Installation
polar@backus ~ % sudo aptitude install slapd ldap-utils migrationtools
Answer the questions. The initial install only seems to ask a few of them, so dpkg needs to be told explicitly to ask us the full set:
polar@backus ~ % sudo dpkg-reconfigure slapd
Omit OpenLDAP server configuration? No
DNS domain name: warwickcompsoc.co.uk
Admin Password: ***
Confirm Password: ***
Do you want your database to be removed when slapd is purged? No
Move old database? Yes
Allow LDAPv2 Protocol? No
/etc/ldap/ldap.conf:
BASE dc=warwickcompsoc, dc=co, dc=uk
URI ldap://backus.warwickcompsoc.co.uk
Check if it's working with something like
ldapsearch -x dc=foo
ldap_bind: Can't contact LDAP server (-1)
probably means the server isn't running, in which case start it with
/etc/init.d/slapd start
Migration
Edit /etc/migrationtools/migrate_common.ph
$DEFAULT_MAIL_DOMAIN = "warwickcompsoc.co.uk";
$DEFAULT_BASE = "dc=warwickcompsoc,dc=co,dc=uk";
We used migrationtools to import data from /etc/passwd and /etc/group.
Create people_group.ldif (for the People and Group nodes) with the following (the blank line between the two entries is required by LDIF):
dn: ou=People, dc=warwickcompsoc, dc=co, dc=uk
ou: People
objectclass: organizationalUnit

dn: ou=Group, dc=warwickcompsoc, dc=co, dc=uk
ou: Group
objectclass: organizationalUnit
Export
polar@backus ~ % sudo /usr/share/migrationtools/migrate_group.pl /etc/group group.ldif
polar@backus ~ % sudo /usr/share/migrationtools/migrate_passwd.pl /etc/passwd passwd.ldif
If you get an error message mentioning h2ph, run:
oddbloke@backus:/usr/share/migrationtools$ sudo h2ph -d /usr/share/perl/5.8.8/ /usr/share/migrationtools/migrate_common.ph
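migrate_passwd.pl copies every account in /etc/passwd, password hashes from /etc/shadow included, into passwd.ldif, so it is worth reading the file before handing it to ldapadd. The following is an added example (not part of migrationtools or this wiki) that parses the LDIF, unfolding continuation lines and decoding base64 values, and lists the entries a careful admin would review: system accounts (uidNumber below 1000, normally left in /etc/passwd) and userPassword values that are not a {crypt} hash or carry a legacy DES or locked hash. SAMPLE_LDIF is a constructed stand-in for the real output.

```python
# Added example for this page (not migrationtools or wiki code): parse the LDIF that
# migrate_passwd.pl writes and flag entries to review before ldapadd. SAMPLE_LDIF is constructed.
import base64

SAMPLE_LDIF = """\
dn: uid=root,ou=People,dc=warwickcompsoc,dc=co,dc=uk
uid: root
userPassword: {crypt}$1$saltsalt$0123456789abcdefghijkl
uidNumber: 0
homeDirectory: /root

dn: uid=polar,ou=People,dc=warwickcompsoc,dc=co,dc=uk
uid: polar
cn:: UG9sYXIgQmVhcg==
userPassword: {crypt}ab01cd23ef45g
uidNumber: 1000
homeDirectory: /home/pol
 ar
"""

def parse_ldif(text):
    """Return one {attr (lowercase): [values]} dict per LDIF entry."""
    entries, entry = [], {}
    for line in text.replace("\n ", "").splitlines() + [""]:  # unfold "\n " continuations first
        if line.strip() == "":                 # blank line ends the entry
            if entry:
                entries.append(entry)
                entry = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            if value.startswith(":"):          # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def audit(entries):
    """Return (dn, reason) pairs for entries to review before importing."""
    findings = []
    for e in entries:
        dn = e.get("dn", ["?"])[0]
        uid = int(e.get("uidnumber", ["-1"])[0])
        if uid < 1000:                         # root/system accounts stay in /etc/passwd
            findings.append((dn, "system account, uidNumber %d" % uid))
        for pw in e.get("userpassword", []):
            if not pw.lower().startswith("{crypt}"):
                findings.append((dn, "userPassword is not a {crypt} hash"))
            elif not pw[7:].startswith("$"):   # no $id$ prefix: DES or locked
                findings.append((dn, "legacy DES or locked userPassword"))
    return findings
```

Run it as `audit(parse_ldif(open("passwd.ldif").read()))` against the real export; an empty result means nothing stood out, not that the file is safe to import.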
Import
polar@backus ~ % sudo ldapadd -v -x -W -D "cn=admin,dc=warwickcompsoc,dc=co,dc=uk" -f people_group.ldif
polar@backus ~ % sudo ldapadd -c -v -x -W -D "cn=admin,dc=warwickcompsoc,dc=co,dc=uk" -f passwd.ldif
polar@backus ~ % sudo ldapadd -c -v -x -W -D "cn=admin,dc=warwickcompsoc,dc=co,dc=uk" -f group.ldif
Client Password Setup
oddbloke@backus ~ % sudo aptitude install libpam-ldap libnss-ldap ldap-utils
For all of the /etc/pam.d/common-<foo> files (foo being the module type: account, auth, password or session), the following line needs to be added above the existing pam_unix.so line:
${foo} sufficient pam_ldap.so
Because it is marked sufficient, a successful LDAP result ends the stack there; if LDAP fails or the user is unknown to it, control falls through to pam_unix.so and local accounts keep working. For example, /etc/pam.d/common-account looks like:
#
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system. The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#
account sufficient pam_ldap.so
account required pam_unix.so
The following line should be added to /etc/ldap/ldap.conf:
pam_password exop
The passwd, group and shadow lines in /etc/nsswitch.conf currently look like:
passwd: compat
group: compat
shadow: compat
These should be changed to consult the local files first and then LDAP, like so:
passwd: files ldap
group: files ldap
shadow: files ldap
MoinMoin
In order to enable LDAP, the following has been added to the Wiki configuration (/etc/moin/compsocwiki.py):
import ldap
from MoinMoin.auth import ldap_login, moin_cookie

auth = [ldap_login, moin_cookie]  # LDAP should be used, MoinMoin should create cookies
ldap_uri = 'ldap://backus.uwcs.co.uk'  # Our server
ldap_coding = 'utf-8'
ldap_verbose = True  # More informative error messages, this may want to go

ldap_binddn = ''  # We currently have our LDAP server set up for anonymous bind,
ldap_bindpw = ''  # so that is what is used

ldap_email_attribute = ''  # If email addresses are ever stored in LDAP, this should be set to point to them

ldap_base = 'ou=People,dc=warwickcompsoc,dc=co,dc=uk'  # base DN we use for searching
ldap_scope = ldap.SCOPE_SUBTREE  # scope of the search we do
ldap_name_attribute = 'uid'
ldap_timeout = 10  # how long we wait for the ldap server [s]
cookie_lifetime = 1  # 1 hour after last access ldap login is required again
user_autocreate = True  # If a user doesn't exist, create them
ejabberd
{auth_method, ldap}.
{ldap_servers, ["localhost"]}. % List of LDAP servers
{ldap_uidattr, "uid"}. % LDAP attribute that holds user ID
{ldap_base, "ou=People,dc=warwickcompsoc,dc=co,dc=uk"}. % Search base of LDAP directory