ldap-setup.txt


  1: # Fedora 11 setup of OpenLDAP:
  2: 
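  3: yum -y install openldap-clients openldap-servers nss_ldap \
  4:                phpldapadmin openldap-servers-sql migrationtools gq
     # (server, client tools, the NSS module, a web UI and the
     # passwd/group migration scripts)
  5: cd /var/lib/ldap/
     # One directory per suffix; the "directory" line written into
     # slapd.conf below must point at it.
  6: mkdir gcaw.org
     # DB_CONFIG belongs *inside* the database directory -- no space after
     # the slash, or it lands in /var/lib/ldap and the directory stays
     # without one.  An empty file works; a tuned DB_CONFIG (OpenLDAP ships
     # an example) is a better starting point -- TODO confirm its path.
  7: touch gcaw.org/DB_CONFIG
     # "owner:group" is the documented chown separator; "owner.group" is
     # only accepted for compatibility.
  8: chown -R ldap:ldap gcaw.org
  9: cd /etc/openldap
     # slapd.conf carries the suffix, rootdn and rootpw: store rootpw as a
     # slappasswd hash rather than clear text, and keep the file readable
     # only by root and the ldap account.
 10: vi slapd.conf
 11: vi ldap.conf
 12: slaptest -uv # -v: verbose mode, -u: don't fail when DB can't be
 13:              # opened (which doesn't exist yet!)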
 14: 
 15: vi /etc/*syslog.conf  # Add: local4.* /var/log/ldap.log
     # slapd logs to the LOCAL4 syslog facility by default; giving it its own
     # file keeps bind failures and startup errors easy to find.
 16: touch /var/log/ldap.log
 17: /etc/init.d/rsyslog restart
 18: 
 19: cat > /etc/logrotate.d/ldap <<'EOF'
 20: /var/log/ldap.log {
 21:     missingok
 22:     create 0644 ldap ldap
 23: }
 24: EOF
     # "missingok" keeps logrotate quiet while the file is absent; "create"
     # recreates it after rotation with the given mode and owner.
     # NOTE(review): 0644 leaves the log world-readable, and at slapd's
     # default "stats" loglevel it records bind DNs and search filters --
     # 0640 may be the better choice; confirm what the lab wants.
 25: 
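 26: /etc/init.d/ldap start  # may generate warnings/errors, since the
 27:                         # new files were created by root and are not
 28:                         # writable by ldap.
 29: /etc/init.d/ldap stop
     # Hand the whole database directory to the slapd account; -R also
     # covers whatever the first start created inside it.
 30: chown -R ldap:ldap /var/lib/ldap/gcaw.org
 31: /etc/init.d/ldap start
 32: /etc/init.d/ldap status
     # start slapd at boot
 33: chkconfig ldap on
     # Smoke test as the rootdn.  -W prompts for the password so it never
     # appears on the command line (shell history, ps).  cn=monitor only
     # answers when slapd.conf defines the monitor database -- TODO confirm
     # the config edited above includes one.
 34: ldapsearch -x -W -D 'cn=Manager,dc=gcaw,dc=org' -b 'cn=monitor'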
 35: 
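 36: cd
     # Either write data.ldif by hand here or let the heredoc below create
     # it (the heredoc overwrites whatever was typed in vi).
 37: vi data.ldif
     # LDIF uses "objectClass", not "objectType", and "person" requires both
     # cn and sn.  NOTE(review): ldapadd needs the parent entry
     # dc=gcaw,dc=org to exist already; it is only created from base.ldif
     # further down, so confirm the intended order.
 38: cat >data.ldif <<'EOF'
 39: dn: cn=Manager,dc=gcaw,dc=org
 40: objectClass: person
 41: cn: Manager
     sn: Manager
 42: EOF
     # -x simple bind, -v verbose, -W prompt for the Manager password,
     # -f read the entry from the file.
 43: ldapadd -xvWf data.ldif -D 'cn=Manager,dc=gcaw,dc=org'
 44: ldapsearch -xb 'dc=gcaw,dc=org'
     # with no -b the default base comes from /etc/openldap/ldap.conf
 45: ldapsearch -x
 46: ldapsearch -xLLL '(sn=Pollock)' cn telephoneNumber
 47: ldapsearch -xb 'dc=gcaw,dc=org' '(objectclass=*)'
 48: ldapsearch -LLLxb 'dc=gcaw,dc=org' '(cn=wayne*)' mail
 49: # read an object when you know its DN:
 50: ldapsearch -x -s base -b 'uid=euser,ou=People,dc=gcaw,dc=org' mail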
 51: 
 52: /*
 53: The "-LLL" formats the output to be brief.
 54: The "-x" means to skip SASL.
 55: The "-b 'dc=gcaw,dc=org'" means to search from that base;
 56: the default can be specified in /etc/openldap/ldap.conf.
 57: The '(cn=wayne*)' is a search filter.
 58: The "mail" is the attribute to fetch (plus the DN);
 59: the default is to fetch all attributes.
 60: */
 61: 
 62: ======================================================
 63: 
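 64: useradd -c "Ed User" -m euser
     # A plain local (files) account.  It is migrated into LDAP below and
     # removed from the local files, so the later ssh test proves that
     # login really goes through the directory.
 65: passwd euser
 66: ssh euser@localhost  # test that new user account works.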
 67: 
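 68: # If you set these, no need to edit migrate_common.ph:
 69: export LDAP_EXTENDED_SCHEMA=1 \
 70:        LDAP_DEFAULT_MAIL_DOMAIN='gcaw.org' \
 71:        LDAP_BASEDN="dc=gcaw,dc=org"
 72: cd /usr/share/openldap/migration/
     # passwd.ldif carries the userPassword hashes the script takes from
     # /etc/shadow when run as root (TODO confirm for this release), so
     # create the output files readable by the owner only.
     umask 077
 73: ./migrate_group.pl /etc/group ~/group.ldif
 74: ./migrate_passwd.pl /etc/passwd ~/passwd.ldif
 75: ./migrate_base.pl > ~/base.ldif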
 76: 
 77: cd
     # Eyeball the generated entries before loading them.
 78: less *.ldif
     # Same bind DN for every load; -W prompts for the Manager password.
     # base.ldif goes first because the user and group entries hang under
     # the containers it creates.
     rootdn='cn=Manager,dc=gcaw,dc=org'
 79: ldapadd -x -W -D "$rootdn" -f base.ldif
 80: ldapadd -x -W -D "$rootdn" -f passwd.ldif
 81: ldapadd -x -W -D "$rootdn" -f group.ldif
 82: 
 83: cd /etc/pam.d; tar -czf ~/pam.d.tgz .
     # Snapshot the PAM config so the changes system-config-authentication
     # makes below can be diffed afterwards.
     # vipw edits /etc/passwd (and usually offers /etc/shadow next; "vipw -s"
     # edits shadow directly), vigr edits /etc/group -- take euser out of all
     # three so the only remaining copy is the one in LDAP.
 84: vipw # Remove euser manually from passwd, shadow, and group.
 85: vigr
     # No local account and LDAP not yet enabled for auth: the login must fail.
 86: ssh euser@localhost # verify this no longer works.
 87: 
 88: Make a copy of /etc/pam.d/* and /etc/nsswitch.conf and /etc/ldap.conf
 89: 
 90: system-config-authentication # set to use ldap for "User Information" and "Authentication".
     # "User Information" switches NSS (getpwnam etc.) to LDAP, "Authentication"
     # switches PAM.  NOTE(review): with simple binds the user's password is
     # sent to the server in clear text unless TLS is enabled here as well --
     # confirm the setting the lab intends.
 91: 
 92: ssh euser@localhost # verify this works.
     # euser now exists only in LDAP, so a successful login proves both NSS
     # and PAM are consulting the directory.
 93: 
 94: What files were changed?  Show the output of "diff -b" for each changed file.
 95: 
 96: Log in as euser, and run the passwd command to try to change the password.
 97: What happened?
 98: Still as euser, run this command to read root's password:
 99:  $ ldapsearch -xLLL '(uid=root)' userPassword
100: What happened?
101: 
 102: Adjust the access permissions so that only root or the user may
 103: change that user's password, and no one (except Manager) can read any password.
104: Show the changes made to slapd.conf.
105: 
106: =====================================
107: 
108: Some public ldap directories:
109: ldap.bigfoot.com
110: directory.verisign.com
111: ldap.whowhere.com
112: dir.yahoo.com
113: ldap.itd.umich.edu (141.211.93.133?)