[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: solaris8's ldap-client with RedHat's openldap-server
On Wed, 18 Sep 2002 17:06:47 +0200, BRINER Cedric wrote:
>Hi,
>Does some of you had the following configurations which runs
>-solaris8's ldap-client
>-RedHat's openldap-server
>
>if so, please tell me any hints or give me any pointers to such
>configuration!
>
>thanks in Advance
>
>Briner
I _almost_ have this working. I'm also interested if anyone has any tips
on helping me make the last couple of steps. We're migrating from NIS+
running on a Sun box to an OpenLDAP server running on RedHat. The client
setup on the RedHat machines was fairly straightforward since everything
was OpenLDAP and easily installed by an rpm. We have some legacy Sun
machines that we also need to be able to authenticate with the LDAP
server. I initially tried putting OpenLDAP clients on the Solaris
machines (also required an installation of OpenSSL). I was able to get
user authentication (using the native pam_unix.so on solaris and by
specifying 'pam_passwd crypt' in slapd.conf) and the host tables to work
properly. Sun's automountd, however, uses its native LDAP libraries,
which didn't work when I had the OpenLDAP client installed. Since I also
wanted the netgroup table to work, I decided to try the native LDAP
client in Solaris8 (padl's nss_ldap doesn't have netgroup implemented).
Right now, I can list the LDAP contents with 'ldaplist -l'. This even
shows the encrypted password, meaning the proxy user is binding with the
proper credentials to read the passwords. When I do 'getent passwd',
however, I don't see anything in the pasword fields, and,
correspondingly, user authentication doesn't work. If you (or anyone
else) have tips on getting this to work, please let me know.
As you probably know, documentation on this topic is fairly sparse. One
of the most useful sites I have found so far is
http://www.okapi.ca/up2/solaris8_ldap.php
I have included my setup notes below. Since I couldn't get the Solaris8
LDAP client to connect to my SSL-enabled server, I used stunnel. If you
don't need SSL, you can replace 127.0.0.1 in the configuration files
with the ip address of your LDAP server.
Also, on the linux LDAP clients, I had to update pam_ldap to be able to
change passwords, and I had to update nss_ldap to get aliases to work.
NB: the notes for setting up the server (which you'll need to do first
unless you already have a server running) are at the bottom of this
message.
-----------------------------------------
Install SSL if required.
CPPFLAGS="-I/usr/local/ssl/include"
export CPPFLAGS
LDFLAGS="-L/usr/local/ssl/lib -R/usr/local/ssl/lib"
export LDFLAGS
./configure --prefix=/usr/local/openldap --disable-bdb \
--disable-slapd --without-cyrus-sasl --with-tls
Note: the build of the shared libraries on solaris-x86 doesn't work
properly (the libraries have an undefined symbol 'main'. To fix, add
the flag '-nostartfiles' to the gcc command that builds them). After
the build takes place, perform the following:
cd openssl-0.9.6g
gcc -G -o libcrypto.so.0.9.6 -h libcrypto.so.0.9.6 \
-z allextract libcrypto.a -L. -lsocket -lnsl -ldl -lc \
-nostartfiles
gcc -G -o libssl.so.0.9.6 -h libssl.so.0.9.6 \
-z allextract libssl.a -L. -l crypto -lsocket -lnsl -ldl -lc \
-nostartfiles
cp /usr/local/ssl/lib/lib{crypto,ssl}.so.0.9.6 /usr/lib
cp /usr/local/ssl/lib/lib{crypto,ssl}.a /usr/lib
cd /usr/lib
ln -s libcrypto.so.0.9.6 libcrypto.so.0
ln -s libcrypto.so.0 libcrypto.so
ln -s libssl.so.0.9.6 libssl.so.0
ln -s libssl.so.0 libssl.so
cp /usr/local/ssl/lib/lib{ldap,lber}.{la,a,so.2.0.16} /usr/lib
ln -s libldap.so.2.0.16 libldap.so.2
ln -s libldap.so.2 libldap.so
ln -s liblber.so.2.0.16 liblber.so.2
ln -s liblber.so.2 liblber.so
-----------------------------------------
Use Solaris native LDAP client with stunnel.
Install openssl as described above.
compile stunnel
cp stunnel-3.22/src/stunnel /usr/sbin
mkdir /var/log/stunnel
Set up stunnel (this should be put in ldap client startup)
stunnel -c -d 389 -r @LDAP_SSL_SERVER_IP@:636 -P /var/log/stunnel
cat > /var/ldap/ldap_client_file <<EOF
NS_LDAP_SERVERS=127.0.0.1:389
NS_LDAP_SEARCH_BASEDN=dc=group,dc=example,dc=com
NS_LDAP_AUTH=NS_LDAP_AUTH_SIMPLE
NS_LDAP_TRANSPORT_SEC=NS_LDAP_SEC_NONE
NS_LDAP_DOMAIN=group.example.com
EOF
chmod 600 /var/ldap/ldap_client_file
test to see if it works:
% ldaplist
make credential file for proxy authentication(?)
cat > /var/ldap/ldap_client_cred <<EOF
NS_LDAP_BINDDN=cn=proxyuser,dc=group,dc=example,dc=com
NS_LDAP_BINDPASSWD={NS1}EnCrYpTeDPaSsWoRdHeRe
EOF
chmod 600 /var/ldap/ldap_client_cred
ldap_gen_profile -P bogus -b dc=group,dc=example,dc=com \
-a simple -w 'secretpasword' 127.0.0.1
Note: secretpassword is what you store in /etc/ldap.secret for
OpenLDAP clients.
Copy the {NS1}AbuNcH0FJunk password generated from ldap_gen_profile to
the appropriate line in /var/ldap/ldap_client cred
Add solaris.schema to slapd config (on OpenLDAP server):
cp solaris.schema /etc/openldap/schema
add include line in /etc/openldap/schema for solaris.schema
Add nisDomainObject to root DN:
cat << EOF > /tmp/entry
dn: dc=group,dc=example,dc=com
objectclass: nisDomainObject
nisDomain: group.example.com
EOF
-----------------------------------------------------------------
Notes for setting up OpenLDAP server to handle Solaris8 native LDAP
clients.
get solaris.schema from http://www.tzone.org/~okapi/up2/solaris.schema
replace TBD with a number (I used 1466)
Add solaris.schema to slapd config (on OpenLDAP server):
cp solaris.schema /etc/openldap/schema
add include line in /etc/openldap/schema for solaris.schema
When initially setting up OpenLDAP server be sure also to specify the
nisDomain (specified below).
This file describes the installation and configuration of the OpenLDAP
server on a Linux Machine.
References:
http://www.mandrakesecure.net/en/docs/ldap-auth.php
Install LDAP server packages
----------------------------
in addition to the client packages, install: openldap-servers
Server configuration files
--------------------------
chgrp ldap /etc/openldap/slapd.conf
chmod 640 /etc/openldap/slapd.conf
Update /etc/openldap/slapd.conf:
+ put encrypted password on 'rootpw' line (use slappasswd)
make new slapd certificate:
cd /usr/share/ssl/certs
rm -f slapd.pem
make slapd.pem
chgrp ldap slapd.pem
chmod 640 slapd.pem
/etc/init.d/ldap start
Check to make sure server is working:
(make sure /etc/openldap/ldap.conf setup first)
ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
should return:
dn:
namingContexts: dc=group,dc=example,dc=com
If slapd was ever run as root: chown --recursive ldap:ldap /var/lib/ldap
### OpenLDAP clients only
Create Manager entry in database: (strip leading and trailing
whitespace)
cat << EOF > example.ldif
dn: dc=group,dc=example,dc=com
objectclass: dcObject
objectclass: organization
o: Wireless Research Group
dc: group
dn: cn=Manager,dc=group,dc=example,dc=com
objectclass: organizationalRole
cn: Manager
EOF
### Solaris native LDAP clients included
cat << EOF > example.ldif
dn: dc=group,dc=example,dc=com
objectclass: dcObject
objectclass: nisDomainObject
objectclass: organization
o: Wireless Research Group
nisDomain: group.example.com
dc: group
dn: cn=Manager,dc=group,dc=example,dc=com
objectclass: organizationalRole
cn: Manager
EOF
ldapadd -x -D "cn=Manager,dc=group,dc=example,dc=com" -W -f example.ldif
rm -f example.ldif
Check to see if it works:
ldapsearch -x -b 'dc=group,dc=example,dc=com' '(objectclass=*)'
(should return all entries, including the one just created)
Create proxyuser for authentication:
cat << EOF > example.ldif
dn: cn=proxyuser,dc=group,dc=example,dc=com
cn: proxyuser
sn: proxyuser
objectclass: top
objectclass: person
userPassword: paste-encrypted-password-here
EOF
ldapadd -x -D "cn=Manager,dc=group,dc=example,dc=com" -W -f example.ldif
rm -f example.ldif
Migration
---------
edit defaults in /usr/share/openldap/migration/migrate_common.ph:
$DEFAULT_MAIL_DOMAIN = "group.example.com";
$DEFAULT_BASE = "dc=group,dc=example,dc=com";
$DEFAULT_MAIL_HOST = "group.example.com";
$EXTENDED_SCHEMA = 0;
migrate_base.pl > base.ldif
+ remove entries for rpc, networks, services, protocols, mounts
+ remove first entry for dc=example,dc=com
+ remove entry for dc=group,dc=example,dc=com since already exists
ldapadd -x -D "cn=Manager,dc=group,dc=example,dc=com" -W -f base.ldif
Migrate individually: passwd, automount, netgroup, aliases, hosts, group
# migrate passwd
umask 077
niscat passwd.org_dir > passwd.txt
migrate_passwd.pl passwd.txt passwd.ldif
ldapadd -x -D "cn=Manager,dc=group,dc=example,dc=com" -W -f passwd.ldif
rm -f passwd.txt passwd.ldif
# migrate automount
## for each automount map, do the following: (replace "auto_home" with
mapname)
niscat auto_home.org_dir > auto_home
+ remove entries that begin with '+'
migrate_automount.pl auto_home nismap.ldif
ldapadd -x -D "cn=Manager,dc=group,dc=example,dc=com" -W -f nismap.ldif
rm -f auto_home nismap.ldif
#migrate netgroup
scp group:/etc/netgroup .
migrate_netgroup.pl netgroup netgroup.ldif
migrate_netgroup_byhost.pl netgroup netgroup_byhost.ldif
migrate_netgroup_byuser.pl netgroup netgroup_byuser.ldif
ldapadd -x -D "cn=Manager,dc=group,dc=example,dc=com" -W -f
netgroup.ldif
ldapadd -x -D "cn=Manager,dc=group,dc=example,dc=com" -W -f
netgroup_byhost.ldif
ldapadd -x -D "cn=Manager,dc=group,dc=example,dc=com" -W -f
netgroup_byuser.ldif
rm -f netgroup netgroup.ldif netgroup_byhost.ldif netgroup_byuser.ldif
# migrate aliases
scp group:/etc/aliases .
migrate_aliases.pl aliases aliases.ldif
ldapadd -x -D "cn=Manager,dc=group,dc=example,dc=com" -W -f aliases.ldif
rm -f aliases aliases.ldif
# migrate hosts
scp group:/etc/hosts .
migrate_hosts.pl hosts hosts.ldif
ldapadd -x -D "cn=Manager,dc=group,dc=example,dc=com" -W -f hosts.ldif
rm -f hosts hosts.ldif
# migrate group
niscat group.org_dir > group
migrate_group.pl group group.ldif
ldapadd -x -D "cn=Manager,dc=group,dc=example,dc=com" -W -f group.ldif
rm -f group group.ldif
######### Warning: accounts can be erased during this procedure
To re-sync passwd database from nis:
umask 077
niscat passwd.org_dir > passwd.txt
# this next step removes old accounts from LDAP
ldapdelete -r -x -D "cn=Manager,dc=group,dc=example,dc=com"
'ou=People,dc=group,dc=example,dc=com' -W
migrate_passwd.pl passwd.txt passwd.ldif
cat <<EOF > people.ldif
dn: ou=People,dc=group,dc=example,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit
EOF
ldapadd -x -D "cn=Manager,dc=group,dc=example,dc=com" -W -f people.ldif
ldapadd -x -D "cn=Manager,dc=group,dc=example,dc=com" -W -f passwd.ldif
rm -f passwd.txt passwd.ldif people.ldif
######### End Warning