simple LDAP configuration
Install the OpenLDAP RPMs
SERVERS
======
nss_ldap
openldap
openldap-clients
openldap-devel
openldap-servers
CLIENTS
=====
nss_ldap
openldap
openldap-clients
openldap-devel
LDAP SERVER
========================================================================
Using a host with the full DNS name "node.dev.local"
==============================
# mkdir /var/lib/ldap/dev.local
The following lines are only needed if this is an attempt to rebuild the LDAP database (they delete the old BDB files under the directory configured in slapd.conf):
# rm -f /var/lib/ldap/dev.local/alock
# rm -f /var/lib/ldap/dev.local/__db.001
# rm -f /var/lib/ldap/dev.local/__db.002
# rm -f /var/lib/ldap/dev.local/__db.003
# rm -f /var/lib/ldap/dev.local/__db.004
# rm -f /var/lib/ldap/dev.local/__db.005
# rm -f /var/lib/ldap/dev.local/__db.006
# rm -f /var/lib/ldap/dev.local/log.0000000001
# rm -f /var/lib/ldap/dev.local/*.bdb
ADD LDAPUSER ACCOUNT
# useradd -g users ldapuser
# passwd ldapuser
ON RH Linux
# cd /etc/openldap
# vi slapd.conf
and add/change the lines to:
database       bdb
suffix         "dc=dev,dc=local"
rootdn         "cn=root,dc=dev,dc=local"
rootpw         IAMAPASSWORD
directory      /var/lib/ldap/dev.local
# cp DB_CONFIG.example /var/lib/ldap/dev.local/DB_CONFIG
# cd /usr/share/openldap/migration/
Edit migrate_common.ph and change padl.com to dev.local, dc=padl to dc=dev and dc=com to dc=local
CREATE THE DATABASE
===============
# ./migrate_all_offline.sh
Ignore the errors (hopefully)
# chown -R ldap:ldap /var/lib/ldap/*
START LDAP
========
# service ldap start
# chkconfig ldap on
Check directory working:
===============
# ldapsearch -x -b 'dc=dev,dc=local' '(objectclass=*)'
Should list the full directory
ADD THE ACCOUNTS
=============
If it doesn't exist, create the following script as /usr/share/openldap/modifyldapuser.sh:
#!/bin/bash
# Match the user name exactly, so "oracle" does not also pull in "oracleadmin"
grep "^$1:" /etc/passwd > /tmp/modifyldapuser.tmp
# Convert the passwd record to LDIF with the PADL migration script
/usr/share/openldap/migration/migrate_passwd.pl /tmp/modifyldapuser.tmp /tmp/modifyldapuser.ldif.tmp
# Rewrite any leftover padl suffix and write the LDIF that ldapmodify will load
# (a no-op once migrate_common.ph has been edited as above)
sed 's/padl/example/' /tmp/modifyldapuser.ldif.tmp > /tmp/modifyldapuser.ldif
# -a: the LDIF has no changetype, so treat each entry as an add
ldapmodify -a -x -D "cn=root,dc=dev,dc=local" -W -f /tmp/modifyldapuser.ldif
rm -f /tmp/modifyldapuser.*
Add users by:
./modifyldapuser.sh ldapuser
./modifyldapuser.sh oracle
./modifyldapuser.sh phh
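The script above depends on migrate_passwd.pl. As an added example (not part of the original page or of the PADL migration tools), the following POSIX sh does the same conversion from a passwd record to a posixAccount LDIF entry with awk, using an exact-match lookup so that adding "oracle" never drags in a second account such as "oracleadmin". It assumes the base DN dc=dev,dc=local and the ou=People container shown in the ldapsearch output later on this page, and reads a constructed passwd file instead of /etc/passwd.

```shell
#!/bin/sh
# Added example: build the LDIF that modifyldapuser.sh feeds to ldapmodify,
# straight from a passwd-style record, without migrate_passwd.pl.
# Assumptions (not from the original page): base DN dc=dev,dc=local and
# ou=People as the container for user entries.

# Constructed sample passwd file; on the server the script reads /etc/passwd.
SAMPLE_PASSWD=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
oracle:x:501:501:Oracle owner:/home/oracle:/bin/bash
oracleadmin:x:502:501:Oracle admin:/home/oracleadmin:/bin/bash
ldapuser:x:503:100:ldapuser:/home/ldapuser:/bin/bash
EOF

# passwd_line USER FILE: print the passwd record whose first field is exactly USER.
# A bare "grep $1 /etc/passwd" is a substring match and would also return oracleadmin.
passwd_line() {
    grep "^$1:" "$2" | head -n 1
}

# passwd_to_ldif USER FILE BASEDN: emit a posixAccount/shadowAccount entry for USER,
# in the same shape migrate_passwd.pl produces. Fails if USER is not in FILE.
passwd_to_ldif() {
    line=$(passwd_line "$1" "$2")
    [ -n "$line" ] || return 1
    printf '%s\n' "$line" | awk -F: -v base="$3" '{
        printf "dn: uid=%s,ou=People,%s\n", $1, base
        printf "uid: %s\ncn: %s\n", $1, $1
        printf "objectClass: account\nobjectClass: posixAccount\n"
        printf "objectClass: top\nobjectClass: shadowAccount\n"
        printf "loginShell: %s\nuidNumber: %s\ngidNumber: %s\n", $7, $3, $4
        printf "homeDirectory: %s\ngecos: %s\n", $6, $5
    }'
}

# Stand-alone run: print the entry for oracle from the constructed file.
passwd_to_ldif oracle "$SAMPLE_PASSWD" "dc=dev,dc=local"
```

The LDIF printed by passwd_to_ldif can be handed to ldapmodify -a exactly as the script above does with the migrate_passwd.pl output; the shadow attributes (userPassword from /etc/shadow) are deliberately left to the migration tools, which run as root and have access to that file.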
TEST USERS
========
# ldapsearch -x -b 'dc=dev,dc=local' | grep oracle
Should return something like:
dn: cn=oracle,ou=Group,dc=dev,dc=local
cn: oracle
memberUid: oracle
# oracle, People, dev.local
dn: uid=oracle,ou=People,dc=dev,dc=local
uid: oracle
cn: oracle
homeDirectory: /home/oracle
gecos: oracle
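Grepping for the user name only shows that the string occurs somewhere. As an added example (not from the original page), the following POSIX sh parses the LDIF that ldapsearch prints and checks that the user has both a People entry with a home directory and a Group entry that lists it as a member. The LDIF below is a constructed sample modelled on the output shown above; on a live server replace it with the output of ldapsearch -x -b 'dc=dev,dc=local' '(|(uid=oracle)(cn=oracle))'. The DNs assume the dc=dev,dc=local suffix and the ou=People / ou=Group containers from that output.

```shell
#!/bin/sh
# Added example: check ldapsearch output for the entries the migration should
# have created. Parses ldapsearch's LDIF: "# ..." comment lines, "attr: value"
# lines, and a blank line between entries.

# Constructed sample, modelled on the ldapsearch output shown on this page.
SAMPLE_LDIF=$(mktemp)
trap 'rm -f "$SAMPLE_LDIF"' EXIT
cat > "$SAMPLE_LDIF" <<'EOF'
# oracle, Group, dev.local
dn: cn=oracle,ou=Group,dc=dev,dc=local
cn: oracle
memberUid: oracle

# oracle, People, dev.local
dn: uid=oracle,ou=People,dc=dev,dc=local
uid: oracle
cn: oracle
homeDirectory: /home/oracle
gecos: oracle
uidNumber: 501
gidNumber: 501
EOF

# ldif_attr FILE DN ATTR: print the value(s) of ATTR in the entry whose dn is DN.
ldif_attr() {
    awk -v dn="$2" -v attr="$3" '
        /^#/ { next }                                   # ldapsearch comment line
        /^$/ { in_entry = 0; next }                     # blank line ends an entry
        /^dn: / { in_entry = (substr($0, 5) == dn); next }
        in_entry && index($0, attr ": ") == 1 { print substr($0, length(attr) + 3) }
    ' "$1"
}

# user_ok FILE USER: succeed only if USER has a People entry with a homeDirectory
# and a Group entry naming it in memberUid (assumed suffix dc=dev,dc=local).
user_ok() {
    home=$(ldif_attr "$1" "uid=$2,ou=People,dc=dev,dc=local" homeDirectory)
    member=$(ldif_attr "$1" "cn=$2,ou=Group,dc=dev,dc=local" memberUid)
    [ -n "$home" ] && [ "$member" = "$2" ]
}

# Stand-alone run: report on the constructed sample.
if user_ok "$SAMPLE_LDIF" oracle; then
    echo "oracle: People and Group entries present"
else
    echo "oracle: entry missing or incomplete"
fi
```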
CLIENT
====================================================================
# env LANG=C authconfig-tui
On first screen ensure LDAP is selected
On first screen ensure MD5 is selected
On first screen ensure SHADOW PASSWORDS is selected
On second screen enter the LDAP server's IP address
On second screen enter the base DN, e.g. dc=dev,dc=local
On second screen do not select TLS
EXIT
the file /etc/openldap/ldap.conf should now exist and contain the data entered above.
The file /etc/nsswitch.conf should have LDAP referenced.
Ensure the ldapuser account does not exist on the client.
# grep ldapuser /etc/passwd
Create the ldapuser home
# mkdir /home/ldapuser
Check ldap is working
# chown ldapuser:users /home/ldapuser
If the directory ownership is changed then ldap is working.
Also check ldap with:
# ldapsearch -x -b 'dc=dev,dc=local' '(objectclass=*)'
Should list the full directory
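As an added example (not from the original page or from authconfig), the following POSIX sh verifies the two client files the steps above rely on: that /etc/openldap/ldap.conf carries a BASE and a HOST or URI, and that the passwd, shadow and group lines of /etc/nsswitch.conf list ldap as a source. The two files below are constructed samples with a placeholder server address; on a real client pass the actual paths. Because TLS is left unselected above, binds and lookups between client and server travel unencrypted, so this setup belongs on a trusted network segment only.

```shell
#!/bin/sh
# Added example: check the client files authconfig-tui should have written.
# Constructed samples below; on a client point the functions at
# /etc/openldap/ldap.conf and /etc/nsswitch.conf.

SAMPLE_LDAP_CONF=$(mktemp)
SAMPLE_NSSWITCH=$(mktemp)
trap 'rm -f "$SAMPLE_LDAP_CONF" "$SAMPLE_NSSWITCH"' EXIT
cat > "$SAMPLE_LDAP_CONF" <<'EOF'
# constructed sample; 192.0.2.10 is a placeholder server address
HOST 192.0.2.10
BASE dc=dev,dc=local
EOF
cat > "$SAMPLE_NSSWITCH" <<'EOF'
passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files dns
EOF

# ldap_conf_value FILE KEY: print the value of KEY (BASE, HOST, URI ...).
# Comment lines never match because their first field starts with "#".
ldap_conf_value() {
    awk -v key="$2" '$1 == key { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# nss_uses_ldap FILE DB: succeed if the DB line (passwd, shadow, group ...)
# names ldap among its sources.
nss_uses_ldap() {
    awk -v db="$2:" '
        BEGIN { rc = 1 }
        $1 == db { for (i = 2; i <= NF; i++) if ($i == "ldap") rc = 0 }
        END { exit rc }
    ' "$1"
}

# client_configured LDAPCONF NSSWITCH: every check the CLIENT section asks for.
client_configured() {
    [ -n "$(ldap_conf_value "$1" BASE)" ] || return 1
    [ -n "$(ldap_conf_value "$1" HOST)" ] || [ -n "$(ldap_conf_value "$1" URI)" ] || return 1
    for db in passwd shadow group; do
        nss_uses_ldap "$2" "$db" || return 1
    done
}

# Stand-alone run against the constructed samples.
if client_configured "$SAMPLE_LDAP_CONF" "$SAMPLE_NSSWITCH"; then
    echo "client configuration looks complete"
else
    echo "client configuration incomplete"
fi
```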
DEBUG
========================================================
Edit /etc/syslog.conf and add the following line (separate the two fields with tabs, not spaces):
local4.debug	/var/log/ldap.log
# touch /var/log/ldap.log
# /etc/init.d/syslogd restart
OR
# killall -HUP syslogd
OR REBOOT
WEBSITES I USED
===========
http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch31_:_Centralized_Logins_Using_LDAP_and_RADIUS
http://www.linux.com/archive/feature/114074
http://www.yolinux.com/TUTORIALS/LinuxTutorialLDAP.html
http://www.zytrax.com/books/ldap/ch6/
http://www.padl.com/Contents/OpenSourceSoftware.html
FOR Windows Active Directory
===================
For 11g clients set NAMES.LDAP_AUTHENTICATE_BIND=Yes in sqlnet.ora
http://download.oracle.com/docs/cd/B28359_01/network.111/b28528/appc.htm
http://www.oracle.com/technology/tech/windows/wp/2008/ukoug2008-oracle_activedirectory_windows_security.ppt