LDAP

From Amahi Wiki
Revision as of 14:15, 10 May 2010 by Gboudreau

Install prerequisites

yum -y install openldap openldap-servers openldap-clients migrationtools

Update slapd.conf

# Read the HDA's domain from Amahi's settings table and turn it into an LDAP suffix
# (for example, home.lan becomes dc=home,dc=lan)
DOMAIN=`mysql -u amahihda -pAmahiHDARulez -e "select value from settings where name = 'domain'" hda_production | grep -v value`
SUFFIX=`echo '<?php $domain = explode(".", $argv[1]); echo "dc=". implode(",dc=", $domain); ?>' | php -- $DOMAIN`

cd /etc/openldap

mv slapd.conf.bak slapd.conf
# Keep only the part of slapd.conf that precedes the "allow only rootdn to read the monitor" comment
POS=`grep -n "# allow onl. rootdn to read the monitor" slapd.conf | awk -F':' '{print $1}'`
head -n `echo $POS-1|bc` slapd.conf > slapd.conf.new && mv -f slapd.conf.new slapd.conf

sed --in-place -e "s/suffix.*.dc=my-domain,dc=com./suffix \"$SUFFIX\"/" slapd.conf
sed --in-place -e "s/rootdn.*.cn=Manager,dc=my-domain,dc=com./rootdn \"cn=root,$SUFFIX\"/" slapd.conf
sed --in-place -e "s/# rootpw.*crypt.*/rootpw {MD5}ISMvKXpXpadDiUoOSoAfww==\npassword-hash {crypt}\npassword-crypt-salt-format \"\$1\$%.8s\"/" slapd.conf

cat >> slapd.conf <<'EOF'

access to dn.regex=".*,$SUFFIX" attrs=userPassword
 by dn="cn=root,$SUFFIX" write
 by self write
 by * auth

access to dn.regex=".*,$SUFFIX" attrs=mail
 by dn="cn=root,$SUFFIX" write
 by self write
 by * read

access to dn.regex=".*,ou=People,$SUFFIX"
 by * read

access to dn.regex=".*,$SUFFIX"
 by self write
 by * read

EOF
# The heredoc above is quoted, so replace the literal $SUFFIX placeholders with the real suffix
sed --in-place -e "s/\$SUFFIX/$SUFFIX/" slapd.conf
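The rootpw line above stores a {MD5} hash, which slapd compares against the password supplied at bind time. As an added example that is not part of the original page or of Amahi, the following Python shows how that value is encoded, how slapd checks a simple bind against it, and how to produce a salted {SSHA} value for slapd.conf instead; the function names are my own.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional


def ldap_md5(password: str) -> str:
    """Encode a password as slapd's unsalted {MD5} scheme: base64(md5(password))."""
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return "{MD5}" + base64.b64encode(digest).decode("ascii")


def ldap_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Encode a password as {SSHA}: base64(sha1(password + salt) + salt).

    A fresh random salt is drawn unless one is passed in, so two encodings of
    the same password differ, which is what defeats precomputed hash tables."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify(password: str, stored: str) -> bool:
    """Check a candidate password against a stored {MD5} or {SSHA} value,
    mirroring what slapd does for a simple bind. Constant-time comparison."""
    scheme, _, encoded = stored.partition("}")
    scheme = scheme.lstrip("{").upper()
    raw = base64.b64decode(encoded)
    pw = password.encode("utf-8")
    if scheme == "MD5":
        return hmac.compare_digest(raw, hashlib.md5(pw).digest())
    if scheme == "SSHA":
        digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes; the rest is the salt
        return hmac.compare_digest(digest, hashlib.sha1(pw + salt).digest())
    raise ValueError(f"unsupported password scheme: {scheme}")


def rootpw_line(password: str) -> str:
    """Build a salted rootpw directive to put in slapd.conf in place of the {MD5} one."""
    return f"rootpw {ldap_ssha(password)}"


if __name__ == "__main__":
    # "admin" is the password the page later passes to ldapadd with -w
    print(ldap_md5("admin"))      # the {MD5} value from the sed command above
    print(rootpw_line("admin"))   # a salted replacement; differs on every run
```

`slappasswd -h '{SSHA}'` on the server produces the same kind of salted value if you prefer not to generate it by hand.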

Add authorizedService schema

cat > /etc/openldap/schema/ldapns.schema <<'EOF'

attributetype ( 1.3.6.1.4.1.5322.17.2.1 NAME 'authorizedService'
 DESC 'IANA GSS-API authorized service name'
 EQUALITY caseIgnoreMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )

objectclass ( 1.3.6.1.4.1.5322.17.1.1 NAME 'authorizedServiceObject'
 DESC 'Auxiliary object class for adding authorizedService attribute'
 SUP top
 AUXILIARY
 MAY authorizedService )

EOF

echo "include /etc/openldap/schema/ldapns.schema" >> slapd.conf

Set up DB_CONFIG

cp /usr/share/doc/openldap-servers-*/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown -R ldap:ldap /var/lib/ldap/

Disable slapd.d config files

mv slapd.d slapd.d.orig

Start service

chown -R ldap:ldap .
service slapd start
chkconfig slapd on

Import base schema

/usr/share/migrationtools/migrate_base.pl > base.ldif
sed --in-place -e "s/dc=padl,dc=com/$SUFFIX/" base.ldif
ldapadd -h localhost -D "cn=root,$SUFFIX" -w admin -x -f base.ldif

If you only want to use LDAP as an address book, you're done.

Just find a way to insert entries in your LDAP server, and you'll be able to use it in your email clients as your address book.

If you want to use LDAP to control who can use SSH, web applications, etc., continue below.

Import Linux account details into LDAP

/usr/share/migrationtools/migrate_hosts.pl /etc/hosts hosts.ldif
sed --in-place -e "s/dc=padl,dc=com/$SUFFIX/" hosts.ldif
ldapadd -h localhost -D "cn=root,$SUFFIX" -w admin -x -f hosts.ldif

An error here is fine; it is probably caused by duplicate host names for IPv6 entries in /etc/hosts.

/usr/share/migrationtools/migrate_group.pl /etc/group group.ldif
vi group.ldif # Remove all system groups; keep 'users' etc.
sed --in-place -e "s/dc=padl,dc=com/$SUFFIX/" group.ldif
ldapadd -h localhost -D "cn=root,$SUFFIX" -w admin -x -f group.ldif

ETC_SHADOW=/etc/shadow /usr/share/migrationtools/migrate_passwd.pl /etc/passwd passwd.ldif
vi passwd.ldif # Remove all system users; keep only 'real' users
sed --in-place -e "s/dc=padl,dc=com/$SUFFIX/" passwd.ldif
ldapadd -h localhost -D "cn=root,$SUFFIX" -w admin -x -f passwd.ldif