ldap-setup.txt
# Fedora 11 setup of OpenLdap:

yum -y install openldap-clients openldap-servers nss_ldap \
    phpldapadmin openldap-servers-sql migrationtools gq
cd /var/lib/ldap/
mkdir gcaw.org
touch gcaw.org/DB_CONFIG
chown -R ldap.ldap gcaw.org
cd /etc/openldap
vi slapd.conf
vi ldap.conf
slaptest -uv    # -v: verbose mode, -u: don't fail when the DB can't be
                # opened (it doesn't exist yet!)

vi /etc/*syslog.conf    # Add: local4.* /var/log/ldap.log
touch /var/log/ldap.log
/etc/init.d/rsyslog restart

cat > /etc/logrotate.d/ldap <<'EOF'
/var/log/ldap.log {
    missingok
    create 0644 ldap ldap
}
EOF

/etc/init.d/ldap start    # may generate warnings/errors, since the
                          # new files were created by root and are not
                          # writable by ldap.
/etc/init.d/ldap stop
chown ldap.ldap /var/lib/ldap/gcaw.org/*
/etc/init.d/ldap start
/etc/init.d/ldap status
chkconfig ldap on
ldapsearch -xW -D 'cn=Manager,dc=gcaw,dc=org' -b cn=monitor

cd
vi data.ldif
cat >data.ldif <<'EOF'
dn: cn=Manager,dc=gcaw,dc=org
objectClass: person
# the person object class requires both cn and sn
cn: Manager
sn: Manager
EOF
ldapadd -xvWf data.ldif -D 'cn=Manager,dc=gcaw,dc=org'
ldapsearch -xb 'dc=gcaw,dc=org'
ldapsearch -x
ldapsearch -xLLL '(sn=Pollock)' cn telephoneNumber
ldapsearch -xb 'dc=gcaw,dc=org' '(objectclass=*)'
ldapsearch -LLLxb 'dc=gcaw,dc=org' '(cn=wayne*)' mail
# read an object when you know its DN:
ldapsearch -x -s base -b 'uid=euser,ou=People,dc=gcaw,dc=org' mail

/*
The "-LLL" formats the output to be brief.
The "-x" means to skip SASL.
The "-b 'dc=gcaw,dc=org'" means to search from that base;
the default can be specified in /etc/openldap/ldap.conf.
The '(cn=wayne*)' is a search filter.
The "mail" is the attribute to fetch (plus the DN);
the default is to fetch all attributes.
*/

======================================================

useradd -c "Ed User" -m euser
passwd euser
ssh euser@localhost    # test that the new user account works.

# If you set these, no need to edit migrate_common.ph:
export LDAP_EXTENDED_SCHEMA=1 \
       LDAP_DEFAULT_MAIL_DOMAIN='gcaw.org' \
       LDAP_BASEDN="dc=gcaw,dc=org"
cd /usr/share/openldap/migration/
./migrate_group.pl /etc/group ~/group.ldif
./migrate_passwd.pl /etc/passwd ~/passwd.ldif
./migrate_base.pl > ~/base.ldif

cd
less *.ldif
ldapadd -xW -D 'cn=Manager,dc=gcaw,dc=org' -f base.ldif
ldapadd -xW -D 'cn=Manager,dc=gcaw,dc=org' -f passwd.ldif
ldapadd -xW -D 'cn=Manager,dc=gcaw,dc=org' -f group.ldif
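Before running those three ldapadd commands it is worth checking what migrate_passwd.pl produced, since whatever is in passwd.ldif becomes readable to anyone the slapd ACLs allow. The following is an added example, not part of this handout or of the migrationtools package: it parses LDIF the way ldapadd reads it (continuation lines, base64 "::" values) and flags entries that carry a cleartext userPassword or no objectClass. The LDIF sample is constructed; the attribute names are those migrate_passwd.pl emits.

```python
import base64
import re

# Constructed sample in the shape migrate_passwd.pl emits; euser is deliberately bad.
SAMPLE_LDIF = """\
dn: uid=root,ou=People,dc=gcaw,dc=org
objectClass: posixAccount
userPassword: {crypt}$6$saltsalt$FAKEHASHFORTHEDEMO

dn: uid=euser,ou=People,dc=gcaw,dc=org
cn:: RWQgVXNlcg==
description: Test account created
  for the LDAP lab
userPassword: secret123
"""

# Values slapd stores already hashed carry a {scheme} prefix; anything else is cleartext.
HASHED = re.compile(r"^\{(crypt|ssha|sha|smd5|md5)\}", re.I)


def parse_ldif(text):
    """Parse LDIF into a list of {attr: [values]} dicts, one per entry."""
    lines = []
    for raw in text.splitlines():        # a leading space continues the previous line
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:            # trailing "" flushes the last entry
        if not line:                     # a blank line ends an entry
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):        # "attr:: <base64>" carries an encoded value
            value = base64.b64decode(value[1:].strip()).decode()
        current.setdefault(attr.lower(), []).append(value.strip())
    return entries


def audit(entries):
    # Returns (dn, problem) pairs; anything listed should stop the ldapadd.
    findings = []
    for e in entries:
        dn = e.get("dn", ["<no dn>"])[0]
        if "objectclass" not in e:
            findings.append((dn, "no objectClass, slapd will reject the entry"))
        for pw in e.get("userpassword", []):
            if not HASHED.match(pw):
                findings.append((dn, "cleartext userPassword"))
    return findings
```

Run it against ~/passwd.ldif by reading the file into parse_ldif() instead of SAMPLE_LDIF; an empty result from audit() means the import can proceed.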

cd /etc/pam.d; tar -czf ~/pam.d.tgz .
vipw    # Remove euser manually from passwd, shadow, and group.
vigr
ssh euser@localhost    # verify this no longer works.

Make a copy of /etc/pam.d/* and /etc/nsswitch.conf and /etc/ldap.conf

system-config-authentication    # set to use ldap for "User Information" and "Authentication".

ssh euser@localhost    # verify this works.

What files were changed? Show the output of "diff -b" for each changed file.

Log in as euser, and run the passwd command to try to change the password.
What happened?
Still as euser, run this command to read root's password:
$ ldapsearch -xLLL '(uid=root)' userPassword
What happened?

Adjust the access controls so that only root or the user can change that
user's password, and no one except Manager can read any password.
Show the changes made to slapd.conf.

=====================================

Some public ldap directories:
ldap.bigfoot.com
directory.verisign.com
ldap.whowhere.com
dir.yahoo.com
ldap.itd.umich.edu (141.211.93.133?)