Attachment #133526 for bug #176075

View | Details | Raw Unified | Return to bug 176075 | Differences between
Collapse All | Expand All




<author title="Author">
  <mail link="sj7trunks@pendulus.net">Benjamin Coles</mail>
</author>

<author title="Editor">
  <mail link="swift@gentoo.org">Sven Vermeulen</mail>
</author>

<author title="Editor">
  <mail link="tseng@gentoo.org">Brandon Hale</mail>
</author>
<author title="Editor">
  <mail link="bennyc@gentoo.org">Benny Chuang</mail>
</author>
<author title="Editor">
  <mail link="nightmorph@gentoo.org">Joshua Saddler</mail>
</author>
<author title="Contributor">
  <mail link="robbat2@gentoo.org">Robin H. Johnson</mail>
</author>

<abstract>
This guide introduces the basics of LDAP and shows you how to setup

</p>

<pre caption="Install OpenLDAP">
# <i>emerge openldap</i>
# <i>chown ldap:ldap /var/lib/openldap-data /var/lib/openldap-slurp</i>
</pre>

<p>


<pre caption="/etc/openldap/slapd.conf">
<comment># Include the needed data schemes</comment>
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema

<comment># Hash the passwords with standard MD5-Crypt</comment>
password-hash {CRYPT}
password-crypt-salt-format $1$%.8s

<comment># Define SSL and TLS properties (optional)</comment>
TLSCertificateFile /etc/ssl/ldap.pem


<comment>(Further down...)</comment>

database        bdb
suffix          "dc=genfic,dc=com"
rootdn          "cn=Manager,dc=genfic,dc=com"
rootpw          <i>{MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ==</i>
directory       /var/lib/openldap-data
index           objectClass,uidNumber,gidNumber,memberUid    pres,eq
index           uid,description pres,eq,sub,approx
index           cn, pres,eq,sub
index           entryUUID pres,eq
sessionlog      100 500
checkpoint      64  5
cachesize       10000
idlcachesize    10000
sizelimit       1000

<comment>(You can get an encrypted password like above with slappasswd -h {Md5})</comment>

<comment># This is the monitoring interface for slapd</comment>
database        monitor
access to dn.subtree="cn=Monitor"
by dn.base="cn=Manager,dc=genfic,dc=com"

</pre>

<p>

TLS_REQCERT  allow
</pre>

<!-- TODO: this section needs to be completely redone without self-signing SSL
<p>
Now you will generate an SSL certificate to secure your directory.
Answer the question you receive as good as possible. When asked for your

</p>

<pre caption="Generating SSL Certificate">
# <i>cd /etc/ssl</i>
# <i>openssl req -config /etc/ssl/openssl.cnf -new -x509 -nodes -out \
ldap.pem -keyout /etc/openldap/ssl/ldap.pem -days 999999</i>
# <i>chown ldap:ldap /etc/openldap/ssl/ldap.pem</i>
</pre>
-->

<p>
Now edit <path>/etc/conf.d/slapd</path> and add the following, commenting out 

</p>

<pre caption="/etc/conf.d/slapd">
OPTS="-h 'ldap:// ldaps:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'"
</pre>

<p>

</section>
</chapter>

<!--TODO: explain how to use diradm for data migration
<chapter>
<title>Migrate Existing Data</title>
<section>
<title>Migrate User Accounts</title>
<body>

<p>
Next, we migrate the user accounts. Open 
<path>/usr/share/migrationtools/migrate_common.ph</path> and edit the 
following:
</p>

<pre caption="/usr/share/migrationtools/migrate_common.ph">
$DEFAULT_BASE = "dc=genfic,dc=com";
$EXTENDED_SCHEMA = 1;
<comment># Comment these lines out unless you have a mail schema loaded</comment>
<comment>#$DEFAULT_MAIL_DOMAIN = "genfic.com";</comment>
<comment>#$DEFAULT_MAIL_HOST = "mail.genfic.com";</comment>
</pre>

<p>
Now run the migration scripts:
</p>

<pre caption="Running the migration scripts">
# <i>export ETC_SHADOW=/etc/shadow</i>
# <i>cd /usr/share/migrationtools</i>
# <i>./migrate_base.pl > /tmp/base.ldif</i>
# <i>./migrate_group.pl /etc/group /tmp/group.ldif</i>
# <i>./migrate_hosts.pl /etc/hosts /tmp/hosts.ldif</i>
# <i>./migrate_passwd.pl /etc/passwd /tmp/passwd.ldif</i>
</pre>

<p>
This last step migrated the files above to ldif files read by LDAP. Now lets add the files to our directory:
</p>

<pre caption="Importing the data to our directory">
# <i>ldapadd -D "cn=Manager,dc=genfic,dc=com" -W -f /tmp/base.ldif</i>
# <i>ldapadd -D "cn=Manager,dc=genfic,dc=com" -W -f /tmp/group.ldif</i>
# <i>ldapadd -D "cn=Manager,dc=genfic,dc=com" -W -f /tmp/passwd.ldif</i>
# <i>ldapadd -D "cn=Manager,dc=genfic,dc=com" -W -f /tmp/hosts.ldif</i>
</pre>

<p>
If you come across an error in your ldif files, you can resume from where you
left off by using <c>ldapadd -c</c>.
</p>

</body>
</section>
</chapter>
-->

<chapter>
<title>Client Configuration</title>

Now edit <path>/etc/pam.d/system-auth</path> so it looks like the following:
</p>

<!--
Code sample needs a complete replacement with a more recent one, then the pam_ldap
lines can be added
-->
<pre caption="/etc/pam.d/system-auth">
auth    required    pam_env.so
auth    sufficient  pam_unix.so likeauth nullok shadow

session optional    pam_ldap.so
</pre>

<!--  Should work now, see #87930
<note>
If you find that login on using ssh on these system fails, try interchanging the
two <c>auth sufficient</c> lines. However, you might find that <c>su</c> and
other tools refuse to function correctly if you do.
</note>
-->

<p>
Now change <path>/etc/ldap.conf</path> to read:
</p>

<comment>#base dc=padl,dc=com</comment>

ssl start_tls
ssl on
suffix          "dc=genfic,dc=com"
<comment>#rootbinddn uid=root,ou=People,dc=genfic,dc=com</comment>

uri ldap://auth.genfic.com/
pam_password exop

ldap_version 3
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute gid
base dc=genfic,dc=com
nss_base_passwd ou=People,dc=genfic,dc=com
nss_base_shadow ou=People,dc=genfic,dc=com
nss_base_group  ou=Group,dc=genfic,dc=com


scope one
</pre>
<!-- TODO: Add time/retry numbers to the above code -->

<p>
Next, copy over the (OpenLDAP) <path>ldap.conf</path> file from the server to 
the client so the clients are aware of the LDAP environment:
</p>

<!--
TODO: add a separate /etc/openldap/ldap.conf for the server that uses ldapi
-->
<pre caption="Copying over the OpenLDAP ldap.conf">
<comment>(Substitute ldap-server with your LDAP server name)</comment>
# <i>scp ldap-server:/etc/openldap/ldap.conf /etc/openldap</i>

To test the changes, type:
</p>

<!-- TODO: REPLACE with an example showing a single pure LDAP user -->
<pre caption="Testing LDAP Auth">
# <i>getent passwd|grep 0:0</i>


root:x:0:0:root:/root:/bin/bash
</pre>

<p>
If you noticed one of the lines you pasted into your <path>/etc/ldap.conf</path>
was commented out (the <c>rootbinddn</c> line): you don't need it unless you 
want to change a user's password as superuser. In this case you need to echo 
the root password to <path>/etc/ldap.secret</path> in plaintext. This is 
<brite>DANGEROUS</brite> and should be chmoded to 600. What I do is keep that 
file blank and when I need to change someones password thats both in the ldap 
and <path>/etc/passwd</path> I put the pass in there for 10 seconds while I 
change it and remove it when I'm done.
</p>

</body>
</section>
</chapter>


</body>
</section>

</chapter>
</guide>

Return to bug 176075

Lines 8-25 Link Here

(-)ldap-howto.xml (-82 / +46 lines)
8	<author title="Author">	8	<author title="Author">
9	<mail link="sj7trunks@pendulus.net">Benjamin Coles</mail>	9	<mail link="sj7trunks@pendulus.net">Benjamin Coles</mail>
10	</author>	10	</author>
11
12	<author title="Editor">	11	<author title="Editor">
13	<mail link="swift@gentoo.org">Sven Vermeulen</mail>	12	<mail link="swift@gentoo.org">Sven Vermeulen</mail>
14	</author>	13	</author>
15
16	<author title="Editor">	14	<author title="Editor">
17	<mail link="tseng@gentoo.org">Brandon Hale</mail>	15	<mail link="tseng@gentoo.org">Brandon Hale</mail>
18	</author>	16	</author>
19	<author title="Editor">	17	<author title="Editor">
20	<mail link="bennyc@gentoo.org">Benny Chuang</mail>	18	<mail link="bennyc@gentoo.org">Benny Chuang</mail>
21	</author>	19	</author>
22		20	<author title="Editor">
		21	<mail link="nightmorph@gentoo.org">Joshua Saddler</mail>
		22	</author>
		23	<author title="Contributor">
		24	<mail link="robbat2@gentoo.org">Robin H. Johnson</mail>
		25	</author>
23		26
24	<abstract>	27	<abstract>
25	This guide introduces the basics of LDAP and shows you how to setup	28	This guide introduces the basics of LDAP and shows you how to setup
Lines 155-162 Link Here
155	</p>	158	</p>
156		159
157	<pre caption="Install OpenLDAP">	160	<pre caption="Install OpenLDAP">
158	# <i>emerge openldap pam_ldap nss_ldap migrationtools</i>	161	# <i>emerge openldap</i>
159	# <i>chown ldap:ldap /var/lib/openldap-ldbm /var/lib/openldap-data /var/lib/openldap-slurp</i>	162	# <i>chown ldap:ldap /var/lib/openldap-data /var/lib/openldap-slurp</i>
160	</pre>	163	</pre>
161		164
162	<p>	165	<p>
Lines 166-177 Link Here
166		169
167	<pre caption="/etc/openldap/slapd.conf">	170	<pre caption="/etc/openldap/slapd.conf">
168	<comment># Include the needed data schemes</comment>	171	<comment># Include the needed data schemes</comment>
		172	include /etc/openldap/schema/core.schema
169	include /etc/openldap/schema/cosine.schema	173	include /etc/openldap/schema/cosine.schema
170	include /etc/openldap/schema/inetorgperson.schema	174	include /etc/openldap/schema/inetorgperson.schema
171	include /etc/openldap/schema/nis.schema	175	include /etc/openldap/schema/nis.schema
172		176
173	<comment># Use md5 to hash the passwords</comment>	177	<comment># Hash the passwords with standard MD5-Crypt</comment>
174	password-hash {md5}	178	password-hash {CRYPT}
		179	password-crypt-salt-format $1$%.8s
175		180
176	<comment># Define SSL and TLS properties (optional)</comment>	181	<comment># Define SSL and TLS properties (optional)</comment>
177	TLSCertificateFile /etc/ssl/ldap.pem	182	TLSCertificateFile /etc/ssl/ldap.pem
Lines 180-193 Link Here
180		185
181	<comment>(Further down...)</comment>	186	<comment>(Further down...)</comment>
182		187
183	database ldbm	188	database bdb
184	suffix "dc=genfic,dc=com"	189	suffix "dc=genfic,dc=com"
185	rootdn "cn=Manager,dc=genfic,dc=com"	190	rootdn "cn=Manager,dc=genfic,dc=com"
186	rootpw <i>{MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ==</i>	191	rootpw <i>{MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ==</i>
187	directory /var/lib/openldap-ldbm	192	directory /var/lib/openldap-data
188	index objectClass eq	193	index objectClass,uidNumber,gidNumber,memberUid pres,eq
		194	index uid,description pres,eq,sub,approx
		195	index cn, pres,eq,sub
		196	index entryUUID pres,eq
		197	sessionlog 100 500
		198	checkpoint 64 5
		199	cachesize 10000
		200	idlcachesize 10000
		201	sizelimit 1000
189		202
190	<comment>(You can get an encrypted password like above with slappasswd -h {Md5})</comment>	203	<comment>(You can get an encrypted password like above with slappasswd -h {Md5})</comment>
		204
		205	<comment># This is the monitoring interface for slapd</comment>
		206	database monitor
		207	access to dn.subtree="cn=Monitor"
		208	by dn.base="cn=Manager,dc=genfic,dc=com"
		209
191	</pre>	210	</pre>
192		211
193	<p>	212	<p>
Lines 203-208 Link Here
203	TLS_REQCERT allow	222	TLS_REQCERT allow
204	</pre>	223	</pre>
205		224
		225	<!-- TODO: this section needs to be completely redone without self-signing SSL
206	<p>	226	<p>
207	Now you will generate an SSL certificate to secure your directory.	227	Now you will generate an SSL certificate to secure your directory.
208	Answer the question you receive as good as possible. When asked for your	228	Answer the question you receive as good as possible. When asked for your
Lines 212-222 Link Here
212	</p>	232	</p>
213		233
214	<pre caption="Generating SSL Certificate">	234	<pre caption="Generating SSL Certificate">
215	# <i>cd /etc/ssl</i>
216	# <i>openssl req -config /etc/ssl/openssl.cnf -new -x509 -nodes -out \
217	ldap.pem -keyout /etc/openldap/ssl/ldap.pem -days 999999</i>
218	# <i>chown ldap:ldap /etc/openldap/ssl/ldap.pem</i>
219	</pre>	235	</pre>
		236	-->
220		237
221	<p>	238	<p>
222	Now edit <path>/etc/conf.d/slapd</path> and add the following, commenting out	239	Now edit <path>/etc/conf.d/slapd</path> and add the following, commenting out
Lines 224-230 Link Here
224	</p>	241	</p>
225		242
226	<pre caption="/etc/conf.d/slapd">	243	<pre caption="/etc/conf.d/slapd">
227	OPTS="-h 'ldaps:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'"	244	OPTS="-h 'ldap:// ldaps:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'"
228	</pre>	245	</pre>
229		246
230	<p>	247	<p>
Lines 252-309 Link Here
252	</section>	269	</section>
253	</chapter>	270	</chapter>
254		271
		272	<!--TODO: explain how to use diradm for data migration
255	<chapter>	273	<chapter>
256	<title>Migrate Existing Data</title>	274	<title>Migrate Existing Data</title>
257	<section>	275	<section>
258	<title>Migrate User Accounts</title>	276	<title>Migrate User Accounts</title>
259	<body>	277	<body>
260
261	<p>
262	Next, we migrate the user accounts. Open
263	<path>/usr/share/migrationtools/migrate_common.ph</path> and edit the
264	following:
265	</p>
266
267	<pre caption="/usr/share/migrationtools/migrate_common.ph">
268	$DEFAULT_BASE = "dc=genfic,dc=com";
269	$EXTENDED_SCHEMA = 1;
270	<comment># Comment these lines out unless you have a mail schema loaded</comment>
271	<comment>#$DEFAULT_MAIL_DOMAIN = "genfic.com";</comment>
272	<comment>#$DEFAULT_MAIL_HOST = "mail.genfic.com";</comment>
273	</pre>
274
275	<p>
276	Now run the migration scripts:
277	</p>
278
279	<pre caption="Running the migration scripts">
280	# <i>export ETC_SHADOW=/etc/shadow</i>
281	# <i>cd /usr/share/migrationtools</i>
282	# <i>./migrate_base.pl > /tmp/base.ldif</i>
283	# <i>./migrate_group.pl /etc/group /tmp/group.ldif</i>
284	# <i>./migrate_hosts.pl /etc/hosts /tmp/hosts.ldif</i>
285	# <i>./migrate_passwd.pl /etc/passwd /tmp/passwd.ldif</i>
286	</pre>
287
288	<p>
289	This last step migrated the files above to ldif files read by LDAP. Now lets add the files to our directory:
290	</p>
291
292	<pre caption="Importing the data to our directory">
293	# <i>ldapadd -D "cn=Manager,dc=genfic,dc=com" -W -f /tmp/base.ldif</i>
294	# <i>ldapadd -D "cn=Manager,dc=genfic,dc=com" -W -f /tmp/group.ldif</i>
295	# <i>ldapadd -D "cn=Manager,dc=genfic,dc=com" -W -f /tmp/passwd.ldif</i>
296	# <i>ldapadd -D "cn=Manager,dc=genfic,dc=com" -W -f /tmp/hosts.ldif</i>
297	</pre>
298
299	<p>
300	If you come across an error in your ldif files, you can resume from where you
301	left off by using <c>ldapadd -c</c>.
302	</p>
303
304	</body>	278	</body>
305	</section>	279	</section>
306	</chapter>	280	</chapter>
		281	-->
307		282
308	<chapter>	283	<chapter>
309	<title>Client Configuration</title>	284	<title>Client Configuration</title>
Lines 326-331 Link Here
326	Now edit <path>/etc/pam.d/system-auth</path> so it looks like the following:	301	Now edit <path>/etc/pam.d/system-auth</path> so it looks like the following:
327	</p>	302	</p>
328		303
		304	<!--
		305	Code sample needs a complete replacement with a more recent one, then the pam_ldap
		306	lines can be added
		307	-->
329	<pre caption="/etc/pam.d/system-auth">	308	<pre caption="/etc/pam.d/system-auth">
330	auth required pam_env.so	309	auth required pam_env.so
331	auth sufficient pam_unix.so likeauth nullok shadow	310	auth sufficient pam_unix.so likeauth nullok shadow
Lines 347-360 Link Here
347	session optional pam_ldap.so	326	session optional pam_ldap.so
348	</pre>	327	</pre>
349		328
350	<!-- Should work now, see #87930
351	<note>
352	If you find that login on using ssh on these system fails, try interchanging the
353	two <c>auth sufficient</c> lines. However, you might find that <c>su</c> and
354	other tools refuse to function correctly if you do.
355	</note>
356	-->
357
358	<p>	329	<p>
359	Now change <path>/etc/ldap.conf</path> to read:	330	Now change <path>/etc/ldap.conf</path> to read:
360	</p>	331	</p>
Lines 364-380 Link Here
364	<comment>#base dc=padl,dc=com</comment>	335	<comment>#base dc=padl,dc=com</comment>
365		336
366	ssl start_tls	337	ssl start_tls
367	ssl on
368	suffix "dc=genfic,dc=com"	338	suffix "dc=genfic,dc=com"
369	<comment>#rootbinddn uid=root,ou=People,dc=genfic,dc=com</comment>	339	<comment>#rootbinddn uid=root,ou=People,dc=genfic,dc=com</comment>
370		340
371	uri ldaps://auth.genfic.com/	341	uri ldap://auth.genfic.com/
372	pam_password exop	342	pam_password exop
373		343
374	ldap_version 3	344	ldap_version 3
375	pam_filter objectclass=posixAccount	345	pam_filter objectclass=posixAccount
376	pam_login_attribute uid	346	pam_login_attribute uid
377	pam_member_attribute memberuid	347	pam_member_attribute gid
		348	base dc=genfic,dc=com
378	nss_base_passwd ou=People,dc=genfic,dc=com	349	nss_base_passwd ou=People,dc=genfic,dc=com
379	nss_base_shadow ou=People,dc=genfic,dc=com	350	nss_base_shadow ou=People,dc=genfic,dc=com
380	nss_base_group ou=Group,dc=genfic,dc=com	351	nss_base_group ou=Group,dc=genfic,dc=com
Lines 382-393 Link Here
382		353
383	scope one	354	scope one
384	</pre>	355	</pre>
		356	<!-- TODO: Add time/retry numbers to the above code -->
385		357
386	<p>	358	<p>
387	Next, copy over the (OpenLDAP) <path>ldap.conf</path> file from the server to	359	Next, copy over the (OpenLDAP) <path>ldap.conf</path> file from the server to
388	the client so the clients are aware of the LDAP environment:	360	the client so the clients are aware of the LDAP environment:
389	</p>	361	</p>
390		362
		363	<!--
		364	TODO: add a separate /etc/openldap/ldap.conf for the server that uses ldapi
		365	-->
391	<pre caption="Copying over the OpenLDAP ldap.conf">	366	<pre caption="Copying over the OpenLDAP ldap.conf">
392	<comment>(Substitute ldap-server with your LDAP server name)</comment>	367	<comment>(Substitute ldap-server with your LDAP server name)</comment>
393	# <i>scp ldap-server:/etc/openldap/ldap.conf /etc/openldap</i>	368	# <i>scp ldap-server:/etc/openldap/ldap.conf /etc/openldap</i>
Lines 408-413 Link Here
408	To test the changes, type:	383	To test the changes, type:
409	</p>	384	</p>
410		385
		386	<!-- TODO: REPLACE with an example showing a single pure LDAP user -->
411	<pre caption="Testing LDAP Auth">	387	<pre caption="Testing LDAP Auth">
412	# <i>getent passwd\|grep 0:0</i>	388	# <i>getent passwd\|grep 0:0</i>
413		389
Lines 416-432 Link Here
416	root:x:0:0:root:/root:/bin/bash	392	root:x:0:0:root:/root:/bin/bash
417	</pre>	393	</pre>
418		394
419	<p>
420	If you noticed one of the lines you pasted into your <path>/etc/ldap.conf</path>
421	was commented out (the <c>rootbinddn</c> line): you don't need it unless you
422	want to change a user's password as superuser. In this case you need to echo
423	the root password to <path>/etc/ldap.secret</path> in plaintext. This is
424	<brite>DANGEROUS</brite> and should be chmoded to 600. What I do is keep that
425	file blank and when I need to change someones password thats both in the ldap
426	and <path>/etc/passwd</path> I put the pass in there for 10 seconds while I
427	change it and remove it when I'm done.
428	</p>
429
430	</body>	395	</body>
431	</section>	396	</section>
432	</chapter>	397	</chapter>
Lines 522-527 Link Here
522		487
523	</body>	488	</body>
524	</section>	489	</section>
525
526	</chapter>	490	</chapter>
527	</guide>	491	</guide>