Install the OpenLDAP RPMs

SERVERS
======
nss_ldap
openldap
openldap-clients
openldap-devel
openldap-servers

CLIENTS
=====
nss_ldap
openldap
openldap-clients
openldap-devel

LDAP SERVER
========================================================================

Using a host with the fully qualified DNS name "node.dev.local"
==============================
# mkdir /var/lib/ldap/dev.local
The following lines are only needed when rebuilding an existing LDAP database; they remove the old BDB environment and data files from the directory configured in slapd.conf:
# rm -f /var/lib/ldap/dev.local/alock
# rm -f /var/lib/ldap/dev.local/__db.00[1-6]
# rm -f /var/lib/ldap/dev.local/log.0000000001
# rm -f /var/lib/ldap/dev.local/*.bdb

ADD LDAPUSER ACCOUNT
# useradd -g users ldapuser
# passwd ldapuser

ON RH Linux
# cd /etc/openldap
# vi slapd.conf
and add/change the lines to:
database        bdb
suffix          "dc=dev,dc=local"
rootdn          "cn=root,dc=dev,dc=local"
rootpw          IAMAPASSWORD
directory       /var/lib/ldap/dev.local

# cp DB_CONFIG.example /var/lib/ldap/dev.local/DB_CONFIG

# cd /usr/share/openldap/migration/
Edit migrate_common.ph and change padl.com to dev.local ($DEFAULT_MAIL_DOMAIN) and dc=padl,dc=com to dc=dev,dc=local ($DEFAULT_BASE).

CREATE THE DATABASE
===============
# ./migrate_all_offline.sh
ignore the errors (hopefully)
# chown -R ldap:ldap /var/lib/ldap/*

START LDAP
========
service ldap start
chkconfig ldap on

Check directory working:
===============
# ldapsearch -x -b 'dc=dev,dc=local' '(objectclass=*)'
This should list the whole directory.

ADD THE ACCOUNTS
=============
If it doesn't already exist, create the following script as /usr/share/openldap/modifyldapuser.sh:
#!/bin/bash
# Usage: modifyldapuser.sh <username>
# Export one local account to LDIF with the PADL migration tool and load it into the directory.
tmpdir=$(mktemp -d)
grep "^$1:" /etc/passwd > "$tmpdir/passwd"
/usr/share/openldap/migration/migrate_passwd.pl "$tmpdir/passwd" "$tmpdir/user.ldif.tmp"
# Rewrite any default PADL base DN still present in the LDIF to this directory's suffix
sed -e 's/dc=padl,dc=com/dc=dev,dc=local/' -e 's/padl\.com/dev.local/' "$tmpdir/user.ldif.tmp" > "$tmpdir/user.ldif"
# -a: the entries are new, so add them rather than modify existing ones
ldapmodify -a -x -D "cn=root,dc=dev,dc=local" -W -f "$tmpdir/user.ldif"
rm -rf "$tmpdir"

Add users by:
./modifyldapuser.sh ldapuser
./modifyldapuser.sh oracle
./modifyldapuser.sh phh

TEST USERS
========
ldapsearch -x -b 'dc=dev,dc=local' | grep oracle
Should return something like:
dn: cn=oracle,ou=Group,dc=dev,dc=local
cn: oracle
memberUid: oracle
# oracle, People, dev.local
dn: uid=oracle,ou=People,dc=dev,dc=local
uid: oracle
cn: oracle
homeDirectory: /home/oracle
gecos: oracle

CLIENT
====================================================================
# env LANG=C authconfig-tui
On the first screen ensure LDAP is selected
On the first screen ensure MD5 is selected
On the first screen ensure SHADOW PASSWORDS is selected
On the second screen enter the LDAP server's IP address
On the second screen enter the base DN, e.g. dc=dev,dc=local
On the second screen do not select TLS
EXIT
The file /etc/openldap/ldap.conf should now exist and contain the data entered above.
The file /etc/nsswitch.conf should have ldap referenced.

Ensure the ldapuser account does not exist locally on the client:
# grep ldapuser /etc/passwd
Create the ldapuser home directory:
# mkdir /home/ldapuser
Check that LDAP lookups are working:
# chown ldapuser:users /home/ldapuser
If the directory ownership changes, the name ldapuser was resolved through LDAP and the client is working.
Also check LDAP with:
# ldapsearch -x -b 'dc=dev,dc=local' '(objectclass=*)'
This should list the whole directory.
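An added configuration check (not part of these notes) covering the slapd.conf block from the LDAP SERVER section, the base DN used in the ldapsearch checks, and the nsswitch.conf result described in the CLIENT section: it flags a clear-text rootpw, a rootdn outside the suffix, a search base that does not match the suffix, and NSS databases that do not list ldap. The sample config text is constructed here, and the {SSHA} value used when exercising it is a placeholder, not a real hash.

```python
# Constructed sample of the slapd.conf lines from these notes (rootpw left in clear text).
SLAPD_CONF = """\
database        bdb
suffix          "dc=dev,dc=local"
rootdn          "cn=root,dc=dev,dc=local"
rootpw          IAMAPASSWORD
directory       /var/lib/ldap/dev.local
"""

# Constructed sample nsswitch.conf where ldap was added to passwd and group only.
NSSWITCH_CONF = """\
passwd:     files ldap
shadow:     files
group:      files ldap
"""

# Password schemes slappasswd can emit; anything else in rootpw is a clear-text secret.
HASHED_SCHEMES = ("{SSHA}", "{SHA}", "{CRYPT}", "{MD5}", "{SMD5}")

def parse_directives(text):
    """Map slapd.conf-style 'directive value' lines to {directive: value}, quotes stripped."""
    conf = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            conf[parts[0].lower()] = parts[1].strip().strip('"')
    return conf

def audit_slapd_conf(text, search_base):
    """Findings for the server config plus the base DN used in the ldapsearch checks."""
    conf = parse_directives(text)
    findings = []
    if conf.get("rootpw") and not conf["rootpw"].startswith(HASHED_SCHEMES):
        findings.append("rootpw is clear text; use the {SSHA} value printed by slappasswd")
    # DNs compared case-insensitively with whitespace removed
    suffix = conf.get("suffix", "").lower().replace(" ", "")
    rootdn = conf.get("rootdn", "").lower().replace(" ", "")
    if not (rootdn == suffix or rootdn.endswith("," + suffix)):
        findings.append("rootdn %s is not under suffix %s" % (rootdn, suffix))
    if search_base.lower().replace(" ", "") != suffix:
        findings.append("search base %s does not match suffix %s" % (search_base, suffix))
    return findings

def audit_nsswitch(text):
    """The passwd/shadow/group databases that do not list ldap as a source."""
    entries = [line.partition(":") for line in text.splitlines()]
    return [db.strip() for db, _, src in entries
            if db.strip() in ("passwd", "shadow", "group") and "ldap" not in src.split()]
```

Run it against the real files with open("/etc/openldap/slapd.conf").read() and the base DN from the ldapsearch command; an empty findings list means the three checks pass.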

DEBUG
========================================================

Edit /etc/syslog.conf and add the following line (separate the fields with tabs, not spaces):
local4.debug                                            /var/log/ldap.log

# touch /var/log/ldap.log
# /etc/init.d/syslog restart
OR
# killall -HUP syslogd
OR REBOOT

WEBSITES I USED
===========

http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch31_:_Centralized_Logins_Using_LDAP_and_RADIUS
http://www.linux.com/archive/feature/114074
http://www.yolinux.com/TUTORIALS/LinuxTutorialLDAP.html
http://www.zytrax.com/books/ldap/ch6/
http://www.padl.com/Contents/OpenSourceSoftware.html

FOR Windows Active Directory
===================
For 11g clients set NAMES.LDAP_AUTHENTICATE_BIND=Yes in sqlnet.ora
http://download.oracle.com/docs/cd/B28359_01/network.111/b28528/appc.htm
http://www.oracle.com/technology/tech/windows/wp/2008/ukoug2008-oracle_activedirectory_windows_security.ppt