalUnit

Import the LDIF Files into the Database

Use the ldapadd command to import all three LDIF files into the database, starting with the example.com.ldif file, followed by root.ldif, and lastly ldapusers.ldif.

Enter the LDAP root password you created when you are prompted:

     [root@bigboy tmp]# ldapadd -x -D "cn=Manager,dc=example,dc=com" \
           -W -f /etc/openldap/example.com.ldif
     [root@bigboy tmp]# ldapadd -x -D "cn=Manager,dc=example,dc=com" \
           -W -f /etc/openldap/root.ldif
     [root@bigboy tmp]# ldapadd -x -D "cn=Manager,dc=example,dc=com" \
           -W -f /etc/openldap/ldapusers.ldif
     [root@bigboy tmp]#

Test the LDAP Database

You can view all the LDAP database entries at once with the ldapsearch command; this is a good test to make sure the server and the imported data are working correctly:

     [root@bigboy tmp]# ldapsearch -x -b 'dc=example,dc=com' \
         '(objectclass=*)'
     [root@bigboy tmp]#