Differences between revisions 1 and 2
Revision 1 as of 2004-01-11 21:34:10
Size: 3868
Editor: anonymous
Comment:
Revision 2 as of 2004-01-26 20:13:46
Size: 4264
Editor: anonymous
Comment:
Configuring LDAP Authentication for Debian

LDAPMigrationTools

Importing Data

1. Install the LDAP migration tools

Do 'apt-get install migrationtools' (this is the package name in stable, a.k.a. 'woody', although I would not be surprised if the package gets renamed).

2. Edit a migration tool configuration file

Edit /etc/migrationtools/migrate_common.ph and change the lines shown below to match your site.

Wherever you see the line 'objectClass = account', comment it out with a '#'.

  # Default DNS domain
  $DEFAULT_MAIL_DOMAIN = "yourhost.your.domain";
  #
  # Default base
  $DEFAULT_BASE = "dc=yourhost,dc=your,dc=domain";
  #
  # turn this on to support more general object classes
  # such as person.
  $EXTENDED_SCHEMA = 0;
  #
  # Uncomment these to avoid Debian-managed system users and groups
  $IGNORE_UID_BELOW = 1000;
  $IGNORE_GID_BELOW = 100;


NOTE

Note that EXTENDED_SCHEMA is set to '1' in many other documents.

I found that this caused problems for me as I don't know if Debian includes all the additional schema definitions in /etc/ldap/schema/.

This problem has to do with the version of slapd that you are running. If you are running slapd 2.0.x then you may use EXTENDED_SCHEMA=1 freely. If you are using slapd 2.1.x then you can set the value to '1', but you must make a small change to the ldif file.


3. Import the data

Import all the data into LDAP by doing the following as 'root' and answering questions as required. Note that if you don't do this as root, the shadow passwords will not be imported, and you will have all sorts of strange problems:

  # cd /usr/share/migrationtools
  # LDAPADD="/usr/bin/ldapadd -c" ./migrate_all_online.sh

4. Verify the data was imported

Check that the data is in there using 'ldapsearch' as above under Tools.

5. Synchronize the password encoding

Make sure the password encoding as stored in LDAP is something glibc can understand. I'm using '{MD5}', but you can use '{CRYPT}'. Anything else will not work.

6. If you do not want to move all of your data

If you don't want to migrate everything (migrate_all_online.sh also moves a lot of IP-related data into the LDAP tree, which makes your system a whole lot slower), proceed as follows.

First we need to fix a bug in 'migrate_group'. In the migrationtools package (version 40-1) the 'migrate_group' script, around lines 55 and 56, compares '$uid' where it should compare '$gid'.

Change them into:

 next if (int($IGNORE_GID_BELOW) and int($gid) < int($IGNORE_GID_BELOW));
 next if (int($IGNORE_GID_ABOVE) and int($gid) > int($IGNORE_GID_ABOVE));

Do not forget to change 'int($uid)' to 'int($gid)' on both lines...

Move all the data in three steps:

Step 1:

 # cd /usr/share/migrationtools

Step 2:

 # ./migrate_base > base.ldif
 # ./migrate_group /etc/group > group.ldif
 # ./migrate_passwd /etc/passwd >passwd.ldif

Step 3:

 # ldapadd -x -W -h localhost -D "cn=admin,dc=yourdomain,dc=com" -c -f base.ldif
 # ldapadd -x -W -h localhost -D "cn=admin,dc=yourdomain,dc=com" -c -f group.ldif
 # ldapadd -x -W -h localhost -D "cn=admin,dc=yourdomain,dc=com" -c -f passwd.ldif

And you are done.

During the import of the base.ldif file you get two (2) warnings -- ignore them. The Debian package creates 'base.ldif' with 'ou=People' already populated.
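Before running the ldapadd commands in Step 3 it is worth checking the generated passwd.ldif for the two mistakes the page warns about: a run without root leaves the /etc/passwd placeholder instead of the shadow hash (step 3), and a userPassword scheme other than {CRYPT} or {MD5} will not work with glibc (step 5); it also checks that no system account below IGNORE_UID_BELOW slipped in. This is an added example, not part of the wiki page or of migrationtools; the LDIF sample and the hash in it are constructed, and the minimal LDIF reader assumes the unfolded 'attr: value' lines migrate_passwd emits.

```python
import re

# Added example, not migrationtools code. Audit a passwd.ldif before ldapadd.
GLIBC_SCHEMES = {"CRYPT", "MD5"}   # the page: any other scheme will not work
PLACEHOLDERS = {"x", ""}           # 'x' means /etc/shadow was never read
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$")

# Constructed sample in the shape migrate_passwd emits; not real accounts or hashes.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
uidNumber: 1001
userPassword: {crypt}$1$saltsalt$Ngj3.u6fOjw1uMfl8o6Vb1

dn: uid=bob,ou=People,dc=example,dc=com
uidNumber: 1002
userPassword: {crypt}x

dn: uid=daemon,ou=People,dc=example,dc=com
uidNumber: 1
userPassword: {crypt}*

dn: uid=carol,ou=People,dc=example,dc=com
uidNumber: 1003
userPassword: {SSHA}c2hvdWxkLW5vdC1iZS1oZXJl
"""

def parse_ldif(text):
    """Minimal LDIF reader: blank-line-separated entries of 'attr: value' lines."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip(), []).append(value.strip())
        entries.append(entry)
    return entries

def audit_passwd_ldif(text, ignore_uid_below=1000):
    """Return (dn, problem) pairs; an empty list means the file is safe to add."""
    problems = []
    for e in parse_ldif(text):
        dn = e["dn"][0]
        uid_number = int(e.get("uidNumber", ["-1"])[0])
        if 0 <= uid_number < ignore_uid_below:       # mirrors $IGNORE_UID_BELOW
            problems.append((dn, f"system account (uidNumber {uid_number}) below cut-off"))
        for pw in e.get("userPassword", []):
            m = SCHEME_RE.match(pw)
            if not m:
                problems.append((dn, "userPassword lacks a {SCHEME} prefix"))
            elif m.group(1).upper() not in GLIBC_SCHEMES:
                problems.append((dn, f"{{{m.group(1)}}} scheme is not usable by glibc"))
            elif m.group(2) in PLACEHOLDERS:
                problems.append((dn, f"hash is placeholder {m.group(2)!r}: rerun migrate_passwd as root"))
    return problems
```

Run it on the real passwd.ldif with `audit_passwd_ldif(open("passwd.ldif").read())` and fix every reported entry before Step 3; a locked account ('*' or '!' after the scheme) is reported only if its uidNumber is below the cut-off.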

7. Verify things are running correctly

Be sure to set your defaults in /etc/ldap/ldap.conf to point at your LDAP server, then run ldapsearch and see if it returns anything:

 # ldapsearch -b'dc=example,dc=com'

03-12-26:
---
This search line did not work for me, but this one does:

 ldapsearch -b "ou=People,dc=example,dc=com" -LLL -D "cn=admin,dc=example,dc=com" \
   -H "ldap://127.0.0.1:389/" -W -x "(uid=loginnameoftestuser)"

Enter the password for cn=admin,dc=example,dc=com when prompted. Then you should get a few lines of account info. If you return to the prompt directly, the uid was not found.
---

The ["LDAPAuthenticationTools"] page has more info about reading the output.


See Also:

  • ["LDAPAuthentication"]