Re: [SLUG] Implementing LDAP Newbie! Help please

From: James Marcinek (jmarc1@jemconsult.biz)
Date: Wed Sep 29 2004 - 19:56:49 EDT


I have my linux server acting as a domain controller already (using Samba). I
want to also integrate other applications (such as OpenGroupware) as well as
integrate the Unix systems (hopefully using winbind but first things first).
There are some samba-ldap tools (I'm using Red Hat) and they're located in
/usr/share/doc/samba-3.0.7/LDAP/smbldap-tools. The ../LDAP directory contains
the samba.schema that is used. I'm hoping to use the pdbedit command to export my
current tdbsam into an ldap format. I'm trying to sort through my docs to see
the best approach as well. The ldap tools have scripts that supposedly update
ldap.

slug@nks.net wrote:
> You can use Linux as a domain controller for a Windows network
> environment. Is that what you're trying to do? I got the SSO part, don't
> know much about that. I've used it before at my job...but not as the
> admin that put it together, but as joe.average.user.
>
> Russell
>
> On Wed, 2004-09-29 at 18:19, James Marcinek wrote:
> > Yes, I was kind of outlining my overall goal. I think the problem was the
> > shell script itself. I just found another good website that is giving
> > examples using the individual migrate_*.pl scripts. I'm taking this piece
> > by piece but my overall intent is to integrate my environment into a Single
> > Sign On authentication scheme. From what I've read the winbindd gives the
> > capability to have the Unix/linux systems give some type of integration
> > into a windows environment. Does anyone know if this includes samba? That
> > would be great if I could!
> >
> > Here's the site that I used to help:
> >
> > http://www.xenos.net/library/ldapauth.html
> >
> > slug@nks.net wrote:
> > > I played around with ldap at one point, and there's actually specific
> > > mailing lists to get help with open-ldap. Googling for openldap mailing
> > > list gives this: http://www.openldap.org/lists
> > >
> > > I'd offer help, but I got lost in your stuff somewhere. If you're trying
> > > this out, I'd start extremely simply, and make it more complex as you
> > > go.
> > >
> > > Russell
> > >
> > > On Wed, 2004-09-29 at 14:18, James Marcinek wrote:
> > > > Hello All,
> > > >
> > > > I'm trying to implement Open-LDAP on my linux system. I've been reading
> > > > the books/docs and online docs and I'm now to the point where I'm trying
> > > > to create my .ldif files using the /usr/share/openldap/migration tools.
> > > > I keep getting errors trying to run the migrate_all_offline.sh script.
> > > > I'll explain my environment before parsing the errors:
> > > >
> > > > I've never used NIS in this environment and I want to also implement
> > > > samba. Here's some of the slapd.conf file:
> > > >
> > > > # $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.7 2001/09/27 20:00:31 kurt Exp $
> > > > #
> > > > # See slapd.conf(5) for details on configuration options.
> > > > # This file should NOT be world readable.
> > > > #
> > > > include /etc/openldap/schema/core.schema
> > > > include /etc/openldap/schema/cosine.schema
> > > > include /etc/openldap/schema/inetorgperson.schema
> > > > include /etc/openldap/schema/nis.schema
> > > > include /etc/openldap/schema/redhat/autofs.schema
> > > > include /etc/openldap/schema/redhat/kerberosobject.schema
> > > > include /etc/openldap/schema/samba.schema
> > > >
> > > > I only added the samba.schema to the includes, all else was left alone
> > > >
> > > > My O'Reilly book for LDAP (nor any of the other docs I've come across)
> > > > doesn't discuss these entries (can anyone tell me what to use them for):
> > > >
> > > > # Load dynamic backend modules:
> > > > # modulepath /usr/sbin/openldap
> > > > # moduleload back_ldap.la
> > > > # moduleload back_ldbm.la
> > > > # moduleload back_passwd.la
> > > > # moduleload back_shell.la
> > > >
> > > > I created a slapd.pem certificate but wondered if I should wait until I
> > > > know it's running before I turn this on:
> > > >
> > > > #
> > > > # The next three lines allow use of TLS for connections using a dummy test
> > > > # certificate, but you should generate a proper certificate by changing to
> > > > # /usr/share/ssl/certs, running "make slapd.pem", and fixing permissions on
> > > > # slapd.pem so that the ldap user or group can read it.
> > > > TLSCertificateFile /usr/share/ssl/certs/slapd.pem
> > > > TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem
> > > > TLSCACertificateFile /usr/share/ssl/certs/ca-bundle.crt
> > > >
> > > > Now I'm wanting to implement Samba with this and I found a sample
> > > > slapd.conf file that indicated setting the following. I'm a bit confused
> > > > about the ou=People entry but I'm assuming this will all be setup by the
> > > > schema. However my rootdn is different (see below this entry):
> > > >
> > > > access to attrs=lmPassword,ntPassword
> > > > by dn="cn=root,ou=People,dc=jemconsult,dc=biz" write
> > > > by * none
> > > > access to dn="dc=jemconsult,dc=biz"
> > > > by self write
> > > > by * read
> > > >
> > > > As I'm new I didn't change the database type that was defined in the
> > > > file (left as is). Would it be advisable to change the type and if so
> > > > did they too get installed with the default open-ldap packages?
> > > >
> > > > database ldbm
> > > > suffix "dc=jemconsult,dc=biz"
> > > > rootdn "cn=root,dc=jemconsult,dc=biz"
> > > > rootpw {SSHA}I'VE_SET_THIS_TOO
> > > >
> > > > The directory permissions have been set for the database to 700:
> > > > directory /var/lib/ldap
> > > >
> > > > I left most of my indices but added a few for Samba (from examples):
> > > > # Indices to maintain
> > > > index objectClass,uid,uidNumber,gidNumber,memberUid pres,eq
> > > > index cn,mail,surname,givenname eq,subinitial
> > > > index sambaSID eq
> > > > index sambaPrimaryGroupSID eq
> > > > index sambaDomainName eq
> > > > index default sub
> > > >
> > > > All of my replication stuff is commented out as I don't need it yet and
> > > > don't want to further complicate the matter.
> > > >
> > > > Now when I run the /usr/share/openldap/migration/migrate_all_offline.sh
> > > > I get the following output (I started the debugging mode #!/bin/sh -x):
> > > >
> > > > [root@srv01 migration]# ./migrate_all_offline.sh
> > > > + INSTDIR=/usr/share/openldap/migration/
> > > > ++ mktemp /tmp/nis.ldif.XXXXXX
> > > > + DB=/tmp/nis.ldif.zfjTlI
> > > > + '[' X = X ']'
> > > > + ETC_ALIASES=/etc/aliases
> > > > + '[' X = X ']'
> > > > + ETC_HOSTS=/etc/hosts
> > > > + '[' X = X ']'
> > > > + ETC_NETWORKS=/etc/networks
> > > > + '[' X = X ']'
> > > > + ETC_PASSWD=/etc/passwd
> > > > + '[' X = X ']'
> > > > + ETC_GROUP=/etc/group
> > > > + '[' X = X ']'
> > > > + ETC_SERVICES=/etc/services
> > > > + '[' X = X ']'
> > > > + ETC_PROTOCOLS=/etc/protocols
> > > > + '[' X = X ']'
> > > > + ETC_RPC=/etc/rpc
> > > > + '[' X = X ']'
> > > > + ETC_NETGROUP=/etc/netgroup
> > > > + '[' X = X ']'
> > > > + '[' -x /usr/bin/perl ']'
> > > > + PERL=/usr/bin/perl
> > > > + '[' X = X ']'
> > > > + '[' -x /usr/local/etc/ldif2ldbm ']'
> > > > + '[' -x /usr/local/sbin/ldif2ldbm ']'
> > > > + '[' -x /usr/sbin/ldif2ldbm ']'
> > > > + '[' -x /bin/slapd/server/ns-slapd ']'
> > > > + '[' -x /usr/iplanet/servers/bin/slapd/server/dsimport ']'
> > > > + '[' -x /usr/local/sbin/slapadd ']'
> > > > + '[' -x /usr/sbin/slapadd ']'
> > > > + SLAPADD=/usr/sbin/slapadd
> > > > + echo 'Creating naming context entries...'
> > > > Creating naming context entries...
> > > > + /usr/bin/perl -I/usr/share/openldap/migration/
> > > > /usr/share/openldap/migration/migrate_base.pl
> > > > + echo 'Migrating aliases...'
> > > > Migrating aliases...
> > > > + /usr/bin/perl -I/usr/share/openldap/migration/
> > > > /usr/share/openldap/migration/migrate_aliases.pl /etc/aliases
> > > > + echo 'Migrating groups...'
> > > > Migrating groups...
> > > > + /usr/bin/perl -I/usr/share/openldap/migration/
> > > > /usr/share/openldap/migration/migrate_group.pl /etc/group
> > > > + echo 'Migrating hosts...'
> > > > Migrating hosts...
> > > > + /usr/bin/perl -I/usr/share/openldap/migration/
> > > > /usr/share/openldap/migration/migrate_hosts.pl /etc/hosts
> > > > + echo 'Migrating networks...'
> > > > Migrating networks...
> > > > + /usr/bin/perl -I/usr/share/openldap/migration/
> > > > /usr/share/openldap/migration/migrate_networks.pl /etc/networks
> > > > + echo 'Migrating users...'
> > > > Migrating users...
> > > > + /usr/bin/perl -I/usr/share/openldap/migration/
> > > > /usr/share/openldap/migration/migrate_passwd.pl /etc/passwd
> > > > + echo 'Migrating protocols...'
> > > > Migrating protocols...
> > > > + /usr/bin/perl -I/usr/share/openldap/migration/
> > > > /usr/share/openldap/migration/migrate_protocols.pl /etc/protocols
> > > > + echo 'Migrating rpcs...'
> > > > Migrating rpcs...
> > > > + /usr/bin/perl -I/usr/share/openldap/migration/
> > > > /usr/share/openldap/migration/migrate_rpc.pl /etc/rpc
> > > > + echo 'Migrating services...'
> > > > Migrating services...
> > > > + /usr/bin/perl -I/usr/share/openldap/migration/
> > > > /usr/share/openldap/migration/migrate_services.pl /etc/services
> > > > + echo 'Migrating netgroups...'
> > > > Migrating netgroups...
> > > > + /usr/bin/perl -I/usr/share/openldap/migration/
> > > > /usr/share/openldap/migration/migrate_netgroup.pl /etc/netgroup
> > > > + echo 'Importing into LDAP...'
> > > > Importing into LDAP...
> > > > + echo 'Migrating netgroups (by user)...'
> > > > Migrating netgroups (by user)...
> > > > + /usr/bin/perl -I/usr/share/openldap/migration/
> > > > /usr/share/openldap/migration/migrate_netgroup_byuser.pl /etc/netgroup
> > > > sh: line 1: /etc/netgroup: No such file or directory
> > > > + echo 'Migrating netgroups (by host)...'
> > > > Migrating netgroups (by host)...
> > > > + /usr/bin/perl -I/usr/share/openldap/migration/
> > > > /usr/share/openldap/migration/migrate_netgroup_byhost.pl /etc/netgroup
> > > > sh: line 1: /etc/netgroup: No such file or directory
> > > > + echo 'Preparing LDAP database...'
> > > > Preparing LDAP database...
> > > > + '[' X/usr/sbin/slapadd = X ']'
> > > > + /usr/sbin/slapadd -l /tmp/nis.ldif.zfjTlI
> > > > slapadd: could not parse entry (line=71)
> > > > + EXITCODE=1
> > > > + '[' X '!=' Xno ']'
> > > > + exit 1
> > > >
> > > >
> > > > When I parse the temp file on line 71 I get the following (set nu
> > > > enabled):
> > > >
> > > > 71
> > > > 72 dn: cn=info,ou=Aliases,dc=jemconsult,dc=biz
> > > > 73 cn: info
> > > > 74 objectClass: nisMailAlias
> > > > 75 objectClass: top
> > > > 76 rfc822MailMember: jmarc1
> > > >
> > > >
> > > > I get files produced in the /var/lib/ldap directory:
> > > >
> > > > ls -la /var/lib/ldap
> > > > total 40
> > > > drwx------ 2 ldap ldap 4096 Sep 29 12:30 .
> > > > drwxr-xr-x 23 root root 4096 Sep 17 17:50 ..
> > > > -rw------- 1 root root 8192 Sep 29 12:30 dn2id.dbb
> > > > -rw------- 1 root root 8192 Sep 29 12:30 id2entry.dbb
> > > > -rw------- 1 root root 8192 Sep 29 12:30 nextid.dbb
> > > > -rw------- 1 root root 8192 Sep 29 12:30 objectClass.dbb
> > > >
> > > > I think I'll have to change the permissions later (after I'm sure it'll
> > > > work)
> > > >
> > > > As I'm getting these errors with the shell script I'm not sure of how to
> > > > proceed. Can anyone give me some pointers?
> > > >
> > > > Thanks,
> > > >
> > > > James
> > > >
> > > > -----------------------------------------------------------------------
> > > > This list is provided as an unmoderated internet service by Networked
> > > > Knowledge Systems (NKS). Views and opinions expressed in messages
> > > > posted are those of the author and do not necessarily reflect the
> > > > official policy or position of NKS or any of its employees.
> > >
> >
> >
>

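The record that slapadd rejects can be located and syntax-checked without re-running the whole migration. This is an added example, not code from the thread or from the OpenLDAP migration tools; the sample LDIF is constructed after the cn=info alias entry quoted above, and it checks LDIF syntax only (slapadd also rejects a syntactically clean record for schema reasons, such as an attribute no included schema file defines, which this check cannot see).

```python
import re

ATTR_RE = re.compile(r'^[A-Za-z][A-Za-z0-9-]*(;[A-Za-z0-9-]+)*$')  # RFC 2849 attribute description
LINE_RE = re.compile(r'^([^:]+):(:|<)?\s?(.*)$')                     # "attr: value", "attr:: b64", "attr:< url"

def split_records(text):
    """[(first_line, last_line, logical_lines)] per LDIF record; folds continuations, drops comments."""
    records, cur, start = [], [], None
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip():                 # blank line terminates a record
            if cur:
                records.append((start, no - 1, cur))
                cur, start = [], None
        elif line.startswith(' ') and cur:   # leading space = folded continuation of previous line
            cur[-1] += line[1:]
        elif not line.startswith('#'):
            start = start or no
            cur.append(line)
    if cur:
        records.append((start, no, cur))
    return records

def check_record(lines):
    """LDIF syntax problems slapadd's parser would reject; [] if none are found."""
    problems = []
    if not lines or not lines[0].lower().startswith('dn:'):
        problems.append('record does not start with a dn: line')
    for l in lines:
        m = LINE_RE.match(l)
        if not m or not ATTR_RE.match(m.group(1)):
            problems.append(f'not a valid "attr: value" line: {l!r}')
    return problems

def record_at(text, line_no):
    """(first_line, lines) of the record covering line_no; a blank separator line maps to the entry after it."""
    for start, end, lines in split_records(text):
        if end >= line_no:
            return start, lines
    return None, []

# Constructed sample: a well-formed alias entry, then one with a space inside an attribute name.
SAMPLE_LDIF = """dn: cn=info,ou=Aliases,dc=jemconsult,dc=biz
objectClass: nisMailAlias
rfc822MailMember: jmarc1

dn: cn=postmaster,ou=Aliases,dc=jemconsult,dc=biz
objectClass: nisMailAlias
rfc822 MailMember: root
"""
```

Feeding it the line number from slapadd's "could not parse entry (line=N)" message, as in `record_at(open('/tmp/nis.ldif.XXXXXX').read(), 71)`, returns the offending record so `check_record` can be run on it.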



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 18:17:45 EDT