Configuring LDAP Authentication for Debian

LDAPMigrationTools

Importing Data

1. Install the LDAP migration tools

Do 'apt-get install migrationtools' (for stable (a.k.a. 'woody'), although I would not be surprised if this package gets renamed).

2. Edit a migration tool configuration file

Edit /etc/migrationtools/migratecommon.ph by changing the following lines.

Wherever you see the line 'objectClass = account', comment it out with a '#'.

  # Default DNS domain
  $DEFAULT_MAIL_DOMAIN = "yourhost.your.domain";
  #
  # Default base
  $DEFAULT_BASE = "dc=yourhost,dc=your,dc=domain";
  #
  # turn this on to support more general object classes
  # such as person.
  $EXTENDED_SCHEMA = 0;
  #
  # Uncomment these to avoid Debian-managed system users and groups
  $IGNORE_UID_BELOW = 1000;
  $IGNORE_GID_BELOW = 100;


NOTE

Note that EXTENDED_SCHEMA is set to '1' in many other documents.

I found that this caused problems for me as I don't know if Debian includes all the additional schema definitions in /etc/ldap/schema/.

This problem has to do with the version of slapd that you are running. If you are running slapd 2.0.x then you may use EXTENDED_SCHEMA=1 freely. If you are using slapd 2.1.x then you can set the value to '1', but you must make a small change to the ldif file.

(Debian doesn't include a kerberos.schema, so one must manually edit passwd.ldif to remove the two lines refering to kerberos. slapd 2.1 also has a problem with having both account and inetOrgPeson as object classes. I believe inetOrgPerson is a superset of account, and removed account, and was able to import the data. TRL)


3. Import the data

Do you want to import everything, or are you just wanting to do user/password lookups? If you are only doing this as an NIS replacement, you can probably skip through to step 5 or 6 below.

To import all the data into LDAP, do the following as 'root' and answering questions as required. Note that if you don't do this as root, the shadow passwords will not be imported, and you will have all sorts of strange problems: see 6 to adjust migrate_groups

  # cd /usr/share/migrationtools
  # LDAPADD="/usr/bin/ldapadd -c" ./migrate_all_online.sh

4. Verify the data was imported

Check that the data is in there using 'ldapsearch' as above under Tools.

5. Synchronize the password encoding

Make sure the password encoding as stored in the LDAP is something glibc can understand. I'm using '{["MD5"}]', but you can use '{CRYPT}'. Anything else will not work.

The migration script doesn't appear to detect the coding; if it's reading from a shadow file it simply tacks '(CRYPT}' on ahead of the encrypted password it found. This can be a problem if your system has actually stored the passwords in ["MD5"] format. I don't know how to get around this; editing the migrate_passwd.pl script or creating and then editing an ldif (see below) might work. -Rj

6. If you do not want to move all of your data

If you don't want to do it all (migrate_all_online.sh also moves a lot of IP-related stuff into the LDAP tree ... (yep this makes yor system a whole lot slower).

First we need to fix a bug in 'migrate_group' There is a bug in the migrationtools package (version 40-1) 'migrate_group' script around lines 55 and 56.

Change them into:

 next if (int($IGNORE_GID_BELOW) and int($gid) < int ($IGNORE_GID_BELOW));

 next if (int($IGNORE_GID_ABOVE) and int($gid) > int($IGNORE_GID_ABOVE));

Do not forget to change 'int($uid)' to 'int($gid)' on both lines...

Move all the data in three steps:

Step 1:

 # cd /usr/share/migrationtools

Step 2:

 # ./migrate_base.pl > base.ldif
 # ./migrate_group.pl /etc/group > group.ldif
 # ./migrate_passwd.pl /etc/passwd >passwd.ldif

Step 3:

 # ldapadd -x -W -h localhost -D "cn=admin,dc=yourdomain,dc=com" -c -f base.ldif
 # ldapadd -x -W -h localhost -D "cn=admin,dc=yourdomain,dc=com" -c -f group.ldif
 # ldapadd -x -W -h localhost -D "cn=admin,dc=yourdomain,dc=com" -c -f passwd.ldif

And you are done.

During the import of the base.ldif files you get two (2) warnings -- ignore them. The Debian package creates 'base.ldif' with 'ou=People' already populated.

7. Verify things are running correctly

Be sure to set your defaults in /etc/ldap/ldap.conf to point at your LDAP server, then run ldapsearch and see if it returns anything:

 # ldapsearch -x -D'dc=example,dc=com'

03-12-26: --- This search line did not work for me, but this one does:

 ldapsearch -b "ou=People,dc=example,dc=com" -LLL -D "cn=admin,dc=example,dc=com" \
 -H "ldap://127.0.0.1:389/" -W -x "(uid=loginnameoftestuser)"

Enter det password for the cn=admin,dc=example,dc=com when prompted. Then you should get a few lines if account info. If you return to prompt directly the uid was not found.

04-01-06: The original search line didn't work for me either but simply appending -x does make it work. I don't know what the implications of this are yet.

2004-07-28: The -x switches to "simple authentication" instead of "SASL" -- Balu

04-04-11

  # ldapsearch -x

This works for me. It shows an unauthenticated view of the database. I.E. it doesn't show password lines. This works only if one has edited ldap.conf correctly. TRL

---

[This page http:index.cgi?["LDAPAuthenticationTools"]] has more info about reading the output .


See Also: