debconf
questions; this configuration phase can be forced by the dpkg-reconfigure slapd
command.
falcot.com
”.
dpkg-reconfigure slapd
right after the initial installation.
$
ldapsearch -x -b dc=falcot,dc=com
# extended LDIF # # LDAPv3 # base <dc=falcot,dc=com> with scope sub # filter: (objectclass=*) # requesting: ALL # # falcot.com dn: dc=falcot,dc=com objectClass: top objectClass: dcObject objectClass: organization o: Falcot Corp dc: falcot # admin, falcot.com dn: cn=admin,dc=falcot,dc=com objectClass: simpleSecurityObject objectClass: organizationalRole cn: admin description: LDAP administrator # search result search: 2 result: 0 Success # numResponses: 3 # numEntries: 2
/etc/passwd
, /etc/group
, /etc/services
, /etc/hosts
and so on), convert this data, and inject it into the LDAP database.
/etc/migrationtools/migrate_common.ph
must be edited; the IGNORE_UID_BELOW
and IGNORE_GID_BELOW
options need to be enabled (uncommenting them is enough).
migrate_all_online.sh
command, as follows:
#
cd /usr/share/migrationtools
#
LDAPADD="/usr/bin/ldapadd -c" ETC_ALIASES=/dev/null ./migrate_all_online.sh
migrate_all_online.sh
asks a few questions about the LDAP database into which the data is to be migrated. Table 11.1 summarizes the answers given in the Falcot use-case.
Table 11.1. Answers to questions asked by the migrate_all_online.sh
script
Question | Answer |
---|---|
X.500 naming context |
dc=falcot,dc=com
|
LDAP server hostname |
localhost
|
Manager DN |
cn=admin,dc=falcot,dc=com
|
Bind credentials | the administrative password |
Create DUAConfigProfile | no |
/etc/aliases
file, since the standard schema as provided by Debian does not include the structures that this script uses to describe email aliases. Should we want to integrate this data into the directory, the /etc/ldap/schema/misc.schema
file should be added to the standard schema.
-c
option to the ldapadd
command; this option requests that processing doesn't stop in case of error. Using this option is required because converting the /etc/services
often generates a few errors that can safely be ignored.
Table 11.2. Configuring the libnss-ldap package
Question | Answer |
---|---|
LDAP server Uniform Resource Identifier |
ldap://ldap.falcot.com
|
Distinguished name of the search base |
dc=falcot,dc=com
|
LDAP version to use |
3
|
Does the LDAP database require login? | no |
LDAP account for root |
cn=admin,dc=falcot,dc=com
|
LDAP root account password | the administrative password |
/etc/nsswitch.conf
file then needs to be modified, so as to configure NSS to use the freshly-installed ldap
module.
Example 11.31. The /etc/nsswitch.conf
file
# /etc/nsswitch.conf # # Example configuration of GNU Name Service Switch functionality. # If you have the `glibc-doc' and `info' packages installed, try: # `info libc "Name Service Switch"' for information about this file. passwd: ldap compat group: ldap compat shadow: ldap compat hosts: files dns ldap networks: ldap files protocols: ldap db files services: ldap db files ethers: ldap db files rpc: ldap db files netgroup: files
ldap
module is usually inserted before others, and it will therefore be queried first. The notable exception is the hosts
service since contacting the LDAP server requires consulting DNS first (to resolve ldap.falcot.com
). Without this exception, a hostname query would try to ask the LDAP server; this would trigger a name resolution for the LDAP server, and so on in an infinite loop. As for the netgroup
services, it is not yet handled by the LDAP module.
files
module disregarded), services can be configured with the following syntax:
service
: ldap [NOTFOUND=return] files
.
/etc/environment
and /etc/default/locale
) that will allow applications to perform the required authentications against the LDAP database.
Table 11.3. Configuration of libpam-ldap
Question | Answer |
---|---|
Allow LDAP admin account to behave like local root? |
Yes. This allows using the usual passwd command for changing passwords stored in the LDAP database.
|
Does the LDAP database require logging in? | no |
LDAP account for root |
cn=admin,dc=falcot,dc=com
|
LDAP root account password | the LDAP database administrative password |
/etc/pam.d/common-auth
, /etc/pam.d/common-password
and /etc/pam.d/common-account
files. This mechanism uses the dedicated pam-auth-update
tool (provided by the libpam-runtime package). This tool can also be run by the administrator should they wish to enable or disable PAM modules.
/usr/lib/ssl/misc/CA.pl -newcert
asks a few mundane questions (location, organization name and so on). The answer to the “common name” question must be the fully-qualified hostname for the LDAP server; in our case, ldap.falcot.com
.
newcert.pem
file; the corresponding private key is stored in newkey.pem
.
#
mv newkey.pem /etc/ssl/private/ldap-key.pem
#
chmod 0600 /etc/ssl/private/ldap-key.pem
#
mv newcert.pem /etc/ssl/certs/ldap-cert.pem
slapd
daemon also needs to be told to use these keys for encryption; this involves adding the following directives to the /etc/ldap/slapd.conf
file:
Example 11.32. Configuring slapd
for encryption
# TLS support TLSCipherSuite HIGH TLSCertificateFile /etc/ssl/certs/ldap-cert.pem TLSCertificateKeyFile /etc/ssl/private/ldap-key.pem
SLAPD_SERVICES
variable in the /etc/default/slapd
file. We'll play it safe and disable unsecured LDAP altogether.
Example 11.33. The /etc/default/slapd
file
# Default location of the slapd.conf file SLAPD_CONF= # System account to run the slapd server under. If empty the server # will run as root. SLAPD_USER= # System group to run the slapd server under. If empty the server will # run in the primary group of its user. SLAPD_GROUP= # Path to the pid file of the slapd server. If not set the init.d script # will try to figure it out from $SLAPD_CONF (/etc/ldap/slapd.conf) SLAPD_PIDFILE= # Configure if the slurpd daemon should be started. Possible values: # - yes: Always start slurpd # - no: Never start slurpd # - auto: Start slurpd if a replica option is found in slapd.conf # (default) SLURPD_START=auto # slapd normally serves ldap only on all TCP-ports 389. slapd can also # service requests on TCP-port 636 (ldaps) and requests via unix # sockets. # Example usage: SLAPD_SERVICES="ldaps:/// ldapi:///" # Additional options to pass to slapd and slurpd SLAPD_OPTIONS="" SLURPD_OPTIONS=""
ssl on
directive to the /etc/pam_ldap.conf
and /etc/libnss-ldap.conf
configuration files.
/etc/ssl/certs/ldap-cert.pem
), and reference the location of this copy in the /etc/ldap/ldap.conf
file.
Example 11.34. The /etc/ldap/ldap.conf
file
# # LDAP Defaults # # See ldap.conf(5) for details # This file should be world readable but not world writable. BASE dc=falcot,dc=com URI ldaps://ldap.falcot.com #SIZELIMIT 12 #TIMELIMIT 15 #DEREF never TLS_CACERT /etc/ssl/certs/ldap-cert.pem