14:15, 10 May 2010
==Install prerequisites==
<div style="text-align: left; border: 1px solid #A3B1BF; padding: .5em 1em; color: #000; background-color: #E6F2FF; margin: 3px 3px 1em 3px;">
yum -y install openldap openldap-servers openldap-clients migrationtools
</div>
==Update slapd.conf==
<div style="text-align: left; border: 1px solid #A3B1BF; padding: .5em 1em; color: #000; background-color: #E6F2FF; margin: 3px 3px 1em 3px;">
# Amahi keeps the HDA domain in its own MySQL database; -N drops the column header from the result.<br/>
DOMAIN=$(mysql -N -u amahihda -pAmahiHDARulez -e "select value from settings where name = 'domain'" hda_production)<br/>
# Turn home.example.com into dc=home,dc=example,dc=com<br/>
SUFFIX="dc=$(echo "$DOMAIN" | sed 's/\./,dc=/g')"<br/>
<br/>
cd /etc/openldap<br/>
<br/>
mv slapd.conf.bak slapd.conf<br/>
# Cut the file just before the "database monitor" section. An "access to" directive applies to the most<br/>
# recently defined database, so ACLs appended after a leftover "database monitor" line would attach to the<br/>
# monitor backend and leave the bdb suffix with the default "access to * by * read" (userPassword included).<br/>
POS=`grep -n "^database[[:space:]]*monitor" slapd.conf | awk -F':' '{print $1}'`<br/>
[ -n "$POS" ] || echo "database monitor not found in slapd.conf; check the file by hand" >&2<br/>
head -n $((POS-1)) slapd.conf > slapd.conf.new && mv -f slapd.conf.new slapd.conf<br/>
<br/>
sed --in-place -e "s/suffix.*.dc=my-domain,dc=com./suffix \"$SUFFIX\"/" slapd.conf<br/>
sed --in-place -e "s/rootdn.*.cn=Manager,dc=my-domain,dc=com./rootdn \"cn=root,$SUFFIX\"/" slapd.conf<br/>
# {MD5}ISMvKXpXpadDiUoOSoAfww== is the unsalted MD5 of the literal password "admin", which is what the ldapadd<br/>
# commands further down pass with -w admin. Before exposing the server, generate your own hash with<br/>
# slappasswd -h '{SSHA}' (salted SHA-1), substitute it here and use that password instead of "admin" below.<br/>
# password-hash and password-crypt-salt-format only affect passwords that slapd hashes itself (the Password Modify<br/>
# extended operation); they make those MD5-crypt ($1$...). Hashes imported from /etc/shadow are stored verbatim.<br/>
sed --in-place -e "s/# rootpw.*crypt.*/rootpw {MD5}ISMvKXpXpadDiUoOSoAfww==\npassword-hash {crypt}\npassword-crypt-salt-format \"\$1\$%.8s\"/" slapd.conf<br/>
<br/>
cat >> slapd.conf <<'EOF'<br/>
access to dn.regex=".*,$SUFFIX" attrs=userPassword
by dn="cn=root,$SUFFIX" write
by self write
by * auth
access to dn.regex=".*,$SUFFIX" attrs=mail
by dn="cn=root,$SUFFIX" write
by self write
by * read
access to dn.regex=".*,ou=People,$SUFFIX"
by * read
access to dn.regex=".*,$SUFFIX"
by self write
by * read
EOF<br/>
sed --in-place -e "s/\$SUFFIX/$SUFFIX/" slapd.conf
</div>
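As an added check (not part of the original Amahi page), the script below lints the generated slapd.conf before slapd is started. It looks for the two things that go wrong most easily in this walkthrough: an "access to" directive belongs to whichever "database" was defined most recently, so ACLs that end up after a leftover "database monitor" line protect nothing under the suffix and leave it with the default "access to * by * read"; and rootpw {MD5}ISMvKXpXpadDiUoOSoAfww== is the hash of the literal password "admin". The two configurations it checks are constructed samples, not files from an HDA, and the {SSHA} value in the first one is a placeholder standing in for slappasswd output.

```shell
#!/bin/sh
# Added example, not part of the original Amahi page: lint a generated slapd.conf
# before starting slapd.
#  1. The bdb (or hdb) database must carry an ACL that names userPassword. In slapd.conf
#     an "access to" directive belongs to the most recently defined "database", so ACLs
#     appended after "database monitor" attach to the monitor backend and the directory
#     suffix falls back to the default "access to * by * read".
#  2. rootpw must not still be {MD5}ISMvKXpXpadDiUoOSoAfww==, the hash of "admin".
# Both configurations below are constructed samples.

# Exit 0 when an ACL naming userPassword sits under "database bdb" (or hdb).
bdb_has_userpassword_acl() {
    awk '
        $1 == "database" { db = $2 }
        $1 == "access" && $2 == "to" && (db == "bdb" || db == "hdb") &&
            index($0, "userPassword") > 0 { found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Exit 0 when rootpw is not the walkthrough default hash of "admin".
rootpw_is_not_default() {
    ! grep -q '^[[:space:]]*rootpw[[:space:]][[:space:]]*{MD5}ISMvKXpXpadDiUoOSoAfww==' "$1"
}

# Run both checks on the file in $1; print one line per failure, exit 0 only if all pass.
check_slapd_conf() {
    failures=0
    if ! bdb_has_userpassword_acl "$1"; then
        echo "$1: no userPassword ACL attached to the bdb database (which 'database' line precedes your ACLs?)"
        failures=$((failures + 1))
    fi
    if ! rootpw_is_not_default "$1"; then
        echo "$1: rootpw is the MD5 of 'admin'; replace it with slappasswd -h '{SSHA}' output"
        failures=$((failures + 1))
    fi
    [ "$failures" -eq 0 ]
}

# Constructed sample 1: ACLs follow the bdb section directly (what this page intends).
# The {SSHA} value is a placeholder, not a real hash.
GOOD_CONF=$(mktemp)
cat > "$GOOD_CONF" <<'EOF'
database	bdb
suffix		"dc=example,dc=com"
rootdn		"cn=root,dc=example,dc=com"
rootpw		{SSHA}REPLACE-WITH-slappasswd-OUTPUT
directory	/var/lib/ldap
access to dn.regex=".*,dc=example,dc=com" attrs=userPassword
	by self write
	by * auth
access to dn.regex=".*,dc=example,dc=com"
	by self write
	by * read
EOF

# Constructed sample 2: the stock file was cut after "database monitor", so the ACL
# attaches to the monitor backend, and rootpw is still the "admin" hash.
BAD_CONF=$(mktemp)
cat > "$BAD_CONF" <<'EOF'
database	bdb
suffix		"dc=example,dc=com"
rootdn		"cn=root,dc=example,dc=com"
rootpw		{MD5}ISMvKXpXpadDiUoOSoAfww==
directory	/var/lib/ldap

# enable monitoring
database monitor

access to dn.regex=".*,dc=example,dc=com" attrs=userPassword
	by self write
	by * auth
EOF
trap 'rm -f "$GOOD_CONF" "$BAD_CONF"' EXIT

check_slapd_conf "$GOOD_CONF" && echo "$GOOD_CONF: ok"
check_slapd_conf "$BAD_CONF" || echo "$BAD_CONF: fix before starting slapd"
```

Once slapd is running, the live counterpart of the first check is an anonymous ldapsearch -x -b "$SUFFIX" userPassword, which must return the entries without a userPassword attribute, and ldapwhoami -x -D "uid=<user>,ou=People,$SUFFIX" -W, which confirms a migrated account can still bind with its imported hash.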
==Add authorizedService schema==
<div style="text-align: left; border: 1px solid #A3B1BF; padding: .5em 1em; color: #000; background-color: #E6F2FF; margin: 3px 3px 1em 3px;">
cat > /etc/openldap/schema/ldapns.schema <<'EOF'<br/>
attributetype ( 1.3.6.1.4.1.5322.17.2.1 NAME 'authorizedService'
DESC 'IANA GSS-API authorized service name'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
objectclass ( 1.3.6.1.4.1.5322.17.1.1 NAME 'authorizedServiceObject'
DESC 'Auxiliary object class for adding authorizedService attribute'
SUP top
AUXILIARY
MAY authorizedService )
EOF
echo "include /etc/openldap/schema/ldapns.schema" >> /etc/openldap/slapd.conf
</div>
==Setup DB_CONFIG==
<div style="text-align: left; border: 1px solid #A3B1BF; padding: .5em 1em; color: #000; background-color: #E6F2FF; margin: 3px 3px 1em 3px;">
cp /usr/share/doc/openldap-servers-*/DB_CONFIG.example /var/lib/ldap/DB_CONFIG<br/>
chown -R ldap:ldap /var/lib/ldap/
</div>
==Disable slapd.d config files==
<div style="text-align: left; border: 1px solid #A3B1BF; padding: .5em 1em; color: #000; background-color: #E6F2FF; margin: 3px 3px 1em 3px;">
# With slapd.d present slapd ignores slapd.conf, so move the cn=config directory out of the way<br/>
mv /etc/openldap/slapd.d /etc/openldap/slapd.d.orig
</div>
==Start service==
<div style="text-align: left; border: 1px solid #A3B1BF; padding: .5em 1em; color: #000; background-color: #E6F2FF; margin: 3px 3px 1em 3px;">
chown -R ldap:ldap /etc/openldap<br/>
# slapd.conf now carries rootpw: confirm it is not world-readable (ls -l /etc/openldap/slapd.conf; the packaged mode is 0640)<br/>
service slapd start<br/>
chkconfig slapd on
</div>
==Import base entries==
<div style="text-align: left; border: 1px solid #A3B1BF; padding: .5em 1em; color: #000; background-color: #E6F2FF; margin: 3px 3px 1em 3px;">
# LDAP_BASEDN is read by migrate_common.ph and makes every migrationtools script emit our suffix. A plain sed on<br/>
# dc=padl,dc=com would rewrite only the dn: lines and leave "dc: padl" in the top entry, which slapd rejects as a naming violation.<br/>
LDAP_BASEDN="$SUFFIX" LDAP_DEFAULT_MAIL_DOMAIN="$DOMAIN" /usr/share/migrationtools/migrate_base.pl > base.ldif<br/>
ldapadd -h localhost -D "cn=root,$SUFFIX" -w admin -x -f base.ldif
</div>
If you only want to use LDAP as an address book, you're done.
Just find a way to insert entries in your LDAP server, and you'll be able to use it in your email clients as your address book.
If you want to use LDAP to control who can use SSH, web-applications, etc. continue below.
==Import Linux account details into the directory==
<div style="text-align: left; border: 1px solid #A3B1BF; padding: .5em 1em; color: #000; background-color: #E6F2FF; margin: 3px 3px 1em 3px;">
LDAP_BASEDN="$SUFFIX" /usr/share/migrationtools/migrate_hosts.pl /etc/hosts hosts.ldif<br/>
ldapadd -c -h localhost -D "cn=root,$SUFFIX" -w admin -x -f hosts.ldif
</div>
An error on one or two entries is harmless here (most likely duplicate names from the IPv6 lines in /etc/hosts). ldapadd normally stops at the first failed entry, so -c tells it to continue with the rest.
<div style="text-align: left; border: 1px solid #A3B1BF; padding: .5em 1em; color: #000; background-color: #E6F2FF; margin: 3px 3px 1em 3px;">
LDAP_BASEDN="$SUFFIX" /usr/share/migrationtools/migrate_group.pl /etc/group group.ldif<br/>
vi group.ldif # Remove all system groups; keep 'users' etc.<br/>
ldapadd -h localhost -D "cn=root,$SUFFIX" -w admin -x -f group.ldif
</div>
<div style="text-align: left; border: 1px solid #A3B1BF; padding: .5em 1em; color: #000; background-color: #E6F2FF; margin: 3px 3px 1em 3px;">
# ETC_SHADOW makes migrate_passwd.pl copy the {crypt} hashes out of /etc/shadow, so passwd.ldif is as sensitive<br/>
# as /etc/shadow itself: keep it mode 0600 and delete it once the import has succeeded.<br/>
ETC_SHADOW=/etc/shadow LDAP_BASEDN="$SUFFIX" /usr/share/migrationtools/migrate_passwd.pl /etc/passwd passwd.ldif<br/>
vi passwd.ldif # Remove all system users; keep only 'real' users<br/>
ldapadd -h localhost -D "cn=root,$SUFFIX" -w admin -x -f passwd.ldif
</div>