Difference between revisions of "LDAP"
(Created page with '==Install prerequisites== <div style="text-align: left; border: 1px solid #A3B1BF; padding: .5em 1em; color: #000; background-color: #E6F2FF; margin: 3px 3px 1em 3px;"> yum -y in…') |
Line 110: | Line 110: | ||
ldapadd -h localhost -D "cn=root,$SUFFIX" -w admin -x -f passwd.ldif | ldapadd -h localhost -D "cn=root,$SUFFIX" -w admin -x -f passwd.ldif | ||
</div> | </div> | ||
+ | |||
+ | ==Setup LDAP client on the HDA== | ||
+ | |||
+ | <div style="text-align: left; border: 1px solid #A3B1BF; padding: .5em 1em; color: #000; background-color: #E6F2FF; margin: 3px 3px 1em 3px;"> | ||
+ | sed --in-place -e "s/#host 127.0.0.1/host hda.home.com/" /etc/ldap.conf<br/> | ||
+ | sed --in-place -e "s/base dc=example,dc=com/base $SUFFIX/" /etc/ldap.conf<br/> | ||
+ | sed --in-place -e "s/#rootbinddn cn=manager,dc=example,dc=com/rootbinddn cn=root,$SUFFIX/" /etc/ldap.conf<br/> | ||
+ | sed --in-place -e "s/#scope one/scope one/" /etc/ldap.conf<br/> | ||
+ | sed --in-place -e "s/#pam_filter objectclass=account/pam_filter objectclass=posixaccount/" /etc/ldap.conf<br/> | ||
+ | sed --in-place -e "s/#pam_login_attribute uid/pam_login_attribute uid/" /etc/ldap.conf<br/> | ||
+ | sed --in-place -e "s/#pam_member_attribute uniquemember/pam_member_attribute gid/" /etc/ldap.conf<br/> | ||
+ | sed --in-place -e "s/#nss_base_passwd.*ou=People,dc=example,dc=com.*/nss_base_passwd ou=People,$SUFFIX?one/" /etc/ldap.conf<br/> | ||
+ | sed --in-place -e "s/#nss_base_shadow.*ou=People,dc=example,dc=com.*/nss_base_shadow ou=People,$SUFFIX?one/" /etc/ldap.conf<br/> | ||
+ | sed --in-place -e "s/#nss_base_group.*ou=Group,dc=example,dc=com.*/nss_base_group ou=Group,$SUFFIX?one/" /etc/ldap.conf<br/> | ||
+ | sed --in-place -e "s/#nss_base_hosts.*ou=Hosts,dc=example,dc=com.*/nss_base_hosts ou=Hosts,$SUFFIX?one/" /etc/ldap.conf<br/> | ||
+ | sed --in-place -e "s/#pam_check_service_attr yes/pam_check_service_attr yes/" /etc/ldap.conf | ||
+ | |||
+ | echo admin > /etc/ldap.secret<br/> | ||
+ | chown root:root /etc/ldap.secret<br/> | ||
+ | chmod 600 /etc/ldap.secret | ||
+ | |||
+ | sed --in-place -e "s/^passwd:.*/passwd: files ldap/" /etc/nsswitch.conf<br/> | ||
+ | sed --in-place -e "s/^shadow:.*/shadow: files ldap/" /etc/nsswitch.conf<br/> | ||
+ | sed --in-place -e "s/^hosts:.*/hosts: files ldap dns mdns/" /etc/nsswitch.conf | ||
+ | </div> | ||
+ | |||
+ | ==Change a LDAP user to use authorizedService== | ||
+ | For a specific user to be authorized or not on specific services, you need to add an objectClass to it's LDAP object, like this: | ||
+ | <div style="text-align: left; border: 1px solid #A3B1BF; padding: .5em 1em; color: #000; background-color: #E6F2FF; margin: 3px 3px 1em 3px;"> | ||
+ | cat > authorizedService.ldif <<'EOF'<br/> | ||
+ | dn: uid=some_user,ou=People,dc=home,dc=com | ||
+ | changetype: modify | ||
+ | add: objectclass | ||
+ | objectclass: authorizedServiceObject | ||
+ | EOF<br/> | ||
+ | ldapadd -h localhost -D "cn=root,$SUFFIX" -w admin -x -f authorizedService.ldif | ||
+ | </div> | ||
+ | Replace '''uid=some_user''' with the Linux username you want to modify. | ||
+ | |||
+ | ==Allow a user SSH access== | ||
+ | <div style="text-align: left; border: 1px solid #A3B1BF; padding: .5em 1em; color: #000; background-color: #E6F2FF; margin: 3px 3px 1em 3px;"> | ||
+ | cat > give_ssh_access.ldif <<'EOF'<br/> | ||
+ | dn: uid=some_user,ou=People,dc=home,dc=com | ||
+ | changetype: modify | ||
+ | add: authorizedService | ||
+ | authorizedService: sshd | ||
+ | EOF<br/> | ||
+ | ldapadd -h localhost -D "cn=root,$SUFFIX" -w admin -x -f give_ssh_access.ldif | ||
+ | </div> | ||
+ | Replace '''uid=some_user''' with the Linux username you want to modify. |
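Review bot: The new client section writes the directory root password to disk in clear text with `echo admin > /etc/ldap.secret` and only tightens permissions two commands later, so with the usual 022 umask the file is world-readable for that window; create it under a restrictive umask instead, `(umask 077; printf '%s\n' admin > /etc/ldap.secret)`. The same section points nss_ldap/pam_ldap at `host hda.home.com` over plain LDAP with no `ssl start_tls`, so if these lines are ever reused on a machine other than the HDA the rootbinddn password and every shadow lookup cross the LAN unencrypted; on the HDA itself, where slapd runs, `host 127.0.0.1` avoids both that and the hard-coded domain. The two LDIFs also hard-code `dc=home,dc=com` in their `dn:` line while the bind DN on the same command uses `$SUFFIX`, so they fail for any other Amahi domain. Finally `nss_base_group` is configured but `group:` in nsswitch.conf is left untouched, so LDAP groups are never consulted.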
Revision as of 14:46, 10 May 2010
Install prerequisites
# Server, command-line tools and the PADL migrationtools (used further down to
# convert /etc/passwd, /etc/group and /etc/hosts into LDIF).
PKGS="openldap openldap-servers openldap-clients migrationtools"
# shellcheck disable=SC2086  # PKGS is a deliberate space-separated list
yum install -y $PKGS
Update slapd.conf
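# Derive the directory suffix from the Amahi HDA settings table (domain
# home.com becomes dc=home,dc=com) and turn the stock slapd.conf into a
# single-database configuration for it.  These lines are meant to be pasted
# into a root shell, so failed checks print a warning instead of exiting.
#
# NOTE(review): the amahihda/AmahiHDARulez MySQL credentials are the
# platform-wide default and are exposed in `ps` and shell history when given
# as -p on the command line; a mode-600 ~/.my.cnf with a [client] section
# avoids that.  Kept inline only because the page relies on it.
DOMAIN=$(mysql -N -s -u amahihda -pAmahiHDARulez \
           -e "select value from settings where name = 'domain'" hda_production)
[ -n "$DOMAIN" ] || echo "warning: could not read the HDA domain from MySQL" >&2

# Every '.' in the domain becomes ',dc=' (same result as the page's PHP one-liner).
SUFFIX="dc=${DOMAIN//./,dc=}"

# Root DN password.  Defaults to the page's historical 'admin' so the later
# `-w admin` steps keep working; if you override LDAP_ROOTPW, change those
# too.  The hash is salted SHA-1 ({SSHA}) instead of the unsalted {MD5}
# digest of "admin" that the page used to embed verbatim.
LDAP_ROOTPW=${LDAP_ROOTPW:-admin}
ROOTPW_HASH=$(slappasswd -h '{SSHA}' -s "$LDAP_ROOTPW")

# Later steps on this page use paths relative to /etc/openldap, so stay here.
cd /etc/openldap || echo "warning: /etc/openldap is missing" >&2
# The package ships the classic config file as slapd.conf.bak; this page uses
# slapd.conf rather than the cn=config directory (see "Disable slap.d").
mv slapd.conf.bak slapd.conf

# Cut the file just before the monitor database stanza; only the primary
# database is wanted.  Skip the cut if the marker comment is not found,
# otherwise head would be handed an empty line count.
POS=$(grep -n "# allow onl. rootdn to read the monitor" slapd.conf | cut -d: -f1)
if [ -n "$POS" ]; then
  head -n "$((POS - 1))" slapd.conf > slapd.conf.new && mv -f slapd.conf.new slapd.conf
else
  echo "warning: monitor stanza marker not found; slapd.conf left untruncated" >&2
fi

# '|' as the sed delimiter: the base64 part of the hash may contain '/'.
# password-hash and password-crypt-salt-format go right after rootpw, where
# the page always had them.  $6$ selects SHA-512 crypt for userPassword
# instead of MD5 crypt ($1$); it needs a crypt(3) with SHA-512 support
# (glibc 2.7 and later) -- fall back to "$1$%.8s" if yours lacks it.
sed --in-place \
    -e "s|^suffix.*dc=my-domain,dc=com.*|suffix \"$SUFFIX\"|" \
    -e "s|^rootdn.*dc=my-domain,dc=com.*|rootdn \"cn=root,$SUFFIX\"|" \
    -e "s|^# rootpw.*crypt.*|rootpw $ROOTPW_HASH\npassword-hash {crypt}\npassword-crypt-salt-format \"\$6\$%.16s\"|" \
    slapd.conf

# Access control.  slapd applies the first "access to" clause whose target
# matches, so the userPassword rule must precede the catch-alls:
#   - userPassword: the entry itself may change it, everyone else may only
#     bind with it (auth).  The rootdn bypasses ACLs regardless.
#   - mail: self-writable, world-readable (address-book use).
#   - everything under ou=People: world-readable and NOT self-writable, which
#     is what keeps users from granting themselves authorizedService.
#   - other entries: self-writable, world-readable.
# The heredoc is unquoted so $SUFFIX expands here; the page's earlier
# `sed "s/\$SUFFIX/.../"` had no /g flag and only replaced the first
# occurrence per line, leaving `by dn="cn=root,$SUFFIX"` literal.  The
# regexes are anchored so they match only DNs that end in the suffix.
cat >> slapd.conf <<EOF
access to dn.regex="^.*,$SUFFIX\$" attrs=userPassword
    by dn="cn=root,$SUFFIX" write
    by self write
    by * auth
access to dn.regex="^.*,$SUFFIX\$" attrs=mail
    by dn="cn=root,$SUFFIX" write
    by self write
    by * read
access to dn.regex="^.*,ou=People,$SUFFIX\$"
    by * read
access to dn.regex="^.*,$SUFFIX\$"
    by self write
    by * read
EOF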
Add authorizedService schema
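# Schema for the per-service authorisation attribute.  On the client,
# pam_check_service_attr (enabled further down) compares the PAM service
# name, e.g. "sshd", against the user's authorizedService values, so this
# attribute is the switch the "Allow a user SSH access" step flips.
cat > /etc/openldap/schema/ldapns.schema <<'EOF'
attributetype ( 1.3.6.1.4.1.5322.17.2.1 NAME 'authorizedService'
    DESC 'IANA GSS-API authorized service name'
    EQUALITY caseIgnoreMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )

objectclass ( 1.3.6.1.4.1.5322.17.1.1 NAME 'authorizedServiceObject'
    DESC 'Auxiliary object class for adding authorizedService attribute'
    SUP top AUXILIARY
    MAY authorizedService )
EOF

# Absolute path so this step does not depend on the cwd left by the previous
# one, plus an idempotency guard: including the same schema twice makes
# slapd reject the config with a duplicate attributeType error.
SLAPD_CONF=/etc/openldap/slapd.conf
grep -q '^include[[:space:]]*/etc/openldap/schema/ldapns.schema' "$SLAPD_CONF" \
  || echo "include /etc/openldap/schema/ldapns.schema" >> "$SLAPD_CONF"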
Setup DB_CONFIG
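# Berkeley DB environment tuning for the directory's data files; the example
# shipped with openldap-servers is sufficient here.  The glob is checked so
# that zero or several installed doc directories give a clear message rather
# than a confusing cp error.
set -- /usr/share/doc/openldap-servers-*/DB_CONFIG.example
if [ $# -eq 1 ] && [ -f "$1" ]; then
  cp -- "$1" /var/lib/ldap/DB_CONFIG
else
  echo "warning: expected exactly one DB_CONFIG.example, found $# ($*)" >&2
fi
# slapd runs as ldap and must own its database directory.
chown -R ldap:ldap /var/lib/ldap/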
Disable slap.d config files
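# slapd uses the cn=config directory (slapd.d) in preference to slapd.conf
# when both exist, so move it aside to make the slapd.conf edited above the
# active configuration.  Absolute path: no dependence on the cwd of the
# previous step, and a no-op if the directory is already gone.
if [ -d /etc/openldap/slapd.d ]; then
  mv /etc/openldap/slapd.d /etc/openldap/slapd.d.orig
fi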
Start service
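# slapd.conf now carries the rootpw hash and the ACLs, so make it readable by
# the ldap service account and nobody else: owner ldap, mode 0640.  The page
# left the mode at whatever slapd.conf.bak happened to have.
chown -R ldap:ldap /etc/openldap
chmod 0640 /etc/openldap/slapd.conf
service slapd start \
  || echo "warning: slapd failed to start; check the system log or run 'slaptest -u'" >&2
chkconfig slapd on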
Import base schema
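# Generate the top-level entries (the suffix entry, ou=People, ou=Group,
# ou=Hosts, ...) with migrationtools and load them.  migrate_base.pl emits
# dc=padl,dc=com as the suffix; the /g flag replaces every occurrence on a
# line, not just the first.
LDAP_ROOTPW=${LDAP_ROOTPW:-admin}   # must match the rootpw set in slapd.conf
/usr/share/migrationtools/migrate_base.pl > base.ldif
sed --in-place -e "s/dc=padl,dc=com/$SUFFIX/g" base.ldif
# NOTE(review): -w exposes the password in the process list; `-y <file>` with
# a mode-600 file (or -W to be prompted) is preferable for anything beyond a
# throwaway local setup.
ldapadd -x -h localhost -D "cn=root,$SUFFIX" -w "$LDAP_ROOTPW" -f base.ldif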
If you only want to use LDAP as an address book, you're done.
Just find a way to insert entries in your LDAP server, and you'll be able to use it in your email clients as your address book.
If you want to use LDAP to control who can use SSH, web-applications, etc. continue below.
Import Linux accounts details in schema
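# Import /etc/hosts.  Names that appear for both an IPv4 and an IPv6 address
# (typically localhost) produce duplicate entries; without -c ldapadd stops at
# the first such error and the remaining hosts are never added, so run in
# continuous mode and let the duplicates be reported and skipped.
LDAP_ROOTPW=${LDAP_ROOTPW:-admin}   # must match the rootpw set in slapd.conf
/usr/share/migrationtools/migrate_hosts.pl /etc/hosts hosts.ldif
sed --in-place -e "s/dc=padl,dc=com/$SUFFIX/g" hosts.ldif
ldapadd -c -x -h localhost -D "cn=root,$SUFFIX" -w "$LDAP_ROOTPW" -f hosts.ldif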
An error here is expected and harmless; it is probably caused by /etc/hosts listing the same name for both an IPv4 and an IPv6 address. Note that ldapadd stops at the first error unless it is run with -c, so check that the hosts listed after the duplicate were actually imported.
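# Export the local groups and load them.  Edit the LDIF first and delete the
# system groups: they already exist in /etc/group on every machine and do not
# belong in the directory.
LDAP_ROOTPW=${LDAP_ROOTPW:-admin}   # must match the rootpw set in slapd.conf
/usr/share/migrationtools/migrate_group.pl /etc/group group.ldif
${EDITOR:-vi} group.ldif    # Remove all system groups; keep 'users' etc.
sed --in-place -e "s/dc=padl,dc=com/$SUFFIX/g" group.ldif
ldapadd -x -h localhost -D "cn=root,$SUFFIX" -w "$LDAP_ROOTPW" -f group.ldif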
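# Export the real (non-system) user accounts.  With ETC_SHADOW set,
# migrate_passwd.pl copies the password hashes out of /etc/shadow into the
# LDIF, so passwd.ldif is as sensitive as /etc/shadow itself: create it
# unreadable to others (umask 077, scoped to the subshell) and delete it once
# it has been loaded.
LDAP_ROOTPW=${LDAP_ROOTPW:-admin}   # must match the rootpw set in slapd.conf
(
  umask 077
  ETC_SHADOW=/etc/shadow /usr/share/migrationtools/migrate_passwd.pl /etc/passwd passwd.ldif
  ${EDITOR:-vi} passwd.ldif   # Remove all system users; keep only 'real' users
  sed --in-place -e "s/dc=padl,dc=com/$SUFFIX/g" passwd.ldif
  ldapadd -x -h localhost -D "cn=root,$SUFFIX" -w "$LDAP_ROOTPW" -f passwd.ldif \
    && rm -f passwd.ldif
)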
Setup LDAP client on the HDA
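# nss_ldap / pam_ldap configuration for the HDA itself, i.e. the machine that
# runs slapd.  All /etc/ldap.conf edits are done in one sed pass; $SUFFIX
# comes from the "Update slapd.conf" step.
#
# Security notes:
#  * The directory is local, so the client talks to the loopback address.  The
#    page previously used `host hda.home.com`, which hard-codes the domain and
#    sends the rootbinddn password and every shadow lookup over plain LDAP on
#    the LAN.  A client on another machine should use the HDA's name together
#    with `ssl start_tls` and `tls_cacertfile`, never plain port 389.
#  * rootbinddn hands the client the directory's root DN.  nss_ldap needs it
#    to read userPassword for the shadow map, but a dedicated read-only proxy
#    account would be least privilege; left as on the page.
#  * pam_check_service_attr only has an effect once pam_ldap is in the PAM
#    stack (e.g. `authconfig --enableldapauth`); that step is not on this page.
LDAP_ROOTPW=${LDAP_ROOTPW:-admin}   # must match the rootpw set in slapd.conf

sed --in-place \
    -e "s/^#host 127.0.0.1/host 127.0.0.1/" \
    -e "s/^base dc=example,dc=com/base $SUFFIX/" \
    -e "s/^#rootbinddn cn=manager,dc=example,dc=com/rootbinddn cn=root,$SUFFIX/" \
    -e "s/^#scope one/scope one/" \
    -e "s/^#pam_filter objectclass=account/pam_filter objectclass=posixaccount/" \
    -e "s/^#pam_login_attribute uid/pam_login_attribute uid/" \
    -e "s/^#pam_member_attribute uniquemember/pam_member_attribute gid/" \
    -e "s/^#nss_base_passwd.*ou=People,dc=example,dc=com.*/nss_base_passwd ou=People,$SUFFIX?one/" \
    -e "s/^#nss_base_shadow.*ou=People,dc=example,dc=com.*/nss_base_shadow ou=People,$SUFFIX?one/" \
    -e "s/^#nss_base_group.*ou=Group,dc=example,dc=com.*/nss_base_group ou=Group,$SUFFIX?one/" \
    -e "s/^#nss_base_hosts.*ou=Hosts,dc=example,dc=com.*/nss_base_hosts ou=Hosts,$SUFFIX?one/" \
    -e "s/^#pam_check_service_attr yes/pam_check_service_attr yes/" \
    /etc/ldap.conf

# Password for rootbinddn.  Written under umask 077 so the file is never
# world-readable, not even between creation and chmod (the page's plain
# `echo admin > /etc/ldap.secret` left that window with the usual 022 umask).
(umask 077; printf '%s\n' "$LDAP_ROOTPW" > /etc/ldap.secret)
chown root:root /etc/ldap.secret
chmod 600 /etc/ldap.secret

# Consult the directory after the local files.  group: is included because
# nss_base_group above does nothing without it.  hosts: keeps the page's
# order; be aware that every name missing from /etc/hosts now costs an LDAP
# query before DNS is tried.
sed --in-place \
    -e "s/^passwd:.*/passwd: files ldap/" \
    -e "s/^shadow:.*/shadow: files ldap/" \
    -e "s/^group:.*/group: files ldap/" \
    -e "s/^hosts:.*/hosts: files ldap dns mdns/" \
    /etc/nsswitch.conf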
Change an LDAP user to use authorizedService
To allow or deny a specific user access to specific services, first add the authorizedServiceObject objectClass to that user's LDAP entry, like this:
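# Attach the auxiliary class that carries authorizedService to one user.
# The heredoc is unquoted so the DN uses the same $SUFFIX as the bind DN on
# the ldapmodify line; the page's hard-coded dc=home,dc=com fails for any
# other Amahi domain.  ldapmodify is the natural tool for a
# "changetype: modify" record (ldapadd is just ldapmodify -a).
LDAP_ROOTPW=${LDAP_ROOTPW:-admin}   # must match the rootpw set in slapd.conf
cat > authorizedService.ldif <<EOF
dn: uid=some_user,ou=People,$SUFFIX
changetype: modify
add: objectclass
objectclass: authorizedServiceObject
EOF
ldapmodify -x -h localhost -D "cn=root,$SUFFIX" -w "$LDAP_ROOTPW" -f authorizedService.ldif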
Replace uid=some_user with the Linux username you want to modify.
Allow a user SSH access
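# Grant one user the "sshd" service.  The entry must already carry the
# authorizedServiceObject class from the previous step; otherwise slapd
# rejects the add with an object class violation.  $SUFFIX replaces the
# page's hard-coded dc=home,dc=com so the DN matches the bind DN.
LDAP_ROOTPW=${LDAP_ROOTPW:-admin}   # must match the rootpw set in slapd.conf
cat > give_ssh_access.ldif <<EOF
dn: uid=some_user,ou=People,$SUFFIX
changetype: modify
add: authorizedService
authorizedService: sshd
EOF
ldapmodify -x -h localhost -D "cn=root,$SUFFIX" -w "$LDAP_ROOTPW" -f give_ssh_access.ldif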
Replace uid=some_user with the Linux username you want to modify.