Installing and configuring OpenLDAP for RedHat Enterprise Linux3

 

(SimpleBind + SSL/TLS/start_tls + without-sasl + automount + netgroup + sudo + apache)

(See also related documents at http://web.singnet.com.sg/~garyttt/)

 

Credits: OpenLDAP is an open-source product brought to us by the OpenLDAP core team.

 

http://www.openldap.org/project/

 

Last Updated: 5-May-2007

 

Purpose:

 

This document describes the steps involved in installing and configuring an OpenLDAP Directory Server on RedHat EL3, to be accessed by RedHat and Solaris 8/9 LDAP clients. Many useful productivity UNIX shell scripts are also provided in this document.

 

To use LDAP centralized authentication with nss_ldap and pam_ldap, i.e. to use the LDAP "uid" and "userPassword" attributes for UNIX account id and password lookup, you must also complete the setup documented in "Installing and configuring OpenSSH with pam_ldap for RedHat Enterprise Linux3" and/or "Installing and configuring OpenSSH with pam_ldap for Solaris9".

 

Another related document "Deploying Solaris Native LDAP Client by using automated scripts", describes the steps involved in building up an infrastructure environment for rapid deployment of Native LDAP Client.

 

Useful URLs:

·         QuickStart to OpenLDAP: http://www.openldap.org/doc/admin23/quickstart.html

·         Replication with slurpd: http://www.openldap.org/doc/admin23/replication.html

·         How to install and configure Solaris 9 for Authentication with OpenLDAP 2.1 http://netmojo.ca/howto/solaris-openldap.html

·         OpenLDAP SSL/TLS How-To: http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html

·         Replacing NIS with Kerberos and LDAP: http://ofb.net/~jheiss/krbldap/

·         Replacing NIS with Kerberos and LDAP: http://www.ofb.net/~jheiss/krbldap/kerberos_and_ldap.html

·         SUN Solaris9's “System Administration Guide: Naming and Directory Services - May 2002”: http://docs.sun.com/app/docs/doc/816-4856

·         SUN Solaris10's “System Administration Guide: Naming and Directory Services”: http://docs.sun.com/app/docs/doc/816-4556

·         Using TLS (from OpenLDAP Admin. Guide)

http://www.openldap.org/doc/admin23/tls.html

·         Chinese version of OpenLDAP HOW-TO

      http://www.ringkee.com/note/opensource/openldap.htm

      http://www.nseasy.net/

·         Highly Available LDAP

http://linuxjournal.com/article/5505

·         OpenSSH LDAP Public Key Patch

http://www.opendarwin.org/projects/openssh-lpk/

·         BIND9.NET LDAP Page

http://www.bind9.net/ldap

·         LDAP Error and Status Codes

http://www.directory-info.com/LDAP/LDAPErrorCodes.html

·         LDAP Client Login Authentication

      http://yolinux.com/TUTORIALS/LDAP_Authentication.html

·         Integrating AIX into Heterogenous LDAP Environments

      http://www.redbooks.ibm.com/redbooks/pdfs/sg247165.pdf

·         Integrating  UNIX/Linux LDAP Clients into Active Directory – ad4unix

      http://sourceforge.net/projects/ad4unix/

·         Integrating  Windows Clients into UNIX/Linux LDAP Server - pGina

      http://sourceforge.net/projects/pgina/

 

Public Mail Lists:

http://lists.fini.net/mailman/listinfo/ldap-interop

http://www.openldap.org/lists/openldap-software (please search FAQ/MailList archives before posting)

http://www.ldapguru.com/

http://www.dbforums.com/ (comp.unix.solaris)

http://bbs.chinaunix.net/ (Chinese web site)

 

Freeware tools used:

·         Berkeley DB 4.2.52 or later - http://www.sleepycat.com/

·         NSS_LDAP 2.2.X and PAM_LDAP 1.6.X or later – http://www.padl.com/

·         OpenSSL 0.9.7e or later – http://www.openssl.org/

·         OpenLDAP 2.3.XX or later - http://www.openldap.org/

·         BIND9.NET LDAP Tools: http://www.bind9.net/ldap-tools

·         LDAP Browser/Editor: http://www-unix.mcs.anl.gov/~gawor/ldap/

·         JXplorer Java LDAP Browser/Editor: http://pegacat.com/jxplorer/  (can do SSL connection)

·         PHP-LDAP-ADMIN: http://freshmeat.net/projects/phpldapadmin/

·         Other Graphical LDAP Tools: http://en.tldp.org/HOWTO/LDAP-HOWTO/graphicaltools.html

·         Novell LDAP CoolTools http://www.novell.com/coolsolutions/tools/bycategory/168.html

 

Example used:

 

·         MASTER OpenLDAP Server: ldap1.example.com, 192.168.1.168

·         SLAVE OpenLDAP Server: ldap2.example.com, 192.168.1.178

·         RedHat EL3 LDAP Client: client1.example.com, 192.168.1.188

·         Solaris8 LDAP Client: client2.example.com, 192.168.1.198

·         Solaris9 LDAP Client: client3.example.com, 192.168.1.208

 

It is highly recommended that OS level Security Hardening be applied to all LDAP Servers. Note that MASTER and SLAVE OpenLDAP Server can be based on RedHat Linux or Solaris operating system.

 

Preparation Steps:

 

This step is for BOTH OpenLDAP Server(s) as well as Clients

 

Please ensure that IP addresses of LDAP Servers are defined in DNS and/or /etc/hosts

 

It is important that the Fully Qualified Domain Name (eg: ldap1.example.com) be listed as the first entry right after the IP address, as shown below:

192.168.1.168             ldap1.example.com    ldap1

 

Please ensure that LDAP domain example.com is defined in /etc/resolv.conf

 

Run the following command to set LDAP domainname

# domainname example.com

 

IMPORTANT NOTE: Remove the stock openldap-servers rpm before building the OpenLDAP server component from source, and the openldap-clients rpm before building the client component; otherwise the RPM-installed binaries and the source-built ones will shadow each other:

 

# rpm -qa | grep openldap

openldap-devel-2.X.XX-X

openldap-servers-2.X.XX-X

openldap-2.X.XX-X

openldap-clients-2.X.XX-X

# mv /etc/init.d/ldap /etc/init.d/ldap.saved
# rpm -e --nodeps openldap-servers-2.0.27-1X
# rpm -e --nodeps openldap-clients-2.0.27-1X
# mv /etc/init.d/ldap.saved /etc/init.d/ldap

Add two lines to the "start" function in /etc/init.d/ldap. This fixes a slapd start-up failure caused by the file permissions of slapd.pid and slapd.args: slapd runs as user ldap and cannot create them under the root-owned /var/run, so the init script pre-creates them with the right owner.

function start() {
        # gtay, 23-Jan-2006, added 2 lines to fix OpenLDAP 2.3.XX startup issue
        touch /var/run/slapd.pid; chown ldap:ldap /var/run/slapd.pid
        touch /var/run/slapd.args; chown ldap:ldap /var/run/slapd.args
        # Start daemons.
        prog=`basename ${slapd}`
        echo -n $"Starting $prog: "

}

Optional steps, as "rpm -e" of the openldap-servers rpm renames the existing configuration files with a .rpmsave extension:
# cd /etc/openldap
# mv slapd.conf.rpmsave slapd.conf
# cd schema/redhat
# mv autofs.schema.rpmsave autofs.schema
# chown -R ldap:ldap /etc/openldap

Note 1: RHEL3 has OpenLDAP 2.0.27-XX rpm and RHEL4 has OpenLDAP 2.2.13-XX rpm.

Note 2: In case "rpm -e" invokes a post-removal script that removes the useful /etc/init.d/ldap script, the two "mv" commands above are used to retain it.

 

=== For those who do not want to build from source:

Buchan has done a great job building RHEL/Mandriva OpenLDAP 2.3.XX RPMs for us; see his mailing-list note:

 
For the future, either:
a) Upgrade to 2.3 which doesn't/shouldn't need the operations listed
below (hint: http://anorien.csc.warwick.ac.uk/mirrors/buchan/openldap/ has
packages which are parallel installable with the original RH packages and affect
no other aspects of the OS or any packages provided by it)
b) Do some things RH missed out which are necessary on 2.2:
- ensure database recovery is run any time that it is likely that slapd has been
shut down uncleanly. The strategy I prefer is doing database recovery in
the start() function of the initscript (not restart though).
- ensure the database is checkpointed (run db_checkpoint with appropriate
options from and as the appropriate user from cron)

Regards,
Buchan

===

 

Step 1: Install Berkeley DB 4.X.XX +4 patches and OpenSSL 0.9.7e

 

This step is for OpenLDAP Server(s) ONLY, not for LDAP Clients. A recent RedHat client (RHFC3 or later) will most likely already have workable, supported OpenLDAP client, PADL, BDB and OpenSSL library RPMs; for a Solaris LDAP client, I recommend using its native LDAP library.

 

IMPORTANT: Carry out these configuration steps logged in as root at the LOCAL SYSTEM CONSOLE, and in addition keep MULTIPLE REMOTE root sessions open. If an incorrect configuration (for example of the PAM or nss lookups that will later point at this server) locks you out, an already-open session lets you repair it.

 

 

Installing these packages is OPTIONAL, as RedHat EL3 comes bundled with them; you may also OPTIONALLY compile and install OpenSSL 0.9.7e from source and overwrite the OpenSSL 0.9.7a that comes with RedHat EL3.

 

Log in as root at ldap1.example.com

 

If you are using 4.2.52, please apply these four patches:

 

# cd /var/tmp

# wget http://downloads.sleepycat.com/db-4.2.52.tar.gz
# wget http://www.sleepycat.com/update/4.2.52/patch.4.2.52.1
# wget http://www.sleepycat.com/update/4.2.52/patch.4.2.52.2

# wget http://www.sleepycat.com/update/4.2.52/patch.4.2.52.3

# wget http://www.sleepycat.com/update/4.2.52/patch.4.2.52.4

# gzip -d db-4.2.52.tar.gz
# tar xvf db-4.2.52.tar
# chmod u+w db-4.2.52/mp/mp_fget.c
# chmod u+w db-4.2.52/lock/lock.c
# cd db-4.2.52
# patch -p0 -i ../patch.4.2.52.1
# patch -p0 -i ../patch.4.2.52.2

# patch -p0 -i ../patch.4.2.52.3

# patch -p0 -i ../patch.4.2.52.4

 

Then, with or without the patches, build and install Berkeley DB:

 

# cd db-4.X.XX/build_unix

# ../dist/configure --prefix=/usr

# make clean

# make

# make install

 

# cd openssl-0.9.7e

# ./config shared --prefix=/usr                          # Build shared library

# make clean

# make

# make install

 

Note 1: --prefix=/usr is required so as to overwrite the RedHat EL3 built-in rpm.

Note 2: db-4.X.XX in the above case overwrites the db-4.X.XX-XX built into RedHat EL3.

Note 3: openssl-0.9.7e in the above case overwrites the openssl-0.9.7a built into RedHat EL3.

Note 4: once these libraries have been overwritten from source, up2date no longer delivers security fixes for them; you then own tracking the OpenSSL and Berkeley DB advisories and rebuilding when one applies.

 

The additional steps shown below are required to rename and hide the original openssl-0.9.7a files (RedHat stores the libssl and libcrypto shared objects at an odd location, /lib, which the --prefix=/usr install does not touch), and to edit /etc/man.config to include /usr/ssl/man.

 

# cd /lib

# mv -f libssl.so.4 libssl.so.4.orig

# ln -s /usr/lib/libssl.so.0.9.7 libssl.so.4

# mv -f libcrypto.so.4 libcrypto.so.4.orig

# ln -s /usr/lib/libcrypto.so.0.9.7 libcrypto.so.4

 

Note: if OpenSSL is installed in other prefix location, please make sure it could be referenced by editing /etc/ld.so.conf and run "ldconfig" to effect the changes.

 

# vi /etc/ld.so.conf

# ldconfig

 

Optionally setting up MANPATH for OpenSSL:

 

# vi /etc/man.config

Add /usr/ssl/man in front of other MANPATHs

 

Verify the version of OpenSSL:

 

# /usr/bin/openssl version

OpenSSL 0.9.7X DD Mmm YYYY

 

 

Step 2: Install OpenLDAP 2.3.XX

 

As in Step 1, this step is for OpenLDAP Server(s) ONLY, not for LDAP Clients (see the note there about client libraries).

 

If you installed Buchan's prebuilt OpenLDAP 2.3 RPMs (see the Preparation Steps above), you may skip this step; otherwise follow the steps below to compile and install OpenLDAP from source.

 

Log in as root at ldap1.example.com

 

# cd openldap-2.3.XX

# ./configure --prefix=/usr --sysconfdir=/etc --libexecdir=/usr/sbin --mandir=/usr/share/man --enable-bdb --enable-crypt --with-tls --without-cyrus-sasl --enable-ldbm

 

(Note: --enable-ldbm is only needed if you want the older LDBM backend; --enable-crypt is needed for the {CRYPT} password-hash used in slapd.conf below.)

 

# make depend

# make clean

 

Optionally, apply “result.c” patch (See Appendix)

 

# make

# make install

 

This installs the OpenLDAP server and client binaries and libraries, using /etc/openldap as the configuration directory, /etc/openldap/schema as the schema directory and /usr/var/openldap-data as the data directory. To use the RedHat default data directory, /var/lib/ldap, change the "directory" directive in /etc/openldap/slapd.conf.

 

IMPORTANT NOTE: Whenever RedHat "up2date" is run and overwrites the version you have built from source, restore your intended version by running "make install" from the build directory again. Alternatively, remove the openldap*.rpm packages with "rpm -e --nodeps" (as in the Preparation Steps) prior to building OpenLDAP from source, so that up2date has nothing to update.

 

Step 3: Create OpenLDAP Server

 

This step is for OpenLDAP Server(s).

 

If you did not install RedHat OpenLDAP RPMs and choose to compile/install the package from source, then please create a user for the OpenLDAP owner of data/binary files, prior to anything. User id of 55 and Group id of 55 are intentionally chosen to tally with the ldap:ldap user created by installing from RedHat RPMs.

 

# groupadd -g 55 ldap

# useradd -u 55 -g 55 -d /var/lib/ldap -s /bin/false ldap

 

Create a blank default OpenLDAP data directory, protect this directory

 

# mkdir -p /var/lib/ldap                                     # directory already exists if RedHat rpms are installed

# chmod 700 /var/lib/ldap

# chown -R ldap:ldap /var/lib/ldap                  # user ldap:ldap already exists if RH rpms are installed

# chown -R ldap:ldap /etc/openldap

 

Create a blank /home/ldap directory, this will be used to keep .ldif generated by the productivity scripts db2ldif_group.sh and db2ldif_People.sh, and used for my script-based LDAP replication scripts, openldap_repl_group.sh and openldap_repl_People.sh. Alternatively, you may also use the OpenLDAP built-in replication feature.

 

# mkdir -p /home/ldap; chown ldap:ldap /home/ldap

 

Create SSL self-signing certificates for local LDAP Server, if you intend to use SSL or TLS.

 

This can be achieved by running the productivity script cr_ssl_certs_openldap.sh at the MASTER LDAP Server, which generates a self-signed CA Cert and a CA-signed Server Cert for the MASTER LDAP Server. Later on, use the SAME CA Cert to sign the Server Cert created at the SLAVE LDAP Server. Two caveats: the script takes its key size from openssl.cnf (default_bits = 1024 in OpenSSL 0.9.7), which is below today's minimum, so set default_bits to 2048 in the copied openssl.cnf before running it; and it writes the server's private key unencrypted (-nodes), because slapd must read it at start-up without a passphrase, which is why the chmod/chown of the key file at the end matters.

 

# ./cr_ssl_certs_openldap.sh

 

Content of cr_ssl_certs_openldap.sh:

 

#! /bin/sh

#

# cr_ssl_certs_openldap.sh - Create self-signed SSL Certs for OpenLDAP server

#

# Gary Tay, 6-Mar-2004

#

 

mkdir demoCA >/dev/null 2>&1

cd demoCA

mkdir certs crl newcerts private >/dev/null 2>&1

echo "01" > serial

cp /dev/null index.txt

 

# Un-comment next two lines for RedHat

cp /usr/share/ssl/openssl.cnf openssl.cnf

ETC_OPENLDAP=/etc/openldap

# Un-comment next two lines for Others

#cp /usr/local/ssl/openssl.cnf openssl.cnf

#ETC_OPENLDAP=/usr/local/etc/openldap

 

sed -e 's/GB/SG/' \

   -e 's/Berkshire/Singapore/' \

   -e 's/Newbury/Singapore/' \

   -e 's/My Company Ltd/Example Company Ltd/' \

   -e '/default_days/s/365/3652/' \

   openssl.cnf > openssl.cnf.new

mv openssl.cnf.new openssl.cnf

 

echo "" >>openssl.cnf
echo "[ usr_cert ] " >>openssl.cnf
echo "subjectAltName=DNS:ldap.`domainname`,DNS:loadbalancer.`domainname`" >>openssl.cnf
echo "" >>openssl.cnf

 

echo "Creating CA cert..."

echo "Please enter server's FQDN when prompted for Common Name:"

openssl req -new -x509 -keyout private/cakey.pem -out cacert.pem \

            -days 3652 -config openssl.cnf

 

echo "Creating server cert..."

echo "Please enter server's FQDN when prompted for Common Name:"

openssl req -new -x509 -nodes -keyout newreq.pem -out newreq.pem \

            -days 3652 -config openssl.cnf

 

echo "Self signing server cert..."

echo "Please enter server's FQDN when prompted for Common Name:"

openssl x509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem

cd ..

openssl ca -config demoCA/openssl.cnf -policy policy_anything \

           -out demoCA/newcert.pem -infiles demoCA/tmp.pem

rm -f demoCA/tmp.pem

 

echo "Please copy CA Cert, New Cert and Key to OpenLDAP config dir..."

echo "using the following commands:"

echo "cp demoCA/cacert.pem $ETC_OPENLDAP"

echo "cp demoCA/newcert.pem $ETC_OPENLDAP/slapd-cert-ldap1.pem"

echo "cp demoCA/newreq.pem $ETC_OPENLDAP/slapd-key-ldap1.pem"

echo "chmod 640 $ETC_OPENLDAP/slapd-key-ldap1.pem"

# Uncomment for RedHat

echo "chown ldap:ldap $ETC_OPENLDAP/*.pem"

# Uncomment for Others

#echo "chown ldap:daemon $ETC_OPENLDAP/*.pem"

echo ""

 

The following is the output of running cr_ssl_certs_openldap.sh

 

# ./cr_ssl_certs_openldap.sh

Creating CA cert...

Please enter server's FQDN when prompted for Common Name:

Generating a 1024 bit RSA private key

.....................................................++++++

....++++++

writing new private key to 'private/cakey.pem'

Enter PEM pass phrase: secret

Verifying - Enter PEM pass phrase: secret

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [SG]:

State or Province Name (full name) [Singapore]:

Locality Name (eg, city) [Singapore]:

Organization Name (eg, company) [Example Ltd]:

Organizational Unit Name (eg, section) []:

Common Name (eg, your name or your server's hostname) []:ldap1.example.com

Email Address []: first_last@example.com

Creating server cert...

Please enter server's FQDN when prompted for Common Name:

Generating a 1024 bit RSA private key

....................++++++

..................................................++++++

writing new private key to 'newreq.pem'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [SG]:

State or Province Name (full name) [Singapore]:

Locality Name (eg, city) [Singapore]:

Organization Name (eg, company) [Example Ltd]:

Organizational Unit Name (eg, section) []:

Common Name (eg, your name or your server's hostname) []:ldap1.example.com

Email Address []: first_last@example.com

Self signing server cert...

Please enter server's FQDN when prompted for Common Name:

Getting request Private Key

Generating certificate request

Using configuration from demoCA/openssl.cnf

Enter pass phrase for ./demoCA/private/cakey.pem: secret

Check that the request matches the signature

Signature ok

Certificate Details:

        Serial Number: 1 (0x1)

        Validity

            Not Before: Mar 15 05:50:15 2004 GMT

            Not After : Mar 15 05:50:15 2015 GMT

        Subject:

            countryName               = SG

            stateOrProvinceName       = Singapore

            localityName              = Singapore

            organizationName          = Example Ltd

            commonName                = ldap1.example.com

        X509v3 extensions:

            X509v3 Basic Constraints:

            CA:FALSE

            Netscape Comment:

            OpenSSL Generated Certificate

            X509v3 Subject Key Identifier:

            51:F4:FB:11:07:35:79:56:B8:11:DA:5F:54:16:2C:3A:95:1C:03:2C

            X509v3 Authority Key Identifier:

            keyid:CC:95:06:D3:EF:09:13:57:1F:A2:75:B4:28:AC:E2:B7:5C:1B:5D:66

            DirName:/C=SG/ST=Singapore/L=Singapore/O=Example Ltd/CN=ldap1.example.com

            serial:00

 

Certificate is to be certified until Mar 15 05:50:15 2015 GMT (3652 days)

Sign the certificate? [y/n]:y

 

 

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

Please copy CA Cert, New Cert and Key to OpenLDAP config dir...

using the following commands:

cp demoCA/cacert.pem /etc/openldap

cp demoCA/newcert.pem /etc/openldap/slapd-cert-ldap1.pem

cp demoCA/newreq.pem /etc/openldap/slapd-key-ldap1.pem

chmod 640 /etc/openldap/slapd-key-ldap1.pem

chown ldap:ldap /etc/openldap/*.pem

 

Copy cacert.pem, slapd-cert-ldap1.pem and slapd-key-ldap1.pem created by the above script to /etc/openldap and set up the file permission protection as printed by the script.

 

Also please copy cacert.pem to all the LDAP clients that use SSL_TLS to authenticate with this LDAP Server.

 

IMPORTANT NOTE: Make sure the Common Name (CN) of the SSL Server Certificate is a Fully Qualified Domain Name (FQDN), eg: ldap1.example.com, and that this FQDN is defined in DNS AND in the /etc/hosts file. Note also that the subjectAltName the script appends to openssl.cnf lists only ldap.<domain> and loadbalancer.<domain>; clients that follow RFC 6125 ignore the CN once a DNS subjectAltName is present, so if clients will connect to the server by its own name, add that name (DNS:ldap1.example.com) to the subjectAltName as well.
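The rule behind this note, as an added example that is not part of the HOWTO or of OpenLDAP: a small Python check of which host names a server certificate covers. It uses the dictionary shape Python's ssl module returns from getpeercert(), and the two certificates are constructed by hand to mirror what cr_ssl_certs_openldap.sh produces (CN=ldap1.example.com, with and without the subjectAltName the script appends). It applies the RFC 6125 rule used by Python's ssl module and most current TLS stacks: once a DNS subjectAltName is present the CN is not consulted, which is why the server's own FQDN must appear in the subjectAltName.

```python
"""Which host names does a slapd server certificate cover?

Added example, not from the HOWTO. Certificates are represented the way
Python's ssl.SSLSocket.getpeercert() returns them; the two below are
constructed to mirror the certificates cr_ssl_certs_openldap.sh produces.
"""


def dns_name_matches(pattern, hostname):
    """RFC 6125 style comparison: case-insensitive, a wildcard only as the
    whole left-most label, never matching a bare domain or extra labels."""
    pattern = pattern.lower().rstrip('.')
    hostname = hostname.lower().rstrip('.')
    if '*' not in pattern:
        return pattern == hostname
    p_labels = pattern.split('.')
    h_labels = hostname.split('.')
    if p_labels[0] != '*' or any('*' in lbl for lbl in p_labels[1:]):
        return False        # partial wildcards such as ld*.example.com are rejected
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False        # *.com is too broad; *.example.com does not cover a.b.example.com
    return p_labels[1:] == h_labels[1:]


def cert_names(cert):
    """Return (dns_subject_alt_names, common_names) from a getpeercert() dict."""
    sans = [value for kind, value in cert.get('subjectAltName', ()) if kind == 'DNS']
    cns = [value for rdn in cert.get('subject', ())
           for key, value in rdn if key == 'commonName']
    return sans, cns


def hostname_matches(cert, hostname):
    """True if the certificate is valid for hostname. When the certificate
    carries any DNS subjectAltName, only those names count; the CN is a
    fallback used solely for certificates with no DNS subjectAltName."""
    sans, cns = cert_names(cert)
    candidates = sans if sans else cns
    return any(dns_name_matches(name, hostname) for name in candidates)


def unmatched_hosts(cert, hosts):
    """Names from an ldap.conf 'host' line that this certificate does not cover."""
    return [h for h in hosts if not hostname_matches(cert, h)]


# Constructed: the master's certificate after the script appended
# subjectAltName=DNS:ldap.example.com,DNS:loadbalancer.example.com to openssl.cnf.
MASTER_CERT_WITH_SAN = {
    'subject': ((('countryName', 'SG'),),
                (('organizationName', 'Example Ltd'),),
                (('commonName', 'ldap1.example.com'),)),
    'subjectAltName': (('DNS', 'ldap.example.com'),
                       ('DNS', 'loadbalancer.example.com')),
}

# Constructed: the same certificate with no subjectAltName, as in the
# HOWTO's first transcript, where only the CN identifies the server.
MASTER_CERT_CN_ONLY = {
    'subject': ((('commonName', 'ldap1.example.com'),),),
}

if __name__ == '__main__':
    hosts = ['ldap1.example.com', 'ldap.example.com', 'loadbalancer.example.com']
    for label, cert in (('with SAN', MASTER_CERT_WITH_SAN), ('CN only', MASTER_CERT_CN_ONLY)):
        print('%-9s not covered: %s' % (label, unmatched_hosts(cert, hosts) or 'none'))
```

Run it against the names you put on the "host" line of /etc/ldap.conf; any name it reports as not covered will fail certificate verification on a strict client even though the CN looks right.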

 

ADDITIONAL STEPS if SLAVE LDAP Server is built:

 

At the SLAVE LDAP Server, login as root and run:

# ./cr_unsigned_ssl_cert.sh

 

Go back to the MASTER LDAP Server, login as root and run :

# ./sign_ssl_cert_from_slave.sh

 

Both scripts could be found in Appendix.

 

The following shows the expected output:

 

# ./cr_unsigned_ssl_cert.sh

Please enter an unique number as Certificate Serial Number
Examples: if 01 is reserved for MASTER LDAP Server
             02 can be used for 1st SLAVE LDAP Server
             03 can be used for 2nd SLAVE LDAP Server

02

Creating un-signed SLAVE LDAP Server cert...

Please enter SLAVE LDAP Server's FQDN when prompted for Common Name:

Generating a 1024 bit RSA private key

.................++++++

...............................................++++++

writing new private key to 'newreq_slave.pem'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [US]: SG

State or Province Name (full name) [New York]: Singapore

Locality Name (eg, city) []: Singapore

Organization Name (eg, company) [Example Ltd]:

Organizational Unit Name (eg, section) []:

Common Name (eg, YOUR name) []:ldap2.example.com

Email Address []:first_last@example.com

 

# ./sign_ssl_cert_from_slave.sh

Please enter an unique number as Certificate Serial Number
Examples: if 01 is reserved for MASTER LDAP Server
             02 can be used for 1st SLAVE LDAP Server
             03 can be used for 2nd SLAVE LDAP Server

02

We must copy the unsigned SSL Server Cert from SLAVE LDAP Server

 

Enter HOSTNAME/IP of SLAVE LDAP Server: \c

ldap2

Enter directory to locate un-signed server cert/key: \c

/home/gtay/demoCA

Copying un-signed server cert/key from SLAVE LDAP Server...

newreq_slave.pem                              100% 2319   627.1KB/s   00:00

Self signing server cert for SLAVE LDAP Server...

Please enter SLAVE LDAP Server's FQDN when prompted for Common Name:

Getting request Private Key

Generating certificate request

Using configuration from demoCA/openssl.cnf

Enter pass phrase for ./demoCA/private/cakey.pem: secret

DEBUG[load_index]: unique_subject = "yes"

Check that the request matches the signature

Signature ok

Certificate Details:

        Serial Number: 1 (0x1)

        Validity

            Not Before: Oct 22 16:05:32 2004 GMT

            Not After : Oct 22 16:05:32 2015 GMT

        Subject:

            countryName               = SG

            stateOrProvinceName       = Singapore

            localityName              = Singapore

            organizationName          = Example Ltd

            organizationalUnitName    =

            commonName                = ldap2.example.com

            emailAddress              = first_last@example.com

        X509v3 extensions:

            X509v3 Basic Constraints:

                CA:FALSE

            Netscape Comment:

                OpenSSL Generated Certificate

            X509v3 Subject Key Identifier:

                F7:C2:5F:54:C1:3F:E3:16:F2:1D:F7:5E:B0:CA:C8:95:35:45:DA:A9

            X509v3 Authority Key Identifier:

                keyid:25:BC:A0:B3:45:F1:E5:25:7B:46:E5:E7:30:0F:45:EB:98:B8:36:37

                DirName:/C=SG/ST=Singapore/L=Singapore/O=Example Ltd/OU=/CN=ldap1.example.com/emailAddress=first_last@example.com

                serial:00

            X509v3 Subject Alternative Name:
                DNS:ldap.example.com, DNS:loadbalancer.example.com

Certificate is to be certified until Oct 22 16:05:32 2015 GMT (3652 days)

Sign the certificate? [y/n]:y

 

 

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

 

Please copy CA Cert, New Cert and Key to SLAVE OpenLDAP Server config dir...

Example: assuming ldap2:/etc/openldap is the target directory on SLAVE:

scp demoCA/cacert.pem ldap2:/etc/openldap

scp demoCA/newcert_slave.pem ldap2:/etc/openldap/slapd-cert-ldap2.pem

scp demoCA/newreq_slave.pem ldap2:/etc/openldap/slapd-key-ldap2.pem

ssh ldap2 chmod 640 /etc/openldap/slapd-key-ldap2.pem

ssh ldap2 chown ldap:ldap /etc/openldap/*.pem

 

Now add these four lines to /etc/openldap/slapd.conf. The cipher string is the author's 2007 choice; note that +SSLv2 and +SSLv3 only move those suites to the end of the preference list rather than removing them, so on a current build exclude the SSLv2 and the anonymous/null suites instead, for example HIGH:!SSLv2:!aNULL:!eNULL (protocol versions are controlled separately, with TLSProtocolMin in OpenLDAP 2.4).

 

TLSCipherSuite HIGH:MEDIUM:+TLSv1:+SSLv2:+SSLv3

TLSCACertificateFile /etc/openldap/cacert.pem

TLSCertificateFile /etc/openldap/slapd-cert-ldap1.pem

TLSCertificateKeyFile /etc/openldap/slapd-key-ldap1.pem

 

Next, start slapd listening on BOTH port 389 (ldap) and port 636 (ldaps); note the double quotes, which pass ldap:/// and ldaps:/// to -h as a single argument.

 

/usr/sbin/slapd -u ldap -h "ldap:/// ldaps:///"

 

Use the following command to show the CA/chain/server certificate(s) as presented on port 636:

 

# openssl s_client -connect localhost:636 -showcerts

---

<Ctrl-C or Ctrl-Break to exit>

 

Without the CA certificate, s_client reports these verification errors; they only mean that it does not know our self-signed CA:

verify error:num=20:unable to get local issuer certificate

verify error:num=21:unable to verify the first certificate

verify return code: 21 (unable to verify the first certificate)

The real check is to run the same command again with -CAfile /etc/openldap/cacert.pem; the output should then end with "Verify return code: 0 (ok)", which confirms that slapd presents a certificate signed by the CA the clients will be given.

 

IMPORTANT NOTE: please ensure that the FQDN (Fully Qualified Domain Name) as shown by CN=<FQDN> match the “host” entry (or entries) in /etc/ldap.conf (nss_ldap) and $ETC_OPENLDAP/ldap.conf (LDAP Client), its IP address MUST be defined in /etc/hosts file.

 

Also please copy cacert.pem to all the LDAP clients that use TLS to authenticate with this LDAP Server.

 

Edit /etc/openldap/ldap.conf and add the following lines; this file is used by the local LDAP command-line tools (ldapsearch, ldapadd and so on).

 

# vi /etc/openldap/ldap.conf

 

HOST    ldap1.example.com

BASE     dc=example,dc=com

# Un-comment for RedHat

TLS_CACERT     /etc/openldap/cacert.pem

# Un-comment for others

#TLS_CACERT      /usr/local/etc/openldap/cacert.pem

 

IMPORTANT NOTE:

 

Some options such as TLS_CACERT are missing from the ldap.conf man pages for some versions of OpenLDAP, see:

 

http://www.openldap.org/lists/openldap-bugs/200206/msg00092.html

 

Useful information on START_TLS options is described in:

 

http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html

 

Now we are ready to create configuration file for OpenLDAP server daemon, slapd.

 

Copy /etc/openldap/slapd.conf.default to /etc/openldap/slapd.conf and modify it to include the lines shown below. Copy DUAConfigProfile.schema and solaris.schema, which are attached in the Appendix and are needed for Solaris LDAP clients/servers, into the schema directory.

 

# cp /etc/openldap/slapd.conf.default /etc/openldap/slapd.conf

# chmod 600 /etc/openldap/slapd.conf

# vi /etc/openldap/slapd.conf

 

include   /etc/openldap/schema/core.schema

include   /etc/openldap/schema/cosine.schema

include   /etc/openldap/schema/inetorgperson.schema

include   /etc/openldap/schema/nis.schema

include         /etc/openldap/schema/DUAConfigProfile.schema

## solaris.schema provides nisDomainObject, which is absent from nis.schema

include         /etc/openldap/schema/solaris.schema

 

# example will NOT work:

# allow bind_v2

# allow bind_anon_dn

# The second entry (bind_anon_dn) overrides the first

# one (bind_v2) since they are in separate lines.

# The line below WILL work.

allow bind_v2 bind_anon_dn

 

# ACL directives

access to attrs=userPassword

            by self write

            by * auth

access to dn.base=""
            by * read

access to dn.base="cn=Subschema" by * read
# Change "anonymous auth" to "anonymous read" or "anonymous none" depending on your need

access to dn.subtree="ou=People,dc=example,dc=com"

            by self write

            by dn="cn=proxyagent,ou=profile,dc=example,dc=com" read

            by users read

            by anonymous auth

access to * by self write

            by * read

 

# DB directives

database                bdb

suffix                     "dc=example,dc=com"

rootdn                   "cn=Manager,dc=example,dc=com"

 

rootpw   secret

#rootpw         {MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ==

directory               /var/lib/ldap

index   objectClass,uid,uidNumber,gidNumber,ou       eq

index   cn,mail,surname,givenname                                               eq,subinitial

index   memberUid                                                                                          eq

index   nisDomain                                                                                            eq

index      uniqueMember                                                                 pres

 

# Performance tuning directives

sizelimit 5000

threads 8

idletimeout 14400

cachesize 10000

checkpoint 256 15

 

TLSCipherSuite HIGH:MEDIUM:+TLSv1:+SSLv2:+SSLv3

TLSCACertificateFile /etc/openldap/cacert.pem

TLSCertificateFile /etc/openldap/slapd-cert-ldap1.pem

TLSCertificateKeyFile /etc/openldap/slapd-key-ldap1.pem

 

# Use the following if client authentication is required

#TLSVerifyClient demand

# ... or not desired at all

#TLSVerifyClient never

 

password-hash {CRYPT}

 

Note: use "slaptest" (OpenLDAP 2.3.XX) to check the syntax of slapd.conf. Prefer the hashed rootpw form (the commented-out {MD5} line above is the hash of "secret"; slappasswd generates an {SSHA} value) over a cleartext rootpw, and keep slapd.conf at mode 600 in either case, since it holds the rootdn credential. Also look hard at "by self write" in the ACLs above: on the ou=People subtree and on "access to *" it lets a bound user modify every attribute of their own entry, including uidNumber and gidNumber, which every client that trusts this directory will honour.
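To make that ACL point concrete, here is an added example, not part of the HOWTO or of OpenLDAP: a small Python linter for the "access to ... by ..." syntax that flags self-write rules whose scope reaches posixAccount attributes, and anonymous read of whole entries. PAGE_ACL is a constructed copy of the HOWTO's ACL directives; HARDENED_ACL is this editor's suggested replacement, which limits self-service to a named attribute list and requires a bind (the proxyagent the Solaris clients already use) for everything else. The attribute list in SENSITIVE is an assumption about which attributes nss_ldap, pam_ldap, sudo and automount act on.

```python
"""Static check of slapd.conf ACLs for self-service privilege escalation.

Added example, not part of the HOWTO or of OpenLDAP. It relies on one fact
about slapd access control: the first 'access to <what>' clause covering an
attribute decides, and 'by self write' there lets the bound user rewrite
that attribute on their own entry (uidNumber: 0 included).
"""
import shlex

LEVELS = ['none', 'disclose', 'auth', 'compare', 'search', 'read', 'write', 'manage']

# Assumption: attributes nss_ldap, pam_ldap, sudo and automount hand straight to the OS.
SENSITIVE = {'uid', 'uidnumber', 'gidnumber', 'homedirectory', 'memberuid',
             'host', 'nisnetgrouptriple', 'sudouser', 'sudocommand'}

PUBLIC_DNS = {'', 'cn=subschema'}     # rootDSE and schema are meant to be world-readable


def level_rank(level):
    return LEVELS.index(level) if level in LEVELS else 0   # '=w' style levels are not graded


def parse_acls(text):
    """Return [{'what', 'attrs', 'dn', 'by': [(who, level), ...]}] per access directive."""
    acls = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        tokens = shlex.split(line)
        if tokens[:2] == ['access', 'to']:
            tokens = tokens[2:]
            by_at = tokens.index('by') if 'by' in tokens else len(tokens)
            acl = {'what': ' '.join(tokens[:by_at]), 'attrs': None, 'dn': None, 'by': []}
            for tok in tokens[:by_at]:
                if tok.startswith('attrs='):
                    acl['attrs'] = {a.lower() for a in tok[len('attrs='):].split(',')}
                elif tok.startswith('dn'):          # dn=, dn.base=, dn.subtree=, ...
                    acl['dn'] = tok.split('=', 1)[1].lower()
            acls.append(acl)
            tokens = tokens[by_at:]
        elif tokens[0] != 'by' or not acls:
            continue                                # some other slapd.conf directive
        i = 0
        while i < len(tokens):                      # by <who> <level> [stop|break|continue]
            if tokens[i] != 'by' or i + 1 >= len(tokens):
                raise ValueError('malformed by clause in ACL %r' % acls[-1]['what'])
            level = tokens[i + 2] if i + 2 < len(tokens) else 'none'
            acls[-1]['by'].append((tokens[i + 1], level))
            i += 3
            while i < len(tokens) and tokens[i] in ('stop', 'break', 'continue'):
                i += 1
    return acls


def findings(text):
    """(severity, what, message) for each risky clause; an empty list means clean."""
    out = []
    for acl in parse_acls(text):
        scope = SENSITIVE if acl['attrs'] is None else acl['attrs'] & SENSITIVE
        for who, level in acl['by']:
            rank = level_rank(level)
            if who == 'self' and rank >= LEVELS.index('write') and scope:
                out.append(('HIGH', acl['what'], 'self write covers %s; a user can change '
                            'their own uidNumber/gidNumber' % ('all attributes' if
                            acl['attrs'] is None else ','.join(sorted(scope)))))
            if (who in ('*', 'anonymous') and rank >= LEVELS.index('read')
                    and acl['attrs'] is None and acl['dn'] not in PUBLIC_DNS):
                out.append(('INFO', acl['what'], 'anonymous read of whole entries: groups, '
                            'netgroups, sudoers and automount maps enumerable without a bind'))
    return out


# Constructed copy of the ACL directives shown in this HOWTO's slapd.conf.
PAGE_ACL = """
access to attrs=userPassword
            by self write
            by * auth
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
access to dn.subtree="ou=People,dc=example,dc=com"
            by self write
            by dn="cn=proxyagent,ou=profile,dc=example,dc=com" read
            by users read
            by anonymous auth
access to * by self write
            by * read
"""

# Editor's suggestion: users may change password, shell, gecos and their own
# shadowLastChange, nothing else; the rest is readable only after a bind.
HARDENED_ACL = """
access to attrs=userPassword
            by self write
            by * auth
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
access to dn.subtree="ou=People,dc=example,dc=com" attrs=loginShell,gecos,shadowLastChange
            by self write
            by dn="cn=proxyagent,ou=profile,dc=example,dc=com" read
            by users read
            by anonymous auth
access to *
            by dn="cn=proxyagent,ou=profile,dc=example,dc=com" read
            by users read
            by anonymous auth
"""

if __name__ == '__main__':
    for name, acl in (('page', PAGE_ACL), ('hardened', HARDENED_ACL)):
        for severity, what, message in findings(acl) or [('OK', '-', 'no findings')]:
            print('%-8s %-4s access to %s: %s' % (name, severity, what, message))
```

Point the parser at a whole slapd.conf and it skips the non-ACL directives. Whichever ACL you settle on, confirm the behaviour live: bind as an ordinary user and try an ldapmodify that replaces uidNumber on that user's own entry; slapd must answer with insufficient access.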

 

Copy/Create my productivity UNIX scripts (as provided here in Appendix section) to/in /home/gtay, or any directory you so prefer, eg: /home/ldap, use the scripts to create and rebuild a fully populated MASTER OpenLDAP Server.

 

Note: before running the scripts, please create a sample People.ldif and group.ldif.

 

It helps to take some time to browse and study all the productivity scripts, especially the two main ones, cr_example_com_ldif.sh and rebuild_example_com.sh.

 

# cp cr_ssl_certs_openldap.sh /home/gtay                                    

# cp cr_unsigned_ssl_cert.sh /home/gtay

# cp sign_ssl_cert_from_slave.sh /home/gtay

# cp cr_People_ldif.sh /home/gtay                                                 

# cp cr_group_ldif.sh /home/gtay                                                  

# cp cr_example_com_ldif.sh /home/gtay                                     

# cp openldap_add.sh /home/gtay                                                 

# cp openldap_delete_Peoples.sh /home/gtay                

# cp openldap_delete_groups.sh /home/gtay                 

# cp openldap_repl_People.sh /home/gtay                                    

# cp openldap_repl_group.sh /home/gtay                                     

# cp openldap_search.sh /home/gtay                                             

# cp rebuild_example_com.sh /home/gtay                                    

 

Copy/Create these scripts to/in /home/ldap as they are meant for LDAP backup and replication:

 

# cp db2ldif_backup.sh /home/ldap

# cp db2ldif_People.sh /home/ldap                                                               

# cp db2ldif_group.sh /home/ldap                                                                

# cp openldap_add.sh /home/ldap

# cp openldap_delete_groups.sh /home/ldap

# cp openldap_delete_Peoples.sh /home/ldap

# cp openldap_repl_group.sh /home/ldap

# cp openldap_repl_People.sh /home/ldap

 

Some of these scripts are optional or specific to a particular environment; for instance, cr_People_ldif.sh is used only if People.ldif is an LDIF file exported from an existing iPlanet Directory Server, and the same applies to cr_group_ldif.sh.

 

Create and protect the LDAP rootdn password file, for OpenLDAP’s “Manager”, in the script directories (/home/gtay and /home/ldap in these cases).

 

# cd /home/gtay

# echo "secret" >mgr.pwd

# chmod 600 mgr.pwd

# cd /home/ldap

# echo "secret" >mgr.pwd

# chmod 600 mgr.pwd

 

Prepare People.ldif and group.ldif in /home/gtay (or your preferred script directory).

 

Tips: use the /usr/local/sbin/slappasswd command to generate the hashed form of an LDAP userPassword value.

 

A sample People.ldif with only two entries is shown here

 

dn: uid=gtay, ou=People, dc=example,dc=com
givenName: Gary
sn: Tay
loginShell: /bin/bash
uidNumber: 6167
gidNumber: 102
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
objectClass: shadowAccount
uid: gtay
cn: Gary Tay
homeDirectory: /home/gtay
shadowLastChange: -1
shadowMin: -1
shadowMax: 99999
shadowWarning: 7
shadowInactive: -1
shadowExpire: -1
shadowFlag: 0
gecos: Gary Tay
userPassword: {CRYPT}U8bo2twhJ9Kkg

dn: uid=tuser, ou=People, dc=example,dc=com
givenName: Test
sn: User
loginShell: /bin/bash
uidNumber: 9999
gidNumber: 102
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
objectClass: shadowAccount
uid: tuser
cn: Test User
homeDirectory: /home/tuser
shadowLastChange: -1
shadowMin: -1
shadowMax: 99999
shadowWarning: 7
shadowInactive: -1
shadowExpire: -1
shadowFlag: 0
gecos: Test User
userPassword: {SHA}MWxHz/4F3kXGXlfK4EvIJUo2C2U=

 

A sample group.ldif with only one entry is shown here

 

dn: cn=Users,ou=group,dc=example,dc=com
cn: Users
gidNumber: 102
objectClass: top
objectClass: posixGroup

 

IMPORTANT NOTE ABOUT LDIF IMPORT FILES:

 

When you copy and paste the content of People.ldif, group.ldif, or any other .ldif file from this document to prepare an LDAP data import with the ldapadd command, please make sure that ALL TRAILING SPACES on every line of the .ldif files are removed, or else “openldap_add.sh”, which calls the “ldapadd” command, will throw errors.
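The trailing-space problem above is only one of the ways a pasted LDIF file fails at ldapadd time. The following is an added example, not one of the document's own productivity scripts: a small LDIF checker (the function names ldif_lint and strip_trailing_ws are mine) that reports trailing whitespace, Windows CRLF line endings, records that do not begin with "dn:" and lines that are not of the "attribute: value" shape, plus a helper that writes a cleaned copy. Run it on People.ldif and group.ldif before openldap_add.sh:

```shell
#!/bin/sh
# ldif_lint.sh - added example, not from the original document.
# Checks an LDIF file for the defects that make "ldapadd" reject it.
# Prints one "LINE: problem" per finding and returns 1 if anything was found.

ldif_lint() {
    # $1 = path of the LDIF file to check
    awk '
        BEGIN { in_record = 0; bad = 0 }
        # a stray CR from a Windows editor becomes part of the last value
        /\r$/     { print NR ": carriage return (CRLF line ending)"; bad = 1; sub(/\r$/, "") }
        # trailing blanks become part of the value; "ldapadd" rejects some of them
        /[ \t]+$/ { print NR ": trailing whitespace"; bad = 1 }
        # an empty line ends the current record
        /^$/      { in_record = 0; next }
        /^#/      { next }                   # LDIF comment line
        # a line starting with a space continues the previous attribute value
        /^ /      { if (!in_record) { print NR ": continuation line outside a record"; bad = 1 }; next }
        {
            if (!in_record) {
                if ($0 !~ /^dn:/) { print NR ": record does not start with dn:"; bad = 1 }
                in_record = 1
            }
            if ($0 !~ /^[A-Za-z][A-Za-z0-9.;-]*:/) { print NR ": not an attribute: value line"; bad = 1 }
        }
        END { exit bad }
    ' "$1"
}

strip_trailing_ws() {
    # write a copy of $1 with trailing blanks removed to $2
    # (awk rather than sed, because "\t" in a sed bracket expression is not
    # a tab on every platform)
    awk '{ sub(/[ \t]+$/, ""); print }' "$1" > "$2"
}

# usage: sh ldif_lint.sh People.ldif
if [ $# -gt 0 ]; then
    ldif_lint "$1"
fi
```

A clean file produces no output and exit status 0, so the check can sit in front of openldap_add.sh in a rebuild script and stop it before a half-imported directory is left behind.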

 

Create the OpenLDAP server start/stop script /etc/init.d/openldap.server. This step is OPTIONAL; you may want to use the original RedHat EL3 OpenLDAP start/stop script instead, i.e. /etc/init.d/ldap.

 

If you prefer to use RedHat original start/stop script /etc/init.d/ldap, please customize it to work by editing /etc/sysconfig/ldap.

 

Tips: You may also add this line to /etc/sysconfig/ldap ONLY when you are debugging /etc/init.d/ldap

SLAPD_OPTIONS="-d 10"

 

Otherwise, create your own OpenLDAP start/stop script

 

# touch /etc/init.d/openldap.server

# chmod 744 /etc/init.d/openldap.server

# vi /etc/init.d/openldap.server

 

Content of /etc/init.d/openldap.server

 

#! /bin/sh

#

# openldap.server - OpenLDAP start script

#

# Gary Tay, 19-Feb-2004

#

 

# Un-Comment for RedHat

ETC_OPENLDAP_DIR=/etc/openldap

SLAPD_DIR=/usr/sbin

# Un-Comment for Others

#ETC_OPENLDAP_DIR=/usr/local/etc/openldap

#SLAPD_DIR=/usr/local/libexec

 

# Pls customize

DEBUG=""

# Un-Comment to debug

#DEBUG="-d 10"

 

case "$1" in

'start')

        if [ -f $ETC_OPENLDAP_DIR/slapd.conf -a -f $SLAPD_DIR/slapd ]; then

           echo 'OpenLDAP slapd service starting.'

           $SLAPD_DIR/slapd $DEBUG -u ldap -h "ldap:/// ldaps:///"

        fi

        ;;

 

'stop')

        PID=`ps -ef | grep slapd | grep -v grep | awk '{print $2}'`

        if [ -n "$PID" ]; then

            echo 'OpenLDAP slapd service stopping.'

            # using INT signal is less drastic and less prone to LDAP data corruption

            kill -INT $PID

        fi

        ;;

 

*)

        echo "Usage: $0 { start | stop }"

        exit 1

        ;;

esac

 

Create cr_example_com_ldif.sh, do not run it as it will be "called" by the other script, rebuild_example_com.sh.

 

# vi cr_example_com_ldif.sh

 

Content of cr_example_com_ldif.sh

 

#! /bin/sh
# cr_example_com_ldif.sh - Create initial ldif entries for dc=example,dc=com
# OpenLDAP initial root entries

cat <<EOF >example_com.ldif
dn: dc=example,dc=com
objectclass: top
# For RedHat use the next line
objectclass: organization
# For Solaris use the next line
#objectclass: domain
objectClass: nisDomainObject
nisDomain: example.com
objectclass: dcObject
o: Example Companies
dc: example

dn: cn=Manager,dc=example,dc=com
objectclass: organizationalRole
cn: Manager

dn: ou=People,dc=example,dc=com
objectclass: organizationalUnit
ou: People

dn: ou=group,dc=example,dc=com
objectclass: organizationalUnit
ou: group

dn: ou=profile,dc=example,dc=com
ou: profile
objectClass: top
objectClass: organizationalUnit

dn: cn=proxyagent,ou=profile,dc=example,dc=com
cn: proxyagent
sn: proxyagent
objectClass: top
objectClass: person
userPassword: {CRYPT}l14aeXtphVSUg

dn: cn=sol8profile,ou=profile,dc=example,dc=com
ObjectClass: top
ObjectClass: SolarisNamingProfile
SolarisLDAPServers: 192.168.1.168
SolarisBindDN: cn=proxyagent,ou=profile,dc=example,dc=com
SolarisBindPassword: {NS1}ecfa88f3a945c411
SolarisSearchBaseDN: dc=example,dc=com
SolarisAuthMethod: NS_LDAP_AUTH_NONE
SolarisTransportSecurity: NS_LDAP_SEC_NONE
SolarisSearchReferral: NS_LDAP_FOLLOWREF
SolarisSearchScope: NS_LDAP_SCOPE_ONELEVEL
SolarisSearchTimeLimit: 30
SolarisCacheTTL: 43200
cn: sol8profile

dn: cn=sol9profile,ou=profile,dc=example,dc=com
objectClass: DUAConfigProfile
defaultServerList: ldap1.example.com ldap2.example.com
defaultSearchBase: dc=example,dc=com
authenticationMethod: simple
followReferrals: TRUE
defaultSearchScope: one
searchTimeLimit: 30
profileTTL: 43200
cn: sol9profile
credentialLevel: proxy
bindTimeLimit: 2

dn: cn=default,ou=profile,dc=example,dc=com
objectClass: DUAConfigProfile
defaultServerList: ldap1.example.com ldap2.example.com
defaultSearchBase: dc=example,dc=com
authenticationMethod: simple
followReferrals: TRUE
defaultSearchScope: one
searchTimeLimit: 30
profileTTL: 43200
cn: default
credentialLevel: proxy
bindTimeLimit: 2

dn: cn=tls_profile,ou=profile,dc=example,dc=com
ObjectClass: top
ObjectClass: DUAConfigProfile
defaultServerList: ldap1.example.com ldap2.example.com
defaultSearchBase: dc=example, dc=com
authenticationMethod: tls:simple
followReferrals: FALSE
defaultSearchScope: one
searchTimeLimit: 30
profileTTL: 43200
bindTimeLimit: 10
cn: tls_profile
credentialLevel: proxy
serviceSearchDescriptor: passwd: ou=People,dc=example,dc=com?one
serviceSearchDescriptor: group: ou=group,dc=example,dc=com?one
serviceSearchDescriptor: shadow: ou=People,dc=example,dc=com?one
serviceSearchDescriptor: netgroup: ou=netgroup,dc=example,dc=com?one

EOF
cp example_com.ldif ldap_add.ldif
cp example_com.ldif openldap_add.ldif

 

Create DB_CONFIG in the OpenLDAP data directory (usually /usr/local/var/openldap-data; for RedHat it is /var/lib/ldap). This file contains performance parameters for Berkeley DB; consult the Internet or the OpenLDAP mailing list and adjust the content as needed.

 

# vi /usr/local/var/openldap-data/DB_CONFIG

or

# vi /var/lib/ldap/DB_CONFIG

 

Content of DB_CONFIG; below is an example for an LDAP Server with 640MB RAM and 1000 users:

set_cachesize 0 20971520 0
set_lg_regionmax        131072
set_lg_bsize            2097152

set_flags DB_LOG_AUTOREMOVE

 

Create rebuild_example_com.sh, edit and uncomment those OS specific lines.

 

# vi rebuild_example_com.sh

 

Content of rebuild_example_com.sh

 

#! /bin/sh

# rebuild_example_com.sh - ReBuild LDAP Server for dc=example,dc=com

# Un-comment for RedHat

OPENLDAP_DATA_DIR=/var/lib/ldap

# Un-comment for Others

#OPENLDAP_DATA_DIR=/usr/local/var/openldap-data

echo "WARNING: LDAP Data in $OPENLDAP_DATA_DIR will be gzipped!!!"

echo "         and rebuilt from scratch, make sure you know what it means"

echo "Press [Ctrl-C] to abort, enter [Yes] to continue..."

read a_key

[ "$a_key" != "Yes" ] && exit 1

/etc/init.d/openldap.server stop

mkdir -p $OPENLDAP_DATA_DIR

chmod 750 $OPENLDAP_DATA_DIR

chown ldap:daemon $OPENLDAP_DATA_DIR

#/bin/rm -f $OPENLDAP_DATA_DIR/*.bdb

#/bin/rm -f $OPENLDAP_DATA_DIR/__db.*

#/bin/rm -f $OPENLDAP_DATA_DIR/log.*

#/bin/rm -f $OPENLDAP_DATA_DIR/alock

gzip -f $OPENLDAP_DATA_DIR/*.bdb

gzip -f $OPENLDAP_DATA_DIR/__db.*[0-9]

gzip -f $OPENLDAP_DATA_DIR/log.*[0-9]

gzip -f $OPENLDAP_DATA_DIR/alock

/etc/init.d/openldap.server start

sleep 3

./cr_example_com_ldif.sh

./openldap_add.sh

./cr_People_ldif.sh

./openldap_add.sh

./cr_group_ldif.sh

./openldap_add.sh

 

Execute this script:

 

# ./rebuild_example_com.sh

WARNING: LDAP Data in /usr/local/var/openldap-data will be deleted!!!

         and rebuilt from scratch, make sure you know what it means

Press [Ctrl-C] to abort, enter [Yes] to continue...

 

OpenLDAP slapd service stopping.

OpenLDAP slapd service starting.

adding new entry "dc=example,dc=com"

adding new entry "cn=Manager,dc=example,dc=com"

adding new entry "ou=People,dc=example,dc=com"

adding new entry "ou=group,dc=example,dc=com"

adding new entry "uid=gtay,ou=People, dc=example,dc=com"

adding new entry "uid=tuser,ou=People, dc=example,dc=com"

adding new entry "cn=Users,ou=group,dc=example,dc=com"

 

Congratulations!!! You have created an OpenLDAP Server.

 

IMPORTANT Note: rebuild_example_com.sh is a VERY DESTRUCTIVE script; make sure you understand what every step of the script is trying to do, and avoid testing this script in a production environment.

 

For massive import of People and group entries, you may use PADL’s MigrationTools.

 

http://www.padl.com/OSS/MigrationTools.html

 

Try stopping and starting OpenLDAP server

 

# /etc/init.d/openldap.server stop

# /etc/init.d/openldap.server start

 

OR use RedHat's way:

One-Time setup:

# chkconfig --add ldap

# chkconfig --level 2345 ldap on

LDAP Restart

# service ldap restart

 

Verify:

 

# ps -ef | grep slapd

    root   706   702  0 03:31:03 pts/3    0:00 grep slapd

    root   216     1  0   Feb 23 ?        2:11 /usr/sbin/slapd -u ldap -h ldap:/// ldaps:///

 

Tips: whenever you have a problem starting the OpenLDAP server, i.e. it is not shown in the process status, un-comment this line in /etc/init.d/openldap.server and re-try:

 

#DEBUG="-d 10"

 

Prepare LDAP Client's (LDAP Client local to LDAP Server) ldap.conf file in /etc/openldap, the following is a typical content:

 

HOST    ldap1.example.com

BASE    dc=example,dc=com

 

# Un-comment for RedHat

TLS_CACERT      /etc/openldap/cacert.pem

# Un-comment for others

#TLS_CACERT     /usr/local/etc/openldap/cacert.pem

 

Try listing the LDAP content locally at the server; note that userPassword never gets listed.

 

# ./openldap_search.sh | less

dn: dc=example,dc=com

objectClass: top

objectClass: organization

objectClass: dcObject

o: Example Companies

dc: example

 

dn: cn=Manager,dc=example,dc=com

objectClass: organizationalRole

cn: Manager

 

dn: uid=gtay,ou=People,dc=example,dc=com

givenName: Gary

sn: Tay

loginShell: /usr/bin/bash

uidNumber: 6167

gidNumber: 102

objectClass: top

objectClass: person

objectClass: organizationalPerson

objectClass: inetorgperson

objectClass: posixAccount

objectClass: shadowAccount

uid: gtay

cn: Gary Tay

homeDirectory: /home/gtay

shadowLastChange: -1

shadowMin: -1

shadowMax: 99999

shadowWarning: 7

shadowInactive: -1

shadowExpire: -1

shadowFlag: 0

gecos: Gary Tay

 

dn: uid=tuser,ou=People,dc=example,dc=com

givenName: Test

sn: User

loginShell: /bin/bash

uidNumber: 9999

gidNumber: 102

objectClass: top

objectClass: person

objectClass: organizationalPerson

objectClass: inetorgperson

objectClass: posixAccount

objectClass: shadowAccount

uid: tuser

cn: Test User

homeDirectory: /home/tuser

shadowLastChange: -1

shadowMin: -1

shadowMax: 99999

shadowWarning: 7

shadowInactive: -1

shadowExpire: -1

shadowFlag: 0

gecos: Test User

 

dn: cn=Users,ou=group,dc=example,dc=com

cn: Users

gidNumber: 102

objectClass: top

objectClass: posixgroup

 

You could also test if slapd is running fine locally by using simple authentication and with "start_tls":

 

# ldapsearch -x -LLL

# ldapsearch -x -LLL -ZZ

Use the “-d -1” option to debug:

# ldapsearch -d -1 -x -LLL -ZZ

 

Congratulations!!! You have created an OpenLDAP server capable of answering name service (uid) lookup requests from any LDAP Client.

 

TIPS 1: LDAP Logging

 

Logging is used to help debugging. OpenLDAP by default logs through the "LOCAL4" syslog facility; you may set up /etc/syslog.conf and restart syslogd. If you do this, please take care of log file trimming and rotation.

 

# vi /etc/syslog.conf

Add this line:

local4.debug         /var/log/ldap.log

 

IMPORTANT NOTE 1: use one or more <TAB> in between “local4.debug” and “/var/log/ldap.log”, if spaces are used, syslog will log NOTHING.

 

IMPORTANT NOTE 2: if you are using the "service" script in RedHat to stop/start slapd, please also edit /etc/sysconfig/ldap to define SLAPD_OPTIONS with the "-l" syslog local facility, to be passed to the /etc/init.d/ldap script, or else nothing will get logged in syslog.

# vi /etc/sysconfig/ldap

Add this line for normal debug level
SLAPD_OPTIONS="-l local4"

Note: Do not set the "-d" flag in SLAPD_OPTIONS, as it will hang "service ldap start": "-d" is meant for non-forked, terminal-based debugging; see "man slapd".

 

# touch /var/log/ldap.log

# pkill -HUP syslogd; service ldap restart

 

Setup log rotation using RedHat “logrotate”, add “/var/log/ldap.log” to /etc/logrotate.d/syslog.

 

# cat /etc/logrotate.d/syslog
/var/log/messages /var/log/secure /var/log/maillog /var/log/spooler /var/log/boot.log /var/log/cron /var/log/ldap.log {
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
    endscript
}
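Once slapd logs to /var/log/ldap.log, the log is also the place to notice password guessing against the directory. The following is an added example, not part of the original document: it reads slapd "stats" log lines (the default log level, which records every connection, bind and result) and reports which bind DN, from which client address, failed authentication how often. slapd logs a bind as two lines that share the same conn=N op=M key, a BIND line carrying the DN and a RESULT line carrying the error code (err=49 is invalidCredentials), and records the client IP only once per connection on the ACCEPT line, so the script correlates the three. The sample log lines are constructed in the shape slapd writes them, not captured from a real server; the function name failed_binds is mine.

```shell
#!/bin/sh
# failed_binds.sh - added example, not from the original document.
# Summarize failed simple binds from slapd stats logging (syslog local4).

failed_binds() {
    # $1 = log file, $2 = minimum failure count to report (default 1)
    # output: "<failures><TAB><client ip><TAB><bind dn>", most failures first
    awk -v threshold="${2:-1}" '
        # ACCEPT line: remember which client address owns this connection
        / ACCEPT from IP=/ {
            if (match($0, /conn=[0-9]+/)) conn = substr($0, RSTART, RLENGTH)
            if (match($0, /IP=[0-9.]+/))  ip[conn] = substr($0, RSTART + 3, RLENGTH - 3)
        }
        # BIND line: remember which DN was presented for this conn/op pair
        / BIND dn="/ {
            if (match($0, /conn=[0-9]+ op=[0-9]+/)) key = substr($0, RSTART, RLENGTH)
            if (match($0, /dn="[^"]*"/))           dn[key] = substr($0, RSTART + 4, RLENGTH - 5)
        }
        # RESULT line for a bind (tag=97) with err=49: invalid credentials
        / RESULT tag=97 err=49/ {
            if (match($0, /conn=[0-9]+ op=[0-9]+/)) key = substr($0, RSTART, RLENGTH)
            split(key, part, " ")
            fails[ip[part[1]] "\t" dn[key]]++
        }
        END {
            for (who in fails)
                if (fails[who] >= threshold) print fails[who] "\t" who
        }
    ' "$1" | sort -rn
}

# Constructed sample (not a real capture): one client fails three times as
# tuser over two connections, another binds successfully as gtay, and a third
# tries the Manager rootdn once.
sample_slapd_log() {
    cat <<'EOF'
May  5 10:01:02 ldap1 slapd[216]: conn=1001 fd=12 ACCEPT from IP=192.168.1.50:40012 (IP=0.0.0.0:389)
May  5 10:01:02 ldap1 slapd[216]: conn=1001 op=0 BIND dn="uid=tuser,ou=People,dc=example,dc=com" method=128
May  5 10:01:02 ldap1 slapd[216]: conn=1001 op=0 RESULT tag=97 err=49 text=
May  5 10:01:03 ldap1 slapd[216]: conn=1001 op=1 BIND dn="uid=tuser,ou=People,dc=example,dc=com" method=128
May  5 10:01:03 ldap1 slapd[216]: conn=1001 op=1 RESULT tag=97 err=49 text=
May  5 10:01:05 ldap1 slapd[216]: conn=1002 fd=13 ACCEPT from IP=192.168.1.77:51000 (IP=0.0.0.0:389)
May  5 10:01:05 ldap1 slapd[216]: conn=1002 op=0 BIND dn="uid=gtay,ou=People,dc=example,dc=com" method=128
May  5 10:01:05 ldap1 slapd[216]: conn=1002 op=0 BIND dn="uid=gtay,ou=People,dc=example,dc=com" mech=SIMPLE ssf=0
May  5 10:01:05 ldap1 slapd[216]: conn=1002 op=0 RESULT tag=97 err=0 text=
May  5 10:01:09 ldap1 slapd[216]: conn=1003 fd=12 ACCEPT from IP=192.168.1.50:40013 (IP=0.0.0.0:389)
May  5 10:01:09 ldap1 slapd[216]: conn=1003 op=0 BIND dn="uid=tuser,ou=People,dc=example,dc=com" method=128
May  5 10:01:09 ldap1 slapd[216]: conn=1003 op=0 RESULT tag=97 err=49 text=
May  5 10:02:30 ldap1 slapd[216]: conn=1004 fd=14 ACCEPT from IP=10.0.0.9:3321 (IP=0.0.0.0:389)
May  5 10:02:30 ldap1 slapd[216]: conn=1004 op=0 BIND dn="cn=Manager,dc=example,dc=com" method=128
May  5 10:02:30 ldap1 slapd[216]: conn=1004 op=0 RESULT tag=97 err=49 text=
EOF
}

# usage: sh failed_binds.sh /var/log/ldap.log 5
if [ $# -gt 0 ]; then
    failed_binds "$1" "${2:-1}"
fi
```

Run against the sample with a threshold of 2 it prints only the tuser line (3 failures from 192.168.1.50); the single failed bind as cn=Manager is worth its own alert regardless of count, since nothing but the rebuild scripts should ever bind as the rootdn.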

 

TIPS 2: LDAP Account Maintenance

 

To easily maintain the LDAP account details, it is highly recommended that the Java Based LDAP Browser-Editor (downloadable from http://www.iit.edu/~gawojar/ldap/) Tool be used.

 

What is required to configure this tool is to simply define JAVA_HOME in LBE.BAT and create a program icon LBE on your desktop pointing to it, don't forget the start directory must be the same as LBE.BAT. For OpenLDAP Server,

 

To add a NEW LDAP user, choose the "Edit/Add Entry" and select the "posixAccount" Template.

 

Another good GUI tool is Web-based PHP-LDAP-ADMIN: http://freshmeat.net/projects/phpldapadmin/, this tool requires more setup steps.

 

 

Step 4: Configure UNIX/Linux LDAP Client

 

This step is for LDAP Clients ONLY.

 

Assuming client1.example.com is the RedHat EL3 LDAP Client to be configured

 

Log in to client1 as ‘root’ at the SYSTEM CONSOLE, so that if there is any misconfiguration, repair can be done at the console.

 

The following RedHat RPMs are typically required for a LDAP Client:

 

nss_ldap-2XX-X

openldap-devel-2.X.XX-X

openldap-2.X.XX-X

openldap-clients-2.X.XX-X

 

IMPORTANT NOTE: If you intend to build OpenLDAP Server and Clients with SSL_TLS support, you MUST download and install the latest OpenLDAP RPMs from RedHat web site, SSL_TLS requires OpenLDAP 2.1.X or later.

 

As shown in previous steps, you may obtain the source for the above and compile them.

 

These lines should be present in /etc/openldap/ldap.conf of the LDAP Client

 

# List two or more LDAP servers if failover is required

HOST    ldap1.example.com ldap2.example.com

# URI ldap://ldap1.example.com ldap://ldap2.example.com

BASE    dc=example, dc=com

# Un-comment for RedHat

TLS_CACERT     /etc/openldap/cacert.pem

# Un-comment for others

#TLS_CACERT      /usr/local/etc/openldap/cacert.pem

 

The NSS_LDAP package includes /etc/ldap.conf, which is shared between the Name Service Switch module for LDAP (NSS_LDAP) and the Pluggable Authentication Module for LDAP (PAM_LDAP). Do not confuse this ldap.conf with the OpenLDAP client configuration file, in our case /etc/openldap/ldap.conf.

 

Edit /etc/ldap.conf; below is a well-commented sample. The lines shown in GREEN in the original document (the site-specific settings: host or uri, base, binddn and bindpw, rootbinddn, the nss_base_* entries, ssl and tls_cacertfile) are the ones usually changed.

 

# List two or more LDAP servers if failover is required

host ldap1.example.com ldap2.example.com

# “host” directive may be deprecated in future releases,

# you may wish to use ‘uri’ directive to replace “host” directive

# uri ldap://ldap1.example.com ldap://ldap2.example.com

base dc=example,dc=com

ldap_version 3

binddn cn=proxyagent,ou=profile,dc=example,dc=com

bindpw password

# The distinguished name to bind to the server with

# if the effective user ID is root. Password is

# stored in /etc/ldap.secret (mode 600)

rootbinddn cn=Manager,dc=example,dc=com

port 389

# The search scope.

#scope sub

#scope one

#scope base

# Search timelimit

#timelimit 30

# Bind timelimit

#bind_timelimit 30

# Idle timelimit; client will close connections

# (nss_ldap only) if the server has not been contacted

# for the number of seconds specified below.

#idle_timelimit 3600

 

# Filter to AND with uid=%s

#pam_filter objectclass=account

pam_filter objectclass=posixAccount

# The user ID attribute (defaults to uid)

pam_login_attribute uid

 

# Search the root DSE for the password policy (works

# with Netscape Directory Server)

#pam_lookup_policy yes

 

# Check the 'host' attribute for access control

# Default is no; if set to yes, and user has no

# value for the host attribute, and pam_ldap is

# configured for account management (authorization)

# then the user will not be allowed to login.

#pam_check_host_attr yes

 

# Group to enforce membership of

#pam_groupdn cn=PAM,ou=Groups,dc=example,dc=com

 

# Group member attribute

#pam_member_attribute uniquemember

pam_member_attribute memberUid

 

# Specify a minimum or maximum UID number allowed

#pam_min_uid 0

#pam_max_uid 0

 

# Template login attribute, default template user

# (can be overridden by value of former attribute

# in user's entry)

#pam_login_attribute userPrincipalName

#pam_template_login_attribute uid

#pam_template_login nobody

 

# HEADS UP: the pam_crypt, pam_nds_passwd,

# and pam_ad_passwd options are no

# longer supported.

 

# Do not hash the password at all; presume

# the directory server will do it, if

# necessary. This is the default.

#pam_password clear

 

# Hash password locally; required for University of

# Michigan LDAP server, and works with Netscape

# Directory Server if you're using the UNIX-Crypt

# hash mechanism and not using the NT Synchronization

# service.

pam_password crypt

 

# Remove old password first, then update in

# cleartext. Necessary for use with Novell

# Directory Services (NDS)

#pam_password nds

 

# Update Active Directory password, by

# creating Unicode password and updating

# unicodePwd attribute.

#pam_password ad

 

# Use the OpenLDAP password change

# extended operation to update the password.

#pam_password exop

 

# Redirect users to a URL or somesuch on password

# changes.

#pam_password_prohibit_message Please visit http://internal to change your password.

 

# RFC2307bis naming contexts

# Syntax:

# nss_base_XXX          base?scope?filter

# where scope is {base,one,sub}

# and filter is a filter to be &'d with the

# default filter.

# You can omit the suffix eg:

# nss_base_passwd       ou=People,

# to append the default base DN but this

# may incur a small performance impact.

nss_base_passwd ou=People,dc=example,dc=com?one

nss_base_shadow ou=People,dc=example,dc=com?one

nss_base_group          ou=group,dc=example,dc=com?one

#nss_base_hosts         ou=Hosts,dc=example,dc=com?one

#nss_base_services      ou=Services,dc=example,dc=com?one

#nss_base_networks      ou=Networks,dc=example,dc=com?one

#nss_base_protocols     ou=Protocols,dc=example,dc=com?one

#nss_base_rpc           ou=Rpc,dc=example,dc=com?one

#nss_base_ethers        ou=Ethers,dc=example,dc=com?one

#nss_base_netmasks      ou=Networks,dc=example,dc=com?one

#nss_base_bootparams    ou=Ethers,dc=example,dc=com?one

#nss_base_aliases       ou=Aliases,dc=example,dc=com?one

nss_base_netgroup      ou=netgroup,dc=example,dc=com?one

 

# attribute/objectclass mapping

# Syntax:

#nss_map_attribute      rfc2307attribute        mapped_attribute

#nss_map_objectclass    rfc2307objectclass      mapped_objectclass

 

# configure --enable-nds is no longer supported.

# For NDS now do:

#nss_map_attribute uniqueMember member

 

# configure --enable-mssfu-schema is no longer supported.

# For MSSFU now do:

#nss_map_objectclass posixAccount User

#nss_map_attribute uid msSFUName

#nss_map_attribute uniqueMember posixMember

#nss_map_attribute userPassword msSFUPassword

#nss_map_attribute homeDirectory msSFUHomeDirectory

#nss_map_objectclass posixGroup Group

#pam_login_attribute msSFUName

#pam_filter objectclass=User

#pam_password ad

 

# configure --enable-authpassword is no longer supported

# For authPassword support, now do:

#nss_map_attribute userPassword authPassword

#pam_password nds

 

# For IBM SecureWay support, do:

#nss_map_objectclass posixAccount aixAccount

#nss_map_attribute uid userName

#nss_map_attribute gidNumber gid

#nss_map_attribute uidNumber uid

#nss_map_attribute userPassword passwordChar

#nss_map_objectclass posixGroup aixAccessGroup

#nss_map_attribute cn groupName

#nss_map_attribute uniqueMember member

#pam_login_attribute userName

#pam_filter objectclass=aixAccount

#pam_password clear

 

# Netscape SDK LDAPS

#ssl on

 

# Netscape SDK SSL options

#sslpath /etc/ssl/certs/cert7.db

 

# OpenLDAP SSL mechanism

# start_tls mechanism uses the normal LDAP port, LDAPS typically 636

ssl start_tls

#ssl on

 

# OpenLDAP SSL options

# Require and verify server certificate (yes/no)

# Default is "no"

tls_checkpeer yes

 

# CA certificates for server certificate verification

# At least one of these are required if tls_checkpeer is "yes"

#tls_cacertfile /etc/ssl/ca.cert

#tls_cacertdir /etc/ssl/certs

# Un-comment for RedHat

tls_cacertfile /etc/openldap/cacert.pem

# Un-comment for Others

#tls_cacertfile /usr/local/etc/openldap/cacert.pem

 

# Seed the PRNG if /dev/urandom is not provided

#tls_randfile /var/run/egd-pool

 

# SSL cipher suite

# See man ciphers for syntax

#tls_ciphers TLSv1

 

# Client certificate and key

# Use these, if your server requires client authentication.

#tls_cert

#tls_key
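Three settings in the file above decide most of the client's security posture: "ssl" (whether binds and lookups leave the host in cleartext), "tls_checkpeer" (whether the server certificate is verified at all, since the default is "no"), and the credential lines (bindpw sits in a file every local user can read, because nss_ldap must work for unprivileged processes, and the rootdn password lives in /etc/ldap.secret). The following is an added example, not part of the original document: an audit function (ldap_conf_value, world_readable and audit_ldap_conf are my names) that checks an ldap.conf and its secret file for those points, using the directive names nss_ldap accepts. The sample configurations in the usage are constructed.

```shell
#!/bin/sh
# audit_ldap_conf.sh - added example, not from the original document.
# Checks an nss_ldap/pam_ldap ldap.conf for cleartext transport, unverified
# server certificates and exposed bind credentials.

ldap_conf_value() {
    # $1 = file, $2 = directive (lowercase); prints the first value set for
    # it, skipping commented-out lines, and nothing if it is not set
    awk -v key="$2" 'tolower($1) == key { print $2; exit }' "$1"
}

world_readable() {
    # true when "other" has read permission on $1 (parses ls -l, which is
    # portable across GNU and BSD userlands, unlike stat)
    [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

audit_ldap_conf() {
    # $1 = ldap.conf path, $2 = secret file used with rootbinddn
    # prints one WARN or NOTE line per finding; returns 1 if any WARN was printed
    conf=$1; secret=${2:-/etc/ldap.secret}; warns=0
    case "$(ldap_conf_value "$conf" ssl)" in
        start_tls|on) ;;
        *) echo "WARN: no 'ssl start_tls' or 'ssl on': binds and lookups are sent in cleartext"
           warns=$((warns + 1)) ;;
    esac
    if [ "$(ldap_conf_value "$conf" tls_checkpeer)" != "yes" ]; then
        echo "WARN: tls_checkpeer is not 'yes': the server certificate is not verified"
        warns=$((warns + 1))
    fi
    if [ -n "$(ldap_conf_value "$conf" bindpw)" ] && world_readable "$conf"; then
        echo "NOTE: bindpw for $(ldap_conf_value "$conf" binddn) is readable by every local user; that account needs read-only ACLs and a password used nowhere else"
    fi
    if [ -n "$(ldap_conf_value "$conf" rootbinddn)" ]; then
        if [ ! -f "$secret" ]; then
            echo "WARN: rootbinddn is set but $secret is missing: root lookups bind as the proxy account instead"
            warns=$((warns + 1))
        elif world_readable "$secret"; then
            echo "WARN: $secret is world-readable: it holds the rootdn password and must be mode 600"
            warns=$((warns + 1))
        fi
    fi
    [ "$warns" -eq 0 ]
}

# usage: sh audit_ldap_conf.sh /etc/ldap.conf /etc/ldap.secret
if [ $# -gt 0 ]; then
    audit_ldap_conf "$1" "${2:-/etc/ldap.secret}"
fi
```

The NOTE about bindpw is deliberately not a WARN: the file has to stay world-readable for nss_ldap to work, which is exactly why the document binds as a dedicated "proxyagent" entry rather than as a real user or the rootdn.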

 

Now from LDAP Client, we could test again the openssl “CAfile” command:

 

# openssl s_client -connect ldap1.example.com:636 -CAfile /etc/openldap/cacert.pem -debug

---

<Ctrl-C or Ctrl-Break to exit> it should not display verification error

 

# openssl s_client -connect ldap2.example.com:636 -CAfile /etc/openldap/cacert.pem -debug

---

<Ctrl-C or Ctrl-Break to exit> it should not display verification error

 

 

IMPORTANT NOTE: please ensure that the FQDN (Fully Qualified Domain Name) shown as CN=<FQDN> in the certificate matches the “host” entry (or entries) in /etc/ldap.conf (nss_ldap) and $ETC_OPENLDAP/ldap.conf (LDAP Client), and that its IP address is defined in the /etc/hosts file.

 

You should test whether the LDAP client can connect to the LDAP Server (slapd) using simple authentication (-x), both without and with START_TLS (-ZZ).

 

# ldapsearch -x -LLL

# ldapsearch -x -LLL -ZZ

 

To test the use of LDAP for user id lookup, you may use "id" or "getent"; before that, please ensure that the keyword 'ldap' appears in /etc/nsswitch.conf and that "nscd" is running.

 

#  grep ldap /etc/nsswitch.conf

passwd:     files ldap

shadow:   files ldap

group:      files ldap

 

# service  nscd restart

 

# id tuser

uid=99999(tuser) gid=102(Users)

# getent passwd gtay

 

Step 5: Configure Solaris Native LDAP Client

 

This step is for Solaris8 or later (Solaris9/10) Native LDAP Clients only.

 

The procedures are also applicable to Solaris10; there is a specific step for the “crle” command, and you may like to refer to this URL:

http://www.sunmanagers.org/pipermail/summaries/2005-August/006688.html

 

For Solaris10 LDAP Client, it is noted that the entry “ipnodes: files ldap” in /etc/nsswitch.conf should be replaced with just “ipnodes: files” or else ldapclient initialization will hang.

 

Assuming client2.example.com and client3.example.com are Solaris8 and Solaris9 Native LDAP Clients respectively.

 

Please note that for a Solaris8 LDAP Client, the “SUNWnisu” package (from the Solaris8 OS CD; it contains the “ldapclient” command), the latest kernel patch and ldapv2 Patch 108993-XX must be installed; for a Solaris9 LDAP Client, the latest kernel patch and ldap Patch 112960-XX must be installed.

 

Log in to client2 or client3 as ‘root’.

 

We would first need to generate two files, /var/ldap/cert7.db and /var/ldap/key3.db, such that cert7.db contains the self-signed SSL Web Server certificate(s).

 

Run "netscape" browser locally, or from a remote Windows PC, and capture the self-signed SSL Server certificates from ldap1.example.com and ldap2.example.com into $HOME/.netscape/cert7.db or c:\Program Files\Netscape\users\user_name\cert7.db.

 

The URL to capture cert7.db is https://ldapserver_fqdn:636/, ignore "The document contained no data" message. FQDN means Fully Qualified Domain Name.

 

https://ldap1.example.com:636/

https://ldap2.example.com:636/

 

To view the content of cert7.db in Netscape Browser, click Communicator/Tools/Security Info/Web Sites.

 

Copy this cert7.db and the corresponding key3.db to /var/ldap of all Solaris LDAP Clients.

 

Don’t forget to:

# chmod 644 /var/ldap/cert7.db

# chmod 644 /var/ldap/key3.db

 

To test if TLS connection is OK remotely from LDAP Client to LDAP Server, you could run "test_native_client_tls.sh" which requires /var/ldap/cert7.db.

 

IMPORTANT NOTE: the original /usr/bin/ldapsearch on a Solaris8/9 LDAP Client DOES NOT HAVE the “-Z” and “-P” options needed to perform this test; please download the SUN ONE DS5.2 software and perform a dummy install to, say, a SERVER_ROOT of /var/Sun/mps, so that there is a /var/Sun/mps/shared/bin/ldapsearch that provides these options.

 

$ cat test_native_client_tls.sh
IDS5_PATH=/var/Sun/mps
LD_LIBRARY_PATH=$IDS5_PATH/lib:$LD_LIBRARY_PATH; export LD_LIBRARY_PATH
echo "Testing MASTER LDAP Server..."
$IDS5_PATH/shared/bin/ldapsearch -h ldap1.example.com -p 636 -b "" -s base -Z -P /var/ldap/cert7.db "(objectclass=*)" "+"
echo "Press any key"
read any_key
echo "Testing SLAVE LDAP Server..."
$IDS5_PATH/shared/bin/ldapsearch -h ldap2.example.com -p 636 -b "" -s base -Z -P /var/ldap/cert7.db "(objectclass=*)" "+"
echo "Done"

 

Note 1: the “+” is needed for OpenLDAP Server to return full details in RootDSE entry.

 

Note 2: Please note that /usr/bin/ldapsearch DOES NOT support “-Z” and “-P” options, but $IDS5_PATH/shared/bin/ldapsearch DOES, how do you obtain this version of “ldapsearch”?

 

For Solaris9, $IDS5_PATH is most likely already there and is usually named /usr/iplanet/ds5; you may amend the script to reflect its actual location. If it is not there, you may download and install SUN Java System Directory Server 5.2 or SUN ONE Directory Server 5.2 and walk through one round of “dummy” CONSOLE ONLY installation to obtain all the supported library and client command files in the $IDS5_PATH directory, which defaults to /var/Sun/mps.

 

For Solaris8, you would have to download and install SUN Java System Directory Server 5.2 or SUN ONE Directory Server 5.2 and walk through one round of “dummy” CONSOLE ONLY installation to obtain all the supported library and client command files in the $IDS5_PATH directory, which defaults to /var/Sun/mps.

 

Note 3: please note that you ONLY need to test cert7.db and key3.db by running the BASELINE test script “test_native_client_tls.sh” ONCE at ONE of the Solaris LDAP Clients.

 

Now run the TLS BASELINE test.

 

$ ./test_native_client_tls.sh

Testing Master LDAP Server...
version: 1
dn:
objectClass: top
objectClass: OpenLDAProotDSE
structuralObjectClass: OpenLDAProotDSE
namingContexts: dc=example,dc=com
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 1.3.6.1.4.1.4203.1.10.1
supportedControl: 1.2.840.113556.1.4.1413
supportedControl: 1.2.840.113556.1.4.1339
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.826.0.1.334810.2.3
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedFeatures: 1.3.6.1.4.1.4203.1.5.1
supportedFeatures: 1.3.6.1.4.1.4203.1.5.2
supportedFeatures: 1.3.6.1.4.1.4203.1.5.3
supportedFeatures: 1.3.6.1.4.1.4203.1.5.4
supportedFeatures: 1.3.6.1.4.1.4203.1.5.5
supportedLDAPVersion: 2
supportedLDAPVersion: 3
supportedSASLMechanisms: OTP
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
Press any key

Testing SLAVE LDAP Server...
version: 1
dn:
objectClass: top
objectClass: OpenLDAProotDSE
structuralObjectClass: OpenLDAProotDSE
namingContexts: dc=example,dc=com
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 1.3.6.1.4.1.4203.1.10.1
supportedControl: 1.2.840.113556.1.4.1413
supportedControl: 1.2.840.113556.1.4.1339
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.826.0.1.334810.2.3
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedFeatures: 1.3.6.1.4.1.4203.1.5.1
supportedFeatures: 1.3.6.1.4.1.4203.1.5.2
supportedFeatures: 1.3.6.1.4.1.4203.1.5.3
supportedFeatures: 1.3.6.1.4.1.4203.1.5.4
supportedFeatures: 1.3.6.1.4.1.4203.1.5.5
supportedLDAPVersion: 2
supportedLDAPVersion: 3
Done

 

(Note: without result.c patch to slapd, ONLY the first five lines will be shown)

 

Next we will configure the LDAP Client. Two files, /var/ldap/ldap_client_file and /var/ldap/ldap_client_cred, need to be created; the first contains all parameters and the second the password of “proxyAgent”.

 

IMPORTANT NOTE: DO NOT RUN “ldapclient” to generate these two files for Solaris Native LDAP Client against OpenLDAP Server (be it RedHat or Solaris) as “ldapclient” will throw “Cannot find the rootDN” error, unless you have applied “result.c” patch (See Appendix) during server binary build.

 

Content of /var/ldap/ldap_client_file:

 

NS_LDAP_FILE_VERSION= 2.0

NS_LDAP_SERVERS= ldap1.example.com, ldap2.example.com

NS_LDAP_SEARCH_BASEDN= dc=example,dc=com

NS_LDAP_AUTH= tls:simple

NS_LDAP_SEARCH_REF= FALSE

NS_LDAP_SEARCH_SCOPE= one

NS_LDAP_SEARCH_TIME= 30

NS_LDAP_CACHETTL= 43200

NS_LDAP_PROFILE= tls_profile

NS_LDAP_CREDENTIAL_LEVEL= proxy

NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=People,dc=example,dc=com?one

NS_LDAP_SERVICE_SEARCH_DESC= group: ou=group,dc=example,dc=com?one

NS_LDAP_SERVICE_SEARCH_DESC= shadow: ou=People,dc=example,dc=com?one

NS_LDAP_SERVICE_SEARCH_DESC= netgroup: ou=netgroup,dc=example,dc=com?one

NS_LDAP_BIND_TIME= 10

 

Content of /var/ldap/ldap_client_cred:

 

NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=example,dc=com

NS_LDAP_BINDPASSWD= {NS1}ecfa88f3a945c411

 

(Tips: see the Appendix for a script called cr_proyAgent_pw_in_NS1_format.sh to find out the {NS1} formatted password of proxyAgent; this script can only be run on Solaris8)

 

Alternatively, if the result.c patch is applied to the server “slapd” binary, the following script, ldapclient_init_tlsprofile_sol9.sh, may be used to initialize a Solaris9 Native LDAP Client and generate the above two files. For a Solaris8 Native LDAP Client, use the other script, ldapclient_init_tlsprofile_sol.sh, which shows the different ldapclient command syntax.

 

Content of ldapclient_init_tlsprofile_sol9.sh:

 

#! /usr/bin/sh
#
# ldapclient_init_tlsprofile_sol9.sh
#
# Gary Tay, 18-Feb-2005, written
#
# Make sure root account is used
[ -z "`id | egrep 'uid=0|euid=0'`" ] && exit 1
# Please customize the values of profileName and LDAP Server IP Address
ldapclient -v init \
    -a profileName=tls_profile \
    -a domainName=example.com \
    -a proxyDn=cn=proxyagent,ou=profile,dc=example,dc=com \
    -a proxyPassword=password 192.168.1.168
# As ldapclient overwrites /etc/nsswitch.conf with /etc/nsswitch.ldap
# which contains a bug in "hosts:" entry, we need to repair it
sed -e '/^hosts:/s/ldap.*files$/files dns/' \
    -e '/^passwd:/a\
shadow:     files ldap' \
    /etc/nsswitch.ldap >/etc/nsswitch.work
cp /etc/nsswitch.work /etc/nsswitch.conf
# Refresh Name Service Cache Daemon after repairing /etc/nsswitch.conf
/etc/init.d/nscd stop
/etc/init.d/nscd start
# Refresh autofs and sendmail to fix high-CPU bugs for automount and sendmail
/etc/init.d/sendmail stop
sleep 1
/etc/init.d/sendmail start
pkill -9 automount
/etc/init.d/autofs stop
sleep 3
/etc/init.d/autofs start

 

 

# ./ldapclient_init_tlsprofile_sol9.sh
Parsing profileName=tls_profile
Parsing domainName=example.com
Parsing defaultSearchBase=dc=example,dc=com
Parsing proxyDn=cn=proxyagent,ou=profile,dc=example,dc=com
Parsing proxyPassword=password
Arguments parsed:
        defaultSearchBase: dc=example,dc=com
        domainName: example.com
        proxyDN: cn=proxyagent,ou=profile,dc=example,dc=com
        profileName: tls_profile
        proxyPassword: password
        defaultServerList: 192.168.1.168
Handling init option
Proxy DN: cn=proxyagent,ou=profile,dc=example,dc=com
Proxy password: {NS1}ecfa88f3a945c411
Authentication method: 0
Authentication method: 0
No proxyDN/proxyPassword required
About to modify this machines configuration by writing the files
Stopping network services
Stopping sendmail
Stopping nscd
Stopping autofs
Stopping ldap
nisd not running
nis_cache not running
nispasswd not running
nis(yp) not running
Removing existing restore directory
file_backup: stat(/etc/nsswitch.conf)=0
file_backup: (/etc/nsswitch.conf -> /var/ldap/restore/nsswitch.conf)
file_backup: stat(/etc/defaultdomain)=0
file_backup: (/etc/defaultdomain -> /var/ldap/restore/defaultdomain)
file_backup: stat(/etc/.rootkey)=-1
file_backup: No /etc/.rootkey file.
file_backup: stat(/var/nis/NIS_COLD_START)=-1
file_backup: No /var/nis/NIS_COLD_START file.
file_backup: nis domain is "example.com"
file_backup: stat(/var/yp/binding/example.com)=-1
file_backup: No /var/yp/binding/example.com directory.
file_backup: stat(/var/ldap/ldap_client_file)=0
file_backup: (/var/ldap/ldap_client_file -> /var/ldap/restore/ldap_client_file)
file_backup: (/var/ldap/ldap_client_cred -> /var/ldap/restore/ldap_client_cred)
Starting network services
start: /usr/bin/domainname example.com... success
start: /usr/lib/ldap/ldap_cachemgr... success
start: /etc/init.d/autofs start... success
start: /etc/init.d/nscd start... success
start: /etc/init.d/sendmail start... success
System successfully configured
#

 

Content of ldapclient_init_tlsprofile_sol8.sh:

#! /usr/bin/sh
#
# ldapclient_init_tlsprofile_sol8.sh
#
# Gary Tay, 28-Jul-2005, written
#
# Make sure root account is used
[ -z "`id | egrep 'uid=0|euid=0'`" ] && exit 1
echo We first initialize a /var/ldap/ldap_client_file with "default" profile
/usr/sbin/ldapclient -v -i -a simple -b dc=example,dc=com -c proxy \
   -D cn=proxyAgent,ou=profile,dc=example,dc=com -w password \
   -S "passwd: ou=People,dc=example,dc=com?one" \
   -S "shadow: ou=People,dc=example,dc=com?one" \
   -S "group: ou=group,dc=example,dc=com?one" \
   -S "netgroup: ou=netgroup,dc=example,dc=com?one" \
   192.168.1.168
echo ...
echo As ldapclient overwrites /etc/nsswitch.conf with /etc/nsswitch.ldap
echo which contains a bug in "hosts:" entry, we need to repair it
sed -e '/^hosts:/s/ldap.*files$/files dns/' \
    -e '/^passwd:/a\
shadow:     files ldap' \
    /etc/nsswitch.ldap >/etc/nsswitch.work
cp /etc/nsswitch.work /etc/nsswitch.conf
echo ...
echo Refresh Name Service Cache Daemon after repairing /etc/nsswitch.conf
/etc/init.d/nscd stop
/etc/init.d/nscd start
echo ...
echo We then overwrite /var/ldap/ldap_client_file with "tls_profile" version
echo and refresh ldap_cachemgr
echo Please customize the NS_LDAP_XXX parameters in this script
cat <<EOF >/var/ldap/ldap_client_file.tls_profile
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= ldap1.example.com
NS_LDAP_SEARCH_BASEDN= dc=example,dc=com
NS_LDAP_AUTH= tls:simple
NS_LDAP_SEARCH_REF= FALSE
NS_LDAP_SEARCH_SCOPE= one
NS_LDAP_SEARCH_TIME= 30
NS_LDAP_CACHETTL= 43200
NS_LDAP_PROFILE= tls_profile
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=People,dc=example,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= group: ou=group,dc=example,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= shadow: ou=People,dc=example,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= netgroup: ou=netgroup,dc=example,dc=com?one
NS_LDAP_BIND_TIME= 10
EOF
cp /var/ldap/ldap_client_file.tls_profile /var/ldap/ldap_client_file
/etc/init.d/ldap.client stop
/etc/init.d/ldap.client start
echo Done.

 

(Note: if you are not using TLS, comment out the relevant section of the script)

 

# ./ldapclient_init_tlsprofile_sol8.sh

 

Check and, if needed, change the file permissions of BOTH ldap_client_file and ldap_client_cred:

 

# cd /var/ldap

# chmod 400 ldap_client_file ldap_client_cred

 

Edit /etc/nsswitch.conf, make sure that these lines exist:

 

passwd:     files ldap
group:      files ldap
shadow:     files ldap
hosts:      files dns

 

IMPORTANT NOTE: One side effect of running “ldapclient” is that it resets “hosts: files dns” in /etc/nsswitch.conf to “hosts: ldap files”, which breaks DNS name lookup. The above script attempts to revert it, but in case the script does not run to completion, it is always advisable to double-check the “hosts:” entry in /etc/nsswitch.conf and adjust it back to the desired “files dns” setting.

 

Now try refreshing ldap_cachemgr and nscd

 

# /etc/init.d/ldap.client stop

# /etc/init.d/ldap.client start

# ps -ef | grep ldap

# /etc/init.d/nscd stop

# /etc/init.d/nscd start

# ps -ef | grep nscd

 

Make sure also that ldap1.example.com and ldap2.example.com are defined in BOTH "/etc/hosts" and DNS, and that "hosts: files dns" rather than "hosts: files ldap" is defined in /etc/nsswitch.conf. If "hosts: files ldap" is used, there will be error messages during login, i.e. "unknown host or invalid literal address".
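As an added example (not part of the original document), the following Python reads an nsswitch.conf and reports every database whose source order differs from what this guide expects, then applies the same “hosts:” repair that the sol8/sol9 scripts perform with sed. The sample file content is constructed to look like /etc/nsswitch.ldap right after “ldapclient” has copied it over /etc/nsswitch.conf; it is not a file from the document.

```python
import re

# Constructed sample: /etc/nsswitch.conf as "ldapclient" leaves it after copying
# /etc/nsswitch.ldap over it (hosts: reset to "ldap [NOTFOUND=return] files",
# no shadow: line). Not a file from the original document.
NSSWITCH_AFTER_LDAPCLIENT = """\
# nsswitch.conf written by ldapclient (constructed sample)
passwd:     files ldap
group:      files ldap
hosts:      ldap [NOTFOUND=return] files
netgroup:   ldap
automount:  files ldap
"""

# Source order this guide expects for each database on the client.
EXPECTED = {
    "passwd": ["files", "ldap"],
    "group": ["files", "ldap"],
    "shadow": ["files", "ldap"],
    "hosts": ["files", "dns"],
}


def parse_nsswitch(text):
    """Return {database: [source, ...]}; comments and [STATUS=action] clauses are dropped."""
    dbs = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        db, rest = line.split(":", 1)
        dbs[db.strip()] = [tok for tok in rest.split() if not tok.startswith("[")]
    return dbs


def audit_nsswitch(text, expected=EXPECTED):
    """One finding string per expected database that is missing or in the wrong order."""
    dbs = parse_nsswitch(text)
    findings = []
    for db, want in expected.items():
        got = dbs.get(db)
        if got is None:
            findings.append("%s: missing (want '%s')" % (db, " ".join(want)))
        elif got != want:
            findings.append("%s: '%s' (want '%s')" % (db, " ".join(got), " ".join(want)))
    return findings


def fix_hosts_line(text):
    """Rewrite the hosts: entry to 'files dns', the repair the sol8/sol9 scripts do with sed."""
    return re.sub(r"^(hosts:[ \t]*).*$", r"\1files dns", text, flags=re.M)


if __name__ == "__main__":
    for finding in audit_nsswitch(NSSWITCH_AFTER_LDAPCLIENT):
        print("FINDING:", finding)
    print(fix_hosts_line(NSSWITCH_AFTER_LDAPCLIENT))
```

Run against the sample, the audit reports the reset hosts: line and the missing shadow: line, which are exactly the two edits the sed command in the scripts makes; after fix_hosts_line only the shadow: finding remains.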

 

(IMPORTANT NOTE: if you are using the SUN Native LDAP Client, there is no need to build NSS_LDAP and PAM_LDAP from source to support the OpenLDAP Client Library; simply use SUN's built-in /usr/lib/nss_ldap.so.1 and /usr/lib/security/pam_ldap.so.1)

 

To test the name service, in addition to "id" and "getent", there is also the "ldaplist" command:

 

# /usr/lib/ldap/ldap_cachemgr -g
# id tuser
uid=9999(tuser) gid=102(Users)
# getent passwd tuser
tuser::9999:102::/home/tuser:/bin/bash
# ldaplist -l passwd tuser
dn: uid=tuser,ou=People,dc=example,dc=com
        givenName: Test
        sn: User
        loginShell: /bin/bash
        uidNumber: 9999
        gidNumber: 102
        objectClass: top
        objectClass: person
        objectClass: organizationalPerson
        objectClass: inetorgperson
        objectClass: posixAccount
        objectClass: shadowAccount
        uid: tuser
        cn: Test User
        homeDirectory: /home/tuser

 

Tips: If there is a problem looking up the LDAP entries, look for errors in /var/log/messages and/or /var/log/ldap.log.

 

Step 5X: Configure “automount” to work with RedHat or Solaris Native LDAP Clients

 

Assumptions: one or more NFS Servers, e.g. nfs_server and nfs_server2, have exported /home directories.

 

First, at the LDAP Server, add “solaris_automount.schema” to slapd.conf and restart slapd.

 

# touch solaris_automount.schema; chown ldap:daemon solaris_automount.schema

The definitions of these automount attributes and objectclasses are taken from SUN ONE DS5.2 $SERVER_ROOT/config/schema/S99user.ldif and modified to suit the OpenLDAP schema format.

Please note that the optional attribute "ou" is added to objectclass "automountMap" and "cn" is added to objectclass "automount".

# vi solaris_automount.schema
attributetype ( 1.3.6.1.1.1.1.33
        NAME 'automountInformation'
        DESC 'automount information'
        EQUALITY caseExactIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
        SINGLE-VALUE
        X-ORIGIN 'user defined' )

attributetype ( 1.3.6.1.1.1.1.31
        NAME 'automountMapName'
        DESC 'automount Map Name'
        EQUALITY caseExactIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
        SINGLE-VALUE
        X-ORIGIN 'user defined' )

attributetype ( 1.3.6.1.1.1.1.32
        NAME 'automountKey'
        DESC 'automount Key Value'
        EQUALITY caseExactIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
        SINGLE-VALUE
        X-ORIGIN 'user defined' )

objectclass ( 1.3.6.1.1.1.2.16
        NAME 'automountMap'
        SUP top
        STRUCTURAL
        MUST automountMapName
        MAY ( description $ ou )
        X-ORIGIN 'user defined' )

objectclass ( 1.3.6.1.1.1.2.17
        NAME 'automount'
        SUP top
        STRUCTURAL
        MUST ( automountInformation $ automountKey )
        MAY ( cn $ description )
        X-ORIGIN 'user defined' )

# vi slapd.conf
Add the following line after solaris.schema line

include         /etc/openldap/schema/solaris_automount.schema

 

Second, at the LDAP Server, create the automount maps for OpenLDAP. Below is a sample; there are two sets, auto_* for Solaris Native LDAP Clients and auto.* for RedHat LDAP Clients.

 

# cat automount_openldap.ldif

dn: ou=automount,dc=example,dc=com
ou: automount
objectClass: top
objectClass: organizationalUnit

dn: nisMapName=auto.master,dc=example,dc=com
objectClass: top
objectClass: nisMap
nisMapName: auto.master

dn: cn=/home,nisMapName=auto.master,dc=example,dc=com
objectClass: top
objectClass: nisObject
cn: /home
nisMapEntry: ldap:nisMapName=auto.home,dc=example,dc=com
nisMapName: auto.master

dn: nisMapName=auto.home,dc=example,dc=com
objectClass: top
objectClass: nisMap
nisMapName: auto.home

dn: cn=/,nisMapName=auto.home,dc=example,dc=com
objectClass: top
objectClass: nisObject
cn: /
nisMapEntry: nfs_server:/home/&
nisMapName: auto.home

dn: automountMapName=auto_master,dc=example,dc=com
objectClass: top
objectClass: automountMap
automountMapName: auto_master
ou: auto_master

dn: automountKey=/home,automountMapName=auto_master,dc=example,dc=com
objectClass: top
objectClass: automount
automountKey: /home
cn: /home
automountInformation: auto_home -nobrowse

dn: automountKey=/-,automountMapName=auto_master,dc=example,dc=com
objectClass: top
objectClass: automount
automountKey: /-
cn: /-
automountInformation: auto_direct

dn: automountMapName=auto_home,dc=example,dc=com
objectClass: top
objectClass: automountMap
automountMapName: auto_home
ou: auto_home

dn: automountKey=*,automountMapName=auto_home,dc=example,dc=com
objectClass: top
objectClass: automount
automountKey: *
cn: *
automountInformation: nfs_server:/home/&

dn: automountMapName=auto_direct,dc=example,dc=com
objectClass: top
objectClass: automountMap
automountMapName: auto_direct
ou: auto_direct

dn: automountKey=/home2,automountMapName=auto_direct,dc=example,dc=com
objectClass: top
objectClass: automount
automountKey: /home2
cn: /home2
automountInformation: nfs_server2:/home

 

And add it into the DIT.

 

# ldapadd -c -x -D "cn=Manager,dc=example,dc=com" -W -f automount_openldap.ldif

 

Third, at the LDAP Server, create cn=tls_automount_profile under ou=profile,dc=example,dc=com:

 

# cat tls_automount_profile.ldif

 

dn: cn=tls_automount_profile,ou=profile,dc=example,dc=com
ObjectClass: top
ObjectClass: DUAConfigProfile
defaultServerList: ldap1.example.com ldap2.example.com
defaultSearchBase: dc=example,dc=com
authenticationMethod: tls:simple
followReferrals: FALSE
defaultSearchScope: sub
searchTimeLimit: 30
profileTTL: 43200
bindTimeLimit: 10
cn: tls_automount_profile
credentialLevel: proxy
serviceSearchDescriptor: passwd: ou=People,dc=example,dc=com?one
serviceSearchDescriptor: group: ou=group,dc=example,dc=com?one
serviceSearchDescriptor: shadow: ou=People,dc=example,dc=com?one
serviceSearchDescriptor: netgroup: ou=netgroup,dc=example,dc=com?one
serviceSearchDescriptor: auto.master: nisMapName=auto.master,dc=example,dc=com?one
serviceSearchDescriptor: auto.home: nisMapName=auto.home,dc=example,dc=com?one
serviceSearchDescriptor: auto_master: automountMapName=auto_master,dc=example,dc=com?one
serviceSearchDescriptor: auto_home: automountMapName=auto_home,dc=example,dc=com?one
serviceSearchDescriptor: auto_direct: automountMapName=auto_direct,dc=example,dc=com?one
objectclassMap: automount: automount=nisObject
objectclassMap: automount: automountMap=nisMap
attributeMap: automount: automountInformation=nisMapEntry
attributeMap: automount: automountKey=cn
attributeMap: automount: automountMapName=nisMapName

 

Note: either of the two lines below is acceptable:

attributeMap: automount: automountMapName=nisMapName

OR

attributeMap: automount: automountMapName=ou

 

# ldapadd -c -x -D "cn=Manager,dc=example,dc=com" -W -f tls_automount_profile.ldif
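The objectclassMap and attributeMap lines in the profile above are what let one client read both the RFC 2307 (nisMap/nisObject) and the Solaris (automountMap/automount) forms of the same map. As an added example that is not part of the original document and not how ldap_cachemgr or automountd is implemented, the Python below models that translation: it parses a constructed subset of the automount_openldap.ldif shown above, treats a Solaris attribute or objectclass name and the RFC 2307 name it is mapped to as equivalent, and rebuilds each map as key/location pairs, attaching key entries to the map whose DN is their parent (the “?one” scope of the service search descriptors).

```python
# Constructed subset of the automount_openldap.ldif shown above: the RFC 2307
# nisMap/nisObject form (auto.master, auto.home) and the Solaris automount schema
# form (auto_home), both pointing at the same NFS export.
AUTOMOUNT_LDIF = """\
dn: nisMapName=auto.master,dc=example,dc=com
objectClass: top
objectClass: nisMap
nisMapName: auto.master

dn: cn=/home,nisMapName=auto.master,dc=example,dc=com
objectClass: top
objectClass: nisObject
cn: /home
nisMapEntry: ldap:nisMapName=auto.home,dc=example,dc=com
nisMapName: auto.master

dn: nisMapName=auto.home,dc=example,dc=com
objectClass: top
objectClass: nisMap
nisMapName: auto.home

dn: cn=/,nisMapName=auto.home,dc=example,dc=com
objectClass: top
objectClass: nisObject
cn: /
nisMapEntry: nfs_server:/home/&
nisMapName: auto.home

dn: automountMapName=auto_home,dc=example,dc=com
objectClass: top
objectClass: automountMap
automountMapName: auto_home
ou: auto_home

dn: automountKey=*,automountMapName=auto_home,dc=example,dc=com
objectClass: top
objectClass: automount
automountKey: *
cn: *
automountInformation: nfs_server:/home/&
"""

# The objectclassMap / attributeMap lines of tls_automount_profile: Solaris-schema
# name on the left, the RFC 2307 name it is looked up as on the right.
OBJECTCLASS_MAP = {"automountMap": "nisMap", "automount": "nisObject"}
ATTRIBUTE_MAP = {"automountMapName": "nisMapName",
                 "automountKey": "cn",
                 "automountInformation": "nisMapEntry"}


def parse_ldif(text):
    """Minimal LDIF reader (no line folding or base64): one {attr: [values]} per entry."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.lower(), []).append(value.strip())
        entries.append(entry)
    return entries


def has_class(entry, oc):
    """True if the entry carries objectclass `oc` or the RFC 2307 class it maps to."""
    classes = {c.lower() for c in entry.get("objectclass", [])}
    return oc.lower() in classes or OBJECTCLASS_MAP[oc].lower() in classes


def mapped_value(entry, attr):
    """First value of `attr`, trying the Solaris name and then its mapped RFC 2307 name."""
    for name in (attr, ATTRIBUTE_MAP[attr]):
        if name.lower() in entry:
            return entry[name.lower()][0]
    raise KeyError("%s has neither %s nor %s" % (entry["dn"][0], attr, ATTRIBUTE_MAP[attr]))


def render_maps(ldif_text):
    """Build {map_name: [(key, location), ...]} from entries in either schema.

    A key entry belongs to the map whose DN is its parent DN, which is what the
    '?one' scope in the service search descriptors expresses."""
    entries = parse_ldif(ldif_text)
    maps, dn_to_map = {}, {}
    for e in entries:
        if has_class(e, "automountMap"):
            name = mapped_value(e, "automountMapName")
            maps[name] = []
            dn_to_map[e["dn"][0].lower()] = name
    for e in entries:
        if has_class(e, "automount"):
            parent = e["dn"][0].split(",", 1)[1].lower()   # no escaped commas in these DNs
            maps[dn_to_map[parent]].append(
                (mapped_value(e, "automountKey"), mapped_value(e, "automountInformation")))
    return maps


if __name__ == "__main__":
    for name, entries in sorted(render_maps(AUTOMOUNT_LDIF).items()):
        print("# %s" % name)
        for key, location in entries:
            print("%s\t%s" % (key, location))
```

The output has the shape of the flat /etc/auto_* files: auto.master points /home at the auto.home map through the “ldap:” indirection, and both auto.home and auto_home resolve to nfs_server:/home/&, which is why the guide can serve RedHat and Solaris clients from the same directory.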

 

Fourth, at the Solaris Native LDAP Client ONLY, create the corresponding ldap_client_file (and ldap_client_cred, if the proxy password differs), and restart ldap_cachemgr and nscd.

 

# cat ldap_client_file
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= ldap1.example.com ldap2.example.com
NS_LDAP_SEARCH_BASEDN= dc=example,dc=com
NS_LDAP_AUTH= tls:simple
NS_LDAP_SEARCH_REF= FALSE
NS_LDAP_SEARCH_SCOPE= sub
NS_LDAP_SEARCH_TIME= 30
NS_LDAP_CACHETTL= 43200
NS_LDAP_PROFILE= tls_automount_profile
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=People,dc=example,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= group: ou=group,dc=example,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= shadow: ou=People,dc=example,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= netgroup: ou=netgroup,dc=example,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= auto.master: nisMapName=auto.master,dc=example,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= auto.home: nisMapName=auto.home,dc=example,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= auto_master: automountMapName=auto_master,dc=example,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= auto_home: automountMapName=auto_home,dc=example,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= auto_direct: automountMapName=auto_direct,dc=example,dc=com?one
NS_LDAP_BIND_TIME= 10
NS_LDAP_ATTRIBUTEMAP= automount: automountMapName=nisMapName
NS_LDAP_ATTRIBUTEMAP= automount: automountKey=cn
NS_LDAP_ATTRIBUTEMAP= automount: automountInformation=nisMapEntry
NS_LDAP_OBJECTCLASSMAP= automount: automountMap=nisMap
NS_LDAP_OBJECTCLASSMAP= automount: automount=nisObject

 

Note: either of the two lines below is acceptable:

NS_LDAP_ATTRIBUTEMAP= automount: automountMapName=nisMapName

OR

NS_LDAP_ATTRIBUTEMAP= automount: automountMapName=ou

 

# /etc/init.d/ldap.client stop     (For Solaris only)
# /etc/init.d/ldap.client start    (For Solaris only)

Make sure that /etc/nsswitch.conf contains “automount: files ldap” (optional if it is “automount: files” and the local /etc/auto_xxx files contain +auto_xxx directives).

# /etc/init.d/nscd stop
# /etc/init.d/nscd start

# ldaplist -l auto.master; ldaplist -l auto.home; ldaplist -l auto.direct    (For Solaris only)
# ldapsearch -x -LLL -ZZ "objectclass=automountMap"                          (For RedHat)

 

Fifth, create /etc/auto_master, /etc/auto_home and /etc/auto_direct for Solaris, create /etc/auto.master and /etc/auto.home for RedHat and restart autofs/automountd.

 

IMPORTANT NOTE 1: RedHat autofs/automountd has bug, please download and install the latest autofs rpm from Fedora Core3 download site: http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/i386/autofs-4.1.3-114.i386.rpm

 

IMPORTANT NOTE 2: For RedHat autofs/automountd to work, please ensure that $ETC_OPENLDAP/ldap.conf (usually /etc/openldap/ldap.conf) contains the “host” and “base” statements, as that is the file automountd reads; please note that RH automountd does not read /etc/ldap.conf.

 

Sample contents for Solaris Native LDAP Client:

 

# cat /etc/auto_master
# Master map for automounter
#
+auto_master
/net      -hosts         -nosuid,nobrowse
/home     auto_home      -nobrowse
/xfn      -xfn
/-        auto_direct

# cat /etc/auto_home
# Home directory map for automounter
#
+auto_home

# cat /etc/auto_direct
+auto_direct

 

Sample contents for RedHat LDAP Client; note that RedHat does not have auto.direct.

 

# cat /etc/auto.master

+auto.master

 

# cat /etc/auto.home

+auto.home

 

# /etc/init.d/autofs restart
# /etc/init.d/autofs start

OR, to debug on a Solaris Native LDAP Client, run these two lines in sequence to start autofs:
# /usr/lib/autofs/automountd -Tvn
# /usr/sbin/automount &

 

Sixth, test autofs/automount by logging in as “uid”, check with “df -k” whether /home/uid is mounted, then do a “cd /home/uid2” and check again.

 

$ pwd
/home/uid
$ df -k
Filesystem            kbytes    used   avail capacity  Mounted on
nfs_server:/home/uid
                     355069743 160782087 190736959    46%    /home/uid
$ cd /home/uid2
$ df -k

 

Step 5Y: Configure “netgroup” to work with RedHat or Solaris Native LDAP Clients

 

(i.e. controlling user access to host using netgroup LDAP maps)

 

Pre-requisites:

. For Solaris, the latest kernel patch and Patch 112960 must be applied
. For RedHat, RHFC3 or RHEL4 clients are recommended
. The “shadowAccount” objectClass must be defined for People entries in the LDAP DIT, on top of “posixAccount”
. To fix an issue related to Solaris Native LDAP Client netgroup queries, apply the following patch to nis.schema on the LDAP Server, then restart the OpenLDAP server

 

# rfc2307
#attributetype ( 1.3.6.1.1.1.1.14 NAME 'nisNetgroupTriple'
#   DESC 'Netgroup triple'
#   SYNTAX 1.3.6.1.1.1.0.0 )

# rfc2307bis
attributetype ( 1.3.6.1.1.1.1.14 NAME 'nisNetgroupTriple'
   DESC 'Netgroup triple'
   EQUALITY caseIgnoreIA5Match
   SUBSTR caseIgnoreIA5SubstringsMatch
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

 

 

 

At the RedHat or Solaris LDAP Client, edit /etc/nsswitch.conf and change the following lines.

 

From:

passwd:         files ldap
netgroup:       files

To:

passwd:         compat
passwd_compat:  ldap
netgroup:       ldap

 

Restart nscd.

# /etc/init.d/nscd stop

# /etc/init.d/nscd start

 

Add the following sample lines to the end of /etc/passwd. Note that there are SIX colons (6 ‘:’s) and only the first two colons enclose an ‘x’ character.

 

+@netgroup1:x:::::

+@netgroup2:x:::::

 

Add the CORRESPONDING lines to the end of /etc/shadow. Note that there are EIGHT colons (8 ‘:’s) and the fields between them are empty:

 

+@netgroup1::::::::

+@netgroup2::::::::

 

Note: there is no need to run “pwconv” as root.
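The colon counts above are easy to get wrong by hand, and a passwd line without its shadow twin is a common cause of a netgroup that silently does not work. As an added example that is not part of the original document, the Python below validates the “+@netgroup” compat lines of both files: seven fields with only “x” in the password field for /etc/passwd, nine empty fields for /etc/shadow, and a one-to-one pairing between the two files. The sample tails are constructed, with one deliberately malformed line and one missing shadow line so that the checks fire.

```python
# Constructed tails of /etc/passwd and /etc/shadow (not from the original document):
# netgroup1 is correct in both files, netgroup2 lacks its shadow line, and the
# netgroup3 passwd line is one colon short.
PASSWD_TAIL = """\
+@netgroup1:x:::::
+@netgroup2:x:::::
+@netgroup3:x::::
"""
SHADOW_TAIL = """\
+@netgroup1::::::::
+@netgroup3::::::::
"""


def check_compat_lines(passwd_text, shadow_text):
    """Validate the +@netgroup compat lines of passwd and shadow; return a list of problems.

    passwd: 7 fields (6 colons), 'x' in field 2, every other field empty.
    shadow: 9 fields (8 colons), every field after the name empty.
    Every netgroup listed in one file must be listed in the other."""
    problems = []
    passwd_groups, shadow_groups = set(), set()

    for line in passwd_text.splitlines():
        if not line.startswith("+@"):
            continue
        fields = line.split(":")
        name = fields[0][2:]
        passwd_groups.add(name)
        if len(fields) != 7:
            problems.append("passwd %s: %d fields, want 7" % (name, len(fields)))
        elif fields[1] != "x" or any(fields[2:]):
            problems.append("passwd %s: only field 2 may be set, and it must be 'x'" % name)

    for line in shadow_text.splitlines():
        if not line.startswith("+@"):
            continue
        fields = line.split(":")
        name = fields[0][2:]
        shadow_groups.add(name)
        if len(fields) != 9:
            problems.append("shadow %s: %d fields, want 9" % (name, len(fields)))
        elif any(fields[1:]):
            problems.append("shadow %s: all fields after the name must be empty" % name)

    for name in sorted(passwd_groups - shadow_groups):
        problems.append("%s: in passwd but not in shadow" % name)
    for name in sorted(shadow_groups - passwd_groups):
        problems.append("%s: in shadow but not in passwd" % name)
    return problems


if __name__ == "__main__":
    for problem in check_compat_lines(PASSWD_TAIL, SHADOW_TAIL):
        print("PROBLEM:", problem)
```

On a real client the two arguments would be the contents of /etc/passwd and /etc/shadow; the function ignores every line that does not start with “+@”, so the regular local accounts are not touched.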

 

At the LDAP Server, add these netgroup entries. Assuming these People entries (gtay, tuser, tuser2) already exist.

 

# cat netgroup.ldif

dn: cn=netgroup1,ou=netgroup,dc=example,dc=com
objectClass: top
objectClass: nisNetgroup
cn: netgroup1
nisNetgroupTriple: (,gtay,)
nisNetgroupTriple: (,tuser,)

dn: cn=netgroup2,ou=netgroup,dc=example,dc=com
objectClass: top
objectClass: nisNetgroup
cn: netgroup2
nisNetgroupTriple: (,tuser2,)

 

# ldapadd -c -x -D "cn=Manager,dc=example,dc=com" -W -f netgroup.ldif

 

For advanced netgroup usage, see the following examples:

 

# nisNetgroupTriple Examples: (host,user,domain)
# jdoe is in the appusers netgroup for all servers, all domains.
# scarter is in the appusers netgroup only on the server mars.
# all users are in the appusers netgroup on the server pluto.
dn: cn=appusers,ou=netgroup,dc=example,dc=com
objectClass: top
objectClass: nisNetgroup
nisNetgroupTriple: (,jdoe,)
nisNetgroupTriple: (mars,scarter,)
nisNetgroupTriple: (pluto,,)
cn: appusers

 

dn: cn=prod_appservers,ou=netgroup,dc=example,dc=com
objectClass: top
objectClass: nisNetgroup
memberNisNetgroup: appusers
memberNisNetgroup: unixadmin
memberNisNetgroup: security
memberNisNetgroup: architecture
cn: prod_appservers
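The comments on the appusers entry describe the (host,user,domain) matching rule, and prod_appservers shows nesting through memberNisNetgroup. As an added example that is not part of the original document, the Python below resolves a netgroup the way innetgr(3) does: it flattens nested memberNisNetgroup references (stopping on cycles and unknown names), and treats an empty triple field as a wildcard. The netgroup data is constructed in the shape the entries above take once read from the directory; the unixadmin, loop_a and loop_b groups are invented for the example.

```python
# Constructed netgroup data in the shape the nisNetgroup entries above take once read
# from the directory: nisNetgroupTriple values as "(host,user,domain)" strings and
# memberNisNetgroup values as names. unixadmin, loop_a and loop_b are invented for
# the example. An empty triple field is a wildcard.
NETGROUPS = {
    "appusers": {"triples": ["(,jdoe,)", "(mars,scarter,)", "(pluto,,)"], "members": []},
    "unixadmin": {"triples": ["(,gtay,)"], "members": []},
    "prod_appservers": {"triples": [], "members": ["appusers", "unixadmin"]},
    # two groups that reference each other, to show that the resolver terminates
    "loop_a": {"triples": [], "members": ["loop_b"]},
    "loop_b": {"triples": ["(,tuser2,)"], "members": ["loop_a"]},
}


def parse_triple(text):
    """'(host,user,domain)' -> (host, user, domain); missing fields stay ''."""
    host, user, domain = (p.strip() for p in text.strip()[1:-1].split(","))
    return host, user, domain


def flatten(name, netgroups, seen=None):
    """All triples reachable from `name`, following memberNisNetgroup recursively.
    Groups already visited (cycles) and unknown group names contribute nothing."""
    seen = set() if seen is None else seen
    if name in seen or name not in netgroups:
        return []
    seen.add(name)
    triples = [parse_triple(t) for t in netgroups[name]["triples"]]
    for member in netgroups[name]["members"]:
        triples.extend(flatten(member, netgroups, seen))
    return triples


def netgroup_allows(name, host, user, netgroups, domain=""):
    """innetgr(3)-style test: (host, user, domain) matches a triple when every
    non-empty triple field equals the corresponding argument."""
    return any(th in ("", host) and tu in ("", user) and td in ("", domain)
               for th, tu, td in flatten(name, netgroups))


if __name__ == "__main__":
    for group, host, user in [("appusers", "venus", "jdoe"), ("appusers", "venus", "scarter"),
                              ("appusers", "mars", "scarter"), ("prod_appservers", "venus", "gtay")]:
        print("%-16s %-6s %-8s %s" % (group, host, user, netgroup_allows(group, host, user, NETGROUPS)))
```

Reading the results against the comments above: jdoe matches on any host, scarter only on mars, anyone on pluto, and gtay reaches prod_appservers only through the nested unixadmin group. Tracing a denied login back through flatten() is also the quickest way to see which nested group a user is missing from.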

 

At the LDAP Client, login as “root” and test the following commands:

 

# getent passwd tuser

# id tuser

# su - tuser

 

The above commands should all work for users in netgroup1 and netgroup2, but not others.

 

Assume “test” is a user account that exists in LDAP (as shown by the ldaplist command) but belongs to neither netgroup1 nor netgroup2.

 

# ldaplist -l passwd test

something

# getent passwd test

nothing

# id test; su - test

 

Solaris will say:

id: invalid user name: "userid"
su: unknown id: userid

 

RedHat will say:

id: userid: No such user
su: user userid does not exist

 

Now try logging in with user accounts in netgroup1 or netgroup2, e.g. “tuser” or “tuser2”; they should all succeed, while others will always fail. Of course, “root” is not affected by the netgroup host access feature.

 

# ssh -v tuser@localhost

 

Congratulations! You have managed to use netgroup LDAP maps to control user access to a host.

 

Step 6: Regular LDAP backup cron jobs

 

This step is for LDAP Server only.

 

You may use the following UNIX root cron jobs for daily OpenLDAP data backup, assuming you have created a /home/ldap directory to hold the scripts and the exported ldif files; please adjust the run times if required.

 

0,15,30,45 * * * * /bin/chmod 600 /home/ldap/*.ldif /home/gtay/*.ldif
0,15,30,45 * * * * /bin/chmod 600 /home/ldap/mgr.pwd /home/gtay/mgr.pwd
0 3,15 * * * /home/ldap/db2ldif_backup.sh
1 3,15 * * * /home/ldap/db2ldif_People.sh
2 3,15 * * * /home/ldap/db2ldif_group.sh

 

The scripts can be found in the Appendix.

 

IMPORTANT NOTE: the db2ldif_backup.sh and db2ldif_People.sh may NOT be able to list the content of userPassword due to security protection by LDAP Access Control List (ACL) directives.

 

Step 7: Replication of LDAP data from MASTER to SLAVE

 

This step is for LDAP Server only.

 

The following UNIX root cron jobs are examples of TWICE Daily Replication, modify to suit your need.

Note that Replication Script should run shortly after Backup Script.

 

# Note: LDAP Replication should start only after LDAP backup is done
#       Adjust the cron job timing if needed
15 3,15 * * * /home/ldap/openldap_repl_People.sh ldap2.example.com
16 3,15 * * * /home/ldap/openldap_repl_group.sh ldap2.example.com

 

The scripts can be found in the Appendix.

 

For these scripts to be successfully automated, “PermitRootLogin” must be enabled for the SSH Server running on ldap1 and ldap2, and a ONE-WAY SSH trust using a public key must be set up from ldap1 to ldap2. Since this allows root to log in over the network, limit it to key-based authentication (PermitRootLogin without-password) and, where possible, restrict the key in ldap2's authorized_keys to ldap1's address with a from= option.

 

Also, copy the following LDAP Replication scripts to /home/ldap of SLAVE LDAP Server:

 

openldap_repl_People.sh

openldap_repl_group.sh

openldap_delete_Peoples.sh

openldap_delete_groups.sh

openldap_add.sh

 

Step 7X: Setting up "slurpd" for MASTER to SLAVE Replication

 

You may also setup MASTER to SLAVE Replication using "slurpd", this gives instant change replication rather than scheduled changes.

 

This step is for LDAP Server only. Assuming ldap1.example.com is the MASTER and ldap2.example.com is the SLAVE.

 

First, create the Replicator user account at MASTER LDAP Server:

 

# cat Replicator.ldif
dn: cn=Replicator,dc=example,dc=com
cn: Replicator
objectClass: top
objectClass: Person
sn: Replicator
userPassword: {MD5}6zRvR8/osVedM+TTNqfoVw==

# ldapadd -c -x -D "cn=Manager,dc=example,dc=com" -W -f Replicator.ldif

 

Second, define "replica" and “replogfile” in MASTER LDAP Server's slapd.conf, place the following directives AFTER the "database" directive.

 

# vi slapd.conf

 

replica         uri=ldaps://ldap2.example.com:636
                binddn="cn=Replicator,dc=example,dc=com"
                bindmethod=simple credentials=xxxxxxxx
replogfile      /var/lib/ldap/replication.log

 

Third, define "updatedn" and “updateref” in SLAVE LDAP Server's slapd.conf, place the following directives AFTER the "database" directive.

 

updatedn        "cn=Replicator,dc=example,dc=com"
updateref       ldaps://ldap1.example.com:636

 

Also, very importantly, don’t forget to grant “Replicator” user write access to “ALL” in SLAVE’s slapd.conf, place the following line BEFORE any other ACLs, i.e. the FIRST ACL.

 

access to *
    by dn.exact="cn=Replicator,dc=example,dc=com" write
    by * none break

 

Fourth, export all data from the MASTER and import it into the SLAVE.

 

At MASTER LDAP: shut down slapd (or restart it in read-only mode); this is required prior to exporting its data to the SLAVE LDAP.

 

# /etc/init.d/openldap.server stop

# slapcat >master.ldif

 

Copy "master.ldif" over to SLAVE LDAP.

 

At SLAVE LDAP:

 

Execute this script "slapadd_master_ldif_to_slave.sh"

 

#! /bin/sh
#
# slapadd_master_ldif_to_slave.sh
#
# Make sure root account is used
[ -z "`id | egrep 'uid=0|euid=0'`" ] && exit 1
# Please customize LD_LIBRARY_PATH, SLAPADD_BINDIR, DATADIR, LDIFDIR and OWNER
LD_LIBRARY_PATH=/usr/lib:/usr/local/lib:/usr/local/BerkeleyDB.4.2/lib:/usr/local/ssl/lib; export LD_LIBRARY_PATH
SLAPADD_BINDIR=/usr/local/sbin
DATADIR=/usr/local/var/openldap-data
LDIFDIR=/home/ldap
OWNER="ldap:daemon"
/etc/init.d/openldap.server stop
# Remove the existing BDB database files before reloading from master.ldif;
# abort if the data directory cannot be entered so the rm never runs elsewhere
cd $DATADIR || exit 1
/bin/rm -f __db.* log.* *.bdb
$SLAPADD_BINDIR/slapadd -v -l $LDIFDIR/master.ldif
if [ $? -eq 0 ]; then
   chown $OWNER *
   /etc/init.d/openldap.server start
   echo "slapadd OK."
else
   echo "slapadd failed."
fi

 

# ./slapadd_master_ldif_to_slave.sh

slapadd OK.

 

Fifth, restart "slapd" (usually run as the "ldap" id) and start "slurpd" (as "root") at the MASTER, then start "slapd" at the SLAVE; this completes the replication setup.

 

At MASTER LDAP:

# /etc/init.d/openldap.server start

# slurpd

 

At SLAVE LDAP:

# /etc/init.d/openldap.server start

 

Try changing LDAP data at MASTER and see if it is reflected in SLAVE.

 

Note that the actual changes, in ldif format, are located in /usr/var/openldap-slurp/replica on the MASTER LDAP, in a file called slurpd.replog.

 

# cd /usr/var/openldap-slurp/replica; ls -alrt
total 28
drwx------    3 root     root         4096 Mar  6 23:23 ..
drwxr-xr-x    2 root     root         4096 Mar  7 04:28 .
-rw-r--r--    1 root     root           44 Mar 24 05:08 slurpd.status
-rw-r--r--    1 root     root        14193 Mar 24 05:08 slurpd.replog
-rw-r--r--    1 root     root            0 Mar 24 05:33 slurpd.status.lock
-rw-r--r--    1 root     root            0 Mar 24 05:33 slurpd.replog.lock

 

Note that if there is a replication error or issue, you will typically find a rejection log (.rej) in the above directory; if there is no error, slurpd.status will contain a line of the form “host:port:0”.

 

Step 8: Configure “sudo” to use LDAP maps for centralized management

 

Login as “root” at the LDAP Server.

 

Prepare sudo.schema

Content of sudo.schema:

attributetype ( 1.3.6.1.4.1.15953.9.1.1
NAME 'sudoUser'
DESC 'User(s) who may run sudo'
EQUALITY caseExactIA5Match
SUBSTR caseExactIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.2
NAME 'sudoHost'
DESC 'Host(s) who may run sudo'
EQUALITY caseExactIA5Match
SUBSTR caseExactIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.3
NAME 'sudoCommand'
DESC 'Command(s) to be executed by sudo'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.4
NAME 'sudoRunAs'
DESC 'User(s) impersonated by sudo'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.5
NAME 'sudoOption'
DESC 'Options(s) followed by sudo'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
DESC 'Sudoer Entries'
MUST ( cn )
MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoOption $
description )
)

(The above is provided by README.LDAP from sudo source)

Include sudo.schema in slapd.conf and restart slapd to load schema.

 

Login as “root” at the LDAP Client.

For BOTH Solaris8/9 Native LDAP Client and RedHat OpenLDAP+PADL LDAP Client

Use gcc 3.2.1 or later to compile the sudo source code with BOTH LDAP and PAM support. Please note that the “sudo” RPM provided by RedHat does not have LDAP support compiled in; this is easily verified by the fact that “ldd `which sudo`” will not show “libldap-2.2.so.7”.

 

# ldd `which sudo`

To compile and build sudo:
# cd /var/tmp
# tar xvf sudo-1.6.8p9.tar
# cd /var/tmp/sudo-1.6.8p9

# ./configure --with-ldap=/usr --with-pam
(For SUN Solaris Native LDAP Client or RedHat OpenLDAP+PADL LDAP Client where LDAP library directory prefix is /usr/lib)

OR
# ./configure --with-ldap=/usr/local --with-pam
(For OpenLDAP+PADL LDAP Client or any Linux/UNIX LDAP Client built from source where LDAP library directory prefix is /usr/local/lib)

# make clean
# make

 

If there are previous versions of the sudoers configuration files, please back them up:

# mv /etc/sudoers /etc/sudoers.orig

For RedHat:

# mv /etc/pam.d/sudo /etc/pam.d/sudo.orig

# mv /usr/bin/sudo /usr/bin/sudo.orig

# make install

For RedHat:

# cp sample.pam /etc/pam.d/sudo

 

For BOTH RedHat and Solaris

# ln -s /usr/local/bin/sudo /usr/bin/sudo


# sudo -V | head
Sudo version 1.6.8p9

Authentication methods: 'pam'
Syslog facility if syslog is being used for logging: local2
Syslog priority to use when user authenticates successfully: notice
Syslog priority to use when user authenticates unsuccessfully: alert
Send mail if the user is not in sudoers
Lecture user the first time they run sudo
Require users to authenticate by default
Root may run sudo

Prepare sample sudoers.ldif using:

Method 1) sudoers2ldif.sh, which calls the sudoers2ldif tool provided by the sudo build (it is in the build directory; copy it to /usr/bin or any shared area referenced by $PATH) to convert the existing /etc/sudoers.

Content of sudoers2ldif.sh:


#! /bin/sh
SUDOERS_BASE=ou=sudoers,dc=example,dc=com
export SUDOERS_BASE
[ -n "$1" ] && INPUT_FILE=$1
[ -z "$1" ] && INPUT_FILE=/etc/sudoers
sudoers2ldif $INPUT_FILE

Below is the content of a text file /etc/sudoers.orig and how it is converted to ldif; the example here shows no additional sudoRole entry.

# cat /etc/sudoers.orig
root ALL=(ALL) ALL

# sudoers2ldif.sh /etc/sudoers.orig
dn: cn=defaults,ou=sudoers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here

dn: cn=root,ou=sudoers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: root
sudoUser: root
sudoHost: ALL
sudoCommand: ALL

Method 2) By hand using vi, the example here shows some sample sudoRole entries.

# vi sudoers.ldif
dn: ou=sudoers,dc=example,dc=com
objectclass: organizationalUnit
ou: sudoers

dn: cn=defaults,ou=sudoers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here
sudoOption: logfile=/var/log/sudolog

dn: cn=root,ou=sudoers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: root
sudoUser: root
sudoHost: ALL
sudoCommand: ALL

# Everyone can "su - tuser" without giving password
dn: cn=su_tuser_wo_pw,ou=sudoers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: su_tuser_wo_pw
sudoUser: ALL
sudoHost: ALL
sudoCommand: /bin/su - tuser
sudoOption: !authenticate

# tuser2 can reboot host1 server as default RunAs is "root"
dn: cn=tuser2_can_reboot_host1,ou=sudoers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: tuser2_can_reboot_host1
sudoUser: tuser2
sudoHost: host1
sudoCommand: /usr/sbin/shutdown -y -g0 -i6
sudoOption:

Populate LDAP Server.

Against an OpenLDAP Server (simple bind as Manager, prompting for the password):
# ldapadd -c -x -W -D "cn=Manager,dc=example,dc=com" -f sudoers.ldif

Against a SUN ONE DS5.2 Server:
# ldapadd -c -D "cn=Directory Manager" -f sudoers.ldif
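Before populating the directory it is worth checking what the LDIF actually grants, since every host that reads ou=sudoers will honour it. The following is an added example, not part of the original document: a POSIX sh/awk check run over a constructed sample in the shape of the sudoers.ldif above; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original document): flag sudoRole entries that
# grant every command or skip authentication before they reach the directory.

# Constructed sample in the shape of the sudoers.ldif above
SAMPLE_SUDOERS_LDIF='dn: cn=defaults,ou=sudoers,dc=example,dc=com
objectClass: sudoRole
cn: defaults
sudoOption: logfile=/var/log/sudolog

dn: cn=root,ou=sudoers,dc=example,dc=com
objectClass: sudoRole
cn: root
sudoUser: root
sudoHost: ALL
sudoCommand: ALL

dn: cn=su_tuser_wo_pw,ou=sudoers,dc=example,dc=com
objectClass: sudoRole
cn: su_tuser_wo_pw
sudoUser: ALL
sudoHost: ALL
sudoCommand: /bin/su - tuser
sudoOption: !authenticate

dn: cn=tuser2_can_reboot_host1,ou=sudoers,dc=example,dc=com
objectClass: sudoRole
cn: tuser2_can_reboot_host1
sudoUser: tuser2
sudoHost: host1
sudoCommand: /usr/sbin/shutdown -y -g0 -i6
'

# audit_sudo_roles: LDIF on stdin; prints "<cn>: <findings>" per flagged role
# and exits 1 if anything was flagged. The defaults entry carries no grant
# and is skipped. Usage before ldapadd:  audit_sudo_roles <sudoers.ldif
audit_sudo_roles() {
  awk '
    function reset() { cn = ""; role = 0; allcmd = 0; noauth = 0; allusers = 0 }
    function flush(   why) {
      if (role && cn != "defaults") {
        why = ""
        if (allcmd) why = why " sudoCommand=ALL"
        if (noauth) why = why " !authenticate"
        if (allusers && (allcmd || noauth)) why = why " sudoUser=ALL"
        if (why != "") { print cn ":" why; found++ }
      }
      reset()
    }
    BEGIN { found = 0; reset() }
    /^objectClass: sudoRole$/     { role = 1 }
    /^cn: /                       { cn = substr($0, 5) }
    /^sudoUser: ALL$/             { allusers = 1 }
    /^sudoCommand: ALL$/          { allcmd = 1 }
    /^sudoOption: !authenticate$/ { noauth = 1 }
    /^$/                          { flush() }
    END { flush(); exit (found > 0) }
  '
}
```

On the sample above the check reports the root role (sudoCommand=ALL) and su_tuser_wo_pw (!authenticate granted to sudoUser ALL), and passes the narrow tuser2 role.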

For a Solaris Native LDAP Client, prepare an /etc/ldap.conf (mode 644 is OK as it holds no sensitive info) containing the following THREE lines; for RedHat, only the LAST LINE needs to be added, as the FIRST TWO LINES are most likely already present.

host ldap1.example.com
base dc=example,dc=com
sudoers_base ou=sudoers,dc=example,dc=com

For Solaris Native LDAP Client, edit /var/ldap/ldap_client_file to add:

NS_LDAP_SERVICE_SEARCH_DESC= sudoers: ou=sudoers,dc=example,dc=com

Don’t forget to add ADDITIONAL SSD (Service Search Descriptor) for sudoers LDAP maps lookup in LDAP DIT, using SUN ONE DS5.2 Administration Console.


Restart ldap_cachemgr (/etc/init.d/ldap.client) and the name service cache daemon (/etc/init.d/nscd).

(note that README.LDAP says the "sudoers: files ldap" statement in /etc/nsswitch.conf is RESERVED but NOT YET implemented, so this line is optional)

Try the following commands to verify LDAP query OK.

For Solaris:
# ldaplist -l sudoers
# ldaplist -l sudoers root
# ldaplist -l sudoers su_tuser_wo_pw

For RedHat:

# ldapsearch -x -LLL objectclass=sudoRole

Note that “getent sudoers root” won't work but that does not matter.

Make sure there is an /etc/pam.d/sudo; if there isn't, copy sample.pam from the sudo source build to it. The difference between sample.pam and the original /etc/pam.d/sudo is most likely only additional commented lines.

To REALLY TEST whether sudo+LDAP is working you MUST have EITHER an EMPTY /etc/sudoers OR the ORIGINAL /etc/sudoers file, which effectively contains only ONE DEFAULT LINE “root ALL=(ALL) ALL”.



Now log in as "gtay" and try both "su - tuser" and "sudo su - tuser":
$ su - tuser
Password:
Sun Microsystems Inc. SunOS 5.9 Generic May 2002
$ id
uid=9999(tuser) gid=102(Users)
$ exit

$ sudo -l
$ sudo su - tuser (No password required)
Sun Microsystems Inc. SunOS 5.9 Generic May 2002
$ id
uid=9999(tuser) gid=102(Users)

Now log in as "tuser2" and try to reboot the server:
$ id
uid=9998(tuser2) gid=102(Users)
$ /usr/sbin/shutdown -y -g0 -i6

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.

Password:
Shutdown started. Fri May 20 15:23:20 SGT 2005

Changing to init state 6 - please wait
Broadcast Message from root (pts/3) on host1 Fri May 20 15:23:20...
THE SYSTEM sins001u5 IS BEING SHUT DOWN NOW ! ! !
Log off now or risk your files being damaged

Congratulations! You have successfully set up sudo+LDAP.

IMPORTANT NOTES:

1) In the absence of /etc/sudoers, "sudo -l" will complain and will not retrieve the sudo LDAP maps:
sudo: can't stat /etc/sudoers: No such file or directory

2) "sudo -L" shows one option related to LDAP

ignore_local_sudoers: If LDAP directory is up, do we ignore local sudoers file
...

3) Don't forget to set LDAP object access permissions on all objects under ou=sudoers,dc=example,dc=com, using an ACI in SUN ONE DS5.2 or an ACL in OpenLDAP.

 

Step 9: Configure “Apache” to use LDAP Authentication

 

The auth_ldap module built into Apache 2 is “experimental” and may not be stable; instead you may use:

 

Apache 1.X: http://www.muquit.com/muquit/software/mod_auth_ldap/mod_auth_ldap.html
Apache 2.X: http://www.muquit.com/muquit/software/mod_auth_ldap/mod_auth_ldap_apache2.html

 

Apache must be built with .so (shared object) support and SSL support if StartTLS is used.

To configure Apache2 with shared object and SSL support:

./configure --enable-so --enable-ssl --with-ssl-dir=/usr/local/ssl

(Refer to the URL above for Apache 1.X syntax)


IMPORTANT NOTE: DO NOT add --enable-ldap, --enable-auth-ldap or --with-ldap to the above; they are for the "experimental" LDAP module support built into Apache 2.x, and they DID NOT work for me. I am not sure of the experience of others.

To configure “mod_auth_ldap” from muquit.com:

# OpenLDAP
./configure --with-apxs=/usr/local/apache2/bin/apxs --with-ldap-dir=/usr/local

# iPlanet LDAP
./configure --with-apxs=/usr/local/apache2/bin/apxs --with-ldap-dir=/usr


After that, modify httpd.conf and add the following lines for testing purposes.

LoadModule auth_ldap_module modules/mod_auth_ldap.so

Alias /syslog "/var/log/"

<Directory "/var/log/">
Options Indexes FollowSymLinks MultiViews IncludesNoExec ExecCGI
AddOutputFilter Includes html
AllowOverride All
Order allow,deny
Allow from all
</Directory>

<Location /syslog>
AuthType Basic
AuthName "syslog"
require valid-user
#LDAP_Debug On
#LDAP_StartTLS On
LDAP_Server ldap1.example.com
# Add SLAVE LDAP Server for failover
LDAP_Server ldap2.example.com
LDAP_Port 389
Base_DN dc=example,dc=com
UID_Attr uid
</Location>

 

Restart httpd, and test this URL:

http://apache.example.com/syslog/

 

Appendix:

 

Some of the scripts assume a script directory /home/gtay (or /home/ldap); please feel free to modify them to suit your project needs.

You will also notice that mgr.pwd needs to be created for some of the scripts to run unattended.

The author disclaims any responsibility for logic errors in the scripts or any damage they might cause.

 

Content of cr_group_ldif.sh (used to strip unwanted lines from a Netscape-exported LDIF file)

#! /bin/sh
# Drop Netscape operational attributes (nsUniqueId, aci, modifiersName/
# modifyTimestamp, creatorsName/createTimestamp) that OpenLDAP will not
# accept from ldapadd, plus LDIF continuation lines (leading space).
# Note: dropping continuation lines also truncates any long value that
# the exporter folded across lines.
egrep -v "^ |^nsUniqueId:|^aci:|^mod|^creat|^ ot|^ t" group.ldif >group_ldapadd.ldif
cp group_ldapadd.ldif ldap_add.ldif
cp group_ldapadd.ldif openldap_add.ldif

Content of cr_People_ldif.sh (used to strip unwanted lines from a Netscape-exported LDIF file)

#! /bin/sh
# As cr_group_ldif.sh, additionally dropping gecos (not wanted in the
# OpenLDAP copy of the People entries)
egrep -v "^gecos:|^ |nsUniqueId:|^aci:|^mod|^creat|^ ot|^ t" People.ldif >People_ldapadd.ldif
cp People_ldapadd.ldif ldap_add.ldif
cp People_ldapadd.ldif openldap_add.ldif

Content of cr_unsigned_ssl_cert.sh

#! /bin/sh
#
# cr_unsigned_ssl_cert.sh - Create un-signed SSL Cert at SLAVE LDAP Server
#
# Gary Tay, 22-Oct-2004, written
#           10-Jun-2005, modified openssl.cnf, 3652 days validity now
#           22-Jul-2005, added code to prompt for SSL Cert. SERIAL Number
#
# Note: after creation of un-signed cert, login as root
#       at MASTER LDAP Server and run sign_ssl_cert_from_slave.sh

# Un-comment for RedHat
#PATH=$PATH:/usr/bin; export PATH
# Un-comment for Others
PATH=$PATH:/usr/local/ssl/bin; export PATH

mkdir demoCA >/dev/null 2>&1
cd demoCA || exit 1
mkdir certs crl newcerts private >/dev/null 2>&1

echo "Please enter an unique number as Certificate Serial Number"
echo "Examples: if 01 is reserved for MASTER LDAP Server"
echo "             02 can be used for 1st SLAVE LDAP Server"
echo "             03 can be used for 2nd SLAVE LDAP Server"
read SERIAL
echo $SERIAL >serial
cp /dev/null index.txt

# Un-comment next line for RedHat
#cp /usr/share/ssl/openssl.cnf openssl.cnf
# Un-comment next line for Others
cp /usr/local/ssl/openssl.cnf openssl.cnf

# Localise the default DN fields and extend the validity to 3652 days
sed -e 's/AU/SG/' \
   -e 's/Some-State/Singapore/' \
   -e 's/Newbury/Singapore/' \
   -e 's/Internet Widgits Pty Ltd/Example Ltd/' \
   -e '/default_days/s/365/3652/' \
   openssl.cnf > openssl.cnf.new
mv openssl.cnf.new openssl.cnf

# Add the service names clients connect to as subjectAltName
echo "" >>openssl.cnf
echo "[ usr_cert ] " >>openssl.cnf
echo "subjectAltName=DNS:ldap.`domainname`,DNS:loadbalancer.`domainname`" >>openssl.cnf
echo "" >>openssl.cnf

echo "Creating un-signed SLAVE LDAP Server cert..."
echo "Please enter SLAVE LDAP Server's FQDN when prompted for Common Name:"
# Key and self-signed cert are both written to newreq_slave.pem;
# sign_ssl_cert_from_slave.sh reads key and request from that one file
openssl req -new -x509 -nodes -keyout newreq_slave.pem -out newreq_slave.pem \
            -days 3652 -config openssl.cnf

Content of sign_ssl_cert_from_slave.sh

#! /bin/sh
#
# sign_ssl_cert_from_slave.sh
#
# Self sign un-signed SSL Cert copied from SLAVE LDAP Server
#
# Gary Tay, 22-Oct-2004, written
#           10-Jun-2005, modified openssl.cnf, 3652 days validity now
#           22-Jul-2005, added code to prompt for SSL Cert. SERIAL Number

# Un-comment for RedHat
#PATH=$PATH:/usr/bin; export PATH
# Un-comment for Others
PATH=$PATH:/usr/local/ssl/bin; export PATH

mkdir demoCA >/dev/null 2>&1
cd demoCA || exit 1
mkdir certs crl newcerts private >/dev/null 2>&1

echo "Please enter an unique number as Certificate Serial Number"
echo "Examples: if 01 is reserved for MASTER LDAP Server"
echo "             02 can be used for 1st SLAVE LDAP Server"
echo "             03 can be used for 2nd SLAVE LDAP Server"
read SERIAL
echo $SERIAL >serial
cp /dev/null index.txt

# Un-comment next two lines for RedHat
cp /usr/share/ssl/openssl.cnf openssl.cnf
ETC_OPENLDAP=/etc/openldap
# Un-comment next two lines for Others
#cp /usr/local/ssl/openssl.cnf openssl.cnf
#ETC_OPENLDAP=/usr/local/etc/openldap

# Localise the default DN fields and extend the validity to 3652 days
sed -e 's/AU/SG/' \
   -e 's/Some-State/Singapore/' \
   -e 's/Newbury/Singapore/' \
   -e 's/Internet Widgits Pty Ltd/Example Ltd/' \
   -e '/default_days/s/365/3652/' \
   openssl.cnf > openssl.cnf.new
mv openssl.cnf.new openssl.cnf

echo "" >>openssl.cnf
echo "[ usr_cert ] " >>openssl.cnf
echo "subjectAltName=DNS:ldap.`domainname`,DNS:loadbalancer.`domainname`" >>openssl.cnf
echo "" >>openssl.cnf

echo "We must copy the unsigned SSL Server Cert from SLAVE LDAP Server"
echo ""
# printf keeps the cursor on the prompt line under both Solaris sh and bash
# (echo "...\c" only does so under Solaris /bin/sh)
printf "Enter HOSTNAME/IP of SLAVE LDAP Server: "
read SLAVE_LDAP
printf "Enter directory to locate un-signed server cert/key: "
read DEMOCA_DIR
echo "Copying un-signed server cert/key from SLAVE LDAP Server..."
scp $SLAVE_LDAP:$DEMOCA_DIR/newreq_slave.pem .

echo "Self signing server cert for SLAVE LDAP Server..."
echo "Please enter SLAVE LDAP Server's FQDN when prompted for Common Name:"
# Turn the slave's self-signed cert back into a request signed with its own key
openssl x509 -x509toreq -in newreq_slave.pem -signkey newreq_slave.pem -out tmp.pem
cd ..
# Sign the request with the CA kept in demoCA (cacert.pem, private/cakey.pem)
openssl ca -config demoCA/openssl.cnf -policy policy_anything \
           -out demoCA/newcert_slave.pem -infiles demoCA/tmp.pem
rm -f demoCA/tmp.pem

echo "Please copy New Cert and Key to SLAVE OpenLDAP Server config dir..."
echo "Example: assuming ldap2:$ETC_OPENLDAP is the target directory on SLAVE:"
echo "scp demoCA/cacert.pem ldap2:$ETC_OPENLDAP"
echo "scp demoCA/newcert_slave.pem ldap2:$ETC_OPENLDAP/slapd-cert-ldap2.pem"
echo "scp demoCA/newreq_slave.pem ldap2:$ETC_OPENLDAP/slapd-key-ldap2.pem"
echo "ssh ldap2 'chmod 640 $ETC_OPENLDAP/slapd-key-ldap2.pem'"
# Uncomment for RedHat
echo "ssh ldap2 'chown ldap:ldap $ETC_OPENLDAP/*.pem'"
# Uncomment for Others
#echo "ssh ldap2 'chown ldap:daemon $ETC_OPENLDAP/*.pem'"
echo ""

Content of db2ldif_backup.sh

#! /bin/sh
#
# db2ldif_backup.sh
#
BASEDN="dc=example,dc=com"
LDIF_FILE=/home/ldap/full_backup.ldif

# Only export while slapd is running
if [ -n "`ps -ef | grep 'slapd' | grep -v grep`" ]
then
   # For RedHat
   BINDIR=/usr/bin
   # For Others
   #BINDIR=/usr/local/bin
   # Note: -w places the Manager password on the command line, where it is
   # visible in the process list while the search runs; newer OpenLDAP
   # client tools accept -y /home/ldap/mgr.pwd to read it from the file instead
   $BINDIR/ldapsearch -x -LLL -b "$BASEDN" \
              -D "cn=Manager,$BASEDN" \
              -w `cat /home/ldap/mgr.pwd` \
              "objectclass=*" >$LDIF_FILE
   echo "Full user data backup written to $LDIF_FILE"
fi
chmod 600 $LDIF_FILE /home/ldap/mgr.pwd

Content of db2ldif_group.sh

#! /bin/sh
#
# db2ldif_group.sh
#
BASEDN="dc=example,dc=com"
LDIF_FILE=/home/ldap/group.ldif

# Only export while slapd is running
if [ -n "`ps -ef | grep 'slapd' | grep -v grep`" ]
then
   # For RedHat
   BINDIR=/usr/bin
   # For Others
   #BINDIR=/usr/local/bin
   $BINDIR/ldapsearch -x -LLL -b "ou=group,$BASEDN" \
              -D "cn=Manager,$BASEDN" \
              -w `cat /home/ldap/mgr.pwd` \
              "objectclass=*" >$LDIF_FILE
fi
chmod 600 $LDIF_FILE /home/ldap/mgr.pwd

Content of db2ldif_People.sh

#! /bin/sh
#
# db2ldif_People.sh
#
BASEDN="dc=example,dc=com"
LDIF_FILE=/home/ldap/People.ldif

# Only export while slapd is running
if [ -n "`ps -ef | grep 'slapd' | grep -v grep`" ]
then
   # For RedHat
   BINDIR=/usr/bin
   # For Others
   #BINDIR=/usr/local/bin
   $BINDIR/ldapsearch -x -LLL -b "ou=People,$BASEDN" \
              -D "cn=Manager,$BASEDN" \
              -w `cat /home/ldap/mgr.pwd` \
              "objectclass=*" >$LDIF_FILE
fi
chmod 600 $LDIF_FILE /home/ldap/mgr.pwd

Content of openldap_add.sh

#! /bin/sh
# openldap_add.sh

# Un-Comment for RedHat
BINDIR=/usr/bin
# Un-Comment for others
#BINDIR=/usr/local/bin

# -c: continue past entries that already exist (e.g. the ou containers)
if [ -f mgr.pwd ]
then
   $BINDIR/ldapadd -c -x -D "cn=Manager,dc=example,dc=com" -w `cat mgr.pwd` -f openldap_add.ldif
else
   echo "mgr.pwd not found"
   echo "Please enter LDAP password for cn=Manager,dc=example,dc=com..."
   $BINDIR/ldapadd -c -x -D "cn=Manager,dc=example,dc=com" -W -f openldap_add.ldif
fi

Content of openldap_delete_groups.sh

#! /bin/sh
# openldap_delete_groups.sh
# Destructive script
# Never do deletion at LDAP Master Server
# Do deletion only at LDAP Slave Server
[ "`uname -n`" = "ldap1" ] && exit

# Un-Comment for RedHat
BINDIR=/usr/bin
# Un-Comment for others
#BINDIR=/usr/local/bin

# Build the list of DNs to delete from the slave's own group export
grep "^dn:" group.ldif | sed 's/^dn: //' >openldap_delete_groups.ldif
# -c: keep going when a DN cannot be deleted (the non-leaf ou=group entry)
if [ -f mgr.pwd ]
then
   $BINDIR/ldapdelete -c -x -D "cn=Manager,dc=example,dc=com" -w `cat mgr.pwd` -f openldap_delete_groups.ldif
else
   echo "mgr.pwd not found"
   echo "Please enter LDAP password for cn=Manager,dc=example,dc=com..."
   $BINDIR/ldapdelete -c -x -D "cn=Manager,dc=example,dc=com" -W -f openldap_delete_groups.ldif
fi

Content of openldap_delete_Peoples.sh

#! /bin/sh
# openldap_delete_Peoples.sh
# Destructive script
# Never do deletion at LDAP Master Server
# Do deletion only at LDAP Slave Server
[ "`uname -n`" = "ldap1" ] && exit

# Un-Comment for RedHat
BINDIR=/usr/bin
# Un-Comment for others
#BINDIR=/usr/local/bin

# Build the list of DNs to delete from the slave's own People export
grep "^dn:" People.ldif | sed 's/^dn: //' >openldap_delete_Peoples.ldif
# -c: keep going when a DN cannot be deleted (the non-leaf ou=People entry)
if [ -f mgr.pwd ]
then
   $BINDIR/ldapdelete -c -x -D "cn=Manager,dc=example,dc=com" -w `cat mgr.pwd` -f openldap_delete_Peoples.ldif
else
   echo "mgr.pwd not found"
   echo "Please enter LDAP password for cn=Manager,dc=example,dc=com..."
   $BINDIR/ldapdelete -c -x -D "cn=Manager,dc=example,dc=com" -W -f openldap_delete_Peoples.ldif
fi

Content of openldap_repl_group.sh

#! /bin/sh
#
# openldap_repl_group.sh
#
# Gary Tay, 10-Oct-2003, written
#
# Assumption: root@$MASTER_LDAP has been SSH trusted by root@$SLAVE_LDAP
#
# Required these modular scripts/files:
#
# 1. db2ldif_group.sh
# 2. openldap_delete_groups.sh
# 3. openldap_add.sh
# 4. mgr.pwd contains password for "Manager"
#

MASTER_LDAP="ldap1"
SLAVE_LDAP="ldap2"

# Make sure current hostname is Master LDAP Server
[ "`uname -n`" != "$MASTER_LDAP" ] && exit 1
# Make sure root account is used
[ -z "`id | egrep 'uid=0|euid=0'`" ] && exit 1

if [ $# -le 0 ]
then
   echo ""
   echo "OpenLDAP Replicate group data to Slave LDAP Server"
   echo ""
   echo "Usage: $0 <HOSTNAME or IP of Slave LDAP Server>"
   echo "Example: $0 $SLAVE_LDAP"
   exit 1
fi
SSH=/usr/bin/ssh
SCP=/usr/bin/scp
cd /home/ldap || exit 1
# Export group ldif file
./db2ldif_group.sh
cp group.ldif openldap_add.ldif
# Copy ldif files to Slave LDAP Server
$SCP group.ldif $1:/home/ldap
$SCP openldap_add.ldif $1:/home/ldap
# Execute scripts at Slave LDAP Server: export its own copy (the delete
# list), delete those entries, then add the master's data
$SSH $1 "cd /home/ldap; chmod 600 mgr.pwd; chmod 750 db2ldif_group.sh; ./db2ldif_group.sh; chmod 750 openldap_delete_groups.sh; ./openldap_delete_groups.sh; chmod 750 openldap_add.sh; ./openldap_add.sh"

Content of openldap_repl_People.sh

#! /bin/sh
#
# openldap_repl_People.sh
#
# Gary Tay, 10-Oct-2003, written
#
# Assumption: root@$MASTER_LDAP has been SSH trusted by root@$SLAVE_LDAP
#
# Required these modular scripts/files:
#
# 1. db2ldif_People.sh
# 2. openldap_delete_Peoples.sh
# 3. openldap_add.sh
# 4. mgr.pwd contains password for "Manager"
#

MASTER_LDAP="ldap1"
SLAVE_LDAP="ldap2"

# Make sure current hostname is Master LDAP Server
[ "`uname -n`" != "$MASTER_LDAP" ] && exit 1
# Make sure root account is used
[ -z "`id | egrep 'uid=0|euid=0'`" ] && exit 1

if [ $# -le 0 ]
then
   echo ""
   echo "OpenLDAP Replicate People data to Slave LDAP Server"
   echo ""
   echo "Usage: $0 <HOSTNAME or IP of Slave LDAP Server>"
   echo "Example: $0 $SLAVE_LDAP"
   exit 1
fi
SSH=/usr/bin/ssh
SCP=/usr/bin/scp
cd /home/ldap || exit 1
# Export People ldif file
./db2ldif_People.sh
cp People.ldif openldap_add.ldif
# Copy ldif files to Slave LDAP Server
$SCP People.ldif $1:/home/ldap
$SCP openldap_add.ldif $1:/home/ldap
# Execute scripts at Slave LDAP Server: export its own copy (the delete
# list), delete those entries, then add the master's data
$SSH $1 "cd /home/ldap; chmod 600 mgr.pwd; chmod 750 db2ldif_People.sh; ./db2ldif_People.sh; chmod 750 openldap_delete_Peoples.sh; ./openldap_delete_Peoples.sh; chmod 750 openldap_add.sh; ./openldap_add.sh"
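Both replication scripts above run the slave-side delete unconditionally, so if the export on the master failed silently (slapd not running, a wrong mgr.pwd: ldapsearch then writes an empty file) the slave is emptied and nothing is added back. The following is an added example, not part of the original scripts: a sanity gate for the exported LDIF with a constructed sample export; the function names and the minimum entry count are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the original scripts): refuse to ship an exported
# LDIF to the slave unless it looks complete, because the slave-side delete
# runs unconditionally. Function names and the minimum count are assumptions.
BASEDN="dc=example,dc=com"

# ldif_dn_count FILE: print the number of entries (dn: lines) in FILE
ldif_dn_count() {
  [ -f "$1" ] || { echo 0; return 0; }
  grep -c '^dn: ' "$1" || true    # grep -c prints 0 but exits 1 on no match
}

# ldif_export_ok FILE MIN: succeed only if FILE is non-empty, holds at least
# MIN entries and every dn ends in $BASEDN; the reason goes to stderr
ldif_export_ok() {
  file=$1; min=${2:-1}
  if [ ! -s "$file" ]; then
    echo "$file: missing or empty (did ldapsearch fail?)" >&2; return 1
  fi
  n=$(ldif_dn_count "$file")
  if [ "$n" -lt "$min" ]; then
    echo "$file: only $n entries, expected at least $min" >&2; return 1
  fi
  if grep '^dn: ' "$file" | grep -v "${BASEDN}\$" | grep -q .; then
    echo "$file: has entries outside $BASEDN" >&2; return 1
  fi
  return 0
}

# write_sample_group_ldif FILE: constructed sample of a db2ldif_group.sh export
write_sample_group_ldif() {
  cat >"$1" <<'EOF'
dn: ou=group,dc=example,dc=com
objectClass: organizationalUnit
ou: group

dn: cn=Users,ou=group,dc=example,dc=com
objectClass: posixGroup
cn: Users
gidNumber: 102
EOF
}

# In openldap_repl_group.sh, right after ./db2ldif_group.sh:
#   ldif_export_ok group.ldif 2 || { echo "export failed, not replicating" >&2; exit 1; }
```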

 

Content of openldap_search.sh

#! /bin/sh
# openldap_search.sh

# Un-Comment for RedHat
BINDIR=/usr/bin
# Un-Comment for others
#BINDIR=/usr/local/bin

# Search base comes from BASE in ldap.conf; bind as Manager with the
# password kept in mgr.pwd
$BINDIR/ldapsearch -x -LLL -D "cn=Manager,dc=example,dc=com" -w `cat mgr.pwd` "objectclass=*"

Content of DUAConfigProfile.schema

 

See http://web.singnet.com.sg/~garyttt/DUAConfigProfile.schema.txt

 

Content of solaris.schema

 

See http://web.singnet.com.sg/~garyttt/solaris.schema.txt

 

Content of result.c patch for OpenLDAP 2.2.X

 

See http://web.singnet.com.sg/~garyttt/result_c_patch.txt

 

Steps to apply result.c patch:

 

# cd /var/tmp/openldap-2.2.X

# patch -p0 -i result_c_patch.txt
patching file servers/slapd/result.c
Hunk #1 succeeded at 916 with fuzz 1 (offset 37 lines).
Hunk #2 succeeded at 1082 with fuzz 1 (offset 5 lines).

 

Content of cr_proxyAgent_pw_in_NS1_format.sh (Solaris8 specific ldap_gen_profile command)

 

# cat cr_proxyAgent_pw_in_NS1_format.sh

/usr/sbin/ldap_gen_profile -P testprofile -b "dc=example,dc=com" \
   -D "cn=proxyAgent,ou=profiLe,dc=example,dc=com" -w password \
   192.168.1.168

 

# ./cr_proxyAgent_pw_in_NS1_format.sh
dn: cn=testprofile,ou=profile,dc=example,dc=com
        SolarisBindDN: cn=proxyAgent,ou=profiLe,dc=example,dc=com
        SolarisBindPassword: {NS1}ecfa88f3a945c411
        SolarisLDAPServers: 192.168.1.168
        SolarisSearchBaseDN: dc=example,dc=com
        SolarisAuthMethod: NS_LDAP_AUTH_NONE
        SolarisTransportSecurity: NS_LDAP_SEC_NONE
        SolarisSearchReferral: NS_LDAP_FOLLOWREF
        SolarisSearchScope: NS_LDAP_SCOPE_ONELEVEL
        SolarisSearchTimeLimit: 30
        SolarisCacheTTL: 43200
        cn: testprofile
        SolarisBindTimeLimit: 30
        ObjectClass: top
        ObjectClass: SolarisNamingProfile

--- End-of-Doc ---