From 06552e25513b8e641a1e8c143feda53ef1011f0b Mon Sep 17 00:00:00 2001 From: "W. Trevor King" Date: Tue, 21 Jun 2011 20:13:34 -0400 Subject: [PATCH] Add Ubuntu section to LDAP post. --- posts/LDAP.mdwn | 74 ++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 73 insertions(+), 1 deletion(-) diff --git a/posts/LDAP.mdwn b/posts/LDAP.mdwn index f108262..21733cc 100644 --- a/posts/LDAP.mdwn +++ b/posts/LDAP.mdwn @@ -43,7 +43,8 @@ Note that [inetorgperson][] is huge, but it's standardized. I think it's better to pick a big standard right off, than to outgrow something smaller and need to migrate. -Gentoo creates the default database directory for you, so you can ignore warnings about needing to create it yourself. +Gentoo creates the default database directory for you, so you can +ignore warnings about needing to create it yourself. Configure LDAP client access. Again, read the docs for details on adapting this to your particular situation: 
@@ -274,6 +275,76 @@ You can configure `mutt-ldap.py` with the following lines in port = 636 ssl = yes +Debian-based systems +-------------------- + +I wanted to mirror my home LDAP info on my public Ubuntu server. +Here's a quick rundown of the Ubuntu setup. Install OpenLDAP: + + $ sudo apt-get install slapd ldap-utils + +Don't serve in the clear: + + $ cat /etc/default/slapd + ... + SLAPD_SERVICES="ldaps:/// ldapi:///" + ... + +Avoid `Unrecognized database type (hdb)` by loading the `hdb` backend +module before declaring `hdb` databases: + + $ sudo cat /etc/ldap/slapd.conf + ... + moduleload back_hdb + database hdb + ... + +Convert the old school `slapd.conf` to the new [slapd.d][]: + + $ sudo mv slapd.d{,.bak} + $ sudo mkdir slapd.d + $ sudo slaptest -f slapd.conf -F slapd.d + ... + hdb_db_open: database "dc=example,dc=com": db_open(/var/lib/slapd/id2entry.bdb) failed: No such file or directory (2). + ... + slap_startup failed (test would succeed using the -u switch) + ... + $ sudo chown -R openldap.openldap slapd.d + +Don't worry about that `db_open` error, the conversion to `slapd.d` +will have completed successfully. + +Set permissions on the database directory (note that the databases +should be under `/var/lib/ldap` to match Ubuntu's default apparmor +config. Otherwise you'll see `invalid path: Permission denied` errors +when `slapd` tries to initialize the databaes). + + $ sudo chown openldap.openldap /var/lib/ldap/ + $ sudo chmod 750 /var/lib/ldap/ + +Configure your clients + + $ cat /etc/ldap/ldap.conf + BASE dc=example,dc=com + URI ldaps://example.com + TLS_CACERT /etc/ldap/ssl/ldapserver.crt + +Start `slapd` and add it to your default runlevel: + + $ sudo /etc/init.d/slapd start + $ sudo update-rc.d slapd defaults + +Finally, import your directory data. 
Dump the data on your master +server: + + master$ sudo slapcat -b 'dc=example,dc=com' > database.ldif + +Load the data on your slave: + + $ sudo /etc/init.d/slapd stop + $ sudo slapadd -l database.ldif + $ sudo /etc/init.d/slapd start + References ---------- @@ -296,6 +367,7 @@ the countryName attribute, ... [aab]: http://support.apple.com/kb/ht2486 [SSL/TLS]: http://en.wikipedia.org/wiki/Transport_Layer_Security [certtool]:http://www.gnu.org/software/gnutls/manual/html_node/Invoking-certtool.html#Invoking-certtool +[slapd.d]: http://www.openldap.org/doc/admin24/slapdconf2.html [schema]: http://www.oreillynet.com/pub/a/sysadmin/2006/11/09/demystifying-ldap-data.html [[!tag tags/linux]] -- 2.26.2
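Review bot: The first hunk (`@@ -43,7 +43,8 @@`) only re-wraps the "Gentoo creates the default database directory" sentence onto two lines and is unrelated to the Ubuntu section the subject line announces; it would be cleaner as a separate whitespace-only commit so the content change is easy to review and to cherry-pick on its own.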
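Review bot: In the Ubuntu hunk (`@@ -274,6 +275,76 @@`), the import step runs `sudo slapadd -l database.ldif` as root right after ownership of `/var/lib/ldap/` was carefully set to `openldap.openldap`; the BDB files slapadd creates will be root-owned, so `slapd` (running as `openldap`) may fail to open them on the following `/etc/init.d/slapd start`. Either run slapadd as the service user or re-run the `chown -R openldap:openldap /var/lib/ldap/` after the load, and say so in the text. Smaller points in the same hunk: the `mv slapd.d{,.bak}` / `mkdir slapd.d` / `slaptest -f slapd.conf -F slapd.d` sequence uses relative paths, so a `cd /etc/ldap` (or absolute paths) should precede it; the quoted output already says "test would succeed using the -u switch", so suggesting `slaptest -u` would avoid the `db_open` error instead of telling the reader to ignore it; setting `SLAPD_SERVICES="ldaps:/// ldapi:///"` needs the server-side TLS certificate directives (`TLSCertificateFile`, `TLSCertificateKeyFile`) in `slapd.conf`, which the excerpt doesn't show, while the client side does reference `/etc/ldap/ssl/ldapserver.crt`; "databaes" should read "databases"; `openldap.openldap` should use the `openldap:openldap` form that chown documents; and "Configure your clients" is missing the trailing colon the other lead-ins have.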