# slappasswd -New password: my-password -Re-enter new password: my-password +New password: my-password +Re-enter new password: my-password {SSHA}EzP6I82DZRnW+ou6lyiXHGxSpSOw2XO4
-Now edit the LDAP Server config at
-# Include the needed data schemes below core.schema -include /etc/openldap/schema/cosine.schema -include /etc/openldap/schema/inetorgperson.schema -include /etc/openldap/schema/nis.schema - -Uncomment modulepath and hdb module -# Load dynamic backend modules: -modulepath /usr/lib/openldap/openldap -# moduleload back_shell.so -# moduleload back_relay.so -# moduleload back_perl.so -# moduleload back_passwd.so -# moduleload back_null.so -# moduleload back_monitor.so -# moduleload back_meta.so -moduleload back_hdb.so -# moduleload back_dnssrv.so +include /etc/openldap/schema/core.schema +include /etc/openldap/schema/cosine.schema +include /etc/openldap/schema/inetorgperson.schema +include /etc/openldap/schema/nis.schema +include /etc/openldap/schema/misc.schema + +pidfile /var/run/openldap/slapd.pid +argsfile /var/run/openldap/slapd.args + +serverID 0Used in case of replication +loglevel 0 -# Uncomment sample access restrictions (Note: maintain indentation!) +## Access Controls access to dn.base="" by * read access to dn.base="cn=Subschema" by * read access to * - by self write - by users read - by anonymous auth + by self write + by users read + by anonymous read +## Database definition +database hdb +suffix "dc=genfic,dc=com" +checkpoint 32 30 +rootdn "cn=Manager,dc=genfic,dc=com" +rootpw "{SSHA}EzP6I82DZRnW+ou6lyiXHGxSpSOw2XO4"# See earlier slappasswd command +directory "/var/lib/openldap-ldbm" +index objectClass eq + +## Synchronisation (pull from other LDAP server) +syncrepl rid=000 + provider=ldap://ldap2.genfic.com + type=refreshAndPersist + retry="5 5 300 +" + searchbase="dc=genfic,dc=com" + attrs="*,+" + bindmethod="simple" + binddn="cn=ldapreader.genfic.com,dc=genfic,dc=com" + credentials="ldapsyncpass" -# BDB Database definition +index entryCSN eq +index entryUUID eq -database hdb -suffix "dc=genfic,dc=com" -checkpoint 32 30 # <kbyte> <min> -rootdn "cn=Manager,dc=genfic,dc=com" -rootpw {SSHA}EzP6I82DZRnW+ou6lyiXHGxSpSOw2XO4 -directory /var/lib/openldap-ldbm 
-index objectClass eq +mirrormode TRUE + +overlay syncprov +syncprov-checkpoint 100 10
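Review bot: the ACL change in this hunk from `by anonymous auth` to `by anonymous read` on the catch-all `access to *` rule lets unauthenticated clients read every attribute in the tree, `userPassword` hashes included; keep `by anonymous auth` there, or add a dedicated `access to attrs=userPassword by self write by anonymous auth by * none` rule ahead of the catch-all. Two added lines will not parse as written: `serverID 0Used in case of replication` fuses the remark onto the value, and `rootpw "{SSHA}..."# See earlier slappasswd command` carries a trailing comment, which slapd.conf does not support (a comment must start its own line with `#`); move both remarks onto separate `#` lines. The syncrepl stanza binds with `bindmethod="simple"` to `provider=ldap://ldap2.genfic.com`, so `credentials="ldapsyncpass"` crosses the network in cleartext; use an `ldaps://` provider URL or add `starttls=yes`, and since that credential sits in slapd.conf in plaintext, say that the file must stay readable only by the ldap user. Finally, `mirrormode TRUE` requires each node to carry a distinct `serverID`, so the text should state that the second server must not copy `serverID 0` verbatim.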
@@ -223,17 +237,27 @@
-Now edit
-+ +# Note: we don't use cn=config here, so stay with this line: -OPTS="-F /etc/openldap/slapd.d -h 'ldaps:// ldap:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'" +OPTS="-h 'ldaps:// ldap:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'" +
+Finally, create the
+~# mkdir -p /var/lib/openldap-ldbm +~# chown ldap:ldap /var/lib/openldap-ldbm +~# chmod 700 /var/lib/openldap-ldbm
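Review bot: the new `OPTS` line still advertises an `ldaps://` listener, yet nothing in the slapd.conf hunk above sets `TLSCertificateFile` / `TLSCertificateKeyFile`, so that listener has no certificate to serve; either add the TLS directives before this step or drop `ldaps://` from `OPTS` until they exist. The `chmod 700 /var/lib/openldap-ldbm` is the right default because the hdb files hold every attribute, including password hashes; it would help to state that these three commands must run before the first slapd start, since the `directory` directive in the previous hunk points at this path.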
@@ -262,18 +286,153 @@
+If your environment requires high availability, then you need to setup
+replication of changes across multiple LDAP systems. Replication within OpenLDAP
+is, in this guide, set up using a specific replication account
+(
+This setup is then mirrored, allowing the secundary LDAP server to act as a +primary. Thanks to OpenLDAP's internal structure, changes are not re-applied if +they are already in the LDAP structure. +
+ + ++To setup replication, first setup a second OpenLDAP server, similarly as above. +However take care that, in the configuration file, +
+ ++Next, create the synchronisation account. We will create an LDIF file (the +format used as data input for LDAP servers) and add it to each LDAP server: +
+ ++~# slappasswd -s myreaderpassword + {SSHA}XvbdAv6rdskp9HgFaFL9YhGkJH3HSkiM + +~# cat ldapreader.ldif +dn: cn=ldapreader.genfic.com,dc=genfic,dc=com +userPassword: {SSHA}XvbdAv6rdskp9HgFaFL9YhGkJH3HSkiM +objectClass: organizationalRole +objectClass: simpleSecurityObject +cn: ldapreader.genfic.com +description: LDAP reader used for synchronization + +~# ldapadd -x -W -D "cn=Manager,dc=genfic,dc=com" -f ldapreader.ldif +Password:+ + +enter the administrative password +
+Configuring OpenLDAP for centralized administration and management of common +Linux/Unix items isn't easy, but thanks to some tools and scripts available on +the Internet, migrating a system from a single-system administrative +point-of-view towards an OpenLDAP-based, centralized managed system isn't hard +either. +
+ +
Go to
+Next, extract the tools and copy the
+~# mktemp -d +/tmp/tmp.zchomocO3Q +~# cd /tmp/tmp.zchomocO3Q +~# tar xvzf /path/to/MigrationTools.tgz +~# mv /path/to/make_master.sh MigrationTools-47 +~# cd MigrationTools-47 ++ +
+The next step now is to migrate the information of your system to OpenLDAP. The
+
+At the time of writing, the tools require the following input: +
+ +Input | +Description | +Example | +
---|---|---|
+The tool will also ask you which accounts and settings you want to migrate.
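Review bot: the reader credential in this hunk does not match the earlier configuration hunk: `slappasswd -s myreaderpassword` sets the ldapreader password to `myreaderpassword`, while the `syncrepl` stanza binds with `credentials="ldapsyncpass"`, so replication will fail at bind time unless the two are made equal. Prefer the interactive prompt (as the patch already does for `slappasswd` at the top) over `-s`, which leaves the password in shell history and the process list. The migration commands print a random directory from `mktemp -d` and then hard-code `/tmp/tmp.zchomocO3Q` in the next `cd`; write it as `cd "$(mktemp -d)"` or store the name in a variable so readers do not copy the random name literally. Minor style points: `+Password:+ + +enter the administrative password` runs the prompt and the instruction together and reads better as a prompt line followed by its own sentence, and `secundary` should be `secondary`, `setup` as a verb `set up`.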
@@ -310,7 +469,7 @@ #%PAM-1.0 auth required pam_env.so -auth sufficient pam_unix.so try_first_pass likeauth nullok +auth sufficient pam_unix.so try_first_pass likeauth nullok auth sufficient pam_ldap.so use_first_pass auth required pam_deny.so @@ -318,7 +477,7 @@ account required pam_unix.so password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 try_first_pass retry=3 -password sufficient pam_unix.so try_first_pass use_authtok nullok md5 shadow +password sufficient pam_unix.so try_first_pass use_authtok nullok md5 shadow password sufficient pam_ldap.so use_authtok use_first_pass password required pam_deny.so @@ -338,20 +497,20 @@ suffix "dc=genfic,dc=com"@@ -376,26 +535,14 @@
-To test the changes, type: -
- --# getent passwd|grep 0:0 - -- -(You should get two entries back:) -root:x:0:0:root:/root:/bin/bash -root:x:0:0:root:/root:/bin/bash -
If you noticed one of the lines you pasted into your
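Review bot: the two PAM hunks (`@@ -310,7 +469,7 @@` and `@@ -318,7 +477,7 @@`) change only whitespace on the `pam_unix.so` lines, but two options they carry over deserve a look while the lines are being touched: `nullok` on both the auth and password entries lets accounts with an empty password authenticate, and `md5` on the password entry keeps local hashes in MD5-crypt; dropping `nullok` and using `sha512` would harden the local fallback that stays active alongside `pam_ldap.so use_first_pass`. The module order itself is fine: `pam_ldap.so` follows `pam_unix.so` and `pam_deny.so` closes each stack.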
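Review bot: the last hunk (`@@ -376,26 +535,14 @@`) deletes the `getent passwd|grep 0:0` check and its expected output without replacing it, so the section no longer verifies that NSS actually consults LDAP; keep a verification step, for example `getent passwd` for an account that exists only in LDAP, which is a clearer test than matching root twice. The surviving context line `If you noticed one of the lines you pasted into your` still talks about pasted lines, so check that it does not depend on the removed block.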