/home/wpollock1/public_html/AUnixNet/LDAP/ldap-setup.txt.bak

# Fedora 11 setup of OpenLdap:

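# Install the OpenLDAP server and client packages plus the tools used later
# in these notes (migrationtools for the passwd/group import, phpldapadmin
# and gq as GUI browsers).
yum -y install openldap-clients openldap-servers nss_ldap \
               phpldapadmin openldap-servers-sql migrationtools gq
# Create the database directory for the gcaw.org suffix.  slapd's bdb
# backend looks for a DB_CONFIG file in it; an empty one is fine here.
cd /var/lib/ldap/
mkdir gcaw.org
touch gcaw.org/DB_CONFIG   # no space before DB_CONFIG: "gcaw.org/ DB_CONFIG"
                           # created ./DB_CONFIG in /var/lib/ldap instead
chown -R ldap:ldap gcaw.org  # slapd runs as ldap and must own its DB files
cd /etc/openldap
vi slapd.conf   # suffix/rootdn/directory for dc=gcaw,dc=org and the access rules
vi ldap.conf    # client defaults (BASE, URI) used by ldapsearch/ldapadd below
slaptest -uv # -v: verbose mode, -u: don't fail when the DB can't be
             # opened (it doesn't exist yet!)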

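# Send slapd's syslog output (facility local4) to its own file.  rsyslog
# writes as root and keeps the mode of an existing file, so create it with
# the wanted permissions before the first log line arrives.
vi /etc/*syslog.conf  # Add: local4.* /var/log/ldap.log
touch /var/log/ldap.log
chmod 0640 /var/log/ldap.log  # was 0644 via umask: slapd's stats logging
                              # includes bind DNs and search filters, so
                              # keep the log out of reach of other users
/etc/init.d/rsyslog restart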

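# Rotate slapd's log.  'create' mode is 0640 (was 0644) so the new file is
# not world-readable: slapd's stats logging includes bind DNs and search
# filters.  The postrotate HUP is needed because rsyslog keeps the old file
# descriptor open; without it the renamed file keeps getting the output and
# the fresh ldap.log stays empty (same scheme as the distro's own syslog
# logrotate entry; adjust the pid-file path if rsyslog uses another one).
cat > /etc/logrotate.d/ldap <<'EOF'
/var/log/ldap.log {
    missingok
    create 0640 ldap ldap
    postrotate
        /bin/kill -HUP "$(cat /var/run/syslogd.pid 2>/dev/null)" 2>/dev/null || true
    endscript
}
EOF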

# First start/stop cycle lets slapd create its database files; then hand
# them to the ldap user and start for real.
/etc/init.d/ldap start  # may generate warnings/errors, since the
                        # new files were created by root and are not
                        # writable by ldap.
/etc/init.d/ldap stop
chown ldap.ldap /var/lib/ldap/gcaw.org/*  # files created during the first start
/etc/init.d/ldap start
/etc/init.d/ldap status
chkconfig ldap on  # start slapd at boot
# Smoke test: -x simple bind, -W prompts for the cn=Manager password
# (presumably the rootdn set in slapd.conf), -b cn=monitor reads slapd's
# monitor backend (needs a 'database monitor' in slapd.conf, otherwise
# expect 'No such object').  A simple bind sends the password unencrypted;
# no -H is given, so the server comes from the URI in ldap.conf (normally
# the local host).
ldapsearch -xW -D 'cn=Manager,dc=gcaw,dc=org' -b cn=monitor

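cd
# Sample entry to load once slapd is up.  Either edit data.ldif by hand (vi)
# or create it with the here-document below -- the here-document overwrites
# the file, so do one or the other.
vi data.ldif
cat >data.ldif <<'EOF'
dn: cn=Manager,dc=gcaw,dc=org
objectClass: person
cn: Manager
sn: Manager
EOF
# Fixes to the LDIF above: "objectType" is not an LDAP attribute (ldapadd
# rejects it as undefined); the attribute is objectClass, and the 'person'
# class requires both cn and sn.  The parent entry dc=gcaw,dc=org must exist
# before this add succeeds; in these notes it is created later from
# base.ldif (migrate_base.pl), so expect 'No such object' if run first.
ldapadd -xvWf data.ldif -D 'cn=Manager,dc=gcaw,dc=org'  # -x simple bind, -v verbose,
                                                        # -W prompt for password, -f file
# Example searches.  With -x and no -D these bind anonymously, so what they
# return is governed by the access rules in slapd.conf.
ldapsearch -xb 'dc=gcaw,dc=org'
ldapsearch -x
ldapsearch -xLLL '(sn=Pollock)' cn telephoneNumber
ldapsearch -xb 'dc=gcaw,dc=org' '(objectclass=*)'
ldapsearch -LLLxb 'dc=gcaw,dc=org' '(cn=wayne*)' mail
# read an object when you know its DN:
ldapsearch -x -s base -b 'uid=euser,ou=People,dc=gcaw,dc=org' mail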

/*
The "-LLL" formats the output to be brief.
The "-x" means to skip SASL.
The "-b 'dc=gcaw,dc=org'" means to search from that base;
the default can be specified in /etc/openldap/ldap.conf.
The '(cn=wayne*)' is a search filter.
The "mail" is the attribute to fetch (plus the DN);
the default is to fetch all attributes.
*/

======================================================

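# Create a local test account.  The quotes around the comment must match:
# the original mixed " and ', which leaves the shell waiting for a closing
# quote and swallows the following lines.
useradd -c 'Ed User' -m euser
passwd euser
ssh euser@localhost  # test that new user account works.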

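# If you set these, no need to edit migrate_common.ph:
export LDAP_EXTENDED_SCHEMA=1 \
       LDAP_DEFAULT_MAIL_DOMAIN='gcaw.org' \
       LDAP_BASEDN="dc=gcaw,dc=org"
cd /usr/share/openldap/migration/
# Each script takes the input file and an optional output file.
./migrate_group.pl /etc/group ~/group.ldif
./migrate_passwd.pl /etc/passwd ~/passwd.ldif
./migrate_base.pl > ~/base.ldif   # suffix entry and the ou= containers
# passwd.ldif carries userPassword hashes for every local account
# (migrate_passwd.pl reads /etc/shadow when run as root), so don't leave
# it readable by other users of this machine.
chmod 0600 ~/passwd.ldif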

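cd
less *.ldif
# Load the migrated data in dependency order: base.ldif should hold the
# suffix and the ou=People/ou=Group containers the other entries hang under.
# -W prompts for the Manager password on each run.
for ldif in base passwd group; do
  ldapadd -xW -D 'cn=Manager,dc=gcaw,dc=org' -f "${ldif}.ldif"
done
# Back up the PAM configuration before system-config-authentication rewrites
# it.  '&&' instead of ';' so a failed cd doesn't archive the wrong directory.
cd /etc/pam.d && tar -czf ~/pam.d.tgz .
vipw # Remove euser manually from passwd, shadow, and group.
vigr
ssh euser@localhost # verify this no longer works.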

Make a copy of /etc/pam.d/*, /etc/nsswitch.conf and /etc/ldap.conf.

system-config-authentication # set to use ldap for "User Information" and "Authentication".
                             # This is the step that changes /etc/nsswitch.conf,
                             # /etc/ldap.conf and the /etc/pam.d files copied above.

ssh euser@localhost # verify this works.  euser no longer exists locally
                    # (removed with vipw/vigr), so a successful login means
                    # NSS and PAM are now resolving the account through LDAP.

Which files were changed?  Show the output of "diff -b" for each changed file.

Log in as euser, and run the passwd command to try to change the password.
What happened?
Still as euser, run this command to read root's password:
 $ ldapsearch -xLLL '(uid=root)' userPassword
What happened?

Adjust the access permissions so that only root or the user can change that
user's password, and no one (except Manager) can read any password.
Show the changes made to slapd.conf.

=====================================

Some public ldap directories:
ldap.bigfoot.com
directory.verisign.com
ldap.whowhere.com
dir.yahoo.com
ldap.itd.umich.edu (141.211.93.133?)