LDAP Notes


Package installation

ldap clients and libs

$ sudo apt-get install libsasl2-modules libsasl2-modules-ldap ldaptor

ldap server

$ sudo apt-get install slapd

Heimdal clients and libs

$ sudo apt-get install libroken16-heimdal libkrb5-17-heimdal heimdal-clients

Heimdal servers

$ sudo apt-get install heimdal-servers-x heimdal-servers heimdal-kdc libkadm5srv7-heimdal

SASL clients and libs

$ sudo apt-get install libsasl2-modules-gssapi-heimdal sasl2-bin

Other common packages

$ sudo apt-get install ssh emacs21-nox shorewall wget links less libglib2.0-0 popularity-contest unattended-upgrades


slapd

Configuration

migrationtools

  • edit /etc/migrationtools/migrate_common.ph
  • cd to /usr/share/migrationtools
  • remove/comment lines in /etc/services that migrate_all doesn't recognize
  • repeat this mantra until you get it right (it wipes the database, re-runs the slapd configuration, regenerates the LDIF and concatenates the results into one file):
 $ sudo /etc/init.d/slapd stop && \
     sudo rm -rf /var/lib/ldap/* && \
     sudo dpkg-reconfigure slapd && \
     ./migrate_all_online.sh && \
     cat /tmp/nis.*.ldif > ~/tmp/ldap-init.ldif

~/tmp/ldap-init.ldif

Add the following entry to hold the Kerberos principals:

dn: ou=KerberosPrincipals,dc=padl,dc=com
ou: KerberosPrincipals
objectClass: top
objectClass: organizationalUnit
objectClass: krb5Principal
krb5PrincipalName: root/admin

/etc/ldap/slapd.conf


include /etc/ldap/schema/hdb.schema

index objectClass             eq
index cn                      eq,sub,pres
index uid                     eq,sub,pres
index displayName             eq,sub,pres
index krb5PrincipalName       eq

sasl-secprops minssf=0
sasl-regexp "gidNumber=0\\\+uidNumber=0,cn=peercred,cn=external,cn=auth"
                "cn=admin,dc=padl,dc=com"
access to dn.subtree=ou=KerberosPrincipals,dc=padl,dc=com
        by sockurl="^ldapi:///$" write

/etc/default/slapd

SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///"

Replication

  • RFC 3296 (local copy: file:///usr/src/tar/openldap-2.3.37/doc/rfc/rfc3296.txt)

Heimdal

Reference: http://www.padl.com/Research/Heimdal.html (local copy: file:///home/cjac/Desktop/docs/Heimdal.html)

$ sudo adduser openldap sasl

/etc/krb5.conf

Add the following to tell Kerberos to store principals in the directory (the DN must match the ou=KerberosPrincipals entry created above):

[kdc]
        database = {
                dbname = ldap:ou=KerberosPrincipals,dc=padl,dc=com
                mkey_file = /path/to/mkey
        }
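A small offline consistency check across the three fragments above (the principals LDIF entry, slapd.conf and krb5.conf), added here as an example and not part of the original notes. The three embedded fragments are constructed copies; the krb5.conf copy deliberately misspells the OU to show what the check catches (a KDC pointed at a DN that does not exist, and that the ldapi access rule does not cover).

```python
import re

# Constructed copies of the page's fragments (not read from the real files).
LDIF = """dn: ou=KerberosPrincipals,dc=padl,dc=com
ou: KerberosPrincipals
objectClass: top
objectClass: organizationalUnit
objectClass: krb5Principal
krb5PrincipalName: root/admin
"""

KRB5_CONF = """[kdc]
        database = {
                dbname = ldap:ou=KerberosPrincpals,dc=padl,dc=com
                mkey_file = /path/to/mkey
        }
"""

SLAPD_CONF = """include /etc/ldap/schema/hdb.schema
index krb5PrincipalName       eq
access to dn.subtree=ou=KerberosPrincipals,dc=padl,dc=com
        by sockurl="^ldapi:///$" write
"""

def norm_dn(dn):
    # DN comparison is case-insensitive; ignore whitespace around commas.
    return ",".join(p.strip().lower() for p in dn.split(","))

def ldif_dns(text):
    return {norm_dn(m.group(1)) for m in re.finditer(r"^dn:\s*(.+)$", text, re.M)}

def kdc_ldap_dn(text):
    m = re.search(r"^\s*dbname\s*=\s*ldap:(.+)$", text, re.M)
    return norm_dn(m.group(1)) if m else None

def check(ldif, krb5, slapd):
    """Return the list of mismatches between the three fragments."""
    problems = []
    dn = kdc_ldap_dn(krb5)
    if dn is None:
        problems.append("krb5.conf: no ldap: dbname under [kdc]")
    elif dn not in ldif_dns(ldif):
        problems.append(f"krb5.conf dbname DN {dn!r} is not defined in the LDIF")
    if not re.search(r"^include\s+\S*hdb\.schema", slapd, re.M):
        problems.append("slapd.conf: hdb.schema not included")
    if not re.search(r"^index\s+krb5PrincipalName\b", slapd, re.M):
        problems.append("slapd.conf: no index on krb5PrincipalName")
    acl = re.search(r"^access to dn\.subtree=(\S+)", slapd, re.M)
    if dn and (acl is None or norm_dn(acl.group(1)) != dn):
        problems.append("slapd.conf: no access rule covering the KDC database DN")
    return problems
```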

Start the servers

sudo /etc/init.d/heimdal-kdc start
sudo /etc/init.d/heimdal-kcm start

kadmin

After the directory is online and the Heimdal servers are started, run the following:

$ sudo kadmin -l
kadmin> init PADL.COM
kadmin> add myfancyuser/admin

/etc/shorewall/rules

Allow inbound Kerberos access on TCP port 88:

#
#  Kerberos
#
ACCEPT          net             $FW             tcp     88

SASL

PAM
