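# Fedora 11 setup of OpenLDAP (lab notes; every step runs as root).
# Assumes the directory suffix is dc=gcaw,dc=org and the rootdn is
# cn=Manager,dc=gcaw,dc=org, as configured in /etc/openldap/slapd.conf.
yum -y install openldap-clients openldap-servers nss_ldap \
  phpldapadmin openldap-servers-sql migrationtools gq

# Create the database directory for the new suffix.
cd /var/lib/ldap/
mkdir gcaw.org
touch gcaw.org/DB_CONFIG          # BerkeleyDB tuning file; an empty one is fine here
chown -R ldap:ldap gcaw.org

cd /etc/openldap
vi slapd.conf
vi ldap.conf
# -v: verbose mode, -u: don't fail when the DB can't be opened (it doesn't exist yet).
slaptest -uv

# Send slapd's log (syslog facility local4) to its own file.
vi /etc/*syslog.conf              # Add:  local4.*   /var/log/ldap.log
touch /var/log/ldap.log
/etc/init.d/rsyslog restart
cat > /etc/logrotate.d/ldap <<'EOF'
/var/log/ldap.log {
    missingok
    create 0644 ldap ldap
}
EOF
# NOTE(review): this log records bind DNs and search filters; a 0640 mode
# (or a group limited to admins) would keep it from being world-readable.

# The first start creates the DB files as root, so it may print warnings or
# errors (the files are not writable by the ldap user). Fix ownership, restart.
/etc/init.d/ldap start
/etc/init.d/ldap stop
chown ldap:ldap /var/lib/ldap/gcaw.org/*
/etc/init.d/ldap start
/etc/init.d/ldap status
chkconfig ldap on

# Sanity check: bind as the rootdn and read the monitor backend.
# -x -W is a simple bind: the Manager password crosses the wire in the clear
# unless the session is TLS-protected (ldaps:// or -ZZ); acceptable on localhost.
ldapsearch -xW -D 'cn=Manager,dc=gcaw,dc=org' -b cn=monitor

# Create an entry for the Manager. The attribute is objectClass (not objectType),
# and the 'person' class requires both cn and sn, so the add would otherwise be
# rejected by schema checking.
# NOTE(review): the parent entry dc=gcaw,dc=org must already exist or this add
# fails with "no such object"; base.ldif from migrate_base.pl (below) creates it.
cd
cat >data.ldif <<'EOF'
dn: cn=Manager,dc=gcaw,dc=org
objectClass: person
cn: Manager
sn: Manager
EOF
ldapadd -xvWf data.ldif -D 'cn=Manager,dc=gcaw,dc=org'

# Query examples.
ldapsearch -xb 'dc=gcaw,dc=org'
ldapsearch -x
ldapsearch -xLLL '(sn=Pollock)' cn telephoneNumber
ldapsearch -xb 'dc=gcaw,dc=org' '(objectclass=*)'
ldapsearch -LLLxb 'dc=gcaw,dc=org' '(cn=wayne*)' mail
# Read an object when you know its DN:
ldapsearch -x -s base -b 'uid=euser,ou=People,dc=gcaw,dc=org' mail
# "-LLL" formats the output to be brief.  "-x" means simple authentication
# (skip SASL).  "-b 'dc=gcaw,dc=org'" searches from that base; the default can
# be set in /etc/openldap/ldap.conf.  '(cn=wayne*)' is a search filter.
# "mail" is the attribute to fetch (plus the DN); the default is all attributes.

# ======================================================
# Create a local test account (the quotes around the GECOS comment must match).
useradd -c 'Ed User' -m euser
passwd euser
ssh euser@localhost               # test that the new user account works.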
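# If you set these, there is no need to edit migrate_common.ph:
export LDAP_EXTENDED_SCHEMA=1 \
  LDAP_DEFAULT_MAIL_DOMAIN='gcaw.org' \
  LDAP_BASEDN="dc=gcaw,dc=org"
cd /usr/share/openldap/migration/
./migrate_group.pl /etc/group ~/group.ldif
./migrate_passwd.pl /etc/passwd ~/passwd.ldif
./migrate_base.pl > ~/base.ldif
cd
# NOTE(review): run as root, passwd.ldif carries the userPassword hashes taken
# from /etc/shadow; keep it mode 0600 and remove it once it has been loaded.
less *.ldif
# Load the base (suffix and OUs) before the entries that live under it.
ldapadd -xW -D 'cn=Manager,dc=gcaw,dc=org' -f base.ldif
ldapadd -xW -D 'cn=Manager,dc=gcaw,dc=org' -f passwd.ldif
ldapadd -xW -D 'cn=Manager,dc=gcaw,dc=org' -f group.ldif

# Back up PAM config before the authentication tool rewrites it
# (-C avoids a separate 'cd' that, on failure, would leave tar archiving cwd).
tar -czf ~/pam.d.tgz -C /etc/pam.d .

vipw                              # Remove euser manually from passwd, shadow, ...
vigr                              # ... and group.
ssh euser@localhost               # verify this no longer works.

# Make a copy of /etc/pam.d/* (done above), /etc/nsswitch.conf and /etc/ldap.conf.
cp -p /etc/nsswitch.conf /etc/ldap.conf ~/
system-config-authentication      # set "User Information" and "Authentication" to use LDAP.
ssh euser@localhost               # verify this works (now authenticating via LDAP).

# Lab questions:
# - Which files were changed?  Show the output of "diff -b" for each changed file.
# - Log in as euser and run the passwd command to try to change the password.
#   What happened?
# - Still as euser, run this command to read root's password entry:
#     ldapsearch -xLLL '(uid=root)' userPassword
#   What happened?
# - Adjust the access permissions so that only root or the user may change that
#   user's password, and no one (except Manager) can read any password.
#   Show the changes made to slapd.conf.
#   (Hint: the 'access to attrs=userPassword ...' directives govern this.)

# =====================================
# Some public LDAP directories:
#   ldap.bigfoot.com
#   directory.verisign.com
#   ldap.whowhere.com
#   dir.yahoo.com
#   ldap.itd.umich.edu (141.211.93.133?)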